authorScott Dodson <sdodson@redhat.com>2016-08-11 17:37:16 -0400
committerGitHub <noreply@github.com>2016-08-11 17:37:16 -0400
commit2fcfbb350a888dfeb82913f2e043bf2fea760cd6 (patch)
treedd8141baaae3cff0dd4f048f6e2d2c959dcd8799 /roles/openshift_ca/tasks
parentcac26a48c10aac5ce2b27b31c3d5567f978bb72d (diff)
parent3bd5ae21adbc1d5b3e5063408e30bb5adb14ba53 (diff)
Merge pull request #1142 from abutcher/new-certs-who-dis
Support for redeploying certificates
Diffstat (limited to 'roles/openshift_ca/tasks')
-rw-r--r--roles/openshift_ca/tasks/main.yml63
1 files changed, 60 insertions, 3 deletions
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e1bf7dcad..bb89b65a6 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -3,6 +3,10 @@
msg: "openshift_ca_host variable must be defined for this role"
when: openshift_ca_host is not defined
+- fail:
+ msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
+ when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate)
+
- name: Install the base package for admin tooling
action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
when: not openshift.common.is_containerized | bool
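Review bot: The new `fail` guard only checks that the `certfile` and `keyfile` keys are present, so a mapping with empty values (or a plain string, for which Jinja's `in` degrades to a substring test) passes here and only breaks later in the `copy` task with a far less readable error. Tightening the condition to also reject empty values keeps the failure at the point where the operator can act on it: `when: openshift_master_ca_certificate is defined and (openshift_master_ca_certificate is not mapping or not openshift_master_ca_certificate.certfile | default('') or not openshift_master_ca_certificate.keyfile | default(''))`. The `is mapping` test needs a Jinja2 version that provides it; drop that clause if the project's supported Ansible releases predate it.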
@@ -35,9 +39,43 @@
run_once: true
- set_fact:
- master_ca_missing: "{{ False in (g_master_ca_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
+ master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
+ else False in (g_master_ca_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
+ run_once: true
+
+- name: Retain original serviceaccount keys
+ copy:
+ src: "{{ item }}"
+ dest: "{{ item }}.keep"
+ remote_src: true
+ with_items:
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+ when: openshift_certificates_redeploy | default(false) | bool
+
+- name: Deploy master ca certificate
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
+ force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}"
+ with_items:
+ - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
+ dest: ca.crt
+ - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
+ dest: ca.key
+ when: openshift_master_ca_certificate is defined
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Create ca serial
+ copy:
+ content: "1"
+ dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+ force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}"
+ when: openshift_master_ca_certificate is defined
+ delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Create the master certificates if they do not already exist
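Review bot: The `Deploy master ca certificate` task writes the CA private key (`ca.key`) with `copy` but sets no `mode` or `owner`, so when the file does not yet exist on the CA host it is created with the module's default permissions, which on most systems are world-readable; the key should be pinned with `mode: "0600"` (`ca.crt` can stay `"0644"`). Separately, `Create ca serial` resets `ca.serial.txt` to `1` whenever `openshift_certificates_redeploy` is true, while `ca.crt`/`ca.key` are only overwritten when `openshift_certificates_redeploy_ca` is true, so a redeploy that keeps a user-supplied CA reissues serial numbers already used under that issuer, which RFC 5280 requires to be unique and which some clients reject. Gating the serial reset on `openshift_certificates_redeploy_ca` keeps serials monotonic for a retained CA; both changes are shown below. Whether the master-certificate task that follows also writes `ca.key` without a mode cannot be seen from this hunk.
```yaml
- name: Deploy master ca certificate
  copy:
    src: "{{ item.src }}"
    dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
    mode: "{{ item.mode }}"
    force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}"
  with_items:
    - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
      dest: ca.crt
      mode: "0644"
    - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
      dest: ca.key
      mode: "0600"
  # … unchanged: when / delegate_to / run_once …

- name: Create ca serial
  copy:
    content: "1"
    dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
    force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}"
  # … unchanged: when / delegate_to / run_once …
```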
@@ -54,3 +92,22 @@
when: master_ca_missing | bool
delegate_to: "{{ openshift_ca_host }}"
run_once: true
+
+- name: Restore original serviceaccount keys
+ copy:
+ src: "{{ item }}.keep"
+ dest: "{{ item }}"
+ remote_src: true
+ with_items:
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+ when: openshift_certificates_redeploy | default(false) | bool
+
+- name: Remove backup serviceaccount keys
+ file:
+ path: "{{ item }}.keep"
+ state: absent
+ with_items:
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+ when: openshift_certificates_redeploy | default(false) | bool
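Review bot: The `Restore original serviceaccount keys` and `Remove backup serviceaccount keys` tasks are plain sequential tasks, so if `Create the master certificates` fails after the keys have been regenerated, the play stops with the original keys only in the `.keep` files; on the retry the `Retain original serviceaccount keys` task from the earlier hunk then copies the already-rotated keys over `.keep`, losing the originals and silently invalidating every existing service-account token. Making the retain step refuse to clobber an existing backup is a one-line guard, `force: false` on that `copy`, and wrapping the certificate creation in a `block:` whose `always:` section holds these restore and cleanup tasks ensures the originals are put back even on failure. The `.keep` copy of `serviceaccounts.private.key` is also written without an explicit `mode`; whether `copy` with `remote_src` preserves the source's permissions depends on the Ansible version in use, so `mode: "0600"` should be set explicitly on both the retain and restore copies.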