shixiong
/
okd


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241
							---

# namespace
- name: Add prometheus project
  oc_project:
    state: "{{ state }}"
    name: "{{ openshift_prometheus_namespace }}"
    node_selector: "{{ openshift_prometheus_node_selector | oo_selector_to_string_list() }}"
    description: Prometheus

# secrets
- name: Set alert and prometheus secrets
  oc_secret:
    state: "{{ state }}"
    name: "{{ item }}-proxy"
    namespace: "{{ openshift_prometheus_namespace }}"
    contents:
      - path: session_secret
        data: "{{ 43 | oo_random_word }}="
  with_items:
    - prometheus
    - alerts

# serviceaccount
- name: create prometheus serviceaccount
  oc_serviceaccount:
    state: "{{ state }}"
    name: prometheus
    namespace: "{{ openshift_prometheus_namespace }}"
    #    TODO add annotations when supproted
    #    annotations:
    #      serviceaccounts.openshift.io/oauth-redirectreference.prom: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus"}}'
    #      serviceaccounts.openshift.io/oauth-redirectreference.alerts: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"alerts"}}'

    secrets:
      - prometheus-secrets
  changed_when: no

# TODO remove this when annotations are supported by oc_serviceaccount
- name: annotate serviceaccount
  command: >
    {{ openshift.common.client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
    serviceaccount prometheus
    serviceaccounts.openshift.io/oauth-redirectreference.prom='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus"}}'
    serviceaccounts.openshift.io/oauth-redirectreference.alerts='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"alerts"}}'


# create clusterrolebinding for prometheus serviceaccount
- name: Set cluster-reader permissions for prometheus
  oc_adm_policy_user:
    state: "{{ state }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    resource_kind: cluster-role
    resource_name: cluster-reader
    user: "system:serviceaccount:{{ openshift_prometheus_namespace }}:prometheus"


######################################################################
# NFS
# In the case that we are not running on a cloud provider, volumes must be statically provisioned

- include: nfs.yaml
  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))


# create prometheus and alerts services
# TODO join into 1 task with loop
- name: Create prometheus service
  oc_service:
    state: "{{ state }}"
    name: "{{ item.name }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    selector:
      app: prometheus
    labels:
      name: "{{ item.name }}"
      #    TODO add annotations when supported
      #    annotations:
      #      service.alpha.openshift.io/serving-cert-secret-name: "{{item.name}}-tls"
    ports:
      - port: 443
        targetPort: 8443
  with_items:
    - name: prometheus

- name: Create alerts service
  oc_service:
    state: "{{ state }}"
    name: "{{ item.name }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    selector:
      app: prometheus
    labels:
      name: "{{ item.name }}"
      #    TODO add annotations when supported
      #    annotations:
      #      service.alpha.openshift.io/serving-cert-secret-name: "{{item.name}}-tls"
    ports:
      - port: 443
        targetPort: 9443
  with_items:
    - name: alerts


# Annotate services with secret name
# TODO remove this when annotations are supported by oc_service
- name: annotate prometheus service
  command: >
    {{ openshift.common.client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
    service prometheus 'service.alpha.openshift.io/serving-cert-secret-name=prometheus-tls'

- name: annotate alerts service
  command: >
    {{ openshift.common.client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
    service alerts 'service.alpha.openshift.io/serving-cert-secret-name=prometheus-alerts-tls'

# create prometheus and alerts routes
- name: create prometheus and alerts routes
  oc_route:
    state: "{{ state }}"
    name: "{{ item.name }}"
    namespace: "{{ openshift_prometheus_namespace }}"
    service_name: "{{ item.name }}"
    tls_termination: reencrypt
  with_items:
    - name: prometheus
    - name: alerts

# Storage
- name: create prometheus pvc
  oc_pvc:
    namespace: "{{ openshift_prometheus_namespace }}"
    name: "{{ openshift_prometheus_pvc_name }}"
    access_modes: "{{ openshift_prometheus_pvc_access_modes }}"
    volume_capacity: "{{ openshift_prometheus_pvc_size }}"
    selector: "{{ openshift_prometheus_pvc_pv_selector }}"

