From 02cf4ef8e279602190ae991f028dc36793747e9e Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Fri, 5 Feb 2016 12:47:29 -0500 Subject: Generate each master's certificates separately. --- playbooks/common/openshift-master/config.yml | 10 ++----- roles/openshift_master_ca/tasks/main.yml | 2 +- roles/openshift_master_certificates/tasks/main.yml | 34 ++++------------------ 3 files changed, 9 insertions(+), 37 deletions(-) diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 44bb4313a..2931af253 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -1,6 +1,6 @@ --- - name: Set master facts and determine if external etcd certs need to be generated - hosts: oo_first_master:oo_masters_to_config + hosts: oo_masters_to_config pre_tasks: - name: Check for RPM generated config marker file .config_managed stat: @@ -186,10 +186,6 @@ masters_needing_certs: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master'])) | oo_filter_list(filter_attr='master_certs_missing') }}" - master_hostnames: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config']) - | oo_collect('openshift.common.all_hostnames') - | oo_flatten | unique }}" sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" roles: - openshift_master_certificates @@ -343,12 +339,12 @@ file: path: "{{ openshift.common.config_base }}/master" state: directory - when: master_certs_missing and 'oo_first_master' not in group_names + when: master_certs_missing | bool and 'oo_first_master' not in group_names - name: Unarchive the tarball on the master unarchive: src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz" dest: "{{ master_cert_config_dir }}" - when: master_certs_missing and 'oo_first_master' not in group_names + when: master_certs_missing | bool and 'oo_first_master' not in group_names roles: - openshift_master - role: nickhammond.logrotate diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml index 6d9be81c0..66960e73e 100644 --- a/roles/openshift_master_ca/tasks/main.yml +++ b/roles/openshift_master_ca/tasks/main.yml @@ -25,4 +25,4 @@ --master={{ openshift.master.api_url }} --public-master={{ openshift.master.public_api_url }} --cert-dir={{ openshift_master_config_dir }} --overwrite=false - when: master_certs_missing + when: master_certs_missing | bool diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 7c58e943a..72869a592 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -6,40 +6,16 @@ mode: 0700 with_items: masters_needing_certs -- set_fact: - master_certificates: - - ca.crt - - ca.key - - ca.serial.txt - - admin.crt - - admin.key - - admin.kubeconfig - - master.kubelet-client.crt - - master.kubelet-client.key - - master.server.crt - - master.server.key - - openshift-master.crt - - openshift-master.key - - openshift-master.kubeconfig - - openshift-registry.crt - - openshift-registry.key - - openshift-registry.kubeconfig - - openshift-router.crt - - openshift-router.key - - openshift-router.kubeconfig - - serviceaccounts.private.key - - serviceaccounts.public.key - master_31_certificates: - - master.proxy-client.crt - - master.proxy-client.key - - file: src: "{{ openshift_master_config_dir }}/{{ item.1 }}" dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" state: hard with_nested: - masters_needing_certs - - "{{ master_certificates | union(master_31_certificates) if openshift.common.version_gte_3_1_or_1_1 | bool else master_certificates }}" + - + - ca.crt + - ca.key + - ca.serial.txt - name: Create the master certificates if they do not already exist command: > @@ -49,5 +25,5 @@ --public-master={{ item.openshift.master.public_api_url }} --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }} --overwrite=false - when: master_certs_missing + when: item.master_certs_missing | bool with_items: masters_needing_certs -- cgit v1.2.3