fad22bae97
Fixed sync_tokens fact Fixed sync_certs for k8s tokens fact Disabled register docker images changability Fixed CNI dir permission Fix idempotency for etcd pre upgrade checks
189 lines
6.5 KiB
YAML
189 lines
6.5 KiB
YAML
---
|
|
- name: Gen_certs | create etcd cert dir
|
|
file:
|
|
path: "{{ etcd_cert_dir }}"
|
|
group: "{{ etcd_cert_group }}"
|
|
state: directory
|
|
owner: root
|
|
recurse: yes
|
|
|
|
- name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
|
|
file:
|
|
path: "{{ etcd_script_dir }}"
|
|
state: directory
|
|
owner: root
|
|
run_once: yes
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
|
|
- name: "Gen_certs | create etcd cert dir (on {{groups['etcd'][0]}})"
|
|
file:
|
|
path: "{{ etcd_cert_dir }}"
|
|
group: "{{ etcd_cert_group }}"
|
|
state: directory
|
|
owner: root
|
|
recurse: yes
|
|
run_once: yes
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
|
|
- name: Gen_certs | write openssl config
|
|
template:
|
|
src: "openssl.conf.j2"
|
|
dest: "{{ etcd_config_dir }}/openssl.conf"
|
|
run_once: yes
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | copy certs generation script
|
|
copy:
|
|
src: "make-ssl-etcd.sh"
|
|
dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
|
|
mode: 0700
|
|
run_once: yes
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
when: gen_certs|default(false)
|
|
|
|
- name: Gen_certs | run cert generation script
|
|
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
|
|
environment:
|
|
- MASTERS: "{% for m in groups['etcd'] %}
|
|
{% if gen_node_certs[m] %}
|
|
{{ m }}
|
|
{% endif %}
|
|
{% endfor %}"
|
|
- HOSTS: "{% for h in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
|
|
{% if gen_node_certs[h] %}
|
|
{{ h }}
|
|
{% endif %}
|
|
{% endfor %}"
|
|
run_once: yes
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
when: gen_certs|default(false)
|
|
notify: set etcd_secret_changed
|
|
|
|
- set_fact:
|
|
all_master_certs: "['ca-key.pem',
|
|
{% for node in groups['etcd'] %}
|
|
'admin-{{ node }}.pem',
|
|
'admin-{{ node }}-key.pem',
|
|
'member-{{ node }}.pem',
|
|
'member-{{ node }}-key.pem',
|
|
{% endfor %}]"
|
|
my_master_certs: ['ca-key.pem',
|
|
'admin-{{ inventory_hostname }}.pem',
|
|
'admin-{{ inventory_hostname }}-key.pem',
|
|
'member-{{ inventory_hostname }}.pem',
|
|
'member-{{ inventory_hostname }}-key.pem'
|
|
]
|
|
all_node_certs: "['ca.pem',
|
|
{% for node in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
|
|
'node-{{ node }}.pem',
|
|
'node-{{ node }}-key.pem',
|
|
{% endfor %}]"
|
|
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
|
|
tags: facts
|
|
|
|
- name: Gen_certs | Gather etcd master certs
|
|
shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
|
|
args:
|
|
executable: /bin/bash
|
|
register: etcd_master_cert_data
|
|
no_log: true
|
|
check_mode: no
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['etcd'][0]
|
|
notify: set etcd_secret_changed
|
|
|
|
- name: Gen_certs | Gather etcd node certs
|
|
shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_node_certs|join(' ') }} | base64 --wrap=0"
|
|
args:
|
|
executable: /bin/bash
|
|
register: etcd_node_cert_data
|
|
no_log: true
|
|
check_mode: no
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
|
|
inventory_hostname in groups['k8s-cluster']) and
|
|
sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
|
notify: set etcd_secret_changed
|
|
|
|
#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
|
|
#char limit when using shell command
|
|
|
|
#FIXME(mattymo): Use tempfile module in ansible 2.3
|
|
- name: Gen_certs | Prepare tempfile for unpacking certs
|
|
shell: mktemp /tmp/certsXXXXX.tar.gz
|
|
register: cert_tempfile
|
|
|
|
- name: Gen_certs | Write master certs to tempfile
|
|
copy:
|
|
content: "{{etcd_master_cert_data.stdout}}"
|
|
dest: "{{cert_tempfile.stdout}}"
|
|
owner: root
|
|
mode: "0600"
|
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['etcd'][0]
|
|
|
|
- name: Gen_certs | Unpack certs on masters
|
|
shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ etcd_cert_dir }}"
|
|
no_log: true
|
|
changed_when: false
|
|
check_mode: no
|
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['etcd'][0]
|
|
notify: set secret_changed
|
|
|
|
- name: Gen_certs | Cleanup tempfile
|
|
file:
|
|
path: "{{cert_tempfile.stdout}}"
|
|
state: absent
|
|
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
|
|
inventory_hostname != groups['etcd'][0]
|
|
|
|
- name: Gen_certs | Copy certs on nodes
|
|
shell: "base64 -d <<< '{{etcd_node_cert_data.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
|
|
args:
|
|
executable: /bin/bash
|
|
changed_when: false
|
|
when: sync_certs|default(false) and
|
|
inventory_hostname not in groups['etcd']
|
|
|
|
- name: Gen_certs | check certificate permissions
|
|
file:
|
|
path: "{{ etcd_cert_dir }}"
|
|
group: "{{ etcd_cert_group }}"
|
|
state: directory
|
|
owner: kube
|
|
recurse: yes
|
|
|
|
- name: Gen_certs | set permissions on keys
|
|
shell: chmod 0600 {{ etcd_cert_dir}}/*key.pem
|
|
when: inventory_hostname in groups['etcd']
|
|
changed_when: false
|
|
|
|
- name: Gen_certs | target ca-certificate store file
|
|
set_fact:
|
|
ca_cert_path: |-
|
|
{% if ansible_os_family == "Debian" -%}
|
|
/usr/local/share/ca-certificates/etcd-ca.crt
|
|
{%- elif ansible_os_family == "RedHat" -%}
|
|
/etc/pki/ca-trust/source/anchors/etcd-ca.crt
|
|
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
|
|
/etc/ssl/certs/etcd-ca.pem
|
|
{%- endif %}
|
|
tags: facts
|
|
|
|
- name: Gen_certs | add CA to trusted CA dir
|
|
copy:
|
|
src: "{{ etcd_cert_dir }}/ca.pem"
|
|
dest: "{{ ca_cert_path }}"
|
|
remote_src: true
|
|
register: etcd_ca_cert
|
|
|
|
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
|
|
command: update-ca-certificates
|
|
when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS"]
|
|
|
|
- name: Gen_certs | update ca-certificates (RedHat)
|
|
command: update-ca-trust extract
|
|
when: etcd_ca_cert.changed and ansible_os_family == "RedHat"
|