diff options
Diffstat (limited to 'roles/openshift_ca/tasks/main.yml')
| -rw-r--r-- | roles/openshift_ca/tasks/main.yml | 181 |
1 files changed, 181 insertions, 0 deletions
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml new file mode 100644 index 000000000..419679bc2 --- /dev/null +++ b/roles/openshift_ca/tasks/main.yml @@ -0,0 +1,181 @@ +--- +- fail: + msg: "openshift_ca_host variable must be defined for this role" + when: openshift_ca_host is not defined + +- fail: + msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate" + when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate) + +- name: Install the base package for admin tooling + package: + name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present + when: not openshift.common.is_containerized | bool + register: install_result + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Reload generated facts + openshift_facts: + when: install_result | changed + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Create openshift_ca_config_dir if it does not exist + file: + path: "{{ openshift_ca_config_dir }}" + state: directory + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Determine if CA must be created + stat: + path: "{{ openshift_ca_config_dir }}/{{ item }}" + register: g_master_ca_stat_result + with_items: + - ca-bundle.crt + - ca.crt + - ca.key + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- set_fact: + master_ca_missing: "{{ False in (g_master_ca_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + run_once: true + +- name: Retain original serviceaccount keys + copy: + src: "{{ item }}" + dest: "{{ item }}.keep" + remote_src: true + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool + +- name: Deploy master ca certificate + copy: + src: "{{ item.src }}" + dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}" + force: no + with_items: + - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}" + dest: ca.crt + - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}" + dest: ca.key + when: openshift_master_ca_certificate is defined + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Create ca serial + copy: + content: "00" + dest: "{{ openshift_ca_config_dir }}/ca.serial.txt" + force: "{{ openshift_certificates_redeploy | default(false) | bool }}" + when: openshift_master_ca_certificate is defined + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- find: + paths: "{{ openshift.common.config_base }}/master/legacy-ca/" + patterns: ".*-ca.crt" + use_regex: true + register: g_master_legacy_ca_result + +# This should NOT replace the CA due to --overwrite=false when a CA already exists. +- name: Create the master certificates if they do not already exist + command: > + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %} + --certificate-authority {{ legacy_ca_certificate }} + {% endfor %} + --hostnames={{ hostvars[openshift_ca_host].openshift.common.all_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_ca_config_dir }} + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + --signer-expire-days={{ openshift_ca_cert_expire_days }} + {% endif %} + --overwrite=false + when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Test local loopback context + command: > + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} config view + --config={{ openshift_master_loopback_config }} + changed_when: false + register: loopback_config + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +# create-api-client-config generates a ca.crt file which will +# overwrite the OpenShift CA certificate. Generate the loopback +# kubeconfig in a temporary directory and then copy files into the +# master config dir to avoid overwriting ca.crt. +- block: + - name: Create temp directory for loopback master client config + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: openshift_ca_loopback_tmpdir + - name: Generate the loopback master client config + command: > + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config + --certificate-authority={{ openshift_ca_cert }} + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + --client-dir={{ openshift_ca_loopback_tmpdir.stdout }} + --groups=system:masters,system:openshift-master + --master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }} + --public-master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }} + --signer-cert={{ openshift_ca_cert }} + --signer-key={{ openshift_ca_key }} + --signer-serial={{ openshift_ca_serial }} + --user=system:openshift-master + --basename=openshift-master + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + {% endif %} + - name: Copy generated loopback master client config to master config dir + copy: + src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}" + dest: "{{ openshift_ca_config_dir }}" + remote_src: true + with_items: + - openshift-master.crt + - openshift-master.key + - openshift-master.kubeconfig + - name: Delete temp directory + file: + name: "{{ openshift_ca_loopback_tmpdir.stdout }}" + state: absent + when: loopback_context_string not in loopback_config.stdout + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Restore original serviceaccount keys + copy: + src: "{{ item }}.keep" + dest: "{{ item }}" + remote_src: true + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool + +- name: Remove backup serviceaccount keys + file: + path: "{{ item }}.keep" + state: absent + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool |