From b579a4acfa64f85119ffbcbb8f6701972ef0dbb6 Mon Sep 17 00:00:00 2001 
From: ewolinetz Date: Wed, 28 Sep 2016 10:52:07 -0500 Subject: Creating openshift_logging role for deploying Aggregated Logging without a deployer image --- roles/openshift_logging/templates/clusterrole.j2 | 21 +++ .../templates/clusterrolebinding.j2 | 24 ++++ roles/openshift_logging/templates/curator.j2 | 97 ++++++++++++++ roles/openshift_logging/templates/es.j2 | 105 +++++++++++++++ roles/openshift_logging/templates/fluentd.j2 | 149 +++++++++++++++++++++ roles/openshift_logging/templates/job.j2 | 26 ++++ roles/openshift_logging/templates/kibana.j2 | 110 +++++++++++++++ roles/openshift_logging/templates/oauth-client.j2 | 15 +++ roles/openshift_logging/templates/pvc.j2 | 27 ++++ roles/openshift_logging/templates/rolebinding.j2 | 14 ++ .../openshift_logging/templates/route_reencrypt.j2 | 25 ++++ roles/openshift_logging/templates/secret.j2 | 9 ++ roles/openshift_logging/templates/service.j2 | 28 ++++ .../openshift_logging/templates/serviceaccount.j2 | 16 +++ 14 files changed, 666 insertions(+) create mode 100644 roles/openshift_logging/templates/clusterrole.j2 create mode 100644 roles/openshift_logging/templates/clusterrolebinding.j2 create mode 100644 roles/openshift_logging/templates/curator.j2 create mode 100644 roles/openshift_logging/templates/es.j2 create mode 100644 roles/openshift_logging/templates/fluentd.j2 create mode 100644 roles/openshift_logging/templates/job.j2 create mode 100644 roles/openshift_logging/templates/kibana.j2 create mode 100644 roles/openshift_logging/templates/oauth-client.j2 create mode 100644 roles/openshift_logging/templates/pvc.j2 create mode 100644 roles/openshift_logging/templates/rolebinding.j2 create mode 100644 roles/openshift_logging/templates/route_reencrypt.j2 create mode 100644 roles/openshift_logging/templates/secret.j2 create mode 100644 roles/openshift_logging/templates/service.j2 create mode 100644 roles/openshift_logging/templates/serviceaccount.j2 (limited to 'roles/openshift_logging/templates') 
diff --git a/roles/openshift_logging/templates/clusterrole.j2 b/roles/openshift_logging/templates/clusterrole.j2
new file mode 100644
index 000000000..0d28db48e
--- /dev/null
+++ b/roles/openshift_logging/templates/clusterrole.j2
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ClusterRole
+metadata:
+ name: {{obj_name}}
+rules:
+{% for rule in rules %}
+- resources:
+{% for kind in rule.resources %}
+ - {{ kind }}
+{% endfor %}
+ apiGroups:
+{% if rule.api_groups is defined %}
+{% for group in rule.api_groups %}
+ - {{ group }}
+{% endfor %}
+{% endif %}
+ verbs:
+{% for verb in rule.verbs %}
+ - {{ verb }}
+{% endfor %}
+{% endfor %}
diff --git a/roles/openshift_logging/templates/clusterrolebinding.j2 b/roles/openshift_logging/templates/clusterrolebinding.j2
new file mode 100644
index 000000000..2d25ff1fb
--- /dev/null
+++ b/roles/openshift_logging/templates/clusterrolebinding.j2
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{obj_name}}
+{% if crb_usernames is defined %}
+userNames:
+{% for name in crb_usernames %}
+ - {{ name }}
+{% endfor %}
+{% endif %}
+{% if crb_groupnames is defined %}
+groupNames:
+{% for name in crb_groupnames %}
+ - {{ name }}
+{% endfor %}
+{% endif %}
+subjects:
+{% for sub in subjects %}
+ - kind: {{ sub.kind }}
+ name: {{ sub.name }}
+ namespace: {{sub.namespace}}
+{% endfor %}
+roleRef:
+ name: {{obj_name}}
diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2
new file mode 100644
index 000000000..3ffb48bfb
--- /dev/null
+++ b/roles/openshift_logging/templates/curator.j2
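Review bot: In clusterrole.j2 the `apiGroups:` key is emitted unconditionally while its items are guarded by `{% if rule.api_groups is defined %}`, so a rule passed without `api_groups` renders an empty `apiGroups:` that YAML reads as null rather than as the core group; whether the API server treats that the same as `[""]` should be confirmed, or the key moved inside the `if`. This template is the role's whole cluster-scoped RBAC surface, so a header comment stating the expected shape of `rules` would help callers keep grants minimal, e.g. `{# rules: list of {resources: [...], verbs: [...], api_groups: [...] (optional)} #}`.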
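Review bot: In clusterrolebinding.j2 `roleRef:` carries only `name: {{obj_name}}`, so a binding can only ever point at a cluster role with the same name as the binding itself and the role's `kind` is left to the server default; a separate variable defaulting to `obj_name` plus an optional `kind` line, as rolebinding.j2 already does, would make the grant explicit. `namespace: {{sub.namespace}}` is rendered for every subject without a guard, unlike the `userNames`/`groupNames` blocks, so a User or Group subject with no namespace either fails the template on an undefined variable or emits an empty value depending on the Ansible undefined-variable setting; wrapping that line in `{% if sub.namespace is defined %}` matches the rest of the template.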
@@ -0,0 +1,97 @@ +apiVersion: "v1" +kind: "DeploymentConfig" +metadata: + name: "{{deploy_name}}" + labels: + provider: openshift + component: "{{component}}" + logging-infra: "{{logging_component}}" +spec: + replicas: 0 + selector: + provider: openshift + component: "{{component}}" + logging-infra: "{{logging_component}}" + strategy: + rollingParams: + intervalSeconds: 1 + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Recreate + template: + metadata: + name: "{{deploy_name}}" + labels: + logging-infra: "{{logging_component}}" + provider: openshift + component: "{{component}}" + spec: + terminationGracePeriod: 600 + serviceAccountName: aggregated-logging-curator + containers: + - + name: "curator" + image: {{image}} + imagePullPolicy: Always + resources: + limits: + cpu: "{{curator_cpu_limit}}" +{% if curator_memory_limit is defined and curator_memory_limit is not none %} + memory: "{{curator_memory_limit}}" +{% endif %} + env: + - + name: "K8S_HOST_URL" + value: "{{master_url}}" + - + name: "ES_HOST" + value: "{{es_host}}" + - + name: "ES_PORT" + value: "{{es_port}}" + - + name: "ES_CLIENT_CERT" + value: "/etc/curator/keys/cert" + - + name: "ES_CLIENT_KEY" + value: "/etc/curator/keys/key" + - + name: "ES_CA" + value: "/etc/curator/keys/ca" + - + name: "CURATOR_DEFAULT_DAYS" + value: "{{openshift_logging_curator_default_days}}" + - + name: "CURATOR_RUN_HOUR" + value: "{{openshift_logging_curator_run_hour}}" + - + name: "CURATOR_RUN_MINUTE" + value: "{{openshift_logging_curator_run_minute}}" + - + name: "CURATOR_RUN_TIMEZONE" + value: "{{openshift_logging_curator_run_timezone}}" + - + name: "CURATOR_SCRIPT_LOG_LEVEL" + value: "{{openshift_logging_curator_script_log_level}}" + - + name: "CURATOR_LOG_LEVEL" + value: "{{openshift_logging_curator_log_level}}" + volumeMounts: + - name: certs + mountPath: /etc/curator/keys + readOnly: true + - name: config + mountPath: /usr/curator/settings + readOnly: true + - name: elasticsearch-storage + mountPath: 
/elasticsearch/persistent + readOnly: true + volumes: + - name: certs + secret: + secretName: logging-curator + - name: config + configMap: + name: logging-curator + - name: elasticsearch-storage + emptyDir: {} diff --git a/roles/openshift_logging/templates/es.j2 b/roles/openshift_logging/templates/es.j2 new file mode 100644 index 000000000..e5d415f81 --- /dev/null +++ b/roles/openshift_logging/templates/es.j2 
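Review bot: `terminationGracePeriod: 600` under the pod `spec` is not the PodSpec field name, which is `terminationGracePeriodSeconds`; as written the key is most likely dropped on create and the default grace period applies, so the line should read `terminationGracePeriodSeconds: 600`. The same line appears in es.j2 in this series. Separately, the curator pod mounts an `elasticsearch-storage` emptyDir at `/elasticsearch/persistent` that nothing in the container's environment refers to; if the image does not need it, dropping the volume and mount keeps the pod spec minimal.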
@@ -0,0 +1,105 @@ +apiVersion: "v1" +kind: "DeploymentConfig" +metadata: + name: "{{deploy_name}}" + labels: + provider: openshift + component: "{{component}}" + deployment: "{{deploy_name}}" + logging-infra: "{{logging_component}}" +spec: + replicas: 0 + selector: + provider: openshift + component: "{{component}}" + deployment: "{{deploy_name}}" + logging-infra: "{{logging_component}}" + strategy: + type: Recreate + template: + metadata: + name: "{{deploy_name}}" + labels: + logging-infra: "{{logging_component}}" + provider: openshift + component: "{{component}}" + deployment: "{{deploy_name}}" + spec: + terminationGracePeriod: 600 + serviceAccountName: aggregated-logging-elasticsearch + securityContext: + supplementalGroups: + - {{openshift_logging_es_storage_group}} + containers: + - + name: "elasticsearch" + image: {{image}} + imagePullPolicy: Always + resources: + limits: + memory: "{{es_memory_limit}}" +{% if es_cpu_limit is defined and es_cpu_limit is not none %} + cpu: "{{es_cpu_limit}}" +{% endif %} + requests: + memory: "512Mi" + ports: + - + containerPort: 9200 + name: "restapi" + - + containerPort: 9300 + name: "cluster" + env: + - + name: "NAMESPACE" + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - + name: "KUBERNETES_TRUST_CERT" + value: "true" + - + name: "SERVICE_DNS" + value: "logging-{{es_cluster_name}}-cluster" + - + name: "CLUSTER_NAME" + value: "logging-{{es_cluster_name}}" + - + name: "INSTANCE_RAM" + value: "{{openshift_logging_es_memory_limit}}" + - + name: "NODE_QUORUM" + value: "{{es_node_quorum | int}}" + - + name: "RECOVER_AFTER_NODES" + value: "{{es_recover_after_nodes}}" + - + name: "RECOVER_EXPECTED_NODES" + value: "{{es_recover_expected_nodes}}" + - + name: "RECOVER_AFTER_TIME" + value: "{{openshift_logging_es_recover_after_time}}" + volumeMounts: + - name: elasticsearch + mountPath: /etc/elasticsearch/secret + readOnly: true + - name: elasticsearch-config + mountPath: /usr/share/java/elasticsearch/config + readOnly: true 
+ - name: elasticsearch-storage + mountPath: /elasticsearch/persistent + volumes: + - name: elasticsearch + secret: + secretName: logging-elasticsearch + - name: elasticsearch-config + configMap: + name: logging-elasticsearch + - name: elasticsearch-storage +{% if pvc_claim is defined and pvc_claim | trim | length > 0 %} + persistentVolumeClaim: + claimName: {{pvc_claim}} +{% else %} + emptyDir: {} +{% endif %} diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2 new file mode 100644 index 000000000..a09b582a2 --- /dev/null +++ b/roles/openshift_logging/templates/fluentd.j2 
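Review bot: The container memory limit is rendered from `es_memory_limit` while `INSTANCE_RAM` is rendered from `openshift_logging_es_memory_limit`, so the two diverge as soon as a caller overrides only one of them; since `INSTANCE_RAM` presumably drives heap sizing inside the image, both should come from the same variable, e.g. `value: "{{es_memory_limit}}"`. `requests: memory: "512Mi"` is hard-coded while the limit is templated; a variable with a 512Mi default would keep requests and limits under the same control. The `pvc_claim is defined and pvc_claim | trim | length > 0` guard is a good pattern and worth reusing in the other templates that test only `is defined`.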
@@ -0,0 +1,149 @@ +apiVersion: extensions/v1beta1 +kind: "DaemonSet" +metadata: + name: "{{daemonset_name}}" + labels: + provider: openshift + component: "{{daemonset_component}}" + logging-infra: "{{daemonset_component}}" +spec: + selector: + matchLabels: + provider: openshift + component: "{{daemonset_component}}" + updateStrategy: + type: RollingUpdate + rollingUpdate: + minReadySeconds: 600 + template: + metadata: + name: "{{daemonset_container_name}}" + labels: + logging-infra: "{{daemonset_component}}" + provider: openshift + component: "{{daemonset_component}}" + spec: + serviceAccountName: "{{daemonset_serviceAccount}}" + nodeSelector: + {{openshift_logging_fluentd_nodeselector}} + containers: + - name: "{{daemonset_container_name}}" + image: "{{openshift_logging_image_prefix}}{{daemonset_name}}:{{openshift_logging_image_version}}" + imagePullPolicy: Always + securityContext: + privileged: true + resources: + limits: + cpu: {{openshift_logging_fluentd_cpu_limit}} + memory: {{openshift_logging_fluentd_memory_limit}} + volumeMounts: + - name: runlogjournal + mountPath: /run/log/journal + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + - name: config + mountPath: /etc/fluent/configs.d/user + readOnly: true + - name: certs + mountPath: /etc/fluent/keys + readOnly: true + - name: dockerhostname + mountPath: /etc/docker-hostname + readOnly: true + - name: localtime + mountPath: /etc/localtime + readOnly: true + - name: dockercfg + mountPath: /etc/sysconfig/docker + readOnly: true + env: + - name: "K8S_HOST_URL" + value: "{{master_url}}" + - name: "ES_HOST" + value: "{{openshift_logging_es_host}}" + - name: "ES_PORT" + value: "{{openshift_logging_es_port}}" + - name: "ES_CLIENT_CERT" + value: "{{openshift_logging_es_client_cert}}" + - name: "ES_CLIENT_KEY" + value: "{{openshift_logging_es_client_key}}" + - name: "ES_CA" + value: "{{openshift_logging_es_ca}}" + - name: "OPS_HOST" + 
value: "{{ops_host}}" + - name: "OPS_PORT" + value: "{{ops_port}}" + - name: "OPS_CLIENT_CERT" + value: "{{openshift_logging_es_ops_client_cert}}" + - name: "OPS_CLIENT_KEY" + value: "{{openshift_logging_es_ops_client_key}}" + - name: "OPS_CA" + value: "{{openshift_logging_es_ops_ca}}" + - name: "ES_COPY" + value: "{{openshift_logging_fluentd_es_copy|lower}}" + - name: "ES_COPY_HOST" + value: "{{es_copy_host | default('')}}" + - name: "ES_COPY_PORT" + value: "{{es_copy_port | default('')}}" + - name: "ES_COPY_SCHEME" + value: "{{es_copy_scheme | default('https')}}" + - name: "ES_COPY_CLIENT_CERT" + value: "{{es_copy_client_cert | default('')}}" + - name: "ES_COPY_CLIENT_KEY" + value: "{{es_copy_client_key | default('')}}" + - name: "ES_COPY_CA" + value: "{{es_copy_ca | default('')}}" + - name: "ES_COPY_USERNAME" + value: "{{es_copy_username | default('')}}" + - name: "ES_COPY_PASSWORD" + value: "{{es_copy_password | default('')}}" + - name: "OPS_COPY_HOST" + value: "{{ops_copy_host | default('')}}" + - name: "OPS_COPY_PORT" + value: "{{ops_copy_port | default('')}}" + - name: "OPS_COPY_SCHEME" + value: "{{ops_copy_scheme | default('https')}}" + - name: "OPS_COPY_CLIENT_CERT" + value: "{{ops_copy_client_cert | default('')}}" + - name: "OPS_COPY_CLIENT_KEY" + value: "{{ops_copy_client_key | default('')}}" + - name: "OPS_COPY_CA" + value: "{{ops_copy_ca | default('')}}" + - name: "OPS_COPY_USERNAME" + value: "{{ops_copy_username | default('')}}" + - name: "OPS_COPY_PASSWORD" + value: "{{ops_copy_password | default('')}}" + - name: "USE_JOURNAL" + value: "{{openshift_logging_fluentd_use_journal|lower}}" + - name: "JOURNAL_SOURCE" + value: "{{fluentd_journal_source | default('')}}" + - name: "JOURNAL_READ_FROM_HEAD" + value: "{{openshift_logging_fluentd_journal_read_from_head|lower}}" + volumes: + - name: runlogjournal + hostPath: + path: /run/log/journal + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: 
/var/lib/docker/containers + - name: config + configMap: + name: logging-fluentd + - name: certs + secret: + secretName: logging-fluentd + - name: dockerhostname + hostPath: + path: /etc/hostname + - name: localtime + hostPath: + path: /etc/localtime + - name: dockercfg + hostPath: + path: /etc/sysconfig/docker diff --git a/roles/openshift_logging/templates/job.j2 b/roles/openshift_logging/templates/job.j2 new file mode 100644 index 000000000..d7794a407 --- /dev/null +++ b/roles/openshift_logging/templates/job.j2 @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + logging-infra: support + generateName: jks-cert-gen- +spec: + containers: + - name: jks-cert-gen + image: {{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}} + imagePullPolicy: Always + command: ["sh", "generate-jks.sh"] + securityContext: + privileged: true + volumeMounts: + - mountPath: /opt/deploy + name: certmount + env: + - name: PROJECT + value: {{openshift_logging_namespace}} + restartPolicy: Never + serviceAccount: aggregated-logging-fluentd + volumes: + - hostPath: + path: "{{generated_certs_dir}}" + name: certmount diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2 new file mode 100644 index 000000000..ca3d727bf --- /dev/null +++ b/roles/openshift_logging/templates/kibana.j2 
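Review bot: `ES_COPY_PASSWORD` and `OPS_COPY_PASSWORD` are injected as plain `value:` entries, so the credentials are stored in the DaemonSet object, readable by anyone who can view the DaemonSet or pod spec, and appear in Ansible output when the template is rendered. Sourcing them from a Secret with `valueFrom: secretKeyRef: {name: <secret-name>, key: <key>}` (the role would need to create that secret) keeps them out of the spec; if that is out of scope for this series, `no_log: true` on the task that renders this template is the minimum. The `/var/log` and `/run/log/journal` hostPath mounts are writable while `/var/lib/docker/containers` is `readOnly: true`; if the collector only needs write access for its position files, confining that to a dedicated path would narrow what this privileged container can modify on the host.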
@@ -0,0 +1,110 @@ +apiVersion: "v1" +kind: "DeploymentConfig" +metadata: + name: "{{deploy_name}}" + labels: + provider: openshift + component: "{{component}}" + logging-infra: "{{logging_component}}" +spec: + replicas: 0 + selector: + provider: openshift + component: "{{component}}" + logging-infra: "{{logging_component}}" + strategy: + rollingParams: + intervalSeconds: 1 + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + name: "{{deploy_name}}" + labels: + logging-infra: "{{logging_component}}" + provider: openshift + component: "{{component}}" + spec: + serviceAccountName: aggregated-logging-kibana + containers: + - + name: "kibana" + image: {{image}} + imagePullPolicy: Always +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none) or (kibana_cpu_limit is defined and kibana_cpu_limit is not none) %} + resources: + limits: +{% if kibana_cpu_limit is not none %} + cpu: "{{kibana_cpu_limit}}" +{% endif %} +{% if kibana_memory_limit is not none %} + memory: "{{kibana_memory_limit}}" +{% endif %} +{% endif %} + env: + - name: "ES_HOST" + value: "{{es_host}}" + - name: "ES_PORT" + value: "{{es_port}}" + volumeMounts: + - name: kibana + mountPath: /etc/kibana/keys + readOnly: true + - + name: "kibana-proxy" + image: {{proxy_image}} + imagePullPolicy: Always +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none) or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none) %} + resources: + limits: +{% if kibana_proxy_cpu_limit is not none %} + cpu: "{{kibana_proxy_cpu_limit}}" +{% endif %} +{% if kibana_proxy_memory_limit is not none %} + memory: "{{kibana_proxy_memory_limit}}" +{% endif %} +{% endif %} + ports: + - + name: "oaproxy" + containerPort: 3000 + env: + - + name: "OAP_BACKEND_URL" + value: "http://localhost:5601" + - + name: "OAP_AUTH_MODE" + value: "oauth2" + - + name: "OAP_TRANSFORM" + value: "user_header,token_header" + - + name: "OAP_OAUTH_ID" + 
value: kibana-proxy + - + name: "OAP_MASTER_URL" + value: {{master_url}} + - + name: "OAP_PUBLIC_MASTER_URL" + value: {{public_master_url}} + - + name: "OAP_LOGOUT_REDIRECT" + value: {{public_master_url}}/console/logout + - + name: "OAP_MASTER_CA_FILE" + value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + - + name: "OAP_DEBUG" + value: "{{openshift_logging_kibana_proxy_debug}}" + volumeMounts: + - name: kibana-proxy + mountPath: /secret + readOnly: true + volumes: + - name: kibana + secret: + secretName: logging-kibana + - name: kibana-proxy + secret: + secretName: logging-kibana-proxy diff --git a/roles/openshift_logging/templates/oauth-client.j2 b/roles/openshift_logging/templates/oauth-client.j2 new file mode 100644 index 000000000..41d3123cb --- /dev/null +++ b/roles/openshift_logging/templates/oauth-client.j2 @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: OAuthClient +metadata: + name: kibana-proxy + labels: + logging-infra: support +secret: {{secret}} +redirectURIs: +- https://{{openshift_logging_kibana_hostname}} +- https://{{openshift_logging_kibana_ops_hostname}} +scopeRestrictions: +- literals: + - user:info + - user:check-access + - user:list-projects diff --git a/roles/openshift_logging/templates/pvc.j2 b/roles/openshift_logging/templates/pvc.j2 new file mode 100644 index 000000000..f19a3a750 --- /dev/null +++ b/roles/openshift_logging/templates/pvc.j2 @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{obj_name}} + labels: + logging-infra: support +{% if annotations is defined %} + annotations: +{% for key,value in annotations.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +spec: +{% if pv_selector is defined and pv_selector is mapping %} + selector: + matchLabels: +{% for key,value in pv_selector.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} + accessModes: +{% for mode in access_modes %} + - {{ mode }} +{% endfor %} + resources: + requests: + storage: {{size}} 
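Review bot: Inside the `resources` guard the inner checks test only `kibana_cpu_limit is not none` and `kibana_memory_limit is not none`, but the outer `if` only requires one of the two to be defined, so when only the memory limit is set the undefined `kibana_cpu_limit` still passes `is not none` and `{{kibana_cpu_limit}}` is rendered, which fails under Ansible's default undefined-variable handling. The inner conditions should mirror the outer one, `{% if kibana_cpu_limit is defined and kibana_cpu_limit is not none %}` and likewise for memory; the same pattern repeats in the `kibana-proxy` container's `kibana_proxy_*` block. `OAP_MASTER_URL`, `OAP_PUBLIC_MASTER_URL` and `OAP_LOGOUT_REDIRECT` are rendered unquoted while every neighbouring value is quoted; quoting them avoids a URL with YAML indicator characters breaking the document.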
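Review bot: In oauth-client.j2 `secret: {{secret}}` is rendered unquoted, so a generated secret that happens to look like a number or begins with a YAML indicator character is parsed as something other than the intended string; it should be `secret: "{{secret}}"`. Both `redirectURIs` are emitted unconditionally, so when the ops Kibana is not deployed the client still registers `https://` plus whatever `openshift_logging_kibana_ops_hostname` holds as an allowed redirect; guarding the second entry on that variable being set keeps the redirect list to hosts that actually exist, which is the main control an OAuth client has over where a login is sent back to.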
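Review bot: In pvc.j2 `annotations.iteritems()` and `pv_selector.iteritems()` are Python 2 only; under a Python 3 Ansible/Jinja they raise an undefined-attribute error, while `.items()` works on both, so `{% for key,value in annotations.iteritems() %}` should become `{% for key,value in annotations.items() %}` and likewise for `pv_selector`. The same call appears in route_reencrypt.j2, service.j2 and serviceaccount.j2 in this series.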
diff --git a/roles/openshift_logging/templates/rolebinding.j2 b/roles/openshift_logging/templates/rolebinding.j2
new file mode 100644
index 000000000..fcd4e87cc
--- /dev/null
+++ b/roles/openshift_logging/templates/rolebinding.j2
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: RoleBinding
+metadata:
+ name: {{obj_name}}
+roleRef:
+{% if roleRef.kind is defined %}
+ kind: {{ roleRef.kind }}
+{% endif %}
+ name: {{ roleRef.name }}
+subjects:
+{% for sub in subjects %}
+ - kind: {{ sub.kind }}
+ name: {{ sub.name }}
+{% endfor %}
diff --git a/roles/openshift_logging/templates/route_reencrypt.j2 b/roles/openshift_logging/templates/route_reencrypt.j2
new file mode 100644
index 000000000..8be30a2c4
--- /dev/null
+++ b/roles/openshift_logging/templates/route_reencrypt.j2
@@ -0,0 +1,25 @@
+apiVersion: "v1"
+kind: "Route"
+metadata:
+ name: "{{obj_name}}"
+{% if labels is defined%}
+ labels:
+{% for key, value in labels.iteritems() %}
+ {{key}}: {{value}}
+{% endfor %}
+{% endif %}
+spec:
+ host: {{ route_host }}
+ tls:
+ caCertificate: |
+{% for line in tls_ca_cert.split('\n') %}
+ {{ line }}
+{% endfor %}
+ destinationCACertificate: |
+{% for line in tls_dest_ca_cert.split('\n') %}
+ {{ line }}
+{% endfor %}
+ termination: reencrypt
+ to:
+ kind: Service
+ name: {{ service_name }}
diff --git a/roles/openshift_logging/templates/secret.j2 b/roles/openshift_logging/templates/secret.j2
new file mode 100644
index 000000000..d73bae9c4
--- /dev/null
+++ b/roles/openshift_logging/templates/secret.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{secret_name}}
+type: Opaque
+data:
+{% for s in secrets %}
+ {{s.key}}: {{s.value | b64encode}}
+{% endfor %}
diff --git a/roles/openshift_logging/templates/service.j2 b/roles/openshift_logging/templates/service.j2
new file mode 100644
index 000000000..6c4ec0c76
--- /dev/null
+++ b/roles/openshift_logging/templates/service.j2
@@ -0,0 +1,28 @@ +apiVersion: "v1" +kind: "Service" +metadata: + name: "{{obj_name}}" +{% if labels is defined%} + labels: +{% for key, value in labels.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +spec: + ports: +{% for port in ports %} + - +{% for key, value in port.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% if port.targetPort is undefined %} + clusterIP: "None" +{% endif %} +{% endfor %} +{% if service_targetPort is defined %} + targetPort: {{service_targetPort}} +{% endif %} + selector: + {% for key, value in selector.iteritems() %} + {{key}}: {{value}} + {% endfor %} diff --git a/roles/openshift_logging/templates/serviceaccount.j2 b/roles/openshift_logging/templates/serviceaccount.j2 new file mode 100644 index 000000000..b22acc594 --- /dev/null +++ b/roles/openshift_logging/templates/serviceaccount.j2 @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{obj_name}} +{% if labels is defined%} + labels: +{% for key, value in labels.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +{% if secrets is defined %} +secrets: +{% for name in secrets %} +- name: {{ name }} +{% endfor %} +{% endif %} -- cgit v1.2.3 From f79c819387b93af7b32a09b60652195f850d0574 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Wed, 14 Dec 2016 16:34:55 -0600 Subject: Updating to use deployer pod to generate JKS chain instead --- roles/openshift_logging/templates/jks_pod.j2 | 28 ++++++++++++++++++++++++++++ roles/openshift_logging/templates/job.j2 | 26 -------------------------- 2 files changed, 28 insertions(+), 26 deletions(-) create mode 100644 roles/openshift_logging/templates/jks_pod.j2 delete mode 100644 roles/openshift_logging/templates/job.j2 (limited to 'roles/openshift_logging/templates') diff --git a/roles/openshift_logging/templates/jks_pod.j2 b/roles/openshift_logging/templates/jks_pod.j2 new file mode 100644 index 000000000..8b1c74211 --- /dev/null +++ b/roles/openshift_logging/templates/jks_pod.j2 
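Review bot: In service.j2 `clusterIP: "None"` is emitted inside the `{% for port in ports %}` loop, guarded by `port.targetPort is undefined`, so it is written once per port that lacks a targetPort (a duplicate `clusterIP` key with two such ports) and in the middle of the `ports` list rather than once under `spec`; indentation is lost in this rendering of the diff, but the placement alone argues for hoisting it out of the loop behind a single check, e.g. `{% if ports | selectattr('targetPort', 'undefined') | list | length > 0 %}`. `targetPort: {{service_targetPort}}` is likewise rendered at `spec` level, where Service has no such field; it belongs on an individual port entry. The `{% for %}`/`{% endfor %}` tags under `selector:` appear to be indented while every other tag in the series sits at column 0; with `trim_blocks` the leading spaces survive into the output, which seems to be why this renders, but matching the other templates avoids relying on that.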
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + logging-infra: support + generateName: jks-cert-gen- +spec: + containers: + - name: jks-cert-gen + image: {{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}} + imagePullPolicy: Always + command: ["sh", "{{generated_certs_dir}}/generate-jks.sh"] + securityContext: + privileged: true + volumeMounts: + - mountPath: {{generated_certs_dir}} + name: certmount + env: + - name: PROJECT + value: {{openshift_logging_namespace}} + - name: CERT_DIR + value: {{generated_certs_dir}} + restartPolicy: Never + serviceAccount: jks-generator + volumes: + - hostPath: + path: "{{generated_certs_dir}}" + name: certmount diff --git a/roles/openshift_logging/templates/job.j2 b/roles/openshift_logging/templates/job.j2 deleted file mode 100644 index d7794a407..000000000 --- a/roles/openshift_logging/templates/job.j2 +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - logging-infra: support - generateName: jks-cert-gen- -spec: - containers: - - name: jks-cert-gen - image: {{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}} - imagePullPolicy: Always - command: ["sh", "generate-jks.sh"] - securityContext: - privileged: true - volumeMounts: - - mountPath: /opt/deploy - name: certmount - env: - - name: PROJECT - value: {{openshift_logging_namespace}} - restartPolicy: Never - serviceAccount: aggregated-logging-fluentd - volumes: - - hostPath: - path: "{{generated_certs_dir}}" - name: certmount -- cgit v1.2.3 From 06c111d22641ba5cc2dbbe0144d9d6722d94f159 Mon Sep 17 00:00:00 2001 
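Review bot: The pod mounts `{{generated_certs_dir}}` from the host and runs `sh {{generated_certs_dir}}/generate-jks.sh` from that mount, but nothing pins it to a node (no `nodeName` or `nodeSelector`), so on a multi-node cluster it can land where that directory is empty, the script is missing, and any keystores it does write end up on a different host than the one the role reads them back from; presumably the playbook handles placement, but a `nodeName` set to the host that generated the certificates would make the template self-contained. `privileged: true` together with a writable hostPath gives the deployer image full access to that node; if keystore generation only needs to write into the mounted directory, dropping `privileged` and relying on the dedicated `jks-generator` service account reduces what a compromised or buggy image can touch. The function of this pod spans the whole hunk; the job.j2 it replaces is deleted in the next hunk.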
From: ewolinetz Date: Wed, 11 Jan 2017 15:26:46 -0600 Subject: addressing comments --- roles/openshift_logging/templates/fluentd.j2 | 2 +- roles/openshift_logging/templates/signing.conf.j2 | 103 ++++++++++++++++++++++ 2 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 roles/openshift_logging/templates/signing.conf.j2 (limited to 'roles/openshift_logging/templates') diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2 index a09b582a2..b6c91f8ed 100644 --- a/roles/openshift_logging/templates/fluentd.j2 +++ b/roles/openshift_logging/templates/fluentd.j2 @@ -25,7 +25,7 @@ spec: spec: serviceAccountName: "{{daemonset_serviceAccount}}" nodeSelector: - {{openshift_logging_fluentd_nodeselector}} + {{fluentd_nodeselector_key}}: "{{fluentd_nodeselector_value}}" containers: - name: "{{daemonset_container_name}}" image: "{{openshift_logging_image_prefix}}{{daemonset_name}}:{{openshift_logging_image_version}}" diff --git a/roles/openshift_logging/templates/signing.conf.j2 b/roles/openshift_logging/templates/signing.conf.j2 new file mode 100644 index 000000000..727cde4c9 --- /dev/null +++ b/roles/openshift_logging/templates/signing.conf.j2 
@@ -0,0 +1,103 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+dir = {{top_dir}} # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "io"
+1.domainComponent = "openshift"
+organizationName = "OpenShift Origin"
+organizationalUnitName = "Logging Signing CA"
+commonName = "Logging Signing CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca = signing_ca # The default CA section
+
+[ signing_ca ]
+certificate = $dir/ca.crt # The CA cert
+private_key = $dir/ca.key # CA private key
+new_certs_dir = $dir/ # Certificate archive
+serial = $dir/ca.serial.txt # Serial number file
+crlnumber = $dir/ca.crl.srl # CRL number file
+database = $dir/ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 730 # How long to certify for
+default_md = sha1 # MD to use
+policy = any_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = client_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+ +[ client_ext ] +keyUsage = critical,digitalSignature,keyEncipherment +basicConstraints = CA:false +extendedKeyUsage = clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid + +[ server_ext ] +keyUsage = critical,digitalSignature,keyEncipherment +basicConstraints = CA:false +extendedKeyUsage = serverAuth,clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid + +# CRL extensions exist solely to point to the CA certificate that has issued +# the CRL. + +[ crl_ext ] +authorityKeyIdentifier = keyid -- cgit v1.2.3 From 55ddb4f4b901632f051251ba0387a107dd3bb7ef Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Thu, 12 Jan 2017 12:52:41 -0600 Subject: Removing shell module calls and cleaning up changed --- roles/openshift_logging/templates/curator.j2 | 2 +- roles/openshift_logging/templates/es.j2 | 2 +- roles/openshift_logging/templates/kibana.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'roles/openshift_logging/templates') diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2 index 3ffb48bfb..d3b5d33a2 100644 --- a/roles/openshift_logging/templates/curator.j2 +++ b/roles/openshift_logging/templates/curator.j2 @@ -7,7 +7,7 @@ metadata: component: "{{component}}" logging-infra: "{{logging_component}}" spec: - replicas: 0 + replicas: {{replicas|default(0)}} selector: provider: openshift component: "{{component}}" diff --git a/roles/openshift_logging/templates/es.j2 b/roles/openshift_logging/templates/es.j2 index e5d415f81..291589690 100644 --- a/roles/openshift_logging/templates/es.j2 +++ b/roles/openshift_logging/templates/es.j2 @@ -8,7 +8,7 @@ metadata: deployment: "{{deploy_name}}" logging-infra: "{{logging_component}}" spec: - replicas: 0 + replicas: {{replicas|default(0)}} selector: provider: openshift component: "{{component}}" 
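Review bot: `default_md = sha1` is set in both `[ req ]` and `[ signing_ca ]`, so the CA certificate and every server and client certificate it issues for the logging components are SHA-1 signed, which is deprecated and increasingly rejected by TLS stacks and Java runtimes; both lines should read `default_md = sha256 # MD to use`. `copy_extensions = copy` carries any extension present in a CSR into the issued certificate; the CSRs here are produced by the role itself so this is manageable, but a comment stating that assumption (or `copy_extensions = none`, letting `x509_extensions` alone decide) would make the trust boundary explicit. The `[ match_pol ]` comments still refer to `'simple.org'` and `'Simple Inc'` from whatever this file was derived from and should be updated, or the unused policy removed since `policy = any_pol` is what is selected.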
diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2 index ca3d727bf..1ec97701a 100644 --- a/roles/openshift_logging/templates/kibana.j2 +++ b/roles/openshift_logging/templates/kibana.j2 @@ -7,7 +7,7 @@ metadata: component: "{{component}}" logging-infra: "{{logging_component}}" spec: - replicas: 0 + replicas: {{replicas|default(0)}} selector: provider: openshift component: "{{component}}" -- cgit v1.2.3 From 9cf70bb6991df874350ea0f5c97da26bb6757edb Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Fri, 13 Jan 2017 16:37:27 -0600 Subject: additional comments addressed --- .../templates/elasticsearch.yml.j2 | 75 ++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 roles/openshift_logging/templates/elasticsearch.yml.j2 (limited to 'roles/openshift_logging/templates') diff --git a/roles/openshift_logging/templates/elasticsearch.yml.j2 b/roles/openshift_logging/templates/elasticsearch.yml.j2 new file mode 100644 index 000000000..dad78b844 --- /dev/null +++ b/roles/openshift_logging/templates/elasticsearch.yml.j2 
@@ -0,0 +1,75 @@
+cluster:
+ name: ${CLUSTER_NAME}
+
+script:
+ inline: on
+ indexed: on
+
+index:
+ number_of_shards: 1
+ number_of_replicas: 0
+ auto_expand_replicas: 0-3
+ unassigned.node_left.delayed_timeout: 2m
+ translog:
+ flush_threshold_size: 256mb
+ flush_threshold_period: 5m
+
+node:
+ master: true
+ data: true
+
+network:
+ host: 0.0.0.0
+
+cloud:
+ kubernetes:
+ service: ${SERVICE_DNS}
+ namespace: ${NAMESPACE}
+
+discovery:
+ type: kubernetes
+ zen.ping.multicast.enabled: false
+
+gateway:
+ expected_master_nodes: ${NODE_QUORUM}
+ recover_after_nodes: ${RECOVER_AFTER_NODES}
+ expected_nodes: ${RECOVER_EXPECTED_NODES}
+ recover_after_time: ${RECOVER_AFTER_TIME}
+
+io.fabric8.elasticsearch.authentication.users: ["system.logging.kibana", "system.logging.fluentd", "system.logging.curator", "system.admin"]
+
+openshift.searchguard:
+ keystore.path: /etc/elasticsearch/secret/admin.jks
+ truststore.path: /etc/elasticsearch/secret/searchguard.truststore
+
+openshift.operations.allow_cluster_reader: {{allow_cluster_reader | default ('false')}}
+
+path:
+ data: /elasticsearch/persistent/${CLUSTER_NAME}/data
+ logs: /elasticsearch/${CLUSTER_NAME}/logs
+ work: /elasticsearch/${CLUSTER_NAME}/work
+ scripts: /elasticsearch/${CLUSTER_NAME}/scripts
+
+searchguard:
+ authcz.admin_dn:
+ - CN=system.admin,OU=OpenShift,O=Logging
+ config_index_name: ".searchguard.${HOSTNAME}"
+ ssl:
+ transport:
+ enabled: true
+ enforce_hostname_verification: false
+ keystore_type: JKS
+ keystore_filepath: /etc/elasticsearch/secret/searchguard.key
+ keystore_password: kspass
+ truststore_type: JKS
+ truststore_filepath: /etc/elasticsearch/secret/searchguard.truststore
+ truststore_password: tspass
+ http:
+ enabled: true
+ keystore_type: JKS
+ keystore_filepath: /etc/elasticsearch/secret/key
+ keystore_password: kspass
+ clientauth_mode: OPTIONAL
+ truststore_type: JKS
+ truststore_filepath: /etc/elasticsearch/secret/truststore
+ truststore_password: tspass
-- cgit v1.2.3
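Review bot: `keystore_password: kspass` and `truststore_password: tspass` are literal passwords for the searchguard keystores, shared by the transport and http layers and presumably matching what the JKS generation step uses; they belong in the Secret next to the keystores, or at minimum in a role variable, rather than in a file destined for a ConfigMap that anyone with read access to the namespace can view. `script: inline: on` and `indexed: on` enable dynamic scripting for every client that can reach the REST API; searchguard limits that to authenticated users, but if no logging component needs scripts the safer default is to leave both off, and if one does, a comment naming it would justify the setting. `clientauth_mode: OPTIONAL` on http and `enforce_hostname_verification: false` on transport are deliberate relaxations and deserve a one-line comment each stating why (e.g. the proxy authenticates by token rather than client certificate) so they are not tightened or loosened by accident later.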