From bd0f7878091cb75613aca098d386ee25d424e917 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Fri, 30 Dec 2016 12:55:26 +0300
Subject: [PATCH] Fix etcd cert generation to support large deployments
Due to bash max args limits, we should pass all node filenames and base64-encoded tar data through stdin/stdout instead.
Fixes #832
---
 roles/etcd/tasks/gen_certs.yml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/roles/etcd/tasks/gen_certs.yml b/roles/etcd/tasks/gen_certs.yml
index 02d9d62dd..3dcec8499 100644
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -73,7 +73,9 @@
 tags: facts
 - name: Gen_certs | Gather etcd master certs
- shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
+ shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
+ args:
+ executable: /bin/bash
 register: etcd_master_cert_data
 delegate_to: "{{groups['etcd'][0]}}"
 when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
@@ -81,7 +83,9 @@
 notify: set etcd_secret_changed
 - name: Gen_certs | Gather etcd node certs
- shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_node_certs|join(' ') }} | base64 --wrap=0"
+ shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_node_certs|join(' ') }} | base64 --wrap=0"
+ args:
+ executable: /bin/bash
 register: etcd_node_cert_data
 delegate_to: "{{groups['etcd'][0]}}"
 when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
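Review bot: The unquoted here-string in the new `Gather etcd master certs` shell line hands only the first filename to `-T /dev/stdin`: bash takes exactly one word after `<<<`, so every remaining name is still passed to tar as a command-line argument and the ARG_MAX failure the commit targets is not removed for large inventories (the same applies to `Gather etcd node certs` in the next hunk). GNU tar's `-T` also reads one name per line, so simply quoting the space-joined list would make tar look for a single bogus path. Feeding the names through the `printf` builtin, which is not subject to exec argument limits, fixes both: `shell: "printf '%s\\n' {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | tar cfz - -C {{ etcd_cert_dir }} -T - | base64 --wrap=0"` (the doubled backslash keeps `\n` intact through the YAML double-quoted scalar). The registered `etcd_master_cert_data` holds the whole archive, so if these lists include private key files the key material will appear in verbose or logged task output unless the task carries `no_log: true`.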
@@ -89,13 +93,17 @@
 notify: set etcd_secret_changed
 - name: Gen_certs | Copy certs on masters
- shell: "echo '{{etcd_master_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
+ shell: "base64 -d <<< '{{etcd_master_cert_data.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
+ args:
+ executable: /bin/bash
 changed_when: false
 when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
 inventory_hostname != groups['etcd'][0]
 - name: Gen_certs | Copy certs on nodes
- shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
+ shell: "base64 -d <<< '{{etcd_node_cert_data.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
+ args:
+ executable: /bin/bash
 changed_when: false
 when: sync_certs|default(false) and
 inventory_hostname not in groups['etcd']
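Review bot: Both `Copy certs` tasks still embed the full base64 archive in the command string, so it is shown as the task's `cmd` in verbose or logged output and is readable in the target's process arguments for as long as bash runs; if `etcd_master_cert_data` / `etcd_node_cert_data` carry private keys, both tasks (and the gathering tasks that register them) should get `no_log: true`. Because Ansible passes the whole line to `bash -c` as a single argument, the per-argument length limit (MAX_ARG_STRLEN, 128 KiB on Linux) still caps the archive size, so this change raises the ceiling rather than removing it — worth a comment here, or a later move to a file-based transfer such as `slurp`/`copy`. Bash implements here-strings with a temporary file in at least older releases, so the decoded-before-extract data may transiently land under `$TMPDIR` on the target, which the previous `echo` pipeline did not do; that is presumably acceptable for the certificate directory owner but should be a conscious choice.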