path: root/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
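---
# Redeploy the router's serving certificate from the first master.
#
# Flow:
#   1. Copy admin.kubeconfig into a private temp directory (mktemp -d).
#   2. Look up dc/router and svc/router in the "default" namespace; both
#      lookups tolerate failure so a cluster without a router does not
#      abort the play.
#   3. Push the current CA / cert / key from /etc/origin/master into the
#      router's OPENSHIFT_*_DATA env vars when the dc defines them.
#   4. If the router service carries service-signer annotations, delete the
#      router-certs secret and re-add the annotation so OpenShift regenerates
#      the secret; otherwise delete the on-disk router cert and key and let
#      the openshift_hosted role recreate or reapply them.
#   5. Trigger a new router deployment and remove the temp directory, also
#      when an earlier step failed.
- name: Update router certificates
  hosts: oo_first_master
  roles:
  - lib_openshift
  tasks:
  - name: Create temp directory for kubeconfig
    # mktemp -d creates the directory mode 0700, so the copied admin
    # credential below is not readable by other local users.
    command: mktemp -d /tmp/openshift-ansible-XXXXXX
    register: router_cert_redeploy_tempdir
    changed_when: false

  # Every step that needs the copied admin kubeconfig runs inside this
  # block so that the `always` section removes the credential copy even
  # when one of the steps fails part way through.
  - block:
    - name: Copy admin client config(s)
      command: >
        cp {{ openshift.common.config_base }}/master/admin.kubeconfig
        {{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
      changed_when: false

    - name: Determine if router exists
      command: >
        {{ openshift.common.client_binary }} get dc/router -o json
        --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
        -n default
      register: l_router_dc
      # A missing router is not an error here; later tasks key off rc.
      failed_when: false
      changed_when: false

    - name: Determine if router service exists
      command: >
        {{ openshift.common.client_binary }} get svc/router -o json
        --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
        -n default
      register: l_router_svc
      failed_when: false
      changed_when: false

    - name: Collect router environment variables and secrets
      # router_env_vars: names of the env vars on the router's first container.
      # router_secrets: secretName of every secret-backed volume on the dc.
      set_fact:
        router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
                               | oo_collect('name'))
                               | default([]) }}"
        router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes']
                              | oo_collect('secret')
                              | oo_collect('secretName'))
                              | default([]) }}"
      changed_when: false
      when: l_router_dc.rc == 0

    - name: Collect router service annotations
      # Default to an empty mapping (not a list) so the membership tests
      # below always run against the same type.
      set_fact:
        router_service_annotations: "{{ (l_router_svc.stdout | from_json)['metadata']['annotations'] if 'annotations' in (l_router_svc.stdout | from_json)['metadata'] else {} }}"
      when: l_router_svc.rc == 0

    - name: Update router environment variables
      # The certificate and private key contents are expanded into the
      # command line, so without no_log they would be written verbatim
      # into the Ansible log/callback output. They are also briefly visible
      # in the process list on the master while `oc env` runs.
      shell: >
        {{ openshift.common.client_binary }} env dc/router
        OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
        OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
        OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
        --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
        -n default
      no_log: true
      when:
      - l_router_dc.rc == 0
      - ('OPENSHIFT_CA_DATA' in router_env_vars)
      - ('OPENSHIFT_CERT_DATA' in router_env_vars)
      - ('OPENSHIFT_KEY_DATA' in router_env_vars)

    # When the router service contains service signer annotations we
    # will delete the existing certificate secret and allow OpenShift to
    # replace the secret.
    - block:
      - name: Delete existing router certificate secret
        oc_secret:
          kubeconfig: "{{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig"
          name: router-certs
          namespace: default
          state: absent
        run_once: true

      - name: Remove router service annotations
        # Trailing "-" removes the annotation.
        command: >
          {{ openshift.common.client_binary }} annotate service/router
          service.alpha.openshift.io/serving-cert-secret-name-
          service.alpha.openshift.io/serving-cert-signed-by-
          --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
          -n default

      - name: Add serving-cert-secret annotation to router service
        command: >
          {{ openshift.common.client_binary }} annotate service/router
          service.alpha.openshift.io/serving-cert-secret-name=router-certs
          --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
          -n default
      when:
      - l_router_dc.rc == 0
      - l_router_svc.rc == 0
      - ('router-certs' in router_secrets)
      - openshift_hosted_router_certificate is undefined
      - ('service.alpha.openshift.io/serving-cert-secret-name') in router_service_annotations
      - ('service.alpha.openshift.io/serving-cert-signed-by') in router_service_annotations

    # When there are no annotations on the router service we will allow
    # the openshift_hosted role to either create a new wildcard
    # certificate (since we deleted the original) or reapply a custom
    # openshift_hosted_router_certificate.
    - name: Remove on-disk router certificate and key
      file:
        path: "{{ item }}"
        state: absent
      with_items:
      - /etc/origin/master/openshift-router.crt
      - /etc/origin/master/openshift-router.key
      when:
      - l_router_dc.rc == 0
      - l_router_svc.rc == 0
      - ('router-certs' in router_secrets)
      - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
      - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations

    - name: Recreate or reapply the router certificate via openshift_hosted
      include_role:
        name: openshift_hosted
        tasks_from: main
      vars:
        openshift_hosted_manage_registry: false
      when:
      - l_router_dc.rc == 0
      - l_router_svc.rc == 0
      - ('router-certs' in router_secrets)
      - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
      - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations

    - name: Redeploy router
      command: >
        {{ openshift.common.client_binary }} deploy dc/router
        --latest
        --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
        -n default
      # "Determine if router exists" tolerates a missing dc, so the rollout
      # must be skipped in that case instead of failing the play.
      when: l_router_dc.rc == 0

    always:
    - name: Delete temp directory
      # Runs whether or not the block above succeeded, so the copied
      # admin.kubeconfig never outlives the play.
      file:
        path: "{{ router_cert_redeploy_tempdir.stdout }}"
        state: absent
      changed_when: false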