Add tags to deploy components by --tags option (#2960)

* Add tags for cert serial tasks This will help facilitate tag-based deployment of specific components. * fixup kubernetes node
6 years ago · 5c617c5a8b
5 changed files with 86 additions and 15 deletions
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@ -81,3 +81,55 @@ kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
 recreated. All other invalidated service account tokens are cleaned up
 automatically, but other pods are not deleted out of an abundance of caution
 for impact to user deployed pods.
+
+### Component-based upgrades
+
+A deployer may want to upgrade specific components in order to minimize risk
+or save time. This strategy is not covered by CI as of this writing, so it is
+not guaranteed to work. 
+
+These commands are useful only for upgrading fully-deployed, healthy, existing
+hosts. This will definitely not work for undeployed or partially deployed
+hosts.
+
+Upgrade etcd:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd
+```
+
+Upgrade vault:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=vault
+```
+
+Upgrade kubelet:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+```
+
+Upgrade Kubernetes master components:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master
+```
+
+Upgrade network plugins:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network
+```
+
+Upgrade all add-ons:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps
+```
+
+Upgrade just helm (assuming `helm_enabled` is true):
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm
+```
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@ -19,11 +19,17 @@
  register: "etcd_client_cert_serial_result"
  changed_when: false
  when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network

 - name: Set etcd_client_cert_serial
  set_fact:
    etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
  when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network

 - include_tasks: "install_{{ etcd_deployment_type }}.yml"
  when: is_etcd_master
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@ -1,19 +1,4 @@
 ---
- name: install | Set SSL CA directories
-  set_fact:
-    ssl_ca_dirs: "[
-      {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
-      '/usr/share/ca-certificates',
-      {% elif ansible_os_family == 'RedHat' -%}
-      '/etc/pki/tls',
-      '/etc/pki/ca-trust',
-      {% elif ansible_os_family == 'Debian' -%}
-      '/usr/share/ca-certificates',
-      {% endif -%}
-    ]"
-  tags:
-    - facts
-
 - name: Set kubelet deployment to host if kubeadm is enabled
  set_fact:
    kubelet_deployment_type: host
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@ -2,11 +2,13 @@
 - import_tasks: check-certs.yml
  tags:
    - k8s-secrets
+    - k8s-gen-certs
    - facts

 - import_tasks: check-tokens.yml
  tags:
    - k8s-secrets
+    - k8s-gen-tokens
    - facts

 - name: Make sure the certificate directory exits
@ -70,10 +72,12 @@
 - include_tasks: "gen_certs_{{ cert_management }}.yml"
  tags:
    - k8s-secrets
+    - k8s-gen-certs

 - import_tasks: upd_ca_trust.yml
  tags:
    - k8s-secrets
+    - k8s-gen-certs

 - name: "Gen_certs | Get certificate serials on kube masters"
  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@ -85,6 +89,10 @@
    - "kube-controller-manager.pem"
    - "kube-scheduler.pem"
  when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node

 - name: "Gen_certs | set kube master certificate serial facts"
  set_fact:
@ -93,6 +101,10 @@
    controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
    scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
  when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node

 - name: "Gen_certs | Get certificate serials on kube nodes"
  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@ -108,7 +120,11 @@
    kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
    kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
  when: inventory_hostname in groups['k8s-cluster']
+  tags:
+    - kubelet
+    - node

 - import_tasks: gen_tokens.yml
  tags:
    - k8s-secrets
+    - k8s-gen-tokens
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@ -279,6 +279,18 @@ proxy_env:
  https_proxy: "{{ https_proxy| default ('') }}"
  no_proxy: "{{ no_proxy| default ('') }}"

+ssl_ca_dirs: >-
+  [
+  {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+  '/usr/share/ca-certificates',
+  {% elif ansible_os_family == 'RedHat' -%}
+  '/etc/pki/tls',
+  '/etc/pki/ca-trust',
+  {% elif ansible_os_family == 'Debian' -%}
+  '/usr/share/ca-certificates',
+  {% endif -%}
+  ]
+
 # Vars for pointing to kubernetes api endpoints
 is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
 kube_apiserver_count: "{{ groups['kube-master'] | length }}"