blob: 9f14f2d69987639c8aed2cf053a0f149b893f93c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
---
- name: Update router certificates
hosts: oo_first_master
vars:
roles:
- lib_openshift
tasks:
- name: Create temp directory for kubeconfig
command: mktemp -d /tmp/openshift-ansible-XXXXXX
register: mktemp
changed_when: false
- name: Copy admin client config(s)
command: >
cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
changed_when: false
- name: Determine if router exists
command: >
{{ openshift.common.client_binary }} get dc/router -o json
--config={{ mktemp.stdout }}/admin.kubeconfig
-n default
register: l_router_dc
failed_when: false
changed_when: false
- set_fact:
router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
| oo_collect('name'))
| default([]) }}"
router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes']
| oo_collect('secret')
| oo_collect('secretName'))
| default([]) }}"
changed_when: false
when: l_router_dc.rc == 0
- name: Update router environment variables
shell: >
{{ openshift.common.client_binary }} env dc/router
OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
--config={{ mktemp.stdout }}/admin.kubeconfig
-n default
when: l_router_dc.rc == 0 and 'OPENSHIFT_CA_DATA' in router_env_vars and 'OPENSHIFT_CERT_DATA' in router_env_vars and 'OPENSHIFT_KEY_DATA' in router_env_vars
- block:
- name: Delete existing router certificate secret
oc_secret:
kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
name: router-certs
namespace: default
state: absent
run_once: true
- name: Remove router service annotations
command: >
{{ openshift.common.client_binary }} annotate service/router
service.alpha.openshift.io/serving-cert-secret-name-
service.alpha.openshift.io/serving-cert-signed-by-
--config={{ mktemp.stdout }}/admin.kubeconfig
-n default
- name: Add serving-cert-secret annotation to router service
command: >
{{ openshift.common.client_binary }} annotate service/router
service.alpha.openshift.io/serving-cert-secret-name=router-certs
--config={{ mktemp.stdout }}/admin.kubeconfig
-n default
when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is undefined
- block:
- assert:
that:
- "'certfile' in openshift_hosted_router_certificate"
- "'keyfile' in openshift_hosted_router_certificate"
- "'cafile' in openshift_hosted_router_certificate"
msg: |-
openshift_hosted_router_certificate has been set in the inventory but is
missing one or more required keys. Ensure that 'certfile', 'keyfile',
and 'cafile' keys have been specified for the openshift_hosted_router_certificate
inventory variable.
- name: Read router certificate and key
become: no
local_action:
module: slurp
src: "{{ item }}"
register: openshift_router_certificate_output
# Defaulting dictionary keys to none to avoid deprecation warnings
# (future fatal errors) during template evaluation. Dictionary keys
# won't be accessed unless openshift_hosted_router_certificate is
# defined and has all keys (certfile, keyfile, cafile) which we
# check above.
with_items:
- "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}"
- "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}"
- "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}"
- name: Write temporary router certificate file
copy:
content: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
mode: 0600
- name: Write temporary router key file
copy:
content: "{{ (openshift_router_certificate_output.results
| oo_collect('content', {'source':(openshift_hosted_router_certificate | default({'keyfile':none})).keyfile}))[0] | b64decode }}"
dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
mode: 0600
- name: Replace router-certs secret
shell: >
{{ openshift.common.client_binary }} secrets new router-certs
tls.crt="{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
tls.key="{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
--type=kubernetes.io/tls
--confirm
-o json | {{ openshift.common.client_binary }} replace -f -
- name: Remove temporary router certificate and key files
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
- "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is defined
- name: Redeploy router
command: >
{{ openshift.common.client_binary }} deploy dc/router
--latest
--config={{ mktemp.stdout }}/admin.kubeconfig
-n default
- name: Delete temp directory
file:
name: "{{ mktemp.stdout }}"
state: absent
changed_when: False
|