Use find module for checking for certificates
Also generate certs only when absent on master (rather than when absent on target node)
This commit is contained in:
parent
b6861ebed0
commit
7e1aa3b43b
4 changed files with 121 additions and 68 deletions
|
@ -1,18 +1,11 @@
|
||||||
---
|
---
|
||||||
- name: "Check_certs | check if all certs have already been generated on first master"
|
- name: "Check_certs | check if all certs have already been generated on first master"
|
||||||
stat:
|
find:
|
||||||
path: "{{ etcd_cert_dir }}/{{ item }}"
|
paths: "{{ etcd_cert_dir }}"
|
||||||
get_md5: no
|
patterns: "ca.pem,node*.pem"
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
register: etcdcert_master
|
register: etcdcert_master
|
||||||
run_once: true
|
run_once: true
|
||||||
with_items: >-
|
|
||||||
['ca.pem',
|
|
||||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
|
|
||||||
{% for host in all_etcd_hosts %}
|
|
||||||
'node-{{ host }}-key.pem'
|
|
||||||
{% if not loop.last %}{{','}}{% endif %}
|
|
||||||
{% endfor %}]
|
|
||||||
|
|
||||||
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs' and 'etcd_secret_changed' to false"
|
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs' and 'etcd_secret_changed' to false"
|
||||||
set_fact:
|
set_fact:
|
||||||
|
@ -20,34 +13,56 @@
|
||||||
gen_certs: false
|
gen_certs: false
|
||||||
etcd_secret_changed: false
|
etcd_secret_changed: false
|
||||||
|
|
||||||
- name: "Check_certs | Set 'gen_certs' to true"
|
- name: "Check certs | check if a cert already exists on node"
|
||||||
set_fact:
|
|
||||||
gen_certs: true
|
|
||||||
when: "not {{item.stat.exists}}"
|
|
||||||
run_once: true
|
|
||||||
with_items: "{{etcdcert_master.results}}"
|
|
||||||
|
|
||||||
- name: "Check certs | check if a cert already exists"
|
|
||||||
stat:
|
stat:
|
||||||
path: "{{ etcd_cert_dir }}/{{ item }}"
|
path: "{{ etcd_cert_dir }}/{{ item }}"
|
||||||
register: etcdcert
|
register: etcdcert_node
|
||||||
with_items:
|
with_items:
|
||||||
- ca.pem
|
- ca.pem
|
||||||
- node-{{ inventory_hostname }}-key.pem
|
- node-{{ inventory_hostname }}-key.pem
|
||||||
|
|
||||||
|
|
||||||
|
- name: "Check_certs | Set 'gen_certs' to true"
|
||||||
|
set_fact:
|
||||||
|
gen_certs: true
|
||||||
|
when: "not '{{ item }}' in etcdcert_master.files|map(attribute='path') | list"
|
||||||
|
run_once: true
|
||||||
|
with_items: >-
|
||||||
|
['{{etcd_cert_dir}}/ca.pem',
|
||||||
|
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort %}
|
||||||
|
{% for host in all_etcd_hosts %}
|
||||||
|
'{{etcd_cert_dir}}/node-{{ host }}-key.pem'
|
||||||
|
{% if not loop.last %}{{','}}{% endif %}
|
||||||
|
{% endfor %}]
|
||||||
|
|
||||||
|
|
||||||
|
- name: "Check_certs | Set 'gen_node_certs' to true"
|
||||||
|
set_fact:
|
||||||
|
gen_node_certs: |-
|
||||||
|
{
|
||||||
|
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort -%}
|
||||||
|
{% set existing_certs = etcdcert_master.files|map(attribute='path')|list|sort %}
|
||||||
|
{% for host in all_etcd_hosts -%}
|
||||||
|
{% set host_cert = "%s/node-%s-key.pem"|format(etcd_cert_dir, host) %}
|
||||||
|
{% if host_cert in existing_certs -%}
|
||||||
|
"{{ host }}": False,
|
||||||
|
{% else -%}
|
||||||
|
"{{ host }}": True,
|
||||||
|
{% endif -%}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
run_once: true
|
||||||
|
|
||||||
- name: "Check_certs | Set 'sync_certs' to true"
|
- name: "Check_certs | Set 'sync_certs' to true"
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_certs: true
|
sync_certs: true
|
||||||
when: >-
|
when: >-
|
||||||
{%- set certs = {'sync': False} -%}
|
{%- set certs = {'sync': False} -%}
|
||||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
|
{% if gen_node_certs[inventory_hostname] or
|
||||||
{% for host in all_etcd_hosts %}
|
(not etcdcert_node.results[0].stat.exists|default(False)) or
|
||||||
{% if host == inventory_hostname %}
|
(not etcdcert_node.results[1].stat.exists|default(False)) or
|
||||||
{% if (not etcdcert.results[0].stat.exists|default(False)) or
|
(etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|first|map(attribute="checksum")|default('')) -%}
|
||||||
