Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 19b532d289
Branches Tags
okd
/
playbooks
/
openshift-hosted
/
private
/
redeploy-router-certificates.yml

redeploy-router-certificates.yml 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124 
  1. ---
    2. 

  2. - name: Update router certificates
    3. 

  3.   hosts: oo_first_master
    4. 

  4.   vars:
    5. 

  5.   roles:
    6. 

  6.   - lib_openshift
    7. 

  7.   tasks:
    8. 

  8.   - name: Create temp directory for kubeconfig
    9. 

  9.     command: mktemp -d /tmp/openshift-ansible-XXXXXX
    10. 

  10.     register: router_cert_redeploy_tempdir
    11. 

  11.     changed_when: false
    12. 

  12. 

  13.   - name: Copy admin client config(s)
    14. 

  14.     command: >
    15. 

  15.       cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
    16. 

  16.     changed_when: false
    17. 

  17. 

  18.   - name: Determine if router exists
    19. 

  19.     command: >
    20. 

  20.       {{ openshift_client_binary }} get dc/router -o json
    21. 

  21.       --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
    22. 

  22.       -n default
    23. 

  23.     register: l_router_dc
    24. 

  24.     failed_when: false
    25. 

  25.     changed_when: false
    26. 

  26. 

  27.   - name: Determine if router service exists
    28. 

  28.     command: >
    29. 

  29.       {{ openshift_client_binary }} get svc/router -o json
    30. 

  30.       --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
    31. 

  31.       -n default
    32. 

  32.     register: l_router_svc
    33. 

  33.     failed_when: false
    34. 

  34.     changed_when: false
    35. 

  35. 

  36.   - name: Collect router environment variables and secrets
    37. 

  37.     set_fact:
    38. 

  38.       router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
    39. 

  39.                              | lib_utils_oo_collect('name'))
    40. 

  40.                              | default([]) }}"
    41. 

  41.       router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes']
    42. 

  42.                             | lib_utils_oo_collect('secret')
    43. 

  43.                             | lib_utils_oo_collect('secretName'))
    44. 

  44.                             | default([]) }}"
    45. 

  45.     changed_when: false
    46. 

  46.     when: l_router_dc.rc == 0
    47. 

  47. 

  48.   - name: Collect router service annotations
    49. 

  49.     set_fact:
    50. 

  50.       router_service_annotations: "{{ (l_router_svc.stdout | from_json)['metadata']['annotations'] if 'annotations' in (l_router_svc.stdout | from_json)['metadata'] else [] }}"
    51. 

  51.     when: l_router_svc.rc == 0
    52. 

  52. 

  53.   - name: Update router environment variables
    54. 

  54.     shell: >
    55. 

  55.       {{ openshift_client_binary }} set env dc/router
    56. 

  56.       OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
    57. 

  57.       OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
    58. 

  58.       OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
    59. 

  59.       --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
    60. 

  60.       -n default
    61. 

  61.     when:
    62. 

  62.     - l_router_dc.rc == 0
    63. 

  63.     - ('OPENSHIFT_CA_DATA' in router_env_vars)
    64. 

  64.     - ('OPENSHIFT_CERT_DATA' in router_env_vars)
    65. 

  65.     - ('OPENSHIFT_KEY_DATA' in router_env_vars)
    66. 

  66. 

  67.   # When the router service contains service signer annotations we
    68. 

  68.   # will delete the existing certificate secret and allow OpenShift to
    69. 

  69.   # replace the secret.
    70. 

  70.   - block:
    71. 

  71.     - name: Delete existing router certificate secret
    72. 

  72.       oc_secret:
    73. 

  73.         kubeconfig: "{{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig"
    74. 

  74.         name: router-certs
    75. 

  75.         namespace: default
    76. 

  76.         state: absent
    77. 

  77.       run_once: true
    78. 

  78. 

  79.     - name: Remove router service annotations
    80. 

  80.       command: >
    81. 

  81.         {{ openshift_client_binary }} annotate service/router
    82. 

  82.         service.alpha.openshift.io/serving-cert-secret-name-
    83. 

  83.         service.alpha.openshift.io/serving-cert-signed-by-
    84. 

  84.         --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
    85. 

  85.         -n default
    86. 

  86. 

  87.     - name: Add serving-cert-secret annotation to router service
    88. 

  88.       command: >
    89. 

  89.         {{ openshift_client_binary }} annotate service/router
    90. 

  90.         service.alpha.openshift.io/serving-cert-secret-name=router-certs
    91. 

  91.         --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
    92. 

  92.         -n default
    93. 

  93.     when:
    94. 

  94.     - l_router_dc.rc == 0
    95. 

  95.     - l_router_svc.rc == 0
    96. 

  96.     - ('router-certs' in router_secrets)
    97. 

  97.     - openshift_hosted_router_certificate is undefined
    98. 

  98.     - ('service.alpha.openshift.io/serving-cert-secret-name') in router_service_annotations
    99. 

  99.     - ('service.alpha.openshift.io/serving-cert-signed-by') in router_service_annotations
    100. 

  100. 

  101.   - file:
    102. 

  102.       path: "{{ item }}"
    103. 

  103.       state: absent
    104. 

  104.     with_items:
    105. 

  105.     - /etc/origin/master/openshift-router.crt
    106. 

  106.     - /etc/origin/master/openshift-router.key
    107. 

  107.     when:
    108. 

  108.     - l_router_dc.rc == 0
    109. 

  109.     - l_router_svc.rc == 0
    110. 

  110.     - ('router-certs' in router_secrets)
    111. 

  111. 

  112.   - import_role:
    113. 

  113.       name: openshift_hosted
    114. 

  114.       tasks_from: router.yml
    115. 

  115.     when:
    116. 

  116.     - l_router_dc.rc == 0
    117. 

  117.     - l_router_svc.rc == 0
    118. 

  118.     - ('router-certs' in router_secrets)
    119. 

  119. 

  120.   - name: Delete temp directory
    121. 

  121.     file:
    122. 

  122.       name: "{{ router_cert_redeploy_tempdir.stdout }}"
    123. 

  123.       state: absent
    124. 

  124.     changed_when: False
    125.