Fix vault file owner issues and k8s apiserver cert creation (#2985)

The apiserver cert should be created only once.
This commit is contained in:
Matthew Mosesohn 2018-07-11 14:58:02 +03:00 committed by GitHub
parent 83d1486a67
commit 97e0de7e29
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 12 additions and 2 deletions


@ -13,6 +13,8 @@
sync_file: "{{ item }}" sync_file: "{{ item }}"
sync_file_dir: "{{ etcd_cert_dir }}" sync_file_dir: "{{ etcd_cert_dir }}"
sync_file_hosts: [ "{{ inventory_hostname }}" ] sync_file_hosts: [ "{{ inventory_hostname }}" ]
sync_file_owner: kube
sync_file_group: root
sync_file_is_cert: true sync_file_is_cert: true
with_items: "{{ etcd_master_cert_list|d([]) }}" with_items: "{{ etcd_master_cert_list|d([]) }}"
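Review bot: The new `sync_file_group: root` hard-codes the group for the synced etcd certs, while the issue_cert vars elsewhere in this commit take the group from a variable (`issue_cert_file_group: "{{ kube_cert_group }}"`); if these files end up alongside certs created with that variable, ownership will diverge whenever the configured group is not root. Either use a variable here as well, e.g. `sync_file_group: "{{ etcd_cert_group | d('root') }}"` if such a variable exists in this role, or add `# etcd certs are intentionally kube:root regardless of kube_cert_group` above the line so the choice reads as deliberate. The task these vars belong to starts outside the hunk.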


@ -44,6 +44,7 @@
issue_cert_file_group: "{{ kube_cert_group }}" issue_cert_file_group: "{{ kube_cert_group }}"
issue_cert_file_owner: kube issue_cert_file_owner: kube
issue_cert_hosts: "{{ groups['kube-master'] }}" issue_cert_hosts: "{{ groups['kube-master'] }}"
issue_cert_run_once: true
issue_cert_ip_sans: >- issue_cert_ip_sans: >-
[ [
{%- for host in groups['kube-master'] -%} {%- for host in groups['kube-master'] -%}
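Review bot: `issue_cert_run_once: true` is added without a comment saying why this cert, unlike the others issued through the same include, must be produced exactly once; the commit message carries that reasoning but the vars block does not. Presumably per-master issuance would yield a different apiserver cert on each host and the later copy step would then overwrite them inconsistently, which is what the flag prevents. Suggest `# Issue the apiserver cert once and let issue_cert copy it to all masters` directly above the new line. The vars mapping this belongs to starts outside the hunk.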


@ -43,7 +43,7 @@
- "{{ vault_pki_mounts.etcd }}" - "{{ vault_pki_mounts.etcd }}"
loop_control: loop_control:
loop_var: mount loop_var: mount
when: inventory_hostname in groups.vault and not vault_cluster_is_initialized when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
- include_tasks: ../shared/gen_ca.yml - include_tasks: ../shared/gen_ca.yml
vars: vars:
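Review bot: The changed `when:` line now evaluates `groups.vault|first`, which fails to template when the vault group is empty, whereas the previous `inventory_hostname in groups.vault` test was simply false; this condition is evaluated on every host in the play, not only vault members. If this task file can be included in a play without vault hosts, guard the expression, e.g. `when: groups.vault|d([])|length > 0 and inventory_hostname == groups.vault|first and not vault_cluster_is_initialized`. The task this condition belongs to starts outside the hunk, so whether an outer include already guarantees a non-empty group is not visible here.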


@ -4,6 +4,8 @@
sync_file: "ca.pem" sync_file: "ca.pem"
sync_file_dir: "{{ vault_cert_dir }}" sync_file_dir: "{{ vault_cert_dir }}"
sync_file_hosts: "{{ groups.vault }}" sync_file_hosts: "{{ groups.vault }}"
sync_file_owner: vault
sync_file_group: root
sync_file_is_cert: true sync_file_is_cert: true
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@ -20,6 +22,8 @@
sync_file: "ca.pem" sync_file: "ca.pem"
sync_file_dir: "{{ vault_cert_dir }}" sync_file_dir: "{{ vault_cert_dir }}"
sync_file_hosts: "{{ groups['kube-master'] }}" sync_file_hosts: "{{ groups['kube-master'] }}"
sync_file_owner: vault
sync_file_group: root
sync_file_is_cert: false sync_file_is_cert: false
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@ -36,6 +40,8 @@
sync_file: "api.pem" sync_file: "api.pem"
sync_file_dir: "{{ vault_cert_dir }}" sync_file_dir: "{{ vault_cert_dir }}"
sync_file_hosts: "{{ groups.vault }}" sync_file_hosts: "{{ groups.vault }}"
sync_file_owner: vault
sync_file_group: root
sync_file_is_cert: true sync_file_is_cert: true
- name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed - name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
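Review bot: In the second hunk (`@ -20,6 +22,8`) the CA file is synced to `groups['kube-master']` with `sync_file_owner: vault`, but a `vault` account is only guaranteed on hosts where the vault service is installed; if a master is not also a vault host the ownership change will presumably fail or leave the file unowned, unlike the two hunks that target `groups.vault`. Confirm that every kube-master host has the `vault` user, or set the owner for that sync to the account that actually consumes the CA on masters, e.g. `sync_file_owner: kube`, as the etcd cert sync in this commit does. The surrounding tasks start outside each hunk.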


@ -45,7 +45,7 @@
state: directory state: directory
recurse: yes recurse: yes
owner: "vault" owner: "vault"
group: "vault" group: "root"
mode: 0755 mode: 0755
- name: gen_certs_vault | install hvac - name: gen_certs_vault | install hvac
@ -87,6 +87,7 @@
format: "{{ issue_cert_format | d('pem') }}" format: "{{ issue_cert_format | d('pem') }}"
ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}" ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
register: issue_cert_result register: issue_cert_result
run_once: "{{ issue_cert_run_once | d(false) }}"
- name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts" - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
copy: copy:
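Review bot: `run_once: "{{ issue_cert_run_once | d(false) }}"` in the second hunk selects the first host of the play batch, and if the issue task also carries a `when:` restricting it to `issue_cert_hosts` (the task header is outside the hunk, so this is inferred), a first host outside that list skips the task for every host and no certificate is ever registered. Pinning the execution host, e.g. `delegate_to: "{{ issue_cert_hosts | first }}"` alongside the new line, keeps the single issuance on a host that is meant to perform it; the registered `issue_cert_result` is still propagated to all hosts when run_once is true, so the copy task below keeps working. A short comment such as `# run_once: one issuance, result is shared with every host for the copy step` would make the interaction with `register` explicit.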