okd/roles/openshift_logging/tasks/generate_pems.yaml

---
- name: Checking for {{component}}.key
  stat:
    path: "{{generated_certs_dir}}/{{component}}.key"
    get_checksum: false
    get_attributes: false
    get_mime: false
  register: key_file
  check_mode: no

- name: Checking for {{component}}.crt
  stat:
    path: "{{generated_certs_dir}}/{{component}}.crt"
    get_checksum: false
    get_attributes: false
    get_mime: false
  register: cert_file
  check_mode: no

- name: Creating cert req for {{component}}
  command: >
    openssl req -out {{generated_certs_dir}}/{{component}}.csr -new -newkey rsa:2048 -keyout {{generated_certs_dir}}/{{component}}.key
    -subj "/CN={{component}}/OU=OpenShift/O=Logging/subjectAltName=DNS.1=localhost{{cert_ext.stdout}}" -days 712 -nodes
  when:
    - not key_file.stat.exists
    - cert_ext is defined
    - cert_ext.stdout is defined
  check_mode: no

- name: Creating cert req for {{component}}
  command: >
    openssl req -out {{generated_certs_dir}}/{{component}}.csr -new -newkey rsa:2048 -keyout {{generated_certs_dir}}/{{component}}.key
    -subj "/CN={{component}}/OU=OpenShift/O=Logging" -days 712 -nodes
  when:
    - not key_file.stat.exists
    - cert_ext is undefined or cert_ext is defined and cert_ext.stdout is undefined
  check_mode: no

- name: Sign cert request with CA for {{component}}
  command: >
    openssl ca -in {{generated_certs_dir}}/{{component}}.csr -notext -out {{generated_certs_dir}}/{{component}}.crt
    -config {{generated_certs_dir}}/signing.conf -extensions v3_req -batch -extensions server_ext
  when:
    - not cert_file.stat.exists
  check_mode: no