5 files changed, 260 insertions, 0 deletions

diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md
new file mode 100644
index 000000000..dfbe81c6c
--- /dev/null
+++ b/roles/openshift_ca/README.md
@@ -0,0 +1,50 @@
+OpenShift CA
+============
+
+This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles.
+
+Requirements
+------------
+
+Role Variables
+--------------
+
+From this role:
+
+| Name                    | Default value                                 | Description                                                                 |
+|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------|
+| openshift_ca_host       | None (Required)                               | The hostname of the system where the OpenShift CA will be created.          |
+| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master`   | CA certificate directory.                                                   |
+| openshift_ca_cert       | `{{ openshift_ca_config_dir }}/ca.crt`        | CA certificate path including CA certificate filename.                      |
+| openshift_ca_key        | `{{ openshift_ca_config_dir }}/ca.key`        | CA key path including CA key filename.                                      |
+| openshift_ca_serial     | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename.                                |
+| openshift_version       | `{{ openshift_pkg_version }}`                 | OpenShift package version.                                                  |
+| openshift_master_cert_expire_days | `730` (2 years)                     | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
+| openshift_ca_cert_expire_days     | `1825` (5 years)                    | Validity of the CA certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
+
+Dependencies
+------------
+
+* openshift_repos
+* openshift_cli
+
+Example Playbook
+----------------
+
+```
+- name: Create OpenShift CA
+  hosts: localhost
+  roles:
+  - role: openshift_ca
+    openshift_ca_host: master1.example.com
+```
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_ca/defaults/main.yml b/roles/openshift_ca/defaults/main.yml
new file mode 100644
index 000000000..742b15df4
--- /dev/null
+++ b/roles/openshift_ca/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+openshift_ca_cert_expire_days: 1825
+openshift_master_cert_expire_days: 730
+
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_master_loopback_config: "{{ openshift_ca_config_dir }}/openshift-master.kubeconfig"
+
+openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
new file mode 100644
index 000000000..f8b784a63
--- /dev/null
+++ b/roles/openshift_ca/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Jason DeTiberus
+  description: OpenShift CA
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.1
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- role: openshift_cli
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
new file mode 100644
index 000000000..419679bc2
--- /dev/null
+++ b/roles/openshift_ca/tasks/main.yml
@@ -0,0 +1,181 @@
+---
+- fail:
+    msg: "openshift_ca_host variable must be defined for this role"
+  when: openshift_ca_host is not defined
+
+- fail:
+    msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
+  when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate)
+
+- name: Install the base package for admin tooling
+  package:
+    name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+    state: present
+  when: not openshift.common.is_containerized | bool
+  register: install_result
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- name: Reload generated facts
+  openshift_facts:
+  when: install_result | changed
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- name: Create openshift_ca_config_dir if it does not exist
+  file:
+    path: "{{ openshift_ca_config_dir }}"
+    state: directory
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- name: Determine if CA must be created
+  stat:
+    path: "{{ openshift_ca_config_dir }}/{{ item }}"
+  register: g_master_ca_stat_result
+  with_items:
+  - ca-bundle.crt
+  - ca.crt
+  - ca.key
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- set_fact:
+    master_ca_missing: "{{ False in (g_master_ca_stat_result.results
+                                     | oo_collect(attribute='stat.exists')
+                                     | list) }}"
+  run_once: true
+
+- name: Retain original serviceaccount keys
+  copy:
+    src: "{{ item }}"
+    dest: "{{ item }}.keep"
+    remote_src: true
+  with_items:
+  - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+  - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+  when: openshift_certificates_redeploy | default(false) | bool
+
+- name: Deploy master ca certificate
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
+    force: no
+  with_items:
+  - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
+    dest: ca.crt
+  - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
+    dest: ca.key
+  when: openshift_master_ca_certificate is defined
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- name: Create ca serial
+  copy:
+    content: "00"
+    dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+    force: "{{ openshift_certificates_redeploy | default(false) | bool }}"
+  when: openshift_master_ca_certificate is defined
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- find:
+    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
+    patterns: ".*-ca.crt"
+    use_regex: true
+  register: g_master_legacy_ca_result
+
+# This should NOT replace the CA due to --overwrite=false when a CA already exists.
+- name: Create the master certificates if they do not already exist
+  command: >
+    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs
+    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+    --certificate-authority {{ named_ca_certificate }}
+    {% endfor %}
+    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
+    --certificate-authority {{ legacy_ca_certificate }}
+    {% endfor %}
+    --hostnames={{ hostvars[openshift_ca_host].openshift.common.all_hostnames | join(',') }}
+    --master={{ openshift.master.api_url }}
+    --public-master={{ openshift.master.public_api_url }}
+    --cert-dir={{ openshift_ca_config_dir }}
+    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+    --expire-days={{ openshift_master_cert_expire_days }}
+    --signer-expire-days={{ openshift_ca_cert_expire_days }}
+    {% endif %}
+    --overwrite=false
+  when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- name: Test local loopback context
+  command: >
+    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} config view
+    --config={{ openshift_master_loopback_config }}
+  changed_when: false
+  register: loopback_config
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+# create-api-client-config generates a ca.crt file which will
+# overwrite the OpenShift CA certificate.  Generate the loopback
+# kubeconfig in a temporary directory and then copy files into the
+# master config dir to avoid overwriting ca.crt.
+- block:
+  - name: Create temp directory for loopback master client config
+    command: mktemp -d /tmp/openshift-ansible-XXXXXX
+    register: openshift_ca_loopback_tmpdir
+  - name: Generate the loopback master client config
+    command: >
+      {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
+        --certificate-authority={{ openshift_ca_cert }}
+        {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+        --certificate-authority {{ named_ca_certificate }}
+        {% endfor %}
+        --client-dir={{ openshift_ca_loopback_tmpdir.stdout }}
+        --groups=system:masters,system:openshift-master
+        --master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
+        --public-master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
+        --signer-cert={{ openshift_ca_cert }}
+        --signer-key={{ openshift_ca_key }}
+        --signer-serial={{ openshift_ca_serial }}
+        --user=system:openshift-master
+        --basename=openshift-master
+        {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+        --expire-days={{ openshift_master_cert_expire_days }}
+        {% endif %}
+  - name: Copy generated loopback master client config to master config dir
+    copy:
+      src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}"
+      dest: "{{ openshift_ca_config_dir }}"
+      remote_src: true
+    with_items:
+    - openshift-master.crt
+    - openshift-master.key
+    - openshift-master.kubeconfig
+  - name: Delete temp directory
+    file:
+      name: "{{ openshift_ca_loopback_tmpdir.stdout }}"
+      state: absent
+  when: loopback_context_string not in loopback_config.stdout
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
+
+- name: Restore original serviceaccount keys
+  copy:
+    src: "{{ item }}.keep"
+    dest: "{{ item }}"
+    remote_src: true
+  with_items:
+  - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+  - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+  when: openshift_certificates_redeploy | default(false) | bool
+
+- name: Remove backup serviceaccount keys
+  file:
+    path: "{{ item }}.keep"
+    state: absent
+  with_items:
+  - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+  - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+  when: openshift_certificates_redeploy | default(false) | bool
diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml
new file mode 100644
index 000000000..4d80bf921
--- /dev/null
+++ b/roles/openshift_ca/vars/main.yml
@@ -0,0 +1,2 @@
+---
+loopback_context_string: "current-context: {{ openshift.master.loopback_context_name }}"