blob: 3e5897ba441aaaba7c8cb7f4fc59743f484f6825 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
---
# TODO: this currently has a bug where hostnames are required
- name: Creating Aggregator signer certs
command: >
oc adm ca create-signer-cert
--cert=/etc/origin/master/front-proxy-ca.crt
--key=/etc/origin/master/front-proxy-ca.key
--serial=/etc/origin/master/ca.serial.txt
# oc_adm_ca_server_cert:
# cert: /etc/origin/master/front-proxy-ca.crt
# key: /etc/origin/master/front-proxy-ca.key
- name: Create api-client config for Aggregator
command: >
oc adm create-api-client-config
--certificate-authority=/etc/origin/master/front-proxy-ca.crt
--signer-cert=/etc/origin/master/front-proxy-ca.crt
--signer-key=/etc/origin/master/front-proxy-ca.key
--user aggregator-front-proxy
--client-dir=/etc/origin/master
--signer-serial=/etc/origin/master/ca.serial.txt
- name: Update master config
yedit:
state: present
src: /etc/origin/master/master-config.yaml
edits:
- key: aggregatorConfig.proxyClientInfo.certFile
value: aggregator-front-proxy.crt
- key: aggregatorConfig.proxyClientInfo.keyFile
value: aggregator-front-proxy.key
- key: authConfig.requestHeader.clientCA
value: front-proxy-ca.crt
- key: authConfig.requestHeader.clientCommonNames
value: [aggregator-front-proxy]
- key: authConfig.requestHeader.usernameHeaders
value: [X-Remote-User]
- key: authConfig.requestHeader.groupHeaders
value: [X-Remote-Group]
- key: authConfig.requestHeader.extraHeaderPrefixes
value: [X-Remote-Extra-]
register: yedit_output
#restart master serially here
- name: restart master
systemd: name={{ openshift.common.service_type }}-master state=restarted
when:
- yedit_output.changed
- openshift.master.ha is not defined or not openshift.master.ha | bool
- name: restart master api
systemd: name={{ openshift.common.service_type }}-master-api state=restarted
when:
- yedit_output.changed
- openshift.master.ha is defined and openshift.master.ha | bool
- openshift.master.cluster_method == 'native'
- name: restart master controllers
systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
when:
- yedit_output.changed
- openshift.master.ha is defined and openshift.master.ha | bool
- openshift.master.cluster_method == 'native'
- name: Verify API Server
# Using curl here since the uri module requires python-httplib2 and
# wait_for port doesn't provide health information.
command: >
curl --silent --tlsv1.2
{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
--cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
{% else %}
--cacert {{ openshift.common.config_base }}/master/ca.crt
{% endif %}
{{ openshift.master.api_url }}/healthz/ready
args:
# Disables the following warning:
# Consider using get_url or uri module rather than running curl
warn: no
register: api_available_output
until: api_available_output.stdout == 'ok'
retries: 120
delay: 1
changed_when: false
when:
- yedit_output.changed
|