External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-01-18 13:11:21 -03:30
Code Issues Packages Projects Releases Wiki Activity
kubespray/roles/etcd/tasks/gen_certs_script.yml
Kenichi Omichi 7afbdb3e1e
Drop canal network_plugin (#10100) 
According to the canal github[1] the repo is not maintained over 5 years.
In addition, the README says
```
  Originally, we thought we might more deeply integrate the two projects
  (possibly even going as far as a rebranding!). However, over time it
  became clear that that wasn't really necessary to fulfil our goal of
  making them work well together. Ultimately, we decided to focus on
  adding features to both projects rather than doing work just to
  combine them.
```
So it is difficult to support canal by Kubespray at this situation.

[1]: https://github.com/projectcalico/canal
2023-05-18 03:40:33 -07:00

167 lines
5.7 KiB
YAML
Raw Blame History

---
- name: Gen_certs | create etcd cert dir
file:
path: "{{ etcd_cert_dir }}"
group: "{{ etcd_cert_group }}"
state: directory
owner: "{{ etcd_owner }}"
mode: "{{ etcd_cert_dir_mode }}"
recurse: yes
- name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
file:
path: "{{ etcd_script_dir }}"
state: directory
owner: root
mode: 0700
run_once: yes
when: inventory_hostname == groups['etcd'][0]
- name: Gen_certs | write openssl config
template:
src: "openssl.conf.j2"
dest: "{{ etcd_config_dir }}/openssl.conf"
mode: 0640
run_once: yes
delegate_to: "{{ groups['etcd'][0] }}"
when:
- gen_certs|default(false)
- inventory_hostname == groups['etcd'][0]
- name: Gen_certs | copy certs generation script
template:
src: "make-ssl-etcd.sh.j2"
dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
mode: 0700
run_once: yes
when:
- gen_certs|default(false)
- inventory_hostname == groups['etcd'][0]
- name: Gen_certs | run cert generation script for etcd and kube control plane nodes
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
environment:
- MASTERS: "{% for m in groups['etcd'] %}
{% if gen_master_certs[m] %}
{{ m }}
{% endif %}
{% endfor %}"
- HOSTS: "{% for h in groups['kube_control_plane'] %}
{% if gen_node_certs[h] %}
{{ h }}
{% endif %}
{% endfor %}"
run_once: yes
delegate_to: "{{ groups['etcd'][0] }}"
when: gen_certs|default(false)
notify: set etcd_secret_changed
- name: Gen_certs | run cert generation script for all clients
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
environment:
- HOSTS: "{% for h in groups['k8s_cluster'] %}
{% if gen_node_certs[h] %}
{{ h }}
{% endif %}
{% endfor %}"
run_once: yes
delegate_to: "{{ groups['etcd'][0] }}"
when:
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
- kube_network_plugin != "calico" or calico_datastore == "etcd"
- gen_certs|default(false)
notify: set etcd_secret_changed
- name: Gen_certs | Gather etcd member/admin and kube_control_plane client certs from first etcd node
slurp:
src: "{{ item }}"
register: etcd_master_certs
with_items:
- "{{ etcd_cert_dir }}/ca.pem"
- "{{ etcd_cert_dir }}/ca-key.pem"
- "[{% for node in groups['etcd'] %}
'{{ etcd_cert_dir }}/admin-{{ node }}.pem',
'{{ etcd_cert_dir }}/admin-{{ node }}-key.pem',
'{{ etcd_cert_dir }}/member-{{ node }}.pem',
'{{ etcd_cert_dir }}/member-{{ node }}-key.pem',
{% endfor %}]"
- "[{% for node in (groups['kube_control_plane']) %}
'{{ etcd_cert_dir }}/node-{{ node }}.pem',
'{{ etcd_cert_dir }}/node-{{ node }}-key.pem',
{% endfor %}]"
delegate_to: "{{ groups['etcd'][0] }}"
when:
- inventory_hostname in groups['etcd']
- sync_certs|default(false)
- inventory_hostname != groups['etcd'][0]
notify: set etcd_secret_changed
- name: Gen_certs | Write etcd member/admin and kube_control_plane client certs to other etcd nodes
copy:
dest: "{{ item.item }}"
content: "{{ item.content | b64decode }}"
group: "{{ etcd_cert_group }}"
owner: "{{ etcd_owner }}"
mode: 0640
with_items: "{{ etcd_master_certs.results }}"
when:
- inventory_hostname in groups['etcd']
- sync_certs|default(false)
- inventory_hostname != groups['etcd'][0]
loop_control:
label: "{{ item.item }}"
- name: Gen_certs | Gather node certs from first etcd node
slurp:
src: "{{ item }}"
register: etcd_master_node_certs
with_items:
- "[{% for node in groups['k8s_cluster'] %}
'{{ etcd_cert_dir }}/node-{{ node }}.pem',
'{{ etcd_cert_dir }}/node-{{ node }}-key.pem',
{% endfor %}]"
delegate_to: "{{ groups['etcd'][0] }}"
when:
- inventory_hostname in groups['etcd']
- inventory_hostname != groups['etcd'][0]
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
- kube_network_plugin != "calico" or calico_datastore == "etcd"
notify: set etcd_secret_changed
- name: Gen_certs | Write node certs to other etcd nodes
copy:
dest: "{{ item.item }}"
content: "{{ item.content | b64decode }}"
group: "{{ etcd_cert_group }}"
owner: "{{ etcd_owner }}"
mode: 0640
with_items: "{{ etcd_master_node_certs.results }}"
when:
- inventory_hostname in groups['etcd']
- inventory_hostname != groups['etcd'][0]
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
- kube_network_plugin != "calico" or calico_datastore == "etcd"
loop_control:
label: "{{ item.item }}"
- include_tasks: gen_nodes_certs_script.yml
when:
- inventory_hostname in groups['kube_control_plane'] and
sync_certs|default(false) and inventory_hostname not in groups['etcd']
- include_tasks: gen_nodes_certs_script.yml
when:
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
- kube_network_plugin != "calico" or calico_datastore == "etcd"
- inventory_hostname in groups['k8s_cluster'] and
sync_certs|default(false) and inventory_hostname not in groups['etcd']
- name: Gen_certs | check certificate permissions
file:
path: "{{ etcd_cert_dir }}"
group: "{{ etcd_cert_group }}"
state: directory
owner: "{{ etcd_owner }}"
mode: "{{ etcd_cert_dir_mode }}"
recurse: yes
Reference in New Issue View Git Blame Copy Permalink