From 0460d54961753bc3bdab4038a1946de08d11097c Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Sun, 12 Feb 2017 22:33:45 -0500
Subject: Adding oadm_ca to lib_openshift.
---
roles/lib_openshift/src/doc/certificate_authority | 96 +++++++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100644 roles/lib_openshift/src/doc/certificate_authority
(limited to 'roles/lib_openshift/src/doc')
diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority
new file mode 100644
index 000000000..be6861444
--- /dev/null
+++ b/roles/lib_openshift/src/doc/certificate_authority
@@ -0,0 +1,96 @@
+# flake8: noqa
+# pylint: skip-file
+
+DOCUMENTATION = '''
+---
+module: oc_secret
+short_description: Module to manage openshift certificate authority
+description:
+ - Wrapper around the openshift `oc adm ca` command.
+options:
+ state:
+ description:
+ - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
+ - When create-master-certs is desired then the following parameters are passed.
+ - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
+ - When create-key-pair is desired then the following parameters are passed.
+ - ['private_key', 'public_key']
+ - When create-server-cert is desired then the following parameters are passed.
+ - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
+ required: false
+ default: present
+ choices: ["present"]
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ cmd:
+ description:
+ - The sub command given for `oc adm ca`
+ required: false
+ default: None
+ choices:
+ - create-master-certs
+ - create-key-pair
+ - create-server-cert
+ aliases: []
+ cert_dir:
+ description:
+ - The directory to place the certificates.
+ required: false
+ default: False
+ aliases: []
+author:
+- "Kenny Woodson "
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: create secret
+ oc_secret:
+ state: present
+ namespace: openshift-infra
+ name: metrics-deployer
+ files:
+ - name: nothing
+ path: /dev/null
+ register: secretout
+ run_once: true
+
+- name: get ca from hawkular
+ oc_secret:
+ state: list
+ namespace: openshift-infra
+ name: hawkular-metrics-certificate
+ decode: True
+ register: hawkout
+ run_once: true
+
+- name: Create secrets
+ oc_secret:
+ namespace: mynamespace
+ name: mysecrets
+ contents:
+ - path: data.yml
+ data: "{{ data_content }}"
+ - path: auth-keys
+ data: "{{ auth_keys_content }}"
+ - path: configdata.yml
+ data: "{{ configdata_content }}"
+ - path: cert.crt
+ data: "{{ cert_content }}"
+ - path: key.pem
+ data: "{{ osso_site_key_content }}"
+ - path: ca.cert.pem
+ data: "{{ ca_cert_content }}"
+ register: secretout
+'''
-- cgit v1.2.3
From d517312b0b14c632d66edfe191269e732242a101 Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Wed, 15 Feb 2017 17:28:40 -0500
Subject: Fixing doc.
---
roles/lib_openshift/src/doc/certificate_authority | 127 +++++++++++++++-------
1 file changed, 86 insertions(+), 41 deletions(-)
(limited to 'roles/lib_openshift/src/doc')
diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority
index be6861444..bf299f0cb 100644
--- a/roles/lib_openshift/src/doc/certificate_authority
+++ b/roles/lib_openshift/src/doc/certificate_authority
@@ -3,7 +3,7 @@ DOCUMENTATION = ''' --- -module: oc_secret +module: oadm_ca short_description: Module to manage openshift certificate authority description: - Wrapper around the openshift `oc adm ca` command.
@@ -19,7 +19,8 @@ options: - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false default: present - choices: ["present"] + choices: + - present aliases: [] kubeconfig: description:
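Review bot: `default: None` under `cmd` is not a YAML null — YAML has no `None` literal, so the loaded default is the string "None", which is presumably not what the module's argument_spec defaults to; write `default: null` or omit the key, and spell the boolean defaults `false` rather than `False` (`debug`, and `cert_dir` in this hunk). The same spelling is repeated for every option added in the `@@ -45,52 +46,96 @@` hunk of "Fixing doc.", in the copied ca_server_cert file, and for `backup` and `force` in the last two commits, so one pass over the file would fix all of them.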
@@ -45,52 +46,96 @@ options: aliases: [] cert_dir: description: - - The directory to place the certificates. + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. required: false default: False aliases: [] + signer_cert: + description: + - The signer certificate file. + required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] ''' EXAMPLES = ''' -- name: create secret - oc_secret: - state: present - namespace: openshift-infra - name: metrics-deployer - files: - - name: nothing - path: /dev/null - register: secretout - 
run_once: true - -- name: get ca from hawkular - oc_secret: - state: list - namespace: openshift-infra - name: hawkular-metrics-certificate - decode: True - register: hawkout - run_once: true - -- name: Create secrets - oc_secret: - namespace: mynamespace - name: mysecrets - contents: - - path: data.yml - data: "{{ data_content }}" - - path: auth-keys - data: "{{ auth_keys_content }}" - - path: configdata.yml - data: "{{ configdata_content }}" - - path: cert.crt - data: "{{ cert_content }}" - - path: key.pem - data: "{{ osso_site_key_content }}" - - path: ca.cert.pem - data: "{{ ca_cert_content }}" - register: secretout +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key '''
-- cgit v1.2.3
From 5ff3071297b0bd91e5135bbe9def3a59dadfe885 Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Fri, 17 Feb 2017 09:34:10 -0500
Subject: Rename of oadm_ca to oc_adm_ca. Decided to whittle down to the direct call, server_cert.
---
roles/lib_openshift/src/doc/ca_server_cert | 141 ++++++++++++++++++++++
roles/lib_openshift/src/doc/certificate_authority | 141 ----------------------
2 files changed, 141 insertions(+), 141 deletions(-)
create mode 100644 roles/lib_openshift/src/doc/ca_server_cert
delete mode 100644 roles/lib_openshift/src/doc/certificate_authority
(limited to 'roles/lib_openshift/src/doc')
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
new file mode 100644
index 000000000..bf299f0cb
--- /dev/null
+++ b/roles/lib_openshift/src/doc/ca_server_cert
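Review bot: The example appended at the end of this hunk is titled `Create a self-signed cert`, yet it passes `signer_cert`, `signer_key` and `signer_serial`, so the certificate it produces is issued by the master CA rather than self-signed; that distinction decides whether clients can validate it against the cluster CA bundle, so the title misleads. Suggest `- name: Create a server cert signed by the master CA`; the same title is carried into ca_server_cert and the `@@ -130,8 +80,7 @@` hunk of "Removing cmd, fixed docs and comments.". In the option table, `signer_key` is described only as "The signer key file"; as it is the CA's private signing key, say so, e.g. `- The CA (signer) private key file used to sign the certificate.`, so a reader understands what access the play needs. The enclosing DOCUMENTATION string starts before this hunk.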
@@ -0,0 +1,141 @@
+# flake8: noqa
+# pylint: skip-file
+
+DOCUMENTATION = '''
+---
+module: oadm_ca
+short_description: Module to manage openshift certificate authority
+description:
+ - Wrapper around the openshift `oc adm ca` command.
+options:
+ state:
+ description:
+ - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
+ - When create-master-certs is desired then the following parameters are passed.
+ - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
+ - When create-key-pair is desired then the following parameters are passed.
+ - ['private_key', 'public_key']
+ - When create-server-cert is desired then the following parameters are passed.
+ - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
+ required: false
+ default: present
+ choices:
+ - present
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ cmd:
+ description:
+ - The sub command given for `oc adm ca`
+ required: false
+ default: None
+ choices:
+ - create-master-certs
+ - create-key-pair
+ - create-server-cert
+ aliases: []
+ cert_dir:
+ description:
+ - The certificate data directory.
+ required: false
+ default: None
+ aliases: []
+ cert:
+ description:
+ - The certificate file. Choose a name that indicates what the service is.
+ required: false
+ default: None
+ aliases: []
+ key:
+ description:
+ - The key file. Choose a name that indicates what the service is.
+ required: false
+ default: None
+ aliases: []
+ overwrite:
+ description:
+ - Overwrite existing cert files if found. If false, any existing file will be left as-is.
+ required: false
+ default: False
+ aliases: []
+ signer_cert:
+ description:
+ - The signer certificate file.
+ required: false
+ default: None
+ aliases: []
+ signer_key:
+ description:
+ - The signer key file.
+ required: false
+ default: None
+ aliases: []
+ signer_serial:
+ description:
+ - The signer serial file.
+ required: false
+ default: None
+ aliases: []
+ public_key:
+ description:
+ - The public key file used with create-key-pair
+ required: false
+ default: None
+ aliases: []
+ private_key:
+ description:
+ - The private key file used with create-key-pair
+ required: false
+ default: None
+ aliases: []
+
+ hostnames:
+ description:
+ - Every hostname or IP that server certs should be valid for (comma-delimited list)
+ required: false
+ default: None
+ aliases: []
+ master:
+ description:
+ - The API server's URL
+ required: false
+ default: None
+ aliases: []
+ public_master:
+ description:
+ - The API public facing server's URL (if applicable)
+ required: false
+ default: None
+ aliases: []
+ signer_name:
+ description:
+ - The name to use for the generated signer
+ required: false
+ default: None
+ aliases: []
+author:
+- "Kenny Woodson "
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: Create a self-signed cert
+ oadm_ca:
+ cmd: create-server-cert
+ signer_cert: /etc/origin/master/ca.crt
+ signer_key: /etc/origin/master/ca.key
+ signer_serial: /etc/origin/master/ca.serial.txt
+ hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local"
+ cert: /etc/origin/master/registry.crt
+ key: /etc/origin/master/registry.key
+'''
diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority
deleted file mode 100644
index bf299f0cb..000000000
--- a/roles/lib_openshift/src/doc/certificate_authority
+++ /dev/null
@@ -1,141 +0,0 @@ -# flake8: noqa -# pylint: skip-file - -DOCUMENTATION = ''' ---- -module: oadm_ca -short_description: Module to manage openshift certificate authority -description: - - Wrapper around the openshift `oc adm ca` command. -options: - state: - description: - - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] - - When create-server-cert is desired then the following parameters are passed. - - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] - required: false - default: present - choices: - - present - aliases: [] - kubeconfig: - description: - - The path for the kubeconfig file to use for authentication - required: false - default: /etc/origin/master/admin.kubeconfig - aliases: [] - debug: - description: - - Turn on debug output. - required: false - default: False - aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] - cert: - description: - - The certificate file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - key: - description: - - The key file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - overwrite: - description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. - required: false - default: False - aliases: [] - signer_cert: - description: - - The signer certificate file. 
- required: false - default: None - aliases: [] - signer_key: - description: - - The signer key file. - required: false - default: None - aliases: [] - signer_serial: - description: - - The signer serial file. - required: false - default: None - aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - - hostnames: - description: - - Every hostname or IP that server certs should be valid for (comma-delimited list) - required: false - default: None - aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] -author: -- "Kenny Woodson " -extends_documentation_fragment: [] -''' - -EXAMPLES = ''' -- name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert - signer_cert: /etc/origin/master/ca.crt - signer_key: /etc/origin/master/ca.key - signer_serial: /etc/origin/master/ca.serial.txt - hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" - cert: /etc/origin/master/registry.crt - key: /etc/origin/master/registry.key -'''
-- cgit v1.2.3
From f3cafbe005d54aaea6e46f2f348b092e430531f2 Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Fri, 17 Feb 2017 09:42:07 -0500
Subject: Removing cmd, fixed docs and comments.
---
roles/lib_openshift/src/doc/ca_server_cert | 61 +++---------------------------
1 file changed, 5 insertions(+), 56 deletions(-)
(limited to 'roles/lib_openshift/src/doc')
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index bf299f0cb..401caf1fc 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -3,18 +3,15 @@ DOCUMENTATION = ''' --- -module: oadm_ca -short_description: Module to manage openshift certificate authority +module: oc_adm_ca_server_cert +short_description: Module to run openshift oc adm ca create-server-cert description: - - Wrapper around the openshift `oc adm ca` command. + - Wrapper around the openshift `oc adm ca create-server-cert` command. options: state: description: - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] + - and verify if the hostnames and the ClusterIP exists in the certificate. - When create-server-cert is desired then the following parameters are passed. - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false
@@ -34,22 +31,6 @@ options: required: false default: False aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] cert: description: - The certificate file. Choose a name that indicates what the service is.
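Review bot: The rewritten `state` bullets still say "When create-server-cert is desired then the following parameters are passed", but the `@@ -34,22 +31,6 @@` hunk of this same commit removes `cmd`, so create-server-cert is no longer something the caller chooses and the sentence reads as if other sub-commands remain. The new bullet also has `exists` where `exist` is needed, and it stops short of saying what the module does when a hostname or the ClusterIP is missing from the existing certificate — presumably it regenerates, which is the idempotence rule a user most needs to know. Suggest `- Present means the module runs oc adm ca create-server-cert unless the existing certificate already contains every requested hostname and the ClusterIP.` and `- Parameters used: cert, key, signer_cert, signer_key, signer_serial, hostnames.`, with the first confirmed against the module's check, which is outside this diff.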
@@ -86,43 +67,12 @@ options: required: false default: None aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - hostnames: description: - Every hostname or IP that server certs should be valid for (comma-delimited list) required: false default: None aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: []
@@ -130,8 +80,7 @@ extends_documentation_fragment: [] EXAMPLES = ''' - name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert + oc_adm_ca_server_cert: signer_cert: /etc/origin/master/ca.crt signer_key: /etc/origin/master/ca.key signer_serial: /etc/origin/master/ca.serial.txt
-- cgit v1.2.3
From a330de2153a66c458a21fd506c3220a4b3acd563 Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Fri, 17 Feb 2017 15:46:06 -0500
Subject: Updated doc and defined defaults for signer_*
---
roles/lib_openshift/src/doc/ca_server_cert | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'roles/lib_openshift/src/doc')
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index 401caf1fc..bb57a3e11 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -53,19 +53,19 @@ options: description: - The signer certificate file. required: false - default: None + default: /etc/origin/master/ca.crt aliases: [] signer_key: description: - The signer key file. required: false - default: None + default: /etc/origin/master/ca.key aliases: [] signer_serial: description: - The signer serial file. required: false - default: None + default: /etc/origin/master/ca.serial.txt aliases: [] hostnames: description:
-- cgit v1.2.3
From 8200377dbb3d0e6aa2b35ea369cceb03976b508b Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Tue, 21 Feb 2017 10:26:17 -0500
Subject: Added copy support when modifying cert and key on existence
---
roles/lib_openshift/src/doc/ca_server_cert | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'roles/lib_openshift/src/doc')
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index bb57a3e11..58720b09f 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -73,6 +73,12 @@ options: required: false default: None aliases: [] + backup: + description: + - Whether to backup the cert and key files before writing them. + required: false + default: True + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: []
-- cgit v1.2.3
From 3effaa96c8e843a5820b98cf9c2dab608481c259 Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Tue, 21 Feb 2017 20:15:28 -0500
Subject: Added backup feature. Fixed a bug with reading the certificate and verifying names. Added force option.
---
roles/lib_openshift/src/doc/ca_server_cert | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'roles/lib_openshift/src/doc')
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index 58720b09f..a8034158e 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
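Review bot: The new defaults point `signer_cert`, `signer_key` and `signer_serial` at the master CA files, so a task that omits all three signs with the cluster CA's private key; the descriptions should say these paths exist only on a master host and that `signer_key` is the CA private key, otherwise `required: false` reads as if the options are optional on any host. `signer_serial` is still described as just "The signer serial file"; if `oc adm ca create-server-cert` advances the serial in that file for every certificate it issues (I believe it does — confirm), say so, because two hosts signing against separate copies of the same serial file would issue certificates with duplicate serial numbers. Suggest `- The CA serial file; oc adm ca updates it each time a certificate is issued, so it must be the master's live copy.`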
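Review bot: The `backup` description says the cert and key files are backed up before writing, but not where the copy is placed or whether it keeps the key file's mode and owner; `key` is a private key, so a copy created with default permissions would expose it, and operators also need the path to prune old copies. Suggest `- Whether to copy the existing cert and key files to <BACKUP LOCATION — take from the module's copy code> before overwriting them; the copy keeps the original file mode.`, with both details confirmed against the copy code, which is not in this diff. `default: True` should be `default: true`.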
@@ -43,9 +43,9 @@ options: required: false default: None aliases: [] - overwrite: + force: description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. + - Force updating of the existing cert and key files required: false default: False aliases: []
-- cgit v1.2.3
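Review bot: `force` is described as "Force updating of the existing cert and key files", which says what it overrides but not the un-forced behaviour, so a reader cannot tell when the files are left alone; the state description from the "Removing cmd" commit suggests the rule is "regenerate only when a requested hostname or the ClusterIP is missing from the existing certificate", and that belongs here. The rename from `overwrite` also keeps `aliases: []`; if the argument_spec still accepts `overwrite`, list it as an alias, otherwise mention the rename so existing tasks get updated. Suggest `- Regenerate the cert and key even when the existing certificate already covers every requested hostname; when false they are only rewritten if a name is missing.` and `default: false`, with the second clause confirmed against the module.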