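---
# Wire the API aggregator into the masters: create the front-proxy signer CA
# and the aggregator-front-proxy client credentials on the first master,
# distribute both to every master, point master-config.yaml at them and
# restart the master services.  Private key material passes through a
# temporary directory on the managed host and, because of `fetch`, through
# the same path on the controller; both are removed at the end.

- name: Make temp cert dir
  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
  register: certtemp
  changed_when: false

# The signer pair is only ever created on the first master, so both
# existence checks are delegated there.
- name: Check for First Master Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: first_proxy_ca_crt
  changed_when: false
  delegate_to: "{{ groups.oo_first_master.0 }}"

# Stats the .key file.  Previously this stat'ed front-proxy-ca.crt a second
# time, so a missing signer key was never detected.
- name: Check for First Master Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.key
  register: first_proxy_ca_key
  changed_when: false
  delegate_to: "{{ groups.oo_first_master.0 }}"

# TODO: this currently has a bug where hostnames are required
# NOTE(review): both conditions must hold, so a cert that exists without its
# key (or vice versa) is left as-is rather than regenerated — confirm that a
# half-present pair should not trigger regeneration.
- name: Creating First Master Aggregator signer certs
  command: >
    {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm ca create-signer-cert
    --cert=/etc/origin/master/front-proxy-ca.crt
    --key=/etc/origin/master/front-proxy-ca.key
    --serial=/etc/origin/master/ca.serial.txt
  delegate_to: "{{ groups.oo_first_master.0 }}"
  when:
  - not first_proxy_ca_crt.stat.exists
  - not first_proxy_ca_key.stat.exists

# Same checks on the current master, which decide whether the pair has to
# be copied over from the first master.
- name: Check for Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: proxy_ca_crt
  changed_when: false

# Stats the .key file (was front-proxy-ca.crt, same copy/paste defect as above).
- name: Check for Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.key
  register: proxy_ca_key
  changed_when: false

# fetch writes to the controller: the signer cert AND private key land under
# the certtemp path on the machine running ansible, not on the master.
- name: Copy Aggregator Signer certs from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: true
  with_items:
  - front-proxy-ca.crt
  - front-proxy-ca.key
  delegate_to: "{{ groups.oo_first_master.0 }}"
  when:
  - not proxy_ca_key.stat.exists
  - not proxy_ca_crt.stat.exists

# NOTE(review): no mode is set, so newly created files get the umask default;
# the .key item should probably be 0600 — confirm against how the existing
# master key files are permissioned before tightening.
- name: Copy Aggregator Signer certs to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
  with_items:
  - front-proxy-ca.crt
  - front-proxy-ca.key
  when:
  - not proxy_ca_key.stat.exists
  - not proxy_ca_crt.stat.exists

#  oc_adm_ca_server_cert:
#    cert: /etc/origin/master/front-proxy-ca.crt
#    key: /etc/origin/master/front-proxy-ca.key

- name: Check for first master api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: first_front_proxy_kubeconfig
  delegate_to: "{{ groups.oo_first_master.0 }}"
  run_once: true

# create-api-client-config generates a ca.crt file which will
# overwrite the OpenShift CA certificate.  Generate the aggregator
# kubeconfig in a temporary directory and then copy files into the
# master config dir to avoid overwriting ca.crt.
- block:
  - name: Create first master api-client config for Aggregator
    command: >
      {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm create-api-client-config
      --certificate-authority=/etc/origin/master/front-proxy-ca.crt
      --signer-cert=/etc/origin/master/front-proxy-ca.crt
      --signer-key=/etc/origin/master/front-proxy-ca.key
      --user aggregator-front-proxy
      --client-dir={{ certtemp.stdout }}
      --signer-serial=/etc/origin/master/ca.serial.txt
    delegate_to: "{{ groups.oo_first_master.0 }}"
    run_once: true
  # Only the three aggregator files are copied; the generated ca.crt is
  # deliberately left behind in the temp dir.
  - name: Copy first master api-client config for Aggregator
    copy:
      src: "{{ certtemp.stdout }}/{{ item }}"
      dest: "/etc/origin/master/"
      remote_src: true
    with_items:
    - aggregator-front-proxy.crt
    - aggregator-front-proxy.key
    - aggregator-front-proxy.kubeconfig
    delegate_to: "{{ groups.oo_first_master.0 }}"
    run_once: true
  when:
  - not first_front_proxy_kubeconfig.stat.exists

- name: Check for api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: front_proxy_kubeconfig

# As above, the client key is fetched to the controller before being pushed
# to this master.
- name: Copy api-client config from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: true
  delegate_to: "{{ groups.oo_first_master.0 }}"
  with_items:
  - aggregator-front-proxy.crt
  - aggregator-front-proxy.key
  - aggregator-front-proxy.kubeconfig
  when:
  - not front_proxy_kubeconfig.stat.exists

- name: Copy api-client config to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
  with_items:
  - aggregator-front-proxy.crt
  - aggregator-front-proxy.key
  - aggregator-front-proxy.kubeconfig
  when:
  - not front_proxy_kubeconfig.stat.exists

# Removes the temp dir on the managed host only.
- name: Delete temp directory
  file:
    name: "{{ certtemp.stdout }}"
    state: absent
  changed_when: false

# The fetch tasks above created the same path on the controller, holding the
# signer and client private keys; remove it there too so the key material
# does not linger in the controller's /tmp.  become is disabled because the
# fetched files are owned by the user running ansible.
- name: Delete temp directory on controller
  file:
    name: "{{ certtemp.stdout }}"
    state: absent
  delegate_to: localhost
  become: false
  changed_when: false

- name: Setup extension file for service console UI
  template:
    src: ../templates/openshift-ansible-catalog-console.js
    dest: /etc/origin/master/openshift-ansible-catalog-console.js

# Point the master at the aggregator client credentials, configure
# request-header authentication against the front-proxy CA, register the
# console extension, enable the settings.k8s.io v1alpha1 API and turn on the
# PodPreset admission plugin.  `yedit_output.changed` gates the restarts below.
- name: Update master config
  yedit:
    state: present
    src: /etc/origin/master/master-config.yaml
    edits:
    - key: aggregatorConfig.proxyClientInfo.certFile
      value: aggregator-front-proxy.crt
    - key: aggregatorConfig.proxyClientInfo.keyFile
      value: aggregator-front-proxy.key
    - key: authConfig.requestHeader.clientCA
      value: front-proxy-ca.crt
    - key: authConfig.requestHeader.clientCommonNames
      value: [aggregator-front-proxy]
    - key: authConfig.requestHeader.usernameHeaders
      value: [X-Remote-User]
    - key: authConfig.requestHeader.groupHeaders
      value: [X-Remote-Group]
    - key: authConfig.requestHeader.extraHeaderPrefixes
      value: [X-Remote-Extra-]
    - key: assetConfig.extensionScripts
      value: [/etc/origin/master/openshift-ansible-catalog-console.js]
    - key: kubernetesMasterConfig.apiServerArguments.runtime-config
      value: [apis/settings.k8s.io/v1alpha1=true]
    - key: admissionConfig.pluginConfig.PodPreset.configuration.kind
      value: DefaultAdmissionConfig
    - key: admissionConfig.pluginConfig.PodPreset.configuration.apiVersion
      value: v1
    - key: admissionConfig.pluginConfig.PodPreset.configuration.disable
      value: false
  register: yedit_output

# restart master serially here
- name: restart master api
  systemd:
    name: "{{ openshift.common.service_type }}-master-api"
    state: restarted
  when:
  - yedit_output.changed

# We retry the controllers because the API may not be 100% initialized yet.
- name: restart master controllers
  command: "systemctl restart {{ openshift.common.service_type }}-master-controllers"
  retries: 3
  delay: 5
  register: result
  until: result.rc == 0
  when:
  - yedit_output.changed

- name: Verify API Server
  # Using curl here since the uri module requires python-httplib2 and
  # wait_for port doesn't provide health information.
  # The cluster CA bundle is pinned with --cacert, so the readiness probe
  # verifies the API server's certificate rather than skipping TLS checks.
  command: >
    curl --silent --tlsv1.2
    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
    {{ openshift.master.api_url }}/healthz/ready
  args:
    # Disables the following warning:
    # Consider using get_url or uri module rather than running curl
    warn: false
  register: api_available_output
  until: api_available_output.stdout == 'ok'
  retries: 120
  delay: 1
  changed_when: false
  when:
  - yedit_output.changed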