Erwan Miran
fcd8d850dc
Fix ansible syntax to avoid ansible warnings (again) ( #3509 )
...
* Fix ansible syntax to avoid ansible warnings (again)
* warn: false on tar -cfz
* wrong placement of warn:false
2018-10-15 23:47:04 -07:00
Erwan Miran
dd5327ef9e
Fix ansible syntax to avoid ansible warnings ( #3499 )
2018-10-11 00:45:00 -07:00
Erwan Miran
2ab2f3a0a3
Ability to define SSL certificates duration and SSL key size ( #3482 )
...
* Ability to specify ssl certificate duration and ssl key size - etcd/secrets
* Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
2018-10-09 04:43:30 -07:00
Dylan
30132d8c35
Removed hostname truncation. ( #3409 )
2018-10-08 05:14:01 -07:00
Shida Qiu
8b8e534769
remove the redundant space ( #3400 )
2018-09-27 03:32:26 -07:00
Rong Zhang
9075dbdd3c
Merge pull request #2875 from bradbeam/movault
...
Adding cluster_name to api cert alt name for vault
2018-08-07 17:36:04 +08:00
Matthew Mosesohn
97e0de7e29
Fix vault file owner issues and k8s apiserver cert creation ( #2985 )
...
apiserver cert should be created only once
2018-07-11 14:58:02 +03:00
Matthew Mosesohn
5c617c5a8b
Add tags to deploy components by --tags option ( #2960 )
...
* Add tags for cert serial tasks
This will help facilitate tag-based deployment of specific components.
* fixup kubernetes node
2018-07-06 09:12:13 +03:00
Yumo Yang
6c2f169ea2
update test-pr2 ( #2911 )
2018-06-22 13:22:26 +03:00
Brad Beam
3d819a6edd
Adding cluster_name to api cert alt name for vault
2018-06-12 14:15:07 -05:00
Matthew Mosesohn
59be578842
Revert "wip pr for improved cert sync" ( #2849 )
2018-06-06 17:22:25 +03:00
Matthew Mosesohn
7433348aae
wip pr for improved cert sync
2018-05-30 12:15:11 +03:00
Matthew Mosesohn
07cc981971
refactor vault role ( #2733 )
...
* Move front-proxy-client certs back to kube mount
We want the same CA for all k8s certs
* Refactor vault to use a third party module
The module adds idempotency and reduces some of the repetitive
logic in the vault role
Requires ansible-modules-hashivault on ansible node and hvac
on the vault hosts themselves
Add upgrade test scenario
Remove bootstrap-os tags from tasks
* fix upgrade issues
* improve unseal logic
* specify ca and fix etcd check
* Fix initialization check
bump machine size
2018-05-11 19:11:38 +03:00
Chad Swenson
595e96ebf1
Merge pull request #2693 from romaindequidt/sync-certs-tasks-fix
...
sync certs tasks (fix #2596 #2667 )
2018-05-02 12:17:23 -05:00
Tomasz Majchrowski
59789ae02a
ISSUE-2706: Provide consistent usage of supplementary_addresses_in_ssl_keys across vault and script mode ( #2707 )
2018-04-30 14:48:17 +03:00
Markos Chandras
9168c71359
Revert "Revert "Add openSUSE support" ( #2697 )" ( #2699 )
...
This reverts commit 51f4e6585a
.
2018-04-26 12:52:06 +03:00
Matthew Mosesohn
51f4e6585a
Revert "Add openSUSE support" ( #2697 )
2018-04-23 14:28:24 +03:00
Romain DEQUIDT
80dd230a65
sync certs tasks ( fix #2596 #2667 )
2018-04-22 10:00:31 +02:00
Aivars Sterns
1967963702
Merge pull request #2380 from hwoarang/add-opensuse-support
...
Add openSUSE support
2018-04-12 20:28:50 +03:00
Chad Swenson
d87b6fd9f3
Use dedicated front-proxy-ca for front-proxy-client
2018-04-12 11:03:22 -05:00
Markos Chandras
d07f75b389
roles: kubernetes: secrets: Add SUSE support
...
Add path for certificate location for SUSE distributions. Also make sure
the 'update-ca-certificates' command is executed on SUSE hosts as well.
2018-04-11 20:55:02 +01:00
Brad Beam
dfc46f02d7
Adding missing service-account certificate for vault
...
Missed in #2554
2018-04-06 15:29:52 -05:00
georgejdli
76bb5f8d75
check if dedicated service account token signing key exists
2018-04-02 10:57:24 -05:00
Andreas Krüger
d9418b1dc4
Merge pull request #2554 from georgejdli/fix-sa-token-signing
...
