Diffstat (limited to 'roles/openshift_logging/tasks/generate_jks_chain.yaml')
-rw-r--r-- | roles/openshift_logging/tasks/generate_jks_chain.yaml | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/generate_jks_chain.yaml b/roles/openshift_logging/tasks/generate_jks_chain.yaml
new file mode 100644
index 000000000..14ffdc51f
--- /dev/null
+++ b/roles/openshift_logging/tasks/generate_jks_chain.yaml
@@ -0,0 +1,60 @@
+---
+- debug: msg="certs are {{chain_certs}} and oid is {{oid}}"
+  when: chain_certs is defined and oid is defined
+
+- debug: msg="certs are {{chain_certs}}"
+  when: chain_certs is defined and oid is undefined
+
+- name: Build extensions with certs
+  shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid:1.2.3.4.5.5','') }}"
+  register: cert_ext
+  when: chain_certs is defined and oid is defined
+  check_mode: no
+
+- debug: msg="extensions are {{cert_ext.stdout}}"
+  when: cert_ext.stdout is defined
+
+- shell: >
+    echo {{ (cert_ext.stdout is defined) | ternary( '-ext san=dns:localhost,ip:127.0.0.1','') }}{{ (cert_ext.stdout is defined) | ternary( cert_ext.stdout, '') }}
+  register: extensions
+  check_mode: no
+
+- name: Checking for {{component}}.jks ...
+  stat: path="{{generated_certs_dir}}/{{component}}.jks"
+  register: jks_file
+  check_mode: no
+
+- name: Checking for truststore...
+  stat: path="{{generated_certs_dir}}/truststore.jks"
+  register: jks_truststore
+  check_mode: no
+
+- block:
+    - shell: >
+        keytool -genkey -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -keypass kspass -storepass kspass
+        -keyalg RSA -keysize 2048 -validity 712 -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
+
+    - shell: >
+        keytool -certreq -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -storepass kspass
+        -file {{generated_certs_dir}}/{{component}}-jks.csr -keyalg RSA -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
+
+    - shell: >
+        openssl ca -in {{generated_certs_dir}}/{{component}}-jks.csr -notext -out {{generated_certs_dir}}/{{component}}-jks.crt
+        -config {{generated_certs_dir}}/signing.conf -extensions v3_req -batch -extensions server_ext
+
+    - shell: >
+        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/{{component}}.jks
+        -storepass kspass -noprompt -alias sig-ca
+
+    - shell: >
+        keytool -import -file {{generated_certs_dir}}/{{component}}-jks.crt -keystore {{generated_certs_dir}}/{{component}}.jks
+        -storepass kspass -noprompt -alias {{component}}
+
+  when: not jks_file.stat.exists
+  check_mode: no
+
+- block:
+    - shell: >
+        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/truststore.jks -storepass tspass -noprompt -alias sig-ca
+  when: not jks_truststore.stat.exists
+  check_mode: no
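Review bot: The keystore and truststore passwords (`kspass`, `tspass`) are written as literals into the `shell:` command lines of both `block:` sections, so they appear in Ansible task output and in the host's process list for as long as `keytool` runs; at minimum add `no_log: true` to those tasks and take the password from a variable rather than a literal, e.g. `keytool ... -storepass:env JKS_STOREPASS` with the value supplied through the task's `environment:`. The same commands interpolate `{{component}}`, `{{generated_certs_dir}}` and `{{extensions.stdout}}` unquoted into a shell, so a value containing spaces or shell metacharacters will break or alter the command; apply the `quote` filter (`{{ component | quote }}`) or move the fixed-argument steps to `command:`. In the `openssl ca` step `-extensions` is given twice (`v3_req`, then `server_ext`); openssl applies only the last occurrence, so `-extensions v3_req` is dead and should be removed or the intended section documented. `check_mode: no` on every task also means the key-generating and signing steps still execute under `--check`; if that is deliberate, a comment above the first `block:` saying why (e.g. `# certs must exist for later check-mode tasks to evaluate`) would save the next reader from "fixing" it, and `false` is preferable to the YAML 1.1 `no`.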