From 5c617c5a8bef92f1a2966672754c91ece594ea11 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Fri, 6 Jul 2018 09:12:13 +0300
Subject: [PATCH] Add tags to deploy components by --tags option (#2960)

* Add tags for cert serial tasks
This will help facilitate tag-based deployment of specific components.
* fixup kubernetes node
---
 docs/upgrades.md | 52 +++++++++++++++++++++
 roles/etcd/tasks/main.yml | 6 +++
 roles/kubernetes/node/tasks/install.yml | 15 ------
 roles/kubernetes/secrets/tasks/main.yml | 16 +++++++
 roles/kubespray-defaults/defaults/main.yaml | 12 +++++
 5 files changed, 86 insertions(+), 15 deletions(-)

diff --git a/docs/upgrades.md b/docs/upgrades.md
index 6297976dd..26a4a180b 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -81,3 +81,55 @@ kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and recreated. All other invalidated service account tokens are cleaned up automatically, but other pods are not deleted out of an abundance of caution for impact to user deployed pods. + +### Component-based upgrades + +A deployer may want to upgrade specific components in order to minimize risk +or save time. This strategy is not covered by CI as of this writing, so it is +not guaranteed to work. + +These commands are useful only for upgrading fully-deployed, healthy, existing +hosts. This will definitely not work for undeployed or partially deployed +hosts. + +Upgrade etcd: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd +``` + +Upgrade vault: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=vault +``` + +Upgrade kubelet: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens +``` + +Upgrade Kubernetes master components: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master +``` + +Upgrade network plugins: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network +``` + +Upgrade all add-ons: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps +``` + +Upgrade just helm (assuming `helm_enabled` is true): + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm +``` diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index c35a9cab6..38df04d73 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml 
@@ -19,11 +19,17 @@ register: "etcd_client_cert_serial_result" changed_when: false when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort + tags: + - master + - network - name: Set etcd_client_cert_serial set_fact: etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}" when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort + tags: + - master + - network - include_tasks: "install_{{ etcd_deployment_type }}.yml" when: is_etcd_master diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml index 63a529ace..fe4b6c9c8 100644 --- a/roles/kubernetes/node/tasks/install.yml +++ b/roles/kubernetes/node/tasks/install.yml @@ -1,19 +1,4 @@ --- -- name: install | Set SSL CA directories - set_fact: - ssl_ca_dirs: "[ - {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%} - '/usr/share/ca-certificates', - {% elif ansible_os_family == 'RedHat' -%} - '/etc/pki/tls', - '/etc/pki/ca-trust', - {% elif ansible_os_family == 'Debian' -%} - '/usr/share/ca-certificates', - {% endif -%} - ]" - tags: - - facts - - name: Set kubelet deployment to host if kubeadm is enabled set_fact: kubelet_deployment_type: host diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml index 52fedae5b..d36c3a057 100644 --- a/roles/kubernetes/secrets/tasks/main.yml +++ b/roles/kubernetes/secrets/tasks/main.yml @@ -2,11 +2,13 @@ - import_tasks: check-certs.yml tags: - k8s-secrets + - k8s-gen-certs - facts - import_tasks: check-tokens.yml tags: - k8s-secrets + - k8s-gen-tokens - facts - name: Make sure the certificate directory exits 
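Review bot: The two etcd tasks that receive `tags: [master, network]` in this hunk already carry an identical, fairly long `when:` expression, and the same tag lines are now pasted onto each, so the gate and the tag set can drift the next time only one of them is edited; grouping both in a `block:` that carries one `when:` and one `tags:` removes the duplication. The shell task that registers `etcd_client_cert_serial_result` begins above the hunk, so its own tags and `changed_when` cannot be checked from the diff and are left untouched below. A one-line comment above the block, `# tagged master/network so component-only runs (--tags=master|network) still derive etcd_client_cert_serial`, would record why etcd-role tasks carry non-etcd tags, which this patch otherwise leaves implicit.
```yaml
- name: Etcd client certificate serial
  when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
  tags:
    - master
    - network
  block:
    # … unchanged: shell task registering etcd_client_cert_serial_result (changed_when: false) …
    - name: Set etcd_client_cert_serial
      set_fact:
        etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
```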
@@ -70,10 +72,12 @@ - include_tasks: "gen_certs_{{ cert_management }}.yml" tags: - k8s-secrets + - k8s-gen-certs - import_tasks: upd_ca_trust.yml tags: - k8s-secrets + - k8s-gen-certs - name: "Gen_certs | Get certificate serials on kube masters" shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" @@ -85,6 +89,10 @@ - "kube-controller-manager.pem" - "kube-scheduler.pem" when: inventory_hostname in groups['kube-master'] + tags: + - master + - kubelet + - node - name: "Gen_certs | set kube master certificate serial facts" set_fact: @@ -93,6 +101,10 @@ controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}" scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}" when: inventory_hostname in groups['kube-master'] + tags: + - master + - kubelet + - node - name: "Gen_certs | Get certificate serials on kube nodes" shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" @@ -108,7 +120,11 @@ kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}" kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}" when: inventory_hostname in groups['k8s-cluster'] + tags: + - kubelet + - node - import_tasks: gen_tokens.yml tags: - k8s-secrets + - k8s-gen-tokens diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 347150850..074bd4b1e 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml 
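Review bot: The `set_fact` at the end of the `@@ -108` hunk (`kubelet_cert_serial` / `kube_proxy_cert_serial`) is tagged `kubelet` and `node`, but the `Gen_certs | Get certificate serials on kube nodes` shell task that presumably registers `node_certificate_serials` sits between the `@@ -93` and `@@ -108` hunks and, since the five hunks' additions (2+2+4+4+4) already account for the diffstat's 16 insertions, receives no tags at all. On a `--tags=node` run the producer is skipped while the consumer still runs; with the trailing `|default()` that likely yields empty serial facts rather than an undefined-variable failure, so anything that later compares these serials would see an empty value on every kubelet-only upgrade. The master-side pair in the `@@ -85` and `@@ -93` hunks is tagged consistently, so the same list (`tags:`, `- kubelet`, `- node`) should be added to the node-side shell task as well.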
@@ -279,6 +279,18 @@ proxy_env: https_proxy: "{{ https_proxy| default ('') }}" no_proxy: "{{ no_proxy| default ('') }}" +ssl_ca_dirs: >- + [ + {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%} + '/usr/share/ca-certificates', + {% elif ansible_os_family == 'RedHat' -%} + '/etc/pki/tls', + '/etc/pki/ca-trust', + {% elif ansible_os_family == 'Debian' -%} + '/usr/share/ca-certificates', + {% endif -%} + ] + # Vars for pointing to kubernetes api endpoints is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}" kube_apiserver_count: "{{ groups['kube-master'] | length }}"
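Review bot: `ssl_ca_dirs` lands in defaults without any comment, yet it is the least obvious value in the file: a folded Jinja string that Ansible turns back into a list, which renders as an empty list for any `ansible_os_family` other than CoreOS, RedHat or Debian. Moving it from the `set_fact` deleted in `roles/kubernetes/node/tasks/install.yml` also changes precedence: a role default can be overridden from inventory or group vars, whereas the `set_fact` used to win over such values, which is worth a line in the description. Suggested header above the key: `# CA trust directories per ansible_os_family (rendered to a list; empty for other families). Role default so inventory may override it; formerly a set_fact in kubernetes/node.`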