
Switched Heapster to use certificates generated by OpenShift

Juraci Paixão Kröhling před 8 roky
rodič
revize
336a796483

+ 0 - 40
roles/openshift_metrics/tasks/generate_heapster_certificates.yaml

@@ -1,40 +0,0 @@
----
-- name: generate heapster key/cert
-  command: >
-    {{ openshift.common.admin_binary }} ca create-server-cert
-    --config={{ mktemp.stdout }}/admin.kubeconfig
-    --key='{{ mktemp.stdout }}/heapster.key'
-    --cert='{{ mktemp.stdout }}/heapster.cert'
-    --hostnames=heapster
-    --signer-cert='{{ mktemp.stdout }}/ca.crt'
-    --signer-key='{{ mktemp.stdout }}/ca.key'
-    --signer-serial='{{ mktemp.stdout }}/ca.serial.txt'
-
-- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
-  block:
-  - name: read files for the heapster secret
-    slurp: src={{ item }}
-    register: heapster_secret
-    with_items:
-    - "{{ mktemp.stdout }}/heapster.cert"
-    - "{{ mktemp.stdout }}/heapster.key"
-    - "{{ client_ca }}"
-    vars:
-      custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt"
-      default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
-      client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"
-  - name: generate heapster secret template
-    template:
-      src: secret.j2
-      dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
-      force: no
-    vars:
-      name: heapster-secrets
-      labels:
-        metrics-infra: heapster
-      data:
-        heapster.cert: "{{ heapster_secret.results[0].content }}"
-        heapster.key: "{{ heapster_secret.results[1].content }}"
-        heapster.client-ca: "{{ heapster_secret.results[2].content }}"
-        heapster.allowed-users: >
-          {{ openshift_metrics_heapster_allowed_users|b64encode }}

+ 14 - 0
roles/openshift_metrics/tasks/generate_heapster_secrets.yaml

@@ -0,0 +1,14 @@
+---
+- name: generate heapster secret template
+  template:
+    src: secret.j2
+    dest: "{{ mktemp.stdout }}/templates/heapster_secrets.yaml"
+    force: no
+  vars:
+    name: heapster-secrets
+    labels:
+      metrics-infra: heapster
+    data:
+      heapster.allowed-users: >
+        {{ openshift_metrics_heapster_allowed_users|b64encode }}
+  when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
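Review bot: `force: no` on the template task is a YAML 1.1 truthy spelling; Ansible accepts it, but yamllint flags it and the canonical form is `force: false`. The `heapster.allowed-users: >` folded scalar keeps one trailing newline, so the base64 value handed to secret.j2 ends in a newline — presumably harmless if the template places it on its own line, but `>-` states the intent. This file no longer carries `heapster.cert`, `heapster.key` or `heapster.client-ca`; a one-line comment above the task, such as `# TLS material now comes from the serving-cert secret heapster-certs and the service-account CA`, would save the next reader a search through the deployment template.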

+ 3 - 1
roles/openshift_metrics/tasks/install_heapster.yaml

@@ -41,6 +41,8 @@
       - {port: 80, targetPort: http-endpoint}
     selector:
       name: "{{obj_name}}"
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: heapster-certs
     labels:
       metrics-infra: "{{obj_name}}"
       name: "{{obj_name}}"
@@ -64,4 +66,4 @@
         namespace: "{{ openshift_metrics_project }}"
   changed_when: no
 
-- include: generate_heapster_certificates.yaml
+- include: generate_heapster_secrets.yaml
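Review bot: The `service.alpha.openshift.io/serving-cert-secret-name` annotation in the first hunk depends on the master's service-serving-cert signer populating the `heapster-certs` secret asynchronously, and nothing in the role checks that it appears; on a cluster where that controller is disabled the heapster pod would presumably stay pending on the missing secret volume it mounts. Consider a wait task after the service is created, or at least a comment above the annotation: `# the serving-cert signer on the master populates secret heapster-certs with tls.crt/tls.key`. The include rename in the second hunk matches the new task file.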

+ 8 - 3
roles/openshift_metrics/templates/heapster.j2

@@ -34,9 +34,9 @@ spec:
         - "heapster-wrapper.sh"
         - "--wrapper.allowed_users_file=/secrets/heapster.allowed-users"
         - "--source=kubernetes.summary_api:${MASTER_URL}?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250"
-        - "--tls_cert=/secrets/heapster.cert"
-        - "--tls_key=/secrets/heapster.key"
-        - "--tls_client_ca=/secrets/heapster.client-ca"
+        - "--tls_cert=/heapster-certs/tls.crt"
+        - "--tls_key=/heapster-certs/tls.key"
+        - "--tls_client_ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
         - "--allowed_users=%allowed_users%"
         - "--metric_resolution={{openshift_metrics_resolution}}"
 {% if not openshift_metrics_heapster_standalone %}
@@ -80,6 +80,8 @@ spec:
         volumeMounts:
         - name: heapster-secrets
           mountPath: "/secrets"
+        - name: heapster-certs
+          mountPath: "/heapster-certs"
 {% if not openshift_metrics_heapster_standalone %}
         - name: hawkular-metrics-certs
           mountPath: "/hawkular-metrics-certs"
@@ -94,6 +96,9 @@ spec:
         - name: heapster-secrets
           secret:
             secretName: heapster-secrets
+        - name: heapster-certs
+          secret:
+            secretName: heapster-certs
 {% if not openshift_metrics_heapster_standalone %}
         - name: hawkular-metrics-certs
           secret:
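Review bot: `--tls_client_ca` in the first hunk is now hard-wired to the service-account CA `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, which silently drops the custom client-CA path (`heapster_client_ca.crt`) that the removed generate_heapster_certificates.yaml honoured; a deployment that relied on a custom CA to authenticate clients to heapster would presumably have those client certificates rejected after this change. If that is intended, say so in the commit message or in a comment next to the flag; otherwise keep a role variable for the client CA with the service-account CA as its default. The `heapster-certs` volume and mount added in the later hunks, with keys `tls.crt`/`tls.key`, are consistent with the serving-cert annotation on the service.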

+ 6 - 0
roles/openshift_metrics/templates/service.j2

@@ -2,6 +2,12 @@ apiVersion: "v1"
 kind: "Service"
 metadata:
   name: "{{obj_name}}"
+{% if annotations is defined%}
+  annotations:
+{% for key, value in annotations.iteritems() %}
+    {{key}}: {{value}}
+{% endfor %}
+{% endif %}
 {% if labels is defined%}
   labels:
 {% for key, value in labels.iteritems() %}
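Review bot: `{{key}}: {{value}}` in the new annotations loop renders the value unquoted, so an annotation value that looks like a boolean or number, or contains `: ` or ` #`, would be mis-typed or break the YAML the service is applied from; Kubernetes requires annotation values to be strings. Quote it: `    {{key}}: "{{value}}"`. The loop also uses `.iteritems()`, which exists only on Python 2 dicts; `.items()` behaves the same on both, and the same applies to the existing labels loop directly below.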