From 0460d54961753bc3bdab4038a1946de08d11097c Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Sun, 12 Feb 2017 22:33:45 -0500
Subject: Adding oadm_ca to lib_openshift.
---
roles/lib_openshift/library/oadm_ca.py | 1445 ++++++++++++++++++++++++++++++++
1 file changed, 1445 insertions(+)
create mode 100644 roles/lib_openshift/library/oadm_ca.py
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oadm_ca.py b/roles/lib_openshift/library/oadm_ca.py
new file mode 100644
index 000000000..30490cc40
--- /dev/null
+++ b/roles/lib_openshift/library/oadm_ca.py
@@ -0,0 +1,1445 @@
+#!/usr/bin/env python
+# pylint: disable=missing-docstring
+# flake8: noqa: T001
+# ___ ___ _ _ ___ ___ _ _____ ___ ___
+# / __| __| \| | __| _ \ /_\_ _| __| \
+# | (_ | _|| .` | _|| / / _ \| | | _|| |) |
+# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____
+# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _|
+# | |) | (_) | | .` | (_) || | | _|| |) | | | |
+# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_|
+#
+# Copyright 2016 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*-
+'''
+ OpenShiftCLI class that wraps the oc commands in a subprocess
+'''
+# pylint: disable=too-many-lines
+
+from __future__ import print_function
+import atexit
+import json
+import os
+import re
+import shutil
+import subprocess
+import tempfile
+# pylint: disable=import-error
+import ruamel.yaml as yaml
+from ansible.module_utils.basic import AnsibleModule
+
+# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: doc/certificate_authority -*- -*- -*-
+
+DOCUMENTATION = '''
+---
+module: oc_secret
+short_description: Module to manage openshift certificate authority
+description:
+ - Wrapper around the openshift `oc adm ca` command.
+options:
+ state:
+ description:
+ - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
+ - When create-master-certs is desired then the following parameters are passed.
+ - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
+ - When create-key-pair is desired then the following parameters are passed.
+ - ['private_key', 'public_key']
+ - When create-server-cert is desired then the following parameters are passed.
+ - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
+ required: false
+ default: present
+ choices: ["present"]
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ cmd:
+ description:
+ - The sub command given for `oc adm ca`
+ required: false
+ default: None
+ choices:
+ - create-master-certs
+ - create-key-pair
+ - create-server-cert
+ aliases: []
+ cert_dir:
+ description:
+ - The directory to place the certificates.
+ required: false
+ default: False
+ aliases: []
+author:
+- "Kenny Woodson <kwoodson@redhat.com>"
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: create secret
+ oc_secret:
+ state: present
+ namespace: openshift-infra
+ name: metrics-deployer
+ files:
+ - name: nothing
+ path: /dev/null
+ register: secretout
+ run_once: true
+
+- name: get ca from hawkular
+ oc_secret:
+ state: list
+ namespace: openshift-infra
+ name: hawkular-metrics-certificate
+ decode: True
+ register: hawkout
+ run_once: true
+
+- name: Create secrets
+ oc_secret:
+ namespace: mynamespace
+ name: mysecrets
+ contents:
+ - path: data.yml
+ data: "{{ data_content }}"
+ - path: auth-keys
+ data: "{{ auth_keys_content }}"
+ - path: configdata.yml
+ data: "{{ configdata_content }}"
+ - path: cert.crt
+ data: "{{ cert_content }}"
+ - path: key.pem
+ data: "{{ osso_site_key_content }}"
+ - path: ca.cert.pem
+ data: "{{ ca_cert_content }}"
+ register: secretout
+'''
+
+# -*- -*- -*- End included fragment: doc/certificate_authority -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
+# noqa: E301,E302
+
+
+class YeditException(Exception):
+ ''' Exception class for Yedit '''
+ pass
+
+
+# pylint: disable=too-many-public-methods
+class Yedit(object):
+ ''' Class to modify yaml files '''
+ re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$"
+ re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)"
+ com_sep = set(['.', '#', '|', ':'])
+
+ # pylint: disable=too-many-arguments
+ def __init__(self,
+ filename=None,
+ content=None,
+ content_type='yaml',
+ separator='.',
+ backup=False):
+ self.content = content
+ self._separator = separator
+ self.filename = filename
+ self.__yaml_dict = content
+ self.content_type = content_type
+ self.backup = backup
+ self.load(content_type=self.content_type)
+ if self.__yaml_dict is None:
+ self.__yaml_dict = {}
+
+ @property
+ def separator(self):
+ ''' getter method for yaml_dict '''
+ return self._separator
+
+ @separator.setter
+ def separator(self):
+ ''' getter method for yaml_dict '''
+ return self._separator
+
+ @property
+ def yaml_dict(self):
+ ''' getter method for yaml_dict '''
+ return self.__yaml_dict
+
+ @yaml_dict.setter
+ def yaml_dict(self, value):
+ ''' setter method for yaml_dict '''
+ self.__yaml_dict = value
+
+ @staticmethod
+ def parse_key(key, sep='.'):
+ '''parse the key allowing the appropriate separator'''
+ common_separators = list(Yedit.com_sep - set([sep]))
+ return re.findall(Yedit.re_key % ''.join(common_separators), key)
+
+ @staticmethod
+ def valid_key(key, sep='.'):
+ '''validate the incoming key'''
+ common_separators = list(Yedit.com_sep - set([sep]))
+ if not re.match(Yedit.re_valid_key % ''.join(common_separators), key):
+ return False
+
+ return True
+
+ @staticmethod
+ def remove_entry(data, key, sep='.'):
+ ''' remove data at location key '''
+ if key == '' and isinstance(data, dict):
+ data.clear()
+ return True
+ elif key == '' and isinstance(data, list):
+ del data[:]
+ return True
+
+ if not (key and Yedit.valid_key(key, sep)) and \
+ isinstance(data, (list, dict)):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes[:-1]:
+ if dict_key and isinstance(data, dict):
+ data = data.get(dict_key, None)
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ # process last index for remove
+ # expected list entry
+ if key_indexes[-1][0]:
+ if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
+ del data[int(key_indexes[-1][0])]
+ return True
+
+ # expected dict entry
+ elif key_indexes[-1][1]:
+ if isinstance(data, dict):
+ del data[key_indexes[-1][1]]
+ return True
+
+ @staticmethod
+ def add_entry(data, key, item=None, sep='.'):
+ ''' Get an item from a dictionary with key notation a.b.c
+ d = {'a': {'b': 'c'}}}
+ key = a#b
+ return c
+ '''
+ if key == '':
+ pass
+ elif (not (key and Yedit.valid_key(key, sep)) and
+ isinstance(data, (list, dict))):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes[:-1]:
+ if dict_key:
+ if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501
+ data = data[dict_key]
+ continue
+
+ elif data and not isinstance(data, dict):
+ return None
+
+ data[dict_key] = {}
+ data = data[dict_key]
+
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ if key == '':
+ data = item
+
+ # process last index for add
+ # expected list entry
+ elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
+ data[int(key_indexes[-1][0])] = item
+
+ # expected dict entry
+ elif key_indexes[-1][1] and isinstance(data, dict):
+ data[key_indexes[-1][1]] = item
+
+ return data
+
+ @staticmethod
+ def get_entry(data, key, sep='.'):
+ ''' Get an item from a dictionary with key notation a.b.c
+ d = {'a': {'b': 'c'}}}
+ key = a.b
+ return c
+ '''
+ if key == '':
+ pass
+ elif (not (key and Yedit.valid_key(key, sep)) and
+ isinstance(data, (list, dict))):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes:
+ if dict_key and isinstance(data, dict):
+ data = data.get(dict_key, None)
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ return data
+
+ @staticmethod
+ def _write(filename, contents):
+ ''' Actually write the file contents to disk. This helps with mocking. '''
+
+ tmp_filename = filename + '.yedit'
+
+ with open(tmp_filename, 'w') as yfd:
+ yfd.write(contents)
+
+ os.rename(tmp_filename, filename)
+
+ def write(self):
+ ''' write to file '''
+ if not self.filename:
+ raise YeditException('Please specify a filename.')
+
+ if self.backup and self.file_exists():
+ shutil.copy(self.filename, self.filename + '.orig')
+
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ self.yaml_dict.fa.set_block_style()
+
+ Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
+
+ return (True, self.yaml_dict)
+
+ def read(self):
+ ''' read from file '''
+ # check if it exists
+ if self.filename is None or not self.file_exists():
+ return None
+
+ contents = None
+ with open(self.filename) as yfd:
+ contents = yfd.read()
+
+ return contents
+
+ def file_exists(self):
+ ''' return whether file exists '''
+ if os.path.exists(self.filename):
+ return True
+
+ return False
+
+ def load(self, content_type='yaml'):
+ ''' return yaml file '''
+ contents = self.read()
+
+ if not contents and not self.content:
+ return None
+
+ if self.content:
+ if isinstance(self.content, dict):
+ self.yaml_dict = self.content
+ return self.yaml_dict
+ elif isinstance(self.content, str):
+ contents = self.content
+
+ # check if it is yaml
+ try:
+ if content_type == 'yaml' and contents:
+ self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ self.yaml_dict.fa.set_block_style()
+ elif content_type == 'json' and contents:
+ self.yaml_dict = json.loads(contents)
+ except yaml.YAMLError as err:
+ # Error loading yaml or json
+ raise YeditException('Problem with loading yaml file. %s' % err)
+
+ return self.yaml_dict
+
+ def get(self, key):
+ ''' get a specified key'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, key, self.separator)
+ except KeyError:
+ entry = None
+
+ return entry
+
+ def pop(self, path, key_or_item):
+ ''' remove a key, value pair from a dict or an item for a list'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ return (False, self.yaml_dict)
+
+ if isinstance(entry, dict):
+ # pylint: disable=no-member,maybe-no-member
+ if key_or_item in entry:
+ entry.pop(key_or_item)
+ return (True, self.yaml_dict)
+ return (False, self.yaml_dict)
+
+ elif isinstance(entry, list):
+ # pylint: disable=no-member,maybe-no-member
+ ind = None
+ try:
+ ind = entry.index(key_or_item)
+ except ValueError:
+ return (False, self.yaml_dict)
+
+ entry.pop(ind)
+ return (True, self.yaml_dict)
+
+ return (False, self.yaml_dict)
+
+ def delete(self, path):
+ ''' remove path from a dict'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ return (False, self.yaml_dict)
+
+ result = Yedit.remove_entry(self.yaml_dict, path, self.separator)
+ if not result:
+ return (False, self.yaml_dict)
+
+ return (True, self.yaml_dict)
+
+ def exists(self, path, value):
+ ''' check if value exists at path'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if isinstance(entry, list):
+ if value in entry:
+ return True
+ return False
+
+ elif isinstance(entry, dict):
+ if isinstance(value, dict):
+ rval = False
+ for key, val in value.items():
+ if entry[key] != val:
+ rval = False
+ break
+ else:
+ rval = True
+ return rval
+
+ return value in entry
+
+ return entry == value
+
+ def append(self, path, value):
+ '''append value to a list'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ self.put(path, [])
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ if not isinstance(entry, list):
+ return (False, self.yaml_dict)
+
+ # pylint: disable=no-member,maybe-no-member
+ entry.append(value)
+ return (True, self.yaml_dict)
+
+ # pylint: disable=too-many-arguments
+ def update(self, path, value, index=None, curr_value=None):
+ ''' put path, value into a dict '''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if isinstance(entry, dict):
+ # pylint: disable=no-member,maybe-no-member
+ if not isinstance(value, dict):
+ raise YeditException('Cannot replace key, value entry in ' +
+ 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501
+
+ entry.update(value)
+ return (True, self.yaml_dict)
+
+ elif isinstance(entry, list):
+ # pylint: disable=no-member,maybe-no-member
+ ind = None
+ if curr_value:
+ try:
+ ind = entry.index(curr_value)
+ except ValueError:
+ return (False, self.yaml_dict)
+
+ elif index is not None:
+ ind = index
+
+ if ind is not None and entry[ind] != value:
+ entry[ind] = value
+ return (True, self.yaml_dict)
+
+ # see if it exists in the list
+ try:
+ ind = entry.index(value)
+ except ValueError:
+ # doesn't exist, append it
+ entry.append(value)
+ return (True, self.yaml_dict)
+
+ # already exists, return
+ if ind is not None:
+ return (False, self.yaml_dict)
+ return (False, self.yaml_dict)
+
+ def put(self, path, value):
+ ''' put path, value into a dict '''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry == value:
+ return (False, self.yaml_dict)
+
+ # deepcopy didn't work
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
+ default_flow_style=False),
+ yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+ result = Yedit.add_entry(tmp_copy, path, value, self.separator)
+ if not result:
+ return (False, self.yaml_dict)
+
+ self.yaml_dict = tmp_copy
+
+ return (True, self.yaml_dict)
+
+ def create(self, path, value):
+ ''' create a yaml file '''
+ if not self.file_exists():
+ # deepcopy didn't work
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501
+ yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+ result = Yedit.add_entry(tmp_copy, path, value, self.separator)
+ if result:
+ self.yaml_dict = tmp_copy
+ return (True, self.yaml_dict)
+
+ return (False, self.yaml_dict)
+
+ @staticmethod
+ def get_curr_value(invalue, val_type):
+ '''return the current value'''
+ if invalue is None:
+ return None
+
+ curr_value = invalue
+ if val_type == 'yaml':
+ curr_value = yaml.load(invalue)
+ elif val_type == 'json':
+ curr_value = json.loads(invalue)
+
+ return curr_value
+
+ @staticmethod
+ def parse_value(inc_value, vtype=''):
+ '''determine value type passed'''
+ true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE',
+ 'on', 'On', 'ON', ]
+ false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE',
+ 'off', 'Off', 'OFF']
+
+ # It came in as a string but you didn't specify value_type as string
+ # we will convert to bool if it matches any of the above cases
+ if isinstance(inc_value, str) and 'bool' in vtype:
+ if inc_value not in true_bools and inc_value not in false_bools:
+ raise YeditException('Not a boolean type. str=[%s] vtype=[%s]'
+ % (inc_value, vtype))
+ elif isinstance(inc_value, bool) and 'str' in vtype:
+ inc_value = str(inc_value)
+
+ # If vtype is not str then go ahead and attempt to yaml load it.
+ if isinstance(inc_value, str) and 'str' not in vtype:
+ try:
+ inc_value = yaml.load(inc_value)
+ except Exception:
+ raise YeditException('Could not determine type of incoming ' +
+ 'value. value=[%s] vtype=[%s]'
+ % (type(inc_value), vtype))
+
+ return inc_value
+
+ # pylint: disable=too-many-return-statements,too-many-branches
+ @staticmethod
+ def run_ansible(module):
+ '''perform the idempotent crud operations'''
+ yamlfile = Yedit(filename=module.params['src'],
+ backup=module.params['backup'],
+ separator=module.params['separator'])
+
+ if module.params['src']:
+ rval = yamlfile.load()
+
+ if yamlfile.yaml_dict is None and \
+ module.params['state'] != 'present':
+ return {'failed': True,
+ 'msg': 'Error opening file [%s]. Verify that the ' +
+ 'file exists, that it is has correct' +
+ ' permissions, and is valid yaml.'}
+
+ if module.params['state'] == 'list':
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+ yamlfile.yaml_dict = content
+
+ if module.params['key']:
+ rval = yamlfile.get(module.params['key']) or {}
+
+ return {'changed': False, 'result': rval, 'state': "list"}
+
+ elif module.params['state'] == 'absent':
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+ yamlfile.yaml_dict = content
+
+ if module.params['update']:
+ rval = yamlfile.pop(module.params['key'],
+ module.params['value'])
+ else:
+ rval = yamlfile.delete(module.params['key'])
+
+ if rval[0] and module.params['src']:
+ yamlfile.write()
+
+ return {'changed': rval[0], 'result': rval[1], 'state': "absent"}
+
+ elif module.params['state'] == 'present':
+ # check if content is different than what is in the file
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+
+ # We had no edits to make and the contents are the same
+ if yamlfile.yaml_dict == content and \
+ module.params['value'] is None:
+ return {'changed': False,
+ 'result': yamlfile.yaml_dict,
+ 'state': "present"}
+
+ yamlfile.yaml_dict = content
+
+ # we were passed a value; parse it
+ if module.params['value']:
+ value = Yedit.parse_value(module.params['value'],
+ module.params['value_type'])
+ key = module.params['key']
+ if module.params['update']:
+ # pylint: disable=line-too-long
+ curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501
+ module.params['curr_value_format']) # noqa: E501
+
+ rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501
+
+ elif module.params['append']:
+ rval = yamlfile.append(key, value)
+ else:
+ rval = yamlfile.put(key, value)
+
+ if rval[0] and module.params['src']:
+ yamlfile.write()
+
+ return {'changed': rval[0],
+ 'result': rval[1], 'state': "present"}
+
+ # no edits to make
+ if module.params['src']:
+ # pylint: disable=redefined-variable-type
+ rval = yamlfile.write()
+ return {'changed': rval[0],
+ 'result': rval[1],
+ 'state': "present"}
+
+ return {'failed': True, 'msg': 'Unkown state passed'}
+
+# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*-
+# pylint: disable=too-many-lines
+# noqa: E301,E302,E303,T001
+
+
+class OpenShiftCLIError(Exception):
+ '''Exception class for openshiftcli'''
+ pass
+
+
+# pylint: disable=too-few-public-methods
+class OpenShiftCLI(object):
+ ''' Class to wrap the command line tools '''
+ def __init__(self,
+ namespace,
+ kubeconfig='/etc/origin/master/admin.kubeconfig',
+ verbose=False,
+ all_namespaces=False):
+ ''' Constructor for OpenshiftCLI '''
+ self.namespace = namespace
+ self.verbose = verbose
+ self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig)
+ self.all_namespaces = all_namespaces
+
+ # Pylint allows only 5 arguments to be passed.
