From 3bd5ae21adbc1d5b3e5063408e30bb5adb14ba53 Mon Sep 17 00:00:00 2001
From: Andrew Butcher
Date: Mon, 25 Jul 2016 12:04:25 -0400
Subject: Support for redeploying certificates.

---
 roles/openshift_ca/tasks/main.yml | 63 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 60 insertions(+), 3 deletions(-)

(limited to 'roles/openshift_ca')
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index e1bf7dcad..bb89b65a6 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -3,6 +3,10 @@
 msg: "openshift_ca_host variable must be defined for this role"
 when: openshift_ca_host is not defined
 
+- fail:
+ msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate"
+ when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate)
+
 - name: Install the base package for admin tooling
 action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
 when: not openshift.common.is_containerized | bool
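Review bot: The new `fail` guard only checks that the `certfile` and `keyfile` keys are present, so a value such as `{certfile: '', keyfile: ''}` passes validation and the problem would only surface later, when the `Deploy master ca certificate` task in the next hunk tries to copy an empty `src`, with a far less specific message. Rejecting empty values at the role entry keeps the clear error, e.g. `when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate or not openshift_master_ca_certificate.certfile or not openshift_master_ca_certificate.keyfile)`. Because Jinja's `or` short-circuits, the attribute lookups are only evaluated once both key-presence checks have passed.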
@@ -35,9 +39,43 @@
 run_once: true
 
 - set_fact:
- master_ca_missing: "{{ False in (g_master_ca_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
+ master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
+ else False in (g_master_ca_stat_result.results
+ | oo_collect(attribute='stat.exists')
+ | list) }}"
+ run_once: true
+
+- name: Retain original serviceaccount keys
+ copy:
+ src: "{{ item }}"
+ dest: "{{ item }}.keep"
+ remote_src: true
+ with_items:
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+ when: openshift_certificates_redeploy | default(false) | bool
+
+- name: Deploy master ca certificate
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}"
+ force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}"
+ with_items:
+ - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}"
+ dest: ca.crt
+ - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}"
+ dest: ca.key
+ when: openshift_master_ca_certificate is defined
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Create ca serial
+ copy:
+ content: "1"
+ dest: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+ force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}"
+ when: openshift_master_ca_certificate is defined
+ delegate_to: "{{ openshift_ca_host }}"
 run_once: true
 
 - name: Create the master certificates if they do not already exist
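Review bot: `Deploy master ca certificate` writes `ca.key` to the CA host with no `mode`, so the CA private key is created with whatever `copy` and the remote umask default to instead of an owner-only mode. A per-item mode keeps the certificate readable and the key restricted: add `mode: "{{ item.mode }}"` under `copy:`, then `mode: "0644"` on the `ca.crt` item and `mode: "0600"` on the `ca.key` item. Separately, `Create ca serial` resets `ca.serial.txt` to `"1"` whenever `openshift_certificates_redeploy` is set, while `ca.crt`/`ca.key` are only overwritten when `openshift_certificates_redeploy_ca` is set; if the existing CA is kept and certificates are then reissued by the task that follows (its body is outside the hunk), restarting at serial 1 can hand out serial numbers that CA has already issued, which violates X.509 serial uniqueness and confuses revocation checks. Keying the serial reset to `openshift_certificates_redeploy_ca`, or resetting it only when the CA files themselves were replaced, would avoid that.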
@@ -54,3 +92,22 @@
 when: master_ca_missing | bool
 delegate_to: "{{ openshift_ca_host }}"
 run_once: true
+
+- name: Restore original serviceaccount keys
+ copy:
+ src: "{{ item }}.keep"
+ dest: "{{ item }}"
+ remote_src: true
+ with_items:
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+ when: openshift_certificates_redeploy | default(false) | bool
+
+- name: Remove backup serviceaccount keys
+ file:
+ path: "{{ item }}.keep"
+ state: absent
+ with_items:
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key"
+ - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key"
+ when: openshift_certificates_redeploy | default(false) | bool
--
cgit v1.2.1
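Review bot: `Restore original serviceaccount keys` copies `serviceaccounts.private.key` back from its `.keep` copy with `remote_src: true` and no `mode` or `owner`, so the permissions of the restored private key follow the module's defaults rather than the original file's; how `copy` with `remote_src` treats the mode here depends on the Ansible version in use, so this is worth confirming, and an explicit `mode: "0600"` on the private-key item (and on the `.keep` copy made in `Retain original serviceaccount keys` in the previous hunk) removes the doubt. The same two-path list is repeated verbatim in `Retain`, `Restore` and `Remove backup serviceaccount keys`; defining it once in the role's defaults or vars, e.g. `openshift_ca_serviceaccount_keys:` (a proposed name), and using `with_items: "{{ openshift_ca_serviceaccount_keys }}"` in all three tasks keeps them from drifting apart. The `.keep` copies hold private key material between `Retain` and `Remove backup`, so if the play aborts in between they stay on disk; that is acceptable as a recovery aid, but is another reason to give them a restrictive mode.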