
Syncing certs and aggregator configs from first master to all other masters

ewolinetz 7 years ago
parent
commit
96dea4b4a6

+ 11 - 7
playbooks/common/openshift-cluster/service_catalog.yml

@@ -1,16 +1,20 @@
 ---
 - include: evaluate_groups.yml
 
-- name: Service Catalog
-  hosts: oo_first_master
-  roles:
-  - openshift_service_catalog
-  - ansible_service_broker
-
 - name: Update Master configs
-  hosts: oo_masters:!oo_first_master
+  hosts: oo_masters
   tasks:
   - block:
     - include_role:
         name: openshift_service_catalog
         tasks_from: wire_aggregator
+      vars:
+        first_master: "{{ groups.oo_first_master[0] }}"
+
+- name: Service Catalog
+  hosts: oo_first_master
+  roles:
+  - openshift_service_catalog
+  - ansible_service_broker
+  vars:
+    first_master: "{{ groups.oo_first_master[0] }}"
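Review bot: With `hosts: oo_masters` on the "Update Master configs" play, wire_aggregator now runs on every master, and the tasks it delegates to `first_master` (signer-cert creation, api-client config creation) appear to execute once per master on that one host; under the default linear strategy every host evaluates its `stat` guard before any host runs the creation command, so the guards do not serialize it and concurrent `oc adm` runs can race on the same cert and serial files. Add `run_once: true` to those delegated creation tasks in wire_aggregator.yml, or run this play with `serial: 1` if the ordering matters. The `block:` wrapping a single `include_role` with no `rescue`/`always` can be dropped for readability.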

+ 0 - 1
roles/openshift_service_catalog/tasks/install.yml

@@ -6,7 +6,6 @@
   register: mktemp
   changed_when: False
 
-
 - include: wire_aggregator.yml
 
 - name: Set default image variables based on deployment_type

+ 105 - 2
roles/openshift_service_catalog/tasks/wire_aggregator.yml

@@ -1,16 +1,82 @@
 ---
+- name: Make temp cert dir
+  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
+  register: certtemp
+  changed_when: False
+
+- name: Check for First Master Aggregator Signer cert
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: first_proxy_ca_crt
+  changed_when: false
+  delegate_to: "{{ first_master }}"
+
+- name: Check for First Master Aggregator Signer key
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: first_proxy_ca_key
+  changed_when: false
+  delegate_to: "{{ first_master }}"
+
+
 # TODO: this currently has a bug where hostnames are required
-- name: Creating Aggregator signer certs
+- name: Creating First Master Aggregator signer certs
   command: >
     oc adm ca create-signer-cert
     --cert=/etc/origin/master/front-proxy-ca.crt
     --key=/etc/origin/master/front-proxy-ca.key
     --serial=/etc/origin/master/ca.serial.txt
+  delegate_to: "{{ first_master }}"
+  when:
+  - not first_proxy_ca_crt.stat.exists
+  - not first_proxy_ca_key.stat.exists
+
+- name: Check for Aggregator Signer cert
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: proxy_ca_crt
+  changed_when: false
+
+- name: Check for Aggregator Signer key
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: proxy_ca_key
+  changed_when: false
+
+- name: Copy Aggregator Signer certs from first master
+  fetch:
+    src: "/etc/origin/master/{{ item }}"
+    dest: "{{ certtemp.stdout }}/{{ item }}"
+  with_items:
+  - front-proxy-ca.crt
+  - front-proxy-ca.key
+  delegate_to: "{{ first_master }}"
+  when:
+  - not proxy_ca_key.stat.exists
+  - not proxy_ca_crt.stat.exists
+
+- name: Copy Aggregator Signer certs to host
+  copy:
+    src: "{{ certtemp.stdout }}/{{ item }}"
+    dest: "/etc/origin/master/{{ item }}"
+  with_items:
+  - front-proxy-ca.crt
+  - front-proxy-ca.key
+  when:
+  - not proxy_ca_key.stat.exists
+  - not proxy_ca_crt.stat.exists
+
 #  oc_adm_ca_server_cert:
 #    cert: /etc/origin/master/front-proxy-ca.crt
 #    key: /etc/origin/master/front-proxy-ca.key
 
-- name: Create api-client config for Aggregator
+- name: Check for first master api-client config
+  stat:
+    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+  register: first_front_proxy_kubeconfig
+  delegate_to: "{{ first_master }}"
+
+- name: Create first master api-client config for Aggregator
   command: >
     oc adm create-api-client-config
     --certificate-authority=/etc/origin/master/front-proxy-ca.crt
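Review bot: Both "Signer key" checks stat the certificate, not the key: the `path:` under `first_proxy_ca_key` and under `proxy_ca_key` should be `path: /etc/origin/master/front-proxy-ca.key`, otherwise a missing key next to an existing cert is never detected and the `when` lists collapse to a duplicate crt check. The `fetch` in "Copy Aggregator Signer certs from first master" has no `flat: yes`, so Ansible writes `{{ certtemp.stdout }}/front-proxy-ca.crt/<first_master>/etc/origin/master/front-proxy-ca.crt` rather than the path the following `copy` task reads from; add `flat: yes` here and to the api-client fetch in the next hunk. Note also that `mktemp -d` runs on the target master while `fetch` writes to the control node, so `certtemp.stdout` is presumably a directory that does not exist on the controller unless it happens to be a master — delegating the mktemp task to localhost would make the staging path consistent. Minor style: `changed_when` alternates between `False` and `false`.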
@@ -19,6 +85,37 @@
     --user aggregator-front-proxy
     --client-dir=/etc/origin/master
     --signer-serial=/etc/origin/master/ca.serial.txt
+  delegate_to: "{{ first_master }}"
+  when:
+  - not first_front_proxy_kubeconfig.stat.exists
+
+- name: Check for api-client config
+  stat:
+    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+  register: front_proxy_kubeconfig
+
+- name: Copy api-client config from first master
+  fetch:
+    src: "/etc/origin/master/{{ item }}"
+    dest: "{{ certtemp.stdout }}/{{ item }}"
+  delegate_to: "{{ first_master }}"
+  with_items:
+  - aggregator-front-proxy.crt
+  - aggregator-front-proxy.key
+  - aggregator-front-proxy.kubeconfig
+  when:
+  - not front_proxy_kubeconfig.stat.exists
+
+- name: Copy api-client config to host
+  copy:
+    src: "{{ certtemp.stdout }}/{{ item }}"
+    dest: "/etc/origin/master/{{ item }}"
+  with_items:
+  - aggregator-front-proxy.crt
+  - aggregator-front-proxy.key
+  - aggregator-front-proxy.kubeconfig
+  when:
+  - not front_proxy_kubeconfig.stat.exists
 
 - name: Update master config
   yedit:
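Review bot: "Copy api-client config to host" writes `aggregator-front-proxy.key` (and the kubeconfig embedding it) with no `mode`/`owner`, so the private key lands with whatever default permissions `copy` applies, typically world-readable; set `mode: "0600"` on this task and on "Copy Aggregator Signer certs to host" in the previous hunk, which writes the CA key `front-proxy-ca.key`. The "Check for api-client config" stat lacks the `changed_when: false` the other stat tasks carry, so it reports a change on every run. The `when` guards only on the kubeconfig's existence; if the crt/key can exist without it (or vice versa) the copy will partially overwrite, which may be intended but is worth a comment.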
@@ -84,3 +181,9 @@
   changed_when: false
   when:
   - yedit_output.changed
+
+- name: Delete temp directory
+  file:
+    name: "{{ certtemp.stdout }}"
+    state: absent
+  changed_when: False
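Review bot: "Delete temp directory" runs `file: state: absent` on the play host, which removes the directory `mktemp` created on that master, but the files `fetch` staged — including `front-proxy-ca.key` and `aggregator-front-proxy.key` — live on the control node, so the private-key copies are never cleaned up there. Add `delegate_to: localhost` to this task (and to the mktemp task so both refer to the same controller path), or switch the whole transfer to `synchronize`/`slurp` so no key material is staged outside the masters. The name of the temp dir pattern suggests this was intended as controller-side staging, but please confirm.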