diff options
author | Fabian von Feilitzsch <fabian@fabianism.us> | 2017-10-30 16:38:09 -0400 |
---|---|---|
committer | Fabian von Feilitzsch <fabian@fabianism.us> | 2017-11-03 13:01:11 -0400 |
commit | 3ee9a2368c1bba68477aacbb4b950eee32939eee (patch) | |
tree | 2d6e338984bb5931d0f7066805e693a77906c99f | |
parent | 3e2f7911f08504e7da8344df28f008a81897c329 (diff) | |
download | openshift-3ee9a2368c1bba68477aacbb4b950eee32939eee.tar.gz openshift-3ee9a2368c1bba68477aacbb4b950eee32939eee.tar.bz2 openshift-3ee9a2368c1bba68477aacbb4b950eee32939eee.tar.xz openshift-3ee9a2368c1bba68477aacbb4b950eee32939eee.zip |
Bug 1507617- Move etcd into its own service/dc with SSL
-rw-r--r-- | roles/ansible_service_broker/tasks/generate_certs.yml | 35 | ||||
-rw-r--r-- | roles/ansible_service_broker/tasks/install.yml | 126 | ||||
-rw-r--r-- | roles/ansible_service_broker/tasks/remove.yml | 26 |
3 files changed, 174 insertions, 13 deletions
diff --git a/roles/ansible_service_broker/tasks/generate_certs.yml b/roles/ansible_service_broker/tasks/generate_certs.yml new file mode 100644 index 000000000..50156a35c --- /dev/null +++ b/roles/ansible_service_broker/tasks/generate_certs.yml @@ -0,0 +1,35 @@ +--- + +- when: ansible_service_broker_certs_dir is undefined + block: + - name: Create ansible-service-broker cert directory + file: + path: "{{ openshift.common.config_base }}/ansible-service-broker" + state: directory + mode: 0755 + check_mode: no + + - set_fact: + ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/ansible-service-broker" + + - name: Create self signing ca cert + command: 'openssl req -nodes -x509 -newkey rsa:4096 -keyout {{ ansible_service_broker_certs_dir }}/key.pem -out {{ ansible_service_broker_certs_dir }}/cert.pem -days 365 -subj "/CN=asb-etcd.openshift-ansible-service-broker.svc"' + args: + creates: '{{ ansible_service_broker_certs_dir }}/cert.pem' + + - name: Create self signed client cert + command: '{{ item.cmd }}' + args: + creates: '{{ item.creates }}' + with_items: + - cmd: openssl genrsa -out {{ ansible_service_broker_certs_dir }}/client.key 2048 + creates: '{{ ansible_service_broker_certs_dir }}/client.key' + - cmd: 'openssl req -new -key {{ ansible_service_broker_certs_dir }}/client.key -out {{ ansible_service_broker_certs_dir }}/client.csr -subj "/CN=client"' + creates: '{{ ansible_service_broker_certs_dir }}/client.csr' + - cmd: openssl x509 -req -in {{ ansible_service_broker_certs_dir }}/client.csr -CA {{ ansible_service_broker_certs_dir }}/cert.pem -CAkey {{ ansible_service_broker_certs_dir }}/key.pem -CAcreateserial -out {{ ansible_service_broker_certs_dir }}/client.pem -days 1024 + creates: '{{ ansible_service_broker_certs_dir }}/client.pem' + +- set_fact: + etcd_ca_cert: "{{ lookup('file', '{{ ansible_service_broker_certs_dir }}/cert.pem') }}" + etcd_client_cert: "{{ lookup('file', '{{ ansible_service_broker_certs_dir }}/client.pem') }}" + etcd_client_key: "{{ lookup('file', '{{ ansible_service_broker_certs_dir }}/client.key') }}" diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 89a84c4df..282c7d156 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -32,6 +32,7 @@ - include: validate_facts.yml +- include: generate_certs.yml # Deployment of ansible-service-broker starts here - name: create openshift-ansible-service-broker project @@ -116,6 +117,24 @@ kubernetes.io/service-account.name: asb-client type: kubernetes.io/service-account-token +- name: Create etcd-auth secret + oc_secret: + name: etcd-auth-secret + namespace: openshift-ansible-service-broker + contents: + - path: ca.crt + data: '{{ etcd_ca_cert }}' + +- name: Create broker-etcd-auth secret + oc_secret: + name: broker-etcd-auth-secret + namespace: openshift-ansible-service-broker + contents: + - path: client.crt + data: '{{ etcd_client_cert }}' + - path: client.key + data: '{{ etcd_client_key }}' + - oc_secret: state: list namespace: openshift-ansible-service-broker @@ -156,6 +175,34 @@ app: openshift-ansible-service-broker service: asb +- name: create asb-etcd service + oc_obj: + name: asb-etcd + namespace: openshift-ansible-service-broker + state: present + kind: Service + content: + path: /tmp/asbetcdsvcout + data: + apiVersion: v1 + kind: Service + metadata: + name: asb-etcd + labels: + app: etcd + service: asb-etcd + annotations: + service.alpha.openshift.io/serving-cert-secret-name: etcd-tls + spec: + ports: + - name: port-2379 + port: 2379 + targetPort: 2379 + protocol: TCP + selector: + app: etcd + service: asb-etcd + - name: create route for ansible-service-broker service oc_route: name: asb-1338 @@ -227,6 +274,8 @@ mountPath: /etc/ansible-service-broker - name: asb-tls mountPath: /etc/tls/private + - name: asb-etcd-auth + mountPath: /var/run/asb-etcd-auth ports: - containerPort: 1338 protocol: TCP @@ -249,7 +298,50 @@ scheme: HTTPS initialDelaySeconds: 15 timeoutSeconds: 1 + volumes: + - name: config-volume + configMap: + name: broker-config + items: + - key: broker-config + path: config.yaml + - name: asb-tls + secret: + secretName: asb-tls + - name: asb-etcd-auth + secret: + secretName: broker-etcd-auth-secret +- name: Create asb-etcd deployment config + oc_obj: + name: etcd + namespace: openshift-ansible-service-broker + state: present + kind: DeploymentConfig + content: + path: /tmp/dcout + data: + apiVersion: v1 + kind: DeploymentConfig + metadata: + name: asb-etcd + labels: + app: etcd + service: asb-etcd + spec: + replicas: 1 + selector: + app: etcd + strategy: + type: Rolling + template: + metadata: + labels: + app: etcd + service: asb-etcd + spec: + serviceAccount: asb + containers: - image: "{{ ansible_service_broker_etcd_image }}" name: etcd imagePullPolicy: IfNotPresent @@ -258,8 +350,12 @@ args: - "{{ ansible_service_broker_etcd_image_etcd_path }}" - "--data-dir=/data" - - "--listen-client-urls=http://0.0.0.0:2379" - - "--advertise-client-urls=http://0.0.0.0:2379" + - "--listen-client-urls=https://0.0.0.0:2379" + - "--advertise-client-urls=https://0.0.0.0:2379" + - "--client-cert-auth" + - "--trusted-ca-file=/var/run/etcd-auth-secret/ca.crt" + - "--cert-file=/etc/tls/private/tls.crt" + - "--key-file=/etc/tls/private/tls.key" ports: - containerPort: 2379 protocol: TCP @@ -267,21 +363,22 @@ - name: ETCDCTL_API value: "3" volumeMounts: - - mountPath: /data - name: etcd + - name: etcd + mountPath: /data + - name: etcd-tls + mountPath: /etc/tls/private + - name: etcd-auth + mountPath: /var/run/etcd-auth-secret volumes: - name: etcd persistentVolumeClaim: claimName: etcd - - name: config-volume - configMap: - name: broker-config - items: - - key: broker-config - path: config.yaml - - name: asb-tls + - name: etcd-tls secret: - secretName: asb-tls + secretName: etcd-tls + - name: etcd-auth + secret: + secretName: etcd-auth-secret # TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following: @@ -313,8 +410,11 @@ tag: {{ ansible_service_broker_registry_tag }} white_list: {{ ansible_service_broker_registry_whitelist }} dao: - etcd_host: 0.0.0.0 + etcd_host: asb-etcd.openshift-ansible-service-broker.svc etcd_port: 2379 + etcd_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + etcd_client_cert: /var/run/asb-etcd-auth/client.crt + etcd_client_key: /var/run/asb-etcd-auth/client.key log: logfile: /var/log/ansible-service-broker/asb.log stdout: true diff --git a/roles/ansible_service_broker/tasks/remove.yml b/roles/ansible_service_broker/tasks/remove.yml index 51b86fb26..28dc967a0 100644 --- a/roles/ansible_service_broker/tasks/remove.yml +++ b/roles/ansible_service_broker/tasks/remove.yml @@ -52,12 +52,30 @@ name: asb-client namespace: openshift-ansible-service-broker +- name: Remove etcd-auth secret + oc_secret: + state: absent + name: etcd-auth-secret + namespace: openshift-ansible-service-broker + +- name: Remove broker-etcd-auth secret + oc_secret: + state: absent + name: broker-etcd-auth-secret + namespace: openshift-ansible-service-broker + - name: remove ansible-service-broker service oc_service: name: asb namespace: openshift-ansible-service-broker state: absent +- name: remove asb-etcd service + oc_service: + state: absent + name: asb-etcd + namespace: openshift-ansible-service-broker + - name: remove etcd service oc_service: name: etcd @@ -83,6 +101,14 @@ kind: DeploymentConfig state: absent +- name: remove Ansible Service Broker etcd deployment config + oc_obj: + name: asb-etcd + namespace: openshift-ansible-service-broker + kind: DeploymentConfig + state: absent + + - name: remove secret for broker auth oc_obj: name: asb-client |