---
- name: Ensure CA certificate exists on openshift_ca_host
  # Runs a single time on the CA host; the registered result is read by
  # the fail task that follows.
  delegate_to: '{{ openshift_ca_host }}'
  run_once: true
  stat:
    path: '{{ openshift_ca_cert }}'
  register: g_ca_cert_stat_result
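- name: Fail if the CA certificate is missing on openshift_ca_host
  fail:
    msg: >
      CA certificate {{ openshift_ca_cert }} doesn't exist on CA host
      {{ openshift_ca_host }}. Apply 'openshift_ca' role to
      {{ openshift_ca_host }}.
  # g_ca_cert_stat_result is registered by the stat task above, which
  # ran once on the CA host.
  when: not g_ca_cert_stat_result.stat.exists | bool
  run_once: true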
- name: Check status of node certificates
  # Skipped entirely when a redeploy is requested; the set_fact task
  # below then forces node_certs_missing to true regardless.
  when: not openshift_certificates_redeploy | default(false) | bool
  stat:
    path: '{{ openshift.common.config_base }}/node/{{ item }}'
  with_items:
    - 'system:node:{{ openshift.common.hostname }}.crt'
    - 'system:node:{{ openshift.common.hostname }}.key'
    - 'system:node:{{ openshift.common.hostname }}.kubeconfig'
    - 'ca.crt'
    - 'server.key'
    - 'server.crt'
  register: g_node_cert_stat_result
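- name: Determine whether node certificates must be (re)generated
  # true when a redeploy is forced, otherwise true if any file checked by
  # the stat task above is absent. default({}) guards the case where that
  # stat task was skipped and no results were registered.
  set_fact:
    node_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
                            else (False in (g_node_cert_stat_result.results
                                            | default({})
                                            | oo_collect(attribute='stat.exists')
                                            | list)) }}"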
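- name: Create openshift_generated_configs_dir if it does not exist
  file:
    path: "{{ openshift_generated_configs_dir }}"
    state: directory
    # Quoted so the leading-zero octal is passed to the module as-is
    # rather than re-typed by the YAML parser. 0700 because the generated
    # node client config and server key are written under this directory.
    mode: "0700"
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"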
- name: Generate the node client config
  # Runs on the CA host. Issues the node's client credentials for the
  # identity system:node:<hostname> in group system:nodes, signed with the
  # cluster CA key/cert/serial, into openshift_node_generated_config_dir.
  # Each cafile from the master's named_certificates (if any) is passed as
  # an extra --certificate-authority before the cluster CA itself.
  command: >
    {{ openshift.common.admin_binary }} create-api-client-config
    {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    --certificate-authority={{ openshift_ca_cert }}
    --client-dir={{ openshift_node_generated_config_dir }}
    --groups=system:nodes
    --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
    --signer-cert={{ openshift_ca_cert }}
    --signer-key={{ openshift_ca_key }}
    --signer-serial={{ openshift_ca_serial }}
    --user=system:node:{{ openshift.common.hostname }}
  args:
    # NOTE(review): creates skips this task whenever the client dir already
    # exists, even when node_certs_missing was forced by a redeploy;
    # confirm that a redeploy clears the directory before this point.
    creates: "{{ openshift_node_generated_config_dir }}"
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"
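- name: Generate the node server certificate
  # Runs on the CA host. Issues the node's serving certificate for all of
  # its hostnames, signed with the cluster CA key/cert/serial.
  # NOTE(review): --key is written under
  # openshift_generated_configs_dir/node-<hostname> while --cert uses
  # openshift_node_generated_config_dir; the tarball task below archives
  # only the latter, so the two paths must resolve to the same directory
  # for server.key to reach the node -- confirm against the role defaults.
  command: >
    {{ openshift.common.admin_binary }} ca create-server-cert
    --cert={{ openshift_node_generated_config_dir }}/server.crt
    --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
    --overwrite=true
    --hostnames={{ openshift.common.all_hostnames | join(",") }}
    --signer-cert={{ openshift_ca_cert }}
    --signer-key={{ openshift_ca_key }}
    --signer-serial={{ openshift_ca_serial }}
  args:
    creates: "{{ openshift_node_generated_config_dir }}/server.crt"
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"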
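- name: Create local temp directory for syncing certs
  # Staging directory on the control node for the fetched tarball, which
  # carries the node's private keys; it is removed by the cleanup task
  # below once the node has unarchived it. mktemp -d creates it
  # accessible only to the invoking user.
  # Plain command + delegate_to replaces local_action; the two were
  # redundant and the explicit form matches the cleanup task.
  command: mktemp -d /tmp/openshift-ansible-XXXXXXX
  register: node_cert_mktemp
  changed_when: false
  when: node_certs_missing | bool
  delegate_to: localhost
  become: false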
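- name: Create a tarball of the node config directories
  # The archive holds the generated node credentials, private keys
  # included. Because of the creates: guard it is built once and then
  # stays on the CA host next to the generated directory; it is the
  # artifact fetched to the control node by the next task.
  command: >
    tar -czvf {{ openshift_node_generated_config_dir }}.tgz
    --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
    -C {{ openshift_node_generated_config_dir }} .
  args:
    creates: "{{ openshift_node_generated_config_dir }}.tgz"
    # Disables the following warning:
    # Consider using unarchive module rather than running tar
    warn: false
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"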
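- name: Retrieve the node config tarballs from the master
  # Pulls the tarball from the CA host into the control-node temp dir.
  fetch:
    src: "{{ openshift_node_generated_config_dir }}.tgz"
    dest: "{{ node_cert_mktemp.stdout }}/"
    # flat: store just the basename under dest, no per-host subdirectory
    flat: true
    fail_on_missing: true
    validate_checksum: true
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"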
- name: Ensure certificate directory exists
  when: node_certs_missing | bool
  file:
    state: directory
    # NOTE(review): no mode is given, so a newly created directory
    # presumably takes the umask default; the unarchive task below places
    # the node's private keys inside it -- confirm the resulting mode.
    path: '{{ openshift_node_cert_dir }}'
- name: Unarchive the tarball on the node
  when: node_certs_missing | bool
  unarchive:
    dest: '{{ openshift_node_cert_dir }}'
    # Copied from the control node's temp dir (remote_src is not set).
    # NOTE(review): this assumes the fetched file's basename,
    # i.e. basename(openshift_node_generated_config_dir).tgz, equals
    # openshift_node_cert_subdir.tgz -- confirm against the role defaults.
    src: '{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz'
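- name: Remove local temp directory used for syncing certs
  # Block-style module args instead of the key=value string. Deletes the
  # staging directory, and with it the fetched tarball holding the node's
  # private keys.
  file:
    path: "{{ node_cert_mktemp.stdout }}"
    state: absent
  changed_when: false
  when: node_certs_missing | bool
  delegate_to: localhost
  become: false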
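- name: Copy OpenShift CA to system CA trust
  # Installs the cluster CA certificate (already unarchived on the node)
  # into the system trust anchors; the handler rebuilds the trust store.
  copy:
    src: "{{ item.cert }}"
    dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
    # Source file lives on the node itself, not on the control node.
    remote_src: true
  with_items:
    - id: openshift
      cert: "{{ openshift_node_cert_dir }}/ca.crt"
  notify:
    - update ca trust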