| author | ewolinetz <ewolinet@redhat.com> | 2016-12-14 16:34:55 -0600 | 
|---|---|---|
| committer | ewolinetz <ewolinet@redhat.com> | 2016-12-15 16:25:10 -0600 | 
| commit | f79c819387b93af7b32a09b60652195f850d0574 (patch) | |
| tree | fdfdadc875d46c64b1ca4e28d2b0286b32daaee4 /roles/openshift_logging/files | |
| parent | b579a4acfa64f85119ffbcbb8f6701972ef0dbb6 (diff) | |
Updating to use deployer pod to generate JKS chain instead
Diffstat (limited to 'roles/openshift_logging/files')
| -rw-r--r-- | roles/openshift_logging/files/generate-jks.sh | 177 | 
1 files changed, 137 insertions, 40 deletions
diff --git a/roles/openshift_logging/files/generate-jks.sh b/roles/openshift_logging/files/generate-jks.sh
index 8760f37fe..db7ed9ab8 100644
--- a/roles/openshift_logging/files/generate-jks.sh
+++ b/roles/openshift_logging/files/generate-jks.sh
@@ -1,36 +1,140 @@  #! /bin/sh  set -ex -function importPKCS() { -  dir=${SCRATCH_DIR:-_output} -  NODE_NAME=$1 -  ks_pass=${KS_PASS:-kspass} -  ts_pass=${TS_PASS:-tspass} -  rm -rf $NODE_NAME - -  keytool \ -    -importkeystore \ -    -srckeystore $NODE_NAME.pkcs12 \ -    -srcstoretype PKCS12 \ -    -srcstorepass pass \ -    -deststorepass $ks_pass \ -    -destkeypass $ks_pass \ -    -destkeystore $dir/keystore.jks \ -    -alias 1 \ -    -destalias $NODE_NAME - -  echo "Import back to keystore (including CA chain)" - -  keytool  \ -    -import \ -    -file $dir/ca.crt  \ -    -keystore $dir/keystore.jks   \ -    -storepass $ks_pass  \ -    -noprompt -alias sig-ca +function generate_JKS_chain() { +    dir=${SCRATCH_DIR:-_output} +    ADD_OID=$1 +    NODE_NAME=$2 +    CERT_NAMES=${3:-$NODE_NAME} +    ks_pass=${KS_PASS:-kspass} +    ts_pass=${TS_PASS:-tspass} +    rm -rf $NODE_NAME + +    extension_names="" +    for name in ${CERT_NAMES//,/ }; do +        extension_names="${extension_names},dns:${name}" +    done + +    if [ "$ADD_OID" = true ]; then +        extension_names="${extension_names},oid:1.2.3.4.5.5" +    fi + +    echo Generating keystore and certificate for node $NODE_NAME + +    keytool -genkey \ +        -alias     $NODE_NAME \ +        -keystore  $dir/$NODE_NAME.jks \ +        -keypass   $ks_pass \ +        -storepass $ks_pass \ +        -keyalg    RSA \ +        -keysize   2048 \ +        -validity  712 \ +        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \ +        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}" + +    echo Generating certificate signing request for node $NODE_NAME + +    keytool -certreq \ +        -alias      $NODE_NAME \ +        -keystore   $dir/$NODE_NAME.jks \ +        -storepass  $ks_pass \ +        -file       $dir/$NODE_NAME.csr \ +        -keyalg     rsa \ +        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \ +        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}" + +    echo Sign certificate 
request with CA + +    openssl ca \ +        -in $dir/$NODE_NAME.csr \ +        -notext \ +        -out $dir/$NODE_NAME.crt \ +        -config $dir/signing.conf \ +        -extensions v3_req \ +        -batch \ +        -extensions server_ext + +    echo "Import back to keystore (including CA chain)" + +    keytool  \ +        -import \ +        -file $dir/ca.crt  \ +        -keystore $dir/$NODE_NAME.jks   \ +        -storepass $ks_pass  \ +        -noprompt -alias sig-ca + +    keytool \ +        -import \ +        -file $dir/$NODE_NAME.crt \ +        -keystore $dir/$NODE_NAME.jks \ +        -storepass $ks_pass \ +        -noprompt \ +        -alias $NODE_NAME + +    echo All done for $NODE_NAME +} -  echo All done for $NODE_NAME +function generate_JKS_client_cert() { +    NODE_NAME="$1" +    ks_pass=${KS_PASS:-kspass} +    ts_pass=${TS_PASS:-tspass} +    dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets + +    echo Generating keystore and certificate for node ${NODE_NAME} + +    keytool -genkey \ +        -alias     $NODE_NAME \ +        -keystore  $dir/$NODE_NAME.jks \ +        -keyalg    RSA \ +        -keysize   2048 \ +        -validity  712 \ +        -keypass $ks_pass \ +        -storepass $ks_pass \ +        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" + +    echo Generating certificate signing request for node $NODE_NAME + +    keytool -certreq \ +        -alias      $NODE_NAME \ +        -keystore   $dir/$NODE_NAME.jks \ +        -file       $dir/$NODE_NAME.csr \ +        -keyalg     rsa \ +        -keypass $ks_pass \ +        -storepass $ks_pass \ +        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" + +    echo Sign certificate request with CA +    openssl ca \ +        -in "$dir/$NODE_NAME.csr" \ +        -notext \ +        -out "$dir/$NODE_NAME.crt" \ +        -config $dir/signing.conf \ +        -extensions v3_req \ +        -batch \ +        -extensions server_ext + +    echo "Import back to keystore (including CA 
chain)" + +    keytool  \ +        -import \ +        -file $dir/ca.crt  \ +        -keystore $dir/$NODE_NAME.jks   \ +        -storepass $ks_pass  \ +        -noprompt -alias sig-ca + +    keytool \ +        -import \ +        -file $dir/$NODE_NAME.crt \ +        -keystore $dir/$NODE_NAME.jks \ +        -storepass $ks_pass \ +        -noprompt \ +        -alias $NODE_NAME + +    echo All done for $NODE_NAME  } +function join { local IFS="$1"; shift; echo "$*"; } +  function createTruststore() {    echo "Import CA to truststore for validating client certs" 
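Review bot: Every keytool call added in generate_JKS_chain and generate_JKS_client_cert passes the keystore secret on the command line (`-storepass $ks_pass`, `-keypass $ks_pass`), and with `set -ex` still in force from the top of the file each of those argument lists is traced to stderr, so the deployer pod's log ends up holding the password (the default `kspass` unless KS_PASS is set). Consider dropping `-x`, or bracketing the keytool and openssl calls with `set +x` … `set -x`, and documenting at the top of the file that KS_PASS and TS_PASS are expected to be overridden rather than left at the `kspass`/`tspass` defaults. Separately, both `openssl ca` invocations pass `-extensions v3_req` and later `-extensions server_ext`; openssl keeps the last value, so `v3_req` is never used, and the SAN list handed to keytool via `-ext san=...` only reaches the signed certificate if signing.conf (not in this diff) enables `copy_extensions` — worth confirming before removing the redundant flag.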
@@ -43,29 +147,22 @@ function createTruststore() {      -noprompt -alias sig-ca  } -dir="/opt/deploy/" +dir="$CERT_DIR"  SCRATCH_DIR=$dir -admin_user='system.admin' -  if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then -  importPKCS "system.admin" -  mv $dir/keystore.jks $dir/system.admin.jks +  generate_JKS_client_cert "system.admin"  fi -if [[ ! -f $dir/searchguard_node_key || -z "$(keytool -list -keystore $dir/searchguard_node_key -storepass kspass | grep sig-ca)" ]]; then -  importPKCS "elasticsearch" -  mv $dir/keystore.jks $dir/searchguard_node_key +if [[ ! -f $dir/elasticsearch.jks || -z "$(keytool -list -keystore $dir/elasticsearch.jks -storepass kspass | grep sig-ca)" ]]; then +  generate_JKS_chain true elasticsearch "$(join , logging-es{,-ops})"  fi - -if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then -  importPKCS "logging-es" +if [[ ! -f $dir/logging-es.jks || -z "$(keytool -list -keystore $dir/logging-es.jks -storepass kspass | grep sig-ca)" ]]; then +  generate_JKS_chain false logging-es "$(join , logging-es{,-ops}{,-cluster}{,.${PROJECT}.svc.cluster.local})"  fi  [ ! -f $dir/truststore.jks ] && createTruststore -[ ! -f $dir/searchguard_node_truststore ] && cp $dir/truststore.jks $dir/searchguard_node_truststore -  # necessary so that the job knows it completed successfully  exit 0 | 
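Review bot: The three idempotency checks hard-code `-storepass kspass` in `keytool -list`, while generate_JKS_client_cert and generate_JKS_chain open the same keystores with `${KS_PASS:-kspass}`; with KS_PASS set to anything else the list fails, grep matches nothing, and the script tries to regenerate a keystore that already exists, which then fails on the password mismatch. Use the same expansion in each check, e.g. `-storepass "${KS_PASS:-kspass}"`. `dir="$CERT_DIR"` also has no guard: with CERT_DIR unset and only `set -e` active, every path collapses to `/system.admin.jks`, `/signing.conf` and so on, so `dir="${CERT_DIR:?CERT_DIR must be set}"` would fail early with a clear message instead. Note too that `logging-es{,-ops}` relies on bash brace expansion under the `#! /bin/sh` shebang; it works where /bin/sh is bash but would pass the literal braces into the SAN list on a POSIX sh.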
