From 0460d54961753bc3bdab4038a1946de08d11097c Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Sun, 12 Feb 2017 22:33:45 -0500 Subject: Adding oadm_ca to lib_openshift. --- roles/lib_openshift/library/oadm_ca.py | 1445 ++++++++++++++++++++ .../src/ansible/oadm_certificate_authority.py | 49 + .../src/class/oadm_certificate_authority.py | 110 ++ roles/lib_openshift/src/doc/certificate_authority | 96 ++ roles/lib_openshift/src/sources.yml | 10 + 5 files changed, 1710 insertions(+) create mode 100644 roles/lib_openshift/library/oadm_ca.py create mode 100644 roles/lib_openshift/src/ansible/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/class/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/doc/certificate_authority diff --git a/roles/lib_openshift/library/oadm_ca.py b/roles/lib_openshift/library/oadm_ca.py new file mode 100644 index 000000000..30490cc40 --- /dev/null +++ b/roles/lib_openshift/library/oadm_ca.py @@ -0,0 +1,1445 @@ +#!/usr/bin/env python +# pylint: disable=missing-docstring +# flake8: noqa: T001 +# ___ ___ _ _ ___ ___ _ _____ ___ ___ +# / __| __| \| | __| _ \ /_\_ _| __| \ +# | (_ | _|| .` | _|| / / _ \| | | _|| |) | +# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____ +# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _| +# | |) | (_) | | .` | (_) || | | _|| |) | | | | +# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_| +# +# Copyright 2016 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*- +''' + OpenShiftCLI class that wraps the oc commands in a subprocess +''' +# pylint: disable=too-many-lines + +from __future__ import print_function +import atexit +import json +import os +import re +import shutil +import subprocess +import tempfile +# pylint: disable=import-error +import ruamel.yaml as yaml +from ansible.module_utils.basic import AnsibleModule + +# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: doc/certificate_authority -*- -*- -*- + +DOCUMENTATION = ''' +--- +module: oc_secret +short_description: Module to manage openshift certificate authority +description: + - Wrapper around the openshift `oc adm ca` command. +options: + state: + description: + - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate + - When create-master-certs is desired then the following parameters are passed. + - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] + - When create-key-pair is desired then the following parameters are passed. + - ['private_key', 'public_key'] + - When create-server-cert is desired then the following parameters are passed. + - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] + required: false + default: present + choices: ["present"] + aliases: [] + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + cmd: + description: + - The sub command given for `oc adm ca` + required: false + default: None + choices: + - create-master-certs + - create-key-pair + - create-server-cert + aliases: [] + cert_dir: + description: + - The directory to place the certificates. + required: false + default: False + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: create secret + oc_secret: + state: present + namespace: openshift-infra + name: metrics-deployer + files: + - name: nothing + path: /dev/null + register: secretout + run_once: true + +- name: get ca from hawkular + oc_secret: + state: list + namespace: openshift-infra + name: hawkular-metrics-certificate + decode: True + register: hawkout + run_once: true + +- name: Create secrets + oc_secret: + namespace: mynamespace + name: mysecrets + contents: + - path: data.yml + data: "{{ data_content }}" + - path: auth-keys + data: "{{ auth_keys_content }}" + - path: configdata.yml + data: "{{ configdata_content }}" + - path: cert.crt + data: "{{ cert_content }}" + - path: key.pem + data: "{{ osso_site_key_content }}" + - path: ca.cert.pem + data: "{{ ca_cert_content }}" + register: secretout +''' + +# -*- -*- -*- End included fragment: doc/certificate_authority -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- +# noqa: E301,E302 + + +class YeditException(Exception): + ''' Exception class for Yedit ''' + pass + + +# pylint: disable=too-many-public-methods +class Yedit(object): + ''' Class to modify yaml files ''' + re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$" + re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)" + com_sep = set(['.', '#', '|', ':']) + + # pylint: disable=too-many-arguments + def __init__(self, + filename=None, + content=None, + content_type='yaml', + separator='.', + backup=False): + self.content = content + self._separator = separator + self.filename = filename + self.__yaml_dict = content + self.content_type = content_type + self.backup = backup + self.load(content_type=self.content_type) + if self.__yaml_dict is None: + self.__yaml_dict = {} + + @property + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @separator.setter + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @property + def yaml_dict(self): + ''' getter method for yaml_dict ''' + return self.__yaml_dict + + @yaml_dict.setter + def yaml_dict(self, value): + ''' setter method for yaml_dict ''' + self.__yaml_dict = value + + @staticmethod + def parse_key(key, sep='.'): + '''parse the key allowing the appropriate separator''' + common_separators = list(Yedit.com_sep - set([sep])) + return re.findall(Yedit.re_key % ''.join(common_separators), key) + + @staticmethod + def valid_key(key, sep='.'): + '''validate the incoming key''' + common_separators = list(Yedit.com_sep - set([sep])) + if not re.match(Yedit.re_valid_key % ''.join(common_separators), key): + return False + + return True + + @staticmethod + def remove_entry(data, key, sep='.'): + ''' remove data at location key ''' + if key == '' and isinstance(data, dict): + data.clear() + return True + elif key == '' and isinstance(data, list): + del data[:] + return True + + if not (key and Yedit.valid_key(key, sep)) and \ + isinstance(data, (list, dict)): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + # process last index for remove + # expected list entry + if key_indexes[-1][0]: + if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + del data[int(key_indexes[-1][0])] + return True + + # expected dict entry + elif key_indexes[-1][1]: + if isinstance(data, dict): + del data[key_indexes[-1][1]] + return True + + @staticmethod + def add_entry(data, key, item=None, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a#b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key: + if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501 + data = data[dict_key] + continue + + elif data and not isinstance(data, dict): + return None + + data[dict_key] = {} + data = data[dict_key] + + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + if key == '': + data = item + + # process last index for add + # expected list entry + elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + data[int(key_indexes[-1][0])] = item + + # expected dict entry + elif key_indexes[-1][1] and isinstance(data, dict): + data[key_indexes[-1][1]] = item + + return data + + @staticmethod + def get_entry(data, key, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a.b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + return data + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + tmp_filename = filename + '.yedit' + + with open(tmp_filename, 'w') as yfd: + yfd.write(contents) + + os.rename(tmp_filename, filename) + + def write(self): + ''' write to file ''' + if not self.filename: + raise YeditException('Please specify a filename.') + + if self.backup and self.file_exists(): + shutil.copy(self.filename, self.filename + '.orig') + + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + self.yaml_dict.fa.set_block_style() + + Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper)) + + return (True, self.yaml_dict) + + def read(self): + ''' read from file ''' + # check if it exists + if self.filename is None or not self.file_exists(): + return None + + contents = None + with open(self.filename) as yfd: + contents = yfd.read() + + return contents + + def file_exists(self): + ''' return whether file exists ''' + if os.path.exists(self.filename): + return True + + return False + + def load(self, content_type='yaml'): + ''' return yaml file ''' + contents = self.read() + + if not contents and not self.content: + return None + + if self.content: + if isinstance(self.content, dict): + self.yaml_dict = self.content + return self.yaml_dict + elif isinstance(self.content, str): + contents = self.content + + # check if it is yaml + try: + if content_type == 'yaml' and contents: + self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + self.yaml_dict.fa.set_block_style() + elif content_type == 'json' and contents: + self.yaml_dict = json.loads(contents) + except yaml.YAMLError as err: + # Error loading yaml or json + raise YeditException('Problem with loading yaml file. %s' % err) + + return self.yaml_dict + + def get(self, key): + ''' get a specified key''' + try: + entry = Yedit.get_entry(self.yaml_dict, key, self.separator) + except KeyError: + entry = None + + return entry + + def pop(self, path, key_or_item): + ''' remove a key, value pair from a dict or an item for a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + if isinstance(entry, dict): + # pylint: disable=no-member,maybe-no-member + if key_or_item in entry: + entry.pop(key_or_item) + return (True, self.yaml_dict) + return (False, self.yaml_dict) + + elif isinstance(entry, list): + # pylint: disable=no-member,maybe-no-member + ind = None + try: + ind = entry.index(key_or_item) + except ValueError: + return (False, self.yaml_dict) + + entry.pop(ind) + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + def delete(self, path): + ''' remove path from a dict''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + result = Yedit.remove_entry(self.yaml_dict, path, self.separator) + if not result: + return (False, self.yaml_dict) + + return (True, self.yaml_dict) + + def exists(self, path, value): + ''' check if value exists at path''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, list): + if value in entry: + return True + return False + + elif isinstance(entry, dict): + if isinstance(value, dict): + rval = False + for key, val in value.items(): + if entry[key] != val: + rval = False + break + else: + rval = True + return rval + + return value in entry + + return entry == value + + def append(self, path, value): + '''append value to a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + self.put(path, []) + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + if not isinstance(entry, list): + return (False, self.yaml_dict) + + # pylint: disable=no-member,maybe-no-member + entry.append(value) + return (True, self.yaml_dict) + + # pylint: disable=too-many-arguments + def update(self, path, value, index=None, curr_value=None): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, dict): + # pylint: disable=no-member,maybe-no-member + if not isinstance(value, dict): + raise YeditException('Cannot replace key, value entry in ' + + 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501 + + entry.update(value) + return (True, self.yaml_dict) + + elif isinstance(entry, list): + # pylint: disable=no-member,maybe-no-member + ind = None + if curr_value: + try: + ind = entry.index(curr_value) + except ValueError: + return (False, self.yaml_dict) + + elif index is not None: + ind = index + + if ind is not None and entry[ind] != value: + entry[ind] = value + return (True, self.yaml_dict) + + # see if it exists in the list + try: + ind = entry.index(value) + except ValueError: + # doesn't exist, append it + entry.append(value) + return (True, self.yaml_dict) + + # already exists, return + if ind is not None: + return (False, self.yaml_dict) + return (False, self.yaml_dict) + + def put(self, path, value): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry == value: + return (False, self.yaml_dict) + + # deepcopy didn't work + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, + default_flow_style=False), + yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + tmp_copy.fa.set_block_style() + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if not result: + return (False, self.yaml_dict) + + self.yaml_dict = tmp_copy + + return (True, self.yaml_dict) + + def create(self, path, value): + ''' create a yaml file ''' + if not self.file_exists(): + # deepcopy didn't work + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501 + yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + tmp_copy.fa.set_block_style() + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if result: + self.yaml_dict = tmp_copy + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + @staticmethod + def get_curr_value(invalue, val_type): + '''return the current value''' + if invalue is None: + return None + + curr_value = invalue + if val_type == 'yaml': + curr_value = yaml.load(invalue) + elif val_type == 'json': + curr_value = json.loads(invalue) + + return curr_value + + @staticmethod + def parse_value(inc_value, vtype=''): + '''determine value type passed''' + true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE', + 'on', 'On', 'ON', ] + false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE', + 'off', 'Off', 'OFF'] + + # It came in as a string but you didn't specify value_type as string + # we will convert to bool if it matches any of the above cases + if isinstance(inc_value, str) and 'bool' in vtype: + if inc_value not in true_bools and inc_value not in false_bools: + raise YeditException('Not a boolean type. str=[%s] vtype=[%s]' + % (inc_value, vtype)) + elif isinstance(inc_value, bool) and 'str' in vtype: + inc_value = str(inc_value) + + # If vtype is not str then go ahead and attempt to yaml load it. + if isinstance(inc_value, str) and 'str' not in vtype: + try: + inc_value = yaml.load(inc_value) + except Exception: + raise YeditException('Could not determine type of incoming ' + + 'value. value=[%s] vtype=[%s]' + % (type(inc_value), vtype)) + + return inc_value + + # pylint: disable=too-many-return-statements,too-many-branches + @staticmethod + def run_ansible(module): + '''perform the idempotent crud operations''' + yamlfile = Yedit(filename=module.params['src'], + backup=module.params['backup'], + separator=module.params['separator']) + + if module.params['src']: + rval = yamlfile.load() + + if yamlfile.yaml_dict is None and \ + module.params['state'] != 'present': + return {'failed': True, + 'msg': 'Error opening file [%s]. Verify that the ' + + 'file exists, that it is has correct' + + ' permissions, and is valid yaml.'} + + if module.params['state'] == 'list': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['key']: + rval = yamlfile.get(module.params['key']) or {} + + return {'changed': False, 'result': rval, 'state': "list"} + + elif module.params['state'] == 'absent': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['update']: + rval = yamlfile.pop(module.params['key'], + module.params['value']) + else: + rval = yamlfile.delete(module.params['key']) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], 'result': rval[1], 'state': "absent"} + + elif module.params['state'] == 'present': + # check if content is different than what is in the file + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + + # We had no edits to make and the contents are the same + if yamlfile.yaml_dict == content and \ + module.params['value'] is None: + return {'changed': False, + 'result': yamlfile.yaml_dict, + 'state': "present"} + + yamlfile.yaml_dict = content + + # we were passed a value; parse it + if module.params['value']: + value = Yedit.parse_value(module.params['value'], + module.params['value_type']) + key = module.params['key'] + if module.params['update']: + # pylint: disable=line-too-long + curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501 + module.params['curr_value_format']) # noqa: E501 + + rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501 + + elif module.params['append']: + rval = yamlfile.append(key, value) + else: + rval = yamlfile.put(key, value) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], + 'result': rval[1], 'state': "present"} + + # no edits to make + if module.params['src']: + # pylint: disable=redefined-variable-type + rval = yamlfile.write() + return {'changed': rval[0], + 'result': rval[1], + 'state': "present"} + + return {'failed': True, 'msg': 'Unkown state passed'} + +# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*- +# pylint: disable=too-many-lines +# noqa: E301,E302,E303,T001 + + +class OpenShiftCLIError(Exception): + '''Exception class for openshiftcli''' + pass + + +# pylint: disable=too-few-public-methods +class OpenShiftCLI(object): + ''' Class to wrap the command line tools ''' + def __init__(self, + namespace, + kubeconfig='/etc/origin/master/admin.kubeconfig', + verbose=False, + all_namespaces=False): + ''' Constructor for OpenshiftCLI ''' + self.namespace = namespace + self.verbose = verbose + self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig) + self.all_namespaces = all_namespaces + + # Pylint allows only 5 arguments to be passed. + # pylint: disable=too-many-arguments + def _replace_content(self, resource, rname, content, force=False, sep='.'): + ''' replace the current object with the content ''' + res = self._get(resource, rname) + if not res['results']: + return res + + fname = Utils.create_tmpfile(rname + '-') + + yed = Yedit(fname, res['results'][0], separator=sep) + changes = [] + for key, value in content.items(): + changes.append(yed.put(key, value)) + + if any([change[0] for change in changes]): + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._replace(fname, force) + + return {'returncode': 0, 'updated': False} + + def _replace(self, fname, force=False): + '''replace the current object with oc replace''' + cmd = ['replace', '-f', fname] + if force: + cmd.append('--force') + return self.openshift_cmd(cmd) + + def _create_from_content(self, rname, content): + '''create a temporary file and then call oc create on it''' + fname = Utils.create_tmpfile(rname + '-') + yed = Yedit(fname, content=content) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._create(fname) + + def _create(self, fname): + '''call oc create on a filename''' + return self.openshift_cmd(['create', '-f', fname]) + + def _delete(self, resource, rname, selector=None): + '''call oc delete on a resource''' + cmd = ['delete', resource, rname] + if selector: + cmd.append('--selector=%s' % selector) + + return self.openshift_cmd(cmd) + + def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501 + '''process a template + + template_name: the name of the template to process + create: whether to send to oc create after processing + params: the parameters for the template + template_data: the incoming template's data; instead of a file + ''' + cmd = ['process'] + if template_data: + cmd.extend(['-f', '-']) + else: + cmd.append(template_name) + if params: + param_str = ["%s=%s" % (key, value) for key, value in params.items()] + cmd.append('-v') + cmd.extend(param_str) + + results = self.openshift_cmd(cmd, output=True, input_data=template_data) + + if results['returncode'] != 0 or not create: + return results + + fname = Utils.create_tmpfile(template_name + '-') + yed = Yedit(fname, results['results']) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self.openshift_cmd(['create', '-f', fname]) + + def _get(self, resource, rname=None, selector=None): + '''return a resource by name ''' + cmd = ['get', resource] + if selector: + cmd.append('--selector=%s' % selector) + elif rname: + cmd.append(rname) + + cmd.extend(['-o', 'json']) + + rval = self.openshift_cmd(cmd, output=True) + + # Ensure results are retuned in an array + if 'items' in rval: + rval['results'] = rval['items'] + elif not isinstance(rval['results'], list): + rval['results'] = [rval['results']] + + return rval + + def _schedulable(self, node=None, selector=None, schedulable=True): + ''' perform oadm manage-node scheduable ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + cmd.append('--schedulable=%s' % schedulable) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501 + + def _list_pods(self, node=None, selector=None, pod_selector=None): + ''' perform oadm list pods + + node: the node in which to list pods + selector: the label selector filter if provided + pod_selector: the pod selector filter if provided + ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + cmd.extend(['--list-pods', '-o', 'json']) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + # pylint: disable=too-many-arguments + def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False): + ''' perform oadm manage-node evacuate ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if dry_run: + cmd.append('--dry-run') + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + if grace_period: + cmd.append('--grace-period=%s' % int(grace_period)) + + if force: + cmd.append('--force') + + cmd.append('--evacuate') + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + def _version(self): + ''' return the openshift version''' + return self.openshift_cmd(['version'], output=True, output_type='raw') + + def _import_image(self, url=None, name=None, tag=None): + ''' perform image import ''' + cmd = ['import-image'] + + image = '{0}'.format(name) + if tag: + image += ':{0}'.format(tag) + + cmd.append(image) + + if url: + cmd.append('--from={0}/{1}'.format(url, image)) + + cmd.append('-n{0}'.format(self.namespace)) + + cmd.append('--confirm') + return self.openshift_cmd(cmd) + + def _run(self, cmds, input_data): + ''' Actually executes the command. This makes mocking easier. ''' + curr_env = os.environ.copy() + curr_env.update({'KUBECONFIG': self.kubeconfig}) + proc = subprocess.Popen(cmds, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + env=curr_env) + + stdout, stderr = proc.communicate(input_data) + + return proc.returncode, stdout, stderr + + # pylint: disable=too-many-arguments,too-many-branches + def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): + '''Base command for oc ''' + cmds = [] + if oadm: + cmds = ['oadm'] + else: + cmds = ['oc'] + + if self.all_namespaces: + cmds.extend(['--all-namespaces']) + elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501 + cmds.extend(['-n', self.namespace]) + + cmds.extend(cmd) + + rval = {} + results = '' + err = None + + if self.verbose: + print(' '.join(cmds)) + + returncode, stdout, stderr = self._run(cmds, input_data) + + rval = {"returncode": returncode, + "results": results, + "cmd": ' '.join(cmds)} + + if returncode == 0: + if output: + if output_type == 'json': + try: + rval['results'] = json.loads(stdout) + except ValueError as err: + if "No JSON object could be decoded" in err.args: + err = err.args + elif output_type == 'raw': + rval['results'] = stdout + + if self.verbose: + print("STDOUT: {0}".format(stdout)) + print("STDERR: {0}".format(stderr)) + + if err: + rval.update({"err": err, + "stderr": stderr, + "stdout": stdout, + "cmd": cmds}) + + else: + rval.update({"stderr": stderr, + "stdout": stdout, + "results": {}}) + + return rval + + +class Utils(object): + ''' utilities for openshiftcli modules ''' + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + with open(filename, 'w') as sfd: + sfd.write(contents) + + @staticmethod + def create_tmp_file_from_contents(rname, data, ftype='yaml'): + ''' create a file in tmp with name and contents''' + + tmp = Utils.create_tmpfile(prefix=rname) + + if ftype == 'yaml': + Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper)) + elif ftype == 'json': + Utils._write(tmp, json.dumps(data)) + else: + Utils._write(tmp, data) + + # Register cleanup when module is done + atexit.register(Utils.cleanup, [tmp]) + return tmp + + @staticmethod + def create_tmpfile_copy(inc_file): + '''create a temporary copy of a file''' + tmpfile = Utils.create_tmpfile('lib_openshift-') + Utils._write(tmpfile, open(inc_file).read()) + + # Cleanup the tmpfile + atexit.register(Utils.cleanup, [tmpfile]) + + return tmpfile + + @staticmethod + def create_tmpfile(prefix='tmp'): + ''' Generates and returns a temporary file name ''' + + with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp: + return tmp.name + + @staticmethod + def create_tmp_files_from_contents(content, content_type=None): + '''Turn an array of dict: filename, content into a files array''' + if not isinstance(content, list): + content = [content] + files = [] + for item in content: + path = Utils.create_tmp_file_from_contents(item['path'] + '-', + item['data'], + ftype=content_type) + files.append({'name': os.path.basename(item['path']), + 'path': path}) + return files + + @staticmethod + def cleanup(files): + '''Clean up on exit ''' + for sfile in files: + if os.path.exists(sfile): + if os.path.isdir(sfile): + shutil.rmtree(sfile) + elif os.path.isfile(sfile): + os.remove(sfile) + + @staticmethod + def exists(results, _name): + ''' Check to see if the results include the name ''' + if not results: + return False + + if Utils.find_result(results, _name): + return True + + return False + + @staticmethod + def find_result(results, _name): + ''' Find the specified result by name''' + rval = None + for result in results: + if 'metadata' in result and result['metadata']['name'] == _name: + rval = result + break + + return rval + + @staticmethod + def get_resource_file(sfile, sfile_type='yaml'): + ''' return the service file ''' + contents = None + with open(sfile) as sfd: + contents = sfd.read() + + if sfile_type == 'yaml': + contents = yaml.load(contents, yaml.RoundTripLoader) + elif sfile_type == 'json': + contents = json.loads(contents) + + return contents + + @staticmethod + def filter_versions(stdout): + ''' filter the oc version output ''' + + version_dict = {} + version_search = ['oc', 'openshift', 'kubernetes'] + + for line in stdout.strip().split('\n'): + for term in version_search: + if not line: + continue + if line.startswith(term): + version_dict[term] = line.split()[-1] + + # horrible hack to get openshift version in Openshift 3.2 + # By default "oc version in 3.2 does not return an "openshift" version + if "openshift" not in version_dict: + version_dict["openshift"] = version_dict["oc"] + + return version_dict + + @staticmethod + def add_custom_versions(versions): + ''' create custom versions strings ''' + + versions_dict = {} + + for tech, version in versions.items(): + # clean up "-" from version + if "-" in version: + version = version.split("-")[0] + + if version.startswith('v'): + versions_dict[tech + '_numeric'] = version[1:].split('+')[0] + # "v3.3.0.33" is what we have, we want "3.3" + versions_dict[tech + '_short'] = version[1:4] + + return versions_dict + + @staticmethod + def openshift_installed(): + ''' check if openshift is installed ''' + import yum + + yum_base = yum.YumBase() + if yum_base.rpmdb.searchNevra(name='atomic-openshift'): + return True + + return False + + # Disabling too-many-branches. This is a yaml dictionary comparison function + # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements + @staticmethod + def check_def_equal(user_def, result_def, skip_keys=None, debug=False): + ''' Given a user defined definition, compare it with the results given back by our query. ''' + + # Currently these values are autogenerated and we do not need to check them + skip = ['metadata', 'status'] + if skip_keys: + skip.extend(skip_keys) + + for key, value in result_def.items(): + if key in skip: + continue + + # Both are lists + if isinstance(value, list): + if key not in user_def: + if debug: + print('User data does not have key [%s]' % key) + print('User data: %s' % user_def) + return False + + if not isinstance(user_def[key], list): + if debug: + print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key])) + return False + + if len(user_def[key]) != len(value): + if debug: + print("List lengths are not equal.") + print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value))) + print("user_def: %s" % user_def[key]) + print("value: %s" % value) + return False + + for values in zip(user_def[key], value): + if isinstance(values[0], dict) and isinstance(values[1], dict): + if debug: + print('sending list - list') + print(type(values[0])) + print(type(values[1])) + result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug) + if not result: + print('list compare returned false') + return False + + elif value != user_def[key]: + if debug: + print('value should be identical') + print(value) + print(user_def[key]) + return False + + # recurse on a dictionary + elif isinstance(value, dict): + if key not in user_def: + if debug: + print("user_def does not have key [%s]" % key) + return False + if not isinstance(user_def[key], dict): + if debug: + print("dict returned false: not instance of dict") + return False + + # before passing ensure keys match + api_values = set(value.keys()) - set(skip) + user_values = set(user_def[key].keys()) - set(skip) + if api_values != user_values: + if debug: + print("keys are not equal in dict") + print(api_values) + print(user_values) + return False + + result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug) + if not result: + if debug: + print("dict returned false") + print(result) + return False + + # Verify each key, value pair is the same + else: + if key not in user_def or value != user_def[key]: + if debug: + print("value not equal; user_def does not have key") + print(key) + print(value) + if key in user_def: + print(user_def[key]) + return False + + if debug: + print('returning true') + return True + + +class OpenShiftCLIConfig(object): + '''Generic Config''' + def __init__(self, rname, namespace, kubeconfig, options): + self.kubeconfig = kubeconfig + self.name = rname + self.namespace = namespace + self._options = options + + @property + def config_options(self): + ''' return config options ''' + return self._options + + def to_option_list(self): + '''return all options as a string''' + return self.stringify() + + def stringify(self): + ''' return the options hash as cli params in a string ''' + rval = [] + for key, data in self.config_options.items(): + if data['include'] \ + and (data['value'] or isinstance(data['value'], int)): + rval.append('--%s=%s' % (key.replace('_', '-'), data['value'])) + + return rval + + +# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: class/oadm_certificate_authority.py -*- -*- -*- + +class CertificateAuthorityConfig(OpenShiftCLIConfig): + ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' + def __init__(self, cmd, kubeconfig, verbose, ca_options): + super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + self.cmd = cmd + self.kubeconfig = kubeconfig + self.verbose = verbose + self._ca = ca_options + +class CertificateAuthority(OpenShiftCLI): + ''' Class to wrap the oc command line tools ''' + def __init__(self, + config, + verbose=False): + ''' Constructor for oadm ca ''' + super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + + def get(self): + '''get the current cert file + + If a file exists by the same name in the specified location then the cert exists + ''' + cert = self.config.config_options['cert']['value'] + if cert and os.path.exists(cert): + return open(cert).read() + + return None + + def create(self): + '''Create a deploymentconfig ''' + options = self.config.to_option_list() + + cmd = ['ca'] + cmd.append(self.config.cmd) + cmd.extend(options) + + return self.openshift_cmd(cmd, oadm=True) + + def exists(self): + ''' check whether the certificate exists and has the clusterIP ''' + + cert_path = self.config.config_options['cert']['value'] + if not os.path.exists(cert_path): + return False + + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = proc.communicate() + if proc.returncode == 0: + for var in self.config.config_options['hostnames']['value'].split(','): + if var in stdout: + return True + + return False + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + config = CertificateAuthorityConfig(params['cmd'], + params['kubeconfig'], + params['debug'], + {'cert_dir': {'value': params['cert_dir'], 'include': True}, + 'cert': {'value': params['cert'], 'include': True}, + 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, + 'master': {'value': params['master'], 'include': True}, + 'public_master': {'value': params['public_master'], 'include': True}, + 'overwrite': {'value': params['overwrite'], 'include': True}, + 'signer_name': {'value': params['signer_name'], 'include': True}, + 'private_key': {'value': params['private_key'], 'include': True}, + 'public_key': {'value': params['public_key'], 'include': True}, + 'key': {'value': params['key'], 'include': True}, + 'signer_cert': {'value': params['signer_cert'], 'include': True}, + 'signer_key': {'value': params['signer_key'], 'include': True}, + 'signer_serial': {'value': params['signer_serial'], 'include': True}, + }) + + + oadm_ca = CertificateAuthority(config) + + state = params['state'] + + if state == 'present': + ######## + # Create + ######## + if not oadm_ca.exists() or params['overwrite']: + + if check_mode: + return {'changed': True, + 'msg': "CHECK_MODE: Would have created the certificate.", + 'state': state} + + api_rval = oadm_ca.create() + + return {'changed': True, 'results': api_rval, 'state': state} + + ######## + # Exists + ######## + api_rval = oadm_ca.get() + return {'changed': False, 'results': api_rval, 'state': state} + + return {'failed': True, + 'msg': 'Unknown state passed. %s' % state} + + +# -*- -*- -*- End included fragment: class/oadm_certificate_authority.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ansible/oadm_certificate_authority.py -*- -*- -*- + +def main(): + ''' + ansible oadm module for ca + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', + choices=['present']), + debug=dict(default=False, type='bool'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + cmd=dict(default=None, require=True, type='str'), + + # oadm ca create-master-certs [options] + cert_dir=dict(default=None, type='str'), + hostnames=dict(default=[], type='list'), + master=dict(default=None, type='str'), + public_master=dict(default=None, type='str'), + overwrite=dict(default=False, type='bool'), + signer_name=dict(default=None, type='str'), + + # oadm ca create-key-pair [options] + private_key=dict(default=None, type='str'), + public_key=dict(default=None, type='str'), + + # oadm ca create-server-cert [options] + cert=dict(default=None, type='str'), + key=dict(default=None, type='str'), + signer_cert=dict(default=None, type='str'), + signer_key=dict(default=None, type='str'), + signer_serial=dict(default=None, type='str'), + + ), + supports_check_mode=True, + ) + + # pylint: disable=line-too-long + results = CertificateAuthority.run_ansible(module.params, module.check_mode) + if 'failed' in results: + return module.fail_json(**results) + + return module.exit_json(**results) + + +if __name__ == '__main__': + main() + +# -*- -*- -*- End included fragment: ansible/oadm_certificate_authority.py -*- -*- -*- diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py new file mode 100644 index 000000000..856b06290 --- /dev/null +++ b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py @@ -0,0 +1,49 @@ +# pylint: skip-file +# flake8: noqa + +def main(): + ''' + ansible oadm module for ca + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', + choices=['present']), + debug=dict(default=False, type='bool'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + cmd=dict(default=None, require=True, type='str'), + + # oadm ca create-master-certs [options] + cert_dir=dict(default=None, type='str'), + hostnames=dict(default=[], type='list'), + master=dict(default=None, type='str'), + public_master=dict(default=None, type='str'), + overwrite=dict(default=False, type='bool'), + signer_name=dict(default=None, type='str'), + + # oadm ca create-key-pair [options] + private_key=dict(default=None, type='str'), + public_key=dict(default=None, type='str'), + + # oadm ca create-server-cert [options] + cert=dict(default=None, type='str'), + key=dict(default=None, type='str'), + signer_cert=dict(default=None, type='str'), + signer_key=dict(default=None, type='str'), + signer_serial=dict(default=None, type='str'), + + ), + supports_check_mode=True, + ) + + # pylint: disable=line-too-long + results = CertificateAuthority.run_ansible(module.params, module.check_mode) + if 'failed' in results: + return module.fail_json(**results) + + return module.exit_json(**results) + + +if __name__ == '__main__': + main() diff --git a/roles/lib_openshift/src/class/oadm_certificate_authority.py b/roles/lib_openshift/src/class/oadm_certificate_authority.py new file mode 100644 index 000000000..34bd0f0a9 --- /dev/null +++ b/roles/lib_openshift/src/class/oadm_certificate_authority.py @@ -0,0 +1,110 @@ +# pylint: skip-file + +class CertificateAuthorityConfig(OpenShiftCLIConfig): + ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' + def __init__(self, cmd, kubeconfig, verbose, ca_options): + super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + self.cmd = cmd + self.kubeconfig = kubeconfig + self.verbose = verbose + self._ca = ca_options + +class CertificateAuthority(OpenShiftCLI): + ''' Class to wrap the oc command line tools ''' + def __init__(self, + config, + verbose=False): + ''' Constructor for oadm ca ''' + super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + + def get(self): + '''get the current cert file + + If a file exists by the same name in the specified location then the cert exists + ''' + cert = self.config.config_options['cert']['value'] + if cert and os.path.exists(cert): + return open(cert).read() + + return None + + def create(self): + '''Create a deploymentconfig ''' + options = self.config.to_option_list() + + cmd = ['ca'] + cmd.append(self.config.cmd) + cmd.extend(options) + + return self.openshift_cmd(cmd, oadm=True) + + def exists(self): + ''' check whether the certificate exists and has the clusterIP ''' + + cert_path = self.config.config_options['cert']['value'] + if not os.path.exists(cert_path): + return False + + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = proc.communicate() + if proc.returncode == 0: + for var in self.config.config_options['hostnames']['value'].split(','): + if var in stdout: + return True + + return False + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + config = CertificateAuthorityConfig(params['cmd'], + params['kubeconfig'], + params['debug'], + {'cert_dir': {'value': params['cert_dir'], 'include': True}, + 'cert': {'value': params['cert'], 'include': True}, + 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, + 'master': {'value': params['master'], 'include': True}, + 'public_master': {'value': params['public_master'], 'include': True}, + 'overwrite': {'value': params['overwrite'], 'include': True}, + 'signer_name': {'value': params['signer_name'], 'include': True}, + 'private_key': {'value': params['private_key'], 'include': True}, + 'public_key': {'value': params['public_key'], 'include': True}, + 'key': {'value': params['key'], 'include': True}, + 'signer_cert': {'value': params['signer_cert'], 'include': True}, + 'signer_key': {'value': params['signer_key'], 'include': True}, + 'signer_serial': {'value': params['signer_serial'], 'include': True}, + }) + + + oadm_ca = CertificateAuthority(config) + + state = params['state'] + + if state == 'present': + ######## + # Create + ######## + if not oadm_ca.exists() or params['overwrite']: + + if check_mode: + return {'changed': True, + 'msg': "CHECK_MODE: Would have created the certificate.", + 'state': state} + + api_rval = oadm_ca.create() + + return {'changed': True, 'results': api_rval, 'state': state} + + ######## + # Exists + ######## + api_rval = oadm_ca.get() + return {'changed': False, 'results': api_rval, 'state': state} + + return {'failed': True, + 'msg': 'Unknown state passed. %s' % state} + diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority new file mode 100644 index 000000000..be6861444 --- /dev/null +++ b/roles/lib_openshift/src/doc/certificate_authority @@ -0,0 +1,96 @@ +# flake8: noqa +# pylint: skip-file + +DOCUMENTATION = ''' +--- +module: oc_secret +short_description: Module to manage openshift certificate authority +description: + - Wrapper around the openshift `oc adm ca` command. +options: + state: + description: + - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate + - When create-master-certs is desired then the following parameters are passed. + - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] + - When create-key-pair is desired then the following parameters are passed. + - ['private_key', 'public_key'] + - When create-server-cert is desired then the following parameters are passed. + - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] + required: false + default: present + choices: ["present"] + aliases: [] + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + cmd: + description: + - The sub command given for `oc adm ca` + required: false + default: None + choices: + - create-master-certs + - create-key-pair + - create-server-cert + aliases: [] + cert_dir: + description: + - The directory to place the certificates. + required: false + default: False + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: create secret + oc_secret: + state: present + namespace: openshift-infra + name: metrics-deployer + files: + - name: nothing + path: /dev/null + register: secretout + run_once: true + +- name: get ca from hawkular + oc_secret: + state: list + namespace: openshift-infra + name: hawkular-metrics-certificate + decode: True + register: hawkout + run_once: true + +- name: Create secrets + oc_secret: + namespace: mynamespace + name: mysecrets + contents: + - path: data.yml + data: "{{ data_content }}" + - path: auth-keys + data: "{{ auth_keys_content }}" + - path: configdata.yml + data: "{{ configdata_content }}" + - path: cert.crt + data: "{{ cert_content }}" + - path: key.pem + data: "{{ osso_site_key_content }}" + - path: ca.cert.pem + data: "{{ ca_cert_content }}" + register: secretout +''' diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml index 091aaef2e..7f0de6a65 100644 --- a/roles/lib_openshift/src/sources.yml +++ b/roles/lib_openshift/src/sources.yml @@ -1,4 +1,14 @@ --- +oadm_ca.py: +- doc/generated +- doc/license +- lib/import.py +- doc/certificate_authority +- ../../lib_utils/src/class/yedit.py +- lib/base.py +- class/oadm_certificate_authority.py +- ansible/oadm_certificate_authority.py + oadm_manage_node.py: - doc/generated - doc/license -- cgit v1.2.3 From d517312b0b14c632d66edfe191269e732242a101 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 15 Feb 2017 17:28:40 -0500 Subject: Fixing doc. --- roles/lib_openshift/library/oadm_ca.py | 130 ++++++++++++++------- .../src/ansible/oadm_certificate_authority.py | 3 +- roles/lib_openshift/src/doc/certificate_authority | 127 +++++++++++++------- 3 files changed, 174 insertions(+), 86 deletions(-) diff --git a/roles/lib_openshift/library/oadm_ca.py b/roles/lib_openshift/library/oadm_ca.py index 30490cc40..1482ab591 100644 --- a/roles/lib_openshift/library/oadm_ca.py +++ b/roles/lib_openshift/library/oadm_ca.py @@ -49,7 +49,7 @@ from ansible.module_utils.basic import AnsibleModule DOCUMENTATION = ''' --- -module: oc_secret +module: oadm_ca short_description: Module to manage openshift certificate authority description: - Wrapper around the openshift `oc