diff options
Diffstat (limited to 'playbooks/common/openshift-cluster/redeploy-certificates/router.yml')
| -rw-r--r-- | playbooks/common/openshift-cluster/redeploy-certificates/router.yml | 141 |
1 files changed, 0 insertions, 141 deletions
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml deleted file mode 100644 index 2116c745c..000000000 --- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml +++ /dev/null @@ -1,141 +0,0 @@ ---- -- name: Update router certificates - hosts: oo_first_master - vars: - roles: - - lib_openshift - tasks: - - name: Create temp directory for kubeconfig - command: mktemp -d /tmp/openshift-ansible-XXXXXX - register: router_cert_redeploy_tempdir - changed_when: false - - - name: Copy admin client config(s) - command: > - cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig - changed_when: false - - - name: Determine if router exists - command: > - {{ openshift.common.client_binary }} get dc/router -o json - --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig - -n default - register: l_router_dc - failed_when: false - changed_when: false - - - name: Determine if router service exists - command: > - {{ openshift.common.client_binary }} get svc/router -o json - --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig - -n default - register: l_router_svc - failed_when: false - changed_when: false - - - name: Collect router environment variables and secrets - set_fact: - router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env'] - | oo_collect('name')) - | default([]) }}" - router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes'] - | oo_collect('secret') - | oo_collect('secretName')) - | default([]) }}" - changed_when: false - when: l_router_dc.rc == 0 - - - name: Collect router service annotations - set_fact: - router_service_annotations: "{{ (l_router_svc.stdout | from_json)['metadata']['annotations'] if 'annotations' in (l_router_svc.stdout | from_json)['metadata'] else [] }}" - when: l_router_svc.rc == 0 - - - name: Update router environment variables - shell: > - {{ openshift.common.client_binary }} env dc/router - OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)" - OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)" - OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)" - --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig - -n default - when: - - l_router_dc.rc == 0 - - ('OPENSHIFT_CA_DATA' in router_env_vars) - - ('OPENSHIFT_CERT_DATA' in router_env_vars) - - ('OPENSHIFT_KEY_DATA' in router_env_vars) - - # When the router service contains service signer annotations we - # will delete the existing certificate secret and allow OpenShift to - # replace the secret. - - block: - - name: Delete existing router certificate secret - oc_secret: - kubeconfig: "{{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig" - name: router-certs - namespace: default - state: absent - run_once: true - - - name: Remove router service annotations - command: > - {{ openshift.common.client_binary }} annotate service/router - service.alpha.openshift.io/serving-cert-secret-name- - service.alpha.openshift.io/serving-cert-signed-by- - --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig - -n default - - - name: Add serving-cert-secret annotation to router service - command: > - {{ openshift.common.client_binary }} annotate service/router - service.alpha.openshift.io/serving-cert-secret-name=router-certs - --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig - -n default - when: - - l_router_dc.rc == 0 - - l_router_svc.rc == 0 - - ('router-certs' in router_secrets) - - openshift_hosted_router_certificate is undefined - - ('service.alpha.openshift.io/serving-cert-secret-name') in router_service_annotations - - ('service.alpha.openshift.io/serving-cert-signed-by') in router_service_annotations - - # When there are no annotations on the router service we will allow - # the openshift_hosted role to either create a new wildcard - # certificate (since we deleted the original) or reapply a custom - # openshift_hosted_router_certificate. - - file: - path: "{{ item }}" - state: absent - with_items: - - /etc/origin/master/openshift-router.crt - - /etc/origin/master/openshift-router.key - when: - - l_router_dc.rc == 0 - - l_router_svc.rc == 0 - - ('router-certs' in router_secrets) - - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations - - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations - - - include_role: - name: openshift_hosted - tasks_from: main - vars: - openshift_hosted_manage_registry: false - when: - - l_router_dc.rc == 0 - - l_router_svc.rc == 0 - - ('router-certs' in router_secrets) - - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations - - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations - - - name: Redeploy router - command: > - {{ openshift.common.client_binary }} deploy dc/router - --latest - --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig - -n default - - - name: Delete temp directory - file: - name: "{{ router_cert_redeploy_tempdir.stdout }}" - state: absent - changed_when: False |