Remove unused/broken node cert plays

This commit removes node certificate plays that are no
longer in use.

playbooks/openshift-node/certificates.yml

@@ -1,4 +0,0 @@
----
-- import_playbook: ../init/main.yml
-
-- import_playbook: private/certificates.yml

playbooks/openshift-node/private/certificates-backup.yml

@@ -1,24 +0,0 @@
----
-- name: Ensure node directory is absent from generated configs
-  hosts: oo_first_master
-  tasks:
-  # The generated configs directory (/etc/origin/generated-configs) is
-  # backed up during redeployment of the control plane certificates.
-  # We need to ensure that the generated config directory for
-  # individual nodes has been deleted before continuing, so verify
-  # that it is missing here.
-  - name: Ensure node directories and tarballs are absent from generated configs
-    shell: >
-      rm -rf {{ openshift.common.config_base }}/generated-configs/node-*
-    args:
-      warn: no
-
-- name: Redeploy node certificates
-  hosts: oo_nodes_to_config
-  pre_tasks:
-  - name: Remove CA certificate
-    file:
-      path: "{{ item }}"
-      state: absent
-    with_items:
-    - "{{ openshift.common.config_base }}/node/ca.crt"

playbooks/openshift-node/private/certificates.yml

@@ -1,6 +0,0 @@
----
-- name: Create OpenShift certificates for node hosts
-  hosts: oo_nodes_to_config
-  gather_facts: no
-  roles:
-  - role: openshift_node_certificates

playbooks/openshift-node/private/redeploy-certificates.yml

@@ -1,6 +0,0 @@
----
-- import_playbook: certificates-backup.yml
-
-- import_playbook: certificates.yml
-  vars:
-    openshift_certificates_redeploy: true

playbooks/openshift-node/redeploy-certificates.yml

@@ -1,8 +0,0 @@
----
-- import_playbook: ../init/main.yml
-
-- import_playbook: private/redeploy-certificates.yml
-
-- import_playbook: private/restart.yml
-  vars:
-    openshift_node_restart_docker_required: False

playbooks/redeploy-certificates.yml

@@ -5,8 +5,6 @@
 
 - import_playbook: openshift-master/private/redeploy-certificates.yml
 
-- import_playbook: openshift-node/private/redeploy-certificates.yml
-
 - import_playbook: openshift-etcd/private/restart.yml
   vars:
     g_etcd_certificates_expired: "{{ ('expired' in (hostvars | lib_utils_oo_select_keys(groups['etcd']) | lib_utils_oo_collect('check_results.check_results.etcd') | lib_utils_oo_collect('health'))) | bool }}"

roles/openshift_node_certificates/OWNERS

@@ -1,14 +0,0 @@
-# approval == this is a good idea /approve
-approvers:
-  - abutcher
-  - michaelgugino
-  - mtnbikenc
-  - sdodson
-  - vrutkovs
-# review == this code is good /lgtm
-reviewers:
-  - abutcher
-  - michaelgugino
-  - mtnbikenc
-  - sdodson
-  - vrutkovs

roles/openshift_node_certificates/README.md

@@ -1,52 +0,0 @@
-OpenShift Node Certificates
-===========================
-
-This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
-
-Requirements
-------------
-
-* Ansible 2.2
-
-Role Variables
---------------
-
-From `openshift_ca`:
-
-| Name                                | Default value                                                           | Description                                                                                                               |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-
-From this role:
-
-| Name                                | Default value                                                           | Description                                                                                                               |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir     | `{{ openshift.common.config_base }}/generated-configs`                  | Directory in which per-node generated config directories will be created on the `openshift_ca_host`.                      |
-| openshift_node_cert_subdir          | `node-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
-| openshift_node_cert_expire_days     | `730` (2 years)                                                         | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later.                              |
-| openshift_node_config_dir           | `{{ openshift.common.config_base }}/node`                               | Node configuration directory in which certificates will be deployed on nodes.                                             |
-| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory.                                                                     |
-
-Dependencies
-------------
-
-* openshift_ca
-
-Example Playbook
-----------------
-
-```
-- name: Create OpenShift Node Certificates
-  hosts: nodes
-  roles:
-  - role: openshift_node_certificates
-```
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Jason DeTiberus (jdetiber@redhat.com)

roles/openshift_node_certificates/defaults/main.yml

@@ -1,4 +0,0 @@
----
-openshift_node_cert_expire_days: 730
-
-openshift_docker_service_name: "docker"

roles/openshift_node_certificates/handlers/main.yml

@@ -1,27 +0,0 @@
----
-- name: update ca trust
-  command: update-ca-trust
-  notify:
-    - check for container runtime after updating ca trust
-
-- name: check for container runtime after updating ca trust
-  command: >
-    systemctl -q is-active {{ openshift_docker_service_name }}.service
-  register: l_docker_installed
-  # An rc of 0 indicates that the container runtime service is
-  # running. We will restart it by notifying the restart handler since
-  # we have updated the system CA trust.
-  changed_when: l_docker_installed.rc == 0
-  failed_when: false
-  notify:
-    - restart container runtime after updating ca trust
-
-- name: restart container runtime after updating ca trust
-  systemd:
-    name: "{{ openshift_docker_service_name }}"
-    state: restarted
-  when: not openshift_certificates_redeploy | default(false) | bool
-  register: l_docker_restart_docker_in_cert_result
-  until: not (l_docker_restart_docker_in_cert_result is failed)
-  retries: 3
-  delay: 30

