summaryrefslogtreecommitdiffstats
path: root/roles/openshift_master_certificates
diff options
context:
space:
mode:
Diffstat (limited to 'roles/openshift_master_certificates')
-rw-r--r--roles/openshift_master_certificates/README.md29
-rw-r--r--roles/openshift_master_certificates/meta/main.yml6
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml123
-rw-r--r--roles/openshift_master_certificates/vars/main.yml2
4 files changed, 29 insertions, 131 deletions
diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
index a80d47040..ba3d5f28c 100644
--- a/roles/openshift_master_certificates/README.md
+++ b/roles/openshift_master_certificates/README.md
@@ -1,44 +1,27 @@
OpenShift Master Certificates
========================
-This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped.
+TODO
Requirements
------------
+TODO
+
Role Variables
--------------
-From `openshift_ca`:
-
-| Name | Default value | Description |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
-
-From this role:
-
-| Name | Default value | Description |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. |
-| openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
-| openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. |
-| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. |
+TODO
Dependencies
------------
-* openshift_ca
+TODO
Example Playbook
----------------
-```
-- name: Create OpenShift Master Certificates
- hosts: masters
- roles:
- - role: openshift_master_certificates
- openshift_ca_host: master1.example.com
-```
+TODO
License
-------
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
index 90fc0fb10..fd7b73b0f 100644
--- a/roles/openshift_master_certificates/meta/main.yml
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description: OpenShift Master Certificates
+ description:
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.9.4
+ min_ansible_version: 1.8
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_ca
+- { role: openshift_master_ca }
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index dd105652b..394f9d381 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -1,121 +1,38 @@
---
-- set_fact:
- openshift_master_certs_no_etcd:
- - admin.crt
- - master.kubelet-client.crt
- - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
- - master.server.crt
- - openshift-master.crt
- - openshift-registry.crt
- - openshift-router.crt
- - etcd.server.crt
- openshift_master_certs_etcd:
- - master.etcd-client.crt
-
-- set_fact:
- openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
-
-- name: Check status of master certificates
- stat:
- path: "{{ openshift_master_config_dir }}/{{ item }}"
- with_items:
- - "{{ openshift_master_certs }}"
- register: g_master_cert_stat_result
-
-- set_fact:
- master_certs_missing: "{{ False in (g_master_cert_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
-
- name: Ensure the generated_configs directory present
file:
- path: "{{ openshift_master_generated_config_dir }}"
+ path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"
state: directory
mode: 0700
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ with_items: "{{ masters_needing_certs | default([]) }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item }}"
- dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+ dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
state: hard
- with_items:
- - ca.crt
- - ca.key
- - ca.serial.txt
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ with_nested:
+ - "{{ masters_needing_certs | default([]) }}"
+ -
+ - ca.crt
+ - ca.key
+ - ca.serial.txt
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_generated_config_dir }}
+ --hostnames={{ item.openshift.common.all_hostnames | join(',') }}
+ --master={{ item.openshift.master.api_url }}
+ --public-master={{ item.openshift.master.public_api_url }}
+ --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
--overwrite=false
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ when: item.master_certs_missing | bool
+ with_items: "{{ masters_needing_certs | default([]) }}"
- file:
- src: "{{ openshift_master_config_dir }}/{{ item }}"
- dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+ dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
state: hard
force: true
- with_items:
+ with_nested:
+ - "{{ masters_needing_certs | default([]) }}"
- "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
- when: master_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Remove generated etcd client certs when using external etcd
- file:
- path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
- state: absent
- when: openshift_master_etcd_hosts | length > 0
- with_items:
- - master.etcd-client.crt
- - master.etcd-client.key
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- register: g_master_mktemp
- changed_when: False
- when: master_certs_missing | bool
- delegate_to: localhost
-
-- name: Create a tarball of the master certs
- command: >
- tar -czvf {{ openshift_master_generated_config_dir }}.tgz
- -C {{ openshift_master_generated_config_dir }} .
- args:
- creates: "{{ openshift_master_generated_config_dir }}.tgz"
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the master cert tarball from the master
- fetch:
- src: "{{ openshift_master_generated_config_dir }}.tgz"
- dest: "{{ g_master_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ openshift_master_config_dir }}"
- state: directory
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- name: Unarchive the tarball on the master
- unarchive:
- src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
- dest: "{{ openshift_master_config_dir }}"
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- file: name={{ g_master_mktemp.stdout }} state=absent
- changed_when: False
- when: master_certs_missing | bool
- delegate_to: localhost
diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml
index 66f2e5162..3f18ddc79 100644
--- a/roles/openshift_master_certificates/vars/main.yml
+++ b/roles/openshift_master_certificates/vars/main.yml
@@ -1,5 +1,3 @@
---
openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"
openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}"