blob: 740e490e112993bba479274a6b817c7db8c41a89 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
---
# we will ensure our secrets and configmaps are set up here first
- name: Checking for ca.key
stat: path="{{generated_certs_dir}}/ca.key"
register: ca_key_file
check_mode: no
- name: Checking for ca.crt
stat: path="{{generated_certs_dir}}/ca.crt"
register: ca_cert_file
check_mode: no
- name: Checking for ca.serial.txt
stat: path="{{generated_certs_dir}}/ca.serial.txt"
register: ca_serial_file
check_mode: no
- name: Generate certificates
command: >
{{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig ca create-signer-cert
--key={{generated_certs_dir}}/ca.key --cert={{generated_certs_dir}}/ca.crt
--serial={{generated_certs_dir}}/ca.serial.txt --name=logging-signer-test
check_mode: no
when:
- not ca_key_file.stat.exists
- not ca_cert_file.stat.exists
- not ca_serial_file.stat.exists
- name: Checking for signing.conf
stat: path="{{generated_certs_dir}}/signing.conf"
register: signing_conf_file
check_mode: no
- template: src=signing.conf.j2 dest={{generated_certs_dir}}/signing.conf
vars:
- top_dir: '{{generated_certs_dir}}'
when: not signing_conf_file.stat.exists
- include: procure_server_certs.yaml
loop_control:
loop_var: cert_info
with_items:
- procure_component: kibana
- procure_component: kibana-ops
- procure_component: kibana-internal
hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"
- name: Copy proxy TLS configuration file
copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
when: server_tls_json is undefined
check_mode: no
- name: Copy proxy TLS configuration file
copy: content="{{server_tls_json}}" dest={{generated_certs_dir}}/server-tls.json
when: server_tls_json is defined
check_mode: no
- name: Checking for ca.db
stat: path="{{generated_certs_dir}}/ca.db"
register: ca_db_file
check_mode: no
- copy: content="" dest={{generated_certs_dir}}/ca.db
check_mode: no
when:
- not ca_db_file.stat.exists
- name: Checking for ca.crt.srl
stat: path="{{generated_certs_dir}}/ca.crt.srl"
register: ca_cert_srl_file
check_mode: no
- copy: content="" dest={{generated_certs_dir}}/ca.crt.srl
check_mode: no
when:
- not ca_cert_srl_file.stat.exists
- name: Generate PEM certs
include: generate_pems.yaml component={{node_name}}
with_items:
- system.logging.fluentd
- system.logging.kibana
- system.logging.curator
- system.admin
loop_control:
loop_var: node_name
- name: Creating necessary JKS certs
include: generate_jks.yaml
# TODO: make idempotent
- name: Generate proxy session
set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
check_mode: no
# TODO: make idempotent
- name: Generate oauth client secret
set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
check_mode: no
|
