blob: 00cabe574ff3cc76fd311a1d86dd747ed0250675 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
|
---
- set_fact:
openshift_master_certs_no_etcd:
- admin.crt
- master.kubelet-client.crt
- master.proxy-client.crt
- master.server.crt
- openshift-master.crt
- openshift-registry.crt
- openshift-router.crt
- etcd.server.crt
openshift_master_certs_etcd:
- master.etcd-client.crt
- set_fact:
openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
- name: Check status of master certificates
stat:
path: "{{ openshift_master_config_dir }}/{{ item }}"
with_items:
- "{{ openshift_master_certs }}"
register: g_master_cert_stat_result
when: not openshift_certificates_redeploy | default(false) | bool
- set_fact:
master_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
else (False in (g_master_cert_stat_result.results
| default({})
| lib_utils_oo_collect(attribute='stat.exists')
| list)) }}"
- name: Ensure the generated_configs directory present
file:
path: "{{ openshift_master_generated_config_dir }}"
state: directory
mode: 0700
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"
- find:
paths: "{{ openshift_master_config_dir }}/legacy-ca/"
patterns: ".*-ca.crt"
use_regex: true
register: g_master_legacy_ca_result
delegate_to: "{{ openshift_ca_host }}"
- name: Create the master server certificate
command: >
{{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm ca create-server-cert
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
{% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
--certificate-authority {{ legacy_ca_certificate }}
{% endfor %}
--hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
--cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
--key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
--expire-days={{ openshift_master_cert_expire_days }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
--overwrite=false
when: item != openshift_ca_host
with_items: "{{ hostvars
| lib_utils_oo_select_keys(groups['oo_masters_to_config'])
| lib_utils_oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}"
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- name: Generate the loopback master client config
command: >
{{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm create-api-client-config
--certificate-authority={{ openshift_ca_cert }}
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
--client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
--groups=system:masters,system:openshift-master
--master={{ hostvars[item].openshift.master.loopback_api_url }}
--public-master={{ hostvars[item].openshift.master.loopback_api_url }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
--user=system:openshift-master
--basename=openshift-master
--expire-days={{ openshift_master_cert_expire_days }}
args:
creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
with_items: "{{ hostvars
| lib_utils_oo_select_keys(groups['oo_masters_to_config'])
| lib_utils_oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}"
when: item != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"
run_once: true
- file:
src: "{{ openshift_master_config_dir }}/{{ item }}"
dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
state: hard
force: true
with_items:
- "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"
- name: Remove generated etcd client certs when using external etcd
file:
path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
state: absent
when: openshift_master_etcd_hosts | length > 0
with_items:
- master.etcd-client.crt
- master.etcd-client.key
delegate_to: "{{ openshift_ca_host }}"
- name: Create local temp directory for syncing certs
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
register: g_master_certs_mktemp
changed_when: False
when: master_certs_missing | bool
become: no
- name: Create a tarball of the master certs
command: >
tar -czvf {{ openshift_master_generated_config_dir }}.tgz
-C {{ openshift_master_generated_config_dir }} .
args:
creates: "{{ openshift_master_generated_config_dir }}.tgz"
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"
- name: Retrieve the master cert tarball from the master
fetch:
src: "{{ openshift_master_generated_config_dir }}.tgz"
dest: "{{ g_master_certs_mktemp.stdout }}/"
flat: yes
fail_on_missing: yes
validate_checksum: yes
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"
- name: Ensure certificate directory exists
file:
path: "{{ openshift_master_config_dir }}"
state: directory
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- name: Unarchive the tarball on the master
unarchive:
src: "{{ g_master_certs_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
dest: "{{ openshift_master_config_dir }}"
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- name: Delete local temp directory
local_action: file path="{{ g_master_certs_mktemp.stdout }}" state=absent
changed_when: False
when: master_certs_missing | bool
become: no
- name: Lookup default group for ansible_ssh_user
command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}"
changed_when: false
register: _ansible_ssh_user_gid
- set_fact:
client_users: "{{ [ansible_ssh_user, 'root'] | unique }}"
- name: Create the client config dir(s)
file:
path: "~{{ item }}/.kube"
state: directory
mode: 0700
owner: "{{ item }}"
group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
with_items: "{{ client_users }}"
# TODO: Update this file if the contents of the source file are not present in
# the dest file, will need to make sure to ignore things that could be added
- name: Copy the admin client config(s)
copy:
src: "{{ openshift_master_config_dir }}/admin.kubeconfig"
dest: "~{{ item }}/.kube/config"
remote_src: yes
force: "{{ openshift_certificates_redeploy | default(false) }}"
with_items: "{{ client_users }}"
- name: Update the permissions on the admin client config(s)
file:
path: "~{{ item }}/.kube/config"
state: file
mode: 0700
owner: "{{ item }}"
group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
with_items: "{{ client_users }}"
# Ensure ca-bundle exists for 3.2+ configuration
- name: Check for ca-bundle.crt
stat:
path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
register: ca_bundle_stat
failed_when: false
- name: Check for ca.crt
stat:
path: "{{ openshift.common.config_base }}/master/ca.crt"
register: ca_crt_stat
failed_when: false
- name: Migrate ca.crt to ca-bundle.crt
command: mv ca.crt ca-bundle.crt
args:
chdir: "{{ openshift.common.config_base }}/master"
when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
- name: Link ca.crt to ca-bundle.crt
file:
src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
path: "{{ openshift.common.config_base }}/master/ca.crt"
state: link
when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
|