From a8e826248539179c5ef69ec003701be608e89b70 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Mon, 27 Feb 2017 12:07:14 -0600 Subject: Decomposing openshift_logging role into subcomponent roles --- roles/openshift_logging_kibana/defaults/main.yml | 41 ++++ roles/openshift_logging_kibana/meta/main.yaml | 15 ++ .../tasks/determine_version.yaml | 17 ++ roles/openshift_logging_kibana/tasks/main.yaml | 222 +++++++++++++++++++++ roles/openshift_logging_kibana/templates/kibana.j2 | 116 +++++++++++ .../templates/oauth-client.j2 | 14 ++ .../templates/route_reencrypt.j2 | 36 ++++ roles/openshift_logging_kibana/vars/main.yml | 3 + 8 files changed, 464 insertions(+) create mode 100644 roles/openshift_logging_kibana/defaults/main.yml create mode 100644 roles/openshift_logging_kibana/meta/main.yaml create mode 100644 roles/openshift_logging_kibana/tasks/determine_version.yaml create mode 100644 roles/openshift_logging_kibana/tasks/main.yaml create mode 100644 roles/openshift_logging_kibana/templates/kibana.j2 create mode 100644 roles/openshift_logging_kibana/templates/oauth-client.j2 create mode 100644 roles/openshift_logging_kibana/templates/route_reencrypt.j2 create mode 100644 roles/openshift_logging_kibana/vars/main.yml (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/defaults/main.yml b/roles/openshift_logging_kibana/defaults/main.yml new file mode 100644 index 000000000..6474cd504 --- /dev/null +++ b/roles/openshift_logging_kibana/defaults/main.yml @@ -0,0 +1,41 @@ +--- +### Common settings +openshift_logging_kibana_master_url: "https://kubernetes.default.svc.cluster.local" +openshift_logging_kibana_master_public_url: "https://kubernetes.default.svc.cluster.local" +openshift_logging_kibana_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}" +openshift_logging_kibana_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}" +openshift_logging_kibana_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}" +openshift_logging_kibana_namespace: logging + +openshift_logging_kibana_nodeselector: "" +openshift_logging_kibana_cpu_limit: null +openshift_logging_kibana_memory_limit: null + +openshift_logging_kibana_hostname: "kibana.router.default.svc.cluster.local" + +openshift_logging_kibana_es_host: "logging-es" +openshift_logging_kibana_es_port: 9200 + +openshift_logging_kibana_replicas: 1 +openshift_logging_kibana_edge_term_policy: Redirect + +# this is used to determine if this is an operations deployment or a non-ops deployment +# simply used for naming purposes +openshift_logging_kibana_ops_deployment: false + +# Proxy settings +openshift_logging_kibana_proxy_debug: false +openshift_logging_kibana_proxy_cpu_limit: null +openshift_logging_kibana_proxy_memory_limit: null + +#The absolute path on the control node to the cert file to use +#for the public facing kibana certs +openshift_logging_kibana_cert: "" + +#The absolute path on the control node to the key file to use +#for the public facing kibana certs +openshift_logging_kibana_key: "" + +#The absolute path on the control node to the CA file to use +#for the public facing kibana certs +openshift_logging_kibana_ca: "" diff --git a/roles/openshift_logging_kibana/meta/main.yaml b/roles/openshift_logging_kibana/meta/main.yaml new file mode 100644 index 000000000..89e08abc0 --- /dev/null +++ b/roles/openshift_logging_kibana/meta/main.yaml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift Red Hat + description: OpenShift Aggregated Logging Kibana Component + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: lib_openshift diff --git a/roles/openshift_logging_kibana/tasks/determine_version.yaml b/roles/openshift_logging_kibana/tasks/determine_version.yaml new file mode 100644 index 000000000..53e15af5f --- /dev/null +++ b/roles/openshift_logging_kibana/tasks/determine_version.yaml @@ -0,0 +1,17 @@ +--- +# debating making this a module instead? +- fail: + msg: Missing version to install provided by 'openshift_logging_image_version' + when: not openshift_logging_image_version or openshift_logging_image_version == '' + +- set_fact: + kibana_version: "{{ __latest_kibana_version }}" + when: openshift_logging_image_version == 'latest' + +# should we just assume that we will have the correct major version? +- set_fact: kibana_version="{{ openshift_logging_image_version | regex_replace('^v?