diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2018-01-25 17:27:45 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-25 17:27:45 -0800 |
commit | a97704f4db140037a67aeb2ca45254e4ecffed6e (patch) | |
tree | a7575bff0a2d8fff0bef01d96007b5685d9c3b47 /playbooks/common/openshift-cluster/upgrades | |
parent | 962f186bcf0ffa56d1dacfbbfe79e6d76d6e8bbd (diff) | |
parent | 5e3dc7116fd6f0d1600906be00654ea8e0fd43a2 (diff) | |
download | openshift-a97704f4db140037a67aeb2ca45254e4ecffed6e.tar.gz openshift-a97704f4db140037a67aeb2ca45254e4ecffed6e.tar.bz2 openshift-a97704f4db140037a67aeb2ca45254e4ecffed6e.tar.xz openshift-a97704f4db140037a67aeb2ca45254e4ecffed6e.zip |
Merge pull request #6859 from abutcher/bz1536217
Automatic merge from submit-queue.
Bug 1536217: Need to validate etcd serving certs before 3.9 upgrade
Diffstat (limited to 'playbooks/common/openshift-cluster/upgrades')
-rw-r--r-- | playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml | 22 | ||||
-rw-r--r-- | playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml | 24 |
2 files changed, 46 insertions, 0 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml index 693ab2d96..5ee8a9d78 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml @@ -92,3 +92,25 @@ state: started enabled: yes with_items: "{{ master_services }}" + +# Until openshift-ansible is determining which host is the CA host we +# must (unfortunately) ensure that the first host in the etcd group is +# the etcd CA host. +# https://bugzilla.redhat.com/show_bug.cgi?id=1469358 +- name: Verify we can proceed on first etcd + hosts: oo_first_etcd + gather_facts: no + tasks: + - name: Ensure CA exists on first etcd + stat: + path: /etc/etcd/generated_certs + register: __etcd_ca_stat + + - fail: + msg: > + In order to correct an etcd certificate signing problem + upgrading may require re-generating etcd certificates. Please + ensure that the /etc/etcd/generated_certs directory exists on + the first host defined in your [etcd] group. + when: + - not __etcd_ca_stat.stat.exists | bool diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index 080372c81..a10fd4bee 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -2,6 +2,30 @@ ############################################################################### # Upgrade Masters ############################################################################### + +# Prior to 3.6, openshift-ansible created etcd serving certificates +# without a SubjectAlternativeName entry for the system hostname. The +# SAN list in Go 1.8 is now (correctly) authoritative and since +# openshift-ansible configures masters to talk to etcd hostnames +# rather than IP addresses, we must correct etcd certificates. +# +# This play examines the etcd serving certificate SANs on each etcd +# host and records whether or not the system hostname is missing. +- name: Examine etcd serving certificate SAN + hosts: oo_etcd_to_config + tasks: + - slurp: + src: /etc/etcd/server.crt + register: etcd_serving_cert + - set_fact: + __etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}" + +# Redeploy etcd certificates when hostnames were missing from etcd +# serving certificate SANs. +- import_playbook: ../../../openshift-etcd/redeploy-certificates.yml + when: + - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) + - name: Backup and upgrade etcd import_playbook: ../../../openshift-etcd/private/upgrade_main.yml |