okd/roles/openshift_prometheus/tasks/install_prometheus.yaml

---

# namespace
- name: Add prometheus project
  oc_project:
    state: "{{ state }}"
    name: "{{ openshift_prometheus_namespace }}"
    node_selector: "{{ openshift_prometheus_node_selector | oo_selector_to_string_list() }}"
    description: Prometheus

# secrets
- name: Set alert and prometheus secrets
  oc_secret:
    state: "{{ state }}"
    name: "{{ item }}-proxy"
    namespace: "{{ openshift_prometheus_namespace }}"
    contents:
      - path: session_secret
        data: "{{ 43 | oo_random_word }}="
  with_items:
    - prometheus
    - alerts

# serviceaccount
- name: create prometheus serviceaccount
  oc_serviceaccount:
    state: "{{ state }}"
    name: prometheus
    namespace: "{{ openshift_prometheus_namespace }}"
    #    TODO add annotations when supproted
    #    annotations:
    #      serviceaccounts.openshift.io/oauth-redirectreference.prom: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus"}}'
    #      serviceaccounts.openshift.io/oauth-redirectreference.alerts: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"alerts"}}'

    secrets:
      - prometheus-secrets
  changed_when: no

# TODO remove this when annotations are supported by oc_serviceaccount
- name: annotate serviceaccount
  command: >
    {{ openshift.common.client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
    serviceaccount prometheus
    serviceaccounts.openshift.io/oauth-redirectreference.prom='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus"}}'
    serviceaccounts.openshift.io/oauth-redirectreference.alerts='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"alerts"}}'


# create clusterrolebinding for prometheus serviceaccount
- name: Set cluster-reader permissions for prometheus
  oc_adm_policy_user:
    state: "{{ state }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    resource_kind: cluster-role
    resource_name: cluster-reader
    user: "system:serviceaccount:{{ openshift_prometheus_namespace }}:prometheus"

# create prometheus and alerts services
# TODO join into 1 task with loop
- name: Create prometheus service
  oc_service:
    state: "{{ state }}"
    name: "{{ item.name }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    selector:
      app: prometheus
    labels:
      name: "{{ item.name }}"
      #    TODO add annotations when supported
      #    annotations:
      #      service.alpha.openshift.io/serving-cert-secret-name: "{{item.name}}-tls"
    ports:
      - port: 443
        targetPort: 8443
  with_items:
    - name: prometheus

- name: Create alerts service
  oc_service:
    state: "{{ state }}"
    name: "{{ item.name }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    selector:
      app: prometheus
    labels:
      name: "{{ item.name }}"
      #    TODO add annotations when supported
      #    annotations:
      #      service.alpha.openshift.io/serving-cert-secret-name: "{{item.name}}-tls"
    ports:
      - port: 443
        targetPort: 9443
  with_items:
    - name: alerts


# Annotate services with secret name
# TODO remove this when annotations are supported by oc_service
- name: annotate prometheus service
  command: >
    {{ openshift.common.client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
    service prometheus
    prometheus.io/scrape='true'
    prometheus.io/scheme=https
    service.alpha.openshift.io/serving-cert-secret-name=prometheus-tls

- name: annotate alerts service
  command: >
    {{ openshift.common.client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
    service alerts 'service.alpha.openshift.io/serving-cert-secret-name=prometheus-alerts-tls'

# create prometheus and alerts routes
- name: create prometheus and alerts routes
  oc_route:
    state: "{{ state }}"
    name: "{{ item.name }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    service_name: "{{ item.name }}"
    tls_termination: reencrypt
  with_items:
    - name: prometheus
    - name: alerts

# Storage
- name: create prometheus pvc
  oc_pvc:
    namespace: "{{ openshift_prometheus_namespace }}"
    name: "{{ openshift_prometheus_pvc_name }}"
    access_modes: "{{ openshift_prometheus_pvc_access_modes }}"
    volume_capacity: "{{ openshift_prometheus_pvc_size }}"
    selector: "{{ openshift_prometheus_pvc_pv_selector }}"