(?P\d)\.(?P\d).*$', '3_\\g') }}" + when: openshift_logging_image_version != 'latest' + +- fail: + msg: Invalid version specified for Kibana + when: kibana_version not in __allowed_kibana_versions diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml new file mode 100644 index 000000000..a8ab3f4ef --- /dev/null +++ b/roles/openshift_logging_kibana/tasks/main.yaml @@ -0,0 +1,222 @@ +--- +# fail is we don't have an endpoint for ES to connect to? + +- include: determine_version.yaml + +- debug: var=tempdir + +# allow passing in a tempdir +- name: Create temp directory for doing work in + command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX + register: mktemp + changed_when: False + +- set_fact: + tempdir: "{{ mktemp.stdout }}" + +# This may not be necessary in this role +- name: Create templates subdirectory + file: + state: directory + path: "{{ tempdir }}/templates" + mode: 0755 + changed_when: False + +# we want to make sure we have all the necessary components here + +# create service account +- name: Create Kibana service account + oc_serviceaccount: + state: present + name: "aggregated-logging-kibana" + namespace: "{{ openshift_logging_namespace }}" + image_pull_secrets: "{{ openshift_logging_image_pull_secret }}" + when: openshift_logging_image_pull_secret != '' + +- name: Create Kibana service account + oc_serviceaccount: + state: present + name: "aggregated-logging-kibana" + namespace: "{{ openshift_logging_namespace }}" + when: + - openshift_logging_image_pull_secret == '' + +- set_fact: kibana_name="{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}" + +- name: Retrieving the cert to use when generating secrets for the logging components + slurp: + src: "{{ generated_certs_dir }}/{{ item.file }}" + register: key_pairs + with_items: + - { name: "ca_file", file: "ca.crt" } + - { name: "kibana_internal_key", file: "kibana-internal.key"} + - { name: "kibana_internal_cert", file: "kibana-internal.crt"} + - { name: "server_tls", file: "server-tls.json"} + +# create routes +# TODO: set up these certs differently? +- set_fact: + kibana_key: "{{ lookup('file', openshift_logging_kibana_key) | b64encode }}" + when: "{{ openshift_logging_kibana_key | trim | length > 0 }}" + changed_when: false + +- set_fact: + kibana_cert: "{{ lookup('file', openshift_logging_kibana_cert) | b64encode }}" + when: "{{ openshift_logging_kibana_cert | trim | length > 0 }}" + changed_when: false + +- set_fact: + kibana_ca: "{{ lookup('file', openshift_logging_kibana_ca) | b64encode }}" + when: "{{ openshift_logging_kibana_ca | trim | length > 0 }}" + changed_when: false + +- set_fact: + kibana_ca: "{{ key_pairs | entry_from_named_pair('ca_file') }}" + when: kibana_ca is not defined + changed_when: false + +- name: Generating Kibana route template + template: + src: route_reencrypt.j2 + dest: "{{ tempdir }}/templates/kibana-route.yaml" + vars: + obj_name: "{{ kibana_name }}" + route_host: "{{ openshift_logging_kibana_hostname }}" + service_name: "{{ kibana_name }}" + tls_key: "{{ kibana_key | default('') | b64decode }}" + tls_cert: "{{ kibana_cert | default('') | b64decode }}" + tls_ca_cert: "{{ kibana_ca | b64decode }}" + tls_dest_ca_cert: "{{ key_pairs | entry_from_named_pair('ca_file') | b64decode }}" + edge_term_policy: "{{ openshift_logging_kibana_edge_term_policy | default('') }}" + labels: + component: support + logging-infra: support + provider: openshift + changed_when: no + +- name: Setting