
---
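- name: register undercloud public endpoint
  # Read-only lookup of the undercloud's HTTPS keystone endpoint (public
  # identity port 13000) from the service catalog. grep exits 1 when no
  # https entry is present, so the task (and the play) fails here: every
  # task below assumes an SSL-enabled undercloud.
  shell: |
    source {{ undercloud_rc }}
    openstack catalog list | grep -Po 'https.*13000'
  args:
    # 'source' is a bash builtin, not POSIX sh; don't rely on /bin/sh being bash.
    executable: /bin/bash
  register: keystone_endpoint
  # A catalog query modifies nothing; don't report it as a change.
  changed_when: false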
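- name: register first controller ip address
  # First IP of the first server whose name contains "controller" or "ctrl";
  # it is the host the TLS-trust probe below is run from.
  shell: |
    source {{ undercloud_rc }}
    openstack server list -f json | jq -r -c '.[] | select(.Name | contains("controller","ctrl")) | .Networks' | grep -oP '[0-9.]+' | head -1
  args:
    executable: /bin/bash
  register: ctrl_ip
  changed_when: false
  # 'head -1' makes the pipeline exit 0 even when nothing matched; an empty
  # result would otherwise turn into an 'ssh user@' probe that fails for the
  # wrong reason and silently triggers the certificate rollout below.
  failed_when: ctrl_ip.stdout | length == 0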
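- name: test undercloud keystone reachability
  # Probe from the controller: can it reach the undercloud's keystone over
  # HTTPS? curl runs without --fail, so only connection/TLS-level errors
  # (a non-zero curl exit) mark this task failed; HTTP status codes are not
  # checked. ignore_errors keeps the play going; the block below keys off
  # the registered result.
  # NOTE(review): StrictHostKeyChecking=no accepts unknown and changed host
  # keys, so this probe trusts whatever answers at ctrl_ip on the
  # provisioning network; prefer the undercloud's existing known_hosts.
  vars:
    oc_user: "{{ (overcloud_ssh_user == '') | ternary('heat-admin', overcloud_ssh_user) }}"
  shell: |
    ssh -q -o StrictHostKeyChecking=no {{ oc_user }}@{{ ctrl_ip.stdout }} curl --silent {{ keystone_endpoint.stdout }}
  register: uc_keystone_conn
  ignore_errors: true
  # A probe never changes anything.
  changed_when: false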
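- block:
    #
    # SSL is enabled on the undercloud by default; the certificate path is
    # resolved as follows:
    #   1. undercloud_service_certificate from undercloud.conf, when set
    #   2. otherwise the certificate generated when generate_service_certificate
    #      is 'true' in undercloud.conf or absent (it defaults to 'true')
    #   3. located as /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem
    #
    # The undercloud.conf reads below are pure queries, so they report
    # changed_when: false instead of "changed" whenever the option is present.
    - name: get ssl certificate location from undercloud.conf
      shell: |
        awk -F '=' '/^[[:space:]]*undercloud_service_certificate/ {gsub(/[[:space:]]/, "", $2); print $2}' {{ undercloud_conf }}
      register: uc_undercloud_service_certificate
      changed_when: false
    - name: get generate_service_certificate option from undercloud.conf
      # Registered for information only: nothing below branches on it. The
      # autogenerated-cert lookup runs regardless and the 'fail' task covers
      # the case where neither source yields a certificate.
      shell: |
        awk -F '=' '/^[[:space:]]*generate_service_certificate/ {gsub(/[[:space:]]/, "", $2) ; print tolower($2)}' {{ undercloud_conf }}
      register: uc_generate_service_certificate
      changed_when: false
    - name: get undercloud_public_host option from undercloud.conf
      shell: |
        awk -F '=' '/^[[:space:]]*undercloud_public_host/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf }}
      register: uc_undercloud_public_host
      changed_when: false
    - name: get undercloud_public_vip option from undercloud.conf
      # undercloud_public_vip is the deprecated name of undercloud_public_host
      shell: |
        awk -F '=' '/^[[:space:]]*undercloud_public_vip/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf }}
      register: uc_undercloud_public_vip
      changed_when: false
    - name: find autogenerated SSL cert
      vars:
        uc_ssl_part: "{{ uc_undercloud_public_host.stdout if uc_undercloud_public_host.stdout|length > 0 else uc_undercloud_public_vip.stdout }}"
      find:
        paths: /etc/pki/tls/certs/
        # Shell-style glob (the module default). The previous pattern was a
        # glob evaluated with use_regex, where the dots of the host/IP matched
        # any character and the trailing '*' repeated the last character of
        # the host instead of standing for "anything".
        patterns: 'undercloud-{{ uc_ssl_part }}*.pem'
      register: autogenerated_ssl_cert
    - name: fail if SSL cert for undercloud not found
      fail:
        msg: cannot determine SSL cert for undercloud
      when:
        - uc_undercloud_service_certificate.stdout|length == 0
        - autogenerated_ssl_cert.files|length == 0
    - name: set undercloud ssl cert fact
      # Explicit undercloud.conf setting wins; otherwise the first match found.
      set_fact:
        undercloud_cert: "{{ uc_undercloud_service_certificate.stdout if uc_undercloud_service_certificate.stdout else autogenerated_ssl_cert.files[0].path }}"
    - name: make a local copy of the certificate
      # NOTE(review): confirm the file at undercloud_cert contains only the
      # certificate (chain). If it bundles the private key, this copy and the
      # scp to every overcloud node below would push that key into a
      # world-readable trust-anchor directory; extract the certificate first
      # (e.g. openssl x509) in that case.
      copy:
        src: "{{ undercloud_cert }}"
        dest: "{{ working_dir }}/undercloud.pem"
        owner: stack
        remote_src: true
      become: true
      become_user: root
    - name: register overcloud nodes ip address
      shell: |
        source {{ undercloud_rc }}
        openstack server list -f json | jq -r -c '.[] | .Networks' | grep -oP '[0-9.]+'
      args:
        executable: /bin/bash
      register: node_ip
      changed_when: false
    - name: copy certificate to the overcloud nodes and update the trusted store
      vars:
        oc_user: "{{ (overcloud_ssh_user == '') | ternary('heat-admin', overcloud_ssh_user) }}"
      # 'set -e' and '&&' replace the former ';' chaining: the task's exit
      # status was that of the last command only, so a failed scp or cp was
      # masked by a successful update-ca-trust. The staged copy in the user's
      # home is removed once it has been installed.
      # NOTE(review): StrictHostKeyChecking=no accepts unknown and changed
      # host keys for the nodes a trust anchor is being installed on; prefer
      # the undercloud's existing known_hosts.
      shell: |
        set -e
        scp -q -o StrictHostKeyChecking=no {{ working_dir }}/undercloud.pem {{ oc_user }}@{{ item }}:
        ssh -q -o StrictHostKeyChecking=no {{ oc_user }}@{{ item }} 'sudo cp undercloud.pem /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust extract && rm -f undercloud.pem'
      loop: "{{ node_ip.stdout_lines }}"
  # 'is failed': the '|failed' filter form was deprecated in Ansible 2.5 and
  # removed in 2.9.
  when: uc_keystone_conn is failed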