Fix cert distribution at scale

Use stdin instead of bash args to pass node filenames and base64 data. Use tempfile for master cert data

Fix cert distribution at scale
08822ec6 · Matthew Mosesohn · 6463a01e · 08822ec6
Commit 08822ec6 authored 8 years ago by Matthew Mosesohn
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -77,29 +77,59 @@
  tags: facts

 - name: Gen_certs | Gather master certs
-  shell: "tar cfz - -C {{ kube_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
+  shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
+  args:
+    executable: /bin/bash
  register: master_cert_data
  delegate_to: "{{groups['kube-master'][0]}}"
  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
        inventory_hostname != groups['kube-master'][0]

 - name: Gen_certs | Gather node certs
-  shell: "tar cfz - -C {{ kube_cert_dir }} {{ my_node_certs|join(' ') }} | base64 --wrap=0"
+  shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_node_certs|join(' ') }} | base64 --wrap=0"
+  args:
+    executable: /bin/bash
  register: node_cert_data
  delegate_to: "{{groups['kube-master'][0]}}"
  when: inventory_hostname in groups['kube-node'] and
        sync_certs|default(false) and
        inventory_hostname != groups['kube-master'][0]

- name: Gen_certs | Copy certs on masters
-  shell: "echo '{{master_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
+#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
+#char limit when using shell command
+
+#FIXME(mattymo): Use tempfile module in ansible 2.3
+- name: Gen_certs | Prepare tempfile for unpacking certs
+  shell: mktemp /tmp/certsXXXXX.tar.gz
+  register: cert_tempfile
+
+- name: Gen_certs | Write master certs to tempfile
+  copy:
+    content: "{{master_cert_data.stdout}}"
+    dest: "{{cert_tempfile.stdout}}"
+    owner: root
+    mode: "0600"
+  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]
+
+- name: Gen_certs | Unpack certs on masters
+  shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ kube_cert_dir }}"
  changed_when: false
  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
        inventory_hostname != groups['kube-master'][0]
  notify: set secret_changed

+- name: Gen_certs | Cleanup tempfile
+  file:
+    path: "{{cert_tempfile.stdout}}"
+    state: absent
+  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]
+
 - name: Gen_certs | Copy certs on nodes
-  shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
+  shell: "base64 -d <<< '{{node_cert_data.stdout|quote}}' | tar xz -C {{ kube_cert_dir }}"
+  args:
+    executable: /bin/bash
  changed_when: false
  when: inventory_hostname in groups['kube-node'] and
        sync_certs|default(false) and
@@ -144,3 +174,4 @@
 - name: Gen_certs | update ca-certificates (RedHat)
  command: update-ca-trust extract
  when: kube_ca_cert.changed and ansible_os_family == "RedHat"
+