From b579a4acfa64f85119ffbcbb8f6701972ef0dbb6 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Wed, 28 Sep 2016 10:52:07 -0500
Subject: Creating openshift_logging role for deploying Aggregated Logging
 without a deployer image

---
 roles/openshift_logging/files/curator.yml          |  18 ++
 .../files/elasticsearch-logging.yml                |  72 ++++++++
 roles/openshift_logging/files/elasticsearch.yml    |  74 ++++++++
 roles/openshift_logging/files/es_migration.sh      |  81 +++++++++
 roles/openshift_logging/files/fluent.conf          |  34 ++++
 .../files/fluentd-throttle-config.yaml             |   7 +
 roles/openshift_logging/files/generate-jks.sh      |  71 ++++++++
 .../files/logging-deployer-sa.yaml                 |   6 +
 roles/openshift_logging/files/secure-forward.conf  |  24 +++
 roles/openshift_logging/files/server-tls.json      |   5 +
 roles/openshift_logging/files/signing.conf         | 103 +++++++++++
 roles/openshift_logging/files/util.sh              | 192 +++++++++++++++++++++
 12 files changed, 687 insertions(+)
 create mode 100644 roles/openshift_logging/files/curator.yml
 create mode 100644 roles/openshift_logging/files/elasticsearch-logging.yml
 create mode 100644 roles/openshift_logging/files/elasticsearch.yml
 create mode 100644 roles/openshift_logging/files/es_migration.sh
 create mode 100644 roles/openshift_logging/files/fluent.conf
 create mode 100644 roles/openshift_logging/files/fluentd-throttle-config.yaml
 create mode 100644 roles/openshift_logging/files/generate-jks.sh
 create mode 100644 roles/openshift_logging/files/logging-deployer-sa.yaml
 create mode 100644 roles/openshift_logging/files/secure-forward.conf
 create mode 100644 roles/openshift_logging/files/server-tls.json
 create mode 100644 roles/openshift_logging/files/signing.conf
 create mode 100644 roles/openshift_logging/files/util.sh

(limited to 'roles/openshift_logging/files')

diff --git a/roles/openshift_logging/files/curator.yml b/roles/openshift_logging/files/curator.yml
new file mode 100644
index 000000000..8d62d8e7d
--- /dev/null
+++ b/roles/openshift_logging/files/curator.yml
@@ -0,0 +1,18 @@
+# Logging example curator config file
+
+# uncomment and use this to override the defaults from env vars
+#.defaults:
+#  delete:
+#    days: 30
+#  runhour: 0
+#  runminute: 0
+
+# to keep ops logs for a different duration:
+#.operations:
+#  delete:
+#    weeks: 8
+
+# example for a normal project
+#myapp:
+#  delete:
+#    weeks: 1
diff --git a/roles/openshift_logging/files/elasticsearch-logging.yml b/roles/openshift_logging/files/elasticsearch-logging.yml
new file mode 100644
index 000000000..377abe21f
--- /dev/null
+++ b/roles/openshift_logging/files/elasticsearch-logging.yml
@@ -0,0 +1,72 @@
+# you can override this using by setting a system property, for example -Des.logger.level=DEBUG
+es.logger.level: INFO
+rootLogger: ${es.logger.level}, console, file
+logger:
+  # log action execution errors for easier debugging
+  action: WARN
+  # reduce the logging for aws, too much is logged under the default INFO
+  com.amazonaws: WARN
+  io.fabric8.elasticsearch: ${PLUGIN_LOGLEVEL}
+  io.fabric8.kubernetes: ${PLUGIN_LOGLEVEL}
+
+  # gateway
+  #gateway: DEBUG
+  #index.gateway: DEBUG
+
+  # peer shard recovery
+  #indices.recovery: DEBUG
+
+  # discovery
+  #discovery: TRACE
+
+  index.search.slowlog: TRACE, index_search_slow_log_file
+  index.indexing.slowlog: TRACE, index_indexing_slow_log_file
+
+  # search-guard
+  com.floragunn.searchguard: WARN
+
+additivity:
+  index.search.slowlog: false
+  index.indexing.slowlog: false
+
+appender:
+  console:
+    type: console
+    layout:
+      type: consolePattern
+      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
+
+  file:
+    type: dailyRollingFile
+    file: ${path.logs}/${cluster.name}.log
+    datePattern: "'.'yyyy-MM-dd"
+    layout:
+      type: pattern
+      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
+
+  # Use the following log4j-extras RollingFileAppender to enable gzip compression of log files.
+  # For more information see https://logging.apache.org/log4j/extras/apidocs/org/apache/log4j/rolling/RollingFileAppender.html
+  #file:
+    #type: extrasRollingFile
+    #file: ${path.logs}/${cluster.name}.log
+    #rollingPolicy: timeBased
+    #rollingPolicy.FileNamePattern: ${path.logs}/${cluster.name}.log.%d{yyyy-MM-dd}.gz
+    #layout:
+      #type: pattern
+      #conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
+
+  index_search_slow_log_file:
+    type: dailyRollingFile
+    file: ${path.logs}/${cluster.name}_index_search_slowlog.log
+    datePattern: "'.'yyyy-MM-dd"
+    layout:
+      type: pattern
+      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
+
+  index_indexing_slow_log_file:
+    type: dailyRollingFile
+    file: ${path.logs}/${cluster.name}_index_indexing_slowlog.log
+    datePattern: "'.'yyyy-MM-dd"
+    layout:
+      type: pattern
+      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
diff --git a/roles/openshift_logging/files/elasticsearch.yml b/roles/openshift_logging/files/elasticsearch.yml
new file mode 100644
index 000000000..4eff30e61
--- /dev/null
+++ b/roles/openshift_logging/files/elasticsearch.yml
@@ -0,0 +1,74 @@
+cluster:
+  name: ${CLUSTER_NAME}
+
+script:
+  inline: on
+  indexed: on
+
+index:
+  number_of_shards: 1
+  number_of_replicas: 0
+  auto_expand_replicas: 0-3
+  unassigned.node_left.delayed_timeout: 2m
+  translog:
+    flush_threshold_size: 256mb
+    flush_threshold_period: 5m
+
+node:
+  master: true
+  data: true
+
+network:
+  host: 0.0.0.0
+
+cloud:
+  kubernetes:
+    service: ${SERVICE_DNS}
+    namespace: ${NAMESPACE}
+
+discovery:
+  type: kubernetes
+  zen.ping.multicast.enabled: false
+
+gateway:
+  expected_master_nodes: ${NODE_QUORUM}
+  recover_after_nodes: ${RECOVER_AFTER_NODES}
+  expected_nodes: ${RECOVER_EXPECTED_NODES}
+  recover_after_time: ${RECOVER_AFTER_TIME}
+
+io.fabric8.elasticsearch.authentication.users: ["system.logging.kibana", "system.logging.fluentd", "system.logging.curator", "system.admin"]
+
+openshift.searchguard:
+  keystore.path: /etc/elasticsearch/secret/admin.jks
+  truststore.path: /etc/elasticsearch/secret/searchguard.truststore
+
+
+path:
+  data: /elasticsearch/persistent/${CLUSTER_NAME}/data
+  logs: /elasticsearch/${CLUSTER_NAME}/logs
+  work: /elasticsearch/${CLUSTER_NAME}/work
+  scripts: /elasticsearch/${CLUSTER_NAME}/scripts
+
+searchguard:
+  authcz.admin_dn:
+  - CN=system.admin,OU=OpenShift,O=Logging
+  config_index_name: ".searchguard.${HOSTNAME}"
+  ssl:
+    transport:
+      enabled: true
+      enforce_hostname_verification: false
+      keystore_type: JKS
+      keystore_filepath: /etc/elasticsearch/secret/searchguard.key
+      keystore_password: kspass
+      truststore_type: JKS
+      truststore_filepath: /etc/elasticsearch/secret/searchguard.truststore
+      truststore_password: tspass
+    http:
+      enabled: true
+      keystore_type: JKS
+      keystore_filepath: /etc/elasticsearch/secret/key
+      keystore_password: kspass
+      clientauth_mode: OPTIONAL
+      truststore_type: JKS
+      truststore_filepath: /etc/elasticsearch/secret/truststore
+      truststore_password: tspass
diff --git a/roles/openshift_logging/files/es_migration.sh b/roles/openshift_logging/files/es_migration.sh
new file mode 100644
index 000000000..cca283bae
--- /dev/null
+++ b/roles/openshift_logging/files/es_migration.sh
@@ -0,0 +1,81 @@
+#! bin/bash
+
+CA=${1:-/etc/openshift/logging/ca.crt}
+KEY=${2:-/etc/openshift/logging/system.admin.key}
+CERT=${3:-/etc/openshift/logging/system.admin.crt}
+openshift_logging_es_host=${4:-logging-es}
+openshift_logging_es_port=${5:-9200}
+namespace=${6:-logging}
+
+# for each index in _cat/indices
+# skip indices that begin with . - .kibana, .operations, etc.
+# skip indices that contain a uuid
+# get a list of unique project
+# daterx - the date regex that matches the .%Y.%m.%d at the end of the indices
+# we are interested in - the awk will strip that part off
+function get_list_of_indices() {
+    curl -s --cacert $CA --key $KEY --cert $CERT https://$openshift_logging_es_host:$openshift_logging_es_port/_cat/indices | \
+        awk -v daterx='[.]20[0-9]{2}[.][0-1]?[0-9][.][0-9]{1,2}$' \
+        '$3 !~ "^[.]" && $3 !~ "^[^.]+[.][^.]+"daterx && $3 !~ "^project." && $3 ~ daterx {print gensub(daterx, "", "", $3)}' | \
+    sort -u
+}
+
+# for each index in _cat/indices
+# skip indices that begin with . - .kibana, .operations, etc.
+# get a list of unique project.uuid
+# daterx - the date regex that matches the .%Y.%m.%d at the end of the indices
+# we are interested in - the awk will strip that part off
+function get_list_of_proj_uuid_indices() {
+    curl -s --cacert $CA --key $KEY --cert $CERT https://$openshift_logging_es_host:$openshift_logging_es_port/_cat/indices | \
+        awk -v daterx='[.]20[0-9]{2}[.][0-1]?[0-9][.][0-9]{1,2}$' \
+            '$3 !~ "^[.]" && $3 ~ "^[^.]+[.][^.]+"daterx && $3 !~ "^project." && $3 ~ daterx {print gensub(daterx, "", "", $3)}' | \
+        sort -u
+}
+
+if [[ -z "$(oc get pods -l component=es -o jsonpath='{.items[?(@.status.phase == "Running")].metadata.name}')" ]]; then
+  echo "No Elasticsearch pods found running.  Cannot update common data model."
+  exit 1
+fi
+
+count=$(get_list_of_indices | wc -l)
+if [ $count -eq 0 ]; then
+  echo No matching indices found - skipping update_for_uuid
+else
+  echo Creating aliases for $count index patterns . . .
+  {
+    echo '{"actions":['
+    get_list_of_indices | \
+      while IFS=. read proj ; do
+        # e.g. make test.uuid.* an alias of test.* so we can search for
+        # /test.uuid.*/_search and get both the test.uuid.* and
+        # the test.* indices
+        uid=$(oc get project "$proj" -o jsonpath='{.metadata.uid}' 2>/dev/null)
+        [ -n "$uid" ] && echo "{\"add\":{\"index\":\"$proj.*\",\"alias\":\"$proj.$uuid.*\"}}"
+      done
+    echo ']}'
+  } | curl -s --cacert $CA --key $KEY --cert $CERT -XPOST -d @- "https://$openshift_logging_es_host:$openshift_logging_es_port/_aliases"
+fi
+
+count=$(get_list_of_proj_uuid_indices | wc -l)
+if [ $count -eq 0 ] ; then
+    echo No matching indexes found - skipping update_for_common_data_model
+    exit 0
+fi
+
+echo Creating aliases for $count index patterns . . .
+# for each index in _cat/indices
+# skip indices that begin with . - .kibana, .operations, etc.
+# get a list of unique project.uuid
+# daterx - the date regex that matches the .%Y.%m.%d at the end of the indices
+# we are interested in - the awk will strip that part off
+{
+  echo '{"actions":['
+  get_list_of_proj_uuid_indices | \
+    while IFS=. read proj uuid ; do
+      # e.g. make project.test.uuid.* and alias of test.uuid.* so we can search for
+      # /project.test.uuid.*/_search and get both the test.uuid.* and
+      # the project.test.uuid.* indices
+      echo "{\"add\":{\"index\":\"$proj.$uuid.*\",\"alias\":\"${PROJ_PREFIX}$proj.$uuid.*\"}}"
+    done
+  echo ']}'
+} | curl -s --cacert $CA --key $KEY --cert $CERT -XPOST -d @- "https://$openshift_logging_es_host:$openshift_logging_es_port/_aliases"
diff --git a/roles/openshift_logging/files/fluent.conf b/roles/openshift_logging/files/fluent.conf
new file mode 100644
index 000000000..aa843e983
--- /dev/null
+++ b/roles/openshift_logging/files/fluent.conf
@@ -0,0 +1,34 @@
+# This file is the fluentd configuration entrypoint. Edit with care.
+
+@include configs.d/openshift/system.conf
+
+# In each section below, pre- and post- includes don't include anything initially;
+# they exist to enable future additions to openshift conf as needed.
+
+## sources
+## ordered so that syslog always runs last...
+@include configs.d/openshift/input-pre-*.conf
+@include configs.d/dynamic/input-docker-*.conf
+@include configs.d/dynamic/input-syslog-*.conf
+@include configs.d/openshift/input-post-*.conf
+##
+
+<label @INGRESS>
+## filters
+  @include configs.d/openshift/filter-pre-*.conf
+  @include configs.d/openshift/filter-retag-journal.conf
+  @include configs.d/openshift/filter-k8s-meta.conf
+  @include configs.d/openshift/filter-kibana-transform.conf
+  @include configs.d/openshift/filter-k8s-flatten-hash.conf
+  @include configs.d/openshift/filter-k8s-record-transform.conf
+  @include configs.d/openshift/filter-syslog-record-transform.conf
+  @include configs.d/openshift/filter-post-*.conf
+##
+
+## matches
+  @include configs.d/openshift/output-pre-*.conf
+  @include configs.d/openshift/output-operations.conf
+  @include configs.d/openshift/output-applications.conf
+  # no post - applications.conf matches everything left
+##
+</label>
diff --git a/roles/openshift_logging/files/fluentd-throttle-config.yaml b/roles/openshift_logging/files/fluentd-throttle-config.yaml
new file mode 100644
index 000000000..375621ff1
--- /dev/null
+++ b/roles/openshift_logging/files/fluentd-throttle-config.yaml
@@ -0,0 +1,7 @@
+# Logging example fluentd throttling config file
+
+#example-project:
+#  read_lines_limit: 10
+#
+#.operations:
+#  read_lines_limit: 100
diff --git a/roles/openshift_logging/files/generate-jks.sh b/roles/openshift_logging/files/generate-jks.sh
new file mode 100644
index 000000000..8760f37fe
--- /dev/null
+++ b/roles/openshift_logging/files/generate-jks.sh
@@ -0,0 +1,71 @@
+#! /bin/sh
+set -ex
+
+function importPKCS() {
+  dir=${SCRATCH_DIR:-_output}
+  NODE_NAME=$1
+  ks_pass=${KS_PASS:-kspass}
+  ts_pass=${TS_PASS:-tspass}
+  rm -rf $NODE_NAME
+
+  keytool \
+    -importkeystore \
+    -srckeystore $NODE_NAME.pkcs12 \
+    -srcstoretype PKCS12 \
+    -srcstorepass pass \
+    -deststorepass $ks_pass \
+    -destkeypass $ks_pass \
+    -destkeystore $dir/keystore.jks \
+    -alias 1 \
+    -destalias $NODE_NAME
+
+  echo "Import back to keystore (including CA chain)"
+
+  keytool  \
+    -import \
+    -file $dir/ca.crt  \
+    -keystore $dir/keystore.jks   \
+    -storepass $ks_pass  \
+    -noprompt -alias sig-ca
+
+  echo All done for $NODE_NAME
+}
+
+function createTruststore() {
+
+  echo "Import CA to truststore for validating client certs"
+
+  keytool  \
+    -import \
+    -file $dir/ca.crt  \
+    -keystore $dir/truststore.jks   \
+    -storepass $ts_pass  \
+    -noprompt -alias sig-ca
+}
+
+dir="/opt/deploy/"
+SCRATCH_DIR=$dir
+
+admin_user='system.admin'
+
+if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then
+  importPKCS "system.admin"
+  mv $dir/keystore.jks $dir/system.admin.jks
+fi
+
+if [[ ! -f $dir/searchguard_node_key || -z "$(keytool -list -keystore $dir/searchguard_node_key -storepass kspass | grep sig-ca)" ]]; then
+  importPKCS "elasticsearch"
+  mv $dir/keystore.jks $dir/searchguard_node_key
+fi
+
+
+if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then
+  importPKCS "logging-es"
+fi
+
+[ ! -f $dir/truststore.jks ] && createTruststore
+
+[ ! -f $dir/searchguard_node_truststore ] && cp $dir/truststore.jks $dir/searchguard_node_truststore
+
+# necessary so that the job knows it completed successfully
+exit 0
diff --git a/roles/openshift_logging/files/logging-deployer-sa.yaml b/roles/openshift_logging/files/logging-deployer-sa.yaml
new file mode 100644
index 000000000..334c9402b
--- /dev/null
+++ b/roles/openshift_logging/files/logging-deployer-sa.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: logging-deployer
+secrets:
+- name: logging-deployer
diff --git a/roles/openshift_logging/files/secure-forward.conf b/roles/openshift_logging/files/secure-forward.conf
new file mode 100644
index 000000000..f4483df79
--- /dev/null
+++ b/roles/openshift_logging/files/secure-forward.conf
@@ -0,0 +1,24 @@
+# @type secure_forward
+
+# self_hostname ${HOSTNAME}
+# shared_key <SECRET_STRING>
+
+# secure yes
+# enable_strict_verification yes
+
+# ca_cert_path /etc/fluent/keys/your_ca_cert
+# ca_private_key_path /etc/fluent/keys/your_private_key
+  # for private CA secret key
+# ca_private_key_passphrase passphrase
+
+# <server>
+  # or IP
+#   host server.fqdn.example.com
+#   port 24284
+# </server>
+# <server>
+  # ip address to connect
+#   host 203.0.113.8
+  # specify hostlabel for FQDN verification if ipaddress is used for host
+#   hostlabel server.fqdn.example.com
+# </server>
diff --git a/roles/openshift_logging/files/server-tls.json b/roles/openshift_logging/files/server-tls.json
new file mode 100644
index 000000000..86deb23e3
--- /dev/null
+++ b/roles/openshift_logging/files/server-tls.json
@@ -0,0 +1,5 @@
+// See for available options: https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
+tls_options = {
+	ciphers: 'kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES',
+	honorCipherOrder: true
+}
diff --git a/roles/openshift_logging/files/signing.conf b/roles/openshift_logging/files/signing.conf
new file mode 100644
index 000000000..810a057d9
--- /dev/null
+++ b/roles/openshift_logging/files/signing.conf
@@ -0,0 +1,103 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+#dir                     = _output               # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha1                  # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+0.domainComponent       = "io"
+1.domainComponent       = "openshift"
+organizationName        = "OpenShift Origin"
+organizationalUnitName  = "Logging Signing CA"
+commonName              = "Logging Signing CA"
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca              = signing_ca            # The default CA section
+
+[ signing_ca ]
+certificate             = $dir/ca.crt       # The CA cert
+private_key             = $dir/ca.key # CA private key
+new_certs_dir           = $dir/           # Certificate archive
+serial                  = $dir/ca.serial.txt # Serial number file
+crlnumber               = $dir/ca.crl.srl # CRL number file
+database                = $dir/ca.db # Index file
+unique_subject          = no                    # Require unique subject
+default_days            = 730                   # How long to certify for
+default_md              = sha1                  # MD to use
+policy                  = any_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = ca_default            # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = copy                  # Copy extensions from CSR
+x509_extensions         = client_ext             # Default cert extensions
+default_crl_days        = 7                     # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent         = match                 # Must match 'simple.org'
+organizationName        = match                 # Must match 'Simple Inc'
+organizationalUnitName  = optional              # Included if present
+commonName              = supplied              # Must be present
+
+[ any_pol ]
+domainComponent         = optional
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ client_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+
+[ server_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid
diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh
new file mode 100644
index 000000000..5752a0fcd
--- /dev/null
+++ b/roles/openshift_logging/files/util.sh
@@ -0,0 +1,192 @@
+#!/bin/bash
+
+function generate_JKS_chain() {
+  dir=${SCRATCH_DIR:-_output}
+  ADD_OID=$1
+  NODE_NAME=$2
+  CERT_NAMES=${3:-$NODE_NAME}
+  ks_pass=${KS_PASS:-kspass}
+  ts_pass=${TS_PASS:-tspass}
+  rm -rf $NODE_NAME
+
+  extension_names=""
+  for name in ${CERT_NAMES//,/ }; do
+	extension_names="${extension_names},dns:${name}"
+  done
+
+  if [ "$ADD_OID" = true ]; then
+    extension_names="${extension_names},oid:1.2.3.4.5.5"
+  fi
+
+  echo Generating keystore and certificate for node $NODE_NAME
+
+  "$keytool" -genkey \
+        -alias     $NODE_NAME \
+        -keystore  $dir/keystore.jks \
+        -keypass   $ks_pass \
+        -storepass $ks_pass \
+        -keyalg    RSA \
+        -keysize   2048 \
+        -validity  712 \
+        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
+        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
+
+  echo Generating certificate signing request for node $NODE_NAME
+
+  "$keytool" -certreq \
+        -alias      $NODE_NAME \
+        -keystore   $dir/keystore.jks \
+        -storepass  $ks_pass \
+        -file       $dir/$NODE_NAME.csr \
+        -keyalg     rsa \
+        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
+        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
+
+  echo Sign certificate request with CA
+
+  openssl ca \
+    -in $dir/$NODE_NAME.csr \
+    -notext \
+    -out $dir/$NODE_NAME.crt \
+    -config $dir/signing.conf \
+    -extensions v3_req \
+    -batch \
+	-extensions server_ext
+
+  echo "Import back to keystore (including CA chain)"
+
+  "$keytool"  \
+    -import \
+    -file $dir/ca.crt  \
+    -keystore $dir/keystore.jks   \
+    -storepass $ks_pass  \
+    -noprompt -alias sig-ca
+
+  "$keytool" \
+    -import \
+    -file $dir/$NODE_NAME.crt \
+    -keystore $dir/keystore.jks \
+    -storepass $ks_pass \
+    -noprompt \
+    -alias $NODE_NAME
+
+  echo "Import CA to truststore for validating client certs"
+
+  "$keytool"  \
+    -import \
+    -file $dir/ca.crt  \
+    -keystore $dir/truststore.jks   \
+    -storepass $ts_pass  \
+    -noprompt -alias sig-ca
+
+  echo All done for $NODE_NAME
+}
+
+function generate_PEM_cert() {
+  NODE_NAME="$1"
+  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
+
+  echo Generating keystore and certificate for node ${NODE_NAME}
+
+  openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
+
+  echo Sign certificate request with CA
+  openssl ca \
+    -in "$dir/$NODE_NAME.csr" \
+    -notext \
+    -out "$dir/$NODE_NAME.crt" \
+    -config $dir/signing.conf \
+    -extensions v3_req \
+    -batch \
+	-extensions server_ext
+}
+
+function generate_JKS_client_cert() {
+  NODE_NAME="$1"
+  ks_pass=${KS_PASS:-kspass}
+  ts_pass=${TS_PASS:-tspass}
+  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
+
+  echo Generating keystore and certificate for node ${NODE_NAME}
+
+  "$keytool" -genkey \
+        -alias     $NODE_NAME \
+        -keystore  $dir/$NODE_NAME.jks \
+        -keyalg    RSA \
+        -keysize   2048 \
+        -validity  712 \
+        -keypass $ks_pass \
+        -storepass $ks_pass \
+        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
+
+  echo Generating certificate signing request for node $NODE_NAME
+
+  "$keytool" -certreq \
+          -alias      $NODE_NAME \
+          -keystore   $dir/$NODE_NAME.jks \
+          -file       $dir/$NODE_NAME.csr \
+          -keyalg     rsa \
+          -keypass $ks_pass \
+          -storepass $ks_pass \
+          -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
+
+  echo Sign certificate request with CA
+  openssl ca \
+    -in "$dir/$NODE_NAME.csr" \
+    -notext \
+    -out "$dir/$NODE_NAME.crt" \
+    -config $dir/signing.conf \
+    -extensions v3_req \
+    -batch \
+	-extensions server_ext
+
+  echo "Import back to keystore (including CA chain)"
+
+  "$keytool"  \
+    -import \
+    -file $dir/ca.crt  \
+    -keystore $dir/$NODE_NAME.jks   \
+    -storepass $ks_pass  \
+    -noprompt -alias sig-ca
+
+  "$keytool" \
+    -import \
+    -file $dir/$NODE_NAME.crt \
+    -keystore $dir/$NODE_NAME.jks \
+    -storepass $ks_pass \
+    -noprompt \
+    -alias $NODE_NAME
+
+  echo All done for $NODE_NAME
+}
+
+function join { local IFS="$1"; shift; echo "$*"; }
+
+function get_es_dcs() {
+  oc get dc --selector logging-infra=elasticsearch -o name
+}
+
+function get_curator_dcs() {
+  oc get dc --selector logging-infra=curator -o name
+}
+
+function extract_nodeselector() {
+  local inputstring="${1//\"/}"  # remove any errant double quotes in the inputs
+  local selectors=()
+
+  for keyvalstr in ${inputstring//\,/ }; do
+
+    keyval=( ${keyvalstr//=/ } )
+
+    if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
+      selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
+    else
+      echo "Could not make a node selector label from '${keyval[*]}'"
+      exit 255
+    fi
+  done
+
+  if [[ "${#selectors[*]}" -gt 0 ]]; then
+    echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
+  fi
+}
-- 
cgit v1.2.3