+ # pylint: disable=too-many-arguments
+ def _replace_content(self, resource, rname, content, force=False, sep='.'):
+ ''' replace the current object with the content '''
+ res = self._get(resource, rname)
+ if not res['results']:
+ return res
+
+ fname = Utils.create_tmpfile(rname + '-')
+
+ yed = Yedit(fname, res['results'][0], separator=sep)
+ changes = []
+ for key, value in content.items():
+ changes.append(yed.put(key, value))
+
+ if any([change[0] for change in changes]):
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self._replace(fname, force)
+
+ return {'returncode': 0, 'updated': False}
+
+ def _replace(self, fname, force=False):
+ '''replace the current object with oc replace'''
+ cmd = ['replace', '-f', fname]
+ if force:
+ cmd.append('--force')
+ return self.openshift_cmd(cmd)
+
+ def _create_from_content(self, rname, content):
+ '''create a temporary file and then call oc create on it'''
+ fname = Utils.create_tmpfile(rname + '-')
+ yed = Yedit(fname, content=content)
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self._create(fname)
+
+ def _create(self, fname):
+ '''call oc create on a filename'''
+ return self.openshift_cmd(['create', '-f', fname])
+
+ def _delete(self, resource, rname, selector=None):
+ '''call oc delete on a resource'''
+ cmd = ['delete', resource, rname]
+ if selector:
+ cmd.append('--selector=%s' % selector)
+
+ return self.openshift_cmd(cmd)
+
+ def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501
+ '''process a template
+
+ template_name: the name of the template to process
+ create: whether to send to oc create after processing
+ params: the parameters for the template
+ template_data: the incoming template's data; instead of a file
+ '''
+ cmd = ['process']
+ if template_data:
+ cmd.extend(['-f', '-'])
+ else:
+ cmd.append(template_name)
+ if params:
+ param_str = ["%s=%s" % (key, value) for key, value in params.items()]
+ cmd.append('-v')
+ cmd.extend(param_str)
+
+ results = self.openshift_cmd(cmd, output=True, input_data=template_data)
+
+ if results['returncode'] != 0 or not create:
+ return results
+
+ fname = Utils.create_tmpfile(template_name + '-')
+ yed = Yedit(fname, results['results'])
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self.openshift_cmd(['create', '-f', fname])
+
+ def _get(self, resource, rname=None, selector=None):
+ '''return a resource by name '''
+ cmd = ['get', resource]
+ if selector:
+ cmd.append('--selector=%s' % selector)
+ elif rname:
+ cmd.append(rname)
+
+ cmd.extend(['-o', 'json'])
+
+ rval = self.openshift_cmd(cmd, output=True)
+
+ # Ensure results are retuned in an array
+ if 'items' in rval:
+ rval['results'] = rval['items']
+ elif not isinstance(rval['results'], list):
+ rval['results'] = [rval['results']]
+
+ return rval
+
+ def _schedulable(self, node=None, selector=None, schedulable=True):
+ ''' perform oadm manage-node scheduable '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ cmd.append('--schedulable=%s' % schedulable)
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501
+
+ def _list_pods(self, node=None, selector=None, pod_selector=None):
+ ''' perform oadm list pods
+
+ node: the node in which to list pods
+ selector: the label selector filter if provided
+ pod_selector: the pod selector filter if provided
+ '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ if pod_selector:
+ cmd.append('--pod-selector=%s' % pod_selector)
+
+ cmd.extend(['--list-pods', '-o', 'json'])
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
+
+ # pylint: disable=too-many-arguments
+ def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False):
+ ''' perform oadm manage-node evacuate '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ if dry_run:
+ cmd.append('--dry-run')
+
+ if pod_selector:
+ cmd.append('--pod-selector=%s' % pod_selector)
+
+ if grace_period:
+ cmd.append('--grace-period=%s' % int(grace_period))
+
+ if force:
+ cmd.append('--force')
+
+ cmd.append('--evacuate')
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
+
+ def _version(self):
+ ''' return the openshift version'''
+ return self.openshift_cmd(['version'], output=True, output_type='raw')
+
+ def _import_image(self, url=None, name=None, tag=None):
+ ''' perform image import '''
+ cmd = ['import-image']
+
+ image = '{0}'.format(name)
+ if tag:
+ image += ':{0}'.format(tag)
+
+ cmd.append(image)
+
+ if url:
+ cmd.append('--from={0}/{1}'.format(url, image))
+
+ cmd.append('-n{0}'.format(self.namespace))
+
+ cmd.append('--confirm')
+ return self.openshift_cmd(cmd)
+
+ def _run(self, cmds, input_data):
+ ''' Actually executes the command. This makes mocking easier. '''
+ curr_env = os.environ.copy()
+ curr_env.update({'KUBECONFIG': self.kubeconfig})
+ proc = subprocess.Popen(cmds,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ env=curr_env)
+
+ stdout, stderr = proc.communicate(input_data)
+
+ return proc.returncode, stdout, stderr
+
+ # pylint: disable=too-many-arguments,too-many-branches
+ def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None):
+ '''Base command for oc '''
+ cmds = []
+ if oadm:
+ cmds = ['oadm']
+ else:
+ cmds = ['oc']
+
+ if self.all_namespaces:
+ cmds.extend(['--all-namespaces'])
+ elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501
+ cmds.extend(['-n', self.namespace])
+
+ cmds.extend(cmd)
+
+ rval = {}
+ results = ''
+ err = None
+
+ if self.verbose:
+ print(' '.join(cmds))
+
+ returncode, stdout, stderr = self._run(cmds, input_data)
+
+ rval = {"returncode": returncode,
+ "results": results,
+ "cmd": ' '.join(cmds)}
+
+ if returncode == 0:
+ if output:
+ if output_type == 'json':
+ try:
+ rval['results'] = json.loads(stdout)
+ except ValueError as err:
+ if "No JSON object could be decoded" in err.args:
+ err = err.args
+ elif output_type == 'raw':
+ rval['results'] = stdout
+
+ if self.verbose:
+ print("STDOUT: {0}".format(stdout))
+ print("STDERR: {0}".format(stderr))
+
+ if err:
+ rval.update({"err": err,
+ "stderr": stderr,
+ "stdout": stdout,
+ "cmd": cmds})
+
+ else:
+ rval.update({"stderr": stderr,
+ "stdout": stdout,
+ "results": {}})
+
+ return rval
+
+
+class Utils(object):
+ ''' utilities for openshiftcli modules '''
+
+ @staticmethod
+ def _write(filename, contents):
+ ''' Actually write the file contents to disk. This helps with mocking. '''
+
+ with open(filename, 'w') as sfd:
+ sfd.write(contents)
+
+ @staticmethod
+ def create_tmp_file_from_contents(rname, data, ftype='yaml'):
+ ''' create a file in tmp with name and contents'''
+
+ tmp = Utils.create_tmpfile(prefix=rname)
+
+ if ftype == 'yaml':
+ Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
+ elif ftype == 'json':
+ Utils._write(tmp, json.dumps(data))
+ else:
+ Utils._write(tmp, data)
+
+ # Register cleanup when module is done
+ atexit.register(Utils.cleanup, [tmp])
+ return tmp
+
+ @staticmethod
+ def create_tmpfile_copy(inc_file):
+ '''create a temporary copy of a file'''
+ tmpfile = Utils.create_tmpfile('lib_openshift-')
+ Utils._write(tmpfile, open(inc_file).read())
+
+ # Cleanup the tmpfile
+ atexit.register(Utils.cleanup, [tmpfile])
+
+ return tmpfile
+
+ @staticmethod
+ def create_tmpfile(prefix='tmp'):
+ ''' Generates and returns a temporary file name '''
+
+ with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp:
+ return tmp.name
+
+ @staticmethod
+ def create_tmp_files_from_contents(content, content_type=None):
+ '''Turn an array of dict: filename, content into a files array'''
+ if not isinstance(content, list):
+ content = [content]
+ files = []
+ for item in content:
+ path = Utils.create_tmp_file_from_contents(item['path'] + '-',
+ item['data'],
+ ftype=content_type)
+ files.append({'name': os.path.basename(item['path']),
+ 'path': path})
+ return files
+
+ @staticmethod
+ def cleanup(files):
+ '''Clean up on exit '''
+ for sfile in files:
+ if os.path.exists(sfile):
+ if os.path.isdir(sfile):
+ shutil.rmtree(sfile)
+ elif os.path.isfile(sfile):
+ os.remove(sfile)
+
+ @staticmethod
+ def exists(results, _name):
+ ''' Check to see if the results include the name '''
+ if not results:
+ return False
+
+ if Utils.find_result(results, _name):
+ return True
+
+ return False
+
+ @staticmethod
+ def find_result(results, _name):
+ ''' Find the specified result by name'''
+ rval = None
+ for result in results:
+ if 'metadata' in result and result['metadata']['name'] == _name:
+ rval = result
+ break
+
+ return rval
+
+ @staticmethod
+ def get_resource_file(sfile, sfile_type='yaml'):
+ ''' return the service file '''
+ contents = None
+ with open(sfile) as sfd:
+ contents = sfd.read()
+
+ if sfile_type == 'yaml':
+ contents = yaml.load(contents, yaml.RoundTripLoader)
+ elif sfile_type == 'json':
+ contents = json.loads(contents)
+
+ return contents
+
+ @staticmethod
+ def filter_versions(stdout):
+ ''' filter the oc version output '''
+
+ version_dict = {}
+ version_search = ['oc', 'openshift', 'kubernetes']
+
+ for line in stdout.strip().split('\n'):
+ for term in version_search:
+ if not line:
+ continue
+ if line.startswith(term):
+ version_dict[term] = line.split()[-1]
+
+ # horrible hack to get openshift version in Openshift 3.2
+ # By default "oc version in 3.2 does not return an "openshift" version
+ if "openshift" not in version_dict:
+ version_dict["openshift"] = version_dict["oc"]
+
+ return version_dict
+
+ @staticmethod
+ def add_custom_versions(versions):
+ ''' create custom versions strings '''
+
+ versions_dict = {}
+
+ for tech, version in versions.items():
+ # clean up "-" from version
+ if "-" in version:
+ version = version.split("-")[0]
+
+ if version.startswith('v'):
+ versions_dict[tech + '_numeric'] = version[1:].split('+')[0]
+ # "v3.3.0.33" is what we have, we want "3.3"
+ versions_dict[tech + '_short'] = version[1:4]
+
+ return versions_dict
+
+ @staticmethod
+ def openshift_installed():
+ ''' check if openshift is installed '''
+ import yum
+
+ yum_base = yum.YumBase()
+ if yum_base.rpmdb.searchNevra(name='atomic-openshift'):
+ return True
+
+ return False
+
+ # Disabling too-many-branches. This is a yaml dictionary comparison function
+ # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements
+ @staticmethod
+ def check_def_equal(user_def, result_def, skip_keys=None, debug=False):
+ ''' Given a user defined definition, compare it with the results given back by our query. '''
+
+ # Currently these values are autogenerated and we do not need to check them
+ skip = ['metadata', 'status']
+ if skip_keys:
+ skip.extend(skip_keys)
+
+ for key, value in result_def.items():
+ if key in skip:
+ continue
+
+ # Both are lists
+ if isinstance(value, list):
+ if key not in user_def:
+ if debug:
+ print('User data does not have key [%s]' % key)
+ print('User data: %s' % user_def)
+ return False
+
+ if not isinstance(user_def[key], list):
+ if debug:
+ print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key]))
+ return False
+
+ if len(user_def[key]) != len(value):
+ if debug:
+ print("List lengths are not equal.")
+ print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value)))
+ print("user_def: %s" % user_def[key])
+ print("value: %s" % value)
+ return False
+
+ for values in zip(user_def[key], value):
+ if isinstance(values[0], dict) and isinstance(values[1], dict):
+ if debug:
+ print('sending list - list')
+ print(type(values[0]))
+ print(type(values[1]))
+ result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug)
+ if not result:
+ print('list compare returned false')
+ return False
+
+ elif value != user_def[key]:
+ if debug:
+ print('value should be identical')
+ print(value)
+ print(user_def[key])
+ return False
+
+ # recurse on a dictionary
+ elif isinstance(value, dict):
+ if key not in user_def:
+ if debug:
+ print("user_def does not have key [%s]" % key)
+ return False
+ if not isinstance(user_def[key], dict):
+ if debug:
+ print("dict returned false: not instance of dict")
+ return False
+
+ # before passing ensure keys match
+ api_values = set(value.keys()) - set(skip)
+ user_values = set(user_def[key].keys()) - set(skip)
+ if api_values != user_values:
+ if debug:
+ print("keys are not equal in dict")
+ print(api_values)
+ print(user_values)
+ return False
+
+ result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug)
+ if not result:
+ if debug:
+ print("dict returned false")
+ print(result)
+ return False
+
+ # Verify each key, value pair is the same
+ else:
+ if key not in user_def or value != user_def[key]:
+ if debug:
+ print("value not equal; user_def does not have key")
+ print(key)
+ print(value)
+ if key in user_def:
+ print(user_def[key])
+ return False
+
+ if debug:
+ print('returning true')
+ return True
+
+
+class OpenShiftCLIConfig(object):
+ '''Generic Config'''
+ def __init__(self, rname, namespace, kubeconfig, options):
+ self.kubeconfig = kubeconfig
+ self.name = rname
+ self.namespace = namespace
+ self._options = options
+
+ @property
+ def config_options(self):
+ ''' return config options '''
+ return self._options
+
+ def to_option_list(self):
+ '''return all options as a string'''
+ return self.stringify()
+
+ def stringify(self):
+ ''' return the options hash as cli params in a string '''
+ rval = []
+ for key, data in self.config_options.items():
+ if data['include'] \
+ and (data['value'] or isinstance(data['value'], int)):
+ rval.append('--%s=%s' % (key.replace('_', '-'), data['value']))
+
+ return rval
+
+
+# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: class/oadm_certificate_authority.py -*- -*- -*-
+
+class CertificateAuthorityConfig(OpenShiftCLIConfig):
+ ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
+ def __init__(self, cmd, kubeconfig, verbose, ca_options):
+ super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
+ self.cmd = cmd
+ self.kubeconfig = kubeconfig
+ self.verbose = verbose
+ self._ca = ca_options
+
+class CertificateAuthority(OpenShiftCLI):
+ ''' Class to wrap the oc command line tools '''
+ def __init__(self,
+ config,
+ verbose=False):
+ ''' Constructor for oadm ca '''
+ super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose)
+ self.config = config
+ self.verbose = verbose
+
+ def get(self):
+ '''get the current cert file
+
+ If a file exists by the same name in the specified location then the cert exists
+ '''
+ cert = self.config.config_options['cert']['value']
+ if cert and os.path.exists(cert):
+ return open(cert).read()
+
+ return None
+
+ def create(self):
+ '''Create a deploymentconfig '''
+ options = self.config.to_option_list()
+
+ cmd = ['ca']
+ cmd.append(self.config.cmd)
+ cmd.extend(options)
+
+ return self.openshift_cmd(cmd, oadm=True)
+
+ def exists(self):
+ ''' check whether the certificate exists and has the clusterIP '''
+
+ cert_path = self.config.config_options['cert']['value']
+ if not os.path.exists(cert_path):
+ return False
+
+ proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ stdout, stderr = proc.communicate()
+ if proc.returncode == 0:
+ for var in self.config.config_options['hostnames']['value'].split(','):
+ if var in stdout:
+ return True
+
+ return False
+
+ @staticmethod
+ def run_ansible(params, check_mode):
+ '''run the idempotent ansible code'''
+
+ config = CertificateAuthorityConfig(params['cmd'],
+ params['kubeconfig'],
+ params['debug'],
+ {'cert_dir': {'value': params['cert_dir'], 'include': True},
+ 'cert': {'value': params['cert'], 'include': True},
+ 'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
+ 'master': {'value': params['master'], 'include': True},
+ 'public_master': {'value': params['public_master'], 'include': True},
+ 'overwrite': {'value': params['overwrite'], 'include': True},
+ 'signer_name': {'value': params['signer_name'], 'include': True},
+ 'private_key': {'value': params['private_key'], 'include': True},
+ 'public_key': {'value': params['public_key'], 'include': True},
+ 'key': {'value': params['key'], 'include': True},
+ 'signer_cert': {'value': params['signer_cert'], 'include': True},
+ 'signer_key': {'value': params['signer_key'], 'include': True},
+ 'signer_serial': {'value': params['signer_serial'], 'include': True},
+ })
+
+
+ oadm_ca = CertificateAuthority(config)
+
+ state = params['state']
+
+ if state == 'present':
+ ########
+ # Create
+ ########
+ if not oadm_ca.exists() or params['overwrite']:
+
+ if check_mode:
+ return {'changed': True,
+ 'msg': "CHECK_MODE: Would have created the certificate.",
+ 'state': state}
+
+ api_rval = oadm_ca.create()
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ ########
+ # Exists
+ ########
+ api_rval = oadm_ca.get()
+ return {'changed': False, 'results': api_rval, 'state': state}
+
+ return {'failed': True,
+ 'msg': 'Unknown state passed. %s' % state}
+
+
+# -*- -*- -*- End included fragment: class/oadm_certificate_authority.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: ansible/oadm_certificate_authority.py -*- -*- -*-
+
+def main():
+ '''
+ ansible oadm module for ca
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ state=dict(default='present', type='str',
+ choices=['present']),
+ debug=dict(default=False, type='bool'),
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ cmd=dict(default=None, require=True, type='str'),
+
+ # oadm ca create-master-certs [options]
+ cert_dir=dict(default=None, type='str'),
+ hostnames=dict(default=[], type='list'),
+ master=dict(default=None, type='str'),
+ public_master=dict(default=None, type='str'),
+ overwrite=dict(default=False, type='bool'),
+ signer_name=dict(default=None, type='str'),
+
+ # oadm ca create-key-pair [options]
+ private_key=dict(default=None, type='str'),
+ public_key=dict(default=None, type='str'),
+
+ # oadm ca create-server-cert [options]
+ cert=dict(default=None, type='str'),
+ key=dict(default=None, type='str'),
+ signer_cert=dict(default=None, type='str'),
+ signer_key=dict(default=None, type='str'),
+ signer_serial=dict(default=None, type='str'),
+
+ ),
+ supports_check_mode=True,
+ )
+
+ # pylint: disable=line-too-long
+ results = CertificateAuthority.run_ansible(module.params, module.check_mode)
+ if 'failed' in results:
+ return module.fail_json(**results)
+
+ return module.exit_json(**results)
+
+
+if __name__ == '__main__':
+ main()
+
+# -*- -*- -*- End included fragment: ansible/oadm_certificate_authority.py -*- -*- -*-
--
cgit v1.2.3
From d517312b0b14c632d66edfe191269e732242a101 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Wed, 15 Feb 2017 17:28:40 -0500
Subject: Fixing doc.
---
roles/lib_openshift/library/oadm_ca.py | 130 ++++++++++++++++++++++-----------
1 file changed, 87 insertions(+), 43 deletions(-)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oadm_ca.py b/roles/lib_openshift/library/oadm_ca.py
index 30490cc40..1482ab591 100644
--- a/roles/lib_openshift/library/oadm_ca.py
+++ b/roles/lib_openshift/library/oadm_ca.py
@@ -49,7 +49,7 @@ from ansible.module_utils.basic import AnsibleModule
DOCUMENTATION = '''
---
-module: oc_secret
+module: oadm_ca
short_description: Module to manage openshift certificate authority
description:
- Wrapper around the openshift `oc adm ca` command.
@@ -65,7 +65,8 @@ options:
- ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
required: false
default: present
- choices: ["present"]
+ choices:
+ - present
aliases: []
kubeconfig:
description:
@@ -91,54 +92,98 @@ options:
aliases: []
cert_dir:
description:
- - The directory to place the certificates.
+ - The certificate data directory.
+ required: false
+ default: None
+ aliases: []
+ cert:
+ description:
+ - The certificate file. Choose a name that indicates what the service is.
+ required: false
+ default: None
+ aliases: []
+ key:
+ description:
+ - The key file. Choose a name that indicates what the service is.
+ required: false
+ default: None
+ aliases: []
+ overwrite:
+ description:
+ - Overwrite existing cert files if found. If false, any existing file will be left as-is.
required: false
default: False
aliases: []
+ signer_cert:
+ description:
+ - The signer certificate file.
+ required: false
+ default: None
+ aliases: []
+ signer_key:
+ description:
+ - The signer key file.
+ required: false
+ default: None
+ aliases: []
+ signer_serial:
+ description:
+ - The signer serial file.
+ required: false
+ default: None
+ aliases: []
+ public_key:
+ description:
+ - The public key file used with create-key-pair
+ required: false
+ default: None
+ aliases: []
+ private_key:
+ description:
+ - The private key file used with create-key-pair
+ required: false
+ default: None
+ aliases: []
+
+ hostnames:
+ description:
+ - Every hostname or IP that server certs should be valid for (comma-delimited list)
+ required: false
+ default: None
+ aliases: []
+ master:
+ description:
+ - The API server's URL
+ required: false
+ default: None
+ aliases: []
+ public_master:
+ description:
+ - The API public facing server's URL (if applicable)
+ required: false
+ default: None
+ aliases: []
+ signer_name:
+ description:
+ - The name to use for the generated signer
+ required: false
+ default: None
+ aliases: []
author:
- "Kenny Woodson <kwoodson@redhat.com>"
extends_documentation_fragment: []
'''
EXAMPLES = '''
-- name: create secret
- oc_secret:
- state: present
- namespace: openshift-infra
- name: metrics-deployer
- files:
- - name: nothing
- path: /dev/null
- register: secretout
- run_once: true
-
-- name: get ca from hawkular
- oc_secret:
- state: list
- namespace: openshift-infra
- name: hawkular-metrics-certificate
- decode: True
- register: hawkout
- run_once: true
-
-- name: Create secrets
- oc_secret:
- namespace: mynamespace
- name: mysecrets
- contents:
- - path: data.yml
- data: "{{ data_content }}"
- - path: auth-keys
- data: "{{ auth_keys_content }}"
- - path: configdata.yml
- data: "{{ configdata_content }}"
- - path: cert.crt
- data: "{{ cert_content }}"
- - path: key.pem
- data: "{{ osso_site_key_content }}"
- - path: ca.cert.pem
- data: "{{ ca_cert_content }}"
- register: secretout
+- name: Create a self-signed cert
+ oadm_ca:
+ cmd: create-server-cert
+ signer_cert: /etc/origin/master/ca.crt
+ signer_key: /etc/origin/master/ca.key
+ signer_serial: /etc/origin/master/ca.serial.txt
+ hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local"
+ cert: /etc/origin/master/registry.crt
+ key: /etc/origin/master/registry.key
'''
# -*- -*- -*- End included fragment: doc/certificate_authority -*- -*- -*-
@@ -1402,8 +1447,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
- state=dict(default='present', type='str',
- choices=['present']),
+ state=dict(default='present', type='str', choices=['present']),
debug=dict(default=False, type='bool'),
kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
cmd=dict(default=None, require=True, type='str'),
--
cgit v1.2.3
From 5ff3071297b0bd91e5135bbe9def3a59dadfe885 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Fri, 17 Feb 2017 09:34:10 -0500
Subject: Rename of oadm_ca to oc_adm_ca. Decided to whittle down to the
direct call, server_cert.
---
roles/lib_openshift/library/oadm_ca.py | 1489 --------------------
.../lib_openshift/library/oc_adm_ca_server_cert.py | 1471 +++++++++++++++++++
2 files changed, 1471 insertions(+), 1489 deletions(-)
delete mode 100644 roles/lib_openshift/library/oadm_ca.py
create mode 100644 roles/lib_openshift/library/oc_adm_ca_server_cert.py
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oadm_ca.py b/roles/lib_openshift/library/oadm_ca.py
deleted file mode 100644
index 1482ab591..000000000
--- a/roles/lib_openshift/library/oadm_ca.py
+++ /dev/null
@@ -1,1489 +0,0 @@
-#!/usr/bin/env python
-# pylint: disable=missing-docstring
-# flake8: noqa: T001
-# ___ ___ _ _ ___ ___ _ _____ ___ ___
-# / __| __| \| | __| _ \ /_\_ _| __| \
-# | (_ | _|| .` | _|| / / _ \| | | _|| |) |
-# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____
-# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _|
-# | |) | (_) | | .` | (_) || | | _|| |) | | | |
-# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_|
-#
-# Copyright 2016 Red Hat, Inc. and/or its affiliates
-# and other contributors as indicated by the @author tags.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*-
-'''
- OpenShiftCLI class that wraps the oc commands in a subprocess
-'''
-# pylint: disable=too-many-lines
-
-from __future__ import print_function
-import atexit
-import json
-import os
-import re
-import shutil
-import subprocess
-import tempfile
-# pylint: disable=import-error
-import ruamel.yaml as yaml
-from ansible.module_utils.basic import AnsibleModule
-
-# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*-
-
-# -*- -*- -*- Begin included fragment: doc/certificate_authority -*- -*- -*-
-
-DOCUMENTATION = '''
----
-module: oadm_ca
-short_description: Module to manage openshift certificate authority
-description:
- - Wrapper around the openshift `oc adm ca` command.
-options:
- state:
- description:
- - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
- - When create-master-certs is desired then the following parameters are passed.
- - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
- - When create-key-pair is desired then the following parameters are passed.
- - ['private_key', 'public_key']
- - When create-server-cert is desired then the following parameters are passed.
- - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
- required: false
- default: present
- choices:
- - present
- aliases: []
- kubeconfig:
- description:
- - The path for the kubeconfig file to use for authentication
- required: false
- default: /etc/origin/master/admin.kubeconfig
- aliases: []
- debug:
- description:
- - Turn on debug output.
- required: false
- default: False
- aliases: []
- cmd:
- description:
- - The sub command given for `oc adm ca`
- required: false
- default: None
- choices:
- - create-master-certs
- - create-key-pair
- - create-server-cert
- aliases: []
- cert_dir:
- description:
- - The certificate data directory.
- required: false
- default: None
- aliases: []
- cert:
- description:
- - The certificate file. Choose a name that indicates what the service is.
- required: false
- default: None
- aliases: []
- key:
- description:
- - The key file. Choose a name that indicates what the service is.
- required: false
- default: None
- aliases: []
- overwrite:
- description:
- - Overwrite existing cert files if found. If false, any existing file will be left as-is.
- required: false
- default: False
- aliases: []
- signer_cert:
- description:
- - The signer certificate file.
- required: false
- default: None
- aliases: []
- signer_key:
- description:
- - The signer key file.
- required: false
- default: None
- aliases: []
- signer_serial:
- description:
- - The signer serial file.
- required: false
- default: None
- aliases: []
- public_key:
- description:
- - The public key file used with create-key-pair
- required: false
- default: None
- aliases: []
- private_key:
- description:
- - The private key file used with create-key-pair
- required: false
- default: None
- aliases: []
-
- hostnames:
- description:
- - Every hostname or IP that server certs should be valid for (comma-delimited list)
- required: false
- default: None
- aliases: []
- master:
- description:
- - The API server's URL
- required: false
- default: None
- aliases: []
- public_master:
- description:
- - The API public facing server's URL (if applicable)
- required: false
- default: None
- aliases: []
- signer_name:
- description:
- - The name to use for the generated signer
- required: false
- default: None
- aliases: []
-author:
-- "Kenny Woodson <kwoodson@redhat.com>"
-extends_documentation_fragment: []
-'''
-
-EXAMPLES = '''
-- name: Create a self-signed cert
- oadm_ca:
- cmd: create-server-cert
- signer_cert: /etc/origin/master/ca.crt
- signer_key: /etc/origin/master/ca.key
- signer_serial: /etc/origin/master/ca.serial.txt
- hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local"
- cert: /etc/origin/master/registry.crt
- key: /etc/origin/master/registry.key
-'''
-
-# -*- -*- -*- End included fragment: doc/certificate_authority -*- -*- -*-
-
-# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
-# noqa: E301,E302
-
-
-class YeditException(Exception):
- ''' Exception class for Yedit '''
- pass
-
-
-# pylint: disable=too-many-public-methods
-class Yedit(object):
- ''' Class to modify yaml files '''
- re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$"
- re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)"
- com_sep = set(['.', '#', '|', ':'])
-
- # pylint: disable=too-many-arguments
- def __init__(self,
- filename=None,
- content=None,
- content_type='yaml',
- separator='.',
- backup=False):
- self.content = content
- self._separator = separator
- self.filename = filename
- self.__yaml_dict = content
- self.content_type = content_type
- self.backup = backup
- self.load(content_type=self.content_type)
- if self.__yaml_dict is None:
- self.__yaml_dict = {}
-
- @property
- def separator(self):
- ''' getter method for yaml_dict '''
- return self._separator
-
- @separator.setter
- def separator(self):
- ''' getter method for yaml_dict '''
- return self._separator
-
- @property
- def yaml_dict(self):
- ''' getter method for yaml_dict '''
- return self.__yaml_dict
-
- @yaml_dict.setter
- def yaml_dict(self, value):
- ''' setter method for yaml_dict '''
- self.__yaml_dict = value
-
- @staticmethod
- def parse_key(key, sep='.'):
- '''parse the key allowing the appropriate separator'''
- common_separators = list(Yedit.com_sep - set([sep]))
- return re.findall(Yedit.re_key % ''.join(common_separators), key)
-
- @staticmethod
- def valid_key(key, sep='.'):
- '''validate the incoming key'''
- common_separators = list(Yedit.com_sep - set([sep]))
- if not re.match(Yedit.re_valid_key % ''.join(common_separators), key):
- return False
-
- return True
-
- @staticmethod
- def remove_entry(data, key, sep='.'):
- ''' remove data at location key '''
- if key == '' and isinstance(data, dict):
- data.clear()
- return True
- elif key == '' and isinstance(data, list):
- del data[:]
- return True
-
- if not (key and Yedit.valid_key(key, sep)) and \
- isinstance(data, (list, dict)):
- return None
-
- key_indexes = Yedit.parse_key(key, sep)
- for arr_ind, dict_key in key_indexes[:-1]:
- if dict_key and isinstance(data, dict):
- data = data.get(dict_key, None)
- elif (arr_ind and isinstance(data, list) and
- int(arr_ind) <= len(data) - 1):
- data = data[int(arr_ind)]
- else:
- return None
-
- # process last index for remove
- # expected list entry
- if key_indexes[-1][0]:
- if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
- del data[int(key_indexes[-1][0])]
- return True
-
- # expected dict entry
- elif key_indexes[-1][1]:
- if isinstance(data, dict):
- del data[key_indexes[-1][1]]
- return True
-
- @staticmethod
- def add_entry(data, key, item=None, sep='.'):
- ''' Get an item from a dictionary with key notation a.b.c
- d = {'a': {'b': 'c'}}}
- key = a#b
- return c
- '''
- if key == '':
- pass
- elif (not (key and Yedit.valid_key(key, sep)) and
- isinstance(data, (list, dict))):
- return None
-
- key_indexes = Yedit.parse_key(key, sep)
- for arr_ind, dict_key in key_indexes[:-1]:
- if dict_key:
- if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501
- data = data[dict_key]
- continue
-
- elif data and not isinstance(data, dict):
- return None
-
- data[dict_key] = {}
- data = data[dict_key]
-
- elif (arr_ind and isinstance(data, list) and
- int(arr_ind) <= len(data) - 1):
- data = data[int(arr_ind)]
- else:
- return None
-
- if key == '':
- data = item
-
- # process last index for add
- # expected list entry
- elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
- data[int(key_indexes[-1][0])] = item
-
- # expected dict entry
- elif key_indexes[-1][1] and isinstance(data, dict):
- data[key_indexes[-1][1]] = item
-
- return data
-
- @staticmethod
- def get_entry(data, key, sep='.'):
- ''' Get an item from a dictionary with key notation a.b.c
- d = {'a': {'b': 'c'}}}
- key = a.b
- return c
- '''
- if key == '':
- pass
- elif (not (key and Yedit.valid_key(key, sep)) and
- isinstance(data, (list, dict))):
- return None
-
- key_indexes = Yedit.parse_key(key, sep)
- for arr_ind, dict_key in key_indexes:
- if dict_key and isinstance(data, dict):
- data = data.get(dict_key, None)
- elif (arr_ind and isinstance(data, list) and
- int(arr_ind) <= len(data) - 1):
- data = data[int(arr_ind)]
- else:
- return None
-
- return data
-
- @staticmethod
- def _write(filename, contents):
- ''' Actually write the file contents to disk. This helps with mocking. '''
-
- tmp_filename = filename + '.yedit'
-
- with open(tmp_filename, 'w') as yfd:
- yfd.write(contents)
-
- os.rename(tmp_filename, filename)
-
- def write(self):
- ''' write to file '''
- if not self.filename:
- raise YeditException('Please specify a filename.')
