summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorRich Megginson <rmeggins@redhat.com>2017-05-24 10:48:49 -0600
committerRich Megginson <rmeggins@redhat.com>2017-06-07 19:38:50 -0600
commit3973b9fd6fcb80c639c1435e017976319b8c08df (patch)
tree98749395d4a8afb95a3e09bb29a17628b3d895e2 /roles
parentedf1d68ff01b6fc448b721c04d57ac39f80c07da (diff)
downloadopenshift-3973b9fd6fcb80c639c1435e017976319b8c08df.tar.gz
openshift-3973b9fd6fcb80c639c1435e017976319b8c08df.tar.bz2
openshift-3973b9fd6fcb80c639c1435e017976319b8c08df.tar.xz
openshift-3973b9fd6fcb80c639c1435e017976319b8c08df.zip
fix es routes for new logging roles
port the code that creates the external Elasticsearch routes to the new logging roles Have to suppress this error message: SSL Problem illegal change cipher spec msg, conn state = 6, handshake state = 1 which is coming from the router health check, until https://github.com/openshift/origin/issues/14515 is fixed - otherwise, the es log is spammed relentlessly
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_logging/tasks/install_logging.yaml12
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/main.yaml69
-rw-r--r--roles/openshift_logging_elasticsearch/templates/elasticsearch-logging.yml.j212
-rw-r--r--roles/openshift_logging_elasticsearch/templates/route_reencrypt.j236
4 files changed, 129 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 7c1062b77..66dc0e096 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -119,6 +119,12 @@
openshift_logging_elasticsearch_pvc_size: "{{ openshift_logging_es_pvc_size }}"
openshift_logging_elasticsearch_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic }}"
openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_pv_selector }}"
+ openshift_logging_es_key: "{{ openshift_logging_es_ops_key }}"
+ openshift_logging_es_cert: "{{ openshift_logging_es_ops_cert }}"
+ openshift_logging_es_ca_ext: "{{ openshift_logging_es_ops_ca_ext }}"
+ openshift_logging_es_hostname: "{{ openshift_logging_es_ops_hostname }}"
+ openshift_logging_es_edge_term_policy: "{{ openshift_logging_es_ops_edge_term_policy | default('') }}"
+ openshift_logging_es_allow_external: "{{ openshift_logging_es_ops_allow_external }}"
with_together:
- "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs }}"
@@ -141,6 +147,12 @@
openshift_logging_elasticsearch_pvc_size: "{{ openshift_logging_es_pvc_size }}"
openshift_logging_elasticsearch_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic }}"
openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_pv_selector }}"
+ openshift_logging_es_key: "{{ openshift_logging_es_ops_key }}"
+ openshift_logging_es_cert: "{{ openshift_logging_es_ops_cert }}"
+ openshift_logging_es_ca_ext: "{{ openshift_logging_es_ops_ca_ext }}"
+ openshift_logging_es_hostname: "{{ openshift_logging_es_ops_hostname }}"
+ openshift_logging_es_edge_term_policy: "{{ openshift_logging_es_ops_edge_term_policy | default('') }}"
+ openshift_logging_es_allow_external: "{{ openshift_logging_es_ops_allow_external }}"
with_sequence: count={{ openshift_logging_es_ops_cluster_size | int - openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() | count }}
when:
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index 7e88a7498..8c62a76a5 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -269,6 +269,75 @@
- "{{ tempdir }}/templates/logging-es-dc.yml"
delete_after: true
+- name: Retrieving the cert to use when generating secrets for the {{ es_component }} component
+ slurp:
+ src: "{{ generated_certs_dir }}/{{ item.file }}"
+ register: key_pairs
+ with_items:
+ - { name: "ca_file", file: "ca.crt" }
+ - { name: "es_key", file: "system.logging.es.key" }
+ - { name: "es_cert", file: "system.logging.es.crt" }
+ when: openshift_logging_es_allow_external | bool
+
+- set_fact:
+ es_key: "{{ lookup('file', openshift_logging_es_key) | b64encode }}"
+ when:
+ - openshift_logging_es_key | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact:
+ es_cert: "{{ lookup('file', openshift_logging_es_cert) | b64encode }}"
+ when:
+ - openshift_logging_es_cert | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact:
