authorOpenShift Bot <eparis+openshiftbot@redhat.com>2017-03-29 15:31:42 -0500
committerGitHub <noreply@github.com>2017-03-29 15:31:42 -0500
commit6f0c06028dae9b277de409f7bc7eebca5c9bd29e (patch)
tree108af18675c3d7c2d5c1856ba0d96c3d9976f5ec /roles/openshift_ca
parent403b5c5545b9b07e7a4416e5a63609512ddaa224 (diff)
parent638e4198f80e6e2705c7a5e865e7d39112d1f42a (diff)
Merge pull request #3581 from php-coder/set_cert_expiration_date
Merged by openshift-bot
Diffstat (limited to 'roles/openshift_ca')
-rw-r--r--roles/openshift_ca/README.md2
-rw-r--r--roles/openshift_ca/defaults/main.yml3
-rw-r--r--roles/openshift_ca/tasks/main.yml6
3 files changed, 10 insertions, 1 deletions
diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md
index 96c9cd5f2..dfbe81c6c 100644
--- a/roles/openshift_ca/README.md
+++ b/roles/openshift_ca/README.md
@@ -19,6 +19,8 @@ From this role:
| openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. |
| openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. |
| openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. |
+| openshift_master_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
+| openshift_ca_cert_expire_days | `1825` (5 years) | Validity of the CA certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
Dependencies
------------
diff --git a/roles/openshift_ca/defaults/main.yml b/roles/openshift_ca/defaults/main.yml
new file mode 100644
index 000000000..ecfcc88b3
--- /dev/null
+++ b/roles/openshift_ca/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+openshift_ca_cert_expire_days: 1825
+openshift_master_cert_expire_days: 730
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index 70c2a9121..3b17d9ed6 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -88,7 +88,7 @@
# This should NOT replace the CA due to --overwrite=false when a CA already exists.
- name: Create the master certificates if they do not already exist
command: >
- {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-master-certs
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
@@ -99,6 +99,10 @@
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
--cert-dir={{ openshift_ca_config_dir }}
+ {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+ --expire-days={{ openshift_master_cert_expire_days }}
+ --signer-expire-days={{ openshift_ca_cert_expire_days }}
+ {% endif %}
--overwrite=false
when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
delegate_to: "{{ openshift_ca_host }}"
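Review bot: The added `--signer-expire-days={{ openshift_ca_cert_expire_days }}` is passed on every run, yet the comment above this task says the CA is never replaced once it exists because of `--overwrite=false`, so the CA expiry presumably only takes effect on the very first CA creation and is silently ignored on later runs and on `openshift_certificates_redeploy`; confirm this against the `oc adm ca create-master-certs` behaviour and, if so, state it both in the README row and in a comment next to the flag, e.g. `# --signer-expire-days only influences a newly created CA; an existing CA keeps its validity (see --overwrite=false).` Neither variable is validated before being interpolated into the command, so a non-integer or non-positive inventory value surfaces only as an opaque oc error; an `assert` task with `that: "openshift_master_cert_expire_days | int > 0 and openshift_ca_cert_expire_days | int > 0"` ahead of this task would fail early with a clear message. The version gate also drops both flags silently on releases before 3.5/1.5, which is worth a `debug` message or comment so operators do not assume their configured expiry was applied. The task definition begins in the previous hunk.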