Use include/import tasks (#2192)

import_tasks will consume far less memory, so it should be used whenever it is compatible.

Use include/import tasks (#2192)
dc6a17e0 · Matthew Mosesohn · GitHub · f4180503 · dc6a17e0 · dc6a17e0
Unverified Commit dc6a17e0 authored 7 years ago by Matthew Mosesohn Committed by GitHub 7 years ago
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
 ---
- include: sync_kube_master_certs.yml
+- import_tasks: sync_kube_master_certs.yml
  when: inventory_hostname in groups['kube-master']

- include: sync_kube_node_certs.yml
+- import_tasks: sync_kube_node_certs.yml
  when: inventory_hostname in groups['k8s-cluster']

 # Issue admin certs to kube-master hosts
- include: ../../../vault/tasks/shared/issue_cert.yml
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "admin"
    issue_cert_copy_ca: "{{ item == kube_admin_certs_needed|first }}"
@@ -37,7 +37,7 @@
  run_once: true

 # Issue master components certs to kube-master hosts
- include: ../../../vault/tasks/shared/issue_cert.yml
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "kubernetes"
    issue_cert_alt_names: "{{ kube_cert_alt_names }}"
@@ -63,7 +63,7 @@
  notify: set secret_changed

 # Issue node certs to k8s-cluster nodes
- include: ../../../vault/tasks/shared/issue_cert.yml
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    # Need to strip out the 'node-' prefix from the cert name so it can be used
    # with the node authorization plugin ( CN matches kubelet node name )
@@ -80,7 +80,7 @@
  when: inventory_hostname in groups['k8s-cluster']

 # Issue proxy certs to k8s-cluster nodes
- include: ../../../vault/tasks/shared/issue_cert.yml
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "system:kube-proxy"
    issue_cert_copy_ca: "{{ item == kube_proxy_certs_needed|first }}"

--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
 ---
- include: check-certs.yml
+- import_tasks: check-certs.yml
  tags:
    - k8s-secrets
    - facts

- include: check-tokens.yml
+- import_tasks: check-tokens.yml
  tags:
    - k8s-secrets
    - facts
@@ -69,11 +69,11 @@
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_tokens|default(false)

- include: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_{{ cert_management }}.yml"
  tags:
    - k8s-secrets

- include: upd_ca_trust.yml
+- import_tasks: upd_ca_trust.yml
  tags:
    - k8s-secrets

@@ -111,6 +111,6 @@
    kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
  when: inventory_hostname in groups['k8s-cluster']

- include: gen_tokens.yml
+- import_tasks: gen_tokens.yml
  tags:
    - k8s-secrets
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -4,7 +4,7 @@
  set_fact:
    kube_admin_cert_list: "{{ kube_admin_cert_list|d([]) + ['admin-' + inventory_hostname + '.pem'] }}"

- include: ../../../vault/tasks/shared/sync_file.yml
+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
  vars:
    sync_file: "{{ item }}"
    sync_file_dir: "{{ kube_cert_dir }}"
@@ -24,7 +24,7 @@
  set_fact:
    sync_file_results: []

- include: ../../../vault/tasks/shared/sync_file.yml
+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
  vars:
    sync_file: "{{ item }}"
    sync_file_dir: "{{ kube_cert_dir }}"
@@ -44,7 +44,7 @@
  set_fact:
    sync_file_results: []

- include: ../../../vault/tasks/shared/sync_file.yml
+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
  vars:
    sync_file: ca.pem
    sync_file_dir: "{{ kube_cert_dir }}"

--- a/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml
@@ -4,7 +4,7 @@
  set_fact:
    kube_node_cert_list: "{{ kube_node_cert_list|default([]) + ['node-' + inventory_hostname + '.pem'] }}"

- include: ../../../vault/tasks/shared/sync_file.yml
+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
  vars:
    sync_file: "{{ item }}"
    sync_file_dir: "{{ kube_cert_dir }}"
@@ -24,7 +24,7 @@
  set_fact:
    sync_file_results: []

- include: ../../../vault/tasks/shared/sync_file.yml
+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
  vars:
    sync_file: ca.pem
    sync_file_dir: "{{ kube_cert_dir }}"
@@ -40,7 +40,7 @@
  set_fact:
    kube_proxy_cert_list: "{{ kube_proxy_cert_list|default([]) + ['kube-proxy-' + inventory_hostname + '.pem'] }}"

- include: ../../../vault/tasks/shared/sync_file.yml
+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
  vars:
    sync_file: "{{ item }}"
    sync_file_dir: "{{ kube_cert_dir }}"

--- a/roles/network_plugin/flannel/tasks/main.yml
+++ b/roles/network_plugin/flannel/tasks/main.yml
 ---
- include: pre-upgrade.yml
+- import_tasks: pre-upgrade.yml

