diff options
19 files changed, 101 insertions, 112 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index a4a01670a..7741730ad 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -488,11 +488,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_master_logging_public_url=https://kibana.example.com # Configure the number of elastic search nodes, unless you're using dynamic provisioning # this value must be 1 -#openshift_logging_es_cluster_size=1 -#openshift_logging_kibana_hostname=logging.apps.example.com +#openshift_hosted_logging_elasticsearch_cluster_size=1 +#openshift_hosted_logging_hostname=logging.apps.example.com # Configure the prefix and version for the deployer image -#openshift_logging_image_prefix=registry.example.com:8888/openshift3/ -#openshift_logging_image_version=3.3.0 +#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/ +#openshift_hosted_logging_deployer_version=3.3.0 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet') # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant' diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 91ebf9936..3da9be081 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -482,18 +482,18 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # pods are deleted # # Other Logging Options -- Common items you may wish to reconfigure, for the complete -# list of options please see roles/openshift_hosted_logging/README.md +# list of options please see roles/openshift_logging/README.md # # Configure loggingPublicURL in the master config for aggregate logging, defaults # to https://kibana.{{ openshift_master_default_subdomain }} #openshift_master_logging_public_url=https://kibana.example.com # Configure the number of elastic search nodes, unless you're using dynamic provisioning # this value must be 1 -#openshift_logging_es_cluster_size=1 -#openshift_logging_kibana_hostname=logging.apps.example.com +#openshift_hosted_logging_elasticsearch_cluster_size=1 +#openshift_hosted_logging_hostname=logging.apps.example.com # Configure the prefix and version for the deployer image -#openshift_logging_image_prefix=registry.example.com:8888/openshift3/ -#openshift_logging_image_version=3.3.0 +#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/ +#openshift_hosted_logging_deployer_version=3.3.0 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet') # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant' diff --git a/playbooks/adhoc/openshift_hosted_logging_efk.yaml b/playbooks/adhoc/openshift_hosted_logging_efk.yaml index e83351272..44a2ef534 100644 --- a/playbooks/adhoc/openshift_hosted_logging_efk.yaml +++ b/playbooks/adhoc/openshift_hosted_logging_efk.yaml @@ -8,7 +8,7 @@ hosts: masters:!masters[0] pre_tasks: - set_fact: - logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" + openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" tasks: - include_role: name: openshift_logging diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index 7b58eebc3..ca4f5b8b2 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -31,17 +31,17 @@ when: openshift_hosted_metrics_deploy | default(false) | bool - role: openshift_logging when: openshift_hosted_logging_deploy | default(false) | bool - openshift_logging_kibana_hostname: "{{ logging_hostname }}" - openshift_logging_kibana_ops_hostname: "{{ logging_ops_hostname }}" - openshift_logging_master_public_url: "{{ logging_master_public_url }}" - openshift_logging_es_cluster_size: "{{ logging_elasticsearch_cluster_size }}" - openshift_logging_es_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}" - openshift_logging_es_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}" - openshift_logging_es_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}" - openshift_logging_es_ops_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) =='dynamic' else '' }}" + openshift_hosted_logging_hostname: "{{ logging_hostname }}" + openshift_hosted_logging_ops_hostname: "{{ logging_ops_hostname }}" + openshift_hosted_logging_master_public_url: "{{ logging_master_public_url }}" + openshift_hosted_logging_elasticsearch_cluster_size: "{{ logging_elasticsearch_cluster_size }}" + openshift_hosted_logging_elasticsearch_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}" + openshift_hosted_logging_elasticsearch_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}" + openshift_hosted_logging_elasticsearch_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}" + openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) =='dynamic' else '' }}" - role: cockpit-ui when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool ) and not (openshift.docker.hosted_registry_insecure | default(false) | bool) @@ -52,11 +52,11 @@ - hosted pre_tasks: - set_fact: - logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" + openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" tasks: - block: - include_role: - name: openshift_hosted_logging + name: openshift_logging tasks_from: update_master_config when: openshift_hosted_logging_deploy | default(false) | bool diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 9394977c0..f4ec58668 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -24,8 +24,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log - `openshift_logging_image_prefix`: The prefix for the logging images to use. Defaults to 'docker.io/openshift/origin-'. - `openshift_logging_image_version`: The image version for the logging images to use. Defaults to 'latest'. - `openshift_logging_use_ops`: If 'True', set up a second ES and Kibana cluster for infrastructure logs. Defaults to 'False'. -- `master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.cluster.local'. -- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://localhost:8443'. +- `openshift_logging_master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.