From 0460d54961753bc3bdab4038a1946de08d11097c Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Sun, 12 Feb 2017 22:33:45 -0500
Subject: Adding oadm_ca to lib_openshift.
---
 .../src/ansible/oadm_certificate_authority.py | 49 +++++++++
 .../src/class/oadm_certificate_authority.py | 110 +++++++++++++++++++++
 roles/lib_openshift/src/doc/certificate_authority | 96 ++++++++++++++++++
 roles/lib_openshift/src/sources.yml | 10 ++
 4 files changed, 265 insertions(+)
 create mode 100644 roles/lib_openshift/src/ansible/oadm_certificate_authority.py
 create mode 100644 roles/lib_openshift/src/class/oadm_certificate_authority.py
 create mode 100644 roles/lib_openshift/src/doc/certificate_authority
(limited to 'roles/lib_openshift/src')
diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py
new file mode 100644
index 000000000..856b06290
--- /dev/null
+++ b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py
@@ -0,0 +1,49 @@
+# pylint: skip-file
+# flake8: noqa
+
+def main():
+ '''
+ ansible oadm module for ca
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ state=dict(default='present', type='str',
+ choices=['present']),
+ debug=dict(default=False, type='bool'),
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ cmd=dict(default=None, require=True, type='str'),
+
+ # oadm ca create-master-certs [options]
+ cert_dir=dict(default=None, type='str'),
+ hostnames=dict(default=[], type='list'),
+ master=dict(default=None, type='str'),
+ public_master=dict(default=None, type='str'),
+ overwrite=dict(default=False, type='bool'),
+ signer_name=dict(default=None, type='str'),
+
+ # oadm ca create-key-pair [options]
+ private_key=dict(default=None, type='str'),
+ public_key=dict(default=None, type='str'),
+
+ # oadm ca create-server-cert [options]
+ cert=dict(default=None, type='str'),
+ key=dict(default=None, type='str'),
+ signer_cert=dict(default=None, type='str'),
+ signer_key=dict(default=None, type='str'),
+ signer_serial=dict(default=None, type='str'),
+
+ ),
+ supports_check_mode=True,
+ )
+
+ # pylint: disable=line-too-long
+ results = CertificateAuthority.run_ansible(module.params, module.check_mode)
+ if 'failed' in results:
+ return module.fail_json(**results)
+
+ return module.exit_json(**results)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/lib_openshift/src/class/oadm_certificate_authority.py b/roles/lib_openshift/src/class/oadm_certificate_authority.py
new file mode 100644
index 000000000..34bd0f0a9
--- /dev/null
+++ b/roles/lib_openshift/src/class/oadm_certificate_authority.py
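Review bot: The `cmd` entry uses `require=True`, but the argument_spec key is `required`, so Ansible does not enforce the subcommand and a play that omits `cmd` reaches `CertificateAuthority.run_ansible` with `params['cmd']` as None, which `create()` then appends to the `oadm ca` command line. The DOCUMENTATION in doc/certificate_authority already lists the three accepted subcommands, so the entry can pin them at the same time: `cmd=dict(default=None, required=True, type='str', choices=['create-master-certs', 'create-key-pair', 'create-server-cert']),`. Constraining `cmd` to that set keeps the module from forwarding an arbitrary subcommand to `oadm ca`, and the choices then match what the documentation promises.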
@@ -0,0 +1,110 @@
+# pylint: skip-file
+
+class CertificateAuthorityConfig(OpenShiftCLIConfig):
+ ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
+ def __init__(self, cmd, kubeconfig, verbose, ca_options):
+ super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
+ self.cmd = cmd
+ self.kubeconfig = kubeconfig
+ self.verbose = verbose
+ self._ca = ca_options
+
+class CertificateAuthority(OpenShiftCLI):
+ ''' Class to wrap the oc command line tools '''
+ def __init__(self,
+ config,
+ verbose=False):
+ ''' Constructor for oadm ca '''
+ super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose)
+ self.config = config
+ self.verbose = verbose
+
+ def get(self):
+ '''get the current cert file
+
+ If a file exists by the same name in the specified location then the cert exists
+ '''
+ cert = self.config.config_options['cert']['value']
+ if cert and os.path.exists(cert):
+ return open(cert).read()
+
+ return None
+
+ def create(self):
+ '''Create a deploymentconfig '''
+ options = self.config.to_option_list()
+
+ cmd = ['ca']
+ cmd.append(self.config.cmd)
+ cmd.extend(options)
+
+ return self.openshift_cmd(cmd, oadm=True)
+
+ def exists(self):
+ ''' check whether the certificate exists and has the clusterIP '''
+
+ cert_path = self.config.config_options['cert']['value']
+ if not os.path.exists(cert_path):
+ return False
+
+ proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ stdout, stderr = proc.communicate()
+ if proc.returncode == 0:
+ for var in self.config.config_options['hostnames']['value'].split(','):
+ if var in stdout:
+ return True
+
+ return False
+
+ @staticmethod
+ def run_ansible(params, check_mode):
+ '''run the idempotent ansible code'''
+
+ config = CertificateAuthorityConfig(params['cmd'],
+ params['kubeconfig'],
+ params['debug'],
+ {'cert_dir': {'value': params['cert_dir'], 'include': True},
+ 'cert': {'value': params['cert'], 'include': True},
+ 'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
+ 'master': {'value': params['master'], 'include': True},
+ 'public_master': {'value': params['public_master'], 'include': True},
+ 'overwrite': {'value': params['overwrite'], 'include': True},
+ 'signer_name': {'value': params['signer_name'], 'include': True},
+ 'private_key': {'value': params['private_key'], 'include': True},
+ 'public_key': {'value': params['public_key'], 'include': True},
+ 'key': {'value': params['key'], 'include': True},
+ 'signer_cert': {'value': params['signer_cert'], 'include': True},
+ 'signer_key': {'value': params['signer_key'], 'include': True},
+ 'signer_serial': {'value': params['signer_serial'], 'include': True},
+ })
+
+
+ oadm_ca = CertificateAuthority(config)
+
+ state = params['state']
+
+ if state == 'present':
+ ########
+ # Create
+ ########
+ if not oadm_ca.exists() or params['overwrite']:
+
+ if check_mode:
+ return {'changed': True,
+ 'msg': "CHECK_MODE: Would have created the certificate.",
+ 'state': state}
+
+ api_rval = oadm_ca.create()
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ ########
+ # Exists
+ ########
+ api_rval = oadm_ca.get()
+ return {'changed': False, 'results': api_rval, 'state': state}
+
+ return {'failed': True,
+ 'msg': 'Unknown state passed. %s' % state}
+
diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority
new file mode 100644
index 000000000..be6861444
--- /dev/null
+++ b/roles/lib_openshift/src/doc/certificate_authority
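Review bot: `exists()` passes `config_options['cert']['value']` straight to `os.path.exists()`, but `cert` defaults to None in the ansible argument_spec and is only supplied for create-server-cert, so a `create-master-certs` or `create-key-pair` run raises a TypeError before anything is created, while `get()` guards the same value with `if cert and ...`. The hostname check is also weaker than it looks: with no hostnames given, `','.join([])` is `''`, `''.split(',')` is `['']`, and `'' in stdout` is always true, so any parseable cert file counts as present; on Python 3 `stdout` is bytes and the `str in bytes` test raises instead. Note too that `openssl x509 -subject` prints only the Subject DN, so a hostname carried only in a subjectAltName would never match — worth confirming against the certs `oadm ca` produces, since this check is what decides whether the module re-issues a certificate. Smaller points in the same hunk: `get()` should read under `with open(cert) as cert_file: return cert_file.read()` so the handle is closed, and the `create()` docstring `'''Create a deploymentconfig '''` is copied from another module. A rewrite of `exists()` covering the None path and the empty-hostnames case follows.
```python
    # … unchanged: CertificateAuthorityConfig, __init__, get(), create() …
    def exists(self):
        ''' check whether the certificate exists and names one of the requested hostnames '''
        cert_path = self.config.config_options['cert']['value']
        # cert is None for create-master-certs / create-key-pair; os.path.exists(None) raises TypeError
        if not cert_path or not os.path.exists(cert_path):
            return False

        proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        stdout, _ = proc.communicate()
        if proc.returncode != 0:
            return False

        # ''.split(',') is [''] and '' is a substring of any output, so drop empty entries first
        hostnames = [host for host in self.config.config_options['hostnames']['value'].split(',') if host]
        if not hostnames:
            # nothing to compare against: a parseable cert at the path is treated as present
            return True
        subject = stdout.decode('utf-8') if isinstance(stdout, bytes) else stdout
        return any(host in subject for host in hostnames)
    # … unchanged: run_ansible …
```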
@@ -0,0 +1,96 @@
+# flake8: noqa
+# pylint: skip-file
+
+DOCUMENTATION = '''
+---
+module: oc_secret
+short_description: Module to manage openshift certificate authority
+description:
+ - Wrapper around the openshift `oc adm ca` command.
+options:
+ state:
+ description:
+ - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
+ - When create-master-certs is desired then the following parameters are passed.
+ - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
+ - When create-key-pair is desired then the following parameters are passed.
+ - ['private_key', 'public_key']
+ - When create-server-cert is desired then the following parameters are passed.
+ - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
+ required: false
+ default: present
+ choices: ["present"]
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ cmd:
+ description:
+ - The sub command given for `oc adm ca`
+ required: false
+ default: None
+ choices:
+ - create-master-certs
+ - create-key-pair
+ - create-server-cert
+ aliases: []
+ cert_dir:
+ description:
+ - The directory to place the certificates.
+ required: false
+ default: False
+ aliases: []
+author:
+- "Kenny Woodson "
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: create secret
+ oc_secret:
+ state: present
+ namespace: openshift-infra
+ name: metrics-deployer
+ files:
+ - name: nothing
+ path: /dev/null
+ register: secretout
+ run_once: true
+
+- name: get ca from hawkular
+ oc_secret:
+ state: list
+ namespace: openshift-infra
+ name: hawkular-metrics-certificate
+ decode: True
+ register: hawkout
+ run_once: true
+
+- name: Create secrets
+ oc_secret:
+ namespace: mynamespace
+ name: mysecrets
+ contents:
+ - path: data.yml
+ data: "{{ data_content }}"
+ - path: auth-keys
+ data: "{{ auth_keys_content }}"
+ - path: configdata.yml
+ data: "{{ configdata_content }}"
+ - path: cert.crt
+ data: "{{ cert_content }}"
+ - path: key.pem
+ data: "{{ osso_site_key_content }}"
+ - path: ca.cert.pem
+ data: "{{ ca_cert_content }}"
+ register: secretout
+'''
diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml
index 091aaef2e..7f0de6a65 100644
--- a/roles/lib_openshift/src/sources.yml
+++ b/roles/lib_openshift/src/sources.yml
@@ -1,4 +1,14 @@
 ---
+oadm_ca.py:
+- doc/generated
+- doc/license
+- lib/import.py
+- doc/certificate_authority
+- ../../lib_utils/src/class/yedit.py
+- lib/base.py
+- class/oadm_certificate_authority.py
+- ansible/oadm_certificate_authority.py
+
 oadm_manage_node.py:
 - doc/generated
 - doc/license
-- cgit v1.2.3
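Review bot: The DOCUMENTATION block names the module `module: oc_secret` and every EXAMPLES entry drives `oc_secret` with secret-specific parameters (`files`, `contents`, `decode`) that this module's argument_spec does not accept, while sources.yml in this same commit assembles the file into `oadm_ca.py`; the line should read `module: oadm_ca` and the examples should be replaced by `oadm_ca` tasks for `cmd: create-master-certs`, `cmd: create-key-pair` and `cmd: create-server-cert` using the parameter groups the `state` description lists. The `cert_dir` entry documents `default: False` although the argument_spec gives it `default=None`, `cmd` is documented `required: false` even though the module cannot build a command without it, and `hostnames`, `master`, `public_master`, `overwrite`, `signer_name`, `private_key`, `public_key`, `cert`, `key`, `signer_cert`, `signer_key` and `signer_serial` appear only inside the `state` description with no entry of their own under `options`. For a module that writes CA signer keys and server certificates, each of those entries should say which file it names or where it lands, and `overwrite` should state that an existing certificate is replaced only when it is set, since `run_ansible` gates creation on `exists()` and `overwrite`.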