okd/roles/openshift_logging/tasks/generate_secrets.yaml

---
- name: Retrieving the cert to use when generating secrets for the logging components
  slurp: src="{{generated_certs_dir}}/{{item.file}}"
  register: key_pairs
  with_items:
    - { name: "ca_file", file: "ca.crt" }
    - { name: "kibana_key", file: "system.logging.kibana.key"}
    - { name: "kibana_cert", file: "system.logging.kibana.crt"}
    - { name: "curator_key", file: "system.logging.curator.key"}
    - { name: "curator_cert", file: "system.logging.curator.crt"}
    - { name: "fluentd_key", file: "system.logging.fluentd.key"}
    - { name: "fluentd_cert", file: "system.logging.fluentd.crt"}
    - { name: "kibana_internal_key", file: "kibana-internal.key"}
    - { name: "kibana_internal_cert", file: "kibana-internal.crt"}
    - { name: "server_tls", file: "server-tls.json"}

- name: Generating secrets for logging components
  template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
  vars:
    secret_name: logging-{{component}}
    secret_key_file: "{{component}}_key"
    secret_cert_file: "{{component}}_cert"
    secrets:
      - {key: ca, value: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"}
      - {key: key, value: "{{key_pairs | entry_from_named_pair(secret_key_file)| b64decode }}"}
      - {key: cert, value: "{{key_pairs | entry_from_named_pair(secret_cert_file)| b64decode }}"}
    secret_keys: ["ca", "cert", "key"]
  with_items:
    - kibana
    - curator
    - fluentd
  loop_control:
    loop_var: component
  when: secret_name not in openshift_logging_facts.{{component}}.secrets or
        secret_keys | difference(openshift_logging_facts.{{component}}.secrets["{{secret_name}}"]["keys"]) | length != 0
  check_mode: no
  changed_when: no

- name: Generating secrets for kibana proxy
  template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{secret_name}}-secret.yaml
  vars:
    secret_name: logging-kibana-proxy
    secrets:
      - {key: oauth-secret, value: "{{oauth_secret}}"}
      - {key: session-secret, value: "{{session_secret}}"}
      - {key: server-key, value: "{{kibana_key_file}}"}
      - {key: server-cert, value: "{{kibana_cert_file}}"}
      - {key: server-tls, value: "{{server_tls_file}}"}
    secret_keys: ["server-tls.json", "server-key", "session-secret", "oauth-secret", "server-cert"]
    kibana_key_file: "{{key_pairs | entry_from_named_pair('kibana_internal_key')| b64decode }}"
    kibana_cert_file: "{{key_pairs | entry_from_named_pair('kibana_internal_cert')| b64decode }}"
    server_tls_file: "{{key_pairs | entry_from_named_pair('server_tls')| b64decode }}"
  when: secret_name not in openshift_logging_facts.kibana.secrets or
        secret_keys | difference(openshift_logging_facts.kibana.secrets["{{secret_name}}"]["keys"]) | length != 0
  check_mode: no
  changed_when: no

- name: Generating secrets for elasticsearch
  command: >
    {{openshift.common.client_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig secrets new {{secret_name}}
    key={{generated_certs_dir}}/logging-es.jks truststore={{generated_certs_dir}}/truststore.jks
    searchguard.key={{generated_certs_dir}}/elasticsearch.jks searchguard.truststore={{generated_certs_dir}}/truststore.jks
    admin-key={{generated_certs_dir}}/system.admin.key admin-cert={{generated_certs_dir}}/system.admin.crt
    admin-ca={{generated_certs_dir}}/ca.crt admin.jks={{generated_certs_dir}}/system.admin.jks -o yaml
  vars:
    secret_name: logging-elasticsearch
    secret_keys: ["admin-cert", "searchguard.key", "admin-ca", "key", "truststore", "admin-key"]
  register: logging_es_secret
  when: secret_name not in openshift_logging_facts.elasticsearch.secrets or
        secret_keys | difference(openshift_logging_facts.elasticsearch.secrets["{{secret_name}}"]["keys"]) | length != 0
  check_mode: no
  changed_when: no

- copy: content="{{logging_es_secret.stdout}}" dest={{mktemp.stdout}}/templates/logging-elasticsearch-secret.yaml
  when: logging_es_secret.stdout is defined
  check_mode: no
  changed_when: no