
Switched Cassandra to use certificates generated by OpenShift

Juraci Paixão Kröhling 8 years ago
parent
commit
6d7ca91fc4

+ 1 - 54
roles/openshift_metrics/files/import_jks_certs.sh

@@ -21,11 +21,7 @@ set -ex
 function import_certs() {
   dir=$CERT_DIR
   hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d)
-  hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d)
   hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d)
-  hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d)
-
-  cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'`
   hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'`
 
   if [ ! -f $dir/hawkular-metrics.keystore ]; then
@@ -39,56 +35,7 @@ function import_certs() {
       -deststorepass $hawkular_metrics_keystore_password
   fi
 
-  if [ ! -f $dir/hawkular-cassandra.keystore ]; then
-    echo "Creating the Hawkular Cassandra keystore from the PEM file"
-    keytool -importkeystore -v \
-      -srckeystore $dir/hawkular-cassandra.pkcs12 \
-      -destkeystore $dir/hawkular-cassandra.keystore \
-      -srcstoretype PKCS12 \
-      -deststoretype JKS \
-      -srcstorepass $hawkular_cassandra_keystore_password \
-      -deststorepass $hawkular_cassandra_keystore_password
-  fi
-
-  if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then
-    echo "Importing the Hawkular Certificate into the Cassandra Truststore"
-    keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \
-      -file $dir/hawkular-metrics.crt \
-      -keystore $dir/hawkular-cassandra.truststore \
-      -trustcacerts \
-      -storepass $hawkular_cassandra_truststore_password
-  fi
-
-  if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then
-    echo "Importing the Cassandra Certificate into the Hawkular Truststore"
-    keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \
-      -file $dir/hawkular-cassandra.crt \
-      -keystore $dir/hawkular-metrics.truststore \
-      -trustcacerts \
-      -storepass $hawkular_metrics_truststore_password
-  fi
-
-  if [[ ! ${cassandra_alias[*]} =~ hawkular-cassandra ]]; then
-    echo "Importing the Hawkular Cassandra Certificate into the Cassandra Truststore"
-    keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \
-      -file $dir/hawkular-cassandra.crt \
-      -keystore $dir/hawkular-cassandra.truststore \
-      -trustcacerts \
-      -storepass $hawkular_cassandra_truststore_password
-  fi
-
-  cert_alias_names=(ca metricca cassandraca)
-
-  for cert_alias in ${cert_alias_names[*]}; do
-    if [[ ! ${cassandra_alias[*]} =~ "$cert_alias" ]]; then
-      echo "Importing the CA Certificate with alias $cert_alias into the Cassandra Truststore"
-      keytool -noprompt -import -v -trustcacerts -alias $cert_alias \
-        -file ${dir}/ca.crt \
-        -keystore $dir/hawkular-cassandra.truststore \
-        -trustcacerts \
-        -storepass $hawkular_cassandra_truststore_password
-    fi
-  done
+  cert_alias_names=(ca metricca)
 
   for cert_alias in ${cert_alias_names[*]}; do
     if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then
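Review bot: The alias check on the last visible line, `[[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]`, is a substring match, so the `ca` entry of the new `cert_alias_names=(ca metricca)` is treated as already present whenever the listing contains `metricca`; on a truststore that holds only `metricca`, the `ca` import is silently skipped. Matching whole lines avoids that, e.g. `if ! grep -qx -- "$cert_alias" <<<"$hawkular_alias"; then`. Separately, the script runs under `set -ex` and passes `-storepass` on the command line (a pre-existing pattern, not introduced here), so keystore passwords land in the trace output and the process list; keytool's `-storepass:env VAR` / `-storepass:file PATH` forms avoid that. The enclosing `import_certs` function continues past the end of the hunk.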

+ 14 - 37
roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml

@@ -13,9 +13,6 @@
     hostnames: hawkular-cassandra
   changed_when: no
 
-- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd
-  register: cassandra_truststore_password
-
 - slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd
   register: hawkular_truststore_password
 
@@ -67,11 +64,8 @@
   - hawkular-metrics.pwd
   - hawkular-metrics.htpasswd
   - hawkular-cassandra.crt
+  - hawkular-cassandra.key
   - hawkular-cassandra.pem
-  - hawkular-cassandra.keystore
-  - hawkular-cassandra-keystore.pwd
-  - hawkular-cassandra.truststore
-  - hawkular-cassandra-truststore.pwd
   changed_when: false
 
 - set_fact:
@@ -136,38 +130,21 @@
 - name: generate cassandra secret template
   template:
     src: secret.j2
-    dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+    dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-certs.yaml"
   vars:
-    name: hawkular-cassandra-secrets
+    name: hawkular-cassandra-certs
     labels:
-      metrics-infra: hawkular-cassandra
+      metrics-infra: hawkular-cassandra-certs
+    annotations:
+      service.alpha.openshift.io/originating-service-name: hawkular-cassandra
     data:
-      cassandra.keystore: >
-        {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
-      cassandra.keystore.password: >
-        {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
-      cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
-      cassandra.truststore: >
-        {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
-      cassandra.truststore.password: >
-        {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
-      cassandra.pem: >
-        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
-  when: name not in metrics_secrets
-  changed_when: no
-
-- name: generate cassandra-certificate secret template
-  template:
-    src: secret.j2
-    dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
-  vars:
-    name: hawkular-cassandra-certificate
-    labels:
-      metrics-infra: hawkular-cassandra
-    data:
-      cassandra.certificate: >
+      tls.crt: >
         {{ hawkular_secrets['hawkular-cassandra.crt'] }}
-      cassandra-ca.certificate: >
-        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
-  when: name not in metrics_secrets.stdout_lines
+      tls.key: >
+        {{ hawkular_secrets['hawkular-cassandra.key'] }}
+      tls.peer.truststore.crt: >
+        {{ hawkular_secrets['hawkular-cassandra.crt'] }}
+      tls.client.truststore.crt: >
+        {{ hawkular_secrets['hawkular-metrics.crt'] }}
+  when: name not in metrics_secrets
   changed_when: no
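Review bot: The new `hawkular-cassandra-certs` secret carries the `service.alpha.openshift.io/originating-service-name` annotation yet is seeded with the locally generated `hawkular-cassandra.crt`/`.key`, and `tls.peer.truststore.crt` pins that same locally generated leaf certificate. If the serving-cert signer later replaces `tls.crt`/`tls.key` (which the commit title suggests is the intent), the peer truststore still trusts only the old leaf, and `when: name not in metrics_secrets` means a re-run will not refresh it, so node-to-node auth would fail until the secret is deleted and recreated. Unless rotation is known never to happen, the peer trust anchor should be the issuing CA rather than the leaf, or a comment on the `data:` block should state that the seeded `tls.*` values are placeholders the signer overwrites. `hawkular-cassandra.key`, newly added to the fetched `hawkular_secrets`, is private key material, so confirm the template directory under `mktemp.stdout` is removed at the end of the role (not visible here).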

+ 1 - 18
roles/openshift_metrics/tasks/import_jks_certs.yaml

@@ -1,12 +1,4 @@
 ---
-- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore"
-  register: cassandra_keystore
-  check_mode: no
-
-- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore"
-  register: cassandra_truststore
-  check_mode: no
-
 - stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore"
   register: metrics_keystore
   check_mode: no
@@ -19,9 +11,6 @@
   - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd
     register: metrics_keystore_password
 
-  - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd
-    register: cassandra_keystore_password
-
   - fetch:
       dest: "{{local_tmp.stdout}}/"
       src: "{{ mktemp.stdout }}/{{item}}"
@@ -29,18 +18,14 @@
     changed_when: False
     with_items:
     - hawkular-metrics.pkcs12
-    - hawkular-cassandra.pkcs12
     - hawkular-metrics.crt
-    - hawkular-cassandra.crt
     - ca.crt
 
   - local_action: command {{role_path}}/files/import_jks_certs.sh
     environment:
       CERT_DIR: "{{local_tmp.stdout}}"
       METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}"
-      CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}"
       METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
-      CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}"
     changed_when: False
 
   - copy:
@@ -49,6 +34,4 @@
     with_fileglob: "{{local_tmp.stdout}}/*.*store"
 
   when: not metrics_keystore.stat.exists or
-        not metrics_truststore.stat.exists or
-        not cassandra_keystore.stat.exists or
-        not cassandra_truststore.stat.exists
+        not metrics_truststore.stat.exists

+ 12 - 13
roles/openshift_metrics/templates/hawkular_cassandra_rc.j2

@@ -48,11 +48,6 @@ spec:
         - "--require_node_auth=true"
         - "--enable_client_encryption=true"
         - "--require_client_auth=true"
-        - "--keystore_file=/secret/cassandra.keystore"
-        - "--keystore_password_file=/secret/cassandra.keystore.password"
-        - "--truststore_file=/secret/cassandra.truststore"
-        - "--truststore_password_file=/secret/cassandra.truststore.password"
-        - "--cassandra_pem_file=/secret/cassandra.pem"
         env:
         - name: CASSANDRA_MASTER
           value: "{{ master }}"
@@ -60,6 +55,10 @@ spec:
           value: "/cassandra_data"
         - name: JVM_OPTS
           value: "-Dcassandra.commitlog.ignorereplayerrors=true"
+        - name: TRUSTSTORE_NODES_AUTHORITIES
+          value: "/hawkular-cassandra-certs/tls.peer.truststore.crt"
+        - name: TRUSTSTORE_CLIENT_AUTHORITIES
+          value: "/hawkular-cassandra-certs/tls.client.truststore.crt"
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
@@ -76,12 +75,12 @@ spec:
         volumeMounts:
         - name: cassandra-data
           mountPath: "/cassandra_data"
-        - name: hawkular-cassandra-secrets
-          mountPath: "/secret"
-{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) 
+        - name: hawkular-cassandra-certs
+          mountPath: "/hawkular-cassandra-certs"
+{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none)
    or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none)
    or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none)
-   or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) 
+   or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none))
 %}
         resources:
 {%      if (openshift_metrics_cassandra_limits_cpu is not none
@@ -95,8 +94,8 @@ spec:
             memory: "{{openshift_metrics_cassandra_limits_memory}}"
 {% endif %}
 {% endif %}
-{%        if (openshift_metrics_cassandra_requests_cpu is not none 
-          or openshift_metrics_cassandra_requests_memory is not none) 
+{%        if (openshift_metrics_cassandra_requests_cpu is not none
+          or openshift_metrics_cassandra_requests_memory is not none)
 %}
           requests:
 {%        if openshift_metrics_cassandra_requests_cpu is not none %}
@@ -129,6 +128,6 @@ spec:
         persistentVolumeClaim:
           claimName: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ node }}"
 {% endif %}
-      - name: hawkular-cassandra-secrets
+      - name: hawkular-cassandra-certs
         secret:
-          secretName: hawkular-cassandra-secrets
+          secretName: hawkular-cassandra-certs
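Review bot: Removing `--keystore_file`/`--keystore_password_file`/`--cassandra_pem_file` leaves nothing in this template telling Cassandra where its own `tls.crt`/`tls.key` live, while `--require_node_auth=true` and `--require_client_auth=true` are kept and only the two truststore env vars point into `/hawkular-cassandra-certs`. Presumably the container entrypoint derives the key and certificate paths from that mount — worth stating above the env block with `# tls.crt/tls.key are read from /hawkular-cassandra-certs by the image entrypoint; only the trust anchors are configured here`, so the next maintainer does not assume encryption is misconfigured. Since the mount now contains a private key, consider `defaultMode: 0400` on the `hawkular-cassandra-certs` secret volume so it is not world-readable inside the container.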

+ 6 - 0
roles/openshift_metrics/templates/secret.j2

@@ -2,6 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: "{{ name }}"
+{% if annotations is defined%}
+  annotations:
+{% for key, value in annotations.iteritems() %}
+    {{key}}: {{value}}
+{% endfor %}
+{% endif %}
   labels:
 {% for k, v in labels.iteritems() %}
     {{ k }}: {{ v }}
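Review bot: The added annotation loop emits `{{key}}: {{value}}` unquoted, unlike `name: "{{ name }}"` just above it, so a value containing YAML-significant characters (a colon, `#`, a leading `*` or `@`) yields an invalid or mis-parsed Secret manifest. Quoting the value keeps it a string: `{{ key }}: "{{ value }}"`. `iteritems()` matches the existing `labels` loop but is Python 2 only; a Python 3 Ansible will need `items()` in both loops. `{% if annotations is defined%}` is also missing the space before `%}`.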