Run rotate_tokens role only once (#1970)
This commit is contained in:
parent
849aaf7435
commit
67419e8d0a
3 changed files with 12 additions and 7 deletions
@ -82,11 +82,16 @@
|
||||||
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
|
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
|
||||||
- { role: network_plugin, tags: network }
|
- { role: network_plugin, tags: network }
|
||||||
|
|
||||||
- hosts: kube-master
|
- hosts: kube-master[0]
|
||||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||||
roles:
|
roles:
|
||||||
- { role: kubespray-defaults}
|
- { role: kubespray-defaults}
|
||||||
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
|
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
|
||||||
|
|
||||||
|
- hosts: kube-master
|
||||||
|
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||||
|
roles:
|
||||||
|
- { role: kubespray-defaults}
|
||||||
- { role: kubernetes-apps/network_plugin, tags: network }
|
- { role: kubernetes-apps/network_plugin, tags: network }
|
||||||
- { role: kubernetes-apps/policy_controller, tags: policy-controller }
|
- { role: kubernetes-apps/policy_controller, tags: policy-controller }
|
||||||
|
|
||||||
|
|
|
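Review bot: `- hosts: kube-master[0]` (new side of the `- hosts: kube-master` row) pins token rotation to the first inventory master, and `when: "secret_changed|default(false)"` is now evaluated only against that host's facts; if `secret_changed` is set as a per-host fact by an earlier play on a different master, the rotation is silently skipped, so it should be confirmed the flag is set on the first master or carried as a group/extra var. With `any_errors_fatal` on a single-host play, an unreachable first master also aborts the whole run, where the old `run_once` form would presumably have executed on the next reachable master. A one-line comment above the new play would make the contract explicit, e.g. `# rotate_tokens deletes service-account tokens and restarts kube-system pods; it must run on exactly one master, hence kube-master[0]`. The same change appears in the third file section (@ -85,11 +85,16).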
@ -8,7 +8,6 @@
|
||||||
command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson"
|
command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson"
|
||||||
register: default_token_data
|
register: default_token_data
|
||||||
changed_when: false
|
changed_when: false
|
||||||
run_once: true
|
|
||||||
|
|
||||||
- name: Rotate Tokens | Test if default certificate is expired
|
- name: Rotate Tokens | Test if default certificate is expired
|
||||||
uri:
|
uri:
|
||||||
|
@ -19,7 +18,6 @@
|
||||||
headers:
|
headers:
|
||||||
Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
|
Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
|
||||||
register: check_secret
|
register: check_secret
|
||||||
run_once: true
|
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
||||||
- name: Rotate Tokens | Determine if certificate is expired
|
- name: Rotate Tokens | Determine if certificate is expired
|
||||||
|
@ -35,16 +33,13 @@
|
||||||
| grep kubernetes.io/service-account-token
|
| grep kubernetes.io/service-account-token
|
||||||
| egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
|
| egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
|
||||||
register: tokens_to_delete
|
register: tokens_to_delete
|
||||||
run_once: true
|
|
||||||
when: needs_rotation
|
when: needs_rotation
|
||||||
|
|
||||||
- name: Rotate Tokens | Delete expired tokens
|
- name: Rotate Tokens | Delete expired tokens
|
||||||
command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
|
command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
|
||||||
with_items: "{{ tokens_to_delete.stdout_lines }}"
|
with_items: "{{ tokens_to_delete.stdout_lines }}"
|
||||||
run_once: true
|
|
||||||
when: needs_rotation
|
when: needs_rotation
|
||||||
|
|
||||||
- name: Rotate Tokens | Delete pods in system namespace
|
- name: Rotate Tokens | Delete pods in system namespace
|
||||||
command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
|
command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
|
||||||
run_once: true
|
|
||||||
when: needs_rotation
|
when: needs_rotation
|
||||||
|
|
|
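Review bot: Dropping `run_once: true` from the `Delete expired tokens` and `Delete pods in system namespace` tasks (third hunk, @ -35,16 +33,13; likewise the first two hunks) moves the single-execution guarantee out of the role and into whichever play includes it, but nothing in the task file records that. A caller that still targets the whole `kube-master` group would now run `kubectl delete secrets` and `kubectl delete pods … --all` once per master, with the later masters' deletes failing on already-removed secrets since those tasks carry no `failed_when`. A header comment in the task file should state the contract, e.g. `# Must be applied on exactly one master (callers use hosts: kube-master[0]); tasks intentionally carry no run_once.` The `needs_rotation` fact these tasks gate on is set outside the hunk.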
@ -85,11 +85,16 @@
|
||||||
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
|
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
|
||||||
- { role: kubespray-defaults}
|
- { role: kubespray-defaults}
|
||||||
|
|
||||||
- hosts: kube-master
|
- hosts: kube-master[0]
|
||||||
any_errors_fatal: true
|
any_errors_fatal: true
|
||||||
roles:
|
roles:
|
||||||
- { role: kubespray-defaults}
|
- { role: kubespray-defaults}
|
||||||
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
|
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
|
||||||
|
|
||||||
|
- hosts: kube-master
|
||||||
|
any_errors_fatal: true
|
||||||
|
roles:
|
||||||
|
- { role: kubespray-defaults}
|
||||||
- { role: kubernetes-apps/network_plugin, tags: network }
|
- { role: kubernetes-apps/network_plugin, tags: network }
|
||||||
- { role: kubernetes-apps/policy_controller, tags: policy-controller }
|
- { role: kubernetes-apps/policy_controller, tags: policy-controller }
|
||||||
- { role: kubernetes/client, tags: client }
|
- { role: kubernetes/client, tags: client }
|
||||||
|
|