---
# Certificates for the two metrics components. Both go through the shared
# setup_certificate.yaml with a component name and a comma-separated hostname
# list (presumably the names the issued certificate must be valid for — see
# that file for how it is consumed).
- name: generate hawkular-metrics certificates
  include: setup_certificate.yaml
  vars:
    component: hawkular-metrics
    # short service name, in-cluster FQDN, and the externally routed hostname
    hostnames: "hawkular-metrics,hawkular-metrics.{{ openshift_metrics_project }}.svc.cluster.local,{{ openshift_metrics_hawkular_hostname }}"
  changed_when: false

- name: generate hawkular-cassandra certificates
  include: setup_certificate.yaml
  vars:
    component: hawkular-cassandra
    # only the bare service name is listed here, unlike hawkular-metrics above
    hostnames: hawkular-cassandra
  changed_when: false

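# Read the truststore password written by the certificate setup into a
# registered variable (presumably consumed by import_jks_certs.yaml below).
# slurp returns the file content base64-encoded inside the result, which is
# printed with verbose output unless the task is marked no_log.
- name: read hawkular-metrics truststore password
  slurp:
    src: "{{ mktemp.stdout }}/hawkular-metrics-truststore.pwd"
  register: hawkular_truststore_password
  no_log: true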

# Record whether the password files already exist on the target, then fold the
# per-item stat results into a single dict keyed by file name. pwd_files is not
# referenced anywhere else in this file; it may be used by an included task file.
- name: check which hawkular-metrics password files already exist
  stat:
    path: "{{ mktemp.stdout }}/{{ item }}"
  register: pwd_file_stat
  with_items:
    - hawkular-metrics.pwd
    - hawkular-metrics.htpasswd
  changed_when: false

- name: collect password file stat results keyed by file name
  set_fact:
    pwd_files: "{{ pwd_files | default({}) | combine({item.item: item.stat}) }}"
  with_items: "{{ pwd_file_stat.results }}"
  changed_when: false

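# Generate the hawkular-metrics credentials on the control host and ship them
# to the target's temp directory. The password comes from the project's
# oo_random_word filter (15 characters). Its value is part of the module
# arguments and would be printed with -v output, hence no_log; the file is
# written owner-only instead of relying on the local umask.
- name: generate password for hawkular metrics
  copy:
    dest: "{{ local_tmp.stdout }}/{{ item }}.pwd"
    content: "{{ 15 | oo_random_word }}"
    mode: "0600"
  delegate_to: localhost
  with_items:
    - hawkular-metrics
  no_log: true

# htpasswd reads the password from stdin (-i, fed by the redirect) rather than
# taking it on the command line, so it never shows up in the process list.
# -c creates or overwrites the file; umask 077 keeps the local copy owner-only.
- name: generate htpasswd file for hawkular metrics
  local_action: >
    shell umask 077 &&
    htpasswd -ci
    '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular
    < '{{ local_tmp.stdout }}/hawkular-metrics.pwd'

# The remote temp files hold the plaintext password and its hash; restrict
# them to the owner rather than inheriting the remote default mode.
- name: copy local generated passwords to target
  copy:
    src: "{{ local_tmp.stdout }}/{{ item }}"
    dest: "{{ mktemp.stdout }}/{{ item }}"
    mode: "0600"
  with_items:
    - hawkular-metrics.pwd
    - hawkular-metrics.htpasswd

# Builds the JKS keystore/truststore from the generated material (see that file).
- include: import_jks_certs.yaml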

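# Emit each generated artifact as one "<file>: <base64>" line (--wrap 0 keeps
# the encoding on a single line with no trailing newline). Judging by their
# names several of these are private material (keystore, Cassandra private
# key, password files), so the registered stdout must not reach verbose task
# output — drop no_log temporarily if the command itself needs debugging.
- name: read files for the hawkular-metrics secret
  shell: >
    printf '%s: ' '{{ item }}'
    && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}'
  register: hawkular_secrets
  with_items:
    - ca.crt
    - hawkular-metrics.crt
    - hawkular-metrics.keystore
    - hawkular-metrics-keystore.pwd
    - hawkular-metrics.truststore
    - hawkular-metrics-truststore.pwd
    - hawkular-metrics.pwd
    - hawkular-metrics.htpasswd
    - hawkular-cassandra.crt
    - hawkular-cassandra.key
    - hawkular-cassandra.pem
  changed_when: false
  no_log: true

# Join the "key: value" lines into a single YAML document and parse it into a
# dict keyed by file name. The literal newline inside join('...') is the
# separator and is intentional. The resulting fact carries the same secret
# material as above, so it is likewise kept out of the log.
- set_fact:
    hawkular_secrets: |
      {{ hawkular_secrets.results|map(attribute='stdout')|join('
      ')|from_yaml }}
  no_log: true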

# Render the hawkular-metrics-secrets Secret manifest from secret.j2. Values
# taken from hawkular_secrets are already base64-encoded by the read step
# above; the alias is encoded inline. Skipped when a secret of this name is
# already listed in metrics_secrets (registered earlier, outside this file).
- name: generate hawkular-metrics-secrets secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
  vars:
    name: hawkular-metrics-secrets
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.keystore: >
        {{ hawkular_secrets['hawkular-metrics.keystore'] }}
      hawkular-metrics.keystore.password: >
        {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
      hawkular-metrics.truststore: >
        {{ hawkular_secrets['hawkular-metrics.truststore'] }}
      hawkular-metrics.truststore.password: >
        {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
      hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics' | b64encode }}"
      hawkular-metrics.htpasswd.file: >
        {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
  when: not (name in metrics_secrets.stdout_lines)
  changed_when: false

# Render the hawkular-metrics-certificate Secret: the service certificate and
# the CA that issued it (both public material, base64 from the read step).
# Skipped when a secret of this name already exists in metrics_secrets.
- name: generate hawkular-metrics-certificate secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
  vars:
    name: hawkular-metrics-certificate
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.certificate: >
        {{ hawkular_secrets['hawkular-metrics.crt'] }}
      hawkular-metrics-ca.certificate: >
        {{ hawkular_secrets['ca.crt'] }}
  when: not (name in metrics_secrets.stdout_lines)
  changed_when: false

# Render the hawkular-metrics-account Secret: the fixed username "hawkular"
# (matching the htpasswd entry created above) and the generated password.
# Skipped when a secret of this name already exists in metrics_secrets.
- name: generate hawkular-metrics-account secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
  vars:
    name: hawkular-metrics-account
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.username: "{{ 'hawkular' | b64encode }}"
      hawkular-metrics.password: >
        {{ hawkular_secrets['hawkular-metrics.pwd'] }}
  when: not (name in metrics_secrets.stdout_lines)
  changed_when: false

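# Render the hawkular-cassandra-certs Secret. The "peer" truststore entry is
# Cassandra's own certificate and the "client" truststore entry is the
# hawkular-metrics certificate, i.e. each side is pinned to exactly one
# identity rather than to the CA (assuming the consumer uses these keys as
# truststores — confirm against the Cassandra/hawkular config).
#
# The guard now matches the sibling tasks. It previously read
# `name not in metrics_secrets`, which appears to test the keys of the
# registered result rather than its stdout_lines, so it never prevented the
# template from being regenerated over an existing secret.
- name: generate cassandra secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-certs.yaml"
  vars:
    name: hawkular-cassandra-certs
    labels:
      metrics-infra: hawkular-cassandra-certs
    annotations:
      service.alpha.openshift.io/originating-service-name: hawkular-cassandra
    data:
      tls.crt: >
        {{ hawkular_secrets['hawkular-cassandra.crt'] }}
      tls.key: >
        {{ hawkular_secrets['hawkular-cassandra.key'] }}
      tls.peer.truststore.crt: >
        {{ hawkular_secrets['hawkular-cassandra.crt'] }}
      tls.client.truststore.crt: >
        {{ hawkular_secrets['hawkular-metrics.crt'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: false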