adm ca` command. @@ -65,7 +65,8 @@ options: - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false default: present - choices: ["present"] + choices: + - present aliases: [] kubeconfig: description: @@ -91,54 +92,98 @@ options: aliases: [] cert_dir: description: - - The directory to place the certificates. + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. required: false default: False aliases: [] + signer_cert: + description: + - The signer certificate file. + required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] ''' EXAMPLES = ''' -- name: create secret - oc_secret: - state: present - namespace: openshift-infra - name: metrics-deployer - files: - - name: nothing - path: /dev/null - register: secretout - run_once: true - -- name: get ca from hawkular - oc_secret: - state: list - namespace: openshift-infra - name: hawkular-metrics-certificate - decode: True - register: hawkout - run_once: true - -- name: Create secrets - oc_secret: - namespace: mynamespace - name: mysecrets - contents: - - path: data.yml - data: "{{ data_content }}" - - path: auth-keys - data: "{{ auth_keys_content }}" - - path: configdata.yml - data: "{{ configdata_content }}" - - path: cert.crt - data: "{{ cert_content }}" - - path: key.pem - data: "{{ osso_site_key_content }}" - - path: ca.cert.pem - data: "{{ ca_cert_content }}" - register: secretout +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key ''' # -*- -*- -*- End included fragment: doc/certificate_authority -*- -*- -*- @@ -1402,8 +1447,7 @@ def main(): module = AnsibleModule( argument_spec=dict( - state=dict(default='present', type='str', - choices=['present']), + state=dict(default='present', type='str', choices=['present']), debug=dict(default=False, type='bool'), kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), cmd=dict(default=None, require=True, type='str'), diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py index 856b06290..ad00b25b4 100644 --- a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py +++ b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py @@ -8,8 +8,7 @@ def main(): module = AnsibleModule( argument_spec=dict( - state=dict(default='present', type='str', - choices=['present']), + state=dict(default='present', type='str', choices=['present']), debug=dict(default=False, type='bool'), kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), cmd=dict(default=None, require=True, type='str'), diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority index be6861444..bf299f0cb 100644 --- a/roles/lib_openshift/src/doc/certificate_authority +++ b/roles/lib_openshift/src/doc/certificate_authority @@ -3,7 +3,7 @@ DOCUMENTATION = ''' --- -module: oc_secret +module: oadm_ca short_description: Module to manage openshift certificate authority description: - Wrapper around the openshift `oc adm ca` command. @@ -19,7 +19,8 @@ options: - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false default: present - choices: ["present"] + choices: + - present aliases: [] kubeconfig: description: @@ -45,52 +46,96 @@ options: aliases: [] cert_dir: description: - - The directory to place the certificates. + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. required: false default: False aliases: [] + signer_cert: + description: + - The signer certificate file. + required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] ''' EXAMPLES = ''' -- name: create secret - oc_secret: - state: present - namespace: openshift-infra - name: metrics-deployer - files: - - name: nothing - path: /dev/null - register: secretout - run_once: true - -- name: get ca from hawkular - oc_secret: - state: list - namespace: openshift-infra - name: hawkular-metrics-certificate - decode: True - register: hawkout - run_once: true - -- name: Create secrets - oc_secret: - namespace: mynamespace - name: mysecrets - contents: - - path: data.yml - data: "{{ data_content }}" - - path: auth-keys - data: "{{ auth_keys_content }}" - - path: configdata.yml - data: "{{ configdata_content }}" - - path: cert.crt - data: "{{ cert_content }}" - - path: key.pem - data: "{{ osso_site_key_content }}" - - path: ca.cert.pem - data: "{{ ca_cert_content }}" - register: secretout +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key ''' -- cgit v1.2.3 From 5ff3071297b0bd91e5135bbe9def3a59dadfe885 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 09:34:10 -0500 Subject: Rename of oadm_ca to oc_adm_ca. Decided to whittle down to the direct call, server_cert. --- roles/lib_openshift/library/oadm_ca.py | 1489 -------------------- .../lib_openshift/library/oc_adm_ca_server_cert.py | 1471 +++++++++++++++++++ .../src/ansible/oadm_certificate_authority.py | 48 - .../src/ansible/oc_adm_ca_server_cert.py | 36 + .../src/class/oadm_certificate_authority.py | 110 -- .../src/class/oc_adm_ca_server_cert.py | 104 ++ roles/lib_openshift/src/doc/ca_server_cert | 141 ++ roles/lib_openshift/src/doc/certificate_authority | 141 -- roles/lib_openshift/src/sources.yml | 8 +- 9 files changed, 1756 insertions(+), 1792 deletions(-) delete mode 100644 roles/lib_openshift/library/oadm_ca.py create mode 100644 roles/lib_openshift/library/oc_adm_ca_server_cert.py delete mode 100644 roles/lib_openshift/src/ansible/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py delete mode 100644 roles/lib_openshift/src/class/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/class/oc_adm_ca_server_cert.py create mode 100644 roles/lib_openshift/src/doc/ca_server_cert delete mode 100644 roles/lib_openshift/src/doc/certificate_authority diff --git a/roles/lib_openshift/library/oadm_ca.py b/roles/lib_openshift/library/oadm_ca.py deleted file mode 100644 index 1482ab591..000000000 --- a/roles/lib_openshift/library/oadm_ca.py +++ /dev/null @@ -1,1489 +0,0 @@ -#!/usr/bin/env python -# pylint: disable=missing-docstring -# flake8: noqa: T001 -# ___ ___ _ _ ___ ___ _ _____ ___ ___ -# / __| __| \| | __| _ \ /_\_ _| __| \ -# | (_ | _|| .` | _|| / / _ \| | | _|| |) | -# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____ -# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _| -# | |) | (_) | | .` | (_) || | | _|| |) | | | | -# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_| -# -# Copyright 2016 Red Hat, Inc. and/or its affiliates -# and other contributors as indicated by the @author tags. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*- -''' - OpenShiftCLI class that wraps the oc commands in a subprocess -''' -# pylint: disable=too-many-lines - -from __future__ import print_function -import atexit -import json -import os -import re -import shutil -import subprocess -import tempfile -# pylint: disable=import-error -import ruamel.yaml as yaml -from ansible.module_utils.basic import AnsibleModule - -# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*- - -# -*- -*- -*- Begin included fragment: doc/certificate_authority -*- -*- -*- - -DOCUMENTATION = ''' ---- -module: oadm_ca -short_description: Module to manage openshift certificate authority -description: - - Wrapper around the openshift `oc adm ca` command. -options: - state: - description: - - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] - - When create-server-cert is desired then the following parameters are passed. - - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] - required: false - default: present - choices: - - present - aliases: [] - kubeconfig: - description: - - The path for the kubeconfig file to use for authentication - required: false - default: /etc/origin/master/admin.kubeconfig - aliases: [] - debug: - description: - - Turn on debug output. - required: false - default: False - aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] - cert: - description: - - The certificate file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - key: - description: - - The key file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - overwrite: - description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. - required: false - default: False - aliases: [] - signer_cert: - description: - - The signer certificate file. - required: false - default: None - aliases: [] - signer_key: - description: - - The signer key file. - required: false - default: None - aliases: [] - signer_serial: - description: - - The signer serial file. - required: false - default: None - aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - - hostnames: - description: - - Every hostname or IP that server certs should be valid for (comma-delimited list) - required: false - default: None - aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] -author: -- "Kenny Woodson " -extends_documentation_fragment: [] -''' - -EXAMPLES = ''' -- name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert - signer_cert: /etc/origin/master/ca.crt - signer_key: /etc/origin/master/ca.key - signer_serial: /etc/origin/master/ca.serial.txt - hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" - cert: /etc/origin/master/registry.crt - key: /etc/origin/master/registry.key -''' - -# -*- -*- -*- End included fragment: doc/certificate_authority -*- -*- -*- - -# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- -# noqa: E301,E302 - - -class YeditException(Exception): - ''' Exception class for Yedit ''' - pass - - -# pylint: disable=too-many-public-methods -class Yedit(object): - ''' Class to modify yaml files ''' - re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$" - re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)" - com_sep = set(['.', '#', '|', ':']) - - # pylint: disable=too-many-arguments - def __init__(self, - filename=None, - content=None, - content_type='yaml', - separator='.', - backup=False): - self.content = content - self._separator = separator - self.filename = filename - self.__yaml_dict = content - self.content_type = content_type - self.backup = backup - self.load(content_type=self.content_type) - if self.__yaml_dict is None: - self.__yaml_dict = {} - - @property - def separator(self): - ''' getter method for yaml_dict ''' - return self._separator - - @separator.setter - def separator(self): - ''' getter method for yaml_dict ''' - return self._separator - - @property - def yaml_dict(self): - ''' getter method for yaml_dict ''' - return self.__yaml_dict - - @yaml_dict.setter - def yaml_dict(self, value): - ''' setter method for yaml_dict ''' - self.__yaml_dict = value - - @staticmethod - def parse_key(key, sep='.'): - '''parse the key allowing the appropriate separator''' - common_separators = list(Yedit.com_sep - set([sep])) - return re.findall(Yedit.re_key % ''.join(common_separators), key) - - @staticmethod - def valid_key(key, sep='.'): - '''validate the incoming key''' - common_separators = list(Yedit.com_sep - set([sep])) - if not re.match(Yedit.re_valid_key % ''.join(common_separators), key): - return False - - return True - - @staticmethod - def remove_entry(data, key, sep='.'): - ''' remove data at location key ''' - if key == '' and isinstance(data, dict): - data.clear() - return True - elif key == '' and isinstance(data, list): - del data[:] - return True - - if not (key and Yedit.valid_key(key, sep)) and \ - isinstance(data, (list, dict)): - return None - - key_indexes = Yedit.parse_key(key, sep) - for arr_ind, dict_key in key_indexes[:-1]: - if dict_key and isinstance(data, dict): - data = data.get(dict_key, None) - elif (arr_ind and isinstance(data, list) and - int(arr_ind) <= len(data) - 1): - data = data[int(arr_ind)] - else: - return None - - # process last index for remove - # expected list entry - if key_indexes[-1][0]: - if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 - del data[int(key_indexes[-1][0])] - return True - - # expected dict entry - elif key_indexes[-1][1]: - if isinstance(data, dict): - del data[key_indexes[-1][1]] - return True - - @staticmethod - def add_entry(data, key, item=None, sep='.'): - ''' Get an item from a dictionary with key notation a.b.c - d = {'a': {'b': 'c'}}} - key = a#b - return c - ''' - if key == '': - pass - elif (not (key and Yedit.valid_key(key, sep)) and - isinstance(data, (list, dict))): - return None - - key_indexes = Yedit.parse_key(key, sep) - for arr_ind, dict_key in key_indexes[:-1]: - if dict_key: - if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501 - data = data[dict_key] - continue - - elif data and not isinstance(data, dict): - return None - - data[dict_key] = {} - data = data[dict_key] - - elif (arr_ind and isinstance(data, list) and - int(arr_ind) <= len(data) - 1): - data = data[int(arr_ind)] - else: - return None - - if key == '': - data = item - - # process last index for add - # expected list entry - elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 - data[int(key_indexes[-1][0])] = item - - # expected dict entry - elif key_indexes[-1][1] and isinstance(data, dict): - data[key_indexes[-1][1]] = item - - return data - - @staticmethod - def get_entry(data, key, sep='.'): - ''' Get an item from a dictionary with key notation a.b.c - d = {'a': {'b': 'c'}}} - key = a.b - return c - ''' - if key == '': - pass - elif (not (key and Yedit.valid_key(key, sep)) and - isinstance(data, (list, dict))): - return None - - key_indexes = Yedit.parse_key(key, sep) - for arr_ind, dict_key in key_indexes: - if dict_key and isinstance(data, dict): - data = data.get(dict_key, None) - elif (arr_ind and isinstance(data, list) and - int(arr_ind) <= len(data) - 1): - data = data[int(arr_ind)] - else: - return None - - return data - - @staticmethod - def _write(filename, contents): - ''' Actually write the file contents to disk. This helps with mocking. ''' - - tmp_filename = filename + '.yedit' - - with open(tmp_filename, 'w') as yfd: - yfd.write(contents) - - os.rename(tmp_filename, filename) - - def write(self): - ''' write to file ''' - if not self.filename: - raise YeditException('Please specify a filename.') - - if self.backup and self.file_exists(): - shutil.copy(self.filename, self.filename + '.orig') - - # pylint: disable=no-member - if hasattr(self.yaml_dict, 'fa'): - self.yaml_dict.fa.set_block_style() - - Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper)) - - return (True, self.yaml_dict) - - def read(self): - ''' read from file ''' - # check if it exists - if self.filename is None or not self.file_exists(): - return None - - contents = None - with open(self.filename) as yfd: - contents = yfd.read() - - return contents - - def file_exists(self): - ''' return whether file exists ''' - if os.path.exists(self.filename): - return True - - return False - - def load(self, content_type='yaml'): - ''' return yaml file ''' - contents = self.read() - - if not contents and not self.content: - return None - - if self.content: - if isinstance(self.content, dict): - self.yaml_dict = self.content - return self.yaml_dict - elif isinstance(self.content, str): - contents = self.content - - # check if it is yaml - try: - if content_type == 'yaml' and contents: - self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader) - # pylint: disable=no-member - if hasattr(self.yaml_dict, 'fa'): - self.yaml_dict.fa.set_block_style() - elif content_type == 'json' and contents: - self.yaml_dict = json.loads(contents) - except yaml.YAMLError as err: - # Error loading yaml or json - raise YeditException('Problem with loading yaml file. %s' % err) - - return self.yaml_dict - - def get(self, key): - ''' get a specified key''' - try: - entry = Yedit.get_entry(self.yaml_dict, key, self.separator) - except KeyError: - entry = None - - return entry - - def pop(self, path, key_or_item): - ''' remove a key, value pair from a dict or an item for a list''' - try: - entry = Yedit.get_entry(self.yaml_dict, path, self.separator) - except KeyError: - entry = None - - if entry is None: - return (False, self.yaml_dict) - - if isinstance(entry, dict): - # pylint: disable=no-member,maybe-no-member - if key_or_item in entry: - entry.pop(key_or_item) - return (True, self.yaml_dict) - return (False, self.yaml_dict) - - elif isinstance(entry, list): - # pylint: disable=no-member,maybe-no-member - ind = None - try: - ind = entry.index(key_or_item) - except ValueError: - return (False, self.yaml_dict) - - entry.pop(ind) - return (True, self.yaml_dict) - - return (False, self.yaml_dict) - - def delete(self, path): - ''' remove path from a dict''' - try: - entry = Yedit.get_entry(self.yaml_dict, path, self.separator) - except KeyError: - entry = None - - if entry is None: - return (False, self.yaml_dict) - - result = Yedit.remove_entry(self.yaml_dict, path, self.separator) - if not result: - return (False, self.yaml_dict) - - return (True, self.yaml_dict) - - def exists(self, path, value): - ''' check if value exists at path''' - try: - entry = Yedit.get_entry(self.yaml_dict, path, self.separator) - except KeyError: - entry = None - - if isinstance(entry, list): - if value in entry: - return True - return False - - elif isinstance(entry, dict): - if isinstance(value, dict): - rval = False - for key, val in value.items(): - if entry[key] != val: - rval = False - break - else: - rval = True - return rval - - return value in entry - - return entry == value - - def append(self, path, value): - '''append value to a list''' - try: - entry = Yedit.get_entry(self.yaml_dict, path, self.separator) - except KeyError: - entry = None - - if entry is None: - self.put(path, []) - entry = Yedit.get_entry(self.yaml_dict, path, self.separator) - if not isinstance(entry, list): - return (False, self.yaml_dict) - - # pylint: disable=no-member,maybe-no-member - entry.append(value) - return (True, self.yaml_dict) - - # pylint: disable=too-many-arguments - def update(self, path, value, index=None, curr_value=None): - ''' put path, value into a dict ''' - try: - entry = Yedit.get_entry(self.yaml_dict, path, self.separator) - except KeyError: - entry = None - - if isinstance(entry, dict): - # pylint: disable=no-member,maybe-no-member - if not isinstance(value, dict): - raise YeditException('Cannot replace key, value entry in ' + - 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501 - - entry.update(value) - return (True, self.yaml_dict) - - elif isinstance(entry, list): - # pylint: disable=no-member,maybe-no-member - ind = None - if curr_value: - try: - ind = entry.index(curr_value) - except ValueError: - return (False, self.yaml_dict) - - elif index is not None: - ind = index - - if ind is not None and entry[ind] != value: - entry[ind] = value - return (True, self.yaml_dict) - - # see if it exists in the list - try: - ind = entry.index(value) - except ValueError: - # doesn't exist, append it - entry.append(value) - return (True, self.yaml_dict) - - # already exists, return - if ind is not None: - return (False, self.yaml_dict) - return (False, self.yaml_dict) - - def put(self, path, value): - ''' put path, value into a dict ''' - try: - entry = Yedit.get_entry(self.yaml_dict, path, self.separator) - except KeyError: - entry = None - - if entry == value: - return (False, self.yaml_dict) - - # deepcopy didn't work - tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, - default_flow_style=False), - yaml.RoundTripLoader) - # pylint: disable=no-member - if hasattr(self.yaml_dict, 'fa'): - tmp_copy.fa.set_block_style() - result = Yedit.add_entry(tmp_copy, path, value, self.separator) - if not result: - return (False, self.yaml_dict) - - self.yaml_dict = tmp_copy - - return (True, self.yaml_dict) - - def create(self, path, value): - ''' create a yaml file ''' - if not self.file_exists(): - # deepcopy didn't work - tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501 - yaml.RoundTripLoader) - # pylint: disable=no-member - if hasattr(self.yaml_dict, 'fa'): - tmp_copy.fa.set_block_style() - result = Yedit.add_entry(tmp_copy, path, value, self.separator) - if result: - self.yaml_dict = tmp_copy - return (True, self.yaml_dict) - - return (False, self.yaml_dict) - - @staticmethod - def get_curr_value(invalue, val_type): - '''return the current value''' - if invalue is None: - return None - - curr_value = invalue - if val_type == 'yaml': - curr_value = yaml.load(invalue) - elif val_type == 'json': - curr_value = json.loads(invalue) - - return curr_value - - @staticmethod - def parse_value(inc_value, vtype=''): - '''determine value type passed''' - true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE', - 'on', 'On', 'ON', ] - false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE', - 'off', 'Off', 'OFF'] - - # It came in as a string but you didn't specify value_type as string - # we will convert to bool if it matches any of the above cases - if isinstance(inc_value, str) and 'bool' in vtype: - if inc_value not in true_bools and inc_value not in false_bools: - raise YeditException('Not a boolean type. str=[%s] vtype=[%s]' - % (inc_value, vtype)) - elif isinstance(inc_value, bool) and 'str' in vtype: - inc_value = str(inc_value) - - # If vtype is not str then go ahead and attempt to yaml load it. - if isinstance(inc_value, str) and 'str' not in vtype: - try: - inc_value = yaml.load(inc_value) - except Exception: - raise YeditException('Could not determine type of incoming ' + - 'value. value=[%s] vtype=[%s]' - % (type(inc_value), vtype)) - - return inc_value - - # pylint: disable=too-many-return-statements,too-many-branches - @staticmethod - def run_ansible(module): - '''perform the idempotent crud operations''' - yamlfile = Yedit(filename=module.params['src'], - backup=module.params['backup'], - separator=module.params['separator']) - - if module.params['src']: - rval = yamlfile.load() - - if yamlfile.yaml_dict is None and \ - module.params['state'] != 'present': - return {'failed': True, - 'msg': 'Error opening file [%s]. Verify that the ' + - 'file exists, that it is has correct' + - ' permissions, and is valid yaml.'