okd/roles/openshift_logging/tasks/generate_certs.yaml

---
# we will ensure our secrets and configmaps are set up here first
- name: Checking for ca.key
  stat: path="{{generated_certs_dir}}/ca.key"
  register: ca_key_file
  check_mode: no

- name: Checking for ca.crt
  stat: path="{{generated_certs_dir}}/ca.crt"
  register: ca_cert_file
  check_mode: no

- name: Checking for ca.serial.txt
  stat: path="{{generated_certs_dir}}/ca.serial.txt"
  register: ca_serial_file
  check_mode: no

- name: Generate certificates
  command: >
    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig ca create-signer-cert
    --key={{generated_certs_dir}}/ca.key --cert={{generated_certs_dir}}/ca.crt
    --serial={{generated_certs_dir}}/ca.serial.txt --name=logging-signer-test
  check_mode: no
  when:
    - not ca_key_file.stat.exists
    - not ca_cert_file.stat.exists
    - not ca_serial_file.stat.exists

- name: Checking for signing.conf
  stat: path="{{generated_certs_dir}}/signing.conf"
  register: signing_conf_file
  check_mode: no

- block:
  - copy: src=signing.conf dest={{generated_certs_dir}}/signing.conf
    check_mode: no

  - lineinfile: "dest={{generated_certs_dir}}/signing.conf regexp='# Top dir$' line='dir                     = {{generated_certs_dir}}               # Top dir'"
    check_mode: no
  when:
    - not signing_conf_file.stat.exists

- include: procure_server_certs.yaml
  loop_control:
    loop_var: cert_info
  with_items:
    - procure_component: kibana
    - procure_component: kibana-ops
    - procure_component: kibana-internal
      hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"

# - include: procure_server_certs.yaml
#   vars:
#     - procure_component: kibana

# - include: procure_server_certs.yaml
#   vars:
#     - procure_component: kibana-ops

# - include: procure_server_certs.yaml
#   vars:
#     - procure_component: kibana-internal
#     - hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"

- name: Copy proxy TLS configuration file
  copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
  when: server_tls_json is undefined
  check_mode: no

- name: Copy proxy TLS configuration file
  copy: content="{{server_tls_json}}" dest={{generated_certs_dir}}/server-tls.json
  when: server_tls_json is defined
  check_mode: no

- name: Checking for ca.db
  stat: path="{{generated_certs_dir}}/ca.db"
  register: ca_db_file
  check_mode: no

- copy: content="" dest={{generated_certs_dir}}/ca.db
  check_mode: no
  when:
    - not ca_db_file.stat.exists

- name: Checking for ca.crt.srl
  stat: path="{{generated_certs_dir}}/ca.crt.srl"
  register: ca_cert_srl_file
  check_mode: no

- copy: content="" dest={{generated_certs_dir}}/ca.crt.srl
  check_mode: no
  when:
    - not ca_cert_srl_file.stat.exists

- name: Generate PEM certs
  include: generate_pems.yaml component={{node_name}}
  with_items:
    - system.logging.fluentd
    - system.logging.kibana
    - system.logging.curator
    - system.admin
  loop_control:
    loop_var: node_name

- shell: certs=""; for cert in $(echo logging-es{,-ops}); do certs=$certs,dns:$cert; done; echo $certs
  register: elasticsearch_certs
  check_mode: no

- shell: certs=""; for cert in $(echo logging-es{,-ops}{,-cluster}{,.logging.svc.cluster.local}); do certs=$certs,dns:$cert; done; echo $certs
  register: logging_es_certs
  check_mode: no

#- shell: index=2; certs=""; for cert in $(echo logging-es{,-ops}); do certs=$certs,DNS.$index=$cert; index=$(($index+1)); done; echo $certs
#  register: elasticsearch_certs
#  check_mode: no

#- shell: index=2; certs=""; for cert in $(echo logging-es{,-ops}{,-cluster}{,.logging.svc.cluster.local}); do certs=$certs,DNS.$index=$cert; index=$(($index+1)); done; echo $certs
#  register: logging_es_certs
#  check_mode: no

- name: Generate PKCS12 chains
#  include: generate_pkcs12.yaml component='system.admin'
  include: generate_jks_chain.yaml component='system.admin'

- name: Generate PKCS12 chains
#  include: generate_pkcs12.yaml component={{node.name}} oid={{node.oid | default(False)}} chain_certs={{node.certs}}
  include: generate_jks_chain.yaml component={{node.name}} oid={{node.oid | default(False)}} chain_certs={{node.certs}}
  with_items:
    - {name: 'elasticsearch', oid: True, certs: '{{elasticsearch_certs.stdout}}'}
    - {name: 'logging-es', certs: '{{logging_es_certs.stdout}}'}
  loop_control:
    loop_var: node
# This should be handled within the ES image instead... ---
#- name: Copy jks script
#  copy:
#    src: generate-jks.sh
#    dest: "{{etcd_generated_certs_dir}}/logging"

#- name: Generate JKS chains
#  template:
#    src: job.j2
#    dest: "{{mktemp.stdout}}/jks_job.yaml"

#- name: kick off job
#  shell: >
#    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_job.yaml -n {{logging_namespace}}
#  register: podoutput

#- shell: >
#    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
#  register: podname

#- action: shell >
#    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig oc get pod/{{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{logging_namespace}}
#  register: result
#  until: result.stdout.find("Succeeded") != -1
#  retries: 5
#  delay: 10
# --- This should be handled within the ES image instead...
- name: Generate proxy session
  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 200
  register: session_secret
  check_mode: no

- name: Generate oauth client secret
  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64
  register: oauth_secret
  check_mode: no