Adding in certificate serial numbers to manifests (#1392)

2026-03-22 19:35:03 -02:30 · 2017-09-01 01:02:23 -05:00
parent 783924e671
commit 8ae77e955e
8 changed files with 56 additions and 1 deletions
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -6,6 +6,9 @@ metadata:
  labels:
    k8s-app: kube-apiserver
    kubespray: v2
+  annotations:
+    kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial }}"
+    kubespray.apiserver-cert/serial: "{{ apiserver_cert_serial }}"
 spec:
  hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=')  %}
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -5,6 +5,9 @@ metadata:
  namespace: {{system_namespace}}
  labels:
    k8s-app: kube-controller
+  annotations:
+    kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial }}"
+    kubespray.controller-manager-cert/serial: "{{ controller_manager_cert_serial }}"
 spec:
  hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -5,6 +5,8 @@ metadata:
  namespace: {{ system_namespace }}
  labels:
    k8s-app: kube-scheduler
+  annotations:
+    kubespray.scheduler-cert/serial: "{{ scheduler_cert_serial }}"
 spec:
  hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -5,6 +5,8 @@ metadata:
  namespace: {{system_namespace}}
  labels:
    k8s-app: kube-proxy
+  annotations:
+    kubespray.kube-proxy-cert/serial: "{{ kube_proxy_cert_serial }}"
 spec:
  hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -75,5 +75,37 @@
 - include: upd_ca_trust.yml
  tags: k8s-secrets

+- name: "Gen_certs | Get certificate serials on kube masters"
+  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
+  register: "master_certificate_serials"
+  with_items:
+    - "admin-{{ inventory_hostname }}.pem"
+    - "apiserver.pem"
+    - "kube-controller-manager.pem"
+    - "kube-scheduler.pem"
+  when: inventory_hostname in groups['kube-master']
+
+- name: "Gen_certs | set kube master certificate serial facts"
+  set_fact:
+    etcd_admin_cert_serial: "{{ master_certificate_serials.results[0].stdout|default() }}"
+    apiserver_cert_serial: "{{ master_certificate_serials.results[1].stdout|default() }}"
+    controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
+    scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
+  when: inventory_hostname in groups['kube-master']
+
+- name: "Gen_certs | Get certificate serials on kube nodes"
+  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
+  register: "node_certificate_serials"
+  with_items:
+    - "node-{{ inventory_hostname }}.pem"
+    - "kube-proxy-{{ inventory_hostname }}.pem"
+  when: inventory_hostname in groups['k8s-cluster']
+
+- name: "Gen_certs | set kube node certificate serial facts"
+  set_fact:
+    etcd_node_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
+    kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
+  when: inventory_hostname in groups['k8s-cluster']
+
 - include: gen_tokens.yml
  tags: k8s-secrets