
addressing comments

ewolinetz 8 years ago
parent
commit
06c111d226

+ 1 - 1
roles/openshift_logging/defaults/main.yml

@@ -33,7 +33,7 @@ openshift_logging_kibana_ops_proxy_debug: false
 openshift_logging_kibana_ops_proxy_cpu_limit: null
 openshift_logging_kibana_ops_proxy_memory_limit: null
 
-openshift_logging_fluentd_nodeselector: '"logging-infra-fluentd": "true"'
+openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'}
 openshift_logging_fluentd_cpu_limit: 100m
 openshift_logging_fluentd_memory_limit: 512Mi
 openshift_logging_fluentd_es_copy: false

+ 0 - 192
roles/openshift_logging/files/util.sh

@@ -1,192 +0,0 @@
-#!/bin/bash
-
-function generate_JKS_chain() {
-  dir=${SCRATCH_DIR:-_output}
-  ADD_OID=$1
-  NODE_NAME=$2
-  CERT_NAMES=${3:-$NODE_NAME}
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  rm -rf $NODE_NAME
-
-  extension_names=""
-  for name in ${CERT_NAMES//,/ }; do
-	extension_names="${extension_names},dns:${name}"
-  done
-
-  if [ "$ADD_OID" = true ]; then
-    extension_names="${extension_names},oid:1.2.3.4.5.5"
-  fi
-
-  echo Generating keystore and certificate for node $NODE_NAME
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/keystore.jks \
-        -keypass   $ks_pass \
-        -storepass $ks_pass \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-        -alias      $NODE_NAME \
-        -keystore   $dir/keystore.jks \
-        -storepass  $ks_pass \
-        -file       $dir/$NODE_NAME.csr \
-        -keyalg     rsa \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
-        -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
-
-  echo Sign certificate request with CA
-
-  openssl ca \
-    -in $dir/$NODE_NAME.csr \
-    -notext \
-    -out $dir/$NODE_NAME.crt \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/keystore.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/keystore.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo "Import CA to truststore for validating client certs"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/truststore.jks   \
-    -storepass $ts_pass  \
-    -noprompt -alias sig-ca
-
-  echo All done for $NODE_NAME
-}
-
-function generate_PEM_cert() {
-  NODE_NAME="$1"
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-}
-
-function generate_JKS_client_cert() {
-  NODE_NAME="$1"
-  ks_pass=${KS_PASS:-kspass}
-  ts_pass=${TS_PASS:-tspass}
-  dir=${SCRATCH_DIR:-_output}  # for writing files to bundle into secrets
-
-  echo Generating keystore and certificate for node ${NODE_NAME}
-
-  "$keytool" -genkey \
-        -alias     $NODE_NAME \
-        -keystore  $dir/$NODE_NAME.jks \
-        -keyalg    RSA \
-        -keysize   2048 \
-        -validity  712 \
-        -keypass $ks_pass \
-        -storepass $ks_pass \
-        -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Generating certificate signing request for node $NODE_NAME
-
-  "$keytool" -certreq \
-          -alias      $NODE_NAME \
-          -keystore   $dir/$NODE_NAME.jks \
-          -file       $dir/$NODE_NAME.csr \
-          -keyalg     rsa \
-          -keypass $ks_pass \
-          -storepass $ks_pass \
-          -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
-
-  echo Sign certificate request with CA
-  openssl ca \
-    -in "$dir/$NODE_NAME.csr" \
-    -notext \
-    -out "$dir/$NODE_NAME.crt" \
-    -config $dir/signing.conf \
-    -extensions v3_req \
-    -batch \
-	-extensions server_ext
-
-  echo "Import back to keystore (including CA chain)"
-
-  "$keytool"  \
-    -import \
-    -file $dir/ca.crt  \
-    -keystore $dir/$NODE_NAME.jks   \
-    -storepass $ks_pass  \
-    -noprompt -alias sig-ca
-
-  "$keytool" \
-    -import \
-    -file $dir/$NODE_NAME.crt \
-    -keystore $dir/$NODE_NAME.jks \
-    -storepass $ks_pass \
-    -noprompt \
-    -alias $NODE_NAME
-
-  echo All done for $NODE_NAME
-}
-
-function join { local IFS="$1"; shift; echo "$*"; }
-
-function get_es_dcs() {
-  oc get dc --selector logging-infra=elasticsearch -o name
-}
-
-function get_curator_dcs() {
-  oc get dc --selector logging-infra=curator -o name
-}
-
-function extract_nodeselector() {
-  local inputstring="${1//\"/}"  # remove any errant double quotes in the inputs
-  local selectors=()
-
-  for keyvalstr in ${inputstring//\,/ }; do
-
-    keyval=( ${keyvalstr//=/ } )
-
-    if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
-      selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
-    else
-      echo "Could not make a node selector label from '${keyval[*]}'"
-      exit 255
-    fi
-  done
-
-  if [[ "${#selectors[*]}" -gt 0 ]]; then
-    echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
-  fi
-}

+ 0 - 0
roles/openshift_logging/filter_plugins/__init__.py


+ 0 - 0
roles/openshift_logging/library/__init.py__


+ 13 - 1
roles/openshift_logging/meta/main.yaml

@@ -1,3 +1,15 @@
 ---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: OpenShift Embedded Router
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
 dependencies:
-  - { role: openshift_facts }
+  - role: openshift_facts
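Review bot: The `description` added under galaxy_info reads `OpenShift Embedded Router`, which does not describe this logging role and looks copied from another role's metadata. Suggest `description: OpenShift Aggregated Logging` (or whatever name the role's README uses) so the published metadata is not misleading. The remaining galaxy_info fields and the `- role: openshift_facts` dependency form are unremarkable.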

+ 15 - 33
roles/openshift_logging/tasks/generate_certs.yaml

@@ -31,14 +31,10 @@
   register: signing_conf_file
   check_mode: no
 
-- block:
-  - copy: src=signing.conf dest={{generated_certs_dir}}/signing.conf
-    check_mode: no
-
-  - lineinfile: "dest={{generated_certs_dir}}/signing.conf regexp='# Top dir$' line='dir                     = {{generated_certs_dir}}               # Top dir'"
-    check_mode: no
-  when:
-    - not signing_conf_file.stat.exists
+- template: src=signing.conf.j2 dest={{generated_certs_dir}}/signing.conf
+  vars:
+    - top_dir: '{{generated_certs_dir}}'
+  when: not signing_conf_file.stat.exists
 
 - include: procure_server_certs.yaml
   loop_control:
@@ -49,19 +45,6 @@
     - procure_component: kibana-internal
       hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"
 
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana
-
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana-ops
-
-# - include: procure_server_certs.yaml
-#   vars:
-#     - procure_component: kibana-internal
-#     - hostnames: "kibana, kibana-ops, {{openshift_logging_kibana_hostname}}, {{openshift_logging_kibana_ops_hostname}}"
-
 - name: Copy proxy TLS configuration file
   copy: src=server-tls.json dest={{generated_certs_dir}}/server-tls.json
   when: server_tls_json is undefined
@@ -116,8 +99,8 @@
 
 - name: Check for hostmount-anyuid scc entry
   shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o go-template='{{ '{{' }}.users{{ '}}' }}' |
-    grep system:serviceaccount:{{openshift_logging_namespace}}:jks-generator
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get scc hostmount-anyuid -o jsonpath='{.users}' |
+    grep system:serviceaccount:{{openshift_logging_namespace | quote}}:jks-generator
   register: scc_result
   ignore_errors: yes
   when: not ansible_check_mode
@@ -131,34 +114,33 @@
   copy:
     src: generate-jks.sh
     dest: "{{generated_certs_dir}}/generate-jks.sh"
+  check_mode: no
 
 - name: Generate JKS chains
   template:
     src: jks_pod.j2
     dest: "{{mktemp.stdout}}/jks_pod.yaml"
+  check_mode: no
 
 - name: create pod
-  shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{mktemp.stdout}}/jks_pod.yaml -n {{openshift_logging_namespace}} -o name
   register: podoutput
+  check_mode: no
 
-- shell: >
-    echo {{podoutput.stdout}} | awk -v podname='\\\".*\\\"' '{print $2}'
-  register: podname
-
-- shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get pod {{podname.stdout}} -o go-template='{{ '{{' }}index .status "phase"{{ '}}' }}' -n {{openshift_logging_namespace}}
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{podoutput.stdout}} -o jsonpath='{.status.phase}' -n {{openshift_logging_namespace}}
   register: result
   until: result.stdout.find("Succeeded") != -1
   retries: 5
   delay: 10
 
 - name: Generate proxy session
-  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 200
+  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
   register: session_secret
   check_mode: no
 
 - name: Generate oauth client secret
-  shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64
+  command: echo {{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
   register: oauth_secret
   check_mode: no
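Review bot: The two `command: echo {{ ... | random_word(...) }}` tasks now pass the generated session secret and oauth client secret as a command-line argument on the target host, so the value is visible in the process list while the task runs and is recorded in the registered result and task output, whereas the replaced `tr ... < /dev/urandom | head -c N` pipeline never placed the secret on argv. Since the value is only needed as a variable, a `set_fact` with `no_log: true` produces it without spawning a process, e.g. `- set_fact: session_secret: "{{ 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' | random_word(200) }}"`, with whatever later reads `session_secret.stdout` (outside this hunk) switched to the fact. The `random_word` filter is defined outside this page; because these values serve as an OAuth client secret and a session key, it is worth confirming that it draws from a cryptographically secure source (`random.SystemRandom`) rather than the module-level `random` functions.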

+ 22 - 3
roles/openshift_logging/tasks/generate_configmaps.yaml

@@ -4,37 +4,44 @@
         src: elasticsearch-logging.yml
         dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
       when: es_logging_contents is undefined
+      changed_when: no
 
     - copy:
         src: elasticsearch.yml
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
       when: es_config_contents is undefined
+      changed_when: no
 
     - lineinfile:
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
         regexp: '^openshift\.operations\.allow_cluster_reader(.)*$'
         line: "\nopenshift.operations.allow_cluster_reader: {{openshift_logging_es_ops_allow_cluster_reader | lower}}"
       when: es_config_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{es_logging_contents}}"
         dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
       when: es_logging_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{es_config_contents}}"
         dest: "{{mktemp.stdout}}/elasticsearch.yml"
       when: es_config_contents is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-elasticsearch
         --from-file=logging.yml={{mktemp.stdout}}/elasticsearch-logging.yml --from-file=elasticsearch.yml={{mktemp.stdout}}/elasticsearch.yml -o yaml --dry-run
       register: es_configmap
+      changed_when: no
 
     - copy:
         content: "{{es_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-elasticsearch-configmap.yaml"
       when: es_configmap.stdout is defined
+      changed_when: no
   check_mode: no
 
 - block:
@@ -42,21 +49,25 @@
         src: curator.yml
         dest: "{{mktemp.stdout}}/curator.yml"
       when: curator_config_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{curator_config_contents}}"
         dest: "{{mktemp.stdout}}/curator.yml"
       when: curator_config_contenets is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-curator
         --from-file=config.yaml={{mktemp.stdout}}/curator.yml -o yaml --dry-run
       register: curator_configmap
+      changed_when: no
 
     - copy:
         content: "{{curator_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-curator-configmap.yaml"
       when: curator_configmap.stdout is defined
+      changed_when: no
   check_mode: no
 
 - block:
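Review bot: The condition `when: curator_config_contenets is defined` on the second copy task in this hunk misspells the variable, so a user-supplied `curator_config_contents` is never written to `{{mktemp.stdout}}/curator.yml` and the bundled default always ends up in the configmap; the fix is `when: curator_config_contents is defined`. The fluentd block below has the same kind of typo in `when: fluentd_securefoward_contents is undefined` on the copy of the default `secure-forward.conf`, which is harmless only because the later copy guarded by `fluentd_secureforward_contents is defined` overwrites the file. Both lines are context in this commit, but since every task in these blocks is being touched to add `changed_when: no`, this is the moment to correct them.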
@@ -64,40 +75,48 @@
         src: fluent.conf
         dest: "{{mktemp.stdout}}/fluent.conf"
       when: fluentd_config_contents is undefined
+      changed_when: no
 
     - copy:
         src: fluentd-throttle-config.yaml
         dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
       when: fluentd_throttle_contents is undefined
+      changed_when: no
 
     - copy:
         src: secure-forward.conf
         dest: "{{mktemp.stdout}}/secure-forward.conf"
       when: fluentd_securefoward_contents is undefined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_config_contents}}"
         dest: "{{mktemp.stdout}}/fluent.conf"
       when: fluentd_config_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_throttle_contents}}"
         dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
       when: fluentd_throttle_contents is defined
+      changed_when: no
 
     - copy:
         content: "{{fluentd_secureforward_contents}}"
         dest: "{{mktemp.stdout}}/secure-forward.conf"
       when: fluentd_secureforward_contents is defined
+      changed_when: no
 
-    - shell: >
+    - command: >
         {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-fluentd
         --from-file=fluent.conf={{mktemp.stdout}}/fluent.conf --from-file=throttle-config.yaml={{mktemp.stdout}}/fluentd-throttle-config.yaml
         --from-file=secure-forward.conf={{mktemp.stdout}}/secure-forward.conf -o yaml --dry-run
       register: fluentd_configmap
+      changed_when: no
 
     - copy:
         content: "{{fluentd_configmap.stdout}}"
         dest: "{{mktemp.stdout}}/templates/logging-fluentd-configmap.yaml"
       when: fluentd_configmap.stdout is defined
+      changed_when: no
   check_mode: no

+ 0 - 60
roles/openshift_logging/tasks/generate_jks_chain.yaml

@@ -1,60 +0,0 @@
----
-- debug: msg="certs are {{chain_certs}} and oid is {{oid}}"
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="certs are {{chain_certs}}"
-  when: chain_certs is defined and oid is undefined
-
-- name: Build extensions with certs
-  shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid:1.2.3.4.5.5','') }}"
-  register: cert_ext
-  when: chain_certs is defined and oid is defined
-  check_mode: no
-
-- debug: msg="extensions are {{cert_ext.stdout}}"
-  when: cert_ext.stdout is defined
-
-- shell: >
-    echo {{ (cert_ext.stdout is defined) | ternary( '-ext san=dns:localhost,ip:127.0.0.1','') }}{{ (cert_ext.stdout is defined) | ternary( cert_ext.stdout, '') }}
-  register: extensions
-  check_mode: no
-
-- name: Checking for {{component}}.jks ...
-  stat: path="{{generated_certs_dir}}/{{component}}.jks"
-  register: jks_file
-  check_mode: no
-
-- name: Checking for truststore...
-  stat: path="{{generated_certs_dir}}/truststore.jks"
-  register: jks_truststore
-  check_mode: no
-
-- block:
-    - shell: >
-        keytool -genkey -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -keypass kspass -storepass kspass
-        -keyalg RSA -keysize 2048 -validity 712 -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
-
-    - shell: >
-        keytool -certreq -alias {{component}} -keystore {{generated_certs_dir}}/{{component}}.jks -storepass kspass
-        -file {{generated_certs_dir}}/{{component}}-jks.csr -keyalg RSA -dname "CN={{component}}, OU=OpenShift, O=Logging" {{extensions.stdout}}
-
-    - shell: >
-        openssl ca -in {{generated_certs_dir}}/{{component}}-jks.csr -notext -out {{generated_certs_dir}}/{{component}}-jks.crt
-        -config {{generated_certs_dir}}/signing.conf -extensions v3_req -batch -extensions server_ext
-
-    - shell: >
-        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/{{component}}.jks
-        -storepass kspass -noprompt -alias sig-ca
-
-    - shell: >
-         keytool -import -file {{generated_certs_dir}}/{{component}}-jks.crt -keystore {{generated_certs_dir}}/{{component}}.jks
-         -storepass kspass -noprompt -alias {{component}}
-
-  when: not jks_file.stat.exists
-  check_mode: no
-
-- block:
-    - shell: >
-        keytool -import -file {{generated_certs_dir}}/ca.crt -keystore {{generated_certs_dir}}/truststore.jks -storepass tspass -noprompt -alias sig-ca
-  when: not jks_truststore.stat.exists
-  check_mode: no

+ 0 - 24
roles/openshift_logging/tasks/generate_pkcs12.yaml

@@ -1,24 +0,0 @@
----
-- debug: msg="certs are {{chain_certs}} and oid is {{oid}}"
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="certs are {{chain_certs}}"
-  when: chain_certs is defined and oid is undefined
-
-- name: Build extensions with certs
-  shell: echo "{{chain_certs}}{{ (oid) | ternary(',oid=1.2.3.4.5.5','') }}"
-  register: cert_ext
-  when: chain_certs is defined and oid is defined
-
-- debug: msg="extensions are {{cert_ext.stdout}}"
-  when: cert_ext.stdout is defined
-
-- include: generate_pems.yaml
-
-- local_action: stat path="{{mktemp.stdout}}/{{component}}.pkcs12"
-  register: pkcs_file
-  become: no
-
-- name: Generating pkcs12 chain for {{component}}
-  command: openssl pkcs12 -export -out {{generated_certs_dir}}/{{component}}.pkcs12 -inkey {{generated_certs_dir}}/{{component}}.key -in {{generated_certs_dir}}/{{component}}.crt -password pass:pass
-  when: not pkcs_file.stat.exists

+ 13 - 2
roles/openshift_logging/tasks/install_fluentd.yaml

@@ -1,14 +1,23 @@
 ---
-- shell: >
+- command: >
     echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}"
   register: fluentd_ops_host
   check_mode: no
 
-- shell: >
+- command: >
     echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}"
   register: fluentd_ops_port
   check_mode: no
 
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
+  register: openshift_logging_fluentd_nodeselector_key
+  check_mode: no
+
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
+  register: openshift_logging_fluentd_nodeselector_value
+  check_mode: no
 
 - name: Generating Fluentd daemonset
   template: src=fluentd.j2 dest={{mktemp.stdout}}/templates/logging-fluentd.yaml
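Review bot: The two new `command: echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"` tasks run a process on the target host only to evaluate a Jinja expression, and the same pattern is repeated at the top of start_cluster.yaml and stop_cluster.yaml. A `set_fact` evaluates the expression on the controller with no process and no shell-quoting concerns should the key contain special characters, e.g. `- set_fact: openshift_logging_fluentd_nodeselector_key: "{{ openshift_logging_fluentd_nodeselector.keys() | first }}"`, with the template vars in the next hunk reading the fact instead of `.stdout`. `keys()[0]` also relies on `dict.keys()` returning an indexable list, which holds on Python 2 but not on Python 3 where it is a view; `| first` avoids that. Pairing `keys()[0]` with `values()[0]` is correct only because both come from the same single-entry dict, which the new check in main.yaml enforces.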
@@ -19,6 +28,8 @@
     daemonset_serviceAccount: aggregated-logging-fluentd
     ops_host: "{{ fluentd_ops_host.stdout }}"
     ops_port: "{{ fluentd_ops_port.stdout }}"
+    fluentd_nodeselector_key: "{{openshift_logging_fluentd_nodeselector_key.stdout}}"
+    fluentd_nodeselector_value: "{{openshift_logging_fluentd_nodeselector_value.stdout}}"
   check_mode: no
 
 - name: "Set permissions for fluentd"

+ 3 - 3
roles/openshift_logging/tasks/install_logging.yaml

@@ -24,14 +24,14 @@
     loop_var: install_component
 
 - name: Register API objects from generated templates
-  shell: ls -d -1 {{mktemp.stdout}}/templates/* | sort
+  command: ls -1 {{mktemp.stdout}}/templates/
   register: logging_objects
   check_mode: no
 
 - name: Creating API objects from generated templates
   command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{file}} -n {{openshift_logging_namespace}}
-  with_items: "{{logging_objects.stdout_lines}}"
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{mktemp.stdout}}/templates/{{file}} -n {{openshift_logging_namespace}}
+  with_items: "{{logging_objects.stdout_lines | sort}}"
   loop_control:
     loop_var: file
   when: not ansible_check_mode
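Review bot: `command: ls -1 {{mktemp.stdout}}/templates/` discovers files by parsing `ls` output and is reported as changed on every run; Ansible's `find` module returns the paths as structured data, e.g. `find: paths: "{{mktemp.stdout}}/templates"` registered as `logging_objects` and iterated with `with_items: "{{ logging_objects.files | map(attribute='path') | sort }}"`, which also removes the need to re-prefix `{{mktemp.stdout}}/templates/` in the apply command. For plain filenames the behaviour is otherwise equivalent, so this is a point of style rather than a defect.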

+ 4 - 4
roles/openshift_logging/tasks/label_node.yaml

@@ -1,12 +1,12 @@
 ---
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}}
-    --template='{{ '{{index .metadata.labels "' }}{{label}}{{ '"}}' }}'
+    -o jsonpath='{.metadata.labels.{{ label }}}'
   register: label_value
   failed_when: label_value.rc == 1 and 'exists' not in label_value.stderr
   when: not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} --overwrite
   register: label_result
   failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr
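Review bot: The new `-o jsonpath='{.metadata.labels.{{ label }}}'` only works for label keys without dots: a key such as `kubernetes.io/hostname` is parsed by jsonpath as nested fields and does not return the label value, whereas the replaced go-template `index .metadata.labels` form accepted any key. kubectl's jsonpath accepts a backslash-escaped dot inside a key (`{.metadata.labels.kubernetes\.io/hostname}`), so either escape dots in `label` before interpolating it or document that only dot-free keys are supported. The default key `logging-infra-fluentd` is unaffected, so this only surfaces when a user overrides the selector.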
@@ -17,7 +17,7 @@
   - unlabel is not defined or not unlabel
   - not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}-
   register: label_result
   failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr

+ 5 - 0
roles/openshift_logging/tasks/main.yaml

@@ -1,4 +1,9 @@
 ---
+- fail:
+    msg: Only one Fluentd nodeselector key pair should be provided
+  when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1"
+
+
 - name: Create temp directory for doing work in
   command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
   register: mktemp
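Review bot: The new `fail` task's condition `when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1"` wraps a Jinja expression in `{{ }}` inside a `when`, which Ansible already evaluates as Jinja; it works through double templating but produces the "conditional statements should not include jinja2 templating delimiters" warning and is the form later Ansible versions reject. Write it as `when: openshift_logging_fluentd_nodeselector.keys() | count > 1`. It may also be worth failing on an empty dict (`count == 0`), since install_fluentd.yaml and start/stop_cluster.yaml index `[0]` and would otherwise fail with a much less clear error.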

+ 8 - 8
roles/openshift_logging/tasks/scale.yaml

@@ -1,26 +1,26 @@
 ---
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}}
-    --template='{{ '{{.spec.replicas}}' }}' -n {{openshift_logging_namespace}}
+    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: replica_count
   failed_when: replica_count.rc == 1 and 'exists' not in replica_count.stderr
   when: not ansible_check_mode
 
-- shell: >
+- command: >
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale {{object}}
     --replicas={{desired}} -n {{openshift_logging_namespace}}
   register: scale_result
   failed_when: scale_result.rc == 1 and 'exists' not in scale_result.stderr
   when:
-  - replica_count.stdout != desired
   - not ansible_check_mode
+  - replica_count.stdout|int != desired
 
-- shell: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig describe {{object}} -n {{openshift_logging_namespace}} | awk -v statusrx='Pods Status:' '$0 ~ statusrx {print $3}'
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get {{object}} -n {{openshift_logging_namespace}} -o jsonpath='{.status.replicas}'
   register: replica_counts
-  until: replica_counts.stdout.find("{{desired}}") != -1
+  until: replica_counts.stdout|int == desired
   retries: 30
   delay: 10
   when:
-    - replica_count.stdout != desired
     - not ansible_check_mode
+    - replica_count.stdout|int != desired
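Review bot: `replica_count.stdout|int != desired` and `until: replica_counts.stdout|int == desired` compare an int with `desired` as-is; if `desired` arrives as a string (extra-vars and most templated values are strings), the inequality is always true and the `until` never succeeds, so the wait task retries 30 times and fails. Cast both sides: `- replica_count.stdout|int != desired|int` on both `when` lists and `until: replica_counts.stdout|int == desired|int`. Note also that an empty jsonpath result (object not found, or `.status.replicas` not yet populated) becomes 0 through `|int`, which is indistinguishable from a real zero; that is tolerable here only because the first task's `failed_when` already accepts a missing object.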

+ 12 - 12
roles/openshift_logging/tasks/start_cluster.yaml

@@ -1,16 +1,16 @@
 ---
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
   register: openshift_logging_fluentd_nodeselector_key
   check_mode: no
 
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
   register: openshift_logging_fluentd_nodeselector_value
   check_mode: no
 
-- shell: >
-    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g"
+- command: >
+    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}'
   register: fluentd_hosts
   when: "'--all' in openshift_logging_fluentd_hosts"
   check_mode: no
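Review bot: `get node -o jsonpath='{.items[*].metadata.name}'` prints every node name space-separated on one line, while the replaced `-o name | sed` printed one per line; anything that consumed `fluentd_hosts.stdout_lines` (the loop below this hunk, outside it) now sees a single-element list unless it splits `stdout` on whitespace. Either switch the consumer to `{{ fluentd_hosts.stdout.split() }}` or keep line-per-name output with `-o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'`. The same replacement is made in stop_cluster.yaml and needs the same treatment.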
@@ -25,7 +25,7 @@
   loop_control:
     loop_var: fluentd_host
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -38,7 +38,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
   check_mode: no
@@ -51,7 +51,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}}
   register: curator_dc
   check_mode: no
@@ -64,7 +64,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -78,7 +78,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
   check_mode: no
@@ -92,7 +92,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}}
   register: curator_dc
   check_mode: no

+ 12 - 12
roles/openshift_logging/tasks/stop_cluster.yaml

@@ -1,14 +1,14 @@
 ---
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d':' -f1
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
   register: openshift_logging_fluentd_nodeselector_key
 
-- shell: >
-    echo "{{openshift_logging_fluentd_nodeselector}}" | cut -d' ' -f2
+- command: >
+    echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
   register: openshift_logging_fluentd_nodeselector_value
 
-- shell: >
-    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name | sed "s,^node/,,g"
+- command: >
+    {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o jsonpath='{.items[*].metadata.name}'
   register: fluentd_hosts
   when: "'--all' in openshift_logging_fluentd_hosts"
 
@@ -22,7 +22,7 @@
   loop_control:
     loop_var: fluentd_host
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
 
@@ -34,7 +34,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
 
@@ -46,7 +46,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}}
   register: curator_dc
 
@@ -58,7 +58,7 @@
   loop_control:
     loop_var: object
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}}
   register: es_dc
 
@@ -71,7 +71,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}}
   register: kibana_dc
 
@@ -84,7 +84,7 @@
     loop_var: object
   when: openshift_logging_use_ops
 
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}}
   register: curator_dc
 

+ 2 - 2
roles/openshift_logging/tasks/upgrade_logging.yaml

@@ -8,7 +8,7 @@
     start_cluster: False
 
 # ensure that ES is running
-- shell: >
+- command: >
     {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}}
   register: es_dc
   check_mode: no
@@ -26,7 +26,7 @@
     dest: {{mktemp.stdout}}/es_migration.sh
 
 - name: Run upgrade scripts
-  shell: >
+  command: >
     sh {{mktemp.stdout}}/es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}}
 
 - name: Start up rest of cluster

+ 1 - 1
roles/openshift_logging/templates/fluentd.j2

@@ -25,7 +25,7 @@ spec:
     spec:
       serviceAccountName: "{{daemonset_serviceAccount}}"
       nodeSelector:
-        {{openshift_logging_fluentd_nodeselector}}
+        {{fluentd_nodeselector_key}}: "{{fluentd_nodeselector_value}}"
       containers:
       - name: "{{daemonset_container_name}}"
         image: "{{openshift_logging_image_prefix}}{{daemonset_name}}:{{openshift_logging_image_version}}"

+ 1 - 1
roles/openshift_logging/files/signing.conf

@@ -5,7 +5,7 @@
 # than one openssl command.
 
 [ default ]
-#dir                     = _output               # Top dir
+dir                     = {{top_dir}}               # Top dir
 
 # The next part of the configuration file is used by the openssl req command.
 # It defines the CA's key pair, its DN, and the desired extensions for the CA
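Review bot: The `{{top_dir}}` placeholder is added to `roles/openshift_logging/files/signing.conf`, but the task in generate_certs.yaml now uses `template: src=signing.conf.j2`, which the template module resolves under the role's `templates/` directory, not `files/`; unless this page omits a rename, the play will fail to find `signing.conf.j2` and the edited file under `files/` is read by nothing, since the `copy` + `lineinfile` tasks that used it were removed. Move the file to `roles/openshift_logging/templates/signing.conf.j2` so the source and the task agree. The value is interpolated into the OpenSSL config unquoted; `generated_certs_dir` is role-controlled so this is acceptable, but a path containing whitespace would break the `dir` setting.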