More idempotency fixes
Fixed sync_tokens fact Fixed sync_certs for k8s tokens fact Disabled register docker images changability Fixed CNI dir permission Fix idempotency for etcd pre upgrade checks
This commit is contained in:
parent
3feab1cb2d
commit
a422ad0d50
13 changed files with 69 additions and 43 deletions
|
@ -13,6 +13,7 @@
|
||||||
no_log: true
|
no_log: true
|
||||||
register: docker_images_raw
|
register: docker_images_raw
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
changed_when: false
|
||||||
check_mode: no
|
check_mode: no
|
||||||
when: not download_always_pull|bool
|
when: not download_always_pull|bool
|
||||||
|
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
find:
|
find:
|
||||||
paths: "{{ etcd_cert_dir }}"
|
paths: "{{ etcd_cert_dir }}"
|
||||||
patterns: "ca.pem,node*.pem"
|
patterns: "ca.pem,node*.pem"
|
||||||
|
get_checksum: true
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
register: etcdcert_master
|
register: etcdcert_master
|
||||||
run_once: true
|
run_once: true
|
||||||
|
@ -58,7 +59,7 @@
|
||||||
sync_certs: true
|
sync_certs: true
|
||||||
when: >-
|
when: >-
|
||||||
{%- set certs = {'sync': False} -%}
|
{%- set certs = {'sync': False} -%}
|
||||||
{% if gen_node_certs[inventory_hostname] or
|
{% if gen_node_certs[inventory_hostname] or
|
||||||
(not etcdcert_node.results[0].stat.exists|default(False)) or
|
(not etcdcert_node.results[0].stat.exists|default(False)) or
|
||||||
(not etcdcert_node.results[1].stat.exists|default(False)) or
|
(not etcdcert_node.results[1].stat.exists|default(False)) or
|
||||||
(etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|first|map(attribute="checksum")|default('')) -%}
|
(etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|first|map(attribute="checksum")|default('')) -%}
|
||||||
|
|
|
@ -107,38 +107,38 @@
|
||||||
sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
||||||
notify: set etcd_secret_changed
|
notify: set etcd_secret_changed
|
||||||
|
|
||||||
#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
|
#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
|
||||||
#char limit when using shell command
|
#char limit when using shell command
|
||||||
|
|
||||||
#FIXME(mattymo): Use tempfile module in ansible 2.3
|
#FIXME(mattymo): Use tempfile module in ansible 2.3
|
||||||
- name: Gen_certs | Prepare tempfile for unpacking certs
|
- name: Gen_certs | Prepare tempfile for unpacking certs
|
||||||
shell: mktemp /tmp/certsXXXXX.tar.gz
|
shell: mktemp /tmp/certsXXXXX.tar.gz
|
||||||
register: cert_tempfile
|
register: cert_tempfile
|
||||||
|
|
||||||
- name: Gen_certs | Write master certs to tempfile
|
- name: Gen_certs | Write master certs to tempfile
|
||||||
copy:
|
copy:
|
||||||
content: "{{etcd_master_cert_data.stdout}}"
|
content: "{{etcd_master_cert_data.stdout}}"
|
||||||
dest: "{{cert_tempfile.stdout}}"
|
dest: "{{cert_tempfile.stdout}}"
|
||||||
owner: root
|
owner: root
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
||||||
inventory_hostname != groups['etcd'][0]
|
inventory_hostname != groups['etcd'][0]
|
||||||
|
|
||||||
- name: Gen_certs | Unpack certs on masters
|
- name: Gen_certs | Unpack certs on masters
|
||||||
shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ etcd_cert_dir }}"
|
shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ etcd_cert_dir }}"
|
||||||
no_log: true
|
no_log: true
|
||||||
changed_when: false
|
changed_when: false
|
||||||
check_mode: no
|
check_mode: no
|
||||||
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
||||||
inventory_hostname != groups['etcd'][0]
|
inventory_hostname != groups['etcd'][0]
|
||||||
notify: set secret_changed
|
notify: set secret_changed
|
||||||
|
|
||||||
- name: Gen_certs | Cleanup tempfile
|
- name: Gen_certs | Cleanup tempfile
|
||||||
file:
|
file:
|
||||||
path: "{{cert_tempfile.stdout}}"
|
path: "{{cert_tempfile.stdout}}"
|
||||||
state: absent
|
state: absent
|
||||||
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
||||||
inventory_hostname != groups['etcd'][0]
|
inventory_hostname != groups['etcd'][0]
|
||||||
|
|
||||||
- name: Gen_certs | Copy certs on nodes
|
- name: Gen_certs | Copy certs on nodes
|
||||||
shell: "base64 -d <<< '{{etcd_node_cert_data.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
|
shell: "base64 -d <<< '{{etcd_node_cert_data.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
tags: etcd-secrets
|
tags: etcd-secrets
|
||||||
|
|
||||||
- include: sync_etcd_node_certs.yml
|
