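---
# Check whether the overcloud nodes can reach the undercloud's public Keystone
# endpoint over TLS; when they cannot, resolve the undercloud's SSL certificate
# and install it as a trust anchor on every overcloud node.

- name: register undercloud public endpoint
  shell: |
    source {{ undercloud_rc }}
    openstack catalog list | grep -Po 'https.*13000'
  # NOTE(review): assumes exactly one catalog line carries port 13000; a second
  # match would leave a multi-line stdout in the ssh command below — confirm.
  register: keystone_endpoint

- name: register first controller ip address
  shell: |
    source {{ undercloud_rc }}
    openstack server list -f json | jq -r -c '.[] | select(.Name | contains("controller","ctrl")) | .Networks' | grep -oP '[0-9.]+' | head -1
  register: ctrl_ip

- name: test undercloud keystone reachability
  vars:
    oc_user: "{{ (overcloud_ssh_user == '') | ternary('heat-admin', overcloud_ssh_user) }}"
  # Host key verification is disabled for the hop to the controller; seeding
  # known_hosts beforehand would allow StrictHostKeyChecking to stay enabled.
  shell: |
    ssh -q -o StrictHostKeyChecking=no {{ oc_user }}@{{ ctrl_ip.stdout }} curl --silent {{ keystone_endpoint.stdout }}
  register: uc_keystone_conn
  # A non-zero exit is the expected outcome when the undercloud CA is not yet
  # trusted; the result gates the certificate distribution at the end of the
  # block below rather than aborting the play.
  ignore_errors: true

- block:
    #
    # SSL is enabled on the undercloud by default; the certificate path is
    # resolved as follows:
    # 1. If undercloud_service_certificate is configured in undercloud.conf,
    #    use it.
    # 2. Check whether generate_service_certificate is set to 'true' in
    #    undercloud.conf or absent from it (it defaults to 'true').
    # 3. Find the autogenerated file, named
    #    /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem
    #
    - name: get ssl certificate location from undercloud.conf
      shell: |
        awk -F '=' '/^[[:space:]]*undercloud_service_certificate/ {gsub(/[[:space:]]/, "", $2); print $2}' {{ undercloud_conf }}
      register: uc_undercloud_service_certificate
      changed_when: uc_undercloud_service_certificate.stdout|length > 0

    - name: get generate_service_certificate option from undercloud.conf
      shell: |
        awk -F '=' '/^[[:space:]]*generate_service_certificate/ {gsub(/[[:space:]]/, "", $2) ; print tolower($2)}' {{ undercloud_conf }}
      # Registered for step 2 above but not consulted by any task in this file;
      # presumably read by a later play — verify before removing.
      register: uc_generate_service_certificate
      changed_when: uc_generate_service_certificate.stdout|length > 0

    - name: get undercloud_public_host option from undercloud.conf
      shell: |
        awk -F '=' '/^[[:space:]]*undercloud_public_host/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf }}
      register: uc_undercloud_public_host
      changed_when: uc_undercloud_public_host.stdout|length > 0

    - name: get undercloud_public_vip option from undercloud.conf
      # undercloud_public_vip is the deprecated name of undercloud_public_host
      shell: |
        awk -F '=' '/^[[:space:]]*undercloud_public_vip/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf }}
      register: uc_undercloud_public_vip
      changed_when: uc_undercloud_public_vip.stdout|length > 0

    - name: find autogenerated SSL cert
      vars:
        # Prefer the current option name; fall back to the deprecated one.
        uc_ssl_part: "{{ uc_undercloud_public_host.stdout if uc_undercloud_public_host.stdout|length > 0 else uc_undercloud_public_vip.stdout }}"
      find:
        path: /etc/pki/tls/certs/
        # The host name is regex-escaped so its dots match literally and the
        # pattern pins the documented file name exactly; the previous pattern
        # left the dots as wildcards and applied '*' to the host's last char.
        patterns: '^undercloud-{{ uc_ssl_part | regex_escape }}\.pem$'
        use_regex: true
      register: autogenerated_ssl_cert

    - name: fail if SSL cert for undercloud not found
      fail:
        msg: cannot determine SSL cert for undercloud
      when:
        - uc_undercloud_service_certificate.stdout|length == 0
        - autogenerated_ssl_cert.files|length == 0

    - name: set undercloud ssl cert fact
      set_fact:
        # A configured path wins; otherwise the first autogenerated match.
        undercloud_cert: "{{ uc_undercloud_service_certificate.stdout if uc_undercloud_service_certificate.stdout else autogenerated_ssl_cert.files[0].path }}"

    - name: make a local copy of the certificate
      copy:
        src: "{{ undercloud_cert }}"
        dest: "{{ working_dir }}/undercloud.pem"
        owner: stack
        remote_src: true
      # root is needed to read the certificate under /etc/pki.
      become: true
      become_user: root

    - name: register overcloud nodes ip address
      shell: |
        source {{ undercloud_rc }}
        openstack server list -f json | jq -r -c '.[] | .Networks' | grep -oP '[0-9.]+'
      register: node_ip

    - name: copy certificate to the overcloud nodes and update the trusted store
      vars:
        oc_user: "{{ (overcloud_ssh_user == '') | ternary('heat-admin', overcloud_ssh_user) }}"
      # The certificate becomes a system-wide trust anchor on each node, not a
      # curl-only setting. Host key verification is disabled on both hops, as
      # in the reachability test above.
      shell: |
        scp -q -o StrictHostKeyChecking=no {{ working_dir }}/undercloud.pem {{ oc_user }}@{{ item }}:
        ssh -q -o StrictHostKeyChecking=no {{ oc_user }}@{{ item }} 'sudo cp undercloud.pem /etc/pki/ca-trust/source/anchors/; sudo update-ca-trust extract'
      loop: "{{ node_ip.stdout_lines }}"
      # The discovery tasks above run unconditionally; only this distribution
      # step is gated on the reachability result. The `failed` filter form was
      # removed in Ansible 2.9, so the test form is used.
      when: uc_keystone_conn is failed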