summaryrefslogtreecommitdiffstats
path: root/playbooks/common
diff options
context:
space:
mode:
authorAndrew Butcher <abutcher@redhat.com>2016-09-13 16:33:26 -0400
committerAndrew Butcher <abutcher@redhat.com>2016-09-14 10:47:04 -0400
commit3e5d38caf39d53c917a78542a04ebb6a109e7e6f (patch)
tree11d949640205db7c43269fcb73c49e2b74a75e2e /playbooks/common
parente1ce7d7b305cf5dc2cd7077a462416155fc89be7 (diff)
downloadopenshift-3e5d38caf39d53c917a78542a04ebb6a109e7e6f.tar.gz
openshift-3e5d38caf39d53c917a78542a04ebb6a109e7e6f.tar.bz2
openshift-3e5d38caf39d53c917a78542a04ebb6a109e7e6f.tar.xz
openshift-3e5d38caf39d53c917a78542a04ebb6a109e7e6f.zip
[upgrade] Create/configure service signer cert when missing.
Diffstat (limited to 'playbooks/common')
-rw-r--r--playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml69
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade.yml24
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml10
3 files changed, 102 insertions, 1 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
new file mode 100644
index 000000000..e8a20aa2b
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
@@ -0,0 +1,69 @@
+---
+- name: Create local temp directory for syncing certs
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: local_cert_sync_tmpdir
+ changed_when: false
+
+- name: Create service signer certificate
+ hosts: oo_first_master
+ tasks:
+ - name: Create remote temp directory for creating certs
+ command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: remote_cert_create_tmpdir
+ changed_when: false
+
+ - name: Create service signer certificate
+ command: >
+ {{ openshift.common.admin_binary }} ca create-signer-cert
+ --cert=service-signer.crt
+ --key=service-signer.key
+ --name=openshift-service-serving-signer
+ --serial=service-signer.serial.txt
+ args:
+ chdir: "{{ remote_cert_create_tmpdir.stdout }}/"
+
+ - name: Retrieve service signer certificate
+ fetch:
+ src: "{{ remote_cert_create_tmpdir.stdout }}/{{ item }}"
+ dest: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ with_items:
+ - "service-signer.crt"
+ - "service-signer.key"
+
+ - name: Delete remote temp directory
+ file:
+ name: "{{ remote_cert_create_tmpdir.stdout }}"
+ state: absent
+ changed_when: false
+
+- name: Deploy service signer certificate
+ hosts: oo_masters_to_config
+ tasks:
+ - name: Deploy service signer certificate
+ copy:
+ src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item }}"
+ dest: "{{ openshift.common.config_base }}/master/"
+ with_items:
+ - "service-signer.crt"
+ - "service-signer.key"
+
+- name: Delete local temp directory
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - name: Delete local temp directory
+ file:
+ name: "{{ local_cert_sync_tmpdir.stdout }}"
+ state: absent
+ changed_when: false
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
index e8bf133e6..ba4fc63be 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
@@ -34,7 +34,7 @@
###############################################################################
# Upgrade Masters
###############################################################################
-- name: Upgrade master
+- name: Upgrade master packages
hosts: oo_masters_to_config
handlers:
- include: ../../../../roles/openshift_master/handlers/main.yml
@@ -45,6 +45,28 @@
- include: rpm_upgrade.yml component=master
when: not openshift.common.is_containerized | bool
+- name: Determine if service signer cert must be created
+ hosts: oo_first_master
+ tasks:
+ - name: Determine if service signer certificate must be created
+ stat:
+ path: "{{ openshift.common.config_base }}/master/service-signer.crt"
+ register: service_signer_cert_stat
+ changed_when: false
+
+# Create service signer cert when missing. Service signer certificate
+# is added to master config in the master config hook for v3_3.
+- include: create_service_signer_cert.yml
+ when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
+
+- name: Upgrade master config and systemd units
+ hosts: oo_masters_to_config
+ handlers:
+ - include: ../../../../roles/openshift_master/handlers/main.yml
+ static: yes
+ roles:
+ - openshift_facts
+ tasks:
- include: "{{ master_config_hook }}"
when: master_config_hook is defined
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
index 641e7cafc..684eea343 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
@@ -38,3 +38,13 @@
dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.qps'
yaml_value: 300
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.servicesServingCert.signer.certFile'
+ yaml_value: service-signer.crt
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile'
+ yaml_value: service-signer.key