Erwan Miran
2ab2f3a0a3
Ability to define SSL certificate duration and SSL key size (#3482)
* Ability to specify ssl certificate duration and ssl key size - etcd/secrets
* Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
6 years ago
Dylan
30132d8c35
Removed hostname truncation. (#3409)
6 years ago
Shida Qiu
8b8e534769
remove the redundant space (#3400)
6 years ago
Matthew Mosesohn
97e0de7e29
Fix vault file owner issues and k8s apiserver cert creation (#2985)
apiserver cert should be created only once
6 years ago
Matthew Mosesohn
5c617c5a8b
Add tags to deploy components by --tags option (#2960)
* Add tags for cert serial tasks
This will help facilitate tag-based deployment of specific components.
* fixup kubernetes node
6 years ago
Yumo Yang
6c2f169ea2
update test-pr2 (#2911)
6 years ago
Brad Beam
3d819a6edd
Adding cluster_name to api cert alt name for vault
6 years ago
Matthew Mosesohn
59be578842
Revert "wip pr for improved cert sync" (#2849)
6 years ago
Matthew Mosesohn
7433348aae
wip pr for improved cert sync
6 years ago
Matthew Mosesohn
07cc981971
refactor vault role (#2733)
* Move front-proxy-client certs back to kube mount
We want the same CA for all k8s certs
* Refactor vault to use a third party module
The module adds idempotency and reduces some of the repetitive
logic in the vault role
Requires ansible-modules-hashivault on ansible node and hvac
on the vault hosts themselves
Add upgrade test scenario
Remove bootstrap-os tags from tasks
* fix upgrade issues
* improve unseal logic
* specify ca and fix etcd check
* Fix initialization check
bump machine size
6 years ago
Tomasz Majchrowski
59789ae02a
ISSUE-2706: Provide consistent usage of supplementary_addresses_in_ssl_keys across vault and script mode (#2707)
6 years ago
Markos Chandras
9168c71359
Revert "Revert "Add openSUSE support" (#2697)" (#2699)
This reverts commit 51f4e6585a.
6 years ago
Matthew Mosesohn
51f4e6585a
Revert "Add openSUSE support" (#2697)
6 years ago
Romain DEQUIDT
80dd230a65
sync certs tasks (fix #2596 #2667)
6 years ago
Chad Swenson
d87b6fd9f3
Use dedicated front-proxy-ca for front-proxy-client
6 years ago
Markos Chandras
d07f75b389
roles: kubernetes: secrets: Add SUSE support
Add path for certificate location for SUSE distributions. Also make sure
the 'update-ca-certificates' command is executed on SUSE hosts as well.
6 years ago
Brad Beam
dfc46f02d7
Adding missing service-account certificate for vault
Missed in #2554
6 years ago
georgejdli
76bb5f8d75
check if dedicated service account token signing key exists
6 years ago
avoidik
72c2a8982b
Fix kubecert_node.results indexes
6 years ago
georgejdli
c8f857eae4
configure kubespray to sign service account tokens with a dedicated and stable key
6 years ago
Kuldip Madnani
9ebbf1c3cd
Added a fix in openssl.conf template to check if IP of loadbalancer is available or not.
6 years ago
woopstar
0b5404b2b7
Fix
6 years ago
woopstar
0df32b03ca
Update openssl.conf to count better and work with Jinja 2.9
6 years ago
woopstar
b9a949820a
Only copy tokens if tokens_list contains any
6 years ago
Sergey Bondarev
f8fed0f308
change expiration period for generated certificate from 10 years to 100 years
6 years ago
chadswen
cd153a1fb3
Fix kubernetes cert permission sync
Add `state: directory` to `file` task so that `recurse: yes` will actually take effect and ensure
certs/keys have the right file mode and owner
6 years ago
Simon Li
6b80ac6500
Fix indexing of supplementary DNS in openssl.conf
6 years ago
Maxim Krasilnikov
ba91304636
Fixed generate front proxy client certs with vault (#2359)
* Fixed generate front proxy client certs with vault
* fix vault cert management
* Distribute etcd node certs to vault hosts
6 years ago
woopstar
f9df692056
Issue front proxy certs for vault
6 years ago
woopstar
4dab92ce69
Rename from aggregator-proxy-client to front-proxy-client to match kubeadm design. Added kubeadm support too. Changed to use variables set and not hardcode paths. Still missing cert generation for Vault
6 years ago
woopstar
b2d30d68e7
Rename CN for aggregator back. Add flags to apiserver when version is >= 1.9
6 years ago
woopstar
82d10b882c
Added fixes from whereismyjetpack
6 years ago
woopstar
0b4168cad4
WIP. Adding metrics-server support for K8s version 1.9
6 years ago
Simon Li
27a1a697e7
supplementary_addresses_in_ssl_keys can be a hostname
7 years ago
Andreas Krüger
088d36da09
Increase the idx counter
Fix the idx counter to increase too, or you will end up with two same indexes.
