Merge "Hide log output for system-local-ca data"
This commit is contained in:
Zuul
Gerrit Code Review
commit
bca2e13d37
|
|
@ -248,18 +248,21 @@
|
|||
system_local_ca_cert: "{{ system_local_ca_cert | default('', true) }}"
|
||||
system_local_ca_key: "{{ system_local_ca_key | default('', true) }}"
|
||||
system_root_ca_cert: "{{ system_root_ca_cert | default('', true) }}"
|
||||
no_log: true
|
||||
|
||||
- name: Define k8s root CA certificate parameters for subcloud role
|
||||
set_fact:
|
||||
k8s_root_ca_cert: "{{ k8s_root_ca_cert | default(default_subcloud_k8s_root_ca_cert) }}"
|
||||
k8s_root_ca_key: "{{ k8s_root_ca_key | default(default_subcloud_k8s_root_ca_key) }}"
|
||||
when: distributed_cloud_role == 'subcloud'
|
||||
no_log: true
|
||||
|
||||
- name: Define k8s root CA certificate parameters for non subcloud roles
|
||||
set_fact:
|
||||
k8s_root_ca_cert: "{{ k8s_root_ca_cert | default('') }}"
|
||||
k8s_root_ca_key: "{{ k8s_root_ca_key | default('') }}"
|
||||
when: distributed_cloud_role != 'subcloud'
|
||||
no_log: true
|
||||
|
||||
- name: Check if external certificates were embedded as strings and install them
|
||||
include_tasks: convert_embedded_certificates.yml
|
||||
|
|
|
|||
|
|
@ -923,26 +923,31 @@
|
|||
- name: Encode system_root_ca_cert
|
||||
shell: cat "{{ system_root_ca_cert }}" | base64 -w0
|
||||
register: root_ca_cert_output
|
||||
no_log: true
|
||||
|
||||
- name: Encode system_local_ca_cert
|
||||
shell: cat "{{ system_local_ca_cert }}" | base64 -w0
|
||||
register: local_ca_cert_output
|
||||
no_log: true
|
||||
|
||||
- name: Encode system_local_ca_key
|
||||
shell: cat "{{ system_local_ca_key }}" | base64 -w0
|
||||
register: local_ca_key_output
|
||||
no_log: true
|
||||
|
||||
- name: Keep the file paths for the CA certs/key as variables
|
||||
set_fact:
|
||||
system_root_ca_cert_file: "{{ system_root_ca_cert }}"
|
||||
system_local_ca_cert_file: "{{ system_local_ca_cert }}"
|
||||
system_local_ca_key_file: "{{ system_local_ca_key }}"
|
||||
block:
|
||||
- set_fact:
|
||||
system_root_ca_cert_file: "{{ system_root_ca_cert }}"
|
||||
system_local_ca_cert_file: "{{ system_local_ca_cert }}"
|
||||
system_local_ca_key_file: "{{ system_local_ca_key }}"
|
||||
|
||||
- set_fact:
|
||||
system_root_ca_cert: "{{ root_ca_cert_output.stdout }}"
|
||||
system_local_ca_cert: "{{ local_ca_cert_output.stdout }}"
|
||||
system_local_ca_key: "{{ local_ca_key_output.stdout }}"
|
||||
system_local_ca_overrides: true
|
||||
- set_fact:
|
||||
system_root_ca_cert: "{{ root_ca_cert_output.stdout }}"
|
||||
system_local_ca_cert: "{{ local_ca_cert_output.stdout }}"
|
||||
system_local_ca_key: "{{ local_ca_key_output.stdout }}"
|
||||
system_local_ca_overrides: true
|
||||
no_log: true
|
||||
|
||||
- name: Verify 'system-local-ca' certs
|
||||
include_role:
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@
|
|||
until: registry_cert_b64.rc == 0 and registry_cert_b64.stdout | length > 0
|
||||
retries: 6
|
||||
delay: 5
|
||||
no_log: true
|
||||
|
||||
- name: Retrieve key from k8s secret
|
||||
command: >-
|
||||
|
|
@ -43,11 +44,13 @@
|
|||
until: registry_key_pkcs8_b64.rc == 0 and registry_key_pkcs8_b64.stdout | length > 0
|
||||
retries: 6
|
||||
delay: 5
|
||||
no_log: true
|
||||
|
||||
- name: Get the key also in PKCS1 format