(not etcdcert.results[1].stat.exists|default(False)) or
|
{%- set _ = certs.update({'sync': True}) -%}
|
||||||
(etcdcert.results[1].stat.checksum|default('') != etcdcert_master.results[loop.index].stat.checksum|default('')) -%}
|
{% endif %}
|
||||||
{%- set _ = certs.update({'sync': True}) -%}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
{%- endfor -%}
|
|
||||||
{{ certs.sync }}
|
{{ certs.sync }}
|
||||||
|
|
||||||
|
|
|
@ -43,15 +43,15 @@
|
||||||
when: gen_certs|default(false)
|
when: gen_certs|default(false)
|
||||||
|
|
||||||
- name: Gen_certs | run cert generation script
|
- name: Gen_certs | run cert generation script
|
||||||
command: "{{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
|
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
|
||||||
environment:
|
environment:
|
||||||
- MASTERS: "{% for m in groups['etcd'] %}
|
- MASTERS: "{% for m in groups['etcd'] %}
|
||||||
{% if hostvars[m].sync_certs|default(false) %}
|
{% if gen_node_certs[m] %}
|
||||||
{{ m }}
|
{{ m }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}"
|
{% endfor %}"
|
||||||
- HOSTS: "{% for h in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
|
- HOSTS: "{% for h in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
|
||||||
{% if hostvars[h].sync_certs|default(false) %}
|
{% if gen_node_certs[h] %}
|
||||||
{{ h }}
|
{{ h }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}"
|
{% endfor %}"
|
||||||
|
@ -107,12 +107,36 @@
|
||||||
sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
||||||
notify: set etcd_secret_changed
|
notify: set etcd_secret_changed
|
||||||
|
|
||||||
- name: Gen_certs | Copy certs on masters
|
#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
|
||||||
shell: "base64 -d <<< '{{etcd_master_cert_data.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
|
#char limit when using shell command
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
#FIXME(mattymo): Use tempfile module in ansible 2.3
|
||||||
|
- name: Gen_certs | Prepare tempfile for unpacking certs
|
||||||
|
shell: mktemp /tmp/certsXXXXX.tar.gz
|
||||||
|
register: cert_tempfile
|
||||||
|
|
||||||
|
- name: Gen_certs | Write master certs to tempfile
|
||||||
|
copy:
|
||||||
|
content: "{{etcd_master_cert_data.stdout}}"
|
||||||
|
dest: "{{cert_tempfile.stdout}}"
|
||||||
|
owner: root
|
||||||
|
mode: "0600"
|
||||||
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
||||||
|
inventory_hostname != groups['etcd'][0]
|
||||||
|
|
||||||
|
- name: Gen_certs | Unpack certs on masters
|
||||||
|
shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ etcd_cert_dir }}"
|
||||||
no_log: true
|
no_log: true
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
check_mode: no
|
||||||
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
||||||
|
inventory_hostname != groups['etcd'][0]
|
||||||
|
notify: set secret_changed
|
||||||
|
|
||||||
|
- name: Gen_certs | Cleanup tempfile
|
||||||
|
file:
|
||||||
|
path: "{{cert_tempfile.stdout}}"
|
||||||
|
state: absent
|
||||||
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
||||||
inventory_hostname != groups['etcd'][0]
|
inventory_hostname != groups['etcd'][0]
|
||||||
|
|
||||||
|
@ -163,4 +187,3 @@
|
||||||
- name: Gen_certs | update ca-certificates (RedHat)
|
- name: Gen_certs | update ca-certificates (RedHat)
|
||||||
command: update-ca-trust extract
|
command: update-ca-trust extract
|
||||||
when: etcd_ca_cert.changed and ansible_os_family == "RedHat"
|
when: etcd_ca_cert.changed and ansible_os_family == "RedHat"
|
||||||
|
|
||||||
|
|
|
@ -1,16 +1,11 @@
|
||||||
---
|
---
|
||||||
- name: "Check_certs | check if the certs have already been generated on first master"
|
- name: "Check_certs | check if the certs have already been generated on first master"
|
||||||
stat:
|
find:
|
||||||
path: "{{ kube_cert_dir }}/{{ item }}"
|
paths: "{{ kube_cert_dir }}"
|
||||||
|
patterns: "*.pem"
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
register: kubecert_master
|
register: kubecert_master
|
||||||
run_once: true
|
run_once: true
|
||||||
with_items: >-
|
|
||||||
['ca.pem',
|
|
||||||
{% for host in groups['k8s-cluster'] %}
|
|
||||||
'node-{{ host }}-key.pem'
