@luckylittle
Created February 12, 2021 10:41
An example of enabling ETCD monitoring in OCP3
---
# Configuring ETCD monitoring in OCP3
# Lucian Maly - Red Hat, Inc.
- name: Configuring etcd monitoring
  hosts: masters[0]
  gather_facts: no
  tasks:
    - name: 1.0 | ocp3-etcd-monitoring.yml | Fetch certificates from one master node to the local machine
      fetch:
        src: /etc/etcd/ca/{{ item }}
        dest: /tmp/
        flat: yes
      loop:
        - ca.crt
        - ca.key
    - name: 1.1 | ocp3-etcd-monitoring.yml | Create the openssl.cnf file locally
      copy:
        content: |
          [ req ]
          req_extensions = v3_req
          distinguished_name = req_distinguished_name
          [ req_distinguished_name ]
          [ v3_req ]
          basicConstraints = CA:FALSE
          keyUsage = nonRepudiation, keyEncipherment, digitalSignature
          extendedKeyUsage = serverAuth, clientAuth
        dest: /tmp/openssl.cnf
      delegate_to: localhost
    - name: 1.2 | ocp3-etcd-monitoring.yml | Generate the etcd.key private key file locally
      shell: "openssl genrsa -out /tmp/etcd.key 2048"
      delegate_to: localhost
    - name: 1.3 | ocp3-etcd-monitoring.yml | Generate the etcd.csr certificate signing request file locally
      shell: 'openssl req -new -key /tmp/etcd.key -out /tmp/etcd.csr -subj "/CN=etcd" -config /tmp/openssl.cnf'
      delegate_to: localhost
    - name: 1.4 | ocp3-etcd-monitoring.yml | Generate the etcd.crt certificate file locally (signed by the etcd CA, with the v3_req extensions)
      shell: "openssl x509 -req -in /tmp/etcd.csr -CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial -out /tmp/etcd.crt -days 365 -extensions v3_req -extfile /tmp/openssl.cnf"
      delegate_to: localhost
    - name: 1.5 | ocp3-etcd-monitoring.yml | Create the /tmp/etcd-cert-secret.yml locally
      shell: |
        cat <<-EOF > /tmp/etcd-cert-secret.yml
        apiVersion: v1
        data:
          etcd-client-ca.crt: "$(cat /tmp/ca.crt | base64 --wrap=0)"
          etcd-client.crt: "$(cat /tmp/etcd.crt | base64 --wrap=0)"
          etcd-client.key: "$(cat /tmp/etcd.key | base64 --wrap=0)"
        kind: Secret
        metadata:
          name: kube-etcd-client-certs
          namespace: openshift-monitoring
        type: Opaque
        EOF
      delegate_to: localhost
    - name: 1.6 | ocp3-etcd-monitoring.yml | Change permission of the /tmp/etcd-cert-secret.yml file locally
      file:
        path: /tmp/etcd-cert-secret.yml
        mode: '0666'  # quoted so YAML keeps the octal mode as written
      delegate_to: localhost
    - name: 1.7 | ocp3-etcd-monitoring.yml | Transfer /tmp/etcd-cert-secret.yml to one of the master's /root folder
      copy:
        src: /tmp/etcd-cert-secret.yml
        dest: '/root'
    - name: 1.8 | ocp3-etcd-monitoring.yml | Cleanup of the local files
      file:
        path: /tmp/{{ item }}
        state: absent
      loop:
        - ca.crt
        - ca.key
        - openssl.cnf
        - etcd.key
        - etcd.csr
        - etcd.crt
        - etcd-cert-secret.yml
      delegate_to: localhost
    - name: 1.9 | ocp3-etcd-monitoring.yml | Apply the secret on the master
      shell: 'oc apply -f /root/etcd-cert-secret.yml'
      register: oc_apply
    - name: 1.10 | ocp3-etcd-monitoring.yml | Show the output of the previous apply command
      debug:
        msg: "{{ oc_apply }}"
    - name: 1.11 | ocp3-etcd-monitoring.yml | Download the contents of a ConfigMap into the /root folder as config.yaml
      shell: 'oc extract cm/cluster-monitoring-config --to=/root -n openshift-monitoring'
    - name: 1.12 | ocp3-etcd-monitoring.yml | Append the ETCD monitoring stanza to config.yaml
      shell: |
        echo -e 'etcd:\n  targets:\n    selector:\n      openshift.io/component: etcd\n      openshift.io/control-plane: "true"' >> /root/config.yaml
    - name: 1.13 | ocp3-etcd-monitoring.yml | Apply/update the existing ConfigMap in openshift-monitoring
      shell: |
        oc create configmap cluster-monitoring-config --from-file=config.yaml -n openshift-monitoring --dry-run -o yaml | oc apply -f -
    - name: 1.14 | ocp3-etcd-monitoring.yml | Cleanup of the remote files
      file:
        path: /root/{{ item }}
        state: absent
      loop:
        - etcd-cert-secret.yml
        - config.yaml
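As an added example (not part of the gist), the shell below reproduces tasks 1.1 to 1.4 of the playbook against a constructed stand-in CA in place of the master's /etc/etcd/ca, then runs the checks a practitioner would want on etcd.crt before it goes into the kube-etcd-client-certs Secret: it chains to the CA, carries CN=etcd, is valid for client authentication, is not itself a CA, and no private key is readable beyond its owner. Assumed: `openssl` on the PATH, GNU `find -perm /mode`, and the function and directory names, which are mine.

```shell
# Added example: reproduces tasks 1.1-1.4 of the playbook with a constructed
# stand-in for the master's /etc/etcd/ca, then checks the resulting client
# certificate before it would be turned into the kube-etcd-client-certs Secret.
write_openssl_cnf() {  # $1 = path; v3_req is the playbook's section, v3_ca is only for the stand-in CA
  cat > "$1" <<'EOF'
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

make_etcd_client_cert() {  # $1 = working directory (created 0700; keys written 0600)
  d=$1; umask 077; mkdir -p "$d"; write_openssl_cnf "$d/openssl.cnf"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null          # stand-in signer, not the real etcd CA
  openssl req -x509 -new -key "$d/ca.key" -out "$d/ca.crt" -days 1 \
    -subj "/CN=stand-in-etcd-signer" -config "$d/openssl.cnf" -extensions v3_ca
  openssl genrsa -out "$d/etcd.key" 2048 2>/dev/null        # task 1.2
  openssl req -new -key "$d/etcd.key" -out "$d/etcd.csr" -subj "/CN=etcd" -config "$d/openssl.cnf"  # 1.3
  openssl x509 -req -in "$d/etcd.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/etcd.crt" -days 365 -extensions v3_req -extfile "$d/openssl.cnf" 2>/dev/null  # 1.4
}

# Checks worth running before `oc apply`: the cert chains to the CA the monitoring stack will
# trust, names CN=etcd, is valid for client auth, is not a CA, and no key is wider than 0600.
check_etcd_client_cert() {  # $1 = working directory; the non-zero return value names the failed check
  d=$1
  openssl verify -CAfile "$d/ca.crt" "$d/etcd.crt" 2>/dev/null | grep -q ': OK$' || return 1
  openssl x509 -in "$d/etcd.crt" -noout -subject | grep -Eq 'CN ?= ?etcd$' || return 2
  txt=$(openssl x509 -in "$d/etcd.crt" -noout -text)
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' || return 3
  printf '%s\n' "$txt" | grep -q 'CA:FALSE' || return 4
  [ -z "$(find "$d" -name '*.key' -perm /077)" ] || return 5
  return 0
}
```

Run `make_etcd_client_cert /tmp/etcd-check && check_etcd_client_cert /tmp/etcd-check; echo $?` to see which check, if any, a certificate fails.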