summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2017-01-17 15:33:43 -0500
committerGitHub <noreply@github.com>2017-01-17 15:33:43 -0500
commita269ece3556932cebfa2ade968ac2b8638c2abbf (patch)
treebb690323269d929c9582756b4a77c8189217dcf4 /roles
parente810fb6abab0c6fe9198bfc3f39c82ca8054f76e (diff)
parent65eb7e43faf38698b22b90ad3c743d1fecdc0961 (diff)
downloadopenshift-a269ece3556932cebfa2ade968ac2b8638c2abbf.tar.gz
openshift-a269ece3556932cebfa2ade968ac2b8638c2abbf.tar.bz2
openshift-a269ece3556932cebfa2ade968ac2b8638c2abbf.tar.xz
openshift-a269ece3556932cebfa2ade968ac2b8638c2abbf.zip
Merge pull request #2873 from jcantrill/295_metrics_admin_again
Move Metrics to ansible from deployer
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_metrics/README.md102
-rw-r--r--roles/openshift_metrics/defaults/main.yaml48
-rwxr-xr-xroles/openshift_metrics/files/import_jks_certs.sh118
-rw-r--r--roles/openshift_metrics/meta/main.yaml18
-rw-r--r--roles/openshift_metrics/tasks/generate_certificates.yaml26
-rw-r--r--roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml166
-rw-r--r--roles/openshift_metrics/tasks/generate_heapster_certificates.yaml41
-rw-r--r--roles/openshift_metrics/tasks/generate_rolebindings.yaml33
-rw-r--r--roles/openshift_metrics/tasks/generate_serviceaccounts.yaml27
-rw-r--r--roles/openshift_metrics/tasks/generate_services.yaml46
-rw-r--r--roles/openshift_metrics/tasks/import_jks_certs.yaml120
-rw-r--r--roles/openshift_metrics/tasks/install_cassandra.yaml54
-rw-r--r--roles/openshift_metrics/tasks/install_hawkular.yaml54
-rw-r--r--roles/openshift_metrics/tasks/install_heapster.yaml14
-rw-r--r--roles/openshift_metrics/tasks/install_metrics.yaml37
-rw-r--r--roles/openshift_metrics/tasks/install_support.yaml5
-rw-r--r--roles/openshift_metrics/tasks/main.yaml22
-rw-r--r--roles/openshift_metrics/tasks/oc_apply.yaml32
-rw-r--r--roles/openshift_metrics/tasks/scale.yaml30
-rw-r--r--roles/openshift_metrics/tasks/setup_certificate.yaml52
-rw-r--r--roles/openshift_metrics/tasks/start_metrics.yaml54
-rw-r--r--roles/openshift_metrics/tasks/stop_metrics.yaml55
-rw-r--r--roles/openshift_metrics/tasks/uninstall_metrics.yaml19
-rw-r--r--roles/openshift_metrics/templates/hawkular_cassandra_rc.j2125
-rw-r--r--roles/openshift_metrics/templates/hawkular_metrics_rc.j2119
-rw-r--r--roles/openshift_metrics/templates/heapster.j298
-rw-r--r--roles/openshift_metrics/templates/jks_pod.j238
-rw-r--r--roles/openshift_metrics/templates/pvc.j227
-rw-r--r--roles/openshift_metrics/templates/rolebinding.j223
-rw-r--r--roles/openshift_metrics/templates/route.j235
-rw-r--r--roles/openshift_metrics/templates/secret.j212
-rw-r--r--roles/openshift_metrics/templates/service.j232
-rw-r--r--roles/openshift_metrics/templates/serviceaccount.j216
-rw-r--r--roles/openshift_metrics/vars/main.yaml10
34 files changed, 1708 insertions, 0 deletions
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
new file mode 100644
index 000000000..f4c47c7bb
--- /dev/null
+++ b/roles/openshift_metrics/README.md
@@ -0,0 +1,102 @@
+OpenShift Metrics with Hawkular
+====================
+
+OpenShift Metrics Installation
+
+Requirements
+------------
+
+The following variables need to be set and will be validated:
+
+- `openshift_metrics_hostname`: hostname used on the hawkular metrics route.
+
+- `openshift_metrics_project`: project (i.e. namespace) where the components will be
+ deployed.
+
+
+Role Variables
+--------------
+
+For default values, see [`defaults/main.yaml`](defaults/main.yaml).
+
+- `openshift_metrics_image_prefix`: Specify prefix for metrics components; e.g for
+ "openshift/origin-metrics-deployer:v1.1", set prefix "openshift/origin-".
+
+- `openshift_metrics_image_version`: Specify version for metrics components; e.g. for
+ "openshift/origin-metrics-deployer:v1.1", set version "v1.1".
+
+- `openshift_metrics_hawkular_cert:` The certificate used for re-encrypting the route
+ to Hawkular metrics. The certificate must contain the hostname used by the route.
+ The default router certificate will be used if unspecified
+
+- `openshift_metrics_hawkular_key:` The key used with the Hawkular certificate
+
+- `openshift_metrics_hawkular_ca:` An optional certificate used to sign the Hawkular certificate.
+
+- `openshift_metrics_hawkular_replicas:` The number of replicas for Hawkular metrics.
+
+- `openshift_metrics_cassandra_replicas`: The number of Cassandra nodes to deploy for the
+ initial cluster.
+
+- `openshift_metrics_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for
+ testing), `pv` to use persistent volumes (which need to be created before the
+ installation) or `dynamic` for dynamic persistent volumes.
+
+- `openshift_metrics_cassandra_pv_prefix`: The name of persistent volume claims created
+ for cassandra will be this with a serial number appended to the end, starting
+ from 1.
+
+- `openshift_metrics_cassandra_pv_size`: The persistent volume size for each of the
+ Cassandra nodes.
+
+- `openshift_metrics_heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and
+ Cassandra components.
+
+- `openshift_metrics_heapster_allowed_users`: A comma-separated list of CN to accept. By
+ default, this is set to allow the OpenShift service proxy to connect. If you
+ override this, make sure to add `system:master-proxy` to the list in order to
+ allow horizontal pod autoscaling to function properly.
+
+- `openshift_metrics_startup_timeout`: How long in seconds we should wait until
+ Hawkular Metrics and Heapster starts up before attempting a restart.
+
+- `openshift_metrics_duration`: How many days metrics should be stored for.
+
+- `openshift_metrics_resolution`: How often metrics should be gathered.
