
Adding oadm_ca to lib_openshift.

Kenny Woodson 8 gadi atpakaļ
vecāks
revīzija
0460d54961

+ 1445 - 0
roles/lib_openshift/library/oadm_ca.py


+ 49 - 0
roles/lib_openshift/src/ansible/oadm_certificate_authority.py

@@ -0,0 +1,49 @@
+# pylint: skip-file
+# flake8: noqa
+
+def main():
+    '''
+    ansible oadm module for ca
+    '''
+
+    module = AnsibleModule(
+        argument_spec=dict(
+            state=dict(default='present', type='str',
+                       choices=['present']),
+            debug=dict(default=False, type='bool'),
+            kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+            cmd=dict(default=None, require=True, type='str'),
+
+            # oadm ca create-master-certs [options]
+            cert_dir=dict(default=None, type='str'),
+            hostnames=dict(default=[], type='list'),
+            master=dict(default=None, type='str'),
+            public_master=dict(default=None, type='str'),
+            overwrite=dict(default=False, type='bool'),
+            signer_name=dict(default=None, type='str'),
+
+            # oadm ca create-key-pair [options]
+            private_key=dict(default=None, type='str'),
+            public_key=dict(default=None, type='str'),
+
+            # oadm ca create-server-cert [options]
+            cert=dict(default=None, type='str'),
+            key=dict(default=None, type='str'),
+            signer_cert=dict(default=None, type='str'),
+            signer_key=dict(default=None, type='str'),
+            signer_serial=dict(default=None, type='str'),
+
+        ),
+        supports_check_mode=True,
+    )
+
+    # pylint: disable=line-too-long
+    results = CertificateAuthority.run_ansible(module.params, module.check_mode)
+    if 'failed' in results:
+        return module.fail_json(**results)
+
+    return module.exit_json(**results)
+
+
+if __name__ == '__main__':
+    main()
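Review bot: The `cmd=dict(default=None, require=True, type='str')` line misspells the argument_spec key, which is `required`; as far as I can tell AnsibleModule of that era silently ignores unknown keys, so `cmd` is effectively optional and a task that omits it reaches `CertificateAuthority.create()` with `self.config.cmd` set to None, producing an `oadm ca None ...` invocation instead of a clean validation error. Change it to `cmd=dict(default=None, required=True, type='str', choices=['create-master-certs', 'create-key-pair', 'create-server-cert'])`, the three subcommands already named in the spec's section comments and in the DOCUMENTATION block, so an unsupported subcommand is rejected by Ansible before anything is executed. The `# pylint: disable=line-too-long` comment above the `run_ansible` call is not needed once `argument_spec` is the only long construct; leave it only if the line exceeds the project limit.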

+ 110 - 0
roles/lib_openshift/src/class/oadm_certificate_authority.py

@@ -0,0 +1,110 @@
+# pylint: skip-file
+
+class CertificateAuthorityConfig(OpenShiftCLIConfig):
+    ''' CertificateAuthorityConfig is a DTO for the oadm ca command '''
+    def __init__(self, cmd, kubeconfig, verbose, ca_options):
+        super(CertificateAuthorityConfig, self).__init__('ca', None, kubeconfig, ca_options)
+        self.cmd = cmd
+        self.kubeconfig = kubeconfig
+        self.verbose = verbose
+        self._ca = ca_options
+
+class CertificateAuthority(OpenShiftCLI):
+    ''' Class to wrap the oc command line tools '''
+    def __init__(self,
+                 config,
+                 verbose=False):
+        ''' Constructor for oadm ca '''
+        super(CertificateAuthority, self).__init__(None, config.kubeconfig, verbose)
+        self.config = config
+        self.verbose = verbose
+
+    def get(self):
+        '''get the current cert file
+
+           If a file exists by the same name in the specified location then the cert exists
+        '''
+        cert = self.config.config_options['cert']['value']
+        if cert and os.path.exists(cert):
+            return open(cert).read()
+
+        return None
+
+    def create(self):
+        '''Create a deploymentconfig '''
+        options = self.config.to_option_list()
+
+        cmd = ['ca']
+        cmd.append(self.config.cmd)
+        cmd.extend(options)
+
+        return self.openshift_cmd(cmd, oadm=True)
+
+    def exists(self):
+        ''' check whether the certificate exists and has the clusterIP '''
+
+        cert_path = self.config.config_options['cert']['value']
+        if not os.path.exists(cert_path):
+            return False
+
+        proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path],
+                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        stdout, stderr = proc.communicate()
+        if proc.returncode == 0:
+            for var in self.config.config_options['hostnames']['value'].split(','):
+                if var in stdout:
+                    return True
+
+        return False
+
+    @staticmethod
+    def run_ansible(params, check_mode):
+        '''run the idempotent ansible code'''
+
+        config = CertificateAuthorityConfig(params['cmd'],
+                                            params['kubeconfig'],
+                                            params['debug'],
+                                            {'cert_dir':      {'value': params['cert_dir'], 'include': True},
+                                             'cert':          {'value': params['cert'], 'include': True},
+                                             'hostnames':     {'value': ','.join(params['hostnames']), 'include': True},
+                                             'master':        {'value': params['master'], 'include': True},
+                                             'public_master': {'value': params['public_master'], 'include': True},
+                                             'overwrite':     {'value': params['overwrite'], 'include': True},
+                                             'signer_name':   {'value': params['signer_name'], 'include': True},
+                                             'private_key':   {'value': params['private_key'], 'include': True},
+                                             'public_key':    {'value': params['public_key'], 'include': True},
+                                             'key':           {'value': params['key'], 'include': True},
+                                             'signer_cert':   {'value': params['signer_cert'], 'include': True},
+                                             'signer_key':    {'value': params['signer_key'], 'include': True},
+                                             'signer_serial': {'value': params['signer_serial'], 'include': True},
+                                            })
+
+
+        oadm_ca = CertificateAuthority(config)
+
+        state = params['state']
+
+        if state == 'present':
+            ########
+            # Create
+            ########
+            if not oadm_ca.exists() or params['overwrite']:
+
+                if check_mode:
+                    return {'changed': True,
+                            'msg': "CHECK_MODE: Would have created the certificate.",
+                            'state': state}
+
+                api_rval = oadm_ca.create()
+
+                return {'changed': True, 'results': api_rval, 'state': state}
+
+            ########
+            # Exists
+            ########
+            api_rval = oadm_ca.get()
+            return {'changed': False, 'results': api_rval, 'state': state}
+
+        return {'failed': True,
+                'msg': 'Unknown state passed. %s' % state}
+
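Review bot: `exists()` calls `os.path.exists(cert_path)` on the `cert` option unconditionally, but `cert` is only meaningful for `create-server-cert` and defaults to None, so `create-master-certs` and `create-key-pair` raise a TypeError from `os.path.exists(None)` before `create()` is reached; `get()` already guards the same value with `cert and os.path.exists(cert)`, so mirror it with `if not cert_path or not os.path.exists(cert_path):`. The hostname check has the opposite problem: with `hostnames` left at its default, `''.split(',')` yields `['']` and `'' in stdout` is always true, so any file at `cert` is treated as the right certificate regardless of its subject; drop empty entries with `for var in filter(None, self.config.config_options['hostnames']['value'].split(',')):` (a plain substring test also matches `master` inside `master2`, so an exact comparison against the parsed CN would be stronger, but at least the empty case should not pass). `get()` should close the handle it opens, `with open(cert) as cert_file: return cert_file.read()`. The `create()` docstring `'''Create a deploymentconfig '''` is copied from another module and should read `'''Run the configured oadm ca subcommand'''`.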

+ 96 - 0
roles/lib_openshift/src/doc/certificate_authority

@@ -0,0 +1,96 @@
+# flake8: noqa
+# pylint: skip-file
+
+DOCUMENTATION = '''
+---
+module: oc_secret
+short_description: Module to manage openshift certificate authority
+description:
+  - Wrapper around the openshift `oc adm ca` command.
+options:
+  state:
+    description:
+    - Present is the only supported state.  The state present means that `oc adm ca` will generate a certificate
+    - When create-master-certs is desired then the following parameters are passed.
+    - ['cert_dir', 'hostnames', 'master', 'public_master', 'overwrite', 'signer_name']
+    - When create-key-pair is desired then the following parameters are passed.
+    - ['private_key', 'public_key']
+    - When create-server-cert is desired then the following parameters are passed.
+    - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
+    required: false
+    default: present
+    choices: ["present"]
+    aliases: []
+  kubeconfig:
+    description:
+    - The path for the kubeconfig file to use for authentication
+    required: false
+    default: /etc/origin/master/admin.kubeconfig
+    aliases: []
+  debug:
+    description:
+    - Turn on debug output.
+    required: false
+    default: False
+    aliases: []
+  cmd:
+    description:
+    - The sub command given for `oc adm ca`
+    required: false
+    default: None
+    choices:
+    - create-master-certs
+    - create-key-pair
+    - create-server-cert
+    aliases: []
+  cert_dir:
+    description:
+    - The directory to place the certificates.
+    required: false
+    default: False
+    aliases: []
+author:
+- "Kenny Woodson <kwoodson@redhat.com>"
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: create secret
+  oc_secret:
+    state: present
+    namespace: openshift-infra
+    name: metrics-deployer
+    files:
+    - name: nothing
+      path: /dev/null
+  register: secretout
+  run_once: true
+
+- name: get ca from hawkular
+  oc_secret:
+    state: list
+    namespace: openshift-infra
+    name:  hawkular-metrics-certificate
+    decode: True
+  register: hawkout
+  run_once: true
+
+- name: Create secrets
+  oc_secret:
+    namespace: mynamespace
+    name: mysecrets
+    contents:
+    - path: data.yml
+      data: "{{ data_content }}"
+    - path: auth-keys
+      data: "{{ auth_keys_content }}"
+    - path: configdata.yml
+      data: "{{ configdata_content }}"
+    - path: cert.crt
+      data: "{{ cert_content }}"
+    - path: key.pem
+      data: "{{ osso_site_key_content }}"
+    - path: ca.cert.pem
+      data: "{{ ca_cert_content }}"
+  register: secretout
+'''
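Review bot: The `module:` line of DOCUMENTATION names this module `oc_secret`, and the whole EXAMPLES block is copied from oc_secret (`state: list`, `decode`, `contents`, `files` are not options of this module), so the generated oadm_ca.py would ship documentation for a different module. Change it to `module: oadm_ca` (the target name in sources.yml) and replace the examples with one task per subcommand using the options this module actually accepts, for example `oadm_ca: cmd: create-server-cert` with `cert`, `key`, `signer_cert`, `signer_key`, `signer_serial` and `hostnames`. `cert_dir` is documented with `default: False` while the argument spec in ansible/oadm_certificate_authority.py defaults it to None, and the remaining spec options (`hostnames`, `master`, `public_master`, `overwrite`, `signer_name`, `private_key`, `public_key`, `cert`, `key`, `signer_cert`, `signer_key`, `signer_serial`) have no entries under `options:` at all.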

+ 10 - 0
roles/lib_openshift/src/sources.yml

@@ -1,4 +1,14 @@
 ---
+oadm_ca.py:
+- doc/generated
+- doc/license
+- lib/import.py
+- doc/certificate_authority
+- ../../lib_utils/src/class/yedit.py
+- lib/base.py
+- class/oadm_certificate_authority.py
+- ansible/oadm_certificate_authority.py
+
 oadm_manage_node.py:
 - doc/generated
 - doc/license