summaryrefslogtreecommitdiffstats
path: root/roles/openshift_logging/files
diff options
context:
space:
mode:
authorewolinetz <ewolinet@redhat.com>2017-01-11 15:26:46 -0600
committerewolinetz <ewolinet@redhat.com>2017-01-12 10:55:38 -0600
commit06c111d22641ba5cc2dbbe0144d9d6722d94f159 (patch)
tree0d01d1b33fd69b386c17c0a32c51ed091a860363 /roles/openshift_logging/files
parenta8c2999d94548d1c82b75387ef33d2e3f5c67536 (diff)
downloadopenshift-06c111d22641ba5cc2dbbe0144d9d6722d94f159.tar.gz
openshift-06c111d22641ba5cc2dbbe0144d9d6722d94f159.tar.bz2
openshift-06c111d22641ba5cc2dbbe0144d9d6722d94f159.tar.xz
openshift-06c111d22641ba5cc2dbbe0144d9d6722d94f159.zip
addressing comments
Diffstat (limited to 'roles/openshift_logging/files')
-rw-r--r--roles/openshift_logging/files/signing.conf103
-rw-r--r--roles/openshift_logging/files/util.sh192
2 files changed, 0 insertions, 295 deletions
diff --git a/roles/openshift_logging/files/signing.conf b/roles/openshift_logging/files/signing.conf
deleted file mode 100644
index 810a057d9..000000000
--- a/roles/openshift_logging/files/signing.conf
+++ /dev/null
@@ -1,103 +0,0 @@
-# Simple Signing CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-#dir = _output # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits = 2048 # RSA key size
-encrypt_key = yes # Protect private key
-default_md = sha1 # MD to use
-utf8 = yes # Input is UTF-8
-string_mask = utf8only # Emit UTF-8 strings
-prompt = no # Don't prompt for DN
-distinguished_name = ca_dn # DN section
-req_extensions = ca_reqext # Desired extensions
-
-[ ca_dn ]
-0.domainComponent = "io"
-1.domainComponent = "openshift"
-organizationName = "OpenShift Origin"
-organizationalUnitName = "Logging Signing CA"
-commonName = "Logging Signing CA"
-
-[ ca_reqext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ ca ]
-default_ca = signing_ca # The default CA section
-
-[ signing_ca ]
-certificate = $dir/ca.crt # The CA cert
-private_key = $dir/ca.key # CA private key
-new_certs_dir = $dir/ # Certificate archive
-serial = $dir/ca.serial.txt # Serial number file
-crlnumber = $dir/ca.crl.srl # CRL number file
-database = $dir/ca.db # Index file
-unique_subject = no # Require unique subject
-default_days = 730 # How long to certify for
-default_md = sha1 # MD to use
-policy = any_pol # Default naming policy
-email_in_dn = no # Add email to cert DN
-preserve = no # Keep passed DN ordering
-name_opt = ca_default # Subject DN display options
-cert_opt = ca_default # Certificate display options
-copy_extensions = copy # Copy extensions from CSR
-x509_extensions = client_ext # Default cert extensions
-default_crl_days = 7 # How long before next CRL
-crl_extensions = crl_ext # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent = match # Must match 'simple.org'
-organizationName = match # Must match 'Simple Inc'
-organizationalUnitName = optional # Included if present
-commonName = supplied # Must be present
-
-[ any_pol ]
-domainComponent = optional
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ client_ext ]
-keyUsage = critical,digitalSignature,keyEncipherment
-basicConstraints = CA:false
-extendedKeyUsage = clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid
-
-[ server_ext ]
-keyUsage = critical,digitalSignature,keyEncipherment
-basicConstraints = CA:false
-extendedKeyUsage = serverAuth,clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid
diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh
deleted file mode 100644
index 5752a0fcd..000000000
--- a/roles/openshift_logging/files/util.sh
+++ /dev/null
@@ -1,192 +0,0 @@
-#!/bin/bash
-
-function generate_JKS_chain() {
- dir=${SCRATCH_DIR:-_output}
- ADD_OID=$1
- NODE_NAME=$2
- CERT_NAMES=${3:-$NODE_NAME}
- ks_pass=${KS_PASS:-kspass}
- ts_pass=${TS_PASS:-tspass}
- rm -rf $NODE_NAME
-
- extension_names=""
- for name in ${CERT_NAMES//,/ }; do
- extension_names="${extension_names},dns:${name}"
- done
-
- if [ "$ADD_OID" = true ]; then
- extension_names="${extension_names},oid:1.2.3.4.5.5"
- fi
-
