From 6ad660987278ca3c711c3f89c1fc3f206ed02d67 Mon Sep 17 00:00:00 2001
From: Etienne Champetier <champetier.etienne@gmail.com>
Date: Wed, 25 Mar 2020 15:46:25 -0400
Subject: [PATCH] Fix certificates checking when adding etcd node to existing
 k8s node (#5807)

Co-authored-by: alexkomrakov <alexkomrakov@gmail.com>
---
 roles/etcd/tasks/check_certs.yml      | 24 ++++++++++++++++++++++--
 roles/etcd/tasks/gen_certs_script.yml |  2 +-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml
index e0ee9f7e9..aa77e4d09 100644
--- a/roles/etcd/tasks/check_certs.yml
+++ b/roles/etcd/tasks/check_certs.yml
@@ -33,10 +33,29 @@
        ['{{ etcd_cert_dir }}/ca.pem',
        {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort %}
        {% for host in all_etcd_hosts %}
-       '{{ etcd_cert_dir }}/node-{{ host }}-key.pem'
-       {% if not loop.last %}{{','}}{% endif %}
+         '{{ etcd_cert_dir }}/node-{{ host }}-key.pem',
+         '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem',
+         '{{ etcd_cert_dir }}/member-{{ host }}-key.pem'
+         {% if not loop.last %}{{','}}{% endif %}
        {% endfor %}]
 
+- name: "Check_certs | Set 'gen_master_certs' to true"
+  set_fact:
+    gen_master_certs: |-
+      {
+      {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort -%}
+      {% set existing_certs = etcdcert_master.files|map(attribute='path')|list|sort %}
+      {% for host in all_etcd_hosts -%}
+        {% set host_cert = "%s/member-%s-key.pem"|format(etcd_cert_dir, host) %}
+        {% if host_cert in existing_certs -%}
+        "{{ host }}": False,
+        {% else -%}
+        "{{ host }}": True,
+        {% endif -%}
+      {% endfor %}
+      }
+  run_once: true
+
 - name: "Check_certs | Set 'gen_node_certs' to true"
   set_fact:
     gen_node_certs: |-
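Review bot: The new `gen_master_certs` fact decides each host from the presence of `member-<host>-key.pem` alone (the `{% set host_cert = ... %}` line), although the find patterns just above now also collect `admin-<host>-key.pem`, so a host whose admin key is missing or was removed stays `False` and its certificates are never regenerated, whereas a missing member key is flagged correctly. If `etcdcert_master` is the registered result of that find task (the task starts outside the hunk, so this is inferred), the test can cover both files: `{% set member_key = "%s/member-%s-key.pem"|format(etcd_cert_dir, host) %}`, `{% set admin_key = "%s/admin-%s-key.pem"|format(etcd_cert_dir, host) %}`, `{% if member_key in existing_certs and admin_key in existing_certs -%}`. Only key-file presence is tested, not the matching certificate or its validity, which mirrors the existing `gen_node_certs` check and is worth stating on the task, e.g. `# Regenerate a host's member/admin certs only when its key file is absent on the cert master; existing certs are not validated here.`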
@@ -59,6 +78,7 @@
     sync_certs: true
   when:
     - gen_node_certs[inventory_hostname] or
+      gen_master_certs[inventory_hostname] or
       (not etcdcert_node.results[0].stat.exists|default(false)) or
       (not etcdcert_node.results[1].stat.exists|default(false)) or
       (etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|map(attribute="checksum")|first|default(''))
diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index aa8e98b93..adc7c99e8 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -55,7 +55,7 @@
   command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
   environment:
     - MASTERS: "{% for m in groups['etcd'] %}
-                  {% if gen_node_certs[m] %}
+                  {% if gen_master_certs[m] %}
                     {{ m }}
                   {% endif %}
                 {% endfor %}"
-- 
GitLab