Diffstat (limited to 'roles/openshift_master_certificates')
-rw-r--r-- | roles/openshift_master_certificates/README.md | 52 | ||||
-rw-r--r-- | roles/openshift_master_certificates/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_master_certificates/meta/main.yml | 15 | ||||
-rw-r--r-- | roles/openshift_master_certificates/tasks/main.yml | 226 | ||||
-rw-r--r-- | roles/openshift_master_certificates/vars/main.yml | 5 |
5 files changed, 300 insertions, 0 deletions
diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
new file mode 100644
index 000000000..4758bbdfb
--- /dev/null
+++ b/roles/openshift_master_certificates/README.md
@@ -0,0 +1,52 @@
+OpenShift Master Certificates
+========================
+
+This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped.
+
+Requirements
+------------
+
+Role Variables
+--------------
+
+From `openshift_ca`:
+
+| Name | Default value | Description |
+|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
+
+From this role:
+
+| Name | Default value | Description |
+|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. |
+| openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
+| openshift_master_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
+| openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. |
+| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. |
+
+Dependencies
+------------
+
+* openshift_ca
+
+Example Playbook
+----------------
+
+```
+- name: Create OpenShift Master Certificates
+ hosts: masters
+ roles:
+ - role: openshift_master_certificates
+ openshift_ca_host: master1.example.com
+```
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_master_certificates/defaults/main.yml b/roles/openshift_master_certificates/defaults/main.yml
new file mode 100644
index 000000000..dba62c4ec
--- /dev/null
+++ b/roles/openshift_master_certificates/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_master_cert_expire_days: 730
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
new file mode 100644
index 000000000..300b2cbff
--- /dev/null
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Jason DeTiberus
+ description: OpenShift Master Certificates
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.1
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies: []
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
new file mode 100644
index 000000000..d9ffb1b6f
--- /dev/null
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -0,0 +1,226 @@
+---
+- set_fact:
+ openshift_master_certs_no_etcd:
+ - admin.crt
+ - master.kubelet-client.crt
+ - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+ - master.server.crt
+ - openshift-master.crt
+ - openshift-registry.crt
+ - openshift-router.crt
+ - etcd.server.crt
+ openshift_master_certs_etcd:
+ - master.etcd-client.crt
+
+- set_fact:
+ openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
+
+- name: Check status of master certificates
+ stat:
+ path: "{{ openshift_master_config_dir }}/{{ item }}"
+ with_items:
+ - "{{ openshift_master_certs }}"
+ register: g_master_cert_stat_result
+ when: not openshift_certificates_redeploy | default(false) | bool
+
+- set_fact:
+ master_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
+ else (False in (g_master_cert_stat_result.results
+ | default({})
+ | oo_collect(attribute='stat.exists')
+ | list)) }}"
+
+- name: Ensure the generated_configs directory present
+ file:
+ path: "{{ openshift_master_generated_config_dir }}"
+ state: directory
+ mode: 0700
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- find:
+ paths: "{{ openshift_master_config_dir }}/legacy-ca/"
+ patterns: ".*-ca.crt"
+ use_regex: true
+ register: g_master_legacy_ca_result
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Create the master server certificate
+ command: >
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
+ {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
+ --certificate-authority {{ legacy_ca_certificate }}
+ {% endfor %}
+ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
+ --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
+ --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
+ {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+ --expire-days={{ openshift_master_cert_expire_days }}
+ {% endif %}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --overwrite=false
+ when: item != openshift_ca_host
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Generate the loopback master client config
+ command: >
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
+ --certificate-authority={{ openshift_ca_cert }}
+ {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
+ --groups=system:masters,system:openshift-master
+ --master={{ hostvars[item].openshift.master.loopback_api_url }}
+ --public-master={{ hostvars[item].openshift.master.loopback_api_url }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --user=system:openshift-master
+ --basename=openshift-master
+ {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+ --expire-days={{ openshift_master_cert_expire_days }}
+ {% endif %}
+ args:
+ creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}"
+ when: item != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- file:
+ src: "{{ openshift_master_config_dir }}/{{ item }}"
+ dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ state: hard
+ force: true
+ with_items:
+ - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Remove generated etcd client certs when using external etcd
+ file:
+ path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+ state: absent
+ when: openshift_master_etcd_hosts | length > 0
+ with_items:
+ - master.etcd-client.crt
+ - master.etcd-client.key
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: g_master_certs_mktemp
+ changed_when: False
+ when: master_certs_missing | bool
+ become: no
+
+- name: Create a tarball of the master certs
+ command: >
+ tar -czvf {{ openshift_master_generated_config_dir }}.tgz
+ -C {{ openshift_master_generated_config_dir }} .
+ args:
+ creates: "{{ openshift_master_generated_config_dir }}.tgz"
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Retrieve the master cert tarball from the master
+ fetch:
+ src: "{{ openshift_master_generated_config_dir }}.tgz"
+ dest: "{{ g_master_certs_mktemp.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift_master_config_dir }}"
+ state: directory
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+
+- name: Unarchive the tarball on the master
+ unarchive:
+ src: "{{ g_master_certs_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
+ dest: "{{ openshift_master_config_dir }}"
+ when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+
+- name: Delete local temp directory
+ local_action: file path="{{ g_master_certs_mktemp.stdout }}" state=absent
+ changed_when: False
+ when: master_certs_missing | bool
+ become: no
+
+- name: Lookup default group for ansible_ssh_user
+ command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}"
+ changed_when: false
+ register: _ansible_ssh_user_gid
+
+- set_fact:
+ client_users: "{{ [ansible_ssh_user, 'root'] | unique }}"
+
+- name: Create the client config dir(s)
+ file:
+ path: "~{{ item }}/.kube"
+ state: directory
+ mode: 0700
+ owner: "{{ item }}"
+ group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
+ with_items: "{{ client_users }}"
+
+# TODO: Update this file if the contents of the source file are not present in
+# the dest file, will need to make sure to ignore things that could be added
+- name: Copy the admin client config(s)
+ copy:
+ src: "{{ openshift_master_config_dir }}/admin.kubeconfig"
+ dest: "~{{ item }}/.kube/config"
+ remote_src: yes
+ force: "{{ openshift_certificates_redeploy | default(false) }}"
+ with_items: "{{ client_users }}"
+
+- name: Update the permissions on the admin client config(s)
+ file:
+ path: "~{{ item }}/.kube/config"
+ state: file
+ mode: 0700
+ owner: "{{ item }}"
+ group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
+ with_items: "{{ client_users }}"
+
+# Ensure ca-bundle exists for 3.2+ configuration
+- name: Check for ca-bundle.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ register: ca_bundle_stat
+ failed_when: false
+
+- name: Check for ca.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ register: ca_crt_stat
+ failed_when: false
+
+- name: Migrate ca.crt to ca-bundle.crt
+ command: mv ca.crt ca-bundle.crt
+ args:
+ chdir: "{{ openshift.common.config_base }}/master"
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+- name: Link ca.crt to ca-bundle.crt
+ file:
+ src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ state: link
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml
new file mode 100644
index 000000000..66f2e5162
--- /dev/null
+++ b/roles/openshift_master_certificates/vars/main.yml
@@ -0,0 +1,5 @@
+---
+openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}"
|
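Review bot: The `Copy the admin client config(s)` task in tasks/main.yml writes admin.kubeconfig, a cluster-admin credential, to `~{{ item }}/.kube/config` with whatever mode the umask yields, and only the following `Update the permissions on the admin client config(s)` task tightens it, so the file can sit group- or world-readable between the two tasks and stays that way if the play stops in between. The `copy` module accepts the same `mode`, `owner` and `group` parameters as `file`, so set them on the copy itself: `mode: 0600`, `owner: "{{ item }}"`, `group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"`; `0600` is also the usual mode for a kubeconfig, which has no use for the execute bit that `0700` grants in the follow-up task. Relatedly, the archive built by `Create a tarball of the master certs` holds the master's private keys and is written as `{{ openshift_master_generated_config_dir }}.tgz`, a sibling of the 0700 generated-config directory rather than a file inside it, and nothing in this file removes it after the `fetch`; its `creates:` guard also means a surviving stale archive would be shipped again on a later run instead of a rebuilt one, so a cleanup task deleting the tarball once fetched would close both gaps.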