From 917e871843192b107776ce8459b87f3960e455ed Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Wed, 26 Oct 2016 14:59:05 -0400 Subject: Restructure certificate redeploy playbooks --- .../redeploy-certificates/router.yml | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 playbooks/common/openshift-cluster/redeploy-certificates/router.yml (limited to 'playbooks/common/openshift-cluster/redeploy-certificates/router.yml') diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml new file mode 100644 index 000000000..03d64685d --- /dev/null +++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml @@ -0,0 +1,79 @@ +--- +- name: Update router certificates + hosts: oo_first_master + vars: + tasks: + - name: Create temp directory for kubeconfig + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: mktemp + changed_when: false + + - name: Copy admin client config(s) + command: > + cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig + changed_when: false + + - name: Determine if router exists + command: > + {{ openshift.common.client_binary }} get dc/router -o json + --config={{ mktemp.stdout }}/admin.kubeconfig + -n default + register: l_router_dc + failed_when: false + changed_when: false + + - set_fact: + router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env'] + | oo_collect('name')) + | default([]) }}" + router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes'] + | oo_collect('secret') + | oo_collect('secretName')) + | default([]) }}" + changed_when: false + when: l_router_dc.rc == 0 + + - name: Update router environment variables + shell: > + {{ openshift.common.client_binary }} env dc/router + OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)" + OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)" + OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)" + --config={{ mktemp.stdout }}/admin.kubeconfig + -n default + when: l_router_dc.rc == 0 and 'OPENSHIFT_CA_DATA' in router_env_vars and 'OPENSHIFT_CERT_DATA' in router_env_vars and 'OPENSHIFT_KEY_DATA' in router_env_vars + + - block: + - name: Generate router certificate + command: > + {{ openshift.common.client_binary }} adm ca create-server-cert + --hostnames=router.default.svc,router.default.svc.cluster.local + --signer-cert={{ openshift.common.config_base }}/master/service-signer.crt + --signer-key={{ openshift.common.config_base }}/master/service-signer.key + --signer-serial={{ openshift.common.config_base }}/master/ca.serial.txt + --cert={{ mktemp.stdout }}/tls.crt + --key={{ mktemp.stdout }}/tls.key + + - name: Update router certificates secret + shell: > + {{ openshift.common.client_binary }} secret new router-certs + {{ mktemp.stdout }}/tls.crt + {{ mktemp.stdout }}/tls.key + --type=kubernetes.io/tls + --config={{ mktemp.stdout }}/admin.kubeconfig + -n default + -o json | oc replace -f - + when: l_router_dc.rc == 0 and 'router-certs' in router_secrets + + - name: Redeploy router + command: > + {{ openshift.common.client_binary }} deploy dc/router + --latest + --config={{ mktemp.stdout }}/admin.kubeconfig + -n default + + - name: Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False -- cgit v1.2.3