---
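# Every delegated task in this role runs on openshift_ca_host, so it must be
# set before anything else happens. Named so the failure is identifiable in
# play output.
- name: Verify that openshift_ca_host is defined
  fail:
    msg: "openshift_ca_host variable must be defined for this role"
  when: openshift_ca_host is not defined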

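# A user-supplied CA must provide both halves of the key pair; checking here
# fails fast instead of at the point where the certificate or key is used.
# The condition is folded (>-) purely for line length; it renders to the same
# single-line expression.
- name: Verify that a user-supplied CA provides both certfile and keyfile
  fail:
    msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
  when: >-
    openshift_master_ca_certificate is defined
    and ('certfile' not in openshift_master_ca_certificate
    or 'keyfile' not in openshift_master_ca_certificate)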

# Install the admin tooling package on the CA host only (run_once + delegate).
# Skipped on containerized installs. `until` without explicit retries/delay
# falls back to Ansible's defaults, so a transient package-manager failure is
# retried a few times before the play fails.
- name: Install the base package for admin tooling
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  when: not openshift_is_containerized | bool
  package:
    state: present
    name: "{{ openshift_service_type }}{{ openshift_pkg_version | default('') | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}"
  register: install_result
  until: install_result is succeeded

# Refresh generated facts whenever the package install on the CA host changed
# something. The default() guard keeps the expression valid on hosts where
# install_result is not defined for the CA host.
- name: Reload generated facts
  openshift_facts:
  when: hostvars[openshift_ca_host].install_result | default({'changed':false}) is changed

# Make sure the directory that will hold the CA material exists on the CA
# host. No mode/owner is set, so a newly created directory gets whatever the
# remote umask yields.
# NOTE(review): the CA private key is written into this directory below;
# confirm the default directory permissions on the CA host are acceptable.
- name: Create openshift_ca_config_dir if it does not exist
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  file:
    state: directory
    path: "{{ openshift_ca_config_dir }}"

# Stat the three files that make up an existing CA on the CA host. The
# per-item results are registered and reduced to master_ca_missing next.
- name: Determine if CA must be created
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  stat:
    path: "{{ openshift_ca_config_dir }}/{{ item }}"
  with_items: ['ca-bundle.crt', 'ca.crt', 'ca.key']
  register: g_master_ca_stat_result

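# master_ca_missing is true when any of the stat results above reports a
# missing file (stat.exists == False). The folded scalar renders to one
# Jinja expression.
# NOTE(review): the task is run_once; this relies on Ansible propagating the
# fact from a run_once task to every host in the play — confirm for the
# Ansible version in use.
- name: Record whether the CA needs to be created
  set_fact:
    master_ca_missing: >-
      {{ False in (g_master_ca_stat_result.results
      | lib_utils_oo_collect(attribute='stat.exists')
      | list) }}
  run_once: true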

# On a certificate redeploy, save copies (*.keep) of the serviceaccount
# signing keys before the certificate-generation tasks below run; they are
# restored and the copies removed at the end of this file. Unlike most tasks
# here this one is neither delegated to the CA host nor run_once, so it runs
# on every host in the play.
- name: Retain original serviceaccount keys
  when: openshift_certificates_redeploy | default(false) | bool
  copy:
    remote_src: true
    src: '{{ item }}'
    dest: '{{ item }}.keep'
  with_items:
  - '{{ openshift_ca_config_dir }}/serviceaccounts.private.key'
  - '{{ openshift_ca_config_dir }}/serviceaccounts.public.key'

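# Install a user-supplied CA key pair (openshift_master_ca_certificate) into
# the CA config dir on the CA host. force: false means an existing ca.crt or
# ca.key is never overwritten. The private key gets an explicit restrictive
# mode so a freshly copied CA key is not left readable by every local user;
# the certificate has no per-item mode, so `omit` leaves the module default.
# The default({...: none}) guards keep the item list templatable when the
# variable is undefined (the task is then skipped by `when`).
- name: Deploy master ca certificate
  copy:
    src: "{{ item.src }}"
    dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
    mode: "{{ item.mode | default(omit) }}"
    force: false
  with_items:
  - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
    dest: ca.crt
  - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
    dest: ca.key
    mode: "0600"
  when: openshift_master_ca_certificate is defined
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true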

# Seed the CA serial file next to a user-supplied CA. force is true only on
# a certificate redeploy, so an existing serial file is otherwise left alone.
# NOTE(review): on a redeploy the serial restarts at 00 while the same
# user-supplied CA may still be in use; confirm that reissued certificates
# cannot reuse a serial already issued under that CA.
- name: Create ca serial
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  when: openshift_master_ca_certificate is defined
  copy:
    dest: '{{ openshift_ca_config_dir }}/ca.serial.txt'
    content: '00'
    force: '{{ openshift_certificates_redeploy | default(false) | bool }}'

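# Collect CA certificates left from a previous CA rollover (legacy-ca) so
# they can be passed as extra --certificate-authority arguments and bundled
# into client-ca-bundle.crt below.
# NOTE(review): this task is not delegated and has no run_once, so the result
# is registered per host; the delegated run_once consumers below are templated
# with the registered value of the host running the play, which is not
# necessarily openshift_ca_host — confirm the legacy-ca contents match.
- name: Find legacy CA certificates
  find:
    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
    patterns: ".*-ca.crt"
    use_regex: true
  register: g_master_legacy_ca_result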

# Generate the CA and master certificates on the CA host. The CA files of any
# named certificates and any legacy CA certs found above are passed as extra
# --certificate-authority arguments.
# This should NOT replace the CA due to --overwrite=false when a CA already exists.
# Runs when one of ca-bundle.crt/ca.crt/ca.key is missing or on an explicit
# certificate redeploy; on a redeploy --overwrite=false still leaves any
# existing files in place — presumably the redeploy playbook removes them
# beforehand (confirm).
- name: Create the master certificates if they do not already exist
  command: >
    {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm ca create-master-certs
    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
    --certificate-authority {{ legacy_ca_certificate }}
    {% endfor %}
    --hostnames={{ hostvars[openshift_ca_host].openshift.common.all_hostnames | join(',') }}
    --master={{ openshift.master.api_url }}
    --public-master={{ openshift.master.public_api_url }}
    --cert-dir={{ openshift_ca_config_dir }}
    --expire-days={{ openshift_master_cert_expire_days }}
    --signer-expire-days={{ openshift_ca_cert_expire_days }}
    --overwrite=false
  when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

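# Create client-ca-bundle.crt containing old and new OpenShift CA
# certificates. This bundle will be used when rolling the OpenShift CA
# certificate. The legacy CA files found above and the current ca.crt are
# staged in a temporary directory on the CA host, concatenated with
# `assemble`, and the staging directory is removed afterwards.
- name: Create client-ca-bundle.crt
  block:
  # run_once so every host registers the same directory and only one temp
  # dir is created on the CA host; the run_once steps below would otherwise
  # use only the first host's value and leave the others behind.
  - command: mktemp -d /tmp/openshift-ansible-XXXXXX
    register: openshift_ca_clientconfig_tmpdir
    delegate_to: "{{ openshift_ca_host }}"
    run_once: true
  - copy:
      src: "{{ item }}"
      dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/"
      remote_src: true
    with_items: "{{ g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') }}"
    delegate_to: "{{ openshift_ca_host }}"
    run_once: true
  - copy:
      src: "{{ openshift_ca_config_dir }}/ca.crt"
      dest: "{{ openshift_ca_clientconfig_tmpdir.stdout }}/"
      remote_src: true
    delegate_to: "{{ openshift_ca_host }}"
    run_once: true
  # mode is quoted so the octal string is not reinterpreted by a YAML parser
  # that does not treat a leading 0 as octal.
  - assemble:
      src: "{{ openshift_ca_clientconfig_tmpdir.stdout }}"
      dest: "{{ openshift_ca_config_dir }}/client-ca-bundle.crt"
      mode: "0644"
      owner: root
      group: root
    delegate_to: "{{ openshift_ca_host }}"
    run_once: true
  # The staging directory is not needed once the bundle is assembled.
  - file:
      path: "{{ openshift_ca_clientconfig_tmpdir.stdout }}"
      state: absent
    delegate_to: "{{ openshift_ca_host }}"
    run_once: true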

# Dump the loopback kubeconfig so the next block can check whether the
# loopback context already exists. Read-only, hence changed_when: false.
- name: Test local loopback context
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true
  changed_when: false
  register: loopback_config
  command: >
    {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} config view
    --config={{ openshift_master_loopback_config }}

# create-api-client-config generates a ca.crt file which will
# overwrite the OpenShift CA certificate.  Generate the loopback
# kubeconfig in a temporary directory and then copy files into the
# master config dir to avoid overwriting ca.crt.
#
# The whole block is delegated to the CA host, runs once, and is skipped
# when loopback_context_string already appears in the `config view` output
# captured by the previous task.
- block:
  # Fresh directory under /tmp; the tasks below reuse its registered stdout.
  - name: Create temp directory for loopback master client config
    command: mktemp -d /tmp/openshift-ansible-XXXXXX
    register: openshift_ca_loopback_tmpdir
  # Issue an openshift-master client cert/key signed by the CA
  # (--signer-cert/--signer-key/--signer-serial) and a kubeconfig for it;
  # named-certificate CA files are added as extra --certificate-authority
  # arguments.
  - name: Generate the loopback master client config
    command: >
      {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm create-api-client-config
        --certificate-authority={{ openshift_ca_cert }}
        {% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
        --certificate-authority {{ named_ca_certificate }}
        {% endfor %}
        --client-dir={{ openshift_ca_loopback_tmpdir.stdout }}
        --groups=system:masters,system:openshift-master
        --master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
        --public-master={{ hostvars[openshift_ca_host].openshift.master.loopback_api_url }}
        --signer-cert={{ openshift_ca_cert }}
        --signer-key={{ openshift_ca_key }}
        --signer-serial={{ openshift_ca_serial }}
        --user=system:openshift-master
        --basename=openshift-master
        --expire-days={{ openshift_master_cert_expire_days }}
  # Only the three generated client files are copied, which is what keeps the
  # tool-generated ca.crt from replacing the real CA certificate.
  # NOTE(review): no mode is set for the copied openshift-master.key — confirm
  # the resulting permissions in the config dir are restrictive enough.
  - name: Copy generated loopback master client config to master config dir
    copy:
      src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}"
      dest: "{{ openshift_ca_config_dir }}"
      remote_src: true
    with_items:
    - openshift-master.crt
    - openshift-master.key
    - openshift-master.kubeconfig
  # Remove the staging directory (it still holds the generated key material).
  - name: Delete temp directory
    file:
      name: "{{ openshift_ca_loopback_tmpdir.stdout }}"
      state: absent
  when: loopback_context_string not in loopback_config.stdout
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

# Counterpart of "Retain original serviceaccount keys": after the certificate
# tasks above, put the saved (*.keep) serviceaccount signing keys back
# (presumably so existing service-account tokens keep verifying — confirm).
# Like the retain task, this runs on every host in the play: not delegated,
# no run_once.
- name: Restore original serviceaccount keys
  when: openshift_certificates_redeploy | default(false) | bool
  copy:
    remote_src: true
    src: '{{ item }}.keep'
    dest: '{{ item }}'
  with_items:
  - '{{ openshift_ca_config_dir }}/serviceaccounts.private.key'
  - '{{ openshift_ca_config_dir }}/serviceaccounts.public.key'

# Drop the *.keep backups created by "Retain original serviceaccount keys"
# now that they have been restored; leaving a spare copy of the private
# signing key around is not wanted. Runs on every host in the play, like the
# other two serviceaccount-key tasks.
- name: Remove backup serviceaccount keys
  when: openshift_certificates_redeploy | default(false) | bool
  file:
    state: absent
    path: '{{ item }}.keep'
  with_items:
  - '{{ openshift_ca_config_dir }}/serviceaccounts.private.key'
  - '{{ openshift_ca_config_dir }}/serviceaccounts.public.key'