From 3973b9fd6fcb80c639c1435e017976319b8c08df Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Wed, 24 May 2017 10:48:49 -0600
Subject: fix es routes for new logging roles

port the code that creates the external Elasticsearch routes to the
new logging roles
Have to suppress this error message:

SSL Problem illegal change cipher spec msg, conn state = 6, handshake state = 1

which is coming from the router health check, until
https://github.com/openshift/origin/issues/14515
is fixed - otherwise, the es log is spammed relentlessly
---
 .../tasks/main.yaml                                | 69 ++++++++++++++++++++++
 1 file changed, 69 insertions(+)

(limited to 'roles/openshift_logging_elasticsearch/tasks/main.yaml')

diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index 7e88a7498..8c62a76a5 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -269,6 +269,75 @@
     - "{{ tempdir }}/templates/logging-es-dc.yml"
     delete_after: true
 
+- name: Retrieving the cert to use when generating secrets for the {{ es_component }} component
+  slurp:
+    src: "{{ generated_certs_dir }}/{{ item.file }}"
+  register: key_pairs
+  with_items:
+  - { name: "ca_file", file: "ca.crt" }
+  - { name: "es_key", file: "system.logging.es.key" }
+  - { name: "es_cert", file: "system.logging.es.crt" }
+  when: openshift_logging_es_allow_external | bool
+
+- set_fact:
+    es_key: "{{ lookup('file', openshift_logging_es_key) | b64encode }}"
+  when:
+  - openshift_logging_es_key | trim | length > 0
+  - openshift_logging_es_allow_external | bool
+  changed_when: false
+
+- set_fact:
+    es_cert: "{{ lookup('file', openshift_logging_es_cert) | b64encode  }}"
+  when:
+  - openshift_logging_es_cert | trim | length > 0
+  - openshift_logging_es_allow_external | bool
+  changed_when: false
+
+- set_fact:
+    es_ca: "{{ lookup('file', openshift_logging_es_ca_ext) | b64encode  }}"
+  when:
+  - openshift_logging_es_ca_ext | trim | length > 0
+  - openshift_logging_es_allow_external | bool
+  changed_when: false
+
+- set_fact:
+    es_ca: "{{ key_pairs | entry_from_named_pair('ca_file') }}"
+  when:
+  - es_ca is not defined
+  - openshift_logging_es_allow_external | bool
+  changed_when: false
+
+- name: Generating Elasticsearch {{ es_component }} route template
+  template:
+    src: route_reencrypt.j2
+    dest: "{{mktemp.stdout}}/templates/logging-{{ es_component }}-route.yaml"
+  vars:
+    obj_name: "logging-{{ es_component }}"
+    route_host: "{{ openshift_logging_es_hostname }}"
+    service_name: "logging-{{ es_component }}"
+    tls_key: "{{ es_key | default('') | b64decode }}"
+    tls_cert: "{{ es_cert | default('') | b64decode }}"
+    tls_ca_cert: "{{ es_ca | b64decode }}"
+    tls_dest_ca_cert: "{{ key_pairs | entry_from_named_pair('ca_file') | b64decode }}"
+    edge_term_policy: "{{ openshift_logging_es_edge_term_policy | default('') }}"
+    labels:
+      component: support
+      logging-infra: support
+      provider: openshift
+  changed_when: no
+  when: openshift_logging_es_allow_external | bool
+
+# This currently has an issue if the host name changes
+- name: Setting Elasticsearch {{ es_component }} route
+  oc_obj:
+    state: present
+    name: "logging-{{ es_component }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    kind: route
+    files:
+    - "{{ tempdir }}/templates/logging-{{ es_component }}-route.yaml"
+  when: openshift_logging_es_allow_external | bool
+
 ## Placeholder for migration when necessary ##
 
 - name: Delete temp directory
-- 
cgit v1.2.1