Diffstat (limited to 'roles/etcd_server_certificates')
-rw-r--r--roles/etcd_server_certificates/README.md34
-rw-r--r--roles/etcd_server_certificates/meta/main.yml17
-rw-r--r--roles/etcd_server_certificates/tasks/main.yml232
3 files changed, 0 insertions, 283 deletions
diff --git a/roles/etcd_server_certificates/README.md b/roles/etcd_server_certificates/README.md
deleted file mode 100644
index 269d5296d..000000000
--- a/roles/etcd_server_certificates/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-OpenShift Etcd Certificates
-===========================
-
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Scott Dodson (sdodson@redhat.com)
diff --git a/roles/etcd_server_certificates/meta/main.yml b/roles/etcd_server_certificates/meta/main.yml
deleted file mode 100644
index 4b6013a49..000000000
--- a/roles/etcd_server_certificates/meta/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-galaxy_info:
- author: Jason DeTiberus
- description: Etcd Server Certificates
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.1
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - cloud
- - system
-dependencies:
-- role: etcd_ca
- when: (etcd_ca_setup | default(True) | bool)
diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml
deleted file mode 100644
index 4795188a6..000000000
--- a/roles/etcd_server_certificates/tasks/main.yml
+++ /dev/null
@@ -1,232 +0,0 @@
----
-- name: Install etcd
- package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present
- when: not etcd_is_containerized | bool
-
-- name: Check status of etcd certificates
- stat:
- path: "{{ item }}"
- with_items:
- - "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}server.crt"
- - "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}peer.crt"
- - "{{ etcd_cert_config_dir }}/{{ etcd_cert_prefix }}ca.crt"
- - "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}server.crt"
- - "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}peer.crt"
- - "{{ etcd_system_container_cert_config_dir }}/{{ etcd_cert_prefix }}ca.crt"
- register: g_etcd_server_cert_stat_result
- when: not etcd_certificates_redeploy | default(false) | bool
-
-- set_fact:
- etcd_server_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
- else (False in (g_etcd_server_cert_stat_result.results
- | default({})
- | oo_collect(attribute='stat.exists')
- | list)) }}"
-
-- name: Ensure generated_certs directory present
- file:
- path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- state: directory
- mode: 0700
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create the server csr
- command: >
- openssl req -new -keyout {{ etcd_cert_prefix }}server.key
- -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}server.csr
- -reqexts {{ etcd_req_ext }} -batch -nodes
- -subj /CN={{ etcd_hostname }}
- args:
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'server.csr' }}"
- environment:
- SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-# Certificates must be signed serially in order to avoid competing
-# for the serial file.
-- name: Sign and create the server crt
- delegated_serial_command:
- command: >
- openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}server.crt
- -in {{ etcd_cert_prefix }}server.csr
- -extensions {{ etcd_ca_exts_server }} -batch
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'server.crt' }}"
- environment:
- SAN: "IP:{{ etcd_ip }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create the peer csr
- command: >
- openssl req -new -keyout {{ etcd_cert_prefix }}peer.key
- -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}peer.csr
- -reqexts {{ etcd_req_ext }} -batch -nodes
- -subj /CN={{ etcd_hostname }}
- args:
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'peer.csr' }}"
- environment:
- SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-# Certificates must be signed serially in order to avoid competing
-# for the serial file.
-- name: Sign and create the peer crt
- delegated_serial_command:
- command: >
- openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}peer.crt
- -in {{ etcd_cert_prefix }}peer.csr
- -extensions {{ etcd_ca_exts_peer }} -batch
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'peer.crt' }}"
- environment:
- SAN: "IP:{{ etcd_ip }}"
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- file:
- src: "{{ etcd_ca_cert }}"
- dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
- state: hard
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
- become: no
- register: g_etcd_server_mktemp
- changed_when: False
- when: etcd_server_certs_missing | bool
-
-- name: Create a tarball of the etcd certs
- command: >
- tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
- -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
- args:
- creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- # Disables the following warning:
- # Consider using unarchive module rather than running tar
- warn: no
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Retrieve etcd cert tarball
- fetch:
- src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ g_etcd_server_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Ensure certificate directory exists
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - "{{ etcd_cert_config_dir }}"
- - "{{ etcd_system_container_cert_config_dir }}"
- when: etcd_server_certs_missing | bool
-
-- name: Unarchive cert tarball
- unarchive:
- src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ etcd_cert_config_dir }}"
- when: etcd_server_certs_missing | bool
-
-- name: Create a tarball of the etcd ca certs
- command: >
- tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz
- -C {{ etcd_ca_dir }} .
- args:
- creates: "{{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz"
- warn: no
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Retrieve etcd ca cert tarball
- fetch:
- src: "{{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz"
- dest: "{{ g_etcd_server_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: etcd_server_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
-
-- name: Ensure ca directory exists
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - "{{ etcd_ca_dir }}"
- - "{{ etcd_system_container_cert_config_dir }}/ca"
- when: etcd_server_certs_missing | bool
-
-- name: Unarchive cert tarball for the system container
- unarchive:
- src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ etcd_system_container_cert_config_dir }}"
- when:
- - etcd_server_certs_missing | bool
- - r_etcd_common_etcd_runtime == 'runc'
-
-- name: Unarchive etcd ca cert tarballs for the system container
- unarchive:
- src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_ca_name }}.tgz"
- dest: "{{ etcd_system_container_cert_config_dir }}/ca"
- when:
- - etcd_server_certs_missing | bool
- - r_etcd_common_etcd_runtime == 'runc'
-
-- name: Delete temporary directory
- local_action: file path="{{ g_etcd_server_mktemp.stdout }}" state=absent
- become: no
- changed_when: False
- when: etcd_server_certs_missing | bool
-
-- name: Validate permissions on certificate files
- file:
- path: "{{ item }}"
- mode: 0600
- owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- when: etcd_url_scheme == 'https'
- with_items:
- - "{{ etcd_ca_file }}"
- - "{{ etcd_cert_file }}"
- - "{{ etcd_key_file }}"
-
-- name: Validate permissions on peer certificate files
- file:
- path: "{{ item }}"
- mode: 0600
- owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- when: etcd_peer_url_scheme == 'https'
- with_items:
- - "{{ etcd_peer_ca_file }}"
- - "{{ etcd_peer_cert_file }}"
- - "{{ etcd_peer_key_file }}"
-
-- name: Validate permissions on the config dir
- file:
- path: "{{ etcd_conf_dir }}"
- state: directory
- owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
- mode: 0700