diff options
Diffstat (limited to 'roles/openshift_metrics')
-rw-r--r-- | roles/openshift_metrics/defaults/main.yaml | 2 | ||||
-rwxr-xr-x | roles/openshift_metrics/files/import_jks_certs.sh | 59 | ||||
-rw-r--r-- | roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml | 51 | ||||
-rw-r--r-- | roles/openshift_metrics/tasks/import_jks_certs.yaml | 19 | ||||
-rw-r--r-- | roles/openshift_metrics/tasks/main.yaml | 12 | ||||
-rw-r--r-- | roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 | 25 | ||||
-rw-r--r-- | roles/openshift_metrics/templates/pvc.j2 | 2 | ||||
-rw-r--r-- | roles/openshift_metrics/templates/secret.j2 | 6 | ||||
-rw-r--r-- | roles/openshift_metrics/vars/default_images.yml | 3 | ||||
-rw-r--r-- | roles/openshift_metrics/vars/openshift-enterprise.yml | 3 |
10 files changed, 55 insertions, 127 deletions
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 5921b7bb7..1d3db8a1a 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -1,8 +1,6 @@ --- openshift_metrics_start_cluster: True openshift_metrics_install_metrics: True -openshift_metrics_image_prefix: docker.io/openshift/origin- -openshift_metrics_image_version: latest openshift_metrics_startup_timeout: 500 openshift_metrics_hawkular_replicas: 1 diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh index c8d5bb3d2..f977b6dd6 100755 --- a/roles/openshift_metrics/files/import_jks_certs.sh +++ b/roles/openshift_metrics/files/import_jks_certs.sh @@ -20,12 +20,8 @@ set -ex function import_certs() { dir=$CERT_DIR - hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d) - hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d) - hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d) - hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d) - - cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'` + hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 --decode) + hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 --decode) hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'` if [ ! -f $dir/hawkular-metrics.keystore ]; then @@ -39,56 +35,7 @@ function import_certs() { -deststorepass $hawkular_metrics_keystore_password fi - if [ ! -f $dir/hawkular-cassandra.keystore ]; then - echo "Creating the Hawkular Cassandra keystore from the PEM file" - keytool -importkeystore -v \ - -srckeystore $dir/hawkular-cassandra.pkcs12 \ - -destkeystore $dir/hawkular-cassandra.keystore \ - -srcstoretype PKCS12 \ - -deststoretype JKS \ - -srcstorepass $hawkular_cassandra_keystore_password \ - -deststorepass $hawkular_cassandra_keystore_password - fi - - if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then - echo "Importing the Hawkular Certificate into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \ - -file $dir/hawkular-metrics.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - - if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then - echo "Importing the Cassandra Certificate into the Hawkular Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ - -file $dir/hawkular-cassandra.crt \ - -keystore $dir/hawkular-metrics.truststore \ - -trustcacerts \ - -storepass $hawkular_metrics_truststore_password - fi - - if [[ ! ${cassandra_alias[*]} =~ hawkular-cassandra ]]; then - echo "Importing the Hawkular Cassandra Certificate into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ - -file $dir/hawkular-cassandra.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - - cert_alias_names=(ca metricca cassandraca) - - for cert_alias in ${cert_alias_names[*]}; do - if [[ ! ${cassandra_alias[*]} =~ "$cert_alias" ]]; then - echo "Importing the CA Certificate with alias $cert_alias into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias $cert_alias \ - -file ${dir}/ca.