author | irozzo <iacopo.rozzo@amadeus.com> | 2017-11-20 14:22:07 +0100 |
---|---|---|
committer | irozzo <iacopo.rozzo@amadeus.com> | 2017-11-30 20:50:03 +0100 |
commit | 1eec1ab3395d07a06d76e756c8944163c62da422 (patch) | |
tree | c62bb82435b1f92e5418b8c2103c18caa35623ec | |
parent | fdf3edec3f880d21e19e2007065be3ed0ed59a13 (diff) | |
Do not escalate privileges in jks generation tasks
-rw-r--r-- | roles/openshift_logging/tasks/generate_jks.yaml | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml index 6e3204589..d6ac88dcc 100644 --- a/roles/openshift_logging/tasks/generate_jks.yaml +++ b/roles/openshift_logging/tasks/generate_jks.yaml @@ -24,21 +24,25 @@ local_action: file path="{{local_tmp.stdout}}/elasticsearch.jks" state=touch mode="u=rw,g=r,o=r" when: elasticsearch_jks.stat.exists changed_when: False + become: no - name: Create placeholder for previously created JKS certs to prevent recreating... local_action: file path="{{local_tmp.stdout}}/logging-es.jks" state=touch mode="u=rw,g=r,o=r" when: logging_es_jks.stat.exists changed_when: False + become: no - name: Create placeholder for previously created JKS certs to prevent recreating... local_action: file path="{{local_tmp.stdout}}/system.admin.jks" state=touch mode="u=rw,g=r,o=r" when: system_admin_jks.stat.exists changed_when: False + become: no - name: Create placeholder for previously created JKS certs to prevent recreating... local_action: file path="{{local_tmp.stdout}}/truststore.jks" state=touch mode="u=rw,g=r,o=r" when: truststore_jks.stat.exists changed_when: False + become: no - name: pulling down signing items from host fetch: @@ -57,10 +61,12 @@ vars: - top_dir: "{{local_tmp.stdout}}" when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists + become: no - name: Run JKS generation script local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}} check_mode: no + become: no when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists - name: Pushing locally generated JKS certs to remote host... |
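Review bot: `become: no` is repeated on each of the four placeholder tasks in this hunk and on the two tasks in the second hunk, so a local_action added to this file later would presumably inherit the play's become setting again and run escalated on the control host. Grouping the controller-side tasks under a single `- block:` that carries one `become: no` would make the no-escalation rule structural rather than per-task. If the per-task form is kept, a comment on the first occurrence such as `# runs on the control host; must not inherit become from the play` would record why the key is there. The first task in this hunk starts above the visible lines.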
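Review bot: The keystores that `generate-jks.sh` writes into `{{local_tmp.stdout}}` are now created by the invoking user under that user's umask, and nothing in this hunk limits who else on the control host can read them. The placeholder tasks in the first hunk use `mode="u=rw,g=r,o=r"`, which is harmless for empty files but would be too open for real key material. It is worth confirming that the directory is created owner-only and cleaned up once the certs are pushed; both steps are outside the visible lines. Separately, `become: no` comes after `when:` in the task that ends with `vars:` (it begins above the hunk) and before `when:` in `Run JKS generation script`; using the same key order in both would read more cleanly.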