From f79c819387b93af7b32a09b60652195f850d0574 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Wed, 14 Dec 2016 16:34:55 -0600
Subject: Updating to use deployer pod to generate JKS chain instead

---
 roles/openshift_logging/files/generate-jks.sh     | 177 +++++++++++++++++-----
 roles/openshift_logging/tasks/generate_certs.yaml | 102 ++++++-------
 roles/openshift_logging/templates/jks_pod.j2      |  28 ++++
 roles/openshift_logging/templates/job.j2          |  26 ----
 4 files changed, 214 insertions(+), 119 deletions(-)
 create mode 100644 roles/openshift_logging/templates/jks_pod.j2
 delete mode 100644 roles/openshift_logging/templates/job.j2

(limited to 'roles/openshift_logging/files')

diff --git a/roles/openshift_logging/files/generate-jks.sh b/roles/openshift_logging/files/generate-jks.sh
index 8760f37fe..db7ed9ab8 100644
--- a/roles/openshift_logging/files/generate-jks.sh
+++ b/roles/openshift_logging/files/generate-jks.sh
@@ -1,36 +1,140 @@
 #! /bin/sh
 set -ex
 
-function importPKCS() {
-  dir=${SCRATCH_DIR:-_output}
-  NODE_NAME=$1
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  rm -rf $NODE_NAME
-
-  keytool \
-    -importkeystore \
-    -srckeystore $NODE_NAME.pkcs12 \
-    -srcstoretype PKCS12 \
-    -srcstorepass pass \
-    -deststorepass $ks_pass \
-    -destkeypass $ks_pass \
-    -destkeystore $dir/keystore.jks \
-    -alias 1 \
-    -destalias $NODE_NAME
-
-  echo "Import back to keystore (including CA chain)"
-
-  keytool  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/keystore.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
+function generate_JKS_chain() {
+    dir=${SCRATCH_DIR:-_output}
+    ADD_OID=$1
+    NODE_NAME=$2
+    CERT_NAMES=${3:-$NODE_NAME}
+    ks_pass=${KS_PASS:-kspass}
+    ts_pass=${TS_PASS:-tspass}
+    rm -rf $NODE_NAME
+
+    extension_names=""
+    for name in ${CERT_NAMES//,/ }; do
+        extension_names="${extension_names},dns:${name}"
+    done
+
+    if [ "$ADD_OID" = true ]; then
+        extension_names="${extension_names},oid:1.2.3.4.5.5"
+    fi
+
+    echo Generating keystore and certificate for node $NODE_NAME
+
+    keytool -genkey \
+        -alias     $NODE_NAME \
+        -keystore  $dir/$NODE_NAME.jks \
+        -keypass   $ks_pass \
+        -storepass $ks_pass \
+        -keyalg    RSA \
+        -keysize   2048 \
+        -validity  712 \
+        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
+        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
+
+    echo Generating certificate signing request for node $NODE_NAME
+
+    keytool -certreq \
+        -alias      $NODE_NAME \
+        -keystore   $dir/$NODE_NAME.jks \
+        -storepass  $ks_pass \
+        -file       $dir/$NODE_NAME.csr \
+        -keyalg     rsa \
+        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
+        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
+
+    echo Sign certificate request with CA
+
+    openssl ca \
+        -in $dir/$NODE_NAME.csr \
+        -notext \
+        -out $dir/$NODE_NAME.crt \
+        -config $dir/signing.conf \
+        -extensions v3_req \
+        -batch \
+        -extensions server_ext
+
+    echo "Import back to keystore (including CA chain)"
+
+    keytool  \
+        -import \
+        -file $dir/ca.crt  \
+        -keystore $dir/$NODE_NAME.jks   \
+        -storepass $ks_pass  \
+        -noprompt -alias sig-ca
+
+    keytool \
+        -import \
+        -file $dir/$NODE_NAME.crt \
+        -keystore $dir/$NODE_NAME.jks \
+        -storepass $ks_pass \
+        -noprompt \
+        -alias $NODE_NAME
+
+    echo All done for $NODE_NAME
+}
 
-  echo All done for $NODE_NAME
+function generate_JKS_client_cert() {
+    NODE_NAME="$1"
+    ks_pass=${KS_PASS:-kspass}
+    ts_pass=${TS_PASS:-tspass}
+    dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
+
+    echo Generating keystore and certificate for node ${NODE_NAME}
+
+    keytool -genkey \
+        -alias     $NODE_NAME \
+        -keystore  $dir/$NODE_NAME.jks \
+        -keyalg    RSA \
+        -keysize   2048 \
+        -validity  712 \
+        -keypass $ks_pass \
+        -storepass $ks_pass \
+        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
+
+    echo Generating certificate signing request for node $NODE_NAME
+
+    keytool -certreq \
+        -alias      $NODE_NAME \
+        -keystore   $dir/$NODE_NAME.jks \
+        -file       $dir/$NODE_NAME.csr \
+        -keyalg     rsa \
+        -keypass $ks_pass \
+        -storepass $ks_pass \
+        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
+
+    echo Sign certificate request with CA
+    openssl ca \
+        -in "$dir/$NODE_NAME.csr" \
+        -notext \
+        -out "$dir/$NODE_NAME.crt" \
+        -config $dir/signing.conf \
+        -extensions v3_req \
+        -batch \
+        -extensions server_ext
+
+    echo "Import back to keystore (including CA chain)"
+
+    keytool  \
+        -import \
+        -file $dir/ca.crt  \
+        -keystore $dir/$NODE_NAME.jks   \
+        -storepass $ks_pass  \
+        -noprompt -alias sig-ca
+
+    keytool \
+        -import \
+        -file $dir/$NODE_NAME.crt \
+        -keystore $dir/$NODE_NAME.jks \
+        -storepass $ks_pass \
+        -noprompt \
+        -alias $NODE_NAME
+
+    echo All done for $NODE_NAME
 }
 
+function join { local IFS="$1"; shift; echo "$*"; }
+
 function createTruststore() {
 
   echo "Import CA to truststore for validating client certs"
@@ -43,29 +147,22 @@ function createTruststore() {
     -noprompt -alias sig-ca
 }
 
