| author | Scott Dodson <sdodson@redhat.com> | 2017-01-18 13:44:33 -0500 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-01-18 13:44:33 -0500 | 
| commit | 2b73c9713cd816a6095e40e10d664eff68c8e206 (patch) | |
| tree | 1bb7aa0fb99a3f8132e53a8898fbd57e171b71e1 | |
| parent | f133c863a0ca657b7e0c87c117428e053ac74db0 (diff) | |
| parent | c25212b12ef7f7bd785f2a476f917eb439e3600a (diff) | |
Merge pull request #3100 from abutcher/serials
Serialize cert creation in delegated commands
| -rw-r--r-- | filter_plugins/openshift_master.py | 4 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/redeploy-certificates.yml | 4 | ||||
| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 4 | ||||
| -rw-r--r-- | roles/openshift_ca/tasks/main.yml | 2 | ||||
| -rw-r--r-- | roles/openshift_master_certificates/tasks/main.yml | 57 | ||||
| -rw-r--r-- | roles/openshift_node_certificates/tasks/main.yml | 26 | 
6 files changed, 58 insertions, 39 deletions
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index 437f4c400..f71d9b863 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -517,7 +517,9 @@ class FilterModule(object):
         ''' Return certificates to synchronize based on facts. '''
         if not issubclass(type(hostvars), dict):
             raise errors.AnsibleFilterError("|failed expects hostvars is a dict")
-        certs = ['admin.crt',
+        certs = ['ca.crt',
+                 'ca.key',
+                 'admin.crt',
                  'admin.key',
                  'admin.kubeconfig',
                  'master.kubelet-client.crt',
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates.yml b/playbooks/common/openshift-cluster/redeploy-certificates.yml
index 6e3e04a6b..2383836d4 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates.yml
@@ -108,10 +108,6 @@
                                      | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
                                      | oo_collect('openshift.common.hostname')
                                      | default(none, true) }}"
-    openshift_master_hostnames: "{{ hostvars
-                                    | oo_select_keys(groups['oo_masters_to_config'] | default([]))
-                                    | oo_collect('openshift.common.all_hostnames')
-                                    | oo_flatten | unique }}"
     openshift_certificates_redeploy: true
   - role: openshift_etcd_client_certificates
     etcd_certificates_redeploy: true
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 39d64a126..de36fd263 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
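Review bot: `ca.key`, added at the top of `certs`, is the CA's private signing key, but the list gives no hint that it differs from the public certificates around it, and the docstring on the first context line only says "certificates to synchronize". Put a comment above the two new entries, e.g. `# ca.crt/ca.key: the cluster CA pair; ca.key is a private signing key, not a public cert`, so that anyone extending the list or its consumer knows a secret is being copied and must keep its file mode. The function that builds this list starts before the hunk, so its docstring is not visible here; it should state that private keys are included as well.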
@@ -134,10 +134,6 @@
                                      | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
                                      | oo_collect('openshift.common.hostname')
                                      | default(none, true) }}"
-    openshift_master_hostnames: "{{ hostvars
-                                    | oo_select_keys(groups['oo_masters_to_config'] | default([]))
-                                    | oo_collect('openshift.common.all_hostnames')
-                                    | oo_flatten | unique }}"
     openshift_master_hosts: "{{ groups.oo_masters_to_config }}"
     etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
     etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e2a12e5ff..e21397170 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -86,7 +86,7 @@
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
     --certificate-authority {{ named_ca_certificate }}
     {% endfor %}
-    --hostnames={{ openshift_master_hostnames | join(',') }}
+    --hostnames={{ openshift.common.all_hostnames | join(',') }}
     --master={{ openshift.master.api_url }}
     --public-master={{ openshift.master.public_api_url }}
     --cert-dir={{ openshift_ca_config_dir }}
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index e9b7de330..a1688aabc 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -30,7 +30,6 @@
                                               | oo_collect(attribute='stat.exists')
                                               | list)) }}"
-
 - name: Ensure the generated_configs directory present
   file:
     path: "{{ openshift_master_generated_config_dir }}"
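Review bot: The `--hostnames=` line in `roles/openshift_ca/tasks/main.yml` now puts only the CA host's own `openshift.common.all_hostnames` into the certificate, where the removed `openshift_master_hostnames` (deleted in the two playbook hunks above) aggregated every master's names. That is consistent with the per-master server certificates this commit introduces in `roles/openshift_master_certificates`, but it should be confirmed that any cluster-wide API name clients connect to (a load-balanced master hostname, if one is configured) is part of the CA host's `all_hostnames`, because a name that was previously present only through another master's facts is no longer among this certificate's SANs. A one-line comment above the `--hostnames=` line, such as `# only this host's names: the other masters get their own server certs from openshift_master_certificates`, would stop someone re-adding the aggregated list. The task this command belongs to starts before the hunk.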
@@ -39,30 +38,50 @@
   when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
   delegate_to: "{{ openshift_ca_host }}"
-- file:
-    src: "{{ openshift_master_config_dir }}/{{ item }}"
-    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
-    state: hard
-  with_items:
-  - ca.crt
-  - ca.key
-  - ca.serial.txt
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create the master certificates if they do not already exist
+- name: Create the master server certificate
   command: >
-    {{ openshift.common.client_binary }} adm create-master-certs
+    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
     --certificate-authority {{ named_ca_certificate }}
     {% endfor %}
-    --hostnames={{ openshift.common.all_hostnames | join(',') }}
-    --master={{ openshift.master.api_url }}
-    --public-master={{ openshift.master.public_api_url }}
-    --cert-dir={{ openshift_master_generated_config_dir }}
+    --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
+    --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
+    --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
+    --signer-cert={{ openshift_ca_cert }}
+    --signer-key={{ openshift_ca_key }}
+    --signer-serial={{ openshift_ca_serial }}
     --overwrite=false
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_masters_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+                  | difference([openshift_ca_host])}}"
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- name: Generate the master client config
+  command: >
+    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
+      {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+      --certificate-authority {{ named_ca_certificate }}
+      {% endfor %}
+      --certificate-authority={{ openshift_ca_cert }}
+      --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
+      --groups=system:masters,system:openshift-master
+      --master={{ openshift.master.api_url }}
+      --public-master={{ openshift.master.public_api_url }}
+      --signer-cert={{ openshift_ca_cert }}
+      --signer-key={{ openshift_ca_key }}
+      --signer-serial={{ openshift_ca_serial }}
+      --user=system:openshift-master
+      --basename=openshift-master
+  args:
+    creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_masters_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+                  | difference([openshift_ca_host])}}"
   delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
 - file:
     src: "{{ openshift_master_config_dir }}/{{ item }}"
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 717bf3cea..a263f4f3a 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
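Review bot: In the new `Generate the master client config` task, `--master={{ openshift.master.api_url }}`, `--public-master={{ openshift.master.public_api_url }}` and the `named_certificates` loop read the facts of whichever host the play is executing on, while `--client-dir`, `--hostnames` and `--user` in the same task read `hostvars[item]`; with `run_once: true` the loop runs on a single host, so every master's `openshift-master.kubeconfig` is generated against that one host's API URL, where the replaced `create-master-certs` task used each master's own. Unless `api_url` and `public_api_url` are known to be identical on all masters, these lines should be `--master={{ hostvars[item].openshift.master.api_url }}` and `--public-master={{ hostvars[item].openshift.master.public_api_url }}`, and the `{% for %}` loop in both tasks should iterate `hostvars[item].openshift.master.named_certificates`. Separately, the `Create the master server certificate` task has no `args: creates:` guard unlike the task below it, so it is reported changed on every run even when `--overwrite=false` leaves the files alone; `creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt"` would match the sibling task, provided the redeploy flow clears that directory first.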
@@ -49,32 +49,38 @@
       --certificate-authority {{ named_ca_certificate }}
       {% endfor %}
       --certificate-authority={{ openshift_ca_cert }}
-      --client-dir={{ openshift_node_generated_config_dir }}
+      --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
       --groups=system:nodes
       --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
       --signer-cert={{ openshift_ca_cert }}
       --signer-key={{ openshift_ca_key }}
       --signer-serial={{ openshift_ca_serial }}
-      --user=system:node:{{ openshift.common.hostname }}
+      --user=system:node:{{ hostvars[item].openshift.common.hostname }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}"
-  when: node_certs_missing | bool
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_nodes_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
   delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
 - name: Generate the node server certificate
   command: >
     {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
-    --cert={{ openshift_node_generated_config_dir }}/server.crt
-    --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+    --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
+    --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
     --overwrite=true
-    --hostnames={{ openshift.common.hostname }},{{ openshift.common.public_hostname }},{{ openshift.common.ip }},{{ openshift.common.public_ip }}
+    --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
     --signer-cert={{ openshift_ca_cert }}
     --signer-key={{ openshift_ca_key }}
     --signer-serial={{ openshift_ca_serial }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}/server.crt"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host}}"
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt"
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_nodes_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
 - name: Create local temp directory for syncing certs
   local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
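Review bot: The three-line `with_items:` expression that selects the nodes with `node_certs_missing` is written out twice in this hunk (client config and server certificate tasks), and the master role on this page repeats its own variant twice as well; a typo in one copy would quietly sign for a different set of hosts than the other. Evaluate it once in a `set_fact` with `run_once: true` ahead of these tasks (say `nodes_missing_certs`) and use `with_items: "{{ nodes_missing_certs }}"` in both, so the two loops cannot drift apart. Also, the new `creates:` on the client-config task names the per-node directory rather than a file the command writes, so a directory left behind by an interrupted run would make the next pass skip regeneration; guarding on the kubeconfig the command produces, as the master role does with `openshift-master.kubeconfig`, is the safer condition. The client-config `command:` starts before the hunk.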
