summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorJason DeTiberus <jdetiber@redhat.com>2015-07-10 14:46:43 -0400
committerJason DeTiberus <jdetiber@redhat.com>2015-07-10 14:46:43 -0400
commitadd3fbcce31e9db4ea8c76acb9c8579f20581912 (patch)
treeb2734a94adc7d6e05c49c348bf83b566960f01da /roles
parent5991073262127e4b85e9b1cf4ad7f62fb2c7c345 (diff)
downloadopenshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.tar.gz
openshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.tar.bz2
openshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.tar.xz
openshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.zip
Etcd role updates and playbook updates
- fix firewall conflict issues with co-located etcd and openshift hosts - added os_firewall dependency to etcd role - updated etcd template to better handle clustered and non-clustered installs - added etcd_ca role - generates a self-signed cert to manage etcd certificates, since etcd peer certificates are required to be client and server certs and the openshift ca will only generate client or server certs (not one authorized for both). - renamed openshift_etcd_certs role to etcd_certificates and updated it to manage certificates generated from the CA managed by the etcd_ca role - remove hard coded etcd_port in openshift_facts - updates for the openshift-etcd common playbook - removed etcd and openshift-etcd playbooks from the byo playbooks directory - added a common playbook for setting etcd launch facts - added an openshift-etcd common service playbook - removed unused variables - fixed tests for embedded_{etcd,dns,kube} in openshift_master - removed old workaround for reloading systemd units
Diffstat (limited to 'roles')
-rw-r--r--roles/etcd/defaults/main.yaml15
-rw-r--r--roles/etcd/meta/main.yml2
-rw-r--r--roles/etcd/tasks/main.yml36
-rw-r--r--roles/etcd/templates/etcd.conf.j216
-rw-r--r--roles/etcd_ca/README.md (renamed from roles/openshift_etcd_certs/README.md)2
-rw-r--r--roles/etcd_ca/meta/main.yml16
-rw-r--r--roles/etcd_ca/tasks/main.yml44
-rw-r--r--roles/etcd_ca/templates/openssl_append.j251
-rw-r--r--roles/etcd_ca/vars/main.yml3
-rw-r--r--roles/etcd_certificates/README.md34
-rw-r--r--roles/etcd_certificates/meta/main.yml (renamed from roles/openshift_etcd_certs/meta/main.yml)4
-rw-r--r--roles/etcd_certificates/tasks/client.yml42
-rw-r--r--roles/etcd_certificates/tasks/main.yml9
-rw-r--r--roles/etcd_certificates/tasks/server.yml73
-rw-r--r--roles/etcd_certificates/vars/main.yml11
-rw-r--r--roles/openshift_etcd_certs/tasks/main.yml33
-rw-r--r--roles/openshift_etcd_certs/vars/main.yml8
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py7
-rw-r--r--roles/openshift_master/tasks/main.yml5
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j28
-rw-r--r--roles/openshift_node/tasks/main.yml8
-rw-r--r--roles/openshift_node_certificates/vars/main.yml1
22 files changed, 348 insertions, 80 deletions
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index f6281101f..0fb45f37c 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -5,12 +5,13 @@ etcd_peer_port: 2380
etcd_peers_group: etcd
etcd_url_scheme: http
etcd_peer_url_scheme: http
-etcd_ca_file: /etc/etcd/ca.crt
-etcd_cert_file: /etc/etcd/client.crt
-etcd_key_file: /etc/etcd/client.key
-etcd_peer_ca_file: /etc/etcd/ca.crt
-etcd_peer_cert_file: /etc/etcd/peer.crt
-etcd_peer_key_file: /etc/etcd/peer.key
+etcd_conf_dir: /etc/etcd
+etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
+etcd_key_file: "{{ etcd_conf_dir }}/server.key"
+etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_peer_cert_file: "{{ etcd_conf_dir }}/peer.crt"
+etcd_peer_key_file: "{{ etcd_conf_dir }}/peer.key"
etcd_initial_cluster_state: new
etcd_initial_cluster_token: etcd-cluster-1
@@ -21,6 +22,8 @@ etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostn
etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
etcd_data_dir: /var/lib/etcd/
+
+os_firewall_use_firewalld: False
os_firewall_allow:
- service: etcd
port: "{{etcd_client_port}}/tcp"
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index f952f84be..82b1a62b8 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -15,3 +15,5 @@ galaxy_info:
