From b6ce0464142403785a7ba8eae664286082f4d30e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Barcarol=20Guimar=C3=A3es?= Date: Mon, 5 Dec 2016 16:34:32 +0000 Subject: Custom certificates (#5) * Generate secrets on a persistent directory. * Split certificate generation files. * Custom certificates. * Minor fixes. - use `slurp` instead of `shell: base64` - fix route hostname * Updates on origin-metrics. --- .../tasks/generate_hawkular_certificates.yaml | 227 +++++++++++++++++++++ 1 file changed, 227 insertions(+) create mode 100644 roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml new file mode 100644 index 000000000..4e032ca7e --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -0,0 +1,227 @@ +--- +- name: generate hawkular-metrics certificates + include: setup_certificate.yaml + vars: + component: hawkular-metrics + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" +- name: generate hawkular-cassandra certificates + include: setup_certificate.yaml + vars: + component: hawkular-cassandra + hostnames: hawkular-cassandra +- name: check existing aliases on the hawkular-cassandra truststore + shell: > + keytool -noprompt -list + -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + | sed -n '7~2s/,.*$//p' + register: hawkular_cassandra_truststore_aliases + changed_when: false +- name: check existing aliases on the hawkular-metrics truststore + shell: > + keytool -noprompt -list + -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + | sed -n '7~2s/,.*$//p' + register: hawkular_metrics_truststore_aliases + changed_when: false +- name: import the hawkular metrics cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-metrics + -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + when: > + 'hawkular-metrics' not in + hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the hawkular cassandra cert into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + when: > + 'hawkular-cassandra' not in + hawkular_metrics_truststore_aliases.stdout_lines +- name: import the hawkular cassandra cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + when: > + 'hawkular-cassandra' not in + hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the ca certificate into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ openshift_metrics_certs_dir }}/ca.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + with_items: + - ca + - metricca + - cassandraca + when: item not in hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the ca certificate into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ openshift_metrics_certs_dir }}/ca.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + with_items: + - ca + - metricca + - cassandraca + when: item not in hawkular_metrics_truststore_aliases.stdout_lines +- name: generate password for hawkular metrics and jgroups + shell: > + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + with_items: + - hawkular-metrics + - hawkular-jgroups-keystore + when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists +- name: generate htpasswd file for hawkular metrics + shell: > + htpasswd -ci + '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd' hawkular + < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd' + when: > + not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists +- name: generate the jgroups keystore + shell: > + p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) + && + keytool -genseckey -alias hawkular + -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' + when: > + not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists +- name: read files for the hawkular-metrics secret + shell: > + printf '%s: ' '{{ item }}' + && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' + register: hawkular_secrets + with_items: + - ca.crt + - hawkular-metrics.crt + - hawkular-metrics.keystore + - hawkular-metrics-keystore.pwd + - hawkular-metrics.truststore + - hawkular-metrics-truststore.pwd + - hawkular-metrics.pwd + - hawkular-metrics.htpasswd + - hawkular-jgroups.keystore + - hawkular-jgroups-keystore.pwd + - hawkular-cassandra.crt + - hawkular-cassandra.pem + - hawkular-cassandra.keystore + - hawkular-cassandra-keystore.pwd + - hawkular-cassandra.truststore + - hawkular-cassandra-truststore.pwd + changed_when: false +- set_fact: + hawkular_secrets: | + {{ hawkular_secrets.results|map(attribute='stdout')|join(' + ')|from_yaml }} +- name: generate hawkular-metrics-secrets secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml" + vars: + name: hawkular-metrics-secrets + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.keystore: > + {{ hawkular_secrets['hawkular-metrics.keystore'] }} + hawkular-metrics.keystore.password: > + {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }} + hawkular-metrics.truststore: > + {{ hawkular_secrets['hawkular-metrics.truststore'] }} + hawkular-metrics.truststore.password: > + {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }} + hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" + hawkular-metrics.htpasswd.file: > + {{ hawkular_secrets['hawkular-metrics.htpasswd'] }} + hawkular-metrics.jgroups.keystore: > + {{ hawkular_secrets['hawkular-jgroups.keystore'] }} + hawkular-metrics.jgroups.keystore.password: > + {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }} + hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" + when: name not in metrics_secrets.stdout_lines +- name: generate hawkular-metrics-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" + vars: + name: hawkular-metrics-certificate + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.certificate: > + {{ hawkular_secrets['hawkular-metrics.crt'] }} + hawkular-metrics-ca.certificate: > + {{ hawkular_secrets['ca.crt'] }} + when: name not in metrics_secrets.stdout_lines +- name: generate hawkular-metrics-account secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" + vars: + name: hawkular-metrics-account + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" + hawkular-metrics.password: > + {{ hawkular_secrets['hawkular-metrics.pwd'] }} + when: name not in