From 8ae77e955e12bb2edc83f8b3433f3842ba364337 Mon Sep 17 00:00:00 2001
From: Brad Beam <bradbeam@users.noreply.github.com>
Date: Fri, 1 Sep 2017 01:02:23 -0500
Subject: [PATCH] Adding in certificate serial numbers to manifests (#1392)

---
 roles/etcd/tasks/main.yml                     |  5 +++
 roles/etcd/tasks/pre_upgrade.yml              |  2 +-
 .../manifests/kube-apiserver.manifest.j2      |  3 ++
 .../kube-controller-manager.manifest.j2       |  3 ++
 .../manifests/kube-scheduler.manifest.j2      |  2 ++
 .../manifests/kube-proxy.manifest.j2          |  2 ++
 roles/kubernetes/secrets/tasks/main.yml       | 32 +++++++++++++++++++
 roles/vault/tasks/shared/issue_cert.yml       |  8 +++++
 8 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 6d8388ee8..a21016941 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -13,6 +13,11 @@
 - include: upd_ca_trust.yml
   tags: etcd-secrets
 
+- name: "Gen_certs | Get etcd certificate serials"
+  shell: "openssl x509 -in {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -noout -serial | cut -d= -f2"
+  register: "node-{{ inventory_hostname }}_serial"
+  when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+
 - include: "install_{{ etcd_deployment_type }}.yml"
   when: is_etcd_master
   tags: upgrade
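Review bot: The `register: "node-{{ inventory_hostname }}_serial"` on the new task does not produce a usable variable — as far as I know `register` is not templated, and a name containing `-`, braces and spaces cannot be referenced from later tasks, so the serial this task reads is effectively discarded (nothing on this page consumes it; the `etcd_node_cert_serial` fact used by the manifests is set elsewhere). Register under a plain identifier, e.g. `register: etcd_node_cert_serial_result`, and derive the fact from its `.stdout`. The task is read-only but will report `changed` on every run; add `changed_when: false`.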
diff --git a/roles/etcd/tasks/pre_upgrade.yml b/roles/etcd/tasks/pre_upgrade.yml
index e86a0d947..c08aee621 100644
--- a/roles/etcd/tasks/pre_upgrade.yml
+++ b/roles/etcd/tasks/pre_upgrade.yml
@@ -34,7 +34,7 @@
 
 - name: "Pre-upgrade | remove etcd-proxy if it exists"
   command: "{{ docker_bin_dir }}/docker rm -f {{item}}"
-  with_items: "{{etcd_proxy_container.stdout_lines}}"
+  with_items: "{{etcd_proxy_container.stdout_lines|default()}}"
 
 - name: "Pre-upgrade | see if etcdctl is installed"
   stat:
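Review bot: `|default()` on the changed `with_items` line yields an empty string, not an empty list, so when `etcd_proxy_container` has no `stdout_lines` the loop most likely runs once with an empty item and executes `docker rm -f ` with no container argument, failing the task instead of skipping it. Use `default([])` so the loop is a no-op: `with_items: "{{etcd_proxy_container.stdout_lines|default([])}}"`. The task that registers `etcd_proxy_container` is outside this hunk, so whether it can leave the variable entirely undefined is not visible here.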
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 1032ba482..f5dec5589 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -6,6 +6,9 @@ metadata:
   labels:
     k8s-app: kube-apiserver
     kubespray: v2
+  annotations:
+    kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial }}"
+    kubespray.apiserver-cert/serial: "{{ apiserver_cert_serial }}"
 spec:
   hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=')  %}
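Review bot: `{{ etcd_node_cert_serial }}` and `{{ apiserver_cert_serial }}` in the new annotations are referenced unconditionally, yet on this page those facts are only set by tasks in roles/kubernetes/secrets/tasks/main.yml that are gated on group membership; if that role's tasks do not run for a host (inferred, not visible here — e.g. when certificates are issued via Vault, whose issue_cert.yml hunk writes a file but sets no fact), templating this manifest fails on an undefined variable. Consider `kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial | default('') }}"` (and likewise for the other value), or document the guarantee that the facts exist. A one-line comment above `annotations:` stating why the serials are embedded — presumably so the static pod is restarted when a certificate is rotated, which should be confirmed — would help the next maintainer. The same applies to the kube-controller-manager, kube-scheduler and kube-proxy manifest hunks.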
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index 8d08dfeb6..e0ef08fe4 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -5,6 +5,9 @@ metadata:
   namespace: {{system_namespace}}
   labels:
     k8s-app: kube-controller
+  annotations:
+    kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial }}"
+    kubespray.controller-manager-cert/serial: "{{ controller_manager_cert_serial }}"
 spec:
   hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
index e9422d4a1..6353ca102 100644
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -5,6 +5,8 @@ metadata:
   namespace: {{ system_namespace }}
   labels:
     k8s-app: kube-scheduler
+  annotations:
+    kubespray.scheduler-cert/serial: "{{ scheduler_cert_serial }}"
 spec:
   hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 65feeee65..daf0fcb4f 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -5,6 +5,8 @@ metadata:
   namespace: {{system_namespace}}
   labels:
     k8s-app: kube-proxy
+  annotations:
+    kubespray.kube-proxy-cert/serial: "{{ kube_proxy_cert_serial }}"
 spec:
   hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index d2ce2283d..2a15591df 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -75,5 +75,37 @@
 - include: upd_ca_trust.yml
   tags: k8s-secrets
 
+- name: "Gen_certs | Get certificate serials on kube masters"
+  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
+  register: "master_certificate_serials"
+  with_items:
+    - "admin-{{ inventory_hostname }}.pem"
+    - "apiserver.pem"
+    - "kube-controller-manager.pem"
+    - "kube-scheduler.pem"
+  when: inventory_hostname in groups['kube-master']
+
+- name: "Gen_certs | set kube master certificate serial facts"
+  set_fact:
+    etcd_admin_cert_serial: "{{ master_certificate_serials.results[0].stdout|default() }}"
+    apiserver_cert_serial: "{{ master_certificate_serials.results[1].stdout|default() }}"
+    controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
+    scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
+  when: inventory_hostname in groups['kube-master']
+
+- name: "Gen_certs | Get certificate serials on kube nodes"
+  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
+  register: "node_certificate_serials"
+  with_items:
+    - "node-{{ inventory_hostname }}.pem"
+    - "kube-proxy-{{ inventory_hostname }}.pem"
+  when: inventory_hostname in groups['k8s-cluster']
+
+- name: "Gen_certs | set kube node certificate serial facts"
+  set_fact:
+    etcd_node_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
+    kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
+  when: inventory_hostname in groups['k8s-cluster']
+
 - include: gen_tokens.yml
   tags: k8s-secrets
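Review bot: `etcd_node_cert_serial` in the node set_fact is derived from `{{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem`, whereas the hunk in roles/etcd/tasks/main.yml reads the etcd node certificate from `{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem`; unless those two directories coincide, the `kubespray.etcd-cert/serial` annotation will track the Kubernetes node certificate and will not change when the etcd certificate is rotated. Either feed this fact from the etcd role's registered result or point the item at `etcd_cert_dir`. Both openssl tasks are read-only but will report `changed` on every run; add `changed_when: false` to each. `etcd_admin_cert_serial` is read from `admin-{{ inventory_hostname }}.pem`, which by its path is a Kubernetes admin certificate, so the `etcd_` prefix is misleading and nothing on this page consumes it.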
diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml
index d3dbbd9e8..fa09bfd2b 100644
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -66,3 +66,11 @@
     mode: "{{ issue_cert_file_mode | d('0644') }}"
     owner: "{{ issue_cert_file_owner | d('root') }}"
   when: issue_cert_copy_ca|default(false)
+
+- name: issue_cert | Copy certificate serial to all hosts
+  copy:
+    content: "{{ hostvars[issue_cert_hosts|first]['issue_cert_result']['json']['data']['serial_number'] }}"
+    dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial }}"
+    group: "{{ issue_cert_file_group | d('root' )}}"
+    mode: "{{ issue_cert_file_mode | d('0640') }}"
+    owner: "{{ issue_cert_file_owner | d('root') }}"
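Review bot: `dest:` on the new copy task has a stray ` }}` after `.serial` — the Jinja expression already closes after `|first`, so the literal suffix `.serial }}` becomes part of the file name; it should read `dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial"`. The value written is Vault's `serial_number`, whose formatting I believe differs (colon-separated) from the `openssl x509 -noout -serial` output the other hunks capture, so the `.serial` file should not be assumed comparable to those facts without normalising. Nothing on this page reads the file back into the `*_cert_serial` facts the manifests reference, so Vault-issued hosts appear to need a follow-up. `d('root' )` on the `group:` line has a stray space before the closing parenthesis.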
-- 
GitLab