Merge pull request #3581 from php-coder/set_cert_expiration_date

Merged by openshift-bot

3 files changed, 9 insertions, 0 deletions

diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
index a80d47040..4758bbdfb 100644
--- a/roles/openshift_master_certificates/README.md
+++ b/roles/openshift_master_certificates/README.md
@@ -21,6 +21,7 @@ From this role:
 |---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
 | openshift_generated_configs_dir       | `{{ openshift.common.config_base }}/generated-configs`                    | Directory in which per-master generated config directories will be created on the `openshift_ca_host`.                        |
 | openshift_master_cert_subdir          | `master-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
+| openshift_master_cert_expire_days     | `730` (2 years)                                                           | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later.                                  |
 | openshift_master_config_dir           | `{{ openshift.common.config_base }}/master`                               | Master configuration directory in which certificates will be deployed on masters.                                             |
 | openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory.                                                                       |
 
diff --git a/roles/openshift_master_certificates/defaults/main.yml b/roles/openshift_master_certificates/defaults/main.yml
new file mode 100644
index 000000000..dba62c4ec
--- /dev/null
+++ b/roles/openshift_master_certificates/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_master_cert_expire_days: 730
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index 61541acb8..d4c9a96ca 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -57,6 +57,9 @@
     --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
     --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
     --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
+    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+    --expire-days={{ openshift_master_cert_expire_days }}
+    {% endif %}
     --signer-cert={{ openshift_ca_cert }}
     --signer-key={{ openshift_ca_key }}
     --signer-serial={{ openshift_ca_serial }}
@@ -84,6 +87,9 @@
       --signer-serial={{ openshift_ca_serial }}
       --user=system:openshift-master
       --basename=openshift-master
+      {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+      --expire-days={{ openshift_master_cert_expire_days }}
+      {% endif %}
   args:
     creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
   with_items: "{{ hostvars