ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml
@@ -46,4 +46,6 @@ _certbot_force_issue: False # Internal Variable. Don't change _certbot_setup_complete: false _certbot_setup_complete: false _certbot_cron_job_name: LETS_ENCRYPT_RENEW ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml
File was deleted ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
@@ -7,7 +7,7 @@ - name: Verify if AWS Credentials exist on the host when: _certbot_dns_provider is match('route53') stat: path: "{{ _certbot_remote_dir }}/.aws/credentials" path: "/home/{{ ansible_user }}/.aws/credentials" register: aws_credentials_result - name: Fail if AWS Credentials are not on the host @@ -15,7 +15,7 @@ msg: AWS Credentials are required when requesting certificates for a wildcard domain when: - _certbot_dns_provider is match('route53') - aws_credentials_result.stat.exists == False - aws_credentials_result.stat.exists == False - name: Set _certbot_wildcard_certs fact set_fact: @@ -74,22 +74,6 @@ - "{{ _certbot_dir }}/renewal-hooks" - "{{ _certbot_dir }}/renewal-hooks/deploy" - name: Install redeploy hook scripts copy: src: ./files/deploy_certs.sh dest: "{{ _certbot_dir }}/renewal-hooks/deploy/deploy_certs.sh" mode: 0775 owner: "{{ _certbot_remote_dir_owner }}" - name: Install redeploy hook playbook and cert secret template copy: src: "./files/{{ item }}" dest: "{{ _certbot_dir }}/renewal-hooks/deploy/{{ item }}" mode: 0664 owner: "{{ _certbot_remote_dir_owner }}" loop: - deploy_certs.yml - router-certs.j2 - name: Request Certificates from Let's Encrypt (force or no cache) when: - _certbot_force_issue|bool or not _certbot_setup_complete|bool @@ -104,7 +88,7 @@ debug: msg: >- About to request certificates using the following command: certbot certonly -n --agree-tos --email {{ _certbot_le_email }} certbot certonly -n --agree-tos --email {{ _certbot_le_email }} -d {{ _certbot_domain }} {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} {{ (_certbot_production|bool)|ternary('','--test-cert') }} 
@@ -117,7 +101,7 @@ - name: Request API and Wildcard Certificates become: False shell: >- certbot certonly -n --agree-tos --email {{ _certbot_le_email }} certbot certonly -n --agree-tos --email {{ _certbot_le_email }} -d {{ _certbot_domain }} {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} {{ (_certbot_production|bool)|ternary('','--test-cert') }} @@ -177,8 +161,6 @@ - name: Install crontab to renew certificates when they expire become: False cron: name: LETS_ENCRYPT_RENEW name: "{{ _certbot_cron_job_name }}" special_time: daily job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null" # --deploy-hook /path/to/deploy-hook-script # You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory. Assuming your configuration directory is /etc/letsencrypt, any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand. These hooks are run in alphabetical order and are not run for other subcommands. (The order the hooks are run is determined by the byte value of the characters in their filenames and is not dependent on your locale.) ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh
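Review bot: The credential check in the first hunk now hard-codes `path: "/home/{{ ansible_user }}/.aws/credentials"`, which assumes every target's home directory lives under `/home` and drops the `_certbot_remote_dir`-based path the rest of the file builds on; if the intent is "the home of the user certbot runs as", deriving it from one variable (or from `ansible_env.HOME` when facts are available) keeps the check and the route53 plugin looking in the same place. In the second hunk, `- aws_credentials_result.stat.exists == False` reads more naturally as `- not aws_credentials_result.stat.exists`. The cron task's `name: "{{ _certbot_cron_job_name }}"` is fine; the `job:` line in its context still sends all output to `/dev/null` with `--quiet`, so a renewal failure is only noticeable once the certificate expires — worth a comment or a non-silent logs path.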
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml
New file @@ -0,0 +1,47 @@ --- # This playbook redeploys Lets Encrypt certificates # It does not renew the certs, which is done by the certbot cronjob. # # Please ensure CA and key have not changed. - hosts: localhost gather_facts: no become: no vars: - _certbot_install_dir: "/home/{{ ansible_user }}/certificates" - _certbot_remote_dir: "/home/{{ ansible_user }}" - _certbot_dir: "{{ _certbot_remote_dir }}/certbot" tasks: - name: Determine API server hostname shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'" register: api_hostname - name: Compute domain name set_fact: _certbot_domain: "{{ api_hostname.stdout }}" - name: Install certificates copy: src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}" dest: "{{ _certbot_install_dir }}/{{ item }}" remote_src: yes loop: - "cert.pem" - "fullchain.pem" - "chain.pem" - "privkey.pem" - name: Read Certificate slurp: src: "$HOME/certificates/fullchain.pem" register: server_cert - name: Read Key slurp: src: "$HOME/certificates/privkey.pem" register: server_key - name: Create Router Certificate k8s: state: present definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}" ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2
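Review bot: The two `slurp` tasks read `$HOME/certificates/fullchain.pem` and `$HOME/certificates/privkey.pem` while the play already defines `_certbot_install_dir` for that same directory; `src: "{{ _certbot_install_dir }}/fullchain.pem"` keeps a single source of truth and does not rely on the module expanding `$HOME`. Because this play targets `localhost` with `gather_facts: no` and is launched from certbot's deploy hook, `ansible_user` is not obviously defined in that environment — if nothing supplies it via inventory or `-e`, the `vars` templating fails before the first task, so confirm how the hook invokes the playbook. The `vars` block is written as a list of single-key mappings; the mapping form (`vars:` followed by `  _certbot_install_dir: ...`) is the one newer Ansible releases warn you towards, and the same applies to the idm role's `deploy_certs.yml`. The `Read Key` task registers the private key into `server_key`, which ends up in verbose output unless the task carries `no_log: true`.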
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
@@ -45,10 +45,27 @@ - _certbot_use_cache: True - _certbot_force_issue: False - _certbot_production: True - _certbot_cron_job_name: LETS_ENCRYPT_RENEW # production false results in unusable certificates # (not possible to login to OCP) # - _certbot_production: "{{ lets_encrypt_production|d(False)|bool}}" - name: Install redeploy hook scripts copy: src: ./files/deploy_certs.sh dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.sh" mode: 0775 owner: "{{ ansible_user }}" - name: Install redeploy hook playbook and cert secret template copy: src: "./files/{{ item }}" dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/{{ item }}" mode: 0664 owner: "{{ ansible_user }}" loop: - deploy_certs.yml - router-certs.j2 - name: Read Certificate slurp: src: "$HOME/certificates/fullchain.pem" @@ -73,4 +90,4 @@ - name: workload tasks complete debug: msg: "Workload Tasks completed successfully." when: not silent|bool when: not silent|bool ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem
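Review bot: The two new copy tasks hard-code `/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/`, a directory the included certbot role creates under `{{ _certbot_dir }}/renewal-hooks/deploy` (visible in the role's removed hook tasks in this commit); if `_certbot_remote_dir` is ever overridden, the hooks land where certbot will not find them, so the destination should be derived from the same variable rather than repeated here. `mode: 0775` and `mode: 0664` are unquoted octals — YAML 1.1 parsers happen to read them as intended, but ansible-lint flags them and `mode: "0775"` is unambiguous. Both points also apply to the hook tasks added to `ocp4-workload-idm/tasks/workload.yml`.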
New file @@ -0,0 +1,20 @@ -----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE----- ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem
New file @@ -0,0 +1,27 @@ -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- ansible/roles/ocp4-workload-idm/files/deploy_certs.sh
New file @@ -0,0 +1,4 @@ #!/bin/bash ansible-playbook ./deploy_certs.yml \ -e "_certbot_domain={{ idm_dns_name }}" \ -e "idm_dm_password={{ idm_dm_password }}" ansible/roles/ocp4-workload-idm/files/deploy_certs.yml
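Review bot: `ansible-playbook ./deploy_certs.yml` resolves relative to the working directory of the cron job that runs `certbot renew`, not to the renewal-hooks directory this script is installed in; as far as I know certbot does not change directory before running deploy hooks, so the playbook will most likely not be found. Prefixing the script with `cd "$(dirname "$0")"` (or using the absolute install path) and adding `set -euo pipefail` fixes the lookup and makes a failed redeploy visible instead of silently ignored. Since `tasks/workload.yml` renders this file with `template`, `{{ idm_dm_password }}` is written to disk in clear text, which makes the `0775` mode it is installed with too permissive; owner-only permissions, or reading the password from a protected file at run time, would be safer.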
New file @@ -0,0 +1,30 @@ --- # This playbook redeploys Lets Encrypt certificates # It does not renew the certs, which is done by the certbot cronjob. # # Please ensure CA and key have not changed. - hosts: localhost gather_facts: no become: no vars: - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates" - _certbot_dir: "/home/{{ ansible_user }}/idm/certbot" tasks: - name: Install certificates copy: src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}" dest: "{{ _certbot_install_dir }}/{{ item }}" remote_src: yes loop: - "cert.pem" - "fullchain.pem" - "chain.pem" - "privkey.pem" - name: Install IPA Certificate shell: | ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin='' ipactl restart become: True ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
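Review bot: `ipa-server-certinstall ... -p {{ idm_dm_password }}` puts the Directory Manager password on the command line, where it is visible in the process list and in Ansible's task output; the task needs `no_log: true` (the same applies to the `Install CAs` and `Install IPA Certificate` tasks in `tasks/workload.yml`). The shell block also repeats `/home/{{ ansible_user }}/idm/certificates`, which `_certbot_install_dir` already holds; `{{ _certbot_install_dir }}/privkey.pem` and `{{ _certbot_install_dir }}/fullchain.pem` keep the two in step. As with the other hook playbook, `ansible_user` on a `localhost` play with `gather_facts: no` is only defined if something supplies it, and `become: True` requires passwordless escalation for the user whose crontab runs certbot — both worth confirming against the hook's environment.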
@@ -55,6 +55,11 @@ zone: "{{ cluster_name }}{{ subdomain_base_suffix }}." vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}" - name: Remove Certificate renewal cronjob cron: name: LETS_ENCRYPT_RENEW_IDM state: absent # Leave this as the last task in the playbook. - name: remove_workload tasks complete debug: ansible/roles/ocp4-workload-idm/tasks/workload.yml
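Review bot: The removal hard-codes `name: LETS_ENCRYPT_RENEW_IDM`, the same literal `tasks/workload.yml` passes as `_certbot_cron_job_name`; defining it once as a role default and referencing it from both tasks keeps them from drifting and leaving an orphaned renewal job. The `cron` module acts on the current user's crontab unless `user:` is given, while the certbot role installs the job with `become: False`; if this task runs under a different privilege level than the install did it silently matches nothing, so `user: "{{ ansible_user }}"` (or whichever user the install ran as) makes the target explicit. Hosts provisioned before this commit carry the job under the previous default name `LETS_ENCRYPT_RENEW`, which this task will not remove — inferred from the rename, not visible here.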
@@ -10,6 +10,64 @@ vars: become_override: yes # /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role - name: Create Let's Encrypt Certificates include_role: name: host-lets-encrypt-certs-certbot vars: - _certbot_domain: "{{ idm_dns_name }}" - _certbot_wildcard_domain: "{{cluster_name}}{{subdomain_base_suffix}}" - _certbot_dns_provider: "route53" - _certbot_remote_dir: "/home/{{ ansible_user }}/idm" - _certbot_remote_dir_owner: "{{ ansible_user }}" - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates" - _certbot_install_dir_owner: "{{ ansible_user }}" - _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz" - _certbot_renew_automatically: True - _certbot_use_cache: True - _certbot_force_issue: False - _certbot_production: True - _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM - name: Get Root CA copy: src: ./files/DSTRootCAX3.pem dest: /tmp/DSTRootCAX3.pem - name: Get Intermediate CA copy: src: ./files/LEAuthX3.pem dest: /tmp/LEAuthX3.pem - name: Install CAs shell: | echo {{ idm_admin_password }} | kinit admin ipa-cert-manage -p {{ idm_dm_password }} install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,, ipa-cert-manage -p {{ idm_dm_password }} install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,, ipa-certupdate -v become: True - name: Install IPA Certificate shell: | ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin='' ipactl restart become: True - name: Install redeploy hook scripts template: src: ./files/deploy_certs.sh dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/deploy_certs.sh" mode: 0775 owner: "{{ ansible_user }}" - name: Install redeploy hook ansible components copy: src: "./files/{{ item }}" dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/{{ item }}" mode: 0664 owner: "{{ ansible_user }}" loop: - deploy_certs.yml # Find public IP of bastion - 
name: Gather VPC facts ec2_vpc_net_facts: ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml
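Review bot: The `Install CAs` and `Install IPA Certificate` shell tasks pass `idm_admin_password` and `idm_dm_password` on command lines and carry no `no_log: true`, so both secrets are printed in Ansible output and the `-p` values appear in the process list; add `no_log: true` to both tasks. `Install redeploy hook scripts` renders `deploy_certs.sh`, which embeds `idm_dm_password`, with `mode: 0775` — readable by group and others — so `mode: "0700"` is the safer choice (quoting the octal also covers the ansible-lint warning the `0664` line shares). `DSTRootCAX3.pem` and `LEAuthX3.pem` pin one specific Let's Encrypt issuing chain into the IdM CA store; Let's Encrypt has rotated its chain since those were current, so installing the `chain.pem` certbot writes beside the issued certificate would track the real issuer instead of going stale — hedged, since I cannot see what the surrounding `ipa-cert-manage` flow expects. The enclosing task list starts before this hunk and continues past it.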
@@ -12,4 +12,6 @@ _nexus_cpu_request: 1 _nexus_cpu_limit: 2 _nexus_memory_request: 2Gi _nexus_memory_limit: 2Gi _nexus_memory_limit: 2Gi _nexus_deploy_nexus_instance: True ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml
@@ -5,7 +5,8 @@ k8s: state: absent definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}" when: _nexus_deploy_nexus_instance|bool - name: Wait 15 seconds for the Nexus to disappear wait_for: timeout=15 delegate_to: localhost ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml
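Review bot: `Wait 15 seconds for the Nexus to disappear` still runs unconditionally, so a removal with `_nexus_deploy_nexus_instance: false` pauses for an instance that was never created; give it the same `when: _nexus_deploy_nexus_instance|bool` the delete task just received. While there, `wait_for: timeout=15` is the key=value shorthand; `wait_for:` with `  timeout: 15` matches the block form the `k8s` task above uses. The pause task is context here, so this is about the new condition's scope rather than a line the commit changed.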
@@ -19,7 +19,60 @@ - ./templates/role.j2 - ./templates/role_binding.j2 - ./templates/operator.j2 - ./templates/opentlc-nexus.j2 - name: Deploy default Nexus instance when: _nexus_deploy_nexus_instance|bool block: - name: Create OpenShift Custom Resource for Nexus Instance k8s: state: present merge_type: - strategic-merge - merge definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}" - name: Wait for Nexus Pod to start creating pause: seconds: 10 - name: Wait for Nexus Pod to start k8s: api_version: v1 kind: Pod name: "{{ _nexus_name }}" namespace: "{{ _nexus_operator_project }}" register: nexus_pod until: - nexus_pod.result is defined - nexus_pod.result.status.phase == "Running" retries: 50 delay: 10 changed_when: false - name: Wait for the Nexus Pod to be ready k8s: api_version: v1 kind: Pod name: "{{ _nexus_name }}" namespace: "{{ _nexus_operator_project }}" register: nexus_pod until: - nexus_pod.result.status.containerStatuses[0].ready|d(False)|bool retries: 50 delay: 10 changed_when: false - name: Get Admin password k8s: api_version: gpte.opentlc.com/v1alpha1 kind: Nexus name: "{{ _nexus_name }}" namespace: "{{ _nexus_operator_project }}" register: nexus_cr until: - nexus_cr.result.status.admin_password is defined retries: 25 delay: 5 changed_when: false - name: Display Nexus password debug: msg: "user.info: Nexus password is {{ nexus_cr.result.status.admin_password }}" # Leave this as the last task in the playbook. - name: workload tasks complete ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2
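Review bot: In `Wait for Nexus Pod to start`, the second `until` condition `nexus_pod.result.status.phase == "Running"` is reached as soon as `nexus_pod.result` is defined; if the k8s module returns an empty `result` before the pod exists, `.status.phase` is an undefined attribute, which in my experience aborts the task instead of counting as a failed retry — the next task guards the same situation with `|d(False)`. `- nexus_pod.result.status.phase|d('') == "Running"` makes the first wait tolerant in the same way. `Get Admin password` registers the CR including `status.admin_password` without `no_log`, and `Display Nexus password` then prints it; if surfacing the password to the user is intended (the `user.info:` prefix suggests it is), the register task should still be `no_log: true` so the value is not also echoed on each of its 25 retries.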
@@ -10,4 +10,4 @@ nexusCpuRequest: "{{ _nexus_cpu_request }}" nexusCpuLimit: "{{ _nexus_cpu_limit }}" nexusMemoryRequest: "{{ _nexus_memory_request }}" nexusMemoryLimit: "{{ _nexus_memory_limit }}" nexusMemoryLimit: "{{ _nexus_memory_limit }}" ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2
@@ -20,14 +20,14 @@ - /usr/local/bin/ao-logs - /tmp/ansible-operator/runner - stdout image: quay.io/wkulhanek/nexus-operator:v0.8.1 image: quay.io/gpte-devops-automation/nexus-operator:v0.9 imagePullPolicy: Always volumeMounts: - mountPath: /tmp/ansible-operator/runner name: runner readOnly: true - name: operator image: quay.io/wkulhanek/nexus-operator:v0.8.1 image: quay.io/gpte-devops-automation/nexus-operator:v0.9 imagePullPolicy: Always volumeMounts: - mountPath: /tmp/ansible-operator/runner @@ -43,4 +43,4 @@ value: "nexus-operator" volumes: - name: runner emptyDir: {} emptyDir: {} ansible/roles/ocp4-workload-nexus-operator/templates/role.j2
@@ -6,6 +6,12 @@ - apiGroups: - "" resources: - pods/exec verbs: - create - apiGroups: - "" resources: - pods - services - endpoints @@ -26,7 +32,7 @@ resources: - namespaces verbs: - get - get - apiGroups: - apps resources:
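Review bot: The new rule grants `create` on `pods/exec` to the operator's service account, which amounts to command execution inside any pod in the namespace, and nothing in the hunk says why; a comment above the rule naming the operator task that depends on it (for example `# pods/exec: the operator runs commands inside the Nexus pod — confirm against the operator tasks`, wording illustrative) lets a later reviewer judge whether the grant is still needed. If only the Nexus pod is ever targeted, documenting that is the minimum, since RBAC cannot express "only this workload's pods" for a fresh pod name. The enclosing `rules` list starts outside the hunk.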