---
- name: Create local temp directory for syncing certs
  # Runs on the controller and is gated, like every play in this file, on the
  # first master reporting that no service signer cert exists yet. The stat
  # (service_signer_cert_stat) is registered by an earlier play that is not
  # visible here.
  hosts: localhost
  connection: local
  gather_facts: no
  tasks:
  - name: Create local temp directory for syncing certs
    # mktemp -d creates the directory owner-only (0700 by default). The path
    # is reused by the later plays through hostvars.localhost.
    local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
    register: local_cert_sync_tmpdir
    changed_when: false
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)

  - name: Chmod local temp directory
    # NOTE(review): this makes the scratch directory world-writable, and the
    # next play fetches the service-signer private key into it. Any local
    # account on the controller can then replace entries in the directory
    # (and read them if the fetched files follow a permissive umask) before
    # the key is deployed to the masters. The reason for 777 is not visible
    # in this file; unless a cross-user handoff requires it, the mktemp
    # default is sufficient and this task can be dropped -- confirm.
    local_action: command chmod 777 "{{ local_cert_sync_tmpdir.stdout }}"
    changed_when: false
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)

- name: Create service signer certificate
  # Generates the signer key pair on the first master and pulls it back to the
  # controller scratch directory created by the first play.
  hosts: oo_first_master
  roles:
  # presumably supplies openshift_client_binary used below -- verify
  - openshift_facts
  tasks:
  - name: Create remote temp directory for creating certs
    # Scratch directory on the master (0700 by mktemp default); removed by the
    # last task of this play.
    command: mktemp -d /tmp/openshift-ansible-XXXXXXX
    register: remote_cert_create_tmpdir
    changed_when: false
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)

  - name: Create service signer certificate
    # Folded scalar, so this is a single command line. The command module does
    # not go through a shell; it splits the line shlex-style, which is why
    # "{{ dir }}/"service-signer.crt ends up as one argument.
    # NOTE(review): --name is prefixed with the temp directory path just like
    # the file flags, so the signer's name embeds a throwaway /tmp path. The
    # other flags are file paths but --name presumably is not -- confirm intent.
    # chdir is redundant while every path passed is already absolute.
    command: >
      {{ openshift_client_binary }} adm ca create-signer-cert
      --cert="{{ remote_cert_create_tmpdir.stdout }}/"service-signer.crt
      --key="{{ remote_cert_create_tmpdir.stdout }}/"service-signer.key
      --name="{{ remote_cert_create_tmpdir.stdout }}/"openshift-service-serving-signer
      --serial="{{ remote_cert_create_tmpdir.stdout }}/"service-signer.serial.txt
    args:
      chdir: "{{ remote_cert_create_tmpdir.stdout }}/"
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)

  - name: Retrieve service signer certificate
    # flat: yes drops the hostname prefix so both files land directly in the
    # controller scratch directory; validate_checksum rejects a corrupt
    # transfer. The private key travels here, so the permissions of that
    # controller directory (set in the first play) apply to it.
    fetch:
      src: "{{ remote_cert_create_tmpdir.stdout }}/{{ item }}"
      dest: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/"
      flat: yes
      fail_on_missing: yes
      validate_checksum: yes
    with_items:
    - "service-signer.crt"
    - "service-signer.key"
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)

  - name: Delete remote temp directory
    # NOTE(review): only reached when the earlier tasks succeeded; a failed
    # create or fetch leaves the signer key in /tmp on the master. Wrapping
    # this play's tasks in block/always would guarantee the cleanup -- confirm
    # the minimum Ansible version supported before relying on it.
    file:
      name: "{{ remote_cert_create_tmpdir.stdout }}"
      state: absent
    changed_when: false
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)

- name: Deploy service signer certificate
  # Copies the freshly generated pair from the controller scratch directory
  # into each master's config directory.
  hosts: oo_masters_to_config
  tasks:
  - name: Deploy service signer certificate
    # NOTE(review): no mode/owner/group is set, so both files -- including
    # service-signer.key -- get the permissions the copy module applies to new
    # files (derived from the target's umask). Align the key's mode with the
    # rest of the master key material (e.g. mode "0600") -- confirm against
    # the master certificate role before changing it.
    copy:
      src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item }}"
      dest: "{{ openshift.common.config_base }}/master/"
    with_items:
    - "service-signer.crt"
    - "service-signer.key"
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)

- name: Delete local temp directory
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
  - name: Delete local temp directory
    # Remove the controller scratch directory created by the first play,
    # together with the signer cert and key fetched into it. Skipped when the
    # signer cert already existed and nothing was created.
    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
    changed_when: false
    file:
      path: "{{ local_cert_sync_tmpdir.stdout }}"
      state: absent