mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2025-12-13 21:34:40 +03:00
Etcd certs: use symlink in kubeadm config
@@ -27,3 +27,11 @@ etcd_extra_vars: {}
|
|||||||
# etcd_max_request_bytes: "1572864"
|
# etcd_max_request_bytes: "1572864"
|
||||||
|
|
||||||
etcd_compaction_retention: "8"
|
etcd_compaction_retention: "8"
|
||||||
|
|
||||||
|
|
||||||
|
# softlink to etcd certs
|
||||||
|
etcd_cert_paths:
|
||||||
|
client:
|
||||||
|
ca: "{{ etcd_cert_dir }}/ca.pem"
|
||||||
|
cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|||||||
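Review bot: The added comment `# softlink to etcd certs` describes `etcd_cert_paths` backwards. In the task file added by this commit these three values are the `src` of each link, i.e. the real CA, certificate and key files, while the link names come from `kube_etcd_*_file`. I would reword it to `# Real etcd client CA/cert/key files; the control-plane role symlinks kube_etcd_*_file to these`. It is also worth stating that an inventory override has to supply all three of `ca`, `cert` and `key`, because Ansible replaces a dict variable wholesale by default and the link task indexes each key.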
@@ -23,10 +23,6 @@ kube_apiserver_etcd_compaction_interval: "5m0s"
|
|||||||
# in the request is actually present in etcd.
|
# in the request is actually present in etcd.
|
||||||
kube_apiserver_service_account_lookup: true
|
kube_apiserver_service_account_lookup: true
|
||||||
|
|
||||||
kube_etcd_cacert_file: ca.pem
|
|
||||||
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
|
|
||||||
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
|
|
||||||
|
|
||||||
# Associated interfaces must be reachable by the rest of the cluster, and by
|
# Associated interfaces must be reachable by the rest of the cluster, and by
|
||||||
# CLI/web clients.
|
# CLI/web clients.
|
||||||
kube_controller_manager_bind_address: "::"
|
kube_controller_manager_bind_address: "::"
|
||||||
|
|||||||
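--- /dev/null
+++ b/roles/kubernetes/control-plane/tasks/0010-etcd-link.yml
@@ -0,0 +1,24 @@
+---
+- name: Create etcd cert directory
+ansible.builtin.file:
+path: "{{ etcd_cert_dir }}"
+state: directory
+mode: '0750'
+when:
+- inventory_hostname in groups['kube_control_plane']
+
+- name: Generate symlink to etcd certs
+ansible.builtin.file:
+src: "{{ etcd_cert_paths.client[item.src] }}"
+dest: "{{ etcd_cert_dir }}/{{ item.dest }}"
+state: link
+force: true
+loop:
+- src: ca
+dest: "{{ kube_etcd_cacert_file }}"
+- src: cert
+dest: "{{ kube_etcd_cert_file }}"
+- src: key
+dest: "{{ kube_etcd_key_file }}"
+when:
+- inventory_hostname in groups['kube_control_plane']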
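Review bot: The `Create etcd cert directory` task applies `mode: '0750'` to `{{ etcd_cert_dir }}` with no `owner` or `group`, and that directory holds the node private key (`node-{{ inventory_hostname }}-key.pem` in the defaults touched by this commit). On a host where the directory already exists with a tighter mode this widens it, and if another role also manages the directory (likely, but not visible here) the two will flip the mode on every run. I would either drop `mode` so an existing directory is left as it is, or set the same owner, group and mode as whatever creates the directory first. Separately, `force: true` on the link task creates the link even when `src` does not exist and replaces a regular file at `dest`, so a wrong `etcd_cert_paths` value only surfaces later when the API server cannot load its etcd client certificate; a `stat` plus `assert` on the three sources before linking would fail early.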
@@ -4,6 +4,11 @@
|
|||||||
tags:
|
tags:
|
||||||
- k8s-pre-upgrade
|
- k8s-pre-upgrade
|
||||||
|
|
||||||
|
- name: Create etcd cert symbolic links
|
||||||
|
import_tasks: 0010-etcd-link.yml
|
||||||
|
when:
|
||||||
|
- etcd_deployment_type != "kubeadm"
|
||||||
|
|
||||||
- name: Create webhook token auth config
|
- name: Create webhook token auth config
|
||||||
template:
|
template:
|
||||||
src: webhook-token-auth-config.yaml.j2
|
src: webhook-token-auth-config.yaml.j2
|
||||||
|
|||||||
@@ -27,3 +27,8 @@ kube_pods_subnets: >-
|
|||||||
{%- else -%}
|
{%- else -%}
|
||||||
{{ kube_pods_subnet_ipv6 }}
|
{{ kube_pods_subnet_ipv6 }}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
|
|
||||||
|
# Symlinks to etcd certs
|
||||||
|
kube_etcd_cacert_file: "kube-client-ca.pem"
|
||||||
|
kube_etcd_cert_file: "kube-client-cert.pem"
|
||||||
|
kube_etcd_key_file: "kube-client-key.pem"
|
||||||
|
|||||||
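Review bot: The comment `# Symlinks to etcd certs` does not say where these names live or when they exist. From the task file added in this commit they are link names created inside `{{ etcd_cert_dir }}`, and the import in the control-plane tasks is gated on `etcd_deployment_type != "kubeadm"`, so the files are absent in a kubeadm-managed etcd setup. I would write `# File names of the symlinks created in etcd_cert_dir (control-plane role, only when etcd_deployment_type != "kubeadm")`. Anything that reads these variables outside that condition would be pointed at files that were never created; that is not visible on this page and is worth checking.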