blob: fea58826032a34c05a1f39c5dd077e213c7a0be4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
---
# Prior to 3.6, openshift-ansible created etcd serving certificates
# without a SubjectAlternativeName entry for the system hostname. The
# SAN list in Go 1.8 is now (correctly) authoritative and since
# openshift-ansible configures masters to talk to etcd hostnames
# rather than IP addresses, we must correct etcd certificates.
#
# This play examines the etcd serving certificate SANs on each etcd
# host and records whether or not the system hostname is missing.
- name: Examine etcd serving certificate SAN
hosts: oo_etcd_to_config
tasks:
- slurp:
src: /etc/etcd/server.crt
register: etcd_serving_cert
- set_fact:
__etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}"
# Redeploy etcd certificates when hostnames were missing from etcd
# serving certificate SANs.
- import_playbook: redeploy-certificates.yml
when:
- true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
- import_playbook: restart.yml
vars:
g_etcd_certificates_expired: "{{ ('expired' in (hostvars | lib_utils_oo_select_keys(groups['etcd']) | lib_utils_oo_collect('check_results.check_results.etcd') | lib_utils_oo_collect('health'))) | bool }}"
when:
- true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
- import_playbook: ../../openshift-master/private/restart.yml
when:
- true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
# For 1.4/3.4 we want to upgrade everyone to etcd-3.0. etcd docs say to
# upgrade from 2.0.x to 2.1.x to 2.2.x to 2.3.x to 3.0.x. While this is a tedius
# task for RHEL and CENTOS it's simply not possible in Fedora unless you've
# mirrored packages on your own because only the GA and latest versions are
# available in the repos. So for Fedora we'll simply skip this, sorry.
- name: Backup etcd before upgrading anything
import_playbook: upgrade_backup.yml
vars:
etcd_backup_tag: "pre-upgrade-"
when: openshift_etcd_backup | default(true) | bool
- name: Drop etcdctl profiles
hosts: oo_etcd_hosts_to_upgrade
tasks:
- import_role:
name: etcd
tasks_from: drop_etcdctl.yml
- name: Perform etcd upgrade
import_playbook: upgrade_step.yml
when: openshift_etcd_upgrade | default(true) | bool
- name: Backup etcd
import_playbook: upgrade_backup.yml
vars:
etcd_backup_tag: "post-3.0-"
when: openshift_etcd_backup | default(true) | bool
|
