diff options
Diffstat (limited to 'roles/openshift_logging')
-rw-r--r-- | roles/openshift_logging/README.md | 3 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/generate_certs.yaml | 48 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/generate_jks.yaml | 27 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/install_curator.yaml | 2 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/install_elasticsearch.yaml | 2 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/install_kibana.yaml | 2 | ||||
-rw-r--r-- | roles/openshift_logging/tasks/label_node.yaml | 27 | ||||
-rw-r--r-- | roles/openshift_logging/templates/curator.j2 | 6 | ||||
-rw-r--r-- | roles/openshift_logging/templates/es.j2 | 6 | ||||
-rw-r--r-- | roles/openshift_logging/templates/kibana.j2 | 6 |
10 files changed, 61 insertions, 68 deletions
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 9b71dc676..856cfa2b9 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -35,6 +35,7 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log - `openshift_logging_curator_log_level`: The log level for the Curator process. Defaults to 'ERROR'. - `openshift_logging_curator_cpu_limit`: The amount of CPU to allocate to Curator. Default is '100m'. - `openshift_logging_curator_memory_limit`: The amount of memory to allocate to Curator. Unset if not specified. +- `openshift_logging_curator_nodeselector`: A map of labels (e.g. {"node":"infra","region":"west"} to select the nodes where the curator pod will land. - `openshift_logging_kibana_hostname`: The Kibana hostname. Defaults to 'kibana.example.com'. - `openshift_logging_kibana_cpu_limit`: The amount of CPU to allocate to Kibana or unset if not specified. @@ -43,6 +44,7 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log - `openshift_logging_kibana_proxy_cpu_limit`: The amount of CPU to allocate to Kibana proxy or unset if not specified. - `openshift_logging_kibana_proxy_memory_limit`: The amount of memory to allocate to Kibana proxy or unset if not specified. - `openshift_logging_kibana_replica_count`: The number of replicas Kibana should be scaled up to. Defaults to 1. +- `openshift_logging_kibana_nodeselector`: A map of labels (e.g. {"node":"infra","region":"west"} to select the nodes where the pod will land. - `openshift_logging_fluentd_nodeselector`: The node selector that the Fluentd daemonset uses to determine where to deploy to. Defaults to '"logging-infra-fluentd": "true"'. - `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'. @@ -67,6 +69,7 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log - `openshift_logging_es_pvc_prefix`: The prefix for the generated PVCs. Defaults to 'logging-es'. - `openshift_logging_es_recover_after_time`: The amount of time ES will wait before it tries to recover. Defaults to '5m'. - `openshift_logging_es_storage_group`: The storage group used for ES. Defaults to '65534'. +- `openshift_logging_es_nodeselector`: A map of labels (e.g. {"node":"infra","region":"west"} to select the nodes where the pod will land. When `openshift_logging_use_ops` is `True`, there are some additional vars. These work the same as above for their non-ops counterparts, but apply to the OPS cluster instance: diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index 20e50482e..740e490e1 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml @@ -88,56 +88,12 @@ - name: Creating necessary JKS certs include: generate_jks.yaml -# check for secret/logging-kibana-proxy -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get secret/logging-kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.data.oauth-secret}' - register: kibana_secret_oauth_check - ignore_errors: yes - changed_when: no - check_mode: no - -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get secret/logging-kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.data.session-secret}' - register: kibana_secret_session_check - ignore_errors: yes - changed_when: no - check_mode: no - -# check for oauthclient secret -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get oauthclient/kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.secret}' - register: oauth_secret_check - ignore_errors: yes - changed_when: no - check_mode: no - -# set or generate as needed +# TODO: make idempotent - name: Generate proxy session set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}} check_mode: no - when: - - kibana_secret_session_check.stdout is not defined or kibana_secret_session_check.stdout == '' - -- name: Generate proxy session - set_fact: