| author | Scott Dodson <sdodson@redhat.com> | 2016-07-21 13:11:59 -0400 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-07-21 13:11:59 -0400 | 
| commit | 4507beb2d4f4709583b3cba3eec7c5b57163e9bc (patch) | |
| tree | 9e4f7229780e7a19329d631bf729f971225057de /playbooks/common/openshift-master | |
| parent | 19b6794f877e723c0828e6e592dfaa99f0207d18 (diff) | |
| parent | 4ec879a68e7d50f7848364c8cb5b55e82694ef00 (diff) | |
Merge pull request #1990 from abutcher/openshift-certificates
Refactor openshift certificates roles.
Diffstat (limited to 'playbooks/common/openshift-master')
| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 100 | 
1 files changed, 12 insertions, 88 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index bb8fb77b6..911c23d70 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -156,79 +156,6 @@
     - master.etcd-ca.crt
     when: etcd_client_certs_missing is defined and etcd_client_certs_missing
-- name: Determine if master certificates need to be generated
-  hosts: oo_first_master:oo_masters_to_config
-  tasks:
-  - set_fact:
-      openshift_master_certs_no_etcd:
-      - admin.crt
-      - master.kubelet-client.crt
-      - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
-      - master.server.crt
-      - openshift-master.crt
-      - openshift-registry.crt
-      - openshift-router.crt
-      - etcd.server.crt
-      openshift_master_certs_etcd:
-      - master.etcd-client.crt
-
-  - set_fact:
-      openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}"
-
-  - name: Check status of master certificates
-    stat:
-      path: "{{ openshift.common.config_base }}/master/{{ item }}"
-    with_items: "{{ openshift_master_certs }}"
-    register: g_master_cert_stat_result
-  - set_fact:
-      master_certs_missing: "{{ False in (g_master_cert_stat_result.results
-                                | oo_collect(attribute='stat.exists')
-                                | list ) }}"
-      master_cert_subdir: master-{{ openshift.common.hostname }}
-      master_cert_config_dir: "{{ openshift.common.config_base }}/master"
-
-- name: Configure master certificates
-  hosts: oo_first_master
-  vars:
-    master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs"
-    masters_needing_certs: "{{ hostvars
-                               | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
-                               | oo_filter_list(filter_attr='master_certs_missing') }}"
-    master_hostnames: "{{ hostvars
-                               | oo_select_keys(groups['oo_masters_to_config'])
-                               | oo_collect('openshift.common.all_hostnames')
-                               | oo_flatten | unique }}"
-    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
-  roles:
-  - openshift_master_certificates
-  post_tasks:
-  - name: Remove generated etcd client certs when using external etcd
-    file:
-      path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
-      state: absent
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
-    with_nested:
-    - "{{ masters_needing_certs | default([]) }}"
-    - - master.etcd-client.crt
-      - master.etcd-client.key
-
-  - name: Create a tarball of the master certs
-    command: >
-      tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz
-        -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} .
-    args:
-      creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
-    with_items: "{{ masters_needing_certs | default([]) }}"
-
-  - name: Retrieve the master cert tarball from the master
-    fetch:
-      src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz"
-      dest: "{{ sync_tmpdir }}/"
-      flat: yes
-      fail_on_missing: yes
-      validate_checksum: yes
-    with_items: "{{ masters_needing_certs | default([]) }}"
-
 - name: Check for cached session secrets
   hosts: oo_first_master
   roles:
@@ -243,7 +170,7 @@
 - name: Generate master session secrets
   hosts: oo_first_master
   vars:
-    g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}"
+    g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([])) | length > 0 and (openshift.master.session_encryption_secrets | default([])) | length > 0 }}"
     g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}"
     g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}"
   roles:
@@ -263,7 +190,7 @@
   vars:
     internal_hostnames: "{{ hostvars[groups.oo_first_master.0].openshift.common.internal_hostnames }}"
     named_certificates: "{{ hostvars[groups.oo_first_master.0].openshift_master_named_certificates | default([]) }}"
-    named_certificates_dir: "{{ hostvars[groups.oo_first_master.0].master_cert_config_dir }}/named_certificates/"
+    named_certificates_dir: "{{ hostvars[groups.oo_first_master.0].openshift.common.config_base }}/master/named_certificates/"
   tasks:
   - set_fact:
       parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certificates_dir, internal_hostnames) }}"
@@ -307,7 +234,6 @@
 - name: Configure masters
   hosts: oo_masters_to_config
   any_errors_fatal: true
-  serial: 1
   vars:
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
     openshift_master_ha: "{{ openshift.master.ha }}"
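Review bot: The rewritten `g_session_secrets_present` line in the `@@ -243,7 +170,7 @@` hunk carries no comment saying that both lists must be non-empty, which is the whole point of the change and easy to lose in a later edit. A line above it such as `# true only when BOTH auth and encryption secrets are already set; a partial set counts as missing` would document that. The test looks at list length only, so a list holding an empty string would still count as present; if cached facts can contain such a value, the consuming role (outside this hunk) should reject it.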
@@ -321,19 +247,17 @@
                                                 }}"
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
-  pre_tasks:
-  - name: Ensure certificate directory exists
-    file:
-      path: "{{ openshift.common.config_base }}/master"
-      state: directory
-    when: master_certs_missing | bool and 'oo_first_master' not in group_names
-  - name: Unarchive the tarball on the master
-    unarchive:
-      src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"
-      dest: "{{ master_cert_config_dir }}"
-    when: master_certs_missing | bool and 'oo_first_master' not in group_names
   roles:
-  - openshift_master
+  - role: openshift_master
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+    openshift_master_etcd_hosts: "{{ hostvars
+                                     | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
+                                     | oo_collect('openshift.common.hostname')
+                                     | default(none, true) }}"
+    openshift_master_hostnames: "{{ hostvars
+                                    | oo_select_keys(groups['oo_masters_to_config'] | default([]))
+                                    | oo_collect('openshift.common.all_hostnames')
+                                    | oo_flatten | unique }}"
   - role: nickhammond.logrotate
   - role: nuage_master
     when: openshift.common.use_nuage | bool  |
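Review bot: Every host in `oo_masters_to_config` now runs `openshift_master` against the same `openshift_ca_host`, and the `@@ -307,7 +234,6 @@` hunk drops `serial: 1` from this play, so those runs are no longer one at a time. The role body is not visible here; if it delegates certificate generation or signing to that host, confirm those tasks tolerate concurrent runs (per-host output directories, no shared CA serial file), or keep `serial: 1` until that is verified. Separately, `openshift_master_etcd_hosts` collapses to `none` through `default(none, true)` when no etcd hosts are found, while `openshift_master_hostnames` yields an empty list. A one-line comment stating why the etcd value is `none` rather than `[]` would show the asymmetry is intended.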
