From 06c111d22641ba5cc2dbbe0144d9d6722d94f159 Mon Sep 17 00:00:00 2001
From: ewolinetz
Date: Wed, 11 Jan 2017 15:26:46 -0600
Subject: addressing comments

---
 roles/openshift_logging/files/signing.conf | 103 ----------------
 roles/openshift_logging/files/util.sh | 192 -----------------------------
 2 files changed, 295 deletions(-)
 delete mode 100644 roles/openshift_logging/files/signing.conf
 delete mode 100644 roles/openshift_logging/files/util.sh

(limited to 'roles/openshift_logging/files')

diff --git a/roles/openshift_logging/files/signing.conf b/roles/openshift_logging/files/signing.conf
deleted file mode 100644
index 810a057d9..000000000
--- a/roles/openshift_logging/files/signing.conf
+++ /dev/null
@@ -1,103 +0,0 @@
-# Simple Signing CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-#dir = _output # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits = 2048 # RSA key size
-encrypt_key = yes # Protect private key
-default_md = sha1 # MD to use
-utf8 = yes # Input is UTF-8
-string_mask = utf8only # Emit UTF-8 strings
-prompt = no # Don't prompt for DN
-distinguished_name = ca_dn # DN section
-req_extensions = ca_reqext # Desired extensions
-
-[ ca_dn ]
-0.domainComponent = "io"
-1.domainComponent = "openshift"
-organizationName = "OpenShift Origin"
-organizationalUnitName = "Logging Signing CA"
-commonName = "Logging Signing CA"
-
-[ ca_reqext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ ca ]
-default_ca = signing_ca # The default CA section
-
-[ signing_ca ]
-certificate = $dir/ca.crt # The CA cert
-private_key = $dir/ca.key # CA private key
-new_certs_dir = $dir/ # Certificate archive
-serial = $dir/ca.serial.txt # Serial number file
-crlnumber = $dir/ca.crl.srl # CRL number file
-database = $dir/ca.db # Index file
-unique_subject = no # Require unique subject
-default_days = 730 # How long to certify for
-default_md = sha1 # MD to use
-policy = any_pol # Default naming policy
-email_in_dn = no # Add email to cert DN
-preserve = no # Keep passed DN ordering
-name_opt = ca_default # Subject DN display options
-cert_opt = ca_default # Certificate display options
-copy_extensions = copy # Copy extensions from CSR
-x509_extensions = client_ext # Default cert extensions
-default_crl_days = 7 # How long before next CRL
-crl_extensions = crl_ext # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent = match # Must match 'simple.org'
-organizationName = match # Must match 'Simple Inc'
-organizationalUnitName = optional # Included if present
-commonName = supplied # Must be present
-
-[ any_pol ]
-domainComponent = optional
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ client_ext ]
-keyUsage = critical,digitalSignature,keyEncipherment
-basicConstraints = CA:false
-extendedKeyUsage = clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid
-
-[ server_ext ]
-keyUsage = critical,digitalSignature,keyEncipherment
-basicConstraints = CA:false
-extendedKeyUsage = serverAuth,clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid
diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh
deleted file mode 100644
index 5752a0fcd..000000000
--- a/roles/openshift_logging/files/util.sh
+++ /dev/null
@@ -1,192 +0,0 @@
-#!/bin/bash
-
-function generate_JKS_chain() {
- dir=${SCRATCH_DIR:-_output}
- ADD_OID=$1
- NODE_NAME=$2
- CERT_NAMES=${3:-$NODE_NAME}
- ks_pass=${KS_PASS:-kspass}
- ts_pass=${TS_PASS:-tspass}
- rm -rf $NODE_NAME
-
- extension_names=""
- for name in ${CERT_NAMES//,/ }; do
- extension_names="${extension_names},dns:${name}"
- done
-
- if [ "$ADD_OID" = true ]; then
- extension_names="${extension_names},oid:1.2.3.4.5.5"
- fi
-
- echo Generating keystore and certificate for node $NODE_NAME
-
- "$keytool" -genkey \
- -alias $NODE_NAME \
- -keystore $dir/keystore.jks \
- -keypass $ks_pass \
- -storepass $ks_pass \
- -keyalg RSA \
- -keysize 2048 \
