From 917e871843192b107776ce8459b87f3960e455ed Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Wed, 26 Oct 2016 14:59:05 -0400
Subject: Restructure certificate redeploy playbooks

---
 roles/etcd_ca/tasks/main.yml                       |  3 +-
 roles/etcd_server_certificates/tasks/main.yml      |  1 +
 roles/openshift_ca/tasks/main.yml                  | 24 ++++++++++------
 roles/openshift_master/templates/master.yaml.v1.j2 |  8 ++++++
 roles/openshift_master_certificates/tasks/main.yml | 10 +++++++
 .../openshift_node_certificates/handlers/main.yml  |  1 +
 roles/openshift_node_certificates/tasks/main.yml   | 32 ++++++++++++++--------
 7 files changed, 59 insertions(+), 20 deletions(-)


diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml
index c4d5efa14..b4dea4a07 100644
--- a/roles/etcd_ca/tasks/main.yml
+++ b/roles/etcd_ca/tasks/main.yml
@@ -60,7 +60,8 @@
   delegate_to: "{{ etcd_ca_host }}"
   run_once: true
 
-- command: >
+- name: Create etcd CA certificate
+  command: >
     openssl req -config {{ etcd_openssl_conf }} -newkey rsa:4096
     -keyout {{ etcd_ca_key }} -new -out {{ etcd_ca_cert }}
     -x509 -extensions {{ etcd_ca_exts_self }} -batch -nodes
diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml
index 1acdf1c85..242c1e997 100644
--- a/roles/etcd_server_certificates/tasks/main.yml
+++ b/roles/etcd_server_certificates/tasks/main.yml
@@ -58,6 +58,7 @@
                  ~ etcd_cert_prefix ~ 'server.crt' }}"
   environment:
     SAN: "IP:{{ etcd_ip }}"
+  when: etcd_server_certs_missing | bool
   delegate_to: "{{ etcd_ca_host }}"
 
 - name: Create the peer csr
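Review bot: The added `when:` only gates the signing command, and `etcd_server_certs_missing | bool` aborts the play with an undefined-variable error on any host where that fact has not been set, rather than evaluating to false; `when: etcd_server_certs_missing | default(false) | bool` fails closed instead. The CSR-creation step feeding this task and the peer CSR task at the bottom of the hunk presumably need the same guard, otherwise a CSR is regenerated for a certificate that is never re-signed. The task itself begins above the hunk, so its existing conditions, if any, are not visible here.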
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e21397170..4efc77f11 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -41,10 +41,9 @@
   run_once: true
 
 - set_fact:
-    master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
-                           else False in (g_master_ca_stat_result.results
-                                         | oo_collect(attribute='stat.exists')
-                                         | list) }}"
+    master_ca_missing: "{{ False in (g_master_ca_stat_result.results
+                                     | oo_collect(attribute='stat.exists')
+                                     | list) }}"
   run_once: true
 
 - name: Retain original serviceaccount keys
@@ -61,7 +60,6 @@
   copy:
     src: "{{ item.src }}"
     dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
-    force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}"
   with_items:
   - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
     dest: ca.crt
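Review bot: Dropping the `force:` line does not make this copy conditional: Ansible's `copy` module defaults to `force: yes`, so an existing `ca.crt` under `openshift_ca_config_dir` (and any other entry in the `with_items` list that continues below the hunk) is now overwritten whenever the operator-supplied file differs, on every run rather than only when `openshift_certificates_redeploy_ca` is set. If the intended behaviour is "install only when absent", keep an explicit `force: false`; if the task's `when` (outside the hunk) is meant to cover it, say so. A one-line comment above the task stating which behaviour is intended, e.g. `# Always sync the operator-supplied CA into the config dir (copy's default force=yes)`, would stop the next reader asking the same question.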
@@ -73,25 +71,35 @@
 
 - name: Create ca serial
   copy:
-    content: "1"
+    content: "00"
     dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-    force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}"
+    force: "{{ openshift_certificates_redeploy | default(false) | bool }}"
   when: openshift_master_ca_certificate is defined
   delegate_to: "{{ openshift_ca_host }}"
   run_once: true
 
+- find:
+    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
+    patterns: ".*-ca.crt"
+    use_regex: true
+  register: g_master_legacy_ca_result
+
+# This should NOT replace the CA due to --overwrite=false when a CA already exists.
 - name: Create the master certificates if they do not already exist
   command: >
     {{ openshift.common.client_binary }} adm create-master-certs
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
     --certificate-authority {{ named_ca_certificate }}
     {% endfor %}
+    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
+    --certificate-authority {{ legacy_ca_certificate }}
+    {% endfor %}
     --hostnames={{ openshift.common.all_hostnames | join(',') }}
     --master={{ openshift.master.api_url }}
     --public-master={{ openshift.master.public_api_url }}
     --cert-dir={{ openshift_ca_config_dir }}
     --overwrite=false
-  when: master_ca_missing | bool
+  when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
   delegate_to: "{{ openshift_ca_host }}"
   run_once: true
 
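Review bot: The new `find` at the top of the hunk runs on every play host against its own filesystem and is neither delegated nor `run_once`, while the `create-master-certs` task that consumes `g_master_legacy_ca_result` is delegated to `openshift_ca_host` with `run_once: true`; the legacy CAs it passes as `--certificate-authority` therefore come from whichever host Ansible schedules first, not from the CA host's `legacy-ca/` directory. The same lookup in the master and node certificate roles in this patch is delegated, so add `delegate_to: "{{ openshift_ca_host }}"` and `run_once: true` here for consistency. Separately, `patterns: ".*-ca.crt"` with `use_regex: true` has an unescaped dot and no end anchor, so it also matches names such as `foo-ca-crt` or `x-ca.crtbak`; `patterns: '.*-ca\.crt$'` matches only the intended files. Giving the task a `name:` would also make it appear in the play output alongside the named tasks around it.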
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index cf7ceacff..9ae54dac1 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -102,7 +102,11 @@ imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level
 kind: MasterConfig
 kubeletClientInfo:
 {# TODO: allow user specified kubelet port #}
+{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+  ca: ca-bundle.crt
+{% else %}
   ca: ca.crt
+{% endif %}
   certFile: master.kubelet-client.crt
   keyFile: master.kubelet-client.key
   port: 10250
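Review bot: Both template hunks point the kubelet client CA and (in the `servingInfo` hunk below) the API server `clientCA` at `ca-bundle.crt` on 3.2+/1.2+, but nothing in this patch shows that file being written, so a master whose certificates were generated before this change and not redeployed would reference a file that may not exist; if `adm create-master-certs` emits it on those versions, a template comment such as `{# ca-bundle.crt is produced by create-master-certs on 3.2+/1.2+ and includes the legacy CAs #}` would document the dependency. Because the bundle presumably carries the CAs collected from `legacy-ca/`, client certificates signed by a retired CA remain accepted until the bundle is pruned, which is worth a sentence in the redeploy documentation. The same `{% if openshift.common.version_gte_3_2_or_1_2 | bool %}` block is repeated in the second hunk; setting one variable at the top of the template and using it in both places avoids the duplicated version check.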
@@ -221,7 +225,11 @@ servingInfo:
   bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.api_port }}
   bindNetwork: tcp4
   certFile: master.server.crt
+{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+  clientCA: ca-bundle.crt
+{% else %}
   clientCA: ca.crt
+{% endif %}
   keyFile: master.server.key
   maxRequestsInFlight: {{ openshift.master.max_requests_inflight }}
   requestTimeoutSeconds: 3600
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index 4620dd877..7a5ed51ec 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -38,12 +38,22 @@
   when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
   delegate_to: "{{ openshift_ca_host }}"
 
+- find:
+    paths: "{{ openshift_master_config_dir }}/legacy-ca/"
+    patterns: ".*-ca.crt"
+    use_regex: true
+  register: g_master_legacy_ca_result
+  delegate_to: "{{ openshift_ca_host }}"
+
 - name: Create the master server certificate
   command: >
     {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
     --certificate-authority {{ named_ca_certificate }}
     {% endfor %}
+    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
+    --certificate-authority {{ legacy_ca_certificate }}
+    {% endfor %}
     --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
     --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
     --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
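Review bot: The `find` task is unnamed and its `patterns: ".*-ca.crt"` is evaluated as a regex with an unescaped dot and no end anchor, so `foo-ca-crt` or `x-ca.crtbak` also match; `patterns: '.*-ca\.crt$'` is tighter. The legacy-ca path is `{{ openshift_master_config_dir }}/legacy-ca/` here but `{{ openshift.common.config_base }}/master/legacy-ca/` in the CA and node roles of this same patch; if those two variables can diverge, the three lookups read different directories. The find also runs unconditionally, whereas the signing command that uses its result is presumably gated by `master_certs_missing` (its `when` lies outside the hunk); a `name: Find legacy CA certificates` plus the same guard would keep the role's output consistent.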
diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml
index a74668b13..1aa826c09 100644
--- a/roles/openshift_node_certificates/handlers/main.yml
+++ b/roles/openshift_node_certificates/handlers/main.yml
@@ -8,3 +8,4 @@
   systemd:
     name: docker
     state: restarted
+  when: not openshift_certificates_redeploy | default(false) | bool
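Review bot: Skipping the docker restart whenever `openshift_certificates_redeploy` is set leaves the node running on its previous certificates until something else restarts it, and nothing in this hunk says where that happens. A comment above the new line naming the responsible playbook, e.g. `# During a redeploy the restart is performed by the redeploy playbook, not this handler`, would stop a later reader from removing the guard as dead weight. The handler starts above the hunk.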
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index a263f4f3a..4cb89aba2 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -42,20 +42,30 @@
   when: node_certs_missing | bool
   delegate_to: "{{ openshift_ca_host }}"
 
+- find:
+    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
+    patterns: ".*-ca.crt"
+    use_regex: true
+  register: g_master_legacy_ca_result
+  delegate_to: "{{ openshift_ca_host }}"
+
 - name: Generate the node client config
   command: >
     {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
-      {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
-      --certificate-authority {{ named_ca_certificate }}
-      {% endfor %}
-      --certificate-authority={{ openshift_ca_cert }}
-      --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
-      --groups=system:nodes
-      --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
-      --signer-cert={{ openshift_ca_cert }}
-      --signer-key={{ openshift_ca_key }}
-      --signer-serial={{ openshift_ca_serial }}
-      --user=system:node:{{ hostvars[item].openshift.common.hostname }}
+    {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+    --certificate-authority {{ named_ca_certificate }}
+    {% endfor %}
+    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
+    --certificate-authority {{ legacy_ca_certificate }}
+    {% endfor %}
+    --certificate-authority={{ openshift_ca_cert }}
+    --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
+    --groups=system:nodes
+    --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
+    --signer-cert={{ openshift_ca_cert }}
+    --signer-key={{ openshift_ca_key }}
+    --signer-serial={{ openshift_ca_serial }}
+    --user=system:node:{{ hostvars[item].openshift.common.hostname }}
   args:
     creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
   with_items: "{{ hostvars
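Review bot: The `creates:` guard below the command (`creates: "{{ openshift_generated_configs_dir }}/node-..."`) means `create-api-client-config` is skipped whenever the generated node directory already exists, so the new legacy-CA flags only take effect for nodes whose generated config was removed first; if the redeploy playbook clears that directory beforehand, a comment on the task saying so, e.g. `# Regeneration relies on the redeploy playbook removing the generated node config first`, would make the dependency visible. The `find` task is unnamed and, like its siblings in this patch, uses an unanchored regex with an unescaped dot; `patterns: '.*-ca\.crt$'` is tighter. The task's `with_items` continues past the end of the hunk.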