epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-03-06 10:08:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

sync certs tasks (fix #2596 #2667)

Browse Source
This commit is contained in:
Romain DEQUIDT
2018-04-18 03:00:37 +02:00
parent f90673ac68
commit 80dd230a65
2 changed files with 30 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
roles/kubernetes/secrets/tasks/gen_certs_script.yml
View File

@@ -111,6 +111,34 @@
tags:
- facts
- name: "Check certs | check if a cert already exists on node"
find:
paths: "{{ kube_cert_dir }}"
patterns: "*.pem"
get_checksum: true
register: kubecert_node
when: inventory_hostname != groups['kube-master'][0]
- name: "Check_certs | Set 'sync_certs' to true on masters"
set_fact:
sync_certs: true
when: inventory_hostname in groups['kube-master'] and
inventory_hostname != groups['kube-master'][0] and
(not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
with_items:
- "{{ my_master_certs + all_node_certs }}"
- name: "Check_certs | Set 'sync_certs' to true on nodes"
set_fact:
sync_certs: true
when: inventory_hostname in groups['kube-node'] and
inventory_hostname != groups['kube-master'][0] and
(not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
with_items:
- "{{ my_node_certs }}"
- name: Gen_certs | Gather master certs
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
args:
@@ -138,7 +166,7 @@
# char limit when using shell command
# FIXME(mattymo): Use tempfile module in ansible 2.3
- name: Gen_certs | Prepare tempfile for unpacking certs
- name: Gen_certs | Prepare tempfile for unpacking certs on masters
command: mktemp /tmp/certsXXXXX.tar.gz
register: cert_tempfile
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
@@ -162,7 +190,7 @@
inventory_hostname != groups['kube-master'][0]
notify: set secret_changed
- name: Gen_certs | Cleanup tempfile
- name: Gen_certs | Cleanup tempfile on masters
file:
path: "{{cert_tempfile.stdout}}"
state: absent