path: root/roles/openshift_logging/tasks/install_fluentd.yaml
blob: 35273829c39c6a7336311c6364d4b067375c2ec1 (plain)
---
# Set fluentd_ops_host to openshift_logging_es_ops_host when
# openshift_logging_use_ops is truthy, otherwise to openshift_logging_es_host.
- set_fact: fluentd_ops_host={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}
  # Execute even when the play runs with --check, so the fact is always defined.
  check_mode: no

# Same selection for the port: openshift_logging_es_ops_port when
# openshift_logging_use_ops is truthy, otherwise openshift_logging_es_port.
- set_fact: fluentd_ops_port={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}
  # Execute even when the play runs with --check, so the fact is always defined.
  check_mode: no

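# Render fluentd.j2 into the temporary working directory as the Fluentd
# DaemonSet manifest.
# NOTE(review): `mktemp` is presumably registered by an earlier task that
# creates the working directory; confirm against the including task file.
- name: Generating Fluentd daemonset
  # Native YAML arguments instead of key=value, so a destination path that
  # contains spaces is not split into separate arguments.
  template:
    src: fluentd.j2
    dest: "{{ mktemp.stdout }}/templates/logging-fluentd.yaml"
  vars:
    daemonset_name: logging-fluentd
    daemonset_component: fluentd
    daemonset_container_name: fluentd-elasticsearch
    # Must match the service account that is granted the privileged SCC and
    # the cluster-reader role by the other tasks in this file.
    daemonset_serviceAccount: aggregated-logging-fluentd
    ops_host: "{{ fluentd_ops_host }}"
    ops_port: "{{ fluentd_ops_port }}"
    # Only the first key/value pair of the node selector is used; any further
    # entries in openshift_logging_fluentd_nodeselector are ignored.
    # `| list` keeps the [0] lookup working where keys()/values() return
    # non-indexable views (Python 3).
    fluentd_nodeselector_key: "{{ (openshift_logging_fluentd_nodeselector.keys() | list)[0] }}"
    fluentd_nodeselector_value: "{{ (openshift_logging_fluentd_nodeselector.values() | list)[0] }}"
  # Rendering into the scratch directory is needed even under --check and is
  # never reported as a change.
  check_mode: false
  changed_when: false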

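# Read the user list of the `privileged` SCC so the grant below only runs when
# the Fluentd service account is not already listed.
- name: "Check fluentd privileged permissions"
  command: >
    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
    get scc/privileged -o jsonpath='{.users}'
  register: fluentd_privileged
  # Read-only query: run it under --check too and never report a change.
  check_mode: false
  changed_when: false

# Add the Fluentd service account to the `privileged` SCC.
# NOTE(review): `privileged` is the least restrictive built-in SCC; confirm
# the collector needs all of it rather than a narrower custom SCC, and remember
# that this grant stays on the cluster until it is explicitly removed.
- name: "Set privileged permissions for fluentd"
  command: >
    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy
    add-scc-to-user privileged system:serviceaccount:{{ openshift_logging_namespace }}:aggregated-logging-fluentd
  register: fluentd_output
  # Any non-zero exit is a failure unless stderr reports that the binding
  # already exists; testing only for rc == 1 let other exit codes pass silently.
  failed_when: "fluentd_output.rc != 0 and 'exists' not in fluentd_output.stderr"
  # NOTE(review): check_mode false means this grant is applied even when the
  # play is run with --check; confirm that is intended.
  check_mode: false
  # `when` is already a Jinja expression, so the account name is built with `~`
  # rather than nested {{ }} delimiters. This remains a substring test: a longer
  # account name that starts with this string also matches and skips the grant.
  when: >-
    ('system:serviceaccount:' ~ openshift_logging_namespace ~ ':aggregated-logging-fluentd')
    not in fluentd_privileged.stdout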

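# Read the user names bound by the `cluster-readers` cluster role binding so the
# grant below only runs when the Fluentd service account is not already bound.
- name: "Check fluentd cluster-reader permissions"
  command: >
    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
    get clusterrolebinding/cluster-readers -o jsonpath='{.userNames}'
  register: fluentd_cluster_reader
  # Read-only query: run it under --check too and never report a change.
  check_mode: false
  changed_when: false

# Bind the cluster-wide `cluster-reader` role to the Fluentd service account.
# NOTE(review): this gives the collector read access beyond its own namespace;
# confirm the scope is required and include the binding in access reviews.
- name: "Set cluster-reader permissions for fluentd"
  command: >
    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy
    add-cluster-role-to-user cluster-reader system:serviceaccount:{{ openshift_logging_namespace }}:aggregated-logging-fluentd
  register: fluentd2_output
  # Any non-zero exit is a failure unless stderr reports that the binding
  # already exists; testing only for rc == 1 let other exit codes pass silently.
  failed_when: "fluentd2_output.rc != 0 and 'exists' not in fluentd2_output.stderr"
  # NOTE(review): check_mode false means this binding is applied even when the
  # play is run with --check; confirm that is intended.
  check_mode: false
  # `when` is already a Jinja expression, so the account name is built with `~`
  # rather than nested {{ }} delimiters. This remains a substring test: a longer
  # account name that starts with this string also matches and skips the grant.
  when: >-
    ('system:serviceaccount:' ~ openshift_logging_namespace ~ ':aggregated-logging-fluentd')
    not in fluentd_cluster_reader.stdout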