authorBruno Barcarol GuimarĂ£es <bbarcaro@redhat.com>2016-12-05 16:34:32 +0000
committerJeff Cantrill <jcantril@redhat.com>2017-01-17 11:45:04 -0500
commitb6ce0464142403785a7ba8eae664286082f4d30e (patch)
tree3673f52a387edc2894ac11c23fad1253b1f1c9be /roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
parentf3f1f610c9e0fdf8115dd8ea61e647080ad42006 (diff)
Custom certificates (#5)
* Generate secrets on a persistent directory. * Split certificate generation files. * Custom certificates. * Minor fixes. - use `slurp` instead of `shell: base64` - fix route hostname * Updates on origin-metrics.
Diffstat (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml')
-rw-r--r--roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml227
1 files changed, 227 insertions, 0 deletions
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
new file mode 100644
index 000000000..4e032ca7e
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -0,0 +1,227 @@
+---
+- name: generate hawkular-metrics certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-metrics
+ hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}"
+- name: generate hawkular-cassandra certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-cassandra
+ hostnames: hawkular-cassandra
+- name: check existing aliases on the hawkular-cassandra truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_cassandra_truststore_aliases
+ changed_when: false
+- name: check existing aliases on the hawkular-metrics truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_metrics_truststore_aliases
+ changed_when: false
+- name: import the hawkular metrics cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-metrics
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-metrics' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_metrics_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_metrics_truststore_aliases.stdout_lines
+- name: generate password for hawkular metrics and jgroups
+ shell: >
+ tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
+ > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
+ with_items:
+ - hawkular-metrics
+ - hawkular-jgroups-keystore
+ when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists
+- name: generate htpasswd file for hawkular metrics
+ shell: >
+ htpasswd -ci
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd' hawkular
+ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists
+- name: generate the jgroups keystore
+ shell: >
+ p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' )
+ &&
+ keytool -genseckey -alias hawkular
+ -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists
+- name: read files for the hawkular-metrics secret
+ shell: >
+ printf '%s: ' '{{ item }}'
+ && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}'
+ register: hawkular_secrets
+ with_items:
+ - ca.crt
+ - hawkular-metrics.crt
+ - hawkular-metrics.keystore
+ - hawkular-metrics-keystore.pwd
+ - hawkular-metrics.truststore
+ - hawkular-metrics-truststore.pwd
+ - hawkular-metrics.pwd
+ - hawkular-metrics.htpasswd
+ - hawkular-jgroups.keystore
+ - hawkular-jgroups-keystore.pwd
+ - hawkular-cassandra.crt
+ - hawkular-cassandra.pem
+ - hawkular-cassandra.keystore
+ - hawkular-cassandra-keystore.pwd
+ - hawkular-cassandra.truststore
+ - hawkular-cassandra-truststore.pwd
+ changed_when: false
+- set_fact:
+ hawkular_secrets: |
+ {{ hawkular_secrets.results|map(attribute='stdout')|join('
+ ')|from_yaml }}
+- name: generate hawkular-metrics-secrets secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
+ vars:
+ name: hawkular-metrics-secrets
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.keystore: >
+ {{ hawkular_secrets['hawkular-metrics.keystore'] }}
+ hawkular-metrics.keystore.password: >
+ {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
+ hawkular-metrics.truststore: >
+ {{ hawkular_secrets['hawkular-metrics.truststore'] }}
+ hawkular-metrics.truststore.password: >
+ {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
+ hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
+ hawkular-metrics.htpasswd.file: >
+ {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
+ hawkular-metrics.jgroups.keystore: >
+ {{ hawkular_secrets['hawkular-jgroups.keystore'] }}
+ hawkular-metrics.jgroups.keystore.password: >
+ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }}
+ hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
+ vars:
+ name: hawkular-metrics-certificate
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.certificate: >
+ {{ hawkular_secrets['hawkular-metrics.crt'] }}
+ hawkular-metrics-ca.certificate: >
+ {{ hawkular_secrets['ca.crt'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-account secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
+ vars:
+ name: hawkular-metrics-account
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
+ hawkular-metrics.password: >
+ {{ hawkular_secrets['hawkular-metrics.pwd'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate cassandra secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+ vars:
+ name: hawkular-cassandra-secrets
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.keystore: >
+ {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
+ cassandra.keystore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
+ cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
+ cassandra.truststore: >
+ {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
+ cassandra.truststore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
+ cassandra.pem: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets
+- name: generate cassandra-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
+ vars:
+ name: hawkular-cassandra-certificate
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.crt'] }}
+ cassandra-ca.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets.stdout_lines
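Review bot: The `when` on the "generate cassandra secret template" task reads `when: name not in metrics_secrets`, dropping the `.stdout_lines` that every sibling template task uses; assuming `metrics_secrets` is a registered command result (it is defined outside this hunk), this tests membership among the result's keys rather than the existing secret names and is effectively always true, so that template is regenerated on every run — it should read `when: name not in metrics_secrets.stdout_lines`. Separately, every keytool invocation passes the store password as `-storepass "$(< …pwd)"`, which places the secret on the command line where it is readable in the process table for the duration of the call; keytool accepts `-storepass:file <path>` so the password file path can be passed instead of its contents. The two alias-listing tasks depend on `sed -n '7~2s/,.*$//p'`, i.e. on the exact line layout of `keytool -list`, which varies across JDK versions; a comment such as `# assumes keytool -list prints one alias every other line starting at line 7` would at least make that assumption visible to the next maintainer.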