summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xgit/pylint.sh1
-rw-r--r--playbooks/adhoc/uninstall.yml13
-rw-r--r--playbooks/aws/openshift-cluster/config.yml20
-rw-r--r--playbooks/aws/openshift-cluster/tasks/launch_instances.yml1
-rw-r--r--playbooks/aws/openshift-cluster/templates/user_data.j25
-rw-r--r--playbooks/aws/openshift-cluster/update.yml21
-rw-r--r--playbooks/aws/openshift-cluster/vars.yml2
-rw-r--r--playbooks/common/openshift-cluster/update_repos_and_packages.yml2
-rw-r--r--playbooks/common/openshift-master/config.yml101
-rw-r--r--playbooks/common/openshift-node/config.yml70
-rw-r--r--playbooks/gce/openshift-cluster/config.yml21
-rw-r--r--playbooks/gce/openshift-cluster/library/gce.py543
-rw-r--r--playbooks/gce/openshift-cluster/tasks/launch_instances.yml5
-rw-r--r--playbooks/gce/openshift-cluster/update.yml21
-rw-r--r--playbooks/libvirt/openshift-cluster/config.yml20
-rw-r--r--playbooks/libvirt/openshift-cluster/update.yml18
-rw-r--r--playbooks/openstack/openshift-cluster/config.yml19
-rw-r--r--playbooks/openstack/openshift-cluster/files/heat_stack.yaml8
-rw-r--r--playbooks/openstack/openshift-cluster/launch.yml2
-rw-r--r--playbooks/openstack/openshift-cluster/update.yml21
-rw-r--r--playbooks/openstack/openshift-cluster/vars.yml1
-rw-r--r--roles/openshift_ca/README.md48
-rw-r--r--roles/openshift_ca/meta/main.yml (renamed from roles/openshift_master_ca/meta/main.yml)8
-rw-r--r--roles/openshift_ca/tasks/main.yml56
-rw-r--r--roles/openshift_ca/vars/main.yml6
-rw-r--r--roles/openshift_master/meta/main.yml1
-rw-r--r--roles/openshift_master_ca/README.md34
-rw-r--r--roles/openshift_master_ca/tasks/main.yml23
-rw-r--r--roles/openshift_master_ca/vars/main.yml6
-rw-r--r--roles/openshift_master_certificates/README.md29
-rw-r--r--roles/openshift_master_certificates/meta/main.yml6
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml123
-rw-r--r--roles/openshift_master_certificates/vars/main.yml2
-rw-r--r--roles/openshift_node/meta/main.yml2
-rw-r--r--roles/openshift_node_certificates/README.md33
-rw-r--r--roles/openshift_node_certificates/meta/main.yml6
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml97
-rw-r--r--roles/openshift_node_certificates/vars/main.yml9
38 files changed, 1084 insertions, 320 deletions
diff --git a/git/pylint.sh b/git/pylint.sh
index f29c055dc..3acf9cc8c 100755
--- a/git/pylint.sh
+++ b/git/pylint.sh
@@ -7,6 +7,7 @@ ANSIBLE_UPSTREAM_FILES=(
'inventory/libvirt/hosts/libvirt_generic.py'
'inventory/openstack/hosts/nova.py'
'lookup_plugins/sequence.py'
+ 'playbooks/gce/openshift-cluster/library/gce.py'
)
OLDREV=$1
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index 6b1f2f6dd..e42fa214a 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -200,6 +200,11 @@
- /etc/systemd/system/atomic-openshift-master-controllers.service
- /etc/systemd/system/atomic-openshift-node.service
- /etc/systemd/system/atomic-openshift-node-dep.service
+ - /etc/systemd/system/origin-master.service
+ - /etc/systemd/system/origin-master-api.service
+ - /etc/systemd/system/origin-master-controllers.service
+ - /etc/systemd/system/origin-node.service
+ - /etc/systemd/system/origin-node-dep.service
- /etc/systemd/system/etcd_container.service
- /etc/systemd/system/openvswitch.service
- /etc/sysconfig/atomic-enterprise-master
@@ -210,9 +215,15 @@
- /etc/sysconfig/atomic-openshift-master-api
- /etc/sysconfig/atomic-openshift-master-controllers
- /etc/sysconfig/atomic-openshift-node
+ - /etc/sysconfig/atomic-openshift-node-dep
+ - /etc/sysconfig/origin-master
+ - /etc/sysconfig/origin-master-api
+ - /etc/sysconfig/origin-master-controllers
+ - /etc/sysconfig/origin-node
+ - /etc/sysconfig/origin-node-dep
- /etc/sysconfig/openshift-master
- /etc/sysconfig/openshift-node
- - /etc/sysconfig/openshift-node
+ - /etc/sysconfig/openshift-node-dep
- /etc/sysconfig/openvswitch
- /etc/sysconfig/origin-master
- /etc/sysconfig/origin-master-api
diff --git a/playbooks/aws/openshift-cluster/config.yml b/playbooks/aws/openshift-cluster/config.yml
index 8402b3579..4839c100b 100644
--- a/playbooks/aws/openshift-cluster/config.yml
+++ b/playbooks/aws/openshift-cluster/config.yml
@@ -1,7 +1,20 @@
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- include: ../../common/openshift-cluster/config.yml
- vars_files:
- - ../../aws/openshift-cluster/vars.yml
- - ../../aws/openshift-cluster/cluster_hosts.yml
vars:
g_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
g_sudo: "{{ deployment_vars[deployment_type].become }}"
@@ -21,3 +34,4 @@
os_sdn_network_plugin_name: "{{ lookup('oo_option', 'sdn_network_plugin_name') }}"
openshift_use_flannel: "{{ lookup('oo_option', 'use_flannel') }}"
openshift_use_fluentd: "{{ lookup('oo_option', 'use_fluentd') }}"
+ openshift_use_dnsmasq: false
diff --git a/playbooks/aws/openshift-cluster/tasks/launch_instances.yml b/playbooks/aws/openshift-cluster/tasks/launch_instances.yml
index 7d5776ae6..d22c86cda 100644
--- a/playbooks/aws/openshift-cluster/tasks/launch_instances.yml
+++ b/playbooks/aws/openshift-cluster/tasks/launch_instances.yml
@@ -150,6 +150,7 @@
groups: "{{ instance_groups }}"
ec2_private_ip_address: "{{ item.1.private_ip }}"
ec2_ip_address: "{{ item.1.public_ip }}"
+ ec2_tag_sub-host-type: "{{ sub_host_type }}"
openshift_node_labels: "{{ node_label }}"
logrotate_scripts: "{{ logrotate }}"
with_together:
diff --git a/playbooks/aws/openshift-cluster/templates/user_data.j2 b/playbooks/aws/openshift-cluster/templates/user_data.j2
index 2a3974a8c..b1087f9c4 100644
--- a/playbooks/aws/openshift-cluster/templates/user_data.j2
+++ b/playbooks/aws/openshift-cluster/templates/user_data.j2
@@ -3,8 +3,10 @@
mounts:
- [ xvdb ]
- [ ephemeral0 ]
+{% endif %}
write_files:
+{% if type in ['node', 'master'] and 'docker' in volume_defs[type] %}
- content: |
DEVS=/dev/xvdb
VG=docker_vg
@@ -12,8 +14,7 @@ write_files:
owner: root:root
permissions: '0644'
{% endif %}
-
-{% if deployment_vars[deployment_type].become %}
+{% if deployment_vars[deployment_type].become | bool %}
- path: /etc/sudoers.d/99-{{ deployment_vars[deployment_type].ssh_user }}-cloud-init-requiretty
permissions: 440
content: |
diff --git a/playbooks/aws/openshift-cluster/update.yml b/playbooks/aws/openshift-cluster/update.yml
index bd31c42dd..d762203b2 100644
--- a/playbooks/aws/openshift-cluster/update.yml
+++ b/playbooks/aws/openshift-cluster/update.yml
@@ -1,12 +1,25 @@
---
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- name: Update - Populate oo_hosts_to_update group
hosts: localhost
connection: local
become: no
gather_facts: no
- vars_files:
- - vars.yml
- - cluster_hosts.yml
tasks:
- name: Update - Evaluate oo_hosts_to_update
add_host:
@@ -14,7 +27,7 @@
groups: oo_hosts_to_update
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- with_items: "{{ g_all_hosts | default([]) }}"
+ with_items: g_all_hosts | default([])
- include: ../../common/openshift-cluster/update_repos_and_packages.yml
