| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-10-05 03:45:06 -0700 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-10-05 03:45:06 -0700 | 
| commit | cdbc995e65921210981e9fb3710a36c7d93a35dc (patch) | |
| tree | 7475e2b3302da859fe60513f7c535c912aab6f0b /roles | |
| parent | 6efc786c94afa7eb9270b92d3d7022f190a3de48 (diff) | |
| parent | f4c7d5e064fad263f618fb633d5c0d37c0a2a553 (diff) | |
| download | openshift-cdbc995e65921210981e9fb3710a36c7d93a35dc.tar.gz openshift-cdbc995e65921210981e9fb3710a36c7d93a35dc.tar.bz2 openshift-cdbc995e65921210981e9fb3710a36c7d93a35dc.tar.xz openshift-cdbc995e65921210981e9fb3710a36c7d93a35dc.zip | |
Merge pull request #5637 from wozniakjan/1496271_fix
Automatic merge from submit-queue.
 Bug 1496271 - Preserve SCC for ES local persistent storage
ES can be modified to use node local persistent storage. This requires changing SCC and is described in docs:
https://docs.openshift.com/container-platform/3.6/install_config/aggregate_logging.html
During an upgrade, SCC defined by the user is ignored. This fix fetches SCC user defined as a fact and adds it to the ES DC which is later used.
Also includes cherrypicked fix for - Bug 1482661 - Preserve ES dc nodeSelector and supplementalGroups
cc @jcantrill
Diffstat (limited to 'roles')
6 files changed, 28 insertions, 13 deletions
| diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index 0f1f659c6..6e7e2557f 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -94,7 +94,7 @@ openshift_logging_es_pvc_dynamic: "{{ openshift_logging_elasticsearch_pvc_dynami
 openshift_logging_es_pvc_size: "{{ openshift_logging_elasticsearch_pvc_size | default('') }}"
 openshift_logging_es_pvc_prefix: "{{ openshift_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
 openshift_logging_es_recover_after_time: 5m
-openshift_logging_es_storage_group: "{{ openshift_logging_elasticsearch_storage_group | default('65534') }}"
+openshift_logging_es_storage_group: "65534"
 openshift_logging_es_nodeselector: {}
 # openshift_logging_es_config is a hash to be merged into the defaults for the elasticsearch.yaml
 openshift_logging_es_config: {}
@@ -133,7 +133,7 @@ openshift_logging_es_ops_pvc_dynamic: "{{ openshift_logging_elasticsearch_ops_pv
 openshift_logging_es_ops_pvc_size: "{{ openshift_logging_elasticsearch_ops_pvc_size | default('') }}"
 openshift_logging_es_ops_pvc_prefix: "{{ openshift_logging_elasticsearch_ops_pvc_prefix | default('logging-es-ops') }}"
 openshift_logging_es_ops_recover_after_time: 5m
-openshift_logging_es_ops_storage_group: "{{ openshift_logging_elasticsearch_storage_group | default('65534') }}"
+openshift_logging_es_ops_storage_group: "65534"
 openshift_logging_es_ops_nodeselector: {}
 # for exposing es-ops to external (outside of the cluster) clients
diff --git a/roles/openshift_logging/library/openshift_logging_facts.py b/roles/openshift_logging/library/openshift_logging_facts.py
index 35accfb78..f10df8da5 100644
--- a/roles/openshift_logging/library/openshift_logging_facts.py
+++ b/roles/openshift_logging/library/openshift_logging_facts.py
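Review bot: Both defaults hunks replace the lookup of `openshift_logging_elasticsearch_storage_group` with the literal `"65534"`, so an inventory that sets that variable no longer influences `openshift_logging_es_storage_group` or `openshift_logging_es_ops_storage_group`. The supplemental group decides which on-disk data the Elasticsearch pod can reach, so the new way to override it should be stated next to the defaults, for example `# override openshift_logging_es_storage_group directly; openshift_logging_elasticsearch_storage_group is no longer consulted here`. Whether the old variable is still honoured elsewhere cannot be seen from these hunks.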
@@ -171,22 +171,25 @@ class OpenshiftLoggingFacts(OCBaseCommand):
             if comp is not None:
                 spec = dc_item["spec"]["template"]["spec"]
                 facts = dict(
+                    name=name,
                     selector=dc_item["spec"]["selector"],
                     replicas=dc_item["spec"]["replicas"],
                     serviceAccount=spec["serviceAccount"],
                     containers=dict(),
                     volumes=dict()
                 )
+                if "nodeSelector" in spec:
+                    facts["nodeSelector"] = spec["nodeSelector"]
+                if "supplementalGroups" in spec["securityContext"]:
+                    facts["storageGroups"] = spec["securityContext"]["supplementalGroups"]
+                facts["spec"] = spec
                 if "volumes" in spec:
                     for vol in spec["volumes"]:
                         clone = copy.deepcopy(vol)
                         clone.pop("name", None)
                         facts["volumes"][vol["name"]] = clone
                 for container in spec["containers"]:
-                    facts["containers"][container["name"]] = dict(
-                        image=container["image"],
-                        resources=container["resources"],
-                    )
+                    facts["containers"][container["name"]] = container
                 self.add_facts_for(comp, "deploymentconfigs", name, facts)
     def facts_for_services(self, namespace):
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index a3e653cb8..21fd79c28 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
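Review bot: The added `if "supplementalGroups" in spec["securityContext"]:` indexes `securityContext` without a guard, while the `nodeSelector` check just above tests for its key first; a deployment config whose pod spec has no `securityContext` would raise `KeyError` and abort fact gathering. `if "supplementalGroups" in spec.get("securityContext", {}):` keeps the two checks consistent. Separately, `facts["spec"] = spec` and `facts["containers"][container["name"]] = container` now store the whole pod and container definitions, env values included, so anything that prints the facts (verbose runs, debug tasks) may expose more than the old image/resources pair did; a comment saying why the full objects are needed would help. The enclosing method starts and ends outside the hunk.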
@@ -69,15 +69,18 @@
   vars:
     generated_certs_dir: "{{openshift.common.config_base}}/logging"
     openshift_logging_elasticsearch_namespace: "{{ openshift_logging_namespace }}"
-    openshift_logging_elasticsearch_deployment_name: "{{ item.0 }}"
+    openshift_logging_elasticsearch_deployment_name: "{{ item.0.name }}"
     openshift_logging_elasticsearch_pvc_name: "{{ openshift_logging_es_pvc_prefix ~ '-' ~ item.2 if item.1 is none else item.1 }}"
     openshift_logging_elasticsearch_replica_count: "{{ openshift_logging_es_cluster_size | int }}"
     openshift_logging_elasticsearch_storage_type: "{{ elasticsearch_storage_type }}"
     openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_pv_selector }}"
+    openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_nodeselector if item.0.nodeSelector | default(None) is none else item.0.nodeSelector }}"
+    openshift_logging_elasticsearch_storage_group: "{{ [openshift_logging_es_storage_group] if item.0.storageGroups | default([]) | length == 0 else item.0.storageGroups }}"
+    _es_containers: "{{item.0.containers}}"
   with_together:
-  - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs }}"
+  - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() }}"
   - "{{ openshift_logging_facts.elasticsearch.pvcs }}"
   - "{{ es_indices }}"
   when:
@@ -119,7 +122,7 @@
   vars:
     generated_certs_dir: "{{openshift.common.config_base}}/logging"
     openshift_logging_elasticsearch_namespace: "{{ openshift_logging_namespace }}"
-    openshift_logging_elasticsearch_deployment_name: "{{ item.0 }}"
+    openshift_logging_elasticsearch_deployment_name: "{{ item.0.name }}"
     openshift_logging_elasticsearch_pvc_name: "{{ openshift_logging_es_ops_pvc_prefix ~ '-' ~ item.2 if item.1 is none else item.1 }}"
     openshift_logging_elasticsearch_ops_deployment: true
     openshift_logging_elasticsearch_replica_count: "{{ openshift_logging_es_ops_cluster_size | int }}"
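Review bot: `deploymentconfigs.values()` in the `with_together` list is evaluated by Jinja2, and under Python 3 it yields a dict view rather than a list, which Ansible loops may not accept; `- "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() | list }}"` is the portable form. The same applies to the `elasticsearch_ops` entry in the `@@ -130,16 +133,18 @@` hunk. The new `item.0.name`, `item.0.nodeSelector` and `item.0.containers` lookups also assume `item.0` is a fact dict, while the `item.1 is none` test on the PVC line shows that `with_together` can hand in none for a shorter list; whether the `when:` that follows covers that case lies outside the hunk and should be confirmed.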
@@ -130,16 +133,18 @@
     openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}"
     openshift_logging_elasticsearch_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}"
     openshift_logging_elasticsearch_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}"
-    openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_ops_nodeselector }}"
+    openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_ops_nodeselector if item.0.nodeSelector | default(None) is none else item.0.nodeSelector }}"
+    openshift_logging_elasticsearch_storage_group: "{{ [openshift_logging_es_ops_storage_group] if item.0.storageGroups | default([]) | length == 0 else item.0.storageGroups }}"
     openshift_logging_es_key: "{{ openshift_logging_es_ops_key }}"
     openshift_logging_es_cert: "{{ openshift_logging_es_ops_cert }}"
     openshift_logging_es_ca_ext: "{{ openshift_logging_es_ops_ca_ext }}"
     openshift_logging_es_hostname: "{{ openshift_logging_es_ops_hostname }}"
     openshift_logging_es_edge_term_policy: "{{ openshift_logging_es_ops_edge_term_policy | default('') }}"
     openshift_logging_es_allow_external: "{{ openshift_logging_es_ops_allow_external }}"
+    _es_containers: "{{item.0.containers}}"
   with_together:
-  - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs }}"
+  - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.values() }}"
   - "{{ openshift_logging_facts.elasticsearch_ops.pvcs }}"
   - "{{ es_ops_indices }}"
   when:
diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml
index 72d5cab96..554aa5bb2 100644
--- a/roles/openshift_logging_elasticsearch/defaults/main.yml
+++ b/roles/openshift_logging_elasticsearch/defaults/main.yml
@@ -33,7 +33,7 @@ openshift_logging_elasticsearch_pvc_size: ""
 openshift_logging_elasticsearch_pvc_dynamic: false
 openshift_logging_elasticsearch_pvc_pv_selector: {}
 openshift_logging_elasticsearch_pvc_access_modes: ['ReadWriteOnce']
-openshift_logging_elasticsearch_storage_group: '65534'
+openshift_logging_elasticsearch_storage_group: ['65534']
 openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index e0049998c..df2c17aa0 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -340,6 +340,8 @@
     es_cpu_limit: "{{ openshift_logging_elasticsearch_cpu_limit }}"
     es_memory_limit: "{{ openshift_logging_elasticsearch_memory_limit }}"
     es_node_selector: "{{ openshift_logging_elasticsearch_nodeselector | default({}) }}"
+    es_storage_groups: "{{ openshift_logging_elasticsearch_storage_group | default([]) }}"
+    es_container_security_context: "{{ _es_containers.elasticsearch.securityContext if _es_containers is defined and 'elasticsearch' in _es_containers and 'securityContext' in _es_containers.elasticsearch else None }}"
     deploy_type: "{{ openshift_logging_elasticsearch_deployment_type }}"
     es_replicas: 1
diff --git a/roles/openshift_logging_elasticsearch/templates/es.j2 b/roles/openshift_logging_elasticsearch/templates/es.j2
index cca5bf8a3..1ed886627 100644
--- a/roles/openshift_logging_elasticsearch/templates/es.j2
+++ b/roles/openshift_logging_elasticsearch/templates/es.j2
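Review bot: In the `tasks/main.yaml` hunk, `es_container_security_context` is copied unchanged from the running deployment config's `elasticsearch` container, so whatever is set there (for example `privileged: true`) is re-applied on every upgrade with no trace in the play output. That is the purpose of the fix, but a later reader of a run cannot tell an operator's deliberate setting from an unexpected edit of the DC. A comment above the variable such as `# carried over from the existing DC; review it with 'oc get dc -o yaml' before upgrading` would make it auditable, optionally with a `debug` task that prints the preserved value. The `vars:` block continues outside the hunk.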
@@ -29,7 +29,9 @@ spec:
       serviceAccountName: aggregated-logging-elasticsearch
       securityContext:
         supplementalGroups:
-        - {{openshift_logging_elasticsearch_storage_group}}
+{% for group in es_storage_groups %}
+        - {{group}}
+{% endfor %}
 {% if es_node_selector is iterable and es_node_selector | length > 0 %}
       nodeSelector:
 {% for key, value in es_node_selector.iteritems() %}
@@ -83,6 +85,9 @@ spec:
 {% endif %}
             requests:
               memory: "{{es_memory_limit}}"
+{% if es_container_security_context %}
+          securityContext: {{ es_container_security_context | to_yaml }} 
+{% endif %}
           ports:
             -
               containerPort: 9200 | 
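Review bot: The added `securityContext: {{ es_container_security_context | to_yaml }}` line in the second hunk places the filter output inline after the key, but `to_yaml` most likely switches to multi-line block style once the mapping holds a nested collection (for example `capabilities`). Those continuation lines would start at column 0 and break the rendered deployment config, or attach the keys to the wrong level. `securityContext: {{ es_container_security_context | to_json }}` stays on one line and is still valid YAML. The surrounding container definition continues outside the hunk.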
