Add tags to deploy components by --tags option (#2960)

* Add tags for cert serial tasks

This will help facilitate tag-based deployment of specific components.

* fixup kubernetes node

docs/upgrades.md

@@ -81,3 +81,55 @@ kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
 recreated. All other invalidated service account tokens are cleaned up
 automatically, but other pods are not deleted out of an abundance of caution
 for impact to user deployed pods.
+
+### Component-based upgrades
+
+A deployer may want to upgrade specific components in order to minimize risk
+or save time. This strategy is not covered by CI as of this writing, so it is
+not guaranteed to work. 
+
+These commands are useful only for upgrading fully-deployed, healthy, existing
+hosts. This will definitely not work for undeployed or partially deployed
+hosts.
+
+Upgrade etcd:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd
+```
+
+Upgrade vault:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=vault
+```
+
+Upgrade kubelet:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+```
+
+Upgrade Kubernetes master components:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master
+```
+
+Upgrade network plugins:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network
+```
+
+Upgrade all add-ons:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps
+```
+
+Upgrade just helm (assuming `helm_enabled` is true):
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm
+```

roles/etcd/tasks/main.yml

@@ -19,11 +19,17 @@
   register: "etcd_client_cert_serial_result"
   changed_when: false
   when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network
 
 - name: Set etcd_client_cert_serial
   set_fact:
     etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
   when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network
 
 - include_tasks: "install_{{ etcd_deployment_type }}.yml"
   when: is_etcd_master

roles/kubernetes/node/tasks/install.yml

@@ -1,19 +1,4 @@
 ---
-- name: install | Set SSL CA directories
-  set_fact:
-    ssl_ca_dirs: "[
-      {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
-      '/usr/share/ca-certificates',
-      {% elif ansible_os_family == 'RedHat' -%}
-      '/etc/pki/tls',
-      '/etc/pki/ca-trust',
-      {% elif ansible_os_family == 'Debian' -%}
-      '/usr/share/ca-certificates',
-      {% endif -%}
-    ]"
-  tags:
-    - facts
-
 - name: Set kubelet deployment to host if kubeadm is enabled
   set_fact:
     kubelet_deployment_type: host

roles/kubernetes/secrets/tasks/main.yml

@@ -2,11 +2,13 @@
 - import_tasks: check-certs.yml
   tags:
     - k8s-secrets
+    - k8s-gen-certs
     - facts
 
 - import_tasks: check-tokens.yml
   tags:
     - k8s-secrets
+    - k8s-gen-tokens
     - facts
 
 - name: Make sure the certificate directory exits
@@ -70,10 +72,12 @@
 - include_tasks: "gen_certs_{{ cert_management }}.yml"
   tags:
     - k8s-secrets
+    - k8s-gen-certs
 
 - import_tasks: upd_ca_trust.yml
   tags:
     - k8s-secrets
+    - k8s-gen-certs
 
 - name: "Gen_certs | Get certificate serials on kube masters"
   shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -85,6 +89,10 @@
     - "kube-controller-manager.pem"
     - "kube-scheduler.pem"
   when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node
 
 - name: "Gen_certs | set kube master certificate serial facts"
   set_fact:
@@ -93,6 +101,10 @@
     controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
     scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
   when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node
 
 - name: "Gen_certs | Get certificate serials on kube nodes"
   shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -108,7 +120,11 @@
     kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
     kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
   when: inventory_hostname in groups['k8s-cluster']
+  tags:
+    - kubelet
+    - node
 
 - import_tasks: gen_tokens.yml
   tags:
     - k8s-secrets
+    - k8s-gen-tokens

roles/kubespray-defaults/defaults/main.yaml

@@ -279,6 +279,18 @@ proxy_env:
   https_proxy: "{{ https_proxy| default ('') }}"
   no_proxy: "{{ no_proxy| default ('') }}"
 
+ssl_ca_dirs: >-
+  [
+  {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+  '/usr/share/ca-certificates',
+  {% elif ansible_os_family == 'RedHat' -%}
+  '/etc/pki/tls',
+  '/etc/pki/ca-trust',
+  {% elif ansible_os_family == 'Debian' -%}
+  '/usr/share/ca-certificates',
+  {% endif -%}
+  ]
+
 # Vars for pointing to kubernetes api endpoints
 is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
 kube_apiserver_count: "{{ groups['kube-master'] | length }}"