summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2016-07-21 13:11:59 -0400
committerGitHub <noreply@github.com>2016-07-21 13:11:59 -0400
commit4507beb2d4f4709583b3cba3eec7c5b57163e9bc (patch)
tree9e4f7229780e7a19329d631bf729f971225057de /roles
parent19b6794f877e723c0828e6e592dfaa99f0207d18 (diff)
parent4ec879a68e7d50f7848364c8cb5b55e82694ef00 (diff)
downloadopenshift-4507beb2d4f4709583b3cba3eec7c5b57163e9bc.tar.gz
openshift-4507beb2d4f4709583b3cba3eec7c5b57163e9bc.tar.bz2
openshift-4507beb2d4f4709583b3cba3eec7c5b57163e9bc.tar.xz
openshift-4507beb2d4f4709583b3cba3eec7c5b57163e9bc.zip
Merge pull request #1990 from abutcher/openshift-certificates
Refactor openshift certificates roles.
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_ca/README.md48
-rw-r--r--roles/openshift_ca/meta/main.yml (renamed from roles/openshift_master_ca/meta/main.yml)8
-rw-r--r--roles/openshift_ca/vars/main.yml6
-rw-r--r--roles/openshift_master/meta/main.yml5
-rw-r--r--roles/openshift_master/tasks/main.yml1
-rw-r--r--roles/openshift_master_ca/README.md34
-rw-r--r--roles/openshift_master_ca/tasks/main.yml24
-rw-r--r--roles/openshift_master_ca/vars/main.yml5
-rw-r--r--roles/openshift_master_certificates/README.md29
-rw-r--r--roles/openshift_master_certificates/meta/main.yml6
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml125
-rw-r--r--roles/openshift_master_certificates/vars/main.yml2
-rw-r--r--roles/openshift_node/meta/main.yml3
-rw-r--r--roles/openshift_node_certificates/README.md33
-rw-r--r--roles/openshift_node_certificates/meta/main.yml6
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml119
-rw-r--r--roles/openshift_node_certificates/vars/main.yml14
17 files changed, 333 insertions, 135 deletions
diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md
new file mode 100644
index 000000000..96c9cd5f2
--- /dev/null
+++ b/roles/openshift_ca/README.md
@@ -0,0 +1,48 @@
+OpenShift CA
+============
+
+This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles.
+
+Requirements
+------------
+
+Role Variables
+--------------
+
+From this role:
+
+| Name | Default value | Description |
+|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------|
+| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be created. |
+| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master` | CA certificate directory. |
+| openshift_ca_cert | `{{ openshift_ca_config_dir }}/ca.crt` | CA certificate path including CA certificate filename. |
+| openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. |
+| openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. |
+| openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. |
+
+Dependencies
+------------
+
+* openshift_repos
+* openshift_cli
+
+Example Playbook
+----------------
+
+```
+- name: Create OpenShift CA
+ hosts: localhost
+ roles:
+ - role: openshift_ca
+ openshift_ca_host: master1.example.com
+```
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_master_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
index b5dd466c9..a08aa1686 100644
--- a/roles/openshift_master_ca/meta/main.yml
+++ b/roles/openshift_ca/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description:
+ description: OpenShift CA
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.8
+ min_ansible_version: 2.1
platforms:
- name: EL
versions:
@@ -13,5 +13,5 @@ galaxy_info:
- cloud
- system
dependencies:
-- { role: openshift_repos }
-- { role: openshift_cli }
+- role: openshift_repos
+- role: openshift_cli
diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml
new file mode 100644
index 000000000..a32e385ec
--- /dev/null
+++ b/roles/openshift_ca/vars/main.yml
@@ -0,0 +1,6 @@
+---
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index 0a69b3eef..be70d9102 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
description: Master
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.7
+ min_ansible_version: 2.1
platforms:
- name: EL
versions:
@@ -13,8 +13,7 @@ galaxy_info:
- cloud
dependencies:
- role: openshift_clock
-- role: openshift_docker
-- role: openshift_cli
+- role: openshift_master_certificates
- role: openshift_cloud_provider
- role: openshift_builddefaults
- role: openshift_master_facts
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 5c6c64018..0b87ae48c 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -212,6 +212,7 @@
until: api_available_output.stdout == 'ok'
retries: 120
delay: 1
+ run_once: true
changed_when: false
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and master_api_service_status_changed | bool
diff --git a/roles/openshift_master_ca/README.md b/roles/openshift_master_ca/README.md
deleted file mode 100644
index 5b2d3601b..000000000
--- a/roles/openshift_master_ca/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-OpenShift Master CA
-========================
-
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml
deleted file mode 100644
index ae99467f0..000000000
--- a/roles/openshift_master_ca/tasks/main.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-
-- name: Install the base package for admin tooling
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
- when: not openshift.common.is_containerized | bool
- register: install_result
-
-- name: Reload generated facts
- openshift_facts:
- when: install_result | changed
-
-- name: Create openshift_master_config_dir if it doesn't exist
- file:
- path: "{{ openshift_master_config_dir }}"
- state: directory
-
-- name: Create the master certificates if they do not already exist
- command: >
- {{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ master_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_config_dir }} --overwrite=false
- when: master_certs_missing | bool
diff --git a/roles/openshift_master_ca/vars/main.yml b/roles/openshift_master_ca/vars/main.yml
deleted file mode 100644
index 1f6af808c..000000000
--- a/roles/openshift_master_ca/vars/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
-openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
-openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
index ba3d5f28c..a80d47040 100644
--- a/roles/openshift_master_certificates/README.md
+++ b/roles/openshift_master_certificates/README.md
@@ -1,27 +1,44 @@
OpenShift Master Certificates
========================
-TODO
+This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped.
Requirements
------------
-TODO
-
Role Variables
--------------
-TODO
+From `openshift_ca`:
+
+| Name | Default value | Description |
+|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
+
+From this role:
+
+| Name | Default value | Description |
+|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. |
+| openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
+| openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. |
+| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. |
Dependencies
------------
-TODO
+* openshift_ca
Example Playbook
----------------
-TODO
+```
+- name: Create OpenShift Master Certificates
+ hosts: masters
+ roles:
+ - role: openshift_master_certificates
+ openshift_ca_host: master1.example.com
+```
License
-------
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
index fd7b73b0f..dd19c8ded 100644
--- a/roles/openshift_master_certificates/meta/main.yml
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description:
+ description: OpenShift Master Certificates
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.8
+ min_ansible_version: 2.1
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- { role: openshift_master_ca }
+- role: openshift_ca
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index 394f9d381..6fb5830cf 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -1,38 +1,123 @@
---
+- set_fact:
+ openshift_master_certs_no_etcd:
+ - admin.crt
+ - master.kubelet-client.crt
+ - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+ - master.server.crt
+ - openshift-master.crt
+ - openshift-registry.crt
+ - openshift-router.crt
+ - etcd.server.crt
+ openshift_master_certs_etcd:
+ - master.etcd-client.crt
+
+- set_fact:
+ openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
+
+- name: Check status of master certificates
+ stat:
+ path: "{{ openshift_master_config_dir }}/{{ item }}"
+ with_items:
+ - "{{ openshift_master_certs }}"
+ register: g_master_cert_stat_result
+
+- set_fact:
+ master_certs_missing: "{{ False in (g_master_cert_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
+
- name: Ensure the generated_configs directory present
file:
- path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"
+ path: "{{ openshift_master_generated_config_dir }}"
state: directory
mode: 0700
- with_items: "{{ masters_needing_certs | default([]) }}"
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
- dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
+ src: "{{ openshift_master_config_dir }}/{{ item }}"
+ dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
state: hard
- with_nested:
- - "{{ masters_needing_certs | default([]) }}"
- -
- - ca.crt
- - ca.key
- - ca.serial.txt
+ with_items:
+ - ca.crt
+ - ca.key
+ - ca.serial.txt
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ item.openshift.common.all_hostnames | join(',') }}
- --master={{ item.openshift.master.api_url }}
- --public-master={{ item.openshift.master.public_api_url }}
- --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
+ --hostnames={{ openshift.common.all_hostnames | join(',') }}
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --cert-dir={{ openshift_master_generated_config_dir }}
--overwrite=false
- when: item.master_certs_missing | bool
- with_items: "{{ masters_needing_certs | default([]) }}"
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
- dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
+ src: "{{ openshift_master_config_dir }}/{{ item }}"
+ dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
state: hard
force: true
- with_nested:
- - "{{ masters_needing_certs | default([]) }}"
+ with_items:
- "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Remove generated etcd client certs when using external etcd
+ file:
+ path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ state: absent
+ when: openshift_master_etcd_hosts | length > 0
+ with_items:
+ - master.etcd-client.crt
+ - master.etcd-client.key
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: g_master_mktemp
+ changed_when: False
+ when: master_certs_missing | bool
+ delegate_to: localhost
+ become: no
+
+- name: Create a tarball of the master certs
+ command: >
+ tar -czvf {{ openshift_master_generated_config_dir }}.tgz
+ -C {{ openshift_master_generated_config_dir }} .
+ args:
+ creates: "{{ openshift_master_generated_config_dir }}.tgz"
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Retrieve the master cert tarball from the master
+ fetch:
+ src: "{{ openshift_master_generated_config_dir }}.tgz"
+ dest: "{{ g_master_mktemp.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift_master_config_dir }}"
+ state: directory
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+
+- name: Unarchive the tarball on the master
+ unarchive:
+ src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
+ dest: "{{ openshift_master_config_dir }}"
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+
+- file: name={{ g_master_mktemp.stdout }} state=absent
+ changed_when: False
+ when: master_certs_missing | bool
+ delegate_to: localhost
+ become: no
diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml
index 3f18ddc79..66f2e5162 100644
--- a/roles/openshift_master_certificates/vars/main.yml
+++ b/roles/openshift_master_certificates/vars/main.yml
@@ -1,3 +1,5 @@
---
openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"
openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}"
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index 97ab8241b..fd493340b 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
description: OpenShift Node
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.7
+ min_ansible_version: 2.1
platforms:
- name: EL
versions:
@@ -14,6 +14,7 @@ galaxy_info:
dependencies:
- role: openshift_clock
- role: openshift_docker
+- role: openshift_node_certificates
- role: openshift_cloud_provider
- role: openshift_common
- role: openshift_node_dnsmasq
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
index 6264d253a..f56066b29 100644
--- a/roles/openshift_node_certificates/README.md
+++ b/roles/openshift_node_certificates/README.md
@@ -1,27 +1,44 @@
-OpenShift/Atomic Enterprise Node Certificates
-=============================================
+OpenShift Node Certificates
+===========================
-TODO
+This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
Requirements
------------
-TODO
-
Role Variables
--------------
-TODO
+From `openshift_ca`:
+
+| Name | Default value | Description |
+|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
+| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
+
+From this role:
+
+| Name | Default value | Description |
+|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
+| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. |
+| openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
+| openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. |
+| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. |
Dependencies
------------
-TODO
+* openshift_ca
Example Playbook
----------------
-TODO
+```
+- name: Create OpenShift Node Certificates
+ hosts: nodes
+ roles:
+ - role: openshift_node_certificates
+ openshift_ca_host: master1.example.com
+```
License
-------
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
index f3236e850..50a862ee9 100644
--- a/roles/openshift_node_certificates/meta/main.yml
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description:
+ description: OpenShift Node Certificates
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.8
+ min_ansible_version: 2.1
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- { role: openshift_facts }
+- role: openshift_facts
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 216c11093..0e69dc6f0 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -1,36 +1,117 @@
---
-- name: Create openshift_generated_configs_dir if it doesn\'t exist
+- name: Ensure CA certificate exists on openshift_ca_host
+ stat:
+ path: "{{ openshift_ca_cert }}"
+ register: g_ca_cert_stat_result
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- fail:
+ msg: >
+ CA certificate {{ openshift_ca_cert }} doesn't exist on CA host
+ {{ openshift_ca_host }}. Apply 'openshift_ca' role to
+ {{ openshift_ca_host }}.