|
||||
shell: >-
|
||||
echo "{{ registry_key_pkcs8_b64.stdout | b64decode }}" | openssl rsa
|
||||
register: registry_key_pkcs1_b64
|
||||
no_log: true
|
||||
|
||||
- name: Write Docker Registry certificate and keys in the shared folder
|
||||
copy:
|
||||
|
|
@ -64,6 +67,7 @@
|
|||
- file: registry-cert-pkcs1.key
|
||||
content: "{{ registry_key_pkcs1_b64.stdout }}"
|
||||
become: yes
|
||||
no_log: true
|
||||
|
||||
when:
|
||||
- mode == 'bootstrap'
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@
|
|||
loop:
|
||||
- "key"
|
||||
- "crt"
|
||||
no_log: true
|
||||
|
||||
- name: Install https certificate in ssl folder
|
||||
copy:
|
||||
|
|
|
|||
|
|
@ -40,18 +40,21 @@
|
|||
environment:
|
||||
KUBECONFIG: "/etc/kubernetes/admin.conf"
|
||||
register: cert_result
|
||||
no_log: true
|
||||
|
||||
- name: Retrieve system local CA key from k8s secret (on System Controller)
|
||||
command: kubectl get secret system-local-ca -n cert-manager -o jsonpath='{.data.tls\.key}'
|
||||
environment:
|
||||
KUBECONFIG: "/etc/kubernetes/admin.conf"
|
||||
register: key_result
|
||||
no_log: true
|
||||
|
||||
- name: Retrieve system local root CA cert from k8s secret (on System Controller)
|
||||
command: kubectl get secret system-local-ca -n cert-manager -o jsonpath='{.data.ca\.crt}'
|
||||
environment:
|
||||
KUBECONFIG: "/etc/kubernetes/admin.conf"
|
||||
register: ca_cert_result
|
||||
no_log: true
|
||||
|
||||
- name: Set system-local-ca data
|
||||
set_fact:
|
||||
|
|
@ -60,6 +63,7 @@
|
|||
system_local_ca_key: "{{ key_result.stdout }}"
|
||||
system_local_ca_data_obtained: true
|
||||
install_rca_as_trusted: "{{ mode == 'bootstrap' or mode == 'rehoming' }}"
|
||||
no_log: true
|
||||
|
||||
when: system_local_ca_exists.stdout | bool
|
||||
|
||||
|
|
@ -74,11 +78,13 @@
|
|||
shell: cat "{{ kubeadm_pki_dir }}/ca.crt" | base64 -w0
|
||||
register: kubernetes_root_ca_crt
|
||||
become: true
|
||||
no_log: true
|
||||
|
||||
- name: Read kubernetes Root CA key
|
||||
shell: cat "{{ kubeadm_pki_dir }}/ca.key" | base64 -w0
|
||||
register: kubernetes_root_ca_key
|
||||
become: true
|
||||
no_log: true
|
||||
|
||||
- name: Set system-local-ca data based on kubernetes Root CA
|
||||
set_fact:
|
||||
|
|
@ -86,6 +92,7 @@
|
|||
system_local_ca_cert: "{{ kubernetes_root_ca_crt.stdout }}"
|
||||
system_local_ca_key: "{{ kubernetes_root_ca_key.stdout }}"
|
||||
system_local_ca_data_obtained: true
|
||||
no_log: true
|
||||
|
||||
connection: local
|
||||
when: not system_local_ca_data_obtained
|
||||
|
|
|
|||
|
|
@ -26,6 +26,7 @@
|
|||
- include_vars: "{{ item.item }}"
|
||||
when: item.stat.exists
|
||||
with_items: "{{ files_to_import.results }}"
|
||||
no_log: true
|
||||
|
||||
# Check host connectivity, change password if provided
|
||||
- block:
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@
|
|||
shell: |
|
||||
echo "{{ cert_req_pem_stream }}" | openssl x509 -text -noout | grep "CA:"
|
||||
register: is_ca
|
||||
no_log: true
|
||||
|
||||
- name: Fail when certificate is not a CA certificate
|
||||
fail:
|
||||
|
|
@ -29,6 +30,7 @@
|
|||
<(echo "{{ cert_req_pem_stream }}") <(echo "{{ cert_req_pem_stream }}")
|
||||
register: openssl_return
|
||||
failed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Assume RCA if verification succeeds
