-rw-r--r--playbooks/common/openshift-master/config.yml101
-rw-r--r--playbooks/common/openshift-node/config.yml70
-rw-r--r--roles/openshift_ca/README.md48
-rw-r--r--roles/openshift_ca/tasks/main.yml56
-rw-r--r--roles/openshift_ca/vars/main.yml6
-rw-r--r--roles/openshift_master/meta/main.yml1
-rw-r--r--roles/openshift_master_ca/README.md34
-rw-r--r--roles/openshift_master_ca/meta/main.yml (renamed from roles/openshift_ca/meta/main.yml)8
-rw-r--r--roles/openshift_master_ca/tasks/main.yml23
-rw-r--r--roles/openshift_master_ca/vars/main.yml6
-rw-r--r--roles/openshift_master_certificates/README.md29
-rw-r--r--roles/openshift_master_certificates/meta/main.yml6
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml123
-rw-r--r--roles/openshift_master_certificates/vars/main.yml2
-rw-r--r--roles/openshift_node/meta/main.yml2
-rw-r--r--roles/openshift_node_certificates/README.md33
-rw-r--r--roles/openshift_node_certificates/meta/main.yml6
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml97
-rw-r--r--roles/openshift_node_certificates/vars/main.yml9
19 files changed, 289 insertions, 371 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index e9337270b..0ca148169 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -156,6 +156,85 @@
- master.etcd-ca.crt
when: etcd_client_certs_missing is defined and etcd_client_certs_missing
+- name: Determine if master certificates need to be generated
+ hosts: oo_first_master:oo_masters_to_config
+ tasks:
+ - set_fact:
+ openshift_master_certs_no_etcd:
+ - admin.crt
+ - master.kubelet-client.crt
+ - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+ - master.server.crt
+ - openshift-master.crt
+ - openshift-registry.crt
+ - openshift-router.crt
+ - etcd.server.crt
+ openshift_master_certs_etcd:
+ - master.etcd-client.crt
+
+ - set_fact:
+ openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}"
+
+ - name: Check status of master certificates
+ stat:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ with_items: "{{ openshift_master_certs }}"
+ register: g_master_cert_stat_result
+ - set_fact:
+ master_certs_missing: "{{ False in (g_master_cert_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list ) }}"
+ master_cert_subdir: master-{{ openshift.common.hostname }}
+ master_cert_config_dir: "{{ openshift.common.config_base }}/master"
+ - set_fact:
+ openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_nodes_with_label('region', 'infra')
+ | oo_collect('inventory_hostname') }}"
+ when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0
+
+- name: Configure master certificates
+ hosts: oo_first_master
+ vars:
+ master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs"
+ masters_needing_certs: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
+ | oo_filter_list(filter_attr='master_certs_missing') }}"
+ master_hostnames: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect('openshift.common.all_hostnames')
+ | oo_flatten | unique }}"
+ sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
+ openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+ roles:
+ - openshift_master_certificates
+ post_tasks:
+ - name: Remove generated etcd client certs when using external etcd
+ file:
+ path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
+ state: absent
+ when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
+ with_nested:
+ - "{{ masters_needing_certs | default([]) }}"
+ - - master.etcd-client.crt
+ - master.etcd-client.key
+
+ - name: Create a tarball of the master certs
+ command: >
+ tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz
+ -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} .
+ args:
+ creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
+ with_items: "{{ masters_needing_certs | default([]) }}"
+
+ - name: Retrieve the master cert tarball from the master
+ fetch:
+ src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
+ dest: "{{ sync_tmpdir }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ with_items: "{{ masters_needing_certs | default([]) }}"
+
- name: Check for cached session secrets
hosts: oo_first_master
roles:
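Review bot: The per-master certificate archive written by the tar task (L96-100) stays on the first master after the fetch task (L103-110) has copied it to the controller, and the `creates:` guard means a stale archive is reused on later runs even if the per-master directory has since been regenerated; the same pattern appears in the 'Create node certificates' play of playbooks/common/openshift-node/config.yml. Because that directory holds the master's private keys (and, per the openshift_master_certificates role in this commit, hard links to ca.key), I would delete the archive once it has been fetched instead of leaving it at rest under generated-configs. Separately, as far as I know `omit` is only honoured for module parameters, so inside the `set_fact` list at L40 it becomes the omit placeholder string, the stat loop checks a path that never exists, and `master_certs_missing` is true on every run for versions before 3.1/1.1; building the list conditionally (`+ (['master.proxy-client.crt'] if openshift.common.version_gte_3_1_or_1_1 else [])`) avoids that.
```yaml
  - name: Retrieve the master cert tarball from the master
    # … unchanged: fetch task and its with_items …

  - name: Remove the master cert tarball once it has been fetched
    file:
      path: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
      state: absent
    with_items: "{{ masters_needing_certs | default([]) }}"
```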
@@ -249,17 +328,19 @@
}}"
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
+ pre_tasks:
+ - name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift.common.config_base }}/master"
+ state: directory
+ when: master_certs_missing | bool and 'oo_first_master' not in group_names
+ - name: Unarchive the tarball on the master
+ unarchive:
+ src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"
+ dest: "{{ master_cert_config_dir }}"
+ when: master_certs_missing | bool and 'oo_first_master' not in group_names
roles:
- - role: openshift_master
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_master_etcd_hosts: "{{ hostvars
- | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
- | oo_collect('openshift.common.hostname')
- | default(none, true) }}"
- openshift_master_hostnames: "{{ hostvars
- | oo_select_keys(groups['oo_masters_to_config'] | default([]))
- | oo_collect('openshift.common.all_hostnames')
- | oo_flatten | unique }}"
+ - openshift_master
- role: nickhammond.logrotate
- role: nuage_master
when: openshift.common.use_nuage | bool
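Review bot: The unarchive task added at L125-129 reads the fetched archive from `sync_tmpdir` on the controller, but neither hunk of this playbook removes that directory afterwards, whereas the role tasks removed by this commit did so (`file: name={{ g_master_mktemp.stdout }} state=absent`, old roles/openshift_master_certificates/tasks/main.yml). If no later play in this file cleans it up, the archives with each master's private keys remain in /tmp on the controller after the run; I would add a final localhost play (or a post_tasks step here) that deletes `{{ sync_tmpdir }}`. The play these pre_tasks belong to starts outside the hunk, so I cannot see whether a guard for `sync_tmpdir` being undefined exists.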
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 6fbf7d44a..b3491ef8d 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -19,6 +19,23 @@
labels: "{{ openshift_node_labels | default(None) }}"
annotations: "{{ openshift_node_annotations | default(None) }}"
schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
+ - name: Check status of node certificates
+ stat:
+ path: "{{ openshift.common.config_base }}/node/{{ item }}"
+ with_items:
+ - "system:node:{{ openshift.common.hostname }}.crt"
+ - "system:node:{{ openshift.common.hostname }}.key"
+ - "system:node:{{ openshift.common.hostname }}.kubeconfig"
+ - ca.crt
+ - server.key
+ - server.crt
+ register: stat_result
+ - set_fact:
+ certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists')
+ | list | intersect([false])}}"
+ node_subdir: node-{{ openshift.common.hostname }}
+ config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}"
+ node_cert_dir: "{{ openshift.common.config_base }}/node"
- name: Create temp directory for syncing certs
hosts: localhost
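Review bot: `certs_missing` at L165-166 is set to a list (`[false]` or `[]`) via `intersect([false])`, while the equivalent master fact is a boolean (`False in (...)`, L58-60 of playbooks/common/openshift-master/config.yml), so the two plays cannot be read the same way and `when: certs_missing` later in this file only works through list truthiness. I would use the same expression as the master play: `certs_missing: "{{ False in (stat_result.results | oo_collect(attribute='stat.exists') | list) }}"`. I cannot tell from here whether `oo_filter_list(filter_attr='certs_missing')` treats a list and a boolean the same, so that filter should be checked after the change. The play containing this task starts outside the hunk.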
@@ -31,6 +48,53 @@
register: mktemp
changed_when: False
+- name: Create node certificates
+ hosts: oo_first_master
+ vars:
+ nodes_needing_certs: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config']
+ | default([]))
+ | oo_filter_list(filter_attr='certs_missing') }}"
+ sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
+ roles:
+ - openshift_node_certificates
+ post_tasks:
+ - name: Create a tarball of the node config directories
+ command: >
+ tar -czvf {{ item.config_dir }}.tgz
+ --transform 's|system:{{ item.node_subdir }}|node|'
+ -C {{ item.config_dir }} .
+ args:
+ creates: "{{ item.config_dir }}.tgz"
+ with_items: "{{ nodes_needing_certs | default([]) }}"
+
+ - name: Retrieve the node config tarballs from the master
+ fetch:
+ src: "{{ item.config_dir }}.tgz"
+ dest: "{{ sync_tmpdir }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ with_items: "{{ nodes_needing_certs | default([]) }}"
+
+- name: Deploy node certificates
+ hosts: oo_nodes_to_config
+ vars:
+ sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
+ tasks:
+ - name: Ensure certificate directory exists
+ file:
+ path: "{{ node_cert_dir }}"
+ state: directory
+ # TODO: notify restart node
+ # possibly test service started time against certificate/config file
+ # timestamps in node to trigger notify
+ - name: Unarchive the tarball on the node
+ unarchive:
+ src: "{{ sync_tmpdir }}/{{ node_subdir }}.tgz"
+ dest: "{{ node_cert_dir }}"
+ when: certs_missing
+
- name: Evaluate node groups
hosts: localhost
become: no
@@ -60,8 +124,7 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
- - role: openshift_node
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ - openshift_node
- name: Configure node instances
hosts: oo_nodes_to_config:!oo_containerized_master_nodes
@@ -77,8 +140,7 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
- - role: openshift_node
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ - openshift_node
- name: Gather and set facts for flannel certificatess
hosts: oo_nodes_to_config
diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md
deleted file mode 100644
index 96c9cd5f2..000000000
--- a/roles/openshift_ca/README.md
+++ /dev/null
@@ -1,48 +0,0 @@
-OpenShift CA
-============
-
-This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles.
-
-Requirements
-------------
-
-Role Variables
---------------
-
-From this role:
-
-| Name | Default value | Description |
-|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------|
-| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be created. |
-| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master` | CA certificate directory. |
-| openshift_ca_cert | `{{ openshift_ca_config_dir }}/ca.crt` | CA certificate path including CA certificate filename. |
-| openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. |
-| openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. |
-| openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. |
-
-Dependencies
-------------
-
-* openshift_repos
-* openshift_cli
-
-Example Playbook
-----------------
-
-```
-- name: Create OpenShift CA
- hosts: localhost
- roles:
- - role: openshift_ca
- openshift_ca_host: master1.example.com
-```
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
deleted file mode 100644
index 497473f22..000000000
--- a/roles/openshift_ca/tasks/main.yml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-- fail:
- msg: "openshift_ca_host variable must be defined for this role"
- when: openshift_ca_host is not defined
-
-- name: Install the base package for admin tooling
- action: >
- {{ ansible_pkg_mgr }}
- name={{ openshift.common.service_type }}{{ openshift_version }}
- state=present
- when: not openshift.common.is_containerized | bool
- register: install_result
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- name: Reload generated facts
- openshift_facts:
- when: install_result | changed
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- name: Create openshift_ca_config_dir if it does not exist
- file:
- path: "{{ openshift_ca_config_dir }}"
- state: directory
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- name: Determine if CA must be created
- stat:
- path: "{{ openshift_ca_config_dir }}/{{ item }}"
- register: g_master_ca_stat_result
- with_items:
- - ca.crt
- - ca.key
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- set_fact:
- master_ca_missing: "{{ False in (g_master_ca_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- name: Create the master certificates if they do not already exist
- command: >
- {{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ openshift_master_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_ca_config_dir }}
- --overwrite=false
- when: hostvars[openshift_ca_host].master_ca_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml
deleted file mode 100644
index a32e385ec..000000000
--- a/roles/openshift_ca/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index f6b926d74..0a69b3eef 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -15,7 +15,6 @@ dependencies:
- role: openshift_clock
- role: openshift_docker
- role: openshift_cli
-- role: openshift_master_certificates
- role: openshift_cloud_provider
- role: openshift_builddefaults
- role: openshift_master_facts
diff --git a/roles/openshift_master_ca/README.md b/roles/openshift_master_ca/README.md
new file mode 100644
index 000000000..5b2d3601b
--- /dev/null
+++ b/roles/openshift_master_ca/README.md
@@ -0,0 +1,34 @@
+OpenShift Master CA
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_master_ca/meta/main.yml
index 0089f4209..b5dd466c9 100644
--- a/roles/openshift_ca/meta/main.yml
+++ b/roles/openshift_master_ca/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description: OpenShift CA
+ description:
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.9.4
+ min_ansible_version: 1.8
platforms:
- name: EL
versions:
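Review bot: `description:` at L432 is left with no value, which a YAML parser reads as null, and `min_ansible_version: 1.8` at L436 is parsed as a float rather than the version string the previous `1.9.4` was; both appear again in roles/openshift_master_certificates/meta/main.yml (L544, L548) and roles/openshift_node_certificates/meta/main.yml (L783, L787). I would write `description: OpenShift Master CA` (matching the README title) and `min_ansible_version: "1.8"`, with the corresponding descriptions in the other two roles.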
@@ -13,5 +13,5 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_repos
-- role: openshift_cli
+- { role: openshift_repos }
+- { role: openshift_cli }
diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml
new file mode 100644
index 000000000..4b7ef1d84
--- /dev/null
+++ b/roles/openshift_master_ca/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install the base package for admin tooling
+ action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_version }} state=present"
+ when: not openshift.common.is_containerized | bool
+ register: install_result
+
+- name: Reload generated facts
+ openshift_facts:
+ when: install_result | changed
+
+- name: Create openshift_master_config_dir if it doesn't exist
+ file:
+ path: "{{ openshift_master_config_dir }}"
+ state: directory
+
+- name: Create the master certificates if they do not already exist
+ command: >
+ {{ openshift.common.admin_binary }} create-master-certs
+ --hostnames={{ master_hostnames | join(',') }}
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --cert-dir={{ openshift_master_config_dir }} --overwrite=false
+ when: master_certs_missing | bool
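Review bot: This role reads `master_hostnames` (L472) and `master_certs_missing` (L476), which are only defined by the calling play in playbooks/common/openshift-master/config.yml, and has no guard for their absence; the openshift_ca role removed by this commit failed early with a clear message when its required variable was missing. I would add a guard at the top of the task list: `- fail:` / `msg: "master_hostnames and master_certs_missing must be defined for this role"` / `when: master_hostnames is not defined or master_certs_missing is not defined`. As a point of style, the package install at L456 passes module arguments as a `key=value` string under `action:`; block YAML arguments would be easier to read and lint.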
diff --git a/roles/openshift_master_ca/vars/main.yml b/roles/openshift_master_ca/vars/main.yml
new file mode 100644
index 000000000..b35339b18
--- /dev/null
+++ b/roles/openshift_master_ca/vars/main.yml
@@ -0,0 +1,6 @@
+---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
index a80d47040..ba3d5f28c 100644
--- a/roles/openshift_master_certificates/README.md
+++ b/roles/openshift_master_certificates/README.md
@@ -1,44 +1,27 @@
OpenShift Master Certificates
========================
-This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped.
+TODO
Requirements
------------
+TODO
+
Role Variables
--------------
-From `openshift_ca`:
-
-| Name | Default value | Description |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
-
-From this role:
-
-| Name | Default value | Description |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. |
-| openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
-| openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. |
-| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. |
+TODO
Dependencies
------------
-* openshift_ca
+TODO
Example Playbook
----------------
-```
-- name: Create OpenShift Master Certificates
- hosts: masters
- roles:
- - role: openshift_master_certificates
- openshift_ca_host: master1.example.com
-```
+TODO
License
-------
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
index 90fc0fb10..fd7b73b0f 100644
--- a/roles/openshift_master_certificates/meta/main.yml
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description: OpenShift Master Certificates
+ description:
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.9.4
+ min_ansible_version: 1.8
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_ca
+- { role: openshift_master_ca }
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index dd105652b..394f9d381 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -1,121 +1,38 @@
---
-- set_fact:
- openshift_master_certs_no_etcd:
- - admin.crt
- - master.kubelet-client.crt
- - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
- - master.server.crt
- - openshift-master.crt
- - openshift-registry.crt
- - openshift-router.crt
- - etcd.server.crt
- openshift_master_certs_etcd:
- - master.etcd-client.crt
-
-- set_fact:
- openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
-
-- name: Check status of master certificates
- stat:
- path: "{{ openshift_master_config_dir }}/{{ item }}"
- with_items:
- - "{{ openshift_master_certs }}"
- register: g_master_cert_stat_result
-
-- set_fact:
- master_certs_missing: "{{ False in (g_master_cert_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
-
- name: Ensure the generated_configs directory present
file:
- path: "{{ openshift_master_generated_config_dir }}"
+ path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"
state: directory
mode: 0700
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ with_items: "{{ masters_needing_certs | default([]) }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item }}"
- dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+ dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
state: hard
- with_items:
- - ca.crt
- - ca.key
- - ca.serial.txt
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ with_nested:
+ - "{{ masters_needing_certs | default([]) }}"
+ -
+ - ca.crt
+ - ca.key
+ - ca.serial.txt
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_generated_config_dir }}
+ --hostnames={{ item.openshift.common.all_hostnames | join(',') }}
+ --master={{ item.openshift.master.api_url }}
+ --public-master={{ item.openshift.master.public_api_url }}
+ --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
--overwrite=false
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ when: item.master_certs_missing | bool
+ with_items: "{{ masters_needing_certs | default([]) }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item }}"
- dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+ dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
state: hard
force: true
- with_items:
+ with_nested:
+ - "{{ masters_needing_certs | default([]) }}"
- "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Remove generated etcd client certs when using external etcd
- file:
- path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
- state: absent
- when: openshift_master_etcd_hosts | length > 0
- with_items:
- - master.etcd-client.crt
- - master.etcd-client.key
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- register: g_master_mktemp
- changed_when: False
- when: master_certs_missing | bool
- delegate_to: localhost
-
-- name: Create a tarball of the master certs
- command: >
- tar -czvf {{ openshift_master_generated_config_dir }}.tgz
- -C {{ openshift_master_generated_config_dir }} .
- args:
- creates: "{{ openshift_master_generated_config_dir }}.tgz"
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the master cert tarball from the master
- fetch:
- src: "{{ openshift_master_generated_config_dir }}.tgz"
- dest: "{{ g_master_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ openshift_master_config_dir }}"
- state: directory
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- name: Unarchive the tarball on the master
- unarchive:
- src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
- dest: "{{ openshift_master_config_dir }}"
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- file: name={{ g_master_mktemp.stdout }} state=absent
- changed_when: False
- when: master_certs_missing | bool
- delegate_to: localhost
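Review bot: The per-master generated directory gets `mode: 0700` (L595-597), but its parent `{{ openshift_generated_configs_dir }}` is created implicitly by that same file task with umask-default permissions on the first master; the node role in this commit creates the parent explicitly with mode 0700 only when nodes need certificates, so the permissions of the parent depend on which role runs first. Since every per-master directory receives a hard link to ca.key (L601-618) before being archived, I would create the parent explicitly here as well. The `when: item.master_certs_missing | bool` at L633 is also redundant, as `masters_needing_certs` is already filtered on that attribute in the playbook (L73-75 of playbooks/common/openshift-master/config.yml).
```yaml
- name: Ensure the generated_configs parent directory is present
  file:
    path: "{{ openshift_generated_configs_dir }}"
    state: directory
    mode: 0700

- name: Ensure the generated_configs directory present
  # … unchanged: per-master directory, CA hard links, create-master-certs, synchronized certs …
```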
diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml
index 66f2e5162..3f18ddc79 100644
--- a/roles/openshift_master_certificates/vars/main.yml
+++ b/roles/openshift_master_certificates/vars/main.yml
@@ -1,5 +1,3 @@
---
openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"
openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}"
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index ea52bbb99..31547b846 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -14,9 +14,9 @@ galaxy_info:
dependencies:
- role: openshift_clock
- role: openshift_docker
-- role: openshift_node_certificates
- role: openshift_cloud_provider
- role: openshift_common
- role: openshift_node_dnsmasq
when: openshift.common.use_dnsmasq
- role: os_firewall
+
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
index f56066b29..6264d253a 100644
--- a/roles/openshift_node_certificates/README.md
+++ b/roles/openshift_node_certificates/README.md
@@ -1,44 +1,27 @@
-OpenShift Node Certificates
-===========================
+OpenShift/Atomic Enterprise Node Certificates
+=============================================
-This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
+TODO
Requirements
------------
+TODO
+
Role Variables
--------------
-From `openshift_ca`:
-
-| Name | Default value | Description |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
-
-From this role:
-
-| Name | Default value | Description |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. |
-| openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
-| openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. |
-| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. |
+TODO
Dependencies
------------
-* openshift_ca
+TODO
Example Playbook
----------------
-```
-- name: Create OpenShift Node Certificates
- hosts: nodes
- roles:
- - role: openshift_node_certificates
- openshift_ca_host: master1.example.com
-```
+TODO
License
-------
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
index 3caa1cdf1..f3236e850 100644
--- a/roles/openshift_node_certificates/meta/main.yml
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description: OpenShift Node Certificates
+ description:
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.9.4
+ min_ansible_version: 1.8
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_ca
+- { role: openshift_facts }
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 147a432a4..216c11093 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -1,95 +1,36 @@
---
-- name: Check status of node certificates
- stat:
- path: "{{ openshift.common.config_base }}/node/{{ item }}"
- with_items:
- - "system:node:{{ openshift.common.hostname }}.crt"
- - "system:node:{{ openshift.common.hostname }}.key"
- - "system:node:{{ openshift.common.hostname }}.kubeconfig"
- - ca.crt
- - server.key
- - server.crt
- register: g_node_cert_stat_result
-
-- set_fact:
- node_certs_missing: "{{ False in (g_node_cert_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
-
-- name: Create openshift_generated_configs_dir if it does not exist
+- name: Create openshift_generated_configs_dir if it doesn\'t exist
file:
path: "{{ openshift_generated_configs_dir }}"
state: directory
mode: 0700
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ when: nodes_needing_certs | length > 0
- name: Generate the node client config
command: >
{{ openshift.common.admin_binary }} create-api-client-config
- --certificate-authority={{ openshift_ca_cert }}
- --client-dir={{ openshift_node_generated_config_dir }}
+ --certificate-authority={{ openshift_master_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
--groups=system:nodes
- --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
- --signer-cert={{ openshift_ca_cert }}
- --signer-key={{ openshift_ca_key }}
- --signer-serial={{ openshift_ca_serial }}
- --user=system:node:{{ openshift.common.hostname }}
+ --master={{ openshift.master.api_url }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
+ --user=system:node:{{ item.openshift.common.hostname }}
args:
- creates: "{{ openshift_node_generated_config_dir }}"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+ with_items: "{{ nodes_needing_certs | default([]) }}"
- name: Generate the node server certificate
command: >
{{ openshift.common.admin_binary }} ca create-server-cert
- --cert={{ openshift_node_generated_config_dir }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+ --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key
--overwrite=true
- --hostnames={{ openshift.common.all_hostnames |join(",") }}
- --signer-cert={{ openshift_ca_cert }}
- --signer-key={{ openshift_ca_key }}
- --signer-serial={{ openshift_ca_serial }}
- args:
- creates: "{{ openshift_node_generated_config_dir }}/server.crt"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host}}"
-
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- register: node_cert_mktemp
- changed_when: False
- when: node_certs_missing | bool
- delegate_to: localhost
-
-- name: Create a tarball of the node config directories
- command: >
- tar -czvf {{ openshift_node_generated_config_dir }}.tgz
- --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
- -C {{ openshift_node_generated_config_dir }} .
+ --hostnames={{ item.openshift.common.all_hostnames |join(",") }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
args:
- creates: "{{ openshift_node_generated_config_dir }}.tgz"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the node config tarballs from the master
- fetch:
- src: "{{ openshift_node_generated_config_dir }}.tgz"
- dest: "{{ node_cert_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ openshift_node_cert_dir }}"
- state: directory
- when: node_certs_missing | bool
-
-- name: Unarchive the tarball on the node
- unarchive:
- src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
- dest: "{{ openshift_node_cert_dir }}"
- when: node_certs_missing | bool
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
+ with_items: "{{ nodes_needing_certs | default([]) }}"
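Review bot: The task name at L821 contains `doesn\'t`; in a plain YAML scalar the backslash is literal, so the task is displayed as `doesn\'t exist`, and `- name: Create openshift_generated_configs_dir if it does not exist` is what was presumably meant. The `when: nodes_needing_certs | length > 0` at L828 also fails if the variable is undefined, while the loops at L852 and L913 default it with `| default([])`; `when: nodes_needing_certs | default([]) | length > 0` keeps the three consistent. The `creates:` guards at L851 and L912 mean a partially written client directory from an interrupted run is never regenerated, which is pre-existing behaviour but worth a comment on those lines.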
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
index 2fafc7387..61fbb1e51 100644
--- a/roles/openshift_node_certificates/vars/main.yml
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -1,6 +1,7 @@
---
-openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}"
openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"