From 04c1500801f4d88635001bda1e4f73473fe8e33a Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Tue, 29 Nov 2016 16:31:13 -0500 Subject: =?UTF-8?q?Bruno=20Barcarol=20Guimar=C3=A3es=20work=20to=20move=20?= =?UTF-8?q?metrics=20to=20ansible=20from=20deployer?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/openshift_metrics/tasks/cleanup.yaml | 14 ++ .../tasks/generate_certificates.yaml | 233 +++++++++++++++++++++ .../tasks/generate_rolebindings.yaml | 30 +++ .../tasks/generate_serviceaccounts.yaml | 25 +++ .../openshift_metrics/tasks/generate_services.yaml | 43 ++++ .../openshift_metrics/tasks/install_hawkular.yaml | 57 +++++ .../openshift_metrics/tasks/install_heapster.yaml | 3 + roles/openshift_metrics/tasks/install_metrics.yaml | 17 ++ roles/openshift_metrics/tasks/main.yaml | 24 +++ .../openshift_metrics/tasks/setup_certificate.yaml | 50 +++++ 10 files changed, 496 insertions(+) create mode 100644 roles/openshift_metrics/tasks/cleanup.yaml create mode 100644 roles/openshift_metrics/tasks/generate_certificates.yaml create mode 100644 roles/openshift_metrics/tasks/generate_rolebindings.yaml create mode 100644 roles/openshift_metrics/tasks/generate_serviceaccounts.yaml create mode 100644 roles/openshift_metrics/tasks/generate_services.yaml create mode 100644 roles/openshift_metrics/tasks/install_hawkular.yaml create mode 100644 roles/openshift_metrics/tasks/install_heapster.yaml create mode 100644 roles/openshift_metrics/tasks/install_metrics.yaml create mode 100644 roles/openshift_metrics/tasks/main.yaml create mode 100644 roles/openshift_metrics/tasks/setup_certificate.yaml (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml new file mode 100644 index 000000000..a61fed7b4 --- /dev/null +++ b/roles/openshift_metrics/tasks/cleanup.yaml 
@@ -0,0 +1,14 @@ +--- +- name: remove metrics components + command: > + {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + delete --selector=metrics-infra + all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings + register: delete_metrics + changed_when: "delete_metrics.stdout != 'No resources found'" +- name: remove rolebindings + command: > + {{ openshift.common.client_binary }} -n {{ metrics_project }} + delete --ignore-not-found + rolebinding/hawkular-view + clusterrolebinding/heapster-cluster-reader diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml new file mode 100644 index 000000000..b1ecf46b9 --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml 
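Review bot: The `remove rolebindings` task has no `register`/`changed_when`, so it reports changed on every run even when `--ignore-not-found` finds nothing, whereas the first task guards on its stdout. Mirroring that pattern — `register: delete_rolebindings` plus `changed_when: "delete_rolebindings.stdout != ''"` — keeps the two consistent; the exact output of `delete --ignore-not-found` when nothing matches should be confirmed against the client version in use before relying on it. The namespace is also quoted in the first command (`-n '{{ metrics_project }}'`) but not in the second; use one form.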
@@ -0,0 +1,233 @@ +--- +# TODO idempotency? +# TODO support providing custom certificates +- name: create certificate output directory + file: + path: "{{ mktemp.stdout }}/certs" + state: directory + mode: 0700 +- name: generate ca certificate chain + shell: > + {{ openshift.common.admin_binary }} ca create-signer-cert + --key='{{ mktemp.stdout }}/certs/ca.key' + --cert='{{ mktemp.stdout }}/certs/ca.crt' + --serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --name="metrics-signer@$(date +%s)" +- name: generate heapster key/cert + command: > + {{ openshift.common.admin_binary }} ca create-server-cert + --key='{{ mktemp.stdout }}/certs/heapster.key' + --cert='{{ mktemp.stdout }}/certs/heapster.cert' + --hostnames=heapster + --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' + --signer-key='{{ mktemp.stdout }}/certs/ca.key' + --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' +# TODO maybe there's an easier way to get the service accounts' ca crt? +- name: get heapster service account secrets + shell: > + {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + get serviceaccount/default + --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' + | grep ^default-token- + register: sa_secret +- name: get heapster service account ca + command: > + {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + get 'secret/{{ sa_secret.stdout }}' + --template '{{ '{{index .data "ca.crt"}}' }}' + register: sa_secret +- name: read files for the heapster secret + command: base64 --wrap 0 "{{ mktemp.stdout }}/certs/heapster.{{ item }}" + register: heapster_secret + with_items: + - cert + - key +- name: generate heapster secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml" + vars: + name: heapster-secrets + labels: + metrics-infra: heapster + data: + heapster.cert: "{{ heapster_secret.results[0].stdout }}" + heapster.key: "{{ heapster_secret.results[1].stdout }}" + heapster.client-ca: "{{ 
sa_secret.stdout }}" + heapster.allowed-users: "{{ heapster_allowed_users|b64encode }}" +- name: generate hawkular-metrics certificates + include: setup_certificate.yaml + vars: + component: hawkular-metrics + hostnames: "hawkular-metrics,{{ hawkular_metrics_hostname }}" +- name: generate hawkular-cassandra certificates + include: setup_certificate.yaml + vars: + component: hawkular-cassandra + hostnames: hawkular-cassandra +# TODO keytool as dependency? move key/trust store generation to containers? +- name: import the hawkular metrics cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-metrics + -file '{{ mktemp.stdout|quote }}/certs/hawkular-metrics.cert' + -keystore '{{ mktemp.stdout|quote }}/certs/hawkular-cassandra.truststore' + -storepass + "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" +- name: import the hawkular cassandra cert into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' + -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' + -storepass + "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" +- name: import the hawkular cassandra cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' + -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' + -storepass + "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" +- name: import the ca certificate into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ mktemp.stdout }}/certs/ca.crt' + -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' + -storepass + "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" + 
with_items: + - ca + - metricca + - cassandraca +- name: import the ca certificate into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ mktemp.stdout }}/certs/ca.crt' + -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' + -storepass + "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" + with_items: + - ca + - metricca + - cassandraca +- name: generate password for htpasswd file for hawkular metrics + shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 + register: hawkular_metrics_password +- name: generate password for hawkular metrics jgroups + shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 + register: hawkular_metrics_jgroups_password +- name: generate htpasswd file for hawkular metrics + shell: > + htpasswd -cb + "{{ mktemp.stdout|quote }}/certs/hawkular-metrics.htpasswd" hawkular + '{{ hawkular_metrics_password.stdout }}' +- name: generate the jgroups keystore + command: > + keytool -genseckey -alias hawkular + -keypass {{ hawkular_metrics_jgroups_password.stdout }} + -storepass {{ hawkular_metrics_jgroups_password.stdout }} + -keyalg Blowfish -keysize 56 -storetype JCEKS + -keystore {{ mktemp.stdout }}/certs/hawkular-jgroups.keystore +- name: read files for the hawkular-metrics secret + command: > + base64 --wrap 0 "{{ mktemp.stdout }}/certs/{{ item }}" + register: hawkular_metrics_secret + with_items: + - hawkular-metrics.keystore + - hawkular-metrics-keystore.pwd + - hawkular-metrics.truststore + - hawkular-metrics-truststore.pwd + - hawkular-metrics.htpasswd + - hawkular-metrics.cert + - ca.crt + - hawkular-cassandra.keystore + - hawkular-cassandra-keystore.pwd + - hawkular-cassandra.truststore + - hawkular-cassandra-truststore.pwd + - hawkular-cassandra.pem + - hawkular-cassandra.cert + - hawkular-jgroups.keystore +- name: generate hawkular-metrics-secrets secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout 
}}/templates/hawkular_metrics_secrets.yaml" + vars: + name: hawkular-metrics-secrets + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.keystore: > + "{{ hawkular_metrics_secret.results[0].stdout }}" + hawkular-metrics.keystore.password: > + "{{ hawkular_metrics_secret.results[1].stdout }}" + hawkular-metrics.truststore: > + "{{ hawkular_metrics_secret.results[2].stdout }}" + hawkular-metrics.truststore.password: > + "{{ hawkular_metrics_secret.results[3].stdout }}" + hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" + hawkular-metrics.htpasswd.file: > + "{{ hawkular_metrics_secret.results[4].stdout }}" + hawkular-metrics.jgroups.keystore.password: > + "{{ hawkular_metrics_jgroups_password.stdout|b64encode }}" + hawkular-metrics.jgroups.keystore: > + "{{ hawkular_metrics_secret.results[13].stdout }}" + hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" +- name: generate hawkular-metrics-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" + vars: + name: hawkular-metrics-certificate + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.certificate: > + "{{ hawkular_metrics_secret.results[5].stdout }}" + hawkular-metrics-ca.certificate: > + "{{ hawkular_metrics_secret.results[6].stdout }}" +- name: generate hawkular-metrics-account secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" + vars: + name: hawkular-metrics-account + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" + hawkular-metrics.password: > + "{{ hawkular_metrics_password.stdout|b64encode }}" +- name: generate cassandra secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" + vars: + name: hawkular-cassandra-secrets + labels: + metrics-infra: hawkular-cassandra + data: + 
cassandra.keystore: "{{ hawkular_metrics_secret.results[7].stdout }}" + cassandra.keystore.password: > + {{ hawkular_metrics_secret.results[8].stdout }} + cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" + cassandra.truststore: "{{ hawkular_metrics_secret.results[9].stdout }}" + cassandra.truststore.password: > + {{ hawkular_metrics_secret.results[10].stdout }} + cassandra.pem: "{{ hawkular_metrics_secret.results[10].stdout }}" +- name: generate cassandra-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" + vars: + name: hawkular-cassandra-certificate + labels: + metrics-infra: hawkular-cassandra + data: + cassandra.certificate: > + {{ hawkular_metrics_secret.results[11].stdout }} + cassandra-ca.certificate: > + {{ hawkular_metrics_secret.results[7].stdout }} diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml new file mode 100644 index 000000000..d1bc7374a --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml @@ -0,0 +1,30 @@ +--- +- name: generate view role binding for the hawkular service account + template: + src: rolebinding.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-rolebinding.yaml" + vars: + obj_name: hawkular-view + labels: + metrics-infra: hawkular + roleRef: + name: view + subjects: + - kind: ServiceAccount + name: hawkular +- name: generate cluster-reader role binding for the heapster service account + template: + src: rolebinding.j2 + dest: "{{ mktemp.stdout }}/templates/heapster-rolebinding.yaml" + vars: + cluster: True + obj_name: heapster-cluster-reader + labels: + metrics-infra: heapster + roleRef: + kind: ClusterRole + name: cluster-reader + subjects: + - kind: ServiceAccount + name: heapster + namespace: "{{ metrics_project }}" 
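Review bot: The positional indices into `hawkular_metrics_secret.results` drift in the cassandra secret templates at the end of the hunk: with the `with_items` order of `read files for the hawkular-metrics secret`, `cassandra.pem` reads `results[10]` (`hawkular-cassandra-truststore.pwd`) instead of `results[11]` (`hawkular-cassandra.pem`), `cassandra-ca.certificate` reads `results[7]` (`hawkular-cassandra.keystore`) instead of `results[6]` (`ca.crt`), and `cassandra.certificate` reads `results[11]`, the pem that setup_certificate.yaml builds by concatenating the key and the crt, where `hawkular-cassandra.cert` is `results[12]` — if the certificate alone was meant, a private key is being placed into a certificate secret. Correct the indices, e.g. `cassandra.pem: "{{ hawkular_metrics_secret.results[11].stdout }}"` and `cassandra-ca.certificate: "{{ hawkular_metrics_secret.results[6].stdout }}"`, and preferably replace positional access with a lookup keyed on each result's `item` so the mapping cannot silently drift when the list changes. Separately, the jgroups and htpasswd passwords are registered from `shell` and then passed as arguments (`keytool -genseckey -keypass ... -storepass ...`, `htpasswd -cb ... '{{ hawkular_metrics_password.stdout }}'`) with no `no_log: true`, so they appear in Ansible task output and in the process list; the same applies to the `keystore_pwd` tasks in setup_certificate.yaml. The folded values are also inconsistently quoted — `hawkular-metrics.keystore: > "{{ ... }}"` keeps literal double quotes and a trailing newline in the value while the cassandra entries use a bare `> {{ ... }}` — so the two forms cannot both render the same way through secret.j2; pick the one the template expects.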
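Review bot: The heapster binding grants the `cluster-reader` ClusterRole, a cluster-wide read grant, with no comment recording why that scope is needed; a line above the task such as `# heapster needs cluster-reader: presumably it reads stats from every namespace — confirm and narrow if possible` keeps the justification next to the grant for later least-privilege review. `cluster: True` should be `cluster: true` (yamllint `truthy`; capitalised booleans are YAML 1.1 behaviour). The hawkular `roleRef` omits `kind` while the heapster one sets `kind: ClusterRole`, so rolebinding.j2 presumably supplies a default; stating `kind: Role` explicitly would make the intended scope visible without reading the template.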
diff --git a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml new file mode 100644 index 000000000..9230e0423 --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml @@ -0,0 +1,25 @@ +--- +- name: Generating serviceaccounts for hawkular metrics/cassandra + template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml + vars: + obj_name: "{{item.name}}" + labels: + metrics-infra: support + secrets: + - hawkular-{{item.secret}}-secrets + with_items: + - name: hawkular + secret: hawkular-metrics-secrets + - name: cassandra + secret: hawkular-cassandra-secrets + +- name: Generating serviceaccount for heapster + template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml + vars: + obj_name: heapster + labels: + metrics-infra: support + secrets: + - heapster-secrets + - hawkular-metrics-certificate + - hawkular-metrics-account diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml new file mode 100644 index 000000000..4f7616a1c --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_services.yaml 
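Review bot: The hawkular/cassandra service accounts are given a secret named `hawkular-{{item.secret}}-secrets`, but `item.secret` is already `hawkular-metrics-secrets` / `hawkular-cassandra-secrets`, so the rendered names become `hawkular-hawkular-metrics-secrets-secrets` and never match the secrets produced in generate_certificates.yaml. Either drop the prefix and suffix, `- "{{ item.secret }}"`, or set `secret: metrics` / `secret: cassandra` in the loop items. The `key=value` shorthand on the `template:` lines is also out of step with the block form used by the other task files in this commit, and the templated `dest={{mktemp.stdout}}/...` reads more safely quoted.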
@@ -0,0 +1,43 @@ +--- +- name: Generate service for heapster + template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml + vars: + obj_name: heapster + ports: + - {port: 80, targetPort: http-endpoint} + selector: + name: "{{obj_name}}" + labels: + metrics-infra: "{{obj_name}}" + name: "{{obj_name}}" + +- name: Generate service for hawkular-metrics + template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml + vars: + obj_name: hawkular-metrics + ports: + - {port: 443, targetPort: https-endpoint} + selector: + name: "{{obj_name}}" + labels: + metrics-infra: "{{obj_name}}" + name: "{{obj_name}}" + +- name: Generate services for cassandra + template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml + vars: + obj_name: hawkular-{{item}} + ports: + - {name: cql-port, port: 9042, targetPort: cql-port} + - {name: thrift-port, port: 9160, targetPort: thrift-port} + - {name: tcp-port, port: 7000, targetPort: tcp-port} + - {name: ssl-port, port: 7001, targetPort: ssl-port} + selector: + type: hawkular-cassandra + labels: + metrics-infra: hawkular-cassandra + name: hawkular-cassandra + headless: "{{ item == 'cassandra-nodes' }}" + with_items: + - cassandra + - cassandra-nodes diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml new file mode 100644 index 000000000..670396f6e --- /dev/null +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
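Review bot: All three tasks mix Ansible's `key=value` shorthand for `template:` with block-style `vars`, and the ports are written as flow mappings (`- {port: 80, targetPort: http-endpoint}`) while the rest of this commit's task files use block style; install_hawkular.yaml shows the form this file should follow. `obj_name: hawkular-{{item}}` in the cassandra task is a plain scalar starting with a template expression mid-string, which works here but is clearer as `obj_name: "hawkular-{{ item }}"`, matching the quoting used for the other templated values. The cassandra `labels` repeat `hawkular-cassandra` literally where the other two tasks derive them from `obj_name`; a one-line comment that the label is intentionally shared by both services would explain the asymmetry.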
@@ -0,0 +1,57 @@ +--- +- name: generate hawkular-metrics replication controller + template: + src: hawkular_metrics_rc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" +- name: generate hawkular-cassandra replication controllers + template: + src: hawkular_cassandra_rc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-rc{{ item }}.yaml" + vars: + node: "{{ item }}" + master: "{{ (item == '1')|string|lower }}" + with_sequence: count={{ hawkular_cassandra_nodes }} +- name: generate hawkular-cassandra persistent volume claims + template: + src: pvc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" + vars: + obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + labels: + metrics-infra: hawkular-cassandra + access_modes: + - ReadWriteOnce + size: "{{ hawkular_cassandra_pv_size }}" + with_sequence: count={{ hawkular_cassandra_nodes }} + when: hawkular_cassandra_storage_type == 'pv' +- name: generate hawkular-cassandra persistent volume claims (dynamic) + template: + src: pvc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" + vars: + obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + labels: + metrics-infra: hawkular-cassandra + annotations: + volume.alpha.kubernetes.io/storage-class: dynamic + access_modes: + - ReadWriteOnce + size: "{{ hawkular_cassandra_pv_size }}" + with_sequence: count={{ hawkular_cassandra_nodes }} + when: hawkular_cassandra_storage_type == 'dynamic' +- name: generate the hawkular-metrics route + template: + src: route.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml" + vars: + name: hawkular-metrics + labels: + metrics-infra: hawkular-metrics + host: hawkular-metrics.example.com + to: + kind: Service + name: hawkular-metrics + tls: + termination: reencrypt + destination_ca_certificate: > + {{ hawkular_metrics_secret.results[6].stdout|b64decode }} 
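Review bot: The route `host:` is hard-coded to `hawkular-metrics.example.com` even though main.yaml makes `hawkular_metrics_hostname` a required variable and generate_certificates.yaml signs the hawkular-metrics certificate for that hostname; the route should use `host: "{{ hawkular_metrics_hostname }}"`. `destination_ca_certificate` reaches into `hawkular_metrics_secret.results[6]`, a positional index into a loop registered in a different task file, which silently breaks if that list is reordered; reading `ca.crt` directly from the certs directory or a named variable would be more robust. A one-line comment on `master: "{{ (item == '1')|string|lower }}"` stating what the template does with node 1 (seed node, presumably — confirm against hawkular_cassandra_rc.j2) would help readers.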
diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml new file mode 100644 index 000000000..a8f849a88 --- /dev/null +++ b/roles/openshift_metrics/tasks/install_heapster.yaml @@ -0,0 +1,3 @@ +--- +- name: Generate heapster replication controller + template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml new file mode 100644 index 000000000..34b4a47fe --- /dev/null +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -0,0 +1,17 @@ +--- +# This is the base configuration for installing the other components +- name: Create temp directory for doing work in + command: mktemp -td openshift-metrics-ansible-XXXXXX + register: mktemp + changed_when: False + +- debug: msg="Created temp dir {{mktemp.stdout}}" + +- name: Create temp directory for all our templates + file: path={{mktemp.stdout}}/templates state=directory mode=0755 + changed_when: False + +- include: generate_serviceaccounts.yaml +- include: generate_services.yaml +- include: generate_certificates.yaml +- include: generate_rolebindings.yaml diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml new file mode 100644 index 000000000..e9a5fbebd --- /dev/null +++ b/roles/openshift_metrics/tasks/main.yaml 
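Review bot: The work directory created by `mktemp -td openshift-metrics-ansible-XXXXXX` is never removed: the certificates, private keys, keystores and password files generated into it stay on disk on the host the role runs against after the secrets are applied, and nothing in this commit deletes it. Add a final task (after `create objects` in main.yaml), `file: path="{{ mktemp.stdout }}" state=absent`, ideally in an `always` section so it runs on failure too. `changed_when: False` should be `changed_when: false` (yamllint `truthy`). The templates directory is created `mode=0755`, which is only acceptable because it sits inside the 0700 directory mktemp produces; a comment saying so would stop the permissive mode being copied elsewhere.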
@@ -0,0 +1,24 @@ +--- +- name: check that hawkular_metrics_hostname is set + fail: msg='the hawkular_metrics_hostname variable is required' + when: "{{ hawkular_metrics_hostname is not defined }}" +- name: check the value of hawkular_cassandra_storage_type + fail: + msg: > + hawkular_cassandra_storage_type ({{ hawkular_cassandra_storage_type }}) + is invalid, must be one of: emptydir, pv, dynamic + when: hawkular_cassandra_storage_type not in hawkular_cassandra_storage_types +- name: Install Metrics + include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" + with_items: + - metrics + - heapster + - hawkular + loop_control: + loop_var: include_file +- name: create objects + command: > + {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + apply -f {{ item }} + with_fileglob: + - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml new file mode 100644 index 000000000..46ac4ea7f --- /dev/null +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
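Review bot: `create objects` uses `with_fileglob` on `{{ mktemp.stdout }}/templates/*.yaml`, but `with_fileglob` is evaluated on the control node while the `template` tasks in this commit write their `dest` on the managed host; unless the play runs with a local connection the glob matches nothing and no objects are applied. Use the `find` module on the remote (`find: paths="{{ mktemp.stdout }}/templates" patterns="*.yaml"`) and loop over its `files`, or pass the directory itself with `apply -f {{ mktemp.stdout }}/templates`. `when: "{{ hawkular_metrics_hostname is not defined }}"` embeds Jinja delimiters in a conditional, which Ansible warns about; write `when: hawkular_metrics_hostname is not defined`. The `apply -f` task also has no `changed_when`, so every run reports changed.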
@@ -0,0 +1,50 @@ +--- +- name: generate {{ component }} keys + command: > + {{ openshift.common.admin_binary }} ca create-server-cert + --key='{{ mktemp.stdout }}/certs/{{ component }}.key' + --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt' + --hostnames='{{ hostnames }}' + --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' + --signer-key='{{ mktemp.stdout }}/certs/ca.key' + --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' +- name: generate {{ component }} certificate + shell: > + cat + '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key' + '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt' + > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem' +- name: generate random password for the {{ component }} keystore + shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + register: keystore_pwd +- name: create the password file for {{ component }} + shell: > + echo '{{ keystore_pwd.stdout|quote }}' + > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd' +- name: create the {{ component }} pkcs12 from the pem file + command: > + openssl pkcs12 -export + -in '{{ mktemp.stdout }}/certs/{{ component }}.pem' + -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -name '{{ component }}' -noiter -nomaciter + -password 'pass:{{ keystore_pwd.stdout }}' +- name: create the {{ component }} keystore from the pkcs12 file + command: > + keytool -v -importkeystore + -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -srcstoretype PKCS12 + -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' + -deststoretype JKS + -deststorepass '{{ keystore_pwd.stdout }}' + -srcstorepass '{{ keystore_pwd.stdout }}' +- name: create the {{ component }} certificate + command: > + keytool -noprompt -export + -alias '{{ component }}' + -file '{{ mktemp.stdout }}/certs/{{ component }}.cert' + -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' + -storepass '{{ keystore_pwd.stdout }}' +- name: generate random 
password for the {{ component }} truststore + shell: > + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd' -- cgit v1.2.3 From f3f1f610c9e0fdf8115dd8ea61e647080ad42006 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 30 Nov 2016 12:12:14 -0500 Subject: prefix vars with metrics role (#4) --- roles/openshift_metrics/tasks/cleanup.yaml | 4 ++-- .../openshift_metrics/tasks/generate_certificates.yaml | 8 ++++---- .../openshift_metrics/tasks/generate_rolebindings.yaml | 2 +- roles/openshift_metrics/tasks/install_hawkular.yaml | 18 +++++++++--------- roles/openshift_metrics/tasks/main.yaml | 12 ++++++------ 5 files changed, 22 insertions(+), 22 deletions(-) (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml index a61fed7b4..a29faef31 100644 --- a/roles/openshift_metrics/tasks/cleanup.yaml +++ b/roles/openshift_metrics/tasks/cleanup.yaml @@ -1,14 +1,14 @@ --- - name: remove metrics components command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' delete --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" - name: remove rolebindings command: > - {{ openshift.common.client_binary }} -n {{ metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index b1ecf46b9..9f6a3348e 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml 
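Review bot: Both `.pwd` files are written through a shell redirect (`echo '...' > ...-keystore.pwd` and `tr ... | head -c15 > ...-truststore.pwd`), so they receive the shell's default umask rather than an explicit private mode; the 0700 certs directory from generate_certificates.yaml limits exposure, but files holding keystore passwords should be 0600 in their own right. Writing them with `copy` and `mode: "0600"` removes the shell step, and the `no_log: true` lines keep the generated value out of task output (the consumers read the file with `$(< ...)`, which strips a trailing newline, while the `\n` in `content` preserves what `echo` produced for the secret data). The `openssl pkcs12 -noiter -nomaciter` flags disable key-derivation iteration and the MAC on the intermediate PKCS#12; if they are only there for keytool compatibility, a comment saying so would prevent them being treated as a default.
```yaml
- name: create the password file for {{ component }}
  copy:
    content: "{{ keystore_pwd.stdout }}\n"
    dest: "{{ mktemp.stdout }}/certs/{{ component }}-keystore.pwd"
    mode: "0600"
  no_log: true
# … unchanged: pkcs12 / keystore / certificate export tasks …
- name: generate random password for the {{ component }} truststore
  shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
  register: truststore_pwd
  no_log: true
- name: create the truststore password file for {{ component }}
  copy:
    content: "{{ truststore_pwd.stdout }}"
    dest: "{{ mktemp.stdout }}/certs/{{ component }}-truststore.pwd"
    mode: "0600"
  no_log: true
```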
@@ -25,14 +25,14 @@ # TODO maybe there's an easier way to get the service accounts' ca crt? - name: get heapster service account secrets shell: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' get serviceaccount/default --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' | grep ^default-token- register: sa_secret - name: get heapster service account ca command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' get 'secret/{{ sa_secret.stdout }}' --template '{{ '{{index .data "ca.crt"}}' }}' register: sa_secret @@ -54,12 +54,12 @@ heapster.cert: "{{ heapster_secret.results[0].stdout }}" heapster.key: "{{ heapster_secret.results[1].stdout }}" heapster.client-ca: "{{ sa_secret.stdout }}" - heapster.allowed-users: "{{ heapster_allowed_users|b64encode }}" + heapster.allowed-users: "{{ openshift_metrics_heapster_allowed_users|b64encode }}" - name: generate hawkular-metrics certificates include: setup_certificate.yaml vars: component: hawkular-metrics - hostnames: "hawkular-metrics,{{ hawkular_metrics_hostname }}" + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml index d1bc7374a..9a72b24fe 100644 --- a/roles/openshift_metrics/tasks/generate_rolebindings.yaml +++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml @@ -27,4 +27,4 @@ subjects: - kind: ServiceAccount name: heapster - namespace: "{{ metrics_project }}" + namespace: "{{ openshift_metrics_project }}" diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 670396f6e..9a39cce34 100644 
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -10,35 +10,35 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ hawkular_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} - name: generate hawkular-cassandra persistent volume claims template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra access_modes: - ReadWriteOnce - size: "{{ hawkular_cassandra_pv_size }}" - with_sequence: count={{ hawkular_cassandra_nodes }} - when: hawkular_cassandra_storage_type == 'pv' + size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + when: openshift_metrics_hawkular_cassandra_storage_type == 'pv' - name: generate hawkular-cassandra persistent volume claims (dynamic) template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra annotations: volume.alpha.kubernetes.io/storage-class: dynamic access_modes: - ReadWriteOnce - size: "{{ hawkular_cassandra_pv_size }}" - with_sequence: count={{ hawkular_cassandra_nodes }} - when: hawkular_cassandra_storage_type == 'dynamic' + size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' - name: generate the hawkular-metrics route template: src: route.j2 
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index e9a5fbebd..79aae1e0b 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,13 +1,13 @@ --- - name: check that hawkular_metrics_hostname is set - fail: msg='the hawkular_metrics_hostname variable is required' - when: "{{ hawkular_metrics_hostname is not defined }}" -- name: check the value of hawkular_cassandra_storage_type + fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' + when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}" +- name: check the value of openshift_metrics_hawkular_cassandra_storage_type fail: msg: > - hawkular_cassandra_storage_type ({{ hawkular_cassandra_storage_type }}) + openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }}) is invalid, must be one of: emptydir, pv, dynamic - when: hawkular_cassandra_storage_type not in hawkular_cassandra_storage_types + when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types - name: Install Metrics include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" with_items: @@ -18,7 +18,7 @@ loop_var: include_file - name: create objects command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' apply -f {{ item }} with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" -- cgit v1.2.3 From b6ce0464142403785a7ba8eae664286082f4d30e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bruno=20Barcarol=20Guimar=C3=A3es?= Date: Mon, 5 Dec 2016 16:34:32 +0000 Subject: Custom certificates (#5) * Generate secrets on a persistent directory. * Split certificate generation files. * Custom certificates. * Minor fixes. - use `slurp` instead of `shell: base64` - fix route hostname * Updates on origin-metrics. --- .../tasks/generate_certificates.yaml | 237 ++------------------- .../tasks/generate_hawkular_certificates.yaml | 227 ++++++++++++++++++++ .../tasks/generate_heapster_certificates.yaml | 39 ++++ .../openshift_metrics/tasks/install_hawkular.yaml | 8 +- roles/openshift_metrics/tasks/install_metrics.yaml | 2 +- .../openshift_metrics/tasks/setup_certificate.yaml | 60 +++--- 6 files changed, 316 insertions(+), 257 deletions(-) create mode 100644 roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml create mode 100644 roles/openshift_metrics/tasks/generate_heapster_certificates.yaml (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 9f6a3348e..92ce919a1 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml 
@@ -1,233 +1,22 @@ --- -# TODO idempotency? -# TODO support providing custom certificates - name: create certificate output directory file: - path: "{{ mktemp.stdout }}/certs" + path: "{{ openshift_metrics_certs_dir }}" state: directory mode: 0700 +- name: list existing secrets + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + get secrets -o name + register: metrics_secrets + changed_when: false - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert - --key='{{ mktemp.stdout }}/certs/ca.key' - --cert='{{ mktemp.stdout }}/certs/ca.crt' - --serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --key='{{ openshift_metrics_certs_dir }}/ca.key' + --cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" -- name: generate heapster key/cert - command: > - {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/heapster.key' - --cert='{{ mktemp.stdout }}/certs/heapster.cert' - --hostnames=heapster - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' -# TODO maybe there's an easier way to get the service accounts' ca crt? 
-- name: get heapster service account secrets - shell: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get serviceaccount/default - --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' - | grep ^default-token- - register: sa_secret -- name: get heapster service account ca - command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get 'secret/{{ sa_secret.stdout }}' - --template '{{ '{{index .data "ca.crt"}}' }}' - register: sa_secret -- name: read files for the heapster secret - command: base64 --wrap 0 "{{ mktemp.stdout }}/certs/heapster.{{ item }}" - register: heapster_secret - with_items: - - cert - - key -- name: generate heapster secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml" - vars: - name: heapster-secrets - labels: - metrics-infra: heapster - data: - heapster.cert: "{{ heapster_secret.results[0].stdout }}" - heapster.key: "{{ heapster_secret.results[1].stdout }}" - heapster.client-ca: "{{ sa_secret.stdout }}" - heapster.allowed-users: "{{ openshift_metrics_heapster_allowed_users|b64encode }}" -- name: generate hawkular-metrics certificates - include: setup_certificate.yaml - vars: - component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" -- name: generate hawkular-cassandra certificates - include: setup_certificate.yaml - vars: - component: hawkular-cassandra - hostnames: hawkular-cassandra -# TODO keytool as dependency? move key/trust store generation to containers? 
-- name: import the hawkular metrics cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-metrics - -file '{{ mktemp.stdout|quote }}/certs/hawkular-metrics.cert' - -keystore '{{ mktemp.stdout|quote }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the hawkular cassandra cert into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" -- name: import the hawkular cassandra cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the ca certificate into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: import the ca certificate into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: generate password for htpasswd file for hawkular 
metrics - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_password -- name: generate password for hawkular metrics jgroups - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_jgroups_password -- name: generate htpasswd file for hawkular metrics - shell: > - htpasswd -cb - "{{ mktemp.stdout|quote }}/certs/hawkular-metrics.htpasswd" hawkular - '{{ hawkular_metrics_password.stdout }}' -- name: generate the jgroups keystore - command: > - keytool -genseckey -alias hawkular - -keypass {{ hawkular_metrics_jgroups_password.stdout }} - -storepass {{ hawkular_metrics_jgroups_password.stdout }} - -keyalg Blowfish -keysize 56 -storetype JCEKS - -keystore {{ mktemp.stdout }}/certs/hawkular-jgroups.keystore -- name: read files for the hawkular-metrics secret - command: > - base64 --wrap 0 "{{ mktemp.stdout }}/certs/{{ item }}" - register: hawkular_metrics_secret - with_items: - - hawkular-metrics.keystore - - hawkular-metrics-keystore.pwd - - hawkular-metrics.truststore - - hawkular-metrics-truststore.pwd - - hawkular-metrics.htpasswd - - hawkular-metrics.cert - - ca.crt - - hawkular-cassandra.keystore - - hawkular-cassandra-keystore.pwd - - hawkular-cassandra.truststore - - hawkular-cassandra-truststore.pwd - - hawkular-cassandra.pem - - hawkular-cassandra.cert - - hawkular-jgroups.keystore -- name: generate hawkular-metrics-secrets secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml" - vars: - name: hawkular-metrics-secrets - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.keystore: > - "{{ hawkular_metrics_secret.results[0].stdout }}" - hawkular-metrics.keystore.password: > - "{{ hawkular_metrics_secret.results[1].stdout }}" - hawkular-metrics.truststore: > - "{{ hawkular_metrics_secret.results[2].stdout }}" - hawkular-metrics.truststore.password: > - "{{ hawkular_metrics_secret.results[3].stdout }}" - 
hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" - hawkular-metrics.htpasswd.file: > - "{{ hawkular_metrics_secret.results[4].stdout }}" - hawkular-metrics.jgroups.keystore.password: > - "{{ hawkular_metrics_jgroups_password.stdout|b64encode }}" - hawkular-metrics.jgroups.keystore: > - "{{ hawkular_metrics_secret.results[13].stdout }}" - hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" -- name: generate hawkular-metrics-certificate secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" - vars: - name: hawkular-metrics-certificate - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.certificate: > - "{{ hawkular_metrics_secret.results[5].stdout }}" - hawkular-metrics-ca.certificate: > - "{{ hawkular_metrics_secret.results[6].stdout }}" -- name: generate hawkular-metrics-account secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" - vars: - name: hawkular-metrics-account - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" - hawkular-metrics.password: > - "{{ hawkular_metrics_password.stdout|b64encode }}" -- name: generate cassandra secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" - vars: - name: hawkular-cassandra-secrets - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.keystore: "{{ hawkular_metrics_secret.results[7].stdout }}" - cassandra.keystore.password: > - {{ hawkular_metrics_secret.results[8].stdout }} - cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" - cassandra.truststore: "{{ hawkular_metrics_secret.results[9].stdout }}" - cassandra.truststore.password: > - {{ hawkular_metrics_secret.results[10].stdout }} - cassandra.pem: "{{ hawkular_metrics_secret.results[10].stdout }}" -- name: generate cassandra-certificate secret template - 
template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" - vars: - name: hawkular-cassandra-certificate - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.certificate: > - {{ hawkular_metrics_secret.results[11].stdout }} - cassandra-ca.certificate: > - {{ hawkular_metrics_secret.results[7].stdout }} + when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists +- include: generate_heapster_certificates.yaml +- include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml new file mode 100644 index 000000000..4e032ca7e --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
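Review bot: The signer is regenerated only when `ca.key` is absent, while every leaf certificate and truststore in the two included files is guarded only by the existence of its own output file, so removing `ca.key` to rotate the CA leaves the old `heapster`/`hawkular-*` certificates and truststores in place and no longer chaining to the new `ca.crt`. Either register the `generate ca certificate chain` task and force the leaf steps when it changed, or document above it that the whole `openshift_metrics_certs_dir` must be cleared for a rotation. This directory now holds the signer private key persistently on the host; the `mode: 0700` on the directory is the only protection visible here, and files later written into it by shell redirection inherit the process umask. The templated-string form `not '{{ openshift_metrics_certs_dir }}/ca.key'|exists` inside `when` is also flagged by newer Ansible; `when: not (openshift_metrics_certs_dir ~ '/ca.key') | exists` expresses the same check without templating the condition.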
@@ -0,0 +1,227 @@ +--- +- name: generate hawkular-metrics certificates + include: setup_certificate.yaml + vars: + component: hawkular-metrics + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" +- name: generate hawkular-cassandra certificates + include: setup_certificate.yaml + vars: + component: hawkular-cassandra + hostnames: hawkular-cassandra +- name: check existing aliases on the hawkular-cassandra truststore + shell: > + keytool -noprompt -list + -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + | sed -n '7~2s/,.*$//p' + register: hawkular_cassandra_truststore_aliases + changed_when: false +- name: check existing aliases on the hawkular-metrics truststore + shell: > + keytool -noprompt -list + -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + | sed -n '7~2s/,.*$//p' + register: hawkular_metrics_truststore_aliases + changed_when: false +- name: import the hawkular metrics cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-metrics + -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + when: > + 'hawkular-metrics' not in + hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the hawkular cassandra cert into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + 
when: > + 'hawkular-cassandra' not in + hawkular_metrics_truststore_aliases.stdout_lines +- name: import the hawkular cassandra cert into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias hawkular-cassandra + -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + when: > + 'hawkular-cassandra' not in + hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the ca certificate into the cassandra truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ openshift_metrics_certs_dir }}/ca.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + with_items: + - ca + - metricca + - cassandraca + when: item not in hawkular_cassandra_truststore_aliases.stdout_lines +- name: import the ca certificate into the hawkular metrics truststore + shell: > + keytool -noprompt -import -v -trustcacerts + -alias '{{ item }}' + -file '{{ openshift_metrics_certs_dir }}/ca.crt' + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' + -storepass "$(< + '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + with_items: + - ca + - metricca + - cassandraca + when: item not in hawkular_metrics_truststore_aliases.stdout_lines +- name: generate password for hawkular metrics and jgroups + shell: > + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + with_items: + - hawkular-metrics + - hawkular-jgroups-keystore + when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists +- name: generate htpasswd file for hawkular metrics + shell: > + htpasswd -ci + '{{ openshift_metrics_certs_dir 
}}/hawkular-metrics.htpasswd' hawkular + < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd' + when: > + not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists +- name: generate the jgroups keystore + shell: > + p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) + && + keytool -genseckey -alias hawkular + -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS + -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' + when: > + not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists +- name: read files for the hawkular-metrics secret + shell: > + printf '%s: ' '{{ item }}' + && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' + register: hawkular_secrets + with_items: + - ca.crt + - hawkular-metrics.crt + - hawkular-metrics.keystore + - hawkular-metrics-keystore.pwd + - hawkular-metrics.truststore + - hawkular-metrics-truststore.pwd + - hawkular-metrics.pwd + - hawkular-metrics.htpasswd + - hawkular-jgroups.keystore + - hawkular-jgroups-keystore.pwd + - hawkular-cassandra.crt + - hawkular-cassandra.pem + - hawkular-cassandra.keystore + - hawkular-cassandra-keystore.pwd + - hawkular-cassandra.truststore + - hawkular-cassandra-truststore.pwd + changed_when: false +- set_fact: + hawkular_secrets: | + {{ hawkular_secrets.results|map(attribute='stdout')|join(' + ')|from_yaml }} +- name: generate hawkular-metrics-secrets secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml" + vars: + name: hawkular-metrics-secrets + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.keystore: > + {{ hawkular_secrets['hawkular-metrics.keystore'] }} + hawkular-metrics.keystore.password: > + {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }} + hawkular-metrics.truststore: > + {{ hawkular_secrets['hawkular-metrics.truststore'] }} + hawkular-metrics.truststore.password: > + {{ 
hawkular_secrets['hawkular-metrics-truststore.pwd'] }} + hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" + hawkular-metrics.htpasswd.file: > + {{ hawkular_secrets['hawkular-metrics.htpasswd'] }} + hawkular-metrics.jgroups.keystore: > + {{ hawkular_secrets['hawkular-jgroups.keystore'] }} + hawkular-metrics.jgroups.keystore.password: > + {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }} + hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" + when: name not in metrics_secrets.stdout_lines +- name: generate hawkular-metrics-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" + vars: + name: hawkular-metrics-certificate + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.certificate: > + {{ hawkular_secrets['hawkular-metrics.crt'] }} + hawkular-metrics-ca.certificate: > + {{ hawkular_secrets['ca.crt'] }} + when: name not in metrics_secrets.stdout_lines +- name: generate hawkular-metrics-account secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" + vars: + name: hawkular-metrics-account + labels: + metrics-infra: hawkular-metrics + data: + hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" + hawkular-metrics.password: > + {{ hawkular_secrets['hawkular-metrics.pwd'] }} + when: name not in metrics_secrets.stdout_lines +- name: generate cassandra secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" + vars: + name: hawkular-cassandra-secrets + labels: + metrics-infra: hawkular-cassandra + data: + cassandra.keystore: > + {{ hawkular_secrets['hawkular-cassandra.keystore'] }} + cassandra.keystore.password: > + {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }} + cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" + cassandra.truststore: > + {{ hawkular_secrets['hawkular-cassandra.truststore'] }} + 
cassandra.truststore.password: > + {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }} + cassandra.pem: > + {{ hawkular_secrets['hawkular-cassandra.pem'] }} + when: name not in metrics_secrets +- name: generate cassandra-certificate secret template + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" + vars: + name: hawkular-cassandra-certificate + labels: + metrics-infra: hawkular-cassandra + data: + cassandra.certificate: > + {{ hawkular_secrets['hawkular-cassandra.crt'] }} + cassandra-ca.certificate: > + {{ hawkular_secrets['hawkular-cassandra.pem'] }} + when: name not in metrics_secrets.stdout_lines diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml new file mode 100644 index 000000000..2fc449520 --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml 
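Review bot: In the `hawkular-cassandra-certificate` secret, `cassandra-ca.certificate` is filled from `hawkular_secrets['hawkular-cassandra.pem']`, and that `.pem` is produced in setup_certificate.yaml by concatenating the private key and the certificate, so a key named as a CA certificate ships the Cassandra private key; by analogy with the hawkular-metrics counterpart it should presumably be `{{ hawkular_secrets['ca.crt'] }}`. The "already exists" guards also never fire: `list existing secrets` uses `-o name`, which yields `secret/<name>`, yet these tasks test `name not in metrics_secrets.stdout_lines` (and the cassandra-secrets task tests `name not in metrics_secrets`, a substring match on the result dict), so every secret is re-templated on each run — `when: ('secret/' ~ name) not in metrics_secrets.stdout_lines` would match what the heapster task does. Separately, the JGroups keystore is generated with `-keyalg Blowfish -keysize 56`, i.e. a 56-bit key; if the hawkular-metrics image's JGroups encryption configuration accepts it, an AES key of at least 128 bits would be the better default, and either way the choice deserves a comment on that task.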
@@ -0,0 +1,39 @@
+---
+- name: generate heapster key/cert
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --key='{{ openshift_metrics_certs_dir }}/heapster.key'
+ --cert='{{ openshift_metrics_certs_dir }}/heapster.cert'
+ --hostnames=heapster
+ --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
+ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
+ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ when: not '{{ openshift_metrics_certs_dir }}/heapster.key'|exists
+- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
+ block:
+ - name: read files for the heapster secret
+ slurp: src={{ item }}
+ register: heapster_secret
+ with_items:
+ - "{{ openshift_metrics_certs_dir }}/heapster.cert"
+ - "{{ openshift_metrics_certs_dir }}/heapster.key"
+ - "{{ client_ca }}"
+ vars:
+ custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt"
+ default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"
+ - name: generate heapster secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
+ force: no
+ vars:
+ name: heapster-secrets
+ labels:
+ metrics-infra: heapster
+ data:
+ heapster.cert: "{{ heapster_secret.results[0].content }}"
+ heapster.key: "{{ heapster_secret.results[1].content }}"
+ heapster.client-ca: "{{ heapster_secret.results[2].content }}"
+ heapster.allowed-users: >
+ {{ openshift_metrics_heapster_allowed_users|b64encode }}
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
index 9a39cce34..d7a029fa8 100644
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
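Review bot: `heapster.client-ca` now falls back to the master `ca-bundle.crt` when no `heapster_client_ca.crt` is supplied, whereas the removed code in the previous hunk took `ca.crt` from the default service account's token secret; the master bundle may trust additional issuers, so client-certificate authentication to heapster is only as tight as `heapster.allowed-users`. A comment on `default_ca:` stating that this is the intended trust anchor and that allowed-users is the effective control would make the choice explicit, or confirm that both files carry the same CA in this deployment. The key/cert pair is also regenerated only when `heapster.key` is missing, so a missing or stale `heapster.cert` (for example after the signer was regenerated) is not detected and the `slurp` either fails or ships a certificate that no longer chains; testing both files, `when: not (openshift_metrics_certs_dir ~ '/heapster.key') | exists or not (openshift_metrics_certs_dir ~ '/heapster.cert') | exists`, is the minimal guard.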
@@ -39,6 +39,9 @@ size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' +- name: read hawkular-metrics route destination ca certificate + slurp: src={{ openshift_metrics_certs_dir }}/ca.crt + register: metrics_route_dest_ca_cert - name: generate the hawkular-metrics route template: src: route.j2 @@ -47,11 +50,10 @@ name: hawkular-metrics labels: metrics-infra: hawkular-metrics - host: hawkular-metrics.example.com + host: "{{ openshift_metrics_hawkular_metrics_hostname }}" to: kind: Service name: hawkular-metrics tls: termination: reencrypt - destination_ca_certificate: > - {{ hawkular_metrics_secret.results[6].stdout|b64decode }} + destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}" diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 34b4a47fe..5d95fa112 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -11,7 +11,7 @@ file: path={{mktemp.stdout}}/templates state=directory mode=0755 changed_when: False +- include: generate_certificates.yaml - include: generate_serviceaccounts.yaml - include: generate_services.yaml -- include: generate_certificates.yaml - include: generate_rolebindings.yaml diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 46ac4ea7f..d6ee4167b 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
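Review bot: `destination_ca_certificate` is now set to `metrics_route_dest_ca_cert.content`, which `slurp` returns base64-encoded, while the replaced line decoded the value with `|b64decode`; a Route's `tls.destinationCACertificate` is PEM text, so unless `route.j2` decodes it the router cannot validate the hawkular-metrics backend of this reencrypt route. Suggest `destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}"`, or moving the decode into the template with a comment saying the variable arrives base64-encoded. route.j2 is outside this diff, so this is inferred from the two lines shown.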
@@ -2,49 +2,51 @@ - name: generate {{ component }} keys command: > {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/{{ component }}.key' - --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt' + --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' + --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' + --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists - name: generate {{ component }} certificate shell: > cat - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key' - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt' - > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.key' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.crt' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.pem' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore - shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - register: keystore_pwd -- name: create the password file for {{ component }} shell: > - echo '{{ keystore_pwd.stdout|quote }}' - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd' + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd' + when: > + not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ mktemp.stdout }}/certs/{{ 
component }}.pem' - -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter - -password 'pass:{{ keystore_pwd.stdout }}' + -password + 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: create the {{ component }} keystore from the pkcs12 file - command: > + shell: > + p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) + && keytool -v -importkeystore - -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -srckeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -srcstoretype PKCS12 - -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' + -destkeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore' -deststoretype JKS - -deststorepass '{{ keystore_pwd.stdout }}' - -srcstorepass '{{ keystore_pwd.stdout }}' -- name: create the {{ component }} certificate - command: > - keytool -noprompt -export - -alias '{{ component }}' - -file '{{ mktemp.stdout }}/certs/{{ component }}.cert' - -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' - -storepass '{{ keystore_pwd.stdout }}' + -deststorepass "$p" + -srcstorepass "$p" + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - name: generate random password for the {{ component }} truststore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-truststore.pwd' + when: > + not + '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists -- cgit v1.2.3 From ee931f90dbab01596bd90fa8007ac49de5178a17 Mon Sep 17 00:00:00 2001 
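Review bot: The pkcs12 export now reads its password from a file, which keeps it out of the process list, but the `keytool -importkeystore` step still passes it as arguments via `-deststorepass "$p" -srcstorepass "$p"`, where it is visible to any local user running `ps` for the duration of the command; keytool accepts `-srcstorepass:file <path>` and `-deststorepass:file <path>`, which would remove the shell variable entirely. The `.pem` (private key concatenated with the certificate), the `.pkcs12` and the `-keystore.pwd`/`-truststore.pwd` files are created by shell redirection or openssl with umask-default permissions and are never removed, so their confidentiality rests solely on the directory mode; prefixing these `shell:` tasks with `umask 077 &&` (or following them with `file:` tasks setting `mode: 0600`) keeps them protected if the directory mode is ever relaxed. `-noiter -nomaciter` additionally disables PBE iteration on the pkcs12, which is tolerable only for a transient file — yet the file persists here and is not cleaned up after the keystore is built.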
From: Jeff Cantrill Date: Wed, 14 Dec 2016 14:36:28 -0500 Subject: Add tasks to uninstall metrics (#7) --- roles/openshift_metrics/tasks/cleanup.yaml | 14 ----------- roles/openshift_metrics/tasks/install_metrics.yaml | 24 +++++++------------ roles/openshift_metrics/tasks/install_support.yaml | 5 ++++ roles/openshift_metrics/tasks/main.yaml | 27 +++++++++++++++------- .../openshift_metrics/tasks/uninstall_metrics.yaml | 14 +++++++++++ 5 files changed, 46 insertions(+), 38 deletions(-) delete mode 100644 roles/openshift_metrics/tasks/cleanup.yaml create mode 100644 roles/openshift_metrics/tasks/install_support.yaml create mode 100644 roles/openshift_metrics/tasks/uninstall_metrics.yaml (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml deleted file mode 100644 index a29faef31..000000000 --- a/roles/openshift_metrics/tasks/cleanup.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: remove metrics components - command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - delete --selector=metrics-infra - all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings - register: delete_metrics - changed_when: "delete_metrics.stdout != 'No resources found'" -- name: remove rolebindings - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - delete --ignore-not-found - rolebinding/hawkular-view - clusterrolebinding/heapster-cluster-reader diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 5d95fa112..db023e6a2 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml 
@@ -1,17 +1,9 @@ --- -# This is the base configuration for installing the other components -- name: Create temp directory for doing work in - command: mktemp -td openshift-metrics-ansible-XXXXXX - register: mktemp - changed_when: False - -- debug: msg="Created temp dir {{mktemp.stdout}}" - -- name: Create temp directory for all our templates - file: path={{mktemp.stdout}}/templates state=directory mode=0755 - changed_when: False - -- include: generate_certificates.yaml -- include: generate_serviceaccounts.yaml -- include: generate_services.yaml -- include: generate_rolebindings.yaml +- name: Install Metrics + include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" + with_items: + - support + - heapster + - hawkular + loop_control: + loop_var: include_file diff --git a/roles/openshift_metrics/tasks/install_support.yaml b/roles/openshift_metrics/tasks/install_support.yaml new file mode 100644 index 000000000..b0e4bec80 --- /dev/null +++ b/roles/openshift_metrics/tasks/install_support.yaml @@ -0,0 +1,5 @@ +--- +- include: generate_certificates.yaml +- include: generate_serviceaccounts.yaml +- include: generate_services.yaml +- include: generate_rolebindings.yaml diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index 79aae1e0b..adedd4069 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml 
@@ -2,20 +2,31 @@ - name: check that hawkular_metrics_hostname is set fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}" + - name: check the value of openshift_metrics_hawkular_cassandra_storage_type fail: msg: > openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }}) is invalid, must be one of: emptydir, pv, dynamic when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types -- name: Install Metrics - include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" - with_items: - - metrics - - heapster - - hawkular - loop_control: - loop_var: include_file + +- name: Create temp directory for doing work in + command: mktemp -td openshift-metrics-ansible-XXXXXX + register: mktemp + changed_when: False + +- debug: msg="Created temp dir {{mktemp.stdout}}" + +- name: Create temp directory for all our templates + file: path={{mktemp.stdout}}/templates state=directory mode=0755 + changed_when: False + +- include: "{{role_path}}/tasks/install_metrics.yaml" + when: openshift_metrics_install_metrics | default(false) | bool + +- include: "{{role_path}}/tasks/uninstall_metrics.yaml" + when: not openshift_metrics_install_metrics | default(false) | bool + - name: create objects command: > {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml new file mode 100644 index 000000000..a29faef31 --- /dev/null +++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml 
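Review bot: `openshift_metrics_install_metrics | default(false)` makes uninstall the default path: running the role without that variable defined includes uninstall_metrics.yaml, which deletes the project's labelled metrics objects including PVCs. A destructive action should not be what an unset variable selects; either require the variable explicitly with a `fail` task when it is undefined, as the hostname check at the top of this file already does, or keep the teardown behind a separate opt-in such as `when: openshift_metrics_uninstall_metrics | default(false) | bool`. The uninstall task list itself is in the next hunk; only the selection logic is reviewed here.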
@@ -0,0 +1,14 @@
+---
+- name: remove metrics components
+ command: >
+ {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}'
+ delete --selector=metrics-infra
+ all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings
+ register: delete_metrics
+ changed_when: "delete_metrics.stdout != 'No resources found'"
+- name: remove rolebindings
+ command: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }}
+ delete --ignore-not-found
+ rolebinding/hawkular-view
+ clusterrolebinding/heapster-cluster-reader
-- cgit v1.2.3 From 84b1c4848f610c5792809bb2e9e5b0d8f77ea50c Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 14 Dec 2016 14:40:36 -0500 Subject: copy admin cert for use in subsequent tasks (#8) --- roles/openshift_metrics/tasks/generate_certificates.yaml | 4 +++- .../tasks/generate_heapster_certificates.yaml | 4 +++- roles/openshift_metrics/tasks/main.yaml | 12 ++++++++++-- roles/openshift_metrics/tasks/setup_certificate.yaml | 1 + roles/openshift_metrics/tasks/uninstall_metrics.yaml | 4 ++-- 5 files changed, 19 insertions(+), 6 deletions(-) (limited to 'roles/openshift_metrics/tasks')
diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml
index 92ce919a1..66cfbca03 100644
--- a/roles/openshift_metrics/tasks/generate_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_certificates.yaml
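Review bot: The label-selector delete in `remove metrics components` includes `pvc`, so an uninstall removes the Cassandra persistent volume claims and with them all retained metrics; nothing here warns about or gates that data loss. Consider dropping `pvc` from the resource list unless an explicit variable is set (e.g. a second task with `when: openshift_metrics_remove_pvcs | default(false) | bool`) and naming the data loss in the task name. The `changed_when` compares only stdout with `'No resources found'`; depending on the client version that message is written to stderr, in which case the task reports changed on every run even when nothing was deleted — checking `delete_metrics.stdout_lines | length > 0` would be more reliable, though this should be confirmed against the `oc` version in use.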
@@ -7,16 +7,18 @@ - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig get secrets -o name register: metrics_secrets changed_when: false - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert + --config={{ mktemp.stdout }}/admin.kubeconfig --key='{{ openshift_metrics_certs_dir }}/ca.key' --cert='{{ openshift_metrics_certs_dir }}/ca.crt' --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" - when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists + when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists - include: generate_heapster_certificates.yaml - include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml index 2fc449520..2449b1518 100644 --- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml @@ -2,13 +2,15 @@ - name: generate heapster key/cert command: > {{ openshift.common.admin_binary }} ca create-server-cert + --config={{ mktemp.stdout }}/admin.kubeconfig --key='{{ openshift_metrics_certs_dir }}/heapster.key' --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' --hostnames=heapster --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/heapster.key'|exists + when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists + - when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines" block: - name: read files for the heapster secret 
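Review bot: Both hunks keep the `when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists` idiom (and its `heapster.key` twin), which places `{{ }}` delimiters inside a `when` expression that Ansible already templates; it works only through double evaluation and newer releases warn about it. The `command`/`shell` modules have a `creates` argument for exactly this guard — `args: creates: "{{ openshift_metrics_certs_dir }}/ca.key"` — which also makes the task idempotent without a separate test. Separately, the signer is created as `--name="metrics-signer@$(date +%s)"` with no explicit validity (`--expire-days` is left at the client default); a short comment on the task naming the intended lifetime and how the CA is rotated would help whoever operates this.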
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index adedd4069..d4bafdc30 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,7 +1,7 @@ --- - name: check that hawkular_metrics_hostname is set fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}" + when: openshift_metrics_hawkular_metrics_hostname is not defined - name: check the value of openshift_metrics_hawkular_cassandra_storage_type fail: @@ -21,6 +21,13 @@ file: path={{mktemp.stdout}}/templates state=directory mode=0755 changed_when: False +- name: Copy the admin client config(s) + command: > + cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig + changed_when: False + check_mode: no + tags: metrics_init + - include: "{{role_path}}/tasks/install_metrics.yaml" when: openshift_metrics_install_metrics | default(false) | bool @@ -29,7 +36,8 @@ - name: create objects command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{ item }} with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index d6ee4167b..52e748234 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml @@ -2,6 +2,7 @@ - name: generate {{ component }} keys command: > {{ openshift.common.admin_binary }} ca create-server-cert + --config={{ mktemp.stdout }}/admin.kubeconfig --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' --hostnames='{{ hostnames }}' 
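Review bot: The admin kubeconfig copied into `{{ mktemp.stdout }}` by the new main.yaml task is never removed in any hunk of this commit, and `cp` without `-p` gives the copy umask-derived permissions rather than the source's. `mktemp -d` makes the parent 0700, which limits exposure, but a cluster-admin credential should not outlive the run: add `- file: path={{ mktemp.stdout }} state=absent` as the final task of main.yaml (inside an `always:` if the includes are wrapped in a block, so it also runs on failure), and prefer `copy` with `remote_src: yes` and `mode: "0600"` over the raw `cp`. The main.yaml task list continues outside the hunk, so a cleanup further down would not be visible here.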
diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml index a29faef31..cf9b5171c 100644 --- a/roles/openshift_metrics/tasks/uninstall_metrics.yaml +++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml @@ -1,14 +1,14 @@ --- - name: remove metrics components command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig delete --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" - name: remove rolebindings command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader -- cgit v1.2.3 From 9d0b2eed6f2b897280660949d12e09a3b7993b2b Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 15 Dec 2016 10:34:58 -0500 Subject: rename variables to be less extraneous (#10) --- roles/openshift_metrics/tasks/install_hawkular.yaml | 21 ++++++++++++--------- roles/openshift_metrics/tasks/main.yaml | 6 +++--- 2 files changed, 15 insertions(+), 12 deletions(-) (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index d7a029fa8..6e503c8c1 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
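Review bot: Appending `--config={{ mktemp.stdout }}/admin.kubeconfig` to the end of the `-n` line in both tasks produces lines well past 100 characters, whereas the other files in this commit (generate_certificates.yaml, setup_certificate.yaml) put the flag on its own folded line. Moving it to its own line directly under the `{{ openshift.common.client_binary }}` line keeps the folded scalars consistent and easier to diff.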
@@ -10,35 +10,38 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_nodes }} + - name: generate hawkular-cassandra persistent volume claims template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra access_modes: - ReadWriteOnce - size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} - when: openshift_metrics_hawkular_cassandra_storage_type == 'pv' + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_nodes }} + when: openshift_metrics_cassandra_storage_type == 'pv' + - name: generate hawkular-cassandra persistent volume claims (dynamic) template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra annotations: volume.alpha.kubernetes.io/storage-class: dynamic access_modes: - ReadWriteOnce - size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} - when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_nodes }} + when: openshift_metrics_cassandra_storage_type == 'dynamic' + - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert 
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index d4bafdc30..74abd120f 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -3,12 +3,12 @@ fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' when: openshift_metrics_hawkular_metrics_hostname is not defined -- name: check the value of openshift_metrics_hawkular_cassandra_storage_type +- name: check the value of openshift_metrics_cassandra_storage_type fail: msg: > - openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }}) + openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) is invalid, must be one of: emptydir, pv, dynamic - when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types + when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - name: Create temp directory for doing work in command: mktemp -td openshift-metrics-ansible-XXXXXX -- cgit v1.2.3 From 765fb5ce39fdca0b56a23f6d13650fe16debf20a Mon Sep 17 00:00:00 2001 
From: Jeff Cantrill Date: Thu, 15 Dec 2016 15:48:09 -0500 Subject: update vars to allow scaling of components (#9) --- .../openshift_metrics/tasks/install_hawkular.yaml | 2 + roles/openshift_metrics/tasks/install_metrics.yaml | 25 ++++++++++ roles/openshift_metrics/tasks/main.yaml | 19 -------- roles/openshift_metrics/tasks/scale.yaml | 27 +++++++++++ roles/openshift_metrics/tasks/start_metrics.yaml | 52 ++++++++++++++++++++ roles/openshift_metrics/tasks/stop_metrics.yaml | 56 ++++++++++++++++++++++ .../openshift_metrics/tasks/uninstall_metrics.yaml | 7 ++- 7 files changed, 168 insertions(+), 20 deletions(-) create mode 100644 roles/openshift_metrics/tasks/scale.yaml create mode 100644 roles/openshift_metrics/tasks/start_metrics.yaml create mode 100644 roles/openshift_metrics/tasks/stop_metrics.yaml (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 6e503c8c1..1acc8948d 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -3,6 +3,7 @@ template: src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" + - name: generate hawkular-cassandra replication controllers template: src: hawkular_cassandra_rc.j2 @@ -45,6 +46,7 @@ - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert + - name: generate the hawkular-metrics route template: src: route.j2 diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index db023e6a2..a6a094a83 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml 
@@ -1,4 +1,15 @@ --- +- name: check that hawkular_metrics_hostname is set + fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' + when: openshift_metrics_hawkular_metrics_hostname is not defined + +- name: check the value of openshift_metrics_cassandra_storage_type + fail: + msg: > + openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) + is invalid, must be one of: emptydir, pv, dynamic + when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types + - name: Install Metrics include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" with_items: @@ -7,3 +18,17 @@ - hawkular loop_control: loop_var: include_file + +- name: create objects + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + apply -f {{ item }} + with_fileglob: + - "{{ mktemp.stdout }}/templates/*.yaml" + +- name: Scaling up cluster + include: start_metrics.yaml + tags: openshift_metrics_start_cluster + when: + - openshift_metrics_start_cluster | default(true) | bool diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index 74abd120f..e8c74b8dc 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml 
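Review bot: The new `create objects` task iterates `with_fileglob` over `{{ mktemp.stdout }}/templates/*.yaml`, but `fileglob` is a lookup plugin and lookups run on the control node, while that directory was created by `mktemp` on the managed host. Unless this role is only ever run against the master over a local connection (which the hunk cannot confirm), the glob expands to nothing and no objects are applied. A host-side alternative is a `find` task with `paths: "{{ mktemp.stdout }}/templates"` and `patterns: '*.yaml'` registered into a variable, then `with_items: "{{ found.files | map(attribute='path') | list }}"`.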
@@ -1,15 +1,4 @@ --- -- name: check that hawkular_metrics_hostname is set - fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: openshift_metrics_hawkular_metrics_hostname is not defined - -- name: check the value of openshift_metrics_cassandra_storage_type - fail: - msg: > - openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) - is invalid, must be one of: emptydir, pv, dynamic - when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - - name: Create temp directory for doing work in command: mktemp -td openshift-metrics-ansible-XXXXXX register: mktemp @@ -33,11 +22,3 @@ - include: "{{role_path}}/tasks/uninstall_metrics.yaml" when: not openshift_metrics_install_metrics | default(false) | bool - -- name: create objects - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - --config={{ mktemp.stdout }}/admin.kubeconfig - apply -f {{ item }} - with_fileglob: - - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml new file mode 100644 index 000000000..031336a01 --- /dev/null +++ b/roles/openshift_metrics/tasks/scale.yaml 
@@ -0,0 +1,27 @@ +--- +- shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} + --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_metrics_project}} + register: replica_count + failed_when: "replica_count.rc == 1 and 'exists' not in replica_count.stderr" + when: not ansible_check_mode + +- shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}} + --replicas={{desired}} -n {{openshift_metrics_project}} + register: scale_result + failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr + when: + - replica_count.stdout != desired + - not ansible_check_mode + +- name: Waiting for {{object}} to scale to {{desired}} + shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_metrics_project}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}' + register: replica_counts + until: replica_counts.stdout.find("{{desired}}") != -1 + retries: 30 + delay: 10 + when: + - replica_count.stdout != desired + - not ansible_check_mode diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml new file mode 100644 index 000000000..99d593dd7 --- /dev/null +++ b/roles/openshift_metrics/tasks/start_metrics.yaml 
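Review bot: The `when` conditions compare `replica_count.stdout` (a string) with `desired`, which start_metrics.yaml and stop_metrics.yaml pass as bare integers (`desired: 1`, `desired: 0`), so `'1' != 1` is always true and the scale and wait tasks run on every invocation; compare as `replica_count.stdout|int != desired|int`. In check mode the first task is skipped, so `replica_count.stdout` is undefined when the second task's `when` list is evaluated, and the list is evaluated in order — putting `not ansible_check_mode` first lets the short-circuit skip it cleanly. The wait loop's `until: replica_counts.stdout.find("{{desired}}") != -1` is a substring test, so a desired count of `1` is satisfied by `10`; an exact comparison such as `until: replica_counts.stdout|trim == desired|string` is safer. The `failed_when: "… and 'exists' not in …stderr"` clauses suppress every rc==1 whose stderr contains `exists`; it is not clear from the hunk which client message that targets, so a comment naming it would help.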
@@ -0,0 +1,52 @@ +--- +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-cassandra + -o name + -n {{openshift_metrics_project}} + register: metrics_cassandra_rc + +- name: Start Hawkular Cassandra + include: scale.yaml + vars: + desired: 1 + with_items: "{{metrics_cassandra_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name + -n {{openshift_metrics_project}} + register: metrics_metrics_rc + +- name: Start Hawkular Metrics + include: scale.yaml + vars: + desired: "{{openshift_metrics_hawkular_replicas}}" + with_items: "{{metrics_metrics_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=heapster + -o name + -n {{openshift_metrics_project}} + register: metrics_heapster_rc + check_mode: no + +- name: Start Heapster + include: scale.yaml + vars: + desired: 1 + with_items: "{{metrics_heapster_rc.stdout_lines}}" + loop_control: + loop_var: object diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml new file mode 100644 index 000000000..79556e923 --- /dev/null +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml 
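Review bot: Only the heapster `get rc` task carries `check_mode: no`; the cassandra and hawkular-metrics lookups above it are skipped in check mode, so `metrics_cassandra_rc.stdout_lines` and `metrics_metrics_rc.stdout_lines` are undefined when their `with_items` is evaluated and the play errors out. Add `check_mode: no` to all three and, since they are read-only `oc get` calls, `changed_when: false` as well — as written each reports changed on every run. `metrics_metrics_rc` is also an awkward register name; `metrics_hawkular_rc`, as stop_metrics.yaml uses for the same query, reads better.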
@@ -0,0 +1,56 @@ +--- +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=heapster + -o name + -n {{openshift_metrics_project}} + register: metrics_heapster_rc + changed_when: "'No resources found' not in metrics_heapster_rc.stderr" + check_mode: no + +- name: Stop Heapster + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_heapster_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name + -n {{openshift_metrics_project}} + register: metrics_hawkular_rc + changed_when: "'No resources found' not in metrics_hawkular_rc.stderr" + +- name: Stop Hawkular Metrics + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_hawkular_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -o name + -l metrics-infra=hawkular-cassandra + -n {{openshift_metrics_project}} + register: metrics_cassandra_rc + changed_when: "'No resources found' not in metrics_cassandra_rc.stderr" + +- name: Stop Hawkular Cassandra + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_cassandra_rc.stdout_lines}}" + loop_control: + loop_var: object + when: metrics_cassandra_rc is defined + diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml index cf9b5171c..8a6be6237 100644 --- a/roles/openshift_metrics/tasks/uninstall_metrics.yaml +++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml 
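Review bot: The `changed_when: "'No resources found' not in metrics_heapster_rc.stderr"` lines (and their hawkular and cassandra twins) mark a read-only `oc get rc -o name` as changed whenever the objects exist, which is the normal case; these lookups should be `changed_when: false`, leaving the scale include as the only task that reports change. Only the first lookup has `check_mode: no`, so the other two yield undefined `stdout_lines` in check mode, and only the last include carries `when: metrics_cassandra_rc is defined` — apply the same treatment to all three pairs or to none. The file also ends with an extra blank line after the last task.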
@@ -1,14 +1,19 @@ --- +- name: stop metrics + include: stop_metrics.yaml + - name: remove metrics components command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig - delete --selector=metrics-infra + delete --ignore-not-found --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" + - name: remove rolebindings command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader + changed_when: "delete_metrics.stdout != 'No resources found'" -- cgit v1.2.3 From 1e8928c96627218fdc422bfa3731f790699abfbb Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Fri, 6 Jan 2017 11:23:28 -0500 Subject: User provided certs pushed from control. vars reorg (#12) Merging per discussion and agreement from @bbguimaraes --- .../tasks/generate_certificates.yaml | 2 + .../tasks/generate_hawkular_certificates.yaml | 2 +- .../openshift_metrics/tasks/install_hawkular.yaml | 47 ++++++++++++++-------- roles/openshift_metrics/tasks/install_metrics.yaml | 4 +- 4 files changed, 35 insertions(+), 20 deletions(-) (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 66cfbca03..16a967aa7 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -4,6 +4,7 @@ path: "{{ openshift_metrics_certs_dir }}" state: directory mode: 0700 + - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} 
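Review bot: The `changed_when: "delete_metrics.stdout != 'No resources found'"` added to `remove rolebindings` tests the register of the previous task — this task has no `register` of its own, so its changed status follows whatever the first delete printed. Register it under its own name, `register: delete_rolebindings`, and test that result; with `--ignore-not-found` the client may print nothing at all on a miss, so an empty-output test, `changed_when: delete_rolebindings.stdout | length > 0`, is more robust than matching a message (the same applies to the first task now that it also passes `--ignore-not-found`).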
@@ -11,6 +12,7 @@ get secrets -o name register: metrics_secrets changed_when: false + - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 4e032ca7e..f36175735 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -3,7 +3,7 @@ include: setup_certificate.yaml vars: component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}" - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 1acc8948d..34a8c58b8 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -11,7 +11,7 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} - name: generate hawkular-cassandra persistent volume claims template: @@ -24,7 +24,7 @@ access_modes: - ReadWriteOnce size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'pv' - name: generate hawkular-cassandra persistent volume claims (dynamic) 
@@ -40,25 +40,38 @@ access_modes: - ReadWriteOnce size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'dynamic' - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert -- name: generate the hawkular-metrics route - template: - src: route.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml" - vars: - name: hawkular-metrics - labels: - metrics-infra: hawkular-metrics - host: "{{ openshift_metrics_hawkular_metrics_hostname }}" - to: - kind: Service +- block: + - set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }} + when: openshift_metrics_hawkular_key | exists + + - set_fact: hawkular_cert={{ lookup('file', openshift_metrics_hawkular_cert) }} + when: openshift_metrics_hawkular_cert | exists + + - set_fact: hawkular_ca={{ lookup('file', openshift_metrics_hawkular_ca) }} + when: openshift_metrics_hawkular_ca | exists + + - name: generate the hawkular-metrics route + template: + src: route.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml" + vars: name: hawkular-metrics - tls: - termination: reencrypt - destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}" + labels: + metrics-infra: hawkular-metrics + host: "{{ openshift_metrics_hawkular_hostname }}" + to: + kind: Service + name: hawkular-metrics + tls: + termination: reencrypt + key: "{{ hawkular_key | default('') }}" + certificate: "{{ hawkular_cert | default('') }}" + ca_certificate: "{{ hawkular_ca | default('') }}" + destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}" diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index a6a094a83..b45629b70 100644 
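Review bot: The three `set_fact` tasks load a user-supplied TLS private key, certificate and CA into facts and the route template then embeds them, but none of these tasks sets `no_log: true`, so the key material is echoed with `-v` and, when fact caching is enabled, persisted by the cache plugin. Add `no_log: true` to the `hawkular_key` set_fact and to the `generate the hawkular-metrics route` template task. `when: openshift_metrics_hawkular_key | exists` raises rather than skips if the variable is undefined; if defaults/main.yaml does not define these three variables (not visible here), use `openshift_metrics_hawkular_key is defined and openshift_metrics_hawkular_key | exists`. The `block:` carries no `when` of its own and so only adds indentation; give it a condition or flatten it.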
--- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,7 +1,7 @@ --- - name: check that hawkular_metrics_hostname is set - fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: openshift_metrics_hawkular_metrics_hostname is not defined + fail: msg='the openshift_metrics_hawkular_hostname variable is required' + when: openshift_metrics_hawkular_hostname is not defined - name: check the value of openshift_metrics_cassandra_storage_type fail: -- cgit v1.2.3 From b097d9f595c378ce35a2d35f2bd4749c3aa5d77d Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Fri, 6 Jan 2017 11:27:18 -0500 Subject: set replicas to current value so not to disrupt current pods (#13) --- roles/openshift_metrics/tasks/install_hawkular.yaml | 20 ++++++++++++++++++++ roles/openshift_metrics/tasks/install_heapster.yaml | 9 +++++++++ 2 files changed, 29 insertions(+) (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 34a8c58b8..b377b6299 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
@@ -1,8 +1,27 @@ --- +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc hawkular-metrics --template=\{\{.spec.replicas\}\} || echo 0 + register: hawkular_metrics_replica_count + changed_when: false + - name: generate hawkular-metrics replication controller template: src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" + vars: + replica_count: "{{hawkular_metrics_replica_count.stdout}}" + +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc hawkular-cassandra-{{node}} --template=\{\{.spec.replicas\}\} || echo 0 + vars: + node: "{{ item }}" + register: cassandra_replica_count + changed_when: false + with_sequence: count={{ openshift_metrics_cassandra_replicas }} - name: generate hawkular-cassandra replication controllers template: @@ -11,6 +30,7 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" + replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} - name: generate hawkular-cassandra persistent volume claims diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml index a8f849a88..63ea7e943 100644 --- a/roles/openshift_metrics/tasks/install_heapster.yaml +++ b/roles/openshift_metrics/tasks/install_heapster.yaml @@ -1,3 +1,12 @@ --- +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc heapster --template=\{\{.spec.replicas\}\} || echo 0 + register: heapster_replica_count + changed_when: false + - name: Generate heapster replication controller template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml + vars: + replica_count: "{{heapster_replica_count.stdout}}" -- cgit v1.2.3 
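Review bot: `get rc hawkular-metrics --template=\{\{.spec.replicas\}\} || echo 0` treats every failure of the lookup as "no controller yet": an expired kubeconfig, an API outage or a wrong namespace all yield `0`, and the templated RC is then applied with `replicas: 0`, scaling the running pods away — the opposite of what the commit title intends. Let the lookup fail loudly and map only the not-found case to zero, e.g. `get rc hawkular-metrics --ignore-not-found --template=\{\{.spec.replicas\}\}` without the `|| echo 0`, and `replica_count: "{{ hawkular_metrics_replica_count.stdout | default('0', true) }}"` in the template vars. The same pattern is in the cassandra lookup below, in this commit's install_heapster.yaml hunk, and survives the `-o jsonpath` rewrite in the later "additional code reviews" install_hawkular.yaml hunk.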
From a5f6e3f684a3294056d4d4e224226b90acc062e6 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 11 Jan 2017 14:07:19 -0500 Subject: additional code reviews --- .../tasks/generate_hawkular_certificates.yaml | 43 +++++++++++++++++----- .../tasks/generate_rolebindings.yaml | 3 ++ .../tasks/generate_serviceaccounts.yaml | 2 + .../openshift_metrics/tasks/generate_services.yaml | 4 ++ .../openshift_metrics/tasks/install_hawkular.yaml | 19 +++++++--- .../openshift_metrics/tasks/install_heapster.yaml | 7 ++-- roles/openshift_metrics/tasks/main.yaml | 6 +-- roles/openshift_metrics/tasks/scale.yaml | 17 +++++---- .../openshift_metrics/tasks/setup_certificate.yaml | 21 +++++++---- roles/openshift_metrics/tasks/start_metrics.yaml | 8 ++-- roles/openshift_metrics/tasks/stop_metrics.yaml | 6 +-- 11 files changed, 94 insertions(+), 42 deletions(-) (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index f36175735..995440598 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
@@ -4,31 +4,37 @@ vars: component: hawkular-metrics hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}" + changed_when: no + - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: component: hawkular-cassandra hostnames: hawkular-cassandra + changed_when: no + - name: check existing aliases on the hawkular-cassandra truststore shell: > keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore + -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + '{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd')" | sed -n '7~2s/,.*$//p' register: hawkular_cassandra_truststore_aliases changed_when: false + - name: check existing aliases on the hawkular-metrics truststore shell: > keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore + -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + '{{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd')" | sed -n '7~2s/,.*$//p' register: hawkular_metrics_truststore_aliases changed_when: false + - name: import the hawkular metrics cert into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' @@ -38,8 +44,9 @@ when: > 'hawkular-metrics' not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the hawkular cassandra cert into the hawkular metrics truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' 
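Review bot: `{{ openshift_metrics_certs_dir|quote }}` is applied inside an argument that is already single-quoted (`'{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd'`); `quote` emits its own single quotes whenever the value needs them, so a directory containing a space renders as `''/a dir'/…'` and breaks the command, while a plain path gains nothing. Use one mechanism per argument — the filter on an unquoted argument, or the literal quotes without the filter — and apply the choice to the `-file '{{ openshift_metrics_certs_dir }}/…'` arguments of the same commands, which this hunk leaves as they were. The `-storepass "$(< file)"` form also places the truststore password in keytool's argument vector, visible in the process list for the duration of the call; keytool accepts `-storepass:file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd'`, which keeps the password in the file.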
@@ -49,8 +56,9 @@ when: > 'hawkular-cassandra' not in hawkular_metrics_truststore_aliases.stdout_lines + - name: import the hawkular cassandra cert into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' @@ -60,8 +68,9 @@ when: > 'hawkular-cassandra' not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the ca certificate into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' @@ -73,8 +82,9 @@ - metricca - cassandraca when: item not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the ca certificate into the hawkular metrics truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' @@ -86,6 +96,7 @@ - metricca - cassandraca when: item not in hawkular_metrics_truststore_aliases.stdout_lines + - name: generate password for hawkular metrics and jgroups shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 @@ -94,6 +105,7 @@ - hawkular-metrics - hawkular-jgroups-keystore when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists + - name: generate htpasswd file for hawkular metrics shell: > htpasswd -ci @@ -101,6 +113,7 @@ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd' when: > not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists + - name: generate the jgroups keystore shell: > p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) @@ -110,6 +123,7 @@ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' when: > not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists + - name: read files for the hawkular-metrics secret shell: > printf '%s: ' '{{ item }}' 
@@ -133,10 +147,12 @@ - hawkular-cassandra.truststore - hawkular-cassandra-truststore.pwd changed_when: false + - set_fact: hawkular_secrets: | {{ hawkular_secrets.results|map(attribute='stdout')|join(' ')|from_yaml }} + - name: generate hawkular-metrics-secrets secret template template: src: secret.j2 @@ -163,6 +179,8 @@ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }} hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate hawkular-metrics-certificate secret template template: src: secret.j2 @@ -177,6 +195,8 @@ hawkular-metrics-ca.certificate: > {{ hawkular_secrets['ca.crt'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate hawkular-metrics-account secret template template: src: secret.j2 @@ -190,6 +210,8 @@ hawkular-metrics.password: > {{ hawkular_secrets['hawkular-metrics.pwd'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate cassandra secret template template: src: secret.j2 @@ -211,6 +233,8 @@ cassandra.pem: > {{ hawkular_secrets['hawkular-cassandra.pem'] }} when: name not in metrics_secrets + changed_when: no + - name: generate cassandra-certificate secret template template: src: secret.j2 @@ -225,3 +249,4 @@ cassandra-ca.certificate: > {{ hawkular_secrets['hawkular-cassandra.pem'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml index 9a72b24fe..6524c3f32 100644 --- a/roles/openshift_metrics/tasks/generate_rolebindings.yaml +++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml @@ -12,6 +12,8 @@ subjects: - kind: ServiceAccount name: hawkular + changed_when: no + - name: generate cluster-reader role binding for the heapster service account template: src: rolebinding.j2 
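Review bot: `hawkular_secrets` is built from the registered output of a `shell` loop that reads private keys, keystores and `.pwd` files (the `read files for the hawkular-metrics secret` task, which starts above this hunk), and the `set_fact` then keeps the whole bundle as a fact; neither carries `no_log: true`, so all of this material is echoed in verbose output and, with fact caching on, written to the cache backend. Add `no_log: true` to the `shell` loop, to the `set_fact`, and to the five `generate … secret template` tasks that interpolate the values. The `changed_when: no` additions are consistent with the rest of the commit, but `changed_when: false` is the spelling yamllint's `truthy` rule accepts and the one install_hawkular.yaml in this same commit uses.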
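Review bot: In the `generate cassandra secret template` hunk the context line `when: name not in metrics_secrets` tests membership in the registered result object itself rather than in `metrics_secrets.stdout_lines` as every sibling task does, so the condition is always true and the cassandra secret template is regenerated on every run regardless of whether the secret exists; the commit adds `changed_when: no` beneath it but leaves the test as is. Change it to `when: name not in metrics_secrets.stdout_lines`.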
@@ -28,3 +30,4 @@ - kind: ServiceAccount name: heapster namespace: "{{ openshift_metrics_project }}" + changed_when: no diff --git a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml index 9230e0423..94f34d860 100644 --- a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml +++ b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml @@ -12,6 +12,7 @@ secret: hawkular-metrics-secrets - name: cassandra secret: hawkular-cassandra-secrets + changed_when: no - name: Generating serviceaccount for heapster template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml @@ -23,3 +24,4 @@ - heapster-secrets - hawkular-metrics-certificate - hawkular-metrics-account + changed_when: no diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml index 4f7616a1c..115053012 100644 --- a/roles/openshift_metrics/tasks/generate_services.yaml +++ b/roles/openshift_metrics/tasks/generate_services.yaml @@ -10,6 +10,7 @@ labels: metrics-infra: "{{obj_name}}" name: "{{obj_name}}" + changed_when: no - name: Generate service for hawkular-metrics template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml @@ -22,6 +23,7 @@ labels: metrics-infra: "{{obj_name}}" name: "{{obj_name}}" + changed_when: no - name: Generate services for cassandra template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml @@ -41,3 +43,5 @@ with_items: - cassandra - cassandra-nodes + changed_when: no + diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index b377b6299..d49c83138 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
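Review bot: The serviceaccount and service hunks keep module arguments as `key=value` strings (`template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml`), while the secret and rolebinding hunks of the same commit use the block form (`template:` with `src:`/`dest:` keys); the block form is the Ansible idiom and is not subject to whitespace splitting of the rendered `mktemp.stdout`. The new `changed_when: no` lines also sit next to `changed_when: false` in install_hawkular.yaml from this commit — settle on `false` throughout.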
@@ -1,8 +1,8 @@ --- - shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-metrics --template=\{\{.spec.replicas\}\} || echo 0 + get rc hawkular-metrics -o jsonpath='{.spec.replicas}' || echo 0 register: hawkular_metrics_replica_count changed_when: false @@ -12,16 +12,17 @@ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" vars: replica_count: "{{hawkular_metrics_replica_count.stdout}}" + changed_when: false - shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-cassandra-{{node}} --template=\{\{.spec.replicas\}\} || echo 0 + get rc hawkular-cassandra-{{node}} -o jsonpath='{.spec.replicas}' || echo 0 vars: node: "{{ item }}" register: cassandra_replica_count - changed_when: false with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false - name: generate hawkular-cassandra replication controllers template: @@ -32,6 +33,7 @@ master: "{{ (item == '1')|string|lower }}" replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false - name: generate hawkular-cassandra persistent volume claims template: @@ -46,6 +48,7 @@ size: "{{ openshift_metrics_cassandra_pv_size }}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'pv' + changed_when: false - name: generate hawkular-cassandra persistent volume claims (dynamic) template: 
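Review bot: `get rc hawkular-metrics -o jsonpath='{.spec.replicas}' || echo 0` in the first hunk (and the cassandra variant in the second) reports 0 replicas for any `oc` failure — bad kubeconfig, unreachable API, wrong project — not just a missing RC, and that number is templated straight into the replication controller; if the rendered file is applied, a transient API error would presumably be written back as `replicas: 0`. Keep the command's real exit status and narrow the failure to the not-found case with a `failed_when:` on `rc`/`stderr`, as scale.yaml in this commit does. install_heapster.yaml's first hunk uses the same `|| echo 0` idiom.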
@@ -62,20 +65,25 @@ size: "{{ openshift_metrics_cassandra_pv_size }}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'dynamic' + changed_when: false - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert + changed_when: false - block: - set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }} when: openshift_metrics_hawkular_key | exists + changed_when: false - set_fact: hawkular_cert={{ lookup('file', openshift_metrics_hawkular_cert) }} when: openshift_metrics_hawkular_cert | exists + changed_when: false - set_fact: hawkular_ca={{ lookup('file', openshift_metrics_hawkular_ca) }} when: openshift_metrics_hawkular_ca | exists + changed_when: false - name: generate the hawkular-metrics route template: @@ -95,3 +103,4 @@ certificate: "{{ hawkular_cert | default('') }}" ca_certificate: "{{ hawkular_ca | default('') }}" destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}" + changed_when: false diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml index 63ea7e943..e650391a8 100644 --- a/roles/openshift_metrics/tasks/install_heapster.yaml +++ b/roles/openshift_metrics/tasks/install_heapster.yaml 
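Review bot: `set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }}` in the `block:` hunk loads the route's TLS private key into a fact, and set_fact results are printed in verbose runs and retained by fact caches and callback plugins; give that task, and the `generate the hawkular-metrics route` template task that consumes `hawkular_key`, `no_log: true`. The `changed_when: false` added to the three `set_fact` tasks and to the `slurp` task is a no-op — neither module ever reports a change — so those four lines are only clutter.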
@@ -1,12 +1,13 @@ --- - shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc heapster --template=\{\{.spec.replicas\}\} || echo 0 + get rc heapster -o jsonpath='{.spec.replicas}' || echo 0 register: heapster_replica_count - changed_when: false + changed_when: no - name: Generate heapster replication controller template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml vars: replica_count: "{{heapster_replica_count.stdout}}" + changed_when: no diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index e8c74b8dc..c42440130 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -4,8 +4,6 @@ register: mktemp changed_when: False -- debug: msg="Created temp dir {{mktemp.stdout}}" - - name: Create temp directory for all our templates file: path={{mktemp.stdout}}/templates state=directory mode=0755 changed_when: False @@ -17,8 +15,8 @@ check_mode: no tags: metrics_init -- include: "{{role_path}}/tasks/install_metrics.yaml" +- include: install_metrics.yaml when: openshift_metrics_install_metrics | default(false) | bool -- include: "{{role_path}}/tasks/uninstall_metrics.yaml" +- include: uninstall_metrics.yaml when: not openshift_metrics_install_metrics | default(false) | bool diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml index 031336a01..65f35fb46 100644 --- a/roles/openshift_metrics/tasks/scale.yaml +++ b/roles/openshift_metrics/tasks/scale.yaml 
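Review bot: The install_heapster hunk rewrites `changed_when: false` to `changed_when: no`, while install_hawkular.yaml in this same commit standardises on `false` and main.yaml's hunk keeps `changed_when: False`; that is three spellings of one boolean in one role, and `no` is a YAML 1.1 truthy that yamllint's `truthy` rule flags. Keep `changed_when: false` here and in the new lines of the generate_* files. In main.yaml the `file: path={{mktemp.stdout}}/templates state=directory mode=0755` task is still a `key=value` string; the block form with `mode: "0755"` quoted avoids any octal reinterpretation by the YAML loader.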
@@ -1,27 +1,30 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} - --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_metrics_project}} + -o jsonpath='{.spec.replicas}' -n {{openshift_metrics_project}} register: replica_count failed_when: "replica_count.rc == 1 and 'exists' not in replica_count.stderr" when: not ansible_check_mode + changed_when: no -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}} --replicas={{desired}} -n {{openshift_metrics_project}} register: scale_result failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr when: - - replica_count.stdout != desired + - replica_count.stdout != (desired | string) - not ansible_check_mode + changed_when: no - name: Waiting for {{object}} to scale to {{desired}} - shell: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_metrics_project}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}' + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig + get {{object}} -n {{openshift_metrics_project|quote}} -o jsonpath='{.status.replicas}' register: replica_counts until: replica_counts.stdout.find("{{desired}}") != -1 retries: 30 delay: 10 when: - - replica_count.stdout != desired + - replica_count.stdout != (desired | string) - not ansible_check_mode diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 52e748234..07c8365b1 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
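Review bot: `until: replica_counts.stdout.find("{{desired}}") != -1` is a substring test, and now that the wait command returns only the number from `{.status.replicas}` it will succeed early whenever the current count merely contains the target digits (waiting for `1` while status is `12`, or for `0` while it is `10`); compare for equality, `until: replica_counts.stdout == (desired | string)`. The `scale {{object}} --replicas={{desired}}` task does change the cluster, so the `changed_when: no` added to it hides a real change — it belongs only on the two `get` commands. The first two commands also leave `-n {{openshift_metrics_project}}` unfiltered while the third uses `|quote`; pick one.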
@@ -10,19 +10,22 @@ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists + - name: generate {{ component }} certificate shell: > cat - '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.key' - '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.crt' - > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.pem' + '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' + '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' + > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.pem' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - name: generate random password for the {{ component }} keystore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd' + > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' when: > not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export 
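Review bot: `'{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key'` applies shell quoting inside a string that is already single-quoted; `quote` returns the value unchanged only when it is shell-safe and otherwise wraps it in its own `'...'`, which nested in the literal quotes yields `''/some dir''` and a broken path. Either drop the surrounding quotes and let the filter quote, or keep the quotes and drop the filter — the same applies to the `-keystore.pwd` redirect target later in this hunk. The `when:` checks in the hunk still carry Jinja delimiters inside the condition, which Ansible warns about.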
@@ -32,22 +35,24 @@ -password 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists + - name: create the {{ component }} keystore from the pkcs12 file shell: > p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) && keytool -v -importkeystore - -srckeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' + -srckeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote }}.pkcs12' -srcstoretype PKCS12 - -destkeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore' + -destkeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote}}.keystore' -deststoretype JKS -deststorepass "$p" -srcstorepass "$p" when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists + - name: generate random password for the {{ component }} truststore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-truststore.pwd' + > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' when: > not - '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists + '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml index 99d593dd7..0906d71a2 100644 --- a/roles/openshift_metrics/tasks/start_metrics.yaml +++ b/roles/openshift_metrics/tasks/start_metrics.yaml @@ -1,5 +1,5 @@ --- -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -7,6 +7,7 @@ -o name -n {{openshift_metrics_project}} register: metrics_cassandra_rc + changed_when: no - name: Start Hawkular Cassandra include: scale.yaml 
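Review bot: The new `when:` line `not '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists` runs the shell-quoting filter on a path handed to a file-existence check; whenever either value needs quoting, the check is made against a path containing literal quote characters, reports the file missing, and the truststore password is regenerated on every run. Drop `| quote` inside `when:` — only the `shell:` arguments need it. In the keystore task, `p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd)` is now the one path in this file that is neither quoted nor filtered.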
@@ -16,7 +17,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -24,6 +25,7 @@ -o name -n {{openshift_metrics_project}} register: metrics_metrics_rc + changed_when: no - name: Start Hawkular Metrics include: scale.yaml @@ -33,7 +35,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml index 79556e923..cdb029c2f 100644 --- a/roles/openshift_metrics/tasks/stop_metrics.yaml +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml @@ -1,5 +1,5 @@ --- -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -18,7 +18,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -36,7 +36,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc -o name -- cgit v1.2.3 From 9c6766e8588ff96bffc0479251dbbb5dd9c80521 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 12 Jan 2017 08:38:06 -0500 Subject: metrics fixes for yamlint --- .../tasks/generate_hawkular_certificates.yaml | 2 +- .../openshift_metrics/tasks/generate_services.yaml | 5 ++-- .../openshift_metrics/tasks/install_hawkular.yaml | 2 +- roles/openshift_metrics/tasks/install_metrics.yaml | 4 ++-- roles/openshift_metrics/tasks/scale.yaml | 6 ++--- roles/openshift_metrics/tasks/start_metrics.yaml | 28 +++++++++++----------- roles/openshift_metrics/tasks/stop_metrics.yaml | 18 +++++++------- 7 files changed, 32 insertions(+), 33 deletions(-) (limited to 'roles/openshift_metrics/tasks') 
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 995440598..1306d0ccd 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -211,7 +211,7 @@ {{ hawkular_secrets['hawkular-metrics.pwd'] }} when: name not in metrics_secrets.stdout_lines changed_when: no - + - name: generate cassandra secret template template: src: secret.j2 diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml index 115053012..903d52bff 100644 --- a/roles/openshift_metrics/tasks/generate_services.yaml +++ b/roles/openshift_metrics/tasks/generate_services.yaml @@ -41,7 +41,6 @@ name: hawkular-cassandra headless: "{{ item == 'cassandra-nodes' }}" with_items: - - cassandra - - cassandra-nodes + - cassandra + - cassandra-nodes changed_when: no - diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index d49c83138..7c06bc1db 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -11,7 +11,7 @@ src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" vars: - replica_count: "{{hawkular_metrics_replica_count.stdout}}" + replica_count: "{{hawkular_metrics_replica_count.stdout}}" changed_when: false - shell: > diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index b45629b70..5f4b84418 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml 
@@ -25,10 +25,10 @@ --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{ item }} with_fileglob: - - "{{ mktemp.stdout }}/templates/*.yaml" + - "{{ mktemp.stdout }}/templates/*.yaml" - name: Scaling up cluster include: start_metrics.yaml tags: openshift_metrics_start_cluster when: - - openshift_metrics_start_cluster | default(true) | bool + - openshift_metrics_start_cluster | default(true) | bool diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml index 65f35fb46..bb4fa621b 100644 --- a/roles/openshift_metrics/tasks/scale.yaml +++ b/roles/openshift_metrics/tasks/scale.yaml @@ -19,12 +19,12 @@ - name: Waiting for {{object}} to scale to {{desired}} command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} -n {{openshift_metrics_project|quote}} -o jsonpath='{.status.replicas}' register: replica_counts until: replica_counts.stdout.find("{{desired}}") != -1 retries: 30 delay: 10 when: - - replica_count.stdout != (desired | string) - - not ansible_check_mode + - replica_count.stdout != (desired | string) + - not ansible_check_mode diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml index 0906d71a2..31f303c86 100644 --- a/roles/openshift_metrics/tasks/start_metrics.yaml +++ b/roles/openshift_metrics/tasks/start_metrics.yaml @@ -1,10 +1,10 @@ --- - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc - -l metrics-infra=hawkular-cassandra - -o name + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-cassandra + -o name -n {{openshift_metrics_project}} register: metrics_cassandra_rc changed_when: no 
@@ -18,11 +18,11 @@ loop_var: object - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc - -l metrics-infra=hawkular-metrics - -o name + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name -n {{openshift_metrics_project}} register: metrics_metrics_rc changed_when: no @@ -36,11 +36,11 @@ loop_var: object - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc -l metrics-infra=heapster - -o name + -o name -n {{openshift_metrics_project}} register: metrics_heapster_rc check_mode: no diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml index cdb029c2f..524d4227b 100644 --- a/roles/openshift_metrics/tasks/stop_metrics.yaml +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml @@ -1,10 +1,10 @@ --- - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc -l metrics-infra=heapster - -o name + -o name -n {{openshift_metrics_project}} register: metrics_heapster_rc changed_when: "'No resources found' not in metrics_heapster_rc.stderr" @@ -19,11 +19,11 @@ loop_var: object - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig get rc -l metrics-infra=hawkular-metrics - -o name + -o name -n {{openshift_metrics_project}} register: metrics_hawkular_rc changed_when: "'No resources found' not in metrics_hawkular_rc.stderr" 
@@ -37,10 +37,10 @@ loop_var: object - command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig + {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc -o name - -l metrics-infra=hawkular-cassandra + -l metrics-infra=hawkular-cassandra -n {{openshift_metrics_project}} register: metrics_cassandra_rc changed_when: "'No resources found' not in metrics_cassandra_rc.stderr" -- cgit v1.2.3 From 868e800a1325a726c24afc752033434a80d13b2d Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 12 Jan 2017 16:52:23 -0500 Subject: additional cr fixes --- .../tasks/generate_hawkular_certificates.yaml | 27 +++++----- .../openshift_metrics/tasks/install_cassandra.yaml | 54 +++++++++++++++++++ .../openshift_metrics/tasks/install_hawkular.yaml | 60 ++-------------------- .../openshift_metrics/tasks/install_heapster.yaml | 7 +-- roles/openshift_metrics/tasks/install_metrics.yaml | 1 + .../openshift_metrics/tasks/setup_certificate.yaml | 41 ++++++++------- 6 files changed, 99 insertions(+), 91 deletions(-) create mode 100644 roles/openshift_metrics/tasks/install_cassandra.yaml (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 1306d0ccd..489856c27 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
@@ -13,22 +13,26 @@ hostnames: hawkular-cassandra changed_when: no +- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd + register: cassandra_truststore_password + - name: check existing aliases on the hawkular-cassandra truststore shell: > keytool -noprompt -list -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore - -storepass "$(< - '{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} | sed -n '7~2s/,.*$//p' register: hawkular_cassandra_truststore_aliases changed_when: false +- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd + register: hawkular_truststore_password + - name: check existing aliases on the hawkular-metrics truststore shell: > keytool -noprompt -list -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore - -storepass "$(< - '{{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} | sed -n '7~2s/,.*$//p' register: hawkular_metrics_truststore_aliases changed_when: false @@ -39,8 +43,7 @@ -alias hawkular-metrics -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} when: > 'hawkular-metrics' not in hawkular_cassandra_truststore_aliases.stdout_lines 
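Review bot: Replacing `-storepass "$(< ...pwd)"` with `-storepass {{cassandra_truststore_password.content | b64decode }}` moves the truststore password out of the shell and into the rendered task arguments, so it now appears in `-v` output, in the `cmd` field of every registered result (`hawkular_cassandra_truststore_aliases` and friends) and in any callback/ARA log, on top of being visible in `ps`; the two new `slurp` tasks register the same password base64-encoded. Add `no_log: true` to the `slurp` tasks and to the keytool tasks, or keep the secret out of argv altogether with keytool's `-storepass:file <path>` form. This applies to all six `-storepass` hunks of this file and to the `-password 'pass:...'`/`-srcstorepass` rewrite in setup_certificate.yaml's second hunk in this commit, where openssl already accepts `-password file:<path>`.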
@@ -51,8 +54,7 @@ -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} when: > 'hawkular-cassandra' not in hawkular_metrics_truststore_aliases.stdout_lines @@ -63,8 +65,7 @@ -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} when: > 'hawkular-cassandra' not in hawkular_cassandra_truststore_aliases.stdout_lines @@ -75,8 +76,7 @@ -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} with_items: - ca - metricca @@ -89,8 +89,7 @@ -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} with_items: - ca - metricca diff --git a/roles/openshift_metrics/tasks/install_cassandra.yaml b/roles/openshift_metrics/tasks/install_cassandra.yaml new file mode 100644 index 000000000..a9340acc3 --- /dev/null +++ b/roles/openshift_metrics/tasks/install_cassandra.yaml 
@@ -0,0 +1,54 @@ +--- +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc hawkular-cassandra-{{node}} -o jsonpath='{.spec.replicas}' || echo 0 + vars: + node: "{{ item }}" + register: cassandra_replica_count + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false + failed_when: false + +- name: generate hawkular-cassandra replication controllers + template: + src: hawkular_cassandra_rc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-rc{{ item }}.yaml" + vars: + node: "{{ item }}" + master: "{{ (item == '1')|string|lower }}" + replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false + +- name: generate hawkular-cassandra persistent volume claims + template: + src: pvc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" + vars: + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" + labels: + metrics-infra: hawkular-cassandra + access_modes: + - ReadWriteOnce + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + when: openshift_metrics_cassandra_storage_type == 'pv' + changed_when: false + +- name: generate hawkular-cassandra persistent volume claims (dynamic) + template: + src: pvc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" + vars: + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" + labels: + metrics-infra: hawkular-cassandra + annotations: + volume.alpha.kubernetes.io/storage-class: dynamic + access_modes: + - ReadWriteOnce + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + when: openshift_metrics_cassandra_storage_type == 'dynamic' + changed_when: false 
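Review bot: The first task pairs `|| echo 0` with `failed_when: false`; the shell fallback already forces exit status 0, so `failed_when: false` is redundant, and between them every `oc get` failure — not just a missing RC — is silently turned into `replica_count: 0` for the cassandra RC templates. Drop `failed_when: false`, or better drop the `|| echo 0` and narrow `failed_when` to the not-found case on `stderr`. That task is also the only one in the file without a `name:`, and `volume.alpha.kubernetes.io/storage-class: dynamic` is an alpha annotation — worth confirming the target cluster still honours it.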
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 7c06bc1db..00f7b2554 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -1,9 +1,10 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-metrics -o jsonpath='{.spec.replicas}' || echo 0 + get rc hawkular-metrics -o jsonpath='{.spec.replicas}' register: hawkular_metrics_replica_count + failed_when: false changed_when: false - name: generate hawkular-metrics replication controller 
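Review bot: `failed_when: false` on the `get rc hawkular-metrics` command swallows every error (expired kubeconfig, unreachable API, wrong project) rather than only the missing-RC case the removed `|| echo 0` was covering, and nothing downstream can tell "no RC" from "oc failed". Narrow it to the not-found case, e.g. `failed_when: hawkular_metrics_replica_count.rc != 0 and 'not found' not in hawkular_metrics_replica_count.stderr`, checking the exact wording the deployed `oc` emits. install_heapster.yaml's hunk in this commit makes the same change.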
@@ -11,60 +12,7 @@ src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" vars: - replica_count: "{{hawkular_metrics_replica_count.stdout}}" - changed_when: false - -- shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} - --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-cassandra-{{node}} -o jsonpath='{.spec.replicas}' || echo 0 - vars: - node: "{{ item }}" - register: cassandra_replica_count - with_sequence: count={{ openshift_metrics_cassandra_replicas }} - changed_when: false - -- name: generate hawkular-cassandra replication controllers - template: - src: hawkular_cassandra_rc.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-rc{{ item }}.yaml" - vars: - node: "{{ item }}" - master: "{{ (item == '1')|string|lower }}" - replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" - with_sequence: count={{ openshift_metrics_cassandra_replicas }} - changed_when: false - -- name: generate hawkular-cassandra persistent volume claims - template: - src: pvc.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" - vars: - obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" - labels: - metrics-infra: hawkular-cassandra - access_modes: - - ReadWriteOnce - size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_replicas }} - when: openshift_metrics_cassandra_storage_type == 'pv' - changed_when: false - -- name: generate hawkular-cassandra persistent volume claims (dynamic) - template: - src: pvc.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" - vars: - obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" - labels: - metrics-infra: hawkular-cassandra - annotations: - volume.alpha.kubernetes.io/storage-class: dynamic - access_modes: - - ReadWriteOnce - size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ 
openshift_metrics_cassandra_replicas }} - when: openshift_metrics_cassandra_storage_type == 'dynamic' + replica_count: "{{hawkular_metrics_replica_count.stdout | default(0)}}" changed_when: false - name: read hawkular-metrics route destination ca certificate diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml index e650391a8..39df797ab 100644 --- a/roles/openshift_metrics/tasks/install_heapster.yaml +++ b/roles/openshift_metrics/tasks/install_heapster.yaml @@ -1,13 +1,14 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc heapster -o jsonpath='{.spec.replicas}' || echo 0 + get rc heapster -o jsonpath='{.spec.replicas}' register: heapster_replica_count + failed_when: false changed_when: no - name: Generate heapster replication controller template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml vars: - replica_count: "{{heapster_replica_count.stdout}}" + replica_count: "{{heapster_replica_count.stdout | default(0)}}" changed_when: no diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 5f4b84418..e550f6e8d 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -16,6 +16,7 @@ - support - heapster - hawkular + - cassandra loop_control: loop_var: include_file diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 07c8365b1..c185d3f88 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
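Review bot: `replica_count: "{{hawkular_metrics_replica_count.stdout | default(0)}}"` does not produce 0 when the command failed: `stdout` is always defined on a registered command result (it is `''` on failure), and Jinja's `default` only substitutes for undefined values, so the template receives an empty replica count. Use the boolean form, `default(0, true)`, so empty output also falls back to 0. install_heapster.yaml's `replica_count` line in this commit has the same problem.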
@@ -11,20 +11,28 @@ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists +- slurp: src={{item}} + register: component_certs + with_items: + - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' + - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - name: generate {{ component }} certificate - shell: > - cat - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' - > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.pem' + copy: + dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}" when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore - shell: > - tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' + copy: + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' when: > not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + +- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd + register: keystore_password - name: create the {{ component }} pkcs12 from the pem file command: 
> @@ -32,27 +40,24 @@ -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter - -password - 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' + -password 'pass:{{keystore_password.content | b64decode }}' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: create the {{ component }} keystore from the pkcs12 file - shell: > - p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) - && + command: > keytool -v -importkeystore -srckeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote }}.pkcs12' -srcstoretype PKCS12 -destkeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote}}.keystore' -deststoretype JKS - -deststorepass "$p" - -srcstorepass "$p" + -deststorepass '{{keystore_password.content | b64decode }}' + -srcstorepass '{{keystore_password.content | b64decode }}' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - name: generate random password for the {{ component }} truststore - shell: > - tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' + copy: + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' when: > not '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists -- cgit v1.2.3 From e96de3d7eb0b0ce6a8df96d4e3afa02f0859b94b Mon Sep 17 00:00:00 2001 
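Review bot: The `copy` tasks that write `{{ component }}.pem` (the concatenated private key and certificate) and `{{ component }}-keystore.pwd` set no `mode`, so the files get umask-default permissions, typically 0644, and because `content:` is rendered inline the key material and the password also show up in Ansible's task output and `--diff` display. Add `mode: '0600'` to both `copy` tasks and `no_log: true` to them and to the `slurp` that registers `keystore_password`. The `cat` and `tr` originals had the same permission exposure, but the move to `copy` is the natural place to close it.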
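Review bot: `-password 'pass:{{keystore_password.content | b64decode }}'` and the `-srcstorepass`/`-deststorepass` arguments put the keystore password on the openssl and keytool command lines, where it is readable by any local user via `ps` or `/proc/*/cmdline` and is recorded verbatim in Ansible's task output; the removed `-password 'file:…-keystore.pwd'` form kept it out of argv for the pkcs12 step. Restore `-password 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'` there and add `no_log: true` to both tasks; recent keytool versions also accept `:file`/`:env` variants of the store-password options, which would remove the password from the keytool argv as well (worth checking against the JDK in use).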
From: Jeff Cantrill Date: Fri, 13 Jan 2017 12:19:55 -0500 Subject: properly set changes when oc apply --- roles/openshift_metrics/tasks/install_metrics.yaml | 16 ++++++----- roles/openshift_metrics/tasks/oc_apply.yaml | 31 ++++++++++++++++++++++ roles/openshift_metrics/tasks/start_metrics.yaml | 2 +- 3 files changed, 41 insertions(+), 8 deletions(-) create mode 100644 roles/openshift_metrics/tasks/oc_apply.yaml (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index e550f6e8d..67d22cbc3 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,9 +1,9 @@ --- -- name: check that hawkular_metrics_hostname is set +- name: Check that hawkular_metrics_hostname is set fail: msg='the openshift_metrics_hawkular_hostname variable is required' when: openshift_metrics_hawkular_hostname is not defined -- name: check the value of openshift_metrics_cassandra_storage_type +- name: Check the value of openshift_metrics_cassandra_storage_type fail: msg: > openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) @@ -20,11 +20,13 @@ loop_control: loop_var: include_file -- name: create objects - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - --config={{ mktemp.stdout }}/admin.kubeconfig - apply -f {{ item }} +- name: Create objects + include: oc_apply.yaml + vars: + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + namespace: "{{ openshift_metrics_project }}" + file_name: "{{ item }}" + file_content: "{{ lookup('file',item) | from_yaml }}" with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/oc_apply.yaml b/roles/openshift_metrics/tasks/oc_apply.yaml new file mode 100644 index 000000000..c9154f206 --- /dev/null +++ b/roles/openshift_metrics/tasks/oc_apply.yaml 
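Review bot: `file_content: "{{ lookup('file',item) | from_yaml }}"` reads the rendered template on the Ansible controller, because lookups (like the surrounding `with_fileglob`) always run locally, whereas `mktemp.stdout` and the `oc` commands in this role are used on the target host. If the role is ever run against a remote master rather than the controller, the lookup will fail or read a stale local copy; if it is intended to run locally, a one-line comment above the `vars:` saying so would prevent the next maintainer from delegating it, and `from_yaml` will also reject a template that renders more than one YAML document.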
@@ -0,0 +1,31 @@
+---
+- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}}
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ kubeconfig }}
+ get {{file_content.kind}} {{file_content.metadata.name}}
+ -o jsonpath='{.metadata.resourceVersion}'
+ -n {{namespace}}
+ register: generation_init
+ changed_when: no
+
+- name: Applying {{file_name}}
+ command: >
+ {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+ apply -f {{ file_name }}
+ -n {{ openshift_metrics_project }}
+ register: generation_apply
+ failed_when: "'error' in generation_apply.stderr"
+ changed_when: no
+
+- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
+ command: >
+ {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+ get {{file_content.kind}} {{file_content.metadata.name}}
+ -o jsonpath='{.metadata.resourceVersion}'
+ -n {{namespace}}
+ register: version_changed
+ vars:
+ init_version: "{{ (generation_init is defined) | ternary(generation_init.stdout, '0') }}"
+ failed_when: "'error' in version_changed.stderr"
+ changed_when: version_changed.stdout | int > init_version | int
diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml
index 31f303c86..c4cae4aff 100644
--- a/roles/openshift_metrics/tasks/start_metrics.yaml
+++ b/roles/openshift_metrics/tasks/start_metrics.yaml
@@ -43,7 +43,7 @@
 -o name -n {{openshift_metrics_project}}
 register: metrics_heapster_rc
- check_mode: no
+ changed_when: no
 - name: Start Heapster
 include: scale.yaml
-- cgit v1.2.3
From 65eb7e43faf38698b22b90ad3c743d1fecdc0961 Mon Sep 17 00:00:00 2001
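Review bot: `failed_when: "'error' in generation_apply.stderr"` lets a failed `oc apply` pass whenever its stderr lacks the lowercase word "error" (a refused connection or a timeout, for instance), and a non-zero exit is the signal the role should actually trust: `failed_when: generation_apply.rc != 0`, likewise for `version_changed`. The apply task also hard-codes `-n {{ openshift_metrics_project }}` while the two `get` tasks use the `namespace` passed by the include; use `-n {{ namespace }}` so the three commands cannot drift apart. Finally, `changed_when: version_changed.stdout | int > init_version | int` assumes `resourceVersion` is a monotonically increasing integer, which the Kubernetes API documents as an opaque string; `changed_when: version_changed.stdout != init_version` detects a change without relying on that.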
From: Jeff Cantrill Date: Tue, 17 Jan 2017 11:42:23 -0500 Subject: use pod to generate keystores (#14) --- .../tasks/generate_hawkular_certificates.yaml | 97 ++--------------- .../openshift_metrics/tasks/import_jks_certs.yaml | 120 +++++++++++++++++++++ roles/openshift_metrics/tasks/install_metrics.yaml | 8 +- roles/openshift_metrics/tasks/oc_apply.yaml | 7 +- .../openshift_metrics/tasks/setup_certificate.yaml | 21 +--- roles/openshift_metrics/tasks/stop_metrics.yaml | 1 - 6 files changed, 139 insertions(+), 115 deletions(-) create mode 100644 roles/openshift_metrics/tasks/import_jks_certs.yaml (limited to 'roles/openshift_metrics/tasks') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 489856c27..9cf4afee0 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
@@ -13,93 +13,16 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd register: cassandra_truststore_password -- name: check existing aliases on the hawkular-cassandra truststore - shell: > - keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore - -storepass {{cassandra_truststore_password.content | b64decode }} - | sed -n '7~2s/,.*$//p' - register: hawkular_cassandra_truststore_aliases - changed_when: false - -- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password -- name: check existing aliases on the hawkular-metrics truststore - shell: > - keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore - -storepass {{ hawkular_truststore_password.content | b64decode }} - | sed -n '7~2s/,.*$//p' - register: hawkular_metrics_truststore_aliases - changed_when: false - -- name: import the hawkular metrics cert into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-metrics - -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - when: > - 'hawkular-metrics' not in - hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the hawkular cassandra cert into the hawkular metrics truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass {{ 
hawkular_truststore_password.content | b64decode }} - when: > - 'hawkular-cassandra' not in - hawkular_metrics_truststore_aliases.stdout_lines - -- name: import the hawkular cassandra cert into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - when: > - 'hawkular-cassandra' not in - hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the ca certificate into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ openshift_metrics_certs_dir }}/ca.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - with_items: - - ca - - metricca - - cassandraca - when: item not in hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the ca certificate into the hawkular metrics truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ openshift_metrics_certs_dir }}/ca.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass {{ hawkular_truststore_password.content | b64decode }} - with_items: - - ca - - metricca - - cassandraca - when: item not in hawkular_metrics_truststore_aliases.stdout_lines - - name: generate password for hawkular metrics and jgroups - shell: > - tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + copy: + dest: '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + content: "{{ 15 | oo_random_word }}" with_items: - hawkular-metrics - hawkular-jgroups-keystore 
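Review bot: The `copy` task that writes `hawkular-metrics.pwd` and `hawkular-jgroups-keystore.pwd` from `{{ 15 | oo_random_word }}` sets no `mode`, so the password files are created with umask-default permissions, and the rendered `content:` is echoed into Ansible's task output; add `mode: '0600'` and `no_log: true` to it. Unlike the `setup_certificate.yaml` tasks in this same commit, no `when: not ...|exists` guard is visible for this task within the hunk; if none exists past the hunk boundary, every run would rotate both passwords and invalidate keystores built with the previous values, so that guard should be confirmed. `oo_random_word` is a project filter whose alphabet and entropy are not visible here; the removed `tr -dc _A-Z-a-z-0-9 < /dev/urandom` drew from a 64-symbol set, and the replacement should be checked to be at least as strong.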
@@ -113,15 +36,7 @@ when: > not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists -- name: generate the jgroups keystore - shell: > - p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) - && - keytool -genseckey -alias hawkular - -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' - when: > - not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists +- include: import_jks_certs.yaml - name: read files for the hawkular-metrics secret shell: > diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml new file mode 100644 index 000000000..f6bf6c1a6 --- /dev/null +++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml 
@@ -0,0 +1,120 @@
+---
+- name: Check for jks-generator service account
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ get serviceaccount/jks-generator --no-headers
+ register: serviceaccount_result
+ ignore_errors: yes
+ when: not ansible_check_mode
+ changed_when: no
+
+- name: Create jks-generator service account
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ create serviceaccount jks-generator
+ when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
+
+- name: Check for hostmount-anyuid scc entry
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ get scc hostmount-anyuid
+ -o jsonpath='{.users}'
+ register: scc_result
+ when: not ansible_check_mode
+ changed_when: no
+
+- name: Add to hostmount-anyuid scc
+ command: >
+ {{ openshift.common.admin_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ policy add-scc-to-user hostmount-anyuid
+ -z jks-generator
+ when:
+ - not ansible_check_mode
+ - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1
+
+- name: Copy JKS generation script
+ copy:
+ src: import_jks_certs.sh
+ dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"
+ check_mode: no
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+ register: metrics_keystore_password
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+ register: cassandra_keystore_password
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+ register: jgroups_keystore_password
+
+- name: Generate JKS pod template
+ template:
+ src: jks_pod.j2
+ dest: "{{mktemp.stdout}}/jks_pod.yaml"
+ vars:
+ metrics_keystore_passwd: "{{metrics_keystore_password.content}}"
+ cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}"
+ metrics_truststore_passwd: "{{hawkular_truststore_password.content}}"
+ cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}"
+ jgroups_passwd: "{{jgroups_keystore_password.content}}"
+ check_mode: no
+ changed_when: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+ register: metrics_keystore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
+ register: cassandra_keystore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore"
+ register: cassandra_truststore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
+ register: metrics_truststore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore"
+ register: jgroups_keystore
+ check_mode: no
+
+- name: create JKS pod
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ create -f {{mktemp.stdout}}/jks_pod.yaml
+ -o name
+ register: podoutput
+ check_mode: no
+ when: not metrics_keystore.stat.exists or
+ not metrics_truststore.stat.exists or
+ not cassandra_keystore.stat.exists or
+ not cassandra_truststore.stat.exists or
+ not jgroups_keystore.stat.exists
+
+- command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ get {{podoutput.stdout}}
+ -o jsonpath='{.status.phase}'
+ register: result
+ until: result.stdout.find("Succeeded") != -1
+ retries: 5
+ delay: 10
+ changed_when: no
+ when: not metrics_keystore.stat.exists or
+ not metrics_truststore.stat.exists or
+ not cassandra_keystore.stat.exists or
+ not cassandra_truststore.stat.exists or
+ not jgroups_keystore.stat.exists
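Review bot: The `jks-generator` service account is added to the `hostmount-anyuid` SCC, which lets any pod running as it mount host paths and pick its UID, and nothing in this file revokes that grant or deletes the generator pod once the wait loop sees `Succeeded`; the privileged SA and the finished pod (whose spec was rendered from the keystore passwords passed to `jks_pod.j2`, so presumably anyone who can read pods in the project can read them) stay behind indefinitely. Add teardown tasks after the wait so the elevated SCC membership lives only for the duration of the generation, and consider `no_log: true` on the template task since the password values are rendered through Ansible. The wait loop also only ever looks for `Succeeded`; a pod that lands in `Failed` burns all five retries before the play stops, so including the phase in the failure message, or failing early on `Failed`, would make that case diagnosable.

```yaml
# … unchanged: create JKS pod and wait for phase Succeeded …

- name: Remove JKS pod
  command: >
    {{ openshift.common.client_binary }}
    --config={{ mktemp.stdout }}/admin.kubeconfig
    -n {{openshift_metrics_project}}
    delete {{podoutput.stdout}} --ignore-not-found
  when: podoutput.stdout is defined
  changed_when: no

- name: Remove jks-generator from hostmount-anyuid scc
  command: >
    {{ openshift.common.admin_binary }}
    --config={{ mktemp.stdout }}/admin.kubeconfig
    -n {{openshift_metrics_project}}
    policy remove-scc-from-user hostmount-anyuid
    -z jks-generator
  when: not ansible_check_mode
```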
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 67d22cbc3..bab37dbfb 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -23,10 +23,10 @@ - name: Create objects include: oc_apply.yaml vars: - kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - namespace: "{{ openshift_metrics_project }}" - file_name: "{{ item }}" - file_content: "{{ lookup('file',item) | from_yaml }}" + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + namespace: "{{ openshift_metrics_project }}" + file_name: "{{ item }}" + file_content: "{{ lookup('file',item) | from_yaml }}" with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/oc_apply.yaml b/roles/openshift_metrics/tasks/oc_apply.yaml index c9154f206..dd67703b4 100644 --- a/roles/openshift_metrics/tasks/oc_apply.yaml +++ b/roles/openshift_metrics/tasks/oc_apply.yaml @@ -1,12 +1,13 @@ --- - name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}} command: > - {{ openshift.common.client_binary }} + {{ openshift.common.client_binary }} --config={{ kubeconfig }} get {{file_content.kind}} {{file_content.metadata.name}} - -o jsonpath='{.metadata.resourceVersion}' + -o jsonpath='{.metadata.resourceVersion}' -n {{namespace}} register: generation_init + failed_when: false changed_when: no - name: Applying {{file_name}} @@ -22,7 +23,7 @@ command: > {{ openshift.common.client_binary }} --config={{ kubeconfig }} get {{file_content.kind}} {{file_content.metadata.name}} - -o jsonpath='{.metadata.resourceVersion}' + -o jsonpath='{.metadata.resourceVersion}' -n {{namespace}} register: version_changed vars: diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index c185d3f88..5ca8f4462 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml 
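Review bot: `failed_when: false` on the initial `get` in oc_apply.yaml treats a connection or authorization error exactly like an object that does not exist yet: `generation_init.stdout` is empty, `init_version` falls back to 0, and the later comparison reports a change without anyone seeing why the read failed. Narrow it to `failed_when: generation_init.rc != 0 and 'not found' not in generation_init.stderr` (the not-found wording should be checked against the oc version in use). The `generation_init is defined` ternary that consumes it is always true for a registered variable; `init_version: "{{ generation_init.stdout | default('0', true) }}"` says what is meant.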
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml @@ -26,11 +26,11 @@ - name: generate random password for the {{ component }} keystore copy: - content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' when: > not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists - + - slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd register: keystore_password @@ -43,21 +43,10 @@ -password 'pass:{{keystore_password.content | b64decode }}' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists -- name: create the {{ component }} keystore from the pkcs12 file - command: > - keytool -v -importkeystore - -srckeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote }}.pkcs12' - -srcstoretype PKCS12 - -destkeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote}}.keystore' - -deststoretype JKS - -deststorepass '{{keystore_password.content | b64decode }}' - -srcstorepass '{{keystore_password.content | b64decode }}' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - - name: generate random password for the {{ component }} truststore copy: - content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' when: > not '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml index 524d4227b..bae181e3e 100644 --- a/roles/openshift_metrics/tasks/stop_metrics.yaml +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml 
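Review bot: The truststore password task keeps `| quote` in the `copy` module's `dest` (`'{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd'`) while the keystore task in the same hunk drops it; `quote` is the shell-quoting filter, so for a certs directory or component name that needs quoting it would embed literal quote characters in a path no shell ever interprets, and the file would land somewhere other than where the `slurp` of the truststore password expects. Use `dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'` to match the keystore task, and add `mode: '0600'` to both password `copy` tasks, since `content:`-written files otherwise get umask-default permissions.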
@@ -53,4 +53,3 @@ loop_control: loop_var: object when: metrics_cassandra_rc is defined - -- cgit v1.2.3