fix BZ1414477. Use keytool on control node and require java

roles/openshift_metrics/files/import_jks_certs.sh

@@ -114,5 +114,3 @@ function import_certs() {
 }
 
 import_certs
-
-exit 0

roles/openshift_metrics/tasks/import_jks_certs.yaml

@@ -1,76 +1,4 @@
 ---
-- name: Check for jks-generator service account
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    get serviceaccount/jks-generator --no-headers
-  register: serviceaccount_result
-  ignore_errors: yes
-  when: not ansible_check_mode
-  changed_when: no
-
-- name: Create jks-generator service account
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    create serviceaccount jks-generator
-  when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
-
-- name: Check for hostmount-anyuid scc entry
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    get scc hostmount-anyuid
-    -o jsonpath='{.users}'
-  register: scc_result
-  when: not ansible_check_mode
-  changed_when: no
-
-- name: Add to hostmount-anyuid scc
-  command: >
-    {{ openshift.common.admin_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    policy add-scc-to-user hostmount-anyuid
-    -z jks-generator
-  when:
-    - not ansible_check_mode
-    - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1
-
-- name: Copy JKS generation script
-  copy:
-    src: import_jks_certs.sh
-    dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"
-  check_mode: no
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
-  register: metrics_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
-  register: cassandra_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
-  register: jgroups_keystore_password
-
-- name: Generate JKS pod template
-  template:
-    src: jks_pod.j2
-    dest: "{{mktemp.stdout}}/jks_pod.yaml"
-  vars:
-    metrics_keystore_passwd: "{{metrics_keystore_password.content}}"
-    cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}"
-    metrics_truststore_passwd: "{{hawkular_truststore_password.content}}"
-    cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}"
-    jgroups_passwd: "{{jgroups_keystore_password.content}}"
-  check_mode: no
-  changed_when: no
-
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
-  register: metrics_keystore
-  check_mode: no
-
 - stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
   register: cassandra_keystore
   check_mode: no
@@ -79,6 +7,10 @@
   register: cassandra_truststore
   check_mode: no
 
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+  register: metrics_keystore
+  check_mode: no
+
 - stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
   register: metrics_truststore
   check_mode: no
@@ -87,32 +19,52 @@
   register: jgroups_keystore
   check_mode: no
 
-- name: create JKS pod
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    create -f {{mktemp.stdout}}/jks_pod.yaml
-    -o name
-  register: podoutput
-  check_mode: no
-  when: not metrics_keystore.stat.exists or
-        not metrics_truststore.stat.exists or
-        not cassandra_keystore.stat.exists or
-        not cassandra_truststore.stat.exists or
-        not jgroups_keystore.stat.exists
+- block:
+  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+    register: metrics_keystore_password
+
+  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+    register: cassandra_keystore_password
+
+  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+    register: jgroups_keystore_password
+
+  - local_action: command mktemp -d
+    register: local_tmp
+    changed_when: False
+
+  - fetch:
+      dest: "{{local_tmp.stdout}}/"
+      src: "{{ openshift_metrics_certs_dir }}/{{item}}"
+      flat: yes
+    changed_when: False
+    with_items:
+    - hawkular-metrics.pkcs12
+    - hawkular-cassandra.pkcs12
+    - hawkular-metrics.crt
+    - hawkular-cassandra.crt
+    - ca.crt
+
+  - local_action: command {{role_path}}/files/import_jks_certs.sh
+    environment:
+      CERT_DIR: "{{local_tmp.stdout}}"
+      METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}"
+      CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}"
+      METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
+      CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}"
+      JGROUPS_PASSWD: "{{jgroups_keystore_password.content}}"
+    changed_when: False
+
+  - copy:
+      dest: "{{openshift_metrics_certs_dir}}/"
+      src: "{{item}}"
+    with_fileglob: "{{local_tmp.stdout}}/*.*store"
+
+  - file:
+      path: "{{local_tmp.stdout}}"
+      state: absent
+    changed_when: False
 
-- command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    get {{podoutput.stdout}}
-    -o jsonpath='{.status.phase}'
-  register: result
-  until: result.stdout.find("Succeeded") != -1
-  retries: 5
-  delay: 10
-  changed_when: no
   when: not metrics_keystore.stat.exists or
         not metrics_truststore.stat.exists or
         not cassandra_keystore.stat.exists or

roles/openshift_metrics/templates/jks_pod.j2

@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  labels:
-    metrics-infra: support
-  generateName: jks-cert-gen-
-spec:
-  containers:
-  - name: jks-cert-gen
-    image: {{openshift_metrics_image_prefix}}metrics-deployer:{{openshift_metrics_image_version}}
-    imagePullPolicy: Always
-    command: ["sh",  "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"]
-    securityContext:
-      runAsUser: 0
-    volumeMounts:
-    - mountPath: {{openshift_metrics_certs_dir}}
-      name: certmount
-    env:
-    - name: CERT_DIR
-      value: {{openshift_metrics_certs_dir}}
-    - name: METRICS_KEYSTORE_PASSWD
-      value: {{metrics_keystore_passwd}}
-    - name: CASSANDRA_KEYSTORE_PASSWD
-      value: {{cassandra_keystore_passwd}}
-    - name: METRICS_TRUSTSTORE_PASSWD
-      value: {{metrics_truststore_passwd}}
-    - name: CASSANDRA_TRUSTSTORE_PASSWD
-      value: {{cassandra_truststore_passwd}}
-    - name: hawkular_cassandra_alias
-      value: {{cassandra_keystore_passwd}}
-    - name: JGROUPS_PASSWD
-      value: {{jgroups_passwd}}
-  restartPolicy: Never
-  serviceAccount: jks-generator
-  volumes:
-  - hostPath:
-      path: "{{openshift_metrics_certs_dir}}"
-    name: certmount