diff --git a/roles/lib_utils/action_plugins/master_check_paths_in_config.py b/roles/lib_utils/action_plugins/master_check_paths_in_config.py index 7eb89d90d47..f836ef10040 100644 --- a/roles/lib_utils/action_plugins/master_check_paths_in_config.py +++ b/roles/lib_utils/action_plugins/master_check_paths_in_config.py @@ -23,6 +23,7 @@ ITEMS_TO_POP = ( ('oauthConfig', 'identityProviders'), + ('auditConfig', 'auditFilePath'), ) # Create csv string of dot-separated dictionary keys: # eg: 'oathConfig.identityProviders, something.else.here' @@ -48,8 +49,10 @@ def pop_migrated_fields(mastercfg): field = mastercfg for sub_field in item: parent_field = field + if sub_field not in field: + continue field = field[sub_field] - parent_field.pop(item[len(item) - 1]) + parent_field.pop(item[len(item) - 1], None) def do_item_check(val, strings_to_check): diff --git a/roles/lib_utils/test/test_master_check_paths_in_config.py b/roles/lib_utils/test/test_master_check_paths_in_config.py index bbfcafdb218..632f566bd57 100644 --- a/roles/lib_utils/test/test_master_check_paths_in_config.py +++ b/roles/lib_utils/test/test_master_check_paths_in_config.py @@ -24,6 +24,8 @@ def loaded_config(): 'oauthConfig': {'identityProviders': ['1', '2', '/this/will/fail']}, + 'auditConfig': + {'auditFilePath': "/var/log/audit-ocp.log"}, 'fake_top_item': {'fake_item': {'fake_item2': diff --git a/roles/openshift_control_plane/tasks/main.yml b/roles/openshift_control_plane/tasks/main.yml index a17ab90f4d2..dc30fce7576 100644 --- a/roles/openshift_control_plane/tasks/main.yml +++ b/roles/openshift_control_plane/tasks/main.yml 
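Review bot: The added `continue` in pop_migrated_fields does not stop the descent when a key is missing: `field` stays at the parent level, the next `sub_field` is looked up there, and the trailing `parent_field.pop(item[len(item) - 1], None)` still runs against whatever dict was reached last, so a key that coincidentally exists one level up (a top-level `auditFilePath` or `identityProviders`) would be popped from the wrong place, and a non-dict intermediate value still fails on `field[sub_field]`. The intent is to skip the whole item, which `break` plus a `for`/`else` expresses directly: `if sub_field not in field: break` in the loop body, then `else: parent_field.pop(item[len(item) - 1], None)` so the pop only happens when every key of the item was found. The `for item in ITEMS_TO_POP` loop this body sits in appears to start above the hunk, as does the rest of the function.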
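Review bot: The fixture change only covers a config that has both `auditConfig` and `auditFilePath`, so the new missing-key branch in pop_migrated_fields (`if sub_field not in field: continue`) is not exercised even though an absent `auditConfig` is presumably the common case for this optional setting. Add a case that runs pop_migrated_fields on a config without `auditConfig`, and one with `auditConfig` but no `auditFilePath`, asserting that nothing raises and that unrelated keys such as `fake_top_item` survive untouched.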
@@ -44,6 +44,18 @@ path: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" mode: '0750' +- name: Create openshift audit log directory + file: + state: directory + path: "{{ openshift.master.audit_config.auditFilePath | dirname }}" + mode: 0700 + when: + - openshift.master.audit_config is defined + - openshift.master.audit_config.auditFilePath is defined + - not "/etc/origin/master" in openshift.master.audit_config.auditFilePath + - not "/var/lib/origin" in openshift.master.audit_config.auditFilePath + - not "/etc/origin/cloudprovider" in openshift.master.audit_config.auditFilePath + - name: Create the policy file if it does not already exist command: > {{ openshift_client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig diff --git a/roles/openshift_control_plane/tasks/static.yml b/roles/openshift_control_plane/tasks/static.yml index 766a3b36d75..835ed6087c9 100644 --- a/roles/openshift_control_plane/tasks/static.yml +++ b/roles/openshift_control_plane/tasks/static.yml @@ -45,6 +45,31 @@ - key: spec.containers[0].readinessProbe.httpGet.port value: "{{ openshift_master_api_port }}" +- name: Add audit volume to master static pod (api) + yedit: + src: "{{ mktemp.stdout }}/apiserver.yaml" + append: true + key: spec.volumes + value: + name: audit-logs + hostPath: + path: "{{ openshift.master.audit_config.auditFilePath | dirname }}" + when: + - openshift.master.audit_config is defined + - openshift.master.audit_config.auditFilePath is defined + +- name: Add audit volumeMounts to master static pod (api) + yedit: + src: "{{ mktemp.stdout }}/apiserver.yaml" + append: true + key: spec.containers[0].volumeMounts + value: + mountPath: "{{ openshift.master.audit_config.auditFilePath | dirname }}" + name: audit-logs + when: + - openshift.master.audit_config is defined + - openshift.master.audit_config.auditFilePath is defined + - name: ensure pod location exists file: path: "{{ openshift_control_plane_static_pod_location }}"
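Review bot: `mode: 0700` in the new "Create openshift audit log directory" task is applied to whatever `auditFilePath | dirname` resolves to, and the `file` module sets the mode on a directory that already exists, so a value like the `/var/log/audit-ocp.log` used in the test fixture would tighten `/var/log` itself to 0700 and lock other services out of it. Either drop `mode` here, or require the audit log to live in its own subdirectory; if the mode must be enforced, `stat` the directory first and apply it only when it is being created. The three `not "…" in …` conditions are substring tests rather than prefix tests, so a path that merely contains one of those strings further along (for example a constructed `/srv/etc/origin/master/audit.log`) is skipped as if it were inside the existing mount; `openshift.master.audit_config.auditFilePath.startswith('/etc/origin/master/')` (and likewise for the other two) states the intent, and quoting the mode as `'0700'` keeps it consistent with the `mode: '0750'` context line above.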
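Review bot: The two new yedit tasks in static.yml mount `auditFilePath | dirname` from the host read-write into the apiserver container, so an audit path such as `/var/log/audit-ocp.log` exposes the host's entire `/var/log` to the pod rather than only the audit log; requiring a dedicated directory for the audit file keeps the hostPath to what the audit backend needs. Unlike the directory task in main.yml, these tasks do not exclude paths under `/etc/origin/master`, `/var/lib/origin` or `/etc/origin/cloudprovider`, so an audit path under one of those adds a second volume and volumeMount for a directory the static pod presumably already mounts (which is why main.yml skips them), and a duplicate `mountPath` within one container is rejected by pod validation. Add the same three conditions here, or group these tasks with the directory task under one `block:` carrying a single `when:`, so the two files cannot drift apart. Both tasks also repeat the same two-line `when:`; the block form removes that duplication as well.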