summaryrefslogtreecommitdiffstats
path: root/roles/openshift_node_certificates/tasks
diff options
context:
space:
mode:
Diffstat (limited to 'roles/openshift_node_certificates/tasks')
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml158
1 files changed, 158 insertions, 0 deletions
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
new file mode 100644
index 000000000..1a775178d
--- /dev/null
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -0,0 +1,158 @@
+---
+- name: Ensure CA certificate exists on openshift_ca_host
+ stat:
+ path: "{{ openshift_ca_cert }}"
+ register: g_ca_cert_stat_result
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- fail:
+ msg: >
+ CA certificate {{ openshift_ca_cert }} doesn't exist on CA host
+ {{ openshift_ca_host }}. Apply 'openshift_ca' role to
+ {{ openshift_ca_host }}.
+ when: not g_ca_cert_stat_result.stat.exists | bool
+ run_once: true
+
+- name: Check status of node certificates
+ stat:
+ path: "{{ openshift.common.config_base }}/node/{{ item }}"
+ with_items:
+ - "system:node:{{ openshift.common.hostname }}.crt"
+ - "system:node:{{ openshift.common.hostname }}.key"
+ - "system:node:{{ openshift.common.hostname }}.kubeconfig"
+ - ca.crt
+ - server.key
+ - server.crt
+ register: g_node_cert_stat_result
+ when: not openshift_certificates_redeploy | default(false) | bool
+
+- set_fact:
+ node_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
+ else (False in (g_node_cert_stat_result.results
+ | default({})
+ | oo_collect(attribute='stat.exists')
+ | list)) }}"
+
+- name: Create openshift_generated_configs_dir if it does not exist
+ file:
+ path: "{{ openshift_generated_configs_dir }}"
+ state: directory
+ mode: 0700
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- find:
+ paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
+ patterns: ".*-ca.crt"
+ use_regex: true
+ register: g_master_legacy_ca_result
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Generate the node client config
+ command: >
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
+ {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
+ --certificate-authority {{ legacy_ca_certificate }}
+ {% endfor %}
+ --certificate-authority={{ openshift_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
+ --groups=system:nodes
+ --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --user=system:node:{{ hostvars[item].openshift.common.hostname }}
+ {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+ --expire-days={{ openshift_node_cert_expire_days }}
+ {% endif %}
+ args:
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Generate the node server certificate
+ command: >
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
+ --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
+ {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+ --expire-days={{ openshift_node_cert_expire_days }}
+ {% endif %}
+ --overwrite=true
+ --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ args:
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: node_cert_mktemp
+ changed_when: False
+ when: node_certs_missing | bool
+ become: no
+
+- name: Create a tarball of the node config directories
+ command: >
+ tar -czvf {{ openshift_node_generated_config_dir }}.tgz
+ --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
+ -C {{ openshift_node_generated_config_dir }} .
+ args:
+ creates: "{{ openshift_node_generated_config_dir }}.tgz"
+ # Disables the following warning:
+ # Consider using unarchive module rather than running tar
+ warn: no
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Retrieve the node config tarballs from the master
+ fetch:
+ src: "{{ openshift_node_generated_config_dir }}.tgz"
+ dest: "{{ node_cert_mktemp.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ when: node_certs_missing | bool
+ delegate_to: "{{ openshift_ca_host }}"
+
+- name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift_node_cert_dir }}"
+ state: directory
+ when: node_certs_missing | bool
+
+- name: Unarchive the tarball on the node
+ unarchive:
+ src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
+ dest: "{{ openshift_node_cert_dir }}"
+ when: node_certs_missing | bool
+
+- name: Delete local temp directory
+ local_action: file path="{{ node_cert_mktemp.stdout }}" state=absent
+ changed_when: False
+ when: node_certs_missing | bool
+ become: no
+
+- name: Copy OpenShift CA to system CA trust
+ copy:
+ src: "{{ item.cert }}"
+ dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
+ remote_src: yes
+ with_items:
+ - id: openshift
+ cert: "{{ openshift_node_cert_dir }}/ca.crt"
+ notify:
+ - update ca trust
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-03 07:04:18 +0000