summaryrefslogtreecommitdiffstats
path: root/playbooks/common/openshift-cluster/redeploy-certificates.yml
diff options
context:
space:
mode:
Diffstat (limited to 'playbooks/common/openshift-cluster/redeploy-certificates.yml')
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates.yml250
1 files changed, 0 insertions, 250 deletions
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates.yml b/playbooks/common/openshift-cluster/redeploy-certificates.yml
deleted file mode 100644
index a0e3f1d8a..000000000
--- a/playbooks/common/openshift-cluster/redeploy-certificates.yml
+++ /dev/null
@@ -1,250 +0,0 @@
----
-- include: evaluate_groups.yml
-
-- include: initialize_facts.yml
-
-- include: initialize_openshift_version.yml
-
-- name: Load openshift_facts
- hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
- roles:
- - openshift_facts
-
-- name: Redeploy etcd certificates
- hosts: oo_etcd_to_config
- any_errors_fatal: true
- vars:
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- etcd_conf_dir: /etc/etcd
- etcd_generated_certs_dir: "{{ etcd_conf_dir }}/generated_certs"
-
- pre_tasks:
- - stat:
- path: "{{ etcd_generated_certs_dir }}"
- register: etcd_generated_certs_dir_stat
- - name: Backup etcd certificates
- command: >
- tar -czvf /etc/etcd/etcd-certificate-backup-{{ ansible_date_time.epoch }}.tgz
- {{ etcd_conf_dir }}/ca.crt
- {{ etcd_conf_dir }}/ca
- {{ etcd_generated_certs_dir }}
- when: etcd_generated_certs_dir_stat.stat.exists
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
- - name: Remove existing etcd certificates
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ etcd_conf_dir }}/ca.crt"
- - "{{ etcd_conf_dir }}/ca"
- - "{{ etcd_generated_certs_dir }}"
- roles:
- - role: openshift_etcd_server_certificates
- etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
- etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
- etcd_certificates_redeploy: true
-
-- name: Redeploy master certificates
- hosts: oo_masters_to_config
- any_errors_fatal: true
- vars:
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
- pre_tasks:
- # set_fact task copied from playbooks/common/openshift-master/config.yml
- # so that openshift_master_default_subdomain has a default value of ""
- # (emptry string). openshift_master_default_subdomain must have a default
- # value for openshift_master_facts to set metrics_public_url.
- # TODO: clean this up.
- - set_fact:
- openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
- when: openshift_master_default_subdomain is not defined
- - stat:
- path: "{{ openshift_generated_configs_dir }}"
- register: openshift_generated_configs_dir_stat
- - name: Backup generated certificate and config directories
- command: >
- tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
- {{ openshift_generated_configs_dir }}
- {{ openshift.common.config_base }}/master
- when: openshift_generated_configs_dir_stat.stat.exists
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
- - name: Remove generated certificate directories
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ openshift_generated_configs_dir }}"
- - name: Remove generated certificates
- file:
- path: "{{ openshift.common.config_base }}/master/{{ item }}"
- state: absent
- with_items:
- - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false) }}"
- - "etcd.server.crt"
- - "etcd.server.key"
- - "master.etcd-client.crt"
- - "master.etcd-client.key"
- - "master.server.crt"
- - "master.server.key"
- - "openshift-master.crt"
- - "openshift-master.key"
- - "openshift-master.kubeconfig"
- - name: Remove CA certificate
- file:
- path: "{{ openshift.common.config_base }}/master/{{ item }}"
- state: absent
- when: openshift_certificates_redeploy_ca | default(false) | bool
- with_items:
- - "ca.crt"
- - "ca.key"
- - "ca.serial.txt"
- - "ca-bundle.crt"
- roles:
- - role: openshift_master_certificates
- openshift_master_etcd_hosts: "{{ hostvars
- | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
- | oo_collect('openshift.common.hostname')
- | default(none, true) }}"
- openshift_certificates_redeploy: true
- - role: openshift_etcd_client_certificates
- etcd_certificates_redeploy: true
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
- etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
- etcd_cert_prefix: "master.etcd-"
- when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
