Remove cert rotation code. Remove disclaimer for supported auth methods.
This commit is contained in:
parent
d3ea13b3f0
commit
a3760a8b84
10 changed files with 8 additions and 19 deletions
|
@ -68,11 +68,6 @@ following default cluster paramters:
|
|||
* *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
|
||||
Kubernetes
|
||||
* *authorization_mode* - A list of authorization modes that the apiserver should be configured.
|
||||
Supported values are `['AlwaysAllow', 'RBAC']` (Default: `['AlwaysAllow']`)
|
||||
* *rotate_kubernetes_certs* - Set this to true to regenerate kubernetes node and master certificates.
|
||||
Useful if the authorization mode was changed and certificate format
|
||||
needs to be updated. This will not regenerate the root CA. *(!!Warning!!: Will overwrite old certs.)*
|
||||
|
||||
|
||||
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
|
||||
private addresses, make sure to pick another values for ``kube_service_addresses``
|
||||
|
|
|
@ -116,13 +116,10 @@ efk_enabled: false
|
|||
enable_network_policy: false
|
||||
|
||||
## List of authorization plugins that must be configured for
|
||||
## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported
|
||||
## at the moment.
|
||||
## the k8s cluster.
|
||||
authorization_mode: ['AlwaysAllow']
|
||||
rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
|
||||
|
||||
## Set this flag to re-create kubernetes node and master certificates !!WARNING!!: Will overwrite existing certs.
|
||||
rotate_kubernetes_certs: false
|
||||
|
||||
ssl_ca_dirs: "[
|
||||
{% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
|
||||
|
|
|
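Review bot: Dropping the "Only 'AlwaysAllow' and 'RBAC' is supported" sentence leaves `authorization_mode` with no statement of which values the playbooks accept, while `rbac_enabled` on the next line only recognises the string `'RBAC'`, so anything else silently runs with RBAC resources skipped. Keep the accepted values in the comment and say what the default does, e.g. replace the two `##` lines with `## Authorization modes configured on the apiserver. Supported: 'AlwaysAllow' (no authorization checks — not for production) and 'RBAC'.`. The `rbac_enabled` value is a Jinja string rather than a YAML boolean; that appears intentional for Ansible's conditional evaluation, but a one-line comment saying so would help. The surrounding `ssl_ca_dirs` template continues outside the hunk.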
@ -41,8 +41,7 @@ netchecker_server_memory_requests: 64M
|
|||
etcd_cert_dir: "/etc/ssl/etcd/ssl"
|
||||
canal_cert_dir: "/etc/canal/certs"
|
||||
|
||||
# RBAC specific resources that will be ignored when RBAC is not enabled.
|
||||
apiserver_rbac_resources:
|
||||
kubedns_rbac_resources:
|
||||
- clusterrole,
|
||||
- clusterrolebinding,
|
||||
- sa
|
||||
|
|
|
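Review bot: The renamed list still carries trailing commas on `- clusterrole,` and `- clusterrolebinding,`, so the YAML values are the strings `clusterrole,` and `clusterrolebinding,` rather than the type names used in manifests. The consumer in the hunk at `@ -21,7 +21,7 @@` tests `item.type not in kubedns_rbac_resources`, which therefore never matches those two types, and the clusterrole/clusterrolebinding manifests would be laid down even when `rbac_enabled` is false; only `- sa` is matched as intended. These lines look like unchanged context, but since the commit renames the list and rewires its consumer, fixing them here is cheap: `- clusterrole` and `- clusterrolebinding`.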
@ -21,7 +21,7 @@
|
|||
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
|
||||
register: manifests
|
||||
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled)
|
||||
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled)
|
||||
tags: dnsmasq
|
||||
|
||||
# see https://github.com/kubernetes/kubernetes/issues/45084
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
- name: Helm | Lay Down Helm Manifests (RBAC)
|
||||
template:
|
||||
src: "manifests/{{item.file}}"
|
||||
src: "{{item.file}}"
|
||||
dest: "{{kube_config_dir}}/{{item.file}}"
|
||||
with_items:
|
||||
- {name: tiller, file: tiller-sa.yml, type: sa}
|
||||
|
|
|
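Review bot: Changing `src` from `manifests/{{item.file}}` to `{{item.file}}` moves the template lookup out of the `manifests/` subdirectory, which is unrelated to the commit's stated purpose of removing cert rotation and the auth-method disclaimer. Confirm that `tiller-sa.yml` is relocated in this same commit (the diffstat reports 10 files but the file list is not visible here); if it is not, the template module fails at runtime on the missing source. The task's `when` condition, if it has one, lies outside the hunk, so whether this task is gated on `rbac_enabled` cannot be checked from here.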
@ -1,4 +1,2 @@
|
|||
---
|
||||
kube_cert_group: kube-cert
|
||||
|
||||
rotate_kubernetes_certs: false # set this to true to regenerate certificates
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
- name: "Check_certs | Set 'gen_certs' to true"
|
||||
set_fact:
|
||||
gen_certs: true
|
||||
when: "rotate_kubernetes_certs or item not in (kubecert_master.files|map(attribute='path')|list)"
|
||||
when: "item not in (kubecert_master.files|map(attribute='path')|list)"
|
||||
run_once: true
|
||||
with_items: >-
|
||||
['{{ kube_cert_dir }}/ca.pem',
|
||||
|
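Review bot: With `rotate_kubernetes_certs` gone, `gen_certs` is set only when a certificate path is absent from `kubecert_master`, so a present but expired, mismatched or compromised certificate is never regenerated, and the README hunk that dropped the flag no longer tells operators how to force it. Add a comment next to the task stating the remaining path, e.g. `# Certificates are generated only when missing; remove them from kube_cert_dir to force regeneration.`, and carry the same sentence into the README in place of the removed bullet. The hunks at `@ -41,7 +41,7 @@` and `@ -62,5 +62,5 @@` apply the same existence-only logic to the node certificates.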
@ -41,7 +41,7 @@
|
|||
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
|
||||
{% for host in groups['k8s-cluster'] -%}
|
||||
{% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %}
|
||||
{% if host_cert in existing_certs and not rotate_kubernetes_certs -%}
|
||||
{% if host_cert in existing_certs -%}
|
||||
"{{ host }}": False,
|
||||
{% else -%}
|
||||
"{{ host }}": True,
|
||||
|
@ -62,5 +62,5 @@
|
|||
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
|
||||
{%- set _ = certs.update({'sync': True}) -%}
|
||||
{% endif %}
|
||||
{{ rotate_kubernetes_certs or certs.sync }}
|
||||
{{ certs.sync }}
|
||||
|
||||
|
|