
Pulling in changes from master

ewolinetz 8 years ago
parent
commit
60ad4626f0
62 changed files with 484 additions and 2701 deletions
  1. 0 18
      roles/openshift_logging/files/curator.yml
  2. 0 79
      roles/openshift_logging/files/es_migration.sh
  3. 0 7
      roles/openshift_logging/files/fluentd-throttle-config.yaml
  4. 0 6
      roles/openshift_logging/files/logging-deployer-sa.yaml
  5. 0 3
      roles/openshift_logging/tasks/delete_logging.yaml
  6. 2 2
      roles/openshift_logging/tasks/generate_certs.yaml
  7. 0 13
      roles/openshift_logging/tasks/generate_clusterrolebindings.yaml
  8. 0 11
      roles/openshift_logging/tasks/generate_clusterroles.yaml
  9. 0 178
      roles/openshift_logging/tasks/generate_configmaps.yaml
  10. 0 65
      roles/openshift_logging/tasks/generate_deploymentconfigs.yaml
  11. 0 47
      roles/openshift_logging/tasks/generate_pvcs.yaml
  12. 0 12
      roles/openshift_logging/tasks/generate_rolebindings.yaml
  13. 0 169
      roles/openshift_logging/tasks/generate_routes.yaml
  14. 0 129
      roles/openshift_logging/tasks/generate_secrets.yaml
  15. 0 14
      roles/openshift_logging/tasks/generate_serviceaccounts.yaml
  16. 0 119
      roles/openshift_logging/tasks/generate_services.yaml
  17. 0 53
      roles/openshift_logging/tasks/install_curator.yaml
  18. 0 118
      roles/openshift_logging/tasks/install_elasticsearch.yaml
  19. 0 54
      roles/openshift_logging/tasks/install_fluentd.yaml
  20. 0 60
      roles/openshift_logging/tasks/install_kibana.yaml
  21. 44 6
      roles/openshift_logging/tasks/install_logging.yaml
  22. 0 67
      roles/openshift_logging/tasks/install_mux.yaml
  23. 0 47
      roles/openshift_logging/tasks/install_support.yaml
  24. 0 52
      roles/openshift_logging/tasks/oc_apply.yaml
  25. 0 7
      roles/openshift_logging/tasks/oc_secret.yaml
  26. 0 80
      roles/openshift_logging/tasks/set_es_storage.yaml
  27. 0 156
      roles/openshift_logging/tasks/start_cluster.yaml
  28. 0 153
      roles/openshift_logging/tasks/stop_cluster.yaml
  29. 0 48
      roles/openshift_logging/tasks/upgrade_logging.yaml
  30. 0 21
      roles/openshift_logging/templates/clusterrole.j2
  31. 0 24
      roles/openshift_logging/templates/clusterrolebinding.j2
  32. 0 98
      roles/openshift_logging/templates/curator.j2
  33. 0 81
      roles/openshift_logging/templates/elasticsearch-logging.yml.j2
  34. 0 81
      roles/openshift_logging/templates/elasticsearch.yml.j2
  35. 0 1
      roles/openshift_logging/templates/es-storage-emptydir.partial
  36. 0 2
      roles/openshift_logging/templates/es-storage-hostpath.partial
  37. 0 2
      roles/openshift_logging/templates/es-storage-pvc.partial
  38. 0 110
      roles/openshift_logging/templates/es.j2
  39. 0 167
      roles/openshift_logging/templates/fluentd.j2
  40. 0 139
      roles/openshift_logging/templates/kibana.j2
  41. 0 15
      roles/openshift_logging/templates/oauth-client.j2
  42. 0 27
      roles/openshift_logging/templates/pvc.j2
  43. 0 36
      roles/openshift_logging/templates/route_reencrypt.j2
  44. 0 9
      roles/openshift_logging/templates/secret.j2
  45. 0 34
      roles/openshift_logging/templates/service.j2
  46. 0 16
      roles/openshift_logging/templates/serviceaccount.j2
  47. 69 18
      roles/openshift_logging_elasticsearch/tasks/main.yaml
  48. 2 2
      roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2
  49. 12 4
      roles/openshift_logging_elasticsearch/templates/es.j2
  50. 0 0
      roles/openshift_logging_elasticsearch/templates/rolebinding.j2
  51. 22 6
      roles/openshift_logging_fluentd/defaults/main.yml
  52. 10 10
      roles/openshift_logging_fluentd/tasks/main.yaml
  53. 7 7
      roles/openshift_logging_fluentd/templates/fluentd.j2
  54. 20 2
      roles/openshift_logging_kibana/tasks/main.yaml
  55. 43 0
      roles/openshift_logging_mux/defaults/main.yml
  56. 0 0
      roles/openshift_logging_mux/files/fluent.conf
  57. 0 0
      roles/openshift_logging_mux/files/secure-forward.conf
  58. 15 0
      roles/openshift_logging_mux/meta/main.yaml
  59. 17 0
      roles/openshift_logging_mux/tasks/determine_version.yaml
  60. 202 0
      roles/openshift_logging_mux/tasks/main.yaml
  61. 16 16
      roles/openshift_logging/templates/mux.j2
  62. 3 0
      roles/openshift_logging_mux/vars/main.yml

+ 0 - 18
roles/openshift_logging/files/curator.yml

@@ -1,18 +0,0 @@
-# Logging example curator config file
-
-# uncomment and use this to override the defaults from env vars
-#.defaults:
-#  delete:
-#    days: 30
-#  runhour: 0
-#  runminute: 0
-
-# to keep ops logs for a different duration:
-#.operations:
-#  delete:
-#    weeks: 8
-
-# example for a normal project
-#myapp:
-#  delete:
-#    weeks: 1

+ 0 - 79
roles/openshift_logging/files/es_migration.sh

@@ -1,79 +0,0 @@
-CA=${1:-/etc/openshift/logging/ca.crt}
-KEY=${2:-/etc/openshift/logging/system.admin.key}
-CERT=${3:-/etc/openshift/logging/system.admin.crt}
-openshift_logging_es_host=${4:-logging-es}
-openshift_logging_es_port=${5:-9200}
-namespace=${6:-logging}
-
-# for each index in _cat/indices
-# skip indices that begin with . - .kibana, .operations, etc.
-# skip indices that contain a uuid
-# get a list of unique project
-# daterx - the date regex that matches the .%Y.%m.%d at the end of the indices
-# we are interested in - the awk will strip that part off
-function get_list_of_indices() {
-    curl -s --cacert $CA --key $KEY --cert $CERT https://$openshift_logging_es_host:$openshift_logging_es_port/_cat/indices | \
-        awk -v daterx='[.]20[0-9]{2}[.][0-1]?[0-9][.][0-9]{1,2}$' \
-        '$3 !~ "^[.]" && $3 !~ "^[^.]+[.][^.]+"daterx && $3 !~ "^project." && $3 ~ daterx {print gensub(daterx, "", "", $3)}' | \
-    sort -u
-}
-
-# for each index in _cat/indices
-# skip indices that begin with . - .kibana, .operations, etc.
-# get a list of unique project.uuid
-# daterx - the date regex that matches the .%Y.%m.%d at the end of the indices
-# we are interested in - the awk will strip that part off
-function get_list_of_proj_uuid_indices() {
-    curl -s --cacert $CA --key $KEY --cert $CERT https://$openshift_logging_es_host:$openshift_logging_es_port/_cat/indices | \
-        awk -v daterx='[.]20[0-9]{2}[.][0-1]?[0-9][.][0-9]{1,2}$' \
-            '$3 !~ "^[.]" && $3 ~ "^[^.]+[.][^.]+"daterx && $3 !~ "^project." && $3 ~ daterx {print gensub(daterx, "", "", $3)}' | \
-        sort -u
-}
-
-if [[ -z "$(oc get pods -l component=es -o jsonpath='{.items[?(@.status.phase == "Running")].metadata.name}')" ]]; then
-  echo "No Elasticsearch pods found running.  Cannot update common data model."
-  exit 1
-fi
-
-count=$(get_list_of_indices | wc -l)
-if [ $count -eq 0 ]; then
-  echo No matching indices found - skipping update_for_uuid
-else
-  echo Creating aliases for $count index patterns . . .
-  {
-    echo '{"actions":['
-    get_list_of_indices | \
-      while IFS=. read proj ; do
-        # e.g. make test.uuid.* an alias of test.* so we can search for
-        # /test.uuid.*/_search and get both the test.uuid.* and
-        # the test.* indices
-        uid=$(oc get project "$proj" -o jsonpath='{.metadata.uid}' 2>/dev/null)
-        [ -n "$uid" ] && echo "{\"add\":{\"index\":\"$proj.*\",\"alias\":\"$proj.$uuid.*\"}}"
-      done
-    echo ']}'
-  } | curl -s --cacert $CA --key $KEY --cert $CERT -XPOST -d @- "https://$openshift_logging_es_host:$openshift_logging_es_port/_aliases"
-fi
-
-count=$(get_list_of_proj_uuid_indices | wc -l)
-if [ $count -eq 0 ] ; then
-    echo No matching indexes found - skipping update_for_common_data_model
-    exit 0
-fi
-
-echo Creating aliases for $count index patterns . . .
-# for each index in _cat/indices
-# skip indices that begin with . - .kibana, .operations, etc.
-# get a list of unique project.uuid
-# daterx - the date regex that matches the .%Y.%m.%d at the end of the indices
-# we are interested in - the awk will strip that part off
-{
-  echo '{"actions":['
-  get_list_of_proj_uuid_indices | \
-    while IFS=. read proj uuid ; do
-      # e.g. make project.test.uuid.* and alias of test.uuid.* so we can search for
-      # /project.test.uuid.*/_search and get both the test.uuid.* and
-      # the project.test.uuid.* indices
-      echo "{\"add\":{\"index\":\"$proj.$uuid.*\",\"alias\":\"${PROJ_PREFIX}$proj.$uuid.*\"}}"
-    done
-  echo ']}'
-} | curl -s --cacert $CA --key $KEY --cert $CERT -XPOST -d @- "https://$openshift_logging_es_host:$openshift_logging_es_port/_aliases"

+ 0 - 7
roles/openshift_logging/files/fluentd-throttle-config.yaml

@@ -1,7 +0,0 @@
-# Logging example fluentd throttling config file
-
-#example-project:
-#  read_lines_limit: 10
-#
-#.operations:
-#  read_lines_limit: 100

+ 0 - 6
roles/openshift_logging/files/logging-deployer-sa.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: logging-deployer
-secrets:
-- name: logging-deployer

+ 0 - 3
roles/openshift_logging/tasks/delete_logging.yaml

@@ -1,7 +1,4 @@
 ---
-- name: stop logging
-  include: stop_cluster.yaml
-
 # delete the deployment objects that we had created
 - name: delete logging api objects
   oc_obj:

+ 2 - 2
roles/openshift_logging/tasks/generate_certs.yaml

@@ -51,14 +51,14 @@
   with_items:
     - procure_component: mux
       hostnames: "logging-mux, {{openshift_logging_mux_hostname}}"
-  when: openshift_logging_use_mux
+  when: openshift_logging_use_mux | bool
 
 - include: procure_shared_key.yaml
   loop_control:
     loop_var: shared_key_info
   with_items:
     - procure_component: mux
-  when: openshift_logging_use_mux
+  when: openshift_logging_use_mux | bool
 
 - include: procure_server_certs.yaml
   loop_control:
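Review bot: Both `when: openshift_logging_use_mux | bool` lines in this hunk lack a comment saying why the cast is there, so a later cleanup could drop it again without noticing. I would add one line above the first condition, for example `# inventory values may arrive as strings ("yes"/"no"); cast before testing`, and keep the two mux includes gated on the identical expression so the mux host entry and the `procure_shared_key.yaml` step are never generated one without the other. If some inventories leave the flag unset, `openshift_logging_use_mux | default(false) | bool` would be the safer form, though the role defaults may already define it; that is not visible here. The task carrying the first condition starts above the hunk, and the `procure_server_certs.yaml` include continues below it.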

+ 0 - 13
roles/openshift_logging/tasks/generate_clusterrolebindings.yaml

@@ -1,13 +0,0 @@
----
-- name: Generate ClusterRoleBindings
-  template: src=clusterrolebinding.j2 dest={{mktemp.stdout}}/templates/logging-15-{{obj_name}}-clusterrolebinding.yaml
-  vars:
-    acct_name: aggregated-logging-elasticsearch
-    obj_name: rolebinding-reader
-    crb_usernames: ["system:serviceaccount:{{openshift_logging_namespace}}:{{acct_name}}"]
-    subjects:
-      - kind: ServiceAccount
-        name: "{{acct_name}}"
-        namespace: "{{openshift_logging_namespace}}"
-  check_mode: no
-  changed_when: no

+ 0 - 11
roles/openshift_logging/tasks/generate_clusterroles.yaml

@@ -1,11 +0,0 @@
----
-- name: Generate ClusterRole for cluster-reader
-  template: src=clusterrole.j2 dest={{mktemp.stdout}}/templates/logging-10-{{obj_name}}-clusterrole.yaml
-  vars:
-    obj_name: rolebinding-reader
-    rules:
-      - resources: [clusterrolebindings]
-        verbs:
-          - get
-  check_mode: no
-  changed_when: no

+ 0 - 178
roles/openshift_logging/tasks/generate_configmaps.yaml

@@ -1,178 +0,0 @@
----
-- block:
-    - fail:
-        msg: "The openshift_logging_es_log_appenders '{{openshift_logging_es_log_appenders}}' has an unrecognized option and only supports the following as a list: {{es_log_appenders | join(', ')}}"
-      when:
-        - es_logging_contents is undefined
-        - "{{ openshift_logging_es_log_appenders | list | difference(es_log_appenders) | length != 0 }}"
-      changed_when: no
-
-    - template:
-        src: elasticsearch-logging.yml.j2
-        dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
-      vars:
-        root_logger: "{{openshift_logging_es_log_appenders | join(', ')}}"
-      when: es_logging_contents is undefined
-      changed_when: no
-      check_mode: no
-
-    - local_action: >
-        template src=elasticsearch.yml.j2
-        dest="{{local_tmp.stdout}}/elasticsearch-gen-template.yml"
-      vars:
-        - allow_cluster_reader: "{{openshift_logging_es_ops_allow_cluster_reader | lower | default('false')}}"
-        - es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(1) }}"
-        - es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(0) }}"
-      when: es_config_contents is undefined
-      changed_when: no
-
-    - copy:
-        content: "{{ config_source | combine(override_config,recursive=True) | to_nice_yaml }}"
-        dest: "{{mktemp.stdout}}/elasticsearch.yml"
-      vars:
-        config_source: "{{lookup('file','{{local_tmp.stdout}}/elasticsearch-gen-template.yml') | from_yaml }}"
-        override_config: "{{openshift_logging_es_config | from_yaml}}"
-      when: es_logging_contents is undefined
-      changed_when: no
-
-    - copy:
-        content: "{{es_logging_contents}}"
-        dest: "{{mktemp.stdout}}/elasticsearch-logging.yml"
-      when: es_logging_contents is defined
-      changed_when: no
-
-    - copy:
-        content: "{{es_config_contents}}"
-        dest: "{{mktemp.stdout}}/elasticsearch.yml"
-      when: es_config_contents is defined
-      changed_when: no
-
-    - command: >
-        {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-elasticsearch
-        --from-file=logging.yml={{mktemp.stdout}}/elasticsearch-logging.yml --from-file=elasticsearch.yml={{mktemp.stdout}}/elasticsearch.yml -o yaml --dry-run
-      register: es_configmap
-      changed_when: no
-
-    - copy:
-        content: "{{es_configmap.stdout}}"
-        dest: "{{mktemp.stdout}}/templates/logging-elasticsearch-configmap.yaml"
-      when: es_configmap.stdout is defined
-      changed_when: no
-  check_mode: no
-
-- block:
-    - copy:
-        src: curator.yml
-        dest: "{{mktemp.stdout}}/curator.yml"
-      when: curator_config_contents is undefined
-      changed_when: no
-
-    - copy:
-        content: "{{curator_config_contents}}"
-        dest: "{{mktemp.stdout}}/curator.yml"
-      when: curator_config_contents is defined
-      changed_when: no
-
-    - command: >
-        {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-curator
-        --from-file=config.yaml={{mktemp.stdout}}/curator.yml -o yaml --dry-run
-      register: curator_configmap
-      changed_when: no
-
-    - copy:
-        content: "{{curator_configmap.stdout}}"
-        dest: "{{mktemp.stdout}}/templates/logging-curator-configmap.yaml"
-      when: curator_configmap.stdout is defined
-      changed_when: no
-  check_mode: no
-
-- block:
-    - copy:
-        src: fluent.conf
-        dest: "{{mktemp.stdout}}/fluent.conf"
-      when: fluentd_config_contents is undefined
-      changed_when: no
-
-    - copy:
-        src: fluentd-throttle-config.yaml
-        dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
-      when: fluentd_throttle_contents is undefined
-      changed_when: no
-
-    - copy:
-        src: secure-forward.conf
-        dest: "{{mktemp.stdout}}/secure-forward.conf"
-      when: fluentd_securefoward_contents is undefined
-      changed_when: no
-
-    - copy:
-        content: "{{fluentd_config_contents}}"
-        dest: "{{mktemp.stdout}}/fluent.conf"
-      when: fluentd_config_contents is defined
-      changed_when: no
-
-    - copy:
-        content: "{{fluentd_throttle_contents}}"
-        dest: "{{mktemp.stdout}}/fluentd-throttle-config.yaml"
-      when: fluentd_throttle_contents is defined
-      changed_when: no
-
-    - copy:
-        content: "{{fluentd_secureforward_contents}}"
-        dest: "{{mktemp.stdout}}/secure-forward.conf"
-      when: fluentd_secureforward_contents is defined
-      changed_when: no
-
-    - command: >
-        {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-fluentd
-        --from-file=fluent.conf={{mktemp.stdout}}/fluent.conf --from-file=throttle-config.yaml={{mktemp.stdout}}/fluentd-throttle-config.yaml
-        --from-file=secure-forward.conf={{mktemp.stdout}}/secure-forward.conf -o yaml --dry-run
-      register: fluentd_configmap
-      changed_when: no
-
-    - copy:
-        content: "{{fluentd_configmap.stdout}}"
-        dest: "{{mktemp.stdout}}/templates/logging-fluentd-configmap.yaml"
-      when: fluentd_configmap.stdout is defined
-      changed_when: no
-  check_mode: no
-
-- block:
-    - copy:
-        src: fluent.conf
-        dest: "{{mktemp.stdout}}/fluent-mux.conf"
-      when: fluentd_mux_config_contents is undefined
-      changed_when: no
-
-    - copy:
-        src: secure-forward.conf
-        dest: "{{mktemp.stdout}}/secure-forward-mux.conf"
-      when: fluentd_mux_securefoward_contents is undefined
-      changed_when: no
-
-    - copy:
-        content: "{{fluentd_mux_config_contents}}"
-        dest: "{{mktemp.stdout}}/fluent-mux.conf"
-      when: fluentd_mux_config_contents is defined
-      changed_when: no
-
-    - copy:
-        content: "{{fluentd_mux_secureforward_contents}}"
-        dest: "{{mktemp.stdout}}/secure-forward-mux.conf"
-      when: fluentd_mux_secureforward_contents is defined
-      changed_when: no
-
-    - command: >
-        {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-mux
-        --from-file=fluent.conf={{mktemp.stdout}}/fluent-mux.conf
-        --from-file=secure-forward.conf={{mktemp.stdout}}/secure-forward-mux.conf -o yaml --dry-run
-      register: mux_configmap
-      changed_when: no
-
-    - copy:
-        content: "{{mux_configmap.stdout}}"
-        dest: "{{mktemp.stdout}}/templates/logging-mux-configmap.yaml"
-      when: mux_configmap.stdout is defined
-      changed_when: no
-  check_mode: no
-  when: openshift_logging_use_mux

+ 0 - 65
roles/openshift_logging/tasks/generate_deploymentconfigs.yaml

@@ -1,65 +0,0 @@
----
-- name: Generate kibana deploymentconfig
-  template: src=kibana.j2 dest={{mktemp.stdout}}/logging-kibana-dc.yaml
-  vars:
-    component: kibana
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-kibana:{{openshift_logging_image_version}}"
-    proxy_image: "{{openshift_logging_image_prefix}}logging-auth-proxy:{{openshift_logging_image_version}}"
-    es_host: logging-es
-    es_port: "{{openshift_logging_es_port}}"
-  check_mode: no
-  changed_when: no
-
-- name: Generate OPS kibana deploymentconfig
-  template: src=kibana.j2 dest={{mktemp.stdout}}/logging-kibana-ops-dc.yaml
-  vars:
-    component: kibana-ops
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-kibana:{{openshift_logging_image_version}}"
-    proxy_image: "{{openshift_logging_image_prefix}}logging-auth-proxy:{{openshift_logging_image_version}}"
-    es_host: logging-es-ops
-    es_port: "{{openshift_logging_es_ops_port}}"
-  check_mode: no
-  changed_when: no
-
-- name: Generate elasticsearch deploymentconfig
-  template: src=es.j2 dest={{mktemp.stdout}}/logging-es-dc.yaml
-  vars:
-    component: es
-    deploy_name_prefix: "logging-{{component}}"
-    deploy_name: "{{deploy_name_prefix}}-abc123"
-    image: "{{openshift_logging_image_prefix}}logging-elasticsearch:{{openshift_logging_image_version}}"
-    es_cluster_name: "{{component}}"
-  check_mode: no
-  changed_when: no
-
-- name: Generate OPS elasticsearch deploymentconfig
-  template: src=es.j2 dest={{mktemp.stdout}}/logging-es-ops-dc.yaml
-  vars:
-    component: es-ops
-    deploy_name_prefix: "logging-{{component}}"
-    deploy_name: "{{deploy_name_prefix}}-abc123"
-    image: "{{openshift_logging_image_prefix}}logging-elasticsearch:{{openshift_logging_image_version}}"
-    es_cluster_name: "{{component}}"
-  check_mode: no
-  changed_when: no
-
-- name: Generate curator deploymentconfig
-  template: src=curator.j2 dest={{mktemp.stdout}}/logging-curator-dc.yaml
-  vars:
-    component: curator
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-curator:{{openshift_logging_image_version}}"
-  check_mode: no
-  changed_when: no
-
-- name: Generate OPS curator deploymentconfig
-  template: src=curator.j2 dest={{mktemp.stdout}}/logging-curator-ops-dc.yaml
-  vars:
-    component: curator-ops
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-curator:{{openshift_logging_image_version}}"
-    openshift_logging_es_host: logging-es-ops
-  check_mode: no
-  changed_when: no

+ 0 - 47
roles/openshift_logging/tasks/generate_pvcs.yaml

@@ -1,47 +0,0 @@
----
-- name: Init pool of PersistentVolumeClaim names
-  set_fact: es_pvc_pool={{es_pvc_pool|default([]) + [pvc_name]}}
-  vars:
-    pvc_name: "{{es_pvc_prefix}}-{{item| int}}"
-    start: "{{es_pvc_names | map('regex_search', es_pvc_prefix+'.*')|select('string')|list|length}}"
-  with_sequence: start={{start}} end={{ (start|int > es_cluster_size|int - 1) | ternary(start, es_cluster_size|int - 1)}}
-  when:
-    - "{{ es_dc_names|default([]) | length <= es_cluster_size|int }}"
-    - es_pvc_size | search('^\d.*')
-  check_mode: no
-
-- name: Generating PersistentVolumeClaims
-  template: src=pvc.j2 dest={{mktemp.stdout}}/templates/logging-{{obj_name}}-pvc.yaml
-  vars:
-    obj_name: "{{claim_name}}"
-    size: "{{es_pvc_size}}"
-    access_modes: "{{ es_access_modes | list }}"
-    pv_selector: "{{es_pv_selector}}"
-  with_items:
-    - "{{es_pvc_pool | default([])}}"
-  loop_control:
-    loop_var: claim_name
-  when:
-    - not es_pvc_dynamic
-    - es_pvc_pool is defined
-  check_mode: no
-  changed_when: no
-
-- name: Generating PersistentVolumeClaims - Dynamic
-  template: src=pvc.j2 dest={{mktemp.stdout}}/templates/logging-{{obj_name}}-pvc.yaml
-  vars:
-    obj_name: "{{claim_name}}"
-    annotations:
-      volume.alpha.kubernetes.io/storage-class: "dynamic"
-    size: "{{es_pvc_size}}"
-    access_modes: "{{ es_access_modes | list }}"
-    pv_selector: "{{es_pv_selector}}"
-  with_items:
-    - "{{es_pvc_pool|default([])}}"
-  loop_control:
-    loop_var: claim_name
-  when:
-    - es_pvc_dynamic
-    - es_pvc_pool is defined
-  check_mode: no
-  changed_when: no

+ 0 - 12
roles/openshift_logging/tasks/generate_rolebindings.yaml

@@ -1,12 +0,0 @@
----
-- name: Generate RoleBindings
-  template: src=rolebinding.j2 dest={{mktemp.stdout}}/templates/logging-{{obj_name}}-rolebinding.yaml
-  vars:
-    obj_name: logging-elasticsearch-view-role
-    roleRef:
-      name: view
-    subjects:
-      - kind: ServiceAccount
-        name: aggregated-logging-elasticsearch
-  check_mode: no
-  changed_when: no

+ 0 - 169
roles/openshift_logging/tasks/generate_routes.yaml

@@ -1,169 +0,0 @@
----
-- set_fact: kibana_key={{ lookup('file', openshift_logging_kibana_key) | b64encode }}
-  when: openshift_logging_kibana_key | trim | length > 0
-  changed_when: false
-
-- set_fact: kibana_cert={{ lookup('file', openshift_logging_kibana_cert)| b64encode  }}
-  when: openshift_logging_kibana_cert | trim | length > 0
-  changed_when: false
-
-- set_fact: kibana_ca={{ lookup('file', openshift_logging_kibana_ca)| b64encode  }}
-  when: openshift_logging_kibana_ca | trim | length > 0
-  changed_when: false
-
-- set_fact: kibana_ca={{key_pairs | entry_from_named_pair('ca_file') }}
-  when: kibana_ca is not defined
-  changed_when: false
-
-- name: Generating logging routes
-  template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-kibana-route.yaml
-  tags: routes
-  vars:
-    obj_name: "logging-kibana"
-    route_host: "{{openshift_logging_kibana_hostname}}"
-    service_name: "logging-kibana"
-    tls_key: "{{kibana_key | default('') | b64decode}}"
-    tls_cert: "{{kibana_cert | default('') | b64decode}}"
-    tls_ca_cert: "{{kibana_ca | b64decode}}"
-    tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
-    edge_term_policy: "{{openshift_logging_kibana_edge_term_policy | default('') }}"
-    labels:
-      component: support
-      logging-infra: support
-      provider: openshift
-  changed_when: no
-
-- set_fact: kibana_ops_key={{ lookup('file', openshift_logging_kibana_ops_key) | b64encode }}
-  when:
-  - openshift_logging_use_ops | bool
-  - "{{ openshift_logging_kibana_ops_key | trim | length > 0 }}"
-  changed_when: false
-
-- set_fact: kibana_ops_cert={{ lookup('file', openshift_logging_kibana_ops_cert)| b64encode  }}
-  when:
-  - openshift_logging_use_ops | bool
-  - "{{openshift_logging_kibana_ops_cert | trim | length > 0}}"
-  changed_when: false
-
-- set_fact: kibana_ops_ca={{ lookup('file', openshift_logging_kibana_ops_ca)| b64encode  }}
-  when:
-  - openshift_logging_use_ops | bool
-  - "{{openshift_logging_kibana_ops_ca | trim | length > 0}}"
-  changed_when: false
-
-- set_fact: kibana_ops_ca={{key_pairs | entry_from_named_pair('ca_file') }}
-  when:
-  - openshift_logging_use_ops | bool
-  - kibana_ops_ca is not defined
-  changed_when: false
-
-- name: Generating logging ops routes
-  template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-kibana-ops-route.yaml
-  tags: routes
-  vars:
-    obj_name: "logging-kibana-ops"
-    route_host: "{{openshift_logging_kibana_ops_hostname}}"
-    service_name: "logging-kibana-ops"
-    tls_key: "{{kibana_ops_key | default('') | b64decode}}"
-    tls_cert: "{{kibana_ops_cert | default('') | b64decode}}"
-    tls_ca_cert: "{{kibana_ops_ca | b64decode}}"
-    tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
-    edge_term_policy: "{{openshift_logging_kibana_edge_term_policy | default('') }}"
-    labels:
-      component: support
-      logging-infra: support
-      provider: openshift
-  when: openshift_logging_use_ops | bool
-  changed_when: no
-
-- set_fact: es_key={{ lookup('file', openshift_logging_es_key) | b64encode }}
-  when:
-  - openshift_logging_es_key | trim | length > 0
-  - openshift_logging_es_allow_external | bool
-  changed_when: false
-
-- set_fact: es_cert={{ lookup('file', openshift_logging_es_cert)| b64encode  }}
-  when:
-  - openshift_logging_es_cert | trim | length > 0
-  - openshift_logging_es_allow_external | bool
-  changed_when: false
-
-- set_fact: es_ca={{ lookup('file', openshift_logging_es_ca_ext)| b64encode  }}
-  when:
-  - openshift_logging_es_ca_ext | trim | length > 0
-  - openshift_logging_es_allow_external | bool
-  changed_when: false
-
-- set_fact: es_ca={{key_pairs | entry_from_named_pair('ca_file') }}
-  when:
-  - es_ca is not defined
-  - openshift_logging_es_allow_external | bool
-  changed_when: false
-
-- name: Generating Elasticsearch logging routes
-  template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-route.yaml
-  tags: routes
-  vars:
-    obj_name: "logging-es"
-    route_host: "{{openshift_logging_es_hostname}}"
-    service_name: "logging-es"
-    tls_key: "{{es_key | default('') | b64decode}}"
-    tls_cert: "{{es_cert | default('') | b64decode}}"
-    tls_ca_cert: "{{es_ca | b64decode}}"
-    tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
-    edge_term_policy: "{{openshift_logging_es_edge_term_policy | default('') }}"
-    labels:
-      component: support
-      logging-infra: support
-      provider: openshift
-  changed_when: no
-  when: openshift_logging_es_allow_external | bool
-
-- set_fact: es_ops_key={{ lookup('file', openshift_logging_es_ops_key) | b64encode }}
-  when:
-  - openshift_logging_es_ops_allow_external | bool
-  - openshift_logging_use_ops | bool
-  - "{{ openshift_logging_es_ops_key | trim | length > 0 }}"
-  changed_when: false
-
-- set_fact: es_ops_cert={{ lookup('file', openshift_logging_es_ops_cert)| b64encode  }}
-  when:
-  - openshift_logging_es_ops_allow_external | bool
-  - openshift_logging_use_ops | bool
-  - "{{openshift_logging_es_ops_cert | trim | length > 0}}"
-  changed_when: false
-
-- set_fact: es_ops_ca={{ lookup('file', openshift_logging_es_ops_ca_ext)| b64encode  }}
-  when:
-  - openshift_logging_es_ops_allow_external | bool
-  - openshift_logging_use_ops | bool
-  - "{{openshift_logging_es_ops_ca_ext | trim | length > 0}}"
-  changed_when: false
-
-- set_fact: es_ops_ca={{key_pairs | entry_from_named_pair('ca_file') }}
-  when:
-  - openshift_logging_es_ops_allow_external | bool
-  - openshift_logging_use_ops | bool
-  - es_ops_ca is not defined
-  changed_when: false
-
-- name: Generating Elasticsearch logging ops routes
-  template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-logging-es-ops-route.yaml
-  tags: routes
-  vars:
-    obj_name: "logging-es-ops"
-    route_host: "{{openshift_logging_es_ops_hostname}}"
-    service_name: "logging-es-ops"
-    tls_key: "{{es_ops_key | default('') | b64decode}}"
-    tls_cert: "{{es_ops_cert | default('') | b64decode}}"
-    tls_ca_cert: "{{es_ops_ca | b64decode}}"
-    tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
-    edge_term_policy: "{{openshift_logging_es_ops_edge_term_policy | default('') }}"
-    labels:
-      component: support
-      logging-infra: support
-      provider: openshift
-  when:
-  - openshift_logging_es_ops_allow_external | bool
-  - openshift_logging_use_ops | bool
-  changed_when: no

+ 0 - 129
roles/openshift_logging/tasks/generate_secrets.yaml

@@ -1,129 +0,0 @@
----
-- name: Retrieving the cert to use when generating secrets for the logging components
-  slurp: src="{{generated_certs_dir}}/{{item.file}}"
-  register: key_pairs
-  with_items:
-    - { name: "ca_file", file: "ca.crt" }
-    - { name: "kibana_key", file: "system.logging.kibana.key"}
-    - { name: "kibana_cert", file: "system.logging.kibana.crt"}
-    - { name: "curator_key", file: "system.logging.curator.key"}
-    - { name: "curator_cert", file: "system.logging.curator.crt"}
-    - { name: "fluentd_key", file: "system.logging.fluentd.key"}
-    - { name: "fluentd_cert", file: "system.logging.fluentd.crt"}
-    - { name: "kibana_internal_key", file: "kibana-internal.key"}
-    - { name: "kibana_internal_cert", file: "kibana-internal.crt"}
-    - { name: "server_tls", file: "server-tls.json"}
-
-- name: Generating secrets for logging components
-  template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
-  vars:
-    secret_name: "logging-{{component}}"
-    secret_key_file: "{{component}}_key"
-    secret_cert_file: "{{component}}_cert"
-    secrets:
-      - {key: ca, value: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
-      - {key: key, value: "{{key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
-      - {key: cert, value: "{{key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
-    secret_keys: ["ca", "cert", "key"]
-  with_items:
-    - kibana
-    - curator
-    - fluentd
-  loop_control:
-    loop_var: component
-  check_mode: no
-  changed_when: no
-
-- name: Retrieving the cert to use when generating secrets for mux
-  slurp: src="{{generated_certs_dir}}/{{item.file}}"
-  register: mux_key_pairs
-  with_items:
-    - { name: "ca_file", file: "ca.crt" }
-    - { name: "mux_key", file: "system.logging.mux.key"}
-    - { name: "mux_cert", file: "system.logging.mux.crt"}
-    - { name: "mux_shared_key", file: "mux_shared_key"}
-  when: openshift_logging_use_mux
-
-- name: Generating secrets for mux
-  template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
-  vars:
-    secret_name: "logging-{{component}}"
-    secret_key_file: "{{component}}_key"
-    secret_cert_file: "{{component}}_cert"
-    secrets:
-      - {key: ca, value: "{{mux_key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
-      - {key: key, value: "{{mux_key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
-      - {key: cert, value: "{{mux_key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
-      - {key: shared_key, value: "{{mux_key_pairs | entry_from_named_pair('mux_shared_key')| b64decode }}"}
-    secret_keys: ["ca", "cert", "key", "shared_key"]
-  with_items:
-    - mux
-  loop_control:
-    loop_var: component
-  check_mode: no
-  changed_when: no
-  when: openshift_logging_use_mux
-
-- name: Generating secrets for kibana proxy
-  template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
-  vars:
-    secret_name: logging-kibana-proxy
-    secrets:
-      - {key: oauth-secret, value: "{{oauth_secret}}"}
-      - {key: session-secret, value: "{{session_secret}}"}
-      - {key: server-key, value: "{{kibana_key_file}}"}
-      - {key: server-cert, value: "{{kibana_cert_file}}"}
-      - {key: server-tls.json, value: "{{server_tls_file}}"}
-    secret_keys: ["server-tls.json", "server-key", "session-secret", "oauth-secret", "server-cert"]
-    kibana_key_file: "{{key_pairs | entry_from_named_pair('kibana_internal_key')| b64decode }}"
-    kibana_cert_file: "{{key_pairs | entry_from_named_pair('kibana_internal_cert')| b64decode }}"
-    server_tls_file: "{{key_pairs | entry_from_named_pair('server_tls')| b64decode }}"
-  check_mode: no
-  changed_when: no
-
-- name: Generating secrets for elasticsearch
-  command: >
-    {{openshift.common.client_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig secrets new {{secret_name}}
-    key={{generated_certs_dir}}/logging-es.jks truststore={{generated_certs_dir}}/truststore.jks
-    searchguard.key={{generated_certs_dir}}/elasticsearch.jks searchguard.truststore={{generated_certs_dir}}/truststore.jks
-    admin-key={{generated_certs_dir}}/system.admin.key admin-cert={{generated_certs_dir}}/system.admin.crt
-    admin-ca={{generated_certs_dir}}/ca.crt admin.jks={{generated_certs_dir}}/system.admin.jks -o yaml
-  vars:
-    secret_name: logging-elasticsearch
-    secret_keys: ["admin-cert", "searchguard.key", "admin-ca", "key", "truststore", "admin-key", "searchguard.truststore"]
-  register: logging_es_secret
-  check_mode: no
-  changed_when: no
-
-- copy: content="{{logging_es_secret.stdout}}" dest={{mktemp.stdout}}/templates/logging-elasticsearch-secret.yaml
-  when: logging_es_secret.stdout is defined
-  check_mode: no
-  changed_when: no
-
-- name: Retrieving the cert to use when generating secrets for Elasticsearch external route
-  slurp: src="{{generated_certs_dir}}/{{item.file}}"
-  register: es_key_pairs
-  with_items:
-    - { name: "ca_file", file: "ca.crt" }
-    - { name: "es_key", file: "system.logging.es.key"}
-    - { name: "es_cert", file: "system.logging.es.crt"}
-  when: openshift_logging_es_allow_external | bool
-
-- name: Generating secrets for Elasticsearch external route
-  template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
-  vars:
-    secret_name: "logging-{{component}}"
-    secret_key_file: "{{component}}_key"
-    secret_cert_file: "{{component}}_cert"
-    secrets:
-      - {key: ca, value: "{{es_key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
-      - {key: key, value: "{{es_key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
-      - {key: cert, value: "{{es_key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
-    secret_keys: ["ca", "cert", "key"]
-  with_items:
-    - es
-  loop_control:
-    loop_var: component
-  check_mode: no
-  changed_when: no
-  when: openshift_logging_es_allow_external | bool

+ 0 - 14
roles/openshift_logging/tasks/generate_serviceaccounts.yaml

@@ -1,14 +0,0 @@
----
-- name: Generating serviceaccounts
-  template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/logging-{{component}}-sa.yaml
-  vars:
-    obj_name: aggregated-logging-{{component}}
-  with_items:
-    - elasticsearch
-    - kibana
-    - fluentd
-    - curator
-  loop_control:
-    loop_var: component
-  check_mode: no
-  changed_when: no

+ 0 - 119
roles/openshift_logging/tasks/generate_services.yaml

@@ -1,119 +0,0 @@
----
-- name: Generating logging-es service
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-es-svc.yaml
-  vars:
-    obj_name: logging-es
-    ports:
-    - {port: 9200, targetPort: restapi}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: es
-  check_mode: no
-  changed_when: no
-
-- name: Generating logging-es-cluster service
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-es-cluster-svc.yaml
-  vars:
-    obj_name: logging-es-cluster
-    ports:
-    - {port: 9300}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: es
-  check_mode: no
-  changed_when: no
-
-- name: Generating logging-kibana service
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-kibana-svc.yaml
-  vars:
-    obj_name: logging-kibana
-    ports:
-    - {port: 443, targetPort: oaproxy}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: kibana
-  check_mode: no
-  changed_when: no
-
-- name: Generating logging-es-ops service
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-es-ops-svc.yaml
-  vars:
-    obj_name: logging-es-ops
-    ports:
-    - {port: 9200, targetPort: restapi}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: es-ops
-  when: openshift_logging_use_ops | bool
-  check_mode: no
-  changed_when: no
-
-- name: Generating logging-es-ops-cluster service
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-es-ops-cluster-svc.yaml
-  vars:
-    obj_name: logging-es-ops-cluster
-    ports:
-    - {port: 9300}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: es-ops
-  when: openshift_logging_use_ops | bool
-  check_mode: no
-  changed_when: no
-
-- name: Generating logging-kibana-ops service
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-kibana-ops-svc.yaml
-  vars:
-    obj_name: logging-kibana-ops
-    ports:
-    - {port: 443, targetPort: oaproxy}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: kibana-ops
-  when: openshift_logging_use_ops | bool
-  check_mode: no
-  changed_when: no
-
-- name: Generating logging-mux service for external connections
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-mux-svc.yaml
-  vars:
-    obj_name: logging-mux
-    ports:
-    - {port: "{{openshift_logging_mux_port}}", targetPort: mux-forward, name: mux-forward}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: mux
-    externalIPs:
-    - "{{ ansible_eth0.ipv4.address }}"
-  check_mode: no
-  changed_when: no
-  when: openshift_logging_mux_allow_external
-
-- name: Generating logging-mux service for intra-cluster connections
-  template: src=service.j2 dest={{mktemp.stdout}}/templates/logging-mux-svc.yaml
-  vars:
-    obj_name: logging-mux
-    ports:
-    - {port: "{{openshift_logging_mux_port}}", targetPort: mux-forward, name: mux-forward}
-    labels:
-      logging-infra: support
-    selector:
-      provider: openshift
-      component: mux
-  check_mode: no
-  changed_when: no
-  when: openshift_logging_use_mux and not openshift_logging_mux_allow_external

+ 0 - 53
roles/openshift_logging/tasks/install_curator.yaml

@@ -1,53 +0,0 @@
----
-- name: Check Curator current replica count
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-curator
-    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
-  register: curator_replica_count
-  when: not ansible_check_mode
-  ignore_errors: yes
-  changed_when: no
-
-- name: Check Curator ops current replica count
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-curator-ops
-    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
-  register: curator_ops_replica_count
-  when:
-    - not ansible_check_mode
-    - openshift_logging_use_ops | bool
-  ignore_errors: yes
-  changed_when: no
-
-- name: Generate curator deploymentconfig
-  template: src=curator.j2 dest={{mktemp.stdout}}/templates/logging-curator-dc.yaml
-  vars:
-    component: curator
-    logging_component: curator
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-curator:{{openshift_logging_image_version}}"
-    es_host: logging-es
-    es_port: "{{openshift_logging_es_port}}"
-    curator_cpu_limit: "{{openshift_logging_curator_cpu_limit }}"
-    curator_memory_limit: "{{openshift_logging_curator_memory_limit }}"
-    replicas: "{{curator_replica_count.stdout | default (0)}}"
-    curator_node_selector: "{{openshift_logging_curator_nodeselector | default({})}}"
-  check_mode: no
-  changed_when: no
-
-- name: Generate OPS curator deploymentconfig
-  template: src=curator.j2 dest={{mktemp.stdout}}/templates/logging-curator-ops-dc.yaml
-  vars:
-    component: curator-ops
-    logging_component: curator
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-curator:{{openshift_logging_image_version}}"
-    es_host: logging-es-ops
-    es_port: "{{openshift_logging_es_ops_port}}"
-    curator_cpu_limit: "{{openshift_logging_curator_ops_cpu_limit }}"
-    curator_memory_limit: "{{openshift_logging_curator_ops_memory_limit }}"
-    replicas: "{{curator_ops_replica_count.stdout | default (0)}}"
-    curator_node_selector: "{{openshift_logging_curator_ops_nodeselector | default({}) }}"
-  when: openshift_logging_use_ops | bool
-  check_mode: no
-  changed_when: no

+ 0 - 118
roles/openshift_logging/tasks/install_elasticsearch.yaml

@@ -1,118 +0,0 @@
----
-- name: Getting current ES deployment size
-  set_fact: openshift_logging_current_es_size={{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | length }}
-
-- set_fact: openshift_logging_es_pvc_prefix="logging-es"
-  when: not openshift_logging_es_pvc_prefix or openshift_logging_es_pvc_prefix == ''
-
-- set_fact: es_indices={{ es_indices | default([]) + [item | int - 1] }}
-  with_sequence: count={{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count }}
-
-### evaluate if the PVC attached to the dc currently matches the provided vars
-## if it does then we reuse that pvc in the DC
-- include: set_es_storage.yaml
-  vars:
-    es_component: es
-    es_name: "{{ deployment.0 }}"
-    es_spec: "{{ deployment.1 }}"
-    es_pvc_count: "{{ deployment.2 | int }}"
-    es_node_selector: "{{ openshift_logging_es_nodeselector | default({}) }}"
-    es_pvc_names_count: "{{ openshift_logging_facts.elasticsearch.pvcs.keys() | count }}"
-    es_pvc_size: "{{ openshift_logging_es_pvc_size }}"
-    es_pvc_prefix: "{{ openshift_logging_es_pvc_prefix }}"
-    es_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic | bool }}"
-    es_pv_selector: "{{ openshift_logging_es_pv_selector }}"
-    es_cpu_limit: "{{ openshift_logging_es_cpu_limit }}"
-    es_memory_limit: "{{ openshift_logging_es_memory_limit }}"
-  with_together:
-  - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() }}"
-  - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() }}"
-  - "{{ es_indices | default([]) }}"
-  loop_control:
-    loop_var: deployment
-## if it does not then we should create one that does and attach it
-
-## create new dc/pvc is needed
-- include: set_es_storage.yaml
-  vars:
-    es_component: es
-    es_name: "logging-es-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}"
-    es_spec: "{}"
-    es_pvc_count: "{{ item | int - 1 }}"
-    es_node_selector: "{{ openshift_logging_es_nodeselector | default({}) }}"
-    es_pvc_names_count: "{{ [openshift_logging_facts.elasticsearch.pvcs.keys() | count, openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count] | max }}"
-    es_pvc_size: "{{ openshift_logging_es_pvc_size }}"
-    es_pvc_prefix: "{{ openshift_logging_es_pvc_prefix }}"
-    es_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic | bool }}"
-    es_pv_selector: "{{ openshift_logging_es_pv_selector }}"
-    es_cpu_limit: "{{ openshift_logging_es_cpu_limit }}"
-    es_memory_limit: "{{ openshift_logging_es_memory_limit }}"
-  with_sequence: count={{ openshift_logging_es_cluster_size | int - openshift_logging_facts.elasticsearch.deploymentconfigs | count }}
-
-# --------- Tasks for Operation clusters ---------
-
-- name: Getting current ES deployment size
-  set_fact: openshift_logging_current_es_ops_size={{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() | length }}
-
-- set_fact: openshift_logging_es_ops_pvc_prefix="{{ openshift_logging_es_ops_pvc_prefix | default('logging-es-ops') }}"
-
-- name: Validate Elasticsearch cluster size for Ops
-  fail: msg="The openshift_logging_es_ops_cluster_size may not be scaled down more than 1 less (or 0) the number of Elasticsearch nodes already deployed"
-  vars:
-    es_dcs: "{{openshift_logging_facts.elasticsearch_ops.deploymentconfigs}}"
-    cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}"
-  when:
-  - openshift_logging_use_ops | bool
-  - "{{es_dcs | length - openshift_logging_es_ops_cluster_size|int | abs > 1}}"
-  check_mode: no
-
-- set_fact: openshift_logging_es_ops_pvc_prefix="logging-es-ops"
-  when: not openshift_logging_es_ops_pvc_prefix or openshift_logging_es_ops_pvc_prefix == ''
-
-- set_fact: es_ops_indices={{ es_ops_indices | default([]) + [item | int - 1] }}
-  with_sequence: count={{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() | count }}
-  when:
-  - openshift_logging_use_ops | bool
-
-- include: set_es_storage.yaml
-  vars:
-    es_component: es-ops
-    es_name: "{{ deployment.0 }}"
-    es_spec: "{{ deployment.1 }}"
-    es_pvc_count: "{{ deployment.2 | int }}"
-    es_node_selector: "{{ openshift_logging_es_ops_nodeselector | default({}) }}"
-    es_pvc_names_count: "{{ openshift_logging_facts.elasticsearch_ops.pvcs.keys() | count }}"
-    es_pvc_size: "{{ openshift_logging_es_ops_pvc_size }}"
-    es_pvc_prefix: "{{ openshift_logging_es_ops_pvc_prefix }}"
-    es_pvc_dynamic: "{{ openshift_logging_es_ops_pvc_dynamic | bool }}"
-    es_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}"
-    es_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}"
-    es_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}"
-  with_together:
-  - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() }}"
-  - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.values() }}"
-  - "{{ es_ops_indices | default([]) }}"
-  loop_control:
-    loop_var: deployment
-  when:
-  - openshift_logging_use_ops | bool
-## if it does not then we should create one that does and attach it
-
-## create new dc/pvc is needed
-- include: set_es_storage.yaml
-  vars:
-    es_component: es-ops
-    es_name: "logging-es-ops-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}"
-    es_spec: "{}"
-    es_pvc_count: "{{ item | int - 1 }}"
-    es_node_selector: "{{ openshift_logging_es_ops_nodeselector | default({}) }}"
-    es_pvc_names_count: "{{ [openshift_logging_facts.elasticsearch_ops.pvcs.keys() | count, openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() | count] | max }}"
-    es_pvc_size: "{{ openshift_logging_es_ops_pvc_size }}"
-    es_pvc_prefix: "{{ openshift_logging_es_ops_pvc_prefix }}"
-    es_pvc_dynamic: "{{ openshift_logging_es_ops_pvc_dynamic | bool }}"
-    es_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}"
-    es_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}"
-    es_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}"
-  with_sequence: count={{ openshift_logging_es_ops_cluster_size | int - openshift_logging_facts.elasticsearch_ops.deploymentconfigs | count }}
-  when:
-  - openshift_logging_use_ops | bool

+ 0 - 54
roles/openshift_logging/tasks/install_fluentd.yaml

@@ -1,54 +0,0 @@
----
-- set_fact: fluentd_ops_host={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}
-  check_mode: no
-
-- set_fact: fluentd_ops_port={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}
-  check_mode: no
-
-- name: Generating Fluentd daemonset
-  template: src=fluentd.j2 dest={{mktemp.stdout}}/templates/logging-fluentd.yaml
-  vars:
-    daemonset_name: logging-fluentd
-    daemonset_component: fluentd
-    daemonset_container_name: fluentd-elasticsearch
-    daemonset_serviceAccount: aggregated-logging-fluentd
-    ops_host: "{{ fluentd_ops_host }}"
-    ops_port: "{{ fluentd_ops_port }}"
-    fluentd_nodeselector_key: "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
-    fluentd_nodeselector_value: "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
-  check_mode: no
-  changed_when: no
-
-- name: "Check fluentd privileged permissions"
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
-    get scc/privileged -o jsonpath='{.users}'
-  register: fluentd_privileged
-  check_mode: no
-  changed_when: no
-
-- name: "Set privileged permissions for fluentd"
-  command: >
-    {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
-    add-scc-to-user privileged system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
-  register: fluentd_output
-  failed_when: fluentd_output.rc == 1 and 'exists' not in fluentd_output.stderr
-  check_mode: no
-  when: fluentd_privileged.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1
-
-- name: "Check fluentd cluster-reader permissions"
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
-    get clusterrolebinding/cluster-readers -o jsonpath='{.userNames}'
-  register: fluentd_cluster_reader
-  check_mode: no
-  changed_when: no
-
-- name: "Set cluster-reader permissions for fluentd"
-  command: >
-    {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
-    add-cluster-role-to-user cluster-reader system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
-  register: fluentd2_output
-  failed_when: fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr
-  check_mode: no
-  when: fluentd_cluster_reader.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1

+ 0 - 60
roles/openshift_logging/tasks/install_kibana.yaml

@@ -1,60 +0,0 @@
----
-- name: Check Kibana current replica count
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-kibana
-    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
-  register: kibana_replica_count
-  when: not ansible_check_mode
-  ignore_errors: yes
-  changed_when: no
-
-- name: Check Kibana ops current replica count
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-kibana-ops
-    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
-  register: kibana_ops_replica_count
-  when:
-    - not ansible_check_mode
-    - openshift_logging_use_ops | bool
-  ignore_errors: yes
-  changed_when: no
-
-
-- name: Generate kibana deploymentconfig
-  template: src=kibana.j2 dest={{mktemp.stdout}}/templates/logging-kibana-dc.yaml
-  vars:
-    component: kibana
-    logging_component: kibana
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-kibana:{{openshift_logging_image_version}}"
-    proxy_image: "{{openshift_logging_image_prefix}}logging-auth-proxy:{{openshift_logging_image_version}}"
-    es_host: logging-es
-    es_port: "{{openshift_logging_es_port}}"
-    kibana_cpu_limit: "{{openshift_logging_kibana_cpu_limit }}"
-    kibana_memory_limit: "{{openshift_logging_kibana_memory_limit }}"
-    kibana_proxy_cpu_limit: "{{openshift_logging_kibana_proxy_cpu_limit }}"
-    kibana_proxy_memory_limit: "{{openshift_logging_kibana_proxy_memory_limit }}"
-    replicas: "{{kibana_replica_count.stdout | default (0)}}"
-    kibana_node_selector: "{{openshift_logging_kibana_nodeselector | default({})}}"
-  check_mode: no
-  changed_when: no
-
-- name: Generate OPS kibana deploymentconfig
-  template: src=kibana.j2 dest={{mktemp.stdout}}/templates/logging-kibana-ops-dc.yaml
-  vars:
-    component: kibana-ops
-    logging_component: kibana
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-kibana:{{openshift_logging_image_version}}"
-    proxy_image: "{{openshift_logging_image_prefix}}logging-auth-proxy:{{openshift_logging_image_version}}"
-    es_host: logging-es-ops
-    es_port: "{{openshift_logging_es_ops_port}}"
-    kibana_cpu_limit: "{{openshift_logging_kibana_ops_cpu_limit }}"
-    kibana_memory_limit: "{{openshift_logging_kibana_ops_memory_limit }}"
-    kibana_proxy_cpu_limit: "{{openshift_logging_kibana_ops_proxy_cpu_limit }}"
-    kibana_proxy_memory_limit: "{{openshift_logging_kibana_ops_proxy_memory_limit }}"
-    replicas: "{{kibana_ops_replica_count.stdout | default (0)}}"
-    kibana_node_selector: "{{openshift_logging_kibana_ops_nodeselector | default({})}}"
-  when: openshift_logging_use_ops | bool
-  check_mode: no
-  changed_when: no

+ 44 - 6
roles/openshift_logging/tasks/install_logging.yaml

@@ -8,14 +8,33 @@
   oc_project:
     state: present
     name: "{{ openshift_logging_namespace }}"
+    node_selector: "{{ openshift_logging_nodeselector | default(null) }}"
 
-- name: Install logging mux
-  include: "{{ role_path }}/tasks/install_mux.yaml"
-  when: openshift_logging_use_mux
+- name: Labelling logging project
+  oc_label:
+    state: present
+    kind: namespace
+    name: "{{ openshift_logging_namespace }}"
+    labels:
+    - key: "{{ item.key }}"
+      value: "{{ item.value }}"
+  with_dict: "{{ openshift_logging_labels | default({}) }}"
+  when:
+  - openshift_logging_labels is defined
+  - openshift_logging_labels is dict
 
-- find: paths={{ mktemp.stdout }}/templates patterns=*.yaml
-  register: object_def_files
-  changed_when: no
+- name: Labelling logging project
+  oc_label:
+    state: present
+    kind: namespace
+    name: "{{ openshift_logging_namespace }}"
+    labels:
+    - key: "{{ openshift_logging_label_key }}"
+      value: "{{ openshift_logging_label_value }}"
+  when:
+  - openshift_logging_label_key is defined
+  - openshift_logging_label_key != ""
+  - openshift_logging_label_value is defined
 
 - name: Create logging cert directory
   file:
@@ -166,6 +185,20 @@
   when:
   - openshift_logging_use_ops | bool
 
+## Mux
+- include_role:
+    name: openshift_logging_mux
+  vars:
+    generated_certs_dir: "{{openshift.common.config_base}}/logging"
+    openshift_logging_mux_ops_host: "{{ ( openshift_logging_use_ops | bool ) | ternary('logging-es-ops', 'logging-es') }}"
+    openshift_logging_mux_namespace: "{{ openshift_logging_namespace }}"
+    openshift_logging_mux_master_url: "{{ openshift_logging_master_url }}"
+    openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix }}"
+    openshift_logging_mux_image_version: "{{ openshift_logging_image_version }}"
+    openshift_logging_mux_image_pull_secret: "{{ openshift_logging_image_pull_secret }}"
+  when:
+  - openshift_logging_use_mux | bool
+
 
 ## Fluentd
 - include_role:
@@ -174,5 +207,10 @@
     generated_certs_dir: "{{openshift.common.config_base}}/logging"
     openshift_logging_fluentd_ops_host: "{{ ( openshift_logging_use_ops | bool ) | ternary('logging-es-ops', 'logging-es') }}"
     openshift_logging_fluentd_use_journal: "{{ openshift.docker.options | search('journald') }}"
+    openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix }}"
+    openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version }}"
+    openshift_logging_fluentd_image_pull_secret: "{{ openshift_logging_image_pull_secret }}"
+    openshift_logging_fluentd_master_url: "{{ openshift_logging_master_url }}"
+    openshift_logging_fluentd_namespace: "{{ openshift_logging_namespace }}"
 
 - include: update_master_config.yaml
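Review bot: The `## Mux` `include_role` block added in the second hunk (`@@ -166,6 +185,20 @@`) has no `name:` and no record of which cluster-level grants the `openshift_logging_mux` role is expected to make. The `install_mux.yaml` deleted in this same commit added the `hostmount-anyuid` SCC and the `cluster-reader` role to `system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd`, the same service account that the deleted `install_fluentd.yaml` added to the `privileged` SCC; whether the new role keeps that sharing is not visible on this page. I would give the task a name and put a comment above it, for example `# openshift_logging_mux is expected to own the SCC and cluster-role grants formerly in tasks/install_mux.yaml; confirm they target a mux-specific service account`, so the privilege change stays auditable from this file. The two tasks added in the first hunk also share the name `Labelling logging project`, which makes run output ambiguous; a suffix naming the variable each one reads (`openshift_logging_labels` or `openshift_logging_label_key`) would tell them apart.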

+ 0 - 67
roles/openshift_logging/tasks/install_mux.yaml

@@ -1,67 +0,0 @@
----
-- set_fact: mux_ops_host={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}
-  check_mode: no
-
-- set_fact: mux_ops_port={{ (openshift_logging_use_ops | bool) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}
-  check_mode: no
-
-- name: Check mux current replica count
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-mux
-    -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
-  register: mux_replica_count
-  when: not ansible_check_mode
-  ignore_errors: yes
-  changed_when: no
-
-- name: Generating mux deploymentconfig
-  template: src=mux.j2 dest={{mktemp.stdout}}/templates/logging-mux-dc.yaml
-  vars:
-    component: mux
-    logging_component: mux
-    deploy_name: "logging-{{component}}"
-    image: "{{openshift_logging_image_prefix}}logging-fluentd:{{openshift_logging_image_version}}"
-    es_host: logging-es
-    es_port: "{{openshift_logging_es_port}}"
-    ops_host: "{{ mux_ops_host }}"
-    ops_port: "{{ mux_ops_port }}"
-    mux_cpu_limit: "{{openshift_logging_mux_cpu_limit}}"
-    mux_memory_limit: "{{openshift_logging_mux_memory_limit}}"
-    replicas: "{{mux_replica_count.stdout | default (0)}}"
-    mux_node_selector: "{{openshift_logging_mux_nodeselector | default({})}}"
-  check_mode: no
-  changed_when: no
-
-- name: "Check mux hostmount-anyuid permissions"
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
-    get scc/hostmount-anyuid -o jsonpath='{.users}'
-  register: mux_hostmount_anyuid
-  check_mode: no
-  changed_when: no
-
-- name: "Set hostmount-anyuid permissions for mux"
-  command: >
-    {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
-    add-scc-to-user hostmount-anyuid system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
-  register: mux_output
-  failed_when: mux_output.rc == 1 and 'exists' not in mux_output.stderr
-  check_mode: no
-  when: mux_hostmount_anyuid.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1
-
-- name: "Check mux cluster-reader permissions"
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
-    get clusterrolebinding/cluster-readers -o jsonpath='{.userNames}'
-  register: mux_cluster_reader
-  check_mode: no
-  changed_when: no
-
-- name: "Set cluster-reader permissions for mux"
-  command: >
-    {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
-    add-cluster-role-to-user cluster-reader system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
-  register: mux2_output
-  failed_when: mux2_output.rc == 1 and 'exists' not in mux2_output.stderr
-  check_mode: no
-  when: mux_cluster_reader.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1

+ 0 - 47
roles/openshift_logging/tasks/install_support.yaml

@@ -1,47 +0,0 @@
----
-# This is the base configuration for installing the other components
-- name: Set logging project
-  oc_project:
-    state: present
-    name: "{{ openshift_logging_namespace }}"
-    node_selector: "{{ openshift_logging_nodeselector | default(null) }}"
-
-- name: Labelling logging project
-  oc_label:
-    state: present
-    kind: namespace
-    name: "{{ openshift_logging_namespace }}"
-    labels:
-    - key: "{{ item.key }}"
-      value: "{{ item.value }}"
-  with_dict: "{{ openshift_logging_labels | default({}) }}"
-  when:
-  - openshift_logging_labels is defined
-  - openshift_logging_labels is dict
-
-- name: Labelling logging project
-  oc_label:
-    state: present
-    kind: namespace
-    name: "{{ openshift_logging_namespace }}"
-    labels:
-    - key: "{{ openshift_logging_label_key }}"
-      value: "{{ openshift_logging_label_value }}"
-  when:
-  - openshift_logging_label_key is defined
-  - openshift_logging_label_key != ""
-  - openshift_logging_label_value is defined
-
-- name: Create logging cert directory
-  file: path={{openshift.common.config_base}}/logging state=directory mode=0755
-  changed_when: False
-  check_mode: no
-
-- include: generate_certs.yaml
-  vars:
-    generated_certs_dir: "{{openshift.common.config_base}}/logging"
-
-- name: Create temp directory for all our templates
-  file: path={{mktemp.stdout}}/templates state=directory mode=0755
-  changed_when: False
-  check_mode: no

+ 0 - 52
roles/openshift_logging/tasks/oc_apply.yaml

@@ -1,52 +0,0 @@
----
-- oc_obj:
-    kind: "{{ file_content.kind }}"
-    name: "{{ file_content.metadata.name }}"
-    state: present
-    namespace: "{{ namespace }}"
-    files:
-    - "{{ file_name }}"
-  when: file_content.kind not in ["Service", "Route"]
-
-## still need to do this for services until the template logic is replaced by oc_*
-- block:
-  - name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}}
-    command: >
-      {{ openshift.common.client_binary }}
-      --config={{ kubeconfig }}
-      get {{file_content.kind}} {{file_content.metadata.name}}
-      -o jsonpath='{.metadata.resourceVersion}'
-      -n {{namespace}}
-    register: generation_init
-    failed_when: "'not found' not in generation_init.stderr and generation_init.stdout == ''"
-    changed_when: no
-
-  - name: Applying {{file_name}}
-    command: >
-      {{ openshift.common.client_binary }} --config={{ kubeconfig }}
-      apply -f {{ file_name }}
-      -n {{ namespace }}
-    register: generation_apply
-    failed_when: "'error' in generation_apply.stderr"
-    changed_when: no
-
-  - name: Removing previous {{file_name}}
-    command: >
-      {{ openshift.common.client_binary }} --config={{ kubeconfig }}
-      delete -f {{ file_name }}
-      -n {{ namespace }}
-    register: generation_delete
-    failed_when: "'error' in generation_delete.stderr"
-    changed_when: generation_delete.rc == 0
-    when: "'field is immutable' in generation_apply.stderr"
-
-  - name: Recreating {{file_name}}
-    command: >
-      {{ openshift.common.client_binary }} --config={{ kubeconfig }}
-      apply -f {{ file_name }}
-      -n {{ namespace }}
-    register: generation_apply
-    failed_when: "'error' in generation_apply.stderr"
-    changed_when: generation_apply.rc == 0
-    when: "'field is immutable' in generation_apply.stderr"
-  when: file_content.kind in ["Service", "Route"]

+ 0 - 7
roles/openshift_logging/tasks/oc_secret.yaml

@@ -1,7 +0,0 @@
----
-- command: >
-    {{ openshift.common.client_binary }}
-    --config={{ kubeconfig }}
-    secret {{subcommand}} {{service_account}} {{secret_name}}
-    {{add_args}}
-    -n {{openshift_logging_namespace}}

+ 0 - 80
roles/openshift_logging/tasks/set_es_storage.yaml

@@ -1,80 +0,0 @@
----
-- set_fact: es_storage_type="{{ es_spec.volumes['elasticsearch-storage'] }}"
-  when: es_spec.volumes is defined
-
-- set_fact: es_storage_claim="{{ es_spec.volumes['elasticsearch-storage'].persistentVolumeClaim.claimName }}"
-  when:
-  - es_spec.volumes is defined
-  - es_storage_type.persistentVolumeClaim is defined
-
-- set_fact: es_storage_claim=""
-  when:
-  - not es_spec.volumes is defined or not es_storage_type.persistentVolumeClaim is defined
-
-## take an ES dc and evaluate its storage option
-# if it is a hostmount or emptydir we don't do anything with it
-# if its a pvc we see if the corresponding pvc matches the provided specs (if they exist)
-- oc_obj:
-    state: list
-    kind: pvc
-    name: "{{ es_storage_claim }}"
-    namespace: "{{ openshift_logging_namespace }}"
-  register: pvc_spec
-  failed_when: pvc_spec.results.stderr is defined
-  when:
-  - es_spec.volumes is defined
-  - es_storage_type.persistentVolumeClaim is defined
-
-- set_fact: pvc_size="{{ pvc_spec.results.results[0].spec.resources.requests.storage }}"
-  when:
-  - pvc_spec.results is defined
-  - pvc_spec.results.results[0].spec is defined
-
-# if not create the pvc and use it
-- block:
-
-  - name: Generating PersistentVolumeClaims
-    template: src=pvc.j2 dest={{mktemp.stdout}}/templates/logging-{{obj_name}}-pvc.yaml
-    vars:
-      obj_name: "{{ es_pvc_prefix }}-{{ es_pvc_names_count | int + es_pvc_count | int }}"
-      size: "{{ es_pvc_size }}"
-      access_modes: "{{ openshift_logging_storage_access_modes }}"
-      pv_selector: "{{ es_pv_selector }}"
-    when: not es_pvc_dynamic | bool
-    check_mode: no
-    changed_when: no
-
-  - name: Generating PersistentVolumeClaims - Dynamic
-    template: src=pvc.j2 dest={{mktemp.stdout}}/templates/logging-{{obj_name}}-pvc.yaml
-    vars:
-      obj_name: "{{ es_pvc_prefix }}-{{ es_pvc_names_count | int + es_pvc_count | int }}"
-      annotations:
-        volume.alpha.kubernetes.io/storage-class: "dynamic"
-      size: "{{ es_pvc_size }}"
-      access_modes: "{{ openshift_logging_storage_access_modes }}"
-      pv_selector: "{{ es_pv_selector }}"
-    when: es_pvc_dynamic | bool
-    check_mode: no
-    changed_when: no
-
-  - set_fact: es_storage_claim="{{ es_pvc_prefix }}-{{ es_pvc_names_count | int + es_pvc_count | int }}"
-
-  when:
-  - es_pvc_size | search('^\d.*')
-  - not es_spec.volumes is defined or not es_storage_claim | search( es_pvc_prefix ) or ( not pvc_size | search( es_pvc_size ) and not es_pvc_size | search( pvc_size ) )
-
-- name: Generate Elasticsearch DeploymentConfig
-  template: src=es.j2 dest={{mktemp.stdout}}/templates/logging-{{deploy_name}}-dc.yaml
-  vars:
-    component: "{{ es_component }}"
-    deploy_name: "{{ es_name }}"
-    logging_component: elasticsearch
-    deploy_name_prefix: "logging-{{ es_component }}"
-    image: "{{openshift_logging_image_prefix}}logging-elasticsearch:{{openshift_logging_image_version}}"
-    es_cluster_name: "{{component}}"
-    es_cpu_limit: "{{ es_cpu_limit }}"
-    es_memory_limit: "{{ es_memory_limit }}"
-    es_node_selector: "{{ es_node_selector }}"
-    es_storage: "{{ openshift_logging_facts | es_storage( es_name, es_storage_claim ) }}"
-  check_mode: no
-  changed_when: no

+ 0 - 156
roles/openshift_logging/tasks/start_cluster.yaml

@@ -1,156 +0,0 @@
----
-- name: Retrieve list of fluentd hosts
-  oc_obj:
-    state: list
-    kind: node
-  when: "'--all' in openshift_logging_fluentd_hosts"
-  register: fluentd_hosts
-
-- name: Set fact openshift_logging_fluentd_hosts
-  set_fact:
-    openshift_logging_fluentd_hosts: "{{ fluentd_hosts.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  when: "'--all' in openshift_logging_fluentd_hosts"
-
-- name: start fluentd
-  oc_label:
-    name: "{{ fluentd_host }}"
-    kind: node
-    state: add
-    labels: "{{ openshift_logging_fluentd_nodeselector | oo_dict_to_list_of_dict }}"
-  with_items: "{{ openshift_logging_fluentd_hosts }}"
-  loop_control:
-    loop_var: fluentd_host
-
-- name: Retrieve mux
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=mux"
-    namespace: "{{openshift_logging_namespace}}"
-  register: mux_dc
-  when: openshift_logging_use_mux
-
-- name: start mux
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: "{{ openshift_logging_mux_replica_count | default (1) }}"
-  with_items: "{{ mux_dc.results.results[0]['items'] | map(attribute='metadata.name') | list if 'results' in mux_dc else [] }}"
-  loop_control:
-    loop_var: object
-  when:
-  - mux_dc.results is defined
-  - mux_dc.results.results is defined
-  - openshift_logging_use_mux
-
-- name: Retrieve elasticsearch
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=es"
-    namespace: "{{openshift_logging_namespace}}"
-  register: es_dc
-
-- name: start elasticsearch
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 1
-  with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-
-- name: Retrieve kibana
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=kibana"
-    namespace: "{{openshift_logging_namespace}}"
-  register: kibana_dc
-
-- name: start kibana
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: "{{ openshift_logging_kibana_replica_count | default (1) }}"
-  with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-
-- name: Retrieve curator
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=curator"
-    namespace: "{{openshift_logging_namespace}}"
-  register: curator_dc
-
-- name: start curator
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 1
-  with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-
-- name: Retrieve elasticsearch-ops
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=es-ops"
-    namespace: "{{openshift_logging_namespace}}"
-  register: es_dc
-
-- name: start elasticsearch-ops
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 1
-  with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-  when: openshift_logging_use_ops | bool
-
-- name: Retrieve kibana-ops
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=kibana-ops"
-    namespace: "{{openshift_logging_namespace}}"
-  register: kibana_dc
-
-- name: start kibana-ops
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: "{{ openshift_logging_kibana_ops_replica_count | default (1) }}"
-  with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-  when: openshift_logging_use_ops | bool
-
-- name: Retrieve curator
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=curator-ops"
-    namespace: "{{openshift_logging_namespace}}"
-  register: curator_dc
-
-- name: start curator-ops
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 1
-  with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-  when: openshift_logging_use_ops | bool

+ 0 - 153
roles/openshift_logging/tasks/stop_cluster.yaml

@@ -1,153 +0,0 @@
----
-- name: Retrieve list of fluentd hosts
-  oc_obj:
-    state: list
-    kind: node
-  when: "'--all' in openshift_logging_fluentd_hosts"
-  register: fluentd_hosts
-
-- name: Set fact openshift_logging_fluentd_hosts
-  set_fact:
-    openshift_logging_fluentd_hosts: "{{ fluentd_hosts.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  when: "'--all' in openshift_logging_fluentd_hosts"
-
-- name: stop fluentd
-  oc_label:
-    name: "{{ fluentd_host }}"
-    kind: node
-    state: absent
-    labels: "{{ openshift_logging_fluentd_nodeselector | oo_dict_to_list_of_dict }}"
-  with_items: "{{ openshift_logging_fluentd_hosts }}"
-  loop_control:
-    loop_var: fluentd_host
-
-- name: Retrieve mux
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=mux"
-    namespace: "{{openshift_logging_namespace}}"
-  register: mux_dc
-  when: openshift_logging_use_mux
-
-- name: stop mux
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 0
-  with_items: "{{ mux_dc.results.results[0]['items'] | map(attribute='metadata.name') | list if 'results' in mux_dc else [] }}"
-  loop_control:
-    loop_var: object
-  when: openshift_logging_use_mux
-
-- name: Retrieve elasticsearch
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=es"
-    namespace: "{{openshift_logging_namespace}}"
-  register: es_dc
-
-- name: stop elasticsearch
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 0
-  with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-
-- name: Retrieve kibana
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=kibana"
-    namespace: "{{openshift_logging_namespace}}"
-  register: kibana_dc
-
-- name: stop kibana
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 0
-  with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-
-- name: Retrieve curator
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=curator"
-    namespace: "{{openshift_logging_namespace}}"
-  register: curator_dc
-
-- name: stop curator
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 0
-  with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-
-- name: Retrieve elasticsearch-ops
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=es-ops"
-    namespace: "{{openshift_logging_namespace}}"
-  register: es_dc
-
-- name: stop elasticsearch-ops
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 0
-  with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-  when: openshift_logging_use_ops | bool
-
-- name: Retrieve kibana-ops
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=kibana-ops"
-    namespace: "{{openshift_logging_namespace}}"
-  register: kibana_dc
-
-- name: stop kibana-ops
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 0
-  with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-  when: openshift_logging_use_ops | bool
-
-- name: Retrieve curator
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=curator-ops"
-    namespace: "{{openshift_logging_namespace}}"
-  register: curator_dc
-
-- name: stop curator-ops
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 0
-  with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-  when: openshift_logging_use_ops | bool

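--- a/roles/openshift_logging/tasks/upgrade_logging.yaml
+++ b/roles/openshift_logging/tasks/upgrade_logging.yaml
@@ -1,48 +0,0 @@
----
-- name: Stop the Cluster
-  include: stop_cluster.yaml
-
-- name: Upgrade logging
-  include: install_logging.yaml
-  vars:
-    start_cluster: False
-
-# start ES so that we can run migrate script
-- name: Retrieve elasticsearch
-  oc_obj:
-    state: list
-    kind: dc
-    selector: "component=es"
-    namespace: "{{openshift_logging_namespace}}"
-  register: es_dc
-
-- name: start elasticsearch
-  oc_scale:
-    kind: dc
-    name: "{{ object }}"
-    namespace: "{{openshift_logging_namespace}}"
-    replicas: 1
-  with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
-  loop_control:
-    loop_var: object
-
-- name: Wait for pods to start
-  oc_obj:
-    state: list
-    kind: pods
-    selector: "component=es"
-    namespace: "{{openshift_logging_namespace}}"
-  register: running_pod
-  until: running_pod.results.results[0]['items'] | selectattr('status.phase', 'match', '^Running$') | map(attribute='metadata.name') | list | length != 0
-  retries: 30
-  delay: 10
-
-- name: Run upgrade script
-  script: es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}}
-  register: script_output
-  changed_when:
-    - script_output.rc == 0
-    - script_output.stdout.find("skipping update_for_uuid") == -1 or script_output.stdout.find("skipping update_for_common_data_model") == -1
-
-- name: Start up rest of cluster
-  include: start_cluster.yaml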

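--- a/roles/openshift_logging/templates/clusterrole.j2
+++ b/roles/openshift_logging/templates/clusterrole.j2
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: ClusterRole
-metadata:
-  name: {{obj_name}}
-rules:
-{% for rule in rules %}
-- resources:
-{% for kind in rule.resources %}
-    - {{ kind }}
-{% endfor %}
-  apiGroups:
-{% if rule.api_groups is defined %}
-{% for group in rule.api_groups %}
-    - {{ group }}
-{% endfor %}
-{% endif %}
-  verbs:
-{% for verb in rule.verbs %}
-    - {{ verb }}
-{% endfor %}
-{% endfor %}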

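--- a/roles/openshift_logging/templates/clusterrolebinding.j2
+++ b/roles/openshift_logging/templates/clusterrolebinding.j2
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{obj_name}}
-{% if crb_usernames is defined %}
-userNames:
-{% for name in crb_usernames %}
-  - {{ name }}
-{% endfor %}
-{% endif %}
-{% if crb_groupnames is defined %}
-groupNames:
-{% for name in crb_groupnames %}
-  - {{ name }}
-{% endfor %}
-{% endif %}
-subjects:
-{% for sub in subjects %}
-  - kind: {{ sub.kind }}
-    name: {{ sub.name }}
-    namespace: {{sub.namespace}}
-{% endfor %}
-roleRef:
-  name: {{obj_name}}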

+ 0 - 98
roles/openshift_logging/templates/curator.j2

@@ -1,98 +0,0 @@
-apiVersion: "v1"
-kind: "DeploymentConfig"
-metadata:
-  name: "{{deploy_name}}"
-  labels:
-    provider: openshift
-    component: "{{component}}"
-    logging-infra: "{{logging_component}}"
-spec:
-  replicas: {{replicas|default(0)}}
-  selector:
-    provider: openshift
-    component: "{{component}}"
-    logging-infra: "{{logging_component}}"
-  strategy:
-    rollingParams:
-      intervalSeconds: 1
-      timeoutSeconds: 600
-      updatePeriodSeconds: 1
-    type: Recreate
-  template:
-    metadata:
-      name: "{{deploy_name}}"
-      labels:
-        logging-infra: "{{logging_component}}"
-        provider: openshift
-        component: "{{component}}"
-    spec:
-      terminationGracePeriod: 600
-      serviceAccountName: aggregated-logging-curator
-{% if curator_node_selector is iterable and curator_node_selector | length > 0 %}
-      nodeSelector:
-{% for key, value in curator_node_selector.iteritems() %}
-        {{key}}: "{{value}}"
-{% endfor %}
-{% endif %}
-      containers:
-        -
-          name: "curator"
-          image: {{image}}
-          imagePullPolicy: Always
-          resources:
-            limits:
-              cpu: "{{curator_cpu_limit}}"
-{% if curator_memory_limit is defined and curator_memory_limit is not none %}
-              memory: "{{curator_memory_limit}}"
-{% endif %}
-          env:
-            -
-              name: "K8S_HOST_URL"
-              value: "{{openshift_logging_master_url}}"
-            -
-              name: "ES_HOST"
-              value: "{{es_host}}"
-            -
-              name: "ES_PORT"
-              value: "{{es_port}}"
-            -
-              name: "ES_CLIENT_CERT"
-              value: "/etc/curator/keys/cert"
-            -
-              name: "ES_CLIENT_KEY"
-              value: "/etc/curator/keys/key"
-            -
-              name: "ES_CA"
-              value: "/etc/curator/keys/ca"
-            -
-              name: "CURATOR_DEFAULT_DAYS"
-              value: "{{openshift_logging_curator_default_days}}"
-            -
-              name: "CURATOR_RUN_HOUR"
-              value: "{{openshift_logging_curator_run_hour}}"
-            -
-              name: "CURATOR_RUN_MINUTE"
-              value: "{{openshift_logging_curator_run_minute}}"
-            -
-              name: "CURATOR_RUN_TIMEZONE"
-              value: "{{openshift_logging_curator_run_timezone}}"
-            -
-              name: "CURATOR_SCRIPT_LOG_LEVEL"
-              value: "{{openshift_logging_curator_script_log_level}}"
-            -
-              name: "CURATOR_LOG_LEVEL"
-              value: "{{openshift_logging_curator_log_level}}"
-          volumeMounts:
-            - name: certs
-              mountPath: /etc/curator/keys
-              readOnly: true
-            - name: config
-              mountPath: /etc/curator/settings
-              readOnly: true
-      volumes:
-        - name: certs
-          secret:
-            secretName: logging-curator
-        - name: config
-          configMap:
-            name: logging-curator

+ 0 - 81
roles/openshift_logging/templates/elasticsearch-logging.yml.j2

@@ -1,81 +0,0 @@
-# you can override this using by setting a system property, for example -Des.logger.level=DEBUG
-es.logger.level: INFO
-rootLogger: ${es.logger.level}, {{root_logger}}
-logger:
-  # log action execution errors for easier debugging
-  action: WARN
-
-  # deprecation logging, turn to DEBUG to see them
-  deprecation: WARN, deprecation_log_file
-
-  # reduce the logging for aws, too much is logged under the default INFO
-  com.amazonaws: WARN
-
-  io.fabric8.elasticsearch: ${PLUGIN_LOGLEVEL}
-  io.fabric8.kubernetes: ${PLUGIN_LOGLEVEL}
-
-  # aws will try to do some sketchy JMX stuff, but its not needed.
-  com.amazonaws.jmx.SdkMBeanRegistrySupport: ERROR
-  com.amazonaws.metrics.AwsSdkMetrics: ERROR
-
-  org.apache.http: INFO
-
-  # gateway
-  #gateway: DEBUG
-  #index.gateway: DEBUG
-
-  # peer shard recovery
-  #indices.recovery: DEBUG
-
-  # discovery
-  #discovery: TRACE
-
-  index.search.slowlog: TRACE, index_search_slow_log_file
-  index.indexing.slowlog: TRACE, index_indexing_slow_log_file
-
-  # search-guard
-  com.floragunn.searchguard: WARN
-
-additivity:
-  index.search.slowlog: false
-  index.indexing.slowlog: false
-  deprecation: false
-
-appender:
-  console:
-    type: console
-    layout:
-      type: consolePattern
-      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %.10000m%n"
-
-  file:
-    type: dailyRollingFile
-    file: ${path.logs}/${cluster.name}.log
-    datePattern: "'.'yyyy-MM-dd"
-    layout:
-      type: pattern
-      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
-
-  deprecation_log_file:
-    type: dailyRollingFile
-    file: ${path.logs}/${cluster.name}_deprecation.log
-    datePattern: "'.'yyyy-MM-dd"
-    layout:
-      type: pattern
-      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
-
-  index_search_slow_log_file:
-    type: dailyRollingFile
-    file: ${path.logs}/${cluster.name}_index_search_slowlog.log
-    datePattern: "'.'yyyy-MM-dd"
-    layout:
-      type: pattern
-      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
-
-  index_indexing_slow_log_file:
-    type: dailyRollingFile
-    file: ${path.logs}/${cluster.name}_index_indexing_slowlog.log
-    datePattern: "'.'yyyy-MM-dd"
-    layout:
-      type: pattern
-      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"

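--- a/roles/openshift_logging/templates/elasticsearch.yml.j2
+++ b/roles/openshift_logging/templates/elasticsearch.yml.j2
@@ -1,81 +0,0 @@
-cluster:
-  name: ${CLUSTER_NAME}
-
-script:
-  inline: on
-  indexed: on
-
-index:
-  number_of_shards: {{ es_number_of_shards | default ('1') }}
-  number_of_replicas: {{ es_number_of_replicas | default ('0') }}
-  unassigned.node_left.delayed_timeout: 2m
-  translog:
-    flush_threshold_size: 256mb
-    flush_threshold_period: 5m
-
-node:
-  master: true
-  data: true
-
-network:
-  host: 0.0.0.0
-
-cloud:
-  kubernetes:
-    service: ${SERVICE_DNS}
-    namespace: ${NAMESPACE}
-
-discovery:
-  type: kubernetes
-  zen.ping.multicast.enabled: false
-  zen.minimum_master_nodes: ${NODE_QUORUM}
-
-gateway:
-  recover_after_nodes: ${NODE_QUORUM}
-  expected_nodes: ${RECOVER_EXPECTED_NODES}
-  recover_after_time: ${RECOVER_AFTER_TIME}
-
-io.fabric8.elasticsearch.authentication.users: ["system.logging.kibana", "system.logging.fluentd", "system.logging.curator", "system.admin"]
-io.fabric8.elasticsearch.kibana.mapping.app: /usr/share/elasticsearch/index_patterns/com.redhat.viaq-openshift.index-pattern.json
-io.fabric8.elasticsearch.kibana.mapping.ops: /usr/share/elasticsearch/index_patterns/com.redhat.viaq-openshift.index-pattern.json
-
-openshift.config:
-  use_common_data_model: true
-  project_index_prefix: "project"
-  time_field_name: "@timestamp"
-
-openshift.searchguard:
-  keystore.path: /etc/elasticsearch/secret/admin.jks
-  truststore.path: /etc/elasticsearch/secret/searchguard.truststore
-
-openshift.operations.allow_cluster_reader: {{allow_cluster_reader | default (false)}}
-
-path:
-  data: /elasticsearch/persistent/${CLUSTER_NAME}/data
-  logs: /elasticsearch/${CLUSTER_NAME}/logs
-  work: /elasticsearch/${CLUSTER_NAME}/work
-  scripts: /elasticsearch/${CLUSTER_NAME}/scripts
-
-searchguard:
-  authcz.admin_dn:
-  - CN=system.admin,OU=OpenShift,O=Logging
-  config_index_name: ".searchguard.${HOSTNAME}"
-  ssl:
-    transport:
-      enabled: true
-      enforce_hostname_verification: false
-      keystore_type: JKS
-      keystore_filepath: /etc/elasticsearch/secret/searchguard.key
-      keystore_password: kspass
-      truststore_type: JKS
-      truststore_filepath: /etc/elasticsearch/secret/searchguard.truststore
-      truststore_password: tspass
-    http:
-      enabled: true
-      keystore_type: JKS
-      keystore_filepath: /etc/elasticsearch/secret/key
-      keystore_password: kspass
-      clientauth_mode: OPTIONAL
-      truststore_type: JKS
-      truststore_filepath: /etc/elasticsearch/secret/truststore
-      truststore_password: tspass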

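--- a/roles/openshift_logging/templates/es-storage-emptydir.partial
+++ b/roles/openshift_logging/templates/es-storage-emptydir.partial
@@ -1 +0,0 @@
-          emptyDir: {}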

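--- a/roles/openshift_logging/templates/es-storage-hostpath.partial
+++ b/roles/openshift_logging/templates/es-storage-hostpath.partial
@@ -1,2 +0,0 @@
-          hostPath:
-            path: {{es_storage['path']}}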

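--- a/roles/openshift_logging/templates/es-storage-pvc.partial
+++ b/roles/openshift_logging/templates/es-storage-pvc.partial
@@ -1,2 +0,0 @@
-          persistentVolumeClaim:
-            claimName: {{es_storage['pvc_claim']}}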

+ 0 - 110
roles/openshift_logging/templates/es.j2

@@ -1,110 +0,0 @@
-apiVersion: "v1"
-kind: "DeploymentConfig"
-metadata:
-  name: "{{deploy_name}}"
-  labels:
-    provider: openshift
-    component: "{{component}}"
-    deployment: "{{deploy_name}}"
-    logging-infra: "{{logging_component}}"
-spec:
-  replicas: {{replicas|default(0)}}
-  selector:
-    provider: openshift
-    component: "{{component}}"
-    deployment: "{{deploy_name}}"
-    logging-infra: "{{logging_component}}"
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      name: "{{deploy_name}}"
-      labels:
-        logging-infra: "{{logging_component}}"
-        provider: openshift
-        component: "{{component}}"
-        deployment: "{{deploy_name}}"
-    spec:
-      terminationGracePeriod: 600
-      serviceAccountName: aggregated-logging-elasticsearch
-      securityContext:
-        supplementalGroups:
-        - {{openshift_logging_es_storage_group}}
-{% if es_node_selector is iterable and es_node_selector | length > 0 %}
-      nodeSelector:
-{% for key, value in es_node_selector.iteritems() %}
-        {{key}}: "{{value}}"
-{% endfor %}
-{% endif %}
-      containers:
-        -
-          name: "elasticsearch"
-          image: {{image}}
-          imagePullPolicy: Always
-          resources:
-            limits:
-              memory: "{{es_memory_limit}}"
-{% if es_cpu_limit is defined and es_cpu_limit is not none %}
-              cpu: "{{es_cpu_limit}}"
-{% endif %}
-            requests:
-              memory: "512Mi"
-          ports:
-            -
-              containerPort: 9200
-              name: "restapi"
-            -
-              containerPort: 9300
-              name: "cluster"
-          env:
-            -
-              name: "NAMESPACE"
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            -
-              name: "KUBERNETES_TRUST_CERT"
-              value: "true"
-            -
-              name: "SERVICE_DNS"
-              value: "logging-{{es_cluster_name}}-cluster"
-            -
-              name: "CLUSTER_NAME"
-              value: "logging-{{es_cluster_name}}"
-            -
-              name: "INSTANCE_RAM"
-              value: "{{openshift_logging_es_memory_limit}}"
-            -
-              name: "NODE_QUORUM"
-              value: "{{es_node_quorum | int}}"
-            -
-              name: "RECOVER_EXPECTED_NODES"
-              value: "{{es_recover_expected_nodes}}"
-            -
-              name: "RECOVER_AFTER_TIME"
-              value: "{{openshift_logging_es_recover_after_time}}"
-          volumeMounts:
-            - name: elasticsearch
-              mountPath: /etc/elasticsearch/secret
-              readOnly: true
-            - name: elasticsearch-config
-              mountPath: /usr/share/java/elasticsearch/config
-              readOnly: true
-            - name: elasticsearch-storage
-              mountPath: /elasticsearch/persistent
-          readinessProbe:
-            exec:
-              command:
-              - "/usr/share/elasticsearch/probe/readiness.sh"
-            initialDelaySeconds: 5
-            timeoutSeconds: 4
-            periodSeconds: 5
-      volumes:
-        - name: elasticsearch
-          secret:
-            secretName: logging-elasticsearch
-        - name: elasticsearch-config
-          configMap:
-            name: logging-elasticsearch
-        - name: elasticsearch-storage
-{% include 'es-storage-'+ es_storage['kind'] + '.partial' %}

+ 0 - 167
roles/openshift_logging/templates/fluentd.j2

@@ -1,167 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: "DaemonSet"
-metadata:
-  name: "{{daemonset_name}}"
-  labels:
-    provider: openshift
-    component: "{{daemonset_component}}"
-    logging-infra: "{{daemonset_component}}"
-spec:
-  selector:
-    matchLabels:
-      provider: openshift
-      component: "{{daemonset_component}}"
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      minReadySeconds: 600
-  template:
-    metadata:
-      name: "{{daemonset_container_name}}"
-      labels:
-        logging-infra: "{{daemonset_component}}"
-        provider: openshift
-        component: "{{daemonset_component}}"
-    spec:
-      serviceAccountName: "{{daemonset_serviceAccount}}"
-      nodeSelector:
-        {{fluentd_nodeselector_key}}: "{{fluentd_nodeselector_value}}"
-      containers:
-      - name: "{{daemonset_container_name}}"
-        image: "{{openshift_logging_image_prefix}}{{daemonset_name}}:{{openshift_logging_image_version}}"
-        imagePullPolicy: Always
-        securityContext:
-          privileged: true
-        resources:
-          limits:
-            cpu: {{openshift_logging_fluentd_cpu_limit}}
-            memory: {{openshift_logging_fluentd_memory_limit}}
-        volumeMounts:
-        - name: runlogjournal
-          mountPath: /run/log/journal
-        - name: varlog
-          mountPath: /var/log
-        - name: varlibdockercontainers
-          mountPath: /var/lib/docker/containers
-          readOnly: true
-        - name: config
-          mountPath: /etc/fluent/configs.d/user
-          readOnly: true
-        - name: certs
-          mountPath: /etc/fluent/keys
-          readOnly: true
-        - name: dockerhostname
-          mountPath: /etc/docker-hostname
-          readOnly: true
-        - name: localtime
-          mountPath: /etc/localtime
-          readOnly: true
-        - name: dockercfg
-          mountPath: /etc/sysconfig/docker
-          readOnly: true
-        - name: dockerdaemoncfg
-          mountPath: /etc/docker
-          readOnly: true
-{% if openshift_logging_use_mux_client | bool %}
-        - name: muxcerts
-          mountPath: /etc/fluent/muxkeys
-          readOnly: true
-{% endif %}
-        env:
-        - name: "K8S_HOST_URL"
-          value: "{{openshift_logging_master_url}}"
-        - name: "ES_HOST"
-          value: "{{openshift_logging_es_host}}"
-        - name: "ES_PORT"
-          value: "{{openshift_logging_es_port}}"
-        - name: "ES_CLIENT_CERT"
-          value: "{{openshift_logging_es_client_cert}}"
-        - name: "ES_CLIENT_KEY"
-          value: "{{openshift_logging_es_client_key}}"
-        - name: "ES_CA"
-          value: "{{openshift_logging_es_ca}}"
-        - name: "OPS_HOST"
-          value: "{{ops_host}}"
-        - name: "OPS_PORT"
-          value: "{{ops_port}}"
-        - name: "OPS_CLIENT_CERT"
-          value: "{{openshift_logging_es_ops_client_cert}}"
-        - name: "OPS_CLIENT_KEY"
-          value: "{{openshift_logging_es_ops_client_key}}"
-        - name: "OPS_CA"
-          value: "{{openshift_logging_es_ops_ca}}"
-        - name: "ES_COPY"
-          value: "{{openshift_logging_fluentd_es_copy|lower}}"
-        - name: "ES_COPY_HOST"
-          value: "{{es_copy_host | default('')}}"
-        - name: "ES_COPY_PORT"
-          value: "{{es_copy_port | default('')}}"
-        - name: "ES_COPY_SCHEME"
-          value: "{{es_copy_scheme | default('https')}}"
-        - name: "ES_COPY_CLIENT_CERT"
-          value: "{{es_copy_client_cert | default('')}}"
-        - name: "ES_COPY_CLIENT_KEY"
-          value: "{{es_copy_client_key | default('')}}"
-        - name: "ES_COPY_CA"
-          value: "{{es_copy_ca | default('')}}"
-        - name: "ES_COPY_USERNAME"
-          value: "{{es_copy_username | default('')}}"
-        - name: "ES_COPY_PASSWORD"
-          value: "{{es_copy_password | default('')}}"
-        - name: "OPS_COPY_HOST"
-          value: "{{ops_copy_host | default('')}}"
-        - name: "OPS_COPY_PORT"
-          value: "{{ops_copy_port | default('')}}"
-        - name: "OPS_COPY_SCHEME"
-          value: "{{ops_copy_scheme | default('https')}}"
-        - name: "OPS_COPY_CLIENT_CERT"
-          value: "{{ops_copy_client_cert | default('')}}"
-        - name: "OPS_COPY_CLIENT_KEY"
-          value: "{{ops_copy_client_key | default('')}}"
-        - name: "OPS_COPY_CA"
-          value: "{{ops_copy_ca | default('')}}"
-        - name: "OPS_COPY_USERNAME"
-          value: "{{ops_copy_username | default('')}}"
-        - name: "OPS_COPY_PASSWORD"
-          value: "{{ops_copy_password | default('')}}"
-        - name: "USE_JOURNAL"
-          value: "{{openshift_logging_fluentd_use_journal|lower}}"
-        - name: "JOURNAL_SOURCE"
-          value: "{{openshift_logging_fluentd_journal_source | default('')}}"
-        - name: "JOURNAL_READ_FROM_HEAD"
-          value: "{{openshift_logging_fluentd_journal_read_from_head|lower}}"
-        - name: "USE_MUX_CLIENT"
-          value: "{{openshift_logging_use_mux_client| default('false')}}"
-      volumes:
-      - name: runlogjournal
-        hostPath:
-          path: /run/log/journal
-      - name: varlog
-        hostPath:
-          path: /var/log
-      - name: varlibdockercontainers
-        hostPath:
-          path: /var/lib/docker/containers
-      - name: config
-        configMap:
-          name: logging-fluentd
-      - name: certs
-        secret:
-          secretName: logging-fluentd
-      - name: dockerhostname
-        hostPath:
-          path: /etc/hostname
-      - name: localtime
-        hostPath:
-          path: /etc/localtime
-      - name: dockercfg
-        hostPath:
-          path: /etc/sysconfig/docker
-      - name: dockerdaemoncfg
-        hostPath:
-          path: /etc/docker
-{% if openshift_logging_use_mux_client | bool %}
-      - name: muxcerts
-        secret:
-          secretName: logging-mux
-{% endif %}

+ 0 - 139
roles/openshift_logging/templates/kibana.j2

@@ -1,139 +0,0 @@
-apiVersion: "v1"
-kind: "DeploymentConfig"
-metadata:
-  name: "{{deploy_name}}"
-  labels:
-    provider: openshift
-    component: "{{component}}"
-    logging-infra: "{{logging_component}}"
-spec:
-  replicas: {{replicas|default(0)}}
-  selector:
-    provider: openshift
-    component: "{{component}}"
-    logging-infra: "{{logging_component}}"
-  strategy:
-    rollingParams:
-      intervalSeconds: 1
-      timeoutSeconds: 600
-      updatePeriodSeconds: 1
-    type: Rolling
-  template:
-    metadata:
-      name: "{{deploy_name}}"
-      labels:
-        logging-infra: "{{logging_component}}"
-        provider: openshift
-        component: "{{component}}"
-    spec:
-      serviceAccountName: aggregated-logging-kibana
-{% if kibana_node_selector is iterable and kibana_node_selector | length > 0 %}
-      nodeSelector:
-{% for key, value in kibana_node_selector.iteritems() %}
-        {{key}}: "{{value}}"
-{% endfor %}
-{% endif %}
-      containers:
-        -
-          name: "kibana"
-          image: {{image}}
-          imagePullPolicy: Always
-{% if (kibana_memory_limit is defined and kibana_memory_limit is not none) or (kibana_cpu_limit is defined and kibana_cpu_limit is not none) %}
-          resources:
-            limits:
-{% if kibana_cpu_limit is not none %}
-              cpu: "{{kibana_cpu_limit}}"
-{% endif %}
-              memory: "{{kibana_memory_limit | default('736Mi') }}"
-{% endif %}
-          env:
-            - name: "ES_HOST"
-              value: "{{es_host}}"
-            - name: "ES_PORT"
-              value: "{{es_port}}"
-            -
-              name: "KIBANA_MEMORY_LIMIT"
-              valueFrom:
-                resourceFieldRef:
-                  containerName: kibana
-                  resource: limits.memory
-          volumeMounts:
-            - name: kibana
-              mountPath: /etc/kibana/keys
-              readOnly: true
-        -
-          name: "kibana-proxy"
-          image: {{proxy_image}}
-          imagePullPolicy: Always
-{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none) or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none) %}
-          resources:
-            limits:
-{% if kibana_proxy_cpu_limit is not none %}
-              cpu: "{{kibana_proxy_cpu_limit}}"
-{% endif %}
-              memory: "{{kibana_proxy_memory_limit | default('96Mi') }}"
-{% endif %}
-          ports:
-            -
-              name: "oaproxy"
-              containerPort: 3000
-          env:
-            -
-             name: "OAP_BACKEND_URL"
-             value: "http://localhost:5601"
-            -
-             name: "OAP_AUTH_MODE"
-             value: "oauth2"
-            -
-             name: "OAP_TRANSFORM"
-             value: "user_header,token_header"
-            -
-             name: "OAP_OAUTH_ID"
-             value: kibana-proxy
-            -
-             name: "OAP_MASTER_URL"
-             value: {{openshift_logging_master_url}}
-            -
-             name: "OAP_PUBLIC_MASTER_URL"
-             value: {{openshift_logging_master_public_url}}
-            -
-             name: "OAP_LOGOUT_REDIRECT"
-             value: {{openshift_logging_master_public_url}}/console/logout
-            -
-             name: "OAP_MASTER_CA_FILE"
-             value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-            -
-             name: "OAP_DEBUG"
-             value: "{{openshift_logging_kibana_proxy_debug}}"
-            -
-             name: "OAP_OAUTH_SECRET_FILE"
-             value: "/secret/oauth-secret"
-            -
-             name: "OAP_SERVER_CERT_FILE"
-             value: "/secret/server-cert"
-            -
-             name: "OAP_SERVER_KEY_FILE"
-             value: "/secret/server-key"
-            -
-             name: "OAP_SERVER_TLS_FILE"
-             value: "/secret/server-tls.json"
-            -
-             name: "OAP_SESSION_SECRET_FILE"
-             value: "/secret/session-secret"
-            -
-             name: "OCP_AUTH_PROXY_MEMORY_LIMIT"
-             valueFrom:
-               resourceFieldRef:
-                 containerName: kibana-proxy
-                 resource: limits.memory
-          volumeMounts:
-            - name: kibana-proxy
-              mountPath: /secret
-              readOnly: true
-      volumes:
-        - name: kibana
-          secret:
-            secretName: logging-kibana
-        - name: kibana-proxy
-          secret:
-            secretName: logging-kibana-proxy

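--- a/roles/openshift_logging/templates/oauth-client.j2
+++ b/roles/openshift_logging/templates/oauth-client.j2
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: OAuthClient
-metadata:
-  name: kibana-proxy
-  labels:
-    logging-infra: support
-secret: {{secret}}
-redirectURIs:
-- https://{{openshift_logging_kibana_hostname}}
-- https://{{openshift_logging_kibana_ops_hostname}}
-scopeRestrictions:
-- literals:
-  - user:info
-  - user:check-access
-  - user:list-projects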

+ 0 - 27
roles/openshift_logging/templates/pvc.j2

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: "{{obj_name}}"
-  labels:
-    logging-infra: support
-{% if annotations is defined %}
-  annotations:
-{% for key,value in annotations.iteritems() %}
-    {{key}}: {{value}}
-{% endfor %}
-{% endif %}
-spec:
-{% if pv_selector is defined and pv_selector is mapping %}
-  selector:
-    matchLabels:
-{% for key,value in pv_selector.iteritems() %}
-      {{key}}: {{value}}
-{% endfor %}
-{% endif %}
-  accessModes:
-{% for mode in access_modes %}
-    - {{ mode }}
-{% endfor %}
-  resources:
-    requests:
-      storage: {{size}}

+ 0 - 36
roles/openshift_logging/templates/route_reencrypt.j2

@@ -1,36 +0,0 @@
-apiVersion: "v1"
-kind: "Route"
-metadata:
-  name: "{{obj_name}}"
-{% if labels is defined%}
-  labels:
-{% for key, value in labels.iteritems() %}
-    {{key}}: {{value}}
-{% endfor %}
-{% endif %}
-spec:
-  host: {{ route_host }}
-  tls:
-{% if tls_key is defined and tls_key | length > 0 %}
-    key: |
-{{ tls_key|indent(6, true) }}
-{% if tls_cert is defined and tls_cert | length > 0 %}
-    certificate: |
-{{ tls_cert|indent(6, true) }}
-{% endif %}
-{% endif %}
-    caCertificate: |
-{% for line in tls_ca_cert.split('\n') %}
-      {{ line }}
-{% endfor %}
-    destinationCACertificate: |
-{% for line in tls_dest_ca_cert.split('\n') %}
-      {{ line }}
-{% endfor %}
-    termination: reencrypt
-{% if edge_term_policy is defined and edge_term_policy | length > 0 %}
-    insecureEdgeTerminationPolicy: {{ edge_term_policy }}
-{% endif %}
-  to:
-    kind: Service
-    name: {{ service_name }}

+ 0 - 9
roles/openshift_logging/templates/secret.j2

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{secret_name}}"
-type: Opaque
-data:
-{% for s in secrets %}
-  "{{s.key}}" : "{{s.value | b64encode}}"
-{% endfor %}

+ 0 - 34
roles/openshift_logging/templates/service.j2

@@ -1,34 +0,0 @@
-apiVersion: "v1"
-kind: "Service"
-metadata:
-  name: "{{obj_name}}"
-{% if labels is defined%}
-  labels:
-{% for key, value in labels.iteritems() %}
-    {{key}}: {{value}}
-{% endfor %}
-{% endif %}
-spec:
-  ports:
-{% for port in ports %}
-  -
-{% for key, value in port.iteritems() %}
-    {{key}}: {{value}}
-{% endfor %}
-{% if port.targetPort is undefined %}
-    clusterIP: "None"
-{% endif %}
-{% endfor %}
-{% if service_targetPort is defined %}
-    targetPort: {{service_targetPort}}
-{% endif %}
-  selector:
-  {% for key, value in selector.iteritems() %}
-  {{key}}: {{value}}
-  {% endfor %}
-{% if externalIPs is defined -%}
-  externalIPs:
-{% for ip in externalIPs %}
-  - {{ ip }}
-{% endfor %}
-{% endif %}

+ 0 - 16
roles/openshift_logging/templates/serviceaccount.j2

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{obj_name}}
-{% if labels is defined%}
-  labels:
-{% for key, value in labels.iteritems() %}
-    {{key}}: {{value}}
-{% endfor %}
-{% endif %}
-{% if secrets is defined %}
-secrets:
-{% for name in secrets %}
-- name: {{ name }}
-{% endfor %}
-{% endif %}

+ 69 - 18
roles/openshift_logging_elasticsearch/tasks/main.yaml

@@ -11,7 +11,9 @@
     msg: Invalid deployment type, one of ['data-master', 'data-client', 'master', 'client'] allowed
   when: not openshift_logging_elasticsearch_deployment_type in __allowed_es_types
 
-- set_fact: elasticsearch_name="{{ 'logging-elasticsearch' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
+- set_fact:
+    elasticsearch_name: "{{ 'logging-elasticsearch' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
+    es_component: "{{ 'es' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}"
 
 - include: determine_version.yaml
 
@@ -39,7 +41,7 @@
   oc_serviceaccount:
     state: present
     name: "aggregated-logging-elasticsearch"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     image_pull_secrets: "{{ openshift_logging_image_pull_secret }}"
   when: openshift_logging_image_pull_secret != ''
 
@@ -47,7 +49,7 @@
   oc_serviceaccount:
     state: present
     name: "aggregated-logging-elasticsearch"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
   when:
   - openshift_logging_image_pull_secret == ''
 
@@ -61,7 +63,7 @@
     state: present
     name: "rolebinding-reader"
     kind: clusterrole
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     files:
     - "{{ tempdir }}/rolebinding-reader.yml"
     delete_after: true
@@ -70,10 +72,34 @@
 - name: Set rolebinding-reader permissions for ES
   oc_adm_policy_user:
     state: present
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     resource_kind: cluster-role
     resource_name: rolebinding-reader
-    user: "system:serviceaccount:{{ openshift_logging_namespace }}:aggregated-logging-elasticsearch"
+    user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch"
+
+# View role and binding
+- name: Generate logging-elasticsearch-view-role
+  template:
+    src: rolebinding.j2
+    dest: "{{mktemp.stdout}}/logging-elasticsearch-view-role.yaml"
+  vars:
+    obj_name: logging-elasticsearch-view-role
+    roleRef:
+      name: view
+    subjects:
+      - kind: ServiceAccount
+        name: aggregated-logging-elasticsearch
+  changed_when: no
+
+- name: Set logging-elasticsearch-view-role role
+  oc_obj:
+    state: present
+    name: "logging-elasticsearch-view-role"
+    kind: rolebinding
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    files:
+    - "{{ tempdir }}/logging-elasticsearch-view-role.yaml"
+    delete_after: true
 
 # configmap
 - template:
@@ -87,7 +113,6 @@
     dest: "{{ tempdir }}/elasticsearch.yml"
   vars:
     allow_cluster_reader: "{{ openshift_logging_elasticsearch_ops_allow_cluster_reader | lower | default('false') }}"
-    deploy_type: "{{ openshift_logging_elasticsearch_deployment_type }}"
   when: es_config_contents is undefined
   changed_when: no
 
@@ -106,8 +131,8 @@
 - name: Set ES configmap
   oc_configmap:
     state: present
-    name: "{{ elasticsearch_name }}-{{ openshift_logging_elasticsearch_deployment_type }}"
-    namespace: "{{ openshift_logging_namespace }}"
+    name: "{{ elasticsearch_name }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     from_file:
       elasticsearch.yml: "{{ tempdir }}/elasticsearch.yml"
       logging.yml: "{{ tempdir }}/elasticsearch-logging.yml"
@@ -119,7 +144,7 @@
   oc_secret:
     state: present
     name: "logging-elasticsearch"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     files:
     - name: key
       path: "{{ generated_certs_dir }}/logging-es.jks"
@@ -138,6 +163,34 @@
     - name: admin.jks
       path: "{{ generated_certs_dir }}/system.admin.jks"
 
+# services
+- name: Set logging-{{ es_component }}-cluster service
+  oc_service:
+    state: present
+    name: "logging-{{ es_component }}-cluster"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    selector:
+      component: "{{ es_component }}"
+      provider: openshift
+#    labels:
+#    - logging-infra: 'support'
+    ports:
+    - port: 9300
+
+- name: Set logging-{{ es_component }} service
+  oc_service:
+    state: present
+    name: "logging-{{ es_component }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    selector:
+      component: "{{ es_component }}"
+      provider: openshift
+#    labels:
+#    - logging-infra: 'support'
+    ports:
+    - port: 9200
+      targetPort: "restapi"
+
 - name: Creating ES storage template
   template:
     src: pvc.j2
@@ -171,7 +224,7 @@
     state: present
     kind: pvc
     name: "{{ openshift_logging_elasticsearch_pvc_name }}"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     files:
     - "{{ tempdir }}/templates/logging-es-pvc.yml"
     delete_after: true
@@ -179,9 +232,6 @@
   - openshift_logging_elasticsearch_storage_type == "pvc"
 
 - set_fact:
-    es_component: "{{ 'es' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}"
-
-- set_fact:
     es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 'abcdefghijklmnopqrstuvwxyz0123456789' | random_word(8) }}"
   when: openshift_logging_elasticsearch_deployment_name == ""
 
@@ -195,20 +245,21 @@
     src: es.j2
     dest: "{{ tempdir }}/templates/logging-es-dc.yml"
   vars:
-    es_configmap: "{{ elasticsearch_name }}-{{ openshift_logging_elasticsearch_deployment_type }}"
     es_cluster_name: "{{ es_component }}"
-    logging_component: "{{ es_component }}"
+    component: "{{ es_component }}"
+    logging_component: elasticsearch
     deploy_name: "{{ es_deploy_name }}"
     image: "{{ openshift_logging_image_prefix }}logging-elasticsearch:{{ openshift_logging_image_version }}"
     es_cpu_limit: "{{ openshift_logging_elasticsearch_cpu_limit }}"
     es_memory_limit: "{{ openshift_logging_elasticsearch_memory_limit }}"
     es_node_selector: "{{ openshift_logging_elasticsearch_nodeselector | default({}) }}"
+    deploy_type: "{{ openshift_logging_elasticsearch_deployment_type }}"
 
 - name: Set ES dc
   oc_obj:
     state: present
     name: "{{ es_deploy_name }}"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     kind: dc
     files:
     - "{{ tempdir }}/templates/logging-es-dc.yml"
@@ -219,7 +270,7 @@
   oc_scale:
     kind: dc
     name: "{{ es_deploy_name }}"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     replicas: 1
 
 ## Placeholder for migration when necessary ##
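Review bot: The new `Generate logging-elasticsearch-view-role` task writes its output under `{{mktemp.stdout}}`, while the `oc_obj` task that follows reads the file from `{{ tempdir }}`, as do the other tasks visible in this file. Whether `mktemp` is registered in this role is not visible in these hunks; if it is not, the template task fails on an undefined variable. I would write the destination as `dest: "{{ tempdir }}/logging-elasticsearch-view-role.yaml"`. Since this binding grants the `view` role to the `aggregated-logging-elasticsearch` service account, a comment above it saying why Elasticsearch needs that read access would also help the next reviewer.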

+ 2 - 2
roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2

@@ -15,8 +15,8 @@ index:
     flush_threshold_period: 5m
 
 node:
-  master: {% if deploy_type in ['data-master', 'master'] %}true{% else %}false{% endif %}
-  data: {% if deploy_type in ['data-master', 'data-client'] %}true{% else %}false{% endif %}
+  master: ${IS_MASTER}
+  data: ${HAS_DATA}
 
 network:
   host: 0.0.0.0
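Review bot: `node.master` and `node.data` now resolve only at container start from `${IS_MASTER}` and `${HAS_DATA}`, and nothing in this file says where those values come from. They are set in the `env` list of `es.j2` in this same commit, so a deploymentconfig built without them leaves the placeholders unresolved; presumably that is a startup failure, though it depends on the Elasticsearch version in the image. A comment above `node:` such as `# IS_MASTER / HAS_DATA are injected by the deploymentconfig (templates/es.j2)` would make the coupling explicit. The `index:` block starts above this hunk.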

+ 12 - 4
roles/openshift_logging_elasticsearch/templates/es.j2

@@ -4,14 +4,14 @@ metadata:
   name: "{{deploy_name}}"
   labels:
     provider: openshift
-    component: elasticsearch
+    component: "{{component}}"
     deployment: "{{deploy_name}}"
     logging-infra: "{{logging_component}}"
 spec:
   replicas: {{replicas|default(0)}}
   selector:
     provider: openshift
-    component: elasticsearch
+    component: "{{component}}"
     deployment: "{{deploy_name}}"
     logging-infra: "{{logging_component}}"
   strategy:
@@ -22,7 +22,7 @@ spec:
       labels:
         logging-infra: "{{logging_component}}"
         provider: openshift
-        component: elasticsearch
+        component: "{{component}}"
         deployment: "{{deploy_name}}"
     spec:
       terminationGracePeriod: 600
@@ -86,6 +86,14 @@ spec:
             -
               name: "RECOVER_AFTER_TIME"
               value: "{{openshift_logging_elasticsearch_recover_after_time}}"
+            -
+              name: "IS_MASTER"
+              value: "{% if deploy_type in ['data-master', 'master'] %}true{% else %}false{% endif %}"
+
+            -
+              name: "HAS_DATA"
+              value: "{% if deploy_type in ['data-master', 'data-client'] %}true{% else %}false{% endif %}"
+
           volumeMounts:
             - name: elasticsearch
               mountPath: /etc/elasticsearch/secret
@@ -101,7 +109,7 @@ spec:
             secretName: logging-elasticsearch
         - name: elasticsearch-config
           configMap:
-            name: {{ es_configmap }}
+            name: logging-elasticsearch
         - name: elasticsearch-storage
 {% if openshift_logging_elasticsearch_storage_type == 'pvc' %}
           persistentVolumeClaim:
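Review bot: The config volume in the last hunk now mounts a configMap named literally `logging-elasticsearch`, but tasks/main.yaml in this commit creates the configmap as `{{ elasticsearch_name }}`, which becomes `logging-elasticsearch-ops` for an ops deployment. An ops pod would then mount the non-ops cluster's configuration, or fail to start if only the ops cluster is deployed. Passing the name through, e.g. `name: "{{ elasticsearch_name }}"`, keeps the two in step. `elasticsearch_name` is set with `set_fact` in the tasks file, so it should be visible to the template, but confirm.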

roles/openshift_logging/templates/rolebinding.j2 → roles/openshift_logging_elasticsearch/templates/rolebinding.j2


+ 22 - 6
roles/openshift_logging_fluentd/defaults/main.yml

@@ -1,11 +1,10 @@
 ---
 ### General logging settings
-openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}"
-openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}"
-openshift_logging_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
-openshift_logging_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
-openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://' + openshift.common.public_hostname + ':' ~ (openshift_master_api_port | default('8443', true))) }}"
-openshift_logging_namespace: logging
+openshift_logging_fluentd_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}"
+openshift_logging_fluentd_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}"
+openshift_logging_fluentd_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
+openshift_logging_fluentd_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
+openshift_logging_fluentd_namespace: logging
 
 ### Common settings
 openshift_logging_fluentd_nodeselector: "{{ openshift_hosted_logging_fluentd_nodeselector_label | default('logging-infra-fluentd=true') | map_from_pairs }}"
@@ -33,6 +32,23 @@ openshift_logging_fluentd_use_journal: "{{ openshift_hosted_logging_use_journal
 openshift_logging_fluentd_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}"
 openshift_logging_fluentd_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}"
 
+openshift_logging_fluentd_app_client_cert: /etc/fluent/keys/cert
+openshift_logging_fluentd_app_client_key: /etc/fluent/keys/key
+openshift_logging_fluentd_app_ca: /etc/fluent/keys/ca
+openshift_logging_fluentd_ops_client_cert: /etc/fluent/keys/cert
+openshift_logging_fluentd_ops_client_key: /etc/fluent/keys/key
+openshift_logging_fluentd_ops_ca: /etc/fluent/keys/ca
+
+
+# used by "secure-host" and "secure-aggregator" deployments
+openshift_logging_fluentd_shared_key: "{{ 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' | random_word(128) }}"
+openshift_logging_fluentd_aggregating_port: 24284
+openshift_logging_fluentd_aggregating_host: "${HOSTNAME}"
+openshift_logging_fluentd_aggregating_secure: "no"
+openshift_logging_fluentd_aggregating_strict: "no"
+openshift_logging_fluentd_aggregating_cert_path: none
+openshift_logging_fluentd_aggregating_key_path: none
+openshift_logging_fluentd_aggregating_passphrase: none
 
 ### Deprecating in 3.6
 openshift_logging_fluentd_es_copy: false
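Review bot: `openshift_logging_fluentd_shared_key` defaults to a `random_word(128)` expression, and a templated default is re-evaluated wherever it is referenced, so two tasks or two runs can see different keys and the forwarding and aggregating sides may not agree on the shared secret. The implementation of `random_word` is not on this page; if it draws from a non-cryptographic generator, it should not be the source of an authentication secret. I would generate the key once and store it with the other generated material (the mux role already reads `{{ generated_certs_dir }}/mux_shared_key`), leaving the default empty with a comment such as `# generated once by the certs tasks; override to supply your own`. The defaults `openshift_logging_fluentd_aggregating_secure: "no"` and `openshift_logging_fluentd_aggregating_strict: "no"` also deserve a comment stating what each switch controls.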

+ 10 - 10
roles/openshift_logging_fluentd/tasks/main.yaml

@@ -40,7 +40,7 @@
   oc_serviceaccount:
     state: present
     name: "aggregated-logging-fluentd"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_fluentd_namespace }}"
     image_pull_secrets: "{{ openshift_logging_image_pull_secret }}"
   when: openshift_logging_image_pull_secret != ''
 
@@ -48,27 +48,27 @@
   oc_serviceaccount:
     state: present
     name: "aggregated-logging-fluentd"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_fluentd_namespace }}"
   when:
   - openshift_logging_image_pull_secret == ''
 
 # set service account scc
 - name: Set privileged permissions for Fluentd
   oc_adm_policy_user:
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_fluentd_namespace }}"
     resource_kind: scc
     resource_name: privileged
     state: present
-    user: "system:serviceaccount:{{ openshift_logging_namespace }}:aggregated-logging-fluentd"
+    user: "system:serviceaccount:{{ openshift_logging_fluentd_namespace }}:aggregated-logging-fluentd"
 
 # set service account permissions
 - name: Set cluster-reader permissions for Fluentd
   oc_adm_policy_user:
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_fluentd_namespace }}"
     resource_kind: cluster-role
     resource_name: cluster-reader
     state: present
-    user: "system:serviceaccount:{{ openshift_logging_namespace }}:aggregated-logging-fluentd"
+    user: "system:serviceaccount:{{ openshift_logging_fluentd_namespace }}:aggregated-logging-fluentd"
 
 # create Fluentd configmap
 - template:
@@ -114,9 +114,9 @@
   oc_configmap:
     state: present
     name: "logging-fluentd"
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_fluentd_namespace }}"
     from_file:
-      fluentd.conf: "{{ tempdir }}/fluent.conf"
+      fluent.conf: "{{ tempdir }}/fluent.conf"
       throttle-config.yaml: "{{ tempdir }}/fluentd-throttle-config.yaml"
       secure-forward.conf: "{{ tempdir }}/secure-forward.conf"
 
@@ -126,7 +126,7 @@
   oc_secret:
     state: present
     name: logging-fluentd
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_fluentd_namespace }}"
     files:
     - name: ca
       path: "{{ generated_certs_dir }}/ca.crt"
@@ -161,7 +161,7 @@
   oc_obj:
     state: present
     name: logging-fluentd
-    namespace: "{{ openshift_logging_namespace }}"
+    namespace: "{{ openshift_logging_fluentd_namespace }}"
     kind: daemonset
     files:
     - "{{ tempdir }}/templates/logging-fluentd.yaml"
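Review bot: The service-account tasks in the first two hunks still read `openshift_logging_image_pull_secret`, but this commit renames the role default to `openshift_logging_fluentd_image_pull_secret` in defaults/main.yml. Unless the old name is still defined by another role or the inventory, both `when:` conditions hit an undefined variable. I would switch the three references to the new name, e.g. `when: openshift_logging_fluentd_image_pull_secret != ''`. The tasks themselves begin above the hunks, so check the remaining references in the file as well.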

+ 7 - 7
roles/openshift_logging_fluentd/templates/fluentd.j2

@@ -61,27 +61,27 @@ spec:
           readOnly: true
         env:
         - name: "K8S_HOST_URL"
-          value: "{{ openshift_logging_master_url }}"
+          value: "{{ openshift_logging_fluentd_master_url }}"
         - name: "ES_HOST"
           value: "{{ app_host }}"
         - name: "ES_PORT"
           value: "{{ app_port }}"
         - name: "ES_CLIENT_CERT"
-          value: "{{ openshift_logging_es_client_cert }}"
+          value: "{{ openshift_logging_fluentd_app_client_cert }}"
         - name: "ES_CLIENT_KEY"
-          value: "{{ openshift_logging_es_client_key }}"
+          value: "{{ openshift_logging_fluentd_app_client_key }}"
         - name: "ES_CA"
-          value: "{{ openshift_logging_es_ca }}"
+          value: "{{ openshift_logging_fluentd_app_ca }}"
         - name: "OPS_HOST"
           value: "{{ ops_host }}"
         - name: "OPS_PORT"
           value: "{{ ops_port }}"
         - name: "OPS_CLIENT_CERT"
-          value: "{{ openshift_logging_es_ops_client_cert }}"
+          value: "{{ openshift_logging_fluentd_ops_client_cert }}"
         - name: "OPS_CLIENT_KEY"
-          value: "{{ openshift_logging_es_ops_client_key }}"
+          value: "{{ openshift_logging_fluentd_ops_client_key }}"
         - name: "OPS_CA"
-          value: "{{ openshift_logging_es_ops_ca }}"
+          value: "{{ openshift_logging_fluentd_ops_ca }}"
         - name: "ES_COPY"
           value: "false"
         - name: "USE_JOURNAL"

+ 20 - 2
roles/openshift_logging_kibana/tasks/main.yaml

@@ -41,7 +41,9 @@
   when:
   - openshift_logging_image_pull_secret == ''
 
-- set_fact: kibana_name="{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
+- set_fact:
+    kibana_name: "{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
+    kibana_component: "{{ 'kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
 
 - name: Retrieving the cert to use when generating secrets for the logging components
   slurp:
@@ -53,6 +55,21 @@
     - { name: "kibana_internal_cert", file: "kibana-internal.crt"}
     - { name: "server_tls", file: "server-tls.json"}
 
+# services
+- name: Set {{ kibana_name }} service
+  oc_service:
+    state: present
+    name: "{{ kibana_name }}"
+    namespace: "{{ openshift_logging_kibana_namespace }}"
+    selector:
+      component: "{{ kibana_component }}"
+      provider: openshift
+#    labels:
+#    - logging-infra: 'support'
+    ports:
+    - port: 443
+      targetPort: "oaproxy"
+
 # create routes
 # TODO: set up these certs differently?
 - set_fact:
@@ -94,6 +111,7 @@
       provider: openshift
   changed_when: no
 
+# This currently has an issue if the host name changes
 - name: Setting Kibana route
   oc_obj:
     state: present
@@ -181,7 +199,7 @@
     src: kibana.j2
     dest: "{{ tempdir }}/templates/kibana-dc.yaml"
   vars:
-    component: kibana
+    component: "{{ kibana_component }}"
     logging_component: kibana
     deploy_name: "{{ kibana_name }}"
     image: "{{ openshift_logging_image_prefix }}logging-kibana:{{ openshift_logging_image_version }}"
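Review bot: The comment added above `Setting Kibana route`, `# This currently has an issue if the host name changes`, does not say what the issue is or what an operator should do about it. From the hunk alone it is not possible to tell whether the route is left pointing at the old host or the task fails; please state the symptom and the workaround in the comment. The new `oc_service` task also carries a commented-out `labels:` block, as do the new service tasks in the elasticsearch and mux roles; either drop it or add a line saying why labels are disabled.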

+ 43 - 0
roles/openshift_logging_mux/defaults/main.yml

@@ -0,0 +1,43 @@
+---
+### General logging settings
+openshift_logging_mux_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}"
+openshift_logging_mux_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}"
+openshift_logging_mux_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
+openshift_logging_mux_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
+openshift_logging_mux_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://' + openshift.common.public_hostname + ':' ~ (openshift_master_api_port | default('8443', true))) }}"
+openshift_logging_mux_namespace: logging
+
+### Common settings
+openshift_logging_mux_nodeselector: "{{ openshift_hosted_logging_mux_nodeselector_label | default('') | map_from_pairs }}"
+openshift_logging_mux_cpu_limit: 100m
+openshift_logging_mux_memory_limit: 512Mi
+
+openshift_logging_mux_replicas: 1
+
+# Destination for the application based logs
+openshift_logging_mux_app_host: "logging-es"
+openshift_logging_mux_app_port: 9200
+# Destination for the operations based logs
+openshift_logging_mux_ops_host: "{{ openshift_logging_mux_app_host }}"
+openshift_logging_mux_ops_port: "{{ openshift_logging_mux_app_port }}"
+
+### Used by "hosted" and "secure-aggregator" deployments
+openshift_logging_mux_use_journal: "{{ openshift_hosted_logging_use_journal | default('') }}"
+openshift_logging_mux_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}"
+openshift_logging_mux_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}"
+
+openshift_logging_mux_allow_external: false
+openshift_logging_mux_hostname: "{{ 'mux.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+openshift_logging_mux_port: 24284
+
+openshift_logging_mux_app_client_cert: /etc/fluent/keys/cert
+openshift_logging_mux_app_client_key: /etc/fluent/keys/key
+openshift_logging_mux_app_ca: /etc/fluent/keys/ca
+openshift_logging_mux_ops_client_cert: /etc/fluent/keys/cert
+openshift_logging_mux_ops_client_key: /etc/fluent/keys/key
+openshift_logging_mux_ops_ca: /etc/fluent/keys/ca
+
+# following can be uncommented to provide values for configmaps -- take care when providing file contents as it may cause your cluster to not operate correctly
+#mux_config_contents:
+#mux_throttle_contents:
+#mux_secureforward_contents:
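Review bot: The override names advertised in the closing comment block (`mux_config_contents`, `mux_throttle_contents`, `mux_secureforward_contents`) are not the names tasks/main.yaml tests, which are `fluentd_mux_config_contents` and `fluentd_mux_secureforward_contents`, so a user who uncomments them gets no effect. No task in the role reads a throttle override at all. The image settings have a similar gap: this file defines `openshift_logging_mux_image_prefix`, `openshift_logging_mux_image_version` and `openshift_logging_mux_image_pull_secret`, while the tasks use the unprefixed `openshift_logging_image_*` names. Also note that `openshift_logging_mux_image_version` falls back to `latest`, which leaves the deployed image unpinned; a comment recommending an explicit version would help.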

roles/openshift_logging/files/fluent.conf → roles/openshift_logging_mux/files/fluent.conf


roles/openshift_logging/files/secure-forward.conf → roles/openshift_logging_mux/files/secure-forward.conf


+ 15 - 0
roles/openshift_logging_mux/meta/main.yaml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: OpenShift Aggregated Logging Mux Component
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- role: lib_openshift

+ 17 - 0
roles/openshift_logging_mux/tasks/determine_version.yaml

@@ -0,0 +1,17 @@
+---
+# debating making this a module instead?
+- fail:
+    msg: Missing version to install provided by 'openshift_logging_image_version'
+  when: not openshift_logging_image_version or openshift_logging_image_version == ''
+
+- set_fact:
+    mux_version: "{{ __latest_mux_version }}"
+  when: openshift_logging_image_version == 'latest'
+
+# should we just assume that we will have the correct major version?
+- set_fact: mux_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
+  when: openshift_logging_image_version != 'latest'
+
+- fail:
+    msg: Invalid version specified for mux
+  when: mux_version not in __allowed_mux_versions
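Review bot: The pattern in the second `set_fact` captures the minor version with a single `\d`, so a two-digit minor such as `v3.10` is reduced to `3_1` and can pass the `__allowed_mux_versions` check as the wrong release. The major group is captured but never used, since the replacement hard-codes `3_`. I would use `(?P<minor>\d+)` and, if other majors are never expected, match the major as a literal `3`. The first `fail` condition can be shortened to `when: not openshift_logging_image_version`, since an empty string is already falsy.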

+ 202 - 0
roles/openshift_logging_mux/tasks/main.yaml

@@ -0,0 +1,202 @@
+---
+- fail:
+    msg: Application logs destination is required
+  when: not openshift_logging_mux_app_host or openshift_logging_mux_app_host == ''
+
+- fail:
+    msg: Operations logs destination is required
+  when: not openshift_logging_mux_ops_host or openshift_logging_mux_ops_host == ''
+
+- include: determine_version.yaml
+
+# allow passing in a tempdir
+- name: Create temp directory for doing work in
+  command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
+
+- set_fact:
+    tempdir: "{{ mktemp.stdout }}"
+
+- name: Create templates subdirectory
+  file:
+    state: directory
+    path: "{{ tempdir }}/templates"
+    mode: 0755
+  changed_when: False
+
+# we want to make sure we have all the necessary components here
+
+# create service account
+- name: Create Mux service account
+  oc_serviceaccount:
+    state: present
+    name: "aggregated-logging-mux"
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    image_pull_secrets: "{{ openshift_logging_image_pull_secret }}"
+  when: openshift_logging_image_pull_secret != ''
+
+- name: Create Mux service account
+  oc_serviceaccount:
+    state: present
+    name: "aggregated-logging-mux"
+    namespace: "{{ openshift_logging_mux_namespace }}"
+  when:
+  - openshift_logging_image_pull_secret == ''
+
+# set service account scc
+- name: Set privileged permissions for Mux
+  oc_adm_policy_user:
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    resource_kind: scc
+    resource_name: privileged
+    state: present
+    user: "system:serviceaccount:{{ openshift_logging_mux_namespace }}:aggregated-logging-mux"
+
+# set service account permissions
+- name: Set cluster-reader permissions for Mux
+  oc_adm_policy_user:
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    resource_kind: cluster-role
+    resource_name: cluster-reader
+    state: present
+    user: "system:serviceaccount:{{ openshift_logging_mux_namespace }}:aggregated-logging-mux"
+
+# set hostmount-anyuid permissions
+- name: Set hostmount-anyuid permissions for Mux
+  oc_adm_policy_user:
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    resource_kind: scc
+    resource_name: hostmount-anyuid
+    state: present
+    user: "system:serviceaccount:{{ openshift_logging_mux_namespace }}:aggregated-logging-mux"
+
+# create Mux configmap
+- copy:
+    src: fluent.conf
+    dest: "{{mktemp.stdout}}/fluent-mux.conf"
+  when: fluentd_mux_config_contents is undefined
+  changed_when: no
+
+- copy:
+    src: secure-forward.conf
+    dest: "{{mktemp.stdout}}/secure-forward-mux.conf"
+  when: fluentd_mux_securefoward_contents is undefined
+  changed_when: no
+
+- copy:
+    content: "{{fluentd_mux_config_contents}}"
+    dest: "{{mktemp.stdout}}/fluent-mux.conf"
+  when: fluentd_mux_config_contents is defined
+  changed_when: no
+
+- copy:
+    content: "{{fluentd_mux_secureforward_contents}}"
+    dest: "{{mktemp.stdout}}/secure-forward-mux.conf"
+  when: fluentd_mux_secureforward_contents is defined
+  changed_when: no
+
+- name: Set Mux configmap
+  oc_configmap:
+    state: present
+    name: "logging-mux"
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    from_file:
+      fluent.conf: "{{ tempdir }}/fluent-mux.conf"
+      secure-forward.conf: "{{ tempdir }}/secure-forward-mux.conf"
+
+# create Mux secret
+- name: Set logging-mux secret
+  oc_secret:
+    state: present
+    name: logging-mux
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    files:
+    - name: ca
+      path: "{{ generated_certs_dir }}/ca.crt"
+    - name: key
+      path: "{{ generated_certs_dir }}/system.logging.mux.key"
+    - name: cert
+      path: "{{ generated_certs_dir }}/system.logging.mux.crt"
+    - name: shared_key
+      path: "{{ generated_certs_dir }}/mux_shared_key"
+
+# services
+- name: Set logging-mux service for external communication
+  oc_service:
+    state: present
+    name: "logging-mux"
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    selector:
+      component: mux
+      provider: openshift
+#    labels:
+#    - logging-infra: 'support'
+    ports:
+    - name: mux-forward
+      port: "{{ openshift_logging_mux_port }}"
+      targetPort: "mux-forward"
+#    externalIPs:
+#    - "{{ ansible_eth0.ipv4.address }}"
+  when: openshift_logging_mux_allow_external | bool
+
+- name: Set logging-mux service for internal communication
+  oc_service:
+    state: present
+    name: "logging-mux"
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    selector:
+      component: mux
+      provider: openshift
+#    labels:
+#    - logging-infra: 'support'
+    ports:
+    - name: mux-forward
+      port: "{{ openshift_logging_mux_port }}"
+      targetPort: "mux-forward"
+  when: not openshift_logging_mux_allow_external | bool
+
+# create Mux DC
+- name: Generating mux deploymentconfig
+  template:
+    src: mux.j2
+    dest: "{{mktemp.stdout}}/templates/logging-mux-dc.yaml"
+  vars:
+    component: mux
+    logging_component: mux
+    deploy_name: "logging-{{ component }}"
+    image: "{{ openshift_logging_image_prefix }}logging-fluentd:{{ openshift_logging_image_version }}"
+    es_host: "{{ openshift_logging_mux_app_host }}"
+    es_port: "{{ openshift_logging_mux_app_port }}"
+    ops_host: "{{ openshift_logging_mux_ops_host }}"
+    ops_port: "{{ openshift_logging_mux_ops_port }}"
+    mux_cpu_limit: "{{ openshift_logging_mux_cpu_limit }}"
+    mux_memory_limit: "{{ openshift_logging_mux_memory_limit }}"
+    replicas: "{{ openshift_logging_mux_replicas | default(0) }}"
+    mux_node_selector: "{{ openshift_logging_mux_nodeselector | default({}) }}"
+  check_mode: no
+  changed_when: no
+
+- name: Set logging-mux DC
+  oc_obj:
+    state: present
+    name: logging-mux
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    kind: dc
+    files:
+    - "{{ tempdir }}/templates/logging-mux-dc.yaml"
+    delete_after: true
+
+# Scale up Mux
+- name: Start Mux
+  oc_scale:
+    kind: dc
+    name: "logging-mux"
+    namespace: "{{ openshift_logging_mux_namespace }}"
+    replicas: "{{ openshift_logging_mux_replicas | default (1) }}"
+
+- name: Delete temp directory
+  file:
+    name: "{{ tempdir }}"
+    state: absent
+  changed_when: False
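Review bot: The mux service account is granted the `privileged` SCC, `hostmount-anyuid` and `cluster-reader`, which mirrors the node-level Fluentd collector rather than what a network-facing aggregator needs. mux.j2 is only partly visible here, so confirm which host mounts the pod actually uses; if none require a privileged container, drop the `Set privileged permissions for Mux` task and keep only the narrower grant. Two smaller points in the same file: the first `secure-forward.conf` copy tests `fluentd_mux_securefoward_contents` (misspelled, so it always runs), and the external and internal `logging-mux` service tasks are identical while `externalIPs` stays commented out, so `openshift_logging_mux_allow_external` currently changes nothing.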

+ 16 - 16
roles/openshift_logging/templates/mux.j2

@@ -26,7 +26,7 @@ spec:
         provider: openshift
         component: "{{component}}"
     spec:
-      serviceAccountName: aggregated-logging-fluentd
+      serviceAccountName: aggregated-logging-mux
 {% if mux_node_selector is iterable and mux_node_selector | length > 0 %}
       nodeSelector:
 {% for key, value in mux_node_selector.iteritems() %}
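Review bot: The new `aggregated-logging-mux` service account on the `serviceAccountName` line must still admit this pod, which mounts a `hostPath` volume (`dockerhostname`, `/etc/hostname`) further down the same template. The account therefore needs a security context constraint that permits hostPath, and the grant is not visible in this hunk. A dedicated account only improves isolation if it gets that narrower constraint rather than the broader privileges the shared fluentd account presumably held. A template comment next to the line would record the requirement, for example `{# aggregated-logging-mux needs an SCC allowing the hostPath volume below, nothing wider #}`. The pod spec starts and ends outside the hunk.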
@@ -68,33 +68,33 @@ spec:
           readOnly: true
         env:
         - name: "K8S_HOST_URL"
-          value: "{{openshift_logging_master_url}}"
+          value: "{{openshift_logging_mux_master_url}}"
         - name: "ES_HOST"
-          value: "{{openshift_logging_es_host}}"
+          value: "{{openshift_logging_mux_app_host}}"
         - name: "ES_PORT"
-          value: "{{openshift_logging_es_port}}"
+          value: "{{openshift_logging_mux_app_port}}"
         - name: "ES_CLIENT_CERT"
-          value: "{{openshift_logging_es_client_cert}}"
+          value: "{{openshift_logging_mux_app_client_cert}}"
         - name: "ES_CLIENT_KEY"
-          value: "{{openshift_logging_es_client_key}}"
+          value: "{{openshift_logging_mux_app_client_key}}"
         - name: "ES_CA"
-          value: "{{openshift_logging_es_ca}}"
+          value: "{{openshift_logging_mux_app_ca}}"
         - name: "OPS_HOST"
-          value: "{{ops_host}}"
+          value: "{{openshift_logging_mux_ops_host}}"
         - name: "OPS_PORT"
-          value: "{{ops_port}}"
+          value: "{{openshift_logging_mux_ops_port}}"
         - name: "OPS_CLIENT_CERT"
-          value: "{{openshift_logging_es_ops_client_cert}}"
+          value: "{{openshift_logging_mux_ops_client_cert}}"
         - name: "OPS_CLIENT_KEY"
-          value: "{{openshift_logging_es_ops_client_key}}"
+          value: "{{openshift_logging_mux_ops_client_key}}"
         - name: "OPS_CA"
-          value: "{{openshift_logging_es_ops_ca}}"
+          value: "{{openshift_logging_mux_ops_ca}}"
         - name: "USE_JOURNAL"
           value: "false"
         - name: "JOURNAL_SOURCE"
-          value: "{{openshift_logging_fluentd_journal_source | default('')}}"
+          value: "{{openshift_logging_mux_journal_source | default('')}}"
         - name: "JOURNAL_READ_FROM_HEAD"
-          value: "{{openshift_logging_fluentd_journal_read_from_head|lower}}"
+          value: "{{openshift_logging_mux_journal_read_from_head|lower}}"
         - name: FORWARD_LISTEN_HOST
           value: "{{ openshift_logging_mux_hostname }}"
         - name: FORWARD_LISTEN_PORT
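Review bot: The six certificate, key and CA values (`ES_CLIENT_CERT` through `OPS_CA`) now come from `openshift_logging_mux_app_*` and `openshift_logging_mux_ops_*` with no `default(...)`, while a later hunk switches the mounted secret to `logging-mux`. Nothing visible here shows that those paths resolve inside the new secret's mount. Confirm that the role defaults define all six and that each referenced file exists as a key of `logging-mux`; otherwise rendering fails or the pod starts without usable TLS material for Elasticsearch. `openshift_logging_mux_journal_read_from_head|lower` also lacks the default that `JOURNAL_SOURCE` above it has; `"{{ openshift_logging_mux_journal_read_from_head | default(false) | lower }}"` would keep the two consistent. The env list starts and ends outside the hunk.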
@@ -102,14 +102,14 @@ spec:
         - name: USE_MUX
           value: "true"
         - name: MUX_ALLOW_EXTERNAL
-          value: "{{ openshift_logging_mux_allow_external| default('false') }}"
+          value: "{{ openshift_logging_mux_allow_external | default('false') }}"
       volumes:
       - name: config
         configMap:
           name: logging-mux
       - name: certs
         secret:
-          secretName: logging-fluentd
+          secretName: logging-mux
       - name: dockerhostname
         hostPath:
           path: /etc/hostname
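Review bot: `MUX_ALLOW_EXTERNAL` is rendered from the raw variable, so a boolean `true` in the inventory becomes the string `True`, whereas the tasks on this page gate the service on `openshift_logging_mux_allow_external | bool`. If the container compares the variable against lowercase `true` (not visible here), the service definition and the listener can disagree about whether the forwarder is exposed externally. Normalising the value the way `JOURNAL_READ_FROM_HEAD` is normalised avoids that: `value: "{{ openshift_logging_mux_allow_external | default(false) | bool | lower }}"`. The `secretName: logging-mux` change is sound as long as that secret holds only the mux's own key material, not a copy of the fluentd secret.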

+ 3 - 0
roles/openshift_logging_mux/vars/main.yml

@@ -0,0 +1,3 @@
+---
+__latest_mux_version: "3_5"
+__allowed_mux_versions: ["3_5", "3_6"]