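---
# Per-host scratch directory. Its path (certtemp.stdout) is reused by the
# fetch/copy tasks below, both as a remote path and as the controller-side
# fetch destination, so the command must print exactly one line.
- name: Make temp cert dir
  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
  register: certtemp
  changed_when: false

# The aggregator signer (front-proxy CA) lives on the first master only;
# the other masters copy it from there further down.
- name: Check for First Master Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: first_proxy_ca_crt
  changed_when: false
  delegate_to: "{{ groups.oo_first_master.0 }}"

# Stat the key file, not the cert: this registered variable is what gates
# signer generation, and checking front-proxy-ca.crt here meant a missing
# key was never detected while the cert was present.
- name: Check for First Master Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.key
  register: first_proxy_ca_key
  changed_when: false
  delegate_to: "{{ groups.oo_first_master.0 }}"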
# TODO: this currently has a bug where hostnames are required
# Generate the aggregator signer CA on the first master, but only when
# neither half of the pair is present. NOTE(review): a cert present with
# its key missing (or the reverse) does not trigger regeneration here —
# confirm that is the intended behaviour.
- name: Creating First Master Aggregator signer certs
  delegate_to: "{{ groups.oo_first_master.0 }}"
  command: >
    {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm ca create-signer-cert
    --cert=/etc/origin/master/front-proxy-ca.crt
    --key=/etc/origin/master/front-proxy-ca.key
    --serial=/etc/origin/master/ca.serial.txt
  when: not first_proxy_ca_crt.stat.exists and not first_proxy_ca_key.stat.exists
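# Same pair of checks as above, but on the host being configured; these
# decide whether the signer pair has to be copied over from the first master.
- name: Check for Aggregator Signer cert
  stat:
    path: /etc/origin/master/front-proxy-ca.crt
  register: proxy_ca_crt
  changed_when: false

# Stat the key file, not the cert: with front-proxy-ca.crt here a host that
# had the cert but not the key would never receive the key.
- name: Check for Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.key
  register: proxy_ca_key
  changed_when: false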
# Pull the signer pair off the first master. fetch writes to the controller,
# so the CA private key is staged under certtemp.stdout on the Ansible host
# before being pushed to this master in the next task.
- name: Copy Aggregator Signer certs from first master
  delegate_to: "{{ groups.oo_first_master.0 }}"
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: true
  with_items:
    - front-proxy-ca.crt
    - front-proxy-ca.key
  when: not proxy_ca_key.stat.exists and not proxy_ca_crt.stat.exists
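# Install the staged signer pair on this master. Without an explicit mode
# the copy module creates the file with the system umask default, which
# would leave the CA private key readable by other users; the cert is
# public and keeps the usual 0644.
- name: Copy Aggregator Signer certs to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
    mode: "{{ '0600' if item.endswith('.key') else '0644' }}"
  with_items:
    - front-proxy-ca.crt
    - front-proxy-ca.key
  when:
    - not proxy_ca_key.stat.exists
    - not proxy_ca_crt.stat.exists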
# oc_adm_ca_server_cert:
# cert: /etc/origin/master/front-proxy-ca.crt
# key: /etc/origin/master/front-proxy-ca.key
# Presence of the kubeconfig on the first master is the signal that the
# aggregator client identity has already been created; run_once makes the
# result available to every host in the play.
- name: Check for first master api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: first_front_proxy_kubeconfig
  delegate_to: "{{ groups.oo_first_master.0 }}"
  run_once: true
# create-api-client-config generates a ca.crt file which will
# overwrite the OpenShift CA certificate. Generate the aggregator
# kubeconfig in a temporary directory and then copy files into the
# master config dir to avoid overwriting ca.crt.
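- block:
    # Issue the aggregator-front-proxy client cert/key/kubeconfig into the
    # temp dir. NOTE(review): certtemp.stdout is the temp path created on the
    # host this run_once task is evaluated for, while the command executes on
    # the first master — this assumes that directory exists there; confirm.
    - name: Create first master api-client config for Aggregator
      command: >
        {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm create-api-client-config
        --certificate-authority=/etc/origin/master/front-proxy-ca.crt
        --signer-cert=/etc/origin/master/front-proxy-ca.crt
        --signer-key=/etc/origin/master/front-proxy-ca.key
        --user aggregator-front-proxy
        --client-dir={{ certtemp.stdout }}
        --signer-serial=/etc/origin/master/ca.serial.txt
      delegate_to: "{{ groups.oo_first_master.0 }}"
      run_once: true

    # Move only the three aggregator files into the master config dir (the
    # generated ca.crt stays behind, see the comment above the block). The
    # mode is set explicitly so the result does not depend on how the copy
    # module handles remote_src: the key, and the kubeconfig that embeds it,
    # are owner-only; the cert is public.
    - name: Copy first master api-client config for Aggregator
      copy:
        src: "{{ certtemp.stdout }}/{{ item }}"
        dest: "/etc/origin/master/"
        remote_src: true
        mode: "{{ '0644' if item.endswith('.crt') else '0600' }}"
      with_items:
        - aggregator-front-proxy.crt
        - aggregator-front-proxy.key
        - aggregator-front-proxy.kubeconfig
      delegate_to: "{{ groups.oo_first_master.0 }}"
      run_once: true
  when:
    - not first_front_proxy_kubeconfig.stat.exists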
# Per-host check; decides whether the aggregator client identity has to be
# copied from the first master to this master.
- name: Check for api-client config
  stat:
    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
  register: front_proxy_kubeconfig
# Stage the aggregator client identity on the controller (fetch dest is
# local to the Ansible host) for the push in the next task. The private
# key and the kubeconfig embedding it pass through certtemp.stdout there.
- name: Copy api-client config from first master
  delegate_to: "{{ groups.oo_first_master.0 }}"
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: true
  with_items:
    - aggregator-front-proxy.crt
    - aggregator-front-proxy.key
    - aggregator-front-proxy.kubeconfig
  when: not front_proxy_kubeconfig.stat.exists
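# Install the aggregator client identity on this master. Without an
# explicit mode the copy module falls back to the system umask default;
# the client key and the kubeconfig carrying it must be owner-only, the
# cert is public.
- name: Copy api-client config to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
    mode: "{{ '0644' if item.endswith('.crt') else '0600' }}"
  with_items:
    - aggregator-front-proxy.crt
    - aggregator-front-proxy.key
    - aggregator-front-proxy.kubeconfig
  when:
    - not front_proxy_kubeconfig.stat.exists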
# Console extension script referenced from assetConfig.extensionScripts in
# the master config edit below; src is resolved from the role's files/.
- name: copy tech preview extension file for service console UI
  copy:
    src: openshift-ansible-catalog-console.js
    dest: /etc/origin/master/openshift-ansible-catalog-console.js
# Wire the aggregator into master-config.yaml. The requestHeader entries are
# the trust boundary of the aggregation layer: identity headers
# (X-Remote-User/-Group/-Extra-) are honoured only for clients whose cert
# chains to front-proxy-ca.crt and whose CN is listed in clientCommonNames,
# so these values must match the signer and client cert created above.
# File names are given relative to the master config directory.
# yedit_output.changed drives the restarts that follow.
- name: Update master config
  yedit:
    state: present
    src: /etc/origin/master/master-config.yaml
    edits:
      # Client cert the API server presents when calling aggregated APIs.
      - key: aggregatorConfig.proxyClientInfo.certFile
        value: aggregator-front-proxy.crt
      - key: aggregatorConfig.proxyClientInfo.keyFile
        value: aggregator-front-proxy.key
      # CA + CN allow-list for trusting request-header authentication.
      - key: authConfig.requestHeader.clientCA
        value: front-proxy-ca.crt
      - key: authConfig.requestHeader.clientCommonNames
        value: [aggregator-front-proxy]
      - key: authConfig.requestHeader.usernameHeaders
        value: [X-Remote-User]
      - key: authConfig.requestHeader.groupHeaders
        value: [X-Remote-Group]
      - key: authConfig.requestHeader.extraHeaderPrefixes
        value: [X-Remote-Extra-]
      - key: assetConfig.extensionScripts
        value: [/etc/origin/master/openshift-ansible-catalog-console.js]
      # Enables the alpha settings API (PodPreset) and its admission plugin.
      - key: kubernetesMasterConfig.apiServerArguments.runtime-config
        value: [apis/settings.k8s.io/v1alpha1=true]
      - key: admissionConfig.pluginConfig.PodPreset.configuration.kind
        value: DefaultAdmissionConfig
      - key: admissionConfig.pluginConfig.PodPreset.configuration.apiVersion
        value: v1
      - key: admissionConfig.pluginConfig.PodPreset.configuration.disable
        value: false
  register: yedit_output
#restart master serially here
# Restart the API first, then the controllers; both only when the config
# edit above changed something and the cluster runs the native HA method.
- name: restart master api
  systemd:
    name: "{{ openshift.common.service_type }}-master-api"
    state: restarted
  when:
    - yedit_output.changed
    - openshift.master.cluster_method == 'native'

# We retry the controllers because the API may not be 100% initialized yet.
- name: restart master controllers
  command: "systemctl restart {{ openshift.common.service_type }}-master-controllers"
  register: result
  until: result.rc == 0
  retries: 3
  delay: 5
  when:
    - yedit_output.changed
    - openshift.master.cluster_method == 'native'
# Wait for the restarted API to report ready before moving on. The probe
# pins TLS 1.2 and verifies the server against the cluster CA bundle (or
# the single CA file on older releases), so it is a verified connection
# rather than a bare port check.
- name: Verify API Server
  # Using curl here since the uri module requires python-httplib2 and
  # wait_for port doesn't provide health information.
  command: >
    curl --silent --tlsv1.2
    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
    {% else %}
    --cacert {{ openshift.common.config_base }}/master/ca.crt
    {% endif %}
    {{ openshift.master.api_url }}/healthz/ready
  args:
    # Disables the following warning:
    # Consider using get_url or uri module rather than running curl
    warn: false
  register: api_available_output
  until: api_available_output.stdout == 'ok'
  retries: 120
  delay: 1
  changed_when: false
  when: yedit_output.changed
# Remove the per-host scratch directory on the target. NOTE(review): this
# task runs on the target only; the fetch tasks above wrote the private keys
# and kubeconfig to the same path on the controller, and nothing here
# removes those copies — consider a matching cleanup delegated to localhost.
- name: Delete temp directory
  file:
    name: "{{ certtemp.stdout }}"
    state: absent
  changed_when: False