| -rw-r--r-- | roles/lib_openshift/library/oc_adm_ca_server_cert.py | 153 | ||||
| -rw-r--r-- | roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 17 | ||||
| -rw-r--r-- | roles/lib_openshift/src/doc/ca_server_cert | 61 | 
3 files changed, 82 insertions, 149 deletions
| diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 19031f956..4c5c1f1ab 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -33,6 +33,7 @@
 from __future__ import print_function
 import atexit
+import copy
 import json
 import os
 import re
@@ -40,7 +41,11 @@ import shutil
 import subprocess
 import tempfile
 # pylint: disable=import-error
-import ruamel.yaml as yaml
+try:
+    import ruamel.yaml as yaml
+except ImportError:
+    import yaml
+
 from ansible.module_utils.basic import AnsibleModule
 # -*- -*- -*- End included fragment: lib/import.py -*- -*- -*-
@@ -49,18 +54,15 @@ from ansible.module_utils.basic import AnsibleModule
 DOCUMENTATION = '''
 ---
-module: oadm_ca
-short_description: Module to manage openshift certificate authority
+module: oc_adm_ca_server_cert
+short_description: Module to run openshift oc adm ca create-server-cert
 description:
-  - Wrapper around the openshift `oc adm ca` command.
+  - Wrapper around the openshift `oc adm ca create-server-cert` command.
 options:
   state:
     description:
     - Present is the only supported state.  The state present means that `oc adm ca` will generate a certificate
-    - When create-master-certs is desired then the following parameters are passed.
-    - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
-    - When create-key-pair is desired then the following parameters are passed.
-    - ['private_key', 'public_key']
+    - and verify if the hostnames and the ClusterIP exists in the certificate.
     - When create-server-cert is desired then the following parameters are passed.
     - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
     required: false 
@@ -80,22 +82,6 @@ options:
     required: false
     default: False
     aliases: []
-  cmd:
-    description:
-    - The sub command given for `oc adm ca`
-    required: false
-    default: None
-    choices:
-    - create-master-certs
-    - create-key-pair
-    - create-server-cert
-    aliases: []
-  cert_dir:
-    description:
-    - The certificate data directory.
-    required: false
-    default: None
-    aliases: []
   cert:
     description:
     - The certificate file. Choose a name that indicates what the service is.
@@ -132,43 +118,12 @@ options:
     required: false
     default: None
     aliases: []
-  public_key:
-    description:
-    - The public key file used with create-key-pair
-    required: false
-    default: None
-    aliases: []
-  private_key:
-    description:
-    - The private key file used with create-key-pair
-    required: false
-    default: None
-    aliases: []
-    
   hostnames:
     description:
     - Every hostname or IP that server certs should be valid for (comma-delimited list)
     required: false
     default: None
     aliases: []
-  master:
-    description:
-    - The API server's URL
-    required: false
-    default: None
-    aliases: []
-  public_master:
-    description:
-    - The API public facing server's URL (if applicable)
-    required: false
-    default: None
-    aliases: []
-  signer_name:
-    description:
-    - The name to use for the generated signer
-    required: false
-    default: None
-    aliases: []
 author:
 - "Kenny Woodson <kwoodson@redhat.com>"
 extends_documentation_fragment: []
@@ -176,8 +131,7 @@ extends_documentation_fragment: []
 EXAMPLES = '''
 - name: Create a self-signed cert
-  oadm_ca:
-    cmd: create-server-cert
+  oc_adm_ca_server_cert:
     signer_cert: /etc/origin/master/ca.crt
     signer_key: /etc/origin/master/ca.key
     signer_serial: /etc/origin/master/ca.serial.txt 
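Review bot: The state description in the first hunk still lists the parameters passed for create-server-cert as `['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']`, yet `run_ansible` (hunk at -1388) also passes `hostnames`, joined with commas, and hostnames are exactly what the newly added sentence says the module verifies. Add it so the documented contract matches the call, e.g. `- ['cert', 'key', 'hostnames', 'signer_cert', 'signer_key', 'signer_serial']`. The same list appears unchanged in the `src/doc/ca_server_cert` fragment, which is where the generated DOCUMENTATION block comes from.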
@@ -383,11 +337,15 @@ class Yedit(object):
         if self.backup and self.file_exists():
             shutil.copy(self.filename, self.filename + '.orig')
-        # pylint: disable=no-member
-        if hasattr(self.yaml_dict, 'fa'):
-            self.yaml_dict.fa.set_block_style()
+        if hasattr(yaml, 'RoundTripDumper'):
+            # pylint: disable=no-member
+            if hasattr(self.yaml_dict, 'fa'):
+                self.yaml_dict.fa.set_block_style()
-        Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
+            # pylint: disable=no-member
+            Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
+        else:
+            Yedit._write(self.filename, yaml.safe_dump(self.yaml_dict, default_flow_style=False))
         return (True, self.yaml_dict)
@@ -427,10 +385,16 @@ class Yedit(object):
         # check if it is yaml
         try:
             if content_type == 'yaml' and contents:
-                self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
+                # pylint: disable=no-member
+                if hasattr(yaml, 'RoundTripLoader'):
+                    self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
+                else:
+                    self.yaml_dict = yaml.safe_load(contents)
+
                 # pylint: disable=no-member
                 if hasattr(self.yaml_dict, 'fa'):
                     self.yaml_dict.fa.set_block_style()
+
             elif content_type == 'json' and contents:
                 self.yaml_dict = json.loads(contents)
         except yaml.YAMLError as err:
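Review bot: The `hasattr(yaml, 'RoundTripDumper')` / `hasattr(yaml, 'RoundTripLoader')` / `hasattr(yaml, 'round_trip_dump')` probe is written out separately in both hunks here and again in the hunks at -595, -613, -1059 and -1141, each with its own `# pylint: disable=no-member`. A single flag set once beside the new try/except in the import hunk, e.g. `HAS_RUAMEL = hasattr(yaml, 'RoundTripLoader')`, would let every site read `if HAS_RUAMEL:` and keep the dumper/loader choice in one place; since this library file is assembled from `src/` fragments, that edit presumably belongs in the `lib/import.py` fragment. The PyYAML branches correctly use `safe_load`/`safe_dump` rather than `yaml.load`, which matters because the contents come from files and cluster objects the module does not control. Both Yedit methods touched here start outside their hunks.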
@@ -595,12 +559,19 @@ class Yedit(object):
             return (False, self.yaml_dict)
         # deepcopy didn't work
-        tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
-                                                  default_flow_style=False),
-                             yaml.RoundTripLoader)
-        # pylint: disable=no-member
-        if hasattr(self.yaml_dict, 'fa'):
-            tmp_copy.fa.set_block_style()
+        if hasattr(yaml, 'round_trip_dump'):
+            # pylint: disable=no-member
+            tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
+                                                      default_flow_style=False),
+                                 yaml.RoundTripLoader)
+
+            # pylint: disable=no-member
+            if hasattr(self.yaml_dict, 'fa'):
+                tmp_copy.fa.set_block_style()
+
+        else:
+            tmp_copy = copy.deepcopy(self.yaml_dict)
+
         result = Yedit.add_entry(tmp_copy, path, value, self.separator)
         if not result:
             return (False, self.yaml_dict)
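Review bot: The `# deepcopy didn't work` comment kept above the new `if hasattr(yaml, 'round_trip_dump'):` now contradicts the `else:` branch directly beneath it, which does exactly that with `copy.deepcopy(self.yaml_dict)`. The same stale comment survives in the hunk at -613. Reword it to say what each branch is for, e.g. `# ruamel round-trip objects are copied by dump/load to keep their formatting (plain deepcopy did not work for them); PyYAML objects can simply be deepcopied`. The enclosing method starts outside the hunk.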
@@ -613,11 +584,17 @@ class Yedit(object):
         ''' create a yaml file '''
         if not self.file_exists():
             # deepcopy didn't work
-            tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False),  # noqa: E501
-                                 yaml.RoundTripLoader)
-            # pylint: disable=no-member
-            if hasattr(self.yaml_dict, 'fa'):
-                tmp_copy.fa.set_block_style()
+            if hasattr(yaml, 'round_trip_dump'):
+                # pylint: disable=no-member
+                tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False),  # noqa: E501
+                                     yaml.RoundTripLoader)
+
+                # pylint: disable=no-member
+                if hasattr(self.yaml_dict, 'fa'):
+                    tmp_copy.fa.set_block_style()
+            else:
+                tmp_copy = copy.deepcopy(self.yaml_dict)
+
             result = Yedit.add_entry(tmp_copy, path, value, self.separator)
             if result:
                 self.yaml_dict = tmp_copy
@@ -1059,7 +1036,12 @@ class Utils(object):
         tmp = Utils.create_tmpfile(prefix=rname)
         if ftype == 'yaml':
-            Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
+            # pylint: disable=no-member
+            if hasattr(yaml, 'RoundTripDumper'):
+                Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
+            else:
+                Utils._write(tmp, yaml.safe_dump(data, default_flow_style=False))
+
         elif ftype == 'json':
             Utils._write(tmp, json.dumps(data))
         else:
@@ -1141,7 +1123,11 @@ class Utils(object):
             contents = sfd.read()
         if sfile_type == 'yaml':
-            contents = yaml.load(contents, yaml.RoundTripLoader)
+            # pylint: disable=no-member
+            if hasattr(yaml, 'RoundTripLoader'):
+                contents = yaml.load(contents, yaml.RoundTripLoader)
+            else:
+                contents = yaml.safe_load(contents)
         elif sfile_type == 'json':
             contents = json.loads(contents)
@@ -1328,16 +1314,15 @@ class OpenShiftCLIConfig(object):
 # -*- -*- -*- Begin included fragment: class/oc_adm_ca_server_cert.py -*- -*- -*-
 class CAServerCertConfig(OpenShiftCLIConfig):
-    ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
-    def __init__(self, cmd, kubeconfig, verbose, ca_options):
+    ''' CAServerCertConfig is a DTO for the oc adm ca command '''
+    def __init__(self, kubeconfig, verbose, ca_options):
         super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
-        self.cmd = cmd
         self.kubeconfig = kubeconfig
         self.verbose = verbose
         self._ca = ca_options
 class CAServerCert(OpenShiftCLI):
-    ''' Class to wrap the oc command line tools '''
+    ''' Class to wrap the oc adm ca create-server-cert command line'''
     def __init__(self,
                  config,
                  verbose=False):
@@ -1358,11 +1343,10 @@ class CAServerCert(OpenShiftCLI):
         return None
     def create(self):
-        '''run openshift ca cmd'''
+        '''run openshift oc adm ca create-server-cert cmd'''
         options = self.config.to_option_list()
-        cmd = ['ca']
-        cmd.append(self.config.cmd)
+        cmd = ['ca', 'create-server-cert']
         cmd.extend(options)
         return self.openshift_cmd(cmd, oadm=True)
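Review bot: `super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)` in `CAServerCertConfig.__init__` (hunk at -1328) names a class that is not defined in any hunk shown and, given that the commit renames the docstring and signature of this very class to `CAServerCertConfig`, most likely nowhere in the file; if so, every call from `run_ansible` will fail with `NameError` before a certificate is touched. Change it to `super(CAServerCertConfig, self).__init__('ca', None, kubeconfig, ca_options)`. The identical line sits in the `src/class/oc_adm_ca_server_cert.py` hunk at @@ -1, which is the fragment the library file is generated from, so the fix belongs there as well.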
@@ -1374,6 +1358,8 @@ class CAServerCert(OpenShiftCLI):
         if not os.path.exists(cert_path):
             return False
+        # Would prefer pyopenssl but is not installed.  
+        # When we verify it is, switch this code
         proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
                                 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         stdout, stderr = proc.communicate()
@@ -1388,8 +1374,7 @@ class CAServerCert(OpenShiftCLI):
     def run_ansible(params, check_mode):
         '''run the idempotent ansible code'''
-        config = CAServerCertConfig(params['cmd'],
-                                    params['kubeconfig'],
+        config = CAServerCertConfig(params['kubeconfig'],
                                     params['debug'],
                                     {'cert':          {'value': params['cert'], 'include': True},
                                      'hostnames':     {'value': ','.join(params['hostnames']), 'include': True},
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index 92505c08e..162f606f7 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py 
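Review bot: The probe `openssl x509 -noout -subject` in the first hunk only prints the subject DN, while the hostnames and IPs given to `oc adm ca create-server-cert --hostnames` are normally carried in the Subject Alternative Name extension, which this output does not include; if the comparison that follows (outside the hunk) relies on this output alone, a cert whose SAN list no longer matches `params['hostnames']` would still look current and the module would report no change. Consider `['openssl', 'x509', '-noout', '-text', '-in', cert_path]` and reading the `X509v3 Subject Alternative Name` block, until the pyopenssl switch the new comment anticipates is made. The added comment line also carries trailing whitespace after `installed.`, here and in the `src/class` hunk at @@ -47. The enclosing method starts and ends outside the hunk.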
@@ -1,16 +1,15 @@
 # pylint: skip-file
 class CAServerCertConfig(OpenShiftCLIConfig):
-    ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
-    def __init__(self, cmd, kubeconfig, verbose, ca_options):
+    ''' CAServerCertConfig is a DTO for the oc adm ca command '''
+    def __init__(self, kubeconfig, verbose, ca_options):
         super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
-        self.cmd = cmd
         self.kubeconfig = kubeconfig
         self.verbose = verbose
         self._ca = ca_options
 class CAServerCert(OpenShiftCLI):
-    ''' Class to wrap the oc command line tools '''
+    ''' Class to wrap the oc adm ca create-server-cert command line'''
     def __init__(self,
                  config,
                  verbose=False):
@@ -31,11 +30,10 @@ class CAServerCert(OpenShiftCLI):
         return None
     def create(self):
-        '''run openshift ca cmd'''
+        '''run openshift oc adm ca create-server-cert cmd'''
         options = self.config.to_option_list()
-        cmd = ['ca']
-        cmd.append(self.config.cmd)
+        cmd = ['ca', 'create-server-cert']
         cmd.extend(options)
         return self.openshift_cmd(cmd, oadm=True)
@@ -47,6 +45,8 @@ class CAServerCert(OpenShiftCLI):
         if not os.path.exists(cert_path):
             return False
+        # Would prefer pyopenssl but is not installed.  
+        # When we verify it is, switch this code
         proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
                                 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         stdout, stderr = proc.communicate()
@@ -61,8 +61,7 @@ class CAServerCert(OpenShiftCLI):
     def run_ansible(params, check_mode):
         '''run the idempotent ansible code'''
-        config = CAServerCertConfig(params['cmd'],
-                                    params['kubeconfig'],
+        config = CAServerCertConfig(params['kubeconfig'],
                                     params['debug'],
                                     {'cert':          {'value': params['cert'], 'include': True},
                                      'hostnames':     {'value': ','.join(params['hostnames']), 'include': True},
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index bf299f0cb..401caf1fc 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -3,18 +3,15 @@
 DOCUMENTATION = '''
 ---
-module: oadm_ca
-short_description: Module to manage openshift certificate authority
+module: oc_adm_ca_server_cert
+short_description: Module to run openshift oc adm ca create-server-cert
 description:
-  - Wrapper around the openshift `oc adm ca` command.
+  - Wrapper around the openshift `oc adm ca create-server-cert` command.
 options:
   state:
     description:
     - Present is the only supported state.  The state present means that `oc adm ca` will generate a certificate
-    - When create-master-certs is desired then the following parameters are passed.
-    - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
-    - When create-key-pair is desired then the following parameters are passed.
-    - ['private_key', 'public_key']
+    - and verify if the hostnames and the ClusterIP exists in the certificate.
     - When create-server-cert is desired then the following parameters are passed.
     - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
     required: false 
@@ -34,22 +31,6 @@ options:
     required: false
     default: False
     aliases: []
-  cmd:
-    description:
-    - The sub command given for `oc adm ca`
-    required: false
-    default: None
-    choices:
-    - create-master-certs
-    - create-key-pair
-    - create-server-cert
-    aliases: []
-  cert_dir:
-    description:
-    - The certificate data directory.
-    required: false
-    default: None
-    aliases: []
   cert:
     description:
     - The certificate file. Choose a name that indicates what the service is.
@@ -86,43 +67,12 @@ options:
     required: false
     default: None
     aliases: []
-  public_key:
-    description:
-    - The public key file used with create-key-pair
-    required: false
-    default: None
-    aliases: []
-  private_key:
-    description:
-    - The private key file used with create-key-pair
-    required: false
-    default: None
-    aliases: []
-    
   hostnames:
     description:
     - Every hostname or IP that server certs should be valid for (comma-delimited list)
     required: false
     default: None
     aliases: []
-  master:
-    description:
-    - The API server's URL
-    required: false
-    default: None
-    aliases: []
-  public_master:
-    description:
-    - The API public facing server's URL (if applicable)
-    required: false
-    default: None
-    aliases: []
-  signer_name:
-    description:
-    - The name to use for the generated signer
-    required: false
-    default: None
-    aliases: []
 author:
 - "Kenny Woodson <kwoodson@redhat.com>"
 extends_documentation_fragment: []
@@ -130,8 +80,7 @@ extends_documentation_fragment: []
 EXAMPLES = '''
 - name: Create a self-signed cert
-  oadm_ca:
-    cmd: create-server-cert
+  oc_adm_ca_server_cert:
     signer_cert: /etc/origin/master/ca.crt
     signer_key: /etc/origin/master/ca.key
     signer_serial: /etc/origin/master/ca.serial.txt |
