diff options
46 files changed, 177 insertions, 45 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 867baf141..9a8ce8a69 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.6.11-1 ./ +3.6.12-1 ./ diff --git a/inventory/byo/hosts.openstack b/inventory/byo/hosts.openstack index ea7e905cb..c648078c4 100644 --- a/inventory/byo/hosts.openstack +++ b/inventory/byo/hosts.openstack @@ -15,7 +15,7 @@ ansible_become=yes # Debug level for all OpenShift components (Defaults to 2) debug_level=2 -deployment_type=openshift-enterprise +openshift_deployment_type=openshift-enterprise openshift_additional_repos=[{'id': 'ose-3.1', 'name': 'ose-3.1', 'baseurl': 'http://pulp.dist.prod.ext.phx2.redhat.com/content/dist/rhel/server/7/7Server/x86_64/ose/3.1/os', 'enabled': 1, 'gpgcheck': 0}] diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index 7e58eb543..d61f033f8 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -23,7 +23,7 @@ ansible_ssh_user=root debug_level=2 # deployment type valid values are origin, online, atomic-enterprise and openshift-enterprise -deployment_type=origin +openshift_deployment_type=origin # Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we # rely on the version running on the first master. Works best for containerized installs where we can usually @@ -388,6 +388,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # based on the number of nodes matching the openshift registry selector. #openshift_hosted_registry_replicas=2 # +# Validity of the auto-generated certificate in days (optional) +#openshift_hosted_registry_cert_expire_days=730 +# # Disable management of the OpenShift Registry #openshift_hosted_manage_registry=false @@ -754,6 +757,13 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # by deployment_type=origin #openshift_enable_origin_repo=false +# Validity of the auto-generated certificates in days. +# See also openshift_hosted_registry_cert_expire_days above. +# +#openshift_ca_cert_expire_days=1825 +#openshift_node_cert_expire_days=730 +#openshift_master_cert_expire_days=730 + # host group for masters [masters] ose3-master[1:3]-ansible.test.example.com diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 3002feac2..823d6f58f 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -23,7 +23,7 @@ ansible_ssh_user=root debug_level=2 # deployment type valid values are origin, online, atomic-enterprise, and openshift-enterprise -deployment_type=openshift-enterprise +openshift_deployment_type=openshift-enterprise # Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we # rely on the version running on the first master. Works best for containerized installs where we can usually @@ -388,6 +388,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # based on the number of nodes matching the openshift registry selector. #openshift_hosted_registry_replicas=2 # +# Validity of the auto-generated certificate in days (optional) +#openshift_hosted_registry_cert_expire_days=730 +# # Disable management of the OpenShift Registry #openshift_hosted_manage_registry=false @@ -751,6 +754,13 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Enable API service auditing, available as of 3.2 #openshift_master_audit_config={"basicAuditEnabled": true} +# Validity of the auto-generated certificates in days. +# See also openshift_hosted_registry_cert_expire_days above. +# +#openshift_ca_cert_expire_days=1825 +#openshift_node_cert_expire_days=730 +#openshift_master_cert_expire_days=730 + # host group for masters [masters] ose3-master[1:3]-ansible.test.example.com diff --git a/openshift-ansible.spec b/openshift-ansible.spec index e0cd9c097..c25c152df 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -9,7 +9,7 @@ %global __requires_exclude ^/usr/bin/ansible-playbook$ Name: openshift-ansible -Version: 3.6.11 +Version: 3.6.12 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -270,6 +270,23 @@ Atomic OpenShift Utilities includes %changelog +* Thu Mar 30 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.12-1 +- Update example inventory files to mention certificate validity parameters. + (vsemushi@redhat.com) +- openshift_hosted: add openshift_hosted_registry_cert_expire_days parameter. + (vsemushi@redhat.com) +- oc_adm_ca_server_cert.py: re-generate. (vsemushi@redhat.com) +- oc_adm_ca_server_cert: add expire_days parameter. (vsemushi@redhat.com) +- openshift_ca: add openshift_ca_cert_expire_days and + openshift_master_cert_expire_days parameters. (vsemushi@redhat.com) +- redeploy-certificates/registry.yml: add + openshift_hosted_registry_cert_expire_days parameter. (vsemushi@redhat.com) +- openshift_master_certificates: add openshift_master_cert_expire_days + parameter. (vsemushi@redhat.com) +- openshift_node_certificates: add openshift_node_cert_expire_days parameter. + (vsemushi@redhat.com) +- Update Dockerfile.rhel7 to reflect changes to Dockerfile (pep@redhat.com) + * Wed Mar 29 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.11-1 - Add etcd_debug and etcd_log_package_levels variables (sdodson@redhat.com) - Make the OCP available version detection excluder free (jchaloup@redhat.com) diff --git a/playbooks/byo/openshift-cluster/config.yml b/playbooks/byo/openshift-cluster/config.yml index 86eff4ca4..4db0720d0 100644 --- a/playbooks/byo/openshift-cluster/config.yml +++ b/playbooks/byo/openshift-cluster/config.yml @@ -7,5 +7,4 @@ vars: openshift_cluster_id: "{{ cluster_id | default('default') }}" openshift_debug_level: "{{ debug_level | default(2) }}" - openshift_deployment_type: "{{ deployment_type }}" openshift_deployment_subtype: "{{ deployment_subtype | default(none) }}" diff --git a/playbooks/byo/openshift-cluster/openshift-logging.yml b/playbooks/byo/openshift-cluster/openshift-logging.yml index eebfcd20d..f8eebe898 100644 --- a/playbooks/byo/openshift-cluster/openshift-logging.yml +++ b/playbooks/byo/openshift-cluster/openshift-logging.yml @@ -32,4 +32,3 @@ vars: openshift_cluster_id: "{{ cluster_id | default('default') }}" openshift_debug_level: "{{ debug_level | default(2) }}" - openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/byo/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/docker/upgrade.yml index d5fd7c424..5feb33be4 100644 --- a/playbooks/byo/openshift-cluster/upgrades/docker/upgrade.yml +++ b/playbooks/byo/openshift-cluster/upgrades/docker/upgrade.yml @@ -30,7 +30,6 @@ g_new_master_hosts: [] g_new_node_hosts: [] openshift_cluster_id: "{{ cluster_id | default('default') }}" - openshift_deployment_type: "{{ deployment_type }}" - include: ../../../../common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml diff --git a/playbooks/byo/openshift-etcd/restart.yml b/playbooks/byo/openshift-etcd/restart.yml index 6713f07e3..19403116d 100644 --- a/playbooks/byo/openshift-etcd/restart.yml +++ b/playbooks/byo/openshift-etcd/restart.yml @@ -4,5 +4,3 @@ - always - include: ../../common/openshift-etcd/restart.yml - vars: - openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/byo/openshift-master/restart.yml b/playbooks/byo/openshift-master/restart.yml index 2d20f69f4..21e4cff1b 100644 --- a/playbooks/byo/openshift-master/restart.yml +++ b/playbooks/byo/openshift-master/restart.yml @@ -4,5 +4,3 @@ - always - include: ../../common/openshift-master/restart.yml - vars: - openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/byo/openshift-master/scaleup.yml b/playbooks/byo/openshift-master/scaleup.yml index 7075bb59e..a5705e990 100644 --- a/playbooks/byo/openshift-master/scaleup.yml +++ b/playbooks/byo/openshift-master/scaleup.yml @@ -27,4 +27,3 @@ vars: openshift_cluster_id: "{{ cluster_id | default('default') }}" openshift_debug_level: "{{ debug_level | default(2) }}" - openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/byo/openshift-node/restart.yml b/playbooks/byo/openshift-node/restart.yml index 3985a83bb..6861625b9 100644 --- a/playbooks/byo/openshift-node/restart.yml +++ b/playbooks/byo/openshift-node/restart.yml @@ -4,5 +4,3 @@ - always - include: ../../common/openshift-node/restart.yml - vars: - openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/byo/openshift-node/scaleup.yml b/playbooks/byo/openshift-node/scaleup.yml index 2b10b6c76..88d236b53 100644 --- a/playbooks/byo/openshift-node/scaleup.yml +++ b/playbooks/byo/openshift-node/scaleup.yml @@ -27,6 +27,5 @@ vars: openshift_cluster_id: "{{ cluster_id | default('default') }}" openshift_debug_level: "{{ debug_level | default(2) }}" - openshift_deployment_type: "{{ deployment_type }}" openshift_master_etcd_hosts: "{{ groups.etcd | default([]) }}" openshift_master_etcd_port: 2379 diff --git a/playbooks/byo/rhel_subscribe.yml b/playbooks/byo/rhel_subscribe.yml index 65c0b1c01..8c6d77024 100644 --- a/playbooks/byo/rhel_subscribe.yml +++ b/playbooks/byo/rhel_subscribe.yml @@ -5,8 +5,6 @@ - name: Subscribe hosts, update repos and update OS packages hosts: l_oo_all_hosts - vars: - openshift_deployment_type: "{{ deployment_type }}" roles: - role: rhel_subscribe when: deployment_type in ['atomic-enterprise', 'enterprise', 'openshift-enterprise'] and diff --git a/playbooks/common/openshift-cluster/enable_dnsmasq.yml b/playbooks/common/openshift-cluster/enable_dnsmasq.yml index ca5177852..5425f448f 100644 --- a/playbooks/common/openshift-cluster/enable_dnsmasq.yml +++ b/playbooks/common/openshift-cluster/enable_dnsmasq.yml @@ -56,8 +56,6 @@ - role: node local_facts: dns_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}" - vars: - openshift_deployment_type: "{{ deployment_type }}" roles: - openshift_node_dnsmasq post_tasks: diff --git a/playbooks/common/openshift-cluster/initialize_facts.yml b/playbooks/common/openshift-cluster/initialize_facts.yml index 18f99728c..9cebecd68 100644 --- a/playbooks/common/openshift-cluster/initialize_facts.yml +++ b/playbooks/common/openshift-cluster/initialize_facts.yml @@ -15,5 +15,3 @@ hostname: "{{ openshift_hostname | default(None) }}" - set_fact: openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" - - set_fact: - openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml index 08ebfe735..e82996cf4 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml @@ -69,6 +69,9 @@ --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}" --cert={{ openshift.common.config_base }}/master/registry.crt --key={{ openshift.common.config_base }}/master/registry.key + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_hosted_registry_cert_expire_days | default(730) }} + {% endif %} - name: Update registry certificates secret oc_secret: diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml index 078991b12..74cc1d527 100644 --- a/playbooks/common/openshift-cluster/std_include.yml +++ b/playbooks/common/openshift-cluster/std_include.yml @@ -22,8 +22,6 @@ - always tasks: - include_vars: ../../byo/openshift-cluster/cluster_hosts.yml - - set_fact: - openshift_deployment_type: "{{ deployment_type }}" - include: evaluate_groups.yml tags: diff --git a/playbooks/common/openshift-cluster/update_repos_and_packages.yml b/playbooks/common/openshift-cluster/update_repos_and_packages.yml index b83e4d821..be956fca5 100644 --- a/playbooks/common/openshift-cluster/update_repos_and_packages.yml +++ b/playbooks/common/openshift-cluster/update_repos_and_packages.yml @@ -3,8 +3,6 @@ - name: Subscribe hosts, update repos and update OS packages hosts: oo_hosts_to_update - vars: - openshift_deployment_type: "{{ deployment_type }}" roles: # Explicitly calling openshift_facts because it appears that when # rhel_subscribe is skipped that the openshift_facts dependency for diff --git a/playbooks/common/openshift-cluster/upgrades/init.yml b/playbooks/common/openshift-cluster/upgrades/init.yml index a3b8c489e..bcbc4ee02 100644 --- a/playbooks/common/openshift-cluster/upgrades/init.yml +++ b/playbooks/common/openshift-cluster/upgrades/init.yml @@ -29,7 +29,6 @@ g_new_master_hosts: [] g_new_node_hosts: [] openshift_cluster_id: "{{ cluster_id | default('default') }}" - openshift_deployment_type: "{{ deployment_type }}" - name: Set oo_options hosts: oo_all_hosts diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml index 6f096f705..c00795a8d 100644 --- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml @@ -5,7 +5,6 @@ - name: Upgrade default router and default registry hosts: oo_first_master vars: - openshift_deployment_type: "{{ deployment_type }}" registry_image: "{{ openshift.master.registry_url | replace( '${component}', 'docker-registry' ) | replace ( '${version}', openshift_image_tag ) }}" router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', openshift_image_tag ) }}" oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig" diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index af1d13fe1..afe026099 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -130,6 +130,12 @@ options: required: false default: True aliases: [] + expire_days: + description + - Validity of the certificate in days + required: false + default: None + aliases: [] author: - "Kenny Woodson <kwoodson@redhat.com>" extends_documentation_fragment: [] @@ -1480,6 +1486,7 @@ class CAServerCert(OpenShiftCLI): 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, 'signer_serial': {'value': params['signer_serial'], 'include': True}, + 'expire_days': {'value': params['expire_days'], 'include': True}, 'backup': {'value': params['backup'], 'include': False}, }) @@ -1538,6 +1545,7 @@ def