+ when: not g_ca_cert_stat_result.stat.exists | bool
+ run_once: true
+
+- name: Check status of node certificates
+ stat:
+ path: "{{ openshift.common.config_base }}/node/{{ item }}"
+ with_items:
+ - "system:node:{{ openshift.common.hostname }}.crt"
+ - "system:node:{{ openshift.common.hostname }}.key"
+ - "system:node:{{ openshift.common.hostname }}.kubeconfig"
+ - ca.crt
+ - server.key
+ - server.crt
+ register: g_node_cert_stat_result
+
+- set_fact:
+ node_certs_missing: "{{ False in (g_node_cert_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
+
+- name: Create openshift_generated_configs_dir if it does not exist
file:
path: "{{ openshift_generated_configs_dir }}"
state: directory
mode: 0700
- when: nodes_needing_certs | length > 0
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- name: Generate the node client config
command: >
{{ openshift.common.admin_binary }} create-api-client-config
- --certificate-authority={{ openshift_master_ca_cert }}
- --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
+ --certificate-authority={{ openshift_ca_cert }}
+ --client-dir={{ openshift_node_generated_config_dir }}
--groups=system:nodes
- --master={{ openshift.master.api_url }}
- --signer-cert={{ openshift_master_ca_cert }}
- --signer-key={{ openshift_master_ca_key }}
- --signer-serial={{ openshift_master_ca_serial }}
- --user=system:node:{{ item.openshift.common.hostname }}
+ --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --user=system:node:{{ openshift.common.hostname }}
args:
- creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
- with_items: "{{ nodes_needing_certs | default([]) }}"
+ creates: "{{ openshift_node_generated_config_dir }}"
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- name: Generate the node server certificate
command: >
{{ openshift.common.admin_binary }} ca create-server-cert
- --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key
+ --cert={{ openshift_node_generated_config_dir }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
--overwrite=true
- --hostnames={{ item.openshift.common.all_hostnames |join(",") }}
- --signer-cert={{ openshift_master_ca_cert }}
- --signer-key={{ openshift_master_ca_key }}
- --signer-serial={{ openshift_master_ca_serial }}
+ --hostnames={{ openshift.common.all_hostnames |join(",") }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ args:
+ creates: "{{ openshift_node_generated_config_dir }}/server.crt"
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host}}"
+
+- name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: node_cert_mktemp
+ changed_when: False
+ when: node_certs_missing | bool
+ delegate_to: localhost
+ become: no
+
+- name: Create a tarball of the node config directories
+ command: >
+ tar -czvf {{ openshift_node_generated_config_dir }}.tgz
+ --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
+ -C {{ openshift_node_generated_config_dir }} .
args:
- creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
- with_items: "{{ nodes_needing_certs | default([]) }}"
+ creates: "{{ openshift_node_generated_config_dir }}.tgz"
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Retrieve the node config tarballs from the master
+ fetch:
+ src: "{{ openshift_node_generated_config_dir }}.tgz"
+ dest: "{{ node_cert_mktemp.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift_node_cert_dir }}"
+ state: directory
+ when: node_certs_missing | bool
+
+- name: Unarchive the tarball on the node
+ unarchive:
+ src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
+ dest: "{{ openshift_node_cert_dir }}"
+ when: node_certs_missing | bool
+
+- file: name={{ node_cert_mktemp.stdout }} state=absent
+ changed_when: False
+ when: node_certs_missing | bool
+ delegate_to: localhost
+ become: no
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
index 61fbb1e51..17ad8106d 100644
--- a/roles/openshift_node_certificates/vars/main.yml
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -1,7 +1,11 @@
---
-openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
-openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
-openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
+openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}"
+openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
+openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
+
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"