| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 |
- ---
- - name: Update router certificates
- hosts: oo_first_master
- vars:
- roles:
- - lib_openshift
- tasks:
- - name: Create temp directory for kubeconfig
- command: mktemp -d /tmp/openshift-ansible-XXXXXX
- register: mktemp
- changed_when: false
- - name: Copy admin client config(s)
- command: >
- cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
- changed_when: false
- - name: Determine if router exists
- command: >
- {{ openshift.common.client_binary }} get dc/router -o json
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
- register: l_router_dc
- failed_when: false
- changed_when: false
- - set_fact:
- router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
- | oo_collect('name'))
- | default([]) }}"
- router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes']
- | oo_collect('secret')
- | oo_collect('secretName'))
- | default([]) }}"
- changed_when: false
- when: l_router_dc.rc == 0
- - name: Update router environment variables
- shell: >
- {{ openshift.common.client_binary }} env dc/router
- OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
- OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
- OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
- when: l_router_dc.rc == 0 and 'OPENSHIFT_CA_DATA' in router_env_vars and 'OPENSHIFT_CERT_DATA' in router_env_vars and 'OPENSHIFT_KEY_DATA' in router_env_vars
- - block:
- - name: Delete existing router certificate secret
- oc_secret:
- kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
- name: router-certs
- namespace: default
- state: absent
- run_once: true
- - name: Remove router service annotations
- command: >
- {{ openshift.common.client_binary }} annotate service/router
- service.alpha.openshift.io/serving-cert-secret-name-
- service.alpha.openshift.io/serving-cert-signed-by-
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
- - name: Add serving-cert-secret annotation to router service
- command: >
- {{ openshift.common.client_binary }} annotate service/router
- service.alpha.openshift.io/serving-cert-secret-name=router-certs
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
- when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is undefined
- - block:
- - assert:
- that:
- - "'certfile' in openshift_hosted_router_certificate"
- - "'keyfile' in openshift_hosted_router_certificate"
- - "'cafile' in openshift_hosted_router_certificate"
- msg: |-
- openshift_hosted_router_certificate has been set in the inventory but is
- missing one or more required keys. Ensure that 'certfile', 'keyfile',
- and 'cafile' keys have been specified for the openshift_hosted_router_certificate
- inventory variable.
- - name: Read router certificate and key
- become: no
- local_action:
- module: slurp
- src: "{{ item }}"
- register: openshift_router_certificate_output
- # Defaulting dictionary keys to none to avoid deprecation warnings
- # (future fatal errors) during template evaluation. Dictionary keys
- # won't be accessed unless openshift_hosted_router_certificate is
- # defined and has all keys (certfile, keyfile, cafile) which we
- # check above.
- with_items:
- - "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}"
- - "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}"
- - "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}"
- - name: Write temporary router certificate file
- copy:
- content: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
- dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
- mode: 0600
- - name: Write temporary router key file
- copy:
- content: "{{ (openshift_router_certificate_output.results
- | oo_collect('content', {'source':(openshift_hosted_router_certificate | default({'keyfile':none})).keyfile}))[0] | b64decode }}"
- dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
- mode: 0600
- - name: Replace router-certs secret
- shell: >
- {{ openshift.common.client_binary }} secrets new router-certs
- tls.crt="{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
- tls.key="{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
- --type=kubernetes.io/tls
- --config={{ mktemp.stdout }}/admin.kubeconfig
- --confirm
- -o json | {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig replace -f -
- - name: Remove temporary router certificate and key files
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
- - "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
- when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is defined
- - name: Redeploy router
- command: >
- {{ openshift.common.client_binary }} deploy dc/router
- --latest
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
- - name: Delete temp directory
- file:
- name: "{{ mktemp.stdout }}"
- state: absent
- changed_when: False
|
