diff options
| author | Andrew Butcher <abutcher@redhat.com> | 2016-10-26 14:59:05 -0400 |
|---|---|---|
| committer | Andrew Butcher <abutcher@redhat.com> | 2017-02-02 15:29:11 -0500 |
| commit | 917e871843192b107776ce8459b87f3960e455ed (patch) | |
| tree | 08acb27fa87578137bb21917487c2521cd08aa82 /roles/openshift_ca | |
| parent | c9480811d2222693abe4460ca42c292b289a0ef4 (diff) | |
| download | openshift-917e871843192b107776ce8459b87f3960e455ed.tar.gz openshift-917e871843192b107776ce8459b87f3960e455ed.tar.bz2 openshift-917e871843192b107776ce8459b87f3960e455ed.tar.xz openshift-917e871843192b107776ce8459b87f3960e455ed.zip | |
Restructure certificate redeploy playbooks
Diffstat (limited to 'roles/openshift_ca')
| -rw-r--r-- | roles/openshift_ca/tasks/main.yml | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index e21397170..4efc77f11 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -41,10 +41,9 @@ run_once: true - set_fact: - master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool - else False in (g_master_ca_stat_result.results - | oo_collect(attribute='stat.exists') - | list) }}" + master_ca_missing: "{{ False in (g_master_ca_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" run_once: true - name: Retain original serviceaccount keys @@ -61,7 +60,6 @@ copy: src: "{{ item.src }}" dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}" - force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}" with_items: - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}" dest: ca.crt @@ -73,25 +71,35 @@ - name: Create ca serial copy: - content: "1" + content: "00" dest: "{{ openshift_ca_config_dir }}/ca.serial.txt" - force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}" + force: "{{ openshift_certificates_redeploy | default(false) | bool }}" when: openshift_master_ca_certificate is defined delegate_to: "{{ openshift_ca_host }}" run_once: true +- find: + paths: "{{ openshift.common.config_base }}/master/legacy-ca/" + patterns: ".*-ca.crt" + use_regex: true + register: g_master_legacy_ca_result + +# This should NOT replace the CA due to --overwrite=false when a CA already exists. - name: Create the master certificates if they do not already exist command: > {{ openshift.common.client_binary }} adm create-master-certs {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} + {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | oo_collect('path') %} + --certificate-authority {{ legacy_ca_certificate }} + {% endfor %} --hostnames={{ openshift.common.all_hostnames | join(',') }} --master={{ openshift.master.api_url }} --public-master={{ openshift.master.public_api_url }} --cert-dir={{ openshift_ca_config_dir }} --overwrite=false - when: master_ca_missing | bool + when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool delegate_to: "{{ openshift_ca_host }}" run_once: true |