diff options
Diffstat (limited to 'roles/openshift_metrics')
19 files changed, 152 insertions, 141 deletions
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index a61b0db5e..f4c61a75e 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -46,11 +46,11 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). testing), `pv` to use persistent volumes (which need to be created before the installation) or `dynamic` for dynamic persistent volumes. -- `openshift_metrics_cassandra_pv_prefix`: The name of persistent volume claims created +- `openshift_metrics_cassandra_pvc_prefix`: The name of persistent volume claims created for cassandra will be this with a serial number appended to the end, starting from 1. -- `openshift_metrics_cassandra_pv_size`: The persistent volume size for each of the +- `openshift_metrics_cassandra_pvc_size`: The persistent volume claim size for each of the Cassandra nodes. - `openshift_metrics_heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index dd5a20d5b..0cfbac8a9 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -17,12 +17,13 @@ openshift_metrics_hawkular_nodeselector: "" openshift_metrics_cassandra_replicas: 1 openshift_metrics_cassandra_storage_type: emptydir -openshift_metrics_cassandra_pv_size: 10Gi +openshift_metrics_cassandra_pvc_size: 10Gi openshift_metrics_cassandra_limits_memory: 2G openshift_metrics_cassandra_limits_cpu: null openshift_metrics_cassandra_requests_memory: 1G openshift_metrics_cassandra_requests_cpu: null openshift_metrics_cassandra_nodeselector: "" +openshift_metrics_cassandra_storage_group: 65534 openshift_metrics_heapster_standalone: False openshift_metrics_heapster_limits_memory: 3.75G @@ -31,6 +32,8 @@ openshift_metrics_heapster_requests_memory: 0.9375G openshift_metrics_heapster_requests_cpu: null openshift_metrics_heapster_nodeselector: "" +openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}" + openshift_metrics_duration: 7 openshift_metrics_resolution: 15s @@ -39,12 +42,11 @@ openshift_metrics_resolution: 15s # overriding the values here ##### -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_node_id: nodename openshift_metrics_project: openshift-infra -openshift_metrics_cassandra_pv_prefix: metrics-cassandra +openshift_metrics_cassandra_pvc_prefix: metrics-cassandra openshift_metrics_hawkular_user_write_access: False diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 16a967aa7..f7cba0093 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -1,26 +1,11 @@ --- -- name: create certificate output directory - file: - path: "{{ openshift_metrics_certs_dir }}" - state: directory - mode: 0700 - -- name: list existing secrets - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - --config={{ mktemp.stdout }}/admin.kubeconfig - get secrets -o name - register: metrics_secrets - changed_when: false - - name: generate ca certificate chain - shell: > + command: > {{ openshift.common.admin_binary }} ca create-signer-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/ca.key' - --cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + --key='{{ mktemp.stdout }}/ca.key' + --cert='{{ mktemp.stdout }}/ca.crt' + --serial='{{ mktemp.stdout }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" - when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists -- include: generate_heapster_certificates.yaml + - include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 9333d341c..854697abb 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,13 +13,13 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd register: cassandra_truststore_password -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password -- stat: path="{{openshift_metrics_certs_dir}}/{{item}}" +- stat: path="{{mktemp.stdout}}/{{item}}" register: pwd_file_stat with_items: - hawkular-metrics.pwd @@ -32,44 +32,33 @@ with_items: "{{pwd_file_stat.results}}" changed_when: no -- name: Create temp directory local on control node - local_action: command mktemp -d - register: local_tmp - changed_when: False - - name: generate password for hawkular metrics and jgroups local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}" with_items: - hawkular-metrics - hawkular-jgroups-keystore - when: "not pwd_files['{{ item }}.pwd'].exists" - name: generate htpasswd file for hawkular metrics local_action: > shell htpasswd -ci '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular < '{{ local_tmp.stdout }}/hawkular-metrics.pwd' - when: "not pwd_files['hawkular-metrics.htpasswd'].exists" - name: copy local generated passwords to target copy: src: "{{local_tmp.stdout}}/{{item}}" - dest: "{{openshift_metrics_certs_dir}}/{{item}}" + dest: "{{mktemp.stdout}}/{{item}}" with_items: - hawkular-metrics.pwd - hawkular-metrics.htpasswd - hawkular-jgroups-keystore.pwd - when: "not pwd_files['{{ item }}'].exists" - include: import_jks_certs.yaml -- local_action: file path="{{local_tmp.stdout}}" state=absent - changed_when: False - - name: read files for the hawkular-metrics secret shell: > printf '%s: ' '{{ item }}' - && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' + && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}' register: hawkular_secrets with_items: - ca.crt diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml index 2449b1518..ced2df1d0 100644 --- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml @@ -3,13 +3,12 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/heapster.key' - --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' + --key='{{ mktemp.stdout }}/heapster.key' + --cert='{{ mktemp.stdout }}/heapster.cert' --hostnames=heapster - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines" block: @@ -17,11 +16,11 @@ slurp: src={{ item }} register: heapster_secret with_items: - - "{{ openshift_metrics_certs_dir }}/heapster.cert" - - "{{ openshift_metrics_certs_dir }}/heapster.key" + - "{{ mktemp.stdout }}/heapster.cert" + - "{{ mktemp.stdout }}/heapster.key" - "{{ client_ca }}" vars: - custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt" + custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt" default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt" client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}" - name: generate heapster secret template diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml index 6524c3f32..e050c8eb2 100644 --- a/roles/openshift_metrics/tasks/generate_rolebindings.yaml +++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml @@ -13,21 +13,3 @@ - kind: ServiceAccount name: hawkular changed_when: no - -- name: generate cluster-reader role binding for the heapster service account - template: - src: rolebinding.j2 - dest: "{{ mktemp.stdout }}/templates/heapster-rolebinding.yaml" - vars: - cluster: True - obj_name: heapster-cluster-reader - labels: - metrics-infra: heapster - roleRef: - kind: ClusterRole - name: cluster-reader - subjects: - - kind: ServiceAccount - name: heapster - namespace: "{{ openshift_metrics_project }}" - changed_when: no diff --git a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml index 94f34d860..e9d70f74f 100644 --- a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml +++ b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml @@ -13,15 +13,3 @@ - name: cassandra secret: hawkular-cassandra-secrets changed_when: no - -- name: Generating serviceaccount for heapster - template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml - vars: - obj_name: heapster - labels: - metrics-infra: support - secrets: - - heapster-secrets - - hawkular-metrics-certificate - - hawkular-metrics-account - changed_when: no diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml index 903d52bff..47d3c5c2e 100644 --- a/roles/openshift_metrics/tasks/generate_services.yaml +++ b/roles/openshift_metrics/tasks/generate_services.yaml @@ -1,17 +1,4 @@ --- -- name: Generate service for heapster - template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml - vars: - obj_name: heapster - ports: - - {port: 80, targetPort: http-endpoint} - selector: - name: "{{obj_name}}" - labels: - metrics-infra: "{{obj_name}}" - name: "{{obj_name}}" - changed_when: no - - name: Generate service for hawkular-metrics template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml vars: diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml index 16fd8d9f8..57ec70c79 100644 --- a/roles/openshift_metrics/tasks/import_jks_certs.yaml +++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml @@ -1,37 +1,37 @@ --- -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore" register: cassandra_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore" register: cassandra_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore" register: metrics_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.truststore" register: metrics_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-jgroups.keystore" register: jgroups_keystore check_mode: no - block: - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd register: metrics_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd register: cassandra_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-jgroups-keystore.pwd register: jgroups_keystore_password - fetch: dest: "{{local_tmp.stdout}}/" - src: "{{ openshift_metrics_certs_dir }}/{{item}}" + src: "{{ mktemp.stdout }}/{{item}}" flat: yes changed_when: False with_items: @@ -52,7 +52,7 @@ changed_when: False - copy: - dest: "{{openshift_metrics_certs_dir}}/" + dest: "{{mktemp.stdout}}/" src: "{{item}}" with_fileglob: "{{local_tmp.stdout}}/*.