roles/openshift_node_certificates/meta/main.yml

@@ -1,17 +0,0 @@
----
-galaxy_info:
-  author: Jason DeTiberus
-  description: OpenShift Node Certificates
-  company: Red Hat, Inc.
-  license: Apache License, Version 2.0
-  min_ansible_version: 2.2
-  platforms:
-  - name: EL
-    versions:
-    - 7
-  categories:
-  - cloud
-  - system
-dependencies:
-- role: lib_utils
-- role: openshift_facts

roles/openshift_node_certificates/tasks/main.yml

@@ -1,151 +0,0 @@
----
-- name: Ensure CA certificate exists on openshift_ca_host
-  stat:
-    path: "{{ openshift_ca_cert }}"
-    get_checksum: false
-    get_attributes: false
-    get_mime: false
-  register: g_ca_cert_stat_result
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- fail:
-    msg: >
-      CA certificate {{ openshift_ca_cert }} doesn't exist on CA host
-      {{ openshift_ca_host }}. Apply 'openshift_ca' role to
-      {{ openshift_ca_host }}.
-  when: not g_ca_cert_stat_result.stat.exists | bool
-  run_once: true
-
-- name: Check status of node certificates
-  stat:
-    path: "{{ openshift.common.config_base }}/node/{{ item }}"
-    get_checksum: false
-    get_attributes: false
-    get_mime: false
-  with_items:
-  - "system:node:{{ openshift.common.hostname | lower }}.crt"
-  - "system:node:{{ openshift.common.hostname | lower }}.key"
-  - "system:node:{{ openshift.common.hostname | lower }}.kubeconfig"
-  - ca.crt
-  - server.key
-  - server.crt
-  register: g_node_cert_stat_result
-  when: not openshift_certificates_redeploy | default(false) | bool
-
-- set_fact:
-    node_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
-                            else (False in (g_node_cert_stat_result.results
-                                            | default({})
-                                            | lib_utils_oo_collect(attribute='stat.exists')
-                                            | list)) }}"
-
-- name: Create openshift_generated_configs_dir if it does not exist
-  file:
-    path: "{{ openshift_generated_configs_dir }}"
-    state: directory
-    mode: 0700
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- find:
-    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
-    patterns: ".*-ca.crt"
-    use_regex: true
-  register: g_master_legacy_ca_result
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Generate the node client config
-  command: >
-    {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm create-api-client-config
-    {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
-    --certificate-authority {{ named_ca_certificate }}
-    {% endfor %}
-    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
-    --certificate-authority {{ legacy_ca_certificate }}
-    {% endfor %}
-    --certificate-authority={{ openshift_ca_cert }}
-    --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}
-    --groups=system:nodes
-    --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
-    --signer-cert={{ openshift_ca_cert }}
-    --signer-key={{ openshift_ca_key }}
-    --signer-serial={{ openshift_ca_serial }}
-    --user=system:node:{{ hostvars[item].openshift.common.hostname | lower }}
-    --expire-days={{ openshift_node_cert_expire_days }}
-  args:
-    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}"
-  with_items: "{{ hostvars
-                  | lib_utils_oo_select_keys(groups['oo_nodes_to_config'])
-                  | lib_utils_oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- name: Generate the node server certificate
-  command: >
-    {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm ca create-server-cert
-    --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}/server.crt
-    --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}/server.key
-    --expire-days={{ openshift_node_cert_expire_days }}
-    --overwrite=true
-    --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.hostname | lower }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.public_hostname | lower }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
-    --signer-cert={{ openshift_ca_cert }}
-    --signer-key={{ openshift_ca_key }}
-    --signer-serial={{ openshift_ca_serial }}
-  args:
-    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}/server.crt"
-  with_items: "{{ hostvars
-                  | lib_utils_oo_select_keys(groups['oo_nodes_to_config'])
-                  | lib_utils_oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- name: Create a tarball of the node config directories
-  command: >
-    tar -czvf {{ openshift_node_generated_config_dir }}.tgz
-    --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
-    -C {{ openshift_node_generated_config_dir }} .
-  args:
-    creates: "{{ openshift_node_generated_config_dir }}.tgz"
-    # Disables the following warning:
-    # Consider using unarchive module rather than running tar
-    warn: no
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the node config tarballs from the master
-  fetch:
-    src: "{{ openshift_node_generated_config_dir }}.tgz"
-    dest: "/tmp"
-    fail_on_missing: yes
-    validate_checksum: yes
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
-  file:
-    path: "{{ openshift_node_cert_dir }}"
-    state: directory
-  when: node_certs_missing | bool
-
-- name: Unarchive the tarball on the node
-  unarchive:
-    src: "/tmp/{{ inventory_hostname }}/{{ openshift_node_generated_config_dir }}.tgz"
-    dest: "{{ openshift_node_cert_dir }}"
-  when: node_certs_missing | bool
-
-- name: Delete local temp directory
-  local_action: file path="/tmp/{{ inventory_hostname }}" state=absent
-  changed_when: False
-  when: node_certs_missing | bool
-
-- name: Copy OpenShift CA to system CA trust
-  copy:
-    src: "{{ item.cert }}"
-    dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
-    remote_src: yes
-  with_items:
-  - id: openshift
-    cert: "{{ openshift_node_cert_dir }}/ca.crt"
-  notify:
-  - update ca trust

roles/openshift_node_certificates/vars/main.yml

@@ -1,11 +0,0 @@
----
-openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_cert_subdir: "node-{{ openshift.common.hostname | lower }}"
-openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
-
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"