Fix vault file owner issues and k8s apiserver cert creation (#2985)
apiserver cert should be created only once
This commit is contained in:
parent
83d1486a67
commit
97e0de7e29
5 changed files with 12 additions and 2 deletions
|
@ -13,6 +13,8 @@
|
|||
sync_file: "{{ item }}"
|
||||
sync_file_dir: "{{ etcd_cert_dir }}"
|
||||
sync_file_hosts: [ "{{ inventory_hostname }}" ]
|
||||
sync_file_owner: kube
|
||||
sync_file_group: root
|
||||
sync_file_is_cert: true
|
||||
with_items: "{{ etcd_master_cert_list|d([]) }}"
|
||||
|
||||
|
|
|
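Review bot: `sync_file_group: root` on the new line in this hunk hard-codes the group, while the apiserver cert issued elsewhere in the same commit uses `issue_cert_file_group: "{{ kube_cert_group }}"`; if the etcd material synced into `etcd_cert_dir` is meant to be readable by the same group as the other kube certs, `sync_file_group: "{{ kube_cert_group }}"` would keep the two consistent and configurable. If `root` is deliberate (for example because only the `kube` owner needs read access and the private keys must not be group-readable), a one-line comment saying so would stop the next reader from "fixing" it. The enclosing task starts before this hunk.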
@ -44,6 +44,7 @@
|
|||
issue_cert_file_group: "{{ kube_cert_group }}"
|
||||
issue_cert_file_owner: kube
|
||||
issue_cert_hosts: "{{ groups['kube-master'] }}"
|
||||
issue_cert_run_once: true
|
||||
issue_cert_ip_sans: >-
|
||||
[
|
||||
{%- for host in groups['kube-master'] -%}
|
||||
|
|
|
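Review bot: `issue_cert_run_once: true` gives "issue once" only per play batch: Ansible's run_once executes the task on the first host of the current batch, so under `serial` the apiserver cert would be issued again for each batch, and the issuing host is whichever host comes first in the batch rather than necessarily a kube-master. Whether that matters depends on how this task list is included, which is outside the hunk, but a comment such as `# run_once: issue the apiserver cert on a single host; the issue_cert copy step distributes it to issue_cert_hosts` would record the intent and the assumption. The `issue_cert_ip_sans` folded block and the surrounding task continue past the end of the hunk.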
@ -43,7 +43,7 @@
|
|||
- "{{ vault_pki_mounts.etcd }}"
|
||||
loop_control:
|
||||
loop_var: mount
|
||||
when: inventory_hostname in groups.vault and not vault_cluster_is_initialized
|
||||
when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
|
||||
|
||||
- include_tasks: ../shared/gen_ca.yml
|
||||
vars:
|
||||
|
|
|
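Review bot: The new `when` restricts CA generation to the first `vault` host instead of every vault host, so the remaining vault hosts now depend entirely on a later sync of `ca.pem`; nothing in this hunk documents that, and a failed or skipped first host would leave the cluster without any CA until a much later task fails with a less obvious error. A short comment above the task, `# Generate each PKI CA once, on the first vault host; the other vault hosts receive ca.pem via the sync_vault_certs tasks`, would make the dependency explicit. `groups.vault|first` also assumes the inventory order is stable across runs, which is worth stating if anything else keys off the same host. The task's loop definition starts before this hunk and the gen_ca include continues after it.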
@ -4,6 +4,8 @@
|
|||
sync_file: "ca.pem"
|
||||
sync_file_dir: "{{ vault_cert_dir }}"
|
||||
sync_file_hosts: "{{ groups.vault }}"
|
||||
sync_file_owner: vault
|
||||
sync_file_group: root
|
||||
sync_file_is_cert: true
|
||||
|
||||
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
|
||||
|
@ -20,6 +22,8 @@
|
|||
sync_file: "ca.pem"
|
||||
sync_file_dir: "{{ vault_cert_dir }}"
|
||||
sync_file_hosts: "{{ groups['kube-master'] }}"
|
||||
sync_file_owner: vault
|
||||
sync_file_group: root
|
||||
sync_file_is_cert: false
|
||||
|
||||
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
|
||||
|
@ -36,6 +40,8 @@
|
|||
sync_file: "api.pem"
|
||||
sync_file_dir: "{{ vault_cert_dir }}"
|
||||
sync_file_hosts: "{{ groups.vault }}"
|
||||
sync_file_owner: vault
|
||||
sync_file_group: root
|
||||
sync_file_is_cert: true
|
||||
|
||||
- name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
|
||||
|
|
|
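Review bot: In the second hunk of this file (`@ -20,6 +22,8 @@`), `ca.pem` is synced to `groups['kube-master']` with `sync_file_owner: vault`; unless every kube-master host is also a vault host, the `vault` user is unlikely to exist there and the ownership step of the sync would fail on those hosts. The etcd master certs in this commit are synced with `sync_file_owner: kube`, so `sync_file_owner: kube` (or `root`) looks like the safer choice for this non-cert copy of the CA, which is public material anyway. The same `sync_file_owner`/`sync_file_group` pair is repeated verbatim in all three hunks; giving them defaults in the shared sync task (`| d('vault')`, `| d('root')`) would remove the repetition. Each of the three tasks starts before its hunk.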
@ -45,7 +45,7 @@
|
|||
state: directory
|
||||
recurse: yes
|
||||
owner: "vault"
|
||||
group: "vault"
|
||||
group: "root"
|
||||
mode: 0755
|
||||
|
||||
- name: gen_certs_vault | install hvac
|
||||
|
@ -87,6 +87,7 @@
|
|||
format: "{{ issue_cert_format | d('pem') }}"
|
||||
ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
|
||||
register: issue_cert_result
|
||||
run_once: "{{ issue_cert_run_once | d(false) }}"
|
||||
|
||||
- name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
|
||||
copy:
|
||||
|
|
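Review bot: Changing `group: "vault"` to `group: "root"` in the first hunk of this file applies to everything beneath the directory, because the task also sets `recurse: yes`; every existing key and certificate under it is re-grouped to root on each run, which is fine if that is the intended layout but deserves a comment such as `# recurse: keep all existing cert files group-owned by root, matching the sync_vault_certs ownership`. While touching this task, `mode: 0755` is an unquoted octal that YAML 1.1 parses as the integer 493 and Ansible recommends quoting (`mode: "0755"`), and `recurse: yes` would be `recurse: true` under the truthy lint rule. The second hunk's `run_once: "{{ issue_cert_run_once | d(false) }}"` looks correct; note that `register: issue_cert_result` under run_once is populated on every host in the batch, which the following copy task presumably relies on. The directory task begins before the first hunk and the copy task continues past the second.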