From 3e5d38caf39d53c917a78542a04ebb6a109e7e6f Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Tue, 13 Sep 2016 16:33:26 -0400
Subject: [upgrade] Create/configure service signer cert when missing.

---
 .../upgrades/create_service_signer_cert.yml        | 69 ++++++++++++++++++++++
 .../common/openshift-cluster/upgrades/upgrade.yml  | 24 +++++++-
 .../upgrades/v3_3/master_config_upgrade.yml        | 10 ++++
 3 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml

(limited to 'playbooks')

diff --git a/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
new file mode 100644
index 000000000..e8a20aa2b
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
@@ -0,0 +1,69 @@
+---
+- name: Create local temp directory for syncing certs
+  hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
+  tasks:
+  - name: Create local temp directory for syncing certs
+    local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+    register: local_cert_sync_tmpdir
+    changed_when: false
+
+- name: Create service signer certificate
+  hosts: oo_first_master
+  tasks:
+  - name: Create remote temp directory for creating certs
+    command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+    register: remote_cert_create_tmpdir
+    changed_when: false
+
+  - name: Create service signer certificate
+    command: >
+      {{ openshift.common.admin_binary }} ca create-signer-cert
+      --cert=service-signer.crt
+      --key=service-signer.key
+      --name=openshift-service-serving-signer
+      --serial=service-signer.serial.txt
+    args:
+      chdir: "{{ remote_cert_create_tmpdir.stdout }}/"
+
+  - name: Retrieve service signer certificate
+    fetch:
+      src: "{{ remote_cert_create_tmpdir.stdout }}/{{ item }}"
+      dest: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/"
+      flat: yes
+      fail_on_missing: yes
+      validate_checksum: yes
+    with_items:
+    - "service-signer.crt"
+    - "service-signer.key"
+
+  - name: Delete remote temp directory
+    file:
+      name: "{{ remote_cert_create_tmpdir.stdout }}"
+      state: absent
+    changed_when: false
+
+- name: Deploy service signer certificate
+  hosts: oo_masters_to_config
+  tasks:
+  - name: Deploy service signer certificate
+    copy:
+      src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item }}"
+      dest: "{{ openshift.common.config_base }}/master/"
+    with_items:
+    - "service-signer.crt"
+    - "service-signer.key"
+
+- name: Delete local temp directory
+  hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
+  tasks:
+  - name: Delete local temp directory
+    file:
+      name: "{{ local_cert_sync_tmpdir.stdout }}"
+      state: absent
+    changed_when: false
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
index e8bf133e6..ba4fc63be 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
@@ -34,7 +34,7 @@
 ###############################################################################
 # Upgrade Masters
 ###############################################################################
-- name: Upgrade master
+- name: Upgrade master packages
   hosts: oo_masters_to_config
   handlers:
   - include: ../../../../roles/openshift_master/handlers/main.yml
@@ -45,6 +45,28 @@
   - include: rpm_upgrade.yml component=master
     when: not openshift.common.is_containerized | bool
 
+- name: Determine if service signer cert must be created
+  hosts: oo_first_master
+  tasks:
+  - name: Determine if service signer certificate must be created
+    stat:
+      path: "{{ openshift.common.config_base }}/master/service-signer.crt"
+    register: service_signer_cert_stat
+    changed_when: false
+
+# Create service signer cert when missing. Service signer certificate
+# is added to master config in the master config hook for v3_3.
+- include: create_service_signer_cert.yml
+  when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
+
+- name: Upgrade master config and systemd units
+  hosts: oo_masters_to_config
+  handlers:
+  - include: ../../../../roles/openshift_master/handlers/main.yml
+    static: yes
+  roles:
+  - openshift_facts
+  tasks:
   - include: "{{ master_config_hook }}"
     when: master_config_hook is defined
 
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
index 641e7cafc..684eea343 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
@@ -38,3 +38,13 @@
     dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
     yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.qps'
     yaml_value: 300
+
+- modify_yaml:
+    dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+    yaml_key: 'controllerConfig.servicesServingCert.signer.certFile'
+    yaml_value: service-signer.crt
+
+- modify_yaml:
+    dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+    yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile'
+    yaml_value: service-signer.key
-- 
cgit v1.2.1