
Optimize CA cert hash calculation with community.crypto (#11758)

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
pull/11767/head
ERIK 4 months ago
committed by GitHub
parent
commit
98807ffb6b
6 changed files with 14 additions and 16 deletions
  1. 1
      galaxy.yml
  2. 2
      requirements.txt
  3. 5
      roles/kubernetes/control-plane/defaults/main/main.yml
  4. 13
      roles/kubernetes/kubeadm/tasks/main.yml
  5. 4
      roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2
  6. 5
      roles/kubespray-defaults/defaults/main/main.yml

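--- a/galaxy.yml
+++ b/galaxy.yml
@@ -14,6 +14,7 @@ documentation: https://kubespray.io
 license_file: LICENSE
 dependencies:
 ansible.utils: '>=2.5.0'
+community.crypto: '>=2.22.3'
 community.general: '>=7.0.0'
 ansible.netcommon: '>=5.3.0'
 ansible.posix: '>=1.5.4'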

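--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,6 @@
 ansible==9.12.0
+# Needed for community.crypto module
+cryptography==44.0.0
 # Needed for jinja2 json_query templating
 jmespath==1.0.1
 # Needed for ansible.utils.ipaddr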

5
roles/kubernetes/control-plane/defaults/main/main.yml

@ -236,3 +236,8 @@ kube_apiserver_tracing_sampling_rate_per_million: 100
# Enable kubeadm file discovery if anonymous access has been removed # Enable kubeadm file discovery if anonymous access has been removed
kubeadm_use_file_discovery: "{{ remove_anonymous_access }}" kubeadm_use_file_discovery: "{{ remove_anonymous_access }}"
# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
kube_asymmetric_encryption_algorithm: "RSA-2048"
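Review bot: Moving `kube_asymmetric_encryption_algorithm` from roles/kubespray-defaults (deleted in the last hunk of this commit) into the control-plane role's defaults narrows its scope: role defaults are only visible to plays that include that role, so any other role or template that still references the variable would now fail with an undefined variable. The kubeadm role no longer reads it after this commit, but the diff does not show whether anything else (for example a kubeadm ClusterConfiguration template rendered outside the control-plane role) still does, so that is worth a repository-wide grep before merging. The comment text is carried over unchanged, which is fine.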

13
roles/kubernetes/kubeadm/tasks/main.yml

@ -29,20 +29,15 @@
delegate_to: "{{ groups['kube_control_plane'][0] }}" delegate_to: "{{ groups['kube_control_plane'][0] }}"
run_once: true run_once: true
- name: Calculate kubeadm CA cert hash
shell: |
set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
args:
executable: /bin/bash
register: kubeadm_ca_hash
- name: Fetch CA certificate from control plane node
slurp:
src: "{{ kube_cert_dir }}/ca.crt"
register: ca_cert_content
when: when:
- kubeadm_ca_stat.stat is defined - kubeadm_ca_stat.stat is defined
- kubeadm_ca_stat.stat.exists - kubeadm_ca_stat.stat.exists
delegate_to: "{{ groups['kube_control_plane'][0] }}" delegate_to: "{{ groups['kube_control_plane'][0] }}"
run_once: true run_once: true
changed_when: false
- name: Create kubeadm token for joining nodes with 24h expiration (default) - name: Create kubeadm token for joining nodes with 24h expiration (default)
command: "{{ bin_dir }}/kubeadm token create" command: "{{ bin_dir }}/kubeadm token create"
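Review bot: The `when:` guard on the new slurp task does not stop `ca_cert_content` from being registered when the task is skipped — Ansible registers a skipped task's result too (with `skipped: true` and no `content` key) — so the template's `{% if ca_cert_content is defined %}` in roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2 is true even when ca.crt was absent, and the `b64decode` on the missing `content` then aborts templating instead of reaching the `unsafeSkipCAVerification` branch. The removed `kubeadm_ca_hash.stdout is defined` check did distinguish that case, because `stdout` only exists when the shell task actually ran. If the fallback is intended, test the value that is only present on success: `{% if ca_cert_content.content is defined %}`; note that a hard failure here is arguably the safer outcome, since the fallback disables CA pinning for the join, so the choice deserves a comment on the task either way. The surrounding task list starts and ends outside this hunk.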

4
roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2

@ -13,9 +13,9 @@ discovery:
apiServerEndpoint: {{ kubeadm_discovery_address }} apiServerEndpoint: {{ kubeadm_discovery_address }}
{% endif %} {% endif %}
token: {{ kubeadm_token }} token: {{ kubeadm_token }}
{% if kubeadm_ca_hash.stdout is defined %}
{% if ca_cert_content is defined %}
caCertHashes: caCertHashes:
- sha256:{{ kubeadm_ca_hash.stdout }}
- sha256:{{ (ca_cert_content.content | b64decode | community.crypto.x509_certificate_info).public_key_fingerprints.sha256.replace(':', '') }}
{% else %} {% else %}
unsafeSkipCAVerification: true unsafeSkipCAVerification: true
{% endif %} {% endif %}
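Review bot: The new `caCertHashes` expression has no comment explaining why a community.crypto fingerprint is an acceptable substitute for the removed openssl pipeline, and the equivalence is not obvious to a reader. kubeadm checks the join against the SHA-256 of the DER-encoded SubjectPublicKeyInfo of the CA certificate, which is what `openssl ... -pubin -outform der | openssl dgst -sha256` produced; as far as I know community.crypto's `public_key_fingerprints` is computed over the same DER SPKI bytes and merely renders it colon-separated, but that should be recorded next to the line so a future change to either side can be checked against it. Suggest a Jinja comment above the `- sha256:` line: `{# SHA-256 over the CA cert's DER SubjectPublicKeyInfo, the format kubeadm's discovery hash expects; community.crypto renders it colon-separated, hence the replace() #}`.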

5
roles/kubespray-defaults/defaults/main/main.yml

@ -62,11 +62,6 @@ kubeadm_join_phases_skip: >-
# Set to true to remove the role binding to anonymous users created by kubeadm # Set to true to remove the role binding to anonymous users created by kubeadm
remove_anonymous_access: false remove_anonymous_access: false
# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
kube_asymmetric_encryption_algorithm: "RSA-2048"
# A string slice of values which specify the addresses to use for NodePorts. # A string slice of values which specify the addresses to use for NodePorts.
# Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
# The default empty string slice ([]) means to use all local addresses. # The default empty string slice ([]) means to use all local addresses.
