addressing comments

2 files changed, 0 insertions, 295 deletions

diff --git a/roles/openshift_logging/files/signing.conf b/roles/openshift_logging/files/signing.conf
deleted file mode 100644
index 810a057d9..000000000
--- a/roles/openshift_logging/files/signing.conf
+++ /dev/null
@@ -1,103 +0,0 @@
-# Simple Signing CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-#dir                     = _output               # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits            = 2048                  # RSA key size
-encrypt_key             = yes                   # Protect private key
-default_md              = sha1                  # MD to use
-utf8                    = yes                   # Input is UTF-8
-string_mask             = utf8only              # Emit UTF-8 strings
-prompt                  = no                    # Don't prompt for DN
-distinguished_name      = ca_dn                 # DN section
-req_extensions          = ca_reqext             # Desired extensions
-
-[ ca_dn ]
-0.domainComponent       = "io"
-1.domainComponent       = "openshift"
-organizationName        = "OpenShift Origin"
-organizationalUnitName  = "Logging Signing CA"
-commonName              = "Logging Signing CA"
-
-[ ca_reqext ]
-keyUsage                = critical,keyCertSign,cRLSign
-basicConstraints        = critical,CA:true,pathlen:0
-subjectKeyIdentifier    = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ ca ]
-default_ca              = signing_ca            # The default CA section
-
-[ signing_ca ]
-certificate             = $dir/ca.crt       # The CA cert
-private_key             = $dir/ca.key # CA private key
-new_certs_dir           = $dir/           # Certificate archive
-serial                  = $dir/ca.serial.txt # Serial number file
-crlnumber               = $dir/ca.crl.srl # CRL number file
-database                = $dir/ca.db # Index file
-unique_subject          = no                    # Require unique subject
-default_days            = 730                   # How long to certify for
-default_md              = sha1                  # MD to use
-policy                  = any_pol             # Default naming policy
-email_in_dn             = no                    # Add email to cert DN
-preserve                = no                    # Keep passed DN ordering
-name_opt                = ca_default            # Subject DN display options
-cert_opt                = ca_default            # Certificate display options
-copy_extensions         = copy                  # Copy extensions from CSR
-x509_extensions         = client_ext             # Default cert extensions
-default_crl_days        = 7                     # How long before next CRL
-crl_extensions          = crl_ext               # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent         = match                 # Must match 'simple.org'
-organizationName        = match                 # Must match 'Simple Inc'
-organizationalUnitName  = optional              # Included if present
-commonName              = supplied              # Must be present
-
-[ any_pol ]
-domainComponent         = optional
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = optional
-emailAddress            = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ client_ext ]
-keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = CA:false
-extendedKeyUsage        = clientAuth
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid
-
-[ server_ext ]
-keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = CA:false
-extendedKeyUsage        = serverAuth,clientAuth
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier  = keyid
diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh
deleted file mode 100644
index 5752a0fcd..000000000
--- a/roles/openshift_logging/files/util.sh
+++ /dev/null
@@ -1,192 +0,0 @@
-#!/bin/bash
-
-function generate_JKS_chain() {
-  dir=${SCRATCH_DIR:-_output}
-  ADD_OID=$1
-  NODE_NAME=$2
-  CERT_NAMES=${3:-$NODE_NAME}
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  rm -rf $NODE_NAME
-
-  extension_names=""
-  for name in ${CERT_NAMES//,/ }; do
-	extension_names="${extension_names},dns:${name}"
-  done
-
-  if [ "$ADD_OID" = true ]; then
-    extension_names="${extension_names},oid:1.2.3.4.5.5"
-  fi
-
-  echo Generating keystore and certificate for node $NODE_NAME
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/keystore.jks \
-        -keypass   $ks_pass \
-        -storepass $ks_pass \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-        -alias      $NODE_NAME \
-        -keystore   $dir/keystore.jks \
-        -storepass  $ks_pass \
-        -file       $dir/$NODE_NAME.csr \
-        -keyalg     rsa \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Sign certificate request with CA
-
-  openssl ca \
-    -in $dir/$NODE_NAME.csr \
-    -notext \
-    -out $dir/$NODE_NAME.crt \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/keystore.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/keystore.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo "Import CA to truststore for validating client certs"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/truststore.jks   \
-    -storepass $ts_pass  \
-    -noprompt -alias sig-ca
-
-  echo All done for $NODE_NAME
-}
-
-function generate_PEM_cert() {
-  NODE_NAME="$1"
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-}
-
-function generate_JKS_client_cert() {
-  NODE_NAME="$1"
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/$NODE_NAME.jks \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -keypass $ks_pass \
-        -storepass $ks_pass \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-          -alias      $NODE_NAME \
-          -keystore   $dir/$NODE_NAME.jks \
-          -file       $dir/$NODE_NAME.csr \
-          -keyalg     rsa \
-          -keypass $ks_pass \
-          -storepass $ks_pass \
-          -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/$NODE_NAME.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/$NODE_NAME.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo All done for $NODE_NAME
-}
-
-function join { local IFS="$1"; shift; echo "$*"; }
-
-function get_es_dcs() {
-  oc get dc --selector logging-infra=elasticsearch -o name
-}
-
-function get_curator_dcs() {
-  oc get dc --selector logging-infra=curator -o name
-}
-
-function extract_nodeselector() {
-  local inputstring="${1//\"/}"  # remove any errant double quotes in the inputs
-  local selectors=()
-
-  for keyvalstr in ${inputstring//\,/ }; do
-
-    keyval=( ${keyvalstr//=/ } )
-
-    if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
-      selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
-    else
-      echo "Could not make a node selector label from '${keyval[*]}'"
-      exit 255
-    fi
-  done
-
-  if [[ "${#selectors[*]}" -gt 0 ]]; then
-    echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
-  fi
-}