diff options
14 files changed, 50 insertions, 37 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml index 463a05688..4902b9ecd 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml @@ -94,25 +94,3 @@ state: started enabled: yes with_items: "{{ master_services }}" - -# Until openshift-ansible is determining which host is the CA host we -# must (unfortunately) ensure that the first host in the etcd group is -# the etcd CA host. -# https://bugzilla.redhat.com/show_bug.cgi?id=1469358 -- name: Verify we can proceed on first etcd - hosts: oo_first_etcd - gather_facts: no - tasks: - - name: Ensure CA exists on first etcd - stat: - path: /etc/etcd/generated_certs - register: __etcd_ca_stat - - - fail: - msg: > - In order to correct an etcd certificate signing problem - upgrading may require re-generating etcd certificates. Please - ensure that the /etc/etcd/generated_certs directory exists on - the first host defined in your [etcd] group. - when: - - not __etcd_ca_stat.stat.exists | bool diff --git a/playbooks/openshift-etcd/private/ca.yml b/playbooks/openshift-etcd/private/ca.yml index 72c39d546..77e7b0ed0 100644 --- a/playbooks/openshift-etcd/private/ca.yml +++ b/playbooks/openshift-etcd/private/ca.yml @@ -10,7 +10,6 @@ tasks_from: ca.yml vars: etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" when: - etcd_ca_setup | default(True) | bool diff --git a/playbooks/openshift-etcd/private/certificates-backup.yml b/playbooks/openshift-etcd/private/certificates-backup.yml index 2f9bef799..e1354de67 100644 --- a/playbooks/openshift-etcd/private/certificates-backup.yml +++ b/playbooks/openshift-etcd/private/certificates-backup.yml @@ -1,6 +1,6 @@ --- - name: Backup and remove generated etcd certificates - hosts: oo_first_etcd + hosts: oo_etcd_to_config any_errors_fatal: true tasks: - import_role: diff --git a/playbooks/openshift-etcd/private/config.yml b/playbooks/openshift-etcd/private/config.yml index 35407969e..bbc952d8e 100644 --- a/playbooks/openshift-etcd/private/config.yml +++ b/playbooks/openshift-etcd/private/config.yml @@ -22,7 +22,6 @@ - role: openshift_clock - role: openshift_etcd etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" - role: nickhammond.logrotate diff --git a/playbooks/openshift-etcd/private/master_etcd_certificates.yml b/playbooks/openshift-etcd/private/master_etcd_certificates.yml index d98470db2..4e4972dba 100644 --- a/playbooks/openshift-etcd/private/master_etcd_certificates.yml +++ b/playbooks/openshift-etcd/private/master_etcd_certificates.yml @@ -5,9 +5,7 @@ roles: - role: openshift_etcd_facts - role: openshift_etcd_client_certificates - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" etcd_cert_prefix: "master.etcd-" - openshift_ca_host: "{{ groups.oo_first_master.0 }}" when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config diff --git a/playbooks/openshift-etcd/private/redeploy-ca.yml b/playbooks/openshift-etcd/private/redeploy-ca.yml index a3acf6945..55409e503 100644 --- a/playbooks/openshift-etcd/private/redeploy-ca.yml +++ b/playbooks/openshift-etcd/private/redeploy-ca.yml @@ -45,7 +45,6 @@ tasks_from: distribute_ca.yml vars: etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" - import_playbook: restart.yml # Do not restart etcd when etcd certificates were previously expired. diff --git a/playbooks/openshift-etcd/private/scaleup.yml b/playbooks/openshift-etcd/private/scaleup.yml index 8a9811a25..162a5eba7 100644 --- a/playbooks/openshift-etcd/private/scaleup.yml +++ b/playbooks/openshift-etcd/private/scaleup.yml @@ -12,8 +12,6 @@ hosts: oo_new_etcd_to_config serial: 1 any_errors_fatal: true - vars: - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" pre_tasks: - name: Add new etcd members to cluster command: > @@ -42,7 +40,6 @@ - role: openshift_etcd when: etcd_add_check.rc == 0 etcd_peers: "{{ groups.oo_etcd_to_config | union(groups.oo_new_etcd_to_config)| default([], true) }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" etcd_initial_cluster_state: "existing" etcd_initial_cluster: "{{ etcd_add_check.stdout_lines[3] | regex_replace('ETCD_INITIAL_CLUSTER=','') | regex_replace('\"','') }}" @@ -66,8 +63,6 @@ hosts: oo_masters_to_config serial: 1 vars: - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" - openshift_ca_host: "{{ groups.oo_first_master.0 }}" openshift_master_etcd_hosts: "{{ hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config'] | union(groups['oo_new_etcd_to_config'] | default([]) )) | lib_utils_oo_collect('openshift.common.hostname') diff --git a/playbooks/openshift-etcd/private/server_certificates.yml b/playbooks/openshift-etcd/private/server_certificates.yml index ebcf4a5ff..0abfe1650 100644 --- a/playbooks/openshift-etcd/private/server_certificates.yml +++ b/playbooks/openshift-etcd/private/server_certificates.yml @@ -9,6 +9,5 @@ name: etcd tasks_from: server_certificates.yml vars: - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" diff --git a/playbooks/openshift-master/private/scaleup.yml b/playbooks/openshift-master/private/scaleup.yml index 20ebf70d3..5aaa0b156 100644 --- a/playbooks/openshift-master/private/scaleup.yml +++ b/playbooks/openshift-master/private/scaleup.yml @@ -45,7 +45,7 @@ - import_playbook: set_network_facts.yml -- import_playbook: ../../openshift-etcd/private/certificates.yml +- import_playbook: ../../openshift-etcd/private/master_etcd_certificates.yml - import_playbook: config.yml diff --git a/playbooks/openshift-node/private/etcd_client_config.yml b/playbooks/openshift-node/private/etcd_client_config.yml index c3fa38a81..148bdc769 100644 --- a/playbooks/openshift-node/private/etcd_client_config.yml +++ b/playbooks/openshift-node/private/etcd_client_config.yml @@ -6,6 +6,5 @@ - role: openshift_etcd_facts - role: openshift_etcd_client_certificates etcd_cert_prefix: flannel.etcd- - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" diff --git a/roles/lib_utils/filter_plugins/oo_filters.py b/roles/lib_utils/filter_plugins/oo_filters.py index 574743ff1..c355115b5 100644 --- a/roles/lib_utils/filter_plugins/oo_filters.py +++ b/roles/lib_utils/filter_plugins/oo_filters.py @@ -126,7 +126,7 @@ def lib_utils_oo_collect(data_list, attribute=None, filters=None): raise errors.AnsibleFilterError( "lib_utils_oo_collect expects filter to be a dict") retval.extend([get_attr(d, attribute) for d in data if ( - all([d.get(key, None) == filters[key] for key in filters]))]) + all([get_attr(d, key) == filters[key] for key in filters]))]) else: retval.extend([get_attr(d, attribute) for d in data]) diff --git a/roles/openshift_etcd_facts/defaults/main.yml b/roles/openshift_etcd_facts/defaults/main.yml new file mode 100644 index 000000000..d13e7c912 --- /dev/null +++ b/roles/openshift_etcd_facts/defaults/main.yml @@ -0,0 +1,2 @@ +--- +etcd_ca_host_group: "oo_etcd_to_config" diff --git a/roles/openshift_etcd_facts/tasks/main.yml b/roles/openshift_etcd_facts/tasks/main.yml index ed97d539c..86546f4e3 100644 --- a/roles/openshift_etcd_facts/tasks/main.yml +++ b/roles/openshift_etcd_facts/tasks/main.yml @@ -1 +1,2 @@ --- +- import_tasks: set_etcd_ca_host.yml diff --git a/roles/openshift_etcd_facts/tasks/set_etcd_ca_host.yml b/roles/openshift_etcd_facts/tasks/set_etcd_ca_host.yml new file mode 100644 index 000000000..bf8d28a9b --- /dev/null +++ b/roles/openshift_etcd_facts/tasks/set_etcd_ca_host.yml @@ -0,0 +1,44 @@ +--- +- name: Check for CA indicator files + stat: + path: "{{ item.0 }}" + delegate_to: "{{ item.1 }}" + with_nested: + - - /etc/etcd/ca + - /etc/etcd/generated_certs + - "{{ groups[etcd_ca_host_group] }}" + register: __etcd_ca_host_stat + run_once: true + +# Collect ansible_host (inventory hostname) of hosts with /etc/etcd/ca +# and /etc/etcd/generated_certs directories. +- set_fact: + __etcd_ca_dir_hosts: "{{ __etcd_ca_host_stat.results + | lib_utils_oo_collect('_ansible_delegated_vars.ansible_host', + filters={'stat.path':'/etc/etcd/ca','stat.exists':True}) }}" + __etcd_generated_certs_dir_hosts: "{{ __etcd_ca_host_stat.results + | lib_utils_oo_collect('_ansible_delegated_vars.ansible_host', + filters={'stat.path':'/etc/etcd/generated_certs','stat.exists':True}) }}" + run_once: true + +# __etcd_ca_hosts is the intersection of hosts which have /etc/etcd/ca +# and /etc/etcd/generated_certs directories. +- set_fact: + __etcd_ca_hosts: "{{ __etcd_ca_dir_hosts | intersect(__etcd_generated_certs_dir_hosts) }}" + run_once: true + +# __etcd_ca_hosts should only contain one host. If more than one host +# is able to be an etcd CA host then we will use the first. +- set_fact: + etcd_ca_host: "{{ __etcd_ca_hosts[0] }}" + when: + - __etcd_ca_hosts | length > 0 + - etcd_ca_host is not defined + +# No etcd_ca_host was found in __etcd_ca_hosts. This is probably a +# fresh installation so we will default to the first member of the +# etcd host group. +- set_fact: + etcd_ca_host: "{{ groups[etcd_ca_host_group].0 }}" + when: + - etcd_ca_host is not defined |