c12s-kubespray/roles/etcd/tasks/gen_certs_script.yml
David Louks aad78840a0
Updated etcd cert check tasks to detect when new cert gen is required (#7219)
* Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster

* Updated etcd cert check tasks to better detect when new certificates need to be generated

* Move usage of force_etcd_cert_refresh var to gen_certs fact set

* Force etcd cert generation per server if force_etcd_cert_refresh is set to true

* Include gathering of node certs even if k8s-cluster member and in etcd group.

* Removed run_once due to when statement
2021-02-09 01:53:22 -08:00

185 lines
5.8 KiB
YAML

---
- name: Gen_certs | create etcd cert dir
file:
path: "{{ etcd_cert_dir }}"
group: "{{ etcd_cert_group }}"
state: directory
owner: kube
mode: "{{ etcd_cert_dir_mode }}"
recurse: yes
- name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
file:
path: "{{ etcd_script_dir }}"
state: directory
owner: root
mode: 0700
run_once: yes
when: inventory_hostname == groups['etcd'][0]
delegate_to: "{{ groups['etcd'][0] }}"
- name: "Gen_certs | create etcd cert dir (on {{ groups['etcd'][0] }})"
file:
path: "{{ etcd_cert_dir }}"
group: "{{ etcd_cert_group }}"
state: directory
owner: kube
recurse: yes
mode: 0700
run_once: yes
when: inventory_hostname == groups['etcd'][0]
delegate_to: "{{ groups['etcd'][0] }}"
- name: Gen_certs | write openssl config
template:
src: "openssl.conf.j2"
dest: "{{ etcd_config_dir }}/openssl.conf"
run_once: yes
delegate_to: "{{ groups['etcd'][0] }}"
when:
- gen_certs|default(false)
- inventory_hostname == groups['etcd'][0]
- name: Gen_certs | copy certs generation script
template:
src: "make-ssl-etcd.sh.j2"
dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
mode: 0700
run_once: yes
delegate_to: "{{ groups['etcd'][0] }}"
when:
- gen_certs|default(false)
- inventory_hostname == groups['etcd'][0]
- name: Gen_certs | run cert generation script
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
environment:
- MASTERS: "{% for m in groups['etcd'] %}
{% if gen_master_certs[m] %}
{{ m }}
{% endif %}
{% endfor %}"
- HOSTS: "{% for h in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
{% if gen_node_certs[h] %}
{{ h }}
{% endif %}
{% endfor %}"
run_once: yes
delegate_to: "{{ groups['etcd'][0] }}"
when: gen_certs|default(false)
notify: set etcd_secret_changed
- name: Gen_certs | Gather etcd member and admin certs from first etcd node
slurp:
src: "{{ item }}"
register: etcd_master_certs
with_items:
- "{{ etcd_cert_dir }}/ca.pem"
- "{{ etcd_cert_dir }}/ca-key.pem"
- "[{% for node in groups['etcd'] %}
'{{ etcd_cert_dir }}/admin-{{ node }}.pem',
'{{ etcd_cert_dir }}/admin-{{ node }}-key.pem',
'{{ etcd_cert_dir }}/member-{{ node }}.pem',
'{{ etcd_cert_dir }}/member-{{ node }}-key.pem',
{% endfor %}]"
delegate_to: "{{ groups['etcd'][0] }}"
when:
- inventory_hostname in groups['etcd']
- sync_certs|default(false)
- inventory_hostname != groups['etcd'][0]
notify: set etcd_secret_changed
- name: Gen_certs | Write etcd member and admin certs to other etcd nodes
copy:
dest: "{{ item.item }}"
content: "{{ item.content | b64decode }}"
group: "{{ etcd_cert_group }}"
owner: kube
mode: 0640
with_items: "{{ etcd_master_certs.results }}"
when:
- inventory_hostname in groups['etcd']
- sync_certs|default(false)
- inventory_hostname != groups['etcd'][0]
loop_control:
label: "{{ item.item }}"
- name: Gen_certs | Gather node certs from first etcd node
slurp:
src: "{{ item }}"
register: etcd_master_node_certs
with_items:
- "[{% for node in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
'{{ etcd_cert_dir }}/node-{{ node }}.pem',
'{{ etcd_cert_dir }}/node-{{ node }}-key.pem',
{% endfor %}]"
delegate_to: "{{ groups['etcd'][0] }}"
when:
- inventory_hostname in groups['etcd']
- inventory_hostname != groups['etcd'][0]
notify: set etcd_secret_changed
- name: Gen_certs | Write node certs to other etcd nodes
copy:
dest: "{{ item.item }}"
content: "{{ item.content | b64decode }}"
group: "{{ etcd_cert_group }}"
owner: kube
mode: 0640
with_items: "{{ etcd_master_node_certs.results }}"
when:
- inventory_hostname in groups['etcd']
- inventory_hostname != groups['etcd'][0]
loop_control:
label: "{{ item.item }}"
- name: Gen_certs | Set cert names per node
set_fact:
my_etcd_node_certs: [ 'ca.pem',
'node-{{ inventory_hostname }}.pem',
'node-{{ inventory_hostname }}-key.pem']
tags:
- facts
- name: "Check_certs | Set 'sync_certs' to true on nodes"
set_fact:
sync_certs: true
when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
inventory_hostname in groups['k8s-cluster']) and
inventory_hostname not in groups['etcd']
with_items:
- "{{ my_etcd_node_certs }}"
- name: Gen_certs | Gather node certs
shell: "set -o pipefail && tar cfz - -C {{ etcd_cert_dir }} {{ my_etcd_node_certs|join(' ') }} | base64 --wrap=0"
args:
executable: /bin/bash
warn: false
no_log: true
register: etcd_node_certs
check_mode: no
delegate_to: "{{ groups['etcd'][0] }}"
when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
inventory_hostname in groups['k8s-cluster']) and
sync_certs|default(false) and inventory_hostname not in groups['etcd']
- name: Gen_certs | Copy certs on nodes
shell: "set -o pipefail && base64 -d <<< '{{ etcd_node_certs.stdout|quote }}' | tar xz -C {{ etcd_cert_dir }}"
args:
executable: /bin/bash
no_log: true
changed_when: false
check_mode: no
when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
inventory_hostname in groups['k8s-cluster']) and
sync_certs|default(false) and inventory_hostname not in groups['etcd']
notify: set etcd_secret_changed
- name: Gen_certs | check certificate permissions
file:
path: "{{ etcd_cert_dir }}"
group: "{{ etcd_cert_group }}"
state: directory
owner: kube
mode: "{{ etcd_cert_dir_mode }}"
recurse: yes