8 years ago · 9edfa73d2c
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -6,6 +6,9 @@ This role is used for installing the Aggregated Logging stack. It should be run
 
				 a single host, it will create any missing certificates and API objects that the current
			
 
				 [logging deployer](https://github.com/openshift/origin-aggregated-logging/tree/master/deployer) does.
			
 
				 
			
 
				+This role requires that the control host it is run on has Java installed as part of keystore
			
 
				+generation for Elasticsearch (it uses JKS).
			
 
				+
			
 
				 As part of the installation, it is recommended that you add the Fluentd node selector label
			
 
				 to the list of persisted [node labels](https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-node-host-labels).
			
 
				 
			
--- a/roles/openshift_logging/files/generate-jks.sh
+++ b/roles/openshift_logging/files/generate-jks.sh
@@ -1,6 +1,10 @@
 
				 #! /bin/sh
			
 
				 set -ex
			
 
				 
			
 
				+function usage() {
			
 
				+  echo Usage: `basename $0` cert_directory [logging_namespace] 1>&2
			
 
				+}
			
 
				+
			
 
				 function generate_JKS_chain() {
			
 
				     dir=${SCRATCH_DIR:-_output}
			
 
				     ADD_OID=$1
			
@@ -147,8 +151,14 @@ function createTruststore() {
 
				     -noprompt -alias sig-ca
			
 
				 }
			
 
				 
			
 
				-dir="$CERT_DIR"
			
 
				+if [ $# -lt 1 ]; then
			
 
				+  usage
			
 
				+  exit 1
			
 
				+fi
			
 
				+
			
 
				+dir=$1
			
 
				 SCRATCH_DIR=$dir
			
 
				+PROJECT=${2:-logging}
			
 
				 
			
 
				 if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then
			
 
				   generate_JKS_client_cert "system.admin"
			
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -112,20 +112,12 @@
 
				   register: truststore_jks
			
 
				   check_mode: no
			
 
				 
			
 
				-- name: create JKS generation container
			
 
				-  command: >
			
 
				-    docker run
			
 
				-    -u 0
			
 
				-    -e "PROJECT={{openshift_logging_namespace}}"
			
 
				-    -e "CERT_DIR={{generated_certs_dir}}"
			
 
				-    -v "{{generated_certs_dir}}:{{generated_certs_dir}}"
			
 
				-    --name "jks_gen_{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(10)}}"
			
 
				-    --entrypoint="/bin/bash"
			
 
				-    "{{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}"
			
 
				-    "{{generated_certs_dir}}/generate-jks.sh"
			
 
				-  register: container_output
			
 
				+- name: Run JKS generation script
			
 
				+  script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}}
			
 
				+  register: script_output
			
 
				   check_mode: no
			
 
				   become: yes
			
 
				+  changed_when: script_output.RC == "0"
			
 
				   when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
			
 
				 
			
 
				 # check for secret/logging-kibana-proxy