From aeadaa11844a20b2cc35f5516d9c03834f022242 Mon Sep 17 00:00:00 2001
From: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
Date: Fri, 10 Feb 2017 12:50:26 +0100
Subject: [PATCH] Set ssl_ca_dirs for rkt based on fact

Since the systemd kubelet.service template uses {{ ssl_ca_dirs }}, the fact must be
gathered before kubelet.service is written.

Closes: #1007
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
---
 roles/kubernetes/node/tasks/install.yml                |  8 ++++----
 roles/kubernetes/node/templates/kubelet.rkt.service.j2 | 10 +++++++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml
index e949e87de..b45a42194 100644
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -21,10 +21,6 @@
     path: /var/lib/kubelet
   when: kubelet_deployment_type == "rkt"
 
-- name: install | Write kubelet systemd init file
-  template: "src=kubelet.{{ kubelet_deployment_type }}.service.j2 dest=/etc/systemd/system/kubelet.service backup=yes"
-  notify: restart kubelet
-
 - name: install | Set SSL CA directories
   set_fact:
     ssl_ca_dirs: "[
@@ -39,6 +35,10 @@
     ]"
   tags: facts
 
+- name: install | Write kubelet systemd init file
+  template: "src=kubelet.{{ kubelet_deployment_type }}.service.j2 dest=/etc/systemd/system/kubelet.service backup=yes"
+  notify: restart kubelet
+
 - name: install | Install kubelet launch script
   template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
   notify: restart kubelet
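Review bot: The moved task on lines 35-37 carries no comment recording why it must follow `install | Set SSL CA directories`, which is the whole reason for this change; a later reorder would silently reintroduce #1007, since the rkt unit template in this patch reads `ssl_ca_dirs` at render time. I would add above the task `# Must stay after "Set SSL CA directories": kubelet.rkt.service.j2 renders ssl_ca_dirs`. The set_fact is tagged `facts` while this task is not, so a run that skips that tag would presumably fail this task on an undefined `ssl_ca_dirs` for the rkt deployment type; tagging only the set_fact looks deliberate in this role, so documenting the dependency seems sufficient. As a matter of style the module arguments are still in `key=value` string form; the block form with an explicit mode, shown below, follows the Ansible convention and makes the unit file's permissions explicit rather than umask-derived.
```yaml
- name: install | Write kubelet systemd init file
  template:
    src: "kubelet.{{ kubelet_deployment_type }}.service.j2"
    dest: /etc/systemd/system/kubelet.service
    backup: true
    mode: "0644"
  notify: restart kubelet
```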
diff --git a/roles/kubernetes/node/templates/kubelet.rkt.service.j2 b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
index 12ce01c75..a36ce1ef9 100644
--- a/roles/kubernetes/node/templates/kubelet.rkt.service.j2
+++ b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
@@ -27,9 +27,11 @@ ExecStart=/usr/bin/rkt run \
         --volume etcd-ssl,kind=host,source={{ etcd_config_dir }},readOnly=true \
         --volume opt-cni,kind=host,source=/opt/cni,readOnly=true \
         --volume run,kind=host,source=/run,readOnly=false \
-        --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
+        {% for dir in ssl_ca_dirs -%}
+        --volume {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},kind=host,source={{ dir }},readOnly=true \
+        {% endfor -%}
         --volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \
-	--volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
+        --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
         --volume var-log,kind=host,source=/var/log \
         --mount volume=dns,target=/etc/resolv.conf \
         --mount volume=etc-cni,target=/etc/cni \
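Review bot: The volume name derived on line 52 (`dir | regex_replace('^/(.*)$', '\\1') | regex_replace('/', '-')`) only rewrites slashes, so any entry of `ssl_ca_dirs` containing characters rkt does not accept in a volume name (as far as I recall only lowercase letters, digits and `-` are valid, so `_`, `.` or uppercase would be rejected) makes `rkt run` refuse the unit at service start rather than failing at template time. The body of the `ssl_ca_dirs` list is not in this diff, so if the role fixes it to conventional paths this is fine, but a third step such as `| regex_replace('[^a-z0-9-]', '-')` would make the name derivation safe for any directory an operator adds. The same expression is repeated verbatim in the `--mount` loop of the second hunk (lines 65-67); since the `--volume` and `--mount` names must agree exactly, defining it once near the top of the template, e.g. `{% macro volname(p) %}{{ p | regex_replace('^/(.*)$', '\\1') | regex_replace('/', '-') }}{% endmacro %}`, and calling `volname(dir)` in both loops removes the risk of the two drifting apart. Mounting the CA directories with `readOnly=true` is the right choice: the kubelet's trust store stays host-controlled.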
@@ -38,7 +40,9 @@ ExecStart=/usr/bin/rkt run \
         --mount volume=etcd-ssl,target={{ etcd_config_dir }} \
         --mount volume=opt-cni,target=/opt/cni \
         --mount volume=run,target=/run \
-        --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
+        {% for dir in ssl_ca_dirs -%}
+        --mount volume={{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},target={{ dir }} \
+        {% endfor -%}
         --mount volume=var-lib-docker,target=/var/lib/docker \
         --mount volume=var-lib-kubelet,target=/var/lib/kubelet \
         --mount volume=var-log,target=/var/log \
-- 
GitLab