+
+## Additional variables to control resource limits
+Each metrics component (hawkular, cassandra, heapster) can specify a cpu and memory limits and requests by setting
+the corresponding role variable:
+```
+openshift_metrics_<COMPONENT>_(limits|requests)_(memory|cpu): <VALUE>
+```
+e.g
+```
+openshift_metrics_cassandra_limits_memory: 1G
+openshift_metrics_hawkular_requests_cpu: 100
+```
+
+Dependencies
+------------
+openshift_facts
+
+
+Example Playbook
+----------------
+
+```
+- name: Configure openshift-metrics
+ hosts: oo_first_master
+ roles:
+ - role: openshift_metrics
+```
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Jose David Martín (j.david.nieto@gmail.com)
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
new file mode 100644
index 000000000..b99adf779
--- /dev/null
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -0,0 +1,48 @@
+---
+openshift_metrics_start_cluster: True
+openshift_metrics_install_metrics: True
+openshift_metrics_image_prefix: docker.io/openshift/origin-
+openshift_metrics_image_version: latest
+openshift_metrics_startup_timeout: 500
+
+openshift_metrics_hawkular_replicas: 1
+openshift_metrics_hawkular_limits_memory: 2.5G
+openshift_metrics_hawkular_limits_cpu: null
+openshift_metrics_hawkular_requests_memory: 1.5G
+openshift_metrics_hawkular_requests_cpu: null
+openshift_metrics_hawkular_cert: ""
+openshift_metrics_hawkular_key: ""
+openshift_metrics_hawkular_ca: ""
+
+openshift_metrics_cassandra_replicas: 1
+openshift_metrics_cassandra_storage_type: emptydir
+openshift_metrics_cassandra_pv_size: 10Gi
+openshift_metrics_cassandra_limits_memory: 2G
+openshift_metrics_cassandra_limits_cpu: null
+openshift_metrics_cassandra_requests_memory: 1G
+openshift_metrics_cassandra_requests_cpu: null
+
+openshift_metrics_heapster_standalone: False
+openshift_metrics_heapster_limits_memory: 3.75G
+openshift_metrics_heapster_limits_cpu: null
+openshift_metrics_heapster_requests_memory: 0.9375G
+openshift_metrics_heapster_requests_cpu: null
+
+openshift_metrics_duration: 7
+openshift_metrics_resolution: 15s
+
+#####
+# Caution should be taken for the following defaults before
+# overriding the values here
+#####
+
+openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
+openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local
+openshift_metrics_node_id: nodename
+openshift_metrics_project: openshift-infra
+
+openshift_metrics_cassandra_pv_prefix: metrics-cassandra
+
+openshift_metrics_hawkular_user_write_access: False
+
+openshift_metrics_heapster_allowed_users: system:master-proxy
diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh
new file mode 100755
index 000000000..bb046df87
--- /dev/null
+++ b/roles/openshift_metrics/files/import_jks_certs.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+#
+# Copyright 2014-2015 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -ex
+
+function import_certs() {
+ dir=$CERT_DIR
+ hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d)
+ hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d)
+ hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d)
+ hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d)
+ hawkular_jgroups_password=$(echo $JGROUPS_PASSWD | base64 -d)
+
+ cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'`
+ hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'`
+
+ if [ ! -f $dir/hawkular-metrics.keystore ]; then
+ echo "Creating the Hawkular Metrics keystore from the PEM file"
+ keytool -importkeystore -v \
+ -srckeystore $dir/hawkular-metrics.pkcs12 \
+ -destkeystore $dir/hawkular-metrics.keystore \
+ -srcstoretype PKCS12 \
+ -deststoretype JKS \
+ -srcstorepass $hawkular_metrics_keystore_password \
+ -deststorepass $hawkular_metrics_keystore_password
+ fi
+
+ if [ ! -f $dir/hawkular-cassandra.keystore ]; then
+ echo "Creating the Hawkular Cassandra keystore from the PEM file"
+ keytool -importkeystore -v \
+ -srckeystore $dir/hawkular-cassandra.pkcs12 \
+ -destkeystore $dir/hawkular-cassandra.keystore \
+ -srcstoretype PKCS12 \
+ -deststoretype JKS \
+ -srcstorepass $hawkular_cassandra_keystore_password \
+ -deststorepass $hawkular_cassandra_keystore_password
+ fi
+
+ if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then
+ echo "Importing the Hawkular Certificate into the Cassandra Truststore"
+ keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \
+ -file $dir/hawkular-metrics.crt \
+ -keystore $dir/hawkular-cassandra.truststore \
+ -trustcacerts \
+ -storepass $hawkular_cassandra_truststore_password
+ fi
+
+ if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then
+ echo "Importing the Cassandra Certificate into the Hawkular Truststore"
+ keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \
+ -file $dir/hawkular-cassandra.crt \
+ -keystore $dir/hawkular-metrics.truststore \
+ -trustcacerts \
+ -storepass $hawkular_metrics_truststore_password
+ fi
+
+ if [[ ! ${cassandra_alias[*]} =~ hawkular-cassandra ]]; then
+ echo "Importing the Hawkular Cassandra Certificate into the Cassandra Truststore"
+ keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \
+ -file $dir/hawkular-cassandra.crt \
+ -keystore $dir/hawkular-cassandra.truststore \
+ -trustcacerts \
+ -storepass $hawkular_cassandra_truststore_password
+ fi
+
+ cert_alias_names=(ca metricca cassandraca)
+
+ for cert_alias in ${cert_alias_names[*]}; do
+ if [[ ! ${cassandra_alias[*]} =~ "$cert_alias" ]]; then
+ echo "Importing the CA Certificate with alias $cert_alias into the Cassandra Truststore"
+ keytool -noprompt -import -v -trustcacerts -alias $cert_alias \
+ -file ${dir}/ca.crt \
+ -keystore $dir/hawkular-cassandra.truststore \
+ -trustcacerts \
+ -storepass $hawkular_cassandra_truststore_password
+ fi
+ done
+
+ for cert_alias in ${cert_alias_names[*]}; do
+ if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then
+ echo "Importing the CA Certificate with alias $cert_alias into the Hawkular Metrics Truststore"
+ keytool -noprompt -import -v -trustcacerts -alias $cert_alias \
+ -file ${dir}/ca.crt \
+ -keystore $dir/hawkular-metrics.truststore \
+ -trustcacerts \
+ -storepass $hawkular_metrics_truststore_password
+ fi
+ done
+
+ if [ ! -f $dir/hawkular-jgroups.keystore ]; then
+ echo "Generating the jgroups keystore"
+ keytool -genseckey -alias hawkular -keypass ${hawkular_jgroups_password} \
+ -storepass ${hawkular_jgroups_password} \
+ -keyalg Blowfish \
+ -keysize 56 \
+ -keystore $dir/hawkular-jgroups.keystore \
+ -storetype JCEKS
+ fi
+}
+
+import_certs
+
+exit 0
diff --git a/roles/openshift_metrics/meta/main.yaml b/roles/openshift_metrics/meta/main.yaml
new file mode 100644
index 000000000..68e94992e
--- /dev/null
+++ b/roles/openshift_metrics/meta/main.yaml
@@ -0,0 +1,18 @@
+---
+galaxy_info:
+ author: OpenShift Development <dev@lists.openshift.redhat.com>
+ description: Deploy OpenShift metrics integration for the cluster
+ company: Red Hat, Inc.
