diff options
Diffstat (limited to 'playbooks/openshift-master/private/tasks')
| -rw-r--r-- | playbooks/openshift-master/private/tasks/wire_aggregator.yml | 216 | 
1 files changed, 216 insertions, 0 deletions
| diff --git a/playbooks/openshift-master/private/tasks/wire_aggregator.yml b/playbooks/openshift-master/private/tasks/wire_aggregator.yml new file mode 100644 index 000000000..97acc5d5d --- /dev/null +++ b/playbooks/openshift-master/private/tasks/wire_aggregator.yml @@ -0,0 +1,216 @@ +--- +- name: Make temp cert dir +  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX +  register: certtemp +  changed_when: False + +- name: Check for First Master Aggregator Signer cert +  stat: +    path: /etc/origin/master/front-proxy-ca.crt +  register: first_proxy_ca_crt +  changed_when: false +  delegate_to: "{{ groups.oo_first_master.0 }}" + +- name: Check for First Master Aggregator Signer key +  stat: +    path: /etc/origin/master/front-proxy-ca.crt +  register: first_proxy_ca_key +  changed_when: false +  delegate_to: "{{ groups.oo_first_master.0 }}" + +# TODO: this currently has a bug where hostnames are required +- name: Creating First Master Aggregator signer certs +  command: > +    {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm ca create-signer-cert +    --cert=/etc/origin/master/front-proxy-ca.crt +    --key=/etc/origin/master/front-proxy-ca.key +    --serial=/etc/origin/master/ca.serial.txt +  delegate_to: "{{ groups.oo_first_master.0 }}" +  when: +  - not first_proxy_ca_crt.stat.exists +  - not first_proxy_ca_key.stat.exists + +- name: Check for Aggregator Signer cert +  stat: +    path: /etc/origin/master/front-proxy-ca.crt +  register: proxy_ca_crt +  changed_when: false + +- name: Check for Aggregator Signer key +  stat: +    path: /etc/origin/master/front-proxy-ca.crt +  register: proxy_ca_key +  changed_when: false + +- name: Copy Aggregator Signer certs from first master +  fetch: +    src: "/etc/origin/master/{{ item }}" +    dest: "{{ certtemp.stdout }}/{{ item }}" +    flat: yes +  with_items: +  - front-proxy-ca.crt +  - front-proxy-ca.key +  delegate_to: "{{ groups.oo_first_master.0 }}" +  when: +  - not proxy_ca_key.stat.exists +  - not proxy_ca_crt.stat.exists + +- name: Copy Aggregator Signer certs to host +  copy: +    src: "{{ certtemp.stdout }}/{{ item }}" +    dest: "/etc/origin/master/{{ item }}" +  with_items: +  - front-proxy-ca.crt +  - front-proxy-ca.key +  when: +  - not proxy_ca_key.stat.exists +  - not proxy_ca_crt.stat.exists + +#  oc_adm_ca_server_cert: +#    cert: /etc/origin/master/front-proxy-ca.crt +#    key: /etc/origin/master/front-proxy-ca.key + +- name: Check for first master api-client config +  stat: +    path: /etc/origin/master/aggregator-front-proxy.kubeconfig +  register: first_front_proxy_kubeconfig +  delegate_to: "{{ groups.oo_first_master.0 }}" +  run_once: true + +# create-api-client-config generates a ca.crt file which will +# overwrite the OpenShift CA certificate.  Generate the aggregator +# kubeconfig in a temporary directory and then copy files into the +# master config dir to avoid overwriting ca.crt. +- block: +  - name: Create first master api-client config for Aggregator +    command: > +      {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm create-api-client-config +      --certificate-authority=/etc/origin/master/front-proxy-ca.crt +      --signer-cert=/etc/origin/master/front-proxy-ca.crt +      --signer-key=/etc/origin/master/front-proxy-ca.key +      --user aggregator-front-proxy +      --client-dir={{ certtemp.stdout }} +      --signer-serial=/etc/origin/master/ca.serial.txt +    delegate_to: "{{ groups.oo_first_master.0 }}" +    run_once: true +  - name: Copy first master api-client config for Aggregator +    copy: +      src: "{{ certtemp.stdout }}/{{ item }}" +      dest: "/etc/origin/master/" +      remote_src: true +    