Addition of Neustar DNS provisioning and wildcard certificate provisi…

…oning (#157) * Reference playbook in openshift-tooling repo to setup cluster DNS records * Test removing post-deployment registry cert tasks * Removal of certbot as a tool to request Let's Encrypt certificates * Tidy up post-deployment certificate tasks and split acme.sh into individual playbook * Remove unnecessary condition since getCertificates is a boolean * Remove unnecessary conditions from boolean variables * Addition of playbook to replace certificates used within cluster as part of acme.sh post-renew hook * Change task name for clarity * Change delegate_to tasks to loopback IP as opposed to hostname * Remove * from directory name * Remove * from directory name
UKCloud · Nov 27, 2019 · fe4a7b7 · fe4a7b7
1 parent 4c82295
commit fe4a7b7
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 139 deletions.
diff --git a/certbot.yml b/certbot.yml
diff --git a/dns.yml b/dns.yml
@@ -1,3 +1,6 @@
 - hosts: dns, dns_net2
   roles:
     - dns
+
+- name: Create external DNS records for cluster
+  import_playbook: /home/cloud-user/openshift-tooling/neustar-ultradns/deployment.yml
diff --git a/replace_certificates.yml b/replace_certificates.yml
@@ -0,0 +1,46 @@
+---
+- import_playbook: /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-certificates.yml
+
+- import_playbook: /usr/share/ansible/openshift-ansible/playbooks/openshift-hosted/redeploy-router-certificates.yml
+
+- hosts: masters[0]
+
+  vars:
+    certificate: "{{ lookup('file', '/home/cloud-user/' + domainSuffix + '/fullchain.pem').split('\n') }}"
+    key: "{{ lookup('file', '/home/cloud-user/' + domainSuffix + '/privkey.pem').split('\n') }}"
+
+  tasks:
+    - name: Setup default router environment
+      command: /usr/local/bin/oc set env dc/router {{ item }} -n default
+      with_items:
+        - ROUTER_USE_PROXY_PROTOCOL=true
+        - ROUTER_LOG_LEVEL=debug
+
+    - name: Patch syslog pod into router deployment
+      command: /usr/local/bin/oc patch dc/router -p '{"spec":{"template":{"spec":{"containers":[{"name":"router","env":[{"name":"ROUTER_SYSLOG_ADDRESS","value":"/var/lib/rsyslog/rsyslog.sock"}],"volumeMounts":[{"mountPath":"/var/lib/rsyslog","name":"rsyslog-socket"}]},{"name":"syslog","command":["/sbin/rsyslogd","-n","-i","/tmp/rsyslog.pid","-f","/etc/rsyslog/rsyslog.conf"],"image":"registry.redhat.io/openshift3/ose-haproxy-router:v3.11","imagePullPolicy":"IfNotPresent","resources":{"requests":{"cpu":"50m","memory":"256Mi"}},"volumeMounts":[{"mountPath":"/etc/rsyslog","name":"rsyslog-config"},{"mountPath":"/var/lib/rsyslog","name":"rsyslog-socket"}]}],"volumes":[{"configMap":{"name":"rsyslog-config"},"name":"rsyslog-config"},{"emptyDir":{},"name":"rsyslog-socket"}]}}}}' -n default
+
+    - name: Create registry console cert
+      shell: cat fullchain.pem privkey.pem > registry.cert
+      args:
+        chdir: "/home/cloud-user/{{ domainSuffix }}"
+      delegate_to: 127.0.0.1
+      run_once: yes
+
+    - name: Move registry.cert across to masters[0]
+      copy:
+        src: /home/cloud-user/{{ domainSuffix }}/registry.cert
+        dest: /home/cloud-user/registry.cert
+        owner: cloud-user
+        mode: 0644
+
+    - name: Delete registry cert secret
+      command: /usr/local/bin/oc delete secret console-secret -n default
+
+    - name: Create registry cert secret
+      command: /usr/local/bin/oc secrets new console-secret /home/cloud-user/registry.cert -n default
+
+    - name: Rollout deployment
+      command: /usr/local/bin/oc rollout latest dc/registry-console -n default
+
+    - name: Patch docker-registry
+      command: /usr/local/bin/oc patch route docker-registry -p '{"spec":{"tls":{"certificate":"'"{{ certificate | join("\n") }}"'","key":"'"{{ key | join("\n") }}"'"}}}' -n default
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
diff --git a/roles/openshiftpostdeployment/tasks/main.yml b/roles/openshiftpostdeployment/tasks/main.yml
@@ -21,7 +21,7 @@
     - openshift-infra
     - kube-system
     - openshift
-  when: installLogging == True
+  when: installLogging
 
