
Remove the docker-run strategy and make Java a requirement for the control host

ewolinetz há 8 anos atrás
pai
commit
9edfa73d2c

+ 3 - 0
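--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -6,6 +6,9 @@ This role is used for installing the Aggregated Logging stack. It should be run
 a single host, it will create any missing certificates and API objects that the current
 [logging deployer](https://github.com/openshift/origin-aggregated-logging/tree/master/deployer) does.
 
+This role requires that the control host it is run on has Java installed as part of keystore
+generation for Elasticsearch (it uses JKS).
+
 As part of the installation, it is recommended that you add the Fluentd node selector label
 to the list of persisted [node labels](https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-node-host-labels).
 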

+ 11 - 1
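--- a/roles/openshift_logging/files/generate-jks.sh
+++ b/roles/openshift_logging/files/generate-jks.sh
@@ -1,6 +1,10 @@
 #! /bin/sh
 set -ex
 
+function usage() {
+  echo Usage: `basename $0` cert_directory [logging_namespace] 1>&2
+}
+
 function generate_JKS_chain() {
     dir=${SCRATCH_DIR:-_output}
     ADD_OID=$1
@@ -147,8 +151,14 @@ function createTruststore() {
     -noprompt -alias sig-ca
 }
 
-dir="$CERT_DIR"
+if [ $# -lt 1 ]; then
+  usage
+  exit 1
+fi
+
+dir=$1
 SCRATCH_DIR=$dir
+PROJECT=${2:-logging}
 
 if [[ ! -f $dir/system.admin.jks || -z "$(keytool -list -keystore $dir/system.admin.jks -storepass kspass | grep sig-ca)" ]]; then
   generate_JKS_client_cert "system.admin"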
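Review bot: The new `usage` function is declared with the bash-only `function` keyword, while the shebang two lines above it is `#! /bin/sh`; on hosts where sh is dash the file fails to parse before anything runs, so either change the shebang to `#!/bin/bash` (the file already relies on `[[` further down) or declare it as `usage() {`. The added argument check only tests arity: `dir=$1` is then used unquoted as `$dir/system.admin.jks` on the following context lines, so a non-existent or space-containing path is not caught — `[ -d "$1" ] || { usage; exit 1; }` together with `dir="$1"` would cover both. The message itself would be cleaner as `printf 'Usage: %s cert_directory [logging_namespace]\n' "${0##*/}" >&2`, avoiding backticks and the unquoted `$0`. The top-level script continues past the end of this hunk.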

+ 4 - 12
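--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -112,20 +112,12 @@
   register: truststore_jks
   check_mode: no
 
-- name: create JKS generation container
-  command: >
-    docker run
-    -u 0
-    -e "PROJECT={{openshift_logging_namespace}}"
-    -e "CERT_DIR={{generated_certs_dir}}"
-    -v "{{generated_certs_dir}}:{{generated_certs_dir}}"
-    --name "jks_gen_{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(10)}}"
-    --entrypoint="/bin/bash"
-    "{{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}"
-    "{{generated_certs_dir}}/generate-jks.sh"
-  register: container_output
+- name: Run JKS generation script
+  script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}}
+  register: script_output
   check_mode: no
   become: yes
+  changed_when: script_output.RC == "0"
   when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
 
 # check for secret/logging-kibana-proxy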
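Review bot: The new `script:` line passes `{{generate_certs_dir}}`, but every removed `docker run` line (the `-e CERT_DIR`, the `-v` mount and the script path) used `generated_certs_dir`, so the first argument will most likely render as undefined and the task fails or the script gets an empty directory; it should read `script: generate-jks.sh {{generated_certs_dir}} {{openshift_logging_namespace}}`. The added `changed_when: script_output.RC == "0"` compares against a key the script module, as far as I know, does not set — the exit status is registered as the integer `rc` — so write `changed_when: script_output.rc == 0`. Note that the script module transfers and runs the script on the managed node, so unless this play targets localhost, Java/keytool is required there rather than on the control host as the README text in this commit states. Because the script runs under `set -x`, its trace (including the literal `-storepass` argument visible on the last context line of the shell hunk) now lands in `script_output` and the Ansible log; `no_log: true` on this task would keep that out of the output.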