|
|
||||||
{% if not loop.last %}{{','}}{% endif %}
|
|
||||||
{% endfor %}]
|
|
||||||
|
|
||||||
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed' to false"
|
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed' to false"
|
||||||
set_fact:
|
set_fact:
|
||||||
|
@ -18,33 +13,53 @@
|
||||||
gen_certs: false
|
gen_certs: false
|
||||||
secret_changed: false
|
secret_changed: false
|
||||||
|
|
||||||
- name: "Check_certs | Set 'gen_certs' to true"
|
- name: "Check certs | check if a cert already exists on node"
|
||||||
set_fact:
|
|
||||||
gen_certs: true
|
|
||||||
when: "not {{ item.stat.exists }}"
|
|
||||||
run_once: true
|
|
||||||
with_items: "{{ kubecert_master.results }}"
|
|
||||||
|
|
||||||
- name: "Check certs | check if a cert already exists"
|
|
||||||
stat:
|
stat:
|
||||||
path: "{{ kube_cert_dir }}/{{ item }}"
|
path: "{{ kube_cert_dir }}/{{ item }}"
|
||||||
register: kubecert
|
register: kubecert_node
|
||||||
with_items:
|
with_items:
|
||||||
- ca.pem
|
- ca.pem
|
||||||
- node-{{ inventory_hostname }}-key.pem
|
- node-{{ inventory_hostname }}-key.pem
|
||||||
|
|
||||||
|
- name: "Check_certs | Set 'gen_certs' to true"
|
||||||
|
set_fact:
|
||||||
|
gen_certs: true
|
||||||
|
when: "not item in kubecert_master.files|map(attribute='path') | list"
|
||||||
|
run_once: true
|
||||||
|
with_items: >-
|
||||||
|
['{{ kube_cert_dir }}/ca.pem',
|
||||||
|
{% for host in groups['k8s-cluster'] %}
|
||||||
|
'{{ kube_cert_dir }}/node-{{ host }}-key.pem'
|
||||||
|
{% if not loop.last %}{{','}}{% endif %}
|
||||||
|
{% endfor %}]
|
||||||
|
|
||||||
|
- name: "Check_certs | Set 'gen_node_certs' to true"
|
||||||
|
set_fact:
|
||||||
|
gen_node_certs: |-
|
||||||
|
{
|
||||||
|
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
|
||||||
|
{% for host in groups['k8s-cluster'] -%}
|
||||||
|
{% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %}
|
||||||
|
{% if host_cert in existing_certs -%}
|
||||||
|
"{{ host }}": False,
|
||||||
|
{% else -%}
|
||||||
|
"{{ host }}": True,
|
||||||
|
{% endif -%}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
run_once: true
|
||||||
|
|
||||||
|
|
||||||
- name: "Check_certs | Set 'sync_certs' to true"
|
- name: "Check_certs | Set 'sync_certs' to true"
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_certs: true
|
sync_certs: true
|
||||||
when: >-
|
when: >-
|
||||||
{%- set certs = {'sync': False} -%}
|
{%- set certs = {'sync': False} -%}
|
||||||
{%- for host in groups['k8s-cluster'] %}
|
{% if gen_node_certs[inventory_hostname] or
|
||||||
{% if host == inventory_hostname %}
|
(not kubecert_node.results[0].stat.exists|default(False)) or
|
||||||
{% if (not kubecert.results[0].stat.exists|default(False)) or
|
(not kubecert_node.results[1].stat.exists|default(False)) or
|
||||||
(not kubecert.results[1].stat.exists|default(False)) or
|
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|first|map(attribute="checksum")|default('')) -%}
|
||||||
(kubecert.results[1].stat.checksum|default('') != kubecert_master.results[loop.index].stat.checksum|default('')) -%}
|
{%- set _ = certs.update({'sync': True}) -%}
|
||||||
{%- set _ = certs.update({'sync': True}) -%}
|
{% endif %}
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
{%- endfor -%}
|
|
||||||
{{ certs.sync }}
|
{{ certs.sync }}
|
||||||
|
|
||||||
|
|
|
@ -40,12 +40,12 @@
|
||||||
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
|
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
|
||||||
environment:
|
environment:
|
||||||
- MASTERS: "{% for m in groups['kube-master'] %}
|
- MASTERS: "{% for m in groups['kube-master'] %}
|
||||||
{% if hostvars[m].sync_certs|default(true) %}
|
{% if gen_node_certs[m]|default(false) %}
|
||||||
{{ m }}
|
{{ m }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}"
|
{% endfor %}"
|
||||||
- HOSTS: "{% for h in groups['k8s-cluster'] %}
|
- HOSTS: "{% for h in groups['k8s-cluster'] %}
|
||||||
{% if hostvars[h].sync_certs|default(true) %}
|
{% if gen_node_certs[h]|default(true) %}
|
||||||
{{ h }}
|
{{ h }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}"
|
{% endfor %}"
|
||||||
|
|
Loading…
Reference in a new issue