authorRich Megginson <rmeggins@redhat.com>2017-05-02 08:51:51 -0600
committerRich Megginson <rmeggins@redhat.com>2017-05-18 21:18:05 -0600
commita4c6ae5af5237bc4c09476be1c12e61b9d41fb9b (patch)
tree89550cab3eb2898df87db86c53005ab01431ccb2 /roles/openshift_logging/tasks
parentbe064f7be58d905874e8ebc34c8f270841b49887 (diff)
add ability to expose Elasticsearch as an external route
This adds the ability to expose Elasticsearch as a route outside of the cluster. - `openshift_logging_es_allow_external`: True (default is False) - if this is True, Elasticsearch will be exposed as a Route - `openshift_logging_es_ops_hostname`: The external-facing hostname to use for the route and the TLS server certificate (default is "es." + `openshift_master_default_subdomain`) There are other similar parameters for the TLS server cert, key, and CA cert. There are other similar parameters for when the OPS cluster is deployed, e.g. `openshift_logging_es_ops_allow_external`, etc.
Diffstat (limited to 'roles/openshift_logging/tasks')
-rw-r--r--roles/openshift_logging/tasks/generate_certs.yaml26
-rw-r--r--roles/openshift_logging/tasks/generate_routes.yaml92
-rw-r--r--roles/openshift_logging/tasks/generate_secrets.yaml28
3 files changed, 146 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index b34df018d..46a7e82c6 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -60,6 +60,24 @@
- procure_component: mux
when: openshift_logging_use_mux
+- include: procure_server_certs.yaml
+ loop_control:
+ loop_var: cert_info
+ with_items:
+ - procure_component: es
+ hostnames: "es, {{openshift_logging_es_hostname}}"
+ when: openshift_logging_es_allow_external | bool
+
+- include: procure_server_certs.yaml
+ loop_control:
+ loop_var: cert_info
+ with_items:
+ - procure_component: es-ops
+ hostnames: "es-ops, {{openshift_logging_es_ops_hostname}}"
+ when:
+ - openshift_logging_es_allow_external | bool
+ - openshift_logging_use_ops | bool
+
- name: Copy proxy TLS configuration file
copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
when: server_tls_json is undefined
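Review bot: The es-ops server certificate is procured under `openshift_logging_es_allow_external` (first entry of the second include's `when`), while the es-ops route and its key/cert facts in generate_routes.yaml are gated on `openshift_logging_es_ops_allow_external`; with only the ops flag set the route is rendered but no `es-ops` certificate is ever produced, and with only the es flag set an unused ops certificate is generated. The condition should read `- openshift_logging_es_ops_allow_external | bool` so that the certificate carrying `"es-ops, {{openshift_logging_es_ops_hostname}}"` is created exactly when the ops route is. The es include just above is consistent with its route and needs no change.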
@@ -108,6 +126,14 @@
loop_var: node_name
when: openshift_logging_use_mux
+- name: Generate PEM cert for Elasticsearch external route
+ include: generate_pems.yaml component={{node_name}}
+ with_items:
+ - system.logging.es
+ loop_control:
+ loop_var: node_name
+ when: openshift_logging_es_allow_external | bool
+
- name: Creating necessary JKS certs
include: generate_jks.yaml
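Review bot: Only `system.logging.es` receives a PEM here, and only the `es` component receives a secret in the generate_secrets.yaml hunk of this commit, although generate_routes.yaml adds an es-ops route alongside the es one. If the ops route is meant to mirror the es route, a `- system.logging.es-ops` item gated on `openshift_logging_es_ops_allow_external | bool` and `openshift_logging_use_ops | bool` belongs in this with_items, with a matching `es-ops` item in the secrets task; if the ops route intentionally reuses the es material, a one-line comment above this task stating that would spare the next reader the comparison. Whether the ops route depends on this PEM is not visible from the hunk, so treat this as a question rather than a confirmed gap.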
diff --git a/roles/openshift_logging/tasks/generate_routes.yaml b/roles/openshift_logging/tasks/generate_routes.yaml
index f76bb3a0a..c45b3d804 100644
--- a/roles/openshift_logging/tasks/generate_routes.yaml
+++ b/roles/openshift_logging/tasks/generate_routes.yaml
@@ -75,3 +75,95 @@
provider: openshift
when: openshift_logging_use_ops | bool
changed_when: no
+
+- set_fact: es_key={{ lookup('file', openshift_logging_es_key) | b64encode }}
+ when:
+ - openshift_logging_es_key | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_cert={{ lookup('file', openshift_logging_es_cert)| b64encode }}
+ when:
+ - openshift_logging_es_cert | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_ca={{ lookup('file', openshift_logging_es_ca_ext)| b64encode }}
+ when:
+ - openshift_logging_es_ca_ext | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_ca={{key_pairs | entry_from_named_pair('ca_file') }}
+ when:
+ - es_ca is not defined
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- name: Generating Elasticsearch logging routes
+ template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-route.yaml
+ tags: routes
+ vars:
+ obj_name: "logging-es"
+ route_host: "{{openshift_logging_es_hostname}}"
+ service_name: "logging-es"
+ tls_key: "{{es_key | default('') | b64decode}}"
+ tls_cert: "{{es_cert | default('') | b64decode}}"
+ tls_ca_cert: "{{es_ca | b64decode}}"
+ tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
+ edge_term_policy: "{{openshift_logging_es_edge_term_policy | default('') }}"
+ labels:
+ component: support
+ logging-infra: support
+ provider: openshift
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool
+
+- set_fact: es_ops_key={{ lookup('file', openshift_logging_es_ops_key) | b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{ openshift_logging_es_ops_key | trim | length > 0 }}"
+ changed_when: false
+
+- set_fact: es_ops_cert={{ lookup('file', openshift_logging_es_ops_cert)| b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{openshift_logging_es_ops_cert | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: es_ops_ca={{ lookup('file', openshift_logging_es_ops_ca_ext)| b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{openshift_logging_es_ops_ca_ext | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: es_ops_ca={{key_pairs | entry_from_named_pair('ca_file') }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - es_ops_ca is not defined
+ changed_when: false
+
+- name: Generating Elasticsearch logging ops routes
+ template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-ops-route.yaml
+ tags: routes
+ vars:
+ obj_name: "logging-es-ops"
+ route_host: "{{openshift_logging_es_ops_hostname}}"
+ service_name: "logging-es-ops"
+ tls_key: "{{es_ops_key | default('') | b64decode}}"
+ tls_cert: "{{es_ops_cert | default('') | b64decode}}"
+ tls_ca_cert: "{{es_ops_ca | b64decode}}"
+ tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
+ edge_term_policy: "{{openshift_logging_es_ops_edge_term_policy | default('') }}"
+ labels:
+ component: support
+ logging-infra: support
+ provider: openshift
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ changed_when: no
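Review bot: The `set_fact` tasks that read `openshift_logging_es_key` and `openshift_logging_es_ops_key` store the base64-encoded private key in a fact and run without `no_log`, so the key is printed in verbose or failed-task output and can end up in the controller's logs; add `no_log: true` to both tasks (the same applies to the `slurp` of `system.logging.es.key` registered as `es_key_pairs` in generate_secrets.yaml). Separately, the three ops conditions of the form `- "{{ openshift_logging_es_ops_key | trim | length > 0 }}"` wrap the test in Jinja delimiters while the es tasks above use the bare form `- openshift_logging_es_key | trim | length > 0`; Ansible warns about templating delimiters inside `when`, so the bare form should be used for the ops tasks as well.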
diff --git a/roles/openshift_logging/tasks/generate_secrets.yaml b/roles/openshift_logging/tasks/generate_secrets.yaml
index c1da49fd8..b629bd995 100644
--- a/roles/openshift_logging/tasks/generate_secrets.yaml
+++ b/roles/openshift_logging/tasks/generate_secrets.yaml
@@ -99,3 +99,31 @@
when: logging_es_secret.stdout is defined
check_mode: no
changed_when: no
+
+- name: Retrieving the cert to use when generating secrets for Elasticsearch external route
+ slurp: src="{{generated_certs_dir}}/{{item.file}}"
+ register: es_key_pairs
+ with_items:
+ - { name: "ca_file", file: "ca.crt" }
+ - { name: "es_key", file: "system.logging.es.key"}
+ - { name: "es_cert", file: "system.logging.es.crt"}
+ when: openshift_logging_es_allow_external | bool
+
+- name: Generating secrets for Elasticsearch external route
+ template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
+ vars:
+ secret_name: "logging-{{component}}"
+ secret_key_file: "{{component}}_key"
+ secret_cert_file: "{{component}}_cert"
+ secrets:
+ - {key: ca, value: "{{es_key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
+ - {key: key, value: "{{es_key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
+ - {key: cert, value: "{{es_key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
+ secret_keys: ["ca", "cert", "key"]
+ with_items:
+ - es
+ loop_control:
+ loop_var: component
+ check_mode: no
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool