blob: e75e3b16fa9ef891101cc665dd356841b561ac65 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
---
- name: Retrieve list of openshift nodes matching router selector
oc_obj:
state: list
kind: node
namespace: "{{ openshift.hosted.router.namespace | default('default') }}"
selector: "{{ openshift.hosted.router.selector | default(omit) }}"
register: router_nodes
when: openshift.hosted.router.replicas | default(none) is none
- name: set_fact replicas
set_fact:
replicas: "{{ openshift.hosted.router.replicas|default(None) | get_router_replicas(router_nodes) }}"
openshift_hosted_router_selector: "{{ openshift.hosted.router.selector | default(None) }}"
openshift_hosted_router_image: "{{ openshift.hosted.router.registryurl }}"
# This is for when we desire a cluster signed cert
# The certificate is generated and placed in master_config_dir/
- block:
- name: generate a default wildcard router certificate
oc_adm_ca_server_cert:
signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
signer_key: "{{ openshift_master_config_dir }}/ca.key"
signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
hostnames:
- "{{ openshift_master_default_subdomain }}"
- "*.{{ openshift_master_default_subdomain }}"
cert: "{{ ('/etc/origin/master/' ~ (item.certificate.certfile | basename)) if 'certfile' in item.certificate else ((openshift_master_config_dir) ~ '/openshift-router.crt') }}"
key: "{{ ('/etc/origin/master/' ~ (item.certificate.keyfile | basename)) if 'keyfile' in item.certificate else ((openshift_master_config_dir) ~ '/openshift-router.key') }}"
with_items: "{{ openshift_hosted_routers }}"
- name: set the openshift_hosted_router_certificate
set_fact:
openshift_hosted_router_certificate:
certfile: "{{ openshift_master_config_dir ~ '/openshift-router.crt' }}"
keyfile: "{{ openshift_master_config_dir ~ '/openshift-router.key' }}"
cafile: "{{ openshift_master_config_dir ~ '/ca.crt' }}"
# End Block
when: openshift_hosted_router_create_certificate
- name: Get the certificate contents for router
copy:
backup: True
dest: "/etc/origin/master/{{ item | basename }}"
src: "{{ item }}"
with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificate') |
oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}"
when: not openshift_hosted_router_create_certificate
- name: Create the router service account(s)
oc_serviceaccount:
name: "{{ item.serviceaccount }}"
namespace: "{{ item.namespace }}"
state: present
with_items: "{{ openshift_hosted_routers }}"
- name: Grant the router serivce account(s) access to the appropriate scc
oc_adm_policy_user:
user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
namespace: "{{ item.namespace }}"
resource_kind: scc
resource_name: hostnetwork
with_items: "{{ openshift_hosted_routers }}"
- name: Set additional permissions for router service account
oc_adm_policy_user:
user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
namespace: "{{ item.namespace }}"
resource_kind: cluster-role
resource_name: cluster-reader
when: item.namespace == 'default'
with_items: "{{ openshift_hosted_routers }}"
- name: Create OpenShift router
oc_adm_router:
name: "{{ item.name }}"
replicas: "{{ item.replicas }}"
namespace: "{{ item.namespace | default('default') }}"
# This option is not yet implemented
# force_subdomain: "{{ openshift.hosted.router.force_subdomain | default(none) }}"
service_account: "{{ item.serviceaccount | default('router') }}"
selector: "{{ item.selector | default(none) }}"
images: "{{ item.images | default(omit) }}"
cert_file: "{{ ('/etc/origin/master/' ~ (item.certificate.certfile | basename)) if 'certfile' in item.certificate else omit }}"
key_file: "{{ ('/etc/origin/master/' ~ (item.certificate.keyfile | basename)) if 'keyfile' in item.certificate else omit }}"
cacert_file: "{{ ('/etc/origin/master/' ~ (item.certificate.cafile | basename)) if 'cafile' in item.certificate else omit }}"
edits: "{{ openshift_hosted_router_edits | union(item.edits) }}"
ports: "{{ item.ports }}"
stats_port: "{{ item.stats_port }}"
with_items: "{{ openshift_hosted_routers }}"
register: routerout
# This should probably move to module
- name: wait for deploy
pause:
seconds: 30
when: routerout.changed
- name: Ensure router replica count matches desired
oc_scale:
kind: dc
name: "{{ item.name | default('router') }}"
namespace: "{{ item.namespace | default('default') }}"
replicas: "{{ item.replicas }}"
with_items: "{{ openshift_hosted_routers }}"
|