diff --git a/playbooks/aws/openshift-cluster/vars.yml b/playbooks/aws/openshift-cluster/vars.yml
index 8bda72ac2..d774187f0 100644
--- a/playbooks/aws/openshift-cluster/vars.yml
+++ b/playbooks/aws/openshift-cluster/vars.yml
@@ -17,7 +17,7 @@ deployment_rhel7_ent_base:
deployment_vars:
origin:
# centos-7, requires marketplace
- image: "{{ lookup('oo_option', 'ec2_image') | default('ami-61bbf104', True) }}"
+ image: "{{ lookup('oo_option', 'ec2_image') | default('ami-6d1c2007', True) }}"
image_name: "{{ lookup('oo_option', 'ec2_image_name') | default(None, True) }}"
region: "{{ lookup('oo_option', 'ec2_region') | default('us-east-1', True) }}"
ssh_user: centos
diff --git a/playbooks/common/openshift-cluster/update_repos_and_packages.yml b/playbooks/common/openshift-cluster/update_repos_and_packages.yml
index 1474bb3ca..0a37d4597 100644
--- a/playbooks/common/openshift-cluster/update_repos_and_packages.yml
+++ b/playbooks/common/openshift-cluster/update_repos_and_packages.yml
@@ -1,4 +1,6 @@
---
+- include: evaluate_groups.yml
+
- hosts: oo_hosts_to_update
vars:
openshift_deployment_type: "{{ deployment_type }}"
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 125aab0ae..fe0e2e666 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -156,85 +156,6 @@
- master.etcd-ca.crt
when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-- name: Determine if master certificates need to be generated
- hosts: oo_first_master:oo_masters_to_config
- tasks:
- - set_fact:
- openshift_master_certs_no_etcd:
- - admin.crt
- - master.kubelet-client.crt
- - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
- - master.server.crt
- - openshift-master.crt
- - openshift-registry.crt
- - openshift-router.crt
- - etcd.server.crt
- openshift_master_certs_etcd:
- - master.etcd-client.crt
-
- - set_fact:
- openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}"
-
- - name: Check status of master certificates
- stat:
- path: "{{ openshift.common.config_base }}/master/{{ item }}"
- with_items: "{{ openshift_master_certs }}"
- register: g_master_cert_stat_result
- - set_fact:
- master_certs_missing: "{{ False in (g_master_cert_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list ) }}"
- master_cert_subdir: master-{{ openshift.common.hostname }}
- master_cert_config_dir: "{{ openshift.common.config_base }}/master"
- - set_fact:
- openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'])
- | oo_nodes_with_label('region', 'infra')
- | oo_collect('inventory_hostname') }}"
- when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0
-
-- name: Configure master certificates
- hosts: oo_first_master
- vars:
- master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs"
- masters_needing_certs: "{{ hostvars
- | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
- | oo_filter_list(filter_attr='master_certs_missing') }}"
- master_hostnames: "{{ hostvars
- | oo_select_keys(groups['oo_masters_to_config'])
- | oo_collect('openshift.common.all_hostnames')
- | oo_flatten | unique }}"
- sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
- openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
- roles:
- - openshift_master_certificates
- post_tasks:
- - name: Remove generated etcd client certs when using external etcd
- file:
- path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
- state: absent
- when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
- with_nested:
- - "{{ masters_needing_certs | default([]) }}"
- - - master.etcd-client.crt
- - master.etcd-client.key
-
- - name: Create a tarball of the master certs
- command: >
- tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz
- -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} .
- args:
- creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
- with_items: "{{ masters_needing_certs | default([]) }}"
-
- - name: Retrieve the master cert tarball from the master
- fetch:
- src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
- dest: "{{ sync_tmpdir }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- with_items: "{{ masters_needing_certs | default([]) }}"
-
- name: Configure load balancers
hosts: oo_lb_to_config
vars:
@@ -355,19 +276,17 @@
}}"
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
- pre_tasks:
- - name: Ensure certificate directory exists
- file:
- path: "{{ openshift.common.config_base }}/master"
- state: directory
- when: master_certs_missing | bool and 'oo_first_master' not in group_names
- - name: Unarchive the tarball on the master
- unarchive:
- src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"
- dest: "{{ master_cert_config_dir }}"
- when: master_certs_missing | bool and 'oo_first_master' not in group_names
roles:
- - openshift_master
+ - role: openshift_master
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ openshift_master_etcd_hosts: "{{ hostvars
+ | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
+ | oo_collect('openshift.common.hostname')
+ | default(none, true) }}"
+ openshift_master_hostnames: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'] | default([]))
+ | oo_collect('openshift.common.all_hostnames')
+ | oo_flatten | unique }}"
- role: nickhammond.logrotate
- role: nuage_master
when: openshift.common.use_nuage | bool
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index b3491ef8d..6fbf7d44a 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -19,23 +19,6 @@
labels: "{{ openshift_node_labels | default(None) }}"
annotations: "{{ openshift_node_annotations | default(None) }}"
schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
- - name: Check status of node certificates
- stat:
- path: "{{ openshift.common.config_base }}/node/{{ item }}"
- with_items:
- - "system:node:{{ openshift.common.hostname }}.crt"
- - "system:node:{{ openshift.common.hostname }}.key"
- - "system:node:{{ openshift.common.hostname }}.kubeconfig"
- - ca.crt
- - server.key
- - server.crt
- register: stat_result
- - set_fact:
- certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists')
- | list | intersect([false])}}"
- node_subdir: node-{{ openshift.common.hostname }}
- config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}"
- node_cert_dir: "{{ openshift.common.config_base }}/node"
- name: Create temp directory for syncing certs
hosts: localhost
@@ -48,53 +31,6 @@
register: mktemp
changed_when: False
-- name: Create node certificates
- hosts: oo_first_master
- vars:
- nodes_needing_certs: "{{ hostvars
- | oo_select_keys(groups['oo_nodes_to_config']
- | default([]))
- | oo_filter_list(filter_attr='certs_missing') }}"
- sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
- roles:
- - openshift_node_certificates
- post_tasks:
- - name: Create a tarball of the node config directories
- command: >
- tar -czvf {{ item.config_dir }}.tgz
- --transform 's|system:{{ item.node_subdir }}|node|'
- -C {{ item.config_dir }} .
- args:
- creates: "{{ item.config_dir }}.tgz"
- with_items: "{{ nodes_needing_certs | default([]) }}"
-
- - name: Retrieve the node config tarballs from the master
- fetch:
- src: "{{ item.config_dir }}.tgz"
- dest: "{{ sync_tmpdir }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- with_items: "{{ nodes_needing_certs | default([]) }}"
-
-- name: Deploy node certificates
- hosts: oo_nodes_to_config
- vars:
- sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
- tasks:
- - name: Ensure certificate directory exists
- file:
- path: "{{ node_cert_dir }}"
- state: directory
- # TODO: notify restart node
- # possibly test service started time against certificate/config file
- # timestamps in node to trigger notify
- - name: Unarchive the tarball on the node
- unarchive:
- src: "{{ sync_tmpdir }}/{{ node_subdir }}.tgz"
- dest: "{{ node_cert_dir }}"
- when: certs_missing
-
- name: Evaluate node groups
hosts: localhost
become: no
@@ -124,7 +60,8 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
- - openshift_node
+ - role: openshift_node
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- name: Configure node instances
hosts: oo_nodes_to_config:!oo_containerized_master_nodes
@@ -140,7 +77,8 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
- - openshift_node
+ - role: openshift_node
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- name: Gather and set facts for flannel certificatess
hosts: oo_nodes_to_config
diff --git a/playbooks/gce/openshift-cluster/config.yml b/playbooks/gce/openshift-cluster/config.yml
index 475d29293..b973c513f 100644
--- a/playbooks/gce/openshift-cluster/config.yml
+++ b/playbooks/gce/openshift-cluster/config.yml
@@ -1,8 +1,23 @@
---
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
+ ansible_become: "{{ deployment_vars[deployment_type].become }}"
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- include: ../../common/openshift-cluster/config.yml
- vars_files:
- - ../../gce/openshift-cluster/vars.yml
- - ../../gce/openshift-cluster/cluster_hosts.yml
vars:
g_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
g_sudo: "{{ deployment_vars[deployment_type].become }}"
diff --git a/playbooks/gce/openshift-cluster/library/gce.py b/playbooks/gce/openshift-cluster/library/gce.py
new file mode 100644
index 000000000..fcaa3b850
--- /dev/null
+++ b/playbooks/gce/openshift-cluster/library/gce.py
@@ -0,0 +1,543 @@
+#!/usr/bin/python
+# Copyright 2013 Google Inc.
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
+
+DOCUMENTATION = '''
+---
+module: gce
+version_added: "1.4"
+short_description: create or terminate GCE instances
+description:
+ - Creates or terminates Google Compute Engine (GCE) instances. See
+ U(https://cloud.google.com/products/compute-engine) for an overview.
+ Full install/configuration instructions for the gce* modules can
+ be found in the comments of ansible/test/gce_tests.py.
+options:
+ image:
+ description:
+ - image string to use for the instance
+ required: false
+ default: "debian-7"
+ instance_names:
+ description:
+ - a comma-separated list of instance names to create or destroy
+ required: false
+ default: null
+ machine_type:
+ description:
+ - machine type to use for the instance, use 'n1-standard-1' by default
+ required: false
+ default: "n1-standard-1"
+ metadata:
+ description:
+ - a hash/dictionary of custom data for the instance;
+ '{"key":"value", ...}'
+ required: false
+ default: null
+ service_account_email:
+ version_added: "1.5.1"
+ description:
+ - service account email
+ required: false
+ default: null
+ service_account_permissions:
+ version_added: "2.0"
+ description:
+ - service account permissions (see
+ U(https://cloud.google.com/sdk/gcloud/reference/compute/instances/create),
+ --scopes section for detailed information)
+ required: false
+ default: null
+ choices: [
+ "bigquery", "cloud-platform", "compute-ro", "compute-rw",
+ "computeaccounts-ro", "computeaccounts-rw", "datastore", "logging-write",
+ "monitoring", "sql", "sql-admin", "storage-full", "storage-ro",
+ "storage-rw", "taskqueue", "userinfo-email"
+ ]
+ pem_file:
+ version_added: "1.5.1"
+ description:
+ - path to the pem file associated with the service account email
+ required: false
+ default: null
+ project_id:
+ version_added: "1.5.1"
+ description:
+ - your GCE project ID
+ required: false
+ default: null
+ name:
+ description:
+ - identifier when working with a single instance
+ required: false
+ network:
+ description:
+ - name of the network, 'default' will be used if not specified
+ required: false
+ default: "default"
+ persistent_boot_disk:
+ description:
+ - if set, create the instance with a persistent boot disk
+ required: false
+ default: "false"
+ disks:
+ description:
+ - a list of persistent disks to attach to the instance; a string value
+ gives the name of the disk; alternatively, a dictionary value can
+ define 'name' and 'mode' ('READ_ONLY' or 'READ_WRITE'). The first entry
+ will be the boot disk (which must be READ_WRITE).
+ required: false
+ default: null
+ version_added: "1.7"
+ state:
+ description:
+ - desired state of the resource
+ required: false
+ default: "present"
+ choices: ["active", "present", "absent", "deleted"]
+ tags:
+ description:
+ - a comma-separated list of tags to associate with the instance
+ required: false
+ default: null
+ zone:
+ description:
+ - the GCE zone to use
+ required: true
+ default: "us-central1-a"
+ ip_forward:
+ version_added: "1.9"
+ description:
+ - set to true if the instance can forward ip packets (useful for
+ gateways)
+ required: false
+ default: "false"
+ external_ip:
+ version_added: "1.9"
+ description:
+ - type of external ip, ephemeral by default
+ required: false
+ default: "ephemeral"
+ disk_auto_delete:
+ version_added: "1.9"
+ description:
+ - if set boot disk will be removed after instance destruction
+ required: false
+ default: "true"
+
+requirements:
+ - "python >= 2.6"
+ - "apache-libcloud >= 0.13.3"
+notes:
+ - Either I(name) or I(instance_names) is required.
+author: "Eric Johnson (@erjohnso) <erjohnso@google.com>"
+'''
+
+EXAMPLES = '''
+# Basic provisioning example. Create a single Debian 7 instance in the
+# us-central1-a Zone of n1-standard-1 machine type.
