blob: 5f008a045a5af0d39b96391b1af4e850fc1f5981 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
|
---
- include: evaluate_groups.yml
- include: initialize_facts.yml
- include: initialize_openshift_version.yml
- name: Load openshift_facts
hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
roles:
- openshift_facts
- name: Redeploy etcd certificates
hosts: oo_etcd_to_config
any_errors_fatal: true
vars:
etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
etcd_conf_dir: /etc/etcd
etcd_generated_certs_dir: "{{ etcd_conf_dir }}/generated_certs"
pre_tasks:
- stat:
path: "{{ etcd_generated_certs_dir }}"
register: etcd_generated_certs_dir_stat
- name: Backup etcd certificates
command: >
tar -czvf /etc/etcd/etcd-certificate-backup-{{ ansible_date_time.epoch }}.tgz
{{ etcd_conf_dir }}/ca.crt
{{ etcd_conf_dir }}/ca
{{ etcd_generated_certs_dir }}
when: etcd_generated_certs_dir_stat.stat.exists
delegate_to: "{{ etcd_ca_host }}"
run_once: true
- name: Remove existing etcd certificates
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ etcd_conf_dir }}/ca.crt"
- "{{ etcd_conf_dir }}/ca"
- "{{ etcd_generated_certs_dir }}"
roles:
- role: openshift_etcd_server_certificates
etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
etcd_certificates_redeploy: true
- name: Redeploy master certificates
hosts: oo_masters_to_config
any_errors_fatal: true
vars:
openshift_ca_host: "{{ groups.oo_first_master.0 }}"
openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
pre_tasks:
# set_fact task copied from playbooks/common/openshift-master/config.yml
# so that openshift_master_default_subdomain has a default value of ""
# (emptry string). openshift_master_default_subdomain must have a default
# value for openshift_master_facts to set metrics_public_url.
# TODO: clean this up.
- set_fact:
openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
when: openshift_master_default_subdomain is not defined
- stat:
path: "{{ openshift_generated_configs_dir }}"
register: openshift_generated_configs_dir_stat
- name: Backup generated certificate and config directories
command: >
tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
{{ openshift_generated_configs_dir }}
{{ openshift.common.config_base }}/master
when: openshift_generated_configs_dir_stat.stat.exists
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Remove generated certificate directories
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ openshift_generated_configs_dir }}"
- name: Remove generated certificates
file:
path: "{{ openshift.common.config_base }}/master/{{ item }}"
state: absent
with_items:
- "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false) }}"
- "etcd.server.crt"
- "etcd.server.key"
- "master.etcd-client.crt"
- "master.etcd-client.key"
- "master.server.crt"
- "master.server.key"
- "openshift-master.crt"
- "openshift-master.key"
- "openshift-master.kubeconfig"
- name: Remove CA certificate
file:
path: "{{ openshift.common.config_base }}/master/{{ item }}"
state: absent
when: openshift_certificates_redeploy_ca | default(false) | bool
with_items:
- "ca.crt"
- "ca.key"
- "ca.serial.txt"
- "ca-bundle.crt"
roles:
- role: openshift_master_certificates
openshift_master_etcd_hosts: "{{ hostvars
| oo_select_keys(groups['oo_etcd_to_config'] | default([]))
| oo_collect('openshift.common.hostname')
| default(none, true) }}"
openshift_master_hostnames: "{{ hostvars
| oo_select_keys(groups['oo_masters_to_config'] | default([]))
| oo_collect('openshift.common.all_hostnames')
| oo_flatten | unique }}"
openshift_certificates_redeploy: true
- role: openshift_etcd_client_certificates
etcd_certificates_redeploy: true
etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
etcd_cert_prefix: "master.etcd-"
when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
- name: Redeploy node certificates
hosts: oo_nodes_to_config
any_errors_fatal: true
pre_tasks:
- name: Remove CA certificate
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ openshift.common.config_base }}/node/ca.crt"
roles:
- role: openshift_node_certificates
openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
openshift_ca_host: "{{ groups.oo_first_master.0 }}"
openshift_certificates_redeploy: true
- name: Restart etcd
hosts: oo_etcd_to_config
tasks:
- name: restart etcd
service:
name: "{{ 'etcd' if not openshift.common.is_containerized | bool else 'etcd_container' }}"
state: restarted
- name: Stop master services
hosts: oo_masters_to_config
vars:
openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
tasks:
- name: stop master
service: name={{ openshift.common.service_type }}-master state=stopped
when: not openshift_master_ha | bool
- name: stop master api
service: name={{ openshift.common.service_type }}-master-api state=stopped
when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
- name: stop master controllers
service: name={{ openshift.common.service_type }}-master-controllers state=stopped
when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
- name: Start master services
hosts: oo_masters_to_config
serial: 1
vars:
openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
tasks:
- name: start master
service: name={{ openshift.common.service_type }}-master state=started
when: not openshift_master_ha | bool
- name: start master api
service: name={{ openshift.common.service_type }}-master-api state=started
when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
- name: start master controllers
service: name={{ openshift.common.service_type }}-master-controllers state=started
when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
- name: Restart masters (pacemaker)
hosts: oo_first_master
vars:
openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
tasks:
- name: restart master
command: pcs resource restart master
when: openshift_master_ha | bool and openshift_master_cluster_method == 'pacemaker'
- name: Restart nodes
hosts: oo_nodes_to_config
tasks:
- name: restart node
service: name={{ openshift.common.service_type }}-node state=restarted
- name: Copy admin client config(s)
hosts: oo_first_master
tasks:
- name: Create temp directory for kubeconfig
command: mktemp -d /tmp/openshift-ansible-XXXXXX
register: mktemp
changed_when: False
- name: Copy admin client config(s)
command: >
cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
changed_when: False
- name: Serially evacuate all nodes to trigger redeployments
hosts: oo_nodes_to_config
serial: 1
any_errors_fatal: true
tasks:
- name: Determine if node is currently scheduleable
command: >
{{ openshift.common.client_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
get node {{ openshift.node.nodename }} -o json
register: node_output
when: openshift_certificates_redeploy_ca | default(false) | bool
delegate_to: "{{ groups.oo_first_master.0 }}"
changed_when: false
- set_fact:
was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}"
when: openshift_certificates_redeploy_ca | default(false) | bool
- name: Prepare for node evacuation
command: >
{{ openshift.common.client_binary }} adm --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
manage-node {{ openshift.node.nodename }}
--schedulable=false
delegate_to: "{{ groups.oo_first_master.0 }}"
when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
- name: Evacuate node
command: >
{{ openshift.common.client_binary }} adm --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
manage-node {{ openshift.node.nodename }}
--evacuate --force
delegate_to: "{{ groups.oo_first_master.0 }}"
when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
- name: Set node schedulability
command: >
{{ openshift.common.client_binary }} adm --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
manage-node {{ openshift.node.nodename }} --schedulable=true
delegate_to: "{{ groups.oo_first_master.0 }}"
when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
- name: Delete temporary directory
hosts: oo_first_master
tasks:
- name: Delete temp directory
file:
name: "{{ mktemp.stdout }}"
state: absent
changed_when: False
|
