
Adding signed router cert and fixing server_cert bug.

Kenny Woodson 8 years ago
parent
commit
cd595caf9e

+ 3 - 0
roles/lib_openshift/library/oc_adm_ca_server_cert.py

@@ -1505,6 +1505,9 @@ class CAServerCert(OpenShiftCLI):
         if proc.returncode == 0:
             regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)
             match = regex.search(x509output)  # E501
+            if not match:
+                return False
+
             for entry in re.split(r", *", match.group(1)):
                 if entry.startswith('DNS') or entry.startswith('IP Address'):
                     cert_names.append(entry.split(':')[1])
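Review bot: The new `if not match:` guard reports a certificate with no Subject Alternative Name block the same way as a hostname mismatch, and nothing at that line says that this is deliberate; the identical guard added in roles/lib_openshift/src/class/oc_adm_ca_server_cert.py has the same gap. A one-line comment above the return such as `# no SAN extension in the existing cert: nothing to compare, report it as not matching` would make the choice explicit for the next reader. Note also that the regex captures only the single line after the SAN header, so a SAN list that openssl wraps across several lines would presumably take this same early exit rather than be compared; worth confirming against real output. The enclosing method starts and ends outside the hunk.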

+ 3 - 0
roles/lib_openshift/src/class/oc_adm_ca_server_cert.py

@@ -78,6 +78,9 @@ class CAServerCert(OpenShiftCLI):
         if proc.returncode == 0:
             regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)
             match = regex.search(x509output)  # E501
+            if not match:
+                return False
+
             for entry in re.split(r", *", match.group(1)):
                 if entry.startswith('DNS') or entry.startswith('IP Address'):
                     cert_names.append(entry.split(':')[1])

+ 2 - 1
roles/openshift_hosted/defaults/main.yml

@@ -24,8 +24,9 @@ openshift_hosted_routers:
   ports:
   - 80:80
   - 443:443
-  certificates: "{{ openshift_hosted_router_certificate | default({}) }}"
+  certificates: "{{ openshift_hosted_router_certificates | default({}) }}"
 
 
 openshift_hosted_router_certificates: {}
 openshift_hosted_registry_cert_expire_days: 730
+openshift_hosted_router_create_certificate: False
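Review bot: The new `openshift_hosted_router_create_certificate: False` default is undocumented, and nothing here tells an operator what flipping it does or that it overrides any user-supplied router certificate. A comment above it such as `# When True, generate a wildcard router certificate signed by the cluster CA instead of copying user-supplied certificates` would match what roles/openshift_hosted/tasks/router/router.yml does with the flag in this commit. The file's other booleans are not visible in this hunk, so the `False` spelling is kept as given.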

+ 26 - 0
roles/openshift_hosted/tasks/router/router.yml

@@ -14,6 +14,31 @@
     openshift_hosted_router_selector: "{{ openshift.hosted.router.selector | default(None) }}"
     openshift_hosted_router_image: "{{ openshift.hosted.router.registryurl }}"
 
+# This is for when we desire a cluster signed cert
+# The certificate is generated and placed in master_config_dir/
+- block:
+  - name: generate a default wildcard router certificate
+    oc_adm_ca_server_cert:
+      signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
+      signer_key: "{{ openshift_master_config_dir }}/ca.key"
+      signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+      hostnames:
+      - "{{ openshift_master_default_subdomain }}"
+      - "*.{{ openshift_master_default_subdomain }}"
+      cert: "{{ ('/etc/origin/master/' ~ (item.certificates.certfile | basename)) if 'certfile' in item.certificates else ((openshift_master_config_dir) ~ '/openshift-router.crt') }}"
+      key: "{{ ('/etc/origin/master/' ~ (item.certificates.keyfile | basename)) if 'keyfile' in item.certificates else ((openshift_master_config_dir) ~ '/openshift-router.key') }}"
+    with_items: "{{ openshift_hosted_routers }}"
+
+  - name: set the openshift_hosted_router_certificates
+    set_fact:
+      openshift_hosted_router_certificates:
+        certfile: "{{ openshift_master_config_dir ~ '/openshift-router.crt' }}"
+        keyfile: "{{ openshift_master_config_dir ~ '/openshift-router.key' }}"
+        cafile: "{{ openshift_master_config_dir ~ '/ca.crt' }}"
+
+  # End Block
+  when: openshift_hosted_router_create_certificate
+
 - name: Get the certificate contents for router
   copy:
     backup: True
@@ -21,6 +46,7 @@
     src: "{{ item }}"
   with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificates') |
                   oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}"
+  when: not openshift_hosted_router_create_certificate
 
 - name: Create the router service account(s)
   oc_serviceaccount:
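Review bot: In the first hunk, the `cert:` and `key:` expressions on the generate task write to `/etc/origin/master/<basename>` when a router entry already names a `certfile`/`keyfile`, but the following `set_fact` always points `openshift_hosted_router_certificates` at `openshift-router.crt`/`openshift-router.key`, so in that case the generated files and the fact disagree. Either drop the conditional and always generate into the fixed `{{ openshift_master_config_dir }}/openshift-router.crt` and `.key` paths, or build the `set_fact` paths with the same expression. Separately, `openshift_hosted_routers` is defaulted from `openshift_hosted_router_certificates` in defaults/main.yml before this `set_fact` runs, so whether the later `oo_collect(attribute='certificates')` sees the new value depends on Ansible's lazy evaluation of that default; worth verifying rather than assuming. The generated wildcard key is signed by the cluster CA and left in `openshift_master_config_dir` with whatever mode `oc_adm_ca_server_cert` applies, which is not set here and should be confirmed to be owner-only. The `Get the certificate contents for router` task that the second hunk conditions on `not openshift_hosted_router_create_certificate` begins in the first hunk's trailing context.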