Merge pull request #6031 from abutcher/temporary-servinginfo-clientca

Automatic merge from submit-queue.

Temporarily set master servingInfo.clientCA as client-ca-bundle.crt during rolling CA redeployment.

This PR temporarily configures master `servingInfo.clientCA` as `client-ca-bundle.crt` during CA redeploy so that clients referencing the old OpenShift CA can continue to function until all cluster certificates have been replaced and `servingInfo.clientCA` is reset to `ca.crt`.

`client-ca-bundle.crt` is a new bundle created by the `openshift_ca` role which contains old and new OpenShift CA certificates.

https://bugzilla.redhat.com/show_bug.cgi?id=1509124

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1493276

1 files changed, 17 insertions, 0 deletions

diff --git a/playbooks/common/openshift-master/revert-client-ca.yml b/playbooks/common/openshift-master/revert-client-ca.yml
new file mode 100644
index 000000000..9ae23bf5b
--- /dev/null
+++ b/playbooks/common/openshift-master/revert-client-ca.yml
@@ -0,0 +1,17 @@
+---
+- name: Set servingInfo.clientCA = ca.crt in master config
+  hosts: oo_masters_to_config
+  tasks:
+  - name: Read master config
+    slurp:
+      src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+    register: g_master_config_output
+
+  # servingInfo.clientCA may be set as the client-ca-bundle.crt from
+  # CA redeployment and this task reverts that change.
+  - name: Set servingInfo.clientCA = ca.crt in master config
+    modify_yaml:
+      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+      yaml_key: servingInfo.clientCA
+      yaml_value: ca.crt
+    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt'