diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-12-04 09:51:44 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-04 09:51:44 -0800 |
commit | 411235245c903be9e12790444f2f4cfae5ca7ef0 (patch) | |
tree | c04a172511053513a2c15ced0b703336b0afaa28 /playbooks/openshift-hosted/private/redeploy-router-certificates.yml | |
parent | 2eecb801febfefcc54ce01189e82e2c89027f519 (diff) | |
parent | 0b80aca421a89b10a8254f03e1339d1ddfbd54f1 (diff) | |
download | openshift-411235245c903be9e12790444f2f4cfae5ca7ef0.tar.gz openshift-411235245c903be9e12790444f2f4cfae5ca7ef0.tar.bz2 openshift-411235245c903be9e12790444f2f4cfae5ca7ef0.tar.xz openshift-411235245c903be9e12790444f2f4cfae5ca7ef0.zip |
Merge pull request #6324 from mtnbikenc/consolidate-redeploy-certificates
Automatic merge from submit-queue.
Playbook Consolidation - Redeploy Certificates
This PR moves the certificate redeploy playbooks out of {byo,common}/openshift-cluster and into their respective component areas.
- playbooks/openshift-etcd (redeploy-certificates.yml, redeploy-ca.yml)
- playbooks/openshift-master (redeploy-certificates.yml, redeploy-openshift-ca.yml)
- playbooks/openshift-node (redeploy-certificates.yml)
- playbooks/openshift-hosted (redeploy-registry-certificates.yml, redeploy-router-certificates.yml)
playbooks/byo/openshift-cluster/redeploy-certificates.yml was moved to
playbooks/redeploy-certificates.yml
Trello: https://trello.com/c/zCz6RIHM/578-2-playbook-consolidation-openshift-cluster-redeploy-certificates
Diffstat (limited to 'playbooks/openshift-hosted/private/redeploy-router-certificates.yml')
-rw-r--r-- | playbooks/openshift-hosted/private/redeploy-router-certificates.yml | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml new file mode 100644 index 000000000..2116c745c --- /dev/null +++ b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml @@ -0,0 +1,141 @@ +--- +- name: Update router certificates + hosts: oo_first_master + vars: + roles: + - lib_openshift + tasks: + - name: Create temp directory for kubeconfig + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: router_cert_redeploy_tempdir + changed_when: false + + - name: Copy admin client config(s) + command: > + cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig + changed_when: false + + - name: Determine if router exists + command: > + {{ openshift.common.client_binary }} get dc/router -o json + --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig + -n default + register: l_router_dc + failed_when: false + changed_when: false + + - name: Determine if router service exists + command: > + {{ openshift.common.client_binary }} get svc/router -o json + --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig + -n default + register: l_router_svc + failed_when: false + changed_when: false + + - name: Collect router environment variables and secrets + set_fact: + router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env'] + | oo_collect('name')) + | default([]) }}" + router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes'] + | oo_collect('secret') + | oo_collect('secretName')) + | default([]) }}" + changed_when: false + when: l_router_dc.rc == 0 + + - name: Collect router service annotations + set_fact: + router_service_annotations: "{{ (l_router_svc.stdout | from_json)['metadata']['annotations'] if 'annotations' in (l_router_svc.stdout | from_json)['metadata'] else [] }}" + when: l_router_svc.rc == 0 + + - name: Update router environment variables + shell: > + {{ openshift.common.client_binary }} env dc/router + OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)" + OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)" + OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)" + --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig + -n default + when: + - l_router_dc.rc == 0 + - ('OPENSHIFT_CA_DATA' in router_env_vars) + - ('OPENSHIFT_CERT_DATA' in router_env_vars) + - ('OPENSHIFT_KEY_DATA' in router_env_vars) + + # When the router service contains service signer annotations we + # will delete the existing certificate secret and allow OpenShift to + # replace the secret. + - block: + - name: Delete existing router certificate secret + oc_secret: + kubeconfig: "{{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig" + name: router-certs + namespace: default + state: absent + run_once: true + + - name: Remove router service annotations + command: > + {{ openshift.common.client_binary }} annotate service/router + service.alpha.openshift.io/serving-cert-secret-name- + service.alpha.openshift.io/serving-cert-signed-by- + --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig + -n default + + - name: Add serving-cert-secret annotation to router service + command: > + {{ openshift.common.client_binary }} annotate service/router + service.alpha.openshift.io/serving-cert-secret-name=router-certs + --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig + -n default + when: + - l_router_dc.rc == 0 + - l_router_svc.rc == 0 + - ('router-certs' in router_secrets) + - openshift_hosted_router_certificate is undefined + - ('service.alpha.openshift.io/serving-cert-secret-name') in router_service_annotations + - ('service.alpha.openshift.io/serving-cert-signed-by') in router_service_annotations + + # When there are no annotations on the router service we will allow + # the openshift_hosted role to either create a new wildcard + # certificate (since we deleted the original) or reapply a custom + # openshift_hosted_router_certificate. + - file: + path: "{{ item }}" + state: absent + with_items: + - /etc/origin/master/openshift-router.crt + - /etc/origin/master/openshift-router.key + when: + - l_router_dc.rc == 0 + - l_router_svc.rc == 0 + - ('router-certs' in router_secrets) + - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations + - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations + + - include_role: + name: openshift_hosted + tasks_from: main + vars: + openshift_hosted_manage_registry: false + when: + - l_router_dc.rc == 0 + - l_router_svc.rc == 0 + - ('router-certs' in router_secrets) + - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations + - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations + + - name: Redeploy router + command: > + {{ openshift.common.client_binary }} deploy dc/router + --latest + --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig + -n default + + - name: Delete temp directory + file: + name: "{{ router_cert_redeploy_tempdir.stdout }}" + state: absent + changed_when: False |