-
- if self.backup and self.file_exists():
- shutil.copy(self.filename, self.filename + '.orig')
-
- # pylint: disable=no-member
- if hasattr(self.yaml_dict, 'fa'):
- self.yaml_dict.fa.set_block_style()
-
- Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
-
- return (True, self.yaml_dict)
-
- def read(self):
- ''' read from file '''
- # check if it exists
- if self.filename is None or not self.file_exists():
- return None
-
- contents = None
- with open(self.filename) as yfd:
- contents = yfd.read()
-
- return contents
-
- def file_exists(self):
- ''' return whether file exists '''
- if os.path.exists(self.filename):
- return True
-
- return False
-
- def load(self, content_type='yaml'):
- ''' return yaml file '''
- contents = self.read()
-
- if not contents and not self.content:
- return None
-
- if self.content:
- if isinstance(self.content, dict):
- self.yaml_dict = self.content
- return self.yaml_dict
- elif isinstance(self.content, str):
- contents = self.content
-
- # check if it is yaml
- try:
- if content_type == 'yaml' and contents:
- self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
- # pylint: disable=no-member
- if hasattr(self.yaml_dict, 'fa'):
- self.yaml_dict.fa.set_block_style()
- elif content_type == 'json' and contents:
- self.yaml_dict = json.loads(contents)
- except yaml.YAMLError as err:
- # Error loading yaml or json
- raise YeditException('Problem with loading yaml file. %s' % err)
-
- return self.yaml_dict
-
- def get(self, key):
- ''' get a specified key'''
- try:
- entry = Yedit.get_entry(self.yaml_dict, key, self.separator)
- except KeyError:
- entry = None
-
- return entry
-
- def pop(self, path, key_or_item):
- ''' remove a key, value pair from a dict or an item for a list'''
- try:
- entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
- except KeyError:
- entry = None
-
- if entry is None:
- return (False, self.yaml_dict)
-
- if isinstance(entry, dict):
- # pylint: disable=no-member,maybe-no-member
- if key_or_item in entry:
- entry.pop(key_or_item)
- return (True, self.yaml_dict)
- return (False, self.yaml_dict)
-
- elif isinstance(entry, list):
- # pylint: disable=no-member,maybe-no-member
- ind = None
- try:
- ind = entry.index(key_or_item)
- except ValueError:
- return (False, self.yaml_dict)
-
- entry.pop(ind)
- return (True, self.yaml_dict)
-
- return (False, self.yaml_dict)
-
- def delete(self, path):
- ''' remove path from a dict'''
- try:
- entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
- except KeyError:
- entry = None
-
- if entry is None:
- return (False, self.yaml_dict)
-
- result = Yedit.remove_entry(self.yaml_dict, path, self.separator)
- if not result:
- return (False, self.yaml_dict)
-
- return (True, self.yaml_dict)
-
- def exists(self, path, value):
- ''' check if value exists at path'''
- try:
- entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
- except KeyError:
- entry = None
-
- if isinstance(entry, list):
- if value in entry:
- return True
- return False
-
- elif isinstance(entry, dict):
- if isinstance(value, dict):
- rval = False
- for key, val in value.items():
- if entry[key] != val:
- rval = False
- break
- else:
- rval = True
- return rval
-
- return value in entry
-
- return entry == value
-
- def append(self, path, value):
- '''append value to a list'''
- try:
- entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
- except KeyError:
- entry = None
-
- if entry is None:
- self.put(path, [])
- entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
- if not isinstance(entry, list):
- return (False, self.yaml_dict)
-
- # pylint: disable=no-member,maybe-no-member
- entry.append(value)
- return (True, self.yaml_dict)
-
- # pylint: disable=too-many-arguments
- def update(self, path, value, index=None, curr_value=None):
- ''' put path, value into a dict '''
- try:
- entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
- except KeyError:
- entry = None
-
- if isinstance(entry, dict):
- # pylint: disable=no-member,maybe-no-member
- if not isinstance(value, dict):
- raise YeditException('Cannot replace key, value entry in ' +
- 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501
-
- entry.update(value)
- return (True, self.yaml_dict)
-
- elif isinstance(entry, list):
- # pylint: disable=no-member,maybe-no-member
- ind = None
- if curr_value:
- try:
- ind = entry.index(curr_value)
- except ValueError:
- return (False, self.yaml_dict)
-
- elif index is not None:
- ind = index
-
- if ind is not None and entry[ind] != value:
- entry[ind] = value
- return (True, self.yaml_dict)
-
- # see if it exists in the list
- try:
- ind = entry.index(value)
- except ValueError:
- # doesn't exist, append it
- entry.append(value)
- return (True, self.yaml_dict)
-
- # already exists, return
- if ind is not None:
- return (False, self.yaml_dict)
- return (False, self.yaml_dict)
-
- def put(self, path, value):
- ''' put path, value into a dict '''
- try:
- entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
- except KeyError:
- entry = None
-
- if entry == value:
- return (False, self.yaml_dict)
-
- # deepcopy didn't work
- tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
- default_flow_style=False),
- yaml.RoundTripLoader)
- # pylint: disable=no-member
- if hasattr(self.yaml_dict, 'fa'):
- tmp_copy.fa.set_block_style()
- result = Yedit.add_entry(tmp_copy, path, value, self.separator)
- if not result:
- return (False, self.yaml_dict)
-
- self.yaml_dict = tmp_copy
-
- return (True, self.yaml_dict)
-
- def create(self, path, value):
- ''' create a yaml file '''
- if not self.file_exists():
- # deepcopy didn't work
- tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501
- yaml.RoundTripLoader)
- # pylint: disable=no-member
- if hasattr(self.yaml_dict, 'fa'):
- tmp_copy.fa.set_block_style()
- result = Yedit.add_entry(tmp_copy, path, value, self.separator)
- if result:
- self.yaml_dict = tmp_copy
- return (True, self.yaml_dict)
-
- return (False, self.yaml_dict)
-
- @staticmethod
- def get_curr_value(invalue, val_type):
- '''return the current value'''
- if invalue is None:
- return None
-
- curr_value = invalue
- if val_type == 'yaml':
- curr_value = yaml.load(invalue)
- elif val_type == 'json':
- curr_value = json.loads(invalue)
-
- return curr_value
-
- @staticmethod
- def parse_value(inc_value, vtype=''):
- '''determine value type passed'''
- true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE',
- 'on', 'On', 'ON', ]
- false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE',
- 'off', 'Off', 'OFF']
-
- # It came in as a string but you didn't specify value_type as string
- # we will convert to bool if it matches any of the above cases
- if isinstance(inc_value, str) and 'bool' in vtype:
- if inc_value not in true_bools and inc_value not in false_bools:
- raise YeditException('Not a boolean type. str=[%s] vtype=[%s]'
- % (inc_value, vtype))
- elif isinstance(inc_value, bool) and 'str' in vtype:
- inc_value = str(inc_value)
-
- # If vtype is not str then go ahead and attempt to yaml load it.
- if isinstance(inc_value, str) and 'str' not in vtype:
- try:
- inc_value = yaml.load(inc_value)
- except Exception:
- raise YeditException('Could not determine type of incoming ' +
- 'value. value=[%s] vtype=[%s]'
- % (type(inc_value), vtype))
-
- return inc_value
-
- # pylint: disable=too-many-return-statements,too-many-branches
- @staticmethod
- def run_ansible(module):
- '''perform the idempotent crud operations'''
- yamlfile = Yedit(filename=module.params['src'],
- backup=module.params['backup'],
- separator=module.params['separator'])
-
- if module.params['src']:
- rval = yamlfile.load()
-
- if yamlfile.yaml_dict is None and \
- module.params['state'] != 'present':
- return {'failed': True,
- 'msg': 'Error opening file [%s]. Verify that the ' +
- 'file exists, that it is has correct' +
- ' permissions, and is valid yaml.'}
-
- if module.params['state'] == 'list':
- if module.params['content']:
- content = Yedit.parse_value(module.params['content'],
- module.params['content_type'])
- yamlfile.yaml_dict = content
-
- if module.params['key']:
- rval = yamlfile.get(module.params['key']) or {}
-
- return {'changed': False, 'result': rval, 'state': "list"}
-
- elif module.params['state'] == 'absent':
- if module.params['content']:
- content = Yedit.parse_value(module.params['content'],
- module.params['content_type'])
- yamlfile.yaml_dict = content
-
- if module.params['update']:
- rval = yamlfile.pop(module.params['key'],
- module.params['value'])
- else:
- rval = yamlfile.delete(module.params['key'])
-
- if rval[0] and module.params['src']:
- yamlfile.write()
-
- return {'changed': rval[0], 'result': rval[1], 'state': "absent"}
-
- elif module.params['state'] == 'present':
- # check if content is different than what is in the file
- if module.params['content']:
- content = Yedit.parse_value(module.params['content'],
- module.params['content_type'])
-
- # We had no edits to make and the contents are the same
- if yamlfile.yaml_dict == content and \
- module.params['value'] is None:
- return {'changed': False,
- 'result': yamlfile.yaml_dict,
- 'state': "present"}
-
- yamlfile.yaml_dict = content
-
- # we were passed a value; parse it
- if module.params['value']:
- value = Yedit.parse_value(module.params['value'],
- module.params['value_type'])
- key = module.params['key']
- if module.params['update']:
- # pylint: disable=line-too-long
- curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501
- module.params['curr_value_format']) # noqa: E501
-
- rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501
-
- elif module.params['append']:
- rval = yamlfile.append(key, value)
- else:
- rval = yamlfile.put(key, value)
-
- if rval[0] and module.params['src']:
- yamlfile.write()
-
- return {'changed': rval[0],
- 'result': rval[1], 'state': "present"}
-
- # no edits to make
- if module.params['src']:
- # pylint: disable=redefined-variable-type
- rval = yamlfile.write()
- return {'changed': rval[0],
- 'result': rval[1],
- 'state': "present"}
-
- return {'failed': True, 'msg': 'Unkown state passed'}
-
-# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
-
-# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*-
-# pylint: disable=too-many-lines
-# noqa: E301,E302,E303,T001
-
-
-class OpenShiftCLIError(Exception):
- '''Exception class for openshiftcli'''
- pass
-
-
-# pylint: disable=too-few-public-methods
-class OpenShiftCLI(object):
- ''' Class to wrap the command line tools '''
- def __init__(self,
- namespace,
- kubeconfig='/etc/origin/master/admin.kubeconfig',
- verbose=False,
- all_namespaces=False):
- ''' Constructor for OpenshiftCLI '''
- self.namespace = namespace
- self.verbose = verbose
- self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig)
- self.all_namespaces = all_namespaces
-
- # Pylint allows only 5 arguments to be passed.
- # pylint: disable=too-many-arguments
- def _replace_content(self, resource, rname, content, force=False, sep='.'):
- ''' replace the current object with the content '''
- res = self._get(resource, rname)
- if not res['results']:
- return res
-
- fname = Utils.create_tmpfile(rname + '-')
-
- yed = Yedit(fname, res['results'][0], separator=sep)
- changes = []
- for key, value in content.items():
- changes.append(yed.put(key, value))
-
- if any([change[0] for change in changes]):
- yed.write()
-
- atexit.register(Utils.cleanup, [fname])
-
- return self._replace(fname, force)
-
- return {'returncode': 0, 'updated': False}
-
- def _replace(self, fname, force=False):
- '''replace the current object with oc replace'''
- cmd = ['replace', '-f', fname]
- if force:
- cmd.append('--force')
- return self.openshift_cmd(cmd)
-
- def _create_from_content(self, rname, content):
- '''create a temporary file and then call oc create on it'''
- fname = Utils.create_tmpfile(rname + '-')
- yed = Yedit(fname, content=content)
- yed.write()
-
- atexit.register(Utils.cleanup, [fname])
-
- return self._create(fname)
-
- def _create(self, fname):
- '''call oc create on a filename'''
- return self.openshift_cmd(['create', '-f', fname])
-
- def _delete(self, resource, rname, selector=None):
- '''call oc delete on a resource'''
- cmd = ['delete', resource, rname]
- if selector:
- cmd.append('--selector=%s' % selector)
-
- return self.openshift_cmd(cmd)
-
- def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501
- '''process a template
-
- template_name: the name of the template to process
- create: whether to send to oc create after processing
- params: the parameters for the template
- template_data: the incoming template's data; instead of a file
- '''
- cmd = ['process']
- if template_data:
- cmd.extend(['-f', '-'])
- else:
- cmd.append(template_name)
- if params:
- param_str = ["%s=%s" % (key, value) for key, value in params.items()]
- cmd.append('-v')
- cmd.extend(param_str)
-
- results = self.openshift_cmd(cmd, output=True, input_data=template_data)
-
- if results['returncode'] != 0 or not create:
- return results
-
- fname = Utils.create_tmpfile(template_name + '-')
- yed = Yedit(fname, results['results'])
- yed.write()
-
- atexit.register(Utils.cleanup, [fname])
-
- return self.openshift_cmd(['create', '-f', fname])
-
- def _get(self, resource, rname=None, selector=None):
- '''return a resource by name '''
- cmd = ['get', resource]
- if selector:
- cmd.append('--selector=%s' % selector)
- elif rname:
- cmd.append(rname)
-
- cmd.extend(['-o', 'json'])
-
- rval = self.openshift_cmd(cmd, output=True)
-
- # Ensure results are retuned in an array
- if 'items' in rval:
- rval['results'] = rval['items']
- elif not isinstance(rval['results'], list):
- rval['results'] = [rval['results']]
-
- return rval
-
- def _schedulable(self, node=None, selector=None, schedulable=True):
- ''' perform oadm manage-node scheduable '''
- cmd = ['manage-node']
- if node:
- cmd.extend(node)
- else:
- cmd.append('--selector=%s' % selector)
-
- cmd.append('--schedulable=%s' % schedulable)
-
- return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501
-
- def _list_pods(self, node=None, selector=None, pod_selector=None):
- ''' perform oadm list pods
-
- node: the node in which to list pods
- selector: the label selector filter if provided
- pod_selector: the pod selector filter if provided
- '''
- cmd = ['manage-node']
- if node:
- cmd.extend(node)
- else:
- cmd.append('--selector=%s' % selector)
-
- if pod_selector:
- cmd.append('--pod-selector=%s' % pod_selector)
-
- cmd.extend(['--list-pods', '-o', 'json'])
-
- return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
-
- # pylint: disable=too-many-arguments
- def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False):
- ''' perform oadm manage-node evacuate '''
- cmd = ['manage-node']
- if node:
- cmd.extend(node)
- else:
- cmd.append('--selector=%s' % selector)
-
- if dry_run:
- cmd.append('--dry-run')
-
- if pod_selector:
- cmd.append('--pod-selector=%s' % pod_selector)
-
- if grace_period:
- cmd.append('--grace-period=%s' % int(grace_period))
-
- if force:
- cmd.append('--force')
-
- cmd.append('--evacuate')
-
- return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
-
- def _version(self):
- ''' return the openshift version'''
- return self.openshift_cmd(['version'], output=True, output_type='raw')
-
- def _import_image(self, url=None, name=None, tag=None):
- ''' perform image import '''
- cmd = ['import-image']
-
- image = '{0}'.format(name)
- if tag:
- image += ':{0}'.format(tag)
-
- cmd.append(image)
-
- if url:
- cmd.append('--from={0}/{1}'.format(url, image))
-
- cmd.append('-n{0}'.format(self.namespace))
-
- cmd.append('--confirm')
- return self.openshift_cmd(cmd)
-
- def _run(self, cmds, input_data):
- ''' Actually executes the command. This makes mocking easier. '''
- curr_env = os.environ.copy()
- curr_env.update({'KUBECONFIG': self.kubeconfig})
- proc = subprocess.Popen(cmds,
- stdin=subprocess.PIPE,
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE,
- env=curr_env)
-
- stdout, stderr = proc.communicate(input_data)
-
- return proc.returncode, stdout, stderr
-
- # pylint: disable=too-many-arguments,too-many-branches
- def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None):
- '''Base command for oc '''
- cmds = []
- if oadm:
- cmds = ['oadm']
- else:
- cmds = ['oc']
-
- if self.all_namespaces:
- cmds.extend(['--all-namespaces'])
- elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501
- cmds.extend(['-n', self.namespace])
-
- cmds.extend(cmd)
-
- rval = {}
- results = ''
- err = None
-
- if self.verbose:
- print(' '.join(cmds))
-
- returncode, stdout, stderr = self._run(cmds, input_data)
-
- rval = {"returncode": returncode,
- "results": results,
- "cmd": ' '.join(cmds)}
-
- if returncode == 0:
- if output:
- if output_type == 'json':
- try:
- rval['results'] = json.loads(stdout)
- except ValueError as err:
- if "No JSON object could be decoded" in err.args:
- err = err.args
- elif output_type == 'raw':
- rval['results'] = stdout
-
- if self.verbose:
- print("STDOUT: {0}".format(stdout))
- print("STDERR: {0}".format(stderr))
-
- if err:
- rval.update({"err": err,
- "stderr": stderr,
- "stdout": stdout,
- "cmd": cmds})
-
- else:
- rval.update({"stderr": stderr,
- "stdout": stdout,
- "results": {}})
-
- return rval
-
-
-class Utils(object):
- ''' utilities for openshiftcli modules '''
-
- @staticmethod
- def _write(filename, contents):
- ''' Actually write the file contents to disk. This helps with mocking. '''
-
- with open(filename, 'w') as sfd:
- sfd.write(contents)
-
- @staticmethod
- def create_tmp_file_from_contents(rname, data, ftype='yaml'):
- ''' create a file in tmp with name and contents'''
-
- tmp = Utils.create_tmpfile(prefix=rname)
-
- if ftype == 'yaml':
- Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
- elif ftype == 'json':
- Utils._write(tmp, json.dumps(data))
- else:
- Utils._write(tmp, data)
-
- # Register cleanup when module is done
- atexit.register(Utils.cleanup, [tmp])
- return tmp
-
- @staticmethod
- def create_tmpfile_copy(inc_file):
- '''create a temporary copy of a file'''
- tmpfile = Utils.create_tmpfile('lib_openshift-')
- Utils._write(tmpfile, open(inc_file).read())
-
- # Cleanup the tmpfile
- atexit.register(Utils.cleanup, [tmpfile])
-
- return tmpfile
-
- @staticmethod
- def create_tmpfile(prefix='tmp'):
- ''' Generates and returns a temporary file name '''
-
- with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp:
- return tmp.name
-
- @staticmethod
- def create_tmp_files_from_contents(content, content_type=None):
- '''Turn an array of dict: filename, content into a files array'''
- if not isinstance(content, list):
- content = [content]
- files = []
- for item in content:
- path = Utils.create_tmp_file_from_contents(item['path'] + '-',
- item['data'],
- ftype=content_type)
- files.append({'name': os.path.basename(item['path']),
- 'path': path})
- return files
-
- @staticmethod
- def cleanup(files):
- '''Clean up on exit '''
- for sfile in files:
- if os.path.exists(sfile):
- if os.path.isdir(sfile):
- shutil.rmtree(sfile)
- elif os.path.isfile(sfile):
- os.remove(sfile)
-
- @staticmethod
- def exists(results, _name):
- ''' Check to see if the results include the name '''
- if not results:
- return False
-
- if Utils.find_result(results, _name):
- return True
-
- return False
-
- @staticmethod
- def find_result(results, _name):
- ''' Find the specified result by name'''
- rval = None
- for result in results:
- if 'metadata' in result and result['metadata']['name'] == _name:
- rval = result
- break
-
- return rval
-
- @staticmethod
- def get_resource_file(sfile, sfile_type='yaml'):
- ''' return the service file '''
- contents = None
- with open(sfile) as sfd:
- contents = sfd.read()
-
- if sfile_type == 'yaml':
- contents = yaml.load(contents, yaml.RoundTripLoader)
- elif sfile_type == 'json':
- contents = json.loads(contents)
-
- return contents
-
- @staticmethod
- def filter_versions(stdout):
- ''' filter the oc version output '''
-
- version_dict = {}
- version_search = ['oc', 'openshift', 'kubernetes']
-
- for line in stdout.strip().split('\n'):
- for term in version_search:
- if not line:
- continue
- if line.startswith(term):
- version_dict[term] = line.split()[-1]
-
- # horrible hack to get openshift version in Openshift 3.2
- # By default "oc version in 3.2 does not return an "openshift" version
- if "openshift" not in version_dict:
- version_dict["openshift"] = version_dict["oc"]
-
- return version_dict
-
- @staticmethod
- def add_custom_versions(versions):
- ''' create custom versions strings '''
-
- versions_dict = {}
-
- for tech, version in versions.items():
- # clean up "-" from version
- if "-" in version:
- version = version.split("-")[0]
-
- if version.startswith('v'):
- versions_dict[tech + '_numeric'] = version[1:].split('+')[0]
- # "v3.3.0.33" is what we have, we want "3.3"
- versions_dict[tech + '_short'] = version[1:4]
-
- return versions_dict
-
- @staticmethod
- def openshift_installed():
- ''' check if openshift is installed '''
- import yum
-
- yum_base = yum.YumBase()
- if yum_base.rpmdb.searchNevra(name='atomic-openshift'):
- return True
-
- return False
-
- # Disabling too-many-branches. This is a yaml dictionary comparison function
- # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements
- @staticmethod
- def check_def_equal(user_def, result_def, skip_keys=None, debug=False):
- ''' Given a user defined definition, compare it with the results given back by our query. '''
-
- # Currently these values are autogenerated and we do not need to check them
- skip = ['metadata', 'status']
- if skip_keys:
- skip.extend(skip_keys)
-
- for key, value in result_def.items():
- if key in skip:
- continue
-
- # Both are lists
- if isinstance(value, list):
- if key not in user_def:
- if debug:
- print('User data does not have key [%s]' % key)
- print('User data: %s' % user_def)
- return False
-
- if not isinstance(user_def[key], list):
- if debug:
- print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key]))
- return False
-
- if len(user_def[key]) != len(value):
- if debug:
- print("List lengths are not equal.")
