--- - set_fact: openshift_master_certs_no_etcd: - admin.crt - master.kubelet-client.crt - master.proxy-client.crt - master.server.crt - openshift-master.crt - openshift-registry.crt - openshift-router.crt - etcd.server.crt openshift_master_certs_etcd: - master.etcd-client.crt - set_fact: openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}" - name: Check status of master certificates stat: path: "{{ openshift_master_config_dir }}/{{ item }}" with_items: - "{{ openshift_master_certs }}" register: g_master_cert_stat_result when: not openshift_certificates_redeploy | default(false) | bool - set_fact: master_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool else (False in (g_master_cert_stat_result.results | default({}) | oo_collect(attribute='stat.exists') | list)) }}" - name: Ensure the generated_configs directory present file: path: "{{ openshift_master_generated_config_dir }}" state: directory mode: 0700 when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - find: paths: "{{ openshift_master_config_dir }}/legacy-ca/" patterns: ".*-ca.crt" use_regex: true register: g_master_legacy_ca_result delegate_to: "{{ openshift_ca_host }}" - name: Create the master server certificate command: > {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %} --certificate-authority {{ legacy_ca_certificate }} {% endfor %} --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }} --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key --expire-days={{ openshift_master_cert_expire_days }} --signer-cert={{ openshift_ca_cert }} --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} --overwrite=false when: item != openshift_ca_host with_items: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}" delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Generate the loopback master client config command: > {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config --certificate-authority={{ openshift_ca_cert }} {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }} --groups=system:masters,system:openshift-master --master={{ hostvars[item].openshift.master.loopback_api_url }} --public-master={{ hostvars[item].openshift.master.loopback_api_url }} --signer-cert={{ openshift_ca_cert }} --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} --user=system:openshift-master --basename=openshift-master --expire-days={{ openshift_master_cert_expire_days }} args: creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig" with_items: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}" when: item != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" run_once: true - file: src: "{{ openshift_master_config_dir }}/{{ item }}" dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" state: hard force: true with_items: - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}" when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - name: Remove generated etcd client certs when using external etcd file: path: "{{ openshift_master_generated_config_dir }}/{{ item }}" state: absent when: openshift_master_etcd_hosts | length > 0 with_items: - master.etcd-client.crt - master.etcd-client.key delegate_to: "{{ openshift_ca_host }}" - name: Create local temp directory for syncing certs local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX register: g_master_certs_mktemp changed_when: False when: master_certs_missing | bool become: no - name: Create a tarball of the master certs command: > tar -czvf {{ openshift_master_generated_config_dir }}.tgz -C {{ openshift_master_generated_config_dir }} . args: creates: "{{ openshift_master_generated_config_dir }}.tgz" when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - name: Retrieve the master cert tarball from the master fetch: src: "{{ openshift_master_generated_config_dir }}.tgz" dest: "{{ g_master_certs_mktemp.stdout }}/" flat: yes fail_on_missing: yes validate_checksum: yes when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - name: Ensure certificate directory exists file: path: "{{ openshift_master_config_dir }}" state: directory when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - name: Unarchive the tarball on the master unarchive: src: "{{ g_master_certs_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz" dest: "{{ openshift_master_config_dir }}" when: master_certs_missing | bool and inventory_hostname != openshift_ca_host - name: Delete local temp directory local_action: file path="{{ g_master_certs_mktemp.stdout }}" state=absent changed_when: False when: master_certs_missing | bool become: no - name: Lookup default group for ansible_ssh_user command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}" changed_when: false register: _ansible_ssh_user_gid - set_fact: client_users: "{{ [ansible_ssh_user, 'root'] | unique }}" - name: Create the client config dir(s) file: path: "~{{ item }}/.kube" state: directory mode: 0700 owner: "{{ item }}" group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" with_items: "{{ client_users }}" # TODO: Update this file if the contents of the source file are not present in # the dest file, will need to make sure to ignore things that could be added - name: Copy the admin client config(s) copy: src: "{{ openshift_master_config_dir }}/admin.kubeconfig" dest: "~{{ item }}/.kube/config" remote_src: yes force: "{{ openshift_certificates_redeploy | default(false) }}" with_items: "{{ client_users }}" - name: Update the permissions on the admin client config(s) file: path: "~{{ item }}/.kube/config" state: file mode: 0700 owner: "{{ item }}" group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" with_items: "{{ client_users }}" # Ensure ca-bundle exists for 3.2+ configuration - name: Check for ca-bundle.crt stat: path: "{{ openshift.common.config_base }}/master/ca-bundle.crt" register: ca_bundle_stat failed_when: false - name: Check for ca.crt stat: path: "{{ openshift.common.config_base }}/master/ca.crt" register: ca_crt_stat failed_when: false - name: Migrate ca.crt to ca-bundle.crt command: mv ca.crt ca-bundle.crt args: chdir: "{{ openshift.common.config_base }}/master" when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists - name: Link ca.crt to ca-bundle.crt file: src: "{{ openshift.common.config_base }}/master/ca-bundle.crt" path: "{{ openshift.common.config_base }}/master/ca.crt" state: link when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists