From 0d0d0e99169d9285f46b3fd5fc425843c42fff89 Mon Sep 17 00:00:00 2001
From: Jim Rigsbee <jimrigsbee@gmail.com>
Date: Mon, 22 Jul 2019 20:30:22 +0200
Subject: [PATCH] Apply Let's Encrypt Certificates to local IdentityManager (#507)

---
 ansible/roles/ocp4-workload-idm/tasks/workload.yml                                  |   58 +++++++++
 ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml                        |    4 
 ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh  |    0 
 ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2                    |    6 
 ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml                     |    4 
 ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem                                  |   27 ++++
 ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem                               |   20 +++
 ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml                |    3 
 ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2  |    0 
 ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml                           |    5 
 ansible/roles/ocp4-workload-idm/files/deploy_certs.sh                               |    4 
 /dev/null                                                                           |   24 ----
 ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml |   47 +++++++
 ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml                       |   55 +++++++++
 ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2               |    2 
 ansible/roles/ocp4-workload-nexus-operator/templates/role.j2                        |    8 +
 ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml                        |   28 ---
 ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml     |   19 +++
 ansible/roles/ocp4-workload-idm/files/deploy_certs.yml                              |   30 +++++
 19 files changed, 287 insertions(+), 57 deletions(-)

diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml b/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml
index b715211..e0605ce 100644
--- a/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml
+++ b/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml
@@ -46,4 +46,6 @@
 _certbot_force_issue: False
 
 # Internal Variable. Don't change
-_certbot_setup_complete: false
\ No newline at end of file
+_certbot_setup_complete: false
+
+_certbot_cron_job_name: LETS_ENCRYPT_RENEW
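Review bot: The new `_certbot_cron_job_name` default on the last line of the hunk is undocumented and sits directly under the `# Internal Variable. Don't change` comment, so a reader may take it for an internal value even though ocp4-workload-idm/tasks/workload.yml overrides it with `LETS_ENCRYPT_RENEW_IDM`. Add a comment above it such as `# Name of the cron entry that runs certbot renew; override when several certbot instances are installed for the same user` so the override intent is explicit.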
diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml b/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml
deleted file mode 100644
index 6a1a04e..0000000
--- a/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# This playbook redeploys Lets Encrypt certificates
-# It does not renew the certs, which is done by the certbot cronjob.
-#
-# Please ensure CA and key have not changed.
-
-- hosts: localhost
-  gather_facts: no
-  become: no
-  tasks:
-  - name: Read Certificate
-    slurp:
-      src: "$HOME/certificates/fullchain.pem"
-    register: server_cert
-
-  - name: Read Key
-    slurp:
-      src: "$HOME/certificates/privkey.pem"
-    register: server_key
-
-  - name: Create Router Certificate
-    k8s:
-      state: present
-      definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}"
\ No newline at end of file
diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
index aaab94b..9596d8d 100644
--- a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
+++ b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
@@ -7,7 +7,7 @@
 - name: Verify if AWS Credentials exist on the host
   when: _certbot_dns_provider is match('route53')
   stat:
-    path: "{{ _certbot_remote_dir }}/.aws/credentials"
+    path: "/home/{{ ansible_user }}/.aws/credentials"
   register: aws_credentials_result
 
 - name: Fail if AWS Credentials are not on the host
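Review bot: The new stat path on the `+` line hardcodes `/home/{{ ansible_user }}` in place of the previous `_certbot_remote_dir` prefix, presumably because ocp4-workload-idm now points `_certbot_remote_dir` at `/home/{{ ansible_user }}/idm`; the same literal prefix is repeated in both new deploy_certs.yml playbooks and in the hook-install tasks of ocp4-workload-enable-lets-encrypt-certificates and ocp4-workload-idm. A single role default such as `_certbot_home_dir: "/home/{{ ansible_user }}"`, used here as `path: "{{ _certbot_home_dir }}/.aws/credentials"`, would leave one place to adjust when the login user's home is not under /home.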
@@ -15,7 +15,7 @@
     msg: AWS Credentials are required when requesting certificates for a wildcard domain
   when:
   - _certbot_dns_provider is match('route53')
-  - aws_credentials_result.stat.exists == False 
+  - aws_credentials_result.stat.exists == False
 
 - name: Set _certbot_wildcard_certs fact
   set_fact:
@@ -74,22 +74,6 @@
       - "{{ _certbot_dir }}/renewal-hooks"
       - "{{ _certbot_dir }}/renewal-hooks/deploy"
 
-    - name: Install redeploy hook scripts
-      copy:
-        src: ./files/deploy_certs.sh
-        dest: "{{ _certbot_dir }}/renewal-hooks/deploy/deploy_certs.sh"
-        mode: 0775
-        owner: "{{ _certbot_remote_dir_owner }}"
-    - name: Install redeploy hook playbook and cert secret template
-      copy:
-        src: "./files/{{ item }}"
-        dest: "{{ _certbot_dir }}/renewal-hooks/deploy/{{ item }}"
-        mode: 0664
-        owner: "{{ _certbot_remote_dir_owner }}"
-      loop:
-      - deploy_certs.yml
-      - router-certs.j2
-
     - name: Request Certificates from Let's Encrypt (force or no cache)
       when:
       - _certbot_force_issue|bool or not _certbot_setup_complete|bool
@@ -104,7 +88,7 @@
         debug:
           msg: >-
             About to request certificates using the following command:
-            certbot certonly -n --agree-tos --email {{ _certbot_le_email }} 
+            certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
             -d {{ _certbot_domain }}
             {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
             {{ (_certbot_production|bool)|ternary('','--test-cert') }}
@@ -117,7 +101,7 @@
       - name: Request API and Wildcard Certificates
         become: False
         shell: >-
-          certbot certonly -n --agree-tos --email {{ _certbot_le_email }} 
+          certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
           -d {{ _certbot_domain }}
           {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
           {{ (_certbot_production|bool)|ternary('','--test-cert') }}
@@ -177,8 +161,6 @@
   - name: Install crontab to renew certificates when they expire
     become: False
     cron:
-      name: LETS_ENCRYPT_RENEW
+      name: "{{ _certbot_cron_job_name }}"
       special_time: daily
       job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null"
-# --deploy-hook /path/to/deploy-hook-script
-# You can also specify hooks by placing files in subdirectories of Certbot���s configuration directory. Assuming your configuration directory is /etc/letsencrypt, any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand. These hooks are run in alphabetical order and are not run for other subcommands. (The order the hooks are run is determined by the byte value of the characters in their filenames and is not dependent on your locale.)
diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.sh b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh
similarity index 100%
rename from ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.sh
rename to ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh
diff --git a/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml
new file mode 100644
index 0000000..45248f9
--- /dev/null
+++ b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml
@@ -0,0 +1,47 @@
+---
+# This playbook redeploys Lets Encrypt certificates
+# It does not renew the certs, which is done by the certbot cronjob.
+#
+# Please ensure CA and key have not changed.
+
+- hosts: localhost
+  gather_facts: no
+  become: no
+  vars:
+  - _certbot_install_dir: "/home/{{ ansible_user }}/certificates"
+  - _certbot_remote_dir: "/home/{{ ansible_user }}"
+  - _certbot_dir: "{{ _certbot_remote_dir }}/certbot"
+  tasks:
+  - name: Determine API server hostname
+    shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'"
+    register: api_hostname
+
+  - name: Compute domain name
+    set_fact:
+      _certbot_domain: "{{ api_hostname.stdout }}"
+
+  - name: Install certificates
+    copy:
+      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
+      dest: "{{ _certbot_install_dir }}/{{ item }}"
+      remote_src: yes
+    loop:
+    - "cert.pem"
+    - "fullchain.pem"
+    - "chain.pem"
+    - "privkey.pem"
+
+  - name: Read Certificate
+    slurp:
+      src: "$HOME/certificates/fullchain.pem"
+    register: server_cert
+
+  - name: Read Key
+    slurp:
+      src: "$HOME/certificates/privkey.pem"
+    register: server_key
+
+  - name: Create Router Certificate
+    k8s:
+      state: present
+      definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}"
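Review bot: The play's `vars` build `_certbot_install_dir`, `_certbot_remote_dir` and `_certbot_dir` from `{{ ansible_user }}`, but this playbook is copied verbatim into the renewal-hooks directory and started by certbot from the user's cron, where nothing in the hunk defines `ansible_user` and `gather_facts: no` rules out a fact standing in for it; unless an ansible.cfg or the environment supplies it, the play stops on an undefined variable at its first task. Since the play already runs as the owning user on localhost, `- _certbot_remote_dir: "{{ lookup('env', 'HOME') }}"` (and the same for the install dir) removes the dependency and is consistent with the `$HOME` paths the slurp tasks below already use. The deploy_certs.yml added under ocp4-workload-idm/files has the same dependency in both of its `vars` entries.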
diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/files/router-certs.j2 b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2
similarity index 100%
rename from ansible/roles/host-lets-encrypt-certs-certbot/files/router-certs.j2
rename to ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2
diff --git a/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
index 72e8bd0..db80a8a 100644
--- a/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
@@ -45,10 +45,27 @@
     - _certbot_use_cache: True
     - _certbot_force_issue: False
     - _certbot_production: True
+    - _certbot_cron_job_name: LETS_ENCRYPT_RENEW
     # production false results in unusable certificates
     # (not possible to login to OCP)
     # - _certbot_production: "{{ lets_encrypt_production|d(False)|bool}}"
 
+  - name: Install redeploy hook scripts
+    copy:
+      src: ./files/deploy_certs.sh
+      dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.sh"
+      mode: 0775
+      owner: "{{ ansible_user }}"
+  - name: Install redeploy hook playbook and cert secret template
+    copy:
+      src: "./files/{{ item }}"
+      dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/{{ item }}"
+      mode: 0664
+      owner: "{{ ansible_user }}"
+    loop:
+    - deploy_certs.yml
+    - router-certs.j2
+    
   - name: Read Certificate
     slurp:
       src: "$HOME/certificates/fullchain.pem"
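Review bot: The two copy tasks install the hook files under `/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/`, yet the renewal cron installed by host-lets-encrypt-certs-certbot runs `certbot renew --config-dir={{ _certbot_dir }}/config`, and the certbot documentation quoted in the comment this commit removes from that role's tasks/main.yml says deploy hooks are discovered under the configuration directory's own `renewal-hooks/deploy`; if `_certbot_dir` resolves to `/home/{{ ansible_user }}/certbot` as the new deploy_certs.yml sets it, the hooks land one level above the directory certbot scans and are never run on renewal. The hook destination in ocp4-workload-idm/tasks/workload.yml has the same shape. Unless this layout has been verified to fire, change both `dest` values to `.../certbot/config/renewal-hooks/deploy/...` (and the role's directory-creation task to match), or pass the script explicitly via `--deploy-hook` on the cron command. The blank `+` line after the loop also carries trailing whitespace, and `mode: 0775` / `0664` are safer quoted as `"0775"` / `"0664"`.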
@@ -73,4 +90,4 @@
 - name: workload tasks complete
   debug:
     msg: "Workload Tasks completed successfully."
-  when: not silent|bool
\ No newline at end of file
+  when: not silent|bool
diff --git a/ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem b/ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem
new file mode 100644
index 0000000..b2e43c9
--- /dev/null
+++ b/ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem b/ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem
new file mode 100644
index 0000000..0002462
--- /dev/null
+++ b/ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----
diff --git a/ansible/roles/ocp4-workload-idm/files/deploy_certs.sh b/ansible/roles/ocp4-workload-idm/files/deploy_certs.sh
new file mode 100644
index 0000000..f760add
--- /dev/null
+++ b/ansible/roles/ocp4-workload-idm/files/deploy_certs.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+ansible-playbook ./deploy_certs.yml \
+  -e "_certbot_domain={{ idm_dns_name }}" \
+  -e "idm_dm_password={{ idm_dm_password }}"
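Review bot: `ansible-playbook ./deploy_certs.yml` resolves the playbook relative to the current working directory, which is wherever `certbot renew` was started (the user's cron in this setup), not the renewal-hooks directory the script is installed in. Add `cd "$(dirname "$0")" || exit 1` before the ansible-playbook line, or use the absolute hook path, so the playbook is found regardless of the caller's cwd. Because this file is rendered with `template` in ocp4-workload-idm/tasks/workload.yml, the `-e "idm_dm_password=..."` argument is stored in the script in plaintext, which is why that task's file mode matters.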
diff --git a/ansible/roles/ocp4-workload-idm/files/deploy_certs.yml b/ansible/roles/ocp4-workload-idm/files/deploy_certs.yml
new file mode 100644
index 0000000..b71b315
--- /dev/null
+++ b/ansible/roles/ocp4-workload-idm/files/deploy_certs.yml
@@ -0,0 +1,30 @@
+---
+# This playbook redeploys Lets Encrypt certificates
+# It does not renew the certs, which is done by the certbot cronjob.
+#
+# Please ensure CA and key have not changed.
+
+- hosts: localhost
+  gather_facts: no
+  become: no
+  vars:
+  - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates"
+  - _certbot_dir: "/home/{{ ansible_user }}/idm/certbot"
+  tasks:
+
+  - name: Install certificates
+    copy:
+      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
+      dest: "{{ _certbot_install_dir }}/{{ item }}"
+      remote_src: yes
+    loop:
+    - "cert.pem"
+    - "fullchain.pem"
+    - "chain.pem"
+    - "privkey.pem"
+
+  - name: Install IPA Certificate
+    shell: |
+      ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin=''
+      ipactl restart
+    become: True
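Review bot: `Install IPA Certificate` sets `become: True` inside a playbook that certbot launches from the user-level cron installed with `become: False` in host-lets-encrypt-certs-certbot/tasks/main.yml, so it can only succeed if `ansible_user` has passwordless sudo, and that precondition is stated nowhere. Add a comment on the task such as `# Runs unattended from the certbot renewal hook as the login user; needs passwordless sudo for ipa-server-certinstall and ipactl`. The shell line also passes `{{ idm_dm_password }}` on the command line, so the task should carry `no_log: true` to keep the Directory Manager password out of the ansible log; the same applies to the `Install CAs` and `Install IPA Certificate` tasks in ocp4-workload-idm/tasks/workload.yml.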
diff --git a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
index 828b033..1a37780 100644
--- a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
@@ -55,6 +55,11 @@
     zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
     vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
 
+- name: Remove Certificate renewal cronjob
+  cron:
+    name: LETS_ENCRYPT_RENEW_IDM
+    state: absent
+
 # Leave this as the last task in the playbook.
 - name: remove_workload tasks complete
   debug:
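Review bot: The new `cron` task removes `LETS_ENCRYPT_RENEW_IDM` by literal name, while the install side in tasks/workload.yml passes the same name through `_certbot_cron_job_name`, so renaming one silently orphans the cron entry; define the name once in the role's defaults and reference it in both places, e.g. `name: "{{ _certbot_cron_job_name }}"`. The installing task in host-lets-encrypt-certs-certbot/tasks/main.yml runs with `become: False`, so this removal should carry the same `become: false` to be sure it edits that user's crontab rather than root's if the remove playbook elevates by default.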
diff --git a/ansible/roles/ocp4-workload-idm/tasks/workload.yml b/ansible/roles/ocp4-workload-idm/tasks/workload.yml
index a26b1e0..0f4d660 100644
--- a/ansible/roles/ocp4-workload-idm/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/workload.yml
@@ -10,6 +10,64 @@
   vars:
     become_override: yes
 
+# /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role
+- name: Create Let's Encrypt Certificates
+  include_role:
+    name: host-lets-encrypt-certs-certbot
+  vars:
+  - _certbot_domain: "{{ idm_dns_name }}"
+  - _certbot_wildcard_domain: "{{cluster_name}}{{subdomain_base_suffix}}"
+  - _certbot_dns_provider: "route53"
+  - _certbot_remote_dir: "/home/{{ ansible_user }}/idm"
+  - _certbot_remote_dir_owner: "{{ ansible_user }}"
+  - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates"
+  - _certbot_install_dir_owner: "{{ ansible_user }}"
+  - _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz"
+  - _certbot_renew_automatically: True
+  - _certbot_use_cache: True
+  - _certbot_force_issue: False
+  - _certbot_production: True
+  - _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM
+
+- name: Get Root CA
+  copy:
+    src: ./files/DSTRootCAX3.pem
+    dest: /tmp/DSTRootCAX3.pem
+
+- name: Get Intermediate CA
+  copy:
+    src: ./files/LEAuthX3.pem
+    dest: /tmp/LEAuthX3.pem
+
+- name: Install CAs
+  shell: |
+    echo {{ idm_admin_password }} | kinit admin
+    ipa-cert-manage -p {{ idm_dm_password }} install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
+    ipa-cert-manage -p {{ idm_dm_password }} install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,,
+    ipa-certupdate -v
+  become: True
+
+- name: Install IPA Certificate
+  shell: |
+    ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin=''
+    ipactl restart
+  become: True
+
+- name: Install redeploy hook scripts
+  template:
+    src: ./files/deploy_certs.sh
+    dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/deploy_certs.sh"
+    mode: 0775
+    owner: "{{ ansible_user }}"
+- name: Install redeploy hook ansible components
+  copy:
+    src: "./files/{{ item }}"
+    dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/{{ item }}"
+    mode: 0664
+    owner: "{{ ansible_user }}"
+  loop:
+  - deploy_certs.yml
+
 # Find public IP of bastion
 - name: Gather VPC facts
   ec2_vpc_net_facts:
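Review bot: `Install redeploy hook scripts` renders deploy_certs.sh with `template`, which writes `{{ idm_dm_password }}` into the script in plaintext, and then installs it with `mode: 0775`, readable by every account on the host; set `mode: "0700"`, since certbot only needs the owner to execute it. The `Install CAs` and `Install IPA Certificate` shell tasks likewise put the admin and Directory Manager passwords on command lines and into task output, so both should carry `no_log: true`. Separately, the two CA files installed with `ipa-cert-manage ... -t C,,` are fixed copies; decoding the validity field in files/LEAuthX3.pem gives a notAfter of 2021-03-17, so these trust anchors will need refreshing when Let's Encrypt rotates its intermediate, and installing `chain.pem` from certbot's live directory instead would track that automatically. The hook destination here shares the config-dir concern raised on ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml.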
diff --git a/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml b/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml
index 83ea521..3bbf1a1 100644
--- a/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml
+++ b/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml
@@ -12,4 +12,6 @@
 _nexus_cpu_request: 1
 _nexus_cpu_limit: 2
 _nexus_memory_request: 2Gi
-_nexus_memory_limit: 2Gi
\ No newline at end of file
+_nexus_memory_limit: 2Gi
+
+_nexus_deploy_nexus_instance: True 
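Review bot: `_nexus_deploy_nexus_instance: True ` on the last line ends with trailing whitespace and uses the capitalized YAML 1.1 boolean; write `_nexus_deploy_nexus_instance: true` to satisfy yamllint's truthy and trailing-spaces rules and to match the lowercase `false` used in host-lets-encrypt-certs-certbot/defaults/main.yml. The whitespace-only `+` lines in ocp4-workload-nexus-operator/tasks/remove_workload.yml and ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml have the same trailing-space issue.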
diff --git a/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml b/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml
index 002c079..8d18043 100644
--- a/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml
+++ b/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml
@@ -5,7 +5,8 @@
   k8s:
     state: absent
     definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}"
-
+  when: _nexus_deploy_nexus_instance|bool
+  
 - name: Wait 15 seconds for the Nexus to disappear
   wait_for: timeout=15
   delegate_to: localhost
diff --git a/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml b/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml
index 42655e1..4314340 100644
--- a/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml
@@ -19,7 +19,60 @@
   - ./templates/role.j2
   - ./templates/role_binding.j2
   - ./templates/operator.j2
-  - ./templates/opentlc-nexus.j2
+
+- name: Deploy default Nexus instance
+  when: _nexus_deploy_nexus_instance|bool
+  block:
+    - name: Create OpenShift Custom Resource for Nexus Instance
+      k8s:
+        state: present
+        merge_type:
+        - strategic-merge
+        - merge
+        definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}"
+    - name: Wait for Nexus Pod to start creating
+      pause:
+        seconds: 10
+    - name: Wait for Nexus Pod to start
+      k8s:
+        api_version: v1
+        kind: Pod
+        name: "{{ _nexus_name }}"
+        namespace: "{{ _nexus_operator_project }}"
+      register: nexus_pod
+      until:
+      - nexus_pod.result is defined
+      - nexus_pod.result.status.phase == "Running"
+      retries: 50
+      delay: 10
+      changed_when: false
+    - name: Wait for the Nexus Pod to be ready
+      k8s:
+        api_version: v1
+        kind: Pod
+        name: "{{ _nexus_name }}"
+        namespace: "{{ _nexus_operator_project }}"
+      register: nexus_pod
+      until:
+      - nexus_pod.result.status.containerStatuses[0].ready|d(False)|bool
+      retries: 50
+      delay: 10
+      changed_when: false
+    - name: Get Admin password
+      k8s:
+        api_version: gpte.opentlc.com/v1alpha1
+        kind: Nexus
+        name: "{{ _nexus_name }}"
+        namespace: "{{ _nexus_operator_project }}"
+      register: nexus_cr
+      until:
+      - nexus_cr.result.status.admin_password is defined
+      retries: 25
+      delay: 5
+      changed_when: false
+    - name: Display Nexus password
+      debug:
+        msg: "user.info: Nexus password is {{ nexus_cr.result.status.admin_password }}"
 
 # Leave this as the last task in the playbook.
 - name: workload tasks complete
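Review bot: The `until` list of `Wait for Nexus Pod to start` checks only that `nexus_pod.result` is defined before comparing `nexus_pod.result.status.phase`, so while the pod does not exist yet the loop relies on Ansible's handling of an undefined intermediate attribute to evaluate to false rather than raise; the preceding fixed `pause` of 10 seconds looks like a workaround for exactly that window. Make the guard explicit with `- nexus_pod.result.status.phase|d('') == "Running"` and, in the readiness task, default the list before indexing it (`containerStatuses|d([])`) rather than only the final attribute, after which the pause can go. `Display Nexus password` intentionally writes the admin password into the play log under `user.info:`; if that is the delivery channel, mark the `Get Admin password` task `no_log: true` so the full CR is not also echoed in verbose runs.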
diff --git a/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2 b/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2
index f8db894..63e50a7 100644
--- a/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2
+++ b/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2
@@ -10,4 +10,4 @@
   nexusCpuRequest: "{{ _nexus_cpu_request }}"
   nexusCpuLimit: "{{ _nexus_cpu_limit }}"
   nexusMemoryRequest: "{{ _nexus_memory_request }}"
-  nexusMemoryLimit: "{{ _nexus_memory_limit }}"
\ No newline at end of file
+  nexusMemoryLimit: "{{ _nexus_memory_limit }}"
diff --git a/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2 b/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2
index 491cd7e..1d110da 100644
--- a/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2
+++ b/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2
@@ -20,14 +20,14 @@
           - /usr/local/bin/ao-logs
           - /tmp/ansible-operator/runner
           - stdout
-          image: quay.io/wkulhanek/nexus-operator:v0.8.1
+          image: quay.io/gpte-devops-automation/nexus-operator:v0.9
           imagePullPolicy: Always
           volumeMounts:
           - mountPath: /tmp/ansible-operator/runner
             name: runner
             readOnly: true
         - name: operator
-          image: quay.io/wkulhanek/nexus-operator:v0.8.1
+          image: quay.io/gpte-devops-automation/nexus-operator:v0.9
           imagePullPolicy: Always
           volumeMounts:
           - mountPath: /tmp/ansible-operator/runner
@@ -43,4 +43,4 @@
               value: "nexus-operator"
       volumes:
         - name: runner
-          emptyDir: {}
\ No newline at end of file
+          emptyDir: {}
diff --git a/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2 b/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2
index 245d872..cb22b6f 100644
--- a/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2
+++ b/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2
@@ -6,6 +6,12 @@
 - apiGroups:
   - ""
   resources:
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
   - pods
   - services
   - endpoints
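Review bot: The first added rule grants the operator `create` on `pods/exec`, which lets its service account run commands inside every pod of the namespace the binding covers; nothing in the hunk or the commit message says what nexus-operator v0.9 needs it for (presumably obtaining the admin password that tasks/workload.yml now polls from the CR status). Add a comment above the rule such as `# pods/exec is required by nexus-operator v0.9 for <reason>; keep it namespaced` so the grant can be reviewed against actual need, and confirm that the object declared above this hunk remains a namespaced Role rather than a ClusterRole.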
@@ -26,7 +32,7 @@
   resources:
   - namespaces
   verbs:
-  - get  
+  - get
 - apiGroups:
   - apps
   resources:

--
Gitblit v1.9.3