From f1e622ae0acb52fbd7ecd1b07b26b1b6884deb65 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 9 Feb 2017 13:28:47 -0500 Subject: bug 1420425. Allow setting of public facing certs for kibana in openshift_logging role --- roles/openshift_logging/defaults/main.yml | 12 ++++++++++++ roles/openshift_logging/tasks/generate_routes.yaml | 20 +++++++++++++++++++- roles/openshift_logging/templates/route_reencrypt.j2 | 8 ++++++++ 3 files changed, 39 insertions(+), 1 deletion(-) (limited to 'roles/openshift_logging') diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index 73849f46a..dc1e66d55 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -27,6 +27,18 @@ openshift_logging_kibana_proxy_cpu_limit: null openshift_logging_kibana_proxy_memory_limit: null openshift_logging_kibana_replica_count: 1 +#The absolute path on the control node to the cert file to use +#for the public facing kibana certs +openshift_logging_kibana_cert: "" + +#The absolute path on the control node to the key file to use +#for the public facing kibana certs +openshift_logging_kibana_key: "" + +#The absolute path on the control node to the CA file to use +#for the public facing kibana certs +openshift_logging_kibana_ca: "" + openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default(kibana-ops.{{openshift.common.dns_domain}}) }}" openshift_logging_kibana_ops_cpu_limit: null openshift_logging_kibana_ops_memory_limit: null diff --git a/roles/openshift_logging/tasks/generate_routes.yaml b/roles/openshift_logging/tasks/generate_routes.yaml index 60694f67e..3c462378b 100644 --- a/roles/openshift_logging/tasks/generate_routes.yaml +++ b/roles/openshift_logging/tasks/generate_routes.yaml @@ -1,4 +1,20 @@ --- +- set_fact: kibana_key={{ lookup('file', openshift_logging_kibana_key) | b64encode }} + when: "{{ openshift_logging_kibana_key | trim | length > 0 }}" + changed_when: false + +- set_fact: kibana_cert={{ lookup('file', openshift_logging_kibana_cert)| b64encode }} + when: "{{openshift_logging_kibana_cert | trim | length > 0}}" + changed_when: false + +- set_fact: kibana_ca={{ lookup('file', openshift_logging_kibana_ca)| b64encode }} + when: "{{openshift_logging_kibana_ca | trim | length > 0}}" + changed_when: false + +- set_fact: kibana_ca={{key_pairs | entry_from_named_pair('ca_file') }} + when: kibana_ca is not defined + changed_when: false + - name: Generating logging routes template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-{{route_info.name}}-route.yaml tags: routes @@ -6,7 +22,9 @@ obj_name: "{{route_info.name}}" route_host: "{{route_info.host}}" service_name: "{{route_info.name}}" - tls_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}" + tls_key: "{{kibana_key | default('') | b64decode}}" + tls_cert: "{{kibana_cert | default('') | b64decode}}" + tls_ca_cert: "{{kibana_ca | b64decode}}" tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}" labels: component: support diff --git a/roles/openshift_logging/templates/route_reencrypt.j2 b/roles/openshift_logging/templates/route_reencrypt.j2 index 8be30a2c4..341ffdd84 100644 --- a/roles/openshift_logging/templates/route_reencrypt.j2 +++ b/roles/openshift_logging/templates/route_reencrypt.j2 @@ -11,6 +11,14 @@ metadata: spec: host: {{ route_host }} tls: +{% if tls_key is defined and tls_key | length > 0 %} + key: | +{{ tls_key|indent(6, true) }} +{% if tls_cert is defined and tls_cert | length > 0 %} + certificate: | +{{ tls_cert|indent(6, true) }} +{% endif %} +{% endif %} caCertificate: | {% for line in tls_ca_cert.split('\n') %} {{ line }} -- cgit v1.2.3