Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: fcd93e2dae
Branches Tags
okd
/
roles
/
openshift_service_catalog
/
tasks
/
wire_aggregator.yml

wire_aggregator.yml 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206 
  1. ---
    2. 

  2. - name: Make temp cert dir
    3. 

  3.   command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
    4. 

  4.   register: certtemp
    5. 

  5.   changed_when: False
    6. 

  6. 

  7. - name: Check for First Master Aggregator Signer cert
    8. 

  8.   stat:
    9. 

  9.     path: /etc/origin/master/front-proxy-ca.crt
    10. 

  10.   register: first_proxy_ca_crt
    11. 

  11.   changed_when: false
    12. 

  12.   delegate_to: "{{ first_master }}"
    13. 

  13. 

  14. - name: Check for First Master Aggregator Signer key
    15. 

  15.   stat:
    16. 

  16.     path: /etc/origin/master/front-proxy-ca.crt
    17. 

  17.   register: first_proxy_ca_key
    18. 

  18.   changed_when: false
    19. 

  19.   delegate_to: "{{ first_master }}"
    20. 

  20. 

  21. 

  22. # TODO: this currently has a bug where hostnames are required
    23. 

  23. - name: Creating First Master Aggregator signer certs
    24. 

  24.   command: >
    25. 

  25.     oc adm ca create-signer-cert
    26. 

  26.     --cert=/etc/origin/master/front-proxy-ca.crt
    27. 

  27.     --key=/etc/origin/master/front-proxy-ca.key
    28. 

  28.     --serial=/etc/origin/master/ca.serial.txt
    29. 

  29.   delegate_to: "{{ first_master }}"
    30. 

  30.   when:
    31. 

  31.   - not first_proxy_ca_crt.stat.exists
    32. 

  32.   - not first_proxy_ca_key.stat.exists
    33. 

  33. 

  34. - name: Check for Aggregator Signer cert
    35. 

  35.   stat:
    36. 

  36.     path: /etc/origin/master/front-proxy-ca.crt
    37. 

  37.   register: proxy_ca_crt
    38. 

  38.   changed_when: false
    39. 

  39. 

  40. - name: Check for Aggregator Signer key
    41. 

  41.   stat:
    42. 

  42.     path: /etc/origin/master/front-proxy-ca.crt
    43. 

  43.   register: proxy_ca_key
    44. 

  44.   changed_when: false
    45. 

  45. 

  46. - name: Copy Aggregator Signer certs from first master
    47. 

  47.   fetch:
    48. 

  48.     src: "/etc/origin/master/{{ item }}"
    49. 

  49.     dest: "{{ certtemp.stdout }}/{{ item }}"
    50. 

  50.     flat: yes
    51. 

  51.   with_items:
    52. 

  52.   - front-proxy-ca.crt
    53. 

  53.   - front-proxy-ca.key
    54. 

  54.   delegate_to: "{{ first_master }}"
    55. 

  55.   when:
    56. 

  56.   - not proxy_ca_key.stat.exists
    57. 

  57.   - not proxy_ca_crt.stat.exists
    58. 

  58. 

  59. - name: Copy Aggregator Signer certs to host
    60. 

  60.   copy:
    61. 

  61.     src: "{{ certtemp.stdout }}/{{ item }}"
    62. 

  62.     dest: "/etc/origin/master/{{ item }}"
    63. 

  63.   with_items:
    64. 

  64.   - front-proxy-ca.crt
    65. 

  65.   - front-proxy-ca.key
    66. 

  66.   when:
    67. 

  67.   - not proxy_ca_key.stat.exists
    68. 

  68.   - not proxy_ca_crt.stat.exists
    69. 

  69. 

  70. #  oc_adm_ca_server_cert:
    71. 

  71. #    cert: /etc/origin/master/front-proxy-ca.crt
    72. 

  72. #    key: /etc/origin/master/front-proxy-ca.key
    73. 

  73. 

  74. - name: Check for first master api-client config
    75. 

  75.   stat:
    76. 

  76.     path: /etc/origin/master/aggregator-front-proxy.kubeconfig
    77. 

  77.   register: first_front_proxy_kubeconfig
    78. 

  78.   delegate_to: "{{ first_master }}"
    79. 

  79. 

  80. - name: Create first master api-client config for Aggregator
    81. 

  81.   command: >
    82. 

  82.     oc adm create-api-client-config
    83. 

  83.     --certificate-authority=/etc/origin/master/front-proxy-ca.crt
    84. 

  84.     --signer-cert=/etc/origin/master/front-proxy-ca.crt
    85. 

  85.     --signer-key=/etc/origin/master/front-proxy-ca.key
    86. 

  86.     --user aggregator-front-proxy
    87. 

  87.     --client-dir=/etc/origin/master
    88. 

  88.     --signer-serial=/etc/origin/master/ca.serial.txt
    89. 

  89.   delegate_to: "{{ first_master }}"
    90. 

  90.   when:
    91. 

  91.   - not first_front_proxy_kubeconfig.stat.exists
    92. 

  92. 

  93. - name: Check for api-client config
    94. 

  94.   stat:
    95. 

  95.     path: /etc/origin/master/aggregator-front-proxy.kubeconfig
    96. 

  96.   register: front_proxy_kubeconfig
    97. 

  97. 

  98. - name: Copy api-client config from first master
    99. 

  99.   fetch:
    100. 

  100.     src: "/etc/origin/master/{{ item }}"
    101. 

  101.     dest: "{{ certtemp.stdout }}/{{ item }}"
    102. 

  102.     flat: yes
    103. 

