7 files changed, 85 insertions, 146 deletions

diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
index 0f287e944..a61b0db5e 100644
--- a/roles/openshift_metrics/README.md
+++ b/roles/openshift_metrics/README.md
@@ -5,6 +5,10 @@ OpenShift Metrics Installation
 
 Requirements
 ------------
+This role has the following dependencies:
+
+- Java is required on the control node to generate keystores for the Java components
+- httpd-tools is required on the control node to generate various passwords for the metrics components
 
 The following variables need to be set and will be validated:
 
diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh
index bb046df87..f4315ef34 100755
--- a/roles/openshift_metrics/files/import_jks_certs.sh
+++ b/roles/openshift_metrics/files/import_jks_certs.sh
@@ -114,5 +114,3 @@ function import_certs() {
 }
 
 import_certs
-
-exit 0
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
index f6bf6c1a6..f5192b005 100644
--- a/roles/openshift_metrics/tasks/import_jks_certs.yaml
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -1,76 +1,4 @@
 ---
-- name: Check for jks-generator service account
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    get serviceaccount/jks-generator --no-headers
-  register: serviceaccount_result
-  ignore_errors: yes
-  when: not ansible_check_mode
-  changed_when: no
-
-- name: Create jks-generator service account
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    create serviceaccount jks-generator
-  when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
-
-- name: Check for hostmount-anyuid scc entry
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    get scc hostmount-anyuid
-    -o jsonpath='{.users}'
-  register: scc_result
-  when: not ansible_check_mode
-  changed_when: no
-
-- name: Add to hostmount-anyuid scc
-  command: >
-    {{ openshift.common.admin_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    policy add-scc-to-user hostmount-anyuid
-    -z jks-generator
-  when:
-    - not ansible_check_mode
-    - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1
-
-- name: Copy JKS generation script
-  copy:
-    src: import_jks_certs.sh
-    dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"
-  check_mode: no
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
-  register: metrics_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
-  register: cassandra_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
-  register: jgroups_keystore_password
-
-- name: Generate JKS pod template
-  template:
-    src: jks_pod.j2
-    dest: "{{mktemp.stdout}}/jks_pod.yaml"
-  vars:
-    metrics_keystore_passwd: "{{metrics_keystore_password.content}}"
-    cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}"
-    metrics_truststore_passwd: "{{hawkular_truststore_password.content}}"
-    cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}"
-    jgroups_passwd: "{{jgroups_keystore_password.content}}"
-  check_mode: no
-  changed_when: no
-
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
-  register: metrics_keystore
-  check_mode: no
-
 - stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
   register: cassandra_keystore
   check_mode: no
@@ -79,6 +7,10 @@
   register: cassandra_truststore
   check_mode: no
 
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+  register: metrics_keystore
+  check_mode: no
+
 - stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
   register: metrics_truststore
   check_mode: no
@@ -87,32 +19,52 @@
   register: jgroups_keystore
   check_mode: no
 
-- name: create JKS pod
-  command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    create -f {{mktemp.stdout}}/jks_pod.yaml
-    -o name
-  register: podoutput
-  check_mode: no
-  when: not metrics_keystore.stat.exists or
-        not metrics_truststore.stat.exists or
-        not cassandra_keystore.stat.exists or
-        not cassandra_truststore.stat.exists or
-        not jgroups_keystore.stat.exists
+- block:
+  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+    register: metrics_keystore_password
+
+  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+    register: cassandra_keystore_password
+
+  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+    register: jgroups_keystore_password
+
+  - local_action: command mktemp -d
+    register: local_tmp
+    changed_when: False
+
+  - fetch:
+      dest: "{{local_tmp.stdout}}/"
+      src: "{{ openshift_metrics_certs_dir }}/{{item}}"
+      flat: yes
+    changed_when: False
+    with_items:
+    - hawkular-metrics.pkcs12
+    - hawkular-cassandra.pkcs12
+    - hawkular-metrics.crt
+    - hawkular-cassandra.crt
+    - ca.crt
+
+  - local_action: command {{role_path}}/files/import_jks_certs.sh
+    environment:
+      CERT_DIR: "{{local_tmp.stdout}}"
+      METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}"
+      CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}"
+      METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
+      CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}"
+      JGROUPS_PASSWD: "{{jgroups_keystore_password.content}}"
+    changed_when: False
+
+  - copy:
+      dest: "{{openshift_metrics_certs_dir}}/"
+      src: "{{item}}"
+    with_fileglob: "{{local_tmp.stdout}}/*.*store"
+
+  - file:
+      path: "{{local_tmp.stdout}}"
+      state: absent
+    changed_when: False
 