} - - if module.params['state'] == 'list': - if module.params['content']: - content = Yedit.parse_value(module.params['content'], - module.params['content_type']) - yamlfile.yaml_dict = content - - if module.params['key']: - rval = yamlfile.get(module.params['key']) or {} - - return {'changed': False, 'result': rval, 'state': "list"} - - elif module.params['state'] == 'absent': - if module.params['content']: - content = Yedit.parse_value(module.params['content'], - module.params['content_type']) - yamlfile.yaml_dict = content - - if module.params['update']: - rval = yamlfile.pop(module.params['key'], - module.params['value']) - else: - rval = yamlfile.delete(module.params['key']) - - if rval[0] and module.params['src']: - yamlfile.write() - - return {'changed': rval[0], 'result': rval[1], 'state': "absent"} - - elif module.params['state'] == 'present': - # check if content is different than what is in the file - if module.params['content']: - content = Yedit.parse_value(module.params['content'], - module.params['content_type']) - - # We had no edits to make and the contents are the same - if yamlfile.yaml_dict == content and \ - module.params['value'] is None: - return {'changed': False, - 'result': yamlfile.yaml_dict, - 'state': "present"} - - yamlfile.yaml_dict = content - - # we were passed a value; parse it - if module.params['value']: - value = Yedit.parse_value(module.params['value'], - module.params['value_type']) - key = module.params['key'] - if module.params['update']: - # pylint: disable=line-too-long - curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501 - module.params['curr_value_format']) # noqa: E501 - - rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501 - - elif module.params['append']: - rval = yamlfile.append(key, value) - else: - rval = yamlfile.put(key, value) - - if rval[0] and module.params['src']: - yamlfile.write() - - return {'changed': rval[0], - 'result': rval[1], 'state': "present"} - - # no edits to make - if module.params['src']: - # pylint: disable=redefined-variable-type - rval = yamlfile.write() - return {'changed': rval[0], - 'result': rval[1], - 'state': "present"} - - return {'failed': True, 'msg': 'Unkown state passed'} - -# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- - -# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*- -# pylint: disable=too-many-lines -# noqa: E301,E302,E303,T001 - - -class OpenShiftCLIError(Exception): - '''Exception class for openshiftcli''' - pass - - -# pylint: disable=too-few-public-methods -class OpenShiftCLI(object): - ''' Class to wrap the command line tools ''' - def __init__(self, - namespace, - kubeconfig='/etc/origin/master/admin.kubeconfig', - verbose=False, - all_namespaces=False): - ''' Constructor for OpenshiftCLI ''' - self.namespace = namespace - self.verbose = verbose - self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig) - self.all_namespaces = all_namespaces - - # Pylint allows only 5 arguments to be passed. - # pylint: disable=too-many-arguments - def _replace_content(self, resource, rname, content, force=False, sep='.'): - ''' replace the current object with the content ''' - res = self._get(resource, rname) - if not res['results']: - return res - - fname = Utils.create_tmpfile(rname + '-') - - yed = Yedit(fname, res['results'][0], separator=sep) - changes = [] - for key, value in content.items(): - changes.append(yed.put(key, value)) - - if any([change[0] for change in changes]): - yed.write() - - atexit.register(Utils.cleanup, [fname]) - - return self._replace(fname, force) - - return {'returncode': 0, 'updated': False} - - def _replace(self, fname, force=False): - '''replace the current object with oc replace''' - cmd = ['replace', '-f', fname] - if force: - cmd.append('--force') - return self.openshift_cmd(cmd) - - def _create_from_content(self, rname, content): - '''create a temporary file and then call oc create on it''' - fname = Utils.create_tmpfile(rname + '-') - yed = Yedit(fname, content=content) - yed.write() - - atexit.register(Utils.cleanup, [fname]) - - return self._create(fname) - - def _create(self, fname): - '''call oc create on a filename''' - return self.openshift_cmd(['create', '-f', fname]) - - def _delete(self, resource, rname, selector=None): - '''call oc delete on a resource''' - cmd = ['delete', resource, rname] - if selector: - cmd.append('--selector=%s' % selector) - - return self.openshift_cmd(cmd) - - def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501 - '''process a template - - template_name: the name of the template to process - create: whether to send to oc create after processing - params: the parameters for the template - template_data: the incoming template's data; instead of a file - ''' - cmd = ['process'] - if template_data: - cmd.extend(['-f', '-']) - else: - cmd.append(template_name) - if params: - param_str = ["%s=%s" % (key, value) for key, value in params.items()] - cmd.append('-v') - cmd.extend(param_str) - - results = self.openshift_cmd(cmd, output=True, input_data=template_data) - - if results['returncode'] != 0 or not create: - return results - - fname = Utils.create_tmpfile(template_name + '-') - yed = Yedit(fname, results['results']) - yed.write() - - atexit.register(Utils.cleanup, [fname]) - - return self.openshift_cmd(['create', '-f', fname]) - - def _get(self, resource, rname=None, selector=None): - '''return a resource by name ''' - cmd = ['get', resource] - if selector: - cmd.append('--selector=%s' % selector) - elif rname: - cmd.append(rname) - - cmd.extend(['-o', 'json']) - - rval = self.openshift_cmd(cmd, output=True) - - # Ensure results are retuned in an array - if 'items' in rval: - rval['results'] = rval['items'] - elif not isinstance(rval['results'], list): - rval['results'] = [rval['results']] - - return rval - - def _schedulable(self, node=None, selector=None, schedulable=True): - ''' perform oadm manage-node scheduable ''' - cmd = ['manage-node'] - if node: - cmd.extend(node) - else: - cmd.append('--selector=%s' % selector) - - cmd.append('--schedulable=%s' % schedulable) - - return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501 - - def _list_pods(self, node=None, selector=None, pod_selector=None): - ''' perform oadm list pods - - node: the node in which to list pods - selector: the label selector filter if provided - pod_selector: the pod selector filter if provided - ''' - cmd = ['manage-node'] - if node: - cmd.extend(node) - else: - cmd.append('--selector=%s' % selector) - - if pod_selector: - cmd.append('--pod-selector=%s' % pod_selector) - - cmd.extend(['--list-pods', '-o', 'json']) - - return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') - - # pylint: disable=too-many-arguments - def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False): - ''' perform oadm manage-node evacuate ''' - cmd = ['manage-node'] - if node: - cmd.extend(node) - else: - cmd.append('--selector=%s' % selector) - - if dry_run: - cmd.append('--dry-run') - - if pod_selector: - cmd.append('--pod-selector=%s' % pod_selector) - - if grace_period: - cmd.append('--grace-period=%s' % int(grace_period)) - - if force: - cmd.append('--force') - - cmd.append('--evacuate') - - return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') - - def _version(self): - ''' return the openshift version''' - return self.openshift_cmd(['version'], output=True, output_type='raw') - - def _import_image(self, url=None, name=None, tag=None): - ''' perform image import ''' - cmd = ['import-image'] - - image = '{0}'.format(name) - if tag: - image += ':{0}'.format(tag) - - cmd.append(image) - - if url: - cmd.append('--from={0}/{1}'.format(url, image)) - - cmd.append('-n{0}'.format(self.namespace)) - - cmd.append('--confirm') - return self.openshift_cmd(cmd) - - def _run(self, cmds, input_data): - ''' Actually executes the command. This makes mocking easier. ''' - curr_env = os.environ.copy() - curr_env.update({'KUBECONFIG': self.kubeconfig}) - proc = subprocess.Popen(cmds, - stdin=subprocess.PIPE, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - env=curr_env) - - stdout, stderr = proc.communicate(input_data) - - return proc.returncode, stdout, stderr - - # pylint: disable=too-many-arguments,too-many-branches - def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): - '''Base command for oc ''' - cmds = [] - if oadm: - cmds = ['oadm'] - else: - cmds = ['oc'] - - if self.all_namespaces: - cmds.extend(['--all-namespaces']) - elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501 - cmds.extend(['-n', self.namespace]) - - cmds.extend(cmd) - - rval = {} - results = '' - err = None - - if self.verbose: - print(' '.join(cmds)) - - returncode, stdout, stderr = self._run(cmds, input_data) - - rval = {"returncode": returncode, - "results": results, - "cmd": ' '.join(cmds)} - - if returncode == 0: - if output: - if output_type == 'json': - try: - rval['results'] = json.loads(stdout) - except ValueError as err: - if "No JSON object could be decoded" in err.args: - err = err.args - elif output_type == 'raw': - rval['results'] = stdout - - if self.verbose: - print("STDOUT: {0}".format(stdout)) - print("STDERR: {0}".format(stderr)) - - if err: - rval.update({"err": err, - "stderr": stderr, - "stdout": stdout, - "cmd": cmds}) - - else: - rval.update({"stderr": stderr, - "stdout": stdout, - "results": {}}) - - return rval - - -class Utils(object): - ''' utilities for openshiftcli modules ''' - - @staticmethod - def _write(filename, contents): - ''' Actually write the file contents to disk. This helps with mocking. ''' - - with open(filename, 'w') as sfd: - sfd.write(contents) - - @staticmethod - def create_tmp_file_from_contents(rname, data, ftype='yaml'): - ''' create a file in tmp with name and contents''' - - tmp = Utils.create_tmpfile(prefix=rname) - - if ftype == 'yaml': - Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper)) - elif ftype == 'json': - Utils._write(tmp, json.dumps(data)) - else: - Utils._write(tmp, data) - - # Register cleanup when module is done - atexit.register(Utils.cleanup, [tmp]) - return tmp - - @staticmethod - def create_tmpfile_copy(inc_file): - '''create a temporary copy of a file''' - tmpfile = Utils.create_tmpfile('lib_openshift-') - Utils._write(tmpfile, open(inc_file).read()) - - # Cleanup the tmpfile - atexit.register(Utils.cleanup, [tmpfile]) - - return tmpfile - - @staticmethod - def create_tmpfile(prefix='tmp'): - ''' Generates and returns a temporary file name ''' - - with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp: - return tmp.name - - @staticmethod - def create_tmp_files_from_contents(content, content_type=None): - '''Turn an array of dict: filename, content into a files array''' - if not isinstance(content, list): - content = [content] - files = [] - for item in content: - path = Utils.create_tmp_file_from_contents(item['path'] + '-', - item['data'], - ftype=content_type) - files.append({'name': os.path.basename(item['path']), - 'path': path}) - return files - - @staticmethod - def cleanup(files): - '''Clean up on exit ''' - for sfile in files: - if os.path.exists(sfile): - if os.path.isdir(sfile): - shutil.rmtree(sfile) - elif os.path.isfile(sfile): - os.remove(sfile) - - @staticmethod - def exists(results, _name): - ''' Check to see if the results include the name ''' - if not results: - return False - - if Utils.find_result(results, _name): - return True - - return False - - @staticmethod - def find_result(results, _name): - ''' Find the specified result by name''' - rval = None - for result in results: - if 'metadata' in result and result['metadata']['name'] == _name: - rval = result - break - - return rval - - @staticmethod - def get_resource_file(sfile, sfile_type='yaml'): - ''' return the service file ''' - contents = None - with open(sfile) as sfd: - contents = sfd.read() - - if sfile_type == 'yaml': - contents = yaml.load(contents, yaml.RoundTripLoader) - elif sfile_type == 'json': - contents = json.loads(contents) - - return contents - - @staticmethod - def filter_versions(stdout): - ''' filter the oc version output ''' - - version_dict = {} - version_search = ['oc', 'openshift', 'kubernetes'] - - for line in stdout.strip().split('\n'): - for term in version_search: - if not line: - continue - if line.startswith(term): - version_dict[term] = line.split()[-1] - - # horrible hack to get openshift version in Openshift 3.2 - # By default "oc version in 3.2 does not return an "openshift" version - if "openshift" not in version_dict: - version_dict["openshift"] = version_dict["oc"] - - return version_dict - - @staticmethod - def add_custom_versions(versions): - ''' create custom versions strings ''' - - versions_dict = {} - - for tech, version in versions.items(): - # clean up "-" from version - if "-" in version: - version = version.split("-")[0] - - if version.startswith('v'): - versions_dict[tech + '_numeric'] = version[1:].split('+')[0] - # "v3.3.0.33" is what we have, we want "3.3" - versions_dict[tech + '_short'] = version[1:4] - - return versions_dict - - @staticmethod - def openshift_installed(): - ''' check if openshift is installed ''' - import yum - - yum_base = yum.YumBase() - if yum_base.rpmdb.searchNevra(name='atomic-openshift'): - return True - - return False - - # Disabling too-many-branches. This is a yaml dictionary comparison function - # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements - @staticmethod - def check_def_equal(user_def, result_def, skip_keys=None, debug=False): - ''' Given a user defined definition, compare it with the results given back by our query. ''' - - # Currently these values are autogenerated and we do not need to check them - skip = ['metadata', 'status'] - if skip_keys: - skip.extend(skip_keys) - - for key, value in result_def.items(): - if key in skip: - continue - - # Both are lists - if isinstance(value, list): - if key not in user_def: - if debug: - print('User data does not have key [%s]' % key) - print('User data: %s' % user_def) - return False - - if not isinstance(user_def[key], list): - if debug: - print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key])) - return False - - if len(user_def[key]) != len(value): - if debug: - print("List lengths are not equal.") - print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value))) - print("user_def: %s" % user_def[key]) - print("value: %s" % value) - return False - - for values in zip(user_def[key], value): - if isinstance(values[0], dict) and isinstance(values[1], dict): - if debug: - print('sending list - list') - print(type(values[0])) - print(type(values[1])) - result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug) - if not result: - print('list compare returned false') - return False - - elif value != user_def[key]: - if debug: - print('value should be identical') - print(value) - print(user_def[key]) - return False - - # recurse on a dictionary - elif isinstance(value, dict): - if key not in user_def: - if debug: - print("user_def does not have key [%s]" % key) - return False - if not isinstance(user_def[key], dict): - if debug: - print("dict returned false: not instance of dict") - return False - - # before passing ensure keys match - api_values = set(value.keys()) - set(skip) - user_values = set(user_def[key].keys()) - set(skip) - if api_values != user_values: - if debug: - print("keys are not equal in dict") - print(api_values) - print(user_values) - return False - - result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug) - if not result: - if debug: - print("dict returned false") - print(result) - return False - - # Verify each key, value pair is the same - else: - if key not in user_def or value != user_def[key]: - if debug: - print("value not equal; user_def does not have key") - print(key) - print(value) - if key in user_def: - print(user_def[key]) - return False - - if debug: - print('returning true') - return True - - -class OpenShiftCLIConfig(object): - '''Generic Config''' - def __init__(self, rname, namespace, kubeconfig, options): - self.kubeconfig = kubeconfig - self.name = rname - self.namespace = namespace - self._options = options - - @property - def config_options(self): - ''' return config options ''' - return self._options - - def to_option_list(self): - '''return all options as a string''' - return self.stringify() - - def stringify(self): - ''' return the options hash as cli params in a string ''' - rval = [] - for key, data in self.config_options.items(): - if data['include'] \ - and (data['value'] or isinstance(data['value'], int)): - rval.append('--%s=%s' % (key.replace('_', '-'), data['value'])) - - return rval - - -# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*- - -# -*- -*- -*- Begin included fragment: class/oadm_certificate_authority.py -*- -*- -*- - -class CertificateAuthorityConfig(OpenShiftCLIConfig): - ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' - def __init__(self, cmd, kubeconfig, verbose, ca_options): - super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) - self.cmd = cmd - self.kubeconfig = kubeconfig - self.verbose = verbose - self._ca = ca_options - -class CertificateAuthority(OpenShiftCLI): - ''' Class to wrap the oc command line tools ''' - def __init__(self, - config, - verbose=False): - ''' Constructor for oadm ca ''' - super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose) - self.config = config - self.verbose = verbose - - def get(self): - '''get the current cert file - - If a file exists by the same name in the specified location then the cert exists - ''' - cert = self.config.config_options['cert']['value'] - if cert and os.path.exists(cert): - return open(cert).read() - - return None - - def create(self): - '''Create a deploymentconfig ''' - options = self.config.to_option_list() - - cmd = ['ca'] - cmd.append(self.config.cmd) - cmd.extend(options) - - return self.openshift_cmd(cmd, oadm=True) - - def exists(self): - ''' check whether the certificate exists and has the clusterIP ''' - - cert_path = self.config.config_options['cert']['value'] - if not os.path.exists(cert_path): - return False - - proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = proc.communicate() - if proc.returncode == 0: - for var in self.config.config_options['hostnames']['value'].split(','): - if var in stdout: - return True - - return False - - @staticmethod - def run_ansible(params, check_mode): - '''run the idempotent ansible code''' - - config = CertificateAuthorityConfig(params['cmd'], - params['kubeconfig'], - params['debug'], - {'cert_dir': {'value': params['cert_dir'], 'include': True}, - 'cert': {'value': params['cert'], 'include': True}, - 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, - 'master': {'value': params['master'], 'include': True}, - 'public_master': {'value': params['public_master'], 'include': True}, - 'overwrite': {'value': params['overwrite'], 'include': True}, - 'signer_name': {'value': params['signer_name'], 'include': True}, - 'private_key': {'value': params['private_key'], 'include': True}, - 'public_key': {'value': params['public_key'], 'include': True}, - 'key': {'value': params['key'], 'include': True}, - 'signer_cert': {'value': params['signer_cert'], 'include': True}, - 'signer_key': {'value': params['signer_key'], 'include': True}, - 'signer_serial': {'value': params['signer_serial'], 'include': True}, - }) - - - oadm_ca = CertificateAuthority(config) - - state = params['state'] - - if state == 'present': - ######## - # Create - ######## - if not oadm_ca.exists() or params['overwrite']: - - if check_mode: - return {'changed': True, - 'msg': "CHECK_MODE: Would have created the certificate.", - 'state': state} - - api_rval = oadm_ca.create() - - return {'changed': True, 'results': api_rval, 'state': state} - - ######## - # Exists - ######## - api_rval = oadm_ca.get() - return {'changed': False, 'results': api_rval, 'state': state} - - return {'failed': True, - 'msg': 'Unknown state passed. %s' % state} - - -# -*- -*- -*- End included fragment: class/oadm_certificate_authority.py -*- -*- -*- - -# -*- -*- -*- Begin included fragment: ansible/oadm_certificate_authority.py -*- -*- -*- - -def main(): - ''' - ansible oadm module for ca - ''' - - module = AnsibleModule( - argument_spec=dict( - state=dict(default='present', type='str', choices=['present']), - debug=dict(default=False, type='bool'), - kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), - cmd=dict(default=None, require=True, type='str'), - - # oadm ca create-master-certs [options] - cert_dir=dict(default=None, type='str'), - hostnames=dict(default=[], type='list'), - master=dict(default=None, type='str'), - public_master=dict(default=None, type='str'), - overwrite=dict(default=False, type='bool'), - signer_name=dict(default=None, type='str'), - - # oadm ca create-key-pair [options] - private_key=dict(default=None, type='str'), - public_key=dict(default=None, type='str'), - - # oadm ca create-server-cert [options] - cert=dict(default=None, type='str'), - key=dict(default=None, type='str'), - signer_cert=dict(default=None, type='str'), - signer_key=dict(default=None, type='str'), - signer_serial=dict(default=None, type='str'), - - ), - supports_check_mode=True, - ) - - # pylint: disable=line-too-long - results = CertificateAuthority.run_ansible(module.params, module.check_mode) - if 'failed' in results: - return module.fail_json(**results) - - return module.exit_json(**results) - - -if __name__ == '__main__': - main() - -# -*- -*- -*- End included fragment: ansible/oadm_certificate_authority.py -*- -*- -*- diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py new file mode 100644 index 000000000..19031f956 --- /dev/null +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -0,0 +1,1471 @@ +#!