with_items: +    - aggregator-front-proxy.crt +    - aggregator-front-proxy.key +    - aggregator-front-proxy.kubeconfig +    delegate_to: "{{ groups.oo_first_master.0 }}" +    run_once: true +  when: +  - not first_front_proxy_kubeconfig.stat.exists + +- name: Check for api-client config +  stat: +    path: /etc/origin/master/aggregator-front-proxy.kubeconfig +  register: front_proxy_kubeconfig + +- name: Copy api-client config from first master +  fetch: +    src: "/etc/origin/master/{{ item }}" +    dest: "{{ certtemp.stdout }}/{{ item }}" +    flat: yes +  delegate_to: "{{ groups.oo_first_master.0 }}" +  with_items: +  - aggregator-front-proxy.crt +  - aggregator-front-proxy.key +  - aggregator-front-proxy.kubeconfig +  when: +  - not front_proxy_kubeconfig.stat.exists + +- name: Copy api-client config to host +  copy: +    src: "{{ certtemp.stdout }}/{{ item }}" +    dest: "/etc/origin/master/{{ item }}" +  with_items: +  - aggregator-front-proxy.crt +  - aggregator-front-proxy.key +  - aggregator-front-proxy.kubeconfig +  when: +  - not front_proxy_kubeconfig.stat.exists + +- name: Delete temp directory +  file: +    name: "{{ certtemp.stdout }}" +    state: absent +  changed_when: False + +- name: Setup extension file for service console UI +  template: +    src: ../templates/openshift-ansible-catalog-console.js +    dest: /etc/origin/master/openshift-ansible-catalog-console.js + +- name: Update master config +  yedit: +    state: present +    src: /etc/origin/master/master-config.yaml +    edits: +    - key: aggregatorConfig.proxyClientInfo.certFile +      value: aggregator-front-proxy.crt +    - key: aggregatorConfig.proxyClientInfo.keyFile +      value: aggregator-front-proxy.key +    - key: authConfig.requestHeader.clientCA +      value: front-proxy-ca.crt +    - key: authConfig.requestHeader.clientCommonNames +      value: [aggregator-front-proxy] +    - key: authConfig.requestHeader.usernameHeaders +      value: [X-Remote-User] +    - key: authConfig.requestHeader.groupHeaders +      value: [X-Remote-Group] +    - key: authConfig.requestHeader.extraHeaderPrefixes +      value: [X-Remote-Extra-] +    - key: assetConfig.extensionScripts +      value: [/etc/origin/master/openshift-ansible-catalog-console.js] +    - key: kubernetesMasterConfig.apiServerArguments.runtime-config +      value: [apis/settings.k8s.io/v1alpha1=true] +    - key: admissionConfig.pluginConfig.PodPreset.configuration.kind +      value: DefaultAdmissionConfig +    - key: admissionConfig.pluginConfig.PodPreset.configuration.apiVersion +      value: v1 +    - key: admissionConfig.pluginConfig.PodPreset.configuration.disable +      value: false +  register: yedit_output + +#restart master serially here +- name: restart master api +  systemd: name={{ openshift.common.service_type }}-master-api state=restarted +  when: +  - yedit_output.changed +  - openshift.master.cluster_method == 'native' + +# We retry the controllers because the API may not be 100% initialized yet. +- name: restart master controllers +  command: "systemctl restart {{ openshift.common.service_type }}-master-controllers" +  retries: 3 +  delay: 5 +  register: result +  until: result.rc == 0 +  when: +  - yedit_output.changed +  - openshift.master.cluster_method == 'native' + +- name: Verify API Server +  # Using curl here since the uri module requires python-httplib2 and +  # wait_for port doesn't provide health information. +  command: > +    curl --silent --tlsv1.2 +    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt +    {{ openshift.master.api_url }}/healthz/ready +  args: +    # Disables the following warning: +    # Consider using get_url or uri module rather than running curl +    warn: no +  register: api_available_output +  until: api_available_output.stdout == 'ok' +  retries: 120 +  delay: 1 +  changed_when: false +  when: +  - yedit_output.changed | 
