20 files changed, 106 insertions, 124 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index a4a01670a..7741730ad 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -488,11 +488,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_master_logging_public_url=https://kibana.example.com
 # Configure the number of elastic search nodes, unless you're using dynamic provisioning
 # this value must be 1
-#openshift_logging_es_cluster_size=1
-#openshift_logging_kibana_hostname=logging.apps.example.com
+#openshift_hosted_logging_elasticsearch_cluster_size=1
+#openshift_hosted_logging_hostname=logging.apps.example.com
 # Configure the prefix and version for the deployer image
-#openshift_logging_image_prefix=registry.example.com:8888/openshift3/
-#openshift_logging_image_version=3.3.0
+#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/
+#openshift_hosted_logging_deployer_version=3.3.0
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 91ebf9936..3da9be081 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -482,18 +482,18 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # pods are deleted
 #
 # Other Logging Options -- Common items you may wish to reconfigure, for the complete
-# list of options please see roles/openshift_hosted_logging/README.md
+# list of options please see roles/openshift_logging/README.md
 #
 # Configure loggingPublicURL in the master config for aggregate logging, defaults
 # to https://kibana.{{ openshift_master_default_subdomain }}
 #openshift_master_logging_public_url=https://kibana.example.com
 # Configure the number of elastic search nodes, unless you're using dynamic provisioning
 # this value must be 1
-#openshift_logging_es_cluster_size=1
-#openshift_logging_kibana_hostname=logging.apps.example.com
+#openshift_hosted_logging_elasticsearch_cluster_size=1
+#openshift_hosted_logging_hostname=logging.apps.example.com
 # Configure the prefix and version for the deployer image
-#openshift_logging_image_prefix=registry.example.com:8888/openshift3/
-#openshift_logging_image_version=3.3.0
+#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/
+#openshift_hosted_logging_deployer_version=3.3.0
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
diff --git a/playbooks/adhoc/openshift_hosted_logging_efk.yaml b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
index e83351272..44a2ef534 100644
--- a/playbooks/adhoc/openshift_hosted_logging_efk.yaml
+++ b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
@@ -8,7 +8,7 @@ hosts: masters:!masters[0] pre_tasks: - set_fact: - logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" + openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" tasks: - include_role: name: openshift_logging
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 7b58eebc3..ca4f5b8b2 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
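Review bot: The renamed `set_fact` computes `openshift_logging_kibana_hostname` with the fallback `'kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))`, while roles/openshift_logging/defaults/main.yml in this same commit gives the same variable a different fallback, `kibana.{{openshift.common.dns_domain}}`, so the Kibana route hostname depends on which playbook is used and the `set_fact` (higher precedence) silently overrides the role default. The identical pre-task is duplicated in playbooks/common/openshift-cluster/openshift_hosted.yml. Either drop the pre-task and rely on the role default, or move the single fallback into the role so both entry points agree. The play's `hosts`/`pre_tasks` definition begins above the hunk.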
@@ -31,17 +31,17 @@ when: openshift_hosted_metrics_deploy | default(false) | bool - role: openshift_logging when: openshift_hosted_logging_deploy | default(false) | bool - openshift_logging_kibana_hostname: "{{ logging_hostname }}" - openshift_logging_kibana_ops_hostname: "{{ logging_ops_hostname }}" - openshift_logging_master_public_url: "{{ logging_master_public_url }}" - openshift_logging_es_cluster_size: "{{ logging_elasticsearch_cluster_size }}" - openshift_logging_es_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}" - openshift_logging_es_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}" - openshift_logging_es_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}" - openshift_logging_es_ops_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) =='dynamic' else '' }}" + openshift_hosted_logging_hostname: "{{ logging_hostname }}" + openshift_hosted_logging_ops_hostname: "{{ logging_ops_hostname }}" + openshift_hosted_logging_master_public_url: "{{ logging_master_public_url }}" + openshift_hosted_logging_elasticsearch_cluster_size: "{{ logging_elasticsearch_cluster_size }}" + openshift_hosted_logging_elasticsearch_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}" + openshift_hosted_logging_elasticsearch_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}" + openshift_hosted_logging_elasticsearch_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}" + openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) =='dynamic' else '' }}" - role: cockpit-ui when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool ) and not (openshift.docker.hosted_registry_insecure | default(false) | bool)
@@ -52,11 +52,11 @@ - hosted pre_tasks: - set_fact: - logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" + openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" tasks: - block: - include_role: - name: openshift_hosted_logging + name: openshift_logging tasks_from: update_master_config when: openshift_hosted_logging_deploy | default(false) | bool
diff --git a/roles/lib_openshift/tasks/main.yml b/roles/lib_openshift/tasks/main.yml
index 157cf8f7f..2980c8a8d 100644
--- a/roles/lib_openshift/tasks/main.yml
+++ b/roles/lib_openshift/tasks/main.yml
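Review bot: The first hunk still feeds the role `openshift_hosted_logging_hostname: "{{ logging_hostname }}"` (likewise `logging_ops_hostname`, `logging_master_public_url` and the two cluster sizes), while the second hunk renames the play's `set_fact` key from `logging_hostname:` to `openshift_logging_kibana_hostname:`; if no other `set_fact` in the masters play still defines `logging_hostname`, the role receives an undefined variable and the play fails at template time. Either keep `logging_hostname` in the `set_fact` or pass `"{{ openshift_logging_kibana_hostname }}"` to the role. The role parameter `openshift_hosted_logging_elasticsearch_pvc_dynamic` is `''` when storage is not dynamic, which is a defined value, so the `| default(False)` in the role defaults never applies and the role relies on `'' | bool` being false — worth a one-line comment next to that parameter. Both plays begin outside the hunks.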
@@ -1,12 +1,5 @@ --- - name: lib_openshift ensure python-ruamel-yaml package is on target package: - name: "{{ item }}" + name: python-ruamel-yaml state: present - with_items: - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md
index 9394977c0..f7b2f7743 100644
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -24,8 +24,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log
 - `openshift_logging_image_prefix`: The prefix for the logging images to use. Defaults to 'docker.io/openshift/origin-'.
 - `openshift_logging_image_version`: The image version for the logging images to use. Defaults to 'latest'.
 - `openshift_logging_use_ops`: If 'True', set up a second ES and Kibana cluster for infrastructure logs. Defaults to 'False'.
-- `master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.cluster.local'.
-- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://localhost:8443'.
+- `openshift_logging_master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.{{openshift.common.dns_domain}}'.
+- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://{{openshift.common.public_hostname}}:8443'.
 - `openshift_logging_namespace`: The namespace that Aggregated Logging will be installed in. Defaults to 'logging'.
 - `openshift_logging_curator_default_days`: The default minimum age (in days) Curator uses for deleting log records. Defaults to '30'.
 - `openshift_logging_curator_run_hour`: The hour of the day that Curator will run at. Defaults to '0'.
@@ -51,8 +51,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log
 - `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'.
 - `openshift_logging_fluentd_memory_limit`: The memory limit for Fluentd pods. Defaults to '512Mi'.
 - `openshift_logging_fluentd_es_copy`: Whether or not to use the ES_COPY feature for Fluentd (DEPRECATED). Defaults to 'False'.
-- `openshift_logging_fluentd_use_journal`: Whether or not Fluentd should read log entries from Journal. Defaults to 'False'. NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver and may overwrite this value.
-- `openshift_logging_fluentd_journal_read_from_head`: Whether or not Fluentd will try to read from the head of Journal when first starting up, using this may cause a delay in ES receiving current log records. Defaults to 'False'.
+- `openshift_logging_fluentd_use_journal`: NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver when using the default of empty.
+- `openshift_logging_fluentd_journal_read_from_head`: If empty, Fluentd will use its internal default, which is false.
 - `openshift_logging_fluentd_hosts`: List of nodes that should be labeled for Fluentd to be deployed to. Defaults to ['--all'].
 - `openshift_logging_es_host`: The name of the ES service Fluentd should send logs to. Defaults to 'logging-es'.
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index ead59c029..73849f46a 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -1,9 +1,9 @@
 ---
-openshift_logging_image_prefix: docker.io/openshift/origin-
-openshift_logging_image_version: latest
+openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default(docker.io/openshift/origin-) }}"
+openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default(latest) }}"
 openshift_logging_use_ops: False
-master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
-openshift_logging_master_public_url: "https://{{openshift.common.public_hostname}}:8443"
+openshift_logging_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
+openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default(https://{{openshift.common.public_hostname}}:8443) }}"
 openshift_logging_namespace: logging
 openshift_logging_install_logging: True
@@ -19,7 +19,7 @@ openshift_logging_curator_memory_limit: null
 openshift_logging_curator_ops_cpu_limit: 100m
 openshift_logging_curator_ops_memory_limit: null
-openshift_logging_kibana_hostname: "kibana.{{openshift.common.dns_domain}}"
+openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default(kibana.{{openshift.common.dns_domain}}) }}"
 openshift_logging_kibana_cpu_limit: null
 openshift_logging_kibana_memory_limit: null
 openshift_logging_kibana_proxy_debug: false
@@ -27,7 +27,7 @@ openshift_logging_kibana_proxy_cpu_limit: null
 openshift_logging_kibana_proxy_memory_limit: null
 openshift_logging_kibana_replica_count: 1
-openshift_logging_kibana_ops_hostname: "kibana-ops.{{openshift.common.dns_domain}}"
+openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default(kibana-ops.{{openshift.common.dns_domain}}) }}"
 openshift_logging_kibana_ops_cpu_limit: null
 openshift_logging_kibana_ops_memory_limit: null
 openshift_logging_kibana_ops_proxy_debug: false
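Review bot: The new defaults pass unquoted literals to `default()`: `default(docker.io/openshift/origin-)`, `default(latest)`, `default(https://{{openshift.common.public_hostname}}:8443)` here, and `default(kibana.{{openshift.common.dns_domain}})`, `default(kibana-ops.{{openshift.common.dns_domain}})`, `default(logging-es)` and `default(logging-es-ops)` in the following hunks of this file. Jinja reads those as expressions (undefined names, a dangling `-`, a nested `{{`), so rendering either raises a template error or yields an undefined value instead of the intended string; only `default(1)`, `default(False)` and `default('')` are well-formed. Quote the string defaults and build the URL and hostnames with `~` rather than nesting `{{ }}`:
```yaml
openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}"
openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}"
# … unchanged: openshift_logging_use_ops, openshift_logging_master_url …
openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://' ~ openshift.common.public_hostname ~ ':8443') }}"
# … unchanged: curator and kibana limits …
openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ openshift.common.dns_domain) }}"
# … unchanged: kibana proxy settings …
openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default('kibana-ops.' ~ openshift.common.dns_domain) }}"
# … later hunks of this file …
openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
openshift_logging_es_ops_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_prefix | default('logging-es-ops') }}"
```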
@@ -39,8 +39,8 @@ openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'}
 openshift_logging_fluentd_cpu_limit: 100m
 openshift_logging_fluentd_memory_limit: 512Mi
 openshift_logging_fluentd_es_copy: false
-openshift_logging_fluentd_use_journal: false
-openshift_logging_fluentd_journal_read_from_head: false
+openshift_logging_fluentd_use_journal: ''
+openshift_logging_fluentd_journal_read_from_head: ''
 openshift_logging_fluentd_hosts: ['--all']
 openshift_logging_es_host: logging-es
@@ -48,13 +48,13 @@ openshift_logging_es_port: 9200
 openshift_logging_es_ca: /etc/fluent/keys/ca
 openshift_logging_es_client_cert: /etc/fluent/keys/cert
 openshift_logging_es_client_key: /etc/fluent/keys/key
-openshift_logging_es_cluster_size: 1
+openshift_logging_es_cluster_size: "{{ openshift_hosted_logging_elasticsearch_cluster_size | default(1) }}"
 openshift_logging_es_cpu_limit: null
 openshift_logging_es_memory_limit: 1024Mi
 openshift_logging_es_pv_selector: null
-openshift_logging_es_pvc_dynamic: False
-openshift_logging_es_pvc_size: ""
-openshift_logging_es_pvc_prefix: logging-es
+openshift_logging_es_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_pvc_dynamic | default(False) }}"
+openshift_logging_es_pvc_size: "{{ openshift_hosted_logging_elasticsearch_pvc_size | default('') }}"
+openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default(logging-es) }}"
 openshift_logging_es_recover_after_time: 5m
 openshift_logging_es_storage_group: 65534
@@ -66,13 +66,13 @@ openshift_logging_es_ops_port: 9200
 openshift_logging_es_ops_ca: /etc/fluent/keys/ca
 openshift_logging_es_ops_client_cert: /etc/fluent/keys/cert
 openshift_logging_es_ops_client_key: /etc/fluent/keys/key
-openshift_logging_es_ops_cluster_size: 1
+openshift_logging_es_ops_cluster_size: "{{ openshift_hosted_logging_elasticsearch_ops_cluster_size | default(1) }}"
 openshift_logging_es_ops_cpu_limit: null
 openshift_logging_es_ops_memory_limit: 1024Mi
 openshift_logging_es_ops_pv_selector: None
-openshift_logging_es_ops_pvc_dynamic: False
-openshift_logging_es_ops_pvc_size: ""
-openshift_logging_es_ops_pvc_prefix: logging-es-ops
+openshift_logging_es_ops_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_dynamic | default(False) }}"
+openshift_logging_es_ops_pvc_size: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_size | default('') }}"
+openshift_logging_es_ops_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_prefix | default(logging-es-ops) }}"
 openshift_logging_es_ops_recover_after_time: 5m
 openshift_logging_es_ops_storage_group: 65534
diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2
index de6258eaa..b7bc15b62 100644
--- a/roles/openshift_logging/templates/curator.j2
+++ b/roles/openshift_logging/templates/curator.j2
@@ -48,7 +48,7 @@ spec: env: - name: "K8S_HOST_URL" - value: "{{master_url}}" + value: "{{openshift_logging_master_url}}" - name: "ES_HOST" value: "{{es_host}}"
diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2
index b6c91f8ed..223d342b9 100644
--- a/roles/openshift_logging/templates/fluentd.j2
+++ b/roles/openshift_logging/templates/fluentd.j2
@@ -61,7 +61,7 @@ spec: readOnly: true env: - name: "K8S_HOST_URL" - value: "{{master_url}}" + value: "{{openshift_logging_master_url}}" - name: "ES_HOST" value: "{{openshift_logging_es_host}}" - name: "ES_PORT"
diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2
index 3a9e03768..be9b45ab4 100644
--- a/roles/openshift_logging/templates/kibana.j2
+++ b/roles/openshift_logging/templates/kibana.j2
@@ -90,7 +90,7 @@ spec: value: kibana-proxy - name: "OAP_MASTER_URL" - value: {{master_url}} + value: {{openshift_logging_master_url}} - name: "OAP_PUBLIC_MASTER_URL" value: {{openshift_logging_master_public_url}}
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
index 17614f716..0cfbac8a9 100644
--- a/roles/openshift_metrics/defaults/main.yaml
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -23,6 +23,7 @@ openshift_metrics_cassandra_limits_cpu: null
 openshift_metrics_cassandra_requests_memory: 1G
 openshift_metrics_cassandra_requests_cpu: null
 openshift_metrics_cassandra_nodeselector: ""
+openshift_metrics_cassandra_storage_group: 65534
 openshift_metrics_heapster_standalone: False
 openshift_metrics_heapster_limits_memory: 3.75G
@@ -31,6 +32,8 @@ openshift_metrics_heapster_requests_memory: 0.9375G
 openshift_metrics_heapster_requests_cpu: null
 openshift_metrics_heapster_nodeselector: ""
+openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}"
+
 openshift_metrics_duration: 7
 openshift_metrics_resolution: 15s
@@ -39,7 +42,6 @@ openshift_metrics_resolution: 15s
 # overriding the values here
 #####
-openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
 openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local
 openshift_metrics_node_id: nodename
 openshift_metrics_project: openshift-infra
diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml
index 4925275e8..f7cba0093 100644
--- a/roles/openshift_metrics/tasks/generate_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_certificates.yaml
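Review bot: `openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}"` references the inventory variable with no `default`, whereas the logging playbooks in this commit fall back when `openshift_master_default_subdomain` is unset; an inventory without it now fails on this default rather than on a clear message, so either guard it (`"hawkular-metrics.{{ openshift_master_default_subdomain | default(openshift.common.dns_domain) }}"`) or document it as required. The new `openshift_metrics_cassandra_storage_group: 65534` is rendered straight into a pod `securityContext` by templates/hawkular_cassandra_rc.j2 (same commit) and deserves a comment saying so, e.g. `# numeric GID added to the Cassandra pod's supplementalGroups (see templates/hawkular_cassandra_rc.j2)`, since a non-integer value produces a replication controller the API server rejects. Removing `openshift_metrics_certs_dir` drops the only persistent location for the metrics signer CA; that is intentional per the task-file hunks, but the role README (not on this page) should state that the CA is regenerated on every run.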
@@ -1,11 +1,11 @@ --- - name: generate ca certificate chain - shell: > + command: > {{ openshift.common.admin_binary }} ca create-signer-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/ca.key' - --cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + --key='{{ mktemp.stdout }}/ca.key' + --cert='{{ mktemp.stdout }}/ca.crt' + --serial='{{ mktemp.stdout }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" - when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists + - include: generate_hawkular_certificates.yaml
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
index 9333d341c..854697abb 100644
--- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -13,13 +13,13 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd register: cassandra_truststore_password -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password -- stat: path="{{openshift_metrics_certs_dir}}/{{item}}" +- stat: path="{{mktemp.stdout}}/{{item}}" register: pwd_file_stat with_items: - hawkular-metrics.pwd
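Review bot: Switching `shell: >` to `command: >` breaks the unchanged `--name="metrics-signer@$(date +%s)"` argument: the command module does not invoke a shell, so no command substitution happens and the signer's name becomes the literal string `metrics-signer@$(date +%s)`. Use `--name='metrics-signer@{{ ansible_date_time.epoch }}'` (needs fact gathering) or keep `shell:`. Dropping the `when: not ... | exists` guard together with the move from `openshift_metrics_certs_dir` to `mktemp.stdout` means a fresh signer CA, key and serial file are created on every run; the heapster block in generate_heapster_certificates.yaml in this same commit leaves an existing `secret/heapster-secrets` untouched, so on a second run its certificate would presumably no longer chain to the CA the other components are issued from — confirm whether every dependent secret is rotated each run, and if not either persist the CA or regenerate all dependents together.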
@@ -32,44 +32,33 @@ with_items: "{{pwd_file_stat.results}}" changed_when: no -- name: Create temp directory local on control node - local_action: command mktemp -d - register: local_tmp - changed_when: False - - name: generate password for hawkular metrics and jgroups local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}" with_items: - hawkular-metrics - hawkular-jgroups-keystore - when: "not pwd_files['{{ item }}.pwd'].exists" - name: generate htpasswd file for hawkular metrics local_action: > shell htpasswd -ci '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular < '{{ local_tmp.stdout }}/hawkular-metrics.pwd' - when: "not pwd_files['hawkular-metrics.htpasswd'].exists" - name: copy local generated passwords to target copy: src: "{{local_tmp.stdout}}/{{item}}" - dest: "{{openshift_metrics_certs_dir}}/{{item}}" + dest: "{{mktemp.stdout}}/{{item}}" with_items: - hawkular-metrics.pwd - hawkular-metrics.htpasswd - hawkular-jgroups-keystore.pwd - when: "not pwd_files['{{ item }}'].exists" - include: import_jks_certs.yaml -- local_action: file path="{{local_tmp.stdout}}" state=absent - changed_when: False - - name: read files for the hawkular-metrics secret shell: > printf '%s: ' '{{ item }}' - && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' + && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}' register: hawkular_secrets with_items: - ca.crt
diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
index 2449b1518..ced2df1d0 100644
--- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
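Review bot: With the three `when: "not pwd_files[...]"` guards removed, the `stat ... register: pwd_file_stat` task in the previous hunk and the `pwd_files` lookup fed by the `with_items: "{{pwd_file_stat.results}}"` context line at the top of this hunk appear to have no remaining readers on this page; if nothing else consumes them, drop them so the role does not stat a temp directory it created moments earlier. The hawkular-metrics and jgroups passwords and the htpasswd file are now regenerated on every run and staged in `local_tmp` on the control node, with their removal moved to roles/openshift_metrics/tasks/main.yaml in this commit; a comment such as `# passwords are regenerated each run; local_tmp is removed by tasks/main.yaml` above the first generation task would make that contract visible here. The task list continues outside the hunk.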
@@ -3,13 +3,12 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/heapster.key' - --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' + --key='{{ mktemp.stdout }}/heapster.key' + --cert='{{ mktemp.stdout }}/heapster.cert' --hostnames=heapster - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines" block:
@@ -17,11 +16,11 @@ slurp: src={{ item }} register: heapster_secret with_items: - - "{{ openshift_metrics_certs_dir }}/heapster.cert" - - "{{ openshift_metrics_certs_dir }}/heapster.key" + - "{{ mktemp.stdout }}/heapster.cert" + - "{{ mktemp.stdout }}/heapster.key" - "{{ client_ca }}" vars: - custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt" + custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt" default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt" client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}" - name: generate heapster secret template
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
index 16fd8d9f8..57ec70c79 100644
--- a/roles/openshift_metrics/tasks/import_jks_certs.yaml
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
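Review bot: In the second hunk, `custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt"` now points into the per-run temp directory, and nothing on this page writes `heapster_client_ca.crt` there, so `client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"` looks like it can only ever resolve to the master `ca-bundle.crt`; an operator-supplied client CA that used to be placed in `openshift_metrics_certs_dir` is silently ignored. Either drop the `custom_ca` branch and document that the master bundle is the heapster client CA, or source the override from an explicit inventory variable (a path) instead of the temp dir. The surrounding `block:` continues outside the hunk.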
@@ -1,37 +1,37 @@ --- -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore" register: cassandra_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore" register: cassandra_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore" register: metrics_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.truststore" register: metrics_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-jgroups.keystore" register: jgroups_keystore check_mode: no - block: - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd register: metrics_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd register: cassandra_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-jgroups-keystore.pwd register: jgroups_keystore_password - fetch: dest: "{{local_tmp.stdout}}/" - src: "{{ openshift_metrics_certs_dir }}/{{item}}" + src: "{{ mktemp.stdout }}/{{item}}" flat: yes changed_when: False with_items:
@@ -52,7 +52,7 @@ changed_when: False - copy: - dest: "{{openshift_metrics_certs_dir}}/" + dest: "{{mktemp.stdout}}/" src: "{{item}}" with_fileglob: "{{local_tmp.stdout}}/*.*store"
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
index 1ba11efa8..6b37f85ab 100644
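Review bot: The five `stat: path="{{mktemp.stdout}}/hawkular-*.keystore"` tasks at the top of the first hunk now probe a directory that `mktemp` created earlier in the same run, so `cassandra_keystore.stat.exists` and the other four registers can only be true if a task in this run already produced those files; whichever `when:` consumes them (outside the hunk) should be checked for a branch that is now always taken. If the checks are kept, a comment such as `# mktemp.stdout is per-run, so these only detect keystores built earlier in this run` would stop the next reader from assuming they resume a previous install. The `fetch:` task stages the keystores and their `.pwd` files under `local_tmp` on the control node until roles/openshift_metrics/tasks/main.yaml (this commit) removes it; the `block:` continues outside the hunk.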
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
@@ -17,7 +17,7 @@ changed_when: false - name: read hawkular-metrics route destination ca certificate - slurp: src={{ openshift_metrics_certs_dir }}/ca.crt + slurp: src={{ mktemp.stdout }}/ca.crt register: metrics_route_dest_ca_cert changed_when: false
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
index d03d4176b..1eebff3bf 100644
--- a/roles/openshift_metrics/tasks/main.yaml
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -9,6 +9,11 @@ changed_when: False when: "{{ openshift_metrics_install_metrics | bool }}" +- name: Create temp directory local on control node + local_action: command mktemp -d + register: local_tmp + changed_when: False + - name: Copy the admin client config(s) command: > cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
@@ -17,3 +22,9 @@ tags: metrics_init - include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}" + +- name: Delete temp directory + local_action: file path=local_tmp.stdout state=absent + tags: metrics_cleanup + changed_when: False + check_mode: no
diff --git a/roles/openshift_metrics/tasks/pre_install.yaml b/roles/openshift_metrics/tasks/pre_install.yaml
index 262acd546..2e2013d40 100644
--- a/roles/openshift_metrics/tasks/pre_install.yaml
+++ b/roles/openshift_metrics/tasks/pre_install.yaml
@@ -12,12 +12,6 @@ - openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - "not {{ openshift_metrics_heapster_standalone | bool }}" -- name: create certificate output directory - file: - path: "{{ openshift_metrics_certs_dir }}" - state: directory - mode: 0700 - - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }}
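Review bot: The new cleanup task in roles/openshift_metrics/tasks/main.yaml, `local_action: file path=local_tmp.stdout state=absent`, is missing the Jinja delimiters, so it removes a file literally named `local_tmp.stdout` in the working directory while the real temp directory — which by then holds the fetched keystores, the keystore/truststore passwords and the htpasswd file — stays behind on the control node; it should read `local_action: file path="{{ local_tmp.stdout }}" state=absent`. The deletion also only runs if every task before it succeeds; since the `include:` between the two hunks does the bulk of the work, consider wrapping that include in a `block:` with the deletion under `always:` so the secrets are removed on failure as well. The `tags: metrics_cleanup` on the delete task and `tags: metrics_init` on the copy task mean a tag-filtered run can create the directory without ever deleting it; worth a one-line comment.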
diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml
index 5ca8f4462..199968579 100644
--- a/roles/openshift_metrics/tasks/setup_certificate.yaml
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml
@@ -3,50 +3,41 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' - --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' + --key='{{ mktemp.stdout }}/{{ component }}.key' + --cert='{{ mktemp.stdout }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - slurp: src={{item}} register: component_certs with_items: - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.key' + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.crt' - name: generate {{ component }} certificate copy: - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + dest: '{{ mktemp.stdout }}/{{ component }}.pem' content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}" - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' - when: > - not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + dest: '{{ mktemp.stdout }}/{{ component }}-keystore.pwd' -- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd +- slurp: src={{ mktemp.stdout | quote }}/{{ component|quote }}-keystore.pwd register: keystore_password - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' - -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' + -in '{{ mktemp.stdout }}/{{ component }}.pem' + -out '{{ mktemp.stdout }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter -password 'pass:{{keystore_password.content | b64decode }}' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: generate random password for the {{ component }} truststore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' - when: > - not - '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists + dest: '{{ mktemp.stdout | quote }}/{{ component|quote }}-truststore.pwd'
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
index 6f6efc469..504476dc4 100644
--- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
@@ -19,6 +19,9 @@ spec: type: hawkular-cassandra spec: serviceAccount: cassandra + securityContext: + supplementalGroups: + - {{openshift_metrics_cassandra_storage_group}} {% if node_selector is iterable and node_selector | length > 0 %} nodeSelector: {% for key, value in node_selector.iteritems() %} |
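Review bot: The three `copy:` tasks that now write into `mktemp.stdout` — `{{ component }}.pem` (private key concatenated with the certificate), `{{ component }}-keystore.pwd` and `{{ component }}-truststore.pwd` — set no `mode:`, so the files take the target's umask and rely entirely on the temp directory's permissions; add `mode: 0600` under each `dest:` line so the key material is not group- or world-readable even if the directory is created more permissively than `mktemp -d`'s default. The unchanged `openssl pkcs12 ... -password 'pass:{{keystore_password.content | b64decode }}'` line passes the keystore password on the command line, where it is visible in process listings on the target for the duration of the call; that predates this commit, but since the password is now regenerated on every run a `# TODO: feed the password via -password stdin instead of the argv` note would keep it on the radar. The task list begins and ends outside the hunk.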
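Review bot: The added `securityContext:` is at pod level, so `supplementalGroups: - {{openshift_metrics_cassandra_storage_group}}` grants that GID to every container in the Cassandra pod, and the value is emitted unquoted and unvalidated, so a non-integer inventory value yields a replication controller the API server rejects. A Jinja comment above the block, `{# pod-level: GID from openshift_metrics_cassandra_storage_group applies to all containers; must be an integer #}`, records both points for the next reader. The `{% if node_selector ... %}` block that follows continues outside the hunk.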