session_secret={{kibana_secret_session_check.stdout | b64decode }} - check_mode: no - when: - - kibana_secret_session_check.stdout is defined - - kibana_secret_session_check.stdout != '' +# TODO: make idempotent - name: Generate oauth client secret set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}} check_mode: no - when: kibana_secret_oauth_check.stdout is not defined or kibana_secret_oauth_check.stdout == '' - or oauth_secret_check.stdout is not defined or oauth_secret_check.stdout == '' - or kibana_secret_oauth_check.stdout | b64decode != oauth_secret_check.stdout - -- name: Generate oauth client secret - set_fact: oauth_secret={{kibana_secret_oauth_check.stdout | b64decode}} - check_mode: no - when: - - kibana_secret_oauth_check is defined - - kibana_secret_oauth_check.stdout != '' - - oauth_secret_check.stdout is defined - - oauth_secret_check.stdout != '' - - kibana_secret_oauth_check.stdout | b64decode == oauth_secret_check.stdout diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml index adb6c2b2d..c6e2ccbc0 100644 --- a/roles/openshift_logging/tasks/generate_jks.yaml +++ b/roles/openshift_logging/tasks/generate_jks.yaml @@ -27,34 +27,22 @@ check_mode: no - name: Create placeholder for previously created JKS certs to prevent recreating... - file: - path: "{{local_tmp.stdout}}/elasticsearch.jks" - state: touch - mode: "u=rw,g=r,o=r" + local_action: file path="{{local_tmp.stdout}}/elasticsearch.jks" state=touch mode="u=rw,g=r,o=r" when: elasticsearch_jks.stat.exists changed_when: False - name: Create placeholder for previously created JKS certs to prevent recreating... - file: - path: "{{local_tmp.stdout}}/logging-es.jks" - state: touch - mode: "u=rw,g=r,o=r" + local_action: file path="{{local_tmp.stdout}}/logging-es.jks" state=touch mode="u=rw,g=r,o=r" when: logging_es_jks.stat.exists changed_when: False - name: Create placeholder for previously created JKS certs to prevent recreating... - file: - path: "{{local_tmp.stdout}}/system.admin.jks" - state: touch - mode: "u=rw,g=r,o=r" + local_action: file path="{{local_tmp.stdout}}/system.admin.jks" state=touch mode="u=rw,g=r,o=r" when: system_admin_jks.stat.exists changed_when: False - name: Create placeholder for previously created JKS certs to prevent recreating... - file: - path: "{{local_tmp.stdout}}/truststore.jks" - state: touch - mode: "u=rw,g=r,o=r" + local_action: file path="{{local_tmp.stdout}}/truststore.jks" state=touch mode="u=rw,g=r,o=r" when: truststore_jks.stat.exists changed_when: False @@ -69,15 +57,16 @@ - ca.serial.txt - ca.crl.srl - ca.db + when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists - local_action: template src=signing.conf.j2 dest={{local_tmp.stdout}}/signing.conf vars: - top_dir: "{{local_tmp.stdout}}" + when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists - name: Run JKS generation script local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}} check_mode: no - become: yes when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists - name: Pushing locally generated JKS certs to remote host... @@ -105,7 +94,5 @@ when: not truststore_jks.stat.exists - name: Cleaning up temp dir - file: - path: "{{local_tmp.stdout}}" - state: absent + local_action: file path="{{local_tmp.stdout}}" state=absent changed_when: False diff --git a/roles/openshift_logging/tasks/install_curator.yaml b/roles/openshift_logging/tasks/install_curator.yaml index 8f2825552..fcfce4e1e 100644 --- a/roles/openshift_logging/tasks/install_curator.yaml +++ b/roles/openshift_logging/tasks/install_curator.yaml @@ -31,6 +31,7 @@ curator_cpu_limit: "{{openshift_logging_curator_cpu_limit }}" curator_memory_limit: "{{openshift_logging_curator_memory_limit }}" replicas: "{{curator_replica_count.stdout | default (0)}}" + curator_node_selector: "{{openshift_logging_curator_nodeselector | default({}) }}" check_mode: no changed_when: no @@ -46,6 +47,7 @@ curator_cpu_limit: "{{openshift_logging_curator_ops_cpu_limit }}" curator_memory_limit: "{{openshift_logging_curator_ops_memory_limit }}" replicas: "{{curator_ops_replica_count.stdout | default (0)}}" + curator_node_selector: "{{openshift_logging_curator_ops_nodeselector | default({}) }}" when: openshift_logging_use_ops check_mode: no changed_when: no diff --git a/roles/openshift_logging/tasks/install_elasticsearch.yaml b/roles/openshift_logging/tasks/install_elasticsearch.yaml index fbba46a35..9b1c004f2 100644 --- a/roles/openshift_logging/tasks/install_elasticsearch.yaml +++ b/roles/openshift_logging/tasks/install_elasticsearch.yaml @@ -33,6 +33,7 @@ volume_names: "{{es_pvc_pool | default([])}}" pvc_claim: "{{(volume_names | length > item.0) | ternary(volume_names[item.0], None)}}" deploy_name: "{{item.1}}" + es_node_selector: "{{openshift_logging_es_nodeselector | default({})}}" with_indexed_items: - "{{es_dc_pool | default([])}}" check_mode: no @@ -98,6 +99,7 @@ es_recover_after_nodes: "{{es_ops_recover_after_nodes}}" es_recover_expected_nodes: "{{es_ops_recover_expected_nodes}}" openshift_logging_es_recover_after_time: "{{openshift_logging_es_ops_recover_after_time}}" + es_node_selector: "{{openshift_logging_es_ops_nodeselector | default({})}}" with_indexed_items: - "{{es_dc_pool_ops | default([])}}" when: diff --git a/roles/openshift_logging/tasks/install_kibana.yaml b/roles/openshift_logging/tasks/install_kibana.yaml index de4b018dd..f4df7de0c 100644 --- a/roles/openshift_logging/tasks/install_kibana.yaml +++ b/roles/openshift_logging/tasks/install_kibana.yaml @@ -35,6 +35,7 @@ kibana_proxy_cpu_limit: "{{openshift_logging_kibana_proxy_cpu_limit }}" kibana_proxy_memory_limit: "{{openshift_logging_kibana_proxy_memory_limit }}" replicas: "{{kibana_replica_count.stdout | default (0)}}" + kibana_node_selector: "{{openshift_logging_kibana_nodeselector | default({}) }}" check_mode: no changed_when: no @@ -53,6 +54,7 @@ kibana_proxy_cpu_limit: "{{openshift_logging_kibana_ops_proxy_cpu_limit }}" kibana_proxy_memory_limit: "{{openshift_logging_kibana_ops_proxy_memory_limit }}" replicas: "{{kibana_ops_replica_count.stdout | default (0)}}" + kibana_node_selector: "{{openshift_logging_kibana_ops_nodeselector | default({}) }}" when: openshift_logging_use_ops check_mode: no changed_when: no diff --git a/roles/openshift_logging/tasks/label_node.yaml b/roles/openshift_logging/tasks/label_node.yaml index aecb5d81b..bd5073381 100644 --- a/roles/openshift_logging/tasks/label_node.yaml +++ b/roles/openshift_logging/tasks/label_node.yaml @@ -1,11 +1,34 @@ --- - command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}} + -o jsonpath='{.metadata.labels}' + register: node_labels + when: not ansible_check_mode + changed_when: no + +- command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} + register: label_result + failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr + when: + - value is defined + - node_labels.stdout is defined + - label not in node_labels.stdout + - unlabel is not defined or not unlabel + - not ansible_check_mode + +- command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}} -o jsonpath='{.metadata.labels.{{ label }}}' register: label_value - failed_when: label_value.rc == 1 and 'exists' not in label_value.stderr - when: not ansible_check_mode + ignore_errors: yes changed_when: no + when: + - value is defined + - node_labels.stdout is defined + - label in node_labels.stdout + - unlabel is not defined or not unlabel + - not ansible_check_mode - command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} --overwrite diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2 index d3b5d33a2..de6258eaa 100644 --- a/roles/openshift_logging/templates/curator.j2 +++ b/roles/openshift_logging/templates/curator.j2 @@ -28,6 +28,12 @@ spec: spec: terminationGracePeriod: 600 serviceAccountName: aggregated-logging-curator +{% if curator_node_selector is iterable and curator_node_selector | length > 0 %} + nodeSelector: +{% for key, value in curator_node_selector.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} containers: - name: "curator" diff --git a/roles/openshift_logging/templates/es.j2 b/roles/openshift_logging/templates/es.j2 index 291589690..ec84c6b76 100644 --- a/roles/openshift_logging/templates/es.j2 +++ b/roles/openshift_logging/templates/es.j2 @@ -30,6 +30,12 @@ spec: securityContext: supplementalGroups: - {{openshift_logging_es_storage_group}} +{% if es_node_selector is iterable and es_node_selector | length > 0 %} + nodeSelector: +{% for key, value in es_node_selector.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} containers: - name: "elasticsearch" diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2 index 1ec97701a..b42f62850 100644 --- a/roles/openshift_logging/templates/kibana.j2 +++ b/roles/openshift_logging/templates/kibana.j2 @@ -27,6 +27,12 @@ spec: component: "{{component}}" spec: serviceAccountName: aggregated-logging-kibana +{% if kibana_node_selector is iterable and kibana_node_selector | length > 0 %} + nodeSelector: +{% for key, value in kibana_node_selector.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} containers: - name: "kibana" |