Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

openshift_ca: add openshift_ca_cert_expire_days and openshift_master_cert_expire_days parameters.

Slava Semushin 8 years ago
parent
c5da9d90c4
commit
5ae588b6d6
3 changed files with 10 additions and 1 deletions
Split View Show Diff Stats
  1. 2 0
      roles/openshift_ca/README.md
  2. 3 0
      roles/openshift_ca/defaults/main.yml
  3. 5 1
      roles/openshift_ca/tasks/main.yml

+ 2 - 0
roles/openshift_ca/README.md
View File 

@@ -19,6 +19,8 @@ From this role:
 
 | openshift_ca_key        | `{{ openshift_ca_config_dir }}/ca.key`        | CA key path including CA key filename.                                      |
 
 | openshift_ca_serial     | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename.                                |
 
 | openshift_version       | `{{ openshift_pkg_version }}`                 | OpenShift package version.                                                  |
 
+| openshift_master_cert_expire_days | `730` (2 years)                     | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
 
+| openshift_ca_cert_expire_days     | `1825` (5 years)                    | Validity of the CA certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
 
 
 Dependencies
 
 ------------

+ 3 - 0
roles/openshift_ca/defaults/main.yml
View File 

@@ -0,0 +1,3 @@
 
+---
 
+openshift_ca_cert_expire_days: 1825
 
+openshift_master_cert_expire_days: 730

+ 5 - 1
roles/openshift_ca/tasks/main.yml
View File 

@@ -88,7 +88,7 @@
 
 # This should NOT replace the CA due to --overwrite=false when a CA already exists.
 
 - name: Create the master certificates if they do not already exist
 
   command: >
 
-    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-master-certs
 
+    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs
 
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
 
     --certificate-authority {{ named_ca_certificate }}
 
     {% endfor %}
 
@@ -99,6 +99,10 @@
 
     --master={{ openshift.master.api_url }}
 
     --public-master={{ openshift.master.public_api_url }}
 
     --cert-dir={{ openshift_ca_config_dir }}
 
+    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
 
+    --expire-days={{ openshift_master_cert_expire_days }}
 
+    --signer-expire-days={{ openshift_ca_cert_expire_days }}
 
+    {% endif %}
 
     --overwrite=false
 
   when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
 
   delegate_to: "{{ openshift_ca_host }}"