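---
# Rotates the etcd CA and redistributes it to the etcd and master hosts.
# Plays run in file order; the service-restart imports near the end are
# gated on the expiry results gathered by this first play.
- name: Check cert expirys
  hosts: oo_etcd_to_config:oo_masters_to_config
  vars:
    # Canonical boolean (true/false) instead of yes/no: same value for
    # Ansible's YAML 1.1 loader, unambiguous for other tooling.
    openshift_certificate_expiry_show_all: true
  roles:
    # Sets 'check_results' per host which contains health status for
    # etcd, master and node certificates. We will use 'check_results'
    # to determine if any certificates were expired prior to running
    # this playbook. Service restarts will be skipped if any
    # certificates were previously expired.
    - role: openshift_certificate_expiry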
- name: Backup existing etcd CA certificate directories
  hosts: oo_etcd_to_config
  tasks:
    # Both task files belong to the etcd role (contents not shown here).
    # Order matters: the backup import precedes the removal import, so the
    # current CA directories are copied before they are deleted.
    - import_role:
        name: etcd
        tasks_from: backup_ca_certificates.yml
    - import_role:
        name: etcd
        tasks_from: remove_ca_certificates.yml
# ca.yml (sibling playbook in this directory) is imported only after the old
# CA directories were backed up and removed above; see that file for what it
# generates.
- import_playbook: ca.yml
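- name: Create temp directory for syncing certs
  hosts: localhost
  connection: local
  # Canonical boolean instead of 'no'; identical meaning for Ansible.
  gather_facts: false
  tasks:
    - name: Create local temp directory for syncing certs
      # mktemp -d creates the directory with mode 0700 for the control user.
      # The path is read by later plays via hostvars['localhost'].g_etcd_mktemp.
      local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
      register: g_etcd_mktemp
      # A scratch directory on the control host is not managed state.
      changed_when: false
    - name: Chmod local temp directory for syncing certs
      # NOTE(review): 0777 makes the staging directory world-writable on the
      # control host, so the CA material synced into it could be read or
      # replaced by any local user before the later plays copy ca.crt out of
      # it. A narrower mode is probably sufficient — confirm which user the
      # etcd role's retrieve/distribute tasks run as before tightening it.
      local_action: command chmod 777 "{{ g_etcd_mktemp.stdout }}"
      changed_when: false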
- name: Distribute etcd CA to etcd hosts
  hosts: oo_etcd_to_config
  tasks:
    - import_role:
        name: etcd
        tasks_from: distribute_ca.yml
      vars:
        # Staging directory created on the control host by the
        # 'Create temp directory for syncing certs' play; read through
        # hostvars because this play targets the etcd hosts, not localhost.
        etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
- import_playbook: restart.yml
  # Do not restart etcd when etcd certificates were previously expired.
  # The condition reads the 'check_results' fact set by the
  # openshift_certificate_expiry role in the first play; on an
  # import_playbook it is attached to every task of restart.yml.
  # NOTE(review): this selects groups['etcd'] while the plays above target
  # oo_etcd_to_config — confirm the two groups coincide in this inventory.
  when: ('expired' not in (hostvars
         | lib_utils_oo_select_keys(groups['etcd'])
         | lib_utils_oo_collect('check_results.check_results.etcd')
         | lib_utils_oo_collect('health')))
- name: Retrieve etcd CA certificate
  hosts: oo_first_etcd
  tasks:
    # retrieve_ca_certificates.yml (etcd role, not shown here) is given the
    # control-host staging directory; the next play copies ca.crt from that
    # directory to the masters.
    - import_role:
        name: etcd
        tasks_from: retrieve_ca_certificates.yml
      vars:
        etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
- name: Distribute etcd CA to masters
  hosts: oo_masters_to_config
  vars:
    # NOTE(review): openshift_ca_host is not referenced by the task in this
    # play; confirm whether anything else consumes it before removing it.
    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
  tasks:
    - name: Deploy etcd CA
      # ca.crt comes from the control-host staging directory filled by the
      # previous play and lands next to the master config.
      copy:
        src: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/ca.crt"
        dest: "{{ openshift.common.config_base }}/master/master.etcd-ca.crt"
      # Skipped when the oo_etcd_to_config group is empty or undefined.
      when: groups.oo_etcd_to_config | default([]) | length > 0
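- name: Delete temporary directory on localhost
  hosts: localhost
  connection: local
  # Canonical boolean instead of 'no'; identical meaning for Ansible.
  gather_facts: false
  tasks:
    # Removes the staging directory, and with it the CA material synced into
    # it; g_etcd_mktemp was registered on localhost earlier in this playbook.
    - name: Remove local temp directory used for syncing certs
      file:
        # 'path' is the file module's canonical parameter ('name' is an alias).
        path: "{{ g_etcd_mktemp.stdout }}"
        state: absent
      changed_when: false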
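- import_playbook: ../../openshift-master/private/restart.yml
  # Do not restart masters when master or etcd certificates were previously expired.
  # All three list entries must hold (Ansible ANDs a 'when' list) and the
  # condition is applied to every task of the imported playbook. Each entry
  # reads the 'check_results' fact set by the openshift_certificate_expiry
  # role in the first play. The filter chains are parenthesised explicitly,
  # matching the etcd entry; Jinja binds '|' tighter than 'not in', so the
  # evaluation is unchanged.
  when:
    # masters: server certificate and CA bundle on the first master
    - ('expired' not in (hostvars
       | lib_utils_oo_select_keys(groups['oo_masters_to_config'])
       | lib_utils_oo_collect('check_results.check_results.ocp_certs')
       | lib_utils_oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base
           ~ "/master/master.server.crt"})))
    - ('expired' not in (hostvars
       | lib_utils_oo_select_keys(groups['oo_masters_to_config'])
       | lib_utils_oo_collect('check_results.check_results.ocp_certs')
       | lib_utils_oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base
           ~ "/master/ca-bundle.crt"})))
    # etcd
    - ('expired' not in (hostvars
       | lib_utils_oo_select_keys(groups['etcd'])
       | lib_utils_oo_collect('check_results.check_results.etcd')
       | lib_utils_oo_collect('health')))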