From 432f8e98417cc4bd2a87c5bc25b6d85865e38686 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?= <ak@patientsky.com>
Date: Mon, 3 Dec 2018 19:44:29 +0100
Subject: [PATCH] Fix basic auth tokens for kubeadm deployment. (#3801)

* Fix basic auth tokens for kubeadm deployment.

* Tokens should be a dependency of master, not nodes
---
 roles/kubernetes/master/meta/main.yml         |  6 ++++
 roles/kubernetes/secrets/tasks/main.yml       | 32 ++-----------------
 .../files/kube-gen-token.sh                   |  0
 .../tasks/check-tokens.yml                    |  0
 .../{secrets => tokens}/tasks/gen_tokens.yml  |  2 --
 roles/kubernetes/tokens/tasks/main.yml        | 19 +++++++++++
 tests/files/gce_centos7-flannel-addons.yml    |  2 ++
 7 files changed, 29 insertions(+), 32 deletions(-)
 create mode 100644 roles/kubernetes/master/meta/main.yml
 rename roles/kubernetes/{secrets => tokens}/files/kube-gen-token.sh (100%)
 mode change 100755 => 100644
 rename roles/kubernetes/{secrets => tokens}/tasks/check-tokens.yml (100%)
 rename roles/kubernetes/{secrets => tokens}/tasks/gen_tokens.yml (97%)
 create mode 100644 roles/kubernetes/tokens/tasks/main.yml

diff --git a/roles/kubernetes/master/meta/main.yml b/roles/kubernetes/master/meta/main.yml
new file mode 100644
index 000000000..f3cd01a64
--- /dev/null
+++ b/roles/kubernetes/master/meta/main.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+  - role: kubernetes/tokens
+    when: kube_token_auth
+    tags:
+      - k8s-secrets
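Review bot: `when: kube_token_auth` on the role dependency raises an undefined-variable error if that variable is not defined in a defaults file that is loaded before meta dependencies are evaluated; `when: kube_token_auth | default(false)` is the safe form. The commit title says this fixes basic auth, and the test file in this patch enables `kube_basic_auth` alongside `kube_token_auth`, yet only the latter gates the tokens role — if `kube_basic_auth: true` on its own is a supported configuration that still needs the token files, the condition should be `when: kube_token_auth | default(false) or kube_basic_auth | default(false)`. Either way a one-line comment above the dependency saying which auth mode requires the tokens role would help the next reader.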
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index abc850cbb..ea5f604c5 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -5,12 +5,6 @@
     - k8s-gen-certs
     - facts
 
-- import_tasks: check-tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
-    - facts
-
 - name: Make sure the certificate directory exits
   file:
     path: "{{ kube_cert_dir }}"
@@ -18,13 +12,6 @@
     mode: o-rwx
     group: "{{ kube_cert_group }}"
 
-- name: Make sure the tokens directory exits
-  file:
-    path: "{{ kube_token_dir }}"
-    state: directory
-    mode: o-rwx
-    group: "{{ kube_cert_group }}"
-
 #
 # The following directory creates make sure that the directories
 # exist on the first master for cases where the first master isn't
@@ -37,7 +24,7 @@
     owner: kube
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
-  when: gen_certs|default(false) or gen_tokens|default(false)
+  when: gen_certs|default(false)
   tags:
     - kubelet
     - k8s-secrets
@@ -55,20 +42,10 @@
     owner: kube
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
-  when: gen_certs|default(false) or gen_tokens|default(false)
+  when: gen_certs|default(false)
   tags:
     - k8s-secrets
 
-- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
-  file:
-    path: "{{ kube_token_dir }}"
-    state: directory
-    mode: o-rwx
-    group: "{{ kube_cert_group }}"
-  run_once: yes
-  delegate_to: "{{groups['kube-master'][0]}}"
-  when: gen_tokens|default(false)
-
 - include_tasks: "gen_certs_script.yml"
   when:
     - cert_management |d('script') == 'script'
@@ -130,8 +107,3 @@
     - kubelet
     - node
     - kube-proxy
-
-- import_tasks: gen_tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
diff --git a/roles/kubernetes/secrets/files/kube-gen-token.sh b/roles/kubernetes/tokens/files/kube-gen-token.sh
old mode 100755
new mode 100644
similarity index 100%
rename from roles/kubernetes/secrets/files/kube-gen-token.sh
rename to roles/kubernetes/tokens/files/kube-gen-token.sh
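Review bot: The rename drops the executable bit on kube-gen-token.sh (`old mode 100755` → `new mode 100644`), which the commit message does not mention and looks accidental. Whether it matters depends on how gen_tokens.yml invokes the script, which is outside this view: an explicit interpreter or Ansible's `script` module works either way, but a `command: /path/kube-gen-token.sh`-style call would fail with permission denied. If the bit is intentionally no longer needed, say so in the commit; otherwise restore it with `git update-index --chmod=+x roles/kubernetes/tokens/files/kube-gen-token.sh`.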
diff --git a/roles/kubernetes/secrets/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml
similarity index 100%
rename from roles/kubernetes/secrets/tasks/check-tokens.yml
rename to roles/kubernetes/tokens/tasks/check-tokens.yml
diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/tokens/tasks/gen_tokens.yml
similarity index 97%
rename from roles/kubernetes/secrets/tasks/gen_tokens.yml
rename to roles/kubernetes/tokens/tasks/gen_tokens.yml
index c24ba50fd..47370c205 100644
--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/tokens/tasks/gen_tokens.yml
@@ -17,7 +17,6 @@
     - "{{ groups['kube-master'] }}"
   register: gentoken_master
   changed_when: "'Added' in gentoken_master.stdout"
-  notify: set secret_changed
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_tokens|default(false)
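Review bot: Dropping `notify: set secret_changed` means a regenerated master token no longer sets the `secret_changed` fact, so whatever consumed it (presumably the restart logic that picks up a rewritten token file) is no longer triggered from this task. If the handler was removed only because it lives in the secrets role and is unreachable from the new tokens role, the equivalent is a `handlers/main.yml` in kubernetes/tokens, or a `set_fact` task setting `secret_changed: true` guarded by `when: gentoken_master.changed or gentoken_node.changed`. The same removal is made on the node-token task in the next hunk. This task's definition starts above the hunk.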
@@ -31,7 +30,6 @@
     - "{{ groups['kube-node'] }}"
   register: gentoken_node
   changed_when: "'Added' in gentoken_node.stdout"
-  notify: set secret_changed
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_tokens|default(false)
diff --git a/roles/kubernetes/tokens/tasks/main.yml b/roles/kubernetes/tokens/tasks/main.yml
new file mode 100644
index 000000000..49b8c13fa
--- /dev/null
+++ b/roles/kubernetes/tokens/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- import_tasks: check-tokens.yml
+  tags:
+    - k8s-secrets
+    - k8s-gen-tokens
+    - facts
+
+- name: Make sure the tokens directory exits
+  file:
+    path: "{{ kube_token_dir }}"
+    state: directory
+    mode: o-rwx
+    group: "{{ kube_cert_group }}"
+
+- import_tasks: gen_tokens.yml
+  tags:
+    - k8s-secrets
+    - k8s-gen-tokens
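Review bot: The tokens directory is now created only on the host the role runs on, while gen_tokens.yml still delegates the generation to `groups['kube-master'][0]`; the deleted task in secrets/tasks/main.yml ("Get_tokens | Make sure the tokens directory exits (on first master)") existed precisely for the case where the first master is not in the play, and that safeguard is lost here. The directory task also carries no tags, so a run limited to `--tags k8s-gen-tokens` executes gen_tokens.yml without ensuring the directory exists. I would restore the delegated task and tag both, as below (fixing the `exits` typo while here).

```yaml
# … unchanged: check-tokens import …

- name: Make sure the tokens directory exists
  file:
    path: "{{ kube_token_dir }}"
    state: directory
    mode: o-rwx
    group: "{{ kube_cert_group }}"
  tags:
    - k8s-secrets
    - k8s-gen-tokens

# gen_tokens.yml delegates to the first master, which may not be in the play
- name: "Gen_tokens | Make sure the tokens directory exists (on {{ groups['kube-master'][0] }})"
  file:
    path: "{{ kube_token_dir }}"
    state: directory
    mode: o-rwx
    group: "{{ kube_cert_group }}"
  run_once: true
  delegate_to: "{{ groups['kube-master'][0] }}"
  when: gen_tokens | default(false)
  tags:
    - k8s-secrets
    - k8s-gen-tokens

# … unchanged: gen_tokens import …
```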
diff --git a/tests/files/gce_centos7-flannel-addons.yml b/tests/files/gce_centos7-flannel-addons.yml
index 3847fbc91..05a9a837f 100644
--- a/tests/files/gce_centos7-flannel-addons.yml
+++ b/tests/files/gce_centos7-flannel-addons.yml
@@ -18,3 +18,5 @@ kube_encrypt_secret_data: true
 ingress_nginx_enabled: true
 cert_manager_enabled: true
 metrics_server_enabled: true
+kube_token_auth: true
+kube_basic_auth: true
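Review bot: Enabling both flags in the same test file means CI only exercises the combined configuration; the case the commit title names (basic auth) is never run without token auth, and because the tokens role dependency added in roles/kubernetes/master/meta/main.yml is gated solely on `kube_token_auth`, a regression for `kube_basic_auth: true` alone would go unnoticed. If that configuration is supported, consider setting only `kube_basic_auth: true` in one of the other test inventories so each path is covered.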
-- 
GitLab