+ license: license (Apache)
+ min_ansible_version: 2.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ - name: Fedora
+ versions:
+ - all
+ categories:
+ - openshift
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml
new file mode 100644
index 000000000..16a967aa7
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_certificates.yaml
@@ -0,0 +1,26 @@
+---
+- name: create certificate output directory
+ file:
+ path: "{{ openshift_metrics_certs_dir }}"
+ state: directory
+ mode: 0700
+
+- name: list existing secrets
+ command: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ get secrets -o name
+ register: metrics_secrets
+ changed_when: false
+
+- name: generate ca certificate chain
+ shell: >
+ {{ openshift.common.admin_binary }} ca create-signer-cert
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ --key='{{ openshift_metrics_certs_dir }}/ca.key'
+ --cert='{{ openshift_metrics_certs_dir }}/ca.crt'
+ --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ --name="metrics-signer@$(date +%s)"
+ when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists
+- include: generate_heapster_certificates.yaml
+- include: generate_hawkular_certificates.yaml
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
new file mode 100644
index 000000000..9cf4afee0
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -0,0 +1,166 @@
+---
+- name: generate hawkular-metrics certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-metrics
+ hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}"
+ changed_when: no
+
+- name: generate hawkular-cassandra certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-cassandra
+ hostnames: hawkular-cassandra
+ changed_when: no
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd
+ register: cassandra_truststore_password
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd
+ register: hawkular_truststore_password
+
+- name: generate password for hawkular metrics and jgroups
+ copy:
+ dest: '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
+ content: "{{ 15 | oo_random_word }}"
+ with_items:
+ - hawkular-metrics
+ - hawkular-jgroups-keystore
+ when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists
+
+- name: generate htpasswd file for hawkular metrics
+ shell: >
+ htpasswd -ci
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd' hawkular
+ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists
+
+- include: import_jks_certs.yaml
+
+- name: read files for the hawkular-metrics secret
+ shell: >
+ printf '%s: ' '{{ item }}'
+ && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}'
+ register: hawkular_secrets
+ with_items:
+ - ca.crt
+ - hawkular-metrics.crt
+ - hawkular-metrics.keystore
+ - hawkular-metrics-keystore.pwd
+ - hawkular-metrics.truststore
+ - hawkular-metrics-truststore.pwd
+ - hawkular-metrics.pwd
+ - hawkular-metrics.htpasswd
+ - hawkular-jgroups.keystore
+ - hawkular-jgroups-keystore.pwd
+ - hawkular-cassandra.crt
+ - hawkular-cassandra.pem
+ - hawkular-cassandra.keystore
+ - hawkular-cassandra-keystore.pwd
+ - hawkular-cassandra.truststore
+ - hawkular-cassandra-truststore.pwd
+ changed_when: false
+
+- set_fact:
+ hawkular_secrets: |
+ {{ hawkular_secrets.results|map(attribute='stdout')|join('
+ ')|from_yaml }}
+
+- name: generate hawkular-metrics-secrets secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
+ vars:
+ name: hawkular-metrics-secrets
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.keystore: >
+ {{ hawkular_secrets['hawkular-metrics.keystore'] }}
+ hawkular-metrics.keystore.password: >
+ {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
+ hawkular-metrics.truststore: >
+ {{ hawkular_secrets['hawkular-metrics.truststore'] }}
+ hawkular-metrics.truststore.password: >
+ {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
+ hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
+ hawkular-metrics.htpasswd.file: >
+ {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
+ hawkular-metrics.jgroups.keystore: >
+ {{ hawkular_secrets['hawkular-jgroups.keystore'] }}
+ hawkular-metrics.jgroups.keystore.password: >
+ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }}
+ hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
+ when: name not in metrics_secrets.stdout_lines
+ changed_when: no
+
+- name: generate hawkular-metrics-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
+ vars:
+ name: hawkular-metrics-certificate
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.certificate: >
+ {{ hawkular_secrets['hawkular-metrics.crt'] }}
+ hawkular-metrics-ca.certificate: >
+ {{ hawkular_secrets['ca.crt'] }}
+ when: name not in metrics_secrets.stdout_lines
+ changed_when: no
+
+- name: generate hawkular-metrics-account secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
+ vars:
+ name: hawkular-metrics-account
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
+ hawkular-metrics.password: >
+ {{ hawkular_secrets['hawkular-metrics.pwd'] }}
+ when: name not in metrics_secrets.stdout_lines
+ changed_when: no
+
+- name: generate cassandra secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+ vars:
+ name: hawkular-cassandra-secrets
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.keystore: >
+ {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
+ cassandra.keystore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
+ cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
+ cassandra.truststore: >
+ {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
+ cassandra.truststore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
+ cassandra.pem: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets
+ changed_when: no
+
+- name: generate cassandra-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
+ vars:
+ name: hawkular-cassandra-certificate
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.crt'] }}
+ cassandra-ca.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets.stdout_lines
+ changed_when: no
diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
new file mode 100644
index 000000000..2449b1518
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
@@ -0,0 +1,41 @@
+---
+- name: generate heapster key/cert
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ --key='{{ openshift_metrics_certs_dir }}/heapster.key'
+ --cert='{{ openshift_metrics_certs_dir }}/heapster.cert'
+ --hostnames=heapster
+ --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
+ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
+ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists
+
+- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
+ block:
+ - name: read files for the heapster secret
+ slurp: src={{ item }}
+ register: heapster_secret
+ with_items:
+ - "{{ openshift_metrics_certs_dir }}/heapster.cert"
+ - "{{ openshift_metrics_certs_dir }}/heapster.key"
+ - "{{ client_ca }}"
+ vars:
+ custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt"
+ default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"
+ - name: generate heapster secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
+ force: no
+ vars:
+ name: heapster-secrets
+ labels:
+ metrics-infra: heapster
+ data:
+ heapster.cert: "{{ heapster_secret.results[0].content }}"
+ heapster.key: "{{ heapster_secret.results[1].content }}"
+ heapster.client-ca: "{{ heapster_secret.results[2].content }}"
+ heapster.allowed-users: >
+ {{ openshift_metrics_heapster_allowed_users|b64encode }}
diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml
new file mode 100644
index 000000000..6524c3f32
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml
@@ -0,0 +1,33 @@
+---
+- name: generate view role binding for the hawkular service account
+ template:
+ src: rolebinding.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-rolebinding.yaml"
+ vars:
+ obj_name: hawkular-view
+ labels:
+ metrics-infra: hawkular
+ roleRef:
+ name: view
+ subjects:
+ - kind: ServiceAccount
+ name: hawkular
+ changed_when: no
+
