Diffstat (limited to 'roles/openshift_logging')
18 files changed, 615 insertions, 159 deletions
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index 96ed44011..5ee8d1e2a 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -119,6 +119,15 @@ openshift_logging_es_ops_number_of_replicas: 0 # storage related defaults openshift_logging_storage_access_modes: "{{ openshift_hosted_logging_storage_access_modes | default(['ReadWriteOnce']) }}" +# mux - secure_forward listener service +openshift_logging_mux_allow_external: False +openshift_logging_use_mux: "{{ openshift_logging_mux_allow_external | default(False) }}" +# this tells the fluentd node agent to use mux instead of sending directly to Elasticsearch +openshift_logging_use_mux_client: False +openshift_logging_mux_hostname: "{{ 'mux.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}" +openshift_logging_mux_port: 24284 +openshift_logging_mux_cpu_limit: 100m +openshift_logging_mux_memory_limit: 512Mi # following can be uncommented to provide values for configmaps -- take care when providing file contents as it may cause your cluster to not operate correctly #es_logging_contents: @@ -127,3 +136,5 @@ openshift_logging_storage_access_modes: "{{ openshift_hosted_logging_storage_acc #fluentd_config_contents: #fluentd_throttle_contents: #fluentd_secureforward_contents: +#fluentd_mux_config_contents: +#fluentd_mux_secureforward_contents: diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml index 188ea246c..2f5b68b4d 100644 --- a/roles/openshift_logging/tasks/delete_logging.yaml +++ b/roles/openshift_logging/tasks/delete_logging.yaml @@ -44,6 +44,7 @@ - logging-kibana - logging-kibana-proxy - logging-curator + - logging-mux ignore_errors: yes register: delete_result changed_when: delete_result.stdout.find("deleted") != -1 and delete_result.rc == 0 
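Review bot: `openshift_logging_use_mux` is declared as a templated string (`"{{ openshift_logging_mux_allow_external | default(False) }}"`) and every consumer in this change tests it as a bare `when: openshift_logging_use_mux`, while the role's existing toggle `openshift_logging_use_ops` is always coerced with `| bool`; relying on Ansible re-evaluating the rendered string as an expression is fragile once a user overrides the value in an inventory. Declare it as a real boolean and coerce at each use: `openshift_logging_mux_allow_external: false`, `openshift_logging_use_mux: "{{ openshift_logging_mux_allow_external | bool }}"`, `when: openshift_logging_use_mux | bool`. The coupling between the two deserves a comment next to them, e.g. `# use_mux defaults to allow_external: turning on the external listener also deploys mux; set use_mux true and allow_external false for an intra-cluster-only mux`. Lowercase `false` also keeps yamllint's truthy rule quiet.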
@@ -109,5 +110,6 @@ - logging-curator - logging-elasticsearch - logging-fluentd + - logging-mux register: delete_result changed_when: delete_result.stdout.find("deleted") != -1 and delete_result.rc == 0 diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index 740e490e1..b34df018d 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml @@ -45,6 +45,21 @@ - procure_component: kibana-internal hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}" +- include: procure_server_certs.yaml + loop_control: + loop_var: cert_info + with_items: + - procure_component: mux + hostnames: "logging-mux, {{openshift_logging_mux_hostname}}" + when: openshift_logging_use_mux + +- include: procure_shared_key.yaml + loop_control: + loop_var: shared_key_info + with_items: + - procure_component: mux + when: openshift_logging_use_mux + - name: Copy proxy TLS configuration file copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json when: server_tls_json is undefined @@ -85,6 +100,14 @@ loop_control: loop_var: node_name +- name: Generate PEM cert for mux + include: generate_pems.yaml component={{node_name}} + with_items: + - system.logging.mux + loop_control: + loop_var: node_name + when: openshift_logging_use_mux + - name: Creating necessary JKS certs include: generate_jks.yaml diff --git a/roles/openshift_logging/tasks/generate_configmaps.yaml b/roles/openshift_logging/tasks/generate_configmaps.yaml index 253543f54..44bd0058a 100644 --- a/roles/openshift_logging/tasks/generate_configmaps.yaml +++ b/roles/openshift_logging/tasks/generate_configmaps.yaml 
@@ -134,3 +134,43 @@ when: fluentd_configmap.stdout is defined changed_when: no check_mode: no + +- block: + - copy: + src: fluent.conf + dest: "{{mktemp.stdout}}/fluent-mux.conf" + when: fluentd_mux_config_contents is undefined + changed_when: no + + - copy: + src: secure-forward.conf + dest: "{{mktemp.stdout}}/secure-forward-mux.conf" + when: fluentd_mux_securefoward_contents is undefined + changed_when: no + + - copy: + content: "{{fluentd_mux_config_contents}}" + dest: "{{mktemp.stdout}}/fluent-mux.conf" + when: fluentd_mux_config_contents is defined + changed_when: no + + - copy: + content: "{{fluentd_mux_secureforward_contents}}" + dest: "{{mktemp.stdout}}/secure-forward-mux.conf" + when: fluentd_mux_secureforward_contents is defined + changed_when: no + + - command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-mux + --from-file=fluent.conf={{mktemp.stdout}}/fluent-mux.conf + --from-file=secure-forward.conf={{mktemp.stdout}}/secure-forward-mux.conf -o yaml --dry-run + register: mux_configmap + changed_when: no + + - copy: + content: "{{mux_configmap.stdout}}" + dest: "{{mktemp.stdout}}/templates/logging-mux-configmap.yaml" + when: mux_configmap.stdout is defined + changed_when: no + check_mode: no + when: openshift_logging_use_mux diff --git a/roles/openshift_logging/tasks/generate_secrets.yaml b/roles/openshift_logging/tasks/generate_secrets.yaml index f396bcc6d..c1da49fd8 100644 --- a/roles/openshift_logging/tasks/generate_secrets.yaml +++ b/roles/openshift_logging/tasks/generate_secrets.yaml 
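Review bot: The second copy task tests `fluentd_mux_securefoward_contents is undefined` (missing `r`), so it never sees the variable the fourth task reads; the stock `secure-forward.conf` is always copied first and the outcome is only correct because the later `copy: content=` overwrites it. Fix the guard to `when: fluentd_mux_secureforward_contents is undefined`. The block also seeds the mux configmap from the same `fluent.conf`/`secure-forward.conf` files the node-agent fluentd uses, even though mux is the listening side of secure_forward; if that is intentional (the image switching behaviour at runtime is not visible here), a comment such as `# mux reuses the fluentd default configs; listener behaviour is selected inside the image` would save the next reader the question.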
@@ -34,6 +34,36 @@ check_mode: no changed_when: no +- name: Retrieving the cert to use when generating secrets for mux + slurp: src="{{generated_certs_dir}}/{{item.file}}" + register: mux_key_pairs + with_items: + - { name: "ca_file", file: "ca.crt" } + - { name: "mux_key", file: "system.logging.mux.key"} + - { name: "mux_cert", file: "system.logging.mux.crt"} + - { name: "mux_shared_key", file: "mux_shared_key"} + when: openshift_logging_use_mux + +- name: Generating secrets for mux + template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml + vars: + secret_name: "logging-{{component}}" + secret_key_file: "{{component}}_key" + secret_cert_file: "{{component}}_cert" + secrets: + - {key: ca, value: "{{mux_key_pairs | entry_from_named_pair('ca_file')| b64decode }}"} + - {key: key, value: "{{mux_key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"} + - {key: cert, value: "{{mux_key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"} + - {key: shared_key, value: "{{mux_key_pairs | entry_from_named_pair('mux_shared_key')| b64decode }}"} + secret_keys: ["ca", "cert", "key", "shared_key"] + with_items: + - mux + loop_control: + loop_var: component + check_mode: no + changed_when: no + when: openshift_logging_use_mux + - name: Generating secrets for kibana proxy template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml vars: @@ -43,7 +73,7 @@ - {key: session-secret, value: "{{session_secret}}"} - {key: server-key, value: "{{kibana_key_file}}"} - {key: server-cert, value: "{{kibana_cert_file}}"} - - {key: server-tls, value: "{{server_tls_file}}"} + - {key: server-tls.json, value: "{{server_tls_file}}"} secret_keys: ["server-tls.json", "server-key", "session-secret", "oauth-secret", "server-cert"] kibana_key_file: "{{key_pairs | entry_from_named_pair('kibana_internal_key')| b64decode }}" kibana_cert_file: "{{key_pairs | entry_from_named_pair('kibana_internal_cert')| b64decode }}" 
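Review bot: The `logging-mux` secret bundles the mux server's private key (`system.logging.mux.key`) and certificate together with the `shared_key`, and the fluentd.j2 change in this same commit mounts that entire secret into every node's fluentd pod when `openshift_logging_use_mux_client` is set; a client only needs the CA, the shared key and, if used, its own client certificate, so every node agent is handed the material needed to impersonate the mux listener. Split this into a server secret (`ca`, `cert`, `key`, `shared_key`) consumed only by the mux DC and a separate client secret (`ca`, `shared_key`) for fluentd. The `server-tls` → `server-tls.json` rename in the kibana-proxy secret is a real fix (it now matches the `secret_keys` list) but is unrelated to mux and would be easier to trace as its own commit.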
diff --git a/roles/openshift_logging/tasks/generate_services.yaml b/roles/openshift_logging/tasks/generate_services.yaml index 5091c1209..e3a5c5eb3 100644 --- a/roles/openshift_logging/tasks/generate_services.yaml +++ b/roles/openshift_logging/tasks/generate_services.yaml @@ -85,3 +85,35 @@ when: openshift_logging_use_ops | bool check_mode: no changed_when: no + +- name: Generating logging-mux service for external connections + template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-mux-svc.yaml + vars: + obj_name: logging-mux + ports: + - {port: "{{openshift_logging_mux_port}}", targetPort: mux-forward, name: mux-forward} + labels: + logging-infra: support + selector: + provider: openshift + component: mux + externalIPs: + - "{{ ansible_eth0.ipv4.address }}" + check_mode: no + changed_when: no + when: openshift_logging_mux_allow_external + +- name: Generating logging-mux service for intra-cluster connections + template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-mux-svc.yaml + vars: + obj_name: logging-mux + ports: + - {port: "{{openshift_logging_mux_port}}", targetPort: mux-forward, name: mux-forward} + labels: + logging-infra: support + selector: + provider: openshift + component: mux + check_mode: no + changed_when: no + when: openshift_logging_use_mux and not openshift_logging_mux_allow_external diff --git a/roles/openshift_logging/tasks/install_elasticsearch.yaml b/roles/openshift_logging/tasks/install_elasticsearch.yaml index 28fad420b..b80f37892 100644 --- a/roles/openshift_logging/tasks/install_elasticsearch.yaml +++ b/roles/openshift_logging/tasks/install_elasticsearch.yaml 
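Review bot: `externalIPs` is taken from `ansible_eth0.ipv4.address`, which fails with an undefined-variable error on hosts whose primary interface is not named eth0 (ens*, bond*, br*) and otherwise publishes the listener on whichever host this task happens to run on rather than an operator-chosen address; use `ansible_default_ipv4.address` or, better, an explicit `openshift_logging_mux_external_address` default. Once an external IP is set, port `{{openshift_logging_mux_port}}` is reachable from outside the cluster and nothing in this role restricts the source, so the secure_forward TLS certificate and `shared_key` are the only access control — say so on the task: `# externally reachable: secure_forward TLS + shared_key is the sole auth layer`. The first task's `when` also omits `openshift_logging_use_mux`, so `allow_external: true` with `use_mux: false` writes a Service that selects no pods.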
@@ -5,60 +5,47 @@ - set_fact: openshift_logging_es_pvc_prefix="logging-es" when: "not openshift_logging_es_pvc_prefix or openshift_logging_es_pvc_prefix == ''" -- set_fact: es_pvc_pool={{[]}} - -- set_fact: openshift_logging_es_pvc_prefix="{{ openshift_logging_es_pvc_prefix | default('logging-es') }}" - -- name: Generate PersistentVolumeClaims - include: "{{ role_path}}/tasks/generate_pvcs.yaml" +### evaluate if the PVC attached to the dc currently matches the provided vars +## if it does then we reuse that pvc in the DC +- include: set_es_storage.yaml vars: - es_pv_selector: "{{openshift_logging_es_pv_selector}}" - es_pvc_dynamic: "{{openshift_logging_es_pvc_dynamic | bool}}" - es_pvc_names: "{{openshift_logging_facts.elasticsearch.pvcs.keys()}}" - es_pvc_prefix: "{{openshift_logging_es_pvc_prefix}}" - es_pvc_size: "{{openshift_logging_es_pvc_size}}" - es_dc_names: "{{openshift_logging_facts.elasticsearch.deploymentconfigs.keys()}}" - es_cluster_size: "{{openshift_logging_es_cluster_size}}" - es_access_modes: "{{ openshift_logging_storage_access_modes }}" - -# we should initialize the es_dc_pool with the current keys -- name: Init pool of DeploymentConfig names for Elasticsearch - set_fact: es_dc_pool={{ es_dc_pool | default([]) + [deploy_name] }} - with_items: "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() }}" + es_component: es + es_name: "{{ deployment.0 }}" + es_spec: "{{ deployment.1 }}" + es_node_selector: "{{ openshift_logging_es_nodeselector | default({}) }}" + es_pvc_names: "{{ openshift_logging_facts.elasticsearch.pvcs.keys() }}" + es_pvc_size: "{{ openshift_logging_es_pvc_size }}" + es_pvc_prefix: "{{ openshift_logging_es_pvc_prefix }}" + es_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic | bool }}" + es_pv_selector: "{{ openshift_logging_es_pv_selector }}" + es_cpu_limit: "{{ openshift_logging_es_cpu_limit }}" + es_memory_limit: "{{ openshift_logging_es_memory_limit }}" + es_number_of_shards: "{{ 
openshift_logging_es_number_of_shards }}" + es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas }}" + with_together: + - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() }}" + - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() }}" loop_control: - loop_var: deploy_name + loop_var: deployment +## if it does not then we should create one that does and attach it -# This should be used to generate new DC names if necessary -- name: Create new DeploymentConfig names for Elasticsearch - set_fact: es_dc_pool={{es_dc_pool|default([]) + [deploy_name]}} +## create new dc/pvc is needed +- include: set_es_storage.yaml vars: - component: es - es_cluster_name: "{{component}}" - deploy_name_prefix: "logging-{{component}}" - deploy_name: "{{deploy_name_prefix}}-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}" - with_sequence: count={{ openshift_logging_es_cluster_size | int - openshift_logging_current_es_size | int }} - check_mode: no - -- name: Generate Elasticsearch DeploymentConfig - template: src=es.j2 dest={{mktemp.stdout}}/templates/logging-{{deploy_name}}-dc.yaml - vars: - component: es - logging_component: elasticsearch - deploy_name_prefix: "logging-{{component}}" - image: "{{openshift_logging_image_prefix}}logging-elasticsearch:{{openshift_logging_image_version}}" - es_cluster_name: "{{component}}" - es_cpu_limit: "{{openshift_logging_es_cpu_limit }}" - es_memory_limit: "{{openshift_logging_es_memory_limit}}" - pvc_claim: "{{(es_pvc_pool | length > item.0) | ternary(es_pvc_pool[item.0], None)}}" - deploy_name: "{{item.1}}" - es_node_selector: "{{openshift_logging_es_nodeselector | default({}) }}" - es_storage: "{{openshift_logging_facts|es_storage(deploy_name, pvc_claim)}}" + es_component: es + es_name: "logging-es-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}" + es_spec: "{}" + es_node_selector: "{{ openshift_logging_es_nodeselector | default({}) }}" + es_pvc_names: "{{ 
openshift_logging_facts.elasticsearch.pvcs.keys() }}" + es_pvc_size: "{{ openshift_logging_es_pvc_size }}" + es_pvc_prefix: "{{ openshift_logging_es_pvc_prefix }}" + es_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic | bool }}" + es_pv_selector: "{{ openshift_logging_es_pv_selector }}" + es_cpu_limit: "{{ openshift_logging_es_cpu_limit }}" + es_memory_limit: "{{ openshift_logging_es_memory_limit }}" es_number_of_shards: "{{ openshift_logging_es_number_of_shards }}" es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas }}" - with_indexed_items: - - "{{ es_dc_pool }}" - check_mode: no - changed_when: no + with_sequence: count={{ openshift_logging_es_cluster_size | int - openshift_logging_facts.elasticsearch.deploymentconfigs | count }} # --------- Tasks for Operation clusters --------- 
@@ -73,74 +60,53 @@ es_dcs: "{{openshift_logging_facts.elasticsearch_ops.deploymentconfigs}}" cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}" when: - - openshift_logging_use_ops | bool - - "{{es_dcs | length - openshift_logging_es_ops_cluster_size|int | abs > 1}}" + - openshift_logging_use_ops | bool + - "{{es_dcs | length - openshift_logging_es_ops_cluster_size|int | abs > 1}}" check_mode: no - set_fact: openshift_logging_es_ops_pvc_prefix="logging-es-ops" when: "not openshift_logging_es_ops_pvc_prefix or openshift_logging_es_ops_pvc_prefix == ''" -- set_fact: es_pvc_pool={{[]}} - -- name: Generate PersistentVolumeClaims for Ops - include: "{{ role_path}}/tasks/generate_pvcs.yaml" +- include: set_es_storage.yaml vars: - es_pvc_names: "{{openshift_logging_facts.elasticsearch_ops.pvcs.keys()}}" - es_dc_names: "{{openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys()}}" - es_pvc_size: "{{openshift_logging_es_ops_pvc_size}}" - es_pvc_prefix: "{{openshift_logging_es_ops_pvc_prefix}}" - es_cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}" - es_pvc_dynamic: "{{openshift_logging_es_ops_pvc_dynamic | bool}}" - es_pv_selector: "{{openshift_logging_es_ops_pv_selector}}" - es_access_modes: "{{ openshift_logging_storage_access_modes }}" - when: - - openshift_logging_use_ops | bool - check_mode: no - -- name: Init pool of DeploymentConfig names for Elasticsearch Ops - set_fact: es_ops_dc_pool={{ es_ops_dc_pool | default([]) + [deploy_name] }} - with_items: "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() }}" + es_component: es-ops + es_name: "{{ deployment.0 }}" + es_spec: "{{ deployment.1 }}" + es_node_selector: "{{ openshift_logging_es_ops_nodeselector | default({}) }}" + es_pvc_names: "{{ openshift_logging_facts.elasticsearch_ops.pvcs.keys() }}" + es_pvc_size: "{{ openshift_logging_es_ops_pvc_size }}" + es_pvc_prefix: "{{ openshift_logging_es_ops_pvc_prefix }}" + es_pvc_dynamic: "{{ 
openshift_logging_es_ops_pvc_dynamic | bool }}" + es_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}" + es_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}" + es_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}" + es_number_of_shards: "{{ openshift_logging_es_ops_number_of_shards }}" + es_number_of_replicas: "{{ openshift_logging_es_ops_number_of_replicas }}" + with_together: + - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() }}" + - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.values() }}" loop_control: - loop_var: deploy_name - when: - - openshift_logging_use_ops | bool - -- name: Create new DeploymentConfig names for Elasticsearch Ops - set_fact: es_ops_dc_pool={{es_ops_dc_pool | default([]) + [deploy_name]}} - vars: - component: es-ops - es_cluster_name: "{{component}}" - deploy_name_prefix: "logging-{{component}}" - deploy_name: "{{deploy_name_prefix}}-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}" - cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}" - with_sequence: count={{ openshift_logging_es_ops_cluster_size | int - openshift_logging_current_es_ops_size | int }} + loop_var: deployment when: - - openshift_logging_use_ops | bool - check_mode: no + - openshift_logging_use_ops | bool +## if it does not then we should create one that does and attach it -- name: Generate Elasticsearch DeploymentConfig for Ops - template: src=es.j2 dest={{mktemp.stdout}}/templates/logging-{{deploy_name}}-dc.yaml +## create new dc/pvc is needed +- include: set_es_storage.yaml vars: - component: es-ops - logging_component: elasticsearch - deploy_name_prefix: "logging-{{component}}" - image: "{{openshift_logging_image_prefix}}logging-elasticsearch:{{openshift_logging_image_version}}" - pvc_claim: "{{(es_pvc_pool | length > item.0) | ternary(es_pvc_pool[item.0], None)}}" - deploy_name: "{{item.1}}" - es_cluster_name: "{{component}}" - es_cpu_limit: "{{openshift_logging_es_ops_cpu_limit }}" - 
es_memory_limit: "{{openshift_logging_es_ops_memory_limit}}" - es_node_quorum: "{{es_ops_node_quorum}}" - es_recover_after_nodes: "{{es_ops_recover_after_nodes}}" - es_recover_expected_nodes: "{{es_ops_recover_expected_nodes}}" - openshift_logging_es_recover_after_time: "{{openshift_logging_es_ops_recover_after_time}}" - es_node_selector: "{{openshift_logging_es_ops_nodeselector | default({}) }}" - es_storage: "{{openshift_logging_facts|es_storage(deploy_name, pvc_claim,root='elasticsearch_ops')}}" + es_component: es-ops + es_name: "logging-es-ops-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}" + es_spec: "{}" + es_node_selector: "{{ openshift_logging_es_ops_nodeselector | default({}) }}" + es_pvc_names: "{{ openshift_logging_facts.elasticsearch_ops.pvcs.keys() }}" + es_pvc_size: "{{ openshift_logging_es_ops_pvc_size }}" + es_pvc_prefix: "{{ openshift_logging_es_ops_pvc_prefix }}" + es_pvc_dynamic: "{{ openshift_logging_es_ops_pvc_dynamic | bool }}" + es_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}" + es_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}" + es_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}" es_number_of_shards: "{{ openshift_logging_es_ops_number_of_shards }}" es_number_of_replicas: "{{ openshift_logging_es_ops_number_of_replicas }}" - with_indexed_items: - - "{{ es_ops_dc_pool | default([]) }}" + with_sequence: count={{ openshift_logging_es_ops_cluster_size | int - openshift_logging_facts.elasticsearch_ops.deploymentconfigs | count }} when: - - openshift_logging_use_ops | bool - check_mode: no - changed_when: no + - openshift_logging_use_ops | bool diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index 83b68fa77..aec455c22 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml 
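Review bot: The re-indented `when` keeps `es_dcs | length - openshift_logging_es_ops_cluster_size|int | abs > 1`, where `| abs` binds to `openshift_logging_es_ops_cluster_size|int` alone (filters bind tighter than `-`), so the test is effectively `len(dcs) - size > 1` and never fires when the requested ops cluster is larger than what exists; it should read `(es_dcs | length - openshift_logging_es_ops_cluster_size | int) | abs > 1`. The task this clause belongs to begins above the hunk, so I cannot see its name or what it does on match. The `{{ }}` around a `when:` expression is also redundant and triggers an Ansible warning.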
@@ -27,6 +27,10 @@ loop_control: loop_var: install_component +- name: Install logging mux + include: "{{ role_path }}/tasks/install_mux.yaml" + when: openshift_logging_use_mux + - find: paths={{ mktemp.stdout }}/templates patterns=*.yaml register: object_def_files changed_when: no diff --git a/roles/openshift_logging/tasks/install_mux.yaml b/roles/openshift_logging/tasks/install_mux.yaml new file mode 100644 index 000000000..296da626f --- /dev/null +++ b/roles/openshift_logging/tasks/install_mux.yaml 
@@ -0,0 +1,67 @@
+---
+- set_fact: mux_ops_host={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}
+  check_mode: no
+
+- set_fact: mux_ops_port={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}
+  check_mode: no
+
+- name: Check mux current replica count
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-mux
+    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
+  register: mux_replica_count
+  when: not ansible_check_mode
+  ignore_errors: yes
+  changed_when: no
+
+- name: Generating mux deploymentconfig
+  template: src=mux.j2 dest={{mktemp.stdout}}/templates/logging-mux-dc.yaml
+  vars:
+    component: mux
+    logging_component: mux
+    deploy_name: "logging-{{component}}"
+    image: "{{openshift_logging_image_prefix}}logging-fluentd:{{openshift_logging_image_version}}"
+    es_host: logging-es
+    es_port: "{{openshift_logging_es_port}}"
+    ops_host: "{{ mux_ops_host }}"
+    ops_port: "{{ mux_ops_port }}"
+    mux_cpu_limit: "{{openshift_logging_mux_cpu_limit}}"
+    mux_memory_limit: "{{openshift_logging_mux_memory_limit}}"
+    replicas: "{{mux_replica_count.stdout | default (0)}}"
+    mux_node_selector: "{{openshift_logging_mux_nodeselector | default({})}}"
+  check_mode: no
+  changed_when: no
+
+- name: "Check mux hostmount-anyuid permissions"
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    get scc/hostmount-anyuid -o jsonpath='{.users}'
+  register: mux_hostmount_anyuid
+  check_mode: no
+  changed_when: no
+
+- name: "Set hostmount-anyuid permissions for mux"
+  command: >
+    {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
+    add-scc-to-user hostmount-anyuid system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
+  register: mux_output
+  failed_when: "mux_output.rc == 1 and 'exists' not in mux_output.stderr"
+  check_mode: no
+  when: mux_hostmount_anyuid.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1
+
+- name: "Check mux cluster-reader permissions"
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    get clusterrolebinding/cluster-readers -o jsonpath='{.userNames}'
+  register: mux_cluster_reader
+  check_mode: no
+  changed_when: no
+
+- name: "Set cluster-reader permissions for mux"
+  command: >
+    {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
+    add-cluster-role-to-user cluster-reader system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
+  register: mux2_output
+  failed_when: "mux2_output.rc == 1 and 'exists' not in mux2_output.stderr"
+  check_mode: no
+  when: mux_cluster_reader.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1
diff --git a/roles/openshift_logging/tasks/oc_apply.yaml b/roles/openshift_logging/tasks/oc_apply.yaml
index cb9509de1..c4db7d033 100644
--- a/roles/openshift_logging/tasks/oc_apply.yaml
+++ b/roles/openshift_logging/tasks/oc_apply.yaml
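Review bot: In install_mux.yaml the two "for mux" permission tasks grant `hostmount-anyuid` and `cluster-reader` to `system:serviceaccount:<ns>:aggregated-logging-fluentd`; mux is a network-facing aggregator that accepts secure_forward traffic (from outside the cluster when `openshift_logging_mux_allow_external` is set), so if `mux.j2` runs it under that same service account — the template is not visible in this diff — it inherits host-mount and cluster-wide read rights it does not need to forward to Elasticsearch. Give mux its own `aggregated-logging-mux` service account and grant only what the listener requires, and say so in a comment on each task. Separately, `replicas: "{{mux_replica_count.stdout | default (0)}}"` renders an empty value when `oc get dc/logging-mux` fails, because the task is `ignore_errors` and `stdout` is then defined but empty; use `default(0, true)` so the DC always gets a numeric replica count.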
@@ -1,52 +1,52 @@ --- -- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}} - command: > - {{ openshift.common.client_binary }} - --config={{ kubeconfig }} - get {{file_content.kind}} {{file_content.metadata.name}} - -o jsonpath='{.metadata.resourceVersion}' - -n {{namespace}} - register: generation_init - failed_when: "'not found' not in generation_init.stderr and generation_init.stdout == ''" - changed_when: no +- oc_obj: + kind: "{{ file_content.kind }}" + name: "{{ file_content.metadata.name }}" + state: present + namespace: "{{ namespace }}" + files: + - "{{ file_name }}" + when: file_content.kind != "Service" -- name: Applying {{file_name}} - command: > - {{ openshift.common.client_binary }} --config={{ kubeconfig }} - apply -f {{ file_name }} - -n {{ namespace }} - register: generation_apply - failed_when: "'error' in generation_apply.stderr" - changed_when: no +## still need to do this for services until the template logic is replaced by oc_* +- block: + - name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}} + command: > + {{ openshift.common.client_binary }} + --config={{ kubeconfig }} + get {{file_content.kind}} {{file_content.metadata.name}} + -o jsonpath='{.metadata.resourceVersion}' + -n {{namespace}} + register: generation_init + failed_when: "'not found' not in generation_init.stderr and generation_init.stdout == ''" + changed_when: no -- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}} - command: > - {{ openshift.common.client_binary }} --config={{ kubeconfig }} - get {{file_content.kind}} {{file_content.metadata.name}} - -o jsonpath='{.metadata.resourceVersion}' - -n {{namespace}} - register: generation_changed - failed_when: "'not found' not in generation_changed.stderr and generation_changed.stdout == ''" - changed_when: generation_changed.stdout | default (0) | int > generation_init.stdout | default(0) | int - when: - - "'field is immutable' not in 
generation_apply.stderr" + - name: Applying {{file_name}} + command: > + {{ openshift.common.client_binary }} --config={{ kubeconfig }} + apply -f {{ file_name }} + -n {{ namespace }} + register: generation_apply + failed_when: "'error' in generation_apply.stderr" + changed_when: no -- name: Removing previous {{file_name}} - command: > - {{ openshift.common.client_binary }} --config={{ kubeconfig }} - delete -f {{ file_name }} - -n {{ namespace }} - register: generation_delete - failed_when: "'error' in generation_delete.stderr" - changed_when: generation_delete.rc == 0 - when: "'field is immutable' in generation_apply.stderr" + - name: Removing previous {{file_name}} + command: > + {{ openshift.common.client_binary }} --config={{ kubeconfig }} + delete -f {{ file_name }} + -n {{ namespace }} + register: generation_delete + failed_when: "'error' in generation_delete.stderr" + changed_when: generation_delete.rc == 0 + when: "'field is immutable' in generation_apply.stderr" -- name: Recreating {{file_name}} - command: > - {{ openshift.common.client_binary }} --config={{ kubeconfig }} - apply -f {{ file_name }} - -n {{ namespace }} - register: generation_apply - failed_when: "'error' in generation_apply.stderr" - changed_when: generation_apply.rc == 0 - when: "'field is immutable' in generation_apply.stderr" + - name: Recreating {{file_name}} + command: > + {{ openshift.common.client_binary }} --config={{ kubeconfig }} + apply -f {{ file_name }} + -n {{ namespace }} + register: generation_apply + failed_when: "'error' in generation_apply.stderr" + changed_when: generation_apply.rc == 0 + when: "'field is immutable' in generation_apply.stderr" + when: file_content.kind == "Service" diff --git a/roles/openshift_logging/tasks/procure_shared_key.yaml b/roles/openshift_logging/tasks/procure_shared_key.yaml new file mode 100644 index 000000000..056ff6b98 --- /dev/null +++ b/roles/openshift_logging/tasks/procure_shared_key.yaml 
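Review bot: The `oc_obj` call that replaces `oc apply` for non-Service kinds drops the `--config={{ kubeconfig }}` the old command passed, so the module falls back to its own default kubeconfig instead of the admin kubeconfig this role stages under `{{ mktemp.stdout }}`; add `kubeconfig: "{{ kubeconfig }}"` to the `oc_obj` task (parameter name per the lib_openshift modules — verify against the module's argspec). The `## still need to do this for services …` comment should state what blocks Services from using the module path, e.g. `# Services keep the apply/delete/recreate dance because immutable clusterIP/externalIPs changes need delete+recreate, which oc_obj does not do yet`, so the remaining shell path is removed when that is no longer true.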
@@ -0,0 +1,25 @@
+---
+- name: Checking for {{ shared_key_info.procure_component }}_shared_key
+  stat: path="{{generated_certs_dir}}/{{ shared_key_info.procure_component }}_shared_key"
+  register: component_shared_key_file
+  check_mode: no
+
+- name: Trying to discover shared key variable name for {{ shared_key_info.procure_component }}
+  set_fact: procure_component_shared_key={{ lookup('env', '{{shared_key_info.procure_component}}' + '_shared_key') }}
+  when:
+    - shared_key_info[ shared_key_info.procure_component + '_shared_key' ] is defined
+  check_mode: no
+
+- name: Creating shared_key for {{ shared_key_info.procure_component }}
+  copy: content="{{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}"
+        dest="{{generated_certs_dir}}/{{shared_key_info.procure_component}}_shared_key"
+  check_mode: no
+  when:
+    - not component_shared_key_file.stat.exists
+
+- name: Copying shared key for {{ shared_key_info.procure_component }} to generated certs directory
+  copy: content="{{procure_component_shared_key}}" dest="{{generated_certs_dir}}/{{shared_key_info.procure_component}}_shared_key"
+  check_mode: no
+  when:
+    - shared_key_info[ shared_key_info.procure_component + '_shared_key' ] is defined
+    - not component_shared_key_file.stat.exists
diff --git a/roles/openshift_logging/tasks/set_es_storage.yaml b/roles/openshift_logging/tasks/set_es_storage.yaml
new file mode 100644
index 000000000..198b1d04d
--- /dev/null
+++ b/roles/openshift_logging/tasks/set_es_storage.yaml
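Review bot: Both `copy` tasks write the secure_forward authentication secret to `generated_certs_dir` without a `mode:`, so it is created with the default (typically 0644) permissions; add `mode: "0600"` to each. The "discover" task can never run: its `when` tests `shared_key_info[... + '_shared_key']`, but the only caller (generate_certs.yaml) passes `shared_key_info` as `{procure_component: mux}`, so `procure_component_shared_key` is never set and the user-supplied-key path below is dead; it also nests `{{ }}` inside a Jinja expression, which should be `lookup('env', shared_key_info.procure_component ~ '_shared_key')`, and reading a secret from the environment deserves a comment naming the variable it expects (`# honours MUX_SHARED_KEY-style env var <component>_shared_key`). `random_word(64)` is a role filter whose randomness source is not visible here — confirm it draws from `random.SystemRandom`/`os.urandom` rather than the default `random` module before relying on it for an authentication key.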
@@ -0,0 +1,82 @@ +--- +- set_fact: es_storage_type="{{ es_spec.volumes['elasticsearch-storage'] }}" + when: es_spec.volumes is defined + +- set_fact: es_storage_claim="{{ es_spec.volumes['elasticsearch-storage'].persistentVolumeClaim.claimName }}" + when: + - es_spec.volumes is defined + - es_storage_type.persistentVolumeClaim is defined + +- set_fact: es_storage_claim="" + when: + - not es_spec.volumes is defined or not es_storage_type.persistentVolumeClaim is defined + +## take an ES dc and evaluate its storage option +# if it is a hostmount or emptydir we don't do anything with it +# if its a pvc we see if the corresponding pvc matches the provided specs (if they exist) +- oc_obj: + state: list + kind: pvc + name: "{{ es_storage_claim }}" + namespace: "{{ openshift_logging_namespace }}" + register: pvc_spec + failed_when: pvc_spec.results.stderr is defined + when: + - es_spec.volumes is defined + - es_storage_type.persistentVolumeClaim is defined + +- set_fact: pvc_size="{{ pvc_spec.results.results[0].spec.resources.requests.storage }}" + when: + - pvc_spec.results is defined + - pvc_spec.results.results[0].spec is defined + +# if not create the pvc and use it +- block: + + - name: Generating PersistentVolumeClaims + template: src=pvc.j2 dest={{mktemp.stdout}}/templates/logging-{{obj_name}}-pvc.yaml + vars: + obj_name: "{{ es_pvc_prefix }}-{{ es_pvc_names | count }}" + size: "{{ es_pvc_size }}" + access_modes: "{{ openshift_logging_storage_access_modes }}" + pv_selector: "{{ es_pv_selector }}" + when: not es_pvc_dynamic | bool + check_mode: no + changed_when: no + + - name: Generating PersistentVolumeClaims - Dynamic + template: src=pvc.j2 dest={{mktemp.stdout}}/templates/logging-{{obj_name}}-pvc.yaml + vars: + obj_name: "{{ es_pvc_prefix }}-{{ es_pvc_names | count }}" + annotations: + volume.alpha.kubernetes.io/storage-class: "dynamic" + size: "{{ es_pvc_size }}" + access_modes: "{{ openshift_logging_storage_access_modes }}" + pv_selector: "{{ es_pv_selector 
}}" + when: es_pvc_dynamic | bool + check_mode: no + changed_when: no + + - set_fact: es_storage_claim="{{ es_pvc_prefix }}-{{ es_pvc_names | count }}" + + when: + - es_pvc_size | search('^\d.*') + - not es_spec.volumes is defined or not es_storage_claim | search( es_pvc_prefix ) or ( not pvc_size | search( es_pvc_size ) and not es_pvc_size | search( pvc_size ) ) + +- name: Generate Elasticsearch DeploymentConfig + template: src=es.j2 dest={{mktemp.stdout}}/templates/logging-{{deploy_name}}-dc.yaml + vars: + component: "{{ es_component }}" + deploy_name: "{{ es_name }}" + logging_component: elasticsearch + deploy_name_prefix: "logging-{{ es_component }}" + image: "{{openshift_logging_image_prefix}}logging-elasticsearch:{{openshift_logging_image_version}}" + es_cluster_name: "{{component}}" + es_cpu_limit: "{{ es_cpu_limit }}" + es_memory_limit: "{{ es_memory_limit }}" + es_node_selector: "{{ es_node_selector }}" + es_storage: "{{ openshift_logging_facts | es_storage( es_name, es_storage_claim ) }}" + es_number_of_shards: "{{ es_number_of_shards }}" + es_number_of_replicas: "{{ es_number_of_replicas }}" + check_mode: no + changed_when: no diff --git a/roles/openshift_logging/tasks/start_cluster.yaml b/roles/openshift_logging/tasks/start_cluster.yaml index edbb62c3e..1042b3daa 100644 --- a/roles/openshift_logging/tasks/start_cluster.yaml +++ b/roles/openshift_logging/tasks/start_cluster.yaml 
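Review bot: New PVCs are named `{{ es_pvc_prefix }}-{{ es_pvc_names | count }}`, and `es_pvc_names` is passed in from `openshift_logging_facts`, which install_elasticsearch.yaml does not refresh between the repeated includes it issues via `with_sequence`; unless those facts are re-gathered per iteration, every new DC created in one run is rendered against the same PVC name and the DCs end up sharing one claim. Pass an explicit offset into the include (the `with_sequence` item) and name the claim `{{ es_pvc_prefix }}-{{ (es_pvc_names | count) + (item | int) - 1 }}` — the included file should document that contract in a header comment. The storage class annotation `volume.alpha.kubernetes.io/storage-class: "dynamic"` also hard-codes a class name (and an alpha annotation); expose it as a role default so operators can select their own class.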
@@ -21,6 +21,26 @@ loop_control: loop_var: fluentd_host +- name: Retrieve mux + oc_obj: + state: list + kind: dc + selector: "component=mux" + namespace: "{{openshift_logging_namespace}}" + register: mux_dc + when: openshift_logging_use_mux + +- name: start mux + oc_scale: + kind: dc + name: "{{ object }}" + namespace: "{{openshift_logging_namespace}}" + replicas: "{{ openshift_logging_mux_replica_count | default (1) }}" + with_items: "{{ mux_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" + loop_control: + loop_var: object + when: openshift_logging_use_mux + - name: Retrieve elasticsearch oc_obj: state: list diff --git a/roles/openshift_logging/tasks/stop_cluster.yaml b/roles/openshift_logging/tasks/stop_cluster.yaml index 4b3722e29..d20c57cc1 100644 --- a/roles/openshift_logging/tasks/stop_cluster.yaml +++ b/roles/openshift_logging/tasks/stop_cluster.yaml @@ -21,6 +21,26 @@ loop_control: loop_var: fluentd_host +- name: Retrieve mux + oc_obj: + state: list + kind: dc + selector: "component=mux" + namespace: "{{openshift_logging_namespace}}" + register: mux_dc + when: openshift_logging_use_mux + +- name: stop mux + oc_scale: + kind: dc + name: "{{ object }}" + namespace: "{{openshift_logging_namespace}}" + replicas: 0 + with_items: "{{ mux_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" + loop_control: + loop_var: object + when: openshift_logging_use_mux + - name: Retrieve elasticsearch oc_obj: state: list diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2 index a0fefd882..c6284166b 100644 --- a/roles/openshift_logging/templates/curator.j2 +++ b/roles/openshift_logging/templates/curator.j2 @@ -89,9 +89,6 @@ spec: - name: config mountPath: /etc/curator/settings readOnly: true - - name: elasticsearch-storage - mountPath: /elasticsearch/persistent - readOnly: true volumes: - name: certs secret: 
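Review bot: The `with_items` of the "start mux" task dereferences `mux_dc.results.results[0]['items']`, but when `openshift_logging_use_mux` is false the "Retrieve mux" task is skipped and the registered variable carries no `results`; Ansible evaluates a task's loop before its per-item `when`, so the play fails on the undefined attribute instead of skipping. Guard the loop expression: `with_items: "{{ (mux_dc.results.results[0]['items'] | default([])) | map(attribute='metadata.name') | list }}"`. The "stop mux" task in the stop_cluster.yaml hunk has the same defect. Since `openshift_logging_use_mux` is defined as a templated string in defaults/main.yml, `when: openshift_logging_use_mux | bool` would also match the `| bool` filters the fluentd.j2 hunks use for the client flag.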
@@ -99,5 +96,3 @@ spec: - name: config configMap: name: logging-curator - - name: elasticsearch-storage - emptyDir: {} diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2 index 0bf1686ad..d13691259 100644 --- a/roles/openshift_logging/templates/fluentd.j2 +++ b/roles/openshift_logging/templates/fluentd.j2 @@ -59,6 +59,11 @@ spec: - name: dockercfg mountPath: /etc/sysconfig/docker readOnly: true +{% if openshift_logging_use_mux_client | bool %} + - name: muxcerts + mountPath: /etc/fluent/muxkeys + readOnly: true +{% endif %} env: - name: "K8S_HOST_URL" value: "{{openshift_logging_master_url}}" @@ -122,6 +127,8 @@ spec: value: "{{openshift_logging_fluentd_journal_source | default('')}}" - name: "JOURNAL_READ_FROM_HEAD" value: "{{openshift_logging_fluentd_journal_read_from_head|lower}}" + - name: "USE_MUX_CLIENT" + value: "{{openshift_logging_use_mux_client| default('false')}}" volumes: - name: runlogjournal hostPath: @@ -147,3 +154,8 @@ spec: - name: dockercfg hostPath: path: /etc/sysconfig/docker +{% if openshift_logging_use_mux_client | bool %} + - name: muxcerts + secret: + secretName: logging-mux +{% endif %} diff --git a/roles/openshift_logging/templates/mux.j2 b/roles/openshift_logging/templates/mux.j2 new file mode 100644 index 000000000..41e6abd52 --- /dev/null +++ b/roles/openshift_logging/templates/mux.j2 
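Review bot: USE_MUX_CLIENT is rendered with `default('false')`, but its default in defaults/main.yml is the boolean `False`, which Jinja renders as `False`, so the variable's two spellings differ by case; the neighbouring JOURNAL_READ_FROM_HEAD line normalises with `|lower`. `value: "{{ openshift_logging_use_mux_client | default('false') | lower }}"` keeps the rendered value consistent. Whether the image's startup script compares case-insensitively is not visible in this diff. MUX_ALLOW_EXTERNAL in mux.j2 is built the same way from a `False` default and would benefit from the same `| lower`.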
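Review bot: The fluentd node agent now mounts the `logging-mux` secret at /etc/fluent/muxkeys, which is the same secret the mux DeploymentConfig in mux.j2 mounts for its secure_forward listener. If that secret also carries the listener's server certificate and private key (its contents are not part of this diff), every node's fluentd pod receives the server key, which is wider distribution than a client needs; a separate secret holding only the CA and the client certificate would keep the server key confined to the mux pods. At minimum a comment above the volume, `{# client side of the mux secure_forward connection: needs only the CA and a client cert #}`, records what the mount is expected to contain.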
@@ -0,0 +1,121 @@ +apiVersion: "v1" +kind: "DeploymentConfig" +metadata: + name: "{{deploy_name}}" + labels: + provider: openshift + component: "{{component}}" + logging-infra: "{{logging_component}}" +spec: + replicas: {{replicas|default(0)}} + selector: + provider: openshift + component: "{{component}}" + logging-infra: "{{logging_component}}" + strategy: + rollingParams: + intervalSeconds: 1 + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + name: "{{deploy_name}}" + labels: + logging-infra: "{{logging_component}}" + provider: openshift + component: "{{component}}" + spec: + serviceAccountName: aggregated-logging-fluentd +{% if mux_node_selector is iterable and mux_node_selector | length > 0 %} + nodeSelector: +{% for key, value in mux_node_selector.iteritems() %} + {{key}}: "{{value}}" +{% endfor %} +{% endif %} + containers: + - name: "mux" + image: {{image}} + imagePullPolicy: Always +{% if (mux_memory_limit is defined and mux_memory_limit is not none) or (mux_cpu_limit is defined and mux_cpu_limit is not none) %} + resources: + limits: +{% if mux_cpu_limit is not none %} + cpu: "{{mux_cpu_limit}}" +{% endif %} +{% if mux_memory_limit is not none %} + memory: "{{mux_memory_limit}}" +{% endif %} +{% endif %} + ports: + - containerPort: "{{ openshift_logging_mux_port }}" + name: mux-forward + volumeMounts: + - name: config + mountPath: /etc/fluent/configs.d/user + readOnly: true + - name: certs + mountPath: /etc/fluent/keys + readOnly: true + - name: dockerhostname + mountPath: /etc/docker-hostname + readOnly: true + - name: localtime + mountPath: /etc/localtime + readOnly: true + - name: muxcerts + mountPath: /etc/fluent/muxkeys + readOnly: true + env: + - name: "K8S_HOST_URL" + value: "{{openshift_logging_master_url}}" + - name: "ES_HOST" + value: "{{openshift_logging_es_host}}" + - name: "ES_PORT" + value: "{{openshift_logging_es_port}}" + - name: "ES_CLIENT_CERT" + value: "{{openshift_logging_es_client_cert}}" + - name: 
"ES_CLIENT_KEY" + value: "{{openshift_logging_es_client_key}}" + - name: "ES_CA" + value: "{{openshift_logging_es_ca}}" + - name: "OPS_HOST" + value: "{{ops_host}}" + - name: "OPS_PORT" + value: "{{ops_port}}" + - name: "OPS_CLIENT_CERT" + value: "{{openshift_logging_es_ops_client_cert}}" + - name: "OPS_CLIENT_KEY" + value: "{{openshift_logging_es_ops_client_key}}" + - name: "OPS_CA" + value: "{{openshift_logging_es_ops_ca}}" + - name: "USE_JOURNAL" + value: "false" + - name: "JOURNAL_SOURCE" + value: "{{openshift_logging_fluentd_journal_source | default('')}}" + - name: "JOURNAL_READ_FROM_HEAD" + value: "{{openshift_logging_fluentd_journal_read_from_head|lower}}" + - name: FORWARD_LISTEN_HOST + value: "{{ openshift_logging_mux_hostname }}" + - name: FORWARD_LISTEN_PORT + value: "{{ openshift_logging_mux_port }}" + - name: USE_MUX + value: "true" + - name: MUX_ALLOW_EXTERNAL + value: "{{ openshift_logging_mux_allow_external| default('false') }}" + volumes: + - name: config + configMap: + name: logging-mux + - name: certs + secret: + secretName: logging-fluentd + - name: dockerhostname + hostPath: + path: /etc/hostname + - name: localtime + hostPath: + path: /etc/localtime + - name: muxcerts + secret: + secretName: logging-mux diff --git a/roles/openshift_logging/templates/service.j2 b/roles/openshift_logging/templates/service.j2 index 6c4ec0c76..70644a39c 100644 --- a/roles/openshift_logging/templates/service.j2 +++ b/roles/openshift_logging/templates/service.j2 @@ -26,3 +26,9 @@ spec: {% for key, value in selector.iteritems() %} {{key}}: {{value}} {% endfor %} +{% if externalIPs is defined -%} + externalIPs: +{% for ip in externalIPs %} + - {{ ip }} +{% endfor %} +{% endif %} |