diff --git a/docs/upgrades.md b/docs/upgrades.md
index 6297976ddb5194fff154a81f270af8b9c8441a11..26a4a180b85816e52363807a84fd163cad065319 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -81,3 +81,55 @@ kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
 recreated. All other invalidated service account tokens are cleaned up
 automatically, but other pods are not deleted out of an abundance of caution
 for impact to user deployed pods.
+
+### Component-based upgrades
+
+A deployer may want to upgrade specific components in order to minimize risk
+or save time. This strategy is not covered by CI as of this writing, so it is
+not guaranteed to work.
+
+These commands are useful only for upgrading fully-deployed, healthy, existing
+hosts. This will definitely not work for undeployed or partially deployed
+hosts.
+
+Upgrade etcd:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd
+```
+
+Upgrade vault:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=vault
+```
+
+Upgrade kubelet:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+```
+
+Upgrade Kubernetes master components:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master
+```
+
+Upgrade network plugins:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network
+```
+
+Upgrade all add-ons:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps
+```
+
+Upgrade just helm (assuming `helm_enabled` is true):
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm
+```
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index c35a9cab6561cad78f28ca9826cbaed6bbb9e398..38df04d731a363161a76993561cd4706ce34e8e5 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -19,11 +19,17 @@
 register: "etcd_client_cert_serial_result"
 changed_when: false
 when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+ tags:
+ - master
+ - network
 - name: Set etcd_client_cert_serial
 set_fact:
 etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
 when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+ tags:
+ - master
+ - network
 - include_tasks: "install_{{ etcd_deployment_type }}.yml"
 when: is_etcd_master
diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml
index 63a529aceba7147eb3601f708bae9350c6f97028..fe4b6c9c8081e61a9bf835df24356f7f870a86df 100644
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -1,19 +1,4 @@
 ---
-- name: install | Set SSL CA directories
- set_fact:
- ssl_ca_dirs: "[
- {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
- '/usr/share/ca-certificates',
- {% elif ansible_os_family == 'RedHat' -%}
- '/etc/pki/tls',
- '/etc/pki/ca-trust',
- {% elif ansible_os_family == 'Debian' -%}
- '/usr/share/ca-certificates',
- {% endif -%}
- ]"
- tags:
- - facts
-
 - name: Set kubelet deployment to host if kubeadm is enabled
 set_fact:
 kubelet_deployment_type: host
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index 52fedae5b03d8d9430434c429739dd1e7a9d433b..d36c3a057289c92632842e5883eb77c509e6c747 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -2,11 +2,13 @@
 - import_tasks: check-certs.yml
 tags:
 - k8s-secrets
+ - k8s-gen-certs
 - facts
 - import_tasks: check-tokens.yml
 tags:
 - k8s-secrets
+ - k8s-gen-tokens
 - facts
 - name: Make sure the certificate directory exits
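Review bot: The new `tags` list is pasted verbatim onto two tasks that must always run together — the `openssl` lookup that registers `etcd_client_cert_serial_result` and the `set_fact` that reads its `.stdout` — and both already repeat the same long `when:` expression, so the next edit to one of them can desynchronize a `--tags=master` or `--tags=network` run (lookup skipped, `set_fact` then fails on the undefined register, or the reverse). Wrapping the pair in a single `block:` carrying one `when:` and one `tags:` keeps the conditions and tags aligned by construction. The lookup task's `name`/`shell` lines start before this hunk, so only the shape of the block is sketched below.

```yaml
- block:
    # … unchanged: "Gen_certs | Get etcd certificate serials" shell task, register/changed_when …
    - name: Set etcd_client_cert_serial
      set_fact:
        etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
  when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
  tags:
    - master
    - network
```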
@@ -70,10 +72,12 @@
 - include_tasks: "gen_certs_{{ cert_management }}.yml"
 tags:
 - k8s-secrets
+ - k8s-gen-certs
 - import_tasks: upd_ca_trust.yml
 tags:
 - k8s-secrets
+ - k8s-gen-certs
 - name: "Gen_certs | Get certificate serials on kube masters"
 shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -85,6 +89,10 @@
 - "kube-controller-manager.pem"
 - "kube-scheduler.pem"
 when: inventory_hostname in groups['kube-master']
+ tags:
+ - master
+ - kubelet
+ - node
 - name: "Gen_certs | set kube master certificate serial facts"
 set_fact:
@@ -93,6 +101,10 @@
 controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
 scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
 when: inventory_hostname in groups['kube-master']
+ tags:
+ - master
+ - kubelet
+ - node
 - name: "Gen_certs | Get certificate serials on kube nodes"
 shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -108,7 +120,11 @@
 kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
 kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
 when: inventory_hostname in groups['k8s-cluster']
+ tags:
+ - kubelet
+ - node
 - import_tasks: gen_tokens.yml
 tags:
 - k8s-secrets
+ - k8s-gen-tokens
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 3471508509ae51f0692c16e23a3ba8d9cba8e77f..074bd4b1e4547fe782778f5a80aa4c3bd6af2121 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
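Review bot: The `kubelet`/`node` tags added to the node-serial `set_fact` in the `@@ -108,7 +120,11 @@` hunk only work if the `shell` task that registers `node_certificate_serials` carries the same tags, and that task (its `with_items` and `register`) falls between the `-93` and `-108` hunks, so the diff does not show whether it was tagged. If it was left untagged, the documented kubelet upgrade (`cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens`) skips the lookup and this `set_fact` templates `node_certificate_serials.results[0]` against a never-registered variable; the trailing `|default()` only covers the final `.stdout`, so on Ansible versions whose undefined type does not chain attribute access this fails the play. Please give that task the same `tags: [kubelet, node]` as the master lookup gets at new line 89, or guard the fact with `when: inventory_hostname in groups['k8s-cluster'] and node_certificate_serials is defined`. The master-side pair (lookup at `-85`, facts at `-93`) is tagged consistently and needs no change.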
@@ -279,6 +279,18 @@ proxy_env:
 https_proxy: "{{ https_proxy| default ('') }}"
 no_proxy: "{{ no_proxy| default ('') }}"
+ssl_ca_dirs: >-
+ [
+ {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+ '/usr/share/ca-certificates',
+ {% elif ansible_os_family == 'RedHat' -%}
+ '/etc/pki/tls',
+ '/etc/pki/ca-trust',
+ {% elif ansible_os_family == 'Debian' -%}
+ '/usr/share/ca-certificates',
+ {% endif -%}
+ ]
+
 # Vars for pointing to kubernetes api endpoints
 is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
 kube_apiserver_count: "{{ groups['kube-master'] | length }}"
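Review bot: `ssl_ca_dirs` lands in `kubespray-defaults` with no comment saying what consumes it or why it is keyed on `ansible_os_family`, and the `if`/`elif` chain has no `else`, so any family not listed (Suse and others) silently renders `[ ]` — presumably meaning the host's CA trust store is never exposed to whatever the removed `install | Set SSL CA directories` fact fed (the kubelet mounts, I assume; confirm). Now that it is an overridable default rather than a role-internal fact, a header comment stops the next reader from widening or overriding it blind: `# Host CA-trust directories exposed to components that need the system trust store; empty for OS families not listed above — override in group_vars for other distributions.` Worth also stating in that comment that the folded scalar renders to the text `[ '...', ]` and relies on Ansible coercing it to a list at use time, since an inventory override written as a real YAML list is a different type.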