From 7cb710f66261ee6367c0b9ee88bced87f1331134 Mon Sep 17 00:00:00 2001
From: ewolinetz
Date: Thu, 19 Jan 2017 18:17:44 -0600
Subject: Updating to use docker run instead of scheduling jks gen pod
---
roles/openshift_logging/tasks/generate_certs.yaml | 60 +++++------------------
1 file changed, 13 insertions(+), 47 deletions(-)
(limited to 'roles/openshift_logging/tasks')
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index e16071e46..b3826838a 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -85,46 +85,12 @@
loop_control:
loop_var: node_name

-- name: Check for jks-generator service account
- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get serviceaccount/jks-generator --no-headers -n {{openshift_logging_namespace}}
- register: serviceaccount_result
- ignore_errors: yes
- when: not ansible_check_mode
- changed_when: no
-
-- name: Create jks-generator service account
- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create serviceaccount jks-generator -n {{openshift_logging_namespace}}
- when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
-
-- name: Check for hostmount-anyuid scc entry
- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}'
- register: scc_result
- when: not ansible_check_mode
- changed_when: no
-
-- name: Add to hostmount-anyuid scc
- command: >
- {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-scc-to-user hostmount-anyuid -z jks-generator -n {{openshift_logging_namespace}}
- when:
- not ansible_check_mode
- scc_result.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:jks-generator") == -1
- name: Copy JKS generation script
copy:
src: generate-jks.sh
dest: "{{generated_certs_dir}}/generate-jks.sh"
check_mode: no
-- name: Generate JKS pod template
- template:
- src: jks_pod.j2
- dest: "{{mktemp.stdout}}/jks_pod.yaml"
- check_mode: no
- changed_when: no
-
# check if pod generated files exist -- if they all do don't run the pod
- name: Checking for elasticsearch.jks
stat: path="{{generated_certs_dir}}/elasticsearch.jks"
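Review bot: The removed tasks stop granting `hostmount-anyuid` to the `jks-generator` service account, but nothing in this hunk revokes the grant or deletes the account on clusters that already ran the old role, so an orphaned service account holding a privileged SCC stays behind in `{{openshift_logging_namespace}}` after an upgrade. A best-effort cleanup pair next to the retained copy task would close that: `{{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy remove-scc-from-user hostmount-anyuid -z jks-generator -n {{openshift_logging_namespace}}` followed by `{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig delete serviceaccount jks-generator -n {{openshift_logging_namespace}}`, both with `ignore_errors: yes` so a fresh install is unaffected. The `jks_pod.j2` template that the deleted task rendered is presumably now dead in the role's templates directory, which this diff does not cover; confirm and drop it.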
@@ -146,20 +112,20 @@
register: truststore_jks
check_mode: no

-- name: create JKS generation pod
+- name: create JKS generation container
command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} -o name
- register: podoutput
- check_mode: no
- when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
-
-- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{podoutput.stdout}} -o jsonpath='{.status.phase}' -n {{openshift_logging_namespace}}
- register: result
- until: result.stdout.find("Succeeded") != -1
- retries: 5
- delay: 10
- changed_when: no
+ docker run
+ -u 0
+ -e "PROJECT={{openshift_logging_namespace}}"
+ -e "CERT_DIR={{generated_certs_dir}}"
+ -v "{{generated_certs_dir}}:{{generated_certs_dir}}"
+ --name "jks_gen_{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(10)}}"
+ --entrypoint="/bin/bash"
+ "{{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}"
+ "{{generated_certs_dir}}/generate-jks.sh"
+ register: container_output
+ check_mode: no
+ become: yes
when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists

# check for secret/logging-kibana-proxy
-- cgit v1.2.3
From 9edfa73d2caeca19472bb369580d10a1c9057c24 Mon Sep 17 00:00:00 2001
From: ewolinetz
Date: Fri, 20 Jan 2017 14:19:09 -0600
Subject: Removing docker run strategy and make java a requirement for control host
---
roles/openshift_logging/tasks/generate_certs.yaml | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
(limited to 'roles/openshift_logging/tasks')
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index b3826838a..3940ff971 100644
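Review bot: The `docker run` added here has no `--rm`, so every execution leaves a stopped `jks_gen_*` container on the host whose bind mount of `{{generated_certs_dir}}` — the directory the last commit on this page fetches `ca.key` out of — stays recorded in `docker inspect`, together with the script's stdout/stderr in the container log; add `--rm` on the line after `docker run`. The container also runs as uid 0 (`-u 0`) with that host directory mounted read-write, and the image is selected by the mutable tag `logging-deployer:{{openshift_logging_image_version}}` rather than a digest, so whatever that tag resolves to at run time can rewrite the CA material in place. If generate-jks.sh only reads the signing items and writes the four keystores, a digest-pinned image and a mount narrowed to what it needs would reduce that exposure; the script is not in this diff, so confirm its inputs first.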
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -112,20 +112,12 @@
register: truststore_jks
check_mode: no

-- name: create JKS generation container
- command: >
- docker run
- -u 0
- -e "PROJECT={{openshift_logging_namespace}}"
- -e "CERT_DIR={{generated_certs_dir}}"
- -v "{{generated_certs_dir}}:{{generated_certs_dir}}"
- --name "jks_gen_{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(10)}}"
- --entrypoint="/bin/bash"
- "{{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}"
- "{{generated_certs_dir}}/generate-jks.sh"
- register: container_output
+- name: Run JKS generation script
+ script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}}
+ register: script_output
check_mode: no
become: yes
+ changed_when: script_output.RC == "0"
when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists

# check for secret/logging-kibana-proxy
-- cgit v1.2.3
From d740fd159416783c88839e6e2c2e150eb81b67da Mon Sep 17 00:00:00 2001
From: ewolinetz
Date: Fri, 20 Jan 2017 15:17:04 -0600
Subject: Adding to ansible spec and changing logging jks generation to be a local_action
---
roles/openshift_logging/tasks/generate_certs.yaml | 36 +------
roles/openshift_logging/tasks/generate_jks.yaml | 111 ++++++++++++++++++++++
roles/openshift_logging/tasks/main.yaml | 1 -
3 files changed, 113 insertions(+), 35 deletions(-)
create mode 100644 roles/openshift_logging/tasks/generate_jks.yaml
(limited to 'roles/openshift_logging/tasks')
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index 3940ff971..20e50482e 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
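Review bot: `script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}}` references `generate_certs_dir`, while every other task in this file (the `stat` paths above it and the mount on the removed lines) uses `generated_certs_dir`; under Ansible's default undefined-variable handling the task fails before the script runs, so the argument should read `{{generated_certs_dir}}`. `changed_when: script_output.RC == "0"` is broken the same way: the `script` module registers `rc` (lowercase, an integer), so the expression errors on the missing attribute and, even spelled correctly, would never equal the string `"0"`; write `changed_when: script_output.rc == 0`. Note that with the typo fixed the script still runs on the managed host under `become: yes`, whereas the commit message makes Java a control-host requirement — which host is meant to run keytool should be settled explicitly.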
@@ -85,40 +85,8 @@
loop_control:
loop_var: node_name

-- name: Copy JKS generation script
- copy:
- src: generate-jks.sh
- dest: "{{generated_certs_dir}}/generate-jks.sh"
- check_mode: no
-
-# check if pod generated files exist -- if they all do don't run the pod
-- name: Checking for elasticsearch.jks
- stat: path="{{generated_certs_dir}}/elasticsearch.jks"
- register: elasticsearch_jks
- check_mode: no
-
-- name: Checking for logging-es.jks
- stat: path="{{generated_certs_dir}}/logging-es.jks"
- register: logging_es_jks
- check_mode: no
-
-- name: Checking for system.admin.jks
- stat: path="{{generated_certs_dir}}/system.admin.jks"
- register: system_admin_jks
- check_mode: no
-
-- name: Checking for truststore.jks
- stat: path="{{generated_certs_dir}}/truststore.jks"
- register: truststore_jks
- check_mode: no
-
-- name: Run JKS generation script
- script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}}
- register: script_output
- check_mode: no
- become: yes
- changed_when: script_output.RC == "0"
- when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
+- name: Creating necessary JKS certs
+ include: generate_jks.yaml

# check for secret/logging-kibana-proxy
- command: >
diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml
new file mode 100644
index 000000000..adb6c2b2d
--- /dev/null
+++ b/roles/openshift_logging/tasks/generate_jks.yaml
@@ -0,0 +1,111 @@
+---
+# check if pod generated files exist -- if they all do don't run the pod
+- name: Checking for elasticsearch.jks
+ stat: path="{{generated_certs_dir}}/elasticsearch.jks"
+ register: elasticsearch_jks
+ check_mode: no
+
+- name: Checking for logging-es.jks
+ stat: path="{{generated_certs_dir}}/logging-es.jks"
+ register: logging_es_jks
+ check_mode: no
+
+- name: Checking for system.admin.jks
+ stat: path="{{generated_certs_dir}}/system.admin.jks"
+ register: system_admin_jks
+ check_mode: no
+
+- name: Checking for truststore.jks
+ stat: path="{{generated_certs_dir}}/truststore.jks"
+ register: truststore_jks
+ check_mode: no
+
+- name: Create temp directory for doing work in
+ local_action: command mktemp -d /tmp/openshift-logging-ansible-XXXXXX
+ register: local_tmp
+ changed_when: False
+ check_mode: no
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+ file:
+ path: "{{local_tmp.stdout}}/elasticsearch.jks"
+ state: touch
+ mode: "u=rw,g=r,o=r"
+ when: elasticsearch_jks.stat.exists
+ changed_when: False
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+ file:
+ path: "{{local_tmp.stdout}}/logging-es.jks"
+ state: touch
+ mode: "u=rw,g=r,o=r"
+ when: logging_es_jks.stat.exists
+ changed_when: False
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+ file:
+ path: "{{local_tmp.stdout}}/system.admin.jks"
+ state: touch
+ mode: "u=rw,g=r,o=r"
+ when: system_admin_jks.stat.exists
+ changed_when: False
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+ file:
+ path: "{{local_tmp.stdout}}/truststore.jks"
+ state: touch
+ mode: "u=rw,g=r,o=r"
+ when: truststore_jks.stat.exists
+ changed_when: False
+
+- name: pulling down signing items from host
+ fetch:
+ src: "{{generated_certs_dir}}/{{item}}"
+ dest: "{{local_tmp.stdout}}/{{item}}"
+ flat: yes
+ with_items:
+ - ca.crt
+ - ca.key
+ - ca.serial.txt
+ - ca.crl.srl
+ - ca.db
+
+- local_action: template src=signing.conf.j2 dest={{local_tmp.stdout}}/signing.conf
+ vars:
+ - top_dir: "{{local_tmp.stdout}}"
+
+- name: Run JKS generation script
+ local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}}
+ check_mode: no
+ become: yes
+ when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+ copy:
+ src: "{{local_tmp.stdout}}/elasticsearch.jks"
+ dest: "{{generated_certs_dir}}/elasticsearch.jks"
+ when: not elasticsearch_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+ copy:
+ src: "{{local_tmp.stdout}}/logging-es.jks"
+ dest: "{{generated_certs_dir}}/logging-es.jks"
+ when: not logging_es_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+ copy:
+ src: "{{local_tmp.stdout}}/system.admin.jks"
+ dest: "{{generated_certs_dir}}/system.admin.jks"
+ when: not system_admin_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+ copy:
+ src: "{{local_tmp.stdout}}/truststore.jks"
+ dest: "{{generated_certs_dir}}/truststore.jks"
+ when: not truststore_jks.stat.exists
+
+- name: Cleaning up temp dir
+ file:
+ path: "{{local_tmp.stdout}}"
+ state: absent
+ changed_when: False
diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml
index c4ec1b255..4c718805e 100644
--- a/roles/openshift_logging/tasks/main.yaml
+++ b/roles/openshift_logging/tasks/main.yaml
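Review bot: The four placeholder tasks and the final `Cleaning up temp dir` task are plain `file:` tasks with no `local_action` or `delegate_to`, so they run on the managed host against a `{{local_tmp.stdout}}` path that `mktemp -d` created on the control host: the placeholder touch has no parent directory there when a keystore already exists, and the cleanup never removes the control-host directory into which `fetch` just copied `ca.key`, `ca.db` and the serial file, so the CA private key and the freshly generated keystores stay under `/tmp` on the controller after every run. Add `delegate_to: localhost` to each of those five tasks, or write them as `local_action: file ...` like the `mktemp`, `template` and `script` tasks already are. Even once it runs locally the cleanup is an ordinary task, so a failure in `Run JKS generation script` or any of the `copy` tasks skips it; putting the fetch/generate/copy steps in a `block:` with the removal under `always:` makes the temp-dir deletion unconditional. `become: yes` on the `local_action: script` also runs the generator as root on the control host and leaves root-owned files inside a user-owned `mktemp` directory; if generate-jks.sh (not in this diff) does not need root, drop it.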
@@ -3,7 +3,6 @@
msg: Only one Fluentd nodeselector key pair should be provided
when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1"
-

- name: Create temp directory for doing work in
command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
register: mktemp
-- cgit v1.2.3