categories:
- cloud
- system
+dependencies:
+- { role: os_firewall }
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 8ed803119..62e29324c 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -1,6 +1,38 @@
---
- name: Install etcd
- yum: pkg=etcd state=present disable_gpg_check=yes
+ yum: pkg=etcd state=present
+
+- name: Validate permissions on the config dir
+ file:
+ path: "{{ etcd_conf_dir }}"
+ state: directory
+ owner: etcd
+ group: etcd
+ mode: 0700
+
+- name: Validate permissions on certificate files
+ file:
+ path: "{{ item }}"
+ mode: 0600
+ group: etcd
+ owner: etcd
+ when: etcd_url_scheme == 'https'
+ with_items:
+ - "{{ etcd_ca_file }}"
+ - "{{ etcd_cert_file }}"
+ - "{{ etcd_key_file }}"
+
+- name: Validate permissions on peer certificate files
+ file:
+ path: "{{ item }}"
+ mode: 0600
+ group: etcd
+ owner: etcd
+ when: etcd_peer_url_scheme == 'https'
+ with_items:
+ - "{{ etcd_peer_ca_file }}"
+ - "{{ etcd_peer_cert_file }}"
+ - "{{ etcd_peer_key_file }}"
- name: Write etcd global config file
template:
@@ -14,3 +46,5 @@
name: etcd
state: started
enabled: yes
+
+- pause: seconds=10
diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2
index 5723b5089..801be2c97 100644
--- a/roles/etcd/templates/etcd.conf.j2
+++ b/roles/etcd/templates/etcd.conf.j2
@@ -8,31 +8,37 @@
{% endfor -%}
{% endmacro -%}
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
ETCD_NAME={{ inventory_hostname }}
+ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+{% else %}
+ETCD_NAME=default
+{% endif %}
ETCD_DATA_DIR={{ etcd_data_dir }}
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
-ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
-#
+
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
ETCD_INITIAL_CLUSTER={{ initial_cluster() }}
ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
-ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
-#
+{% endif %}
+ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+
#[proxy]
#ETCD_PROXY="off"
-#
+
#[security]
{% if etcd_url_scheme == 'https' -%}
ETCD_CA_FILE={{ etcd_ca_file }}
diff --git a/roles/openshift_etcd_certs/README.md b/roles/etcd_ca/README.md
index efac6d9fe..60a880e30 100644
--- a/roles/openshift_etcd_certs/README.md
+++ b/roles/etcd_ca/README.md
@@ -1,4 +1,4 @@
-OpenShift etcd certs
+etcd_ca
========================
TODO
diff --git a/roles/etcd_ca/meta/main.yml b/roles/etcd_ca/meta/main.yml
new file mode 100644
index 000000000..ce909b992
--- /dev/null
+++ b/roles/etcd_ca/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Jason DeTiberus
+ description:
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.9
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml
new file mode 100644
index 000000000..ab151fe5b
--- /dev/null
+++ b/roles/etcd_ca/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+- file:
+ path: "{{ etcd_ca_dir }}/{{ item }}"
+ state: directory
+ mode: 0700
+ owner: root
+ group: root
+ with_items:
+ - certs
+ - crl
+ - fragments
+
+- command: cp /etc/pki/tls/openssl.cnf ./
+ args:
+ chdir: "{{ etcd_ca_dir }}/fragments"
+ creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf"
+
+- template:
+ dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf"
+ src: openssl_append.j2
+
+- assemble:
+ src: "{{ etcd_ca_dir }}/fragments"
+ dest: "{{ etcd_ca_dir }}/openssl.cnf"
+
+- command: touch index.txt
+ args:
+ chdir: "{{ etcd_ca_dir }}"
+ creates: "{{ etcd_ca_dir }}/index.txt"
+
+- copy:
+ dest: "{{ etcd_ca_dir }}/serial"
+ content: "01"
+ force: no
+
+- command: >
+ openssl req -config openssl.cnf -newkey rsa:4096
+ -keyout ca.key -new -out ca.crt -x509 -extensions etcd_v3_ca_self
+ -batch -nodes -subj /CN=etcd-signer@{{ ansible_date_time.epoch }}
+ args:
+ chdir: "{{ etcd_ca_dir }}"
+ creates: "{{ etcd_ca_dir }}/ca.crt"
+ environment:
+ SAN: ''
diff --git a/roles/etcd_ca/templates/openssl_append.j2 b/roles/etcd_ca/templates/openssl_append.j2
new file mode 100644
index 000000000..de2adaead
--- /dev/null
+++ b/roles/etcd_ca/templates/openssl_append.j2
@@ -0,0 +1,51 @@
+
+[ etcd_v3_req ]
+basicConstraints = critical,CA:FALSE
+keyUsage = digitalSignature,keyEncipherment
