94b81dbdd7
Related bug: https://github.com/ansible/ansible/issues/15405 Uses tar and register because synchronize module cannot sudo on the remote side correctly and copy is too slow. This patch dramatically cuts down the number of tasks to process for cert synchronization.
57 lines
1.9 KiB
YAML
57 lines
1.9 KiB
YAML
---
|
|
- name: Gen_tokens | copy tokens generation script
|
|
copy:
|
|
src: "kube-gen-token.sh"
|
|
dest: "{{ kube_script_dir }}/kube-gen-token.sh"
|
|
mode: 0700
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_tokens|default(false)
|
|
|
|
- name: Gen_tokens | generate tokens for master components
|
|
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
|
|
environment:
|
|
TOKEN_DIR: "{{ kube_token_dir }}"
|
|
with_nested:
|
|
- [ "system:kubectl" ]
|
|
- "{{ groups['kube-master'] }}"
|
|
register: gentoken_master
|
|
changed_when: "'Added' in gentoken_master.stdout"
|
|
notify: set secret_changed
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_tokens|default(false)
|
|
|
|
- name: Gen_tokens | generate tokens for node components
|
|
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
|
|
environment:
|
|
TOKEN_DIR: "{{ kube_token_dir }}"
|
|
with_nested:
|
|
- [ 'system:kubelet' ]
|
|
- "{{ groups['kube-node'] }}"
|
|
register: gentoken_node
|
|
changed_when: "'Added' in gentoken_node.stdout"
|
|
notify: set secret_changed
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_tokens|default(false)
|
|
|
|
- name: Gen_tokens | Get list of tokens from first master
|
|
shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
|
|
register: tokens_list
|
|
changed_when: false
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: sync_tokens|default(false)
|
|
|
|
- name: Gen_tokens | Gather tokens
|
|
shell: "tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
|
|
register: tokens_data
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
run_once: true
|
|
when: sync_tokens|default(false)
|
|
|
|
- name: Gen_tokens | Copy tokens on masters
|
|
shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
|
|
changed_when: false
|
|
when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|