
Refactor etcd certificates roles.

Andrew Butcher 8 năm trước cách đây
dbb140a649

+ 275 - 0
library/delegated_serial_command.py

@@ -0,0 +1,275 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>, and others
+# (c) 2016, Andrew Butcher <abutcher@redhat.com>
+#
+# This module is derrived from the Ansible command module.
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+
+# pylint: disable=unused-wildcard-import,wildcard-import,unused-import,redefined-builtin
+
+''' delegated_serial_command '''
+
+import copy
+import sys
+import datetime
+import glob
+import traceback
+import re
+import shlex
+import os
+import fcntl
+import time
+
+DOCUMENTATION = '''
+---
+module: delegated_serial_command
+short_description: Executes a command on a remote node
+version_added: historical
+description:
+     - The M(command) module takes the command name followed by a list
+       of space-delimited arguments.
+     - The given command will be executed on all selected nodes. It
+       will not be processed through the shell, so variables like
+       C($HOME) and operations like C("<"), C(">"), C("|"), and C("&")
+       will not work (use the M(shell) module if you need these
+       features).
+     - Creates and maintains a lockfile such that this module will
+       wait for other invocations to proceed.
+options:
+  command:
+    description:
+      - the command to run
+    required: true
+    default: null
+  creates:
+    description:
+      - a filename or (since 2.0) glob pattern, when it already
+        exists, this step will B(not) be run.
+    required: no
+    default: null
+  removes:
+    description:
+      - a filename or (since 2.0) glob pattern, when it does not
+        exist, this step will B(not) be run.
+    version_added: "0.8"
+    required: no
+    default: null
+  chdir:
+    description:
+      - cd into this directory before running the command
+    version_added: "0.6"
+    required: false
+    default: null
+  executable:
+    description:
+      - change the shell used to execute the command. Should be an
+        absolute path to the executable.
+    required: false
+    default: null
+    version_added: "0.9"
+  warn:
+    version_added: "1.8"
+    default: yes
+    description:
+      - if command warnings are on in ansible.cfg, do not warn about
+        this particular line if set to no/false.
+    required: false
+  lockfile:
+    default: yes
+    description:
+      - the lockfile that will be created
+  timeout:
+    default: yes
+    description:
+      - time in milliseconds to wait to obtain the lock
+notes:
+    -  If you want to run a command through the shell (say you are using C(<),
+       C(>), C(|), etc), you actually want the M(shell) module instead. The
+       M(command) module is much more secure as it's not affected by the user's
+       environment.
+    - " C(creates), C(removes), and C(chdir) can be specified after
+       the command. For instance, if you only want to run a command if
+       a certain file does not exist, use this."
+author:
+    - Ansible Core Team
+    - Michael DeHaan
+    - Andrew Butcher
+'''
+
+EXAMPLES = '''
+# Example from Ansible Playbooks.
+- delegated_serial_command:
+    command: /sbin/shutdown -t now
+
+# Run the command if the specified file does not exist.
+- delegated_serial_command:
+    command: /usr/bin/make_database.sh arg1 arg2
+    creates: /path/to/database
+'''
+
+# Dict of options and their defaults
+OPTIONS = {'chdir': None,
+           'creates': None,
+           'command': None,
+           'executable': None,
+           'NO_LOG': None,
+           'removes': None,
+           'warn': True,
+           'lockfile': None,
+           'timeout': None}
+
+def check_command(commandline):
+    ''' Check provided command '''
+    arguments = {'chown': 'owner', 'chmod': 'mode', 'chgrp': 'group',
+                 'ln': 'state=link', 'mkdir': 'state=directory',
+                 'rmdir': 'state=absent', 'rm': 'state=absent', 'touch': 'state=touch'}
+    commands = {'git': 'git', 'hg': 'hg', 'curl': 'get_url or uri', 'wget': 'get_url or uri',
+                'svn': 'subversion', 'service': 'service',
+                'mount': 'mount', 'rpm': 'yum, dnf or zypper', 'yum': 'yum', 'apt-get': 'apt',
+                'tar': 'unarchive', 'unzip': 'unarchive', 'sed': 'template or lineinfile',
+                'rsync': 'synchronize', 'dnf': 'dnf', 'zypper': 'zypper'}
+    become = ['sudo', 'su', 'pbrun', 'pfexec', 'runas']
+    warnings = list()
+    command = os.path.basename(commandline.split()[0])
+    # pylint: disable=line-too-long
+    if command in arguments:
+        warnings.append("Consider using file module with {0} rather than running {1}".format(arguments[command], command))
+    if command in commands:
+        warnings.append("Consider using {0} module rather than running {1}".format(commands[command], command))
+    if command in become:
+        warnings.append(
+            "Consider using 'become', 'become_method', and 'become_user' rather than running {0}".format(command,))
+    return warnings
+
+
+# pylint: disable=too-many-statements,too-many-branches,too-many-locals
+def main():
+    ''' Main module function '''
+    module = AnsibleModule(
+        argument_spec=dict(
+            _uses_shell=dict(type='bool', default=False),
+            command=dict(required=True),
+            chdir=dict(),
+            executable=dict(),
+            creates=dict(),
+            removes=dict(),
+            warn=dict(type='bool', default=True),
+            lockfile=dict(default='/tmp/delegated_serial_command.lock'),
+            timeout=dict(type='int', default=30)
+        )
+    )
+
+    shell = module.params['_uses_shell']
+    chdir = module.params['chdir']
+    executable = module.params['executable']
+    command = module.params['command']
+    creates = module.params['creates']
+    removes = module.params['removes']
+    warn = module.params['warn']
+    lockfile = module.params['lockfile']
+    timeout = module.params['timeout']
+
+    if command.strip() == '':
+        module.fail_json(rc=256, msg="no command given")
+
+    iterated = 0
+    lockfd = open(lockfile, 'w+')
+    while iterated < timeout:
+        try:
+            fcntl.flock(lockfd, fcntl.LOCK_EX | fcntl.LOCK_NB)
+            break
+        # pylint: disable=invalid-name
+        except IOError as e:
+            if e.errno != errno.EAGAIN:
+                module.fail_json(msg="I/O Error {0}: {1}".format(e.errno, e.strerror))
+            else:
+                iterated += 1
+                time.sleep(0.1)
+
+    if chdir:
+        chdir = os.path.abspath(os.path.expanduser(chdir))
+        os.chdir(chdir)
+
+    if creates:
+        # do not run the command if the line contains creates=filename
+        # and the filename already exists.  This allows idempotence
+        # of command executions.
+        path = os.path.expanduser(creates)
+        if glob.glob(path):
+            module.exit_json(
+                cmd=command,
+                stdout="skipped, since %s exists" % path,
+                changed=False,
+                stderr=False,
+                rc=0
+            )
+
+    if removes:
+    # do not run the command if the line contains removes=filename
+    # and the filename does not exist.  This allows idempotence
+    # of command executions.
+        path = os.path.expanduser(removes)
+        if not glob.glob(path):
+            module.exit_json(
+                cmd=command,
+                stdout="skipped, since %s does not exist" % path,
+                changed=False,
+                stderr=False,
+                rc=0
+            )
+
+    warnings = list()
+    if warn:
+        warnings = check_command(command)
+
+    if not shell:
+        command = shlex.split(command)
+    startd = datetime.datetime.now()
+
+    # pylint: disable=invalid-name
+    rc, out, err = module.run_command(command, executable=executable, use_unsafe_shell=shell)
+
+    fcntl.flock(lockfd, fcntl.LOCK_UN)
+    lockfd.close()
+
+    endd = datetime.datetime.now()
+    delta = endd - startd
+
+    if out is None:
+        out = ''
+    if err is None:
+        err = ''
+
+    module.exit_json(
+        cmd=command,
+        stdout=out.rstrip("\r\n"),
+        stderr=err.rstrip("\r\n"),
+        rc=rc,
+        start=str(startd),
+        end=str(endd),
+        delta=str(delta),
+        changed=True,
+        warnings=warnings,
+        iterated=iterated
+    )
+
+# import module snippets
+from ansible.module_utils.basic import *
+from ansible.module_utils.splitter import *
+
+main()
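Review bot: When the wait loop at L205-L215 exhausts `timeout` without obtaining the lock, execution simply falls through and runs the command unlocked, so the serialization this module exists for (the caller's comment says certificates must be signed serially to avoid competing for the CA serial file) silently disappears under contention; track a `locked` flag and call `module.fail_json(msg="timed out waiting for lock {0}".format(lockfile))` when it is still false. The default lock path `/tmp/delegated_serial_command.lock` (L185) is a predictable name in a world-writable directory and is opened with `'w+'` (truncating) by a module that in this commit runs as root on the CA host, so a pre-planted symlink would be followed and its target truncated on hosts without fs.protected_symlinks — open it without truncation and with `O_NOFOLLOW`, or default to a root-owned directory such as the CA directory. `errno` (L211) is not imported at the top of the file and only resolves through the wildcard import from `ansible.module_utils.basic` at L285; add an explicit `import errno`. The `timeout` documentation at L112 says milliseconds while the loop sleeps 0.1 s per iteration (default 30 is roughly 3 s), and both `lockfile` and `timeout` list `default: yes` at L106/L110; document the real defaults.
```python
    iterated = 0
    locked = False
    # No truncation and no symlink following: the lock path may live in a shared /tmp.
    lockfd = os.open(lockfile, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    while iterated < timeout:
        try:
            fcntl.flock(lockfd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            locked = True
            break
        except IOError as e:
            if e.errno != errno.EAGAIN:
                module.fail_json(msg="I/O Error {0}: {1}".format(e.errno, e.strerror))
            iterated += 1
            time.sleep(0.1)
    if not locked:
        module.fail_json(msg="timed out waiting for lock {0}".format(lockfile))
    # … unchanged: chdir / creates / removes / run_command …
    fcntl.flock(lockfd, fcntl.LOCK_UN)
    os.close(lockfd)
```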

+ 4 - 113
playbooks/common/openshift-etcd/config.yml

@@ -1,119 +1,10 @@
 ---
-- name: Set etcd facts needed for generating certs
+- name: Configure etcd
   hosts: oo_etcd_to_config
   any_errors_fatal: true
   roles:
-  - openshift_facts
-  tasks:
-  - openshift_facts:
-      role: etcd
-      local_facts:
-        etcd_image: "{{ osm_etcd_image | default(None) }}"
-  - name: Check status of etcd certificates
-    stat:
-      path: "{{ item }}"
-    with_items:
-    - /etc/etcd/server.crt
-    - /etc/etcd/peer.crt
-    - /etc/etcd/ca.crt
-    register: g_etcd_server_cert_stat_result
-  - set_fact:
-      etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | oo_collect(attribute='stat.exists')
-                                    | list | intersect([false])}}"
-      etcd_cert_subdir: etcd-{{ openshift.common.hostname }}
-      etcd_cert_config_dir: /etc/etcd
-      etcd_cert_prefix:
-      etcd_hostname: "{{ openshift.common.hostname }}"
-      etcd_ip: "{{ openshift.common.ip }}"
-
-- name: Create temp directory for syncing certs
-  hosts: localhost
-  connection: local
-  become: no
-  gather_facts: no
-  tasks:
-  - name: Create local temp directory for syncing certs
-    local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
-    register: g_etcd_mktemp
-    changed_when: False
-
-- name: Configure etcd certificates
-  hosts: oo_first_etcd
-  vars:
-    etcd_generated_certs_dir: /etc/etcd/generated_certs
-    etcd_needing_server_certs: "{{ hostvars
-                                  | oo_select_keys(groups['oo_etcd_to_config'])
-                                  | oo_filter_list(filter_attr='etcd_server_certs_missing') }}"
-    sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
-  roles:
-  - openshift_etcd_certificates
-  post_tasks:
-  - name: Create a tarball of the etcd certs
-    command: >
-      tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz
-        -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} .
-    args:
-      creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-    with_items: "{{ etcd_needing_server_certs | default([]) }}"
-  - name: Retrieve the etcd cert tarballs
-    fetch:
-      src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-      dest: "{{ sync_tmpdir }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    with_items: "{{ etcd_needing_server_certs | default([]) }}"
-
-# Configure a first etcd host to avoid conflicts in choosing a leader
-# if other members come online too quickly.
-- name: Configure first etcd host
-  hosts: oo_first_etcd
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
-    etcd_url_scheme: https
-    etcd_peer_url_scheme: https
-    etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
-  pre_tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ etcd_cert_config_dir }}"
-      state: directory
-  - name: Unarchive the tarball on the etcd host
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_server_certs_missing
-  roles:
-  - openshift_etcd
-  - nickhammond.logrotate
-
-# Configure the remaining etcd hosts, skipping the first one we dealt with above.
-- name: Configure remaining etcd hosts
-  hosts: oo_etcd_to_config:!oo_first_etcd
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}"
-    etcd_url_scheme: https
-    etcd_peer_url_scheme: https
+  - role: openshift_etcd
     etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
-  pre_tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ etcd_cert_config_dir }}"
-      state: directory
-  - name: Unarchive the tarball on the etcd host
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_server_certs_missing
-  roles:
-  - openshift_etcd
+    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+    etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
   - role: nickhammond.logrotate
-
-- name: Delete temporary directory on localhost
-  hosts: localhost
-  connection: local
-  become: no
-  gather_facts: no
-  tasks:
-  - file: name={{ g_etcd_mktemp.stdout }} state=absent
-    changed_when: False
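Review bot: The play no longer sets `etcd_url_scheme: https` and `etcd_peer_url_scheme: https` (removed at L367-L368 and L389-L390), and `etcd_hostname`/`etcd_ip` are no longer produced by the removed `set_fact` at L320-L321 even though `etcd.conf.j2` in this same commit still reads `hostvars[host].etcd_hostname` and `hostvars[host].etcd_ip`; unless `etcd_common` or the role defaults now define all four, members may render an empty initial cluster or non-TLS URLs, so confirm where they are defined now or pass them explicitly next to `etcd_peers` at L392. `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` at L405 places the CA signing key on the first etcd member, so compromising that node yields the key that signs every etcd server, peer and client certificate; a comment such as `# the etcd CA private key is kept on this member; restrict access accordingly` would make the trust boundary explicit to operators. The earlier ordering that configured the first member before the others to avoid leader-election conflicts (comment at L361-L362) is dropped as well; if the role now handles startup ordering, state that in the play, otherwise restore the two-phase layout.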

+ 7 - 74
playbooks/common/openshift-master/config.yml

@@ -1,5 +1,5 @@
 ---
-- name: Set master facts and determine if external etcd certs need to be generated
+- name: Set master facts
   hosts: oo_masters_to_config
   vars:
     t_oo_option_master_debug_level: "{{ lookup('oo_option', 'openshift_master_debug_level') }}"
@@ -73,23 +73,6 @@
       openshift_env:
         openshift_hosted_registry_storage_kind: 'nfs'
     when: openshift_hosted_registry_storage_kind is not defined and groups.oo_nfs_to_config is defined and groups.oo_nfs_to_config | length > 0
-  - name: Check status of external etcd certificatees
-    stat:
-      path: "{{ openshift.common.config_base }}/master/{{ item }}"
-    with_items:
-    - master.etcd-client.crt
-    - master.etcd-ca.crt
-    register: g_external_etcd_cert_stat_result
-  - set_fact:
-      etcd_client_certs_missing: "{{ g_external_etcd_cert_stat_result.results
-                                    | oo_collect(attribute='stat.exists')
-                                    | list | intersect([false])}}"
-      etcd_cert_subdir: openshift-master-{{ openshift.common.hostname }}
-      etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
-      etcd_cert_prefix: master.etcd-
-      etcd_hostname: "{{ openshift.common.hostname }}"
-      etcd_ip: "{{ openshift.common.ip }}"
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
 
 - name: Create temp directory for syncing certs
   hosts: localhost
@@ -102,60 +85,6 @@
     register: g_master_mktemp
     changed_when: False
 
-- name: Configure etcd certificates
-  hosts: oo_first_etcd
-  vars:
-    etcd_generated_certs_dir: /etc/etcd/generated_certs
-    etcd_needing_client_certs: "{{ hostvars
-                                   | oo_select_keys(groups['oo_masters_to_config'])
-                                   | default([])
-                                   | oo_filter_list(filter_attr='etcd_client_certs_missing') }}"
-    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
-  roles:
-  - openshift_etcd_certificates
-  post_tasks:
-  - name: Create a tarball of the etcd certs
-    command: >
-      tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz
-        -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} .
-    args:
-      creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-  - name: Retrieve the etcd cert tarballs
-    fetch:
-      src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-      dest: "{{ sync_tmpdir }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-
-- name: Copy the external etcd certs to the masters
-  hosts: oo_masters_to_config
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
-  tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ openshift.common.config_base }}/master"
-      state: directory
-    when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-  - name: Unarchive the tarball on the master
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-  - file:
-      path: "{{ etcd_cert_config_dir }}/{{ item }}"
-      owner: root
-      group: root
-      mode: 0600
-    with_items:
-    - master.etcd-client.crt
-    - master.etcd-client.key
-    - master.etcd-ca.crt
-    when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-
 - name: Check for cached session secrets
   hosts: oo_first_master
   roles:
@@ -245,8 +174,6 @@
                                                     | union(groups['oo_etcd_to_config'] | default([])))
                                                 | oo_collect('openshift.common.hostname') | default([]) | join (',')
                                                 }}"
-    when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
-            openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
   - role: openshift_master_facts
   - role: openshift_hosted_facts
@@ -260,6 +187,12 @@
                                     | oo_select_keys(groups['oo_masters_to_config'] | default([]))
                                     | oo_collect('openshift.common.all_hostnames')
                                     | oo_flatten | unique }}"
+  - role: openshift_etcd_client_certificates
+    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+    etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+    etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+    etcd_cert_prefix: "master.etcd-"
+    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
   - role: openshift_clock
   - role: openshift_cloud_provider
   - role: openshift_builddefaults
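Review bot: The removed play explicitly set `owner: root`, `group: root`, `mode: 0600` on `master.etcd-client.key` and its companions (L499-L508); the replacement role invocation at L526-L531 shows nothing equivalent, and the visible part of `roles/etcd_client_certificates/tasks/main.yml` creates the key on the CA host with `-nodes`, so whichever task later copies it into `{{ openshift.common.config_base }}/master` must apply `mode: 0600` or the etcd client key can land readable under the default umask. The role also uses `etcd_hostname` and `etcd_ip` for the CSR subject and SAN, which for masters previously came from the `set_fact` removed at L446-L447; confirm `etcd_common` supplies them for master hosts or add them to the role vars at L527-L530. The `when:` dropped at L517-L518 made the generated no_proxy host list conditional on a proxy being configured; that task starts before the hunk, so check the guard moved rather than vanished.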

+ 5 - 82
playbooks/common/openshift-node/config.yml

@@ -124,94 +124,17 @@
       when: openshift.node.use_openshift_sdn | bool
   - role: openshift_node
 
-- name: Gather and set facts for flannel certificatess
-  hosts: oo_nodes_to_config
-  tasks:
-  - name: Check status of flannel external etcd certificates
-    stat:
-      path: "{{ openshift.common.config_base }}/node/{{ item }}"
-    with_items:
-    - node.etcd-client.crt
-    - node.etcd-ca.crt
-    register: g_external_etcd_flannel_cert_stat_result
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config and (openshift.common.use_flannel | bool)
-  - set_fact:
-      etcd_client_flannel_certs_missing: "{{ False in g_external_etcd_flannel_cert_stat_result.results
-                                             | oo_collect(attribute='stat.exists')
-                                             | list }}"
-      etcd_cert_subdir: openshift-node-{{ openshift.common.hostname }}
-      etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
-      etcd_cert_prefix: node.etcd-
-      etcd_hostname: "{{ openshift.common.hostname }}"
-      etcd_ip: "{{ openshift.common.ip }}"
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config | length > 0 and (openshift.common.use_flannel | bool)
-
-- name: Configure flannel etcd certificates
-  hosts: oo_first_etcd
-  vars:
-    etcd_generated_certs_dir: /etc/etcd/generated_certs
-    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
-  pre_tasks:
-  - set_fact:
-      etcd_needing_client_certs: "{{ hostvars
-                                     | oo_select_keys(groups['oo_nodes_to_config'])
-                                     | oo_filter_list('etcd_client_flannel_certs_missing') | default([]) }}"
-  roles:
-  - role: openshift_etcd_certificates
-    when: openshift_use_flannel | default(false) | bool
-  post_tasks:
-  - name: Create a tarball of the etcd flannel certs
-    command: >
-      tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz
-        -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} .
-    args:
-      creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-  - name: Retrieve the etcd cert tarballs
-    fetch:
-      src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz"
-      dest: "{{ sync_tmpdir }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    with_items: "{{ etcd_needing_client_certs | default([]) }}"
-
-- name: Copy the external etcd flannel certs to the nodes
-  hosts: oo_nodes_to_config
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
-  tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ openshift.common.config_base }}/node"
-      state: directory
-    when: etcd_client_flannel_certs_missing | default(false) | bool
-  - name: Unarchive the tarball on the master
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz"
-      dest: "{{ etcd_cert_config_dir }}"
-    when: etcd_client_flannel_certs_missing | default(false) | bool
-  - file:
-      path: "{{ etcd_cert_config_dir }}/{{ item }}"
-      owner: root
-      group: root
-      mode: 0600
-    with_items:
-    - node.etcd-client.crt
-    - node.etcd-client.key
-    - node.etcd-ca.crt
-    when: etcd_client_flannel_certs_missing | default(false) | bool
-
-
 - name: Additional node config
   hosts: oo_nodes_to_config
   vars:
-    # TODO: Prefix flannel role variables.
     openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
-    etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}"
-    embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
   roles:
   - role: flannel
+    etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}"
+    embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
+    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+    etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}"
+    etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
     when: openshift.common.use_flannel | bool
   - role: nuage_node
     when: openshift.common.use_nuage | bool
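Review bot: `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` at L633 is now attached to every flannel node, whereas the removed tasks only touched etcd certificates when `groups.oo_etcd_to_config` was defined and non-empty (L553, L563); with embedded etcd (`embedded_etcd` is passed on L632) that group can be absent and the expression fails as soon as the role references it. Guard it, e.g. `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 if groups.oo_etcd_to_config | default([]) else omit }}"`, or put the client-certificate part of the flannel role behind a `when` on that group. The removed tasks also pinned `node.etcd-client.key` to `root:root` `0600` (L610-L619); nothing in this hunk replaces that, so confirm the flannel role sets the mode when it writes the key under `{{ etcd_cert_config_dir }}`.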

+ 2 - 2
roles/etcd/meta/main.yml

@@ -7,7 +7,7 @@ galaxy_info:
   description: etcd management
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.2
+  min_ansible_version: 2.1
   platforms:
   - name: EL
     versions:
@@ -22,4 +22,4 @@ dependencies:
     port: "{{etcd_client_port}}/tcp"
   - service: etcd peering
     port: "{{ etcd_peer_port }}/tcp"
-- role: etcd_common
+- role: etcd_server_certificates

+ 1 - 1
roles/etcd/templates/etcd.conf.j2

@@ -1,5 +1,5 @@
 {% macro initial_cluster() -%}
-{% for host in etcd_peers -%}
+{% for host in etcd_peers | default([]) -%}
 {% if loop.last -%}
 {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }}
 {%- else -%}
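Review bot: `| default([])` at L665 turns a missing `etcd_peers` into an empty `initial_cluster()` expansion instead of an undefined-variable error, so a member whose peers were not passed renders an empty initial-cluster string and the misconfiguration only surfaces when etcd starts. Unless an empty peer list is a legitimate case, prefer `{% for host in etcd_peers | mandatory -%}`, or keep the default and add a comment above the macro stating when an empty list is expected. The macro continues past the end of the hunk.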

+ 3 - 3
roles/etcd_ca/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: Jason DeTiberus
-  description:
+  description: Etcd CA
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.9
+  min_ansible_version: 2.1
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- { role: etcd_common }
+- role: etcd_common

+ 16 - 0
roles/etcd_ca/tasks/main.yml

@@ -2,6 +2,8 @@
 - name: Install openssl
   action: "{{ ansible_pkg_mgr }} name=openssl state=present"
   when: not etcd_is_atomic | bool
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
 
 - file:
     path: "{{ item }}"
@@ -13,29 +15,41 @@
   - "{{ etcd_ca_new_certs_dir }}"
   - "{{ etcd_ca_crl_dir }}"
   - "{{ etcd_ca_dir }}/fragments"
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
 
 - command: cp /etc/pki/tls/openssl.cnf ./
   args:
     chdir: "{{ etcd_ca_dir }}/fragments"
     creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf"
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
 
 - template:
     dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf"
     src: openssl_append.j2
     backup: true
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
 
 - assemble:
     src: "{{ etcd_ca_dir }}/fragments"
     dest: "{{ etcd_openssl_conf }}"
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
 
 - command: touch {{ etcd_ca_db }}
   args:
     creates: "{{ etcd_ca_db }}"
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
 
 - copy:
     dest: "{{ etcd_ca_serial }}"
     content: "01"
     force: no
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
 
 - command: >
     openssl req -config {{ etcd_openssl_conf }} -newkey rsa:4096
@@ -48,3 +62,5 @@
     creates: "{{ etcd_ca_cert }}"
   environment:
     SAN: 'etcd-signer'
+  delegate_to: "{{ etcd_ca_host }}"
+  run_once: true
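Review bot: With `delegate_to: "{{ etcd_ca_host }}"` plus `run_once: true`, the `when: not etcd_is_atomic | bool` at L699 is still evaluated against the first play host's variables rather than the CA host's, so if the two differ in atomic-ness openssl is either skipped on the CA host or a package install is attempted on an atomic one; use `when: not hostvars[etcd_ca_host].etcd_is_atomic | bool` if that fact is set per host. The same holds for the `template` and `assemble` tasks at L719-L730, which render with the play host's variables, acceptable only as long as `openssl_append.j2` uses nothing host-specific. The `openssl req` task that generates the CA key (its definition starts before the last hunk) now runs on `etcd_ca_host`, an ordinary etcd member in this commit; a comment on that task noting that the CA signing key is held on a cluster node and that `{{ etcd_ca_dir }}` must remain root-only would document the trust assumption.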

+ 0 - 42
roles/etcd_certificates/tasks/client.yml

@@ -1,42 +0,0 @@
----
-- name: Ensure generated_certs directory present
-  file:
-    path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    state: directory
-    mode: 0700
-  with_items: "{{ etcd_needing_client_certs | default([]) }}"
-
-- name: Create the client csr
-  command: >
-    openssl req -new -keyout {{ item.etcd_cert_prefix }}client.key
-    -config {{ etcd_openssl_conf }}
-    -out {{ item.etcd_cert_prefix }}client.csr
-    -reqexts {{ etcd_req_ext }} -batch -nodes
-    -subj /CN={{ item.etcd_hostname }}
-  args:
-    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
-                 ~ item.etcd_cert_prefix ~ 'client.csr' }}"
-  environment:
-    SAN: "IP:{{ item.etcd_ip }}"
-  with_items: "{{ etcd_needing_client_certs | default([]) }}"
-
-- name: Sign and create the client crt
-  command: >
-    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
-    -out {{ item.etcd_cert_prefix }}client.crt
-    -in {{ item.etcd_cert_prefix }}client.csr
-    -batch
-  args:
-    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
-                 ~ item.etcd_cert_prefix ~ 'client.crt' }}"
-  environment:
-    SAN: "IP:{{ item.etcd_ip }}"
-  with_items: "{{ etcd_needing_client_certs | default([]) }}"
-
-- file:
-    src: "{{ etcd_ca_cert }}"
-    dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
-    state: hard
-  with_items: "{{ etcd_needing_client_certs | default([]) }}"

+ 0 - 6
roles/etcd_certificates/tasks/main.yml

@@ -1,6 +0,0 @@
----
-- include: client.yml
-  when: etcd_needing_client_certs | default([]) | length > 0
-
-- include: server.yml
-  when: etcd_needing_server_certs | default([]) | length > 0

+ 0 - 71
roles/etcd_certificates/tasks/server.yml

@@ -1,71 +0,0 @@
----
-- name: Ensure generated_certs directory present
-  file:
-    path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    state: directory
-    mode: 0700
-  with_items: "{{ etcd_needing_server_certs | default([]) }}"
-
-- name: Create the server csr
-  command: >
-    openssl req -new -keyout {{ item.etcd_cert_prefix }}server.key
-    -config {{ etcd_openssl_conf }}
-    -out {{ item.etcd_cert_prefix }}server.csr
-    -reqexts {{ etcd_req_ext }} -batch -nodes
-    -subj /CN={{ item.etcd_hostname }}
-  args:
-    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
-                 ~ item.etcd_cert_prefix ~ 'server.csr' }}"
-  environment:
-    SAN: "IP:{{ item.etcd_ip }}"
-  with_items: "{{ etcd_needing_server_certs  | default([]) }}"
-
-- name: Sign and create the server crt
-  command: >
-    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
-    -out {{ item.etcd_cert_prefix }}server.crt
-    -in {{ item.etcd_cert_prefix }}server.csr
-    -extensions {{ etcd_ca_exts_server }} -batch
-  args:
-    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
-                 ~ item.etcd_cert_prefix ~ 'server.crt' }}"
-  environment:
-    SAN: "IP:{{ item.etcd_ip }}"
-  with_items: "{{ etcd_needing_server_certs  | default([]) }}"
-
-- name: Create the peer csr
-  command: >
-    openssl req -new -keyout {{ item.etcd_cert_prefix }}peer.key
-    -config {{ etcd_openssl_conf }}
-    -out {{ item.etcd_cert_prefix }}peer.csr
-    -reqexts {{ etcd_req_ext }} -batch -nodes
-    -subj /CN={{ item.etcd_hostname }}
-  args:
-    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
-                 ~ item.etcd_cert_prefix ~ 'peer.csr' }}"
-  environment:
-    SAN: "IP:{{ item.etcd_ip }}"
-  with_items: "{{ etcd_needing_server_certs | default([]) }}"
-
-- name: Sign and create the peer crt
-  command: >
-    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
-    -out {{ item.etcd_cert_prefix }}peer.crt
-    -in {{ item.etcd_cert_prefix }}peer.csr
-    -extensions {{ etcd_ca_exts_peer }} -batch
-  args:
-    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
-    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
-                 ~ item.etcd_cert_prefix ~ 'peer.crt' }}"
-  environment:
-    SAN: "IP:{{ item.etcd_ip }}"
-  with_items: "{{ etcd_needing_server_certs | default([]) }}"
-
-- file:
-    src: "{{ etcd_ca_cert }}"
-    dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
-    state: hard
-  with_items: "{{ etcd_needing_server_certs | default([]) }}"

+ 2 - 2
roles/etcd_certificates/README.md

@@ -1,5 +1,5 @@
-OpenShift etcd certificates
-========================
+OpenShift Etcd Certificates
+===========================
 
 TODO
 

+ 1 - 0
roles/etcd_client_certificates/library

@@ -0,0 +1 @@
+../../library

+ 3 - 3
roles/etcd_certificates/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: Jason DeTiberus
-  description:
+  description: Etcd Client Certificates
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.8
+  min_ansible_version: 2.1
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- { role: etcd_ca }
+- role: etcd_ca

+ 119 - 0
roles/etcd_client_certificates/tasks/main.yml

@@ -0,0 +1,119 @@
+---
+- name: Check status of external etcd certificatees
+  stat:
+    path: "{{ etcd_cert_config_dir }}/{{ item }}"
+  with_items:
+  - "{{ etcd_cert_prefix }}client.crt"
+  - "{{ etcd_cert_prefix }}client.key"
+  - "{{ etcd_cert_prefix }}ca.crt"
+  register: g_external_etcd_cert_stat_result
+
+- set_fact:
+    etcd_client_certs_missing: "{{ False in (g_external_etcd_cert_stat_result.results
+                                   | oo_collect(attribute='stat.exists')
+                                   | list) }}"
+
+- name: Ensure generated_certs directory present
+  file:
+    path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    state: directory
+    mode: 0700
+  when: etcd_client_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Create the client csr
+  command: >
+    openssl req -new -keyout {{ etcd_cert_prefix }}client.key
+    -config {{ etcd_openssl_conf }}
+    -out {{ etcd_cert_prefix }}client.csr
+    -reqexts {{ etcd_req_ext }} -batch -nodes
+    -subj /CN={{ etcd_hostname }}
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
+                 ~ etcd_cert_prefix ~ 'client.csr' }}"
+  environment:
+    SAN: "IP:{{ etcd_ip }}"
+  when: etcd_client_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+# Certificates must be signed serially in order to avoid competing
+# for the serial file.
+- name: Sign and create the client crt
+  delegated_serial_command:
+    command: >
+      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+      -out {{ etcd_cert_prefix }}client.crt
+      -in {{ etcd_cert_prefix }}client.csr
+      -batch
+    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
+                 ~ etcd_cert_prefix ~ 'client.crt' }}"
+  environment:
+    SAN: "IP:{{ etcd_ip }}"
+  when: etcd_client_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- file:
+    src: "{{ etcd_ca_cert }}"
+    dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
+    state: hard
+  when: etcd_client_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Create local temp directory for syncing certs
+  local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
+  register: g_etcd_client_mktemp
+  changed_when: False
+  when: etcd_client_certs_missing | bool
+  delegate_to: localhost
+  become: no
+
+- name: Create a tarball of the etcd certs
+  command: >
+    tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
+      -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
+  args:
+    creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
+  when: etcd_client_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Retrieve the etcd cert tarballs
+  fetch:
+    src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
+    dest: "{{ g_etcd_client_mktemp.stdout }}/"
+    flat: yes
+    fail_on_missing: yes
+    validate_checksum: yes
+  when: etcd_client_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Ensure certificate directory exists
+  file:
+    path: "{{ etcd_cert_config_dir }}"
+    state: directory
+  when: etcd_client_certs_missing | bool
+
+- name: Unarchive etcd cert tarballs
+  unarchive:
+    src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
+    dest: "{{ etcd_cert_config_dir }}"
+  when: etcd_client_certs_missing | bool
+
+- file:
+    path: "{{ etcd_cert_config_dir }}/{{ item }}"
+    owner: root
+    group: root
+    mode: 0600
+  with_items:
+  - "{{ etcd_cert_prefix }}client.crt"
+  - "{{ etcd_cert_prefix }}client.key"
+  - "{{ etcd_cert_prefix }}ca.crt"
+  when: etcd_client_certs_missing | bool
+
+- name: Delete temporary directory
+  file: name={{ g_etcd_client_mktemp.stdout }} state=absent
+  changed_when: False
+  when: etcd_client_certs_missing | bool
+  delegate_to: localhost
+  become: no
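Review bot: The "Create a tarball of the etcd certs" task leaves `{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz` on the CA host permanently, and that archive contains the unencrypted `client.key` produced by the `-nodes` request above; nothing in this file removes it, and its permissions follow the CA host's umask rather than the `mode: 0600` applied only on the consuming host. The `creates:` guard on that task also means a stale archive is re-fetched rather than rebuilt if the certificates are ever regenerated on the CA host. Consider a final task, delegated to `{{ etcd_ca_host }}`, mirroring "Delete temporary directory": `- file: path={{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz state=absent` with the same `when:` condition. Minor: the first task name reads "certificatees".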

+ 34 - 0
roles/etcd_server_certificates/README.md

@@ -0,0 +1,34 @@
+OpenShift Etcd Certificates
+===========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Scott Dodson (sdodson@redhat.com)

+ 1 - 0
roles/etcd_server_certificates/library

@@ -0,0 +1 @@
+../../library

+ 16 - 0
roles/etcd_server_certificates/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Jason DeTiberus
+  description: Etcd Server Certificates
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.1
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- role: etcd_ca

+ 136 - 0
roles/etcd_server_certificates/tasks/main.yml

@@ -0,0 +1,136 @@
+---
+- name: Check status of etcd certificates
+  stat:
+    path: "{{ etcd_cert_config_dir }}/{{ item }}"
+  with_items:
+  - "{{ etcd_cert_prefix }}server.crt"
+  - "{{ etcd_cert_prefix }}peer.crt"
+  - "{{ etcd_cert_prefix }}ca.crt"
+  register: g_etcd_server_cert_stat_result
+
+- set_fact:
+    etcd_server_certs_missing: "{{ False in (g_etcd_server_cert_stat_result.results
+                                   | oo_collect(attribute='stat.exists')
+                                   | list) }}"
+
+- name: Ensure generated_certs directory present
+  file:
+    path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    state: directory
+    mode: 0700
+  when: etcd_server_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Create the server csr
+  command: >
+    openssl req -new -keyout {{ etcd_cert_prefix }}server.key
+    -config {{ etcd_openssl_conf }}
+    -out {{ etcd_cert_prefix }}server.csr
+    -reqexts {{ etcd_req_ext }} -batch -nodes
+    -subj /CN={{ etcd_hostname }}
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
+                 ~ etcd_cert_prefix ~ 'server.csr' }}"
+  environment:
+    SAN: "IP:{{ etcd_ip }}"
+  when: etcd_server_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+# Certificates must be signed serially in order to avoid competing
+# for the serial file.
+- name: Sign and create the server crt
+  delegated_serial_command:
+    command: >
+      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+      -out {{ etcd_cert_prefix }}server.crt
+      -in {{ etcd_cert_prefix }}server.csr
+      -extensions {{ etcd_ca_exts_server }} -batch
+    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
+                 ~ etcd_cert_prefix ~ 'server.crt' }}"
+  environment:
+    SAN: "IP:{{ etcd_ip }}"
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Create the peer csr
+  command: >
+    openssl req -new -keyout {{ etcd_cert_prefix }}peer.key
+    -config {{ etcd_openssl_conf }}
+    -out {{ etcd_cert_prefix }}peer.csr
+    -reqexts {{ etcd_req_ext }} -batch -nodes
+    -subj /CN={{ etcd_hostname }}
+  args:
+    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
+                 ~ etcd_cert_prefix ~ 'peer.csr' }}"
+  environment:
+    SAN: "IP:{{ etcd_ip }}"
+  when: etcd_server_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Sign and create the peer crt
+  delegated_serial_command:
+    command: >
+      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
+      -out {{ etcd_cert_prefix }}peer.crt
+      -in {{ etcd_cert_prefix }}peer.csr
+      -extensions {{ etcd_ca_exts_peer }} -batch
+    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
+    creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
+                 ~ etcd_cert_prefix ~ 'peer.crt' }}"
+  environment:
+    SAN: "IP:{{ etcd_ip }}"
+  when: etcd_server_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- file:
+    src: "{{ etcd_ca_cert }}"
+    dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
+    state: hard
+  when: etcd_server_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Create local temp directory for syncing certs
+  local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
+  register: g_etcd_server_mktemp
+  changed_when: False
+  when: etcd_server_certs_missing | bool
+  delegate_to: localhost
+
+- name: Create a tarball of the etcd certs
+  command: >
+    tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
+      -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
+  args:
+    creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
+  when: etcd_server_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Retrieve etcd cert tarball
+  fetch:
+    src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
+    dest: "{{ g_etcd_server_mktemp.stdout }}/"
+    flat: yes
+    fail_on_missing: yes
+    validate_checksum: yes
+  when: etcd_server_certs_missing | bool
+  delegate_to: "{{ etcd_ca_host }}"
+
+- name: Ensure certificate directory exists
+  file:
+    path: "{{ etcd_cert_config_dir }}"
+    state: directory
+  when: etcd_server_certs_missing | bool
+
+- name: Unarchive cert tarball
+  unarchive:
+    src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
+    dest: "{{ etcd_cert_config_dir }}"
+  when: etcd_server_certs_missing | bool
+
+- name: Delete temporary directory
+  file: name={{ g_etcd_server_mktemp.stdout }} state=absent
+  changed_when: False
+  when: etcd_server_certs_missing | bool
+  delegate_to: localhost
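Review bot: "Sign and create the server crt" is the only task in this file without `when: etcd_server_certs_missing | bool`; on a host whose certificates already exist it still runs on `{{ etcd_ca_host }}` and will fail on `chdir` whenever the generated_certs subdirectory is absent there, because the directory task above it is skipped. Add `when: etcd_server_certs_missing | bool` after its `environment:` block, exactly as the peer signing task does. The two `delegate_to: localhost` tasks here also lack the `become: no` the client role sets on the equivalent tasks, so with play-level become they would attempt local privilege escalation for a `mktemp`/cleanup that does not need it. The same tarball-retention concern raised on the client role applies to "Create a tarball of the etcd certs" here.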

+ 4 - 2
roles/flannel/meta/main.yml

@@ -4,7 +4,7 @@ galaxy_info:
   description: flannel management
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.2
+  min_ansible_version: 2.1
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,6 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- { role: openshift_facts }
+- role: openshift_facts
+- role: openshift_etcd_client_certificates
+  etcd_cert_prefix: flannel.etcd-
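Review bot: The new dependency names `openshift_etcd_client_certificates`, but the only such role visible in this commit is `openshift_etcd_certificates`, whose meta is updated below to depend on `etcd_client_certificates`; unless that role is renamed elsewhere in the commit, this dependency will not resolve. If the rename is intended, the description edit on `roles/openshift_etcd_certificates/meta/main.yml` suggests the directory itself should move to match the name used here.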

+ 4 - 4
roles/openshift_etcd_certificates/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
-  author: Andrew Butcher
-  description: OpenShift etcd Certificates
+  author: Jason DeTiberus
+  description: OpenShift Etcd Client Certificates
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.9
+  min_ansible_version: 2.1
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
 dependencies:
 - role: openshift_etcd_facts
-- role: etcd_certificates
+- role: etcd_client_certificates

+ 5 - 0
roles/openshift_etcd_facts/vars/main.yml

@@ -3,3 +3,8 @@ etcd_is_containerized: "{{ openshift.common.is_containerized }}"
 etcd_is_atomic: "{{ openshift.common.is_atomic }}"
 etcd_hostname: "{{ openshift.common.hostname }}"
 etcd_ip: "{{ openshift.common.ip }}"
+etcd_cert_subdir: "etcd-{{ openshift.common.hostname }}"
+etcd_cert_prefix:
+etcd_cert_config_dir: /etc/etcd
+etcd_peer_url_scheme: https
+etcd_url_scheme: https

+ 0 - 1
roles/openshift_master/meta/main.yml

@@ -12,4 +12,3 @@ galaxy_info:
   categories:
   - cloud
 dependencies: []
-