| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 101 | ||||
| -rw-r--r-- | playbooks/common/openshift-node/config.yml | 70 | ||||
| -rw-r--r-- | roles/openshift_ca/README.md | 48 | ||||
| -rw-r--r-- | roles/openshift_ca/vars/main.yml | 6 | ||||
| -rw-r--r-- | roles/openshift_master/meta/main.yml | 1 | ||||
| -rw-r--r-- | roles/openshift_master_ca/README.md | 34 | ||||
| -rw-r--r-- | roles/openshift_master_ca/meta/main.yml (renamed from roles/openshift_ca/meta/main.yml) | 8 | ||||
| -rw-r--r-- | roles/openshift_master_certificates/README.md | 29 | ||||
| -rw-r--r-- | roles/openshift_master_certificates/meta/main.yml | 6 | ||||
| -rw-r--r-- | roles/openshift_master_certificates/tasks/main.yml | 123 | ||||
| -rw-r--r-- | roles/openshift_master_certificates/vars/main.yml | 2 | ||||
| -rw-r--r-- | roles/openshift_node/meta/main.yml | 2 | ||||
| -rw-r--r-- | roles/openshift_node_certificates/README.md | 33 | ||||
| -rw-r--r-- | roles/openshift_node_certificates/meta/main.yml | 6 | ||||
| -rw-r--r-- | roles/openshift_node_certificates/tasks/main.yml | 97 | ||||
| -rw-r--r-- | roles/openshift_node_certificates/vars/main.yml | 9 | 
16 files changed, 260 insertions, 315 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index c6fac2870..8ed62a7f1 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -156,6 +156,85 @@      - master.etcd-ca.crt      when: etcd_client_certs_missing is defined and etcd_client_certs_missing +- name: Determine if master certificates need to be generated +  hosts: oo_first_master:oo_masters_to_config +  tasks: +  - set_fact: +      openshift_master_certs_no_etcd: +      - admin.crt +      - master.kubelet-client.crt +      - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" +      - master.server.crt +      - openshift-master.crt +      - openshift-registry.crt +      - openshift-router.crt +      - etcd.server.crt +      openshift_master_certs_etcd: +      - master.etcd-client.crt + +  - set_fact: +      openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}" + +  - name: Check status of master certificates +    stat: +      path: "{{ openshift.common.config_base }}/master/{{ item }}" +    with_items: "{{ openshift_master_certs }}" +    register: g_master_cert_stat_result +  - set_fact: +      master_certs_missing: "{{ False in (g_master_cert_stat_result.results +                                | oo_collect(attribute='stat.exists') +                                | list ) }}" +      master_cert_subdir: master-{{ openshift.common.hostname }} +      master_cert_config_dir: "{{ openshift.common.config_base }}/master" +  - set_fact: +      openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']) +                                 | oo_nodes_with_label('region', 'infra') +                                 | oo_collect('inventory_hostname') }}" +    when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0 + +- name: Configure master certificates +  hosts: oo_first_master +  vars: +    master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs" +    
masters_needing_certs: "{{ hostvars +                               | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master'])) +                               | oo_filter_list(filter_attr='master_certs_missing') }}" +    master_hostnames: "{{ hostvars +                               | oo_select_keys(groups['oo_masters_to_config']) +                               | oo_collect('openshift.common.all_hostnames') +                               | oo_flatten | unique }}" +    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" +    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" +  roles: +  - openshift_master_certificates +  post_tasks: +  - name: Remove generated etcd client certs when using external etcd +    file: +      path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" +      state: absent +    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config +    with_nested: +    - "{{ masters_needing_certs | default([]) }}" +    - - master.etcd-client.crt +      - master.etcd-client.key + +  - name: Create a tarball of the master certs +    command: > +      tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz +        -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} . +    args: +      creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz" +    with_items: "{{ masters_needing_certs | default([]) }}" + +  - name: Retrieve the master cert tarball from the master +    fetch: +      src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz" +      dest: "{{ sync_tmpdir }}/" +      flat: yes +      fail_on_missing: yes +      validate_checksum: yes +    with_items: "{{ masters_needing_certs | default([]) }}" +  - name: Check for cached session secrets    hosts: oo_first_master    roles: 
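Review bot: The `openshift_master_certs_no_etcd` list built by the first `set_fact` cannot drop the proxy-client entry with `else omit` — as far as I can tell `omit` is only honoured as a complete module-argument value, so on versions before 3.1/1.1 the `stat` loop checks a path built from the omit placeholder string, finds nothing, and `master_certs_missing` is true on every run, so the whole tarball/sync path executes on every invocation. Leave the entry out of the literal list and append it conditionally, e.g. a second `set_fact` with `openshift_master_certs_no_etcd: "{{ openshift_master_certs_no_etcd + ['master.proxy-client.crt'] }}"` guarded by `when: openshift.common.version_gte_3_1_or_1_1 | bool`. Separately, the `.tgz` written by `Create a tarball of the master certs` contains the hard-linked `ca.key` the role stages into each per-master directory and is created with whatever umask the command inherits, so a `file` task setting `mode: 0600` on the archive before the `fetch` would be worthwhile, and `creates:` means a tarball left over from an earlier run is re-fetched as-is. The `openshift_infra_nodes` fact has nothing to do with certificate detection and would read better in the play that consumes it.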
@@ -256,17 +335,19 @@                                                  }}"      when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and              openshift_generate_no_proxy_hosts | default(True) | bool }}" +  pre_tasks: +  - name: Ensure certificate directory exists +    file: +      path: "{{ openshift.common.config_base }}/master" +      state: directory +    when: master_certs_missing | bool and 'oo_first_master' not in group_names +  - name: Unarchive the tarball on the master +    unarchive: +      src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz" +      dest: "{{ master_cert_config_dir }}" +    when: master_certs_missing | bool and 'oo_first_master' not in group_names    roles: -  - role: openshift_master -    openshift_ca_host: "{{ groups.oo_first_master.0 }}" -    openshift_master_etcd_hosts: "{{ hostvars -                                     | oo_select_keys(groups['oo_etcd_to_config'] | default([])) -                                     | oo_collect('openshift.common.hostname') -                                     | default(none, true) }}" -    openshift_master_hostnames: "{{ hostvars -                                    | oo_select_keys(groups['oo_masters_to_config'] | default([])) -                                    | oo_collect('openshift.common.all_hostnames') -                                    | oo_flatten | unique }}" +  - openshift_master    - role: nickhammond.logrotate    - role: nuage_master      when: openshift.common.use_nuage | bool diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 9c9aa779a..5e92b5cbd 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml 
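Review bot: The new `pre_tasks` read `sync_tmpdir`, which in this file is only visible as a play-level `vars:` entry of the separate `Configure master certificates` play and is not a host fact, so unless this play's own `vars:` above the hunk also defines `sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"`, the `unarchive` fails with an undefined variable on every master that is not the first. `master_certs_missing`, `master_cert_subdir` and `master_cert_config_dir` are safe here because the earlier play sets them as facts on each master. The two `when:` expressions are identical and will drift if edited separately; a short comment above `pre_tasks:` such as `# non-first masters receive the certs staged on the first master via sync_tmpdir` would also make the flow clearer. This play's header and `vars:` start above the hunk.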
@@ -19,6 +19,23 @@          labels: "{{ openshift_node_labels | default(None) }}"          annotations: "{{ openshift_node_annotations | default(None) }}"          schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" +  - name: Check status of node certificates +    stat: +      path: "{{ openshift.common.config_base }}/node/{{ item }}" +    with_items: +    - "system:node:{{ openshift.common.hostname }}.crt" +    - "system:node:{{ openshift.common.hostname }}.key" +    - "system:node:{{ openshift.common.hostname }}.kubeconfig" +    - ca.crt +    - server.key +    - server.crt +    register: stat_result +  - set_fact: +      certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists') +                         | list | intersect([false])}}" +      node_subdir: node-{{ openshift.common.hostname }} +      config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}" +      node_cert_dir: "{{ openshift.common.config_base }}/node"  - name: Create temp directory for syncing certs    hosts: localhost 
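Review bot: `certs_missing` is set to a list (`[false]` or `[]`) via `intersect([false])`, whereas the master play derives a boolean with `False in (...)`; the later `when: certs_missing` and `oo_filter_list(filter_attr='certs_missing')` only work because an empty list is falsy, and adding `| bool` to a list value would not behave as intended. Use the same form as the master side, `certs_missing: "{{ False in (stat_result.results | oo_collect(attribute='stat.exists') | list) }}"`, and then `when: certs_missing | bool` in the deploy play. `config_dir` also re-spells `node-{{ openshift.common.hostname }}` instead of reusing `node_subdir`, the value the tarball name depends on later; building it from `node_subdir` in a following `set_fact` (keys in a single `set_fact` are not visible to each other) keeps the two in step.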
@@ -31,6 +48,53 @@      register: mktemp      changed_when: False +- name: Create node certificates +  hosts: oo_first_master +  vars: +    nodes_needing_certs: "{{ hostvars +                             | oo_select_keys(groups['oo_nodes_to_config'] +                                              | default([])) +                             | oo_filter_list(filter_attr='certs_missing') }}" +    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" +  roles: +  - openshift_node_certificates +  post_tasks: +  - name: Create a tarball of the node config directories +    command: > +      tar -czvf {{ item.config_dir }}.tgz +        --transform 's|system:{{ item.node_subdir }}|node|' +        -C {{ item.config_dir }} . +    args: +      creates: "{{ item.config_dir }}.tgz" +    with_items: "{{ nodes_needing_certs | default([]) }}" + +  - name: Retrieve the node config tarballs from the master +    fetch: +      src: "{{ item.config_dir }}.tgz" +      dest: "{{ sync_tmpdir }}/" +      flat: yes +      fail_on_missing: yes +      validate_checksum: yes +    with_items: "{{ nodes_needing_certs | default([]) }}" + +- name: Deploy node certificates +  hosts: oo_nodes_to_config +  vars: +    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" +  tasks: +  - name: Ensure certificate directory exists +    file: +      path: "{{ node_cert_dir }}" +      state: directory +  # TODO: notify restart node +  # possibly test service started time against certificate/config file +  # timestamps in node to trigger notify +  - name: Unarchive the tarball on the node +    unarchive: +      src: "{{ sync_tmpdir }}/{{ node_subdir }}.tgz" +      dest: "{{ node_cert_dir }}" +    when: certs_missing +  - name: Evaluate node groups    hosts: localhost    become: no 
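Review bot: The `--transform 's|system:{{ item.node_subdir }}|node|'` in `Create a tarball of the node config directories` expands to `system:node-<hostname>`, which cannot match the `system:node:<hostname>.crt/.key/.kubeconfig` names that `create-api-client-config --user=system:node:<hostname>` produces and that the `Check status of node certificates` task expects to find on the node, so it appears to be a no-op and should be dropped rather than left to confuse the next reader (if it ever did match, the stat check would report the certs missing forever). The tarballs fetched into `sync_tmpdir` carry each node's private key and kubeconfig; the role's old `mktemp` cleanup task is deleted in this commit and no replacement is visible in this hunk, so please confirm a later play still removes `hostvars.localhost.mktemp.stdout` on the controller. With `creates:` on the `tar` command, an archive left over from a previous run is re-fetched unchanged, so regenerated certificates would not reach the node until it is deleted.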
@@ -76,8 +140,7 @@      when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and              openshift_generate_no_proxy_hosts | default(True) | bool }}"    roles: -  - role: openshift_node -    openshift_ca_host: "{{ groups.oo_first_master.0 }}" +  - openshift_node  - name: Configure node instances    hosts: oo_nodes_to_config:!oo_containerized_master_nodes @@ -93,8 +156,7 @@      when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and              openshift_generate_no_proxy_hosts | default(True) | bool }}"    roles: -  - role: openshift_node -    openshift_ca_host: "{{ groups.oo_first_master.0 }}" +  - openshift_node  - name: Gather and set facts for flannel certificatess    hosts: oo_nodes_to_config diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md deleted file mode 100644 index 96c9cd5f2..000000000 --- a/roles/openshift_ca/README.md +++ /dev/null 
@@ -1,48 +0,0 @@ -OpenShift CA -============ - -This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles. - -Requirements ------------- - -Role Variables --------------- - -From this role: - -| Name                    | Default value                                 | Description                                                                 | -|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------| -| openshift_ca_host       | None (Required)                               | The hostname of the system where the OpenShift CA will be created.          | -| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master`   | CA certificate directory.                                                   | -| openshift_ca_cert       | `{{ openshift_ca_config_dir }}/ca.crt`        | CA certificate path including CA certificate filename.                      | -| openshift_ca_key        | `{{ openshift_ca_config_dir }}/ca.key`        | CA key path including CA key filename.                                      | -| openshift_ca_serial     | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename.                                | -| openshift_version       | `{{ openshift_pkg_version }}`                 | OpenShift package version.                                                  | - -Dependencies ------------- - -* openshift_repos -* openshift_cli - -Example Playbook ----------------- - -``` -- name: Create OpenShift CA -  hosts: localhost -  roles: -  - role: openshift_ca -    openshift_ca_host: master1.example.com -``` - -License -------- - -Apache License Version 2.0 - -Author Information ------------------- - -Jason DeTiberus (jdetiber@redhat.com) 
diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml
deleted file mode 100644
index a32e385ec..000000000
--- a/roles/openshift_ca/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index f6b926d74..0a69b3eef 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -15,7 +15,6 @@ dependencies:
 - role: openshift_clock
 - role: openshift_docker
 - role: openshift_cli
-- role: openshift_master_certificates
 - role: openshift_cloud_provider
 - role: openshift_builddefaults
 - role: openshift_master_facts
diff --git a/roles/openshift_master_ca/README.md b/roles/openshift_master_ca/README.md
new file mode 100644
index 000000000..5b2d3601b
--- /dev/null
+++ b/roles/openshift_master_ca/README.md
@@ -0,0 +1,34 @@
+OpenShift Master CA
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_master_ca/meta/main.yml
index 0089f4209..b5dd466c9 100644
--- a/roles/openshift_ca/meta/main.yml
+++ b/roles/openshift_master_ca/meta/main.yml
@@ -1,10 +1,10 @@  ---  galaxy_info:    author: Jason DeTiberus -  description: OpenShift CA +  description:    company: Red Hat, Inc.    license: Apache License, Version 2.0 -  min_ansible_version: 1.9.4 +  min_ansible_version: 1.8    platforms:    - name: EL      versions: @@ -13,5 +13,5 @@ galaxy_info:    - cloud    - system  dependencies: -- role: openshift_repos -- role: openshift_cli +- { role: openshift_repos } +- { role: openshift_cli } diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md index a80d47040..ba3d5f28c 100644 --- a/roles/openshift_master_certificates/README.md +++ b/roles/openshift_master_certificates/README.md 
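Review bot: `description:` is left without a value, which YAML parses as null rather than an empty string; keep a short description such as `description: OpenShift Master CA`. The same empty `description:` is introduced in roles/openshift_master_certificates/meta/main.yml and roles/openshift_node_certificates/meta/main.yml in this commit. The dependency entries switch to flow style (`- { role: openshift_repos }`) while the rest of the file is block style; `- role: openshift_repos` matches the surrounding file and the other roles' meta files.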
@@ -1,44 +1,27 @@  OpenShift Master Certificates  ======================== -This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped. +TODO  Requirements  ------------ +TODO +  Role Variables  -------------- -From `openshift_ca`: - -| Name                                  | Default value                                                             | Description                                                                                                                   | -|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| -| openshift_ca_host                     | None (Required)                                                           | The hostname of the system where the OpenShift CA will be (or has been) created.                                              | - -From this role: - -| Name                                  | Default value                                                             | Description                                                                                                                   | -|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| -| openshift_generated_configs_dir       | `{{ openshift.common.config_base }}/generated-configs`                    | Directory in which per-master generated config directories will be created on the `openshift_ca_host`.                        
| -| openshift_master_cert_subdir          | `master-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. | -| openshift_master_config_dir           | `{{ openshift.common.config_base }}/master`                               | Master configuration directory in which certificates will be deployed on masters.                                             | -| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory.                                                                       | +TODO  Dependencies  ------------ -* openshift_ca +TODO  Example Playbook  ---------------- -``` -- name: Create OpenShift Master Certificates -  hosts: masters -  roles: -  - role: openshift_master_certificates -    openshift_ca_host: master1.example.com -``` +TODO  License  ------- diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml index 90fc0fb10..fd7b73b0f 100644 --- a/roles/openshift_master_certificates/meta/main.yml +++ b/roles/openshift_master_certificates/meta/main.yml @@ -1,10 +1,10 @@  ---  galaxy_info:    author: Jason DeTiberus -  description: OpenShift Master Certificates +  description:    company: Red Hat, Inc.    license: Apache License, Version 2.0 -  min_ansible_version: 1.9.4 +  min_ansible_version: 1.8    platforms:    - name: EL      versions: @@ -13,4 +13,4 @@ galaxy_info:    - cloud    - system  dependencies: -- role: openshift_ca +- { role: openshift_master_ca } diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index dd105652b..394f9d381 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml 
@@ -1,121 +1,38 @@  --- -- set_fact: -    openshift_master_certs_no_etcd: -    - admin.crt -    - master.kubelet-client.crt -    - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" -    - master.server.crt -    - openshift-master.crt -    - openshift-registry.crt -    - openshift-router.crt -    - etcd.server.crt -    openshift_master_certs_etcd: -    - master.etcd-client.crt - -- set_fact: -    openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}" - -- name: Check status of master certificates -  stat: -    path: "{{ openshift_master_config_dir }}/{{ item }}" -  with_items: -  - "{{ openshift_master_certs }}" -  register: g_master_cert_stat_result - -- set_fact: -    master_certs_missing: "{{ False in (g_master_cert_stat_result.results -                              | oo_collect(attribute='stat.exists') -                              | list) }}" -  - name: Ensure the generated_configs directory present    file: -    path: "{{ openshift_master_generated_config_dir }}" +    path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"      state: directory      mode: 0700 -  when: master_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" +  with_items: "{{ masters_needing_certs | default([]) }}"  - file: -    src: "{{ openshift_master_config_dir }}/{{ item }}" -    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" +    src: "{{ openshift_master_config_dir }}/{{ item.1 }}" +    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"      state: hard -  with_items: -  - ca.crt -  - ca.key -  - ca.serial.txt -  when: master_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" +  with_nested: +  - "{{ masters_needing_certs | default([]) }}" +  - +    - ca.crt +    - ca.key +    - ca.serial.txt  - name: Create the master 
certificates if they do not already exist    command: >      {{ openshift.common.admin_binary }} create-master-certs -      --hostnames={{ openshift.common.all_hostnames | join(',') }} -      --master={{ openshift.master.api_url }} -      --public-master={{ openshift.master.public_api_url }} -      --cert-dir={{ openshift_master_generated_config_dir }} +      --hostnames={{ item.openshift.common.all_hostnames | join(',') }} +      --master={{ item.openshift.master.api_url }} +      --public-master={{ item.openshift.master.public_api_url }} +      --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}        --overwrite=false -  when: master_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" +  when: item.master_certs_missing | bool +  with_items: "{{ masters_needing_certs | default([]) }}"  - file: -    src: "{{ openshift_master_config_dir }}/{{ item }}" -    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" +    src: "{{ openshift_master_config_dir }}/{{ item.1 }}" +    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"      state: hard      force: true -  with_items: +  with_nested: +  - "{{ masters_needing_certs | default([]) }}"    - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}" -  when: master_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" - -- name: Remove generated etcd client certs when using external etcd -  file: -    path: "{{ openshift_master_generated_config_dir }}/{{ item }}" -    state: absent -  when: openshift_master_etcd_hosts | length > 0 -  with_items: -  - master.etcd-client.crt -  - master.etcd-client.key -  delegate_to: "{{ openshift_ca_host }}" - -- name: Create local temp directory for syncing certs -  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX -  register: g_master_mktemp -  changed_when: False -  when: master_certs_missing | bool -  delegate_to: localhost - -- name: Create a tarball of the 
master certs -  command: > -    tar -czvf {{ openshift_master_generated_config_dir }}.tgz -      -C {{ openshift_master_generated_config_dir }} . -  args: -    creates: "{{ openshift_master_generated_config_dir }}.tgz" -  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host -  delegate_to: "{{ openshift_ca_host }}" - -- name: Retrieve the master cert tarball from the master -  fetch: -    src: "{{ openshift_master_generated_config_dir }}.tgz" -    dest: "{{ g_master_mktemp.stdout }}/" -    flat: yes -    fail_on_missing: yes -    validate_checksum: yes -  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host -  delegate_to: "{{ openshift_ca_host }}" - -- name: Ensure certificate directory exists -  file: -    path: "{{ openshift_master_config_dir }}" -    state: directory -  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - -- name: Unarchive the tarball on the master -  unarchive: -    src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz" -    dest: "{{ openshift_master_config_dir }}" -  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - -- file: name={{ g_master_mktemp.stdout }} state=absent -  changed_when: False -  when: master_certs_missing | bool -  delegate_to: localhost diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml index 66f2e5162..3f18ddc79 100644 --- a/roles/openshift_master_certificates/vars/main.yml +++ b/roles/openshift_master_certificates/vars/main.yml @@ -1,5 +1,3 @@  ---  openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs" -openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"  openshift_master_config_dir: "{{ openshift.common.config_base }}/master" -openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}" 
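Review bot: The last `file` task's second `with_nested` list is `hostvars[inventory_hostname] | certificates_to_synchronize`, and `inventory_hostname` is now the host running the role (the first master) rather than the master being provisioned, so the set of certificates hard-linked into each `item.0.master_cert_subdir` is derived from the first master's facts for every target; if that filter keys on per-host facts such as the version gate used for the certificate list elsewhere, a mixed-version master set silently gets the wrong files — `item.0 | certificates_to_synchronize` is the intent, which `with_nested` cannot express directly. `masters_needing_certs` is now a required input with no `defaults/` entry or README mention (the README is reduced to TODO), and with `| default([])` the role silently does nothing when a caller forgets it; document it in the role's README and consider failing explicitly when it is undefined. The `when: item.master_certs_missing | bool` on the `create-master-certs` task is redundant, since the calling play already filters `masters_needing_certs` on that attribute. The role also hard-links `ca.key` into every per-master staging directory, so each generated subdirectory and the tarball later built from it contain the CA private key; that is worth stating in the README so operators treat `generated-configs` accordingly.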
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index ea52bbb99..31547b846 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -14,9 +14,9 @@ galaxy_info:
 dependencies:
 - role: openshift_clock
 - role: openshift_docker
-- role: openshift_node_certificates
 - role: openshift_cloud_provider
 - role: openshift_common
 - role: openshift_node_dnsmasq
   when: openshift.common.use_dnsmasq
 - role: os_firewall
+
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
index f56066b29..6264d253a 100644
--- a/roles/openshift_node_certificates/README.md
+++ b/roles/openshift_node_certificates/README.md
@@ -1,44 +1,27 @@ -OpenShift Node Certificates -=========================== +OpenShift/Atomic Enterprise Node Certificates +============================================= -This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to. +TODO  Requirements  ------------ +TODO +  Role Variables  -------------- -From `openshift_ca`: - -| Name                                | Default value                                                           | Description                                                                                                               | -|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| -| openshift_ca_host                   | None (Required)                                                         | The hostname of the system where the OpenShift CA will be (or has been) created.                                          | - -From this role: - -| Name                                | Default value                                                           | Description                                                                                                               | -|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| -| openshift_generated_configs_dir     | `{{ openshift.common.config_base }}/generated-configs`                  | Directory in which per-node generated config directories will be created on the `openshift_ca_host`.                      
| -| openshift_node_cert_subdir          | `node-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. | -| openshift_node_config_dir           | `{{ openshift.common.config_base }}/node`                               | Node configuration directory in which certificates will be deployed on nodes.                                             | -| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory.                                                                     | +TODO  Dependencies  ------------ -* openshift_ca +TODO  Example Playbook  ---------------- -``` -- name: Create OpenShift Node Certificates -  hosts: nodes -  roles: -  - role: openshift_node_certificates -    openshift_ca_host: master1.example.com -``` +TODO  License  ------- diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml index 3caa1cdf1..f3236e850 100644 --- a/roles/openshift_node_certificates/meta/main.yml +++ b/roles/openshift_node_certificates/meta/main.yml @@ -1,10 +1,10 @@  ---  galaxy_info:    author: Jason DeTiberus -  description: OpenShift Node Certificates +  description:    company: Red Hat, Inc.    license: Apache License, Version 2.0 -  min_ansible_version: 1.9.4 +  min_ansible_version: 1.8    platforms:    - name: EL      versions: @@ -13,4 +13,4 @@ galaxy_info:    - cloud    - system  dependencies: -- role: openshift_ca +- { role: openshift_facts } diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 147a432a4..216c11093 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml 
@@ -1,95 +1,36 @@  --- -- name: Check status of node certificates -  stat: -    path: "{{ openshift.common.config_base }}/node/{{ item }}" -  with_items: -  - "system:node:{{ openshift.common.hostname }}.crt" -  - "system:node:{{ openshift.common.hostname }}.key" -  - "system:node:{{ openshift.common.hostname }}.kubeconfig" -  - ca.crt -  - server.key -  - server.crt -  register: g_node_cert_stat_result - -- set_fact: -    node_certs_missing: "{{ False in (g_node_cert_stat_result.results -                            | oo_collect(attribute='stat.exists') -                            | list) }}" - -- name: Create openshift_generated_configs_dir if it does not exist +- name: Create openshift_generated_configs_dir if it doesn\'t exist    file:      path: "{{ openshift_generated_configs_dir }}"      state: directory      mode: 0700 -  when: node_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" +  when: nodes_needing_certs | length > 0  - name: Generate the node client config    command: >      {{ openshift.common.admin_binary }} create-api-client-config -      --certificate-authority={{ openshift_ca_cert }} -      --client-dir={{ openshift_node_generated_config_dir }} +      --certificate-authority={{ openshift_master_ca_cert }} +      --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}        --groups=system:nodes -      --master={{ hostvars[openshift_ca_host].openshift.master.api_url }} -      --signer-cert={{ openshift_ca_cert }} -      --signer-key={{ openshift_ca_key }} -      --signer-serial={{ openshift_ca_serial }} -      --user=system:node:{{ openshift.common.hostname }} +      --master={{ openshift.master.api_url }} +      --signer-cert={{ openshift_master_ca_cert }} +      --signer-key={{ openshift_master_ca_key }} +      --signer-serial={{ openshift_master_ca_serial }} +      --user=system:node:{{ item.openshift.common.hostname }}    args: -    creates: "{{ openshift_node_generated_config_dir }}" -  
when: node_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" +    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" +  with_items: "{{ nodes_needing_certs | default([]) }}"  - name: Generate the node server certificate    command: >      {{ openshift.common.admin_binary }} ca create-server-cert -      --cert={{ openshift_node_generated_config_dir }}/server.crt -      --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key +      --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt +      --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key        --overwrite=true -      --hostnames={{ openshift.common.all_hostnames |join(",") }} -      --signer-cert={{ openshift_ca_cert }} -      --signer-key={{ openshift_ca_key }} -      --signer-serial={{ openshift_ca_serial }} -  args: -    creates: "{{ openshift_node_generated_config_dir }}/server.crt" -  when: node_certs_missing | bool -  delegate_to: "{{ openshift_ca_host}}" - -- name: Create local temp directory for syncing certs -  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX -  register: node_cert_mktemp -  changed_when: False -  when: node_certs_missing | bool -  delegate_to: localhost - -- name: Create a tarball of the node config directories -  command: > -    tar -czvf {{ openshift_node_generated_config_dir }}.tgz -    --transform 's|system:{{ openshift_node_cert_subdir }}|node|' -    -C {{ openshift_node_generated_config_dir }} . 
+      --hostnames={{ item.openshift.common.all_hostnames |join(",") }} +      --signer-cert={{ openshift_master_ca_cert }} +      --signer-key={{ openshift_master_ca_key }} +      --signer-serial={{ openshift_master_ca_serial }}    args: -    creates: "{{ openshift_node_generated_config_dir }}.tgz" -  when: node_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" - -- name: Retrieve the node config tarballs from the master -  fetch: -    src: "{{ openshift_node_generated_config_dir }}.tgz" -    dest: "{{ node_cert_mktemp.stdout }}/" -    flat: yes -    fail_on_missing: yes -    validate_checksum: yes -  when: node_certs_missing | bool -  delegate_to: "{{ openshift_ca_host }}" - -- name: Ensure certificate directory exists -  file: -    path: "{{ openshift_node_cert_dir }}" -    state: directory -  when: node_certs_missing | bool - -- name: Unarchive the tarball on the node -  unarchive: -    src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz" -    dest: "{{ openshift_node_cert_dir }}" -  when: node_certs_missing | bool +    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt" +  with_items: "{{ nodes_needing_certs | default([]) }}" diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml index 2fafc7387..61fbb1e51 100644 --- a/roles/openshift_node_certificates/vars/main.yml +++ b/roles/openshift_node_certificates/vars/main.yml 
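Review bot: `when: nodes_needing_certs | length > 0` on the first task errors with an undefined variable if the caller does not set `nodes_needing_certs`, while the two loops below guard with `| default([])`; use `when: nodes_needing_certs | default([]) | length > 0` so the role behaves consistently. The task name `Create openshift_generated_configs_dir if it doesn\'t exist` is a plain scalar, so the backslash is literal and shows up in the output; write `- name: Create openshift_generated_configs_dir if it doesn't exist`. Both `command` tasks use `creates:` on the directory or file that `create-api-client-config` and `create-server-cert` populate, so a partially generated `node-<hostname>` directory from an interrupted run is never repaired; that predates this change, but the new per-node loop now applies it to every node from one task. `--master={{ openshift.master.api_url }}` relies on the role running on the first master, which the README (reduced to TODO) should state as a requirement.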
@@ -1,6 +1,7 @@
 ---
-openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}"
 openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
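Review bot: `openshift_master_ca_cert`, `openshift_master_ca_key` and `openshift_master_ca_serial` are defined in `vars/main.yml`, where they take precedence over inventory and playbook variables, so a deployment can no longer point the role at a CA stored elsewhere (the deleted `openshift_ca` role exposed `openshift_ca_config_dir` for that); if they are meant to be overridable, move them to `defaults/main.yml`. `openshift_master_config_dir` and `openshift_generated_configs_dir` now duplicate the same definitions in roles/openshift_master_certificates/vars/main.yml, so a change to one location will drift from the other.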
