author | Scott Dodson <sdodson@redhat.com> | 2017-05-19 09:17:58 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-05-19 09:17:58 -0400 |
commit | b61044dfa3669d79bd5e99c846ad4d10de172583 (patch) | |
tree | 887eead3d5010b4e0bb22ec6e9235528536f549e /roles/openshift_logging/tasks | |
parent | 129dd9ccfb329ea296ad526acd4adf02c4004864 (diff) | |
parent | a4c6ae5af5237bc4c09476be1c12e61b9d41fb9b (diff) | |
Merge pull request #4073 from richm/logging-es-route
add ability to expose Elasticsearch as an external route
Diffstat (limited to 'roles/openshift_logging/tasks')
-rw-r--r-- | roles/openshift_logging/tasks/generate_certs.yaml | 26 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/generate_routes.yaml | 92 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/generate_secrets.yaml | 28 |
3 files changed, 146 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index b34df018d..46a7e82c6 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -60,6 +60,24 @@
 - procure_component: mux
 when: openshift_logging_use_mux
+- include: procure_server_certs.yaml
+ loop_control:
+ loop_var: cert_info
+ with_items:
+ - procure_component: es
+ hostnames: "es, {{openshift_logging_es_hostname}}"
+ when: openshift_logging_es_allow_external | bool
+
+- include: procure_server_certs.yaml
+ loop_control:
+ loop_var: cert_info
+ with_items:
+ - procure_component: es-ops
+ hostnames: "es-ops, {{openshift_logging_es_ops_hostname}}"
+ when:
+ - openshift_logging_es_allow_external | bool
+ - openshift_logging_use_ops | bool
+
 - name: Copy proxy TLS configuration file
 copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
 when: server_tls_json is undefined
@@ -108,6 +126,14 @@
 loop_var: node_name
 when: openshift_logging_use_mux
+- name: Generate PEM cert for Elasticsearch external route
+ include: generate_pems.yaml component={{node_name}}
+ with_items:
+ - system.logging.es
+ loop_control:
+ loop_var: node_name
+ when: openshift_logging_es_allow_external | bool
+
 - name: Creating necessary JKS certs
 include: generate_jks.yaml
diff --git a/roles/openshift_logging/tasks/generate_routes.yaml b/roles/openshift_logging/tasks/generate_routes.yaml
index f76bb3a0a..c45b3d804 100644
--- a/roles/openshift_logging/tasks/generate_routes.yaml
+++ b/roles/openshift_logging/tasks/generate_routes.yaml
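Review bot: In generate_certs.yaml the `es-ops` server-certificate include is gated on `openshift_logging_es_allow_external`, while the ops route in generate_routes.yaml is gated on `openshift_logging_es_ops_allow_external`. With only the ops flag set, the ops route would be generated but no certificate covering `openshift_logging_es_ops_hostname` would be procured; with only the non-ops flag set, a certificate is issued for a route that is never created. The first entry of that `when` list should read `- openshift_logging_es_ops_allow_external | bool`. It would also help to check that the hostname variables are non-empty before they go into `hostnames:`, since an empty value would presumably produce a certificate that does not match the route host; where their defaults are set is not visible in this diff.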
@@ -75,3 +75,95 @@
 provider: openshift
 when: openshift_logging_use_ops | bool
 changed_when: no
+
+- set_fact: es_key={{ lookup('file', openshift_logging_es_key) | b64encode }}
+ when:
+ - openshift_logging_es_key | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_cert={{ lookup('file', openshift_logging_es_cert)| b64encode }}
+ when:
+ - openshift_logging_es_cert | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_ca={{ lookup('file', openshift_logging_es_ca_ext)| b64encode }}
+ when:
+ - openshift_logging_es_ca_ext | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_ca={{key_pairs | entry_from_named_pair('ca_file') }}
+ when:
+ - es_ca is not defined
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- name: Generating Elasticsearch logging routes
+ template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-route.yaml
+ tags: routes
+ vars:
+ obj_name: "logging-es"
+ route_host: "{{openshift_logging_es_hostname}}"
+ service_name: "logging-es"
+ tls_key: "{{es_key | default('') | b64decode}}"
+ tls_cert: "{{es_cert | default('') | b64decode}}"
+ tls_ca_cert: "{{es_ca | b64decode}}"
+ tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
+ edge_term_policy: "{{openshift_logging_es_edge_term_policy | default('') }}"
+ labels:
+ component: support
+ logging-infra: support
+ provider: openshift
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool
+
+- set_fact: es_ops_key={{ lookup('file', openshift_logging_es_ops_key) | b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{ openshift_logging_es_ops_key | trim | length > 0 }}"
+ changed_when: false
+
+- set_fact: es_ops_cert={{ lookup('file', openshift_logging_es_ops_cert)| b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{openshift_logging_es_ops_cert | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: es_ops_ca={{ lookup('file', openshift_logging_es_ops_ca_ext)| b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{openshift_logging_es_ops_ca_ext | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: es_ops_ca={{key_pairs | entry_from_named_pair('ca_file') }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - es_ops_ca is not defined
+ changed_when: false
+
+- name: Generating Elasticsearch logging ops routes
+ template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-ops-route.yaml
+ tags: routes
+ vars:
+ obj_name: "logging-es-ops"
+ route_host: "{{openshift_logging_es_ops_hostname}}"
+ service_name: "logging-es-ops"
+ tls_key: "{{es_ops_key | default('') | b64decode}}"
+ tls_cert: "{{es_ops_cert | default('') | b64decode}}"
+ tls_ca_cert: "{{es_ops_ca | b64decode}}"
+ tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
+ edge_term_policy: "{{openshift_logging_es_ops_edge_term_policy | default('') }}"
+ labels:
+ component: support
+ logging-infra: support
+ provider: openshift
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ changed_when: no
diff --git a/roles/openshift_logging/tasks/generate_secrets.yaml b/roles/openshift_logging/tasks/generate_secrets.yaml
index c1da49fd8..b629bd995 100644
--- a/roles/openshift_logging/tasks/generate_secrets.yaml
+++ b/roles/openshift_logging/tasks/generate_secrets.yaml
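Review bot: The `set_fact` tasks in generate_routes.yaml that read `openshift_logging_es_key` and `openshift_logging_es_ops_key` store private-key material in facts without `no_log: true`, so the base64 of the key is printed with the task result at higher verbosity and can be recorded by logging callbacks. Adding `no_log: true` to those tasks keeps it out of run logs; the `slurp` of `system.logging.es.key` in generate_secrets.yaml registers the same kind of content and needs the same treatment. Nothing in this hunk checks that a key and its certificate are supplied together, so with only one set, `tls_key` or `tls_cert` falls back to `default('')` and route_reencrypt.j2 receives half a pair; a guard that fails when exactly one of the two is set would catch that early. As a style point, the ops `when` entries are quoted templates such as `"{{ openshift_logging_es_ops_key | trim | length > 0 }}"` while the non-ops ones are bare; `when` is already evaluated as an expression, so `- openshift_logging_es_ops_key | trim | length > 0` is the consistent form.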
@@ -99,3 +99,31 @@
 when: logging_es_secret.stdout is defined
 check_mode: no
 changed_when: no
+
+- name: Retrieving the cert to use when generating secrets for Elasticsearch external route
+ slurp: src="{{generated_certs_dir}}/{{item.file}}"
+ register: es_key_pairs
+ with_items:
+ - { name: "ca_file", file: "ca.crt" }
+ - { name: "es_key", file: "system.logging.es.key"}
+ - { name: "es_cert", file: "system.logging.es.crt"}
+ when: openshift_logging_es_allow_external | bool
+
+- name: Generating secrets for Elasticsearch external route
+ template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
+ vars:
+ secret_name: "logging-{{component}}"
+ secret_key_file: "{{component}}_key"
+ secret_cert_file: "{{component}}_cert"
+ secrets:
+ - {key: ca, value: "{{es_key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
+ - {key: key, value: "{{es_key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
+ - {key: cert, value: "{{es_key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
+ secret_keys: ["ca", "cert", "key"]
+ with_items:
+ - es
+ loop_control:
+ loop_var: component
+ check_mode: no
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool |
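Review bot: The `template` task in generate_secrets.yaml writes `{{secret_name}}-secret.yaml`, which contains the decoded `system.logging.es.key`, under `{{mktemp.stdout}}/templates/` with no `mode`, so the file gets whatever the umask allows. Whether that directory is already restricted is not visible in this hunk; appending `mode=0600` to the `template:` arguments would make the protection explicit, and the route files written in generate_routes.yaml carry `tls_key` and would benefit from the same. A short comment above the task stating that the `logging-es` secret holds the `system.logging.es` key pair and CA, and what consumes it, would also help, since the hunk does not say what the secret is used for.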