metrics_secrets.stdout_lines +- name: generate cassandra secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" + vars: + name: hawkular-cassandra-secrets + labels: + metrics-infra: hawkular-cassandra + data: + cassandra.keystore: > + {{ hawkular_secrets['hawkular-cassandra.keystore'] }} + cassandra.keystore.password: > + {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }} + cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" + cassandra.truststore: > + {{ hawkular_secrets['hawkular-cassandra.truststore'] }} + cassandra.truststore.password: > + {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }} + cassandra.pem: > + {{ hawkular_secrets['hawkular-cassandra.pem'] }} + when: name not in metrics_secrets +- name: generate cassandra-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" + vars: + name: hawkular-cassandra-certificate + labels: + metrics-infra: hawkular-cassandra + data: + cassandra.certificate: > + {{ hawkular_secrets['hawkular-cassandra.crt'] }} + cassandra-ca.certificate: > + {{ hawkular_secrets['hawkular-cassandra.pem'] }} + when: name not in metrics_secrets.stdout_lines -- cgit v1.2.3 From 1e8928c96627218fdc422bfa3731f790699abfbb Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Fri, 6 Jan 2017 11:23:28 -0500 Subject: User provided certs pushed from control. vars reorg (#12) Merging per discussion and agreement from @bbguimaraes --- roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 4e032ca7e..f36175735 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -3,7 +3,7 @@ include: setup_certificate.yaml vars: component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}" - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: -- cgit v1.2.3 From a5f6e3f684a3294056d4d4e224226b90acc062e6 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 11 Jan 2017 14:07:19 -0500 Subject: additional code reviews --- .../tasks/generate_hawkular_certificates.yaml | 43 +++++++++++++++++----- 1 file changed, 34 insertions(+), 9 deletions(-) (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index f36175735..995440598 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -4,31 +4,37 @@ vars: component: hawkular-metrics hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}" + changed_when: no + - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: component: hawkular-cassandra hostnames: hawkular-cassandra + changed_when: no + - name: check existing aliases on the hawkular-cassandra truststore shell: > keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore + -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + '{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd')" | sed -n '7~2s/,.*$//p' register: hawkular_cassandra_truststore_aliases changed_when: false + - name: check existing aliases on the hawkular-metrics truststore shell: > keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore + -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + '{{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd')" | sed -n '7~2s/,.*$//p' register: hawkular_metrics_truststore_aliases changed_when: false + - name: import the hawkular metrics cert into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' @@ -38,8 +44,9 @@ when: > 'hawkular-metrics' not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the hawkular cassandra cert into the hawkular metrics truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' @@ -49,8 +56,9 @@ when: > 'hawkular-cassandra' not in hawkular_metrics_truststore_aliases.stdout_lines + - name: import the hawkular cassandra cert into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' @@ -60,8 +68,9 @@ when: > 'hawkular-cassandra' not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the ca certificate into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' @@ -73,8 +82,9 @@ - metricca - cassandraca when: item not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the ca certificate into the hawkular metrics truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' @@ -86,6 +96,7 @@ - metricca - cassandraca when: item not in hawkular_metrics_truststore_aliases.stdout_lines + - name: generate password for hawkular metrics and jgroups shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 @@ -94,6 +105,7 @@ - hawkular-metrics - hawkular-jgroups-keystore when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists + - name: generate htpasswd file for hawkular metrics shell: > htpasswd -ci @@ -101,6 +113,7 @@ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd' when: > not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists + - name: generate the jgroups keystore shell: > p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) @@ -110,6 +123,7 @@ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' when: > not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists + - name: read files for the hawkular-metrics secret shell: > printf '%s: ' '{{ item }}' @@ -133,10 +147,12 @@ - hawkular-cassandra.truststore - hawkular-cassandra-truststore.pwd changed_when: false + - set_fact: hawkular_secrets: | {{ hawkular_secrets.results|map(attribute='stdout')|join(' ')|from_yaml }} + - name: generate hawkular-metrics-secrets secret template template: src: secret.j2 @@ -163,6 +179,8 @@ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }} hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate hawkular-metrics-certificate secret template template: src: secret.j2 @@ -177,6 +195,8 @@ hawkular-metrics-ca.certificate: > {{ hawkular_secrets['ca.crt'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate hawkular-metrics-account secret template template: src: secret.j2 @@ -190,6 +210,8 @@ hawkular-metrics.password: > {{ hawkular_secrets['hawkular-metrics.pwd'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate cassandra secret template template: src: secret.j2 @@ -211,6 +233,8 @@ cassandra.pem: > {{ hawkular_secrets['hawkular-cassandra.pem'] }} when: name not in metrics_secrets + changed_when: no + - name: generate cassandra-certificate secret template template: src: secret.j2 @@ -225,3 +249,4 @@ cassandra-ca.certificate: > {{ hawkular_secrets['hawkular-cassandra.pem'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no -- cgit v1.2.3 From 9c6766e8588ff96bffc0479251dbbb5dd9c80521 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 12 Jan 2017 08:38:06 -0500 Subject: metrics fixes for yamlint --- roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 995440598..1306d0ccd 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -211,7 +211,7 @@ {{ hawkular_secrets['hawkular-metrics.pwd'] }} when: name not in metrics_secrets.stdout_lines changed_when: no - + - name: generate cassandra secret template template: src: secret.j2 -- cgit v1.2.3 From 868e800a1325a726c24afc752033434a80d13b2d Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 12 Jan 2017 16:52:23 -0500 Subject: additional cr fixes --- .../tasks/generate_hawkular_certificates.yaml | 27 +++++++++++----------- 1 file changed, 13 insertions(+), 14 deletions(-) (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 1306d0ccd..489856c27 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,22 +13,26 @@ hostnames: hawkular-cassandra changed_when: no +- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd + register: cassandra_truststore_password + - name: check existing aliases on the hawkular-cassandra truststore shell: > keytool -noprompt -list -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore - -storepass "$(< - '{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} | sed -n '7~2s/,.*$//p' register: hawkular_cassandra_truststore_aliases changed_when: false +- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd + register: hawkular_truststore_password + - name: check existing aliases on the hawkular-metrics truststore shell: > keytool -noprompt -list -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore - -storepass "$(< - '{{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} | sed -n '7~2s/,.*$//p' register: hawkular_metrics_truststore_aliases changed_when: false @@ -39,8 +43,7 @@ -alias hawkular-metrics -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} when: > 'hawkular-metrics' not in hawkular_cassandra_truststore_aliases.stdout_lines @@ -51,8 +54,7 @@ -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} when: > 'hawkular-cassandra' not in hawkular_metrics_truststore_aliases.stdout_lines @@ -63,8 +65,7 @@ -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} when: > 'hawkular-cassandra' not in hawkular_cassandra_truststore_aliases.stdout_lines @@ -75,8 +76,7 @@ -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} with_items: - ca - metricca @@ -89,8 +89,7 @@ -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} with_items: - ca - metricca -- cgit v1.2.3 From 65eb7e43faf38698b22b90ad3c743d1fecdc0961 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Tue, 17 Jan 2017 11:42:23 -0500 Subject: use pod to generate keystores (#14) --- .../tasks/generate_hawkular_certificates.yaml | 97 ++-------------------- 1 file changed, 6 insertions(+), 91 deletions(-) (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 489856c27..9cf4afee0 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,93 +13,16 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd register: cassandra_truststore_password -- name: check existing aliases on the hawkular-cassandra truststore - shell: > - keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore - -storepass {{cassandra_truststore_password.content | b64decode }} - | sed -n '7~2s/,.*$//p' - register: hawkular_cassandra_truststore_aliases - changed_when: false - -- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password -- name: check existing aliases on the hawkular-metrics truststore - shell: > - keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore - -storepass {{ hawkular_truststore_password.content | b64decode }} - | sed -n '7~2s/,.*$//p' - register: hawkular_metrics_truststore_aliases - changed_when: false - -- name: import the hawkular metrics cert into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-metrics - -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - when: > - 'hawkular-metrics' not in - hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the hawkular cassandra cert into the hawkular metrics truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass {{ hawkular_truststore_password.content | b64decode }} - when: > - 'hawkular-cassandra' not in - hawkular_metrics_truststore_aliases.stdout_lines - -- name: import the hawkular cassandra cert into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - when: > - 'hawkular-cassandra' not in - hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the ca certificate into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ openshift_metrics_certs_dir }}/ca.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - with_items: - - ca - - metricca - - cassandraca - when: item not in hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the ca certificate into the hawkular metrics truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ openshift_metrics_certs_dir }}/ca.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass {{ hawkular_truststore_password.content | b64decode }} - with_items: - - ca - - metricca - - cassandraca - when: item not in hawkular_metrics_truststore_aliases.stdout_lines - - name: generate password for hawkular metrics and jgroups - shell: > - tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + copy: + dest: '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + content: "{{ 15 | oo_random_word }}" with_items: - hawkular-metrics - hawkular-jgroups-keystore @@ -113,15 +36,7 @@ when: > not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists -- name: generate the jgroups keystore - shell: > - p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) - && - keytool -genseckey -alias hawkular - -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' - when: > - not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists +- include: import_jks_certs.yaml - name: read files for the hawkular-metrics secret shell: > -- cgit v1.2.3