Merge pull request #3481 from jpkrohling/JPK-SwitchHeapsterToUseGeneratedCerts

Merged by openshift-bot

roles/openshift_metrics/tasks/generate_heapster_certificates.yaml

@@ -1,40 +0,0 @@
----
-- name: generate heapster key/cert
-  command: >
-    {{ openshift.common.admin_binary }} ca create-server-cert
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    --key='{{ mktemp.stdout }}/heapster.key'
-    --cert='{{ mktemp.stdout }}/heapster.cert'
-    --hostnames=heapster
-    --signer-cert='{{ mktemp.stdout }}/ca.crt'
-    --signer-key='{{ mktemp.stdout }}/ca.key'
-    --signer-serial='{{ mktemp.stdout }}/ca.serial.txt'
-
-- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
-  block:
-  - name: read files for the heapster secret
-    slurp: src={{ item }}
-    register: heapster_secret
-    with_items:
-    - "{{ mktemp.stdout }}/heapster.cert"
-    - "{{ mktemp.stdout }}/heapster.key"
-    - "{{ client_ca }}"
-    vars:
-      custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt"
-      default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
-      client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"
-  - name: generate heapster secret template
-    template:
-      src: secret.j2
-      dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
-      force: no
-    vars:
-      name: heapster-secrets
-      labels:
-        metrics-infra: heapster
-      data:
-        heapster.cert: "{{ heapster_secret.results[0].content }}"
-        heapster.key: "{{ heapster_secret.results[1].content }}"
-        heapster.client-ca: "{{ heapster_secret.results[2].content }}"
-        heapster.allowed-users: >
-          {{ openshift_metrics_heapster_allowed_users|b64encode }}

roles/openshift_metrics/tasks/generate_heapster_secrets.yaml

@@ -0,0 +1,14 @@
+---
+- name: generate heapster secret template
+  template:
+    src: secret.j2
+    dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
+    force: no
+  vars:
+    name: heapster-secrets
+    labels:
+      metrics-infra: heapster
+    data:
+      heapster.allowed-users: >
+        {{ openshift_metrics_heapster_allowed_users|b64encode }}
+  when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"

roles/openshift_metrics/tasks/install_heapster.yaml

@@ -41,6 +41,8 @@
       - {port: 80, targetPort: http-endpoint}
     selector:
       name: "{{obj_name}}"
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: heapster-certs
     labels:
       metrics-infra: "{{obj_name}}"
       name: "{{obj_name}}"
@@ -64,4 +66,4 @@
         namespace: "{{ openshift_metrics_project }}"
   changed_when: no
 
-- include: generate_heapster_certificates.yaml
+- include: generate_heapster_secrets.yaml

roles/openshift_metrics/templates/heapster.j2

@@ -34,9 +34,9 @@ spec:
         - "heapster-wrapper.sh"
         - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users"
         - "--source=kubernetes.summary_api:${MASTER_URL}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250"
-        - "--tls_cert=/secrets/heapster.cert"
-        - "--tls_key=/secrets/heapster.key"
-        - "--tls_client_ca=/secrets/heapster.client-ca"
+        - "--tls_cert=/heapster-certs/tls.crt"
+        - "--tls_key=/heapster-certs/tls.key"
+        - "--tls_client_ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
         - "--allowed_users=%allowed_users%"
         - "--metric_resolution={{openshift_metrics_resolution}}"
 {% if not openshift_metrics_heapster_standalone %}
@@ -80,6 +80,8 @@ spec:
         volumeMounts:
         - name: heapster-secrets
           mountPath: "/secrets"
+        - name: heapster-certs
+          mountPath: "/heapster-certs"
 {% if not openshift_metrics_heapster_standalone %}
         - name: hawkular-metrics-certs
           mountPath: "/hawkular-metrics-certs"
@@ -94,6 +96,9 @@ spec:
         - name: heapster-secrets
           secret:
             secretName: heapster-secrets
+        - name: heapster-certs
+          secret:
+            secretName: heapster-certs
 {% if not openshift_metrics_heapster_standalone %}
         - name: hawkular-metrics-certs
           secret:

roles/openshift_metrics/templates/service.j2

@@ -2,6 +2,12 @@ apiVersion: "v1"
 kind: "Service"
 metadata:
   name: "{{obj_name}}"
+{% if annotations is defined%}
+  annotations:
+{% for key, value in annotations.iteritems() %}
+    {{key}}: {{value}}
+{% endfor %}
+{% endif %}
 {% if labels is defined%}
   labels:
 {% for key, value in labels.iteritems() %}