From 0460d54961753bc3bdab4038a1946de08d11097c Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Sun, 12 Feb 2017 22:33:45 -0500 Subject: Adding oadm_ca to lib_openshift. --- .../src/ansible/oadm_certificate_authority.py | 49 +++++++++ .../src/class/oadm_certificate_authority.py | 110 +++++++++++++++++++++ roles/lib_openshift/src/doc/certificate_authority | 96 ++++++++++++++++++ roles/lib_openshift/src/sources.yml | 10 ++ 4 files changed, 265 insertions(+) create mode 100644 roles/lib_openshift/src/ansible/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/class/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/doc/certificate_authority (limited to 'roles/lib_openshift/src') diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py new file mode 100644 index 000000000..856b06290 --- /dev/null +++ b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py 
@@ -0,0 +1,49 @@
+# pylint: skip-file
+# flake8: noqa
+
+def main():
+ '''
+ ansible oadm module for ca
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ state=dict(default='present', type='str',
+ choices=['present']),
+ debug=dict(default=False, type='bool'),
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ cmd=dict(default=None, require=True, type='str'),
+
+ # oadm ca create-master-certs [options]
+ cert_dir=dict(default=None, type='str'),
+ hostnames=dict(default=[], type='list'),
+ master=dict(default=None, type='str'),
+ public_master=dict(default=None, type='str'),
+ overwrite=dict(default=False, type='bool'),
+ signer_name=dict(default=None, type='str'),
+
+ # oadm ca create-key-pair [options]
+ private_key=dict(default=None, type='str'),
+ public_key=dict(default=None, type='str'),
+
+ # oadm ca create-server-cert [options]
+ cert=dict(default=None, type='str'),
+ key=dict(default=None, type='str'),
+ signer_cert=dict(default=None, type='str'),
+ signer_key=dict(default=None, type='str'),
+ signer_serial=dict(default=None, type='str'),
+
+ ),
+ supports_check_mode=True,
+ )
+
+ # pylint: disable=line-too-long
+ results = CertificateAuthority.run_ansible(module.params, module.check_mode)
+ if 'failed' in results:
+ return module.fail_json(**results)
+
+ return module.exit_json(**results)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/lib_openshift/src/class/oadm_certificate_authority.py b/roles/lib_openshift/src/class/oadm_certificate_authority.py
new file mode 100644
index 000000000..34bd0f0a9
--- /dev/null
+++ b/roles/lib_openshift/src/class/oadm_certificate_authority.py
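Review bot: `cmd=dict(default=None, require=True, type='str')` misspells the AnsibleModule option key — it is `required`, and an unknown key in an argument_spec entry is ignored rather than rejected by the Ansible versions this role targets, so `cmd` is never enforced and its `default=None` flows into the companion class's `create()`, which appends `self.config.cmd` to the `['ca']` command list. Change the line to `cmd=dict(default=None, required=True, type='str')`, or better, since the DOCUMENTATION block on this page lists exactly three sub-commands, `cmd=dict(required=True, type='str', choices=['create-master-certs', 'create-key-pair', 'create-server-cert'])` so an unsupported value is refused before anything is handed to `oc adm`. The same `require=True` line is carried unchanged into the new ansible/oc_adm_ca_server_cert.py file later on this page.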
@@ -0,0 +1,110 @@ +# pylint: skip-file + +class CertificateAuthorityConfig(OpenShiftCLIConfig): + ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' + def __init__(self, cmd, kubeconfig, verbose, ca_options): + super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + self.cmd = cmd + self.kubeconfig = kubeconfig + self.verbose = verbose + self._ca = ca_options + +class CertificateAuthority(OpenShiftCLI): + ''' Class to wrap the oc command line tools ''' + def __init__(self, + config, + verbose=False): + ''' Constructor for oadm ca ''' + super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + + def get(self): + '''get the current cert file + + If a file exists by the same name in the specified location then the cert exists + ''' + cert = self.config.config_options['cert']['value'] + if cert and os.path.exists(cert): + return open(cert).read() + + return None + + def create(self): + '''Create a deploymentconfig ''' + options = self.config.to_option_list() + + cmd = ['ca'] + cmd.append(self.config.cmd) + cmd.extend(options) + + return self.openshift_cmd(cmd, oadm=True) + + def exists(self): + ''' check whether the certificate exists and has the clusterIP ''' + + cert_path = self.config.config_options['cert']['value'] + if not os.path.exists(cert_path): + return False + + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = proc.communicate() + if proc.returncode == 0: + for var in self.config.config_options['hostnames']['value'].split(','): + if var in stdout: + return True + + return False + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + config = CertificateAuthorityConfig(params['cmd'], + params['kubeconfig'], + params['debug'], + {'cert_dir': {'value': params['cert_dir'], 'include': True}, + 'cert': 
{'value': params['cert'], 'include': True}, + 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, + 'master': {'value': params['master'], 'include': True}, + 'public_master': {'value': params['public_master'], 'include': True}, + 'overwrite': {'value': params['overwrite'], 'include': True}, + 'signer_name': {'value': params['signer_name'], 'include': True}, + 'private_key': {'value': params['private_key'], 'include': True}, + 'public_key': {'value': params['public_key'], 'include': True}, + 'key': {'value': params['key'], 'include': True}, + 'signer_cert': {'value': params['signer_cert'], 'include': True}, + 'signer_key': {'value': params['signer_key'], 'include': True}, + 'signer_serial': {'value': params['signer_serial'], 'include': True}, + }) + + + oadm_ca = CertificateAuthority(config) + + state = params['state'] + + if state == 'present': + ######## + # Create + ######## + if not oadm_ca.exists() or params['overwrite']: + + if check_mode: + return {'changed': True, + 'msg': "CHECK_MODE: Would have created the certificate.", + 'state': state} + + api_rval = oadm_ca.create() + + return {'changed': True, 'results': api_rval, 'state': state} + + ######## + # Exists + ######## + api_rval = oadm_ca.get() + return {'changed': False, 'results': api_rval, 'state': state} + + return {'failed': True, + 'msg': 'Unknown state passed. %s' % state} + diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority new file mode 100644 index 000000000..be6861444 --- /dev/null +++ b/roles/lib_openshift/src/doc/certificate_authority 
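Review bot: `exists()` reports a certificate as present even when it covers none of the requested hostnames: `run_ansible` builds the option with `','.join(params['hostnames'])`, the argument_spec default `[]` makes that `''`, `''.split(',')` is `['']`, and `'' in stdout` is always true, so the hostname loop is vacuous whenever the caller omits `hostnames`. The test is also a plain substring match and `openssl x509 -noout -subject` prints only the subject (CN), not the subjectAltName list, so a hostname added later will not trigger regeneration; at minimum skip empty entries, `for var in [h for h in self.config.config_options['hostnames']['value'].split(',') if h]:`, and leave a TODO to compare SANs (`-text` output) rather than the subject. Two smaller points in the same hunk: `exists()` does not guard `cert_path` being `None` the way `get()` guards `cert` (`os.path.exists(None)` raises TypeError), and `get()`'s `open(cert).read()` never closes the handle — `with open(cert) as cert_file: return cert_file.read()`. This code is re-added verbatim as CAServerCert in the rename commit further down this page.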
@@ -0,0 +1,96 @@ +# flake8: noqa +# pylint: skip-file + +DOCUMENTATION = ''' +--- +module: oc_secret +short_description: Module to manage openshift certificate authority +description: + - Wrapper around the openshift `oc adm ca` command. +options: + state: + description: + - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate + - When create-master-certs is desired then the following parameters are passed. + - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] + - When create-key-pair is desired then the following parameters are passed. + - ['private_key', 'public_key'] + - When create-server-cert is desired then the following parameters are passed. + - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] + required: false + default: present + choices: ["present"] + aliases: [] + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + cmd: + description: + - The sub command given for `oc adm ca` + required: false + default: None + choices: + - create-master-certs + - create-key-pair + - create-server-cert + aliases: [] + cert_dir: + description: + - The directory to place the certificates. 
+ required: false + default: False + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: create secret + oc_secret: + state: present + namespace: openshift-infra + name: metrics-deployer + files: + - name: nothing + path: /dev/null + register: secretout + run_once: true + +- name: get ca from hawkular + oc_secret: + state: list + namespace: openshift-infra + name: hawkular-metrics-certificate + decode: True + register: hawkout + run_once: true + +- name: Create secrets + oc_secret: + namespace: mynamespace + name: mysecrets + contents: + - path: data.yml + data: "{{ data_content }}" + - path: auth-keys + data: "{{ auth_keys_content }}" + - path: configdata.yml + data: "{{ configdata_content }}" + - path: cert.crt + data: "{{ cert_content }}" + - path: key.pem + data: "{{ osso_site_key_content }}" + - path: ca.cert.pem + data: "{{ ca_cert_content }}" + register: secretout +''' diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml index 091aaef2e..7f0de6a65 100644 --- a/roles/lib_openshift/src/sources.yml +++ b/roles/lib_openshift/src/sources.yml @@ -1,4 +1,14 @@ --- +oadm_ca.py: +- doc/generated +- doc/license +- lib/import.py +- doc/certificate_authority +- ../../lib_utils/src/class/yedit.py +- lib/base.py +- class/oadm_certificate_authority.py +- ansible/oadm_certificate_authority.py + oadm_manage_node.py: - doc/generated - doc/license -- cgit v1.2.3 From d517312b0b14c632d66edfe191269e732242a101 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 15 Feb 2017 17:28:40 -0500 Subject: Fixing doc. --- .../src/ansible/oadm_certificate_authority.py | 3 +- roles/lib_openshift/src/doc/certificate_authority | 127 ++++++++++++++------- 2 files changed, 87 insertions(+), 43 deletions(-) (limited to 'roles/lib_openshift/src') 
diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py index 856b06290..ad00b25b4 100644 --- a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py +++ b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py @@ -8,8 +8,7 @@ def main(): module = AnsibleModule( argument_spec=dict( - state=dict(default='present', type='str', - choices=['present']), + state=dict(default='present', type='str', choices=['present']), debug=dict(default=False, type='bool'), kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), cmd=dict(default=None, require=True, type='str'), diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority index be6861444..bf299f0cb 100644 --- a/roles/lib_openshift/src/doc/certificate_authority +++ b/roles/lib_openshift/src/doc/certificate_authority @@ -3,7 +3,7 @@ DOCUMENTATION = ''' --- -module: oc_secret +module: oadm_ca short_description: Module to manage openshift certificate authority description: - Wrapper around the openshift `oc adm ca` command. @@ -19,7 +19,8 @@ options: - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false default: present - choices: ["present"] + choices: + - present aliases: [] kubeconfig: description: 
@@ -45,52 +46,96 @@ options: aliases: [] cert_dir: description: - - The directory to place the certificates. + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. required: false default: False aliases: [] + signer_cert: + description: + - The signer certificate file. + required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] ''' EXAMPLES = ''' -- name: create secret - oc_secret: - state: present - namespace: openshift-infra - name: metrics-deployer - files: - - name: nothing - path: /dev/null - register: secretout - 
run_once: true - -- name: get ca from hawkular - oc_secret: - state: list - namespace: openshift-infra - name: hawkular-metrics-certificate - decode: True - register: hawkout - run_once: true - -- name: Create secrets - oc_secret: - namespace: mynamespace - name: mysecrets - contents: - - path: data.yml - data: "{{ data_content }}" - - path: auth-keys - data: "{{ auth_keys_content }}" - - path: configdata.yml - data: "{{ configdata_content }}" - - path: cert.crt - data: "{{ cert_content }}" - - path: key.pem - data: "{{ osso_site_key_content }}" - - path: ca.cert.pem - data: "{{ ca_cert_content }}" - register: secretout +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key ''' -- cgit v1.2.3 From 5ff3071297b0bd91e5135bbe9def3a59dadfe885 Mon Sep 17 00:00:00 2001 
From: Kenny Woodson Date: Fri, 17 Feb 2017 09:34:10 -0500 Subject: Rename of oadm_ca to oc_adm_ca. Decided to whittle down to the direct call, server_cert. --- .../src/ansible/oadm_certificate_authority.py | 48 ------- .../src/ansible/oc_adm_ca_server_cert.py | 36 ++++++ .../src/class/oadm_certificate_authority.py | 110 ---------------- .../src/class/oc_adm_ca_server_cert.py | 104 +++++++++++++++ roles/lib_openshift/src/doc/ca_server_cert | 141 +++++++++++++++++++++ roles/lib_openshift/src/doc/certificate_authority | 141 --------------------- roles/lib_openshift/src/sources.yml | 8 +- 7 files changed, 285 insertions(+), 303 deletions(-) delete mode 100644 roles/lib_openshift/src/ansible/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py delete mode 100644 roles/lib_openshift/src/class/oadm_certificate_authority.py create mode 100644 roles/lib_openshift/src/class/oc_adm_ca_server_cert.py create mode 100644 roles/lib_openshift/src/doc/ca_server_cert delete mode 100644 roles/lib_openshift/src/doc/certificate_authority (limited to 'roles/lib_openshift/src') diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py deleted file mode 100644 index ad00b25b4..000000000 --- a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py +++ /dev/null 
@@ -1,48 +0,0 @@ -# pylint: skip-file -# flake8: noqa - -def main(): - ''' - ansible oadm module for ca - ''' - - module = AnsibleModule( - argument_spec=dict( - state=dict(default='present', type='str', choices=['present']), - debug=dict(default=False, type='bool'), - kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), - cmd=dict(default=None, require=True, type='str'), - - # oadm ca create-master-certs [options] - cert_dir=dict(default=None, type='str'), - hostnames=dict(default=[], type='list'), - master=dict(default=None, type='str'), - public_master=dict(default=None, type='str'), - overwrite=dict(default=False, type='bool'), - signer_name=dict(default=None, type='str'), - - # oadm ca create-key-pair [options] - private_key=dict(default=None, type='str'), - public_key=dict(default=None, type='str'), - - # oadm ca create-server-cert [options] - cert=dict(default=None, type='str'), - key=dict(default=None, type='str'), - signer_cert=dict(default=None, type='str'), - signer_key=dict(default=None, type='str'), - signer_serial=dict(default=None, type='str'), - - ), - supports_check_mode=True, - ) - - # pylint: disable=line-too-long - results = CertificateAuthority.run_ansible(module.params, module.check_mode) - if 'failed' in results: - return module.fail_json(**results) - - return module.exit_json(**results) - - -if __name__ == '__main__': - main() diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py new file mode 100644 index 000000000..91d8c83b0 --- /dev/null +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py 
@@ -0,0 +1,36 @@
+# pylint: skip-file
+# flake8: noqa
+
+def main():
+ '''
+ ansible oc adm module for ca create-server-cert
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ state=dict(default='present', type='str', choices=['present']),
+ debug=dict(default=False, type='bool'),
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ cmd=dict(default=None, require=True, type='str'),
+ # oadm ca create-server-cert [options]
+ cert=dict(default=None, type='str'),
+ key=dict(default=None, type='str'),
+ signer_cert=dict(default=None, type='str'),
+ signer_key=dict(default=None, type='str'),
+ signer_serial=dict(default=None, type='str'),
+ hostnames=dict(default=[], type='list'),
+ overwrite=dict(default=False, type='bool'),
+ ),
+ supports_check_mode=True,
+ )
+
+ # pylint: disable=line-too-long
+ results = CAServerCert.run_ansible(module.params, module.check_mode)
+ if 'failed' in results:
+ return module.fail_json(**results)
+
+ return module.exit_json(**results)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/lib_openshift/src/class/oadm_certificate_authority.py b/roles/lib_openshift/src/class/oadm_certificate_authority.py
deleted file mode 100644
index 34bd0f0a9..000000000
--- a/roles/lib_openshift/src/class/oadm_certificate_authority.py
+++ /dev/null
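Review bot: The argument_spec does not declare `signer_name`, but `CAServerCert.run_ansible` in the new class file of this same commit reads `params['signer_name']`, and `module.params` only carries declared options (a playbook that passed it would be rejected as unsupported), so every invocation of the renamed module should die with a KeyError before `oc adm` is ever run. Either add `signer_name=dict(default=None, type='str'),` after `signer_serial`, or — matching the create-server-cert focus, whose documented parameter list on this page is `cert, key, signer_cert, signer_key, signer_serial` — drop the `'signer_name'` entry from the options dict in `run_ansible`. `cmd` keeps the `require=True` misspelling raised on the first commit.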
@@ -1,110 +0,0 @@ -# pylint: skip-file - -class CertificateAuthorityConfig(OpenShiftCLIConfig): - ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' - def __init__(self, cmd, kubeconfig, verbose, ca_options): - super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) - self.cmd = cmd - self.kubeconfig = kubeconfig - self.verbose = verbose - self._ca = ca_options - -class CertificateAuthority(OpenShiftCLI): - ''' Class to wrap the oc command line tools ''' - def __init__(self, - config, - verbose=False): - ''' Constructor for oadm ca ''' - super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose) - self.config = config - self.verbose = verbose - - def get(self): - '''get the current cert file - - If a file exists by the same name in the specified location then the cert exists - ''' - cert = self.config.config_options['cert']['value'] - if cert and os.path.exists(cert): - return open(cert).read() - - return None - - def create(self): - '''Create a deploymentconfig ''' - options = self.config.to_option_list() - - cmd = ['ca'] - cmd.append(self.config.cmd) - cmd.extend(options) - - return self.openshift_cmd(cmd, oadm=True) - - def exists(self): - ''' check whether the certificate exists and has the clusterIP ''' - - cert_path = self.config.config_options['cert']['value'] - if not os.path.exists(cert_path): - return False - - proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = proc.communicate() - if proc.returncode == 0: - for var in self.config.config_options['hostnames']['value'].split(','): - if var in stdout: - return True - - return False - - @staticmethod - def run_ansible(params, check_mode): - '''run the idempotent ansible code''' - - config = CertificateAuthorityConfig(params['cmd'], - params['kubeconfig'], - params['debug'], - {'cert_dir': {'value': params['cert_dir'], 'include': True}, - 'cert': 
{'value': params['cert'], 'include': True}, - 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, - 'master': {'value': params['master'], 'include': True}, - 'public_master': {'value': params['public_master'], 'include': True}, - 'overwrite': {'value': params['overwrite'], 'include': True}, - 'signer_name': {'value': params['signer_name'], 'include': True}, - 'private_key': {'value': params['private_key'], 'include': True}, - 'public_key': {'value': params['public_key'], 'include': True}, - 'key': {'value': params['key'], 'include': True}, - 'signer_cert': {'value': params['signer_cert'], 'include': True}, - 'signer_key': {'value': params['signer_key'], 'include': True}, - 'signer_serial': {'value': params['signer_serial'], 'include': True}, - }) - - - oadm_ca = CertificateAuthority(config) - - state = params['state'] - - if state == 'present': - ######## - # Create - ######## - if not oadm_ca.exists() or params['overwrite']: - - if check_mode: - return {'changed': True, - 'msg': "CHECK_MODE: Would have created the certificate.", - 'state': state} - - api_rval = oadm_ca.create() - - return {'changed': True, 'results': api_rval, 'state': state} - - ######## - # Exists - ######## - api_rval = oadm_ca.get() - return {'changed': False, 'results': api_rval, 'state': state} - - return {'failed': True, - 'msg': 'Unknown state passed. %s' % state} - diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py new file mode 100644 index 000000000..92505c08e --- /dev/null +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py 
@@ -0,0 +1,104 @@ +# pylint: skip-file + +class CAServerCertConfig(OpenShiftCLIConfig): + ''' CertificateAuthorityConfig is a DTO for the oadm ca command ''' + def __init__(self, cmd, kubeconfig, verbose, ca_options): + super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options) + self.cmd = cmd + self.kubeconfig = kubeconfig + self.verbose = verbose + self._ca = ca_options + +class CAServerCert(OpenShiftCLI): + ''' Class to wrap the oc command line tools ''' + def __init__(self, + config, + verbose=False): + ''' Constructor for oadm ca ''' + super(CAServerCert, self).__init__(None, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + + def get(self): + '''get the current cert file + + If a file exists by the same name in the specified location then the cert exists + ''' + cert = self.config.config_options['cert']['value'] + if cert and os.path.exists(cert): + return open(cert).read() + + return None + + def create(self): + '''run openshift ca cmd''' + options = self.config.to_option_list() + + cmd = ['ca'] + cmd.append(self.config.cmd) + cmd.extend(options) + + return self.openshift_cmd(cmd, oadm=True) + + def exists(self): + ''' check whether the certificate exists and has the clusterIP ''' + + cert_path = self.config.config_options['cert']['value'] + if not os.path.exists(cert_path): + return False + + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = proc.communicate() + if proc.returncode == 0: + for var in self.config.config_options['hostnames']['value'].split(','): + if var in stdout: + return True + + return False + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + config = CAServerCertConfig(params['cmd'], + params['kubeconfig'], + params['debug'], + {'cert': {'value': params['cert'], 'include': True}, + 'hostnames': {'value': ','.join(params['hostnames']), 
'include': True}, + 'overwrite': {'value': params['overwrite'], 'include': True}, + 'signer_name': {'value': params['signer_name'], 'include': True}, + 'key': {'value': params['key'], 'include': True}, + 'signer_cert': {'value': params['signer_cert'], 'include': True}, + 'signer_key': {'value': params['signer_key'], 'include': True}, + 'signer_serial': {'value': params['signer_serial'], 'include': True}, + }) + + server_cert = CAServerCert(config) + + state = params['state'] + + if state == 'present': + ######## + # Create + ######## + if not server_cert.exists() or params['overwrite']: + + if check_mode: + return {'changed': True, + 'msg': "CHECK_MODE: Would have created the certificate.", + 'state': state} + + api_rval = server_cert.create() + + return {'changed': True, 'results': api_rval, 'state': state} + + ######## + # Exists + ######## + api_rval = server_cert.get() + return {'changed': False, 'results': api_rval, 'state': state} + + return {'failed': True, + 'msg': 'Unknown state passed. %s' % state} + diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert new file mode 100644 index 000000000..bf299f0cb --- /dev/null +++ b/roles/lib_openshift/src/doc/ca_server_cert 
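Review bot: `CAServerCertConfig.__init__` still calls `super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)`, and `CertificateAuthorityConfig` is deleted by this same commit (its class file is removed and sources.yml no longer assembles it), so the first `CAServerCertConfig(...)` in `run_ansible` raises NameError unless lib/base.py happens to define that name. The line should read `super(CAServerCertConfig, self).__init__('ca', None, kubeconfig, ca_options)`. The same super() call is still visible as context in the `@@ -1,16 +1,15 @@` hunk of the following "Removing cmd" commit, which renames the docstring but not the class reference. The `exists()`/`get()` points raised on the original CertificateAuthority class apply unchanged to the copies here.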
@@ -0,0 +1,141 @@ +# flake8: noqa +# pylint: skip-file + +DOCUMENTATION = ''' +--- +module: oadm_ca +short_description: Module to manage openshift certificate authority +description: + - Wrapper around the openshift `oc adm ca` command. +options: + state: + description: + - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate + - When create-master-certs is desired then the following parameters are passed. + - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] + - When create-key-pair is desired then the following parameters are passed. + - ['private_key', 'public_key'] + - When create-server-cert is desired then the following parameters are passed. + - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] + required: false + default: present + choices: + - present + aliases: [] + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + cmd: + description: + - The sub command given for `oc adm ca` + required: false + default: None + choices: + - create-master-certs + - create-key-pair + - create-server-cert + aliases: [] + cert_dir: + description: + - The certificate data directory. + required: false + default: None + aliases: [] + cert: + description: + - The certificate file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + key: + description: + - The key file. Choose a name that indicates what the service is. + required: false + default: None + aliases: [] + overwrite: + description: + - Overwrite existing cert files if found. If false, any existing file will be left as-is. + required: false + default: False + aliases: [] + signer_cert: + description: + - The signer certificate file. 
+ required: false + default: None + aliases: [] + signer_key: + description: + - The signer key file. + required: false + default: None + aliases: [] + signer_serial: + description: + - The signer serial file. + required: false + default: None + aliases: [] + public_key: + description: + - The public key file used with create-key-pair + required: false + default: None + aliases: [] + private_key: + description: + - The private key file used with create-key-pair + required: false + default: None + aliases: [] + + hostnames: + description: + - Every hostname or IP that server certs should be valid for (comma-delimited list) + required: false + default: None + aliases: [] + master: + description: + - The API server's URL + required: false + default: None + aliases: [] + public_master: + description: + - The API public facing server's URL (if applicable) + required: false + default: None + aliases: [] + signer_name: + description: + - The name to use for the generated signer + required: false + default: None + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: Create a self-signed cert + oadm_ca: + cmd: create-server-cert + signer_cert: /etc/origin/master/ca.crt + signer_key: /etc/origin/master/ca.key + signer_serial: /etc/origin/master/ca.serial.txt + hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" + cert: /etc/origin/master/registry.crt + key: /etc/origin/master/registry.key +''' diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority deleted file mode 100644 index bf299f0cb..000000000 --- a/roles/lib_openshift/src/doc/certificate_authority +++ /dev/null 
@@ -1,141 +0,0 @@ -# flake8: noqa -# pylint: skip-file - -DOCUMENTATION = ''' ---- -module: oadm_ca -short_description: Module to manage openshift certificate authority -description: - - Wrapper around the openshift `oc adm ca` command. -options: - state: - description: - - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] - - When create-server-cert is desired then the following parameters are passed. - - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] - required: false - default: present - choices: - - present - aliases: [] - kubeconfig: - description: - - The path for the kubeconfig file to use for authentication - required: false - default: /etc/origin/master/admin.kubeconfig - aliases: [] - debug: - description: - - Turn on debug output. - required: false - default: False - aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] - cert: - description: - - The certificate file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - key: - description: - - The key file. Choose a name that indicates what the service is. - required: false - default: None - aliases: [] - overwrite: - description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. - required: false - default: False - aliases: [] - signer_cert: - description: - - The signer certificate file. 
- required: false - default: None - aliases: [] - signer_key: - description: - - The signer key file. - required: false - default: None - aliases: [] - signer_serial: - description: - - The signer serial file. - required: false - default: None - aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - - hostnames: - description: - - Every hostname or IP that server certs should be valid for (comma-delimited list) - required: false - default: None - aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] -author: -- "Kenny Woodson " -extends_documentation_fragment: [] -''' - -EXAMPLES = ''' -- name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert - signer_cert: /etc/origin/master/ca.crt - signer_key: /etc/origin/master/ca.key - signer_serial: /etc/origin/master/ca.serial.txt - hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local" - cert: /etc/origin/master/registry.crt - key: /etc/origin/master/registry.key -''' diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml index 7f0de6a65..b49f7b490 100644 --- a/roles/lib_openshift/src/sources.yml +++ b/roles/lib_openshift/src/sources.yml 
@@ -1,13 +1,13 @@
---
-oadm_ca.py:
+oc_adm_ca_server_cert.py:
- doc/generated
- doc/license
- lib/import.py
-- doc/certificate_authority
+- doc/ca_server_cert
- ../../lib_utils/src/class/yedit.py
- lib/base.py
-- class/oadm_certificate_authority.py
-- ansible/oadm_certificate_authority.py
+- class/oc_adm_ca_server_cert.py
+- ansible/oc_adm_ca_server_cert.py
oadm_manage_node.py:
- doc/generated
-- cgit v1.2.3
From f3cafbe005d54aaea6e46f2f348b092e430531f2 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 09:42:07 -0500 Subject: Removing cmd, fixed docs and comments. --- .../src/class/oc_adm_ca_server_cert.py | 17 +++--- roles/lib_openshift/src/doc/ca_server_cert | 61 ++-------------------- 2 files changed, 13 insertions(+), 65 deletions(-) (limited to 'roles/lib_openshift/src')
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index 92505c08e..162f606f7 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -1,16 +1,15 @@
# pylint: skip-file
class CAServerCertConfig(OpenShiftCLIConfig):
- ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
- def __init__(self, cmd, kubeconfig, verbose, ca_options):
+ ''' CAServerCertConfig is a DTO for the oc adm ca command '''
+ def __init__(self, kubeconfig, verbose, ca_options):
super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
- self.cmd = cmd
self.kubeconfig = kubeconfig
self.verbose = verbose
self._ca = ca_options
class CAServerCert(OpenShiftCLI):
- ''' Class to wrap the oc command line tools '''
+ ''' Class to wrap the oc adm ca create-server-cert command line'''
def __init__(self, config, verbose=False):
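Review bot: The `super()` call on the new side of the `@@ -1,16 +1,15 @@` hunk still names `CertificateAuthorityConfig` while the class has been renamed to `CAServerCertConfig`, so constructing the config raises NameError at runtime; the line should read `super(CAServerCertConfig, self).__init__('ca', None, kubeconfig, ca_options)`. The later commit a330de2 on this page makes exactly that correction, so this intermediate revision is not usable on its own. The `CAServerCert.__init__` signature at the end of the hunk continues outside it.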
@@ -31,11 +30,10 @@ class CAServerCert(OpenShiftCLI):
return None
def create(self):
- '''run openshift ca cmd'''
+ '''run openshift oc adm ca create-server-cert cmd'''
options = self.config.to_option_list()
- cmd = ['ca']
- cmd.append(self.config.cmd)
+ cmd = ['ca', 'create-server-cert']
cmd.extend(options)
return self.openshift_cmd(cmd, oadm=True)
@@ -47,6 +45,8 @@ class CAServerCert(OpenShiftCLI):
if not os.path.exists(cert_path):
return False
+ # Would prefer pyopenssl but is not installed.
+ # When we verify it is, switch this code
proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = proc.communicate()
@@ -61,8 +61,7 @@ class CAServerCert(OpenShiftCLI):
def run_ansible(params, check_mode):
'''run the idempotent ansible code'''
- config = CAServerCertConfig(params['cmd'],
- params['kubeconfig'],
+ config = CAServerCertConfig(params['kubeconfig'],
params['debug'],
{'cert': {'value': params['cert'], 'include': True},
'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index bf299f0cb..401caf1fc 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
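Review bot: The existence check in the `@@ -47,6 +45,8 @@` hunk asks `openssl x509 -subject` for the subject line only and, in the loop just after the hunk, returns True as soon as any one requested hostname is a substring of it, so a certificate that covers only some of the requested names — or whose CN merely contains one of them — is reported as present and never regenerated, and Subject Alternative Names are not inspected at all. The same any-match logic is carried forward unchanged in the `@@ -45,11 +45,11 @@` hunk of commit a330de2 below and is only replaced by SAN parsing in 3effaa9. `stderr` is captured and then dropped, so a failing `openssl` run (unreadable or malformed file) collapses into a silent `return False` that triggers regeneration; surfacing it in the module result, or at least under the debug flag, would make that path diagnosable. `exists()` begins before this hunk and its return statements lie after it.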
@@ -3,18 +3,15 @@ DOCUMENTATION = ''' --- -module: oadm_ca -short_description: Module to manage openshift certificate authority +module: oc_adm_ca_server_cert +short_description: Module to run openshift oc adm ca create-server-cert description: - - Wrapper around the openshift `oc adm ca` command. + - Wrapper around the openshift `oc adm ca create-server-cert` command. options: state: description: - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate - - When create-master-certs is desired then the following parameters are passed. - - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name'] - - When create-key-pair is desired then the following parameters are passed. - - ['private_key', 'public_key'] + - and verify if the hostnames and the ClusterIP exists in the certificate. - When create-server-cert is desired then the following parameters are passed. - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial'] required: false @@ -34,22 +31,6 @@ options: required: false default: False aliases: [] - cmd: - description: - - The sub command given for `oc adm ca` - required: false - default: None - choices: - - create-master-certs - - create-key-pair - - create-server-cert - aliases: [] - cert_dir: - description: - - The certificate data directory. - required: false - default: None - aliases: [] cert: description: - The certificate file. Choose a name that indicates what the service is. 
@@ -86,43 +67,12 @@ options: required: false default: None aliases: [] - public_key: - description: - - The public key file used with create-key-pair - required: false - default: None - aliases: [] - private_key: - description: - - The private key file used with create-key-pair - required: false - default: None - aliases: [] - hostnames: description: - Every hostname or IP that server certs should be valid for (comma-delimited list) required: false default: None aliases: [] - master: - description: - - The API server's URL - required: false - default: None - aliases: [] - public_master: - description: - - The API public facing server's URL (if applicable) - required: false - default: None - aliases: [] - signer_name: - description: - - The name to use for the generated signer - required: false - default: None - aliases: [] author: - "Kenny Woodson " extends_documentation_fragment: [] @@ -130,8 +80,7 @@ extends_documentation_fragment: [] EXAMPLES = ''' - name: Create a self-signed cert - oadm_ca: - cmd: create-server-cert + oc_adm_ca_server_cert: signer_cert: /etc/origin/master/ca.crt signer_key: /etc/origin/master/ca.key signer_serial: /etc/origin/master/ca.serial.txt -- cgit v1.2.3 From a330de2153a66c458a21fd506c3220a4b3acd563 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Fri, 17 Feb 2017 15:46:06 -0500 Subject: Updated doc and defined defaults for signer_* --- roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py | 7 +++---- roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 7 +++---- roles/lib_openshift/src/doc/ca_server_cert | 6 +++--- 3 files changed, 9 insertions(+), 11 deletions(-) (limited to 'roles/lib_openshift/src') diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py index 91d8c83b0..3518a2de4 100644 --- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py 
@@ -15,16 +15,15 @@ def main():
# oadm ca create-server-cert [options]
cert=dict(default=None, type='str'),
key=dict(default=None, type='str'),
- signer_cert=dict(default=None, type='str'),
- signer_key=dict(default=None, type='str'),
- signer_serial=dict(default=None, type='str'),
+ signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'),
+ signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
+ signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
hostnames=dict(default=[], type='list'),
overwrite=dict(default=False, type='bool'),
),
supports_check_mode=True,
)
- # pylint: disable=line-too-long
results = CAServerCert.run_ansible(module.params, module.check_mode)
if 'failed' in results:
return module.fail_json(**results)
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index 162f606f7..62200b592 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -3,7 +3,7 @@ class CAServerCertConfig(OpenShiftCLIConfig):
''' CAServerCertConfig is a DTO for the oc adm ca command '''
def __init__(self, kubeconfig, verbose, ca_options):
- super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
+ super(CAServerCertConfig, self).__init__('ca', None, kubeconfig, ca_options)
self.kubeconfig = kubeconfig
self.verbose = verbose
self._ca = ca_options
@@ -45,11 +45,11 @@ class CAServerCert(OpenShiftCLI):
if not os.path.exists(cert_path):
return False
- # Would prefer pyopenssl but is not installed.
+ # Would prefer pyopenssl but is not installed.
# When we verify it is, switch this code
proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdout, stderr = proc.communicate()
+ stdout, _ = proc.communicate()
if proc.returncode == 0:
for var in self.config.config_options['hostnames']['value'].split(','):
if var in stdout:
@@ -66,7 +66,6 @@ class CAServerCert(OpenShiftCLI):
{'cert': {'value': params['cert'], 'include': True},
'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
'overwrite': {'value': params['overwrite'], 'include': True},
- 'signer_name': {'value': params['signer_name'], 'include': True},
'key': {'value': params['key'], 'include': True},
'signer_cert': {'value': params['signer_cert'], 'include': True},
'signer_key': {'value': params['signer_key'], 'include': True},
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index 401caf1fc..bb57a3e11 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -53,19 +53,19 @@ options:
description:
- The signer certificate file.
required: false
- default: None
+ default: /etc/origin/master/ca.crt
aliases: []
signer_key:
description:
- The signer key file.
required: false
- default: None
+ default: /etc/origin/master/ca.key
aliases: []
signer_serial:
description:
- The signer serial file.
required: false
- default: None
+ default: /etc/origin/master/ca.serial.txt
aliases: []
hostnames:
description:
-- cgit v1.2.3
From c0a264e4c220bf086760acd6ab1d27bfe36a06dc Mon Sep 17 00:00:00 2001
From: Kenny Woodson Date: Tue, 21 Feb 2017 09:59:09 -0500 Subject: Small spacing fix. --- roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'roles/lib_openshift/src')
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index 62200b592..7f9ff9e1d 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -1,4 +1,5 @@
# pylint: skip-file
+# flake8: noqa
class CAServerCertConfig(OpenShiftCLIConfig):
''' CAServerCertConfig is a DTO for the oc adm ca command '''
@@ -8,6 +9,7 @@ class CAServerCertConfig(OpenShiftCLIConfig):
self.verbose = verbose
self._ca = ca_options
+
class CAServerCert(OpenShiftCLI):
''' Class to wrap the oc adm ca create-server-cert command line'''
def __init__(self,
-- cgit v1.2.3
From 8200377dbb3d0e6aa2b35ea369cceb03976b508b Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 21 Feb 2017 10:26:17 -0500 Subject: Added copy support when modifying cert and key on existence --- roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py | 2 +- roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 12 ++++++++++++ roles/lib_openshift/src/doc/ca_server_cert | 6 ++++++ 3 files changed, 19 insertions(+), 1 deletion(-) (limited to 'roles/lib_openshift/src')
diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
index 3518a2de4..367f6d932 100644
--- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
@@ -11,7 +11,7 @@ def main():
state=dict(default='present', type='str', choices=['present']),
debug=dict(default=False, type='bool'),
kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
- cmd=dict(default=None, require=True, type='str'),
+ backup=dict(default=True, type='bool'),
# oadm ca create-server-cert [options]
cert=dict(default=None, type='str'),
key=dict(default=None, type='str'),
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index 7f9ff9e1d..ee6cd4a29 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -33,6 +33,17 @@ class CAServerCert(OpenShiftCLI):
def create(self):
'''run openshift oc adm ca create-server-cert cmd'''
+
+ # Added this here as a safegaurd for stomping on the
+ # cert and key files if they exist
+ if self.config.config_options['backup']['value']:
+ if os.path.exists(self.config.config_options['key']['value']):
+ shutil.copy(self.config.config_options['key']['value'],
+ "%s.orig" % self.config.config_options['key']['value'])
+ if os.path.exists(self.config.config_options['cert']['value']):
+ shutil.copy(self.config.config_options['cert']['value'],
+ "%s.orig" % self.config.config_options['cert']['value'])
+
options = self.config.to_option_list()
cmd = ['ca', 'create-server-cert']
@@ -72,6 +83,7 @@ class CAServerCert(OpenShiftCLI):
'signer_cert': {'value': params['signer_cert'], 'include': True},
'signer_key': {'value': params['signer_key'], 'include': True},
'signer_serial': {'value': params['signer_serial'], 'include': True},
+ 'backup': {'value': params['backup'], 'include': False},
})
server_cert = CAServerCert(config)
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index bb57a3e11..58720b09f 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
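Review bot: The new backup branch in `create()` (hunk `@@ -33,6 +33,17 @@`) passes `config_options['key']['value']` and `config_options['cert']['value']` straight to `os.path.exists()`, but the ansible hunk in the same commit leaves `cert` and `key` as `default=None` with no `required=True`, so a task that omits either fails with a TypeError inside the backup instead of a clear argument error; declare them `cert=dict(default=None, required=True, type='str')` and `key=dict(default=None, required=True, type='str')`, or guard the branch on the value being set. The fixed `.orig` suffix also means a second run silently overwrites the previous backup, so only one generation is ever retained — commit 3effaa9 below switches to a timestamped name. `shutil.copy` carries the source's permission bits over, so the private-key backup inherits the key's mode rather than the umask default; that property is load-bearing here and deserves a comment on the `shutil.copy` line so nobody swaps in `copyfile`.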
@@ -73,6 +73,12 @@ options:
required: false
default: None
aliases: []
+ backup:
+ description:
+ - Whether to backup the cert and key files before writing them.
+ required: false
+ default: True
+ aliases: []
author:
- "Kenny Woodson "
extends_documentation_fragment: []
-- cgit v1.2.3
From 3effaa96c8e843a5820b98cf9c2dab608481c259 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 21 Feb 2017 20:15:28 -0500 Subject: Added backup feature. Fixed a bug with reading the certificate and verifying names. Added force option. --- .../src/ansible/oc_adm_ca_server_cert.py | 2 +- .../src/class/oc_adm_ca_server_cert.py | 36 ++++++++++++++++------ roles/lib_openshift/src/doc/ca_server_cert | 4 +-- roles/lib_openshift/src/lib/import.py | 2 ++ 4 files changed, 32 insertions(+), 12 deletions(-) (limited to 'roles/lib_openshift/src')
diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
index 367f6d932..197095cac 100644
--- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
@@ -19,7 +19,7 @@ def main():
signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
hostnames=dict(default=[], type='list'),
- overwrite=dict(default=False, type='bool'),
+ force=dict(default=False, type='bool'),
),
supports_check_mode=True,
)
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index ee6cd4a29..c0e7f292a 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -37,12 +37,15 @@ class CAServerCert(OpenShiftCLI):
# Added this here as a safegaurd for stomping on the
# cert and key files if they exist
if self.config.config_options['backup']['value']:
+ ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time()))
+ date_str = "%s_" + "%s" % ext
+
if os.path.exists(self.config.config_options['key']['value']):
shutil.copy(self.config.config_options['key']['value'],
- "%s.orig" % self.config.config_options['key']['value'])
+ date_str % self.config.config_options['key']['value'])
if os.path.exists(self.config.config_options['cert']['value']):
shutil.copy(self.config.config_options['cert']['value'],
- "%s.orig" % self.config.config_options['cert']['value'])
+ date_str % self.config.config_options['cert']['value'])
options = self.config.to_option_list()
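Review bot: `date_str = "%s_" + "%s" % ext` relies on `%` binding tighter than `+`; it does yield the intended `"%s_<timestamp>"` template, but it reads like a bug, and `date_str = "%%s_%s" % ext` — or simply `suffix = "_" + ext` used as `path + suffix` — says the same thing directly. `time.localtime(time.time())` is just `time.localtime()`, and the `@` and `:` in the format make the backup name awkward in shells and unusable on filesystems that reject colons, so a plain `"%Y%m%d%H%M%S"` is the safer choice; with second resolution, two runs inside the same second would still overwrite each other's backup. Note that `time` is not imported in this file at this commit (the commit adds it to lib/import.py in a hunk below, and commit 5fabd91 later moves it into this branch as a local import).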
@@ -60,13 +63,28 @@ class CAServerCert(OpenShiftCLI):
# Would prefer pyopenssl but is not installed.
# When we verify it is, switch this code
- proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+ # Here is the code to get the subject and the SAN
+ # openssl x509 -text -noout -certopt \
+ # no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux \
+ # -in /etc/origin/master/registry.crt
+ # Instead of this solution we will use a regex.
+ cert_names = []
+ hostnames = self.config.config_options['hostnames']['value'].split(',')
+ proc = subprocess.Popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdout, _ = proc.communicate()
+
+ x509output, _ = proc.communicate()
if proc.returncode == 0:
- for var in self.config.config_options['hostnames']['value'].split(','):
- if var in stdout:
- return True
+ regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)
+ match = regex.search(x509output) # E501
+ for entry in re.split(r", *", match.group(1)):
+ if entry.startswith('DNS') or entry.startswith('IP Address'):
+ cert_names.append(entry.split(':')[1])
+ # now that we have cert names let's compare
+ cert_set = set(cert_names)
+ hname_set = set(hostnames)
+ if cert_set.issubset(hname_set) and hname_set.issubset(cert_set):
+ return True
return False
@@ -78,7 +96,7 @@ class CAServerCert(OpenShiftCLI):
params['debug'],
{'cert': {'value': params['cert'], 'include': True},
'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
- 'overwrite': {'value': params['overwrite'], 'include': True},
+ 'overwrite': {'value': True, 'include': True},
'key': {'value': params['key'], 'include': True},
'signer_cert': {'value': params['signer_cert'], 'include': True},
'signer_key': {'value': params['signer_key'], 'include': True},
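Review bot: `match = regex.search(x509output)` is None for any certificate that carries no Subject Alternative Name extension, so the following `match.group(1)` raises AttributeError instead of reporting the certificate as not matching; add `if match is None: return False` before the `re.split` loop. The closing comparison `cert_set.issubset(hname_set) and hname_set.issubset(cert_set)` is just `cert_set == hname_set`, and `entry.split(':')[1]` truncates an `IP Address:` entry holding an IPv6 literal, so `entry.split(':', 1)[1]` is the safer split; an empty `hostnames` parameter also arrives here as `['']` after the `join`/`split` round trip, which can never equal a real SAN set. In the `@@ -78,7 +96,7 @@` hunk `overwrite` is now hard-coded to True, meaning `oc adm ca create-server-cert` will always overwrite existing files; that appears safe only because `create()` is reached when `exists()` is False or `force` is set, and that reasoning belongs in a comment on that line. If this module ever runs under Python 3, `x509output` is bytes and the str regex will not match — decode it first. `exists()` starts above this hunk.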
@@ -94,7 +112,7 @@ class CAServerCert(OpenShiftCLI):
########
# Create
########
- if not server_cert.exists() or params['overwrite']:
+ if not server_cert.exists() or params['force']:
if check_mode:
return {'changed': True,
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index 58720b09f..a8034158e 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -43,9 +43,9 @@ options:
required: false
default: None
aliases: []
- overwrite:
+ force:
description:
- - Overwrite existing cert files if found. If false, any existing file will be left as-is.
+ - Force updating of the existing cert and key files
required: false
default: False
aliases: []
diff --git a/roles/lib_openshift/src/lib/import.py b/roles/lib_openshift/src/lib/import.py
index a79297898..9a1fc6ef7 100644
--- a/roles/lib_openshift/src/lib/import.py
+++ b/roles/lib_openshift/src/lib/import.py
@@ -8,6 +8,8 @@ from __future__ import print_function
import atexit
import copy
+# pylint: disable=unused-import
+import time
import json
import os
import re
-- cgit v1.2.3
From 9c49ba4bb0b69604e98fc3dda65f8ccd40f19552 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 22 Feb 2017 11:19:51 -0500 Subject: Removing reference to oadm. Moved parameter under general params. --- roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'roles/lib_openshift/src')
diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
index 197095cac..c80c2eb44 100644
--- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
@@ -12,14 +12,14 @@ def main():
debug=dict(default=False, type='bool'),
kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
backup=dict(default=True, type='bool'),
- # oadm ca create-server-cert [options]
+ force=dict(default=False, type='bool'),
+ # oc adm ca create-server-cert [options]
cert=dict(default=None, type='str'),
key=dict(default=None, type='str'),
signer_cert=dict(default='/etc/origin/master/ca.crt', type='str'),
signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
hostnames=dict(default=[], type='list'),
- force=dict(default=False, type='bool'),
),
supports_check_mode=True,
)
-- cgit v1.2.3
From 5fabd910189a125df2943ef8092ff492f90617a1 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 22 Feb 2017 12:53:21 -0500 Subject: Moving import to local class. --- roles/lib_openshift/src/class/oc_adm_ca_server_cert.py | 1 + roles/lib_openshift/src/lib/import.py | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'roles/lib_openshift/src')
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index c0e7f292a..6ed1f2f35 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -37,6 +37,7 @@ class CAServerCert(OpenShiftCLI):
# Added this here as a safegaurd for stomping on the
# cert and key files if they exist
if self.config.config_options['backup']['value']:
+ import time
ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time()))
date_str = "%s_" + "%s" % ext
diff --git a/roles/lib_openshift/src/lib/import.py b/roles/lib_openshift/src/lib/import.py
index 9a1fc6ef7..a79297898 100644
--- a/roles/lib_openshift/src/lib/import.py
+++ b/roles/lib_openshift/src/lib/import.py
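Review bot: In the `@@ -37,6 +37,7 @@` hunk of commit 5fabd91 the `import time` lands inside the `if backup` branch of `create()`, so it executes on every backed-up run and is invisible to anyone reading the top of the class file; if the aim is to keep lib/import.py free of names only this module needs, placing `import time` at the top of class/oc_adm_ca_server_cert.py (after the `# flake8: noqa` line) keeps it out of the shared import block while still reading as a module-level import. A one-line comment on the import, e.g. `# stdlib-only import kept local to this module; lib/import.py is shared by all generated modules`, would record why it is not with the others. `create()` begins above this hunk.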
@@ -8,8 +8,6 @@ from __future__ import print_function
import atexit
import copy
-# pylint: disable=unused-import
-import time
import json
import os
import re
-- cgit v1.2.3