Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 3bd5ae21ad
Branches Tags
okd
/
roles
/
openshift_ca
/
tasks
/
main.yml

main.yml 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 
  1. ---
    2. 

  2. - fail:
    3. 

  3.     msg: "openshift_ca_host variable must be defined for this role"
    4. 

  4.   when: openshift_ca_host is not defined
    5. 

  5. 

  6. - fail:
    7. 

  7.     msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
    8. 

  8.   when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate)
    9. 

  9. 

  10. - name: Install the base package for admin tooling
    11. 

  11.   action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
    12. 

  12.   when: not openshift.common.is_containerized | bool
    13. 

  13.   register: install_result
    14. 

  14.   delegate_to: "{{ openshift_ca_host }}"
    15. 

  15.   run_once: true
    16. 

  16. 

  17. - name: Reload generated facts
    18. 

  18.   openshift_facts:
    19. 

  19.   when: install_result | changed
    20. 

  20.   delegate_to: "{{ openshift_ca_host }}"
    21. 

  21.   run_once: true
    22. 

  22. 

  23. - name: Create openshift_ca_config_dir if it does not exist
    24. 

  24.   file:
    25. 

  25.     path: "{{ openshift_ca_config_dir }}"
    26. 

  26.     state: directory
    27. 

  27.   delegate_to: "{{ openshift_ca_host }}"
    28. 

  28.   run_once: true
    29. 

  29. 

  30. - name: Determine if CA must be created
    31. 

  31.   stat:
    32. 

  32.     path: "{{ openshift_ca_config_dir }}/{{ item }}"
    33. 

  33.   register: g_master_ca_stat_result
    34. 

  34.   with_items:
    35. 

  35.   - ca-bundle.crt
    36. 

  36.   - ca.crt
    37. 

  37.   - ca.key
    38. 

  38.   delegate_to: "{{ openshift_ca_host }}"
    39. 

  39.   run_once: true
    40. 

  40. 

  41. - set_fact:
    42. 

  42.     master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
    43. 

  43.                            else False in (g_master_ca_stat_result.results
    44. 

  44.                                          | oo_collect(attribute='stat.exists')
    45. 

  45.                                          | list) }}"
    46. 

  46.   run_once: true
    47. 

  47. 

  48. - name: Retain original serviceaccount keys
    49. 

  49.   copy:
    50. 

  50.     src: "{{ item }}"
    51. 

  51.     dest: "{{ item }}.keep"
    52. 

  52.     remote_src: true
    53. 

  53.   with_items:
    54. 

  54.   - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
    55. 

  55.   - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
    56. 

  56.   when: openshift_certificates_redeploy | default(false) | bool
    57. 

  57. 

  58. - name: Deploy master ca certificate
    59. 

  59.   copy:
    60. 

  60.     src: "{{ item.src }}"
    61. 

  61.     dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
    62. 

  62.     force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}"
    63. 

  63.   with_items:
    64. 

  64.   - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
    65. 

  65.     dest: ca.crt
    66. 

  66.   - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
    67. 

  67.     dest: ca.key
    68. 

  68.   when: openshift_master_ca_certificate is defined
    69. 

  69.   delegate_to: "{{ openshift_ca_host }}"
    70. 

  70.   run_once: true
    71. 

  71. 

  72. - name: Create ca serial
    73. 

  73.   copy:
    74. 

  74.     content: "1"
    75. 

  75.     dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
    76. 

  76.     force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}"
    77. 

  77.   when: openshift_master_ca_certificate is defined
    78. 

  78.   delegate_to: "{{ openshift_ca_host }}"
    79. 

  79.   run_once: true
    80. 

  80. 

  81. - name: Create the master certificates if they do not already exist
    82. 

  82.   command: >
    83. 

  83.     {{ openshift.common.admin_binary }} create-master-certs
    84. 

  84.     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
    85. 

  85.     --certificate-authority {{ named_ca_certificate }}
    86. 

  86.     {% endfor %}
    87. 

  87.     --hostnames={{ openshift_master_hostnames | join(',') }}
    88. 

  88.     --master={{ openshift.master.api_url }}
    89. 

  89.     --public-master={{ openshift.master.public_api_url }}
    90. 

  90.     --cert-dir={{ openshift_ca_config_dir }}
    91. 

  91.     --overwrite=false
    92. 

  92.   when: master_ca_missing | bool
    93. 

  93.   delegate_to: "{{ openshift_ca_host }}"
    94. 

  94.   run_once: true
    95. 

  95. 

  96. - name: Restore original serviceaccount keys
    97. 

  97.   copy:
    98. 

  98.     src: "{{ item }}.keep"
    99. 

  99.     dest: "{{ item }}"
    100. 

  100.     remote_src: true
    101. 

  101.   with_items:
    102. 

  102.   - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
    103. 

  103.   - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
    104. 

  104.   when: openshift_certificates_redeploy | default(false) | bool
    105. 

  105. 

  106. - name: Remove backup serviceaccount keys
    107. 

  107.   file:
    108. 

  108.     path: "{{ item }}.keep"
    109. 

  109.     state: absent
    110. 

  110.   with_items:
    111. 

  111.   - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
    112. 

  112.   - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
    113. 

  113.   when: openshift_certificates_redeploy | default(false) | bool
    114.