--- - name: API proxy | Create contiv-api-proxy openshift user oc_serviceaccount: state: present name: contiv-api-proxy namespace: kube-system run_once: true - name: API proxy | Set contiv-api-proxy openshift user permissions oc_adm_policy_user: user: system:serviceaccount:kube-system:contiv-api-proxy resource_kind: scc resource_name: hostnetwork state: present run_once: true - name: API proxy | Create temp directory for doing work command: mktemp -d /tmp/openshift-contiv-XXXXXX register: mktemp changed_when: False # For things that pass temp files between steps, we want to make sure they # run on the same node. delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Check for existing api proxy secret volume oc_obj: namespace: kube-system kind: secret state: list selector: "name=contiv-api-proxy-secret" register: existing_secret_volume run_once: true - name: API proxy | Generate a self signed certificate for api proxy command: openssl req -new -nodes -x509 -subj "/C=US/ST=/L=/O=/CN=localhost" -days 3650 -keyout "{{ mktemp.stdout }}/key.pem" -out "{{ mktemp.stdout }}/cert.pem" -extensions v3_ca when: (contiv_api_proxy_cert is not defined or contiv_api_proxy_key is not defined) and not existing_secret_volume.results.results[0]['items'] register: created_self_signed_cert delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Read self signed certificate file command: cat "{{ mktemp.stdout }}/cert.pem" register: generated_cert when: created_self_signed_cert.changed delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Read self signed key file command: cat "{{ mktemp.stdout }}/key.pem" register: generated_key when: created_self_signed_cert.changed delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Create api-proxy-secrets.yml from template using generated cert template: src: api-proxy-secrets.yml.j2 dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml" vars: key: "{{ generated_key.stdout }}" cert: "{{ generated_cert.stdout }}" when: created_self_signed_cert.changed delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Create api-proxy-secrets.yml from template using user defined cert template: src: api-proxy-secrets.yml.j2 dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml" vars: key: "{{ lookup('file', contiv_api_proxy_key) }}" cert: "{{ lookup('file', contiv_api_proxy_cert) }}" when: contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Create secret certificate volume oc_obj: state: present namespace: "kube-system" kind: secret name: contiv-api-proxy-secret files: - "{{ mktemp.stdout }}/api-proxy-secrets.yml" when: (contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined) or created_self_signed_cert.changed delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Create api-proxy-daemonset.yml from template template: src: api-proxy-daemonset.yml.j2 dest: "{{ mktemp.stdout }}/api-proxy-daemonset.yml" vars: etcd_host: "etcd://{{ groups.oo_etcd_to_config.0 }}:{{ contiv_etcd_port }}" delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true # Always "import" this file, k8s won't do anything if it matches exactly what # is already in the cluster. - name: API proxy | Add API proxy daemonset oc_obj: state: present namespace: "kube-system" kind: daemonset name: contiv-api-proxy files: - "{{ mktemp.stdout }}/api-proxy-daemonset.yml" delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true - name: API proxy | Delete temp directory file: name: "{{ mktemp.stdout }}" state: absent changed_when: False delegate_to: "{{ groups.oo_masters_to_config.0 }}" run_once: true