diff options
Diffstat (limited to 'roles/openshift_master_certificates/tasks/main.yml')
-rw-r--r-- | roles/openshift_master_certificates/tasks/main.yml | 65 |
1 files changed, 42 insertions, 23 deletions
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index e9b7de330..4620dd877 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -30,7 +30,6 @@ | oo_collect(attribute='stat.exists') | list)) }}" - - name: Ensure the generated_configs directory present file: path: "{{ openshift_master_generated_config_dir }}" @@ -39,30 +38,50 @@ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" -- file: - src: "{{ openshift_master_config_dir }}/{{ item }}" - dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" - state: hard - with_items: - - ca.crt - - ca.key - - ca.serial.txt - when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - delegate_to: "{{ openshift_ca_host }}" - -- name: Create the master certificates if they do not already exist +- name: Create the master server certificate command: > - {{ openshift.common.client_binary }} adm create-master-certs + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} - --hostnames={{ openshift.common.all_hostnames | join(',') }} - --master={{ openshift.master.api_url }} - --public-master={{ openshift.master.public_api_url }} - --cert-dir={{ openshift_master_generated_config_dir }} + --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }} + --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt + --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key + --signer-cert={{ openshift_ca_cert }} + --signer-key={{ openshift_ca_key }} + --signer-serial={{ openshift_ca_serial }} --overwrite=false - when: master_certs_missing | bool and inventory_hostname != openshift_ca_host + with_items: "{{ hostvars + | oo_select_keys(groups['oo_masters_to_config']) + | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) + | difference([openshift_ca_host])}}" + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Generate the master client config + command: > + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + --certificate-authority={{ openshift_ca_cert }} + --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }} + --groups=system:masters,system:openshift-master + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --signer-cert={{ openshift_ca_cert }} + --signer-key={{ openshift_ca_key }} + --signer-serial={{ openshift_ca_serial }} + --user=system:openshift-master + --basename=openshift-master + args: + creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig" + with_items: "{{ hostvars + | oo_select_keys(groups['oo_masters_to_config']) + | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) + | difference([openshift_ca_host])}}" delegate_to: "{{ openshift_ca_host }}" + run_once: true - file: src: "{{ openshift_master_config_dir }}/{{ item }}" @@ -86,7 +105,7 @@ - name: Create local temp directory for syncing certs local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX - register: g_master_mktemp + register: g_master_certs_mktemp changed_when: False when: master_certs_missing | bool delegate_to: localhost @@ -104,7 +123,7 @@ - name: Retrieve the master cert tarball from the master fetch: src: "{{ openshift_master_generated_config_dir }}.tgz" - dest: "{{ g_master_mktemp.stdout }}/" + dest: "{{ g_master_certs_mktemp.stdout }}/" flat: yes fail_on_missing: yes validate_checksum: yes @@ -119,11 +138,11 @@ - name: Unarchive the tarball on the master unarchive: - src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz" + src: "{{ g_master_certs_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz" dest: "{{ openshift_master_config_dir }}" when: master_certs_missing | bool and inventory_hostname != openshift_ca_host -- file: name={{ g_master_mktemp.stdout }} state=absent +- file: name={{ g_master_certs_mktemp.stdout }} state=absent changed_when: False when: master_certs_missing | bool delegate_to: localhost |