okd/roles/openshift_logging_elasticsearch/tasks/main.yaml

---
- name: Validate Elasticsearch cluster size
  fail: msg="The openshift_logging_es_cluster_size may only be scaled down manually. Please see official documentation on how to do this."
  when: openshift_logging_facts.elasticsearch.deploymentconfigs | length > openshift_logging_es_cluster_size|int

- name: Validate Elasticsearch Ops cluster size
  fail: msg="The openshift_logging_es_ops_cluster_size may only be scaled down manually. Please see official documentation on how to do this."
  when: openshift_logging_facts.elasticsearch_ops.deploymentconfigs | length > openshift_logging_es_ops_cluster_size|int

- fail:
    msg: Invalid deployment type, one of ['data-master', 'data-client', 'master', 'client'] allowed
  when: not openshift_logging_elasticsearch_deployment_type in __allowed_es_types

- set_fact:
    elasticsearch_name: "{{ 'logging-elasticsearch' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
    es_component: "{{ 'es' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}"

- include: determine_version.yaml

# allow passing in a tempdir
- name: Create temp directory for doing work in
  command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
  register: mktemp
  changed_when: False

- set_fact:
    tempdir: "{{ mktemp.stdout }}"

# This may not be necessary in this role
- name: Create templates subdirectory
  file:
    state: directory
    path: "{{ tempdir }}/templates"
    mode: 0755
  changed_when: False

# we want to make sure we have all the necessary components here

# service account

- name: Create ES service account
  oc_serviceaccount:
    state: present
    name: "aggregated-logging-elasticsearch"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    image_pull_secrets: "{{ openshift_logging_image_pull_secret }}"
  when: openshift_logging_image_pull_secret != ''

- name: Create ES service account
  oc_serviceaccount:
    state: present
    name: "aggregated-logging-elasticsearch"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
  when:
  - openshift_logging_image_pull_secret == ''

# rolebinding reader
- copy:
    src: rolebinding-reader.yml
    dest: "{{ tempdir }}/rolebinding-reader.yml"

- name: Create rolebinding-reader role
  oc_obj:
    state: present
    name: "rolebinding-reader"
    kind: clusterrole
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    files:
    - "{{ tempdir }}/rolebinding-reader.yml"
    delete_after: true

# SA roles
- name: Set rolebinding-reader permissions for ES
  oc_adm_policy_user:
    state: present
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    resource_kind: cluster-role
    resource_name: rolebinding-reader
    user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch"

- oc_adm_policy_user:
    state: present
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    resource_kind: cluster-role
    resource_name: system:auth-delegator
    user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace}}:aggregated-logging-elasticsearch"

# logging-metrics-reader role
- template:
    src: logging-metrics-role.j2
    dest: "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
  vars:
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    role_namespace: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_namespace(openshift_logging_elasticsearch_namespace) }}"
    role_user: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_name }}"

- name: Create logging-metrics-reader-role
  command: >
    {{ openshift.common.client_binary }}
    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
    -n "{{ openshift_logging_elasticsearch_namespace }}"
    create -f "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
  register: prometheus_out
  check_mode: no
  ignore_errors: yes

- fail:
    msg: "There was an error creating the logging-metrics-role and binding: {{prometheus_out}}"
  when:
  - "prometheus_out.stderr | length > 0"
  - "'already exists' not in prometheus_out.stderr"

# View role and binding
- name: Generate logging-elasticsearch-view-role
  template:
    src: rolebinding.j2
    dest: "{{mktemp.stdout}}/logging-elasticsearch-view-role.yaml"
  vars:
    obj_name: logging-elasticsearch-view-role
    roleRef:
      name: view
    subjects:
    - kind: ServiceAccount
      name: aggregated-logging-elasticsearch
  changed_when: no

- name: Set logging-elasticsearch-view-role role
  oc_obj:
    state: present
    name: "logging-elasticsearch-view-role"
    kind: rolebinding
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    files:
    - "{{ tempdir }}/logging-elasticsearch-view-role.yaml"
    delete_after: true

# configmap
- assert:
    that:
    - openshift_logging_elasticsearch_kibana_index_mode in __kibana_index_modes
    msg: "The openshift_logging_elasticsearch_kibana_index_mode '{{ openshift_logging_elasticsearch_kibana_index_mode  }}' only supports one of: {{ __kibana_index_modes | join(', ') }}"

- assert:
    that:
    - "{{ openshift_logging_es_log_appenders | length > 0 }}"
    msg: "The openshift_logging_es_log_appenders '{{ openshift_logging_es_log_appenders }}' has an unrecognized option and only supports the following as a list: {{ __es_log_appenders | join(', ') }}"

- template:
    src: elasticsearch-logging.yml.j2
    dest: "{{ tempdir }}/elasticsearch-logging.yml"
  vars:
    root_logger: "{{openshift_logging_es_log_appenders | join(', ')}}"
  when: es_logging_contents is undefined
  changed_when: no