- echo Generating keystore and certificate for node $NODE_NAME
-
- "$keytool" -genkey \
- -alias $NODE_NAME \
- -keystore $dir/keystore.jks \
- -keypass $ks_pass \
- -storepass $ks_pass \
- -keyalg RSA \
- -keysize 2048 \
- -validity 712 \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
- -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
- echo Generating certificate signing request for node $NODE_NAME
-
- "$keytool" -certreq \
- -alias $NODE_NAME \
- -keystore $dir/keystore.jks \
- -storepass $ks_pass \
- -file $dir/$NODE_NAME.csr \
- -keyalg rsa \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
- -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
- echo Sign certificate request with CA
-
- openssl ca \
- -in $dir/$NODE_NAME.csr \
- -notext \
- -out $dir/$NODE_NAME.crt \
- -config $dir/signing.conf \
- -extensions v3_req \
- -batch \
- -extensions server_ext
-
- echo "Import back to keystore (including CA chain)"
-
- "$keytool" \
- -import \
- -file $dir/ca.crt \
- -keystore $dir/keystore.jks \
- -storepass $ks_pass \
- -noprompt -alias sig-ca
-
- "$keytool" \
- -import \
- -file $dir/$NODE_NAME.crt \
- -keystore $dir/keystore.jks \
- -storepass $ks_pass \
- -noprompt \
- -alias $NODE_NAME
-
- echo "Import CA to truststore for validating client certs"
-
- "$keytool" \
- -import \
- -file $dir/ca.crt \
- -keystore $dir/truststore.jks \
- -storepass $ts_pass \
- -noprompt -alias sig-ca
-
- echo All done for $NODE_NAME
-}
-
-function generate_PEM_cert() {
- NODE_NAME="$1"
- dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
-
- echo Generating keystore and certificate for node ${NODE_NAME}
-
- openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
-
- echo Sign certificate request with CA
- openssl ca \
- -in "$dir/$NODE_NAME.csr" \
- -notext \
- -out "$dir/$NODE_NAME.crt" \
- -config $dir/signing.conf \
- -extensions v3_req \
- -batch \
- -extensions server_ext
-}
-
-function generate_JKS_client_cert() {
- NODE_NAME="$1"
- ks_pass=${KS_PASS:-kspass}
- ts_pass=${TS_PASS:-tspass}
- dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
-
- echo Generating keystore and certificate for node ${NODE_NAME}
-
- "$keytool" -genkey \
- -alias $NODE_NAME \
- -keystore $dir/$NODE_NAME.jks \
- -keyalg RSA \
- -keysize 2048 \
- -validity 712 \
- -keypass $ks_pass \
- -storepass $ks_pass \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
- echo Generating certificate signing request for node $NODE_NAME
-
- "$keytool" -certreq \
- -alias $NODE_NAME \
- -keystore $dir/$NODE_NAME.jks \
- -file $dir/$NODE_NAME.csr \
- -keyalg rsa \
- -keypass $ks_pass \
- -storepass $ks_pass \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
- echo Sign certificate request with CA
- openssl ca \
- -in "$dir/$NODE_NAME.csr" \
- -notext \
- -out "$dir/$NODE_NAME.crt" \
- -config $dir/signing.conf \
- -extensions v3_req \
- -batch \
- -extensions server_ext
-
- echo "Import back to keystore (including CA chain)"
-
- "$keytool" \
- -import \
- -file $dir/ca.crt \
- -keystore $dir/$NODE_NAME.jks \
- -storepass $ks_pass \
- -noprompt -alias sig-ca
-
- "$keytool" \
- -import \
- -file $dir/$NODE_NAME.crt \
- -keystore $dir/$NODE_NAME.jks \
- -storepass $ks_pass \
- -noprompt \
- -alias $NODE_NAME
-
- echo All done for $NODE_NAME
-}
-
-function join { local IFS="$1"; shift; echo "$*"; }
-
-function get_es_dcs() {
- oc get dc --selector logging-infra=elasticsearch -o name
-}
-
-function get_curator_dcs() {
- oc get dc --selector logging-infra=curator -o name
-}
-
-function extract_nodeselector() {
- local inputstring="${1//\"/}" # remove any errant double quotes in the inputs
- local selectors=()
-
- for keyvalstr in ${inputstring//\,/ }; do
-
- keyval=( ${keyvalstr//=/ } )
-
- if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
- selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
- else
- echo "Could not make a node selector label from '${keyval[*]}'"
- exit 255
- fi
- done
-
- if [[ "${#selectors[*]}" -gt 0 ]]; then
- echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
- fi
-}