shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128
							---
- fail:
    msg: "openshift_ca_host variable must be defined for this role"
  when: openshift_ca_host is not defined

- fail:
    msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
  when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate)

- name: Install the base package for admin tooling
  package:
    name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
    state: present
  when: not openshift.common.is_containerized | bool
  register: install_result
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- name: Reload generated facts
  openshift_facts:
  when: install_result | changed
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- name: Create openshift_ca_config_dir if it does not exist
  file:
    path: "{{ openshift_ca_config_dir }}"
    state: directory
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- name: Determine if CA must be created
  stat:
    path: "{{ openshift_ca_config_dir }}/{{ item }}"
  register: g_master_ca_stat_result
  with_items:
  - ca-bundle.crt
  - ca.crt
  - ca.key
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- set_fact:
    master_ca_missing: "{{ False in (g_master_ca_stat_result.results
                                     | oo_collect(attribute='stat.exists')
                                     | list) }}"
  run_once: true

- name: Retain original serviceaccount keys
  copy:
    src: "{{ item }}"
    dest: "{{ item }}.keep"
    remote_src: true
  with_items:
  - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
  - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
  when: openshift_certificates_redeploy | default(false) | bool

- name: Deploy master ca certificate
  copy:
    src: "{{ item.src }}"
    dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
    force: no
  with_items:
  - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
    dest: ca.crt
  - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
    dest: ca.key
  when: openshift_master_ca_certificate is defined
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- name: Create ca serial
  copy:
    content: "00"
    dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
    force: "{{ openshift_certificates_redeploy | default(false) | bool }}"
  when: openshift_master_ca_certificate is defined
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- find:
    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
    patterns: ".*-ca.crt"
    use_regex: true
  register: g_master_legacy_ca_result

# This should NOT replace the CA due to --overwrite=false when a CA already exists.
- name: Create the master certificates if they do not already exist
  command: >
    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs
    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %}
    --certificate-authority {{ legacy_ca_certificate }}
    {% endfor %}
    --hostnames={{ openshift.common.all_hostnames | join(',') }}
    --master={{ openshift.master.api_url }}
    --public-master={{ openshift.master.public_api_url }}
    --cert-dir={{ openshift_ca_config_dir }}
    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
    --expire-days={{ openshift_master_cert_expire_days }}
    --signer-expire-days={{ openshift_ca_cert_expire_days }}
    {% endif %}
    --overwrite=false
  when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- name: Restore original serviceaccount keys
  copy:
    src: "{{ item }}.keep"
    dest: "{{ item }}"
    remote_src: true
  with_items:
  - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
  - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
  when: openshift_certificates_redeploy | default(false) | bool

- name: Remove backup serviceaccount keys
  file:
    path: "{{ item }}.keep"
    state: absent
  with_items:
  - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
  - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
  when: openshift_certificates_redeploy | default(false) | bool