/usr/bin/env python +# pylint: disable=missing-docstring +# flake8: noqa: T001 +# ___ ___ _ _ ___ ___ _ _____ ___ ___ +# / __| __| \| | __| _ \ /_\_ _| __| \ +# | (_ | _|| .` | _|| / / _ \| | | _|| |) | +# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____ +# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _| +# | |) | (_) | | .` | (_) || | | _|| |) | | | | +# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_| +# +# Copyright 2016 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*- +''' + OpenShiftCLI class that wraps the oc commands in a subprocess +''' +# pylint: disable=too-many-lines + +from __future__ import print_function +import atexit +import json +import os +import re +import shutil +import subprocess +import tempfile +# pylint: disable=import-error +import ruamel.yaml as yaml +from ansible.module_utils.basic import AnsibleModule + +# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: doc/ca_server_cert -*- -*- -*- + +DOCUMENTATION = ''' +--- +module: oadm_ca +short_description: Module to manage openshift certificate authority +description: + - Wrapper around the openshift `oc adm ca` command. +options: + state: + description: + - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate + - When create-master-certs is desired then the following parameters are passed. + - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] + - When create-key-pair is desired then the following parameters are passed. + - ['private_key', 'public_key'] + - When create-server-cert is desired then the following parameters are passed. + - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] + required: false + default: present + choices: + - present + aliases: [] + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + cmd: + description: + - The sub command given for `oc adm ca` + required: false + default: None + choices: + - create-master-certs + - create-key-pair + - create-server-cert + aliases: [] + cert_dir: + description: + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. + required: false + default: False + aliases: [] + signer_cert: + description: + - The signer certificate file. + required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key +''' + +# -*- -*- -*- End included fragment: doc/ca_server_cert -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- +# noqa: E301,E302 + + +class YeditException(Exception): + ''' Exception class for Yedit ''' + pass + + +# pylint: disable=too-many-public-methods +class Yedit(object): + ''' Class to modify yaml files ''' + re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$" + re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)" + com_sep = set(['.', '#', '|', ':']) + + # pylint: disable=too-many-arguments + def __init__(self, + filename=None, + content=None, + content_type='yaml', + separator='.', + backup=False): + self.content = content + self._separator = separator + self.filename = filename + self.__yaml_dict = content + self.content_type = content_type + self.backup = backup + self.load(content_type=self.content_type) + if self.__yaml_dict is None: + self.__yaml_dict = {} + + @property + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @separator.setter + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @property + def yaml_dict(self): + ''' getter method for yaml_dict ''' + return self.__yaml_dict + + @yaml_dict.setter + def yaml_dict(self, value): + ''' setter method for yaml_dict ''' + self.__yaml_dict = value + + @staticmethod + def parse_key(key, sep='.'): + '''parse the key allowing the appropriate separator''' + common_separators = list(Yedit.com_sep - set([sep])) + return re.findall(Yedit.re_key % ''.join(common_separators), key) + + @staticmethod + def valid_key(key, sep='.'): + '''validate the incoming key''' + common_separators = list(Yedit.com_sep - set([sep])) + if not re.match(Yedit.re_valid_key % ''.join(common_separators), key): + return False + + return True + + @staticmethod + def remove_entry(data, key, sep='.'): + ''' remove data at location key ''' + if key == '' and isinstance(data, dict): + data.clear() + return True + elif key == '' and isinstance(data, list): + del data[:] + return True + + if not (key and Yedit.valid_key(key, sep)) and \ + isinstance(data, (list, dict)): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + # process last index for remove + # expected list entry + if key_indexes[-1][0]: + if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + del data[int(key_indexes[-1][0])] + return True + + # expected dict entry + elif key_indexes[-1][1]: + if isinstance(data, dict): + del data[key_indexes[-1][1]] + return True + + @staticmethod + def add_entry(data, key, item=None, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a#b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key: + if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501 + data = data[dict_key] + continue + + elif data and not isinstance(data, dict): + return None + + data[dict_key] = {} + data = data[dict_key] + + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + if key == '': + data = item + + # process last index for add + # expected list entry + elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + data[int(key_indexes[-1][0])] = item + + # expected dict entry + elif key_indexes[-1][1] and isinstance(data, dict): + data[key_indexes[-1][1]] = item + + return data + + @staticmethod + def get_entry(data, key, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a.b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + return data + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + tmp_filename = filename + '.yedit' + + with open(tmp_filename, 'w') as yfd: + yfd.write(contents) + + os.rename(tmp_filename, filename) + + def write(self): + ''' write to file ''' + if not self.filename: + raise YeditException('Please specify a filename.') + + if self.backup and self.file_exists(): + shutil.copy(self.filename, self.filename + '.orig') + + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + self.yaml_dict.fa.set_block_style() + + Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper)) + + return (True, self.yaml_dict) + + def read(self): + ''' read from file ''' + # check if it exists + if self.filename is None or not self.file_exists(): + return None + + contents = None + with open(self.filename) as yfd: + contents = yfd.read() + + return contents + + def file_exists(self): + ''' return whether file exists ''' + if os.path.exists(self.filename): + return True + + return False + + def load(self, content_type='yaml'): + ''' return yaml file ''' + contents = self.read() + + if not contents and not self.content: + return None + + if self.content: + if isinstance(self.content, dict): + self.yaml_dict = self.content + return self.yaml_dict + elif isinstance(self.content, str): + contents = self.content + + # check if it is yaml + try: + if content_type == 'yaml' and contents: + self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + self.yaml_dict.fa.set_block_style() + elif content_type == 'json' and contents: + self.yaml_dict = json.loads(contents) + except yaml.YAMLError as err: + # Error loading yaml or json + raise YeditException('Problem with loading yaml file. %s' % err) + + return self.yaml_dict + + def get(self, key): + ''' get a specified key''' + try: + entry = Yedit.get_entry(self.yaml_dict, key, self.separator) + except KeyError: + entry = None + + return entry + + def pop(self, path, key_or_item): + ''' remove a key, value pair from a dict or an item for a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + if isinstance(entry, dict): + # pylint: disable=no-member,maybe-no-member + if key_or_item in entry: + entry.pop(key_or_item) + return (True, self.yaml_dict) + return (False, self.yaml_dict) + + elif isinstance(entry, list): + # pylint: disable=no-member,maybe-no-member + ind = None + try: + ind = entry.index(key_or_item) + except ValueError: + return (False, self.yaml_dict) + + entry.pop(ind) + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + def delete(self, path): + ''' remove path from a dict''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + result = Yedit.remove_entry(self.yaml_dict, path, self.separator) + if not result: + return (False, self.yaml_dict) + + return (True, self.yaml_dict) + + def exists(self, path, value): + ''' check if value exists at path''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, list): + if value in entry: + return True + return False + + elif isinstance(entry, dict): + if isinstance(value, dict): + rval = False + for key, val in value.items(): + if entry[key] != val: + rval = False + break + else: + rval = True + return rval + + return value in entry + + return entry == value + + def append(self, path, value): + '''append value to a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + self.put(path, []) + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + if not isinstance(entry, list): + return (False, self.yaml_dict) + + # pylint: disable=no-member,maybe-no-member + entry.append(value) + return (True, self.yaml_dict) + + # pylint: disable=too-many-arguments + def update(self, path, value, index=None, curr_value=None): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, dict): + # pylint: disable=no-member,maybe-no-member + if not isinstance(value, dict): + raise YeditException('Cannot replace key, value entry in ' + + 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501 + + entry.update(value) + return (True, self.yaml_dict) + + elif isinstance(entry, list): + # pylint: disable=no-member,maybe-no-member + ind = None + if curr_value: + try: + ind = entry.index(curr_value) + except ValueError: + return (False, self.yaml_dict) + + elif index is not None: + ind = index + + if ind is not None and entry[ind] != value: + entry[ind] = value + return (True, self.yaml_dict) + + # see if it exists in the list + try: + ind = entry.index(value) + except ValueError: + # doesn't exist, append it + entry.append(value) + return (True, self.yaml_dict) + + # already exists, return + if ind is not None: + return (False, self.yaml_dict) + return (False, self.yaml_dict) + + def put(self, path, value): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry == value: + return (False, self.yaml_dict) + + # deepcopy didn't work + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, + default_flow_style=False), + yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + tmp_copy.fa.set_block_style() + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if not result: + return (False, self.yaml_dict) + + self.yaml_dict = tmp_copy + + return (True, self.yaml_dict) + + def create(self, path, value): + ''' create a yaml file ''' + if not self.file_exists(): + # deepcopy didn't work + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501 + yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + tmp_copy.fa.set_block_style() + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if result: + self.yaml_dict = tmp_copy + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + @staticmethod + def get_curr_value(invalue, val_type): + '''return the current value''' + if invalue is None: + return None + + curr_value = invalue + if val_type == 'yaml': + curr_value = yaml.load(invalue) + elif val_type == 'json': + curr_value = json.loads(invalue) + + return curr_value + + @staticmethod + def parse_value(inc_value, vtype=''): + '''determine value type passed''' + true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE', + 'on', 'On', 'ON', ] + false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE', + 'off', 'Off', 'OFF'] + + # It came in as a string but you didn't specify value_type as string + # we will convert to bool if it matches any of the above cases + if isinstance(inc_value, str) and 'bool' in vtype: + if inc_value not in true_bools and inc_value not in false_bools: + raise YeditException('Not a boolean type. str=[%s] vtype=[%s]' + % (inc_value, vtype)) + elif isinstance(inc_value, bool) and 'str' in vtype: + inc_value = str(inc_value) + + # If vtype is not str then go ahead and attempt to yaml load it. + if isinstance(inc_value, str) and 'str' not in vtype: + try: + inc_value = yaml.load(inc_value) + except Exception: + raise YeditException('Could not determine type of incoming ' + + 'value. value=[%s] vtype=[%s]' + % (type(inc_value), vtype)) + + return inc_value + + # pylint: disable=too-many-return-statements,too-many-branches + @staticmethod + def run_ansible(module): + '''perform the idempotent crud operations''' + yamlfile = Yedit(filename=module.params['src'], + backup=module.params['backup'], + separator=module.params['separator']) + + if module.params['src']: + rval = yamlfile.load() + + if yamlfile.yaml_dict is None and \ + module.params['state'] != 'present': + return {'failed': True, + 'msg': 'Error opening file [%s]. Verify that the ' + + 'file exists, that it is has correct' + + ' permissions, and is valid yaml.'} + + if module.params['state'] == 'list': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['key']: + rval = yamlfile.get(module.params['key']) or {} + + return {'changed': False, 'result': rval, 'state': "list"} + + elif module.params['state'] == 'absent': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['update']: + rval = yamlfile.pop(module.params['key'], + module.params['value']) + else: + rval = yamlfile.delete(module.params['key']) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], 'result': rval[1], 'state': "absent"} + + elif module.params['state'] == 'present': + # check if content is different than what is in the file + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + + # We had no edits to make and the contents are the same + if yamlfile.yaml_dict == content and \ + module.params['value'] is None: + return {'changed': False, + 'result': yamlfile.yaml_dict, + 'state': "present"} + + yamlfile.yaml_dict = content + + # we were passed a value; parse it + if module.params['value']: + value = Yedit.parse_value(module.params['value'], + module.params['value_type']) + key = module.params['key'] + if module.params['update']: + # pylint: disable=line-too-long + curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501 + module.params['curr_value_format']) # noqa: E501 + + rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501 + + elif module.params['append']: + rval = yamlfile.append(key, value) + else: + rval = yamlfile.put(key, value) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], + 'result': rval[1], 'state': "present"} + + # no edits to make + if module.params['src']: + # pylint: disable=redefined-variable-type + rval = yamlfile.write() + return {'changed': rval[0], + 'result': rval[1], + 'state': "present"} + + return {'failed': True, 'msg': 'Unkown state passed'} + +# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*- +# pylint: disable=too-many-lines +# noqa: E301,E302,E303,T001 + + +class OpenShiftCLIError(Exception): + '''Exception class for openshiftcli''' + pass + + +# pylint: disable=too-few-public-methods +class OpenShiftCLI(object): + ''' Class to wrap the command line tools ''' + def __init__(self, + namespace, + kubeconfig='/etc/origin/master/admin.kubeconfig', + verbose=False, + all_namespaces=False): + ''' Constructor for OpenshiftCLI ''' + self.namespace = namespace + self.verbose = verbose + self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig) + self.all_namespaces = all_namespaces + + # Pylint allows only 5 arguments to be passed. + # pylint: disable=too-many-arguments + def _replace_content(self, resource, rname, content, force=False, sep='.'): + ''' replace the current object with the content ''' + res = self._get(resource, rname) + if not res['results']: + return res + + fname = Utils.create_tmpfile(rname + '-') + + yed = Yedit(fname, res['results'][0], separator=sep) + changes = [] + for key, value in content.items(): + changes.append(yed.put(key, value)) + + if any([change[0] for change in changes]): + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._replace(fname, force) + + return {'returncode': 0, 'updated': False} + + def _replace(self, fname, force=False): + '''replace the current object with oc replace''' + cmd = ['replace', '-f', fname] + if force: + cmd.append('--force') + return self.openshift_cmd(cmd) + + def _create_from_content(self, rname, content): + '''create a temporary file and then call oc create on it''' + fname = Utils.create_tmpfile(rname + '-') + yed = Yedit(fname, content=content) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._create(fname) + + def _create(self, fname): + '''call oc create on a filename''' + return self.openshift_cmd(['create', '-f', fname]) + + def _delete(self, resource, rname, selector=None): + '''call oc delete on a resource''' + cmd = ['delete', resource, rname] + if selector: + cmd.append('--selector=%s' % selector) + + return self.openshift_cmd(cmd) + + def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501 + '''process a template + + template_name: the name of the template to process + create: whether to send to oc create after processing + params: the parameters for the template + template_data: the incoming template's data; instead of a file + ''' + cmd = ['process'] + if template_data: + cmd.extend(['-f', '-']) + else: + cmd.append(template_name) + if params: + param_str = ["%s=%s" % (key, value) for key, value in params.items()] + cmd.append('-v') + cmd.extend(param_str) + + results = self.openshift_cmd(cmd, output=True, input_data=template_data) + + if results['returncode'] != 0 or not create: + return results + + fname = Utils.create_tmpfile(template_name + '-') + yed = Yedit(fname, results['results']) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self.openshift_cmd(['create', '-f', fname]) + + def _get(self, resource, rname=None, selector=None): + '''return a resource by name ''' + cmd = ['get', resource] + if selector: + cmd.append('--selector=%s' % selector) + elif rname: + cmd.append(rname) + + cmd.extend(['-o', 'json']) + + rval = self.openshift_cmd(cmd, output=True) + + # Ensure results are retuned in an array + if 'items' in rval: + rval['results'] = rval['items'] + elif not isinstance(rval['results'], list): + rval['results'] = [rval['results']] + + return rval + + def _schedulable(self, node=None, selector=None, schedulable=True): + ''' perform oadm manage-node scheduable ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + cmd.append('--schedulable=%s' % schedulable) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501 + + def _list_pods(self, node=None, selector=None, pod_selector=None): + ''' perform oadm list pods + + node: the node in which to list pods + selector: the label selector filter if provided + pod_selector: the pod selector filter if provided + ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + cmd.extend(['--list-pods', '-o', 'json']) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + # pylint: disable=too-many-arguments + def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False): + ''' perform oadm manage-node evacuate ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if dry_run: + cmd.append('--dry-run') + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + if grace_period: + cmd.append('--grace-period=%s' % int(grace_period)) + + if force: + cmd.append('--force') + + cmd.append('--evacuate') + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + def _version(self): + ''' return the openshift version''' + return self.openshift_cmd(['version'], output=True, output_type='raw') + + def _import_image(self, url=None, name=None, tag=None): + ''' perform image import ''' + cmd = ['import-image'] + + image = '{0}'.format(name) + if tag: + image += ':{0}'.format(tag) + + cmd.append(image) + + if url: + cmd.append('--from={0}/{1}'.format(url, image)) + + cmd.append('-n{0}'.format(self.namespace)) + + cmd.append('--confirm') + return self.openshift_cmd(cmd) + + def _run(self, cmds, input_data): + ''' Actually executes the command. This makes mocking easier. ''' + curr_env = os.environ.copy() + curr_env.update({'KUBECONFIG': self.kubeconfig}) + proc = subprocess.Popen(cmds, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + env=curr_env) + + stdout, stderr = proc.communicate(input_data) + + return proc.returncode, stdout, stderr + + # pylint: disable=too-many-arguments,too-many-branches + def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): + '''Base command for oc ''' + cmds = [] + if oadm: + cmds = ['oadm'] + else: + cmds = ['oc'] + + if self.all_namespaces: + cmds.extend(['--all-namespaces']) + elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501 + cmds.extend(['-n', self.namespace]) + + cmds.extend(cmd) + + rval = {} + results = '' + err = None + + if self.verbose: + print(' '.join(cmds)) + + returncode, stdout, stderr = self._run(cmds, input_data) + + rval = {"returncode": returncode, + "results": results, + "cmd": ' '.join(cmds)} + + if returncode == 0: + if output: + if output_type == 'json': + try: + rval['results'] = json.loads(stdout) + except ValueError as err: + if "No JSON object could be decoded" in err.args: + err = err.args + elif output_type == 'raw': + rval['results'] = stdout + + if self.verbose: + print("STDOUT: {0}".format(stdout)) + print("STDERR: {0}".format(stderr)) + + if err: + rval.update({"err": err, + "stderr": stderr, + "stdout": stdout, + "cmd": cmds}) + + else: + rval.update({"stderr": stderr, + "stdout": stdout, + "results": {}}) + + return rval + + +class Utils(object): + ''' utilities for openshiftcli modules ''' + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + with open(filename, 'w') as sfd: + sfd.write(contents) + + @staticmethod + def create_tmp_file_from_contents(rname, data, ftype='yaml'): + ''' create