From 7a0ce2c534d508f5f06387d181a78a97a31f1e16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= <nicolas.masse@itix.fr>
Date: Mon, 26 Jun 2017 20:57:22 +0200
Subject: [PATCH] switch sso route to reencrypt

---
 roles/sso/tasks/main.yml | 32 +++++++++++++++++++++++++++++++-
 roles/sso/vars/main.yml  |  1 +
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/roles/sso/tasks/main.yml b/roles/sso/tasks/main.yml
index 3e6f3fd..b6471ee 100644
--- a/roles/sso/tasks/main.yml
+++ b/roles/sso/tasks/main.yml
@@ -4,6 +4,26 @@
     set_fact:
       sso_route_name: '{{ "secure-" ~ sso_application_name ~ "-" ~ sso_project ~ "." ~ openshift_master_default_subdomain }}'
     when: sso_route_name is not defined
+    tags: vars
+
+  - name: Get the exiting service account password
+    command: oc get dc {{ sso_application_name }} -n "{{ sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_SERVICE_PASSWORD")].value}'
+    register: password
+    changed_when: false
+    failed_when: false
+    tags: vars
+
+  - name: Re-use the exiting service account password
+    set_fact:
+      sso_service_password: "{{ password.stdout_lines[0] }}"
+    when: 'password.stdout != ""'
+    tags: vars
+
+  - name: Generate a new service account password
+    set_fact:
+      sso_service_password: "{{ lookup('password', '/dev/null length=8') }}"
+    when: 'sso_service_password is not defined'
+    tags: vars
 
   - name: Install java-1.8.0-openjdk-headless (required to use 'keytool')
     yum: name=java-1.8.0-openjdk-headless state=installed
@@ -61,9 +81,19 @@
     command: oc secrets link sso-service-account sso-app-secret -n "{{ sso_project }}"
 
   - name: Process the OpenShift Template and create the OpenShift objects
-    command: oc new-app -n {{ sso_project }} {{ sso_template }} -p "HTTPS_PASSWORD={{ sso_keystore_password }}" -p "JGROUPS_ENCRYPT_PASSWORD={{ sso_keystore_password }}" -p "SSO_REALM={{ sso_realm }}" -p "SSO_ADMIN_USERNAME={{ sso_admin_username }}" -p "APPLICATION_NAME={{ sso_application_name }}"
+    command: oc new-app -n {{ sso_project }} {{ sso_template }} -p "HTTPS_PASSWORD={{ sso_keystore_password }}" -p "JGROUPS_ENCRYPT_PASSWORD={{ sso_keystore_password }}" -p "SSO_REALM={{ sso_realm }}" -p "SSO_ADMIN_USERNAME={{ sso_admin_username }}" -p "APPLICATION_NAME={{ sso_application_name }}" -p "SSO_SERVICE_PASSWORD={{ sso_service_password }}" -p "SSO_SERVICE_USERNAME={{ sso_service_username }}"
     when: deploy_needed
 
+  - name: Extract the CA Cert from the keystore.jks
+    command: creates=cacert.pem keytool -exportcert -alias ssl -keypass "{{ sso_keystore_password }}" -storepass "{{ sso_keystore_password }}" -keystore keystore.jks -file cacert.pem -rfc
+
+  - name: Convert the CA Cert to a JSON String to be used in a JSON Patch
+    command: 'perl -pe ''chomp; print "\\n"'' cacert.pem'
+    register: cacert
+
+  - name: Update the secure route to use "reencrypt" instead of "passthrough"
+    command: 'oc patch route secure-{{ sso_application_name }} -n {{ sso_project }} --type=json -p ''[ { "op": "replace", "path": "/spec/tls/termination", "value": "reencrypt" }, { "op": "replace", "path": "/spec/tls/destinationCACertificate", "value": "{{ cacert.stdout }}" } ]'' '
+
   - name: Get Admin Username
     command: oc get dc {{ sso_application_name }} -n "{{ sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_ADMIN_USERNAME")].value}'
     register: username
diff --git a/roles/sso/vars/main.yml b/roles/sso/vars/main.yml
index 54de7fb..9d4b9ab 100644
--- a/roles/sso/vars/main.yml
+++ b/roles/sso/vars/main.yml
@@ -14,3 +14,4 @@
   sso_keystore_password: secret
   sso_admin_username: admin
   sso_application_name: sso
+  sso_service_username: cli