richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Run rotate_tokens role only once (#1970)

pull/1983/head
Matthew Mosesohn 7 years ago
committed by GitHub
parent
849aaf7435
commit
67419e8d0a
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 7 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 7
      cluster.yml
  2. 5
      roles/kubernetes-apps/rotate_tokens/tasks/main.yml
  3. 7
      upgrade-cluster.yml

7
cluster.yml
View File

@ -82,11 +82,16 @@
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" } - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
- { role: network_plugin, tags: network } - { role: network_plugin, tags: network }
- hosts: kube-master
- hosts: kube-master[0]
any_errors_fatal: "{{ any_errors_fatal | default(true) }}" any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
roles: roles:
- { role: kubespray-defaults} - { role: kubespray-defaults}
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" } - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
- hosts: kube-master
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
roles:
- { role: kubespray-defaults}
- { role: kubernetes-apps/network_plugin, tags: network } - { role: kubernetes-apps/network_plugin, tags: network }
- { role: kubernetes-apps/policy_controller, tags: policy-controller } - { role: kubernetes-apps/policy_controller, tags: policy-controller }

5
roles/kubernetes-apps/rotate_tokens/tasks/main.yml
View File

@ -8,7 +8,6 @@
command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson" command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson"
register: default_token_data register: default_token_data
changed_when: false changed_when: false
run_once: true
- name: Rotate Tokens | Test if default certificate is expired - name: Rotate Tokens | Test if default certificate is expired
uri: uri:
@ -19,7 +18,6 @@
headers: headers:
Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}" Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
register: check_secret register: check_secret
run_once: true
failed_when: false failed_when: false
- name: Rotate Tokens | Determine if certificate is expired - name: Rotate Tokens | Determine if certificate is expired
@ -35,16 +33,13 @@
| grep kubernetes.io/service-account-token | grep kubernetes.io/service-account-token
| egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller' | egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
register: tokens_to_delete register: tokens_to_delete
run_once: true
when: needs_rotation when: needs_rotation
- name: Rotate Tokens | Delete expired tokens - name: Rotate Tokens | Delete expired tokens
command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}" command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
with_items: "{{ tokens_to_delete.stdout_lines }}" with_items: "{{ tokens_to_delete.stdout_lines }}"
run_once: true
when: needs_rotation when: needs_rotation
- name: Rotate Tokens | Delete pods in system namespace - name: Rotate Tokens | Delete pods in system namespace
command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all" command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
run_once: true
when: needs_rotation when: needs_rotation

7
upgrade-cluster.yml
View File

@ -85,11 +85,16 @@
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" } - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
- { role: kubespray-defaults} - { role: kubespray-defaults}
- hosts: kube-master
- hosts: kube-master[0]
any_errors_fatal: true any_errors_fatal: true
roles: roles:
- { role: kubespray-defaults} - { role: kubespray-defaults}
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" } - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
- hosts: kube-master
any_errors_fatal: true
roles:
- { role: kubespray-defaults}
- { role: kubernetes-apps/network_plugin, tags: network } - { role: kubernetes-apps/network_plugin, tags: network }
- { role: kubernetes-apps/policy_controller, tags: policy-controller } - { role: kubernetes-apps/policy_controller, tags: policy-controller }
- { role: kubernetes/client, tags: client } - { role: kubernetes/client, tags: client }

Write Preview
Loading…
Cancel
Save