
Merge remote-tracking branch 'upstream/master' into upgrade33

Devan Goodwin 8 years ago
parent
commit
a7f71eab95

+ 91 - 10
playbooks/common/openshift-master/config.yml

@@ -156,6 +156,85 @@
     - master.etcd-ca.crt
     when: etcd_client_certs_missing is defined and etcd_client_certs_missing
 
+- name: Determine if master certificates need to be generated
+  hosts: oo_first_master:oo_masters_to_config
+  tasks:
+  - set_fact:
+      openshift_master_certs_no_etcd:
+      - admin.crt
+      - master.kubelet-client.crt
+      - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+      - master.server.crt
+      - openshift-master.crt
+      - openshift-registry.crt
+      - openshift-router.crt
+      - etcd.server.crt
+      openshift_master_certs_etcd:
+      - master.etcd-client.crt
+
+  - set_fact:
+      openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}"
+
+  - name: Check status of master certificates
+    stat:
+      path: "{{ openshift.common.config_base }}/master/{{ item }}"
+    with_items: "{{ openshift_master_certs }}"
+    register: g_master_cert_stat_result
+  - set_fact:
+      master_certs_missing: "{{ False in (g_master_cert_stat_result.results
+                                | oo_collect(attribute='stat.exists')
+                                | list ) }}"
+      master_cert_subdir: master-{{ openshift.common.hostname }}
+      master_cert_config_dir: "{{ openshift.common.config_base }}/master"
+  - set_fact:
+      openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'])
+                                 | oo_nodes_with_label('region', 'infra')
+                                 | oo_collect('inventory_hostname') }}"
+    when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0
+
+- name: Configure master certificates
+  hosts: oo_first_master
+  vars:
+    master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs"
+    masters_needing_certs: "{{ hostvars
+                               | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
+                               | oo_filter_list(filter_attr='master_certs_missing') }}"
+    master_hostnames: "{{ hostvars
+                               | oo_select_keys(groups['oo_masters_to_config'])
+                               | oo_collect('openshift.common.all_hostnames')
+                               | oo_flatten | unique }}"
+    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
+    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+  roles:
+  - openshift_master_certificates
+  post_tasks:
+  - name: Remove generated etcd client certs when using external etcd
+    file:
+      path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
+      state: absent
+    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
+    with_nested:
+    - "{{ masters_needing_certs | default([]) }}"
+    - - master.etcd-client.crt
+      - master.etcd-client.key
+
+  - name: Create a tarball of the master certs
+    command: >
+      tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz
+        -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} .
+    args:
+      creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
+    with_items: "{{ masters_needing_certs | default([]) }}"
+
+  - name: Retrieve the master cert tarball from the master
+    fetch:
+      src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
+      dest: "{{ sync_tmpdir }}/"
+      flat: yes
+      fail_on_missing: yes
+      validate_checksum: yes
+    with_items: "{{ masters_needing_certs | default([]) }}"
+
 - name: Check for cached session secrets
   hosts: oo_first_master
   roles:
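Review bot: The archive built by "Create a tarball of the master certs" is written to `{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz`, beside the 0700 per-master directory rather than inside it, so who can read it depends on the umask and on the mode of `generated-configs`, neither of which this play sets. The openshift_master_certificates role hard-links `ca.key` into the directory being archived, so the file carries the CA private key as well as the master keys. I would add a `file` task ahead of the tar step on `{{ master_generated_certs_dir }}` with `state: directory` and `mode: "0700"`, so the protection does not depend on how the directory was first created. The node tarball task in playbooks/common/openshift-node/config.yml has the same shape, and the "Check for cached session secrets" play continues outside this hunk.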
@@ -256,17 +335,19 @@
                                                 }}"
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
+  pre_tasks:
+  - name: Ensure certificate directory exists
+    file:
+      path: "{{ openshift.common.config_base }}/master"
+      state: directory
+    when: master_certs_missing | bool and 'oo_first_master' not in group_names
+  - name: Unarchive the tarball on the master
+    unarchive:
+      src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"
+      dest: "{{ master_cert_config_dir }}"
+    when: master_certs_missing | bool and 'oo_first_master' not in group_names
   roles:
-  - role: openshift_master
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-    openshift_master_etcd_hosts: "{{ hostvars
-                                     | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
-                                     | oo_collect('openshift.common.hostname')
-                                     | default(none, true) }}"
-    openshift_master_hostnames: "{{ hostvars
-                                    | oo_select_keys(groups['oo_masters_to_config'] | default([]))
-                                    | oo_collect('openshift.common.all_hostnames')
-                                    | oo_flatten | unique }}"
+  - openshift_master
   - role: nickhammond.logrotate
   - role: nuage_master
     when: openshift.common.use_nuage | bool
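Review bot: The "Ensure certificate directory exists" pre-task creates `{{ openshift.common.config_base }}/master` with no `mode`, and the `unarchive` after it sets no `owner` or `mode`, so the permissions of the unpacked private keys come from the archive and the remote umask. Setting them explicitly, for example `mode: "0700"` on the directory if that matches how the master service reads it, makes the result independent of how the tarball was built. The first task also spells the path out while the second uses `master_cert_config_dir`, which holds the same value; using the variable in both keeps them from drifting. The "Deploy node certificates" play in playbooks/common/openshift-node/config.yml creates its directory the same way, and this play starts outside the hunk.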

+ 66 - 4
playbooks/common/openshift-node/config.yml

@@ -19,6 +19,23 @@
         labels: "{{ openshift_node_labels | default(None) }}"
         annotations: "{{ openshift_node_annotations | default(None) }}"
         schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
+  - name: Check status of node certificates
+    stat:
+      path: "{{ openshift.common.config_base }}/node/{{ item }}"
+    with_items:
+    - "system:node:{{ openshift.common.hostname }}.crt"
+    - "system:node:{{ openshift.common.hostname }}.key"
+    - "system:node:{{ openshift.common.hostname }}.kubeconfig"
+    - ca.crt
+    - server.key
+    - server.crt
+    register: stat_result
+  - set_fact:
+      certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists')
+                         | list | intersect([false])}}"
+      node_subdir: node-{{ openshift.common.hostname }}
+      config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}"
+      node_cert_dir: "{{ openshift.common.config_base }}/node"
 
 - name: Create temp directory for syncing certs
   hosts: localhost
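Review bot: `certs_missing` is set to the result of `intersect([false])`, a list, whereas the master play computes `master_certs_missing` as a boolean with `False in (...)`. The later `when: certs_missing` and `oo_filter_list(filter_attr='certs_missing')` then depend on that list being truthy, which breaks if the templated value ever reaches them as the string `"[]"`. I would write `certs_missing: "{{ False in (stat_result.results | oo_collect(attribute='stat.exists') | list) }}"` and test it with `| bool`. The fact names `stat_result`, `certs_missing` and `config_dir` are also unprefixed host facts; the master side uses `g_master_cert_stat_result` and `master_`-prefixed names, and a `node_` prefix here would avoid clashes on hosts that are in both groups. The enclosing play starts outside the hunk.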
@@ -31,6 +48,53 @@
     register: mktemp
     changed_when: False
 
+- name: Create node certificates
+  hosts: oo_first_master
+  vars:
+    nodes_needing_certs: "{{ hostvars
+                             | oo_select_keys(groups['oo_nodes_to_config']
+                                              | default([]))
+                             | oo_filter_list(filter_attr='certs_missing') }}"
+    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
+  roles:
+  - openshift_node_certificates
+  post_tasks:
+  - name: Create a tarball of the node config directories
+    command: >
+      tar -czvf {{ item.config_dir }}.tgz
+        --transform 's|system:{{ item.node_subdir }}|node|'
+        -C {{ item.config_dir }} .
+    args:
+      creates: "{{ item.config_dir }}.tgz"
+    with_items: "{{ nodes_needing_certs | default([]) }}"
+
+  - name: Retrieve the node config tarballs from the master
+    fetch:
+      src: "{{ item.config_dir }}.tgz"
+      dest: "{{ sync_tmpdir }}/"
+      flat: yes
+      fail_on_missing: yes
+      validate_checksum: yes
+    with_items: "{{ nodes_needing_certs | default([]) }}"
+
+- name: Deploy node certificates
+  hosts: oo_nodes_to_config
+  vars:
+    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
+  tasks:
+  - name: Ensure certificate directory exists
+    file:
+      path: "{{ node_cert_dir }}"
+      state: directory
+  # TODO: notify restart node
+  # possibly test service started time against certificate/config file
+  # timestamps in node to trigger notify
+  - name: Unarchive the tarball on the node
+    unarchive:
+      src: "{{ sync_tmpdir }}/{{ node_subdir }}.tgz"
+      dest: "{{ node_cert_dir }}"
+    when: certs_missing
+
 - name: Evaluate node groups
   hosts: localhost
   become: no
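Review bot: Nothing in these plays removes the node key archives once they are deployed: `{{ item.config_dir }}.tgz` stays on the first master and the fetched copy stays under `sync_tmpdir` on the control host, each holding `server.key` and the node client key. Cleanup may live further down the file, outside this hunk, but if it does not, a closing task with `state: absent` on `{{ item.config_dir }}.tgz` over `nodes_needing_certs`, plus removal of the temp directory on localhost, would limit how long the keys sit outside the node's certificate directory. The `# TODO: notify restart node` comment also means a node that receives new certificates here is not restarted by this play; that is worth tracking in an issue so it is not lost. The "Evaluate node groups" play continues outside the hunk.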
@@ -76,8 +140,7 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
-  - role: openshift_node
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+  - openshift_node
 
 - name: Configure node instances
   hosts: oo_nodes_to_config:!oo_containerized_master_nodes
@@ -93,8 +156,7 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
-  - role: openshift_node
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+  - openshift_node
 
 - name: Gather and set facts for flannel certificatess
   hosts: oo_nodes_to_config

+ 0 - 48
roles/openshift_ca/README.md

@@ -1,48 +0,0 @@
-OpenShift CA
-============
-
-This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles.
-
-Requirements
-------------
-
-Role Variables
---------------
-
-From this role:
-
-| Name                    | Default value                                 | Description                                                                 |
-|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------|
-| openshift_ca_host       | None (Required)                               | The hostname of the system where the OpenShift CA will be created.          |
-| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master`   | CA certificate directory.                                                   |
-| openshift_ca_cert       | `{{ openshift_ca_config_dir }}/ca.crt`        | CA certificate path including CA certificate filename.                      |
-| openshift_ca_key        | `{{ openshift_ca_config_dir }}/ca.key`        | CA key path including CA key filename.                                      |
-| openshift_ca_serial     | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename.                                |
-| openshift_version       | `{{ openshift_pkg_version }}`                 | OpenShift package version.                                                  |
-
-Dependencies
-------------
-
-* openshift_repos
-* openshift_cli
-
-Example Playbook
-----------------
-
-```
-- name: Create OpenShift CA
-  hosts: localhost
-  roles:
-  - role: openshift_ca
-    openshift_ca_host: master1.example.com
-```
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Jason DeTiberus (jdetiber@redhat.com)

+ 0 - 6
roles/openshift_ca/vars/main.yml

@@ -1,6 +0,0 @@
----
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"

+ 0 - 1
roles/openshift_master/meta/main.yml

@@ -15,7 +15,6 @@ dependencies:
 - role: openshift_clock
 - role: openshift_docker
 - role: openshift_cli
-- role: openshift_master_certificates
 - role: openshift_cloud_provider
 - role: openshift_builddefaults
 - role: openshift_master_facts

+ 34 - 0
roles/openshift_master_ca/README.md

@@ -0,0 +1,34 @@
+OpenShift Master CA
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)

+ 4 - 4
roles/openshift_ca/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: Jason DeTiberus
-  description: OpenShift CA
+  description:
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.9.4
+  min_ansible_version: 1.8
   platforms:
   - name: EL
     versions:
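Review bot: `description:` with no value parses as null, and `min_ansible_version: 1.8` parses as a float rather than a version string. I would keep a short description and quote the version, `min_ansible_version: "1.8"`, so a future value such as 1.10 is not read as 1.1. The commit also lowers the minimum from 1.9.4 to 1.8; whether the role's tasks run on 1.8 cannot be checked from this hunk, so that is worth confirming. The same two lines appear in roles/openshift_master_certificates/meta/main.yml and roles/openshift_node_certificates/meta/main.yml.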
@@ -13,5 +13,5 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- role: openshift_repos
-- role: openshift_cli
+- { role: openshift_repos }
+- { role: openshift_cli }

+ 6 - 23
roles/openshift_master_certificates/README.md

@@ -1,44 +1,27 @@
 OpenShift Master Certificates
 ========================
 
-This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped.
+TODO
 
 Requirements
 ------------
 
+TODO
+
 Role Variables
 --------------
 
-From `openshift_ca`:
-
-| Name                                  | Default value                                                             | Description                                                                                                                   |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host                     | None (Required)                                                           | The hostname of the system where the OpenShift CA will be (or has been) created.                                              |
-
-From this role:
-
-| Name                                  | Default value                                                             | Description                                                                                                                   |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir       | `{{ openshift.common.config_base }}/generated-configs`                    | Directory in which per-master generated config directories will be created on the `openshift_ca_host`.                        |
-| openshift_master_cert_subdir          | `master-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
-| openshift_master_config_dir           | `{{ openshift.common.config_base }}/master`                               | Master configuration directory in which certificates will be deployed on masters.                                             |
-| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory.                                                                       |
+TODO
 
 Dependencies
 ------------
 
-* openshift_ca
+TODO
 
 Example Playbook
 ----------------
 
-```
-- name: Create OpenShift Master Certificates
-  hosts: masters
-  roles:
-  - role: openshift_master_certificates
-    openshift_ca_host: master1.example.com
-```
+TODO
 
 License
 -------

+ 3 - 3
roles/openshift_master_certificates/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: Jason DeTiberus
-  description: OpenShift Master Certificates
+  description:
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.9.4
+  min_ansible_version: 1.8
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- role: openshift_ca
+- { role: openshift_master_ca }

+ 20 - 103
roles/openshift_master_certificates/tasks/main.yml

@@ -1,121 +1,38 @@
 ---
-- set_fact:
-    openshift_master_certs_no_etcd:
-    - admin.crt
-    - master.kubelet-client.crt
-    - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
-    - master.server.crt
-    - openshift-master.crt
-    - openshift-registry.crt
-    - openshift-router.crt
-    - etcd.server.crt
-    openshift_master_certs_etcd:
-    - master.etcd-client.crt
-
-- set_fact:
-    openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
-
-- name: Check status of master certificates
-  stat:
-    path: "{{ openshift_master_config_dir }}/{{ item }}"
-  with_items:
-  - "{{ openshift_master_certs }}"
-  register: g_master_cert_stat_result
-
-- set_fact:
-    master_certs_missing: "{{ False in (g_master_cert_stat_result.results
-                              | oo_collect(attribute='stat.exists')
-                              | list) }}"
-
 - name: Ensure the generated_configs directory present
   file:
-    path: "{{ openshift_master_generated_config_dir }}"
+    path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"
     state: directory
     mode: 0700
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  with_items: "{{ masters_needing_certs | default([]) }}"
 
 - file:
-    src: "{{ openshift_master_config_dir }}/{{ item }}"
-    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+    src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
     state: hard
-  with_items:
-  - ca.crt
-  - ca.key
-  - ca.serial.txt
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  with_nested:
+  - "{{ masters_needing_certs | default([]) }}"
+  -
+    - ca.crt
+    - ca.key
+    - ca.serial.txt
 
 - name: Create the master certificates if they do not already exist
   command: >
     {{ openshift.common.admin_binary }} create-master-certs
-      --hostnames={{ openshift.common.all_hostnames | join(',') }}
-      --master={{ openshift.master.api_url }}
-      --public-master={{ openshift.master.public_api_url }}
-      --cert-dir={{ openshift_master_generated_config_dir }}
+      --hostnames={{ item.openshift.common.all_hostnames | join(',') }}
+      --master={{ item.openshift.master.api_url }}
+      --public-master={{ item.openshift.master.public_api_url }}
+      --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
       --overwrite=false
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  when: item.master_certs_missing | bool
+  with_items: "{{ masters_needing_certs | default([]) }}"
 
 - file:
-    src: "{{ openshift_master_config_dir }}/{{ item }}"
-    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+    src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
     state: hard
     force: true
-  with_items:
+  with_nested:
+  - "{{ masters_needing_certs | default([]) }}"
   - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Remove generated etcd client certs when using external etcd
-  file:
-    path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
-    state: absent
-  when: openshift_master_etcd_hosts | length > 0
-  with_items:
-  - master.etcd-client.crt
-  - master.etcd-client.key
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create local temp directory for syncing certs
-  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
-  register: g_master_mktemp
-  changed_when: False
-  when: master_certs_missing | bool
-  delegate_to: localhost
-
-- name: Create a tarball of the master certs
-  command: >
-    tar -czvf {{ openshift_master_generated_config_dir }}.tgz
-      -C {{ openshift_master_generated_config_dir }} .
-  args:
-    creates: "{{ openshift_master_generated_config_dir }}.tgz"
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the master cert tarball from the master
-  fetch:
-    src: "{{ openshift_master_generated_config_dir }}.tgz"
-    dest: "{{ g_master_mktemp.stdout }}/"
-    flat: yes
-    fail_on_missing: yes
-    validate_checksum: yes
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
-  file:
-    path: "{{ openshift_master_config_dir }}"
-    state: directory
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- name: Unarchive the tarball on the master
-  unarchive:
-    src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
-    dest: "{{ openshift_master_config_dir }}"
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- file: name={{ g_master_mktemp.stdout }} state=absent
-  changed_when: False
-  when: master_certs_missing | bool
-  delegate_to: localhost
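Review bot: Every loop in the new tasks iterates over `masters_needing_certs | default([])`, so if the role is applied by a play that does not define that variable, it creates no certificates and still reports success. The README is reduced to TODO in the same commit, so this contract is documented nowhere. I would state it in a header comment such as `# Requires masters_needing_certs: list of hostvars dicts for masters lacking certificates`, or fail early when the variable is undefined. The two `file` tasks that hard-link `ca.crt`, `ca.key` and `ca.serial.txt` have no `name`; a name like `Link CA files into each per-master generated config dir` would make it visible in run output that the CA key is being placed in a directory that is later archived.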

+ 0 - 2
roles/openshift_master_certificates/vars/main.yml

@@ -1,5 +1,3 @@
 ---
 openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}"

+ 1 - 1
roles/openshift_node/meta/main.yml

@@ -14,9 +14,9 @@ galaxy_info:
 dependencies:
 - role: openshift_clock
 - role: openshift_docker
-- role: openshift_node_certificates
 - role: openshift_cloud_provider
 - role: openshift_common
 - role: openshift_node_dnsmasq
   when: openshift.common.use_dnsmasq
 - role: os_firewall
+

+ 8 - 25
roles/openshift_node_certificates/README.md

@@ -1,44 +1,27 @@
-OpenShift Node Certificates
-===========================
+OpenShift/Atomic Enterprise Node Certificates
+=============================================
 
-This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
+TODO
 
 Requirements
 ------------
 
+TODO
+
 Role Variables
 --------------
 
-From `openshift_ca`:
-
-| Name                                | Default value                                                           | Description                                                                                                               |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host                   | None (Required)                                                         | The hostname of the system where the OpenShift CA will be (or has been) created.                                          |
-
-From this role:
-
-| Name                                | Default value                                                           | Description                                                                                                               |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir     | `{{ openshift.common.config_base }}/generated-configs`                  | Directory in which per-node generated config directories will be created on the `openshift_ca_host`.                      |
-| openshift_node_cert_subdir          | `node-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
-| openshift_node_config_dir           | `{{ openshift.common.config_base }}/node`                               | Node configuration directory in which certificates will be deployed on nodes.                                             |
-| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory.                                                                     |
+TODO
 
 Dependencies
 ------------
 
-* openshift_ca
+TODO
 
 Example Playbook
 ----------------
 
-```
-- name: Create OpenShift Node Certificates
-  hosts: nodes
-  roles:
-  - role: openshift_node_certificates
-    openshift_ca_host: master1.example.com
-```
+TODO
 
 License
 -------

+ 3 - 3
roles/openshift_node_certificates/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: Jason DeTiberus
-  description: OpenShift Node Certificates
+  description:
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.9.4
+  min_ansible_version: 1.8
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- role: openshift_ca
+- { role: openshift_facts }

+ 19 - 78
roles/openshift_node_certificates/tasks/main.yml

@@ -1,95 +1,36 @@
 ---
-- name: Check status of node certificates
-  stat:
-    path: "{{ openshift.common.config_base }}/node/{{ item }}"
-  with_items:
-  - "system:node:{{ openshift.common.hostname }}.crt"
-  - "system:node:{{ openshift.common.hostname }}.key"
-  - "system:node:{{ openshift.common.hostname }}.kubeconfig"
-  - ca.crt
-  - server.key
-  - server.crt
-  register: g_node_cert_stat_result
-
-- set_fact:
-    node_certs_missing: "{{ False in (g_node_cert_stat_result.results
-                            | oo_collect(attribute='stat.exists')
-                            | list) }}"
-
-- name: Create openshift_generated_configs_dir if it does not exist
+- name: Create openshift_generated_configs_dir if it doesn\'t exist
   file:
     path: "{{ openshift_generated_configs_dir }}"
     state: directory
     mode: 0700
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  when: nodes_needing_certs | length > 0
 
 - name: Generate the node client config
   command: >
     {{ openshift.common.admin_binary }} create-api-client-config
-      --certificate-authority={{ openshift_ca_cert }}
-      --client-dir={{ openshift_node_generated_config_dir }}
+      --certificate-authority={{ openshift_master_ca_cert }}
+      --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
       --groups=system:nodes
-      --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
-      --signer-cert={{ openshift_ca_cert }}
-      --signer-key={{ openshift_ca_key }}
-      --signer-serial={{ openshift_ca_serial }}
-      --user=system:node:{{ openshift.common.hostname }}
+      --master={{ openshift.master.api_url }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
+      --user=system:node:{{ item.openshift.common.hostname }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+  with_items: "{{ nodes_needing_certs | default([]) }}"
 
 - name: Generate the node server certificate
   command: >
     {{ openshift.common.admin_binary }} ca create-server-cert
-      --cert={{ openshift_node_generated_config_dir }}/server.crt
-      --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+      --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
+      --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key
       --overwrite=true
-      --hostnames={{ openshift.common.all_hostnames |join(",") }}
-      --signer-cert={{ openshift_ca_cert }}
-      --signer-key={{ openshift_ca_key }}
-      --signer-serial={{ openshift_ca_serial }}
-  args:
-    creates: "{{ openshift_node_generated_config_dir }}/server.crt"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host}}"
-
-- name: Create local temp directory for syncing certs
-  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
-  register: node_cert_mktemp
-  changed_when: False
-  when: node_certs_missing | bool
-  delegate_to: localhost
-
-- name: Create a tarball of the node config directories
-  command: >
-    tar -czvf {{ openshift_node_generated_config_dir }}.tgz
-    --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
-    -C {{ openshift_node_generated_config_dir }} .
+      --hostnames={{ item.openshift.common.all_hostnames |join(",") }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}.tgz"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the node config tarballs from the master
-  fetch:
-    src: "{{ openshift_node_generated_config_dir }}.tgz"
-    dest: "{{ node_cert_mktemp.stdout }}/"
-    flat: yes
-    fail_on_missing: yes
-    validate_checksum: yes
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
-  file:
-    path: "{{ openshift_node_cert_dir }}"
-    state: directory
-  when: node_certs_missing | bool
-
-- name: Unarchive the tarball on the node
-  unarchive:
-    src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
-    dest: "{{ openshift_node_cert_dir }}"
-  when: node_certs_missing | bool
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
+  with_items: "{{ nodes_needing_certs | default([]) }}"
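Review bot: The renamed first task reads `doesn\'t` in a plain scalar, where the backslash is literal, so the task name is printed with the backslash; the earlier wording `- name: Create openshift_generated_configs_dir if it does not exist` avoids the problem. The same task tests `when: nodes_needing_certs | length > 0` without the `default([])` the two loops below use, so an undefined variable raises an error in the first task while the loops would skip it silently; `when: nodes_needing_certs | default([]) | length > 0` makes the three agree. As in the master role, the requirement that the calling play supply `nodes_needing_certs` is not documented, because the README is now TODO.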

+ 5 - 4
roles/openshift_node_certificates/vars/main.yml

@@ -1,6 +1,7 @@
 ---
-openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}"
 openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"