| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2018-01-11 09:23:49 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-01-11 09:23:49 -0800 |
| commit | dc6ee13c88384c4be0deca622dba9452c096a746 (patch) | |
| tree | d956efb226637c28630cbf56418293d3048a85be | |
| parent | 9ce10b8415cd53042e80520a918b4541a9e785d1 (diff) | |
| parent | 53bd951747c03e181d0a3fcdb4f93354d7258ed6 (diff) | |
Merge pull request #6687 from jpeeler/sc-cert-fix
Automatic merge from submit-queue.
Update deployment and apiserver with new certs
Since new certificates are generated for every run, the apiservice
caBundle needs updating in order to have the on disk CA match what is in
Kubernetes.
Because the secrets are updated, the daemonset needs to do a rolling
update for the apiserver to pick up the new certs. Implemented here is
an added annotation to the api server such that the update occurs
automatically when the CA is changed.
---
There may be a better way to make the rolling update occur without adding an annotation, such as within ansible itself (I just didn't know how to do that). Also, I think that probably the controller needs to be updated too in order to ensure staying in sync with the api server.
Edit: I did not think that doing "oc apply" would cause the daemonset to pick up a change since the yaml may be exactly the same, but if it does then the annotation part can definitely be changed.
| -rw-r--r-- | roles/openshift_service_catalog/tasks/generate_certs.yml | 6 |
|---|---|---|
| -rw-r--r-- | roles/openshift_service_catalog/tasks/install.yml | 2 |
| -rw-r--r-- | roles/openshift_service_catalog/templates/api_server.j2 | 2 |

3 files changed, 4 insertions, 6 deletions
diff --git a/roles/openshift_service_catalog/tasks/generate_certs.yml b/roles/openshift_service_catalog/tasks/generate_certs.yml index e478023f8..72110b18c 100644 --- a/roles/openshift_service_catalog/tasks/generate_certs.yml +++ b/roles/openshift_service_catalog/tasks/generate_certs.yml @@ -59,11 +59,6 @@ src: "{{ generated_certs_dir }}/ca.crt" register: apiserver_ca -- shell: > - {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig get apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found" - register: get_apiservices - changed_when: no - - name: Create api service oc_obj: state: present @@ -86,4 +81,3 @@ caBundle: "{{ apiserver_ca.content }}" groupPriorityMinimum: 20 versionPriority: 10 - when: "'not found' in get_apiservices.stdout" diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index cfecaa12c..9b38a85c4 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -179,6 +179,8 @@ etcd_servers: "{{ openshift.master.etcd_urls | join(',') }}" etcd_cafile: "{{ '/etc/origin/master/master.etcd-ca.crt' if etcd_ca_crt.stat.exists else '/etc/origin/master/ca-bundle.crt' }}" node_selector: "{{ openshift_service_catalog_nodeselector | default ({'openshift-infra': 'apiserver'}) }}" + # apiserver_ca is defined in generate_certs.yml + ca_hash: "{{ apiserver_ca.content|hash('sha1') }}" - name: Set Service Catalog API Server daemonset oc_obj: diff --git a/roles/openshift_service_catalog/templates/api_server.j2 b/roles/openshift_service_catalog/templates/api_server.j2 index 4f51b8c3c..e345df32c 100644 --- a/roles/openshift_service_catalog/templates/api_server.j2 +++ b/roles/openshift_service_catalog/templates/api_server.j2 @@ -14,6 +14,8 @@ spec: type: RollingUpdate template: metadata: + annotations: + ca_hash: {{ ca_hash }} labels: app: apiserver spec: |
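Review bot: In the first generate_certs.yml hunk (@@ -59,11 +59,6 @@), dropping the `get_apiservices` lookup turns `Create api service` into an unconditional `oc_obj` reconcile on every run, which is what refreshing `caBundle` requires, but the task name still reads as create-only; rename it (for example `Create or update api service`) so the play output reflects that it now rewrites the APIService. As a side benefit the role no longer shells out with the hard-coded `--config=/etc/origin/master/admin.kubeconfig` path, so that is one less place where the admin credential location is baked in.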
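Review bot: In the second generate_certs.yml hunk (@@ -86,4 +81,3 @@), removing `when: "'not found' in get_apiservices.stdout"` is mandatory once the registering task is gone, otherwise the condition would reference an undefined variable; with it gone, `caBundle: "{{ apiserver_ca.content }}"` is pushed to the cluster on every play, so confirm that `oc_obj` reports `changed` only when the object content actually differs, or runs where the CA did not change will stop being idempotent.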
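Review bot: In the install.yml hunk, `ca_hash: "{{ apiserver_ca.content|hash('sha1') }}"` fingerprints the base64 text that was registered from the CA file rather than the certificate bytes; that is adequate as a change trigger (any change to the CA also changes its base64), and because the digest is only a rollout trigger and not a security control the choice of sha1 is cosmetic. The `# apiserver_ca is defined in generate_certs.yml` comment records a cross-file dependency: if install.yml is ever run without generate_certs.yml the template render fails on the undefined variable, which is the correct failure mode, but it would be worth stating that ordering requirement in the role README rather than only in an inline comment.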
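Review bot: In the api_server.j2 hunk, quote the annotation value: `ca_hash: "{{ ca_hash }}"`. Annotation values must be strings, and an unquoted hex digest that happens to consist only of decimal digits would be read by the YAML loader as an integer and the DaemonSet rejected on apply; quoting costs nothing and removes that rare failure. Two smaller points: the key `ca_hash` has no prefix, and Kubernetes convention reserves unprefixed annotation keys for end users while automated tooling should use a prefixed key to avoid collisions with other components; and since this rendered view does not preserve leading whitespace, double-check that `annotations:` sits at the same indentation as the sibling `labels:` key under `template.metadata`, because placing it one level off would silently leave the pod template unchanged and defeat the rolling update this PR is after.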