
Add logging es prometheus endpoint

Jeff Cantrill %!s(int64=7) %!d(string=hai) anos
pai
achega
76e00ca0b6

+ 18 - 1
roles/openshift_logging/filter_plugins/openshift_logging.py

@@ -45,6 +45,21 @@ def map_from_pairs(source, delim="="):
     return dict(item.split(delim) for item in source.split(","))
 
 
+def serviceaccount_name(qualified_sa):
+    ''' Returns the simple name from a fully qualified name '''
+    return qualified_sa.split(":")[-1]
+
+
+def serviceaccount_namespace(qualified_sa, default=None):
+    ''' Returns the namespace from a fully qualified name '''
+    seg = qualified_sa.split(":")
+    if len(seg) > 1:
+        return seg[-2]
+    if default:
+        return default
+    return seg[-1]
+
+
 # pylint: disable=too-few-public-methods
 class FilterModule(object):
     ''' OpenShift Logging Filters '''
@@ -56,5 +71,7 @@ class FilterModule(object):
             'random_word': random_word,
             'entry_from_named_pair': entry_from_named_pair,
             'map_from_pairs': map_from_pairs,
-            'es_storage': es_storage
+            'es_storage': es_storage,
+            'serviceaccount_name': serviceaccount_name,
+            'serviceaccount_namespace': serviceaccount_namespace
         }
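Review bot: `serviceaccount_namespace` returns the account's own name as the namespace when the input has no `:` and `default` is falsy — `serviceaccount_namespace("prometheus")` yields `"prometheus"` — and the `if default:` test also discards an explicit empty-string default. Since the result becomes the RoleBinding subject's namespace in logging-metrics-role.j2, a misparsed value could grant `prometheus-metrics-viewer` to an account in an unintended namespace; replace the fall-through on the last line with `return default` (or raise `ValueError` for an unqualified name) and test with `if default is not None:`. Both docstrings should also state the expected input shape, e.g. `''' Returns the namespace (second-to-last ":"-segment) of a "system:serviceaccount:<ns>:<name>" string; returns default when the name is unqualified '''`.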

+ 1 - 0
roles/openshift_logging/tasks/delete_logging.yaml

@@ -92,6 +92,7 @@
   with_items:
     - rolebinding-reader
     - daemonset-admin
+    - prometheus-metrics-viewer
 
 # delete our configmaps
 - name: delete configmaps
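Review bot: The task whose `with_items` this line extends begins above the hunk, so it is not visible whether it removes roles, rolebindings or both; the commit creates a Role and a RoleBinding that are both named `prometheus-metrics-viewer` (templates/logging-metrics-role.j2), and if this task deletes only one kind the other survives uninstall. The new cluster-role grant of `system:auth-delegator` to `aggregated-logging-elasticsearch` (tasks/main.yaml in this commit) has no matching removal anywhere in this file either, so the ES service account keeps that cluster-wide grant after the logging stack is deleted — add a `oc_adm_policy_user` task with `state: absent` for it here.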

+ 2 - 2
roles/openshift_logging/tasks/generate_certs.yaml

@@ -139,10 +139,10 @@
 
 # TODO: make idempotent
 - name: Generate proxy session
-  set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
+  set_fact: session_secret={{ 200 | oo_random_word}}
   check_mode: no
 
 # TODO: make idempotent
 - name: Generate oauth client secret
-  set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
+  set_fact: oauth_secret={{ 64 | oo_random_word}}
   check_mode: no
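Review bot: Both `session_secret` and `oauth_secret` are now produced by `oo_random_word`, whose implementation is outside this diff; because these values protect the proxy session cookie and the OAuth client, confirm that filter draws from a CSPRNG (`random.SystemRandom` / `secrets`) rather than plain `random.choice`, since Mersenne-Twister output is recoverable from a handful of observed values. Independently of the RNG, both `set_fact` tasks should carry `no_log: true` so the secrets are not echoed in `-v` output or persisted by fact caching. The `TODO: make idempotent` comments still stand: each playbook run regenerates both values, which invalidates live sessions and rotates the OAuth client secret.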

+ 6 - 0
roles/openshift_logging_elasticsearch/defaults/main.yml

@@ -40,6 +40,12 @@ openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_
 # config the es plugin to write kibana index based on the index mode
 openshift_logging_elasticsearch_kibana_index_mode: 'unique'
 
+openshift_logging_elasticsearch_proxy_image_prefix: "openshift/oauth-proxy"
+openshift_logging_elasticsearch_proxy_image_version: "v1.0.0"
+openshift_logging_elasticsearch_proxy_cpu_limit: "100m"
+openshift_logging_elasticsearch_proxy_memory_limit: "64Mi"
+openshift_logging_elasticsearch_prometheus_sa: "system:serviceaccount:{{openshift_prometheus_namespace | default('prometheus')}}:prometheus"
+
 # this is used to determine if this is an operations deployment or a non-ops deployment
 # simply used for naming purposes
 openshift_logging_elasticsearch_ops_deployment: false
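Review bot: `openshift_logging_elasticsearch_prometheus_sa` is used verbatim as the proxy's `-client-id` and as the `PROMETHEUS_USER` env value, and is split on `:` to derive the RoleBinding subject, yet nothing documents that it must be a fully qualified `system:serviceaccount:<namespace>:<name>` string. A bare name would make the role binding fall back to the logging namespace and leave `PROMETHEUS_USER` holding a string that differs from the authenticated service account's name, so add a comment above the default, e.g. `# Fully qualified service account allowed to scrape ES metrics; must be of the form system:serviceaccount:<namespace>:<name>`. A one-line comment on the `proxy_image_*` defaults naming the component (the oauth-proxy sidecar in es.j2) would also help readers of this file.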

+ 60 - 1
roles/openshift_logging_elasticsearch/tasks/main.yaml

@@ -37,6 +37,7 @@
 # we want to make sure we have all the necessary components here
 
 # service account
+
 - name: Create ES service account
   oc_serviceaccount:
     state: present
@@ -77,6 +78,38 @@
     resource_name: rolebinding-reader
     user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch"
 
+- oc_adm_policy_user:
+    state: present
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    resource_kind: cluster-role
+    resource_name: system:auth-delegator
+    user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace}}:aggregated-logging-elasticsearch"
+
+# logging-metrics-reader role
+- template:
+    src: logging-metrics-role.j2
+    dest: "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
+  vars:
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    role_namespace: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_namespace(openshift_logging_elasticsearch_namespace) }}"
+    role_user: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_name }}"
+
+- name: Create logging-metrics-reader-role
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+    -n "{{ openshift_logging_elasticsearch_namespace }}"
+    create -f "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
+  register: prometheus_out
+  check_mode: no
+  ignore_errors: yes
+
+- fail:
+    msg: "There was an error creating the logging-metrics-role and binding: {{prometheus_out}}"
+  when:
+  - "prometheus_out.stderr | length > 0"
+  - "'already exists' not in prometheus_out.stderr"
+
 # View role and binding
 - name: Generate logging-elasticsearch-view-role
   template:
@@ -206,6 +239,32 @@
     - port: 9200
       targetPort: "restapi"
 
+- name: Set logging-{{ es_component}}-prometheus service
+  oc_service:
+    state: present
+    name: "logging-{{es_component}}-prometheus"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    labels:
+      logging-infra: 'support'
+    ports:
+    - name: proxy
+      port: 443
+      targetPort: 4443
+    selector:
+      component: "{{ es_component }}-prometheus"
+      provider: openshift
+
+- oc_edit:
+    kind: service
+    name: "logging-{{es_component}}-prometheus"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    separator: '#'
+    content:
+      metadata#annotations#service.alpha.openshift.io/serving-cert-secret-name: "prometheus-tls"
+      metadata#annotations#prometheus.io/scrape: "true"
+      metadata#annotations#prometheus.io/scheme: "https"
+      metadata#annotations#prometheus.io/path: "_prometheus/metrics"
+
 - name: Check to see if PVC already exists
   oc_obj:
     state: list
@@ -260,7 +319,7 @@
       delete_after: true
 
 - set_fact:
-    es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 'abcdefghijklmnopqrstuvwxyz0123456789' | random_word(8) }}"
+    es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 8 | oo_random_word('abcdefghijklmnopqrstuvwxyz0123456789') }}"
   when: openshift_logging_elasticsearch_deployment_name == ""
 
 - set_fact:
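Review bot: The `Create logging-metrics-reader-role` task uses `oc create -f` with `ignore_errors: yes` and then tolerates `already exists`, so once the Role/RoleBinding exist they are never reconciled: changing `openshift_logging_elasticsearch_prometheus_sa` (and thus the subject in the rendered template) on a later run silently leaves the old grant in place. Use `apply -f` (or `replace --force`, or the `oc_obj` module with `files:` that this file already uses elsewhere) so the rendered subject is always enforced, and gate failure on the exit code with `failed_when` instead of parsing `stderr`, which drops the separate `fail` task and the `ignore_errors`. The rewritten task is below; the `fail` block that follows it in the hunk is then removed.
```yaml
- name: Create logging-metrics-reader-role
  command: >
    {{ openshift.common.client_binary }}
    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
    -n "{{ openshift_logging_elasticsearch_namespace }}"
    apply -f "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
  register: prometheus_out
  check_mode: no
  failed_when: prometheus_out.rc != 0

# … unchanged: View role and binding …
```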

+ 41 - 1
roles/openshift_logging_elasticsearch/templates/es.j2

@@ -37,6 +37,40 @@ spec:
 {% endfor %}
 {% endif %}
       containers:
+        - name: proxy
+          image: {{openshift_logging_elasticsearch_proxy_image_prefix}}:{{openshift_logging_elasticsearch_proxy_image_version}}
+          imagePullPolicy: Always
+          args:
+           - --upstream-ca=/etc/elasticsearch/secret/admin-ca
+           - --https-address=:4443
+           - -provider=openshift
+           - -client-id={{openshift_logging_elasticsearch_prometheus_sa}}
+           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+           - -cookie-secret={{ 16 | oo_random_word | b64encode }}
+           - -upstream=https://localhost:9200
+           - '-openshift-sar={"namespace": "{{ openshift_logging_elasticsearch_namespace}}", "verb": "view", "resource": "prometheus", "group": "metrics.openshift.io"}'
+           - '-openshift-delegate-urls={"/": {"resource": "prometheus", "verb": "view", "group": "metrics.openshift.io", "namespace": "{{ openshift_logging_elasticsearch_namespace}}"}}'
+           - --tls-cert=/etc/tls/private/tls.crt
+           - --tls-key=/etc/tls/private/tls.key
+           - -pass-access-token
+           - -pass-user-headers
+          ports:
+          - containerPort: 4443
+            name: proxy
+            protocol: TCP
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: proxy-tls
+            readOnly: true
+          - mountPath: /etc/elasticsearch/secret
+            name: elasticsearch
+            readOnly: true
+          resources:
+            limits:
+              cpu: "{{openshift_logging_elasticsearch_proxy_cpu_limit }}"
+              memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}"
+            requests:
+              memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}"
         -
           name: "elasticsearch"
           image: {{image}}
@@ -94,7 +128,7 @@ spec:
               value: "30"
             -
               name: "POD_LABEL"
-              value: "component={{component}}" 
+              value: "component={{component}}"
             -
               name: "IS_MASTER"
               value: "{% if deploy_type in ['data-master', 'master'] %}true{% else %}false{% endif %}"
@@ -102,6 +136,9 @@ spec:
             -
               name: "HAS_DATA"
               value: "{% if deploy_type in ['data-master', 'data-client'] %}true{% else %}false{% endif %}"
+            -
+              name: "PROMETHEUS_USER"
+              value: "{{openshift_logging_elasticsearch_prometheus_sa}}"
 
           volumeMounts:
             - name: elasticsearch
@@ -120,6 +157,9 @@ spec:
             timeoutSeconds: 30
             periodSeconds: 5
       volumes:
+        - name: proxy-tls
+          secret:
+            secretName: prometheus-tls
         - name: elasticsearch
           secret:
             secretName: logging-elasticsearch
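Review bot: The `-cookie-secret={{ 16 | oo_random_word | b64encode }}` argument on the new proxy container bakes the cookie signing key into the DeploymentConfig spec, where anyone who can read the DC or the pod recovers it, and a new value is rendered on every playbook run so the pod template changes and triggers a rollout each time. Generate it once into a Secret and hand it to the container through an env var from a `secretKeyRef` (upstream oauth2_proxy reads `OAUTH2_PROXY_COOKIE_SECRET`; confirm the openshift/oauth-proxy v1.0.0 build honours it) instead of a command-line flag. Separately, `-client-id` names the Prometheus service account while `-client-secret-file` points at the ES pod's own token; for the OpenShift provider these normally describe the same account, so this looks like only the bearer-token path via `-openshift-delegate-urls` works and the browser OAuth flow would fail — worth confirming. `imagePullPolicy: Always` on a version-tagged image also means a silently re-tagged `v1.0.0` is pulled on every pod restart.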

+ 31 - 0
roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2

@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: List
+items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    name: prometheus-metrics-viewer
+    namespace: {{ namespace }}
+  rules:
+  - apiGroups:
+    - metrics.openshift.io
+    resources:
+    - prometheus
+    verbs:
+    - view
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    name: prometheus-metrics-viewer
+    namespace: {{ namespace }}
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: prometheus-metrics-viewer
+  subjects:
+  - kind: ServiceAccount
+    namespace: {{ role_namespace }}
+    name: {{ role_user }}
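Review bot: The templated scalars `namespace: {{ namespace }}`, `namespace: {{ role_namespace }}` and `name: {{ role_user }}` are rendered unquoted, and Kubernetes accepts all-digit namespace and service-account names, which YAML would then parse as integers and the API would most likely reject as a type mismatch. Quote them: `namespace: "{{ namespace }}"`, `namespace: "{{ role_namespace }}"`, `name: "{{ role_user }}"`. The `rbac.authorization.kubernetes.io/autoupdate: "true"` annotation is only acted on for the bootstrap cluster roles the API server reconciles at start-up; on this namespaced Role it does nothing and suggests a reconciliation that never happens, so drop it or explain it in a comment. A header comment such as `{# Marker role checked by the ES oauth-proxy sidecar via SubjectAccessReview (see -openshift-sar in es.j2); metrics.openshift.io/prometheus exists only as an RBAC marker #}` would tell the next reader why this resource is granted.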