author | Scott Dodson <sdodson@redhat.com> | 2017-01-18 13:44:33 -0500 |
committer | GitHub <noreply@github.com> | 2017-01-18 13:44:33 -0500 |
commit | 2b73c9713cd816a6095e40e10d664eff68c8e206 (patch) | |
tree | 1bb7aa0fb99a3f8132e53a8898fbd57e171b71e1 /roles | |
parent | f133c863a0ca657b7e0c87c117428e053ac74db0 (diff) | |
parent | c25212b12ef7f7bd785f2a476f917eb439e3600a (diff) | |
Merge pull request #3100 from abutcher/serials
Serialize cert creation in delegated commands
Diffstat (limited to 'roles')
-rw-r--r-- | roles/openshift_ca/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_master_certificates/tasks/main.yml | 57 | ||||
-rw-r--r-- | roles/openshift_node_certificates/tasks/main.yml | 26 |
3 files changed, 55 insertions, 30 deletions
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e2a12e5ff..e21397170 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -86,7 +86,7 @@
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
- --hostnames={{ openshift_master_hostnames | join(',') }}
+ --hostnames={{ openshift.common.all_hostnames | join(',') }}
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
--cert-dir={{ openshift_ca_config_dir }}
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index e9b7de330..a1688aabc 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -30,7 +30,6 @@
| oo_collect(attribute='stat.exists')
| list)) }}"

-
- name: Ensure the generated_configs directory present
file:
path: "{{ openshift_master_generated_config_dir }}"
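Review bot: The single changed line in the openshift_ca hunk moves the source of `--hostnames` from `openshift_master_hostnames` to `openshift.common.all_hostnames`, and that flag is what the command (presumably `create-master-certs`, given the surrounding `--master`/`--public-master`/`--cert-dir` flags) embeds as the certificate's SAN list, so the switch changes which names the master serving certificate is valid for without any comment saying so. A one-line comment above the flag, such as `# SANs for the master serving cert: every hostname/IP in openshift.common.all_hostnames`, would make the intent visible to the next person who edits the hostname facts. The enclosing task starts and ends outside the hunk, so whether `openshift_master_hostnames` is still defined or referenced elsewhere in the role cannot be judged from here. The second hunk on this line (openshift_master_certificates @@ -30,7) only removes a blank line.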
@@ -39,30 +38,50 @@
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"

-- file:
- src: "{{ openshift_master_config_dir }}/{{ item }}"
- dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
- state: hard
- with_items:
- - ca.crt
- - ca.key
- - ca.serial.txt
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create the master certificates if they do not already exist
+- name: Create the master server certificate
command: >
- {{ openshift.common.client_binary }} adm create-master-certs
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_generated_config_dir }}
+ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
+ --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
+ --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
--overwrite=false
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Generate the master client config
+ command: >
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
+ {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ --certificate-authority={{ openshift_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
+ --groups=system:masters,system:openshift-master
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --user=system:openshift-master
+ --basename=openshift-master
+ args:
+ creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true

- file:
src: "{{ openshift_master_config_dir }}/{{ item }}"
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 717bf3cea..a263f4f3a 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
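Review bot: Both new run_once loops mix per-item facts with facts of whichever master Ansible picked to run the task: `--hostnames`, `--cert`, `--key`, `--client-dir` and `creates` go through `hostvars[item]`, but the `{% for named_ca_certificate in openshift.master.named_certificates ... %}` loop in both commands and `--master={{ openshift.master.api_url }}` / `--public-master={{ openshift.master.public_api_url }}` in "Generate the master client config" resolve against that first host rather than the one being iterated. If those values are cluster-wide this is harmless, but it is not obviously so for named_certificates, and `--master={{ hostvars[item].openshift.master.api_url }}` plus `--public-master={{ hostvars[item].openshift.master.public_api_url }}` would at least make the scoping uniform. Separately, "Create the master server certificate" has no `args: creates:` and relies only on `--overwrite=false`, so it reports changed on every run and depends on the CLI refusing to touch an existing key; `args: creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt"` would mirror the client-config task directly below. The serial-file contention the PR addresses is covered here, since both tasks are run_once and delegated to openshift_ca_host, but the `- file:` task that follows starts outside the hunk.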
@@ -49,32 +49,38 @@
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
--certificate-authority={{ openshift_ca_cert }}
- --client-dir={{ openshift_node_generated_config_dir }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
--groups=system:nodes
--master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
- --user=system:node:{{ openshift.common.hostname }}
+ --user=system:node:{{ hostvars[item].openshift.common.hostname }}
args:
- creates: "{{ openshift_node_generated_config_dir }}"
- when: node_certs_missing | bool
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true

- name: Generate the node server certificate
command: >
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
- --cert={{ openshift_node_generated_config_dir }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+ --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
--overwrite=true
- --hostnames={{ openshift.common.hostname }},{{ openshift.common.public_hostname }},{{ openshift.common.ip }},{{ openshift.common.public_ip }}
+ --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
args:
- creates: "{{ openshift_node_generated_config_dir }}/server.crt"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host}}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true

- name: Create local temp directory for syncing certs
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX |
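Review bot: The new `creates:` for the node client config points at the per-node directory `{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}` rather than a file the command writes, so a run that created the directory and then failed before the kubeconfig landed will skip regeneration forever, whereas the server-certificate task right below correctly guards on its output `server.crt`. No `--basename` is passed here, so the kubeconfig name follows the CLI default (the user name, if I recall the tool correctly); guarding on that file, e.g. `creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/system:node:{{ hostvars[item].openshift.common.hostname }}.kubeconfig"`, would close that gap once the default is confirmed. The per-host `when: node_certs_missing | bool` has also been replaced by `filters={'node_certs_missing':True}` inside `oo_collect`; `| bool` coerced string values, while the filter presumably compares for equality with True, so a host whose fact is the string "true" may now be silently skipped — worth checking where node_certs_missing is set, which is outside this hunk. The "Generate the node client config" task this hunk starts in begins above the hunk.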