Automated cherry-pick of #6324 on release-3.8

playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml → playbooks/openshift-etcd/private/redeploy-ca.yml

@@ -21,7 +21,7 @@
       name: etcd
       tasks_from: remove_ca_certificates
 
-- include: ../../../openshift-etcd/private/ca.yml
+- include: ca.yml
 
 - name: Create temp directory for syncing certs
   hosts: localhost
@@ -44,7 +44,7 @@
       etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
       etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
 
-- include: ../../../openshift-etcd/private/restart.yml
+- include: restart.yml
   # Do not restart etcd when etcd certificates were previously expired.
   when: ('expired' not in (hostvars
                            | oo_select_keys(groups['etcd'])
@@ -82,7 +82,7 @@
       state: absent
     changed_when: false
 
-- include: ../../../openshift-master/private/restart.yml
+- include: ../../openshift-master/private/restart.yml
   # Do not restart masters when master or etcd certificates were previously expired.
   when:
   # masters

playbooks/common/openshift-cluster/redeploy-certificates/check-expiry.yml → playbooks/openshift-etcd/private/redeploy-certificates.yml

@@ -1,6 +1,6 @@
 ---
 - name: Check cert expirys
-  hosts: "{{ g_check_expiry_hosts }}"
+  hosts: oo_etcd_to_config
   vars:
     openshift_certificate_expiry_show_all: yes
   roles:
@@ -10,3 +10,9 @@
   # this playbook. Service restarts will be skipped if any
   # certificates were previously expired.
   - role: openshift_certificate_expiry
+
+- include: certificates-backup.yml
+
+- include: certificates.yml
+  vars:
+    etcd_certificates_redeploy: true

playbooks/openshift-etcd/redeploy-ca.yml

@@ -0,0 +1,4 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-ca.yml

playbooks/openshift-etcd/redeploy-certificates.yml

@@ -0,0 +1,10 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-certificates.yml
+
+- include: private/restart.yml
+  vars:
+    g_etcd_certificates_expired: "{{ ('expired' in (hostvars | oo_select_keys(groups['etcd']) | oo_collect('check_results.check_results.etcd') | oo_collect('health'))) | bool }}"
+
+- include: ../openshift-master/private/restart.yml

playbooks/openshift-hosted/redeploy-registry-certificates.yml

@@ -0,0 +1,4 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-registry-certificates.yml

playbooks/openshift-hosted/redeploy-router-certificates.yml

@@ -0,0 +1,4 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-router-certificates.yml

playbooks/openshift-master/private/redeploy-certificates.yml

@@ -0,0 +1,6 @@
+---
+- include: certificates-backup.yml
+
+- include: certificates.yml
+  vars:
+    openshift_certificates_redeploy: true

playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml → playbooks/openshift-master/private/redeploy-openshift-ca.yml

@@ -207,7 +207,7 @@
       group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout  }}"
     with_items: "{{ client_users }}"
 
-- include: ../../../openshift-master/private/restart.yml
+- include: restart.yml
   # Do not restart masters when master or etcd certificates were previously expired.
   when:
   # masters
@@ -272,7 +272,7 @@
       state: absent
     changed_when: false
 
-- include: ../../../openshift-node/private/restart.yml
+- include: ../../openshift-node/private/restart.yml
   # Do not restart nodes when node, master or etcd certificates were previously expired.
   when:
   # nodes

playbooks/openshift-master/redeploy-certificates.yml

@@ -0,0 +1,6 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-certificates.yml
+
+- include: private/restart.yml

playbooks/openshift-master/redeploy-openshift-ca.yml

@@ -0,0 +1,4 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-openshift-ca.yml

playbooks/openshift-node/private/redeploy-certificates.yml

@@ -0,0 +1,6 @@
+---
+- include: certificates-backup.yml
+
+- include: certificates.yml
+  vars:
+    openshift_certificates_redeploy: true

playbooks/openshift-node/redeploy-certificates.yml

@@ -0,0 +1,6 @@
+---
+- include: ../init/main.yml
+
+- include: private/redeploy-certificates.yml
+
+- include: private/restart.yml

playbooks/redeploy-certificates.yml

@@ -0,0 +1,26 @@
+---
+- include: init/main.yml
+
+- include: openshift-etcd/private/redeploy-certificates.yml
+
+- include: openshift-master/private/redeploy-certificates.yml
+
+- include: openshift-node/private/redeploy-certificates.yml
+
+- include: openshift-etcd/private/restart.yml
+  vars:
+    g_etcd_certificates_expired: "{{ ('expired' in (hostvars | oo_select_keys(groups['etcd']) | oo_collect('check_results.check_results.etcd') | oo_collect('health'))) | bool }}"
+
+- include: openshift-master/private/restart.yml
+
+- include: openshift-node/private/restart.yml
+
+- include: openshift-hosted/private/redeploy-router-certificates.yml
+  when: openshift_hosted_manage_router | default(true) | bool
+
+- include: openshift-hosted/private/redeploy-registry-certificates.yml
+  when: openshift_hosted_manage_registry | default(true) | bool
+
+- include: openshift-master/private/revert-client-ca.yml
+
+- include: openshift-master/private/restart.yml