+ es_ca: "{{ lookup('file', openshift_logging_es_ca_ext) | b64encode }}"
+ when:
+ - openshift_logging_es_ca_ext | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact:
+ es_ca: "{{ key_pairs | entry_from_named_pair('ca_file') }}"
+ when:
+ - es_ca is not defined
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- name: Generating Elasticsearch {{ es_component }} route template
+ template:
+ src: route_reencrypt.j2
+ dest: "{{mktemp.stdout}}/templates/logging-{{ es_component }}-route.yaml"
+ vars:
+ obj_name: "logging-{{ es_component }}"
+ route_host: "{{ openshift_logging_es_hostname }}"
+ service_name: "logging-{{ es_component }}"
+ tls_key: "{{ es_key | default('') | b64decode }}"
+ tls_cert: "{{ es_cert | default('') | b64decode }}"
+ tls_ca_cert: "{{ es_ca | b64decode }}"
+ tls_dest_ca_cert: "{{ key_pairs | entry_from_named_pair('ca_file') | b64decode }}"
+ edge_term_policy: "{{ openshift_logging_es_edge_term_policy | default('') }}"
+ labels:
+ component: support
+ logging-infra: support
+ provider: openshift
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool
+
+# This currently has an issue if the host name changes
+- name: Setting Elasticsearch {{ es_component }} route
+ oc_obj:
+ state: present
+ name: "logging-{{ es_component }}"
+ namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+ kind: route
+ files:
+ - "{{ tempdir }}/templates/logging-{{ es_component }}-route.yaml"
+ when: openshift_logging_es_allow_external | bool
+
## Placeholder for migration when necessary ##
- name: Delete temp directory
diff --git a/roles/openshift_logging_elasticsearch/templates/elasticsearch-logging.yml.j2 b/roles/openshift_logging_elasticsearch/templates/elasticsearch-logging.yml.j2
index 377abe21f..38948ba2f 100644
--- a/roles/openshift_logging_elasticsearch/templates/elasticsearch-logging.yml.j2
+++ b/roles/openshift_logging_elasticsearch/templates/elasticsearch-logging.yml.j2
@@ -35,6 +35,12 @@ appender:
layout:
type: consolePattern
conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
+ # need this filter until https://github.com/openshift/origin/issues/14515 is fixed
+ filter:
+ 1:
+ type: org.apache.log4j.varia.StringMatchFilter
+ StringToMatch: "SSL Problem illegal change cipher spec msg, conn state = 6, handshake state = 1"
+ AcceptOnMatch: false
file:
type: dailyRollingFile
@@ -43,6 +49,12 @@ appender:
layout:
type: pattern
conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
+ # need this filter until https://github.com/openshift/origin/issues/14515 is fixed
+ filter:
+ 1:
+ type: org.apache.log4j.varia.StringMatchFilter
+ StringToMatch: "SSL Problem illegal change cipher spec msg, conn state = 6, handshake state = 1"
+ AcceptOnMatch: false
# Use the following log4j-extras RollingFileAppender to enable gzip compression of log files.
# For more information see https://logging.apache.org/log4j/extras/apidocs/org/apache/log4j/rolling/RollingFileAppender.html
diff --git a/roles/openshift_logging_elasticsearch/templates/route_reencrypt.j2 b/roles/openshift_logging_elasticsearch/templates/route_reencrypt.j2
new file mode 100644
index 000000000..cf8a9e65f
--- /dev/null
+++ b/roles/openshift_logging_elasticsearch/templates/route_reencrypt.j2
@@ -0,0 +1,36 @@
+apiVersion: "v1"
+kind: "Route"
+metadata:
+ name: "{{obj_name}}"
+{% if labels is defined%}
+ labels:
+{% for key, value in labels.iteritems() %}
+ {{key}}: {{value}}
+{% endfor %}
+{% endif %}
+spec:
+ host: {{ route_host }}
+ tls:
+{% if tls_key is defined and tls_key | length > 0 %}
+ key: |
+{{ tls_key|indent(6, true) }}
+{% if tls_cert is defined and tls_cert | length > 0 %}
+ certificate: |
+{{ tls_cert|indent(6, true) }}
+{% endif %}
+{% endif %}
+ caCertificate: |
+{% for line in tls_ca_cert.split('\n') %}
+ {{ line }}
+{% endfor %}
+ destinationCACertificate: |
+{% for line in tls_dest_ca_cert.split('\n') %}
+ {{ line }}
+{% endfor %}
+ termination: reencrypt
+{% if edge_term_policy is defined and edge_term_policy | length > 0 %}
+ insecureEdgeTerminationPolicy: {{ edge_term_policy }}
+{% endif %}
+ to:
+ kind: Service
+ name: {{ service_name }}