diff --git a/roles/download/tasks/kubeadm_images.yml b/roles/download/tasks/kubeadm_images.yml
index 4ed068b918fbd0ba1ac828c65402b69fdd700f2e..6492151d14283ef2d941790c77d3af22070fff75 100644
--- a/roles/download/tasks/kubeadm_images.yml
+++ b/roles/download/tasks/kubeadm_images.yml
@@ -1,3 +1,4 @@
+---
 - name: kubeadm | Create kubeadm config
   template:
     src: "kubeadm-images.yaml.j2"
diff --git a/roles/kubernetes/master/tasks/kubeadm-certificate.yml b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a2ce2d6761ced7d7b067cebd6db8e24c5c33f8a6
--- /dev/null
+++ b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
@@ -0,0 +1,42 @@
+---
+- name: Backup old certs and keys
+  copy:
+    src: "{{ kube_cert_dir }}/{{ item.src }}"
+    dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    remote_src: yes
+  with_items:
+    - {src: apiserver.crt, dest: apiserver.crt.old}
+    - {src: apiserver.key, dest: apiserver.key.old}
+    - {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
+    - {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
+    - {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
+    - {src: front-proxy-client.key, dest: front-proxy-client.key.old}
+  ignore_errors: yes
+
+- name: Remove old certs and keys
+  file:
+    path: "{{ kube_cert_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+    - apiserver-kubelet-client.crt
+    - apiserver-kubelet-client.key
+    - front-proxy-client.crt
+    - front-proxy-client.key
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm init phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '>=')
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm alpha phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '<')
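Review bot: The `Backup old certs and keys` task copies three private keys (`apiserver.key`, `apiserver-kubelet-client.key`, `front-proxy-client.key`) to `.old` files without setting `mode` or `owner`, so the permissions of the copies depend on the copy module's defaults and the remote umask instead of being pinned. Adding an explicit `mode: "0600"` to that `copy` would keep the backups from ending up more readable than the live keys; the same applies to the `admin.conf.old` and other kubeconfig backups in kubeadm-kubeconfig.yml. Because the backup carries `ignore_errors: yes`, the removal task that follows deletes the live certs even when the backup failed for a reason other than a missing source file. Nothing visible in this file removes the `.old` key material afterwards, so superseded private keys appear to stay on disk indefinitely.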
diff --git a/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml b/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5e48773e6a292b18bef3e51a386d8c9194bc456b
--- /dev/null
+++ b/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml
@@ -0,0 +1,32 @@
+---
+- name: Backup old configuration files
+  copy:
+    src: "{{ kube_config_dir }}/{{ item.src }}"
+    dest: "{{ kube_config_dir }}/{{ item.dest }}"
+    remote_src: yes
+  with_items:
+    - {src: admin.conf, dest: admin.conf.old}
+    - {src: kubelet.conf, dest: kubelet.conf.old}
+    - {src: controller-manager.conf, dest: controller-manager.conf.old}
+    - {src: scheduler.conf, dest: scheduler.conf.old}
+  ignore_errors: yes
+
+- name: Remove old configuration files
+  file:
+    path: "{{ kube_config_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - admin.conf
+    - kubelet.conf
+    - controller-manager.conf
+    - scheduler.conf
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm init phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  when: kubeadm_version is version('v1.13.0', '>=')
+  ignore_errors: yes
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm alpha phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  when: kubeadm_version is version('v1.13.0', '<')
+  ignore_errors: yes
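Review bot: Both `Generate new configuration files` tasks set `ignore_errors: yes` immediately after the previous task has deleted `admin.conf`, `kubelet.conf`, `controller-manager.conf` and `scheduler.conf`, so a failed `kubeadm ... phase kubeconfig all` leaves the master without kubeconfigs while the play carries on as if it had succeeded. I would drop `ignore_errors: yes` from the two generate tasks so the run stops at the point where the `.old` copies can still be restored. The two tasks also share one name, which makes the run log ambiguous about which kubeadm syntax was used; a suffix such as `(kubeadm >= v1.13.0)` and `(kubeadm < v1.13.0)` would fix that.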
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 32f1703256d0b502d47b1ad2e4ee548de67b2fd2..1b3f9d4603dbcf8cf6e8d9bde8fd57606b7d645f 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -10,10 +10,10 @@
   import_tasks: kubeadm-migrate-certs.yml
   when: old_apiserver_cert.stat.exists
 
-- name: kubeadm | Check service account key
+- name: kubeadm | Check apiserver key
   stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-  register: sa_key_before
+    path: "{{ kube_cert_dir }}/apiserver.key"
+  register: apiserver_key_before
   delegate_to: "{{groups['kube-master']|first}}"
   run_once: true
 
@@ -95,6 +95,12 @@
 - name: kubeadm | set kubeadm version
   import_tasks: kubeadm-version.yml
 
+- name: kubeadm | Certificate management with kubeadm
+  import_tasks: kubeadm-certificate.yml
+  when:
+    - not upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | Initialize first master
   command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
   register: kubeadm_init
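Review bot: The `when` list on the new `kubeadm-certificate.yml` import checks only `not upgrade_cluster_setup` and `kubeadm_already_run.stat.exists`, so as far as this hunk shows every ordinary re-run against an already initialised master deletes and reissues the apiserver, apiserver-kubelet-client and front-proxy-client certificates. The `kubeadm-kubeconfig.yml` import in the next hunk is guarded by the same two conditions and has the same effect on the kubeconfig files. If reissuing on every run is intended, a comment above the import such as `# Reissues apiserver and front-proxy certs on every non-upgrade run of an initialised master` would make that explicit. Otherwise an additional condition (an opt-in variable or a certificate-expiry check) would keep routine runs from rotating credentials and triggering the `secret_changed` handler.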
@@ -136,6 +142,12 @@
   with_items: "{{ kubeadm_certs.results }}"
   when: inventory_hostname != groups['kube-master']|first
 
+- name: kubeadm | Kubeconfig management with kubeadm
+  import_tasks: kubeadm-kubeconfig.yml
+  when:
+    - not upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | Init other uninitialized masters
   command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
   register: kubeadm_init
@@ -149,17 +161,17 @@
   import_tasks: kubeadm-upgrade.yml
   when: upgrade_cluster_setup
 
-- name: kubeadm | Check service account key again
+- name: kubeadm | Check apiserver key again
   stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-  register: sa_key_after
+    path: "{{ kube_cert_dir }}/apiserver.key"
+  register: apiserver_key_after
   delegate_to: "{{groups['kube-master']|first}}"
   run_once: true
 
 - name: kubeadm | Set secret_changed if service account key was updated
   command: /bin/true
   notify: Master | set secret_changed
-  when: sa_key_before.stat.checksum|default("") != sa_key_after.stat.checksum
+  when: apiserver_key_before.stat.checksum|default("") != apiserver_key_after.stat.checksum
 
 - name: kubeadm | cleanup old certs if necessary
   import_tasks: kubeadm-cleanup-old-certs.yml
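Review bot: The task name `kubeadm | Set secret_changed if service account key was updated` is stale after this change, because its `when` now compares `apiserver_key_before` with `apiserver_key_after`; it should read `kubeadm | Set secret_changed if apiserver key was updated`. With the `stat` path switched from `sa.key` to `apiserver.key` here and in the first hunk of this file, a change of the service account key no longer notifies `Master | set secret_changed`. If anything still depends on that trigger, it needs its own check. The new condition also keeps `default("")` only on the `before` side, so a missing `apiserver.key` after the run would presumably surface as an undefined-attribute error rather than a changed checksum; `apiserver_key_after.stat.checksum|default("")` would make both sides symmetric.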