- print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value)))
- print("user_def: %s" % user_def[key])
- print("value: %s" % value)
- return False
-
- for values in zip(user_def[key], value):
- if isinstance(values[0], dict) and isinstance(values[1], dict):
- if debug:
- print('sending list - list')
- print(type(values[0]))
- print(type(values[1]))
- result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug)
- if not result:
- print('list compare returned false')
- return False
-
- elif value != user_def[key]:
- if debug:
- print('value should be identical')
- print(value)
- print(user_def[key])
- return False
-
- # recurse on a dictionary
- elif isinstance(value, dict):
- if key not in user_def:
- if debug:
- print("user_def does not have key [%s]" % key)
- return False
- if not isinstance(user_def[key], dict):
- if debug:
- print("dict returned false: not instance of dict")
- return False
-
- # before passing ensure keys match
- api_values = set(value.keys()) - set(skip)
- user_values = set(user_def[key].keys()) - set(skip)
- if api_values != user_values:
- if debug:
- print("keys are not equal in dict")
- print(api_values)
- print(user_values)
- return False
-
- result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug)
- if not result:
- if debug:
- print("dict returned false")
- print(result)
- return False
-
- # Verify each key, value pair is the same
- else:
- if key not in user_def or value != user_def[key]:
- if debug:
- print("value not equal; user_def does not have key")
- print(key)
- print(value)
- if key in user_def:
- print(user_def[key])
- return False
-
- if debug:
- print('returning true')
- return True
-
-
-class OpenShiftCLIConfig(object):
- '''Generic Config'''
- def __init__(self, rname, namespace, kubeconfig, options):
- self.kubeconfig = kubeconfig
- self.name = rname
- self.namespace = namespace
- self._options = options
-
- @property
- def config_options(self):
- ''' return config options '''
- return self._options
-
- def to_option_list(self):
- '''return all options as a string'''
- return self.stringify()
-
- def stringify(self):
- ''' return the options hash as cli params in a string '''
- rval = []
- for key, data in self.config_options.items():
- if data['include'] \
- and (data['value'] or isinstance(data['value'], int)):
- rval.append('--%s=%s' % (key.replace('_', '-'), data['value']))
-
- return rval
-
-
-# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*-
-
-# -*- -*- -*- Begin included fragment: class/oadm_certificate_authority.py -*- -*- -*-
-
-class CertificateAuthorityConfig(OpenShiftCLIConfig):
- ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
- def __init__(self, cmd, kubeconfig, verbose, ca_options):
- super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
- self.cmd = cmd
- self.kubeconfig = kubeconfig
- self.verbose = verbose
- self._ca = ca_options
-
-class CertificateAuthority(OpenShiftCLI):
- ''' Class to wrap the oc command line tools '''
- def __init__(self,
- config,
- verbose=False):
- ''' Constructor for oadm ca '''
- super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose)
- self.config = config
- self.verbose = verbose
-
- def get(self):
- '''get the current cert file
-
- If a file exists by the same name in the specified location then the cert exists
- '''
- cert = self.config.config_options['cert']['value']
- if cert and os.path.exists(cert):
- return open(cert).read()
-
- return None
-
- def create(self):
- '''Create a deploymentconfig '''
- options = self.config.to_option_list()
-
- cmd = ['ca']
- cmd.append(self.config.cmd)
- cmd.extend(options)
-
- return self.openshift_cmd(cmd, oadm=True)
-
- def exists(self):
- ''' check whether the certificate exists and has the clusterIP '''
-
- cert_path = self.config.config_options['cert']['value']
- if not os.path.exists(cert_path):
- return False
-
- proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
- stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdout, stderr = proc.communicate()
- if proc.returncode == 0:
- for var in self.config.config_options['hostnames']['value'].split(','):
- if var in stdout:
- return True
-
- return False
-
- @staticmethod
- def run_ansible(params, check_mode):
- '''run the idempotent ansible code'''
-
- config = CertificateAuthorityConfig(params['cmd'],
- params['kubeconfig'],
- params['debug'],
- {'cert_dir': {'value': params['cert_dir'], 'include': True},
- 'cert': {'value': params['cert'], 'include': True},
- 'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
- 'master': {'value': params['master'], 'include': True},
- 'public_master': {'value': params['public_master'], 'include': True},
- 'overwrite': {'value': params['overwrite'], 'include': True},
- 'signer_name': {'value': params['signer_name'], 'include': True},
- 'private_key': {'value': params['private_key'], 'include': True},
- 'public_key': {'value': params['public_key'], 'include': True},
- 'key': {'value': params['key'], 'include': True},
- 'signer_cert': {'value': params['signer_cert'], 'include': True},
- 'signer_key': {'value': params['signer_key'], 'include': True},
- 'signer_serial': {'value': params['signer_serial'], 'include': True},
- })
-
-
- oadm_ca = CertificateAuthority(config)
-
- state = params['state']
-
- if state == 'present':
- ########
- # Create
- ########
- if not oadm_ca.exists() or params['overwrite']:
-
- if check_mode:
- return {'changed': True,
- 'msg': "CHECK_MODE: Would have created the certificate.",
- 'state': state}
-
- api_rval = oadm_ca.create()
-
- return {'changed': True, 'results': api_rval, 'state': state}
-
- ########
- # Exists
- ########
- api_rval = oadm_ca.get()
- return {'changed': False, 'results': api_rval, 'state': state}
-
- return {'failed': True,
- 'msg': 'Unknown state passed. %s' % state}
-
-
-# -*- -*- -*- End included fragment: class/oadm_certificate_authority.py -*- -*- -*-
-
-# -*- -*- -*- Begin included fragment: ansible/oadm_certificate_authority.py -*- -*- -*-
-
-def main():
- '''
- ansible oadm module for ca
- '''
-
- module = AnsibleModule(
- argument_spec=dict(
- state=dict(default='present', type='str', choices=['present']),
- debug=dict(default=False, type='bool'),
- kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
- cmd=dict(default=None, require=True, type='str'),
-
- # oadm ca create-master-certs [options]
- cert_dir=dict(default=None, type='str'),
- hostnames=dict(default=[], type='list'),
- master=dict(default=None, type='str'),
- public_master=dict(default=None, type='str'),
- overwrite=dict(default=False, type='bool'),
- signer_name=dict(default=None, type='str'),
-
- # oadm ca create-key-pair [options]
- private_key=dict(default=None, type='str'),
- public_key=dict(default=None, type='str'),
-
- # oadm ca create-server-cert [options]
- cert=dict(default=None, type='str'),
- key=dict(default=None, type='str'),
- signer_cert=dict(default=None, type='str'),
- signer_key=dict(default=None, type='str'),
- signer_serial=dict(default=None, type='str'),
-
- ),
- supports_check_mode=True,
- )
-
- # pylint: disable=line-too-long
- results = CertificateAuthority.run_ansible(module.params, module.check_mode)
- if 'failed' in results:
- return module.fail_json(**results)
-
- return module.exit_json(**results)
-
-
-if __name__ == '__main__':
- main()
-
-# -*- -*- -*- End included fragment: ansible/oadm_certificate_authority.py -*- -*- -*-
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
new file mode 100644
index 000000000..19031f956
--- /dev/null
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -0,0 +1,1471 @@
+#!/usr/bin/env python
+# pylint: disable=missing-docstring
+# flake8: noqa: T001
+# ___ ___ _ _ ___ ___ _ _____ ___ ___
+# / __| __| \| | __| _ \ /_\_ _| __| \
+# | (_ | _|| .` | _|| / / _ \| | | _|| |) |
+# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____
+# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _|
+# | |) | (_) | | .` | (_) || | | _|| |) | | | |
+# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_|
+#
+# Copyright 2016 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*-
+'''
+ OpenShiftCLI class that wraps the oc commands in a subprocess
+'''
+# pylint: disable=too-many-lines
+
+from __future__ import print_function
+import atexit
+import json
+import os
+import re
+import shutil
+import subprocess
+import tempfile
+# pylint: disable=import-error
+import ruamel.yaml as yaml
+from ansible.module_utils.basic import AnsibleModule
+
+# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: doc/ca_server_cert -*- -*- -*-
+
+DOCUMENTATION = '''
+---
+module: oadm_ca
+short_description: Module to manage openshift certificate authority
+description:
+ - Wrapper around the openshift `oc adm ca` command.
+options:
+ state:
+ description:
+ - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
+ - When create-master-certs is desired then the following parameters are passed.
+ - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
+ - When create-key-pair is desired then the following parameters are passed.
+ - ['private_key', 'public_key']
+ - When create-server-cert is desired then the following parameters are passed.
+ - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
+ required: false
+ default: present
+ choices:
+ - present
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ cmd:
+ description:
+ - The sub command given for `oc adm ca`
+ required: false
+ default: None
+ choices:
+ - create-master-certs
+ - create-key-pair
+ - create-server-cert
+ aliases: []
+ cert_dir:
+ description:
+ - The certificate data directory.
+ required: false
+ default: None
+ aliases: []
+ cert:
+ description:
+ - The certificate file. Choose a name that indicates what the service is.
+ required: false
+ default: None
+ aliases: []
+ key:
+ description:
+ - The key file. Choose a name that indicates what the service is.
+ required: false
+ default: None
+ aliases: []
+ overwrite:
+ description:
+ - Overwrite existing cert files if found. If false, any existing file will be left as-is.
+ required: false
+ default: False
+ aliases: []
+ signer_cert:
+ description:
+ - The signer certificate file.
+ required: false
+ default: None
+ aliases: []
+ signer_key:
+ description:
+ - The signer key file.
+ required: false
+ default: None
+ aliases: []
+ signer_serial:
+ description:
+ - The signer serial file.
+ required: false
+ default: None
+ aliases: []
+ public_key:
+ description:
+ - The public key file used with create-key-pair
+ required: false
+ default: None
+ aliases: []
+ private_key:
+ description:
+ - The private key file used with create-key-pair
+ required: false
+ default: None
+ aliases: []
+
+ hostnames:
+ description:
+ - Every hostname or IP that server certs should be valid for (comma-delimited list)
+ required: false
+ default: None
+ aliases: []
+ master:
+ description:
+ - The API server's URL
+ required: false
+ default: None
+ aliases: []
+ public_master:
+ description:
+ - The API public facing server's URL (if applicable)
+ required: false
+ default: None
+ aliases: []
+ signer_name:
+ description:
+ - The name to use for the generated signer
+ required: false
+ default: None
+ aliases: []
+author:
+- "Kenny Woodson <kwoodson@redhat.com>"
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: Create a self-signed cert
+ oadm_ca:
+ cmd: create-server-cert
+ signer_cert: /etc/origin/master/ca.crt
+ signer_key: /etc/origin/master/ca.key
+ signer_serial: /etc/origin/master/ca.serial.txt
+ hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local"
+ cert: /etc/origin/master/registry.crt
+ key: /etc/origin/master/registry.key
+'''
+
+# -*- -*- -*- End included fragment: doc/ca_server_cert -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
+# noqa: E301,E302
+
+
+class YeditException(Exception):
+ ''' Exception class for Yedit '''
+ pass
+
+
+# pylint: disable=too-many-public-methods
+class Yedit(object):
+ ''' Class to modify yaml files '''
+ re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$"
+ re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)"
+ com_sep = set(['.', '#', '|', ':'])
+
+ # pylint: disable=too-many-arguments
+ def __init__(self,
+ filename=None,
+ content=None,
+ content_type='yaml',
+ separator='.',
+ backup=False):
+ self.content = content
+ self._separator = separator
+ self.filename = filename
+ self.__yaml_dict = content
+ self.content_type = content_type
+ self.backup = backup
+ self.load(content_type=self.content_type)
+ if self.__yaml_dict is None:
+ self.__yaml_dict = {}
+
+ @property
+ def separator(self):
+ ''' getter method for yaml_dict '''
+ return self._separator
+
+ @separator.setter
+ def separator(self):
+ ''' getter method for yaml_dict '''
+ return self._separator
+
+ @property
+ def yaml_dict(self):
+ ''' getter method for yaml_dict '''
+ return self.__yaml_dict
+
+ @yaml_dict.setter
+ def yaml_dict(self, value):
+ ''' setter method for yaml_dict '''
+ self.__yaml_dict = value
+
+ @staticmethod
+ def parse_key(key, sep='.'):
+ '''parse the key allowing the appropriate separator'''
+ common_separators = list(Yedit.com_sep - set([sep]))
+ return re.findall(Yedit.re_key % ''.join(common_separators), key)
+
+ @staticmethod
+ def valid_key(key, sep='.'):
+ '''validate the incoming key'''
+ common_separators = list(Yedit.com_sep - set([sep]))
+ if not re.match(Yedit.re_valid_key % ''.join(common_separators), key):
+ return False
+
+ return True
+
+ @staticmethod
+ def remove_entry(data, key, sep='.'):
+ ''' remove data at location key '''
+ if key == '' and isinstance(data, dict):
+ data.clear()
+ return True
+ elif key == '' and isinstance(data, list):
+ del data[:]
+ return True
+
+ if not (key and Yedit.valid_key(key, sep)) and \
+ isinstance(data, (list, dict)):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes[:-1]:
+ if dict_key and isinstance(data, dict):
+ data = data.get(dict_key, None)
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ # process last index for remove
+ # expected list entry
+ if key_indexes[-1][0]:
+ if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
+ del data[int(key_indexes[-1][0])]
+ return True
+
+ # expected dict entry
+ elif key_indexes[-1][1]:
+ if isinstance(data, dict):
+ del data[key_indexes[-1][1]]
+ return True
+
+ @staticmethod
+ def add_entry(data, key, item=None, sep='.'):
+ ''' Get an item from a dictionary with key notation a.b.c
+ d = {'a': {'b': 'c'}}}
+ key = a#b
+ return c
+ '''
+ if key == '':
+ pass
+ elif (not (key and Yedit.valid_key(key, sep)) and
+ isinstance(data, (list, dict))):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes[:-1]:
+ if dict_key:
+ if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501
+ data = data[dict_key]
+ continue
+
+ elif data and not isinstance(data, dict):
+ return None
+
+ data[dict_key] = {}
+ data = data[dict_key]
+
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ if key == '':
+ data = item
+
+ # process last index for add
+ # expected list entry
+ elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
+ data[int(key_indexes[-1][0])] = item
+
+ # expected dict entry
+ elif key_indexes[-1][1] and isinstance(data, dict):
+ data[key_indexes[-1][1]] = item
+
+ return data
+
+ @staticmethod
+ def get_entry(data, key, sep='.'):
+ ''' Get an item from a dictionary with key notation a.b.c
+ d = {'a': {'b': 'c'}}}
+ key = a.b
+ return c
+ '''
+ if key == '':
+ pass
+ elif (not (key and Yedit.valid_key(key, sep)) and
+ isinstance(data, (list, dict))):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes:
+ if dict_key and isinstance(data, dict):
+ data = data.get(dict_key, None)
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ return data
+
+ @staticmethod
+ def _write(filename, contents):
+ ''' Actually write the file contents to disk. This helps with mocking. '''
+
+ tmp_filename = filename + '.yedit'
+
+ with open(tmp_filename, 'w') as yfd:
+ yfd.write(contents)
+
+ os.rename(tmp_filename, filename)
+
+ def write(self):
+ ''' write to file '''
+ if not self.filename:
+ raise YeditException('Please specify a filename.')
