Remove cert rotation code. Remove disclaimer for supported auth methods.

This commit is contained in:
Raj Perera 2017-06-20 00:49:33 -04:00 committed by jwfang
parent d3ea13b3f0
commit a3760a8b84
10 changed files with 8 additions and 19 deletions


@ -68,11 +68,6 @@ following default cluster paramters:
* *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
Kubernetes
* *authorization_mode* - A list of authorization modes that the apiserver should be configured.
Supported values are `['AlwaysAllow', 'RBAC']` (Default: `['AlwaysAllow']`)
* *rotate_kubernetes_certs* - Set this to true to regenerate kubernetes node and master certificates.
Useful if the authorization mode was changed and certificate format
needs to be updated. This will not regenerate the root CA. *(!!Warning!!: Will overwrite old certs.)*
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
private addresses, make sure to pick another values for ``kube_service_addresses``


@ -116,13 +116,10 @@ efk_enabled: false
enable_network_policy: false
## List of authorization plugins that must be configured for
## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported
## at the moment.
## the k8s cluster.
authorization_mode: ['AlwaysAllow']
rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
## Set this flag to re-create kubernetes node and master certificates !!WARNING!!: Will overwrite existing certs.
rotate_kubernetes_certs: false
ssl_ca_dirs: "[
{% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
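Review bot: With the disclaimer dropped, the comment above `authorization_mode` no longer tells an operator what the list may contain or what the shipped default means, and `rbac_enabled` on the following line is derived solely from whether `'RBAC'` appears in it. Since `AlwaysAllow` is the apiserver mode that authorizes every request, the permissive default is easy to keep by accident; a short pointer avoids that, e.g. `## Authorization modes for the apiserver, e.g. ['AlwaysAllow'] (no authorization) or ['RBAC']; see the README for the supported set.` The README hunk in this same commit still lists `['AlwaysAllow', 'RBAC']` as the supported values, so the two should be kept in agreement.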


@ -41,8 +41,7 @@ netchecker_server_memory_requests: 64M
etcd_cert_dir: "/etc/ssl/etcd/ssl"
canal_cert_dir: "/etc/canal/certs"
# RBAC specific resources that will be ignored when RBAC is not enabled.
apiserver_rbac_resources:
kubedns_rbac_resources:
- clusterrole,
- clusterrolebinding,
- sa


@ -21,7 +21,7 @@
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
register: manifests
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled)
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled)
tags: dnsmasq
# see https://github.com/kubernetes/kubernetes/issues/45084
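Review bot: The test `item.type not in kubedns_rbac_resources` on the new `when:` line can never match `clusterrole` or `clusterrolebinding` if the list is the one defined in the defaults section of this commit, because those entries are written `- clusterrole,` and `- clusterrolebinding,` — in a block sequence the trailing comma is part of the plain scalar, so the list holds the strings `clusterrole,` and `clusterrolebinding,` rather than the type names. The effect is that the kubedns-autoscaler clusterrole and clusterrolebinding items are included in `manifests` even when `rbac_enabled` is false, contradicting the comment `# RBAC specific resources that will be ignored when RBAC is not enabled.` above that list. The fix belongs in the defaults: `- clusterrole` and `- clusterrolebinding` without commas. The task's `with_items` list starts before this hunk, so only its last two entries are visible here.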


@ -12,7 +12,7 @@
- name: Helm | Lay Down Helm Manifests (RBAC)
template:
src: "manifests/{{item.file}}"
src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}"
with_items:
- {name: tiller, file: tiller-sa.yml, type: sa}
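Review bot: This hunk changes only `src`, while another section of the same commit renames `apiserver_rbac_resources` to `kubedns_rbac_resources`; if this task's `when:` (outside the hunk) still gates its RBAC-typed items on `apiserver_rbac_resources`, that name is now undefined and the conditional will fail at runtime — worth confirming, since the task is named `Helm | Lay Down Helm Manifests (RBAC)` and its items carry a `type:`. As a point of style, the new `src: "{{item.file}}"` writes the Jinja expression without inner spaces whereas the rest of this commit uses `{{ kube_cert_dir }}`; `src: "{{ item.file }}"` keeps the file consistent. The `with_items` list continues past the end of the hunk.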


@ -7,4 +7,4 @@
- name: "Pre-upgrade | Make sure to restart kubelet if certificates changed"
command: /bin/true
notify: restart kubelet if secrets changed
notify: restart kubelet if secrets changed


@ -1,4 +1,2 @@
---
kube_cert_group: kube-cert
rotate_kubernetes_certs: false # set this to true to regenerate certificates


@ -25,7 +25,7 @@
- name: "Check_certs | Set 'gen_certs' to true"
set_fact:
gen_certs: true
when: "rotate_kubernetes_certs or item not in (kubecert_master.files|map(attribute='path')|list)"
when: "item not in (kubecert_master.files|map(attribute='path')|list)"
run_once: true
with_items: >-
['{{ kube_cert_dir }}/ca.pem',
@ -41,7 +41,7 @@
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
{% for host in groups['k8s-cluster'] -%}
{% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %}
{% if host_cert in existing_certs and not rotate_kubernetes_certs -%}
{% if host_cert in existing_certs -%}
"{{ host }}": False,
{% else -%}
"{{ host }}": True,
@ -62,5 +62,5 @@
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
{%- set _ = certs.update({'sync': True}) -%}
{% endif %}
{{ rotate_kubernetes_certs or certs.sync }}
{{ certs.sync }}
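Review bot: After this change `gen_certs` is set only when a path is absent from `kubecert_master.files`, so an existing but stale certificate (wrong SANs, or a format that changed along with the authorization mode, which the README text removed by this commit used to call out) is never regenerated, and nothing in the task states that. I would add above the `Check_certs | Set 'gen_certs' to true` task: `# Certificates are generated only when the file is missing; remove the relevant files from kube_cert_dir to force regeneration.` The same presence-only assumption now governs the other two hunks of this file (`{% if host_cert in existing_certs -%}` and the final `{{ certs.sync }}`), which compare only existence and checksums. I cannot tell from here whether any remaining task still offers a forced regeneration path, so the wording may need adjusting.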