C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Remove cert rotation code. Remove disclaimer for supported auth methods.

Browse source
This commit is contained in:
Raj Perera 2017-06-20 00:49:33 -04:00
parent 4e95788e17
commit e58d06ddd1
10 changed files with 8 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
docs/vars.md
View file

@ -68,11 +68,6 @@ following default cluster paramters:
* *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
Kubernetes Kubernetes
* *authorization_mode* - A list of authorization modes that the apiserver should be configured. * *authorization_mode* - A list of authorization modes that the apiserver should be configured.
Supported values are `['AlwaysAllow', 'RBAC']` (Default: `['AlwaysAllow']`)
* *rotate_kubernetes_certs* - Set this to true to regenerate kubernetes node and master certificates.
Useful if the authorization mode was changed and certificate format
needs to be updated. This will not regenerate the root CA. *(!!Warning!!: Will overwrite old certs.)*
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances' Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
private addresses, make sure to pick another values for ``kube_service_addresses`` private addresses, make sure to pick another values for ``kube_service_addresses``

5
roles/kargo-defaults/defaults/main.yaml
View file

@ -116,13 +116,10 @@ efk_enabled: false
enable_network_policy: false enable_network_policy: false
## List of authorization plugins that must be configured for ## List of authorization plugins that must be configured for
## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported ## the k8s cluster.
## at the moment.
authorization_mode: ['AlwaysAllow'] authorization_mode: ['AlwaysAllow']
rbac_enabled: "{{ 'RBAC' in authorization_mode }}" rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
## Set this flag to re-create kubernetes node and master certificates !!WARNING!!: Will overwrite existing certs.
rotate_kubernetes_certs: false
ssl_ca_dirs: "[ ssl_ca_dirs: "[
{% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%} {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}

3
roles/kubernetes-apps/ansible/defaults/main.yml
View file

@ -41,8 +41,7 @@ netchecker_server_memory_requests: 64M
etcd_cert_dir: "/etc/ssl/etcd/ssl" etcd_cert_dir: "/etc/ssl/etcd/ssl"
canal_cert_dir: "/etc/canal/certs" canal_cert_dir: "/etc/canal/certs"
# RBAC specific resources that will be ignored when RBAC is not enabled. kubedns_rbac_resources:
apiserver_rbac_resources:
- clusterrole, - clusterrole,
- clusterrolebinding, - clusterrolebinding,
- sa - sa

2
roles/kubernetes-apps/ansible/tasks/main.yml
View file

@ -21,7 +21,7 @@
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding} - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment} - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
register: manifests register: manifests
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled) when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled)
tags: dnsmasq tags: dnsmasq
# see https://github.com/kubernetes/kubernetes/issues/45084 # see https://github.com/kubernetes/kubernetes/issues/45084

2
roles/kubernetes-apps/helm/tasks/main.yml
View file

@ -12,7 +12,7 @@
- name: Helm | Lay Down Helm Manifests (RBAC) - name: Helm | Lay Down Helm Manifests (RBAC)
template: template:
src: "manifests/{{item.file}}" src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}" dest: "{{kube_config_dir}}/{{item.file}}"
with_items: with_items:
- {name: tiller, file: tiller-sa.yml, type: sa} - {name: tiller, file: tiller-sa.yml, type: sa}

0
roles/kubernetes-apps/helm/templates/manifests/tiller-clusterrolebinding.yml → roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
View file

0
roles/kubernetes-apps/helm/templates/manifests/tiller-sa.yml → roles/kubernetes-apps/helm/templates/tiller-sa.yml
View file

2
roles/kubernetes/node/tasks/pre_upgrade.yml
View file

@ -7,4 +7,4 @@
- name: "Pre-upgrade | Make sure to restart kubelet if certificates changed" - name: "Pre-upgrade | Make sure to restart kubelet if certificates changed"
command: /bin/true command: /bin/true
notify: restart kubelet if secrets changed notify: restart kubelet if secrets changed

2
roles/kubernetes/secrets/defaults/main.yml
View file

@ -1,4 +1,2 @@
--- ---
kube_cert_group: kube-cert kube_cert_group: kube-cert
rotate_kubernetes_certs: false # set this to true to regenerate certificates

6
roles/kubernetes/secrets/tasks/check-certs.yml
View file

@ -25,7 +25,7 @@
- name: "Check_certs | Set 'gen_certs' to true" - name: "Check_certs | Set 'gen_certs' to true"
set_fact: set_fact:
gen_certs: true gen_certs: true
when: "rotate_kubernetes_certs or item not in (kubecert_master.files|map(attribute='path')|list)" when: "item not in (kubecert_master.files|map(attribute='path')|list)"
run_once: true run_once: true
with_items: >- with_items: >-
['{{ kube_cert_dir }}/ca.pem', ['{{ kube_cert_dir }}/ca.pem',
@ -41,7 +41,7 @@
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %} {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
{% for host in groups['k8s-cluster'] -%} {% for host in groups['k8s-cluster'] -%}
{% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %} {% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %}
{% if host_cert in existing_certs and not rotate_kubernetes_certs -%} {% if host_cert in existing_certs -%}
"{{ host }}": False, "{{ host }}": False,
{% else -%} {% else -%}
"{{ host }}": True, "{{ host }}": True,
@ -62,5 +62,5 @@
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%} (kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
{%- set _ = certs.update({'sync': True}) -%} {%- set _ = certs.update({'sync': True}) -%}
{% endif %} {% endif %}
{{ rotate_kubernetes_certs or certs.sync }} {{ certs.sync }}