author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-09-21 14:24:43 -0700 |
committer | GitHub <noreply@github.com> | 2017-09-21 14:24:43 -0700 |
commit | ee8252d536c4204b9e0c4a88d0899297caf39423 (patch) | |
tree | 9c92bb13a285058e5b20bc76f33cb5d58c91ba9d /roles/etcd_ca | |
parent | 505764651b3f8279ffe8881e9b26851d1dd14258 (diff) | |
parent | 99745a04223f2ed8111b5eb4b49d2bcfec9e678f (diff) | |
Merge pull request #5371 from ingvagabund/consolidate-etcd-certs-roles
Automatic merge from submit-queue
consolidate etcd certs roles
This is a starter for the consolidation of all etcd-like roles into a single `etcd` action-based role. I have intentionally started with the simplest one to demonstrate the steps needed to make it so and to keep the review easy enough for everyone.
Diffstat (limited to 'roles/etcd_ca')
-rw-r--r-- | roles/etcd_ca/README.md | 34 | ||||
-rw-r--r-- | roles/etcd_ca/meta/main.yml | 16 | ||||
-rw-r--r-- | roles/etcd_ca/tasks/main.yml | 76 | ||||
-rw-r--r-- | roles/etcd_ca/templates/openssl_append.j2 | 51 |
4 files changed, 0 insertions, 177 deletions
diff --git a/roles/etcd_ca/README.md b/roles/etcd_ca/README.md
deleted file mode 100644
index 60a880e30..000000000
--- a/roles/etcd_ca/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-etcd_ca
-========================
-
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
--------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
----------------
-
-TODO
-
-License
-------
-
-Apache License Version 2.0
-
-Author Information
------------------
-
-Scott Dodson (sdodson@redhat.com)
diff --git a/roles/etcd_ca/meta/main.yml b/roles/etcd_ca/meta/main.yml
deleted file mode 100644
index e3e2f7781..000000000
--- a/roles/etcd_ca/meta/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-galaxy_info:
- author: Jason DeTiberus
- description: Etcd CA
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.1
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - cloud
- - system
-dependencies:
-- role: etcd_common
diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml
deleted file mode 100644
index b4dea4a07..000000000
--- a/roles/etcd_ca/tasks/main.yml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-- name: Install openssl
- package: name=openssl state=present
- when: not etcd_is_atomic | bool
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- file:
- path: "{{ item }}"
- state: directory
- mode: 0700
- owner: root
- group: root
- with_items:
- - "{{ etcd_ca_new_certs_dir }}"
- - "{{ etcd_ca_crl_dir }}"
- - "{{ etcd_ca_dir }}/fragments"
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- command: cp /etc/pki/tls/openssl.cnf ./
- args:
- chdir: "{{ etcd_ca_dir }}/fragments"
- creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf"
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- template:
- dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf"
- src: openssl_append.j2
- backup: true
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- assemble:
- src: "{{ etcd_ca_dir }}/fragments"
- dest: "{{ etcd_openssl_conf }}"
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- name: Check etcd_ca_db exist
- stat: path="{{ etcd_ca_db }}"
- register: etcd_ca_db_check
- changed_when: false
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- name: Touch etcd_ca_db file
- file:
- path: "{{ etcd_ca_db }}"
- state: touch
- when: etcd_ca_db_check.stat.isreg is not defined
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- copy:
- dest: "{{ etcd_ca_serial }}"
- content: "01"
- force: no
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
-
-- name: Create etcd CA certificate
- command: >
- openssl req -config {{ etcd_openssl_conf }} -newkey rsa:4096
- -keyout {{ etcd_ca_key }} -new -out {{ etcd_ca_cert }}
- -x509 -extensions {{ etcd_ca_exts_self }} -batch -nodes
- -days {{ etcd_ca_default_days }}
- -subj /CN=etcd-signer@{{ ansible_date_time.epoch }}
- args:
- chdir: "{{ etcd_ca_dir }}"
- creates: "{{ etcd_ca_cert }}"
- environment:
- SAN: 'etcd-signer'
- delegate_to: "{{ etcd_ca_host }}"
- run_once: true
diff --git a/roles/etcd_ca/templates/openssl_append.j2 b/roles/etcd_ca/templates/openssl_append.j2
deleted file mode 100644
index f28316fc2..000000000
--- a/roles/etcd_ca/templates/openssl_append.j2
+++ /dev/null
@@ -1,51 +0,0 @@
-
-[ {{ etcd_req_ext }} ]
-basicConstraints = critical,CA:FALSE
-keyUsage = digitalSignature,keyEncipherment
-subjectAltName = ${ENV::SAN}
-
-[ {{ etcd_ca_name }} ]
-dir = {{ etcd_ca_dir }}
-crl_dir = {{ etcd_ca_crl_dir }}
-database = {{ etcd_ca_db }}
-new_certs_dir = {{ etcd_ca_new_certs_dir }}
-certificate = {{ etcd_ca_cert }}
-serial = {{ etcd_ca_serial }}
-private_key = {{ etcd_ca_key }}
-crl_number = {{ etcd_ca_crl_number }}
-x509_extensions = {{ etcd_ca_exts_client }}
-default_days = {{ etcd_ca_default_days }}
-default_md = sha256
-preserve = no
-name_opt = ca_default
-cert_opt = ca_default
-policy = policy_anything
-unique_subject = no
-copy_extensions = copy
-
-[ {{ etcd_ca_exts_self }} ]
-authorityKeyIdentifier = keyid,issuer
-basicConstraints = critical,CA:TRUE,pathlen:0
-keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
-subjectKeyIdentifier = hash
-
-[ {{ etcd_ca_exts_peer }} ]
-authorityKeyIdentifier = keyid,issuer:always
-basicConstraints = critical,CA:FALSE
-extendedKeyUsage = clientAuth,serverAuth
-keyUsage = digitalSignature,keyEncipherment
-subjectKeyIdentifier = hash
-
-[ {{ etcd_ca_exts_server }} ]
-authorityKeyIdentifier = keyid,issuer:always
-basicConstraints = critical,CA:FALSE
-extendedKeyUsage = serverAuth
-keyUsage = digitalSignature,keyEncipherment
-subjectKeyIdentifier = hash
-
-[ {{ etcd_ca_exts_client }} ]
-authorityKeyIdentifier = keyid,issuer:always
-basicConstraints = critical,CA:FALSE
-extendedKeyUsage = clientAuth
-keyUsage = digitalSignature,keyEncipherment
-subjectKeyIdentifier = hash