---
# Diagnostic only: echo the subjectAltName inputs this task file received.
# `chain_certs` is the extra SAN fragment; `oid` is the optional flag that
# appends the fixed OID SAN further down.
- name: Show chain certs and oid
  debug:
    msg: "certs are {{chain_certs}} and oid is {{oid}}"
  when:
    - chain_certs is defined
    - oid is defined

- name: Show chain certs
  debug:
    msg: "certs are {{chain_certs}}"
  when:
    - chain_certs is defined
    - oid is undefined

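# Assemble the extra subjectAltName entries requested for this component.
# `chain_certs` is appended verbatim to the keytool SAN list built below, so it
# is presumably a comma-led fragment such as ",dns:foo" — TODO confirm with the
# callers of this task file. A truthy `oid` appends a fixed OID SAN as well.
# The result is consumed via `cert_ext.stdout`.
- name: Build extensions with certs
  # Gate only on chain_certs: the former `and oid is defined` condition silently
  # dropped chain_certs whenever no oid was supplied. The echoed string is
  # shell-quoted so metacharacters in chain_certs are never interpreted.
  shell: echo {{ (chain_certs ~ ((oid | default(false)) | ternary(',oid:1.2.3.4.5.5', ''))) | quote }}
  register: cert_ext
  when: chain_certs is defined
  # echo changes nothing on the host; do not report it as a change.
  changed_when: false
  check_mode: no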

# Diagnostic only: show the SAN fragment when the previous task produced one.
- name: Show computed extensions
  debug:
    msg: "extensions are {{cert_ext.stdout}}"
  when: cert_ext.stdout is defined

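# Turn the SAN fragment into the keytool `-ext san=...` argument. localhost and
# 127.0.0.1 are always included, followed by whatever `cert_ext` produced; with
# no chain_certs the result is empty and keytool receives no -ext at all.
# Consumed as `extensions.stdout` by the keytool invocations below.
- name: Assemble keytool SAN extension argument
  # Build the whole string first and shell-quote it once, so the SAN list is
  # never split or expanded by the shell. The inline if keeps the undefined
  # `cert_ext.stdout` from being touched when the fragment task was skipped.
  shell: >-
    echo {{ ('-ext san=dns:localhost,ip:127.0.0.1' ~ cert_ext.stdout if cert_ext.stdout is defined else '') | quote }}
  register: extensions
  # echo changes nothing on the host; do not report it as a change.
  changed_when: false
  check_mode: no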

# Existence check for the component keystore; the generation block below is
# skipped entirely when the file is already present.
- name: Checking for {{component}}.jks ...
  stat:
    path: "{{generated_certs_dir}}/{{component}}.jks"
  register: jks_file
  check_mode: no

# Existence check for the shared truststore; it is created only once.
- name: Checking for truststore...
  stat:
    path: "{{generated_certs_dir}}/truststore.jks"
  register: jks_truststore
  check_mode: no

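# Generate the component keystore: RSA key pair, CSR, CA signature via the
# role's signing.conf, then import the CA and the signed certificate so the
# keystore holds the full chain. Runs only while the .jks is absent.
#
# NOTE(review): the keystore/key password is the fixed literal "kspass" and is
# passed on the command line (visible in process listings and task output).
# It is kept as-is because whatever consumes these keystores presumably expects
# it — rotate both sides together if it is ever changed.
- block:
    - name: Generate {{component}} key pair
      shell: >-
        keytool -genkey -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -keypass kspass -storepass kspass
        -keyalg RSA -keysize 2048 -validity 712 -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}

    - name: Create CSR for {{component}}
      shell: >-
        keytool -certreq -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -storepass kspass
        -file {{generated_certs_dir}}/{{component}}-jks.csr -keyalg RSA -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}

    # The SANs requested in the CSR only reach the issued certificate if
    # signing.conf carries them over (copy_extensions, or the server_ext
    # section itself) — TODO confirm against signing.conf. The original
    # command also passed "-extensions v3_req", which was dead: openssl
    # honours the last -extensions given, i.e. server_ext.
    - name: Sign {{component}} CSR with the logging CA
      shell: >-
        openssl ca -in {{generated_certs_dir}}/{{component}}-jks.csr -notext -out {{generated_certs_dir}}/{{component}}-jks.crt
        -config {{generated_certs_dir}}/signing.conf -batch -extensions server_ext

    # The CA goes in first so keytool can chain the signed certificate to it
    # when that is imported under the key-pair alias.
    - name: Import signing CA into {{component}}.jks
      shell: >-
        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/{{component}}.jks
        -storepass kspass -noprompt -alias sig-ca

    - name: Import signed certificate into {{component}}.jks
      shell: >-
        keytool -import -file {{generated_certs_dir}}/{{component}}-jks.crt -keystore {{generated_certs_dir}}/{{component}}.jks
        -storepass kspass -noprompt -alias {{component}}

  rescue:
    # A failure part-way leaves a keystore without the signed chain, and the
    # `when` guard below would then skip regeneration on every later run.
    # Remove the partial artifacts so the next run starts over, then fail.
    - name: Remove partially generated keystore for {{component}}
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - "{{generated_certs_dir}}/{{component}}.jks"
        - "{{generated_certs_dir}}/{{component}}-jks.csr"

    - name: Report keystore generation failure for {{component}}
      fail:
        msg: "Generating {{generated_certs_dir}}/{{component}}.jks failed; partial files removed so the next run retries"

  when: not jks_file.stat.exists
  # check_mode: no means these commands also run under --check.
  check_mode: no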

# Create the shared truststore, holding only the logging CA, the first time
# through. NOTE(review): "tspass" is a fixed literal passed on the command
# line; it is kept because consumers of the truststore presumably expect it.
- block:
    - name: Import signing CA into truststore.jks
      shell: >-
        keytool -import -file {{generated_certs_dir}}/ca.crt
        -keystore {{generated_certs_dir}}/truststore.jks
        -storepass tspass -noprompt -alias sig-ca
  when: not jks_truststore.stat.exists
  check_mode: no