okd/roles/openshift_service_catalog/tasks/wire_aggregator.yml

---
- name: Make temp cert dir
  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
  register: certtemp
  changed_when: False

- name: Check for First Master Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: first_proxy_ca_crt
  changed_when: false
  delegate_to: "{{ first_master }}"

- name: Check for First Master Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: first_proxy_ca_key
  changed_when: false
  delegate_to: "{{ first_master }}"


# TODO: this currently has a bug where hostnames are required
- name: Creating First Master Aggregator signer certs
  command: >
    oc adm ca create-signer-cert
    --cert=/etc/origin/master/front-proxy-ca.crt
    --key=/etc/origin/master/front-proxy-ca.key
    --serial=/etc/origin/master/ca.serial.txt
  delegate_to: "{{ first_master }}"
  when:
  - not first_proxy_ca_crt.stat.exists
  - not first_proxy_ca_key.stat.exists

- name: Check for Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: proxy_ca_crt
  changed_when: false

- name: Check for Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: proxy_ca_key
  changed_when: false

- name: Copy Aggregator Signer certs from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
  with_items:
  - front-proxy-ca.crt
  - front-proxy-ca.key
  delegate_to: "{{ first_master }}"
  when:
  - not proxy_ca_key.stat.exists
  - not proxy_ca_crt.stat.exists

- name: Copy Aggregator Signer certs to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
  with_items:
  - front-proxy-ca.crt
  - front-proxy-ca.key
  when:
  - not proxy_ca_key.stat.exists
  - not proxy_ca_crt.stat.exists

#  oc_adm_ca_server_cert:
#    cert: /etc/origin/master/front-proxy-ca.crt
#    key: /etc/origin/master/front-proxy-ca.key

- name: Check for first master api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: first_front_proxy_kubeconfig
  delegate_to: "{{ first_master }}"

- name: Create first master api-client config for Aggregator
  command: >
    oc adm create-api-client-config
    --certificate-authority=/etc/origin/master/front-proxy-ca.crt
    --signer-cert=/etc/origin/master/front-proxy-ca.crt
    --signer-key=/etc/origin/master/front-proxy-ca.key
    --user aggregator-front-proxy
    --client-dir=/etc/origin/master
    --signer-serial=/etc/origin/master/ca.serial.txt
  delegate_to: "{{ first_master }}"
  when:
  - not first_front_proxy_kubeconfig.stat.exists

- name: Check for api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: front_proxy_kubeconfig

- name: Copy api-client config from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
  delegate_to: "{{ first_master }}"
  with_items:
  - aggregator-front-proxy.crt
  - aggregator-front-proxy.key
  - aggregator-front-proxy.kubeconfig
  when:
  - not front_proxy_kubeconfig.stat.exists

- name: Copy api-client config to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
  with_items:
  - aggregator-front-proxy.crt
  - aggregator-front-proxy.key
  - aggregator-front-proxy.kubeconfig
  when:
  - not front_proxy_kubeconfig.stat.exists

- name: Update master config
  yedit:
    state: present
    src: /etc/origin/master/master-config.yaml
    edits:
    - key: aggregatorConfig.proxyClientInfo.certFile
      value: aggregator-front-proxy.crt
    - key: aggregatorConfig.proxyClientInfo.keyFile
      value: aggregator-front-proxy.key
    - key: authConfig.requestHeader.clientCA
      value: front-proxy-ca.crt
    - key: authConfig.requestHeader.clientCommonNames
      value: [aggregator-front-proxy]
    - key: authConfig.requestHeader.usernameHeaders
      value: [X-Remote-User]
    - key: authConfig.requestHeader.groupHeaders
      value: [X-Remote-Group]
    - key: authConfig.requestHeader.extraHeaderPrefixes
      value: [X-Remote-Extra-]
  register: yedit_output

#restart master serially here
- name: restart master
  systemd: name={{ openshift.common.service_type }}-master state=restarted
  when:
  - yedit_output.changed
  - openshift.master.ha is not defined or not openshift.master.ha | bool

- name: restart master api
  systemd: name={{ openshift.common.service_type }}-master-api state=restarted
  when:
  - yedit_output.changed
  - openshift.master.ha is defined and openshift.master.ha | bool
  - openshift.master.cluster_method == 'native'

- name: restart master controllers
  systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
  when:
  - yedit_output.changed
  - openshift.master.ha is defined and openshift.master.ha | bool
  - openshift.master.cluster_method == 'native'

- name: Verify API Server
  # Using curl here since the uri module requires python-httplib2 and
  # wait_for port doesn't provide health information.
  command: >
    curl --silent --tlsv1.2
    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
    {% else %}
    --cacert {{ openshift.common.config_base }}/master/ca.crt
    {% endif %}
    {{ openshift.master.api_url }}/healthz/ready
  args:
    # Disables the following warning:
    # Consider using get_url or uri module rather than running curl
    warn: no
  register: api_available_output
  until: api_available_output.stdout == 'ok'
  retries: 120
  delay: 1
  changed_when: false
  when:
  - yedit_output.changed

- name: Delete temp directory
  file:
    name: "{{ certtemp.stdout }}"
    state: absent
  changed_when: False