a file in tmp with name and contents''' + + tmp = Utils.create_tmpfile(prefix=rname) + + if ftype == 'yaml': + Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper)) + elif ftype == 'json': + Utils._write(tmp, json.dumps(data)) + else: + Utils._write(tmp, data) + + # Register cleanup when module is done + atexit.register(Utils.cleanup, [tmp]) + return tmp + + @staticmethod + def create_tmpfile_copy(inc_file): + '''create a temporary copy of a file''' + tmpfile = Utils.create_tmpfile('lib_openshift-') + Utils._write(tmpfile, open(inc_file).read()) + + # Cleanup the tmpfile + atexit.register(Utils.cleanup, [tmpfile]) + + return tmpfile + + @staticmethod + def create_tmpfile(prefix='tmp'): + ''' Generates and returns a temporary file name ''' + + with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp: + return tmp.name + + @staticmethod + def create_tmp_files_from_contents(content, content_type=None): + '''Turn an array of dict: filename, content into a files array''' + if not isinstance(content, list): + content = [content] + files = [] + for item in content: + path = Utils.create_tmp_file_from_contents(item['path'] + '-', + item['data'], + ftype=content_type) + files.append({'name': os.path.basename(item['path']), + 'path': path}) + return files + + @staticmethod + def cleanup(files): + '''Clean up on exit ''' + for sfile in files: + if os.path.exists(sfile): + if os.path.isdir(sfile): + shutil.rmtree(sfile) + elif os.path.isfile(sfile): + os.remove(sfile) + + @staticmethod + def exists(results, _name): + ''' Check to see if the results include the name ''' + if not results: + return False + + if Utils.find_result(results, _name): + return True + + return False + + @staticmethod + def find_result(results, _name): + ''' Find the specified result by name''' + rval = None + for result in results: + if 'metadata' in result and result['metadata']['name'] == _name: + rval = result + break + + return rval + + @staticmethod + def get_resource_file(sfile, sfile_type='yaml'): + ''' return the service file ''' + contents = None + with open(sfile) as sfd: + contents = sfd.read() + + if sfile_type == 'yaml': + contents = yaml.load(contents, yaml.RoundTripLoader) + elif sfile_type == 'json': + contents = json.loads(contents) + + return contents + + @staticmethod + def filter_versions(stdout): + ''' filter the oc version output ''' + + version_dict = {} + version_search = ['oc', 'openshift', 'kubernetes'] + + for line in stdout.strip().split('\n'): + for term in version_search: + if not line: + continue + if line.startswith(term): + version_dict[term] = line.split()[-1] + + # horrible hack to get openshift version in Openshift 3.2 + # By default "oc version in 3.2 does not return an "openshift" version + if "openshift" not in version_dict: + version_dict["openshift"] = version_dict["oc"] + + return version_dict + + @staticmethod + def add_custom_versions(versions): + ''' create custom versions strings ''' + + versions_dict = {} + + for tech, version in versions.items(): + # clean up "-" from version + if "-" in version: + version = version.split("-")[0] + + if version.startswith('v'): + versions_dict[tech + '_numeric'] = version[1:].split('+')[0] + # "v3.3.0.33" is what we have, we want "3.3" + versions_dict[tech + '_short'] = version[1:4] + + return versions_dict + + @staticmethod + def openshift_installed(): + ''' check if openshift is installed ''' + import yum + + yum_base = yum.YumBase() + if yum_base.rpmdb.searchNevra(name='atomic-openshift'): + return True + + return False + + # Disabling too-many-branches. This is a yaml dictionary comparison function + # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements + @staticmethod + def check_def_equal(user_def, result_def, skip_keys=None, debug=False): + ''' Given a user defined definition, compare it with the results given back by our query. ''' + + # Currently these values are autogenerated and we do not need to check them + skip = ['metadata', 'status'] + if skip_keys: + skip.extend(skip_keys) + + for key, value in result_def.items(): + if key in skip: + continue + + # Both are lists + if isinstance(value, list): + if key not in user_def: + if debug: + print('User data does not have key [%s]' % key) + print('User data: %s' % user_def) + return False + + if not isinstance(user_def[key], list): + if debug: + print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key])) + return False + + if len(user_def[key]) != len(value): + if debug: + print("List lengths are not equal.") + print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value))) + print("user_def: %s" % user_def[key]) + print("value: %s" % value) + return False + + for values in zip(user_def[key], value): + if isinstance(values[0], dict) and isinstance(values[1], dict): + if debug: + print('sending list - list') + print(type(values[0])) + print(type(values[1])) + result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug) + if not result: + print('list compare returned false') + return False + + elif value != user_def[key]: + if debug: + print('value should be identical') + print(value) + print(user_def[key]) + return False + + # recurse on a dictionary + elif isinstance(value, dict): + if key not in user_def: + if debug: + print("user_def does not have key [%s]" % key) + return False + if not isinstance(user_def[key], dict): + if debug: + print("dict returned false: not instance of dict") + return False + + # before passing ensure keys match + api_values = set(value.keys()) - set(skip) + user_values = set(user_def[key].keys()) - set(skip) + if api_values != user_values: + if debug: + print("keys are not equal in dict") + print(api_values) + print(user_values) + return False + + result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug) + if not result: + if debug: + print("dict returned false") + print(result) + return False + + # Verify each key, value pair is the same + else: + if key not in user_def or value != user_def[key]: + if debug: + print("value not equal; user_def does not have key") + print(key) + print(value) + if key in user_def: + print(user_def[key]) + return False + + if debug: + print('returning true') + return True + + +class OpenShiftCLIConfig(object): + '''Generic Config''' + def __init__(self, rname, namespace, kubeconfig, options): + self.kubeconfig = kubeconfig + self.name = rname + self.namespace = namespace + self._options = options + + @property + def config_options(self): + ''' return config options ''' + return self._options + + def to_option_list(self): + '''return all options as a string''' + return self.stringify() + + def stringify(self): + ''' return the options hash as cli params in a string ''' + rval = [] + for key, data in self.config_options.items(): + if data['include'] \ + and (data['value'] or isinstance(data['value'], int)): + rval.append('--%s=%s' % (key.replace('_', '-'), data['value'])) + + return rval + + +# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: class/oc_adm_ca_server_cert.py -*- -*- -*- + +class CAServerCertConfig(OpenShiftCLIConfig): + ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' + def __init__(self, cmd, kubeconfig, verbose, ca_options): + super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + self.cmd = cmd + self.kubeconfig = kubeconfig + self.verbose = verbose + self._ca = ca_options + +class CAServerCert(OpenShiftCLI): + ''' Class to wrap the oc command line tools ''' + def __init__(self, + config, + verbose=False): + ''' Constructor for oadm ca ''' + super(CAServerCert, self).__init__(None, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + + def get(self): + '''get the current cert file + + If a file exists by the same name in the specified location then the cert exists + ''' + cert = self.config.config_options['cert']['value'] + if cert and os.path.exists(cert): + return open(cert).read() + + return None + + def create(self): + '''run openshift ca cmd''' + options = self.config.to_option_list() + + cmd = ['ca'] + cmd.append(self.config.cmd) + cmd.extend(options) + + return self.openshift_cmd(cmd, oadm=True) + + def exists(self): + ''' check whether the certificate exists and has the clusterIP ''' + + cert_path = self.config.config_options['cert']['value'] + if not os.path.exists(cert_path): + return False + + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = proc.communicate() + if proc.returncode == 0: + for var in self.config.config_options['hostnames']['value'].split(','): + if var in stdout: + return True + + return False + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + config = CAServerCertConfig(params['cmd'], + params['kubeconfig'], + params['debug'], + {'cert': {'value': params['cert'], 'include': True}, + 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, + 'overwrite': {'value': params['overwrite'], 'include': True}, + 'signer_name': {'value': params['signer_name'], 'include': True}, + 'key': {'value': params['key'], 'include': True}, + 'signer_cert': {'value': params['signer_cert'], 'include': True}, + 'signer_key': {'value': params['signer_key'], 'include': True}, + 'signer_serial': {'value': params['signer_serial'], 'include': True}, + }) + + server_cert = CAServerCert(config) + + state = params['state'] + + if state == 'present': + ######## + # Create + ######## + if not server_cert.exists() or params['overwrite']: + + if check_mode: + return {'changed': True, + 'msg': "CHECK_MODE: Would have created the certificate.", + 'state': state} + + api_rval = server_cert.create() + + return {'changed': True, 'results': api_rval, 'state': state} + + ######## + # Exists + ######## + api_rval = server_cert.get() + return {'changed': False, 'results': api_rval, 'state': state} + + return {'failed': True, + 'msg': 'Unknown state passed. %s' % state} + + +# -*- -*- -*- End included fragment: class/oc_adm_ca_server_cert.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ansible/oc_adm_ca_server_cert.py -*- -*- -*- + +def main(): + ''' + ansible oc adm module for ca create-server-cert + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', choices=['present']), + debug=dict(default=False, type='bool'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + cmd=dict(default=None, require=True, type='str'), + # oadm ca create-server-cert [options] + cert=dict(default=None, type='str'), + key=dict(default=None, type='str'), + signer_cert=dict(default=None, type='str'), + signer_key=dict(default=None, type='str'), + signer_serial=dict(default=None, type='str'), + hostnames=dict(default=[], type='list'), + overwrite=dict(default=False, type='bool'), + ), + supports_check_mode=True, + ) + + # pylint: disable=line-too-long + results = CAServerCert.run_ansible(module.params, module.check_mode) + if 'failed' in results: + return module.fail_json(**results) + + return module.exit_json(**results) + + +if __name__ == '__main__': + main() + +# -*- -*- -*- End included fragment: ansible/oc_adm_ca_server_cert.py -*- -*- -*- diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py deleted file mode 100644 index ad00b25b4..000000000 --- a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py +++ /dev/null @@ -1,48 +0,0 @@ -# pylint: skip-file -# flake8: noqa - -def main(): - ''' - ansible oadm module for ca - ''' - - module = AnsibleModule( - argument_spec=dict( - state=dict(default='present', type='str', choices=['present']), - debug=dict(default=False, type='bool'), - kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), - cmd=dict(default=None, require=True, type='str'), - - # oadm ca create-master-certs [options] - cert_dir=dict(default=None, type='str'), - hostnames=dict(default=[], type='list'), - master=dict(default=None, type='str'), - public_master=dict(default=None, type='str'), - overwrite=dict(default=False, type='bool'), - signer_name=dict(default=None, type='str'), - - # oadm ca create-key-pair [options] - private_key=dict(default=None, type='str'), - public_key=dict(default=None, type='str'), - - # oadm ca create-server-cert [options] - cert=dict(default=None, type='str'), - key=dict(default=None, type='str'), - signer_cert=dict(default=None, type='str'), - signer_key=dict(default=None, type='str'), - signer_serial=dict(default=None, type='str'), - - ), - supports_check_mode=True, - ) - - # pylint: disable=line-too-long - results = CertificateAuthority.run_ansible(module.params, module.check_mode) - if 'failed' in results: - return module.fail_json(**results) - - return module.exit_json(**results) - - -if __name__ == '__main__': - main() diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py new file mode 100644 index 000000000..91d8c83b0 --- /dev/null +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py @@ -0,0 +1,36 @@ +# pylint: skip-file +# flake8: noqa + +def main(): + ''' + ansible oc adm module for ca create-server-cert + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', choices=['present']), + debug=dict(default=False, type='bool'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + cmd=dict(default=None, require=True, type='str'), + # oadm ca create-server-cert [options] + cert=dict(default=None, type='str'), + key=dict(default=None, type='str'), + signer_cert=dict(default=None, type='str'), + signer_key=dict(default=None, type='str'), + signer_serial=dict(default=None, type='str'), + hostnames=dict(default=[], type='list'), + overwrite=dict(default=False, type='bool'), + ), + supports_check_mode=True, + ) + + # pylint: disable=line-too-long + results = CAServerCert.run_ansible(module.params, module.check_mode) + if 'failed' in results: + return module.fail_json(**results) + + return module.exit_json(**results) + + +if __name__ == '__main__': + main() diff --git a/roles/lib_openshift/src/class/oadm_certificate_authority.py b/roles/lib_openshift/src/class/oadm_certificate_authority.py deleted file mode 100644 index 34bd0f0a9..000000000 --- a/roles/lib_openshift/src/class/oadm_certificate_authority.py +++ /dev/null @@ -1,110 +0,0 @@ -# pylint: skip-file - -class CertificateAuthorityConfig(OpenShiftCLIConfig): - ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' - def __init__(self, cmd, kubeconfig, verbose, ca_options): - super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) - self.cmd = cmd - self.kubeconfig = kubeconfig - self.verbose = verbose - self._ca = ca_options - -class CertificateAuthority(OpenShiftCLI): - ''' Class to wrap the oc command line tools ''' - def __init__(self, - config, - verbose=False): - ''' Constructor for oadm ca ''' - super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose) - self.config = config - self.verbose = verbose - - def get(self): - '''get the current cert file - - If a file exists by the same name in the specified location then the cert exists - ''' - cert = self.config.config_options['cert']['value'] - if cert and os.path.exists(cert): - return open(cert).read() - - return None - - def create(self): - '''Create a deploymentconfig ''' - options = self.config.to_option_list() - - cmd = ['ca'] - cmd.append(self.config.cmd) - cmd.extend(options) - - return self.openshift_cmd(cmd, oadm=True) - - def exists(self): - ''' check whether the certificate exists and has the clusterIP ''' - - cert_path = self.config.config_options['cert']['value'] - if not os.path.exists(cert_path): - return False - - proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = proc.communicate() - if proc.returncode == 0: - for var in self.config.config_options['hostnames']['value'].split(','): - if var in stdout: - return True - - return False - - @staticmethod - def run_ansible(params, check_mode): - '''run the idempotent ansible code''' - - config = CertificateAuthorityConfig(params['cmd'], - params['kubeconfig'], - params['debug'], - {'cert_dir': {'value': params['cert_dir'], 'include': True}, - 'cert': {'value': params['cert'], 'include': True}, - 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, - 'master': {'value': params['master'], 'include': True}, - 'public_master': {'value': params['public_master'], 'include': True}, - 'overwrite': {'value': params['overwrite'], 'include': True}, - 'signer_name': {'value': params['signer_name'], 'include': True}, - 'private_key': {'value': params['private_key'], 'include': True}, - 'public_key': {'value': params['public_key'], 'include': True}, - 'key': {'value': params['key'], 'include': True}, - 'signer_cert': {'value': params['signer_cert'], 'include': True}, - 'signer_key': {'value': params['signer_key'], 'include': True}, - 'signer_serial': {'value': params['signer_serial'], 'include': True}, - }) - - - oadm_ca = CertificateAuthority(config) - - state = params['state'] - - if state == 'present': - ######## - # Create - ######## - if not oadm_ca.exists() or params['overwrite']: - - if check_mode: - return {'changed': True, - 'msg': "CHECK_MODE: Would have created the certificate.", - 'state': state} - - api_rval = oadm_ca.create() - - return {'changed': True, 'results': api_rval, 'state': state} - - ######## - # Exists - ######## - api_rval = oadm_ca.get() - return {'changed': False, 'results': api_rval, 'state': state} - - return {'failed': True, - 'msg': 'Unknown state passed. %s' % state} - diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py new file mode 100644 index 000000000..92505c08e --- /dev/null +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -0,0 +1,104 @@ +# pylint: skip-file + +class CAServerCertConfig(OpenShiftCLIConfig): + ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' + def __init__(self, cmd, kubeconfig, verbose, ca_options): + super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + self.cmd = cmd + self.kubeconfig = kubeconfig + self.verbose = verbose + self._ca = ca_options + +class CAServerCert(OpenShiftCLI): + ''' Class to wrap the oc command line tools ''' + def __init__(self, + config, + verbose=False): + ''' Constructor for oadm ca ''' + super(CAServerCert, self).__init__(None, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + + def get(self): + '''get the current cert file + + If a file exists by the same name in the specified location then the cert exists + ''' + cert = self.config.config_options['cert']['value'] + if cert and os.path.exists(cert): + return open(cert).read() + + return None + + def create(self): + '''run openshift ca cmd''' + options = self.config.to_option_list() + + cmd = ['ca'] + cmd.append(self.config.cmd) + cmd.extend(options) + + return self.openshift_cmd(cmd, oadm=True) + + def exists(self): + ''' check whether the certificate exists and has the clusterIP ''' + + cert_path = self.config.config_options['cert']['value'] + if not os.path.exists(cert_path): + return False + + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = proc.communicate() + if proc.returncode == 0: + for var in self.config.config_options['hostnames']['value'].split(','): + if var in stdout: + return True + + return False + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + config = CAServerCertConfig(params['cmd'], + params['kubeconfig'], + params['debug'], + {'cert': {'value': params['cert'], 'include': True}, + 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, + 'overwrite': {'value': params['overwrite'], 'include': True}, + 'signer_name': {'value': params['signer_name'], 'include': True}, + 'key': {'value': params['key'], 'include': True}, + 'signer_cert': {'value': params['signer_cert'], 'include': True}, + 'signer_key': {'value': params['signer_key'], 'include': True}, + 'signer_serial': {'value': params['signer_serial'], 'include': True}, + }) + + server_cert = CAServerCert(config) + + state = params['state'] + + if state == 'present': + ######## + # Create + ######## + if not server_cert.exists() or params['overwrite']: + + if check_mode: + return {'changed': True, + 'msg': "CHECK_MODE: Would have created the certificate.", + 'state': state} + + api_rval = server_cert.create() + + return {'changed': True, 'results': api_rval, 'state': state} + + ######## + # Exists + ######## + api_rval = server_cert.get() + return {'changed': False, 'results': api_rval, 'state': state} + + return {'failed': True, + 'msg': 'Unknown state passed. %s' % state} + diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert new file mode 100644 index 000000000..bf299f0cb --- /dev/null +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -0,0 +1,141 @@ +# flake8: noqa +# pylint: skip-file + +DOCUMENTATION = ''' +--- +module: oadm_ca +short_description: Module to manage openshift certificate authority +description: + - Wrapper around the openshift `oc adm ca` command. +options: + state: + description: + - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate + - When create-master-certs is desired then the following parameters are passed. + - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] + - When create-key-pair is desired then the following parameters are passed. + - ['private_key', 'public_key'] + - When create-server-cert is desired then the following parameters are passed. + - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] + required: false + default: present + choices: + - present + aliases: [] + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + cmd: + description: + - The sub command given for `oc adm ca` + required: false + default: None + choices: + - create-master-certs + - create-key-pair + - create-server-cert + aliases: [] + cert_dir: + description: + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. + required: false + default: False + aliases: [] + signer_cert: + description: + - The signer certificate file. + required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key +''' diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority deleted file mode 100644 index bf299f0cb..000000000 --- a/roles/lib_openshift/src/doc/certificate_authority +++ /dev/null @@ -1,141 +0,0 @@ -# flake8: noqa -# pylint: skip-file - -DOCUMENTATION = ''' ---- -module: oadm_ca -short_description: Module to manage openshift certificate authority -description: - - Wrapper around the openshift `oc adm ca` command. -options: - state: - description: - - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] - - When create-server-cert is desired then the following parameters are passed. - - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] - required: false - default: present - choices: - - present - aliases: [] - kubeconfig: - description: - - The path for the kubeconfig file to use for authentication - required: false - default: /etc/origin/master/admin.kubeconfig - aliases: [] - debug: - description: - - Turn on debug output. - required: false - default: False - aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] - cert: - description: - - The certificate file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - key: - description: - - The key file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - overwrite: - description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. - required: false - default: False - aliases: [] - signer_cert: - description: - - The signer certificate file. - required: false - default: None - aliases: [] - signer_key: - description: - - The signer key file. - required: false - default: None - aliases: [] - signer_serial: - description: - - The signer serial file. - required: false - default: None - aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - - hostnames: - description: - - Every hostname or IP that server certs should be valid for (comma-delimited list) - required: false - default: None - aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] -author: -- "Kenny Woodson " -extends_documentation_fragment: [] -''' - -EXAMPLES = ''' -- name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert - signer_cert: /etc/origin/master/ca.crt - signer_key: /etc/origin/master/ca.key - signer_serial: /etc/origin/master/ca.serial.txt - hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" - cert: /etc/origin/master/registry.crt - key: /etc/origin/master/registry.key -''' diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml index 7f0de6a65..b49f7b490 100644 --- a/roles/lib_openshift/src/sources.yml +++ b/roles/lib_openshift/src/sources.yml @@ -1,13 +1,13 @@ --- -oadm_ca.py: +oc_adm_ca_server_cert.py: - doc/generated - doc/license - lib/import.py -- doc/certificate_authority +- doc/ca_server_cert - ../../lib_utils/src/class/yedit.py - lib/base.py -- class/oadm_certificate_authority.py -- ansible/oadm_certificate_authority.py +- class/oc_adm_ca_server_cert.py +- ansible/oc_adm_ca_server_cert.py oadm_manage_node.py: - doc/generated -- cgit v1.2.3 From f3cafbe005d54aaea6e46f2f348b092e430531f2 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 09:42:07 -0500 Subject: Removing cmd, fixed docs and comments. --- .../lib_openshift/library/oc_adm_ca_server_cert.py | 153 ++++++++++----------- .../src/class/oc_adm_ca_server_cert.py | 17 ++- roles/lib_openshift/src/doc/ca_server_cert | 61 +------- 3 files changed, 82 insertions(+), 149 deletions(-) diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 19031f956..4c5c1f1ab 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -33,6 +33,7 @@ from __future__ import print_function import atexit +import copy import json import os import re @@ -40,7 +41,11 @@ import shutil import subprocess import tempfile # pylint: disable=import-error -import ruamel.yaml as yaml +try: + import ruamel.yaml as yaml +except ImportError: + import yaml + from ansible.module_utils.basic import AnsibleModule # -*- -*- -*- End included fragment: lib/import.py -*- -*- -*- @@ -49,18 +54,15 @@ from ansible.module_utils.basic import AnsibleModule DOCUMENTATION = ''' --- -module: oadm_ca -short_description: Module to manage openshift certificate authority +module: oc_adm_ca_server_cert +short_description: Module to run openshift oc adm ca create-server-cert description: - - Wrapper around the openshift `oc adm ca` command. + - Wrapper around the openshift `oc adm ca create-server-cert` command. options: state: description: - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] + - and verify if the hostnames and the ClusterIP exists in the certificate. - When create-server-cert is desired then the following parameters are passed. - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false @@ -80,22 +82,6 @@ options: required: false default: False aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] cert: description: - The certificate file. Choose a name that indicates what the service is. @@ -132,43 +118,12 @@ options: required: false default: None aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - hostnames: description: - Every hostname or IP that server certs should be valid for (comma-delimited list) required: false default: None aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] @@ -176,8 +131,7 @@ extends_documentation_fragment: [] EXAMPLES = ''' - name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert + oc_adm_ca_server_cert: signer_cert: /etc/origin/master/ca.crt signer_key: /etc/origin/master/ca.key signer_serial: /etc/origin/master/ca.serial.txt @@ -383,11 +337,15 @@ class Yedit(object): if self.backup and self.file_exists(): shutil.copy(self.filename, self.filename + '.orig') - # pylint: disable=no-member - if hasattr(self.yaml_dict, 'fa'): - self.yaml_dict.fa.set_block_style() + if hasattr(yaml, 'RoundTripDumper'): + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + self.yaml_dict.fa.set_block_style() - Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper)) + # pylint: disable=no-member + Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper)) + else: + Yedit._write(self.filename, yaml.safe_dump(self.yaml_dict, default_flow_style=False)) return (True, self.yaml_dict) @@ -427,10 +385,16 @@ class Yedit(object): # check if it is yaml try: if content_type == 'yaml' and contents: - self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(yaml, 'RoundTripLoader'): + self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader) + else: + self.yaml_dict = yaml.safe_load(contents) + # pylint: disable=no-member if hasattr(self.yaml_dict, 'fa'): self.yaml_dict.fa.set_block_style() + elif content_type == 'json' and contents: self.yaml_dict = json.loads(contents) except yaml.YAMLError as err: @@ -595,12 +559,19 @@ class Yedit(object): return (False, self.yaml_dict) # deepcopy didn't work - tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, - default_flow_style=False), - yaml.RoundTripLoader) - # pylint: disable=no-member - if hasattr(self.yaml_dict, 'fa'): - tmp_copy.fa.set_block_style() + if hasattr(yaml, 'round_trip_dump'): + # pylint: disable=no-member + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, + default_flow_style=False), + yaml.RoundTripLoader) + + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + tmp_copy.fa.set_block_style() + + else: + tmp_copy = copy.deepcopy(self.yaml_dict) + result = Yedit.add_entry(tmp_copy, path, value, self.separator) if not result: return (False, self.yaml_dict) @@ -613,11 +584,17 @@ class Yedit(object): ''' create a yaml file ''' if not self.file_exists(): # deepcopy didn't work - tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501 - yaml.RoundTripLoader) - # pylint: disable=no-member - if hasattr(self.yaml_dict, 'fa'): - tmp_copy.fa.set_block_style() + if hasattr(yaml, 'round_trip_dump'): + # pylint: disable=no-member + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501 + yaml.RoundTripLoader) + + # pylint: disable=no-member + if hasattr(self.yaml_dict, 'fa'): + tmp_copy.fa.set_block_style() + else: + tmp_copy = copy.deepcopy(self.yaml_dict) + result = Yedit.add_entry(tmp_copy, path, value, self.separator) if result: self.yaml_dict = tmp_copy @@ -1059,7 +1036,12 @@ class Utils(object): tmp = Utils.create_tmpfile(prefix=rname) if ftype == 'yaml': - Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper)) + # pylint: disable=no-member + if hasattr(yaml, 'RoundTripDumper'): + Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper)) + else: + Utils._write(tmp, yaml.safe_dump(data, default_flow_style=False)) + elif ftype == 'json': Utils._write(tmp, json.dumps(data)) else: @@ -1141,7 +1123,11 @@ class Utils(object): contents = sfd.read() if sfile_type == 'yaml': - contents = yaml.load(contents, yaml.RoundTripLoader) + # pylint: disable=no-member + if hasattr(yaml, 'RoundTripLoader'): + contents = yaml.load(contents, yaml.RoundTripLoader) + else: + contents = yaml.safe_load(contents) elif sfile_type == 'json': contents = json.loads(contents) @@ -1328,16 +1314,15 @@ class OpenShiftCLIConfig(object): # -*- -*- -*- Begin included fragment: class/oc_adm_ca_server_cert.py -*- -*- -*- class CAServerCertConfig(OpenShiftCLIConfig): - ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' - def __init__(self, cmd, kubeconfig, verbose, ca_options): + ''' CAServerCertConfig is a DTO for the oc adm ca command ''' + def __init__(self, kubeconfig, verbose, ca_options): super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) - self.cmd = cmd self.kubeconfig = kubeconfig self.verbose = verbose self._ca = ca_options class CAServerCert(OpenShiftCLI): - ''' Class to wrap the oc command line tools ''' + ''' Class to wrap the oc adm ca create-server-cert command line''' def __init__(self, config, verbose=False): @@ -1358,11 +1343,10 @@ class CAServerCert(OpenShiftCLI): return None def create(self): - '''run openshift ca cmd''' + '''run openshift oc adm ca create-server-cert cmd''' options = self.config.to_option_list() - cmd = ['ca'] - cmd.append(self.config.cmd) + cmd = ['ca', 'create-server-cert'] cmd.extend(options) return self.openshift_cmd(cmd, oadm=True) @@ -1374,6 +1358,8 @@ class CAServerCert(OpenShiftCLI): if not os.path.exists(cert_path): return False + # Would prefer pyopenssl but is not installed. + # When we verify it is, switch this code proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = proc.communicate() @@ -1388,8 +1374,7 @@ class CAServerCert(OpenShiftCLI): def run_ansible(params, check_mode): '''run the idempotent ansible code''' - config = CAServerCertConfig(params['cmd'], - params['kubeconfig'], + config = CAServerCertConfig(params['kubeconfig'], params['debug'], {'cert': {'value': params['cert'], 'include': True}, 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index 92505c08e..162f606f7 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -1,16 +1,15 @@ # pylint: skip-file class CAServerCertConfig(OpenShiftCLIConfig): - ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' - def __init__(self, cmd, kubeconfig, verbose, ca_options): + ''' CAServerCertConfig is a DTO for the oc adm ca command ''' + def __init__(self, kubeconfig, verbose, ca_options): super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) - self.cmd = cmd self.kubeconfig = kubeconfig self.verbose = verbose self._ca = ca_options class CAServerCert(OpenShiftCLI): - ''' Class to wrap the oc command line tools ''' + ''' Class to wrap the oc adm ca create-server-cert command line''' def __init__(self, config, verbose=False): @@ -31,11 +30,10 @@ class CAServerCert(OpenShiftCLI): return None def create(self): - '''run openshift ca cmd''' + '''run openshift oc adm ca create-server-cert cmd''' options = self.config.to_option_list() - cmd = ['ca'] - cmd.append(self.config.cmd) + cmd = ['ca', 'create-server-cert'] cmd.extend(options) return self.openshift_cmd(cmd, oadm=True) @@ -47,6 +45,8 @@ class CAServerCert(OpenShiftCLI): if not os.path.exists(cert_path): return False + # Would prefer pyopenssl but is not installed. + # When we verify it is, switch this code proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = proc.communicate() @@ -61,8 +61,7 @@ class CAServerCert(OpenShiftCLI): def run_ansible(params, check_mode): '''run the idempotent ansible code''' - config = CAServerCertConfig(params['cmd'], - params['kubeconfig'], + config = CAServerCertConfig(params['kubeconfig'], params['debug'], {'cert': {'value': params['cert'], 'include': True}, 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index bf299f0cb..401caf1fc 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -3,18 +3,15 @@ DOCUMENTATION = ''' --- -module: oadm_ca -short_description: Module to manage openshift certificate authority +module: oc_adm_ca_server_cert +short_description: Module to run openshift oc adm ca create-server-cert description: - - Wrapper around the openshift `oc adm ca` command. + - Wrapper around the openshift `oc adm ca create-server-cert` command. options: state: description: - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] + - and verify if the hostnames and the ClusterIP exists in the certificate. - When create-server-cert is desired then the following parameters are passed. - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false @@ -34,22 +31,6 @@ options: required: false default: False aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] cert: description: - The certificate file. Choose a name that indicates what the service is. @@ -86,43 +67,12 @@ options: required: false default: None aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - hostnames: description: - Every hostname or IP that server certs should be valid for (comma-delimited list) required: false default: None aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] @@ -130,8 +80,7 @@ extends_documentation_fragment: [] EXAMPLES = ''' - name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert + oc_adm_ca_server_cert: signer_cert: /etc/origin/master/ca.crt signer_key: /etc/origin/master/ca.key signer_serial: /etc/origin/master/ca.serial.txt -- cgit v1.2.3 From a330de2153a66c458a21fd506c3220a4b3acd563 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 15:46:06 -0500 Subject: Updated doc and defined defaults for signer_* --- .../lib_openshift/library/oc_adm_ca_server_cert.py | 22 ++++++++++------------ .../src/ansible/oc_adm_ca_server_cert.py | 7 +++---- .../src/class/oc_adm_ca_server_cert.py | 7 +++---- roles/lib_openshift/src/doc/ca_server_cert | 6 +++--- 4 files changed, 19 insertions(+), 23 deletions(-) diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 4c5c1f1ab..98e61cef4 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -104,19 +104,19 @@ options: description: - The signer certificate file. required: false - default: None + default: /etc/origin/master/ca.crt aliases: [] signer_key: description: - The signer key file. required: false - default: None + default: /etc/origin/master/ca.key aliases: [] signer_serial: description: - The signer serial file. required: false - default: None + default: /etc/origin/master/ca.serial.txt aliases: [] hostnames: description: @@ -959,7 +959,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout, stderr + return proc.returncode, stdout.decode(), stderr.decode() # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): @@ -1316,7 +1316,7 @@ class OpenShiftCLIConfig(object): class CAServerCertConfig(OpenShiftCLIConfig): ''' CAServerCertConfig is a DTO for the oc adm ca command ''' def __init__(self, kubeconfig, verbose, ca_options): - super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + super(CAServerCertConfig, self).__init__('ca', None, kubeconfig, ca_options) self.kubeconfig = kubeconfig self.verbose = verbose self._ca = ca_options @@ -1358,11 +1358,11 @@ class CAServerCert(OpenShiftCLI): if not os.path.exists(cert_path): return False - # Would prefer pyopenssl but is not installed. + # Would prefer pyopenssl but is not installed. # When we verify it is, switch this code proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = proc.communicate() + stdout, _ = proc.communicate() if proc.returncode == 0: for var in self.config.config_options['hostnames']['value'].split(','): if var in stdout: @@ -1379,7 +1379,6 @@ class CAServerCert(OpenShiftCLI): {'cert': {'value': params['cert'], 'include': True}, 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, 'overwrite': {'value': params['overwrite'], 'include': True}, - 'signer_name': {'value': params['signer_name'], 'include': True}, 'key': {'value': params['key'], 'include': True}, 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, @@ -1433,16 +1432,15 @@ def main(): # oadm ca create-server-cert [options] cert=dict(default=None, type='str'), key=dict(default=None, type='str'), - signer_cert=dict(default=None, type='str'), - signer_key=dict(default=None, type='str'), - signer_serial=dict(default=None, type='str'), + signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'), + signer_key=dict(default='/etc/origin/master/ca.key', type='str'), + signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), overwrite=dict(default=False, type='bool'), ), supports_check_mode=True, ) - # pylint: disable=line-too-long results = CAServerCert.run_ansible(module.params, module.check_mode) if 'failed' in results: return module.fail_json(**results) diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py index 91d8c83b0..3518a2de4 100644 --- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py @@ -15,16 +15,15 @@ def main(): # oadm ca create-server-cert [options] cert=dict(default=None, type='str'), key=dict(default=None, type='str'), - signer_cert=dict(default=None, type='str'), - signer_key=dict(default=None, type='str'), - signer_serial=dict(default=None, type='str'), + signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'), + signer_key=dict(default='/etc/origin/master/ca.key', type='str'), + signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), overwrite=dict(default=False, type='bool'), ), supports_check_mode=True, ) - # pylint: disable=line-too-long results = CAServerCert.run_ansible(module.params, module.check_mode) if 'failed' in results: return module.fail_json(**results) diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index 162f606f7..62200b592 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -3,7 +3,7 @@ class CAServerCertConfig(OpenShiftCLIConfig): ''' CAServerCertConfig is a DTO for the oc adm ca command ''' def __init__(self, kubeconfig, verbose, ca_options): - super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + super(CAServerCertConfig, self).__init__('ca', None, kubeconfig, ca_options) self.kubeconfig = kubeconfig self.verbose = verbose self._ca = ca_options @@ -45,11 +45,11 @@ class CAServerCert(OpenShiftCLI): if not os.path.exists(cert_path): return False - # Would prefer pyopenssl but is not installed. + # Would prefer pyopenssl but is not installed. # When we verify it is, switch this code proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = proc.communicate() + stdout, _ = proc.communicate() if proc.returncode == 0: for var in self.config.config_options['hostnames']['value'].split(','): if var in stdout: @@ -66,7 +66,6 @@ class CAServerCert(OpenShiftCLI): {'cert': {'value': params['cert'], 'include': True}, 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, 'overwrite': {'value': params['overwrite'], 'include': True}, - 'signer_name': {'value': params['signer_name'], 'include': True}, 'key': {'value': params['key'], 'include': True}, 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index 401caf1fc..bb57a3e11 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -53,19 +53,19 @@ options: description: - The signer certificate file. required: false - default: None + default: /etc/origin/master/ca.crt aliases: [] signer_key: description: - The signer key file. required: false - default: None + default: /etc/origin/master/ca.key aliases: [] signer_serial: description: - The signer serial file. required: false - default: None + default: /etc/origin/master/ca.serial.txt aliases: [] hostnames: description: -- cgit v1.2.3 From c0a264e4c220bf086760acd6ab1d27bfe36a06dc Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 21 Feb 2017 09:59:09 -0500 Subject: Small spacing fix. --- roles/lib_openshift/library/oc_adm_ca_server_cert.py | 1 + roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 2 ++ 2 files changed, 3 insertions(+) diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 98e61cef4..9c8c62621 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -1321,6 +1321,7 @@ class CAServerCertConfig(OpenShiftCLIConfig): self.verbose = verbose self._ca = ca_options + class CAServerCert(OpenShiftCLI): ''' Class to wrap the oc adm ca create-server-cert command line''' def __init__(self, diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index 62200b592..7f9ff9e1d 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -1,4 +1,5 @@ # pylint: skip-file +# flake8: noqa class CAServerCertConfig(OpenShiftCLIConfig): ''' CAServerCertConfig is a DTO for the oc adm ca command ''' @@ -8,6 +9,7 @@ class CAServerCertConfig(OpenShiftCLIConfig): self.verbose = verbose self._ca = ca_options + class CAServerCert(OpenShiftCLI): ''' Class to wrap the oc adm ca create-server-cert command line''' def __init__(self, -- cgit v1.2.3 From 8200377dbb3d0e6aa2b35ea369cceb03976b508b Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 21 Feb 2017 10:26:17 -0500 Subject: Added copy support when modifying cert and key on existence --- roles/lib_openshift/library/oc_adm_ca_server_cert.py | 20 +++++++++++++++++++- .../src/ansible/oc_adm_ca_server_cert.py | 2 +- .../lib_openshift/src/class/oc_adm_ca_server_cert.py | 12 ++++++++++++ roles/lib_openshift/src/doc/ca_server_cert | 6 ++++++ 4 files changed, 38 insertions(+), 2 deletions(-) diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 9c8c62621..9c57435e7 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -124,6 +124,12 @@ options: required: false default: None aliases: [] + backup: + description: + - Whether to backup the cert and key files before writing them. + required: false + default: True + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] @@ -1345,6 +1351,17 @@ class CAServerCert(OpenShiftCLI): def create(self): '''run openshift oc adm ca create-server-cert cmd''' + + # Added this here as a safegaurd for stomping on the + # cert and key files if they exist + if self.config.config_options['backup']['value']: + if os.path.exists(self.config.config_options['key']['value']): + shutil.copy(self.config.config_options['key']['value'], + "%s.orig" % self.config.config_options['key']['value']) + if os.path.exists(self.config.config_options['cert']['value']): + shutil.copy(self.config.config_options['cert']['value'], + "%s.orig" % self.config.config_options['cert']['value']) + options = self.config.to_option_list() cmd = ['ca', 'create-server-cert'] @@ -1384,6 +1401,7 @@ class CAServerCert(OpenShiftCLI): 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, 'signer_serial': {'value': params['signer_serial'], 'include': True}, + 'backup': {'value': params['backup'], 'include': False}, }) server_cert = CAServerCert(config) @@ -1429,7 +1447,7 @@ def main(): state=dict(default='present', type='str', choices=['present']), debug=dict(default=False, type='bool'), kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), - cmd=dict(default=None, require=True, type='str'), + backup=dict(default=True, type='bool'), # oadm ca create-server-cert [options] cert=dict(default=None, type='str'), key=dict(default=None, type='str'), diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py index 3518a2de4..367f6d932 100644 --- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py @@ -11,7 +11,7 @@ def main(): state=dict(default='present', type='str', choices=['present']), debug=dict(default=False, type='bool'), kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), - cmd=dict(default=None, require=True, type='str'), + backup=dict(default=True, type='bool'), # oadm ca create-server-cert [options] cert=dict(default=None, type='str'), key=dict(default=None, type='str'), diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index 7f9ff9e1d..ee6cd4a29 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -33,6 +33,17 @@ class CAServerCert(OpenShiftCLI): def create(self): '''run openshift oc adm ca create-server-cert cmd''' + + # Added this here as a safegaurd for stomping on the + # cert and key files if they exist + if self.config.config_options['backup']['value']: + if os.path.exists(self.config.config_options['key']['value']): + shutil.copy(self.config.config_options['key']['value'], + "%s.orig" % self.config.config_options['key']['value']) + if os.path.exists(self.config.config_options['cert']['value']): + shutil.copy(self.config.config_options['cert']['value'], + "%s.orig" % self.config.config_options['cert']['value']) + options = self.config.to_option_list() cmd = ['ca', 'create-server-cert'] @@ -72,6 +83,7 @@ class CAServerCert(OpenShiftCLI): 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, 'signer_serial': {'value': params['signer_serial'], 'include': True}, + 'backup': {'value': params['backup'], 'include': False}, }) server_cert = CAServerCert(config) diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index bb57a3e11..58720b09f 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -73,6 +73,12 @@ options: required: false default: None aliases: [] + backup: + description: + - Whether to backup the cert and key files before writing them. + required: false + default: True + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] -- cgit v1.2.3 From 3effaa96c8e843a5820b98cf9c2dab608481c259 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 21 Feb 2017 20:15:28 -0500 Subject: Added backup feature. Fixed a bug with reading the certificate and verifying names. Added force option. --- roles/lib_openshift/library/oadm_manage_node.py | 2 + .../lib_openshift/library/oc_adm_ca_server_cert.py | 44 ++++++++++++++++------ roles/lib_openshift/library/oc_edit.py | 2 + roles/lib_openshift/library/oc_env.py | 2 + roles/lib_openshift/library/oc_label.py | 2 + roles/lib_openshift/library/oc_obj.py | 2 + roles/lib_openshift/library/oc_process.py | 2 + roles/lib_openshift/library/oc_route.py | 2 + roles/lib_openshift/library/oc_scale.py | 2 + roles/lib_openshift/library/oc_secret.py | 2 + roles/lib_openshift/library/oc_service.py | 2 + roles/lib_openshift/library/oc_serviceaccount.py | 2 + .../library/oc_serviceaccount_secret.py | 2 + roles/lib_openshift/library/oc_version.py | 2 + .../src/ansible/oc_adm_ca_server_cert.py | 2 +- .../src/class/oc_adm_ca_server_cert.py | 36 +++++++++++++----- roles/lib_openshift/src/doc/ca_server_cert | 4 +- roles/lib_openshift/src/lib/import.py | 2 + 18 files changed, 90 insertions(+), 24 deletions(-) diff --git a/roles/lib_openshift/library/oadm_manage_node.py b/roles/lib_openshift/library/oadm_manage_node.py index 0ac233c72..d0bf553ae 100644 --- a/roles/lib_openshift/library/oadm_manage_node.py +++ b/roles/lib_openshift/library/oadm_manage_node.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 9c57435e7..8872cda3a 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re @@ -94,9 +96,9 @@ options: required: false default: None aliases: [] - overwrite: + force: description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. + - Force updating of the existing cert and key files required: false default: False aliases: [] @@ -1355,12 +1357,15 @@ class CAServerCert(OpenShiftCLI): # Added this here as a safegaurd for stomping on the # cert and key files if they exist if self.config.config_options['backup']['value']: + ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time())) + date_str = "%s_" + "%s" % ext + if os.path.exists(self.config.config_options['key']['value']): shutil.copy(self.config.config_options['key']['value'], - "%s.orig" % self.config.config_options['key']['value']) + date_str % self.config.config_options['key']['value']) if os.path.exists(self.config.config_options['cert']['value']): shutil.copy(self.config.config_options['cert']['value'], - "%s.orig" % self.config.config_options['cert']['value']) + date_str % self.config.config_options['cert']['value']) options = self.config.to_option_list() @@ -1378,13 +1383,28 @@ class CAServerCert(OpenShiftCLI): # Would prefer pyopenssl but is not installed. # When we verify it is, switch this code - proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + # Here is the code to get the subject and the SAN + # openssl x509 -text -noout -certopt \ + # no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux \ + # -in /etc/origin/master/registry.crt + # Instead of this solution we will use a regex. + cert_names = [] + hostnames = self.config.config_options['hostnames']['value'].split(',') + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, _ = proc.communicate() + + x509output, _ = proc.communicate() if proc.returncode == 0: - for var in self.config.config_options['hostnames']['value'].split(','): - if var in stdout: - return True + regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE) + match = regex.search(x509output) # E501 + for entry in re.split(r", *", match.group(1)): + if entry.startswith('DNS') or entry.startswith('IP Address'): + cert_names.append(entry.split(':')[1]) + # now that we have cert names let's compare + cert_set = set(cert_names) + hname_set = set(hostnames) + if cert_set.issubset(hname_set) and hname_set.issubset(cert_set): + return True return False @@ -1396,7 +1416,7 @@ class CAServerCert(OpenShiftCLI): params['debug'], {'cert': {'value': params['cert'], 'include': True}, 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, - 'overwrite': {'value': params['overwrite'], 'include': True}, + 'overwrite': {'value': True, 'include': True}, 'key': {'value': params['key'], 'include': True}, 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, @@ -1412,7 +1432,7 @@ class CAServerCert(OpenShiftCLI): ######## # Create ######## - if not server_cert.exists() or params['overwrite']: + if not server_cert.exists() or params['force']: if check_mode: return {'changed': True, @@ -1455,7 +1475,7 @@ def main(): signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), - overwrite=dict(default=False, type='bool'), + force=dict(default=False, type='bool'), ), supports_check_mode=True, ) diff --git a/roles/lib_openshift/library/oc_edit.py b/roles/lib_openshift/library/oc_edit.py index 1b1faf496..2ead608ac 100644 --- a/roles/lib_openshift/library/oc_edit.py +++ b/roles/lib_openshift/library/oc_edit.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_env.py b/roles/lib_openshift/library/oc_env.py index 7c2ccb98f..49a03b0a7 100644 --- a/roles/lib_openshift/library/oc_env.py +++ b/roles/lib_openshift/library/oc_env.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_label.py b/roles/lib_openshift/library/oc_label.py index 0db8585a4..4bb67b2b5 100644 --- a/roles/lib_openshift/library/oc_label.py +++ b/roles/lib_openshift/library/oc_label.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py index 6d0b391b9..a9bec980c 100644 --- a/roles/lib_openshift/library/oc_obj.py +++ b/roles/lib_openshift/library/oc_obj.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py index a1ee79f6e..2565bd895 100644 --- a/roles/lib_openshift/library/oc_process.py +++ b/roles/lib_openshift/library/oc_process.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py index 4b5c4460c..b1f97505e 100644 --- a/roles/lib_openshift/library/oc_route.py +++ b/roles/lib_openshift/library/oc_route.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_scale.py b/roles/lib_openshift/library/oc_scale.py index a37b2aba0..babf489ad 100644 --- a/roles/lib_openshift/library/oc_scale.py +++ b/roles/lib_openshift/library/oc_scale.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py index c423e9442..020d1a89f 100644 --- a/roles/lib_openshift/library/oc_secret.py +++ b/roles/lib_openshift/library/oc_secret.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_service.py b/roles/lib_openshift/library/oc_service.py index 319ec4bd7..99829a5e2 100644 --- a/roles/lib_openshift/library/oc_service.py +++ b/roles/lib_openshift/library/oc_service.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_serviceaccount.py b/roles/lib_openshift/library/oc_serviceaccount.py index 0d1705414..ec2c24983 100644 --- a/roles/lib_openshift/library/oc_serviceaccount.py +++ b/roles/lib_openshift/library/oc_serviceaccount.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_serviceaccount_secret.py b/roles/lib_openshift/library/oc_serviceaccount_secret.py index 5f07528a0..1c7855f37 100644 --- a/roles/lib_openshift/library/oc_serviceaccount_secret.py +++ b/roles/lib_openshift/library/oc_serviceaccount_secret.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/library/oc_version.py b/roles/lib_openshift/library/oc_version.py index 9b660e1d3..8916dc0e0 100644 --- a/roles/lib_openshift/library/oc_version.py +++ b/roles/lib_openshift/library/oc_version.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py index 367f6d932..197095cac 100644 --- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py @@ -19,7 +19,7 @@ def main(): signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), - overwrite=dict(default=False, type='bool'), + force=dict(default=False, type='bool'), ), supports_check_mode=True, ) diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index ee6cd4a29..c0e7f292a 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -37,12 +37,15 @@ class CAServerCert(OpenShiftCLI): # Added this here as a safegaurd for stomping on the # cert and key files if they exist if self.config.config_options['backup']['value']: + ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time())) + date_str = "%s_" + "%s" % ext + if os.path.exists(self.config.config_options['key']['value']): shutil.copy(self.config.config_options['key']['value'], - "%s.orig" % self.config.config_options['key']['value']) + date_str % self.config.config_options['key']['value']) if os.path.exists(self.config.config_options['cert']['value']): shutil.copy(self.config.config_options['cert']['value'], - "%s.orig" % self.config.config_options['cert']['value']) + date_str % self.config.config_options['cert']['value']) options = self.config.to_option_list() @@ -60,13 +63,28 @@ class CAServerCert(OpenShiftCLI): # Would prefer pyopenssl but is not installed. # When we verify it is, switch this code - proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + # Here is the code to get the subject and the SAN + # openssl x509 -text -noout -certopt \ + # no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux \ + # -in /etc/origin/master/registry.crt + # Instead of this solution we will use a regex. + cert_names = [] + hostnames = self.config.config_options['hostnames']['value'].split(',') + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, _ = proc.communicate() + + x509output, _ = proc.communicate() if proc.returncode == 0: - for var in self.config.config_options['hostnames']['value'].split(','): - if var in stdout: - return True + regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE) + match = regex.search(x509output) # E501 + for entry in re.split(r", *", match.group(1)): + if entry.startswith('DNS') or entry.startswith('IP Address'): + cert_names.append(entry.split(':')[1]) + # now that we have cert names let's compare + cert_set = set(cert_names) + hname_set = set(hostnames) + if cert_set.issubset(hname_set) and hname_set.issubset(cert_set): + return True return False @@ -78,7 +96,7 @@ class CAServerCert(OpenShiftCLI): params['debug'], {'cert': {'value': params['cert'], 'include': True}, 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, - 'overwrite': {'value': params['overwrite'], 'include': True}, + 'overwrite': {'value': True, 'include': True}, 'key': {'value': params['key'], 'include': True}, 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, @@ -94,7 +112,7 @@ class CAServerCert(OpenShiftCLI): ######## # Create ######## - if not server_cert.exists() or params['overwrite']: + if not server_cert.exists() or params['force']: if check_mode: return {'changed': True, diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index 58720b09f..a8034158e 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -43,9 +43,9 @@ options: required: false default: None aliases: [] - overwrite: + force: description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. + - Force updating of the existing cert and key files required: false default: False aliases: [] diff --git a/roles/lib_openshift/src/lib/import.py b/roles/lib_openshift/src/lib/import.py index a79297898..9a1fc6ef7 100644 --- a/roles/lib_openshift/src/lib/import.py +++ b/roles/lib_openshift/src/lib/import.py @@ -8,6 +8,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re -- cgit v1.2.3 From 9c49ba4bb0b69604e98fc3dda65f8ccd40f19552 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 22 Feb 2017 11:19:51 -0500 Subject: Removing reference to oadm. Moved parameter under general params. --- roles/lib_openshift/library/oc_adm_ca_server_cert.py | 4 ++-- roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 8872cda3a..ffb649eb7 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -1468,14 +1468,14 @@ def main(): debug=dict(default=False, type='bool'), kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), backup=dict(default=True, type='bool'), - # oadm ca create-server-cert [options] + force=dict(default=False, type='bool'), + # oc adm ca create-server-cert [options] cert=dict(default=None, type='str'), key=dict(default=None, type='str'), signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'), signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), - force=dict(default=False, type='bool'), ), supports_check_mode=True, ) diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py index 197095cac..c80c2eb44 100644 --- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py @@ -12,14 +12,14 @@ def main(): debug=dict(default=False, type='bool'), kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), backup=dict(default=True, type='bool'), - # oadm ca create-server-cert [options] + force=dict(default=False, type='bool'), + # oc adm ca create-server-cert [options] cert=dict(default=None, type='str'), key=dict(default=None, type='str'), signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'), signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), - force=dict(default=False, type='bool'), ), supports_check_mode=True, ) -- cgit v1.2.3 From 5fabd910189a125df2943ef8092ff492f90617a1 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 22 Feb 2017 12:53:21 -0500 Subject: Moving import to local class. --- roles/lib_openshift/library/oadm_manage_node.py | 2 -- roles/lib_openshift/library/oc_adm_ca_server_cert.py | 3 +-- roles/lib_openshift/library/oc_edit.py | 2 -- roles/lib_openshift/library/oc_env.py | 2 -- roles/lib_openshift/library/oc_label.py | 2 -- roles/lib_openshift/library/oc_obj.py | 2 -- roles/lib_openshift/library/oc_process.py | 2 -- roles/lib_openshift/library/oc_route.py | 2 -- roles/lib_openshift/library/oc_scale.py | 2 -- roles/lib_openshift/library/oc_secret.py | 2 -- roles/lib_openshift/library/oc_service.py | 2 -- roles/lib_openshift/library/oc_serviceaccount.py | 2 -- roles/lib_openshift/library/oc_serviceaccount_secret.py | 2 -- roles/lib_openshift/library/oc_version.py | 2 -- roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 1 + roles/lib_openshift/src/lib/import.py | 2 -- 16 files changed, 2 insertions(+), 30 deletions(-) diff --git a/roles/lib_openshift/library/oadm_manage_node.py b/roles/lib_openshift/library/oadm_manage_node.py index d0bf553ae..0ac233c72 100644 --- a/roles/lib_openshift/library/oadm_manage_node.py +++ b/roles/lib_openshift/library/oadm_manage_node.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index ffb649eb7..2b6ee53aa 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re @@ -1357,6 +1355,7 @@ class CAServerCert(OpenShiftCLI): # Added this here as a safegaurd for stomping on the # cert and key files if they exist if self.config.config_options['backup']['value']: + import time ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time())) date_str = "%s_" + "%s" % ext diff --git a/roles/lib_openshift/library/oc_edit.py b/roles/lib_openshift/library/oc_edit.py index 2ead608ac..1b1faf496 100644 --- a/roles/lib_openshift/library/oc_edit.py +++ b/roles/lib_openshift/library/oc_edit.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_env.py b/roles/lib_openshift/library/oc_env.py index 49a03b0a7..7c2ccb98f 100644 --- a/roles/lib_openshift/library/oc_env.py +++ b/roles/lib_openshift/library/oc_env.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_label.py b/roles/lib_openshift/library/oc_label.py index 4bb67b2b5..0db8585a4 100644 --- a/roles/lib_openshift/library/oc_label.py +++ b/roles/lib_openshift/library/oc_label.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py index a9bec980c..6d0b391b9 100644 --- a/roles/lib_openshift/library/oc_obj.py +++ b/roles/lib_openshift/library/oc_obj.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py index 2565bd895..a1ee79f6e 100644 --- a/roles/lib_openshift/library/oc_process.py +++ b/roles/lib_openshift/library/oc_process.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py index b1f97505e..4b5c4460c 100644 --- a/roles/lib_openshift/library/oc_route.py +++ b/roles/lib_openshift/library/oc_route.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_scale.py b/roles/lib_openshift/library/oc_scale.py index babf489ad..a37b2aba0 100644 --- a/roles/lib_openshift/library/oc_scale.py +++ b/roles/lib_openshift/library/oc_scale.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py index 020d1a89f..c423e9442 100644 --- a/roles/lib_openshift/library/oc_secret.py +++ b/roles/lib_openshift/library/oc_secret.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_service.py b/roles/lib_openshift/library/oc_service.py index 99829a5e2..319ec4bd7 100644 --- a/roles/lib_openshift/library/oc_service.py +++ b/roles/lib_openshift/library/oc_service.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_serviceaccount.py b/roles/lib_openshift/library/oc_serviceaccount.py index ec2c24983..0d1705414 100644 --- a/roles/lib_openshift/library/oc_serviceaccount.py +++ b/roles/lib_openshift/library/oc_serviceaccount.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_serviceaccount_secret.py b/roles/lib_openshift/library/oc_serviceaccount_secret.py index 1c7855f37..5f07528a0 100644 --- a/roles/lib_openshift/library/oc_serviceaccount_secret.py +++ b/roles/lib_openshift/library/oc_serviceaccount_secret.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/library/oc_version.py b/roles/lib_openshift/library/oc_version.py index 8916dc0e0..9b660e1d3 100644 --- a/roles/lib_openshift/library/oc_version.py +++ b/roles/lib_openshift/library/oc_version.py @@ -34,8 +34,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index c0e7f292a..6ed1f2f35 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -37,6 +37,7 @@ class CAServerCert(OpenShiftCLI): # Added this here as a safegaurd for stomping on the # cert and key files if they exist if self.config.config_options['backup']['value']: + import time ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time())) date_str = "%s_" + "%s" % ext diff --git a/roles/lib_openshift/src/lib/import.py b/roles/lib_openshift/src/lib/import.py index 9a1fc6ef7..a79297898 100644 --- a/roles/lib_openshift/src/lib/import.py +++ b/roles/lib_openshift/src/lib/import.py @@ -8,8 +8,6 @@ from __future__ import print_function import atexit import copy -# pylint: disable=unused-import -import time import json import os import re -- cgit v1.2.3