blob: fad1ff5de92eca0751edc5e12b9f073e64cb58aa (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
---
- fail:
msg: "openshift_ca_host variable must be defined for this role"
when: openshift_ca_host is not defined
- fail:
msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate)
- name: Install the base package for admin tooling
package:
name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
state: present
when: not openshift.common.is_containerized | bool
register: install_result
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Reload generated facts
openshift_facts:
when: hostvars[openshift_ca_host].install_result | changed
- name: Create openshift_ca_config_dir if it does not exist
file:
path: "{{ openshift_ca_config_dir }}"
state: directory
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Determine if CA must be created
stat:
path: "{{ openshift_ca_config_dir }}/{{ item }}"
register: g_master_ca_stat_result
with_items:
- ca-bundle.crt
- ca.crt
- ca.key
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- set_fact:
master_ca_missing: "{{ False in (g_master_ca_stat_result.results
| oo_collect(attribute='stat.exists')
| list) }}"
run_once: true
- name: Retain original serviceaccount keys
copy:
src: "{{ item }}"
dest: "{{ item }}.keep"
remote_src: true
with_items:
- "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
- "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
when: openshift_certificates_redeploy | default(false) | bool
- name: Deploy master ca certificate
copy:
src: "{{ item.src }}"
dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
force: no
with_items:
- src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
dest: ca.crt
- src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
dest: ca.key
when: openshift_master_ca_certificate is defined
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Create ca serial
copy:
content: "00"
dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
force: "{{ openshift_certificates_redeploy | default(false) | bool }}"
when: openshift_master_ca_certificate is defined
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- find:
paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
patterns: ".*-ca.crt"
use_regex: true
register: g_master_legacy_ca_result
# This should NOT replace the CA due to --overwrite=false when a CA already exists.
- name: Create the master certificates if they do not already exist
command: >
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
{% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
--certificate-authority {{ legacy_ca_certificate }}
{% endfor %}
--hostnames={{ hostvars[openshift_ca_host].openshift.common.all_hostnames | join(',') }}
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
--cert-dir={{ openshift_ca_config_dir }}
{% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_master_cert_expire_days }}
--signer-expire-days={{ openshift_ca_cert_expire_days }}
{% endif %}
--overwrite=false
when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Test local loopback context
command: >
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} config view
--config={{ openshift_master_loopback_config }}
changed_when: false
register: loopback_config
delegate_to: "{{ openshift_ca_host }}"
run_once: true
# create-api-client-config generates a ca.crt file which will
# overwrite the OpenShift CA certificate. Generate the loopback
# kubeconfig in a temporary directory and then copy files into the
# master config dir to avoid overwriting ca.crt.
- block:
- name: Create temp directory for loopback master client config
command: mktemp -d /tmp/openshift-ansible-XXXXXX
register: openshift_ca_loopback_tmpdir
- name: Generate the loopback master client config
command: >
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
--certificate-authority={{ openshift_ca_cert }}
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
--client-dir={{ openshift_ca_loopback_tmpdir.stdout }}
--groups=system:masters,system:openshift-master
--master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
--public-master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
--user=system:openshift-master
--basename=openshift-master
{% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_master_cert_expire_days }}
{% endif %}
- name: Copy generated loopback master client config to master config dir
copy:
src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}"
dest: "{{ openshift_ca_config_dir }}"
remote_src: true
with_items:
- openshift-master.crt
- openshift-master.key
- openshift-master.kubeconfig
- name: Delete temp directory
file:
name: "{{ openshift_ca_loopback_tmpdir.stdout }}"
state: absent
when: loopback_context_string not in loopback_config.stdout
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Restore original serviceaccount keys
copy:
src: "{{ item }}.keep"
dest: "{{ item }}"
remote_src: true
with_items:
- "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
- "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
when: openshift_certificates_redeploy | default(false) | bool
- name: Remove backup serviceaccount keys
file:
path: "{{ item }}.keep"
state: absent
with_items:
- "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
- "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
when: openshift_certificates_redeploy | default(false) | bool
|