From 0816f620b9b8cef33e37233da09d492f15aa6f63 Mon Sep 17 00:00:00 2001
From: Raj Perera
Date: Tue, 20 Jun 2017 13:29:31 -0400
Subject: [PATCH] Reverted leftover tasks from cert rotation functionality.

---
 roles/kargo-defaults/defaults/main.yaml | 17 +++--------------
 .../ansible/templates/kubedns-autoscaler.yml | 1 -
 roles/kubernetes/node/handlers/main.yml | 5 -----
 roles/kubernetes/node/tasks/install.yml | 14 ++++++++++++++
 roles/kubernetes/node/tasks/pre_upgrade.yml | 4 ----
 .../secrets/tasks/gen_certs_script.yml | 2 ++
 6 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/roles/kargo-defaults/defaults/main.yaml b/roles/kargo-defaults/defaults/main.yaml
index d13a565aa..3a1d29667 100644
--- a/roles/kargo-defaults/defaults/main.yaml
+++ b/roles/kargo-defaults/defaults/main.yaml
@@ -115,19 +115,8 @@ k8s_image_pull_policy: IfNotPresent
 efk_enabled: false
 enable_network_policy: false
 
-## List of authorization plugins that must be configured for
-## the k8s cluster.
+## List of authorization modes that must be configured for
+## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
+## 'RBAC' modes are tested.
 authorization_mode: ['AlwaysAllow']
 rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
-
-
-ssl_ca_dirs: "[
- {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
- '/usr/share/ca-certificates',
- {% elif ansible_os_family == 'RedHat' -%}
- '/etc/pki/tls',
- '/etc/pki/ca-trust',
- {% elif ansible_os_family == 'Debian' -%}
- '/usr/share/ca-certificates',
- {% endif -%}
- ]"
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
index 28a67af4f..ecde5dce2 100644
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
@@ -47,4 +47,3 @@ spec:
 - --logtostderr=true
 - --v=2
 serviceAccountName: cluster-proportional-autoscaler
- serviceAccount: cluster-proportional-autoscaler
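Review bot: The reworded comment above `authorization_mode` in roles/kargo-defaults/defaults/main.yaml is missing a space after the first comma (`'AlwaysAllow','AlwaysDeny', and`); suggest `## the k8s cluster. Only 'AlwaysAllow', 'AlwaysDeny' and 'RBAC'` followed by `## modes are tested.`. While touching it, the comment would be more useful if it also said that `rbac_enabled` two lines below is derived from this list, since that is the value a reader will go looking for when an unexpected mode shows up here.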
diff --git a/roles/kubernetes/node/handlers/main.yml b/roles/kubernetes/node/handlers/main.yml
index 079cbd3da..00525b995 100644
--- a/roles/kubernetes/node/handlers/main.yml
+++ b/roles/kubernetes/node/handlers/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: restart kubelet if secrets changed
- command: /bin/true
- when: secret_changed|d(False)
- notify: restart kubelet
-
 - name: restart kubelet
 command: /bin/true
 notify:
diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml
index 5f5fa0194..ad4cbacf1 100644
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -1,4 +1,18 @@
 ---
+- name: install | Set SSL CA directories
+ set_fact:
+ ssl_ca_dirs: "[
+ {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+ '/usr/share/ca-certificates',
+ {% elif ansible_os_family == 'RedHat' -%}
+ '/etc/pki/tls',
+ '/etc/pki/ca-trust',
+ {% elif ansible_os_family == 'Debian' -%}
+ '/usr/share/ca-certificates',
+ {% endif -%}
+ ]"
+ tags: facts
+
 - include: "install_{{ kubelet_deployment_type }}.yml"
 
 - name: install | Write kubelet systemd init file
diff --git a/roles/kubernetes/node/tasks/pre_upgrade.yml b/roles/kubernetes/node/tasks/pre_upgrade.yml
index d6f729890..612dd3e6f 100644
--- a/roles/kubernetes/node/tasks/pre_upgrade.yml
+++ b/roles/kubernetes/node/tasks/pre_upgrade.yml
@@ -4,7 +4,3 @@
 args:
 creates: "/var/lib/cni"
 failed_when: false
-
-- name: "Pre-upgrade | Make sure to restart kubelet if certificates changed"
- command: /bin/true
- notify: restart kubelet if secrets changed
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 54afed35d..61d9c7826 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
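Review bot: `ssl_ca_dirs` stops being a role default (this patch removes it from roles/kargo-defaults/defaults/main.yaml) and is now produced only by the new `set_fact` task at the top of roles/kubernetes/node/tasks/install.yml, which carries just `tags: facts`; a run limited to other tags, or any role or template that reads `ssl_ca_dirs` before the node role's install tasks, will hit an undefined variable where the old default was always present. If the fact has to survive tag filtering the usual fix is `tags: [facts, always]`; otherwise a comment above the task stating that every consumer of `ssl_ca_dirs` must run after the kubernetes/node role would at least make the ordering requirement visible. The three Jinja branches also yield an empty list for any other `ansible_os_family`, so hosts outside CoreOS/RedHat/Debian silently get no CA directories at all — presumably the host trust store then goes unmounted, which is worth either a comment or an explicit `fail` for unsupported families.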
@@ -136,6 +136,7 @@
 - name: Gen_certs | Unpack certs on masters
 shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ kube_cert_dir }}"
 no_log: true
+ changed_when: false
 check_mode: no
 when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
 inventory_hostname != groups['kube-master'][0]
@@ -153,6 +154,7 @@
 args:
 executable: /bin/bash
 no_log: true
+ changed_when: false
 check_mode: no
 when: inventory_hostname in groups['kube-node'] and sync_certs|default(false) and
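Review bot: `changed_when: false` on the "Unpack certs on masters" task means a run that actually overwrites files under `kube_cert_dir` reports no change, so handlers, `--check`/diff output and the play recap can no longer tell that certificates were replaced; this matches the patch removing the `restart kubelet if secrets changed` handler, but the reason should be written next to the line, e.g. `# Never report changed: the cert-change kubelet restart path was reverted, so nothing must fire from here`. The same applies to the kube-node hunk at -153 in this file, whose `when:` line runs past the end of what I can see. If certificate rotation is reinstated later, change detection will have to come from a separate `stat`/checksum task, because this task can no longer signal it while `no_log: true` also hides its output.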