Fix ca certificate loading on CoreOS

46ee9fac · Matthew Mosesohn · 6cc05c10 · 46ee9fac · 46ee9fac
Commit 46ee9fac authored 8 years ago by Matthew Mosesohn
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -84,21 +84,21 @@
  when: inventory_hostname in groups['etcd']
  changed_when: false

- name: Gen_certs | target ca-certificates directory
+- name: Gen_certs | target ca-certificate store file
  set_fact:
-    ca_cert_dir: |-
+    ca_cert_path: |-
      {% if ansible_os_family == "Debian" -%}
-      /usr/local/share/ca-certificates
+      /usr/local/share/ca-certificates/etcd-ca.crt
      {%- elif ansible_os_family == "RedHat" -%}
-      /etc/pki/ca-trust/source/anchors
+      /etc/pki/ca-trust/source/anchors/etcd-ca.crt
      {%- elif ansible_os_family == "CoreOS" -%}
-      /etc/ssl/certs
+      /etc/ssl/certs/etcd-ca.pem
      {%- endif %}

 - name: Gen_certs | add CA to trusted CA dir
  copy:
    src: "{{ etcd_cert_dir }}/ca.pem"
-    dest: "{{ ca_cert_dir }}/etcd-ca.crt"
+    dest: "{{ ca_cert_path }}"
    remote_src: true
  register: etcd_ca_cert

@@ -106,6 +106,7 @@
  command: update-ca-certificates
  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS"]

- name: Gen_certs | update ca-certificatesa (RedHat)
+- name: Gen_certs | update ca-certificates (RedHat)
  command: update-ca-trust extract
  when: etcd_ca_cert.changed and ansible_os_family == "RedHat"
+
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -65,21 +65,21 @@
  when: inventory_hostname in groups['kube-master']
  changed_when: false

- name: Gen_certs | target ca-certificates directory
+- name: Gen_certs | target ca-certificates path
  set_fact:
-    ca_cert_dir: |-
+    ca_cert_path: |-
      {% if ansible_os_family == "Debian" -%}
-      /usr/local/share/ca-certificates
+      /usr/local/share/ca-certificates/kube-ca.crt
      {%- elif ansible_os_family == "RedHat" -%}
-      /etc/pki/ca-trust/source/anchors
+      /etc/pki/ca-trust/source/anchors/kube-ca.crt
      {%- elif ansible_os_family == "CoreOS" -%}
-      /etc/ssl/certs
+      /etc/ssl/certs/kube-ca.pem
      {%- endif %}

 - name: Gen_certs | add CA to trusted CA dir
  copy:
    src: "{{ kube_cert_dir }}/ca.pem"
-    dest: "{{ ca_cert_dir }}/kube-ca.crt"
+    dest: "{{ ca_cert_path }}"
    remote_src: true
  register: kube_ca_cert

@@ -87,7 +87,7 @@
  command: update-ca-certificates
  when: kube_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS"]

- name: Gen_certs | update ca-certificatesa (RedHat)
+- name: Gen_certs | update ca-certificates (RedHat)
  command: update-ca-trust extract
  when: kube_ca_cert.changed and ansible_os_family == "RedHat"