Fix upgrade for canal and apiserver cert

Fixes #1573
This commit is contained in:
Matthew Mosesohn 2017-08-29 19:35:27 +01:00
parent 76b72338da
commit 13d08af054
3 changed files with 11 additions and 15 deletions


@ -8,18 +8,6 @@
resource: "configmap" resource: "configmap"
namespace: "{{system_namespace}}" namespace: "{{system_namespace}}"
# FIXME: remove if kubernetes/features#124 is implemented
- name: Purge old flannel and canal-node
run_once: true
kube:
name: "canal-node"
kubectl: "{{ bin_dir }}/kubectl"
filename: "{{ kube_config_dir }}/canal-node.yaml"
resource: "ds"
namespace: "{{system_namespace}}"
state: absent
when: inventory_hostname == groups['kube-master'][0] and canal_node_manifest.changed
- name: Start flannel and calico-node - name: Start flannel and calico-node
run_once: true run_once: true
kube: kube:


@ -82,10 +82,13 @@ gen_key_and_cert() {
# Admins # Admins
if [ -n "$MASTERS" ]; then if [ -n "$MASTERS" ]; then
# If any host requires new certs, just regenerate all master certs
# kube-apiserver # kube-apiserver
# Generate only if we don't have existing ca and apiserver certs
if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
gen_key_and_cert "apiserver" "/CN=kube-apiserver" gen_key_and_cert "apiserver" "/CN=kube-apiserver"
cat ca.pem >> apiserver.pem cat ca.pem >> apiserver.pem
fi
# If any host requires new certs, just regenerate scheduler and controller-manager master certs
# kube-scheduler # kube-scheduler
gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler" gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
# kube-controller-manager # kube-controller-manager
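Review bot: The new guard `if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then` only tests for the private keys, so once apiserver-key.pem exists the apiserver certificate is never regenerated — a missing or truncated apiserver.pem, an expired certificate, or a SAN list that no longer covers the current masters all pass through silently, which is the case the removed comment ("If any host requires new certs, just regenerate all master certs") was covering. The certificate should at least be part of the condition, e.g. `if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ] || ! [ -e "$SSLDIR/apiserver.pem" ]; then`, and a comment above it should say that rotating the apiserver cert or changing its SANs now requires removing apiserver-key.pem by hand (or an explicit validity check such as `openssl x509 -checkend`). Note also that the test reads `$SSLDIR/...` while `cat ca.pem >> apiserver.pem` uses relative paths, so the two only agree if the script has already changed into `$SSLDIR` or copies the result there; that setup is outside the hunk. The enclosing script body continues past both ends of the hunk.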


@ -3,6 +3,7 @@ kind: DaemonSet
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
metadata: metadata:
name: canal-node name: canal-node
namespace: {{ system_namespace }}
labels: labels:
k8s-app: canal-node k8s-app: canal-node
spec: spec:
@ -180,3 +181,7 @@ spec:
- name: "canal-certs" - name: "canal-certs"
mountPath: "{{ canal_cert_dir }}" mountPath: "{{ canal_cert_dir }}"
readOnly: true readOnly: true
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
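Review bot: The appended `updateStrategy` block's indentation is lost in this rendering; it must be a direct child of the DaemonSet `spec:` (a sibling of `template:`), not of the pod `spec:` that the preceding `volumeMounts` lines belong to, otherwise kubectl rejects or ignores it. The reason for the addition deserves a comment, since it replaces the purge task removed in the first file: `# extensions/v1beta1 DaemonSets default to OnDelete; RollingUpdate is needed so a changed manifest actually replaces running canal-node pods on upgrade`. Consider whether `maxUnavailable: 1` is an acceptable rollout rate for a CNI daemonset on large clusters, and document that choice next to the value. The `namespace: {{ system_namespace }}` line in the earlier hunk is rendered by the template engine before kubectl parses the YAML, so leaving it unquoted is only a consistency point against the `"{{system_namespace}}"` form used in the task file.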