+
+ if self.backup and self.file_exists():
+ shutil.copy(self.filename, self.filename + '.orig')
+
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ self.yaml_dict.fa.set_block_style()
+
+ Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
+
+ return (True, self.yaml_dict)
+
+ def read(self):
+ ''' read from file '''
+ # check if it exists
+ if self.filename is None or not self.file_exists():
+ return None
+
+ contents = None
+ with open(self.filename) as yfd:
+ contents = yfd.read()
+
+ return contents
+
+ def file_exists(self):
+ ''' return whether file exists '''
+ if os.path.exists(self.filename):
+ return True
+
+ return False
+
+ def load(self, content_type='yaml'):
+ ''' return yaml file '''
+ contents = self.read()
+
+ if not contents and not self.content:
+ return None
+
+ if self.content:
+ if isinstance(self.content, dict):
+ self.yaml_dict = self.content
+ return self.yaml_dict
+ elif isinstance(self.content, str):
+ contents = self.content
+
+ # check if it is yaml
+ try:
+ if content_type == 'yaml' and contents:
+ self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ self.yaml_dict.fa.set_block_style()
+ elif content_type == 'json' and contents:
+ self.yaml_dict = json.loads(contents)
+ except yaml.YAMLError as err:
+ # Error loading yaml or json
+ raise YeditException('Problem with loading yaml file. %s' % err)
+
+ return self.yaml_dict
+
+ def get(self, key):
+ ''' get a specified key'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, key, self.separator)
+ except KeyError:
+ entry = None
+
+ return entry
+
+ def pop(self, path, key_or_item):
+ ''' remove a key, value pair from a dict or an item for a list'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ return (False, self.yaml_dict)
+
+ if isinstance(entry, dict):
+ # pylint: disable=no-member,maybe-no-member
+ if key_or_item in entry:
+ entry.pop(key_or_item)
+ return (True, self.yaml_dict)
+ return (False, self.yaml_dict)
+
+ elif isinstance(entry, list):
+ # pylint: disable=no-member,maybe-no-member
+ ind = None
+ try:
+ ind = entry.index(key_or_item)
+ except ValueError:
+ return (False, self.yaml_dict)
+
+ entry.pop(ind)
+ return (True, self.yaml_dict)
+
+ return (False, self.yaml_dict)
+
+ def delete(self, path):
+ ''' remove path from a dict'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ return (False, self.yaml_dict)
+
+ result = Yedit.remove_entry(self.yaml_dict, path, self.separator)
+ if not result:
+ return (False, self.yaml_dict)
+
+ return (True, self.yaml_dict)
+
+ def exists(self, path, value):
+ ''' check if value exists at path'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if isinstance(entry, list):
+ if value in entry:
+ return True
+ return False
+
+ elif isinstance(entry, dict):
+ if isinstance(value, dict):
+ rval = False
+ for key, val in value.items():
+ if entry[key] != val:
+ rval = False
+ break
+ else:
+ rval = True
+ return rval
+
+ return value in entry
+
+ return entry == value
+
+ def append(self, path, value):
+ '''append value to a list'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ self.put(path, [])
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ if not isinstance(entry, list):
+ return (False, self.yaml_dict)
+
+ # pylint: disable=no-member,maybe-no-member
+ entry.append(value)
+ return (True, self.yaml_dict)
+
+ # pylint: disable=too-many-arguments
+ def update(self, path, value, index=None, curr_value=None):
+ ''' put path, value into a dict '''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if isinstance(entry, dict):
+ # pylint: disable=no-member,maybe-no-member
+ if not isinstance(value, dict):
+ raise YeditException('Cannot replace key, value entry in ' +
+ 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501
+
+ entry.update(value)
+ return (True, self.yaml_dict)
+
+ elif isinstance(entry, list):
+ # pylint: disable=no-member,maybe-no-member
+ ind = None
+ if curr_value:
+ try:
+ ind = entry.index(curr_value)
+ except ValueError:
+ return (False, self.yaml_dict)
+
+ elif index is not None:
+ ind = index
+
+ if ind is not None and entry[ind] != value:
+ entry[ind] = value
+ return (True, self.yaml_dict)
+
+ # see if it exists in the list
+ try:
+ ind = entry.index(value)
+ except ValueError:
+ # doesn't exist, append it
+ entry.append(value)
+ return (True, self.yaml_dict)
+
+ # already exists, return
+ if ind is not None:
+ return (False, self.yaml_dict)
+ return (False, self.yaml_dict)
+
+ def put(self, path, value):
+ ''' put path, value into a dict '''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry == value:
+ return (False, self.yaml_dict)
+
+ # deepcopy didn't work
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
+ default_flow_style=False),
+ yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+ result = Yedit.add_entry(tmp_copy, path, value, self.separator)
+ if not result:
+ return (False, self.yaml_dict)
+
+ self.yaml_dict = tmp_copy
+
+ return (True, self.yaml_dict)
+
+ def create(self, path, value):
+ ''' create a yaml file '''
+ if not self.file_exists():
+ # deepcopy didn't work
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501
+ yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+ result = Yedit.add_entry(tmp_copy, path, value, self.separator)
+ if result:
+ self.yaml_dict = tmp_copy
+ return (True, self.yaml_dict)
+
+ return (False, self.yaml_dict)
+
+ @staticmethod
+ def get_curr_value(invalue, val_type):
+ '''return the current value'''
+ if invalue is None:
+ return None
+
+ curr_value = invalue
+ if val_type == 'yaml':
+ curr_value = yaml.load(invalue)
+ elif val_type == 'json':
+ curr_value = json.loads(invalue)
+
+ return curr_value
+
+ @staticmethod
+ def parse_value(inc_value, vtype=''):
+ '''determine value type passed'''
+ true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE',
+ 'on', 'On', 'ON', ]
+ false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE',
+ 'off', 'Off', 'OFF']
+
+ # It came in as a string but you didn't specify value_type as string
+ # we will convert to bool if it matches any of the above cases
+ if isinstance(inc_value, str) and 'bool' in vtype:
+ if inc_value not in true_bools and inc_value not in false_bools:
+ raise YeditException('Not a boolean type. str=[%s] vtype=[%s]'
+ % (inc_value, vtype))
+ elif isinstance(inc_value, bool) and 'str' in vtype:
+ inc_value = str(inc_value)
+
+ # If vtype is not str then go ahead and attempt to yaml load it.
+ if isinstance(inc_value, str) and 'str' not in vtype:
+ try:
+ inc_value = yaml.load(inc_value)
+ except Exception:
+ raise YeditException('Could not determine type of incoming ' +
+ 'value. value=[%s] vtype=[%s]'
+ % (type(inc_value), vtype))
+
+ return inc_value
+
+ # pylint: disable=too-many-return-statements,too-many-branches
+ @staticmethod
+ def run_ansible(module):
+ '''perform the idempotent crud operations'''
+ yamlfile = Yedit(filename=module.params['src'],
+ backup=module.params['backup'],
+ separator=module.params['separator'])
+
+ if module.params['src']:
+ rval = yamlfile.load()
+
+ if yamlfile.yaml_dict is None and \
+ module.params['state'] != 'present':
+ return {'failed': True,
+ 'msg': 'Error opening file [%s]. Verify that the ' +
+ 'file exists, that it is has correct' +
+ ' permissions, and is valid yaml.'}
+
+ if module.params['state'] == 'list':
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+ yamlfile.yaml_dict = content
+
+ if module.params['key']:
+ rval = yamlfile.get(module.params['key']) or {}
+
+ return {'changed': False, 'result': rval, 'state': "list"}
+
+ elif module.params['state'] == 'absent':
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+ yamlfile.yaml_dict = content
+
+ if module.params['update']:
+ rval = yamlfile.pop(module.params['key'],
+ module.params['value'])
+ else:
+ rval = yamlfile.delete(module.params['key'])
+
+ if rval[0] and module.params['src']:
+ yamlfile.write()
+
+ return {'changed': rval[0], 'result': rval[1], 'state': "absent"}
+
+ elif module.params['state'] == 'present':
+ # check if content is different than what is in the file
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+
+ # We had no edits to make and the contents are the same
+ if yamlfile.yaml_dict == content and \
+ module.params['value'] is None:
+ return {'changed': False,
+ 'result': yamlfile.yaml_dict,
+ 'state': "present"}
+
+ yamlfile.yaml_dict = content
+
+ # we were passed a value; parse it
+ if module.params['value']:
+ value = Yedit.parse_value(module.params['value'],
+ module.params['value_type'])
+ key = module.params['key']
+ if module.params['update']:
+ # pylint: disable=line-too-long
+ curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501
+ module.params['curr_value_format']) # noqa: E501
+
+ rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501
+
+ elif module.params['append']:
+ rval = yamlfile.append(key, value)
+ else:
+ rval = yamlfile.put(key, value)
+
+ if rval[0] and module.params['src']:
+ yamlfile.write()
+
+ return {'changed': rval[0],
+ 'result': rval[1], 'state': "present"}
+
+ # no edits to make
+ if module.params['src']:
+ # pylint: disable=redefined-variable-type
+ rval = yamlfile.write()
+ return {'changed': rval[0],
+ 'result': rval[1],
+ 'state': "present"}
+
+ return {'failed': True, 'msg': 'Unkown state passed'}
+
+# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*-
+# pylint: disable=too-many-lines
+# noqa: E301,E302,E303,T001
+
+
+class OpenShiftCLIError(Exception):
+ '''Exception class for openshiftcli'''
+ pass
+
+
+# pylint: disable=too-few-public-methods
+class OpenShiftCLI(object):
+ ''' Class to wrap the command line tools '''
+ def __init__(self,
+ namespace,
+ kubeconfig='/etc/origin/master/admin.kubeconfig',
+ verbose=False,
+ all_namespaces=False):
+ ''' Constructor for OpenshiftCLI '''
+ self.namespace = namespace
+ self.verbose = verbose
+ self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig)
+ self.all_namespaces = all_namespaces
+
+ # Pylint allows only 5 arguments to be passed.
+ # pylint: disable=too-many-arguments
+ def _replace_content(self, resource, rname, content, force=False, sep='.'):
+ ''' replace the current object with the content '''
+ res = self._get(resource, rname)
+ if not res['results']:
+ return res
+
+ fname = Utils.create_tmpfile(rname + '-')
+
+ yed = Yedit(fname, res['results'][0], separator=sep)
+ changes = []
+ for key, value in content.items():
+ changes.append(yed.put(key, value))
+
+ if any([change[0] for change in changes]):
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self._replace(fname, force)
+
+ return {'returncode': 0, 'updated': False}
+
+ def _replace(self, fname, force=False):
+ '''replace the current object with oc replace'''
+ cmd = ['replace', '-f', fname]
+ if force:
+ cmd.append('--force')
+ return self.openshift_cmd(cmd)
+
+ def _create_from_content(self, rname, content):
+ '''create a temporary file and then call oc create on it'''
+ fname = Utils.create_tmpfile(rname + '-')
+ yed = Yedit(fname, content=content)
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self._create(fname)
+
+ def _create(self, fname):
+ '''call oc create on a filename'''
+ return self.openshift_cmd(['create', '-f', fname])
+
+ def _delete(self, resource, rname, selector=None):
+ '''call oc delete on a resource'''
+ cmd = ['delete', resource, rname]
+ if selector:
+ cmd.append('--selector=%s' % selector)
+
+ return self.openshift_cmd(cmd)
+
+ def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501
+ '''process a template
+
+ template_name: the name of the template to process
+ create: whether to send to oc create after processing
+ params: the parameters for the template
+ template_data: the incoming template's data; instead of a file
+ '''
+ cmd = ['process']
+ if template_data:
+ cmd.extend(['-f', '-'])
+ else:
+ cmd.append(template_name)
+ if params:
+ param_str = ["%s=%s" % (key, value) for key, value in params.items()]
+ cmd.append('-v')
+ cmd.extend(param_str)
+
+ results = self.openshift_cmd(cmd, output=True, input_data=template_data)
+
+ if results['returncode'] != 0 or not create:
+ return results
+
+ fname = Utils.create_tmpfile(template_name + '-')
+ yed = Yedit(fname, results['results'])
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self.openshift_cmd(['create', '-f', fname])
+
+ def _get(self, resource, rname=None, selector=None):
+ '''return a resource by name '''
+ cmd = ['get', resource]
+ if selector:
+ cmd.append('--selector=%s' % selector)
+ elif rname:
+ cmd.append(rname)
+
+ cmd.extend(['-o', 'json'])
+
+ rval = self.openshift_cmd(cmd, output=True)
+
+ # Ensure results are retuned in an array
+ if 'items' in rval:
+ rval['results'] = rval['items']
+ elif not isinstance(rval['results'], list):
+ rval['results'] = [rval['results']]
+
+ return rval
+
+ def _schedulable(self, node=None, selector=None, schedulable=True):
+ ''' perform oadm manage-node scheduable '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ cmd.append('--schedulable=%s' % schedulable)
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501
+
+ def _list_pods(self, node=None, selector=None, pod_selector=None):
+ ''' perform oadm list pods
+
+ node: the node in which to list pods
+ selector: the label selector filter if provided
+ pod_selector: the pod selector filter if provided
+ '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ if pod_selector:
+ cmd.append('--pod-selector=%s' % pod_selector)
+
+ cmd.extend(['--list-pods', '-o', 'json'])
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
+
+ # pylint: disable=too-many-arguments
+ def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False):
+ ''' perform oadm manage-node evacuate '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ if dry_run:
+ cmd.append('--dry-run')
+
+ if pod_selector:
+ cmd.append('--pod-selector=%s' % pod_selector)
+
+ if grace_period:
+ cmd.append('--grace-period=%s' % int(grace_period))
+
+ if force:
+ cmd.append('--force')
+
+ cmd.append('--evacuate')
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
+
+ def _version(self):
+ ''' return the openshift version'''
+ return self.openshift_cmd(['version'], output=True, output_type='raw')
+
+ def _import_image(self, url=None, name=None, tag=None):
+ ''' perform image import '''
+ cmd = ['import-image']
+
+ image = '{0}'.format(name)
+ if tag:
+ image += ':{0}'.format(tag)
+
+ cmd.append(image)
+
+ if url:
+ cmd.append('--from={0}/{1}'.format(url, image))
+
+ cmd.append('-n{0}'.format(self.namespace))
+
+ cmd.append('--confirm')
+ return self.openshift_cmd(cmd)
+
+ def _run(self, cmds, input_data):
+ ''' Actually executes the command. This makes mocking easier. '''
+ curr_env = os.environ.copy()
+ curr_env.update({'KUBECONFIG': self.kubeconfig})
+ proc = subprocess.Popen(cmds,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ env=curr_env)
+
+ stdout, stderr = proc.communicate(input_data)
+
+ return proc.returncode, stdout, stderr
+
+ # pylint: disable=too-many-arguments,too-many-branches
+ def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None):
+ '''Base command for oc '''
+ cmds = []
+ if oadm:
+ cmds = ['oadm']
+ else:
+ cmds = ['oc']
+
+ if self.all_namespaces:
+ cmds.extend(['--all-namespaces'])
+ elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501
+ cmds.extend(['-n', self.namespace])
+
+ cmds.extend(cmd)
+
+ rval = {}
+ results = ''
+ err = None
+
+ if self.verbose:
+ print(' '.join(cmds))
+
+ returncode, stdout, stderr = self._run(cmds, input_data)
+
+ rval = {"returncode": returncode,
+ "results": results,
+ "cmd": ' '.join(cmds)}
+
+ if returncode == 0:
+ if output:
+ if output_type == 'json':
+ try:
+ rval['results'] = json.loads(stdout)
+ except ValueError as err:
+ if "No JSON object could be decoded" in err.args:
+ err = err.args
+ elif output_type == 'raw':
+ rval['results'] = stdout
+
+ if self.verbose:
+ print("STDOUT: {0}".format(stdout))
+ print("STDERR: {0}".format(stderr))
+
+ if err:
+ rval.update({"err": err,
+ "stderr": stderr,
+ "stdout": stdout,
+ "cmd": cmds})
+
+ else:
+ rval.update({"stderr": stderr,
+ "stdout": stdout,
+ "results": {}})
+
+ return rval
+
+
+class Utils(object):
+ ''' utilities for openshiftcli modules '''
+
+ @staticmethod
+ def _write(filename, contents):
+ ''' Actually write the file contents to disk. This helps with mocking. '''
+
+ with open(filename, 'w') as sfd:
+ sfd.write(contents)
+
+ @staticmethod
+ def create_tmp_file_from_contents(rname, data, ftype='yaml'):
+ ''' create a file in tmp with name and contents'''
+
+ tmp = Utils.create_tmpfile(prefix=rname)
+
+ if ftype == 'yaml':
+ Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
+ elif ftype == 'json':
+ Utils._write(tmp, json.dumps(data))
+ else:
+ Utils._write(tmp, data)
+
+ # Register cleanup when module is done
+ atexit.register(Utils.cleanup, [tmp])
+ return tmp
+
+ @staticmethod
+ def create_tmpfile_copy(inc_file):
+ '''create a temporary copy of a file'''
+ tmpfile = Utils.create_tmpfile('lib_openshift-')
+ Utils._write(tmpfile, open(inc_file).read())
+
+ # Cleanup the tmpfile
+ atexit.register(Utils.cleanup, [tmpfile])
+
+ return tmpfile
+
+ @staticmethod
+ def create_tmpfile(prefix='tmp'):
+ ''' Generates and returns a temporary file name '''
+
+ with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp:
+ return tmp.name
+
+ @staticmethod
+ def create_tmp_files_from_contents(content, content_type=None):
+ '''Turn an array of dict: filename, content into a files array'''
+ if not isinstance(content, list):
+ content = [content]
+ files = []
+ for item in content:
+ path = Utils.create_tmp_file_from_contents(item['path'] + '-',
+ item['data'],
+ ftype=content_type)
+ files.append({'name': os.path.basename(item['path']),
+ 'path': path})
+ return files
+
+ @staticmethod
+ def cleanup(files):
+ '''Clean up on exit '''
+ for sfile in files:
+ if os.path.exists(sfile):
+ if os.path.isdir(sfile):
+ shutil.rmtree(sfile)
+ elif os.path.isfile(sfile):
+ os.remove(sfile)
+
+ @staticmethod
+ def exists(results, _name):
+ ''' Check to see if the results include the name '''
+ if not results:
+ return False
+
+ if Utils.find_result(results, _name):
+ return True
+
+ return False
+
+ @staticmethod
+ def find_result(results, _name):
+ ''' Find the specified result by name'''
+ rval = None
+ for result in results:
+ if 'metadata' in result and result['metadata']['name'] == _name:
+ rval = result
+ break
+
+ return rval
+
+ @staticmethod
+ def get_resource_file(sfile, sfile_type='yaml'):
+ ''' return the service file '''
+ contents = None
+ with open(sfile) as sfd:
+ contents = sfd.read()
+
+ if sfile_type == 'yaml':
+ contents = yaml.load(contents, yaml.RoundTripLoader)
+ elif sfile_type == 'json':
+ contents = json.loads(contents)
+
+ return contents
+
+ @staticmethod
+ def filter_versions(stdout):
+ ''' filter the oc version output '''
+
+ version_dict = {}
+ version_search = ['oc', 'openshift', 'kubernetes']
+
+ for line in stdout.strip().split('\n'):
+ for term in version_search:
+ if not line:
+ continue
+ if line.startswith(term):
+ version_dict[term] = line.split()[-1]
+
+ # horrible hack to get openshift version in Openshift 3.2
+ # By default "oc version in 3.2 does not return an "openshift" version
+ if "openshift" not in version_dict:
+ version_dict["openshift"] = version_dict["oc"]
+
+ return version_dict
+
+ @staticmethod
+ def add_custom_versions(versions):
+ ''' create custom versions strings '''
+
+ versions_dict = {}
+
+ for tech, version in versions.items():
+ # clean up "-" from version
+ if "-" in version:
+ version = version.split("-")[0]
+
+ if version.startswith('v'):
+ versions_dict[tech + '_numeric'] = version[1:].split('+')[0]
+ # "v3.3.0.33" is what we have, we want "3.3"
+ versions_dict[tech + '_short'] = version[1:4]
+
+ return versions_dict
+
+ @staticmethod
+ def openshift_installed():
+ ''' check if openshift is installed '''
+ import yum
+
+ yum_base = yum.YumBase()
+ if yum_base.rpmdb.searchNevra(name='atomic-openshift'):
+ return True
+
+ return False
+
+ # Disabling too-many-branches. This is a yaml dictionary comparison function
+ # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements
+ @staticmethod
+ def check_def_equal(user_def, result_def, skip_keys=None, debug=False):
+ ''' Given a user defined definition, compare it with the results given back by our query. '''
+
+ # Currently these values are autogenerated and we do not need to check them
+ skip = ['metadata', 'status']
+ if skip_keys:
+ skip.extend(skip_keys)
+
+ for key, value in result_def.items():
+ if key in skip:
+ continue
+
+ # Both are lists
+ if isinstance(value, list):
+ if key not in user_def:
+ if debug:
+ print('User data does not have key [%s]' % key)
+ print('User data: %s' % user_def)
+ return False
+
+ if not isinstance(user_def[key], list):
+ if debug:
+ print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key]))
+ return False
+
+ if len(user_def[key]) != len(value):
+ if debug:
+ print("List lengths are not equal.")
+ print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value)))
+ print("user_def: %s" % user_def[key])
+ print("value: %s" % value)
+ return False
+
+ for values in zip(user_def[key], value):
+ if isinstance(values[0], dict) and isinstance(values[1], dict):
+ if debug:
+ print('sending list - list')
+ print(type(values[0]))
+ print(type(values[1]))
+ result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug)
+ if not result:
+ print('list compare returned false')
+ return False
+
+ elif value != user_def[key]:
+ if debug:
+ print('value should be identical')
+ print(value)
+ print(user_def[key])
+ return False
+
+ # recurse on a dictionary
+ elif isinstance(value, dict):
+ if key not in user_def:
+ if debug:
+ print("user_def does not have key [%s]" % key)
+ return False
+ if not isinstance(user_def[key], dict):
+ if debug:
+ print("dict returned false: not instance of dict")
+ return False
+
+ # before passing ensure keys match
+ api_values = set(value.keys()) - set(skip)
+ user_values = set(user_def[key].keys()) - set(skip)
+ if api_values != user_values:
+ if debug:
+ print("keys are not equal in dict")
+ print(api_values)
+ print(user_values)
+ return False
+
+ result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug)
+ if not result:
+ if debug:
+ print("dict returned false")
+ print(result)
+ return False
+
+ # Verify each key, value pair is the same
+ else:
+ if key not in user_def or value != user_def[key]:
+ if debug:
+ print("value not equal; user_def does not have key")
+ print(key)
+ print(value)
+ if key in user_def:
+ print(user_def[key])
+ return False
+
+ if debug:
+ print('returning true')
+ return True
+
+
+class OpenShiftCLIConfig(object):
+ '''Generic Config'''
+ def __init__(self, rname, namespace, kubeconfig, options):
+ self.kubeconfig = kubeconfig
+ self.name = rname
+ self.namespace = namespace
+ self._options = options
+
+ @property
+ def config_options(self):
+ ''' return config options '''
+ return self._options
+
+ def to_option_list(self):
+ '''return all options as a string'''
+ return self.stringify()
+
+ def stringify(self):
+ ''' return the options hash as cli params in a string '''
+ rval = []
+ for key, data in self.config_options.items():
+ if data['include'] \
+ and (data['value'] or isinstance(data['value'], int)):
+ rval.append('--%s=%s' % (key.replace('_', '-'), data['value']))
+
+ return rval
+
+
+# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: class/oc_adm_ca_server_cert.py -*- -*- -*-
+
+class CAServerCertConfig(OpenShiftCLIConfig):
+ ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
+ def __init__(self, cmd, kubeconfig, verbose, ca_options):
+ super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
+ self.cmd = cmd
+ self.kubeconfig = kubeconfig
+ self.verbose = verbose
+ self._ca = ca_options
+
+class CAServerCert(OpenShiftCLI):
+ ''' Class to wrap the oc command line tools '''
+ def __init__(self,
+ config,
+ verbose=False):
+ ''' Constructor for oadm ca '''
+ super(CAServerCert, self).__init__(None, config.kubeconfig, verbose)
+ self.config = config
+ self.verbose = verbose
+
+ def get(self):
+ '''get the current cert file
+
+ If a file exists by the same name in the specified location then the cert exists
+ '''
+ cert = self.config.config_options['cert']['value']
+ if cert and os.path.exists(cert):
+ return open(cert).read()
+
+ return None
+
+ def create(self):
+ '''run openshift ca cmd'''
+ options = self.config.to_option_list()
+
+ cmd = ['ca']
+ cmd.append(self.config.cmd)
+ cmd.extend(options)
+
+ return self.openshift_cmd(cmd, oadm=True)
+
+ def exists(self):
+ ''' check whether the certificate exists and has the clusterIP '''
+
+ cert_path = self.config.config_options['cert']['value']
+ if not os.path.exists(cert_path):
+ return False
+
+ proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ stdout, stderr = proc.communicate()
+ if proc.returncode == 0:
+ for var in self.config.config_options['hostnames']['value'].split(','):
+ if var in stdout:
+ return True
+
+ return False
+
+ @staticmethod
+ def run_ansible(params, check_mode):
+ '''run the idempotent ansible code'''
+
+ config = CAServerCertConfig(params['cmd'],
+ params['kubeconfig'],
+ params['debug'],
+ {'cert': {'value': params['cert'], 'include': True},
+ 'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
+ 'overwrite': {'value': params['overwrite'], 'include': True},
+ 'signer_name': {'value': params['signer_name'], 'include': True},
+ 'key': {'value': params['key'], 'include': True},
+ 'signer_cert': {'value': params['signer_cert'], 'include': True},
+ 'signer_key': {'value': params['signer_key'], 'include': True},
+ 'signer_serial': {'value': params['signer_serial'], 'include': True},
+ })
+
+ server_cert = CAServerCert(config)
+
+ state = params['state']
+
+ if state == 'present':
+ ########
+ # Create
+ ########
+ if not server_cert.exists() or params['overwrite']:
+
+ if check_mode:
+ return {'changed': True,
+ 'msg': "CHECK_MODE: Would have created the certificate.",
+ 'state': state}
+
+ api_rval = server_cert.create()
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ ########
+ # Exists
+ ########
+ api_rval = server_cert.get()
+ return {'changed': False, 'results': api_rval, 'state': state}
+
+ return {'failed': True,
+ 'msg': 'Unknown state passed. %s' % state}
+
+
+# -*- -*- -*- End included fragment: class/oc_adm_ca_server_cert.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: ansible/oc_adm_ca_server_cert.py -*- -*- -*-
+
+def main():
+ '''
+ ansible oc adm module for ca create-server-cert
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ state=dict(default='present', type='str', choices=['present']),
+ debug=dict(default=False, type='bool'),
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ cmd=dict(default=None, require=True, type='str'),
+ # oadm ca create-server-cert [options]
+ cert=dict(default=None, type='str'),
+ key=dict(default=None, type='str'),
+ signer_cert=dict(default=None, type='str'),
+ signer_key=dict(default=None, type='str'),
+ signer_serial=dict(default=None, type='str'),
+ hostnames=dict(default=[], type='list'),
+ overwrite=dict(default=False, type='bool'),
+ ),
+ supports_check_mode=True,
+ )
+
+ # pylint: disable=line-too-long
+ results = CAServerCert.run_ansible(module.params, module.check_mode)
+ if 'failed' in results:
+ return module.fail_json(**results)
+
+ return module.exit_json(**results)
+
+
+if __name__ == '__main__':
+ main()
+
+# -*- -*- -*- End included fragment: ansible/oc_adm_ca_server_cert.py -*- -*- -*-
--
cgit v1.2.3
From f3cafbe005d54aaea6e46f2f348b092e430531f2 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Fri, 17 Feb 2017 09:42:07 -0500
Subject: Removing cmd, fixed docs and comments.
---
.../lib_openshift/library/oc_adm_ca_server_cert.py | 153 ++++++++++-----------
1 file changed, 69 insertions(+), 84 deletions(-)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 19031f956..4c5c1f1ab 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -33,6 +33,7 @@
from __future__ import print_function
import atexit
+import copy
import json
import os
import re
@@ -40,7 +41,11 @@ import shutil
import subprocess
import tempfile
# pylint: disable=import-error
-import ruamel.yaml as yaml
+try:
+ import ruamel.yaml as yaml
+except ImportError:
+ import yaml
+
from ansible.module_utils.basic import AnsibleModule
# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*-
@@ -49,18 +54,15 @@ from ansible.module_utils.basic import AnsibleModule
DOCUMENTATION = '''
---
-module: oadm_ca
-short_description: Module to manage openshift certificate authority
+module: oc_adm_ca_server_cert
+short_description: Module to run openshift oc adm ca create-server-cert
description:
- - Wrapper around the openshift `oc adm ca` command.
+ - Wrapper around the openshift `oc adm ca create-server-cert` command.
options:
state:
description:
- Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
- - When create-master-certs is desired then the following parameters are passed.
- - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
- - When create-key-pair is desired then the following parameters are passed.
- - ['private_key', 'public_key']
+ - and verify if the hostnames and the ClusterIP exists in the certificate.
- When create-server-cert is desired then the following parameters are passed.
- ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
required: false
@@ -80,22 +82,6 @@ options:
required: false
default: False
aliases: []
- cmd:
- description:
- - The sub command given for `oc adm ca`
- required: false
- default: None
- choices:
- - create-master-certs
- - create-key-pair
- - create-server-cert
- aliases: []
- cert_dir:
- description:
- - The certificate data directory.
- required: false
- default: None
- aliases: []
cert:
description:
- The certificate file. Choose a name that indicates what the service is.
@@ -132,43 +118,12 @@ options:
required: false
default: None
aliases: []
- public_key:
- description:
- - The public key file used with create-key-pair
- required: false
- default: None
- aliases: []
- private_key:
- description:
- - The private key file used with create-key-pair
- required: false
- default: None
- aliases: []
-
hostnames:
description:
- Every hostname or IP that server certs should be valid for (comma-delimited list)
required: false
default: None
aliases: []
- master:
- description:
- - The API server's URL
- required: false
- default: None
- aliases: []
- public_master:
- description:
- - The API public facing server's URL (if applicable)
- required: false
- default: None
- aliases: []
- signer_name:
- description:
- - The name to use for the generated signer
- required: false
- default: None
- aliases: []
author:
- "Kenny Woodson <kwoodson@redhat.com>"
extends_documentation_fragment: []
@@ -176,8 +131,7 @@ extends_documentation_fragment: []
EXAMPLES = '''
- name: Create a self-signed cert
- oadm_ca:
- cmd: create-server-cert
+ oc_adm_ca_server_cert:
signer_cert: /etc/origin/master/ca.crt
signer_key: /etc/origin/master/ca.key
signer_serial: /etc/origin/master/ca.serial.txt
@@ -383,11 +337,15 @@ class Yedit(object):
if self.backup and self.file_exists():
shutil.copy(self.filename, self.filename + '.orig')
- # pylint: disable=no-member
- if hasattr(self.yaml_dict, 'fa'):
- self.yaml_dict.fa.set_block_style()
+ if hasattr(yaml, 'RoundTripDumper'):
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ self.yaml_dict.fa.set_block_style()
- Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
+ # pylint: disable=no-member
+ Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
+ else:
+ Yedit._write(self.filename, yaml.safe_dump(self.yaml_dict, default_flow_style=False))
return (True, self.yaml_dict)
@@ -427,10 +385,16 @@ class Yedit(object):
# check if it is yaml
try:
if content_type == 'yaml' and contents:
- self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(yaml, 'RoundTripLoader'):
+ self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
+ else:
+ self.yaml_dict = yaml.safe_load(contents)
+
# pylint: disable=no-member
if hasattr(self.yaml_dict, 'fa'):
self.yaml_dict.fa.set_block_style()
+
elif content_type == 'json' and contents:
self.yaml_dict = json.loads(contents)
except yaml.YAMLError as err:
@@ -595,12 +559,19 @@ class Yedit(object):
return (False, self.yaml_dict)
# deepcopy didn't work
- tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
- default_flow_style=False),
- yaml.RoundTripLoader)
- # pylint: disable=no-member
- if hasattr(self.yaml_dict, 'fa'):
- tmp_copy.fa.set_block_style()
+ if hasattr(yaml, 'round_trip_dump'):
+ # pylint: disable=no-member
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
+ default_flow_style=False),
+ yaml.RoundTripLoader)
+
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+
+ else:
+ tmp_copy = copy.deepcopy(self.yaml_dict)
+
result = Yedit.add_entry(tmp_copy, path, value, self.separator)
if not result:
return (False, self.yaml_dict)
@@ -613,11 +584,17 @@ class Yedit(object):
''' create a yaml file '''
if not self.file_exists():
# deepcopy didn't work
- tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501
- yaml.RoundTripLoader)
- # pylint: disable=no-member
- if hasattr(self.yaml_dict, 'fa'):
- tmp_copy.fa.set_block_style()
+ if hasattr(yaml, 'round_trip_dump'):
+ # pylint: disable=no-member
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501
+ yaml.RoundTripLoader)
+
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+ else:
+ tmp_copy = copy.deepcopy(self.yaml_dict)
+
result = Yedit.add_entry(tmp_copy, path, value, self.separator)
if result:
self.yaml_dict = tmp_copy
@@ -1059,7 +1036,12 @@ class Utils(object):
tmp = Utils.create_tmpfile(prefix=rname)
if ftype == 'yaml':
- Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
+ # pylint: disable=no-member
+ if hasattr(yaml, 'RoundTripDumper'):
+ Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
+ else:
+ Utils._write(tmp, yaml.safe_dump(data, default_flow_style=False))
+
elif ftype == 'json':
Utils._write(tmp, json.dumps(data))
else:
@@ -1141,7 +1123,11 @@ class Utils(object):
contents = sfd.read()
if sfile_type == 'yaml':
- contents = yaml.load(contents, yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(yaml, 'RoundTripLoader'):
+ contents = yaml.load(contents, yaml.RoundTripLoader)
+ else:
+ contents = yaml.safe_load(contents)
elif sfile_type == 'json':
contents = json.loads(contents)
@@ -1328,16 +1314,15 @@ class OpenShiftCLIConfig(object):
# -*- -*- -*- Begin included fragment: class/oc_adm_ca_server_cert.py -*- -*- -*-
class CAServerCertConfig(OpenShiftCLIConfig):
- ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
- def __init__(self, cmd, kubeconfig, verbose, ca_options):
+ ''' CAServerCertConfig is a DTO for the oc adm ca command '''
+ def __init__(self, kubeconfig, verbose, ca_options):
super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
- self.cmd = cmd
self.kubeconfig = kubeconfig
self.verbose = verbose
self._ca = ca_options
class CAServerCert(OpenShiftCLI):
- ''' Class to wrap the oc command line tools '''
+ ''' Class to wrap the oc adm ca create-server-cert command line'''
def __init__(self,
config,
verbose=False):
@@ -1358,11 +1343,10 @@ class CAServerCert(OpenShiftCLI):
return None
def create(self):
- '''run openshift ca cmd'''
+ '''run openshift oc adm ca create-server-cert cmd'''
options = self.config.to_option_list()
- cmd = ['ca']
- cmd.append(self.config.cmd)
+ cmd = ['ca', 'create-server-cert']
cmd.extend(options)
return self.openshift_cmd(cmd, oadm=True)
@@ -1374,6 +1358,8 @@ class CAServerCert(OpenShiftCLI):
if not os.path.exists(cert_path):
return False
+ # Would prefer pyopenssl but is not installed.
+ # When we verify it is, switch this code
proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = proc.communicate()
@@ -1388,8 +1374,7 @@ class CAServerCert(OpenShiftCLI):
def run_ansible(params, check_mode):
'''run the idempotent ansible code'''
- config = CAServerCertConfig(params['cmd'],
- params['kubeconfig'],
+ config = CAServerCertConfig(params['kubeconfig'],
params['debug'],
{'cert': {'value': params['cert'], 'include': True},
'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
--
cgit v1.2.3
From a330de2153a66c458a21fd506c3220a4b3acd563 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Fri, 17 Feb 2017 15:46:06 -0500
Subject: Updated doc and defined defaults for signer_*
---
.../lib_openshift/library/oc_adm_ca_server_cert.py | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 4c5c1f1ab..98e61cef4 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -104,19 +104,19 @@ options:
description:
- The signer certificate file.
required: false
- default: None
+ default: /etc/origin/master/ca.crt
aliases: []
signer_key:
description:
- The signer key file.
required: false
- default: None
+ default: /etc/origin/master/ca.key
aliases: []
signer_serial:
description:
- The signer serial file.
required: false
- default: None
+ default: /etc/origin/master/ca.serial.txt
aliases: []
hostnames:
description:
@@ -959,7 +959,7 @@ class OpenShiftCLI(object):
stdout, stderr = proc.communicate(input_data)
- return proc.returncode, stdout, stderr
+ return proc.returncode, stdout.decode(), stderr.decode()
# pylint: disable=too-many-arguments,too-many-branches
def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None):
@@ -1316,7 +1316,7 @@ class OpenShiftCLIConfig(object):
class CAServerCertConfig(OpenShiftCLIConfig):
''' CAServerCertConfig is a DTO for the oc adm ca command '''
def __init__(self, kubeconfig, verbose, ca_options):
- super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
+ super(CAServerCertConfig, self).__init__('ca', None, kubeconfig, ca_options)
self.kubeconfig = kubeconfig
self.verbose = verbose
self._ca = ca_options
@@ -1358,11 +1358,11 @@ class CAServerCert(OpenShiftCLI):
if not os.path.exists(cert_path):
return False
- # Would prefer pyopenssl but is not installed.
