summaryrefslogtreecommitdiffstats
path: root/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
diff options
context:
space:
mode:
Diffstat (limited to 'playbooks/common/openshift-cluster/redeploy-certificates/router.yml')
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/router.yml79
1 files changed, 79 insertions, 0 deletions
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
new file mode 100644
index 000000000..03d64685d
--- /dev/null
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
@@ -0,0 +1,79 @@
+---
+- name: Update router certificates
+ hosts: oo_first_master
+ vars:
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ changed_when: false
+
+ - name: Copy admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+ changed_when: false
+
+ - name: Determine if router exists
+ command: >
+ {{ openshift.common.client_binary }} get dc/router -o json
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n default
+ register: l_router_dc
+ failed_when: false
+ changed_when: false
+
+ - set_fact:
+ router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
+ | oo_collect('name'))
+ | default([]) }}"
+ router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes']
+ | oo_collect('secret')
+ | oo_collect('secretName'))
+ | default([]) }}"
+ changed_when: false
+ when: l_router_dc.rc == 0
+
+ - name: Update router environment variables
+ shell: >
+ {{ openshift.common.client_binary }} env dc/router
+ OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
+ OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
+ OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n default
+ when: l_router_dc.rc == 0 and 'OPENSHIFT_CA_DATA' in router_env_vars and 'OPENSHIFT_CERT_DATA' in router_env_vars and 'OPENSHIFT_KEY_DATA' in router_env_vars
+
+ - block:
+ - name: Generate router certificate
+ command: >
+ {{ openshift.common.client_binary }} adm ca create-server-cert
+ --hostnames=router.default.svc,router.default.svc.cluster.local
+ --signer-cert={{ openshift.common.config_base }}/master/service-signer.crt
+ --signer-key={{ openshift.common.config_base }}/master/service-signer.key
+ --signer-serial={{ openshift.common.config_base }}/master/ca.serial.txt
+ --cert={{ mktemp.stdout }}/tls.crt
+ --key={{ mktemp.stdout }}/tls.key
+
+ - name: Update router certificates secret
+ shell: >
+ {{ openshift.common.client_binary }} secret new router-certs
+ {{ mktemp.stdout }}/tls.crt
+ {{ mktemp.stdout }}/tls.key
+ --type=kubernetes.io/tls
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n default
+ -o json | oc replace -f -
+ when: l_router_dc.rc == 0 and 'router-certs' in router_secrets
+
+ - name: Redeploy router
+ command: >
+ {{ openshift.common.client_binary }} deploy dc/router
+ --latest
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n default
+
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
generated by cgit v1.2.1 (git 2.18.0) at 2024-05-20 16:02:55 +0000