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - done + cert_alias_names=(ca metricca) for cert_alias in ${cert_alias_names[*]}; do if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 61a240a33..01fc1ef64 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,9 +13,6 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd - register: cassandra_truststore_password - - slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password @@ -67,11 +64,8 @@ - hawkular-metrics.pwd - hawkular-metrics.htpasswd - hawkular-cassandra.crt + - hawkular-cassandra.key - hawkular-cassandra.pem - - hawkular-cassandra.keystore - - hawkular-cassandra-keystore.pwd - - hawkular-cassandra.truststore - - hawkular-cassandra-truststore.pwd changed_when: false - set_fact: @@ -136,38 +130,21 @@ - name: generate cassandra secret template template: src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-certs.yaml" vars: - name: hawkular-cassandra-secrets + name: hawkular-cassandra-certs labels: - metrics-infra: hawkular-cassandra + metrics-infra: hawkular-cassandra-certs + annotations: + service.alpha.openshift.io/originating-service-name: hawkular-cassandra data: - cassandra.keystore: > - {{ hawkular_secrets['hawkular-cassandra.keystore'] }} - cassandra.keystore.password: > - {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }} - cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" - cassandra.truststore: > - {{ hawkular_secrets['hawkular-cassandra.truststore'] }} - cassandra.truststore.password: > - {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }} - cassandra.pem: > - {{ hawkular_secrets['hawkular-cassandra.pem'] }} - when: name not in metrics_secrets - changed_when: no - -- name: generate cassandra-certificate secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" - vars: - name: hawkular-cassandra-certificate - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.certificate: > + tls.crt: > {{ hawkular_secrets['hawkular-cassandra.crt'] }} - cassandra-ca.certificate: > - {{ hawkular_secrets['hawkular-cassandra.pem'] }} - when: name not in metrics_secrets.stdout_lines + tls.key: > + {{ hawkular_secrets['hawkular-cassandra.key'] }} + tls.peer.truststore.crt: > + {{ hawkular_secrets['hawkular-cassandra.crt'] }} + tls.client.truststore.crt: > + {{ hawkular_secrets['hawkular-metrics.crt'] }} + when: name not in metrics_secrets changed_when: no diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml index 2a67dad0e..e098145e9 100644 --- a/roles/openshift_metrics/tasks/import_jks_certs.yaml +++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml @@ -1,12 +1,4 @@ --- -- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore" - register: cassandra_keystore - check_mode: no - -- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore" - register: cassandra_truststore - check_mode: no - - stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore" register: metrics_keystore check_mode: no @@ -19,9 +11,6 @@ - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd register: metrics_keystore_password - - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd - register: cassandra_keystore_password - - fetch: dest: "{{local_tmp.stdout}}/" src: "{{ mktemp.stdout }}/{{item}}" @@ -29,18 +18,14 @@ changed_when: False with_items: - hawkular-metrics.pkcs12 - - hawkular-cassandra.pkcs12 - hawkular-metrics.crt - - hawkular-cassandra.crt - ca.crt - local_action: command {{role_path}}/files/import_jks_certs.sh environment: CERT_DIR: "{{local_tmp.stdout}}" METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}" - CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}" METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}" - CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}" changed_when: False - copy: @@ -49,6 +34,4 @@ with_fileglob: "{{local_tmp.stdout}}/*.*store" when: not metrics_keystore.stat.exists or - not metrics_truststore.stat.exists or - not cassandra_keystore.stat.exists or - not cassandra_truststore.stat.exists + not metrics_truststore.stat.exists diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index 1eebff3bf..c8d222c60 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,4 +1,16 @@ --- + +- name: Set default image variables based on deployment_type + include_vars: "{{ item }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + +- name: Set metrics image facts + set_fact: + openshift_metrics_image_prefix: "{{ openshift_metrics_image_prefix | default(__openshift_metrics_image_prefix) }}" + openshift_metrics_image_version: "{{ openshift_metrics_image_version | default(__openshift_metrics_image_version) }}" + - name: Create temp directory for doing work in on target command: mktemp -td openshift-metrics-ansible-XXXXXX