Kibana route + oc_obj: + state: present + name: "{{ kibana_name }}" + namespace: "{{ openshift_logging_namespace }}" + kind: route + files: + - "{{ tempdir }}/templates/kibana-route.yaml" + +# gen session_secret -- if necessary +# TODO: make idempotent +- name: Generate proxy session + set_fact: + session_secret: "{{ 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' | random_word(200) }}" + check_mode: no + +# gen oauth_secret -- if necessary +# TODO: make idempotent +- name: Generate oauth client secret + set_fact: + oauth_secret: "{{ 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' | random_word(64) }}" + check_mode: no + +# create oauth client +- name: Create oauth-client template + template: + src: oauth-client.j2 + dest: "{{ tempdir }}/templates/oauth-client.yml" + vars: + kibana_hostname: "{{ openshift_logging_kibana_hostname }}" + secret: "{{ oauth_secret }}" + +- name: Set kibana-proxy oauth-client + oc_obj: + state: present + name: "kibana-proxy" + namespace: "{{ openshift_logging_namespace }}" + kind: oauthclient + files: + - "{{ tempdir }}/templates/oauth-client.yml" + delete_after: true + +# create Kibana secret +- name: Set Kibana secret + oc_secret: + state: present + name: "logging-kibana" + namespace: "{{ openshift_logging_namespace }}" + files: + - name: ca + path: "{{ generated_certs_dir }}/ca.crt" + - name: key + path: "{{ generated_certs_dir }}/system.logging.kibana.key" + - name: cert + path: "{{ generated_certs_dir }}/system.logging.kibana.crt" + +# create Kibana-proxy secret +- name: Set Kibana Proxy secret + oc_secret: + state: present + name: "logging-kibana-proxy" + namespace: "{{ openshift_logging_namespace }}" +# files: +# - name: server-key +# path: "{{ generated_certs_dir }}/kibana-internal.key" +# - name: server-cert +# path: "{{ generated_certs_dir }}/kibana-internal.crt" +# - name: server-tls +# path: "{{ generated_certs_dir }}/server-tls.json" + contents: + - path: oauth-secret + data: "{{ oauth_secret }}" + - path: session-secret + data: "{{ session_secret }}" + - path: server-key + data: "{{ key_pairs | entry_from_named_pair('kibana_internal_key') | b64decode }}" + - path: server-cert + data: "{{ key_pairs | entry_from_named_pair('kibana_internal_cert') | b64decode }}" + - path: server-tls + data: "{{ key_pairs | entry_from_named_pair('server_tls') | b64decode }}" + +# create Kibana DC +- name: Generate Kibana DC template + template: + src: kibana.j2 + dest: "{{ tempdir }}/templates/kibana-dc.yaml" + vars: + component: kibana + logging_component: kibana + deploy_name: "{{ kibana_name }}" + image: "{{ openshift_logging_image_prefix }}logging-kibana:{{ openshift_logging_image_version }}" + proxy_image: "{{ openshift_logging_image_prefix }}logging-auth-proxy:{{ openshift_logging_image_version }}" + es_host: "{{ openshift_logging_kibana_es_host }}" + es_port: "{{ openshift_logging_kibana_es_port }}" + kibana_cpu_limit: "{{ openshift_logging_kibana_cpu_limit }}" + kibana_memory_limit: "{{ openshift_logging_kibana_memory_limit }}" + kibana_proxy_cpu_limit: "{{ openshift_logging_kibana_proxy_cpu_limit }}" + kibana_proxy_memory_limit: "{{ openshift_logging_kibana_proxy_memory_limit }}" + replicas: "{{ openshift_logging_kibana_replicas | default (0) }}" + kibana_node_selector: "{{ openshift_logging_kibana_nodeselector | default({}) }}" + +- name: Set Kibana DC + oc_obj: + state: present + name: "{{ kibana_name }}" + namespace: "{{ openshift_logging_namespace }}" + kind: dc + files: + - "{{ tempdir }}/templates/kibana-dc.yaml" + delete_after: true + +# Scale up Kibana -- is this really necessary? +- name: Start Kibana + oc_scale: + kind: dc + name: "{{ kibana_name }}" + namespace: "{{ openshift_logging_namespace }}" + replicas: "{{ openshift_logging_kibana_replicas | default (1) }}" + +# update master configs? + +- name: Delete temp directory + file: + name: "{{ tempdir }}" + state: absent + changed_when: False diff --git a/roles/openshift_logging_kibana/templates/kibana.j2 b/roles/openshift_logging_kibana/templates/kibana.j2 new file mode 100644 index 000000000..9fefef9b7 --- /dev/null +++ b/roles/openshift_logging_kibana/templates/kibana.j2 @@ -0,0 +1,116 @@ +apiVersion: "v1" +kind: "DeploymentConfig" +metadata: + name: "{{ deploy_name }}" + labels: + provider: openshift + component: "{{ component }}" + logging-infra: "{{ logging_component }}" +spec: + replicas: {{ replicas | default(0) }} + selector: + provider: openshift + component: "{{ component }}" + logging-infra: "{{ logging_component }}" + strategy: + rollingParams: + intervalSeconds: 1 + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + name: "{{ deploy_name }}" + labels: + logging-infra: "{{ logging_component }}" + provider: openshift + component: "{{ component }}" + spec: + serviceAccountName: aggregated-logging-kibana +{% if kibana_node_selector is iterable and kibana_node_selector | length > 0 %} + nodeSelector: +{% for key, value in kibana_node_selector.iteritems() %} + {{ key }}: "{{ value }}" +{% endfor %} +{% endif %} + containers: + - + name: "kibana" + image: {{ image }} + imagePullPolicy: Always +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") %} + resources: + limits: +{% if kibana_cpu_limit is not none and kibana_cpu_limit != "" %} + cpu: "{{ kibana_cpu_limit }}" +{% endif %} +{% if kibana_memory_limit is not none and kibana_memory_limit != "" %} + memory: "{{ kibana_memory_limit }}" +{% endif %} +{% endif %} + env: + - name: "ES_HOST" + value: "{{ es_host }}" + - name: "ES_PORT" + value: "{{ es_port }}" + volumeMounts: + - name: kibana + mountPath: /etc/kibana/keys + readOnly: true + - + name: "kibana-proxy" + image: {{ proxy_image }} + imagePullPolicy: Always +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") %} + resources: + limits: +{% if kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "" %} + cpu: "{{ kibana_proxy_cpu_limit }}" +{% endif %} +{% if kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "" %} + memory: "{{ kibana_proxy_memory_limit }}" +{% endif %} +{% endif %} + ports: + - + name: "oaproxy" + containerPort: 3000 + env: + - + name: "OAP_BACKEND_URL" + value: "http://localhost:5601" + - + name: "OAP_AUTH_MODE" + value: "oauth2" + - + name: "OAP_TRANSFORM" + value: "user_header,token_header" + - + name: "OAP_OAUTH_ID" + value: kibana-proxy + - + name: "OAP_MASTER_URL" + value: {{ openshift_logging_kibana_master_url }} + - + name: "OAP_PUBLIC_MASTER_URL" + value: {{ openshift_logging_kibana_master_public_url }} + - + name: "OAP_LOGOUT_REDIRECT" + value: {{ openshift_logging_kibana_master_public_url }}/console/logout + - + name: "OAP_MASTER_CA_FILE" + value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + - + name: "OAP_DEBUG" + value: "{{ openshift_logging_kibana_proxy_debug }}" + volumeMounts: + - name: kibana-proxy + mountPath: /secret + readOnly: true + volumes: + - name: kibana + secret: + secretName: logging-kibana + - name: kibana-proxy + secret: + secretName: logging-kibana-proxy diff --git a/roles/openshift_logging_kibana/templates/oauth-client.j2 b/roles/openshift_logging_kibana/templates/oauth-client.j2 new file mode 100644 index 000000000..6767f6d89 --- /dev/null +++ b/roles/openshift_logging_kibana/templates/oauth-client.j2 @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: OAuthClient +metadata: + name: kibana-proxy + labels: + logging-infra: support +secret: {{secret}} +redirectURIs: +- https://{{kibana_hostname}} +scopeRestrictions: +- literals: + - user:info + - user:check-access + - user:list-projects diff --git a/roles/openshift_logging_kibana/templates/route_reencrypt.j2 b/roles/openshift_logging_kibana/templates/route_reencrypt.j2 new file mode 100644 index 000000000..cf8a9e65f --- /dev/null +++ b/roles/openshift_logging_kibana/templates/route_reencrypt.j2 @@ -0,0 +1,36 @@ +apiVersion: "v1" +kind: "Route" +metadata: + name: "{{obj_name}}" +{% if labels is defined%} + labels: +{% for key, value in labels.