diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-11-06 19:39:48 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-11-06 19:39:48 -0800 |
| commit | 7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1 (patch) | |
| tree | 9e30cba6a3aba2ac02f8411b1f5deba115ece8e8 /roles | |
| parent | 3d1677e3e2db0cac168e9cdec692506ed86f32d2 (diff) | |
| parent | 89fcbb72447ab74b440c15d1e35a1dd10cef1c49 (diff) | |
| download | openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.gz openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.bz2 openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.xz openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.zip | |
Merge pull request #6031 from abutcher/temporary-servinginfo-clientca
Automatic merge from submit-queue.
Temporarily set master servingInfo.clientCA as client-ca-bundle.crt during rolling CA redeployment.
This PR temporarily configures master `servingInfo.clientCA` as `client-ca-bundle.crt` during CA redeploy so that clients referencing the old OpenShift CA can continue to function until all cluster certificates have been replaced and `servingInfo.clientCA` is reset to `ca.crt`.
`client-ca-bundle.crt` is a new bundle created by the `openshift_ca` role which contains old and new OpenShift CA certificates.
https://bugzilla.redhat.com/show_bug.cgi?id=1509124
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1493276
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/openshift_ca/tasks/main.yml | 30 | ||||
| -rw-r--r-- | roles/openshift_master_facts/filter_plugins/openshift_master.py | 2 |
2 files changed, 31 insertions, 1 deletions
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index fad1ff5de..587526d07 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -106,6 +106,36 @@ delegate_to: "{{ openshift_ca_host }}" run_once: true +# Create client-ca-bundle.crt containing old and new OpenShift CA +# certificates. This bundle will be used when rolling the OpenShift CA +# certificate. +- name: Create client-ca-bundle.crt + block: + - command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: openshift_ca_clientconfig_tmpdir + delegate_to: "{{ openshift_ca_host }}" + - copy: + src: "{{ item }}" + dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/" + remote_src: true + with_items: "{{ g_master_legacy_ca_result.files | default([]) | oo_collect('path') }}" + delegate_to: "{{ openshift_ca_host }}" + run_once: true + - copy: + src: "{{ openshift_ca_config_dir }}/ca.crt" + dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/" + remote_src: true + delegate_to: "{{ openshift_ca_host }}" + run_once: true + - assemble: + src: "{{ openshift_ca_clientconfig_tmpdir.stdout }}" + dest: "{{ openshift_ca_config_dir }}/client-ca-bundle.crt" + mode: 0644 + owner: root + group: root + delegate_to: "{{ openshift_ca_host }}" + run_once: true + - name: Test local loopback context command: > {{ hostvars[openshift_ca_host].openshift.common.client_binary }} config view diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py index 69fecc7d2..1bea66c26 100644 --- a/roles/openshift_master_facts/filter_plugins/openshift_master.py +++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py @@ -508,7 +508,7 @@ class FilterModule(object): 'master.kubelet-client.crt', 'master.kubelet-client.key'] if bool(include_ca): - certs += ['ca.crt', 'ca.key', 'ca-bundle.crt'] + certs += ['ca.crt', 'ca.key', 'ca-bundle.crt', 'client-ca-bundle.crt'] if bool(include_keys): certs += ['serviceaccounts.private.key', 'serviceaccounts.public.key'] |