From 5ff3071297b0bd91e5135bbe9def3a59dadfe885 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 09:34:10 -0500 Subject: Rename of oadm_ca to oc_adm_ca. Decided to whittle down to the direct call, server_cert. --- roles/lib_openshift/src/doc/ca_server_cert | 141 +++++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100644 roles/lib_openshift/src/doc/ca_server_cert (limited to 'roles/lib_openshift/src/doc/ca_server_cert') diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert new file mode 100644 index 000000000..bf299f0cb --- /dev/null +++ b/roles/lib_openshift/src/doc/ca_server_cert 
@@ -0,0 +1,141 @@ +# flake8: noqa +# pylint: skip-file + +DOCUMENTATION = ''' +--- +module: oadm_ca +short_description: Module to manage openshift certificate authority +description: + - Wrapper around the openshift `oc adm ca` command. +options: + state: + description: + - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate + - When create-master-certs is desired then the following parameters are passed. + - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] + - When create-key-pair is desired then the following parameters are passed. + - ['private_key', 'public_key'] + - When create-server-cert is desired then the following parameters are passed. + - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] + required: false + default: present + choices: + - present + aliases: [] + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + cmd: + description: + - The sub command given for `oc adm ca` + required: false + default: None + choices: + - create-master-certs + - create-key-pair + - create-server-cert + aliases: [] + cert_dir: + description: + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. + required: false + default: False + aliases: [] + signer_cert: + description: + - The signer certificate file. 
+ required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key +''' -- cgit v1.2.3 From f3cafbe005d54aaea6e46f2f348b092e430531f2 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 09:42:07 -0500 Subject: Removing cmd, fixed docs and comments. --- roles/lib_openshift/src/doc/ca_server_cert | 61 +++--------------------------- 1 file changed, 5 insertions(+), 56 deletions(-) (limited to 'roles/lib_openshift/src/doc/ca_server_cert') 
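Review bot: The `state` description's parameter list for create-server-cert, `['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']`, omits `hostnames`, even though the `hostnames` option is documented as the names the server cert must be valid for and the EXAMPLES task passes it together with `cmd: create-server-cert`; the list should read `- ['cert', 'key', 'hostnames', 'signer_cert', 'signer_key', 'signer_serial']`. The many `default: None` entries are read by a YAML loader as the string "None" rather than a null, so ansible-doc will print a literal None; Ansible's documentation convention is to omit `default` (or write `null`), and `default: False` is conventionally written as lowercase `false`. The `key` option documents a private-key output path but says nothing about the file mode the written key gets; if that is left to `oc adm ca` by the implementation (which lives in a separate source file), a sentence saying so would let operators know what to check after the task runs.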
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index bf299f0cb..401caf1fc 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -3,18 +3,15 @@ DOCUMENTATION = ''' --- -module: oadm_ca -short_description: Module to manage openshift certificate authority +module: oc_adm_ca_server_cert +short_description: Module to run openshift oc adm ca create-server-cert description: - - Wrapper around the openshift `oc adm ca` command. + - Wrapper around the openshift `oc adm ca create-server-cert` command. options: state: description: - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] + - and verify if the hostnames and the ClusterIP exists in the certificate. - When create-server-cert is desired then the following parameters are passed. - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false @@ -34,22 +31,6 @@ options: required: false default: False aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] cert: description: - The certificate file. Choose a name that indicates what the service is. 
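Review bot: The new `state` description line `- and verify if the hostnames and the ClusterIP exists in the certificate.` introduces ClusterIP, which is not an option of this module, and a reader cannot tell which service's ClusterIP is meant or where it is obtained; it also has a number-agreement slip. I would write `- and verify that the hostnames and the ClusterIP exist in the certificate.` and add to the `hostnames` description where the ClusterIP comes from, if the implementation looks one up. The preceding line still says that `oc adm ca` generates the certificate; now that the module is tied to one subcommand, `oc adm ca create-server-cert` would be the precise wording. The deletion hunk at `@@ -34,22 +31,6 @@` on this line needs no comment.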
@@ -86,43 +67,12 @@ options: required: false default: None aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - hostnames: description: - Every hostname or IP that server certs should be valid for (comma-delimited list) required: false default: None aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] @@ -130,8 +80,7 @@ extends_documentation_fragment: [] EXAMPLES = ''' - name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert + oc_adm_ca_server_cert: signer_cert: /etc/origin/master/ca.crt signer_key: /etc/origin/master/ca.key signer_serial: /etc/origin/master/ca.serial.txt -- cgit v1.2.3 From a330de2153a66c458a21fd506c3220a4b3acd563 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 15:46:06 -0500 Subject: Updated doc and defined defaults for signer_* --- roles/lib_openshift/src/doc/ca_server_cert | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'roles/lib_openshift/src/doc/ca_server_cert') diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index 401caf1fc..bb57a3e11 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert 
@@ -53,19 +53,19 @@ options: description: - The signer certificate file. required: false - default: None + default: /etc/origin/master/ca.crt aliases: [] signer_key: description: - The signer key file. required: false - default: None + default: /etc/origin/master/ca.key aliases: [] signer_serial: description: - The signer serial file. required: false - default: None + default: /etc/origin/master/ca.serial.txt aliases: [] hostnames: description: -- cgit v1.2.3 From 8200377dbb3d0e6aa2b35ea369cceb03976b508b Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 21 Feb 2017 10:26:17 -0500 Subject: Added copy support when modifying cert and key on existence --- roles/lib_openshift/src/doc/ca_server_cert | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'roles/lib_openshift/src/doc/ca_server_cert') diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index bb57a3e11..58720b09f 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -73,6 +73,12 @@ options: required: false default: None aliases: [] + backup: + description: + - Whether to backup the cert and key files before writing them. + required: false + default: True + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] -- cgit v1.2.3 From 3effaa96c8e843a5820b98cf9c2dab608481c259 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 21 Feb 2017 20:15:28 -0500 Subject: Added backup feature. Fixed a bug with reading the certificate and verifying names. Added force option. --- roles/lib_openshift/src/doc/ca_server_cert | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'roles/lib_openshift/src/doc/ca_server_cert') diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index 58720b09f..a8034158e 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert 
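Review bot: Giving `signer_cert`, `signer_key` and `signer_serial` defaults under /etc/origin/master/ means a task that omits them signs with whatever CA lives at those paths, and the task can only succeed on a host where that CA key is readable; the option descriptions should state this rather than leave it to the `default:` value. For `signer_key` I would write `- The signer key file. Defaults to the CA key under /etc/origin/master/, so the task must run on a host where that key is readable.` and phrase the other two the same way. The `state` description (outside this hunk) still says these parameters "are passed", which now holds whether or not the caller sets them; it could say they default to the master CA files.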
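Review bot: The `backup` description, `Whether to backup the cert and key files before writing them.`, does not say where the backup is written or what permissions it keeps, and because `key` is a private key the backup is a second copy of that key on disk that an operator needs to know about and eventually remove. I would write `- Whether to back up the existing cert and key files before writing them.` and add a sentence naming the backup's location and mode, taken from the copy logic in the implementation, which is not in this file. `default: True` is conventionally written as lowercase `true` in Ansible module documentation, as is `default: False` elsewhere in this file.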
@@ -43,9 +43,9 @@ options: required: false default: None aliases: [] - overwrite: + force: description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. + - Force updating of the existing cert and key files required: false default: False aliases: [] -- cgit v1.2.3
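Review bot: Renaming `overwrite` to `force` drops a documented option name with no alias, and the new description `Force updating of the existing cert and key files` no longer says what happens when it is false, which the old text did. If the module's argument spec (not in this file) still accepts the old name, record it here as `aliases: [overwrite]`; otherwise the commit message should call the rename out as breaking for existing playbooks. I would also write `- Force regeneration of the cert and key files even when the existing certificate passes the hostname check. When false, existing files are kept unless that check fails.` — the second sentence assumes the verification described under `state` is what decides a rewrite, which I cannot confirm from this file.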