summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2017-01-18 13:44:33 -0500
committerGitHub <noreply@github.com>2017-01-18 13:44:33 -0500
commit2b73c9713cd816a6095e40e10d664eff68c8e206 (patch)
tree1bb7aa0fb99a3f8132e53a8898fbd57e171b71e1 /roles
parentf133c863a0ca657b7e0c87c117428e053ac74db0 (diff)
parentc25212b12ef7f7bd785f2a476f917eb439e3600a (diff)
downloadopenshift-2b73c9713cd816a6095e40e10d664eff68c8e206.tar.gz
openshift-2b73c9713cd816a6095e40e10d664eff68c8e206.tar.bz2
openshift-2b73c9713cd816a6095e40e10d664eff68c8e206.tar.xz
openshift-2b73c9713cd816a6095e40e10d664eff68c8e206.zip
Merge pull request #3100 from abutcher/serials
Serialize cert creation in delegated commands
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_ca/tasks/main.yml2
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml57
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml26
3 files changed, 55 insertions, 30 deletions
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e2a12e5ff..e21397170 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -86,7 +86,7 @@
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
- --hostnames={{ openshift_master_hostnames | join(',') }}
+ --hostnames={{ openshift.common.all_hostnames | join(',') }}
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
--cert-dir={{ openshift_ca_config_dir }}
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index e9b7de330..a1688aabc 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -30,7 +30,6 @@
| oo_collect(attribute='stat.exists')
| list)) }}"
-
- name: Ensure the generated_configs directory present
file:
path: "{{ openshift_master_generated_config_dir }}"
@@ -39,30 +38,50 @@
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"
-- file:
- src: "{{ openshift_master_config_dir }}/{{ item }}"
- dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
- state: hard
- with_items:
- - ca.crt
- - ca.key
- - ca.serial.txt
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create the master certificates if they do not already exist
+- name: Create the master server certificate
command: >
- {{ openshift.common.client_binary }} adm create-master-certs
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_generated_config_dir }}
+ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
+ --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
+ --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
--overwrite=false
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Generate the master client config
+ command: >
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
+ {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ --certificate-authority={{ openshift_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
+ --groups=system:masters,system:openshift-master
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --user=system:openshift-master
+ --basename=openshift-master
+ args:
+ creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- file:
src: "{{ openshift_master_config_dir }}/{{ item }}"
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 717bf3cea..a263f4f3a 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -49,32 +49,38 @@
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
--certificate-authority={{ openshift_ca_cert }}
- --client-dir={{ openshift_node_generated_config_dir }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
--groups=system:nodes
--master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
- --user=system:node:{{ openshift.common.hostname }}
+ --user=system:node:{{ hostvars[item].openshift.common.hostname }}
args:
- creates: "{{ openshift_node_generated_config_dir }}"
- when: node_certs_missing | bool
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- name: Generate the node server certificate
command: >
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
- --cert={{ openshift_node_generated_config_dir }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+ --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
--overwrite=true
- --hostnames={{ openshift.common.hostname }},{{ openshift.common.public_hostname }},{{ openshift.common.ip }},{{ openshift.common.public_ip }}
+ --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
args:
- creates: "{{ openshift_node_generated_config_dir }}/server.crt"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host}}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- name: Create local temp directory for syncing certs
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX