Commit
145e5c89
authored
Sep 27, 2018
by
刘旭
Committed by
k8s-ci-robot
Sep 27, 2018
use copy and slurp module (#3313)
parent
28315ca9
Showing
2 changed files
roles/etcd/tasks/gen_certs_script.yml
+39
-79
39 additions, 79 deletions
roles/etcd/tasks/gen_certs_script.yml
roles/etcd/tasks/install_host.yml
+5
-19
5 additions, 19 deletions
roles/etcd/tasks/install_host.yml
with
44 additions
and
98 deletions
roles/etcd/tasks/gen_certs_script.yml
+
39
−
79
...
@@ -71,101 +71,61 @@
...
@@ -71,101 +71,61 @@
-
inventory_hostname == groups['etcd'][0]
-
inventory_hostname == groups['etcd'][0]
notify
:
set etcd_secret_changed
notify
:
set etcd_secret_changed
-
set_fact
:
-
name
:
Gen_certs | Gather etcd master certs
all_master_certs
:
"
['ca-key.pem',
slurp
:
{%
for
node
in
groups['etcd']
%}
src
:
"
{{
item
}}"
'admin-{{
node
}}.pem',
register
:
etcd_master_certs
'admin-{{
node
}}-key.pem',
with_items
:
'member-{{
node
}}.pem',
-
"
{{
etcd_cert_dir
}}/ca.pem"
'member-{{
node
}}-key.pem',
-
"
{{
etcd_cert_dir
}}/ca-key.pem"
-
"
[{%
for
node
in
groups['etcd']
%}
'{{
etcd_cert_dir
}}/admin-{{
node
}}.pem',
'{{
etcd_cert_dir
}}/admin-{{
node
}}-key.pem',
'{{
etcd_cert_dir
}}/member-{{
node
}}.pem',
'{{
etcd_cert_dir
}}/member-{{
node
}}-key.pem',
{%
endfor
%}]"
{%
endfor
%}]"
my_master_certs
:
[
'
ca-key.pem'
,
-
"
[{%
for
node
in
(groups['k8s-cluster']
+
groups['calico-rr']|default([]))|unique
%}
'
admin-{{
inventory_hostname
}}.pem'
,
'{{
etcd_cert_dir
}}/node-{{
node
}}.pem',
'
admin-{{
inventory_hostname
}}-key.pem'
,
'{{
etcd_cert_dir
}}/node-{{
node
}}-key.pem',
'
member-{{
inventory_hostname
}}.pem'
,
'
member-{{
inventory_hostname
}}-key.pem'
]
all_node_certs
:
"
['ca.pem',
{%
for
node
in
(groups['k8s-cluster']
+
groups['calico-rr']|default([]))|unique
%}
'node-{{
node
}}.pem',
'node-{{
node
}}-key.pem',
{%
endfor
%}]"
{%
endfor
%}]"
my_node_certs
:
[
'
ca.pem'
,
'
node-{{
inventory_hostname
}}.pem'
,
'
node-{{
inventory_hostname
}}-key.pem'
]
tags
:
-
facts
-
name
:
Gen_certs | Gather etcd master certs
shell
:
"
tar
cfz
-
-C
{{
etcd_cert_dir
}}
-T
/dev/stdin
<<<
{{
my_master_certs|join('
')
}}
{{
all_node_certs|join('
')
}}
|
base64
--wrap=0"
args
:
executable
:
/bin/bash
register
:
etcd_master_cert_data
no_log
:
true
check_mode
:
no
delegate_to
:
"
{{groups['etcd'][0]}}"
delegate_to
:
"
{{groups['etcd'][0]}}"
when
:
inventory_hostname in groups['etcd'] and sync_certs|default(false) and
when
:
inventory_hostname in groups['etcd'] and sync_certs|default(false) and
inventory_hostname != groups['etcd'][0]
inventory_hostname != groups['etcd'][0]
notify
:
set etcd_secret_changed
notify
:
set etcd_secret_changed
-
name
:
Gen_certs | Gather etcd node certs
-
name
:
Gen_certs | Gather etcd node certs
shell
:
"
tar
cfz
-
-C
{{
etcd_cert_dir
}}
-T
/dev/stdin
<<<
{{
my_node_certs|join('
')
}}
|
base64
--wrap=0"
slurp
:
args
:
src
:
"
{{
item
}}"
executable
:
/bin/bash
register
:
etcd_node_certs
register
:
etcd_node_cert_data
with_items
:
no_log
:
true
-
"
{{
etcd_cert_dir
}}/ca.pem"
check_mode
:
no
-
"
{{
etcd_cert_dir
}}/node-{{
inventory_hostname
}}.pem"
-
"
{{
etcd_cert_dir
}}/node-{{
inventory_hostname
}}-key.pem"
delegate_to
:
"
{{groups['etcd'][0]}}"
delegate_to
:
"
{{groups['etcd'][0]}}"
when
:
(('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
when
:
(('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
inventory_hostname in groups['k8s-cluster']) and
inventory_hostname in groups['k8s-cluster']) and
sync_certs|default(false) and inventory_hostname not in groups['etcd']
sync_certs|default(false) and inventory_hostname not in groups['etcd']
notify
:
set etcd_secret_changed
notify
:
set etcd_secret_changed
# NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
-
name
:
Gen_certs | Write etcd master certs
# char limit when using shell command
# FIXME(mattymo): Use tempfile module in ansible 2.3
-
name
:
Gen_certs | Prepare tempfile for unpacking certs
command
:
mktemp /tmp/certsXXXXX.tar.gz
register
:
cert_tempfile
when
:
inventory_hostname in groups['etcd'] and sync_certs|default(false) and
inventory_hostname != groups['etcd'][0]
-
name
:
Gen_certs | Write master certs to tempfile
copy
:
copy
:
content
:
"
{{etcd_master_cert_data.stdout}}"
dest
:
"
{{
item.item
}}"
dest
:
"
{{cert_tempfile.stdout}}"
content
:
"
{{
item.content
|
b64decode
}}"
owner
:
root
group
:
"
{{
etcd_cert_group
}}"
mode
:
"
0600"
owner
:
kube
when
:
inventory_hostname in groups['etcd'] and sync_certs|default(false) and
mode
:
0640
inventory_hostname != groups['etcd'][0]
with_items
:
"
{{
etcd_master_certs.results
}}"
-
name
:
Gen_certs | Unpack certs on masters
shell
:
"
base64
-d
<
{{
cert_tempfile.stdout
}}
|
tar
xz
-C
{{
etcd_cert_dir
}}"
no_log
:
true
changed_when
:
false
check_mode
:
no
when
:
inventory_hostname in groups['etcd'] and sync_certs|default(false) and
inventory_hostname != groups['etcd'][0]
notify
:
set secret_changed
-
name
:
Gen_certs | Cleanup tempfile
file
:
path
:
"
{{cert_tempfile.stdout}}"
state
:
absent
when
:
inventory_hostname in groups['etcd'] and sync_certs|default(false) and
when
:
inventory_hostname in groups['etcd'] and sync_certs|default(false) and
inventory_hostname != groups['etcd'][0]
inventory_hostname != groups['etcd'][0]
-
name
:
Gen_certs | Copy certs on nodes
-
name
:
Gen_certs | Write etcd node certs
shell
:
"
base64
-d
<<<
'{{etcd_node_cert_data.stdout|quote}}'
|
tar
xz
-C
{{
etcd_cert_dir
}}"
copy
:
args
:
dest
:
"
{{
item.item
}}"
executable
:
/bin/bash
content
:
"
{{
item.content
|
b64decode
}}"
changed_when
:
false
when
:
sync_certs|default(false) and
inventory_hostname not in groups['etcd']
-
name
:
Gen_certs | check certificate permissions
file
:
path
:
"
{{
etcd_cert_dir
}}"
group
:
"
{{
etcd_cert_group
}}"
group
:
"
{{
etcd_cert_group
}}"
state
:
directory
owner
:
kube
owner
:
kube
mode
:
"
640"
mode
:
0640
recurse
:
yes
with_items
:
"
{{
etcd_node_certs.results
}}"
when
:
(('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
inventory_hostname in groups['k8s-cluster']) and
sync_certs|default(false) and inventory_hostname not in groups['etcd']
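Review bot: The new `slurp` tasks (`Gen_certs | Gather etcd master certs`, `Gen_certs | Gather etcd node certs`) and the `copy` tasks that loop over `etcd_master_certs.results` and `etcd_node_certs.results` do not appear to carry `no_log: true`, which the removed `shell` tasks had. Each registered result holds the base64 content of `ca-key.pem` and the per-host `*-key.pem` files, and Ansible prints the loop item on every iteration, so private key material can end up in console output and in any logging callback. I would add `no_log: true` to all four tasks. Which side each line belongs to is inferred from the rendered side-by-side text, so this should be confirmed against the raw diff.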
roles/etcd/tasks/install_host.yml
+
5
−
19
---
---
-
name
:
install | Copy etcd and etcdctl binary from download dir
-
name
:
install | Copy etcd and etcdctl binary from download dir
synchronize
:
copy
:
src
:
"
{{
local_release_dir
}}/etcd-{{
etcd_version
}}-linux-amd64/{{
item
}}"
src
:
"
{{
local_release_dir
}}/etcd-{{
etcd_version
}}-linux-amd64/{{
item
}}"
dest
:
"
{{
bin_dir
}}/{{
item
}}"
dest
:
"
{{
bin_dir
}}/{{
item
}}"
compress
:
no
mode
:
0755
perms
:
yes
remote_src
:
yes
owner
:
no
group
:
no
changed_when
:
false
delegate_to
:
"
{{
inventory_hostname
}}"
with_items
:
with_items
:
-
"
etcd"
-
etcd
-
"
etcdctl"
-
etcdctl
when
:
etcd_cluster_setup
-
name
:
install | Set etcd and etcdctl binary permissions
file
:
path
:
"
{{
bin_dir
}}/{{
item
}}"
mode
:
"
0755"
state
:
file
with_items
:
-
"
etcd"
-
"
etcdctl"
when
:
etcd_cluster_setup
when
:
etcd_cluster_setup
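Review bot: `mode: 0755` on the new `copy` task is an unquoted octal literal, whereas the removed `file` task wrote `mode: "0755"`; quoting keeps the value a string so it does not depend on how the YAML loader treats a leading zero. The same applies to `mode: 0640` in roles/etcd/tasks/gen_certs_script.yml. The new task also does not state who owns the installed binaries; if `{{ bin_dir }}` is meant to hold root-owned executables, adding `owner: root` and `group: root` would make that explicit instead of leaving it to whichever user the play runs as.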