Diffstat (limited to 'roles/openshift_etcd_certs')
-rw-r--r--roles/openshift_etcd_certs/README.md34
-rw-r--r--roles/openshift_etcd_certs/meta/main.yml16
-rw-r--r--roles/openshift_etcd_certs/tasks/main.yml33
-rw-r--r--roles/openshift_etcd_certs/vars/main.yml8
4 files changed, 91 insertions, 0 deletions
diff --git a/roles/openshift_etcd_certs/README.md b/roles/openshift_etcd_certs/README.md
new file mode 100644
index 000000000..efac6d9fe
--- /dev/null
+++ b/roles/openshift_etcd_certs/README.md
@@ -0,0 +1,34 @@
+OpenShift etcd certs
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Scott Dodson (sdodson@redhat.com)
diff --git a/roles/openshift_etcd_certs/meta/main.yml b/roles/openshift_etcd_certs/meta/main.yml
new file mode 100644
index 000000000..4847ba94b
--- /dev/null
+++ b/roles/openshift_etcd_certs/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Scott Dodson
+ description:
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.8
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- { role: openshift_facts }
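Review bot: `description:` in galaxy_info is left empty, so it loads as null instead of a string; a one-line summary such as `description: Generate etcd client certificates signed by the OpenShift master CA` would document what the role is for. `min_ansible_version: 1.8` is also parsed as a float, so quoting it as `min_ansible_version: "1.8"` keeps it a version string if it is ever raised to something like 1.10.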
diff --git a/roles/openshift_etcd_certs/tasks/main.yml b/roles/openshift_etcd_certs/tasks/main.yml
new file mode 100644
index 000000000..04b411117
--- /dev/null
+++ b/roles/openshift_etcd_certs/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+- name: Create openshift_generated_configs_dir if it doesn't exist
+ file:
+ path: "{{ openshift_generated_configs_dir }}"
+ state: directory
+
+- name: Create openshift_generated_configs_dir for each etcd host
+ file:
+ path: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname}}"
+ state: directory
+ with_items: etcd_hosts_needing_certs
+
+- name: Generate the etcd client side certs
+ delegate_to: "{{ openshift_first_master }}"
+ command: >
+ {{ openshift.common.admin_binary }} create-server-cert
+ --cert=client.crt --key=client.key --overwrite=true
+ --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname, item.openshift.common.ip]|unique|join(",") }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
+ args:
+ chdir: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}"
+ creates: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}/client.crt"
+ with_items: etcd_hosts_needing_certs
+
+- name: Copy CA cert
+ delegate_to: "{{ openshift_first_master }}"
+ command: "cp {{ openshift_master_ca_cert }} ."
+ args:
+ chdir: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}"
+ creates: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}/ca.crt"
+ with_items: etcd_hosts_needing_certs
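Review bot: The two `file` tasks at the top create the directories that will hold `client.key` without setting permissions, so who can read the generated private keys depends on the host's umask unless the admin binary restricts the key file itself. Adding `mode: "0700"` and `owner: root` to both directory tasks would make that explicit. Those two tasks also have no `delegate_to`, while the `command` tasks that `chdir` into the same paths run on `openshift_first_master`; if the role is applied to any other host, the directories would presumably be created on the wrong machine, so they should be delegated too or the assumption documented. The task named "Generate the etcd client side certs" invokes `create-server-cert`, so it is worth confirming that the resulting certificate carries the key usage etcd expects for client authentication.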
diff --git a/roles/openshift_etcd_certs/vars/main.yml b/roles/openshift_etcd_certs/vars/main.yml
new file mode 100644
index 000000000..3801b8427
--- /dev/null
+++ b/roles/openshift_etcd_certs/vars/main.yml
@@ -0,0 +1,8 @@
+---
+openshift_node_config_dir: /etc/openshift/node
+openshift_master_config_dir: /etc/openshift/master
+openshift_generated_configs_dir: /etc/openshift/generated-configs
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_kube_api_version: v1beta3
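Review bot: `openshift_node_config_dir` and `openshift_kube_api_version` are defined here but not referenced by anything in this role's tasks/main.yml, so they look like leftovers from another role and could be dropped to avoid a second definition that can drift. The CA paths, including `openshift_master_ca_key`, are set in vars/ instead of defaults/, which makes them hard to override from inventory. If pinning the signer key location is intentional, a comment such as `# CA material is always read from the master config dir` would record that.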