-dir="/opt/deploy/"
+dir="$CERT_DIR"
 SCRATCH_DIR=$dir
 
-admin_user='system.admin'
-
 if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then
-  importPKCS "system.admin"
-  mv $dir/keystore.jks $dir/system.admin.jks
+  generate_JKS_client_cert "system.admin"
 fi
 
-if [[ ! -f $dir/searchguard_node_key || -z "$(keytool -list -keystore $dir/searchguard_node_key -storepass kspass | grep sig-ca)" ]]; then
-  importPKCS "elasticsearch"
-  mv $dir/keystore.jks $dir/searchguard_node_key
+if [[ ! -f $dir/elasticsearch.jks || -z "$(keytool -list -keystore $dir/elasticsearch.jks -storepass kspass | grep sig-ca)" ]]; then
+  generate_JKS_chain true elasticsearch "$(join , logging-es{,-ops})"
 fi
 
-
-if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then
-  importPKCS "logging-es"
+if [[ ! -f $dir/logging-es.jks || -z "$(keytool -list -keystore $dir/logging-es.jks -storepass kspass | grep sig-ca)" ]]; then
+  generate_JKS_chain false logging-es "$(join , logging-es{,-ops}{,-cluster}{,.${PROJECT}.svc.cluster.local})"
 fi
 
 [ ! -f $dir/truststore.jks ] && createTruststore
 
-[ ! -f $dir/searchguard_node_truststore ] && cp $dir/truststore.jks $dir/searchguard_node_truststore
-
 # necessary so that the job knows it completed successfully
 exit 0
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index 161d51055..6bfeccf61 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -102,61 +102,57 @@
   loop_control:
     loop_var: node_name
 
-- shell: certs=""; for cert in $(echo logging-es{,-ops}); do certs=$certs,dns:$cert; done; echo $certs
-  register: elasticsearch_certs
-  check_mode: no
-
-- shell: certs=""; for cert in $(echo logging-es{,-ops}{,-cluster}{,.logging.svc.cluster.local}); do certs=$certs,dns:$cert; done; echo $certs
-  register: logging_es_certs
-  check_mode: no
-
-#- shell: index=2; certs=""; for cert in $(echo logging-es{,-ops}); do certs=$certs,DNS.$index=$cert; index=$(($index+1)); done; echo $certs
-#  register: elasticsearch_certs
-#  check_mode: no
-
-#- shell: index=2; certs=""; for cert in $(echo logging-es{,-ops}{,-cluster}{,.logging.svc.cluster.local}); do certs=$certs,DNS.$index=$cert; index=$(($index+1)); done; echo $certs
-#  register: logging_es_certs
-#  check_mode: no
+- name: Check for jks-generator service account
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get serviceaccount/jks-generator --no-headers -n {{openshift_logging_namespace}}
+  register: serviceaccount_result
+  ignore_errors: yes
+  when: not ansible_check_mode
 
-- name: Generate PKCS12 chains
-#  include: generate_pkcs12.yaml component='system.admin'
-  include: generate_jks_chain.yaml component='system.admin'
+- name: Create jks-generator service account
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create serviceaccount jks-generator -n {{openshift_logging_namespace}}
+  when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
+
+- name: Check for hostmount-anyuid scc entry
+  shell: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o go-template='{{ '{{' }}.users{{ '}}' }}' |
+    grep system:serviceaccount:{{openshift_logging_namespace}}:jks-generator
+  register: scc_result
+  ignore_errors: yes
+  when: not ansible_check_mode
+
+- name: Add to hostmount-anyuid scc
+  command: >
+    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-scc-to-user hostmount-anyuid -z jks-generator -n {{openshift_logging_namespace}}
+  when: not ansible_check_mode and scc_result.rc == 1
+
+- name: Copy jks script
+  copy:
+    src: generate-jks.sh
+    dest: "{{generated_certs_dir}}/generate-jks.sh"
+
+- name: Generate JKS chains
+  template:
+    src: jks_pod.j2
+    dest: "{{mktemp.stdout}}/jks_pod.yaml"
+
+- name: create pod
+  shell: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}}
+  register: podoutput
+
+- shell: >
+    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
+  register: podname
+
+- shell: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get pod {{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{openshift_logging_namespace}}
+  register: result
+  until: result.stdout.find("Succeeded") != -1
+  retries: 5
+  delay: 10
 
-- name: Generate PKCS12 chains
-#  include: generate_pkcs12.yaml component={{node.name}} oid={{node.oid | default(False)}} chain_certs={{node.certs}}
-  include: generate_jks_chain.yaml component={{node.name}} oid={{node.oid | default(False)}} chain_certs={{node.certs}}
-  with_items:
-    - {name: 'elasticsearch', oid: True, certs: '{{elasticsearch_certs.stdout}}'}
-    - {name: 'logging-es', certs: '{{logging_es_certs.stdout}}'}
-  loop_control:
-    loop_var: node
-# This should be handled within the ES image instead... ---
-#- name: Copy jks script
-#  copy:
-#    src: generate-jks.sh
-#    dest: "{{etcd_generated_certs_dir}}/logging"
-
-#- name: Generate JKS chains
-#  template:
-#    src: job.j2
-#    dest: "{{mktemp.stdout}}/jks_job.yaml"
-
-#- name: kick off job
-#  shell: >
-#    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_job.yaml -n {{logging_namespace}}
-#  register: podoutput
-
-#- shell: >
-#    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
-#  register: podname
-
-#- action: shell >
-#    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig oc get pod/{{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{logging_namespace}}
-#  register: result
-#  until: result.stdout.find("Succeeded") != -1
-#  retries: 5
-#  delay: 10
-# --- This should be handled within the ES image instead...
 - name: Generate proxy session
   shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 200
   register: session_secret
diff --git a/roles/openshift_logging/templates/jks_pod.j2 b/roles/openshift_logging/templates/jks_pod.j2
new file mode 100644
index 000000000..8b1c74211
--- /dev/null
+++ b/roles/openshift_logging/templates/jks_pod.j2
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    logging-infra: support
+  generateName: jks-cert-gen-
+spec:
+  containers:
+  - name: jks-cert-gen
+    image: {{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}
+    imagePullPolicy: Always
+    command: ["sh",  "{{generated_certs_dir}}/generate-jks.sh"]
+    securityContext:
+      privileged: true
+    volumeMounts:
+    - mountPath: {{generated_certs_dir}}
+      name: certmount
+    env:
+    - name: PROJECT
+      value: {{openshift_logging_namespace}}
+    - name: CERT_DIR
+      value: {{generated_certs_dir}}
+  restartPolicy: Never
+  serviceAccount: jks-generator
+  volumes:
+  - hostPath:
+      path: "{{generated_certs_dir}}"
+    name: certmount
diff --git a/roles/openshift_logging/templates/job.j2 b/roles/openshift_logging/templates/job.j2
deleted file mode 100644
index d7794a407..000000000
--- a/roles/openshift_logging/templates/job.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  labels:
-    logging-infra: support
-  generateName: jks-cert-gen-
-spec:
-  containers:
-  - name: jks-cert-gen
-    image: {{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}
-    imagePullPolicy: Always
-    command: ["sh",  "generate-jks.sh"]
-    securityContext:
-      privileged: true
-    volumeMounts:
-    - mountPath: /opt/deploy
-      name: certmount
-    env:
-    - name: PROJECT
-      value: {{openshift_logging_namespace}}
-  restartPolicy: Never
-  serviceAccount: aggregated-logging-fluentd
-  volumes:
-  - hostPath:
-      path: "{{generated_certs_dir}}"
-    name: certmount
-- 
cgit v1.2.3


From a8c2999d94548d1c82b75387ef33d2e3f5c67536 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Wed, 4 Jan 2017 15:09:47 -0600
Subject: Fixing collision of system.admin cert generation

---
 roles/openshift_logging/files/generate-jks.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'roles/openshift_logging/files')

diff --git a/roles/openshift_logging/files/generate-jks.sh b/roles/openshift_logging/files/generate-jks.sh
index db7ed9ab8..995ec0b98 100644
--- a/roles/openshift_logging/files/generate-jks.sh
+++ b/roles/openshift_logging/files/generate-jks.sh
@@ -97,7 +97,7 @@ function generate_JKS_client_cert() {
     keytool -certreq \
         -alias      $NODE_NAME \
         -keystore   $dir/$NODE_NAME.jks \
-        -file       $dir/$NODE_NAME.csr \
+        -file       $dir/$NODE_NAME.jks.csr \
         -keyalg     rsa \
         -keypass $ks_pass \
         -storepass $ks_pass \
@@ -105,9 +105,9 @@ function generate_JKS_client_cert() {
 
     echo Sign certificate request with CA
     openssl ca \
-        -in "$dir/$NODE_NAME.csr" \
+        -in "$dir/$NODE_NAME.jks.csr" \
         -notext \
-        -out "$dir/$NODE_NAME.crt" \
+        -out "$dir/$NODE_NAME.jks.crt" \
         -config $dir/signing.conf \
         -extensions v3_req \
         -batch \
@@ -124,7 +124,7 @@ function generate_JKS_client_cert() {
 
     keytool \
         -import \
-        -file $dir/$NODE_NAME.crt \
+        -file $dir/$NODE_NAME.jks.crt \
         -keystore $dir/$NODE_NAME.jks \
         -storepass $ks_pass \
         -noprompt \
-- 
cgit v1.2.3


From 06c111d22641ba5cc2dbbe0144d9d6722d94f159 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Wed, 11 Jan 2017 15:26:46 -0600
Subject: addressing comments

---
 roles/openshift_logging/defaults/main.yml          |   2 +-
 roles/openshift_logging/files/signing.conf         | 103 -----------
 roles/openshift_logging/files/util.sh              | 192 ---------------------
 roles/openshift_logging/filter_plugins/__init__.py |   0
 roles/openshift_logging/library/__init.py__        |   0
 roles/openshift_logging/meta/main.yaml             |  14 +-
 roles/openshift_logging/tasks/generate_certs.yaml  |  48 ++----
 .../tasks/generate_configmaps.yaml                 |  25 ++-
 .../tasks/generate_jks_chain.yaml                  |  60 -------
 roles/openshift_logging/tasks/generate_pkcs12.yaml |  24 ---
 roles/openshift_logging/tasks/install_fluentd.yaml |  15 +-
 roles/openshift_logging/tasks/install_logging.yaml |   6 +-
 roles/openshift_logging/tasks/label_node.yaml      |   8 +-
 roles/openshift_logging/tasks/main.yaml            |   5 +
 roles/openshift_logging/tasks/scale.yaml           |  16 +-
 roles/openshift_logging/tasks/start_cluster.yaml   |  24 +--
 roles/openshift_logging/tasks/stop_cluster.yaml    |  24 +--
 roles/openshift_logging/tasks/upgrade_logging.yaml |   4 +-
 roles/openshift_logging/templates/fluentd.j2       |   2 +-
 roles/openshift_logging/templates/signing.conf.j2  | 103 +++++++++++
 20 files changed, 214 insertions(+), 461 deletions(-)
 delete mode 100644 roles/openshift_logging/files/signing.conf
 delete mode 100644 roles/openshift_logging/files/util.sh
 delete mode 100644 roles/openshift_logging/filter_plugins/__init__.py
 delete mode 100644 roles/openshift_logging/library/__init.py__
 delete mode 100644 roles/openshift_logging/tasks/generate_jks_chain.yaml
 delete mode 100644 roles/openshift_logging/tasks/generate_pkcs12.yaml
 create mode 100644 roles/openshift_logging/templates/signing.conf.j2

