diff options
author | Devan Goodwin <dgoodwin@redhat.com> | 2016-05-31 10:05:14 -0300 |
---|---|---|
committer | Devan Goodwin <dgoodwin@redhat.com> | 2016-05-31 10:05:14 -0300 |
commit | a7f71eab952e574db89ae9cac2e15922443db048 (patch) | |
tree | 9688f26cef8d6a7a96146a0f0396ca30d23ffadf /roles/openshift_node_certificates | |
parent | 4a97c9d0f7409b2be90964647f5712e51df37242 (diff) | |
parent | a24ee80575da72d07dfd1a2cbbc60c91b8c2c256 (diff) | |
download | openshift-a7f71eab952e574db89ae9cac2e15922443db048.tar.gz openshift-a7f71eab952e574db89ae9cac2e15922443db048.tar.bz2 openshift-a7f71eab952e574db89ae9cac2e15922443db048.tar.xz openshift-a7f71eab952e574db89ae9cac2e15922443db048.zip |
Merge remote-tracking branch 'upstream/master' into upgrade33
Diffstat (limited to 'roles/openshift_node_certificates')
-rw-r--r-- | roles/openshift_node_certificates/README.md | 33 | ||||
-rw-r--r-- | roles/openshift_node_certificates/meta/main.yml | 6 | ||||
-rw-r--r-- | roles/openshift_node_certificates/tasks/main.yml | 97 | ||||
-rw-r--r-- | roles/openshift_node_certificates/vars/main.yml | 9 |
4 files changed, 35 insertions, 110 deletions
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md index f56066b29..6264d253a 100644 --- a/roles/openshift_node_certificates/README.md +++ b/roles/openshift_node_certificates/README.md @@ -1,44 +1,27 @@ -OpenShift Node Certificates -=========================== +OpenShift/Atomic Enterprise Node Certificates +============================================= -This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to. +TODO Requirements ------------ +TODO + Role Variables -------------- -From `openshift_ca`: - -| Name | Default value | Description | -|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| -| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. | - -From this role: - -| Name | Default value | Description | -|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| -| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. | -| openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. | -| openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. | -| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. | +TODO Dependencies ------------ -* openshift_ca +TODO Example Playbook ---------------- -``` -- name: Create OpenShift Node Certificates - hosts: nodes - roles: - - role: openshift_node_certificates - openshift_ca_host: master1.example.com -``` +TODO License ------- diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml index 3caa1cdf1..f3236e850 100644 --- a/roles/openshift_node_certificates/meta/main.yml +++ b/roles/openshift_node_certificates/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: OpenShift Node Certificates + description: company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9.4 + min_ansible_version: 1.8 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- role: openshift_ca +- { role: openshift_facts } diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 147a432a4..216c11093 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -1,95 +1,36 @@ --- -- name: Check status of node certificates - stat: - path: "{{ openshift.common.config_base }}/node/{{ item }}" - with_items: - - "system:node:{{ openshift.common.hostname }}.crt" - - "system:node:{{ openshift.common.hostname }}.key" - - "system:node:{{ openshift.common.hostname }}.kubeconfig" - - ca.crt - - server.key - - server.crt - register: g_node_cert_stat_result - -- set_fact: - node_certs_missing: "{{ False in (g_node_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list) }}" - -- name: Create openshift_generated_configs_dir if it does not exist +- name: Create openshift_generated_configs_dir if it doesn\'t exist file: path: "{{ openshift_generated_configs_dir }}" state: directory mode: 0700 - when: node_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" + when: nodes_needing_certs | length > 0 - name: Generate the node client config command: > {{ openshift.common.admin_binary }} create-api-client-config - --certificate-authority={{ openshift_ca_cert }} - --client-dir={{ openshift_node_generated_config_dir }} + --certificate-authority={{ openshift_master_ca_cert }} + --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }} --groups=system:nodes - --master={{ hostvars[openshift_ca_host].openshift.master.api_url }} - --signer-cert={{ openshift_ca_cert }} - --signer-key={{ openshift_ca_key }} - --signer-serial={{ openshift_ca_serial }} - --user=system:node:{{ openshift.common.hostname }} + --master={{ openshift.master.api_url }} + --signer-cert={{ openshift_master_ca_cert }} + --signer-key={{ openshift_master_ca_key }} + --signer-serial={{ openshift_master_ca_serial }} + --user=system:node:{{ item.openshift.common.hostname }} args: - creates: "{{ openshift_node_generated_config_dir }}" - when: node_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" + creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" + with_items: "{{ nodes_needing_certs | default([]) }}" - name: Generate the node server certificate command: > {{ openshift.common.admin_binary }} ca create-server-cert - --cert={{ openshift_node_generated_config_dir }}/server.crt - --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key + --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt + --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key --overwrite=true - --hostnames={{ openshift.common.all_hostnames |join(",") }} - --signer-cert={{ openshift_ca_cert }} - --signer-key={{ openshift_ca_key }} - --signer-serial={{ openshift_ca_serial }} - args: - creates: "{{ openshift_node_generated_config_dir }}/server.crt" - when: node_certs_missing | bool - delegate_to: "{{ openshift_ca_host}}" - -- name: Create local temp directory for syncing certs - local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX - register: node_cert_mktemp - changed_when: False - when: node_certs_missing | bool - delegate_to: localhost - -- name: Create a tarball of the node config directories - command: > - tar -czvf {{ openshift_node_generated_config_dir }}.tgz - --transform 's|system:{{ openshift_node_cert_subdir }}|node|' - -C {{ openshift_node_generated_config_dir }} . + --hostnames={{ item.openshift.common.all_hostnames |join(",") }} + --signer-cert={{ openshift_master_ca_cert }} + --signer-key={{ openshift_master_ca_key }} + --signer-serial={{ openshift_master_ca_serial }} args: - creates: "{{ openshift_node_generated_config_dir }}.tgz" - when: node_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" - -- name: Retrieve the node config tarballs from the master - fetch: - src: "{{ openshift_node_generated_config_dir }}.tgz" - dest: "{{ node_cert_mktemp.stdout }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - when: node_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" - -- name: Ensure certificate directory exists - file: - path: "{{ openshift_node_cert_dir }}" - state: directory - when: node_certs_missing | bool - -- name: Unarchive the tarball on the node - unarchive: - src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz" - dest: "{{ openshift_node_cert_dir }}" - when: node_certs_missing | bool + creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt" + with_items: "{{ nodes_needing_certs | default([]) }}" diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml index 2fafc7387..61fbb1e51 100644 --- a/roles/openshift_node_certificates/vars/main.yml +++ b/roles/openshift_node_certificates/vars/main.yml @@ -1,6 +1,7 @@ --- -openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs" -openshift_node_cert_dir: "{{ openshift.common.config_base }}/node" -openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}" openshift_node_config_dir: "{{ openshift.common.config_base }}/node" -openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}" +openshift_master_config_dir: "{{ openshift.common.config_base }}/master" +openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs" +openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" +openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" +openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" |