Merge pull request #7649 from smarterclayton/refactor_6

Make API aggregation part of openshift_ca

playbooks/openshift-master/private/tasks/wire_aggregator.yml

@@ -1,217 +0,0 @@
----
-# DEPRECATED: These tasks will be removed
-
-- name: Make temp cert dir
-  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
-  register: certtemp
-  changed_when: False
-
-- name: Check for First Master Aggregator Signer cert
-  stat:
-    path: /etc/origin/master/front-proxy-ca.crt
-  register: first_proxy_ca_crt
-  changed_when: false
-  delegate_to: "{{ groups.oo_first_master.0 }}"
-
-- name: Check for First Master Aggregator Signer key
-  stat:
-    path: /etc/origin/master/front-proxy-ca.crt
-  register: first_proxy_ca_key
-  changed_when: false
-  delegate_to: "{{ groups.oo_first_master.0 }}"
-
-# TODO: this currently has a bug where hostnames are required
-- name: Creating First Master Aggregator signer certs
-  command: >
-    {{ hostvars[groups.oo_first_master.0]['first_master_client_binary'] }} adm ca create-signer-cert
-    --cert=/etc/origin/master/front-proxy-ca.crt
-    --key=/etc/origin/master/front-proxy-ca.key
-    --serial=/etc/origin/master/ca.serial.txt
-  delegate_to: "{{ groups.oo_first_master.0 }}"
-  when:
-  - not first_proxy_ca_crt.stat.exists
-  - not first_proxy_ca_key.stat.exists
-
-- name: Check for Aggregator Signer cert
-  stat:
-    path: /etc/origin/master/front-proxy-ca.crt
-  register: proxy_ca_crt
-  changed_when: false
-
-- name: Check for Aggregator Signer key
-  stat:
-    path: /etc/origin/master/front-proxy-ca.crt
-  register: proxy_ca_key
-  changed_when: false
-
-- name: Copy Aggregator Signer certs from first master
-  fetch:
-    src: "/etc/origin/master/{{ item }}"
-    dest: "{{ certtemp.stdout }}/{{ item }}"
-    flat: yes
-  with_items:
-  - front-proxy-ca.crt
-  - front-proxy-ca.key
-  delegate_to: "{{ groups.oo_first_master.0 }}"
-  when:
-  - not proxy_ca_key.stat.exists
-  - not proxy_ca_crt.stat.exists
-
-- name: Copy Aggregator Signer certs to host
-  copy:
-    src: "{{ certtemp.stdout }}/{{ item }}"
-    dest: "/etc/origin/master/{{ item }}"
-  with_items:
-  - front-proxy-ca.crt
-  - front-proxy-ca.key
-  when:
-  - not proxy_ca_key.stat.exists
-  - not proxy_ca_crt.stat.exists
-
-#  oc_adm_ca_server_cert:
-#    cert: /etc/origin/master/front-proxy-ca.crt
-#    key: /etc/origin/master/front-proxy-ca.key
-
-- name: Check for first master api-client config
-  stat:
-    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
-  register: first_front_proxy_kubeconfig
-  delegate_to: "{{ groups.oo_first_master.0 }}"
-  run_once: true
-
-# create-api-client-config generates a ca.crt file which will
-# overwrite the OpenShift CA certificate.  Generate the aggregator
-# kubeconfig in a temporary directory and then copy files into the
-# master config dir to avoid overwriting ca.crt.
-- block:
-  - name: Create first master api-client config for Aggregator
-    command: >
-      {{ hostvars[groups.oo_first_master.0]['first_master_client_binary'] }} adm create-api-client-config
-      --certificate-authority=/etc/origin/master/front-proxy-ca.crt
-      --signer-cert=/etc/origin/master/front-proxy-ca.crt
-      --signer-key=/etc/origin/master/front-proxy-ca.key
-      --user aggregator-front-proxy
-      --client-dir={{ certtemp.stdout }}
-      --signer-serial=/etc/origin/master/ca.serial.txt
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Copy first master api-client config for Aggregator
-    copy:
-      src: "{{ certtemp.stdout }}/{{ item }}"
-      dest: "/etc/origin/master/"
-      remote_src: true
-    with_items:
-    - aggregator-front-proxy.crt
-    - aggregator-front-proxy.key
-    - aggregator-front-proxy.kubeconfig
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  when:
-  - not first_front_proxy_kubeconfig.stat.exists
-
-- name: Check for api-client config
-  stat:
-    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
-  register: front_proxy_kubeconfig
-
-- name: Copy api-client config from first master
-  fetch:
-    src: "/etc/origin/master/{{ item }}"
-    dest: "{{ certtemp.stdout }}/{{ item }}"
