
Ensure serial certificate generation for node and master certificates.

Andrew Butcher 8 years ago
parent
commit
c25212b12e

+ 17 - 10
roles/openshift_master_certificates/tasks/main.yml

@@ -30,7 +30,6 @@
                                               | oo_collect(attribute='stat.exists')
                                               | list)) }}"
 
-
 - name: Ensure the generated_configs directory present
   file:
     path: "{{ openshift_master_generated_config_dir }}"
@@ -41,28 +40,32 @@
 
 - name: Create the master server certificate
   command: >
-    {{ openshift.common.client_binary }} adm ca create-server-cert
+    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
     --certificate-authority {{ named_ca_certificate }}
     {% endfor %}
-    --hostnames={{ openshift.common.all_hostnames | join(',') }}
-    --cert={{ openshift_master_generated_config_dir }}/master.server.crt
-    --key={{ openshift_master_generated_config_dir }}/master.server.key
+    --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
+    --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
+    --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
     --signer-cert={{ openshift_ca_cert }}
     --signer-key={{ openshift_ca_key }}
     --signer-serial={{ openshift_ca_serial }}
     --overwrite=false
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_masters_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+                  | difference([openshift_ca_host])}}"
   delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
 
 - name: Generate the master client config
   command: >
-    {{ openshift.common.client_binary }} adm create-api-client-config
+    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
       {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
       --certificate-authority {{ named_ca_certificate }}
       {% endfor %}
       --certificate-authority={{ openshift_ca_cert }}
-      --client-dir={{ openshift_master_generated_config_dir }}
+      --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
       --groups=system:masters,system:openshift-master
       --master={{ openshift.master.api_url }}
       --public-master={{ openshift.master.public_api_url }}
@@ -72,9 +75,13 @@
       --user=system:openshift-master
       --basename=openshift-master
   args:
-    creates: "{{ openshift_master_generated_config_dir }}/openshift-master.kubeconfig"
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+    creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_masters_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+                  | difference([openshift_ca_host])}}"
   delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
 
 - file:
     src: "{{ openshift_master_config_dir }}/{{ item }}"
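Review bot: The new loops in "Create the master server certificate" and "Generate the master client config" select hosts with `filters={'master_certs_missing':True}`, an exact match against a boolean, where the removed `when:` used `master_certs_missing | bool`; if that fact is ever set as a templated string rather than a native bool, the filter yields an empty list and both tasks silently become no-ops on the CA host, so it is worth either keeping the `| bool` cast in the fact definition or asserting the list is non-empty when any master reports missing certs. The same exact-match filter is used in the node role's two loops. Within the same tasks, `openshift.master.named_certificates` (in the `{% for %}` block) and `openshift.master.api_url` / `openshift.master.public_api_url` are still resolved from the host executing the `run_once` task rather than from `hostvars[item]`, unlike the hostnames and paths that were switched to `hostvars[item]`; presumably these are identical across masters, but if a master can carry its own named certificates this signs the wrong CA list into its kubeconfig. Since `run_once: true` plus `delegate_to` reads as an optimisation, a comment above `with_items` stating the intent would help, e.g. `# Run once on the CA host, looping over all masters, so the signer serial file is never updated by concurrent create-server-cert invocations`.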

+ 16 - 10
roles/openshift_node_certificates/tasks/main.yml

@@ -49,32 +49,38 @@
       --certificate-authority {{ named_ca_certificate }}
       {% endfor %}
       --certificate-authority={{ openshift_ca_cert }}
-      --client-dir={{ openshift_node_generated_config_dir }}
+      --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
       --groups=system:nodes
       --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
       --signer-cert={{ openshift_ca_cert }}
       --signer-key={{ openshift_ca_key }}
       --signer-serial={{ openshift_ca_serial }}
-      --user=system:node:{{ openshift.common.hostname }}
+      --user=system:node:{{ hostvars[item].openshift.common.hostname }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}"
-  when: node_certs_missing | bool
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_nodes_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
   delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
 
 - name: Generate the node server certificate
   command: >
     {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
-    --cert={{ openshift_node_generated_config_dir }}/server.crt
-    --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+    --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
+    --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
     --overwrite=true
-    --hostnames={{ openshift.common.hostname }},{{ openshift.common.public_hostname }},{{ openshift.common.ip }},{{ openshift.common.public_ip }}
+    --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
     --signer-cert={{ openshift_ca_cert }}
     --signer-key={{ openshift_ca_key }}
     --signer-serial={{ openshift_ca_serial }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}/server.crt"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host}}"
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt"
+  with_items: "{{ hostvars
+                  | oo_select_keys(groups['oo_nodes_to_config'])
+                  | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
+  delegate_to: "{{ openshift_ca_host }}"
+  run_once: true
 
 - name: Create local temp directory for syncing certs
   local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
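Review bot: The `creates:` guard on the node client-config task (`creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"`) keys on the directory, so a run that created the directory but failed before writing the kubeconfig will never regenerate it; the master role in this same commit guards on the produced `openshift-master.kubeconfig` file, and keying the node guard on the kubeconfig it writes would make the two roles consistent and the task genuinely idempotent. Both `with_items` loops iterate every host in `groups['oo_nodes_to_config']` from a single `run_once` execution on the CA host; if the play is ever run with `serial` batching, `hostvars[item].openshift.common.hostname` is undefined for nodes outside the current batch and the whole task fails, which is worth a note next to the loop (`# assumes facts are gathered for every node in oo_nodes_to_config before this runs`) or a narrowing of the selected hosts to the current batch. The enclosing "Generate the node client config" task starts above this hunk.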