
Changed Hawkular Metrics secrets to use a format similar to the one automatically generated by OpenShift

Juraci Paixão Kröhling 8 years ago
parent
commit
792fd2f34e

+ 0 - 52
roles/openshift_metrics/files/import_jks_certs.sh

@@ -1,52 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014-2015 Red Hat, Inc. and/or its affiliates
-# and other contributors as indicated by the @author tags.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -ex
-
-function import_certs() {
-  dir=$CERT_DIR
-  hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 --decode)
-  hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 --decode)
-  hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'`
-
-  if [ ! -f $dir/hawkular-metrics.keystore ]; then
-    echo "Creating the Hawkular Metrics keystore from the PEM file"
-    keytool -importkeystore -v \
-      -srckeystore $dir/hawkular-metrics.pkcs12 \
-      -destkeystore $dir/hawkular-metrics.keystore \
-      -srcstoretype PKCS12 \
-      -deststoretype JKS \
-      -srcstorepass $hawkular_metrics_keystore_password \
-      -deststorepass $hawkular_metrics_keystore_password
-  fi
-
-  cert_alias_names=(ca metricca)
-
-  for cert_alias in ${cert_alias_names[*]}; do
-    if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then
-      echo "Importing the CA Certificate with alias $cert_alias into the Hawkular Metrics Truststore"
-      keytool -noprompt -import -v -trustcacerts -alias $cert_alias \
-        -file ${dir}/ca.crt \
-        -keystore $dir/hawkular-metrics.truststore \
-        -trustcacerts \
-        -storepass $hawkular_metrics_truststore_password
-    fi
-  done
-}
-
-import_certs

+ 15 - 52
roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml

@@ -13,21 +13,6 @@
     hostnames: hawkular-cassandra
   changed_when: no
 
-- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd
-  register: hawkular_truststore_password
-
-- stat: path="{{mktemp.stdout}}/{{item}}"
-  register: pwd_file_stat
-  with_items:
-  - hawkular-metrics.pwd
-  - hawkular-metrics.htpasswd
-  changed_when: no
-
-- set_fact:
-    pwd_files: "{{pwd_files | default({}) | combine ({item.item: item.stat}) }}"
-  with_items: "{{pwd_file_stat.results}}"
-  changed_when: no
-
 - name: generate password for hawkular metrics
   local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}"
   with_items:
@@ -47,8 +32,6 @@
   - hawkular-metrics.pwd
   - hawkular-metrics.htpasswd
 
-- include: import_jks_certs.yaml
-
 - name: read files for the hawkular-metrics secret
   shell: >
     printf '%s: ' '{{ item }}'
@@ -56,13 +39,11 @@
   register: hawkular_secrets
   with_items:
   - ca.crt
-  - hawkular-metrics.crt
-  - hawkular-metrics.keystore
-  - hawkular-metrics-keystore.pwd
-  - hawkular-metrics.truststore
-  - hawkular-metrics-truststore.pwd
   - hawkular-metrics.pwd
   - hawkular-metrics.htpasswd
+  - hawkular-metrics.crt
+  - hawkular-metrics.key
+  - hawkular-metrics.pem
   - hawkular-cassandra.crt
   - hawkular-cassandra.key
   - hawkular-cassandra.pem
@@ -73,42 +54,23 @@
       {{ hawkular_secrets.results|map(attribute='stdout')|join('
       ')|from_yaml }}
 
-- name: generate hawkular-metrics-secrets secret template
-  template:
-    src: secret.j2
-    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
-  vars:
-    name: hawkular-metrics-secrets
-    labels:
-      metrics-infra: hawkular-metrics
-    data:
-      hawkular-metrics.keystore: >
-        {{ hawkular_secrets['hawkular-metrics.keystore'] }}
-      hawkular-metrics.keystore.password: >
-        {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
-      hawkular-metrics.truststore: >
-        {{ hawkular_secrets['hawkular-metrics.truststore'] }}
-      hawkular-metrics.truststore.password: >
-        {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
-      hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
-      hawkular-metrics.htpasswd.file: >
-        {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
-  when: name not in metrics_secrets.stdout_lines
-  changed_when: no
-
-- name: generate hawkular-metrics-certificate secret template
+- name: generate hawkular-metrics-certs secret template
   template:
     src: secret.j2
-    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
+    dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-certs.yaml"
   vars:
-    name: hawkular-metrics-certificate
+    name: hawkular-metrics-certs
     labels:
-      metrics-infra: hawkular-metrics
+      metrics-infra: hawkular-metrics-certs
+    annotations:
+      service.alpha.openshift.io/originating-service-name: hawkular-metrics
     data:
-      hawkular-metrics.certificate: >
+      tls.crt: >
         {{ hawkular_secrets['hawkular-metrics.crt'] }}
-      hawkular-metrics-ca.certificate: >
-        {{ hawkular_secrets['ca.crt'] }}
+      tls.key: >
+        {{ hawkular_secrets['hawkular-metrics.key'] }}
+      tls.truststore.crt: >
+        {{ hawkular_secrets['hawkular-cassandra.crt'] }}
   when: name not in metrics_secrets.stdout_lines
   changed_when: no
 
@@ -122,6 +84,7 @@
       metrics-infra: hawkular-metrics
     data:
       hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
+      hawkular-metrics.htpasswd: "{{ hawkular_secrets['hawkular-metrics.htpasswd'] }}"
       hawkular-metrics.password: >
         {{ hawkular_secrets['hawkular-metrics.pwd'] }}
   when: name not in metrics_secrets.stdout_lines
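Review bot: The new hawkular-metrics-certs secret no longer carries ca.crt: the removed `hawkular-metrics-ca.certificate` entry was the CA, while the added `tls.truststore.crt` holds `hawkular_secrets['hawkular-cassandra.crt']`, i.e. a server leaf certificate, and heapster.j2 now points `caCert=` at `/hawkular-metrics-certs/tls.crt`, the hawkular-metrics leaf itself, with hawkular_metrics_rc.j2 doing the same via `TRUSTSTORE_AUTHORITIES`. If those certificates are issued by the CA generated earlier in this role rather than self-signed, clients that only chain to a CA will fail to validate, and pinning a leaf means every certificate renewal must be propagated to both consumers; adding `ca.crt: > {{ hawkular_secrets['ca.crt'] }}` to this secret's `data:` (ca.crt is still in the read list above) and pointing the consumers at it would keep the trust anchor stable. `hawkular-metrics.pem` is added to the read list but nothing in this commit consumes it, so it is presumably read for a later task or can be dropped. The `hawkular-metrics.htpasswd` entry in the hawkular-metrics-account secret uses a double-quoted scalar while its neighbours use the `>` folded form; the enclosing task for that hunk starts outside the hunk.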

+ 0 - 37
roles/openshift_metrics/tasks/import_jks_certs.yaml

@@ -1,37 +0,0 @@
----
-- stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore"
-  register: metrics_keystore
-  check_mode: no
-
-- stat: path="{{mktemp.stdout}}/hawkular-metrics.truststore"
-  register: metrics_truststore
-  check_mode: no
-
-- block:
-  - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd
-    register: metrics_keystore_password
-
-  - fetch:
-      dest: "{{local_tmp.stdout}}/"
-      src: "{{ mktemp.stdout }}/{{item}}"
-      flat: yes
-    changed_when: False
-    with_items:
-    - hawkular-metrics.pkcs12
-    - hawkular-metrics.crt
-    - ca.crt
-
-  - local_action: command {{role_path}}/files/import_jks_certs.sh
-    environment:
-      CERT_DIR: "{{local_tmp.stdout}}"
-      METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}"
-      METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
-    changed_when: False
-
-  - copy:
-      dest: "{{mktemp.stdout}}/"
-      src: "{{item}}"
-    with_fileglob: "{{local_tmp.stdout}}/*.*store"
-
-  when: not metrics_keystore.stat.exists or
-        not metrics_truststore.stat.exists

+ 1 - 1
roles/openshift_metrics/tasks/install_heapster.yaml

@@ -20,7 +20,7 @@
 - set_fact:
     heapster_sa_secrets: "{{ heapster_sa_secrets + [item] }}"
   with_items:
-    - hawkular-metrics-certificate
+    - hawkular-metrics-certs
     - hawkular-metrics-account
   when: "not {{ openshift_metrics_heapster_standalone | bool }}"
 

+ 11 - 13
roles/openshift_metrics/templates/hawkular_metrics_rc.j2

@@ -40,24 +40,20 @@ spec:
         - "-Dhawkular.metrics.cassandra.nodes=hawkular-cassandra"
         - "-Dhawkular.metrics.cassandra.use-ssl"
         - "-Dhawkular.metrics.openshift.auth-methods=openshift-oauth,htpasswd"
-        - "-Dhawkular.metrics.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file"
+        - "-Dhawkular.metrics.openshift.htpasswd-file=/hawkular-account/hawkular-metrics.htpasswd"
         - "-Dhawkular.metrics.allowed-cors-access-control-allow-headers=authorization"
         - "-Dhawkular.metrics.default-ttl={{openshift_metrics_duration}}"
         - "-Dhawkular.metrics.admin-tenant=_hawkular_admin"
         - "-Dhawkular-alerts.cassandra-nodes=hawkular-cassandra"
         - "-Dhawkular-alerts.cassandra-use-ssl"
         - "-Dhawkular.alerts.openshift.auth-methods=openshift-oauth,htpasswd"
-        - "-Dhawkular.alerts.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file"
+        - "-Dhawkular.alerts.openshift.htpasswd-file=/hawkular-account/hawkular-metrics.htpasswd"
         - "-Dhawkular.alerts.allowed-cors-access-control-allow-headers=authorization"
         - "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
         - "-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"
         - "-Dcom.datastax.driver.FORCE_NIO=true"
         - "-DKUBERNETES_MASTER_URL={{openshift_metrics_master_url}}"
         - "-DUSER_WRITE_ACCESS={{openshift_metrics_hawkular_user_write_access}}"
-        - "--hmw.keystore=/secrets/hawkular-metrics.keystore"
-        - "--hmw.truststore=/secrets/hawkular-metrics.truststore"
-        - "--hmw.keystore_password_file=/secrets/hawkular-metrics.keystore.password"
-        - "--hmw.truststore_password_file=/secrets/hawkular-metrics.truststore.password"
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -67,6 +63,8 @@ spec:
           value: "{{ openshift_metrics_master_url }}"
         - name: JGROUPS_PASSWORD
           value: "{{ 17 | oo_random_word }}"
+        - name: TRUSTSTORE_AUTHORITIES
+          value: "/hawkular-metrics-certs/tls.truststore.crt"
         - name: OPENSHIFT_KUBE_PING_NAMESPACE
           valueFrom:
             fieldRef:
@@ -76,10 +74,10 @@ spec:
         - name: STARTUP_TIMEOUT
           value: "{{ openshift_metrics_startup_timeout }}"
         volumeMounts:
-        - name: hawkular-metrics-secrets
-          mountPath: "/secrets"
-        - name: hawkular-metrics-client-secrets
-          mountPath: "/client-secrets"
+        - name: hawkular-metrics-certs
+          mountPath: "/hawkular-metrics-certs"
+        - name: hawkular-metrics-account
+          mountPath: "/hawkular-account"
 {% if ((openshift_metrics_hawkular_limits_cpu is defined and openshift_metrics_hawkular_limits_cpu is not none)
    or (openshift_metrics_hawkular_limits_memory is defined and openshift_metrics_hawkular_limits_memory is not none)
    or (openshift_metrics_hawkular_requests_cpu is defined and openshift_metrics_hawkular_requests_cpu is not none)
@@ -118,9 +116,9 @@ spec:
             command:
             - "/opt/hawkular/scripts/hawkular-metrics-liveness.py"
       volumes:
-      - name: hawkular-metrics-secrets
+      - name: hawkular-metrics-certs
         secret:
-          secretName: hawkular-metrics-secrets
-      - name: hawkular-metrics-client-secrets
+          secretName: hawkular-metrics-certs
+      - name: hawkular-metrics-account
         secret:
           secretName: hawkular-metrics-account

+ 9 - 9
roles/openshift_metrics/templates/heapster.j2

@@ -43,15 +43,15 @@ spec:
         - "--wrapper.username_file=/hawkular-account/hawkular-metrics.username"
         - "--wrapper.password_file=/hawkular-account/hawkular-metrics.password"
         - "--wrapper.endpoint_check=https://hawkular-metrics:443/hawkular/metrics/status"
-        - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{openshift_metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)"
+        - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{openshift_metrics_node_id}}&caCert=/hawkular-metrics-certs/tls.crt&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)"
 {% endif %}
         env:
         - name: STARTUP_TIMEOUT
           value: "{{ openshift_metrics_startup_timeout }}"
-{% if ((openshift_metrics_heapster_limits_cpu is defined and openshift_metrics_heapster_limits_cpu is not none) 
+{% if ((openshift_metrics_heapster_limits_cpu is defined and openshift_metrics_heapster_limits_cpu is not none)
    or (openshift_metrics_heapster_limits_memory is defined and openshift_metrics_heapster_limits_memory is not none)
    or (openshift_metrics_heapster_requests_cpu is defined and openshift_metrics_heapster_requests_cpu is not none)
-   or (openshift_metrics_heapster_requests_memory is defined and openshift_metrics_heapster_requests_memory is not none)) 
+   or (openshift_metrics_heapster_requests_memory is defined and openshift_metrics_heapster_requests_memory is not none))
 %}
         resources:
 {% if (openshift_metrics_heapster_limits_cpu is not none
@@ -65,8 +65,8 @@ spec:
             memory: "{{openshift_metrics_heapster_limits_memory}}"
 {% endif %}
 {% endif %}
-{% if (openshift_metrics_heapster_requests_cpu is not none 
-   or openshift_metrics_heapster_requests_memory is not none) 
+{% if (openshift_metrics_heapster_requests_cpu is not none
+   or openshift_metrics_heapster_requests_memory is not none)
 %}
           requests:
 {% if openshift_metrics_heapster_requests_cpu is not none %}
@@ -81,8 +81,8 @@ spec:
         - name: heapster-secrets
           mountPath: "/secrets"
 {% if not openshift_metrics_heapster_standalone %}
-        - name: hawkular-metrics-certificate
-          mountPath: "/hawkular-cert"
+        - name: hawkular-metrics-certs
+          mountPath: "/hawkular-metrics-certs"
         - name: hawkular-metrics-account
           mountPath: "/hawkular-account"
         readinessProbe:
@@ -95,9 +95,9 @@ spec:
           secret:
             secretName: heapster-secrets
 {% if not openshift_metrics_heapster_standalone %}
-        - name: hawkular-metrics-certificate
+        - name: hawkular-metrics-certs
           secret:
-            secretName: hawkular-metrics-certificate
+            secretName: hawkular-metrics-certs
         - name: hawkular-metrics-account
           secret:
             secretName: hawkular-metrics-account