Enable external CA mode for control-plane deployment (#8620)
parent
d7254eead6
commit
30306d6ec7
4 changed files with 30 additions and 3 deletions
|
@ -19,6 +19,7 @@
|
||||||
register: kubeadm_upload_cert
|
register: kubeadm_upload_cert
|
||||||
when:
|
when:
|
||||||
- inventory_hostname == first_kube_control_plane
|
- inventory_hostname == first_kube_control_plane
|
||||||
|
- not kube_external_ca_mode
|
||||||
|
|
||||||
- name: Parse certificate key if not set
|
- name: Parse certificate key if not set
|
||||||
set_fact:
|
set_fact:
|
||||||
|
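Review bot: The `- not kube_external_ca_mode` guard is added to the task that registers `kubeadm_upload_cert` (its beginning lies outside the hunk); when that task is skipped the registered variable still exists but carries `skipped: true` and no `stdout`. The following `Parse certificate key if not set` task, whose `set_fact` body is also outside the hunk, presumably reads that output, so it needs a guard such as `- kubeadm_upload_cert is not skipped` (or the equivalent on the first control-plane host's hostvars) to avoid an undefined-attribute failure in external CA mode. If that task already carries such a guard, no change is needed.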
@ -49,11 +50,20 @@
|
||||||
debug:
|
debug:
|
||||||
msg: "{{ kubeadm_already_run.stat.exists }}"
|
msg: "{{ kubeadm_already_run.stat.exists }}"
|
||||||
|
|
||||||
- name: Joining control plane node to the cluster.
|
- name: Reset cert directory
|
||||||
shell: >-
|
shell: >-
|
||||||
if [ -f /etc/kubernetes/manifests/kube-apiserver.yaml ]; then
|
if [ -f /etc/kubernetes/manifests/kube-apiserver.yaml ]; then
|
||||||
{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }};
|
{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }};
|
||||||
fi &&
|
fi
|
||||||
|
environment:
|
||||||
|
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
|
||||||
|
when:
|
||||||
|
- inventory_hostname != first_kube_control_plane
|
||||||
|
- kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
|
||||||
|
- not kube_external_ca_mode
|
||||||
|
|
||||||
|
- name: Joining control plane node to the cluster.
|
||||||
|
command: >-
|
||||||
{{ bin_dir }}/kubeadm join
|
{{ bin_dir }}/kubeadm join
|
||||||
--config {{ kube_config_dir }}/kubeadm-controlplane.yaml
|
--config {{ kube_config_dir }}/kubeadm-controlplane.yaml
|
||||||
--ignore-preflight-errors=all
|
--ignore-preflight-errors=all
|
||||||
|
|
|
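Review bot: The new `Reset cert directory` task wraps `kubeadm reset` in a shell `if [ -f ... ]`, so it reports `changed` on every run even when nothing is reset, and its name understates what `kubeadm reset -f` does (it tears down the node's kubeadm state, not only the certificate directory). The module precondition expresses the same guard with honest reporting: add `args:` / `removes: /etc/kubernetes/manifests/kube-apiserver.yaml` and reduce the body to `{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }}`, plus a comment like `# Full kubeadm reset of a stale secondary control plane before it rejoins; skipped in external CA mode, presumably so pre-provisioned certificates are never wiped`. The `when:` of the following `Joining control plane node to the cluster.` task lies outside the hunk; it should keep the same `inventory_hostname != first_kube_control_plane` and `kubeadm_already_run` conditions so a node is never reset without being rejoined.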
@ -101,6 +101,7 @@
|
||||||
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
|
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
|
||||||
when:
|
when:
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
|
- not kube_external_ca_mode
|
||||||
|
|
||||||
- name: kubeadm | regenerate apiserver cert 1/2
|
- name: kubeadm | regenerate apiserver cert 1/2
|
||||||
file:
|
file:
|
||||||
|
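Review bot: The `- not kube_external_ca_mode` guard on the apiserver SANs check (the task's body starts outside the hunk) means SAN drift on the apiserver certificate is no longer detected or corrected in external CA mode; the same guard is repeated at `@ -112,6 +113,7 @@` and `@ -121,6 +123,7 @@` on the two regenerate tasks, where it is redundant with `- apiserver_sans_check.changed` (a skipped check registers `changed: false`) but harmless. That shift of responsibility deserves a comment next to the guard, e.g. `# In external CA mode the apiserver cert is neither inspected nor regenerated here: the externally issued cert must already cover every apiserver SAN and is renewed out of band`.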
@ -112,6 +113,7 @@
|
||||||
when:
|
when:
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
- apiserver_sans_check.changed
|
- apiserver_sans_check.changed
|
||||||
|
- not kube_external_ca_mode
|
||||||
|
|
||||||
- name: kubeadm | regenerate apiserver cert 2/2
|
- name: kubeadm | regenerate apiserver cert 2/2
|
||||||
command: >-
|
command: >-
|
||||||
|
@ -121,6 +123,7 @@
|
||||||
when:
|
when:
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
- apiserver_sans_check.changed
|
- apiserver_sans_check.changed
|
||||||
|
- not kube_external_ca_mode
|
||||||
|
|
||||||
- name: kubeadm | Initialize first master
|
- name: kubeadm | Initialize first master
|
||||||
command: >-
|
command: >-
|
||||||
|
@ -129,7 +132,7 @@
|
||||||
--config={{ kube_config_dir }}/kubeadm-config.yaml
|
--config={{ kube_config_dir }}/kubeadm-config.yaml
|
||||||
--ignore-preflight-errors=all
|
--ignore-preflight-errors=all
|
||||||
--skip-phases={{ kubeadm_init_phases_skip | join(',') }}
|
--skip-phases={{ kubeadm_init_phases_skip | join(',') }}
|
||||||
--upload-certs
|
{{ kube_external_ca_mode | ternary('', '--upload-certs') }}
|
||||||
register: kubeadm_init
|
register: kubeadm_init
|
||||||
# Retry is because upload config sometimes fails
|
# Retry is because upload config sometimes fails
|
||||||
retries: 3
|
retries: 3
|
||||||
|
|
|
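Review bot: The ternary inside the folded `command:` scalar expands to an empty token in external CA mode; the `command` module's argument split discards it, but that is not obvious to a reader, and a broken expansion would surface only as a kubeadm usage error. A one-line comment above the flag, `# --upload-certs is omitted in external CA mode: control-plane certificates are distributed out of band, not via kubeadm`, records the intent. The existing `# Retry is because upload config sometimes fails` comment now also covers runs where nothing is uploaded, which is worth a word.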
@ -376,3 +376,11 @@
|
||||||
when:
|
when:
|
||||||
- containerd_config is defined
|
- containerd_config is defined
|
||||||
- not ignore_assert_errors
|
- not ignore_assert_errors
|
||||||
|
|
||||||
|
- name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true)
|
||||||
|
assert:
|
||||||
|
that: not auto_renew_certificates
|
||||||
|
msg: "Variable auto_renew_certificates must be disabled when CA are managed externally: kube_external_ca_mode = true"
|
||||||
|
when:
|
||||||
|
- kube_external_ca_mode
|
||||||
|
- not ignore_assert_errors
|
||||||
|
|
|
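Review bot: The new assert only rules out `auto_renew_certificates`; nothing verifies that the certificates the defaults comment requires in `kube_cert_dir` actually exist before the run, so a missing external CA surfaces later as a kubeadm failure instead of a clear preflight error. A `stat` on the CA file followed by an assert in the same `ignore_assert_errors` style catches this early on control-plane hosts (assuming the control-plane group is `kube_control_plane`, as `first_kube_control_plane` suggests). Separately, the message reads `when CA are managed externally`; `when CAs are managed externally` is the intended wording, and the task name well exceeds the usual line length.
```yaml
# … unchanged: auto_renew_certificates assert …

- name: Stat externally managed CA certificate
  stat:
    path: "{{ kube_cert_dir }}/ca.crt"
  register: external_ca_cert
  when:
    - kube_external_ca_mode
    - "'kube_control_plane' in group_names"

- name: Stop if kube_external_ca_mode is set but no CA certificate exists in kube_cert_dir
  assert:
    that: external_ca_cert.stat.exists
    msg: "kube_external_ca_mode is true but {{ kube_cert_dir }}/ca.crt is missing: provision certificates and kubeconfigs before the run"
  when:
    - kube_external_ca_mode
    - "'kube_control_plane' in group_names"
    - not ignore_assert_errors
```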
@ -157,6 +157,12 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
|
||||||
# cert files to. Not really changeable...
|
# cert files to. Not really changeable...
|
||||||
kube_cert_group: kube-cert
|
kube_cert_group: kube-cert
|
||||||
|
|
||||||
|
# Set to true when the CAs are managed externally.
|
||||||
|
# When true, disables all tasks manipulating certificates. Ensure before the kubespray run that:
|
||||||
|
# - Certificates and CAs are present in kube_cert_dir
|
||||||
|
# - Kubeconfig files are present in kube_config_dir
|
||||||
|
kube_external_ca_mode: false
|
||||||
|
|
||||||
# Cluster Loglevel configuration
|
# Cluster Loglevel configuration
|
||||||
kube_log_level: 2
|
kube_log_level: 2
|
||||||
|
|
||||||
|
|
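Review bot: The comment above `kube_external_ca_mode: false` says the flag "disables all tasks manipulating certificates", which overstates it: `kubeadm init` and `join` still run (only `--upload-certs` and the secondary reset are dropped in this commit), and the operator also inherits certificate renewal and apiserver SAN maintenance. Suggest extending the comment list with `# - auto_renew_certificates must be false (enforced by the assert added in this commit); certificate expiry and apiserver SANs are then maintained out of band`. The list of skipped tasks is read from this commit's other hunks only; confirm against the full role before wording it as exhaustive.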