main(): signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), + expire_days=dict(default=None, type='int'), ), supports_check_mode=True, ) diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py index c80c2eb44..10f1c9b4b 100644 --- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py @@ -20,6 +20,7 @@ def main(): signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), + expire_days=dict(default=None, type='int'), ), supports_check_mode=True, ) diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index 18c69f2fa..fa0c4e3af 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -102,6 +102,7 @@ class CAServerCert(OpenShiftCLI): 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, 'signer_serial': {'value': params['signer_serial'], 'include': True}, + 'expire_days': {'value': params['expire_days'], 'include': True}, 'backup': {'value': params['backup'], 'include': False}, }) diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index ff9229281..7f2be4ada 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -79,6 +79,12 @@ options: required: false default: True aliases: [] + expire_days: + description + - Validity of the certificate in days + required: false + default: None + aliases: [] author: - "Kenny Woodson <kwoodson@redhat.com>" extends_documentation_fragment: [] diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md index 96c9cd5f2..dfbe81c6c 100644 --- a/roles/openshift_ca/README.md +++ b/roles/openshift_ca/README.md @@ -19,6 +19,8 @@ From this role: | openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. | | openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. | | openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. | +| openshift_master_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | +| openshift_ca_cert_expire_days | `1825` (5 years) | Validity of the CA certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | Dependencies ------------ diff --git a/roles/openshift_ca/defaults/main.yml b/roles/openshift_ca/defaults/main.yml new file mode 100644 index 000000000..ecfcc88b3 --- /dev/null +++ b/roles/openshift_ca/defaults/main.yml @@ -0,0 +1,3 @@ +--- +openshift_ca_cert_expire_days: 1825 +openshift_master_cert_expire_days: 730 diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index 70c2a9121..3b17d9ed6 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -88,7 +88,7 @@ # This should NOT replace the CA due to --overwrite=false when a CA already exists. - name: Create the master certificates if they do not already exist command: > - {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-master-certs + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} @@ -99,6 +99,10 @@ --master={{ openshift.master.api_url }} --public-master={{ openshift.master.public_api_url }} --cert-dir={{ openshift_ca_config_dir }} + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + --signer-expire-days={{ openshift_ca_cert_expire_days }} + {% endif %} --overwrite=false when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool delegate_to: "{{ openshift_ca_host }}" diff --git a/roles/openshift_facts/meta/main.yml b/roles/openshift_facts/meta/main.yml index 0be3afd24..7eead2d6e 100644 --- a/roles/openshift_facts/meta/main.yml +++ b/roles/openshift_facts/meta/main.yml @@ -12,4 +12,5 @@ galaxy_info: categories: - cloud - system -dependencies: [] +dependencies: +- role: openshift_sanitize_inventory diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 73c668c72..93972f0e0 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -64,8 +64,7 @@ role: common local_facts: debug_level: "{{ openshift_debug_level | default(2) }}" - # TODO: Deprecate deployment_type in favor of openshift_deployment_type - deployment_type: "{{ openshift_deployment_type | default(deployment_type) }}" + deployment_type: "{{ openshift_deployment_type }}" deployment_subtype: "{{ openshift_deployment_subtype | default(None) }}" cluster_id: "{{ openshift_cluster_id | default('default') }}" hostname: "{{ openshift_hostname | default(None) }}" diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md index 328f800bf..6d576df71 100644 --- a/roles/openshift_hosted/README.md +++ b/roles/openshift_hosted/README.md @@ -26,6 +26,7 @@ From this role: | openshift_hosted_registry_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift registry on. | | openshift_hosted_registry_replicas | Number of nodes matching selector | The number of replicas to configure. | | openshift_hosted_registry_selector | region=infra | Node selector used when creating registry. The OpenShift registry will only be deployed to nodes matching this selector. | +| openshift_hosted_registry_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | Dependencies ------------ diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml index 32bcd8d08..d73f339f7 100644 --- a/roles/openshift_hosted/defaults/main.yml +++ b/roles/openshift_hosted/defaults/main.yml @@ -28,3 +28,4 @@ openshift_hosted_routers: openshift_hosted_router_certificates: {} +openshift_hosted_registry_cert_expire_days: 730 diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index f9ea2ebeb..8a159bf73 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml @@ -57,6 +57,7 @@ - "{{ docker_registry_route_hostname }}" cert: "{{ openshift_master_config_dir }}/registry.crt" key: "{{ openshift_master_config_dir }}/registry.key" + expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}" register: server_cert_out - name: Create the secret for the registry certificates diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md index a80d47040..4758bbdfb 100644 --- a/roles/openshift_master_certificates/README.md +++ b/roles/openshift_master_certificates/README.md @@ -21,6 +21,7 @@ From this role: |---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| | openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. | | openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. | +| openshift_master_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | | openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. | | openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. | diff --git a/roles/openshift_master_certificates/defaults/main.yml b/roles/openshift_master_certificates/defaults/main.yml new file mode 100644 index 000000000..dba62c4ec --- /dev/null +++ b/roles/openshift_master_certificates/defaults/main.yml @@ -0,0 +1,2 @@ +--- +openshift_master_cert_expire_days: 730 diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 61541acb8..d4c9a96ca 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -57,6 +57,9 @@ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }} --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + {% endif %} --signer-cert={{ openshift_ca_cert }} --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} @@ -84,6 +87,9 @@ --signer-serial={{ openshift_ca_serial }} --user=system:openshift-master --basename=openshift-master + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + {% endif %} args: creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig" with_items: "{{ hostvars diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md index f4215950f..fef2f0783 100644 --- a/roles/openshift_node_certificates/README.md +++ b/roles/openshift_node_certificates/README.md @@ -23,6 +23,7 @@ From this role: |-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| | openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. | | openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. | +| openshift_node_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | | openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. | | openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. | diff --git a/roles/openshift_node_certificates/defaults/main.yml b/roles/openshift_node_certificates/defaults/main.yml new file mode 100644 index 000000000..70a38b844 --- /dev/null +++ b/roles/openshift_node_certificates/defaults/main.yml @@ -0,0 +1,2 @@ +--- +openshift_node_cert_expire_days: 730 diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 4cb89aba2..9120915b2 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -66,6 +66,9 @@ --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} --user=system:node:{{ hostvars[item].openshift.common.hostname }} + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_node_cert_expire_days }} + {% endif %} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}" with_items: "{{ hostvars @@ -79,6 +82,9 @@ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_node_cert_expire_days }} + {% endif %} --overwrite=true --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }} --signer-cert={{ openshift_ca_cert }} diff --git a/roles/openshift_repos/meta/main.yml b/roles/openshift_repos/meta/main.yml index cc18c453c..1b043863b 100644 --- a/roles/openshift_repos/meta/main.yml +++ b/roles/openshift_repos/meta/main.yml @@ -11,4 +11,5 @@ galaxy_info: - 7 categories: - cloud -dependencies: [] +dependencies: +- role: openshift_sanitize_inventory diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index ffb760bfe..84a0905cc 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -4,10 +4,6 @@ path: /run/ostree-booted register: ostree_booted -- assert: - that: openshift_deployment_type in known_openshift_deployment_types - msg: "openshift_deployment_type must be one of {{ known_openshift_deployment_types }}" - - block: - name: Ensure libselinux-python is installed package: name=libselinux-python state=present diff --git a/roles/openshift_sanitize_inventory/README.md b/roles/openshift_sanitize_inventory/README.md new file mode 100644 index 000000000..23f6b84fc --- /dev/null +++ b/roles/openshift_sanitize_inventory/README.md @@ -0,0 +1,37 @@ +OpenShift Inventory +=================== + +Provides a role to validate and normalize the variables the user has +provided. This role should run before pretty much everything else so that +this kind of logic only has to be in one place. However, complicated +business logic should usually be left to other roles. + +Requirements +------------ + +None + +Role Variables +-------------- + +None + +Dependencies +------------ + +None + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License, Version 2.0 + +Author Information +------------------ + +OpenShift dev (dev@lists.openshift.redhat.com) diff --git a/roles/openshift_sanitize_inventory/meta/main.yml b/roles/openshift_sanitize_inventory/meta/main.yml new file mode 100644 index 000000000..f5b37186e --- /dev/null +++ b/roles/openshift_sanitize_inventory/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift dev + description: + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.8 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: [] diff --git a/roles/openshift_sanitize_inventory/tasks/main.yml b/roles/openshift_sanitize_inventory/tasks/main.yml new file mode 100644 index 000000000..fc562c42c --- /dev/null +++ b/roles/openshift_sanitize_inventory/tasks/main.yml @@ -0,0 +1,28 @@ +--- +- name: Standardize on latest variable names + no_log: True # keep task description legible + set_fact: + # goal is to deprecate deployment_type in favor of openshift_deployment_type. + # both will be accepted for now, but code should refer to the new name. + # TODO: once this is well-documented, add deprecation notice if using old name. + deployment_type: "{{ openshift_deployment_type | default(deployment_type) | default | string }}" + openshift_deployment_type: "{{ openshift_deployment_type | default(deployment_type) | default | string }}" + +- name: Normalize openshift_release + no_log: True # keep task description legible + set_fact: + # Normalize release if provided, e.g. "v3.5" => "3.5" + # Currently this is not required to be defined for all installs, and the + # `openshift_version` role can generally figure out the specific version + # that gets installed (e.g. 3.5.0.1). So consider this the user's expressed + # intent (if any), not the authoritative version that will be installed. + openshift_release: "{{ openshift_release | string | regex_replace('^v', '') }}" + when: openshift_release is defined + +- name: Ensure a valid deployment type has been given. + # this variable is required; complain early and clearly if it is invalid. + when: openshift_deployment_type not in known_openshift_deployment_types + fail: + msg: |- + Please set openshift_deployment_type to one of: + {{ known_openshift_deployment_types | join(', ') }} diff --git a/roles/openshift_repos/vars/main.yml b/roles/openshift_sanitize_inventory/vars/main.yml index da48e42c1..da48e42c1 100644 --- a/roles/openshift_repos/vars/main.yml +++ b/roles/openshift_sanitize_inventory/vars/main.yml diff --git a/roles/openshift_version/tasks/main.yml b/roles/openshift_version/tasks/main.yml index 0f2a660a7..35953b744 100644 --- a/roles/openshift_version/tasks/main.yml +++ b/roles/openshift_version/tasks/main.yml @@ -13,14 +13,6 @@ # Normalize some values that we need in a certain format that might be confusing: - set_fact: - openshift_release: "{{ openshift_release[1:] }}" - when: openshift_release is defined and openshift_release[0] == 'v' - -- set_fact: - openshift_release: "{{ openshift_release | string }}" - when: openshift_release is defined - -- set_fact: openshift_image_tag: "{{ 'v' + openshift_image_tag }}" when: openshift_image_tag is defined and openshift_image_tag[0] != 'v' and openshift_image_tag != 'latest' |