--- - name: Ensure CA certificate exists on openshift_ca_host stat: path: "{{ openshift_ca_cert }}" register: g_ca_cert_stat_result delegate_to: "{{ openshift_ca_host }}" run_once: true - fail: msg: > CA certificate {{ openshift_ca_cert }} doesn't exist on CA host {{ openshift_ca_host }}. Apply 'openshift_ca' role to {{ openshift_ca_host }}. when: not g_ca_cert_stat_result.stat.exists | bool run_once: true - name: Check status of node certificates stat: path: "{{ openshift.common.config_base }}/node/{{ item }}" with_items: - "system:node:{{ openshift.common.hostname }}.crt" - "system:node:{{ openshift.common.hostname }}.key" - "system:node:{{ openshift.common.hostname }}.kubeconfig" - ca.crt - server.key - server.crt register: g_node_cert_stat_result when: not openshift_certificates_redeploy | default(false) | bool - set_fact: node_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool else (False in (g_node_cert_stat_result.results | default({}) | oo_collect(attribute='stat.exists') | list)) }}" - name: Create openshift_generated_configs_dir if it does not exist file: path: "{{ openshift_generated_configs_dir }}" state: directory mode: 0700 when: node_certs_missing | bool delegate_to: "{{ openshift_ca_host }}" - find: paths: "{{ openshift.common.config_base }}/master/legacy-ca/" patterns: ".*-ca.crt" use_regex: true register: g_master_legacy_ca_result delegate_to: "{{ openshift_ca_host }}" - name: Generate the node client config command: > {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %} --certificate-authority {{ legacy_ca_certificate }} {% endfor %} --certificate-authority={{ openshift_ca_cert }} --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }} --groups=system:nodes --master={{ hostvars[openshift_ca_host].openshift.master.api_url }} --signer-cert={{ openshift_ca_cert }} --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} --user=system:node:{{ hostvars[item].openshift.common.hostname }} --expire-days={{ openshift_node_cert_expire_days }} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}" with_items: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']) | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}" delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Generate the node server certificate command: > {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key --expire-days={{ openshift_node_cert_expire_days }} --overwrite=true --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }} --signer-cert={{ openshift_ca_cert }} --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt" with_items: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']) | oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}" delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Create local temp directory for syncing certs local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX register: node_cert_mktemp changed_when: False when: node_certs_missing | bool become: no - name: Create a tarball of the node config directories command: > tar -czvf {{ openshift_node_generated_config_dir }}.tgz --transform 's|system:{{ openshift_node_cert_subdir }}|node|' -C {{ openshift_node_generated_config_dir }} . args: creates: "{{ openshift_node_generated_config_dir }}.tgz" # Disables the following warning: # Consider using unarchive module rather than running tar warn: no when: node_certs_missing | bool delegate_to: "{{ openshift_ca_host }}" - name: Retrieve the node config tarballs from the master fetch: src: "{{ openshift_node_generated_config_dir }}.tgz" dest: "{{ node_cert_mktemp.stdout }}/" flat: yes fail_on_missing: yes validate_checksum: yes when: node_certs_missing | bool delegate_to: "{{ openshift_ca_host }}" - name: Ensure certificate directory exists file: path: "{{ openshift_node_cert_dir }}" state: directory when: node_certs_missing | bool - name: Unarchive the tarball on the node unarchive: src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz" dest: "{{ openshift_node_cert_dir }}" when: node_certs_missing | bool - name: Delete local temp directory local_action: file path="{{ node_cert_mktemp.stdout }}" state=absent changed_when: False when: node_certs_missing | bool become: no - name: Copy OpenShift CA to system CA trust copy: src: "{{ item.cert }}" dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}" remote_src: yes with_items: - id: openshift cert: "{{ openshift_node_cert_dir }}/ca.crt" notify: - update ca trust