From 96dea4b4a63e550248eeb404360514fed6cb08b0 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Wed, 5 Jul 2017 17:11:12 -0500 Subject: Synching certs and aggregator configs from first master to all other masters --- .../common/openshift-cluster/service_catalog.yml | 18 ++-- roles/openshift_service_catalog/tasks/install.yml | 1 - .../tasks/wire_aggregator.yml | 107 ++++++++++++++++++++- 3 files changed, 116 insertions(+), 10 deletions(-) diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml index 85c7248e9..68ca6cdbf 100644 --- a/playbooks/common/openshift-cluster/service_catalog.yml +++ b/playbooks/common/openshift-cluster/service_catalog.yml @@ -1,16 +1,20 @@ --- - include: evaluate_groups.yml -- name: Service Catalog - hosts: oo_first_master - roles: - - openshift_service_catalog - - ansible_service_broker - - name: Update Master configs - hosts: oo_masters:!oo_first_master + hosts: oo_masters tasks: - block: - include_role: name: openshift_service_catalog tasks_from: wire_aggregator + vars: + first_master: "{{ groups.oo_first_master[0] }}" + +- name: Service Catalog + hosts: oo_first_master + roles: + - openshift_service_catalog + - ansible_service_broker + vars: + first_master: "{{ groups.oo_first_master[0] }}" diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 6e8301ffe..1342c3d30 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -6,7 +6,6 @@ register: mktemp changed_when: False - - include: wire_aggregator.yml - name: Set default image variables based on deployment_type diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml index 3e5897ba4..b8b8d0863 100644 --- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml +++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml @@ -1,16 +1,82 @@ --- +- name: Make temp cert dir + command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX + register: certtemp + changed_when: False + +- name: Check for First Master Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_crt + changed_when: false + delegate_to: "{{ first_master }}" + +- name: Check for First Master Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_key + changed_when: false + delegate_to: "{{ first_master }}" + + # TODO: this currently has a bug where hostnames are required -- name: Creating Aggregator signer certs +- name: Creating First Master Aggregator signer certs command: > oc adm ca create-signer-cert --cert=/etc/origin/master/front-proxy-ca.crt --key=/etc/origin/master/front-proxy-ca.key --serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_proxy_ca_crt.stat.exists + - not first_proxy_ca_key.stat.exists + +- name: Check for Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_crt + changed_when: false + +- name: Check for Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_key + changed_when: false + +- name: Copy Aggregator Signer certs from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + delegate_to: "{{ first_master }}" + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + +- name: Copy Aggregator Signer certs to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + # oc_adm_ca_server_cert: # cert: /etc/origin/master/front-proxy-ca.crt # key: /etc/origin/master/front-proxy-ca.key -- name: Create api-client config for Aggregator +- name: Check for first master api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: first_front_proxy_kubeconfig + delegate_to: "{{ first_master }}" + +- name: Create first master api-client config for Aggregator command: > oc adm create-api-client-config --certificate-authority=/etc/origin/master/front-proxy-ca.crt @@ -19,6 +85,37 @@ --user aggregator-front-proxy --client-dir=/etc/origin/master --signer-serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_front_proxy_kubeconfig.stat.exists + +- name: Check for api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: front_proxy_kubeconfig + +- name: Copy api-client config from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + delegate_to: "{{ first_master }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists + +- name: Copy api-client config to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists - name: Update master config yedit: @@ -84,3 +181,9 @@ changed_when: false when: - yedit_output.changed + +- name: Delete temp directory + file: + name: "{{ certtemp.stdout }}" + state: absent + changed_when: False -- cgit v1.2.3