From 06c111d22641ba5cc2dbbe0144d9d6722d94f159 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Wed, 11 Jan 2017 15:26:46 -0600
Subject: addressing comments

---
 roles/openshift_logging/defaults/main.yml          |   2 +-
 roles/openshift_logging/files/signing.conf         | 103 -----------
 roles/openshift_logging/files/util.sh              | 192 ---------------------
 roles/openshift_logging/filter_plugins/__init__.py |   0
 roles/openshift_logging/library/__init.py__        |   0
 roles/openshift_logging/meta/main.yaml             |  14 +-
 roles/openshift_logging/tasks/generate_certs.yaml  |  48 ++----
 .../tasks/generate_configmaps.yaml                 |  25 ++-
 .../tasks/generate_jks_chain.yaml                  |  60 -------
 roles/openshift_logging/tasks/generate_pkcs12.yaml |  24 ---
 roles/openshift_logging/tasks/install_fluentd.yaml |  15 +-
 roles/openshift_logging/tasks/install_logging.yaml |   6 +-
 roles/openshift_logging/tasks/label_node.yaml      |   8 +-
 roles/openshift_logging/tasks/main.yaml            |   5 +
 roles/openshift_logging/tasks/scale.yaml           |  16 +-
 roles/openshift_logging/tasks/start_cluster.yaml   |  24 +--
 roles/openshift_logging/tasks/stop_cluster.yaml    |  24 +--
 roles/openshift_logging/tasks/upgrade_logging.yaml |   4 +-
 roles/openshift_logging/templates/fluentd.j2       |   2 +-
 roles/openshift_logging/templates/signing.conf.j2  | 103 +++++++++++
 20 files changed, 214 insertions(+), 461 deletions(-)
 delete mode 100644 roles/openshift_logging/files/signing.conf
 delete mode 100644 roles/openshift_logging/files/util.sh
 delete mode 100644 roles/openshift_logging/filter_plugins/__init__.py
 delete mode 100644 roles/openshift_logging/library/__init.py__
 delete mode 100644 roles/openshift_logging/tasks/generate_jks_chain.yaml
 delete mode 100644 roles/openshift_logging/tasks/generate_pkcs12.yaml
 create mode 100644 roles/openshift_logging/templates/signing.conf.j2

diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index a441f10b9..4eb852207 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -33,7 +33,7 @@ openshift_logging_kibana_ops_proxy_debug: false
 openshift_logging_kibana_ops_proxy_cpu_limit: null
 openshift_logging_kibana_ops_proxy_memory_limit: null
 
-openshift_logging_fluentd_nodeselector: '"logging-infra-fluentd": "true"'
+openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'}
 openshift_logging_fluentd_cpu_limit: 100m
 openshift_logging_fluentd_memory_limit: 512Mi
 openshift_logging_fluentd_es_copy: false
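Review bot: The new dict default for `openshift_logging_fluentd_nodeselector` is undocumented, while elsewhere in this commit (tasks/main.yaml) the role now fails if the dict holds more than one pair and reads the pair via `.keys()[0]`/`.values()[0]`. A reader of defaults/main.yml, which is where users copy values from, cannot see that constraint. Suggest a comment above the line: `# exactly one key/value pair is supported; the role fails on more than one`.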
diff --git a/roles/openshift_logging/files/signing.conf b/roles/openshift_logging/files/signing.conf
deleted file mode 100644
index 810a057d9..000000000
--- a/roles/openshift_logging/files/signing.conf
+++ /dev/null
@@ -1,103 +0,0 @@
-# Simple Signing CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-#dir                     = _output               # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits            = 2048                  # RSA key size
-encrypt_key             = yes                   # Protect private key
-default_md              = sha1                  # MD to use
-utf8                    = yes                   # Input is UTF-8
-string_mask             = utf8only              # Emit UTF-8 strings
-prompt                  = no                    # Don't prompt for DN
-distinguished_name      = ca_dn                 # DN section
-req_extensions          = ca_reqext             # Desired extensions
-
-[ ca_dn ]
-0.domainComponent       = "io"
-1.domainComponent       = "openshift"
-organizationName        = "OpenShift Origin"
-organizationalUnitName  = "Logging Signing CA"
-commonName              = "Logging Signing CA"
-
-[ ca_reqext ]
-keyUsage                = critical,keyCertSign,cRLSign
-basicConstraints        = critical,CA:true,pathlen:0
-subjectKeyIdentifier    = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ ca ]
-default_ca              = signing_ca            # The default CA section
-
-[ signing_ca ]
-certificate             = $dir/ca.crt       # The CA cert
-private_key             = $dir/ca.key # CA private key
-new_certs_dir           = $dir/           # Certificate archive
-serial                  = $dir/ca.serial.txt # Serial number file
-crlnumber               = $dir/ca.crl.srl # CRL number file
-database                = $dir/ca.db # Index file
-unique_subject          = no                    # Require unique subject
-default_days            = 730                   # How long to certify for
-default_md              = sha1                  # MD to use
-policy                  = any_pol             # Default naming policy
-email_in_dn             = no                    # Add email to cert DN
-preserve                = no                    # Keep passed DN ordering
-name_opt                = ca_default            # Subject DN display options
-cert_opt                = ca_default            # Certificate display options
-copy_extensions         = copy                  # Copy extensions from CSR
-x509_extensions         = client_ext             # Default cert extensions
-default_crl_days        = 7                     # How long before next CRL
-crl_extensions          = crl_ext               # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent         = match                 # Must match 'simple.org'
-organizationName        = match                 # Must match 'Simple Inc'
-organizationalUnitName  = optional              # Included if present
-commonName              = supplied              # Must be present
-
-[ any_pol ]
-domainComponent         = optional
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = optional
-emailAddress            = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ client_ext ]
-keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = CA:false
-extendedKeyUsage        = clientAuth
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid
-
-[ server_ext ]
-keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = CA:false
-extendedKeyUsage        = serverAuth,clientAuth
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier  = keyid
diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh
deleted file mode 100644
index 5752a0fcd..000000000
--- a/roles/openshift_logging/files/util.sh
+++ /dev/null
@@ -1,192 +0,0 @@
-#!/bin/bash
-
-function generate_JKS_chain() {
-  dir=${SCRATCH_DIR:-_output}
-  ADD_OID=$1
-  NODE_NAME=$2
-  CERT_NAMES=${3:-$NODE_NAME}
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  rm -rf $NODE_NAME
-
-  extension_names=""
-  for name in ${CERT_NAMES//,/ }; do
-	extension_names="${extension_names},dns:${name}"
-  done
-
-  if [ "$ADD_OID" = true ]; then
-    extension_names="${extension_names},oid:1.2.3.4.5.5"
-  fi
-
-  echo Generating keystore and certificate for node $NODE_NAME
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/keystore.jks \
-        -keypass   $ks_pass \
-        -storepass $ks_pass \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-        -alias      $NODE_NAME \
-        -keystore   $dir/keystore.jks \
-        -storepass  $ks_pass \
-        -file       $dir/$NODE_NAME.csr \
-        -keyalg     rsa \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Sign certificate request with CA
-
-  openssl ca \
-    -in $dir/$NODE_NAME.csr \
-    -notext \
-    -out $dir/$NODE_NAME.crt \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/keystore.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/keystore.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo "Import CA to truststore for validating client certs"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/truststore.jks   \
-    -storepass $ts_pass  \
-    -noprompt -alias sig-ca
-
-  echo All done for $NODE_NAME
-}
-
-function generate_PEM_cert() {
-  NODE_NAME="$1"
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-}
-
-function generate_JKS_client_cert() {
-  NODE_NAME="$1"
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/$NODE_NAME.jks \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -keypass $ks_pass \
-        -storepass $ks_pass \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-          -alias      $NODE_NAME \
-          -keystore   $dir/$NODE_NAME.jks \
-          -file       $dir/$NODE_NAME.csr \
-          -keyalg     rsa \
-          -keypass $ks_pass \
-          -storepass $ks_pass \
-          -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/$NODE_NAME.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/$NODE_NAME.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo All done for $NODE_NAME
-}
-
-function join { local IFS="$1"; shift; echo "$*"; }
-
-function get_es_dcs() {
-  oc get dc --selector logging-infra=elasticsearch -o name
-}
-
-function get_curator_dcs() {
-  oc get dc --selector logging-infra=curator -o name
-}
-
-function extract_nodeselector() {
-  local inputstring="${1//\"/}"  # remove any errant double quotes in the inputs
-  local selectors=()
-
-  for keyvalstr in ${inputstring//\,/ }; do
-
-    keyval=( ${keyvalstr//=/ } )
-
-    if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
-      selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
-    else
-      echo "Could not make a node selector label from '${keyval[*]}'"
-      exit 255
-    fi
-  done
-
-  if [[ "${#selectors[*]}" -gt 0 ]]; then
-    echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
-  fi
-}
diff --git a/roles/openshift_logging/filter_plugins/__init__.py b/roles/openshift_logging/filter_plugins/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/roles/openshift_logging/library/__init.py__ b/roles/openshift_logging/library/__init.py__
deleted file mode 100644
index e69de29bb..000000000
diff --git a/roles/openshift_logging/meta/main.yaml b/roles/openshift_logging/meta/main.yaml
index 8bff6cfb7..a95c84901 100644
--- a/roles/openshift_logging/meta/main.yaml
+++ b/roles/openshift_logging/meta/main.yaml
@@ -1,3 +1,15 @@
 ---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: OpenShift Embedded Router
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
 dependencies:
-  - { role: openshift_facts }
+  - role: openshift_facts
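Review bot: `description: OpenShift Embedded Router` describes a different role; this file belongs to openshift_logging, so the galaxy_info block looks copied from the router role without updating the description. Suggest something like `description: OpenShift Aggregated Logging`. The rest of the metadata (author, license, platforms) is generic enough to stay.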
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index 6bfeccf61..bcf4881bb 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -31,14 +31,10 @@
   register: signing_conf_file
   check_mode: no
 
-- block:
-  - copy: src=signing.conf dest={{generated_certs_dir}}/signing.conf
-    check_mode: no
-
-  - lineinfile: "dest={{generated_certs_dir}}/signing.conf regexp='# Top dir$' line='dir                     = {{generated_certs_dir}}               # Top dir'"
-    check_mode: no
-  when:
-    - not signing_conf_file.stat.exists
+- template: src=signing.conf.j2 dest={{generated_certs_dir}}/signing.conf
+  vars:
+    - top_dir: '{{generated_certs_dir}}'
+  when: not signing_conf_file.stat.exists
 
 - include: procure_server_certs.yaml
   loop_control:
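Review bot: The new `template` task drops the `check_mode: no` that both replaced tasks carried, and that the `stat` feeding `signing_conf_file` still has (line 389 of this hunk's context). In check mode signing.conf will therefore no longer be generated; if any downstream task that runs with `check_mode: no` (the openssl steps in procure_server_certs.yaml, presumably) reads `{{generated_certs_dir}}/signing.conf`, it will now fail where the old block worked. Unless the omission is deliberate, add `check_mode: no` next to the `when:`. The include task that follows continues outside this hunk.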
@@ -49,19 +45,6 @@
     - procure_component: kibana-internal
       hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"
 
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana
-
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana-ops
-
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana-internal
-#     - hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"
-
 - name: Copy proxy TLS configuration file
   copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
   when: server_tls_json is undefined
@@ -116,8 +99,8 @@
 
 - name: Check for hostmount-anyuid scc entry
   shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o go-template='{{ '{{' }}.users{{ '}}' }}' |
-    grep system:serviceaccount:{{openshift_logging_namespace}}:jks-generator
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}' |
+    grep system:serviceaccount:{{openshift_logging_namespace | quote}}:jks-generator
   register: scc_result
   ignore_errors: yes
   when: not ansible_check_mode
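Review bot: The registered `scc_result.rc` is grep's exit status, so with `ignore_errors: yes` an oc failure (bad kubeconfig, RBAC denial, API unreachable) is indistinguishable from "service account not in the scc"; whatever consumes `scc_result` should check `scc_result.stderr` before treating rc 1 as "missing", or the pipeline should run under `set -o pipefail` with `args: executable: /bin/bash`. The pattern is also matched as a regex substring of the `{.users}` list; `grep -F` keeps the namespace literal. `| quote` wrapping only the namespace fragment mid-word is valid sh but worth a one-line comment so nobody "fixes" it, e.g. `# quote: namespace is user input spliced into a shell pipeline`.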
@@ -131,34 +114,33 @@
   copy:
     src: generate-jks.sh
     dest: "{{generated_certs_dir}}/generate-jks.sh"
+  check_mode: no
 
 - name: Generate JKS chains
   template:
     src: jks_pod.j2
     dest: "{{mktemp.stdout}}/jks_pod.yaml"
+  check_mode: no
 
 - name: create pod
-  shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} -o name
   register: podoutput
+  check_mode: no
 
-- shell: >
-    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
-  register: podname
-
-- shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get pod {{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{openshift_logging_namespace}}
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{podoutput.stdout}} -o jsonpath='{.status.phase}' -n {{openshift_logging_namespace}}
   register: result
   until: result.stdout.find("Succeeded") != -1
   retries: 5
   delay: 10
 
 - name: Generate proxy session
-  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 200
+  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
   register: session_secret
   check_mode: no
 
 - name: Generate oauth client secret
-  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64
+  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
   register: oauth_secret
   check_mode: no
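Review bot: The two secret-generating tasks at the end of this hunk now pass the session secret and OAuth client secret on the `echo` command line, which is logged by Ansible (and visible in `-v` output and the target's process list), and neither task has `no_log: true`; add `no_log: true` to both. The change also replaces `/dev/urandom` with the `random_word` filter evaluated on the controller — its implementation is not in this diff, and if it is built on the `random` module rather than `os.urandom`/`secrets` the output is not suitable for a session secret; please confirm and document it in the task name or a comment. Since the value is already known at templating time, a `set_fact` would avoid the round trip through the remote shell entirely, though consumers of `session_secret.stdout`/`oauth_secret.stdout` would then need updating.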
diff --git a/roles/openshift_logging/tasks/generate_configmaps.yaml b/roles/openshift_logging/tasks/generate_configmaps.yaml
index 86882a5da..f9f9ee79f 100644
--- a/roles/openshift_logging/tasks/generate_configmaps.yaml
+++ b/roles/openshift_logging/tasks/generate_configmaps.yaml
@@ -4,37 +4,44 @@
         src: elasticsearch-logging.yml
         dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
       when: es_logging_contents is undefined
+      changed_when: no
 
     - copy:
         src: elasticsearch.yml
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
       when: es_config_contents is undefined
+      changed_when: no
 
     - lineinfile:
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
         regexp: '^openshift\.operations\.allow_cluster_reader(.)*$'
         line: "\nopenshift.operations.allow_cluster_reader: {{openshift_logging_es_ops_allow_cluster_reader | lower}}"
       when: es_config_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{es_logging_contents}}"
         dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
       when: es_logging_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{es_config_contents}}"
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
       when: es_config_contents is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-elasticsearch
         --from-file=logging.yml={{mktemp.stdout}}/elasticsearch-logging.yml --from-file=elasticsearch.yml={{mktemp.stdout}}/elasticsearch.yml -o yaml --dry-run
       register: es_configmap
+      changed_when: no
 
     - copy:
         content: "{{es_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-elasticsearch-configmap.yaml"
       when: es_configmap.stdout is defined
+      changed_when: no
   check_mode: no
 
 - block:
@@ -42,21 +49,25 @@
         src: curator.yml
         dest: "{{mktemp.stdout}}/curator.yml"
       when: curator_config_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{curator_config_contents}}"
         dest: "{{mktemp.stdout}}/curator.yml"
       when: curator_config_contenets is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-curator
         --from-file=config.yaml={{mktemp.stdout}}/curator.yml -o yaml --dry-run
       register: curator_configmap
+      changed_when: no
 
     - copy:
         content: "{{curator_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-curator-configmap.yaml"
       when: curator_configmap.stdout is defined
+      changed_when: no
   check_mode: no
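Review bot: The `when: curator_config_contenets is defined` condition on the content copy is misspelled (context line of this hunk), so a user-supplied `curator_config_contents` is never written and the shipped curator.yml always wins; the commit adds `changed_when: no` to that task without fixing the guard. Change it to `when: curator_config_contents is defined`. The same kind of typo appears in the fluentd block of the next hunk, `fluentd_securefoward_contents is undefined`, which should read `fluentd_secureforward_contents` to match the content copy below it.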
 
 - block:
@@ -64,40 +75,48 @@
         src: fluent.conf
         dest: "{{mktemp.stdout}}/fluent.conf"
       when: fluentd_config_contents is undefined
+      changed_when: no
 
     - copy:
         src: fluentd-throttle-config.yaml
         dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
       when: fluentd_throttle_contents is undefined
+      changed_when: no
 
     - copy:
         src: secure-forward.conf
         dest: "{{mktemp.stdout}}/secure-forward.conf"
       when: fluentd_securefoward_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_config_contents}}"
         dest: "{{mktemp.stdout}}/fluent.conf"
       when: fluentd_config_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_throttle_contents}}"
         dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
       when: fluentd_throttle_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_secureforward_contents}}"
         dest: "{{mktemp.stdout}}/secure-forward.conf"
       when: fluentd_secureforward_contents is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-fluentd
         --from-file=fluent.conf={{mktemp.stdout}}/fluent.conf --from-file=throttle-config.yaml={{mktemp.stdout}}/fluentd-throttle-config.yaml
         --from-file=secure-forward.conf={{mktemp.stdout}}/secure-forward.conf -o yaml --dry-run
       register: fluentd_configmap
+      changed_when: no
 
     - copy:
         content: "{{fluentd_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-fluentd-configmap.yaml"
       when: fluentd_configmap.stdout is defined
+      changed_when: no
   check_mode: no
diff --git a/roles/openshift_logging/tasks/generate_jks_chain.yaml b/roles/openshift_logging/tasks/generate_jks_chain.yaml
deleted file mode 100644
index 14ffdc51f..000000000
--- a/roles/openshift_logging/tasks/generate_jks_chain.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
----
-- debug: msg="certs are {{chain_certs}} and oid is {{oid}}"
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="certs are {{chain_certs}}"
-  when: chain_certs is defined and oid is undefined
-
-- name: Build extensions with certs
-  shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid:1.2.3.4.5.5','') }}"
-  register: cert_ext
-  when: chain_certs is defined and oid is defined
-  check_mode: no
-
-- debug: msg="extensions are {{cert_ext.stdout}}"
-  when: cert_ext.stdout is defined
-
-- shell: >
-    echo {{ (cert_ext.stdout is defined) | ternary( '-ext san=dns:localhost,ip:127.0.0.1','') }}{{ (cert_ext.stdout is defined) | ternary( cert_ext.stdout, '') }}
-  register: extensions
-  check_mode: no
-
-- name: Checking for {{component}}.jks ...
-  stat: path="{{generated_certs_dir}}/{{component}}.jks"
-  register: jks_file
-  check_mode: no
-
-- name: Checking for truststore...
-  stat: path="{{generated_certs_dir}}/truststore.jks"
-  register: jks_truststore
-  check_mode: no
-
-- block:
-    - shell: >
-        keytool -genkey -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -keypass kspass -storepass kspass
-        -keyalg RSA -keysize 2048 -validity 712 -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
-
-    - shell: >
-        keytool -certreq -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -storepass kspass
-        -file {{generated_certs_dir}}/{{component}}-jks.csr -keyalg RSA -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
-
-    - shell: >
-        openssl ca -in {{generated_certs_dir}}/{{component}}-jks.csr -notext -out {{generated_certs_dir}}/{{component}}-jks.crt
-        -config {{generated_certs_dir}}/signing.conf -extensions v3_req -batch -extensions server_ext
-
-    - shell: >
-        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/{{component}}.jks
-        -storepass kspass -noprompt -alias sig-ca
-
-    - shell: >
-         keytool -import -file {{generated_certs_dir}}/{{component}}-jks.crt -keystore {{generated_certs_dir}}/{{component}}.jks
-         -storepass kspass -noprompt -alias {{component}}
-
-  when: not jks_file.stat.exists
-  check_mode: no
-
-- block:
-    - shell: >
-        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/truststore.jks -storepass tspass -noprompt -alias sig-ca
-  when: not jks_truststore.stat.exists
-  check_mode: no
diff --git a/roles/openshift_logging/tasks/generate_pkcs12.yaml b/roles/openshift_logging/tasks/generate_pkcs12.yaml
deleted file mode 100644
index dde65746f..000000000
--- a/roles/openshift_logging/tasks/generate_pkcs12.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- debug: msg="certs are {{chain_certs}} and oid is {{oid}}"
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="certs are {{chain_certs}}"
-  when: chain_certs is defined and oid is undefined
-
-- name: Build extensions with certs
-  shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid=1.2.3.4.5.5','') }}"
-  register: cert_ext
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="extensions are {{cert_ext.stdout}}"
-  when: cert_ext.stdout is defined
-
-- include: generate_pems.yaml
-
-- local_action: stat path="{{mktemp.stdout}}/{{component}}.pkcs12"
-  register: pkcs_file
-  become: no
-
-- name: Generating pkcs12 chain for {{component}}
-  command: openssl pkcs12 -export -out {{generated_certs_dir}}/{{component}}.pkcs12 -inkey {{generated_certs_dir}}/{{component}}.key -in {{generated_certs_dir}}/{{component}}.crt -password pass:pass
-  when: not pkcs_file.stat.exists
diff --git a/roles/openshift_logging/tasks/install_fluentd.yaml b/roles/openshift_logging/tasks/install_fluentd.yaml
index 35bd452ed..6f93081d7 100644
--- a/roles/openshift_logging/tasks/install_fluentd.yaml
+++ b/roles/openshift_logging/tasks/install_fluentd.yaml
@@ -1,14 +1,23 @@
 ---
-- shell: >
+- command: >
     echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}"
   register: fluentd_ops_host
   check_mode: no
 
-- shell: >
+- command: >
     echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}"
   register: fluentd_ops_port
   check_mode: no
 
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
+  register: openshift_logging_fluentd_nodeselector_key
+  check_mode: no
+
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
+  register: openshift_logging_fluentd_nodeselector_value
+  check_mode: no
 
 - name: Generating Fluentd daemonset
   template: src=fluentd.j2 dest={{mktemp.stdout}}/templates/logging-fluentd.yaml
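Review bot: `openshift_logging_fluentd_nodeselector.keys()[0]` and `.values()[0]` only work when the controller runs Python 2; under Python 3 `dict.keys()` returns a view that is not subscriptable and the template fails. Use `{{ (openshift_logging_fluentd_nodeselector.keys() | list)[0] }}` and `{{ (openshift_logging_fluentd_nodeselector.values() | list)[0] }}`. The same expressions are added in tasks/start_cluster.yaml in this commit and need the same fix. The `command: echo` round trip exists only to register the value; a `set_fact` would give the same result without running anything on the target.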
@@ -19,6 +28,8 @@
     daemonset_serviceAccount: aggregated-logging-fluentd
     ops_host: "{{ fluentd_ops_host.stdout }}"
     ops_port: "{{ fluentd_ops_port.stdout }}"
+    fluentd_nodeselector_key: "{{openshift_logging_fluentd_nodeselector_key.stdout}}"
+    fluentd_nodeselector_value: "{{openshift_logging_fluentd_nodeselector_value.stdout}}"
   check_mode: no
 
 - name: "Set permissions for fluentd"
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 591f11476..09630e213 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -24,14 +24,14 @@
     loop_var: install_component
 
 - name: Register API objects from generated templates
-  shell: ls -d -1 {{mktemp.stdout}}/templates/* | sort
+  command: ls -1 {{mktemp.stdout}}/templates/
   register: logging_objects
   check_mode: no
 
 - name: Creating API objects from generated templates
   command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{file}} -n {{openshift_logging_namespace}}
-  with_items: "{{logging_objects.stdout_lines}}"
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{mktemp.stdout}}/templates/{{file}} -n {{openshift_logging_namespace}}
+  with_items: "{{logging_objects.stdout_lines | sort}}"
   loop_control:
     loop_var: file
   when: not ansible_check_mode
diff --git a/roles/openshift_logging/tasks/label_node.yaml b/roles/openshift_logging/tasks/label_node.yaml
index 55cfea38c..f35ccc3b6 100644
--- a/roles/openshift_logging/tasks/label_node.yaml
+++ b/roles/openshift_logging/tasks/label_node.yaml
@@ -1,12 +1,12 @@
 ---
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}}
-    --template='{{ '{{index .metadata.labels "' }}{{label}}{{ '"}}' }}'
+    -o jsonpath='{.metadata.labels.{{ label }}}'
   register: label_value
   failed_when: label_value.rc == 1 and 'exists' not in label_value.stderr
   when: not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} --overwrite
   register: label_result
   failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr
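Review bot: The new `-o jsonpath='{.metadata.labels.{{ label }}}'` splices the label key into a dotted path, so a key containing a dot (the common `prefix.example.com/name` label form) is parsed as nested fields and returns nothing, whereas the removed `index .metadata.labels "..."` template handled any key. If such keys are expected, the dot has to be escaped in the jsonpath (`\.`) before interpolation, or keep the go-template form for this lookup. A short comment such as `# label keys must not contain '.' with this jsonpath form` would at least make the limitation visible.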
@@ -17,7 +17,7 @@
   - unlabel is not defined or not unlabel
   - not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}-
   register: label_result
   failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr
diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml
index b64c24ade..c4ec1b255 100644
--- a/roles/openshift_logging/tasks/main.yaml
+++ b/roles/openshift_logging/tasks/main.yaml
@@ -1,4 +1,9 @@
 ---
+- fail:
+    msg: Only one Fluentd nodeselector key pair should be provided
+  when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1"
+
+
 - name: Create temp directory for doing work in
   command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
   register: mktemp
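Review bot: The new `when:` wraps a Jinja expression in `{{ }}` inside a string, which Ansible already evaluates as Jinja; this produces the "when statements should not include jinja2 templating delimiters" warning and the string-versus-comparison behaviour is version dependent. Write it as a bare expression: `when: openshift_logging_fluentd_nodeselector.keys() | count > 1`. The double blank line after the task can be collapsed to one.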
diff --git a/roles/openshift_logging/tasks/scale.yaml b/roles/openshift_logging/tasks/scale.yaml
index 3d86ea171..aa3e39641 100644
--- a/roles/openshift_logging/tasks/scale.yaml
+++ b/roles/openshift_logging/tasks/scale.yaml
@@ -1,26 +1,26 @@
 ---
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}}
-    --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_logging_namespace}}
+    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: replica_count
   failed_when: replica_count.rc == 1 and 'exists' not in replica_count.stderr
   when: not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}}
     --replicas={{desired}} -n {{openshift_logging_namespace}}
   register: scale_result
   failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr
   when:
-  - replica_count.stdout != desired
   - not ansible_check_mode
+  - replica_count.stdout|int != desired
 
-- shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_logging_namespace}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}'
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} -n {{openshift_logging_namespace}} -o jsonpath='{.status.replicas}'
   register: replica_counts
-  until: replica_counts.stdout.find("{{desired}}") != -1
+  until: replica_counts.stdout|int == desired
   retries: 30
   delay: 10
   when:
-    - replica_count.stdout != desired
     - not ansible_check_mode
+    - replica_count.stdout|int != desired
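Review bot: `replica_count.stdout|int != desired` and `until: replica_counts.stdout|int == desired` cast only the left side; if `desired` arrives as a string (as it will when passed via extra-vars or a quoted YAML value), the inequality is always true and the `until` never succeeds, so the task errors out after 30 retries. Cast both sides: `replica_count.stdout|int != desired|int` and `until: replica_counts.stdout|int == desired|int`. Also note `.status.replicas` counts all pods of the controller, not ready ones; if the old "Pods Status" parsing was meant to wait for readiness, `.status.availableReplicas` is presumably the field wanted — please confirm the intent.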
diff --git a/roles/openshift_logging/tasks/start_cluster.yaml b/roles/openshift_logging/tasks/start_cluster.yaml
index cdfc5f2d3..090ca8359 100644
--- a/roles/openshift_logging/tasks/start_cluster.yaml
+++ b/roles/openshift_logging/tasks/start_cluster.yaml
@@ -1,16 +1,16 @@
 ---
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
   register: openshift_logging_fluentd_nodeselector_key
   check_mode: no
 
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
   register: openshift_logging_fluentd_nodeselector_value
   check_mode: no
 
-- shell: >
-    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g"
+- command: >
+    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}'
   register: fluentd_hosts
   when: "'--all' in openshift_logging_fluentd_hosts"
   check_mode: no
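Review bot: `openshift_logging_fluentd_nodeselector.keys()[0]` on line 856 (and `.values()[0]` on line 863) subscripts a dict view, which raises `TypeError` when the controller runs Python 3, where `dict.keys()` is not indexable; the same two expressions appear in the first hunk of stop_cluster.yaml. Wrapping the view works on both interpreters: `echo "{{ (openshift_logging_fluentd_nodeselector.keys()|list)[0] }}"` and `echo "{{ (openshift_logging_fluentd_nodeselector.values()|list)[0] }}"`. Spawning `echo` through `command` only to register the value is also indirect; a `set_fact` would give the same string without a process and without the `.stdout` indirection, though that changes the registered variable's shape for whatever consumes it outside this hunk. Note that only the first key/value pair of the selector is ever used, which is worth a comment above the task if a single-entry selector is the intended contract.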
@@ -25,7 +25,7 @@
   loop_control:
     loop_var: fluentd_host
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -38,7 +38,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
   check_mode: no
@@ -51,7 +51,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}}
   register: curator_dc
   check_mode: no
@@ -64,7 +64,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -78,7 +78,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
   check_mode: no
@@ -92,7 +92,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}}
   register: curator_dc
   check_mode: no
diff --git a/roles/openshift_logging/tasks/stop_cluster.yaml b/roles/openshift_logging/tasks/stop_cluster.yaml
index e018d0618..dd3693f7e 100644
--- a/roles/openshift_logging/tasks/stop_cluster.yaml
+++ b/roles/openshift_logging/tasks/stop_cluster.yaml
@@ -1,14 +1,14 @@
 ---
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
   register: openshift_logging_fluentd_nodeselector_key
 
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
   register: openshift_logging_fluentd_nodeselector_value
 
-- shell: >
-    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g"
+- command: >
+    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}'
   register: fluentd_hosts
   when: "'--all' in openshift_logging_fluentd_hosts"
 
@@ -22,7 +22,7 @@
   loop_control:
     loop_var: fluentd_host
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
 
@@ -34,7 +34,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
 
@@ -46,7 +46,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}}
   register: curator_dc
 
@@ -58,7 +58,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}}
   register: es_dc
 
@@ -71,7 +71,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
 
@@ -84,7 +84,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}}
   register: curator_dc
 
diff --git a/roles/openshift_logging/tasks/upgrade_logging.yaml b/roles/openshift_logging/tasks/upgrade_logging.yaml
index b2c8022d5..9b285a5fe 100644
--- a/roles/openshift_logging/tasks/upgrade_logging.yaml
+++ b/roles/openshift_logging/tasks/upgrade_logging.yaml
@@ -8,7 +8,7 @@
     start_cluster: False
 
 # ensure that ES is running
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -26,7 +26,7 @@
     dest: {{mktemp.stdout}}/es_migration.sh
 
 - name: Run upgrade scripts
-  shell: >
+  command: >
     sh {{mktemp.stdout}}/es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}}
 
 - name: Start up rest of cluster
diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2
index a09b582a2..b6c91f8ed 100644
--- a/roles/openshift_logging/templates/fluentd.j2
+++ b/roles/openshift_logging/templates/fluentd.j2
@@ -25,7 +25,7 @@ spec:
     spec:
       serviceAccountName: "{{daemonset_serviceAccount}}"
       nodeSelector:
-        {{openshift_logging_fluentd_nodeselector}}
+        {{fluentd_nodeselector_key}}: "{{fluentd_nodeselector_value}}"
       containers:
       - name: "{{daemonset_container_name}}"
         image: "{{openshift_logging_image_prefix}}{{daemonset_name}}:{{openshift_logging_image_version}}"
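Review bot: The new line 1038 renders exactly one `nodeSelector` pair, so any further entries in `openshift_logging_fluentd_nodeselector` are silently dropped; iterating the mapping keeps the template faithful to the variable and removes the dependency on `fluentd_nodeselector_key`/`fluentd_nodeselector_value`, whose definition is not visible in this diff (presumably set in install_fluentd.yaml): `{% for key, value in openshift_logging_fluentd_nodeselector.items() %}` / `        "{{ key }}": "{{ value }}"` / `{% endfor %}`. If the single-pair form is kept, quote the key as well as the value — `"{{fluentd_nodeselector_key}}": "{{fluentd_nodeselector_value}}"` — so a key containing YAML-significant characters still yields a valid mapping.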
diff --git a/roles/openshift_logging/templates/signing.conf.j2 b/roles/openshift_logging/templates/signing.conf.j2
new file mode 100644
index 000000000..727cde4c9
--- /dev/null
+++ b/roles/openshift_logging/templates/signing.conf.j2
@@ -0,0 +1,103 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+dir                     = {{top_dir}}               # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha1                  # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+0.domainComponent       = "io"
+1.domainComponent       = "openshift"
+organizationName        = "OpenShift Origin"
+organizationalUnitName  = "Logging Signing CA"
+commonName              = "Logging Signing CA"
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca              = signing_ca            # The default CA section
+
+[ signing_ca ]
+certificate             = $dir/ca.crt       # The CA cert
+private_key             = $dir/ca.key # CA private key
+new_certs_dir           = $dir/           # Certificate archive
+serial                  = $dir/ca.serial.txt # Serial number file
+crlnumber               = $dir/ca.crl.srl # CRL number file
+database                = $dir/ca.db # Index file
+unique_subject          = no                    # Require unique subject
+default_days            = 730                   # How long to certify for
+default_md              = sha1                  # MD to use
+policy                  = any_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = ca_default            # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = copy                  # Copy extensions from CSR
+x509_extensions         = client_ext             # Default cert extensions
+default_crl_days        = 7                     # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent         = match                 # Must match 'simple.org'
+organizationName        = match                 # Must match 'Simple Inc'
+organizationalUnitName  = optional              # Included if present
+commonName              = supplied              # Must be present
+
+[ any_pol ]
+domainComponent         = optional
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ client_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+
+[ server_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid
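Review bot: `default_md = sha1` on lines 1064 and 1099 makes both the CA certificate and every certificate this CA issues SHA-1 signed, which current browsers and TLS libraries reject or warn on and which the server_ext certificates here would be presented with; use `default_md = sha256` in both `[ req ]` and `[ signing_ca ]`. The comment on line 1097 contradicts its value (`unique_subject = no` annotated as "Require unique subject"); rewrite it as `# Allow re-issuing for the same subject` or drop it. The `[ match_pol ]` comments on lines 1114–1115 still reference 'simple.org' and 'Simple Inc' from the template this was derived from, and the section is unused since `policy = any_pol`; either update the comments or remove the section. With `copy_extensions = copy` and `any_pol`, requested extensions are taken from the CSR except where the `client_ext`/`server_ext` sections override them — fine while the CSRs come only from this role, but worth a one-line comment next to line 1105 stating that assumption.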