From 04c1500801f4d88635001bda1e4f73473fe8e33a Mon Sep 17 00:00:00 2001
From: Jeff Cantrill
Date: Tue, 29 Nov 2016 16:31:13 -0500
Subject: Bruno Barcarol GuimarĂ£es work to move metrics to ansible from deployer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
roles/openshift_metrics/defaults/main.yaml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 roles/openshift_metrics/defaults/main.yaml
(limited to 'roles/openshift_metrics/defaults')
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
new file mode 100644
index 000000000..cb4fbdee2
--- /dev/null
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -0,0 +1,17 @@
+---
+image_prefix: docker.io/openshift/origin-
+image_version: latest
+master_url: https://kubernetes.default.svc.cluster.local
+
+hawkular_user_write_access: False
+hawkular_cassandra_nodes: 1
+hawkular_cassandra_storage_type: emptydir
+hawkular_cassandra_pv_prefix: metrics-cassandra
+hawkular_cassandra_pv_size: 10Gi
+
+heapster_standalone: False
+heapster_allowed_users: system:master-proxy
+
+metrics_duration: 7
+metrics_resolution: 15s
+metrics_node_id: nodename
-- cgit v1.2.3
From f3f1f610c9e0fdf8115dd8ea61e647080ad42006 Mon Sep 17 00:00:00 2001
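Review bot: `hawkular_user_write_access: False` and `heapster_standalone: False` in the new defaults file use Python-style capitalised booleans; PyYAML, and therefore Ansible, reads them as booleans, but yamllint's `truthy` rule rejects them and the canonical spelling is `hawkular_user_write_access: false` and `heapster_standalone: false`. `image_version: latest` also makes the default deployment follow a mutable tag, so two runs of the role can pull different images for the same inventory; a pinned release tag as the default, with `latest` left to explicit overrides, keeps the installed version reproducible and auditable. The same `False` spellings survive the variable rename in the second commit's defaults hunk.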
From: Jeff Cantrill Date: Wed, 30 Nov 2016 12:12:14 -0500 Subject: prefix vars with metrics role (#4) --- roles/openshift_metrics/README.md | 28 +++++++++++----------- roles/openshift_metrics/defaults/main.yaml | 27 +++++++++++---------- roles/openshift_metrics/tasks/cleanup.yaml | 4 ++-- .../tasks/generate_certificates.yaml | 8 +++---- .../tasks/generate_rolebindings.yaml | 2 +- .../openshift_metrics/tasks/install_hawkular.yaml | 18 +++++++------- roles/openshift_metrics/tasks/main.yaml | 12 +++++----- .../templates/hawkular_cassandra_rc.j2 | 6 ++--- .../templates/hawkular_metrics_rc.j2 | 10 ++++---- roles/openshift_metrics/templates/heapster.j2 | 14 +++++------ roles/openshift_metrics/vars/main.yaml | 2 +- 11 files changed, 66 insertions(+), 65 deletions(-) (limited to 'roles/openshift_metrics/defaults') diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index ac5353886..b79b472d3 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -8,9 +8,9 @@ Requirements The following variables need to be set and will be validated: -- `metrics_hostname`: hostname used on the hawkular metrics route. +- `openshift_metrics_hostname`: hostname used on the hawkular metrics route. -- `metrics_project`: project (i.e. namespace) where the components will be +- `openshift_metrics_project`: project (i.e. namespace) where the components will be deployed. 
@@ -19,45 +19,45 @@ Role Variables For default values, see [`defaults/main.yaml`](defaults/main.yaml). -- `image_prefix`: Specify prefix for metrics components; e.g for +- `openshift_metrics_image_prefix`: Specify prefix for metrics components; e.g for "openshift/origin-metrics-deployer:v1.1", set prefix "openshift/origin-". -- `image_version`: Specify version for metrics components; e.g. for +- `openshift_metrics_image_version`: Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:v1.1", set version "v1.1". -- `master_url`: Internal URL for the master, for authentication retrieval. +- `openshift_metrics_master_url`: Internal URL for the master, for authentication retrieval. -- `hawkular_user_write_access`: If user accounts should be able to write +- `openshift_metrics_hawkular_user_write_access`: If user accounts should be able to write metrics. Defaults to 'false' so that only Heapster can write metrics and not individual users. It is recommended to disable user write access, if enabled any user will be able to write metrics to the system which can affect performance and use Cassandra disk usage to unpredictably increase. -- `hawkular_cassandra_nodes`: The number of Cassandra Nodes to deploy for the +- `openshift_metrics_hawkular_cassandra_nodes`: The number of Cassandra Nodes to deploy for the initial cluster. -- `hawkular_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for +- `openshift_metrics_hawkular_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for testing), `pv` to use persistent volumes (which need to be created before the installation) or `dynamic` for dynamic persistent volumes. -- `hawkular_cassandra_pv_prefix`: The name of persistent volume claims created +- `openshift_metrics_hawkular_cassandra_pv_prefix`: The name of persistent volume claims created for cassandra will be this with a serial number appended to the end, starting from 1. 
-- `hawkular_cassandra_pv_size`: The persistent volume size for each of the +- `openshift_metrics_hawkular_cassandra_pv_size`: The persistent volume size for each of the Cassandra nodes. -- `heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and +- `openshift_metrics_heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and Cassandra components. -- `heapster_allowed_users`: A comma-separated list of CN to accept. By +- `openshift_metrics_heapster_allowed_users`: A comma-separated list of CN to accept. By default, this is set to allow the OpenShift service proxy to connect. If you override this, make sure to add `system:master-proxy` to the list in order to allow horizontal pod autoscaling to function properly. -- `metrics_duration`: How many days metrics should be stored for. +- `openshift_metrics_duration`: How many days metrics should be stored for. -- `metrics_resolution`: How often metrics should be gathered. +- `openshift_metrics_resolution`: How often metrics should be gathered. Dependencies diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index cb4fbdee2..8d2ff8a62 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml 
@@ -1,17 +1,18 @@ --- -image_prefix: docker.io/openshift/origin- -image_version: latest -master_url: https://kubernetes.default.svc.cluster.local +openshift_metrics_image_prefix: docker.io/openshift/origin- +openshift_metrics_image_version: latest +openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local +openshift_metrics_project: openshift-infra -hawkular_user_write_access: False -hawkular_cassandra_nodes: 1 -hawkular_cassandra_storage_type: emptydir -hawkular_cassandra_pv_prefix: metrics-cassandra -hawkular_cassandra_pv_size: 10Gi +openshift_metrics_hawkular_user_write_access: False +openshift_metrics_hawkular_cassandra_nodes: 1 +openshift_metrics_hawkular_cassandra_storage_type: emptydir +openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra +openshift_metrics_hawkular_cassandra_pv_size: 10Gi -heapster_standalone: False -heapster_allowed_users: system:master-proxy +openshift_metrics_heapster_standalone: False +openshift_metrics_heapster_allowed_users: system:master-proxy -metrics_duration: 7 -metrics_resolution: 15s -metrics_node_id: nodename +openshift_metrics_duration: 7 +openshift_metrics_resolution: 15s +openshift_metrics_node_id: nodename diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml index a61fed7b4..a29faef31 100644 --- a/roles/openshift_metrics/tasks/cleanup.yaml +++ b/roles/openshift_metrics/tasks/cleanup.yaml 
@@ -1,14 +1,14 @@ --- - name: remove metrics components command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' delete --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" - name: remove rolebindings command: > - {{ openshift.common.client_binary }} -n {{ metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index b1ecf46b9..9f6a3348e 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -25,14 +25,14 @@ # TODO maybe there's an easier way to get the service accounts' ca crt? - name: get heapster service account secrets shell: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' get serviceaccount/default --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' | grep ^default-token- register: sa_secret - name: get heapster service account ca command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' get 'secret/{{ sa_secret.stdout }}' --template '{{ '{{index .data "ca.crt"}}' }}' register: sa_secret 
@@ -54,12 +54,12 @@ heapster.cert: "{{ heapster_secret.results[0].stdout }}" heapster.key: "{{ heapster_secret.results[1].stdout }}" heapster.client-ca: "{{ sa_secret.stdout }}" - heapster.allowed-users: "{{ heapster_allowed_users|b64encode }}" + heapster.allowed-users: "{{ openshift_metrics_heapster_allowed_users|b64encode }}" - name: generate hawkular-metrics certificates include: setup_certificate.yaml vars: component: hawkular-metrics - hostnames: "hawkular-metrics,{{ hawkular_metrics_hostname }}" + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml index d1bc7374a..9a72b24fe 100644 --- a/roles/openshift_metrics/tasks/generate_rolebindings.yaml +++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml @@ -27,4 +27,4 @@ subjects: - kind: ServiceAccount name: heapster - namespace: "{{ metrics_project }}" + namespace: "{{ openshift_metrics_project }}" diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 670396f6e..9a39cce34 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
@@ -10,35 +10,35 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ hawkular_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} - name: generate hawkular-cassandra persistent volume claims template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra access_modes: - ReadWriteOnce - size: "{{ hawkular_cassandra_pv_size }}" - with_sequence: count={{ hawkular_cassandra_nodes }} - when: hawkular_cassandra_storage_type == 'pv' + size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + when: openshift_metrics_hawkular_cassandra_storage_type == 'pv' - name: generate hawkular-cassandra persistent volume claims (dynamic) template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra annotations: volume.alpha.kubernetes.io/storage-class: dynamic access_modes: - ReadWriteOnce - size: "{{ hawkular_cassandra_pv_size }}" - with_sequence: count={{ hawkular_cassandra_nodes }} - when: hawkular_cassandra_storage_type == 'dynamic' + size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' - name: generate the hawkular-metrics route template: src: route.j2 diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index e9a5fbebd..79aae1e0b 100644 --- a/roles/openshift_metrics/tasks/main.yaml 
+++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,13 +1,13 @@ --- - name: check that hawkular_metrics_hostname is set - fail: msg='the hawkular_metrics_hostname variable is required' - when: "{{ hawkular_metrics_hostname is not defined }}" -- name: check the value of hawkular_cassandra_storage_type + fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' + when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}" +- name: check the value of openshift_metrics_hawkular_cassandra_storage_type fail: msg: > - hawkular_cassandra_storage_type ({{ hawkular_cassandra_storage_type }}) + openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }}) is invalid, must be one of: emptydir, pv, dynamic - when: hawkular_cassandra_storage_type not in hawkular_cassandra_storage_types + when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types - name: Install Metrics include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" with_items: @@ -18,7 +18,7 @@ loop_var: include_file - name: create objects command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' apply -f {{ item }} with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index bb8866263..525f32859 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -20,7 +20,7 @@ spec: spec: serviceAccount: cassandra containers: - - image: "{{ image_prefix }}metrics-cassandra:{{ image_version }}" + - image: "{{ openshift_metrics_image_prefix }}metrics-cassandra:{{ openshift_metrics_image_version }}" name: hawkular-cassandra-{{ node }} ports: - name: cql-port 
@@ -83,11 +83,11 @@ spec: terminationGracePeriodSeconds: 1800 volumes: - name: cassandra-data -{% if hawkular_cassandra_storage_type == 'emptydir' %} +{% if openshift_metrics_hawkular_cassandra_storage_type == 'emptydir' %} emptyDir: {} {% else %} persistentVolumeClaim: - claimName: "{{ hawkular_cassandra_pv_prefix }}-{{ node }}" + claimName: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ node }}" {% endif %} - name: hawkular-cassandra-secrets secret: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index bcfe9dc84..6f1275809 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 @@ -18,7 +18,7 @@ spec: spec: serviceAccount: hawkular containers: - - image: {{image_prefix}}metrics-hawkular-metrics:{{image_version}} + - image: {{openshift_metrics_image_prefix}}metrics-hawkular-metrics:{{openshift_metrics_image_version}} name: hawkular-metrics ports: - name: http-endpoint @@ -36,7 +36,7 @@ spec: - "-Dhawkular.metrics.openshift.auth-methods=openshift-oauth,htpasswd" - "-Dhawkular.metrics.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file" - "-Dhawkular.metrics.allowed-cors-access-control-allow-headers=authorization" - - "-Dhawkular.metrics.default-ttl={{metrics_duration}}" + - "-Dhawkular.metrics.default-ttl={{openshift_metrics_duration}}" - "-Dhawkular-alerts.cassandra-nodes=hawkular-cassandra" - "-Dhawkular-alerts.cassandra-use-ssl" - "-Dhawkular.alerts.openshift.auth-methods=openshift-oauth,htpasswd" 
@@ -44,8 +44,8 @@ spec: - "-Dhawkular.alerts.allowed-cors-access-control-allow-headers=authorization" - "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true" - "-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true" - - "-DKUBERNETES_MASTER_URL={{master_url}}" - - "-DUSER_WRITE_ACCESS={{hawkular_user_write_access}}" + - "-DKUBERNETES_MASTER_URL={{openshift_metrics_master_url}}" + - "-DUSER_WRITE_ACCESS={{openshift_metrics_hawkular_user_write_access}}" - "--hmw.keystore=/secrets/hawkular-metrics.keystore" - "--hmw.truststore=/secrets/hawkular-metrics.truststore" - "--hmw.keystore_password_file=/secrets/hawkular-metrics.keystore.password" @@ -59,7 +59,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: MASTER_URL - value: "{{ master_url }}" + value: "{{ openshift_metrics_master_url }}" - name: OPENSHIFT_KUBE_PING_NAMESPACE valueFrom: fieldRef: diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index 779be0145..e4b4b9739 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 
@@ -20,29 +20,29 @@ spec: serviceAccountName: heapster containers: - name: heapster - image: {{image_prefix}}metrics-heapster:{{image_version}} + image: {{openshift_metrics_image_prefix}}metrics-heapster:{{openshift_metrics_image_version}} ports: - containerPort: 8082 name: "http-endpoint" command: - "heapster-wrapper.sh" - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users" - - "--source=kubernetes:{{master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250" + - "--source=kubernetes:{{openshift_metrics_master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250" - "--tls_cert=/secrets/heapster.cert" - "--tls_key=/secrets/heapster.key" - "--tls_client_ca=/secrets/heapster.client-ca" - "--allowed_users=%allowed_users%" - - "--metric_resolution={{metrics_resolution}}" -{% if not heapster_standalone %} + - "--metric_resolution={{openshift_metrics_resolution}}" +{% if not openshift_metrics_heapster_standalone %} - "--wrapper.username_file=/hawkular-account/hawkular-metrics.username" - "--wrapper.password_file=/hawkular-account/hawkular-metrics.password" - "--wrapper.endpoint_check=https://hawkular-metrics:443/hawkular/metrics/status" - - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)" + - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{openshift_metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)" {% endif %} volumeMounts: - name: heapster-secrets mountPath: "/secrets" -{% if not heapster_standalone %} +{% if not openshift_metrics_heapster_standalone %} - name: hawkular-metrics-certificate mountPath: "/hawkular-cert" - name: hawkular-metrics-account 
@@ -56,7 +56,7 @@ spec: - name: heapster-secrets secret: secretName: heapster-secrets -{% if not heapster_standalone %} +{% if not openshift_metrics_heapster_standalone %} - name: hawkular-metrics-certificate secret: secretName: hawkular-metrics-certificate diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml index eb02a87fd..25307c23c 100644 --- a/roles/openshift_metrics/vars/main.yaml +++ b/roles/openshift_metrics/vars/main.yaml @@ -1,4 +1,4 @@ -hawkular_cassandra_storage_types: +openshift_metrics_hawkular_cassandra_storage_types: - emptydir - pv - dynamic -- cgit v1.2.3 From b6ce0464142403785a7ba8eae664286082f4d30e Mon Sep 17 00:00:00 2001 From: Bruno Barcarol GuimarĂ£es Date: Mon, 5 Dec 2016 16:34:32 +0000 Subject: Custom certificates (#5) * Generate secrets on a persistent directory. * Split certificate generation files. * Custom certificates. * Minor fixes. - use `slurp` instead of `shell: base64` - fix route hostname * Updates on origin-metrics. --- roles/openshift_metrics/README.md | 3 + roles/openshift_metrics/defaults/main.yaml | 3 + .../tasks/generate_certificates.yaml | 237 ++------------------- .../tasks/generate_hawkular_certificates.yaml | 227 ++++++++++++++++++++ .../tasks/generate_heapster_certificates.yaml | 39 ++++ .../openshift_metrics/tasks/install_hawkular.yaml | 8 +- roles/openshift_metrics/tasks/install_metrics.yaml | 2 +- .../openshift_metrics/tasks/setup_certificate.yaml | 60 +++--- .../templates/hawkular_cassandra_rc.j2 | 2 + .../templates/hawkular_metrics_rc.j2 | 2 + roles/openshift_metrics/templates/heapster.j2 | 5 +- 11 files changed, 330 insertions(+), 258 deletions(-) create mode 100644 roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml create mode 100644 roles/openshift_metrics/tasks/generate_heapster_certificates.yaml (limited to 'roles/openshift_metrics/defaults') 
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index b79b472d3..092844870 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -55,6 +55,9 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). override this, make sure to add `system:master-proxy` to the list in order to allow horizontal pod autoscaling to function properly. +- `openshift_metrics_startup_timeout`: How long in seconds we should wait until + Hawkular Metrics and Heapster starts up before attempting a restart. + - `openshift_metrics_duration`: How many days metrics should be stored for. - `openshift_metrics_resolution`: How often metrics should be gathered. diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 8d2ff8a62..4b5ecadbf 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -3,12 +3,15 @@ openshift_metrics_image_prefix: docker.io/openshift/origin- openshift_metrics_image_version: latest openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_project: openshift-infra +openshift_metrics_startup_timeout: 500 openshift_metrics_hawkular_user_write_access: False openshift_metrics_hawkular_cassandra_nodes: 1 openshift_metrics_hawkular_cassandra_storage_type: emptydir openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra openshift_metrics_hawkular_cassandra_pv_size: 10Gi +openshift_metrics_certs_dir: > + {{ openshift.common.config_base }}/master/metrics openshift_metrics_heapster_standalone: False openshift_metrics_heapster_allowed_users: system:master-proxy diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 9f6a3348e..92ce919a1 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml 
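Review bot: `openshift_metrics_certs_dir: >` is a clip-chomped folded scalar, which keeps one trailing newline, so the default renders as `…/master/metrics` followed by `\n` and every `{{ openshift_metrics_certs_dir }}/…` path the task files build from it carries that newline into `file` paths and `keytool`/`oc adm ca` arguments; use the strip indicator, `openshift_metrics_certs_dir: >-`, or the plain one-liner `openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"`. Ansible's templater generally preserves a trailing newline on a templated string, so this is worth confirming with a quick `debug` of the variable rather than assuming it is stripped. `openshift_metrics_startup_timeout: 500` is documented in the README hunk above as seconds, which the key name does not convey; a trailing `# seconds` comment on the default keeps the two in step.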
@@ -1,233 +1,22 @@ --- -# TODO idempotency? -# TODO support providing custom certificates - name: create certificate output directory file: - path: "{{ mktemp.stdout }}/certs" + path: "{{ openshift_metrics_certs_dir }}" state: directory mode: 0700 +- name: list existing secrets + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + get secrets -o name + register: metrics_secrets + changed_when: false - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert - --key='{{ mktemp.stdout }}/certs/ca.key' - --cert='{{ mktemp.stdout }}/certs/ca.crt' - --serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --key='{{ openshift_metrics_certs_dir }}/ca.key' + --cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" -- name: generate heapster key/cert - command: > - {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/heapster.key' - --cert='{{ mktemp.stdout }}/certs/heapster.cert' - --hostnames=heapster - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' -# TODO maybe there's an easier way to get the service accounts' ca crt? 
-- name: get heapster service account secrets - shell: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get serviceaccount/default - --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' - | grep ^default-token- - register: sa_secret -- name: get heapster service account ca - command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get 'secret/{{ sa_secret.stdout }}' - --template '{{ '{{index .data "ca.crt"}}' }}' - register: sa_secret -- name: read files for the heapster secret - command: base64 --wrap 0 "{{ mktemp.stdout }}/certs/heapster.{{ item }}" - register: heapster_secret - with_items: - - cert - - key -- name: generate heapster secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml" - vars: - name: heapster-secrets - labels: - metrics-infra: heapster - data: - heapster.cert: "{{ heapster_secret.results[0].stdout }}" - heapster.key: "{{ heapster_secret.results[1].stdout }}" - heapster.client-ca: "{{ sa_secret.stdout }}" - heapster.allowed-users: "{{ openshift_metrics_heapster_allowed_users|b64encode }}" -- name: generate hawkular-metrics certificates - include: setup_certificate.yaml - vars: - component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" -- name: generate hawkular-cassandra certificates - include: setup_certificate.yaml - vars: - component: hawkular-cassandra - hostnames: hawkular-cassandra -# TODO keytool as dependency? move key/trust store generation to containers? 
-- name: import the hawkular metrics cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-metrics - -file '{{ mktemp.stdout|quote }}/certs/hawkular-metrics.cert' - -keystore '{{ mktemp.stdout|quote }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the hawkular cassandra cert into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" -- name: import the hawkular cassandra cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the ca certificate into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: import the ca certificate into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: generate password for htpasswd file for hawkular 
metrics - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_password -- name: generate password for hawkular metrics jgroups - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_jgroups_password -- name: generate htpasswd file for hawkular metrics - shell: > - htpasswd -cb - "{{ mktemp.stdout|quote }}/certs/hawkular-metrics.htpasswd" hawkular - '{{ hawkular_metrics_password.stdout }}' -- name: generate the jgroups keystore - command: > - keytool -genseckey -alias hawkular - -keypass {{ hawkular_metrics_jgroups_password.stdout }} - -storepass {{ hawkular_metrics_jgroups_password.stdout }} - -keyalg Blowfish -keysize 56 -storetype JCEKS - -keystore {{ mktemp.stdout }}/certs/hawkular-jgroups.keystore -- name: read files for the hawkular-metrics secret - command: > - base64 --wrap 0 "{{ mktemp.stdout }}/certs/{{ item }}" - register: hawkular_metrics_secret - with_items: - - hawkular-metrics.keystore - - hawkular-metrics-keystore.pwd - - hawkular-metrics.truststore - - hawkular-metrics-truststore.pwd - - hawkular-metrics.htpasswd - - hawkular-metrics.cert - - ca.crt - - hawkular-cassandra.keystore - - hawkular-cassandra-keystore.pwd - - hawkular-cassandra.truststore - - hawkular-cassandra-truststore.pwd - - hawkular-cassandra.pem - - hawkular-cassandra.cert - - hawkular-jgroups.keystore -- name: generate hawkular-metrics-secrets secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml" - vars: - name: hawkular-metrics-secrets - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.keystore: > - "{{ hawkular_metrics_secret.results[0].stdout }}" - hawkular-metrics.keystore.password: > - "{{ hawkular_metrics_secret.results[1].stdout }}" - hawkular-metrics.truststore: > - "{{ hawkular_metrics_secret.results[2].stdout }}" - hawkular-metrics.truststore.password: > - "{{ hawkular_metrics_secret.results[3].stdout }}" - 
hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" - hawkular-metrics.htpasswd.file: > - "{{ hawkular_metrics_secret.results[4].stdout }}" - hawkular-metrics.jgroups.keystore.password: > - "{{ hawkular_metrics_jgroups_password.stdout|b64encode }}" - hawkular-metrics.jgroups.keystore: > - "{{ hawkular_metrics_secret.results[13].stdout }}" - hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" -- name: generate hawkular-metrics-certificate secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" - vars: - name: hawkular-metrics-certificate - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.certificate: > - "{{ hawkular_metrics_secret.results[5].stdout }}" - hawkular-metrics-ca.certificate: > - "{{ hawkular_metrics_secret.results[6].stdout }}" -- name: generate hawkular-metrics-account secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" - vars: - name: hawkular-metrics-account - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" - hawkular-metrics.password: > - "{{ hawkular_metrics_password.stdout|b64encode }}" -- name: generate cassandra secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" - vars: - name: hawkular-cassandra-secrets - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.keystore: "{{ hawkular_metrics_secret.results[7].stdout }}" - cassandra.keystore.password: > - {{ hawkular_metrics_secret.results[8].stdout }} - cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" - cassandra.truststore: "{{ hawkular_metrics_secret.results[9].stdout }}" - cassandra.truststore.password: > - {{ hawkular_metrics_secret.results[10].stdout }} - cassandra.pem: "{{ hawkular_metrics_secret.results[10].stdout }}" -- name: generate cassandra-certificate secret template - 
template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" - vars: - name: hawkular-cassandra-certificate - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.certificate: > - {{ hawkular_metrics_secret.results[11].stdout }} - cassandra-ca.certificate: > - {{ hawkular_metrics_secret.results[7].stdout }} + when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists +- include: generate_heapster_certificates.yaml +- include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml new file mode 100644 index 000000000..4e032ca7e --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
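Review bot: The idempotency guard `when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists` on the CA task is evaluated by Jinja on the Ansible control node, while the `file` and `shell` tasks above it run on the managed host, so unless this play runs with a local connection on the master the guard looks at the wrong filesystem and the signer CA is regenerated on every run; because the component certs and truststores now persist under `openshift_metrics_certs_dir`, a fresh CA stops validating the certificates issued by the previous one, and the included generate_hawkular_certificates.yaml skips truststore imports whose alias already exists, so the old CA entries would not be replaced either. The expression also templates `{{ }}` inside a bare `when:`, which Ansible warns about; the same pattern appears in tasks/main.yaml's `when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}"` from the second commit. A `stat` on the target host registered before the CA task, with `when: not metrics_ca_key.stat.exists`, fixes both. `metrics_secrets` is registered here but not read anywhere in this hunk; presumably the included files consume it, and if they do not the extra `oc get secrets` call can be dropped.
```yaml
- name: check for an existing metrics signer key
  stat:
    path: "{{ openshift_metrics_certs_dir }}/ca.key"
  register: metrics_ca_key
- name: generate ca certificate chain
  # … unchanged: shell: > {{ openshift.common.admin_binary }} ca create-signer-cert --key/--cert/--serial/--name …
  when: not metrics_ca_key.stat.exists
```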
@@ -0,0 +1,227 @@
+---
+- name: generate hawkular-metrics certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-metrics
+ hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}"
+- name: generate hawkular-cassandra certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-cassandra
+ hostnames: hawkular-cassandra
+- name: check existing aliases on the hawkular-cassandra truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_cassandra_truststore_aliases
+ changed_when: false
+- name: check existing aliases on the hawkular-metrics truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_metrics_truststore_aliases
+ changed_when: false
+- name: import the hawkular metrics cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-metrics
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-metrics' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_metrics_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_metrics_truststore_aliases.stdout_lines
+- name: generate password for hawkular metrics and jgroups
+ shell: >
+ tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
+ > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
+ with_items:
+ - hawkular-metrics
+ - hawkular-jgroups-keystore
+ when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists
+- name: generate htpasswd file for hawkular metrics
+ shell: >
+ htpasswd -ci
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd' hawkular
+ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists
+- name: generate the jgroups keystore
+ shell: >
+ p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' )
+ &&
+ keytool -genseckey -alias hawkular
+ -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists
+- name: read files for the hawkular-metrics secret
+ shell: >
+ printf '%s: ' '{{ item }}'
+ && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}'
+ register: hawkular_secrets
+ with_items:
+ - ca.crt
+ - hawkular-metrics.crt
+ - hawkular-metrics.keystore
+ - hawkular-metrics-keystore.pwd
+ - hawkular-metrics.truststore
+ - hawkular-metrics-truststore.pwd
+ - hawkular-metrics.pwd
+ - hawkular-metrics.htpasswd
+ - hawkular-jgroups.keystore
+ - hawkular-jgroups-keystore.pwd
+ - hawkular-cassandra.crt
+ - hawkular-cassandra.pem
+ - hawkular-cassandra.keystore
+ - hawkular-cassandra-keystore.pwd
+ - hawkular-cassandra.truststore
+ - hawkular-cassandra-truststore.pwd
+ changed_when: false
+- set_fact:
+ hawkular_secrets: |
+ {{ hawkular_secrets.results|map(attribute='stdout')|join('
+ ')|from_yaml }}
+- name: generate hawkular-metrics-secrets secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
+ vars:
+ name: hawkular-metrics-secrets
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.keystore: >
+ {{ hawkular_secrets['hawkular-metrics.keystore'] }}
+ hawkular-metrics.keystore.password: >
+ {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
+ hawkular-metrics.truststore: >
+ {{ hawkular_secrets['hawkular-metrics.truststore'] }}
+ hawkular-metrics.truststore.password: >
+ {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
+ hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
+ hawkular-metrics.htpasswd.file: >
+ {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
+ hawkular-metrics.jgroups.keystore: >
+ {{ hawkular_secrets['hawkular-jgroups.keystore'] }}
+ hawkular-metrics.jgroups.keystore.password: >
+ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }}
+ hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
+ vars:
+ name: hawkular-metrics-certificate
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.certificate: >
+ {{ hawkular_secrets['hawkular-metrics.crt'] }}
+ hawkular-metrics-ca.certificate: >
+ {{ hawkular_secrets['ca.crt'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-account secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
+ vars:
+ name: hawkular-metrics-account
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
+ hawkular-metrics.password: >
+ {{ hawkular_secrets['hawkular-metrics.pwd'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate cassandra secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+ vars:
+ name: hawkular-cassandra-secrets
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.keystore: >
+ {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
+ cassandra.keystore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
+ cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
+ cassandra.truststore: >
+ {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
+ cassandra.truststore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
+ cassandra.pem: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets
+- name: generate cassandra-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
+ vars:
+ name: hawkular-cassandra-certificate
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.crt'] }}
+ cassandra-ca.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets.stdout_lines
diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
new file mode 100644
index 000000000..2fc449520
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
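Review bot: `cassandra-ca.certificate` in the hawkular-cassandra-certificate secret is filled from `hawkular_secrets['hawkular-cassandra.pem']`, while the parallel `hawkular-metrics-ca.certificate` entry uses `hawkular_secrets['ca.crt']`; setup_certificate.yaml builds the `.pem` by concatenating the component key and cert, so this entry would carry the Cassandra private key under a "CA certificate" name and omit the signing CA — `{{ hawkular_secrets['ca.crt'] }}` looks intended. The guard on the cassandra secrets task, `when: name not in metrics_secrets`, lacks `.stdout_lines` and so tests the keys of the registered result (always true); and since the heapster task compares against `'secret/heapster-secrets'`, the bare `name` used in all of these guards may never match what `metrics_secrets` holds (it is registered outside this file), which would make every template unconditional — worth confirming. The `exists` test in `when: not '…/{{ item }}.pwd'|exists` (and the other `|exists` guards here, in generate_heapster_certificates.yaml and in setup_certificate.yaml) is evaluated on the Ansible controller, not on the target host, so when the role runs against a remote master these checks look at the wrong filesystem and every key, password and keystore would be regenerated on each run; a `stat` task with `register` is the portable form. The `-storepass "$(< …)"` arguments put the truststore passwords on the keytool command line, where any local user can read them from the process list, and the `.pwd`, keystore and htpasswd files are created by shell redirection with the caller's umask; keytool's `-storepass:file` form and a `umask 077` prefix (or a `file` task setting `mode: "0600"`) would keep that material owner-readable only.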
@@ -0,0 +1,39 @@
+---
+- name: generate heapster key/cert
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --key='{{ openshift_metrics_certs_dir }}/heapster.key'
+ --cert='{{ openshift_metrics_certs_dir }}/heapster.cert'
+ --hostnames=heapster
+ --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
+ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
+ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ when: not '{{ openshift_metrics_certs_dir }}/heapster.key'|exists
+- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
+ block:
+ - name: read files for the heapster secret
+ slurp: src={{ item }}
+ register: heapster_secret
+ with_items:
+ - "{{ openshift_metrics_certs_dir }}/heapster.cert"
+ - "{{ openshift_metrics_certs_dir }}/heapster.key"
+ - "{{ client_ca }}"
+ vars:
+ custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt"
+ default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"
+ - name: generate heapster secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
+ force: no
+ vars:
+ name: heapster-secrets
+ labels:
+ metrics-infra: heapster
+ data:
+ heapster.cert: "{{ heapster_secret.results[0].content }}"
+ heapster.key: "{{ heapster_secret.results[1].content }}"
+ heapster.client-ca: "{{ heapster_secret.results[2].content }}"
+ heapster.allowed-users: >
+ {{ openshift_metrics_heapster_allowed_users|b64encode }}
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
index 9a39cce34..d7a029fa8 100644
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
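Review bot: `slurp: src={{ item }}` uses the inline key=value form while every other module call in the file uses block YAML, and `force: no` is a YAML 1.1 boolean spelling; `slurp:` / `src: "{{ item }}"` and `force: false` would match the rest of the role. The block-level `when` means `heapster-secrets` is rendered only while the secret is absent, so a regenerated `heapster.key` is not re-applied until the secret is deleted by hand; a comment above the block stating that lifecycle, e.g. `# rendered once; delete secret/heapster-secrets to pick up a regenerated key or client CA`, would save the next reader from inferring it.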
@@ -39,6 +39,9 @@
 size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}"
 with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }}
 when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic'
+- name: read hawkular-metrics route destination ca certificate
+ slurp: src={{ openshift_metrics_certs_dir }}/ca.crt
+ register: metrics_route_dest_ca_cert
 - name: generate the hawkular-metrics route
 template:
 src: route.j2
@@ -47,11 +50,10 @@
 name: hawkular-metrics
 labels:
 metrics-infra: hawkular-metrics
- host: hawkular-metrics.example.com
+ host: "{{ openshift_metrics_hawkular_metrics_hostname }}"
 to:
 kind: Service
 name: hawkular-metrics
 tls:
 termination: reencrypt
- destination_ca_certificate: >
- {{ hawkular_metrics_secret.results[6].stdout|b64decode }}
+ destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}"
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 34b4a47fe..5d95fa112 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -11,7 +11,7 @@
 file: path={{mktemp.stdout}}/templates state=directory mode=0755
 changed_when: False
+- include: generate_certificates.yaml
 - include: generate_serviceaccounts.yaml
 - include: generate_services.yaml
-- include: generate_certificates.yaml
 - include: generate_rolebindings.yaml
diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml
index 46ac4ea7f..d6ee4167b 100644
--- a/roles/openshift_metrics/tasks/setup_certificate.yaml
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml
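Review bot: `destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}"` passes the slurp result, which is base64-encoded, where the removed line explicitly applied `|b64decode`; unless route.j2 decodes the value itself (not visible here), the route's destination CA becomes a base64 blob rather than PEM and the reencrypt route cannot validate the hawkular-metrics backend. `destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content|b64decode }}"` keeps the previous behaviour with the new source. The template task whose `vars` the second hunk edits starts in the first hunk, and the lines between the two hunks are not shown.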
@@ -2,49 +2,51 @@
 - name: generate {{ component }} keys
 command: >
 {{ openshift.common.admin_binary }} ca create-server-cert
- --key='{{ mktemp.stdout }}/certs/{{ component }}.key'
- --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt'
+ --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key'
+ --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt'
 --hostnames='{{ hostnames }}'
- --signer-cert='{{ mktemp.stdout }}/certs/ca.crt'
- --signer-key='{{ mktemp.stdout }}/certs/ca.key'
- --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt'
+ --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
+ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
+ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists
 - name: generate {{ component }} certificate
 shell: >
 cat
- '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key'
- '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt'
- > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem'
+ '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.key'
+ '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.crt'
+ > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.pem'
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists
 - name: generate random password for the {{ component }} keystore
- shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
- register: keystore_pwd
-- name: create the password file for {{ component }}
 shell: >
- echo '{{ keystore_pwd.stdout|quote }}'
- > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd'
+ tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
+ > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists
 - name: create the {{ component }} pkcs12 from the pem file
 command: >
 openssl pkcs12 -export
- -in '{{ mktemp.stdout }}/certs/{{ component }}.pem'
- -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12'
+ -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'
+ -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'
 -name '{{ component }}' -noiter -nomaciter
- -password 'pass:{{ keystore_pwd.stdout }}'
+ -password
+ 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists
 - name: create the {{ component }} keystore from the pkcs12 file
- command: >
+ shell: >
+ p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd)
+ &&
 keytool -v -importkeystore
- -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12'
+ -srckeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'
 -srcstoretype PKCS12
- -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore'
+ -destkeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'
 -deststoretype JKS
- -deststorepass '{{ keystore_pwd.stdout }}'
- -srcstorepass '{{ keystore_pwd.stdout }}'
-- name: create the {{ component }} certificate
- command: >
- keytool -noprompt -export
- -alias '{{ component }}'
- -file '{{ mktemp.stdout }}/certs/{{ component }}.cert'
- -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore'
- -storepass '{{ keystore_pwd.stdout }}'
+ -deststorepass "$p"
+ -srcstorepass "$p"
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists
 - name: generate random password for the {{ component }} truststore
 shell: >
 tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
- > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd'
+ > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-truststore.pwd'
+ when: >
+ not
+ '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
index 525f32859..158d0d1a3 100644
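Review bot: `p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd)` is the one path in this file left unquoted, so a certs dir containing whitespace breaks the keystore step while the neighbouring `-srckeystore '…'` survives; `p=$(< '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd')` matches the jgroups task in generate_hawkular_certificates.yaml. The new `|exists` guards are per artifact, so if `{{ component }}.key` is regenerated (for example after the CA guarded in generate_certificates.yaml is recreated) the existing `.pem`, `.pkcs12` and `.keystore` are kept and the keystore keeps serving the old identity; deriving each downstream guard from the upstream step's `changed` result, or guarding the whole chain on the `.key` test, would keep the artifacts consistent. The openssl call now reads the password via `file:`, but `-deststorepass "$p"` / `-srcstorepass "$p"` still expose it on the keytool command line for the lifetime of the process; keytool's `-srcstorepass:file` / `-deststorepass:file` modifiers should serve the same purpose as the openssl change.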
--- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
@@ -49,6 +49,8 @@ spec:
 value: "{{ master }}"
 - name: CASSANDRA_DATA_VOLUME
 value: "/cassandra_data"
+ - name: JVM_OPTS
+ value: "-Dcassandra.commitlog.ignorereplayerrors=true"
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
index 6f1275809..647a4bfbb 100644
--- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
@@ -66,6 +66,8 @@ spec:
 fieldPath: metadata.namespace
 - name: OPENSHIFT_KUBE_PING_LABELS
 value: "metrics-infra=hawkular-metrics,name=hawkular-metrics"
+ - name: STARTUP_TIMEOUT
+ value: "{{ openshift_metrics_startup_timeout }}"
 volumeMounts:
 - name: hawkular-metrics-secrets
 mountPath: "/secrets"
diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2
index e4b4b9739..90227db68 100644
--- a/roles/openshift_metrics/templates/heapster.j2
+++ b/roles/openshift_metrics/templates/heapster.j2
@@ -27,7 +27,7 @@ spec:
 command:
 - "heapster-wrapper.sh"
 - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users"
- - "--source=kubernetes:{{openshift_metrics_master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250"
+ - "--source=kubernetes.summary_api:${MASTER_URL}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250"
 - "--tls_cert=/secrets/heapster.cert"
 - "--tls_key=/secrets/heapster.key"
 - "--tls_client_ca=/secrets/heapster.client-ca"
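Review bot: `JVM_OPTS=-Dcassandra.commitlog.ignorereplayerrors=true` makes Cassandra skip commit-log segments it cannot replay instead of refusing to start, which trades a visible startup failure for silently discarded unflushed writes, and nothing in the hunk records why that is acceptable here. A comment next to the env entry stating the reason (presumably so a pod restarted with a partial commit log still comes up) and that writes in such segments are lost, e.g. `# skip unreplayable commitlog segments on restart; any writes in them are lost`, would keep the trade-off visible to whoever later moves `openshift_metrics_cassandra_storage_type` to `pv`.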
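Review bot: `--source=kubernetes.summary_api:${MASTER_URL}…` relies on a `MASTER_URL` environment variable that nothing in this template sets; the `env:` block added in the next hunk (`@@ -39,6 +39,9 @@`) only defines `STARTUP_TIMEOUT`, and `openshift_metrics_master_url`, which the removed line expanded directly, stays in defaults/main.yaml but is no longer used in the visible hunks. Unless the heapster image's entrypoint exports it, the source URL is empty at runtime; adding `- name: MASTER_URL` / `value: "{{ openshift_metrics_master_url }}"` to that env block would close the gap.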
@@ -39,6 +39,9 @@ spec:
 - "--wrapper.endpoint_check=https://hawkular-metrics:443/hawkular/metrics/status"
 - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{openshift_metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)"
 {% endif %}
+ env:
+ - name: STARTUP_TIMEOUT
+ value: "{{ openshift_metrics_startup_timeout }}"
 volumeMounts:
 - name: heapster-secrets
 mountPath: "/secrets"
-- cgit v1.2.3
From ee931f90dbab01596bd90fa8007ac49de5178a17 Mon Sep 17 00:00:00 2001
From: Jeff Cantrill
Date: Wed, 14 Dec 2016 14:36:28 -0500
Subject: Add tasks to uninstall metrics (#7)
---
 .../common/openshift-cluster/openshift_metrics.yml | 4 ++++
 roles/openshift_metrics/defaults/main.yaml | 4 ++--
 roles/openshift_metrics/tasks/cleanup.yaml | 14 -----------
 roles/openshift_metrics/tasks/install_metrics.yaml | 24 +++++++------------
 roles/openshift_metrics/tasks/install_support.yaml | 5 ++++
 roles/openshift_metrics/tasks/main.yaml | 27 +++++++++++++++-------
 .../openshift_metrics/tasks/uninstall_metrics.yaml | 14 +++++++++++
 7 files changed, 52 insertions(+), 40 deletions(-)
 create mode 100644 playbooks/common/openshift-cluster/openshift_metrics.yml
 delete mode 100644 roles/openshift_metrics/tasks/cleanup.yaml
 create mode 100644 roles/openshift_metrics/tasks/install_support.yaml
 create mode 100644 roles/openshift_metrics/tasks/uninstall_metrics.yaml
(limited to 'roles/openshift_metrics/defaults')
diff --git a/playbooks/common/openshift-cluster/openshift_metrics.yml b/playbooks/common/openshift-cluster/openshift_metrics.yml
new file mode 100644
index 000000000..3a8a4cf77
--- /dev/null
+++ b/playbooks/common/openshift-cluster/openshift_metrics.yml
@@ -0,0 +1,4 @@
+- name: OpenShift Metrics
+ hosts: oo_first_master
+ roles:
+ - openshift_metrics
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
index 4b5ecadbf..7f9a5f36a 100644
--- a/roles/openshift_metrics/defaults/main.yaml
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -1,4 +1,5 @@
 ---
+openshift_metrics_install_metrics: True
 openshift_metrics_image_prefix: docker.io/openshift/origin-
 openshift_metrics_image_version: latest
 openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local
@@ -10,8 +11,7 @@ openshift_metrics_hawkular_cassandra_nodes: 1
 openshift_metrics_hawkular_cassandra_storage_type: emptydir
 openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra
 openshift_metrics_hawkular_cassandra_pv_size: 10Gi
-openshift_metrics_certs_dir: >
- {{ openshift.common.config_base }}/master/metrics
+openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
 openshift_metrics_heapster_standalone: False
 openshift_metrics_heapster_allowed_users: system:master-proxy
diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml
deleted file mode 100644
index a29faef31..000000000
--- a/roles/openshift_metrics/tasks/cleanup.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: remove metrics components
- command: >
- {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}'
- delete --selector=metrics-infra
- all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings
- register: delete_metrics
- changed_when: "delete_metrics.stdout != 'No resources found'"
-- name: remove rolebindings
- command: >
- {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }}
- delete --ignore-not-found
- rolebinding/hawkular-view
- clusterrolebinding/heapster-cluster-reader
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 5d95fa112..db023e6a2 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
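Review bot: `openshift_metrics_install_metrics: True` joins the existing `False` defaults in using capitalised YAML 1.1 booleans; `true`/`false` is the spelling yamllint accepts and it reads the same under YAML 1.2 loaders, and the same applies to the `False` values the later `@@ -5,18 +5,30 @@` hunk of this file leaves in place. Given how tasks/main.yaml consumes this variable in the same commit (a false value runs uninstall_metrics.yaml), a one-line comment above it, `# false does not skip the role: it removes every metrics-infra object`, belongs here where users look first.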
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -1,17 +1,9 @@
 ---
-# This is the base configuration for installing the other components
-- name: Create temp directory for doing work in
- command: mktemp -td openshift-metrics-ansible-XXXXXX
- register: mktemp
- changed_when: False
-
- debug: msg="Created temp dir {{mktemp.stdout}}"
-
- name: Create temp directory for all our templates
- file: path={{mktemp.stdout}}/templates state=directory mode=0755
- changed_when: False
-
- include: generate_certificates.yaml
-- include: generate_serviceaccounts.yaml
-- include: generate_services.yaml
-- include: generate_rolebindings.yaml
+- name: Install Metrics
+ include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml"
+ with_items:
+ - support
+ - heapster
+ - hawkular
+ loop_control:
+ loop_var: include_file
diff --git a/roles/openshift_metrics/tasks/install_support.yaml b/roles/openshift_metrics/tasks/install_support.yaml
new file mode 100644
index 000000000..b0e4bec80
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_support.yaml
@@ -0,0 +1,5 @@
+---
+- include: generate_certificates.yaml
+- include: generate_serviceaccounts.yaml
+- include: generate_services.yaml
+- include: generate_rolebindings.yaml
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
index 79aae1e0b..adedd4069 100644
--- a/roles/openshift_metrics/tasks/main.yaml
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -2,20 +2,31 @@
 - name: check that hawkular_metrics_hostname is set
 fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required'
 when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}"
+
 - name: check the value of openshift_metrics_hawkular_cassandra_storage_type
 fail:
 msg: >
 openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }})
 is invalid, must be one of: emptydir, pv, dynamic
 when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types
-- name: Install Metrics
- include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml"
- with_items:
- - metrics
- - heapster
- - hawkular
- loop_control:
- loop_var: include_file
+
+- name: Create temp directory for doing work in
+ command: mktemp -td openshift-metrics-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+
+- debug: msg="Created temp dir {{mktemp.stdout}}"
+
+- name: Create temp directory for all our templates
+ file: path={{mktemp.stdout}}/templates state=directory mode=0755
+ changed_when: False
+
+- include: "{{role_path}}/tasks/install_metrics.yaml"
+ when: openshift_metrics_install_metrics | default(false) | bool
+
+- include: "{{role_path}}/tasks/uninstall_metrics.yaml"
+ when: not openshift_metrics_install_metrics | default(false) | bool
+
 - name: create objects
 command: >
 {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}'
diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
new file mode 100644
index 000000000..a29faef31
--- /dev/null
+++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
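Review bot: The new pair of includes turns `openshift_metrics_install_metrics: false` into a destructive path — uninstall_metrics.yaml runs `delete --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings` — while the variable name reads like an opt-out of installation. A comment above the second include, `# NOTE: a false value does not skip this role, it deletes every labelled metrics object`, would make that explicit at the decision point. `| default(false)` is redundant with the `True` default this commit adds to defaults/main.yaml, and evaluating the expression twice invites drift if one copy is edited; `when: not (openshift_metrics_install_metrics | bool)` on the uninstall include, the exact complement of the install condition, keeps the two branches mutually exclusive. The `create objects` task the hunk ends in continues past the hunk.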
@@ -0,0 +1,14 @@
+---
+- name: remove metrics components
+ command: >
+ {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}'
+ delete --selector=metrics-infra
+ all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings
+ register: delete_metrics
+ changed_when: "delete_metrics.stdout != 'No resources found'"
+- name: remove rolebindings
+ command: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }}
+ delete --ignore-not-found
+ rolebinding/hawkular-view
+ clusterrolebinding/heapster-cluster-reader
-- cgit v1.2.3
From 9d0b2eed6f2b897280660949d12e09a3b7993b2b Mon Sep 17 00:00:00 2001
From: Jeff Cantrill
Date: Thu, 15 Dec 2016 10:34:58 -0500
Subject: rename variables to be less extraneous (#10)
---
 roles/openshift_metrics/README.md | 10 ++++++----
 roles/openshift_metrics/defaults/main.yaml | 10 ++++++----
 roles/openshift_metrics/tasks/install_hawkular.yaml | 21 ++++++++++++---------
 roles/openshift_metrics/tasks/main.yaml | 6 +++---
 .../templates/hawkular_cassandra_rc.j2 | 4 ++--
 roles/openshift_metrics/vars/main.yaml | 2 +-
 6 files changed, 30 insertions(+), 23 deletions(-)
(limited to 'roles/openshift_metrics/defaults')
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
index 092844870..d1b9a79a9 100644
--- a/roles/openshift_metrics/README.md
+++ b/roles/openshift_metrics/README.md
@@ -33,18 +33,20 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml).
 any user will be able to write metrics to the system which can affect performance and use Cassandra disk usage to unpredictably increase.
-- `openshift_metrics_hawkular_cassandra_nodes`: The number of Cassandra Nodes to deploy for the
+- `openshift_metrics_hawkular_replicas:` The number of replicas for Hawkular metrics.
+
+- `openshift_metrics_cassandra_nodes`: The number of Cassandra Nodes to deploy for the
 initial cluster.
-- `openshift_metrics_hawkular_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for
+- `openshift_metrics_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for
 testing), `pv` to use persistent volumes (which need to be created before the installation) or `dynamic` for dynamic persistent volumes.
-- `openshift_metrics_hawkular_cassandra_pv_prefix`: The name of persistent volume claims created
+- `openshift_metrics_cassandra_pv_prefix`: The name of persistent volume claims created
 for cassandra will be this with a serial number appended to the end, starting from 1.
-- `openshift_metrics_hawkular_cassandra_pv_size`: The persistent volume size for each of the
+- `openshift_metrics_cassandra_pv_size`: The persistent volume size for each of the
 Cassandra nodes.
 - `openshift_metrics_heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
index 7f9a5f36a..4538099a3 100644
--- a/roles/openshift_metrics/defaults/main.yaml
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -7,10 +7,12 @@ openshift_metrics_project: openshift-infra
 openshift_metrics_startup_timeout: 500
 openshift_metrics_hawkular_user_write_access: False
-openshift_metrics_hawkular_cassandra_nodes: 1
-openshift_metrics_hawkular_cassandra_storage_type: emptydir
-openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra
-openshift_metrics_hawkular_cassandra_pv_size: 10Gi
+openshift_metrics_hawkular_replicas: 1
+
+openshift_metrics_cassandra_nodes: 1
+openshift_metrics_cassandra_storage_type: emptydir
+openshift_metrics_cassandra_pv_prefix: metrics-cassandra
+openshift_metrics_cassandra_pv_size: 10Gi
 openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
 openshift_metrics_heapster_standalone: False
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
index d7a029fa8..6e503c8c1 100644
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
@@ -10,35 +10,38 @@
 vars:
 node: "{{ item }}"
 master: "{{ (item == '1')|string|lower }}"
- with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }}
+ with_sequence: count={{ openshift_metrics_cassandra_nodes }}
+
 - name: generate hawkular-cassandra persistent volume claims
 template:
 src: pvc.j2
 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
 vars:
- obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}"
+ obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}"
 labels:
 metrics-infra: hawkular-cassandra
 access_modes:
 - ReadWriteOnce
- size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}"
- with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }}
- when: openshift_metrics_hawkular_cassandra_storage_type == 'pv'
+ size: "{{ openshift_metrics_cassandra_pv_size }}"
+ with_sequence: count={{ openshift_metrics_cassandra_nodes }}
+ when: openshift_metrics_cassandra_storage_type == 'pv'
+
 - name: generate hawkular-cassandra persistent volume claims (dynamic)
 template:
 src: pvc.j2
 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
 vars:
- obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}"
+ obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}"
 labels:
 metrics-infra: hawkular-cassandra
 annotations:
 volume.alpha.kubernetes.io/storage-class: dynamic
 access_modes:
 - ReadWriteOnce
- size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}"
- with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }}
- when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic'
+ size: "{{ openshift_metrics_cassandra_pv_size }}"
+ with_sequence: count={{ openshift_metrics_cassandra_nodes }}
+ when: openshift_metrics_cassandra_storage_type == 'dynamic'
+
 - name: read hawkular-metrics route destination ca certificate
 slurp: src={{ openshift_metrics_certs_dir }}/ca.crt
 register: metrics_route_dest_ca_cert
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
index d4bafdc30..74abd120f 100644
--- a/roles/openshift_metrics/tasks/main.yaml
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -3,12 +3,12 @@
 fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required'
 when: openshift_metrics_hawkular_metrics_hostname is not defined
-- name: check the value of openshift_metrics_hawkular_cassandra_storage_type
+- name: check the value of openshift_metrics_cassandra_storage_type
 fail:
 msg: >
- openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }})
+ openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }})
 is invalid, must be one of: emptydir, pv, dynamic
- when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types
+ when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types
 - name: Create temp directory for doing work in
 command: mktemp -td openshift-metrics-ansible-XXXXXX
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
index 158d0d1a3..7cea5f040 100644
--- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
@@ -85,11 +85,11 @@ spec:
 terminationGracePeriodSeconds: 1800
 volumes:
 - name: cassandra-data
-{% if openshift_metrics_hawkular_cassandra_storage_type == 'emptydir' %}
+{% if openshift_metrics_cassandra_storage_type == 'emptydir' %}
 emptyDir: {}
 {% else %}
 persistentVolumeClaim:
- claimName: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ node }}"
+ claimName: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ node }}"
 {% endif %}
 - name: hawkular-cassandra-secrets
 secret:
diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml
index 25307c23c..de3bb878d 100644
--- a/roles/openshift_metrics/vars/main.yaml
+++ b/roles/openshift_metrics/vars/main.yaml
@@ -1,4 +1,4 @@
-openshift_metrics_hawkular_cassandra_storage_types:
+openshift_metrics_cassandra_storage_types:
 - emptydir
 - pv
 - dynamic
-- cgit v1.2.3
From b335bd4e88d5ec50aa3106f789f4e08a8baac9b2 Mon Sep 17 00:00:00 2001
From: Jeff Cantrill
Date: Thu, 15 Dec 2016 15:46:10 -0500
Subject: allow definition of cpu/memory limits/resources (#11)
---
 roles/openshift_metrics/README.md | 11 ++++++++
 roles/openshift_metrics/defaults/main.yaml | 14 +++++++++++-
 .../templates/hawkular_cassandra_rc.j2 | 29 ++++++++++++++++++++++
 .../templates/hawkular_metrics_rc.j2 | 29 ++++++++++++++++++++++
 roles/openshift_metrics/templates/heapster.j2 | 29 ++++++++++++++++++++++
 5 files changed, 111 insertions(+), 1 deletion(-)
(limited to 'roles/openshift_metrics/defaults')
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
index d1b9a79a9..8c67d193d 100644
--- a/roles/openshift_metrics/README.md
+++ b/roles/openshift_metrics/README.md
@@ -64,6 +64,17 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml).
 - `openshift_metrics_resolution`: How often metrics should be gathered.
+## Additional variables to control resource limits
+Each metrics component (hawkular, cassandra, heapster) can specify a cpu and memory limits and requests by setting
+the corresponding role variable:
+```
+openshift_metrics__(limits|requests)_(memory|cpu):
+```
+e.g
+```
+openshift_metrics_cassandra_limits_memory: 1G
+openshift_metrics_hawkular_requests_cpu: 100
+```
 Dependencies
 ------------
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
index 4538099a3..ae24e1972 100644
--- a/roles/openshift_metrics/defaults/main.yaml
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -5,18 +5,30 @@ openshift_metrics_image_version: latest openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_project: openshift-infra openshift_metrics_startup_timeout: 500 +openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_hawkular_user_write_access: False openshift_metrics_hawkular_replicas: 1 +openshift_metrics_hawkular_limits_memory: 2.5G +openshift_metrics_hawkular_limits_cpu: null +openshift_metrics_hawkular_requests_memory: 1.5G +openshift_metrics_hawkular_requests_cpu: null openshift_metrics_cassandra_nodes: 1 openshift_metrics_cassandra_storage_type: emptydir openshift_metrics_cassandra_pv_prefix: metrics-cassandra openshift_metrics_cassandra_pv_size: 10Gi -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" +openshift_metrics_cassandra_limits_memory: 2G +openshift_metrics_cassandra_limits_cpu: null +openshift_metrics_cassandra_requests_memory: 1G +openshift_metrics_cassandra_requests_cpu: null openshift_metrics_heapster_standalone: False openshift_metrics_heapster_allowed_users: system:master-proxy +openshift_metrics_heapster_limits_memory: 3.75G +openshift_metrics_heapster_limits_cpu: null +openshift_metrics_heapster_requests_memory: 0.9375G +openshift_metrics_heapster_requests_cpu: null openshift_metrics_duration: 7 openshift_metrics_resolution: 15s diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 7cea5f040..7ce1a6a87 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 
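Review bot: The memory defaults added in this hunk use the decimal suffix `G` while the same file sizes storage with `Gi` (`openshift_metrics_cassandra_pv_size: 10Gi`), and fractions such as `0.9375G` and `3.75G` are exact binary fractions (15/16 and 15/4), which suggests `Gi` was the intended unit. With `G` each value is about 7% smaller than its `Gi` counterpart (1G is 10^9 bytes, 1Gi is 2^30), so if these were carried over from the deployer's binary values the containers get less memory than intended. If that reading is right, the heapster lines become `openshift_metrics_heapster_limits_memory: 3.75Gi` and `openshift_metrics_heapster_requests_memory: 0.9375Gi`, with the hawkular and cassandra values changed the same way. Either way, a comment above the first limit stating which unit family the defaults use would prevent later drift between the two styles.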
@@ -69,6 +69,35 @@ spec: mountPath: "/cassandra_data" - name: hawkular-cassandra-secrets mountPath: "/secret" +{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) + or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none) + or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none) + or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) +%} + resources: +{% if (openshift_metrics_cassandra_limits_cpu is not none + or openshift_metrics_cassandra_limits_memory is not none) +%} + limits: +{% if openshift_metrics_cassandra_limits_cpu is not none %} + cpu: "{{openshift_metrics_cassandra_limits_cpu}}" +{% endif %} +{% if openshift_metrics_cassandra_limits_memory is not none %} + memory: "{{openshift_metrics_cassandra_limits_memory}}" +{% endif %} +{% endif %} +{% if (openshift_metrics_cassandra_requests_cpu is not none + or openshift_metrics_cassandra_requests_memory is not none) +%} + requests: +{% if openshift_metrics_cassandra_requests_cpu is not none %} + cpu: "{{openshift_metrics_cassandra_requests_cpu}}" +{% endif %} +{% if openshift_metrics_cassandra_requests_memory is not none %} + memory: "{{openshift_metrics_cassandra_requests_memory}}" +{% endif %} +{% endif %} +{% endif %} readinessProbe: exec: command: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index 647a4bfbb..4314800a3 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 
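Review bot: The outer guard in this hunk tests each limits/requests variable with `is defined and ... is not none`, but the nested guards that emit the `cpu:` and `memory:` keys test only `is not none`, so the two layers disagree about whether an undefined variable is tolerated; since `defaults/main.yaml` defines all four, the `is defined` clauses are dead and can be dropped, or the inner tests should be made to match the outer one. The same 29-line block is repeated verbatim for hawkular_metrics_rc.j2 and heapster.j2 in the two following hunks with only the variable prefix changed, so a shared Jinja macro or a partial template taking the component name as a parameter would keep the three copies in sync. A one-line comment such as `{# resources is rendered only when at least one limit or request is set #}` above the outer `{% if %}` would also help readers who do not know Kubernetes resource semantics.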
@@ -73,6 +73,35 @@ spec: mountPath: "/secrets" - name: hawkular-metrics-client-secrets mountPath: "/client-secrets" +{% if ((openshift_metrics_hawkular_limits_cpu is defined and openshift_metrics_hawkular_limits_cpu is not none) + or (openshift_metrics_hawkular_limits_memory is defined and openshift_metrics_hawkular_limits_memory is not none) + or (openshift_metrics_hawkular_requests_cpu is defined and openshift_metrics_hawkular_requests_cpu is not none) + or (openshift_metrics_hawkular_requests_memory is defined and openshift_metrics_hawkular_requests_memory is not none)) +%} + resources: +{% if (openshift_metrics_hawkular_limits_cpu is not none + or openshift_metrics_hawkular_limits_memory is not none) +%} + limits: +{% if openshift_metrics_hawkular_limits_cpu is not none %} + cpu: "{{openshift_metrics_hawkular_limits_cpu}}" +{% endif %} +{% if openshift_metrics_hawkular_limits_memory is not none %} + memory: "{{openshift_metrics_hawkular_limits_memory}}" +{% endif %} +{% endif %} +{% if (openshift_metrics_hawkular_requests_cpu is not none + or openshift_metrics_hawkular_requests_memory is not none) +%} + requests: +{% if openshift_metrics_hawkular_requests_cpu is not none %} + cpu: "{{openshift_metrics_hawkular_requests_cpu}}" +{% endif %} +{% if openshift_metrics_hawkular_requests_memory is not none %} + memory: "{{openshift_metrics_hawkular_requests_memory}}" +{% endif %} +{% endif %} +{% endif %} readinessProbe: exec: command: diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index 90227db68..04fb76982 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 
@@ -42,6 +42,35 @@ spec: env: - name: STARTUP_TIMEOUT value: "{{ openshift_metrics_startup_timeout }}" +{% if ((openshift_metrics_heapster_limits_cpu is defined and openshift_metrics_heapster_limits_cpu is not none) + or (openshift_metrics_heapster_limits_memory is defined and openshift_metrics_heapster_limits_memory is not none) + or (openshift_metrics_heapster_requests_cpu is defined and openshift_metrics_heapster_requests_cpu is not none) + or (openshift_metrics_heapster_requests_memory is defined and openshift_metrics_heapster_requests_memory is not none)) +%} + resources: +{% if (openshift_metrics_heapster_limits_cpu is not none + or openshift_metrics_heapster_limits_memory is not none) +%} + limits: +{% if openshift_metrics_heapster_limits_cpu is not none %} + cpu: "{{openshift_metrics_heapster_limits_cpu}}" +{% endif %} +{% if openshift_metrics_heapster_limits_memory is not none %} + memory: "{{openshift_metrics_heapster_limits_memory}}" +{% endif %} +{% endif %} +{% if (openshift_metrics_heapster_requests_cpu is not none + or openshift_metrics_heapster_requests_memory is not none) +%} + requests: +{% if openshift_metrics_heapster_requests_cpu is not none %} + cpu: "{{openshift_metrics_heapster_requests_cpu}}" +{% endif %} +{% if openshift_metrics_heapster_requests_memory is not none %} + memory: "{{openshift_metrics_heapster_requests_memory}}" +{% endif %} +{% endif %} +{% endif %} volumeMounts: - name: heapster-secrets mountPath: "/secrets" -- cgit v1.2.3 From 765fb5ce39fdca0b56a23f6d13650fe16debf20a Mon Sep 17 00:00:00 2001 
From: Jeff Cantrill Date: Thu, 15 Dec 2016 15:48:09 -0500 Subject: update vars to allow scaling of components (#9) --- roles/openshift_metrics/defaults/main.yaml | 2 + .../openshift_metrics/tasks/install_hawkular.yaml | 2 + roles/openshift_metrics/tasks/install_metrics.yaml | 25 ++++++++++ roles/openshift_metrics/tasks/main.yaml | 19 -------- roles/openshift_metrics/tasks/scale.yaml | 27 +++++++++++ roles/openshift_metrics/tasks/start_metrics.yaml | 52 ++++++++++++++++++++ roles/openshift_metrics/tasks/stop_metrics.yaml | 56 ++++++++++++++++++++++ .../openshift_metrics/tasks/uninstall_metrics.yaml | 7 ++- .../templates/hawkular_cassandra_rc.j2 | 2 +- .../templates/hawkular_metrics_rc.j2 | 2 +- roles/openshift_metrics/templates/heapster.j2 | 2 +- 11 files changed, 173 insertions(+), 23 deletions(-) create mode 100644 roles/openshift_metrics/tasks/scale.yaml create mode 100644 roles/openshift_metrics/tasks/start_metrics.yaml create mode 100644 roles/openshift_metrics/tasks/stop_metrics.yaml (limited to 'roles/openshift_metrics/defaults') diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index ae24e1972..c27943220 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -1,9 +1,11 @@ --- +openshift_metrics_start_cluster: True openshift_metrics_install_metrics: True openshift_metrics_image_prefix: docker.io/openshift/origin- openshift_metrics_image_version: latest openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_project: openshift-infra +openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_startup_timeout: 500 openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 6e503c8c1..1acc8948d 100644 
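Review bot: The added `openshift_metrics_certs_dir` line duplicates a key that the hunk's own context still shows two lines below, so `openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"` appears twice in the new file. YAML forbids duplicate mapping keys, but most loaders silently keep the last value, so this is harmless today and becomes a silent misconfiguration the moment only one of the two copies is edited. Drop the added line and keep the existing one (a later commit in this series removes both and re-adds a single copy); yamllint's `key-duplicates` rule would catch this in CI.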
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -3,6 +3,7 @@ template: src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" + - name: generate hawkular-cassandra replication controllers template: src: hawkular_cassandra_rc.j2 @@ -45,6 +46,7 @@ - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert + - name: generate the hawkular-metrics route template: src: route.j2 diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index db023e6a2..a6a094a83 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,4 +1,15 @@ --- +- name: check that hawkular_metrics_hostname is set + fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' + when: openshift_metrics_hawkular_metrics_hostname is not defined + +- name: check the value of openshift_metrics_cassandra_storage_type + fail: + msg: > + openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) + is invalid, must be one of: emptydir, pv, dynamic + when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types + - name: Install Metrics include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" with_items: @@ -7,3 +18,17 @@ - hawkular loop_control: loop_var: include_file + +- name: create objects + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + apply -f {{ item }} + with_fileglob: + - "{{ mktemp.stdout }}/templates/*.yaml" + +- name: Scaling up cluster + include: start_metrics.yaml + tags: openshift_metrics_start_cluster + when: + - openshift_metrics_start_cluster | default(true) | bool 
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index 74abd120f..e8c74b8dc 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,15 +1,4 @@ --- -- name: check that hawkular_metrics_hostname is set - fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: openshift_metrics_hawkular_metrics_hostname is not defined - -- name: check the value of openshift_metrics_cassandra_storage_type - fail: - msg: > - openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) - is invalid, must be one of: emptydir, pv, dynamic - when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - - name: Create temp directory for doing work in command: mktemp -td openshift-metrics-ansible-XXXXXX register: mktemp @@ -33,11 +22,3 @@ - include: "{{role_path}}/tasks/uninstall_metrics.yaml" when: not openshift_metrics_install_metrics | default(false) | bool - -- name: create objects - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - --config={{ mktemp.stdout }}/admin.kubeconfig - apply -f {{ item }} - with_fileglob: - - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml new file mode 100644 index 000000000..031336a01 --- /dev/null +++ b/roles/openshift_metrics/tasks/scale.yaml 
@@ -0,0 +1,27 @@ +--- +- shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} + --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_metrics_project}} + register: replica_count + failed_when: "replica_count.rc == 1 and 'exists' not in replica_count.stderr" + when: not ansible_check_mode + +- shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}} + --replicas={{desired}} -n {{openshift_metrics_project}} + register: scale_result + failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr + when: + - replica_count.stdout != desired + - not ansible_check_mode + +- name: Waiting for {{object}} to scale to {{desired}} + shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_metrics_project}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}' + register: replica_counts + until: replica_counts.stdout.find("{{desired}}") != -1 + retries: 30 + delay: 10 + when: + - replica_count.stdout != desired + - not ansible_check_mode diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml new file mode 100644 index 000000000..99d593dd7 --- /dev/null +++ b/roles/openshift_metrics/tasks/start_metrics.yaml 
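Review bot: The `failed_when` on both shell tasks only treats exit code 1 as a failure (`replica_count.rc == 1 and ...`), so any other non-zero exit from the client, such as a usage error or a connection failure that returns a different code, is reported as success and the loop proceeds on an empty `stdout`. Use `failed_when: "replica_count.rc != 0 and 'exists' not in replica_count.stderr"` (and the same for `scale_result`) so that only the intended not-found case is tolerated; it is also worth confirming that this client version's not-found message actually contains the word `exists`, since a `not found` wording would mean the exception never matches. Separately, the second and third tasks list `replica_count.stdout != desired` before `not ansible_check_mode`; in check mode the first task is skipped and its registered result has no `stdout`, so that comparison is evaluated on an undefined attribute, and swapping the two conditions so `not ansible_check_mode` comes first avoids that. Note also that callers pass `desired` as an integer while `replica_count.stdout` is a string, so the inequality probably always holds and the scale step runs unconditionally.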
@@ -0,0 +1,52 @@ +--- +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-cassandra + -o name + -n {{openshift_metrics_project}} + register: metrics_cassandra_rc + +- name: Start Hawkular Cassandra + include: scale.yaml + vars: + desired: 1 + with_items: "{{metrics_cassandra_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name + -n {{openshift_metrics_project}} + register: metrics_metrics_rc + +- name: Start Hawkular Metrics + include: scale.yaml + vars: + desired: "{{openshift_metrics_hawkular_replicas}}" + with_items: "{{metrics_metrics_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=heapster + -o name + -n {{openshift_metrics_project}} + register: metrics_heapster_rc + check_mode: no + +- name: Start Heapster + include: scale.yaml + vars: + desired: 1 + with_items: "{{metrics_heapster_rc.stdout_lines}}" + loop_control: + loop_var: object diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml new file mode 100644 index 000000000..79556e923 --- /dev/null +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml 
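Review bot: The three `get rc` queries in this hunk are read-only but have no `changed_when`, so every run of the role reports three spurious changes, and only the heapster query carries `check_mode: no`; in check mode the cassandra and hawkular queries are skipped, their registered results have no `stdout_lines`, and the following `with_items` loops will likely fail on the undefined attribute. Give all three queries `changed_when: false` and `check_mode: no`, matching the heapster task, and consider adding a `name:` to each so the play output identifies which component is being queried. The new files also mix `{{var}}` and `{{ var }}` spacing inside Jinja braces; one convention across scale.yaml, start_metrics.yaml and stop_metrics.yaml would read more easily.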
@@ -0,0 +1,56 @@ +--- +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=heapster + -o name + -n {{openshift_metrics_project}} + register: metrics_heapster_rc + changed_when: "'No resources found' not in metrics_heapster_rc.stderr" + check_mode: no + +- name: Stop Heapster + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_heapster_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name + -n {{openshift_metrics_project}} + register: metrics_hawkular_rc + changed_when: "'No resources found' not in metrics_hawkular_rc.stderr" + +- name: Stop Hawkular Metrics + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_hawkular_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -o name + -l metrics-infra=hawkular-cassandra + -n {{openshift_metrics_project}} + register: metrics_cassandra_rc + changed_when: "'No resources found' not in metrics_cassandra_rc.stderr" + +- name: Stop Hawkular Cassandra + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_cassandra_rc.stdout_lines}}" + loop_control: + loop_var: object + when: metrics_cassandra_rc is defined + diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml index cf9b5171c..8a6be6237 100644 --- a/roles/openshift_metrics/tasks/uninstall_metrics.yaml +++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml 
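Review bot: `changed_when: "'No resources found' not in metrics_heapster_rc.stderr"` (and its equivalents on the hawkular and cassandra queries) marks a read-only `get rc` as changed whenever resources exist, so every uninstall run reports changes even when nothing was stopped; a query never alters state, so `changed_when: false` is the accurate setting here as in start_metrics.yaml. The final `when: metrics_cassandra_rc is defined` is always true because the variable is registered by the task directly above it even when that task is skipped, so the guard can be removed or replaced by a check on `metrics_cassandra_rc.stdout_lines`. Only the heapster query sets `check_mode: no`; the other two should match so that check mode does not fail on an undefined `stdout_lines`. The hunk also adds a trailing blank line at the end of the file.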
@@ -1,14 +1,19 @@ --- +- name: stop metrics + include: stop_metrics.yaml + - name: remove metrics components command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig - delete --selector=metrics-infra + delete --ignore-not-found --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" + - name: remove rolebindings command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader + changed_when: "delete_metrics.stdout != 'No resources found'" diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 7ce1a6a87..9a1c446cd 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -9,7 +9,7 @@ metadata: spec: selector: name: hawkular-cassandra-{{ node }} - replicas: 1 + replicas: 0 template: version: v1 metadata: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index 4314800a3..1397276e6 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 @@ -8,7 +8,7 @@ metadata: spec: selector: name: hawkular-metrics - replicas: 1 + replicas: 0 template: version: v1 metadata: diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index 04fb76982..f64c6696e 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 
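Review bot: The `changed_when` added to the "remove rolebindings" task evaluates `delete_metrics.stdout`, which is the result registered by the preceding "remove metrics components" task, not by this one; the rolebinding deletion registers nothing, so its changed status is always a copy of the previous task's. Add `register: delete_rolebindings` to the task and change the condition to `changed_when: "delete_rolebindings.stdout != 'No resources found'"`. Since both commands now pass `--ignore-not-found`, it is also worth checking what the client prints in that case, as an empty stdout would still count as a change under this condition.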
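Review bot: With `replicas: 0` baked into this template (and likewise in the hawkular_metrics_rc.j2 and heapster.j2 hunks that follow), every controller is created stopped and relies on start_metrics.yaml to scale it up, which is not visible from the template itself. A Jinja comment above the field, such as `{# created with 0 replicas; tasks/start_metrics.yaml scales the RC to the configured count #}`, would document the dependency. If the role is re-run against an existing deployment, applying this template would presumably set a running controller back to 0 replicas before the scale step restores it, restarting the component on each run; if that is not intended, the re-run behaviour is worth verifying.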
@@ -8,7 +8,7 @@ metadata: spec: selector: name: heapster - replicas: 1 + replicas: 0 template: version: v1 metadata: -- cgit v1.2.3 From 1e8928c96627218fdc422bfa3731f790699abfbb Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Fri, 6 Jan 2017 11:23:28 -0500 Subject: User provided certs pushed from control. vars reorg (#12) Merging per discussion and agreement from @bbguimaraes --- roles/openshift_metrics/README.md | 14 +++---- roles/openshift_metrics/defaults/main.yaml | 27 +++++++++---- .../tasks/generate_certificates.yaml | 2 + .../tasks/generate_hawkular_certificates.yaml | 2 +- .../openshift_metrics/tasks/install_hawkular.yaml | 47 ++++++++++++++-------- roles/openshift_metrics/tasks/install_metrics.yaml | 4 +- roles/openshift_metrics/templates/route.j2 | 12 ++++++ roles/openshift_metrics/vars/main.yaml | 6 +++ 8 files changed, 79 insertions(+), 35 deletions(-) (limited to 'roles/openshift_metrics/defaults') diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index 8c67d193d..f4c47c7bb 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md 
@@ -25,17 +25,17 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). - `openshift_metrics_image_version`: Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:v1.1", set version "v1.1". -- `openshift_metrics_master_url`: Internal URL for the master, for authentication retrieval. +- `openshift_metrics_hawkular_cert:` The certificate used for re-encrypting the route + to Hawkular metrics. The certificate must contain the hostname used by the route. + The default router certificate will be used if unspecified -- `openshift_metrics_hawkular_user_write_access`: If user accounts should be able to write - metrics. Defaults to 'false' so that only Heapster can write metrics and not - individual users. It is recommended to disable user write access, if enabled - any user will be able to write metrics to the system which can affect - performance and use Cassandra disk usage to unpredictably increase. +- `openshift_metrics_hawkular_key:` The key used with the Hawkular certificate + +- `openshift_metrics_hawkular_ca:` An optional certificate used to sign the Hawkular certificate. - `openshift_metrics_hawkular_replicas:` The number of replicas for Hawkular metrics. -- `openshift_metrics_cassandra_nodes`: The number of Cassandra Nodes to deploy for the +- `openshift_metrics_cassandra_replicas`: The number of Cassandra nodes to deploy for the initial cluster. - `openshift_metrics_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index c27943220..b99adf779 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml 
@@ -3,22 +3,19 @@ openshift_metrics_start_cluster: True openshift_metrics_install_metrics: True openshift_metrics_image_prefix: docker.io/openshift/origin- openshift_metrics_image_version: latest -openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local -openshift_metrics_project: openshift-infra -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_startup_timeout: 500 -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" -openshift_metrics_hawkular_user_write_access: False openshift_metrics_hawkular_replicas: 1 openshift_metrics_hawkular_limits_memory: 2.5G openshift_metrics_hawkular_limits_cpu: null openshift_metrics_hawkular_requests_memory: 1.5G openshift_metrics_hawkular_requests_cpu: null +openshift_metrics_hawkular_cert: "" +openshift_metrics_hawkular_key: "" +openshift_metrics_hawkular_ca: "" -openshift_metrics_cassandra_nodes: 1 +openshift_metrics_cassandra_replicas: 1 openshift_metrics_cassandra_storage_type: emptydir -openshift_metrics_cassandra_pv_prefix: metrics-cassandra openshift_metrics_cassandra_pv_size: 10Gi openshift_metrics_cassandra_limits_memory: 2G openshift_metrics_cassandra_limits_cpu: null @@ -26,7 +23,6 @@ openshift_metrics_cassandra_requests_memory: 1G openshift_metrics_cassandra_requests_cpu: null openshift_metrics_heapster_standalone: False -openshift_metrics_heapster_allowed_users: system:master-proxy openshift_metrics_heapster_limits_memory: 3.75G openshift_metrics_heapster_limits_cpu: null openshift_metrics_heapster_requests_memory: 0.9375G 
@@ -34,4 +30,19 @@ openshift_metrics_heapster_requests_cpu: null openshift_metrics_duration: 7 openshift_metrics_resolution: 15s + +##### +# Caution should be taken for the following defaults before +# overriding the values here +##### + +openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" +openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_node_id: nodename +openshift_metrics_project: openshift-infra + +openshift_metrics_cassandra_pv_prefix: metrics-cassandra + +openshift_metrics_hawkular_user_write_access: False + +openshift_metrics_heapster_allowed_users: system:master-proxy diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 66cfbca03..16a967aa7 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -4,6 +4,7 @@ path: "{{ openshift_metrics_certs_dir }}" state: directory mode: 0700 + - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} @@ -11,6 +12,7 @@ get secrets -o name register: metrics_secrets changed_when: false + - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 4e032ca7e..f36175735 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -3,7 +3,7 @@ include: setup_certificate.yaml vars: component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}" - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: 
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 1acc8948d..34a8c58b8 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -11,7 +11,7 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} - name: generate hawkular-cassandra persistent volume claims template: @@ -24,7 +24,7 @@ access_modes: - ReadWriteOnce size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'pv' - name: generate hawkular-cassandra persistent volume claims (dynamic) 
@@ -40,25 +40,38 @@ access_modes: - ReadWriteOnce size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'dynamic' - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert -- name: generate the hawkular-metrics route - template: - src: route.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml" - vars: - name: hawkular-metrics - labels: - metrics-infra: hawkular-metrics - host: "{{ openshift_metrics_hawkular_metrics_hostname }}" - to: - kind: Service +- block: + - set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }} + when: openshift_metrics_hawkular_key | exists + + - set_fact: hawkular_cert={{ lookup('file', openshift_metrics_hawkular_cert) }} + when: openshift_metrics_hawkular_cert | exists + + - set_fact: hawkular_ca={{ lookup('file', openshift_metrics_hawkular_ca) }} + when: openshift_metrics_hawkular_ca | exists + + - name: generate the hawkular-metrics route + template: + src: route.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml" + vars: name: hawkular-metrics - tls: - termination: reencrypt - destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}" + labels: + metrics-infra: hawkular-metrics + host: "{{ openshift_metrics_hawkular_hostname }}" + to: + kind: Service + name: hawkular-metrics + tls: + termination: reencrypt + key: "{{ hawkular_key | default('') }}" + certificate: "{{ hawkular_cert | default('') }}" + ca_certificate: "{{ hawkular_ca | default('') }}" + destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}" diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index a6a094a83..b45629b70 100644 
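Review bot: The `set_fact` tasks in the new block load the user-supplied TLS key, certificate and CA from the control node into facts, and `hawkular_key` is a private key: facts are printed under `-v`, stored by fact caching when enabled, and echoed in the task result, so this task should carry `no_log: true` (doing the same for the cert and CA tasks keeps the three consistent, though they hold public material). The guard `when: openshift_metrics_hawkular_key | exists` also means a typo in a user-provided path is silently skipped and the route is generated without the key, which would surface only as a TLS failure on the route; failing when the variable is non-empty but the file is missing would give a clear error instead. In expanded form the task would read `- set_fact:` / `hawkular_key: "{{ lookup('file', openshift_metrics_hawkular_key) }}"` / `no_log: true`, with the existing `when:` retained, which also avoids relying on key=value parsing for a multi-line PEM value.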
--- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,7 +1,7 @@ --- - name: check that hawkular_metrics_hostname is set - fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: openshift_metrics_hawkular_metrics_hostname is not defined + fail: msg='the openshift_metrics_hawkular_hostname variable is required' + when: openshift_metrics_hawkular_hostname is not defined - name: check the value of openshift_metrics_cassandra_storage_type fail: diff --git a/roles/openshift_metrics/templates/route.j2 b/roles/openshift_metrics/templates/route.j2 index a720c4959..08ca87288 100644 --- a/roles/openshift_metrics/templates/route.j2 +++ b/roles/openshift_metrics/templates/route.j2 @@ -16,6 +16,18 @@ spec: {% if tls is defined %} tls: termination: {{ tls.termination }} +{% if tls.ca_certificate is defined and tls.ca_certificate | length > 0 %} + CACertificate: | +{{ tls.ca_certificate|indent(6, true) }} +{% endif %} +{% if tls.key is defined and tls.key | length > 0 %} + key: | +{{ tls.key|indent(6, true) }} +{% endif %} +{% if tls.certificate is defined and tls.certificate | length > 0 %} + certificate: | +{{ tls.certificate|indent(6, true) }} +{% endif %} {% if tls.termination == 'reencrypt' %} destinationCACertificate: | {{ tls.destination_ca_certificate|indent(6, true) }} diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml index de3bb878d..4a3724e3f 100644 --- a/roles/openshift_metrics/vars/main.yaml +++ b/roles/openshift_metrics/vars/main.yaml @@ -1,3 +1,9 @@ +--- +# +# These vars are generally considered private and not expected to be altered +# by end users +# + openshift_metrics_cassandra_storage_types: - emptydir - pv -- cgit v1.2.3
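Review bot: The new `CACertificate:` key does not match the OpenShift Route API field name, which is `caCertificate` (lower-case `ca`, alongside `certificate`, `key` and `destinationCACertificate`); unknown fields are typically dropped silently unless validation is enabled, so a user-supplied CA chain would be accepted by `oc apply` and then simply not be served with the route certificate. Change the line to `caCertificate: |` so the field lands in `spec.tls`. The three new conditionals otherwise follow the pattern of the existing `destinationCACertificate` block, including the `indent(6, true)` used to nest the PEM under the key.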