- name: create alertmanager pvc
  oc_pvc:
    namespace: "{{ openshift_prometheus_namespace }}"
    name: "{{ openshift_prometheus_alertmanager_pvc_name }}"
    access_modes: "{{ openshift_prometheus_alertmanager_pvc_access_modes }}"
    volume_capacity: "{{ openshift_prometheus_alertmanager_pvc_size }}"
    selector: "{{ openshift_prometheus_alertmanager_pvc_pv_selector }}"

- name: create alertbuffer pvc
  oc_pvc:
    namespace: "{{ openshift_prometheus_namespace }}"
    name: "{{ openshift_prometheus_alertbuffer_pvc_name }}"
    access_modes: "{{ openshift_prometheus_alertbuffer_pvc_access_modes }}"
    volume_capacity: "{{ openshift_prometheus_alertbuffer_pvc_size }}"
    selector: "{{ openshift_prometheus_alertbuffer_pvc_pv_selector }}"

# create prometheus deployment
- name: Set prometheus deployment template
  template:
    src: prometheus_deployment.j2
    dest: "{{ tempdir }}/templates/prometheus.yaml"
  vars:
    namespace: "{{ openshift_prometheus_namespace }}"
    prom_replicas: "{{ openshift_prometheus_replicas }}"

- name: Set prometheus deployment
  oc_obj:
    state: "{{ state }}"
    name: "prometheus"
    namespace: "{{ openshift_prometheus_namespace }}"
    kind: deployment
    files:
      - "{{ tempdir }}/templates/prometheus.yaml"
    delete_after: true

# prometheus configmap
# Copy the additional rules file if it is defined
- name: Copy additional rules file to host
  copy:
    src: "{{ openshift_prometheus_additional_rules_file }}"
    dest: "{{ tempdir }}/prometheus.additional.rules"
  when:
    - openshift_prometheus_additional_rules_file is defined
    - openshift_prometheus_additional_rules_file is not none
    - openshift_prometheus_additional_rules_file | trim | length > 0

- stat:
    path: "{{ tempdir }}/prometheus.additional.rules"
  register: additional_rules_stat

# The kubernetes version impacts the prometheus scraping endpoint
# so gathering it before constructing the configmap
- name: get oc version
  oc_version:
  register: oc_version

- set_fact:
    kubernetes_version: "{{ oc_version.results.kubernetes_short | float }}"

- template:
    src: prometheus.yml.j2
    dest: "{{ tempdir }}/prometheus.yml"
  changed_when: no

- template:
    src: prometheus.rules.j2
    dest: "{{ tempdir }}/prometheus.rules"
  changed_when: no

# In prometheus configmap create "additional.rules" section if file exists
- name: Set prometheus configmap
  oc_configmap:
    state: "{{ state }}"
    name: "prometheus"
    namespace: "{{ openshift_prometheus_namespace }}"
    from_file:
      prometheus.rules: "{{ tempdir }}/prometheus.rules"
      prometheus.additional.rules: "{{ tempdir }}/prometheus.additional.rules"
      prometheus.yml: "{{ tempdir }}/prometheus.yml"
  when: additional_rules_stat.stat.exists == True

- name: Set prometheus configmap
  oc_configmap:
    state: "{{ state }}"
    name: "prometheus"
    namespace: "{{ openshift_prometheus_namespace }}"
    from_file:
      prometheus.rules: "{{ tempdir }}/prometheus.rules"
      prometheus.yml: "{{ tempdir }}/prometheus.yml"
  when: additional_rules_stat.stat.exists == False

# alertmanager configmap
- template:
    src: alertmanager.yml.j2
    dest: "{{ tempdir }}/alertmanager.yml"
  changed_when: no

- name: Set alertmanager configmap
  oc_configmap:
    state: "{{ state }}"
    name: "prometheus-alerts"
    namespace: "{{ openshift_prometheus_namespace }}"
    from_file:
      alertmanager.yml: "{{ tempdir }}/alertmanager.yml"