Reverted leftover tasks from cert rotation functionality.

2017-06-20 13:29:31 -04:00 · 2017-06-20 13:29:31 -04:00 · 0816f620b9
commit 0816f620b9
parent a3760a8b84
6 changed files with 19 additions and 24 deletions
--- a/roles/kargo-defaults/defaults/main.yaml
+++ b/roles/kargo-defaults/defaults/main.yaml
@ -115,19 +115,8 @@ k8s_image_pull_policy: IfNotPresent
 efk_enabled: false
 enable_network_policy: false

-## List of authorization plugins that must be configured for
-## the k8s cluster.
+## List of authorization modes that must be configured for
+## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
+## 'RBAC' modes are tested.
 authorization_mode: ['AlwaysAllow']
 rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
-
-
-ssl_ca_dirs: "[
-      {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
-      '/usr/share/ca-certificates',
-      {% elif ansible_os_family == 'RedHat' -%}
-      '/etc/pki/tls',
-      '/etc/pki/ca-trust',
-      {% elif ansible_os_family == 'Debian' -%}
-      '/usr/share/ca-certificates',
-      {% endif -%}
-    ]"
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
@ -47,4 +47,3 @@ spec:
          - --logtostderr=true
          - --v=2
      serviceAccountName: cluster-proportional-autoscaler
-      serviceAccount: cluster-proportional-autoscaler
--- a/roles/kubernetes/node/handlers/main.yml
+++ b/roles/kubernetes/node/handlers/main.yml
@ -1,9 +1,4 @@
 ---
- name: restart kubelet if secrets changed
-  command: /bin/true
-  when: secret_changed|d(False)
-  notify: restart kubelet
-
 - name: restart kubelet
  command: /bin/true
  notify:
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@ -1,4 +1,18 @@
 ---
+- name: install | Set SSL CA directories
+  set_fact:
+    ssl_ca_dirs: "[
+      {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+      '/usr/share/ca-certificates',
+      {% elif ansible_os_family == 'RedHat' -%}
+      '/etc/pki/tls',
+      '/etc/pki/ca-trust',
+      {% elif ansible_os_family == 'Debian' -%}
+      '/usr/share/ca-certificates',
+      {% endif -%}
+    ]"
+  tags: facts
+
 - include: "install_{{ kubelet_deployment_type }}.yml"

 - name: install | Write kubelet systemd init file
--- a/roles/kubernetes/node/tasks/pre_upgrade.yml
+++ b/roles/kubernetes/node/tasks/pre_upgrade.yml
@ -4,7 +4,3 @@
  args:
    creates: "/var/lib/cni"
  failed_when: false
-
- name: "Pre-upgrade | Make sure to restart kubelet if certificates changed"
-  command: /bin/true
-  notify: restart kubelet if secrets changed
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@ -136,6 +136,7 @@
 - name: Gen_certs | Unpack certs on masters
  shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ kube_cert_dir }}"
  no_log: true
+  changed_when: false
  check_mode: no
  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
        inventory_hostname != groups['kube-master'][0]
@ -153,6 +154,7 @@
  args:
    executable: /bin/bash
  no_log: true
+  changed_when: false
  check_mode: no
  when: inventory_hostname in groups['kube-node'] and
        sync_certs|default(false) and