+- name: generate cluster-reader role binding for the heapster service account
+ template:
+ src: rolebinding.j2
+ dest: "{{ mktemp.stdout }}/templates/heapster-rolebinding.yaml"
+ vars:
+ cluster: True
+ obj_name: heapster-cluster-reader
+ labels:
+ metrics-infra: heapster
+ roleRef:
+ kind: ClusterRole
+ name: cluster-reader
+ subjects:
+ - kind: ServiceAccount
+ name: heapster
+ namespace: "{{ openshift_metrics_project }}"
+ changed_when: no
diff --git a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml
new file mode 100644
index 000000000..94f34d860
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml
@@ -0,0 +1,27 @@
+---
+- name: Generating serviceaccounts for hawkular metrics/cassandra
+ template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml
+ vars:
+ obj_name: "{{item.name}}"
+ labels:
+ metrics-infra: support
+ secrets:
+ - hawkular-{{item.secret}}-secrets
+ with_items:
+ - name: hawkular
+ secret: hawkular-metrics-secrets
+ - name: cassandra
+ secret: hawkular-cassandra-secrets
+ changed_when: no
+
+- name: Generating serviceaccount for heapster
+ template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml
+ vars:
+ obj_name: heapster
+ labels:
+ metrics-infra: support
+ secrets:
+ - heapster-secrets
+ - hawkular-metrics-certificate
+ - hawkular-metrics-account
+ changed_when: no
diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml
new file mode 100644
index 000000000..903d52bff
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_services.yaml
@@ -0,0 +1,46 @@
+---
+- name: Generate service for heapster
+ template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml
+ vars:
+ obj_name: heapster
+ ports:
+ - {port: 80, targetPort: http-endpoint}
+ selector:
+ name: "{{obj_name}}"
+ labels:
+ metrics-infra: "{{obj_name}}"
+ name: "{{obj_name}}"
+ changed_when: no
+
+- name: Generate service for hawkular-metrics
+ template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml
+ vars:
+ obj_name: hawkular-metrics
+ ports:
+ - {port: 443, targetPort: https-endpoint}
+ selector:
+ name: "{{obj_name}}"
+ labels:
+ metrics-infra: "{{obj_name}}"
+ name: "{{obj_name}}"
+ changed_when: no
+
+- name: Generate services for cassandra
+ template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml
+ vars:
+ obj_name: hawkular-{{item}}
+ ports:
+ - {name: cql-port, port: 9042, targetPort: cql-port}
+ - {name: thrift-port, port: 9160, targetPort: thrift-port}
+ - {name: tcp-port, port: 7000, targetPort: tcp-port}
+ - {name: ssl-port, port: 7001, targetPort: ssl-port}
+ selector:
+ type: hawkular-cassandra
+ labels:
+ metrics-infra: hawkular-cassandra
+ name: hawkular-cassandra
+ headless: "{{ item == 'cassandra-nodes' }}"
+ with_items:
+ - cassandra
+ - cassandra-nodes
+ changed_when: no
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
new file mode 100644
index 000000000..f6bf6c1a6
--- /dev/null
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -0,0 +1,120 @@
+---
+- name: Check for jks-generator service account
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ get serviceaccount/jks-generator --no-headers
+ register: serviceaccount_result
+ ignore_errors: yes
+ when: not ansible_check_mode
+ changed_when: no
+
+- name: Create jks-generator service account
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ create serviceaccount jks-generator
+ when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
+
+- name: Check for hostmount-anyuid scc entry
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ get scc hostmount-anyuid
+ -o jsonpath='{.users}'
+ register: scc_result
+ when: not ansible_check_mode
+ changed_when: no
+
+- name: Add to hostmount-anyuid scc
+ command: >
+ {{ openshift.common.admin_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ policy add-scc-to-user hostmount-anyuid
+ -z jks-generator
+ when:
+ - not ansible_check_mode
+ - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1
+
+- name: Copy JKS generation script
+ copy:
+ src: import_jks_certs.sh
+ dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"
+ check_mode: no
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+ register: metrics_keystore_password
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+ register: cassandra_keystore_password
+
+- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+ register: jgroups_keystore_password
+
+- name: Generate JKS pod template
+ template:
+ src: jks_pod.j2
+ dest: "{{mktemp.stdout}}/jks_pod.yaml"
+ vars:
+ metrics_keystore_passwd: "{{metrics_keystore_password.content}}"
+ cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}"
+ metrics_truststore_passwd: "{{hawkular_truststore_password.content}}"
+ cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}"
+ jgroups_passwd: "{{jgroups_keystore_password.content}}"
+ check_mode: no
+ changed_when: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+ register: metrics_keystore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
+ register: cassandra_keystore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore"
+ register: cassandra_truststore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
+ register: metrics_truststore
+ check_mode: no
+
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore"
+ register: jgroups_keystore
+ check_mode: no
+
+- name: create JKS pod
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ create -f {{mktemp.stdout}}/jks_pod.yaml
+ -o name
+ register: podoutput
+ check_mode: no
+ when: not metrics_keystore.stat.exists or
+ not metrics_truststore.stat.exists or
+ not cassandra_keystore.stat.exists or
+ not cassandra_truststore.stat.exists or
+ not jgroups_keystore.stat.exists
+
+- command: >
+ {{ openshift.common.client_binary }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n {{openshift_metrics_project}}
+ get {{podoutput.stdout}}
+ -o jsonpath='{.status.phase}'
+ register: result
+ until: result.stdout.find("Succeeded") != -1
+ retries: 5
+ delay: 10
+ changed_when: no
+ when: not metrics_keystore.stat.exists or
+ not metrics_truststore.stat.exists or
+ not cassandra_keystore.stat.exists or
+ not cassandra_truststore.stat.exists or
+ not jgroups_keystore.stat.exists
diff --git a/roles/openshift_metrics/tasks/install_cassandra.yaml b/roles/openshift_metrics/tasks/install_cassandra.yaml
new file mode 100644
index 000000000..a9340acc3
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_cassandra.yaml
@@ -0,0 +1,54 @@
+---
+- shell: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ get rc hawkular-cassandra-{{node}} -o jsonpath='{.spec.replicas}' || echo 0
+ vars:
+ node: "{{ item }}"
+ register: cassandra_replica_count
+ with_sequence: count={{ openshift_metrics_cassandra_replicas }}
+ changed_when: false
+ failed_when: false
+
+- name: generate hawkular-cassandra replication controllers
+ template:
+ src: hawkular_cassandra_rc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-rc{{ item }}.yaml"
+ vars:
+ node: "{{ item }}"
+ master: "{{ (item == '1')|string|lower }}"
+ replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}"
+ with_sequence: count={{ openshift_metrics_cassandra_replicas }}
+ changed_when: false
+
+- name: generate hawkular-cassandra persistent volume claims
+ template:
+ src: pvc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
+ vars:
+ obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}"
+ labels:
+ metrics-infra: hawkular-cassandra
+ access_modes:
+ - ReadWriteOnce
+ size: "{{ openshift_metrics_cassandra_pv_size }}"
+ with_sequence: count={{ openshift_metrics_cassandra_replicas }}
+ when: openshift_metrics_cassandra_storage_type == 'pv'
+ changed_when: false
+
+- name: generate hawkular-cassandra persistent volume claims (dynamic)
+ template:
+ src: pvc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
+ vars:
+ obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}"
+ labels:
+ metrics-infra: hawkular-cassandra
+ annotations:
+ volume.alpha.kubernetes.io/storage-class: dynamic
+ access_modes:
+ - ReadWriteOnce
