shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220
							---
- name: Make temp cert dir
  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
  register: certtemp
  changed_when: False

- name: Check for First Master Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: first_proxy_ca_crt
  changed_when: false
  delegate_to: "{{ groups.oo_first_master.0 }}"

- name: Check for First Master Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: first_proxy_ca_key
  changed_when: false
  delegate_to: "{{ groups.oo_first_master.0 }}"

# TODO: this currently has a bug where hostnames are required
- name: Creating First Master Aggregator signer certs
  command: >
    {{ hostvars[groups.oo_first_master.0]['first_master_client_binary'] }} adm ca create-signer-cert
    --cert=/etc/origin/master/front-proxy-ca.crt
    --key=/etc/origin/master/front-proxy-ca.key
    --serial=/etc/origin/master/ca.serial.txt
  delegate_to: "{{ groups.oo_first_master.0 }}"
  when:
  - not first_proxy_ca_crt.stat.exists
  - not first_proxy_ca_key.stat.exists

- name: Check for Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: proxy_ca_crt
  changed_when: false

- name: Check for Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: proxy_ca_key
  changed_when: false

- name: Copy Aggregator Signer certs from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: yes
  with_items:
  - front-proxy-ca.crt
  - front-proxy-ca.key
  delegate_to: "{{ groups.oo_first_master.0 }}"
  when:
  - not proxy_ca_key.stat.exists
  - not proxy_ca_crt.stat.exists

- name: Copy Aggregator Signer certs to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
  with_items:
  - front-proxy-ca.crt
  - front-proxy-ca.key
  when:
  - not proxy_ca_key.stat.exists
  - not proxy_ca_crt.stat.exists

#  oc_adm_ca_server_cert:
#    cert: /etc/origin/master/front-proxy-ca.crt
#    key: /etc/origin/master/front-proxy-ca.key

- name: Check for first master api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: first_front_proxy_kubeconfig
  delegate_to: "{{ groups.oo_first_master.0 }}"
  run_once: true

# create-api-client-config generates a ca.crt file which will
# overwrite the OpenShift CA certificate.  Generate the aggregator
# kubeconfig in a temporary directory and then copy files into the
# master config dir to avoid overwriting ca.crt.
- block:
  - name: Create first master api-client config for Aggregator
    command: >
      {{ hostvars[groups.oo_first_master.0]['first_master_client_binary'] }} adm create-api-client-config
      --certificate-authority=/etc/origin/master/front-proxy-ca.crt
      --signer-cert=/etc/origin/master/front-proxy-ca.crt
      --signer-key=/etc/origin/master/front-proxy-ca.key
      --user aggregator-front-proxy
      --client-dir={{ certtemp.stdout }}
      --signer-serial=/etc/origin/master/ca.serial.txt
    delegate_to: "{{ groups.oo_first_master.0 }}"
    run_once: true
  - name: Copy first master api-client config for Aggregator
    copy:
      src: "{{ certtemp.stdout }}/{{ item }}"
      dest: "/etc/origin/master/"
      remote_src: true
    with_items:
    - aggregator-front-proxy.crt
    - aggregator-front-proxy.key
    - aggregator-front-proxy.kubeconfig
    delegate_to: "{{ groups.oo_first_master.0 }}"
    run_once: true
  when:
  - not first_front_proxy_kubeconfig.stat.exists

- name: Check for api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: front_proxy_kubeconfig

- name: Copy api-client config from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: yes
  delegate_to: "{{ groups.oo_first_master.0 }}"
  with_items:
  - aggregator-front-proxy.crt
  - aggregator-front-proxy.key
  - aggregator-front-proxy.kubeconfig
  when:
  - not front_proxy_kubeconfig.stat.exists

- name: Copy api-client config to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
  with_items:
  - aggregator-front-proxy.crt
  - aggregator-front-proxy.key
  - aggregator-front-proxy.kubeconfig
  when:
  - not front_proxy_kubeconfig.stat.exists

- name: Delete temp directory
  file:
    name: "{{ certtemp.stdout }}"
    state: absent
  changed_when: False

- name: Update master config
  yedit:
    state: present
    src: /etc/origin/master/master-config.yaml
    edits:
    - key: aggregatorConfig.proxyClientInfo.certFile
      value: aggregator-front-proxy.crt
    - key: aggregatorConfig.proxyClientInfo.keyFile
      value: aggregator-front-proxy.key
    - key: authConfig.requestHeader.clientCA
      value: front-proxy-ca.crt
    - key: authConfig.requestHeader.clientCommonNames
      value: [aggregator-front-proxy]
    - key: authConfig.requestHeader.usernameHeaders
      value: [X-Remote-User]
    - key: authConfig.requestHeader.groupHeaders
      value: [X-Remote-Group]
    - key: authConfig.requestHeader.extraHeaderPrefixes
      value: [X-Remote-Extra-]
    - key: kubernetesMasterConfig.apiServerArguments.runtime-config
      value: [apis/settings.k8s.io/v1alpha1=true]
    - key: admissionConfig.pluginConfig.PodPreset.configuration.kind
      value: DefaultAdmissionConfig
    - key: admissionConfig.pluginConfig.PodPreset.configuration.apiVersion
      value: v1
    - key: admissionConfig.pluginConfig.PodPreset.configuration.disable
      value: false
  register: yedit_output

# Only add the catalog extension script if not 3.9. From 3.9 on, the console
# can discover if template service broker is running.
- when: not openshift.common.version_gte_3_9
  block:
  - name: Setup extension file for service console UI
    template:
      src: ../templates/openshift-ansible-catalog-console.js
      dest: /etc/origin/master/openshift-ansible-catalog-console.js

  - name: Update master config
    yedit:
      state: present
      src: /etc/origin/master/master-config.yaml
      key: assetConfig.extensionScripts
      value: [/etc/origin/master/openshift-ansible-catalog-console.js]
    register: yedit_asset_config_output

#restart master serially here
- when: yedit_output.changed or (yedit_asset_config_output is defined and yedit_asset_config_output.changed)
  block:
  - name: restart master api
    systemd: name={{ openshift_service_type }}-master-api state=restarted

  # We retry the controllers because the API may not be 100% initialized yet.
  - name: restart master controllers
    command: "systemctl restart {{ openshift_service_type }}-master-controllers"
    retries: 3
    delay: 5
    register: result
    until: result.rc == 0

  - name: Verify API Server
    # Using curl here since the uri module requires python-httplib2 and
    # wait_for port doesn't provide health information.
    command: >
      curl --silent --tlsv1.2
      --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
      {{ openshift.master.api_url }}/healthz/ready
    args:
      # Disables the following warning:
      # Consider using get_url or uri module rather than running curl
      warn: no
    register: api_available_output
    until: api_available_output.stdout == 'ok'
    retries: 120
    delay: 1
    changed_when: false