Merge pull request #6031 from abutcher/temporary-servinginfo-clientca

Automatic merge from submit-queue. Temporarily set master servingInfo.clientCA as client-ca-bundle.crt during rolling CA redeployment. This PR temporarily configures master `servingInfo.clientCA` as `client-ca-bundle.crt` during CA redeploy so that clients referencing the old OpenShift CA can continue to function until all cluster certificates have been replaced and `servingInfo.clientCA` is reset to `ca.crt`. `client-ca-bundle.crt` is a new bundle created by the `openshift_ca` role which contains old and new OpenShift CA certificates. https://bugzilla.redhat.com/show_bug.cgi?id=1509124 Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1493276
author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> 2017-11-06 19:39:48 -0800
committer: GitHub <noreply@github.com> 2017-11-06 19:39:48 -0800
commit: 7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1 (patch)
tree: 9e30cba6a3aba2ac02f8411b1f5deba115ece8e8 /playbooks
parent: 3d1677e3e2db0cac168e9cdec692506ed86f32d2 (diff)
parent: 89fcbb72447ab74b440c15d1e35a1dd10cef1c49 (diff)
download: openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.gz
openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.bz2
openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.xz
openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.zip
3 files changed, 30 insertions, 5 deletions
diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
index 255b0dbf7..f53d34145 100644
--- a/playbooks/byo/openshift-cluster/redeploy-certificates.yml
+++ b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
@@ -42,3 +42,7 @@
 
 - include: ../../common/openshift-cluster/redeploy-certificates/registry.yml
   when: openshift_hosted_manage_registry | default(true) | bool
+
+- include: ../../common/openshift-master/revert-client-ca.yml
+
+- include: ../../common/openshift-master/restart.yml
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
index 2068ed199..e22c8cbdb 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
@@ -43,11 +43,6 @@
     when: (g_master_config_output.content|b64decode|from_yaml).oauthConfig.masterCA != 'ca-bundle.crt'
   - modify_yaml:
       dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
-      yaml_key: servingInfo.clientCA
-      yaml_value: ca.crt
-    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt'
-  - modify_yaml:
-      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
       yaml_key: etcdClientInfo.ca
       yaml_value: ca-bundle.crt
     when:
@@ -67,6 +62,13 @@
     when:
     - groups.oo_etcd_to_config | default([]) | length == 0
     - (g_master_config_output.content|b64decode|from_yaml).etcdConfig.servingInfo.clientCA != 'ca-bundle.crt'
+  # Set servingInfo.clientCA to client-ca-bundle.crt in order to roll the CA certificate.
+  # This change will be reverted in playbooks/byo/openshift-cluster/redeploy-certificates.yml
+  - modify_yaml:
+      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+      yaml_key: servingInfo.clientCA
+      yaml_value: client-ca-bundle.crt
+    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'client-ca-bundle.crt'
 
 - name: Copy current OpenShift CA to legacy directory
   hosts: oo_masters_to_config
@@ -155,6 +157,7 @@
     - ca.key
     - ca-bundle.crt
     - ca.serial.txt
+    - client-ca-bundle.crt
     delegate_to: "{{ openshift_ca_host }}"
     run_once: true
     changed_when: false
@@ -173,6 +176,7 @@
     - ca.key
     - ca-bundle.crt
     - ca.serial.txt
+    - client-ca-bundle.crt
   - name: Update master client kubeconfig CA data
     kubeclient_ca:
       client_path: "{{ openshift.common.config_base }}/master/openshift-master.kubeconfig"
diff --git a/playbooks/common/openshift-master/revert-client-ca.yml b/playbooks/common/openshift-master/revert-client-ca.yml
new file mode 100644
index 000000000..9ae23bf5b
--- /dev/null
+++ b/playbooks/common/openshift-master/revert-client-ca.yml
@@ -0,0 +1,17 @@
+---
+- name: Set servingInfo.clientCA = ca.crt in master config
+  hosts: oo_masters_to_config
+  tasks:
+  - name: Read master config
+    slurp:
+      src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+    register: g_master_config_output
+
+  # servingInfo.clientCA may be set as the client-ca-bundle.crt from
+  # CA redeployment and this task reverts that change.
+  - name: Set servingInfo.clientCA = ca.crt in master config
+    modify_yaml:
+      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+      yaml_key: servingInfo.clientCA
+      yaml_value: ca.crt
+    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt'
author	OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>	2017-11-06 19:39:48 -0800
committer	GitHub <noreply@github.com>	2017-11-06 19:39:48 -0800
commit	7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1 (patch)
tree	9e30cba6a3aba2ac02f8411b1f5deba115ece8e8 /playbooks
parent	3d1677e3e2db0cac168e9cdec692506ed86f32d2 (diff)
parent	89fcbb72447ab74b440c15d1e35a1dd10cef1c49 (diff)
download	openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.gz openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.bz2 openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.tar.xz openshift-7b2afd71ea20e5e6a5f38f02f65b3202c78fabb1.zip