author | Kenny Woodson <kwoodson@redhat.com> | 2017-02-21 20:15:28 -0500 |
---|---|---|
committer | Kenny Woodson <kwoodson@redhat.com> | 2017-02-21 20:15:28 -0500 |
commit | 3effaa96c8e843a5820b98cf9c2dab608481c259 (patch) | |
tree | 4e3bd99fbb72b15ce2e6066bac1fc60815e9e032 /roles/lib_openshift/src | |
parent | 8200377dbb3d0e6aa2b35ea369cceb03976b508b (diff) | |
Added backup feature. Fixed a bug with reading the certificate and verifying names. Added force option.
Diffstat (limited to 'roles/lib_openshift/src')
-rw-r--r-- | roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py | 2 | ||||
-rw-r--r-- | roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 36 | ||||
-rw-r--r-- | roles/lib_openshift/src/doc/ca_server_cert | 4 | ||||
-rw-r--r-- | roles/lib_openshift/src/lib/import.py | 2 |
4 files changed, 32 insertions, 12 deletions
diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
index 367f6d932..197095cac 100644
--- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
@@ -19,7 +19,7 @@ def main():
 signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
 signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
 hostnames=dict(default=[], type='list'),
- overwrite=dict(default=False, type='bool'),
+ force=dict(default=False, type='bool'),
 ),
 supports_check_mode=True,
 )
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index ee6cd4a29..c0e7f292a 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -37,12 +37,15 @@ class CAServerCert(OpenShiftCLI):
 # Added this here as a safegaurd for stomping on the
 # cert and key files if they exist
 if self.config.config_options['backup']['value']:
+ ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time()))
+ date_str = "%s_" + "%s" % ext
+
 if os.path.exists(self.config.config_options['key']['value']):
 shutil.copy(self.config.config_options['key']['value'],
- "%s.orig" % self.config.config_options['key']['value'])
+ date_str % self.config.config_options['key']['value'])
 if os.path.exists(self.config.config_options['cert']['value']):
 shutil.copy(self.config.config_options['cert']['value'],
- "%s.orig" % self.config.config_options['cert']['value'])
+ date_str % self.config.config_options['cert']['value'])
 options = self.config.to_option_list()
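Review bot: The `shutil.copy` on the new `date_str % self.config.config_options['key']['value']` line writes the private-key backup through a plain `open(dst, 'wb')` under the inherited umask and only afterwards copies the source file's mode, so with a permissive umask the key copy is briefly readable by other local users; creating it under a restrictive umask (or via `os.open(..., 0o600)`) closes that window. Because the name now carries a timestamp instead of the fixed `.orig`, every forced run leaves one more copy of the private key in the same directory, which the `backup` option docs should say so operators know to prune them. `"%s_" + "%s" % ext` only yields the intended `"%s_<timestamp>"` because `%` binds tighter than `+`; `date_str = "%%s_%s" % ext` expresses that without relying on precedence. The enclosing method starts outside the hunk.
```python
            if os.path.exists(self.config.config_options['key']['value']):
                # the backup holds private key material: create it unreadable to others
                # from the start; shutil.copy() only fixes the mode after the data is written
                old_umask = os.umask(0o077)
                try:
                    shutil.copy(self.config.config_options['key']['value'],
                                date_str % self.config.config_options['key']['value'])
                finally:
                    os.umask(old_umask)
            # … unchanged: cert backup …
```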
@@ -60,13 +63,28 @@ class CAServerCert(OpenShiftCLI):
 # Would prefer pyopenssl but is not installed.
 # When we verify it is, switch this code
- proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+ # Here is the code to get the subject and the SAN
+ # openssl x509 -text -noout -certopt \
+ # no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux \
+ # -in /etc/origin/master/registry.crt
+ # Instead of this solution we will use a regex.
+ cert_names = []
+ hostnames = self.config.config_options['hostnames']['value'].split(',')
+ proc = subprocess.Popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path],
 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdout, _ = proc.communicate()
+
+ x509output, _ = proc.communicate()
 if proc.returncode == 0:
- for var in self.config.config_options['hostnames']['value'].split(','):
- if var in stdout:
- return True
+ regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)
+ match = regex.search(x509output) # E501
+ for entry in re.split(r", *", match.group(1)):
+ if entry.startswith('DNS') or entry.startswith('IP Address'):
+ cert_names.append(entry.split(':')[1])
+ # now that we have cert names let's compare
+ cert_set = set(cert_names)
+ hname_set = set(hostnames)
+ if cert_set.issubset(hname_set) and hname_set.issubset(cert_set):
+ return True
 return False
@@ -78,7 +96,7 @@ class CAServerCert(OpenShiftCLI):
 params['debug'],
 {'cert': {'value': params['cert'], 'include': True},
 'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
- 'overwrite': {'value': params['overwrite'], 'include': True},
+ 'overwrite': {'value': True, 'include': True},
 'key': {'value': params['key'], 'include': True},
 'signer_cert': {'value': params['signer_cert'], 'include': True},
 'signer_key': {'value': params['signer_key'], 'include': True},
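Review bot: `match = regex.search(x509output)` returns None for a certificate that carries no Subject Alternative Name extension, and the next line's `match.group(1)` then raises AttributeError instead of `exists()` answering False, so the module crashes on exactly the certs it should be replacing; add `if match is None:` / `return False` before the `for entry in re.split(...)` loop. `entry.split(':')[1]` also truncates an `IP Address:` entry that holds an IPv6 literal at its first colon, so it should be `entry.split(':', 1)[1]`. The `(.*)` capture assumes openssl prints the whole SAN list on a single line, which appears to hold for `-text` output but is worth a comment at the regex. The enclosing method starts outside the hunk.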
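Review bot: `'overwrite': {'value': True, 'include': True}` hard-wires the CLI overwrite flag, so whenever the create path runs the existing key and cert are replaced no matter what the caller passed, and the only thing standing between a `force: true` run and losing the current key is the `backup` option, whose default is not visible here. Worth a comment on that line, e.g. `# always overwrite; regeneration is gated by exists()/force in run_ansible`, and a sentence in the `force` docs saying it replaces the existing files and should be paired with `backup`. The enclosing function starts and ends outside the hunk.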
@@ -94,7 +112,7 @@ class CAServerCert(OpenShiftCLI):
 ########
 # Create
 ########
- if not server_cert.exists() or params['overwrite']:
+ if not server_cert.exists() or params['force']:
 if check_mode:
 return {'changed': True,
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index 58720b09f..a8034158e 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -43,9 +43,9 @@ options:
 required: false
 default: None
 aliases: []
- overwrite:
+ force:
 description:
- - Overwrite existing cert files if found. If false, any existing file will be left as-is.
+ - Force updating of the existing cert and key files
 required: false
 default: False
 aliases: []
diff --git a/roles/lib_openshift/src/lib/import.py b/roles/lib_openshift/src/lib/import.py
index a79297898..9a1fc6ef7 100644
--- a/roles/lib_openshift/src/lib/import.py
+++ b/roles/lib_openshift/src/lib/import.py
@@ -8,6 +8,8 @@ from __future__ import print_function
 import atexit
 import copy
+ # pylint: disable=unused-import
+ import time
 import json
 import os
 import re |
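Review bot: `if not server_cert.exists() or params['force']` makes `exists()` the only automatic trigger for regeneration, and as written in the `-60` hunk above it compares SAN names only, so a certificate that still lists the right hostnames but has expired, or was signed by a signer CA that has since been rotated, is reported unchanged unless the operator knows to pass `force: true`. Either extend `exists()` with a validity check (`openssl x509 -checkend 0 -noout -in <cert>`) and a signer check (`openssl verify -CAfile <signer_cert> <cert>`), or state that limitation in the `force` option description so CA rotation playbooks set it explicitly. The enclosing function starts and ends outside the hunk.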