path: root/roles/kubernetes/kubeadm/control-plane/tasks/primary.yml
---
- name: check if kubeconfig kubelet.conf already exists
  # kubelet.conf is written by "kubeadm init"; the tasks below use its presence
  # to decide between a fresh init and an already-initialized cluster
  register: kubeconfig_kubelet_stats
  stat:
    path: '/etc/kubernetes/kubelet.conf'

  ## TODO: switch to kubeadm config version v1beta3 (available since 1.22)
- name: generate kubeadm.config
  # "kubeadm_config is changed" is what the branches below test to tell a plain
  # re-run apart from a config change on an existing cluster
  register: kubeadm_config
  template:
    src: 'kubeadm.config.j2'
    dest: '/etc/kubernetes/kubeadm.config'

### cluster not yet initialized

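- name: create new cluster
  # runs only on a host that has never been initialized (no kubelet.conf)
  when: not kubeconfig_kubelet_stats.stat.exists
  block:

  #### kubeadm wants token to come from --config if --config is used
  #### i think this is stupid -> TODO: send bug report
  # - name: generate bootstrap token for new cluster
  #   command: kubeadm token generate
  #   changed_when: False
  #   check_mode: no
  #   register: kubeadm_token_generate

  - name: initialize kubernetes primary control-plane node and store log
    block:
    - name: initialize kubernetes primary  control-plane node
      command: "kubeadm init --config /etc/kubernetes/kubeadm.config --node-name {{ inventory_hostname }} --skip-token-print"
  #    command: "kubeadm init --config /etc/kubernetes/kubeadm.config --node-name {{ inventory_hostname }} --token '{{ kubeadm_token_generate.stdout }}' --token-ttl 42m --skip-token-print"
      args:
        # idempotency guard: a successful init leaves the cluster CA behind
        creates: /etc/kubernetes/pki/ca.crt
      register: kubeadm_init

    always:
    # NOTE(review): the command module reports changed whenever the command
    # actually ran, including a non-zero exit, so a failed init should still be
    # captured here — confirm against the Ansible version in use
    - name: dump output of kubeadm init to log file
      when: kubeadm_init.changed
      copy:
        content: "{{ kubeadm_init.stdout }}\n"
        dest: /etc/kubernetes/kubeadm-init.log
        # only root needs these logs; keep them as tight as the rest of
        # /etc/kubernetes instead of inheriting the umask default
        mode: "0600"

    - name: dump error output of kubeadm init to log file
      when: kubeadm_init.changed and kubeadm_init.stderr
      copy:
        content: "{{ kubeadm_init.stderr }}\n"
        dest: /etc/kubernetes/kubeadm-init.errors
        mode: "0600"

  # the token printed here is a join credential that ends up in the registered
  # result (and therefore in verbose output); consumed by the set_fact task below
  - name: create bootstrap token for new cluster
    command: kubeadm token create --ttl 42m
    check_mode: no
    register: kubeadm_token_generate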


### cluster is already initialized but config has changed

# cluster is initialized but kubeadm.config was re-rendered with changes
- name: fail for cluster upgrades
  when: kubeconfig_kubelet_stats.stat.exists and kubeadm_config is changed
  fail:
    msg: "upgrading cluster config is currently not supported!"


### cluster is already initialized

- name: prepare cluster for new nodes
  when: kubeconfig_kubelet_stats.stat.exists and kubeadm_config is not changed
  block:

  - name: fetch list of current nodes
    # read-only query: never reports a change and also runs in check mode
    changed_when: false
    check_mode: false
    register: kubectl_node_list
    command: >-
      kubectl --kubeconfig /etc/kubernetes/admin.conf
      get nodes -o name

  - name: save list of current nodes
    set_fact:
      # "-o name" prints one "node/<name>" per line; strip the resource prefix
      kubernetes_current_nodes: "{{ kubectl_node_list.stdout_lines | map('replace', 'node/', '') | list }}"

  - name: create bootstrap token for existing cluster
    # only mint a join credential when an inventory node is not registered yet
    when: "groups['_kubernetes_nodes_'] | difference(kubernetes_current_nodes) | length > 0"
    check_mode: false
    register: kubeadm_token_create
    command: kubeadm token create --ttl 42m


## calculate certificate digest

- name: install openssl
  # required by the CA digest task that follows
  apt:
    state: present
    name: 'openssl'

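- name: get ca certificate digest
  # kubeadm's --discovery-token-ca-cert-hash is the SHA-256 of the DER-encoded
  # SubjectPublicKeyInfo of the cluster CA. "openssl pkey" emits that structure
  # for any key type; "openssl rsa -pubin" only accepts RSA keys and would make
  # the pipeline fail for a CA with a non-RSA key.
  # "set -o pipefail" (hence the explicit bash) aborts the task if any stage
  # fails, so the registered digest can never come from empty input.
  shell: "set -o pipefail && openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl pkey -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'"
  args:
    executable: /bin/bash
  # read-only; also needed in check mode because later facts depend on it
  check_mode: no
  register: kube_ca_openssl
  changed_when: false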

- name: set variables needed by kubernetes/nodes to join the cluster
  # facts land on every host in _kubernetes_nodes_, not on the control plane
  delegate_facts: true
  delegate_to: "{{ item }}"
  loop: "{{ groups['_kubernetes_nodes_'] }}"
  set_fact:
    # whichever token task ran above (new cluster vs. existing cluster with
    # pending nodes); empty when neither did. This is a join credential and is
    # visible in registered/verbose output unless no_log is used
    kube_bootstrap_token: "{% if kubeadm_token_generate.stdout is defined %}{{ kubeadm_token_generate.stdout }}{% elif kubeadm_token_create.stdout is defined %}{{ kubeadm_token_create.stdout }}{% endif %}"
    # hex digest from the openssl pipeline, in the form kubeadm join expects
    kube_bootstrap_ca_cert_hash: "sha256:{{ kube_ca_openssl.stdout }}"


## install node-local-dns

- name: generate node-local dns cache config
  # rendered manifest is applied by the next task
  template:
    dest: '/etc/kubernetes/node-local-dns.yml'
    src: 'node-local-dns.yml.j2'

  ## TODO: move to server-side apply (GA since 1.22)
- name: install  node-local dns cache
  register: kube_node_local_dns_apply_result
  # kubectl reports one "<resource> unchanged" line per untouched object; the
  # task counts as changed as soon as any line says something else
  changed_when: "kube_node_local_dns_apply_result.stdout_lines | reject('regex', ' unchanged$') | list | length > 0"
  command: >-
    kubectl --kubeconfig /etc/kubernetes/admin.conf
    apply -f /etc/kubernetes/node-local-dns.yml


## Network Plugin

- name: install network plugin
  # dispatches on the configured plugin name to a net_<plugin>.yml task file
  include_tasks:
    file: 'net_{{ kubernetes_network_plugin }}.yml'