From 89fcbb72447ab74b440c15d1e35a1dd10cef1c49 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Mon, 6 Nov 2017 12:35:13 -0500 Subject: Temporarily set master servingInfo.clientCA as client-ca-bundle.crt during rolling CA redeployment. --- .../openshift-cluster/redeploy-certificates.yml | 4 +++ .../redeploy-certificates/openshift-ca.yml | 14 ++++++---- .../common/openshift-master/revert-client-ca.yml | 17 ++++++++++++ roles/openshift_ca/tasks/main.yml | 30 ++++++++++++++++++++++ .../filter_plugins/openshift_master.py | 2 +- 5 files changed, 61 insertions(+), 6 deletions(-) create mode 100644 playbooks/common/openshift-master/revert-client-ca.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml index 255b0dbf7..f53d34145 100644 --- a/playbooks/byo/openshift-cluster/redeploy-certificates.yml +++ b/playbooks/byo/openshift-cluster/redeploy-certificates.yml @@ -42,3 +42,7 @@ - include: ../../common/openshift-cluster/redeploy-certificates/registry.yml when: openshift_hosted_manage_registry | default(true) | bool + +- include: ../../common/openshift-master/revert-client-ca.yml + +- include: ../../common/openshift-master/restart.yml diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml index 2068ed199..e22c8cbdb 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml @@ -41,11 +41,6 @@ yaml_key: oauthConfig.masterCA yaml_value: ca-bundle.crt when: (g_master_config_output.content|b64decode|from_yaml).oauthConfig.masterCA != 'ca-bundle.crt' - - modify_yaml: - dest: "{{ openshift.common.config_base }}/master/master-config.yaml" - yaml_key: servingInfo.clientCA - yaml_value: ca.crt - when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt' - modify_yaml: dest: "{{ openshift.common.config_base }}/master/master-config.yaml" yaml_key: etcdClientInfo.ca @@ -67,6 +62,13 @@ when: - groups.oo_etcd_to_config | default([]) | length == 0 - (g_master_config_output.content|b64decode|from_yaml).etcdConfig.servingInfo.clientCA != 'ca-bundle.crt' + # Set servingInfo.clientCA to client-ca-bundle.crt in order to roll the CA certificate. + # This change will be reverted in playbooks/byo/openshift-cluster/redeploy-certificates.yml + - modify_yaml: + dest: "{{ openshift.common.config_base }}/master/master-config.yaml" + yaml_key: servingInfo.clientCA + yaml_value: client-ca-bundle.crt + when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'client-ca-bundle.crt' - name: Copy current OpenShift CA to legacy directory hosts: oo_masters_to_config @@ -155,6 +157,7 @@ - ca.key - ca-bundle.crt - ca.serial.txt + - client-ca-bundle.crt delegate_to: "{{ openshift_ca_host }}" run_once: true changed_when: false @@ -173,6 +176,7 @@ - ca.key - ca-bundle.crt - ca.serial.txt + - client-ca-bundle.crt - name: Update master client kubeconfig CA data kubeclient_ca: client_path: "{{ openshift.common.config_base }}/master/openshift-master.kubeconfig" diff --git a/playbooks/common/openshift-master/revert-client-ca.yml b/playbooks/common/openshift-master/revert-client-ca.yml new file mode 100644 index 000000000..9ae23bf5b --- /dev/null +++ b/playbooks/common/openshift-master/revert-client-ca.yml @@ -0,0 +1,17 @@ +--- +- name: Set servingInfo.clientCA = ca.crt in master config + hosts: oo_masters_to_config + tasks: + - name: Read master config + slurp: + src: "{{ openshift.common.config_base }}/master/master-config.yaml" + register: g_master_config_output + + # servingInfo.clientCA may be set as the client-ca-bundle.crt from + # CA redeployment and this task reverts that change. + - name: Set servingInfo.clientCA = ca.crt in master config + modify_yaml: + dest: "{{ openshift.common.config_base }}/master/master-config.yaml" + yaml_key: servingInfo.clientCA + yaml_value: ca.crt + when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt' diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index fad1ff5de..587526d07 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -106,6 +106,36 @@ delegate_to: "{{ openshift_ca_host }}" run_once: true +# Create client-ca-bundle.crt containing old and new OpenShift CA +# certificates. This bundle will be used when rolling the OpenShift CA +# certificate. +- name: Create client-ca-bundle.crt + block: + - command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: openshift_ca_clientconfig_tmpdir + delegate_to: "{{ openshift_ca_host }}" + - copy: + src: "{{ item }}" + dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/" + remote_src: true + with_items: "{{ g_master_legacy_ca_result.files | default([]) | oo_collect('path') }}" + delegate_to: "{{ openshift_ca_host }}" + run_once: true + - copy: + src: "{{ openshift_ca_config_dir }}/ca.crt" + dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/" + remote_src: true + delegate_to: "{{ openshift_ca_host }}" + run_once: true + - assemble: + src: "{{ openshift_ca_clientconfig_tmpdir.stdout }}" + dest: "{{ openshift_ca_config_dir }}/client-ca-bundle.crt" + mode: 0644 + owner: root + group: root + delegate_to: "{{ openshift_ca_host }}" + run_once: true + - name: Test local loopback context command: > {{ hostvars[openshift_ca_host].openshift.common.client_binary }} config view diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py index a4f410296..d5720b580 100644 --- a/roles/openshift_master_facts/filter_plugins/openshift_master.py +++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py @@ -510,7 +510,7 @@ class FilterModule(object): 'master.kubelet-client.crt', 'master.kubelet-client.key'] if bool(include_ca): - certs += ['ca.crt', 'ca.key', 'ca-bundle.crt'] + certs += ['ca.crt', 'ca.key', 'ca-bundle.crt', 'client-ca-bundle.crt'] if bool(include_keys): certs += ['serviceaccounts.private.key', 'serviceaccounts.public.key'] -- cgit v1.2.3