From 99745a04223f2ed8111b5eb4b49d2bcfec9e678f Mon Sep 17 00:00:00 2001 
From: Jan Chaloupka Date: Thu, 14 Sep 2017 12:10:15 +0200 Subject: Consolidate etcd certs roles This is a part of the etcd_ like role consolidationi into an action-based role. As part of the consilidation some roles have been removed and some replaced by include_role module. Resulting in reorder and shift of role dependencies from a role into a play. --- .../redeploy-certificates/etcd-ca.yml | 15 +- .../redeploy-certificates/etcd.yml | 20 +- playbooks/common/openshift-master/config.yml | 3 + playbooks/common/openshift-node/config.yml | 10 +- roles/calico/tasks/main.yml | 22 +- roles/etcd/meta/main.yml | 1 - roles/etcd/tasks/ca.yml | 2 + roles/etcd/tasks/ca/deploy.yml | 78 +++++++ roles/etcd/tasks/client_certificates.yml | 2 + .../tasks/client_certificates/fetch_from_ca.yml | 138 ++++++++++++ roles/etcd/tasks/main.yml | 2 + roles/etcd/tasks/server_certificates.yml | 2 + .../tasks/server_certificates/fetch_from_ca.yml | 238 +++++++++++++++++++++ roles/etcd/templates/openssl_append.j2 | 51 +++++ roles/etcd_ca/README.md | 34 --- roles/etcd_ca/meta/main.yml | 16 -- roles/etcd_ca/tasks/main.yml | 76 ------- roles/etcd_ca/templates/openssl_append.j2 | 51 ----- roles/etcd_client_certificates/README.md | 34 --- roles/etcd_client_certificates/meta/main.yml | 16 -- roles/etcd_client_certificates/tasks/main.yml | 138 ------------ roles/etcd_server_certificates/README.md | 34 --- roles/etcd_server_certificates/meta/main.yml | 17 -- roles/etcd_server_certificates/tasks/main.yml | 232 -------------------- roles/flannel/README.md | 2 - roles/flannel/meta/main.yml | 5 +- roles/nuage_master/meta/main.yml | 3 - roles/openshift_etcd_ca/meta/main.yml | 18 -- .../meta/main.yml | 4 +- .../tasks/main.yml | 4 + .../meta/main.yml | 16 -- 31 files changed, 565 insertions(+), 719 deletions(-) create mode 100644 roles/etcd/tasks/ca.yml create mode 100644 roles/etcd/tasks/ca/deploy.yml create mode 100644 roles/etcd/tasks/client_certificates.yml create mode 100644 
roles/etcd/tasks/client_certificates/fetch_from_ca.yml create mode 100644 roles/etcd/tasks/server_certificates.yml create mode 100644 roles/etcd/tasks/server_certificates/fetch_from_ca.yml create mode 100644 roles/etcd/templates/openssl_append.j2 delete mode 100644 roles/etcd_ca/README.md delete mode 100644 roles/etcd_ca/meta/main.yml delete mode 100644 roles/etcd_ca/tasks/main.yml delete mode 100644 roles/etcd_ca/templates/openssl_append.j2 delete mode 100644 roles/etcd_client_certificates/README.md delete mode 100644 roles/etcd_client_certificates/meta/main.yml delete mode 100644 roles/etcd_client_certificates/tasks/main.yml delete mode 100644 roles/etcd_server_certificates/README.md delete mode 100644 roles/etcd_server_certificates/meta/main.yml delete mode 100644 roles/etcd_server_certificates/tasks/main.yml delete mode 100644 roles/openshift_etcd_ca/meta/main.yml create mode 100644 roles/openshift_etcd_client_certificates/tasks/main.yml delete mode 100644 roles/openshift_etcd_server_certificates/meta/main.yml diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml index 6964e8567..58bbcc658 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml 
@@ -37,10 +37,17 @@ - name: Generate new etcd CA hosts: oo_first_etcd roles: - - role: openshift_etcd_ca - etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" - etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" + - role: openshift_etcd_facts + tasks: + - include_role: + name: etcd + tasks_from: ca + vars: + etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" + when: + - etcd_ca_setup | default(True) | bool - name: Create temp directory for syncing certs hosts: localhost diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml b/playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml index 6b5c805e6..16f0edb06 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml 
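Review bot: The `when: etcd_ca_setup | default(True) | bool` guard on the new include_role turns the "Generate new etcd CA" play into a no-op for inventories that set `etcd_ca_setup: false`, whereas the replaced `openshift_etcd_ca` role ran here unconditionally; the later plays of this playbook then redistribute whatever CA is present, so the old CA is silently kept. If that is intended, a comment above the include such as `# skipped when the CA is managed outside this playbook (etcd_ca_setup: false)` would make it explicit; otherwise the `when` should be dropped for the redeploy case. Minor: the rest of the commit writes the Jinja default lowercase (`default(false)`), so `default(true)` would match.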
@@ -45,19 +45,23 @@ - name: Redeploy etcd certificates hosts: oo_etcd_to_config any_errors_fatal: true - roles: - - role: openshift_etcd_server_certificates - etcd_certificates_redeploy: true - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" - etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" - openshift_ca_host: "{{ groups.oo_first_master.0 }}" - r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" + tasks: + - include_role: + name: etcd + tasks_from: server_certificates + vars: + etcd_certificates_redeploy: true + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" + etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" + openshift_ca_host: "{{ groups.oo_first_master.0 }}" + r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" - name: Redeploy etcd client certificates for masters hosts: oo_masters_to_config any_errors_fatal: true roles: + - role: openshift_etcd_facts - role: openshift_etcd_client_certificates etcd_certificates_redeploy: true etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index e1b9a4964..65c6a3cbf 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -192,6 +192,7 @@ - role: openshift_master_facts - role: openshift_hosted_facts - role: openshift_master_certificates + - role: openshift_etcd_facts - role: openshift_etcd_client_certificates etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" 
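Review bot: The "Redeploy etcd certificates" play now has no `roles:` section at all, so `openshift_etcd_facts` is not applied before `include_role: etcd` with `tasks_from: server_certificates`, while the sibling plays in this commit (etcd-ca.yml and the masters play directly below) add `- role: openshift_etcd_facts` first. The included server_certificates tasks reference `etcd_is_containerized` and, via ca/deploy.yml, `etcd_is_atomic`; if those facts come from openshift_etcd_facts rather than from etcd_common defaults, this play fails on an undefined variable. Adding `roles:` / `  - role: openshift_etcd_facts` above `tasks:` would mirror the other plays.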
@@ -215,6 +216,8 @@ openshift_master_default_registry_value: "{{ hostvars[groups.oo_first_master.0].l_default_registry_value }}" openshift_master_default_registry_value_api: "{{ hostvars[groups.oo_first_master.0].l_default_registry_value_api }}" openshift_master_default_registry_value_controllers: "{{ hostvars[groups.oo_first_master.0].l_default_registry_value_controllers }}" + - role: nuage_ca + - role: nuage_common - role: nuage_master when: openshift_use_nuage | default(false) | bool - role: calico_master diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 0801c41ff..5207ca9c8 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -65,12 +65,16 @@ vars: openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" roles: - - role: flannel - etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" - embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" + - role: openshift_facts + - role: openshift_etcd_facts + - role: openshift_etcd_client_certificates + etcd_cert_prefix: flannel.etcd- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" + - role: flannel + etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" + embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" when: openshift_use_flannel | default(false) | bool - role: calico when: openshift_use_calico | default(false) | bool diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml index 39f730462..0e3863304 100644 --- a/roles/calico/tasks/main.yml +++ b/roles/calico/tasks/main.yml 
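Review bot: `- role: nuage_ca` and `- role: nuage_common` are added without the `when: openshift_use_nuage | default(false) | bool` that guards `nuage_master` on the following line, so they now run on every master regardless of the network plugin; as dependencies of nuage_master (removed from roles/nuage_master/meta/main.yml in this commit) they inherited that condition. The openshift-node hunk below has the same problem: `openshift_facts`, `openshift_etcd_facts` and `openshift_etcd_client_certificates` with `etcd_cert_prefix: flannel.etcd-` are listed ahead of `flannel`, and the surviving context line `when: openshift_use_flannel | default(false) | bool` attaches only to the flannel entry, so every node now has a flannel etcd client certificate issued and installed even when flannel is disabled, handing etcd client credentials to hosts that have no use for them. Repeat the `when:` line on each moved entry; the two facts roles are cheap, but the certificate role should be gated.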
@@ -2,10 +2,14 @@ - name: Calico Node | Error if invalid cert arguments fail: msg: "Must provide all or none for the following etcd params: calico_etcd_cert_dir, calico_etcd_ca_cert_file, calico_etcd_cert_file, calico_etcd_key_file, calico_etcd_endpoints" - when: (calico_etcd_cert_dir is defined or calico_etcd_ca_cert_file is defined or calico_etcd_cert_file is defined or calico_etcd_key_file is defined or calico_etcd_endpoints is defined) and not (calico_etcd_cert_dir is defined and calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined) + when: + - calico_etcd_cert_dir is defined or calico_etcd_ca_cert_file is defined or calico_etcd_cert_file is defined or calico_etcd_key_file is defined or calico_etcd_endpoints is defined + - not (calico_etcd_cert_dir is defined and calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined) - name: Calico Node | Generate OpenShift-etcd certs - include: ../../../roles/etcd_client_certificates/tasks/main.yml + include_role: + name: etcd + tasks_from: client_certificates when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined vars: etcd_cert_prefix: calico.etcd- 
@@ -28,18 +32,18 @@ msg: "Invalid etcd configuration for calico." when: item is not defined or item == '' with_items: - - calico_etcd_ca_cert_file - - calico_etcd_cert_file - - calico_etcd_key_file - - calico_etcd_endpoints + - calico_etcd_ca_cert_file + - calico_etcd_cert_file + - calico_etcd_key_file + - calico_etcd_endpoints - name: Calico Node | Assure the calico certs are present stat: path: "{{ item }}" with_items: - - "{{ calico_etcd_ca_cert_file }}" - - "{{ calico_etcd_cert_file }}" - - "{{ calico_etcd_key_file }}" + - "{{ calico_etcd_ca_cert_file }}" + - "{{ calico_etcd_cert_file }}" + - "{{ calico_etcd_key_file }}" - name: Calico Node | Configure Calico service unit file template: diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml index 9a955c822..d69366a39 100644 --- a/roles/etcd/meta/main.yml +++ b/roles/etcd/meta/main.yml @@ -18,5 +18,4 @@ galaxy_info: dependencies: - role: lib_openshift - role: lib_os_firewall -- role: etcd_server_certificates - role: etcd_common diff --git a/roles/etcd/tasks/ca.yml b/roles/etcd/tasks/ca.yml new file mode 100644 index 000000000..7cda49069 --- /dev/null +++ b/roles/etcd/tasks/ca.yml @@ -0,0 +1,2 @@ +--- +- include: ca/deploy.yml diff --git a/roles/etcd/tasks/ca/deploy.yml b/roles/etcd/tasks/ca/deploy.yml new file mode 100644 index 000000000..3d32290a2 --- /dev/null +++ b/roles/etcd/tasks/ca/deploy.yml 
@@ -0,0 +1,78 @@ +--- +- name: Install openssl + package: + name: openssl + state: present + when: not etcd_is_atomic | bool + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: root + group: root + with_items: + - "{{ etcd_ca_new_certs_dir }}" + - "{{ etcd_ca_crl_dir }}" + - "{{ etcd_ca_dir }}/fragments" + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- command: cp /etc/pki/tls/openssl.cnf ./ + args: + chdir: "{{ etcd_ca_dir }}/fragments" + creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf" + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- template: + dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf" + src: openssl_append.j2 + backup: true + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- assemble: + src: "{{ etcd_ca_dir }}/fragments" + dest: "{{ etcd_openssl_conf }}" + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- name: Check etcd_ca_db exist + stat: path="{{ etcd_ca_db }}" + register: etcd_ca_db_check + changed_when: false + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- name: Touch etcd_ca_db file + file: + path: "{{ etcd_ca_db }}" + state: touch + when: etcd_ca_db_check.stat.isreg is not defined + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- copy: + dest: "{{ etcd_ca_serial }}" + content: "01" + force: no + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- name: Create etcd CA certificate + command: > + openssl req -config {{ etcd_openssl_conf }} -newkey rsa:4096 + -keyout {{ etcd_ca_key }} -new -out {{ etcd_ca_cert }} + -x509 -extensions {{ etcd_ca_exts_self }} -batch -nodes + -days {{ etcd_ca_default_days }} + -subj /CN=etcd-signer@{{ ansible_date_time.epoch }} + args: + chdir: "{{ etcd_ca_dir }}" + creates: "{{ etcd_ca_cert }}" + environment: + SAN: 'etcd-signer' + delegate_to: "{{ etcd_ca_host }}" + run_once: true 
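Review bot: Nothing in this file pins the mode of the CA private key: the directory task sets 0700 on the new_certs, crl and fragments subdirectories but not on `etcd_ca_dir` itself, and after `openssl req ... -nodes -keyout {{ etcd_ca_key }}` writes the unencrypted key no `file` task follows, so the key's permissions are whatever the umask and the openssl build happen to produce. Adding `- "{{ etcd_ca_dir }}"` to the directory task's `with_items` and pinning the key afterwards (the task below, placed after "Create etcd CA certificate") would make the intent explicit. The content otherwise looks like a verbatim move of the deleted roles/etcd_ca/tasks/main.yml, so this is inherited rather than introduced here.
```yaml
# … unchanged: openssl install, directories, openssl.cnf fragments, CA db/serial, CA certificate …

- name: Restrict permissions on the etcd CA private key
  file:
    path: "{{ etcd_ca_key }}"
    mode: 0600
    owner: root
    group: root
  delegate_to: "{{ etcd_ca_host }}"
  run_once: true
```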
diff --git a/roles/etcd/tasks/client_certificates.yml b/roles/etcd/tasks/client_certificates.yml new file mode 100644 index 000000000..2e9c078b9 --- /dev/null +++ b/roles/etcd/tasks/client_certificates.yml @@ -0,0 +1,2 @@ +--- +- include: client_certificates/fetch_from_ca.yml diff --git a/roles/etcd/tasks/client_certificates/fetch_from_ca.yml b/roles/etcd/tasks/client_certificates/fetch_from_ca.yml new file mode 100644 index 000000000..119071a72 --- /dev/null +++ b/roles/etcd/tasks/client_certificates/fetch_from_ca.yml 
@@ -0,0 +1,138 @@ +--- +- name: Ensure CA certificate exists on etcd_ca_host + stat: + path: "{{ etcd_ca_cert }}" + register: g_ca_cert_stat_result + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- fail: + msg: > + CA certificate {{ etcd_ca_cert }} doesn't exist on CA host + {{ etcd_ca_host }}. Apply 'etcd_ca' action from `etcd` role to + {{ etcd_ca_host }}. + when: not g_ca_cert_stat_result.stat.exists | bool + run_once: true + +- name: Check status of external etcd certificatees + stat: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + with_items: + - "{{ etcd_cert_prefix }}client.crt" + - "{{ etcd_cert_prefix }}client.key" + - "{{ etcd_cert_prefix }}ca.crt" + register: g_external_etcd_cert_stat_result + when: not etcd_certificates_redeploy | default(false) | bool + +- set_fact: + etcd_client_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool + else (False in (g_external_etcd_cert_stat_result.results + | default({}) + | oo_collect(attribute='stat.exists') + | list)) }}" + +- name: Ensure generated_certs directory present + file: + path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + state: directory + mode: 0700 + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the client csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}client.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}client.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'client.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order to avoid competing +# for the serial file. 
+- name: Sign and create the client crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}client.crt + -in {{ etcd_cert_prefix }}client.csr + -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'client.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- file: + src: "{{ etcd_ca_cert }}" + dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt" + state: hard + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX + register: g_etcd_client_mktemp + changed_when: False + when: etcd_client_certs_missing | bool + become: no + +- name: Create a tarball of the etcd certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz + -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} . 
+ args: + creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + # Disables the following warning: + # Consider using unarchive module rather than running tar + warn: no + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Retrieve the etcd cert tarballs + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ g_etcd_client_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ etcd_cert_config_dir }}" + state: directory + when: etcd_client_certs_missing | bool + +- name: Unarchive etcd cert tarballs + unarchive: + src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_cert_config_dir }}" + when: etcd_client_certs_missing | bool + +- file: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - "{{ etcd_cert_prefix }}client.crt" + - "{{ etcd_cert_prefix }}client.key" + - "{{ etcd_cert_prefix }}ca.crt" + when: etcd_client_certs_missing | bool + +- name: Delete temporary directory + local_action: file path="{{ g_etcd_client_mktemp.stdout }}" state=absent + changed_when: False + when: etcd_client_certs_missing | bool + become: no diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 78e543ef1..870c11ad4 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -1,4 +1,6 @@ --- +- include: server_certificates.yml + - name: Set hostname and ip facts set_fact: # Store etcd_hostname and etcd_ip such that they will be available diff --git a/roles/etcd/tasks/server_certificates.yml b/roles/etcd/tasks/server_certificates.yml new file mode 100644 index 000000000..f0ba58b6e --- /dev/null +++ b/roles/etcd/tasks/server_certificates.yml @@ -0,0 +1,2 @@ +--- +- include: server_certificates/fetch_from_ca.yml 
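Review bot: The fail message at the top of this file tells the operator to apply the 'etcd_ca' action, but the action the new layout exposes is `tasks_from: ca` (as used by the redeploy play in this commit), so the hint names something that no longer exists; `{{ etcd_ca_host }}. Apply the 'ca' action (tasks_from: ca) of the etcd role to` would match. The `SAN: "IP:{{ etcd_ip }}"` environment on "Sign and create the client crt" deserves a comment: the CA section of openssl_append.j2 never references `${ENV::SAN}`, so this value presumably only keeps config parsing of the req_ext section from failing, while the SAN that ends up in the issued certificate is the one copied from the CSR through `copy_extensions = copy`; `# SAN only satisfies ${ENV::SAN} in the shared openssl config; the effective SAN comes from the CSR` would save the next reader a detour. The local mktemp directory that receives the key tarball is only removed by the final task, so a failure in between leaves private key material under /tmp on the controller; a block with an `always:` clause around fetch/unarchive/delete would close that, and the same pattern recurs in roles/etcd/tasks/server_certificates/fetch_from_ca.yml in this commit. The task name "certificatees" carries a typo over from the deleted file.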
diff --git a/roles/etcd/tasks/server_certificates/fetch_from_ca.yml b/roles/etcd/tasks/server_certificates/fetch_from_ca.yml new file mode 100644 index 000000000..064fe1952 --- /dev/null +++ b/roles/etcd/tasks/server_certificates/fetch_from_ca.yml 
@@ -0,0 +1,238 @@ +--- +- include: ../ca/deploy.yml + when: + - etcd_ca_setup | default(True) | bool + +- name: Install etcd + package: + name: "etcd{{ '-' + etcd_version if etcd_version is defined else '' }}" + state: present + when: not etcd_is_containerized | bool + +- name: Check status of etcd certificates + stat: + path: "{{ item }}" + with_items: + - "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}server.crt" + - "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}peer.crt" + - "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}ca.crt" + - "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}server.crt" + - "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}peer.crt" + - "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}ca.crt" + register: g_etcd_server_cert_stat_result + when: not etcd_certificates_redeploy | default(false) | bool + +- set_fact: + etcd_server_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool + else (False in (g_etcd_server_cert_stat_result.results + | default({}) + | oo_collect(attribute='stat.exists') + | list)) }}" + +- name: Ensure generated_certs directory present + file: + path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + state: directory + mode: 0700 + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the server csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}server.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}server.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'server.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order 
to avoid competing +# for the serial file. +- name: Sign and create the server crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}server.crt + -in {{ etcd_cert_prefix }}server.csr + -extensions {{ etcd_ca_exts_server }} -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'server.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the peer csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}peer.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}peer.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'peer.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order to avoid competing +# for the serial file. 
+- name: Sign and create the peer crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}peer.crt + -in {{ etcd_cert_prefix }}peer.csr + -extensions {{ etcd_ca_exts_peer }} -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'peer.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- file: + src: "{{ etcd_ca_cert }}" + dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt" + state: hard + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX + become: no + register: g_etcd_server_mktemp + changed_when: False + when: etcd_server_certs_missing | bool + +- name: Create a tarball of the etcd certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz + -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} . 
+ args: + creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + # Disables the following warning: + # Consider using unarchive module rather than running tar + warn: no + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Retrieve etcd cert tarball + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ g_etcd_server_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ item }}" + state: directory + with_items: + - "{{ etcd_cert_config_dir }}" + - "{{ etcd_system_container_cert_config_dir }}" + when: etcd_server_certs_missing | bool + +- name: Unarchive cert tarball + unarchive: + src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_cert_config_dir }}" + when: etcd_server_certs_missing | bool + +- name: Create a tarball of the etcd ca certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz + -C {{ etcd_ca_dir }} . 
+ args: + creates: "{{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz" + warn: no + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Retrieve etcd ca cert tarball + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz" + dest: "{{ g_etcd_server_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Ensure ca directory exists + file: + path: "{{ item }}" + state: directory + with_items: + - "{{ etcd_ca_dir }}" + - "{{ etcd_system_container_cert_config_dir }}/ca" + when: etcd_server_certs_missing | bool + +- name: Unarchive cert tarball for the system container + unarchive: + src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_system_container_cert_config_dir }}" + when: + - etcd_server_certs_missing | bool + - r_etcd_common_etcd_runtime == 'runc' + +- name: Unarchive etcd ca cert tarballs for the system container + unarchive: + src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_ca_name }}.tgz" + dest: "{{ etcd_system_container_cert_config_dir }}/ca" + when: + - etcd_server_certs_missing | bool + - r_etcd_common_etcd_runtime == 'runc' + +- name: Delete temporary directory + local_action: file path="{{ g_etcd_server_mktemp.stdout }}" state=absent + become: no + changed_when: False + when: etcd_server_certs_missing | bool + +- name: Validate permissions on certificate files + file: + path: "{{ item }}" + mode: 0600 + owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + when: etcd_url_scheme == 'https' + with_items: + - "{{ etcd_ca_file }}" + - "{{ etcd_cert_file }}" + - "{{ etcd_key_file }}" + +- name: Validate permissions on peer certificate files + file: + path: "{{ item }}" + mode: 0600 + owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + group: "{{ 'etcd' if not 
etcd_is_containerized | bool else omit }}" + when: etcd_peer_url_scheme == 'https' + with_items: + - "{{ etcd_peer_ca_file }}" + - "{{ etcd_peer_cert_file }}" + - "{{ etcd_peer_key_file }}" + +- name: Validate permissions on the config dir + file: + path: "{{ etcd_conf_dir }}" + state: directory + owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + mode: 0700 diff --git a/roles/etcd/templates/openssl_append.j2 b/roles/etcd/templates/openssl_append.j2 new file mode 100644 index 000000000..f28316fc2 --- /dev/null +++ b/roles/etcd/templates/openssl_append.j2 
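Review bot: "Create a tarball of the etcd ca certs" archives the whole of `etcd_ca_dir`, and that tarball is later unarchived into `{{ etcd_system_container_cert_config_dir }}/ca` on every etcd host running under runc; if `etcd_ca_key` (the `private_key` of the CA section in openssl_append.j2) lives under that directory, the CA signing key is copied to every cluster member instead of staying on `etcd_ca_host`. If the system container only needs the CA certificate, archiving just that file keeps the key at home: `tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz` / `-C {{ etcd_ca_cert | dirname }} {{ etcd_ca_cert | basename }}`; if the signing key is genuinely required there, a comment saying why would stop the next reader from "fixing" it. Separately, "Ensure certificate directory exists" and "Ensure ca directory exists" create their directories with the default mode and the later permission tasks cover only the individual files and `etcd_conf_dir`, so `etcd_system_container_cert_config_dir` is left at whatever the umask gives unless it coincides with one of those. The leading `include: ../ca/deploy.yml` and the "Install etcd" package task are not certificate work and would read better in the role's main.yml, which already includes this file first.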
@@ -0,0 +1,51 @@ + +[ {{ etcd_req_ext }} ] +basicConstraints = critical,CA:FALSE +keyUsage = digitalSignature,keyEncipherment +subjectAltName = ${ENV::SAN} + +[ {{ etcd_ca_name }} ] +dir = {{ etcd_ca_dir }} +crl_dir = {{ etcd_ca_crl_dir }} +database = {{ etcd_ca_db }} +new_certs_dir = {{ etcd_ca_new_certs_dir }} +certificate = {{ etcd_ca_cert }} +serial = {{ etcd_ca_serial }} +private_key = {{ etcd_ca_key }} +crl_number = {{ etcd_ca_crl_number }} +x509_extensions = {{ etcd_ca_exts_client }} +default_days = {{ etcd_ca_default_days }} +default_md = sha256 +preserve = no +name_opt = ca_default +cert_opt = ca_default +policy = policy_anything +unique_subject = no +copy_extensions = copy + +[ {{ etcd_ca_exts_self }} ] +authorityKeyIdentifier = keyid,issuer +basicConstraints = critical,CA:TRUE,pathlen:0 +keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign +subjectKeyIdentifier = hash + +[ {{ etcd_ca_exts_peer }} ] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = critical,CA:FALSE +extendedKeyUsage = clientAuth,serverAuth +keyUsage = digitalSignature,keyEncipherment +subjectKeyIdentifier = hash + +[ {{ etcd_ca_exts_server }} ] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = critical,CA:FALSE +extendedKeyUsage = serverAuth +keyUsage = digitalSignature,keyEncipherment +subjectKeyIdentifier = hash + +[ {{ etcd_ca_exts_client }} ] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = critical,CA:FALSE +extendedKeyUsage = clientAuth +keyUsage = digitalSignature,keyEncipherment +subjectKeyIdentifier = hash diff --git a/roles/etcd_ca/README.md b/roles/etcd_ca/README.md deleted file mode 100644 index 60a880e30..000000000 --- a/roles/etcd_ca/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -etcd_ca -======================== - -TODO - -Requirements ------------- - -TODO - -Role Variables --------------- - -TODO - -Dependencies ------------- - -TODO - -Example Playbook ----------------- - -TODO - -License -------- - -Apache License Version 2.0 - -Author Information ------------------- - -Scott Dodson (sdodson@redhat.com) diff --git a/roles/etcd_ca/meta/main.yml b/roles/etcd_ca/meta/main.yml deleted file mode 100644 index e3e2f7781..000000000 --- a/roles/etcd_ca/meta/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -galaxy_info: - author: Jason DeTiberus - description: Etcd CA - company: Red Hat, Inc. - license: Apache License, Version 2.0 - min_ansible_version: 2.1 - platforms: - - name: EL - versions: - - 7 - categories: - - cloud - - system -dependencies: -- role: etcd_common diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml deleted file mode 100644 index b4dea4a07..000000000 --- a/roles/etcd_ca/tasks/main.yml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -- name: Install openssl - package: name=openssl state=present - when: not etcd_is_atomic | bool - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: root - group: root - with_items: - - "{{ etcd_ca_new_certs_dir }}" - - "{{ etcd_ca_crl_dir }}" - - "{{ etcd_ca_dir }}/fragments" - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- command: cp /etc/pki/tls/openssl.cnf ./ - args: - chdir: "{{ etcd_ca_dir }}/fragments" - creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf" - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- template: - dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf" - src: openssl_append.j2 - backup: true - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- assemble: - src: "{{ etcd_ca_dir }}/fragments" - dest: "{{ etcd_openssl_conf }}" - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- name: Check etcd_ca_db exist - stat: path="{{ etcd_ca_db }}" - register: etcd_ca_db_check - changed_when: false - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- name: Touch etcd_ca_db file - file: - path: "{{ etcd_ca_db }}" - state: touch - when: etcd_ca_db_check.stat.isreg is not defined - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- copy: - dest: "{{ etcd_ca_serial }}" - content: "01" - force: no - delegate_to: "{{ etcd_ca_host }}" - run_once: true - -- name: Create etcd CA certificate - command: > - openssl req -config {{ etcd_openssl_conf }} -newkey rsa:4096 - -keyout {{ etcd_ca_key }} -new -out {{ etcd_ca_cert }} - -x509 -extensions {{ etcd_ca_exts_self }} -batch -nodes - -days {{ etcd_ca_default_days }} - -subj /CN=etcd-signer@{{ ansible_date_time.epoch }} - args: - chdir: "{{ etcd_ca_dir }}" - creates: "{{ etcd_ca_cert }}" - environment: - SAN: 'etcd-signer' - delegate_to: "{{ etcd_ca_host }}" - run_once: true 
diff --git a/roles/etcd_ca/templates/openssl_append.j2 b/roles/etcd_ca/templates/openssl_append.j2 deleted file mode 100644 index f28316fc2..000000000 --- a/roles/etcd_ca/templates/openssl_append.j2 +++ /dev/null @@ -1,51 +0,0 @@ - -[ {{ etcd_req_ext }} ] -basicConstraints = critical,CA:FALSE -keyUsage = digitalSignature,keyEncipherment -subjectAltName = ${ENV::SAN} - -[ {{ etcd_ca_name }} ] -dir = {{ etcd_ca_dir }} -crl_dir = {{ etcd_ca_crl_dir }} -database = {{ etcd_ca_db }} -new_certs_dir = {{ etcd_ca_new_certs_dir }} -certificate = {{ etcd_ca_cert }} -serial = {{ etcd_ca_serial }} -private_key = {{ etcd_ca_key }} -crl_number = {{ etcd_ca_crl_number }} -x509_extensions = {{ etcd_ca_exts_client }} -default_days = {{ etcd_ca_default_days }} -default_md = sha256 -preserve = no -name_opt = ca_default -cert_opt = ca_default -policy = policy_anything -unique_subject = no -copy_extensions = copy - -[ {{ etcd_ca_exts_self }} ] -authorityKeyIdentifier = keyid,issuer -basicConstraints = critical,CA:TRUE,pathlen:0 -keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign -subjectKeyIdentifier = hash - -[ {{ etcd_ca_exts_peer }} ] -authorityKeyIdentifier = keyid,issuer:always -basicConstraints = critical,CA:FALSE -extendedKeyUsage = clientAuth,serverAuth -keyUsage = digitalSignature,keyEncipherment -subjectKeyIdentifier = hash - -[ {{ etcd_ca_exts_server }} ] -authorityKeyIdentifier = keyid,issuer:always -basicConstraints = critical,CA:FALSE -extendedKeyUsage = serverAuth -keyUsage = digitalSignature,keyEncipherment -subjectKeyIdentifier = hash - -[ {{ etcd_ca_exts_client }} ] -authorityKeyIdentifier = keyid,issuer:always -basicConstraints = critical,CA:FALSE -extendedKeyUsage = clientAuth -keyUsage = digitalSignature,keyEncipherment -subjectKeyIdentifier = hash diff --git a/roles/etcd_client_certificates/README.md b/roles/etcd_client_certificates/README.md deleted file mode 100644 index 269d5296d..000000000 
--- a/roles/etcd_client_certificates/README.md +++ /dev/null @@ -1,34 +0,0 @@ -OpenShift Etcd Certificates -=========================== - -TODO - -Requirements ------------- - -TODO - -Role Variables --------------- - -TODO - -Dependencies ------------- - -TODO - -Example Playbook ----------------- - -TODO - -License -------- - -Apache License Version 2.0 - -Author Information ------------------- - -Scott Dodson (sdodson@redhat.com) diff --git a/roles/etcd_client_certificates/meta/main.yml b/roles/etcd_client_certificates/meta/main.yml deleted file mode 100644 index efebdb599..000000000 --- a/roles/etcd_client_certificates/meta/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -galaxy_info: - author: Jason DeTiberus - description: Etcd Client Certificates - company: Red Hat, Inc. - license: Apache License, Version 2.0 - min_ansible_version: 2.1 - platforms: - - name: EL - versions: - - 7 - categories: - - cloud - - system -dependencies: -- role: etcd_common diff --git a/roles/etcd_client_certificates/tasks/main.yml b/roles/etcd_client_certificates/tasks/main.yml deleted file mode 100644 index bbd29ece1..000000000 --- a/roles/etcd_client_certificates/tasks/main.yml +++ /dev/null 
@@ -1,138 +0,0 @@
----
-- name: Ensure CA certificate exists on etcd_ca_host
- stat:
- path: "{{ etcd_ca_cert }}"
- register: g_ca_cert_stat_result
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- fail:
- msg: >
- CA certificate {{ etcd_ca_cert }} doesn't exist on CA host
- {{ etcd_ca_host }}. Apply 'etcd_ca' role to
- {{ etcd_ca_host }}.
- when: not g_ca_cert_stat_result.stat.exists | bool
- run_once: true
-
-- name: Check status of external etcd certificatees
- stat:
- path: "{{ etcd_cert_config_dir }}/{{ item }}"
- with_items:
- "{{ etcd_cert_prefix }}client.crt"
- "{{ etcd_cert_prefix }}client.key"
- "{{ etcd_cert_prefix }}ca.crt"
- register: g_external_etcd_cert_stat_result
- when: not etcd_certificates_redeploy | default(false) | bool
-
-- set_fact:
- etcd_client_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
- else (False in (g_external_etcd_cert_stat_result.results
- | default({})
- | oo_collect(attribute='stat.exists')
- | list)) }}"
-
-- name: Ensure generated_certs directory present
- file:
- path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- state: directory
- mode: 0700
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create the client csr
- command: >
- openssl req -new -keyout {{ etcd_cert_prefix }}client.key
- -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}client.csr
- -reqexts {{ etcd_req_ext }} -batch -nodes
- -subj /CN={{ etcd_hostname }}
- args:
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'client.csr' }}"
- environment:
- SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-# Certificates must be signed serially in order to avoid competing
-# for the serial file.
-- name: Sign and create the client crt
- delegated_serial_command:
- command: >
- openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}client.crt
- -in {{ etcd_cert_prefix }}client.csr
- -batch
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'client.crt' }}"
- environment:
- SAN: "IP:{{ etcd_ip }}"
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- file:
- src: "{{ etcd_ca_cert }}"
- dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
- state: hard
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
- register: g_etcd_client_mktemp
- changed_when: False
- when: etcd_client_certs_missing | bool
- become: no
-
-- name: Create a tarball of the etcd certs
- command: >
- tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
- -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
- args:
- creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- # Disables the following warning:
- # Consider using unarchive module rather than running tar
- warn: no
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Retrieve the etcd cert tarballs
- fetch:
- src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ g_etcd_client_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ etcd_cert_config_dir }}"
- state: directory
- when: etcd_client_certs_missing | bool
-
-- name: Unarchive etcd cert tarballs
- unarchive:
- src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ etcd_cert_config_dir }}"
- when: etcd_client_certs_missing | bool
-
-- file:
- path: "{{ etcd_cert_config_dir }}/{{ item }}"
- owner: root
- group: root
- mode: 0600
- with_items:
- "{{ etcd_cert_prefix }}client.crt"
- "{{ etcd_cert_prefix }}client.key"
- "{{ etcd_cert_prefix }}ca.crt"
- when: etcd_client_certs_missing | bool
-
-- name: Delete temporary directory
- local_action: file path="{{ g_etcd_client_mktemp.stdout }}" state=absent
- changed_when: False
- when: etcd_client_certs_missing | bool
- become: no
diff --git a/roles/etcd_server_certificates/README.md b/roles/etcd_server_certificates/README.md
deleted file mode 100644
index 269d5296d..000000000
--- a/roles/etcd_server_certificates/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-OpenShift Etcd Certificates
-===========================
-
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Scott Dodson (sdodson@redhat.com)
diff --git a/roles/etcd_server_certificates/meta/main.yml b/roles/etcd_server_certificates/meta/main.yml
deleted file mode 100644
index 4b6013a49..000000000
--- a/roles/etcd_server_certificates/meta/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-galaxy_info:
- author: Jason DeTiberus
- description: Etcd Server Certificates
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.1
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - cloud
- - system
-dependencies:
-- role: etcd_ca
- when: (etcd_ca_setup | default(True) | bool)
diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml
deleted file mode 100644
index 4795188a6..000000000
--- a/roles/etcd_server_certificates/tasks/main.yml
+++ /dev/null
@@ -1,232 +0,0 @@
----
-- name: Install etcd
- package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present
- when: not etcd_is_containerized | bool
-
-- name: Check status of etcd certificates
- stat:
- path: "{{ item }}"
- with_items:
- "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}server.crt"
- "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}peer.crt"
- "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}ca.crt"
- "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}server.crt"
- "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}peer.crt"
- "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}ca.crt"
- register: g_etcd_server_cert_stat_result
- when: not etcd_certificates_redeploy | default(false) | bool
-
-- set_fact:
- etcd_server_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
- else (False in (g_etcd_server_cert_stat_result.results
- | default({})
- | oo_collect(attribute='stat.exists')
- | list)) }}"
-
-- name: Ensure generated_certs directory present
- file:
- path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- state: directory
- mode: 0700
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create the server csr
- command: >
- openssl req -new -keyout {{ etcd_cert_prefix }}server.key
- -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}server.csr
- -reqexts {{ etcd_req_ext }} -batch -nodes
- -subj /CN={{ etcd_hostname }}
- args:
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'server.csr' }}"
- environment:
- SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-# Certificates must be signed serially in order to avoid competing
-# for the serial file.
-- name: Sign and create the server crt
- delegated_serial_command:
- command: >
- openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}server.crt
- -in {{ etcd_cert_prefix }}server.csr
- -extensions {{ etcd_ca_exts_server }} -batch
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'server.crt' }}"
- environment:
- SAN: "IP:{{ etcd_ip }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create the peer csr
- command: >
- openssl req -new -keyout {{ etcd_cert_prefix }}peer.key
- -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}peer.csr
- -reqexts {{ etcd_req_ext }} -batch -nodes
- -subj /CN={{ etcd_hostname }}
- args:
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'peer.csr' }}"
- environment:
- SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-# Certificates must be signed serially in order to avoid competing
-# for the serial file.
-- name: Sign and create the peer crt
- delegated_serial_command:
- command: >
- openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}peer.crt
- -in {{ etcd_cert_prefix }}peer.csr
- -extensions {{ etcd_ca_exts_peer }} -batch
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'peer.crt' }}"
- environment:
- SAN: "IP:{{ etcd_ip }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- file:
- src: "{{ etcd_ca_cert }}"
- dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
- state: hard
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
- become: no
- register: g_etcd_server_mktemp
- changed_when: False
- when: etcd_server_certs_missing | bool
-
-- name: Create a tarball of the etcd certs
- command: >
- tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
- -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
- args:
- creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- # Disables the following warning:
- # Consider using unarchive module rather than running tar
- warn: no
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Retrieve etcd cert tarball
- fetch:
- src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ g_etcd_server_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- "{{ etcd_cert_config_dir }}"
- "{{ etcd_system_container_cert_config_dir }}"
- when: etcd_server_certs_missing | bool
-
-- name: Unarchive cert tarball
- unarchive:
- src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ etcd_cert_config_dir }}"
- when: etcd_server_certs_missing | bool
-
-- name: Create a tarball of the etcd ca certs
- command: >
- tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz
- -C {{ etcd_ca_dir }} .
- args:
- creates: "{{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz"
- warn: no
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Retrieve etcd ca cert tarball
- fetch:
- src: "{{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz"
- dest: "{{ g_etcd_server_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Ensure ca directory exists
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- "{{ etcd_ca_dir }}"
- "{{ etcd_system_container_cert_config_dir }}/ca"
- when: etcd_server_certs_missing | bool
-
-- name: Unarchive cert tarball for the system container
- unarchive:
- src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ etcd_system_container_cert_config_dir }}"
- when:
- - etcd_server_certs_missing | bool
- - r_etcd_common_etcd_runtime == 'runc'
-
-- name: Unarchive etcd ca cert tarballs for the system container
- unarchive:
- src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_ca_name }}.tgz"
- dest: "{{ etcd_system_container_cert_config_dir }}/ca"
- when:
- - etcd_server_certs_missing | bool
- - r_etcd_common_etcd_runtime == 'runc'
-
-- name: Delete temporary directory
- local_action: file path="{{ g_etcd_server_mktemp.stdout }}" state=absent
- become: no
- changed_when: False
- when: etcd_server_certs_missing | bool
-
-- name: Validate permissions on certificate files
- file:
- path: "{{ item }}"
- mode: 0600
- owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- when: etcd_url_scheme == 'https'
- with_items:
- "{{ etcd_ca_file }}"
- "{{ etcd_cert_file }}"
- "{{ etcd_key_file }}"
-
-- name: Validate permissions on peer certificate files
- file:
- path: "{{ item }}"
- mode: 0600
- owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- group: "{{ 'etcd' if not
etcd_is_containerized | bool else omit }}"
- when: etcd_peer_url_scheme == 'https'
- with_items:
- "{{ etcd_peer_ca_file }}"
- "{{ etcd_peer_cert_file }}"
- "{{ etcd_peer_key_file }}"
-
-- name: Validate permissions on the config dir
- file:
- path: "{{ etcd_conf_dir }}"
- state: directory
- owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- mode: 0700
diff --git a/roles/flannel/README.md b/roles/flannel/README.md
index 0c7347603..b9e15e6e0 100644
--- a/roles/flannel/README.md
+++ b/roles/flannel/README.md
@@ -27,8 +27,6 @@ Role Variables
 Dependencies
 ------------
-openshift_facts
-
 Example Playbook
 ----------------
diff --git a/roles/flannel/meta/main.yml b/roles/flannel/meta/main.yml
index 35f825586..51128dba6 100644
--- a/roles/flannel/meta/main.yml
+++ b/roles/flannel/meta/main.yml
@@ -12,7 +12,4 @@ galaxy_info:
 categories:
 - cloud
 - system
-dependencies:
-- role: openshift_facts
-- role: openshift_etcd_client_certificates
- etcd_cert_prefix: flannel.etcd-
+dependencies: []
diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml
index 3da340c85..e2f7af5ad 100644
--- a/roles/nuage_master/meta/main.yml
+++ b/roles/nuage_master/meta/main.yml
@@ -13,8 +13,5 @@ galaxy_info:
 - cloud
 - system
 dependencies:
-- role: nuage_ca
-- role: nuage_common
-- role: openshift_etcd_client_certificates
 - role: lib_openshift
 - role: lib_os_firewall
diff --git a/roles/openshift_etcd_ca/meta/main.yml b/roles/openshift_etcd_ca/meta/main.yml
deleted file mode 100644
index f1d669d6b..000000000
--- a/roles/openshift_etcd_ca/meta/main.yml
+++ /dev/null
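Review bot: Replacing flannel's dependency list with `dependencies: []` silently drops the `openshift_etcd_client_certificates` dependency that carried `etcd_cert_prefix: flannel.etcd-`, so nothing in this role guarantees the flannel-prefixed etcd client cert, key and CA exist before flannel is configured. That contract now lives entirely in the node play (playbooks/common/openshift-node/config.yml is in the diffstat but not in this chunk), and if that play calls the etcd client_certificates tasks with the default prefix instead of `flannel.etcd-`, flannel's etcd TLS settings will reference files that were never generated. I would record the moved requirement right here so the next refactor does not lose it: `# etcd client certs for flannel (etcd_cert_prefix: flannel.etcd-) are generated by the node play, not by this role`.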
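Review bot: In the nuage_master meta hunk, `nuage_ca` and `nuage_common` are removed alongside `openshift_etcd_client_certificates`, but neither is an etcd role and the commit message only describes the etcd consolidation. Unless the master play now applies those two roles before `nuage_master` (that play change is not visible in this chunk), the Nuage CA material that `nuage_master` previously got via its dependencies will no longer be set up, which is a functional regression rather than a refactor. If the move is intentional, a comment such as `# nuage_ca, nuage_common and the etcd client certs are now applied by the master play` would make the new ordering requirement explicit; otherwise keep `nuage_ca` and `nuage_common` in the list.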
@@ -1,18 +0,0 @@
----
-galaxy_info:
- author: Tim Bielawa
- description: Meta role around the etcd_ca role
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.2
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - cloud
- - system
-dependencies:
-- role: openshift_etcd_facts
-- role: etcd_ca
- when: (etcd_ca_setup | default(True) | bool)
diff --git a/roles/openshift_etcd_client_certificates/meta/main.yml b/roles/openshift_etcd_client_certificates/meta/main.yml
index 3268c390f..fbc72c8a3 100644
--- a/roles/openshift_etcd_client_certificates/meta/main.yml
+++ b/roles/openshift_etcd_client_certificates/meta/main.yml
@@ -11,6 +11,4 @@ galaxy_info:
 - 7
 categories:
 - cloud
-dependencies:
-- role: openshift_etcd_facts
-- role: etcd_client_certificates
+dependencies: []
diff --git a/roles/openshift_etcd_client_certificates/tasks/main.yml b/roles/openshift_etcd_client_certificates/tasks/main.yml
new file mode 100644
index 000000000..7f8b667f0
--- /dev/null
+++ b/roles/openshift_etcd_client_certificates/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include_role:
+ name: etcd
+ tasks_from: client_certificates
diff --git a/roles/openshift_etcd_server_certificates/meta/main.yml b/roles/openshift_etcd_server_certificates/meta/main.yml
deleted file mode 100644
index 7750f14af..000000000
--- a/roles/openshift_etcd_server_certificates/meta/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-galaxy_info:
- author: Jason DeTiberus
- description: OpenShift Etcd Server Certificates
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.1
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - cloud
-dependencies:
-- role: openshift_etcd_facts
-- role: etcd_server_certificates
-cgit v1.2.3
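Review bot: `dependencies: []` in openshift_etcd_client_certificates/meta/main.yml drops `openshift_etcd_facts` together with the old certificate role, yet the `etcd` client_certificates tasks this wrapper now includes (not in this chunk) presumably still read the etcd_* facts that role sets — the deleted task file above used `etcd_ca_host`, `etcd_cert_config_dir`, `etcd_cert_prefix` and `etcd_ip` on nearly every task. With no meta dependency, nothing enforces that `openshift_etcd_facts` has run before this wrapper, so a play that applies it on its own fails late on an undefined `etcd_ca_host`, or, if some default is set elsewhere, generates certs for the wrong host or location. Since the facts role is cheap and the wrapper exists only to be applied standalone, I would keep it as the one remaining dependency, `dependencies: [{ role: openshift_etcd_facts }]`, or at minimum state the precondition in the meta file: `# requires openshift_etcd_facts to have been applied earlier in the same play`.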
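Review bot: The new openshift_etcd_client_certificates/tasks/main.yml includes the `etcd` role with `tasks_from: client_certificates` and no `vars:`, so the included tasks see only whatever `etcd_cert_prefix`, `etcd_cert_config_dir` and related variables the calling play happens to have set. Consumers that need distinct prefixes (the flannel and nuage dependencies removed in this same commit used `flannel.etcd-` and their own config dirs) must now pass them at each call site, and a wrong or missing prefix is not detected until etcd TLS fails at runtime. A two-line header comment would make the contract visible to those callers: `# Thin wrapper around the etcd role's client_certificates tasks.` and `# Caller must set etcd_cert_prefix / etcd_cert_config_dir (play vars) and run openshift_etcd_facts first.`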