From d740fd159416783c88839e6e2c2e150eb81b67da Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Fri, 20 Jan 2017 15:17:04 -0600 Subject: Adding to ansible spec and changing logging jks generation to be a local_action --- roles/openshift_logging/tasks/generate_jks.yaml | 111 ++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 roles/openshift_logging/tasks/generate_jks.yaml (limited to 'roles/openshift_logging/tasks/generate_jks.yaml') diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml new file mode 100644 index 000000000..adb6c2b2d --- /dev/null +++ b/roles/openshift_logging/tasks/generate_jks.yaml @@ -0,0 +1,111 @@ +--- +# check if pod generated files exist -- if they all do don't run the pod +- name: Checking for elasticsearch.jks + stat: path="{{generated_certs_dir}}/elasticsearch.jks" + register: elasticsearch_jks + check_mode: no + +- name: Checking for logging-es.jks + stat: path="{{generated_certs_dir}}/logging-es.jks" + register: logging_es_jks + check_mode: no + +- name: Checking for system.admin.jks + stat: path="{{generated_certs_dir}}/system.admin.jks" + register: system_admin_jks + check_mode: no + +- name: Checking for truststore.jks + stat: path="{{generated_certs_dir}}/truststore.jks" + register: truststore_jks + check_mode: no + +- name: Create temp directory for doing work in + local_action: command mktemp -d /tmp/openshift-logging-ansible-XXXXXX + register: local_tmp + changed_when: False + check_mode: no + +- name: Create placeholder for previously created JKS certs to prevent recreating... + file: + path: "{{local_tmp.stdout}}/elasticsearch.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: elasticsearch_jks.stat.exists + changed_when: False + +- name: Create placeholder for previously created JKS certs to prevent recreating... + file: + path: "{{local_tmp.stdout}}/logging-es.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: logging_es_jks.stat.exists + changed_when: False + +- name: Create placeholder for previously created JKS certs to prevent recreating... + file: + path: "{{local_tmp.stdout}}/system.admin.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: system_admin_jks.stat.exists + changed_when: False + +- name: Create placeholder for previously created JKS certs to prevent recreating... + file: + path: "{{local_tmp.stdout}}/truststore.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: truststore_jks.stat.exists + changed_when: False + +- name: pulling down signing items from host + fetch: + src: "{{generated_certs_dir}}/{{item}}" + dest: "{{local_tmp.stdout}}/{{item}}" + flat: yes + with_items: + - ca.crt + - ca.key + - ca.serial.txt + - ca.crl.srl + - ca.db + +- local_action: template src=signing.conf.j2 dest={{local_tmp.stdout}}/signing.conf + vars: + - top_dir: "{{local_tmp.stdout}}" + +- name: Run JKS generation script + local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}} + check_mode: no + become: yes + when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/elasticsearch.jks" + dest: "{{generated_certs_dir}}/elasticsearch.jks" + when: not elasticsearch_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/logging-es.jks" + dest: "{{generated_certs_dir}}/logging-es.jks" + when: not logging_es_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/system.admin.jks" + dest: "{{generated_certs_dir}}/system.admin.jks" + when: not system_admin_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/truststore.jks" + dest: "{{generated_certs_dir}}/truststore.jks" + when: not truststore_jks.stat.exists + +- name: Cleaning up temp dir + file: + path: "{{local_tmp.stdout}}" + state: absent + changed_when: False -- cgit v1.2.1