diff --git a/playbooks/openshift-node/certificates.yml b/playbooks/openshift-node/certificates.yml
deleted file mode 100644
index 7ae87c09af8..00000000000
--- a/playbooks/openshift-node/certificates.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- import_playbook: ../init/main.yml
-
-- import_playbook: private/certificates.yml
diff --git a/playbooks/openshift-node/private/certificates-backup.yml b/playbooks/openshift-node/private/certificates-backup.yml
deleted file mode 100644
index 2ad84b3b99e..00000000000
--- a/playbooks/openshift-node/private/certificates-backup.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: Ensure node directory is absent from generated configs
- hosts: oo_first_master
- tasks:
- # The generated configs directory (/etc/origin/generated-configs) is
- # backed up during redeployment of the control plane certificates.
- # We need to ensure that the generated config directory for
- # individual nodes has been deleted before continuing, so verify
- # that it is missing here.
- - name: Ensure node directories and tarballs are absent from generated configs
- shell: >
- rm -rf {{ openshift.common.config_base }}/generated-configs/node-*
- args:
- warn: no
-
-- name: Redeploy node certificates
- hosts: oo_nodes_to_config
- pre_tasks:
- - name: Remove CA certificate
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- "{{ openshift.common.config_base }}/node/ca.crt"
diff --git a/playbooks/openshift-node/private/certificates.yml b/playbooks/openshift-node/private/certificates.yml
deleted file mode 100644
index 5bf3665083e..00000000000
--- a/playbooks/openshift-node/private/certificates.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Create OpenShift certificates for node hosts
- hosts: oo_nodes_to_config
- gather_facts: no
- roles:
- - role: openshift_node_certificates
diff --git a/playbooks/openshift-node/private/redeploy-certificates.yml b/playbooks/openshift-node/private/redeploy-certificates.yml
deleted file mode 100644
index c0f75ae80d9..00000000000
--- a/playbooks/openshift-node/private/redeploy-certificates.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- import_playbook: certificates-backup.yml
-
-- import_playbook: certificates.yml
- vars:
- openshift_certificates_redeploy: true
diff --git a/playbooks/openshift-node/redeploy-certificates.yml b/playbooks/openshift-node/redeploy-certificates.yml
deleted file mode 100644
index cdf816fbf64..00000000000
--- a/playbooks/openshift-node/redeploy-certificates.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- import_playbook: ../init/main.yml
-
-- import_playbook: private/redeploy-certificates.yml
-
-- import_playbook: private/restart.yml
- vars:
- openshift_node_restart_docker_required: False
diff --git a/playbooks/redeploy-certificates.yml b/playbooks/redeploy-certificates.yml
index 658c7ef2aaf..bba9d9f4c78 100644
--- a/playbooks/redeploy-certificates.yml
+++ b/playbooks/redeploy-certificates.yml
@@ -5,8 +5,6 @@
- import_playbook: openshift-master/private/redeploy-certificates.yml -- import_playbook: openshift-node/private/redeploy-certificates.yml - - import_playbook: openshift-etcd/private/restart.yml vars: g_etcd_certificates_expired: "{{ ('expired' in (hostvars | lib_utils_oo_select_keys(groups['etcd']) | lib_utils_oo_collect('check_results.check_results.etcd') | lib_utils_oo_collect('health'))) | bool }}"
diff --git a/roles/openshift_node_certificates/OWNERS b/roles/openshift_node_certificates/OWNERS
deleted file mode 100644
index e2d568233e9..00000000000
--- a/roles/openshift_node_certificates/OWNERS
+++ /dev/null
@@ -1,14 +0,0 @@
-# approval == this is a good idea /approve
-approvers:
- - abutcher
- - michaelgugino
- - mtnbikenc
- - sdodson
- - vrutkovs
-# review == this code is good /lgtm
-reviewers:
- - abutcher
- - michaelgugino
- - mtnbikenc
- - sdodson
- - vrutkovs
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
deleted file mode 100644
index 6aa090cc8ef..00000000000
--- a/roles/openshift_node_certificates/README.md
+++ /dev/null
@@ -1,52 +0,0 @@
-OpenShift Node Certificates
-===========================
-
-This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
-
-Requirements
------------
-
-* Ansible 2.2
-
-Role Variables
--------------
-
-From `openshift_ca`:
-
-| Name | Default value | Description |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-
-From this role:
-
-| Name | Default value | Description |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. |
-| openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
-| openshift_node_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
-| openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. |
-| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. |
-
-Dependencies
------------
-
-* openshift_ca
-
-Example Playbook
----------------
-
-```
-- name: Create OpenShift Node Certificates
- hosts: nodes
- roles:
- - role: openshift_node_certificates
-```
-
-License
------
-
-Apache License Version 2.0
-
-Author Information
-----------------
-
-Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_node_certificates/defaults/main.yml b/roles/openshift_node_certificates/defaults/main.yml
deleted file mode 100644
index 64bc2f45c05..00000000000
--- a/roles/openshift_node_certificates/defaults/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-openshift_node_cert_expire_days: 730
-
-openshift_docker_service_name: "docker"
diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml
deleted file mode 100644
index 3531e30b80f..00000000000
--- a/roles/openshift_node_certificates/handlers/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: update ca trust
- command: update-ca-trust
- notify:
- - check for container runtime after updating ca trust
-
-- name: check for container runtime after updating ca trust
- command: >
- systemctl -q is-active {{ openshift_docker_service_name }}.service
- register: l_docker_installed
- # An rc of 0 indicates that the container runtime service is
- # running. We will restart it by notifying the restart handler since
- # we have updated the system CA trust.
