From b30c15b83937e45b7b3356ef4cb6e93c9203ff68 Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Mon, 16 Jan 2017 11:41:56 -0500
Subject: Create individual serving cert and loopback kubeconfig for additional
 masters.

Deprecates use of 'create-master-certs' for generating master serving
certificate and loopback kubeconfig in order to reference the first
master's CA serial file.
---
 filter_plugins/openshift_master.py                 |  4 +-
 .../openshift-cluster/redeploy-certificates.yml    |  4 --
 playbooks/common/openshift-master/config.yml       |  4 --
 roles/openshift_ca/tasks/main.yml                  |  2 +-
 roles/openshift_master_certificates/tasks/main.yml | 44 ++++++++++++++--------
 5 files changed, 32 insertions(+), 26 deletions(-)

diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index 437f4c400..f71d9b863 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -517,7 +517,9 @@ class FilterModule(object):
         ''' Return certificates to synchronize based on facts. '''
         if not issubclass(type(hostvars), dict):
             raise errors.AnsibleFilterError("|failed expects hostvars is a dict")
-        certs = ['admin.crt',
+        certs = ['ca.crt',
+                 'ca.key',
+                 'admin.crt',
                  'admin.key',
                  'admin.kubeconfig',
                  'master.kubelet-client.crt',
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates.yml b/playbooks/common/openshift-cluster/redeploy-certificates.yml
index 6e3e04a6b..2383836d4 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates.yml
@@ -108,10 +108,6 @@
                                      | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
                                      | oo_collect('openshift.common.hostname')
                                      | default(none, true) }}"
-    openshift_master_hostnames: "{{ hostvars
-                                    | oo_select_keys(groups['oo_masters_to_config'] | default([]))
-                                    | oo_collect('openshift.common.all_hostnames')
-                                    | oo_flatten | unique }}"
     openshift_certificates_redeploy: true
   - role: openshift_etcd_client_certificates
     etcd_certificates_redeploy: true
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 39d64a126..de36fd263 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -134,10 +134,6 @@
                                      | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
                                      | oo_collect('openshift.common.hostname')
                                      | default(none, true) }}"
-    openshift_master_hostnames: "{{ hostvars
-                                    | oo_select_keys(groups['oo_masters_to_config'] | default([]))
-                                    | oo_collect('openshift.common.all_hostnames')
-                                    | oo_flatten | unique }}"
     openshift_master_hosts: "{{ groups.oo_masters_to_config }}"
     etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
     etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e2a12e5ff..e21397170 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -86,7 +86,7 @@
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
     --certificate-authority {{ named_ca_certificate }}
     {% endfor %}
-    --hostnames={{ openshift_master_hostnames | join(',') }}
+    --hostnames={{ openshift.common.all_hostnames | join(',') }}
     --master={{ openshift.master.api_url }}
     --public-master={{ openshift.master.public_api_url }}
     --cert-dir={{ openshift_ca_config_dir }}
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index e9b7de330..118a04d8f 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -39,31 +39,43 @@
   when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
   delegate_to: "{{ openshift_ca_host }}"
 
-- file:
-    src: "{{ openshift_master_config_dir }}/{{ item }}"
-    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
-    state: hard
-  with_items:
-  - ca.crt
-  - ca.key
-  - ca.serial.txt
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create the master certificates if they do not already exist
+- name: Create the master server certificate
   command: >
-    {{ openshift.common.client_binary }} adm create-master-certs
+    {{ openshift.common.client_binary }} adm ca create-server-cert
     {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
     --certificate-authority {{ named_ca_certificate }}
     {% endfor %}
     --hostnames={{ openshift.common.all_hostnames | join(',') }}
-    --master={{ openshift.master.api_url }}
-    --public-master={{ openshift.master.public_api_url }}
-    --cert-dir={{ openshift_master_generated_config_dir }}
+    --cert={{ openshift_master_generated_config_dir }}/master.server.crt
+    --key={{ openshift_master_generated_config_dir }}/master.server.key
+    --signer-cert={{ openshift_ca_cert }}
+    --signer-key={{ openshift_ca_key }}
+    --signer-serial={{ openshift_ca_serial }}
     --overwrite=false
   when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
   delegate_to: "{{ openshift_ca_host }}"
 
+- name: Generate the master client config
+  command: >
+    {{ openshift.common.client_binary }} adm create-api-client-config
+      {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+      --certificate-authority {{ named_ca_certificate }}
+      {% endfor %}
+      --certificate-authority={{ openshift_ca_cert }}
+      --client-dir={{ openshift_master_generated_config_dir }}
+      --groups=system:masters,system:openshift-master
+      --master={{ openshift.master.api_url }}
+      --public-master={{ openshift.master.public_api_url }}
+      --signer-cert={{ openshift_ca_cert }}
+      --signer-key={{ openshift_ca_key }}
+      --signer-serial={{ openshift_ca_serial }}
+      --user=system:openshift-master
+      --basename=openshift-master
+  args:
+    creates: "{{ openshift_master_generated_config_dir }}/openshift-master.kubeconfig"
+  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+  delegate_to: "{{ openshift_ca_host }}"
+
 - file:
     src: "{{ openshift_master_config_dir }}/{{ item }}"
     dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
-- 
cgit v1.2.1