From 6d7ca91fc4ddd7b40c8b7e9983a9a4b475f72214 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraci=20Paix=C3=A3o=20Kr=C3=B6hling?=
Date: Wed, 15 Mar 2017 10:23:20 +0100
Subject: Switched Cassandra to use certificates generated by OpenShift

---
 roles/openshift_metrics/files/import_jks_certs.sh | 55 +---------------------
 .../tasks/generate_hawkular_certificates.yaml | 51 ++++++--------------
 .../openshift_metrics/tasks/import_jks_certs.yaml | 19 +-------
 .../templates/hawkular_cassandra_rc.j2 | 25 +++++-----
 roles/openshift_metrics/templates/secret.j2 | 6 +++
 5 files changed, 34 insertions(+), 122 deletions(-)

diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh
index c8d5bb3d2..b2537f448 100755
--- a/roles/openshift_metrics/files/import_jks_certs.sh
+++ b/roles/openshift_metrics/files/import_jks_certs.sh
@@ -21,11 +21,7 @@ set -ex
 function import_certs() {
 dir=$CERT_DIR
 hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d)
- hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d)
 hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d)
- hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d)
-
- cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'`
 hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'`
 if [ ! -f $dir/hawkular-metrics.keystore ]; then
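Review bot: The passwords the surviving lines decode are still exposed through the `set -ex` shown in the hunk context: xtrace prints the expanded result of `hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d)` and the `-storepass ${hawkular_metrics_truststore_password}` argument on the `hawkular_alias=` line, and that argv is also visible to `ps` for as long as keytool runs. Drop `-x` (`set -e`) or bracket the keytool calls with `set +x`/`set -x`, and, if the JDK in use supports it, move the password off argv with keytool's env form, e.g. `HM_TS_PASS=$hawkular_metrics_truststore_password keytool -noprompt -list -keystore "$dir/hawkular-metrics.truststore" -storepass:env HM_TS_PASS`. The `$METRICS_KEYSTORE_PASSWD`, `$METRICS_TRUSTSTORE_PASSWD` and `$dir` expansions should be double-quoted as well. import_certs continues past the end of the hunk.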
@@ -39,56 +35,7 @@ function import_certs() { -deststorepass $hawkular_metrics_keystore_password fi - if [ ! -f $dir/hawkular-cassandra.keystore ]; then - echo "Creating the Hawkular Cassandra keystore from the PEM file" - keytool -importkeystore -v \ - -srckeystore $dir/hawkular-cassandra.pkcs12 \ - -destkeystore $dir/hawkular-cassandra.keystore \ - -srcstoretype PKCS12 \ - -deststoretype JKS \ - -srcstorepass $hawkular_cassandra_keystore_password \ - -deststorepass $hawkular_cassandra_keystore_password - fi - - if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then - echo "Importing the Hawkular Certificate into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \ - -file $dir/hawkular-metrics.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - - if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then - echo "Importing the Cassandra Certificate into the Hawkular Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ - -file $dir/hawkular-cassandra.crt \ - -keystore $dir/hawkular-metrics.truststore \ - -trustcacerts \ - -storepass $hawkular_metrics_truststore_password - fi - - if [[ ! ${cassandra_alias[*]} =~ hawkular-cassandra ]]; then - echo "Importing the Hawkular Cassandra Certificate into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ - -file $dir/hawkular-cassandra.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - - cert_alias_names=(ca metricca cassandraca) - - for cert_alias in ${cert_alias_names[*]}; do - if [[ ! 
${cassandra_alias[*]} =~ "$cert_alias" ]]; then - echo "Importing the CA Certificate with alias $cert_alias into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias $cert_alias \ - -file ${dir}/ca.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - done + cert_alias_names=(ca metricca) for cert_alias in ${cert_alias_names[*]}; do if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 61a240a33..01fc1ef64 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,9 +13,6 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd - register: cassandra_truststore_password - - slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password @@ -67,11 +64,8 @@ - hawkular-metrics.pwd - hawkular-metrics.htpasswd - hawkular-cassandra.crt + - hawkular-cassandra.key - hawkular-cassandra.pem - - hawkular-cassandra.keystore - - hawkular-cassandra-keystore.pwd - - hawkular-cassandra.truststore - - hawkular-cassandra-truststore.pwd changed_when: false - set_fact: 
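Review bot: The alias check kept on the new side, `[[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]`, is an unanchored substring match, so with the new `cert_alias_names=(ca metricca)` the `ca` entry is treated as already present as soon as any alias containing "ca" exists (`metricca` itself, or a leftover `hawkular-cassandra` alias) and that CA import is silently skipped. Match whole lines of the keytool listing instead: `if ! grep -qxF -- "$cert_alias" <<<"$hawkular_alias"; then`. The loop body and the rest of import_certs continue past the end of the hunk.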
@@ -136,38 +130,21 @@ - name: generate cassandra secret template template: src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-certs.yaml" vars: - name: hawkular-cassandra-secrets + name: hawkular-cassandra-certs labels: - metrics-infra: hawkular-cassandra + metrics-infra: hawkular-cassandra-certs + annotations: + service.alpha.openshift.io/originating-service-name: hawkular-cassandra data: - cassandra.keystore: > - {{ hawkular_secrets['hawkular-cassandra.keystore'] }} - cassandra.keystore.password: > - {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }} - cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" - cassandra.truststore: > - {{ hawkular_secrets['hawkular-cassandra.truststore'] }} - cassandra.truststore.password: > - {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }} - cassandra.pem: > - {{ hawkular_secrets['hawkular-cassandra.pem'] }} - when: name not in metrics_secrets - changed_when: no - -- name: generate cassandra-certificate secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" - vars: - name: hawkular-cassandra-certificate - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.certificate: > + tls.crt: > {{ hawkular_secrets['hawkular-cassandra.crt'] }} - cassandra-ca.certificate: > - {{ hawkular_secrets['hawkular-cassandra.pem'] }} - when: name not in metrics_secrets.stdout_lines + tls.key: > + {{ hawkular_secrets['hawkular-cassandra.key'] }} + tls.peer.truststore.crt: > + {{ hawkular_secrets['hawkular-cassandra.crt'] }} + tls.client.truststore.crt: > + {{ hawkular_secrets['hawkular-metrics.crt'] }} + when: name not in metrics_secrets changed_when: no diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml index 2a67dad0e..e098145e9 100644 --- a/roles/openshift_metrics/tasks/import_jks_certs.yaml 
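Review bot: The kept task's guard is `when: name not in metrics_secrets`, while the removed `hawkular-cassandra-certificate` task tested `metrics_secrets.stdout_lines`; if `metrics_secrets` is a registered command result (its registration is outside the hunk), `name not in metrics_secrets` tests the result dict's keys, is always true, and the secret is re-rendered on every run. Use one consistent form, e.g. `when: name not in metrics_secrets.stdout_lines`. Since `tls.key` now carries the Cassandra private key, the task should also get `no_log: true` so the rendered data does not land in Ansible output on failure or at higher verbosity. Pre-annotating a role-generated secret with `service.alpha.openshift.io/originating-service-name` makes it look like the service-serving-cert controller created it; if that controller is active on the cluster it may treat the secret as its own, so a comment on the `annotations:` line explaining the intent would help the next maintainer.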
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml @@ -1,12 +1,4 @@ --- -- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore" - register: cassandra_keystore - check_mode: no - -- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore" - register: cassandra_truststore - check_mode: no - - stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore" register: metrics_keystore check_mode: no @@ -19,9 +11,6 @@ - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd register: metrics_keystore_password - - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd - register: cassandra_keystore_password - - fetch: dest: "{{local_tmp.stdout}}/" src: "{{ mktemp.stdout }}/{{item}}" @@ -29,18 +18,14 @@ changed_when: False with_items: - hawkular-metrics.pkcs12 - - hawkular-cassandra.pkcs12 - hawkular-metrics.crt - - hawkular-cassandra.crt - ca.crt - local_action: command {{role_path}}/files/import_jks_certs.sh environment: CERT_DIR: "{{local_tmp.stdout}}" METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}" - CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}" METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}" - CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}" changed_when: False - copy: @@ -49,6 +34,4 @@ with_fileglob: "{{local_tmp.stdout}}/*.*store" when: not metrics_keystore.stat.exists or - not metrics_truststore.stat.exists or - not cassandra_keystore.stat.exists or - not cassandra_truststore.stat.exists + not metrics_truststore.stat.exists diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 504476dc4..889317847 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 
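Review bot: The `local_action: command` task still hands both keystore passwords to the script through `environment:` (`METRICS_KEYSTORE_PASSWD`, `METRICS_TRUSTSTORE_PASSWD`), and that script runs under `set -ex`, so the stderr trace Ansible captures into the task result contains the decoded passwords; nothing visible in the hunk marks the task `no_log: true`. Add `no_log: true` under `- local_action: command {{role_path}}/files/import_jks_certs.sh`, and consider the same for the `slurp` that registers `metrics_keystore_password`, which begins before this hunk. The `- copy:` task at the end of the hunk has its body outside it.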
@@ -48,11 +48,6 @@ spec: - "--require_node_auth=true" - "--enable_client_encryption=true" - "--require_client_auth=true" - - "--keystore_file=/secret/cassandra.keystore" - - "--keystore_password_file=/secret/cassandra.keystore.password" - - "--truststore_file=/secret/cassandra.truststore" - - "--truststore_password_file=/secret/cassandra.truststore.password" - - "--cassandra_pem_file=/secret/cassandra.pem" env: - name: CASSANDRA_MASTER value: "{{ master }}" @@ -60,6 +55,10 @@ spec: value: "/cassandra_data" - name: JVM_OPTS value: "-Dcassandra.commitlog.ignorereplayerrors=true" + - name: TRUSTSTORE_NODES_AUTHORITIES + value: "/hawkular-cassandra-certs/tls.peer.truststore.crt" + - name: TRUSTSTORE_CLIENT_AUTHORITIES + value: "/hawkular-cassandra-certs/tls.client.truststore.crt" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -76,12 +75,12 @@ spec: volumeMounts: - name: cassandra-data mountPath: "/cassandra_data" - - name: hawkular-cassandra-secrets - mountPath: "/secret" -{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) + - name: hawkular-cassandra-certs + mountPath: "/hawkular-cassandra-certs" +{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none) or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none) - or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) + or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) %} resources: {% if (openshift_metrics_cassandra_limits_cpu is not none 
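Review bot: After `--keystore_file`, `--keystore_password_file`, `--truststore_file`, `--truststore_password_file` and `--cassandra_pem_file` are removed, nothing in the template says where Cassandra now finds its own certificate and key, while `--require_node_auth=true`, `--enable_client_encryption=true` and `--require_client_auth=true` are kept; presumably the image reads `tls.crt`/`tls.key` from the `/hawkular-cassandra-certs` mount by convention, but that contract is only implied by the mount path and the two `TRUSTSTORE_*` variables added in the next hunk. Add a comment above `env:` naming it, e.g. `# image reads tls.crt/tls.key from the /hawkular-cassandra-certs mount; TRUSTSTORE_* point at the peer/client trust bundles in the same secret`. Note also that `TRUSTSTORE_CLIENT_AUTHORITIES` appears to point at the hawkular-metrics server certificate itself rather than a CA, so rotating that certificate requires regenerating this secret too. The container spec continues outside the hunk.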
@@ -95,8 +94,8 @@ spec: memory: "{{openshift_metrics_cassandra_limits_memory}}" {% endif %} {% endif %} -{% if (openshift_metrics_cassandra_requests_cpu is not none - or openshift_metrics_cassandra_requests_memory is not none) +{% if (openshift_metrics_cassandra_requests_cpu is not none + or openshift_metrics_cassandra_requests_memory is not none) %} requests: {% if openshift_metrics_cassandra_requests_cpu is not none %} @@ -129,6 +128,6 @@ spec: persistentVolumeClaim: claimName: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ node }}" {% endif %} - - name: hawkular-cassandra-secrets + - name: hawkular-cassandra-certs secret: - secretName: hawkular-cassandra-secrets + secretName: hawkular-cassandra-certs diff --git a/roles/openshift_metrics/templates/secret.j2 b/roles/openshift_metrics/templates/secret.j2 index 370890c7d..5b9dba122 100644 --- a/roles/openshift_metrics/templates/secret.j2 +++ b/roles/openshift_metrics/templates/secret.j2 @@ -2,6 +2,12 @@ apiVersion: v1 kind: Secret metadata: name: "{{ name }}" +{% if annotations is defined%} + annotations: +{% for key, value in annotations.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} labels: {% for k, v in labels.iteritems() %} {{ k }}: {{ v }} -- cgit v1.2.3
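Review bot: The new annotations loop emits `{{key}}: {{value}}` unquoted, so an annotation value containing `: `, `#` or a leading special character would produce invalid YAML or a different scalar type; the one value used so far (`hawkular-cassandra`) is safe, but the template is generic. Quote the value, `{{ key }}: "{{ value }}"`, and add the missing space in `{% if annotations is defined%}` so it reads `{% if annotations is defined %}` like the rest of the file. `iteritems()` is Python-2-only, consistent with the existing labels loop, but will need `items()` when the role moves to Python 3.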