- set_fact:
    __es_num_of_shards: "{{ _es_configmap | default({}) | walk('index.number_of_shards', '1') }}"
    __es_num_of_replicas: "{{ _es_configmap | default({}) | walk('index.number_of_replicas', '0') }}"

- template:
    src: elasticsearch.yml.j2
    dest: "{{ tempdir }}/elasticsearch.yml"
  vars:
    allow_cluster_reader: "{{ openshift_logging_elasticsearch_ops_allow_cluster_reader | lower | default('false') }}"
    es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(None) or __es_num_of_shards }}"
    es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(None) or __es_num_of_replicas }}"
    es_kibana_index_mode: "{{ openshift_logging_elasticsearch_kibana_index_mode | default('unique') }}"

  when: es_config_contents is undefined
  changed_when: no

- copy:
    content: "{{ es_logging_contents }}"
    dest: "{{ tempdir }}/elasticsearch-logging.yml"
  when: es_logging_contents is defined
  changed_when: no

- copy:
    content: "{{ es_config_contents }}"
    dest: "{{ tempdir }}/elasticsearch.yml"
  when: es_config_contents is defined
  changed_when: no

- name: Set ES configmap
  oc_configmap:
    state: present
    name: "{{ elasticsearch_name }}"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    from_file:
      elasticsearch.yml: "{{ tempdir }}/elasticsearch.yml"
      logging.yml: "{{ tempdir }}/elasticsearch-logging.yml"


# secret
- name: Set ES secret
  oc_secret:
    state: present
    name: "logging-elasticsearch"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    files:
    - name: key
      path: "{{ generated_certs_dir }}/logging-es.jks"
    - name: truststore
      path: "{{ generated_certs_dir }}/truststore.jks"
    - name: searchguard.key
      path: "{{ generated_certs_dir }}/elasticsearch.jks"
    - name: searchguard.truststore
      path: "{{ generated_certs_dir }}/truststore.jks"
    - name: admin-key
      path: "{{ generated_certs_dir }}/system.admin.key"
    - name: admin-cert
      path: "{{ generated_certs_dir }}/system.admin.crt"
    - name: admin-ca
      path: "{{ generated_certs_dir }}/ca.crt"
    - name: admin.jks
      path: "{{ generated_certs_dir }}/system.admin.jks"

# services
- name: Set logging-{{ es_component }}-cluster service
  oc_service:
    state: present
    name: "logging-{{ es_component }}-cluster"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    selector:
      component: "{{ es_component }}"
      provider: openshift
    labels:
      logging-infra: 'support'
    ports:
    - port: 9300

- name: Set logging-{{ es_component }} service
  oc_service:
    state: present
    name: "logging-{{ es_component }}"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    selector:
      component: "{{ es_component }}"
      provider: openshift
    labels:
      logging-infra: 'support'
    ports:
    - port: 9200
      targetPort: "restapi"

- name: Set logging-{{ es_component}}-prometheus service
  oc_service:
    state: present
    name: "logging-{{es_component}}-prometheus"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    labels:
      logging-infra: 'support'
    ports:
    - name: proxy
      port: 443
      targetPort: 4443
    selector:
      component: "{{ es_component }}-prometheus"
      provider: openshift

- oc_edit:
    kind: service
    name: "logging-{{es_component}}-prometheus"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    separator: '#'
    content:
      metadata#annotations#service.alpha.openshift.io/serving-cert-secret-name: "prometheus-tls"
      metadata#annotations#prometheus.io/scrape: "true"
      metadata#annotations#prometheus.io/scheme: "https"
      metadata#annotations#prometheus.io/path: "_prometheus/metrics"

- name: Check to see if PVC already exists
  oc_obj:
    state: list
    kind: pvc
    name: "{{ openshift_logging_elasticsearch_pvc_name }}"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
  register: logging_elasticsearch_pvc

# logging_elasticsearch_pvc.results.results | length > 0 returns a false positive
# so we check for the presence of 'stderr' to determine if the obj exists or not
# the RC for existing and not existing is both 0
- when:
  - logging_elasticsearch_pvc.results.stderr is defined
  - openshift_logging_elasticsearch_storage_type == "pvc"
  block:
  # storageclasses are used by default but if static then disable
  # storageclasses with the storageClassName set to "" in pvc.j2
  - name: Creating ES storage template - static
    template:
      src: pvc.j2
      dest: "{{ tempdir }}/templates/logging-es-pvc.yml"
    vars:
      obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}"
      size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}"
      access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}"
      pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}"
      storage_class_name: "{{ openshift_logging_elasticsearch_pvc_storage_class_name | default('', true) }}"
    when:
    - not openshift_logging_elasticsearch_pvc_dynamic | bool

  # Storageclasses are used by default if configured
  - name: Creating ES storage template - dynamic
    template:
      src: pvc.j2
      dest: "{{ tempdir }}/templates/logging-es-pvc.yml"
    vars:
      obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}"
      size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}"
      access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}"
      pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}"
    when:
    - openshift_logging_elasticsearch_pvc_dynamic | bool