+ size: "{{ openshift_metrics_cassandra_pv_size }}"
+ with_sequence: count={{ openshift_metrics_cassandra_replicas }}
+ when: openshift_metrics_cassandra_storage_type == 'dynamic'
+ changed_when: false
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
new file mode 100644
index 000000000..00f7b2554
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
@@ -0,0 +1,54 @@
+---
+- command: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ get rc hawkular-metrics -o jsonpath='{.spec.replicas}'
+ register: hawkular_metrics_replica_count
+ failed_when: false
+ changed_when: false
+
+- name: generate hawkular-metrics replication controller
+ template:
+ src: hawkular_metrics_rc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml"
+ vars:
+ replica_count: "{{hawkular_metrics_replica_count.stdout | default(0)}}"
+ changed_when: false
+
+- name: read hawkular-metrics route destination ca certificate
+ slurp: src={{ openshift_metrics_certs_dir }}/ca.crt
+ register: metrics_route_dest_ca_cert
+ changed_when: false
+
+- block:
+ - set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }}
+ when: openshift_metrics_hawkular_key | exists
+ changed_when: false
+
+ - set_fact: hawkular_cert={{ lookup('file', openshift_metrics_hawkular_cert) }}
+ when: openshift_metrics_hawkular_cert | exists
+ changed_when: false
+
+ - set_fact: hawkular_ca={{ lookup('file', openshift_metrics_hawkular_ca) }}
+ when: openshift_metrics_hawkular_ca | exists
+ changed_when: false
+
+ - name: generate the hawkular-metrics route
+ template:
+ src: route.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml"
+ vars:
+ name: hawkular-metrics
+ labels:
+ metrics-infra: hawkular-metrics
+ host: "{{ openshift_metrics_hawkular_hostname }}"
+ to:
+ kind: Service
+ name: hawkular-metrics
+ tls:
+ termination: reencrypt
+ key: "{{ hawkular_key | default('') }}"
+ certificate: "{{ hawkular_cert | default('') }}"
+ ca_certificate: "{{ hawkular_ca | default('') }}"
+ destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}"
+ changed_when: false
diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml
new file mode 100644
index 000000000..39df797ab
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_heapster.yaml
@@ -0,0 +1,14 @@
+---
+- command: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }}
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ get rc heapster -o jsonpath='{.spec.replicas}'
+ register: heapster_replica_count
+ failed_when: false
+ changed_when: no
+
+- name: Generate heapster replication controller
+ template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml
+ vars:
+ replica_count: "{{heapster_replica_count.stdout | default(0)}}"
+ changed_when: no
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
new file mode 100644
index 000000000..bab37dbfb
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -0,0 +1,37 @@
+---
+- name: Check that hawkular_metrics_hostname is set
+ fail: msg='the openshift_metrics_hawkular_hostname variable is required'
+ when: openshift_metrics_hawkular_hostname is not defined
+
+- name: Check the value of openshift_metrics_cassandra_storage_type
+ fail:
+ msg: >
+ openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }})
+ is invalid, must be one of: emptydir, pv, dynamic
+ when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types
+
+- name: Install Metrics
+ include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml"
+ with_items:
+ - support
+ - heapster
+ - hawkular
+ - cassandra
+ loop_control:
+ loop_var: include_file
+
+- name: Create objects
+ include: oc_apply.yaml
+ vars:
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ namespace: "{{ openshift_metrics_project }}"
+ file_name: "{{ item }}"
+ file_content: "{{ lookup('file',item) | from_yaml }}"
+ with_fileglob:
+ - "{{ mktemp.stdout }}/templates/*.yaml"
+
+- name: Scaling up cluster
+ include: start_metrics.yaml
+ tags: openshift_metrics_start_cluster
+ when:
+ - openshift_metrics_start_cluster | default(true) | bool
diff --git a/roles/openshift_metrics/tasks/install_support.yaml b/roles/openshift_metrics/tasks/install_support.yaml
new file mode 100644
index 000000000..b0e4bec80
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_support.yaml
@@ -0,0 +1,5 @@
+---
+- include: generate_certificates.yaml
+- include: generate_serviceaccounts.yaml
+- include: generate_services.yaml
+- include: generate_rolebindings.yaml
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
new file mode 100644
index 000000000..c42440130
--- /dev/null
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -0,0 +1,22 @@
+---
+- name: Create temp directory for doing work in
+ command: mktemp -td openshift-metrics-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+
+- name: Create temp directory for all our templates
+ file: path={{mktemp.stdout}}/templates state=directory mode=0755
+ changed_when: False
+
+- name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+ changed_when: False
+ check_mode: no
+ tags: metrics_init
+
+- include: install_metrics.yaml
+ when: openshift_metrics_install_metrics | default(false) | bool
+
+- include: uninstall_metrics.yaml
+ when: not openshift_metrics_install_metrics | default(false) | bool
diff --git a/roles/openshift_metrics/tasks/oc_apply.yaml b/roles/openshift_metrics/tasks/oc_apply.yaml
new file mode 100644
index 000000000..dd67703b4
--- /dev/null
+++ b/roles/openshift_metrics/tasks/oc_apply.yaml
@@ -0,0 +1,32 @@
+---
+- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}}
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ kubeconfig }}
+ get {{file_content.kind}} {{file_content.metadata.name}}
+ -o jsonpath='{.metadata.resourceVersion}'
+ -n {{namespace}}
+ register: generation_init
+ failed_when: false
+ changed_when: no
+
+- name: Applying {{file_name}}
+ command: >
+ {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+ apply -f {{ file_name }}
+ -n {{ openshift_metrics_project }}
+ register: generation_apply
+ failed_when: "'error' in generation_apply.stderr"
+ changed_when: no
+
+- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
+ command: >
+ {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+ get {{file_content.kind}} {{file_content.metadata.name}}
+ -o jsonpath='{.metadata.resourceVersion}'
+ -n {{namespace}}
+ register: version_changed
+ vars:
+ init_version: "{{ (generation_init is defined) | ternary(generation_init.stdout, '0') }}"
+ failed_when: "'error' in version_changed.stderr"
+ changed_when: version_changed.stdout | int > init_version | int
diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml
new file mode 100644
index 000000000..bb4fa621b
--- /dev/null
+++ b/roles/openshift_metrics/tasks/scale.yaml
@@ -0,0 +1,30 @@
+---
+- command: >
+ {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}}
+ -o jsonpath='{.spec.replicas}' -n {{openshift_metrics_project}}
+ register: replica_count
+ failed_when: "replica_count.rc == 1 and 'exists' not in replica_count.stderr"
+ when: not ansible_check_mode
+ changed_when: no
+
+- command: >
+ {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}}
+ --replicas={{desired}} -n {{openshift_metrics_project}}
+ register: scale_result
+ failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr
+ when:
+ - replica_count.stdout != (desired | string)
+ - not ansible_check_mode
+ changed_when: no
+
+- name: Waiting for {{object}} to scale to {{desired}}
+ command: >
+ {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+ get {{object}} -n {{openshift_metrics_project|quote}} -o jsonpath='{.status.replicas}'
+ register: replica_counts
+ until: replica_counts.stdout.find("{{desired}}") != -1
+ retries: 30
+ delay: 10
+ when:
+ - replica_count.stdout != (desired | string)
+ - not ansible_check_mode
diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml
new file mode 100644
index 000000000..5ca8f4462
--- /dev/null
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml
@@ -0,0 +1,52 @@
+---
+- name: generate {{ component }} keys
