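---
# Node certificate provisioning for an OpenShift node.
#
# Flow (all certificate generation happens on openshift_ca_host, which holds
# the CA signing key; the node itself never sees openshift_ca_key):
#   1. verify the CA certificate exists on openshift_ca_host
#   2. decide whether this node needs (re)generated certificates
#   3. on the CA host, generate the node client config and server cert for
#      every host in oo_nodes_to_config whose node_certs_missing fact is true
#   4. tar the generated directory, fetch it into a controller temp dir,
#      unarchive it onto the node, then remove the temp dir
#   5. add the OpenShift CA to the node's system CA trust
#
# Variables such as openshift_ca_cert, openshift_ca_key, openshift_ca_serial,
# openshift_generated_configs_dir, openshift_node_generated_config_dir,
# openshift_node_cert_subdir, openshift_node_cert_dir and
# openshift_node_cert_expire_days are not defined in this file; they are
# expected from the role's defaults/vars or the inventory.

- name: Ensure CA certificate exists on openshift_ca_host
  stat:
    path: "{{ openshift_ca_cert }}"
  register: g_ca_cert_stat_result
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

- name: Fail when the CA certificate is missing on openshift_ca_host
  fail:
    msg: >
      CA certificate {{ openshift_ca_cert }} doesn't exist on CA host
      {{ openshift_ca_host }}. Apply 'openshift_ca' role to
      {{ openshift_ca_host }}.
  when: not g_ca_cert_stat_result.stat.exists | bool
  run_once: true

# Skipped when a redeploy is forced; in that case the set_fact below does not
# consult these results (its conditional short-circuits to true).
- name: Check status of node certificates
  stat:
    path: "{{ openshift.common.config_base }}/node/{{ item }}"
  with_items:
  - "system:node:{{ openshift.common.hostname }}.crt"
  - "system:node:{{ openshift.common.hostname }}.key"
  - "system:node:{{ openshift.common.hostname }}.kubeconfig"
  - ca.crt
  - server.key
  - server.crt
  register: g_node_cert_stat_result
  when: not openshift_certificates_redeploy | default(false) | bool

# node_certs_missing is true when a redeploy is forced or when any one of the
# six files checked above is absent. The generation tasks below read this
# fact through hostvars to select which nodes get new certificates.
- name: Decide whether node certificates must be generated
  set_fact:
    node_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
                            else (False in (g_node_cert_stat_result.results
                                            | default({})
                                            | lib_utils_oo_collect(attribute='stat.exists')
                                            | list)) }}"

- name: Create openshift_generated_configs_dir if it does not exist
  file:
    path: "{{ openshift_generated_configs_dir }}"
    state: directory
    # Quoted so the value reaches the file module as the octal string 0700
    # regardless of whether the YAML parser follows 1.1 or 1.2 number rules.
    mode: "0700"
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

# Legacy CA certificates found on the master are passed as additional
# --certificate-authority arguments when the client config is generated.
- name: Find legacy CA certificates on openshift_ca_host
  find:
    paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
    patterns: ".*-ca.crt"
    use_regex: true
  register: g_master_legacy_ca_result
  delegate_to: "{{ openshift_ca_host }}"

# Runs once on the CA host and loops over every host in oo_nodes_to_config
# whose node_certs_missing fact is true, so a single invocation covers all
# nodes that need certificates. `creates` keeps the command idempotent per
# node: an existing node-<hostname> directory skips regeneration.
- name: Generate the node client config
  command: >
    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
    {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
    --certificate-authority {{ named_ca_certificate }}
    {% endfor %}
    {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
    --certificate-authority {{ legacy_ca_certificate }}
    {% endfor %}
    --certificate-authority={{ openshift_ca_cert }}
    --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}
    --groups=system:nodes
    --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
    --signer-cert={{ openshift_ca_cert }}
    --signer-key={{ openshift_ca_key }}
    --signer-serial={{ openshift_ca_serial }}
    --user=system:node:{{ hostvars[item].openshift.common.hostname }}
    --expire-days={{ openshift_node_cert_expire_days }}
  args:
    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
  with_items: "{{ hostvars
                  | lib_utils_oo_select_keys(groups['oo_nodes_to_config'])
                  | lib_utils_oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

# Same selection and delegation as the client config task. The serving cert
# is issued for the node's hostname, public hostname, IP and public IP.
# `creates` on server.crt means --overwrite=true only takes effect when the
# directory exists but server.crt does not.
- name: Generate the node server certificate
  command: >
    {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
    --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
    --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
    --expire-days={{ openshift_node_cert_expire_days }}
    --overwrite=true
    --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
    --signer-cert={{ openshift_ca_cert }}
    --signer-key={{ openshift_ca_key }}
    --signer-serial={{ openshift_ca_serial }}
  args:
    creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt"
  with_items: "{{ hostvars
                  | lib_utils_oo_select_keys(groups['oo_nodes_to_config'])
                  | lib_utils_oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
  delegate_to: "{{ openshift_ca_host }}"
  run_once: true

# Staging area on the controller for the fetched tarball, which contains the
# node's private keys. `mktemp -d` creates the directory accessible only to
# the invoking user; it is removed by the "Delete local temp directory" task.
- name: Create local temp directory for syncing certs
  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
  register: node_cert_mktemp
  changed_when: false
  when: node_certs_missing | bool
  become: false

# --transform rewrites the "system:<subdir>" path prefix inside the archive
# to "node" so the entries unpack into the node's cert directory.
# NOTE(review): the tarball is created with the CA host's umask and left in
# place after the fetch; it presumably lives under the 0700
# openshift_generated_configs_dir created above — confirm that is the
# intended protection for the bundled private keys.
- name: Create a tarball of the node config directories
  command: >
    tar -czvf {{ openshift_node_generated_config_dir }}.tgz
    --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
    -C {{ openshift_node_generated_config_dir }} .
  args:
    creates: "{{ openshift_node_generated_config_dir }}.tgz"
    # Disables the following warning:
    # Consider using unarchive module rather than running tar
    warn: false
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

# fail_on_missing and validate_checksum make a missing or corrupted tarball a
# hard failure rather than a silent no-op on the node.
- name: Retrieve the node config tarballs from the master
  fetch:
    src: "{{ openshift_node_generated_config_dir }}.tgz"
    dest: "{{ node_cert_mktemp.stdout }}/"
    flat: true
    fail_on_missing: true
    validate_checksum: true
  when: node_certs_missing | bool
  delegate_to: "{{ openshift_ca_host }}"

# NOTE(review): no mode is set, so a newly created directory follows the
# node's umask; confirm that is acceptable for a directory that will hold
# server.key and the node client key.
- name: Ensure certificate directory exists
  file:
    path: "{{ openshift_node_cert_dir }}"
    state: directory
  when: node_certs_missing | bool

# src is on the controller (the temp dir populated by fetch); file modes of
# the extracted entries are whatever was archived on the CA host.
- name: Unarchive the tarball on the node
  unarchive:
    src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
    dest: "{{ openshift_node_cert_dir }}"
  when: node_certs_missing | bool

- name: Delete local temp directory
  local_action:
    module: file
    path: "{{ node_cert_mktemp.stdout }}"
    state: absent
  changed_when: false
  when: node_certs_missing | bool
  become: false

# The "update ca trust" handler is expected to be provided elsewhere in the
# role (its handlers); it is not defined in this file.
- name: Copy OpenShift CA to system CA trust
  copy:
    src: "{{ item.cert }}"
    dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
    remote_src: true
  with_items:
  - id: openshift
    cert: "{{ openshift_node_cert_dir }}/ca.crt"
  notify:
  - update ca trust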