authorScott Dodson <sdodson@redhat.com>2017-05-19 09:17:58 -0400
committerGitHub <noreply@github.com>2017-05-19 09:17:58 -0400
commitb61044dfa3669d79bd5e99c846ad4d10de172583 (patch)
tree887eead3d5010b4e0bb22ec6e9235528536f549e /roles/openshift_logging/tasks/generate_secrets.yaml
parent129dd9ccfb329ea296ad526acd4adf02c4004864 (diff)
parenta4c6ae5af5237bc4c09476be1c12e61b9d41fb9b (diff)
Merge pull request #4073 from richm/logging-es-route
add ability to expose Elasticsearch as an external route
Diffstat (limited to 'roles/openshift_logging/tasks/generate_secrets.yaml')
-rw-r--r--roles/openshift_logging/tasks/generate_secrets.yaml28
1 files changed, 28 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/generate_secrets.yaml b/roles/openshift_logging/tasks/generate_secrets.yaml
index c1da49fd8..b629bd995 100644
--- a/roles/openshift_logging/tasks/generate_secrets.yaml
+++ b/roles/openshift_logging/tasks/generate_secrets.yaml
@@ -99,3 +99,31 @@
when: logging_es_secret.stdout is defined
check_mode: no
changed_when: no
+
+- name: Retrieving the cert to use when generating secrets for Elasticsearch external route
+ slurp: src="{{generated_certs_dir}}/{{item.file}}"
+ register: es_key_pairs
+ with_items:
+ - { name: "ca_file", file: "ca.crt" }
+ - { name: "es_key", file: "system.logging.es.key"}
+ - { name: "es_cert", file: "system.logging.es.crt"}
+ when: openshift_logging_es_allow_external | bool
+
+- name: Generating secrets for Elasticsearch external route
+ template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
+ vars:
+ secret_name: "logging-{{component}}"
+ secret_key_file: "{{component}}_key"
+ secret_cert_file: "{{component}}_cert"
+ secrets:
+ - {key: ca, value: "{{es_key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
+ - {key: key, value: "{{es_key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
+ - {key: cert, value: "{{es_key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
+ secret_keys: ["ca", "cert", "key"]
+ with_items:
+ - es
+ loop_control:
+ loop_var: component
+ check_mode: no
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool
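Review bot: Neither added task sets `no_log: true`, although the first one slurps the private key `system.logging.es.key` into `es_key_pairs` and the second passes its decoded value through `secrets`. At higher verbosity or with a logging callback, the registered slurp result (base64 content) and the per-item results could therefore end up in Ansible output; adding `no_log: true` to both tasks avoids that. The template task also sets no `mode`, so the rendered `{{secret_name}}-secret.yaml` takes whatever the umask gives it; `mode: "0600"` would keep the file owner-only, unless the `mktemp` directory, which is created outside this hunk, is already restricted. As a style point, `check_mode: no` and `changed_when: no` would be safer written as `false`.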