From 06c111d22641ba5cc2dbbe0144d9d6722d94f159 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Wed, 11 Jan 2017 15:26:46 -0600 Subject: addressing comments --- roles/openshift_logging/defaults/main.yml | 2 +- roles/openshift_logging/files/signing.conf | 103 ----------- roles/openshift_logging/files/util.sh | 192 --------------------- roles/openshift_logging/filter_plugins/__init__.py | 0 roles/openshift_logging/library/__init.py__ | 0 roles/openshift_logging/meta/main.yaml | 14 +- roles/openshift_logging/tasks/generate_certs.yaml | 48 ++---- .../tasks/generate_configmaps.yaml | 25 ++- .../tasks/generate_jks_chain.yaml | 60 ------- roles/openshift_logging/tasks/generate_pkcs12.yaml | 24 --- roles/openshift_logging/tasks/install_fluentd.yaml | 15 +- roles/openshift_logging/tasks/install_logging.yaml | 6 +- roles/openshift_logging/tasks/label_node.yaml | 8 +- roles/openshift_logging/tasks/main.yaml | 5 + roles/openshift_logging/tasks/scale.yaml | 16 +- roles/openshift_logging/tasks/start_cluster.yaml | 24 +-- roles/openshift_logging/tasks/stop_cluster.yaml | 24 +-- roles/openshift_logging/tasks/upgrade_logging.yaml | 4 +- roles/openshift_logging/templates/fluentd.j2 | 2 +- roles/openshift_logging/templates/signing.conf.j2 | 103 +++++++++++ 20 files changed, 214 insertions(+), 461 deletions(-) delete mode 100644 roles/openshift_logging/files/signing.conf delete mode 100644 roles/openshift_logging/files/util.sh delete mode 100644 roles/openshift_logging/filter_plugins/__init__.py delete mode 100644 roles/openshift_logging/library/__init.py__ delete mode 100644 roles/openshift_logging/tasks/generate_jks_chain.yaml delete mode 100644 roles/openshift_logging/tasks/generate_pkcs12.yaml create mode 100644 roles/openshift_logging/templates/signing.conf.j2 diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index a441f10b9..4eb852207 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -33,7 +33,7 @@ openshift_logging_kibana_ops_proxy_debug: false openshift_logging_kibana_ops_proxy_cpu_limit: null openshift_logging_kibana_ops_proxy_memory_limit: null -openshift_logging_fluentd_nodeselector: '"logging-infra-fluentd": "true"' +openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'} openshift_logging_fluentd_cpu_limit: 100m openshift_logging_fluentd_memory_limit: 512Mi openshift_logging_fluentd_es_copy: false diff --git a/roles/openshift_logging/files/signing.conf b/roles/openshift_logging/files/signing.conf deleted file mode 100644 index 810a057d9..000000000 --- a/roles/openshift_logging/files/signing.conf +++ /dev/null @@ -1,103 +0,0 @@ -# Simple Signing CA - -# The [default] section contains global constants that can be referred to from -# the entire configuration file. It may also hold settings pertaining to more -# than one openssl command. - -[ default ] -#dir = _output # Top dir - -# The next part of the configuration file is used by the openssl req command. -# It defines the CA's key pair, its DN, and the desired extensions for the CA -# certificate. - -[ req ] -default_bits = 2048 # RSA key size -encrypt_key = yes # Protect private key -default_md = sha1 # MD to use -utf8 = yes # Input is UTF-8 -string_mask = utf8only # Emit UTF-8 strings -prompt = no # Don't prompt for DN -distinguished_name = ca_dn # DN section -req_extensions = ca_reqext # Desired extensions - -[ ca_dn ] -0.domainComponent = "io" -1.domainComponent = "openshift" -organizationName = "OpenShift Origin" -organizationalUnitName = "Logging Signing CA" -commonName = "Logging Signing CA" - -[ ca_reqext ] -keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true,pathlen:0 -subjectKeyIdentifier = hash - -# The remainder of the configuration file is used by the openssl ca command. -# The CA section defines the locations of CA assets, as well as the policies -# applying to the CA. - -[ ca ] -default_ca = signing_ca # The default CA section - -[ signing_ca ] -certificate = $dir/ca.crt # The CA cert -private_key = $dir/ca.key # CA private key -new_certs_dir = $dir/ # Certificate archive -serial = $dir/ca.serial.txt # Serial number file -crlnumber = $dir/ca.crl.srl # CRL number file -database = $dir/ca.db # Index file -unique_subject = no # Require unique subject -default_days = 730 # How long to certify for -default_md = sha1 # MD to use -policy = any_pol # Default naming policy -email_in_dn = no # Add email to cert DN -preserve = no # Keep passed DN ordering -name_opt = ca_default # Subject DN display options -cert_opt = ca_default # Certificate display options -copy_extensions = copy # Copy extensions from CSR -x509_extensions = client_ext # Default cert extensions -default_crl_days = 7 # How long before next CRL -crl_extensions = crl_ext # CRL extensions - -# Naming policies control which parts of a DN end up in the certificate and -# under what circumstances certification should be denied. - -[ match_pol ] -domainComponent = match # Must match 'simple.org' -organizationName = match # Must match 'Simple Inc' -organizationalUnitName = optional # Included if present -commonName = supplied # Must be present - -[ any_pol ] -domainComponent = optional -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -# Certificate extensions define what types of certificates the CA is able to -# create. - -[ client_ext ] -keyUsage = critical,digitalSignature,keyEncipherment -basicConstraints = CA:false -extendedKeyUsage = clientAuth -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid - -[ server_ext ] -keyUsage = critical,digitalSignature,keyEncipherment -basicConstraints = CA:false -extendedKeyUsage = serverAuth,clientAuth -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid - -# CRL extensions exist solely to point to the CA certificate that has issued -# the CRL. - -[ crl_ext ] -authorityKeyIdentifier = keyid diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh deleted file mode 100644 index 5752a0fcd..000000000 --- a/roles/openshift_logging/files/util.sh +++ /dev/null @@ -1,192 +0,0 @@ -#!/bin/bash - -function generate_JKS_chain() { - dir=${SCRATCH_DIR:-_output} - ADD_OID=$1 - NODE_NAME=$2 - CERT_NAMES=${3:-$NODE_NAME} - ks_pass=${KS_PASS:-kspass} - ts_pass=${TS_PASS:-tspass} - rm -rf $NODE_NAME - - extension_names="" - for name in ${CERT_NAMES//,/ }; do - extension_names="${extension_names},dns:${name}" - done - - if [ "$ADD_OID" = true ]; then - extension_names="${extension_names},oid:1.2.3.4.5.5" - fi - - echo Generating keystore and certificate for node $NODE_NAME - - "$keytool" -genkey \ - -alias $NODE_NAME \ - -keystore $dir/keystore.jks \ - -keypass $ks_pass \ - -storepass $ks_pass \ - -keyalg RSA \ - -keysize 2048 \ - -validity 712 \ - -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \ - -ext san=dns:localhost,ip:127.0.0.1"${extension_names}" - - echo Generating certificate signing request for node $NODE_NAME - - "$keytool" -certreq \ - -alias $NODE_NAME \ - -keystore $dir/keystore.jks \ - -storepass $ks_pass \ - -file $dir/$NODE_NAME.csr \ - -keyalg rsa \ - -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \ - -ext san=dns:localhost,ip:127.0.0.1"${extension_names}" - - echo Sign certificate request with CA - - openssl ca \ - -in $dir/$NODE_NAME.csr \ - -notext \ - -out $dir/$NODE_NAME.crt \ - -config $dir/signing.conf \ - -extensions v3_req \ - -batch \ - -extensions server_ext - - echo "Import back to keystore (including CA chain)" - - "$keytool" \ - -import \ - -file $dir/ca.crt \ - -keystore $dir/keystore.jks \ - -storepass $ks_pass \ - -noprompt -alias sig-ca - - "$keytool" \ - -import \ - -file $dir/$NODE_NAME.crt \ - -keystore $dir/keystore.jks \ - -storepass $ks_pass \ - -noprompt \ - -alias $NODE_NAME - - echo "Import CA to truststore for validating client certs" - - "$keytool" \ - -import \ - -file $dir/ca.crt \ - -keystore $dir/truststore.jks \ - -storepass $ts_pass \ - -noprompt -alias sig-ca - - echo All done for $NODE_NAME -} - -function generate_PEM_cert() { - NODE_NAME="$1" - dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets - - echo Generating keystore and certificate for node ${NODE_NAME} - - openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes - - echo Sign certificate request with CA - openssl ca \ - -in "$dir/$NODE_NAME.csr" \ - -notext \ - -out "$dir/$NODE_NAME.crt" \ - -config $dir/signing.conf \ - -extensions v3_req \ - -batch \ - -extensions server_ext -} - -function generate_JKS_client_cert() { - NODE_NAME="$1" - ks_pass=${KS_PASS:-kspass} - ts_pass=${TS_PASS:-tspass} - dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets - - echo Generating keystore and certificate for node ${NODE_NAME} - - "$keytool" -genkey \ - -alias $NODE_NAME \ - -keystore $dir/$NODE_NAME.jks \ - -keyalg RSA \ - -keysize 2048 \ - -validity 712 \ - -keypass $ks_pass \ - -storepass $ks_pass \ - -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" - - echo Generating certificate signing request for node $NODE_NAME - - "$keytool" -certreq \ - -alias $NODE_NAME \ - -keystore $dir/$NODE_NAME.jks \ - -file $dir/$NODE_NAME.csr \ - -keyalg rsa \ - -keypass $ks_pass \ - -storepass $ks_pass \ - -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" - - echo Sign certificate request with CA - openssl ca \ - -in "$dir/$NODE_NAME.csr" \ - -notext \ - -out "$dir/$NODE_NAME.crt" \ - -config $dir/signing.conf \ - -extensions v3_req \ - -batch \ - -extensions server_ext - - echo "Import back to keystore (including CA chain)" - - "$keytool" \ - -import \ - -file $dir/ca.crt \ - -keystore $dir/$NODE_NAME.jks \ - -storepass $ks_pass \ - -noprompt -alias sig-ca - - "$keytool" \ - -import \ - -file $dir/$NODE_NAME.crt \ - -keystore $dir/$NODE_NAME.jks \ - -storepass $ks_pass \ - -noprompt \ - -alias $NODE_NAME - - echo All done for $NODE_NAME -} - -function join { local IFS="$1"; shift; echo "$*"; } - -function get_es_dcs() { - oc get dc --selector logging-infra=elasticsearch -o name -} - -function get_curator_dcs() { - oc get dc --selector logging-infra=curator -o name -} - -function extract_nodeselector() { - local inputstring="${1//\"/}" # remove any errant double quotes in the inputs - local selectors=() - - for keyvalstr in ${inputstring//\,/ }; do - - keyval=( ${keyvalstr//=/ } ) - - if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then - selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"") - else - echo "Could not make a node selector label from '${keyval[*]}'" - exit 255 - fi - done - - if [[ "${#selectors[*]}" -gt 0 ]]; then - echo nodeSelector: "{" $(join , "${selectors[@]}") "}" - fi -} diff --git a/roles/openshift_logging/filter_plugins/__init__.py b/roles/openshift_logging/filter_plugins/__init__.py deleted file mode 100644 index e69de29bb..000000000 diff --git a/roles/openshift_logging/library/__init.py__ b/roles/openshift_logging/library/__init.py__ deleted file mode 100644 index e69de29bb..000000000 diff --git a/roles/openshift_logging/meta/main.yaml b/roles/openshift_logging/meta/main.yaml index 8bff6cfb7..a95c84901 100644 --- a/roles/openshift_logging/meta/main.yaml +++ b/roles/openshift_logging/meta/main.yaml @@ -1,3 +1,15 @@ --- +galaxy_info: + author: OpenShift Red Hat + description: OpenShift Embedded Router + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud dependencies: - - { role: openshift_facts } + - role: openshift_facts diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index 6bfeccf61..bcf4881bb 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml @@ -31,14 +31,10 @@ register: signing_conf_file check_mode: no -- block: - - copy: src=signing.conf dest={{generated_certs_dir}}/signing.conf - check_mode: no - - - lineinfile: "dest={{generated_certs_dir}}/signing.conf regexp='# Top dir$' line='dir = {{generated_certs_dir}} # Top dir'" - check_mode: no - when: - - not signing_conf_file.stat.exists +- template: src=signing.conf.j2 dest={{generated_certs_dir}}/signing.conf + vars: + - top_dir: '{{generated_certs_dir}}' + when: not signing_conf_file.stat.exists - include: procure_server_certs.yaml loop_control: @@ -49,19 +45,6 @@ - procure_component: kibana-internal hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}" -# - include: procure_server_certs.yaml -# vars: -# - procure_component: kibana - -# - include: procure_server_certs.yaml -# vars: -# - procure_component: kibana-ops - -# - include: procure_server_certs.yaml -# vars: -# - procure_component: kibana-internal -# - hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}" - - name: Copy proxy TLS configuration file copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json when: server_tls_json is undefined @@ -116,8 +99,8 @@ - name: Check for hostmount-anyuid scc entry shell: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o go-template='{{ '{{' }}.users{{ '}}' }}' | - grep system:serviceaccount:{{openshift_logging_namespace}}:jks-generator + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}' | + grep system:serviceaccount:{{openshift_logging_namespace | quote}}:jks-generator register: scc_result ignore_errors: yes