Openshift-ansible: How to redeploy only named certificates?

Created on 4 Oct 2018 · 4 Comments · Source: openshift/openshift-ansible

Description

I use a custom named_certificate for publicMasterURL.

Ansible inventory config:

openshift_master_overwrite_named_certificates: yes

openshift_master_named_certificates:
- certfile: /opt/foobar/fullchain.pem
  keyfile: /opt/foobar/privkey.pem
  cafile: /opt/foobar/fullchain.pem

How do I redeploy the named certificate, and only the named certificate, without touching the master's internal CA certificate? This is a common use case when renewing an externally-signed wildcard certificate for publicMasterURL. Running ./playbooks/openshift-master/redeploy-certificates.yml will redeploy all of them:

https://github.com/openshift/openshift-ansible/blob/40a8fdeff01cf3bd4f670bb78934b72989259c61/playbooks/openshift-master/private/certificates.yml

Version
# ansible --version 
ansible 2.6.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

# git describe 
openshift-ansible-3.9.32-1-198-g40a8fde (latest release-3.9 branch)

All 4 comments

Have you found a solution for this?

I ended up writing a custom playbook which replaces only the certificates on the nodes.

Hey, I finally found a solution.
If you want to roll out ONLY the openshift_master_named_certificates for the API (also the web console) you can use these playbooks:

/usr/local/src/openshift-ansible/playbooks/openshift-master/certificates.yml
/usr/local/src/openshift-ansible/playbooks/openshift-master/restart.yml

It is important that you have:

openshift_master_overwrite_named_certificates=true

in your inventory and don't change the file names of the certs, because master-config.yaml will not be updated and the API container will not find the certs if they are renamed!
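
The procedure from this comment as an added pre-flight script; it is not part of this thread or of openshift-ansible. It uses the /opt/foobar/* paths from the inventory above, and assumes the inventory file path passed as the first argument and /etc/origin/master/master-config.yaml as the master config (the 3.x default, assumed here); the only openshift-ansible commands it runs are the two playbooks named in the comment.

```shell
#!/bin/sh
# Check the renewed named certificate before running ONLY certificates.yml
# and restart.yml. Assumed: inventory path (arg 1), /etc/origin/master/master-config.yaml.

# Return 0 when KEYFILE is the private key for CERTFILE and CERTFILE has not expired.
check_named_cert() {
  certfile=$1; keyfile=$2
  cert_pub=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $certfile" >&2; return 1; }
  key_pub=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $keyfile" >&2; return 1; }
  # Both commands print the SubjectPublicKeyInfo as PEM; they must be identical.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
  # -checkend 0 exits 0 only if the certificate is still valid right now.
  openssl x509 -in "$certfile" -noout -checkend 0 >/dev/null ||
    { echo "certificate has already expired" >&2; return 1; }
}

# Return 0 when master-config.yaml still references both file names: the renewed
# files must keep their names, since certificates.yml does not rewrite the config.
check_filenames_unchanged() {
  certfile=$1; keyfile=$2; master_config=$3
  for f in "$certfile" "$keyfile"; do
    grep -qF "$(basename "$f")" "$master_config" ||
      { echo "$(basename "$f") is not referenced in $master_config" >&2; return 1; }
  done
}

# Return 0 when the inventory enables overwrite_named_certificates (INI or YAML style).
check_overwrite_enabled() {
  grep -Eq '^[[:space:]]*openshift_master_overwrite_named_certificates[[:space:]]*[:=][[:space:]]*(yes|true|True)' "$1" ||
    { echo "openshift_master_overwrite_named_certificates is not enabled in $1" >&2; return 1; }
}

# Run all checks, then certificates.yml followed by restart.yml from CHECKOUT.
redeploy_named_cert() {
  inventory=$1; checkout=$2; master_config=${3:-/etc/origin/master/master-config.yaml}
  check_named_cert /opt/foobar/fullchain.pem /opt/foobar/privkey.pem || return 1
  check_filenames_unchanged /opt/foobar/fullchain.pem /opt/foobar/privkey.pem "$master_config" || return 1
  check_overwrite_enabled "$inventory" || return 1
  ansible-playbook -i "$inventory" "$checkout/playbooks/openshift-master/certificates.yml" &&
    ansible-playbook -i "$inventory" "$checkout/playbooks/openshift-master/restart.yml"
}

# Usage: sh renew-named-cert.sh /etc/ansible/hosts /usr/local/src/openshift-ansible
if [ "$#" -ge 2 ]; then
  redeploy_named_cert "$@" || exit 1
fi
```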

Awesome, I opened a documentation issue.
