summaryrefslogtreecommitdiffstats
path: root/roles/lib_openshift/src
diff options
context:
space:
mode:
Diffstat (limited to 'roles/lib_openshift/src')
-rw-r--r--roles/lib_openshift/src/ansible/oadm_certificate_authority.py49
-rw-r--r--roles/lib_openshift/src/class/oadm_certificate_authority.py110
-rw-r--r--roles/lib_openshift/src/doc/certificate_authority96
-rw-r--r--roles/lib_openshift/src/sources.yml10
4 files changed, 265 insertions, 0 deletions
diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py
new file mode 100644
index 000000000..856b06290
--- /dev/null
+++ b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py
@@ -0,0 +1,49 @@
+# pylint: skip-file
+# flake8: noqa
+
+def main():
+ '''
+ ansible oadm module for ca
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ state=dict(default='present', type='str',
+ choices=['present']),
+ debug=dict(default=False, type='bool'),
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ cmd=dict(default=None, require=True, type='str'),
+
+ # oadm ca create-master-certs [options]
+ cert_dir=dict(default=None, type='str'),
+ hostnames=dict(default=[], type='list'),
+ master=dict(default=None, type='str'),
+ public_master=dict(default=None, type='str'),
+ overwrite=dict(default=False, type='bool'),
+ signer_name=dict(default=None, type='str'),
+
+ # oadm ca create-key-pair [options]
+ private_key=dict(default=None, type='str'),
+ public_key=dict(default=None, type='str'),
+
+ # oadm ca create-server-cert [options]
+ cert=dict(default=None, type='str'),
+ key=dict(default=None, type='str'),
+ signer_cert=dict(default=None, type='str'),
+ signer_key=dict(default=None, type='str'),
+ signer_serial=dict(default=None, type='str'),
+
+ ),
+ supports_check_mode=True,
+ )
+
+ # pylint: disable=line-too-long
+ results = CertificateAuthority.run_ansible(module.params, module.check_mode)
+ if 'failed' in results:
+ return module.fail_json(**results)
+
+ return module.exit_json(**results)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/lib_openshift/src/class/oadm_certificate_authority.py b/roles/lib_openshift/src/class/oadm_certificate_authority.py
new file mode 100644
index 000000000..34bd0f0a9
--- /dev/null
+++ b/roles/lib_openshift/src/class/oadm_certificate_authority.py
@@ -0,0 +1,110 @@
+# pylint: skip-file
+
+class CertificateAuthorityConfig(OpenShiftCLIConfig):
+ ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
+ def __init__(self, cmd, kubeconfig, verbose, ca_options):
+ super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
+ self.cmd = cmd
+ self.kubeconfig = kubeconfig
+ self.verbose = verbose
+ self._ca = ca_options
+
+class CertificateAuthority(OpenShiftCLI):
+ ''' Class to wrap the oc command line tools '''
+ def __init__(self,
+ config,
+ verbose=False):
+ ''' Constructor for oadm ca '''
+ super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose)
+ self.config = config
+ self.verbose = verbose
+
+ def get(self):
+ '''get the current cert file
+
+ If a file exists by the same name in the specified location then the cert exists
+ '''
+ cert = self.config.config_options['cert']['value']
+ if cert and os.path.exists(cert):
+ return open(cert).read()
+
+ return None
+
+ def create(self):
+ '''Create a deploymentconfig '''
+ options = self.config.to_option_list()
+
+ cmd = ['ca']
+ cmd.append(self.config.cmd)
+ cmd.extend(options)
+
+ return self.openshift_cmd(cmd, oadm=True)
+
+ def exists(self):
+ ''' check whether the certificate exists and has the clusterIP '''
+
+ cert_path = self.config.config_options['cert']['value']
+ if not os.path.exists(cert_path):
+ return False
+
+ proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ stdout, stderr = proc.communicate()
+ if proc.returncode == 0:
+ for var in self.config.config_options['hostnames']['value'].split(','):
+ if var in stdout:
+ return True
+
+ return False
+
+ @staticmethod
+ def run_ansible(params, check_mode):
+ '''run the idempotent ansible code'''
+
+ config = CertificateAuthorityConfig(params['cmd'],
+ params['kubeconfig'],
+ params['debug'],
+ {'cert_dir': {'value': params['cert_dir'], 'include': True},
