Use tar+register instead of copy/slurp for distributing tokens and certs

Related bug: https://github.com/ansible/ansible/issues/15405

Uses tar and register because synchronize module cannot sudo on the
remote side correctly and copy is too slow.

This patch dramatically cuts down the number of tasks to process
for cert synchronization.
This commit is contained in:
Matthew Mosesohn 2016-10-21 14:21:46 +03:00
parent f440f74e3b
commit 94b81dbdd7
2 changed files with 22 additions and 28 deletions

View file

@ -27,31 +27,30 @@
master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem'] master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem']
node_certs: ['ca.pem', 'node.pem', 'node-key.pem'] node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
- name: Gen_certs | Get the certs from first master - name: Gen_certs | Gather master certs
slurp: shell: "tar cfz - -C {{ kube_cert_dir }} {{ master_certs|join(' ') }} {{ node_certs|join(' ') }} | base64 --wrap=0"
src: "{{ kube_cert_dir }}/{{ item }}" register: master_cert_data
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
register: slurp_certs
with_items: '{{ master_certs + node_certs }}'
when: sync_certs|default(false)
run_once: true run_once: true
notify: set secret_changed when: sync_certs|default(false)
- name: Gen_certs | Gather node certs
shell: "tar cfz - -C {{ kube_cert_dir }} {{ node_certs|join(' ') }} | base64 --wrap=0"
register: node_cert_data
delegate_to: "{{groups['kube-master'][0]}}"
run_once: true
when: sync_certs|default(false)
- name: Gen_certs | Copy certs on masters - name: Gen_certs | Copy certs on masters
copy: shell: "echo '{{master_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
content: "{{ item.content|b64decode }}" changed_when: false
dest: "{{ item.source }}"
with_items: '{{slurp_certs.results}}'
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
- name: Gen_certs | Copy certs on nodes - name: Gen_certs | Copy certs on nodes
copy: shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
content: "{{ item.content|b64decode }}" changed_when: false
dest: "{{ item.source }}" when: inventory_hostname in groups['kube-node'] and sync_certs|default(false) and
with_items: '{{slurp_certs.results}}'
when: item.item in node_certs and
inventory_hostname in groups['kube-node'] and sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
- name: Gen_certs | check certificate permissions - name: Gen_certs | check certificate permissions

View file

@ -43,20 +43,15 @@
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
when: sync_tokens|default(false) when: sync_tokens|default(false)
- name: Gen_tokens | Get the tokens from first master - name: Gen_tokens | Gather tokens
slurp: shell: "tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
src: "{{ item }}" register: tokens_data
register: slurp_tokens
with_items: '{{tokens_list.stdout_lines}}'
run_once: true
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
run_once: true
when: sync_tokens|default(false) when: sync_tokens|default(false)
notify: set secret_changed
- name: Gen_tokens | Copy tokens on masters - name: Gen_tokens | Copy tokens on masters
copy: shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
content: "{{ item.content|b64decode }}" changed_when: false
dest: "{{ item.source }}"
with_items: '{{slurp_tokens.results}}'
when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]