---
# Certificate files every master is expected to have. The etcd client cert is
# kept in its own list and merged in by the next task only when external etcd
# hosts are configured.
- set_fact:
    openshift_master_certs_no_etcd:
      - admin.crt
      - master.kubelet-client.crt
      # Only listed on >= 3.1 / 1.1; relies on the omit placeholder being
      # dropped from the set_fact argument list on older versions — confirm.
      - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
      - master.server.crt
      - openshift-master.crt
      - openshift-registry.crt
      - openshift-router.crt
      - etcd.server.crt
    openshift_master_certs_etcd:
      - master.etcd-client.crt
# Full list of certs to check: the etcd client cert is appended only when
# external etcd hosts exist.
- set_fact:
    openshift_master_certs: >-
      {{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd))
      if openshift_master_etcd_hosts | length > 0
      else openshift_master_certs_no_etcd }}
# Stat each expected cert on this master. Skipped entirely on a forced
# redeploy; the follow-up set_fact short-circuits on the same flag, so the
# unset register is never read in that case.
- name: Check status of master certificates
  stat:
    path: "{{ openshift_master_config_dir }}/{{ item }}"
  register: g_master_cert_stat_result
  with_items:
    - "{{ openshift_master_certs }}"
  when: not openshift_certificates_redeploy | default(false) | bool
# master_certs_missing drives every generate/sync task below: true when a
# redeploy is forced, otherwise true when any stat above reported a missing
# file (False is the Jinja/Python literal, compared against the exists flags).
- set_fact:
    master_certs_missing: >-
      {{ true if openshift_certificates_redeploy | default(false) | bool
      else (False in (g_master_cert_stat_result.results
      | default({})
      | oo_collect(attribute='stat.exists')
      | list)) }}
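# Scratch dir on the CA host where this master's cert set is generated before
# being packaged; 0700 keeps the key material it will hold owner-only.
- name: Ensure the generated_configs directory present
  file:
    path: "{{ openshift_master_generated_config_dir }}"
    state: directory
    # Quoted so the mode is an octal string under both YAML 1.1 and 1.2
    # parsers; an unquoted 0700 is only octal under YAML 1.1.
    mode: "0700"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"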
# Hard-link the CA material into the generated dir, presumably so that
# create-master-certs reuses the existing cluster CA.
# NOTE(review): ca.key is linked here and so becomes part of the tarball
# packaged from this directory below — confirm that distributing the CA
# private key to every master is intended.
- file:
    src: "{{ openshift_master_config_dir }}/{{ item }}"
    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: hard
  delegate_to: "{{ openshift_ca_host }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  with_items:
    - ca.crt
    - ca.key
    - ca.serial.txt
# Generate this master's cert set on the CA host. Each named-certificate CA
# file is passed via --certificate-authority; --overwrite=false presumably
# leaves files already present in the cert dir untouched.
- name: Create the master certificates if they do not already exist
  command: >
    {{ openshift.common.admin_binary }} create-master-certs
    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    --hostnames={{ openshift.common.all_hostnames | join(',') }}
    --master={{ openshift.master.api_url }}
    --public-master={{ openshift.master.public_api_url }}
    --cert-dir={{ openshift_master_generated_config_dir }}
    --overwrite=false
  delegate_to: "{{ openshift_ca_host }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
# Link every cert/key this host should receive into the generated dir. The
# set comes from the certificates_to_synchronize filter over this host's
# hostvars; force presumably replaces whatever create-master-certs left.
- file:
    src: "{{ openshift_master_config_dir }}/{{ item }}"
    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: hard
    force: true
  delegate_to: "{{ openshift_ca_host }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  with_items:
    - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
# With external etcd the generated client cert/key are dropped before the set
# is packaged; the ones actually used are presumably provided elsewhere, since
# master.etcd-client.crt is still in the list checked above.
- name: Remove generated etcd client certs when using external etcd
  file:
    path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: absent
  with_items:
    - master.etcd-client.crt
    - master.etcd-client.key
  delegate_to: "{{ openshift_ca_host }}"
  when: openshift_master_etcd_hosts | length > 0
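# Staging area on the control host for the fetched tarball; mktemp -d creates
# it owner-only. Runs unprivileged on localhost, so the dir belongs to the
# user running ansible and is removed by that same user later.
- name: Create local temp directory for syncing certs
  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
  register: g_master_mktemp
  # Canonical lowercase booleans instead of YAML 1.1-only False / no.
  changed_when: false
  when: master_certs_missing | bool
  delegate_to: localhost
  become: false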
# Package the generated cert set on the CA host.
# NOTE(review): creates: skips the tar when a tarball from an earlier run is
# still present, so a redeploy (master_certs_missing forced true) may fetch
# stale contents — confirm the tarball is removed elsewhere first.
- name: Create a tarball of the master certs
  command: >
    tar -czvf {{ openshift_master_generated_config_dir }}.tgz
    -C {{ openshift_master_generated_config_dir }} .
  args:
    creates: "{{ openshift_master_generated_config_dir }}.tgz"
  delegate_to: "{{ openshift_ca_host }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
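# Pull the tarball back into the control-host staging dir. flat drops the
# hostname/path prefix fetch would otherwise add; validate_checksum rejects a
# transfer whose content does not match the source.
- name: Retrieve the master cert tarball from the master
  fetch:
    src: "{{ openshift_master_generated_config_dir }}.tgz"
    dest: "{{ g_master_mktemp.stdout }}/"
    # Canonical lowercase booleans instead of YAML 1.1-only yes.
    flat: true
    fail_on_missing: true
    validate_checksum: true
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"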
# Target dir on this master for the extracted certs.
# NOTE(review): no mode is given, so a newly created dir gets the remote
# umask default; the extracted files presumably keep the modes in the tarball.
- name: Ensure certificate directory exists
  file:
    state: directory
    path: "{{ openshift_master_config_dir }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
# Push the fetched tarball from the staging dir and extract it in place.
# Assumes the basename of openshift_master_generated_config_dir equals
# openshift_master_cert_subdir, the name fetch (flat) saved it under — TODO
# confirm.
- name: Unarchive the tarball on the master
  unarchive:
    dest: "{{ openshift_master_config_dir }}"
    src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
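# Clean up the control-host staging dir (and the fetched tarball in it) as the
# same unprivileged user that created it.
- name: Remove the local temp directory used for syncing certs
  file:
    # Block form instead of the key=value shorthand; name is an alias of path.
    path: "{{ g_master_mktemp.stdout }}"
    state: absent
  changed_when: false
  when: master_certs_missing | bool
  delegate_to: localhost
  become: false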
# Resolve the login user's primary gid for the chown of the client config
# below. command (not shell) executes id directly, so the user name is passed
# as a plain argument rather than interpolated into a shell line.
- name: Lookup default group for ansible_ssh_user
  command: "/usr/bin/id -g {{ ansible_ssh_user }}"
  register: _ansible_ssh_user_gid
  changed_when: false
# Users that receive a copy of the admin kubeconfig; unique collapses the list
# when ansible_ssh_user is already root.
- set_fact:
    client_users: "{{ [ansible_ssh_user, 'root'] | unique }}"
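# Per-user ~/.kube, owner-only, owned by the user with the group resolved above.
- name: Create the client config dir(s)
  file:
    path: "~{{ item }}/.kube"
    state: directory
    # Quoted so the mode is an octal string under both YAML 1.1 and 1.2 parsers.
    mode: "0700"
    owner: "{{ item }}"
    # root's own group for root; the looked-up primary gid for the login user.
    group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
  with_items: "{{ client_users }}"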
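# TODO: Update this file if the contents of the source file are not present in
# the dest file, will need to make sure to ignore things that could be added
# admin.kubeconfig presumably carries cluster-admin credentials. It is copied
# within the remote host (remote_src) and, with force off by default, only
# overwritten when a redeploy is forced, so an existing ~/.kube/config
# otherwise survives. The task after this one tightens the file mode.
- name: Copy the admin client config(s)
  copy:
    src: "{{ openshift_master_config_dir }}/admin.kubeconfig"
    dest: "~{{ item }}/.kube/config"
    # Canonical lowercase boolean instead of YAML 1.1-only yes.
    remote_src: true
    force: "{{ openshift_certificates_redeploy | default(false) }}"
  with_items: "{{ client_users }}"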
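# Restrict the copied kubeconfig to its owner and set ownership to match the
# ~/.kube directory created above.
- name: Update the permissions on the admin client config(s)
  file:
    path: "~{{ item }}/.kube/config"
    state: file
    # Quoted so the mode is an octal string under both YAML 1.1 and 1.2 parsers.
    # NOTE(review): owner-only as intended, but a kubeconfig needs no execute
    # bit; "0600" would be the least-privilege choice. Left at 0700 so the
    # applied mode is unchanged.
    mode: "0700"
    owner: "{{ item }}"
    group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
  with_items: "{{ client_users }}"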