Diffstat (limited to 'roles/contiv/tasks/api_proxy.yml')
-rw-r--r--roles/contiv/tasks/api_proxy.yml120
1 files changed, 120 insertions, 0 deletions
diff --git a/roles/contiv/tasks/api_proxy.yml b/roles/contiv/tasks/api_proxy.yml
new file mode 100644
index 000000000..8b524dd6e
--- /dev/null
+++ b/roles/contiv/tasks/api_proxy.yml
@@ -0,0 +1,120 @@
+---
+- name: API proxy | Create contiv-api-proxy openshift user
+ oc_serviceaccount:
+ state: present
+ name: contiv-api-proxy
+ namespace: kube-system
+ run_once: true
+
+- name: API proxy | Set contiv-api-proxy openshift user permissions
+ oc_adm_policy_user:
+ user: system:serviceaccount:kube-system:contiv-api-proxy
+ resource_kind: scc
+ resource_name: hostnetwork
+ state: present
+ run_once: true
+
+- name: API proxy | Create temp directory for doing work
+ command: mktemp -d /tmp/openshift-contiv-XXXXXX
+ register: mktemp
+ changed_when: False
+ # For things that pass temp files between steps, we want to make sure they
+ # run on the same node.
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Check for existing api proxy secret volume
+ oc_obj:
+ namespace: kube-system
+ kind: secret
+ state: list
+ selector: "name=contiv-api-proxy-secret"
+ register: existing_secret_volume
+ run_once: true
+
+- name: API proxy | Generate a self signed certificate for api proxy
+ command: openssl req -new -nodes -x509 -subj "/C=US/ST=/L=/O=/CN=localhost" -days 3650 -keyout "{{ mktemp.stdout }}/key.pem" -out "{{ mktemp.stdout }}/cert.pem" -extensions v3_ca
+ when: (contiv_api_proxy_cert is not defined or contiv_api_proxy_key is not defined)
+ and not existing_secret_volume.results.results[0]['items']
+ register: created_self_signed_cert
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Read self signed certificate file
+ command: cat "{{ mktemp.stdout }}/cert.pem"
+ register: generated_cert
+ when: created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Read self signed key file
+ command: cat "{{ mktemp.stdout }}/key.pem"
+ register: generated_key
+ when: created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create api-proxy-secrets.yml from template using generated cert
+ template:
+ src: api-proxy-secrets.yml.j2
+ dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml"
+ vars:
+ key: "{{ generated_key.stdout }}"
+ cert: "{{ generated_cert.stdout }}"
+ when: created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create api-proxy-secrets.yml from template using user defined cert
+ template:
+ src: api-proxy-secrets.yml.j2
+ dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml"
+ vars:
+ key: "{{ lookup('file', contiv_api_proxy_key) }}"
+ cert: "{{ lookup('file', contiv_api_proxy_cert) }}"
+ when: contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create secret certificate volume
+ oc_obj:
+ state: present
+ namespace: "kube-system"
+ kind: secret
+ name: contiv-api-proxy-secret
+ files:
+ - "{{ mktemp.stdout }}/api-proxy-secrets.yml"
+ when: (contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined)
+ or created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create api-proxy-daemonset.yml from template
+ template:
+ src: api-proxy-daemonset.yml.j2
+ dest: "{{ mktemp.stdout }}/api-proxy-daemonset.yml"
+ vars:
+ etcd_host: "etcd://{{ groups.oo_etcd_to_config.0 }}:{{ contiv_etcd_port }}"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+# Always "import" this file, k8s won't do anything if it matches exactly what
+# is already in the cluster.
+- name: API proxy | Add API proxy daemonset
+ oc_obj:
+ state: present
+ namespace: "kube-system"
+ kind: daemonset
+ name: contiv-api-proxy
+ files:
+ - "{{ mktemp.stdout }}/api-proxy-daemonset.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
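Review bot: The private key is captured into Ansible's result data by `command: cat "{{ mktemp.stdout }}/key.pem"` with `register: generated_key` and is then passed as a template var, so any verbose run, callback plugin or ARA-style log store records the key in clear; add `no_log: true` to the key-reading task, both `api-proxy-secrets.yml` template tasks and the `Create secret certificate volume` task. The two `template` tasks also write the key to the temp directory with the default file mode, so add `mode: "0600"` to each, and since the final `Delete temp directory` task is not in a `block`/`always`, a failure in any earlier task leaves that key material behind in /tmp on the first master. The self-signed certificate is generated with `CN=localhost`, no SAN and `-extensions v3_ca`, which means it cannot be used to verify the proxy's identity from another host and doubles as a CA; a comment stating that consumers are expected to skip verification (or a fix to the subject/extensions) would be useful. Finally, `selector: "name=contiv-api-proxy-secret"` is a label selector rather than a name match, so unless `api-proxy-secrets.yml.j2` sets that label the check never finds the existing secret and a fresh key is generated on every run — I cannot see the template, so please confirm.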