From 53bd951747c03e181d0a3fcdb4f93354d7258ed6 Mon Sep 17 00:00:00 2001
From: Jeff Peeler <jpeeler@redhat.com>
Date: Wed, 10 Jan 2018 10:45:59 -0500
Subject: Update deployment and apiserver with new certs

Since new certificates are generated for every run, the apiservice
caBundle needs updating in order to have the on disk CA match what is in
Kubernetes.

Because the secrets are updated, the daemonset needs to do a rolling
update for the api server to pick up the new certs. Implemented here is
an added annotation to the api server such that the update occurs
automatically when the CA is changed.
---
 roles/openshift_service_catalog/tasks/install.yml | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'roles/openshift_service_catalog/tasks/install.yml')

diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index cfecaa12c..9b38a85c4 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -179,6 +179,8 @@
     etcd_servers: "{{ openshift.master.etcd_urls | join(',') }}"
     etcd_cafile: "{{ '/etc/origin/master/master.etcd-ca.crt' if etcd_ca_crt.stat.exists else '/etc/origin/master/ca-bundle.crt' }}"
     node_selector: "{{ openshift_service_catalog_nodeselector | default ({'openshift-infra': 'apiserver'}) }}"
+    # apiserver_ca is defined in generate_certs.yml
+    ca_hash: "{{ apiserver_ca.content|hash('sha1') }}"
 
 - name: Set Service Catalog API Server daemonset
   oc_obj:
-- 
cgit v1.2.1