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +spec: + host: {{ route_host }} + tls: +{% if tls_key is defined and tls_key | length > 0 %} + key: | +{{ tls_key|indent(6, true) }} +{% if tls_cert is defined and tls_cert | length > 0 %} + certificate: | +{{ tls_cert|indent(6, true) }} +{% endif %} +{% endif %} + caCertificate: | +{% for line in tls_ca_cert.split('\n') %} + {{ line }} +{% endfor %} + destinationCACertificate: | +{% for line in tls_dest_ca_cert.split('\n') %} + {{ line }} +{% endfor %} + termination: reencrypt +{% if edge_term_policy is defined and edge_term_policy | length > 0 %} + insecureEdgeTerminationPolicy: {{ edge_term_policy }} +{% endif %} + to: + kind: Service + name: {{ service_name }} diff --git a/roles/openshift_logging_kibana/vars/main.yml b/roles/openshift_logging_kibana/vars/main.yml new file mode 100644 index 000000000..87b281c4b --- /dev/null +++ b/roles/openshift_logging_kibana/vars/main.yml @@ -0,0 +1,3 @@ +--- +__latest_kibana_version: "3_5" +__allowed_kibana_versions: ["3_5", "3_6"] -- cgit v1.2.3 From 60ad4626f03cbfb119290a4bfaf9ecba53dc762b Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Tue, 2 May 2017 11:21:56 -0500 Subject: Pulling in changes from master --- roles/openshift_logging_kibana/tasks/main.yaml | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml index a8ab3f4ef..3bc903181 100644 --- a/roles/openshift_logging_kibana/tasks/main.yaml +++ b/roles/openshift_logging_kibana/tasks/main.yaml @@ -41,7 +41,9 @@ when: - openshift_logging_image_pull_secret == '' -- set_fact: kibana_name="{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}" +- set_fact: + kibana_name: "{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}" + kibana_component: "{{ 'kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}" - name: Retrieving the cert to use when generating secrets for the logging components slurp: @@ -53,6 +55,21 @@ - { name: "kibana_internal_cert", file: "kibana-internal.crt"} - { name: "server_tls", file: "server-tls.json"} +# services +- name: Set {{ kibana_name }} service + oc_service: + state: present + name: "{{ kibana_name }}" + namespace: "{{ openshift_logging_kibana_namespace }}" + selector: + component: "{{ kibana_component }}" + provider: openshift +# labels: +# - logging-infra: 'support' + ports: + - port: 443 + targetPort: "oaproxy" + # create routes # TODO: set up these certs differently? - set_fact: @@ -94,6 +111,7 @@ provider: openshift changed_when: no +# This currently has an issue if the host name changes - name: Setting Kibana route oc_obj: state: present @@ -181,7 +199,7 @@ src: kibana.j2 dest: "{{ tempdir }}/templates/kibana-dc.yaml" vars: - component: kibana + component: "{{ kibana_component }}" logging_component: kibana deploy_name: "{{ kibana_name }}" image: "{{ openshift_logging_image_prefix }}logging-kibana:{{ openshift_logging_image_version }}" -- cgit v1.2.3 From 7426996929fe298f4da0b238e38d91fb929b5112 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Thu, 18 May 2017 19:45:19 -0500 Subject: Pulling changes from master branch --- roles/openshift_logging_kibana/defaults/main.yml | 4 ++-- roles/openshift_logging_kibana/templates/kibana.j2 | 27 ++++++++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/defaults/main.yml b/roles/openshift_logging_kibana/defaults/main.yml index 6474cd504..23337bcd2 100644 --- a/roles/openshift_logging_kibana/defaults/main.yml +++ b/roles/openshift_logging_kibana/defaults/main.yml @@ -9,7 +9,7 @@ openshift_logging_kibana_namespace: logging openshift_logging_kibana_nodeselector: "" openshift_logging_kibana_cpu_limit: null -openshift_logging_kibana_memory_limit: null +openshift_logging_kibana_memory_limit: 736Mi openshift_logging_kibana_hostname: "kibana.router.default.svc.cluster.local" @@ -26,7 +26,7 @@ openshift_logging_kibana_ops_deployment: false # Proxy settings openshift_logging_kibana_proxy_debug: false openshift_logging_kibana_proxy_cpu_limit: null -openshift_logging_kibana_proxy_memory_limit: null +openshift_logging_kibana_proxy_memory_limit: 96Mi #The absolute path on the control node to the cert file to use #for the public facing kibana certs diff --git a/roles/openshift_logging_kibana/templates/kibana.j2 b/roles/openshift_logging_kibana/templates/kibana.j2 index 9fefef9b7..ea506b12b 100644 --- a/roles/openshift_logging_kibana/templates/kibana.j2 +++ b/roles/openshift_logging_kibana/templates/kibana.j2 @@ -53,6 +53,12 @@ spec: value: "{{ es_host }}" - name: "ES_PORT" value: "{{ es_port }}" + - + name: "KIBANA_MEMORY_LIMIT" + valueFrom: + resourceFieldRef: + containerName: kibana + resource: limits.memory volumeMounts: - name: kibana mountPath: /etc/kibana/keys @@ -103,6 +109,27 @@ spec: - name: "OAP_DEBUG" value: "{{ openshift_logging_kibana_proxy_debug }}" + - + name: "OAP_OAUTH_SECRET_FILE" + value: "/secret/oauth-secret" + - + name: "OAP_SERVER_CERT_FILE" + value: "/secret/server-cert" + - + name: "OAP_SERVER_KEY_FILE" + value: "/secret/server-key" + - + name: "OAP_SERVER_TLS_FILE" + value: "/secret/server-tls.json" + - + name: "OAP_SESSION_SECRET_FILE" + value: "/secret/session-secret" + - + name: "OCP_AUTH_PROXY_MEMORY_LIMIT" + valueFrom: + resourceFieldRef: + containerName: kibana-proxy + resource: limits.memory volumeMounts: - name: kibana-proxy mountPath: /secret -- cgit v1.2.3 From 108a42cbbdbfc8094d1d8bf8d0d8826adfdf760d Mon Sep 17 00:00:00 2001 From: Steve Kuznetsov Date: Mon, 22 May 2017 09:42:19 -0700 Subject: Create logging deployments with non-zero replica counts When we currently create the set of logging `DeploymentConfig`s, we create them with zero desired replicas. This causes the deployment to immediately succeed as there is no work to be done. This inhibits our ability to use nice CLI UX features like `oc rollout status` to monitor the logging stack deployments. Instead, we should can create the configs with the correct number of replicas in the first place and stop using `oc scale` to bring them up after the fact. Signed-off-by: Steve Kuznetsov --- roles/openshift_logging_kibana/tasks/main.yaml | 10 +--------- roles/openshift_logging_kibana/templates/kibana.j2 | 2 +- 2 files changed, 2 insertions(+), 10 deletions(-) (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml index 3bc903181..4444413e1 100644 --- a/roles/openshift_logging_kibana/tasks/main.yaml +++ b/roles/openshift_logging_kibana/tasks/main.yaml @@ -210,7 +210,7 @@ kibana_memory_limit: "{{ openshift_logging_kibana_memory_limit }}" kibana_proxy_cpu_limit: "{{ openshift_logging_kibana_proxy_cpu_limit }}" kibana_proxy_memory_limit: "{{ openshift_logging_kibana_proxy_memory_limit }}" - replicas: "{{ openshift_logging_kibana_replicas | default (0) }}" + replicas: "{{ openshift_logging_kibana_replicas | default (1) }}" kibana_node_selector: "{{ openshift_logging_kibana_nodeselector | default({}) }}" - name: Set Kibana DC @@ -223,14 +223,6 @@ - "{{ tempdir }}/templates/kibana-dc.yaml" delete_after: true -# Scale up Kibana -- is this really necessary? -- name: Start Kibana - oc_scale: - kind: dc - name: "{{ kibana_name }}" - namespace: "{{ openshift_logging_namespace }}" - replicas: "{{ openshift_logging_kibana_replicas | default (1) }}" - # update master configs? - name: Delete temp directory diff --git a/roles/openshift_logging_kibana/templates/kibana.j2 b/roles/openshift_logging_kibana/templates/kibana.j2 index ea506b12b..2298aa6d5 100644 --- a/roles/openshift_logging_kibana/templates/kibana.j2 +++ b/roles/openshift_logging_kibana/templates/kibana.j2 @@ -7,7 +7,7 @@ metadata: component: "{{ component }}" logging-infra: "{{ logging_component }}" spec: - replicas: {{ replicas | default(0) }} + replicas: {{ replicas | default(1) }} selector: provider: openshift component: "{{ component }}" -- cgit v1.2.3 From 2740dff958cb3c619ca508d83edb3b351f83c31d Mon Sep 17 00:00:00 2001 From: Steve Kuznetsov Date: Mon, 22 May 2017 09:45:09 -0700 Subject: Add a readiness probe to the Kibana container In order to ensure that the Kubernetes machinery can determine when the Kibana Pods are becoming ready, we need to add a readiness probe to the Containers that make up those pods. The Kibana readiness probe simply hits the base URL at `http://localhost:5601/` and expects a 200. Signed-off-by: Steve Kuznetsov --- roles/openshift_logging_kibana/templates/kibana.j2 | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/templates/kibana.j2 b/roles/openshift_logging_kibana/templates/kibana.j2 index 2298aa6d5..f8043812b 100644 --- a/roles/openshift_logging_kibana/templates/kibana.j2 +++ b/roles/openshift_logging_kibana/templates/kibana.j2 @@ -63,6 +63,13 @@ spec: - name: kibana mountPath: /etc/kibana/keys readOnly: true + readinessProbe: + exec: + command: + - "/usr/share/kibana/probe/readiness.sh" + initialDelaySeconds: 5 + timeoutSeconds: 4 + periodSeconds: 5 - name: "kibana-proxy" image: {{ proxy_image }} -- cgit v1.2.3 From 1a024097cd504c2a5612e7a1272cd0200da20b4b Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Mon, 22 May 2017 21:26:49 -0400 Subject: Appease travis --- roles/openshift_logging_kibana/tasks/main.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml index 4444413e1..72a41af5e 100644 --- a/roles/openshift_logging_kibana/tasks/main.yaml +++ b/roles/openshift_logging_kibana/tasks/main.yaml @@ -50,10 +50,10 @@ src: "{{ generated_certs_dir }}/{{ item.file }}" register: key_pairs with_items: - - { name: "ca_file", file: "ca.crt" } - - { name: "kibana_internal_key", file: "kibana-internal.key"} - - { name: "kibana_internal_cert", file: "kibana-internal.crt"} - - { name: "server_tls", file: "server-tls.json"} + - { name: "ca_file", file: "ca.crt" } + - { name: "kibana_internal_key", file: "kibana-internal.key"} + - { name: "kibana_internal_cert", file: "kibana-internal.crt"} + - { name: "server_tls", file: "server-tls.json"} # services - name: Set {{ kibana_name }} service -- cgit v1.2.3 From 68f8a50abc0acd3005dbd98d0e7964bcf7900e26 Mon Sep 17 00:00:00 2001 From: ewolinetz Date: Tue, 23 May 2017 11:21:20 -0500 Subject: Fixing tux warnings and some final clean up --- roles/openshift_logging_kibana/tasks/main.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml index 72a41af5e..55b28ee24 100644 --- a/roles/openshift_logging_kibana/tasks/main.yaml +++ b/roles/openshift_logging_kibana/tasks/main.yaml @@ -3,8 +3,6 @@ - include: determine_version.yaml -- debug: var=tempdir - # allow passing in a tempdir - name: Create temp directory for doing work in command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX @@ -64,8 +62,9 @@ selector: component: "{{ kibana_component }}" provider: openshift -# labels: -# - logging-infra: 'support' + # pending #4091 + #labels: + #- logging-infra: 'support' ports: - port: 443 targetPort: "oaproxy" @@ -174,13 +173,14 @@ state: present name: "logging-kibana-proxy" namespace: "{{ openshift_logging_namespace }}" -# files: -# - name: server-key -# path: "{{ generated_certs_dir }}/kibana-internal.key" -# - name: server-cert -# path: "{{ generated_certs_dir }}/kibana-internal.crt" -# - name: server-tls -# path: "{{ generated_certs_dir }}/server-tls.json" + # TODO: when possible to have both files and contents for oc_secret use this + #files: + #- name: server-key + # path: "{{ generated_certs_dir }}/kibana-internal.key" + #- name: server-cert + # path: "{{ generated_certs_dir }}/kibana-internal.crt" + #- name: server-tls + # path: "{{ generated_certs_dir }}/server-tls.json" contents: - path: oauth-secret data: "{{ oauth_secret }}" -- cgit v1.2.3