+- local_action:
+ module: gce
+ name: test-instance
+ zone: us-central1-a
+ machine_type: n1-standard-1
+ image: debian-7
+
+# Example using defaults and with metadata to create a single 'foo' instance
+- local_action:
+ module: gce
+ name: foo
+ metadata: '{"db":"postgres", "group":"qa", "id":500}'
+
+
+# Launch instances from a control node, runs some tasks on the new instances,
+# and then terminate them
+- name: Create a sandbox instance
+ hosts: localhost
+ vars:
+ names: foo,bar
+ machine_type: n1-standard-1
+ image: debian-6
+ zone: us-central1-a
+ service_account_email: unique-email@developer.gserviceaccount.com
+ pem_file: /path/to/pem_file
+ project_id: project-id
+ tasks:
+ - name: Launch instances
+ local_action: gce instance_names={{names}} machine_type={{machine_type}}
+ image={{image}} zone={{zone}}
+ service_account_email={{ service_account_email }}
+ pem_file={{ pem_file }} project_id={{ project_id }}
+ register: gce
+ - name: Wait for SSH to come up
+ local_action: wait_for host={{item.public_ip}} port=22 delay=10
+ timeout=60 state=started
+ with_items: {{gce.instance_data}}
+
+- name: Configure instance(s)
+ hosts: launched
+ sudo: True
+ roles:
+ - my_awesome_role
+ - my_awesome_tasks
+
+- name: Terminate instances
+ hosts: localhost
+ connection: local
+ tasks:
+ - name: Terminate instances that were previously launched
+ local_action:
+ module: gce
+ state: 'absent'
+ instance_names: {{gce.instance_names}}
+
+'''
+
+try:
+ import libcloud
+ from libcloud.compute.types import Provider
+ from libcloud.compute.providers import get_driver
+ from libcloud.common.google import GoogleBaseError, QuotaExceededError, \
+ ResourceExistsError, ResourceInUseError, ResourceNotFoundError
+ _ = Provider.GCE
+ HAS_LIBCLOUD = True
+except ImportError:
+ HAS_LIBCLOUD = False
+
+try:
+ from ast import literal_eval
+ HAS_PYTHON26 = True
+except ImportError:
+ HAS_PYTHON26 = False
+
+
+def get_instance_info(inst):
+ """Retrieves instance information from an instance object and returns it
+ as a dictionary.
+
+ """
+ metadata = {}
+ if 'metadata' in inst.extra and 'items' in inst.extra['metadata']:
+ for md in inst.extra['metadata']['items']:
+ metadata[md['key']] = md['value']
+
+ try:
+ netname = inst.extra['networkInterfaces'][0]['network'].split('/')[-1]
+ except:
+ netname = None
+ if 'disks' in inst.extra:
+ disk_names = [disk_info['source'].split('/')[-1]
+ for disk_info
+ in sorted(inst.extra['disks'],
+ key=lambda disk_info: disk_info['index'])]
+ else:
+ disk_names = []
+
+ if len(inst.public_ips) == 0:
+ public_ip = None
+ else:
+ public_ip = inst.public_ips[0]
+
+ return({
+ 'image': inst.image is not None and inst.image.split('/')[-1] or None,
+ 'disks': disk_names,
+ 'machine_type': inst.size,
+ 'metadata': metadata,
+ 'name': inst.name,
+ 'network': netname,
+ 'private_ip': inst.private_ips[0],
+ 'public_ip': public_ip,
+ 'status': ('status' in inst.extra) and inst.extra['status'] or None,
+ 'tags': ('tags' in inst.extra) and inst.extra['tags'] or [],
+ 'zone': ('zone' in inst.extra) and inst.extra['zone'].name or None,
+ })
+
+
+def create_instances(module, gce, instance_names):
+ """Creates new instances. Attributes other than instance_names are picked
+ up from 'module'
+
+ module : AnsibleModule object
+ gce: authenticated GCE libcloud driver
+ instance_names: python list of instance names to create
+
+ Returns:
+ A list of dictionaries with instance information
+ about the instances that were launched.
+
+ """
+ image = module.params.get('image')
+ machine_type = module.params.get('machine_type')
+ metadata = module.params.get('metadata')
+ network = module.params.get('network')
+ persistent_boot_disk = module.params.get('persistent_boot_disk')
+ disks = module.params.get('disks')
+ state = module.params.get('state')
+ tags = module.params.get('tags')
+ zone = module.params.get('zone')
+ ip_forward = module.params.get('ip_forward')
+ external_ip = module.params.get('external_ip')
+ disk_auto_delete = module.params.get('disk_auto_delete')
+ service_account_permissions = module.params.get('service_account_permissions')
+ service_account_email = module.params.get('service_account_email')
+
+ if external_ip == "none":
+ external_ip = None
+
+ new_instances = []
+ changed = False
+
+ lc_image = gce.ex_get_image(image)
+ lc_disks = []
+ disk_modes = []
+ for i, disk in enumerate(disks or []):
+ if isinstance(disk, dict):
+ lc_disks.append(gce.ex_get_volume(disk['name']))
+ disk_modes.append(disk['mode'])
+ else:
+ lc_disks.append(gce.ex_get_volume(disk))
+ # boot disk is implicitly READ_WRITE
+ disk_modes.append('READ_ONLY' if i > 0 else 'READ_WRITE')
+ lc_network = gce.ex_get_network(network)
+ lc_machine_type = gce.ex_get_size(machine_type)
+ lc_zone = gce.ex_get_zone(zone)
+
+ # Try to convert the user's metadata value into the format expected
+ # by GCE. First try to ensure user has proper quoting of a
+ # dictionary-like syntax using 'literal_eval', then convert the python
+ # dict into a python list of 'key' / 'value' dicts. Should end up
+ # with:
+ # [ {'key': key1, 'value': value1}, {'key': key2, 'value': value2}, ...]
