C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
c12s-kubespray/roles/kubernetes/secrets/tasks/check-certs.yml
Matthew Mosesohn a422ad0d50 More idempotency fixes 
Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks
2017-03-15 19:06:39 +03:00

66 lines
2.1 KiB
YAML
Raw Blame History

---
- name: "Check_certs | check if the certs have already been generated on first master"
find:
paths: "{{ kube_cert_dir }}"
patterns: "*.pem"
get_checksum: true
delegate_to: "{{groups['kube-master'][0]}}"
register: kubecert_master
run_once: true
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed' to false"
set_fact:
sync_certs: false
gen_certs: false
secret_changed: false
- name: "Check certs | check if a cert already exists on node"
stat:
path: "{{ kube_cert_dir }}/{{ item }}"
register: kubecert_node
with_items:
- ca.pem
- node-{{ inventory_hostname }}-key.pem
- name: "Check_certs | Set 'gen_certs' to true"
set_fact:
gen_certs: true
when: "not item in kubecert_master.files|map(attribute='path') | list"
run_once: true
with_items: >-
['{{ kube_cert_dir }}/ca.pem',
{% for host in groups['k8s-cluster'] %}
'{{ kube_cert_dir }}/node-{{ host }}-key.pem'
{% if not loop.last %}{{','}}{% endif %}
{% endfor %}]
- name: "Check_certs | Set 'gen_node_certs' to true"
set_fact:
gen_node_certs: |-
{
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
{% for host in groups['k8s-cluster'] -%}
{% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %}
{% if host_cert in existing_certs -%}
"{{ host }}": False,
{% else -%}
"{{ host }}": True,
{% endif -%}
{% endfor %}
}
run_once: true
- name: "Check_certs | Set 'sync_certs' to true"
set_fact:
sync_certs: true
when: >-
{%- set certs = {'sync': False} -%}
{% if gen_node_certs[inventory_hostname] or
(not kubecert_node.results[0].stat.exists|default(False)) or
(not kubecert_node.results[1].stat.exists|default(False)) or
(kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
{%- set _ = certs.update({'sync': True}) -%}
{% endif %}
{{ certs.sync }}
Reference in a new issue View git blame Copy permalink