Merge pull request #5643 from mtnbikenc/refactor-certificates

Automatic merge from submit-queue.

Refactor certificate playbooks for checkpointing

The recent breakout of the certificate playbooks resulted in the certificate portion of the install to be outside of the component checkpoint.  This PR moves the certificate playbooks inside their respective config.yml playbook.

Removes an unused tasks file from the openshift_named_certificates role.

playbooks/byo/openshift-master/certificates.yml

@@ -3,6 +3,4 @@
 
 - include: ../../common/openshift-cluster/std_include.yml
 
-- include: ../../common/openshift-master/ca.yml
-
 - include: ../../common/openshift-master/certificates.yml

playbooks/byo/openshift-node/scaleup.yml

@@ -16,6 +16,4 @@
 
 - include: ../../common/openshift-cluster/std_include.yml
 
-- include: ../../common/openshift-node/certificates.yml
-
 - include: ../../common/openshift-node/config.yml

playbooks/common/openshift-cluster/config.yml

@@ -18,10 +18,6 @@
       - docker_image_availability
       - docker_storage
 
-- include: ../openshift-etcd/ca.yml
-
-- include: ../openshift-etcd/certificates.yml
-
 - include: ../openshift-etcd/config.yml
 
 - include: ../openshift-nfs/config.yml
@@ -30,16 +26,10 @@
 - include: ../openshift-loadbalancer/config.yml
   when: groups.oo_lb_to_config | default([]) | count > 0
 
-- include: ../openshift-master/ca.yml
-
-- include: ../openshift-master/certificates.yml
-
 - include: ../openshift-master/config.yml
 
 - include: ../openshift-master/additional_config.yml
 
-- include: ../openshift-node/certificates.yml
-
 - include: ../openshift-node/config.yml
 
 - include: ../openshift-glusterfs/config.yml

playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml

@@ -114,12 +114,18 @@
     register: g_new_openshift_ca_mktemp
     changed_when: false
 
-- include: ../../openshift-master/ca.yml
+- name: Create OpenShift CA
+  hosts: oo_first_master
   vars:
     # Set openshift_ca_config_dir to a temporary directory where CA
     # will be created. We'll replace the existing CA with the CA
     # created in the temporary directory.
     openshift_ca_config_dir: "{{ hostvars[groups.oo_first_master.0].g_new_openshift_ca_mktemp.stdout }}"
+  roles:
+  - role: openshift_master_facts
+  - role: openshift_named_certificates
+  - role: openshift_ca
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
 
 - name: Create temp directory for syncing certs
   hosts: localhost

playbooks/common/openshift-etcd/config.yml

@@ -10,6 +10,10 @@
         installer_phase_etcd: "In Progress"
       aggregate: false
 
+- include: ca.yml
+
+- include: certificates.yml
+
 - name: Configure etcd
   hosts: oo_etcd_to_config
   any_errors_fatal: true

playbooks/common/openshift-master/ca.yml

@@ -1,8 +0,0 @@
----
-- name: Create OpenShift CA
-  hosts: oo_masters_to_config
-  roles:
-  - role: openshift_master_facts
-  - role: openshift_named_certificates
-  - role: openshift_ca
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"

playbooks/common/openshift-master/config.yml

@@ -10,6 +10,8 @@
         installer_phase_master: "In Progress"
       aggregate: false
 
+- include: certificates.yml
+
 - name: Disable excluders
   hosts: oo_masters_to_config
   gather_facts: no

playbooks/common/openshift-master/scaleup.yml

@@ -47,8 +47,6 @@
 
 - include: ../openshift-etcd/certificates.yml
 
-- include: ../openshift-master/certificates.yml
-
 - include: ../openshift-master/config.yml
 
 - include: ../openshift-loadbalancer/config.yml

playbooks/common/openshift-node/config.yml

@@ -10,6 +10,8 @@
         installer_phase_node: "In Progress"
       aggregate: false
 
+- include: certificates.yml
+
 - include: setup.yml
 
 - include: containerized_nodes.yml

roles/openshift_named_certificates/tasks/named_certificates.yml

@@ -1,32 +0,0 @@
----
-- name: Clear named certificates
-  file:
-    path: "{{ named_certs_dir }}"
-    state: absent
-  when: overwrite_named_certs | bool
-
-- name: Ensure named certificate directory exists
-  file:
-    path: "{{ named_certs_dir }}"
-    state: directory
-    mode: 0700
-
-- name: Land named certificates
-  copy:
-    src: "{{ item.certfile }}"
-    dest: "{{ named_certs_dir }}"
-  with_items: "{{ openshift_master_named_certificates | default([]) }}"
-
-- name: Land named certificate keys
-  copy:
-    src: "{{ item.keyfile }}"
-    dest: "{{ named_certs_dir }}"
-    mode: 0600
-  with_items: "{{ openshift_master_named_certificates | default([]) }}"
-
-- name: Land named CA certificates
-  copy:
-    src: "{{ item }}"
-    dest: "{{ named_certs_dir }}"
-    mode: 0600
-  with_items: "{{ openshift_master_named_certificates | default([]) | oo_collect('cafile') }}"