+ if metadata:
+ if isinstance(metadata, dict):
+ md = metadata
+ else:
+ try:
+ md = literal_eval(str(metadata))
+ if not isinstance(md, dict):
+ raise ValueError('metadata must be a dict')
+ except ValueError as e:
+ module.fail_json(msg='bad metadata: %s' % str(e))
+ except SyntaxError as e:
+ module.fail_json(msg='bad metadata syntax')
+
+ if hasattr(libcloud, '__version__') and libcloud.__version__ < '0.15':
+ items = []
+ for k, v in md.items():
+ items.append({"key": k, "value": v})
+ metadata = {'items': items}
+ else:
+ metadata = md
+
+ ex_sa_perms = []
+ bad_perms = []
+ if service_account_permissions:
+ for perm in service_account_permissions:
+ if perm not in gce.SA_SCOPES_MAP.keys():
+ bad_perms.append(perm)
+ if len(bad_perms) > 0:
+ module.fail_json(msg='bad permissions: %s' % str(bad_perms))
+ if service_account_email:
+ ex_sa_perms.append({'email': service_account_email})
+ else:
+ ex_sa_perms.append({'email': "default"})
+ ex_sa_perms[0]['scopes'] = service_account_permissions
+
+ # These variables all have default values but check just in case
+ if not lc_image or not lc_network or not lc_machine_type or not lc_zone:
+ module.fail_json(msg='Missing required create instance variable',
+ changed=False)
+
+ for name in instance_names:
+ pd = None
+ if lc_disks:
+ pd = lc_disks[0]
+ elif persistent_boot_disk:
+ try:
+ pd = gce.create_volume(None, "%s" % name, image=lc_image)
+ except ResourceExistsError:
+ pd = gce.ex_get_volume("%s" % name, lc_zone)
+ inst = None
+ try:
+ inst = gce.create_node(
+ name, lc_machine_type, lc_image, location=lc_zone,
+ ex_network=network, ex_tags=tags, ex_metadata=metadata,
+ ex_boot_disk=pd, ex_can_ip_forward=ip_forward,
+ external_ip=external_ip, ex_disk_auto_delete=disk_auto_delete,
+ ex_service_accounts=ex_sa_perms
+ )
+ changed = True
+ except ResourceExistsError:
+ inst = gce.ex_get_node(name, lc_zone)
+ except GoogleBaseError as e:
+ module.fail_json(msg='Unexpected error attempting to create ' +
+ 'instance %s, error: %s' % (name, e.value))
+
+ for i, lc_disk in enumerate(lc_disks):
+ # Check whether the disk is already attached
+ if (len(inst.extra['disks']) > i):
+ attached_disk = inst.extra['disks'][i]
+ if attached_disk['source'] != lc_disk.extra['selfLink']:
+ module.fail_json(
+ msg=("Disk at index %d does not match: requested=%s found=%s" % (
+ i, lc_disk.extra['selfLink'], attached_disk['source'])))
+ elif attached_disk['mode'] != disk_modes[i]:
+ module.fail_json(
+ msg=("Disk at index %d is in the wrong mode: requested=%s found=%s" % (
+ i, disk_modes[i], attached_disk['mode'])))
+ else:
+ continue
+ gce.attach_volume(inst, lc_disk, ex_mode=disk_modes[i])
+ # Work around libcloud bug: attached volumes don't get added
+ # to the instance metadata. get_instance_info() only cares about
+ # source and index.
+ if len(inst.extra['disks']) != i+1:
+ inst.extra['disks'].append(
+ {'source': lc_disk.extra['selfLink'], 'index': i})
+
+ if inst:
+ new_instances.append(inst)
+
+ instance_names = []
+ instance_json_data = []
+ for inst in new_instances:
+ d = get_instance_info(inst)
+ instance_names.append(d['name'])
+ instance_json_data.append(d)
+
+ return (changed, instance_json_data, instance_names)
+
+
+def terminate_instances(module, gce, instance_names, zone_name):
+ """Terminates a list of instances.
+
+ module: Ansible module object
+ gce: authenticated GCE connection object
+ instance_names: a list of instance names to terminate
+ zone_name: the zone where the instances reside prior to termination
+
+ Returns a dictionary of instance names that were terminated.
+
+ """
+ changed = False
+ terminated_instance_names = []
+ for name in instance_names:
+ inst = None
+ try:
+ inst = gce.ex_get_node(name, zone_name)
+ except ResourceNotFoundError:
+ pass
+ except Exception as e:
+ module.fail_json(msg=unexpected_error_msg(e), changed=False)
+ if inst:
+ gce.destroy_node(inst)
+ terminated_instance_names.append(inst.name)
+ changed = True
+
+ return (changed, terminated_instance_names)
+
+
+def main():
+ module = AnsibleModule(
+ argument_spec=dict(
+ image=dict(default='debian-7'),
+ instance_names=dict(),
+ machine_type=dict(default='n1-standard-1'),
+ metadata=dict(),
+ name=dict(),
+ network=dict(default='default'),
+ persistent_boot_disk=dict(type='bool', default=False),
+ disks=dict(type='list'),
+ state=dict(choices=['active', 'present', 'absent', 'deleted'],
+ default='present'),
+ tags=dict(type='list'),
+ zone=dict(default='us-central1-a'),
+ service_account_email=dict(),
+ service_account_permissions=dict(type='list'),
+ pem_file=dict(),
+ project_id=dict(),
+ ip_forward=dict(type='bool', default=False),
+ external_ip=dict(choices=['ephemeral', 'none'],
+ default='ephemeral'),
+ disk_auto_delete=dict(type='bool', default=True),
+ )
+ )
+
+ if not HAS_PYTHON26:
+ module.fail_json(msg="GCE module requires python's 'ast' module, python v2.6+")
+ if not HAS_LIBCLOUD:
+ module.fail_json(msg='libcloud with GCE support (0.13.3+) required for this module')
+
+ gce = gce_connect(module)
+
+ image = module.params.get('image')
+ instance_names = module.params.get('instance_names')
+ machine_type = module.params.get('machine_type')
+ metadata = module.params.get('metadata')
+ name = module.params.get('name')
+ network = module.params.get('network')
+ persistent_boot_disk = module.params.get('persistent_boot_disk')
+ state = module.params.get('state')
+ tags = module.params.get('tags')
+ zone = module.params.get('zone')
+ ip_forward = module.params.get('ip_forward')
+ changed = False
+
+ inames = []
+ if isinstance(instance_names, list):
+ inames = instance_names
+ elif isinstance(instance_names, str):
+ inames = instance_names.split(',')
+ if name:
+ inames.append(name)
+ if not inames:
+ module.fail_json(msg='Must specify a "name" or "instance_names"',
+ changed=False)
+ if not zone:
+ module.fail_json(msg='Must specify a "zone"', changed=False)
+
+ json_output = {'zone': zone}
+ if state in ['absent', 'deleted']:
+ json_output['state'] = 'absent'
+ (changed, terminated_instance_names) = terminate_instances(
+ module, gce, inames, zone)
+
+ # based on what user specified, return the same variable, although
+ # value could be different if an instance could not be destroyed
+ if instance_names:
+ json_output['instance_names'] = terminated_instance_names
+ elif name:
+ json_output['name'] = name
+
+ elif state in ['active', 'present']:
+ json_output['state'] = 'present'
+ (changed, instance_data, instance_name_list) = create_instances(
+ module, gce, inames)
+ json_output['instance_data'] = instance_data
+ if instance_names:
+ json_output['instance_names'] = instance_name_list
+ elif name:
+ json_output['name'] = name
+
+ json_output['changed'] = changed
+ module.exit_json(**json_output)
+
+# import module snippets
+from ansible.module_utils.basic import *
