Adding in certificate serial numbers to manifests (#1392)
parent
783924e671
commit
8ae77e955e
8 changed files with 56 additions and 1 deletions
|
@ -13,6 +13,11 @@
|
||||||
- include: upd_ca_trust.yml
|
- include: upd_ca_trust.yml
|
||||||
tags: etcd-secrets
|
tags: etcd-secrets
|
||||||
|
|
||||||
|
- name: "Gen_certs | Get etcd certificate serials"
|
||||||
|
shell: "openssl x509 -in {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -noout -serial | cut -d= -f2"
|
||||||
|
register: "node-{{ inventory_hostname }}_serial"
|
||||||
|
when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
|
||||||
|
|
||||||
- include: "install_{{ etcd_deployment_type }}.yml"
|
- include: "install_{{ etcd_deployment_type }}.yml"
|
||||||
when: is_etcd_master
|
when: is_etcd_master
|
||||||
tags: upgrade
|
tags: upgrade
|
||||||
|
|
|
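Review bot: The `register: "node-{{ inventory_hostname }}_serial"` on the new etcd serial task is, as far as I can tell, not expanded — Ansible takes `register` as a literal variable name, so the result is stored under a name containing braces and hyphens rather than a per-host one, and nothing else on this page reads it (the manifests consume `etcd_node_cert_serial` from the kube gen_certs tasks). A plain name such as `register: etcd_node_cert_serial_result` would make the result usable. The `openssl ... | cut` pipeline also returns cut's exit status, so a missing or unreadable certificate yields an empty serial instead of a task failure, and the read-only command reports `changed` on every run; `changed_when: false` together with a check on the output (for example `failed_when: etcd_node_cert_serial_result.stdout == ''`) would cover both. The task list continues outside the hunk.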
@ -34,7 +34,7 @@
|
||||||
|
|
||||||
- name: "Pre-upgrade | remove etcd-proxy if it exists"
|
- name: "Pre-upgrade | remove etcd-proxy if it exists"
|
||||||
command: "{{ docker_bin_dir }}/docker rm -f {{item}}"
|
command: "{{ docker_bin_dir }}/docker rm -f {{item}}"
|
||||||
with_items: "{{etcd_proxy_container.stdout_lines}}"
|
with_items: "{{etcd_proxy_container.stdout_lines|default()}}"
|
||||||
|
|
||||||
- name: "Pre-upgrade | see if etcdctl is installed"
|
- name: "Pre-upgrade | see if etcdctl is installed"
|
||||||
stat:
|
stat:
|
||||||
|
|
|
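Review bot: `with_items: "{{etcd_proxy_container.stdout_lines|default()}}"` guards against an undefined register, but `default()` with no argument yields an empty string, not an empty list, so when the variable is undefined the loop may run once with an empty item and issue `docker rm -f` with no container name. `default([])` gives the empty loop that is presumably intended. `etcd_proxy_container` is registered outside this hunk, so I cannot see under which conditions it is left undefined.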
@ -6,6 +6,9 @@ metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-apiserver
|
k8s-app: kube-apiserver
|
||||||
kubespray: v2
|
kubespray: v2
|
||||||
|
annotations:
|
||||||
|
kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial }}"
|
||||||
|
kubespray.apiserver-cert/serial: "{{ apiserver_cert_serial }}"
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
{% if kube_version | version_compare('v1.6', '>=') %}
|
{% if kube_version | version_compare('v1.6', '>=') %}
|
||||||
|
|
|
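Review bot: The new `annotations:` block on the kube-apiserver manifest carries no comment explaining why certificate serials are rendered into the pod spec, so a reader cannot tell whether they are informational or functional. If the intent is what it looks like — a rotated certificate changes the serial, which changes the static pod manifest and makes kubelet recreate the pod — a one-line comment above the block such as `# cert serials: a changed serial changes the manifest, so kubelet recreates the static pod` would document it. The same applies to the identical blocks in the kube-controller-manager, kube-scheduler and kube-proxy manifest hunks below. Both facts referenced here are set with `|default()` later in this commit, so a failed serial lookup renders as an empty annotation value rather than a template error, which may hide the failure; worth confirming that is acceptable.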
@ -5,6 +5,9 @@ metadata:
|
||||||
namespace: {{system_namespace}}
|
namespace: {{system_namespace}}
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-controller
|
k8s-app: kube-controller
|
||||||
|
annotations:
|
||||||
|
kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial }}"
|
||||||
|
kubespray.controller-manager-cert/serial: "{{ controller_manager_cert_serial }}"
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
{% if kube_version | version_compare('v1.6', '>=') %}
|
{% if kube_version | version_compare('v1.6', '>=') %}
|
||||||
|
|
|
@ -5,6 +5,8 @@ metadata:
|
||||||
namespace: {{ system_namespace }}
|
namespace: {{ system_namespace }}
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-scheduler
|
k8s-app: kube-scheduler
|
||||||
|
annotations:
|
||||||
|
kubespray.scheduler-cert/serial: "{{ scheduler_cert_serial }}"
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
{% if kube_version | version_compare('v1.6', '>=') %}
|
{% if kube_version | version_compare('v1.6', '>=') %}
|
||||||
|
|
|
@ -5,6 +5,8 @@ metadata:
|
||||||
namespace: {{system_namespace}}
|
namespace: {{system_namespace}}
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-proxy
|
k8s-app: kube-proxy
|
||||||
|
annotations:
|
||||||
|
kubespray.kube-proxy-cert/serial: "{{ kube_proxy_cert_serial }}"
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
{% if kube_version | version_compare('v1.6', '>=') %}
|
{% if kube_version | version_compare('v1.6', '>=') %}
|
||||||
|
|
|
@ -75,5 +75,37 @@
|
||||||
- include: upd_ca_trust.yml
|
- include: upd_ca_trust.yml
|
||||||
tags: k8s-secrets
|
tags: k8s-secrets
|
||||||
|
|
||||||
|
- name: "Gen_certs | Get certificate serials on kube masters"
|
||||||
|
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
|
||||||
|
register: "master_certificate_serials"
|
||||||
|
with_items:
|
||||||
|
- "admin-{{ inventory_hostname }}.pem"
|
||||||
|
- "apiserver.pem"
|
||||||
|
- "kube-controller-manager.pem"
|
||||||
|
- "kube-scheduler.pem"
|
||||||
|
when: inventory_hostname in groups['kube-master']
|
||||||
|
|
||||||
|
- name: "Gen_certs | set kube master certificate serial facts"
|
||||||
|
set_fact:
|
||||||
|
etcd_admin_cert_serial: "{{ master_certificate_serials.results[0].stdout|default() }}"
|
||||||
|
apiserver_cert_serial: "{{ master_certificate_serials.results[1].stdout|default() }}"
|
||||||
|
controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
|
||||||
|
scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
|
||||||
|
when: inventory_hostname in groups['kube-master']
|
||||||
|
|
||||||
|
- name: "Gen_certs | Get certificate serials on kube nodes"
|
||||||
|
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
|
||||||
|
register: "node_certificate_serials"
|
||||||
|
with_items:
|
||||||
|
- "node-{{ inventory_hostname }}.pem"
|
||||||
|
- "kube-proxy-{{ inventory_hostname }}.pem"
|
||||||
|
when: inventory_hostname in groups['k8s-cluster']
|
||||||
|
|
||||||
|
- name: "Gen_certs | set kube node certificate serial facts"
|
||||||
|
set_fact:
|
||||||
|
etcd_node_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
|
||||||
|
kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
|
||||||
|
when: inventory_hostname in groups['k8s-cluster']
|
||||||
|
|
||||||
- include: gen_tokens.yml
|
- include: gen_tokens.yml
|
||||||
tags: k8s-secrets
|
tags: k8s-secrets
|
||||||
|
|
|
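Review bot: `etcd_admin_cert_serial` on the first `set_fact` is read from `admin-{{ inventory_hostname }}.pem` in `kube_cert_dir`, which is the kube admin client certificate rather than an etcd certificate, and the fact is not consumed by any manifest on this page; a name such as `kube_admin_cert_serial` would avoid the confusion. The facts are bound to `results[0]`..`results[3]` by position, so reordering `with_items` silently swaps serials — a `# order must match with_items in the task above` comment on each `set_fact` would at least flag it. As in the etcd hunk, the `openssl | cut` tasks report `changed` on every run and mask an openssl failure behind cut's exit status; `changed_when: false` on both shell tasks fixes the first. The new tasks carry no `tags:` while the neighbouring includes are tagged `k8s-secrets`, so a tag-limited run may skip them and leave the facts undefined when the manifests are templated — worth confirming.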
@ -66,3 +66,11 @@
|
||||||
mode: "{{ issue_cert_file_mode | d('0644') }}"
|
mode: "{{ issue_cert_file_mode | d('0644') }}"
|
||||||
owner: "{{ issue_cert_file_owner | d('root') }}"
|
owner: "{{ issue_cert_file_owner | d('root') }}"
|
||||||
when: issue_cert_copy_ca|default(false)
|
when: issue_cert_copy_ca|default(false)
|
||||||
|
|
||||||
|
- name: issue_cert | Copy certificate serial to all hosts
|
||||||
|
copy:
|
||||||
|
content: "{{ hostvars[issue_cert_hosts|first]['issue_cert_result']['json']['data']['serial_number'] }}"
|
||||||
|
dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial }}"
|
||||||
|
group: "{{ issue_cert_file_group | d('root' )}}"
|
||||||
|
mode: "{{ issue_cert_file_mode | d('0640') }}"
|
||||||
|
owner: "{{ issue_cert_file_owner | d('root') }}"
|
||||||
|
|
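Review bot: `dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial }}"` has an unmatched trailing `}}` outside the expression, so the serial is written to a path literally ending in `.serial }}` (with the space and braces) instead of `<base>.serial`; it should read `dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial"`. The `group:` line has stray spacing inside `d('root' )`, harmless but inconsistent with the surrounding lines. `mode` defaults to `0640` here while the certificate copy above defaults to `0644`; the serial is already readable from that certificate, so if the tighter mode is deliberate a short comment would help.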