roles/etcd/tasks/migration/add_ttls.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

---
# To be executed on first master
- slurp:
    src: "{{ openshift.common.config_base }}/master/master-config.yaml"
  register: g_master_config_output

- set_fact:
    accessTokenMaxAgeSeconds: "{{ (g_master_config_output.content|b64decode|from_yaml).oauthConfig.tokenConfig.accessTokenMaxAgeSeconds | default(86400) }}"
    authorizeTokenMaxAgeSeconds: "{{ (g_master_config_output.content|b64decode|from_yaml).oauthConfig.tokenConfig.authorizeTokenMaxAgeSeconds | default(500) }}"
    controllerLeaseTTL: "{{ (g_master_config_output.content|b64decode|from_yaml).controllerLeaseTTL | default(30) }}"

- name: Re-introduce leases (as a replacement for key TTLs)
  command: >
    {{ openshift.common.client_binary }} adm migrate etcd-ttl \
    --cert {{ r_etcd_common_master_peer_cert_file }} \
    --key {{ r_etcd_common_master_peer_key_file }} \
    --cacert {{ r_etcd_common_master_peer_ca_file }} \
    --etcd-address 'https://{{ etcd_peer }}:{{ etcd_client_port }}' \
    --ttl-keys-prefix {{ item.keys }} \
    --lease-duration {{ item.ttl }}
  environment:
    ETCDCTL_API: 3
    PATH: "/usr/local/bin:/var/usrlocal/bin:{{ ansible_env.PATH }}"
  with_items:
    - keys: "/kubernetes.io/events"
      ttl: "1h"
    - keys: "/kubernetes.io/masterleases"
      ttl: "10s"
    - keys: "/openshift.io/oauth/accesstokens"
      ttl: "{{ accessTokenMaxAgeSeconds }}s"
    - keys: "/openshift.io/oauth/authorizetokens"
      ttl: "{{ authorizeTokenMaxAgeSeconds }}s"
    - keys: "/openshift.io/leases/controllers"
      ttl: "{{ controllerLeaseTTL }}s"