Add logging es prometheus endpoint

roles/openshift_logging/filter_plugins/openshift_logging.py

@@ -45,6 +45,21 @@ def map_from_pairs(source, delim="="):
     return dict(item.split(delim) for item in source.split(","))
 
 
+def serviceaccount_name(qualified_sa):
+    ''' Returns the simple name from a fully qualified name '''
+    return qualified_sa.split(":")[-1]
+
+
+def serviceaccount_namespace(qualified_sa, default=None):
+    ''' Returns the namespace from a fully qualified name '''
+    seg = qualified_sa.split(":")
+    if len(seg) > 1:
+        return seg[-2]
+    if default:
+        return default
+    return seg[-1]
+
+
 # pylint: disable=too-few-public-methods
 class FilterModule(object):
     ''' OpenShift Logging Filters '''
@@ -56,5 +71,7 @@ class FilterModule(object):
             'random_word': random_word,
             'entry_from_named_pair': entry_from_named_pair,
             'map_from_pairs': map_from_pairs,
-            'es_storage': es_storage
+            'es_storage': es_storage,
+            'serviceaccount_name': serviceaccount_name,
+            'serviceaccount_namespace': serviceaccount_namespace
         }

roles/openshift_logging/tasks/delete_logging.yaml

@@ -92,6 +92,7 @@
   with_items:
     - rolebinding-reader
     - daemonset-admin
+    - prometheus-metrics-viewer
 
 # delete our configmaps
 - name: delete configmaps

roles/openshift_logging/tasks/generate_certs.yaml

@@ -139,10 +139,10 @@
 
 # TODO: make idempotent
 - name: Generate proxy session
-  set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
+  set_fact: session_secret={{ 200 | oo_random_word}}
   check_mode: no
 
 # TODO: make idempotent
 - name: Generate oauth client secret
-  set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
+  set_fact: oauth_secret={{ 64 | oo_random_word}}
   check_mode: no

roles/openshift_logging_elasticsearch/defaults/main.yml

@@ -40,6 +40,12 @@ openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_
 # config the es plugin to write kibana index based on the index mode
 openshift_logging_elasticsearch_kibana_index_mode: 'unique'
 
+openshift_logging_elasticsearch_proxy_image_prefix: "openshift/oauth-proxy"
+openshift_logging_elasticsearch_proxy_image_version: "v1.0.0"
+openshift_logging_elasticsearch_proxy_cpu_limit: "100m"
+openshift_logging_elasticsearch_proxy_memory_limit: "64Mi"
+openshift_logging_elasticsearch_prometheus_sa: "system:serviceaccount:{{openshift_prometheus_namespace | default('prometheus')}}:prometheus"
+
 # this is used to determine if this is an operations deployment or a non-ops deployment
 # simply used for naming purposes
 openshift_logging_elasticsearch_ops_deployment: false

roles/openshift_logging_elasticsearch/tasks/main.yaml

@@ -37,6 +37,7 @@
 # we want to make sure we have all the necessary components here
 
 # service account
+
 - name: Create ES service account
   oc_serviceaccount:
     state: present
@@ -77,6 +78,38 @@
     resource_name: rolebinding-reader
     user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch"
 
+- oc_adm_policy_user:
+    state: present
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    resource_kind: cluster-role
+    resource_name: system:auth-delegator
+    user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace}}:aggregated-logging-elasticsearch"
+
+# logging-metrics-reader role
+- template:
+    src: logging-metrics-role.j2
+    dest: "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
+  vars:
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    role_namespace: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_namespace(openshift_logging_elasticsearch_namespace) }}"
+    role_user: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_name }}"
+
+- name: Create logging-metrics-reader-role
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+    -n "{{ openshift_logging_elasticsearch_namespace }}"
+    create -f "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
+  register: prometheus_out
+  check_mode: no
+  ignore_errors: yes
+
+- fail:
+    msg: "There was an error creating the logging-metrics-role and binding: {{prometheus_out}}"
+  when:
+  - "prometheus_out.stderr | length > 0"
+  - "'already exists' not in prometheus_out.stderr"
+
 # View role and binding
 - name: Generate logging-elasticsearch-view-role
   template:
@@ -206,6 +239,32 @@
     - port: 9200
       targetPort: "restapi"
 
