summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorirozzo <iacopo.rozzo@amadeus.com>2017-11-20 14:22:07 +0100
committerirozzo <iacopo.rozzo@amadeus.com>2017-11-30 20:50:03 +0100
commit1eec1ab3395d07a06d76e756c8944163c62da422 (patch)
treec62bb82435b1f92e5418b8c2103c18caa35623ec
parentfdf3edec3f880d21e19e2007065be3ed0ed59a13 (diff)
downloadopenshift-1eec1ab3395d07a06d76e756c8944163c62da422.tar.gz
openshift-1eec1ab3395d07a06d76e756c8944163c62da422.tar.bz2
openshift-1eec1ab3395d07a06d76e756c8944163c62da422.tar.xz
openshift-1eec1ab3395d07a06d76e756c8944163c62da422.zip
Do not escalate privileges in jks generation tasks
-rw-r--r--roles/openshift_logging/tasks/generate_jks.yaml6
1 files changed, 6 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml
index 6e3204589..d6ac88dcc 100644
--- a/roles/openshift_logging/tasks/generate_jks.yaml
+++ b/roles/openshift_logging/tasks/generate_jks.yaml
@@ -24,21 +24,25 @@
local_action: file path="{{local_tmp.stdout}}/elasticsearch.jks" state=touch mode="u=rw,g=r,o=r"
when: elasticsearch_jks.stat.exists
changed_when: False
+ become: no
- name: Create placeholder for previously created JKS certs to prevent recreating...
local_action: file path="{{local_tmp.stdout}}/logging-es.jks" state=touch mode="u=rw,g=r,o=r"
when: logging_es_jks.stat.exists
changed_when: False
+ become: no
- name: Create placeholder for previously created JKS certs to prevent recreating...
local_action: file path="{{local_tmp.stdout}}/system.admin.jks" state=touch mode="u=rw,g=r,o=r"
when: system_admin_jks.stat.exists
changed_when: False
+ become: no
- name: Create placeholder for previously created JKS certs to prevent recreating...
local_action: file path="{{local_tmp.stdout}}/truststore.jks" state=touch mode="u=rw,g=r,o=r"
when: truststore_jks.stat.exists
changed_when: False
+ become: no
- name: pulling down signing items from host
fetch:
@@ -57,10 +61,12 @@
vars:
- top_dir: "{{local_tmp.stdout}}"
when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
+ become: no
- name: Run JKS generation script
local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}}
check_mode: no
+ become: no
when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
- name: Pushing locally generated JKS certs to remote host...