94b81dbdd7
Related bug: https://github.com/ansible/ansible/issues/15405 Uses tar and register because synchronize module cannot sudo on the remote side correctly and copy is too slow. This patch dramatically cuts down the number of tasks to process for cert synchronization.
93 lines
3.1 KiB
YAML
93 lines
3.1 KiB
YAML
---
|
|
- name: Gen_certs | write openssl config
|
|
template:
|
|
src: "openssl.conf.j2"
|
|
dest: "{{ kube_config_dir }}/openssl.conf"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | copy certs generation script
|
|
copy:
|
|
src: "make-ssl.sh"
|
|
dest: "{{ kube_script_dir }}/make-ssl.sh"
|
|
mode: 0700
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | run cert generation script
|
|
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_certs|default(false)
|
|
notify: set secret_changed
|
|
|
|
- set_fact:
|
|
master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem']
|
|
node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
|
|
|
|
- name: Gen_certs | Gather master certs
|
|
shell: "tar cfz - -C {{ kube_cert_dir }} {{ master_certs|join(' ') }} {{ node_certs|join(' ') }} | base64 --wrap=0"
|
|
register: master_cert_data
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
run_once: true
|
|
when: sync_certs|default(false)
|
|
|
|
- name: Gen_certs | Gather node certs
|
|
shell: "tar cfz - -C {{ kube_cert_dir }} {{ node_certs|join(' ') }} | base64 --wrap=0"
|
|
register: node_cert_data
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
run_once: true
|
|
when: sync_certs|default(false)
|
|
|
|
- name: Gen_certs | Copy certs on masters
|
|
shell: "echo '{{master_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
|
|
changed_when: false
|
|
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | Copy certs on nodes
|
|
shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
|
|
changed_when: false
|
|
when: inventory_hostname in groups['kube-node'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | check certificate permissions
|
|
file:
|
|
path={{ kube_cert_dir }}
|
|
group={{ kube_cert_group }}
|
|
owner=kube
|
|
recurse=yes
|
|
|
|
- name: Gen_certs | set permissions on keys
|
|
shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
|
|
when: inventory_hostname in groups['kube-master']
|
|
changed_when: false
|
|
|
|
- name: Gen_certs | target ca-certificates directory
|
|
set_fact:
|
|
ca_cert_dir: |-
|
|
{% if ansible_os_family == "Debian" -%}
|
|
/usr/local/share/ca-certificates
|
|
{%- elif ansible_os_family == "RedHat" -%}
|
|
/etc/pki/ca-trust/source/anchors
|
|
{%- elif ansible_os_family == "CoreOS" -%}
|
|
/etc/ssl/certs
|
|
{%- endif %}
|
|
|
|
- name: Gen_certs | add CA to trusted CA dir
|
|
copy:
|
|
src: "{{ kube_cert_dir }}/ca.pem"
|
|
dest: "{{ ca_cert_dir }}/kube-ca.crt"
|
|
remote_src: true
|
|
register: kube_ca_cert
|
|
|
|
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/CoreOS)
|
|
command: update-ca-certificates
|
|
when: kube_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS"]
|
|
|
|
- name: Gen_certs | update ca-certificatesa (RedHat)
|
|
command: update-ca-trust extract
|
|
when: kube_ca_cert.changed and ansible_os_family == "RedHat"
|
|
|