
Merge pull request #2449 from abutcher/service-signer-upgrade

[upgrade] Create/configure service signer cert when missing.
Scott Dodson 8 years ago
parent
commit
2987e7490e

+ 69 - 0
playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml

@@ -0,0 +1,69 @@
+---
+- name: Create local temp directory for syncing certs
+  hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
+  tasks:
+  - name: Create local temp directory for syncing certs
+    local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+    register: local_cert_sync_tmpdir
+    changed_when: false
+
+- name: Create service signer certificate
+  hosts: oo_first_master
+  tasks:
+  - name: Create remote temp directory for creating certs
+    command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+    register: remote_cert_create_tmpdir
+    changed_when: false
+
+  - name: Create service signer certificate
+    command: >
+      {{ openshift.common.admin_binary }} ca create-signer-cert
+      --cert=service-signer.crt
+      --key=service-signer.key
+      --name=openshift-service-serving-signer
+      --serial=service-signer.serial.txt
+    args:
+      chdir: "{{ remote_cert_create_tmpdir.stdout }}/"
+
+  - name: Retrieve service signer certificate
+    fetch:
+      src: "{{ remote_cert_create_tmpdir.stdout }}/{{ item }}"
+      dest: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/"
+      flat: yes
+      fail_on_missing: yes
+      validate_checksum: yes
+    with_items:
+    - "service-signer.crt"
+    - "service-signer.key"
+
+  - name: Delete remote temp directory
+    file:
+      name: "{{ remote_cert_create_tmpdir.stdout }}"
+      state: absent
+    changed_when: false
+
+- name: Deploy service signer certificate
+  hosts: oo_masters_to_config
+  tasks:
+  - name: Deploy service signer certificate
+    copy:
+      src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item }}"
+      dest: "{{ openshift.common.config_base }}/master/"
+    with_items:
+    - "service-signer.crt"
+    - "service-signer.key"
+
+- name: Delete local temp directory
+  hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
+  tasks:
+  - name: Delete local temp directory
+    file:
+      name: "{{ local_cert_sync_tmpdir.stdout }}"
+      state: absent
+    changed_when: false
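Review bot: The copy task in the "Deploy service signer certificate" play writes `service-signer.key` to every master without a `mode` (or `owner`/`group`), so the private signer key is created with whatever the remote default mode yields for a new file, which on a typical umask is world-readable; this key signs serving certificates for every service in the cluster and should land with a restrictive mode. The list items carry only filenames, so per-file modes need the items turned into small mappings, as below. The boolean-looking values `no`/`yes` on `become`, `flat`, `fail_on_missing` and `validate_checksum` would also read more safely as `false`/`true`. Note too that the fetched key sits in the controller's temp directory until the final play; if an intermediate play fails the directory, and the key, are left behind, so a `block`/`always` cleanup may be worth considering.
```yaml
  - name: Deploy service signer certificate
    copy:
      src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item.name }}"
      dest: "{{ openshift.common.config_base }}/master/"
      mode: "{{ item.mode }}"
    with_items:
    - { name: "service-signer.crt", mode: "0644" }
    - { name: "service-signer.key", mode: "0600" }
```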

+ 23 - 1
playbooks/common/openshift-cluster/upgrades/upgrade.yml

@@ -34,7 +34,7 @@
 ###############################################################################
 # Upgrade Masters
 ###############################################################################
-- name: Upgrade master
+- name: Upgrade master packages
   hosts: oo_masters_to_config
   handlers:
   - include: ../../../../roles/openshift_master/handlers/main.yml
@@ -45,6 +45,28 @@
   - include: rpm_upgrade.yml component=master
     when: not openshift.common.is_containerized | bool
 
+- name: Determine if service signer cert must be created
+  hosts: oo_first_master
+  tasks:
+  - name: Determine if service signer certificate must be created
+    stat:
+      path: "{{ openshift.common.config_base }}/master/service-signer.crt"
+    register: service_signer_cert_stat
+    changed_when: false
+
+# Create service signer cert when missing. Service signer certificate
+# is added to master config in the master config hook for v3_3.
+- include: create_service_signer_cert.yml
+  when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
+
+- name: Upgrade master config and systemd units
+  hosts: oo_masters_to_config
+  handlers:
+  - include: ../../../../roles/openshift_master/handlers/main.yml
+    static: yes
+  roles:
+  - openshift_facts
+  tasks:
   - include: "{{ master_config_hook }}"
     when: master_config_hook is defined
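Review bot: The guard `when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)` tests only `service-signer.crt`, and only on the first master, so a deployment where the cert exists but `service-signer.key` is absent (or where another host in `oo_masters_to_config` lacks both) skips the create/deploy include while the v3_3 master config hook still points `keyFile` at `service-signer.key`. Consider a second `stat` on `{{ openshift.common.config_base }}/master/service-signer.key` registered as `service_signer_key_stat` and including when either is missing, e.g. `when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool) or not (hostvars[groups.oo_first_master.0].service_signer_key_stat.stat.exists | bool)`. The "Determine if service signer cert must be created" play also uses `openshift.common.config_base` without listing `openshift_facts` under `roles`, unlike the play that follows it; presumably the fact is already cached from an earlier play, but that is worth confirming. The "Upgrade master config and systemd units" play continues past the end of this hunk.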
 

+ 10 - 0
playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml

@@ -38,3 +38,13 @@
     dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
     yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.qps'
     yaml_value: 300
+
+- modify_yaml:
+    dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+    yaml_key: 'controllerConfig.servicesServingCert.signer.certFile'
+    yaml_value: service-signer.crt
+
+- modify_yaml:
+    dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+    yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile'
+    yaml_value: service-signer.key
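Review bot: The two new `modify_yaml` entries point the master at `service-signer.crt` and `service-signer.key` unconditionally but carry no comment saying those files must already be present in the master config directory, which is only ensured by the create/deploy plays in upgrade.yml that run before this hook; a line above the first entry such as `# service-signer.crt/.key are deployed by upgrade.yml (create_service_signer_cert.yml) before this hook runs` would record that ordering dependency. As a point of style, the new `yaml_value` entries are plain scalars while the neighbouring `yaml_key` values are single-quoted; writing `yaml_value: 'service-signer.crt'` and `yaml_value: 'service-signer.key'` keeps the file consistent and avoids implicit-typing surprises for future values. The missing space in `{{ openshift.common.config_base}}` is carried over from the existing line above and is harmless, but it differs from the spelling used in upgrade.yml.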