{{openshift.common.dns_domain}}'. +- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://{{openshift.common.public_hostname}}:8443'. - `openshift_logging_namespace`: The namespace that Aggregated Logging will be installed in. Defaults to 'logging'. - `openshift_logging_curator_default_days`: The default minimum age (in days) Curator uses for deleting log records. Defaults to '30'. - `openshift_logging_curator_run_hour`: The hour of the day that Curator will run at. Defaults to '0'. diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index ead59c029..5a229ee73 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -1,9 +1,9 @@ --- -openshift_logging_image_prefix: docker.io/openshift/origin- -openshift_logging_image_version: latest +openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default(docker.io/openshift/origin-) }}" +openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default(latest) }}" openshift_logging_use_ops: False -master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" -openshift_logging_master_public_url: "https://{{openshift.common.public_hostname}}:8443" +openshift_logging_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" +openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default(https://{{openshift.common.public_hostname}}:8443) }}" openshift_logging_namespace: logging openshift_logging_install_logging: True @@ -19,7 +19,7 @@ openshift_logging_curator_memory_limit: null openshift_logging_curator_ops_cpu_limit: 100m openshift_logging_curator_ops_memory_limit: null -openshift_logging_kibana_hostname: "kibana.{{openshift.common.dns_domain}}" +openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default(kibana.{{openshift.common.dns_domain}}) }}" openshift_logging_kibana_cpu_limit: null openshift_logging_kibana_memory_limit: null openshift_logging_kibana_proxy_debug: false @@ -27,7 +27,7 @@ openshift_logging_kibana_proxy_cpu_limit: null openshift_logging_kibana_proxy_memory_limit: null openshift_logging_kibana_replica_count: 1 -openshift_logging_kibana_ops_hostname: "kibana-ops.{{openshift.common.dns_domain}}" +openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default(kibana-ops.{{openshift.common.dns_domain}}) }}" openshift_logging_kibana_ops_cpu_limit: null openshift_logging_kibana_ops_memory_limit: null openshift_logging_kibana_ops_proxy_debug: false @@ -48,13 +48,13 @@ openshift_logging_es_port: 9200 openshift_logging_es_ca: /etc/fluent/keys/ca openshift_logging_es_client_cert: /etc/fluent/keys/cert openshift_logging_es_client_key: /etc/fluent/keys/key -openshift_logging_es_cluster_size: 1 +openshift_logging_es_cluster_size: "{{ openshift_hosted_logging_elasticsearch_cluster_size | default(1) }}" openshift_logging_es_cpu_limit: null openshift_logging_es_memory_limit: 1024Mi openshift_logging_es_pv_selector: null -openshift_logging_es_pvc_dynamic: False -openshift_logging_es_pvc_size: "" -openshift_logging_es_pvc_prefix: logging-es +openshift_logging_es_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_pvc_dynamic | default(False) }}" +openshift_logging_es_pvc_size: "{{ openshift_hosted_logging_elasticsearch_pvc_size | default('') }}" +openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default(logging-es) }}" openshift_logging_es_recover_after_time: 5m openshift_logging_es_storage_group: 65534 @@ -66,13 +66,13 @@ openshift_logging_es_ops_port: 9200 openshift_logging_es_ops_ca: /etc/fluent/keys/ca openshift_logging_es_ops_client_cert: /etc/fluent/keys/cert openshift_logging_es_ops_client_key: /etc/fluent/keys/key -openshift_logging_es_ops_cluster_size: 1 +openshift_logging_es_ops_cluster_size: "{{ openshift_hosted_logging_elasticsearch_ops_cluster_size | default(1) }}" openshift_logging_es_ops_cpu_limit: null openshift_logging_es_ops_memory_limit: 1024Mi openshift_logging_es_ops_pv_selector: None -openshift_logging_es_ops_pvc_dynamic: False -openshift_logging_es_ops_pvc_size: "" -openshift_logging_es_ops_pvc_prefix: logging-es-ops +openshift_logging_es_ops_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_dynamic | default(False) }}" +openshift_logging_es_ops_pvc_size: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_size | default('') }}" +openshift_logging_es_ops_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_prefix | default(logging-es-ops) }}" openshift_logging_es_ops_recover_after_time: 5m openshift_logging_es_ops_storage_group: 65534 diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2 index de6258eaa..b7bc15b62 100644 --- a/roles/openshift_logging/templates/curator.j2 +++ b/roles/openshift_logging/templates/curator.j2 @@ -48,7 +48,7 @@ spec: env: - name: "K8S_HOST_URL" - value: "{{master_url}}" + value: "{{openshift_logging_master_url}}" - name: "ES_HOST" value: "{{es_host}}" diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2 index b6c91f8ed..223d342b9 100644 --- a/roles/openshift_logging/templates/fluentd.j2 +++ b/roles/openshift_logging/templates/fluentd.j2 @@ -61,7 +61,7 @@ spec: readOnly: true env: - name: "K8S_HOST_URL" - value: "{{master_url}}" + value: "{{openshift_logging_master_url}}" - name: "ES_HOST" value: "{{openshift_logging_es_host}}" - name: "ES_PORT" diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2 index 3a9e03768..be9b45ab4 100644 --- a/roles/openshift_logging/templates/kibana.j2 +++ b/roles/openshift_logging/templates/kibana.j2 @@ -90,7 +90,7 @@ spec: value: kibana-proxy - name: "OAP_MASTER_URL" - value: {{master_url}} + value: {{openshift_logging_master_url}} - name: "OAP_PUBLIC_MASTER_URL" value: {{openshift_logging_master_public_url}} diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 17614f716..0cfbac8a9 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -23,6 +23,7 @@ openshift_metrics_cassandra_limits_cpu: null openshift_metrics_cassandra_requests_memory: 1G openshift_metrics_cassandra_requests_cpu: null openshift_metrics_cassandra_nodeselector: "" +openshift_metrics_cassandra_storage_group: 65534 openshift_metrics_heapster_standalone: False openshift_metrics_heapster_limits_memory: 3.75G @@ -31,6 +32,8 @@ openshift_metrics_heapster_requests_memory: 0.9375G openshift_metrics_heapster_requests_cpu: null openshift_metrics_heapster_nodeselector: "" +openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}" + openshift_metrics_duration: 7 openshift_metrics_resolution: 15s @@ -39,7 +42,6 @@ openshift_metrics_resolution: 15s # overriding the values here ##### -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_node_id: nodename openshift_metrics_project: openshift-infra diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 4925275e8..f7cba0093 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -1,11 +1,11 @@ --- - name: generate ca certificate chain - shell: > + command: > {{ openshift.common.admin_binary }} ca create-signer-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/ca.key' - --cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + --key='{{ mktemp.stdout }}/ca.key' + --cert='{{ mktemp.stdout }}/ca.crt' + --serial='{{ mktemp.stdout }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" - when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists + - include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 9333d341c..854697abb 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,13 +13,13 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd register: cassandra_truststore_password -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password -- stat: path="{{openshift_metrics_certs_dir}}/{{item}}" +- stat: path="{{mktemp.stdout}}/{{item}}" register: pwd_file_stat with_items: - hawkular-metrics.pwd @@ -32,44 +32,33 @@ with_items: "{{pwd_file_stat.results}}" changed_when: no -- name: Create temp directory local on control node - local_action: command mktemp -d - register: local_tmp - changed_when: False - - name: generate password for hawkular metrics and jgroups local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}" with_items: - hawkular-metrics - hawkular-jgroups-keystore - when: "not pwd_files['{{ item }}.pwd'].exists" - name: generate htpasswd file for hawkular metrics local_action: > shell htpasswd -ci '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular < '{{ local_tmp.stdout }}/hawkular-metrics.pwd' - when: "not pwd_files['hawkular-metrics.htpasswd'].exists" - name: copy local generated passwords to target copy: src: "{{local_tmp.stdout}}/{{item}}" - dest: "{{openshift_metrics_certs_dir}}/{{item}}" + dest: "{{mktemp.stdout}}/{{item}}" with_items: - hawkular-metrics.pwd - hawkular-metrics.htpasswd - hawkular-jgroups-keystore.pwd - when: "not pwd_files['{{ item }}'].exists" - include: import_jks_certs.yaml -- local_action: file path="{{local_tmp.stdout}}" state=absent - changed_when: False - - name: read files for the hawkular-metrics secret shell: > printf '%s: ' '{{ item }}' - && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' + && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}' register: hawkular_secrets with_items: - ca.crt diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml index 2449b1518..ced2df1d0 100644 --- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml @@ -3,13 +3,12 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/heapster.key' - --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' + --key='{{ mktemp.stdout }}/heapster.key' + --cert='{{ mktemp.stdout }}/heapster.cert' --hostnames=heapster - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines" block: @@ -17,11 +16,11 @@ slurp: src={{ item }} register: heapster_secret with_items: - - "{{ openshift_metrics_certs_dir }}/heapster.cert" - - "{{ openshift_metrics_certs_dir }}/heapster.key" + - "{{ mktemp.stdout }}/heapster.cert" + - "{{ mktemp.stdout }}/heapster.key" - "{{ client_ca }}" vars: - custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt" + custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt" default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt" client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}" - name: