Remove cert rotation code. Remove disclaimer for supported auth methods.

Raj Perera 2017-06-20 00:49:33 -04:00 committed by jwfang
parent d3ea13b3f0
commit a3760a8b84
10 changed files with 8 additions and 19 deletions


@ -68,11 +68,6 @@ following default cluster paramters:
* *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
Kubernetes Kubernetes
* *authorization_mode* - A list of authorization modes that the apiserver should be configured. * *authorization_mode* - A list of authorization modes that the apiserver should be configured.
Supported values are `['AlwaysAllow', 'RBAC']` (Default: `['AlwaysAllow']`)
* *rotate_kubernetes_certs* - Set this to true to regenerate kubernetes node and master certificates.
Useful if the authorization mode was changed and certificate format
needs to be updated. This will not regenerate the root CA. *(!!Warning!!: Will overwrite old certs.)*
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances' Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
private addresses, make sure to pick another values for ``kube_service_addresses`` private addresses, make sure to pick another values for ``kube_service_addresses``


@ -116,13 +116,10 @@ efk_enabled: false
enable_network_policy: false enable_network_policy: false
## List of authorization plugins that must be configured for ## List of authorization plugins that must be configured for
## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported ## the k8s cluster.
## at the moment.
authorization_mode: ['AlwaysAllow'] authorization_mode: ['AlwaysAllow']
rbac_enabled: "{{ 'RBAC' in authorization_mode }}" rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
## Set this flag to re-create kubernetes node and master certificates !!WARNING!!: Will overwrite existing certs.
rotate_kubernetes_certs: false
ssl_ca_dirs: "[ ssl_ca_dirs: "[
{% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%} {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
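Review bot: Dropping the "Only 'AlwaysAllow' and 'RBAC' is supported" sentence leaves `authorization_mode` with no statement of what values are expected, while the line below it still derives `rbac_enabled` from `'RBAC' in authorization_mode`. A reader of the new comment cannot tell that only the presence of `RBAC` in the list has any effect on this playbook's behaviour. Suggest extending the remaining comment to `## the k8s cluster, e.g. ['AlwaysAllow'] or ['AlwaysAllow', 'RBAC']; 'RBAC' in this list sets rbac_enabled below.` so the link between the two variables is documented.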


@ -41,8 +41,7 @@ netchecker_server_memory_requests: 64M
etcd_cert_dir: "/etc/ssl/etcd/ssl" etcd_cert_dir: "/etc/ssl/etcd/ssl"
canal_cert_dir: "/etc/canal/certs" canal_cert_dir: "/etc/canal/certs"
# RBAC specific resources that will be ignored when RBAC is not enabled. kubedns_rbac_resources:
apiserver_rbac_resources:
- clusterrole, - clusterrole,
- clusterrolebinding, - clusterrolebinding,
- sa - sa
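Review bot: The sequence items under `kubedns_rbac_resources:` carry trailing commas, so YAML parses them as the strings `clusterrole,` and `clusterrolebinding,` rather than the type names, and the `item.type not in kubedns_rbac_resources` test in the dns task hunk below never matches those two types; only `sa` is actually skipped when RBAC is disabled. The commit renames the variable without fixing this; the items should read `- clusterrole`, `- clusterrolebinding`, `- sa`. The explanatory comment `# RBAC specific resources that will be ignored when RBAC is not enabled.` is also dropped on the new side and should be kept above the renamed key.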


@ -21,7 +21,7 @@
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding} - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment} - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
register: manifests register: manifests
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled) when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled)
tags: dnsmasq tags: dnsmasq
# see https://github.com/kubernetes/kubernetes/issues/45084 # see https://github.com/kubernetes/kubernetes/issues/45084


@ -12,7 +12,7 @@
- name: Helm | Lay Down Helm Manifests (RBAC) - name: Helm | Lay Down Helm Manifests (RBAC)
template: template:
src: "manifests/{{item.file}}" src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}" dest: "{{kube_config_dir}}/{{item.file}}"
with_items: with_items:
- {name: tiller, file: tiller-sa.yml, type: sa} - {name: tiller, file: tiller-sa.yml, type: sa}
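Review bot: Style: the changed `src: "{{item.file}}"` line (and `dest` beneath it) omits the spaces inside the Jinja braces that the rest of this commit uses (`{{ kube_cert_dir }}`, `{{ host }}`); write `src: "{{ item.file }}"` and `dest: "{{ kube_config_dir }}/{{ item.file }}"`. Removing the `manifests/` prefix presumably relies on the files being found under the role's default template lookup path; a one-line comment above `template:` saying where the manifests now live would spare the next reader a search. The task's `with_items` list continues outside the hunk.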


@ -7,4 +7,4 @@
- name: "Pre-upgrade | Make sure to restart kubelet if certificates changed" - name: "Pre-upgrade | Make sure to restart kubelet if certificates changed"
command: /bin/true command: /bin/true
notify: restart kubelet if secrets changed notify: restart kubelet if secrets changed
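Review bot: `command: /bin/true` reports changed on every run, so `notify: restart kubelet if secrets changed` fires unconditionally unless the one line of this task not visible in the hunk carries a `when:` or `changed_when:`, which would contradict the task name's "if certificates changed". If no such guard exists, add a `changed_when:` tied to the result of the certificate check so the handler is only notified when certificates were actually regenerated. The task's remaining line is outside the hunk.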


@ -1,4 +1,2 @@
--- ---
kube_cert_group: kube-cert kube_cert_group: kube-cert
rotate_kubernetes_certs: false # set this to true to regenerate certificates


@ -25,7 +25,7 @@
- name: "Check_certs | Set 'gen_certs' to true" - name: "Check_certs | Set 'gen_certs' to true"
set_fact: set_fact:
gen_certs: true gen_certs: true
when: "rotate_kubernetes_certs or item not in (kubecert_master.files|map(attribute='path')|list)" when: "item not in (kubecert_master.files|map(attribute='path')|list)"
run_once: true run_once: true
with_items: >- with_items: >-
['{{ kube_cert_dir }}/ca.pem', ['{{ kube_cert_dir }}/ca.pem',
@ -41,7 +41,7 @@
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %} {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
{% for host in groups['k8s-cluster'] -%} {% for host in groups['k8s-cluster'] -%}
{% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %} {% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %}
{% if host_cert in existing_certs and not rotate_kubernetes_certs -%} {% if host_cert in existing_certs -%}
"{{ host }}": False, "{{ host }}": False,
{% else -%} {% else -%}
"{{ host }}": True, "{{ host }}": True,
@ -62,5 +62,5 @@
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%} (kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
{%- set _ = certs.update({'sync': True}) -%} {%- set _ = certs.update({'sync': True}) -%}
{% endif %} {% endif %}
{{ rotate_kubernetes_certs or certs.sync }} {{ certs.sync }}
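Review bot: With `rotate_kubernetes_certs` removed from the `gen_certs` condition (first hunk), the per-host map (second hunk) and the sync result (third hunk), certificates are now regenerated only when a file is missing from the master's cert directory, so there is no supported way to force re-issuance — for example after a change of `authorization_mode`, which the removed documentation named as the reason for rotation, or to replace expiring or compromised keys — short of deleting the files on the first master by hand. Nothing in this file says so; add a comment above the `Check_certs | Set 'gen_certs' to true` task such as `# Certificates are only (re)generated when missing from kube_cert_dir on the first master; remove the files there to force re-issuance.` so operators know the procedure. If these tasks are expected to serve renewal, consider keeping an explicit force flag instead of relying on file deletion.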