25 files changed, 251 insertions, 203 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 83ad0900b..27e445405 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.6.4-1 ./
+3.6.6-1 ./
diff --git a/callback_plugins/openshift_quick_installer.py b/callback_plugins/openshift_quick_installer.py
index b4c7edd38..c0fdbc650 100644
--- a/callback_plugins/openshift_quick_installer.py
+++ b/callback_plugins/openshift_quick_installer.py
@@ -54,6 +54,12 @@ class CallbackModule(CallbackBase):
 plays_count = 0
 plays_total_ran = 0
+ def __init__(self):
+ """Constructor, ensure standard self.*s are set"""
+ self._play = None
+ self._last_task_banner = None
+ super(CallbackModule, self).__init__()
+
 def banner(self, msg, color=None):
 '''Prints a header-looking line with stars taking up to 80 columns of width (3 columns, minimum)
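Review bot: `__init__` is declared as `def __init__(self)` with no further parameters, so if the plugin is ever constructed with the `display` argument that `CallbackBase.__init__` accepts, instantiation fails with a TypeError; `def __init__(self, *args, **kwargs):` forwarding to `super(CallbackModule, self).__init__(*args, **kwargs)` keeps the override transparent to the loader. The two attributes are assigned before the super call, which only works if the base constructor never touches them — presumably true today, but calling super first makes the ordering irrelevant. The class body continues outside the hunk.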
@@ -68,6 +74,29 @@ class CallbackModule(CallbackBase):
 stars = "*" * star_len
 self._display.display("\n%s %s" % (msg, stars), color=color, log_only=True)
+ def _print_task_banner(self, task):
+ """Imported from the upstream 'default' callback"""
+ # args can be specified as no_log in several places: in the task or in
+ # the argument spec. We can check whether the task is no_log but the
+ # argument spec can't be because that is only run on the target
+ # machine and we haven't run it thereyet at this time.
+ #
+ # So we give people a config option to affect display of the args so
+ # that they can secure this if they feel that their stdout is insecure
+ # (shoulder surfing, logging stdout straight to a file, etc).
+ args = ''
+ if not task.no_log and C.DISPLAY_ARGS_TO_STDOUT:
+ args = ', '.join('%s=%s' % a for a in task.args.items())
+ args = ' %s' % args
+
+ self.banner(u"TASK [%s%s]" % (task.get_name().strip(), args))
+ if self._display.verbosity >= 2:
+ path = task.get_path()
+ if path:
+ self._display.display(u"task path: %s" % path, color=C.COLOR_DEBUG, log_only=True)
+
+ self._last_task_banner = task._uuid
+
 def v2_playbook_on_start(self, playbook):
 """This is basically the start of it all"""
 self.plays_count = len(playbook.get_plays())
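Review bot: The borrowed comment in `_print_task_banner` talks about the args going to "stdout", but `banner()` in this class writes with `log_only=True` (context lines at the top of the hunk), so when `DISPLAY_ARGS_TO_STDOUT` is set the task arguments — including values of any task not marked `no_log` — end up in the installer log file rather than on the terminal; a clarifying line such as `# NOTE: banner() is log_only=True in this plugin, so the args go to the log file, not the screen` stops a reader from assuming the terminal is the only sink. Also fix the typo `thereyet` -> `there yet` in the copied comment. The enclosing class continues outside the hunk.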
@@ -236,6 +265,60 @@ The only thing we change here is adding `log_only=True` to the
 """
 self._display.display("skipping: no hosts matched", color=C.COLOR_SKIP, log_only=True)
+ ######################################################################
+ # So we can bubble up errors to the top
+ def v2_runner_on_failed(self, result, ignore_errors=False):
+ """I guess this is when an entire task has failed?"""
+
+ if self._play.strategy == 'free' and self._last_task_banner != result._task._uuid:
+ self._print_task_banner(result._task)
+
+ delegated_vars = result._result.get('_ansible_delegated_vars', None)
+ if 'exception' in result._result:
+ if self._display.verbosity < 3:
+ # extract just the actual error message from the exception text
+ error = result._result['exception'].strip().split('\n')[-1]
+ msg = "An exception occurred during task execution. To see the full traceback, use -vvv. The error was: %s" % error
+ else:
+ msg = "An exception occurred during task execution. The full traceback is:\n" + result._result['exception']
+
+ self._display.display(msg, color=C.COLOR_ERROR)
+
+ if result._task.loop and 'results' in result._result:
+ self._process_items(result)
+
+ else:
+ if delegated_vars:
+ self._display.display("fatal: [%s -> %s]: FAILED! => %s" % (result._host.get_name(), delegated_vars['ansible_host'], self._dump_results(result._result)), color=C.COLOR_ERROR)
+ else:
+ self._display.display("fatal: [%s]: FAILED! 
=> %s" % (result._host.get_name(), self._dump_results(result._result)), color=C.COLOR_ERROR)
+
+ if ignore_errors:
+ self._display.display("...ignoring", color=C.COLOR_SKIP)
+
+ def v2_runner_item_on_failed(self, result):
+ """When an item in a task fails."""
+ delegated_vars = result._result.get('_ansible_delegated_vars', None)
+ if 'exception' in result._result:
+ if self._display.verbosity < 3:
+ # extract just the actual error message from the exception text
+ error = result._result['exception'].strip().split('\n')[-1]
+ msg = "An exception occurred during task execution. To see the full traceback, use -vvv. The error was: %s" % error
+ else:
+ msg = "An exception occurred during task execution. The full traceback is:\n" + result._result['exception']
+
+ self._display.display(msg, color=C.COLOR_ERROR)
+
+ msg = "failed: "
+ if delegated_vars:
+ msg += "[%s -> %s]" % (result._host.get_name(), delegated_vars['ansible_host'])
+ else:
+ msg += "[%s]" % (result._host.get_name())
+
+ self._display.display(msg + " (item=%s) => %s" % (self._get_item(result._result), self._dump_results(result._result)), color=C.COLOR_ERROR)
+ self._handle_warnings(result._result)
+
+ ######################################################################
 def v2_playbook_on_stats(self, stats):
 """Print the final playbook run stats"""
 self._display.display("", screen_only=True)
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 6945c52ce..66f536bda 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -9,7 +9,7 @@ %global __requires_exclude ^/usr/bin/ansible-playbook$
 Name: openshift-ansible
-Version: 3.6.4
+Version: 3.6.6
 Release: 1%{?dist}
 Summary: Openshift and Atomic Enterprise Ansible
 License: ASL 2.0
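Review bot: `self._play.strategy` at the top of `v2_runner_on_failed` dereferences `self._play`, which `__init__` initialises to None; unless `v2_playbook_on_play_start` (not in this hunk) assigns the play, the first task failure raises AttributeError inside the failure handler instead of printing the error. A guard such as `if self._play is not None and self._play.strategy == 'free' and self._last_task_banner != result._task._uuid:` keeps the error path from failing itself. The exception-to-message block is duplicated verbatim in `v2_runner_item_on_failed`; a small `_exception_message(result)` helper returning `msg` would remove the copy. These new `display` calls also omit the `log_only=True` used everywhere else in this file, which is presumably deliberate ("bubble up errors to the top"), but a one-line comment saying so would prevent someone from "fixing" it later. The class continues outside the hunk.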
@@ -270,6 +270,30 @@ Atomic OpenShift Utilities includes
 %changelog
+* Wed Mar 22 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.6-1
+- Fix copy-pasta docstrings (rhcarvalho@gmail.com)
+- Rename _ns -> node_selector (rhcarvalho@gmail.com)
+- Reindent code (rhcarvalho@gmail.com)
+- Update the failure methods and add required variables/functions
+ (tbielawa@redhat.com)
+- Import the default ansible output callback on_failed methods
+ (tbielawa@redhat.com)
+- Switched Cassandra to use certificates generated by OpenShift
+ (juraci@kroehling.de)
+- Allow user to specify additions to ES config (jcantril@redhat.com)
+
+* Tue Mar 21 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.5-1
+- Attempt to match version of excluders to target version (sdodson@redhat.com)
+- Get rid of adjust.yml (sdodson@redhat.com)
+- Protect against missing commands (sdodson@redhat.com)
+- Simplify excluder enablement logic a bit more (sdodson@redhat.com)
+- Add tito releaser for 3.6 (smunilla@redhat.com)
+- Adding oc_group to lib_openshift (kwoodson@redhat.com)
+- preflight checks: improve user output from checks (lmeyer@redhat.com)
+- preflight checks: bypass RPM excludes (lmeyer@redhat.com)
+- acceptschema2 default: true (aweiteka@redhat.com)
+- Do not require python-six via openshift_facts (rhcarvalho@gmail.com)
+
 * Sat Mar 18 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.4-1
 - Cherry picking from #3689 (ewolinet@redhat.com)
 - Moving projects task within openshift_hosted (rteague@redhat.com)
diff --git a/playbooks/common/openshift-cluster/disable_excluder.yml b/playbooks/common/openshift-cluster/disable_excluder.yml
index 68bffb5f5..f664c51c9 100644
--- a/playbooks/common/openshift-cluster/disable_excluder.yml
+++ b/playbooks/common/openshift-cluster/disable_excluder.yml
@@ -1,5 +1,5 @@
 ---
-- name: Record excluder state and disable
+- name: Disable excluders
 hosts: oo_masters_to_config:oo_nodes_to_config
 gather_facts: no
 tasks:
diff --git a/roles/lib_openshift/library/oc_project.py b/roles/lib_openshift/library/oc_project.py
index 0d0094c45..7700a83a3 100644
--- a/roles/lib_openshift/library/oc_project.py
+++ b/roles/lib_openshift/library/oc_project.py
@@ -1547,19 +1547,22 @@ class OCProject(OpenShiftCLI):
 def run_ansible(params, check_mode):
 '''run the idempotent ansible code'''
- _ns = None
+ node_selector = None
 if params['node_selector'] is not None:
- _ns = ','.join(params['node_selector'])
-
- pconfig = ProjectConfig(params['name'],
- 'None',
- params['kubeconfig'],
- {'admin': {'value': params['admin'], 'include': True},
- 'admin_role': {'value': params['admin_role'], 'include': True},
- 'description': {'value': params['description'], 'include': True},
- 'display_name': {'value': params['display_name'], 'include': True},
- 'node_selector': {'value': _ns, 'include': True},
- })
+ node_selector = ','.join(params['node_selector'])
+
+ pconfig = ProjectConfig(
+ params['name'],
+ 'None',
+ params['kubeconfig'],
+ {
+ 'admin': {'value': params['admin'], 'include': True},
+ 'admin_role': {'value': params['admin_role'], 'include': True},
+ 'description': {'value': params['description'], 'include': True},
+ 'display_name': {'value': params['display_name'], 'include': True},
+ 'node_selector': {'value': node_selector, 'include': True},
+ },
+ )
 oadm_project = OCProject(pconfig, verbose=params['debug'])
diff --git a/roles/lib_openshift/src/class/oc_project.py b/roles/lib_openshift/src/class/oc_project.py
index 5f02957b7..9ad8111a8 100644
--- a/roles/lib_openshift/src/class/oc_project.py
+++ b/roles/lib_openshift/src/class/oc_project.py
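Review bot: `','.join(params['node_selector'])` in `run_ansible` assumes the parameter is a list; if the module's argument spec (outside this hunk) does not declare it as `type='list'`, a plain string such as `region=infra` is joined character by character and silently becomes a wrong selector on the project. Enforcing `type='list'` in the spec, or guarding the join with a string check before it, closes that hole. The same body appears in the next hunk, roles/lib_openshift/src/class/oc_project.py, which is the source this library file is generated from, so any fix belongs there. `run_ansible` continues outside the hunk.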
@@ -97,19 +97,22 @@ class OCProject(OpenShiftCLI):
 def run_ansible(params, check_mode):
 '''run the idempotent ansible code'''
- _ns = None
+ node_selector = None
 if params['node_selector'] is not None:
- _ns = ','.join(params['node_selector'])
-
- pconfig = ProjectConfig(params['name'],
- 'None',
- params['kubeconfig'],
- {'admin': {'value': params['admin'], 'include': True},
- 'admin_role': {'value': params['admin_role'], 'include': True},
- 'description': {'value': params['description'], 'include': True},
- 'display_name': {'value': params['display_name'], 'include': True},
- 'node_selector': {'value': _ns, 'include': True},
- })
+ node_selector = ','.join(params['node_selector'])
+
+ pconfig = ProjectConfig(
+ params['name'],
+ 'None',
+ params['kubeconfig'],
+ {
+ 'admin': {'value': params['admin'], 'include': True},
+ 'admin_role': {'value': params['admin_role'], 'include': True},
+ 'description': {'value': params['description'], 'include': True},
+ 'display_name': {'value': params['display_name'], 'include': True},
+ 'node_selector': {'value': node_selector, 'include': True},
+ },
+ )
 oadm_project = OCProject(pconfig, verbose=params['debug'])
diff --git a/roles/lib_openshift/src/test/unit/test_oc_project.py b/roles/lib_openshift/src/test/unit/test_oc_project.py
index 8e1a76323..fa454d035 100755
--- a/roles/lib_openshift/src/test/unit/test_oc_project.py
+++ b/roles/lib_openshift/src/test/unit/test_oc_project.py
@@ -21,7 +21,7 @@ from oc_project import OCProject # noqa: E402
 class OCProjectTest(unittest.TestCase):
 '''
- Test class for OCSecret
+ Test class for OCProject
 '''
 # run_ansible input parameters
diff --git a/roles/lib_openshift/src/test/unit/test_oc_route.py b/roles/lib_openshift/src/test/unit/test_oc_route.py
index 09c52a461..afdb5e4dc 100755
--- a/roles/lib_openshift/src/test/unit/test_oc_route.py
+++ b/roles/lib_openshift/src/test/unit/test_oc_route.py
@@ -21,7 +21,7 @@ from oc_route import OCRoute, locate_oc_binary # noqa: E402 class OCRouteTest(unittest.TestCase): ''' - Test class for OCServiceAccount + Test class for OCRoute ''' @mock.patch('oc_route.locate_oc_binary') diff --git a/roles/openshift_excluder/README.md b/roles/openshift_excluder/README.md index e76a15952..e048bd107 100644 --- a/roles/openshift_excluder/README.md +++ b/roles/openshift_excluder/README.md @@ -18,8 +18,6 @@ Facts | enable_docker_excluder | enable_excluders | Enable docker excluder. If not set, the docker excluder is ignored. | | enable_openshift_excluder | enable_excluders | Enable openshift excluder. If not set, the openshift excluder is ignored. | | enable_excluders | None | Enable all excluders -| enable_docker_excluder_override | None | indication the docker excluder needs to be enabled | -| disable_openshift_excluder_override | None | indication the openshift excluder needs to be disabled | Role Variables -------------- diff --git a/roles/openshift_excluder/tasks/adjust.yml b/roles/openshift_excluder/tasks/adjust.yml deleted file mode 100644 index cbdd7785b..000000000 --- a/roles/openshift_excluder/tasks/adjust.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# Depending on enablement of individual excluders and their status -# some excluders needs to be disabled, resp. enabled -# By default, all excluders are disabled unless overrided. -- block: - - include: init.yml - # All excluders that are to be enabled are enabled - - include: exclude.yml - vars: - # Enable the docker excluder only if it is overrided - # BZ #1430612: docker excluders should be enabled even during installation and upgrade - exclude_docker_excluder: "{{ enable_docker_excluder | default(true) | bool }}" - # excluder is to be disabled by default - exclude_openshift_excluder: false - # All excluders that are to be disabled are disabled - - include: unexclude.yml - vars: - # If the docker override is not set, default to the generic behaviour - # BZ #1430612: docker excluders should be enabled even during installation and upgrade - unexclude_docker_excluder: false - # disable openshift excluder is never overrided to be enabled - # disable it if the docker excluder is enabled - unexclude_openshift_excluder: "{{ openshift_excluder_on | bool }}" - when: - - not openshift.common.is_atomic | bool diff --git a/roles/openshift_excluder/tasks/disable.yml b/roles/openshift_excluder/tasks/disable.yml index 2245c7b21..e23496b3b 100644 --- a/roles/openshift_excluder/tasks/disable.yml +++ b/roles/openshift_excluder/tasks/disable.yml @@ -1,7 +1,6 @@ --- # input variables # - with_status_check -# - with_install # - excluder_package_state # - docker_excluder_package_state - include: init.yml 
@@ -18,5 +17,24 @@ # it the docker excluder is enabled, we install it and in case its status is non-zero # it is enabled no matter what - # And finally adjust an excluder in order to update host components correctly -- include: adjust.yml +# And finally adjust an excluder in order to update host components correctly. First +# exclude then unexclude +- block: + - include: exclude.yml + vars: + # Enable the docker excluder only if it is overrided + # BZ #1430612: docker excluders should be enabled even during installation and upgrade + exclude_docker_excluder: "{{ docker_excluder_on | bool }}" + # excluder is to be disabled by default + exclude_openshift_excluder: false + # All excluders that are to be disabled are disabled + - include: unexclude.yml + vars: + # If the docker override is not set, default to the generic behaviour + # BZ #1430612: docker excluders should be enabled even during installation and upgrade + unexclude_docker_excluder: false + # disable openshift excluder is never overrided to be enabled + # disable it if the docker excluder is enabled + unexclude_openshift_excluder: true + when: + - not openshift.common.is_atomic | bool diff --git a/roles/openshift_excluder/tasks/enable.yml b/roles/openshift_excluder/tasks/enable.yml index 9122c9aeb..e719325bc 100644 --- a/roles/openshift_excluder/tasks/enable.yml +++ b/roles/openshift_excluder/tasks/enable.yml @@ -1,6 +1,5 @@ --- # input variables: -# - with_install - block: - include: init.yml 
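Review bot: The comments inside the new block in disable.yml were carried over from adjust.yml and no longer describe the values beside them: `exclude_docker_excluder` is now `docker_excluder_on | bool`, yet its comment still says "only if it is overrided"; `unexclude_docker_excluder: false` sits under "If the docker override is not set, default to the generic behaviour"; and `unexclude_openshift_excluder: true` is explained as "disable it if the docker excluder is enabled". Rewrite them to state the actual rule, for example `# disable.yml always unexcludes the openshift excluder; the docker excluder stays excluded whenever it is enabled (BZ #1430612)`. The override variables those comments mention are removed by this commit, so a reader following them will look for facts that no longer exist.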
@@ -8,14 +7,12 @@ vars: install_docker_excluder: "{{ docker_excluder_on | bool }}" install_openshift_excluder: "{{ openshift_excluder_on | bool }}" - when: with_install | default(docker_excluder_on or openshift_excluder_on) | bool + when: docker_excluder_on or openshift_excluder_on | bool - include: exclude.yml vars: - # Enable the docker excluder only if it is overrided, resp. enabled by default (in that order) - exclude_docker_excluder: "{{ enable_docker_excluder_override | default(docker_excluder_on) | bool }}" - # Enable the openshift excluder only if it is not overrided, resp. enabled by default (in that order) - exclude_openshift_excluder: "{{ not disable_openshift_excluder_override | default(not openshift_excluder_on) | bool }}" + exclude_docker_excluder: "{{ docker_excluder_on | bool }}" + exclude_openshift_excluder: "{{ openshift_excluder_on | bool }}" when: - not openshift.common.is_atomic | bool diff --git a/roles/openshift_excluder/tasks/exclude.yml b/roles/openshift_excluder/tasks/exclude.yml index d31351aea..ca18d343f 100644 --- a/roles/openshift_excluder/tasks/exclude.yml +++ b/roles/openshift_excluder/tasks/exclude.yml 
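Review bot: `when: docker_excluder_on or openshift_excluder_on | bool` applies `| bool` only to `openshift_excluder_on`, because the filter binds tighter than `or`; if `docker_excluder_on` arrives as a string (for instance `"false"` from inventory or a templated set_fact) it is truthy and the install block runs regardless. Write it as `when: (docker_excluder_on | bool) or (openshift_excluder_on | bool)`, matching the explicit `| bool` on the two `exclude_*` vars just below. The replaced `with_install | default(...)` form had the same precedence shape, so this is not a regression introduced here, only the natural moment to fix it.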
@@ -3,18 +3,28 @@ # - exclude_docker_excluder # - exclude_openshift_excluder - block: + + - name: Check for docker-excluder + stat: + path: /sbin/{{ openshift.common.service_type }}-docker-excluder + register: docker_excluder_stat - name: Enable docker excluder command: "{{ openshift.common.service_type }}-docker-excluder exclude" - # if the docker override is set, it means the docker excluder needs to be enabled no matter what - # if the docker override is not set, the excluder is set based on enable_docker_excluder when: - exclude_docker_excluder | default(false) | bool + - docker_excluder_stat.stat.exists + - name: Check for openshift excluder + stat: + path: /sbin/{{ openshift.common.service_type }}-excluder + register: openshift_excluder_stat - name: Enable openshift excluder command: "{{ openshift.common.service_type }}-excluder exclude" # if the openshift override is set, it means the openshift excluder is disabled no matter what # if the openshift override is not set, the excluder is set based on enable_openshift_excluder when: - exclude_openshift_excluder | default(false) | bool + - openshift_excluder_stat.stat.exists + when: - not openshift.common.is_atomic | bool diff --git a/roles/openshift_excluder/tasks/install.yml b/roles/openshift_excluder/tasks/install.yml index dcc8df0cb..3490a613e 100644 --- a/roles/openshift_excluder/tasks/install.yml +++ b/roles/openshift_excluder/tasks/install.yml 
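Review bot: The new `stat` tasks look for the excluder at the literal path `/sbin/{{ openshift.common.service_type }}-docker-excluder`, while the `command` that follows resolves the bare name through PATH; on a host where the binary lives elsewhere (e.g. /usr/sbin without a /sbin merge) the stat is false and the enable step is silently skipped, leaving the excluder disabled with no failure or message. Either run the same absolute path in the command, `command: "/sbin/{{ openshift.common.service_type }}-docker-excluder exclude"`, or locate it once with `command: which {{ openshift.common.service_type }}-docker-excluder` and drive both the condition and the invocation from that result; a `debug` message on the skipped case would at least make the silent path visible. The same pattern is added to unexclude.yml in a later hunk. The comment above the openshift excluder task ("if the openshift override is set ...") refers to override variables this commit removes and should be dropped.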
@@ -6,14 +6,14 @@ - name: Install docker excluder package: - name: "{{ openshift.common.service_type }}-docker-excluder" + name: "{{ openshift.common.service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}" state: "{{ docker_excluder_package_state }}" when: - install_docker_excluder | default(true) | bool - name: Install openshift excluder package: - name: "{{ openshift.common.service_type }}-excluder" + name: "{{ openshift.common.service_type }}-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}" state: "{{ openshift_excluder_package_state }}" when: - install_openshift_excluder | default(true) | bool diff --git a/roles/openshift_excluder/tasks/unexclude.yml b/roles/openshift_excluder/tasks/unexclude.yml index 9112adbac..4df7f14b4 100644 --- a/roles/openshift_excluder/tasks/unexclude.yml +++ b/roles/openshift_excluder/tasks/unexclude.yml @@ -3,15 +3,26 @@ # - unexclude_docker_excluder # - unexclude_openshift_excluder - block: + + - name: Check for docker-excluder + stat: + path: /sbin/{{ openshift.common.service_type }}-docker-excluder + register: docker_excluder_stat - name: disable docker excluder command: "{{ openshift.common.service_type }}-docker-excluder unexclude" when: - unexclude_docker_excluder | default(false) | bool + - docker_excluder_stat.stat.exists + - name: Check for openshift excluder + stat: + path: /sbin/{{ openshift.common.service_type }}-excluder + register: openshift_excluder_stat - name: disable openshift excluder command: "{{ openshift.common.service_type }}-excluder unexclude" when: - unexclude_openshift_excluder | default(false) | bool + - openshift_excluder_stat.stat.exists when: - not openshift.common.is_atomic | bool diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index 04fd42cbf..75a6e4d69 100644 --- a/roles/openshift_logging/defaults/main.yml 
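Review bot: The version suffix `{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}` is repeated verbatim for both excluder packages; compute it once, for instance `excluder_version_suffix: "{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}"` under the block's `vars:`, and use `name: "{{ openshift.common.service_type }}-docker-excluder{{ excluder_version_suffix }}"`. With `openshift_pkg_version` unset the suffix degrades to a bare `*`, so the name matches any available version, which is presumably the intended fallback but deserves a comment next to the expression. If `docker_excluder_package_state` can ever be `absent`, note that the glob then removes every matching version rather than one.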
+++ b/roles/openshift_logging/defaults/main.yml @@ -78,6 +78,8 @@ openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_ openshift_logging_es_recover_after_time: 5m openshift_logging_es_storage_group: "{{ openshift_hosted_logging_elasticsearch_storage_group | default('65534') }}" openshift_logging_es_nodeselector: "{{ openshift_hosted_logging_elasticsearch_nodeselector | default('') | map_from_pairs }}" +# openshift_logging_es_config is a hash to be merged into the defaults for the elasticsearch.yaml +openshift_logging_es_config: {} # allow cluster-admin or cluster-reader to view operations index openshift_logging_es_ops_allow_cluster_reader: False diff --git a/roles/openshift_logging/tasks/generate_configmaps.yaml b/roles/openshift_logging/tasks/generate_configmaps.yaml index 8fcf517ad..c1721895c 100644 --- a/roles/openshift_logging/tasks/generate_configmaps.yaml +++ b/roles/openshift_logging/tasks/generate_configmaps.yaml @@ -6,8 +6,17 @@ when: es_logging_contents is undefined changed_when: no + - local_action: > + copy content="{{ config_source | combine(override_config,recursive=True) | to_nice_yaml }}" + dest="{{local_tmp.stdout}}/elasticsearch-gen-template.yml" + vars: + config_source: "{{lookup('file','templates/elasticsearch.yml.j2') | from_yaml }}" + override_config: "{{openshift_logging_es_config | from_yaml}}" + when: es_logging_contents is undefined + changed_when: no + - template: - src: elasticsearch.yml.j2 + src: "{{local_tmp.stdout}}/elasticsearch-gen-template.yml" dest: "{{mktemp.stdout}}/elasticsearch.yml" vars: - allow_cluster_reader: "{{openshift_logging_es_ops_allow_cluster_reader | lower | default('false')}}" diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml index c6e2ccbc0..6e3204589 100644 --- a/roles/openshift_logging/tasks/generate_jks.yaml +++ b/roles/openshift_logging/tasks/generate_jks.yaml 
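Review bot: The generated-template step passes a whole multi-line `to_nice_yaml` document as `content="..."` inside a folded `local_action` string, so Ansible's key=value argument parser has to re-split that text, and a value containing a double quote or `=` can truncate or corrupt the file written to `{{local_tmp.stdout}}/elasticsearch-gen-template.yml`. Use the mapping form instead: `- copy:` / `content: "{{ config_source | combine(override_config, recursive=True) | to_nice_yaml }}"` / `dest: "{{ local_tmp.stdout }}/elasticsearch-gen-template.yml"` with `delegate_to: localhost`. `override_config: "{{openshift_logging_es_config | from_yaml}}"` relies on `from_yaml` passing the default `{}` dict through unchanged — presumably it does, but `"{{ openshift_logging_es_config }}"` avoids the question. Because the base config is now obtained by parsing elasticsearch.yml.j2 as YAML, that template must stay valid YAML with every Jinja expression quoted; a comment at the top of the .j2 saying so would keep the next edit from breaking this task.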
@@ -20,12 +20,6 @@ register: truststore_jks check_mode: no -- name: Create temp directory for doing work in - local_action: command mktemp -d /tmp/openshift-logging-ansible-XXXXXX - register: local_tmp - changed_when: False - check_mode: no - - name: Create placeholder for previously created JKS certs to prevent recreating... local_action: file path="{{local_tmp.stdout}}/elasticsearch.jks" state=touch mode="u=rw,g=r,o=r" when: elasticsearch_jks.stat.exists @@ -92,7 +86,3 @@ src: "{{local_tmp.stdout}}/truststore.jks" dest: "{{generated_certs_dir}}/truststore.jks" when: not truststore_jks.stat.exists - -- name: Cleaning up temp dir - local_action: file path="{{local_tmp.stdout}}" state=absent - changed_when: False diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml index 4c718805e..eb60175c7 100644 --- a/roles/openshift_logging/tasks/main.yaml +++ b/roles/openshift_logging/tasks/main.yaml @@ -12,6 +12,14 @@ - debug: msg="Created temp dir {{mktemp.stdout}}" +- name: Create local temp directory for doing work in + local_action: command mktemp -d /tmp/openshift-logging-ansible-XXXXXX + register: local_tmp + changed_when: False + check_mode: no + +- debug: msg="Created local temp dir {{local_tmp.stdout}}" + - name: Copy the admin client config(s) command: > cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig @@ -37,3 +45,8 @@ tags: logging_cleanup changed_when: False check_mode: no + +- name: Cleaning up local temp dir + local_action: file path="{{local_tmp.stdout}}" state=absent + tags: logging_cleanup + changed_when: False diff --git a/roles/openshift_logging/templates/elasticsearch.yml.j2 b/roles/openshift_logging/templates/elasticsearch.yml.j2 index f2d098f10..21708dc12 100644 --- a/roles/openshift_logging/templates/elasticsearch.yml.j2 +++ b/roles/openshift_logging/templates/elasticsearch.yml.j2 
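Review bot: The local temp directory created in main.yaml receives the JKS keystore and truststore that generate_jks.yaml writes there (`elasticsearch.jks`, `truststore.jks` in the context lines), but `Cleaning up local temp dir` is a plain trailing task, so any failure between creation and cleanup leaves that key material under /tmp on the control host. Wrapping the role body in a `block:` with the two cleanup tasks under `always:` closes the gap; the existing remote `mktemp` cleanup just above has the same shape and can be moved in the same step. `mktemp -d` gives the directory mode 0700, which is presumably why it was acceptable to stage the stores there at all — worth a one-line comment on the create task so that is not lost.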
@@ -47,7 +47,7 @@ openshift.searchguard: keystore.path: /etc/elasticsearch/secret/admin.jks truststore.path: /etc/elasticsearch/secret/searchguard.truststore -openshift.operations.allow_cluster_reader: {{allow_cluster_reader | default ('false')}} +openshift.operations.allow_cluster_reader: "{{allow_cluster_reader | default (false)}}" path: data: /elasticsearch/persistent/${CLUSTER_NAME}/data diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh index c8d5bb3d2..b2537f448 100755 --- a/roles/openshift_metrics/files/import_jks_certs.sh +++ b/roles/openshift_metrics/files/import_jks_certs.sh @@ -21,11 +21,7 @@ set -ex function import_certs() { dir=$CERT_DIR hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d) - hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d) hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d) - hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d) - - cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'` hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'` if [ ! -f $dir/hawkular-metrics.keystore ]; then 
@@ -39,56 +35,7 @@ function import_certs() { -deststorepass $hawkular_metrics_keystore_password fi - if [ ! -f $dir/hawkular-cassandra.keystore ]; then - echo "Creating the Hawkular Cassandra keystore from the PEM file" - keytool -importkeystore -v \ - -srckeystore $dir/hawkular-cassandra.pkcs12 \ - -destkeystore $dir/hawkular-cassandra.keystore \ - -srcstoretype PKCS12 \ - -deststoretype JKS \ - -srcstorepass $hawkular_cassandra_keystore_password \ - -deststorepass $hawkular_cassandra_keystore_password - fi - - if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then - echo "Importing the Hawkular Certificate into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \ - -file $dir/hawkular-metrics.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - - if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then - echo "Importing the Cassandra Certificate into the Hawkular Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ - -file $dir/hawkular-cassandra.crt \ - -keystore $dir/hawkular-metrics.truststore \ - -trustcacerts \ - -storepass $hawkular_metrics_truststore_password - fi - - if [[ ! ${cassandra_alias[*]} =~ hawkular-cassandra ]]; then - echo "Importing the Hawkular Cassandra Certificate into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ - -file $dir/hawkular-cassandra.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - - cert_alias_names=(ca metricca cassandraca) - - for cert_alias in ${cert_alias_names[*]}; do - if [[ ! 
${cassandra_alias[*]} =~ "$cert_alias" ]]; then - echo "Importing the CA Certificate with alias $cert_alias into the Cassandra Truststore" - keytool -noprompt -import -v -trustcacerts -alias $cert_alias \ - -file ${dir}/ca.crt \ - -keystore $dir/hawkular-cassandra.truststore \ - -trustcacerts \ - -storepass $hawkular_cassandra_truststore_password - fi - done + cert_alias_names=(ca metricca) for cert_alias in ${cert_alias_names[*]}; do if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 61a240a33..01fc1ef64 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,9 +13,6 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd - register: cassandra_truststore_password - - slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password @@ -67,11 +64,8 @@ - hawkular-metrics.pwd - hawkular-metrics.htpasswd - hawkular-cassandra.crt + - hawkular-cassandra.key - hawkular-cassandra.pem - - hawkular-cassandra.keystore - - hawkular-cassandra-keystore.pwd - - hawkular-cassandra.truststore - - hawkular-cassandra-truststore.pwd changed_when: false - set_fact: 
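Review bot: `import_certs` runs under `set -ex` (context line of the first hunk), so every `keytool ... -storepass $hawkular_metrics_truststore_password` invocation that survives this cleanup is echoed with the decoded password into the script's stderr, which the `local_action` in import_jks_certs.yaml captures into the task result and the Ansible log. Drop the `-x`, or bracket the keytool calls with `set +x` / `set -x`, and consider keytool's `-storepass:env VAR` form so the value never appears on a command line at all. The function starts outside the hunk.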
@@ -136,38 +130,21 @@ - name: generate cassandra secret template template: src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-certs.yaml" vars: - name: hawkular-cassandra-secrets + name: hawkular-cassandra-certs labels: - metrics-infra: hawkular-cassandra + metrics-infra: hawkular-cassandra-certs + annotations: + service.alpha.openshift.io/originating-service-name: hawkular-cassandra data: - cassandra.keystore: > - {{ hawkular_secrets['hawkular-cassandra.keystore'] }} - cassandra.keystore.password: > - {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }} - cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" - cassandra.truststore: > - {{ hawkular_secrets['hawkular-cassandra.truststore'] }} - cassandra.truststore.password: > - {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }} - cassandra.pem: > - {{ hawkular_secrets['hawkular-cassandra.pem'] }} - when: name not in metrics_secrets - changed_when: no - -- name: generate cassandra-certificate secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" - vars: - name: hawkular-cassandra-certificate - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.certificate: > + tls.crt: > {{ hawkular_secrets['hawkular-cassandra.crt'] }} - cassandra-ca.certificate: > - {{ hawkular_secrets['hawkular-cassandra.pem'] }} - when: name not in metrics_secrets.stdout_lines + tls.key: > + {{ hawkular_secrets['hawkular-cassandra.key'] }} + tls.peer.truststore.crt: > + {{ hawkular_secrets['hawkular-cassandra.crt'] }} + tls.client.truststore.crt: > + {{ hawkular_secrets['hawkular-metrics.crt'] }} + when: name not in metrics_secrets changed_when: no diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml index 2a67dad0e..e098145e9 100644 --- a/roles/openshift_metrics/tasks/import_jks_certs.yaml 
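Review bot: The kept task's condition `when: name not in metrics_secrets` differs from the deleted cassandra-certificate task, which tested `metrics_secrets.stdout_lines`; if `metrics_secrets` is a registered command result (a dict), `name not in metrics_secrets` only inspects its keys (`stdout`, `rc`, ...) and is always true, so the secret template is regenerated on every run. Confirm the shape where `metrics_secrets` is registered (outside this hunk) and use `when: name not in metrics_secrets.stdout_lines` if it is a command result. The secret now carries the Cassandra private key (`tls.key`) next to the certs, and both truststore entries are leaf certificates (`hawkular-cassandra.crt`, `hawkular-metrics.crt`) rather than a CA, so rotating either certificate means regenerating this secret; a short comment above `data:` stating that would help operators. The `service.alpha.openshift.io/originating-service-name` annotation is normally written by the serving-cert controller — presumably harmless on a hand-built secret, but worth confirming the controller does not try to manage it.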
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml @@ -1,12 +1,4 @@ --- -- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore" - register: cassandra_keystore - check_mode: no - -- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore" - register: cassandra_truststore - check_mode: no - - stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore" register: metrics_keystore check_mode: no @@ -19,9 +11,6 @@ - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd register: metrics_keystore_password - - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd - register: cassandra_keystore_password - - fetch: dest: "{{local_tmp.stdout}}/" src: "{{ mktemp.stdout }}/{{item}}" @@ -29,18 +18,14 @@ changed_when: False with_items: - hawkular-metrics.pkcs12 - - hawkular-cassandra.pkcs12 - hawkular-metrics.crt - - hawkular-cassandra.crt - ca.crt - local_action: command {{role_path}}/files/import_jks_certs.sh environment: CERT_DIR: "{{local_tmp.stdout}}" METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}" - CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}" METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}" - CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}" changed_when: False - copy: @@ -49,6 +34,4 @@ with_fileglob: "{{local_tmp.stdout}}/*.*store" when: not metrics_keystore.stat.exists or - not metrics_truststore.stat.exists or - not cassandra_keystore.stat.exists or - not cassandra_truststore.stat.exists + not metrics_truststore.stat.exists diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 504476dc4..889317847 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 
@@ -48,11 +48,6 @@ spec: - "--require_node_auth=true" - "--enable_client_encryption=true" - "--require_client_auth=true" - - "--keystore_file=/secret/cassandra.keystore" - - "--keystore_password_file=/secret/cassandra.keystore.password" - - "--truststore_file=/secret/cassandra.truststore" - - "--truststore_password_file=/secret/cassandra.truststore.password" - - "--cassandra_pem_file=/secret/cassandra.pem" env: - name: CASSANDRA_MASTER value: "{{ master }}" @@ -60,6 +55,10 @@ spec: value: "/cassandra_data" - name: JVM_OPTS value: "-Dcassandra.commitlog.ignorereplayerrors=true" + - name: TRUSTSTORE_NODES_AUTHORITIES + value: "/hawkular-cassandra-certs/tls.peer.truststore.crt" + - name: TRUSTSTORE_CLIENT_AUTHORITIES + value: "/hawkular-cassandra-certs/tls.client.truststore.crt" - name: POD_NAMESPACE valueFrom: fieldRef: @@ -76,12 +75,12 @@ spec: volumeMounts: - name: cassandra-data mountPath: "/cassandra_data" - - name: hawkular-cassandra-secrets - mountPath: "/secret" -{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) + - name: hawkular-cassandra-certs + mountPath: "/hawkular-cassandra-certs" +{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none) or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none) - or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) + or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) %} resources: {% if (openshift_metrics_cassandra_limits_cpu is not none 
@@ -95,8 +94,8 @@ spec:
 memory: "{{openshift_metrics_cassandra_limits_memory}}"
 {% endif %}
 {% endif %}
-{% if (openshift_metrics_cassandra_requests_cpu is not none
- or openshift_metrics_cassandra_requests_memory is not none)
+{% if (openshift_metrics_cassandra_requests_cpu is not none
+ or openshift_metrics_cassandra_requests_memory is not none)
 %}
 requests:
 {% if openshift_metrics_cassandra_requests_cpu is not none %}
@@ -129,6 +128,6 @@ spec:
 persistentVolumeClaim:
 claimName: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ node }}"
 {% endif %}
- - name: hawkular-cassandra-secrets
+ - name: hawkular-cassandra-certs
 secret:
- secretName: hawkular-cassandra-secrets
+ secretName: hawkular-cassandra-certs
diff --git a/roles/openshift_metrics/templates/secret.j2 b/roles/openshift_metrics/templates/secret.j2
index 370890c7d..5b9dba122 100644
--- a/roles/openshift_metrics/templates/secret.j2
+++ b/roles/openshift_metrics/templates/secret.j2
@@ -2,6 +2,12 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: "{{ name }}"
+{% if annotations is defined%}
+ annotations:
+{% for key, value in annotations.iteritems() %}
+ {{key}}: {{value}}
+{% endfor %}
+{% endif %}
 labels:
 {% for k, v in labels.iteritems() %}
 {{ k }}: {{ v }} |
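Review bot: The new annotations loop in secret.j2 calls `annotations.iteritems()`, which exists only on Python 2 dicts; under a Python 3 Ansible the template fails with an undefined-attribute error, so use `annotations.items()` (the existing labels loop has the same issue and could be fixed in the same commit). The values are emitted unquoted as `{{key}}: {{value}}`, so an annotation value containing `: ` or `#` breaks the rendered YAML; `{{ key }}: "{{ value }}"` is the safe form. Minor: `{% if annotations is defined%}` is missing the space before `%}`.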