From f79c819387b93af7b32a09b60652195f850d0574 Mon Sep 17 00:00:00 2001
From: ewolinetz
Date: Wed, 14 Dec 2016 16:34:55 -0600
Subject: Updating to use deployer pod to generate JKS chain instead

---
 roles/openshift_logging/tasks/generate_certs.yaml | 102 +++++++++++-----------
 1 file changed, 49 insertions(+), 53 deletions(-)

(limited to 'roles/openshift_logging/tasks/generate_certs.yaml')

diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index 161d51055..6bfeccf61 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -102,61 +102,57 @@
   loop_control:
     loop_var: node_name
 
-- shell: certs=""; for cert in $(echo logging-es{,-ops}); do certs=$certs,dns:$cert; done; echo $certs
-  register: elasticsearch_certs
-  check_mode: no
-
-- shell: certs=""; for cert in $(echo logging-es{,-ops}{,-cluster}{,.logging.svc.cluster.local}); do certs=$certs,dns:$cert; done; echo $certs
-  register: logging_es_certs
-  check_mode: no
-
-#- shell: index=2; certs=""; for cert in $(echo logging-es{,-ops}); do certs=$certs,DNS.$index=$cert; index=$(($index+1)); done; echo $certs
-#  register: elasticsearch_certs
-#  check_mode: no
-
-#- shell: index=2; certs=""; for cert in $(echo logging-es{,-ops}{,-cluster}{,.logging.svc.cluster.local}); do certs=$certs,DNS.$index=$cert; index=$(($index+1)); done; echo $certs
-#  register: logging_es_certs
-#  check_mode: no
+- name: Check for jks-generator service account
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get serviceaccount/jks-generator --no-headers -n {{openshift_logging_namespace}}
+  register: serviceaccount_result
+  ignore_errors: yes
+  when: not ansible_check_mode
 
-- name: Generate PKCS12 chains
-#  include: generate_pkcs12.yaml component='system.admin'
-  include: generate_jks_chain.yaml component='system.admin'
+- name: Create jks-generator service account
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create serviceaccount jks-generator -n {{openshift_logging_namespace}}
+  when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
+
+- name: Check for hostmount-anyuid scc entry
+  shell: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o go-template='{{ '{{' }}.users{{ '}}' }}' |
+    grep system:serviceaccount:{{openshift_logging_namespace}}:jks-generator
+  register: scc_result
+  ignore_errors: yes
+  when: not ansible_check_mode
+
+- name: Add to hostmount-anyuid scc
+  command: >
+    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-scc-to-user hostmount-anyuid -z jks-generator -n {{openshift_logging_namespace}}
+  when: not ansible_check_mode and scc_result.rc == 1
+
+- name: Copy jks script
+  copy:
+    src: generate-jks.sh
+    dest: "{{generated_certs_dir}}/generate-jks.sh"
+
+- name: Generate JKS chains
+  template:
+    src: jks_pod.j2
+    dest: "{{mktemp.stdout}}/jks_pod.yaml"
+
+- name: create pod
+  shell: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}}
+  register: podoutput
+
+- shell: >
+    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
+  register: podname
+
+- shell: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get pod {{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{openshift_logging_namespace}}
+  register: result
+  until: result.stdout.find("Succeeded") != -1
+  retries: 5
+  delay: 10
 
-- name: Generate PKCS12 chains
-#  include: generate_pkcs12.yaml component={{node.name}} oid={{node.oid | default(False)}} chain_certs={{node.certs}}
-  include: generate_jks_chain.yaml component={{node.name}} oid={{node.oid | default(False)}} chain_certs={{node.certs}}
-  with_items:
-    - {name: 'elasticsearch', oid: True, certs: '{{elasticsearch_certs.stdout}}'}
-    - {name: 'logging-es', certs: '{{logging_es_certs.stdout}}'}
-  loop_control:
-    loop_var: node
-# This should be handled within the ES image instead... ---
-#- name: Copy jks script
-#  copy:
-#    src: generate-jks.sh
-#    dest: "{{etcd_generated_certs_dir}}/logging"
-
-#- name: Generate JKS chains
-#  template:
-#    src: job.j2
-#    dest: "{{mktemp.stdout}}/jks_job.yaml"
-
-#- name: kick off job
-#  shell: >
-#    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_job.yaml -n {{logging_namespace}}
-#  register: podoutput
-
-#- shell: >
-#    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
-#  register: podname
-
-#- action: shell >
-#    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig oc get pod/{{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{logging_namespace}}
-#  register: result
-#  until: result.stdout.find("Succeeded") != -1
-#  retries: 5
-#  delay: 10
-# --- This should be handled within the ES image instead...
 - name: Generate proxy session
   shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 200
   register: session_secret
-- 
cgit v1.2.1
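Review bot: The hostmount-anyuid grant made in 'Add to hostmount-anyuid scc' and the pod started in 'create pod' are never removed once the wait task sees Succeeded, so a service account allowed to mount host paths under any UID stays in the logging namespace after the play; the tasks below, placed after the wait, return the grant and the pod when the generation step is over. 'Create jks-generator service account' keys only on `"not found" in serviceaccount_result.stderr`, so a lookup that fails for any other reason is swallowed by `ignore_errors: yes` and the missing account only surfaces at the SCC step; replacing that line with `failed_when: serviceaccount_result.rc != 0 and "not found" not in serviceaccount_result.stderr` fails at the lookup instead. In the pod-name task the awk `-v podname='\\\".*\\\"'` variable is never referenced by the program, which takes `$2` of the create output as-is; a comment such as `# appears to rely on the 'pod "<name>" created' line printed by oc create` would make that dependency visible to the next maintainer.
```yaml
# … unchanged: wait until the jks-generator pod reports Succeeded …

- name: Remove jks-generator pod
  command: >
    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig delete pod {{podname.stdout}} -n {{openshift_logging_namespace}}
  when: not ansible_check_mode

- name: Remove jks-generator from hostmount-anyuid scc
  command: >
    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy remove-scc-from-user hostmount-anyuid -z jks-generator -n {{openshift_logging_namespace}}
  when: not ansible_check_mode
```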