 - name: Label privileged namespaces
   command: /usr/local/bin/oc label namespace {{ item }} state=privileged
@@ -46,24 +46,28 @@
   with_items: "{{ netpol_projects.stdout_lines }}"
 
 - name: Create registry.cert file
-  local_action: shell cd /home/cloud-user/ocp.{{ domainSuffix }} ; cat fullchain1.pem privkey1.pem > registry.cert
-  when: getCertificates == True
+  shell: cat fullchain.pem privkey.pem > registry.cert
+  args:
+    chdir: "/home/cloud-user/{{ domainSuffix }}"
+  delegate_to: 127.0.0.1
+  run_once: yes
+  when: getCertificates
 
 - name: Move registry.cert across to masters[0]
   copy:
-    src: /home/cloud-user/ocp.{{ domainSuffix }}/registry.cert
+    src: /home/cloud-user/{{ domainSuffix }}/registry.cert
     dest: /home/cloud-user/registry.cert
     owner: cloud-user
     mode: 0644 
-  when: getCertificates == True 
+  when: getCertificates
 
 - name: Create registry cert secret
   command: /usr/local/bin/oc secrets new console-secret /home/cloud-user/registry.cert -n default
-  when: getCertificates == True
+  when: getCertificates
 
 - name: Mount secret to registry console container and trigger new deploy
   command: /usr/local/bin/oc set volume dc/registry-console --add --type=secret --secret-name=console-secret -m /etc/cockpit/ws-certs.d -n default
-  when: getCertificates == True
+  when: getCertificates
 
 - name: Create 'monitoring' serviceaccount for monitoring use
   command: /usr/local/bin/oc create serviceaccount monitoring -n openshift-infra
@@ -74,32 +78,6 @@
 - name: Patch nodeSelector into metrics-server deployment
   command: /usr/local/bin/oc patch deployment.apps/metrics-server -p '{"spec":{"template":{"spec":{"nodeSelector":{"infra":"'"true"'"}}}}}' -n openshift-metrics-server
 
-- name: read fullchain cert into var
-  shell: /usr/bin/awk '{printf "%s\n", $0}'  /etc/origin/master/named_certificates/fullchain1.pem
-  register: fullchain
-  when: getCertificates == True
-
-- name: read private key into var
-  shell: /usr/bin/awk '{printf "%s\n", $0}'  /etc/origin/master/named_certificates/privkey1.pem
-  register: privkey
-  when: getCertificates == True
-
-- name: Patch routes for updated hostnames and certs
-  vars:
-    contents: "{{ lookup('file', '/home/cloud-user/ocp.{{ domainSuffix }}/fullchain1.pem') }}"
-  command: /usr/local/bin/oc patch route {{ item.service }} -p '{"spec":{"host":"{{ item.hostname }}.{{ domainSuffix }}","tls":{"certificate":"'"{{ fullchain.stdout_lines | join("\n") }}"'","key":"'"{{ privkey.stdout_lines | join("\n") }}"'"}}}' -n {{ item.namespace }}
-  loop:
-    - service: "alertmanager-main"
-      namespace: "openshift-monitoring"
-      hostname: "alertmanager"
-    - service: "grafana"
-      namespace: "openshift-monitoring"
-      hostname: "grafana"
-    - service: "prometheus-k8s"
-      namespace: "openshift-monitoring"
-      hostname: "prometheus"
-  when: getCertificates == True
-
 - include_tasks: routers.yml
 
 - include_tasks: squid-whitelist.yml

diff --git a/site.yml b/site.yml
@@ -1,8 +1,9 @@
 - import_playbook: upgrade_and_reboot_servers.yml
 - import_playbook: loadbalancers.yml
 - import_playbook: dns.yml
+- import_playbook: /home/cloud-user/openshift-tooling/acme.sh/deployment.yml
+  when: getCertificates
 - import_playbook: all_servers.yml
-- import_playbook: certbot.yml
 - import_playbook: openshift.yml
 - import_playbook: backup.yml
 - import_playbook: upgrade_bastion.yml