- changed_when: l_docker_installed.rc == 0
- failed_when: false
- notify:
- - restart container runtime after updating ca trust
-
-- name: restart container runtime after updating ca trust
- systemd:
- name: "{{ openshift_docker_service_name }}"
- state: restarted
- when: not openshift_certificates_redeploy | default(false) | bool
- register: l_docker_restart_docker_in_cert_result
- until: not (l_docker_restart_docker_in_cert_result is failed)
- retries: 3
- delay: 30
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
deleted file mode 100644
index 3afab0ec975..00000000000
--- a/roles/openshift_node_certificates/meta/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-galaxy_info:
- author: Jason DeTiberus
- description: OpenShift Node Certificates
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.2
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - cloud
- - system
-dependencies:
-- role: lib_utils
-- role: openshift_facts
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
deleted file mode 100644
index 25ea2c1aaa4..00000000000
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ /dev/null
@@ -1,151 +0,0 @@
----
-- name: Ensure CA certificate exists on openshift_ca_host
- stat:
- path: "{{ openshift_ca_cert }}"
- get_checksum: false
- get_attributes: false
- get_mime: false
- register: g_ca_cert_stat_result
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- fail:
- msg: >
- CA certificate {{ openshift_ca_cert }} doesn't exist on CA host
- {{ openshift_ca_host }}. Apply 'openshift_ca' role to
- {{ openshift_ca_host }}.
- when: not g_ca_cert_stat_result.stat.exists | bool
- run_once: true
-
-- name: Check status of node certificates
- stat:
- path: "{{ openshift.common.config_base }}/node/{{ item }}"
- get_checksum: false
- get_attributes: false
- get_mime: false
- with_items:
- - "system:node:{{ openshift.common.hostname | lower }}.crt"
- - "system:node:{{ openshift.common.hostname | lower }}.key"
- - "system:node:{{ openshift.common.hostname | lower }}.kubeconfig"
- - ca.crt
- - server.key
- - server.crt
- register: g_node_cert_stat_result
- when: not openshift_certificates_redeploy | default(false) | bool
-
-- set_fact:
- node_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool
- else (False in (g_node_cert_stat_result.results
- | default({})
- | lib_utils_oo_collect(attribute='stat.exists')
- | list)) }}"
-
-- name: Create openshift_generated_configs_dir if it does not exist
- file:
- path: "{{ openshift_generated_configs_dir }}"
- state: directory
- mode: 0700
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- find:
- paths: "{{ openshift.common.config_base }}/master/legacy-ca/"
- patterns: ".*-ca.crt"
- use_regex: true
- register: g_master_legacy_ca_result
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Generate the node client config
- command: >
- {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm create-api-client-config
- {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | lib_utils_oo_collect('cafile') %}
- --certificate-authority {{ named_ca_certificate }}
- {% endfor %}
- {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
- --certificate-authority {{ legacy_ca_certificate }}
- {% endfor %}
- --certificate-authority={{ openshift_ca_cert }}
- --client-dir={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}
- --groups=system:nodes
- --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
- --signer-cert={{ openshift_ca_cert }}
- --signer-key={{ openshift_ca_key }}
- --signer-serial={{ openshift_ca_serial }}
- --user=system:node:{{ hostvars[item].openshift.common.hostname | lower }}
- --expire-days={{ openshift_node_cert_expire_days }}
- args:
- creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}"
- with_items: "{{ hostvars
- | lib_utils_oo_select_keys(groups['oo_nodes_to_config'])
- | lib_utils_oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- name: Generate the node server certificate
- command: >
- {{ hostvars[openshift_ca_host]['first_master_client_binary'] }} adm ca create-server-cert
- --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}/server.crt
- --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}/server.key
- --expire-days={{ openshift_node_cert_expire_days }}
- --overwrite=true
- --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.hostname | lower }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.public_hostname | lower }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
- --signer-cert={{ openshift_ca_cert }}
- --signer-key={{ openshift_ca_key }}
- --signer-serial={{ openshift_ca_serial }}
- args:
- creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname | lower }}/server.crt"
- with_items: "{{ hostvars
- | lib_utils_oo_select_keys(groups['oo_nodes_to_config'])
- | lib_utils_oo_collect(attribute='inventory_hostname', filters={'node_certs_missing':True}) }}"
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
-
-- name: Create a tarball of the node config directories
- command: >
- tar -czvf {{ openshift_node_generated_config_dir }}.tgz
- --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
- -C {{ openshift_node_generated_config_dir }} .
- args:
- creates: "{{ openshift_node_generated_config_dir }}.tgz"
- # Disables the following warning:
- # Consider using unarchive module rather than running tar
- warn: no
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the node config tarballs from the master
- fetch:
- src: "{{ openshift_node_generated_config_dir }}.tgz"
- dest: "/tmp"
- fail_on_missing: yes
- validate_checksum: yes
- when: node_certs_missing | bool
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ openshift_node_cert_dir }}"
- state: directory
- when: node_certs_missing | bool
-
-- name: Unarchive the tarball on the node
- unarchive:
- src: "/tmp/{{ inventory_hostname }}/{{ openshift_node_generated_config_dir }}.tgz"
- dest: "{{ openshift_node_cert_dir }}"
- when: node_certs_missing | bool
-
-- name: Delete local temp directory
- local_action: file path="/tmp/{{ inventory_hostname }}" state=absent
- changed_when: False
- when: node_certs_missing | bool
-
-- name: Copy OpenShift CA to system CA trust
- copy:
- src: "{{ item.cert }}"
- dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
- remote_src: yes
- with_items:
- - id: openshift
- cert: "{{ openshift_node_cert_dir }}/ca.crt"
- notify:
- update ca trust
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
deleted file mode 100644
index 12a6d3f940d..00000000000
--- a/roles/openshift_node_certificates/vars/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_cert_subdir: "node-{{ openshift.common.hostname | lower }}"
-openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
-
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"