From a2d88fe4e283c2e9ae030ed9f8cfd92c5871bcab Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Fri, 10 Nov 2023 12:16:09 +0100 Subject: [PATCH] etcd: use dynamic group for certs generation check We take advantage of group_by to create the list of nodes needing new certs, instead of manually looping inside a Jinja template. This should make the role more readable and less susceptible to white space problems. --- roles/etcd/tasks/check_certs.yml | 53 ++++----------------------- roles/etcd/tasks/gen_certs_script.yml | 21 ++--------- roles/etcd/vars/main.yml | 10 +++++ 3 files changed, 21 insertions(+), 63 deletions(-) create mode 100644 roles/etcd/vars/main.yml diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml index 2cb802d4e96..1611f9ec1d9 100644 --- a/roles/etcd/tasks/check_certs.yml +++ b/roles/etcd/tasks/check_certs.yml @@ -88,49 +88,12 @@ - kube_network_plugin != "calico" or calico_datastore == "etcd" - force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list -- name: "Check_certs | Set 'gen_master_certs' object to track whether member and admin certs exist on first etcd node" - set_fact: - # noqa: jinja[spacing] - gen_master_certs: |- - { - {% set etcd_members = groups['etcd'] -%} - {% set existing_certs = etcdcert_master.files | map(attribute='path') | list | sort %} - {% for host in etcd_members -%} - {% set member_cert = "%s/member-%s.pem" | format(etcd_cert_dir, host) %} - {% set member_key = "%s/member-%s-key.pem" | format(etcd_cert_dir, host) %} - {% set admin_cert = "%s/admin-%s.pem" | format(etcd_cert_dir, host) %} - {% set admin_key = "%s/admin-%s-key.pem" | format(etcd_cert_dir, host) %} - {% if force_etcd_cert_refresh -%} - "{{ host }}": True, - {% elif member_cert in existing_certs and member_key in existing_certs and admin_cert in existing_certs and admin_key in existing_certs -%} - "{{ host }}": False, - {% else -%} - "{{ host }}": True, - {% endif -%} - {% endfor %} - } - run_once: true - -- name: "Check_certs | Set 'gen_node_certs' object to track whether node certs exist on first etcd node" - set_fact: - # noqa: jinja[spacing] - gen_node_certs: |- - { - {% set k8s_nodes = groups['k8s_cluster'] -%} - {% set existing_certs = etcdcert_master.files | map(attribute='path') | list | sort %} - {% for host in k8s_nodes -%} - {% set host_cert = "%s/node-%s.pem" | format(etcd_cert_dir, host) %} - {% set host_key = "%s/node-%s-key.pem" | format(etcd_cert_dir, host) %} - {% if force_etcd_cert_refresh -%} - "{{ host }}": True, - {% elif host_cert in existing_certs and host_key in existing_certs -%} - "{{ host }}": False, - {% else -%} - "{{ host }}": True, - {% endif -%} - {% endfor %} - } - run_once: true +- name: "Check_certs | Set 'gen_*_certs' groups to track which nodes needs to have certs generated on first etcd node" + vars: + existing_certs: etcdcert_master.files | map(attribute='path') + ansible.builtin.group_by: + key: "gen_{{ item.node_type }}_certs_{{ force_etcd_cert_refresh or item.certs is not subset(existing_certs) }}" + loop: "{{ cert_files | dict2items(key_name='node_type', value_name='certs') }}" - name: "Check_certs | Set 'etcd_member_requires_sync' to true if ca or member/admin cert and key don't exist on etcd member or checksum doesn't match" set_fact: @@ -167,5 +130,5 @@ when: - etcd_member_requires_sync | default(false) or kubernetes_host_requires_sync | default(false) or - (inventory_hostname in gen_master_certs and gen_master_certs[inventory_hostname]) or - (inventory_hostname in gen_node_certs and gen_node_certs[inventory_hostname]) + 'gen_master_certs_True' in group_names or + 'gen_node_certs_True' in group_names diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml index 2ce3e14cf89..33e9d94c680 100644 --- a/roles/etcd/tasks/gen_certs_script.yml +++ b/roles/etcd/tasks/gen_certs_script.yml @@ -41,18 +41,8 @@ - name: Gen_certs | run cert generation script for etcd and kube control plane nodes command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}" environment: - MASTERS: |- - {% for m in groups['etcd'] %} - {% if gen_master_certs[m] %} - {{ m }} - {% endif %} - {% endfor %} - HOSTS: |- - {% for h in groups['kube_control_plane'] %} - {% if gen_node_certs[h] %} - {{ h }} - {% endif %} - {% endfor %} + MASTERS: "{{ groups['gen_master_certs_True'] | ansible.builtin.intersect(groups['etcd']) | join(' ') }}" + HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['kube_control_plane']) | join(' ') }}" run_once: yes delegate_to: "{{ groups['etcd'][0] }}" when: gen_certs | default(false) @@ -61,12 +51,7 @@ - name: Gen_certs | run cert generation script for all clients command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}" environment: - HOSTS: |- - {% for h in groups['k8s_cluster'] %} - {% if gen_node_certs[h] %} - {{ h }} - {% endif %} - {% endfor %} + HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['k8s_cluster']) | join(' ') }}" run_once: yes delegate_to: "{{ groups['etcd'][0] }}" when: diff --git a/roles/etcd/vars/main.yml b/roles/etcd/vars/main.yml new file mode 100644 index 00000000000..1e569042068 --- /dev/null +++ b/roles/etcd/vars/main.yml @@ -0,0 +1,10 @@ +--- +cert_files: + master: + - "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem" + - "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem" + - "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem" + - "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem" + node: + - "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem" + - "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"