- include: sync_etcd_node_certs.yml
|
||||||
when: cert_management == "vault" and inventory_hostname in etcd_node_cert_hosts
|
when: cert_management == "vault" and inventory_hostname in etcd_node_cert_hosts
|
||||||
tags: etcd-secrets
|
tags: etcd-secrets
|
||||||
|
|
||||||
- include: gen_certs_vault.yml
|
- include: gen_certs_vault.yml
|
||||||
|
|
|
@ -28,6 +28,7 @@
|
||||||
- name: "Pre-upgrade | find etcd-proxy container"
|
- name: "Pre-upgrade | find etcd-proxy container"
|
||||||
command: "{{ docker_bin_dir }}/docker ps -aq --filter 'name=etcd-proxy*'"
|
command: "{{ docker_bin_dir }}/docker ps -aq --filter 'name=etcd-proxy*'"
|
||||||
register: etcd_proxy_container
|
register: etcd_proxy_container
|
||||||
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
||||||
- name: "Pre-upgrade | remove etcd-proxy if it exists"
|
- name: "Pre-upgrade | remove etcd-proxy if it exists"
|
||||||
|
@ -47,6 +48,7 @@
|
||||||
until: etcd_member_list.rc != 2
|
until: etcd_member_list.rc != 2
|
||||||
run_once: true
|
run_once: true
|
||||||
when: etcdctl_installed.stat.exists
|
when: etcdctl_installed.stat.exists
|
||||||
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
||||||
- name: "Pre-upgrade | change peer names to SSL"
|
- name: "Pre-upgrade | change peer names to SSL"
|
||||||
|
|
|
@ -13,7 +13,6 @@
|
||||||
|
|
||||||
- name: Install kubectl bash completion
|
- name: Install kubectl bash completion
|
||||||
shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
|
shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
|
||||||
#no_log: true
|
|
||||||
when: ansible_os_family in ["Debian","RedHat"]
|
when: ansible_os_family in ["Debian","RedHat"]
|
||||||
tags: kubectl
|
tags: kubectl
|
||||||
|
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
find:
|
find:
|
||||||
paths: "{{ kube_cert_dir }}"
|
paths: "{{ kube_cert_dir }}"
|
||||||
patterns: "*.pem"
|
patterns: "*.pem"
|
||||||
|
get_checksum: true
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
register: kubecert_master
|
register: kubecert_master
|
||||||
run_once: true
|
run_once: true
|
||||||
|
@ -58,7 +59,7 @@
|
||||||
{% if gen_node_certs[inventory_hostname] or
|
{% if gen_node_certs[inventory_hostname] or
|
||||||
(not kubecert_node.results[0].stat.exists|default(False)) or
|
(not kubecert_node.results[0].stat.exists|default(False)) or
|
||||||
(not kubecert_node.results[1].stat.exists|default(False)) or
|
(not kubecert_node.results[1].stat.exists|default(False)) or
|
||||||
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|first|map(attribute="checksum")|default('')) -%}
|
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
|
||||||
{%- set _ = certs.update({'sync': True}) -%}
|
{%- set _ = certs.update({'sync': True}) -%}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{{ certs.sync }}
|
{{ certs.sync }}
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
|
|
||||||
- name: "Check tokens | check if a cert already exists"
|
- name: "Check tokens | check if a cert already exists"
|
||||||
stat:
|
stat:
|
||||||
path: "{{ kube_cert_dir }}/ca.pem"
|
path: "{{ kube_token_dir }}/known_tokens.csv"
|
||||||
register: known_tokens
|
register: known_tokens
|
||||||
|
|
||||||
- name: "Check_tokens | Set 'sync_tokens' to true"
|
- name: "Check_tokens | Set 'sync_tokens' to true"
|
||||||
|
|
|
@ -106,6 +106,8 @@
|
||||||
- name: Gen_certs | Prepare tempfile for unpacking certs
|
- name: Gen_certs | Prepare tempfile for unpacking certs
|
||||||
shell: mktemp /tmp/certsXXXXX.tar.gz
|
shell: mktemp /tmp/certsXXXXX.tar.gz
|
||||||
register: cert_tempfile
|
register: cert_tempfile
|
||||||
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
||||||
|
inventory_hostname != groups['kube-master'][0]
|
||||||
|
|
||||||
- name: Gen_certs | Write master certs to tempfile
|
- name: Gen_certs | Write master certs to tempfile
|
||||||
copy:
|
copy:
|
||||||
|
@ -149,13 +151,9 @@
|
||||||
path: "{{ kube_cert_dir }}"
|
path: "{{ kube_cert_dir }}"
|
||||||
group: "{{ kube_cert_group }}"
|
group: "{{ kube_cert_group }}"
|
||||||
owner: kube
|
owner: kube
|
||||||
|
mode: "u=rwX,g-rwx,o-rwx"
|
||||||
recurse: yes
|
recurse: yes
|
||||||
|
|
||||||
- name: Gen_certs | set permissions on keys
|
|
||||||
shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
|
|
||||||
when: inventory_hostname in groups['kube-master']
|
|
||||||
changed_when: false
|
|
||||||
|
|
||||||
- name: Gen_certs | target ca-certificates path
|
- name: Gen_certs | target ca-certificates path
|
||||||
set_fact:
|
