roles/openshift_service_catalog/tasks/generate_certs.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

---
- name: Create service catalog cert directory
  file:
    path: "{{ openshift.common.config_base }}/service-catalog"
    state: directory
    mode: 0755
  changed_when: False
  check_mode: no

- set_fact:
    generated_certs_dir: "{{ openshift.common.config_base }}/service-catalog"

- name: Generate signing cert
  command: >
    {{ openshift.common.client_binary }} adm --config=/etc/origin/master/admin.kubeconfig ca create-signer-cert
    --key={{ generated_certs_dir }}/ca.key --cert={{ generated_certs_dir }}/ca.crt
    --serial={{ generated_certs_dir }}/apiserver.serial.txt --name=service-catalog-signer

- name: Delete old apiserver.crt
  file:
    path: "{{ generated_certs_dir }}/apiserver.crt"
    state: absent

- name: Delete old apiserver.key
  file:
    path: "{{ generated_certs_dir }}/apiserver.key"
    state: absent

- name: Generating server keys
  oc_adm_ca_server_cert:
    cert: "{{ generated_certs_dir }}/apiserver.crt"
    key: "{{ generated_certs_dir }}/apiserver.key"
    hostnames: "apiserver.kube-service-catalog.svc,apiserver.kube-service-catalog.svc.cluster.local,apiserver.kube-service-catalog"
    signer_cert: "{{ generated_certs_dir }}/ca.crt"
    signer_key: "{{ generated_certs_dir }}/ca.key"
    signer_serial: "{{ generated_certs_dir }}/apiserver.serial.txt"

- name: Create apiserver-ssl secret
  oc_secret:
    state: present
    name: apiserver-ssl
    namespace: kube-service-catalog
    files:
    - name: tls.crt
      path: "{{ generated_certs_dir }}/apiserver.crt"
    - name: tls.key
      path: "{{ generated_certs_dir }}/apiserver.key"

- name: Create service-catalog-ssl secret
  oc_secret:
    state: present
    name: service-catalog-ssl
    namespace: kube-service-catalog
    files:
    - name: tls.crt
      path: "{{ generated_certs_dir }}/apiserver.crt"

- slurp:
    src: "{{ generated_certs_dir }}/ca.crt"
  register: apiserver_ca

- shell: >
    {{ openshift.common.client_binary }} --config=/etc/origin/master/admin.kubeconfig get apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found"
  register: get_apiservices
  changed_when: no

- name: Create api service
  oc_obj:
    state: present
    name: v1beta1.servicecatalog.k8s.io
    kind: apiservices.apiregistration.k8s.io
    namespace: "kube-service-catalog"
    content:
      path: /tmp/apisvcout
      data:
        apiVersion: apiregistration.k8s.io/v1beta1
        kind: APIService
        metadata:
          name: v1beta1.servicecatalog.k8s.io
        spec:
          group: servicecatalog.k8s.io
          version: v1beta1
          service:
            namespace: "kube-service-catalog"
            name: apiserver
          caBundle: "{{ apiserver_ca.content }}"
          groupPriorityMinimum: 20
          versionPriority: 10
  when: "'not found' in get_apiservices.stdout"