summaryrefslogtreecommitdiffstats
path: root/roles/openshift_node_certificates
diff options
context:
space:
mode:
Diffstat (limited to 'roles/openshift_node_certificates')
-rw-r--r--roles/openshift_node_certificates/README.md33
-rw-r--r--roles/openshift_node_certificates/meta/main.yml6
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml97
-rw-r--r--roles/openshift_node_certificates/vars/main.yml9
4 files changed, 35 insertions, 110 deletions
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
index f56066b29..6264d253a 100644
--- a/roles/openshift_node_certificates/README.md
+++ b/roles/openshift_node_certificates/README.md
@@ -1,44 +1,27 @@
-OpenShift Node Certificates
-===========================
+OpenShift/Atomic Enterprise Node Certificates
+=============================================
-This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
+TODO
Requirements
------------
+TODO
+
Role Variables
--------------
-From `openshift_ca`:
-
-| Name | Default value | Description |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. |
-
-From this role:
-
-| Name | Default value | Description |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. |
-| openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
-| openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. |
-| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. |
+TODO
Dependencies
------------
-* openshift_ca
+TODO
Example Playbook
----------------
-```
-- name: Create OpenShift Node Certificates
- hosts: nodes
- roles:
- - role: openshift_node_certificates
- openshift_ca_host: master1.example.com
-```
+TODO
License
-------
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
index 3caa1cdf1..f3236e850 100644
--- a/roles/openshift_node_certificates/meta/main.yml
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -1,10 +1,10 @@
---
galaxy_info:
author: Jason DeTiberus
- description: OpenShift Node Certificates
+ description:
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.9.4
+ min_ansible_version: 1.8
platforms:
- name: EL
versions:
@@ -13,4 +13,4 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_ca
+- { role: openshift_facts }
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 147a432a4..216c11093 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -1,95 +1,36 @@
---
-- name: Check status of node certificates
- stat:
- path: "{{ openshift.common.config_base }}/node/{{ item }}"
- with_items:
- - "system:node:{{ openshift.common.hostname }}.crt"
- - "system:node:{{ openshift.common.hostname }}.key"
- - "system:node:{{ openshift.common.hostname }}.kubeconfig"
- - ca.crt
- - server.key
- - server.crt
- register: g_node_cert_stat_result
-
-- set_fact:
- node_certs_missing: "{{ False in (g_node_cert_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
-
-- name: Create openshift_generated_configs_dir if it does not exist
+- name: Create openshift_generated_configs_dir if it doesn\'t exist
file:
path: "{{ openshift_generated_configs_dir }}"
state: directory
mode: 0700
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ when: nodes_needing_certs | length > 0
- name: Generate the node client config
command: >
{{ openshift.common.admin_binary }} create-api-client-config
- --certificate-authority={{ openshift_ca_cert }}
- --client-dir={{ openshift_node_generated_config_dir }}
+ --certificate-authority={{ openshift_master_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
--groups=system:nodes
- --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
- --signer-cert={{ openshift_ca_cert }}
- --signer-key={{ openshift_ca_key }}
- --signer-serial={{ openshift_ca_serial }}
- --user=system:node:{{ openshift.common.hostname }}
+ --master={{ openshift.master.api_url }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
+ --user=system:node:{{ item.openshift.common.hostname }}
args:
- creates: "{{ openshift_node_generated_config_dir }}"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+ with_items: "{{ nodes_needing_certs | default([]) }}"
- name: Generate the node server certificate
command: >
{{ openshift.common.admin_binary }} ca create-server-cert
- --cert={{ openshift_node_generated_config_dir }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+ --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
+ --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key
--overwrite=true
- --hostnames={{ openshift.common.all_hostnames |join(",") }}
- --signer-cert={{ openshift_ca_cert }}
- --signer-key={{ openshift_ca_key }}
- --signer-serial={{ openshift_ca_serial }}
- args:
- creates: "{{ openshift_node_generated_config_dir }}/server.crt"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host}}"
-
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- register: node_cert_mktemp
- changed_when: False
- when: node_certs_missing | bool
- delegate_to: localhost
-
-- name: Create a tarball of the node config directories
- command: >
- tar -czvf {{ openshift_node_generated_config_dir }}.tgz
- --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
- -C {{ openshift_node_generated_config_dir }} .
+ --hostnames={{ item.openshift.common.all_hostnames |join(",") }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
args:
- creates: "{{ openshift_node_generated_config_dir }}.tgz"
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the node config tarballs from the master
- fetch:
- src: "{{ openshift_node_generated_config_dir }}.tgz"
- dest: "{{ node_cert_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ openshift_node_cert_dir }}"
- state: directory
- when: node_certs_missing | bool
-
-- name: Unarchive the tarball on the node
- unarchive:
- src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
- dest: "{{ openshift_node_cert_dir }}"
- when: node_certs_missing | bool
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
+ with_items: "{{ nodes_needing_certs | default([]) }}"
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
index 2fafc7387..61fbb1e51 100644
--- a/roles/openshift_node_certificates/vars/main.yml
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -1,6 +1,7 @@
---
-openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}"
openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"