+from ansible.module_utils.gce import *
+if __name__ == '__main__':
+ main()
diff --git a/playbooks/gce/openshift-cluster/tasks/launch_instances.yml b/playbooks/gce/openshift-cluster/tasks/launch_instances.yml
index e3efd8566..c5c479052 100644
--- a/playbooks/gce/openshift-cluster/tasks/launch_instances.yml
+++ b/playbooks/gce/openshift-cluster/tasks/launch_instances.yml
@@ -17,6 +17,11 @@
- clusterid-{{ cluster_id }}
- host-type-{{ type }}
- sub-host-type-{{ g_sub_host_type }}
+ metadata:
+ startup-script: |
+ #!/bin/bash
+ echo "Defaults:{{ deployment_vars[deployment_type].ssh_user }} !requiretty" > /etc/sudoers.d/99-{{ deployment_vars[deployment_type].ssh_user }}
+
when: instances |length > 0
register: gce
diff --git a/playbooks/gce/openshift-cluster/update.yml b/playbooks/gce/openshift-cluster/update.yml
index 9b7a2777a..332f27da7 100644
--- a/playbooks/gce/openshift-cluster/update.yml
+++ b/playbooks/gce/openshift-cluster/update.yml
@@ -1,12 +1,25 @@
---
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- name: Populate oo_hosts_to_update group
hosts: localhost
connection: local
become: no
gather_facts: no
- vars_files:
- - vars.yml
- - cluster_hosts.yml
tasks:
- name: Evaluate oo_hosts_to_update
add_host:
@@ -14,7 +27,7 @@
groups: oo_hosts_to_update
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- with_items: "{{ g_all_hosts | default([]) }}"
+ with_items: g_all_hosts | default([])
- include: ../../common/openshift-cluster/update_repos_and_packages.yml
diff --git a/playbooks/libvirt/openshift-cluster/config.yml b/playbooks/libvirt/openshift-cluster/config.yml
index 81a6fff0d..032d4cf68 100644
--- a/playbooks/libvirt/openshift-cluster/config.yml
+++ b/playbooks/libvirt/openshift-cluster/config.yml
@@ -2,10 +2,23 @@
# TODO: need to figure out a plan for setting hostname, currently the default
# is localhost, so no hostname value (or public_hostname) value is getting
# assigned
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- include: ../../common/openshift-cluster/config.yml
- vars_files:
- - ../../libvirt/openshift-cluster/vars.yml
- - ../../libvirt/openshift-cluster/cluster_hosts.yml
vars:
g_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
g_sudo: "{{ deployment_vars[deployment_type].become }}"
@@ -21,3 +34,4 @@
os_sdn_network_plugin_name: "{{ lookup('oo_option', 'sdn_network_plugin_name') }}"
openshift_use_flannel: "{{ lookup('oo_option', 'use_flannel') }}"
openshift_use_fluentd: "{{ lookup('oo_option', 'use_fluentd') }}"
+ openshift_use_dnsmasq: false
diff --git a/playbooks/libvirt/openshift-cluster/update.yml b/playbooks/libvirt/openshift-cluster/update.yml
index 9b7a2777a..28362c984 100644
--- a/playbooks/libvirt/openshift-cluster/update.yml
+++ b/playbooks/libvirt/openshift-cluster/update.yml
@@ -1,4 +1,20 @@
---
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- name: Populate oo_hosts_to_update group
hosts: localhost
connection: local
@@ -14,7 +30,7 @@
groups: oo_hosts_to_update
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- with_items: "{{ g_all_hosts | default([]) }}"
+ with_items: g_all_hosts | default([])
- include: ../../common/openshift-cluster/update_repos_and_packages.yml
diff --git a/playbooks/openstack/openshift-cluster/config.yml b/playbooks/openstack/openshift-cluster/config.yml
index 9c0ca9af9..6e4f414d6 100644
--- a/playbooks/openstack/openshift-cluster/config.yml
+++ b/playbooks/openstack/openshift-cluster/config.yml
@@ -1,8 +1,21 @@
---
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- include: ../../common/openshift-cluster/config.yml
- vars_files:
- - ../../openstack/openshift-cluster/vars.yml
- - ../../openstack/openshift-cluster/cluster_hosts.yml
vars:
g_nodeonmaster: true
g_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
diff --git a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
index 2f05c3adc..1d54a9c39 100644
--- a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
+++ b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
@@ -591,11 +591,17 @@ resources:
type: OS::Heat::MultipartMime
properties:
parts:
- - config: { get_file: user-data }
- config:
str_replace:
template: |
#cloud-config
+ disable_root: true
+
+ system_info:
+ default_user:
+ name: openshift
+ sudo: ["ALL=(ALL) NOPASSWD: ALL"]
+
write_files:
- path: /etc/sudoers.d/00-openshift-no-requiretty
permissions: 440
diff --git a/playbooks/openstack/openshift-cluster/launch.yml b/playbooks/openstack/openshift-cluster/launch.yml
index 3d4fe42d0..6429a6755 100644
--- a/playbooks/openstack/openshift-cluster/launch.yml
+++ b/playbooks/openstack/openshift-cluster/launch.yml
@@ -46,7 +46,7 @@
-P master_flavor={{ openstack_flavor["master"] }}
-P node_flavor={{ openstack_flavor["node"] }}
-P infra_flavor={{ openstack_flavor["infra"] }}
- -P dns_flavor=m1.small
+ -P dns_flavor={{ openshift_flavor["dns"] }}
openshift-ansible-{{ cluster_id }}-stack'
- name: Wait for OpenStack Stack readiness
diff --git a/playbooks/openstack/openshift-cluster/update.yml b/playbooks/openstack/openshift-cluster/update.yml
index 539af6524..6d4d23963 100644
--- a/playbooks/openstack/openshift-cluster/update.yml
+++ b/playbooks/openstack/openshift-cluster/update.yml
@@ -1,4 +1,20 @@
---
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: vars.yml
+ - include_vars: cluster_hosts.yml
+
- include: dns.yml
- name: Populate oo_hosts_to_update group
@@ -6,9 +22,6 @@
connection: local
become: no
gather_facts: no
- vars_files:
- - vars.yml
- - cluster_hosts.yml
tasks:
- name: Evaluate oo_hosts_to_update
add_host:
@@ -16,7 +29,7 @@
groups: oo_hosts_to_update
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- with_items: "{{ g_all_hosts | default([]) }}"
+ with_items: g_all_hosts | default([])
- include: ../../common/openshift-cluster/update_repos_and_packages.yml
diff --git a/playbooks/openstack/openshift-cluster/vars.yml b/playbooks/openstack/openshift-cluster/vars.yml
index 84cba0506..bc53a51b0 100644
--- a/playbooks/openstack/openshift-cluster/vars.yml
+++ b/playbooks/openstack/openshift-cluster/vars.yml
@@ -13,6 +13,7 @@ openstack_ssh_public_key: "{{ lookup('file', lookup('oo_option', 'public_k
openstack_ssh_access_from: "{{ lookup('oo_option', 'ssh_from') |
default('0.0.0.0/0', True) }}"
openstack_flavor:
+ dns: "{{ lookup('oo_option', 'dns_flavor' ) | default('m1.small', True) }}"
etcd: "{{ lookup('oo_option', 'etcd_flavor' ) | default('m1.small', True) }}"
master: "{{ lookup('oo_option', 'master_flavor' ) | default('m1.small', True) }}"
infra: "{{ lookup('oo_option', 'infra_flavor' ) | default('m1.small', True) }}"
diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md
new file mode 100644
index 000000000..96c9cd5f2
--- /dev/null
+++ b/roles/openshift_ca/README.md
@@ -0,0 +1,48 @@
+OpenShift CA
+============
+
+This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles.