+subjectAltName = ${ENV::SAN}
+
+[ etcd_ca ]
+dir = {{ etcd_ca_dir }}
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/certs
+certificate = $dir/ca.crt
+serial = $dir/serial
+private_key = $dir/ca.key
+crl_number = $dir/crlnumber
+x509_extensions = etcd_v3_ca_client
+default_days = 365
+default_md = sha256
+preserve = no
+name_opt = ca_default
+cert_opt = ca_default
+policy = policy_anything
+unique_subject = no
+copy_extensions = copy
+
+[ etcd_v3_ca_self ]
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = critical,CA:TRUE,pathlen:0
+keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
+subjectKeyIdentifier = hash
+
+[ etcd_v3_ca_peer ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth,serverAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
+
+[ etcd_v3_ca_server ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
+
+[ etcd_v3_ca_client ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
diff --git a/roles/etcd_ca/vars/main.yml b/roles/etcd_ca/vars/main.yml
new file mode 100644
index 000000000..901e95027
--- /dev/null
+++ b/roles/etcd_ca/vars/main.yml
@@ -0,0 +1,3 @@
+---
+etcd_conf_dir: /etc/etcd
+etcd_ca_dir: /etc/etcd/ca
diff --git a/roles/etcd_certificates/README.md b/roles/etcd_certificates/README.md
new file mode 100644
index 000000000..95f8f8aab
--- /dev/null
+++ b/roles/etcd_certificates/README.md
@@ -0,0 +1,34 @@
+OpenShift etcd certificates
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Scott Dodson (sdodson@redhat.com)
diff --git a/roles/openshift_etcd_certs/meta/main.yml b/roles/etcd_certificates/meta/main.yml
index 4847ba94b..41370fab4 100644
--- a/roles/openshift_etcd_certs/meta/main.yml
+++ b/roles/etcd_certificates/meta/main.yml
@@ -1,6 +1,6 @@
---
galaxy_info:
- author: Scott Dodson
+ author: Jason DeTiberus
description:
company: Red Hat, Inc.
license: Apache License, Version 2.0
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- { role: openshift_facts }
+- { role: etcd_ca }
diff --git a/roles/etcd_certificates/tasks/client.yml b/roles/etcd_certificates/tasks/client.yml
new file mode 100644
index 000000000..28f33f442
--- /dev/null
+++ b/roles/etcd_certificates/tasks/client.yml
@@ -0,0 +1,42 @@
+---
+- name: Ensure generated_certs directory present
+ file:
+ path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ state: directory
+ mode: 0700
+ with_items: etcd_needing_client_certs
+
+- name: Create the client csr
+ command: >
+ openssl req -new -keyout {{ item.etcd_cert_prefix }}client.key
+ -config {{ etcd_openssl_conf }}
+ -out {{ item.etcd_cert_prefix }}client.csr
+ -reqexts {{ etcd_req_ext }} -batch -nodes
+ -subj /CN={{ item.openshift.common.hostname }}
+ args:
+ chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/'
+ ~ item.etcd_cert_prefix ~ 'client.csr' }}"
+ environment:
+ SAN: "IP:{{ item.openshift.common.ip }}"
+ with_items: etcd_needing_client_certs
+
+- name: Sign and create the client crt
+ command: >
+ openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+ -out {{ item.etcd_cert_prefix }}client.crt
+ -in {{ item.etcd_cert_prefix }}client.csr
+ -batch
+ args:
+ chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/'
+ ~ item.etcd_cert_prefix ~ 'client.crt' }}"
+ environment:
+ SAN: ''
+ with_items: etcd_needing_client_certs
+
+- file:
+ src: "{{ etcd_ca_cert }}"
+ dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
+ state: hard
+ with_items: etcd_needing_client_certs
diff --git a/roles/etcd_certificates/tasks/main.yml b/roles/etcd_certificates/tasks/main.yml
new file mode 100644
index 000000000..da875e8ea
--- /dev/null
+++ b/roles/etcd_certificates/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- include: client.yml
+ when: etcd_needing_client_certs is defined and etcd_needing_client_certs
+
+- include: server.yml
+ when: etcd_needing_server_certs is defined and etcd_needing_server_certs
+
+
+
diff --git a/roles/etcd_certificates/tasks/server.yml b/roles/etcd_certificates/tasks/server.yml
new file mode 100644
index 000000000..727b7fa2c
--- /dev/null
+++ b/roles/etcd_certificates/tasks/server.yml
@@ -0,0 +1,73 @@
+---
+- name: Ensure generated_certs directory present