generate heapster secret template diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml index 16fd8d9f8..57ec70c79 100644 --- a/roles/openshift_metrics/tasks/import_jks_certs.yaml +++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml @@ -1,37 +1,37 @@ --- -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore" register: cassandra_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore" register: cassandra_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore" register: metrics_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.truststore" register: metrics_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-jgroups.keystore" register: jgroups_keystore check_mode: no - block: - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd register: metrics_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd register: cassandra_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-jgroups-keystore.pwd register: jgroups_keystore_password - fetch: dest: "{{local_tmp.stdout}}/" - src: "{{ openshift_metrics_certs_dir }}/{{item}}" + src: "{{ mktemp.stdout }}/{{item}}" flat: yes changed_when: False with_items: @@ -52,7 +52,7 @@ changed_when: False - copy: - dest: "{{openshift_metrics_certs_dir}}/" + dest: "{{mktemp.stdout}}/" src: "{{item}}" with_fileglob: "{{local_tmp.stdout}}/*.*store" diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 1ba11efa8..6b37f85ab 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -17,7 +17,7 @@ changed_when: false - name: read hawkular-metrics route destination ca certificate - slurp: src={{ openshift_metrics_certs_dir }}/ca.crt + slurp: src={{ mktemp.stdout }}/ca.crt register: metrics_route_dest_ca_cert changed_when: false diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index d03d4176b..1eebff3bf 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -9,6 +9,11 @@ changed_when: False when: "{{ openshift_metrics_install_metrics | bool }}" +- name: Create temp directory local on control node + local_action: command mktemp -d + register: local_tmp + changed_when: False + - name: Copy the admin client config(s) command: > cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig @@ -17,3 +22,9 @@ tags: metrics_init - include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}" + +- name: Delete temp directory + local_action: file path=local_tmp.stdout state=absent + tags: metrics_cleanup + changed_when: False + check_mode: no diff --git a/roles/openshift_metrics/tasks/pre_install.yaml b/roles/openshift_metrics/tasks/pre_install.yaml index 262acd546..2e2013d40 100644 --- a/roles/openshift_metrics/tasks/pre_install.yaml +++ b/roles/openshift_metrics/tasks/pre_install.yaml @@ -12,12 +12,6 @@ - openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - "not {{ openshift_metrics_heapster_standalone | bool }}" -- name: create certificate output directory - file: - path: "{{ openshift_metrics_certs_dir }}" - state: directory - mode: 0700 - - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 5ca8f4462..199968579 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml @@ -3,50 +3,41 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' - --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' + --key='{{ mktemp.stdout }}/{{ component }}.key' + --cert='{{ mktemp.stdout }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - slurp: src={{item}} register: component_certs with_items: - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.key' + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.crt' - name: generate {{ component }} certificate copy: - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + dest: '{{ mktemp.stdout }}/{{ component }}.pem' content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}" - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' - when: > - not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + dest: '{{ mktemp.stdout }}/{{ component }}-keystore.pwd' -- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd +- slurp: src={{ mktemp.stdout | quote }}/{{ component|quote }}-keystore.pwd register: keystore_password - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' - -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' + -in '{{ mktemp.stdout }}/{{ component }}.pem' + -out '{{ mktemp.stdout }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter -password 'pass:{{keystore_password.content | b64decode }}' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: generate random password for the {{ component }} truststore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' - when: > - not - '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists + dest: '{{ mktemp.stdout | quote }}/{{ component|quote }}-truststore.pwd' diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 6f6efc469..504476dc4 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -19,6 +19,9 @@ spec: type: hawkular-cassandra spec: serviceAccount: cassandra + securityContext: + supplementalGroups: + - {{openshift_metrics_cassandra_storage_group}} {% if node_selector is iterable and node_selector | length > 0 %} nodeSelector: {% for key, value in node_selector.iteritems() %} |