diff options
author | Brenton Leanhardt <bleanhar@redhat.com> | 2016-01-06 14:30:09 -0500 |
---|---|---|
committer | Brenton Leanhardt <bleanhar@redhat.com> | 2016-01-06 14:30:09 -0500 |
commit | 31a18b4e6096451bd81603b92a2d4cf7d21cecef (patch) | |
tree | 26137b20f9df24d47958948baffd3b56880c9b03 /playbooks/common/openshift-master | |
parent | af803894ad2e214948264d105f539bb7514e92ce (diff) | |
parent | 82db6897085a1278e6b982a403875ed8671190bb (diff) | |
download | openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.gz openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.bz2 openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.xz openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.zip |
Merge pull request #1018 from abutcher/secrets
Clean up idempotency issues with session secrets.
Diffstat (limited to 'playbooks/common/openshift-master')
-rw-r--r-- | playbooks/common/openshift-master/config.yml | 49 |
1 files changed, 26 insertions, 23 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 759656e63..677c274c4 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -236,29 +236,32 @@ - role: haproxy when: groups.oo_masters_to_config | length > 1 -- name: Generate master session keys +- name: Check for cached session secrets hosts: oo_first_master + roles: + - role: openshift_facts + post_tasks: + - openshift_facts: + role: master + local_facts: + session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(openshift.master.session_auth_secrets | default(None)) }}" + session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(openshift.master.session_encryption_secrets | default(None)) }}" + +- name: Generate master session secrets + hosts: oo_first_master + vars: + g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}" + g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}" + g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}" + roles: + - role: openshift_facts tasks: - - fail: - msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - - fail: - msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) - - name: Install OpenSSL package - action: "{{ ansible_pkg_mgr }} name=openssl state=present" - when: not openshift.common.is_atomic | bool - - name: Generate session authentication key - command: /usr/bin/openssl rand -base64 24 - register: session_auth_output - when: openshift_master_session_auth_secrets is undefined - - name: Generate session encryption key - command: /usr/bin/openssl rand -base64 24 - register: session_encryption_output - when: openshift_master_session_encryption_secrets is undefined - - set_fact: - session_auth_secret: "{{ openshift_master_session_auth_secrets | default([session_auth_output.stdout]) }}" - session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default([session_encryption_output.stdout]) }}" + - openshift_facts: + role: master + local_facts: + session_auth_secrets: "{{ g_session_auth_secrets }}" + session_encryption_secrets: "{{ g_session_encryption_secrets }}" + when: not g_session_secrets_present | bool - name: Parse named certificates hosts: localhost @@ -314,8 +317,8 @@ sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" openshift_master_count: "{{ groups.oo_masters_to_config | length }}" - openshift_master_session_auth_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_auth_secret'] }}" - openshift_master_session_encryption_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_encryption_secret'] }}" + openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}" + openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}" pre_tasks: - name: Ensure certificate directory exists file: |