From da4c0dffd070fe5c2a0752d5d5574ab1f8e6c6f2 Mon Sep 17 00:00:00 2001 From: Boris Barnier Date: Mon, 31 Aug 2020 13:04:29 +0200 Subject: [PATCH] Fix cinder & external_openstack cacert deployment The CA cert was only deployed on master nodes --- .../csi_driver/cinder/tasks/cinder-write-cacert.yml | 12 ++++++++++++ .../kubernetes-apps/csi_driver/cinder/tasks/main.yml | 10 +++++----- .../openstack/tasks/main.yml | 10 +++++----- .../openstack/tasks/openstack-write-cacert.yml | 12 ++++++++++++ 4 files changed, 34 insertions(+), 10 deletions(-) create mode 100644 roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml create mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml
diff --git a/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml b/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml
new file mode 100644
index 00000000000..2e997647c8a
--- /dev/null
+++ b/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml
@@ -0,0 +1,12 @@
+---
+# include to workaround mitogen issue
+# https://github.com/dw/mitogen/issues/663
+
+- name: Cinder CSI Driver | Write cacert file
+ copy:
+ src: "{{ cinder_cacert }}"
+ dest: "{{ kube_config_dir }}/cinder-cacert.pem"
+ group: "{{ kube_cert_group }}"
+ mode: 0640
+ tags: cinder-csi-driver
+ delegate_to: "{{ delegate_host_to_write_cacert }}"
diff --git a/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml b/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
index b63912d2b9f..14b8275135e 100644
--- a/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
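Review bot: The `copy` task in cinder-write-cacert.yml sets `group` and `mode` but no `owner`, so the file ends up owned by whichever user the task runs as on the delegated host. This PEM is presumably the trust anchor used to validate the OpenStack endpoint's TLS certificate, so I would pin write access explicitly, for example `owner: root` if that matches the other files under `kube_config_dir`. I would also quote the mode as `mode: "0640"`, the form the Ansible documentation recommends so the value cannot be read as a decimal number. Because the task runs under `delegate_to`, `kube_config_dir` and `kube_cert_group` are templated from the run_once host's variables rather than the delegated host's, which deserves a one-line comment if those can differ per node. The same points apply to the identical task in openstack-write-cacert.yml.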
@@ -3,11 +3,11 @@ tags: cinder-csi-driver - name: Cinder CSI Driver | Write cacert file - copy: - src: "{{ cinder_cacert }}" - dest: "{{ kube_config_dir }}/cinder-cacert.pem" - group: "{{ kube_cert_group }}" - mode: 0640 + include_tasks: cinder-write-cacert.yml + run_once: true + loop: "{{ groups['k8s-cluster'] }}" + loop_control: + loop_var: delegate_host_to_write_cacert when: - inventory_hostname in groups['k8s-cluster'] - cinder_cacert is defined
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
index b7b2f2ddf0e..1aa2795aaa8 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
@@ -3,11 +3,11 @@ tags: external-openstack - name: External OpenStack Cloud Controller | Write cacert file - copy: - src: "{{ external_openstack_cacert }}" - dest: "{{ kube_config_dir }}/external-openstack-cacert.pem" - group: "{{ kube_cert_group }}" - mode: 0640 + include_tasks: openstack-write-cacert.yml + run_once: true + loop: "{{ groups['k8s-cluster'] }}" + loop_control: + loop_var: delegate_host_to_write_cacert when: - inventory_hostname in groups['k8s-cluster'] - external_openstack_cacert is defined
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml
new file mode 100644
index 00000000000..b975fe5b121
--- /dev/null
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml
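Review bot: With `run_once: true`, the condition `inventory_hostname in groups['k8s-cluster']` in the cinder main.yml hunk is evaluated for the first host of the play only, not for each delegated host, so it no longer decides where the certificate is written. The loop delegates to every member of `groups['k8s-cluster']`, so a run restricted with `--limit` still writes to hosts outside the limit, and one unreachable node can fail the task for the whole run. I would state that above the task, e.g. `# run_once + loop: writes to every k8s-cluster host via delegate_to, regardless of --limit`, and consider dropping the now-redundant `inventory_hostname` condition. The openstack main.yml hunk has the same pattern. The `when` list of either task may continue past its hunk.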
@@ -0,0 +1,12 @@
+---
+# include to workaround mitogen issue
+# https://github.com/dw/mitogen/issues/663
+
+- name: External OpenStack Cloud Controller | Write cacert file
+ copy:
+ src: "{{ external_openstack_cacert }}"
+ dest: "{{ kube_config_dir }}/external-openstack-cacert.pem"
+ group: "{{ kube_cert_group }}"
+ mode: 0640
+ tags: external-openstack
+ delegate_to: "{{ delegate_host_to_write_cacert }}"