From 04c1500801f4d88635001bda1e4f73473fe8e33a Mon Sep 17 00:00:00 2001 
From: Jeff Cantrill Date: Tue, 29 Nov 2016 16:31:13 -0500 Subject: =?UTF-8?q?Bruno=20Barcarol=20Guimar=C3=A3es=20work=20to=20move=20?= =?UTF-8?q?metrics=20to=20ansible=20from=20deployer?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/openshift_metrics/README.md | 86 ++++++++ roles/openshift_metrics/defaults/main.yaml | 17 ++ roles/openshift_metrics/meta/main.yaml | 2 + roles/openshift_metrics/tasks/cleanup.yaml | 14 ++ .../tasks/generate_certificates.yaml | 233 +++++++++++++++++++++ .../tasks/generate_rolebindings.yaml | 30 +++ .../tasks/generate_serviceaccounts.yaml | 25 +++ .../openshift_metrics/tasks/generate_services.yaml | 43 ++++ .../openshift_metrics/tasks/install_hawkular.yaml | 57 +++++ .../openshift_metrics/tasks/install_heapster.yaml | 3 + roles/openshift_metrics/tasks/install_metrics.yaml | 17 ++ roles/openshift_metrics/tasks/main.yaml | 24 +++ .../openshift_metrics/tasks/setup_certificate.yaml | 50 +++++ .../templates/hawkular_cassandra_rc.j2 | 94 +++++++++ .../templates/hawkular_metrics_rc.j2 | 88 ++++++++ roles/openshift_metrics/templates/heapster.j2 | 66 ++++++ roles/openshift_metrics/templates/pvc.j2 | 27 +++ roles/openshift_metrics/templates/rolebinding.j2 | 23 ++ roles/openshift_metrics/templates/route.j2 | 23 ++ roles/openshift_metrics/templates/secret.j2 | 12 ++ roles/openshift_metrics/templates/service.j2 | 32 +++ .../openshift_metrics/templates/serviceaccount.j2 | 16 ++ roles/openshift_metrics/vars/main.yaml | 4 + 23 files changed, 986 insertions(+) create mode 100644 roles/openshift_metrics/README.md create mode 100644 roles/openshift_metrics/defaults/main.yaml create mode 100644 roles/openshift_metrics/meta/main.yaml create mode 100644 roles/openshift_metrics/tasks/cleanup.yaml create mode 100644 roles/openshift_metrics/tasks/generate_certificates.yaml create mode 100644 roles/openshift_metrics/tasks/generate_rolebindings.yaml create mode 100644 
roles/openshift_metrics/tasks/generate_serviceaccounts.yaml
create mode 100644 roles/openshift_metrics/tasks/generate_services.yaml
create mode 100644 roles/openshift_metrics/tasks/install_hawkular.yaml
create mode 100644 roles/openshift_metrics/tasks/install_heapster.yaml
create mode 100644 roles/openshift_metrics/tasks/install_metrics.yaml
create mode 100644 roles/openshift_metrics/tasks/main.yaml
create mode 100644 roles/openshift_metrics/tasks/setup_certificate.yaml
create mode 100644 roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
create mode 100644 roles/openshift_metrics/templates/hawkular_metrics_rc.j2
create mode 100644 roles/openshift_metrics/templates/heapster.j2
create mode 100644 roles/openshift_metrics/templates/pvc.j2
create mode 100644 roles/openshift_metrics/templates/rolebinding.j2
create mode 100644 roles/openshift_metrics/templates/route.j2
create mode 100644 roles/openshift_metrics/templates/secret.j2
create mode 100644 roles/openshift_metrics/templates/service.j2
create mode 100644 roles/openshift_metrics/templates/serviceaccount.j2
create mode 100644 roles/openshift_metrics/vars/main.yaml
(limited to 'roles')
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
new file mode 100644
index 000000000..ac5353886
--- /dev/null
+++ b/roles/openshift_metrics/README.md
@@ -0,0 +1,86 @@ +OpenShift Metrics with Hawkular +==================== + +OpenShift Metrics Installation + +Requirements +------------ + +The following variables need to be set and will be validated: + +- `metrics_hostname`: hostname used on the hawkular metrics route. + +- `metrics_project`: project (i.e. namespace) where the components will be + deployed. + + +Role Variables +-------------- + +For default values, see [`defaults/main.yaml`](defaults/main.yaml). + +- `image_prefix`: Specify prefix for metrics components; e.g for + "openshift/origin-metrics-deployer:v1.1", set prefix "openshift/origin-". + +- `image_version`: Specify version for metrics components; e.g. for + "openshift/origin-metrics-deployer:v1.1", set version "v1.1". + +- `master_url`: Internal URL for the master, for authentication retrieval. + +- `hawkular_user_write_access`: If user accounts should be able to write + metrics. Defaults to 'false' so that only Heapster can write metrics and not + individual users. It is recommended to disable user write access, if enabled + any user will be able to write metrics to the system which can affect + performance and use Cassandra disk usage to unpredictably increase. + +- `hawkular_cassandra_nodes`: The number of Cassandra Nodes to deploy for the + initial cluster. + +- `hawkular_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for + testing), `pv` to use persistent volumes (which need to be created before the + installation) or `dynamic` for dynamic persistent volumes. + +- `hawkular_cassandra_pv_prefix`: The name of persistent volume claims created + for cassandra will be this with a serial number appended to the end, starting + from 1. + +- `hawkular_cassandra_pv_size`: The persistent volume size for each of the + Cassandra nodes. + +- `heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and + Cassandra components. + +- `heapster_allowed_users`: A comma-separated list of CN to accept. 
By
+ default, this is set to allow the OpenShift service proxy to connect. If you
+ override this, make sure to add `system:master-proxy` to the list in order to
+ allow horizontal pod autoscaling to function properly.
+
+- `metrics_duration`: How many days metrics should be stored for.
+
+- `metrics_resolution`: How often metrics should be gathered.
+
+
+Dependencies
+------------
+openshift_facts
+
+
+Example Playbook
+----------------
+
+```
+- name: Configure openshift-metrics
+ hosts: oo_first_master
+ roles:
+ - role: openshift_metrics
+```
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Jose David Martín (j.david.nieto@gmail.com)
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
new file mode 100644
index 000000000..cb4fbdee2
--- /dev/null
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -0,0 +1,17 @@
+---
+image_prefix: docker.io/openshift/origin-
+image_version: latest
+master_url: https://kubernetes.default.svc.cluster.local
+
+hawkular_user_write_access: False
+hawkular_cassandra_nodes: 1
+hawkular_cassandra_storage_type: emptydir
+hawkular_cassandra_pv_prefix: metrics-cassandra
+hawkular_cassandra_pv_size: 10Gi
+
+heapster_standalone: False
+heapster_allowed_users: system:master-proxy
+
+metrics_duration: 7
+metrics_resolution: 15s
+metrics_node_id: nodename
diff --git a/roles/openshift_metrics/meta/main.yaml b/roles/openshift_metrics/meta/main.yaml
new file mode 100644
index 000000000..a8fbeff02
--- /dev/null
+++ b/roles/openshift_metrics/meta/main.yaml
@@ -0,0 +1,2 @@
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml
new file mode 100644
index 000000000..a61fed7b4
--- /dev/null
+++ b/roles/openshift_metrics/tasks/cleanup.yaml
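Review bot: `hawkular_user_write_access: False` and `heapster_standalone: False` use the capitalised Python-style boolean; Ansible accepts it, but yamllint's truthy rule flags it, and where the value is interpolated verbatim (hawkular_metrics_rc.j2 renders `-DUSER_WRITE_ACCESS={{hawkular_user_write_access}}`) it arrives as the string `False` rather than `false`. Write `hawkular_user_write_access: false` and `heapster_standalone: false`. `image_version: latest` is a floating tag, so two runs of the role can pull different images for a component that terminates TLS and holds the cluster-reader token; the README's `image_version` entry should recommend pinning a specific version.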
@@ -0,0 +1,14 @@
+---
+- name: remove metrics components
+ command: >
+ {{ openshift.common.client_binary }} -n '{{ metrics_project }}'
+ delete --selector=metrics-infra
+ all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings
+ register: delete_metrics
+ changed_when: "delete_metrics.stdout != 'No resources found'"
+- name: remove rolebindings
+ command: >
+ {{ openshift.common.client_binary }} -n {{ metrics_project }}
+ delete --ignore-not-found
+ rolebinding/hawkular-view
+ clusterrolebinding/heapster-cluster-reader
diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml
new file mode 100644
index 000000000..b1ecf46b9
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_certificates.yaml
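Review bot: Nothing in the role reaches cleanup.yaml — tasks/main.yaml in this commit only includes the install_* files — so as committed there is no uninstall path; either wire it in behind a variable or add a header comment saying how it is meant to be included. The second task has no `changed_when`, so `delete --ignore-not-found` reports changed on every run, unlike the first task; `changed_when: false` or a stdout check would match. The two `-n` arguments also quote `{{ metrics_project }}` differently; use `'{{ metrics_project }}'` in both.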
@@ -0,0 +1,233 @@
+---
+# TODO idempotency?
+# TODO support providing custom certificates
+- name: create certificate output directory
+ file:
+ path: "{{ mktemp.stdout }}/certs"
+ state: directory
+ mode: 0700
+- name: generate ca certificate chain
+ shell: >
+ {{ openshift.common.admin_binary }} ca create-signer-cert
+ --key='{{ mktemp.stdout }}/certs/ca.key'
+ --cert='{{ mktemp.stdout }}/certs/ca.crt'
+ --serial='{{ mktemp.stdout }}/certs/ca.serial.txt'
+ --name="metrics-signer@$(date +%s)"
+- name: generate heapster key/cert
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --key='{{ mktemp.stdout }}/certs/heapster.key'
+ --cert='{{ mktemp.stdout }}/certs/heapster.cert'
+ --hostnames=heapster
+ --signer-cert='{{ mktemp.stdout }}/certs/ca.crt'
+ --signer-key='{{ mktemp.stdout }}/certs/ca.key'
+ --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt'
+# TODO maybe there's an easier way to get the service accounts' ca crt?
+- name: get heapster service account secrets
+ shell: >
+ {{ openshift.common.client_binary }} -n '{{ metrics_project }}'
+ get serviceaccount/default
+ --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}'
+ | grep ^default-token-
+ register: sa_secret
+- name: get heapster service account ca
+ command: >
+ {{ openshift.common.client_binary }} -n '{{ metrics_project }}'
+ get 'secret/{{ sa_secret.stdout }}'
+ --template '{{ '{{index .data "ca.crt"}}' }}'
+ register: sa_secret
+- name: read files for the heapster secret
+ command: base64 --wrap 0 "{{ mktemp.stdout }}/certs/heapster.{{ item }}"
+ register: heapster_secret
+ with_items:
+ - cert
+ - key
+- name: generate heapster secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
+ vars:
+ name: heapster-secrets
+ labels:
+ metrics-infra: heapster
+ data:
+ heapster.cert: "{{ heapster_secret.results[0].stdout }}"
+ heapster.key: "{{ heapster_secret.results[1].stdout }}"
+ heapster.client-ca: "{{ sa_secret.stdout }}"
+ heapster.allowed-users: "{{ heapster_allowed_users|b64encode }}"
+- name: generate hawkular-metrics certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-metrics
+ hostnames: "hawkular-metrics,{{ hawkular_metrics_hostname }}"
+- name: generate hawkular-cassandra certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-cassandra
+ hostnames: hawkular-cassandra
+# TODO keytool as dependency? move key/trust store generation to containers?
+- name: import the hawkular metrics cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-metrics
+ -file '{{ mktemp.stdout|quote }}/certs/hawkular-metrics.cert'
+ -keystore '{{ mktemp.stdout|quote }}/certs/hawkular-cassandra.truststore'
+ -storepass
+ "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")"
+- name: import the hawkular cassandra cert into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert'
+ -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore'
+ -storepass
+ "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")"
+- name: import the hawkular cassandra cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert'
+ -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore'
+ -storepass
+ "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")"
+- name: import the ca certificate into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ mktemp.stdout }}/certs/ca.crt'
+ -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore'
+ -storepass
+ "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+- name: import the ca certificate into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ mktemp.stdout }}/certs/ca.crt'
+ -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore'
+ -storepass
+ "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+- name: generate password for htpasswd file for hawkular metrics
+ shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15
+ register: hawkular_metrics_password
+- name: generate password for hawkular metrics jgroups
+ shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15
+ register: hawkular_metrics_jgroups_password
+- name: generate htpasswd file for hawkular metrics
+ shell: >
+ htpasswd -cb
+ "{{ mktemp.stdout|quote }}/certs/hawkular-metrics.htpasswd" hawkular
+ '{{ hawkular_metrics_password.stdout }}'
+- name: generate the jgroups keystore
+ command: >
+ keytool -genseckey -alias hawkular
+ -keypass {{ hawkular_metrics_jgroups_password.stdout }}
+ -storepass {{ hawkular_metrics_jgroups_password.stdout }}
+ -keyalg Blowfish -keysize 56 -storetype JCEKS
+ -keystore {{ mktemp.stdout }}/certs/hawkular-jgroups.keystore
+- name: read files for the hawkular-metrics secret
+ command: >
+ base64 --wrap 0 "{{ mktemp.stdout }}/certs/{{ item }}"
+ register: hawkular_metrics_secret
+ with_items:
+ - hawkular-metrics.keystore
+ - hawkular-metrics-keystore.pwd
+ - hawkular-metrics.truststore
+ - hawkular-metrics-truststore.pwd
+ - hawkular-metrics.htpasswd
+ - hawkular-metrics.cert
+ - ca.crt
+ - hawkular-cassandra.keystore
+ - hawkular-cassandra-keystore.pwd
+ - hawkular-cassandra.truststore
+ - hawkular-cassandra-truststore.pwd
+ - hawkular-cassandra.pem
+ - hawkular-cassandra.cert
+ - hawkular-jgroups.keystore
+- name: generate hawkular-metrics-secrets secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
+ vars:
+ name: hawkular-metrics-secrets
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.keystore: >
+ "{{ hawkular_metrics_secret.results[0].stdout }}"
+ hawkular-metrics.keystore.password: >
+ "{{ hawkular_metrics_secret.results[1].stdout }}"
+ hawkular-metrics.truststore: >
+ "{{ hawkular_metrics_secret.results[2].stdout }}"
+ hawkular-metrics.truststore.password: >
+ "{{ hawkular_metrics_secret.results[3].stdout }}"
+ hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
+ hawkular-metrics.htpasswd.file: >
+ "{{ hawkular_metrics_secret.results[4].stdout }}"
+ hawkular-metrics.jgroups.keystore.password: >
+ "{{ hawkular_metrics_jgroups_password.stdout|b64encode }}"
+ hawkular-metrics.jgroups.keystore: >
+ "{{ hawkular_metrics_secret.results[13].stdout }}"
+ hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
+- name: generate hawkular-metrics-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
+ vars:
+ name: hawkular-metrics-certificate
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.certificate: >
+ "{{ hawkular_metrics_secret.results[5].stdout }}"
+ hawkular-metrics-ca.certificate: >
+ "{{ hawkular_metrics_secret.results[6].stdout }}"
+- name: generate hawkular-metrics-account secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
+ vars:
+ name: hawkular-metrics-account
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
+ hawkular-metrics.password: >
+ "{{ hawkular_metrics_password.stdout|b64encode }}"
+- name: generate cassandra secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+ vars:
+ name: hawkular-cassandra-secrets
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.keystore: "{{ hawkular_metrics_secret.results[7].stdout }}"
+ cassandra.keystore.password: >
+ {{ hawkular_metrics_secret.results[8].stdout }}
+ cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
+ cassandra.truststore: "{{ hawkular_metrics_secret.results[9].stdout }}"
+ cassandra.truststore.password: >
+ {{ hawkular_metrics_secret.results[10].stdout }}
+ cassandra.pem: "{{ hawkular_metrics_secret.results[10].stdout }}"
+- name: generate cassandra-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
+ vars:
+ name: hawkular-cassandra-certificate
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.certificate: >
+ {{ hawkular_metrics_secret.results[11].stdout }}
+ cassandra-ca.certificate: >
+ {{ hawkular_metrics_secret.results[7].stdout }}
diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml
new file mode 100644
index 000000000..d1bc7374a
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml
@@ -0,0 +1,30 @@
+---
+- name: generate view role binding for the hawkular service account
+ template:
+ src: rolebinding.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-rolebinding.yaml"
+ vars:
+ obj_name: hawkular-view
+ labels:
+ metrics-infra: hawkular
+ roleRef:
+ name: view
+ subjects:
+ - kind: ServiceAccount
+ name: hawkular
+- name: generate cluster-reader role binding for the heapster service account
+ template:
+ src: rolebinding.j2
+ dest: "{{ mktemp.stdout }}/templates/heapster-rolebinding.yaml"
+ vars:
+ cluster: True
+ obj_name: heapster-cluster-reader
+ labels:
+ metrics-infra: heapster
+ roleRef:
+ kind: ClusterRole
+ name: cluster-reader
+ subjects:
+ - kind: ServiceAccount
+ name: heapster
+ namespace: "{{ metrics_project }}"
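Review bot: The `hawkular_metrics_secret.results[...]` indices in the two cassandra secret templates do not line up with the `with_items` list of "read files for the hawkular-metrics secret": index 10 is `hawkular-cassandra-truststore.pwd`, 11 is `hawkular-cassandra.pem`, 12 is `hawkular-cassandra.cert` and 6 is `ca.crt`, so `cassandra.pem` currently carries the truststore password, `cassandra.certificate` carries the pem (which setup_certificate.yaml builds from key + crt, i.e. it includes the private key) and `cassandra-ca.certificate` carries the keystore. The three lines should read `cassandra.pem: "{{ hawkular_metrics_secret.results[11].stdout }}"`, `cassandra.certificate: > {{ hawkular_metrics_secret.results[12].stdout }}` and `cassandra-ca.certificate: > {{ hawkular_metrics_secret.results[6].stdout }}`; registering the files under names instead of positions would prevent this class of slip. The tasks that register `hawkular_metrics_password`, `hawkular_metrics_jgroups_password` and `hawkular_metrics_secret`, and the `keytool -genseckey` task that puts the jgroups password in its argv, should carry `no_log: true`, since otherwise the passwords and base64 key material are written to the Ansible log. The hawkular-metrics secret values wrap a double-quoted string in a folded `>` scalar, so the rendered value keeps the literal quote characters and a trailing newline, while the cassandra entries drop the quotes; whether secret.j2 tolerates both cannot be seen here, so one form should be used throughout.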
diff --git a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml
new file mode 100644
index 000000000..9230e0423
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml
@@ -0,0 +1,25 @@
+---
+- name: Generating serviceaccounts for hawkular metrics/cassandra
+ template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml
+ vars:
+ obj_name: "{{item.name}}"
+ labels:
+ metrics-infra: support
+ secrets:
+ - hawkular-{{item.secret}}-secrets
+ with_items:
+ - name: hawkular
+ secret: hawkular-metrics-secrets
+ - name: cassandra
+ secret: hawkular-cassandra-secrets
+
+- name: Generating serviceaccount for heapster
+ template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml
+ vars:
+ obj_name: heapster
+ labels:
+ metrics-infra: support
+ secrets:
+ - heapster-secrets
+ - hawkular-metrics-certificate
+ - hawkular-metrics-account
diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml
new file mode 100644
index 000000000..4f7616a1c
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_services.yaml
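Review bot: `- hawkular-{{item.secret}}-secrets` renders, with the `with_items` values given, as `hawkular-hawkular-metrics-secrets-secrets` and `hawkular-hawkular-cassandra-secrets-secrets`, which match none of the secrets generate_certificates.yaml creates (`hawkular-metrics-secrets`, `hawkular-cassandra-secrets`). Either change the list entry to `- "{{ item.secret }}"` or shorten the item values to `metrics` and `cassandra`. The `template: src=... dest=...` key=value form used here (and in generate_services.yaml and install_heapster.yaml) differs from the block form in the other task files; the block form also avoids the unquoted `{{mktemp.stdout}}` inside the argument string.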
@@ -0,0 +1,43 @@
+---
+- name: Generate service for heapster
+ template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml
+ vars:
+ obj_name: heapster
+ ports:
+ - {port: 80, targetPort: http-endpoint}
+ selector:
+ name: "{{obj_name}}"
+ labels:
+ metrics-infra: "{{obj_name}}"
+ name: "{{obj_name}}"
+
+- name: Generate service for hawkular-metrics
+ template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml
+ vars:
+ obj_name: hawkular-metrics
+ ports:
+ - {port: 443, targetPort: https-endpoint}
+ selector:
+ name: "{{obj_name}}"
+ labels:
+ metrics-infra: "{{obj_name}}"
+ name: "{{obj_name}}"
+
+- name: Generate services for cassandra
+ template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml
+ vars:
+ obj_name: hawkular-{{item}}
+ ports:
+ - {name: cql-port, port: 9042, targetPort: cql-port}
+ - {name: thrift-port, port: 9160, targetPort: thrift-port}
+ - {name: tcp-port, port: 7000, targetPort: tcp-port}
+ - {name: ssl-port, port: 7001, targetPort: ssl-port}
+ selector:
+ type: hawkular-cassandra
+ labels:
+ metrics-infra: hawkular-cassandra
+ name: hawkular-cassandra
+ headless: "{{ item == 'cassandra-nodes' }}"
+ with_items:
+ - cassandra
+ - cassandra-nodes
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
new file mode 100644
index 000000000..670396f6e
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
@@ -0,0 +1,57 @@
+---
+- name: generate hawkular-metrics replication controller
+ template:
+ src: hawkular_metrics_rc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml"
+- name: generate hawkular-cassandra replication controllers
+ template:
+ src: hawkular_cassandra_rc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-rc{{ item }}.yaml"
+ vars:
+ node: "{{ item }}"
+ master: "{{ (item == '1')|string|lower }}"
+ with_sequence: count={{ hawkular_cassandra_nodes }}
+- name: generate hawkular-cassandra persistent volume claims
+ template:
+ src: pvc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
+ vars:
+ obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}"
+ labels:
+ metrics-infra: hawkular-cassandra
+ access_modes:
+ - ReadWriteOnce
+ size: "{{ hawkular_cassandra_pv_size }}"
+ with_sequence: count={{ hawkular_cassandra_nodes }}
+ when: hawkular_cassandra_storage_type == 'pv'
+- name: generate hawkular-cassandra persistent volume claims (dynamic)
+ template:
+ src: pvc.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
+ vars:
+ obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}"
+ labels:
+ metrics-infra: hawkular-cassandra
+ annotations:
+ volume.alpha.kubernetes.io/storage-class: dynamic
+ access_modes:
+ - ReadWriteOnce
+ size: "{{ hawkular_cassandra_pv_size }}"
+ with_sequence: count={{ hawkular_cassandra_nodes }}
+ when: hawkular_cassandra_storage_type == 'dynamic'
+- name: generate the hawkular-metrics route
+ template:
+ src: route.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml"
+ vars:
+ name: hawkular-metrics
+ labels:
+ metrics-infra: hawkular-metrics
+ host: hawkular-metrics.example.com
+ to:
+ kind: Service
+ name: hawkular-metrics
+ tls:
+ termination: reencrypt
+ destination_ca_certificate: >
+ {{ hawkular_metrics_secret.results[6].stdout|b64decode }}
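Review bot: The route is generated with the literal `host: hawkular-metrics.example.com`, while main.yaml requires `hawkular_metrics_hostname` and generate_certificates.yaml puts that value into the hawkular-metrics certificate's hostnames; the published route will therefore not match the name the certificate was issued for. Use `host: "{{ hawkular_metrics_hostname }}"`. `destination_ca_certificate` reads `hawkular_metrics_secret.results[6]`, which is only populated if generate_certificates.yaml ran earlier in the same play (via install_metrics.yaml); a comment naming that dependency and that index 6 is `ca.crt` would help, since nothing in this file makes the coupling visible.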
diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml
new file mode 100644
index 000000000..a8f849a88
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_heapster.yaml
@@ -0,0 +1,3 @@
+---
+- name: Generate heapster replication controller
+ template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
new file mode 100644
index 000000000..34b4a47fe
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -0,0 +1,17 @@
+---
+# This is the base configuration for installing the other components
+- name: Create temp directory for doing work in
+ command: mktemp -td openshift-metrics-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+
+- debug: msg="Created temp dir {{mktemp.stdout}}"
+
+- name: Create temp directory for all our templates
+ file: path={{mktemp.stdout}}/templates state=directory mode=0755
+ changed_when: False
+
+- include: generate_serviceaccounts.yaml
+- include: generate_services.yaml
+- include: generate_certificates.yaml
+- include: generate_rolebindings.yaml
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
new file mode 100644
index 000000000..e9a5fbebd
--- /dev/null
+++ b/roles/openshift_metrics/tasks/main.yaml
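Review bot: The `templates` directory is created with `mode=0755`, but generate_certificates.yaml then writes the rendered Secret manifests into it (keystores, keystore and truststore passwords, the htpasswd file and the hawkular account password, all merely base64-encoded), so that material is readable by every local user on the master for as long as the directory exists; the `certs` directory in the same role is created 0700 and this one should match: `file: path={{mktemp.stdout}}/templates state=directory mode=0700`. `mktemp -td` places the work directory under the system temp directory and nothing in the role removes it afterwards (see main.yaml), so the exposure outlives the run. `changed_when: False` should be `changed_when: false` to match the lowercase booleans the linter expects.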
@@ -0,0 +1,24 @@
+---
+- name: check that hawkular_metrics_hostname is set
+ fail: msg='the hawkular_metrics_hostname variable is required'
+ when: "{{ hawkular_metrics_hostname is not defined }}"
+- name: check the value of hawkular_cassandra_storage_type
+ fail:
+ msg: >
+ hawkular_cassandra_storage_type ({{ hawkular_cassandra_storage_type }})
+ is invalid, must be one of: emptydir, pv, dynamic
+ when: hawkular_cassandra_storage_type not in hawkular_cassandra_storage_types
+- name: Install Metrics
+ include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml"
+ with_items:
+ - metrics
+ - heapster
+ - hawkular
+ loop_control:
+ loop_var: include_file
+- name: create objects
+ command: >
+ {{ openshift.common.client_binary }} -n '{{ metrics_project }}'
+ apply -f {{ item }}
+ with_fileglob:
+ - "{{ mktemp.stdout }}/templates/*.yaml"
diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml
new file mode 100644
index 000000000..46ac4ea7f
--- /dev/null
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml
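Review bot: `when: "{{ hawkular_metrics_hostname is not defined }}"` wraps the condition in Jinja delimiters, which Ansible warns about because the expression is templated before being evaluated as a conditional; write `when: hawkular_metrics_hostname is not defined`, as the second task already does. `metrics_project` is used for every `-n` argument in the role and the README lists it as required, yet it is never validated here, and the README names the hostname variable `metrics_hostname` while this file checks `hawkular_metrics_hostname`; add a `fail` task for `metrics_project` and align the README. `heapster_standalone` (defaulted and documented) is never consulted, because `hawkular` is always in the include list; a condition such as `when: include_file != 'hawkular' or not heapster_standalone` on the include task would honour it. Nothing removes `{{ mktemp.stdout }}` after "create objects", so the CA key, keystores and passwords generated under it stay on the master; add a final `file: path={{ mktemp.stdout }} state=absent` task, preferably in an `always` section so it also runs when a step fails.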
@@ -0,0 +1,50 @@
+---
+- name: generate {{ component }} keys
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --key='{{ mktemp.stdout }}/certs/{{ component }}.key'
+ --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt'
+ --hostnames='{{ hostnames }}'
+ --signer-cert='{{ mktemp.stdout }}/certs/ca.crt'
+ --signer-key='{{ mktemp.stdout }}/certs/ca.key'
+ --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt'
+- name: generate {{ component }} certificate
+ shell: >
+ cat
+ '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key'
+ '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt'
+ > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem'
+- name: generate random password for the {{ component }} keystore
+ shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
+ register: keystore_pwd
+- name: create the password file for {{ component }}
+ shell: >
+ echo '{{ keystore_pwd.stdout|quote }}'
+ > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd'
+- name: create the {{ component }} pkcs12 from the pem file
+ command: >
+ openssl pkcs12 -export
+ -in '{{ mktemp.stdout }}/certs/{{ component }}.pem'
+ -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12'
+ -name '{{ component }}' -noiter -nomaciter
+ -password 'pass:{{ keystore_pwd.stdout }}'
+- name: create the {{ component }} keystore from the pkcs12 file
+ command: >
+ keytool -v -importkeystore
+ -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12'
+ -srcstoretype PKCS12
+ -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore'
+ -deststoretype JKS
+ -deststorepass '{{ keystore_pwd.stdout }}'
+ -srcstorepass '{{ keystore_pwd.stdout }}'
+- name: create the {{ component }} certificate
+ command: >
+ keytool -noprompt -export
+ -alias '{{ component }}'
+ -file '{{ mktemp.stdout }}/certs/{{ component }}.cert'
+ -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore'
+ -storepass '{{ keystore_pwd.stdout }}'
+- name: generate random password for the {{ component }} truststore
+ shell: >
+ tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
+ > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd'
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
new file mode 100644
index 000000000..bb8866263
--- /dev/null
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
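Review bot: The keystore password is passed as a command-line argument to `openssl pkcs12 -password 'pass:...'`, `keytool -importkeystore -deststorepass/-srcstorepass` and `keytool -export -storepass`, so it is visible in the process table while those commands run and is recorded in Ansible's task output, including the argv echoed on failure; add `no_log: true` to those tasks and to the one that registers `keystore_pwd`, and for openssl prefer reading the `-keystore.pwd` file written just above (`-password 'file:{{ mktemp.stdout }}/certs/{{ component }}-keystore.pwd'`). That password file is written with `echo`, which appends a newline, whereas the truststore password is written by `head -c15` with none; whether the image's wrapper strips the newline cannot be seen here, so both should be produced the same way (`printf '%s'`). The `|quote` filter is applied inside single quotes in some paths and omitted in others (`-keystore.pwd` vs `-truststore.pwd`); pick one convention for the whole file.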
@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+ name: hawkular-cassandra-{{ node }}
+ labels:
+ metrics-infra: hawkular-cassandra
+ name: hawkular-cassandra
+ type: hawkular-cassandra
+spec:
+ selector:
+ name: hawkular-cassandra-{{ node }}
+ replicas: 1
+ template:
+ version: v1
+ metadata:
+ labels:
+ metrics-infra: hawkular-cassandra
+ name: hawkular-cassandra-{{ node }}
+ type: hawkular-cassandra
+ spec:
+ serviceAccount: cassandra
+ containers:
+ - image: "{{ image_prefix }}metrics-cassandra:{{ image_version }}"
+ name: hawkular-cassandra-{{ node }}
+ ports:
+ - name: cql-port
+ containerPort: 9042
+ - name: thift-port
+ containerPort: 9160
+ - name: tcp-port
+ containerPort: 7000
+ - name: ssl-port
+ containerPort: 7001
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-docker.sh"
+ - "--cluster_name=hawkular-metrics"
+ - "--data_volume=/cassandra_data"
+ - "--internode_encryption=all"
+ - "--require_node_auth=true"
+ - "--enable_client_encryption=true"
+ - "--require_client_auth=true"
+ - "--keystore_file=/secret/cassandra.keystore"
+ - "--keystore_password_file=/secret/cassandra.keystore.password"
+ - "--truststore_file=/secret/cassandra.truststore"
+ - "--truststore_password_file=/secret/cassandra.truststore.password"
+ - "--cassandra_pem_file=/secret/cassandra.pem"
+ env:
+ - name: CASSANDRA_MASTER
+ value: "{{ master }}"
+ - name: CASSANDRA_DATA_VOLUME
+ value: "/cassandra_data"
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MEMORY_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ - name: CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ divisor: 1m
+ volumeMounts:
+ - name: cassandra-data
+ mountPath: "/cassandra_data"
+ - name: hawkular-cassandra-secrets
+ mountPath: "/secret"
+ readinessProbe:
+ exec:
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-docker-ready.sh"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-prestop.sh"
+ postStart:
+ exec:
+ command:
+ - "/opt/apache-cassandra/bin/cassandra-poststart.sh"
+ terminationGracePeriodSeconds: 1800
+ volumes:
+ - name: cassandra-data
+{% if hawkular_cassandra_storage_type == 'emptydir' %}
+ emptyDir: {}
+{% else %}
+ persistentVolumeClaim:
+ claimName: "{{ hawkular_cassandra_pv_prefix }}-{{ node }}"
+{% endif %}
+ - name: hawkular-cassandra-secrets
+ secret:
+ secretName: hawkular-cassandra-secrets
diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
new file mode 100644
index 000000000..bcfe9dc84
--- /dev/null
+++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
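Review bot: The container port for 9160 is named `thift-port`, while generate_services.yaml declares the cassandra services with `targetPort: thrift-port`; a named targetPort that matches no container port leaves 9160 unreachable through the service. Rename the entry to `- name: thrift-port`. `version: v1` under `template:` is not a field of a pod template and is presumably ignored by the API server; it should be dropped so the manifest only carries fields with meaning.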
@@ -0,0 +1,88 @@ +apiVersion: v1 +kind: ReplicationController +metadata: + name: hawkular-metrics + labels: + metrics-infra: hawkular-metrics + name: hawkular-metrics +spec: + selector: + name: hawkular-metrics + replicas: 1 + template: + version: v1 + metadata: + labels: + metrics-infra: hawkular-metrics + name: hawkular-metrics + spec: + serviceAccount: hawkular + containers: + - image: {{image_prefix}}metrics-hawkular-metrics:{{image_version}} + name: hawkular-metrics + ports: + - name: http-endpoint + containerPort: 8080 + - name: https-endpoint + containerPort: 8443 + - name: ping + containerPort: 8888 + command: + - "/opt/hawkular/scripts/hawkular-metrics-wrapper.sh" + - "-b" + - 0.0.0.0 + - "-Dhawkular.metrics.cassandra.nodes=hawkular-cassandra" + - "-Dhawkular.metrics.cassandra.use-ssl" + - "-Dhawkular.metrics.openshift.auth-methods=openshift-oauth,htpasswd" + - "-Dhawkular.metrics.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file" + - "-Dhawkular.metrics.allowed-cors-access-control-allow-headers=authorization" + - "-Dhawkular.metrics.default-ttl={{metrics_duration}}" + - "-Dhawkular-alerts.cassandra-nodes=hawkular-cassandra" + - "-Dhawkular-alerts.cassandra-use-ssl" + - "-Dhawkular.alerts.openshift.auth-methods=openshift-oauth,htpasswd" + - "-Dhawkular.alerts.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file" + - "-Dhawkular.alerts.allowed-cors-access-control-allow-headers=authorization" + - "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true" + - "-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true" + - "-DKUBERNETES_MASTER_URL={{master_url}}" + - "-DUSER_WRITE_ACCESS={{hawkular_user_write_access}}" + - "--hmw.keystore=/secrets/hawkular-metrics.keystore" + - "--hmw.truststore=/secrets/hawkular-metrics.truststore" + - "--hmw.keystore_password_file=/secrets/hawkular-metrics.keystore.password" + - "--hmw.truststore_password_file=/secrets/hawkular-metrics.truststore.password" + - 
"--hmw.jgroups_keystore=/secrets/hawkular-metrics.jgroups.keystore" + - "--hmw.jgroups_keystore_password_file=/secrets/hawkular-metrics.jgroups.keystore.password" + - "--hmw.jgroups_alias_file=/secrets/hawkular-metrics.jgroups.alias" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MASTER_URL + value: "{{ master_url }}" + - name: OPENSHIFT_KUBE_PING_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OPENSHIFT_KUBE_PING_LABELS + value: "metrics-infra=hawkular-metrics,name=hawkular-metrics" + volumeMounts: + - name: hawkular-metrics-secrets + mountPath: "/secrets" + - name: hawkular-metrics-client-secrets + mountPath: "/client-secrets" + readinessProbe: + exec: + command: + - "/opt/hawkular/scripts/hawkular-metrics-readiness.py" + livenessProbe: + exec: + command: + - "/opt/hawkular/scripts/hawkular-metrics-liveness.py" + volumes: + - name: hawkular-metrics-secrets + secret: + secretName: hawkular-metrics-secrets + - name: hawkular-metrics-client-secrets + secret: + secretName: hawkular-metrics-account diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 new file mode 100644 index 000000000..779be0145 --- /dev/null +++ b/roles/openshift_metrics/templates/heapster.j2 
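Review bot: The image line `- image: {{image_prefix}}metrics-hawkular-metrics:{{image_version}}` leaves the Jinja expression unquoted, unlike hawkular_cassandra_rc.j2 which writes `"{{ image_prefix }}metrics-cassandra:{{ image_version }}"`; an empty or indicator-leading expansion would change the YAML type, so quoting it keeps the two templates consistent and safe. The same unquoted `image:` line appears in heapster.j2. `- 0.0.0.0` following `-b` is the only unquoted entry in the `command` list; `- "0.0.0.0"` would match the rest and avoid any scalar-typing surprise.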
@@ -0,0 +1,66 @@ +apiVersion: "v1" +kind: "ReplicationController" +metadata: + name: heapster + labels: + metrics-infra: heapster + name: heapster +spec: + selector: + name: heapster + replicas: 1 + template: + version: v1 + metadata: + name: heapster + labels: + metrics-infra: heapster + name: heapster + spec: + serviceAccountName: heapster + containers: + - name: heapster + image: {{image_prefix}}metrics-heapster:{{image_version}} + ports: + - containerPort: 8082 + name: "http-endpoint" + command: + - "heapster-wrapper.sh" + - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users" + - "--source=kubernetes:{{master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250" + - "--tls_cert=/secrets/heapster.cert" + - "--tls_key=/secrets/heapster.key" + - "--tls_client_ca=/secrets/heapster.client-ca" + - "--allowed_users=%allowed_users%" + - "--metric_resolution={{metrics_resolution}}" +{% if not heapster_standalone %} + - "--wrapper.username_file=/hawkular-account/hawkular-metrics.username" + - "--wrapper.password_file=/hawkular-account/hawkular-metrics.password" + - "--wrapper.endpoint_check=https://hawkular-metrics:443/hawkular/metrics/status" + - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)" +{% endif %} + volumeMounts: + - name: heapster-secrets + mountPath: "/secrets" +{% if not heapster_standalone %} + - name: hawkular-metrics-certificate + mountPath: "/hawkular-cert" + - name: hawkular-metrics-account + mountPath: "/hawkular-account" + readinessProbe: + exec: + command: + - "/opt/heapster-readiness.sh" +{% endif %} + volumes: + - name: heapster-secrets + secret: + secretName: heapster-secrets +{% if not heapster_standalone %} + - name: hawkular-metrics-certificate + secret: + secretName: hawkular-metrics-certificate + - name: 
hawkular-metrics-account + secret: + secretName: hawkular-metrics-account +{% endif %} diff --git a/roles/openshift_metrics/templates/pvc.j2 b/roles/openshift_metrics/templates/pvc.j2 new file mode 100644 index 000000000..8fbfa8b5d --- /dev/null +++ b/roles/openshift_metrics/templates/pvc.j2 @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{obj_name}} +{% if labels is not defined %} + labels: + logging-infra: support +{% elif labels %} + labels: +{% for key, value in labels.iteritems() %} + {{ key }}: {{ value }} +{% endfor %} +{% endif %} +{% if annotations is defined and annotations %} + annotations: +{% for key,value in annotations.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +spec: + accessModes: +{% for mode in access_modes %} + - {{ mode }} +{% endfor %} + resources: + requests: + storage: {{size}} diff --git a/roles/openshift_metrics/templates/rolebinding.j2 b/roles/openshift_metrics/templates/rolebinding.j2 new file mode 100644 index 000000000..5230f0780 --- /dev/null +++ b/roles/openshift_metrics/templates/rolebinding.j2 @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: {% if cluster is defined and cluster %}Cluster{% endif %}RoleBinding +metadata: + name: {{obj_name}} +{% if labels is defined %} + labels: +{% for k, v in labels.iteritems() %} + {{ k }}: {{ v }} +{% endfor %} +{% endif %} +roleRef: +{% if 'kind' in roleRef %} + kind: {{ roleRef.kind }} +{% endif %} + name: {{ roleRef.name }} +subjects: +{% for sub in subjects %} + - kind: {{ sub.kind }} + name: {{ sub.name }} +{% if 'namespace' in sub %} + namespace: {{ sub.namespace }} +{% endif %} +{% endfor %} diff --git a/roles/openshift_metrics/templates/route.j2 b/roles/openshift_metrics/templates/route.j2 new file mode 100644 index 000000000..a720c4959 --- /dev/null +++ b/roles/openshift_metrics/templates/route.j2 
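Review bot: The `readinessProbe` for the heapster container sits inside the `{% if not heapster_standalone %}` block, so a standalone Heapster is deployed with no readiness probe and the service will route to it before `/opt/heapster-readiness.sh` could have passed. If the readiness script only checks the Hawkular link this is intentional and deserves a comment such as `{# readiness script checks the hawkular-metrics link; standalone mode has no probe #}`; otherwise the probe should move outside the conditional. The `--sink` argument relies on `%username%` / `%password%` placeholders that the wrapper fills from the mounted account secret, which keeps credentials out of the pod spec; a one-line comment saying so would help the next reader.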
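Review bot: The `labels is not defined` branch of pvc.j2 falls back to `logging-infra: support`, which looks copied from the logging role; cleanup.yaml deletes by `--selector=metrics-infra`, so a claim rendered through that branch would be left behind. The fallback should be `metrics-infra: support`, or the branch dropped since install_hawkular.yaml always passes `labels`. Label and annotation values are emitted unquoted (`{{ key }}: {{ value }}`), so a value such as `true`, `1.10` or `no` is retyped by the YAML parser; write `{{ key }}: "{{ value }}"`. The same unquoted-value pattern appears in rolebinding.j2, route.j2, secret.j2, service.j2 and serviceaccount.j2.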
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Route +metadata: + name: {{ name }} +{% if labels is defined and labels %} + labels: +{% for k, v in labels.iteritems() %} + {{ k }}: {{ v }} +{% endfor %} +{% endif %} +spec: + host: {{ host }} + to: + kind: {{ to.kind }} + name: {{ to.name }} +{% if tls is defined %} + tls: + termination: {{ tls.termination }} +{% if tls.termination == 'reencrypt' %} + destinationCACertificate: | +{{ tls.destination_ca_certificate|indent(6, true) }} +{% endif %} +{% endif %} diff --git a/roles/openshift_metrics/templates/secret.j2 b/roles/openshift_metrics/templates/secret.j2 new file mode 100644 index 000000000..370890c7d --- /dev/null +++ b/roles/openshift_metrics/templates/secret.j2 @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ name }}" + labels: +{% for k, v in labels.iteritems() %} + {{ k }}: {{ v }} +{% endfor %} +data: +{% for k, v in data.iteritems() %} + {{ k }}: {{ v }} +{% endfor %} diff --git a/roles/openshift_metrics/templates/service.j2 b/roles/openshift_metrics/templates/service.j2 new file mode 100644 index 000000000..8df89127b --- /dev/null +++ b/roles/openshift_metrics/templates/service.j2 @@ -0,0 +1,32 @@ +apiVersion: "v1" +kind: "Service" +metadata: + name: "{{obj_name}}" +{% if labels is defined%} + labels: +{% for key, value in labels.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +spec: +{% if headless is defined and headless %} + portalIP: None + clusterIP: None +{% endif %} + ports: +{% for port in ports %} + - +{% for key, value in port.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% if port.targetPort is undefined %} + clusterIP: "None" +{% endif %} +{% endfor %} +{% if service_targetPort is defined %} + targetPort: {{service_targetPort}} +{% endif %} + selector: + {% for key, value in selector.iteritems() %} + {{key}}: {{value}} + {% endfor %} 
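Review bot: In service.j2, `clusterIP: "None"` is emitted inside each `ports` entry whenever `port.targetPort` is undefined, but `clusterIP` is a `spec` field, not a port field, and the headless case is already covered by the `{% if headless is defined and headless %}` block above; the `{% if port.targetPort is undefined %}` stanza should be removed (the API defaults `targetPort` to `port` anyway). The `selector:` loop tags are indented two spaces while every other tag in the file starts in column 0; Ansible's Jinja environment appears to trim the newline after a block tag but not the leading whitespace, so these lines leave stray spaces in the rendered YAML. The `{% if labels is defined%}` tag is missing the space before `%}`.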
diff --git a/roles/openshift_metrics/templates/serviceaccount.j2 b/roles/openshift_metrics/templates/serviceaccount.j2 new file mode 100644 index 000000000..b22acc594 --- /dev/null +++ b/roles/openshift_metrics/templates/serviceaccount.j2 @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{obj_name}} +{% if labels is defined%} + labels: +{% for key, value in labels.iteritems() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +{% if secrets is defined %} +secrets: +{% for name in secrets %} +- name: {{ name }} +{% endfor %} +{% endif %} diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml new file mode 100644 index 000000000..eb02a87fd --- /dev/null +++ b/roles/openshift_metrics/vars/main.yaml @@ -0,0 +1,4 @@ +hawkular_cassandra_storage_types: +- emptydir +- pv +- dynamic -- cgit v1.2.3 From f3f1f610c9e0fdf8115dd8ea61e647080ad42006 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 30 Nov 2016 12:12:14 -0500 Subject: prefix vars with metrics role (#4) --- roles/openshift_metrics/README.md | 28 +++++++++++----------- roles/openshift_metrics/defaults/main.yaml | 27 +++++++++++---------- roles/openshift_metrics/tasks/cleanup.yaml | 4 ++-- .../tasks/generate_certificates.yaml | 8 +++---- .../tasks/generate_rolebindings.yaml | 2 +- .../openshift_metrics/tasks/install_hawkular.yaml | 18 +++++++------- roles/openshift_metrics/tasks/main.yaml | 12 +++++----- .../templates/hawkular_cassandra_rc.j2 | 6 ++--- .../templates/hawkular_metrics_rc.j2 | 10 ++++---- roles/openshift_metrics/templates/heapster.j2 | 14 +++++------ roles/openshift_metrics/vars/main.yaml | 2 +- 11 files changed, 66 insertions(+), 65 deletions(-) (limited to 'roles') diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index ac5353886..b79b472d3 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md 
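Review bot: serviceaccount.j2 emits the `secrets` list flush with its key (`- name: {{ name }}` at column 0) while every other template in this commit indents sequence items under their key; both are valid YAML, but the file set should use one style. `{% if labels is defined%}` is missing the space before `%}`, the same cosmetic slip as service.j2. `name: {{obj_name}}` is unquoted; `name: "{{obj_name}}"` avoids retyping when a generated name happens to look like a number.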
@@ -8,9 +8,9 @@ Requirements The following variables need to be set and will be validated: -- `metrics_hostname`: hostname used on the hawkular metrics route. +- `openshift_metrics_hostname`: hostname used on the hawkular metrics route. -- `metrics_project`: project (i.e. namespace) where the components will be +- `openshift_metrics_project`: project (i.e. namespace) where the components will be deployed. 
@@ -19,45 +19,45 @@ Role Variables For default values, see [`defaults/main.yaml`](defaults/main.yaml). -- `image_prefix`: Specify prefix for metrics components; e.g for +- `openshift_metrics_image_prefix`: Specify prefix for metrics components; e.g for "openshift/origin-metrics-deployer:v1.1", set prefix "openshift/origin-". -- `image_version`: Specify version for metrics components; e.g. for +- `openshift_metrics_image_version`: Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:v1.1", set version "v1.1". -- `master_url`: Internal URL for the master, for authentication retrieval. +- `openshift_metrics_master_url`: Internal URL for the master, for authentication retrieval. -- `hawkular_user_write_access`: If user accounts should be able to write +- `openshift_metrics_hawkular_user_write_access`: If user accounts should be able to write metrics. Defaults to 'false' so that only Heapster can write metrics and not individual users. It is recommended to disable user write access, if enabled any user will be able to write metrics to the system which can affect performance and use Cassandra disk usage to unpredictably increase. -- `hawkular_cassandra_nodes`: The number of Cassandra Nodes to deploy for the +- `openshift_metrics_hawkular_cassandra_nodes`: The number of Cassandra Nodes to deploy for the initial cluster. -- `hawkular_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for +- `openshift_metrics_hawkular_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for testing), `pv` to use persistent volumes (which need to be created before the installation) or `dynamic` for dynamic persistent volumes. -- `hawkular_cassandra_pv_prefix`: The name of persistent volume claims created +- `openshift_metrics_hawkular_cassandra_pv_prefix`: The name of persistent volume claims created for cassandra will be this with a serial number appended to the end, starting from 1. 
-- `hawkular_cassandra_pv_size`: The persistent volume size for each of the +- `openshift_metrics_hawkular_cassandra_pv_size`: The persistent volume size for each of the Cassandra nodes. -- `heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and +- `openshift_metrics_heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and Cassandra components. -- `heapster_allowed_users`: A comma-separated list of CN to accept. By +- `openshift_metrics_heapster_allowed_users`: A comma-separated list of CN to accept. By default, this is set to allow the OpenShift service proxy to connect. If you override this, make sure to add `system:master-proxy` to the list in order to allow horizontal pod autoscaling to function properly. -- `metrics_duration`: How many days metrics should be stored for. +- `openshift_metrics_duration`: How many days metrics should be stored for. -- `metrics_resolution`: How often metrics should be gathered. +- `openshift_metrics_resolution`: How often metrics should be gathered. Dependencies diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index cb4fbdee2..8d2ff8a62 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml 
@@ -1,17 +1,18 @@ --- -image_prefix: docker.io/openshift/origin- -image_version: latest -master_url: https://kubernetes.default.svc.cluster.local +openshift_metrics_image_prefix: docker.io/openshift/origin- +openshift_metrics_image_version: latest +openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local +openshift_metrics_project: openshift-infra -hawkular_user_write_access: False -hawkular_cassandra_nodes: 1 -hawkular_cassandra_storage_type: emptydir -hawkular_cassandra_pv_prefix: metrics-cassandra -hawkular_cassandra_pv_size: 10Gi +openshift_metrics_hawkular_user_write_access: False +openshift_metrics_hawkular_cassandra_nodes: 1 +openshift_metrics_hawkular_cassandra_storage_type: emptydir +openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra +openshift_metrics_hawkular_cassandra_pv_size: 10Gi -heapster_standalone: False -heapster_allowed_users: system:master-proxy +openshift_metrics_heapster_standalone: False +openshift_metrics_heapster_allowed_users: system:master-proxy -metrics_duration: 7 -metrics_resolution: 15s -metrics_node_id: nodename +openshift_metrics_duration: 7 +openshift_metrics_resolution: 15s +openshift_metrics_node_id: nodename diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml index a61fed7b4..a29faef31 100644 --- a/roles/openshift_metrics/tasks/cleanup.yaml +++ b/roles/openshift_metrics/tasks/cleanup.yaml 
@@ -1,14 +1,14 @@ --- - name: remove metrics components command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' delete --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" - name: remove rolebindings command: > - {{ openshift.common.client_binary }} -n {{ metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index b1ecf46b9..9f6a3348e 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -25,14 +25,14 @@ # TODO maybe there's an easier way to get the service accounts' ca crt? - name: get heapster service account secrets shell: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' get serviceaccount/default --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' | grep ^default-token- register: sa_secret - name: get heapster service account ca command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' get 'secret/{{ sa_secret.stdout }}' --template '{{ '{{index .data "ca.crt"}}' }}' register: sa_secret 
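Review bot: The two renamed `-n` arguments in cleanup.yaml are quoted differently: `-n '{{ openshift_metrics_project }}'` in the first task and `-n {{ openshift_metrics_project }}` in the second. The value scopes a `delete`, so it should be quoted in both places so that a project name containing shell-significant characters cannot alter the command line. The `changed_when` test against `'No resources found'` depends on the client's output wording; a comment such as `# client prints this when the selector matches nothing` would record that assumption.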
@@ -54,12 +54,12 @@ heapster.cert: "{{ heapster_secret.results[0].stdout }}" heapster.key: "{{ heapster_secret.results[1].stdout }}" heapster.client-ca: "{{ sa_secret.stdout }}" - heapster.allowed-users: "{{ heapster_allowed_users|b64encode }}" + heapster.allowed-users: "{{ openshift_metrics_heapster_allowed_users|b64encode }}" - name: generate hawkular-metrics certificates include: setup_certificate.yaml vars: component: hawkular-metrics - hostnames: "hawkular-metrics,{{ hawkular_metrics_hostname }}" + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml index d1bc7374a..9a72b24fe 100644 --- a/roles/openshift_metrics/tasks/generate_rolebindings.yaml +++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml @@ -27,4 +27,4 @@ subjects: - kind: ServiceAccount name: heapster - namespace: "{{ metrics_project }}" + namespace: "{{ openshift_metrics_project }}" diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 670396f6e..9a39cce34 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
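Review bot: The required hostname variable is renamed here to `openshift_metrics_hawkular_metrics_hostname`, while the README in this same commit documents it as `openshift_metrics_hostname`; users following the README will set the wrong variable and hit the `fail` task in tasks/main.yaml. tasks/main.yaml (same commit) also checks and reports `openshift_metrics_hawkular_metrics_hostname`, so the README is the odd one out and should be corrected to match. The task list enclosing this hunk continues outside it.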
@@ -10,35 +10,35 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ hawkular_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} - name: generate hawkular-cassandra persistent volume claims template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra access_modes: - ReadWriteOnce - size: "{{ hawkular_cassandra_pv_size }}" - with_sequence: count={{ hawkular_cassandra_nodes }} - when: hawkular_cassandra_storage_type == 'pv' + size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + when: openshift_metrics_hawkular_cassandra_storage_type == 'pv' - name: generate hawkular-cassandra persistent volume claims (dynamic) template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra annotations: volume.alpha.kubernetes.io/storage-class: dynamic access_modes: - ReadWriteOnce - size: "{{ hawkular_cassandra_pv_size }}" - with_sequence: count={{ hawkular_cassandra_nodes }} - when: hawkular_cassandra_storage_type == 'dynamic' + size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' - name: generate the hawkular-metrics route template: src: route.j2 diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index e9a5fbebd..79aae1e0b 100644 --- a/roles/openshift_metrics/tasks/main.yaml 
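Review bot: The two PVC tasks (`pv` and `dynamic`) are identical apart from the `annotations` key and the `when` value, and this rename had to be applied to both copies; they could be one task guarded by `when: openshift_metrics_hawkular_cassandra_storage_type in ['pv', 'dynamic']` that passes the storage-class annotation only in the dynamic case, since pvc.j2 already skips an empty `annotations`. If the tasks stay separate, a comment noting that both must be kept in sync would help. The task list enclosing this hunk continues outside it.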
+++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,13 +1,13 @@ --- - name: check that hawkular_metrics_hostname is set - fail: msg='the hawkular_metrics_hostname variable is required' - when: "{{ hawkular_metrics_hostname is not defined }}" -- name: check the value of hawkular_cassandra_storage_type + fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' + when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}" +- name: check the value of openshift_metrics_hawkular_cassandra_storage_type fail: msg: > - hawkular_cassandra_storage_type ({{ hawkular_cassandra_storage_type }}) + openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }}) is invalid, must be one of: emptydir, pv, dynamic - when: hawkular_cassandra_storage_type not in hawkular_cassandra_storage_types + when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types - name: Install Metrics include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" with_items: @@ -18,7 +18,7 @@ loop_var: include_file - name: create objects command: > - {{ openshift.common.client_binary }} -n '{{ metrics_project }}' + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' apply -f {{ item }} with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index bb8866263..525f32859 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -20,7 +20,7 @@ spec: spec: serviceAccount: cassandra containers: - - image: "{{ image_prefix }}metrics-cassandra:{{ image_version }}" + - image: "{{ openshift_metrics_image_prefix }}metrics-cassandra:{{ openshift_metrics_image_version }}" name: hawkular-cassandra-{{ node }} ports: - name: cql-port 
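Review bot: `when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}"` wraps the condition in Jinja delimiters; `when` is already evaluated as an expression, so it should be `when: openshift_metrics_hawkular_metrics_hostname is not defined`, matching the bare form used by the storage-type check just below (Ansible warns about templating delimiters in `when`). The task name on the context line, `check that hawkular_metrics_hostname is set`, was not renamed along with the variable and should read `check that openshift_metrics_hawkular_metrics_hostname is set`. The task list continues outside the hunk.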
@@ -83,11 +83,11 @@ spec: terminationGracePeriodSeconds: 1800 volumes: - name: cassandra-data -{% if hawkular_cassandra_storage_type == 'emptydir' %} +{% if openshift_metrics_hawkular_cassandra_storage_type == 'emptydir' %} emptyDir: {} {% else %} persistentVolumeClaim: - claimName: "{{ hawkular_cassandra_pv_prefix }}-{{ node }}" + claimName: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ node }}" {% endif %} - name: hawkular-cassandra-secrets secret: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index bcfe9dc84..6f1275809 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 @@ -18,7 +18,7 @@ spec: spec: serviceAccount: hawkular containers: - - image: {{image_prefix}}metrics-hawkular-metrics:{{image_version}} + - image: {{openshift_metrics_image_prefix}}metrics-hawkular-metrics:{{openshift_metrics_image_version}} name: hawkular-metrics ports: - name: http-endpoint @@ -36,7 +36,7 @@ spec: - "-Dhawkular.metrics.openshift.auth-methods=openshift-oauth,htpasswd" - "-Dhawkular.metrics.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file" - "-Dhawkular.metrics.allowed-cors-access-control-allow-headers=authorization" - - "-Dhawkular.metrics.default-ttl={{metrics_duration}}" + - "-Dhawkular.metrics.default-ttl={{openshift_metrics_duration}}" - "-Dhawkular-alerts.cassandra-nodes=hawkular-cassandra" - "-Dhawkular-alerts.cassandra-use-ssl" - "-Dhawkular.alerts.openshift.auth-methods=openshift-oauth,htpasswd" 
@@ -44,8 +44,8 @@ spec: - "-Dhawkular.alerts.allowed-cors-access-control-allow-headers=authorization" - "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true" - "-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true" - - "-DKUBERNETES_MASTER_URL={{master_url}}" - - "-DUSER_WRITE_ACCESS={{hawkular_user_write_access}}" + - "-DKUBERNETES_MASTER_URL={{openshift_metrics_master_url}}" + - "-DUSER_WRITE_ACCESS={{openshift_metrics_hawkular_user_write_access}}" - "--hmw.keystore=/secrets/hawkular-metrics.keystore" - "--hmw.truststore=/secrets/hawkular-metrics.truststore" - "--hmw.keystore_password_file=/secrets/hawkular-metrics.keystore.password" @@ -59,7 +59,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: MASTER_URL - value: "{{ master_url }}" + value: "{{ openshift_metrics_master_url }}" - name: OPENSHIFT_KUBE_PING_NAMESPACE valueFrom: fieldRef: diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index 779be0145..e4b4b9739 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 
@@ -20,29 +20,29 @@ spec: serviceAccountName: heapster containers: - name: heapster - image: {{image_prefix}}metrics-heapster:{{image_version}} + image: {{openshift_metrics_image_prefix}}metrics-heapster:{{openshift_metrics_image_version}} ports: - containerPort: 8082 name: "http-endpoint" command: - "heapster-wrapper.sh" - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users" - - "--source=kubernetes:{{master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250" + - "--source=kubernetes:{{openshift_metrics_master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250" - "--tls_cert=/secrets/heapster.cert" - "--tls_key=/secrets/heapster.key" - "--tls_client_ca=/secrets/heapster.client-ca" - "--allowed_users=%allowed_users%" - - "--metric_resolution={{metrics_resolution}}" -{% if not heapster_standalone %} + - "--metric_resolution={{openshift_metrics_resolution}}" +{% if not openshift_metrics_heapster_standalone %} - "--wrapper.username_file=/hawkular-account/hawkular-metrics.username" - "--wrapper.password_file=/hawkular-account/hawkular-metrics.password" - "--wrapper.endpoint_check=https://hawkular-metrics:443/hawkular/metrics/status" - - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)" + - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{openshift_metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)" {% endif %} volumeMounts: - name: heapster-secrets mountPath: "/secrets" -{% if not heapster_standalone %} +{% if not openshift_metrics_heapster_standalone %} - name: hawkular-metrics-certificate mountPath: "/hawkular-cert" - name: hawkular-metrics-account 
@@ -56,7 +56,7 @@ spec: - name: heapster-secrets secret: secretName: heapster-secrets -{% if not heapster_standalone %} +{% if not openshift_metrics_heapster_standalone %} - name: hawkular-metrics-certificate secret: secretName: hawkular-metrics-certificate diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml index eb02a87fd..25307c23c 100644 --- a/roles/openshift_metrics/vars/main.yaml +++ b/roles/openshift_metrics/vars/main.yaml @@ -1,4 +1,4 @@ -hawkular_cassandra_storage_types: +openshift_metrics_hawkular_cassandra_storage_types: - emptydir - pv - dynamic -- cgit v1.2.3 From b6ce0464142403785a7ba8eae664286082f4d30e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Barcarol=20Guimar=C3=A3es?= Date: Mon, 5 Dec 2016 16:34:32 +0000 Subject: Custom certificates (#5) * Generate secrets on a persistent directory. * Split certificate generation files. * Custom certificates. * Minor fixes. - use `slurp` instead of `shell: base64` - fix route hostname * Updates on origin-metrics. --- roles/openshift_metrics/README.md | 3 + roles/openshift_metrics/defaults/main.yaml | 3 + .../tasks/generate_certificates.yaml | 237 ++------------------- .../tasks/generate_hawkular_certificates.yaml | 227 ++++++++++++++++++++ .../tasks/generate_heapster_certificates.yaml | 39 ++++ .../openshift_metrics/tasks/install_hawkular.yaml | 8 +- roles/openshift_metrics/tasks/install_metrics.yaml | 2 +- .../openshift_metrics/tasks/setup_certificate.yaml | 60 +++--- .../templates/hawkular_cassandra_rc.j2 | 2 + .../templates/hawkular_metrics_rc.j2 | 2 + roles/openshift_metrics/templates/heapster.j2 | 5 +- 11 files changed, 330 insertions(+), 258 deletions(-) create mode 100644 roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml create mode 100644 roles/openshift_metrics/tasks/generate_heapster_certificates.yaml (limited to 'roles') diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index b79b472d3..092844870 100644 
--- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -55,6 +55,9 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). override this, make sure to add `system:master-proxy` to the list in order to allow horizontal pod autoscaling to function properly. +- `openshift_metrics_startup_timeout`: How long in seconds we should wait until + Hawkular Metrics and Heapster starts up before attempting a restart. + - `openshift_metrics_duration`: How many days metrics should be stored for. - `openshift_metrics_resolution`: How often metrics should be gathered. diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 8d2ff8a62..4b5ecadbf 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -3,12 +3,15 @@ openshift_metrics_image_prefix: docker.io/openshift/origin- openshift_metrics_image_version: latest openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_project: openshift-infra +openshift_metrics_startup_timeout: 500 openshift_metrics_hawkular_user_write_access: False openshift_metrics_hawkular_cassandra_nodes: 1 openshift_metrics_hawkular_cassandra_storage_type: emptydir openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra openshift_metrics_hawkular_cassandra_pv_size: 10Gi +openshift_metrics_certs_dir: > + {{ openshift.common.config_base }}/master/metrics openshift_metrics_heapster_standalone: False openshift_metrics_heapster_allowed_users: system:master-proxy diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 9f6a3348e..92ce919a1 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml 
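Review bot: `openshift_metrics_certs_dir: >` is a folded block scalar with default clip chomping, so the value carries a trailing newline; depending on how Ansible preserves trailing newlines when templating, that newline can end up in `path: "{{ openshift_metrics_certs_dir }}"` and in the `--key=` / `--cert=` / `--serial=` arguments in generate_certificates.yaml. Write it as a single quoted line, `openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"`, or use `>-` to strip the newline. `openshift_metrics_startup_timeout: 500` is described as seconds only in the README; an inline `# seconds` comment would keep the unit next to the value.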
@@ -1,233 +1,22 @@ --- -# TODO idempotency? -# TODO support providing custom certificates - name: create certificate output directory file: - path: "{{ mktemp.stdout }}/certs" + path: "{{ openshift_metrics_certs_dir }}" state: directory mode: 0700 +- name: list existing secrets + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + get secrets -o name + register: metrics_secrets + changed_when: false - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert - --key='{{ mktemp.stdout }}/certs/ca.key' - --cert='{{ mktemp.stdout }}/certs/ca.crt' - --serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --key='{{ openshift_metrics_certs_dir }}/ca.key' + --cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" -- name: generate heapster key/cert - command: > - {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/heapster.key' - --cert='{{ mktemp.stdout }}/certs/heapster.cert' - --hostnames=heapster - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' -# TODO maybe there's an easier way to get the service accounts' ca crt? 
-- name: get heapster service account secrets - shell: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get serviceaccount/default - --template '{{ '{{range .secrets}}{{println .name}}{{end}}' }}' - | grep ^default-token- - register: sa_secret -- name: get heapster service account ca - command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - get 'secret/{{ sa_secret.stdout }}' - --template '{{ '{{index .data "ca.crt"}}' }}' - register: sa_secret -- name: read files for the heapster secret - command: base64 --wrap 0 "{{ mktemp.stdout }}/certs/heapster.{{ item }}" - register: heapster_secret - with_items: - - cert - - key -- name: generate heapster secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml" - vars: - name: heapster-secrets - labels: - metrics-infra: heapster - data: - heapster.cert: "{{ heapster_secret.results[0].stdout }}" - heapster.key: "{{ heapster_secret.results[1].stdout }}" - heapster.client-ca: "{{ sa_secret.stdout }}" - heapster.allowed-users: "{{ openshift_metrics_heapster_allowed_users|b64encode }}" -- name: generate hawkular-metrics certificates - include: setup_certificate.yaml - vars: - component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" -- name: generate hawkular-cassandra certificates - include: setup_certificate.yaml - vars: - component: hawkular-cassandra - hostnames: hawkular-cassandra -# TODO keytool as dependency? move key/trust store generation to containers? 
-- name: import the hawkular metrics cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-metrics - -file '{{ mktemp.stdout|quote }}/certs/hawkular-metrics.cert' - -keystore '{{ mktemp.stdout|quote }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the hawkular cassandra cert into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" -- name: import the hawkular cassandra cert into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ mktemp.stdout }}/certs/hawkular-cassandra.cert' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" -- name: import the ca certificate into the cassandra truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-cassandra.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-cassandra-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: import the ca certificate into the hawkular metrics truststore - shell: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ mktemp.stdout }}/certs/ca.crt' - -keystore '{{ mktemp.stdout }}/certs/hawkular-metrics.truststore' - -storepass - "$(< "{{ mktemp.stdout|quote }}/certs/hawkular-metrics-truststore.pwd")" - with_items: - - ca - - metricca - - cassandraca -- name: generate password for htpasswd file for hawkular 
metrics - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_password -- name: generate password for hawkular metrics jgroups - shell: cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15 - register: hawkular_metrics_jgroups_password -- name: generate htpasswd file for hawkular metrics - shell: > - htpasswd -cb - "{{ mktemp.stdout|quote }}/certs/hawkular-metrics.htpasswd" hawkular - '{{ hawkular_metrics_password.stdout }}' -- name: generate the jgroups keystore - command: > - keytool -genseckey -alias hawkular - -keypass {{ hawkular_metrics_jgroups_password.stdout }} - -storepass {{ hawkular_metrics_jgroups_password.stdout }} - -keyalg Blowfish -keysize 56 -storetype JCEKS - -keystore {{ mktemp.stdout }}/certs/hawkular-jgroups.keystore -- name: read files for the hawkular-metrics secret - command: > - base64 --wrap 0 "{{ mktemp.stdout }}/certs/{{ item }}" - register: hawkular_metrics_secret - with_items: - - hawkular-metrics.keystore - - hawkular-metrics-keystore.pwd - - hawkular-metrics.truststore - - hawkular-metrics-truststore.pwd - - hawkular-metrics.htpasswd - - hawkular-metrics.cert - - ca.crt - - hawkular-cassandra.keystore - - hawkular-cassandra-keystore.pwd - - hawkular-cassandra.truststore - - hawkular-cassandra-truststore.pwd - - hawkular-cassandra.pem - - hawkular-cassandra.cert - - hawkular-jgroups.keystore -- name: generate hawkular-metrics-secrets secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml" - vars: - name: hawkular-metrics-secrets - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.keystore: > - "{{ hawkular_metrics_secret.results[0].stdout }}" - hawkular-metrics.keystore.password: > - "{{ hawkular_metrics_secret.results[1].stdout }}" - hawkular-metrics.truststore: > - "{{ hawkular_metrics_secret.results[2].stdout }}" - hawkular-metrics.truststore.password: > - "{{ hawkular_metrics_secret.results[3].stdout }}" - 
hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}" - hawkular-metrics.htpasswd.file: > - "{{ hawkular_metrics_secret.results[4].stdout }}" - hawkular-metrics.jgroups.keystore.password: > - "{{ hawkular_metrics_jgroups_password.stdout|b64encode }}" - hawkular-metrics.jgroups.keystore: > - "{{ hawkular_metrics_secret.results[13].stdout }}" - hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" -- name: generate hawkular-metrics-certificate secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml" - vars: - name: hawkular-metrics-certificate - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.certificate: > - "{{ hawkular_metrics_secret.results[5].stdout }}" - hawkular-metrics-ca.certificate: > - "{{ hawkular_metrics_secret.results[6].stdout }}" -- name: generate hawkular-metrics-account secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml" - vars: - name: hawkular-metrics-account - labels: - metrics-infra: hawkular-metrics - data: - hawkular-metrics.username: "{{ 'hawkular'|b64encode }}" - hawkular-metrics.password: > - "{{ hawkular_metrics_password.stdout|b64encode }}" -- name: generate cassandra secret template - template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml" - vars: - name: hawkular-cassandra-secrets - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.keystore: "{{ hawkular_metrics_secret.results[7].stdout }}" - cassandra.keystore.password: > - {{ hawkular_metrics_secret.results[8].stdout }} - cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}" - cassandra.truststore: "{{ hawkular_metrics_secret.results[9].stdout }}" - cassandra.truststore.password: > - {{ hawkular_metrics_secret.results[10].stdout }} - cassandra.pem: "{{ hawkular_metrics_secret.results[10].stdout }}" -- name: generate cassandra-certificate secret template - 
template: - src: secret.j2 - dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml" - vars: - name: hawkular-cassandra-certificate - labels: - metrics-infra: hawkular-cassandra - data: - cassandra.certificate: > - {{ hawkular_metrics_secret.results[11].stdout }} - cassandra-ca.certificate: > - {{ hawkular_metrics_secret.results[7].stdout }} + when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists +- include: generate_heapster_certificates.yaml +- include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml new file mode 100644 index 000000000..4e032ca7e --- /dev/null +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
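Review bot: the signer is regenerated only when `ca.key` is missing, while every leaf certificate (heapster here and the components handled by setup_certificate.yaml) is guarded on its own `<component>.key`, so deleting `ca.key` alone yields a new CA with the old leaf certs still in place and the truststores still holding the old signer under the existing aliases; a rotation attempted that way breaks TLS between the components rather than rotating it. Either make the leaf guards also fire when the cert predates `ca.crt`, or document the contract at the top of this file: `# CA key, leaf keys and passwords persist here across runs; to rotate, remove the whole openshift_metrics_certs_dir, not individual files`. Creating the directory 0700 is the right default now that it holds the CA private key; per Ansible convention quote the mode (`mode: '0700'`) so the YAML octal parsing is not relied on.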
@@ -0,0 +1,227 @@
+---
+- name: generate hawkular-metrics certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-metrics
+ hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}"
+- name: generate hawkular-cassandra certificates
+ include: setup_certificate.yaml
+ vars:
+ component: hawkular-cassandra
+ hostnames: hawkular-cassandra
+- name: check existing aliases on the hawkular-cassandra truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_cassandra_truststore_aliases
+ changed_when: false
+- name: check existing aliases on the hawkular-metrics truststore
+ shell: >
+ keytool -noprompt -list
+ -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ | sed -n '7~2s/,.*$//p'
+ register: hawkular_metrics_truststore_aliases
+ changed_when: false
+- name: import the hawkular metrics cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-metrics
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-metrics' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_metrics_truststore_aliases.stdout_lines
+- name: import the hawkular cassandra cert into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias hawkular-cassandra
+ -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ when: >
+ 'hawkular-cassandra' not in
+ hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the cassandra truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_cassandra_truststore_aliases.stdout_lines
+- name: import the ca certificate into the hawkular metrics truststore
+ shell: >
+ keytool -noprompt -import -v -trustcacerts
+ -alias '{{ item }}'
+ -file '{{ openshift_metrics_certs_dir }}/ca.crt'
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore'
+ -storepass "$(<
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')"
+ with_items:
+ - ca
+ - metricca
+ - cassandraca
+ when: item not in hawkular_metrics_truststore_aliases.stdout_lines
+- name: generate password for hawkular metrics and jgroups
+ shell: >
+ tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15
+ > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'
+ with_items:
+ - hawkular-metrics
+ - hawkular-jgroups-keystore
+ when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists
+- name: generate htpasswd file for hawkular metrics
+ shell: >
+ htpasswd -ci
+ '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd' hawkular
+ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists
+- name: generate the jgroups keystore
+ shell: >
+ p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' )
+ &&
+ keytool -genseckey -alias hawkular
+ -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS
+ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'
+ when: >
+ not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists
+- name: read files for the hawkular-metrics secret
+ shell: >
+ printf '%s: ' '{{ item }}'
+ && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}'
+ register: hawkular_secrets
+ with_items:
+ - ca.crt
+ - hawkular-metrics.crt
+ - hawkular-metrics.keystore
+ - hawkular-metrics-keystore.pwd
+ - hawkular-metrics.truststore
+ - hawkular-metrics-truststore.pwd
+ - hawkular-metrics.pwd
+ - hawkular-metrics.htpasswd
+ - hawkular-jgroups.keystore
+ - hawkular-jgroups-keystore.pwd
+ - hawkular-cassandra.crt
+ - hawkular-cassandra.pem
+ - hawkular-cassandra.keystore
+ - hawkular-cassandra-keystore.pwd
+ - hawkular-cassandra.truststore
+ - hawkular-cassandra-truststore.pwd
+ changed_when: false
+- set_fact:
+ hawkular_secrets: |
+ {{ hawkular_secrets.results|map(attribute='stdout')|join('
+ ')|from_yaml }}
+- name: generate hawkular-metrics-secrets secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_secrets.yaml"
+ vars:
+ name: hawkular-metrics-secrets
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.keystore: >
+ {{ hawkular_secrets['hawkular-metrics.keystore'] }}
+ hawkular-metrics.keystore.password: >
+ {{ hawkular_secrets['hawkular-metrics-keystore.pwd'] }}
+ hawkular-metrics.truststore: >
+ {{ hawkular_secrets['hawkular-metrics.truststore'] }}
+ hawkular-metrics.truststore.password: >
+ {{ hawkular_secrets['hawkular-metrics-truststore.pwd'] }}
+ hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
+ hawkular-metrics.htpasswd.file: >
+ {{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
+ hawkular-metrics.jgroups.keystore: >
+ {{ hawkular_secrets['hawkular-jgroups.keystore'] }}
+ hawkular-metrics.jgroups.keystore.password: >
+ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }}
+ hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_certificate.yaml"
+ vars:
+ name: hawkular-metrics-certificate
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.certificate: >
+ {{ hawkular_secrets['hawkular-metrics.crt'] }}
+ hawkular-metrics-ca.certificate: >
+ {{ hawkular_secrets['ca.crt'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate hawkular-metrics-account secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_account.yaml"
+ vars:
+ name: hawkular-metrics-account
+ labels:
+ metrics-infra: hawkular-metrics
+ data:
+ hawkular-metrics.username: "{{ 'hawkular'|b64encode }}"
+ hawkular-metrics.password: >
+ {{ hawkular_secrets['hawkular-metrics.pwd'] }}
+ when: name not in metrics_secrets.stdout_lines
+- name: generate cassandra secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_secrets.yaml"
+ vars:
+ name: hawkular-cassandra-secrets
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.keystore: >
+ {{ hawkular_secrets['hawkular-cassandra.keystore'] }}
+ cassandra.keystore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-keystore.pwd'] }}
+ cassandra.keystore.alias: "{{ 'hawkular-cassandra'|b64encode }}"
+ cassandra.truststore: >
+ {{ hawkular_secrets['hawkular-cassandra.truststore'] }}
+ cassandra.truststore.password: >
+ {{ hawkular_secrets['hawkular-cassandra-truststore.pwd'] }}
+ cassandra.pem: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets
+- name: generate cassandra-certificate secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/cassandra_certificate.yaml"
+ vars:
+ name: hawkular-cassandra-certificate
+ labels:
+ metrics-infra: hawkular-cassandra
+ data:
+ cassandra.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.crt'] }}
+ cassandra-ca.certificate: >
+ {{ hawkular_secrets['hawkular-cassandra.pem'] }}
+ when: name not in metrics_secrets.stdout_lines
diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
new file mode 100644
index 000000000..2fc449520
--- /dev/null
+++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
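Review bot: `cassandra-ca.certificate` in the `hawkular-cassandra-certificate` secret is filled from `hawkular_secrets['hawkular-cassandra.pem']`, and that `.pem` is the concatenation of `hawkular-cassandra.key` and `hawkular-cassandra.crt` produced in setup_certificate.yaml, so the Cassandra private key lands in a secret whose name and other field (`cassandra.certificate`) say it only carries public certificates and which may therefore be mounted more widely than `hawkular-cassandra-secrets`. The value should be the signer, `{{ hawkular_secrets['ca.crt'] }}`, matching `hawkular-metrics-ca.certificate` above. Separately, the idempotency guards here compare the bare `name` against `metrics_secrets.stdout_lines`, but `oc get secrets -o name` prints `secret/<name>` (the heapster task compares `'secret/heapster-secrets'` for that reason), so these conditions are always true and the secret templates are regenerated on every run; the cassandra-secrets task additionally compares against `metrics_secrets` without `.stdout_lines`. Use `when: ('secret/' ~ name) not in metrics_secrets.stdout_lines` on all five template tasks.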
@@ -0,0 +1,39 @@
+---
+- name: generate heapster key/cert
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --key='{{ openshift_metrics_certs_dir }}/heapster.key'
+ --cert='{{ openshift_metrics_certs_dir }}/heapster.cert'
+ --hostnames=heapster
+ --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
+ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
+ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ when: not '{{ openshift_metrics_certs_dir }}/heapster.key'|exists
+- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
+ block:
+ - name: read files for the heapster secret
+ slurp: src={{ item }}
+ register: heapster_secret
+ with_items:
+ - "{{ openshift_metrics_certs_dir }}/heapster.cert"
+ - "{{ openshift_metrics_certs_dir }}/heapster.key"
+ - "{{ client_ca }}"
+ vars:
+ custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt"
+ default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"
+ - name: generate heapster secret template
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
+ force: no
+ vars:
+ name: heapster-secrets
+ labels:
+ metrics-infra: heapster
+ data:
+ heapster.cert: "{{ heapster_secret.results[0].content }}"
+ heapster.key: "{{ heapster_secret.results[1].content }}"
+ heapster.client-ca: "{{ heapster_secret.results[2].content }}"
+ heapster.allowed-users: >
+ {{ openshift_metrics_heapster_allowed_users|b64encode }}
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
index 9a39cce34..d7a029fa8 100644
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
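Review bot: when no `heapster_client_ca.crt` is present, `client_ca` resolves to the master `ca-bundle.crt`, so at the TLS layer heapster will accept any client certificate issued by the cluster CA and, as far as this role shows, the only thing narrowing who may scrape it is the CN allow-list shipped as `heapster.allowed-users` (default `system:master-proxy`). That is presumably intended, but the decision should be stated where it is made, e.g. above `default_ca:`: `# Any cert signed by the cluster CA passes TLS client auth; heapster.allowed-users is the effective gate`, and the README entry for `openshift_metrics_heapster_allowed_users` should say the same. The `heapster_client_ca.crt` override is only discoverable from this task; list it with the other custom-certificate inputs in the README. `force: no` on the template task would keep a stale `heapster_secrets.yaml` if one were already in the temp dir; it is harmless only because the directory comes from a fresh `mktemp` each run, so a short comment saying so would spare the next reader the question.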
@@ -39,6 +39,9 @@ size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' +- name: read hawkular-metrics route destination ca certificate + slurp: src={{ openshift_metrics_certs_dir }}/ca.crt + register: metrics_route_dest_ca_cert - name: generate the hawkular-metrics route template: src: route.j2 @@ -47,11 +50,10 @@ name: hawkular-metrics labels: metrics-infra: hawkular-metrics - host: hawkular-metrics.example.com + host: "{{ openshift_metrics_hawkular_metrics_hostname }}" to: kind: Service name: hawkular-metrics tls: termination: reencrypt - destination_ca_certificate: > - {{ hawkular_metrics_secret.results[6].stdout|b64decode }} + destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}" diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 34b4a47fe..5d95fa112 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -11,7 +11,7 @@ file: path={{mktemp.stdout}}/templates state=directory mode=0755 changed_when: False +- include: generate_certificates.yaml - include: generate_serviceaccounts.yaml - include: generate_services.yaml -- include: generate_certificates.yaml - include: generate_rolebindings.yaml diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 46ac4ea7f..d6ee4167b 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
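Review bot: `destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}"` passes the raw `slurp` result to the route, and `slurp` returns `content` base64-encoded; the removed line applied `|b64decode` for exactly that reason, and a reencrypt route needs the destination CA as PEM text, so as written the router cannot validate the hawkular-metrics backend certificate. Change it to `destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}"`. Replacing the `hawkular-metrics.example.com` placeholder with `openshift_metrics_hawkular_metrics_hostname` is right, since the server cert generated in setup_certificate.yaml is issued for that hostname via `--hostnames`. The route template task continues outside the hunk.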
@@ -2,49 +2,51 @@ - name: generate {{ component }} keys command: > {{ openshift.common.admin_binary }} ca create-server-cert - --key='{{ mktemp.stdout }}/certs/{{ component }}.key' - --cert='{{ mktemp.stdout }}/certs/{{ component }}.crt' + --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' + --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ mktemp.stdout }}/certs/ca.crt' - --signer-key='{{ mktemp.stdout }}/certs/ca.key' - --signer-serial='{{ mktemp.stdout }}/certs/ca.serial.txt' + --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' + --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' + --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists - name: generate {{ component }} certificate shell: > cat - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.key' - '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.crt' - > '{{ mktemp.stdout|quote }}/certs/{{ component|quote }}.pem' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.key' + '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.crt' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.pem' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore - shell: tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - register: keystore_pwd -- name: create the password file for {{ component }} shell: > - echo '{{ keystore_pwd.stdout|quote }}' - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-keystore.pwd' + tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd' + when: > + not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ mktemp.stdout }}/certs/{{ 
component }}.pem' - -out '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter - -password 'pass:{{ keystore_pwd.stdout }}' + -password + 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: create the {{ component }} keystore from the pkcs12 file - command: > + shell: > + p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) + && keytool -v -importkeystore - -srckeystore '{{ mktemp.stdout }}/certs/{{ component }}.pkcs12' + -srckeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -srcstoretype PKCS12 - -destkeystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' + -destkeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore' -deststoretype JKS - -deststorepass '{{ keystore_pwd.stdout }}' - -srcstorepass '{{ keystore_pwd.stdout }}' -- name: create the {{ component }} certificate - command: > - keytool -noprompt -export - -alias '{{ component }}' - -file '{{ mktemp.stdout }}/certs/{{ component }}.cert' - -keystore '{{ mktemp.stdout }}/certs/{{ component }}.keystore' - -storepass '{{ keystore_pwd.stdout }}' + -deststorepass "$p" + -srcstorepass "$p" + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - name: generate random password for the {{ component }} truststore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ mktemp.stdout }}/certs/{{ component|quote }}-truststore.pwd' + > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-truststore.pwd' + when: > + not + '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 525f32859..158d0d1a3 100644 
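Review bot: the `.pem` written by the `cat` redirection holds the private key followed by the certificate, and like the `*-keystore.pwd` and `*-truststore.pwd` files created by `tr ... > file` it receives whatever mode the remote shell's umask yields; nothing in this file sets an explicit mode, so the 0700 on `openshift_metrics_certs_dir` is the only thing keeping key and password material from other local users. Prefix those shell tasks with `umask 077 &&` (or follow them with a `file: path=... mode=0600` task) so the files are 0600 regardless of the directory. The `openssl pkcs12` step now reads the password via `-password file:`, which is good, but the `keytool -importkeystore` step still passes `-srcstorepass "$p"` and `-deststorepass "$p"` on the command line, where it is visible in the process list for the duration of the call; keytool accepts `-srcstorepass:file <path>` and `-deststorepass:file <path>` for this. `component|quote` is applied to some path arguments in this file and omitted from others; pick one form throughout.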
--- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -49,6 +49,8 @@ spec: value: "{{ master }}" - name: CASSANDRA_DATA_VOLUME value: "/cassandra_data" + - name: JVM_OPTS + value: "-Dcassandra.commitlog.ignorereplayerrors=true" - name: POD_NAMESPACE valueFrom: fieldRef: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index 6f1275809..647a4bfbb 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 @@ -66,6 +66,8 @@ spec: fieldPath: metadata.namespace - name: OPENSHIFT_KUBE_PING_LABELS value: "metrics-infra=hawkular-metrics,name=hawkular-metrics" + - name: STARTUP_TIMEOUT + value: "{{ openshift_metrics_startup_timeout }}" volumeMounts: - name: hawkular-metrics-secrets mountPath: "/secrets" diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index e4b4b9739..90227db68 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 @@ -27,7 +27,7 @@ spec: command: - "heapster-wrapper.sh" - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users" - - "--source=kubernetes:{{openshift_metrics_master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250" + - "--source=kubernetes.summary_api:${MASTER_URL}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250" - "--tls_cert=/secrets/heapster.cert" - "--tls_key=/secrets/heapster.key" - "--tls_client_ca=/secrets/heapster.client-ca" 
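Review bot: `-Dcassandra.commitlog.ignorereplayerrors=true` makes Cassandra skip commit-log segments it cannot replay instead of refusing to start, trading a hard failure for silently dropping the un-flushed writes after a crash or corruption, and nothing in the template says why that is acceptable here. Add a comment above the `JVM_OPTS` entry giving the actual motivation and the trade-off, along the lines of `{# ignorereplayerrors lets Cassandra come up after a damaged commit log at the cost of losing the unreplayed writes; reason: <fill in> #}`, or expose it as a role variable so operators who prefer the hard failure can turn it off. The container spec starts and ends outside the hunk.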
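Review bot: the new `--source` argument uses `${MASTER_URL}`, but Kubernetes only expands `$(VAR)` references in a container's `command`/`args`, never `${VAR}`, and this template defines no `MASTER_URL` variable (the `env:` block added in the next hunk introduces only `STARTUP_TIMEOUT`); unless `heapster-wrapper.sh` itself performs shell expansion on its arguments, heapster is handed the literal string and the source is unusable. The role already ships `openshift_metrics_master_url` in defaults, so the safe form is `- "--source=kubernetes.summary_api:{{openshift_metrics_master_url}}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250"`, or add `MASTER_URL` to `env:` and reference it as `$(MASTER_URL)`. The container spec starts and ends outside the hunk.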
@@ -39,6 +39,9 @@ spec: - "--wrapper.endpoint_check=https://hawkular-metrics:443/hawkular/metrics/status" - "--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&labelNodeId={{openshift_metrics_node_id}}&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=%username%&pass=%password%&filter=label(container_name:^system.slice.*|^user.slice)" {% endif %} + env: + - name: STARTUP_TIMEOUT + value: "{{ openshift_metrics_startup_timeout }}" volumeMounts: - name: heapster-secrets mountPath: "/secrets" -- cgit v1.2.3 From ee931f90dbab01596bd90fa8007ac49de5178a17 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 14 Dec 2016 14:36:28 -0500 Subject: Add tasks to uninstall metrics (#7) --- roles/openshift_metrics/defaults/main.yaml | 4 ++-- roles/openshift_metrics/tasks/cleanup.yaml | 14 ----------- roles/openshift_metrics/tasks/install_metrics.yaml | 24 +++++++------------ roles/openshift_metrics/tasks/install_support.yaml | 5 ++++ roles/openshift_metrics/tasks/main.yaml | 27 +++++++++++++++------- .../openshift_metrics/tasks/uninstall_metrics.yaml | 14 +++++++++++ 6 files changed, 48 insertions(+), 40 deletions(-) delete mode 100644 roles/openshift_metrics/tasks/cleanup.yaml create mode 100644 roles/openshift_metrics/tasks/install_support.yaml create mode 100644 roles/openshift_metrics/tasks/uninstall_metrics.yaml (limited to 'roles') diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 4b5ecadbf..7f9a5f36a 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -1,4 +1,5 @@ --- +openshift_metrics_install_metrics: True openshift_metrics_image_prefix: docker.io/openshift/origin- openshift_metrics_image_version: latest openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local 
@@ -10,8 +11,7 @@ openshift_metrics_hawkular_cassandra_nodes: 1 openshift_metrics_hawkular_cassandra_storage_type: emptydir openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra openshift_metrics_hawkular_cassandra_pv_size: 10Gi -openshift_metrics_certs_dir: > - {{ openshift.common.config_base }}/master/metrics +openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_heapster_standalone: False openshift_metrics_heapster_allowed_users: system:master-proxy diff --git a/roles/openshift_metrics/tasks/cleanup.yaml b/roles/openshift_metrics/tasks/cleanup.yaml deleted file mode 100644 index a29faef31..000000000 --- a/roles/openshift_metrics/tasks/cleanup.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: remove metrics components - command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' - delete --selector=metrics-infra - all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings - register: delete_metrics - changed_when: "delete_metrics.stdout != 'No resources found'" -- name: remove rolebindings - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - delete --ignore-not-found - rolebinding/hawkular-view - clusterrolebinding/heapster-cluster-reader diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 5d95fa112..db023e6a2 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml 
@@ -1,17 +1,9 @@
 ---
-# This is the base configuration for installing the other components
-- name: Create temp directory for doing work in
- command: mktemp -td openshift-metrics-ansible-XXXXXX
- register: mktemp
- changed_when: False
-
-- debug: msg="Created temp dir {{mktemp.stdout}}"
-
-- name: Create temp directory for all our templates
- file: path={{mktemp.stdout}}/templates state=directory mode=0755
- changed_when: False
-
-- include: generate_certificates.yaml
-- include: generate_serviceaccounts.yaml
-- include: generate_services.yaml
-- include: generate_rolebindings.yaml
+- name: Install Metrics
+ include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml"
+ with_items:
+ - support
+ - heapster
+ - hawkular
+ loop_control:
+ loop_var: include_file
diff --git a/roles/openshift_metrics/tasks/install_support.yaml b/roles/openshift_metrics/tasks/install_support.yaml
new file mode 100644
index 000000000..b0e4bec80
--- /dev/null
+++ b/roles/openshift_metrics/tasks/install_support.yaml
@@ -0,0 +1,5 @@
+---
+- include: generate_certificates.yaml
+- include: generate_serviceaccounts.yaml
+- include: generate_services.yaml
+- include: generate_rolebindings.yaml
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
index 79aae1e0b..adedd4069 100644
--- a/roles/openshift_metrics/tasks/main.yaml
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -2,20 +2,31 @@ - name: check that hawkular_metrics_hostname is set fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}" + - name: check the value of openshift_metrics_hawkular_cassandra_storage_type fail: msg: > openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }}) is invalid, must be one of: emptydir, pv, dynamic when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types -- name: Install Metrics - include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" - with_items: - - metrics - - heapster - - hawkular - loop_control: - loop_var: include_file + +- name: Create temp directory for doing work in + command: mktemp -td openshift-metrics-ansible-XXXXXX + register: mktemp + changed_when: False + +- debug: msg="Created temp dir {{mktemp.stdout}}" + +- name: Create temp directory for all our templates + file: path={{mktemp.stdout}}/templates state=directory mode=0755 + changed_when: False + +- include: "{{role_path}}/tasks/install_metrics.yaml" + when: openshift_metrics_install_metrics | default(false) | bool + +- include: "{{role_path}}/tasks/uninstall_metrics.yaml" + when: not openshift_metrics_install_metrics | default(false) | bool + - name: create objects command: > {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml new file mode 100644 index 000000000..a29faef31 --- /dev/null +++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml 
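Review bot: The `Create temp directory for doing work in` task has `changed_when: False` but no `check_mode: no`, so under `--check` the `mktemp` command is skipped and every later `{{ mktemp.stdout }}` reference (the `file` task, the includes, `create objects`) fails on an undefined attribute; add `check_mode: no` to both the `mktemp` and the `templates` directory tasks. Nothing in this hunk, or anywhere else on this page, removes the temp directory afterwards, and the templates rendered into it presumably include secret material (the diffstat lists `templates/secret.j2`), so a final task `- file: path={{ mktemp.stdout }} state=absent` with `changed_when: False` should close main.yaml. The rest of main.yaml lies outside the hunk.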
@@ -0,0 +1,14 @@ +--- +- name: remove metrics components + command: > + {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' + delete --selector=metrics-infra + all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings + register: delete_metrics + changed_when: "delete_metrics.stdout != 'No resources found'" +- name: remove rolebindings + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + delete --ignore-not-found + rolebinding/hawkular-view + clusterrolebinding/heapster-cluster-reader -- cgit v1.2.3 From 84b1c4848f610c5792809bb2e9e5b0d8f77ea50c Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 14 Dec 2016 14:40:36 -0500 Subject: copy admin cert for use in subsequent tasks (#8) --- roles/openshift_metrics/tasks/generate_certificates.yaml | 4 +++- .../tasks/generate_heapster_certificates.yaml | 4 +++- roles/openshift_metrics/tasks/main.yaml | 12 ++++++++++-- roles/openshift_metrics/tasks/setup_certificate.yaml | 1 + roles/openshift_metrics/tasks/uninstall_metrics.yaml | 4 ++-- 5 files changed, 19 insertions(+), 6 deletions(-) (limited to 'roles') diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 92ce919a1..66cfbca03 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml 
@@ -7,16 +7,18 @@ - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig get secrets -o name register: metrics_secrets changed_when: false - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert + --config={{ mktemp.stdout }}/admin.kubeconfig --key='{{ openshift_metrics_certs_dir }}/ca.key' --cert='{{ openshift_metrics_certs_dir }}/ca.crt' --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" - when: not '{{ openshift_metrics_certs_dir }}/ca.key'|exists + when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists - include: generate_heapster_certificates.yaml - include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml index 2fc449520..2449b1518 100644 --- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml @@ -2,13 +2,15 @@ - name: generate heapster key/cert command: > {{ openshift.common.admin_binary }} ca create-server-cert + --config={{ mktemp.stdout }}/admin.kubeconfig --key='{{ openshift_metrics_certs_dir }}/heapster.key' --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' --hostnames=heapster --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/heapster.key'|exists + when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists + - when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines" block: - name: read files for the heapster secret 
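Review bot: The `generate ca certificate chain` guard only tests `ca.key`, yet the server-cert tasks in the heapster hunk pass `--signer-cert=…/ca.crt` and `--signer-serial=…/ca.serial.txt` as well; after a partial earlier run that left the key but not the cert or serial, the signer is never recreated and every `create-server-cert` call fails. Guard on the cert too, e.g. `when: not ('{{ openshift_metrics_certs_dir }}/ca.key' | exists and '{{ openshift_metrics_certs_dir }}/ca.crt' | exists)`. The same single-file guard pattern is used for `heapster.key` in the second hunk and presumably in `setup_certificate.yaml`, so the fix applies there as well. Both hunks are excerpts of longer task files.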
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index adedd4069..d4bafdc30 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,7 +1,7 @@ --- - name: check that hawkular_metrics_hostname is set fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: "{{ openshift_metrics_hawkular_metrics_hostname is not defined }}" + when: openshift_metrics_hawkular_metrics_hostname is not defined - name: check the value of openshift_metrics_hawkular_cassandra_storage_type fail: @@ -21,6 +21,13 @@ file: path={{mktemp.stdout}}/templates state=directory mode=0755 changed_when: False +- name: Copy the admin client config(s) + command: > + cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig + changed_when: False + check_mode: no + tags: metrics_init + - include: "{{role_path}}/tasks/install_metrics.yaml" when: openshift_metrics_install_metrics | default(false) | bool @@ -29,7 +36,8 @@ - name: create objects command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{ item }} with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index d6ee4167b..52e748234 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml @@ -2,6 +2,7 @@ - name: generate {{ component }} keys command: > {{ openshift.common.admin_binary }} ca create-server-cert + --config={{ mktemp.stdout }}/admin.kubeconfig --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' --hostnames='{{ hostnames }}' 
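Review bot: `Copy the admin client config(s)` places a copy of the cluster-admin kubeconfig under `{{ mktemp.stdout }}` and no task on this page ever deletes it, so the credential outlives the play in a temp directory on the host. Either reference the source file directly, `--config={{ openshift.common.config_base }}/master/admin.kubeconfig`, in the tasks that now pass `--config`, or add a final `- file: path={{ mktemp.stdout }} state=absent` to main.yaml (whose remaining tasks are outside this hunk) so the copy is removed together with the rendered templates. If the copy is deliberate (for instance to keep `oc` from touching the master's file), a comment above the task stating that reason would prevent a later reviewer from removing it.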
diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml index a29faef31..cf9b5171c 100644 --- a/roles/openshift_metrics/tasks/uninstall_metrics.yaml +++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml @@ -1,14 +1,14 @@ --- - name: remove metrics components command: > - {{ openshift.common.client_binary }} -n '{{ openshift_metrics_project }}' + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig delete --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" - name: remove rolebindings command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader -- cgit v1.2.3 From 9d0b2eed6f2b897280660949d12e09a3b7993b2b Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 15 Dec 2016 10:34:58 -0500 Subject: rename variables to be less extraneous (#10) --- roles/openshift_metrics/README.md | 10 ++++++---- roles/openshift_metrics/defaults/main.yaml | 10 ++++++---- roles/openshift_metrics/tasks/install_hawkular.yaml | 21 ++++++++++++--------- roles/openshift_metrics/tasks/main.yaml | 6 +++--- .../templates/hawkular_cassandra_rc.j2 | 4 ++-- roles/openshift_metrics/vars/main.yaml | 2 +- 6 files changed, 30 insertions(+), 23 deletions(-) (limited to 'roles') diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index 092844870..d1b9a79a9 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md 
@@ -33,18 +33,20 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). any user will be able to write metrics to the system which can affect performance and use Cassandra disk usage to unpredictably increase. -- `openshift_metrics_hawkular_cassandra_nodes`: The number of Cassandra Nodes to deploy for the +- `openshift_metrics_hawkular_replicas:` The number of replicas for Hawkular metrics. + +- `openshift_metrics_cassandra_nodes`: The number of Cassandra Nodes to deploy for the initial cluster. -- `openshift_metrics_hawkular_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for +- `openshift_metrics_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for testing), `pv` to use persistent volumes (which need to be created before the installation) or `dynamic` for dynamic persistent volumes. -- `openshift_metrics_hawkular_cassandra_pv_prefix`: The name of persistent volume claims created +- `openshift_metrics_cassandra_pv_prefix`: The name of persistent volume claims created for cassandra will be this with a serial number appended to the end, starting from 1. -- `openshift_metrics_hawkular_cassandra_pv_size`: The persistent volume size for each of the +- `openshift_metrics_cassandra_pv_size`: The persistent volume size for each of the Cassandra nodes. - `openshift_metrics_heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 7f9a5f36a..4538099a3 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml 
@@ -7,10 +7,12 @@ openshift_metrics_project: openshift-infra openshift_metrics_startup_timeout: 500 openshift_metrics_hawkular_user_write_access: False -openshift_metrics_hawkular_cassandra_nodes: 1 -openshift_metrics_hawkular_cassandra_storage_type: emptydir -openshift_metrics_hawkular_cassandra_pv_prefix: metrics-cassandra -openshift_metrics_hawkular_cassandra_pv_size: 10Gi +openshift_metrics_hawkular_replicas: 1 + +openshift_metrics_cassandra_nodes: 1 +openshift_metrics_cassandra_storage_type: emptydir +openshift_metrics_cassandra_pv_prefix: metrics-cassandra +openshift_metrics_cassandra_pv_size: 10Gi openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_heapster_standalone: False diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index d7a029fa8..6e503c8c1 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml 
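Review bot: Renaming `openshift_metrics_hawkular_cassandra_*` to `openshift_metrics_cassandra_*` without a compatibility check means an inventory still using the old names silently gets the defaults (for example `emptydir` storage instead of the `pv` it configured), and Ansible will not warn. A guard next to the storage-type validation, `- fail: msg="openshift_metrics_hawkular_cassandra_* variables were renamed to openshift_metrics_cassandra_*"` with `when: openshift_metrics_hawkular_cassandra_storage_type is defined or openshift_metrics_hawkular_cassandra_nodes is defined`, would turn that into a clear failure. The README hunk documents the new names but does not mention the rename either.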
@@ -10,35 +10,38 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_nodes }} + - name: generate hawkular-cassandra persistent volume claims template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra access_modes: - ReadWriteOnce - size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} - when: openshift_metrics_hawkular_cassandra_storage_type == 'pv' + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_nodes }} + when: openshift_metrics_cassandra_storage_type == 'pv' + - name: generate hawkular-cassandra persistent volume claims (dynamic) template: src: pvc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" vars: - obj_name: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ item }}" + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" labels: metrics-infra: hawkular-cassandra annotations: volume.alpha.kubernetes.io/storage-class: dynamic access_modes: - ReadWriteOnce - size: "{{ openshift_metrics_hawkular_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_hawkular_cassandra_nodes }} - when: openshift_metrics_hawkular_cassandra_storage_type == 'dynamic' + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_nodes }} + when: openshift_metrics_cassandra_storage_type == 'dynamic' + - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert 
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index d4bafdc30..74abd120f 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -3,12 +3,12 @@ fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' when: openshift_metrics_hawkular_metrics_hostname is not defined -- name: check the value of openshift_metrics_hawkular_cassandra_storage_type +- name: check the value of openshift_metrics_cassandra_storage_type fail: msg: > - openshift_metrics_hawkular_cassandra_storage_type ({{ openshift_metrics_hawkular_cassandra_storage_type }}) + openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) is invalid, must be one of: emptydir, pv, dynamic - when: openshift_metrics_hawkular_cassandra_storage_type not in openshift_metrics_hawkular_cassandra_storage_types + when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - name: Create temp directory for doing work in command: mktemp -td openshift-metrics-ansible-XXXXXX diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 158d0d1a3..7cea5f040 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -85,11 +85,11 @@ spec: terminationGracePeriodSeconds: 1800 volumes: - name: cassandra-data -{% if openshift_metrics_hawkular_cassandra_storage_type == 'emptydir' %} +{% if openshift_metrics_cassandra_storage_type == 'emptydir' %} emptyDir: {} {% else %} persistentVolumeClaim: - claimName: "{{ openshift_metrics_hawkular_cassandra_pv_prefix }}-{{ node }}" + claimName: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ node }}" {% endif %} - name: hawkular-cassandra-secrets secret: 
diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml index 25307c23c..de3bb878d 100644 --- a/roles/openshift_metrics/vars/main.yaml +++ b/roles/openshift_metrics/vars/main.yaml @@ -1,4 +1,4 @@ -openshift_metrics_hawkular_cassandra_storage_types: +openshift_metrics_cassandra_storage_types: - emptydir - pv - dynamic -- cgit v1.2.3 From b335bd4e88d5ec50aa3106f789f4e08a8baac9b2 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Thu, 15 Dec 2016 15:46:10 -0500 Subject: allow definition of cpu/memory limits/resources (#11) --- roles/openshift_metrics/README.md | 11 ++++++++ roles/openshift_metrics/defaults/main.yaml | 14 ++++++++++- .../templates/hawkular_cassandra_rc.j2 | 29 ++++++++++++++++++++++ .../templates/hawkular_metrics_rc.j2 | 29 ++++++++++++++++++++++ roles/openshift_metrics/templates/heapster.j2 | 29 ++++++++++++++++++++++ 5 files changed, 111 insertions(+), 1 deletion(-) (limited to 'roles') diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index d1b9a79a9..8c67d193d 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -64,6 +64,17 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). - `openshift_metrics_resolution`: How often metrics should be gathered. +## Additional variables to control resource limits +Each metrics component (hawkular, cassandra, heapster) can specify a cpu and memory limits and requests by setting +the corresponding role variable: +``` +openshift_metrics__(limits|requests)_(memory|cpu): +``` +e.g +``` +openshift_metrics_cassandra_limits_memory: 1G +openshift_metrics_hawkular_requests_cpu: 100 +``` Dependencies ------------ diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 4538099a3..ae24e1972 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml 
@@ -5,18 +5,30 @@ openshift_metrics_image_version: latest openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_project: openshift-infra openshift_metrics_startup_timeout: 500 +openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_hawkular_user_write_access: False openshift_metrics_hawkular_replicas: 1 +openshift_metrics_hawkular_limits_memory: 2.5G +openshift_metrics_hawkular_limits_cpu: null +openshift_metrics_hawkular_requests_memory: 1.5G +openshift_metrics_hawkular_requests_cpu: null openshift_metrics_cassandra_nodes: 1 openshift_metrics_cassandra_storage_type: emptydir openshift_metrics_cassandra_pv_prefix: metrics-cassandra openshift_metrics_cassandra_pv_size: 10Gi -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" +openshift_metrics_cassandra_limits_memory: 2G +openshift_metrics_cassandra_limits_cpu: null +openshift_metrics_cassandra_requests_memory: 1G +openshift_metrics_cassandra_requests_cpu: null openshift_metrics_heapster_standalone: False openshift_metrics_heapster_allowed_users: system:master-proxy +openshift_metrics_heapster_limits_memory: 3.75G +openshift_metrics_heapster_limits_cpu: null +openshift_metrics_heapster_requests_memory: 0.9375G +openshift_metrics_heapster_requests_cpu: null openshift_metrics_duration: 7 openshift_metrics_resolution: 15s diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 7cea5f040..7ce1a6a87 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 
@@ -69,6 +69,35 @@ spec: mountPath: "/cassandra_data" - name: hawkular-cassandra-secrets mountPath: "/secret" +{% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none) + or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none) + or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none) + or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) +%} + resources: +{% if (openshift_metrics_cassandra_limits_cpu is not none + or openshift_metrics_cassandra_limits_memory is not none) +%} + limits: +{% if openshift_metrics_cassandra_limits_cpu is not none %} + cpu: "{{openshift_metrics_cassandra_limits_cpu}}" +{% endif %} +{% if openshift_metrics_cassandra_limits_memory is not none %} + memory: "{{openshift_metrics_cassandra_limits_memory}}" +{% endif %} +{% endif %} +{% if (openshift_metrics_cassandra_requests_cpu is not none + or openshift_metrics_cassandra_requests_memory is not none) +%} + requests: +{% if openshift_metrics_cassandra_requests_cpu is not none %} + cpu: "{{openshift_metrics_cassandra_requests_cpu}}" +{% endif %} +{% if openshift_metrics_cassandra_requests_memory is not none %} + memory: "{{openshift_metrics_cassandra_requests_memory}}" +{% endif %} +{% endif %} +{% endif %} readinessProbe: exec: command: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index 647a4bfbb..4314800a3 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 
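Review bot: The outer guard tests each variable with `is defined and … is not none`, but the inner `limits:`/`requests:` and per-key tests use only `is not none`, so if the `is defined` half ever mattered (a variable removed from defaults) the inner branch would still try to render the undefined value; since defaults/main.yaml defines all eight keys, either drop `is defined` throughout or use one consistent form such as `{% if openshift_metrics_cassandra_limits_cpu | default(none) is not none %}`. The same ~30-line block is repeated verbatim for hawkular and heapster in the next two hunks, with only the variable prefix changed, which is a natural Jinja macro taking the prefix or the four values. Nothing else in the template is affected; the hunk is an excerpt of the container spec.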
@@ -73,6 +73,35 @@ spec: mountPath: "/secrets" - name: hawkular-metrics-client-secrets mountPath: "/client-secrets" +{% if ((openshift_metrics_hawkular_limits_cpu is defined and openshift_metrics_hawkular_limits_cpu is not none) + or (openshift_metrics_hawkular_limits_memory is defined and openshift_metrics_hawkular_limits_memory is not none) + or (openshift_metrics_hawkular_requests_cpu is defined and openshift_metrics_hawkular_requests_cpu is not none) + or (openshift_metrics_hawkular_requests_memory is defined and openshift_metrics_hawkular_requests_memory is not none)) +%} + resources: +{% if (openshift_metrics_hawkular_limits_cpu is not none + or openshift_metrics_hawkular_limits_memory is not none) +%} + limits: +{% if openshift_metrics_hawkular_limits_cpu is not none %} + cpu: "{{openshift_metrics_hawkular_limits_cpu}}" +{% endif %} +{% if openshift_metrics_hawkular_limits_memory is not none %} + memory: "{{openshift_metrics_hawkular_limits_memory}}" +{% endif %} +{% endif %} +{% if (openshift_metrics_hawkular_requests_cpu is not none + or openshift_metrics_hawkular_requests_memory is not none) +%} + requests: +{% if openshift_metrics_hawkular_requests_cpu is not none %} + cpu: "{{openshift_metrics_hawkular_requests_cpu}}" +{% endif %} +{% if openshift_metrics_hawkular_requests_memory is not none %} + memory: "{{openshift_metrics_hawkular_requests_memory}}" +{% endif %} +{% endif %} +{% endif %} readinessProbe: exec: command: diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index 90227db68..04fb76982 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 
@@ -42,6 +42,35 @@ spec: env: - name: STARTUP_TIMEOUT value: "{{ openshift_metrics_startup_timeout }}" +{% if ((openshift_metrics_heapster_limits_cpu is defined and openshift_metrics_heapster_limits_cpu is not none) + or (openshift_metrics_heapster_limits_memory is defined and openshift_metrics_heapster_limits_memory is not none) + or (openshift_metrics_heapster_requests_cpu is defined and openshift_metrics_heapster_requests_cpu is not none) + or (openshift_metrics_heapster_requests_memory is defined and openshift_metrics_heapster_requests_memory is not none)) +%} + resources: +{% if (openshift_metrics_heapster_limits_cpu is not none + or openshift_metrics_heapster_limits_memory is not none) +%} + limits: +{% if openshift_metrics_heapster_limits_cpu is not none %} + cpu: "{{openshift_metrics_heapster_limits_cpu}}" +{% endif %} +{% if openshift_metrics_heapster_limits_memory is not none %} + memory: "{{openshift_metrics_heapster_limits_memory}}" +{% endif %} +{% endif %} +{% if (openshift_metrics_heapster_requests_cpu is not none + or openshift_metrics_heapster_requests_memory is not none) +%} + requests: +{% if openshift_metrics_heapster_requests_cpu is not none %} + cpu: "{{openshift_metrics_heapster_requests_cpu}}" +{% endif %} +{% if openshift_metrics_heapster_requests_memory is not none %} + memory: "{{openshift_metrics_heapster_requests_memory}}" +{% endif %} +{% endif %} +{% endif %} volumeMounts: - name: heapster-secrets mountPath: "/secrets" -- cgit v1.2.3 From 765fb5ce39fdca0b56a23f6d13650fe16debf20a Mon Sep 17 00:00:00 2001 
From: Jeff Cantrill Date: Thu, 15 Dec 2016 15:48:09 -0500 Subject: update vars to allow scaling of components (#9) --- roles/openshift_metrics/defaults/main.yaml | 2 + .../openshift_metrics/tasks/install_hawkular.yaml | 2 + roles/openshift_metrics/tasks/install_metrics.yaml | 25 ++++++++++ roles/openshift_metrics/tasks/main.yaml | 19 -------- roles/openshift_metrics/tasks/scale.yaml | 27 +++++++++++ roles/openshift_metrics/tasks/start_metrics.yaml | 52 ++++++++++++++++++++ roles/openshift_metrics/tasks/stop_metrics.yaml | 56 ++++++++++++++++++++++ .../openshift_metrics/tasks/uninstall_metrics.yaml | 7 ++- .../templates/hawkular_cassandra_rc.j2 | 2 +- .../templates/hawkular_metrics_rc.j2 | 2 +- roles/openshift_metrics/templates/heapster.j2 | 2 +- 11 files changed, 173 insertions(+), 23 deletions(-) create mode 100644 roles/openshift_metrics/tasks/scale.yaml create mode 100644 roles/openshift_metrics/tasks/start_metrics.yaml create mode 100644 roles/openshift_metrics/tasks/stop_metrics.yaml (limited to 'roles') diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index ae24e1972..c27943220 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -1,9 +1,11 @@ --- +openshift_metrics_start_cluster: True openshift_metrics_install_metrics: True openshift_metrics_image_prefix: docker.io/openshift/origin- openshift_metrics_image_version: latest openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_project: openshift-infra +openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_startup_timeout: 500 openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 6e503c8c1..1acc8948d 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml 
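Review bot: The defaults/main.yaml hunk adds `openshift_metrics_certs_dir` after `openshift_metrics_project` while the existing definition after `openshift_metrics_startup_timeout` is still present as a context line, so the file now has a duplicate mapping key; yamllint rejects this and most parsers silently keep the last value, so the duplicate should be dropped. `openshift_metrics_start_cluster: True` uses a capitalised boolean where `true` is the canonical YAML form, though Ansible accepts both.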
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -3,6 +3,7 @@ template: src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" + - name: generate hawkular-cassandra replication controllers template: src: hawkular_cassandra_rc.j2 @@ -45,6 +46,7 @@ - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert + - name: generate the hawkular-metrics route template: src: route.j2 diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index db023e6a2..a6a094a83 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,4 +1,15 @@ --- +- name: check that hawkular_metrics_hostname is set + fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' + when: openshift_metrics_hawkular_metrics_hostname is not defined + +- name: check the value of openshift_metrics_cassandra_storage_type + fail: + msg: > + openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) + is invalid, must be one of: emptydir, pv, dynamic + when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types + - name: Install Metrics include: "{{ role_path }}/tasks/install_{{ include_file }}.yaml" with_items: @@ -7,3 +18,17 @@ - hawkular loop_control: loop_var: include_file + +- name: create objects + command: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + apply -f {{ item }} + with_fileglob: + - "{{ mktemp.stdout }}/templates/*.yaml" + +- name: Scaling up cluster + include: start_metrics.yaml + tags: openshift_metrics_start_cluster + when: + - openshift_metrics_start_cluster | default(true) | bool 
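Review bot: The `create objects` task in the second install_metrics.yaml hunk runs `oc apply` per template with no `changed_when`, so every run reports a change even when nothing was reconfigured; `register: apply_result` with a condition on its output (for instance `changed_when: "'unchanged' not in apply_result.stdout"`, to be checked against what this `oc` version prints) would make the play idempotent. The `Scaling up cluster` include is gated on `openshift_metrics_start_cluster | default(true) | bool`, which only matters because the rc templates are changed to `replicas: 0` in a later hunk; a one-line comment above it, `# rcs are created with replicas 0 and scaled up here`, would save the next reader that search.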
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index 74abd120f..e8c74b8dc 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -1,15 +1,4 @@ --- -- name: check that hawkular_metrics_hostname is set - fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: openshift_metrics_hawkular_metrics_hostname is not defined - -- name: check the value of openshift_metrics_cassandra_storage_type - fail: - msg: > - openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) - is invalid, must be one of: emptydir, pv, dynamic - when: openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - - name: Create temp directory for doing work in command: mktemp -td openshift-metrics-ansible-XXXXXX register: mktemp @@ -33,11 +22,3 @@ - include: "{{role_path}}/tasks/uninstall_metrics.yaml" when: not openshift_metrics_install_metrics | default(false) | bool - -- name: create objects - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - --config={{ mktemp.stdout }}/admin.kubeconfig - apply -f {{ item }} - with_fileglob: - - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml new file mode 100644 index 000000000..031336a01 --- /dev/null +++ b/roles/openshift_metrics/tasks/scale.yaml 
@@ -0,0 +1,27 @@ +--- +- shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} + --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_metrics_project}} + register: replica_count + failed_when: "replica_count.rc == 1 and 'exists' not in replica_count.stderr" + when: not ansible_check_mode + +- shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}} + --replicas={{desired}} -n {{openshift_metrics_project}} + register: scale_result + failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr + when: + - replica_count.stdout != desired + - not ansible_check_mode + +- name: Waiting for {{object}} to scale to {{desired}} + shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_metrics_project}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}' + register: replica_counts + until: replica_counts.stdout.find("{{desired}}") != -1 + retries: 30 + delay: 10 + when: + - replica_count.stdout != desired + - not ansible_check_mode diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml new file mode 100644 index 000000000..99d593dd7 --- /dev/null +++ b/roles/openshift_metrics/tasks/start_metrics.yaml 
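Review bot: `replica_count.stdout != desired` compares the string from `oc get` with `desired`, which start_metrics.yaml passes as the integer `1` for cassandra and heapster, so the comparison is always true and the scale and wait tasks run on every play; normalise both sides, e.g. `- replica_count.stdout | trim != desired | string`. The `until` uses `find("{{desired}}") != -1`, a substring match, so a desired count of `1` is satisfied by a status of `10` or `11`; `until: replica_counts.stdout | trim == desired | string` is exact. Listing `not ansible_check_mode` before the `replica_count` comparison in both `when` lists also avoids evaluating `replica_count.stdout` when the first task was skipped in check mode.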
@@ -0,0 +1,52 @@ +--- +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-cassandra + -o name + -n {{openshift_metrics_project}} + register: metrics_cassandra_rc + +- name: Start Hawkular Cassandra + include: scale.yaml + vars: + desired: 1 + with_items: "{{metrics_cassandra_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name + -n {{openshift_metrics_project}} + register: metrics_metrics_rc + +- name: Start Hawkular Metrics + include: scale.yaml + vars: + desired: "{{openshift_metrics_hawkular_replicas}}" + with_items: "{{metrics_metrics_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=heapster + -o name + -n {{openshift_metrics_project}} + register: metrics_heapster_rc + check_mode: no + +- name: Start Heapster + include: scale.yaml + vars: + desired: 1 + with_items: "{{metrics_heapster_rc.stdout_lines}}" + loop_control: + loop_var: object diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml new file mode 100644 index 000000000..79556e923 --- /dev/null +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml 
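Review bot: Only the heapster `get rc` task carries `check_mode: no`, so under `--check` the cassandra and hawkular lookups are skipped and their `stdout_lines` are undefined when the `scale.yaml` includes iterate over them; add `check_mode: no` to all three. All three are read-only `oc get` calls that nonetheless report changed on every run, so `changed_when: false` belongs on each as well, and `command:` would do in place of `shell:` since no shell features are used.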
@@ -0,0 +1,56 @@ +--- +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=heapster + -o name + -n {{openshift_metrics_project}} + register: metrics_heapster_rc + changed_when: "'No resources found' not in metrics_heapster_rc.stderr" + check_mode: no + +- name: Stop Heapster + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_heapster_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name + -n {{openshift_metrics_project}} + register: metrics_hawkular_rc + changed_when: "'No resources found' not in metrics_hawkular_rc.stderr" + +- name: Stop Hawkular Metrics + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_hawkular_rc.stdout_lines}}" + loop_control: + loop_var: object + +- shell: > + {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -o name + -l metrics-infra=hawkular-cassandra + -n {{openshift_metrics_project}} + register: metrics_cassandra_rc + changed_when: "'No resources found' not in metrics_cassandra_rc.stderr" + +- name: Stop Hawkular Cassandra + include: scale.yaml + vars: + desired: 0 + with_items: "{{metrics_cassandra_rc.stdout_lines}}" + loop_control: + loop_var: object + when: metrics_cassandra_rc is defined + diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml index cf9b5171c..8a6be6237 100644 --- a/roles/openshift_metrics/tasks/uninstall_metrics.yaml +++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml 
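Review bot: `changed_when: "'No resources found' not in metrics_heapster_rc.stderr"` marks a read-only `oc get` as changed whenever any matching replication controller exists, and the same expression is repeated on the hawkular and cassandra lookups below it. These tasks only observe state, so they should use `changed_when: false`; the scale.yaml include is what performs and reports the actual change. Only the first lookup has `check_mode: no`, so the other two would leave their registered results without `stdout_lines` in check mode. The final `when: metrics_cassandra_rc is defined` is always true, because `register` sets the variable even when the task is skipped, so it guards nothing.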
@@ -1,14 +1,19 @@ --- +- name: stop metrics + include: stop_metrics.yaml + - name: remove metrics components command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig - delete --selector=metrics-infra + delete --ignore-not-found --selector=metrics-infra all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings register: delete_metrics changed_when: "delete_metrics.stdout != 'No resources found'" + - name: remove rolebindings command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig delete --ignore-not-found rolebinding/hawkular-view clusterrolebinding/heapster-cluster-reader + changed_when: "delete_metrics.stdout != 'No resources found'" diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 7ce1a6a87..9a1c446cd 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -9,7 +9,7 @@ metadata: spec: selector: name: hawkular-cassandra-{{ node }} - replicas: 1 + replicas: 0 template: version: v1 metadata: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index 4314800a3..1397276e6 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 @@ -8,7 +8,7 @@ metadata: spec: selector: name: hawkular-metrics - replicas: 1 + replicas: 0 template: version: v1 metadata: diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index 04fb76982..f64c6696e 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 
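Review bot: The `changed_when` added to 'remove rolebindings' references `delete_metrics`, which is the registered result of the preceding 'remove metrics components' task, not of this one; the rolebinding deletion has no `register`, so its change status is computed from the wrong command's output. Register the result and test that instead, `register: delete_rolebindings` and `changed_when: "delete_rolebindings.stdout != 'No resources found'"`. With `--ignore-not-found` I would also expect an empty stdout rather than that message when nothing matches, which is worth confirming against the client version in use before relying on the string.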
@@ -8,7 +8,7 @@ metadata: spec: selector: name: heapster - replicas: 1 + replicas: 0 template: version: v1 metadata: -- cgit v1.2.3 From 1e8928c96627218fdc422bfa3731f790699abfbb Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Fri, 6 Jan 2017 11:23:28 -0500 Subject: User provided certs pushed from control. vars reorg (#12) Merging per discussion and agreement from @bbguimaraes --- roles/openshift_metrics/README.md | 14 +++---- roles/openshift_metrics/defaults/main.yaml | 27 +++++++++---- .../tasks/generate_certificates.yaml | 2 + .../tasks/generate_hawkular_certificates.yaml | 2 +- .../openshift_metrics/tasks/install_hawkular.yaml | 47 ++++++++++++++-------- roles/openshift_metrics/tasks/install_metrics.yaml | 4 +- roles/openshift_metrics/templates/route.j2 | 12 ++++++ roles/openshift_metrics/vars/main.yaml | 6 +++ 8 files changed, 79 insertions(+), 35 deletions(-) (limited to 'roles') diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index 8c67d193d..f4c47c7bb 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md 
@@ -25,17 +25,17 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). - `openshift_metrics_image_version`: Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:v1.1", set version "v1.1". -- `openshift_metrics_master_url`: Internal URL for the master, for authentication retrieval. +- `openshift_metrics_hawkular_cert:` The certificate used for re-encrypting the route + to Hawkular metrics. The certificate must contain the hostname used by the route. + The default router certificate will be used if unspecified -- `openshift_metrics_hawkular_user_write_access`: If user accounts should be able to write - metrics. Defaults to 'false' so that only Heapster can write metrics and not - individual users. It is recommended to disable user write access, if enabled - any user will be able to write metrics to the system which can affect - performance and use Cassandra disk usage to unpredictably increase. +- `openshift_metrics_hawkular_key:` The key used with the Hawkular certificate + +- `openshift_metrics_hawkular_ca:` An optional certificate used to sign the Hawkular certificate. - `openshift_metrics_hawkular_replicas:` The number of replicas for Hawkular metrics. -- `openshift_metrics_cassandra_nodes`: The number of Cassandra Nodes to deploy for the +- `openshift_metrics_cassandra_replicas`: The number of Cassandra nodes to deploy for the initial cluster. - `openshift_metrics_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index c27943220..b99adf779 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml 
@@ -3,22 +3,19 @@ openshift_metrics_start_cluster: True openshift_metrics_install_metrics: True openshift_metrics_image_prefix: docker.io/openshift/origin- openshift_metrics_image_version: latest -openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local -openshift_metrics_project: openshift-infra -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_startup_timeout: 500 -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" -openshift_metrics_hawkular_user_write_access: False openshift_metrics_hawkular_replicas: 1 openshift_metrics_hawkular_limits_memory: 2.5G openshift_metrics_hawkular_limits_cpu: null openshift_metrics_hawkular_requests_memory: 1.5G openshift_metrics_hawkular_requests_cpu: null +openshift_metrics_hawkular_cert: "" +openshift_metrics_hawkular_key: "" +openshift_metrics_hawkular_ca: "" -openshift_metrics_cassandra_nodes: 1 +openshift_metrics_cassandra_replicas: 1 openshift_metrics_cassandra_storage_type: emptydir -openshift_metrics_cassandra_pv_prefix: metrics-cassandra openshift_metrics_cassandra_pv_size: 10Gi openshift_metrics_cassandra_limits_memory: 2G openshift_metrics_cassandra_limits_cpu: null @@ -26,7 +23,6 @@ openshift_metrics_cassandra_requests_memory: 1G openshift_metrics_cassandra_requests_cpu: null openshift_metrics_heapster_standalone: False -openshift_metrics_heapster_allowed_users: system:master-proxy openshift_metrics_heapster_limits_memory: 3.75G openshift_metrics_heapster_limits_cpu: null openshift_metrics_heapster_requests_memory: 0.9375G 
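Review bot: The three new defaults `openshift_metrics_hawkular_cert`, `openshift_metrics_hawkular_key` and `openshift_metrics_hawkular_ca` are undocumented here, and nothing states that they are file paths read on the Ansible control host; they are consumed through `lookup('file', …)` and the `exists` test in this commit's install_hawkular.yaml hunk, both of which evaluate on the controller. A comment above them would keep users from pointing them at files on the master, e.g. `# Optional PEM files for the re-encrypt route; paths on the Ansible control host, empty means not provided`.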
@@ -34,4 +30,19 @@ openshift_metrics_heapster_requests_cpu: null openshift_metrics_duration: 7 openshift_metrics_resolution: 15s + +##### +# Caution should be taken for the following defaults before +# overriding the values here +##### + +openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" +openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_node_id: nodename +openshift_metrics_project: openshift-infra + +openshift_metrics_cassandra_pv_prefix: metrics-cassandra + +openshift_metrics_hawkular_user_write_access: False + +openshift_metrics_heapster_allowed_users: system:master-proxy diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 66cfbca03..16a967aa7 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -4,6 +4,7 @@ path: "{{ openshift_metrics_certs_dir }}" state: directory mode: 0700 + - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} @@ -11,6 +12,7 @@ get secrets -o name register: metrics_secrets changed_when: false + - name: generate ca certificate chain shell: > {{ openshift.common.admin_binary }} ca create-signer-cert diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 4e032ca7e..f36175735 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -3,7 +3,7 @@ include: setup_certificate.yaml vars: component: hawkular-metrics - hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}" + hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}" - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: 
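Review bot: The new 'Caution should be taken for the following defaults' banner does not say what the caution is, and this commit's README hunk removes the only explanation of `openshift_metrics_hawkular_user_write_access` (that enabling it lets any user write metrics, with performance and Cassandra disk-usage consequences), so that rationale no longer exists anywhere in the role. Put it back as a comment above the variable, e.g. `# When true, any user can write metrics rather than only Heapster; this affects performance and can grow Cassandra disk usage unpredictably.` A similar one-line comment on `openshift_metrics_heapster_allowed_users` would help, since its name suggests it restricts who may reach Heapster but the file does not say so.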
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 1acc8948d..34a8c58b8 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -11,7 +11,7 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} - name: generate hawkular-cassandra persistent volume claims template: @@ -24,7 +24,7 @@ access_modes: - ReadWriteOnce size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'pv' - name: generate hawkular-cassandra persistent volume claims (dynamic) 
@@ -40,25 +40,38 @@ access_modes: - ReadWriteOnce size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_nodes }} + with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'dynamic' - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert -- name: generate the hawkular-metrics route - template: - src: route.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml" - vars: - name: hawkular-metrics - labels: - metrics-infra: hawkular-metrics - host: "{{ openshift_metrics_hawkular_metrics_hostname }}" - to: - kind: Service +- block: + - set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }} + when: openshift_metrics_hawkular_key | exists + + - set_fact: hawkular_cert={{ lookup('file', openshift_metrics_hawkular_cert) }} + when: openshift_metrics_hawkular_cert | exists + + - set_fact: hawkular_ca={{ lookup('file', openshift_metrics_hawkular_ca) }} + when: openshift_metrics_hawkular_ca | exists + + - name: generate the hawkular-metrics route + template: + src: route.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml" + vars: name: hawkular-metrics - tls: - termination: reencrypt - destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}" + labels: + metrics-infra: hawkular-metrics + host: "{{ openshift_metrics_hawkular_hostname }}" + to: + kind: Service + name: hawkular-metrics + tls: + termination: reencrypt + key: "{{ hawkular_key | default('') }}" + certificate: "{{ hawkular_cert | default('') }}" + ca_certificate: "{{ hawkular_ca | default('') }}" + destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}" diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index a6a094a83..b45629b70 100644 
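Review bot: The `set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }}` task reads the route's private key into a fact without `no_log: true`, so the key material appears in verbose task output and in the run's recorded facts; add `no_log: true` to that task and to the route template task below it, which renders the key. Nothing checks that `openshift_metrics_hawkular_cert` and `openshift_metrics_hawkular_key` are supplied together: each `set_fact` is guarded independently by `| exists`, so a mistyped path for one of them silently produces a route with a certificate and an empty key (or the reverse). A `fail:` task before the block, triggered when exactly one of the two paths exists, would catch this. The `key=value` form with a multi-line PEM value is also harder to read than the YAML-dict form `set_fact:` / `hawkular_key: "{{ lookup('file', openshift_metrics_hawkular_key) }}"`.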
--- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,7 +1,7 @@ --- - name: check that hawkular_metrics_hostname is set - fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required' - when: openshift_metrics_hawkular_metrics_hostname is not defined + fail: msg='the openshift_metrics_hawkular_hostname variable is required' + when: openshift_metrics_hawkular_hostname is not defined - name: check the value of openshift_metrics_cassandra_storage_type fail: diff --git a/roles/openshift_metrics/templates/route.j2 b/roles/openshift_metrics/templates/route.j2 index a720c4959..08ca87288 100644 --- a/roles/openshift_metrics/templates/route.j2 +++ b/roles/openshift_metrics/templates/route.j2 @@ -16,6 +16,18 @@ spec: {% if tls is defined %} tls: termination: {{ tls.termination }} +{% if tls.ca_certificate is defined and tls.ca_certificate | length > 0 %} + CACertificate: | +{{ tls.ca_certificate|indent(6, true) }} +{% endif %} +{% if tls.key is defined and tls.key | length > 0 %} + key: | +{{ tls.key|indent(6, true) }} +{% endif %} +{% if tls.certificate is defined and tls.certificate | length > 0 %} + certificate: | +{{ tls.certificate|indent(6, true) }} +{% endif %} {% if tls.termination == 'reencrypt' %} destinationCACertificate: | {{ tls.destination_ca_certificate|indent(6, true) }} diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml index de3bb878d..4a3724e3f 100644 --- a/roles/openshift_metrics/vars/main.yaml +++ b/roles/openshift_metrics/vars/main.yaml @@ -1,3 +1,9 @@ +--- +# +# These vars are generally considered private and not expected to be altered +# by end users +# + openshift_metrics_cassandra_storage_types: - emptydir - pv -- cgit v1.2.3 From b097d9f595c378ce35a2d35f2bd4749c3aa5d77d Mon Sep 17 00:00:00 2001 
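Review bot: The route template emits the CA under the key `CACertificate:`, but the Route TLS spec field is `caCertificate` (alongside `key`, `certificate` and `destinationCACertificate`, which the template already spells in camelCase); as far as I know an unknown field is dropped or rejected by the API server, so a user-supplied CA chain would never reach the router. Change the line to `  caCertificate: |`. The `| length > 0` guards are a good addition, since the task vars default these values to the empty string.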
From: Jeff Cantrill Date: Fri, 6 Jan 2017 11:27:18 -0500 Subject: set replicas to current value so not to disrupt current pods (#13) --- roles/openshift_metrics/tasks/install_hawkular.yaml | 20 ++++++++++++++++++++ roles/openshift_metrics/tasks/install_heapster.yaml | 9 +++++++++ .../templates/hawkular_cassandra_rc.j2 | 2 +- .../templates/hawkular_metrics_rc.j2 | 2 +- roles/openshift_metrics/templates/heapster.j2 | 2 +- 5 files changed, 32 insertions(+), 3 deletions(-) (limited to 'roles') diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 34a8c58b8..b377b6299 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -1,8 +1,27 @@ --- +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc hawkular-metrics --template=\{\{.spec.replicas\}\} || echo 0 + register: hawkular_metrics_replica_count + changed_when: false + - name: generate hawkular-metrics replication controller template: src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" + vars: + replica_count: "{{hawkular_metrics_replica_count.stdout}}" + +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc hawkular-cassandra-{{node}} --template=\{\{.spec.replicas\}\} || echo 0 + vars: + node: "{{ item }}" + register: cassandra_replica_count + changed_when: false + with_sequence: count={{ openshift_metrics_cassandra_replicas }} - name: generate hawkular-cassandra replication controllers template: 
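Review bot: `|| echo 0` in the new `get rc hawkular-metrics` lookup turns every failure into 'zero replicas': an expired kubeconfig, an unreachable API server or a transient error renders `replicas: 0` into the RC template, which on apply would scale a running deployment down, the exact disruption this commit sets out to avoid. Only a missing object should map to 0; any other error should fail the task. Drop the `|| echo 0`, keep the `register`, and handle not-found explicitly: `failed_when: hawkular_metrics_replica_count.rc != 0 and 'not found' not in hawkular_metrics_replica_count.stderr`, then pass `replica_count: "{{ hawkular_metrics_replica_count.stdout | default('0', true) }}"` to the template (confirm the exact not-found text against the client in use). The same pattern is used for the cassandra lookup in this hunk, for heapster in the install_heapster.yaml hunk below, and is kept by the later 'additional code reviews' commit's rewrite with `-o jsonpath`.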
@@ -11,6 +30,7 @@ vars: node: "{{ item }}" master: "{{ (item == '1')|string|lower }}" + replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} - name: generate hawkular-cassandra persistent volume claims diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml index a8f849a88..63ea7e943 100644 --- a/roles/openshift_metrics/tasks/install_heapster.yaml +++ b/roles/openshift_metrics/tasks/install_heapster.yaml @@ -1,3 +1,12 @@ --- +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc heapster --template=\{\{.spec.replicas\}\} || echo 0 + register: heapster_replica_count + changed_when: false + - name: Generate heapster replication controller template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml + vars: + replica_count: "{{heapster_replica_count.stdout}}" diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 9a1c446cd..48ef3290d 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -9,7 +9,7 @@ metadata: spec: selector: name: hawkular-cassandra-{{ node }} - replicas: 0 + replicas: {{replica_count}} template: version: v1 metadata: diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index 1397276e6..e6954ea44 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 @@ -8,7 +8,7 @@ metadata: spec: selector: name: hawkular-metrics - replicas: 0 + replicas: {{replica_count}} template: version: v1 metadata: 
diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index f64c6696e..eeca03be0 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 @@ -8,7 +8,7 @@ metadata: spec: selector: name: heapster - replicas: 0 + replicas: {{replica_count}} template: version: v1 metadata: -- cgit v1.2.3 From a5f6e3f684a3294056d4d4e224226b90acc062e6 Mon Sep 17 00:00:00 2001 From: Jeff Cantrill Date: Wed, 11 Jan 2017 14:07:19 -0500 Subject: additional code reviews --- roles/openshift_metrics/meta/main.yaml | 16 ++++++++ .../tasks/generate_hawkular_certificates.yaml | 43 +++++++++++++++++----- .../tasks/generate_rolebindings.yaml | 3 ++ .../tasks/generate_serviceaccounts.yaml | 2 + .../openshift_metrics/tasks/generate_services.yaml | 4 ++ .../openshift_metrics/tasks/install_hawkular.yaml | 19 +++++++--- .../openshift_metrics/tasks/install_heapster.yaml | 7 ++-- roles/openshift_metrics/tasks/main.yaml | 6 +-- roles/openshift_metrics/tasks/scale.yaml | 17 +++++---- .../openshift_metrics/tasks/setup_certificate.yaml | 21 +++++++---- roles/openshift_metrics/tasks/start_metrics.yaml | 8 ++-- roles/openshift_metrics/tasks/stop_metrics.yaml | 6 +-- .../templates/hawkular_cassandra_rc.j2 | 20 +++++----- 13 files changed, 120 insertions(+), 52 deletions(-) (limited to 'roles') diff --git a/roles/openshift_metrics/meta/main.yaml b/roles/openshift_metrics/meta/main.yaml index a8fbeff02..9eb3bf579 100644 --- a/roles/openshift_metrics/meta/main.yaml +++ b/roles/openshift_metrics/meta/main.yaml @@ -1,2 +1,18 @@ +--- +galaxy_info: + author: OpenShift Development + description: Deploy OpenShift metrics integration for the cluster + company: Red Hat, Inc. + license: license (Apache) + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + - name: Fedora + versions: + - all + categories: + - openshift dependencies: - { role: openshift_facts } 
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index f36175735..995440598 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -4,31 +4,37 @@ vars: component: hawkular-metrics hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}" + changed_when: no + - name: generate hawkular-cassandra certificates include: setup_certificate.yaml vars: component: hawkular-cassandra hostnames: hawkular-cassandra + changed_when: no + - name: check existing aliases on the hawkular-cassandra truststore shell: > keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore + -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + '{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd')" | sed -n '7~2s/,.*$//p' register: hawkular_cassandra_truststore_aliases changed_when: false + - name: check existing aliases on the hawkular-metrics truststore shell: > keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore + -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + '{{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd')" | sed -n '7~2s/,.*$//p' register: hawkular_metrics_truststore_aliases changed_when: false + - name: import the hawkular metrics cert into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' 
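Review bot: In both truststore checks the `|quote` filter is applied inside an existing single-quoted shell string, `-storepass "$(< '{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd')"`; `quote` wraps a value in its own single quotes when it contains shell-special characters, so for such a path the result is `''/path with space'/…'`, which the shell splits. The filter is a no-op for the default path and breaks exactly the paths it is meant to protect; either drop the literal quotes around the templated path and rely on `|quote` alone (as the `-keystore` argument above it does), or keep the literal quotes and drop the filter. The same nesting is introduced in the setup_certificate.yaml hunk at the end of this page. `changed_when: no` on the two `include:` tasks has, as far as I know, no effect on a static include; the attribute belongs on the tasks inside setup_certificate.yaml.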
@@ -38,8 +44,9 @@ when: > 'hawkular-metrics' not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the hawkular cassandra cert into the hawkular metrics truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' @@ -49,8 +56,9 @@ when: > 'hawkular-cassandra' not in hawkular_metrics_truststore_aliases.stdout_lines + - name: import the hawkular cassandra cert into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' @@ -60,8 +68,9 @@ when: > 'hawkular-cassandra' not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the ca certificate into the cassandra truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' @@ -73,8 +82,9 @@ - metricca - cassandraca when: item not in hawkular_cassandra_truststore_aliases.stdout_lines + - name: import the ca certificate into the hawkular metrics truststore - shell: > + command: > keytool -noprompt -import -v -trustcacerts -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' @@ -86,6 +96,7 @@ - metricca - cassandraca when: item not in hawkular_metrics_truststore_aliases.stdout_lines + - name: generate password for hawkular metrics and jgroups shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 @@ -94,6 +105,7 @@ - hawkular-metrics - hawkular-jgroups-keystore when: not '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd'|exists + - name: generate htpasswd file for hawkular metrics shell: > htpasswd -ci 
@@ -101,6 +113,7 @@ < '{{ openshift_metrics_certs_dir }}/hawkular-metrics.pwd' when: > not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists + - name: generate the jgroups keystore shell: > p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) @@ -110,6 +123,7 @@ -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' when: > not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists + - name: read files for the hawkular-metrics secret shell: > printf '%s: ' '{{ item }}' @@ -133,10 +147,12 @@ - hawkular-cassandra.truststore - hawkular-cassandra-truststore.pwd changed_when: false + - set_fact: hawkular_secrets: | {{ hawkular_secrets.results|map(attribute='stdout')|join(' ')|from_yaml }} + - name: generate hawkular-metrics-secrets secret template template: src: secret.j2 @@ -163,6 +179,8 @@ {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }} hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}" when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate hawkular-metrics-certificate secret template template: src: secret.j2 @@ -177,6 +195,8 @@ hawkular-metrics-ca.certificate: > {{ hawkular_secrets['ca.crt'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate hawkular-metrics-account secret template template: src: secret.j2 @@ -190,6 +210,8 @@ hawkular-metrics.password: > {{ hawkular_secrets['hawkular-metrics.pwd'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no + - name: generate cassandra secret template template: src: secret.j2 @@ -211,6 +233,8 @@ cassandra.pem: > {{ hawkular_secrets['hawkular-cassandra.pem'] }} when: name not in metrics_secrets + changed_when: no + - name: generate cassandra-certificate secret template template: src: secret.j2 @@ -225,3 +249,4 @@ cassandra-ca.certificate: > {{ hawkular_secrets['hawkular-cassandra.pem'] }} when: name not in metrics_secrets.stdout_lines + changed_when: no 
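Review bot: In the cassandra secret hunk (`@@ -211,6 +233,8 @@`) the context line `when: name not in metrics_secrets` tests membership in the registered result dictionary rather than in its output, unlike the four sibling secret tasks that use `when: name not in metrics_secrets.stdout_lines`; since `name` is not a key of that dictionary the condition is, as far as I can tell, always true and the cassandra secret template is regenerated on every run. The commit touches this task (adding `changed_when: no`) without fixing the condition; change it to `when: name not in metrics_secrets.stdout_lines`.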
diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml index 9a72b24fe..6524c3f32 100644 --- a/roles/openshift_metrics/tasks/generate_rolebindings.yaml +++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml @@ -12,6 +12,8 @@ subjects: - kind: ServiceAccount name: hawkular + changed_when: no + - name: generate cluster-reader role binding for the heapster service account template: src: rolebinding.j2 @@ -28,3 +30,4 @@ - kind: ServiceAccount name: heapster namespace: "{{ openshift_metrics_project }}" + changed_when: no diff --git a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml index 9230e0423..94f34d860 100644 --- a/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml +++ b/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml @@ -12,6 +12,7 @@ secret: hawkular-metrics-secrets - name: cassandra secret: hawkular-cassandra-secrets + changed_when: no - name: Generating serviceaccount for heapster template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-sa.yaml @@ -23,3 +24,4 @@ - heapster-secrets - hawkular-metrics-certificate - hawkular-metrics-account + changed_when: no diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml index 4f7616a1c..115053012 100644 --- a/roles/openshift_metrics/tasks/generate_services.yaml +++ b/roles/openshift_metrics/tasks/generate_services.yaml @@ -10,6 +10,7 @@ labels: metrics-infra: "{{obj_name}}" name: "{{obj_name}}" + changed_when: no - name: Generate service for hawkular-metrics template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml 
@@ -22,6 +23,7 @@ labels: metrics-infra: "{{obj_name}}" name: "{{obj_name}}" + changed_when: no - name: Generate services for cassandra template: src=service.j2 dest={{mktemp.stdout}}/templates/metrics-{{obj_name}}-svc.yaml @@ -41,3 +43,5 @@ with_items: - cassandra - cassandra-nodes + changed_when: no + diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index b377b6299..d49c83138 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -1,8 +1,8 @@ --- - shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-metrics --template=\{\{.spec.replicas\}\} || echo 0 + get rc hawkular-metrics -o jsonpath='{.spec.replicas}' || echo 0 register: hawkular_metrics_replica_count changed_when: false @@ -12,16 +12,17 @@ dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" vars: replica_count: "{{hawkular_metrics_replica_count.stdout}}" + changed_when: false - shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-cassandra-{{node}} --template=\{\{.spec.replicas\}\} || echo 0 + get rc hawkular-cassandra-{{node}} -o jsonpath='{.spec.replicas}' || echo 0 vars: node: "{{ item }}" register: cassandra_replica_count - changed_when: false with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false - name: generate hawkular-cassandra replication controllers template: 
@@ -32,6 +33,7 @@ master: "{{ (item == '1')|string|lower }}" replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false - name: generate hawkular-cassandra persistent volume claims template: @@ -46,6 +48,7 @@ size: "{{ openshift_metrics_cassandra_pv_size }}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'pv' + changed_when: false - name: generate hawkular-cassandra persistent volume claims (dynamic) template: @@ -62,20 +65,25 @@ size: "{{ openshift_metrics_cassandra_pv_size }}" with_sequence: count={{ openshift_metrics_cassandra_replicas }} when: openshift_metrics_cassandra_storage_type == 'dynamic' + changed_when: false - name: read hawkular-metrics route destination ca certificate slurp: src={{ openshift_metrics_certs_dir }}/ca.crt register: metrics_route_dest_ca_cert + changed_when: false - block: - set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }} when: openshift_metrics_hawkular_key | exists + changed_when: false - set_fact: hawkular_cert={{ lookup('file', openshift_metrics_hawkular_cert) }} when: openshift_metrics_hawkular_cert | exists + changed_when: false - set_fact: hawkular_ca={{ lookup('file', openshift_metrics_hawkular_ca) }} when: openshift_metrics_hawkular_ca | exists + changed_when: false - name: generate the hawkular-metrics route template: @@ -95,3 +103,4 @@ certificate: "{{ hawkular_cert | default('') }}" ca_certificate: "{{ hawkular_ca | default('') }}" destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}" + changed_when: false diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml index 63ea7e943..e650391a8 100644 --- a/roles/openshift_metrics/tasks/install_heapster.yaml +++ b/roles/openshift_metrics/tasks/install_heapster.yaml 
@@ -1,12 +1,13 @@ --- - shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc heapster --template=\{\{.spec.replicas\}\} || echo 0 + get rc heapster -o jsonpath='{.spec.replicas}' || echo 0 register: heapster_replica_count - changed_when: false + changed_when: no - name: Generate heapster replication controller template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml vars: replica_count: "{{heapster_replica_count.stdout}}" + changed_when: no diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index e8c74b8dc..c42440130 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -4,8 +4,6 @@ register: mktemp changed_when: False -- debug: msg="Created temp dir {{mktemp.stdout}}" - - name: Create temp directory for all our templates file: path={{mktemp.stdout}}/templates state=directory mode=0755 changed_when: False @@ -17,8 +15,8 @@ check_mode: no tags: metrics_init -- include: "{{role_path}}/tasks/install_metrics.yaml" +- include: install_metrics.yaml when: openshift_metrics_install_metrics | default(false) | bool -- include: "{{role_path}}/tasks/uninstall_metrics.yaml" +- include: uninstall_metrics.yaml when: not openshift_metrics_install_metrics | default(false) | bool diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml index 031336a01..65f35fb46 100644 --- a/roles/openshift_metrics/tasks/scale.yaml +++ b/roles/openshift_metrics/tasks/scale.yaml 
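Review bot: This commit writes `changed_when: no` in install_heapster.yaml but `changed_when: false` in the install_hawkular.yaml hunks above it, and the first change in this hunk even replaces an existing `changed_when: false` with `changed_when: no`. Pick one spelling for the role; `false` is the canonical YAML boolean and the one yamllint's truthy rule accepts.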
@@ -1,27 +1,30 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} - --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_metrics_project}} + -o jsonpath='{.spec.replicas}' -n {{openshift_metrics_project}} register: replica_count failed_when: "replica_count.rc == 1 and 'exists' not in replica_count.stderr" when: not ansible_check_mode + changed_when: no -- shell: > +- command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}} --replicas={{desired}} -n {{openshift_metrics_project}} register: scale_result failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr when: - - replica_count.stdout != desired + - replica_count.stdout != (desired | string) - not ansible_check_mode + changed_when: no - name: Waiting for {{object}} to scale to {{desired}} - shell: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_metrics_project}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}' + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig + get {{object}} -n {{openshift_metrics_project|quote}} -o jsonpath='{.status.replicas}' register: replica_counts until: replica_counts.stdout.find("{{desired}}") != -1 retries: 30 delay: 10 when: - - replica_count.stdout != desired + - replica_count.stdout != (desired | string) - not ansible_check_mode diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 52e748234..07c8365b1 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
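Review bot: `until: replica_counts.stdout.find("{{desired}}") != -1` in the wait task is a substring test, so waiting for 1 replica is satisfied by a status of 10 or 11, and `desired` is already compared as a string two lines below; use `until: replica_counts.stdout == (desired | string)`. The scale task performs a real change but is marked `changed_when: no`, so the play summary never shows it; since it only runs when the current count differs, `changed_when: scale_result.rc == 0` reports it accurately. Switching `shell:` to `command:` in all three tasks is a good move, as `{{object}}` and `{{desired}}` no longer pass through a shell.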
@@ -10,19 +10,22 @@ --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists + - name: generate {{ component }} certificate shell: > cat - '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.key' - '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.crt' - > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}.pem' + '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' + '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' + > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.pem' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - name: generate random password for the {{ component }} keystore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-keystore.pwd' + > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' when: > not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export 
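Review bot: The `cat ... > '{{ ... }}.pem'` redirection in the "generate {{ component }} certificate" task writes the private key into the new `.pem` with whatever mode the remote user's umask yields, and the keystore password file two tasks below is created the same way by `tr ... > ...-keystore.pwd`. Prefix both shell commands with `umask 077 &&` so the files come out owner-only, or follow them with a `file:` task setting `mode: "0600"`. The `| quote` additions are correct for these `shell:` bodies. The task that opens this hunk (`--signer-key=...`) starts above the hunk.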
@@ -32,22 +35,24 @@ -password 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists + - name: create the {{ component }} keystore from the pkcs12 file shell: > p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) && keytool -v -importkeystore - -srckeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' + -srckeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote }}.pkcs12' -srcstoretype PKCS12 - -destkeystore '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore' + -destkeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote}}.keystore' -deststoretype JKS -deststorepass "$p" -srcstorepass "$p" when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists + - name: generate random password for the {{ component }} truststore shell: > tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir }}/{{ component|quote }}-truststore.pwd' + > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' when: > not - '{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists + '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml index 99d593dd7..0906d71a2 100644 --- a/roles/openshift_metrics/tasks/start_metrics.yaml +++ b/roles/openshift_metrics/tasks/start_metrics.yaml @@ -1,5 +1,5 @@ --- -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -7,6 +7,7 @@ -o name -n {{openshift_metrics_project}} register: metrics_cassandra_rc + changed_when: no - name: Start Hawkular Cassandra include: scale.yaml 
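Review bot: `'{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists` in the last `when:` of the `@@ -32,22 +35,24 @@` hunk applies `quote`, a shell-quoting filter, to a path that the `exists` test opens directly; a directory name containing a character shlex escapes (a space, say) would then be tested with literal quote characters, the file would never be found, and a fresh truststore password would be written on every run while the truststore created earlier keeps the old one. Every other `exists` test in this file is written without `quote`; match them: `'{{ openshift_metrics_certs_dir }}/{{ component }}-truststore.pwd'|exists`. Using `quote` inside the `shell:` bodies of the same hunk is right and should stay.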
@@ -16,7 +17,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -24,6 +25,7 @@ -o name -n {{openshift_metrics_project}} register: metrics_metrics_rc + changed_when: no - name: Start Hawkular Metrics include: scale.yaml @@ -33,7 +35,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml index 79556e923..cdb029c2f 100644 --- a/roles/openshift_metrics/tasks/stop_metrics.yaml +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml @@ -1,5 +1,5 @@ --- -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -18,7 +18,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc @@ -36,7 +36,7 @@ loop_control: loop_var: object -- shell: > +- command: > {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc -o name diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 48ef3290d..abd4ff939 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 
@@ -75,25 +75,25 @@ spec: or (openshift_metrics_cassandra_requests_memory is defined and openshift_metrics_cassandra_requests_memory is not none)) %} resources: -{% if (openshift_metrics_cassandra_limits_cpu is not none - or openshift_metrics_cassandra_limits_memory is not none) +{% if (openshift_metrics_cassandra_limits_cpu is not none + or openshift_metrics_cassandra_limits_memory is not none) %} limits: -{% if openshift_metrics_cassandra_limits_cpu is not none %} +{% if openshift_metrics_cassandra_limits_cpu is not none %} cpu: "{{openshift_metrics_cassandra_limits_cpu}}" {% endif %} -{% if openshift_metrics_cassandra_limits_memory is not none %} +{% if openshift_metrics_cassandra_limits_memory is not none %} memory: "{{openshift_metrics_cassandra_limits_memory}}" {% endif %} {% endif %} -{% if (openshift_metrics_cassandra_requests_cpu is not none - or openshift_metrics_cassandra_requests_memory is not none) +{% if (openshift_metrics_cassandra_requests_cpu is not none + or openshift_metrics_cassandra_requests_memory is not none) %} requests: -{% if openshift_metrics_cassandra_requests_cpu is not none %} +{% if openshift_metrics_cassandra_requests_cpu is not none %} cpu: "{{openshift_metrics_cassandra_requests_cpu}}" {% endif %} -{% if openshift_metrics_cassandra_requests_memory is not none %} +{% if openshift_metrics_cassandra_requests_memory is not none %} memory: "{{openshift_metrics_cassandra_requests_memory}}" {% endif %} {% endif %} @@ -114,9 +114,9 @@ spec: terminationGracePeriodSeconds: 1800 volumes: - name: cassandra-data -{% if openshift_metrics_cassandra_storage_type == 'emptydir' %} +{% if openshift_metrics_cassandra_storage_type == 'emptydir' %} emptyDir: {} -{% else %} +{% else %} persistentVolumeClaim: claimName: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ node }}" {% endif %} -- cgit v1.2.3 From 9c6766e8588ff96bffc0479251dbbb5dd9c80521 Mon Sep 17 00:00:00 2001 
From: Jeff Cantrill Date: Thu, 12 Jan 2017 08:38:06 -0500 Subject: metrics fixes for yamlint --- roles/openshift_metrics/meta/main.yaml | 28 +++++++++++----------- .../tasks/generate_hawkular_certificates.yaml | 2 +- .../openshift_metrics/tasks/generate_services.yaml | 5 ++-- .../openshift_metrics/tasks/install_hawkular.yaml | 2 +- roles/openshift_metrics/tasks/install_metrics.yaml | 4 ++-- roles/openshift_metrics/tasks/scale.yaml | 6 ++--- roles/openshift_metrics/tasks/start_metrics.yaml | 28 +++++++++++----------- roles/openshift_metrics/tasks/stop_metrics.yaml | 18 +++++++------- 8 files changed, 46 insertions(+), 47 deletions(-) (limited to 'roles') diff --git a/roles/openshift_metrics/meta/main.yaml b/roles/openshift_metrics/meta/main.yaml index 9eb3bf579..567584079 100644 --- a/roles/openshift_metrics/meta/main.yaml +++ b/roles/openshift_metrics/meta/main.yaml @@ -1,18 +1,18 @@ --- galaxy_info: - author: OpenShift Development - description: Deploy OpenShift metrics integration for the cluster - company: Red Hat, Inc. - license: license (Apache) - min_ansible_version: 2.2 - platforms: - - name: EL - versions: - - 7 - - name: Fedora - versions: - - all - categories: - - openshift + author: OpenShift Development + description: Deploy OpenShift metrics integration for the cluster + company: Red Hat, Inc. + license: license (Apache) + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + - name: Fedora + versions: + - all + categories: + - openshift dependencies: - { role: openshift_facts } diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 995440598..1306d0ccd 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
@@ -211,7 +211,7 @@ {{ hawkular_secrets['hawkular-metrics.pwd'] }} when: name not in metrics_secrets.stdout_lines changed_when: no - + - name: generate cassandra secret template template: src: secret.j2 diff --git a/roles/openshift_metrics/tasks/generate_services.yaml b/roles/openshift_metrics/tasks/generate_services.yaml index 115053012..903d52bff 100644 --- a/roles/openshift_metrics/tasks/generate_services.yaml +++ b/roles/openshift_metrics/tasks/generate_services.yaml @@ -41,7 +41,6 @@ name: hawkular-cassandra headless: "{{ item == 'cassandra-nodes' }}" with_items: - - cassandra - - cassandra-nodes + - cassandra + - cassandra-nodes changed_when: no - diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index d49c83138..7c06bc1db 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -11,7 +11,7 @@ src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" vars: - replica_count: "{{hawkular_metrics_replica_count.stdout}}" + replica_count: "{{hawkular_metrics_replica_count.stdout}}" changed_when: false - shell: > diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index b45629b70..5f4b84418 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -25,10 +25,10 @@ --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{ item }} with_fileglob: - - "{{ mktemp.stdout }}/templates/*.yaml" + - "{{ mktemp.stdout }}/templates/*.yaml" - name: Scaling up cluster include: start_metrics.yaml tags: openshift_metrics_start_cluster when: - - openshift_metrics_start_cluster | default(true) | bool + - openshift_metrics_start_cluster | default(true) | bool diff --git a/roles/openshift_metrics/tasks/scale.yaml b/roles/openshift_metrics/tasks/scale.yaml index 65f35fb46..bb4fa621b 100644 
--- a/roles/openshift_metrics/tasks/scale.yaml +++ b/roles/openshift_metrics/tasks/scale.yaml @@ -19,12 +19,12 @@ - name: Waiting for {{object}} to scale to {{desired}} command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} -n {{openshift_metrics_project|quote}} -o jsonpath='{.status.replicas}' register: replica_counts until: replica_counts.stdout.find("{{desired}}") != -1 retries: 30 delay: 10 when: - - replica_count.stdout != (desired | string) - - not ansible_check_mode + - replica_count.stdout != (desired | string) + - not ansible_check_mode diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml index 0906d71a2..31f303c86 100644 --- a/roles/openshift_metrics/tasks/start_metrics.yaml +++ b/roles/openshift_metrics/tasks/start_metrics.yaml @@ -1,10 +1,10 @@ --- - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc - -l metrics-infra=hawkular-cassandra - -o name + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-cassandra + -o name -n {{openshift_metrics_project}} register: metrics_cassandra_rc changed_when: no @@ -18,11 +18,11 @@ loop_var: object - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc - -l metrics-infra=hawkular-metrics - -o name + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra=hawkular-metrics + -o name -n {{openshift_metrics_project}} register: metrics_metrics_rc changed_when: no 
@@ -36,11 +36,11 @@ loop_var: object - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc -l metrics-infra=heapster - -o name + -o name -n {{openshift_metrics_project}} register: metrics_heapster_rc check_mode: no diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml index cdb029c2f..524d4227b 100644 --- a/roles/openshift_metrics/tasks/stop_metrics.yaml +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml @@ -1,10 +1,10 @@ --- - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig - get rc + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc -l metrics-infra=heapster - -o name + -o name -n {{openshift_metrics_project}} register: metrics_heapster_rc changed_when: "'No resources found' not in metrics_heapster_rc.stderr" @@ -19,11 +19,11 @@ loop_var: object - command: > - {{openshift.common.client_binary}} - --config={{mktemp.stdout}}/admin.kubeconfig + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig get rc -l metrics-infra=hawkular-metrics - -o name + -o name -n {{openshift_metrics_project}} register: metrics_hawkular_rc changed_when: "'No resources found' not in metrics_hawkular_rc.stderr" @@ -37,10 +37,10 @@ loop_var: object - command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig + {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get rc -o name - -l metrics-infra=hawkular-cassandra + -l metrics-infra=hawkular-cassandra -n {{openshift_metrics_project}} register: metrics_cassandra_rc changed_when: "'No resources found' not in metrics_cassandra_rc.stderr" -- cgit v1.2.3 From 868e800a1325a726c24afc752033434a80d13b2d Mon Sep 17 00:00:00 2001 
From: Jeff Cantrill Date: Thu, 12 Jan 2017 16:52:23 -0500 Subject: additional cr fixes --- .../tasks/generate_hawkular_certificates.yaml | 27 +++++----- .../openshift_metrics/tasks/install_cassandra.yaml | 54 +++++++++++++++++++ .../openshift_metrics/tasks/install_hawkular.yaml | 60 ++-------------------- .../openshift_metrics/tasks/install_heapster.yaml | 7 +-- roles/openshift_metrics/tasks/install_metrics.yaml | 1 + .../openshift_metrics/tasks/setup_certificate.yaml | 41 ++++++++------- 6 files changed, 99 insertions(+), 91 deletions(-) create mode 100644 roles/openshift_metrics/tasks/install_cassandra.yaml (limited to 'roles') diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 1306d0ccd..489856c27 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
@@ -13,22 +13,26 @@ hostnames: hawkular-cassandra changed_when: no +- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd + register: cassandra_truststore_password + - name: check existing aliases on the hawkular-cassandra truststore shell: > keytool -noprompt -list -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore - -storepass "$(< - '{{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} | sed -n '7~2s/,.*$//p' register: hawkular_cassandra_truststore_aliases changed_when: false +- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd + register: hawkular_truststore_password + - name: check existing aliases on the hawkular-metrics truststore shell: > keytool -noprompt -list -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore - -storepass "$(< - '{{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} | sed -n '7~2s/,.*$//p' register: hawkular_metrics_truststore_aliases changed_when: false @@ -39,8 +43,7 @@ -alias hawkular-metrics -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} when: > 'hawkular-metrics' not in hawkular_cassandra_truststore_aliases.stdout_lines 
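Review bot: The `-storepass {{cassandra_truststore_password.content | b64decode }}` lines put the truststore password into the rendered command, which Ansible includes in the task result and in any log it writes, and the two new `slurp` tasks register the same secret base64-encoded in their output; the replaced `$(< file)` form kept it out of Ansible's view. Add `no_log: true` to the two `slurp` tasks and to each keytool task that interpolates the password, here and in the `@@ -39,8`, `@@ -51,8`, `@@ -63,8`, `@@ -75,8` and `@@ -89,8` hunks of this file. keytool also accepts `-storepass:file <path>`, which would keep the secret off the command line entirely and make the `slurp` tasks unnecessary. The interpolated value is unquoted inside `shell:`, which is only safe as long as the password generator emits shell-neutral characters — its alphabet is not visible in this hunk.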
@@ -51,8 +54,7 @@ -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} when: > 'hawkular-cassandra' not in hawkular_metrics_truststore_aliases.stdout_lines @@ -63,8 +65,7 @@ -alias hawkular-cassandra -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} when: > 'hawkular-cassandra' not in hawkular_cassandra_truststore_aliases.stdout_lines @@ -75,8 +76,7 @@ -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd')" + -storepass {{cassandra_truststore_password.content | b64decode }} with_items: - ca - metricca @@ -89,8 +89,7 @@ -alias '{{ item }}' -file '{{ openshift_metrics_certs_dir }}/ca.crt' -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass "$(< - '{{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd')" + -storepass {{ hawkular_truststore_password.content | b64decode }} with_items: - ca - metricca diff --git a/roles/openshift_metrics/tasks/install_cassandra.yaml b/roles/openshift_metrics/tasks/install_cassandra.yaml new file mode 100644 index 000000000..a9340acc3 --- /dev/null +++ b/roles/openshift_metrics/tasks/install_cassandra.yaml 
@@ -0,0 +1,54 @@ +--- +- shell: > + {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get rc hawkular-cassandra-{{node}} -o jsonpath='{.spec.replicas}' || echo 0 + vars: + node: "{{ item }}" + register: cassandra_replica_count + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false + failed_when: false + +- name: generate hawkular-cassandra replication controllers + template: + src: hawkular_cassandra_rc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-rc{{ item }}.yaml" + vars: + node: "{{ item }}" + master: "{{ (item == '1')|string|lower }}" + replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + changed_when: false + +- name: generate hawkular-cassandra persistent volume claims + template: + src: pvc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" + vars: + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" + labels: + metrics-infra: hawkular-cassandra + access_modes: + - ReadWriteOnce + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + when: openshift_metrics_cassandra_storage_type == 'pv' + changed_when: false + +- name: generate hawkular-cassandra persistent volume claims (dynamic) + template: + src: pvc.j2 + dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" + vars: + obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" + labels: + metrics-infra: hawkular-cassandra + annotations: + volume.alpha.kubernetes.io/storage-class: dynamic + access_modes: + - ReadWriteOnce + size: "{{ openshift_metrics_cassandra_pv_size }}" + with_sequence: count={{ openshift_metrics_cassandra_replicas }} + when: openshift_metrics_cassandra_storage_type == 'dynamic' + changed_when: false 
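Review bot: `|| echo 0` together with `failed_when: false` on the first task turns every failure of `oc get` — unreachable API, bad kubeconfig, missing permission — into a replica count of 0, and that count is rendered into `hawkular_cassandra_rc.j2` and later applied, so on an existing deployment a transient API error would scale the running Cassandra RCs to zero instead of failing the play. Mask only the not-found case: drop `|| echo 0` and `failed_when: false`, add `failed_when: cassandra_replica_count.rc != 0 and 'not found' not in cassandra_replica_count.stderr` (oc reports a missing object with a NotFound error on stderr), and render with `stdout | default(0, true)`. The same masking appears in the install_hawkular and install_heapster hunks of this commit, where `failed_when: false` replaces the `|| echo 0`.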
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 7c06bc1db..00f7b2554 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -1,9 +1,10 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-metrics -o jsonpath='{.spec.replicas}' || echo 0 + get rc hawkular-metrics -o jsonpath='{.spec.replicas}' register: hawkular_metrics_replica_count + failed_when: false changed_when: false - name: generate hawkular-metrics replication controller 
@@ -11,60 +12,7 @@ src: hawkular_metrics_rc.j2 dest: "{{ mktemp.stdout }}/templates/hawkular_metrics_rc.yaml" vars: - replica_count: "{{hawkular_metrics_replica_count.stdout}}" - changed_when: false - -- shell: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} - --config={{ mktemp.stdout }}/admin.kubeconfig - get rc hawkular-cassandra-{{node}} -o jsonpath='{.spec.replicas}' || echo 0 - vars: - node: "{{ item }}" - register: cassandra_replica_count - with_sequence: count={{ openshift_metrics_cassandra_replicas }} - changed_when: false - -- name: generate hawkular-cassandra replication controllers - template: - src: hawkular_cassandra_rc.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-rc{{ item }}.yaml" - vars: - node: "{{ item }}" - master: "{{ (item == '1')|string|lower }}" - replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}" - with_sequence: count={{ openshift_metrics_cassandra_replicas }} - changed_when: false - -- name: generate hawkular-cassandra persistent volume claims - template: - src: pvc.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" - vars: - obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" - labels: - metrics-infra: hawkular-cassandra - access_modes: - - ReadWriteOnce - size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ openshift_metrics_cassandra_replicas }} - when: openshift_metrics_cassandra_storage_type == 'pv' - changed_when: false - -- name: generate hawkular-cassandra persistent volume claims (dynamic) - template: - src: pvc.j2 - dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml" - vars: - obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}" - labels: - metrics-infra: hawkular-cassandra - annotations: - volume.alpha.kubernetes.io/storage-class: dynamic - access_modes: - - ReadWriteOnce - size: "{{ openshift_metrics_cassandra_pv_size }}" - with_sequence: count={{ 
openshift_metrics_cassandra_replicas }} - when: openshift_metrics_cassandra_storage_type == 'dynamic' + replica_count: "{{hawkular_metrics_replica_count.stdout | default(0)}}" changed_when: false - name: read hawkular-metrics route destination ca certificate diff --git a/roles/openshift_metrics/tasks/install_heapster.yaml b/roles/openshift_metrics/tasks/install_heapster.yaml index e650391a8..39df797ab 100644 --- a/roles/openshift_metrics/tasks/install_heapster.yaml +++ b/roles/openshift_metrics/tasks/install_heapster.yaml @@ -1,13 +1,14 @@ --- -- shell: > +- command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project | quote }} --config={{ mktemp.stdout }}/admin.kubeconfig - get rc heapster -o jsonpath='{.spec.replicas}' || echo 0 + get rc heapster -o jsonpath='{.spec.replicas}' register: heapster_replica_count + failed_when: false changed_when: no - name: Generate heapster replication controller template: src=heapster.j2 dest={{mktemp.stdout}}/templates/metrics-heapster-rc.yaml vars: - replica_count: "{{heapster_replica_count.stdout}}" + replica_count: "{{heapster_replica_count.stdout | default(0)}}" changed_when: no diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 5f4b84418..e550f6e8d 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -16,6 +16,7 @@ - support - heapster - hawkular + - cassandra loop_control: loop_var: include_file diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 07c8365b1..c185d3f88 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
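Review bot: `replica_count: "{{hawkular_metrics_replica_count.stdout | default(0)}}"` does not give the fallback it is meant to: Jinja's `default` only replaces an undefined value, and after a failed `oc get` (now tolerated by `failed_when: false` in the first hunk of this file) `stdout` is an empty string, so `replica_count` renders empty and the RC template receives no replica number. Pass the second argument so falsy values are replaced too: `replica_count: "{{ hawkular_metrics_replica_count.stdout | default(0, true) }}"`. The install_heapster hunk on this line has the identical `default(0)` and needs the same change. The `template:` task this line belongs to starts above the hunk (`src: hawkular_metrics_rc.j2` is its first visible line).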
@@ -11,20 +11,28 @@ --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists +- slurp: src={{item}} + register: component_certs + with_items: + - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' + - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' + when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - name: generate {{ component }} certificate - shell: > - cat - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' - > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.pem' + copy: + dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}" when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore - shell: > - tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' + copy: + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' when: > not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + +- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd + register: keystore_password - name: create the {{ component }} pkcs12 from the pem file command: 
> @@ -32,27 +40,24 @@ -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter - -password - 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' + -password 'pass:{{keystore_password.content | b64decode }}' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: create the {{ component }} keystore from the pkcs12 file - shell: > - p=$(< {{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd) - && + command: > keytool -v -importkeystore -srckeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote }}.pkcs12' -srcstoretype PKCS12 -destkeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote}}.keystore' -deststoretype JKS - -deststorepass "$p" - -srcstorepass "$p" + -deststorepass '{{keystore_password.content | b64decode }}' + -srcstorepass '{{keystore_password.content | b64decode }}' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - name: generate random password for the {{ component }} truststore - shell: > - tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' + copy: + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' when: > not '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists -- cgit v1.2.3 From e96de3d7eb0b0ce6a8df96d4e3afa02f0859b94b Mon Sep 17 00:00:00 2001 
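Review bot: The two `copy:` tasks added in the `@@ -11,20 +11,28 @@` hunk write the `.pem` (which now carries the private key, concatenated from the slurped `.key` and `.crt`) and the keystore password without a `mode:`, so both files get the umask-derived default, and their `content:` is shown in `--diff` output while the registered `component_certs` and `keystore_password` slurps echo the same material base64-encoded. Add `mode: "0600"` and `no_log: true` to both `copy:` tasks and `no_log: true` to the two `slurp` tasks. `dest: '{{ openshift_metrics_certs_dir | quote }}/...'` and `slurp: src={{item}}` with quoted items hand a shell-quoting filter to modules that never invoke a shell; a directory name with a space would produce a path containing literal quotes, so drop `| quote` from those paths (the `.pem` `dest:` in the same hunk already omits it). The `when: not ...pem|exists` on the `slurp` leaves `component_certs.results` with skipped entries when the pem exists, which is harmless only because the `copy:` is skipped on the same condition.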
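Review bot: `-password 'pass:{{keystore_password.content | b64decode }}'` replaces the previous `file:` form and so moves the PKCS12 password onto the openssl command line, where any local user can read it from the process list for the duration of the call, and into the rendered `cmd` in Ansible's output; the keytool `-srcstorepass`/`-deststorepass` lines in the same hunk now also carry it in the rendered command (before, `$p` was expanded by the shell, so it reached keytool's argv but not Ansible's log). Keep openssl on `-password 'file:{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'` and use keytool's `-srcstorepass:file`/`-deststorepass:file` modifiers with the same path, which also removes the need for the `keystore_password` slurp. Moving the keystore task from `shell:` to `command:` is otherwise an improvement. The `copy:` for the truststore password at the end of the hunk has no `mode:` either; `mode: "0600"` belongs there as well.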
From: Jeff Cantrill Date: Fri, 13 Jan 2017 12:19:55 -0500 Subject: properly set changes when oc apply --- roles/openshift_metrics/tasks/install_metrics.yaml | 16 ++++++----- roles/openshift_metrics/tasks/oc_apply.yaml | 31 ++++++++++++++++++++++ roles/openshift_metrics/tasks/start_metrics.yaml | 2 +- 3 files changed, 41 insertions(+), 8 deletions(-) create mode 100644 roles/openshift_metrics/tasks/oc_apply.yaml (limited to 'roles') diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index e550f6e8d..67d22cbc3 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -1,9 +1,9 @@ --- -- name: check that hawkular_metrics_hostname is set +- name: Check that hawkular_metrics_hostname is set fail: msg='the openshift_metrics_hawkular_hostname variable is required' when: openshift_metrics_hawkular_hostname is not defined -- name: check the value of openshift_metrics_cassandra_storage_type +- name: Check the value of openshift_metrics_cassandra_storage_type fail: msg: > openshift_metrics_cassandra_storage_type ({{ openshift_metrics_cassandra_storage_type }}) @@ -20,11 +20,13 @@ loop_control: loop_var: include_file -- name: create objects - command: > - {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} - --config={{ mktemp.stdout }}/admin.kubeconfig - apply -f {{ item }} +- name: Create objects + include: oc_apply.yaml + vars: + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + namespace: "{{ openshift_metrics_project }}" + file_name: "{{ item }}" + file_content: "{{ lookup('file',item) | from_yaml }}" with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/oc_apply.yaml b/roles/openshift_metrics/tasks/oc_apply.yaml new file mode 100644 index 000000000..c9154f206 --- /dev/null +++ b/roles/openshift_metrics/tasks/oc_apply.yaml 
@@ -0,0 +1,31 @@ +--- +- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}} + command: > + {{ openshift.common.client_binary }} + --config={{ kubeconfig }} + get {{file_content.kind}} {{file_content.metadata.name}} + -o jsonpath='{.metadata.resourceVersion}' + -n {{namespace}} + register: generation_init + changed_when: no + +- name: Applying {{file_name}} + command: > + {{ openshift.common.client_binary }} --config={{ kubeconfig }} + apply -f {{ file_name }} + -n {{ openshift_metrics_project }} + register: generation_apply + failed_when: "'error' in generation_apply.stderr" + changed_when: no + +- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}} + command: > + {{ openshift.common.client_binary }} --config={{ kubeconfig }} + get {{file_content.kind}} {{file_content.metadata.name}} + -o jsonpath='{.metadata.resourceVersion}' + -n {{namespace}} + register: version_changed + vars: + init_version: "{{ (generation_init is defined) | ternary(generation_init.stdout, '0') }}" + failed_when: "'error' in version_changed.stderr" + changed_when: version_changed.stdout | int > init_version | int diff --git a/roles/openshift_metrics/tasks/start_metrics.yaml b/roles/openshift_metrics/tasks/start_metrics.yaml index 31f303c86..c4cae4aff 100644 --- a/roles/openshift_metrics/tasks/start_metrics.yaml +++ b/roles/openshift_metrics/tasks/start_metrics.yaml @@ -43,7 +43,7 @@ -o name -n {{openshift_metrics_project}} register: metrics_heapster_rc - check_mode: no + changed_when: no - name: Start Heapster include: scale.yaml -- cgit v1.2.3 From 65eb7e43faf38698b22b90ad3c743d1fecdc0961 Mon Sep 17 00:00:00 2001 
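Review bot: `failed_when: "'error' in generation_apply.stderr"` on the Applying task replaces Ansible's default non-zero-rc check for `command`, so an `oc apply` that exits non-zero with a message not containing the literal `error` is reported as success and the resourceVersion comparison afterwards decides the outcome silently; `failed_when: generation_apply.rc != 0 or 'error' in generation_apply.stderr` keeps both signals, and the same applies to the third task. The apply task uses `-n {{ openshift_metrics_project }}` while both `get` tasks use the `namespace` variable the include passes in, so a caller supplying a different `namespace` would compare resourceVersions of an object in one project against an apply in another; `-n {{ namespace }}` makes the three agree. Comparing `metadata.resourceVersion` with `| int` also assumes it is numeric, which the Kubernetes API documents as an opaque string, so `changed_when: version_changed.stdout != init_version` is the safer test.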
From: Jeff Cantrill Date: Tue, 17 Jan 2017 11:42:23 -0500 Subject: use pod to generate keystores (#14) --- roles/openshift_metrics/files/import_jks_certs.sh | 118 ++++++++++++++++++++ roles/openshift_metrics/meta/main.yaml | 28 ++--- .../tasks/generate_hawkular_certificates.yaml | 97 ++--------------- .../openshift_metrics/tasks/import_jks_certs.yaml | 120 +++++++++++++++++++++ roles/openshift_metrics/tasks/install_metrics.yaml | 8 +- roles/openshift_metrics/tasks/oc_apply.yaml | 7 +- .../openshift_metrics/tasks/setup_certificate.yaml | 21 +--- roles/openshift_metrics/tasks/stop_metrics.yaml | 1 - roles/openshift_metrics/templates/jks_pod.j2 | 38 +++++++ 9 files changed, 309 insertions(+), 129 deletions(-) create mode 100755 roles/openshift_metrics/files/import_jks_certs.sh create mode 100644 roles/openshift_metrics/tasks/import_jks_certs.yaml create mode 100644 roles/openshift_metrics/templates/jks_pod.j2 (limited to 'roles') diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh new file mode 100755 index 000000000..bb046df87 --- /dev/null +++ b/roles/openshift_metrics/files/import_jks_certs.sh 
@@ -0,0 +1,118 @@ +#!/bin/bash +# +# Copyright 2014-2015 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -ex + +function import_certs() { + dir=$CERT_DIR + hawkular_metrics_keystore_password=$(echo $METRICS_KEYSTORE_PASSWD | base64 -d) + hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d) + hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d) + hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d) + hawkular_jgroups_password=$(echo $JGROUPS_PASSWD | base64 -d) + + cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'` + hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'` + + if [ ! -f $dir/hawkular-metrics.keystore ]; then + echo "Creating the Hawkular Metrics keystore from the PEM file" + keytool -importkeystore -v \ + -srckeystore $dir/hawkular-metrics.pkcs12 \ + -destkeystore $dir/hawkular-metrics.keystore \ + -srcstoretype PKCS12 \ + -deststoretype JKS \ + -srcstorepass $hawkular_metrics_keystore_password \ + -deststorepass $hawkular_metrics_keystore_password + fi + + if [ ! 
-f $dir/hawkular-cassandra.keystore ]; then + echo "Creating the Hawkular Cassandra keystore from the PEM file" + keytool -importkeystore -v \ + -srckeystore $dir/hawkular-cassandra.pkcs12 \ + -destkeystore $dir/hawkular-cassandra.keystore \ + -srcstoretype PKCS12 \ + -deststoretype JKS \ + -srcstorepass $hawkular_cassandra_keystore_password \ + -deststorepass $hawkular_cassandra_keystore_password + fi + + if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then + echo "Importing the Hawkular Certificate into the Cassandra Truststore" + keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \ + -file $dir/hawkular-metrics.crt \ + -keystore $dir/hawkular-cassandra.truststore \ + -trustcacerts \ + -storepass $hawkular_cassandra_truststore_password + fi + + if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then + echo "Importing the Cassandra Certificate into the Hawkular Truststore" + keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ + -file $dir/hawkular-cassandra.crt \ + -keystore $dir/hawkular-metrics.truststore \ + -trustcacerts \ + -storepass $hawkular_metrics_truststore_password + fi + + if [[ ! ${cassandra_alias[*]} =~ hawkular-cassandra ]]; then + echo "Importing the Hawkular Cassandra Certificate into the Cassandra Truststore" + keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \ + -file $dir/hawkular-cassandra.crt \ + -keystore $dir/hawkular-cassandra.truststore \ + -trustcacerts \ + -storepass $hawkular_cassandra_truststore_password + fi + + cert_alias_names=(ca metricca cassandraca) + + for cert_alias in ${cert_alias_names[*]}; do + if [[ ! 
${cassandra_alias[*]} =~ "$cert_alias" ]]; then + echo "Importing the CA Certificate with alias $cert_alias into the Cassandra Truststore" + keytool -noprompt -import -v -trustcacerts -alias $cert_alias \ + -file ${dir}/ca.crt \ + -keystore $dir/hawkular-cassandra.truststore \ + -trustcacerts \ + -storepass $hawkular_cassandra_truststore_password + fi + done + + for cert_alias in ${cert_alias_names[*]}; do + if [[ ! ${hawkular_alias[*]} =~ "$cert_alias" ]]; then + echo "Importing the CA Certificate with alias $cert_alias into the Hawkular Metrics Truststore" + keytool -noprompt -import -v -trustcacerts -alias $cert_alias \ + -file ${dir}/ca.crt \ + -keystore $dir/hawkular-metrics.truststore \ + -trustcacerts \ + -storepass $hawkular_metrics_truststore_password + fi + done + + if [ ! -f $dir/hawkular-jgroups.keystore ]; then + echo "Generating the jgroups keystore" + keytool -genseckey -alias hawkular -keypass ${hawkular_jgroups_password} \ + -storepass ${hawkular_jgroups_password} \ + -keyalg Blowfish \ + -keysize 56 \ + -keystore $dir/hawkular-jgroups.keystore \ + -storetype JCEKS + fi +} + +import_certs + +exit 0 diff --git a/roles/openshift_metrics/meta/main.yaml b/roles/openshift_metrics/meta/main.yaml index 567584079..68e94992e 100644 --- a/roles/openshift_metrics/meta/main.yaml +++ b/roles/openshift_metrics/meta/main.yaml 
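Review bot: `set -ex` at the top of the script traces every keytool invocation, including the `-storepass`, `-srcstorepass`, `-deststorepass` and `-keypass` arguments, to stderr, and this script is the command of the `jks-cert-gen` pod added in the same commit, so every keystore and truststore password ends up in `oc logs` for that pod and in any log aggregation the cluster does. Drop the `-x` (`set -e` plus the existing `echo` lines already say what is happening), or wrap the keytool calls in `set +x` / `set -x`. The alias discovery via `sed -n '7~2s/,.*$//p'` depends on the exact layout of `keytool -list` output (seventh line onward, every second line), which changes across JDK versions and locales; `keytool -list -alias "$name" …` per alias, or filtering on the `, ` separator, is less brittle. The `-keyalg Blowfish -keysize 56` jgroups key is carried over from the removed Ansible task, but a 56-bit secret key is far below current guidance; whether it can be changed depends on the JGroups ENCRYPT configuration, which this diff does not show.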
@@ -1,18 +1,18 @@ --- galaxy_info: - author: OpenShift Development - description: Deploy OpenShift metrics integration for the cluster - company: Red Hat, Inc. - license: license (Apache) - min_ansible_version: 2.2 - platforms: - - name: EL - versions: - - 7 - - name: Fedora - versions: - - all - categories: - - openshift + author: OpenShift Development + description: Deploy OpenShift metrics integration for the cluster + company: Red Hat, Inc. + license: license (Apache) + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + - name: Fedora + versions: + - all + categories: + - openshift dependencies: - { role: openshift_facts } diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 489856c27..9cf4afee0 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml 
@@ -13,93 +13,16 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd register: cassandra_truststore_password -- name: check existing aliases on the hawkular-cassandra truststore - shell: > - keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-cassandra.truststore - -storepass {{cassandra_truststore_password.content | b64decode }} - | sed -n '7~2s/,.*$//p' - register: hawkular_cassandra_truststore_aliases - changed_when: false - -- slurp: src={{ openshift_metrics_certs_dir|quote }}/hawkular-metrics-truststore.pwd +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password -- name: check existing aliases on the hawkular-metrics truststore - shell: > - keytool -noprompt -list - -keystore {{ openshift_metrics_certs_dir|quote }}/hawkular-metrics.truststore - -storepass {{ hawkular_truststore_password.content | b64decode }} - | sed -n '7~2s/,.*$//p' - register: hawkular_metrics_truststore_aliases - changed_when: false - -- name: import the hawkular metrics cert into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-metrics - -file '{{ openshift_metrics_certs_dir }}/hawkular-metrics.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - when: > - 'hawkular-metrics' not in - hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the hawkular cassandra cert into the hawkular metrics truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass {{ 
hawkular_truststore_password.content | b64decode }} - when: > - 'hawkular-cassandra' not in - hawkular_metrics_truststore_aliases.stdout_lines - -- name: import the hawkular cassandra cert into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias hawkular-cassandra - -file '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - when: > - 'hawkular-cassandra' not in - hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the ca certificate into the cassandra truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ openshift_metrics_certs_dir }}/ca.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-cassandra.truststore' - -storepass {{cassandra_truststore_password.content | b64decode }} - with_items: - - ca - - metricca - - cassandraca - when: item not in hawkular_cassandra_truststore_aliases.stdout_lines - -- name: import the ca certificate into the hawkular metrics truststore - command: > - keytool -noprompt -import -v -trustcacerts - -alias '{{ item }}' - -file '{{ openshift_metrics_certs_dir }}/ca.crt' - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-metrics.truststore' - -storepass {{ hawkular_truststore_password.content | b64decode }} - with_items: - - ca - - metricca - - cassandraca - when: item not in hawkular_metrics_truststore_aliases.stdout_lines - - name: generate password for hawkular metrics and jgroups - shell: > - tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c15 - > '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + copy: + dest: '{{ openshift_metrics_certs_dir }}/{{ item }}.pwd' + content: "{{ 15 | oo_random_word }}" with_items: - hawkular-metrics - hawkular-jgroups-keystore 
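Review bot: The new `copy` task at the end of the hunk writes `{{ 15 | oo_random_word }}` into `hawkular-metrics.pwd` and `hawkular-jgroups-keystore.pwd` with no `mode`, so the password files take the remote umask default (commonly world-readable), and the `copy` module shows `content` in `--diff`/verbose output since the task has no `no_log`. Add `mode: "0600"` and `no_log: true` to the task. `oo_random_word` is a project filter whose entropy source is not visible here; the replaced `tr -dc … < /dev/urandom` was explicit about drawing from the kernel CSPRNG, so it is worth confirming the filter uses `random.SystemRandom` or `secrets` rather than Python's default `random`.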
@@ -113,15 +36,7 @@ when: > not '{{ openshift_metrics_certs_dir }}/hawkular-metrics.htpasswd'|exists -- name: generate the jgroups keystore - shell: > - p=$(< '{{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd' ) - && - keytool -genseckey -alias hawkular - -keypass "$p" -storepass "$p" -keyalg Blowfish -keysize 56 -storetype JCEKS - -keystore '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore' - when: > - not '{{ openshift_metrics_certs_dir }}/hawkular-jgroups.keystore'|exists +- include: import_jks_certs.yaml - name: read files for the hawkular-metrics secret shell: > diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml new file mode 100644 index 000000000..f6bf6c1a6 --- /dev/null +++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml 
@@ -0,0 +1,120 @@ +--- +- name: Check for jks-generator service account + command: > + {{ openshift.common.client_binary }} + --config={{ mktemp.stdout }}/admin.kubeconfig + -n {{openshift_metrics_project}} + get serviceaccount/jks-generator --no-headers + register: serviceaccount_result + ignore_errors: yes + when: not ansible_check_mode + changed_when: no + +- name: Create jks-generator service account + command: > + {{ openshift.common.client_binary }} + --config={{ mktemp.stdout }}/admin.kubeconfig + -n {{openshift_metrics_project}} + create serviceaccount jks-generator + when: not ansible_check_mode and "not found" in serviceaccount_result.stderr + +- name: Check for hostmount-anyuid scc entry + command: > + {{ openshift.common.client_binary }} + --config={{ mktemp.stdout }}/admin.kubeconfig + get scc hostmount-anyuid + -o jsonpath='{.users}' + register: scc_result + when: not ansible_check_mode + changed_when: no + +- name: Add to hostmount-anyuid scc + command: > + {{ openshift.common.admin_binary }} + --config={{ mktemp.stdout }}/admin.kubeconfig + -n {{openshift_metrics_project}} + policy add-scc-to-user hostmount-anyuid + -z jks-generator + when: + - not ansible_check_mode + - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1 + +- name: Copy JKS generation script + copy: + src: import_jks_certs.sh + dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh" + check_mode: no + +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd + register: metrics_keystore_password + +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd + register: cassandra_keystore_password + +- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd + register: jgroups_keystore_password + +- name: Generate JKS pod template + template: + src: jks_pod.j2 + dest: "{{mktemp.stdout}}/jks_pod.yaml" + vars: + metrics_keystore_passwd: "{{metrics_keystore_password.content}}" + 
cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}" + metrics_truststore_passwd: "{{hawkular_truststore_password.content}}" + cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}" + jgroups_passwd: "{{jgroups_keystore_password.content}}" + check_mode: no + changed_when: no + +- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore" + register: metrics_keystore + check_mode: no + +- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore" + register: cassandra_keystore + check_mode: no + +- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore" + register: cassandra_truststore + check_mode: no + +- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore" + register: metrics_truststore + check_mode: no + +- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore" + register: jgroups_keystore + check_mode: no + +- name: create JKS pod + command: > + {{ openshift.common.client_binary }} + --config={{ mktemp.stdout }}/admin.kubeconfig + -n {{openshift_metrics_project}} + create -f {{mktemp.stdout}}/jks_pod.yaml + -o name + register: podoutput + check_mode: no + when: not metrics_keystore.stat.exists or + not metrics_truststore.stat.exists or + not cassandra_keystore.stat.exists or + not cassandra_truststore.stat.exists or + not jgroups_keystore.stat.exists + +- command: > + {{ openshift.common.client_binary }} + --config={{ mktemp.stdout }}/admin.kubeconfig + -n {{openshift_metrics_project}} + get {{podoutput.stdout}} + -o jsonpath='{.status.phase}' + register: result + until: result.stdout.find("Succeeded") != -1 + retries: 5 + delay: 10 + changed_when: no + when: not metrics_keystore.stat.exists or + not metrics_truststore.stat.exists or + not cassandra_keystore.stat.exists or + not cassandra_truststore.stat.exists or + not jgroups_keystore.stat.exists 
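Review bot: The `Add to hostmount-anyuid scc` task grants the `jks-generator` service account the `hostmount-anyuid` SCC permanently, and nothing in this file revokes it or deletes the service account or the generated pod once the keystores exist, so any principal who can create pods with that SA in `{{ openshift_metrics_project }}` keeps hostPath access to the certificate directory after the one-time job. Add `policy remove-scc-from-user hostmount-anyuid -z jks-generator` and `delete {{ podoutput.stdout }}` after the wait task succeeds. That wait task retries `until: result.stdout.find("Succeeded") != -1` five times at 10 s and then fails without reporting the pod phase or its logs; checking for `Failed` and printing `oc logs {{ podoutput.stdout }}` on that path would make a bad image or an SCC denial diagnosable instead of a bare timeout. The `stat` checks run on the Ansible target while the pod mounts the same path as `hostPath`, and the pod template this commit adds pins no node, so on a multi-node cluster the pod may be scheduled where `{{ openshift_metrics_certs_dir }}` does not exist — hedged, since the play's target host is not visible here.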
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 67d22cbc3..bab37dbfb 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -23,10 +23,10 @@ - name: Create objects include: oc_apply.yaml vars: - kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - namespace: "{{ openshift_metrics_project }}" - file_name: "{{ item }}" - file_content: "{{ lookup('file',item) | from_yaml }}" + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + namespace: "{{ openshift_metrics_project }}" + file_name: "{{ item }}" + file_content: "{{ lookup('file',item) | from_yaml }}" with_fileglob: - "{{ mktemp.stdout }}/templates/*.yaml" diff --git a/roles/openshift_metrics/tasks/oc_apply.yaml b/roles/openshift_metrics/tasks/oc_apply.yaml index c9154f206..dd67703b4 100644 --- a/roles/openshift_metrics/tasks/oc_apply.yaml +++ b/roles/openshift_metrics/tasks/oc_apply.yaml @@ -1,12 +1,13 @@ --- - name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}} command: > - {{ openshift.common.client_binary }} + {{ openshift.common.client_binary }} --config={{ kubeconfig }} get {{file_content.kind}} {{file_content.metadata.name}} - -o jsonpath='{.metadata.resourceVersion}' + -o jsonpath='{.metadata.resourceVersion}' -n {{namespace}} register: generation_init + failed_when: false changed_when: no - name: Applying {{file_name}} @@ -22,7 +23,7 @@ command: > {{ openshift.common.client_binary }} --config={{ kubeconfig }} get {{file_content.kind}} {{file_content.metadata.name}} - -o jsonpath='{.metadata.resourceVersion}' + -o jsonpath='{.metadata.resourceVersion}' -n {{namespace}} register: version_changed vars: diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index c185d3f88..5ca8f4462 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml 
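Review bot: In the oc_apply.yaml hunk, `failed_when: false` on the first `get` swallows every failure, not only "not found": on an auth or connectivity error `generation_init.stdout` is empty, `init_version` becomes `''`, `| int` turns that into 0, and the subsequent `changed_when: version_changed.stdout | int > init_version | int` reports every apply as changed. Narrow it to `failed_when: generation_init.rc != 0 and 'not found' not in generation_init.stderr` so only the expected missing-object case is tolerated. The `(generation_init is defined) | ternary(...)` guard in the third task (outside this hunk) is always true once the first task has registered, so it does not compensate for this.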
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml @@ -26,11 +26,11 @@ - name: generate random password for the {{ component }} keystore copy: - content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd' + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' when: > not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists - + - slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd register: keystore_password @@ -43,21 +43,10 @@ -password 'pass:{{keystore_password.content | b64decode }}' when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists -- name: create the {{ component }} keystore from the pkcs12 file - command: > - keytool -v -importkeystore - -srckeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote }}.pkcs12' - -srcstoretype PKCS12 - -destkeystore '{{ openshift_metrics_certs_dir | quote }}/{{ component | quote}}.keystore' - -deststoretype JKS - -deststorepass '{{keystore_password.content | b64decode }}' - -srcstorepass '{{keystore_password.content | b64decode }}' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.keystore'|exists - - name: generate random password for the {{ component }} truststore copy: - content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' + content: "{{ 15 | oo_random_word }}" + dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' when: > not '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists diff --git a/roles/openshift_metrics/tasks/stop_metrics.yaml b/roles/openshift_metrics/tasks/stop_metrics.yaml index 524d4227b..bae181e3e 100644 --- a/roles/openshift_metrics/tasks/stop_metrics.yaml +++ b/roles/openshift_metrics/tasks/stop_metrics.yaml 
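Review bot: The `generate random password for the {{ component }} keystore` task still writes the password file with no `mode` and no `no_log`, so the file takes the remote umask default and the generated secret is printed in the task's diff output under `--diff` or `-v`; `mode: "0600"` and `no_log: true` address both, and the same applies to the truststore task in the second hunk. The first hunk drops `| quote` from `dest` while the second hunk keeps it on the truststore `dest`; `quote` is a shell-escaping filter and has no role in a `copy` path, so removing it from the truststore task too keeps the pair consistent and avoids a mangled path if the directory ever contains a shell-special character.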
@@ -53,4 +53,3 @@ loop_control: loop_var: object when: metrics_cassandra_rc is defined - diff --git a/roles/openshift_metrics/templates/jks_pod.j2 b/roles/openshift_metrics/templates/jks_pod.j2 new file mode 100644 index 000000000..e86fe38a4 --- /dev/null +++ b/roles/openshift_metrics/templates/jks_pod.j2 @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + metrics-infra: support + generateName: jks-cert-gen- +spec: + containers: + - name: jks-cert-gen + image: {{openshift_metrics_image_prefix}}metrics-deployer:{{openshift_metrics_image_version}} + imagePullPolicy: Always + command: ["sh", "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"] + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: {{openshift_metrics_certs_dir}} + name: certmount + env: + - name: CERT_DIR + value: {{openshift_metrics_certs_dir}} + - name: METRICS_KEYSTORE_PASSWD + value: {{metrics_keystore_passwd}} + - name: CASSANDRA_KEYSTORE_PASSWD + value: {{cassandra_keystore_passwd}} + - name: METRICS_TRUSTSTORE_PASSWD + value: {{metrics_truststore_passwd}} + - name: CASSANDRA_TRUSTSTORE_PASSWD + value: {{cassandra_truststore_passwd}} + - name: hawkular_cassandra_alias + value: {{cassandra_keystore_passwd}} + - name: JGROUPS_PASSWD + value: {{jgroups_passwd}} + restartPolicy: Never + serviceAccount: jks-generator + volumes: + - hostPath: + path: "{{openshift_metrics_certs_dir}}" + name: certmount -- cgit v1.2.3
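Review bot: The jks_pod.j2 spec carries every keystore and truststore password as a plain `env` `value` (`METRICS_KEYSTORE_PASSWD`, `CASSANDRA_KEYSTORE_PASSWD`, `METRICS_TRUSTSTORE_PASSWD`, `CASSANDRA_TRUSTSTORE_PASSWD`, `JGROUPS_PASSWD`), base64 being an encoding rather than protection, so anyone with `get pods` in `{{ openshift_metrics_project }}` can read them for as long as the pod object exists; placing them in a Secret and using `valueFrom.secretKeyRef` keeps them behind the secrets RBAC, and deleting the pod after success shortens the window. `hawkular_cassandra_alias` is set to `{{cassandra_keystore_passwd}}`, which looks like a copy-paste slip: the script added in this commit never reads that variable and it merely duplicates the Cassandra keystore password under an unrelated name, so it should be removed. `runAsUser: 0` plus the `hostPath` mount is what the `hostmount-anyuid` grant exists for, but the template pins no `nodeName`/`nodeSelector`, so on a multi-node cluster the pod may land on a node where that directory does not hold the certificates; pinning it to the host the role generated them on is needed unless the play already guarantees that, which is not visible here. The stop_metrics.yaml hunk on this line is whitespace only.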