sync certs tasks (fix #2596 #2667)

7 years ago · 80dd230a65
2 changed files with 30 additions and 38 deletions
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@ -14,27 +14,6 @@
    gen_certs: false
    secret_changed: false

- name: "Check certs | check if a cert already exists on node"
-  stat:
-    path: "{{ kube_cert_dir }}/{{ item }}"
-  register: kubecert_node
-  with_items:
-    - ca.pem
-    - apiserver.pem
-    - apiserver-key.pem
-    - kube-scheduler.pem
-    - kube-scheduler-key.pem
-    - kube-controller-manager.pem
-    - kube-controller-manager-key.pem
-    - front-proxy-client.pem
-    - front-proxy-client-key.pem
-    - admin-{{ inventory_hostname }}.pem
-    - admin-{{ inventory_hostname }}-key.pem
-    - node-{{ inventory_hostname }}.pem
-    - node-{{ inventory_hostname }}-key.pem
-    - kube-proxy-{{ inventory_hostname }}.pem
-    - kube-proxy-{{ inventory_hostname }}-key.pem
-
 - name: "Check_certs | Set 'gen_certs' to true"
  set_fact:
    gen_certs: true
@ -85,7 +64,6 @@
      {{ gen }}
  run_once: true

-
 - name: "Check_certs | Set 'gen_node_certs' to true"
  set_fact:
    gen_node_certs: |-
@ -102,17 +80,3 @@
      {% endfor %}
      }
  run_once: true
-
- name: "Check_certs | Set 'sync_certs' to true"
-  set_fact:
-    sync_certs: true
-  when: |-
-      {%- set certs = {'sync': False} -%}
-      {% if gen_node_certs[inventory_hostname] or
-        (not kubecert_node.results[0].stat.exists|default(False)) or
-          (not kubecert_node.results[12].stat.exists|default(False)) or
-            (not kubecert_node.results[8].stat.exists|default(False)) or
-              (kubecert_node.results[12].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[12].stat.path)|map(attribute="checksum")|first|default('')) -%}
-                {%- set _ = certs.update({'sync': True}) -%}
-      {% endif %}
-      {{ certs.sync }}
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@ -111,6 +111,34 @@
  tags:
    - facts

+- name: "Check certs | check if a cert already exists on node"
+  find:
+    paths: "{{ kube_cert_dir }}"
+    patterns: "*.pem"
+    get_checksum: true
+  register: kubecert_node
+  when: inventory_hostname != groups['kube-master'][0]
+
+- name: "Check_certs | Set 'sync_certs' to true on masters"
+  set_fact:
+    sync_certs: true
+  when: inventory_hostname in groups['kube-master'] and
+        inventory_hostname != groups['kube-master'][0] and
+        (not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
+        kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
+  with_items:
+    - "{{ my_master_certs + all_node_certs }}"
+
+- name: "Check_certs | Set 'sync_certs' to true on nodes"
+  set_fact:
+    sync_certs: true
+  when: inventory_hostname in groups['kube-node'] and
+        inventory_hostname != groups['kube-master'][0] and
+        (not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
+        kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
+  with_items:
+    - "{{ my_node_certs }}"
+
 - name: Gen_certs | Gather master certs
  shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
  args:
@ -138,7 +166,7 @@
 # char limit when using shell command

 # FIXME(mattymo): Use tempfile module in ansible 2.3
- name: Gen_certs | Prepare tempfile for unpacking certs
+- name: Gen_certs | Prepare tempfile for unpacking certs on masters
  command: mktemp /tmp/certsXXXXX.tar.gz
  register: cert_tempfile
  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
@ -162,7 +190,7 @@
        inventory_hostname != groups['kube-master'][0]
  notify: set secret_changed

- name: Gen_certs | Cleanup tempfile
+- name: Gen_certs | Cleanup tempfile on masters
  file:
    path: "{{cert_tempfile.stdout}}"
    state: absent