shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120
							---
- name: Ensure CA certificate exists on openshift_ca_host
  stat:
    path: "{{ openshift_ca_cert }}"
  register: g_ca_cert_stat_result
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- fail:
    msg: >
      CA certificate {{ openshift_ca_cert }} doesn't exist on CA host
      {{ openshift_ca_host }}. Apply 'openshift_ca' role to
      {{ openshift_ca_host }}.
  when: not g_ca_cert_stat_result.stat.exists | bool
  run_once: true

- name: Check status of node certificates
  stat:
    path: "{{ openshift.common.config_base }}/node/{{ item }}"
  with_items:
  - "system:node:{{ openshift.common.hostname }}.crt"
  - "system:node:{{ openshift.common.hostname }}.key"
  - "system:node:{{ openshift.common.hostname }}.kubeconfig"
  - ca.crt
  - server.key
  - server.crt
  register: g_node_cert_stat_result

- set_fact:
    node_certs_missing: "{{ False in (g_node_cert_stat_result.results
                            | oo_collect(attribute='stat.exists')
                            | list) }}"

- name: Create openshift_generated_configs_dir if it does not exist
  file:
    path: "{{ openshift_generated_configs_dir }}"
    state: directory
    mode: 0700
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- name: Generate the node client config
  command: >
    {{ openshift.common.admin_binary }} create-api-client-config
      {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
      --certificate-authority {{ named_ca_certificate }}
      {% endfor %}
      --certificate-authority={{ openshift_ca_cert }}
      --client-dir={{ openshift_node_generated_config_dir }}
      --groups=system:nodes
      --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
      --signer-cert={{ openshift_ca_cert }}
      --signer-key={{ openshift_ca_key }}
      --signer-serial={{ openshift_ca_serial }}
      --user=system:node:{{ openshift.common.hostname }}
  args:
    creates: "{{ openshift_node_generated_config_dir }}"
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- name: Generate the node server certificate
  command: >
    {{ openshift.common.admin_binary }} ca create-server-cert
      --cert={{ openshift_node_generated_config_dir }}/server.crt
      --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
      --overwrite=true
      --hostnames={{ openshift.common.all_hostnames |join(",") }}
      --signer-cert={{ openshift_ca_cert }}
      --signer-key={{ openshift_ca_key }}
      --signer-serial={{ openshift_ca_serial }}
  args:
    creates: "{{ openshift_node_generated_config_dir }}/server.crt"
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host}}"

- name: Create local temp directory for syncing certs
  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
  register: node_cert_mktemp
  changed_when: False
  when: node_certs_missing | bool
  delegate_to: localhost
  become: no

- name: Create a tarball of the node config directories
  command: >
    tar -czvf {{ openshift_node_generated_config_dir }}.tgz
    --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
    -C {{ openshift_node_generated_config_dir }} .
  args:
    creates: "{{ openshift_node_generated_config_dir }}.tgz"
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- name: Retrieve the node config tarballs from the master
  fetch:
    src: "{{ openshift_node_generated_config_dir }}.tgz"
    dest: "{{ node_cert_mktemp.stdout }}/"
    flat: yes
    fail_on_missing: yes
    validate_checksum: yes
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

- name: Ensure certificate directory exists
  file:
    path: "{{ openshift_node_cert_dir }}"
    state: directory
  when: node_certs_missing | bool

- name: Unarchive the tarball on the node
  unarchive:
    src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
    dest: "{{ openshift_node_cert_dir }}"
  when: node_certs_missing | bool

- file: name={{ node_cert_mktemp.stdout }} state=absent
  changed_when: False
  when: node_certs_missing | bool
  delegate_to: localhost
  become: no