From d5879135f077e4aaaa09c8e4ebf5d9ef2a063a78 Mon Sep 17 00:00:00 2001 From: Eric Wolinetz Date: Fri, 5 Jan 2018 11:06:43 -0600 Subject: Adding support for ES 5.x tech preview opt in --- roles/openshift_logging_kibana/tasks/main.yaml | 6 +- .../templates/2.x/kibana.j2 | 176 +++++++++++++++++++++ .../templates/2.x/oauth-client.j2 | 16 ++ .../templates/2.x/route_reencrypt.j2 | 36 +++++ .../templates/5.x/kibana.j2 | 170 ++++++++++++++++++++ .../templates/5.x/oauth-client.j2 | 16 ++ .../templates/5.x/route_reencrypt.j2 | 36 +++++ roles/openshift_logging_kibana/templates/kibana.j2 | 176 --------------------- .../templates/oauth-client.j2 | 16 -- .../templates/route_reencrypt.j2 | 36 ----- 10 files changed, 453 insertions(+), 231 deletions(-) create mode 100644 roles/openshift_logging_kibana/templates/2.x/kibana.j2 create mode 100644 roles/openshift_logging_kibana/templates/2.x/oauth-client.j2 create mode 100644 roles/openshift_logging_kibana/templates/2.x/route_reencrypt.j2 create mode 100644 roles/openshift_logging_kibana/templates/5.x/kibana.j2 create mode 100644 roles/openshift_logging_kibana/templates/5.x/oauth-client.j2 create mode 100644 roles/openshift_logging_kibana/templates/5.x/route_reencrypt.j2 delete mode 100644 roles/openshift_logging_kibana/templates/kibana.j2 delete mode 100644 roles/openshift_logging_kibana/templates/oauth-client.j2 delete mode 100644 roles/openshift_logging_kibana/templates/route_reencrypt.j2 (limited to 'roles/openshift_logging_kibana') diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml index c67235c62..58edc5ce5 100644 --- a/roles/openshift_logging_kibana/tasks/main.yaml +++ b/roles/openshift_logging_kibana/tasks/main.yaml @@ -133,7 +133,7 @@ - name: Generating Kibana route template template: - src: route_reencrypt.j2 + src: "{{ __base_file_dir }}/route_reencrypt.j2" dest: "{{ tempdir }}/templates/kibana-route.yaml" vars: obj_name: "{{ kibana_name }}" 
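Review bot: `__base_file_dir` in the new `src:` of the route template task is not set anywhere in the hunks shown for this role, and the same applies to the oauth-client and Kibana DC tasks changed at lines 174 and 233. All three tasks therefore depend on a value defined elsewhere, possibly in a part of the commit outside this path-limited view. If it is unset or holds anything other than `2.x` or `5.x`, the failure surfaces only as an undefined-variable or template lookup error. A guard before the first template task would make the contract explicit, for example an `assert` with `that: __base_file_dir in ['2.x', '5.x']`. The task bodies continue outside the hunks.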
@@ -174,7 +174,7 @@ # create oauth client - name: Create oauth-client template template: - src: oauth-client.j2 + src: "{{ __base_file_dir }}/oauth-client.j2" dest: "{{ tempdir }}/templates/oauth-client.yml" vars: kibana_hostnames: "{{ proxy_hostnames | unique }}" @@ -233,7 +233,7 @@ # create Kibana DC - name: Generate Kibana DC template template: - src: kibana.j2 + src: "{{ __base_file_dir }}/kibana.j2" dest: "{{ tempdir }}/templates/kibana-dc.yaml" vars: component: "{{ kibana_component }}" diff --git a/roles/openshift_logging_kibana/templates/2.x/kibana.j2 b/roles/openshift_logging_kibana/templates/2.x/kibana.j2 new file mode 100644 index 000000000..ed05b8458 --- /dev/null +++ b/roles/openshift_logging_kibana/templates/2.x/kibana.j2 
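Review bot: The `template:` call in "Create oauth-client template" sets only `src` and `dest`, so the rendered `oauth-client.yml`, which contains the OAuth client `secret`, is written with whatever mode the umask gives. The route task in the first hunk has the same shape, and its output can carry `tls_key`. Unless `tempdir` is already created owner-only (not visible here), add `mode: "0600"` to both template calls. The tasks continue outside the hunks.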
@@ -0,0 +1,176 @@ +apiVersion: "v1" +kind: "DeploymentConfig" +metadata: + name: "{{ deploy_name }}" + labels: + provider: openshift + component: "{{ component }}" + logging-infra: "{{ logging_component }}" +spec: + replicas: {{ kibana_replicas | default(1) }} + selector: + provider: openshift + component: "{{ component }}" + logging-infra: "{{ logging_component }}" + strategy: + rollingParams: + intervalSeconds: 1 + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + name: "{{ deploy_name }}" + labels: + logging-infra: "{{ logging_component }}" + provider: openshift + component: "{{ component }}" + spec: + serviceAccountName: aggregated-logging-kibana +{% if kibana_node_selector is iterable and kibana_node_selector | length > 0 %} + nodeSelector: +{% for key, value in kibana_node_selector.items() %} + {{ key }}: "{{ value }}" +{% endfor %} +{% endif %} + containers: + - + name: "kibana" + image: {{ image }} + imagePullPolicy: IfNotPresent +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %} + resources: +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") %} + limits: +{% if kibana_cpu_limit is not none and kibana_cpu_limit != "" %} + cpu: "{{ kibana_cpu_limit }}" +{% endif %} +{% if kibana_memory_limit is not none and kibana_memory_limit != "" %} + memory: "{{ kibana_memory_limit }}" +{% endif %} +{% endif %} +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %} + requests: +{% if 
kibana_cpu_request is not none and kibana_cpu_request != "" %} + cpu: "{{ kibana_cpu_request }}" +{% endif %} +{% if kibana_memory_limit is not none and kibana_memory_limit != "" %} + memory: "{{ kibana_memory_limit }}" +{% endif %} +{% endif %} +{% endif %} + env: + - name: "ES_HOST" + value: "{{ es_host }}" + - name: "ES_PORT" + value: "{{ es_port }}" + - + name: "KIBANA_MEMORY_LIMIT" + valueFrom: + resourceFieldRef: + containerName: kibana + resource: limits.memory +{% for key, value in kibana_env_vars.items() %} + - name: "{{ key }}" + value: "{{ value }}" +{% endfor %} + volumeMounts: + - name: kibana + mountPath: /etc/kibana/keys + readOnly: true + readinessProbe: + exec: + command: + - "/usr/share/kibana/probe/readiness.sh" + initialDelaySeconds: 5 + timeoutSeconds: 4 + periodSeconds: 5 + - + name: "kibana-proxy" + image: {{ proxy_image }} + imagePullPolicy: IfNotPresent +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "") %} + resources: +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") %} + limits: +{% if kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "" %} + cpu: "{{ kibana_proxy_cpu_limit }}" +{% endif %} +{% if kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "" %} + memory: "{{ kibana_proxy_memory_limit }}" +{% endif %} +{% endif %} +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and 
kibana_proxy_cpu_request != "") %} + requests: +{% if kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "" %} + cpu: "{{ kibana_proxy_cpu_request }}" +{% endif %} +{% if kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "" %} + memory: "{{ kibana_proxy_memory_limit }}" +{% endif %} +{% endif %} +{% endif %} + ports: + - + name: "oaproxy" + containerPort: 3000 + env: + - + name: "OAP_BACKEND_URL" + value: "http://localhost:5601" + - + name: "OAP_AUTH_MODE" + value: "oauth2" + - + name: "OAP_TRANSFORM" + value: "user_header,token_header" + - + name: "OAP_OAUTH_ID" + value: kibana-proxy + - + name: "OAP_MASTER_URL" + value: {{ openshift_logging_kibana_master_url }} + - + name: "OAP_PUBLIC_MASTER_URL" + value: {{ openshift_logging_kibana_master_public_url }} + - + name: "OAP_LOGOUT_REDIRECT" + value: {{ openshift_logging_kibana_master_public_url }}/console/logout + - + name: "OAP_MASTER_CA_FILE" + value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + - + name: "OAP_DEBUG" + value: "{{ openshift_logging_kibana_proxy_debug }}" + - + name: "OAP_OAUTH_SECRET_FILE" + value: "/secret/oauth-secret" + - + name: "OAP_SERVER_CERT_FILE" + value: "/secret/server-cert" + - + name: "OAP_SERVER_KEY_FILE" + value: "/secret/server-key" + - + name: "OAP_SERVER_TLS_FILE" + value: "/secret/server-tls.json" + - + name: "OAP_SESSION_SECRET_FILE" + value: "/secret/session-secret" + - + name: "OCP_AUTH_PROXY_MEMORY_LIMIT" + valueFrom: + resourceFieldRef: + containerName: kibana-proxy + resource: limits.memory + volumeMounts: + - name: kibana-proxy + mountPath: /secret + readOnly: true + volumes: + - name: kibana + secret: + secretName: logging-kibana + - name: kibana-proxy + secret: + secretName: logging-kibana-proxy diff --git a/roles/openshift_logging_kibana/templates/2.x/oauth-client.j2 b/roles/openshift_logging_kibana/templates/2.x/oauth-client.j2 new file mode 100644 index 000000000..c80ff3d30 --- /dev/null 
+++ b/roles/openshift_logging_kibana/templates/2.x/oauth-client.j2 @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: OAuthClient +metadata: + name: kibana-proxy + labels: + logging-infra: support +secret: {{ secret }} +redirectURIs: +{% for host in kibana_hostnames %} +- {{ host }} +{% endfor %} +scopeRestrictions: +- literals: + - user:info + - user:check-access + - user:list-projects diff --git a/roles/openshift_logging_kibana/templates/2.x/route_reencrypt.j2 b/roles/openshift_logging_kibana/templates/2.x/route_reencrypt.j2 new file mode 100644 index 000000000..d2e8b8bcb --- /dev/null +++ b/roles/openshift_logging_kibana/templates/2.x/route_reencrypt.j2 @@ -0,0 +1,36 @@ +apiVersion: "v1" +kind: "Route" +metadata: + name: "{{obj_name}}" +{% if labels is defined%} + labels: +{% for key, value in labels.items() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +spec: + host: {{ route_host }} + tls: +{% if tls_key is defined and tls_key | length > 0 %} + key: | +{{ tls_key|indent(6, true) }} +{% if tls_cert is defined and tls_cert | length > 0 %} + certificate: | +{{ tls_cert|indent(6, true) }} +{% endif %} +{% endif %} + caCertificate: | +{% for line in tls_ca_cert.split('\n') %} + {{ line }} +{% endfor %} + destinationCACertificate: | +{% for line in tls_dest_ca_cert.split('\n') %} + {{ line }} +{% endfor %} + termination: reencrypt +{% if edge_term_policy is defined and edge_term_policy | length > 0 %} + insecureEdgeTerminationPolicy: {{ edge_term_policy }} +{% endif %} + to: + kind: Service + name: {{ service_name }} diff --git a/roles/openshift_logging_kibana/templates/5.x/kibana.j2 b/roles/openshift_logging_kibana/templates/5.x/kibana.j2 new file mode 100644 index 000000000..0f946573d --- /dev/null +++ b/roles/openshift_logging_kibana/templates/5.x/kibana.j2 
@@ -0,0 +1,170 @@ +apiVersion: "v1" +kind: "DeploymentConfig" +metadata: + name: "{{ deploy_name }}" + labels: + provider: openshift + component: "{{ component }}" + logging-infra: "{{ logging_component }}" +spec: + replicas: {{ kibana_replicas | default(1) }} + selector: + provider: openshift + component: "{{ component }}" + logging-infra: "{{ logging_component }}" + strategy: + rollingParams: + intervalSeconds: 1 + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + name: "{{ deploy_name }}" + labels: + logging-infra: "{{ logging_component }}" + provider: openshift + component: "{{ component }}" + spec: + serviceAccountName: aggregated-logging-kibana +{% if kibana_node_selector is iterable and kibana_node_selector | length > 0 %} + nodeSelector: +{% for key, value in kibana_node_selector.items() %} + {{ key }}: "{{ value }}" +{% endfor %} +{% endif %} + containers: + - + name: "kibana" + image: {{ image }} + imagePullPolicy: IfNotPresent +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %} + resources: +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") %} + limits: +{% if kibana_cpu_limit is not none and kibana_cpu_limit != "" %} + cpu: "{{ kibana_cpu_limit }}" +{% endif %} +{% if kibana_memory_limit is not none and kibana_memory_limit != "" %} + memory: "{{ kibana_memory_limit }}" +{% endif %} +{% endif %} +{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %} + requests: +{% if 
kibana_cpu_request is not none and kibana_cpu_request != "" %} + cpu: "{{ kibana_cpu_request }}" +{% endif %} +{% if kibana_memory_limit is not none and kibana_memory_limit != "" %} + memory: "{{ kibana_memory_limit }}" +{% endif %} +{% endif %} +{% endif %} + env: + - name: "ES_URL" + value: "https://{{ es_host }}:{{ es_port }}" + - + name: "KIBANA_MEMORY_LIMIT" + valueFrom: + resourceFieldRef: + containerName: kibana + resource: limits.memory + volumeMounts: + - name: kibana + mountPath: /etc/kibana/keys + readOnly: true + readinessProbe: + exec: + command: + - "/usr/share/kibana/probe/readiness.sh" + initialDelaySeconds: 5 + timeoutSeconds: 4 + periodSeconds: 5 + - + name: "kibana-proxy" + image: {{ proxy_image }} + imagePullPolicy: IfNotPresent +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "") %} + resources: +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") %} + limits: +{% if kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "" %} + cpu: "{{ kibana_proxy_cpu_limit }}" +{% endif %} +{% if kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "" %} + memory: "{{ kibana_proxy_memory_limit }}" +{% endif %} +{% endif %} +{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "") %} + requests: +{% if kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "" %} + 
cpu: "{{ kibana_proxy_cpu_request }}" +{% endif %} +{% if kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "" %} + memory: "{{ kibana_proxy_memory_limit }}" +{% endif %} +{% endif %} +{% endif %} + ports: + - + name: "oaproxy" + containerPort: 3000 + env: + - + name: "OAP_BACKEND_URL" + value: "http://localhost:5601" + - + name: "OAP_AUTH_MODE" + value: "oauth2" + - + name: "OAP_TRANSFORM" + value: "user_header,token_header" + - + name: "OAP_OAUTH_ID" + value: kibana-proxy + - + name: "OAP_MASTER_URL" + value: {{ openshift_logging_kibana_master_url }} + - + name: "OAP_PUBLIC_MASTER_URL" + value: {{ openshift_logging_kibana_master_public_url }} + - + name: "OAP_LOGOUT_REDIRECT" + value: {{ openshift_logging_kibana_master_public_url }}/console/logout + - + name: "OAP_MASTER_CA_FILE" + value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + - + name: "OAP_DEBUG" + value: "{{ openshift_logging_kibana_proxy_debug }}" + - + name: "OAP_OAUTH_SECRET_FILE" + value: "/secret/oauth-secret" + - + name: "OAP_SERVER_CERT_FILE" + value: "/secret/server-cert" + - + name: "OAP_SERVER_KEY_FILE" + value: "/secret/server-key" + - + name: "OAP_SERVER_TLS_FILE" + value: "/secret/server-tls.json" + - + name: "OAP_SESSION_SECRET_FILE" + value: "/secret/session-secret" + - + name: "OCP_AUTH_PROXY_MEMORY_LIMIT" + valueFrom: + resourceFieldRef: + containerName: kibana-proxy + resource: limits.memory + volumeMounts: + - name: kibana-proxy + mountPath: /secret + readOnly: true + volumes: + - name: kibana + secret: + secretName: logging-kibana + - name: kibana-proxy + secret: + secretName: logging-kibana-proxy diff --git a/roles/openshift_logging_kibana/templates/5.x/oauth-client.j2 b/roles/openshift_logging_kibana/templates/5.x/oauth-client.j2 new file mode 100644 index 000000000..c80ff3d30 --- /dev/null +++ b/roles/openshift_logging_kibana/templates/5.x/oauth-client.j2 
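Review bot: The `kibana` container's `env:` list in the 5.x template no longer has the `{% for key, value in kibana_env_vars.items() %}` loop that the 2.x template keeps, so any custom environment variables an operator configures would be silently dropped once the 5.x opt-in is on. If that is deliberate, say so with a template comment such as `{# kibana_env_vars is not applied to the 5.x image #}`; otherwise restore the loop after the `KIBANA_MEMORY_LIMIT` entry. Whether the task still passes `kibana_env_vars` is not visible in this diff.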
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: OAuthClient +metadata: + name: kibana-proxy + labels: + logging-infra: support +secret: {{ secret }} +redirectURIs: +{% for host in kibana_hostnames %} +- {{ host }} +{% endfor %} +scopeRestrictions: +- literals: + - user:info + - user:check-access + - user:list-projects diff --git a/roles/openshift_logging_kibana/templates/5.x/route_reencrypt.j2 b/roles/openshift_logging_kibana/templates/5.x/route_reencrypt.j2 new file mode 100644 index 000000000..d2e8b8bcb --- /dev/null +++ b/roles/openshift_logging_kibana/templates/5.x/route_reencrypt.j2 @@ -0,0 +1,36 @@ +apiVersion: "v1" +kind: "Route" +metadata: + name: "{{obj_name}}" +{% if labels is defined%} + labels: +{% for key, value in labels.items() %} + {{key}}: {{value}} +{% endfor %} +{% endif %} +spec: + host: {{ route_host }} + tls: +{% if tls_key is defined and tls_key | length > 0 %} + key: | +{{ tls_key|indent(6, true) }} +{% if tls_cert is defined and tls_cert | length > 0 %} + certificate: | +{{ tls_cert|indent(6, true) }} +{% endif %} +{% endif %} + caCertificate: | +{% for line in tls_ca_cert.split('\n') %} + {{ line }} +{% endfor %} + destinationCACertificate: | +{% for line in tls_dest_ca_cert.split('\n') %} + {{ line }} +{% endfor %} + termination: reencrypt +{% if edge_term_policy is defined and edge_term_policy | length > 0 %} + insecureEdgeTerminationPolicy: {{ edge_term_policy }} +{% endif %} + to: + kind: Service + name: {{ service_name }} diff --git a/roles/openshift_logging_kibana/templates/kibana.j2 b/roles/openshift_logging_kibana/templates/kibana.j2 deleted file mode 100644 index ed05b8458..000000000 --- a/roles/openshift_logging_kibana/templates/kibana.j2 +++ /dev/null 
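Review bot: `secret: {{ secret }}` and the `- {{ host }}` entries under `redirectURIs` are rendered as plain YAML scalars, so a value that is all digits, empty, or starts with a YAML indicator character changes type or breaks parsing of the generated OAuthClient. Quote them as the DeploymentConfig template does for its values: `secret: "{{ secret }}"` and `- "{{ host }}"`. The 2.x copy added by this commit has the same blob id (c80ff3d30) and needs the same change.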
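Review bot: `5.x/route_reencrypt.j2` is added with the same blob id as the 2.x copy (d2e8b8bcb), and `5.x/oauth-client.j2` likewise matches its 2.x copy, so only `kibana.j2` actually differs between versions. Keeping two identical copies of the templates that carry the TLS key, CA certificates and OAuth secret means a later fix has to be made twice and the copies can drift. Consider leaving these two templates unversioned (`src: route_reencrypt.j2`, `src: oauth-client.j2`) and using `{{ __base_file_dir }}` only for `kibana.j2`.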
@@ -1,176 +0,0 @@ -apiVersion: "v1" -kind: "DeploymentConfig" -metadata: - name: "{{ deploy_name }}" - labels: - provider: openshift - component: "{{ component }}" - logging-infra: "{{ logging_component }}" -spec: - replicas: {{ kibana_replicas | default(1) }} - selector: - provider: openshift - component: "{{ component }}" - logging-infra: "{{ logging_component }}" - strategy: - rollingParams: - intervalSeconds: 1 - timeoutSeconds: 600 - updatePeriodSeconds: 1 - type: Rolling - template: - metadata: - name: "{{ deploy_name }}" - labels: - logging-infra: "{{ logging_component }}" - provider: openshift - component: "{{ component }}" - spec: - serviceAccountName: aggregated-logging-kibana -{% if kibana_node_selector is iterable and kibana_node_selector | length > 0 %} - nodeSelector: -{% for key, value in kibana_node_selector.items() %} - {{ key }}: "{{ value }}" -{% endfor %} -{% endif %} - containers: - - - name: "kibana" - image: {{ image }} - imagePullPolicy: IfNotPresent -{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %} - resources: -{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") %} - limits: -{% if kibana_cpu_limit is not none and kibana_cpu_limit != "" %} - cpu: "{{ kibana_cpu_limit }}" -{% endif %} -{% if kibana_memory_limit is not none and kibana_memory_limit != "" %} - memory: "{{ kibana_memory_limit }}" -{% endif %} -{% endif %} -{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %} - requests: -{% if 
kibana_cpu_request is not none and kibana_cpu_request != "" %} - cpu: "{{ kibana_cpu_request }}" -{% endif %} -{% if kibana_memory_limit is not none and kibana_memory_limit != "" %} - memory: "{{ kibana_memory_limit }}" -{% endif %} -{% endif %} -{% endif %} - env: - - name: "ES_HOST" - value: "{{ es_host }}" - - name: "ES_PORT" - value: "{{ es_port }}" - - - name: "KIBANA_MEMORY_LIMIT" - valueFrom: - resourceFieldRef: - containerName: kibana - resource: limits.memory -{% for key, value in kibana_env_vars.items() %} - - name: "{{ key }}" - value: "{{ value }}" -{% endfor %} - volumeMounts: - - name: kibana - mountPath: /etc/kibana/keys - readOnly: true - readinessProbe: - exec: - command: - - "/usr/share/kibana/probe/readiness.sh" - initialDelaySeconds: 5 - timeoutSeconds: 4 - periodSeconds: 5 - - - name: "kibana-proxy" - image: {{ proxy_image }} - imagePullPolicy: IfNotPresent -{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "") %} - resources: -{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") %} - limits: -{% if kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "" %} - cpu: "{{ kibana_proxy_cpu_limit }}" -{% endif %} -{% if kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "" %} - memory: "{{ kibana_proxy_memory_limit }}" -{% endif %} -{% endif %} -{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and 
kibana_proxy_cpu_request != "") %} - requests: -{% if kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "" %} - cpu: "{{ kibana_proxy_cpu_request }}" -{% endif %} -{% if kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "" %} - memory: "{{ kibana_proxy_memory_limit }}" -{% endif %} -{% endif %} -{% endif %} - ports: - - - name: "oaproxy" - containerPort: 3000 - env: - - - name: "OAP_BACKEND_URL" - value: "http://localhost:5601" - - - name: "OAP_AUTH_MODE" - value: "oauth2" - - - name: "OAP_TRANSFORM" - value: "user_header,token_header" - - - name: "OAP_OAUTH_ID" - value: kibana-proxy - - - name: "OAP_MASTER_URL" - value: {{ openshift_logging_kibana_master_url }} - - - name: "OAP_PUBLIC_MASTER_URL" - value: {{ openshift_logging_kibana_master_public_url }} - - - name: "OAP_LOGOUT_REDIRECT" - value: {{ openshift_logging_kibana_master_public_url }}/console/logout - - - name: "OAP_MASTER_CA_FILE" - value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" - - - name: "OAP_DEBUG" - value: "{{ openshift_logging_kibana_proxy_debug }}" - - - name: "OAP_OAUTH_SECRET_FILE" - value: "/secret/oauth-secret" - - - name: "OAP_SERVER_CERT_FILE" - value: "/secret/server-cert" - - - name: "OAP_SERVER_KEY_FILE" - value: "/secret/server-key" - - - name: "OAP_SERVER_TLS_FILE" - value: "/secret/server-tls.json" - - - name: "OAP_SESSION_SECRET_FILE" - value: "/secret/session-secret" - - - name: "OCP_AUTH_PROXY_MEMORY_LIMIT" - valueFrom: - resourceFieldRef: - containerName: kibana-proxy - resource: limits.memory - volumeMounts: - - name: kibana-proxy - mountPath: /secret - readOnly: true - volumes: - - name: kibana - secret: - secretName: logging-kibana - - name: kibana-proxy - secret: - secretName: logging-kibana-proxy diff --git a/roles/openshift_logging_kibana/templates/oauth-client.j2 b/roles/openshift_logging_kibana/templates/oauth-client.j2 deleted file mode 100644 index c80ff3d30..000000000 
--- a/roles/openshift_logging_kibana/templates/oauth-client.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: OAuthClient -metadata: - name: kibana-proxy - labels: - logging-infra: support -secret: {{ secret }} -redirectURIs: -{% for host in kibana_hostnames %} -- {{ host }} -{% endfor %} -scopeRestrictions: -- literals: - - user:info - - user:check-access - - user:list-projects diff --git a/roles/openshift_logging_kibana/templates/route_reencrypt.j2 b/roles/openshift_logging_kibana/templates/route_reencrypt.j2 deleted file mode 100644 index d2e8b8bcb..000000000 --- a/roles/openshift_logging_kibana/templates/route_reencrypt.j2 +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: "v1" -kind: "Route" -metadata: - name: "{{obj_name}}" -{% if labels is defined%} - labels: -{% for key, value in labels.items() %} - {{key}}: {{value}} -{% endfor %} -{% endif %} -spec: - host: {{ route_host }} - tls: -{% if tls_key is defined and tls_key | length > 0 %} - key: | -{{ tls_key|indent(6, true) }} -{% if tls_cert is defined and tls_cert | length > 0 %} - certificate: | -{{ tls_cert|indent(6, true) }} -{% endif %} -{% endif %} - caCertificate: | -{% for line in tls_ca_cert.split('\n') %} - {{ line }} -{% endfor %} - destinationCACertificate: | -{% for line in tls_dest_ca_cert.split('\n') %} - {{ line }} -{% endfor %} - termination: reencrypt -{% if edge_term_policy is defined and edge_term_policy | length > 0 %} - insecureEdgeTerminationPolicy: {{ edge_term_policy }} -{% endif %} - to: - kind: Service - name: {{ service_name }} -- cgit v1.2.1