authorAndrew Butcher <abutcher@redhat.com>2017-01-17 12:28:00 -0500
committerAndrew Butcher <abutcher@redhat.com>2017-01-17 12:28:00 -0500
commitc25212b12ef7f7bd785f2a476f917eb439e3600a (patch)
tree0000e74f3bf5fc749ccb669c4f57589f2c12aad8
parentb30c15b83937e45b7b3356ef4cb6e93c9203ff68 (diff)
Ensure serial certificate generation for node and master certificates.
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml27
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml26
2 files changed, 33 insertions, 20 deletions
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index 118a04d8f..a1688aabc 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -30,7 +30,6 @@
| oo_collect(attribute='stat.exists')
| list)) }}"
-
- name: Ensure the generated_configs directory present
file:
path: "{{ openshift_master_generated_config_dir }}"
@@ -41,28 +40,32 @@
- name: Create the master server certificate
command: >
- {{ openshift.common.client_binary }} adm ca create-server-cert
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
- --cert={{ openshift_master_generated_config_dir }}/master.server.crt
- --key={{ openshift_master_generated_config_dir }}/master.server.key
+ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
+ --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
+ --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
--overwrite=false
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- name: Generate the master client config
command: >
- {{ openshift.common.client_binary }} adm create-api-client-config
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
--certificate-authority={{ openshift_ca_cert }}
- --client-dir={{ openshift_master_generated_config_dir }}
+ --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
--groups=system:masters,system:openshift-master
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
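Review bot: The loop over masters now takes hostnames and output paths from `hostvars[item]`, but the named-certificate expansion on the command's third line (`openshift.master.named_certificates | default([]) | oo_collect('cafile')`) and the `--master`/`--public-master` values at the end of the client-config command still read the facts of whichever host the `run_once` task happens to execute on, so every master's server certificate and client config are built with that single host's named CA list. If named certificates can differ between masters, the `for` should read `{% for named_ca_certificate in hostvars[item].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}` in both tasks, and `--master`/`--public-master` should be sourced from `hostvars[openshift_ca_host]` as the node role already does for `--master`. The "Generate the master client config" task continues past the end of this hunk.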
@@ -72,9 +75,13 @@
--user=system:openshift-master
--basename=openshift-master
args:
- creates: "{{ openshift_master_generated_config_dir }}/openshift-master.kubeconfig"
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- file:
src: "{{ openshift_master_config_dir }}/{{ item }}"
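Review bot: The four-line `with_items` expression on the client-config task is a verbatim copy of the one on the server-certificate task in the previous hunk, and the same selection appears twice more in the node role's hunk; computing the host list once in a `set_fact` placed before both tasks (for example a constructed name such as `openshift_masters_needing_certs`) and using `with_items: "{{ openshift_masters_needing_certs }}"` in each task keeps the two loops from drifting apart. Note also that `filters={'master_certs_missing':True}` is an equality match, whereas the removed `when:` coerced with `| bool`; if that fact is ever stored as a string rather than a boolean, the filter silently selects no hosts and no certificates are generated, so it is worth confirming where `master_certs_missing` is set. The enclosing task begins in the previous hunk.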
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 717bf3cea..a263f4f3a 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -49,32 +49,38 @@
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
--certificate-authority={{ openshift_ca_cert }}
- --client-dir={{ openshift_node_generated_config_dir }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
--groups=system:nodes
--master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
- --user=system:node:{{ openshift.common.hostname }}
+ --user=system:node:{{ hostvars[item].openshift.common.hostname }}
args:
- creates: "{{ openshift_node_generated_config_dir }}"
- when: node_certs_missing | bool
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- name: Generate the node server certificate
command: >
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
- --cert={{ openshift_node_generated_config_dir }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+ --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
--overwrite=true
- --hostnames={{ openshift.common.hostname }},{{ openshift.common.public_hostname }},{{ openshift.common.ip }},{{ openshift.common.public_ip }}
+ --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
args:
- creates: "{{ openshift_node_generated_config_dir }}/server.crt"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host}}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_nodes_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- name: Create local temp directory for syncing certs
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
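Review bot: The node server-certificate task keeps `--overwrite=true` while its `creates:` guard names the same `server.crt` path, so the flag can never take effect while the guard holds, and it diverges from the master task, which passes `--overwrite=false`; if the guard is ever relaxed this would silently re-issue an existing node's key pair, so `--overwrite=false` is the safer and consistent choice. With `run_once: true` the loop is evaluated from `hostvars` for every host in `oo_nodes_to_config`, which presumably requires `node_certs_missing` and the `openshift.common.*` facts to already be populated for nodes outside the current batch when the play runs with `serial` — worth confirming, since an undefined attribute would fail or skip the loop item. The "Generate the node client config" task whose command is edited at the top of this hunk starts before the hunk.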