-- command: >
-    {{ openshift.common.client_binary }}
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    -n {{openshift_metrics_project}}
-    get {{podoutput.stdout}}
-    -o jsonpath='{.status.phase}'
-  register: result
-  until: result.stdout.find("Succeeded") != -1
-  retries: 5
-  delay: 10
-  changed_when: no
   when: not metrics_keystore.stat.exists or
         not metrics_truststore.stat.exists or
         not cassandra_keystore.stat.exists or
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index bab37dbfb..ddaa54438 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -20,15 +20,23 @@
   loop_control:
     loop_var: include_file
 
+- find: paths={{ mktemp.stdout }}/templates patterns=*.yaml
+  register: object_def_files
+  changed_when: no
+
+- slurp: src={{item.path}}
+  register: object_defs
+  with_items: "{{object_def_files.files}}"
+  changed_when: no
+
 - name: Create objects
   include: oc_apply.yaml
   vars:
     kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
     namespace: "{{ openshift_metrics_project }}"
-    file_name: "{{ item }}"
-    file_content: "{{ lookup('file',item) | from_yaml }}"
-  with_fileglob:
-    - "{{ mktemp.stdout }}/templates/*.yaml"
+    file_name: "{{ item.source }}"
+    file_content: "{{ item.content | b64decode | from_yaml }}"
+  with_items: "{{ object_defs.results }}"
 
 - name: Scaling up cluster
   include: start_metrics.yaml
diff --git a/roles/openshift_metrics/tasks/install_support.yaml b/roles/openshift_metrics/tasks/install_support.yaml
index b0e4bec80..cc5acc6e5 100644
--- a/roles/openshift_metrics/tasks/install_support.yaml
+++ b/roles/openshift_metrics/tasks/install_support.yaml
@@ -1,4 +1,22 @@
 ---
+- name: Check control node to see if htpasswd is installed
+  local_action: command which htpasswd
+  register: htpasswd_check
+  failed_when: no
+  changed_when: no
+
+- fail: msg="'htpasswd' is unavailable. Please install httpd-tools on the control node"
+  when: htpasswd_check.rc  == 1
+
+- name: Check control node to see if keytool is installed
+  local_action: command which htpasswd
+  register: keytool_check
+  failed_when: no
+  changed_when: no
+
+- fail: msg="'keytool' is unavailable. Please install java-1.8.0-openjdk-headless on the control node"
+  when: keytool_check.rc  == 1
+
 - include: generate_certificates.yaml
 - include: generate_serviceaccounts.yaml
 - include: generate_services.yaml
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
index c42440130..1808db5d5 100644
--- a/roles/openshift_metrics/tasks/main.yaml
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -7,6 +7,7 @@
 - name: Create temp directory for all our templates
   file: path={{mktemp.stdout}}/templates state=directory mode=0755
   changed_when: False
+  when: "{{ openshift_metrics_install_metrics | bool }}"
 
 - name: Copy the admin client config(s)
   command: >
@@ -15,8 +16,4 @@
   check_mode: no
   tags: metrics_init
 
-- include: install_metrics.yaml
-  when: openshift_metrics_install_metrics | default(false) | bool
-
-- include: uninstall_metrics.yaml
-  when: not openshift_metrics_install_metrics | default(false) | bool
+- include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}"
diff --git a/roles/openshift_metrics/templates/jks_pod.j2 b/roles/openshift_metrics/templates/jks_pod.j2
deleted file mode 100644
index e86fe38a4..000000000
--- a/roles/openshift_metrics/templates/jks_pod.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  labels:
-    metrics-infra: support
-  generateName: jks-cert-gen-
-spec:
-  containers:
-  - name: jks-cert-gen
-    image: {{openshift_metrics_image_prefix}}metrics-deployer:{{openshift_metrics_image_version}}
-    imagePullPolicy: Always
-    command: ["sh",  "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"]
-    securityContext:
-      runAsUser: 0
-    volumeMounts:
-    - mountPath: {{openshift_metrics_certs_dir}}
-      name: certmount
-    env:
-    - name: CERT_DIR
-      value: {{openshift_metrics_certs_dir}}
-    - name: METRICS_KEYSTORE_PASSWD
-      value: {{metrics_keystore_passwd}}
-    - name: CASSANDRA_KEYSTORE_PASSWD
-      value: {{cassandra_keystore_passwd}}
-    - name: METRICS_TRUSTSTORE_PASSWD
-      value: {{metrics_truststore_passwd}}
-    - name: CASSANDRA_TRUSTSTORE_PASSWD
-      value: {{cassandra_truststore_passwd}}
-    - name: hawkular_cassandra_alias
-      value: {{cassandra_keystore_passwd}}
-    - name: JGROUPS_PASSWD
-      value: {{jgroups_passwd}}
-  restartPolicy: Never
-  serviceAccount: jks-generator
-  volumes:
-  - hostPath:
-      path: "{{openshift_metrics_certs_dir}}"
-    name: certmount