
How to use Ansible for cert rotation on different layers in a Kubernetes cluster?

Before, we used fleet, and now we are migrating to Kubernetes.

Ravim
  • _different layers in kubernetes cluster?_ what does "different layers" mean? – mdaniel Sep 23 '17 at 06:42
  • Is ansible new to your workflow, or you had it working under fleet and now would like to do the same steps under kubernetes? – mdaniel Sep 23 '17 at 06:43
  • Different layers: Infrastructure layer, Kubernetes layer, and Services layer (upper platform services such as elasticsearch, etc., and lower platform services such as etcd, pwx, etc.). – Ravim Sep 23 '17 at 13:46
  • Yes, we implemented Ansible to do cert rotation when using fleet, and my concern is how we can use that in Kubernetes. – Ravim Sep 23 '17 at 13:49

1 Answer

If I hear your situation correctly, then I think you will be happiest with a DaemonSet that installs (and optionally monitors) ansible-pull.service and ansible-pull.timer on the Nodes.

The DaemonSet ensures the container is scheduled on every Node (unlike a CronJob or such), and with /etc/systemd/system volume mounted into the container plus go-systemd's ability to daemon-reload (along with the dbus socket, of course), the container can write out a suitably descriptive .service and .timer file for that Node.

Then ansible-pull will run as before, taking whatever steps your existing ansible playbooks did.

There are many approaches to how to achieve this similar action on non-Node machines, so I'll leave that as an exercise to the reader.

I don't know what you define as "Infrastructure" layer, but rotating the Kubernetes certs is relatively straightforward from ansible-pull's perspective: write out the new worker.pem and worker.key in /etc/kubernetes/ssl, bounce kubelet.service (or its hyperkube equivalent), voilà. Upper platform services I would expect are managed by the (ReplicaSet|Deployment|ReplicationController|etc) which owns them, meaning one can be a lot more declarative for in-cluster resources, having access to the full power of ConfigMap, Secret, Service, etc.
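A sketch of the DaemonSet described above, added here as an illustration and not part of the original answer. The container image, the playbook repository URL, and the extra hostPath mounts of /run/systemd and the D-Bus socket (so that systemctl in the container can talk to the host's systemd) are assumptions; the playbook itself is the one already used under fleet.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ansible-pull-installer
spec:
  selector:
    matchLabels: {app: ansible-pull-installer}
  template:
    metadata:
      labels: {app: ansible-pull-installer}
    spec:
      tolerations:
        - operator: Exists   # schedule on every node, tainted control-plane nodes included
      containers:
        - name: installer
          image: registry.example.invalid/systemd-tools:latest   # placeholder: needs /bin/sh and systemctl
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Both unit files land on the host through the hostPath mount below.
              cat > /host/etc/systemd/system/ansible-pull.service <<'EOF'
              [Unit]
              Description=Apply the cert-rotation playbook via ansible-pull
              [Service]
              Type=oneshot
              ExecStart=/usr/bin/ansible-pull -U https://git.example.invalid/ops/playbooks.git local.yml
              EOF
              cat > /host/etc/systemd/system/ansible-pull.timer <<'EOF'
              [Unit]
              Description=Run ansible-pull hourly
              [Timer]
              OnBootSec=5min
              OnUnitActiveSec=1h
              [Install]
              WantedBy=timers.target
              EOF
              # systemctl reaches the host's systemd over the mounted /run/systemd and D-Bus sockets.
              systemctl daemon-reload
              systemctl enable --now ansible-pull.timer
              # Stay resident; if the timer ever stops, exit so kubelet restarts the pod and reinstalls it.
              while sleep 3600; do systemctl is-active ansible-pull.timer; done
          volumeMounts:
            - {name: units, mountPath: /host/etc/systemd/system}
            - {name: run-systemd, mountPath: /run/systemd}
            - {name: dbus, mountPath: /run/dbus/system_bus_socket}
      volumes:
        - {name: units, hostPath: {path: /etc/systemd/system, type: Directory}}
        - {name: run-systemd, hostPath: {path: /run/systemd, type: Directory}}
        - {name: dbus, hostPath: {path: /run/dbus/system_bus_socket, type: Socket}}
```

Because this pod writes into the host's systemd directory, treat the right to create such a DaemonSet as node-root equivalent and restrict it accordingly with RBAC and admission policy.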

mdaniel