authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2018-01-11 09:23:49 -0800
committerGitHub <noreply@github.com>2018-01-11 09:23:49 -0800
commitdc6ee13c88384c4be0deca622dba9452c096a746 (patch)
treed956efb226637c28630cbf56418293d3048a85be
parent9ce10b8415cd53042e80520a918b4541a9e785d1 (diff)
parent53bd951747c03e181d0a3fcdb4f93354d7258ed6 (diff)
Merge pull request #6687 from jpeeler/sc-cert-fix
Automatic merge from submit-queue. Update deployment and apiserver with new certs Since new certificates are generated for every run, the apiservice caBundle needs updating in order to have the on disk CA match what is in Kubernetes. Because the secrets are updated, the daemonset needs to do a rolling update for the apiserver to pick up the new certs. Implemented here is an added annotation to the api server such that the update occurs automatically when the CA is changed. --- There may be a better way to make the rolling update occur without adding an annotation, such as within ansible itself (I just didn't know how to do that). Also, I think that probably the controller needs to be updated too in order to ensure staying in sync with the api server. Edit: I did not think that doing "oc apply" would cause the daemonset to pick up a change since the yaml may be exactly the same, but if it does then the annotation part can definitely be changed.
-rw-r--r--roles/openshift_service_catalog/tasks/generate_certs.yml6
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml2
-rw-r--r--roles/openshift_service_catalog/templates/api_server.j22
3 files changed, 4 insertions, 6 deletions
diff --git a/roles/openshift_service_catalog/tasks/generate_certs.yml b/roles/openshift_service_catalog/tasks/generate_certs.yml
index e478023f8..72110b18c 100644
--- a/roles/openshift_service_catalog/tasks/generate_certs.yml
+++ b/roles/openshift_service_catalog/tasks/generate_certs.yml
@@ -59,11 +59,6 @@
src: "{{ generated_certs_dir }}/ca.crt"
register: apiserver_ca
-- shell: >
- {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig get apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found"
- register: get_apiservices
- changed_when: no
-
- name: Create api service
oc_obj:
state: present
@@ -86,4 +81,3 @@
caBundle: "{{ apiserver_ca.content }}"
groupPriorityMinimum: 20
versionPriority: 10
- when: "'not found' in get_apiservices.stdout"
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index cfecaa12c..9b38a85c4 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -179,6 +179,8 @@
etcd_servers: "{{ openshift.master.etcd_urls | join(',') }}"
etcd_cafile: "{{ '/etc/origin/master/master.etcd-ca.crt' if etcd_ca_crt.stat.exists else '/etc/origin/master/ca-bundle.crt' }}"
node_selector: "{{ openshift_service_catalog_nodeselector | default ({'openshift-infra': 'apiserver'}) }}"
+ # apiserver_ca is defined in generate_certs.yml
+ ca_hash: "{{ apiserver_ca.content|hash('sha1') }}"
- name: Set Service Catalog API Server daemonset
oc_obj:
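Review bot: The rollout trigger added on the new `ca_hash` line covers only the CA content, so a run that regenerated the serving certificate/key under an unchanged CA would not roll the daemonset. The PR description says every run regenerates all certificates including the CA, so this is presumably sufficient today, but the coupling is implicit and worth stating next to the comment, e.g. `# Only the CA is hashed: rotating the serving cert/key without a new CA will NOT trigger a rollout`. If the leaf certificate is later rotated independently, fold its slurped content into the hashed string as well. SHA-1 is fine here since the value is a change marker rather than an integrity check, though `hash('sha256')` would avoid a reviewer double-take. The enclosing `set_fact`/vars block starts before this hunk.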
diff --git a/roles/openshift_service_catalog/templates/api_server.j2 b/roles/openshift_service_catalog/templates/api_server.j2
index 4f51b8c3c..e345df32c 100644
--- a/roles/openshift_service_catalog/templates/api_server.j2
+++ b/roles/openshift_service_catalog/templates/api_server.j2
@@ -14,6 +14,8 @@ spec:
type: RollingUpdate
template:
metadata:
+ annotations:
+ ca_hash: {{ ca_hash }}
labels:
app: apiserver
spec:
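Review bot: The new annotation value on the `ca_hash:` line is rendered unquoted, so whatever the Jinja expression expands to is re-parsed by YAML before it reaches the API. A hex digest is usually read as a string, but an all-digit digest (or one starting `0b` followed only by 0/1) would be retyped as an integer and rejected because annotation values must be strings; an empty expansion would become null. Quote the templated scalar: `ca_hash: "{{ ca_hash }}"`. Consider a prefixed key such as `openshift.io/ca-hash` to follow Kubernetes annotation naming, though the bare key is not wrong. The `template:` mapping continues past the end of this hunk.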