Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 04c1500801
Branches Tags
okd
/
roles
/
openshift_metrics
/
tasks
/
setup_certificate.yaml

setup_certificate.yaml 2.2 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 
  1. ---
    2. 

  2. - name: generate {{ component }} keys
    3. 

  3.   command: >
    4. 

  4.     {{ openshift.common.admin_binary }} ca create-server-cert
    5. 

  5.     --key='{{ mktemp.stdout }}/certs/{{ component }}.key'
    6. 

  6.     --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt'
    7. 

  7.     --hostnames='{{ hostnames }}'
    8. 

  8.     --signer-cert='{{ mktemp.stdout }}/certs/ca.crt'
    9. 

  9.     --signer-key='{{ mktemp.stdout }}/certs/ca.key'
    10. 

  10.     --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt'
    11. 

  11. - name: generate {{ component }} certificate
    12. 

  12.   shell: >
    13. 

  13.     cat
    14. 

  14.     '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key'
    15. 

  15.     '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt'
    16. 

  16.     > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem'
    17. 

  17. - name: generate random password for the {{ component }} keystore
    18. 

  18.   shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
    19. 

  19.   register: keystore_pwd
    20. 

  20. - name: create the password file for {{ component }}
    21. 

  21.   shell: >
    22. 

  22.     echo '{{ keystore_pwd.stdout|quote }}'
    23. 

  23.     > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd'
    24. 

  24. - name: create the {{ component }} pkcs12 from the pem file
    25. 

  25.   command: >
    26. 

  26.     openssl pkcs12 -export
    27. 

  27.     -in '{{ mktemp.stdout }}/certs/{{ component }}.pem'
    28. 

  28.     -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12'
    29. 

  29.     -name '{{ component }}' -noiter -nomaciter
    30. 

  30.     -password 'pass:{{ keystore_pwd.stdout }}'
    31. 

  31. - name: create the {{ component }} keystore from the pkcs12 file
    32. 

  32.   command: >
    33. 

  33.     keytool -v -importkeystore
    34. 

  34.     -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12'
    35. 

  35.     -srcstoretype PKCS12
    36. 

  36.     -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore'
    37. 

  37.     -deststoretype JKS
    38. 

  38.     -deststorepass '{{ keystore_pwd.stdout }}'
    39. 

  39.     -srcstorepass '{{ keystore_pwd.stdout }}'
    40. 

  40. - name: create the {{ component }} certificate
    41. 

  41.   command: >
    42. 

  42.     keytool -noprompt -export
    43. 

  43.     -alias '{{ component }}'
    44. 

  44.     -file '{{ mktemp.stdout }}/certs/{{ component }}.cert'
    45. 

  45.     -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore'
    46. 

  46.     -storepass '{{ keystore_pwd.stdout }}'
    47. 

  47. - name: generate random password for the {{ component }} truststore
    48. 

  48.   shell: >
    49. 

  49.     tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
    50. 

  50.     > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd'
    51.