  - name: Set ES storage
    oc_obj:
      state: present
      kind: pvc
      name: "{{ openshift_logging_elasticsearch_pvc_name }}"
      namespace: "{{ openshift_logging_elasticsearch_namespace }}"
      files:
      - "{{ tempdir }}/templates/logging-es-pvc.yml"
      delete_after: true

- set_fact:
    es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 8 | oo_random_word('abcdefghijklmnopqrstuvwxyz0123456789') }}"
  when: openshift_logging_elasticsearch_deployment_name == ""

- set_fact:
    es_deploy_name: "{{ openshift_logging_elasticsearch_deployment_name }}"
  when: openshift_logging_elasticsearch_deployment_name != ""

# DC
- name: Set ES dc templates
  template:
    src: es.j2
    dest: "{{ tempdir }}/templates/logging-es-dc.yml"
  vars:
    es_cluster_name: "{{ es_component }}"
    component: "{{ es_component }}"
    logging_component: elasticsearch
    deploy_name: "{{ es_deploy_name }}"
    image: "{{ openshift_logging_elasticsearch_image_prefix }}logging-elasticsearch:{{ openshift_logging_elasticsearch_image_version }}"
    es_cpu_limit: "{{ openshift_logging_elasticsearch_cpu_limit }}"
    es_memory_limit: "{{ openshift_logging_elasticsearch_memory_limit }}"
    es_node_selector: "{{ openshift_logging_elasticsearch_nodeselector | default({}) }}"
    es_storage_groups: "{{ openshift_logging_elasticsearch_storage_group | default([]) }}"
    es_container_security_context: "{{ _es_containers.elasticsearch.securityContext if _es_containers is defined and 'elasticsearch' in _es_containers and 'securityContext' in _es_containers.elasticsearch else None }}"
    deploy_type: "{{ openshift_logging_elasticsearch_deployment_type }}"
    es_replicas: 1

- name: Set ES dc
  oc_obj:
    state: present
    name: "{{ es_deploy_name }}"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    kind: dc
    files:
    - "{{ tempdir }}/templates/logging-es-dc.yml"
    delete_after: true

- name: Retrieving the cert to use when generating secrets for the {{ es_component }} component
  slurp:
    src: "{{ generated_certs_dir }}/{{ item.file }}"
  register: key_pairs
  with_items:
  - { name: "ca_file", file: "ca.crt" }
  - { name: "es_key", file: "system.logging.es.key" }
  - { name: "es_cert", file: "system.logging.es.crt" }
  when: openshift_logging_es_allow_external | bool

- set_fact:
    es_key: "{{ lookup('file', openshift_logging_es_key) | b64encode }}"
  when:
  - openshift_logging_es_key | trim | length > 0
  - openshift_logging_es_allow_external | bool
  changed_when: false

- set_fact:
    es_cert: "{{ lookup('file', openshift_logging_es_cert) | b64encode  }}"
  when:
  - openshift_logging_es_cert | trim | length > 0
  - openshift_logging_es_allow_external | bool
  changed_when: false

- set_fact:
    es_ca: "{{ lookup('file', openshift_logging_es_ca_ext) | b64encode  }}"
  when:
  - openshift_logging_es_ca_ext | trim | length > 0
  - openshift_logging_es_allow_external | bool
  changed_when: false

- set_fact:
    es_ca: "{{ key_pairs | entry_from_named_pair('ca_file') }}"
  when:
  - es_ca is not defined
  - openshift_logging_es_allow_external | bool
  changed_when: false

- name: Generating Elasticsearch {{ es_component }} route template
  template:
    src: route_reencrypt.j2
    dest: "{{mktemp.stdout}}/templates/logging-{{ es_component }}-route.yaml"
  vars:
    obj_name: "logging-{{ es_component }}"
    route_host: "{{ openshift_logging_es_hostname }}"
    service_name: "logging-{{ es_component }}"
    tls_key: "{{ es_key | default('') | b64decode }}"
    tls_cert: "{{ es_cert | default('') | b64decode }}"
    tls_ca_cert: "{{ es_ca | b64decode }}"
    tls_dest_ca_cert: "{{ key_pairs | entry_from_named_pair('ca_file') | b64decode }}"
    edge_term_policy: "{{ openshift_logging_es_edge_term_policy | default('') }}"
    labels:
      component: support
      logging-infra: support
      provider: openshift
  changed_when: no
  when: openshift_logging_es_allow_external | bool

# This currently has an issue if the host name changes
- name: Setting Elasticsearch {{ es_component }} route
  oc_obj:
    state: present
    name: "logging-{{ es_component }}"
    namespace: "{{ openshift_logging_elasticsearch_namespace }}"
    kind: route
    files:
    - "{{ tempdir }}/templates/logging-{{ es_component }}-route.yaml"
  when: openshift_logging_es_allow_external | bool

## Placeholder for migration when necessary ##

- name: Delete temp directory
  file:
    name: "{{ tempdir }}"
    state: absent
  changed_when: False