
Etcd role updates and playbook updates

- fix firewall conflict issues with co-located etcd and openshift hosts
- added os_firewall dependency to etcd role
- updated etcd template to better handle clustered and non-clustered installs
- added etcd_ca role
  - generates a self-signed CA certificate used to sign the etcd certificates, since
    etcd peer certificates are required to be valid as both client and server
    certs and the openshift ca will only generate client or server certs (not
    one authorized for both).
- renamed openshift_etcd_certs role to etcd_certificates and updated it to
  manage certificates generated from the CA managed by the etcd_ca role
- remove hard coded etcd_port in openshift_facts
- updates for the openshift-etcd common playbook
- removed etcd and openshift-etcd playbooks from the byo playbooks directory
- added a common playbook for setting etcd launch facts
- added an openshift-etcd common service playbook
- removed unused variables
- fixed tests for embedded_{etcd,dns,kube} in openshift_master
- removed old workaround for reloading systemd units
Jason DeTiberus 9 years ago
parent
commit
add3fbcce3
32 changed files with 423 additions and 164 deletions
  1. 0 7
      playbooks/byo/etcd/config.yml
  2. 0 1
      playbooks/byo/etcd/filter_plugins
  3. 0 1
      playbooks/byo/etcd/roles
  4. 0 20
      playbooks/byo/openshift-etcd/config.yml
  5. 0 1
      playbooks/byo/openshift-etcd/filter_plugins
  6. 0 1
      playbooks/byo/openshift-etcd/roles
  7. 13 0
      playbooks/common/openshift-cluster/set_etcd_launch_facts_tasks.yml
  8. 43 53
      playbooks/common/openshift-etcd/config.yml
  9. 1 0
      playbooks/common/openshift-etcd/lookup_plugins
  10. 18 0
      playbooks/common/openshift-etcd/service.yml
  11. 9 6
      roles/etcd/defaults/main.yaml
  12. 2 0
      roles/etcd/meta/main.yml
  13. 35 1
      roles/etcd/tasks/main.yml
  14. 11 5
      roles/etcd/templates/etcd.conf.j2
  15. 1 1
      roles/openshift_etcd_certs/README.md
  16. 16 0
      roles/etcd_ca/meta/main.yml
  17. 44 0
      roles/etcd_ca/tasks/main.yml
  18. 51 0
      roles/etcd_ca/templates/openssl_append.j2
  19. 3 0
      roles/etcd_ca/vars/main.yml
  20. 34 0
      roles/etcd_certificates/README.md
  21. 2 2
      roles/openshift_etcd_certs/meta/main.yml
  22. 42 0
      roles/etcd_certificates/tasks/client.yml
  23. 9 0
      roles/etcd_certificates/tasks/main.yml
  24. 73 0
      roles/etcd_certificates/tasks/server.yml
  25. 11 0
      roles/etcd_certificates/vars/main.yml
  26. 0 33
      roles/openshift_etcd_certs/tasks/main.yml
  27. 0 8
      roles/openshift_etcd_certs/vars/main.yml
  28. 1 6
      roles/openshift_facts/library/openshift_facts.py
  29. 0 5
      roles/openshift_master/tasks/main.yml
  30. 4 4
      roles/openshift_master/templates/master.yaml.v1.j2
  31. 0 8
      roles/openshift_node/tasks/main.yml
  32. 0 1
      roles/openshift_node_certificates/vars/main.yml

+ 0 - 7
playbooks/byo/etcd/config.yml

@@ -1,7 +0,0 @@
-## deploys a simple etcd cluster, this cluster does not provide client side ssl
-## and cannot be used directly for openshift. This should only be used for testing.
----
-- name: Configure etcd
-  hosts: etcd
-  roles:
-  - etcd

+ 0 - 1
playbooks/byo/etcd/filter_plugins

@@ -1 +0,0 @@
-../../../filter_plugins/

+ 0 - 1
playbooks/byo/etcd/roles

@@ -1 +0,0 @@
-../../../roles/

+ 0 - 20
playbooks/byo/openshift-etcd/config.yml

@@ -1,20 +0,0 @@
----
-- name: Populate oo_etcd_hosts_to_config and oo_first_master host groups
-  hosts: localhost
-  gather_facts: no
-  tasks:
-  - name: Evaluate oo_etcd_hosts_to_config
-    add_host:
-      name: "{{ item }}"
-      groups: oo_etcd_hosts_to_config
-    with_items: groups.etcd
-  - name: Evaluate oo_first_master
-    add_host:
-      name: "{{ item }}"
-      groups: oo_first_master
-    with_items: groups.masters.0
-
-
-- include: ../../common/openshift-etcd/config.yml
-  vars:
-    openshift_first_master: "{{ groups.masters.0 }}"

+ 0 - 1
playbooks/byo/openshift-etcd/filter_plugins

@@ -1 +0,0 @@
-../../../filter_plugins

+ 0 - 1
playbooks/byo/openshift-etcd/roles

@@ -1 +0,0 @@
-../../../roles

+ 13 - 0
playbooks/common/openshift-cluster/set_etcd_launch_facts_tasks.yml

@@ -0,0 +1,13 @@
+---
+- set_fact: k8s_type="etcd"
+
+- name: Generate etcd instance names(s)
+  set_fact:
+    scratch_name: "{{ cluster_id }}-{{ k8s_type }}-{{ '%05x' | format(1048576 | random) }}"
+  register: etcd_names_output
+  with_sequence: count={{ num_etcd }}
+
+- set_fact:
+    etcd_names: "{{ etcd_names_output.results | default([])
+                    | oo_collect('ansible_facts')
+                    | oo_collect('scratch_name') }}"
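Review bot: The instance names are built from a 20-bit random suffix with no uniqueness check, so two of the `num_etcd` names can collide and the caller silently gets fewer distinct etcd instances than requested. A cheap guard after the final set_fact is `- fail: msg="duplicate etcd instance names generated"` with `when: etcd_names | unique | length != num_etcd | int`. The first task uses the `key=value` form while the rest of the new files use block YAML; `set_fact:` with `k8s_type: etcd` on the next line keeps the style consistent. `num_etcd` is assumed to be supplied by the including playbook and is not defaulted here, so a comment at the top naming that requirement would help.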

+ 43 - 53
playbooks/common/openshift-etcd/config.yml

@@ -1,30 +1,32 @@
 ---
-- name: Gather and set facts for etcd hosts
-  hosts: oo_etcd_hosts_to_config
+- name: Set etcd facts needed for generating certs
+  hosts: oo_etcd_to_config
   roles:
   - openshift_facts
   tasks:
   - openshift_facts:
-      role: common
-      local_facts:
-        hostname: "{{ openshift_hostname | default(None) }}"
-  - name: Check for etcd certificates
+      role: "{{ item.role }}"
+      local_facts: "{{ item.local_facts }}"
+    with_items:
+      - role: common
+        local_facts:
+          hostname: "{{ openshift_hostname | default(None) }}"
+          public_hostname: "{{ openshift_public_hostname | default(None) }}"
+          deployment_type: "{{ openshift_deployment_type }}"
+  - name: Check status of etcd certificates
     stat:
       path: "{{ item }}"
     with_items:
-    - "/etc/etcd/ca.crt"
-    - "/etc/etcd/client.crt"
-    - "/etc/etcd/client.key"
-    - "/etc/etcd/peer-ca.crt"
-    - "/etc/etcd/peer.crt"
-    - "/etc/etcd/peer.key"
-    register: g_etcd_certs_stat
+    - /etc/etcd/server.crt
+    - /etc/etcd/peer.crt
+    - /etc/etcd/ca.crt
+    register: g_etcd_server_cert_stat_result
   - set_fact:
-      etcd_certs_missing: "{{ g_etcd_certs_stat.results | map(attribute='stat.exists')
-                              | list | intersect([false])}}"
-      etcd_subdir: etcd-{{ openshift.common.hostname }}
-      etcd_dir: /etc/openshift/generated-configs/etcd-{{ openshift.common.hostname }}
-      etcd_cert_dir: /etc/etcd
+      etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | map(attribute='stat.exists')
+                                    | list | intersect([false])}}"
+      etcd_cert_subdir: etcd-{{ openshift.common.hostname }}
+      etcd_cert_config_dir: /etc/etcd
+      etcd_cert_prefix:
 
 - name: Create temp directory for syncing certs
   hosts: localhost
@@ -37,65 +39,53 @@
     register: g_etcd_mktemp
     changed_when: False
 
-- name: Create etcd certs
-  hosts: oo_first_master
+- name: Configure etcd certificates
+  hosts: oo_first_etcd
   vars:
-    etcd_hosts_needing_certs: "{{ hostvars
-                             | oo_select_keys(groups['oo_etcd_hosts_to_config'])
-                             | oo_filter_list(filter_attr='etcd_certs_missing') }}"
-    etcd_hosts: "{{ hostvars
-                         | oo_select_keys(groups['oo_etcd_hosts_to_config']) }}"
+    etcd_generated_certs_dir: /etc/etcd/generated_certs
+    etcd_needing_server_certs: "{{ hostvars
+                                  | oo_select_keys(groups['oo_etcd_to_config'])
+                                  | oo_filter_list(filter_attr='etcd_server_certs_missing') }}"
     sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
   roles:
-  - openshift_etcd_certs
+  - etcd_certificates
   post_tasks:
   - name: Create a tarball of the etcd certs
     command: >
-      tar -czvf {{ item.etcd_dir }}.tgz
-        -C {{ item.etcd_dir }} .
+      tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz
+        -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} .
     args:
-      creates: "{{ item.etcd_dir }}.tgz"
-    with_items: etcd_hosts_needing_certs
-
-  - name: Retrieve the etcd cert tarballs from the master
+      creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
+    with_items: etcd_needing_server_certs
+  - name: Retrieve the etcd cert tarballs
     fetch:
-      src: "{{ item.etcd_dir }}.tgz"
+      src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
       dest: "{{ sync_tmpdir }}/"
       flat: yes
       fail_on_missing: yes
       validate_checksum: yes
-    with_items: etcd_hosts_needing_certs
+    with_items: etcd_needing_server_certs
 
-- name: Deploy etcd
-  hosts: oo_etcd_hosts_to_config
+- name: Configure etcd hosts
+  hosts: oo_etcd_to_config
   vars:
     sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
     etcd_url_scheme: https
+    etcd_peer_url_scheme: https
+    etcd_peers_group: oo_etcd_to_config
   pre_tasks:
   - name: Ensure certificate directory exists
     file:
-      path: "{{ etcd_cert_dir }}"
+      path: "{{ etcd_cert_config_dir }}"
       state: directory
-  - name: Unarchive the tarball on the node
+  - name: Unarchive the tarball on the etcd host
     unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_subdir }}.tgz"
-      dest: "{{ etcd_cert_dir }}"
-    when: etcd_certs_missing
-  - file: path=/etc/etcd/client.crt mode=0600 owner=etcd group=etcd
-  - file: path=/etc/etcd/client.key mode=0600 owner=etcd group=etcd
-  - file: path=/etc/etcd/ca.crt mode=0644 owner=etcd group=etcd
+      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
+      dest: "{{ etcd_cert_config_dir }}"
+    when: etcd_server_certs_missing
   roles:
   - etcd
 
-- name: Delete the temporary directory on the master
-  hosts: oo_first_master
-  gather_facts: no
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
-  tasks:
-  - file: name={{ sync_tmpdir }} state=absent
-    changed_when: False
-
 - name: Delete temporary directory on localhost
   hosts: localhost
   connection: local
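Review bot: The regeneration check in the first play stats only `server.crt`, `peer.crt` and `ca.crt`, so an etcd host that still has the certificates but has lost `server.key` or `peer.key` is treated as fully provisioned, the unarchive step is skipped, and etcd then fails to start under https; adding `/etc/etcd/server.key` and `/etc/etcd/peer.key` to that `with_items` list closes the gap. The old "Delete the temporary directory on the master" play was removed and nothing replaces it, so the per-host tarballs under `/etc/etcd/generated_certs` on `oo_first_etcd`, which hold every etcd member's private keys, now persist indefinitely with whatever mode `tar` and the umask produce. If they are intentionally kept so the `creates:` guard makes re-runs idempotent, a comment saying so plus a `file: mode=0600` on the tarball after it is created would make that explicit. The localhost cleanup play at the bottom continues past the hunk.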

+ 1 - 0
playbooks/common/openshift-etcd/lookup_plugins

@@ -0,0 +1 @@
+../../../lookup_plugins

+ 18 - 0
playbooks/common/openshift-etcd/service.yml

@@ -0,0 +1,18 @@
+---
+- name: Populate g_service_masters host group if needed
+  hosts: localhost
+  gather_facts: no
+  tasks:
+  - fail: msg="new_cluster_state is required to be injected in this playbook"
+    when: new_cluster_state is not defined
+
+  - name: Evaluate g_service_etcd
+    add_host: name={{ item }} groups=g_service_etcd
+    with_items: oo_host_group_exp | default([])
+
+- name: Change etcd state on etcd instance(s)
+  hosts: g_service_etcd
+  connection: ssh
+  gather_facts: no
+  tasks:
+    - service: name=etcd state="{{ new_cluster_state }}"
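Review bot: `new_cluster_state` is only checked for being defined, not for being a value the `service` module accepts, so a typo in the injected variable surfaces as a module error on every etcd host instead of failing fast on localhost. Add `- fail: msg="new_cluster_state must be one of started, stopped, restarted"` with `when: new_cluster_state not in ['started', 'stopped', 'restarted']` next to the existing check. The second play changes the state of every member of `g_service_etcd` in parallel, which for `stopped`/`restarted` takes the whole cluster down at once; if that is the intent a comment should say so, otherwise `serial: 1` limits the blast radius. The tasks also use the `key=value` module syntax where the other new playbooks in this commit use block YAML.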

+ 9 - 6
roles/etcd/defaults/main.yaml

@@ -5,12 +5,13 @@ etcd_peer_port: 2380
 etcd_peers_group: etcd
 etcd_url_scheme: http
 etcd_peer_url_scheme: http
-etcd_ca_file: /etc/etcd/ca.crt
-etcd_cert_file: /etc/etcd/client.crt
-etcd_key_file: /etc/etcd/client.key
-etcd_peer_ca_file: /etc/etcd/ca.crt
-etcd_peer_cert_file: /etc/etcd/peer.crt
-etcd_peer_key_file: /etc/etcd/peer.key
+etcd_conf_dir: /etc/etcd
+etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
+etcd_key_file: "{{ etcd_conf_dir }}/server.key"
+etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_peer_cert_file: "{{ etcd_conf_dir }}/peer.crt"
+etcd_peer_key_file: "{{ etcd_conf_dir }}/peer.key"
 
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
@@ -21,6 +22,8 @@ etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostn
 etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
 
 etcd_data_dir: /var/lib/etcd/
+
+os_firewall_use_firewalld: False
 os_firewall_allow:
 - service: etcd
   port: "{{etcd_client_port}}/tcp"
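Review bot: The role defaults leave both `etcd_url_scheme` and `etcd_peer_url_scheme` at `http`, so a bare `roles: [etcd]` run deploys etcd with no transport encryption and no client authentication, and the `[security]` stanza in `etcd.conf.j2` is only rendered when the scheme is `https`. The common playbook in this commit overrides both to `https`, but nothing at the role level warns that the plaintext default is for testing only; a comment above the two keys such as `# http = no TLS and no client auth; playbooks/common/openshift-etcd/config.yml overrides both to https` would keep the default from being reused silently. `os_firewall_use_firewalld: False` should be lowercase `false` to match the YAML boolean convention used elsewhere in the tree.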

+ 2 - 0
roles/etcd/meta/main.yml

@@ -15,3 +15,5 @@ galaxy_info:
   categories:
   - cloud
   - system
+dependencies:
+- { role: os_firewall }

+ 35 - 1
roles/etcd/tasks/main.yml

@@ -1,6 +1,38 @@
 ---
 - name: Install etcd
-  yum: pkg=etcd state=present disable_gpg_check=yes
+  yum: pkg=etcd state=present
+
+- name: Validate permissions on the config dir
+  file:
+    path: "{{ etcd_conf_dir }}"
+    state: directory
+    owner: etcd
+    group: etcd
+    mode: 0700
+
+- name: Validate permissions on certificate files
+  file:
+    path: "{{ item }}"
+    mode: 0600
+    group: etcd
+    owner: etcd
+  when: etcd_url_scheme == 'https'
+  with_items:
+  - "{{ etcd_ca_file }}"
+  - "{{ etcd_cert_file }}"
+  - "{{ etcd_key_file }}"
+
+- name: Validate permissions on peer certificate files
+  file:
+    path: "{{ item }}"
+    mode: 0600
+    group: etcd
+    owner: etcd
+  when: etcd_peer_url_scheme == 'https'
+  with_items:
+  - "{{ etcd_peer_ca_file }}"
+  - "{{ etcd_peer_cert_file }}"
+  - "{{ etcd_peer_key_file }}"
 
 - name: Write etcd global config file
   template:
@@ -14,3 +46,5 @@
     name: etcd
     state: started
     enabled: yes
+
+- pause: seconds=10
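Review bot: The unconditional `pause: seconds=10` after the service task is a timing guess rather than a readiness check; on a slow host etcd may still not be listening when the play moves on, and on a fast one the play waits for nothing. Replace it with a `wait_for` on the client port, using `host=` set to the same interface address `etcd_listen_client_urls` is built from (`hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']`), `port={{ etcd_client_port }}` and a `timeout`, since etcd here binds the interface address rather than localhost. The permission tasks deliberately fail if a certificate file is missing under https, which is a useful fail-fast, but a comment saying that is intentional would stop someone from adding `ignore_errors`. The service task that precedes the pause starts outside the hunk.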

+ 11 - 5
roles/etcd/templates/etcd.conf.j2

@@ -8,31 +8,37 @@
 {% endfor -%}
 {% endmacro -%}
 
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
 ETCD_NAME={{ inventory_hostname }}
+ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+{% else %}
+ETCD_NAME=default
+{% endif %}
 ETCD_DATA_DIR={{ etcd_data_dir }}
 #ETCD_SNAPSHOT_COUNTER="10000"
 #ETCD_HEARTBEAT_INTERVAL="100"
 #ETCD_ELECTION_TIMEOUT="1000"
-ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
 ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
 #ETCD_MAX_SNAPSHOTS="5"
 #ETCD_MAX_WALS="5"
 #ETCD_CORS=""
-#
+
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
 #[cluster]
 ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
 ETCD_INITIAL_CLUSTER={{ initial_cluster() }}
 ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
 ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
-ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
 #ETCD_DISCOVERY=""
 #ETCD_DISCOVERY_SRV=""
 #ETCD_DISCOVERY_FALLBACK="proxy"
 #ETCD_DISCOVERY_PROXY=""
-#
+{% endif %}
+ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+
 #[proxy]
 #ETCD_PROXY="off"
-#
+
 #[security]
 {% if etcd_url_scheme == 'https' -%}
 ETCD_CA_FILE={{ etcd_ca_file }}
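Review bot: The clustered test `groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1` is written twice and uses a direct subscript, so an inventory without the `etcd_peers_group` group fails the render as an undefined variable instead of falling into the single-member branch. Compute it once at the top of the template, `{% set etcd_clustered = groups[etcd_peers_group] | default([]) | length > 1 %}`, and use `{% if etcd_clustered %}` in both places. In the single-member branch `ETCD_LISTEN_PEER_URLS` is no longer emitted at all, so etcd falls back to its built-in peer listener default (a plaintext localhost URL, if I recall the etcd defaults correctly) regardless of `etcd_peer_url_scheme`; a comment noting that peer settings are intentionally omitted for a standalone member would save a reader from hunting for a bug. The `initial_cluster()` macro and the peer `[security]` settings referenced by this file lie outside the hunk.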

+ 1 - 1
roles/openshift_etcd_certs/README.md

@@ -1,4 +1,4 @@
-OpenShift etcd certs
+etcd_ca
 ========================
 
 TODO

+ 16 - 0
roles/etcd_ca/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Jason DeTiberus
+  description:
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- { role: openshift_facts }

+ 44 - 0
roles/etcd_ca/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+- file:
+    path: "{{ etcd_ca_dir }}/{{ item }}"
+    state: directory
+    mode: 0700
+    owner: root
+    group: root
+  with_items:
+  - certs
+  - crl
+  - fragments
+
+- command: cp /etc/pki/tls/openssl.cnf ./
+  args:
+    chdir: "{{ etcd_ca_dir }}/fragments"
+    creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf"
+
+- template:
+    dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf"
+    src: openssl_append.j2
+
+- assemble:
+    src: "{{ etcd_ca_dir }}/fragments"
+    dest: "{{ etcd_ca_dir }}/openssl.cnf"
+
+- command: touch index.txt
+  args:
+    chdir: "{{ etcd_ca_dir }}"
+    creates: "{{ etcd_ca_dir }}/index.txt"
+
+- copy:
+    dest: "{{ etcd_ca_dir }}/serial"
+    content: "01"
+    force: no
+
+- command: >
+    openssl req -config openssl.cnf -newkey rsa:4096
+    -keyout ca.key -new -out ca.crt -x509 -extensions etcd_v3_ca_self
+    -batch -nodes -subj /CN=etcd-signer@{{ ansible_date_time.epoch }}
+  args:
+    chdir: "{{ etcd_ca_dir }}"
+    creates: "{{ etcd_ca_dir }}/ca.crt"
+  environment:
+    SAN: ''
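Review bot: The CA is created with `openssl req -x509` and no `-days`, which OpenSSL defaults to a 30-day validity for the self-signed certificate, while the `default_days = 365` in the accompanying `[etcd_ca]` section applies only to the leaf certificates it signs; the etcd CA would therefore expire before the server and peer certs it issued, and the `creates:` guard means a re-run will not regenerate it. Add an explicit lifetime to the command, e.g. `-days 1825` alongside `-x509`, and note it in a comment. The `file:` task creates the `certs`, `crl` and `fragments` subdirectories with `mode: 0700` but not `{{ etcd_ca_dir }}` itself, and `ca.key` is written unencrypted (`-nodes`) with whatever mode the OpenSSL version and umask produce; add a task that sets `{{ etcd_ca_dir }}` to `0700 root:root` before the subdirectories and follow the key generation with `- file: path={{ etcd_ca_dir }}/ca.key mode=0600 owner=root group=root`.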

+ 51 - 0
roles/etcd_ca/templates/openssl_append.j2

@@ -0,0 +1,51 @@
+
+[ etcd_v3_req ]
+basicConstraints = critical,CA:FALSE
+keyUsage         = digitalSignature,keyEncipherment
+subjectAltName   = ${ENV::SAN}
+
+[ etcd_ca ]
+dir             = {{ etcd_ca_dir }}
+crl_dir         = $dir/crl
+database        = $dir/index.txt
+new_certs_dir   = $dir/certs
+certificate     = $dir/ca.crt
+serial          = $dir/serial
+private_key     = $dir/ca.key
+crl_number      = $dir/crlnumber
+x509_extensions = etcd_v3_ca_client
+default_days    = 365
+default_md      = sha256
+preserve        = no
+name_opt        = ca_default
+cert_opt        = ca_default
+policy          = policy_anything
+unique_subject  = no
+copy_extensions = copy
+
+[ etcd_v3_ca_self ]
+authorityKeyIdentifier = keyid,issuer
+basicConstraints       = critical,CA:TRUE,pathlen:0
+keyUsage               = critical,digitalSignature,keyEncipherment,keyCertSign
+subjectKeyIdentifier   = hash
+
+[ etcd_v3_ca_peer ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints       = critical,CA:FALSE
+extendedKeyUsage       = clientAuth,serverAuth
+keyUsage               = digitalSignature,keyEncipherment
+subjectKeyIdentifier   = hash
+
+[ etcd_v3_ca_server ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints       = critical,CA:FALSE
+extendedKeyUsage       = serverAuth
+keyUsage               = digitalSignature,keyEncipherment
+subjectKeyIdentifier   = hash
+
+[ etcd_v3_ca_client ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints       = critical,CA:FALSE
+extendedKeyUsage       = clientAuth
+keyUsage               = digitalSignature,keyEncipherment
+subjectKeyIdentifier   = hash
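Review bot: `copy_extensions = copy` in `[etcd_ca]` is what carries the `subjectAltName` from `[etcd_v3_req]` into the issued certificate, but it also means any CSR presented to this CA supplies its own extensions (the `openssl ca` manual warns against it unless the CSR source is trusted); that is acceptable today only because the etcd_certificates role generates the CSRs itself. Record the assumption with a comment on that line, `# copy_extensions is safe only because CSRs are generated locally by etcd_certificates; never sign external CSRs with this config`. The section also points `crl_number` at `$dir/crlnumber`, yet the etcd_ca tasks seed `index.txt` and `serial` but not `crlnumber`, so `openssl ca -gencrl` would fail until that file exists. `default_days = 365` governs leaf validity only; the CA's own lifetime is set by the `openssl req -x509` command, not here, and a comment saying so would prevent someone from "fixing" the CA expiry in the wrong place.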

+ 3 - 0
roles/etcd_ca/vars/main.yml

@@ -0,0 +1,3 @@
+---
+etcd_conf_dir: /etc/etcd
+etcd_ca_dir: /etc/etcd/ca

+ 34 - 0
roles/etcd_certificates/README.md

@@ -0,0 +1,34 @@
+OpenShift etcd certificates
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Scott Dodson (sdodson@redhat.com)

+ 2 - 2
roles/openshift_etcd_certs/meta/main.yml

@@ -1,6 +1,6 @@
 ---
 galaxy_info:
-  author: Scott Dodson
+  author: Jason DeTiberus
   description:
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- { role: openshift_facts }
+- { role: etcd_ca }

+ 42 - 0
roles/etcd_certificates/tasks/client.yml

@@ -0,0 +1,42 @@
+---
+- name: Ensure generated_certs directory present
+  file:
+    path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    state: directory
+    mode: 0700
+  with_items: etcd_needing_client_certs
+
+- name: Create the client csr
+  command: >
+    openssl req -new -keyout {{ item.etcd_cert_prefix }}client.key
+    -config {{ etcd_openssl_conf }}
+    -out {{ item.etcd_cert_prefix }}client.csr
+    -reqexts {{ etcd_req_ext }} -batch -nodes
+    -subj /CN={{ item.openshift.common.hostname }}
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
+                 ~ item.etcd_cert_prefix ~ 'client.csr' }}"
+  environment:
+    SAN: "IP:{{ item.openshift.common.ip }}"
+  with_items: etcd_needing_client_certs
+
+- name: Sign and create the client crt
+  command: >
+    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+    -out {{ item.etcd_cert_prefix }}client.crt
+    -in {{ item.etcd_cert_prefix }}client.csr
+    -batch
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
+                 ~ item.etcd_cert_prefix ~ 'client.crt' }}"
+  environment:
+    SAN: ''
+  with_items: etcd_needing_client_certs
+
+- file:
+    src: "{{ etcd_ca_cert }}"
+    dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
+    state: hard
+  with_items: etcd_needing_client_certs
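Review bot: Every `command` task here is guarded by `creates:`, so once a client cert exists it is never reissued even if the host's IP (the only SAN entry) or hostname (the CN) changes, or the CA under `etcd_ca_dir` is replaced; a comment stating that re-issuance requires deleting the per-host directory would save the next operator a debugging session. The key is generated with `-nodes` and no explicit mode; the `0700` directory contains the exposure, but an explicit `- file: path={{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}client.key mode=0600` after the CSR task would not depend on the umask or on which OpenSSL version wrote it. The final task hard-links `etcd_ca_cert` into each generated-certs directory, so a future CA rotation that rewrites `ca.crt` in place silently changes every linked copy while one that replaces the file does not; `copy` with `remote_src` would behave predictably in both cases.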

+ 9 - 0
roles/etcd_certificates/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- include: client.yml
+  when: etcd_needing_client_certs is defined and etcd_needing_client_certs
+
+- include: server.yml
+  when: etcd_needing_server_certs is defined and etcd_needing_server_certs
+
+
+

+ 73 - 0
roles/etcd_certificates/tasks/server.yml

@@ -0,0 +1,73 @@
+---
+- name: Ensure generated_certs directory present
+  file:
+    path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    state: directory
+    mode: 0700
+  with_items: etcd_needing_server_certs
+
+- name: Create the server csr
+  command: >
+    openssl req -new -keyout {{ item.etcd_cert_prefix }}server.key
+    -config {{ etcd_openssl_conf }}
+    -out {{ item.etcd_cert_prefix }}server.csr
+    -reqexts {{ etcd_req_ext }} -batch -nodes
+    -subj /CN={{ item.openshift.common.hostname }}
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
+                 ~ item.etcd_cert_prefix ~ 'server.csr' }}"
+  environment:
+    SAN: "IP:{{ item.openshift.common.ip }}"
+  with_items: etcd_needing_server_certs
+
+- name: Sign and create the server crt
+  command: >
+    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+    -out {{ item.etcd_cert_prefix }}server.crt
+    -in {{ item.etcd_cert_prefix }}server.csr
+    -extensions {{ etcd_ca_exts_server }} -batch
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
+                 ~ item.etcd_cert_prefix ~ 'server.crt' }}"
+  environment:
+    SAN: ''
+  with_items: etcd_needing_server_certs
+
+- name: Create the peer csr
+  command: >
+    openssl req -new -keyout {{ item.etcd_cert_prefix }}peer.key
+    -config {{ etcd_openssl_conf }}
+    -out {{ item.etcd_cert_prefix }}peer.csr
+    -reqexts {{ etcd_req_ext }} -batch -nodes
+    -subj /CN={{ item.openshift.common.hostname }}
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
+                 ~ item.etcd_cert_prefix ~ 'peer.csr' }}"
+  environment:
+    SAN: "IP:{{ item.openshift.common.ip }}"
+  with_items: etcd_needing_server_certs
+
+- name: Sign and create the peer crt
+  command: >
+    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+    -out {{ item.etcd_cert_prefix }}peer.crt
+    -in {{ item.etcd_cert_prefix }}peer.csr
+    -extensions {{ etcd_ca_exts_peer }} -batch
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
+                 ~ item.etcd_cert_prefix ~ 'peer.crt' }}"
+  environment:
+    SAN: ''
+  with_items: etcd_needing_server_certs
+
+- file:
+    src: "{{ etcd_ca_cert }}"
+    dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
+    state: hard
+  with_items: etcd_needing_server_certs
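Review bot: The server certificate's SAN is reduced to `IP:{{ item.openshift.common.ip }}` with the hostname only in the CN, whereas the `openshift_etcd_certs` task this commit removes passed `hostname`, `public_hostname` and `ip` as `--hostnames`; RFC 6125 clients ignore the CN once a SAN is present, so any master or etcdctl that connects to `https://<hostname>:2379` will fail verification against this cert. Restore the names in the CSR environment for both the server and the peer CSR: `SAN: "IP:{{ item.openshift.common.ip }},DNS:{{ item.openshift.common.hostname }},DNS:{{ item.openshift.common.public_hostname }}"`. The listen/advertise URLs in `roles/etcd/defaults` are built from the `etcd_interface` address, which is not necessarily the same value as `openshift.common.ip`; if the two can differ, that address belongs in the SAN as well. Because of the `creates:` guards an already-issued cert with the narrower SAN will not be reissued on re-run.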
+
+

+ 11 - 0
roles/etcd_certificates/vars/main.yml

@@ -0,0 +1,11 @@
+---
+etcd_conf_dir: /etc/etcd
+etcd_ca_dir: /etc/etcd/ca
+etcd_generated_certs_dir: /etc/etcd/generated_certs
+etcd_ca_cert: "{{ etcd_ca_dir }}/ca.crt"
+etcd_ca_key: "{{ etcd_ca_dir }}/ca.key"
+etcd_openssl_conf: "{{ etcd_ca_dir }}/openssl.cnf"
+etcd_ca_name: etcd_ca
+etcd_req_ext: etcd_v3_req
+etcd_ca_exts_peer: etcd_v3_ca_peer
+etcd_ca_exts_server: etcd_v3_ca_server

+ 0 - 33
roles/openshift_etcd_certs/tasks/main.yml

@@ -1,33 +0,0 @@
----
-- name: Create openshift_generated_configs_dir if it doesn't exist
-  file:
-    path: "{{ openshift_generated_configs_dir }}"
-    state: directory
-
-- name: Create openshift_generated_configs_dir for each etcd host
-  file:
-    path: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname}}"
-    state: directory
-  with_items: etcd_hosts_needing_certs
-
-- name: Generate the etcd client side certs
-  delegate_to: "{{ openshift_first_master }}"
-  command: >
-    {{ openshift.common.admin_binary }} create-server-cert
-      --cert=client.crt --key=client.key --overwrite=true
-      --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname, item.openshift.common.ip]|unique|join(",") }}
-      --signer-cert={{ openshift_master_ca_cert }}
-      --signer-key={{ openshift_master_ca_key }}
-      --signer-serial={{ openshift_master_ca_serial }}
-  args:
-    chdir: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}"
-    creates: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}/client.crt"
-  with_items: etcd_hosts_needing_certs
-
-- name: Copy CA cert
-  delegate_to: "{{ openshift_first_master }}"
-  command: "cp {{ openshift_master_ca_cert }} ."
-  args:
-    chdir: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}"
-    creates: "{{ openshift_generated_configs_dir }}/etcd-{{ item.openshift.common.hostname }}/ca.crt"
-  with_items: etcd_hosts_needing_certs

+ 0 - 8
roles/openshift_etcd_certs/vars/main.yml

@@ -1,8 +0,0 @@
----
-openshift_node_config_dir: /etc/openshift/node
-openshift_master_config_dir: /etc/openshift/master
-openshift_generated_configs_dir: /etc/openshift/generated-configs
-openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
-openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
-openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
-openshift_kube_api_version: v1beta3

+ 1 - 6
roles/openshift_facts/library/openshift_facts.py

@@ -374,7 +374,6 @@ def set_url_facts_if_unset(facts):
         if 'etcd_urls' not in facts['master']:
             etcd_urls = []
             if etcd_hosts != '':
-                etcd_port = 2379
                 facts['master']['etcd_port'] = etcd_port
                 facts['master']['embedded_etcd'] = False
                 for host in etcd_hosts:
@@ -718,11 +717,7 @@ class OpenShiftFacts(object):
             defaults['master'] = master
 
         if 'node' in roles:
-            node = dict(pod_cidr='', labels={}, annotations={}, portal_net='172.30.0.0/16')
-            node['resources_cpu'] = self.system_facts['processor_cores']
-            node['resources_memory'] = int(
-                int(self.system_facts['memtotal_mb']) * 1024 * 1024 * 0.75
-            )
+            node = dict(labels={}, annotations={}, portal_net='172.30.0.0/16')
             defaults['node'] = node
 
         return defaults
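Review bot: After dropping `etcd_port = 2379`, the assignment `facts['master']['etcd_port'] = etcd_port` on the following line depends on `etcd_port` being bound earlier in `set_url_facts_if_unset`, which is outside this hunk; if it now comes from a fact or a parameter, a one-line comment at that assignment such as `# etcd_port is resolved above from facts, no longer hard-coded` would stop a reader from assuming the 2379 literal is still in effect. The second hunk removes `pod_cidr`, `resources_cpu` and `resources_memory` from the node defaults, so any caller that still reads those keys would raise `KeyError`; a comment on the `node` dict listing the keys that remain would document the new contract. Both enclosing functions begin before the hunk.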

+ 0 - 5
roles/openshift_master/tasks/main.yml

@@ -12,11 +12,6 @@
   yum: pkg=openshift-master state=present
   register: install_result
 
-# TODO: Is this necessary or was this a workaround for an old bug in packaging?
-- name: Reload systemd units
-  command: systemctl daemon-reload
-  when: install_result | changed
-
 - name: Set master OpenShift facts
   openshift_facts:
     role: master

+ 4 - 4
roles/openshift_master/templates/master.yaml.v1.j2

@@ -18,19 +18,19 @@ corsAllowedOrigins:
 {% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %}
   - {{ origin }}
 {% endfor %}
-{% if openshift.master.embedded_dns %}
+{% if openshift.master.embedded_dns | bool %}
 dnsConfig:
   bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.dns_port }}
 {% endif %}
 etcdClientInfo:
-  ca: ca.crt
+  ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
   certFile: master.etcd-client.crt
   keyFile: master.etcd-client.key
   urls:
 {% for etcd_url in openshift.master.etcd_urls %}
     - {{ etcd_url }}
 {% endfor %}
-{% if openshift.master.embedded_etcd %}
+{% if openshift.master.embedded_etcd | bool %}
 etcdConfig:
   address: {{ openshift.common.hostname }}:{{ openshift.master.etcd_port }}
   peerAddress: {{ openshift.common.hostname }}:7001
@@ -61,7 +61,7 @@ kubeletClientInfo:
   certFile: master.kubelet-client.crt
   keyFile: master.kubelet-client.key
   port: 10250
-{% if openshift.master.embedded_kube %}
+{% if openshift.master.embedded_kube | bool %}
 kubernetesMasterConfig:
   apiLevels:
   - v1beta3
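Review bot: `etcdClientInfo.ca` now names `master.etcd-ca.crt` for external etcd, but nothing in this commit delivers that file to the master config directory; the new `etcd_certificates` client tasks write `{{ etcd_cert_prefix }}ca.crt` into a generated-certs tree, so this only works if a master-side play outside this diff runs that role with `etcd_cert_prefix: master.etcd-` and unpacks the result next to the master config. A template comment above the `ca:` line, e.g. `{# master.etcd-ca.crt is delivered by etcd_certificates (etcd_cert_prefix=master.etcd-) from the master playbook #}`, would make that coupling visible. The `| bool` filters are the right fix for facts that may arrive as strings.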

+ 0 - 8
roles/openshift_node/tasks/main.yml

@@ -10,11 +10,6 @@
   register: sdn_install_result
   when: openshift.common.use_openshift_sdn
 
-- name: Reload systemd units
-  command: systemctl daemon-reload
-  when: (node_install_result | changed or (openshift.common.use_openshift_sdn
-          and sdn_install_result | changed))
-
 - name: Set node OpenShift facts
   openshift_facts:
     role: "{{ item.role }}"
@@ -27,9 +22,6 @@
       deployment_type: "{{ openshift_deployment_type }}"
   - role: node
     local_facts:
-      resources_cpu: "{{ openshift_node_resources_cpu | default(none) }}"
-      resources_memory: "{{ openshift_node_resources_memory | default(none) }}"
-      pod_cidr: "{{ openshift_node_pod_cidr | default(none) }}"
       labels: "{{ openshift_node_labels | default(none) }}"
       annotations: "{{ openshift_node_annotations | default(none) }}"
       registry_url: "{{ oreg_url | default(none) }}"

+ 0 - 1
roles/openshift_node_certificates/vars/main.yml

@@ -5,4 +5,3 @@ openshift_generated_configs_dir: /etc/openshift/generated-configs
 openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
 openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
 openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
-openshift_kube_api_version: v1beta3