summaryrefslogtreecommitdiffstats
path: root/roles/openshift_ca
diff options
context:
space:
mode:
authorAndrew Butcher <abutcher@redhat.com>2016-10-26 14:59:05 -0400
committerAndrew Butcher <abutcher@redhat.com>2017-02-02 15:29:11 -0500
commit917e871843192b107776ce8459b87f3960e455ed (patch)
tree08acb27fa87578137bb21917487c2521cd08aa82 /roles/openshift_ca
parentc9480811d2222693abe4460ca42c292b289a0ef4 (diff)
downloadopenshift-917e871843192b107776ce8459b87f3960e455ed.tar.gz
openshift-917e871843192b107776ce8459b87f3960e455ed.tar.bz2
openshift-917e871843192b107776ce8459b87f3960e455ed.tar.xz
openshift-917e871843192b107776ce8459b87f3960e455ed.zip
Restructure certificate redeploy playbooks
Diffstat (limited to 'roles/openshift_ca')
-rw-r--r--roles/openshift_ca/tasks/main.yml24
1 files changed, 16 insertions, 8 deletions
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e21397170..4efc77f11 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -41,10 +41,9 @@
run_once: true
- set_fact:
- master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
- else False in (g_master_ca_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
+ master_ca_missing: "{{ False in (g_master_ca_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
run_once: true
- name: Retain original serviceaccount keys
@@ -61,7 +60,6 @@
copy:
src: "{{ item.src }}"
dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
- force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}"
with_items:
- src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
dest: ca.crt
@@ -73,25 +71,35 @@
- name: Create ca serial
copy:
- content: "1"
+ content: "00"
dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
- force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}"
+ force: "{{ openshift_certificates_redeploy | default(false) | bool }}"
when: openshift_master_ca_certificate is defined
delegate_to: "{{ openshift_ca_host }}"
run_once: true
+- find:
+ paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
+ patterns: ".*-ca.crt"
+ use_regex: true
+ register: g_master_legacy_ca_result
+
+# This should NOT replace the CA due to --overwrite=false when a CA already exists.
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.client_binary }} adm create-master-certs
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
+ {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
+ --certificate-authority {{ legacy_ca_certificate }}
+ {% endfor %}
--hostnames={{ openshift.common.all_hostnames | join(',') }}
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
--cert-dir={{ openshift_ca_config_dir }}
--overwrite=false
- when: master_ca_missing | bool
+ when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
delegate_to: "{{ openshift_ca_host }}"
run_once: true