 - name: Flannel | Create Flannel manifests
  template:
@@ -11,4 +11,4 @@
  register: flannel_node_manifests
  when:
    - inventory_hostname in groups['kube-master']
-    - rbac_enabled or item.type not in rbac_resources
\ No newline at end of file
+    - rbac_enabled or item.type not in rbac_resources
--- a/roles/network_plugin/weave/tasks/main.yml
+++ b/roles/network_plugin/weave/tasks/main.yml
 ---
- include: seed.yml
+- import_tasks: seed.yml
  when: weave_mode_seed

 - name: Weave | Copy cni plugins from hyperkube

--- a/roles/rkt/tasks/main.yml
+++ b/roles/rkt/tasks/main.yml
 ---

 - name: Install rkt
-  include: install.yml
+  import_tasks: install.yml
--- a/roles/vault/tasks/bootstrap/create_mounts.yml
+++ b/roles/vault/tasks/bootstrap/create_mounts.yml
 ---
- include: ../shared/create_mount.yml
+- include_tasks: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ item.name }}"
    create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"

--- a/roles/vault/tasks/bootstrap/create_roles.yml
+++ b/roles/vault/tasks/bootstrap/create_roles.yml
 ---
- include: ../shared/create_role.yml
+- include_tasks: ../shared/create_role.yml
  vars:
    create_role_name: "{{ item.name }}"
    create_role_group: "{{ item.group }}"

--- a/roles/vault/tasks/bootstrap/gen_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/gen_vault_certs.yml
 ---
- include: ../shared/issue_cert.yml
+- import_tasks: ../shared/issue_cert.yml
  vars:
    issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
    issue_cert_alt_names: "{{ groups['vault'] + ['localhost'] + (vault_ca_options['vault']['alt_names'].split(','))|default() }}"

--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
 ---
- include: ../shared/check_vault.yml
+- import_tasks: ../shared/check_vault.yml
  when: inventory_hostname in groups.vault

- include: sync_secrets.yml
+- import_tasks: sync_secrets.yml
  when: inventory_hostname in groups.vault

- include: ../shared/find_leader.yml
+- import_tasks: ../shared/find_leader.yml
  when: inventory_hostname in groups.vault and vault_cluster_is_initialized

- include: sync_vault_certs.yml
+- import_tasks: sync_vault_certs.yml
  when: inventory_hostname in groups.vault

- include: sync_etcd_certs.yml
+- import_tasks: sync_etcd_certs.yml
  when: inventory_hostname in groups.etcd

- include: start_vault_temp.yml
+- import_tasks: start_vault_temp.yml
  when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized

 - name: vault | Set fact about vault leader url
@@ -22,17 +22,17 @@
    vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  when: not vault_cluster_is_initialized

- include: create_mounts.yml
+- import_tasks: create_mounts.yml
  when: inventory_hostname == groups.vault|first

- include: ../shared/auth_backend.yml
+- include_tasks: ../shared/auth_backend.yml
  vars:
    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
    auth_backend_path: userpass
    auth_backend_type: userpass
  when: inventory_hostname == groups.vault|first

- include: create_roles.yml
+- include_tasks: create_roles.yml
  with_items:
    - "{{ vault_pki_mounts.vault }}"
    - "{{ vault_pki_mounts.etcd }}"
@@ -40,7 +40,7 @@
    loop_var: mount
  when: inventory_hostname in groups.vault

- include: ../shared/gen_ca.yml
+- include_tasks: ../shared/gen_ca.yml
  vars:
    gen_ca_cert_dir: "{{ vault_pki_mounts.vault.cert_dir }}"
    gen_ca_mount_path: "{{ vault_pki_mounts.vault.name }}"
@@ -51,7 +51,7 @@
        and not vault_cluster_is_initialized
        and vault_ca_cert_needed

- include: ../shared/gen_ca.yml
+- include_tasks: ../shared/gen_ca.yml
  vars:
    gen_ca_cert_dir: "{{ vault_pki_mounts.etcd.cert_dir }}"
    gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
@@ -59,7 +59,7 @@
    gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed

- include: gen_vault_certs.yml
+- import_tasks: gen_vault_certs.yml
  when: inventory_hostname in groups.vault and vault_api_cert_needed

- include: ca_trust.yml
+- import_tasks: ca_trust.yml
--- a/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
+++ b/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
 ---

- include: ../shared/sync_file.yml
+- include_tasks: ../shared/sync_file.yml
  vars:
    sync_file: "ca.pem"
    sync_file_dir: "{{ vault_etcd_cert_dir }}"

--- a/roles/vault/tasks/bootstrap/sync_secrets.yml
+++ b/roles/vault/tasks/bootstrap/sync_secrets.yml
 ---

- include: ../shared/sync_file.yml
+- include_tasks: ../shared/sync_file.yml
  vars:
    sync_file: "{{ item }}"
    sync_file_dir: "{{ vault_secrets_dir }}"

--- a/roles/vault/tasks/bootstrap/sync_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/sync_vault_certs.yml
 ---
- include: ../shared/sync_file.yml
+- include_tasks: ../shared/sync_file.yml
  vars:
    sync_file: "ca.pem"
    sync_file_dir: "{{ vault_cert_dir }}"
@@ -14,7 +14,7 @@
  set_fact:
    sync_file_results: []

- include: ../shared/sync_file.yml
+- include_tasks: ../shared/sync_file.yml
  vars:
    sync_file: "api.pem"
    sync_file_dir: "{{ vault_cert_dir }}"

--- a/roles/vault/tasks/cluster/create_mounts.yml
+++ b/roles/vault/tasks/cluster/create_mounts.yml
 ---
- include: ../shared/create_mount.yml
+- include_tasks: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ item.name }}"
    create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"

--- a/roles/vault/tasks/cluster/create_roles.yml
+++ b/roles/vault/tasks/cluster/create_roles.yml
 ---
- include: ../shared/create_role.yml
+- include_tasks: ../shared/create_role.yml
  vars:
    create_role_name: "{{ item.name }}"
    create_role_group: "{{ item.group }}"

--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
 ---
- include: ../shared/check_vault.yml
+- import_tasks: ../shared/check_vault.yml
  when: inventory_hostname in groups.vault

- include: ../shared/check_etcd.yml
+- import_tasks: ../shared/check_etcd.yml
  when: inventory_hostname in groups.vault

- include: configure.yml
+- import_tasks: configure.yml
  when: inventory_hostname in groups.vault

- include: binary.yml
+- import_tasks: binary.yml
  when: inventory_hostname in groups.vault and vault_deployment_type == "host"

- include: systemd.yml
+- import_tasks: systemd.yml
  when: inventory_hostname in groups.vault

- include: init.yml
+- import_tasks: init.yml
  when: inventory_hostname in groups.vault

- include: unseal.yml
+- import_tasks: unseal.yml
  when: inventory_hostname in groups.vault

- include: ../shared/find_leader.yml
+- import_tasks: ../shared/find_leader.yml
  when: inventory_hostname in groups.vault

- include: create_mounts.yml
+- import_tasks: create_mounts.yml
  when: inventory_hostname == groups.vault|first

- include: ../shared/gen_ca.yml
+- include_tasks: ../shared/gen_ca.yml
  vars:
    gen_ca_cert_dir: "{{ vault_pki_mounts.kube.cert_dir }}"
    gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
@@ -34,14 +34,14 @@
    gen_ca_vault_options: "{{ vault_ca_options.kube }}"
  when: inventory_hostname in groups.vault

- include: ../shared/auth_backend.yml
+- include_tasks: ../shared/auth_backend.yml
  vars:
    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
    auth_backend_path: userpass
    auth_backend_type: userpass
  when: inventory_hostname == groups.vault|first

- include: create_roles.yml
+- include_tasks: create_roles.yml
  with_items:
    - "{{ vault_pki_mounts.vault }}"
    - "{{ vault_pki_mounts.etcd }}"

--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@@ -11,9 +11,9 @@
 #    used during step 1, allowing all certs to have the same chain of trust.

 ## Bootstrap
- include: bootstrap/main.yml
+- include_tasks: bootstrap/main.yml
  when: cert_management == 'vault' and vault_bootstrap | d()

 ## Cluster
- include: cluster/main.yml
+- include_tasks: cluster/main.yml
  when: cert_management == 'vault' and not vault_bootstrap | d()
--- a/roles/vault/tasks/shared/cert_auth_mount.yml
+++ b/roles/vault/tasks/shared/cert_auth_mount.yml
 ---

- include: ../shared/pki_mount.yml
+- include_tasks: ../shared/pki_mount.yml
  vars:
    pki_mount_path: auth-pki
    pki_mount_options:

--- a/roles/vault/tasks/shared/create_mount.yml
+++ b/roles/vault/tasks/shared/create_mount.yml
 ---
- include: ../shared/pki_mount.yml
+- include_tasks: ../shared/pki_mount.yml
  vars:
    pki_mount_path: "{{ create_mount_path }}"
    pki_mount_options:
@@ -8,7 +8,7 @@
        max_lease_ttl: "{{ create_mount_max_lease_ttl }}"
      description: "{{ create_mount_description }}"

- include: ../shared/config_ca.yml
+- include_tasks: ../shared/config_ca.yml
  vars:
    config_ca_ca_pem: "{{ create_mount_cert_dir }}/ca.pem"
    config_ca_ca_key: "{{ create_mount_cert_dir }}/ca-key.pem"