Diffstat (limited to 'roles/openshift_master_certificates')
-rw-r--r-- | roles/openshift_master_certificates/README.md | 29 | ||||
-rw-r--r-- | roles/openshift_master_certificates/meta/main.yml | 6 | ||||
-rw-r--r-- | roles/openshift_master_certificates/tasks/main.yml | 123 | ||||
-rw-r--r-- | roles/openshift_master_certificates/vars/main.yml | 2 |
4 files changed, 29 insertions, 131 deletions
diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
index a80d47040..ba3d5f28c 100644
--- a/roles/openshift_master_certificates/README.md
+++ b/roles/openshift_master_certificates/README.md
@@ -1,44 +1,27 @@ OpenShift Master Certificates ======================== -This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped. +TODO Requirements ------------ +TODO + Role Variables -------------- -From `openshift_ca`: - -| Name | Default value | Description | -|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| -| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. | - -From this role: - -| Name | Default value | Description | -|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| -| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. | -| openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. | -| openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. | -| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. 
| +TODO Dependencies ------------ -* openshift_ca +TODO Example Playbook ---------------- -``` -- name: Create OpenShift Master Certificates - hosts: masters - roles: - - role: openshift_master_certificates - openshift_ca_host: master1.example.com -``` +TODO License ------- diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml index 90fc0fb10..fd7b73b0f 100644 --- a/roles/openshift_master_certificates/meta/main.yml +++ b/roles/openshift_master_certificates/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: OpenShift Master Certificates + description: company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9.4 + min_ansible_version: 1.8 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- role: openshift_ca +- { role: openshift_master_ca } diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index dd105652b..394f9d381 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml 
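Review bot: The new side of meta/main.yml leaves `description:` as a bare key, which YAML parses as null rather than a string, so the galaxy metadata now carries no description at all. Keep a one-line description in place, e.g. `description: Create OpenShift master certificates on the CA host`. The dependency swap to `openshift_master_ca` also changes which role is expected to have produced `ca.key` and `ca.serial.txt` in `openshift_master_config_dir` before tasks/main.yml hard-links them; worth a comment on the dependency line naming that contract, since nothing in this role checks the files exist.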
@@ -1,121 +1,38 @@ --- -- set_fact: - openshift_master_certs_no_etcd: - - admin.crt - - master.kubelet-client.crt - - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" - - master.server.crt - - openshift-master.crt - - openshift-registry.crt - - openshift-router.crt - - etcd.server.crt - openshift_master_certs_etcd: - - master.etcd-client.crt - -- set_fact: - openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}" - -- name: Check status of master certificates - stat: - path: "{{ openshift_master_config_dir }}/{{ item }}" - with_items: - - "{{ openshift_master_certs }}" - register: g_master_cert_stat_result - -- set_fact: - master_certs_missing: "{{ False in (g_master_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list) }}" - - name: Ensure the generated_configs directory present file: - path: "{{ openshift_master_generated_config_dir }}" + path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}" state: directory mode: 0700 - when: master_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" + with_items: "{{ masters_needing_certs | default([]) }}" - file: - src: "{{ openshift_master_config_dir }}/{{ item }}" - dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" + src: "{{ openshift_master_config_dir }}/{{ item.1 }}" + dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" state: hard - with_items: - - ca.crt - - ca.key - - ca.serial.txt - when: master_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" + with_nested: + - "{{ masters_needing_certs | default([]) }}" + - + - ca.crt + - ca.key + - ca.serial.txt - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ openshift.common.all_hostnames | join(',') 
}} - --master={{ openshift.master.api_url }} - --public-master={{ openshift.master.public_api_url }} - --cert-dir={{ openshift_master_generated_config_dir }} + --hostnames={{ item.openshift.common.all_hostnames | join(',') }} + --master={{ item.openshift.master.api_url }} + --public-master={{ item.openshift.master.public_api_url }} + --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }} --overwrite=false - when: master_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" + when: item.master_certs_missing | bool + with_items: "{{ masters_needing_certs | default([]) }}" - file: - src: "{{ openshift_master_config_dir }}/{{ item }}" - dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" + src: "{{ openshift_master_config_dir }}/{{ item.1 }}" + dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" state: hard force: true - with_items: + with_nested: + - "{{ masters_needing_certs | default([]) }}" - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}" - when: master_certs_missing | bool - delegate_to: "{{ openshift_ca_host }}" - -- name: Remove generated etcd client certs when using external etcd - file: - path: "{{ openshift_master_generated_config_dir }}/{{ item }}" - state: absent - when: openshift_master_etcd_hosts | length > 0 - with_items: - - master.etcd-client.crt - - master.etcd-client.key - delegate_to: "{{ openshift_ca_host }}" - -- name: Create local temp directory for syncing certs - local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX - register: g_master_mktemp - changed_when: False - when: master_certs_missing | bool - delegate_to: localhost - -- name: Create a tarball of the master certs - command: > - tar -czvf {{ openshift_master_generated_config_dir }}.tgz - -C {{ openshift_master_generated_config_dir }} . 
- args: - creates: "{{ openshift_master_generated_config_dir }}.tgz" - when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - delegate_to: "{{ openshift_ca_host }}" - -- name: Retrieve the master cert tarball from the master - fetch: - src: "{{ openshift_master_generated_config_dir }}.tgz" - dest: "{{ g_master_mktemp.stdout }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - delegate_to: "{{ openshift_ca_host }}" - -- name: Ensure certificate directory exists - file: - path: "{{ openshift_master_config_dir }}" - state: directory - when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - -- name: Unarchive the tarball on the master - unarchive: - src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz" - dest: "{{ openshift_master_config_dir }}" - when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - -- file: name={{ g_master_mktemp.stdout }} state=absent - changed_when: False - when: master_certs_missing | bool - delegate_to: localhost diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml index 66f2e5162..3f18ddc79 100644 --- a/roles/openshift_master_certificates/vars/main.yml +++ b/roles/openshift_master_certificates/vars/main.yml @@ -1,5 +1,3 @@ --- openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs" -openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}" openshift_master_config_dir: "{{ openshift.common.config_base }}/master" -openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}" |
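Review bot: The second task hard-links `ca.key` into every per-master directory under `openshift_generated_configs_dir` and nothing on the new side removes it afterwards, so each per-master bundle keeps the CA signing key alongside the certificates it was only needed to sign; if these directories are what later gets shipped to the masters (the removed tarball/fetch tasks did exactly that), every master would receive the CA private key. The link is only needed for the `create-master-certs` call, so unlink it once that task has run. Separately, the last task picks the files to link from `hostvars[inventory_hostname]` while writing into `item.0.master_cert_subdir`, which presumably means the CA host's own fact set decides the file list for every master rather than `item.0`'s; confirm that is intended. Style: `mode: 0700` is an unquoted octal and relies on YAML 1.1 integer parsing; `mode: "0700"` is the safer spelling.

```yaml
# … unchanged: generated_configs directory, ca.* hard links, create-master-certs …
- name: Remove the CA signing key from the per-master generated config dirs
  file:
    path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}/ca.key"
    state: absent
  with_items: "{{ masters_needing_certs | default([]) }}"
# … unchanged: certificates_to_synchronize hard links …
```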