
Using oc_apply task for idempotent

ewolinetz 8 years ago
parent
commit
8db66f0929

+ 46 - 0
roles/openshift_logging/tasks/generate_certs.yaml

@@ -162,10 +162,56 @@
   changed_when: no
   when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
 
+# check for secret/logging-kibana-proxy
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get secret/logging-kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.data.oauth-secret}'
+  register: kibana_secret_oauth_check
+  ignore_errors: yes
+  changed_when: no
+  check_mode: no
+
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get secret/logging-kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.data.session-secret}'
+  register: kibana_secret_session_check
+  ignore_errors: yes
+  changed_when: no
+  check_mode: no
+
+# check for oauthclient secret
+- command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get oauthclient/kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.secret}'
+  register: oauth_secret_check
+  ignore_errors: yes
+  changed_when: no
+  check_mode: no
+
+# set or generate as needed
 - name: Generate proxy session
   set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
   check_mode: no
+  when:
+    - kibana_secret_session_check.stdout is not defined or kibana_secret_session_check.stdout == ''
+
+- name: Generate proxy session
+  set_fact: session_secret={{kibana_secret_session_check.stdout | b64decode }}
+  check_mode: no
+  when:
+    - kibana_secret_session_check.stdout is defined
+    - kibana_secret_session_check.stdout != ''
 
 - name: Generate oauth client secret
   set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
   check_mode: no
+  when: kibana_secret_oauth_check.stdout is not defined or kibana_secret_oauth_check.stdout == ''
+    or oauth_secret_check.stdout is not defined or oauth_secret_check.stdout == ''
+    or kibana_secret_oauth_check.stdout | b64decode != oauth_secret_check.stdout
+
+- name: Generate oauth client secret
+  set_fact: oauth_secret={{kibana_secret_oauth_check.stdout | b64decode}}
+  check_mode: no
+  when:
+    - kibana_secret_oauth_check is defined
+    - kibana_secret_oauth_check.stdout != ''
+    - oauth_secret_check.stdout is defined
+    - oauth_secret_check.stdout != ''
+    - kibana_secret_oauth_check.stdout | b64decode == oauth_secret_check.stdout
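Review bot: The three added `command` lookups, and the `set_fact` tasks that consume them, carry the Kibana proxy session and OAuth secrets in their results without `no_log: true`, so the base64 values from `-o jsonpath='{.data.oauth-secret}'` and the decoded facts can appear in verbose Ansible output and callback logs. Add `no_log: true` to each of those tasks. Separately, `ignore_errors: yes` presumably makes any failed lookup (not only a missing secret) look like empty stdout, which takes the "generate" branch and silently rotates a secret that may already exist. Checking `rc` and stderr for a not-found result before regenerating would make that decision explicit. The last task also tests `kibana_secret_oauth_check is defined` where the sibling conditions test `.stdout is defined`.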

+ 3 - 1
roles/openshift_logging/tasks/install_curator.yaml

@@ -11,7 +11,9 @@
     {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc/logging-curator-ops
     -o jsonpath='{.spec.replicas}' -n {{openshift_logging_namespace}}
   register: curator_ops_replica_count
-  when: not ansible_check_mode
+  when:
+    - not ansible_check_mode
+    - openshift_logging_use_ops
   ignore_errors: yes
   changed_when: no
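Review bot: With `openshift_logging_use_ops` added to the `when:` list, `curator_ops_replica_count` is registered as a skipped result with no `stdout` whenever ops logging is off, so any later read of `curator_ops_replica_count.stdout` (outside this hunk) needs a `| default(...)` or its own guard. The bare variable is also evaluated as written; if it can arrive as a string from inventory, `openshift_logging_use_ops | bool` is the safer form. The task begins above the hunk, so its name and module line are not visible here.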
 

+ 9 - 10
roles/openshift_logging/tasks/install_logging.yaml

@@ -23,16 +23,15 @@
   loop_control:
     loop_var: install_component
 
-- name: Register API objects from generated templates
-  command: ls -1 {{mktemp.stdout}}/templates/
-  register: logging_objects
-  check_mode: no
-  changed_when: no
-
-- name: Creating API objects from generated templates
-  command: >
-    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig apply -f {{mktemp.stdout}}/templates/{{file}} -n {{openshift_logging_namespace}}
-  with_items: "{{logging_objects.stdout_lines | sort}}"
+- name: Create objects
+  include: oc_apply.yaml
+  vars:
+    - kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+    - namespace: "{{ openshift_logging_namespace }}"
+    - file_name: "{{ file }}"
+    - file_content: "{{ lookup('file', file) | from_yaml }}"
+  with_fileglob:
+    - "{{ mktemp.stdout }}/templates/*.yaml"
   loop_control:
     loop_var: file
   when: not ansible_check_mode
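Review bot: `with_fileglob` and `lookup('file', file)` are resolved on the Ansible control host, whereas the removed `ls -1 {{mktemp.stdout}}/templates/` ran as a `command` on the target. If `mktemp` is created on the remote host (its creation is outside this hunk), the glob matches nothing and no objects are applied, without any error. Listing the directory on the target (for example with the `find` module) and reading each file there with `slurp` would keep the lookup on the same host as the `apply`. The explicit `| sort` is also gone and only `*.yaml` is matched now, so application order and any differently named template are worth confirming. `from_yaml` will presumably reject a template that holds more than one YAML document.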

+ 29 - 0
roles/openshift_logging/tasks/oc_apply.yaml

@@ -0,0 +1,29 @@
+---
+- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}}
+  shell: >
+    {{ openshift.common.client_binary }}
+    --config={{ kubeconfig }}
+    get {{file_content.kind}} {{file_content.metadata.name}}
+    -o jsonpath='{.metadata.resourceVersion}'
+    -n {{namespace}} || echo 0
+  register: generation_init
+  changed_when: no
+
+- name: Applying {{file_name}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+    apply -f {{ file_name }}
+    -n {{ namespace }}
+  register: generation_apply
+  failed_when: "'error' in generation_apply.stderr"
+  changed_when: no
+
+- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
+  shell: >
+    {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+    get {{file_content.kind}} {{file_content.metadata.name}}
+    -o jsonpath='{.metadata.resourceVersion}'
+    -n {{namespace}} || echo 0
+  register: generation_changed
+  failed_when: "'error' in generation_changed.stderr"
+  changed_when: generation_changed.stdout | int  > generation_init.stdout | int
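Review bot: `failed_when: "'error' in generation_apply.stderr"` replaces the return-code check with a case-sensitive substring match, so an `apply` that exits non-zero with a message such as `Error from server ...` is reported as success; `failed_when: generation_apply.rc != 0` is the more reliable test. The same pattern on the last task is weakened further by `|| echo 0`, which forces a zero exit status. The two `shell` tasks interpolate `file_content.kind`, `file_content.metadata.name` and `namespace` into a shell line unquoted; since these values come from file content, pass them through `| quote`, e.g. `get {{ file_content.kind | quote }} {{ file_content.metadata.name | quote }}`. `resourceVersion` is documented by Kubernetes as an opaque string, so `changed_when: generation_changed.stdout != generation_init.stdout` is safer than the integer `>` comparison.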