diff options
Diffstat (limited to 'roles/openshift_ca')
-rw-r--r-- | roles/openshift_ca/README.md | 50 | ||||
-rw-r--r-- | roles/openshift_ca/defaults/main.yml | 11 | ||||
-rw-r--r-- | roles/openshift_ca/meta/main.yml | 16 | ||||
-rw-r--r-- | roles/openshift_ca/tasks/main.yml | 181 | ||||
-rw-r--r-- | roles/openshift_ca/vars/main.yml | 2 |
5 files changed, 260 insertions, 0 deletions
diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md new file mode 100644 index 000000000..dfbe81c6c --- /dev/null +++ b/roles/openshift_ca/README.md @@ -0,0 +1,50 @@ +OpenShift CA +============ + +This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles. + +Requirements +------------ + +Role Variables +-------------- + +From this role: + +| Name | Default value | Description | +|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------| +| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be created. | +| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master` | CA certificate directory. | +| openshift_ca_cert | `{{ openshift_ca_config_dir }}/ca.crt` | CA certificate path including CA certificate filename. | +| openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. | +| openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. | +| openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. | +| openshift_master_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | +| openshift_ca_cert_expire_days | `1825` (5 years) | Validity of the CA certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | + +Dependencies +------------ + +* openshift_repos +* openshift_cli + +Example Playbook +---------------- + +``` +- name: Create OpenShift CA + hosts: localhost + roles: + - role: openshift_ca + openshift_ca_host: master1.example.com +``` + +License +------- + +Apache License Version 2.0 + +Author Information +------------------ + +Jason DeTiberus (jdetiber@redhat.com) diff --git a/roles/openshift_ca/defaults/main.yml b/roles/openshift_ca/defaults/main.yml new file mode 100644 index 000000000..742b15df4 --- /dev/null +++ b/roles/openshift_ca/defaults/main.yml @@ -0,0 +1,11 @@ +--- +openshift_ca_cert_expire_days: 1825 +openshift_master_cert_expire_days: 730 + +openshift_ca_config_dir: "{{ openshift.common.config_base }}/master" +openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt" +openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key" +openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt" +openshift_master_loopback_config: "{{ openshift_ca_config_dir }}/openshift-master.kubeconfig" + +openshift_version: "{{ openshift_pkg_version | default('') }}" diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml new file mode 100644 index 000000000..f8b784a63 --- /dev/null +++ b/roles/openshift_ca/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: OpenShift CA + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- role: openshift_cli diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml new file mode 100644 index 000000000..419679bc2 --- /dev/null +++ b/roles/openshift_ca/tasks/main.yml @@ -0,0 +1,181 @@ +--- +- fail: + msg: "openshift_ca_host variable must be defined for this role" + when: openshift_ca_host is not defined + +- fail: + msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate" + when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate) + +- name: Install the base package for admin tooling + package: + name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present + when: not openshift.common.is_containerized | bool + register: install_result + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Reload generated facts + openshift_facts: + when: install_result | changed + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Create openshift_ca_config_dir if it does not exist + file: + path: "{{ openshift_ca_config_dir }}" + state: directory + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Determine if CA must be created + stat: + path: "{{ openshift_ca_config_dir }}/{{ item }}" + register: g_master_ca_stat_result + with_items: + - ca-bundle.crt + - ca.crt + - ca.key + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- set_fact: + master_ca_missing: "{{ False in (g_master_ca_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + run_once: true + +- name: Retain original serviceaccount keys + copy: + src: "{{ item }}" + dest: "{{ item }}.keep" + remote_src: true + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool + +- name: Deploy master ca certificate + copy: + src: "{{ item.src }}" + dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}" + force: no + with_items: + - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}" + dest: ca.crt + - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}" + dest: ca.key + when: openshift_master_ca_certificate is defined + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Create ca serial + copy: + content: "00" + dest: "{{ openshift_ca_config_dir }}/ca.serial.txt" + force: "{{ openshift_certificates_redeploy | default(false) | bool }}" + when: openshift_master_ca_certificate is defined + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- find: + paths: "{{ openshift.common.config_base }}/master/legacy-ca/" + patterns: ".*-ca.crt" + use_regex: true + register: g_master_legacy_ca_result + +# This should NOT replace the CA due to --overwrite=false when a CA already exists. +- name: Create the master certificates if they do not already exist + command: > + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %} + --certificate-authority {{ legacy_ca_certificate }} + {% endfor %} + --hostnames={{ hostvars[openshift_ca_host].openshift.common.all_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_ca_config_dir }} + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + --signer-expire-days={{ openshift_ca_cert_expire_days }} + {% endif %} + --overwrite=false + when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Test local loopback context + command: > + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} config view + --config={{ openshift_master_loopback_config }} + changed_when: false + register: loopback_config + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +# create-api-client-config generates a ca.crt file which will +# overwrite the OpenShift CA certificate. Generate the loopback +# kubeconfig in a temporary directory and then copy files into the +# master config dir to avoid overwriting ca.crt. +- block: + - name: Create temp directory for loopback master client config + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: openshift_ca_loopback_tmpdir + - name: Generate the loopback master client config + command: > + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config + --certificate-authority={{ openshift_ca_cert }} + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + --client-dir={{ openshift_ca_loopback_tmpdir.stdout }} + --groups=system:masters,system:openshift-master + --master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }} + --public-master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }} + --signer-cert={{ openshift_ca_cert }} + --signer-key={{ openshift_ca_key }} + --signer-serial={{ openshift_ca_serial }} + --user=system:openshift-master + --basename=openshift-master + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + {% endif %} + - name: Copy generated loopback master client config to master config dir + copy: + src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}" + dest: "{{ openshift_ca_config_dir }}" + remote_src: true + with_items: + - openshift-master.crt + - openshift-master.key + - openshift-master.kubeconfig + - name: Delete temp directory + file: + name: "{{ openshift_ca_loopback_tmpdir.stdout }}" + state: absent + when: loopback_context_string not in loopback_config.stdout + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Restore original serviceaccount keys + copy: + src: "{{ item }}.keep" + dest: "{{ item }}" + remote_src: true + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool + +- name: Remove backup serviceaccount keys + file: + path: "{{ item }}.keep" + state: absent + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml new file mode 100644 index 000000000..4d80bf921 --- /dev/null +++ b/roles/openshift_ca/vars/main.yml @@ -0,0 +1,2 @@ +--- +loopback_context_string: "current-context: {{ openshift.master.loopback_context_name }}" |