authorJeff Cantrill <jcantrill@users.noreply.github.com>2017-01-06 11:23:28 -0500
committerJeff Cantrill <jcantril@redhat.com>2017-01-17 11:45:04 -0500
commit1e8928c96627218fdc422bfa3731f790699abfbb (patch)
tree32e948c473ac1bc359fb1318db1226a4c5646fc5
parent765fb5ce39fdca0b56a23f6d13650fe16debf20a (diff)
User provided certs pushed from control. vars reorg (#12)
Merging per discussion and agreement from @bbguimaraes
-rw-r--r--roles/openshift_metrics/README.md14
-rw-r--r--roles/openshift_metrics/defaults/main.yaml27
-rw-r--r--roles/openshift_metrics/tasks/generate_certificates.yaml2
-rw-r--r--roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml2
-rw-r--r--roles/openshift_metrics/tasks/install_hawkular.yaml47
-rw-r--r--roles/openshift_metrics/tasks/install_metrics.yaml4
-rw-r--r--roles/openshift_metrics/templates/route.j212
-rw-r--r--roles/openshift_metrics/vars/main.yaml6
8 files changed, 79 insertions, 35 deletions
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
index 8c67d193d..f4c47c7bb 100644
--- a/roles/openshift_metrics/README.md
+++ b/roles/openshift_metrics/README.md
@@ -25,17 +25,17 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml).
- `openshift_metrics_image_version`: Specify version for metrics components; e.g. for
"openshift/origin-metrics-deployer:v1.1", set version "v1.1".
-- `openshift_metrics_master_url`: Internal URL for the master, for authentication retrieval.
+- `openshift_metrics_hawkular_cert:` The certificate used for re-encrypting the route
+ to Hawkular metrics. The certificate must contain the hostname used by the route.
+ The default router certificate will be used if unspecified
-- `openshift_metrics_hawkular_user_write_access`: If user accounts should be able to write
- metrics. Defaults to 'false' so that only Heapster can write metrics and not
- individual users. It is recommended to disable user write access, if enabled
- any user will be able to write metrics to the system which can affect
- performance and use Cassandra disk usage to unpredictably increase.
+- `openshift_metrics_hawkular_key:` The key used with the Hawkular certificate
+
+- `openshift_metrics_hawkular_ca:` An optional certificate used to sign the Hawkular certificate.
- `openshift_metrics_hawkular_replicas:` The number of replicas for Hawkular metrics.
-- `openshift_metrics_cassandra_nodes`: The number of Cassandra Nodes to deploy for the
+- `openshift_metrics_cassandra_replicas`: The number of Cassandra nodes to deploy for the
initial cluster.
- `openshift_metrics_cassandra_storage_type`: Use `emptydir` for ephemeral storage (for
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
index c27943220..b99adf779 100644
--- a/roles/openshift_metrics/defaults/main.yaml
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -3,22 +3,19 @@ openshift_metrics_start_cluster: True
openshift_metrics_install_metrics: True
openshift_metrics_image_prefix: docker.io/openshift/origin-
openshift_metrics_image_version: latest
-openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local
-openshift_metrics_project: openshift-infra
-openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
openshift_metrics_startup_timeout: 500
-openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
-openshift_metrics_hawkular_user_write_access: False
openshift_metrics_hawkular_replicas: 1
openshift_metrics_hawkular_limits_memory: 2.5G
openshift_metrics_hawkular_limits_cpu: null
openshift_metrics_hawkular_requests_memory: 1.5G
openshift_metrics_hawkular_requests_cpu: null
+openshift_metrics_hawkular_cert: ""
+openshift_metrics_hawkular_key: ""
+openshift_metrics_hawkular_ca: ""
-openshift_metrics_cassandra_nodes: 1
+openshift_metrics_cassandra_replicas: 1
openshift_metrics_cassandra_storage_type: emptydir
-openshift_metrics_cassandra_pv_prefix: metrics-cassandra
openshift_metrics_cassandra_pv_size: 10Gi
openshift_metrics_cassandra_limits_memory: 2G
openshift_metrics_cassandra_limits_cpu: null
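Review bot: The new `openshift_metrics_hawkular_cert`/`_key`/`_ca` defaults on the `+` lines carry no comment saying what kind of value they take; the tasks consume them through `lookup('file', ...)`, which reads on the Ansible control host, so they are controller-side file paths rather than PEM contents, and an empty string means the route keeps the default router certificate. A comment above the three lines would stop users from pasting certificate bodies here, e.g. `# Paths on the Ansible control host to PEM files for the hawkular-metrics re-encrypt route; leave empty to use the default router certificate`. The README entry added in this commit calls them "the certificate", which reads as content rather than path, so the comment here is the place to settle it.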
@@ -26,7 +23,6 @@ openshift_metrics_cassandra_requests_memory: 1G
openshift_metrics_cassandra_requests_cpu: null
openshift_metrics_heapster_standalone: False
-openshift_metrics_heapster_allowed_users: system:master-proxy
openshift_metrics_heapster_limits_memory: 3.75G
openshift_metrics_heapster_limits_cpu: null
openshift_metrics_heapster_requests_memory: 0.9375G
@@ -34,4 +30,19 @@ openshift_metrics_heapster_requests_cpu: null
openshift_metrics_duration: 7
openshift_metrics_resolution: 15s
+
+#####
+# Caution should be taken for the following defaults before
+# overriding the values here
+#####
+
+openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
+openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local
openshift_metrics_node_id: nodename
+openshift_metrics_project: openshift-infra
+
+openshift_metrics_cassandra_pv_prefix: metrics-cassandra
+
+openshift_metrics_hawkular_user_write_access: False
+
+openshift_metrics_heapster_allowed_users: system:master-proxy
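Review bot: The "Caution should be taken" header on the `+` lines never says what the caution is, and the explanation the README gave for `openshift_metrics_hawkular_user_write_access` (enabling it lets any user, not only Heapster, write metrics, which can hurt performance and grow Cassandra disk usage unpredictably) is deleted from the README in this same commit, so that guidance now lives nowhere. Carry it over as a comment above the variable, e.g. `# Leave False: when enabled any authenticated user may write metrics, not just Heapster, which can degrade performance and grow Cassandra storage unpredictably`, and give `openshift_metrics_heapster_allowed_users` a one-line note on what the listed identity is granted, if that is its role. Style: `False` on that line is the Python-style spelling; `false` is the canonical YAML form (yamllint `truthy`).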
diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml
index 66cfbca03..16a967aa7 100644
--- a/roles/openshift_metrics/tasks/generate_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_certificates.yaml
@@ -4,6 +4,7 @@
path: "{{ openshift_metrics_certs_dir }}"
state: directory
mode: 0700
+
- name: list existing secrets
command: >
{{ openshift.common.client_binary }} -n {{ openshift_metrics_project }}
@@ -11,6 +12,7 @@
get secrets -o name
register: metrics_secrets
changed_when: false
+
- name: generate ca certificate chain
shell: >
{{ openshift.common.admin_binary }} ca create-signer-cert
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
index 4e032ca7e..f36175735 100644
--- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -3,7 +3,7 @@
include: setup_certificate.yaml
vars:
component: hawkular-metrics
- hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_metrics_hostname }}"
+ hostnames: "hawkular-metrics,{{ openshift_metrics_hawkular_hostname }}"
- name: generate hawkular-cassandra certificates
include: setup_certificate.yaml
vars:
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
index 1acc8948d..34a8c58b8 100644
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
@@ -11,7 +11,7 @@
vars:
node: "{{ item }}"
master: "{{ (item == '1')|string|lower }}"
- with_sequence: count={{ openshift_metrics_cassandra_nodes }}
+ with_sequence: count={{ openshift_metrics_cassandra_replicas }}
- name: generate hawkular-cassandra persistent volume claims
template:
@@ -24,7 +24,7 @@
access_modes:
- ReadWriteOnce
size: "{{ openshift_metrics_cassandra_pv_size }}"
- with_sequence: count={{ openshift_metrics_cassandra_nodes }}
+ with_sequence: count={{ openshift_metrics_cassandra_replicas }}
when: openshift_metrics_cassandra_storage_type == 'pv'
- name: generate hawkular-cassandra persistent volume claims (dynamic)
@@ -40,25 +40,38 @@
access_modes:
- ReadWriteOnce
size: "{{ openshift_metrics_cassandra_pv_size }}"
- with_sequence: count={{ openshift_metrics_cassandra_nodes }}
+ with_sequence: count={{ openshift_metrics_cassandra_replicas }}
when: openshift_metrics_cassandra_storage_type == 'dynamic'
- name: read hawkular-metrics route destination ca certificate
slurp: src={{ openshift_metrics_certs_dir }}/ca.crt
register: metrics_route_dest_ca_cert
-- name: generate the hawkular-metrics route
- template:
- src: route.j2
- dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml"
- vars:
- name: hawkular-metrics
- labels:
- metrics-infra: hawkular-metrics
- host: "{{ openshift_metrics_hawkular_metrics_hostname }}"
- to:
- kind: Service
+- block:
+ - set_fact: hawkular_key={{ lookup('file', openshift_metrics_hawkular_key) }}
+ when: openshift_metrics_hawkular_key | exists
+
+ - set_fact: hawkular_cert={{ lookup('file', openshift_metrics_hawkular_cert) }}
+ when: openshift_metrics_hawkular_cert | exists
+
+ - set_fact: hawkular_ca={{ lookup('file', openshift_metrics_hawkular_ca) }}
+ when: openshift_metrics_hawkular_ca | exists
+
+ - name: generate the hawkular-metrics route
+ template:
+ src: route.j2
+ dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-route.yaml"
+ vars:
name: hawkular-metrics
- tls:
- termination: reencrypt
- destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content }}"
+ labels:
+ metrics-infra: hawkular-metrics
+ host: "{{ openshift_metrics_hawkular_hostname }}"
+ to:
+ kind: Service
+ name: hawkular-metrics
+ tls:
+ termination: reencrypt
+ key: "{{ hawkular_key | default('') }}"
+ certificate: "{{ hawkular_cert | default('') }}"
+ ca_certificate: "{{ hawkular_ca | default('') }}"
+ destination_ca_certificate: "{{ metrics_route_dest_ca_cert.content | b64decode }}"
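Review bot: The three `set_fact` tasks at the top of the new block load a private key and certificates into facts without `no_log: true`, so with `-v` or a logging callback the task result prints the PEM private key into the run output; add `no_log: true` at least to the `hawkular_key` task. The `when: ... | exists` guards also mean a path that is set but wrong is skipped silently and the route quietly ends up on the default router certificate, and a certificate supplied without its key (or vice versa) reaches the template as a half-empty tls stanza; a `fail` when a non-empty path does not exist, or when only one of cert/key is given, would surface that at install time instead of as a rejected route. The rendered route under `{{ mktemp.stdout }}` holds the key in clear text as well; that directory's mode and cleanup are outside this hunk. Style: the `set_fact: hawkular_key={{ ... }}` key=value shorthand is better written as block YAML, `set_fact:` followed by `hawkular_key: "{{ lookup('file', openshift_metrics_hawkular_key) }}"`.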
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index a6a094a83..b45629b70 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -1,7 +1,7 @@
---
- name: check that hawkular_metrics_hostname is set
- fail: msg='the openshift_metrics_hawkular_metrics_hostname variable is required'
- when: openshift_metrics_hawkular_metrics_hostname is not defined
+ fail: msg='the openshift_metrics_hawkular_hostname variable is required'
+ when: openshift_metrics_hawkular_hostname is not defined
- name: check the value of openshift_metrics_cassandra_storage_type
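Review bot: The task name on the context line `- name: check that hawkular_metrics_hostname is set` still carries the old variable name while the `+` lines now test `openshift_metrics_hawkular_hostname`; rename it to `check that openshift_metrics_hawkular_hostname is set` so the failing task in the play output names the variable the user actually has to set.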
fail:
diff --git a/roles/openshift_metrics/templates/route.j2 b/roles/openshift_metrics/templates/route.j2
index a720c4959..08ca87288 100644
--- a/roles/openshift_metrics/templates/route.j2
+++ b/roles/openshift_metrics/templates/route.j2
@@ -16,6 +16,18 @@ spec:
{% if tls is defined %}
tls:
termination: {{ tls.termination }}
+{% if tls.ca_certificate is defined and tls.ca_certificate | length > 0 %}
+ CACertificate: |
+{{ tls.ca_certificate|indent(6, true) }}
+{% endif %}
+{% if tls.key is defined and tls.key | length > 0 %}
+ key: |
+{{ tls.key|indent(6, true) }}
+{% endif %}
+{% if tls.certificate is defined and tls.certificate | length > 0 %}
+ certificate: |
+{{ tls.certificate|indent(6, true) }}
+{% endif %}
{% if tls.termination == 'reencrypt' %}
destinationCACertificate: |
{{ tls.destination_ca_certificate|indent(6, true) }}
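Review bot: The added `CACertificate: |` key does not match the Route API, which spells the field `caCertificate` — the same camelCase the existing `destinationCACertificate` two lines below uses; API servers of that era tend to drop unknown fields rather than reject them, so the user-supplied CA bundle would most likely be ignored silently and the route served without its chain. Change the line to `caCertificate: |` (keeping its current indentation). The enclosing `{% if tls is defined %}` block, and the `{% endif %}` for the reencrypt branch, continue past the hunk.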
diff --git a/roles/openshift_metrics/vars/main.yaml b/roles/openshift_metrics/vars/main.yaml
index de3bb878d..4a3724e3f 100644
--- a/roles/openshift_metrics/vars/main.yaml
+++ b/roles/openshift_metrics/vars/main.yaml
@@ -1,3 +1,9 @@
+---
+#
+# These vars are generally considered private and not expected to be altered
+# by end users
+#
+
openshift_metrics_cassandra_storage_types:
- emptydir
- pv