From 135d5e90354062919d4bfb100ba09720322cf8f8 Mon Sep 17 00:00:00 2001 From: atsikham Date: Tue, 25 Aug 2020 09:27:22 +0200 Subject: [PATCH 1/6] Refactored certificates settings --- .../roles/kubernetes_master/templates/kubeadm-config.yml.j2 | 2 +- .../data/common/defaults/configuration/kubernetes-master.yml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 index 716fc9417e..ff4eede0a8 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 @@ -46,5 +46,5 @@ imageRepository: {{ image_registry_address }}/{{ specification.advanced.imageRep imageRepository: {{ custom_image_registry_address }}/{{ specification.advanced.imageRepository }} {% endif %} -certificatesDir: {{ specification.advanced.certificatesDir }} +certificatesDir: {{ specification.advanced.certificates.location }} diff --git a/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml b/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml index a409a99212..baa03036f3 100644 --- a/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml +++ b/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml @@ -28,7 +28,9 @@ specification: serviceSubnet: 10.96.0.0/12 plugin: flannel # valid options: calico, flannel, canal (due to lack of support for calico on Azure - use canal) imageRepository: k8s.gcr.io - certificatesDir: /etc/kubernetes/pki + certificates: + location: /etc/kubernetes/pki + expiration_days: 365 etcd_args: encrypted: yes From c356401119f67115ff4e4d96ba1797ddfafca5d5 Mon Sep 17 00:00:00 2001 
From: atsikham
Date: Wed, 26 Aug 2020 15:26:27 +0200
Subject: [PATCH 2/6] Added initial certificates regeneration role

---
 .../tasks/generate-certificates.yml | 142 ++++++++++++++++++
 .../roles/kubernetes_master/tasks/main.yml | 6 +-
 .../templates/certificate-v3.ext.j2 | 5 +
 .../configuration/kubernetes-master.yml | 1 +
 4 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
 create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2

diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
new file mode 100644
index 0000000000..86fbb228ae
--- /dev/null
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
@@ -0,0 +1,142 @@ +--- +- name: Generate certificates block + vars: + # https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates + _certificates_opt_mapping: + - name: admin.conf + kind: ['clientAuth'] + target: "{{ specification.advanced.certificates.location }}/admin.conf" + parent_ca: "ca" + - name: apiserver-etcd-client + kind: ['clientAuth'] + target: "{{ specification.advanced.certificates.location }}/apiserver-etcd-client" + parent_ca: "etcd/ca" + - name: apiserver-kubelet-client + kind: ['clientAuth'] + target: "{{ specification.advanced.certificates.location }}/apiserver-kubelet-client" + parent_ca: "ca" + - name: apiserver + kind: ['serverAuth'] + target: "{{ specification.advanced.certificates.location }}/apiserver" + parent_ca: "ca" + - name: controller-manager.conf + kind: ['clientAuth'] + target: "{{ specification.advanced.certificates.location }}/controller-manager.conf" + parent_ca: "ca" + - name: etcd-healthcheck-client + kind: ['clientAuth'] + target: "{{ specification.advanced.certificates.location }}/etcd/healthcheck-client" + parent_ca: "etcd/ca" + - name: etcd-peer + kind: ['serverAuth', 'clientAuth'] + target: "{{ specification.advanced.certificates.location }}/etcd/peer" + parent_ca: "etcd/ca" + - name: etcd-server + kind: ['serverAuth', 'clientAuth'] + target: "{{ specification.advanced.certificates.location }}/etcd/server" + parent_ca: "etcd/ca" + - name: front-proxy-client + kind: ['clientAuth'] + target: "{{ specification.advanced.certificates.location }}/front-proxy-client" + parent_ca: "front-proxy-ca" + - name: scheduler.conf + kind: ['clientAuth'] + target: "{{ specification.advanced.certificates.location }}/scheduler.conf" + parent_ca: "ca" + block: + - name: Save old certificates + synchronize: + src: "{{ specification.advanced.certificates.location }}/" + dest: >- + "{{ specification.advanced.certificates.location | regex_replace('\\/$', '') }}-backup-{{ lookup('pipe','date +%Y%m%d%H%M%S') }}" + delegate_to: 
"{{ inventory_hostname }}" + - name: Ensure necessary directories exist + file: + path: "{{ specification.advanced.certificates.location }}/csr" + state: directory + owner: root + group: root + mode: u=rw + - name: Generate new CSR + shell: kubeadm alpha certs renew all --csr-only --csr-dir=csr + args: + executable: /bin/bash + chdir: "{{ specification.advanced.certificates.location }}" + - name: Register CSR info + openssl_csr_info: + path: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.csr" + register: csr_info + with_items: "{{ _certificates_opt_mapping }}" + - debug: var=csr_info + # https://github.com/openssl/openssl/issues/10458 + #- name: Generate extension files + # template: + # src: certificate-v3.ext.j2 + # dest: "{{ specification.advanced.certificates.location }}/ext/{{ item.0.name }}.ext" + # with_together: + # - "{{ _certificates_opt_mapping }}" + # - "{{ csr_info.results }}" + - name: Regenerate an OpenSSL Certificate Signing Request + openssl_csr: + path: "{{ specification.advanced.certificates.location }}/csr/{{ item.0.name }}.csr" + privatekey_path: "{{ specification.advanced.certificates.location }}/csr/{{ item.0.name }}.key" + common_name: "{{ item.1.subject.commonName }}" + organization_name: "{{ item.1.subject.organizationName is defined | ternary(item.1.subject.organizationName, '') }}" + # key usage and extended key usage are not added to CSR by kubeadm + key_usage: + - digitalSignature + - keyEncipherment + key_usage_critical: yes + extended_key_usage: "{{ item.0.kind }}" + subject_alt_name: "{{ item.1.subject_alt_name | ternary(item.1.subject_alt_name, []) }}" + with_together: + - "{{ _certificates_opt_mapping }}" + - "{{ csr_info.results }}" + - name: Create signed certificates + openssl_certificate: + path: "{{ item.target }}.crt" + csr_path: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.csr" + ownca_path: "{{ specification.advanced.certificates.location }}/{{ item.parent_ca }}.crt" + 
ownca_privatekey_path: "{{ specification.advanced.certificates.location }}/{{ item.parent_ca }}.key" + ownca_not_after: "+{{ specification.advanced.certificates.expiration_days }}d" + provider: ownca + with_items: + - "{{ _certificates_opt_mapping }}" + - name: Copy keys to pki location and ensure that permissions are strict + copy: + src: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.key" + remote_src: yes + dest: "{{ item.target }}.key" + owner: root + group: root + mode: '0600' + with_items: + - "{{ _certificates_opt_mapping }}" + - name: Remove CSR directory + file: + path: "{{ specification.advanced.certificates.location }}/csr" + state: absent + - name: Update conf files with embedded certs + environment: + KUBECONFIG: "/etc/kubernetes/{{ item.name }}" + shell: | + kubectl config set-credentials {{ item.account }} \ + --client-key {{ specification.advanced.certificates.location }}/{{ item.name }}.key \ + --client-certificate {{ specification.advanced.certificates.location }}/{{ item.name }}.crt --embed-certs + args: + executable: /bin/bash + with_items: + - { name: 'admin.conf', account: 'kubernetes-admin' } + - { name: 'scheduler.conf', account: 'system:kube-scheduler' } + - { name: 'controller-manager.conf', account: 'system:kube-controller-manager' } + - name: Remove conf certificates + file: + path: "{{ specification.advanced.certificates.location }}/{{ item.0 }}.{{ item.1 }}" + state: absent + with_nested: + - ['admin.conf', 'scheduler.conf', 'controller-manager.conf'] + - ['crt', 'key'] + - name: Restart kubelet service + systemd: + name: kubelet + state: restarted diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml index 993669f456..9d1080dbab 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml 
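Review bot: `mode: u=rw` on `Ensure necessary directories exist` gives the `csr` directory no execute bit and leaves group/other untouched, so the private keys that `kubeadm alpha certs renew all --csr-only` writes into it are protected only by their own file modes until `Copy keys to pki location` applies `'0600'`; a directory that briefly holds fresh private keys should be `mode: "0700"`. `Save old certificates` passes `dest` as a folded scalar whose content includes the surrounding double quotes, so the backup path handed to rsync is the quoted string literally — most likely a directory name containing `"` — and the quotes should be dropped inside the `>-` block. That backup is a complete copy of the PKI directory including the CA private keys, written next to the live one on every run, and nothing in this hunk removes it, so the retention and permission expectations deserve a comment on the task, e.g. `# Full copy of pki/ incl. CA keys; prune manually once the renewal has been verified`. The same lines reappear unchanged in the generate-certificates.yml hunk of PATCH 4/6.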
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml @@ -30,7 +30,7 @@ - name: Regenerate apiserver certificates when: kubernetes_common.automation_designated_master != inventory_hostname or not is_first_deployment -# It's almost always necessary to regenerate certificates for designated and non-designated masters +# It's almost always necessary to regenerate apiserver certificates for designated and non-designated masters # because of a few points: # a. Update certificates for old clusters have to be supported # b. Execution order is not defined, so when cluster is promoted to HA, @@ -58,6 +58,10 @@ name: kubernetes_common tasks_from: update-in-cluster-config +# kubeadm certs renewal uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) +# instead of the kubeadm-config ConfigMap, so it's not possible to extend apiserver SANs in this step. +# See https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal + - import_tasks: master-untaint.yml - include_tasks: "{{ specification.provider }}/kubernetes-storage.yml" diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2 new file mode 100644 index 0000000000..fbfa634ef5 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2 @@ -0,0 +1,5 @@ +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = {{ item.0.kind | join(',') }} +{% if item.1.subject_alt_name %} +subjectAltName = {{ item.1.subject_alt_name | join(',') }} +{% endif %} \ No newline at end of file 
diff --git a/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml b/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml index baa03036f3..6b4999132d 100644 --- a/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml +++ b/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml @@ -31,6 +31,7 @@ specification: certificates: location: /etc/kubernetes/pki expiration_days: 365 + update: no etcd_args: encrypted: yes From 5cb8b4661f32d01f6cb28358ddc3255836f43de9 Mon Sep 17 00:00:00 2001 From: atsikham Date: Fri, 28 Aug 2020 10:11:42 +0200 Subject: [PATCH 3/6] Moved apiserver certs tasks to kubernetes_master role --- .../tasks/apiserver-certificates.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename core/src/epicli/data/common/ansible/playbooks/roles/{kubernetes_common => kubernetes_master}/tasks/apiserver-certificates.yml (95%) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver-certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/apiserver-certificates.yml similarity index 95% rename from core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver-certificates.yml rename to core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/apiserver-certificates.yml index 16adcf26ca..4c0b9d2cc9 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver-certificates.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/apiserver-certificates.yml @@ -29,6 +29,6 @@ docker ps \ --filter 'name=kube-apiserver_kube-apiserver' \ --format '{{ "{{.ID}}" }}' \ - | xargs --no-run-if-empty docker kill + | xargs --no-run-if-empty docker kill args: executable: /bin/bash From 86c3ccc3cd70aab722a1c2e3fb25a72d8d6a83e8 Mon Sep 17 00:00:00 2001 
From: atsikham
Date: Fri, 28 Aug 2020 10:16:28 +0200
Subject: [PATCH 4/6] Used certificates period update in kubernetes_master playbook

---
 .../tasks/generate-certificates.yml | 210 ++++++++++--------
 .../roles/kubernetes_master/tasks/main.yml | 29 ++-
 .../configuration/kubernetes-master.yml | 2 +-
 3 files changed, 137 insertions(+), 104 deletions(-)

diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
index 86fbb228ae..d1c61f1f96 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
@@ -44,99 +44,117 @@ target: "{{ specification.advanced.certificates.location }}/scheduler.conf" parent_ca: "ca" block: - - name: Save old certificates - synchronize: - src: "{{ specification.advanced.certificates.location }}/" - dest: >- - "{{ specification.advanced.certificates.location | regex_replace('\\/$', '') }}-backup-{{ lookup('pipe','date +%Y%m%d%H%M%S') }}" - delegate_to: "{{ inventory_hostname }}" - - name: Ensure necessary directories exist - file: - path: "{{ specification.advanced.certificates.location }}/csr" - state: directory - owner: root - group: root - mode: u=rw - - name: Generate new CSR - shell: kubeadm alpha certs renew all --csr-only --csr-dir=csr - args: - executable: /bin/bash - chdir: "{{ specification.advanced.certificates.location }}" - - name: Register CSR info - openssl_csr_info: - path: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.csr" - register: csr_info - with_items: "{{ _certificates_opt_mapping }}" - - debug: var=csr_info - # https://github.com/openssl/openssl/issues/10458 - #- name: Generate extension files - # template: - # src: certificate-v3.ext.j2 - # dest: "{{ specification.advanced.certificates.location }}/ext/{{ item.0.name }}.ext" - # with_together: - # - "{{ _certificates_opt_mapping }}" - # - "{{ csr_info.results }}" - - name: Regenerate an OpenSSL Certificate Signing Request - openssl_csr: - path: "{{ specification.advanced.certificates.location }}/csr/{{ item.0.name }}.csr" - privatekey_path: "{{ specification.advanced.certificates.location }}/csr/{{ item.0.name }}.key" - common_name: "{{ item.1.subject.commonName }}" - organization_name: "{{ item.1.subject.organizationName is defined | ternary(item.1.subject.organizationName, '') }}" - # key usage and extended key usage are not added to CSR by kubeadm - key_usage: - - digitalSignature - - keyEncipherment - key_usage_critical: yes - extended_key_usage: "{{ item.0.kind }}" - subject_alt_name: "{{ item.1.subject_alt_name | 
ternary(item.1.subject_alt_name, []) }}" - with_together: - - "{{ _certificates_opt_mapping }}" - - "{{ csr_info.results }}" - - name: Create signed certificates - openssl_certificate: - path: "{{ item.target }}.crt" - csr_path: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.csr" - ownca_path: "{{ specification.advanced.certificates.location }}/{{ item.parent_ca }}.crt" - ownca_privatekey_path: "{{ specification.advanced.certificates.location }}/{{ item.parent_ca }}.key" - ownca_not_after: "+{{ specification.advanced.certificates.expiration_days }}d" - provider: ownca - with_items: - - "{{ _certificates_opt_mapping }}" - - name: Copy keys to pki location and ensure that permissions are strict - copy: - src: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.key" - remote_src: yes - dest: "{{ item.target }}.key" - owner: root - group: root - mode: '0600' - with_items: - - "{{ _certificates_opt_mapping }}" - - name: Remove CSR directory - file: - path: "{{ specification.advanced.certificates.location }}/csr" - state: absent - - name: Update conf files with embedded certs - environment: - KUBECONFIG: "/etc/kubernetes/{{ item.name }}" - shell: | - kubectl config set-credentials {{ item.account }} \ - --client-key {{ specification.advanced.certificates.location }}/{{ item.name }}.key \ - --client-certificate {{ specification.advanced.certificates.location }}/{{ item.name }}.crt --embed-certs - args: - executable: /bin/bash - with_items: - - { name: 'admin.conf', account: 'kubernetes-admin' } - - { name: 'scheduler.conf', account: 'system:kube-scheduler' } - - { name: 'controller-manager.conf', account: 'system:kube-controller-manager' } - - name: Remove conf certificates - file: - path: "{{ specification.advanced.certificates.location }}/{{ item.0 }}.{{ item.1 }}" - state: absent - with_nested: - - ['admin.conf', 'scheduler.conf', 'controller-manager.conf'] - - ['crt', 'key'] - - name: Restart kubelet service - systemd: - 
name: kubelet - state: restarted + - name: Create certificates_opt_mapping fact + block: + - set_fact: + certificates_opt_mapping: "{{ certificates_opt_mapping | default([]) + [item] }}" + when: certificates_renewal_list is defined and item.name in certificates_renewal_list + with_items: "{{ _certificates_opt_mapping }}" + - set_fact: + certificates_opt_mapping: "{{ _certificates_opt_mapping }}" + when: certificates_renewal_list is not defined + with_items: "{{ _certificates_opt_mapping }}" + - name: Save old certificates + synchronize: + src: "{{ specification.advanced.certificates.location }}/" + dest: >- + "{{ specification.advanced.certificates.location | regex_replace('\\/$', '') }}-backup-{{ lookup('pipe','date +%Y%m%d%H%M%S') }}" + delegate_to: "{{ inventory_hostname }}" + - name: Ensure necessary directories exist + file: + path: "{{ specification.advanced.certificates.location }}/csr" + state: directory + owner: root + group: root + mode: u=rw + - name: Generate new CSR + shell: kubeadm alpha certs renew all --csr-only --csr-dir=csr + args: + executable: /bin/bash + chdir: "{{ specification.advanced.certificates.location }}" + - name: Register CSR info + openssl_csr_info: + path: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.csr" + register: csr_info + with_items: "{{ certificates_opt_mapping }}" + # ansible module and openssl behave different, extensions file is not necessary to sign certs + # https://github.com/openssl/openssl/issues/10458 + - name: Regenerate an OpenSSL Certificate Signing Request + openssl_csr: + path: "{{ specification.advanced.certificates.location }}/csr/{{ item.0.name }}.csr" + privatekey_path: "{{ specification.advanced.certificates.location }}/csr/{{ item.0.name }}.key" + common_name: "{{ item.1.subject.commonName }}" + organization_name: "{{ item.1.subject.organizationName is defined | ternary(item.1.subject.organizationName, '') }}" + # key usage and extended key usage are not added to CSR by kubeadm + 
key_usage: + - digitalSignature + - keyEncipherment + key_usage_critical: yes + extended_key_usage: "{{ item.0.kind }}" + subject_alt_name: "{{ item.1.subject_alt_name | ternary(item.1.subject_alt_name, []) }}" + with_together: + - "{{ certificates_opt_mapping }}" + - "{{ csr_info.results }}" + - name: Create signed certificates + openssl_certificate: + path: "{{ item.target }}.crt" + csr_path: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.csr" + ownca_path: "{{ specification.advanced.certificates.location }}/{{ item.parent_ca }}.crt" + ownca_privatekey_path: "{{ specification.advanced.certificates.location }}/{{ item.parent_ca }}.key" + ownca_not_after: "{{ valid_to }}" + provider: ownca + with_items: "{{ certificates_opt_mapping }}" + - name: Copy keys to pki location and ensure that permissions are strict + copy: + src: "{{ specification.advanced.certificates.location }}/csr/{{ item.name }}.key" + remote_src: yes + dest: "{{ item.target }}.key" + owner: root + group: root + mode: '0600' + with_items: "{{ certificates_opt_mapping }}" + - name: Remove CSR directory + file: + path: "{{ specification.advanced.certificates.location }}/csr" + state: absent + - name: Search for .conf certificates + find: + paths: [ "{{ specification.advanced.certificates.location }}" ] + pattern: "*.conf.crt" + register: _conf_certificates + - set_fact: + conf_certificates: >- + {{ _conf_certificates.files + | map(attribute='path') + | map('basename') + | map('regex_replace', '\.crt$', '') + | list }} + - name: Update conf files with embedded certs + environment: + KUBECONFIG: "/etc/kubernetes/{{ item }}" + vars: + conf_account_mapping: + admin.conf: "kubernetes-admin" + scheduler.conf: "system:kube-scheduler" + controller-manager.conf: "system:kube-controller-manager" + shell: | + kubectl config set-credentials {{ conf_account_mapping[item] }} \ + --client-key {{ specification.advanced.certificates.location }}/{{ item }}.key \ + --client-certificate {{ 
specification.advanced.certificates.location }}/{{ item }}.crt --embed-certs + args: + executable: /bin/bash + with_items: "{{ conf_certificates }}" + - name: Remove conf certificates + file: + path: "{{ specification.advanced.certificates.location }}/{{ item.0 }}.{{ item.1 }}" + state: absent + with_nested: + - ['admin.conf', 'scheduler.conf', 'controller-manager.conf'] + - ['crt', 'key'] + - name: Restart kubelet and docker services + systemd: + name: "{{ item }}" + state: restarted + with_items: + - kubelet + - docker diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml index 9d1080dbab..0e85fbb3d3 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml @@ -30,7 +30,7 @@ - name: Regenerate apiserver certificates when: kubernetes_common.automation_designated_master != inventory_hostname or not is_first_deployment -# It's almost always necessary to regenerate apiserver certificates for designated and non-designated masters +# It's almost always necessary to regenerate certificates for designated and non-designated masters # because of a few points: # a. Update certificates for old clusters have to be supported # b. Execution order is not defined, so when cluster is promoted to HA, 
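Review bot: `Create certificates_opt_mapping fact` builds the filtered list with `certificates_opt_mapping | default([]) + [item]`, and because `set_fact` values persist for the host, the `default([])` only protects the first include: a later include of this file with a `certificates_renewal_list` in the same play appends to whatever the previous include left in the fact. Resetting it first (`- set_fact: certificates_opt_mapping: []` before the loop) removes that dependency on call order, and the second `set_fact`, which assigns the same full list on every iteration, does not need its `with_items` at all. Further down, `Update conf files with embedded certs` iterates over the discovered `conf_certificates` while `Remove conf certificates` still hard-codes `['admin.conf', 'scheduler.conf', 'controller-manager.conf']`; using `conf_certificates` in `with_nested` keeps the two in step. `conf_account_mapping[item]` also raises for any `*.conf.crt` that `find` returns outside those three names, which may be intended but is worth a comment. The `mode: u=rw` and quoted `dest` points raised on the PATCH 2/6 hunk still apply here.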
@@ -47,10 +47,23 @@ name: kubernetes_common tasks_from: extend-kubeadm-config + - name: Collect current apiserver certificate info + openssl_certificate_info: + path: "{{ specification.advanced.certificates.location }}/apiserver.crt" + register: apiserver_certificate_info + - name: Backup and generate apiserver certificates - include_role: - name: kubernetes_common - tasks_from: apiserver-certificates + include_tasks: apiserver-certificates.yml + +# kubeadm certs renewal uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) +# instead of the kubeadm-config ConfigMap, so it's not possible to combine this step with previous ones +# See https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal + - name: Regenerate apiserver certificate with previous expiration value + when: not specification.advanced.certificates.update + vars: + certificates_renewal_list: ['apiserver'] + valid_to: "{{ apiserver_certificate_info.not_after }}" + include_tasks: generate-certificates.yml - name: Update in-cluster configuration when: kubernetes_common.automation_designated_master == inventory_hostname @@ -58,9 +71,11 @@ name: kubernetes_common tasks_from: update-in-cluster-config -# kubeadm certs renewal uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) -# instead of the kubeadm-config ConfigMap, so it's not possible to extend apiserver SANs in this step. -# See https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal +- name: Regenerate all certificates + when: specification.advanced.certificates.update + vars: + valid_to: "+{{ specification.advanced.certificates.expiration_days }}d" + include_tasks: generate-certificates.yml - import_tasks: master-untaint.yml 
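Review bot: `Regenerate apiserver certificate with previous expiration value` signs the new certificate with `valid_to: "{{ apiserver_certificate_info.not_after }}"`, so when the certificate read by `Collect current apiserver certificate info` has already expired, the replacement is issued expired too and the play reports success. An `assert` on that result before the include — `openssl_certificate_info` returns an `expired` boolean alongside `not_after` — or a fallback to `+{{ specification.advanced.certificates.expiration_days }}d` for the expired case would make the failure visible instead of silently reproducing it. `Collect current apiserver certificate info` also has no `when`, so a host without `apiserver.crt` at that path fails the whole block; presumably the preceding kubeadm steps guarantee the file, but a comment saying so would help. The enclosing `Regenerate apiserver certificates` block with its `when` presumably starts before this hunk.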
diff --git a/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml b/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml index 6b4999132d..acc3b7a419 100644 --- a/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml +++ b/core/src/epicli/data/common/defaults/configuration/kubernetes-master.yml @@ -31,7 +31,7 @@ specification: certificates: location: /etc/kubernetes/pki expiration_days: 365 - update: no + update: false etcd_args: encrypted: yes From 78e8eb68a0d9425d65f0139c668007f96a33bbc7 Mon Sep 17 00:00:00 2001 From: atsikham Date: Fri, 28 Aug 2020 10:17:24 +0200 Subject: [PATCH 5/6] Removed extensions file as ansible module used instead of openssl --- .../roles/kubernetes_master/templates/certificate-v3.ext.j2 | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2 deleted file mode 100644 index fbfa634ef5..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/certificate-v3.ext.j2 +++ /dev/null @@ -1,5 +0,0 @@ -keyUsage = critical, digitalSignature, keyEncipherment -extendedKeyUsage = {{ item.0.kind | join(',') }} -{% if item.1.subject_alt_name %} -subjectAltName = {{ item.1.subject_alt_name | join(',') }} -{% endif %} \ No newline at end of file From 9840988174687be5d1cd55d8a7ce67614962c0ee Mon Sep 17 00:00:00 2001 From: atsikham Date: Fri, 28 Aug 2020 15:30:37 +0200 Subject: [PATCH 6/6] Wait for cluster availability after control plane components restart --- .../roles/kubernetes_master/tasks/generate-certificates.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
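Review bot: `update: false` is the switch for the new top-level `Regenerate all certificates` task in main.yml, and the defaults file says nothing about what turning it on costs: with `true` every apply backs up the PKI directory, regenerates every certificate with a new private key, rewrites the `.conf` kubeconfigs and restarts docker and kubelet on each master. The file already documents `plugin:` with a trailing comment, so the same style fits here, e.g. `update: false  # true regenerates all certificates and keys (validity: expiration_days) on every run; set back to false afterwards`. `expiration_days: 365` could likewise note that it only applies when `update` is true, since the apiserver-only path keeps the previous `not_after`.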
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
index d1c61f1f96..ece17814f7 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
@@ -158,3 +158,9 @@
 with_items:
 - kubelet
 - docker
+ - name: Wait until cluster is available
+ shell: kubectl cluster-info
+ retries: 50
+ delay: 1
+ register: output
+ until: output is succeeded
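Review bot: `Wait until cluster is available` runs `kubectl cluster-info` through `shell:` although it uses no shell features, so `command:` is the fitting module, and a poll like this should carry `changed_when: false` so it stops reporting a change on every run. `register: output` is also a very generic name for a role this size; `register: cluster_info` reads better and is less likely to collide with another registered result. The task sets no `KUBECONFIG`, unlike `Update conf files with embedded certs` earlier in this file, so it relies on whatever kubeconfig root's environment provides; presumably that is the intended one, but a comment would remove the doubt.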