summaryrefslogtreecommitdiffstats
path: root/roles/openshift_logging/tasks
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2017-05-19 09:17:58 -0400
committerGitHub <noreply@github.com>2017-05-19 09:17:58 -0400
commitb61044dfa3669d79bd5e99c846ad4d10de172583 (patch)
tree887eead3d5010b4e0bb22ec6e9235528536f549e /roles/openshift_logging/tasks
parent129dd9ccfb329ea296ad526acd4adf02c4004864 (diff)
parenta4c6ae5af5237bc4c09476be1c12e61b9d41fb9b (diff)
downloadopenshift-b61044dfa3669d79bd5e99c846ad4d10de172583.tar.gz
openshift-b61044dfa3669d79bd5e99c846ad4d10de172583.tar.bz2
openshift-b61044dfa3669d79bd5e99c846ad4d10de172583.tar.xz
openshift-b61044dfa3669d79bd5e99c846ad4d10de172583.zip
Merge pull request #4073 from richm/logging-es-route
add ability to expose Elasticsearch as an external route
Diffstat (limited to 'roles/openshift_logging/tasks')
-rw-r--r--roles/openshift_logging/tasks/generate_certs.yaml26
-rw-r--r--roles/openshift_logging/tasks/generate_routes.yaml92
-rw-r--r--roles/openshift_logging/tasks/generate_secrets.yaml28
3 files changed, 146 insertions, 0 deletions
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index b34df018d..46a7e82c6 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -60,6 +60,24 @@
- procure_component: mux
when: openshift_logging_use_mux
+- include: procure_server_certs.yaml
+ loop_control:
+ loop_var: cert_info
+ with_items:
+ - procure_component: es
+ hostnames: "es, {{openshift_logging_es_hostname}}"
+ when: openshift_logging_es_allow_external | bool
+
+- include: procure_server_certs.yaml
+ loop_control:
+ loop_var: cert_info
+ with_items:
+ - procure_component: es-ops
+ hostnames: "es-ops, {{openshift_logging_es_ops_hostname}}"
+ when:
+ - openshift_logging_es_allow_external | bool
+ - openshift_logging_use_ops | bool
+
- name: Copy proxy TLS configuration file
copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
when: server_tls_json is undefined
@@ -108,6 +126,14 @@
loop_var: node_name
when: openshift_logging_use_mux
+- name: Generate PEM cert for Elasticsearch external route
+ include: generate_pems.yaml component={{node_name}}
+ with_items:
+ - system.logging.es
+ loop_control:
+ loop_var: node_name
+ when: openshift_logging_es_allow_external | bool
+
- name: Creating necessary JKS certs
include: generate_jks.yaml
diff --git a/roles/openshift_logging/tasks/generate_routes.yaml b/roles/openshift_logging/tasks/generate_routes.yaml
index f76bb3a0a..c45b3d804 100644
--- a/roles/openshift_logging/tasks/generate_routes.yaml
+++ b/roles/openshift_logging/tasks/generate_routes.yaml
@@ -75,3 +75,95 @@
provider: openshift
when: openshift_logging_use_ops | bool
changed_when: no
+
+- set_fact: es_key={{ lookup('file', openshift_logging_es_key) | b64encode }}
+ when:
+ - openshift_logging_es_key | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_cert={{ lookup('file', openshift_logging_es_cert)| b64encode }}
+ when:
+ - openshift_logging_es_cert | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_ca={{ lookup('file', openshift_logging_es_ca_ext)| b64encode }}
+ when:
+ - openshift_logging_es_ca_ext | trim | length > 0
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- set_fact: es_ca={{key_pairs | entry_from_named_pair('ca_file') }}
+ when:
+ - es_ca is not defined
+ - openshift_logging_es_allow_external | bool
+ changed_when: false
+
+- name: Generating Elasticsearch logging routes
+ template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-route.yaml
+ tags: routes
+ vars:
+ obj_name: "logging-es"
+ route_host: "{{openshift_logging_es_hostname}}"
+ service_name: "logging-es"
+ tls_key: "{{es_key | default('') | b64decode}}"
+ tls_cert: "{{es_cert | default('') | b64decode}}"
+ tls_ca_cert: "{{es_ca | b64decode}}"
+ tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
+ edge_term_policy: "{{openshift_logging_es_edge_term_policy | default('') }}"
+ labels:
+ component: support
+ logging-infra: support
+ provider: openshift
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool
+
+- set_fact: es_ops_key={{ lookup('file', openshift_logging_es_ops_key) | b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{ openshift_logging_es_ops_key | trim | length > 0 }}"
+ changed_when: false
+
+- set_fact: es_ops_cert={{ lookup('file', openshift_logging_es_ops_cert)| b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{openshift_logging_es_ops_cert | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: es_ops_ca={{ lookup('file', openshift_logging_es_ops_ca_ext)| b64encode }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - "{{openshift_logging_es_ops_ca_ext | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: es_ops_ca={{key_pairs | entry_from_named_pair('ca_file') }}
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ - es_ops_ca is not defined
+ changed_when: false
+
+- name: Generating Elasticsearch logging ops routes
+ template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-ops-route.yaml
+ tags: routes
+ vars:
+ obj_name: "logging-es-ops"
+ route_host: "{{openshift_logging_es_ops_hostname}}"
+ service_name: "logging-es-ops"
+ tls_key: "{{es_ops_key | default('') | b64decode}}"
+ tls_cert: "{{es_ops_cert | default('') | b64decode}}"
+ tls_ca_cert: "{{es_ops_ca | b64decode}}"
+ tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
+ edge_term_policy: "{{openshift_logging_es_ops_edge_term_policy | default('') }}"
+ labels:
+ component: support
+ logging-infra: support
+ provider: openshift
+ when:
+ - openshift_logging_es_ops_allow_external | bool
+ - openshift_logging_use_ops | bool
+ changed_when: no
diff --git a/roles/openshift_logging/tasks/generate_secrets.yaml b/roles/openshift_logging/tasks/generate_secrets.yaml
index c1da49fd8..b629bd995 100644
--- a/roles/openshift_logging/tasks/generate_secrets.yaml
+++ b/roles/openshift_logging/tasks/generate_secrets.yaml
@@ -99,3 +99,31 @@
when: logging_es_secret.stdout is defined
check_mode: no
changed_when: no
+
+- name: Retrieving the cert to use when generating secrets for Elasticsearch external route
+ slurp: src="{{generated_certs_dir}}/{{item.file}}"
+ register: es_key_pairs
+ with_items:
+ - { name: "ca_file", file: "ca.crt" }
+ - { name: "es_key", file: "system.logging.es.key"}
+ - { name: "es_cert", file: "system.logging.es.crt"}
+ when: openshift_logging_es_allow_external | bool
+
+- name: Generating secrets for Elasticsearch external route
+ template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
+ vars:
+ secret_name: "logging-{{component}}"
+ secret_key_file: "{{component}}_key"
+ secret_cert_file: "{{component}}_cert"
+ secrets:
+ - {key: ca, value: "{{es_key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
+ - {key: key, value: "{{es_key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
+ - {key: cert, value: "{{es_key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
+ secret_keys: ["ca", "cert", "key"]
+ with_items:
+ - es
+ loop_control:
+ loop_var: component
+ check_mode: no
+ changed_when: no
+ when: openshift_logging_es_allow_external | bool