register: mktemp diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 504476dc4..889317847 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -48,11 +48,6 @@ spec: - "--require_node_auth=true" - "--enable_client_encryption=true" - "--require_client_auth=true" - - "--keystore_file=/secret/cassandra.keystore" - - "--keystore_password_file=/secret/cassandra.keystore.password" - - "--truststore_file=/secret/cassandra.truststore" - - "--truststore_password_file=/secret/cassandra.truststore.password" - - "--cassandra_pem_file=/secret/cassandra.pem" env: - name: CASSANDRA_MASTER value: "{{ master }}" @@ -60,6 +55,10 @@ spec: value: "/cassandra_data" - name: JVM_OPTS value: "-Dcassandra.commitlog.ignorereplayerrors=true" + - name: TRUSTSTORE_NODES_AUTHORITIES + value: "/hawkular-cassandra-certs/tls.peer.truststore.crt" + - name: TRUSTSTORE_CLIENT_AUTHORITIES + value: "/hawkular-cassandra-certs/tls.client.truststore.crt" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -76,12 +75,12 @@ spec: volumeMounts: - name: cassandra-data mountPath: "/cassandra_data" - - name: hawkular-cassandra-secrets - mountPath: "/secret" -{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) + - name: hawkular-cassandra-certs + mountPath: "/hawkular-cassandra-certs" +{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none) or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none) - or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) + or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) %} resources: {% if (openshift_metrics_cassandra_limits_cpu is not none @@ -95,8 +94,8 @@ spec: memory: "{{openshift_metrics_cassandra_limits_memory}}" {% endif %} {% endif %} -{% if (openshift_metrics_cassandra_requests_cpu is not none - or openshift_metrics_cassandra_requests_memory is not none) +{% if (openshift_metrics_cassandra_requests_cpu is not none + or openshift_metrics_cassandra_requests_memory is not none) %} requests: {% if openshift_metrics_cassandra_requests_cpu is not none %} @@ -129,6 +128,6 @@ spec: persistentVolumeClaim: claimName: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ node }}" {% endif %} - - name: hawkular-cassandra-secrets + - name: hawkular-cassandra-certs secret: - secretName: hawkular-cassandra-secrets + secretName: hawkular-cassandra-certs diff --git a/roles/openshift_metrics/templates/pvc.j2 b/roles/openshift_metrics/templates/pvc.j2 index 885dd368d..c2e56ba21 100644 --- a/roles/openshift_metrics/templates/pvc.j2 +++ b/roles/openshift_metrics/templates/pvc.j2 @@ -4,7 +4,7 @@ metadata: name: "{{obj_name}}" {% if labels is not defined %} labels: - logging-infra: support + metrics-infra: support {% elif labels %} labels: {% for key, value in labels.iteritems() %} diff --git a/roles/openshift_metrics/templates/secret.j2 b/roles/openshift_metrics/templates/secret.j2 index 370890c7d..5b9dba122 100644 --- a/roles/openshift_metrics/templates/secret.j2 +++ b/roles/openshift_metrics/templates/secret.j2 @@ -2,6 +2,12 @@ apiVersion: v1 kind: Secret metadata: name: "{{ name }}" +{% if annotations is defined%} + annotations: +{% for key, value in annotations.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} labels: {% for k, v in labels.iteritems() %} {{ k }}: {{ v }} diff --git a/roles/openshift_metrics/vars/default_images.yml b/roles/openshift_metrics/vars/default_images.yml new file mode 100644 index 000000000..678c4104c --- /dev/null +++ b/roles/openshift_metrics/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_metrics_image_prefix: "{{ openshift_hosted_metrics_deployer_prefix | default('docker.io/openshift/origin-') }}" +__openshift_metrics_image_version: "{{ openshift_hosted_metrics_deployer_version | default('latest') }}" diff --git a/roles/openshift_metrics/vars/openshift-enterprise.yml b/roles/openshift_metrics/vars/openshift-enterprise.yml new file mode 100644 index 000000000..f28c3ce48 --- /dev/null +++ b/roles/openshift_metrics/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_metrics_image_prefix: "{{ openshift_hosted_metrics_deployer_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_metrics_image_version: "{{ openshift_hosted_metrics_deployer_version | default(openshift_release | default ('3.5.0') ) }}" |