-
-- name: Redeploy node certificates
- hosts: oo_nodes_to_config
- any_errors_fatal: true
- pre_tasks:
- - name: Remove CA certificate
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ openshift.common.config_base }}/node/ca.crt"
- roles:
- - role: openshift_node_certificates
- openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_certificates_redeploy: true
-
-- name: Restart etcd
- hosts: oo_etcd_to_config
- tasks:
- - name: restart etcd
- service:
- name: "{{ 'etcd' if not openshift.common.is_containerized | bool else 'etcd_container' }}"
- state: restarted
-
-- name: Stop master services
- hosts: oo_masters_to_config
- vars:
- openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
- tasks:
- - name: stop master
- service: name={{ openshift.common.service_type }}-master state=stopped
- when: not openshift_master_ha | bool
- - name: stop master api
- service: name={{ openshift.common.service_type }}-master-api state=stopped
- when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
- - name: stop master controllers
- service: name={{ openshift.common.service_type }}-master-controllers state=stopped
- when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
-
-- name: Start master services
- hosts: oo_masters_to_config
- serial: 1
- vars:
- openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
- tasks:
- - name: start master
- service: name={{ openshift.common.service_type }}-master state=started
- when: not openshift_master_ha | bool
- - name: start master api
- service: name={{ openshift.common.service_type }}-master-api state=started
- when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
- - name: start master controllers
- service: name={{ openshift.common.service_type }}-master-controllers state=started
- when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
-
-- name: Restart masters (pacemaker)
- hosts: oo_first_master
- vars:
- openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
- tasks:
- - name: restart master
- command: pcs resource restart master
- when: openshift_master_ha | bool and openshift_master_cluster_method == 'pacemaker'
-
-- name: Restart nodes
- hosts: oo_nodes_to_config
- tasks:
- - name: restart node
- service: name={{ openshift.common.service_type }}-node state=restarted
-
-- name: Copy admin client config(s)
- hosts: oo_first_master
- tasks:
- - name: Create temp directory for kubeconfig
- command: mktemp -d /tmp/openshift-ansible-XXXXXX
- register: mktemp
- changed_when: False
-
- - name: Copy admin client config(s)
- command: >
- cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
- changed_when: False
-
-- name: Serially drain all nodes to trigger redeployments
- hosts: oo_nodes_to_config
- serial: 1
- any_errors_fatal: true
- tasks:
- - name: Determine if node is currently scheduleable
- command: >
- {{ openshift.common.client_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
- get node {{ openshift.node.nodename }} -o json
- register: node_output
- when: openshift_certificates_redeploy_ca | default(false) | bool
- delegate_to: "{{ groups.oo_first_master.0 }}"
- changed_when: false
-
- - set_fact:
- was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}"
- when: openshift_certificates_redeploy_ca | default(false) | bool
-
- - name: Prepare for node draining
- command: >
- {{ openshift.common.client_binary }} adm --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
- manage-node {{ openshift.node.nodename }}
- --schedulable=false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
-
- - name: Drain node
- command: >
- {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
- drain {{ openshift.node.nodename }} --force --delete-local-data
- delegate_to: "{{ groups.oo_first_master.0 }}"
- when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
-
- - name: Set node schedulability
- command: >
- {{ openshift.common.client_binary }} adm --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
- manage-node {{ openshift.node.nodename }} --schedulable=true
- delegate_to: "{{ groups.oo_first_master.0 }}"
- when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
-
-- name: Delete temporary directory
- hosts: oo_first_master
- tasks:
- - name: Delete temp directory
- file:
- name: "{{ mktemp.stdout }}"
- state: absent
- changed_when: False
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-02 03:23:17 +0000