authorJeff Cantrill <jcantrill@users.noreply.github.com>2017-01-17 11:42:23 -0500
committerJeff Cantrill <jcantril@redhat.com>2017-01-17 13:49:11 -0500
commit65eb7e43faf38698b22b90ad3c743d1fecdc0961 (patch)
treebb690323269d929c9582756b4a77c8189217dcf4 /roles/openshift_metrics/tasks
parente96de3d7eb0b0ce6a8df96d4e3afa02f0859b94b (diff)
use pod to generate keystores (#14)
Diffstat (limited to 'roles/openshift_metrics/tasks')
-rw-r--r--roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml97
-rw-r--r--roles/openshift_metrics/tasks/import_jks_certs.yaml120
-rw-r--r--roles/openshift_metrics/tasks/install_metrics.yaml8
-rw-r--r--roles/openshift_metrics/tasks/oc_apply.yaml7
-rw-r--r--roles/openshift_metrics/tasks/setup_certificate.yaml21
-rw-r--r--roles/openshift_metrics/tasks/stop_metrics.yaml1
6 files changed, 139 insertions, 115 deletions
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
index 489856c27..9cf4afee0 100644
--- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -13,93 +13,16 @@
hostnames: hawkular-cassandra
changed_when: no
-- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd
register: cassandra_truststore_password
-- name: check existing aliases on the hawkular-cassandra truststore
- shell: >
- keytool -noprompt -list
- -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore
- -storepass {{cassandra_truststore_password.content | b64decode }}
- | sed -n '7~2s/,.*$//p'
- register: hawkular_cassandra_truststore_aliases
- changed_when: false
-
-- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd
register: hawkular_truststore_password
-- name: check existing aliases on the hawkular-metrics truststore
- shell: >
- keytool -noprompt -list
- -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore
- -storepass {{ hawkular_truststore_password.content | b64decode }}
- | sed -n '7~2s/,.*$//p'
- register: hawkular_metrics_truststore_aliases
- changed_when: false
-
-- name: import the hawkular metrics cert into the cassandra truststore
- command: >
- keytool -noprompt -import -v -trustcacerts
- -alias hawkular-metrics
- -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt'
- -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
- -storepass {{cassandra_truststore_password.content | b64decode }}
- when: >
- 'hawkular-metrics' not in
- hawkular_cassandra_truststore_aliases.stdout_lines
-
-- name: import the hawkular cassandra cert into the hawkular metrics truststore
- command: >
- keytool -noprompt -import -v -trustcacerts
- -alias hawkular-cassandra
- -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
- -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
- -storepass {{ hawkular_truststore_password.content | b64decode }}
- when: >
- 'hawkular-cassandra' not in
- hawkular_metrics_truststore_aliases.stdout_lines
-
-- name: import the hawkular cassandra cert into the cassandra truststore
- command: >
- keytool -noprompt -import -v -trustcacerts
- -alias hawkular-cassandra
- -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
- -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
- -storepass {{cassandra_truststore_password.content | b64decode }}
- when: >
- 'hawkular-cassandra' not in
- hawkular_cassandra_truststore_aliases.stdout_lines
-
-- name: import the ca certificate into the cassandra truststore
- command: >
- keytool -noprompt -import -v -trustcacerts
- -alias '{{ item }}'
- -file '{{ openshift_metrics_certs_dir }}/ca.crt'
- -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
- -storepass {{cassandra_truststore_password.content | b64decode }}
- with_items:
- - ca
- - metricca
- - cassandraca
- when: item not in hawkular_cassandra_truststore_aliases.stdout_lines
-
-- name: import the ca certificate into the hawkular metrics truststore
- command: >
- keytool -noprompt -import -v -trustcacerts
- -alias '{{ item }}'
- -file '{{ openshift_metrics_certs_dir }}/ca.crt'
- -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
- -storepass {{ hawkular_truststore_password.content | b64decode }}
- with_items:
- - ca
- - metricca
- - cassandraca
- when: item not in hawkular_metrics_truststore_aliases.stdout_lines
-
- name: generate password for hawkular metrics and jgroups
- shell: >
- tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
- > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
+ copy:
+ dest: '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
+ content: "{{ 15 | oo_random_word }}"
with_items:
- hawkular-metrics
- hawkular-jgroups-keystore
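Review bot: The rewritten `copy` task writes the hawkular-metrics and jgroups passwords to `{{ item }}.pwd` without a `mode:`, so the secret files are created with whatever the remote default permissions are; the old shell redirect had the same gap, but since the task is being rewritten it should set `mode: "0600"` next to `dest` and `content`. The password `copy` tasks in setup_certificate.yaml later in this commit have the same omission. The rest of this task (any `when` guard after `with_items`) lies past the end of the hunk, so whether it is still idempotent is not visible here.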
@@ -113,15 +36,7 @@
when: >
not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists
-- name: generate the jgroups keystore
- shell: >
- p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' )
- &&
- keytool -genseckey -alias hawkular
- -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS
- -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'
- when: >
- not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists
+- include: import_jks_certs.yaml
- name: read files for the hawkular-metrics secret
shell: >
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
new file mode 100644
index 000000000..f6bf6c1a6
--- /dev/null
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -0,0 +1,120 @@
+---
+- name: Check for jks-generator service account
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ get serviceaccount/jks-generator --no-headers
+ register: serviceaccount_result
+ ignore_errors: yes
+ when: not ansible_check_mode
+ changed_when: no
+
+- name: Create jks-generator service account
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ create serviceaccount jks-generator
+ when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
+
+- name: Check for hostmount-anyuid scc entry
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ get scc hostmount-anyuid
+ -o jsonpath='{.users}'
+ register: scc_result
+ when: not ansible_check_mode
+ changed_when: no
+
+- name: Add to hostmount-anyuid scc
+ command: >
+ {{ openshift.common.admin_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ policy add-scc-to-user hostmount-anyuid
+ -z jks-generator
+ when:
+ - not ansible_check_mode
+ - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1
+
+- name: Copy JKS generation script
+ copy:
+ src: import_jks_certs.sh
+ dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"
+ check_mode: no
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+ register: metrics_keystore_password
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+ register: cassandra_keystore_password
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+ register: jgroups_keystore_password
+
+- name: Generate JKS pod template
+ template:
+ src: jks_pod.j2
+ dest: "{{mktemp.stdout}}/jks_pod.yaml"
+ vars:
+ metrics_keystore_passwd: "{{metrics_keystore_password.content}}"
+ cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}"
+ metrics_truststore_passwd: "{{hawkular_truststore_password.content}}"
+ cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}"
+ jgroups_passwd: "{{jgroups_keystore_password.content}}"
+ check_mode: no
+ changed_when: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+ register: metrics_keystore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
+ register: cassandra_keystore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore"
+ register: cassandra_truststore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
+ register: metrics_truststore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore"
+ register: jgroups_keystore
+ check_mode: no
+
+- name: create JKS pod
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ create -f {{mktemp.stdout}}/jks_pod.yaml
+ -o name
+ register: podoutput
+ check_mode: no
+ when: not metrics_keystore.stat.exists or
+ not metrics_truststore.stat.exists or
+ not cassandra_keystore.stat.exists or
+ not cassandra_truststore.stat.exists or
+ not jgroups_keystore.stat.exists
+
+- command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ get {{podoutput.stdout}}
+ -o jsonpath='{.status.phase}'
+ register: result
+ until: result.stdout.find("Succeeded") != -1
+ retries: 5
+ delay: 10
+ changed_when: no
+ when: not metrics_keystore.stat.exists or
+ not metrics_truststore.stat.exists or
+ not cassandra_keystore.stat.exists or
+ not cassandra_truststore.stat.exists or
+ not jgroups_keystore.stat.exists
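Review bot: The `jks-generator` service account is added to the `hostmount-anyuid` SCC at the `policy add-scc-to-user` task but nothing removes it again, and the pod created from `jks_pod.yaml` is never deleted after the wait loop sees `Succeeded`, so a host-mount-capable account and a completed pod (presumably carrying the passwords passed to the template as vars) stay in the metrics project after this one-off job; add a `delete pod` / `remove-scc-from-user` pair after the final task, guarded by the same `when`. Separately, `ignore_errors: yes` on the service-account check swallows every failure while the create task only reacts to `"not found"` in stderr, so an auth or connectivity error leaves the account missing and surfaces later as an unrelated failure; `failed_when: serviceaccount_result.rc != 0 and "not found" not in serviceaccount_result.stderr` keeps the intended tolerance without masking everything. The five-way `when` on the last two tasks is duplicated verbatim; computing it once with `set_fact` after the `stat` tasks would keep both in sync.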
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 67d22cbc3..bab37dbfb 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -23,10 +23,10 @@
- name: Create objects
include: oc_apply.yaml
vars:
- kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
- namespace: "{{ openshift_metrics_project }}"
- file_name: "{{ item }}"
- file_content: "{{ lookup('file',item) | from_yaml }}"
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ namespace: "{{ openshift_metrics_project }}"
+ file_name: "{{ item }}"
+ file_content: "{{ lookup('file',item) | from_yaml }}"
with_fileglob:
- "{{ mktemp.stdout }}/templates/*.yaml"
diff --git a/roles/openshift_metrics/tasks/oc_apply.yaml b/roles/openshift_metrics/tasks/oc_apply.yaml
index c9154f206..dd67703b4 100644
--- a/roles/openshift_metrics/tasks/oc_apply.yaml
+++ b/roles/openshift_metrics/tasks/oc_apply.yaml
@@ -1,12 +1,13 @@
---
- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}}
command: >
- {{ openshift.common.client_binary }}
+ {{ openshift.common.client_binary }}
--config={{ kubeconfig }}
get {{file_content.kind}} {{file_content.metadata.name}}
- -o jsonpath='{.metadata.resourceVersion}'
+ -o jsonpath='{.metadata.resourceVersion}'
-n {{namespace}}
register: generation_init
+ failed_when: false
changed_when: no
- name: Applying {{file_name}}
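Review bot: `failed_when: false` on the generation check turns every `oc get` failure into an empty `generation_init.stdout`, so a bad kubeconfig or unreachable API is indistinguishable from an object that does not exist yet, and the `Applying` task (which starts here and continues past the hunk) will then run against a broken connection. Narrow it to the case the check actually expects, e.g. `failed_when: generation_init.rc != 0 and "not found" not in generation_init.stderr`, matching the `"not found"` test the new import_jks_certs.yaml uses for its service-account lookup; confirm the exact stderr wording of the client in use.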
@@ -22,7 +23,7 @@
command: >
{{ openshift.common.client_binary }} --config={{ kubeconfig }}
get {{file_content.kind}} {{file_content.metadata.name}}
- -o jsonpath='{.metadata.resourceVersion}'
+ -o jsonpath='{.metadata.resourceVersion}'
-n {{namespace}}
register: version_changed
vars:
diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml
index c185d3f88..5ca8f4462 100644
--- a/roles/openshift_metrics/tasks/setup_certificate.yaml
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml
@@ -26,11 +26,11 @@
- name: generate random password for the {{ component }} keystore
copy:
- content: "{{ 15 | oo_random_word }}"
- dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd'
+ content: "{{ 15 | oo_random_word }}"
+ dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'
when: >
not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists
-
+
- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd
register: keystore_password
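Review bot: The keystore password `dest` on the new side drops the `| quote` filter, but the `slurp` that reads the same file two lines later still applies `| quote` to both `openshift_metrics_certs_dir` and `component`, and the truststore password `dest` in the next hunk keeps it as well; `quote` is shell quoting, so for any value it wraps (spaces, quote characters) the writer and the reader would resolve to different paths. Make the expressions match: `- slurp: src={{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd` here and the same unfiltered form for the truststore `dest`. The `when` guards on these tasks already use the unfiltered form, so that is the spelling to standardise on.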
@@ -43,21 +43,10 @@
-password 'pass:{{keystore_password.content | b64decode }}'
when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists
-- name: create the {{ component }} keystore from the pkcs12 file
- command: >
- keytool -v -importkeystore
- -srckeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote }}.pkcs12'
- -srcstoretype PKCS12
- -destkeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote}}.keystore'
- -deststoretype JKS
- -deststorepass '{{keystore_password.content | b64decode }}'
- -srcstorepass '{{keystore_password.content | b64decode }}'
- when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists
-
- name: generate random password for the {{ component }} truststore
copy:
- content: "{{ 15 | oo_random_word }}"
- dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd'
+ content: "{{ 15 | oo_random_word }}"
+ dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd'
when: >
not
'{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists
diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml
index 524d4227b..bae181e3e 100644
--- a/roles/openshift_metrics/tasks/stop_metrics.yaml
+++ b/roles/openshift_metrics/tasks/stop_metrics.yaml
@@ -53,4 +53,3 @@
loop_control:
loop_var: object
when: metrics_cassandra_rc is defined
-