(limited to 'roles/openshift_logging/files')

diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index a441f10b9..4eb852207 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -33,7 +33,7 @@ openshift_logging_kibana_ops_proxy_debug: false
 openshift_logging_kibana_ops_proxy_cpu_limit: null
 openshift_logging_kibana_ops_proxy_memory_limit: null
 
-openshift_logging_fluentd_nodeselector: '"logging-infra-fluentd": "true"'
+openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'}
 openshift_logging_fluentd_cpu_limit: 100m
 openshift_logging_fluentd_memory_limit: 512Mi
 openshift_logging_fluentd_es_copy: false
diff --git a/roles/openshift_logging/files/signing.conf b/roles/openshift_logging/files/signing.conf
deleted file mode 100644
index 810a057d9..000000000
--- a/roles/openshift_logging/files/signing.conf
+++ /dev/null
@@ -1,103 +0,0 @@
-# Simple Signing CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-#dir                     = _output               # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits            = 2048                  # RSA key size
-encrypt_key             = yes                   # Protect private key
-default_md              = sha1                  # MD to use
-utf8                    = yes                   # Input is UTF-8
-string_mask             = utf8only              # Emit UTF-8 strings
-prompt                  = no                    # Don't prompt for DN
-distinguished_name      = ca_dn                 # DN section
-req_extensions          = ca_reqext             # Desired extensions
-
-[ ca_dn ]
-0.domainComponent       = "io"
-1.domainComponent       = "openshift"
-organizationName        = "OpenShift Origin"
-organizationalUnitName  = "Logging Signing CA"
-commonName              = "Logging Signing CA"
-
-[ ca_reqext ]
-keyUsage                = critical,keyCertSign,cRLSign
-basicConstraints        = critical,CA:true,pathlen:0
-subjectKeyIdentifier    = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ ca ]
-default_ca              = signing_ca            # The default CA section
-
-[ signing_ca ]
-certificate             = $dir/ca.crt       # The CA cert
-private_key             = $dir/ca.key # CA private key
-new_certs_dir           = $dir/           # Certificate archive
-serial                  = $dir/ca.serial.txt # Serial number file
-crlnumber               = $dir/ca.crl.srl # CRL number file
-database                = $dir/ca.db # Index file
-unique_subject          = no                    # Require unique subject
-default_days            = 730                   # How long to certify for
-default_md              = sha1                  # MD to use
-policy                  = any_pol             # Default naming policy
-email_in_dn             = no                    # Add email to cert DN
-preserve                = no                    # Keep passed DN ordering
-name_opt                = ca_default            # Subject DN display options
-cert_opt                = ca_default            # Certificate display options
-copy_extensions         = copy                  # Copy extensions from CSR
-x509_extensions         = client_ext             # Default cert extensions
-default_crl_days        = 7                     # How long before next CRL
-crl_extensions          = crl_ext               # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent         = match                 # Must match 'simple.org'
-organizationName        = match                 # Must match 'Simple Inc'
-organizationalUnitName  = optional              # Included if present
-commonName              = supplied              # Must be present
-
-[ any_pol ]
-domainComponent         = optional
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = optional
-emailAddress            = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ client_ext ]
-keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = CA:false
-extendedKeyUsage        = clientAuth
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid
-
-[ server_ext ]
-keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = CA:false
-extendedKeyUsage        = serverAuth,clientAuth
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier  = keyid
diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh
deleted file mode 100644
index 5752a0fcd..000000000
--- a/roles/openshift_logging/files/util.sh
+++ /dev/null
@@ -1,192 +0,0 @@
-#!/bin/bash
-
-function generate_JKS_chain() {
-  dir=${SCRATCH_DIR:-_output}
-  ADD_OID=$1
-  NODE_NAME=$2
-  CERT_NAMES=${3:-$NODE_NAME}
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  rm -rf $NODE_NAME
-
-  extension_names=""
-  for name in ${CERT_NAMES//,/ }; do
-	extension_names="${extension_names},dns:${name}"
-  done
-
-  if [ "$ADD_OID" = true ]; then
-    extension_names="${extension_names},oid:1.2.3.4.5.5"
-  fi
-
-  echo Generating keystore and certificate for node $NODE_NAME
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/keystore.jks \
-        -keypass   $ks_pass \
-        -storepass $ks_pass \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-        -alias      $NODE_NAME \
-        -keystore   $dir/keystore.jks \
-        -storepass  $ks_pass \
-        -file       $dir/$NODE_NAME.csr \
-        -keyalg     rsa \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Sign certificate request with CA
-
-  openssl ca \
-    -in $dir/$NODE_NAME.csr \
-    -notext \
-    -out $dir/$NODE_NAME.crt \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/keystore.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/keystore.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo "Import CA to truststore for validating client certs"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/truststore.jks   \
-    -storepass $ts_pass  \
-    -noprompt -alias sig-ca
-
-  echo All done for $NODE_NAME
-}
-
-function generate_PEM_cert() {
-  NODE_NAME="$1"
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-}
-
-function generate_JKS_client_cert() {
-  NODE_NAME="$1"
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/$NODE_NAME.jks \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -keypass $ks_pass \
-        -storepass $ks_pass \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-          -alias      $NODE_NAME \
-          -keystore   $dir/$NODE_NAME.jks \
-          -file       $dir/$NODE_NAME.csr \
-          -keyalg     rsa \
-          -keypass $ks_pass \
-          -storepass $ks_pass \
-          -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/$NODE_NAME.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/$NODE_NAME.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo All done for $NODE_NAME
-}
-
-function join { local IFS="$1"; shift; echo "$*"; }
-
-function get_es_dcs() {
-  oc get dc --selector logging-infra=elasticsearch -o name
-}
-
-function get_curator_dcs() {
-  oc get dc --selector logging-infra=curator -o name
-}
-
-function extract_nodeselector() {
-  local inputstring="${1//\"/}"  # remove any errant double quotes in the inputs
-  local selectors=()
-
-  for keyvalstr in ${inputstring//\,/ }; do
-
-    keyval=( ${keyvalstr//=/ } )
-
-    if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
-      selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
-    else
-      echo "Could not make a node selector label from '${keyval[*]}'"
-      exit 255
-    fi
-  done
-
-  if [[ "${#selectors[*]}" -gt 0 ]]; then
-    echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
-  fi
-}
diff --git a/roles/openshift_logging/filter_plugins/__init__.py b/roles/openshift_logging/filter_plugins/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/roles/openshift_logging/library/__init.py__ b/roles/openshift_logging/library/__init.py__
deleted file mode 100644
index e69de29bb..000000000
diff --git a/roles/openshift_logging/meta/main.yaml b/roles/openshift_logging/meta/main.yaml
index 8bff6cfb7..a95c84901 100644
--- a/roles/openshift_logging/meta/main.yaml
+++ b/roles/openshift_logging/meta/main.yaml
@@ -1,3 +1,15 @@
 ---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: OpenShift Embedded Router
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
 dependencies:
-  - { role: openshift_facts }
+  - role: openshift_facts
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index 6bfeccf61..bcf4881bb 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -31,14 +31,10 @@
   register: signing_conf_file
   check_mode: no
 
-- block:
-  - copy: src=signing.conf dest={{generated_certs_dir}}/signing.conf
-    check_mode: no
-
-  - lineinfile: "dest={{generated_certs_dir}}/signing.conf regexp='# Top dir$' line='dir                     = {{generated_certs_dir}}               # Top dir'"
-    check_mode: no
-  when:
-    - not signing_conf_file.stat.exists
+- template: src=signing.conf.j2 dest={{generated_certs_dir}}/signing.conf
+  vars:
+    - top_dir: '{{generated_certs_dir}}'
+  when: not signing_conf_file.stat.exists
 
 - include: procure_server_certs.yaml
   loop_control:
@@ -49,19 +45,6 @@
     - procure_component: kibana-internal
       hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"
 
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana
-
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana-ops
-
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana-internal
-#     - hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"
-
 - name: Copy proxy TLS configuration file
   copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
   when: server_tls_json is undefined
@@ -116,8 +99,8 @@
 
 - name: Check for hostmount-anyuid scc entry
   shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o go-template='{{ '{{' }}.users{{ '}}' }}' |
-    grep system:serviceaccount:{{openshift_logging_namespace}}:jks-generator
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}' |
+    grep system:serviceaccount:{{openshift_logging_namespace | quote}}:jks-generator
   register: scc_result
   ignore_errors: yes
   when: not ansible_check_mode
@@ -131,34 +114,33 @@
   copy:
     src: generate-jks.sh
     dest: "{{generated_certs_dir}}/generate-jks.sh"
+  check_mode: no
 
 - name: Generate JKS chains
   template:
     src: jks_pod.j2
     dest: "{{mktemp.stdout}}/jks_pod.yaml"
+  check_mode: no
 
 - name: create pod
-  shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} -o name
   register: podoutput
+  check_mode: no
 
-- shell: >
-    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
-  register: podname
-
-- shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get pod {{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{openshift_logging_namespace}}
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{podoutput.stdout}} -o jsonpath='{.status.phase}' -n {{openshift_logging_namespace}}
   register: result
   until: result.stdout.find("Succeeded") != -1
   retries: 5
   delay: 10
 
 - name: Generate proxy session
-  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 200
+  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
   register: session_secret
   check_mode: no
 
 - name: Generate oauth client secret
-  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64
+  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
   register: oauth_secret
   check_mode: no
diff --git a/roles/openshift_logging/tasks/generate_configmaps.yaml b/roles/openshift_logging/tasks/generate_configmaps.yaml
index 86882a5da..f9f9ee79f 100644
--- a/roles/openshift_logging/tasks/generate_configmaps.yaml
+++ b/roles/openshift_logging/tasks/generate_configmaps.yaml
@@ -4,37 +4,44 @@
         src: elasticsearch-logging.yml
         dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
       when: es_logging_contents is undefined
+      changed_when: no
 
     - copy:
         src: elasticsearch.yml
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
       when: es_config_contents is undefined
+      changed_when: no
 
