diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2018-02-06 07:40:55 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-06 07:40:55 -0800 |
commit | d512d781be3530997522fb38ba29ee7f33eae5c8 (patch) | |
tree | 6156269eceba0af6d9b434737cbb63940dd9b0af /playbooks/openshift-etcd | |
parent | f048e7dec959cd3a0d10d007d1afaa62864172e0 (diff) | |
parent | 43138470ca05806403bd9ad1b99e0e581307b191 (diff) | |
download | openshift-d512d781be3530997522fb38ba29ee7f33eae5c8.tar.gz openshift-d512d781be3530997522fb38ba29ee7f33eae5c8.tar.bz2 openshift-d512d781be3530997522fb38ba29ee7f33eae5c8.tar.xz openshift-d512d781be3530997522fb38ba29ee7f33eae5c8.zip |
Merge pull request #7018 from mtnbikenc/refactor-cert-SAN
Automatic merge from submit-queue.
Move cert SAN update logic to openshift-etcd
Recent additions for checking certificate SAN validation were added to the upgrade playbooks and should be moved to the openshift-etcd playbooks to ensure this check is performed when the openshift-etcd upgrade playbook is run directly, vice only when running a full control plane upgrade. Additionally, the formerly included playbook for redeploying certificates called the main entry point playbook which caused the initialization playbooks to be called twice.
Diffstat (limited to 'playbooks/openshift-etcd')
-rw-r--r-- | playbooks/openshift-etcd/private/upgrade_main.yml | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/playbooks/openshift-etcd/private/upgrade_main.yml b/playbooks/openshift-etcd/private/upgrade_main.yml index 8997680f9..fea588260 100644 --- a/playbooks/openshift-etcd/private/upgrade_main.yml +++ b/playbooks/openshift-etcd/private/upgrade_main.yml @@ -1,4 +1,37 @@ --- +# Prior to 3.6, openshift-ansible created etcd serving certificates +# without a SubjectAlternativeName entry for the system hostname. The +# SAN list in Go 1.8 is now (correctly) authoritative and since +# openshift-ansible configures masters to talk to etcd hostnames +# rather than IP addresses, we must correct etcd certificates. +# +# This play examines the etcd serving certificate SANs on each etcd +# host and records whether or not the system hostname is missing. +- name: Examine etcd serving certificate SAN + hosts: oo_etcd_to_config + tasks: + - slurp: + src: /etc/etcd/server.crt + register: etcd_serving_cert + - set_fact: + __etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}" + +# Redeploy etcd certificates when hostnames were missing from etcd +# serving certificate SANs. +- import_playbook: redeploy-certificates.yml + when: + - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) + +- import_playbook: restart.yml + vars: + g_etcd_certificates_expired: "{{ ('expired' in (hostvars | lib_utils_oo_select_keys(groups['etcd']) | lib_utils_oo_collect('check_results.check_results.etcd') | lib_utils_oo_collect('health'))) | bool }}" + when: + - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) + +- import_playbook: ../../openshift-master/private/restart.yml + when: + - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) + # For 1.4/3.4 we want to upgrade everyone to etcd-3.0. etcd docs say to # upgrade from 2.0.x to 2.1.x to 2.2.x to 2.3.x to 3.0.x. While this is a tedius # task for RHEL and CENTOS it's simply not possible in Fedora unless you've |