author | Bruno Barcarol GuimarĂ£es <bbarcaro@redhat.com> | 2016-12-05 16:34:32 +0000 |
---|---|---|
committer | Jeff Cantrill <jcantril@redhat.com> | 2017-01-17 11:45:04 -0500 |
commit | b6ce0464142403785a7ba8eae664286082f4d30e (patch) | |
tree | 3673f52a387edc2894ac11c23fad1253b1f1c9be /roles/openshift_metrics/tasks/setup_certificate.yaml | |
parent | f3f1f610c9e0fdf8115dd8ea61e647080ad42006 (diff) | |
Custom certificates (#5)
* Generate secrets on a persistent directory.
* Split certificate generation files.
* Custom certificates.
* Minor fixes.
- use `slurp` instead of `shell: base64`
- fix route hostname
* Updates on origin-metrics.
Diffstat (limited to 'roles/openshift_metrics/tasks/setup_certificate.yaml')
-rw-r--r-- | roles/openshift_metrics/tasks/setup_certificate.yaml | 60 |
1 files changed, 31 insertions, 29 deletions
diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml
index 46ac4ea7f..d6ee4167b 100644
--- a/roles/openshift_metrics/tasks/setup_certificate.yaml
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml
@@ -2,49 +2,51 @@ - name: generate {{ component }} keys command: > {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/{{ component }}.key' - --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt' + --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' + --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' + --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists - name: generate {{ component }} certificate shell: > cat - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key' - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt' - > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.key' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.crt' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.pem' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore - shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - register: keystore_pwd -- name: create the password file for {{ component }} shell: > - echo '{{ keystore_pwd.stdout|quote }}' - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd' + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd' + when: > + not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ mktemp.stdout }}/certs/{{ 
component }}.pem' - -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter - -password 'pass:{{ keystore_pwd.stdout }}' + -password + 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: create the {{ component }} keystore from the pkcs12 file - command: > + shell: > + p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) + && keytool -v -importkeystore - -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -srckeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -srcstoretype PKCS12 - -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' + -destkeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore' -deststoretype JKS - -deststorepass '{{ keystore_pwd.stdout }}' - -srcstorepass '{{ keystore_pwd.stdout }}' -- name: create the {{ component }} certificate - command: > - keytool -noprompt -export - -alias '{{ component }}' - -file '{{ mktemp.stdout }}/certs/{{ component }}.cert' - -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' - -storepass '{{ keystore_pwd.stdout }}' + -deststorepass "$p" + -srcstorepass "$p" + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - name: generate random password for the {{ component }} truststore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-truststore.pwd' + when: > + not + '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists |
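Review bot: The keystore and truststore password files are created by bare shell redirection (`> '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd'`) with whatever umask the remote shell happens to have, and now that the directory is persistent rather than a mktemp tree nothing in this hunk restricts their mode; prefix those `shell:` scalars with `umask 077 &&` or follow each with a `file:` task setting `mode: 0600`. The `when: not '...'|exists` guards only test whether each artifact exists, so a regenerated `.key`/`.crt` (for example after `hostnames` changes) never propagates into an existing `.pem`, `.pkcs12` or `.keystore`; either clear the derived files together or guard on the upstream artifact's freshness. `p=$(< ...)` in the keystore task is a bash feature: under a POSIX `/bin/sh` (the `shell` module's default unless `executable: /bin/bash` is set) it expands to an empty string and keytool would run with empty store passwords. Passing `"$p"` as `-deststorepass`/`-srcstorepass` also leaves the password visible in the process list for the duration of the import; keytool's `-srcstorepass:file`/`-deststorepass:file` forms would read it from the same `.pwd` file instead. Finally, the rewritten paths drop the `|quote` that `mktemp.stdout|quote` carried, so `openshift_metrics_certs_dir` is now interpolated unquoted inside the `shell:` strings — inconsistent with the `component|quote` on the same lines.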