summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorewolinetz <ewolinet@redhat.com>2017-07-05 17:11:12 -0500
committerewolinetz <ewolinet@redhat.com>2017-07-05 17:11:12 -0500
commit96dea4b4a63e550248eeb404360514fed6cb08b0 (patch)
tree03ea1d9dc72b8cc3554ec087d2fb7685a77ff81c /roles
parent8c1343b778e39aca946b4014469810cece873a57 (diff)
downloadopenshift-96dea4b4a63e550248eeb404360514fed6cb08b0.tar.gz
openshift-96dea4b4a63e550248eeb404360514fed6cb08b0.tar.bz2
openshift-96dea4b4a63e550248eeb404360514fed6cb08b0.tar.xz
openshift-96dea4b4a63e550248eeb404360514fed6cb08b0.zip
Synching certs and aggregator configs from first master to all other masters
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml1
-rw-r--r--roles/openshift_service_catalog/tasks/wire_aggregator.yml107
2 files changed, 105 insertions, 3 deletions
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 6e8301ffe..1342c3d30 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -6,7 +6,6 @@
register: mktemp
changed_when: False
-
- include: wire_aggregator.yml
- name: Set default image variables based on deployment_type
diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
index 3e5897ba4..b8b8d0863 100644
--- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml
+++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
@@ -1,16 +1,82 @@
---
+- name: Make temp cert dir
+ command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
+ register: certtemp
+ changed_when: False
+
+- name: Check for First Master Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_crt
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+- name: Check for First Master Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_key
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+
# TODO: this currently has a bug where hostnames are required
-- name: Creating Aggregator signer certs
+- name: Creating First Master Aggregator signer certs
command: >
oc adm ca create-signer-cert
--cert=/etc/origin/master/front-proxy-ca.crt
--key=/etc/origin/master/front-proxy-ca.key
--serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_proxy_ca_crt.stat.exists
+ - not first_proxy_ca_key.stat.exists
+
+- name: Check for Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_crt
+ changed_when: false
+
+- name: Check for Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_key
+ changed_when: false
+
+- name: Copy Aggregator Signer certs from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ delegate_to: "{{ first_master }}"
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
+- name: Copy Aggregator Signer certs to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
# oc_adm_ca_server_cert:
# cert: /etc/origin/master/front-proxy-ca.crt
# key: /etc/origin/master/front-proxy-ca.key
-- name: Create api-client config for Aggregator
+- name: Check for first master api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: first_front_proxy_kubeconfig
+ delegate_to: "{{ first_master }}"
+
+- name: Create first master api-client config for Aggregator
command: >
oc adm create-api-client-config
--certificate-authority=/etc/origin/master/front-proxy-ca.crt
@@ -19,6 +85,37 @@
--user aggregator-front-proxy
--client-dir=/etc/origin/master
--signer-serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_front_proxy_kubeconfig.stat.exists
+
+- name: Check for api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: front_proxy_kubeconfig
+
+- name: Copy api-client config from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ delegate_to: "{{ first_master }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
+
+- name: Copy api-client config to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
- name: Update master config
yedit:
@@ -84,3 +181,9 @@
changed_when: false
when:
- yedit_output.changed
+
+- name: Delete temp directory
+ file:
+ name: "{{ certtemp.stdout }}"
+ state: absent
+ changed_when: False