From 7cb710f66261ee6367c0b9ee88bced87f1331134 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Thu, 19 Jan 2017 18:17:44 -0600 Subject: Updating to use docker run instead of scheduling jks gen pod --- roles/openshift_logging/tasks/generate_certs.yaml | 60 +++++------------------ 1 file changed, 13 insertions(+), 47 deletions(-) diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index e16071e46..b3826838a 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml 
@@ -85,46 +85,12 @@ loop_control: loop_var: node_name -- name: Check for jks-generator service account - command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get serviceaccount/jks-generator --no-headers -n {{openshift_logging_namespace}} - register: serviceaccount_result - ignore_errors: yes - when: not ansible_check_mode - changed_when: no - -- name: Create jks-generator service account - command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create serviceaccount jks-generator -n {{openshift_logging_namespace}} - when: not ansible_check_mode and "not found" in serviceaccount_result.stderr - -- name: Check for hostmount-anyuid scc entry - command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}' - register: scc_result - when: not ansible_check_mode - changed_when: no - -- name: Add to hostmount-anyuid scc - command: > - {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-scc-to-user hostmount-anyuid -z jks-generator -n {{openshift_logging_namespace}} - when: - - not ansible_check_mode - - scc_result.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:jks-generator") == -1 - - name: Copy JKS generation script copy: src: generate-jks.sh dest: "{{generated_certs_dir}}/generate-jks.sh" check_mode: no -- name: Generate JKS pod template - template: - src: jks_pod.j2 - dest: "{{mktemp.stdout}}/jks_pod.yaml" - check_mode: no - changed_when: no - # check if pod generated files exist -- if they all do don't run the pod - name: Checking for elasticsearch.jks stat: path="{{generated_certs_dir}}/elasticsearch.jks" 
@@ -146,20 +112,20 @@ register: truststore_jks check_mode: no -- name: create JKS generation pod +- name: create JKS generation container command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} -o name - register: podoutput - check_mode: no - when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists - -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{podoutput.stdout}} -o jsonpath='{.status.phase}' -n {{openshift_logging_namespace}} - register: result - until: result.stdout.find("Succeeded") != -1 - retries: 5 - delay: 10 - changed_when: no + docker run + -u 0 + -e "PROJECT={{openshift_logging_namespace}}" + -e "CERT_DIR={{generated_certs_dir}}" + -v "{{generated_certs_dir}}:{{generated_certs_dir}}" + --name "jks_gen_{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(10)}}" + --entrypoint="/bin/bash" + "{{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}" + "{{generated_certs_dir}}/generate-jks.sh" + register: container_output + check_mode: no + become: yes when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists # check for secret/logging-kibana-proxy -- cgit v1.2.3 From 9edfa73d2caeca19472bb369580d10a1c9057c24 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Fri, 20 Jan 2017 14:19:09 -0600 Subject: Removing docker run strategy and make java a requirement for control host --- roles/openshift_logging/README.md | 3 +++ roles/openshift_logging/files/generate-jks.sh | 12 +++++++++++- roles/openshift_logging/tasks/generate_certs.yaml | 16 ++++------------ 3 files changed, 18 insertions(+), 13 deletions(-) 
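Review bot: The `docker run` added in this hunk has no `--rm`, so every run leaves a stopped `jks_gen_*` container behind whose `docker inspect` output records the `PROJECT`/`CERT_DIR` environment and the bind-mounted certificate directory; add `--rm` to the command, or a follow-up task that removes the container named in `container_output`. Because the container runs with `-u 0` under `become: yes`, the keystores it writes into `{{generated_certs_dir}}` end up root-owned on the host, which matters if later tasks read them as the unprivileged Ansible user — a comment stating that this is intended would help. `random_word` does not appear to be a stock Jinja2/Ansible filter, so this presumably depends on a project filter plugin; naming it in a comment would save the next maintainer a search. The task's `when:` line is the last line of the hunk; the tasks that follow are outside it.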
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 2cc2c48ee..07b9cf13e 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -6,6 +6,9 @@ This role is used for installing the Aggregated Logging stack. It should be run a single host, it will create any missing certificates and API objects that the current [logging deployer](https://github.com/openshift/origin-aggregated-logging/tree/master/deployer) does. +This role requires that the control host it is run on has Java installed as part of keystore +generation for Elasticsearch (it uses JKS). + As part of the installation, it is recommended that you add the Fluentd node selector label to the list of persisted [node labels](https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-node-host-labels). diff --git a/roles/openshift_logging/files/generate-jks.sh b/roles/openshift_logging/files/generate-jks.sh index 995ec0b98..9fe557f83 100644 --- a/roles/openshift_logging/files/generate-jks.sh +++ b/roles/openshift_logging/files/generate-jks.sh @@ -1,6 +1,10 @@ #! /bin/sh set -ex +function usage() { + echo Usage: `basename $0` cert_directory [logging_namespace] 1>&2 +} + function generate_JKS_chain() { dir=${SCRATCH_DIR:-_output} ADD_OID=$1 @@ -147,8 +151,14 @@ function createTruststore() { -noprompt -alias sig-ca } -dir="$CERT_DIR" +if [ $# -lt 1 ]; then + usage + exit 1 +fi + +dir=$1 SCRATCH_DIR=$dir +PROJECT=${2:-logging} if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then generate_JKS_client_cert "system.admin" diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index b3826838a..3940ff971 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml 
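Review bot: `dir=$1` is accepted without checking that it names an existing directory, so a mistyped path is only caught later when `keytool`/`openssl` fail under `set -e`, part-way through keystore generation; add `[ -d "$1" ] || { usage; exit 1; }` after the argument-count check. `PROJECT=${2:-logging}` silently defaults the namespace, so a caller that forgets the second argument gets certificates minted for `logging` instead of an error — consider requiring both arguments with `if [ $# -lt 2 ]`. The new `function usage()` adds another bashism (next to the existing `[[ ]]`) to a script whose shebang is `#! /bin/sh`; on hosts where `/bin/sh` is not bash this fails to parse, so either change the shebang to `#!/bin/bash` or write it as `usage() {`. The context line also shows the keystore password `kspass` hardcoded in the `keytool -list` call; not introduced here, but worth a `# TODO: keystore password is fixed` note while this code is being touched. The `if` block at the end of the hunk continues outside it.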
@@ -112,20 +112,12 @@ register: truststore_jks check_mode: no -- name: create JKS generation container - command: > - docker run - -u 0 - -e "PROJECT={{openshift_logging_namespace}}" - -e "CERT_DIR={{generated_certs_dir}}" - -v "{{generated_certs_dir}}:{{generated_certs_dir}}" - --name "jks_gen_{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(10)}}" - --entrypoint="/bin/bash" - "{{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}" - "{{generated_certs_dir}}/generate-jks.sh" - register: container_output +- name: Run JKS generation script + script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}} + register: script_output check_mode: no become: yes + changed_when: script_output.RC == "0" when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists # check for secret/logging-kibana-proxy -- cgit v1.2.3 From d740fd159416783c88839e6e2c2e150eb81b67da Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Fri, 20 Jan 2017 15:17:04 -0600 Subject: Adding to ansible spec and changing logging jks generation to be a local_action --- openshift-ansible.spec | 1 + roles/openshift_logging/README.md | 2 +- roles/openshift_logging/tasks/generate_certs.yaml | 36 +------ roles/openshift_logging/tasks/generate_jks.yaml | 111 ++++++++++++++++++++++ roles/openshift_logging/tasks/main.yaml | 1 - 5 files changed, 115 insertions(+), 36 deletions(-) create mode 100644 roles/openshift_logging/tasks/generate_jks.yaml diff --git a/openshift-ansible.spec b/openshift-ansible.spec index a2940e001..6cc9a893d 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -18,6 +18,7 @@ Requires: python2 Requires: python-six Requires: tar Requires: openshift-ansible-docs = %{version}-%{release} +Requires: java-1.8.0-openjdk-headless %description Openshift and Atomic Enterprise Ansible 
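Review bot: The new task passes `{{generate_certs_dir}}` while the rest of this file (the `stat` tasks in the earlier hunks on this page) uses `generated_certs_dir`, so the first argument to the script is an undefined variable; it should read `script: generate-jks.sh {{generated_certs_dir}} {{openshift_logging_namespace}}`. `changed_when: script_output.RC == "0"` compares against a key the `script` module does not return (it reports an integer `rc`), so this either fails on the undefined attribute or never reports a change; use `changed_when: script_output.rc == 0`. Note that the `script` module copies the script to the target host and runs it there, not on the control host, so the README text added in this commit ("the control host it is run on has Java installed") does not describe where `keytool` is actually invoked by this task. The `when:` line is the last line of the task; the following tasks are outside the hunk.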
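Review bot: The spec now requires `java-1.8.0-openjdk-headless` (for `keytool`), but the README change in the same commit states the control host also needs `openssl` to sign certificates, and no corresponding `Requires: openssl` is added here; add `Requires: openssl` next to the Java line so the package pulls in both tools it documents as prerequisites. The dependency is pinned to the versioned `java-1.8.0-openjdk-headless` package name, so a short comment such as `# keytool, used by roles/openshift_logging/files/generate-jks.sh` would make clear why it exists and what to re-check when the base OS changes its Java package.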
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 07b9cf13e..9b71dc676 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -7,7 +7,7 @@ a single host, it will create any missing certificates and API objects that the [logging deployer](https://github.com/openshift/origin-aggregated-logging/tree/master/deployer) does. This role requires that the control host it is run on has Java installed as part of keystore -generation for Elasticsearch (it uses JKS). +generation for Elasticsearch (it uses JKS) as well as openssl to sign certificates. As part of the installation, it is recommended that you add the Fluentd node selector label to the list of persisted [node labels](https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-node-host-labels). diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index 3940ff971..20e50482e 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml 
@@ -85,40 +85,8 @@ loop_control: loop_var: node_name -- name: Copy JKS generation script - copy: - src: generate-jks.sh - dest: "{{generated_certs_dir}}/generate-jks.sh" - check_mode: no - -# check if pod generated files exist -- if they all do don't run the pod -- name: Checking for elasticsearch.jks - stat: path="{{generated_certs_dir}}/elasticsearch.jks" - register: elasticsearch_jks - check_mode: no - -- name: Checking for logging-es.jks - stat: path="{{generated_certs_dir}}/logging-es.jks" - register: logging_es_jks - check_mode: no - -- name: Checking for system.admin.jks - stat: path="{{generated_certs_dir}}/system.admin.jks" - register: system_admin_jks - check_mode: no - -- name: Checking for truststore.jks - stat: path="{{generated_certs_dir}}/truststore.jks" - register: truststore_jks - check_mode: no - -- name: Run JKS generation script - script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}} - register: script_output - check_mode: no - become: yes - changed_when: script_output.RC == "0" - when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists +- name: Creating necessary JKS certs + include: generate_jks.yaml # check for secret/logging-kibana-proxy - command: > diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml new file mode 100644 index 000000000..adb6c2b2d --- /dev/null +++ b/roles/openshift_logging/tasks/generate_jks.yaml 
@@ -0,0 +1,111 @@ +--- +# check if pod generated files exist -- if they all do don't run the pod +- name: Checking for elasticsearch.jks + stat: path="{{generated_certs_dir}}/elasticsearch.jks" + register: elasticsearch_jks + check_mode: no + +- name: Checking for logging-es.jks + stat: path="{{generated_certs_dir}}/logging-es.jks" + register: logging_es_jks + check_mode: no + +- name: Checking for system.admin.jks + stat: path="{{generated_certs_dir}}/system.admin.jks" + register: system_admin_jks + check_mode: no + +- name: Checking for truststore.jks + stat: path="{{generated_certs_dir}}/truststore.jks" + register: truststore_jks + check_mode: no + +- name: Create temp directory for doing work in + local_action: command mktemp -d /tmp/openshift-logging-ansible-XXXXXX + register: local_tmp + changed_when: False + check_mode: no + +- name: Create placeholder for previously created JKS certs to prevent recreating... + file: + path: "{{local_tmp.stdout}}/elasticsearch.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: elasticsearch_jks.stat.exists + changed_when: False + +- name: Create placeholder for previously created JKS certs to prevent recreating... + file: + path: "{{local_tmp.stdout}}/logging-es.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: logging_es_jks.stat.exists + changed_when: False + +- name: Create placeholder for previously created JKS certs to prevent recreating... + file: + path: "{{local_tmp.stdout}}/system.admin.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: system_admin_jks.stat.exists + changed_when: False + +- name: Create placeholder for previously created JKS certs to prevent recreating... 
+ file: + path: "{{local_tmp.stdout}}/truststore.jks" + state: touch + mode: "u=rw,g=r,o=r" + when: truststore_jks.stat.exists + changed_when: False + +- name: pulling down signing items from host + fetch: + src: "{{generated_certs_dir}}/{{item}}" + dest: "{{local_tmp.stdout}}/{{item}}" + flat: yes + with_items: + - ca.crt + - ca.key + - ca.serial.txt + - ca.crl.srl + - ca.db + +- local_action: template src=signing.conf.j2 dest={{local_tmp.stdout}}/signing.conf + vars: + - top_dir: "{{local_tmp.stdout}}" + +- name: Run JKS generation script + local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}} + check_mode: no + become: yes + when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/elasticsearch.jks" + dest: "{{generated_certs_dir}}/elasticsearch.jks" + when: not elasticsearch_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/logging-es.jks" + dest: "{{generated_certs_dir}}/logging-es.jks" + when: not logging_es_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/system.admin.jks" + dest: "{{generated_certs_dir}}/system.admin.jks" + when: not system_admin_jks.stat.exists + +- name: Pushing locally generated JKS certs to remote host... + copy: + src: "{{local_tmp.stdout}}/truststore.jks" + dest: "{{generated_certs_dir}}/truststore.jks" + when: not truststore_jks.stat.exists + +- name: Cleaning up temp dir + file: + path: "{{local_tmp.stdout}}" + state: absent + changed_when: False diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml index c4ec1b255..4c718805e 100644 --- a/roles/openshift_logging/tasks/main.yaml +++ b/roles/openshift_logging/tasks/main.yaml 
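Review bot: The four placeholder `file: state: touch` tasks and the final "Cleaning up temp dir" task are plain `file:` tasks, not `local_action`, so they execute on the inventory host even though `{{local_tmp.stdout}}` was created by `local_action: command mktemp` on the control host; unless the play targets localhost, the touches fail on a missing parent directory and the cleanup removes nothing where it matters. The security consequence is that `ca.key`, pulled down by the `fetch` task, stays behind in the control host's temp directory; make the cleanup `local_action: file path={{local_tmp.stdout}} state=absent` (or add `delegate_to: localhost` to each of these tasks) so the copy of the CA private key is actually deleted. The `fetch` of `ca.key`/`ca.db`/`ca.serial.txt` also has no `when:`, so the CA key is copied to the control host even when all four keystores already exist and the script task will be skipped; gate it on the same `not … .stat.exists` condition used for the script. The JKS `copy` tasks set no `mode:`, so keystores holding private keys land on the remote with the default umask-derived permissions; `mode: "0600"` is worth adding unless `generated_certs_dir` itself already restricts access, which is not visible here.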
@@ -3,7 +3,6 @@ msg: Only one Fluentd nodeselector key pair should be provided when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1" - - name: Create temp directory for doing work in command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX register: mktemp -- cgit v1.2.3