shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126
							---
- set_fact:
    openshift_master_certs_no_etcd:
    - admin.crt
    - master.kubelet-client.crt
    - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
    - master.server.crt
    - openshift-master.crt
    - openshift-registry.crt
    - openshift-router.crt
    - etcd.server.crt
    openshift_master_certs_etcd:
    - master.etcd-client.crt

- set_fact:
    openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"

- name: Check status of master certificates
  stat:
    path: "{{ openshift_master_config_dir }}/{{ item }}"
  with_items:
  - "{{ openshift_master_certs }}"
  register: g_master_cert_stat_result

- set_fact:
    master_certs_missing: "{{ False in (g_master_cert_stat_result.results
                              | oo_collect(attribute='stat.exists')
                              | list) }}"

- name: Ensure the generated_configs directory present
  file:
    path: "{{ openshift_master_generated_config_dir }}"
    state: directory
    mode: 0700
  when: master_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- file:
    src: "{{ openshift_master_config_dir }}/{{ item }}"
    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: hard
  with_items:
  - ca.crt
  - ca.key
  - ca.serial.txt
  when: master_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- name: Create the master certificates if they do not already exist
  command: >
    {{ openshift.common.admin_binary }} create-master-certs
    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    --hostnames={{ openshift.common.all_hostnames | join(',') }}
    --master={{ openshift.master.api_url }}
    --public-master={{ openshift.master.public_api_url }}
    --cert-dir={{ openshift_master_generated_config_dir }}
    --overwrite=false
  when: master_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- file:
    src: "{{ openshift_master_config_dir }}/{{ item }}"
    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: hard
    force: true
  with_items:
  - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
  when: master_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- name: Remove generated etcd client certs when using external etcd
  file:
    path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: absent
  when: openshift_master_etcd_hosts | length > 0
  with_items:
  - master.etcd-client.crt
  - master.etcd-client.key
  delegate_to: "{{ openshift_ca_host }}"

- name: Create local temp directory for syncing certs
  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
  register: g_master_mktemp
  changed_when: False
  when: master_certs_missing | bool
  delegate_to: localhost
  become: no

- name: Create a tarball of the master certs
  command: >
    tar -czvf {{ openshift_master_generated_config_dir }}.tgz
      -C {{ openshift_master_generated_config_dir }} .
  args:
    creates: "{{ openshift_master_generated_config_dir }}.tgz"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"

- name: Retrieve the master cert tarball from the master
  fetch:
    src: "{{ openshift_master_generated_config_dir }}.tgz"
    dest: "{{ g_master_mktemp.stdout }}/"
    flat: yes
    fail_on_missing: yes
    validate_checksum: yes
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"

- name: Ensure certificate directory exists
  file:
    path: "{{ openshift_master_config_dir }}"
    state: directory
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host

- name: Unarchive the tarball on the master
  unarchive:
    src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
    dest: "{{ openshift_master_config_dir }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host

- file: name={{ g_master_mktemp.stdout }} state=absent
  changed_when: False
  when: master_certs_missing | bool
  delegate_to: localhost
  become: no