Individual etcd ssl certs

Includes hooks for triggering calico, kubelet, and kube-apiserver restarts if etcd certs changed.
2026-03-16 08:27:31 -02:30 · 2016-12-13 09:03:35 +00:00
parent de8cd5cd7f
commit ad796d188d
13 changed files with 140 additions and 54 deletions
--- a/roles/kubernetes/master/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/master/tasks/pre-upgrade.yml
@@ -27,3 +27,23 @@
    - /etc/systemd/system/kube-apiserver.service
    - /etc/init.d/kube-apiserver
  tags: kube-apiserver
+
+- name: "Pre-upgrade | See if kube-apiserver manifest exists"
+  stat:
+    path: /etc/kubernetes/manifests/kube-apiserver.manifest
+  register: kube_apiserver_manifest
+  when: secret_changed|default(false) or etcd_secret_changed|default(false)
+
+- name: "Pre-upgrade | Write invalid image to kube-apiserver manifest if secrets were changed"
+  replace:
+    dest: /etc/kubernetes/manifests/kube-apiserver.manifest
+    regexp: '(\s+)image:\s+.*?$'
+    replace: '\1image: kill.apiserver.using.fake.image.in:manifest'
+  register: kube_apiserver_manifest_replaced
+  when: (secret_changed|default(false) or etcd_secret_changed|default(false)) and kube_apiserver_manifest.stat.exists
+
+- name: "Pre-upgrade | Pause while waiting for kubelet to delete kube-apiserver pod"
+  pause: seconds=20
+  when: (secret_changed|default(false) or etcd_secret_changed|default(false)) and kube_apiserver_manifest.stat.exists
+  tags: kube-apiserver
+
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -5,6 +5,7 @@ metadata:
  namespace: {{system_namespace}}
  labels:
    k8s-app: kube-apiserver
+    kargo: v2
 spec:
  hostNetwork: true
  containers:
@@ -18,8 +19,8 @@ spec:
    - --etcd-servers={{ etcd_access_endpoint }}
    - --etcd-quorum-read=true
    - --etcd-cafile={{ etcd_cert_dir }}/ca.pem
-    - --etcd-certfile={{ etcd_cert_dir }}/node.pem
-    - --etcd-keyfile={{ etcd_cert_dir }}/node-key.pem
+    - --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem
+    - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem
    - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
    - --apiserver-count={{ kube_apiserver_count }}
    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota