authorAndrew Butcher <abutcher@redhat.com>2016-01-06 13:01:25 -0500
committerAndrew Butcher <abutcher@redhat.com>2016-01-06 13:28:20 -0500
commit82db6897085a1278e6b982a403875ed8671190bb (patch)
tree52c112891b849ce5fdf7a4f3229d0f50d8622025
parent62fcc9436db024d189f3ff8107aeb7e2a1ae812f (diff)
Move extra secret validations into openshift_facts.
-rw-r--r--playbooks/common/openshift-master/config.yml9
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py18
-rw-r--r--roles/openshift_master/tasks/main.yml10
3 files changed, 15 insertions, 22 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 0334a002e..a41f489ea 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -238,15 +238,6 @@
- name: Check for cached session secrets
hosts: oo_first_master
- pre_tasks:
- - fail:
- msg: >
- Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
- - fail:
- msg: >
- openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
roles:
- role: openshift_facts
post_tasks:
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 133de758f..9cebbcce1 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1259,9 +1259,8 @@ class OpenShiftFacts(object):
if new_local_facts != local_facts:
self.validate_local_facts(new_local_facts)
-
+ changed = True
if not module.check_mode:
- changed = True
save_local_facts(self.filename, new_local_facts)
self.changed = changed
@@ -1284,7 +1283,9 @@ class OpenShiftFacts(object):
# disabling pylint errors for line-too-long since we're dealing
# with best effort reduction of error messages here.
- # pylint: disable=line-too-long
+ # disabling errors for too-many-branches since we require checking
+ # many conditions.
+ # pylint: disable=line-too-long, too-many-branches
@staticmethod
def validate_master_facts(facts, invalid_facts):
""" Validate master facts
@@ -1302,6 +1303,13 @@ class OpenShiftFacts(object):
session_auth_secrets = facts['master']['session_auth_secrets']
if not issubclass(type(session_auth_secrets), list):
invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+ elif 'session_encryption_secrets' not in facts['master']:
+ invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set '
+ 'if openshift_master_session_auth_secrets is provided.')
+ elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):
+ invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and '
+ 'openshift_master_session_encryption_secrets must be '
+ 'equal length.')
else:
for secret in session_auth_secrets:
if len(secret) < 32:
@@ -1312,6 +1320,10 @@ class OpenShiftFacts(object):
session_encryption_secrets = facts['master']['session_encryption_secrets']
if not issubclass(type(session_encryption_secrets), list):
invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+ elif 'session_auth_secrets' not in facts['master']:
+ invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be '
+ 'set if openshift_master_session_encryption_secrets '
+ 'is provided.')
else:
for secret in session_encryption_secrets:
if len(secret) not in [16, 24, 32]:
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index a3cddfd63..397122631 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -9,16 +9,6 @@
Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }}
when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods
-# Session Options Validation
-- fail:
- msg: >
- Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
-- fail:
- msg: >
- openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
-
# HA Variable Validation
- fail:
msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations"