Diffstat (limited to 'roles/openshift_master/tasks')
-rw-r--r--roles/openshift_master/tasks/bootstrap.yml28
-rw-r--r--roles/openshift_master/tasks/main.yml37
-rw-r--r--roles/openshift_master/tasks/systemd_units.yml10
3 files changed, 72 insertions, 3 deletions
diff --git a/roles/openshift_master/tasks/bootstrap.yml b/roles/openshift_master/tasks/bootstrap.yml
new file mode 100644
index 000000000..0013f5289
--- /dev/null
+++ b/roles/openshift_master/tasks/bootstrap.yml
@@ -0,0 +1,28 @@
+---
+
+- name: ensure the node-bootstrap service account exists
+ oc_serviceaccount:
+ name: node-bootstrapper
+ namespace: openshift-infra
+ state: present
+ run_once: true
+
+- name: grant node-bootstrapper the correct permissions to bootstrap
+ oc_adm_policy_user:
+ namespace: openshift-infra
+ user: system:serviceaccount:openshift-infra:node-bootstrapper
+ resource_kind: cluster-role
+ resource_name: system:node-bootstrapper
+ state: present
+ run_once: true
+
+# TODO: create a module for this command.
+# oc_serviceaccounts_kubeconfig
+- name: create service account kubeconfig with csr rights
+ command: "oc serviceaccounts create-kubeconfig node-bootstrapper -n openshift-infra"
+ register: kubeconfig_out
+
+- name: put service account kubeconfig into a file on disk for bootstrap
+ copy:
+ content: "{{ kubeconfig_out.stdout }}"
+ dest: "{{ openshift_master_config_dir }}/bootstrap.kubeconfig"
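Review bot: The `copy` task that writes `bootstrap.kubeconfig` sets no `mode`, `owner` or `group`, so the file's permissions depend on the remote umask, and the file holds the credentials of the node-bootstrapper service account that was just granted `system:node-bootstrapper`. Add `mode: "0600"` with `owner: root` and `group: root` to that task. The `command` task that registers `kubeconfig_out` also exposes the same kubeconfig in task results at higher verbosity and in any callback that records results, so `no_log: true` belongs on both tasks. `changed_when: false` on the `command` task would stop it reporting a change on every run.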
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index a11471891..a06defdb9 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -177,9 +177,6 @@
local_facts:
no_proxy_etcd_host_ips: "{{ openshift_no_proxy_etcd_host_ips }}"
-- name: Remove the legacy master service if it exists
- include: clean_systemd_units.yml
-
- name: Install the systemd units
include: systemd_units.yml
@@ -218,6 +215,36 @@
- restart master api
- restart master controllers
+- name: modify controller args
+ yedit:
+ src: /etc/origin/master/master-config.yaml
+ edits:
+ - key: kubernetesMasterConfig.controllerArguments.cluster-signing-cert-file
+ value:
+ - /etc/origin/master/ca.crt
+ - key: kubernetesMasterConfig.controllerArguments.cluster-signing-key-file
+ value:
+ - /etc/origin/master/ca.key
+ notify:
+ - restart master controllers
+ when: openshift_master_bootstrap_enabled | default(False)
+
+- name: Check for credentials file for registry auth
+ stat:
+ path: "{{oreg_auth_credentials_path }}"
+ when:
+ - oreg_auth_user is defined
+ register: master_oreg_auth_credentials_stat
+
+- name: Create credentials for registry auth
+ command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+ when:
+ - oreg_auth_user is defined
+ - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+ notify:
+ - restart master api
+ - restart master controllers
+
- include: set_loopback_context.yml
when:
- openshift.common.version_gte_3_2_or_1_2
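Review bot: The `Create credentials for registry auth` task passes `{{ oreg_auth_password }}` as a `-p` argument, so the password is visible in the process list on the master while `docker login` runs and is stored in the task result's `cmd` field for every log or callback that records results. Add `no_log: true` to the task at minimum; feeding the password on stdin with `docker login --password-stdin` avoids the argv exposure where the installed docker supports it. The condition also reads `oreg_auth_credentials_replace` with no default visible in this hunk, which would fail the task when the credentials file exists and the variable is not defined elsewhere; `oreg_auth_credentials_replace | default(False)` makes that explicit.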
@@ -366,3 +393,7 @@
shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster
when:
- l_install_result | changed
+
+- name: node bootstrap settings
+ include: bootstrap.yml
+ when: openshift_master_bootstrap_enabled | default(False)
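Review bot: `when: openshift_master_bootstrap_enabled | default(False)` has no `| bool`, so a value that arrives as a string (for example `false` from an INI inventory or `-e`) is a non-empty string and would likely evaluate as true. The same condition guards the `modify controller args` task in the earlier main.yml hunk. An accidental true here creates the bootstrap service account, writes its kubeconfig to disk and points the controller signing arguments at `ca.key`, so the guard should be strict: `when: openshift_master_bootstrap_enabled | default(False) | bool`, matching the `| bool` already used on the registry-auth condition.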
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 72c231e52..782a35abe 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -3,6 +3,16 @@
# playbooks. For that reason the ha_svc variables are use set_fact instead of
# the vars directory on the role.
+# This play may be consumed outside the role, we need to ensure that
+# openshift_master_config_dir is set.
+- name: Set openshift_master_config_dir if unset
+ set_fact:
+ openshift_master_config_dir: '/var/lib/origin'
+ when: openshift_master_config_dir is not defined
+
+- name: Remove the legacy master service if it exists
+ include: clean_systemd_units.yml
+
- name: Init HA Service Info
set_fact:
containerized_svc_dir: "/usr/lib/systemd/system"
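Review bot: The fallback `openshift_master_config_dir: '/var/lib/origin'` does not match the `/etc/origin/master` directory that the `modify controller args` task in main.yml hard-codes for `master-config.yaml`, `ca.crt` and `ca.key`. If this fallback applies when bootstrap.yml runs, `bootstrap.kubeconfig` would be written under `/var/lib/origin` rather than next to the master config, so please confirm the intended default (probably `'/etc/origin/master'`). Because `set_fact` keeps the value for the host for the rest of the run, a wrong default carries into every later task that uses the variable. The `Init HA Service Info` task continues outside the hunk.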