+
+Requirements
+------------
+
+Role Variables
+--------------
+
+From this role:
+
+| Name | Default value | Description |
+|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------|
+| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be created. |
+| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master` | CA certificate directory. |
+| openshift_ca_cert | `{{ openshift_ca_config_dir }}/ca.crt` | CA certificate path including CA certificate filename. |
+| openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. |
+| openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. |
+| openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. |
+
+Dependencies
+------------
+
+* openshift_repos
+* openshift_cli
+
+Example Playbook
+----------------
+
+```
+- name: Create OpenShift CA
+ hosts: localhost
+ roles:
+ - role: openshift_ca
+ openshift_ca_host: master1.example.com
+```
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_master_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
index b5dd466c9..0089f4209 100644
--- a/roles/openshift_master_ca/meta/main.yml
+++ b/roles/openshift_ca/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description:
+ description: OpenShift CA
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.8
+ min_ansible_version: 1.9.4
platforms:
- name: EL
versions:
@@ -13,5 +13,5 @@ galaxy_info:
- cloud
- system
dependencies:
-- { role: openshift_repos }
-- { role: openshift_cli }
+- role: openshift_repos
+- role: openshift_cli
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
new file mode 100644
index 000000000..497473f22
--- /dev/null
+++ b/roles/openshift_ca/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- fail:
+ msg: "openshift_ca_host variable must be defined for this role"
+ when: openshift_ca_host is not defined
+
+- name: Install the base package for admin tooling
+ action: >
+ {{ ansible_pkg_mgr }}
+ name={{ openshift.common.service_type }}{{ openshift_version }}
+ state=present
+ when: not openshift.common.is_containerized | bool
+ register: install_result
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Reload generated facts
+ openshift_facts:
+ when: install_result | changed
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Create openshift_ca_config_dir if it does not exist
+ file:
+ path: "{{ openshift_ca_config_dir }}"
+ state: directory
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Determine if CA must be created
+ stat:
+ path: "{{ openshift_ca_config_dir }}/{{ item }}"
+ register: g_master_ca_stat_result
+ with_items:
+ - ca.crt
+ - ca.key
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- set_fact:
+ master_ca_missing: "{{ False in (g_master_ca_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Create the master certificates if they do not already exist
+ command: >
+ {{ openshift.common.admin_binary }} create-master-certs
+ --hostnames={{ openshift_master_hostnames | join(',') }}
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --cert-dir={{ openshift_ca_config_dir }}
+ --overwrite=false
+ when: hostvars[openshift_ca_host].master_ca_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml
new file mode 100644
index 000000000..a32e385ec
--- /dev/null
+++ b/roles/openshift_ca/vars/main.yml
@@ -0,0 +1,6 @@
+---
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index d8834d27f..774f190c8 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -14,6 +14,7 @@ galaxy_info:
dependencies:
- role: openshift_docker
- role: openshift_cli
+- role: openshift_master_certificates
- role: openshift_cloud_provider
- role: openshift_builddefaults
- role: openshift_master_facts
diff --git a/roles/openshift_master_ca/README.md b/roles/openshift_master_ca/README.md
deleted file mode 100644
index 5b2d3601b..000000000
--- a/roles/openshift_master_ca/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-OpenShift Master CA
-========================
-
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml
deleted file mode 100644
index 4b7ef1d84..000000000
--- a/roles/openshift_master_ca/tasks/main.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: Install the base package for admin tooling
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_version }} state=present"
- when: not openshift.common.is_containerized | bool
- register: install_result
-
-- name: Reload generated facts
- openshift_facts:
- when: install_result | changed
-
-- name: Create openshift_master_config_dir if it doesn't exist
- file:
- path: "{{ openshift_master_config_dir }}"
- state: directory
-
-- name: Create the master certificates if they do not already exist
- command: >
- {{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ master_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_config_dir }} --overwrite=false
- when: master_certs_missing | bool
diff --git a/roles/openshift_master_ca/vars/main.yml b/roles/openshift_master_ca/vars/main.yml
deleted file mode 100644
index b35339b18..000000000
--- a/roles/openshift_master_ca/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
-openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
-openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
index ba3d5f28c..a80d47040 100644
--- a/roles/openshift_master_certificates/README.md
+++ b/roles/openshift_master_certificates/README.md
@@ -1,27 +1,44 @@
OpenShift Master Certificates
========================
-TODO
+This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped.
Requirements
------------
-TODO
-
Role Variables
--------------
-TODO
+From `openshift_ca`:
+
+| Name | Default value | Description |
+|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
+
+From this role:
+
+| Name | Default value | Description |
+|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. |
+| openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
+| openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. |
+| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. |
Dependencies
------------
-TODO
+* openshift_ca
Example Playbook
----------------
-TODO
+```
+- name: Create OpenShift Master Certificates
+ hosts: masters
+ roles:
+ - role: openshift_master_certificates
+ openshift_ca_host: master1.example.com
+```
License
-------
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
index fd7b73b0f..90fc0fb10 100644
--- a/roles/openshift_master_certificates/meta/main.yml
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description:
+ description: OpenShift Master Certificates
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.8
+ min_ansible_version: 1.9.4
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- { role: openshift_master_ca }
+- role: openshift_ca
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index 394f9d381..dd105652b 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -1,38 +1,121 @@
---
+- set_fact:
+ openshift_master_certs_no_etcd:
+ - admin.crt
+ - master.kubelet-client.crt
+ - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+ - master.server.crt
+ - openshift-master.crt
+ - openshift-registry.crt
+ - openshift-router.crt
+ - etcd.server.crt
+ openshift_master_certs_etcd:
+ - master.etcd-client.crt
+
+- set_fact:
+ openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
+
+- name: Check status of master certificates
+ stat:
+ path: "{{ openshift_master_config_dir }}/{{ item }}"
+ with_items:
+ - "{{ openshift_master_certs }}"
+ register: g_master_cert_stat_result
+
+- set_fact:
+ master_certs_missing: "{{ False in (g_master_cert_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
+
- name: Ensure the generated_configs directory present
file:
- path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"
+ path: "{{ openshift_master_generated_config_dir }}"
state: directory
mode: 0700
- with_items: "{{ masters_needing_certs | default([]) }}"
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
- dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
+ src: "{{ openshift_master_config_dir }}/{{ item }}"
+ dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
state: hard
- with_nested:
- - "{{ masters_needing_certs | default([]) }}"
- -
- - ca.crt
- - ca.key
- - ca.serial.txt
+ with_items:
+ - ca.crt
+ - ca.key
+ - ca.serial.txt
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ item.openshift.common.all_hostnames | join(',') }}
- --master={{ item.openshift.master.api_url }}
- --public-master={{ item.openshift.master.public_api_url }}
- --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
+ --hostnames={{ openshift.common.all_hostnames | join(',') }}
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --cert-dir={{ openshift_master_generated_config_dir }}
--overwrite=false
- when: item.master_certs_missing | bool
- with_items: "{{ masters_needing_certs | default([]) }}"
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
- dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
+ src: "{{ openshift_master_config_dir }}/{{ item }}"
+ dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
state: hard
force: true
- with_nested:
- - "{{ masters_needing_certs | default([]) }}"
+ with_items:
- "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
+ when: master_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Remove generated etcd client certs when using external etcd
+ file:
+ path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ state: absent
+ when: openshift_master_etcd_hosts | length > 0
+ with_items:
+ - master.etcd-client.crt
+ - master.etcd-client.key
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: g_master_mktemp
+ changed_when: False
+ when: master_certs_missing | bool
+ delegate_to: localhost
+
+- name: Create a tarball of the master certs
+ command: >
+ tar -czvf {{ openshift_master_generated_config_dir }}.tgz
+ -C {{ openshift_master_generated_config_dir }} .
