From dbb140a649a5540102e3af1d74cbacdd12f1d04a Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Tue, 24 May 2016 10:42:55 -0400
Subject: Refactor etcd certificates roles.

---
 playbooks/common/openshift-etcd/config.yml   | 117 +--------------------------
 playbooks/common/openshift-master/config.yml |  81 ++-----------------
 playbooks/common/openshift-node/config.yml   |  87 ++------------------
 3 files changed, 16 insertions(+), 269 deletions(-)


diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml
index a95de8cf3..1b8106e0e 100644
--- a/playbooks/common/openshift-etcd/config.yml
+++ b/playbooks/common/openshift-etcd/config.yml
@@ -1,119 +1,10 @@
 ---
-- name: Set etcd facts needed for generating certs
+- name: Configure etcd
   hosts: oo_etcd_to_config
   any_errors_fatal: true
   roles:
-  - openshift_facts
-  tasks:
-  - openshift_facts:
-      role: etcd
-      local_facts:
-        etcd_image: "{{ osm_etcd_image | default(None) }}"
-  - name: Check status of etcd certificates
-    stat:
-      path: "{{ item }}"
-    with_items:
-    - /etc/etcd/server.crt
-    - /etc/etcd/peer.crt
-    - /etc/etcd/ca.crt
-    register: g_etcd_server_cert_stat_result
-  - set_fact:
-      etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | oo_collect(attribute='stat.exists')
-                                    | list | intersect([false])}}"
-      etcd_cert_subdir: etcd-{{ openshift.common.hostname }}
-      etcd_cert_config_dir: /etc/etcd
-      etcd_cert_prefix:
-      etcd_hostname: "{{ openshift.common.hostname }}"
-      etcd_ip: "{{ openshift.common.ip }}"
-
-- name: Create temp directory for syncing certs
-  hosts: localhost
-  connection: local
-  become: no
-  gather_facts: no
-  tasks:
-  - name: Create local temp directory for syncing certs
-    local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
-    register: g_etcd_mktemp
-    changed_when: False
-
-- name: Configure etcd certificates
-  hosts: oo_first_etcd
-  vars:
-    etcd_generated_certs_dir: /etc/etcd/generated_certs
-    etcd_needing_server_certs: "{{ hostvars
-                                  | oo_select_keys(groups['oo_etcd_to_config'])
-                                  | oo_filter_list(filter_attr='etcd_server_certs_missing') }}"
-    sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
-  roles:
-  - openshift_etcd_certificates
-  post_tasks:
-  - name: Create a tarball of the etcd certs
-    command: >
-      tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz
-        -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} .
-    args:
-      creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-    with_items: "{{ etcd_needing_server_certs | default([]) }}"
-  - name: Retrieve the etcd cert tarballs
-    fetch:
-      src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-      dest: "{{ sync_tmpdir }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    with_items: "{{ etcd_needing_server_certs | default([]) }}"
-
-# Configure a first etcd host to avoid conflicts in choosing a leader
-# if other members come online too quickly.
-- name: Configure first etcd host
-  hosts: oo_first_etcd
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
-    etcd_url_scheme: https
-    etcd_peer_url_scheme: https
-    etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
-  pre_tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ etcd_cert_config_dir }}"
-      state: directory
-  - name: Unarchive the tarball on the etcd host
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_server_certs_missing
-  roles:
-  - openshift_etcd
-  - nickhammond.logrotate
-
-# Configure the remaining etcd hosts, skipping the first one we dealt with above.
-- name: Configure remaining etcd hosts
-  hosts: oo_etcd_to_config:!oo_first_etcd
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
-    etcd_url_scheme: https
-    etcd_peer_url_scheme: https
+  - role: openshift_etcd
     etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
-  pre_tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ etcd_cert_config_dir }}"
-      state: directory
-  - name: Unarchive the tarball on the etcd host
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_server_certs_missing
-  roles:
-  - openshift_etcd
+    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+    etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
   - role: nickhammond.logrotate
-
-- name: Delete temporary directory on localhost
-  hosts: localhost
-  connection: local
-  become: no
-  gather_facts: no
-  tasks:
-  - file: name={{ g_etcd_mktemp.stdout }} state=absent
-    changed_when: False
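Review bot: The single `openshift_etcd` role invocation that replaces the two per-host plays passes `etcd_peers`, `etcd_ca_host` and `etcd_certificates_etcd_hosts`, but not `etcd_url_scheme: https` and `etcd_peer_url_scheme: https`, which both removed plays set explicitly. Unless the role now defaults those two variables to `https` (its defaults are not visible in this patch), client and peer URLs would fall back to whatever the role assumes and the server/peer certificates it generates would be unused on the wire; passing `etcd_url_scheme: https` and `etcd_peer_url_scheme: https` next to `etcd_peers` keeps the previous guarantee without depending on role defaults. The removed comment explaining that the first etcd host is configured before the others to avoid leader-election conflicts is also gone while all members are now configured in one play; if the role handles bootstrap ordering itself, a one-line note such as `# All members are configured in one play; the openshift_etcd role is expected to handle initial-cluster bootstrap ordering.` above the role would preserve that intent for the next reader.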
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 73b4bc594..7d2b44637 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -1,5 +1,5 @@
 ---
-- name: Set master facts and determine if external etcd certs need to be generated
+- name: Set master facts
   hosts: oo_masters_to_config
   vars:
     t_oo_option_master_debug_level: "{{ lookup('oo_option', 'openshift_master_debug_level') }}"
@@ -73,23 +73,6 @@
       openshift_env:
         openshift_hosted_registry_storage_kind: 'nfs'
     when: openshift_hosted_registry_storage_kind is not defined and groups.oo_nfs_to_config is defined and groups.oo_nfs_to_config | length > 0
-  - name: Check status of external etcd certificatees
-    stat:
-      path: "{{ openshift.common.config_base }}/master/{{ item }}"
-    with_items:
-    - master.etcd-client.crt
-    - master.etcd-ca.crt
-    register: g_external_etcd_cert_stat_result
-  - set_fact:
-      etcd_client_certs_missing: "{{ g_external_etcd_cert_stat_result.results
-                                    | oo_collect(attribute='stat.exists')
-                                    | list | intersect([false])}}"
-      etcd_cert_subdir: openshift-master-{{ openshift.common.hostname }}
-      etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
-      etcd_cert_prefix: master.etcd-
-      etcd_hostname: "{{ openshift.common.hostname }}"
-      etcd_ip: "{{ openshift.common.ip }}"
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
 
 - name: Create temp directory for syncing certs
   hosts: localhost
@@ -102,60 +85,6 @@
     register: g_master_mktemp
     changed_when: False
 
-- name: Configure etcd certificates
-  hosts: oo_first_etcd
-  vars:
-    etcd_generated_certs_dir: /etc/etcd/generated_certs
-    etcd_needing_client_certs: "{{ hostvars
-                                   | oo_select_keys(groups['oo_masters_to_config'])
-                                   | default([])
-                                   | oo_filter_list(filter_attr='etcd_client_certs_missing') }}"
-    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
-  roles:
-  - openshift_etcd_certificates
-  post_tasks:
-  - name: Create a tarball of the etcd certs
-    command: >
-      tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz
-        -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} .
-    args:
-      creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-  - name: Retrieve the etcd cert tarballs
-    fetch:
-      src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-      dest: "{{ sync_tmpdir }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-
-- name: Copy the external etcd certs to the masters
-  hosts: oo_masters_to_config
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
-  tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ openshift.common.config_base }}/master"
-      state: directory
-    when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-  - name: Unarchive the tarball on the master
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-  - file:
-      path: "{{ etcd_cert_config_dir }}/{{ item }}"
-      owner: root
-      group: root
-      mode: 0600
-    with_items:
-    - master.etcd-client.crt
-    - master.etcd-client.key
-    - master.etcd-ca.crt
-    when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-
 - name: Check for cached session secrets
   hosts: oo_first_master
   roles:
@@ -245,8 +174,6 @@
                                                     | union(groups['oo_etcd_to_config'] | default([])))
                                                 | oo_collect('openshift.common.hostname') | default([]) | join (',')
                                                 }}"
-    when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
-            openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
   - role: openshift_master_facts
   - role: openshift_hosted_facts
@@ -260,6 +187,12 @@
                                     | oo_select_keys(groups['oo_masters_to_config'] | default([]))
                                     | oo_collect('openshift.common.all_hostnames')
                                     | oo_flatten | unique }}"
+  - role: openshift_etcd_client_certificates
+    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+    etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+    etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+    etcd_cert_prefix: "master.etcd-"
+    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
   - role: openshift_clock
   - role: openshift_cloud_provider
   - role: openshift_builddefaults
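Review bot: The removed copy play explicitly set `owner: root`, `group: root` and `mode: 0600` on `master.etcd-client.key`, `master.etcd-client.crt` and `master.etcd-ca.crt`, while the new `openshift_etcd_client_certificates` role parameters carry no ownership or mode, so whether the client private key is still restricted now depends entirely on the role's internals, which this patch does not show. If the role does not enforce it, the key would be left with whatever permissions the role's copy/unarchive step produces; the role should be checked for an equivalent `file:` task, and if absent one should be added after the role with `mode: "0600"` on `{{ openshift.common.config_base }}/master/master.etcd-client.key`. The `when:` on the role is what keeps `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` from failing on inventories with no etcd group, which presumably relies on role parameters being templated lazily — worth a short comment so the guard is not dropped later. The enclosing role list of this play continues outside the hunk.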
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index fc6e57439..2e0ec2ca7 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -124,94 +124,17 @@
       when: openshift.node.use_openshift_sdn | bool
   - role: openshift_node
 
-- name: Gather and set facts for flannel certificatess
-  hosts: oo_nodes_to_config
-  tasks:
-  - name: Check status of flannel external etcd certificates
-    stat:
-      path: "{{ openshift.common.config_base }}/node/{{ item }}"
-    with_items:
-    - node.etcd-client.crt
-    - node.etcd-ca.crt
-    register: g_external_etcd_flannel_cert_stat_result
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config and (openshift.common.use_flannel | bool)
-  - set_fact:
-      etcd_client_flannel_certs_missing: "{{ False in g_external_etcd_flannel_cert_stat_result.results
-                                             | oo_collect(attribute='stat.exists')
-                                             | list }}"
-      etcd_cert_subdir: openshift-node-{{ openshift.common.hostname }}
-      etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
-      etcd_cert_prefix: node.etcd-
-      etcd_hostname: "{{ openshift.common.hostname }}"
-      etcd_ip: "{{ openshift.common.ip }}"
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config | length > 0 and (openshift.common.use_flannel | bool)
-
-- name: Configure flannel etcd certificates
-  hosts: oo_first_etcd
-  vars:
-    etcd_generated_certs_dir: /etc/etcd/generated_certs
-    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
-  pre_tasks:
-  - set_fact:
-      etcd_needing_client_certs: "{{ hostvars
-                                     | oo_select_keys(groups['oo_nodes_to_config'])
-                                     | oo_filter_list('etcd_client_flannel_certs_missing') | default([]) }}"
-  roles:
-  - role: openshift_etcd_certificates
-    when: openshift_use_flannel | default(false) | bool
-  post_tasks:
-  - name: Create a tarball of the etcd flannel certs
-    command: >
-      tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz
-        -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} .
-    args:
-      creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-  - name: Retrieve the etcd cert tarballs
-    fetch:
-      src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-      dest: "{{ sync_tmpdir }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-
-- name: Copy the external etcd flannel certs to the nodes
-  hosts: oo_nodes_to_config
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
-  tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ openshift.common.config_base }}/node"
-      state: directory
-    when: etcd_client_flannel_certs_missing | default(false) | bool
-  - name: Unarchive the tarball on the master
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_client_flannel_certs_missing | default(false) | bool
-  - file:
-      path: "{{ etcd_cert_config_dir }}/{{ item }}"
-      owner: root
-      group: root
-      mode: 0600
-    with_items:
-    - node.etcd-client.crt
-    - node.etcd-client.key
-    - node.etcd-ca.crt
-    when: etcd_client_flannel_certs_missing | default(false) | bool
-
-
 - name: Additional node config
   hosts: oo_nodes_to_config
   vars:
-    # TODO: Prefix flannel role variables.
     openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
-    etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}"
-    embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
   roles:
   - role: flannel
+    etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}"
+    embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
+    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+    etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}"
+    etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
     when: openshift.common.use_flannel | bool
   - role: nuage_node
     when: openshift.common.use_nuage | bool
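Review bot: The `flannel` role invocation passes `etcd_cert_subdir` and `etcd_cert_config_dir` but no `etcd_cert_prefix`, whereas the removed fact block set `etcd_cert_prefix: node.etcd-` and the node-side files were expected as `node.etcd-client.crt` / `node.etcd-ca.crt`; the parallel master change in this same commit does pass `etcd_cert_prefix: "master.etcd-"` explicitly. Unless the flannel role (or the certificate role it delegates to) defaults the prefix to `node.etcd-`, the client certificate files would be written under a different name than flannel reads, so `etcd_cert_prefix: "node.etcd-"` should be added next to `etcd_cert_config_dir` for consistency with the master play. The new `when:` also drops the removed guard that `groups.oo_etcd_to_config` is defined and non-empty, so `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` may raise an undefined-variable error on a flannel deployment that uses embedded etcd if the role dereferences it; the old condition should be carried into this `when:` or the role should tolerate the group being absent. As with the master, the removed `mode: 0600` on `node.etcd-client.key` is no longer enforced here and should be confirmed inside the role.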