okd/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml

---
- name: generate hawkular-metrics certificates
  include: setup_certificate.yaml
  vars:
    component: hawkular-metrics
    hostnames: "hawkular-metrics,hawkular-metrics.{{ openshift_metrics_project }}.svc.cluster.local,{{ openshift_metrics_hawkular_hostname }}"
  changed_when: no

- name: generate hawkular-cassandra certificates
  include: setup_certificate.yaml
  vars:
    component: hawkular-cassandra
    hostnames: hawkular-cassandra
  changed_when: no

- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd
  register: cassandra_truststore_password

- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd
  register: hawkular_truststore_password

- stat: path="{{mktemp.stdout}}/{{item}}"
  register: pwd_file_stat
  with_items:
  - hawkular-metrics.pwd
  - hawkular-metrics.htpasswd
  changed_when: no

- set_fact:
    pwd_files: "{{pwd_files | default({}) | combine ({item.item: item.stat}) }}"
  with_items: "{{pwd_file_stat.results}}"
  changed_when: no

- name: generate password for hawkular metrics
  local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}"
  with_items:
  - hawkular-metrics

- name: generate htpasswd file for hawkular metrics
  local_action: >
    shell htpasswd -ci
    '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular
    < '{{ local_tmp.stdout }}/hawkular-metrics.pwd'

- name: copy local generated passwords to target
  copy:
    src: "{{local_tmp.stdout}}/{{item}}"
    dest: "{{mktemp.stdout}}/{{item}}"
  with_items:
  - hawkular-metrics.pwd
  - hawkular-metrics.htpasswd

- include: import_jks_certs.yaml

- name: read files for the hawkular-metrics secret
  shell: >
    printf '%s: ' '{{ item }}'
    && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}'
  register: hawkular_secrets
  with_items:
  - ca.crt
  - hawkular-metrics.crt
  - hawkular-metrics.keystore
  - hawkular-metrics-keystore.pwd
  - hawkular-metrics.truststore
  - hawkular-metrics-truststore.pwd
  - hawkular-metrics.pwd
  - hawkular-metrics.htpasswd
  - hawkular-cassandra.crt
  - hawkular-cassandra.pem
  - hawkular-cassandra.keystore
  - hawkular-cassandra-keystore.pwd
  - hawkular-cassandra.truststore
  - hawkular-cassandra-truststore.pwd
  changed_when: false

- set_fact:
    hawkular_secrets: |
      {{ hawkular_secrets.results|map(attribute='stdout')|join('
      ')|from_yaml }}

- name: generate hawkular-metrics-secrets secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
  vars:
    name: hawkular-metrics-secrets
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.keystore: >
        {{ hawkular_secrets['hawkular-metrics.keystore'] }}
      hawkular-metrics.keystore.password: >
        {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
      hawkular-metrics.truststore: >
        {{ hawkular_secrets['hawkular-metrics.truststore'] }}
      hawkular-metrics.truststore.password: >
        {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
      hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
      hawkular-metrics.htpasswd.file: >
        {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: no

- name: generate hawkular-metrics-certificate secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
  vars:
    name: hawkular-metrics-certificate
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.certificate: >
        {{ hawkular_secrets['hawkular-metrics.crt'] }}
      hawkular-metrics-ca.certificate: >
        {{ hawkular_secrets['ca.crt'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: no

- name: generate hawkular-metrics-account secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
  vars:
    name: hawkular-metrics-account
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
      hawkular-metrics.password: >
        {{ hawkular_secrets['hawkular-metrics.pwd'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: no

- name: generate cassandra secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
  vars:
    name: hawkular-cassandra-secrets
    labels:
      metrics-infra: hawkular-cassandra
    data:
      cassandra.keystore: >
        {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
      cassandra.keystore.password: >
        {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
      cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
      cassandra.truststore: >
        {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
      cassandra.truststore.password: >
        {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
      cassandra.pem: >
        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
  when: name not in metrics_secrets
  changed_when: no

- name: generate cassandra-certificate secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
  vars:
    name: hawkular-cassandra-certificate
    labels:
      metrics-infra: hawkular-cassandra
    data:
      cassandra.certificate: >
        {{ hawkular_secrets['hawkular-cassandra.crt'] }}
      cassandra-ca.certificate: >
        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: no