
Enable external CA mode for control-plane deployment (kubernetes-sigs…
julienlefur authored and LuckySB committed Jun 30, 2023
1 parent cad3623 commit 7a11e24
Showing 4 changed files with 31 additions and 4 deletions.
14 changes: 12 additions & 2 deletions roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
Expand Up @@ -19,6 +19,7 @@
register: kubeadm_upload_cert
when:
- inventory_hostname == first_kube_control_plane
- not kube_external_ca_mode

- name: Parse certificate key if not set
set_fact:
Expand Down Expand Up @@ -49,11 +50,20 @@
debug:
msg: "{{ kubeadm_already_run.stat.exists }}"

- name: Joining control plane node to the cluster.
- name: Reset cert directory
shell: >-
if [ -f /etc/kubernetes/manifests/kube-apiserver.yaml ]; then
{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }};
fi &&
fi
environment:
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
when:
- inventory_hostname != first_kube_control_plane
- kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
- not kube_external_ca_mode

- name: Joining control plane node to the cluster.
command: >-
{{ bin_dir }}/kubeadm join
--config {{ kube_config_dir }}/kubeadm-controlplane.yaml
--ignore-preflight-errors=all
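Review bot: The new `Reset cert directory` task sets no `changed_when`, so every secondary control-plane run reports a change even when the `if [ -f … ]` test inside the shell is false and `kubeadm reset` never ran; now that the reset stands on its own it is worth making that condition visible to Ansible with a `stat` and a plain `command` keyed on `.stat.exists`, which also drops the `shell` wrapper. In external CA mode the reset is skipped while the `kubeadm join` that follows still runs with `--ignore-preflight-errors=all`, so a node with stale `/etc/kubernetes` state is joined over it rather than cleaned first; whether that is acceptable depends on the join task's `when`, which lies outside the hunk. The first hunk leaves `kubeadm_upload_cert` as a skipped register in external CA mode, and the body of the `Parse certificate key if not set` task that presumably consumes it is cut off by the hunk, so confirm it tolerates a skipped result.
```yaml
- name: Check for an existing kube-apiserver manifest
  stat:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
  register: kube_apiserver_manifest
  when:
    - inventory_hostname != first_kube_control_plane
    - kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
    - not kube_external_ca_mode

- name: Reset cert directory
  command: "{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }}"
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
  when:
    - inventory_hostname != first_kube_control_plane
    - kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
    - not kube_external_ca_mode
    - kube_apiserver_manifest.stat.exists
# … unchanged: Joining control plane node to the cluster task …
```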
7 changes: 5 additions & 2 deletions roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
Expand Up @@ -101,6 +101,7 @@
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
when:
- kubeadm_already_run.stat.exists
- not kube_external_ca_mode

- name: kubeadm | regenerate apiserver cert 1/2
file:
Expand All @@ -112,6 +113,7 @@
when:
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed
- not kube_external_ca_mode

- name: kubeadm | regenerate apiserver cert 2/2
command: >-
Expand All @@ -121,15 +123,16 @@
when:
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed
- not kube_external_ca_mode

- name: kubeadm | Initialize first master
command: >-
timeout -k 300s 300s
{{ bin_dir }}/kubeadm init
--config={{ kube_config_dir }}/kubeadm-config.yaml
--ignore-preflight-errors=all
--skip-phases=addon/coredns
--upload-certs
--skip-phases={{ kubeadm_init_phases_skip | join(',') }}
{{ kube_external_ca_mode | ternary('', '--upload-certs') }}
register: kubeadm_init
# Retry is because upload config sometimes fails
retries: 3
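Review bot: `kubeadm_init_phases_skip` on the new `--skip-phases` line is not defined in any of the four files of this commit, so if it does not already exist in the role defaults the init task fails on an undefined variable, and if it renders to an empty list the command line carries a bare `--skip-phases=`; also confirm its default still contains `addon/coredns`, which the removed literal guaranteed and which keeps kubeadm from installing a CoreDNS that kubespray deploys itself. Dropping `--upload-certs` via the ternary is the right call for external CA mode, since kubeadm then never copies the control-plane certificates into the kubeadm-certs secret. A comment above the command would make the interaction visible at the call site, e.g. `# kube_external_ca_mode: nothing is uploaded; the phases skipped come from kubeadm_init_phases_skip`. The enclosing task continues past the end of the hunk.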
8 changes: 8 additions & 0 deletions roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
Expand Up @@ -386,3 +386,11 @@
when:
- containerd_config is defined
- not ignore_assert_errors

- name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true)
assert:
that: not auto_renew_certificates
msg: "Variable auto_renew_certificates must be disabled when CA are managed externally: kube_external_ca_mode = true"
when:
- kube_external_ca_mode
- not ignore_assert_errors
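Review bot: The new assert rejects `auto_renew_certificates` in external CA mode but does not verify the precondition stated in the defaults comment of this same commit, that the certificates and CAs are already present in `kube_cert_dir`; without that check a missing CA surfaces much later as a kubeadm init or join failure on the control plane instead of a clear preinstall error. A `stat` on the CA certificate on control-plane hosts, asserted with the same `ignore_assert_errors` escape hatch, catches it early (assuming `kube_cert_dir` is the kubeadm PKI directory, where the CA is `ca.crt`). The message text `CA are managed externally` reads better as `CAs are managed externally`.
```yaml
- name: Stat CA certificate when certificates are managed externally
  stat:
    path: "{{ kube_cert_dir }}/ca.crt"
  register: external_ca_cert
  when:
    - kube_external_ca_mode
    - inventory_hostname in groups['kube_control_plane']

- name: Stop if kube_external_ca_mode is true but no CA certificate is present in kube_cert_dir
  assert:
    that: external_ca_cert.stat.exists
    msg: "kube_external_ca_mode is true but {{ kube_cert_dir }}/ca.crt is missing; provide the CA material before running kubespray"
  when:
    - kube_external_ca_mode
    - inventory_hostname in groups['kube_control_plane']
    - not ignore_assert_errors
```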
6 changes: 6 additions & 0 deletions roles/kubespray-defaults/defaults/main/main.yaml
Expand Up @@ -150,6 +150,12 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
# cert files to. Not really changeable...
kube_cert_group: kube-cert

# Set to true when the CAs are managed externally.
# When true, disables all tasks manipulating certificates. Ensure before the kubespray run that:
# - Certificates and CAs are present in kube_cert_dir
# - Kubeconfig files are present in kube_config_dir
kube_external_ca_mode: false

# Cluster Loglevel configuration
kube_log_level: 2

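Review bot: The comment on the new `kube_external_ca_mode` default says it `disables all tasks manipulating certificates`, which is broader than what this commit shows: it gates the upload-certs, cert-dir reset and apiserver SAN regeneration tasks and drops `--upload-certs` from kubeadm init, while `kubeadm init` and `join` still run and read the externally provided material from `kube_cert_dir`. The verify step in this commit also refuses `auto_renew_certificates` in this mode, which someone enabling the flag should learn here rather than from a failed assert. Suggested wording for the second line: `# When true, kubespray skips kubeadm certificate upload, reset and renewal tasks and does not pass --upload-certs; auto_renew_certificates must be false.` followed by the existing two prerequisite bullets.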
