From 0acb823d963e66556170ada6082e309db4560045 Mon Sep 17 00:00:00 2001
From: Bart Laarhoven <bartlaarhoven@users.noreply.github.com>
Date: Mon, 29 Oct 2018 11:45:32 +0100
Subject: [PATCH] Distribute node etcd certificates like it's done in
 kubernetes/secrets (#3486)

* do it like in kubernetes/secrets

* fix indentation

* processed comments

* missed one, sorry

* trailing space fix
---
 roles/etcd/tasks/gen_certs_script.yml | 80 ++++++++++++++++++---------
 1 file changed, 54 insertions(+), 26 deletions(-)

diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index 4e9a4f2e0..f9f574715 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -89,22 +89,10 @@
         '{{ etcd_cert_dir }}/node-{{ node }}-key.pem',
         {% endfor %}]"
   delegate_to: "{{groups['etcd'][0]}}"
-  when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
-        inventory_hostname != groups['etcd'][0]
-  notify: set etcd_secret_changed
-
-- name: Gen_certs | Gather etcd node certs
-  slurp:
-    src: "{{ item }}"
-  register: etcd_node_certs
-  with_items:
-    - "{{ etcd_cert_dir }}/ca.pem"
-    - "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-    - "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
-  delegate_to: "{{groups['etcd'][0]}}"
-  when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
-        inventory_hostname in groups['k8s-cluster']) and
-        sync_certs|default(false) and inventory_hostname not in groups['etcd']
+  when:
+    - inventory_hostname in groups['etcd']
+    - sync_certs|default(false)
+    - inventory_hostname != groups['etcd'][0]
   notify: set etcd_secret_changed
 
 - name: Gen_certs | Write etcd master certs
@@ -115,17 +103,57 @@
     owner: kube
     mode: 0640
   with_items: "{{ etcd_master_certs.results }}"
-  when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
-        inventory_hostname != groups['etcd'][0]
+  when:
+    - inventory_hostname in groups['etcd']
+    - sync_certs|default(false)
+    - inventory_hostname != groups['etcd'][0]
 
-- name: Gen_certs | Write etcd node certs
-  copy:
-    dest: "{{ item.item }}"
-    content: "{{ item.content | b64decode }}"
-    group: "{{ etcd_cert_group }}"
-    owner: kube
-    mode: 0640
-  with_items: "{{ etcd_node_certs.results }}"
+- set_fact:
+    my_etcd_node_certs: ['ca.pem',
+                         'node-{{ inventory_hostname }}.pem',
+                         'node-{{ inventory_hostname }}-key.pem']
+  tags:
+    - facts
+
+- name: "Check_certs | Set 'sync_certs' to true on nodes"
+  set_fact:
+    sync_certs: true
+  when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
+        inventory_hostname in groups['k8s-cluster']) and
+        inventory_hostname not in groups['etcd']
+  with_items:
+    - "{{ my_etcd_node_certs }}"
+
+- name: Gen_certs | Gather node certs
+  shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_etcd_node_certs|join(' ') }} | base64 --wrap=0"
+  args:
+    executable: /bin/bash
+    warn: false
+  no_log: true
+  register: etcd_node_certs
+  check_mode: no
+  delegate_to: "{{groups['etcd'][0]}}"
+  when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
+        inventory_hostname in groups['k8s-cluster']) and
+        sync_certs|default(false) and inventory_hostname not in groups['etcd']
+
+- name: Gen_certs | Copy certs on nodes
+  shell: "base64 -d <<< '{{etcd_node_certs.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
+  args:
+    executable: /bin/bash
+  no_log: true
+  changed_when: false
+  check_mode: no
   when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
         inventory_hostname in groups['k8s-cluster']) and
         sync_certs|default(false) and inventory_hostname not in groups['etcd']
+  notify: set etcd_secret_changed
+
+- name: Gen_certs | check certificate permissions
+  file:
+    path: "{{ etcd_cert_dir }}"
+    group: "{{ etcd_cert_group }}"
+    state: directory
+    owner: kube
+    mode: 0640
+    recurse: yes
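Review bot: The `notify: set etcd_secret_changed` added to the "Copy certs on nodes" task can never fire, because the same task sets `changed_when: false` and a handler is only notified by a task that reports a change; the copy-module task this replaces reported changed only when file content differed, and this shell task has no equivalent detection, so either drop the `changed_when: false` line (accepting a notify on every run) or compare the existing files before extracting. The closing "check certificate permissions" task applies `mode: 0640` with `recurse: yes` to `{{ etcd_cert_dir }}` itself, which strips the execute bit from the directory; a symbolic mode such as `mode: "u=rwX,g=rX,o="` keeps files at 0640 while leaving directories traversable, and since the task has no `when:` guard it presumably creates and re-permissions the directory on every host this file runs on, etcd members included. The gather task's `-T /dev/stdin <<< {{ my_etcd_node_certs|join(' ') }}` only works because bash takes the first word as the here-string and hands the remaining names to tar as positional arguments; passing the list directly, `shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_etcd_node_certs|join(' ') }} | base64 --wrap=0"`, does the same without relying on that quirk. Note also that `no_log: true` keeps the base64-encoded private keys out of the Ansible log, but the copy task still places the whole blob on the bash command line of the target host, where other local users can read it from the process list while the task runs, and the `with_items` loop on the "Set 'sync_certs' to true on nodes" task iterates without ever using `item`, so `sync_certs` is set unconditionally rather than only when a cert is missing.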
-- 
GitLab