-rw-r--r--roles/openshift_logging/README.md3
-rw-r--r--roles/openshift_logging/files/generate-jks.sh12
-rw-r--r--roles/openshift_logging/tasks/generate_certs.yaml16
3 files changed, 18 insertions, 13 deletions
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md
index 2cc2c48ee..07b9cf13e 100644
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -6,6 +6,9 @@ This role is used for installing the Aggregated Logging stack. It should be run
a single host, it will create any missing certificates and API objects that the current
[logging deployer](https://github.com/openshift/origin-aggregated-logging/tree/master/deployer) does.
+This role requires that the control host it is run on has Java installed as part of keystore
+generation for Elasticsearch (it uses JKS).
+
As part of the installation, it is recommended that you add the Fluentd node selector label
to the list of persisted [node labels](https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-node-host-labels).
diff --git a/roles/openshift_logging/files/generate-jks.sh b/roles/openshift_logging/files/generate-jks.sh
index 995ec0b98..9fe557f83 100644
--- a/roles/openshift_logging/files/generate-jks.sh
+++ b/roles/openshift_logging/files/generate-jks.sh
@@ -1,6 +1,10 @@
#! /bin/sh
set -ex
+function usage() {
+ echo Usage: `basename $0` cert_directory [logging_namespace] 1>&2
+}
+
function generate_JKS_chain() {
dir=${SCRATCH_DIR:-_output}
ADD_OID=$1
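Review bot: `function usage()` on the added line is a bash-only form, yet the shebang two lines above is `#! /bin/sh`; now that the generate_certs.yaml hunk in this same change runs the script directly through Ansible's script module instead of under `--entrypoint /bin/bash`, a host whose /bin/sh is dash (Debian/Ubuntu) will fail to parse it. The pre-existing `[[ ... ]]` test further down the file needs bash as well, so the least invasive fix is to change the first line to `#!/bin/bash`; otherwise write the helper as `usage() {` and convert the other bashisms. Independently, `basename $0` should be `basename "$0"` so a script path containing spaces is not word-split. generate_JKS_chain's body continues outside the hunk.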
@@ -147,8 +151,14 @@ function createTruststore() {
-noprompt -alias sig-ca
}
-dir="$CERT_DIR"
+if [ $# -lt 1 ]; then
+ usage
+ exit 1
+fi
+
+dir=$1
SCRATCH_DIR=$dir
+PROJECT=${2:-logging}
if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then
generate_JKS_client_cert "system.admin"
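Review bot: The new argument check only tests that something was passed, not that `$1` is a directory, and `dir=$1` drops the quoting the replaced `dir="$CERT_DIR"` had, so a missing or whitespace-containing path surfaces later as keytool/openssl failures instead of the usage message just added. Tighten it to `if [ $# -lt 1 ] || [ ! -d "$1" ]; then` and assign `dir="$1"`. Separately, with `set -ex` in effect the existing `keytool -list ... -storepass kspass` line echoes the hard-coded keystore password to stderr, which the script module is likely to capture into the registered result; that is pre-existing, but now more visible and worth a follow-up. The if block that begins on the last line of the hunk continues outside it.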
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index b3826838a..3940ff971 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -112,20 +112,12 @@
register: truststore_jks
check_mode: no
-- name: create JKS generation container
- command: >
- docker run
- -u 0
- -e "PROJECT={{openshift_logging_namespace}}"
- -e "CERT_DIR={{generated_certs_dir}}"
- -v "{{generated_certs_dir}}:{{generated_certs_dir}}"
- --name "jks_gen_{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(10)}}"
- --entrypoint="/bin/bash"
- "{{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}"
- "{{generated_certs_dir}}/generate-jks.sh"
- register: container_output
+- name: Run JKS generation script
+ script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}}
+ register: script_output
check_mode: no
become: yes
+ changed_when: script_output.RC == "0"
when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
# check for secret/logging-kibana-proxy
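Review bot: The new `script:` line passes `{{generate_certs_dir}}`, while the removed docker lines and the stat facts the `when:` depends on all use `generated_certs_dir`, so this looks like a typo that will fail the task on an undefined variable (or hand the script an empty path if undefined variables are tolerated). `changed_when: script_output.RC == "0"` has the same problem: the script module's result exposes an integer `rc`, not `RC`, and even with the right key comparing against the string "0" is never true in Jinja; use `changed_when: script_output.rc == 0`. I would also quote the templated value, `script: "generate-jks.sh {{ generated_certs_dir }} {{ openshift_logging_namespace }}"`, and note that the script module executes on the managed host, so keytool/Java must exist there — the README line in this change says "control host", which may not be the same machine and is worth confirming.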