Diffstat (limited to 'playbooks/openshift-etcd')
| -rw-r--r-- | playbooks/openshift-etcd/private/certificates-backup.yml | 19 | ||||
| -rw-r--r-- | playbooks/openshift-etcd/private/redeploy-ca.yml | 101 | ||||
| -rw-r--r-- | playbooks/openshift-etcd/private/redeploy-certificates.yml | 18 | ||||
| -rw-r--r-- | playbooks/openshift-etcd/redeploy-ca.yml | 4 | ||||
| -rw-r--r-- | playbooks/openshift-etcd/redeploy-certificates.yml | 10 | 
5 files changed, 152 insertions, 0 deletions
|
diff --git a/playbooks/openshift-etcd/private/certificates-backup.yml b/playbooks/openshift-etcd/private/certificates-backup.yml
new file mode 100644
index 000000000..d738c8207
--- /dev/null
+++ b/playbooks/openshift-etcd/private/certificates-backup.yml
@@ -0,0 +1,19 @@
+---
+- name: Backup and remove generated etcd certificates
+  hosts: oo_first_etcd
+  any_errors_fatal: true
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup_generated_certificates
+  - include_role:
+      name: etcd
+      tasks_from: remove_generated_certificates
+
+- name: Backup deployed etcd certificates
+  hosts: oo_etcd_to_config
+  any_errors_fatal: true
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup_server_certificates
diff --git a/playbooks/openshift-etcd/private/redeploy-ca.yml b/playbooks/openshift-etcd/private/redeploy-ca.yml
new file mode 100644
index 000000000..cc5d57031
--- /dev/null
+++ b/playbooks/openshift-etcd/private/redeploy-ca.yml
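Review bot: The first play removes the generated etcd certificates on oo_first_etcd before the second play has backed up the deployed server certificates on oo_etcd_to_config, so a failure in `backup_server_certificates` (fatal through `any_errors_fatal: true`) ends the run with the generated copies already gone and possibly no backup of the deployed ones. Unless the role guarantees otherwise (its task files are outside this diff), moving `tasks_from: remove_generated_certificates` into a third play that runs after both backup plays keeps every backup ahead of every removal. If the current order is deliberate, a comment on the first play such as `# NOTE: removal here runs before the server-certificate backup in the next play` would make that explicit.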
@@ -0,0 +1,101 @@
+---
+- name: Check cert expirys
+  hosts: oo_etcd_to_config:oo_masters_to_config
+  vars:
+    openshift_certificate_expiry_show_all: yes
+  roles:
+  # Sets 'check_results' per host which contains health status for
+  # etcd, master and node certificates.  We will use 'check_results'
+  # to determine if any certificates were expired prior to running
+  # this playbook. Service restarts will be skipped if any
+  # certificates were previously expired.
+  - role: openshift_certificate_expiry
+
+- name: Backup existing etcd CA certificate directories
+  hosts: oo_etcd_to_config
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup_ca_certificates
+  - include_role:
+      name: etcd
+      tasks_from: remove_ca_certificates
+
+- include: ca.yml
+
+- name: Create temp directory for syncing certs
+  hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
+  tasks:
+  - name: Create local temp directory for syncing certs
+    local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+    register: g_etcd_mktemp
+    changed_when: false
+
+- name: Distribute etcd CA to etcd hosts
+  hosts: oo_etcd_to_config
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: distribute_ca.yml
+    vars:
+      etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
+      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+
+- include: restart.yml
+  # Do not restart etcd when etcd certificates were previously expired.
+  when: ('expired' not in (hostvars
+                           | oo_select_keys(groups['etcd'])
+                           | oo_collect('check_results.check_results.etcd')
+                           | oo_collect('health')))
+
+- name: Retrieve etcd CA certificate
+  hosts: oo_first_etcd
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: retrieve_ca_certificates
+    vars:
+      etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
+
+- name: Distribute etcd CA to masters
+  hosts: oo_masters_to_config
+  vars:
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+  tasks:
+  - name: Deploy etcd CA
+    copy:
+      src: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}/ca.crt"
+      dest: "{{ openshift.common.config_base }}/master/master.etcd-ca.crt"
+    when: groups.oo_etcd_to_config | default([]) | length > 0
+
+- name: Delete temporary directory on localhost
+  hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
+  tasks:
+  - file:
+      name: "{{ g_etcd_mktemp.stdout }}"
+      state: absent
+    changed_when: false
+
+- include: ../../openshift-master/private/restart.yml
+  # Do not restart masters when master or etcd certificates were previously expired.
+  when:
+  # masters
+  - ('expired' not in hostvars
+      | oo_select_keys(groups['oo_masters_to_config'])
+      | oo_collect('check_results.check_results.ocp_certs')
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"}))
+  - ('expired' not in hostvars
+      | oo_select_keys(groups['oo_masters_to_config'])
+      | oo_collect('check_results.check_results.ocp_certs')
+      | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))
+  # etcd
+  - ('expired' not in (hostvars
+      | oo_select_keys(groups['etcd'])
+      | oo_collect('check_results.check_results.etcd')
+      | oo_collect('health')))
diff --git a/playbooks/openshift-etcd/private/redeploy-certificates.yml b/playbooks/openshift-etcd/private/redeploy-certificates.yml
new file mode 100644
index 000000000..cc1e6adf5
--- /dev/null
+++ b/playbooks/openshift-etcd/private/redeploy-certificates.yml
@@ -0,0 +1,18 @@
+---
+- name: Check cert expirys
+  hosts: oo_etcd_to_config
+  vars:
+    openshift_certificate_expiry_show_all: yes
+  roles:
+  # Sets 'check_results' per host which contains health status for
+  # etcd, master and node certificates.  We will use 'check_results'
+  # to determine if any certificates were expired prior to running
+  # this playbook. Service restarts will be skipped if any
+  # certificates were previously expired.
+  - role: openshift_certificate_expiry
+
+- include: certificates-backup.yml
+
+- include: certificates.yml
+  vars:
+    etcd_certificates_redeploy: true
diff --git a/playbooks/openshift-etcd/redeploy-ca.yml b/playbooks/openshift-etcd/redeploy-ca.yml
new file mode 100644
index 000000000..b1d23675d
--- /dev/null
+++ b/playbooks/openshift-etcd/redeploy-ca.yml
@@ -0,0 +1,4 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-ca.yml
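Review bot: The restart gating under `- include: restart.yml`, and the `# etcd` clause of the masters restart at the end of this file, select hosts with `groups['etcd']`, while the expiry check that produces `check_results` ran on `oo_etcd_to_config:oo_masters_to_config` and every other etcd play here addresses `oo_etcd_to_config`; if the two groups differ the condition presumably evaluates over hosts that never ran the check, and with no `etcd` group in the inventory the lookup is undefined and the `when` errors out, so `oo_select_keys(groups['oo_etcd_to_config'])` would be the consistent choice. The same `groups['etcd']` selection appears in playbooks/openshift-etcd/redeploy-certificates.yml. The mktemp directory that later receives the retrieved CA material is only removed by the final localhost play, so any failure between the two leaves it on the control host; a comment on the mktemp task such as `# NOTE: removed only by the last play; an aborted run leaves retrieved CA material in this directory` would record that. `openshift_certificate_expiry_show_all: yes` is a YAML 1.1 truthy spelling, here and in private/redeploy-certificates.yml; `true` is the canonical form, and `tasks_from: distribute_ca.yml` is the only `tasks_from` in this file written with its extension.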
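Review bot: The comment above `- role: openshift_certificate_expiry` is the same text as in private/redeploy-ca.yml and says `check_results` covers "etcd, master and node certificates", but this play targets only `oo_etcd_to_config`, so no master or node results exist in this playbook and no restart is included here either. A comment that matches this file would be `# Sets 'check_results' per etcd host; only etcd certificate health is collected here, and the top-level playbook passes it on to decide whether etcd may be restarted.`.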
diff --git a/playbooks/openshift-etcd/redeploy-certificates.yml b/playbooks/openshift-etcd/redeploy-certificates.yml
new file mode 100644
index 000000000..1bd302c03
--- /dev/null
+++ b/playbooks/openshift-etcd/redeploy-certificates.yml
@@ -0,0 +1,10 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-certificates.yml
+
+- include: private/restart.yml
+  vars:
+    g_etcd_certificates_expired: "{{ ('expired' in (hostvars | oo_select_keys(groups['etcd']) | oo_collect('check_results.check_results.etcd') | oo_collect('health'))) | bool }}"
+
+- include: ../openshift-master/private/restart.yml
|
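Review bot: The closing `- include: ../openshift-master/private/restart.yml` carries no `when`, so masters are restarted regardless of the expiry results, whereas private/redeploy-ca.yml in this same commit gates the identical include on the master and etcd `check_results`; if the unconditional restart is intended here, a comment such as `# NOTE: master restart is intentionally not gated on check_results here; see private/redeploy-ca.yml for the gated form` would keep the next reader from "fixing" it, otherwise the gating from redeploy-ca.yml should be mirrored. The `g_etcd_certificates_expired` value is one long double-quoted line; a folded block scalar (`>-`) with one filter per line, as redeploy-ca.yml lays out the same pipeline, would keep it readable and within the line-length limit. Whether private/restart.yml reads `g_etcd_certificates_expired` is outside this diff.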