- -validity 712 \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
- -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
- echo Generating certificate signing request for node $NODE_NAME
-
- "$keytool" -certreq \
- -alias $NODE_NAME \
- -keystore $dir/keystore.jks \
- -storepass $ks_pass \
- -file $dir/$NODE_NAME.csr \
- -keyalg rsa \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
- -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
- echo Sign certificate request with CA
-
- openssl ca \
- -in $dir/$NODE_NAME.csr \
- -notext \
- -out $dir/$NODE_NAME.crt \
- -config $dir/signing.conf \
- -extensions v3_req \
- -batch \
- -extensions server_ext
-
- echo "Import back to keystore (including CA chain)"
-
- "$keytool" \
- -import \
- -file $dir/ca.crt \
- -keystore $dir/keystore.jks \
- -storepass $ks_pass \
- -noprompt -alias sig-ca
-
- "$keytool" \
- -import \
- -file $dir/$NODE_NAME.crt \
- -keystore $dir/keystore.jks \
- -storepass $ks_pass \
- -noprompt \
- -alias $NODE_NAME
-
- echo "Import CA to truststore for validating client certs"
-
- "$keytool" \
- -import \
- -file $dir/ca.crt \
- -keystore $dir/truststore.jks \
- -storepass $ts_pass \
- -noprompt -alias sig-ca
-
- echo All done for $NODE_NAME
-}
-
-function generate_PEM_cert() {
- NODE_NAME="$1"
- dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
-
- echo Generating keystore and certificate for node ${NODE_NAME}
-
- openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
-
- echo Sign certificate request with CA
- openssl ca \
- -in "$dir/$NODE_NAME.csr" \
- -notext \
- -out "$dir/$NODE_NAME.crt" \
- -config $dir/signing.conf \
- -extensions v3_req \
- -batch \
- -extensions server_ext
-}
-
-function generate_JKS_client_cert() {
- NODE_NAME="$1"
- ks_pass=${KS_PASS:-kspass}
- ts_pass=${TS_PASS:-tspass}
- dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
-
- echo Generating keystore and certificate for node ${NODE_NAME}
-
- "$keytool" -genkey \
- -alias $NODE_NAME \
- -keystore $dir/$NODE_NAME.jks \
- -keyalg RSA \
- -keysize 2048 \
- -validity 712 \
- -keypass $ks_pass \
- -storepass $ks_pass \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
- echo Generating certificate signing request for node $NODE_NAME
-
- "$keytool" -certreq \
- -alias $NODE_NAME \
- -keystore $dir/$NODE_NAME.jks \
- -file $dir/$NODE_NAME.csr \
- -keyalg rsa \
- -keypass $ks_pass \
- -storepass $ks_pass \
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
- echo Sign certificate request with CA
- openssl ca \
- -in "$dir/$NODE_NAME.csr" \
- -notext \
- -out "$dir/$NODE_NAME.crt" \
- -config $dir/signing.conf \
- -extensions v3_req \
- -batch \
- -extensions server_ext
-
- echo "Import back to keystore (including CA chain)"
-
- "$keytool" \
- -import \
- -file $dir/ca.crt \
- -keystore $dir/$NODE_NAME.jks \
- -storepass $ks_pass \
- -noprompt -alias sig-ca
-
- "$keytool" \
- -import \
- -file $dir/$NODE_NAME.crt \
- -keystore $dir/$NODE_NAME.jks \
- -storepass $ks_pass \
- -noprompt \
- -alias $NODE_NAME
-
- echo All done for $NODE_NAME
-}
-
-function join { local IFS="$1"; shift; echo "$*"; }
-
-function get_es_dcs() {
- oc get dc --selector logging-infra=elasticsearch -o name
-}
-
-function get_curator_dcs() {
- oc get dc --selector logging-infra=curator -o name
-}
-
-function extract_nodeselector() {
- local inputstring="${1//\"/}" # remove any errant double quotes in the inputs
- local selectors=()
-
- for keyvalstr in ${inputstring//\,/ }; do
-
- keyval=( ${keyvalstr//=/ } )
-
- if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
- selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
- else
- echo "Could not make a node selector label from '${keyval[*]}'"
- exit 255
- fi
- done
-
- if [[ "${#selectors[*]}" -gt 0 ]]; then
- echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
- fi
-}
-- 
cgit v1.2.1