[upgrade] Create/configure service signer cert when missing.

abutcher committed Sep 13, 2016
1 parent e1ce7d7 commit 3e5d38caf39d53c917a78542a04ebb6a109e7e6f
@@ -0,0 +1,69 @@
---
- name: Create local temp directory for syncing certs
hosts: localhost
connection: local
become: no
gather_facts: no
tasks:
- name: Create local temp directory for syncing certs
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
register: local_cert_sync_tmpdir
changed_when: false
- name: Create service signer certificate
hosts: oo_first_master
tasks:
- name: Create remote temp directory for creating certs
command: mktemp -d /tmp/openshift-ansible-XXXXXXX
register: remote_cert_create_tmpdir
changed_when: false
- name: Create service signer certificate
command: >
{{ openshift.common.admin_binary }} ca create-signer-cert
--cert=service-signer.crt
--key=service-signer.key
--name=openshift-service-serving-signer
--serial=service-signer.serial.txt
args:
chdir: "{{ remote_cert_create_tmpdir.stdout }}/"
- name: Retrieve service signer certificate
fetch:
src: "{{ remote_cert_create_tmpdir.stdout }}/{{ item }}"
dest: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/"
flat: yes
fail_on_missing: yes
validate_checksum: yes
with_items:
- "service-signer.crt"
- "service-signer.key"
- name: Delete remote temp directory
file:
name: "{{ remote_cert_create_tmpdir.stdout }}"
state: absent
changed_when: false
- name: Deploy service signer certificate
hosts: oo_masters_to_config
tasks:
- name: Deploy service signer certificate
copy:
src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item }}"
dest: "{{ openshift.common.config_base }}/master/"
with_items:
- "service-signer.crt"
- "service-signer.key"
- name: Delete local temp directory
hosts: localhost
connection: local
become: no
gather_facts: no
tasks:
- name: Delete local temp directory
file:
name: "{{ local_cert_sync_tmpdir.stdout }}"
state: absent
changed_when: false
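Review bot: The "Deploy service signer certificate" copy task at the end of the new file sets no `mode`, `owner` or `group`, so the permissions of service-signer.key on every master are whatever the copy module produces after the fetch-to-controller / copy-to-master round trip, not the restrictive mode `ca create-signer-cert` presumably wrote it with. This is the CA key that signs every service serving certificate in the cluster, so I would pin the mode per item and match the ownership of the rest of `{{ openshift.common.config_base }}/master/` (root, if that is what the existing config files use). Note also that the same key sits unencrypted in the controller's /tmp between the fetch and the final "Delete local temp directory" play, and that play is never reached if the deploy play fails, so a comment warning operators about the leftover directory on failure would be worth adding.
```yaml
- name: Deploy service signer certificate
  copy:
    src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item.name }}"
    dest: "{{ openshift.common.config_base }}/master/{{ item.name }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  with_items:
    - { name: service-signer.crt, mode: "0644" }
    - { name: service-signer.key, mode: "0600" }
```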
@@ -34,7 +34,7 @@
###############################################################################
# Upgrade Masters
###############################################################################
- name: Upgrade master
- name: Upgrade master packages
hosts: oo_masters_to_config
handlers:
- include: ../../../../roles/openshift_master/handlers/main.yml
@@ -45,6 +45,28 @@
- include: rpm_upgrade.yml component=master
when: not openshift.common.is_containerized | bool
- name: Determine if service signer cert must be created
hosts: oo_first_master
tasks:
- name: Determine if service signer certificate must be created
stat:
path: "{{ openshift.common.config_base }}/master/service-signer.crt"
register: service_signer_cert_stat
changed_when: false
# Create service signer cert when missing. Service signer certificate
# is added to master config in the master config hook for v3_3.
- include: create_service_signer_cert.yml
when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
- name: Upgrade master config and systemd units
hosts: oo_masters_to_config
handlers:
- include: ../../../../roles/openshift_master/handlers/main.yml
static: yes
roles:
- openshift_facts
tasks:
- include: "{{ master_config_hook }}"
when: master_config_hook is defined
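Review bot: The `when` on the `create_service_signer_cert.yml` include tests only whether service-signer.crt exists on the first master, so any other host in oo_masters_to_config that lacks the files (a master added after an earlier partial run, for instance) never receives them, yet the config hook that runs right after points its master-config.yaml at them. The stat also ignores service-signer.key, so a cert whose key is missing passes the check and the signer is never regenerated. I would stat both names, `with_items: [service-signer.crt, service-signer.key]`, and make the include condition require `stat.exists` on every result, or alternatively give the deploy play its own per-host existence check so it is idempotent regardless of the first master's state. The "Upgrade master config and systemd units" play continues past the end of this hunk.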
@@ -38,3 +38,13 @@
dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.qps'
yaml_value: 300
- modify_yaml:
dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
yaml_key: 'controllerConfig.servicesServingCert.signer.certFile'

@dlbewley

dlbewley Oct 13, 2017

Contributor

Should this be serviceServingCert ? @abutcher


@abutcher

abutcher Oct 13, 2017

Member

@dlbewley Yeah, looks like we updated this here #4201 for 1.3 although the typo still exists in the v3_3 upgrade file in subsequent branches.


@abutcher

abutcher Oct 13, 2017

Member

I'm going to add a task to the other branches which corrects the typo.


@dlbewley

dlbewley Oct 13, 2017

Contributor

This causes upgrades of metrics in OCP 3.6 to fail. https://bugzilla.redhat.com/show_bug.cgi?id=1500981


yaml_value: service-signer.crt
- modify_yaml:
dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile'
yaml_value: service-signer.key
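Review bot: The two new `modify_yaml` tasks set the signer `certFile` and `keyFile` unconditionally, so a signer path an operator had already configured in master-config.yaml is silently replaced by the relative `service-signer.crt` / `service-signer.key` names, and nothing in the hook checks that those files are actually present on the master being configured before the config is pointed at them (the play that creates them is gated on the first master only). I would precede these tasks with a `stat` of `{{ openshift.common.config_base }}/master/service-signer.key` and a `fail` carrying a clear message when `stat.exists` is false, so a master with a dangling reference is caught during the upgrade instead of when its controllers restart. A one-line comment above the tasks stating that any existing signer setting is overwritten would also help whoever reads this hook next.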

0 comments on commit 3e5d38c

Please sign in to comment.