| author | OpenShift Bot <eparis+openshiftbot@redhat.com> | 2017-03-21 16:12:35 -0500 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-03-21 16:12:35 -0500 | 
| commit | be09be62cf9c3ac7ef1142f494437026d72bd3e7 (patch) | |
| tree | c839a4301e88eee61e412830ede3afb10a4bf284 /roles/openshift_metrics | |
| parent | 2ac2c5c4fcc260d5e59c524d54879f9717ac9fa6 (diff) | |
| parent | 6d7ca91fc4ddd7b40c8b7e9983a9a4b475f72214 (diff) | |
Merge pull request #3667 from jpkrohling/JPK-SwitchCassandraToUseGeneratedCerts
Merged by openshift-bot
Diffstat (limited to 'roles/openshift_metrics')
5 files changed, 34 insertions, 122 deletions
diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh
index c8d5bb3d2..b2537f448 100755
--- a/roles/openshift_metrics/files/import_jks_certs.sh
+++ b/roles/openshift_metrics/files/import_jks_certs.sh
@@ -21,11 +21,7 @@ set -ex
 function import_certs() {
   dir=$CERT_DIR
   hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d)
-  hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d)
   hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d)
-  hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d)
-
-  cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'`
   hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'`
 
   if [ ! -f $dir/hawkular-metrics.keystore ]; then
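Review bot: Under the `set -ex` visible in the hunk header, the retained `keytool ... -storepass ${hawkular_metrics_truststore_password}` line (and the keytool calls later in import_certs) echo the cleartext store password into the xtrace on stderr, which the calling Ansible task captures, and the password is readable by any local user in the process list while keytool runs. Where the JDK supports them, the `-storepass:env VAR` / `-storepass:file PATH` forms keep the decoded value out of argv; failing that, bracket the keytool calls with `set +x` / `set -x`. The same line also leaves `$dir` unquoted and uses backticks; `hawkular_alias=$(keytool -noprompt -list -keystore "$dir/hawkular-metrics.truststore" -storepass "$hawkular_metrics_truststore_password" | sed -n '7~2s/,.*$//p')` is the equivalent. The `sed -n '7~2...'` parse depends on keytool's exact output layout, which may differ between JDK versions, so a comment stating the layout it expects would help. import_certs continues past the hunk.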
@@ -39,56 +35,7 @@ function import_certs() {
       -deststorepass $hawkular_metrics_keystore_password
   fi
 
-  if [ ! -f $dir/hawkular-cassandra.keystore ]; then
-    echo "Creating the Hawkular Cassandra keystore from the PEM file"
-    keytool -importkeystore -v \
-      -srckeystore $dir/hawkular-cassandra.pkcs12 \
-      -destkeystore $dir/hawkular-cassandra.keystore \
-      -srcstoretype PKCS12 \
-      -deststoretype JKS \
-      -srcstorepass $hawkular_cassandra_keystore_password \
-      -deststorepass $hawkular_cassandra_keystore_password
-  fi
-
-  if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then
-    echo "Importing the Hawkular Certificate into the Cassandra Truststore"
-    keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \
-      -file $dir/hawkular-metrics.crt \
-      -keystore $dir/hawkular-cassandra.truststore \
-      -trustcacerts \
-      -storepass $hawkular_cassandra_truststore_password
-  fi
-
-  if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then
-    echo "Importing the Cassandra Certificate into the Hawkular Truststore"
-    keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \
-      -file $dir/hawkular-cassandra.crt \
-      -keystore $dir/hawkular-metrics.truststore \
-      -trustcacerts \
-      -storepass $hawkular_metrics_truststore_password
-  fi
-
-  if [[ ! ${cassandra_alias[*]} =~ hawkular-cassandra ]]; then
-    echo "Importing the Hawkular Cassandra Certificate into the Cassandra Truststore"
-    keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \
-      -file $dir/hawkular-cassandra.crt \
-      -keystore $dir/hawkular-cassandra.truststore \
-      -trustcacerts \
-      -storepass $hawkular_cassandra_truststore_password
-  fi
-
-  cert_alias_names=(ca metricca cassandraca)
-
-  for cert_alias in ${cert_alias_names[*]}; do
-    if [[ ! ${cassandra_alias[*]} =~ "$cert_alias" ]]; then
-      echo "Importing the CA Certificate with alias $cert_alias into the Cassandra Truststore"
-      keytool -noprompt -import -v -trustcacerts -alias $cert_alias \
-        -file ${dir}/ca.crt \
-        -keystore $dir/hawkular-cassandra.truststore \
-        -trustcacerts \
-        -storepass $hawkular_cassandra_truststore_password
-    fi
-  done
+  cert_alias_names=(ca metricca)
 
   for cert_alias in ${cert_alias_names[*]}; do
     if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
index 61a240a33..01fc1ef64 100644
--- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -13,9 +13,6 @@
     hostnames: hawkular-cassandra
   changed_when: no
 
-- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd
-  register: cassandra_truststore_password
-
 - slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd
   register: hawkular_truststore_password
 
@@ -67,11 +64,8 @@
   - hawkular-metrics.pwd
   - hawkular-metrics.htpasswd
   - hawkular-cassandra.crt
+  - hawkular-cassandra.key
   - hawkular-cassandra.pem
-  - hawkular-cassandra.keystore
-  - hawkular-cassandra-keystore.pwd
-  - hawkular-cassandra.truststore
-  - hawkular-cassandra-truststore.pwd
   changed_when: false
 
 - set_fact:
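Review bot: The retained alias check `[[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]` is a substring match (a quoted right-hand side of `=~` is literal), so with the new list `(ca metricca)` the alias `ca` is considered present whenever `metricca` already exists in the truststore, and on an existing truststore ca.crt is never imported under the `ca` alias. Match whole aliases instead; keytool's own lookup serves as the test and avoids the fragile `sed` parse: `if ! keytool -list -keystore "$dir/hawkular-metrics.truststore" -storepass "$hawkular_metrics_truststore_password" -alias "$cert_alias" >/dev/null 2>&1; then` (keytool -list exits non-zero when the alias is absent, as far as I recall). `hawkular_alias` is a plain string, so `${hawkular_alias[*]}` reads as an array that does not exist; `"$hawkular_alias"` says what is meant. The loop body and its `done` lie outside the hunk.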
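Review bot: In the `-67,11` hunk the file list that is slurped into `hawkular_secrets` now includes `hawkular-cassandra.key`, the Cassandra private key, alongside public material; the task header is outside the hunk, so I cannot see whether it carries `no_log: true`, but without it the base64 key is printed in verbose runs and in failure output. If it is missing, add `no_log: true` to that task and note in a comment that the registered fact holds private key material, e.g. `# hawkular_secrets holds private keys (hawkular-cassandra.key); keep no_log on consumers`.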
@@ -136,38 +130,21 @@
 - name: generate cassandra secret template
   template:
     src: secret.j2
-    dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+    dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-certs.yaml"
   vars:
-    name: hawkular-cassandra-secrets
+    name: hawkular-cassandra-certs
     labels:
-      metrics-infra: hawkular-cassandra
+      metrics-infra: hawkular-cassandra-certs
+    annotations:
+      service.alpha.openshift.io/originating-service-name: hawkular-cassandra
     data:
-      cassandra.keystore: >
-        {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
-      cassandra.keystore.password: >
-        {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
-      cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
-      cassandra.truststore: >
-        {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
-      cassandra.truststore.password: >
-        {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
-      cassandra.pem: >
-        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
-  when: name not in metrics_secrets
-  changed_when: no
-
-- name: generate cassandra-certificate secret template
-  template:
-    src: secret.j2
-    dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
-  vars:
-    name: hawkular-cassandra-certificate
-    labels:
-      metrics-infra: hawkular-cassandra
-    data:
-      cassandra.certificate: >
+      tls.crt: >
         {{ hawkular_secrets['hawkular-cassandra.crt'] }}
-      cassandra-ca.certificate: >
-        {{ hawkular_secrets['hawkular-cassandra.pem'] }}
-  when: name not in metrics_secrets.stdout_lines
+      tls.key: >
+        {{ hawkular_secrets['hawkular-cassandra.key'] }}
+      tls.peer.truststore.crt: >
+        {{ hawkular_secrets['hawkular-cassandra.crt'] }}
+      tls.client.truststore.crt: >
+        {{ hawkular_secrets['hawkular-metrics.crt'] }}
+  when: name not in metrics_secrets
   changed_when: no
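Review bot: The added `service.alpha.openshift.io/originating-service-name: hawkular-cassandra` annotation is the marker the OpenShift service serving-cert controller places on secrets it generates, yet `tls.crt`/`tls.key` here come from `hawkular_secrets`, i.e. the playbook's own CA. If the controller is expected to take over and rotate this secret, the extra `tls.peer.truststore.crt`/`tls.client.truststore.crt` keys and the playbook-issued key pair would need to survive that; if it is not, the annotation misleads operators about who owns the key — either way a comment above the task naming the owner of the secret's lifecycle is needed. `tls.client.truststore.crt` holds only `hawkular-metrics.crt`, a leaf certificate, so client trust is pinned to that one cert and the secret must be regenerated whenever it is reissued, which the guard `when: name not in metrics_secrets` will skip unless the secret is deleted first. Confirm that `metrics_secrets` is a list of names (the deleted task compared against `.stdout_lines`); a membership test against a registered result would check its keys instead.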
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
index 2a67dad0e..e098145e9 100644
--- a/roles/openshift_metrics/tasks/import_jks_certs.yaml
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -1,12 +1,4 @@
 ---
-- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore"
-  register: cassandra_keystore
-  check_mode: no
-
-- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore"
-  register: cassandra_truststore
-  check_mode: no
-
 - stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore"
   register: metrics_keystore
   check_mode: no
@@ -19,9 +11,6 @@
   - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd
     register: metrics_keystore_password
 
-  - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd
-    register: cassandra_keystore_password
-
   - fetch:
       dest: "{{local_tmp.stdout}}/"
       src: "{{ mktemp.stdout }}/{{item}}"
@@ -29,18 +18,14 @@
     changed_when: False
     with_items:
     - hawkular-metrics.pkcs12
-    - hawkular-cassandra.pkcs12
     - hawkular-metrics.crt
-    - hawkular-cassandra.crt
     - ca.crt
 
   - local_action: command {{role_path}}/files/import_jks_certs.sh
     environment:
       CERT_DIR: "{{local_tmp.stdout}}"
       METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}"
-      CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}"
       METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
-      CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}"
     changed_when: False
 
   - copy:
@@ -49,6 +34,4 @@
     with_fileglob: "{{local_tmp.stdout}}/*.*store"
 
   when: not metrics_keystore.stat.exists or
-        not metrics_truststore.stat.exists or
-        not cassandra_keystore.stat.exists or
-        not cassandra_truststore.stat.exists
+        not metrics_truststore.stat.exists
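Review bot: In the `-29,18` hunk the `local_action` that runs import_jks_certs.sh keeps `changed_when: False`, but the enclosing block is only entered when a keystore or truststore is missing (the `when:` in the last hunk), which is exactly when the script creates files, so the task under-reports change; `changed_when: True`, or a check on the script's output, is more honest. The retained `fetch` also copies `hawkular-metrics.pkcs12`, which holds the metrics private key, to `{{local_tmp.stdout}}` on the control host; the cleanup of that directory is outside this file, so a comment on the fetch pointing at where it is removed would help the next reader. The block's opening and its closing `when:` are in different hunks.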
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
index 504476dc4..889317847 100644
--- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
@@ -48,11 +48,6 @@ spec:
         - "--require_node_auth=true"
         - "--enable_client_encryption=true"
         - "--require_client_auth=true"
-        - "--keystore_file=/secret/cassandra.keystore"
-        - "--keystore_password_file=/secret/cassandra.keystore.password"
-        - "--truststore_file=/secret/cassandra.truststore"
-        - "--truststore_password_file=/secret/cassandra.truststore.password"
-        - "--cassandra_pem_file=/secret/cassandra.pem"
         env:
         - name: CASSANDRA_MASTER
           value: "{{ master }}"
@@ -60,6 +55,10 @@ spec:
           value: "/cassandra_data"
         - name: JVM_OPTS
           value: "-Dcassandra.commitlog.ignorereplayerrors=true"
+        - name: TRUSTSTORE_NODES_AUTHORITIES
+          value: "/hawkular-cassandra-certs/tls.peer.truststore.crt"
+        - name: TRUSTSTORE_CLIENT_AUTHORITIES
+          value: "/hawkular-cassandra-certs/tls.client.truststore.crt"
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
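Review bot: With the `--keystore_file`/`--truststore_file` arguments removed while `--require_node_auth=true` and `--require_client_auth=true` stay, the container is presumably expected to build its keystores itself from `tls.crt`/`tls.key` in the mounted secret plus the two `TRUSTSTORE_*_AUTHORITIES` PEM paths added in the second hunk; that contract lives in the image's entrypoint, not in this template, so the new env vars deserve a comment naming it, e.g. `# entrypoint is expected to build JKS stores from /hawkular-cassandra-certs (tls.crt, tls.key) and these PEM authority files`. Note that `TRUSTSTORE_CLIENT_AUTHORITIES` points at the secret key `tls.client.truststore.crt`, which the playbook fills with the single hawkular-metrics leaf certificate rather than a CA, so client auth accepts exactly that certificate until the secret is regenerated. The volume mount that provides `/hawkular-cassandra-certs` is in the following hunk.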
@@ -76,12 +75,12 @@ spec:
         volumeMounts:
         - name: cassandra-data
           mountPath: "/cassandra_data"
-        - name: hawkular-cassandra-secrets
-          mountPath: "/secret"
-{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) 
+        - name: hawkular-cassandra-certs
+          mountPath: "/hawkular-cassandra-certs"
+{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none)
    or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none)
    or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none)
-   or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) 
+   or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none))
 %}
         resources:
 {%      if (openshift_metrics_cassandra_limits_cpu is not none
@@ -95,8 +94,8 @@ spec:
             memory: "{{openshift_metrics_cassandra_limits_memory}}"
 {% endif %}
 {% endif %}
-{%        if (openshift_metrics_cassandra_requests_cpu is not none 
-          or openshift_metrics_cassandra_requests_memory is not none) 
+{%        if (openshift_metrics_cassandra_requests_cpu is not none
+          or openshift_metrics_cassandra_requests_memory is not none)
 %}
           requests:
 {%        if openshift_metrics_cassandra_requests_cpu is not none %}
@@ -129,6 +128,6 @@ spec:
         persistentVolumeClaim:
           claimName: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ node }}"
 {% endif %}
-      - name: hawkular-cassandra-secrets
+      - name: hawkular-cassandra-certs
         secret:
-          secretName: hawkular-cassandra-secrets
+          secretName: hawkular-cassandra-certs
diff --git a/roles/openshift_metrics/templates/secret.j2 b/roles/openshift_metrics/templates/secret.j2
index 370890c7d..5b9dba122 100644
--- a/roles/openshift_metrics/templates/secret.j2
+++ b/roles/openshift_metrics/templates/secret.j2
@@ -2,6 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: "{{ name }}"
+{% if annotations is defined%}
+  annotations:
+{% for key, value in annotations.iteritems() %}
+    {{key}}: {{value}}
+{% endfor %}
+{% endif %}
   labels:
 {% for k, v in labels.iteritems() %}
     {{ k }}: {{ v }}
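Review bot: The new annotation lines render `{{key}}: {{value}}` unquoted, unlike `name: "{{ name }}"` three lines above, so an annotation value containing `:` or `#`, or starting with `*`, `&` or `[`, produces invalid YAML or a value of a different type; use `    {{ key }}: "{{ value }}"`. `{% if annotations is defined%}` is missing the space before `%}`, and `.iteritems()` exists only under Python 2 (the existing labels loop has the same problem, so this follows file convention, but `.items()` works on both). The two loops also name the same pair differently (`key, value` vs `k, v`); pick one.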
