summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2016-08-03 13:03:46 -0400
committerGitHub <noreply@github.com>2016-08-03 13:03:46 -0400
commit71bc6b9a67d83c0618ac9a786a6cb0d1abd907da (patch)
treed6d4151be2a2e5621559f8584c3c7aa957e386aa /roles
parent723c1fb1d73582cd0209cdc7201231b258161555 (diff)
parent4c66a9b62488b5e344f2e65cda6bc2ba3e0f2933 (diff)
downloadopenshift-71bc6b9a67d83c0618ac9a786a6cb0d1abd907da.tar.gz
openshift-71bc6b9a67d83c0618ac9a786a6cb0d1abd907da.tar.bz2
openshift-71bc6b9a67d83c0618ac9a786a6cb0d1abd907da.tar.xz
openshift-71bc6b9a67d83c0618ac9a786a6cb0d1abd907da.zip
Merge pull request #2049 from abutcher/named-certificates
Named CA Certificates
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_ca/meta/main.yml1
-rw-r--r--roles/openshift_ca/tasks/main.yml14
-rw-r--r--roles/openshift_master/handlers/main.yml7
-rw-r--r--roles/openshift_master/tasks/main.yml7
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j214
-rw-r--r--roles/openshift_master_certificates/meta/main.yml1
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml13
-rw-r--r--roles/openshift_named_certificates/README.md32
-rw-r--r--roles/openshift_named_certificates/meta/main.yml16
-rw-r--r--roles/openshift_named_certificates/tasks/main.yml46
-rw-r--r--roles/openshift_named_certificates/tasks/named_certificates.yml32
-rw-r--r--roles/openshift_named_certificates/vars/main.yml11
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml3
13 files changed, 182 insertions, 15 deletions
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
index a08aa1686..444c5b77e 100644
--- a/roles/openshift_ca/meta/main.yml
+++ b/roles/openshift_ca/meta/main.yml
@@ -15,3 +15,4 @@ galaxy_info:
dependencies:
- role: openshift_repos
- role: openshift_cli
+- role: openshift_named_certificates
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index 4d9768ce7..2e147840d 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -28,6 +28,7 @@
path: "{{ openshift_ca_config_dir }}/{{ item }}"
register: g_master_ca_stat_result
with_items:
+ - ca-bundle.crt
- ca.crt
- ca.key
delegate_to: "{{ openshift_ca_host }}"
@@ -43,11 +44,14 @@
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ openshift_master_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_ca_config_dir }}
- --overwrite=false
+ {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ --hostnames={{ openshift_master_hostnames | join(',') }}
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --cert-dir={{ openshift_ca_config_dir }}
+ --overwrite=false
when: hostvars[openshift_ca_host].master_ca_missing | bool
delegate_to: "{{ openshift_ca_host }}"
run_once: true
diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml
index f7dfb11f7..edb7369de 100644
--- a/roles/openshift_master/handlers/main.yml
+++ b/roles/openshift_master/handlers/main.yml
@@ -17,7 +17,12 @@
# Using curl here since the uri module requires python-httplib2 and
# wait_for port doesn't provide health information.
command: >
- curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt
+ curl --silent
+ {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+ --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
+ {% else %}
+ --cacert {{ openshift.common.config_base }}/master/ca.crt
+ {% endif %}
{{ openshift.master.api_url }}/healthz/ready
register: api_available_output
until: api_available_output.stdout == 'ok'
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 115a64aeb..e1efb4c2b 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -224,7 +224,12 @@
# Using curl here since the uri module requires python-httplib2 and
# wait_for port doesn't provide health information.
command: >
- curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt
+ curl --silent
+ {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+ --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
+ {% else %}
+ --cacert {{ openshift.common.config_base }}/master/ca.crt
+ {% endif %}
{{ openshift.master.api_url }}/healthz/ready
register: api_available_output
until: api_available_output.stdout == 'ok'
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index b18a42e32..662f23aa3 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -156,7 +156,11 @@ oauthConfig:
{% for line in translated_identity_providers.splitlines() %}
{{ line }}
{% endfor %}
- masterCA: ca.crt
+{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+ masterCA: ca-bundle.crt
+{% else %}
+ masterCA: ca.rt
+{% endif %}
masterPublicURL: {{ openshift.master.public_api_url }}
masterURL: {{ openshift.master.api_url }}
sessionConfig:
@@ -189,7 +193,11 @@ serviceAccountConfig:
- default
- builder
- deployer
- masterCA: ca.crt
+{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+ masterCA: ca-bundle.crt
+{% else %}
+ masterCA: ca.rt
+{% endif %}
privateKeyFile: serviceaccounts.private.key
publicKeyFiles:
- serviceaccounts.public.key
@@ -201,7 +209,7 @@ servingInfo:
keyFile: master.server.key
maxRequestsInFlight: {{ openshift.master.max_requests_inflight }}
requestTimeoutSeconds: 3600
-{% if openshift.master.named_certificates %}
+{% if openshift.master.named_certificates | default([]) | length > 0 %}
namedCertificates:
{% for named_certificate in openshift.master.named_certificates %}
- certFile: {{ named_certificate['certfile'] }}
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
index dd19c8ded..018186e86 100644
--- a/roles/openshift_master_certificates/meta/main.yml
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -13,4 +13,5 @@ galaxy_info:
- cloud
- system
dependencies:
+- role: openshift_master_facts
- role: openshift_ca
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index 6fb5830cf..9ed082d9f 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -49,11 +49,14 @@
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_generated_config_dir }}
- --overwrite=false
+ {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ --hostnames={{ openshift.common.all_hostnames | join(',') }}
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --cert-dir={{ openshift_master_generated_config_dir }}
+ --overwrite=false
when: master_certs_missing | bool
delegate_to: "{{ openshift_ca_host }}"
diff --git a/roles/openshift_named_certificates/README.md b/roles/openshift_named_certificates/README.md
new file mode 100644
index 000000000..41f895813
--- /dev/null
+++ b/roles/openshift_named_certificates/README.md
@@ -0,0 +1,32 @@
+OpenShift Named Certificates
+============================
+
+TODO
+
+Requirements
+------------
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Andrew Butcher <abutcher@redhat.com>
diff --git a/roles/openshift_named_certificates/meta/main.yml b/roles/openshift_named_certificates/meta/main.yml
new file mode 100644
index 000000000..2c6e12494
--- /dev/null
+++ b/roles/openshift_named_certificates/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Andrew Butcher
+ description: OpenShift Named Certificates
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.1
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- role: openshift_facts
diff --git a/roles/openshift_named_certificates/tasks/main.yml b/roles/openshift_named_certificates/tasks/main.yml
new file mode 100644
index 000000000..7f20cf401
--- /dev/null
+++ b/roles/openshift_named_certificates/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+- set_fact:
+ parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certs_dir, internal_hostnames) }}"
+ when: named_certificates | length > 0
+ delegate_to: localhost
+ become: no
+ run_once: true
+
+- openshift_facts:
+ role: master
+ local_facts:
+ named_certificates: "{{ parsed_named_certificates | default([]) }}"
+ additive_facts_to_overwrite:
+ - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}"
+
+- name: Clear named certificates
+ file:
+ path: "{{ named_certs_dir }}"
+ state: absent
+ when: overwrite_named_certs | bool
+
+- name: Ensure named certificate directory exists
+ file:
+ path: "{{ named_certs_dir }}"
+ state: directory
+ mode: 0700
+
+- name: Land named certificates
+ copy:
+ src: "{{ item.certfile }}"
+ dest: "{{ named_certs_dir }}"
+ with_items: "{{ named_certificates }}"
+
+- name: Land named certificate keys
+ copy:
+ src: "{{ item.keyfile }}"
+ dest: "{{ named_certs_dir }}"
+ mode: 0600
+ with_items: "{{ named_certificates }}"
+
+- name: Land named CA certificates
+ copy:
+ src: "{{ item }}"
+ dest: "{{ named_certs_dir }}"
+ mode: 0600
+ with_items: "{{ named_certificates | oo_collect('cafile') }}"
diff --git a/roles/openshift_named_certificates/tasks/named_certificates.yml b/roles/openshift_named_certificates/tasks/named_certificates.yml
new file mode 100644
index 000000000..7b097b443
--- /dev/null
+++ b/roles/openshift_named_certificates/tasks/named_certificates.yml
@@ -0,0 +1,32 @@
+---
+- name: Clear named certificates
+ file:
+ path: "{{ named_certs_dir }}"
+ state: absent
+ when: overwrite_named_certs | bool
+
+- name: Ensure named certificate directory exists
+ file:
+ path: "{{ named_certs_dir }}"
+ state: directory
+ mode: 0700
+
+- name: Land named certificates
+ copy:
+ src: "{{ item.certfile }}"
+ dest: "{{ named_certs_dir }}"
+ with_items: "{{ openshift_master_named_certificates | default([]) }}"
+
+- name: Land named certificate keys
+ copy:
+ src: "{{ item.keyfile }}"
+ dest: "{{ named_certs_dir }}"
+ mode: 0600
+ with_items: "{{ openshift_master_named_certificates | default([]) }}"
+
+- name: Land named CA certificates
+ copy:
+ src: "{{ item }}"
+ dest: "{{ named_certs_dir }}"
+ mode: 0600
+ with_items: "{{ openshift_master_named_certificates | default([]) | oo_collect('cafile') }}"
diff --git a/roles/openshift_named_certificates/vars/main.yml b/roles/openshift_named_certificates/vars/main.yml
new file mode 100644
index 000000000..368e9bdac
--- /dev/null
+++ b/roles/openshift_named_certificates/vars/main.yml
@@ -0,0 +1,11 @@
+---
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_version: "{{ openshift_pkg_version | default('') }}"
+
+overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}"
+named_certs_dir: "{{ openshift.common.config_base }}/master/named_certificates/"
+internal_hostnames: "{{ openshift.common.internal_hostnames }}"
+named_certificates: "{{ openshift_master_named_certificates | default([]) }}"
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 0e69dc6f0..8768fb0c2 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -42,6 +42,9 @@
- name: Generate the node client config
command: >
{{ openshift.common.admin_binary }} create-api-client-config
+ {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
--certificate-authority={{ openshift_ca_cert }}
--client-dir={{ openshift_node_generated_config_dir }}
--groups=system:nodes