author | Scott Dodson <sdodson@redhat.com> | 2016-08-11 17:37:16 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-08-11 17:37:16 -0400 |
commit | 2fcfbb350a888dfeb82913f2e043bf2fea760cd6 (patch) | |
tree | dd8141baaae3cff0dd4f048f6e2d2c959dcd8799 /roles/etcd_server_certificates | |
parent | cac26a48c10aac5ce2b27b31c3d5567f978bb72d (diff) | |
parent | 3bd5ae21adbc1d5b3e5063408e30bb5adb14ba53 (diff) | |
Merge pull request #1142 from abutcher/new-certs-who-dis
Support for redeploying certificates
Diffstat (limited to 'roles/etcd_server_certificates')
-rw-r--r-- | roles/etcd_server_certificates/tasks/main.yml | 43 |
1 files changed, 40 insertions, 3 deletions
diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml
index f11b51453..27bd2a88d 100644
--- a/roles/etcd_server_certificates/tasks/main.yml
+++ b/roles/etcd_server_certificates/tasks/main.yml
@@ -7,11 +7,14 @@
- "{{ etcd_cert_prefix }}peer.crt"
- "{{ etcd_cert_prefix }}ca.crt"
register: g_etcd_server_cert_stat_result
+ when: not etcd_certificates_redeploy | default(false) | bool
- set_fact:
- etcd_server_certs_missing: "{{ False in (g_etcd_server_cert_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
+ etcd_server_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
+ else (False in (g_etcd_server_cert_stat_result.results
+ | default({})
+ | oo_collect(attribute='stat.exists')
+ | list)) }}"
- name: Ensure generated_certs directory present
file:
@@ -69,6 +72,8 @@
when: etcd_server_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
+# Certificates must be signed serially in order to avoid competing
+# for the serial file.
- name: Sign and create the peer crt
delegated_serial_command:
command:
>
@@ -136,3 +141,35 @@
changed_when: False
when: etcd_server_certs_missing | bool
delegate_to: localhost
+
+- name: Validate permissions on certificate files
+ file:
+ path: "{{ item }}"
+ mode: 0600
+ owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+ group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+ when: etcd_url_scheme == 'https'
+ with_items:
+ - "{{ etcd_ca_file }}"
+ - "{{ etcd_cert_file }}"
+ - "{{ etcd_key_file }}"
+
+- name: Validate permissions on peer certificate files
+ file:
+ path: "{{ item }}"
+ mode: 0600
+ owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+ group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+ when: etcd_peer_url_scheme == 'https'
+ with_items:
+ - "{{ etcd_peer_ca_file }}"
+ - "{{ etcd_peer_cert_file }}"
+ - "{{ etcd_peer_key_file }}"
+
+- name: Validate permissions on the config dir
+ file:
+ path: "{{ etcd_conf_dir }}"
+ state: directory
+ owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+ group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+ mode: 0700 |
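Review bot: In the rewritten `etcd_server_certs_missing` expression, `g_etcd_server_cert_stat_result.results | default({})` falls back to a mapping even though `oo_collect` is applied to the task's `results` list, so `default([])` would be the type-consistent fallback. That fallback should only matter when the stat task was skipped by the new `when:` and `results` is absent, and in that case the `true if ... else` branch is taken first, so the default appears to be unreachable today; it is still worth keeping the types aligned in case the condition is ever reordered. A one-line comment above the `set_fact`, `# A forced redeploy regenerates everything; otherwise regenerate only if any cert is absent`, would make the two-branch intent explicit without reading the whole expression.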
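Review bot: The three new tasks write `mode: 0600` and `mode: 0700` as unquoted leading-zero literals, which depend on the YAML loader treating them as octal; Ansible's documented convention is to quote file modes, `mode: "0600"` / `mode: "0700"`, so the value cannot be reinterpreted as a decimal integer by a different loader. The task names say "Validate permissions", but `file` with `mode`/`owner`/`group` enforces and changes them, so "Ensure permissions on ..." describes the effect the role actually has and reads correctly in a changed-task report. When `etcd_is_containerized` is true, `owner`/`group` are omitted and the key and certificate files keep whatever owner the earlier copy step produced; if that is intended, a short comment on the `owner:` line saying so would save the next reader from re-deriving it.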