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key'
+ --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt'
+ --hostnames='{{ hostnames }}'
+ --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
+ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
+ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists
+
+- slurp: src={{item}}
+ register: component_certs
+ with_items:
+ - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key'
+ - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt'
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists
+
+- name: generate {{ component }} certificate
+ copy:
+ dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'
+ content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}"
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists
+
+- name: generate random password for the {{ component }} keystore
+ copy:
+ content: "{{ 15 | oo_random_word }}"
+ dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists
+
+- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd
+ register: keystore_password
+
+- name: create the {{ component }} pkcs12 from the pem file
+ command: >
+ openssl pkcs12 -export
+ -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'
+ -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'
+ -name '{{ component }}' -noiter -nomaciter
+ -password 'pass:{{keystore_password.content | b64decode }}'
+ when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists
+
+- name: generate random password for the {{ component }} truststore
+ copy:
+ content: "{{ 15 | oo_random_word }}"
+ dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd'
+ when: >
+ not
+ '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists
diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml
new file mode 100644
index 000000000..c4cae4aff
--- /dev/null
+++ b/roles/openshift_metrics/tasks/start_metrics.yaml
@@ -0,0 +1,54 @@
+---
+- command: >
+ {{openshift.common.client_binary}}
+ --config={{mktemp.stdout}}/admin.kubeconfig
+ get rc
+ -l metrics-infra=hawkular-cassandra
+ -o name
+ -n {{openshift_metrics_project}}
+ register: metrics_cassandra_rc
+ changed_when: no
+
+- name: Start Hawkular Cassandra
+ include: scale.yaml
+ vars:
+ desired: 1
+ with_items: "{{metrics_cassandra_rc.stdout_lines}}"
+ loop_control:
+ loop_var: object
+
+- command: >
+ {{openshift.common.client_binary}}
+ --config={{mktemp.stdout}}/admin.kubeconfig
+ get rc
+ -l metrics-infra=hawkular-metrics
+ -o name
+ -n {{openshift_metrics_project}}
+ register: metrics_metrics_rc
+ changed_when: no
+
+- name: Start Hawkular Metrics
+ include: scale.yaml
+ vars:
+ desired: "{{openshift_metrics_hawkular_replicas}}"
+ with_items: "{{metrics_metrics_rc.stdout_lines}}"
+ loop_control:
+ loop_var: object
+
+- command: >
+ {{openshift.common.client_binary}}
+ --config={{mktemp.stdout}}/admin.kubeconfig
+ get rc
+ -l metrics-infra=heapster
+ -o name
+ -n {{openshift_metrics_project}}
+ register: metrics_heapster_rc
+ changed_when: no
+
+- name: Start Heapster
+ include: scale.yaml
+ vars:
+ desired: 1
+ with_items: "{{metrics_heapster_rc.stdout_lines}}"
+ loop_control:
+ loop_var: object
diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml
new file mode 100644
index 000000000..bae181e3e
--- /dev/null
+++ b/roles/openshift_metrics/tasks/stop_metrics.yaml
@@ -0,0 +1,55 @@
+---
+- command: >
+ {{openshift.common.client_binary}}
+ --config={{mktemp.stdout}}/admin.kubeconfig
+ get rc
+ -l metrics-infra=heapster
+ -o name
+ -n {{openshift_metrics_project}}
+ register: metrics_heapster_rc
+ changed_when: "'No resources found' not in metrics_heapster_rc.stderr"
+ check_mode: no
+
+- name: Stop Heapster
+ include: scale.yaml
+ vars:
+ desired: 0
+ with_items: "{{metrics_heapster_rc.stdout_lines}}"
+ loop_control:
+ loop_var: object
+
+- command: >
+ {{openshift.common.client_binary}}
+ --config={{mktemp.stdout}}/admin.kubeconfig
+ get rc
+ -l metrics-infra=hawkular-metrics
+ -o name
+ -n {{openshift_metrics_project}}
+ register: metrics_hawkular_rc
+ changed_when: "'No resources found' not in metrics_hawkular_rc.stderr"
+
+- name: Stop Hawkular Metrics
+ include: scale.yaml
+ vars:
+ desired: 0
+ with_items: "{{metrics_hawkular_rc.stdout_lines}}"
+ loop_control:
+ loop_var: object
+
+- command: >
+ {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig
+ get rc
+ -o name
+ -l metrics-infra=hawkular-cassandra
+ -n {{openshift_metrics_project}}
+ register: metrics_cassandra_rc
+ changed_when: "'No resources found' not in metrics_cassandra_rc.stderr"
+
+- name: Stop Hawkular Cassandra
+ include: scale.yaml
+ vars:
+ desired: 0
+ with_items: "{{metrics_cassandra_rc.stdout_lines}}"
+ loop_control:
+ loop_var: object
+ when: metrics_cassandra_rc is defined
diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
new file mode 100644
index 000000000..8a6be6237
--- /dev/null
+++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
@@ -0,0 +1,19 @@
+---
+- name: stop metrics
+ include: stop_metrics.yaml
+
+- name: remove metrics components
+ command: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig
+ delete --ignore-not-found --selector=metrics-infra
+ all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings
+ register: delete_metrics
+ changed_when: "delete_metrics.stdout != 'No resources found'"
+
+- name: remove rolebindings
+ command: >
+ {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig
+ delete --ignore-not-found
+ rolebinding/hawkular-view
+ clusterrolebinding/heapster-cluster-reader
+ changed_when: "delete_metrics.stdout != 'No resources found'"
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
new file mode 100644
index 000000000..abd4ff939
--- /dev/null
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
@@ -0,0 +1,125 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+ name: hawkular-cassandra-{{ node }}
+ labels:
+ metrics-infra: hawkular-cassandra
+ name: hawkular-cassandra
+ type: hawkular-cassandra
+spec:
+ selector:
+ name: hawkular-cassandra-{{ node }}
+ replicas: {{replica_count}}
+ template:
+ version: v1
+ metadata:
+ labels:
+ metrics-infra: hawkular-cassandra
+ name: hawkular-cassandra-{{ node }}
+ type: hawkular-cassandra
+ spec:
+ serviceAccount: cassandra
+ containers:
+ - image: "{{ openshift_metrics_image_prefix }}metrics-cassandra:{{ openshift_metrics_image_version }}"
+ name: hawkular-cassandra-{{ node }}
+ ports:
+ - name: cql-port
+ containerPort: 9042
+ - name: thift-port
+ containerPort: 9160
+ - name: tcp-port
+ containerPort: 7000
+ - name: ssl-port
+ containerPort: 7001
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-docker.sh"
+ - "--cluster_name=hawkular-metrics"
+ - "--data_volume=/cassandra_data"
+ - "--internode_encryption=all"
+ - "--require_node_auth=true"
+ - "--enable_client_encryption=true"
+ - "--require_client_auth=true"
+ - "--keystore_file=/secret/cassandra.keystore"
+ - "--keystore_password_file=/secret/cassandra.keystore.password"
+ - "--truststore_file=/secret/cassandra.truststore"
+ - "--truststore_password_file=/secret/cassandra.truststore.password"
+ - "--cassandra_pem_file=/secret/cassandra.pem"
+ env:
+ - name: CASSANDRA_MASTER
+ value: "{{ master }}"
+ - name: CASSANDRA_DATA_VOLUME
+ value: "/cassandra_data"
+ - name: JVM_OPTS
+ value: "-Dcassandra.commitlog.ignorereplayerrors=true"
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MEMORY_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ - name: CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ divisor: 1m
+ volumeMounts:
+ - name: cassandra-data
+ mountPath: "/cassandra_data"
+ - name: hawkular-cassandra-secrets
+ mountPath: "/secret"
+{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none)
+ or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none)
+ or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none)
+ or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none))
+%}
+ resources:
+{% if (openshift_metrics_cassandra_limits_cpu is not none
