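---
# Deploys the Contiv API proxy on an OpenShift cluster: a service account
# allowed to use the hostnetwork SCC, a TLS secret (either a user-supplied
# cert/key pair or a generated self-signed one) and the api-proxy daemonset.
# Every task is run_once; tasks that create, read or remove files in the temp
# directory are delegated to the first master so they all see the same files.
- name: API proxy | Create contiv-api-proxy openshift user
  oc_serviceaccount:
    state: present
    name: contiv-api-proxy
    namespace: kube-system
  run_once: true

- name: API proxy | Set contiv-api-proxy openshift user permissions
  oc_adm_policy_user:
    user: system:serviceaccount:kube-system:contiv-api-proxy
    resource_kind: scc
    resource_name: hostnetwork
    state: present
  run_once: true

- name: API proxy | Create temp directory for doing work
  command: mktemp -d /tmp/openshift-contiv-XXXXXX
  register: mktemp
  # Creating a scratch directory is not a meaningful change to the host.
  changed_when: false
  # For things that pass temp files between steps, we want to make sure they
  # run on the same node.
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

- name: API proxy | Check for existing api proxy secret volume
  oc_obj:
    namespace: kube-system
    kind: secret
    state: list
    selector: "name=contiv-api-proxy-secret"
  register: existing_secret_volume
  run_once: true

# A self-signed pair is generated only when the user supplied neither a cert
# nor a key AND no secret matching the selector above exists yet, so an
# existing secret is never replaced by a freshly generated one. The key is
# written unencrypted (-nodes) because it is loaded into the secret as-is.
- name: API proxy | Generate a self signed certificate for api proxy
  command: >-
    openssl req -new -nodes -x509 -subj "/C=US/ST=/L=/O=/CN=localhost"
    -days 3650 -keyout "{{ mktemp.stdout }}/key.pem"
    -out "{{ mktemp.stdout }}/cert.pem" -extensions v3_ca
  when: >-
    (contiv_api_proxy_cert is not defined or contiv_api_proxy_key is not defined)
    and not existing_secret_volume.results.results[0]['items']
  register: created_self_signed_cert
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

- name: API proxy | Read self signed certificate file
  command: cat "{{ mktemp.stdout }}/cert.pem"
  register: generated_cert
  when: created_self_signed_cert.changed
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

# The private key lands in a registered variable; no_log keeps it out of the
# play output, verbose module results and callback logs.
- name: API proxy | Read self signed key file
  command: cat "{{ mktemp.stdout }}/key.pem"
  register: generated_key
  no_log: true
  when: created_self_signed_cert.changed
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

# Both template tasks render the key into the task vars and into the file in
# the temp directory, so their output (including --diff) is suppressed.
- name: API proxy | Create api-proxy-secrets.yml from template using generated cert
  template:
    src: api-proxy-secrets.yml.j2
    dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml"
  vars:
    key: "{{ generated_key.stdout }}"
    cert: "{{ generated_cert.stdout }}"
  no_log: true
  when: created_self_signed_cert.changed
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

- name: API proxy | Create api-proxy-secrets.yml from template using user defined cert
  template:
    src: api-proxy-secrets.yml.j2
    dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml"
  vars:
    key: "{{ lookup('file', contiv_api_proxy_key) }}"
    cert: "{{ lookup('file', contiv_api_proxy_cert) }}"
  no_log: true
  when: contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

# Runs whenever a secrets file was rendered above (user-supplied pair or a
# newly generated one); the module result can echo the secret, hence no_log.
- name: API proxy | Create secret certificate volume
  oc_obj:
    state: present
    namespace: kube-system
    kind: secret
    name: contiv-api-proxy-secret
    files:
      - "{{ mktemp.stdout }}/api-proxy-secrets.yml"
  no_log: true
  when: >-
    (contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined)
    or created_self_signed_cert.changed
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

- name: API proxy | Create api-proxy-daemonset.yml from template
  template:
    src: api-proxy-daemonset.yml.j2
    dest: "{{ mktemp.stdout }}/api-proxy-daemonset.yml"
  vars:
    etcd_host: "etcd://{{ groups.oo_etcd_to_config.0 }}:{{ contiv_etcd_port }}"
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

# Always "import" this file, k8s won't do anything if it matches exactly what
# is already in the cluster.
- name: API proxy | Add API proxy daemonset
  oc_obj:
    state: present
    namespace: kube-system
    kind: daemonset
    name: contiv-api-proxy
    files:
      - "{{ mktemp.stdout }}/api-proxy-daemonset.yml"
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true

# NOTE(review): this is a plain sequential task, not a block/always, so the
# temp directory (holding key.pem and the rendered secrets file) is left
# behind on the delegated master if any task above fails — confirm whether a
# block/always wrapper is wanted.
- name: API proxy | Delete temp directory
  file:
    path: "{{ mktemp.stdout }}"
    state: absent
  changed_when: false
  delegate_to: "{{ groups.oo_masters_to_config.0 }}"
  run_once: true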