-    flat: yes
-  delegate_to: "{{ groups.oo_first_master.0 }}"
-  with_items:
-  - aggregator-front-proxy.crt
-  - aggregator-front-proxy.key
-  - aggregator-front-proxy.kubeconfig
-  when:
-  - not front_proxy_kubeconfig.stat.exists
-
-- name: Copy api-client config to host
-  copy:
-    src: "{{ certtemp.stdout }}/{{ item }}"
-    dest: "/etc/origin/master/{{ item }}"
-  with_items:
-  - aggregator-front-proxy.crt
-  - aggregator-front-proxy.key
-  - aggregator-front-proxy.kubeconfig
-  when:
-  - not front_proxy_kubeconfig.stat.exists
-
-- name: Delete temp directory
-  file:
-    name: "{{ certtemp.stdout }}"
-    state: absent
-  changed_when: False
-
-- name: Update master config
-  yedit:
-    state: present
-    src: /etc/origin/master/master-config.yaml
-    edits:
-    - key: aggregatorConfig.proxyClientInfo.certFile
-      value: aggregator-front-proxy.crt
-    - key: aggregatorConfig.proxyClientInfo.keyFile
-      value: aggregator-front-proxy.key
-    - key: authConfig.requestHeader.clientCA
-      value: front-proxy-ca.crt
-    - key: authConfig.requestHeader.clientCommonNames
-      value: [aggregator-front-proxy]
-    - key: authConfig.requestHeader.usernameHeaders
-      value: [X-Remote-User]
-    - key: authConfig.requestHeader.groupHeaders
-      value: [X-Remote-Group]
-    - key: authConfig.requestHeader.extraHeaderPrefixes
-      value: [X-Remote-Extra-]
-    - key: kubernetesMasterConfig.apiServerArguments.runtime-config
-      value: [apis/settings.k8s.io/v1alpha1=true]
-    - key: admissionConfig.pluginConfig.PodPreset.configuration.kind
-      value: DefaultAdmissionConfig
-    - key: admissionConfig.pluginConfig.PodPreset.configuration.apiVersion
-      value: v1
-    - key: admissionConfig.pluginConfig.PodPreset.configuration.disable
-      value: false
-  register: yedit_output
-
-# Only add the catalog extension script if not 3.9. From 3.9 on, the console
-# can discover if template service broker is running.
-- when: not openshift_version_gte_3_9
-  block:
-  - name: Setup extension file for service console UI
-    template:
-      src: ../templates/openshift-ansible-catalog-console.js
-      dest: /etc/origin/master/openshift-ansible-catalog-console.js
-
-  - name: Update master config
-    yedit:
-      state: present
-      src: /etc/origin/master/master-config.yaml
-      key: assetConfig.extensionScripts
-      value: [/etc/origin/master/openshift-ansible-catalog-console.js]
-    register: yedit_asset_config_output
-
-#restart master serially here
-- when: yedit_output.changed or (yedit_asset_config_output is defined and yedit_asset_config_output.changed)
-  block:
-  - name: restart master
-    command: /usr/local/bin/master-restart "{{ item }}"
-    with_items:
-    - api
-    - controllers
-
-  - name: Verify API Server
-    # Using curl here since the uri module requires python-httplib2 and
-    # wait_for port doesn't provide health information.
-    command: >
-      curl --silent --tlsv1.2
-      --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-      {{ openshift.master.api_url }}/healthz/ready
-    args:
-      # Disables the following warning:
-      # Consider using get_url or uri module rather than running curl
-      warn: no
-    register: api_available_output
-    until: api_available_output.stdout == 'ok'
-    retries: 120
-    delay: 1
-    changed_when: false

roles/openshift_control_plane/templates/master.yaml.v1.j2

@@ -6,7 +6,7 @@ admissionConfig:
       configuration:
         kind: DefaultAdmissionConfig
         apiVersion: v1
-        disable: false
+        disable: true
 aggregatorConfig:
   proxyClientInfo:
     certFile: aggregator-front-proxy.crt
@@ -76,7 +76,8 @@ kubeletClientInfo:
   port: 10250
 {% if openshift_master_embedded_kube | bool %}
 kubernetesMasterConfig:
-  apiServerArguments: {{ openshift.master.api_server_args | default(None) | lib_utils_to_padded_yaml( level=2 ) }}
+  apiServerArguments:
+    {{ openshift.master.api_server_args | default(None) | lib_utils_to_padded_yaml( level=2 ) }}
     storage-backend:
     - etcd3
     storage-media-type: