diff options
author | Sylvain Baubeau <sbaubeau@redhat.com> | 2015-10-19 15:50:07 +0200 |
---|---|---|
committer | Sylvain Baubeau <sbaubeau@redhat.com> | 2015-10-27 17:42:57 +0100 |
commit | bb30f53935399fee9dcaf42664fe8678dd157ee1 (patch) | |
tree | ae0d03eda04aa53228efb157816b53eeb3a090e4 | |
parent | 490c50fe358a88d7ebdf3f473a2fb3131d6773c9 (diff) | |
download | openshift-bb30f53935399fee9dcaf42664fe8678dd157ee1.tar.gz openshift-bb30f53935399fee9dcaf42664fe8678dd157ee1.tar.bz2 openshift-bb30f53935399fee9dcaf42664fe8678dd157ee1.tar.xz openshift-bb30f53935399fee9dcaf42664fe8678dd157ee1.zip |
Generate etcd certificats for flannel when is not embedded
-rw-r--r-- | playbooks/common/openshift-node/config.yml | 70 | ||||
-rw-r--r-- | roles/flannel/defaults/main.yaml | 6 | ||||
-rw-r--r-- | roles/flannel_register/defaults/main.yaml | 2 |
3 files changed, 74 insertions, 4 deletions
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index e39e9164c..5f0f329c4 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -38,6 +38,21 @@ node_subdir: node-{{ openshift.common.hostname }} config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}" node_cert_dir: "{{ openshift.common.config_base }}/node" + - name: Check status of flannel external etcd certificates + stat: + path: "{{ openshift.common.config_base }}/node/{{ item }}" + with_items: + - node.etcd-client.crt + - node.etcd-ca.crt + register: g_external_etcd_flannel_cert_stat_result + - set_fact: + etcd_client_flannel_certs_missing: "{{ g_external_etcd_flannel_cert_stat_result.results + | map(attribute='stat.exists') + | list | intersect([false])}}" + etcd_cert_subdir: openshift-node-{{ openshift.common.hostname }} + etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" + etcd_cert_prefix: node.etcd- + when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config - name: Create temp directory for syncing certs hosts: localhost @@ -50,6 +65,60 @@ register: mktemp changed_when: False +- name: Configure flannel etcd certificates + hosts: oo_first_etcd + vars: + etcd_generated_certs_dir: /etc/etcd/generated_certs + etcd_needing_client_certs: "{{ hostvars + | oo_select_keys(groups['oo_nodes_to_config']) + | oo_filter_list(filter_attr='etcd_client_flannel_certs_missing') }}" + sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" + pre_tasks: + roles: + - role: etcd_certificates + post_tasks: + - name: Create a tarball of the etcd flannel certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz + -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . + args: + creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" + with_items: etcd_needing_client_certs + - name: Retrieve the etcd cert tarballs + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" + dest: "{{ sync_tmpdir }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + with_items: etcd_needing_client_certs + +- name: Copy the external etcd flannel certs to the nodes + hosts: oo_nodes_to_config + vars: + sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" + tasks: + - name: Ensure certificate directory exists + file: + path: "{{ openshift.common.config_base }}/node" + state: directory + when: etcd_client_flannel_certs_missing is defined and etcd_client_flannel_certs_missing + - name: Unarchive the tarball on the master + unarchive: + src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_cert_config_dir }}" + when: etcd_client_flannel_certs_missing is defined and etcd_client_flannel_certs_missing + - file: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - node.etcd-client.crt + - node.etcd-client.key + - node.etcd-ca.crt + when: etcd_client_flannel_certs_missing is defined and etcd_client_flannel_certs_missing + - name: Create node certificates hosts: oo_first_master vars: @@ -85,6 +154,7 @@ sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" + embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" pre_tasks: - name: Ensure certificate directory exists file: diff --git a/roles/flannel/defaults/main.yaml b/roles/flannel/defaults/main.yaml index a9acab634..34cebda9c 100644 --- a/roles/flannel/defaults/main.yaml +++ b/roles/flannel/defaults/main.yaml @@ -3,6 +3,6 @@ flannel_interface: "{{ ansible_default_ipv4.interface }}" flannel_etcd_key: /openshift.com/network etcd_hosts: "{{ etcd_urls }}" etcd_conf_dir: "{{ openshift.common.config_base }}/node" -etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt" -etcd_peer_cert_file: "{{ etcd_conf_dir }}/system:node:{{ openshift.common.hostname }}.crt" -etcd_peer_key_file: "{{ etcd_conf_dir }}/system:node:{{ openshift.common.hostname }}.key" +etcd_peer_ca_file: "{{ etcd_conf_dir }}/{{ 'ca' if (embedded_etcd | bool) else 'node.etcd-ca' }}.crt" +etcd_peer_cert_file: "{{ etcd_conf_dir }}/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'node.etcd-client' }}.crt" +etcd_peer_key_file: "{{ etcd_conf_dir }}/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'node.etcd-client' }}.key" diff --git a/roles/flannel_register/defaults/main.yaml b/roles/flannel_register/defaults/main.yaml index e4b06b49b..7a454d1d2 100644 --- a/roles/flannel_register/defaults/main.yaml +++ b/roles/flannel_register/defaults/main.yaml @@ -5,7 +5,7 @@ flannel_subnet_len: "{{ subnet_len | default(24, true) }}" flannel_etcd_key: /openshift.com/network etcd_hosts: "{{ etcd_urls }}" etcd_conf_dir: "{{ openshift.common.config_base }}/master" -etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt" +etcd_peer_ca_file: "{{ etcd_conf_dir + '/ca.crt' if (openshift.master.embedded_etcd | bool) else etcd_conf_dir + '/master.etcd-ca.crt' }}" etcd_peer_cert_file: "{{ etcd_conf_dir }}/master.etcd-client.crt" etcd_peer_key_file: "{{ etcd_conf_dir }}/master.etcd-client.key" |