
Generate wildcard router certificate #3749

Closed

Conversation

enoodle
Contributor

@enoodle enoodle commented Mar 23, 2017

Conditioned on openshift_hosted_router_create_certificate=true.
Covers *.{{openshift_master_default_subdomain}},
in particular makes hawkular-metrics route have good cert out of the box.

Resubmission of #3226

@enoodle enoodle changed the title Generate wildcard router certificate [WIP] Generate wildcard router certificate Mar 23, 2017
@openshift-bot

Can one of the admins verify this patch?
I understand the following commands:

  • bot, add author to whitelist
  • bot, test pull request
  • bot, test pull request once

@cben
Contributor

cben commented Mar 23, 2017

cc @mtnbikenc @detiber

@enoodle enoodle force-pushed the generate_wildcard_certificate_cben branch from 1dc2510 to 944a918 on March 27, 2017 09:23
cben and others added 2 commits March 29, 2017 18:58
Conditioned on openshift_hosted_router_create_certificate=true.
Covers *.{{openshift_master_default_subdomain}},
in particular makes hawkular-metrics route have good cert out of the box.
@enoodle enoodle force-pushed the generate_wildcard_certificate_cben branch from 944a918 to cef331b on March 29, 2017 16:42
@enoodle enoodle changed the title [WIP] Generate wildcard router certificate Generate wildcard router certificate Mar 29, 2017
@enoodle enoodle force-pushed the generate_wildcard_certificate_cben branch from cef331b to e8aeeef on March 29, 2017 16:47
@enoodle
Contributor Author

enoodle commented Mar 29, 2017

@mtnbikenc @detiber can you please take a look?
@kwoodson I had to touch the ansible module to prevent it from crashing on me, can you take a look please?

Contributor

@kwoodson kwoodson left a comment


@enoodle @mtnbikenc
Would prefer to move the cert generation to an include in order to keep the logic in the main router.yml the same and accomplish the same goal by setting fact in the included tasks. Something like this:

https://github.com/kwoodson/openshift-ansible/blob/default_router_cert/roles/openshift_hosted/tasks/router/router.yml

https://github.com/kwoodson/openshift-ansible/blob/default_router_cert/roles/openshift_hosted/tasks/router/wildcard_router_cert.yml

If you'd prefer that I close this PR and open another against my branch we can.

if proc.returncode == 0:
    regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)
    match = regex.search(x509output)  # E501
    if not match:
Contributor


These changes need to make it into the src file as the module file (the file under /library/) is autogenerated.

https://github.com/openshift/openshift-ansible/blob/master/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py#L80-L80

Then you can call roles/lib_openshift/src/generate.py to rebuild the lib_openshift/library/ code.

Contributor


I made these changes under my branch.
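A stand-alone check, added here as an example (not code from this PR or from openshift-ansible), that parses the SAN extension with the same regex the reviewed excerpt uses and reports which route hostnames a wildcard router certificate would not cover. The `openssl x509 -text` output and the route hostnames are constructed for the example.

```python
import re

# Constructed sample of `openssl x509 -text -noout` output; not a real certificate.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.apps.example.com, DNS:apps.example.com
    Signature Algorithm: sha256WithRSAEncryption
"""

# Same pattern as in the reviewed module: the SAN header line, then the
# indented line that carries the comma-separated entries.
SAN_RE = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)


def parse_san(x509_text):
    """Return the lower-cased DNS names from the SAN extension, [] if absent."""
    match = SAN_RE.search(x509_text)
    if not match:
        return []
    names = []
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            names.append(entry[len("DNS:"):].lower())
    return names


def san_covers(names, hostname):
    """RFC 6125-style match: '*.' stands for exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    for name in names:
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".apps.example.com"
            if hostname.endswith(suffix):
                left = hostname[:-len(suffix)]
                if left and "." not in left:
                    return True
    return False


def uncovered_routes(x509_text, route_hosts):
    """Route hostnames that the certificate's SAN does not cover."""
    names = parse_san(x509_text)
    return [h for h in route_hosts if not san_covers(names, h)]
```

Routes that sit one label below the wildcard (hawkular-metrics, kibana) are covered; a route nested two labels deep is reported, since a single `*.` label does not span it.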

@enoodle
Contributor Author

enoodle commented Mar 30, 2017

@kwoodson I need this change to allow SSO to Kibana from ManageIQ. In ManageIQ we ask the user to give us the main Openshift CA if he wants to authenticate with it. If the router's certificates do not include a wildcard to use with the logging routes, ManageIQ won't be able to authenticate the router through it and we won't be able to securely initiate the SSO.

I would be happy for you to take over with your branch. You seem to know your way around here better than I do :)
Could you please check in your branch if you don't need something similar to [1] to use the certificates default location? (using the new facts that you created? 👍 ).

[1]https://github.com/enoodle/openshift-ansible/blob/e8aeeef35608b06cd92de9b2f88d6e3a84d5f60e/roles/openshift_hosted/tasks/router/router.yml#L72-L74

@kwoodson
Contributor

kwoodson commented Mar 31, 2017

@enoodle, I can take this over.

Could you please check in your branch if you don't need something similar to [1] to use the certificates default location? (using the new facts that you created? 👍 ).

In theory the set_fact in the wildcard router task include sets the openshift_hosted_router_certificates that are used for the openshift_hosted_routers and thus this will wind up taking the ('/etc/origin/master/' ~ (item.certificates.certfile | basename)) which should result in what we want.

#3821
