Diffstat (limited to 'roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml')
-rw-r--r--roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml227
1 files changed, 227 insertions, 0 deletions
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
new file mode 100644
index 000000000..4e032ca7e
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -0,0 +1,227 @@
+---
+- name: generate hawkular-metrics certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-metrics
+ hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}"
+- name: generate hawkular-cassandra certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-cassandra
+ hostnames: hawkular-cassandra
+- name: check existing aliases on the hawkular-cassandra truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_cassandra_truststore_aliases
+ changed_when: false
+- name: check existing aliases on the hawkular-metrics truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_metrics_truststore_aliases
+ changed_when: false
+- name: import the hawkular metrics cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-metrics
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-metrics' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_metrics_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_metrics_truststore_aliases.stdout_lines
+- name: generate password for hawkular metrics and jgroups
+ shell: >
+ tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
+ > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
+ with_items:
+ - hawkular-metrics
+ - hawkular-jgroups-keystore
+ when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists
+- name: generate htpasswd file for hawkular metrics
+ shell: >
+ htpasswd -ci
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd' hawkular
+ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists
+- name: generate the jgroups keystore
+ shell: >
+ p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' )
+ &&
+ keytool -genseckey -alias hawkular
+ -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists
+- name: read files for the hawkular-metrics secret
+ shell: >
+ printf '%s: ' '{{ item }}'
+ && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}'
+ register: hawkular_secrets
+ with_items:
+ - ca.crt
+ - hawkular-metrics.crt
+ - hawkular-metrics.keystore
+ - hawkular-metrics-keystore.pwd
+ - hawkular-metrics.truststore
+ - hawkular-metrics-truststore.pwd
+ - hawkular-metrics.pwd
+ - hawkular-metrics.htpasswd
+ - hawkular-jgroups.keystore
+ - hawkular-jgroups-keystore.pwd
+ - hawkular-cassandra.crt
+ - hawkular-cassandra.pem
+ - hawkular-cassandra.keystore
+ - hawkular-cassandra-keystore.pwd
+ - hawkular-cassandra.truststore
+ - hawkular-cassandra-truststore.pwd
+ changed_when: false
+- set_fact:
+ hawkular_secrets: |
+ {{ hawkular_secrets.results|map(attribute='stdout')|join('
+ ')|from_yaml }}
+- name: generate hawkular-metrics-secrets secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
+ vars:
+ name: hawkular-metrics-secrets
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.keystore: >
+ {{ hawkular_secrets['hawkular-metrics.keystore'] }}
+ hawkular-metrics.keystore.password: >
+ {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
+ hawkular-metrics.truststore: >
+ {{ hawkular_secrets['hawkular-metrics.truststore'] }}
+ hawkular-metrics.truststore.password: >
+ {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
+ hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
+ hawkular-metrics.htpasswd.file: >
+ {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
+ hawkular-metrics.jgroups.keystore: >
+ {{ hawkular_secrets['hawkular-jgroups.keystore'] }}
+ hawkular-metrics.jgroups.keystore.password: >
+ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }}
+ hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
+ vars:
+ name: hawkular-metrics-certificate
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.certificate: >
+ {{ hawkular_secrets['hawkular-metrics.crt'] }}
+ hawkular-metrics-ca.certificate: >
+ {{ hawkular_secrets['ca.crt'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-account secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
+ vars:
+ name: hawkular-metrics-account
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
+ hawkular-metrics.password: >
+ {{ hawkular_secrets['hawkular-metrics.pwd'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate cassandra secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+ vars:
+ name: hawkular-cassandra-secrets
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.keystore: >
+ {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
+ cassandra.keystore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
+ cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
+ cassandra.truststore: >
+ {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
+ cassandra.truststore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
+ cassandra.pem: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets
+- name: generate cassandra-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
+ vars:
+ name: hawkular-cassandra-certificate
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.crt'] }}
+ cassandra-ca.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets.stdout_lines
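Review bot: The guard on the "generate cassandra secret template" task, `when: name not in metrics_secrets`, tests the name against the registered result mapping rather than its output, so it can never match and the hawkular-cassandra-secrets template is regenerated on every run, unlike the sibling tasks that check `metrics_secrets.stdout_lines`; it should read `when: name not in metrics_secrets.stdout_lines`. Separately, every keytool invocation in this file passes the store password on the command line via `-storepass "$(< '…pwd')"`, which exposes it to any local user through the process list for the lifetime of the call; keytool accepts a file directly, so `-storepass:file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd'` (and the matching form for the hawkular-metrics truststore) avoids that without changing behaviour. The password files created in the "generate password for hawkular metrics and jgroups" task are written with a bare `>` redirection, so their mode is whatever the play's umask yields — presumably readable by other users unless the certs directory itself is restricted; prefixing the shell with `umask 077 &&` or creating the files through the file module with an explicit mode would pin this down. The jgroups keystore is generated with `-keyalg Blowfish -keysize 56`, which is a notably short symmetric key; if the JGroups configuration permits it, a longer key size would be worth confirming with the consumer of that keystore.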