  103.   delegate_to: "{{ first_master }}"
    104. 

  104.   with_items:
    105. 

  105.   - aggregator-front-proxy.crt
    106. 

  106.   - aggregator-front-proxy.key
    107. 

  107.   - aggregator-front-proxy.kubeconfig
    108. 

  108.   when:
    109. 

  109.   - not front_proxy_kubeconfig.stat.exists
    110. 

  110. 

  111. - name: Copy api-client config to host
    112. 

  112.   copy:
    113. 

  113.     src: "{{ certtemp.stdout }}/{{ item }}"
    114. 

  114.     dest: "/etc/origin/master/{{ item }}"
    115. 

  115.   with_items:
    116. 

  116.   - aggregator-front-proxy.crt
    117. 

  117.   - aggregator-front-proxy.key
    118. 

  118.   - aggregator-front-proxy.kubeconfig
    119. 

  119.   when:
    120. 

  120.   - not front_proxy_kubeconfig.stat.exists
    121. 

  121. 

  122. - name: copy tech preview extension file for service console UI
    123. 

  123.   copy:
    124. 

  124.     src: openshift-ansible-catalog-console.js
    125. 

  125.     dest: /etc/origin/master/openshift-ansible-catalog-console.js
    126. 

  126. 

  127. - name: Update master config
    128. 

  128.   yedit:
    129. 

  129.     state: present
    130. 

  130.     src: /etc/origin/master/master-config.yaml
    131. 

  131.     edits:
    132. 

  132.     - key: aggregatorConfig.proxyClientInfo.certFile
    133. 

  133.       value: aggregator-front-proxy.crt
    134. 

  134.     - key: aggregatorConfig.proxyClientInfo.keyFile
    135. 

  135.       value: aggregator-front-proxy.key
    136. 

  136.     - key: authConfig.requestHeader.clientCA
    137. 

  137.       value: front-proxy-ca.crt
    138. 

  138.     - key: authConfig.requestHeader.clientCommonNames
    139. 

  139.       value: [aggregator-front-proxy]
    140. 

  140.     - key: authConfig.requestHeader.usernameHeaders
    141. 

  141.       value: [X-Remote-User]
    142. 

  142.     - key: authConfig.requestHeader.groupHeaders
    143. 

  143.       value: [X-Remote-Group]
    144. 

  144.     - key: authConfig.requestHeader.extraHeaderPrefixes
    145. 

  145.       value: [X-Remote-Extra-]
    146. 

  146.     - key: assetConfig.extensionScripts
    147. 

  147.       value: [/etc/origin/master/openshift-ansible-catalog-console.js]
    148. 

  148.     - key: kubernetesMasterConfig.apiServerArguments.runtime-config
    149. 

  149.       value: [apis/settings.k8s.io/v1alpha1=true]
    150. 

  150.     - key: admissionConfig.pluginConfig.PodPreset.configuration.kind
    151. 

  151.       value: DefaultAdmissionConfig
    152. 

  152.     - key: admissionConfig.pluginConfig.PodPreset.configuration.apiVersion
    153. 

  153.       value: v1
    154. 

  154.     - key: admissionConfig.pluginConfig.PodPreset.configuration.disable
    155. 

  155.       value: false
    156. 

  156.   register: yedit_output
    157. 

  157. 

  158. #restart master serially here
    159. 

  159. - name: restart master
    160. 

  160.   systemd: name={{ openshift.common.service_type }}-master state=restarted
    161. 

  161.   when:
    162. 

  162.   - yedit_output.changed
    163. 

  163.   - openshift.master.ha is not defined or not openshift.master.ha | bool
    164. 

  164. 

  165. - name: restart master api
    166. 

  166.   systemd: name={{ openshift.common.service_type }}-master-api state=restarted
    167. 

  167.   when:
    168. 

  168.   - yedit_output.changed
    169. 

  169.   - openshift.master.ha is defined and openshift.master.ha | bool
    170. 

  170.   - openshift.master.cluster_method == 'native'
    171. 

  171. 

  172. - name: restart master controllers
    173. 

  173.   systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
    174. 

  174.   when:
    175. 

  175.   - yedit_output.changed
    176. 

  176.   - openshift.master.ha is defined and openshift.master.ha | bool
    177. 

  177.   - openshift.master.cluster_method == 'native'
    178. 

  178. 

  179. - name: Verify API Server
    180. 

  180.   # Using curl here since the uri module requires python-httplib2 and
    181. 

  181.   # wait_for port doesn't provide health information.
    182. 

  182.   command: >
    183. 

  183.     curl --silent --tlsv1.2
    184. 

  184.     {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
    185. 

  185.     --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
    186. 

  186.     {% else %}
    187. 

  187.     --cacert {{ openshift.common.config_base }}/master/ca.crt
    188. 

  188.     {% endif %}
    189. 

  189.     {{ openshift.master.api_url }}/healthz/ready
    190. 

  190.   args:
    191. 

  191.     # Disables the following warning:
    192. 

  192.     # Consider using get_url or uri module rather than running curl
    193. 

  193.     warn: no
    194. 

  194.   register: api_available_output
    195. 

  195.   until: api_available_output.stdout == 'ok'
    196. 

  196.   retries: 120
    197. 

  197.   delay: 1
    198. 

  198.   changed_when: false
    199. 

  199.   when:
    200. 

  200.   - yedit_output.changed
    201. 

  201. 

  202. - name: Delete temp directory
    203. 

  203.   file:
    204. 

  204.     name: "{{ certtemp.stdout }}"
    205. 

  205.     state: absent
    206. 

  206.   changed_when: False
    207.