+ args:
+ creates: "{{ openshift_master_generated_config_dir }}.tgz"
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Retrieve the master cert tarball from the master
+ fetch:
+ src: "{{ openshift_master_generated_config_dir }}.tgz"
+ dest: "{{ g_master_mktemp.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift_master_config_dir }}"
+ state: directory
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+
+- name: Unarchive the tarball on the master
+ unarchive:
+ src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
+ dest: "{{ openshift_master_config_dir }}"
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+
+- file: name={{ g_master_mktemp.stdout }} state=absent
+ changed_when: False
+ when: master_certs_missing | bool
+ delegate_to: localhost
diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml
index 3f18ddc79..66f2e5162 100644
--- a/roles/openshift_master_certificates/vars/main.yml
+++ b/roles/openshift_master_certificates/vars/main.yml
@@ -1,3 +1,5 @@
---
openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"
openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}"
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index db1776632..4d35ec420 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -13,9 +13,9 @@ galaxy_info:
- cloud
dependencies:
- role: openshift_docker
+- role: openshift_node_certificates
- role: openshift_cloud_provider
- role: openshift_common
- role: openshift_node_dnsmasq
when: openshift.common.use_dnsmasq
- role: os_firewall
-
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
index 6264d253a..f56066b29 100644
--- a/roles/openshift_node_certificates/README.md
+++ b/roles/openshift_node_certificates/README.md
@@ -1,27 +1,44 @@
-OpenShift/Atomic Enterprise Node Certificates
-=============================================
+OpenShift Node Certificates
+===========================
-TODO
+This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
Requirements
------------
-TODO
-
Role Variables
--------------
-TODO
+From `openshift_ca`:
+
+| Name | Default value | Description |
+|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
+| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
+
+From this role:
+
+| Name | Default value | Description |
+|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
+| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. |
+| openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
+| openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. |
+| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. |
Dependencies
------------
-TODO
+* openshift_ca
Example Playbook
----------------
-TODO
+```
+- name: Create OpenShift Node Certificates
+ hosts: nodes
+ roles:
+ - role: openshift_node_certificates
+ openshift_ca_host: master1.example.com
+```
License
-------
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
index f3236e850..3caa1cdf1 100644
--- a/roles/openshift_node_certificates/meta/main.yml
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description:
+ description: OpenShift Node Certificates
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.8
+ min_ansible_version: 1.9.4
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- { role: openshift_facts }
+- role: openshift_ca
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 216c11093..147a432a4 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -1,36 +1,95 @@
---
-- name: Create openshift_generated_configs_dir if it doesn\'t exist
+- name: Check status of node certificates
+ stat:
+ path: "{{ openshift.common.config_base }}/node/{{ item }}"
+ with_items:
+ - "system:node:{{ openshift.common.hostname }}.crt"
+ - "system:node:{{ openshift.common.hostname }}.key"
+ - "system:node:{{ openshift.common.hostname }}.kubeconfig"
+ - ca.crt
+ - server.key
+ - server.crt
+ register: g_node_cert_stat_result
+
+- set_fact:
+ node_certs_missing: "{{ False in (g_node_cert_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
+
+- name: Create openshift_generated_configs_dir if it does not exist
file:
path: "{{ openshift_generated_configs_dir }}"
state: directory
mode: 0700
- when: nodes_needing_certs | length > 0
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- name: Generate the node client config
command: >
{{ openshift.common.admin_binary }} create-api-client-config
- --certificate-authority={{ openshift_master_ca_cert }}
- --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
+ --certificate-authority={{ openshift_ca_cert }}
+ --client-dir={{ openshift_node_generated_config_dir }}
--groups=system:nodes
- --master={{ openshift.master.api_url }}
- --signer-cert={{ openshift_master_ca_cert }}
- --signer-key={{ openshift_master_ca_key }}
- --signer-serial={{ openshift_master_ca_serial }}
- --user=system:node:{{ item.openshift.common.hostname }}
+ --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --user=system:node:{{ openshift.common.hostname }}
args:
- creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
- with_items: "{{ nodes_needing_certs | default([]) }}"
+ creates: "{{ openshift_node_generated_config_dir }}"
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
- name: Generate the node server certificate
command: >
{{ openshift.common.admin_binary }} ca create-server-cert
- --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key
+ --cert={{ openshift_node_generated_config_dir }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
--overwrite=true
- --hostnames={{ item.openshift.common.all_hostnames |join(",") }}
- --signer-cert={{ openshift_master_ca_cert }}
- --signer-key={{ openshift_master_ca_key }}
- --signer-serial={{ openshift_master_ca_serial }}
+ --hostnames={{ openshift.common.all_hostnames |join(",") }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ args:
+ creates: "{{ openshift_node_generated_config_dir }}/server.crt"
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host}}"
+
+- name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: node_cert_mktemp
+ changed_when: False
+ when: node_certs_missing | bool
+ delegate_to: localhost
+
+- name: Create a tarball of the node config directories
+ command: >
+ tar -czvf {{ openshift_node_generated_config_dir }}.tgz
+ --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
+ -C {{ openshift_node_generated_config_dir }} .
args:
- creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
- with_items: "{{ nodes_needing_certs | default([]) }}"
+ creates: "{{ openshift_node_generated_config_dir }}.tgz"
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Retrieve the node config tarballs from the master
+ fetch:
+ src: "{{ openshift_node_generated_config_dir }}.tgz"
+ dest: "{{ node_cert_mktemp.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift_node_cert_dir }}"
+ state: directory
+ when: node_certs_missing | bool
+
+- name: Unarchive the tarball on the node
+ unarchive:
+ src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
+ dest: "{{ openshift_node_cert_dir }}"
+ when: node_certs_missing | bool
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
index 61fbb1e51..2fafc7387 100644
--- a/roles/openshift_node_certificates/vars/main.yml
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -1,7 +1,6 @@
---
-openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
-openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
-openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
+openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}"
+openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
+openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"