6 years ago
Andreas Krüger
6f36faa4f9
Loadbalancer Apiserver Address is missing
If you configure your external loadbalancer to do a simple TCP pass-through to the API servers, and you do not use a DNS FQDN but just the IP, then you need to add the IP address to the certificates too.
Example config:
```yaml
## External LB example config
apiserver_loadbalancer_domain_name: "10.50.63.10"
loadbalancer_apiserver:
  address: 10.50.63.10
  port: 8383
```
6 years ago
Matthew Mosesohn
dc6a17e092
Use include/import tasks (#2192)
import_tasks will consume far less memory, so it should be
used whenever it is compatible.
6 years ago
Bogdan Dobrelya
8aafe64397
Defaults for apiserver_loadbalancer_domain_name (#1993)
* Defaults for apiserver_loadbalancer_domain_name
When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.
Fix inconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
* Define defaults for LB modes in common defaults
Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplifies the code.
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Günther Grill
0d55ed3600
Avoid that some read-only tasks cause an ansible-change (#1910)
7 years ago
Matthew Mosesohn
fe81bba08d
Force kubelet certificates to be generated as lowercase (#1886)
All nodes get converted to lowercase, so certs should set
CN with lowercase as well.
7 years ago
Rémi de Passmoilesel
356515222a
Add possibility to insert more IP addresses in certificates (#1678)
* Add possibility to insert more IP addresses in certificates
* Add newline at end of files
* Move supp ip parameters to k8s-cluster group file
* Add supplementary addresses in kubeadm master role
* Improve openssl indexes
7 years ago
neith00
77f1d4b0f1
Revert "Update roadmap" (#1809)
* Revert "Debian jessie docs (#1806)"
This reverts commit d78577c810.
* Revert "[contrib/network-storage/glusterfs] adds service for glusterfs endpoint (#1800)"
This reverts commit 5fb6b2eaf7.
* Revert "[contrib/network-storage/glusterfs] bootstrap for glusterfs nodes (#1799)"
This reverts commit 404caa111a.
* Revert "Fixed kubelet standard log environment (#1780)"
This reverts commit b838468500.
* Revert "Add support for fedora atomic host (#1779)"
This reverts commit f2235be1d3.
* Revert "Update network-plugins to use portmap plugin (#1763)"
This reverts commit 6ec45b10f1.
* Revert "Update roadmap (#1795)"
This reverts commit d9879d8026.
7 years ago
Matthew Mosesohn
d9879d8026
Update roadmap (#1795)
7 years ago
Matthew Mosesohn
ee83e874a8
Clear admin kubeconfig when rotating certs (#1772)
* Clear admin kubeconfig when rotating certs
* Update main.yml
7 years ago
Matthew Mosesohn
f14f04c5ea
Upgrade to kubernetes v1.8.0 (#1730)
* Upgrade to kubernetes v1.8.0
hyperkube no longer contains rsync, so now use cp
* Enable node authorization mode
* change kube-proxy cert group name
7 years ago
Aivars Sterns
9c86da1403
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
foxyriver
30b5493fd6
use command module instead of shell module
7 years ago
Brad Beam
ac281476c8
Prune unnecessary certs from vault setup (#1652)
* Cleaning up cert checks for vault
* Removing all unnecessary etcd certs from each node
* Removing all unnecessary kube certs from each node
7 years ago
Matthew Mosesohn
6744726089
kubeadm support (#1631)
* kubeadm support
* move k8s master to a subtask
* disable k8s secrets when using kubeadm
* fix etcd cert serial var
* move simple auth users to master role
* make a kubeadm-specific env file for kubelet
* add non-ha CI job
* change ci boolean vars to json format
* fixup
* Update create-gce.yml
* Update create-gce.yml
* Update create-gce.yml
7 years ago
Maxim Krasilnikov
e16b57aa05
Store vault users passwords to credentials dir. Create vault and etcd roles after start vault cluster (#1632)
7 years ago