Add tags to deploy components by --tags option (#2960)

* Add tags for cert serial tasks

This will help facilitate tag-based deployment of specific components.

* fixup kubernetes node
This commit is contained in:
Matthew Mosesohn 2018-07-06 09:12:13 +03:00 committed by GitHub
parent 0b939a495b
commit 5c617c5a8b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 86 additions and 15 deletions

View file

@ -81,3 +81,55 @@ kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
recreated. All other invalidated service account tokens are cleaned up recreated. All other invalidated service account tokens are cleaned up
automatically, but other pods are not deleted out of an abundance of caution automatically, but other pods are not deleted out of an abundance of caution
for impact to user deployed pods. for impact to user deployed pods.
### Component-based upgrades
A deployer may want to upgrade specific components in order to minimize risk
or save time. This strategy is not covered by CI as of this writing, so it is
not guaranteed to work.
These commands are useful only for upgrading fully-deployed, healthy, existing
hosts. This will definitely not work for undeployed or partially deployed
hosts.
Upgrade etcd:
```
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd
```
Upgrade vault:
```
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=vault
```
Upgrade kubelet:
```
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
```
Upgrade Kubernetes master components:
```
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master
```
Upgrade network plugins:
```
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network
```
Upgrade all add-ons:
```
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps
```
Upgrade just helm (assuming `helm_enabled` is true):
```
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm
```

View file

@ -19,11 +19,17 @@
register: "etcd_client_cert_serial_result" register: "etcd_client_cert_serial_result"
changed_when: false changed_when: false
when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
tags:
- master
- network
- name: Set etcd_client_cert_serial - name: Set etcd_client_cert_serial
set_fact: set_fact:
etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}" etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
tags:
- master
- network
- include_tasks: "install_{{ etcd_deployment_type }}.yml" - include_tasks: "install_{{ etcd_deployment_type }}.yml"
when: is_etcd_master when: is_etcd_master

View file

@ -1,19 +1,4 @@
--- ---
- name: install | Set SSL CA directories
set_fact:
ssl_ca_dirs: "[
{% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
'/usr/share/ca-certificates',
{% elif ansible_os_family == 'RedHat' -%}
'/etc/pki/tls',
'/etc/pki/ca-trust',
{% elif ansible_os_family == 'Debian' -%}
'/usr/share/ca-certificates',
{% endif -%}
]"
tags:
- facts
- name: Set kubelet deployment to host if kubeadm is enabled - name: Set kubelet deployment to host if kubeadm is enabled
set_fact: set_fact:
kubelet_deployment_type: host kubelet_deployment_type: host

View file

@ -2,11 +2,13 @@
- import_tasks: check-certs.yml - import_tasks: check-certs.yml
tags: tags:
- k8s-secrets - k8s-secrets
- k8s-gen-certs
- facts - facts
- import_tasks: check-tokens.yml - import_tasks: check-tokens.yml
tags: tags:
- k8s-secrets - k8s-secrets
- k8s-gen-tokens
- facts - facts
- name: Make sure the certificate directory exits - name: Make sure the certificate directory exits
@ -70,10 +72,12 @@
- include_tasks: "gen_certs_{{ cert_management }}.yml" - include_tasks: "gen_certs_{{ cert_management }}.yml"
tags: tags:
- k8s-secrets - k8s-secrets
- k8s-gen-certs
- import_tasks: upd_ca_trust.yml - import_tasks: upd_ca_trust.yml
tags: tags:
- k8s-secrets - k8s-secrets
- k8s-gen-certs
- name: "Gen_certs | Get certificate serials on kube masters" - name: "Gen_certs | Get certificate serials on kube masters"
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@ -85,6 +89,10 @@
- "kube-controller-manager.pem" - "kube-controller-manager.pem"
- "kube-scheduler.pem" - "kube-scheduler.pem"
when: inventory_hostname in groups['kube-master'] when: inventory_hostname in groups['kube-master']
tags:
- master
- kubelet
- node
- name: "Gen_certs | set kube master certificate serial facts" - name: "Gen_certs | set kube master certificate serial facts"
set_fact: set_fact:
@ -93,6 +101,10 @@
controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}" controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}" scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
when: inventory_hostname in groups['kube-master'] when: inventory_hostname in groups['kube-master']
tags:
- master
- kubelet
- node
- name: "Gen_certs | Get certificate serials on kube nodes" - name: "Gen_certs | Get certificate serials on kube nodes"
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@ -108,7 +120,11 @@
kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}" kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}" kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
when: inventory_hostname in groups['k8s-cluster'] when: inventory_hostname in groups['k8s-cluster']
tags:
- kubelet
- node
- import_tasks: gen_tokens.yml - import_tasks: gen_tokens.yml
tags: tags:
- k8s-secrets - k8s-secrets
- k8s-gen-tokens

View file

@ -279,6 +279,18 @@ proxy_env:
https_proxy: "{{ https_proxy| default ('') }}" https_proxy: "{{ https_proxy| default ('') }}"
no_proxy: "{{ no_proxy| default ('') }}" no_proxy: "{{ no_proxy| default ('') }}"
ssl_ca_dirs: >-
[
{% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
'/usr/share/ca-certificates',
{% elif ansible_os_family == 'RedHat' -%}
'/etc/pki/tls',
'/etc/pki/ca-trust',
{% elif ansible_os_family == 'Debian' -%}
'/usr/share/ca-certificates',
{% endif -%}
]
# Vars for pointing to kubernetes api endpoints # Vars for pointing to kubernetes api endpoints
is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}" is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
kube_apiserver_count: "{{ groups['kube-master'] | length }}" kube_apiserver_count: "{{ groups['kube-master'] | length }}"