|
@@ -236,29 +236,39 @@
|
|
|
- role: haproxy
|
|
|
when: groups.oo_masters_to_config | length > 1
|
|
|
|
|
|
-- name: Generate master session keys
|
|
|
+- name: Check for cached session secrets
|
|
|
hosts: oo_first_master
|
|
|
- tasks:
|
|
|
+ pre_tasks:
|
|
|
- fail:
|
|
|
msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
|
|
|
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
|
|
|
- fail:
|
|
|
msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
|
|
|
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
|
|
|
- - name: Install OpenSSL package
|
|
|
- action: "{{ ansible_pkg_mgr }} name=openssl state=present"
|
|
|
- when: not openshift.common.is_atomic | bool
|
|
|
- - name: Generate session authentication key
|
|
|
- command: /usr/bin/openssl rand -base64 24
|
|
|
- register: session_auth_output
|
|
|
- when: openshift_master_session_auth_secrets is undefined
|
|
|
- - name: Generate session encryption key
|
|
|
- command: /usr/bin/openssl rand -base64 24
|
|
|
- register: session_encryption_output
|
|
|
- when: openshift_master_session_encryption_secrets is undefined
|
|
|
- - set_fact:
|
|
|
- session_auth_secret: "{{ openshift_master_session_auth_secrets | default([session_auth_output.stdout]) }}"
|
|
|
- session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default([session_encryption_output.stdout]) }}"
|
|
|
+ roles:
|
|
|
+ - role: openshift_facts
|
|
|
+ post_tasks:
|
|
|
+ - openshift_facts:
|
|
|
+ role: master
|
|
|
+ local_facts:
|
|
|
+ session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(openshift.master.session_auth_secrets | default(None)) }}"
|
|
|
+ session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(openshift.master.session_encryption_secrets | default(None)) }}"
|
|
|
+
|
|
|
+- name: Generate master session secrets
|
|
|
+ hosts: oo_first_master
|
|
|
+ vars:
|
|
|
+ g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}"
|
|
|
+ g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}"
|
|
|
+ g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}"
|
|
|
+ roles:
|
|
|
+ - role: openshift_facts
|
|
|
+ tasks:
|
|
|
+ - openshift_facts:
|
|
|
+ role: master
|
|
|
+ local_facts:
|
|
|
+ session_auth_secrets: "{{ g_session_auth_secrets }}"
|
|
|
+ session_encryption_secrets: "{{ g_session_encryption_secrets }}"
|
|
|
+ when: not g_session_secrets_present | bool
|
|
|
|
|
|
- name: Parse named certificates
|
|
|
hosts: localhost
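Review bot: The two `openshift_facts` tasks that write `session_auth_secrets` and `session_encryption_secrets` (in `post_tasks` of "Check for cached session secrets" and in `tasks` of "Generate master session secrets") pass the secret values as module arguments without `no_log: true`, so they can appear in verbose Ansible output and in any log that records the module invocation; I would add `no_log: true` to both tasks. The change also moves the secrets from a registered variable that lived only for the run into local facts persisted on the first master, so the ownership and mode of the file that stores those facts should be checked; where it is written is not visible in this hunk. Generation now depends on the `oo_generate_secret` filter instead of `openssl rand -base64 24`, and its implementation is outside this hunk, so confirm that it draws from a cryptographically secure source and that the argument `24` yields a length the master accepts for session encryption secrets.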
|
|
@@ -314,8 +324,8 @@
|
|
|
sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
|
|
|
openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
|
|
|
openshift_master_count: "{{ groups.oo_masters_to_config | length }}"
|
|
|
- openshift_master_session_auth_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_auth_secret'] }}"
|
|
|
- openshift_master_session_encryption_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_encryption_secret'] }}"
|
|
|
+ openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}"
|
|
|
+ openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}"
|
|
|
pre_tasks:
|
|
|
- name: Ensure certificate directory exists
|
|
|
file:
|