Add tags to deploy components by --tags option (#2960)

* Add tags for cert serial tasks

This will help facilitate tag-based deployment of specific components.

* fixup kubernetes node

roles/etcd/tasks/main.yml

@@ -19,11 +19,17 @@
   register: "etcd_client_cert_serial_result"
   changed_when: false
   when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network
 
 - name: Set etcd_client_cert_serial
   set_fact:
     etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
   when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network
 
 - include_tasks: "install_{{ etcd_deployment_type }}.yml"
   when: is_etcd_master

roles/kubernetes/node/tasks/install.yml

@@ -1,19 +1,4 @@
 ---
-- name: install | Set SSL CA directories
-  set_fact:
-    ssl_ca_dirs: "[
-      {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
-      '/usr/share/ca-certificates',
-      {% elif ansible_os_family == 'RedHat' -%}
-      '/etc/pki/tls',
-      '/etc/pki/ca-trust',
-      {% elif ansible_os_family == 'Debian' -%}
-      '/usr/share/ca-certificates',
-      {% endif -%}
-    ]"
-  tags:
-    - facts
-
 - name: Set kubelet deployment to host if kubeadm is enabled
   set_fact:
     kubelet_deployment_type: host

roles/kubernetes/secrets/tasks/main.yml

@@ -2,11 +2,13 @@
 - import_tasks: check-certs.yml
   tags:
     - k8s-secrets
+    - k8s-gen-certs
     - facts
 
 - import_tasks: check-tokens.yml
   tags:
     - k8s-secrets
+    - k8s-gen-tokens
     - facts
 
 - name: Make sure the certificate directory exits
@@ -70,10 +72,12 @@
 - include_tasks: "gen_certs_{{ cert_management }}.yml"
   tags:
     - k8s-secrets
+    - k8s-gen-certs
 
 - import_tasks: upd_ca_trust.yml
   tags:
     - k8s-secrets
+    - k8s-gen-certs
 
 - name: "Gen_certs | Get certificate serials on kube masters"
   shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -85,6 +89,10 @@
     - "kube-controller-manager.pem"
     - "kube-scheduler.pem"
   when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node
 
 - name: "Gen_certs | set kube master certificate serial facts"
   set_fact:
@@ -93,6 +101,10 @@
     controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
     scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
   when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node
 
 - name: "Gen_certs | Get certificate serials on kube nodes"
   shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -108,7 +120,11 @@
     kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
     kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
   when: inventory_hostname in groups['k8s-cluster']
+  tags:
+    - kubelet
+    - node
 
 - import_tasks: gen_tokens.yml
   tags:
     - k8s-secrets
+    - k8s-gen-tokens

roles/kubespray-defaults/defaults/main.yaml

@@ -279,6 +279,18 @@ proxy_env:
   https_proxy: "{{ https_proxy| default ('') }}"
   no_proxy: "{{ no_proxy| default ('') }}"
 
+ssl_ca_dirs: >-
+  [
+  {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+  '/usr/share/ca-certificates',
+  {% elif ansible_os_family == 'RedHat' -%}
+  '/etc/pki/tls',
+  '/etc/pki/ca-trust',
+  {% elif ansible_os_family == 'Debian' -%}
+  '/usr/share/ca-certificates',
+  {% endif -%}
+  ]
+
 # Vars for pointing to kubernetes api endpoints
 is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
 kube_apiserver_count: "{{ groups['kube-master'] | length }}"