
consolidate etcd_common role

Jan Chaloupka 7 jaren geleden
bovenliggende
commit
18306e3401
40 gewijzigde bestanden met toevoegingen van 272 en 323 verwijderingen
  1. 19 74
      playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
  2. 35 55
      playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml
  3. 9 6
      playbooks/common/openshift-cluster/upgrades/etcd/backup.yml
  4. 2 3
      playbooks/common/openshift-cluster/upgrades/etcd/main.yml
  5. 9 6
      playbooks/common/openshift-etcd/migrate.yml
  6. 71 4
      roles/etcd/defaults/main.yaml
  7. 0 0
      roles/etcd/library/delegated_serial_command.py
  8. 0 1
      roles/etcd/meta/main.yml
  9. 0 0
      roles/etcd/tasks/auxiliary/drop_etcdctl.yml
  10. 2 0
      roles/etcd/tasks/backup.yml
  11. 0 0
      roles/etcd/tasks/backup/backup.yml
  12. 2 0
      roles/etcd/tasks/backup_ca_certificates.yml
  13. 2 0
      roles/etcd/tasks/backup_generated_certificates.yml
  14. 2 0
      roles/etcd/tasks/backup_server_certificates.yml
  15. 1 1
      roles/etcd/tasks/ca.yml
  16. 12 0
      roles/etcd/tasks/certificates/backup_ca_certificates.yml
  17. 13 0
      roles/etcd/tasks/certificates/backup_generated_certificates.yml
  18. 11 0
      roles/etcd/tasks/certificates/backup_server_certificates.yml
  19. 0 0
      roles/etcd/tasks/certificates/deploy_ca.yml
  20. 47 0
      roles/etcd/tasks/certificates/distribute_ca.yml
  21. 0 0
      roles/etcd/tasks/certificates/fetch_client_certificates_from_ca.yml
  22. 0 4
      roles/etcd/tasks/server_certificates/fetch_from_ca.yml
  23. 5 0
      roles/etcd/tasks/certificates/remove_ca_certificates.yml
  24. 5 0
      roles/etcd/tasks/certificates/remove_generated_certificates.yml
  25. 8 0
      roles/etcd/tasks/certificates/retrieve_ca_certificates.yml
  26. 1 1
      roles/etcd/tasks/client_certificates.yml
  27. 2 0
      roles/etcd/tasks/distribute_ca
  28. 2 0
      roles/etcd/tasks/drop_etcdctl.yml
  29. 1 4
      roles/etcd/tasks/main.yml
  30. 2 0
      roles/etcd/tasks/remove_ca_certificates.yml
  31. 2 0
      roles/etcd/tasks/remove_generated_certificates.yml
  32. 2 0
      roles/etcd/tasks/retrieve_ca_certificates.yml
  33. 5 1
      roles/etcd/tasks/server_certificates.yml
  34. 0 0
      roles/etcd/templates/etcdctl.sh.j2
  35. 0 53
      roles/etcd_common/README.md
  36. 0 78
      roles/etcd_common/defaults/main.yml
  37. 0 15
      roles/etcd_common/meta/main.yml
  38. 0 9
      roles/etcd_common/tasks/main.yml
  39. 0 4
      roles/etcd_common/tasks/noop.yml
  40. 0 4
      roles/etcd_common/vars/main.yml

+ 19 - 74
playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml

@@ -13,26 +13,13 @@
 
 - name: Backup existing etcd CA certificate directories
   hosts: oo_etcd_to_config
-  roles:
-  - role: etcd_common
-    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
   tasks:
-  - name: Determine if CA certificate directory exists
-    stat:
-      path: "{{ etcd_ca_dir }}"
-    register: etcd_ca_certs_dir_stat
-  - name: Backup generated etcd certificates
-    command: >
-      tar -czf {{ etcd_conf_dir }}/etcd-ca-certificate-backup-{{ ansible_date_time.epoch }}.tgz
-      {{ etcd_ca_dir }}
-    args:
-      warn: no
-    when: etcd_ca_certs_dir_stat.stat.exists | bool
-  - name: Remove CA certificate directory
-    file:
-      path: "{{ etcd_ca_dir }}"
-      state: absent
-    when: etcd_ca_certs_dir_stat.stat.exists | bool
+  - include_role:
+      name: etcd
+      tasks_from: backup_ca_certificates
+  - include_role:
+      name: etcd
+      tasks_from: remove_ca_certificates
 
 - name: Generate new etcd CA
   hosts: oo_first_etcd
@@ -62,52 +49,14 @@
 
 - name: Distribute etcd CA to etcd hosts
   hosts: oo_etcd_to_config
-  vars:
-    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-  roles:
-  - role: etcd_common
-    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
   tasks:
-  - name: Create a tarball of the etcd ca certs
-    command: >
-      tar -czvf {{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz
-        -C {{ etcd_ca_dir }} .
-    args:
-      creates: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
-      warn: no
-    delegate_to: "{{ etcd_ca_host }}"
-    run_once: true
-  - name: Retrieve etcd ca cert tarball
-    fetch:
-      src: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
-      dest: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    delegate_to: "{{ etcd_ca_host }}"
-    run_once: true
-  - name: Ensure ca directory exists
-    file:
-      path: "{{ etcd_ca_dir }}"
-      state: directory
-  - name: Unarchive etcd ca cert tarballs
-    unarchive:
-      src: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/{{ etcd_ca_name }}.tgz"
-      dest: "{{ etcd_ca_dir }}"
-  - name: Read current etcd CA
-    slurp:
-      src: "{{ etcd_conf_dir }}/ca.crt"
-    register: g_current_etcd_ca_output
-  - name: Read new etcd CA
-    slurp:
-      src: "{{ etcd_ca_dir }}/ca.crt"
-    register: g_new_etcd_ca_output
-  - copy:
-      content: "{{ (g_new_etcd_ca_output.content|b64decode) + (g_current_etcd_ca_output.content|b64decode) }}"
-      dest: "{{ item }}/ca.crt"
-    with_items:
-    - "{{ etcd_conf_dir }}"
-    - "{{ etcd_ca_dir }}"
+  - include_role:
+      name: etcd
+      tasks_from: distribute_ca
+    vars:
+      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+      etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
+      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
 
 - include: ../../openshift-etcd/restart.yml
   # Do not restart etcd when etcd certificates were previously expired.
@@ -118,17 +67,13 @@
 
 - name: Retrieve etcd CA certificate
   hosts: oo_first_etcd
-  roles:
-  - role: etcd_common
-    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
   tasks:
-  - name: Retrieve etcd CA certificate
-    fetch:
-      src: "{{ etcd_conf_dir }}/ca.crt"
-      dest: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
+  - include_role:
+      name: etcd
+      tasks_from: retrieve_ca_certificates
+    vars:
+      etcd_sync_cert_dir: hostvars['localhost'].g_etcd_mktemp.stdout
+      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
 
 - name: Distribute etcd CA to masters
   hosts: oo_masters_to_config
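Review bot: In the last hunk, `etcd_sync_cert_dir: hostvars['localhost'].g_etcd_mktemp.stdout` is a plain string rather than a Jinja expression, so `retrieve_ca_certificates.yml` will fetch `ca.crt` into a controller-side directory literally named `hostvars['localhost'].g_etcd_mktemp.stdout/` instead of the mktemp directory, and whatever the following "Distribute etcd CA to masters" play reads from the mktemp directory will not find the new CA. The same variable is set correctly in the distribute_ca hunk above; this one should read `etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"`. The "Distribute etcd CA to masters" play continues past the end of the hunk.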

+ 35 - 55
playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml

@@ -2,73 +2,53 @@
 - name: Backup and remove generated etcd certificates
   hosts: oo_first_etcd
   any_errors_fatal: true
-  roles:
-    - role: etcd_common
-      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-  post_tasks:
-    - name: Determine if generated etcd certificates exist
-      stat:
-        path: "{{ etcd_conf_dir }}/generated_certs"
-      register: etcd_generated_certs_dir_stat
-    - name: Backup generated etcd certificates
-      command: >
-        tar -czf {{ etcd_conf_dir }}/etcd-generated-certificate-backup-{{ ansible_date_time.epoch }}.tgz
-        {{ etcd_conf_dir }}/generated_certs
-      args:
-        warn: no
-      when: etcd_generated_certs_dir_stat.stat.exists | bool
-    - name: Remove generated etcd certificates
-      file:
-        path: "{{ item }}"
-        state: absent
-      with_items:
-        - "{{ etcd_conf_dir }}/generated_certs"
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup_generated_certificates
+  - include_role:
+      name: etcd
+      tasks_from: remove_generated_certificates
 
 - name: Backup and removed deployed etcd certificates
   hosts: oo_etcd_to_config
   any_errors_fatal: true
-  roles:
-    - role: etcd_common
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup_server_certificates
+    vars:
       r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-  post_tasks:
-    - name: Backup etcd certificates
-      command: >
-        tar -czvf /etc/etcd/etcd-server-certificate-backup-{{ ansible_date_time.epoch }}.tgz
-        {{ etcd_conf_dir }}/ca.crt
-        {{ etcd_conf_dir }}/server.crt
-        {{ etcd_conf_dir }}/server.key
-        {{ etcd_conf_dir }}/peer.crt
-        {{ etcd_conf_dir }}/peer.key
-      args:
-        warn: no
 
 - name: Redeploy etcd certificates
   hosts: oo_etcd_to_config
   any_errors_fatal: true
+  roles:
+  - role: openshift_etcd_facts
   tasks:
-    - include_role:
-        name: etcd
-        tasks_from: server_certificates
-      vars:
-        etcd_certificates_redeploy: true
-        etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-        etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
-        etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
-        openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-        r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+  - include_role:
+      name: etcd
+      tasks_from: server_certificates
+    vars:
+      etcd_certificates_redeploy: true
+      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+      etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
+      etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
+      openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
 
 - name: Redeploy etcd client certificates for masters
   hosts: oo_masters_to_config
   any_errors_fatal: true
   roles:
-    - role: openshift_etcd_facts
-    - role: openshift_etcd_client_certificates
-      etcd_certificates_redeploy: true
-      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-      etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
-      etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
-      etcd_cert_prefix: "master.etcd-"
-      openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-      openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
-      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-      when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
+  - role: openshift_etcd_facts
+  - role: openshift_etcd_client_certificates
+    etcd_certificates_redeploy: true
+    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+    etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+    etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+    etcd_cert_prefix: "master.etcd-"
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+    openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
+    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config

+ 9 - 6
playbooks/common/openshift-cluster/upgrades/etcd/backup.yml

@@ -3,12 +3,15 @@
   hosts: oo_etcd_hosts_to_backup
   roles:
   - role: openshift_etcd_facts
-  - role: etcd_common
-    r_etcd_common_action: backup
-    r_etcd_common_backup_tag: etcd_backup_tag
-    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-    r_etcd_common_embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
-    r_etcd_common_backup_sufix_name: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
+  post_tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup
+    vars:
+      r_etcd_common_backup_tag: etcd_backup_tag
+      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+      r_etcd_common_embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
+      r_etcd_common_backup_sufix_name: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
 
 - name: Gate on etcd backup
   hosts: localhost
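Review bot: The backup moves from a `roles:` entry into `post_tasks:` here and in migrate.yml, and neither place records why the `r_etcd_common_action` dispatch existed; the deleted `roles/etcd_common/tasks/noop.yml` says it was a workaround for tags such as `pre_upgrade` breaking the role. It is worth confirming that `include_role` with `tasks_from: backup` inside `post_tasks` still runs when the upgrade playbooks are invoked with those tags, and noting the result in a one-line comment above the include. Separately, `r_etcd_common_backup_tag: etcd_backup_tag` is a literal string rather than `"{{ etcd_backup_tag }}"`; if a variable of that name is intended, the backup name will contain the literal word instead of its value. That line is carried over unchanged, so this may be deliberate, but it deserves a look while the play is being rewritten.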

+ 2 - 3
playbooks/common/openshift-cluster/upgrades/etcd/main.yml

@@ -15,9 +15,8 @@
   hosts: oo_etcd_hosts_to_upgrade
   tasks:
   - include_role:
-      name: etcd_common
-    vars:
-      r_etcd_common_action: drop_etcdctl
+      name: etcd
+      tasks_from: drop_etcdctl
 
 - name: Perform etcd upgrade
   include: ./upgrade.yml

+ 9 - 6
playbooks/common/openshift-etcd/migrate.yml

@@ -30,12 +30,15 @@
   gather_facts: no
   roles:
   - role: openshift_facts
-  - role: etcd_common
-    r_etcd_common_action: backup
-    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-    r_etcd_common_backup_tag: pre-migration
-    r_etcd_common_embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
-    r_etcd_common_backup_sufix_name: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
+  post_tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup
+    vars:
+      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+      r_etcd_common_backup_tag: pre-migration
+      r_etcd_common_embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
+      r_etcd_common_backup_sufix_name: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
 
 - name: Gate on etcd backup
   hosts: localhost

+ 71 - 4
roles/etcd/defaults/main.yaml

@@ -1,6 +1,66 @@
 ---
-r_etcd_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
-r_etcd_use_firewalld: "{{ os_firewall_use_firewalld | default(Falsel) }}"
+r_etcd_common_backup_tag: ''
+r_etcd_common_backup_sufix_name: ''
+
+# runc, docker, host
+r_etcd_common_etcd_runtime: "docker"
+r_etcd_common_embedded_etcd: false
+
+# etcd run on a host => use etcdctl command directly
+# etcd run as a docker container => use docker exec
+# etcd run as a runc container => use runc exec
+r_etcd_common_etcdctl_command: "{{ 'etcdctl' if r_etcd_common_etcd_runtime == 'host' or r_etcd_common_embedded_etcd | bool else 'docker exec etcd_container etcdctl' if r_etcd_common_etcd_runtime == 'docker' else 'runc exec etcd etcdctl' }}"
+
+# etcd server vars
+etcd_conf_dir: '/etc/etcd'
+r_etcd_common_system_container_host_dir: /var/lib/etcd/etcd.etcd
+etcd_system_container_conf_dir: /var/lib/etcd/etc
+etcd_conf_file: "{{ etcd_conf_dir }}/etcd.conf"
+etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
+etcd_key_file: "{{ etcd_conf_dir }}/server.key"
+etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_peer_cert_file: "{{ etcd_conf_dir }}/peer.crt"
+etcd_peer_key_file: "{{ etcd_conf_dir }}/peer.key"
+
+# etcd ca vars
+etcd_ca_dir: "{{ etcd_conf_dir}}/ca"
+etcd_generated_certs_dir: "{{ etcd_conf_dir }}/generated_certs"
+etcd_ca_cert: "{{ etcd_ca_dir }}/ca.crt"
+etcd_ca_key: "{{ etcd_ca_dir }}/ca.key"
+etcd_openssl_conf: "{{ etcd_ca_dir }}/openssl.cnf"
+etcd_ca_name: etcd_ca
+etcd_req_ext: etcd_v3_req
+etcd_ca_exts_peer: etcd_v3_ca_peer
+etcd_ca_exts_server: etcd_v3_ca_server
+etcd_ca_exts_self: etcd_v3_ca_self
+etcd_ca_exts_client: etcd_v3_ca_client
+etcd_ca_crl_dir: "{{ etcd_ca_dir }}/crl"
+etcd_ca_new_certs_dir: "{{ etcd_ca_dir }}/certs"
+etcd_ca_db: "{{ etcd_ca_dir }}/index.txt"
+etcd_ca_serial: "{{ etcd_ca_dir }}/serial"
+etcd_ca_crl_number: "{{ etcd_ca_dir }}/crlnumber"
+etcd_ca_default_days: 1825
+
+r_etcd_common_master_peer_cert_file: /etc/origin/master/master.etcd-client.crt
+r_etcd_common_master_peer_key_file: /etc/origin/master/master.etcd-client.key
+r_etcd_common_master_peer_ca_file: /etc/origin/master/master.etcd-ca.crt
+
+# etcd server & certificate vars
+etcd_hostname: "{{ inventory_hostname }}"
+etcd_ip: "{{ ansible_default_ipv4.address }}"
+etcd_is_atomic: False
+etcd_is_containerized: False
+etcd_is_thirdparty: False
+
+# etcd dir vars
+etcd_data_dir: "{{ '/var/lib/origin/openshift.local.etcd' if r_etcd_common_embedded_etcd | bool else '/var/lib/etcd/' if r_etcd_common_etcd_runtime != 'runc' else '/var/lib/etcd/etcd.etcd/' }}"
+
+# etcd ports and protocols
+etcd_client_port: 2379
+etcd_peer_port: 2380
+etcd_url_scheme: http
+etcd_peer_url_scheme: http
 
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
@@ -10,8 +70,15 @@ etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_
 etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
 etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
 
-etcd_client_port: 2379
-etcd_peer_port: 2380
+etcd_peer: 127.0.0.1
+etcdctlv2: "etcdctl --cert-file {{ etcd_peer_cert_file }} --key-file {{ etcd_peer_key_file }} --ca-file {{ etcd_peer_ca_file }} -C https://{{ etcd_peer }}:{{ etcd_client_port }}"
+
+etcd_service: "{{ 'etcd_container' if r_etcd_common_etcd_runtime == 'docker' else 'etcd' }}"
+# Location of the service file is fixed and not meant to be changed
+etcd_service_file: "/etc/systemd/system/{{ etcd_service }}.service"
+
+r_etcd_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_etcd_use_firewalld: "{{ os_firewall_use_firewalld | default(Falsel) }}"
 
 etcd_systemd_dir: "/etc/systemd/system/{{ etcd_service }}.service.d"
 r_etcd_os_firewall_deny: []
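Review bot: In the second hunk, `r_etcd_use_firewalld: "{{ os_firewall_use_firewalld | default(Falsel) }}"` passes the misspelled name `Falsel` to `default()`; that is an undefined Jinja variable, not the boolean, so whenever `os_firewall_use_firewalld` is unset the result is undefined/empty rather than `False`. The line is moved verbatim from the old defaults, but since the file is being rewritten it should become `default(False)`. Also, `etcd_peer: 127.0.0.1` gives a loopback default to a variable the deleted etcd_common defaults said "needs to be set by a role caller"; `etcdctlv2` will now quietly target localhost when a caller forgets to set it, so either leave it undefined or add a comment explaining why loopback is an acceptable default here.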

roles/etcd_common/library/delegated_serial_command.py → roles/etcd/library/delegated_serial_command.py


+ 0 - 1
roles/etcd/meta/main.yml

@@ -19,4 +19,3 @@ dependencies:
 - role: lib_openshift
 - role: lib_os_firewall
 - role: lib_utils
-- role: etcd_common

roles/etcd_common/tasks/drop_etcdctl.yml → roles/etcd/tasks/auxiliary/drop_etcdctl.yml


+ 2 - 0
roles/etcd/tasks/backup.yml

@@ -0,0 +1,2 @@
+---
+- include: backup/backup.yml

roles/etcd_common/tasks/backup.yml → roles/etcd/tasks/backup/backup.yml


+ 2 - 0
roles/etcd/tasks/backup_ca_certificates.yml

@@ -0,0 +1,2 @@
+---
+- include: certificates/backup_ca_certificates.yml

+ 2 - 0
roles/etcd/tasks/backup_generated_certificates.yml

@@ -0,0 +1,2 @@
+---
+- include: certificates/backup_generated_certificates.yml

+ 2 - 0
roles/etcd/tasks/backup_server_certificates.yml

@@ -0,0 +1,2 @@
+---
+- include: certificates/backup_server_certificates.yml

+ 1 - 1
roles/etcd/tasks/ca.yml

@@ -1,2 +1,2 @@
 ---
-- include: ca/deploy.yml
+- include: certificates/deploy_ca.yml

+ 12 - 0
roles/etcd/tasks/certificates/backup_ca_certificates.yml

@@ -0,0 +1,12 @@
+---
+- name: Determine if CA certificate directory exists
+  stat:
+    path: "{{ etcd_ca_dir }}"
+  register: etcd_ca_certs_dir_stat
+- name: Backup generated etcd certificates
+  command: >
+    tar -czf {{ etcd_conf_dir }}/etcd-ca-certificate-backup-{{ ansible_date_time.epoch }}.tgz
+    {{ etcd_ca_dir }}
+  args:
+    warn: no
+  when: etcd_ca_certs_dir_stat.stat.exists | bool
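Review bot: The task name `Backup generated etcd certificates` is copied from backup_generated_certificates.yml, but this task archives `{{ etcd_ca_dir }}`; it should read `- name: Backup etcd CA certificate directory` so play output distinguishes the two backups. The archive also contains the CA private key (`etcd_ca_key` is `{{ etcd_ca_dir }}/ca.key` in the new defaults) and `tar -czf` creates the tarball with the process umask, so a follow-up `file:` task setting `mode: '0600'` on the tarball, or a comment stating the expected umask, is worth adding. The same applies to the server and peer keys archived in backup_server_certificates.yml.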

+ 13 - 0
roles/etcd/tasks/certificates/backup_generated_certificates.yml

@@ -0,0 +1,13 @@
+---
+- name: Determine if generated etcd certificates exist
+  stat:
+    path: "{{ etcd_conf_dir }}/generated_certs"
+  register: etcd_generated_certs_dir_stat
+
+- name: Backup generated etcd certificates
+  command: >
+    tar -czf {{ etcd_conf_dir }}/etcd-generated-certificate-backup-{{ ansible_date_time.epoch }}.tgz
+    {{ etcd_conf_dir }}/generated_certs
+  args:
+    warn: no
+  when: etcd_generated_certs_dir_stat.stat.exists | bool

+ 11 - 0
roles/etcd/tasks/certificates/backup_server_certificates.yml

@@ -0,0 +1,11 @@
+---
+- name: Backup etcd certificates
+  command: >
+    tar -czvf /etc/etcd/etcd-server-certificate-backup-{{ ansible_date_time.epoch }}.tgz
+    {{ etcd_conf_dir }}/ca.crt
+    {{ etcd_conf_dir }}/server.crt
+    {{ etcd_conf_dir }}/server.key
+    {{ etcd_conf_dir }}/peer.crt
+    {{ etcd_conf_dir }}/peer.key
+  args:
+    warn: no
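Review bot: The destination `/etc/etcd/etcd-server-certificate-backup-...tgz` is hard-coded while every other path in this task and in the sibling backup files uses `{{ etcd_conf_dir }}`; if a caller overrides `etcd_conf_dir` the archive lands outside the directory it backs up. Change the first command line to `tar -czvf {{ etcd_conf_dir }}/etcd-server-certificate-backup-{{ ansible_date_time.epoch }}.tgz`. Unlike the CA and generated-certificate backups there is no `stat` guard, so `tar` fails the play if any of the five files is missing; that may be intentional for a redeploy, but a comment saying so would help.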

roles/etcd/tasks/ca/deploy.yml → roles/etcd/tasks/certificates/deploy_ca.yml


+ 47 - 0
roles/etcd/tasks/certificates/distribute_ca.yml

@@ -0,0 +1,47 @@
+---
+- name: Create a tarball of the etcd ca certs
+  command: >
+    tar -czvf {{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz
+      -C {{ etcd_ca_dir }} .
+  args:
+    creates: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
+    warn: no
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
+
+- name: Retrieve etcd ca cert tarball
+  fetch:
+    src: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
+    dest: "{{ etcd_sync_cert_dir }}/"
+    flat: yes
+    fail_on_missing: yes
+    validate_checksum: yes
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
+
+- name: Ensure ca directory exists
+  file:
+    path: "{{ etcd_ca_dir }}"
+    state: directory
+
+- name: Unarchive etcd ca cert tarballs
+  unarchive:
+    src: "{{ etcd_sync_cert_dir }}/{{ etcd_ca_name }}.tgz"
+    dest: "{{ etcd_ca_dir }}"
+
+- name: Read current etcd CA
+  slurp:
+    src: "{{ etcd_conf_dir }}/ca.crt"
+  register: g_current_etcd_ca_output
+
+- name: Read new etcd CA
+  slurp:
+    src: "{{ etcd_ca_dir }}/ca.crt"
+  register: g_new_etcd_ca_output
+
+- copy:
+    content: "{{ (g_new_etcd_ca_output.content|b64decode) + (g_current_etcd_ca_output.content|b64decode) }}"
+    dest: "{{ item }}/ca.crt"
+  with_items:
+  - "{{ etcd_conf_dir }}"
+  - "{{ etcd_ca_dir }}"
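Review bot: This task file requires `etcd_ca_host` and `etcd_sync_cert_dir`, neither of which has a default in roles/etcd/defaults/main.yaml, and nothing says so; a header comment such as `# Required vars: etcd_ca_host (host holding the CA), etcd_sync_cert_dir (controller-side staging dir)` would save the next caller a failed run. The final `copy` task has no `name`, unlike the others: `- name: Merge new and current etcd CA into ca.crt`. Note also that `creates:` on the tarball task means a `{{ etcd_ca_name }}.tgz` left over from an earlier redeploy would be distributed instead of the freshly generated CA unless something outside this diff removes it; if nothing does, drop `creates:` or remove the stale tarball first.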

roles/etcd/tasks/client_certificates/fetch_from_ca.yml → roles/etcd/tasks/certificates/fetch_client_certificates_from_ca.yml


+ 0 - 4
roles/etcd/tasks/server_certificates/fetch_from_ca.yml

@@ -1,8 +1,4 @@
 ---
-- include: ../ca/deploy.yml
-  when:
-  - etcd_ca_setup | default(True) | bool
-
 - name: Install etcd
   package:
     name: "etcd{{ '-' + etcd_version if etcd_version is defined else '' }}"

+ 5 - 0
roles/etcd/tasks/certificates/remove_ca_certificates.yml

@@ -0,0 +1,5 @@
+---
+- name: Remove CA certificate directory
+  file:
+    path: "{{ etcd_ca_dir }}"
+    state: absent

+ 5 - 0
roles/etcd/tasks/certificates/remove_generated_certificates.yml

@@ -0,0 +1,5 @@
+---
+- name: Remove generated etcd certificates
+  file:
+    path: "{{ etcd_conf_dir }}/generated_certs"
+    state: absent

+ 8 - 0
roles/etcd/tasks/certificates/retrieve_ca_certificates.yml

@@ -0,0 +1,8 @@
+---
+- name: Retrieve etcd CA certificate
+  fetch:
+    src: "{{ etcd_conf_dir }}/ca.crt"
+    dest: "{{ etcd_sync_cert_dir }}/"
+    flat: yes
+    fail_on_missing: yes
+    validate_checksum: yes

+ 1 - 1
roles/etcd/tasks/client_certificates.yml

@@ -1,2 +1,2 @@
 ---
-- include: client_certificates/fetch_from_ca.yml
+- include: certificates/fetch_client_certificates_from_ca.yml

+ 2 - 0
roles/etcd/tasks/distribute_ca

@@ -0,0 +1,2 @@
+---
+- include: certificates/distribute_ca.yml
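Review bot: This wrapper is created as `roles/etcd/tasks/distribute_ca` with no `.yml` extension, while every sibling wrapper added in this commit (`backup_ca_certificates.yml`, `retrieve_ca_certificates.yml`, `drop_etcdctl.yml`, ...) has one. Ansible's `tasks_from` lookup appears to accept the extension-less name, so the `tasks_from: distribute_ca` caller in etcd-ca.yml may work, but the file should be renamed to `distribute_ca.yml` for consistency and so editors and linters recognise it as YAML.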

+ 2 - 0
roles/etcd/tasks/drop_etcdctl.yml

@@ -0,0 +1,2 @@
+---
+- include: auxiliary/drop_etcdctl.yml

+ 1 - 4
roles/etcd/tasks/main.yml

@@ -16,10 +16,7 @@
   package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present
   when: not etcd_is_containerized | bool
 
-- include_role:
-    name: etcd_common
-  vars:
-    r_etcd_common_action: drop_etcdctl
+- include: drop_etcdctl.yml
   when:
   - openshift_etcd_etcdctl_profile | default(true) | bool
 

+ 2 - 0
roles/etcd/tasks/remove_ca_certificates.yml

@@ -0,0 +1,2 @@
+---
+- include: certificates/remove_ca_certificates.yml

+ 2 - 0
roles/etcd/tasks/remove_generated_certificates.yml

@@ -0,0 +1,2 @@
+---
+- include: certificates/remove_generated_certificates.yml

+ 2 - 0
roles/etcd/tasks/retrieve_ca_certificates.yml

@@ -0,0 +1,2 @@
+---
+- include: certificates/retrieve_ca_certificates.yml

+ 5 - 1
roles/etcd/tasks/server_certificates.yml

@@ -1,2 +1,6 @@
 ---
-- include: server_certificates/fetch_from_ca.yml
+- include: ca.yml
+  when:
+  - etcd_ca_setup | default(True) | bool
+
+- include: certificates/fetch_server_certificates_from_ca.yml
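Review bot: The new include target `certificates/fetch_server_certificates_from_ca.yml` is not created, renamed or listed anywhere in this commit; the only server-certificate task file touched is `roles/etcd/tasks/server_certificates/fetch_from_ca.yml`, which stays at its old path (the client-side counterpart was renamed, this one was not). Unless the file already exists outside this diff, `server_certificates.yml` will fail with a missing-file error the first time it is included. Either rename `server_certificates/fetch_from_ca.yml` to the new path in this commit or keep the old line `- include: server_certificates/fetch_from_ca.yml`.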

roles/etcd_common/templates/etcdctl.sh.j2 → roles/etcd/templates/etcdctl.sh.j2


+ 0 - 53
roles/etcd_common/README.md

@@ -1,53 +0,0 @@
-etcd_common
-========================
-
-Common resources for dependent etcd roles. E.g. default variables for:
-* config directories
-* certificates
-* ports
-* other settings
-
-Or `delegated_serial_command` ansible module for executing a command on a remote node. E.g.
-
-```yaml
-- delegated_serial_command:
-    command: /usr/bin/make_database.sh arg1 arg2
-    creates: /path/to/database
-```
-
-Or etcdctl.yml playbook for installation of `etcdctl` aliases on a node (see example).
-
-Dependencies
-------------
-
-openshift-repos
-
-Example Playbook
-----------------
-
-**Drop etcdctl aliases**
-
-```yaml
-- include_role:
-    name: etcd_common
-    tasks_from: etcdctl
-```
-
-**Get access to common variables**
-
-```yaml
-# meta.yml of etcd
-...
-dependencies:
-- { role: etcd_common }
-```
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Jason DeTiberus (jdetiber@redhat.com)

+ 0 - 78
roles/etcd_common/defaults/main.yml

@@ -1,78 +0,0 @@
----
-# Default action when calling this role
-r_etcd_common_action: noop
-r_etcd_common_backup_tag: ''
-r_etcd_common_backup_sufix_name: ''
-
-# runc, docker, host
-r_etcd_common_etcd_runtime: "docker"
-r_etcd_common_embedded_etcd: false
-
-# etcd run on a host => use etcdctl command directly
-# etcd run as a docker container => use docker exec
-# etcd run as a runc container => use runc exec
-r_etcd_common_etcdctl_command: "{{ 'etcdctl' if r_etcd_common_etcd_runtime == 'host' or r_etcd_common_embedded_etcd | bool else 'docker exec etcd_container etcdctl' if r_etcd_common_etcd_runtime == 'docker' else 'runc exec etcd etcdctl' }}"
-
-# etcd server vars
-etcd_conf_dir: '/etc/etcd'
-r_etcd_common_system_container_host_dir: /var/lib/etcd/etcd.etcd
-etcd_system_container_conf_dir: /var/lib/etcd/etc
-etcd_conf_file: "{{ etcd_conf_dir }}/etcd.conf"
-etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
-etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
-etcd_key_file: "{{ etcd_conf_dir }}/server.key"
-etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt"
-etcd_peer_cert_file: "{{ etcd_conf_dir }}/peer.crt"
-etcd_peer_key_file: "{{ etcd_conf_dir }}/peer.key"
-
-# etcd ca vars
-etcd_ca_dir: "{{ etcd_conf_dir}}/ca"
-etcd_generated_certs_dir: "{{ etcd_conf_dir }}/generated_certs"
-etcd_ca_cert: "{{ etcd_ca_dir }}/ca.crt"
-etcd_ca_key: "{{ etcd_ca_dir }}/ca.key"
-etcd_openssl_conf: "{{ etcd_ca_dir }}/openssl.cnf"
-etcd_ca_name: etcd_ca
-etcd_req_ext: etcd_v3_req
-etcd_ca_exts_peer: etcd_v3_ca_peer
-etcd_ca_exts_server: etcd_v3_ca_server
-etcd_ca_exts_self: etcd_v3_ca_self
-etcd_ca_exts_client: etcd_v3_ca_client
-etcd_ca_crl_dir: "{{ etcd_ca_dir }}/crl"
-etcd_ca_new_certs_dir: "{{ etcd_ca_dir }}/certs"
-etcd_ca_db: "{{ etcd_ca_dir }}/index.txt"
-etcd_ca_serial: "{{ etcd_ca_dir }}/serial"
-etcd_ca_crl_number: "{{ etcd_ca_dir }}/crlnumber"
-etcd_ca_default_days: 1825
-
-r_etcd_common_master_peer_cert_file: /etc/origin/master/master.etcd-client.crt
-r_etcd_common_master_peer_key_file: /etc/origin/master/master.etcd-client.key
-r_etcd_common_master_peer_ca_file: /etc/origin/master/master.etcd-ca.crt
-
-# etcd server & certificate vars
-etcd_hostname: "{{ inventory_hostname }}"
-etcd_ip: "{{ ansible_default_ipv4.address }}"
-etcd_is_atomic: False
-etcd_is_containerized: False
-etcd_is_thirdparty: False
-
-# etcd dir vars
-etcd_data_dir: "{{ '/var/lib/origin/openshift.local.etcd' if r_etcd_common_embedded_etcd | bool else '/var/lib/etcd/' if r_etcd_common_etcd_runtime != 'runc' else '/var/lib/etcd/etcd.etcd/' }}"
-
-# etcd ports and protocols
-etcd_client_port: 2379
-etcd_peer_port: 2380
-etcd_url_scheme: http
-etcd_peer_url_scheme: http
-
-etcd_initial_cluster_state: new
-etcd_initial_cluster_token: etcd-cluster-1
-
-etcd_initial_advertise_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_port }}"
-etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_port }}"
-etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
-etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
-
-etcd_systemd_dir: "/etc/systemd/system/{{ etcd_service }}.service.d"
-
-# etcd_peer needs to be set by a role caller
-etcdctlv2: "etcdctl --cert-file {{ etcd_peer_cert_file }} --key-file {{ etcd_peer_key_file }} --ca-file {{ etcd_peer_ca_file }} -C https://{{ etcd_peer }}:{{ etcd_client_port }}"

+ 0 - 15
roles/etcd_common/meta/main.yml

@@ -1,15 +0,0 @@
----
-galaxy_info:
-  author: Jason DeTiberus
-  description:
-  company: Red Hat, Inc.
-  license: Apache License, Version 2.0
-  min_ansible_version: 1.9
-  platforms:
-  - name: EL
-    versions:
-    - 7
-  categories:
-  - cloud
-  - system
-dependencies: []

+ 0 - 9
roles/etcd_common/tasks/main.yml

@@ -1,9 +0,0 @@
----
-- name: Fail if invalid r_etcd_common_action provided
-  fail:
-    msg: "etcd_common role can only be called with 'noop' or 'backup' or 'drop_etcdctl'"
-  when: r_etcd_common_action not in ['noop', 'backup', 'drop_etcdctl']
-
-- name: Include main action task file
-  include: "{{ r_etcd_common_action }}.yml"
-  when: r_etcd_common_action != "noop"

+ 0 - 4
roles/etcd_common/tasks/noop.yml

@@ -1,4 +0,0 @@
----
-# This is file is here because the usage of tags, specifically `pre_upgrade`
-# breaks the functionality of this role.
-# See https://bugzilla.redhat.com/show_bug.cgi?id=1464025

+ 0 - 4
roles/etcd_common/vars/main.yml

@@ -1,4 +0,0 @@
----
-etcd_service: "{{ 'etcd_container' if r_etcd_common_etcd_runtime == 'docker' else 'etcd' }}"
-# Location of the service file is fixed and not meant to be changed
-etcd_service_file: "/etc/systemd/system/{{ etcd_service }}.service"