---
# Nearly every task in this file is delegated to the CA host, so refuse to
# continue when the caller has not named one.
- when: openshift_ca_host is not defined
  fail:
    msg: "openshift_ca_host variable must be defined for this role"
# A caller-supplied CA has to arrive as a complete cert/key pair. The two
# conditions below are AND-ed: the variable is set, and one of the keys is absent.
- when:
    - openshift_master_ca_certificate is defined
    - "'certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate"
  fail:
    msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
# Install the client package (source of the adm binary used below) on the CA
# host only; containerized installs skip this step. The install is retried
# until the package manager reports success.
- name: Install the base package for admin tooling
  when: not openshift_is_containerized | bool
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  register: install_result
  until: install_result is succeeded
  package:
    state: present
    name: "{{ openshift_service_type }}{{ openshift_pkg_version | default('') | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}"
# Re-read facts only when the package install above reported a change; the
# result is looked up through hostvars because that task ran on the CA host.
- name: Reload generated facts
  when: hostvars[openshift_ca_host].install_result | default({'changed':false}) is changed
  openshift_facts:
# Make sure the directory that will hold the CA material exists on the CA host.
- name: Create openshift_ca_config_dir if it does not exist
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  file:
    state: directory
    path: "{{ openshift_ca_config_dir }}"
# Probe for the three files that make up a complete CA; the per-file stat
# results feed the master_ca_missing fact computed in the next task.
- name: Determine if CA must be created
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  register: g_master_ca_stat_result
  with_items:
    - ca-bundle.crt
    - ca.crt
    - ca.key
  stat:
    path: "{{ openshift_ca_config_dir }}/{{ item }}"
# master_ca_missing is true when any of the probed CA files does not exist.
# The folded scalar collapses to a single Jinja expression at load time.
- run_once: true
  set_fact:
    master_ca_missing: >-
      {{ False in (g_master_ca_stat_result.results
      | lib_utils_oo_collect(attribute='stat.exists')
      | list) }}
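# On a certificate redeploy the serviceaccount signing keys are kept: stash a
# copy beside each file so it can be restored once the new certificates land.
# The backup contains a private key, so it is created readable by root only
# instead of inheriting the umask default for a new file.
# NOTE(review): unlike the surrounding tasks this one is not delegated to
# openshift_ca_host — confirm the play itself targets that host.
- name: Retain original serviceaccount keys
  copy:
    src: "{{ item }}"
    dest: "{{ item }}.keep"
    remote_src: true
    mode: "0600"
  with_items:
    - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
    - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
  when: openshift_certificates_redeploy | default(false) | bool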
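# Install a caller-supplied CA pair instead of generating one. force is off so
# an existing CA on the host is never clobbered by a re-run; as a consequence
# the mode below is only applied when the file is first written. The private
# key gets 0600, the certificate stays world-readable.
- name: Deploy master ca certificate
  when: openshift_master_ca_certificate is defined
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  copy:
    src: "{{ item.src }}"
    dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
    mode: "{{ item.mode }}"
    force: false
  with_items:
    - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
      dest: ca.crt
      mode: "0644"
    - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
      dest: ca.key
      mode: "0600"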
# Seed the serial file for a caller-supplied CA. It is rewritten only during a
# certificate redeploy (force follows the redeploy flag).
- name: Create ca serial
  when: openshift_master_ca_certificate is defined
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  copy:
    dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
    content: "00"
    force: "{{ openshift_certificates_redeploy | default(false) | bool }}"
# Collect CA certificates left behind by earlier releases; they are passed to
# the certificate tooling and into the client CA bundle further down.
- register: g_master_legacy_ca_result
  find:
    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
    use_regex: true
    patterns: ".*-ca.crt"
# This should NOT replace the CA due to --overwrite=false when a CA already exists.
# Named and legacy CA certificates found earlier are forwarded as extra
# --certificate-authority arguments. Runs when the stat probe found a CA file
# missing, or when a certificate redeploy was requested.
- name: Create the master certificates if they do not already exist
  when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  command: >
    {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm ca create-master-certs
    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
    --certificate-authority {{ legacy_ca_certificate }}
    {% endfor %}
    --hostnames={{ hostvars[openshift_ca_host].openshift.common.all_hostnames | join(',') }}
    --master={{ openshift.master.api_url }}
    --public-master={{ openshift.master.public_api_url }}
    --cert-dir={{ openshift_ca_config_dir }}
    --expire-days={{ openshift_master_cert_expire_days }}
    --signer-expire-days={{ openshift_ca_cert_expire_days }}
    --overwrite=false
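# Create client-ca-bundle.crt containing old and new OpenShift CA
# certificates. This bundle will be used when rolling the OpenShift CA
# certificate.
# delegate_to/run_once are set on the block so the mktemp call is also run
# exactly once on the CA host (previously only the copy/assemble tasks were),
# and the scratch directory is removed in always: so it does not accumulate
# in /tmp whether or not the assemble step succeeds.
- name: Create client-ca-bundle.crt
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  block:
    - command: mktemp -d /tmp/openshift-ansible-XXXXXX
      register: openshift_ca_clientconfig_tmpdir
    - copy:
        src: "{{ item }}"
        dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/"
        remote_src: true
      with_items: "{{ g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') }}"
    - copy:
        src: "{{ openshift_ca_config_dir }}/ca.crt"
        dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/"
        remote_src: true
    - assemble:
        src: "{{ openshift_ca_clientconfig_tmpdir.stdout }}"
        dest: "{{ openshift_ca_config_dir }}/client-ca-bundle.crt"
        mode: "0644"
        owner: root
        group: root
  always:
    # Guarded so a failed mktemp (empty stdout) never turns into a delete of "".
    - file:
        path: "{{ openshift_ca_clientconfig_tmpdir.stdout }}"
        state: absent
      when:
        - openshift_ca_clientconfig_tmpdir.stdout is defined
        - openshift_ca_clientconfig_tmpdir.stdout != ''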
# Read the current loopback kubeconfig so the next block can tell whether the
# expected context already exists. Purely a read, hence changed_when: false.
- name: Test local loopback context
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  changed_when: false
  register: loopback_config
  command: >
    {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} config view
    --config={{ openshift_master_loopback_config }}
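# create-api-client-config generates a ca.crt file which will
# overwrite the OpenShift CA certificate. Generate the loopback
# kubeconfig in a temporary directory and then copy files into the
# master config dir to avoid overwriting ca.crt.
# The temp directory holds the freshly minted private key, so it is removed
# from an always: section rather than as the last task of the block — a
# failure part-way through must not leave that key behind in /tmp. The copied
# key and kubeconfig (which embeds the key) are written root-only; the cert
# stays world-readable.
- block:
    - name: Create temp directory for loopback master client config
      command: mktemp -d /tmp/openshift-ansible-XXXXXX
      register: openshift_ca_loopback_tmpdir
    - name: Generate the loopback master client config
      command: >
        {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm create-api-client-config
        --certificate-authority={{ openshift_ca_cert }}
        {% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
        --certificate-authority {{ named_ca_certificate }}
        {% endfor %}
        --client-dir={{ openshift_ca_loopback_tmpdir.stdout }}
        --groups=system:masters,system:openshift-master
        --master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
        --public-master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
        --signer-cert={{ openshift_ca_cert }}
        --signer-key={{ openshift_ca_key }}
        --signer-serial={{ openshift_ca_serial }}
        --user=system:openshift-master
        --basename=openshift-master
        --expire-days={{ openshift_master_cert_expire_days }}
    - name: Copy generated loopback master client config to master config dir
      copy:
        src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item.name }}"
        dest: "{{ openshift_ca_config_dir }}"
        remote_src: true
        mode: "{{ item.mode }}"
      with_items:
        - name: openshift-master.crt
          mode: "0644"
        - name: openshift-master.key
          mode: "0600"
        - name: openshift-master.kubeconfig
          mode: "0600"
  always:
    # Guarded so a failed mktemp (empty stdout) never turns into a delete of "".
    - name: Delete temp directory
      file:
        path: "{{ openshift_ca_loopback_tmpdir.stdout }}"
        state: absent
      when:
        - openshift_ca_loopback_tmpdir.stdout is defined
        - openshift_ca_loopback_tmpdir.stdout != ''
  when: loopback_context_string not in loopback_config.stdout
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true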
# Put the serviceaccount keys saved earlier back in place after a redeploy.
# NOTE(review): not delegated to openshift_ca_host, unlike most tasks here —
# confirm the play targets that host.
- name: Restore original serviceaccount keys
  when: openshift_certificates_redeploy | default(false) | bool
  with_items:
    - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
    - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
  copy:
    remote_src: true
    src: "{{ item }}.keep"
    dest: "{{ item }}"
# Drop the .keep copies now that the originals are restored; the backup of the
# private key should not outlive the redeploy.
- name: Remove backup serviceaccount keys
  when: openshift_certificates_redeploy | default(false) | bool
  with_items:
    - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
    - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
  file:
    state: absent
    path: "{{ item }}.keep"