Fix scaling (#5889) (#5911)

* etcd: etcd-events doesn't depend on etcd_cluster_setup Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * etcd: remove condition already present on include_tasks Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * etcd: fix scaling up Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * etcd: use *access_addresses, do not delegate to etcd[0] We want to wait for the full cluster to be healthy, so use all the cluster addresses Also we should be able to run the playbook when etcd[0] is down (not tested), so do not delegate to etcd[0] Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * etcd: use failed_when for health check unhealthy cluster is expected on first run, so use failed_when instead of ignore_errors to remove scary red messages Also use run_once Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * kubernetes/preinstall: ensure ansible_fqdn is up to date after changing /etc/hosts Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * kubernetes/master: regenerate apiserver cert if needed Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> (cherry picked from commit a35b6dc1af)
2026-02-02 01:58:12 -03:30 · 2020-04-20 03:45:39 -04:00
parent b4d067e2ed
commit fa35cc02a7
5 changed files with 60 additions and 19 deletions
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -103,6 +103,37 @@
    - not upgrade_cluster_setup
    - kubeadm_already_run.stat.exists

+- name: kubeadm | Check if apiserver.crt contains all needed SANs
+  command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip "{{ item }}"
+  with_items: "{{ apiserver_sans }}"
+  register: apiserver_sans_check
+  changed_when: "'does match certificate' not in apiserver_sans_check.stdout"
+  when:
+    - inventory_hostname == groups['kube-master']|first
+    - kubeadm_already_run.stat.exists
+
+- name: kubeadm | regenerate apiserver cert 1/2
+  file:
+    state: absent
+    path: "{{ kube_cert_dir }}/{{ item }}"
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+  when:
+    - inventory_hostname == groups['kube-master']|first
+    - kubeadm_already_run.stat.exists
+    - apiserver_sans_check.changed
+
+- name: kubeadm | regenerate apiserver cert 2/2
+  command: >-
+    {{ bin_dir }}/kubeadm
+    init phase certs apiserver
+    --config={{ kube_config_dir }}/kubeadm-config.yaml
+  when:
+    - inventory_hostname == groups['kube-master']|first
+    - kubeadm_already_run.stat.exists
+    - apiserver_sans_check.changed
+
 - name: kubeadm | Initialize first master
  command: >-
    timeout -k 300s 300s
--- a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
+++ b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
@@ -59,3 +59,8 @@
    backup: yes
    unsafe_writes: yes
  with_dict: "{{ etc_hosts_localhosts_dict_target }}"
+
+# gather facts to update ansible_fqdn
+- name: Update facts
+  setup:
+    gather_subset: min