+ file:
+ path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ state: directory
+ mode: 0700
+ with_items: etcd_needing_server_certs
+
+- name: Create the server csr
+ command: >
+ openssl req -new -keyout {{ item.etcd_cert_prefix }}server.key
+ -config {{ etcd_openssl_conf }}
+ -out {{ item.etcd_cert_prefix }}server.csr
+ -reqexts {{ etcd_req_ext }} -batch -nodes
+ -subj /CN={{ item.openshift.common.hostname }}
+ args:
+ chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/'
+ ~ item.etcd_cert_prefix ~ 'server.csr' }}"
+ environment:
+ SAN: "IP:{{ item.openshift.common.ip }}"
+ with_items: etcd_needing_server_certs
+
+- name: Sign and create the server crt
+ command: >
+ openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+ -out {{ item.etcd_cert_prefix }}server.crt
+ -in {{ item.etcd_cert_prefix }}server.csr
+ -extensions {{ etcd_ca_exts_server }} -batch
+ args:
+ chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/'
+ ~ item.etcd_cert_prefix ~ 'server.crt' }}"
+ environment:
+ SAN: ''
+ with_items: etcd_needing_server_certs
+
+- name: Create the peer csr
+ command: >
+ openssl req -new -keyout {{ item.etcd_cert_prefix }}peer.key
+ -config {{ etcd_openssl_conf }}
+ -out {{ item.etcd_cert_prefix }}peer.csr
+ -reqexts {{ etcd_req_ext }} -batch -nodes
+ -subj /CN={{ item.openshift.common.hostname }}
+ args:
+ chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/'
+ ~ item.etcd_cert_prefix ~ 'peer.csr' }}"
+ environment:
+ SAN: "IP:{{ item.openshift.common.ip }}"
+ with_items: etcd_needing_server_certs
+
+- name: Sign and create the peer crt
+ command: >
+ openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+ -out {{ item.etcd_cert_prefix }}peer.crt
+ -in {{ item.etcd_cert_prefix }}peer.csr
+ -extensions {{ etcd_ca_exts_peer }} -batch
+ args:
+ chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+ creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/'
+ ~ item.etcd_cert_prefix ~ 'peer.crt' }}"
+ environment:
+ SAN: ''
+ with_items: etcd_needing_server_certs
+
+- file:
+ src: "{{ etcd_ca_cert }}"
+ dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
+ state: hard
+ with_items: etcd_needing_server_certs
+
+
diff --git a/roles/etcd_certificates/vars/main.yml b/roles/etcd_certificates/vars/main.yml
new file mode 100644
index 000000000..0eaeeb82b
--- /dev/null
+++ b/roles/etcd_certificates/vars/main.yml
@@ -0,0 +1,11 @@
+---
+etcd_conf_dir: /etc/etcd
+etcd_ca_dir: /etc/etcd/ca
+etcd_generated_certs_dir: /etc/etcd/generated_certs
+etcd_ca_cert: "{{ etcd_ca_dir }}/ca.crt"
+etcd_ca_key: "{{ etcd_ca_dir }}/ca.key"
+etcd_openssl_conf: "{{ etcd_ca_dir }}/openssl.cnf"
+etcd_ca_name: etcd_ca
+etcd_req_ext: etcd_v3_req
+etcd_ca_exts_peer: etcd_v3_ca_peer
+etcd_ca_exts_server: etcd_v3_ca_server
diff --git a/roles/openshift_etcd_certs/tasks/main.yml b/roles/openshift_etcd_certs/tasks/main.yml
deleted file mode 100644
index 04b411117..000000000
--- a/roles/openshift_etcd_certs/tasks/main.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-- name: Create openshift_generated_configs_dir if it doesn't exist
- file:
- path: "{{ openshift_generated_configs_dir }}"
- state: directory
-
-- name: Create openshift_generated_configs_dir for each etcd host
- file:
- path: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname}}"
- state: directory
- with_items: etcd_hosts_needing_certs
-
-- name: Generate the etcd client side certs
- delegate_to: "{{ openshift_first_master }}"
- command: >
- {{ openshift.common.admin_binary }} create-server-cert
- --cert=client.crt --key=client.key --overwrite=true
- --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname, item.openshift.common.ip]|unique|join(",") }}
- --signer-cert={{ openshift_master_ca_cert }}
- --signer-key={{ openshift_master_ca_key }}
- --signer-serial={{ openshift_master_ca_serial }}
- args:
- chdir: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}"
- creates: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}/client.crt"
- with_items: etcd_hosts_needing_certs
-
-- name: Copy CA cert
- delegate_to: "{{ openshift_first_master }}"
- command: "cp {{ openshift_master_ca_cert }} ."
- args:
- chdir: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}"
- creates: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}/ca.crt"
- with_items: etcd_hosts_needing_certs
diff --git a/roles/openshift_etcd_certs/vars/main.yml b/roles/openshift_etcd_certs/vars/main.yml
deleted file mode 100644
index 3801b8427..000000000
--- a/roles/openshift_etcd_certs/vars/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-openshift_node_config_dir: /etc/openshift/node
-openshift_master_config_dir: /etc/openshift/master
-openshift_generated_configs_dir: /etc/openshift/generated-configs
-openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
-openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
-openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
-openshift_kube_api_version: v1beta3
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index e9a2ceffb..aff822a23 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -374,7 +374,6 @@ def set_url_facts_if_unset(facts):
if 'etcd_urls' not in facts['master']:
etcd_urls = []
if etcd_hosts != '':
- etcd_port = 2379
facts['master']['etcd_port'] = etcd_port
facts['master']['embedded_etcd'] = False
for host in etcd_hosts:
@@ -718,11 +717,7 @@ class OpenShiftFacts(object):
defaults['master'] = master
if 'node' in roles:
- node = dict(pod_cidr='', labels={}, annotations={}, portal_net='172.30.0.0/16')
- node['resources_cpu'] = self.system_facts['processor_cores']
- node['resources_memory'] = int(
- int(self.system_facts['memtotal_mb']) * 1024 * 1024 * 0.75
- )
+ node = dict(labels={}, annotations={}, portal_net='172.30.0.0/16')
defaults['node'] = node
return defaults
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index f6bd2bf2e..95da2d6f4 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -12,11 +12,6 @@
yum: pkg=openshift-master state=present
register: install_result
-# TODO: Is this necessary or was this a workaround for an old bug in packaging?
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: install_result | changed
-
- name: Set master OpenShift facts
openshift_facts:
role: master
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 3b8b18c39..bc766ec9b 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -18,19 +18,19 @@ corsAllowedOrigins:
{% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %}
- {{ origin }}
{% endfor %}
-{% if openshift.master.embedded_dns %}
+{% if openshift.master.embedded_dns | bool %}
dnsConfig:
bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.dns_port }}
{% endif %}
etcdClientInfo:
- ca: ca.crt
+ ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
certFile: master.etcd-client.crt
keyFile: master.etcd-client.key
urls:
{% for etcd_url in openshift.master.etcd_urls %}
- {{ etcd_url }}
{% endfor %}
-{% if openshift.master.embedded_etcd %}
+{% if openshift.master.embedded_etcd | bool %}
etcdConfig:
address: {{ openshift.common.hostname }}:{{ openshift.master.etcd_port }}
peerAddress: {{ openshift.common.hostname }}:7001
@@ -61,7 +61,7 @@ kubeletClientInfo:
certFile: master.kubelet-client.crt
keyFile: master.kubelet-client.key
port: 10250
-{% if openshift.master.embedded_kube %}
+{% if openshift.master.embedded_kube | bool %}
kubernetesMasterConfig:
apiLevels:
- v1beta3
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 770b55351..53b325e4d 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -10,11 +10,6 @@
register: sdn_install_result
when: openshift.common.use_openshift_sdn
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: (node_install_result | changed or (openshift.common.use_openshift_sdn
- and sdn_install_result | changed))
-
- name: Set node OpenShift facts
openshift_facts:
role: "{{ item.role }}"
@@ -27,9 +22,6 @@
deployment_type: "{{ openshift_deployment_type }}"
- role: node
local_facts:
- resources_cpu: "{{ openshift_node_resources_cpu | default(none) }}"
- resources_memory: "{{ openshift_node_resources_memory | default(none) }}"
- pod_cidr: "{{ openshift_node_pod_cidr | default(none) }}"
labels: "{{ openshift_node_labels | default(none) }}"
annotations: "{{ openshift_node_annotations | default(none) }}"
registry_url: "{{ oreg_url | default(none) }}"
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
index 3801b8427..a018bb0f9 100644
--- a/roles/openshift_node_certificates/vars/main.yml
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -5,4 +5,3 @@ openshift_generated_configs_dir: /etc/openshift/generated-configs
openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
-openshift_kube_api_version: v1beta3