Diffstat (limited to 'playbooks')
-rw-r--r--playbooks/common/openshift-master/config.yml101
-rw-r--r--playbooks/common/openshift-node/config.yml70
2 files changed, 157 insertions, 14 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index c6fac2870..8ed62a7f1 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -156,6 +156,85 @@
- master.etcd-ca.crt
when: etcd_client_certs_missing is defined and etcd_client_certs_missing
+- name: Determine if master certificates need to be generated
+ hosts: oo_first_master:oo_masters_to_config
+ tasks:
+ - set_fact:
+ openshift_master_certs_no_etcd:
+ - admin.crt
+ - master.kubelet-client.crt
+ - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+ - master.server.crt
+ - openshift-master.crt
+ - openshift-registry.crt
+ - openshift-router.crt
+ - etcd.server.crt
+ openshift_master_certs_etcd:
+ - master.etcd-client.crt
+
+ - set_fact:
+ openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}"
+
+ - name: Check status of master certificates
+ stat:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ with_items: "{{ openshift_master_certs }}"
+ register: g_master_cert_stat_result
+ - set_fact:
+ master_certs_missing: "{{ False in (g_master_cert_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list ) }}"
+ master_cert_subdir: master-{{ openshift.common.hostname }}
+ master_cert_config_dir: "{{ openshift.common.config_base }}/master"
+ - set_fact:
+ openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_nodes_with_label('region', 'infra')
+ | oo_collect('inventory_hostname') }}"
+ when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0
+
+- name: Configure master certificates
+ hosts: oo_first_master
+ vars:
+ master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs"
+ masters_needing_certs: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
+ | oo_filter_list(filter_attr='master_certs_missing') }}"
+ master_hostnames: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect('openshift.common.all_hostnames')
+ | oo_flatten | unique }}"
+ sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
+ openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+ roles:
+ - openshift_master_certificates
+ post_tasks:
+ - name: Remove generated etcd client certs when using external etcd
+ file:
+ path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
+ state: absent
+ when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
+ with_nested:
+ - "{{ masters_needing_certs | default([]) }}"
+ - - master.etcd-client.crt
+ - master.etcd-client.key
+
+ - name: Create a tarball of the master certs
+ command: >
+ tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz
+ -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} .
+ args:
+ creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
+ with_items: "{{ masters_needing_certs | default([]) }}"
+
+ - name: Retrieve the master cert tarball from the master
+ fetch:
+ src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
+ dest: "{{ sync_tmpdir }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ with_items: "{{ masters_needing_certs | default([]) }}"
+
- name: Check for cached session secrets
hosts: oo_first_master
roles:
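Review bot: The `creates:` guard on the tar task (`creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"`) means that once an archive exists on the first master it is never rebuilt, so a later run in which the role re-issues a master's certificates would fetch and deploy the stale archive. Dropping `creates:` or deleting the archive right after the fetch avoids that, and deleting it is also the safer choice because the tarball bundles every private key for that master and is written into `generated-configs` with the default umask rather than an explicit restrictive mode. A loop over `masters_needing_certs` with `file: path: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz" state: absent` after the fetch task covers both; the fetched copy also remains in `sync_tmpdir` on the control host unless a play outside this hunk cleans it up.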
@@ -256,17 +335,19 @@
}}"
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
+ pre_tasks:
+ - name: Ensure certificate directory exists
+ file:
+ path: "{{ openshift.common.config_base }}/master"
+ state: directory
+ when: master_certs_missing | bool and 'oo_first_master' not in group_names
+ - name: Unarchive the tarball on the master
+ unarchive:
+ src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"
+ dest: "{{ master_cert_config_dir }}"
+ when: master_certs_missing | bool and 'oo_first_master' not in group_names
roles:
- - role: openshift_master
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_master_etcd_hosts: "{{ hostvars
- | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
- | oo_collect('openshift.common.hostname')
- | default(none, true) }}"
- openshift_master_hostnames: "{{ hostvars
- | oo_select_keys(groups['oo_masters_to_config'] | default([]))
- | oo_collect('openshift.common.all_hostnames')
- | oo_flatten | unique }}"
+ - openshift_master
- role: nickhammond.logrotate
- role: nuage_master
when: openshift.common.use_nuage | bool
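Review bot: The unarchive task (`src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"`) extracts the private keys with whatever owner and mode are stored in the archive and sets no `mode`/`owner` of its own, so the permissions that end up under `master_cert_config_dir` depend entirely on how the generating role wrote them on the first master, which is not visible here. A follow-up `file` task that enforces root ownership and `0600` on the extracted `*.key` files would make the result independent of that, or at minimum a comment such as `# archive is expected to carry 0600 key modes from the first master — verify` should record the assumption. The same `when:` is repeated on both pre_tasks; if the targeted Ansible version supports it, a `block:` with a single `when:` keeps them from drifting apart. This play's header and `vars:` begin outside the hunk.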
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 9c9aa779a..5e92b5cbd 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -19,6 +19,23 @@
labels: "{{ openshift_node_labels | default(None) }}"
annotations: "{{ openshift_node_annotations | default(None) }}"
schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
+ - name: Check status of node certificates
+ stat:
+ path: "{{ openshift.common.config_base }}/node/{{ item }}"
+ with_items:
+ - "system:node:{{ openshift.common.hostname }}.crt"
+ - "system:node:{{ openshift.common.hostname }}.key"
+ - "system:node:{{ openshift.common.hostname }}.kubeconfig"
+ - ca.crt
+ - server.key
+ - server.crt
+ register: stat_result
+ - set_fact:
+ certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists')
+ | list | intersect([false])}}"
+ node_subdir: node-{{ openshift.common.hostname }}
+ config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}"
+ node_cert_dir: "{{ openshift.common.config_base }}/node"
- name: Create temp directory for syncing certs
hosts: localhost
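Review bot: `certs_missing` is set to a list (`... | list | intersect([false])`) rather than a boolean, so the later `when: certs_missing` on the deploy play and the `oo_filter_list(filter_attr='certs_missing')` selection rely on Ansible turning the templated string `[]` back into an empty, falsy list, which is brittle and inconsistent with `master_certs_missing` in the master playbook of this same change, which uses `False in (...)`. Using the same boolean form here, `certs_missing: "{{ False in (stat_result.results | oo_collect(attribute='stat.exists') | list) }}"`, together with `when: certs_missing | bool` at the unarchive step, keeps the two playbooks consistent and removes the dependence on string-to-list coercion. The play these tasks belong to starts outside the hunk.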
@@ -31,6 +48,53 @@
register: mktemp
changed_when: False
+- name: Create node certificates
+ hosts: oo_first_master
+ vars:
+ nodes_needing_certs: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config']
+ | default([]))
+ | oo_filter_list(filter_attr='certs_missing') }}"
+ sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
+ roles:
+ - openshift_node_certificates
+ post_tasks:
+ - name: Create a tarball of the node config directories
+ command: >
+ tar -czvf {{ item.config_dir }}.tgz
+ --transform 's|system:{{ item.node_subdir }}|node|'
+ -C {{ item.config_dir }} .
+ args:
+ creates: "{{ item.config_dir }}.tgz"
+ with_items: "{{ nodes_needing_certs | default([]) }}"
+
+ - name: Retrieve the node config tarballs from the master
+ fetch:
+ src: "{{ item.config_dir }}.tgz"
+ dest: "{{ sync_tmpdir }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ with_items: "{{ nodes_needing_certs | default([]) }}"
+
+- name: Deploy node certificates
+ hosts: oo_nodes_to_config
+ vars:
+ sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
+ tasks:
+ - name: Ensure certificate directory exists
+ file:
+ path: "{{ node_cert_dir }}"
+ state: directory
+ # TODO: notify restart node
+ # possibly test service started time against certificate/config file
+ # timestamps in node to trigger notify
+ - name: Unarchive the tarball on the node
+ unarchive:
+ src: "{{ sync_tmpdir }}/{{ node_subdir }}.tgz"
+ dest: "{{ node_cert_dir }}"
+ when: certs_missing
+
- name: Evaluate node groups
hosts: localhost
become: no
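Review bot: The node archives hold each node's private key, and after the `fetch` task a copy of every one of them sits in `sync_tmpdir` on the control host while the original `.tgz` stays in `generated-configs` on the first master; nothing in this hunk removes either, and the `creates:` guard on the tar task means a pre-existing archive is reused even after a node's certificates have been regenerated. Removing the archive on the master once it has been fetched (a `file: path: "{{ item.config_dir }}.tgz" state: absent` loop over `nodes_needing_certs`) addresses both, and the control-host copies should be removed after the `Deploy node certificates` play unless a play outside this hunk already does so. In that play the directory task runs unconditionally while the unarchive has `when: certs_missing`; that is harmless but a short comment, `# directory is always ensured; only missing certs trigger the unpack`, would make the asymmetry deliberate. The TODO about restarting the node service is worth keeping prominent, since a node whose files were replaced presumably keeps using the previously loaded certificates until it restarts.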
@@ -76,8 +140,7 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
- - role: openshift_node
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ - openshift_node
- name: Configure node instances
hosts: oo_nodes_to_config:!oo_containerized_master_nodes
@@ -93,8 +156,7 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
- - role: openshift_node
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ - openshift_node
- name: Gather and set facts for flannel certificatess
hosts: oo_nodes_to_config