     - lineinfile:
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
         regexp: '^openshift\.operations\.allow_cluster_reader(.)*$'
         line: "\nopenshift.operations.allow_cluster_reader: {{openshift_logging_es_ops_allow_cluster_reader | lower}}"
       when: es_config_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{es_logging_contents}}"
         dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
       when: es_logging_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{es_config_contents}}"
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
       when: es_config_contents is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-elasticsearch
         --from-file=logging.yml={{mktemp.stdout}}/elasticsearch-logging.yml --from-file=elasticsearch.yml={{mktemp.stdout}}/elasticsearch.yml -o yaml --dry-run
       register: es_configmap
+      changed_when: no
 
     - copy:
         content: "{{es_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-elasticsearch-configmap.yaml"
       when: es_configmap.stdout is defined
+      changed_when: no
   check_mode: no
 
 - block:
@@ -42,21 +49,25 @@
         src: curator.yml
         dest: "{{mktemp.stdout}}/curator.yml"
       when: curator_config_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{curator_config_contents}}"
         dest: "{{mktemp.stdout}}/curator.yml"
       when: curator_config_contenets is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-curator
         --from-file=config.yaml={{mktemp.stdout}}/curator.yml -o yaml --dry-run
       register: curator_configmap
+      changed_when: no
 
     - copy:
         content: "{{curator_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-curator-configmap.yaml"
       when: curator_configmap.stdout is defined
+      changed_when: no
   check_mode: no
 
 - block:
@@ -64,40 +75,48 @@
         src: fluent.conf
         dest: "{{mktemp.stdout}}/fluent.conf"
       when: fluentd_config_contents is undefined
+      changed_when: no
 
     - copy:
         src: fluentd-throttle-config.yaml
         dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
       when: fluentd_throttle_contents is undefined
+      changed_when: no
 
     - copy:
         src: secure-forward.conf
         dest: "{{mktemp.stdout}}/secure-forward.conf"
       when: fluentd_securefoward_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_config_contents}}"
         dest: "{{mktemp.stdout}}/fluent.conf"
       when: fluentd_config_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_throttle_contents}}"
         dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
       when: fluentd_throttle_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_secureforward_contents}}"
         dest: "{{mktemp.stdout}}/secure-forward.conf"
       when: fluentd_secureforward_contents is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-fluentd
         --from-file=fluent.conf={{mktemp.stdout}}/fluent.conf --from-file=throttle-config.yaml={{mktemp.stdout}}/fluentd-throttle-config.yaml
         --from-file=secure-forward.conf={{mktemp.stdout}}/secure-forward.conf -o yaml --dry-run
       register: fluentd_configmap
+      changed_when: no
 
     - copy:
         content: "{{fluentd_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-fluentd-configmap.yaml"
       when: fluentd_configmap.stdout is defined
+      changed_when: no
   check_mode: no
diff --git a/roles/openshift_logging/tasks/generate_jks_chain.yaml b/roles/openshift_logging/tasks/generate_jks_chain.yaml
deleted file mode 100644
index 14ffdc51f..000000000
--- a/roles/openshift_logging/tasks/generate_jks_chain.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
----
-- debug: msg="certs are {{chain_certs}} and oid is {{oid}}"
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="certs are {{chain_certs}}"
-  when: chain_certs is defined and oid is undefined
-
-- name: Build extensions with certs
-  shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid:1.2.3.4.5.5','') }}"
-  register: cert_ext
-  when: chain_certs is defined and oid is defined
-  check_mode: no
-
-- debug: msg="extensions are {{cert_ext.stdout}}"
-  when: cert_ext.stdout is defined
-
-- shell: >
-    echo {{ (cert_ext.stdout is defined) | ternary( '-ext san=dns:localhost,ip:127.0.0.1','') }}{{ (cert_ext.stdout is defined) | ternary( cert_ext.stdout, '') }}
-  register: extensions
-  check_mode: no
-
-- name: Checking for {{component}}.jks ...
-  stat: path="{{generated_certs_dir}}/{{component}}.jks"
-  register: jks_file
-  check_mode: no
-
-- name: Checking for truststore...
-  stat: path="{{generated_certs_dir}}/truststore.jks"
-  register: jks_truststore
-  check_mode: no
-
-- block:
-    - shell: >
-        keytool -genkey -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -keypass kspass -storepass kspass
-        -keyalg RSA -keysize 2048 -validity 712 -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
-
-    - shell: >
-        keytool -certreq -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -storepass kspass
-        -file {{generated_certs_dir}}/{{component}}-jks.csr -keyalg RSA -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
-
-    - shell: >
-        openssl ca -in {{generated_certs_dir}}/{{component}}-jks.csr -notext -out {{generated_certs_dir}}/{{component}}-jks.crt
-        -config {{generated_certs_dir}}/signing.conf -extensions v3_req -batch -extensions server_ext
-
-    - shell: >
-        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/{{component}}.jks
-        -storepass kspass -noprompt -alias sig-ca
-
-    - shell: >
-         keytool -import -file {{generated_certs_dir}}/{{component}}-jks.crt -keystore {{generated_certs_dir}}/{{component}}.jks
-         -storepass kspass -noprompt -alias {{component}}
-
-  when: not jks_file.stat.exists
-  check_mode: no
-
-- block:
-    - shell: >
-        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/truststore.jks -storepass tspass -noprompt -alias sig-ca
-  when: not jks_truststore.stat.exists
-  check_mode: no
diff --git a/roles/openshift_logging/tasks/generate_pkcs12.yaml b/roles/openshift_logging/tasks/generate_pkcs12.yaml
deleted file mode 100644
index dde65746f..000000000
--- a/roles/openshift_logging/tasks/generate_pkcs12.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- debug: msg="certs are {{chain_certs}} and oid is {{oid}}"
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="certs are {{chain_certs}}"
-  when: chain_certs is defined and oid is undefined
-
-- name: Build extensions with certs
-  shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid=1.2.3.4.5.5','') }}"
-  register: cert_ext
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="extensions are {{cert_ext.stdout}}"
-  when: cert_ext.stdout is defined
-
-- include: generate_pems.yaml
-
-- local_action: stat path="{{mktemp.stdout}}/{{component}}.pkcs12"
-  register: pkcs_file
-  become: no
-
-- name: Generating pkcs12 chain for {{component}}
-  command: openssl pkcs12 -export -out {{generated_certs_dir}}/{{component}}.pkcs12 -inkey {{generated_certs_dir}}/{{component}}.key -in {{generated_certs_dir}}/{{component}}.crt -password pass:pass
-  when: not pkcs_file.stat.exists
diff --git a/roles/openshift_logging/tasks/install_fluentd.yaml b/roles/openshift_logging/tasks/install_fluentd.yaml
index 35bd452ed..6f93081d7 100644
--- a/roles/openshift_logging/tasks/install_fluentd.yaml
+++ b/roles/openshift_logging/tasks/install_fluentd.yaml
@@ -1,14 +1,23 @@
 ---
-- shell: >
+- command: >
     echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}"
   register: fluentd_ops_host
   check_mode: no
 
-- shell: >
+- command: >
     echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}"
   register: fluentd_ops_port
   check_mode: no
 
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
+  register: openshift_logging_fluentd_nodeselector_key
+  check_mode: no
+
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
+  register: openshift_logging_fluentd_nodeselector_value
+  check_mode: no
 
 - name: Generating Fluentd daemonset
   template: src=fluentd.j2 dest={{mktemp.stdout}}/templates/logging-fluentd.yaml
@@ -19,6 +28,8 @@
     daemonset_serviceAccount: aggregated-logging-fluentd
     ops_host: "{{ fluentd_ops_host.stdout }}"
     ops_port: "{{ fluentd_ops_port.stdout }}"
+    fluentd_nodeselector_key: "{{openshift_logging_fluentd_nodeselector_key.stdout}}"
+    fluentd_nodeselector_value: "{{openshift_logging_fluentd_nodeselector_value.stdout}}"
   check_mode: no
 
 - name: "Set permissions for fluentd"
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 591f11476..09630e213 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -24,14 +24,14 @@
     loop_var: install_component
 
 - name: Register API objects from generated templates
-  shell: ls -d -1 {{mktemp.stdout}}/templates/* | sort
+  command: ls -1 {{mktemp.stdout}}/templates/
   register: logging_objects
   check_mode: no
 
 - name: Creating API objects from generated templates
   command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{file}} -n {{openshift_logging_namespace}}
-  with_items: "{{logging_objects.stdout_lines}}"
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{mktemp.stdout}}/templates/{{file}} -n {{openshift_logging_namespace}}
+  with_items: "{{logging_objects.stdout_lines | sort}}"
   loop_control:
     loop_var: file
   when: not ansible_check_mode
diff --git a/roles/openshift_logging/tasks/label_node.yaml b/roles/openshift_logging/tasks/label_node.yaml
index 55cfea38c..f35ccc3b6 100644
--- a/roles/openshift_logging/tasks/label_node.yaml
+++ b/roles/openshift_logging/tasks/label_node.yaml
@@ -1,12 +1,12 @@
 ---
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}}
-    --template='{{ '{{index .metadata.labels "' }}{{label}}{{ '"}}' }}'
+    -o jsonpath='{.metadata.labels.{{ label }}}'
   register: label_value
   failed_when: label_value.rc == 1 and 'exists' not in label_value.stderr
   when: not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} --overwrite
   register: label_result
   failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr
@@ -17,7 +17,7 @@
   - unlabel is not defined or not unlabel
   - not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}-
   register: label_result
   failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr
diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml
index b64c24ade..c4ec1b255 100644
--- a/roles/openshift_logging/tasks/main.yaml
+++ b/roles/openshift_logging/tasks/main.yaml
@@ -1,4 +1,9 @@
 ---
+- fail:
+    msg: Only one Fluentd nodeselector key pair should be provided
+  when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1"
+
+
 - name: Create temp directory for doing work in
   command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
   register: mktemp
diff --git a/roles/openshift_logging/tasks/scale.yaml b/roles/openshift_logging/tasks/scale.yaml
index 3d86ea171..aa3e39641 100644
--- a/roles/openshift_logging/tasks/scale.yaml
+++ b/roles/openshift_logging/tasks/scale.yaml
@@ -1,26 +1,26 @@
 ---
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}}
-    --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_logging_namespace}}
+    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: replica_count
   failed_when: replica_count.rc == 1 and 'exists' not in replica_count.stderr
   when: not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}}
     --replicas={{desired}} -n {{openshift_logging_namespace}}
   register: scale_result
   failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr
   when:
-  - replica_count.stdout != desired
   - not ansible_check_mode
+  - replica_count.stdout|int != desired
 
-- shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_logging_namespace}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}'
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} -n {{openshift_logging_namespace}} -o jsonpath='{.status.replicas}'
   register: replica_counts
-  until: replica_counts.stdout.find("{{desired}}") != -1
+  until: replica_counts.stdout|int == desired
   retries: 30
   delay: 10
   when:
-    - replica_count.stdout != desired
     - not ansible_check_mode
+    - replica_count.stdout|int != desired
diff --git a/roles/openshift_logging/tasks/start_cluster.yaml b/roles/openshift_logging/tasks/start_cluster.yaml
index cdfc5f2d3..090ca8359 100644
--- a/roles/openshift_logging/tasks/start_cluster.yaml
+++ b/roles/openshift_logging/tasks/start_cluster.yaml
@@ -1,16 +1,16 @@
 ---
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
   register: openshift_logging_fluentd_nodeselector_key
   check_mode: no
 