when: not ansible_check_mode @@ -131,34 +114,33 @@ copy: src: generate-jks.sh dest: "{{generated_certs_dir}}/generate-jks.sh" + check_mode: no - name: Generate JKS chains template: src: jks_pod.j2 dest: "{{mktemp.stdout}}/jks_pod.yaml" + check_mode: no - name: create pod - shell: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} -o name register: podoutput + check_mode: no -- shell: > - echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}' - register: podname - -- shell: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get pod {{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{openshift_logging_namespace}} +- command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{podoutput.stdout}} -o jsonpath='{.status.phase}' -n {{openshift_logging_namespace}} register: result until: result.stdout.find("Succeeded") != -1 retries: 5 delay: 10 - name: Generate proxy session - shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 200 + command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}} register: session_secret check_mode: no - name: Generate oauth client secret - shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64 + command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}} register: oauth_secret check_mode: no diff --git a/roles/openshift_logging/tasks/generate_configmaps.yaml b/roles/openshift_logging/tasks/generate_configmaps.yaml index 86882a5da..f9f9ee79f 100644 --- a/roles/openshift_logging/tasks/generate_configmaps.yaml +++ b/roles/openshift_logging/tasks/generate_configmaps.yaml @@ -4,37 +4,44 @@ src: elasticsearch-logging.yml dest: "{{mktemp.stdout}}/elasticsearch-logging.yml" when: es_logging_contents is undefined + changed_when: no - copy: src: elasticsearch.yml dest: "{{mktemp.stdout}}/elasticsearch.yml" when: es_config_contents is undefined + changed_when: no - lineinfile: dest: "{{mktemp.stdout}}/elasticsearch.yml" regexp: '^openshift\.operations\.allow_cluster_reader(.)*$' line: "\nopenshift.operations.allow_cluster_reader: {{openshift_logging_es_ops_allow_cluster_reader | lower}}" when: es_config_contents is undefined + changed_when: no - copy: content: "{{es_logging_contents}}" dest: "{{mktemp.stdout}}/elasticsearch-logging.yml" when: es_logging_contents is defined + changed_when: no - copy: content: "{{es_config_contents}}" dest: "{{mktemp.stdout}}/elasticsearch.yml" when: es_config_contents is defined + changed_when: no - - shell: > + - command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-elasticsearch --from-file=logging.yml={{mktemp.stdout}}/elasticsearch-logging.yml --from-file=elasticsearch.yml={{mktemp.stdout}}/elasticsearch.yml -o yaml --dry-run register: es_configmap + changed_when: no - copy: content: "{{es_configmap.stdout}}" dest: "{{mktemp.stdout}}/templates/logging-elasticsearch-configmap.yaml" when: es_configmap.stdout is defined + changed_when: no check_mode: no - block: @@ -42,21 +49,25 @@ src: curator.yml dest: "{{mktemp.stdout}}/curator.yml" when: curator_config_contents is undefined + changed_when: no - copy: content: "{{curator_config_contents}}" dest: "{{mktemp.stdout}}/curator.yml" when: curator_config_contenets is defined + changed_when: no - - shell: > + - command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-curator --from-file=config.yaml={{mktemp.stdout}}/curator.yml -o yaml --dry-run register: curator_configmap + changed_when: no - copy: content: "{{curator_configmap.stdout}}" dest: "{{mktemp.stdout}}/templates/logging-curator-configmap.yaml" when: curator_configmap.stdout is defined + changed_when: no check_mode: no - block: @@ -64,40 +75,48 @@ src: fluent.conf dest: "{{mktemp.stdout}}/fluent.conf" when: fluentd_config_contents is undefined + changed_when: no - copy: src: fluentd-throttle-config.yaml dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml" when: fluentd_throttle_contents is undefined + changed_when: no - copy: src: secure-forward.conf dest: "{{mktemp.stdout}}/secure-forward.conf" when: fluentd_securefoward_contents is undefined + changed_when: no - copy: content: "{{fluentd_config_contents}}" dest: "{{mktemp.stdout}}/fluent.conf" when: fluentd_config_contents is defined + changed_when: no - copy: content: "{{fluentd_throttle_contents}}" dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml" when: fluentd_throttle_contents is defined + changed_when: no - copy: content: "{{fluentd_secureforward_contents}}" dest: "{{mktemp.stdout}}/secure-forward.conf" when: fluentd_secureforward_contents is defined + changed_when: no - - shell: > + - command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-fluentd --from-file=fluent.conf={{mktemp.stdout}}/fluent.conf --from-file=throttle-config.yaml={{mktemp.stdout}}/fluentd-throttle-config.yaml --from-file=secure-forward.conf={{mktemp.stdout}}/secure-forward.conf -o yaml --dry-run register: fluentd_configmap + changed_when: no - copy: content: "{{fluentd_configmap.stdout}}" dest: "{{mktemp.stdout}}/templates/logging-fluentd-configmap.yaml" when: fluentd_configmap.stdout is defined + changed_when: no check_mode: no diff --git a/roles/openshift_logging/tasks/generate_jks_chain.yaml b/roles/openshift_logging/tasks/generate_jks_chain.yaml deleted file mode 100644 index 14ffdc51f..000000000 --- a/roles/openshift_logging/tasks/generate_jks_chain.yaml +++ /dev/null @@ -1,60 +0,0 @@ ---- -- debug: msg="certs are {{chain_certs}} and oid is {{oid}}" - when: chain_certs is defined and oid is defined - -- debug: msg="certs are {{chain_certs}}" - when: chain_certs is defined and oid is undefined - -- name: Build extensions with certs - shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid:1.2.3.4.5.5','') }}" - register: cert_ext - when: chain_certs is defined and oid is defined - check_mode: no - -- debug: msg="extensions are {{cert_ext.stdout}}" - when: cert_ext.stdout is defined - -- shell: > - echo {{ (cert_ext.stdout is defined) | ternary( '-ext san=dns:localhost,ip:127.0.0.1','') }}{{ (cert_ext.stdout is defined) | ternary( cert_ext.stdout, '') }} - register: extensions - check_mode: no - -- name: Checking for {{component}}.jks ... - stat: path="{{generated_certs_dir}}/{{component}}.jks" - register: jks_file - check_mode: no - -- name: Checking for truststore... - stat: path="{{generated_certs_dir}}/truststore.jks" - register: jks_truststore - check_mode: no - -- block: - - shell: > - keytool -genkey -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -keypass kspass -storepass kspass - -keyalg RSA -keysize 2048 -validity 712 -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}} - - - shell: > - keytool -certreq -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -storepass kspass - -file {{generated_certs_dir}}/{{component}}-jks.csr -keyalg RSA -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}} - - - shell: > - openssl ca -in {{generated_certs_dir}}/{{component}}-jks.csr -notext -out {{generated_certs_dir}}/{{component}}-jks.crt - -config {{generated_certs_dir}}/signing.conf -extensions v3_req -batch -extensions server_ext - - - shell: > - keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/{{component}}.jks - -storepass kspass -noprompt -alias sig-ca - - - shell: > - keytool -import -file {{generated_certs_dir}}/{{component}}-jks.crt -keystore {{generated_certs_dir}}/{{component}}.jks - -storepass kspass -noprompt -alias {{component}} - - when: not jks_file.stat.exists - check_mode: no - -- block: - - shell: > - keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/truststore.jks -storepass tspass -noprompt -alias sig-ca - when: not jks_truststore.stat.exists - check_mode: no diff --git a/roles/openshift_logging/tasks/generate_pkcs12.yaml b/roles/openshift_logging/tasks/generate_pkcs12.yaml deleted file mode 100644 index dde65746f..000000000 --- a/roles/openshift_logging/tasks/generate_pkcs12.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- debug: msg="certs are {{chain_certs}} and oid is {{oid}}" - when: chain_certs is defined and oid is defined - -- debug: msg="certs are {{chain_certs}}" - when: chain_certs is defined and oid is undefined - -- name: Build extensions with certs - shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid=1.2.3.4.5.5','') }}" - register: cert_ext - when: chain_certs is defined and oid is defined - -- debug: msg="extensions are {{cert_ext.stdout}}" - when: cert_ext.stdout is defined - -- include: generate_pems.yaml - -- local_action: stat path="{{mktemp.stdout}}/{{component}}.pkcs12" - register: pkcs_file - become: no - -- name: Generating pkcs12 chain for {{component}} - command: openssl pkcs12 -export -out {{generated_certs_dir}}/{{component}}.pkcs12 -inkey {{generated_certs_dir}}/{{component}}.key -in {{generated_certs_dir}}/{{component}}.crt -password pass:pass - when: not pkcs_file.stat.exists diff --git a/roles/openshift_logging/tasks/install_fluentd.yaml b/roles/openshift_logging/tasks/install_fluentd.yaml index 35bd452ed..6f93081d7 100644 --- a/roles/openshift_logging/tasks/install_fluentd.yaml +++ b/roles/openshift_logging/tasks/install_fluentd.yaml @@ -1,14 +1,23 @@ --- -- shell: > +- command: > echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}" register: fluentd_ops_host check_mode: no -- shell: > +- command: > echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}" register: fluentd_ops_port check_mode: no +- command: > + echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}" + register: openshift_logging_fluentd_nodeselector_key + check_mode: no + +- command: > + echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}" + register: openshift_logging_fluentd_nodeselector_value + check_mode: no - name: Generating Fluentd daemonset template: src=fluentd.j2 dest={{mktemp.stdout}}/templates/logging-fluentd.yaml @@ -19,6 +28,8 @@ daemonset_serviceAccount: aggregated-logging-fluentd ops_host: "{{ fluentd_ops_host.stdout }}" ops_port: "{{ fluentd_ops_port.stdout }}" + fluentd_nodeselector_key: "{{openshift_logging_fluentd_nodeselector_key.stdout}}" + fluentd_nodeselector_value: "{{openshift_logging_fluentd_nodeselector_value.stdout}}" check_mode: no - name: "Set permissions for fluentd" diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index 591f11476..09630e213 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml @@ -24,14 +24,14 @@ loop_var: install_component - name: Register API objects from generated templates - shell: ls -d -1 {{mktemp.stdout}}/templates/* | sort + command: ls -1 {{mktemp.stdout}}/templates/ register: logging_objects check_mode: no - name: Creating API objects from generated templates command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{file}} -n {{openshift_logging_namespace}} - with_items: "{{logging_objects.stdout_lines}}" + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{mktemp.stdout}}/templates/{{file}} -n {{openshift_logging_namespace}} + with_items: "{{logging_objects.stdout_lines | sort}}" loop_control: loop_var: file when: not ansible_check_mode diff --git a/roles/openshift_logging/tasks/label_node.yaml b/roles/openshift_logging/tasks/label_node.yaml index 55cfea38c..f35ccc3b6 100644 --- a/roles/openshift_logging/tasks/label_node.yaml +++ b/roles/openshift_logging/tasks/label_node.yaml @@ -1,12 +1,12 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}} - --template='{{ '{{index .metadata.labels "' }}{{label}}{{ '"}}' }}' + -o jsonpath='{.metadata.labels.{{ label }}}' register: label_value failed_when: label_value.rc == 1 and 'exists' not in label_value.stderr when: not ansible_check_mode -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} --overwrite register: label_result failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr @@ -17,7 +17,7 @@ - unlabel is not defined or not unlabel - not ansible_check_mode -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}- register: label_result failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml index b64c24ade..c4ec1b255 100644 --- a/roles/openshift_logging/tasks/main.yaml +++ b/roles/openshift_logging/tasks/main.yaml @@ -1,4 +1,9 @@ --- +- fail: + msg: Only one Fluentd nodeselector key pair should be provided + when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1" + + - name: Create temp directory for doing work in command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX register: mktemp diff --git a/roles/openshift_logging/tasks/scale.yaml b/roles/openshift_logging/tasks/scale.yaml index 3d86ea171..aa3e39641 100644 --- a/roles/openshift_logging/tasks/scale.yaml +++ b/roles/openshift_logging/tasks/scale.yaml @@ -1,26 +1,26 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} - --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_logging_namespace}} + -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}} register: replica_count failed_when: replica_count.rc == 1 and 'exists' not in replica_count.stderr when: not ansible_check_mode -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}} --replicas={{desired}} -n {{openshift_logging_namespace}} register: scale_result failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr when: - - replica_count.stdout != desired - not ansible_check_mode + - replica_count.stdout|int != desired -- shell: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_logging_namespace}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}' +- command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} -n {{openshift_logging_namespace}} -o jsonpath='{.status.replicas}' register: replica_counts - until: replica_counts.stdout.find("{{desired}}") != -1 + until: replica_counts.stdout|int == desired retries: 30 delay: 10 when: - - replica_count.stdout != desired - not ansible_check_mode + - replica_count.stdout|int != desired diff --git a/roles/openshift_logging/tasks/start_cluster.yaml b/roles/openshift_logging/tasks/start_cluster.yaml index cdfc5f2d3..090ca8359 100644 --- a/roles/openshift_logging/tasks/start_cluster.yaml +++ b/roles/openshift_logging/tasks/start_cluster.yaml @@ -1,16 +1,16 @@ --- -- shell: > - echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1 +- command: > + echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}" register: openshift_logging_fluentd_nodeselector_key check_mode: no -- shell: > - echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2 +- command: > + echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}" register: openshift_logging_fluentd_nodeselector_value check_mode: no -- shell: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g" +- command: > + {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}' register: fluentd_hosts when: "'--all' in openshift_logging_fluentd_hosts" check_mode: no @@ -25,7 +25,7 @@ loop_control: loop_var: fluentd_host -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}} register: es_dc check_mode: no @@ -38,7 +38,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}} register: kibana_dc check_mode: no @@ -51,7 +51,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}} register: curator_dc check_mode: no @@ -64,7 +64,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}} register: es_dc check_mode: no @@ -78,7 +78,7 @@ loop_var: object when: openshift_logging_use_ops -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}} register: kibana_dc check_mode: no @@ -92,7 +92,7 @@ loop_var: object when: openshift_logging_use_ops -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}} register: curator_dc check_mode: no diff --git a/roles/openshift_logging/tasks/stop_cluster.yaml b/roles/openshift_logging/tasks/stop_cluster.yaml index e018d0618..dd3693f7e 100644 --- a/roles/openshift_logging/tasks/stop_cluster.yaml +++ b/roles/openshift_logging/tasks/stop_cluster.yaml @@ -1,14 +1,14 @@ --- -- shell: > - echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1 +- command: > + echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}" register: openshift_logging_fluentd_nodeselector_key -- shell: > - echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2 +- command: > + echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}" register: openshift_logging_fluentd_nodeselector_value -- shell: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g" +- command: > + {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}' register: fluentd_hosts when: "'--all' in openshift_logging_fluentd_hosts" @@ -22,7 +22,7 @@ loop_control: loop_var: fluentd_host -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}} register: es_dc @@ -34,7 +34,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}} register: kibana_dc @@ -46,7 +46,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}} register: curator_dc @@ -58,7 +58,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}} register: es_dc @@ -71,7 +71,7 @@ loop_var: object when: openshift_logging_use_ops -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}} register: kibana_dc @@ -84,7 +84,7 @@ loop_var: object when: openshift_logging_use_ops -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}} register: curator_dc diff --git a/roles/openshift_logging/tasks/upgrade_logging.yaml b/roles/openshift_logging/tasks/upgrade_logging.yaml index b2c8022d5..9b285a5fe 100644 --- a/roles/openshift_logging/tasks/upgrade_logging.yaml +++ b/roles/openshift_logging/tasks/upgrade_logging.yaml @@ -8,7 +8,7 @@ start_cluster: False # ensure that ES is running -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}} register: es_dc check_mode: no @@ -26,7 +26,7 @@ dest: {{mktemp.stdout}}/es_migration.sh - name: Run upgrade scripts - shell: > + command: > sh {{mktemp.stdout}}/es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}} - name: Start up rest of cluster diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2 index a09b582a2..b6c91f8ed 100644 --- a/roles/openshift_logging/templates/fluentd.j2 +++ b/roles/openshift_logging/templates/fluentd.j2 @@ -25,7 +25,7 @@ spec: spec: serviceAccountName: "{{daemonset_serviceAccount}}" nodeSelector: - {{openshift_logging_fluentd_nodeselector}} + {{fluentd_nodeselector_key}}: "{{fluentd_nodeselector_value}}" containers: - name: "{{daemonset_container_name}}" image: "{{openshift_logging_image_prefix}}{{daemonset_name}}:{{openshift_logging_image_version}}" diff --git a/roles/openshift_logging/templates/signing.conf.j2 b/roles/openshift_logging/templates/signing.conf.j2 new file mode 100644 index 000000000..727cde4c9 --- /dev/null +++ b/roles/openshift_logging/templates/signing.conf.j2 @@ -0,0 +1,103 @@ +# Simple Signing CA + +# The [default] section contains global constants that can be referred to from +# the entire configuration file. It may also hold settings pertaining to more +# than one openssl command. + +[ default ] +dir = {{top_dir}} # Top dir + +# The next part of the configuration file is used by the openssl req command. +# It defines the CA's key pair, its DN, and the desired extensions for the CA +# certificate. + +[ req ] +default_bits = 2048 # RSA key size +encrypt_key = yes # Protect private key +default_md = sha1 # MD to use +utf8 = yes # Input is UTF-8 +string_mask = utf8only # Emit UTF-8 strings +prompt = no # Don't prompt for DN +distinguished_name = ca_dn # DN section +req_extensions = ca_reqext # Desired extensions + +[ ca_dn ] +0.domainComponent = "io" +1.domainComponent = "openshift" +organizationName = "OpenShift Origin" +organizationalUnitName = "Logging Signing CA" +commonName = "Logging Signing CA" + +[ ca_reqext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true,pathlen:0 +subjectKeyIdentifier = hash + +# The remainder of the configuration file is used by the openssl ca command. +# The CA section defines the locations of CA assets, as well as the policies +# applying to the CA. + +[ ca ] +default_ca = signing_ca # The default CA section + +[ signing_ca ] +certificate = $dir/ca.crt # The CA cert +private_key = $dir/ca.key # CA private key +new_certs_dir = $dir/ # Certificate archive +serial = $dir/ca.serial.txt # Serial number file +crlnumber = $dir/ca.crl.srl # CRL number file +database = $dir/ca.db # Index file +unique_subject = no # Require unique subject +default_days = 730 # How long to certify for +default_md = sha1 # MD to use +policy = any_pol # Default naming policy +email_in_dn = no # Add email to cert DN +preserve = no # Keep passed DN ordering +name_opt = ca_default # Subject DN display options +cert_opt = ca_default # Certificate display options +copy_extensions = copy # Copy extensions from CSR +x509_extensions = client_ext # Default cert extensions +default_crl_days = 7 # How long before next CRL +crl_extensions = crl_ext # CRL extensions + +# Naming policies control which parts of a DN end up in the certificate and +# under what circumstances certification should be denied. + +[ match_pol ] +domainComponent = match # Must match 'simple.org' +organizationName = match # Must match 'Simple Inc' +organizationalUnitName = optional # Included if present +commonName = supplied # Must be present + +[ any_pol ] +domainComponent = optional +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = optional +emailAddress = optional + +# Certificate extensions define what types of certificates the CA is able to +# create. + +[ client_ext ] +keyUsage = critical,digitalSignature,keyEncipherment +basicConstraints = CA:false +extendedKeyUsage = clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid + +[ server_ext ] +keyUsage = critical,digitalSignature,keyEncipherment +basicConstraints = CA:false +extendedKeyUsage = serverAuth,clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid + +# CRL extensions exist solely to point to the CA certificate that has issued +# the CRL. + +[ crl_ext ] +authorityKeyIdentifier = keyid -- cgit v1.2.1