
Merge pull request #7294 from jcantrill/1537857_part2

Automatic merge from submit-queue.

bug 1537857. Additional logging proxy metrics fixes

This PR provides additional fixes to:

* set the password correctly by properly decoding
* modifying the default prometheus namespace if one isn't provided

ref: https://bugzilla.redhat.com/show_bug.cgi?id=1537857
OpenShift Merge Robot 7 years ago
parent
commit
f123167eb3

+ 1 - 1
roles/openshift_logging_elasticsearch/defaults/main.yml

@@ -42,7 +42,7 @@ openshift_logging_elasticsearch_kibana_index_mode: 'unique'
 
 openshift_logging_elasticsearch_proxy_cpu_request: "100m"
 openshift_logging_elasticsearch_proxy_memory_limit: "64Mi"
-openshift_logging_elasticsearch_prometheus_sa: "system:serviceaccount:{{openshift_prometheus_namespace | default('prometheus')}}:prometheus"
+openshift_logging_elasticsearch_prometheus_sa: "system:serviceaccount:{{openshift_prometheus_namespace | default('openshift-metrics')}}:prometheus"
 
 # this is used to determine if this is an operations deployment or a non-ops deployment
 # simply used for naming purposes
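Review bot: The new fallback `default('openshift-metrics')` hard-codes the prometheus role's namespace default inside the logging role, so the two defaults can drift silently the next time one of them changes, and the service-account subject in the RoleBinding would then point at a namespace where no prometheus SA exists. If the prometheus role exposes its default namespace as a variable, referencing it here is safer; otherwise a comment above the line, `# keep in sync with the default namespace of the openshift_prometheus role`, at least tells the next editor where the coupling is. The Jinja spacing also differs from the rest of this role, `{{ openshift_prometheus_namespace | default('openshift-metrics') }}` would match the style used in tasks/main.yaml.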

+ 30 - 15
roles/openshift_logging_elasticsearch/tasks/main.yaml

@@ -120,31 +120,46 @@
     dest: "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
   vars:
     namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+
+- template:
+    src: "{{ __base_file_dir }}/logging-metrics-rolebinding.j2"
+    dest: "{{mktemp.stdout}}/templates/logging-metrics-rolebinding.yml"
+  vars:
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
     role_namespace: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_namespace(openshift_logging_elasticsearch_namespace) }}"
     role_user: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_name }}"
 
 - name: Create logging-metrics-reader-role
-  command: >
-    {{ openshift_client_binary }}
-    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
-    -n "{{ openshift_logging_elasticsearch_namespace }}"
-    create -f "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
-  register: prometheus_out
-  check_mode: no
-  ignore_errors: yes
+  oc_obj:
+    state: present
+    name: "prometheus-metrics-viewer"
+    kind: role
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    files:
+    - "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
+    delete_after: true
 
-- fail:
-    msg: "There was an error creating the logging-metrics-role and binding: {{prometheus_out}}"
-  when:
-  - "prometheus_out.stderr | length > 0"
-  - "'already exists' not in prometheus_out.stderr"
+- name: Create logging-metrics-reader-rolebinding
+  oc_obj:
+    state: present
+    name: "prometheus-metrics-viewer"
+    kind: rolebinding
+    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+    files:
+    - "{{mktemp.stdout}}/templates/logging-metrics-rolebinding.yml"
+    delete_after: true
 
 - name: Checking for passwd.yml
   stat: path="{{ generated_certs_dir }}/passwd.yml"
   register: passwd_file
   check_mode: no
 
-- when: not passwd_file.stat.exists
+- when: passwd_file.stat.exists
+  slurp:
+    src: "{{ generated_certs_dir }}/passwd.yml"
+  register: _logging_metrics_proxy_passwd
+
+- when: not passwd_file.stat.exists or openshift_logging_elasticsearch_prometheus_sa not in ( _logging_metrics_proxy_passwd['content'] | b64decode | from_yaml )
   template:
     src: passwd.j2
     dest: "{{ generated_certs_dir }}/passwd.yml"
@@ -441,7 +456,7 @@
     es_container_security_context: "{{ _es_containers.elasticsearch.securityContext if _es_containers is defined and 'elasticsearch' in _es_containers and 'securityContext' in _es_containers.elasticsearch else None }}"
     deploy_type: "{{ openshift_logging_elasticsearch_deployment_type }}"
     es_replicas: 1
-    basic_auth_passwd: "{{ ( _logging_metrics_proxy_passwd['content'] | b64decode | from_yaml )[openshift_logging_elasticsearch_prometheus_sa]['passwd'] }}"
+    basic_auth_passwd: "{{ ( _logging_metrics_proxy_passwd['content'] | b64decode | from_yaml )[openshift_logging_elasticsearch_prometheus_sa]['passwd'] | b64decode }}"
     es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(1) }}"
     es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas| default(0) }}"
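Review bot: `basic_auth_passwd` now carries the decoded plaintext password as a task variable, and nothing marks it sensitive, so a `-v` run or a failed task's result output will print it; add `no_log: true` to the task these vars belong to (its header is outside the hunk) and to the new `slurp` task in the first hunk, whose registered `content` is the entire passwd.yml. The new `when` on the template task in the first hunk also errors if passwd.yml exists but is empty or is not a mapping, because `from_yaml` then yields `None` and `... not in None` is a Jinja error rather than a regeneration; `| from_yaml | default({}, true)` keeps the regeneration path working in that case. The `or` does short-circuit when the file is absent, so the skipped slurp result is not a problem there.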
 

+ 1 - 1
roles/openshift_logging_elasticsearch/templates/2.x/es.j2

@@ -137,7 +137,7 @@ spec:
            - --upstream-ca=/etc/elasticsearch/secret/admin-ca
            - --https-address=:4443
            - -provider=openshift
-           - -client-id={{openshift_logging_elasticsearch_prometheus_sa}}
+           - -client-id=system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch
            - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
            - -cookie-secret={{ 16 | lib_utils_oo_random_word | b64encode }}
            - -basic-auth-password={{ basic_auth_passwd }}
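Review bot: The new `-client-id` hard-codes the service-account name `aggregated-logging-elasticsearch` while the token it pairs with is read from `-client-secret-file`; if the role already defines the ES service-account name as a variable, use it here so a rename cannot leave the OAuth client identity and the presented token out of step, and the same line is changed in templates/5.x/es.j2. Separately, `-basic-auth-password={{ basic_auth_passwd }}` on the context line below puts the plaintext password into the container args, where it is visible in the pod spec to anyone who can read pods in the namespace and in the container's process list; this is not introduced by the commit, but since the commit is the one that makes the value the usable password, wiring it through a mounted secret would be the safer form if the proxy supports reading it from a file.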

+ 14 - 30
roles/openshift_logging_elasticsearch/templates/2.x/logging-metrics-role.j2

@@ -1,31 +1,15 @@
 ---
-apiVersion: v1
-kind: List
-items:
-- apiVersion: rbac.authorization.k8s.io/v1beta1
-  kind: Role
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    name: prometheus-metrics-viewer
-    namespace: {{ namespace }}
-  rules:
-  - apiGroups:
-    - metrics.openshift.io
-    resources:
-    - prometheus
-    verbs:
-    - view
-- apiVersion: rbac.authorization.k8s.io/v1beta1
-  kind: RoleBinding
-  metadata:
-    name: prometheus-metrics-viewer
-    namespace: {{ namespace }}
-  roleRef:
-    apiGroup: rbac.authorization.k8s.io
-    kind: Role
-    name: prometheus-metrics-viewer
-  subjects:
-  - kind: ServiceAccount
-    namespace: {{ role_namespace }}
-    name: {{ role_user }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: prometheus-metrics-viewer
+  namespace: {{ namespace }}
+rules:
+- apiGroups:
+  - metrics.openshift.io
+  resources:
+  - prometheus
+  verbs:
+  - view
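Review bot: `namespace: {{ namespace }}` is an unquoted templated scalar, so an empty or number-looking expansion silently renders as null or the wrong type instead of failing the template; write it as `namespace: "{{ namespace }}"`, and quote `{{ namespace }}`, `{{ role_namespace }}` and `{{ role_user }}` in the new logging-metrics-rolebinding.j2 the same way, plus the identical 5.x copies of both templates. The `rbac.authorization.kubernetes.io/autoupdate` annotation appears to be meaningful only for the roles the API server bootstraps, so on this custom Role it is presumably inert; if nobody relies on it, dropping it avoids suggesting the role is reconciled. Given that the 2.x and 5.x templates are byte-identical, a single shared template would remove the risk of the two copies diverging.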

+ 14 - 0
roles/openshift_logging_elasticsearch/templates/2.x/logging-metrics-rolebinding.j2

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: prometheus-metrics-viewer
+  namespace: {{ namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-metrics-viewer
+subjects:
+- kind: ServiceAccount
+  namespace: {{ role_namespace }}
+  name: {{ role_user }}

+ 1 - 1
roles/openshift_logging_elasticsearch/templates/5.x/es.j2

@@ -145,7 +145,7 @@ spec:
            - --upstream-ca=/etc/elasticsearch/secret/admin-ca
            - --https-address=:4443
            - -provider=openshift
-           - -client-id={{openshift_logging_elasticsearch_prometheus_sa}}
+           - -client-id=system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch
            - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
            - -cookie-secret={{ 16 | lib_utils_oo_random_word | b64encode }}
            - -upstream=https://localhost:9200

+ 14 - 30
roles/openshift_logging_elasticsearch/templates/5.x/logging-metrics-role.j2

@@ -1,31 +1,15 @@
 ---
-apiVersion: v1
-kind: List
-items:
-- apiVersion: rbac.authorization.k8s.io/v1beta1
-  kind: Role
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    name: prometheus-metrics-viewer
-    namespace: {{ namespace }}
-  rules:
-  - apiGroups:
-    - metrics.openshift.io
-    resources:
-    - prometheus
-    verbs:
-    - view
-- apiVersion: rbac.authorization.k8s.io/v1beta1
-  kind: RoleBinding
-  metadata:
-    name: prometheus-metrics-viewer
-    namespace: {{ namespace }}
-  roleRef:
-    apiGroup: rbac.authorization.k8s.io
-    kind: Role
-    name: prometheus-metrics-viewer
-  subjects:
-  - kind: ServiceAccount
-    namespace: {{ role_namespace }}
-    name: {{ role_user }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: prometheus-metrics-viewer
+  namespace: {{ namespace }}
+rules:
+- apiGroups:
+  - metrics.openshift.io
+  resources:
+  - prometheus
+  verbs:
+  - view

+ 14 - 0
roles/openshift_logging_elasticsearch/templates/5.x/logging-metrics-rolebinding.j2

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: prometheus-metrics-viewer
+  namespace: {{ namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-metrics-viewer
+subjects:
+- kind: ServiceAccount
+  namespace: {{ role_namespace }}
+  name: {{ role_user }}