Diffstat (limited to 'roles')
| -rw-r--r-- | roles/lib_openshift/library/oadm_ca.py | 130 | ||||
| -rw-r--r-- | roles/lib_openshift/src/ansible/oadm_certificate_authority.py | 3 | ||||
| -rw-r--r-- | roles/lib_openshift/src/doc/certificate_authority | 127 | 
3 files changed, 174 insertions, 86 deletions
diff --git a/roles/lib_openshift/library/oadm_ca.py b/roles/lib_openshift/library/oadm_ca.py
index 30490cc40..1482ab591 100644
--- a/roles/lib_openshift/library/oadm_ca.py
+++ b/roles/lib_openshift/library/oadm_ca.py
@@ -49,7 +49,7 @@ from ansible.module_utils.basic import AnsibleModule
 
 DOCUMENTATION = '''
 ---
-module: oc_secret
+module: oadm_ca
 short_description: Module to manage openshift certificate authority
 description:
   - Wrapper around the openshift `oc adm ca` command.
@@ -65,7 +65,8 @@ options:
     - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
     required: false
     default: present
-    choices: ["present"]
+    choices: 
+    - present
     aliases: []
   kubeconfig:
     description:
@@ -91,54 +92,98 @@ options:
     aliases: []
   cert_dir:
     description:
-    - The directory to place the certificates.
+    - The certificate data directory.
+    required: false
+    default: None
+    aliases: []
+  cert:
+    description:
+    - The certificate file. Choose a name that indicates what the service is.
+    required: false
+    default: None
+    aliases: []
+  key:
+    description:
+    - The key file. Choose a name that indicates what the service is.
+    required: false
+    default: None
+    aliases: []
+  overwrite:
+    description:
+    - Overwrite existing cert files if found.  If false, any existing file will be left as-is.
     required: false
     default: False
     aliases: []
+  signer_cert:
+    description:
+    - The signer certificate file.
+    required: false
+    default: None
+    aliases: []
+  signer_key:
+    description:
+    - The signer key file.
+    required: false
+    default: None
+    aliases: []
+  signer_serial:
+    description:
+    - The signer serial file.
+    required: false
+    default: None
+    aliases: []
+  public_key:
+    description:
+    - The public key file used with create-key-pair
+    required: false
+    default: None
+    aliases: []
+  private_key:
+    description:
+    - The private key file used with create-key-pair
+    required: false
+    default: None
+    aliases: []
+    
+  hostnames:
+    description:
+    - Every hostname or IP that server certs should be valid for (comma-delimited list)
+    required: false
+    default: None
+    aliases: []
+  master:
+    description:
+    - The API server's URL
+    required: false
+    default: None
+    aliases: []
+  public_master:
+    description:
+    - The API public facing server's URL (if applicable)
+    required: false
+    default: None
+    aliases: []
+  signer_name:
+    description:
+    - The name to use for the generated signer
+    required: false
+    default: None
+    aliases: []
 author:
 - "Kenny Woodson <kwoodson@redhat.com>"
 extends_documentation_fragment: []
 '''
 
 EXAMPLES = '''
-- name: create secret
-  oc_secret:
-    state: present
-    namespace: openshift-infra
-    name: metrics-deployer
-    files:
-    - name: nothing
-      path: /dev/null
-  register: secretout
-  run_once: true
-
-- name: get ca from hawkular
-  oc_secret:
-    state: list
-    namespace: openshift-infra
-    name:  hawkular-metrics-certificate
-    decode: True
-  register: hawkout
-  run_once: true
-
-- name: Create secrets
-  oc_secret:
-    namespace: mynamespace
-    name: mysecrets
-    contents:
-    - path: data.yml
-      data: "{{ data_content }}"
-    - path: auth-keys
-      data: "{{ auth_keys_content }}"
-    - path: configdata.yml
-      data: "{{ configdata_content }}"
-    - path: cert.crt
-      data: "{{ cert_content }}"
-    - path: key.pem
-      data: "{{ osso_site_key_content }}"
-    - path: ca.cert.pem
-      data: "{{ ca_cert_content }}"
-  register: secretout
+- name: Create a self-signed cert
+  oadm_ca:
+    cmd: create-server-cert
+    signer_cert: /etc/origin/master/ca.crt
+    signer_key: /etc/origin/master/ca.key
+    signer_serial: /etc/origin/master/ca.serial.txt
+    hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local"
+    cert: /etc/origin/master/registry.crt
+    key: /etc/origin/master/registry.key
 '''
 
 # -*- -*- -*- End included fragment: doc/certificate_authority -*- -*- -*-
@@ -1402,8 +1447,7 @@ def main():
 
     module = AnsibleModule(
         argument_spec=dict(
-            state=dict(default='present', type='str',
-                       choices=['present']),
+            state=dict(default='present', type='str', choices=['present']),
             debug=dict(default=False, type='bool'),
             kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
             cmd=dict(default=None, require=True, type='str'),
diff --git a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py
index 856b06290..ad00b25b4 100644
--- a/roles/lib_openshift/src/ansible/oadm_certificate_authority.py
+++ b/roles/lib_openshift/src/ansible/oadm_certificate_authority.py
@@ -8,8 +8,7 @@ def main():
 
     module = AnsibleModule(
         argument_spec=dict(
-            state=dict(default='present', type='str',
-                       choices=['present']),
+            state=dict(default='present', type='str', choices=['present']),
             debug=dict(default=False, type='bool'),
             kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
             cmd=dict(default=None, require=True, type='str'),
diff --git a/roles/lib_openshift/src/doc/certificate_authority b/roles/lib_openshift/src/doc/certificate_authority
index be6861444..bf299f0cb 100644
--- a/roles/lib_openshift/src/doc/certificate_authority
+++ b/roles/lib_openshift/src/doc/certificate_authority
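Review bot: The new EXAMPLES entry is titled `Create a self-signed cert`, but the task it shows passes `signer_cert`, `signer_key` and `signer_serial`, so what it produces is a server certificate issued by the master CA, not a self-signed one; a reader who copies the title into a playbook gets the wrong picture of which key vouches for the registry cert. Rename it to match what the arguments do, e.g. `- name: Create a server cert signed by the cluster CA`. The identical text is added again in the src/doc/certificate_authority fragment later in this diff; the library file looks generated from that fragment, so the fix belongs there as well or it will be overwritten on the next regeneration.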
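Review bot: The context line directly under the reformatted `state` entry, `cmd=dict(default=None, require=True, type='str'),`, spells the AnsibleModule spec key as `require` instead of `required`; as far as I can tell AnsibleModule does not honour `require`, so a play that omits `cmd` passes argument validation and main() continues with `cmd` set to None rather than failing with a clear "missing required argument" error. Since this hunk is already touching the argument_spec, change the line to `cmd=dict(default=None, required=True, type='str'),` here and in the generated copy in library/oadm_ca.py above. main() starts before and continues after this hunk, so I cannot see how a None `cmd` is dispatched.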
@@ -3,7 +3,7 @@
 
 DOCUMENTATION = '''
 ---
-module: oc_secret
+module: oadm_ca
 short_description: Module to manage openshift certificate authority
 description:
   - Wrapper around the openshift `oc adm ca` command.
@@ -19,7 +19,8 @@ options:
     - ['cert', 'key', 'signer_cert', 'signer_key', 'signer_serial']
     required: false
     default: present
-    choices: ["present"]
+    choices: 
+    - present
     aliases: []
   kubeconfig:
     description:
@@ -45,52 +46,96 @@ options:
     aliases: []
   cert_dir:
     description:
-    - The directory to place the certificates.
+    - The certificate data directory.
+    required: false
+    default: None
+    aliases: []
+  cert:
+    description:
+    - The certificate file. Choose a name that indicates what the service is.
+    required: false
+    default: None
+    aliases: []
+  key:
+    description:
+    - The key file. Choose a name that indicates what the service is.
+    required: false
+    default: None
+    aliases: []
+  overwrite:
+    description:
+    - Overwrite existing cert files if found.  If false, any existing file will be left as-is.
     required: false
     default: False
     aliases: []
+  signer_cert:
+    description:
+    - The signer certificate file.
+    required: false
+    default: None
+    aliases: []
+  signer_key:
+    description:
+    - The signer key file.
+    required: false
+    default: None
+    aliases: []
+  signer_serial:
+    description:
+    - The signer serial file.
+    required: false
+    default: None
+    aliases: []
+  public_key:
+    description:
+    - The public key file used with create-key-pair
+    required: false
+    default: None
+    aliases: []
+  private_key:
+    description:
+    - The private key file used with create-key-pair
+    required: false
+    default: None
+    aliases: []
+    
+  hostnames:
+    description:
+    - Every hostname or IP that server certs should be valid for (comma-delimited list)
+    required: false
+    default: None
+    aliases: []
+  master:
+    description:
+    - The API server's URL
+    required: false
+    default: None
+    aliases: []
+  public_master:
+    description:
+    - The API public facing server's URL (if applicable)
+    required: false
+    default: None
+    aliases: []
+  signer_name:
+    description:
+    - The name to use for the generated signer
+    required: false
+    default: None
+    aliases: []
 author:
 - "Kenny Woodson <kwoodson@redhat.com>"
 extends_documentation_fragment: []
 '''
 
 EXAMPLES = '''
-- name: create secret
-  oc_secret:
-    state: present
-    namespace: openshift-infra
-    name: metrics-deployer
-    files:
-    - name: nothing
-      path: /dev/null
-  register: secretout
-  run_once: true
-
-- name: get ca from hawkular
-  oc_secret:
-    state: list
-    namespace: openshift-infra
-    name:  hawkular-metrics-certificate
-    decode: True
-  register: hawkout
-  run_once: true
-
-- name: Create secrets
-  oc_secret:
-    namespace: mynamespace
-    name: mysecrets
-    contents:
-    - path: data.yml
-      data: "{{ data_content }}"
-    - path: auth-keys
-      data: "{{ auth_keys_content }}"
-    - path: configdata.yml
-      data: "{{ configdata_content }}"
-    - path: cert.crt
-      data: "{{ cert_content }}"
-    - path: key.pem
-      data: "{{ osso_site_key_content }}"
-    - path: ca.cert.pem
-      data: "{{ ca_cert_content }}"
-  register: secretout
+- name: Create a self-signed cert
+  oadm_ca:
+    cmd: create-server-cert
+    signer_cert: /etc/origin/master/ca.crt
+    signer_key: /etc/origin/master/ca.key
+    signer_serial: /etc/origin/master/ca.serial.txt
+    hostnames: "registry.test.openshift.com,127.0.0.1,docker-registry.default.svc.cluster.local"
+    cert: /etc/origin/master/registry.crt
+    key: /etc/origin/master/registry.key
 '''  |