set_fact:
|
||||||
ca_cert_path: |-
|
ca_cert_path: |-
|
||||||
|
|
|
@ -39,9 +39,9 @@
|
||||||
- name: Gen_tokens | Get list of tokens from first master
|
- name: Gen_tokens | Get list of tokens from first master
|
||||||
shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
|
shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
|
||||||
register: tokens_list
|
register: tokens_list
|
||||||
changed_when: false
|
|
||||||
check_mode: no
|
check_mode: no
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
|
run_once: true
|
||||||
when: sync_tokens|default(false)
|
when: sync_tokens|default(false)
|
||||||
|
|
||||||
- name: Gen_tokens | Gather tokens
|
- name: Gen_tokens | Gather tokens
|
||||||
|
@ -54,6 +54,5 @@
|
||||||
|
|
||||||
- name: Gen_tokens | Copy tokens on masters
|
- name: Gen_tokens | Copy tokens on masters
|
||||||
shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
|
shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
|
||||||
changed_when: false
|
|
||||||
when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and
|
when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and
|
||||||
inventory_hostname != groups['kube-master'][0]
|
inventory_hostname != groups['kube-master'][0]
|
||||||
|
|
|
@ -41,7 +41,7 @@
|
||||||
notify: restart calico-node
|
notify: restart calico-node
|
||||||
|
|
||||||
- name: Calico | Copy cni plugins from hyperkube
|
- name: Calico | Copy cni plugins from hyperkube
|
||||||
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/"
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
|
||||||
register: cni_task_result
|
register: cni_task_result
|
||||||
until: cni_task_result.rc == 0
|
until: cni_task_result.rc == 0
|
||||||
retries: 4
|
retries: 4
|
||||||
|
@ -59,6 +59,14 @@
|
||||||
when: "{{ overwrite_hyperkube_cni|bool }}"
|
when: "{{ overwrite_hyperkube_cni|bool }}"
|
||||||
tags: [hyperkube, upgrade]
|
tags: [hyperkube, upgrade]
|
||||||
|
|
||||||
|
- name: Calico | Set cni directory permissions
|
||||||
|
file:
|
||||||
|
path: /opt/cni/bin
|
||||||
|
state: directory
|
||||||
|
owner: kube
|
||||||
|
recurse: true
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
- name: Calico | wait for etcd
|
- name: Calico | wait for etcd
|
||||||
uri:
|
uri:
|
||||||
url: https://localhost:2379/health
|
url: https://localhost:2379/health
|
||||||
|
@ -80,6 +88,7 @@
|
||||||
register: calico_conf
|
register: calico_conf
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
run_once: true
|
run_once: true
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
- name: Calico | Configure calico network pool
|
- name: Calico | Configure calico network pool
|
||||||
shell: >
|
shell: >
|
||||||
|
|
|
@ -44,7 +44,7 @@
|
||||||
register: canal_node_manifest
|
register: canal_node_manifest
|
||||||
|
|
||||||
- name: Canal | Copy cni plugins from hyperkube
|
- name: Canal | Copy cni plugins from hyperkube
|
||||||
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/"
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
|
||||||
register: cni_task_result
|
register: cni_task_result
|
||||||
until: cni_task_result.rc == 0
|
until: cni_task_result.rc == 0
|
||||||
retries: 4
|
retries: 4
|
||||||
|
@ -61,6 +61,14 @@
|
||||||
changed_when: false
|
changed_when: false
|
||||||
tags: [hyperkube, upgrade]
|
tags: [hyperkube, upgrade]
|
||||||
|
|
||||||
|
- name: Canal | Set cni directory permissions
|
||||||
|
file:
|
||||||
|
path: /opt/cni/bin
|
||||||
|
state: directory
|
||||||
|
owner: kube
|
||||||
|
recurse: true
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
- name: Canal | Install calicoctl container script
|
- name: Canal | Install calicoctl container script
|
||||||
template:
|
template:
|
||||||
src: calicoctl-container.j2
|
src: calicoctl-container.j2
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Cloud | Copy cni plugins from hyperkube
|
- name: Cloud | Copy cni plugins from hyperkube
|
||||||
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
|
||||||
register: cni_task_result
|
register: cni_task_result
|
||||||
|
@ -7,3 +6,12 @@
|
||||||
retries: 4
|
retries: 4
|
||||||
delay: "{{ retry_stagger | random + 3 }}"
|
delay: "{{ retry_stagger | random + 3 }}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Cloud | Set cni directory permissions
|
||||||
|
file:
|
||||||
|
path: /opt/cni/bin
|
||||||
|
state: directory
|
||||||
|
owner: kube
|
||||||
|
recurse: true
|
||||||
|
mode: "u=rwX,g-rwx,o-rwx"
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue