
Adding to ansible spec and changing logging jks generation to be a local_action

ewolinetz 8 years ago
parent
commit
d740fd1594

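--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -18,6 +18,7 @@ Requires:      python2
 Requires:      python-six
 Requires:      tar
 Requires:      openshift-ansible-docs = %{version}-%{release}
+Requires:      java-1.8.0-openjdk-headless
 
 %description
 Openshift and Atomic Enterprise Ansible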

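--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -7,7 +7,7 @@ a single host, it will create any missing certificates and API objects that the
 [logging deployer](https://github.com/openshift/origin-aggregated-logging/tree/master/deployer) does.
 
 This role requires that the control host it is run on has Java installed as part of keystore
-generation for Elasticsearch (it uses JKS).
+generation for Elasticsearch (it uses JKS) as well as openssl to sign certificates.
 
 As part of the installation, it is recommended that you add the Fluentd node selector label
 to the list of persisted [node labels](https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-node-host-labels).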

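--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -85,40 +85,8 @@
   loop_control:
     loop_var: node_name
 
-- name: Copy JKS generation script
-  copy:
-    src: generate-jks.sh
-    dest: "{{generated_certs_dir}}/generate-jks.sh"
-  check_mode: no
-
-# check if pod generated files exist -- if they all do don't run the pod
-- name: Checking for elasticsearch.jks
-  stat: path="{{generated_certs_dir}}/elasticsearch.jks"
-  register: elasticsearch_jks
-  check_mode: no
-
-- name: Checking for logging-es.jks
-  stat: path="{{generated_certs_dir}}/logging-es.jks"
-  register: logging_es_jks
-  check_mode: no
-
-- name: Checking for system.admin.jks
-  stat: path="{{generated_certs_dir}}/system.admin.jks"
-  register: system_admin_jks
-  check_mode: no
-
-- name: Checking for truststore.jks
-  stat: path="{{generated_certs_dir}}/truststore.jks"
-  register: truststore_jks
-  check_mode: no
-
-- name: Run JKS generation script
-  script: generate-jks.sh {{generate_certs_dir}} {{openshift_logging_namespace}}
-  register: script_output
-  check_mode: no
-  become: yes
-  changed_when: script_output.RC == "0"
-  when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
+- name: Creating necessary JKS certs
+  include: generate_jks.yaml
 
 # check for secret/logging-kibana-proxy
 - command: >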

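--- /dev/null
+++ b/roles/openshift_logging/tasks/generate_jks.yaml
@@ -0,0 +1,111 @@
+---
+# check if pod generated files exist -- if they all do don't run the pod
+- name: Checking for elasticsearch.jks
+  stat: path="{{generated_certs_dir}}/elasticsearch.jks"
+  register: elasticsearch_jks
+  check_mode: no
+
+- name: Checking for logging-es.jks
+  stat: path="{{generated_certs_dir}}/logging-es.jks"
+  register: logging_es_jks
+  check_mode: no
+
+- name: Checking for system.admin.jks
+  stat: path="{{generated_certs_dir}}/system.admin.jks"
+  register: system_admin_jks
+  check_mode: no
+
+- name: Checking for truststore.jks
+  stat: path="{{generated_certs_dir}}/truststore.jks"
+  register: truststore_jks
+  check_mode: no
+
+- name: Create temp directory for doing work in
+  local_action: command mktemp -d /tmp/openshift-logging-ansible-XXXXXX
+  register: local_tmp
+  changed_when: False
+  check_mode: no
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+  file:
+    path: "{{local_tmp.stdout}}/elasticsearch.jks"
+    state: touch
+    mode: "u=rw,g=r,o=r"
+  when: elasticsearch_jks.stat.exists
+  changed_when: False
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+  file:
+    path: "{{local_tmp.stdout}}/logging-es.jks"
+    state: touch
+    mode: "u=rw,g=r,o=r"
+  when: logging_es_jks.stat.exists
+  changed_when: False
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+  file:
+    path: "{{local_tmp.stdout}}/system.admin.jks"
+    state: touch
+    mode: "u=rw,g=r,o=r"
+  when: system_admin_jks.stat.exists
+  changed_when: False
+
+- name: Create placeholder for previously created JKS certs to prevent recreating...
+  file:
+    path: "{{local_tmp.stdout}}/truststore.jks"
+    state: touch
+    mode: "u=rw,g=r,o=r"
+  when: truststore_jks.stat.exists
+  changed_when: False
+
+- name: pulling down signing items from host
+  fetch:
+    src: "{{generated_certs_dir}}/{{item}}"
+    dest: "{{local_tmp.stdout}}/{{item}}"
+    flat: yes
+  with_items:
+    - ca.crt
+    - ca.key
+    - ca.serial.txt
+    - ca.crl.srl
+    - ca.db
+
+- local_action: template src=signing.conf.j2 dest={{local_tmp.stdout}}/signing.conf
+  vars:
+    - top_dir: "{{local_tmp.stdout}}"
+
+- name: Run JKS generation script
+  local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}}
+  check_mode: no
+  become: yes
+  when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+  copy:
+    src: "{{local_tmp.stdout}}/elasticsearch.jks"
+    dest: "{{generated_certs_dir}}/elasticsearch.jks"
+  when: not elasticsearch_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+  copy:
+    src: "{{local_tmp.stdout}}/logging-es.jks"
+    dest: "{{generated_certs_dir}}/logging-es.jks"
+  when: not logging_es_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+  copy:
+    src: "{{local_tmp.stdout}}/system.admin.jks"
+    dest: "{{generated_certs_dir}}/system.admin.jks"
+  when: not system_admin_jks.stat.exists
+
+- name: Pushing locally generated JKS certs to remote host...
+  copy:
+    src: "{{local_tmp.stdout}}/truststore.jks"
+    dest: "{{generated_certs_dir}}/truststore.jks"
+  when: not truststore_jks.stat.exists
+
+- name: Cleaning up temp dir
+  file:
+    path: "{{local_tmp.stdout}}"
+    state: absent
+  changed_when: False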
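Review bot: The four placeholder `file: state: touch` tasks and the final `Cleaning up temp dir` task are not delegated, so they run on the inventory host rather than on the control host where `local_action: command mktemp` created `local_tmp`; the placeholders therefore never land in the directory generate-jks.sh reads, and the cleanup removes nothing locally, leaving the fetched `ca.key` and the generated keystores under /tmp on the control host after every run. Add `delegate_to: localhost` to each of those five `file:` tasks (or write them as `local_action: file ...`), and consider putting the cleanup in a block `always:` so the CA private-key copy is removed even when the script task fails. The `fetch` of `ca.key` and the `signing.conf` template run unconditionally; gating them on the same `when:` as the script task avoids copying the CA private key off the host when every keystore already exists. `become: yes` on the local script task runs generate-jks.sh as root on the control host, which the temp-directory workflow does not appear to need — drop it unless the script requires root. `vars:` on the template task is written as a list (`- top_dir: ...`) where a mapping (`top_dir: "{{local_tmp.stdout}}"`) is the documented form.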

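--- a/roles/openshift_logging/tasks/main.yaml
+++ b/roles/openshift_logging/tasks/main.yaml
@@ -3,7 +3,6 @@
     msg: Only one Fluentd nodeselector key pair should be provided
   when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1"
 
-
 - name: Create temp directory for doing work in
   command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
   register: mktemp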