authorScott Dodson <sdodson@redhat.com>2015-06-10 10:31:39 -0400
committerScott Dodson <sdodson@redhat.com>2015-06-16 15:52:44 -0400
commit7b316631a2b988318b47d3a50a7b66e3ff3fdbd2 (patch)
tree065562cf45a0fb03a6cd66844ee655188325685d
parente903a6b5be49728e31756e5114f7c6ed2553747a (diff)
Update for RC2 changes
Remove openshift-deployer.kubeconfig from master template
Sync config template
Update enterprise image names
Switch to node auto registration
Add deployer to list of serviceAccountConfig.managedNames
Move package installation before registering facts
Change default kubeconfig location
Change system:openshift-client to system:openshift-master
Rename node cert/key/kubeconfig per openshift/origin#3160
Update references to /var/lib/openshift/openshift.local.certificates
-rw-r--r--README_OSE.md12
-rw-r--r--README_origin.md6
-rw-r--r--inventory/byo/hosts2
-rw-r--r--playbooks/common/openshift-node/config.yml10
-rw-r--r--roles/openshift_common/tasks/main.yml1
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py8
-rw-r--r--roles/openshift_master/tasks/main.yml25
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j229
-rw-r--r--roles/openshift_node/tasks/main.yml28
-rw-r--r--roles/openshift_node/templates/node.yaml.v1.j26
-rw-r--r--roles/openshift_node_certificates/README.md34
-rw-r--r--roles/openshift_node_certificates/meta/main.yml16
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml35
-rw-r--r--roles/openshift_node_certificates/vars/main.yml8
-rw-r--r--roles/openshift_register_nodes/README.md23
-rw-r--r--roles/openshift_register_nodes/tasks/main.yml7
16 files changed, 176 insertions, 74 deletions
diff --git a/README_OSE.md b/README_OSE.md
index dffabc714..5a691053c 100644
--- a/README_OSE.md
+++ b/README_OSE.md
@@ -19,7 +19,7 @@
* Either ssh key based auth for the root user or ssh key based auth for a user
with sudo access (no password)
* A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/
-
+
```sh
git clone https://github.com/openshift/openshift-ansible.git
cd openshift-ansible
@@ -80,7 +80,7 @@ ansible_ssh_user=root
deployment_type=enterprise
# Pre-release registry URL
-oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}
+oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}
# Pre-release additional repo
openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel',
@@ -120,16 +120,16 @@ inventory file use the -i option for ansible-playbook.
On the master host:
```sh
openshift ex router --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig \
- --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}'
+ --credentials=/etc/openshift/master/openshift-router.kubeconfig \
+ --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}'
```
#### Create the default docker-registry
On the master host:
```sh
openshift ex registry --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \
- --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}' \
+ --credentials=/etc/openshift/master/openshift-registry.kubeconfig \
+ --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}' \
--mount-host=/var/lib/openshift/docker-registry
```
diff --git a/README_origin.md b/README_origin.md
index 5b3fd2435..32287d65c 100644
--- a/README_origin.md
+++ b/README_origin.md
@@ -19,7 +19,7 @@
* Either ssh key based auth for the root user or ssh key based auth for a user
with sudo access (no password)
* A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/
-
+
```sh
git clone https://github.com/openshift/openshift-ansible.git
cd openshift-ansible
@@ -92,14 +92,14 @@ inventory file use the -i option for ansible-playbook.
On the master host:
```sh
openshift ex router --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig
+ --credentials=/etc/openshift/master/openshift-router.kubeconfig
```
#### Create the default docker-registry
On the master host:
```sh
openshift ex registry --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \
+ --credentials=/etc/openshift/master/openshift-registry.kubeconfig \
--mount-host=/var/lib/openshift/docker-registry
```
diff --git a/inventory/byo/hosts b/inventory/byo/hosts
index 4d4da5468..ab54ce2db 100644
--- a/inventory/byo/hosts
+++ b/inventory/byo/hosts
@@ -17,7 +17,7 @@ ansible_ssh_user=root
deployment_type=enterprise
# Pre-release registry URL
-oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}
+oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}
# Pre-release additional repo
openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/3.0/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}]
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 9e642f3d3..2d2560db4 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -27,10 +27,12 @@
stat:
path: "{{ item }}"
with_items:
- - "/etc/openshift/node/node.key"
- - "/etc/openshift/node/node.kubeconfig"
+ - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.crt"
+ - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.key"
+ - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.kubeconfig"
- "/etc/openshift/node/ca.crt"
- "/etc/openshift/node/server.key"
+ - "/etc/openshift/node/server.crt"
register: stat_result
- set_fact:
certs_missing: "{{ stat_result.results | map(attribute='stat.exists')
@@ -50,7 +52,7 @@
register: mktemp
changed_when: False
-- name: Register nodes
+- name: Create node certificates
hosts: oo_first_master
vars:
nodes_needing_certs: "{{ hostvars
@@ -60,7 +62,7 @@
| oo_select_keys(groups['oo_nodes_to_config']) }}"
sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
roles:
- - openshift_register_nodes
+ - openshift_node_certificates
post_tasks:
- name: Create a tarball of the node config directories
command: >
diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml
index f76dd84ed..a7c565067 100644
--- a/roles/openshift_common/tasks/main.yml
+++ b/roles/openshift_common/tasks/main.yml
@@ -15,4 +15,3 @@
- name: Set hostname
hostname: name={{ openshift.common.hostname }}
-
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 7bc7c3260..1b789ca89 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -298,10 +298,10 @@ def set_registry_url_if_unset(facts):
if 'registry_url' not in facts[role]:
registry_url = "openshift/origin-${component}:${version}"
if deployment_type == 'enterprise':
- registry_url = "openshift3_beta/ose-${component}:${version}"
+ registry_url = "openshift3/ose-${component}:${version}"
elif deployment_type == 'online':
registry_url = ("docker-registry.ops.rhcloud.com/"
- "openshift3_beta/ose-${component}:${version}")
+ "openshift3/ose-${component}:${version}")
facts[role]['registry_url'] = registry_url
return facts
@@ -450,7 +450,9 @@ def get_current_config(facts):
# TODO: parse the /etc/sysconfig/openshift-{master,node} config to
# determine the location of files.
-
+ # TODO: I suspect this isn't working right now, but it doesn't prevent
+ # anything from working properly as far as I can tell, perhaps because
+ # we override the kubeconfig path everywhere we use it?
# Query kubeconfig settings
kubeconfig_dir = '/var/lib/openshift/openshift.local.certificates'
if role == 'node':
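Review bot: The new TODO records a suspicion but leaves `kubeconfig_dir = '/var/lib/openshift/openshift.local.certificates'` pointing at the location the rest of this commit migrates away from (the README, master tasks and node_certificates vars now use `/etc/openshift/master` and `/etc/openshift/node`), so any caller that does rely on this query would read stale or absent credentials without an error. Rather than documenting the doubt, either update the directory (and the `role == 'node'` branch below it) to the new paths or remove the dead query, so a later fact lookup cannot silently resolve to an old certificate directory. If it must stay for now, make the comment actionable, e.g. `# TODO: kubeconfig_dir still points at the pre-RC2 location; verify callers override it or update to /etc/openshift/{master,node}`. The enclosing function get_current_config continues outside the hunk.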
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 23f8b4649..da0a663ec 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -8,6 +8,15 @@
- openshift_master_oauth_grant_method in openshift_master_valid_grant_methods
when: openshift_master_oauth_grant_method is defined
+- name: Install OpenShift Master package
+ yum: pkg=openshift-master state=present
+ register: install_result
+
+# TODO: Is this necessary or was this a workaround for an old bug in packaging?
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: install_result | changed
+
- name: Set master OpenShift facts
openshift_facts:
role: master
@@ -51,14 +60,6 @@
domain: cluster.local
when: openshift.master.embedded_dns
-- name: Install OpenShift Master package
- yum: pkg=openshift-master state=present
- register: install_result
-
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: install_result | changed
-
- name: Create config parent directory if it doesn't exist
file:
path: "{{ openshift_master_config_dir }}"
@@ -130,7 +131,7 @@
- name: Create the OpenShift client config dir(s)
file:
- path: "~{{ item }}/.config/openshift"
+ path: "~{{ item }}/.kube"
state: directory
mode: 0700
owner: "{{ item }}"
@@ -142,16 +143,16 @@
# TODO: Update this file if the contents of the source file are not present in
# the dest file, will need to make sure to ignore things that could be added
- name: Copy the OpenShift admin client config(s)
- command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.config/openshift/.config
+ command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config
args:
- creates: ~{{ item }}/.config/openshift/.config
+ creates: ~{{ item }}/.kube/config
with_items:
- root
- "{{ ansible_ssh_user }}"
- name: Update the permissions on the OpenShift admin client config(s)
file:
- path: "~{{ item }}/.config/openshift/.config"
+ path: "~{{ item }}/.kube/config"
state: file
mode: 0700
owner: "{{ item }}"
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 1c2d37b63..9df07e925 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -1,3 +1,6 @@
+apiLevels:
+- v1beta3
+- v1
apiVersion: v1
assetConfig:
logoutURL: ""
@@ -8,6 +11,8 @@ assetConfig:
certFile: master.server.crt
clientCA: ""
keyFile: master.server.key
+ maxRequestsInFlight: 0
+ requestTimeoutSeconds: 0
corsAllowedOrigins:
{# TODO: add support for user specified corsAllowedOrigins #}
{% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %}
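Review bot: `maxRequestsInFlight: 0` and `requestTimeoutSeconds: 0` are added to `assetConfig.servingInfo` here and again to the top-level `servingInfo` in the last hunk of this file, with nothing saying what `0` selects. If `0` means "no limit" rather than "server default" for either field (confirm against the MasterConfig reference for this release), the externally reachable API is left with no concurrency ceiling and no request timeout, which is a resource-exhaustion backstop worth choosing deliberately rather than inheriting. Other tunables in this template come from facts (`openshift.master.portal_net`, `registry_url`); exposing these two the same way, or at least adding `{# 0 = server default for in-flight limit and timeout; confirm before production use #}` in the file's existing comment style, would make the intent explicit.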
@@ -43,9 +48,9 @@ etcdConfig:
{% endif %}
etcdStorageConfig:
kubernetesStoragePrefix: kubernetes.io
- kubernetesStorageVersion: v1beta3
- kubernetesStoragePrefix: kubernetes.io
- openShiftStorageVersion: v1beta3
+ kubernetesStorageVersion: v1
+ openShiftStoragePrefix: openshift.io
+ openShiftStorageVersion: v1
imageConfig:
format: {{ openshift.master.registry_url }}
latest: false
@@ -58,18 +63,24 @@ kubeletClientInfo:
port: 10250
{% if openshift.master.embedded_kube %}
kubernetesMasterConfig:
+ apiLevels:
+ - v1beta3
+ - v1
+ apiServerArguments: null
+ controllerArguments: null
{# TODO: support overriding masterCount #}
masterCount: 1
masterIP: ""
+ podEvictionTimeout: ""
schedulerConfigFile: {{ openshift_master_scheduler_conf }}
+ servicesNodePortRange: ""
servicesSubnet: {{ openshift.master.portal_net }}
staticNodeNames: {{ openshift_node_ips | default([], true) }}
{% endif %}
masterClients:
{# TODO: allow user to set externalKubernetesKubeConfig #}
- deployerKubeConfig: openshift-deployer.kubeconfig
externalKubernetesKubeConfig: ""
- openshiftLoopbackKubeConfig: openshift-client.kubeconfig
+ openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: {{ openshift.master.public_api_url }}
networkConfig:
clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
@@ -78,16 +89,22 @@ networkConfig:
{% include 'v1_partials/oauthConfig.j2' %}
policyConfig:
bootstrapPolicyFile: {{ openshift_master_policy }}
+ openshiftInfrastructureNamespace: openshift-infra
openshiftSharedResourcesNamespace: openshift
{# TODO: Allow users to override projectConfig items #}
projectConfig:
defaultNodeSelector: ""
projectRequestMessage: ""
projectRequestTemplate: ""
+ securityAllocator:
+ mcsAllocatorRange: s0:/2
+ mcsLabelsPerProject: 5
+ uidAllocatorRange: 1000000000-1999999999/10000
serviceAccountConfig:
managedNames:
- default
- builder
+ - deployer
privateKeyFile: serviceaccounts.private.key
publicKeyFiles:
- serviceaccounts.public.key
@@ -96,3 +113,5 @@ servingInfo:
certFile: master.server.crt
clientCA: ca.crt
keyFile: master.server.key
+ maxRequestsInFlight: 0
+ requestTimeoutSeconds: 0
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 15d18f510..770b55351 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -1,6 +1,20 @@
---
# TODO: allow for overriding default ports where possible
+- name: Install OpenShift Node package
+ yum: pkg=openshift-node state=present
+ register: node_install_result
+
+- name: Install openshift-sdn-ovs
+ yum: pkg=openshift-sdn-ovs state=present
+ register: sdn_install_result
+ when: openshift.common.use_openshift_sdn
+
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: (node_install_result | changed or (openshift.common.use_openshift_sdn
+ and sdn_install_result | changed))
+
- name: Set node OpenShift facts
openshift_facts:
role: "{{ item.role }}"
@@ -22,20 +36,6 @@
debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
portal_net: "{{ openshift_master_portal_net | default(None) }}"
-- name: Install OpenShift Node package
- yum: pkg=openshift-node state=present
- register: node_install_result
-
-- name: Install openshift-sdn-ovs
- yum: pkg=openshift-sdn-ovs state=present
- register: sdn_install_result
- when: openshift.common.use_openshift_sdn
-
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: (node_install_result | changed or (openshift.common.use_openshift_sdn
- and sdn_install_result | changed))
-
# TODO: add the validate parameter when there is a validation command to run
- name: Create the Node config
template:
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2
index cab75cd49..f313f6a4b 100644
--- a/roles/openshift_node/templates/node.yaml.v1.j2
+++ b/roles/openshift_node/templates/node.yaml.v1.j2
@@ -2,14 +2,16 @@ allowDisabledDocker: false
apiVersion: v1
dnsDomain: {{ hostvars[openshift_first_master].openshift.dns.domain }}
dnsIP: {{ hostvars[openshift_first_master].openshift.dns.ip }}
+dockerConfig:
+ execHandlerName: ""
imageConfig:
format: {{ openshift.node.registry_url }}
latest: false
kind: NodeConfig
-masterKubeConfig: node.kubeconfig
+masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig
networkPluginName: {{ openshift.common.sdn_network_plugin_name }}
nodeName: {{ openshift.common.hostname }}
-podManifestConfig: null
+podManifestConfig:
servingInfo:
bindAddress: 0.0.0.0:10250
certFile: server.crt
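Review bot: `masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig` is an unquoted plain scalar built from a templated fact; the colons parse as intended, but any `: ` or ` #` in the expanded value would change the structure of the rendered file, so quote it: `masterKubeConfig: "system:node:{{ openshift.common.hostname }}.kubeconfig"`, and the same applies to `nodeName` on the next line. `podManifestConfig:` with a bare empty value parses as null just like the removed `podManifestConfig: null`, but the explicit literal is clearer and avoids readers mistaking it for an empty mapping; keep `null`. `dockerConfig.execHandlerName: ""` is new and undocumented — a one-line comment on what an empty string selects would help.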
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
new file mode 100644
index 000000000..c6304e4b0
--- /dev/null
+++ b/roles/openshift_node_certificates/README.md
@@ -0,0 +1,34 @@
+OpenShift Node Certificates
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
new file mode 100644
index 000000000..f3236e850
--- /dev/null
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Jason DeTiberus
+ description:
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.8
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- { role: openshift_facts }
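Review bot: `description:` is a bare empty value, which a YAML loader reads as null rather than an empty string, and `min_ansible_version: 1.8` parses as the float 1.8; quote both (`description: ""`, `min_ansible_version: "1.8"`) so the Galaxy metadata carries strings. The description could also simply state what the role does (generates per-node client and server certificates on the first master), since the new README is all TODO.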
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
new file mode 100644
index 000000000..1b68bc673
--- /dev/null
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: Create openshift_generated_configs_dir if it doesn't exist
+ file:
+ path: "{{ openshift_generated_configs_dir }}"
+ state: directory
+
+- name: Generate the node client config
+ command: >
+ {{ openshift.common.admin_binary }} create-api-client-config
+ --certificate-authority={{ openshift_master_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
+ --groups=system:nodes
+ --master={{ openshift.master.api_url }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
+ --user=system:node:{{ item.openshift.common.hostname }}
+ args:
+ chdir: "{{ openshift_generated_configs_dir }}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+ with_items: nodes_needing_certs
+
+- name: Generate the node server certificate
+ delegate_to: "{{ openshift_first_master }}"
+ command: >
+ {{ openshift.common.admin_binary }} create-server-cert
+ --cert=server.crt --key=server.key --overwrite=true
+ --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname]|unique|join(",") }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
+ args:
+ chdir: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
+ with_items: nodes_needing_certs
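Review bot: `Create openshift_generated_configs_dir` creates the directory with no `mode`, yet it will hold every node's client key, certificate and kubeconfig signed by the master CA; add `mode: "0700"` so the umask cannot leave that material readable to other local users on the master. The server certificate's `--hostnames` covers only `hostname` and `public_hostname`; if anything reaches the kubelet by address (this commit already tracks `openshift.common.ip` / `public_ip` in the master template), verification fails without an IP SAN — confirm and include them if so. `delegate_to: "{{ openshift_first_master }}"` appears only on the second task while the calling play in config.yml already runs on `oo_first_master`, so either both tasks should delegate or neither, and `--overwrite=true` alongside `creates:` sends a mixed message about whether the server cert is ever regenerated (it is not, as written — rotation needs a separate path).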
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
new file mode 100644
index 000000000..3801b8427
--- /dev/null
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -0,0 +1,8 @@
+---
+openshift_node_config_dir: /etc/openshift/node
+openshift_master_config_dir: /etc/openshift/master
+openshift_generated_configs_dir: /etc/openshift/generated-configs
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_kube_api_version: v1beta3
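Review bot: `openshift_kube_api_version: v1beta3` is not referenced by any task in the new role, and it pins the old API level while this same commit moves the master's storage versions to `v1`; it looks carried over from openshift_register_nodes, which does use it for `api_version:`. Drop it from this role, or if it is meant for callers, move it to `defaults/` where it can be overridden and document it. Since `openshift_master_ca_key` names the CA signing key and the tasks pass it as `--signer-key`, a one-line comment stating that the role runs on the first master and reads the CA key there would help readers assess where that key is exposed.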
diff --git a/roles/openshift_register_nodes/README.md b/roles/openshift_register_nodes/README.md
index b96faa044..b1d2000f1 100644
--- a/roles/openshift_register_nodes/README.md
+++ b/roles/openshift_register_nodes/README.md
@@ -1,27 +1,8 @@
OpenShift Register Nodes
========================
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
+DEPRECATED!!!
+Nodes should now auto register themselves. Use openshift_node_certificates role instead.
License
-------
diff --git a/roles/openshift_register_nodes/tasks/main.yml b/roles/openshift_register_nodes/tasks/main.yml
index 11097a7cf..502dffc26 100644
--- a/roles/openshift_register_nodes/tasks/main.yml
+++ b/roles/openshift_register_nodes/tasks/main.yml
@@ -14,7 +14,7 @@
--signer-cert={{ openshift_master_ca_cert }}
--signer-key={{ openshift_master_ca_key }}
--signer-serial={{ openshift_master_ca_serial }}
- --user=system:node-{{ item.openshift.common.hostname }}
+ --user=system:node:{{ item.openshift.common.hostname }}
args:
chdir: "{{ openshift_generated_configs_dir }}"
creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
@@ -37,7 +37,7 @@
- name: Register unregistered nodes
kubernetes_register_node:
kubectl_cmd: "{{ [openshift.common.client_binary] }}"
- default_client_config: '~/.config/openshift/.config'
+ default_client_config: '~/.kube/config'
name: "{{ item.openshift.common.hostname }}"
api_version: "{{ openshift_kube_api_version }}"
cpu: "{{ item.openshift.node.resources_cpu | default(None) }}"
@@ -46,5 +46,8 @@
host_ip: "{{ item.openshift.common.ip }}"
labels: "{{ item.openshift.node.labels | default({}) }}"
annotations: "{{ item.openshift.node.annotations | default({}) }}"
+ client_context: default/ose3-master-example-com:8443/system:openshift-master
+ client_user: system:openshift-master/ose3-master-example-com:8443
+ client_cluster: ose3-master-example-com:8443
with_items: openshift_nodes
register: register_result
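Review bot: `client_context`, `client_user` and `client_cluster` are hard-coded to `ose3-master-example-com:8443`, an example hostname, inside a shared role; on any real inventory the kubernetes_register_node call will select a context that does not exist in `~/.kube/config`. These should be derived from facts the role already has (the master hostname and port that `openshift.master.api_url` is built from, rendered in the `host-port` form the kubeconfig uses), or passed in as role variables with no example default. Given the README in this commit marks the role DEPRECATED, the alternative is to leave this task untouched rather than add deployment-specific literals. The task continues above the hunk.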