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
   register: openshift_logging_fluentd_nodeselector_value
   check_mode: no
 
-- shell: >
-    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g"
+- command: >
+    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}'
   register: fluentd_hosts
   when: "'--all' in openshift_logging_fluentd_hosts"
   check_mode: no
@@ -25,7 +25,7 @@
   loop_control:
     loop_var: fluentd_host
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -38,7 +38,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
   check_mode: no
@@ -51,7 +51,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}}
   register: curator_dc
   check_mode: no
@@ -64,7 +64,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -78,7 +78,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
   check_mode: no
@@ -92,7 +92,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}}
   register: curator_dc
   check_mode: no
diff --git a/roles/openshift_logging/tasks/stop_cluster.yaml b/roles/openshift_logging/tasks/stop_cluster.yaml
index e018d0618..dd3693f7e 100644
--- a/roles/openshift_logging/tasks/stop_cluster.yaml
+++ b/roles/openshift_logging/tasks/stop_cluster.yaml
@@ -1,14 +1,14 @@
 ---
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
   register: openshift_logging_fluentd_nodeselector_key
 
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
   register: openshift_logging_fluentd_nodeselector_value
 
-- shell: >
-    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g"
+- command: >
+    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}'
   register: fluentd_hosts
   when: "'--all' in openshift_logging_fluentd_hosts"
 
@@ -22,7 +22,7 @@
   loop_control:
     loop_var: fluentd_host
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
 
@@ -34,7 +34,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
 
@@ -46,7 +46,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}}
   register: curator_dc
 
@@ -58,7 +58,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}}
   register: es_dc
 
@@ -71,7 +71,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
 
@@ -84,7 +84,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}}
   register: curator_dc
 
diff --git a/roles/openshift_logging/tasks/upgrade_logging.yaml b/roles/openshift_logging/tasks/upgrade_logging.yaml
index b2c8022d5..9b285a5fe 100644
--- a/roles/openshift_logging/tasks/upgrade_logging.yaml
+++ b/roles/openshift_logging/tasks/upgrade_logging.yaml
@@ -8,7 +8,7 @@
     start_cluster: False
 
 # ensure that ES is running
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -26,7 +26,7 @@
     dest: {{mktemp.stdout}}/es_migration.sh
 
 - name: Run upgrade scripts
-  shell: >
+  command: >
     sh {{mktemp.stdout}}/es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}}
 
 - name: Start up rest of cluster
diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2
index a09b582a2..b6c91f8ed 100644
--- a/roles/openshift_logging/templates/fluentd.j2
+++ b/roles/openshift_logging/templates/fluentd.j2
@@ -25,7 +25,7 @@ spec:
     spec:
       serviceAccountName: "{{daemonset_serviceAccount}}"
       nodeSelector:
-        {{openshift_logging_fluentd_nodeselector}}
+        {{fluentd_nodeselector_key}}: "{{fluentd_nodeselector_value}}"
       containers:
       - name: "{{daemonset_container_name}}"
         image: "{{openshift_logging_image_prefix}}{{daemonset_name}}:{{openshift_logging_image_version}}"
diff --git a/roles/openshift_logging/templates/signing.conf.j2 b/roles/openshift_logging/templates/signing.conf.j2
new file mode 100644
index 000000000..727cde4c9
--- /dev/null
+++ b/roles/openshift_logging/templates/signing.conf.j2
@@ -0,0 +1,103 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+dir                     = {{top_dir}}               # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha1                  # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+0.domainComponent       = "io"
+1.domainComponent       = "openshift"
+organizationName        = "OpenShift Origin"
+organizationalUnitName  = "Logging Signing CA"
+commonName              = "Logging Signing CA"
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca              = signing_ca            # The default CA section
+
+[ signing_ca ]
+certificate             = $dir/ca.crt       # The CA cert
+private_key             = $dir/ca.key # CA private key
+new_certs_dir           = $dir/           # Certificate archive
+serial                  = $dir/ca.serial.txt # Serial number file
+crlnumber               = $dir/ca.crl.srl # CRL number file
+database                = $dir/ca.db # Index file
+unique_subject          = no                    # Require unique subject
+default_days            = 730                   # How long to certify for
+default_md              = sha1                  # MD to use
+policy                  = any_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = ca_default            # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = copy                  # Copy extensions from CSR
+x509_extensions         = client_ext             # Default cert extensions
+default_crl_days        = 7                     # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent         = match                 # Must match 'simple.org'
+organizationName        = match                 # Must match 'Simple Inc'
+organizationalUnitName  = optional              # Included if present
+commonName              = supplied              # Must be present
+
+[ any_pol ]
+domainComponent         = optional
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ client_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+
+[ server_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid
-- 
cgit v1.2.3


From 054c2a9f169c5547458a4e168855aeb4812b5797 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Fri, 13 Jan 2017 16:25:16 -0600
Subject: Updating upgrade_logging to be more idempotent

---
 roles/openshift_logging/README.md                  |  4 +++-
 roles/openshift_logging/defaults/main.yml          |  2 ++
 roles/openshift_logging/files/es_migration.sh      |  2 --
 roles/openshift_logging/tasks/install_curator.yaml | 10 ++++++----
 roles/openshift_logging/tasks/install_kibana.yaml  |  6 ++++--
 roles/openshift_logging/tasks/start_cluster.yaml   |  4 ++--
 roles/openshift_logging/tasks/upgrade_logging.yaml | 22 +++++++++++++++-------
 7 files changed, 32 insertions(+), 18 deletions(-)

(limited to 'roles/openshift_logging/files')

diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md
index 9836fc217..2cc2c48ee 100644
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -31,7 +31,7 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log
 - `openshift_logging_curator_script_log_level`: The script log level for Curator. Defaults to 'INFO'.
 - `openshift_logging_curator_log_level`: The log level for the Curator process. Defaults to 'ERROR'.
 - `openshift_logging_curator_cpu_limit`: The amount of CPU to allocate to Curator. Default is '100m'.
-- `openshift_logging_curator_memory_limit`: The amount of memor to allocate to Curator. Unset if not specified.
+- `openshift_logging_curator_memory_limit`: The amount of memory to allocate to Curator. Unset if not specified.
 
 - `openshift_logging_kibana_hostname`: The Kibana hostname. Defaults to 'kibana.example.com'.
 - `openshift_logging_kibana_cpu_limit`: The amount of CPU to allocate to Kibana or unset if not specified.
@@ -39,6 +39,7 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log
 - `openshift_logging_kibana_proxy_debug`: When "True", set the Kibana Proxy log level to DEBUG. Defaults to 'false'.
 - `openshift_logging_kibana_proxy_cpu_limit`: The amount of CPU to allocate to Kibana proxy or unset if not specified.
 - `openshift_logging_kibana_proxy_memory_limit`: The amount of memory to allocate to Kibana proxy or unset if not specified.
+- `openshift_logging_kibana_replica_count`: The number of replicas Kibana should be scaled up to. Defaults to 1.
 
 - `openshift_logging_fluentd_nodeselector`: The node selector that the Fluentd daemonset uses to determine where to deploy to. Defaults to '"logging-infra-fluentd": "true"'.
 - `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'.
@@ -84,3 +85,4 @@ same as above for their non-ops counterparts, but apply to the OPS cluster insta
 - `openshift_logging_kibana_ops_memory_limit`: The amount of memory to allocate to Kibana or unset if not specified.
 - `openshift_logging_kibana_ops_proxy_cpu_limit`: The amount of CPU to allocate to Kibana proxy or unset if not specified.
 - `openshift_logging_kibana_ops_proxy_memory_limit`: The amount of memory to allocate to Kibana proxy or unset if not specified.
+- `openshift_logging_kibana_ops_replica_count`: The number of replicas Kibana ops should be scaled up to. Defaults to 1.
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index 4eb852207..919c53787 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -25,6 +25,7 @@ openshift_logging_kibana_memory_limit: null
 openshift_logging_kibana_proxy_debug: false
 openshift_logging_kibana_proxy_cpu_limit: null
 openshift_logging_kibana_proxy_memory_limit: null
+openshift_logging_kibana_replica_count: 1
 
 openshift_logging_kibana_ops_hostname: "kibana-ops.{{openshift.common.dns_domain}}"
 openshift_logging_kibana_ops_cpu_limit: null
@@ -32,6 +33,7 @@ openshift_logging_kibana_ops_memory_limit: null
 openshift_logging_kibana_ops_proxy_debug: false
 openshift_logging_kibana_ops_proxy_cpu_limit: null
 openshift_logging_kibana_ops_proxy_memory_limit: null
+openshift_logging_kibana_ops_replica_count: 1
 
 openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'}
 openshift_logging_fluentd_cpu_limit: 100m
diff --git a/roles/openshift_logging/files/es_migration.sh b/roles/openshift_logging/files/es_migration.sh
index cca283bae..339b5a1b2 100644
--- a/roles/openshift_logging/files/es_migration.sh
+++ b/roles/openshift_logging/files/es_migration.sh
@@ -1,5 +1,3 @@
-#! bin/bash
-
 CA=${1:-/etc/openshift/logging/ca.crt}
 KEY=${2:-/etc/openshift/logging/system.admin.key}
 CERT=${3:-/etc/openshift/logging/system.admin.crt}
diff --git a/roles/openshift_logging/tasks/install_curator.yaml b/roles/openshift_logging/tasks/install_curator.yaml
index 35116ae2b..8f2825552 100644
--- a/roles/openshift_logging/tasks/install_curator.yaml
+++ b/roles/openshift_logging/tasks/install_curator.yaml
@@ -1,5 +1,6 @@
 ---
-- command: >
+- name: Check Curator current replica count
+  command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-curator
     -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: curator_replica_count
@@ -7,7 +8,8 @@
   ignore_errors: yes
   changed_when: no
 
-- command: >
+- name: Check Curator ops current replica count
+  command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-curator-ops
     -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: curator_ops_replica_count
@@ -28,7 +30,7 @@
     es_port: "{{openshift_logging_es_port}}"
     curator_cpu_limit: "{{openshift_logging_curator_cpu_limit }}"
     curator_memory_limit: "{{openshift_logging_curator_memory_limit }}"
-    replicas: "{{curator_replica_count.stdout | default (1)}}"
+    replicas: "{{curator_replica_count.stdout | default (0)}}"
   check_mode: no
   changed_when: no
 