*store" diff --git a/roles/openshift_metrics/tasks/install_cassandra.yaml b/roles/openshift_metrics/tasks/install_cassandra.yaml index 9e25071af..df39c1e1f 100644 --- a/roles/openshift_metrics/tasks/install_cassandra.yaml +++ b/roles/openshift_metrics/tasks/install_cassandra.yaml @@ -27,12 +27,12 @@ src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra access_modes: - ReadWriteOnce - size: "{{ openshift_metrics_cassandra_pv_size }}" + size: "{{ openshift_metrics_cassandra_pvc_size }}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'pv' changed_when: false @@ -42,14 +42,14 @@ src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra annotations: volume.alpha.kubernetes.io/storage-class: dynamic access_modes: - ReadWriteOnce - size: "{{ openshift_metrics_cassandra_pv_size }}" + size: "{{ openshift_metrics_cassandra_pvc_size }}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'dynamic' changed_when: false diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 1ba11efa8..6b37f85ab 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -17,7 +17,7 @@ changed_when: false - name: read hawkular-metrics route destination ca certificate - slurp: src={{ openshift_metrics_certs_dir }}/ca.crt + slurp: src={{ mktemp.stdout }}/ca.crt register: metrics_route_dest_ca_cert changed_when: false diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml index 44bab8ace..c490bcdd3 100644 --- a/roles/openshift_metrics/tasks/install_heapster.yaml +++ b/roles/openshift_metrics/tasks/install_heapster.yaml @@ -13,3 +13,55 @@ replica_count: "{{heapster_replica_count.stdout | default(0)}}" node_selector: "{{openshift_metrics_heapster_nodeselector | default('') }}" changed_when: no + +- set_fact: + heapster_sa_secrets: ["heapster-secrets"] + +- set_fact: + heapster_sa_secrets: "{{ heapster_sa_secrets + [item] }}" + with_items: + - hawkular-metrics-certificate + - hawkular-metrics-account + when: "not {{ openshift_metrics_heapster_standalone | bool }}" + +- name: Generating serviceaccount for heapster + template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml + vars: + obj_name: heapster + labels: + metrics-infra: support + secrets: "{{ heapster_sa_secrets }}" + changed_when: no + +- name: Generate service for heapster + template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml + vars: + obj_name: heapster + ports: + - {port: 80, targetPort: http-endpoint} + selector: + name: "{{obj_name}}" + labels: + metrics-infra: "{{obj_name}}" + name: "{{obj_name}}" + changed_when: no + +- name: generate cluster-reader role binding for the heapster service account + template: + src: rolebinding.j2 + dest: "{{ mktemp.stdout }}/templates/heapster-rolebinding.yaml" + vars: + cluster: True + obj_name: heapster-cluster-reader + labels: + metrics-infra: heapster + roleRef: + kind: ClusterRole + name: cluster-reader + subjects: + - kind: ServiceAccount + name: heapster + namespace: "{{ openshift_metrics_project }}" + changed_when: no + +- include: generate_heapster_certificates.yaml diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index ddaa54438..66925c113 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,14 +1,5 @@ --- -- name: Check that hawkular_metrics_hostname is set - fail: msg='the openshift_metrics_hawkular_hostname variable is required' - when: openshift_metrics_hawkular_hostname is not defined - -- name: Check the value of openshift_metrics_cassandra_storage_type - fail: - msg: > - openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) - is invalid, must be one of: emptydir, pv, dynamic - when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types +- include: pre_install.yaml - name: Install Metrics include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" @@ -19,6 +10,11 @@ - cassandra loop_control: loop_var: include_file + when: "not {{ openshift_metrics_heapster_standalone | bool }}" + +- name: Install Heapster Standalone + include: install_heapster.yaml + when: "{{ openshift_metrics_heapster_standalone | bool }}" - find: paths={{ mktemp.stdout }}/templates patterns=*.yaml register: object_def_files diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index d03d4176b..1eebff3bf 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -9,6 +9,11 @@ changed_when: False when: "{{ openshift_metrics_install_metrics | bool }}" +- name: Create temp directory local on control node + local_action: command mktemp -d + register: local_tmp + changed_when: False + - name: Copy the admin client config(s) command: > cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig @@ -17,3 +22,9 @@ tags: metrics_init - include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}" + +- name: Delete temp directory + local_action: file path=local_tmp.stdout state=absent + tags: metrics_cleanup + changed_when: False + check_mode: no diff --git a/roles/openshift_metrics/tasks/pre_install.yaml b/roles/openshift_metrics/tasks/pre_install.yaml new file mode 100644 index 000000000..2e2013d40 --- /dev/null +++ b/roles/openshift_metrics/tasks/pre_install.yaml @@ -0,0 +1,21 @@ +--- +- name: Check that hawkular_metrics_hostname is set + fail: msg='the openshift_metrics_hawkular_hostname variable is required' + when: openshift_metrics_hawkular_hostname is not defined + +- name: Check the value of openshift_metrics_cassandra_storage_type + fail: + msg: > + openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) + is invalid, must be one of: emptydir, pv, dynamic + when: + - openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types + - "not {{ openshift_metrics_heapster_standalone | bool }}" + +- name: list existing secrets + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get secrets -o name + register: metrics_secrets + changed_when: false diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 5ca8f4462..199968579 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml @@ -3,50 +3,41 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' - --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' + --key='{{ mktemp.stdout }}/{{ component }}.key' + --cert='{{ mktemp.stdout }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - slurp: src={{item}} register: component_certs with_items: - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.key' + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.crt' - name: generate {{ component }} certificate copy: - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + dest: '{{ mktemp.stdout }}/{{ component }}.pem' content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}" - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' - when: > - not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + dest: '{{ mktemp.stdout }}/{{ component }}-keystore.pwd' -- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd +- slurp: src={{ mktemp.stdout | quote }}/{{ component|quote }}-keystore.pwd register: keystore_password - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' - -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' + -in '{{ mktemp.stdout }}/{{ component }}.pem' + -out '{{ mktemp.stdout }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter -password 'pass:{{keystore_password.content | b64decode }}' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: generate random password for the {{ component }} truststore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' - when: > - not - '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists + dest: '{{ mktemp.stdout | quote }}/{{ component|quote }}-truststore.pwd' diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml index f02774e47..b5a1c8f06 100644 --- a/roles/openshift_metrics/tasks/start_metrics.yaml +++ b/roles/openshift_metrics/tasks/start_metrics.yaml @@ -19,6 +19,8 @@ with_items: "{{metrics_cassandra_rc.stdout_lines}}" loop_control: loop_var: object + when: metrics_cassandra_rc is defined + changed_when: "{{metrics_cassandra_rc | length > 0 }}" - command: > {{openshift.common.client_binary}} @@ -40,6 +42,7 @@ with_items: "{{metrics_metrics_rc.stdout_lines}}" loop_control: loop_var: object + changed_when: "{{metrics_metrics_rc | length > 0 }}" - command: > {{openshift.common.client_binary}} diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml index 5a73443a8..f69bb0f11 100644 --- a/roles/openshift_metrics/tasks/stop_metrics.yaml +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml @@ -41,6 +41,7 @@ with_items: "{{metrics_hawkular_rc.stdout_lines}}" loop_control: loop_var: object + changed_when: "{{metrics_hawkular_rc | length > 0 }}" - command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig @@ -62,3 +63,4 @@ loop_control: loop_var: object when: metrics_cassandra_rc is defined + changed_when: "{{metrics_cassandra_rc | length > 0 }}" diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 876cb1915..504476dc4 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -19,6 +19,9 @@ spec: type: hawkular-cassandra spec: serviceAccount: cassandra + securityContext: + supplementalGroups: + - {{openshift_metrics_cassandra_storage_group}} {% if node_selector is iterable and node_selector | length > 0 %} nodeSelector: {% for key, value in node_selector.iteritems() %} @@ -124,7 +127,7 @@ spec: emptyDir: {} {% else %} persistentVolumeClaim: - claimName: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ node }}" + claimName: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ node }}" {% endif %} - name: hawkular-cassandra-secrets secret: |