From 55ddb4f4b901632f051251ba0387a107dd3bb7ef Mon Sep 17 00:00:00 2001
From: ewolinetz
Date: Thu, 12 Jan 2017 12:52:41 -0600
Subject: Removing shell module calls and cleaning up changed

---
 roles/openshift_logging/tasks/generate_certs.yaml | 49 +++++++++++++++++------
 1 file changed, 37 insertions(+), 12 deletions(-)
(limited to 'roles/openshift_logging/tasks/generate_certs.yaml')

diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index bcf4881bb..5e6498ad7 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -91,6 +91,7 @@
   register: serviceaccount_result
   ignore_errors: yes
   when: not ansible_check_mode
+  changed_when: no
 
 - name: Create jks-generator service account
   command: >
@@ -98,35 +99,59 @@
   when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
 
 - name: Check for hostmount-anyuid scc entry
-  shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}' |
-    grep system:serviceaccount:{{openshift_logging_namespace | quote}}:jks-generator
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}'
   register: scc_result
-  ignore_errors: yes
   when: not ansible_check_mode
+  changed_when: no
 
 - name: Add to hostmount-anyuid scc
   command: >
     {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-scc-to-user hostmount-anyuid -z jks-generator -n {{openshift_logging_namespace}}
-  when: not ansible_check_mode and scc_result.rc == 1
+  when:
+    - not ansible_check_mode
+    - scc_result.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:jks-generator") == -1
 
-- name: Copy jks script
+- name: Copy JKS generation script
   copy:
     src: generate-jks.sh
     dest: "{{generated_certs_dir}}/generate-jks.sh"
   check_mode: no
 
-- name: Generate JKS chains
+- name: Generate JKS pod template
   template:
     src: jks_pod.j2
     dest: "{{mktemp.stdout}}/jks_pod.yaml"
   check_mode: no
+  changed_when: no
+
+# check if pod generated files exist -- if they all do don't run the pod
+- name: Checking for elasticsearch.jks
+  stat: path="{{generated_certs_dir}}/elasticsearch.jks"
+  register: elasticsearch_jks
+  check_mode: no
+
+- name: Checking for logging-es.jks
+  stat: path="{{generated_certs_dir}}/logging-es.jks"
+  register: logging_es_jks
+  check_mode: no
+
+- name: Checking for system.admin.jks
+  stat: path="{{generated_certs_dir}}/system.admin.jks"
+  register: system_admin_jks
+  check_mode: no
+
+- name: Checking for truststore.jks
+  stat: path="{{generated_certs_dir}}/truststore.jks"
+  register: truststore_jks
+  check_mode: no
 
-- name: create pod
+- name: create JKS generation pod
   command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} -o name
   register: podoutput
   check_mode: no
+  when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
 
 - command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{podoutput.stdout}} -o jsonpath='{.status.phase}' -n {{openshift_logging_namespace}}
@@ -134,13 +159,13 @@
   until: result.stdout.find("Succeeded") != -1
   retries: 5
   delay: 10
+  changed_when: no
+  when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
 
 - name: Generate proxy session
-  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
-  register: session_secret
+  set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
   check_mode: no
 
 - name: Generate oauth client secret
-  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
-  register: oauth_secret
+  set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
   check_mode: no
-- 
cgit v1.2.1
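Review bot: The new `when:` on `Add to hostmount-anyuid scc` nests `{{ }}` inside a conditional and spells the membership test as `.find(...) == -1`; `when:` is already evaluated as a Jinja expression, so the same check reads more directly as `- '"system:serviceaccount:" ~ openshift_logging_namespace ~ ":jks-generator" not in scc_result.stdout'`. The four `Checking for *.jks` stat tasks only test existence, so keystores left on disk by an earlier run are kept even if the certificates they were built from have since been regenerated earlier in this role (that generation is outside the hunk, so this may be intended); recording it next to the existing comment, e.g. `# existence-only check: stale keystores on disk are not regenerated`, would save the next reader the question. The same four-way `when:` is repeated on the status-poll task in the next hunk; one `stat` task looped with `with_items` over the four file names, registered once, plus a single derived fact would keep the file list and the condition in one place.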
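Review bot: The two `set_fact` tasks now produce `session_secret` and `oauth_secret` but carry no `no_log: true`, so the generated values are echoed in verbose runs and in any callback or log aggregation that records task results; add `no_log: true` to both tasks. Moving from `command: echo` to `set_fact` does remove the secret from the process list, which the new code keeps and is the right direction. The retained `check_mode: no` on a `set_fact` task looks redundant, since `set_fact` already runs under check mode — confirm against the targeted Ansible version before dropping it.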