+- name: Set logging-{{ es_component}}-prometheus service
+  oc_service:
+    state: present
+    name: "logging-{{es_component}}-prometheus"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    labels:
+      logging-infra: 'support'
+    ports:
+    - name: proxy
+      port: 443
+      targetPort: 4443
+    selector:
+      component: "{{ es_component }}-prometheus"
+      provider: openshift
+
+- oc_edit:
+    kind: service
+    name: "logging-{{es_component}}-prometheus"
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    separator: '#'
+    content:
+      metadata#annotations#service.alpha.openshift.io/serving-cert-secret-name: "prometheus-tls"
+      metadata#annotations#prometheus.io/scrape: "true"
+      metadata#annotations#prometheus.io/scheme: "https"
+      metadata#annotations#prometheus.io/path: "_prometheus/metrics"
+
 - name: Check to see if PVC already exists
   oc_obj:
     state: list
@@ -260,7 +319,7 @@
       delete_after: true
 
 - set_fact:
-    es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 'abcdefghijklmnopqrstuvwxyz0123456789' | random_word(8) }}"
+    es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 8 | oo_random_word('abcdefghijklmnopqrstuvwxyz0123456789') }}"
   when: openshift_logging_elasticsearch_deployment_name == ""
 
 - set_fact:

roles/openshift_logging_elasticsearch/templates/es.j2

@@ -37,6 +37,40 @@ spec:
 {% endfor %}
 {% endif %}
       containers:
+        - name: proxy
+          image: {{openshift_logging_elasticsearch_proxy_image_prefix}}:{{openshift_logging_elasticsearch_proxy_image_version}}
+          imagePullPolicy: Always
+          args:
+           - --upstream-ca=/etc/elasticsearch/secret/admin-ca
+           - --https-address=:4443
+           - -provider=openshift
+           - -client-id={{openshift_logging_elasticsearch_prometheus_sa}}
+           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+           - -cookie-secret={{ 16 | oo_random_word | b64encode }}
+           - -upstream=https://localhost:9200
+           - '-openshift-sar={"namespace": "{{ openshift_logging_elasticsearch_namespace}}", "verb": "view", "resource": "prometheus", "group": "metrics.openshift.io"}'
+           - '-openshift-delegate-urls={"/": {"resource": "prometheus", "verb": "view", "group": "metrics.openshift.io", "namespace": "{{ openshift_logging_elasticsearch_namespace}}"}}'
+           - --tls-cert=/etc/tls/private/tls.crt
+           - --tls-key=/etc/tls/private/tls.key
+           - -pass-access-token
+           - -pass-user-headers
+          ports:
+          - containerPort: 4443
+            name: proxy
+            protocol: TCP
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: proxy-tls
+            readOnly: true
+          - mountPath: /etc/elasticsearch/secret
+            name: elasticsearch
+            readOnly: true
+          resources:
+            limits:
+              cpu: "{{openshift_logging_elasticsearch_proxy_cpu_limit }}"
+              memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}"
+            requests:
+              memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}"
         -
           name: "elasticsearch"
           image: {{image}}
@@ -94,7 +128,7 @@ spec:
               value: "30"
             -
               name: "POD_LABEL"
-              value: "component={{component}}" 
+              value: "component={{component}}"
             -
               name: "IS_MASTER"
               value: "{% if deploy_type in ['data-master', 'master'] %}true{% else %}false{% endif %}"
@@ -102,6 +136,9 @@ spec:
             -
               name: "HAS_DATA"
               value: "{% if deploy_type in ['data-master', 'data-client'] %}true{% else %}false{% endif %}"
+            -
+              name: "PROMETHEUS_USER"
+              value: "{{openshift_logging_elasticsearch_prometheus_sa}}"
 
           volumeMounts:
             - name: elasticsearch
@@ -120,6 +157,9 @@ spec:
             timeoutSeconds: 30
             periodSeconds: 5
       volumes:
+        - name: proxy-tls
+          secret:
+            secretName: prometheus-tls
         - name: elasticsearch
           secret:
             secretName: logging-elasticsearch

roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2

@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: List
+items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    name: prometheus-metrics-viewer
+    namespace: {{ namespace }}
+  rules:
+  - apiGroups:
+    - metrics.openshift.io
+    resources:
+    - prometheus
+    verbs:
+    - view
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    name: prometheus-metrics-viewer
+    namespace: {{ namespace }}
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: prometheus-metrics-viewer
+  subjects:
+  - kind: ServiceAccount
+    namespace: {{ role_namespace }}
+    name: {{ role_user }}