--- - fail: msg: "openshift_ca_host variable must be defined for this role" when: openshift_ca_host is not defined - fail: msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate" when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate) - name: Install the base package for admin tooling action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" when: not openshift.common.is_containerized | bool register: install_result delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Reload generated facts openshift_facts: when: install_result | changed delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Create openshift_ca_config_dir if it does not exist file: path: "{{ openshift_ca_config_dir }}" state: directory delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Determine if CA must be created stat: path: "{{ openshift_ca_config_dir }}/{{ item }}" register: g_master_ca_stat_result with_items: - ca-bundle.crt - ca.crt - ca.key delegate_to: "{{ openshift_ca_host }}" run_once: true - set_fact: master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool else False in (g_master_ca_stat_result.results | oo_collect(attribute='stat.exists') | list) }}" run_once: true - name: Retain original serviceaccount keys copy: src: "{{ item }}" dest: "{{ item }}.keep" remote_src: true with_items: - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" when: openshift_certificates_redeploy | default(false) | bool - name: Deploy master ca certificate copy: src: "{{ item.src }}" dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}" force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}" with_items: - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}" dest: ca.crt - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}" dest: ca.key when: openshift_master_ca_certificate is defined delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Create ca serial copy: content: "1" dest: "{{ openshift_ca_config_dir }}/ca.serial.txt" force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}" when: openshift_master_ca_certificate is defined delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Create the master certificates if they do not already exist command: > {{ openshift.common.client_binary }} adm create-master-certs {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} --hostnames={{ openshift_master_hostnames | join(',') }} --master={{ openshift.master.api_url }} --public-master={{ openshift.master.public_api_url }} --cert-dir={{ openshift_ca_config_dir }} --overwrite=false when: master_ca_missing | bool delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Restore original serviceaccount keys copy: src: "{{ item }}.keep" dest: "{{ item }}" remote_src: true with_items: - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" when: openshift_certificates_redeploy | default(false) | bool - name: Remove backup serviceaccount keys file: path: "{{ item }}.keep" state: absent with_items: - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" when: openshift_certificates_redeploy | default(false) | bool