Diffstat (limited to 'playbooks')
3 files changed, 30 insertions, 5 deletions
| diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
index 255b0dbf7..f53d34145 100644
--- a/playbooks/byo/openshift-cluster/redeploy-certificates.yml
+++ b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
@@ -42,3 +42,7 @@
 - include: ../../common/openshift-cluster/redeploy-certificates/registry.yml
   when: openshift_hosted_manage_registry | default(true) | bool
+
+- include: ../../common/openshift-master/revert-client-ca.yml
+
+- include: ../../common/openshift-master/restart.yml
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
index 2068ed199..e22c8cbdb 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
@@ -43,11 +43,6 @@
     when: (g_master_config_output.content|b64decode|from_yaml).oauthConfig.masterCA != 'ca-bundle.crt'
   - modify_yaml:
       dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
-      yaml_key: servingInfo.clientCA
-      yaml_value: ca.crt
-    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt'
-  - modify_yaml:
-      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
       yaml_key: etcdClientInfo.ca
       yaml_value: ca-bundle.crt
     when:
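Review bot: The two new includes at the end of redeploy-certificates.yml run unconditionally, so `restart.yml` restarts every master on every certificate redeploy, including a run in which the CA was not rolled and the revert task is a no-op because of its own `when:`. If the `openshift-ca.yml` include earlier in this playbook (outside the hunk) is gated by a condition, the same gate belongs on both new includes, e.g. `when: <same condition as the openshift-ca.yml include>`; if other redeploy steps already restart masters this second restart is pure downtime. A one-line comment above them, `# Undo the temporary servingInfo.clientCA bundle set by openshift-ca.yml, then restart masters so the reverted config takes effect`, would record why the revert has to precede the restart.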
@@ -67,6 +62,13 @@
     when:
     - groups.oo_etcd_to_config | default([]) | length == 0
     - (g_master_config_output.content|b64decode|from_yaml).etcdConfig.servingInfo.clientCA != 'ca-bundle.crt'
+  # Set servingInfo.clientCA to client-ca-bundle.crt in order to roll the CA certificate.
+  # This change will be reverted in playbooks/byo/openshift-cluster/redeploy-certificates.yml
+  - modify_yaml:
+      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+      yaml_key: servingInfo.clientCA
+      yaml_value: client-ca-bundle.crt
+    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'client-ca-bundle.crt'
 
 - name: Copy current OpenShift CA to legacy directory
   hosts: oo_masters_to_config
@@ -155,6 +157,7 @@
     - ca.key
     - ca-bundle.crt
     - ca.serial.txt
+    - client-ca-bundle.crt
     delegate_to: "{{ openshift_ca_host }}"
     run_once: true
     changed_when: false
@@ -173,6 +176,7 @@
     - ca.key
     - ca-bundle.crt
     - ca.serial.txt
+    - client-ca-bundle.crt
   - name: Update master client kubeconfig CA data
     kubeclient_ca:
       client_path: "{{ openshift.common.config_base }}/master/openshift-master.kubeconfig"
diff --git a/playbooks/common/openshift-master/revert-client-ca.yml b/playbooks/common/openshift-master/revert-client-ca.yml
new file mode 100644
index 000000000..9ae23bf5b
--- /dev/null
+++ b/playbooks/common/openshift-master/revert-client-ca.yml
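Review bot: The comment on the new `modify_yaml` task in the -67 hunk names the wrong file for the revert: the value is set back to `ca.crt` by `playbooks/common/openshift-master/revert-client-ca.yml`, which `playbooks/byo/openshift-cluster/redeploy-certificates.yml` only includes; suggest `# This change is reverted by playbooks/common/openshift-master/revert-client-ca.yml (included from playbooks/byo/openshift-cluster/redeploy-certificates.yml).` The comment should also state the ordering the rollover depends on: `client-ca-bundle.crt` must exist on every master and the masters must be restarted while `servingInfo.clientCA` points at it, otherwise the running API server never trusts both the old and the new CA and the final revert undoes the change before it ever applied; where that restart happens is not visible in this hunk. The same file name belongs in the two later hunks (-155 and -173), which add `client-ca-bundle.crt` to file lists whose task names are outside the hunks, so whether a missing bundle on an older cluster fails those tasks cannot be judged here and deserves a check or a comment.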
@@ -0,0 +1,17 @@
+---
+- name: Set servingInfo.clientCA = ca.crt in master config
+  hosts: oo_masters_to_config
+  tasks:
+  - name: Read master config
+    slurp:
+      src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+    register: g_master_config_output
+
+  # servingInfo.clientCA may be set as the client-ca-bundle.crt from
+  # CA redeployment and this task reverts that change.
+  - name: Set servingInfo.clientCA = ca.crt in master config
+    modify_yaml:
+      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+      yaml_key: servingInfo.clientCA
+      yaml_value: ca.crt
+    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt' | 
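Review bot: The revert hard-codes `yaml_value: ca.crt` instead of restoring whatever `servingInfo.clientCA` held before openshift-ca.yml set it to `client-ca-bundle.crt` (that task is in the previous file's -67 hunk), so a master configured with a custom client CA path ends up trusting `ca.crt` afterwards; if custom values are supported, the original should be registered before it is overwritten and restored here. The play edits master-config.yaml only, so the running master keeps accepting client certificates signed by every CA in the bundle until it is restarted, which this play does not do; the header should say so, e.g. `# Edits master-config.yaml only; a master restart (playbooks/common/openshift-master/restart.yml) must follow for the narrowed clientCA to take effect.` The task name repeats the play name verbatim; `- name: Revert servingInfo.clientCA to ca.crt` would make the run output easier to read.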
