Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Improve CA playbook restart logic and skip restarts when related services had previously expired certificates.

Andrew Butcher 7 years ago
parent
505764651b
commit
4ba216918e
2 changed files with 58 additions and 31 deletions
Split View Show Diff Stats
  1. 16 10
      playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
  2. 42 21
      playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml

+ 16 - 10
playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
View File 

@@ -146,13 +146,19 @@
 
     changed_when: false
 
 
 - include: ../../openshift-master/restart.yml
 
-  # Do not restart masters when master certificates were previously expired.
 
-  when: ('expired' not in hostvars
 
-                       | oo_select_keys(groups['oo_masters_to_config'])
 
-                       | oo_collect('check_results.check_results.ocp_certs')
 
-                       | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"}))
 
-        and
 
-        ('expired' not in hostvars
 
-                          | oo_select_keys(groups['oo_masters_to_config'])
 
-                          | oo_collect('check_results.check_results.ocp_certs')
 
-                          | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))
 
+  # Do not restart masters when master or etcd certificates were previously expired.
 
+  when:
 
+  # masters
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_masters_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"}))
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_masters_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))
 
+  # etcd
 
+  - ('expired' not in (hostvars
 
+      | oo_select_keys(groups['etcd'])
 
+      | oo_collect('check_results.check_results.etcd')
 
+      | oo_collect('health')))

+ 42 - 21
playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
View File 

@@ -7,7 +7,7 @@
 
     when: not openshift.common.version_gte_3_2_or_1_2 | bool
 
 
 - name: Check cert expirys
 
-  hosts: oo_nodes_to_config:oo_masters_to_config
 
+  hosts: oo_nodes_to_config:oo_masters_to_config:oo_etcd_to_config
 
   vars:
 
     openshift_certificate_expiry_show_all: yes
 
   roles:
 
@@ -209,16 +209,22 @@
 
     with_items: "{{ client_users }}"
 
 
 - include: ../../openshift-master/restart.yml
 
-  # Do not restart masters when master certificates were previously expired.
 
-  when: ('expired' not in hostvars
 
-                       | oo_select_keys(groups['oo_masters_to_config'])
 
-                       | oo_collect('check_results.check_results.ocp_certs')
 
-                       | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"}))
 
-        and
 
-        ('expired' not in hostvars
 
-                          | oo_select_keys(groups['oo_masters_to_config'])
 
-                          | oo_collect('check_results.check_results.ocp_certs')
 
-                          | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))
 
+  # Do not restart masters when master or etcd certificates were previously expired.
 
+  when:
 
+  # masters
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_masters_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"}))
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_masters_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))
 
+  # etcd
 
+  - ('expired' not in (hostvars
 
+      | oo_select_keys(groups['etcd'])
 
+      | oo_collect('check_results.check_results.etcd')
 
+      | oo_collect('health')))
 
 
 - name: Distribute OpenShift CA certificate to nodes
 
   hosts: oo_nodes_to_config
 
@@ -268,13 +274,28 @@
 
     changed_when: false
 
 
 - include: ../../openshift-node/restart.yml
 
-  # Do not restart nodes when node certificates were previously expired.
 
-  when: ('expired' not in hostvars
 
-                       | oo_select_keys(groups['oo_nodes_to_config'])
 
-                       | oo_collect('check_results.check_results.ocp_certs')
 
-                       | oo_collect('health', {'path':hostvars[groups.oo_nodes_to_config.0].openshift.common.config_base ~ "/node/server.crt"}))
 
-        and
 
-        ('expired' not in hostvars
 
-                          | oo_select_keys(groups['oo_nodes_to_config'])
 
-                          | oo_collect('check_results.check_results.ocp_certs')
 
-                          | oo_collect('health', {'path':hostvars[groups.oo_nodes_to_config.0].openshift.common.config_base ~ "/node/ca.crt"}))
 
+  # Do not restart nodes when node, master or etcd certificates were previously expired.
 
+  when:
 
+  # nodes
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_nodes_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_nodes_to_config.0].openshift.common.config_base ~ "/node/server.crt"}))
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_nodes_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_nodes_to_config.0].openshift.common.config_base ~ "/node/ca.crt"}))
 
+  # masters
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_masters_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"}))
 
+  - ('expired' not in hostvars
 
+      | oo_select_keys(groups['oo_masters_to_config'])
 
+      | oo_collect('check_results.check_results.ocp_certs')
 
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))
 
+  # etcd
 
+  - ('expired' not in (hostvars
 
+      | oo_select_keys(groups['etcd'])
 
+      | oo_collect('check_results.check_results.etcd')
 
+      | oo_collect('health')))