Unverified Commit 6ad66098 authored by Etienne Champetier's avatar Etienne Champetier Committed by GitHub

Fix certificates checking when adding etcd node to existing k8s node (#5807)

parent 474fbf09
...@@ -33,10 +33,29 @@ ...@@ -33,10 +33,29 @@
['{{ etcd_cert_dir }}/ca.pem', ['{{ etcd_cert_dir }}/ca.pem',
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort %} {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort %}
{% for host in all_etcd_hosts %} {% for host in all_etcd_hosts %}
'{{ etcd_cert_dir }}/node-{{ host }}-key.pem' '{{ etcd_cert_dir }}/node-{{ host }}-key.pem',
'{{ etcd_cert_dir }}/admin-{{ host }}-key.pem',
'{{ etcd_cert_dir }}/member-{{ host }}-key.pem'
{% if not loop.last %}{{','}}{% endif %} {% if not loop.last %}{{','}}{% endif %}
{% endfor %}] {% endfor %}]
- name: "Check_certs | Set 'gen_master_certs' to true"
set_fact:
gen_master_certs: |-
{
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort -%}
{% set existing_certs = etcdcert_master.files|map(attribute='path')|list|sort %}
{% for host in all_etcd_hosts -%}
{% set host_cert = "%s/member-%s-key.pem"|format(etcd_cert_dir, host) %}
{% if host_cert in existing_certs -%}
"{{ host }}": False,
{% else -%}
"{{ host }}": True,
{% endif -%}
{% endfor %}
}
run_once: true
- name: "Check_certs | Set 'gen_node_certs' to true" - name: "Check_certs | Set 'gen_node_certs' to true"
set_fact: set_fact:
gen_node_certs: |- gen_node_certs: |-
...@@ -59,6 +78,7 @@ ...@@ -59,6 +78,7 @@
sync_certs: true sync_certs: true
when: when:
- gen_node_certs[inventory_hostname] or - gen_node_certs[inventory_hostname] or
gen_master_certs[inventory_hostname] or
(not etcdcert_node.results[0].stat.exists|default(false)) or (not etcdcert_node.results[0].stat.exists|default(false)) or
(not etcdcert_node.results[1].stat.exists|default(false)) or (not etcdcert_node.results[1].stat.exists|default(false)) or
(etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) (etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|map(attribute="checksum")|first|default(''))
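Review bot: The `gen_master_certs` loop iterates `all_etcd_hosts` (k8s-cluster, etcd and calico-rr), yet the only visible consumer that selects hosts for member-cert generation, the `MASTERS` loop in the other file section, walks `groups['etcd']`. If member keys are indeed created only for etcd members, every non-etcd host maps to `True`, and the `gen_master_certs[inventory_hostname]` clause added to the `when:` in the second hunk then holds on every run for those hosts, so the sync decision never converges and key material is copied again without need. Iterating `{% for host in groups['etcd'] -%}` and reading the flag as `gen_master_certs[inventory_hostname]|default(false)` would confine it to etcd members. The same question applies to the `admin-{{ host }}-key.pem` and `member-{{ host }}-key.pem` entries added for every host to the expected-file list in the first hunk; the task that consumes that list starts outside the hunk, so confirm it there.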
...@@ -55,7 +55,7 @@ ...@@ -55,7 +55,7 @@
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}" command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
environment: environment:
- MASTERS: "{% for m in groups['etcd'] %} - MASTERS: "{% for m in groups['etcd'] %}
{% if gen_node_certs[m] %} {% if gen_master_certs[m] %}
{{ m }} {{ m }}
{% endif %} {% endif %}
{% endfor %}" {% endfor %}"
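Review bot: `gen_master_certs[m]` on the `{% if %}` line reflects only whether `member-<host>-key.pem` is present in `etcdcert_master.files`, since that is the single path the new set_fact in the other file section tests, so an etcd member whose admin key is missing but whose member key exists is left out of `MASTERS`. Whether that matters depends on make-ssl-etcd.sh, which is not shown here; if it issues both admin and member certs per master, the flag should also test `admin-<host>-key.pem`. A one-line comment above `MASTERS`, such as `# etcd members whose member key was not found in etcdcert_master.files`, would make the split from `gen_node_certs` explicit.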