Generate external admin.conf with kubeadm (#4056)

* Generate external admin.conf with kubeadm * Fix apiserver sans
2019-01-16 16:30:50 +03:00 · 2019-01-16 16:30:50 +03:00 · eecaba6b84
parent 5a7ac7e5c1
commit eecaba6b84
3 changed files with 32 additions and 29 deletions
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@ -1,11 +1,17 @@
 ---
 - name: Set external kube-apiserver endpoint
  set_fact:
-    external_apiserver_endpoint: >-
+    external_apiserver_address: >-
      {%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
-      https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
+      {{ apiserver_loadbalancer_domain_name }}
      {%- else -%}
-      https://{{ kube_apiserver_access_address }}:{{ kube_apiserver_port }}
+      {{ kube_apiserver_access_address }}
+      {%- endif -%}
+    external_apiserver_port: >-
+      {%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
+      {{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
+      {%- else -%}
+      {{ kube_apiserver_port }}
      {%- endif -%}
  tags:
    - facts
@ -24,12 +30,28 @@
    mode: "0600"
    backup: yes

- name: Copy admin kubeconfig to ansible host
-  fetch:
-    src: "{{ kube_config_dir }}/admin.conf"
+- name: Generate admin kubeconfig with external api endpoint
+  shell: >-
+    {{ bin_dir }}/kubeadm alpha
+    {% if kubeadm_version is version('v1.13.0', '<') %}
+    phase
+    {% endif %}
+    kubeconfig user
+    --client-name kubernetes-admin
+    --org system:masters
+    --cert-dir {{ kube_config_dir }}/ssl
+    --apiserver-advertise-address {{ external_apiserver_address }}
+    --apiserver-bind-port {{ external_apiserver_port }}
+  run_once: yes
+  register: admin_kubeconfig
+
+- name: Write admin kubeconfig on ansible host
+  copy:
+    content: "{{ admin_kubeconfig.stdout }}"
    dest: "{{ artifacts_dir }}/admin.conf"
-    flat: yes
-    validate_checksum: no
+    mode: 0640
+  delegate_to: localhost
+  become: no
  run_once: yes
  when: kubeconfig_localhost|default(false)

--- a/roles/kubernetes/client/templates/admin.conf.j2
+++ b/roles/kubernetes/client/templates/admin.conf.j2
@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Config
-current-context: admin-{{ cluster_name }}
-preferences: {}
-clusters:
- cluster:
-    certificate-authority-data: {{ admin_certs.results[0]['content'] }}
-    server: {{ external_apiserver_endpoint }}
-  name: {{ cluster_name }}
-contexts:
- context:
-    cluster: {{ cluster_name }}
-    user: admin-{{ cluster_name }}
-  name: admin-{{ cluster_name }}
-users:
- name: admin-{{ cluster_name }}
-  user:
-    client-certificate-data: {{ admin_certs.results[1]['content'] }}
-    client-key-data: {{ admin_certs.results[2]['content'] }}
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@ -56,11 +56,11 @@
      {{ ' '.join(groups['kube-master']) }}
      {%- if loadbalancer_apiserver is defined %}
      {{ apiserver_loadbalancer_domain_name }}
-      {%- endif %}
+      {% endif %}
      {% for host in groups['kube-master'] -%}
      {%- if hostvars[host]['access_ip'] is defined -%}
      {{ hostvars[host]['access_ip'] }}
-      {%- endif %}
+      {% endif %}
      {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
      {%- endfor %}
      {%- if supplementary_addresses_in_ssl_keys is defined -%}