- name: create alertmanager pvc
  oc_pvc:
    namespace: "{{ openshift_prometheus_namespace }}"
    name: "{{ openshift_prometheus_alertmanager_pvc_name }}"
    access_modes: "{{ openshift_prometheus_alertmanager_pvc_access_modes }}"
    volume_capacity: "{{ openshift_prometheus_alertmanager_pvc_size }}"
    selector: "{{ openshift_prometheus_alertmanager_pvc_pv_selector }}"

- name: create alertbuffer pvc
  oc_pvc:
    namespace: "{{ openshift_prometheus_namespace }}"
    name: "{{ openshift_prometheus_alertbuffer_pvc_name }}"
    access_modes: "{{ openshift_prometheus_alertbuffer_pvc_access_modes }}"
    volume_capacity: "{{ openshift_prometheus_alertbuffer_pvc_size }}"
    selector: "{{ openshift_prometheus_alertbuffer_pvc_pv_selector }}"

# create prometheus deployment
- name: Set prometheus deployment template
  template:
    src: prometheus_deployment.j2
    dest: "{{ tempdir }}/templates/prometheus.yaml"
  vars:
    namespace: "{{ openshift_prometheus_namespace }}"
    prom_replicas: "{{ openshift_prometheus_replicas }}"

- name: Set prometheus deployment
  oc_obj:
    state: "{{ state }}"
    name: "prometheus"
    namespace: "{{ openshift_prometheus_namespace }}"
    kind: deployment
    files:
      - "{{ tempdir }}/templates/prometheus.yaml"
    delete_after: true

# prometheus configmap
# Copy the additional rules file if it is defined
- name: Copy additional rules file to host
  copy:
    src: "{{ openshift_prometheus_additional_rules_file }}"
    dest: "{{ tempdir }}/prometheus.additional.rules"
  when:
    - openshift_prometheus_additional_rules_file is defined
    - openshift_prometheus_additional_rules_file is not none
    - openshift_prometheus_additional_rules_file | trim | length > 0

- stat:
    path: "{{ tempdir }}/prometheus.additional.rules"
  register: additional_rules_stat

# The kubernetes version impacts the prometheus scraping endpoint
# so gathering it before constructing the configmap
- name: get oc version
  oc_version:
  register: oc_version

- set_fact:
    kubernetes_version: "{{ oc_version.results.kubernetes_short | float }}"

- template:
    src: prometheus.yml.j2
    dest: "{{ tempdir }}/prometheus.yml"
  changed_when: no

- template:
    src: prometheus.rules.j2
    dest: "{{ tempdir }}/prometheus.rules"
  changed_when: no

# In prometheus configmap create "additional.rules" section if file exists
- name: Set prometheus configmap
  oc_configmap:
    state: "{{ state }}"
    name: "prometheus"
    namespace: "{{ openshift_prometheus_namespace }}"
    from_file:
      prometheus.rules: "{{ tempdir }}/prometheus.rules"
      prometheus.additional.rules: "{{ tempdir }}/prometheus.additional.rules"
      prometheus.yml: "{{ tempdir }}/prometheus.yml"
  when: additional_rules_stat.stat.exists == True

- name: Set prometheus configmap
  oc_configmap:
    state: "{{ state }}"
    name: "prometheus"
    namespace: "{{ openshift_prometheus_namespace }}"
    from_file:
      prometheus.rules: "{{ tempdir }}/prometheus.rules"
      prometheus.yml: "{{ tempdir }}/prometheus.yml"
  when: additional_rules_stat.stat.exists == False

# alertmanager configmap
- template:
    src: alertmanager.yml.j2
    dest: "{{ tempdir }}/alertmanager.yml"
  changed_when: no

- name: Set alertmanager configmap
  oc_configmap:
    state: "{{ state }}"
    name: "prometheus-alerts"
    namespace: "{{ openshift_prometheus_namespace }}"
    from_file:
      alertmanager.yml: "{{ tempdir }}/alertmanager.yml"