author | Bruno Barcarol Guimarães <bbarcaro@redhat.com> | 2016-12-05 16:34:32 +0000 |
committer | Jeff Cantrill <jcantril@redhat.com> | 2017-01-17 11:45:04 -0500 |
commit | b6ce0464142403785a7ba8eae664286082f4d30e (patch) | |
tree | 3673f52a387edc2894ac11c23fad1253b1f1c9be /roles/openshift_metrics/tasks | |
parent | f3f1f610c9e0fdf8115dd8ea61e647080ad42006 (diff) | |
Custom certificates (#5)
* Generate secrets on a persistent directory.
* Split certificate generation files.
* Custom certificates.
* Minor fixes.
- use `slurp` instead of `shell: base64`
- fix route hostname
* Updates on origin-metrics.
Diffstat (limited to 'roles/openshift_metrics/tasks')
6 files changed, 316 insertions, 257 deletions
diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml
index 9f6a3348e..92ce919a1 100644
--- a/roles/openshift_metrics/tasks/generate_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_certificates.yaml
@@ -1,233 +1,22 @@ --- -# TODO idempotency? -# TODO support providing custom certificates - name: create certificate output directory file: - path: "{{ mktemp.stdout }}/certs" + path: "{{ openshift_metrics_certs_dir }}" state: directory mode: 0700 +- name: list existing secrets + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + get secrets -o name + register: metrics_secrets + changed_when: false - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert - --key='{{ mktemp.stdout }}/certs/ca.key' - --cert='{{ mktemp.stdout }}/certs/ca.crt' - --serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --key='{{ openshift_metrics_certs_dir }}/ca.key' + --cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" -- name: generate heapster key/cert - command: > - {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/heapster.key' - --cert='{{ mktemp.stdout }}/certs/heapster.cert' - --hostnames=heapster - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' -# TODO maybe there's an easier way to get the service accounts' ca crt? 
-- name: get heapster service account secrets - shell: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get serviceaccount/default - --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' - | grep ^default-token- - register: sa_secret -- name: get heapster service account ca - command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get 'secret/{{ sa_secret.stdout }}' - --template '{{ '{{index .data "ca.crt"}}' }}' - register: sa_secret -- name: read files for the heapster secret - command: base64 --wrap 0 "{{ mktemp.stdout }}/certs/heapster.{{ item }}" - register: heapster_secret - with_items: - - cert - - key -- name: generate heapster secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml" - vars: - name: heapster-secrets - labels: - metrics-infra: heapster - data: - heapster.cert: "{{ heapster_secret.results[0].stdout }}" - heapster.key: "{{ heapster_secret.results[1].stdout }}" - heapster.client-ca: "{{ sa_secret.stdout }}" - heapster.allowed-users: "{{ openshift_metrics_heapster_allowed_users|b64encode }}" -- name: generate hawkular-metrics certificates - include: setup_certificate.yaml - vars: - component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" -- name: generate hawkular-cassandra certificates - include: setup_certificate.yaml - vars: - component: hawkular-cassandra - hostnames: hawkular-cassandra -# TODO keytool as dependency? move key/trust store generation to containers? 
-- name: import the hawkular metrics cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-metrics - -file '{{ mktemp.stdout|quote }}/certs/hawkular-metrics.cert' - -keystore '{{ mktemp.stdout|quote }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the hawkular cassandra cert into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" -- name: import the hawkular cassandra cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the ca certificate into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: import the ca certificate into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: generate password for htpasswd file for hawkular 
metrics - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_password -- name: generate password for hawkular metrics jgroups - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_jgroups_password -- name: generate htpasswd file for hawkular metrics - shell: > - htpasswd -cb - "{{ mktemp.stdout|quote }}/certs/hawkular-metrics.htpasswd" hawkular - '{{ hawkular_metrics_password.stdout }}' -- name: generate the jgroups keystore - command: > - keytool -genseckey -alias hawkular - -keypass {{ hawkular_metrics_jgroups_password.stdout }} - -storepass {{ hawkular_metrics_jgroups_password.stdout }} - -keyalg Blowfish -keysize 56 -storetype JCEKS - -keystore {{ mktemp.stdout }}/certs/hawkular-jgroups.keystore -- name: read files for the hawkular-metrics secret - command: > - base64 --wrap 0 "{{ mktemp.stdout }}/certs/{{ item }}" - register: hawkular_metrics_secret - with_items: - - hawkular-metrics.keystore - - hawkular-metrics-keystore.pwd - - hawkular-metrics.truststore - - hawkular-metrics-truststore.pwd - - hawkular-metrics.htpasswd - - hawkular-metrics.cert - - ca.crt - - hawkular-cassandra.keystore - - hawkular-cassandra-keystore.pwd - - hawkular-cassandra.truststore - - hawkular-cassandra-truststore.pwd - - hawkular-cassandra.pem - - hawkular-cassandra.cert - - hawkular-jgroups.keystore -- name: generate hawkular-metrics-secrets secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml" - vars: - name: hawkular-metrics-secrets - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.keystore: > - "{{ hawkular_metrics_secret.results[0].stdout }}" - hawkular-metrics.keystore.password: > - "{{ hawkular_metrics_secret.results[1].stdout }}" - hawkular-metrics.truststore: > - "{{ hawkular_metrics_secret.results[2].stdout }}" - hawkular-metrics.truststore.password: > - "{{ hawkular_metrics_secret.results[3].stdout }}" - 
hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" - hawkular-metrics.htpasswd.file: > - "{{ hawkular_metrics_secret.results[4].stdout }}" - hawkular-metrics.jgroups.keystore.password: > - "{{ hawkular_metrics_jgroups_password.stdout|b64encode }}" - hawkular-metrics.jgroups.keystore: > - "{{ hawkular_metrics_secret.results[13].stdout }}" - hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" -- name: generate hawkular-metrics-certificate secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" - vars: - name: hawkular-metrics-certificate - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.certificate: > - "{{ hawkular_metrics_secret.results[5].stdout }}" - hawkular-metrics-ca.certificate: > - "{{ hawkular_metrics_secret.results[6].stdout }}" -- name: generate hawkular-metrics-account secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" - vars: - name: hawkular-metrics-account - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" - hawkular-metrics.password: > - "{{ hawkular_metrics_password.stdout|b64encode }}" -- name: generate cassandra secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" - vars: - name: hawkular-cassandra-secrets - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.keystore: "{{ hawkular_metrics_secret.results[7].stdout }}" - cassandra.keystore.password: > - {{ hawkular_metrics_secret.results[8].stdout }} - cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" - cassandra.truststore: "{{ hawkular_metrics_secret.results[9].stdout }}" - cassandra.truststore.password: > - {{ hawkular_metrics_secret.results[10].stdout }} - cassandra.pem: "{{ hawkular_metrics_secret.results[10].stdout }}" -- name: generate cassandra-certificate secret template - 
template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" - vars: - name: hawkular-cassandra-certificate - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.certificate: > - {{ hawkular_metrics_secret.results[11].stdout }} - cassandra-ca.certificate: > - {{ hawkular_metrics_secret.results[7].stdout }} + when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists +- include: generate_heapster_certificates.yaml +- include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml new file mode 100644 index 000000000..4e032ca7e --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
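Review bot: The signer guard `when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists` checks only the key, so a run that is interrupted after `ca.key` is written but before `ca.crt` and `ca.serial.txt` exist will skip the `create-signer-cert` task on the next run, and every later `create-server-cert` in the included files then fails for lack of a signer cert; gating on all three outputs (e.g. `when: not ('.../ca.key'|exists and '.../ca.crt'|exists and '.../ca.serial.txt'|exists)`) keeps the persisted directory recoverable. Because `openshift_metrics_certs_dir` replaces the per-run `mktemp` location, the CA private key now outlives the playbook and the `mode: 0700` on the directory is its only protection; the role's defaults/README should state where the directory lives and that it must not be on a shared or world-readable path. The `{{ }}` delimiters inside `when:` expressions here and in the included files are also something Ansible warns about, since `when` is already a Jinja expression.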
@@ -0,0 +1,227 @@ +--- +- name: generate hawkular-metrics certificates + include: setup_certificate.yaml + vars: + component: hawkular-metrics + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" +- name: generate hawkular-cassandra certificates + include: setup_certificate.yaml + vars: + component: hawkular-cassandra + hostnames: hawkular-cassandra +- name: check existing aliases on the hawkular-cassandra truststore + shell: > + keytool -noprompt -list + -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + | sed -n '7~2s/,.*$//p' + register: hawkular_cassandra_truststore_aliases + changed_when: false +- name: check existing aliases on the hawkular-metrics truststore + shell: > + keytool -noprompt -list + -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + | sed -n '7~2s/,.*$//p' + register: hawkular_metrics_truststore_aliases + changed_when: false +- name: import the hawkular metrics cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-metrics + -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + when: > + 'hawkular-metrics' not in + hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the hawkular cassandra cert into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + 
when: > + 'hawkular-cassandra' not in + hawkular_metrics_truststore_aliases.stdout_lines +- name: import the hawkular cassandra cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + when: > + 'hawkular-cassandra' not in + hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the ca certificate into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ openshift_metrics_certs_dir }}/ca.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + with_items: + - ca + - metricca + - cassandraca + when: item not in hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the ca certificate into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ openshift_metrics_certs_dir }}/ca.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + with_items: + - ca + - metricca + - cassandraca + when: item not in hawkular_metrics_truststore_aliases.stdout_lines +- name: generate password for hawkular metrics and jgroups + shell: > + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + with_items: + - hawkular-metrics + - hawkular-jgroups-keystore + when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists +- name: generate htpasswd file for hawkular metrics + shell: > + htpasswd -ci + '{{ openshift_metrics_certs_dir 
}}/hawkular-metrics.htpasswd' hawkular + < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd' + when: > + not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists +- name: generate the jgroups keystore + shell: > + p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) + && + keytool -genseckey -alias hawkular + -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' + when: > + not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists +- name: read files for the hawkular-metrics secret + shell: > + printf '%s: ' '{{ item }}' + && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' + register: hawkular_secrets + with_items: + - ca.crt + - hawkular-metrics.crt + - hawkular-metrics.keystore + - hawkular-metrics-keystore.pwd + - hawkular-metrics.truststore + - hawkular-metrics-truststore.pwd + - hawkular-metrics.pwd + - hawkular-metrics.htpasswd + - hawkular-jgroups.keystore + - hawkular-jgroups-keystore.pwd + - hawkular-cassandra.crt + - hawkular-cassandra.pem + - hawkular-cassandra.keystore + - hawkular-cassandra-keystore.pwd + - hawkular-cassandra.truststore + - hawkular-cassandra-truststore.pwd + changed_when: false +- set_fact: + hawkular_secrets: | + {{ hawkular_secrets.results|map(attribute='stdout')|join(' + ')|from_yaml }} +- name: generate hawkular-metrics-secrets secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml" + vars: + name: hawkular-metrics-secrets + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.keystore: > + {{ hawkular_secrets['hawkular-metrics.keystore'] }} + hawkular-metrics.keystore.password: > + {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }} + hawkular-metrics.truststore: > + {{ hawkular_secrets['hawkular-metrics.truststore'] }} + hawkular-metrics.truststore.password: > + {{ 
hawkular_secrets['hawkular-metrics-truststore.pwd'] }} + hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" + hawkular-metrics.htpasswd.file: > + {{ hawkular_secrets['hawkular-metrics.htpasswd'] }} + hawkular-metrics.jgroups.keystore: > + {{ hawkular_secrets['hawkular-jgroups.keystore'] }} + hawkular-metrics.jgroups.keystore.password: > + {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }} + hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" + when: name not in metrics_secrets.stdout_lines +- name: generate hawkular-metrics-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" + vars: + name: hawkular-metrics-certificate + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.certificate: > + {{ hawkular_secrets['hawkular-metrics.crt'] }} + hawkular-metrics-ca.certificate: > + {{ hawkular_secrets['ca.crt'] }} + when: name not in metrics_secrets.stdout_lines +- name: generate hawkular-metrics-account secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" + vars: + name: hawkular-metrics-account + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" + hawkular-metrics.password: > + {{ hawkular_secrets['hawkular-metrics.pwd'] }} + when: name not in metrics_secrets.stdout_lines +- name: generate cassandra secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" + vars: + name: hawkular-cassandra-secrets + labels: + metrics-infra: hawkular-cassandra + data: + cassandra.keystore: > + {{ hawkular_secrets['hawkular-cassandra.keystore'] }} + cassandra.keystore.password: > + {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }} + cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" + cassandra.truststore: > + {{ hawkular_secrets['hawkular-cassandra.truststore'] }} + 
cassandra.truststore.password: > + {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }} + cassandra.pem: > + {{ hawkular_secrets['hawkular-cassandra.pem'] }} + when: name not in metrics_secrets +- name: generate cassandra-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" + vars: + name: hawkular-cassandra-certificate + labels: + metrics-infra: hawkular-cassandra + data: + cassandra.certificate: > + {{ hawkular_secrets['hawkular-cassandra.crt'] }} + cassandra-ca.certificate: > + {{ hawkular_secrets['hawkular-cassandra.pem'] }} + when: name not in metrics_secrets.stdout_lines diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml new file mode 100644 index 000000000..2fc449520 --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml 
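Review bot: The guards `when: name not in metrics_secrets.stdout_lines` on the five secret templates compare a bare name such as `hawkular-metrics-secrets` against the output of `get secrets -o name`, which is prefixed with `secret/`, so they never match and the secrets are re-templated on every run; the heapster file uses the form that works, `when: "'secret/hawkular-metrics-secrets' not in metrics_secrets.stdout_lines"`, and the cassandra secrets task additionally drops `.stdout_lines` (`when: name not in metrics_secrets`). The `read files for the hawkular-metrics secret` task and the following `set_fact` register base64 copies of every private key, keystore and password and Ansible prints registered results at `-v` or on failure, so both should carry `no_log: true` (the same applies to the heapster `slurp` in generate_heapster_certificates.yaml). The alias detection `sed -n '7~2s/,.*$//p'` depends on the exact line layout of `keytool -list`; if a JDK revision shifts the header, the alias lists come back empty and each import fails with an alias-exists error, so querying `keytool -list -alias <alias>` per alias and testing its exit status would be more robust.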
@@ -0,0 +1,39 @@ +--- +- name: generate heapster key/cert + command: > + {{ openshift.common.admin_binary }} ca create-server-cert + --key='{{ openshift_metrics_certs_dir }}/heapster.key' + --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' + --hostnames=heapster + --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' + --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + when: not '{{ openshift_metrics_certs_dir }}/heapster.key'|exists +- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines" + block: + - name: read files for the heapster secret + slurp: src={{ item }} + register: heapster_secret + with_items: + - "{{ openshift_metrics_certs_dir }}/heapster.cert" + - "{{ openshift_metrics_certs_dir }}/heapster.key" + - "{{ client_ca }}" + vars: + custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt" + default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt" + client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}" + - name: generate heapster secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml" + force: no + vars: + name: heapster-secrets + labels: + metrics-infra: heapster + data: + heapster.cert: "{{ heapster_secret.results[0].content }}" + heapster.key: "{{ heapster_secret.results[1].content }}" + heapster.client-ca: "{{ heapster_secret.results[2].content }}" + heapster.allowed-users: > + {{ openshift_metrics_heapster_allowed_users|b64encode }} diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 9a39cce34..d7a029fa8 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
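Review bot: The guard `when: not '{{ openshift_metrics_certs_dir }}/heapster.key'|exists` only asks whether the heapster key exists, not whether it was signed by the CA that is currently in the directory; if the signer is regenerated in generate_certificates.yaml (its own guard fires when `ca.key` is missing) while `heapster.key` survives, the old heapster cert is kept and no longer chains to the new `ca.crt`, so TLS between the components breaks without any task reporting a change. Registering the signer task (e.g. `register: metrics_ca`) and extending this guard to `or metrics_ca.changed` would regenerate the leaf certs whenever the CA is replaced; the same applies to the `{{ component }}.key` guard in setup_certificate.yaml. The `when` on the block correctly uses the `secret/` prefix that `get secrets -o name` emits, unlike the hawkular file.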
@@ -39,6 +39,9 @@ size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' +- name: read hawkular-metrics route destination ca certificate + slurp: src={{ openshift_metrics_certs_dir }}/ca.crt + register: metrics_route_dest_ca_cert - name: generate the hawkular-metrics route template: src: route.j2 @@ -47,11 +50,10 @@ name: hawkular-metrics labels: metrics-infra: hawkular-metrics - host: hawkular-metrics.example.com + host: "{{ openshift_metrics_hawkular_metrics_hostname }}" to: kind: Service name: hawkular-metrics tls: termination: reencrypt - destination_ca_certificate: > - {{ hawkular_metrics_secret.results[6].stdout|b64decode }} + destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}" diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 34b4a47fe..5d95fa112 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -11,7 +11,7 @@ file: path={{mktemp.stdout}}/templates state=directory mode=0755 changed_when: False +- include: generate_certificates.yaml - include: generate_serviceaccounts.yaml - include: generate_services.yaml -- include: generate_certificates.yaml - include: generate_rolebindings.yaml diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 46ac4ea7f..d6ee4167b 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
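Review bot: `slurp` returns `content` as base64, so `destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}"` hands the route template a base64 blob where the removed line explicitly applied `|b64decode` to get PEM; a route's `destinationCACertificate` is PEM text, and unless route.j2 (not visible here) decodes the value, the reencrypt route will fail to validate the hawkular-metrics backend. The one-line fix is `destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content|b64decode }}"`. Moving `host:` to `openshift_metrics_hawkular_metrics_hostname` also means that variable must agree with the `hostnames:` passed to setup_certificate.yaml for the hawkular-metrics cert, which this hunk does not check.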
@@ -2,49 +2,51 @@ - name: generate {{ component }} keys command: > {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/{{ component }}.key' - --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt' + --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' + --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' + --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists - name: generate {{ component }} certificate shell: > cat - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key' - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt' - > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.key' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.crt' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.pem' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore - shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - register: keystore_pwd -- name: create the password file for {{ component }} shell: > - echo '{{ keystore_pwd.stdout|quote }}' - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd' + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd' + when: > + not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ mktemp.stdout }}/certs/{{ 
component }}.pem' - -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter - -password 'pass:{{ keystore_pwd.stdout }}' + -password + 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: create the {{ component }} keystore from the pkcs12 file - command: > + shell: > + p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) + && keytool -v -importkeystore - -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -srckeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -srcstoretype PKCS12 - -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' + -destkeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore' -deststoretype JKS - -deststorepass '{{ keystore_pwd.stdout }}' - -srcstorepass '{{ keystore_pwd.stdout }}' -- name: create the {{ component }} certificate - command: > - keytool -noprompt -export - -alias '{{ component }}' - -file '{{ mktemp.stdout }}/certs/{{ component }}.cert' - -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' - -storepass '{{ keystore_pwd.stdout }}' + -deststorepass "$p" + -srcstorepass "$p" + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - name: generate random password for the {{ component }} truststore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-truststore.pwd' + when: > + not + '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists |
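Review bot: `p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd)` in the keystore task is a bash-only redirection; Ansible's `shell` module runs `/bin/sh`, and on hosts where that is dash the expansion yields an empty string, so the JKS keystore is silently created with an empty store password rather than the one in the `.pwd` file (the same construct is used for the truststore and jgroups passwords in generate_hawkular_certificates.yaml). Either set `args: executable: /bin/bash` on those tasks or use `p=$(cat '...-keystore.pwd')`, and note that `keytool` still receives the password on its command line where it is visible in the process list; keytool's `-srcstorepass:file` / `-deststorepass:file` forms would keep it out of argv in the same way the new `-password 'file:...'` does for openssl. The `.pem` file written by `cat ... > ....pem` contains the private key and gets the shell's default umask; the 0700 parent directory is its only protection, so a `umask 077 &&` prefix on that shell line would be a cheap defence in depth.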