---
# Certificates this role expects to find in openshift_master_config_dir.
# The master.etcd-client cert is kept in its own list because it is only
# required when external etcd hosts are configured (see the union below).
- set_fact:
    openshift_master_certs_no_etcd:
    - admin.crt
    - master.kubelet-client.crt
    - master.proxy-client.crt
    - master.server.crt
    - openshift-master.crt
    - openshift-registry.crt
    - openshift-router.crt
    - etcd.server.crt
    openshift_master_certs_etcd:
    - master.etcd-client.crt

# Build the final expected-cert list: the etcd client cert is added only
# when openshift_master_etcd_hosts is non-empty (external etcd in use).
- set_fact:
    openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"

# Stat each expected certificate on this master so missing ones can be
# detected. Skipped entirely on a forced redeploy, where every cert is
# treated as missing regardless of what is on disk.
- name: Check status of master certificates
  stat:
    path: "{{ openshift_master_config_dir }}/{{ item }}"
  with_items: "{{ openshift_master_certs }}"
  register: g_master_cert_stat_result
  when: not (openshift_certificates_redeploy | default(false) | bool)

# master_certs_missing is true on a forced redeploy, otherwise true when any
# stat result reported stat.exists == False. The default({}) keeps the
# expression safe when the stat task above was skipped.
- set_fact:
    master_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
                              else (False in (g_master_cert_stat_result.results
                                              | default({})
                                              | lib_utils_oo_collect(attribute='stat.exists')
                                              | list)) }}"

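# Per-master staging directory on the CA host where the certs to ship are
# collected. Owner-only permissions because private keys are placed here.
# The mode is quoted so the YAML parser cannot retype the octal literal.
- name: Ensure the generated_configs directory present
  file:
    path: "{{ openshift_master_generated_config_dir }}"
    state: directory
    mode: "0700"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"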

# Collect any legacy CA certificates on the CA host; each match is later
# passed as an extra --certificate-authority to create-server-cert.
# NOTE(review): the regex is unanchored at the end and uses an unescaped
# '.', so it also matches names such as "x-caXcrt"; a stricter pattern would
# be ".*-ca\\.crt$" if the directory can hold other files.
- find:
    paths: "{{ openshift_master_config_dir }}/legacy-ca/"
    patterns: ".*-ca.crt"
    use_regex: true
  register: g_master_legacy_ca_result
  delegate_to: "{{ openshift_ca_host }}"

# Issue the serving certificate for every master that is missing certs,
# signed by the cluster CA on the CA host. The SAN list comes from
# all_hostnames of the target master so the cert is valid for each name it is
# reachable by. Named and legacy CA certs are included as additional
# certificate authorities. --overwrite=false keeps an existing cert in place.
- name: Create the master server certificate
  command: >
    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
    {% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
    --certificate-authority {{ legacy_ca_certificate }}
    {% endfor %}
    --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
    --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
    --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
    --expire-days={{ openshift_master_cert_expire_days }}
    --signer-cert={{ openshift_ca_cert }}
    --signer-key={{ openshift_ca_key }}
    --signer-serial={{ openshift_ca_serial }}
    --overwrite=false
  # The CA host's own certs are managed elsewhere; skip it here.
  when: item != openshift_ca_host
  # Only masters whose master_certs_missing fact is true are iterated.
  with_items: "{{ hostvars
                  | lib_utils_oo_select_keys(groups['oo_masters_to_config'])
                  | lib_utils_oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}"
  # Runs once, on the CA host, for all selected masters.
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

# Generate the kubeconfig the master uses to talk to its own API over the
# loopback URL. The client identity is placed in system:masters, i.e. it is
# a fully privileged credential and must stay in the staging directory.
# `creates` makes the task a no-op once the kubeconfig exists.
- name: Generate the loopback master client config
  command: >
    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
      --certificate-authority={{ openshift_ca_cert }}
      {% for named_ca_certificate in openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
      --certificate-authority {{ named_ca_certificate }}
      {% endfor %}
      --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
      --groups=system:masters,system:openshift-master
      --master={{ hostvars[item].openshift.master.loopback_api_url }}
      --public-master={{ hostvars[item].openshift.master.loopback_api_url }}
      --signer-cert={{ openshift_ca_cert }}
      --signer-key={{ openshift_ca_key }}
      --signer-serial={{ openshift_ca_serial }}
      --user=system:openshift-master
      --basename=openshift-master
      --expire-days={{ openshift_master_cert_expire_days }}
  args:
    creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
  # Only masters whose master_certs_missing fact is true are iterated.
  with_items: "{{ hostvars
                  | lib_utils_oo_select_keys(groups['oo_masters_to_config'])
                  | lib_utils_oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}"
  when: item != openshift_ca_host
  # Runs once, on the CA host, for all selected masters.
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

# Hard-link the shared certificates from the CA host's own master config dir
# into this master's staging directory. Hard links require both paths to be
# on the same filesystem; force replaces any stale entry already there.
# The file list is produced by the project's certificates_to_synchronize
# filter from this host's hostvars.
- file:
    src: "{{ openshift_master_config_dir }}/{{ item }}"
    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: hard
    force: true
  with_items: "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"

# With external etcd, the etcd client credentials in the staging dir are not
# the ones this master should use, so they are dropped before the bundle is
# shipped (presumably the etcd role issues per-master client certs; confirm).
# This also avoids copying the CA host's etcd client key to other masters.
- name: Remove generated etcd client certs when using external etcd
  file:
    path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
    state: absent
  when: openshift_master_etcd_hosts | length > 0
  with_items:
  - master.etcd-client.crt
  - master.etcd-client.key
  delegate_to: "{{ openshift_ca_host }}"

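# Private temp directory on the controller used to stage the cert tarball
# while it is moved from the CA host to this master. mktemp creates it
# owner-only. When skipped, g_master_certs_mktemp.stdout is undefined, so
# every consumer below carries the same master_certs_missing guard.
- name: Create local temp directory for syncing certs
  command: mktemp -d /tmp/openshift-ansible-XXXXXXX
  register: g_master_certs_mktemp
  changed_when: false
  when: master_certs_missing | bool
  delegate_to: localhost
  become: false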

# Bundle the staging directory (certs and private keys) into a tarball next
# to it on the CA host.
# NOTE(review): `creates` means an existing tarball is reused as-is, so it
# could be stale if the staging dir was refreshed without removing the
# .tgz — confirm the redeploy playbooks clean it up.
- name: Create a tarball of the master certs
  command: >
    tar -czvf {{ openshift_master_generated_config_dir }}.tgz
      -C {{ openshift_master_generated_config_dir }} .
  args:
    creates: "{{ openshift_master_generated_config_dir }}.tgz"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"

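# Pull the tarball from the CA host into the controller's temp directory.
# flat drops the hostname/path prefix fetch normally adds, fail_on_missing
# turns a missing source into a task failure rather than a silent skip, and
# validate_checksum verifies the transferred copy. Booleans are written as
# true/false rather than yes/no for portability across YAML parsers.
- name: Retrieve the master cert tarball from the master
  fetch:
    src: "{{ openshift_master_generated_config_dir }}.tgz"
    dest: "{{ g_master_certs_mktemp.stdout }}/"
    flat: true
    fail_on_missing: true
    validate_checksum: true
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
  delegate_to: "{{ openshift_ca_host }}"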

# Make sure the master config dir exists on this master before extracting
# into it. No mode is set here; the directory keeps whatever the file module
# and umask give it.
- name: Ensure certificate directory exists
  file:
    path: "{{ openshift_master_config_dir }}"
    state: directory
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host

# Copy the fetched tarball from the controller temp dir to this master and
# extract it into the config directory (src is a controller path; remote_src
# is not set). The tarball name is derived from openshift_master_cert_subdir,
# presumably the basename of openshift_master_generated_config_dir — confirm
# against the role's vars.
- name: Unarchive the tarball on the master
  unarchive:
    src: "{{ g_master_certs_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
    dest: "{{ openshift_master_config_dir }}"
  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host

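# Remove the controller temp directory holding the cert tarball once it has
# been delivered. Guarded by the same condition as its creation so the
# register is defined whenever this runs.
- name: Delete local temp directory
  file:
    path: "{{ g_master_certs_mktemp.stdout }}"
    state: absent
  changed_when: false
  when: master_certs_missing | bool
  delegate_to: localhost
  become: false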

# Resolve the primary GID of the SSH user for later chgrp of the kube config.
# `quote` keeps a user name with unusual characters as a single argument.
- name: Lookup default group for ansible_ssh_user
  command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}"
  changed_when: false
  register: _ansible_ssh_user_gid

# Users that receive a copy of the admin kubeconfig; unique collapses the
# list when the SSH user is root.
- set_fact:
    client_users: "{{ [ansible_ssh_user, 'root'] | unique }}"

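# Create ~/.kube for each client user, owner-only since it will hold admin
# credentials. Group is the user's primary GID looked up above (root for
# root). The mode is quoted so the YAML parser cannot retype the octal.
- name: Create the client config dir(s)
  file:
    path: "~{{ item }}/.kube"
    state: directory
    mode: "0700"
    owner: "{{ item }}"
    group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
  with_items: "{{ client_users }}"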

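# TODO: Update this file if the contents of the source file are not present in
# the dest file, will need to make sure to ignore things that could be added
# Install the admin kubeconfig (administrative credentials for the cluster)
# as ~/.kube/config for each client user. An existing config is left alone
# unless a certificate redeploy is in progress.
- name: Copy the admin client config(s)
  copy:
    src: "{{ openshift_master_config_dir }}/admin.kubeconfig"
    dest: "~{{ item }}/.kube/config"
    remote_src: true
    force: "{{ openshift_certificates_redeploy | default(false) }}"
  with_items: "{{ client_users }}"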
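# Restrict the copied admin kubeconfig to its owner. The mode is quoted so
# the YAML parser cannot retype the octal literal.
# NOTE(review): 0600 would suffice for a non-executable file; 0700 is kept
# to preserve the existing behavior.
- name: Update the permissions on the admin client config(s)
  file:
    path: "~{{ item }}/.kube/config"
    state: file
    mode: "0700"
    owner: "{{ item }}"
    group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
  with_items: "{{ client_users }}"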

# Ensure ca-bundle exists for 3.2+ configuration
# stat.exists is false (with no other stat fields) when the bundle is absent.
- name: Check for ca-bundle.crt
  stat:
    path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
  register: ca_bundle_stat
  failed_when: false

# Detect a pre-3.2 layout where only ca.crt exists. stat.isreg is only
# present in the result when the path exists.
- name: Check for ca.crt
  stat:
    path: "{{ openshift.common.config_base }}/master/ca.crt"
  register: ca_crt_stat
  failed_when: false

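# Rename a legacy ca.crt to ca-bundle.crt when no bundle exists yet.
# stat.isreg is absent when ca.crt does not exist, which would make the
# conditional itself error out; default(false) turns that into a skip.
- name: Migrate ca.crt to ca-bundle.crt
  command: mv ca.crt ca-bundle.crt
  args:
    chdir: "{{ openshift.common.config_base }}/master"
  when: ca_crt_stat.stat.isreg | default(false) and not ca_bundle_stat.stat.exists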

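# After the rename, keep ca.crt available as a symlink to ca-bundle.crt.
# Deliberately reuses the pre-migration stat results so it runs exactly when
# the rename above ran. stat.isreg is absent when ca.crt did not exist;
# default(false) keeps the conditional from erroring in that case.
- name: Link ca.crt to ca-bundle.crt
  file:
    src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
    path: "{{ openshift.common.config_base }}/master/ca.crt"
    state: link
  when: ca_crt_stat.stat.isreg | default(false) and not ca_bundle_stat.stat.exists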