+ or openshift_metrics_cassandra_limits_memory is not none)
+%}
+ limits:
+{% if openshift_metrics_cassandra_limits_cpu is not none %}
+ cpu: "{{openshift_metrics_cassandra_limits_cpu}}"
+{% endif %}
+{% if openshift_metrics_cassandra_limits_memory is not none %}
+ memory: "{{openshift_metrics_cassandra_limits_memory}}"
+{% endif %}
+{% endif %}
+{% if (openshift_metrics_cassandra_requests_cpu is not none
+ or openshift_metrics_cassandra_requests_memory is not none)
+%}
+ requests:
+{% if openshift_metrics_cassandra_requests_cpu is not none %}
+ cpu: "{{openshift_metrics_cassandra_requests_cpu}}"
+{% endif %}
+{% if openshift_metrics_cassandra_requests_memory is not none %}
+ memory: "{{openshift_metrics_cassandra_requests_memory}}"
+{% endif %}
+{% endif %}
+{% endif %}
+ readinessProbe:
+ exec:
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-docker-ready.sh"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-prestop.sh"
+ postStart:
+ exec:
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-poststart.sh"
+ terminationGracePeriodSeconds: 1800
+ volumes:
+ - name: cassandra-data
+{% if openshift_metrics_cassandra_storage_type == 'emptydir' %}
+ emptyDir: {}
+{% else %}
+ persistentVolumeClaim:
+ claimName: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ node }}"
+{% endif %}
+ - name: hawkular-cassandra-secrets
+ secret:
+ secretName: hawkular-cassandra-secrets
diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
new file mode 100644
index 000000000..e6954ea44
--- /dev/null
+++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
@@ -0,0 +1,119 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+ name: hawkular-metrics
+ labels:
+ metrics-infra: hawkular-metrics
+ name: hawkular-metrics
+spec:
+ selector:
+ name: hawkular-metrics
+ replicas: {{replica_count}}
+ template:
+ version: v1
+ metadata:
+ labels:
+ metrics-infra: hawkular-metrics
+ name: hawkular-metrics
+ spec:
+ serviceAccount: hawkular
+ containers:
+ - image: {{openshift_metrics_image_prefix}}metrics-hawkular-metrics:{{openshift_metrics_image_version}}
+ name: hawkular-metrics
+ ports:
+ - name: http-endpoint
+ containerPort: 8080
+ - name: https-endpoint
+ containerPort: 8443
+ - name: ping
+ containerPort: 8888
+ command:
+ - "/opt/hawkular/scripts/hawkular-metrics-wrapper.sh"
+ - "-b"
+ - 0.0.0.0
+ - "-Dhawkular.metrics.cassandra.nodes=hawkular-cassandra"
+ - "-Dhawkular.metrics.cassandra.use-ssl"
+ - "-Dhawkular.metrics.openshift.auth-methods=openshift-oauth,htpasswd"
+ - "-Dhawkular.metrics.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file"
+ - "-Dhawkular.metrics.allowed-cors-access-control-allow-headers=authorization"
+ - "-Dhawkular.metrics.default-ttl={{openshift_metrics_duration}}"
+ - "-Dhawkular-alerts.cassandra-nodes=hawkular-cassandra"
+ - "-Dhawkular-alerts.cassandra-use-ssl"
+ - "-Dhawkular.alerts.openshift.auth-methods=openshift-oauth,htpasswd"
+ - "-Dhawkular.alerts.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file"
+ - "-Dhawkular.alerts.allowed-cors-access-control-allow-headers=authorization"
+ - "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
+ - "-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"
+ - "-DKUBERNETES_MASTER_URL={{openshift_metrics_master_url}}"
+ - "-DUSER_WRITE_ACCESS={{openshift_metrics_hawkular_user_write_access}}"
+ - "--hmw.keystore=/secrets/hawkular-metrics.keystore"
+ - "--hmw.truststore=/secrets/hawkular-metrics.truststore"
+ - "--hmw.keystore_password_file=/secrets/hawkular-metrics.keystore.password"
+ - "--hmw.truststore_password_file=/secrets/hawkular-metrics.truststore.password"
+ - "--hmw.jgroups_keystore=/secrets/hawkular-metrics.jgroups.keystore"
+ - "--hmw.jgroups_keystore_password_file=/secrets/hawkular-metrics.jgroups.keystore.password"
+ - "--hmw.jgroups_alias_file=/secrets/hawkular-metrics.jgroups.alias"
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MASTER_URL
+ value: "{{ openshift_metrics_master_url }}"
+ - name: OPENSHIFT_KUBE_PING_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: OPENSHIFT_KUBE_PING_LABELS
+ value: "metrics-infra=hawkular-metrics,name=hawkular-metrics"
+ - name: STARTUP_TIMEOUT
+ value: "{{ openshift_metrics_startup_timeout }}"
+ volumeMounts:
+ - name: hawkular-metrics-secrets
+ mountPath: "/secrets"
+ - name: hawkular-metrics-client-secrets
+ mountPath: "/client-secrets"
+{% if ((openshift_metrics_hawkular_limits_cpu is defined and openshift_metrics_hawkular_limits_cpu is not none)
+ or (openshift_metrics_hawkular_limits_memory is defined and openshift_metrics_hawkular_limits_memory is not none)
+ or (openshift_metrics_hawkular_requests_cpu is defined and openshift_metrics_hawkular_requests_cpu is not none)
+ or (openshift_metrics_hawkular_requests_memory is defined and openshift_metrics_hawkular_requests_memory is not none))
+%}
+ resources:
+{% if (openshift_metrics_hawkular_limits_cpu is not none
+ or openshift_metrics_hawkular_limits_memory is not none)
+%}
+ limits:
+{% if openshift_metrics_hawkular_limits_cpu is not none %}
+ cpu: "{{openshift_metrics_hawkular_limits_cpu}}"
+{% endif %}
+{% if openshift_metrics_hawkular_limits_memory is not none %}
+ memory: "{{openshift_metrics_hawkular_limits_memory}}"
+{% endif %}
+{% endif %}
+{% if (openshift_metrics_hawkular_requests_cpu is not none
+ or openshift_metrics_hawkular_requests_memory is not none)
+%}
+ requests:
+{% if openshift_metrics_hawkular_requests_cpu is not none %}
+ cpu: "{{openshift_metrics_hawkular_requests_cpu}}"
+{% endif %}
+{% if openshift_metrics_hawkular_requests_memory is not none %}
+ memory: "{{openshift_metrics_hawkular_requests_memory}}"
+{% endif %}
+{% endif %}
+{% endif %}
+ readinessProbe:
+ exec:
+ command:
+ - "/opt/hawkular/scripts/hawkular-metrics-readiness.py"
+ livenessProbe:
+ exec:
+ command:
+ - "/opt/hawkular/scripts/hawkular-metrics-liveness.py"
+ volumes:
+ - name: hawkular-metrics-secrets
+ secret:
+ secretName: hawkular-metrics-secrets
+ - name: hawkular-metrics-client-secrets
+ secret:
+ secretName: hawkular-metrics-account
diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2
new file mode 100644
index 000000000..eeca03be0
--- /dev/null
+++ b/roles/openshift_metrics/templates/heapster.j2
@@ -0,0 +1,98 @@
+apiVersion: "v1"
+kind: "ReplicationController"
+metadata:
+ name: heapster
+ labels:
+ metrics-infra: heapster
+ name: heapster
+spec:
+ selector:
+ name: heapster
+ replicas: {{replica_count}}
+ template:
+ version: v1
+ metadata:
+ name: heapster
+ labels:
+ metrics-infra: heapster
+ name: heapster
+ spec:
+ serviceAccountName: heapster
+ containers:
+ - name: heapster
+ image: {{openshift_metrics_image_prefix}}metrics-heapster:{{openshift_metrics_image_version}}
+ ports:
+ - containerPort: 8082
+ name: "http-endpoint"
+ command:
+ - "heapster-wrapper.sh"
+ - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users"
+ - "--source=kubernetes.summary_api:${MASTER_URL}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250"
+ - "--tls_cert=/secrets/heapster.cert"
+ - "--tls_key=/secrets/heapster.key"
+ - "--tls_client_ca=/secrets/heapster.client-ca"
+ - "--allowed_users=%allowed_users%"
+ - "--metric_resolution={{openshift_metrics_resolution}}"
+{% if not openshift_metrics_heapster_standalone %}
+ - "--wrapper.username_file=/hawkular-account/hawkular-metrics.username"
+ - "--wrapper.password_file=/hawkular-account/hawkular-metrics.password"
+ - "--wrapper.endpoint_check=https://hawkular-metrics:443/hawkular/metrics/status"
+ - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{openshift_metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)"
+{% endif %}
+ env:
+ - name: STARTUP_TIMEOUT
+ value: "{{ openshift_metrics_startup_timeout }}"
+{% if ((openshift_metrics_heapster_limits_cpu is defined and openshift_metrics_heapster_limits_cpu is not none)
+ or (openshift_metrics_heapster_limits_memory is defined and openshift_metrics_heapster_limits_memory is not none)
+ or (openshift_metrics_heapster_requests_cpu is defined and openshift_metrics_heapster_requests_cpu is not none)
+ or (openshift_metrics_heapster_requests_memory is defined and openshift_metrics_heapster_requests_memory is not none))
+%}
+ resources:
+{% if (openshift_metrics_heapster_limits_cpu is not none
+ or openshift_metrics_heapster_limits_memory is not none)
+%}
+ limits:
+{% if openshift_metrics_heapster_limits_cpu is not none %}
+ cpu: "{{openshift_metrics_heapster_limits_cpu}}"
+{% endif %}
+{% if openshift_metrics_heapster_limits_memory is not none %}
+ memory: "{{openshift_metrics_heapster_limits_memory}}"
+{% endif %}
+{% endif %}
+{% if (openshift_metrics_heapster_requests_cpu is not none
+ or openshift_metrics_heapster_requests_memory is not none)
+%}
+ requests:
+{% if openshift_metrics_heapster_requests_cpu is not none %}
+ cpu: "{{openshift_metrics_heapster_requests_cpu}}"
+{% endif %}
+{% if openshift_metrics_heapster_requests_memory is not none %}
+ memory: "{{openshift_metrics_heapster_requests_memory}}"
+{% endif %}
+{% endif %}
+{% endif %}
+ volumeMounts:
+ - name: heapster-secrets
+ mountPath: "/secrets"
+{% if not openshift_metrics_heapster_standalone %}
+ - name: hawkular-metrics-certificate
+ mountPath: "/hawkular-cert"
+ - name: hawkular-metrics-account
+ mountPath: "/hawkular-account"
+ readinessProbe:
+ exec:
+ command:
+ - "/opt/heapster-readiness.sh"
+{% endif %}
+ volumes:
+ - name: heapster-secrets
+ secret:
+ secretName: heapster-secrets
+{% if not openshift_metrics_heapster_standalone %}
+ - name: hawkular-metrics-certificate
+ secret:
+ secretName: hawkular-metrics-certificate
+ - name: hawkular-metrics-account
+ secret:
+ secretName: hawkular-metrics-account
+{% endif %}
diff --git a/roles/openshift_metrics/templates/jks_pod.j2 b/roles/openshift_metrics/templates/jks_pod.j2
new file mode 100644
index 000000000..e86fe38a4
--- /dev/null
+++ b/roles/openshift_metrics/templates/jks_pod.j2
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ metrics-infra: support
+ generateName: jks-cert-gen-
+spec:
+ containers:
+ - name: jks-cert-gen
+ image: {{openshift_metrics_image_prefix}}metrics-deployer:{{openshift_metrics_image_version}}
+ imagePullPolicy: Always
+ command: ["sh", "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"]
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: {{openshift_metrics_certs_dir}}
+ name: certmount
+ env:
+ - name: CERT_DIR
+ value: {{openshift_metrics_certs_dir}}
+ - name: METRICS_KEYSTORE_PASSWD
+ value: {{metrics_keystore_passwd}}
+ - name: CASSANDRA_KEYSTORE_PASSWD
+ value: {{cassandra_keystore_passwd}}
+ - name: METRICS_TRUSTSTORE_PASSWD
+ value: {{metrics_truststore_passwd}}
+ - name: CASSANDRA_TRUSTSTORE_PASSWD
+ value: {{cassandra_truststore_passwd}}
+ - name: hawkular_cassandra_alias
+ value: {{cassandra_keystore_passwd}}
+ - name: JGROUPS_PASSWD
+ value: {{jgroups_passwd}}
+ restartPolicy: Never
+ serviceAccount: jks-generator
+ volumes:
+ - hostPath:
+ path: "{{openshift_metrics_certs_dir}}"
+ name: certmount
diff --git a/roles/openshift_metrics/templates/pvc.j2 b/roles/openshift_metrics/templates/pvc.j2
new file mode 100644
index 000000000..8fbfa8b5d
--- /dev/null
+++ b/roles/openshift_metrics/templates/pvc.j2
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{obj_name}}
+{% if labels is not defined %}
+ labels:
+ logging-infra: support
+{% elif labels %}
+ labels:
+{% for key, value in labels.iteritems() %}
+ {{ key }}: {{ value }}
+{% endfor %}
+{% endif %}
+{% if annotations is defined and annotations %}
+ annotations:
+{% for key,value in annotations.iteritems() %}
+ {{key}}: {{value}}
+{% endfor %}
+{% endif %}
+spec:
+ accessModes:
+{% for mode in access_modes %}
+ - {{ mode }}
+{% endfor %}
+ resources:
+ requests:
+ storage: {{size}}
diff --git a/roles/openshift_metrics/templates/rolebinding.j2 b/roles/openshift_metrics/templates/rolebinding.j2
new file mode 100644
index 000000000..5230f0780
--- /dev/null
+++ b/roles/openshift_metrics/templates/rolebinding.j2
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: {% if cluster is defined and cluster %}Cluster{% endif %}RoleBinding
+metadata:
+ name: {{obj_name}}
+{% if labels is defined %}
+ labels:
+{% for k, v in labels.iteritems() %}
+ {{ k }}: {{ v }}
+{% endfor %}
+{% endif %}
+roleRef:
+{% if 'kind' in roleRef %}
+ kind: {{ roleRef.kind }}
+{% endif %}
+ name: {{ roleRef.name }}
+subjects:
+{% for sub in subjects %}
+ - kind: {{ sub.kind }}
+ name: {{ sub.name }}
+{% if 'namespace' in sub %}
+ namespace: {{ sub.namespace }}
+{% endif %}
+{% endfor %}
diff --git a/roles/openshift_metrics/templates/route.j2 b/roles/openshift_metrics/templates/route.j2
new file mode 100644
index 000000000..08ca87288
--- /dev/null
+++ b/roles/openshift_metrics/templates/route.j2
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Route
+metadata:
+ name: {{ name }}
+{% if labels is defined and labels %}
+ labels:
+{% for k, v in labels.iteritems() %}
+ {{ k }}: {{ v }}
+{% endfor %}
+{% endif %}
+spec:
+ host: {{ host }}
+ to:
+ kind: {{ to.kind }}
+ name: {{ to.name }}
+{% if tls is defined %}
+ tls:
+ termination: {{ tls.termination }}
+{% if tls.ca_certificate is defined and tls.ca_certificate | length > 0 %}
+ CACertificate: |
+{{ tls.ca_certificate|indent(6, true) }}
+{% endif %}
+{% if tls.key is defined and tls.key | length > 0 %}
+ key: |
+{{ tls.key|indent(6, true) }}
+{% endif %}
+{% if tls.certificate is defined and tls.certificate | length > 0 %}
+ certificate: |
+{{ tls.certificate|indent(6, true) }}
+{% endif %}
+{% if tls.termination == 'reencrypt' %}
+ destinationCACertificate: |
+{{ tls.destination_ca_certificate|indent(6, true) }}
+{% endif %}
+{% endif %}
diff --git a/roles/openshift_metrics/templates/secret.j2 b/roles/openshift_metrics/templates/secret.j2
new file mode 100644
index 000000000..370890c7d
--- /dev/null
+++ b/roles/openshift_metrics/templates/secret.j2
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ name }}"
+ labels:
+{% for k, v in labels.iteritems() %}
+ {{ k }}: {{ v }}
+{% endfor %}
+data:
+{% for k, v in data.iteritems() %}
+ {{ k }}: {{ v }}
+{% endfor %}
diff --git a/roles/openshift_metrics/templates/service.j2 b/roles/openshift_metrics/templates/service.j2
new file mode 100644
index 000000000..8df89127b
--- /dev/null
+++ b/roles/openshift_metrics/templates/service.j2
@@ -0,0 +1,32 @@
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "{{obj_name}}"
+{% if labels is defined%}
+ labels:
+{% for key, value in labels.iteritems() %}
+ {{key}}: {{value}}
+{% endfor %}
+{% endif %}
+spec:
+{% if headless is defined and headless %}
+ portalIP: None
+ clusterIP: None
+{% endif %}
+ ports:
+{% for port in ports %}
+ -
+{% for key, value in port.iteritems() %}
+ {{key}}: {{value}}
+{% endfor %}
+{% if port.targetPort is undefined %}
+ clusterIP: "None"
+{% endif %}
+{% endfor %}
+{% if service_targetPort is defined %}
+ targetPort: {{service_targetPort}}
+{% endif %}
+ selector:
+ {% for key, value in selector.iteritems() %}
+ {{key}}: {{value}}
+ {% endfor %}
diff --git a/roles/openshift_metrics/templates/serviceaccount.j2 b/roles/openshift_metrics/templates/serviceaccount.j2
new file mode 100644
index 000000000..b22acc594
--- /dev/null
+++ b/roles/openshift_metrics/templates/serviceaccount.j2
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{obj_name}}
+{% if labels is defined%}
+ labels:
+{% for key, value in labels.iteritems() %}
+ {{key}}: {{value}}
+{% endfor %}
+{% endif %}
+{% if secrets is defined %}
+secrets:
+{% for name in secrets %}
+- name: {{ name }}
+{% endfor %}
+{% endif %}
diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml
new file mode 100644
index 000000000..4a3724e3f
--- /dev/null
+++ b/roles/openshift_metrics/vars/main.yaml
@@ -0,0 +1,10 @@
+---
+#
+# These vars are generally considered private and not expected to be altered
+# by end users
+#
+
+openshift_metrics_cassandra_storage_types:
+- emptydir
+- pv
+- dynamic