summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xroles/openshift_metrics/files/import_jks_certs.sh2
-rw-r--r--roles/openshift_metrics/tasks/import_jks_certs.yaml146
-rw-r--r--roles/openshift_metrics/templates/jks_pod.j238
3 files changed, 49 insertions, 137 deletions
diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh
index bb046df87..f4315ef34 100755
--- a/roles/openshift_metrics/files/import_jks_certs.sh
+++ b/roles/openshift_metrics/files/import_jks_certs.sh
@@ -114,5 +114,3 @@ function import_certs() {
}
import_certs
-
-exit 0
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
index f6bf6c1a6..f5192b005 100644
--- a/roles/openshift_metrics/tasks/import_jks_certs.yaml
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -1,76 +1,4 @@
---
-- name: Check for jks-generator service account
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- get serviceaccount/jks-generator --no-headers
- register: serviceaccount_result
- ignore_errors: yes
- when: not ansible_check_mode
- changed_when: no
-
-- name: Create jks-generator service account
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- create serviceaccount jks-generator
- when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
-
-- name: Check for hostmount-anyuid scc entry
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- get scc hostmount-anyuid
- -o jsonpath='{.users}'
- register: scc_result
- when: not ansible_check_mode
- changed_when: no
-
-- name: Add to hostmount-anyuid scc
- command: >
- {{ openshift.common.admin_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- policy add-scc-to-user hostmount-anyuid
- -z jks-generator
- when:
- - not ansible_check_mode
- - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1
-
-- name: Copy JKS generation script
- copy:
- src: import_jks_certs.sh
- dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"
- check_mode: no
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
- register: metrics_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
- register: cassandra_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
- register: jgroups_keystore_password
-
-- name: Generate JKS pod template
- template:
- src: jks_pod.j2
- dest: "{{mktemp.stdout}}/jks_pod.yaml"
- vars:
- metrics_keystore_passwd: "{{metrics_keystore_password.content}}"
- cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}"
- metrics_truststore_passwd: "{{hawkular_truststore_password.content}}"
- cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}"
- jgroups_passwd: "{{jgroups_keystore_password.content}}"
- check_mode: no
- changed_when: no
-
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
- register: metrics_keystore
- check_mode: no
-
- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
register: cassandra_keystore
check_mode: no
@@ -79,6 +7,10 @@
register: cassandra_truststore
check_mode: no
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+ register: metrics_keystore
+ check_mode: no
+
- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
register: metrics_truststore
check_mode: no
@@ -87,32 +19,52 @@
register: jgroups_keystore
check_mode: no
-- name: create JKS pod
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- create -f {{mktemp.stdout}}/jks_pod.yaml
- -o name
- register: podoutput
- check_mode: no
- when: not metrics_keystore.stat.exists or
- not metrics_truststore.stat.exists or
- not cassandra_keystore.stat.exists or
- not cassandra_truststore.stat.exists or
- not jgroups_keystore.stat.exists
+- block:
+ - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+ register: metrics_keystore_password
+
+ - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+ register: cassandra_keystore_password
+
+ - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+ register: jgroups_keystore_password
+
+ - local_action: command mktemp -d
+ register: local_tmp
+ changed_when: False
+
+ - fetch:
+ dest: "{{local_tmp.stdout}}/"
+ src: "{{ openshift_metrics_certs_dir }}/{{item}}"
+ flat: yes
+ changed_when: False
+ with_items:
+ - hawkular-metrics.pkcs12
+ - hawkular-cassandra.pkcs12
+ - hawkular-metrics.crt
+ - hawkular-cassandra.crt
+ - ca.crt
+
+ - local_action: command {{role_path}}/files/import_jks_certs.sh
+ environment:
+ CERT_DIR: "{{local_tmp.stdout}}"
+ METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}"
+ CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}"
+ METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
+ CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}"
+ JGROUPS_PASSWD: "{{jgroups_keystore_password.content}}"
+ changed_when: False
+
+ - copy:
+ dest: "{{openshift_metrics_certs_dir}}/"
+ src: "{{item}}"
+ with_fileglob: "{{local_tmp.stdout}}/*.*store"
+
+ - file:
+ path: "{{local_tmp.stdout}}"
+ state: absent
+ changed_when: False
-- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- get {{podoutput.stdout}}
- -o jsonpath='{.status.phase}'
- register: result
- until: result.stdout.find("Succeeded") != -1
- retries: 5
- delay: 10
- changed_when: no
when: not metrics_keystore.stat.exists or
not metrics_truststore.stat.exists or
not cassandra_keystore.stat.exists or
diff --git a/roles/openshift_metrics/templates/jks_pod.j2 b/roles/openshift_metrics/templates/jks_pod.j2
deleted file mode 100644
index e86fe38a4..000000000
--- a/roles/openshift_metrics/templates/jks_pod.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- metrics-infra: support
- generateName: jks-cert-gen-
-spec:
- containers:
- - name: jks-cert-gen
- image: {{openshift_metrics_image_prefix}}metrics-deployer:{{openshift_metrics_image_version}}
- imagePullPolicy: Always
- command: ["sh", "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"]
- securityContext:
- runAsUser: 0
- volumeMounts:
- - mountPath: {{openshift_metrics_certs_dir}}
- name: certmount
- env:
- - name: CERT_DIR
- value: {{openshift_metrics_certs_dir}}
- - name: METRICS_KEYSTORE_PASSWD
- value: {{metrics_keystore_passwd}}
- - name: CASSANDRA_KEYSTORE_PASSWD
- value: {{cassandra_keystore_passwd}}
- - name: METRICS_TRUSTSTORE_PASSWD
- value: {{metrics_truststore_passwd}}
- - name: CASSANDRA_TRUSTSTORE_PASSWD
- value: {{cassandra_truststore_passwd}}
- - name: hawkular_cassandra_alias
- value: {{cassandra_keystore_passwd}}
- - name: JGROUPS_PASSWD
- value: {{jgroups_passwd}}
- restartPolicy: Never
- serviceAccount: jks-generator
- volumes:
- - hostPath:
- path: "{{openshift_metrics_certs_dir}}"
- name: certmount