+ # Would prefer pyopenssl but is not installed.
# When we verify it is, switch this code
proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdout, stderr = proc.communicate()
+ stdout, _ = proc.communicate()
if proc.returncode == 0:
for var in self.config.config_options['hostnames']['value'].split(','):
if var in stdout:
@@ -1379,7 +1379,6 @@ class CAServerCert(OpenShiftCLI):
{'cert': {'value': params['cert'], 'include': True},
'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
'overwrite': {'value': params['overwrite'], 'include': True},
- 'signer_name': {'value': params['signer_name'], 'include': True},
'key': {'value': params['key'], 'include': True},
'signer_cert': {'value': params['signer_cert'], 'include': True},
'signer_key': {'value': params['signer_key'], 'include': True},
@@ -1433,16 +1432,15 @@ def main():
# oadm ca create-server-cert [options]
cert=dict(default=None, type='str'),
key=dict(default=None, type='str'),
- signer_cert=dict(default=None, type='str'),
- signer_key=dict(default=None, type='str'),
- signer_serial=dict(default=None, type='str'),
+ signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'),
+ signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
+ signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
hostnames=dict(default=[], type='list'),
overwrite=dict(default=False, type='bool'),
),
supports_check_mode=True,
)
- # pylint: disable=line-too-long
results = CAServerCert.run_ansible(module.params, module.check_mode)
if 'failed' in results:
return module.fail_json(**results)
--
cgit v1.2.3
From c0a264e4c220bf086760acd6ab1d27bfe36a06dc Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Tue, 21 Feb 2017 09:59:09 -0500
Subject: Small spacing fix.
---
roles/lib_openshift/library/oc_adm_ca_server_cert.py | 1 +
1 file changed, 1 insertion(+)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 98e61cef4..9c8c62621 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -1321,6 +1321,7 @@ class CAServerCertConfig(OpenShiftCLIConfig):
self.verbose = verbose
self._ca = ca_options
+
class CAServerCert(OpenShiftCLI):
''' Class to wrap the oc adm ca create-server-cert command line'''
def __init__(self,
--
cgit v1.2.3
From 8200377dbb3d0e6aa2b35ea369cceb03976b508b Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Tue, 21 Feb 2017 10:26:17 -0500
Subject: Added copy support when modifying cert and key on existence
---
roles/lib_openshift/library/oc_adm_ca_server_cert.py | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 9c8c62621..9c57435e7 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -124,6 +124,12 @@ options:
required: false
default: None
aliases: []
+ backup:
+ description:
+ - Whether to backup the cert and key files before writing them.
+ required: false
+ default: True
+ aliases: []
author:
- "Kenny Woodson <kwoodson@redhat.com>"
extends_documentation_fragment: []
@@ -1345,6 +1351,17 @@ class CAServerCert(OpenShiftCLI):
def create(self):
'''run openshift oc adm ca create-server-cert cmd'''
+
+ # Added this here as a safegaurd for stomping on the
+ # cert and key files if they exist
+ if self.config.config_options['backup']['value']:
+ if os.path.exists(self.config.config_options['key']['value']):
+ shutil.copy(self.config.config_options['key']['value'],
+ "%s.orig" % self.config.config_options['key']['value'])
+ if os.path.exists(self.config.config_options['cert']['value']):
+ shutil.copy(self.config.config_options['cert']['value'],
+ "%s.orig" % self.config.config_options['cert']['value'])
+
options = self.config.to_option_list()
cmd = ['ca', 'create-server-cert']
@@ -1384,6 +1401,7 @@ class CAServerCert(OpenShiftCLI):
'signer_cert': {'value': params['signer_cert'], 'include': True},
'signer_key': {'value': params['signer_key'], 'include': True},
'signer_serial': {'value': params['signer_serial'], 'include': True},
+ 'backup': {'value': params['backup'], 'include': False},
})
server_cert = CAServerCert(config)
@@ -1429,7 +1447,7 @@ def main():
state=dict(default='present', type='str', choices=['present']),
debug=dict(default=False, type='bool'),
kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
- cmd=dict(default=None, require=True, type='str'),
+ backup=dict(default=True, type='bool'),
# oadm ca create-server-cert [options]
cert=dict(default=None, type='str'),
key=dict(default=None, type='str'),
--
cgit v1.2.3
From 3effaa96c8e843a5820b98cf9c2dab608481c259 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Tue, 21 Feb 2017 20:15:28 -0500
Subject: Added backup feature. Fixed a bug with reading the certificate and
verifying names. Added force option.
---
roles/lib_openshift/library/oadm_manage_node.py | 2 +
.../lib_openshift/library/oc_adm_ca_server_cert.py | 44 ++++++++++++++++------
roles/lib_openshift/library/oc_edit.py | 2 +
roles/lib_openshift/library/oc_env.py | 2 +
roles/lib_openshift/library/oc_label.py | 2 +
roles/lib_openshift/library/oc_obj.py | 2 +
roles/lib_openshift/library/oc_process.py | 2 +
roles/lib_openshift/library/oc_route.py | 2 +
roles/lib_openshift/library/oc_scale.py | 2 +
roles/lib_openshift/library/oc_secret.py | 2 +
roles/lib_openshift/library/oc_service.py | 2 +
roles/lib_openshift/library/oc_serviceaccount.py | 2 +
.../library/oc_serviceaccount_secret.py | 2 +
roles/lib_openshift/library/oc_version.py | 2 +
14 files changed, 58 insertions(+), 12 deletions(-)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oadm_manage_node.py b/roles/lib_openshift/library/oadm_manage_node.py
index 0ac233c72..d0bf553ae 100644
--- a/roles/lib_openshift/library/oadm_manage_node.py
+++ b/roles/lib_openshift/library/oadm_manage_node.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 9c57435e7..8872cda3a 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
@@ -94,9 +96,9 @@ options:
required: false
default: None
aliases: []
- overwrite:
+ force:
description:
- - Overwrite existing cert files if found. If false, any existing file will be left as-is.
+ - Force updating of the existing cert and key files
required: false
default: False
aliases: []
@@ -1355,12 +1357,15 @@ class CAServerCert(OpenShiftCLI):
# Added this here as a safegaurd for stomping on the
# cert and key files if they exist
if self.config.config_options['backup']['value']:
+ ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time()))
+ date_str = "%s_" + "%s" % ext
+
if os.path.exists(self.config.config_options['key']['value']):
shutil.copy(self.config.config_options['key']['value'],
- "%s.orig" % self.config.config_options['key']['value'])
+ date_str % self.config.config_options['key']['value'])
if os.path.exists(self.config.config_options['cert']['value']):
shutil.copy(self.config.config_options['cert']['value'],
- "%s.orig" % self.config.config_options['cert']['value'])
+ date_str % self.config.config_options['cert']['value'])
options = self.config.to_option_list()
@@ -1378,13 +1383,28 @@ class CAServerCert(OpenShiftCLI):
# Would prefer pyopenssl but is not installed.
# When we verify it is, switch this code
- proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+ # Here is the code to get the subject and the SAN
+ # openssl x509 -text -noout -certopt \
+ # no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux \
+ # -in /etc/origin/master/registry.crt
+ # Instead of this solution we will use a regex.
+ cert_names = []
+ hostnames = self.config.config_options['hostnames']['value'].split(',')
+ proc = subprocess.Popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdout, _ = proc.communicate()
+
+ x509output, _ = proc.communicate()
if proc.returncode == 0:
- for var in self.config.config_options['hostnames']['value'].split(','):
- if var in stdout:
- return True
+ regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)
+ match = regex.search(x509output) # E501
+ for entry in re.split(r", *", match.group(1)):
+ if entry.startswith('DNS') or entry.startswith('IP Address'):
+ cert_names.append(entry.split(':')[1])
+ # now that we have cert names let's compare
+ cert_set = set(cert_names)
+ hname_set = set(hostnames)
+ if cert_set.issubset(hname_set) and hname_set.issubset(cert_set):
+ return True
return False
@@ -1396,7 +1416,7 @@ class CAServerCert(OpenShiftCLI):
params['debug'],
{'cert': {'value': params['cert'], 'include': True},
'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
- 'overwrite': {'value': params['overwrite'], 'include': True},
+ 'overwrite': {'value': True, 'include': True},
'key': {'value': params['key'], 'include': True},
'signer_cert': {'value': params['signer_cert'], 'include': True},
'signer_key': {'value': params['signer_key'], 'include': True},
@@ -1412,7 +1432,7 @@ class CAServerCert(OpenShiftCLI):
########
# Create
########
- if not server_cert.exists() or params['overwrite']:
+ if not server_cert.exists() or params['force']:
if check_mode:
return {'changed': True,
@@ -1455,7 +1475,7 @@ def main():
signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
hostnames=dict(default=[], type='list'),
- overwrite=dict(default=False, type='bool'),
+ force=dict(default=False, type='bool'),
),
supports_check_mode=True,
)
diff --git a/roles/lib_openshift/library/oc_edit.py b/roles/lib_openshift/library/oc_edit.py
index 1b1faf496..2ead608ac 100644
--- a/roles/lib_openshift/library/oc_edit.py
+++ b/roles/lib_openshift/library/oc_edit.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_env.py b/roles/lib_openshift/library/oc_env.py
index 7c2ccb98f..49a03b0a7 100644
--- a/roles/lib_openshift/library/oc_env.py
+++ b/roles/lib_openshift/library/oc_env.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_label.py b/roles/lib_openshift/library/oc_label.py
index 0db8585a4..4bb67b2b5 100644
--- a/roles/lib_openshift/library/oc_label.py
+++ b/roles/lib_openshift/library/oc_label.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py
index 6d0b391b9..a9bec980c 100644
--- a/roles/lib_openshift/library/oc_obj.py
+++ b/roles/lib_openshift/library/oc_obj.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py
index a1ee79f6e..2565bd895 100644
--- a/roles/lib_openshift/library/oc_process.py
+++ b/roles/lib_openshift/library/oc_process.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py
index 4b5c4460c..b1f97505e 100644
--- a/roles/lib_openshift/library/oc_route.py
+++ b/roles/lib_openshift/library/oc_route.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_scale.py b/roles/lib_openshift/library/oc_scale.py
index a37b2aba0..babf489ad 100644
--- a/roles/lib_openshift/library/oc_scale.py
+++ b/roles/lib_openshift/library/oc_scale.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py
index c423e9442..020d1a89f 100644
--- a/roles/lib_openshift/library/oc_secret.py
+++ b/roles/lib_openshift/library/oc_secret.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_service.py b/roles/lib_openshift/library/oc_service.py
index 319ec4bd7..99829a5e2 100644
--- a/roles/lib_openshift/library/oc_service.py
+++ b/roles/lib_openshift/library/oc_service.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_serviceaccount.py b/roles/lib_openshift/library/oc_serviceaccount.py
index 0d1705414..ec2c24983 100644
--- a/roles/lib_openshift/library/oc_serviceaccount.py
+++ b/roles/lib_openshift/library/oc_serviceaccount.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_serviceaccount_secret.py b/roles/lib_openshift/library/oc_serviceaccount_secret.py
index 5f07528a0..1c7855f37 100644
--- a/roles/lib_openshift/library/oc_serviceaccount_secret.py
+++ b/roles/lib_openshift/library/oc_serviceaccount_secret.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_version.py b/roles/lib_openshift/library/oc_version.py
index 9b660e1d3..8916dc0e0 100644
--- a/roles/lib_openshift/library/oc_version.py
+++ b/roles/lib_openshift/library/oc_version.py
@@ -34,6 +34,8 @@
from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
--
cgit v1.2.3
From 9c49ba4bb0b69604e98fc3dda65f8ccd40f19552 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Wed, 22 Feb 2017 11:19:51 -0500
Subject: Removing reference to oadm. Moved parameter under general params.
---
roles/lib_openshift/library/oc_adm_ca_server_cert.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 8872cda3a..ffb649eb7 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -1468,14 +1468,14 @@ def main():
debug=dict(default=False, type='bool'),
kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
backup=dict(default=True, type='bool'),
- # oadm ca create-server-cert [options]
+ force=dict(default=False, type='bool'),
+ # oc adm ca create-server-cert [options]
cert=dict(default=None, type='str'),
key=dict(default=None, type='str'),
signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'),
signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
hostnames=dict(default=[], type='list'),
- force=dict(default=False, type='bool'),
),
supports_check_mode=True,
)
--
cgit v1.2.3
From 5fabd910189a125df2943ef8092ff492f90617a1 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Wed, 22 Feb 2017 12:53:21 -0500
Subject: Moving import to local class.
---
roles/lib_openshift/library/oadm_manage_node.py | 2 --
roles/lib_openshift/library/oc_adm_ca_server_cert.py | 3 +--
roles/lib_openshift/library/oc_edit.py | 2 --
roles/lib_openshift/library/oc_env.py | 2 --
roles/lib_openshift/library/oc_label.py | 2 --
roles/lib_openshift/library/oc_obj.py | 2 --
roles/lib_openshift/library/oc_process.py | 2 --
roles/lib_openshift/library/oc_route.py | 2 --
roles/lib_openshift/library/oc_scale.py | 2 --
roles/lib_openshift/library/oc_secret.py | 2 --
roles/lib_openshift/library/oc_service.py | 2 --
roles/lib_openshift/library/oc_serviceaccount.py | 2 --
roles/lib_openshift/library/oc_serviceaccount_secret.py | 2 --
roles/lib_openshift/library/oc_version.py | 2 --
14 files changed, 1 insertion(+), 28 deletions(-)
(limited to 'roles/lib_openshift/library')
diff --git a/roles/lib_openshift/library/oadm_manage_node.py b/roles/lib_openshift/library/oadm_manage_node.py
index d0bf553ae..0ac233c72 100644
--- a/roles/lib_openshift/library/oadm_manage_node.py
+++ b/roles/lib_openshift/library/oadm_manage_node.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index ffb649eb7..2b6ee53aa 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
@@ -1357,6 +1355,7 @@ class CAServerCert(OpenShiftCLI):
# Added this here as a safegaurd for stomping on the
# cert and key files if they exist
if self.config.config_options['backup']['value']:
+ import time
ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time()))
date_str = "%s_" + "%s" % ext
diff --git a/roles/lib_openshift/library/oc_edit.py b/roles/lib_openshift/library/oc_edit.py
index 2ead608ac..1b1faf496 100644
--- a/roles/lib_openshift/library/oc_edit.py
+++ b/roles/lib_openshift/library/oc_edit.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_env.py b/roles/lib_openshift/library/oc_env.py
index 49a03b0a7..7c2ccb98f 100644
--- a/roles/lib_openshift/library/oc_env.py
+++ b/roles/lib_openshift/library/oc_env.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_label.py b/roles/lib_openshift/library/oc_label.py
index 4bb67b2b5..0db8585a4 100644
--- a/roles/lib_openshift/library/oc_label.py
+++ b/roles/lib_openshift/library/oc_label.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py
index a9bec980c..6d0b391b9 100644
--- a/roles/lib_openshift/library/oc_obj.py
+++ b/roles/lib_openshift/library/oc_obj.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py
index 2565bd895..a1ee79f6e 100644
--- a/roles/lib_openshift/library/oc_process.py
+++ b/roles/lib_openshift/library/oc_process.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py
index b1f97505e..4b5c4460c 100644
--- a/roles/lib_openshift/library/oc_route.py
+++ b/roles/lib_openshift/library/oc_route.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_scale.py b/roles/lib_openshift/library/oc_scale.py
index babf489ad..a37b2aba0 100644
--- a/roles/lib_openshift/library/oc_scale.py
+++ b/roles/lib_openshift/library/oc_scale.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py
index 020d1a89f..c423e9442 100644
--- a/roles/lib_openshift/library/oc_secret.py
+++ b/roles/lib_openshift/library/oc_secret.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_service.py b/roles/lib_openshift/library/oc_service.py
index 99829a5e2..319ec4bd7 100644
--- a/roles/lib_openshift/library/oc_service.py
+++ b/roles/lib_openshift/library/oc_service.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_serviceaccount.py b/roles/lib_openshift/library/oc_serviceaccount.py
index ec2c24983..0d1705414 100644
--- a/roles/lib_openshift/library/oc_serviceaccount.py
+++ b/roles/lib_openshift/library/oc_serviceaccount.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_serviceaccount_secret.py b/roles/lib_openshift/library/oc_serviceaccount_secret.py
index 1c7855f37..5f07528a0 100644
--- a/roles/lib_openshift/library/oc_serviceaccount_secret.py
+++ b/roles/lib_openshift/library/oc_serviceaccount_secret.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
diff --git a/roles/lib_openshift/library/oc_version.py b/roles/lib_openshift/library/oc_version.py
index 8916dc0e0..9b660e1d3 100644
--- a/roles/lib_openshift/library/oc_version.py
+++ b/roles/lib_openshift/library/oc_version.py
@@ -34,8 +34,6 @@
from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
--
cgit v1.2.3