path: root/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
blob: 6964e85676b783487a391e2b7bb931ebc2abcab4 (plain)
---
# etcd CA redeploy. The certificate health check runs first so that the
# restart includes at the end of this playbook can be skipped when a
# certificate had already expired before this run started.
- name: Check cert expirys
  hosts: oo_etcd_to_config:oo_masters_to_config
  vars:
    openshift_certificate_expiry_show_all: true
  roles:
  # The role registers 'check_results' on every host with the health
  # status of the etcd, master and node certificates. The etcd and
  # master restart includes below read 'check_results' and are skipped
  # if any certificate was already expired.
  - role: openshift_certificate_expiry

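- name: Backup existing etcd CA certificate directories
  hosts: oo_etcd_to_config
  roles:
  - role: etcd_common
    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
  tasks:
  - name: Determine if CA certificate directory exists
    stat:
      path: "{{ etcd_ca_dir }}"
    register: etcd_ca_certs_dir_stat
  # The archive captures the whole CA directory; that directory
  # presumably holds the CA signing key next to ca.crt (the key file
  # itself is not visible from this playbook). 'ansible_date_time.epoch'
  # is a gathered fact, so it stays constant for the rest of this play.
  - name: Backup generated etcd certificates
    command: >
      tar -czf {{ etcd_conf_dir }}/etcd-ca-certificate-backup-{{ ansible_date_time.epoch }}.tgz
      {{ etcd_ca_dir }}
    args:
      warn: false
    when: etcd_ca_certs_dir_stat.stat.exists | bool
  # tar creates the archive with the caller's umask; tighten it so the
  # backed-up CA material is readable by its owner only.
  - name: Restrict permissions on the etcd CA backup
    file:
      path: "{{ etcd_conf_dir }}/etcd-ca-certificate-backup-{{ ansible_date_time.epoch }}.tgz"
      mode: "0600"
    when: etcd_ca_certs_dir_stat.stat.exists | bool
  # The directory is recreated by the openshift_etcd_ca role in the next
  # play.
  - name: Remove CA certificate directory
    file:
      path: "{{ etcd_ca_dir }}"
      state: absent
    when: etcd_ca_certs_dir_stat.stat.exists | bool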

# The CA is regenerated on the first etcd host only. The full etcd host
# list is handed to the role as well; what the role does with it is not
# visible from here.
- name: Generate new etcd CA
  hosts: oo_first_etcd
  roles:
  - role: openshift_etcd_ca
    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
    etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
    etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"

# Scratch directory on the control host. The CA tarball and ca.crt are
# staged here for the other plays and the directory is removed again
# near the end of the playbook.
- name: Create temp directory for syncing certs
  hosts: localhost
  connection: local
  become: false
  gather_facts: false
  tasks:
  # Registered as g_etcd_mktemp so later plays can reach it through
  # hostvars['localhost'].
  - name: Create local temp directory for syncing certs
    command: mktemp -d /tmp/openshift-ansible-XXXXXXX
    register: g_etcd_mktemp
    changed_when: false

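- name: Distribute etcd CA to etcd hosts
  hosts: oo_etcd_to_config
  vars:
    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
  roles:
  - role: etcd_common
    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
  tasks:
  # Nothing in this playbook removes the tarball from a previous run, and
  # the 'creates:' guard below would then keep the old archive and ship
  # the previous CA instead of the one just generated. Clear it first.
  - name: Remove stale etcd ca cert tarball
    file:
      path: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
      state: absent
    delegate_to: "{{ etcd_ca_host }}"
    run_once: true
  # Packed on the CA host only; the archive holds the whole CA directory,
  # which presumably includes the CA private key.
  - name: Create a tarball of the etcd ca certs
    command: >
      tar -czvf {{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz
        -C {{ etcd_ca_dir }} .
    args:
      creates: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
      warn: false
    delegate_to: "{{ etcd_ca_host }}"
    run_once: true
  - name: Retrieve etcd ca cert tarball
    fetch:
      src: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
      dest: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/"
      flat: true
      fail_on_missing: true
      validate_checksum: true
    delegate_to: "{{ etcd_ca_host }}"
    run_once: true
  - name: Ensure ca directory exists
    file:
      path: "{{ etcd_ca_dir }}"
      state: directory
  - name: Unarchive etcd ca cert tarballs
    unarchive:
      src: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/{{ etcd_ca_name }}.tgz"
      dest: "{{ etcd_ca_dir }}"
  # The CA copy currently trusted by etcd lives in etcd_conf_dir; the
  # freshly unpacked one is in etcd_ca_dir.
  - name: Read current etcd CA
    slurp:
      src: "{{ etcd_conf_dir }}/ca.crt"
    register: g_current_etcd_ca_output
  - name: Read new etcd CA
    slurp:
      src: "{{ etcd_ca_dir }}/ca.crt"
    register: g_new_etcd_ca_output
  # Bundle = new CA followed by the current CA, written to both
  # locations so certificates issued by either CA keep verifying.
  # NOTE(review): the two PEM blobs are concatenated verbatim; this relies
  # on the current ca.crt ending with a newline, which is not checked here.
  - name: Write combined etcd CA bundle
    copy:
      content: "{{ (g_new_etcd_ca_output.content|b64decode) + (g_current_etcd_ca_output.content|b64decode) }}"
      dest: "{{ item }}/ca.crt"
    with_items:
    - "{{ etcd_conf_dir }}"
    - "{{ etcd_ca_dir }}"
  # The archive is not needed once every etcd host has unpacked it; the
  # copy in the localhost temp directory is removed by a later play.
  - name: Remove etcd ca cert tarball from CA host
    file:
      path: "{{ etcd_conf_dir }}/{{ etcd_ca_name }}.tgz"
      state: absent
    delegate_to: "{{ etcd_ca_host }}"
    run_once: true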

# Restart etcd so it picks up the new CA bundle; the included playbook is
# outside this file.
- include: ../../openshift-etcd/restart.yml
  # Do not restart etcd when etcd certificates were previously expired.
  # 'check_results' is registered by the openshift_certificate_expiry role
  # in the first play.
  # NOTE(review): the expiry check ran on oo_etcd_to_config while this
  # condition selects groups['etcd'] -- confirm the two groups coincide,
  # otherwise hosts without 'check_results' are examined here.
  when: ('expired' not in (hostvars
                           | oo_select_keys(groups['etcd'])
                           | oo_collect('check_results.check_results.etcd')
                           | oo_collect('health')))

# Pull the combined ca.crt (written by the distribution play) from the
# first etcd host into the localhost temp directory; only the public
# certificate is fetched here, not the CA directory.
- name: Retrieve etcd CA certificate
  hosts: oo_first_etcd
  roles:
  - role: etcd_common
    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
  tasks:
  - name: Retrieve etcd CA certificate
    fetch:
      src: "{{ etcd_conf_dir }}/ca.crt"
      dest: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/"
      flat: true
      fail_on_missing: true
      validate_checksum: true

# Install the fetched ca.crt as the etcd CA trusted by each master.
- name: Distribute etcd CA to masters
  hosts: oo_masters_to_config
  vars:
    # Not referenced by the task below; kept as given.
    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
  tasks:
  # Skipped when no etcd hosts are being configured, since there is then
  # nothing staged in the temp directory to deploy.
  - name: Deploy etcd CA
    copy:
      src: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/ca.crt"
      dest: "{{ openshift.common.config_base }}/master/master.etcd-ca.crt"
    when: groups.oo_etcd_to_config | default([]) | length > 0

# Remove the staging directory; it held the CA tarball and ca.crt on the
# control host.
- name: Delete temporary directory on localhost
  hosts: localhost
  connection: local
  become: false
  gather_facts: false
  tasks:
  - name: Remove local temp directory used for syncing certs
    file:
      path: "{{ g_etcd_mktemp.stdout }}"
      state: absent
    changed_when: false

# Restart the masters so they trust the new etcd CA; the included playbook
# is outside this file.
- include: ../../openshift-master/restart.yml
  # Do not restart masters when master certificates were previously expired.
  # Both the server certificate and the CA bundle of the first master are
  # checked, using the 'check_results' registered by the
  # openshift_certificate_expiry role in the first play.
  when: ('expired' not in hostvars
                       | oo_select_keys(groups['oo_masters_to_config'])
                       | oo_collect('check_results.check_results.ocp_certs')
                       | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"}))
        and
        ('expired' not in hostvars
                          | oo_select_keys(groups['oo_masters_to_config'])
                          | oo_collect('check_results.check_results.ocp_certs')
                          | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))