09847567ae
"shell" step doesn't support check mode, which currently leads to failures, when Ansible is being run in check mode (because Ansible doesn't run command, assuming that command might have effect, and no "rc" or "output" is registered). Setting "check_mode: no" allows to run those "shell" commands in check mode (which is safe, because those shell commands doesn't have side effects).
182 lines
6.3 KiB
YAML
182 lines
6.3 KiB
YAML
---
|
|
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path: "{{ kube_config_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
|
|
when: gen_certs|default(false)
|
|
|
|
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path: "{{ kube_script_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [k8s-secrets, bootstrap-os]
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | write openssl config
|
|
template:
|
|
src: "openssl.conf.j2"
|
|
dest: "{{ kube_config_dir }}/openssl.conf"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | copy certs generation script
|
|
copy:
|
|
src: "make-ssl.sh"
|
|
dest: "{{ kube_script_dir }}/make-ssl.sh"
|
|
mode: 0700
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | run cert generation script
|
|
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
|
|
environment:
|
|
- MASTERS: "{% for m in groups['kube-master'] %}
|
|
{% if hostvars[m].sync_certs|default(true) %}
|
|
{{ m }}
|
|
{% endif %}
|
|
{% endfor %}"
|
|
- HOSTS: "{% for h in groups['k8s-cluster'] %}
|
|
{% if hostvars[h].sync_certs|default(true) %}
|
|
{{ h }}
|
|
{% endif %}
|
|
{% endfor %}"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
notify: set secret_changed
|
|
|
|
- set_fact:
|
|
all_master_certs: "['ca-key.pem',
|
|
{% for node in groups['kube-master'] %}
|
|
'admin-{{ node }}.pem',
|
|
'admin-{{ node }}-key.pem',
|
|
'apiserver.pem',
|
|
'apiserver-key.pem',
|
|
{% endfor %}]"
|
|
my_master_certs: ['ca-key.pem',
|
|
'admin-{{ inventory_hostname }}.pem',
|
|
'admin-{{ inventory_hostname }}-key.pem',
|
|
'apiserver.pem',
|
|
'apiserver-key.pem'
|
|
]
|
|
all_node_certs: "['ca.pem',
|
|
{% for node in groups['k8s-cluster'] %}
|
|
'node-{{ node }}.pem',
|
|
'node-{{ node }}-key.pem',
|
|
{% endfor %}]"
|
|
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
|
|
tags: facts
|
|
|
|
- name: Gen_certs | Gather master certs
|
|
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
|
|
args:
|
|
executable: /bin/bash
|
|
register: master_cert_data
|
|
check_mode: no
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | Gather node certs
|
|
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_node_certs|join(' ') }} | base64 --wrap=0"
|
|
args:
|
|
executable: /bin/bash
|
|
register: node_cert_data
|
|
check_mode: no
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: inventory_hostname in groups['kube-node'] and
|
|
sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
|
|
#char limit when using shell command
|
|
|
|
#FIXME(mattymo): Use tempfile module in ansible 2.3
|
|
- name: Gen_certs | Prepare tempfile for unpacking certs
|
|
shell: mktemp /tmp/certsXXXXX.tar.gz
|
|
register: cert_tempfile
|
|
|
|
- name: Gen_certs | Write master certs to tempfile
|
|
copy:
|
|
content: "{{master_cert_data.stdout}}"
|
|
dest: "{{cert_tempfile.stdout}}"
|
|
owner: root
|
|
mode: "0600"
|
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | Unpack certs on masters
|
|
shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ kube_cert_dir }}"
|
|
changed_when: false
|
|
check_mode: no
|
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
notify: set secret_changed
|
|
|
|
- name: Gen_certs | Cleanup tempfile
|
|
file:
|
|
path: "{{cert_tempfile.stdout}}"
|
|
state: absent
|
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | Copy certs on nodes
|
|
shell: "base64 -d <<< '{{node_cert_data.stdout|quote}}' | tar xz -C {{ kube_cert_dir }}"
|
|
args:
|
|
executable: /bin/bash
|
|
changed_when: false
|
|
check_mode: no
|
|
when: inventory_hostname in groups['kube-node'] and
|
|
sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
notify: set secret_changed
|
|
|
|
- name: Gen_certs | check certificate permissions
|
|
file:
|
|
path={{ kube_cert_dir }}
|
|
group={{ kube_cert_group }}
|
|
owner=kube
|
|
recurse=yes
|
|
|
|
- name: Gen_certs | set permissions on keys
|
|
shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
|
|
when: inventory_hostname in groups['kube-master']
|
|
changed_when: false
|
|
|
|
- name: Gen_certs | target ca-certificates path
|
|
set_fact:
|
|
ca_cert_path: |-
|
|
{% if ansible_os_family == "Debian" -%}
|
|
/usr/local/share/ca-certificates/kube-ca.crt
|
|
{%- elif ansible_os_family == "RedHat" -%}
|
|
/etc/pki/ca-trust/source/anchors/kube-ca.crt
|
|
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
|
|
/etc/ssl/certs/kube-ca.pem
|
|
{%- endif %}
|
|
tags: facts
|
|
|
|
- name: Gen_certs | add CA to trusted CA dir
|
|
copy:
|
|
src: "{{ kube_cert_dir }}/ca.pem"
|
|
dest: "{{ ca_cert_path }}"
|
|
remote_src: true
|
|
register: kube_ca_cert
|
|
|
|
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
|
|
command: update-ca-certificates
|
|
when: kube_ca_cert.changed and ansible_os_family in ["Debian", "Container Linux by CoreOS"]
|
|
|
|
- name: Gen_certs | update ca-certificates (RedHat)
|
|
command: update-ca-trust extract
|
|
when: kube_ca_cert.changed and ansible_os_family == "RedHat"
|
|
|