|
||||
set_fact:
|
||||
|
|
@ -48,6 +50,7 @@
|
|||
time_left_ca=$(expr $expiration_date_timestamp - $min_date_from_now_timestamp)
|
||||
echo $time_left_ca
|
||||
register: ca_time_left
|
||||
no_log: true
|
||||
|
||||
- name: Fail when CA certificate remaining duration is shorter than {{ ca_duration }} years
|
||||
fail:
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@
|
|||
- name: Retrieve the certificate in the end of the chain (first read from the file)
|
||||
command: openssl x509 -in "{{ aux_ca_file.path }}"
|
||||
register: ica_pem_cert
|
||||
no_log: true
|
||||
|
||||
- name: Get a stream from the auxiliar file without the certificate being read
|
||||
shell: >-
|
||||
|
|
@ -31,6 +32,7 @@
|
|||
- name: Assign ICA stream to variable
|
||||
set_fact:
|
||||
cert_req_pem_stream: "{{ ica_pem_cert.stdout }}"
|
||||
no_log: true
|
||||
|
||||
- name: Verify ICA certificate content requirements
|
||||
include_tasks: cert-content-requirements-verification.yml
|
||||
|
|
@ -42,6 +44,7 @@
|
|||
"{{ aux_ca_file.path }}" <(echo "{{ cert_req_pem_stream }}")
|
||||
register: openssl_return
|
||||
failed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Fail the ICA certificate isn't signed by the next CA in the bundle
|
||||
fail:
|
||||
|
|
@ -58,6 +61,7 @@
|
|||
"{{ system_local_ca_rca.path }}" <(echo "{{ cert_req_pem_stream }}")
|
||||
register: openssl_return
|
||||
failed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Fail the certificate isn't signed by the RCA
|
||||
fail:
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@
|
|||
<(echo "{{ system_local_ca_key | b64decode }}" | openssl rsa -noout -modulus)
|
||||
register: diff_return
|
||||
failed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Fail if system_local_ca_cert and system_local_ca_key doesn't match
|
||||
fail:
|
||||
|
|
|
|||
|
|
@ -25,10 +25,12 @@
|
|||
- name: Get RCA pem contents
|
||||
command: openssl x509 -in "{{ system_local_ca_rca.path }}"
|
||||
register: rca_pem_cert
|
||||
no_log: true
|
||||
|
||||
- name: Set variable with RCA content
|
||||
set_fact:
|
||||
cert_req_pem_stream: "{{ rca_pem_cert.stdout }}"
|
||||
no_log: true
|
||||
|
||||
- name: Verify RCA certificate content requirements
|
||||
include_tasks: cert-content-requirements-verification.yml
|
||||
|
|
@ -39,6 +41,7 @@
|
|||
<(echo "{{ cert_req_pem_stream }}") <(echo "{{ cert_req_pem_stream }}")
|
||||
register: openssl_return
|
||||
failed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Fail if certificate is not a RCA
|
||||
fail:
|
||||
|
|
@ -79,10 +82,12 @@
|
|||
- name: Retrieve the certificate in the end of the ICA chain (first read from the file)
|
||||
command: openssl x509 -in "{{ aux_ca_file.path }}"
|
||||
register: ica_pem_cert
|
||||
no_log: true
|
||||
|
||||
- name: Assign ICA stream to variable
|
||||
set_fact:
|
||||
cert_pem_stream: "{{ ica_pem_cert.stdout }}"
|
||||
no_log: true
|
||||
|
||||
- name: Verify if certificate is a RCA
|
||||
shell: >-
|
||||
|
|
@ -90,6 +95,7 @@
|
|||
<(echo "{{ cert_pem_stream }}") <(echo "{{ cert_pem_stream }}")
|
||||
register: openssl_return
|
||||
failed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Fail if certificate is a RCA
|
||||
fail:
|
||||
|
|
|
|||
Loading…
Reference in New Issue