6c69da1573
be run by limit on each node without regard for order. The changes make sure that all of the directories needed to do certificate management are on the master[0] or etcd[0] node regardless of when the playbook gets run on each node. This allows for separate ansible playbook runs in parallel that don't have to be synchronized.
146 lines
5.3 KiB
YAML
146 lines
5.3 KiB
YAML
---
|
|
- name: Gen_certs | Create kubernetes config directory (on master[0])
|
|
file:
|
|
path: "{{ kube_config_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | Create kubernetes script directory (on master[0])
|
|
file:
|
|
path: "{{ kube_script_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [k8s-secrets, bootstrap-os]
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | write openssl config
|
|
template:
|
|
src: "openssl.conf.j2"
|
|
dest: "{{ kube_config_dir }}/openssl.conf"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | copy certs generation script
|
|
copy:
|
|
src: "make-ssl.sh"
|
|
dest: "{{ kube_script_dir }}/make-ssl.sh"
|
|
mode: 0700
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | run cert generation script
|
|
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
|
|
environment:
|
|
- MASTERS: "{% for m in groups['kube-master'] %}
|
|
{% if hostvars[m].sync_certs|default(true) %}
|
|
{{ m }}
|
|
{% endif %}
|
|
{% endfor %}"
|
|
- HOSTS: "{% for h in groups['k8s-cluster'] %}
|
|
{% if hostvars[h].sync_certs|default(true) %}
|
|
{{ h }}
|
|
{% endif %}
|
|
{% endfor %}"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
notify: set secret_changed
|
|
|
|
- set_fact:
|
|
all_master_certs: "['ca-key.pem',
|
|
{% for node in groups['kube-master'] %}
|
|
'admin-{{ node }}.pem',
|
|
'admin-{{ node }}-key.pem',
|
|
'apiserver.pem',
|
|
'apiserver-key.pem',
|
|
{% endfor %}]"
|
|
my_master_certs: ['ca-key.pem',
|
|
'admin-{{ inventory_hostname }}.pem',
|
|
'admin-{{ inventory_hostname }}-key.pem',
|
|
'apiserver.pem',
|
|
'apiserver-key.pem'
|
|
]
|
|
all_node_certs: "['ca.pem',
|
|
{% for node in groups['k8s-cluster'] %}
|
|
'node-{{ node }}.pem',
|
|
'node-{{ node }}-key.pem',
|
|
{% endfor %}]"
|
|
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
|
|
tags: facts
|
|
|
|
- name: Gen_certs | Gather master certs
|
|
shell: "tar cfz - -C {{ kube_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
|
|
register: master_cert_data
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | Gather node certs
|
|
shell: "tar cfz - -C {{ kube_cert_dir }} {{ my_node_certs|join(' ') }} | base64 --wrap=0"
|
|
register: node_cert_data
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: inventory_hostname in groups['kube-node'] and
|
|
sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | Copy certs on masters
|
|
shell: "echo '{{master_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
|
|
changed_when: false
|
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
notify: set secret_changed
|
|
|
|
- name: Gen_certs | Copy certs on nodes
|
|
shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
|
|
changed_when: false
|
|
when: inventory_hostname in groups['kube-node'] and
|
|
sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
notify: set secret_changed
|
|
|
|
- name: Gen_certs | check certificate permissions
|
|
file:
|
|
path={{ kube_cert_dir }}
|
|
group={{ kube_cert_group }}
|
|
owner=kube
|
|
recurse=yes
|
|
|
|
- name: Gen_certs | set permissions on keys
|
|
shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
|
|
when: inventory_hostname in groups['kube-master']
|
|
changed_when: false
|
|
|
|
- name: Gen_certs | target ca-certificates path
|
|
set_fact:
|
|
ca_cert_path: |-
|
|
{% if ansible_os_family == "Debian" -%}
|
|
/usr/local/share/ca-certificates/kube-ca.crt
|
|
{%- elif ansible_os_family == "RedHat" -%}
|
|
/etc/pki/ca-trust/source/anchors/kube-ca.crt
|
|
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
|
|
/etc/ssl/certs/kube-ca.pem
|
|
{%- endif %}
|
|
tags: facts
|
|
|
|
- name: Gen_certs | add CA to trusted CA dir
|
|
copy:
|
|
src: "{{ kube_cert_dir }}/ca.pem"
|
|
dest: "{{ ca_cert_path }}"
|
|
remote_src: true
|
|
register: kube_ca_cert
|
|
|
|
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
|
|
command: update-ca-certificates
|
|
when: kube_ca_cert.changed and ansible_os_family in ["Debian", "Container Linux by CoreOS"]
|
|
|
|
- name: Gen_certs | update ca-certificates (RedHat)
|
|
command: update-ca-trust extract
|
|
when: kube_ca_cert.changed and ansible_os_family == "RedHat"
|