From 4995672c464ef0e0cb26fc12fb6ad81b479f0b53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ra=C3=BAl=20Sevilla?=
Date: Tue, 11 Dec 2018 02:17:51 +0100
Subject: [PATCH] Handle audit log path in /var/log/origin
---
 .../master_check_paths_in_config.py | 1 +
 .../test/test_master_check_paths_in_config.py | 2 ++
 roles/openshift_control_plane/tasks/main.yml | 10 +++++++
 .../openshift_control_plane/tasks/static.yml | 27 +++++++++++++++++++
 4 files changed, 40 insertions(+)
diff --git a/roles/lib_utils/action_plugins/master_check_paths_in_config.py b/roles/lib_utils/action_plugins/master_check_paths_in_config.py
index d7ad3a0e233..76670d972e5 100644
--- a/roles/lib_utils/action_plugins/master_check_paths_in_config.py
+++ b/roles/lib_utils/action_plugins/master_check_paths_in_config.py
@@ -34,6 +34,7 @@
 '/etc/origin/cloudprovider',
 '/etc/origin/kubelet-plugins',
 '/usr/libexec/kubernetes/kubelet-plugins',
+ '/var/log/origin',
 )
 ALLOWED_DIRS_STRING = ', '.join(ALLOWED_DIRS)
diff --git a/roles/lib_utils/test/test_master_check_paths_in_config.py b/roles/lib_utils/test/test_master_check_paths_in_config.py
index bbfcafdb218..b65c5390211 100644
--- a/roles/lib_utils/test/test_master_check_paths_in_config.py
+++ b/roles/lib_utils/test/test_master_check_paths_in_config.py
@@ -24,6 +24,8 @@ def loaded_config():
 'oauthConfig':
 {'identityProviders':
 ['1', '2', '/this/will/fail']},
+ 'auditConfig':
+ {'auditFilePath': "/var/log/origin/audit-ocp.log"},
 'fake_top_item':
 {'fake_item':
 {'fake_item2':
diff --git a/roles/openshift_control_plane/tasks/main.yml b/roles/openshift_control_plane/tasks/main.yml
index 21ba4b23a3a..4ee9d64846b 100644
--- a/roles/openshift_control_plane/tasks/main.yml
+++ b/roles/openshift_control_plane/tasks/main.yml
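Review bot: The new `'/var/log/origin'` entry in `ALLOWED_DIRS` (master_check_paths_in_config.py) is unconditional, while the tasks this commit adds to static.yml mount that directory into the API static pod only when `auditConfig.auditFilePath` points at it. Presumably any other path-valued setting placed under /var/log/origin would pass this check, and as far as the diff shows the directory would not be mounted for it. A comment on the entry would record the coupling, e.g. `# audit logs only; mounted by openshift_control_plane when auditFilePath is under this dir`. The tuple's opening and the code that compares against it are outside the hunk, so how the prefix is matched cannot be confirmed from here.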
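Review bot: The fixture in test_master_check_paths_in_config.py gains only an accepted audit path, so nothing in this hunk exercises the boundary of the new allow-list entry. A second value that shares the prefix without being inside the directory, for example a constructed `'/var/log/origin-old/audit.log'`, would show whether the check matches on a path component or on a bare string prefix. The assertions that consume `loaded_config()` are outside the hunk, so the expected-failure list would need the matching update.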
@@ -45,6 +45,16 @@
 mode: '0750'
 when: not openshift_is_atomic | bool
+- name: Create openshift audit log directory
+ file:
+ state: directory
+ path: "/var/log/origin"
+ mode: 0700
+ when:
+ - openshift.master.audit_config is defined
+ - openshift.master.audit_config.auditFilePath is defined
+ - '"/var/log/origin" in openshift.master.audit_config.auditFilePath'
+
 - name: Create the policy file if it does not already exist
 command: >
 {{ openshift_client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
diff --git a/roles/openshift_control_plane/tasks/static.yml b/roles/openshift_control_plane/tasks/static.yml
index f61a45d819e..1839feeb179 100644
--- a/roles/openshift_control_plane/tasks/static.yml
+++ b/roles/openshift_control_plane/tasks/static.yml
@@ -62,6 +62,33 @@
 value: "/etc/origin/kubelet-plugins"
 when: openshift_is_atomic | bool
+- name: Add audit volume to master static pod (api)
+ yedit:
+ src: "{{ mktemp.stdout }}/apiserver.yaml"
+ append: true
+ key: spec.volumes
+ value:
+ name: audit-logs
+ hostPath:
+ path: "/var/log/origin"
+ when:
+ - openshift.master.audit_config is defined
+ - openshift.master.audit_config.auditFilePath is defined
+ - '"/var/log/origin" in openshift.master.audit_config.auditFilePath'
+
+- name: Add audit volumeMounts to master static pod (api)
+ yedit:
+ src: "{{ mktemp.stdout }}/apiserver.yaml"
+ append: true
+ key: spec.containers[0].volumeMounts
+ value:
+ mountPath: "/var/log/origin"
+ name: audit-logs
+ when:
+ - openshift.master.audit_config is defined
+ - openshift.master.audit_config.auditFilePath is defined
+ - '"/var/log/origin" in openshift.master.audit_config.auditFilePath'
+
 - name: ensure pod location exists
 file:
 path: "{{ openshift_control_plane_static_pod_location }}"
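Review bot: The last `when` condition of the new "Create openshift audit log directory" task in main.yml, `'"/var/log/origin" in openshift.master.audit_config.auditFilePath'`, is a substring test, so it is also true for paths such as `/var/log/origin-old/audit.log` or `/data/var/log/origin/audit.log` that are not under the directory being created. Anchoring it, e.g. `- openshift.master.audit_config.auditFilePath.startswith("/var/log/origin/")`, ties the task to the directory it manages; the two `yedit` tasks added in static.yml repeat the same condition and need the same change. Separately, `mode: 0700` is unquoted while the context line above uses `mode: '0750'`; writing `mode: '0700'` matches the file and avoids relying on YAML octal parsing.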
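Review bot: The `audit-logs` hostPath volume added in static.yml mounts the whole host directory `/var/log/origin` into the API server container without `readOnly`, so the container can write to anything kept there, not only the audit file. If the directory is meant to be reserved for audit output, a comment above the first task would say so, e.g. `# /var/log/origin is dedicated to API audit logs; the pod needs write access to it`. The three-line `when:` list is also repeated verbatim on both tasks and again in main.yml; wrapping the two `yedit` tasks in one `block:` with a single `when:` would keep the conditions from drifting apart.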