Fix kubespray's ServiceAccount token signing keys
2018-03-31 09:59:22 +02:00
Andreas Krüger
887a468d32
Merge pull request #2562 from avoidik/fix-indexes-pr-2251
...
Fix kubecert_node.results indexes
2018-03-31 00:16:11 +02:00
avoidik
72c2a8982b
Fix kubecert_node.results indexes
2018-03-30 17:24:50 +03:00
georgejdli
c8f857eae4
configure kubespray to sign service account tokens with a dedicated and stable key
2018-03-29 09:50:31 -05:00
Andreas Kruger
bf29198efd
Fix merge conflict
2018-03-29 09:11:13 +02:00
Kuldip Madnani
9ebbf1c3cd
Added a fix in openssl.conf template to check if IP of loadbalncer is available or not.
2018-03-28 16:34:26 -05:00
woopstar
0b5404b2b7
Fix
2018-03-28 20:28:04 +02:00
woopstar
0df32b03ca
Update openssl.conf to count better and work with Jinja 2.9
2018-03-28 17:48:56 +02:00
woopstar
b9a949820a
Only copy tokens if tokens_list contains any
2018-03-18 08:42:38 +01:00
Sergey Bondarev
f8fed0f308
change expirations period for generated certificate from 10 years to 100 years
2018-03-14 13:33:36 +03:00
Aivars Sterns
436de45dd4
Merge pull request #2295 from manics/supplementary-bugfix
...
Fix indexing of supplementary DNS in openssl.conf
2018-03-12 10:54:56 +02:00
chadswen
cd153a1fb3
Fix kubernetes cert permission sync
...
Add `state: directory` to `file` task so that `recurse: yes` will actually take effect and ensure
certs/keys have the right file mode and owner
2018-03-09 00:11:10 -06:00
Simon Li
6b80ac6500
Fix indexing of supplementary DNS in openssl.conf
2018-02-28 16:04:52 +00:00
Maxim Krasilnikov
ba91304636
Fixed generate front proxy client certs with vault ( #2359 )
...
* Fixed generate front proxy client certs with vault
* fix vault cert management
* Distrebute etcd node certs to vault hosts
2018-02-22 15:08:50 +03:00
Antoine Legrand
7bce70339f
Merge pull request #2251 from woopstar/metrics-server-patch-2
...
Adding metrics-server support for K8s version 1.9
2018-02-08 11:16:44 +01:00
woopstar
f9df692056
Issue front proxy certs for vault
2018-02-07 11:03:10 +01:00
woopstar
4dab92ce69
Rename from aggregator-proxy-client to front-proxy-client to match kubeadm design. Added kubeadm support too. Changed to use variables set and not hardcode paths. Still missing cert generation for Vault
2018-02-07 09:50:19 +01:00
Antoine Legrand
bb4446e94c
Merge pull request #2226 from manics/supplemental-addresses
...
Enable additional addresses to be added to certificates
2018-02-06 13:51:54 +01:00
woopstar
b2d30d68e7
Rename CN for aggreator back. Add flags to apiserver when version is >= 1.9
2018-02-05 20:37:14 +01:00
woopstar
82d10b882c
Added fixes from whereismyjetpack
2018-02-05 20:07:12 +01:00
woopstar
0b4168cad4
WIP. Adding metrics-server support for K8s version 1.9
2018-02-05 10:37:41 +01:00
Simon Li
27a1a697e7
supplementary_addresses_in_ssl_keys can be a hostname
2018-01-31 15:16:08 +00:00
Andreas Krüger
088d36da09
Increase the idx counter
...
Fix the idx counter to increase too, or you will end up with two same indexes.
2018-01-30 21:48:13 +01:00
Andreas Krüger
6f36faa4f9
Loadbalancer Apiserver Address is missing
...
If you configure your external loadbalancer to do a simple tcp pass-through to the api servers, and you do not use a DNS FQDN but just the ip, then you need to add the ip adress to the certificates too.
Example config:
```
## External LB example config
apiserver_loadbalancer_domain_name: "10.50.63.10"
loadbalancer_apiserver:
address: 10.50.63.10
port: 8383
```
2018-01-30 17:33:00 +01:00
Matthew Mosesohn
dc6a17e092
Use include/import tasks ( #2192 )
...
import_tasks will consume far less memory, so it should be
used whenever it is compatible.
2018-01-29 14:37:48 +03:00
Bogdan Dobrelya
8aafe64397
Defaults for apiserver_loadbalancer_domain_name ( #1993 )
...
* Defaults for apiserver_loadbalancer_domain_name
When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.
Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
* Define defaults for LB modes in common defaults
Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplefies the code.
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-11-23 16:15:48 +00:00
Günther Grill
0d55ed3600
Avoid that some read-only tasks cause an ansible-change ( #1910 )
2017-11-06 13:51:07 +00:00