Always backup both certs and kubeconfig
There is no reason not to back up during an upgrade. Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
This commit is contained in:
parent
8800b5c01d
commit
53e5ef6b4e
3 changed files with 33 additions and 21 deletions
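--- /dev/null
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
@@ -0,0 +1,28 @@
+---
+- name: Backup old certs and keys
+  copy:
+    src: "{{ kube_cert_dir }}/{{ item }}"
+    dest: "{{ kube_cert_dir }}/{{ item }}.old"
+    mode: preserve
+    remote_src: yes
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+    - apiserver-kubelet-client.crt
+    - apiserver-kubelet-client.key
+    - front-proxy-client.crt
+    - front-proxy-client.key
+  ignore_errors: yes
+
+- name: Backup old confs
+  copy:
+    src: "{{ kube_config_dir }}/{{ item }}"
+    dest: "{{ kube_config_dir }}/{{ item }}.old"
+    mode: preserve
+    remote_src: yes
+  with_items:
+    - admin.conf
+    - controller-manager.conf
+    - kubelet.conf
+    - scheduler.conf
+  ignore_errors: yes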
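Review bot: `ignore_errors: yes` on both tasks lets any copy failure (permission denied, disk full, unreadable source) pass silently, so a control-plane upgrade can continue with no usable backup of `apiserver.key` or `admin.conf` and nothing in the play output to show it. If the intent is only to tolerate a source file that does not exist yet, narrow the tolerance to that case: drop `ignore_errors` and gate each task on a `stat` of the source, or set `failed_when` so that only a missing source is non-fatal. Note also that `dest` is fixed to `<name>.old`, so every run overwrites the previous copy and the rollback window is exactly one upgrade, while `mode: preserve` correctly keeps the private keys' original permissions, which matters because the copies live in the same `kube_cert_dir` as the live material.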
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
- name: Backup old certs and keys
|
|
||||||
copy:
|
|
||||||
src: "{{ kube_cert_dir }}/{{ item.src }}"
|
|
||||||
dest: "{{ kube_cert_dir }}/{{ item.dest }}"
|
|
||||||
mode: 0640
|
|
||||||
remote_src: yes
|
|
||||||
with_items:
|
|
||||||
- {src: apiserver.crt, dest: apiserver.crt.old}
|
|
||||||
- {src: apiserver.key, dest: apiserver.key.old}
|
|
||||||
- {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
|
|
||||||
- {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
|
|
||||||
- {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
|
|
||||||
- {src: front-proxy-client.key, dest: front-proxy-client.key.old}
|
|
||||||
ignore_errors: yes
|
|
|
@ -18,6 +18,11 @@
|
||||||
get_mime: no
|
get_mime: no
|
||||||
register: kubeadm_already_run
|
register: kubeadm_already_run
|
||||||
|
|
||||||
|
- name: kubeadm | Backup kubeadm certs / kubeconfig
|
||||||
|
import_tasks: kubeadm-backup.yml
|
||||||
|
when:
|
||||||
|
- kubeadm_already_run.stat.exists
|
||||||
|
|
||||||
- name: kubeadm | aggregate all SANs
|
- name: kubeadm | aggregate all SANs
|
||||||
set_fact:
|
set_fact:
|
||||||
apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn) | unique }}"
|
apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn) | unique }}"
|
||||||
|
@ -68,12 +73,6 @@
|
||||||
- name: kubeadm | set kubeadm version
|
- name: kubeadm | set kubeadm version
|
||||||
import_tasks: kubeadm-version.yml
|
import_tasks: kubeadm-version.yml
|
||||||
|
|
||||||
- name: kubeadm | Certificate management with kubeadm
|
|
||||||
import_tasks: kubeadm-certificate.yml
|
|
||||||
when:
|
|
||||||
- not upgrade_cluster_setup
|
|
||||||
- kubeadm_already_run.stat.exists
|
|
||||||
|
|
||||||
- name: kubeadm | Check if apiserver.crt contains all needed SANs
|
- name: kubeadm | Check if apiserver.crt contains all needed SANs
|
||||||
command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
|
command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
|
||||||
with_items: "{{ apiserver_sans }}"
|
with_items: "{{ apiserver_sans }}"
|
||||||
|
|