@@ -43,7 +45,7 @@
     es_port: "{{openshift_logging_es_ops_port}}"
     curator_cpu_limit: "{{openshift_logging_curator_ops_cpu_limit }}"
     curator_memory_limit: "{{openshift_logging_curator_ops_memory_limit }}"
-    replicas: "{{curator_ops_replica_count.stdout | default (1)}}"
+    replicas: "{{curator_ops_replica_count.stdout | default (0)}}"
   when: openshift_logging_use_ops
   check_mode: no
   changed_when: no
diff --git a/roles/openshift_logging/tasks/install_kibana.yaml b/roles/openshift_logging/tasks/install_kibana.yaml
index f4ce85f97..de4b018dd 100644
--- a/roles/openshift_logging/tasks/install_kibana.yaml
+++ b/roles/openshift_logging/tasks/install_kibana.yaml
@@ -1,5 +1,6 @@
 ---
-- command: >
+- name: Check Kibana current replica count
+  command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-kibana
     -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: kibana_replica_count
@@ -7,7 +8,8 @@
   ignore_errors: yes
   changed_when: no
 
-- command: >
+- name: Check Kibana ops current replica count
+  command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-kibana-ops
     -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: kibana_ops_replica_count
diff --git a/roles/openshift_logging/tasks/start_cluster.yaml b/roles/openshift_logging/tasks/start_cluster.yaml
index 4ce6d1aa7..a96ad3f3a 100644
--- a/roles/openshift_logging/tasks/start_cluster.yaml
+++ b/roles/openshift_logging/tasks/start_cluster.yaml
@@ -39,7 +39,7 @@
 - name: start kibana
   include: scale.yaml
   vars:
-    desired: 1
+    desired: "{{ openshift_logging_kibana_replica_count | default (1) }}"
   with_items: "{{kibana_dc.stdout_lines}}"
   loop_control:
     loop_var: object
@@ -82,7 +82,7 @@
 - name: start kibana-ops
   include: scale.yaml
   vars:
-    desired: 1
+    desired: "{{ openshift_logging_kibana_ops_replica_count | default (1) }}"
   with_items: "{{kibana_dc.stdout_lines}}"
   loop_control:
     loop_var: object
diff --git a/roles/openshift_logging/tasks/upgrade_logging.yaml b/roles/openshift_logging/tasks/upgrade_logging.yaml
index 9b285a5fe..a93463239 100644
--- a/roles/openshift_logging/tasks/upgrade_logging.yaml
+++ b/roles/openshift_logging/tasks/upgrade_logging.yaml
@@ -7,7 +7,7 @@
   vars:
     start_cluster: False
 
-# ensure that ES is running
+# start ES so that we can run migrate script
 - command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
@@ -21,13 +21,21 @@
   loop_control:
     loop_var: object
 
-- copy:
-    src: es_migration.sh
-    dest: {{mktemp.stdout}}/es_migration.sh
+- command: >
+    {{ openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get pods -n {{openshift_logging_namespace}} -l component=es -o jsonpath='{.items[?(@.status.phase == "Running")].metadata.name}'
+  register: running_pod
+  until: running_pod.stdout != ''
+  retries: 30
+  delay: 10
+  changed_when: no
+  check_mode: no
 
-- name: Run upgrade scripts
-  command: >
-    sh {{mktemp.stdout}}/es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}}
+- name: Run upgrade script
+  script: es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}}
+  register: script_output
+  changed_when:
+    - script_output.rc == 0
+    - script_output.stdout.find("skipping update_for_uuid") == -1 or script_output.stdout.find("skipping update_for_common_data_model") == -1
 
 - name: Start up rest of cluster
   include: start_cluster.yaml
-- 
cgit v1.2.3


From 9cf70bb6991df874350ea0f5c97da26bb6757edb Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Fri, 13 Jan 2017 16:37:27 -0600
Subject: additional comments addressed

---
 roles/openshift_logging/files/elasticsearch.yml    | 74 ---------------------
 .../tasks/generate_configmaps.yaml                 | 13 ++--
 .../templates/elasticsearch.yml.j2                 | 75 ++++++++++++++++++++++
 3 files changed, 79 insertions(+), 83 deletions(-)
 delete mode 100644 roles/openshift_logging/files/elasticsearch.yml
 create mode 100644 roles/openshift_logging/templates/elasticsearch.yml.j2

(limited to 'roles/openshift_logging/files')

diff --git a/roles/openshift_logging/files/elasticsearch.yml b/roles/openshift_logging/files/elasticsearch.yml
deleted file mode 100644
index 4eff30e61..000000000
--- a/roles/openshift_logging/files/elasticsearch.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-cluster:
-  name: ${CLUSTER_NAME}
-
-script:
-  inline: on
-  indexed: on
-
-index:
-  number_of_shards: 1
-  number_of_replicas: 0
-  auto_expand_replicas: 0-3
-  unassigned.node_left.delayed_timeout: 2m
-  translog:
-    flush_threshold_size: 256mb
-    flush_threshold_period: 5m
-
-node:
-  master: true
-  data: true
-
-network:
-  host: 0.0.0.0
-
-cloud:
-  kubernetes:
-    service: ${SERVICE_DNS}
-    namespace: ${NAMESPACE}
-
-discovery:
-  type: kubernetes
-  zen.ping.multicast.enabled: false
-
-gateway:
-  expected_master_nodes: ${NODE_QUORUM}
-  recover_after_nodes: ${RECOVER_AFTER_NODES}
-  expected_nodes: ${RECOVER_EXPECTED_NODES}
-  recover_after_time: ${RECOVER_AFTER_TIME}
-
-io.fabric8.elasticsearch.authentication.users: ["system.logging.kibana", "system.logging.fluentd", "system.logging.curator", "system.admin"]
-
-openshift.searchguard:
-  keystore.path: /etc/elasticsearch/secret/admin.jks
-  truststore.path: /etc/elasticsearch/secret/searchguard.truststore
-
-
-path:
-  data: /elasticsearch/persistent/${CLUSTER_NAME}/data
-  logs: /elasticsearch/${CLUSTER_NAME}/logs
-  work: /elasticsearch/${CLUSTER_NAME}/work
-  scripts: /elasticsearch/${CLUSTER_NAME}/scripts
-
-searchguard:
-  authcz.admin_dn:
-  - CN=system.admin,OU=OpenShift,O=Logging
-  config_index_name: ".searchguard.${HOSTNAME}"
-  ssl:
-    transport:
-      enabled: true
-      enforce_hostname_verification: false
-      keystore_type: JKS
-      keystore_filepath: /etc/elasticsearch/secret/searchguard.key
-      keystore_password: kspass
-      truststore_type: JKS
-      truststore_filepath: /etc/elasticsearch/secret/searchguard.truststore
-      truststore_password: tspass
-    http:
-      enabled: true
-      keystore_type: JKS
-      keystore_filepath: /etc/elasticsearch/secret/key
-      keystore_password: kspass
-      clientauth_mode: OPTIONAL
-      truststore_type: JKS
-      truststore_filepath: /etc/elasticsearch/secret/truststore
-      truststore_password: tspass
diff --git a/roles/openshift_logging/tasks/generate_configmaps.yaml b/roles/openshift_logging/tasks/generate_configmaps.yaml
index f9f9ee79f..b24a7c342 100644
--- a/roles/openshift_logging/tasks/generate_configmaps.yaml
+++ b/roles/openshift_logging/tasks/generate_configmaps.yaml
@@ -6,16 +6,11 @@
       when: es_logging_contents is undefined
       changed_when: no
 
-    - copy:
-        src: elasticsearch.yml
-        dest: "{{mktemp.stdout}}/elasticsearch.yml"
-      when: es_config_contents is undefined
-      changed_when: no
-
-    - lineinfile:
+    - template:
+        src: elasticsearch.yml.j2
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
-        regexp: '^openshift\.operations\.allow_cluster_reader(.)*$'
-        line: "\nopenshift.operations.allow_cluster_reader: {{openshift_logging_es_ops_allow_cluster_reader | lower}}"
+      vars:
+        - allow_cluster_reader: "{{openshift_logging_es_ops_allow_cluster_reader | lower | default('false')}}"
       when: es_config_contents is undefined
       changed_when: no
 
diff --git a/roles/openshift_logging/templates/elasticsearch.yml.j2 b/roles/openshift_logging/templates/elasticsearch.yml.j2
new file mode 100644
index 000000000..dad78b844
--- /dev/null
+++ b/roles/openshift_logging/templates/elasticsearch.yml.j2
@@ -0,0 +1,75 @@
+cluster:
+  name: ${CLUSTER_NAME}
+
+script:
+  inline: on
+  indexed: on
+
+index:
+  number_of_shards: 1
+  number_of_replicas: 0
+  auto_expand_replicas: 0-3
+  unassigned.node_left.delayed_timeout: 2m
+  translog:
+    flush_threshold_size: 256mb
+    flush_threshold_period: 5m
+
+node:
+  master: true
+  data: true
+
+network:
+  host: 0.0.0.0
+
+cloud:
+  kubernetes:
+    service: ${SERVICE_DNS}
+    namespace: ${NAMESPACE}
+
+discovery:
+  type: kubernetes
+  zen.ping.multicast.enabled: false
+
+gateway:
+  expected_master_nodes: ${NODE_QUORUM}
+  recover_after_nodes: ${RECOVER_AFTER_NODES}
+  expected_nodes: ${RECOVER_EXPECTED_NODES}
+  recover_after_time: ${RECOVER_AFTER_TIME}
+
+io.fabric8.elasticsearch.authentication.users: ["system.logging.kibana", "system.logging.fluentd", "system.logging.curator", "system.admin"]
+
+openshift.searchguard:
+  keystore.path: /etc/elasticsearch/secret/admin.jks
+  truststore.path: /etc/elasticsearch/secret/searchguard.truststore
+
+openshift.operations.allow_cluster_reader: {{allow_cluster_reader | default ('false')}}
+
+path:
+  data: /elasticsearch/persistent/${CLUSTER_NAME}/data
+  logs: /elasticsearch/${CLUSTER_NAME}/logs
+  work: /elasticsearch/${CLUSTER_NAME}/work
+  scripts: /elasticsearch/${CLUSTER_NAME}/scripts
+
+searchguard:
+  authcz.admin_dn:
+  - CN=system.admin,OU=OpenShift,O=Logging
+  config_index_name: ".searchguard.${HOSTNAME}"
+  ssl:
+    transport:
+      enabled: true
+      enforce_hostname_verification: false
+      keystore_type: JKS
+      keystore_filepath: /etc/elasticsearch/secret/searchguard.key
+      keystore_password: kspass
+      truststore_type: JKS
+      truststore_filepath: /etc/elasticsearch/secret/searchguard.truststore
+      truststore_password: tspass
+    http:
+      enabled: true
+      keystore_type: JKS
+      keystore_filepath: /etc/elasticsearch/secret/key
+      keystore_password: kspass
+      clientauth_mode: OPTIONAL
+      truststore_type: JKS
+      truststore_filepath: /etc/elasticsearch/secret/truststore
+      truststore_password: tspass
-- 
cgit v1.2.3