shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251
							---
- name: generate hawkular-metrics certificates
  include: setup_certificate.yaml
  vars:
    component: hawkular-metrics
    hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}"
  changed_when: no

- name: generate hawkular-cassandra certificates
  include: setup_certificate.yaml
  vars:
    component: hawkular-cassandra
    hostnames: hawkular-cassandra
  changed_when: no

- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd
  register: cassandra_truststore_password

- name: check existing aliases on the hawkular-cassandra truststore
  shell: >
    keytool -noprompt -list
    -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore
    -storepass {{cassandra_truststore_password.content | b64decode }}
    | sed -n '7~2s/,.*$//p'
  register: hawkular_cassandra_truststore_aliases
  changed_when: false

- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd
  register: hawkular_truststore_password

- name: check existing aliases on the hawkular-metrics truststore
  shell: >
    keytool -noprompt -list
    -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore
    -storepass {{ hawkular_truststore_password.content | b64decode }}
    | sed -n '7~2s/,.*$//p'
  register: hawkular_metrics_truststore_aliases
  changed_when: false

- name: import the hawkular metrics cert into the cassandra truststore
  command: >
    keytool -noprompt -import -v -trustcacerts
    -alias hawkular-metrics
    -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt'
    -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
    -storepass {{cassandra_truststore_password.content | b64decode }}
  when: >
    'hawkular-metrics' not in
    hawkular_cassandra_truststore_aliases.stdout_lines

- name: import the hawkular cassandra cert into the hawkular metrics truststore
  command: >
    keytool -noprompt -import -v -trustcacerts
    -alias hawkular-cassandra
    -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
    -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
    -storepass {{ hawkular_truststore_password.content | b64decode }}
  when: >
    'hawkular-cassandra' not in
    hawkular_metrics_truststore_aliases.stdout_lines

- name: import the hawkular cassandra cert into the cassandra truststore
  command: >
    keytool -noprompt -import -v -trustcacerts
    -alias hawkular-cassandra
    -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
    -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
    -storepass {{cassandra_truststore_password.content | b64decode }}
  when: >
    'hawkular-cassandra' not in
    hawkular_cassandra_truststore_aliases.stdout_lines

- name: import the ca certificate into the cassandra truststore
  command: >
    keytool -noprompt -import -v -trustcacerts
    -alias '{{ item }}'
    -file '{{ openshift_metrics_certs_dir }}/ca.crt'
    -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
    -storepass {{cassandra_truststore_password.content | b64decode }}
  with_items:
  - ca
  - metricca
  - cassandraca
  when: item not in hawkular_cassandra_truststore_aliases.stdout_lines

- name: import the ca certificate into the hawkular metrics truststore
  command: >
    keytool -noprompt -import -v -trustcacerts
    -alias '{{ item }}'
    -file '{{ openshift_metrics_certs_dir }}/ca.crt'
    -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
    -storepass {{ hawkular_truststore_password.content | b64decode }}
  with_items:
  - ca
  - metricca
  - cassandraca
  when: item not in hawkular_metrics_truststore_aliases.stdout_lines

- name: generate password for hawkular metrics and jgroups
  shell: >
    tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
    > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
  with_items:
  - hawkular-metrics
  - hawkular-jgroups-keystore
  when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists

- name: generate htpasswd file for hawkular metrics
  shell: >
    htpasswd -ci
    '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd' hawkular
    < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd'
  when: >
    not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists

- name: generate the jgroups keystore
  shell: >
    p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' )
    &&
    keytool -genseckey -alias hawkular
    -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS
    -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'
  when: >
    not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists

- name: read files for the hawkular-metrics secret
  shell: >
    printf '%s: ' '{{ item }}'
    && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}'
  register: hawkular_secrets
  with_items:
  - ca.crt
  - hawkular-metrics.crt
  - hawkular-metrics.keystore
  - hawkular-metrics-keystore.pwd
  - hawkular-metrics.truststore
  - hawkular-metrics-truststore.pwd
  - hawkular-metrics.pwd
  - hawkular-metrics.htpasswd
  - hawkular-jgroups.keystore
  - hawkular-jgroups-keystore.pwd
  - hawkular-cassandra.crt
  - hawkular-cassandra.pem
  - hawkular-cassandra.keystore
  - hawkular-cassandra-keystore.pwd
  - hawkular-cassandra.truststore
  - hawkular-cassandra-truststore.pwd
  changed_when: false

- set_fact:
    hawkular_secrets: |
      {{ hawkular_secrets.results|map(attribute='stdout')|join('
      ')|from_yaml }}

- name: generate hawkular-metrics-secrets secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
  vars:
    name: hawkular-metrics-secrets
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.keystore: >
        {{ hawkular_secrets['hawkular-metrics.keystore'] }}
      hawkular-metrics.keystore.password: >
        {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
      hawkular-metrics.truststore: >
        {{ hawkular_secrets['hawkular-metrics.truststore'] }}
      hawkular-metrics.truststore.password: >
        {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
      hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
      hawkular-metrics.htpasswd.file: >
        {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
      hawkular-metrics.jgroups.keystore: >
        {{ hawkular_secrets['hawkular-jgroups.keystore'] }}
      hawkular-metrics.jgroups.keystore.password: >
        {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }}
      hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
  when: name not in metrics_secrets.stdout_lines
  changed_when: no

- name: generate hawkular-metrics-certificate secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
  vars:
    name: hawkular-metrics-certificate
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.certificate: >
        {{ hawkular_secrets['hawkular-metrics.crt'] }}
      hawkular-metrics-ca.certificate: >
        {{ hawkular_secrets['ca.crt'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: no

- name: generate hawkular-metrics-account secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
  vars:
    name: hawkular-metrics-account
    labels:
      metrics-infra: hawkular-metrics
    data:
      hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
      hawkular-metrics.password: >
        {{ hawkular_secrets['hawkular-metrics.pwd'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: no

- name: generate cassandra secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
  vars:
    name: hawkular-cassandra-secrets
    labels:
      metrics-infra: hawkular-cassandra
    data:
      cassandra.keystore: >
        {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
      cassandra.keystore.password: >
        {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
      cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
      cassandra.truststore: >
        {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
      cassandra.truststore.password: >
        {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
      cassandra.pem: >
        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
  when: name not in metrics_secrets
  changed_when: no

- name: generate cassandra-certificate secret template
  template:
    src: secret.j2
    dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
  vars:
    name: hawkular-cassandra-certificate
    labels:
      metrics-infra: hawkular-cassandra
    data:
      cassandra.certificate: >
        {{ hawkular_secrets['hawkular-cassandra.crt'] }}
      cassandra-ca.certificate: >
        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
  when: name not in metrics_secrets.stdout_lines
  changed_when: no