tripleo-ansible/tripleo_ansible/roles/octavia_controller_check/tasks/main.yml

99 lines
3.2 KiB
YAML

---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Check if octavia CA file exists on host
become: true
stat:
path: "{{ octavia_confd_prefix }}/{{ ca_cert_path }}"
register: ca_file_stat
- name: Get and store CA data
block:
- name: Get CA file if exists
become: true
slurp:
src: "{{ octavia_confd_prefix }}/{{ ca_cert_path }}"
register: ca_file_data
- name: Store CA data
set_fact:
ca_cert: "{{ ca_file_data.content | b64decode }}"
- name: Get remaining validity period of the CA
shell: |
now=$(date +%s)
enddate=$(date +%s -d "$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)")
echo $((enddate - now))
register: validity_period
- name: Force CA update if remaining validity is less than 1 year
set_fact:
force_certs_update: true
when:
- (validity_period.stdout| int) < 31622400 # 31622400 seconds == 366 days
when:
- ca_file_stat.stat.exists | bool
- name: Check if octavia CA private key exists on host
become: true
stat:
path: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
register: ca_key_file_stat
- name: Get and store CA private key
block:
- name: Get CA private key file if exists
become: true
slurp:
src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
register: key_file_data
- name: Store CA private key
set_fact:
ca_private_key: "{{ key_file_data.content | b64decode }}"
- name: Detect if key is encrypted with AES256
shell: grep -q 'AES-256-CBC' {{ octavia_confd_prefix }}/{{ ca_private_key_path }}
failed_when: false
register: ca_private_key_aes_256
- name: Store flag if a private key update is required
set_fact:
force_private_key_update: true
force_certs_update: true
when:
- ca_private_key_aes_256.rc != 0
when:
- ca_key_file_stat.stat.exists | bool
- name: Check if octavia client certificate exists on host
become: true
stat:
path: "{{ octavia_confd_prefix }}/{{ client_cert_path }}"
register: client_cert_file_stat
# TODO(gthiemon) Remove those tasks when we support per-controller and
# per-process client certificates for Octavia.
- name: Get and store client certificate
block:
- name: Get client certificate file if exists
become: true
slurp:
src: "{{ octavia_confd_prefix }}/{{ client_cert_path }}"
register: client_file_data
- name: Store client certificate data
set_fact:
service_pem_content: "{{ client_file_data.content | b64decode }}"
when:
- client_cert_file_stat.stat.exists | bool