+ 'cert': {'value': params['cert'], 'include': True},
+ 'hostnames': {'value': ','.join(params['hostnames']), 'include': True},
+ 'master': {'value': params['master'], 'include': True},
+ 'public_master': {'value': params['public_master'], 'include': True},
+ 'overwrite': {'value': params['overwrite'], 'include': True},
+ 'signer_name': {'value': params['signer_name'], 'include': True},
+ 'private_key': {'value': params['private_key'], 'include': True},
+ 'public_key': {'value': params['public_key'], 'include': True},
+ 'key': {'value': params['key'], 'include': True},
+ 'signer_cert': {'value': params['signer_cert'], 'include': True},
+ 'signer_key': {'value': params['signer_key'], 'include': True},
+ 'signer_serial': {'value': params['signer_serial'], 'include': True},
+ })
+
+
+ oadm_ca = CertificateAuthority(config)
+
+ state = params['state']
+
+ if state == 'present':
+ ########
+ # Create
+ ########
+ if not oadm_ca.exists() or params['overwrite']:
+
+ if check_mode:
+ return {'changed': True,
+ 'msg': "CHECK_MODE: Would have created the certificate.",
+ 'state': state}
+
+ api_rval = oadm_ca.create()
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ ########
+ # Exists
+ ########
+ api_rval = oadm_ca.get()
+ return {'changed': False, 'results': api_rval, 'state': state}
+
+ return {'failed': True,
+ 'msg': 'Unknown state passed. %s' % state}
+
diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority
new file mode 100644
index 000000000..be6861444
--- /dev/null
+++ b/roles/lib_openshift/src/doc/certificate_authority
@@ -0,0 +1,96 @@
+# flake8: noqa
+# pylint: skip-file
+
+DOCUMENTATION = '''
+---
+module: oc_secret
+short_description: Module to manage openshift certificate authority
+description:
+ - Wrapper around the openshift `oc adm ca` command.
+options:
+ state:
+ description:
+ - Present is the only supported state. The state present means that `oc adm ca` will generate a certificate
+ - When create-master-certs is desired then the following parameters are passed.
+ - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
+ - When create-key-pair is desired then the following parameters are passed.
+ - ['private_key', 'public_key']
+ - When create-server-cert is desired then the following parameters are passed.
+ - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
+ required: false
+ default: present
+ choices: ["present"]
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ cmd:
+ description:
+ - The sub command given for `oc adm ca`
+ required: false
+ default: None
+ choices:
+ - create-master-certs
+ - create-key-pair
+ - create-server-cert
+ aliases: []
+ cert_dir:
+ description:
+ - The directory to place the certificates.
+ required: false
+ default: False
+ aliases: []
+author:
+- "Kenny Woodson <kwoodson@redhat.com>"
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: create secret
+ oc_secret:
+ state: present
+ namespace: openshift-infra
+ name: metrics-deployer
+ files:
+ - name: nothing
+ path: /dev/null
+ register: secretout
+ run_once: true
+
+- name: get ca from hawkular
+ oc_secret:
+ state: list
+ namespace: openshift-infra
+ name: hawkular-metrics-certificate
+ decode: True
+ register: hawkout
+ run_once: true
+
+- name: Create secrets
+ oc_secret:
+ namespace: mynamespace
+ name: mysecrets
+ contents:
+ - path: data.yml
+ data: "{{ data_content }}"
+ - path: auth-keys
+ data: "{{ auth_keys_content }}"
+ - path: configdata.yml
+ data: "{{ configdata_content }}"
+ - path: cert.crt
+ data: "{{ cert_content }}"
+ - path: key.pem
+ data: "{{ osso_site_key_content }}"
+ - path: ca.cert.pem
+ data: "{{ ca_cert_content }}"
+ register: secretout
+'''
diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml
index 091aaef2e..7f0de6a65 100644
--- a/roles/lib_openshift/src/sources.yml
+++ b/roles/lib_openshift/src/sources.yml
@@ -1,4 +1,14 @@
---
+oadm_ca.py:
+- doc/generated
+- doc/license
+- lib/import.py
+- doc/certificate_authority
+- ../../lib_utils/src/class/yedit.py
+- lib/base.py
+- class/oadm_certificate_authority.py
+- ansible/oadm_certificate_authority.py
+
oadm_manage_node.py:
- doc/generated
- doc/license