Always backup both certs and kubeconfig

There are no reasons not to backup during upgrade Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

Always backup both certs and kubeconfig
53e5ef6b · Etienne Champetier · Kubernetes Prow Robot · 8800b5c0 · 53e5ef6b · 8800b5c0
Commit 53e5ef6b authored 4 years ago by Etienne Champetier Committed by Kubernetes Prow Robot 4 years ago
--- a/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
+---
+- name: Backup old certs and keys
+  copy:
+    src: "{{ kube_cert_dir }}/{{ item }}"
+    dest: "{{ kube_cert_dir }}/{{ item }}.old"
+    mode: preserve
+    remote_src: yes
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+    - apiserver-kubelet-client.crt
+    - apiserver-kubelet-client.key
+    - front-proxy-client.crt
+    - front-proxy-client.key
+  ignore_errors: yes
+
+- name: Backup old confs
+  copy:
+    src: "{{ kube_config_dir }}/{{ item }}"
+    dest: "{{ kube_config_dir }}/{{ item }}.old"
+    mode: preserve
+    remote_src: yes
+  with_items:
+    - admin.conf
+    - controller-manager.conf
+    - kubelet.conf
+    - scheduler.conf
+  ignore_errors: yes
--- a/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
---
- name: Backup old certs and keys
-  copy:
-    src: "{{ kube_cert_dir }}/{{ item.src }}"
-    dest: "{{ kube_cert_dir }}/{{ item.dest }}"
-    mode: 0640
-    remote_src: yes
-  with_items:
-    - {src: apiserver.crt, dest: apiserver.crt.old}
-    - {src: apiserver.key, dest: apiserver.key.old}
-    - {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
-    - {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
-    - {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
-    - {src: front-proxy-client.key, dest: front-proxy-client.key.old}
-  ignore_errors: yes
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -18,6 +18,11 @@
    get_mime: no
  register: kubeadm_already_run

+- name: kubeadm | Backup kubeadm certs / kubeconfig
+  import_tasks: kubeadm-backup.yml
+  when:
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | aggregate all SANs
  set_fact:
    apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn) | unique }}"
@@ -68,12 +73,6 @@
 - name: kubeadm | set kubeadm version
  import_tasks: kubeadm-version.yml

- name: kubeadm | Certificate management with kubeadm
-  import_tasks: kubeadm-certificate.yml
-  when:
-    - not upgrade_cluster_setup
-    - kubeadm_already_run.stat.exists
-
 - name: kubeadm | Check if apiserver.crt contains all needed SANs
  command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
  with_items: "{{ apiserver_sans }}"