summaryrefslogtreecommitdiffstats
path: root/roles/openshift_master
diff options
context:
space:
mode:
authorThomas Wiest <twiest@users.noreply.github.com>2015-12-09 15:49:48 -0500
committerThomas Wiest <twiest@users.noreply.github.com>2015-12-09 15:49:48 -0500
commiteeb164fae0e6721100c4fcc1717d92bb85b9652c (patch)
tree70eee046db8012061c178ab4e686650048265564 /roles/openshift_master
parent898290cb3aabbc9d98883181877ac857a2fe1faf (diff)
parent14c69ad397be8ee101ef5b4edfa223d703e67ad0 (diff)
downloadopenshift-eeb164fae0e6721100c4fcc1717d92bb85b9652c.tar.gz
openshift-eeb164fae0e6721100c4fcc1717d92bb85b9652c.tar.bz2
openshift-eeb164fae0e6721100c4fcc1717d92bb85b9652c.tar.xz
openshift-eeb164fae0e6721100c4fcc1717d92bb85b9652c.zip
Merge pull request #1048 from twiest/prod
Sync master -> Prod
Diffstat (limited to 'roles/openshift_master')
-rw-r--r--roles/openshift_master/tasks/main.yml39
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j228
-rw-r--r--roles/openshift_master/templates/v1_partials/oauthConfig.j293
3 files changed, 46 insertions, 114 deletions
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 185bfb8f3..011b5dedd 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -1,13 +1,16 @@
---
-# TODO: add validation for openshift_master_identity_providers
# TODO: add ability to configure certificates given either a local file to
# point to or certificate contents, set in default cert locations.
-- assert:
- that:
- - openshift_master_oauth_grant_method in openshift_master_valid_grant_methods
- when: openshift_master_oauth_grant_method is defined
+# Authentication Variable Validation
+# TODO: validate the different identity provider kinds as well
+- fail:
+ msg: >
+ Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }}
+ when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods
+
+# HA Variable Validation
- fail:
msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations"
when: openshift_master_ha | bool and ((openshift_master_cluster_method is not defined) or (openshift_master_cluster_method is defined and openshift_master_cluster_method not in ["native", "pacemaker"]))
@@ -76,16 +79,16 @@
- name: Install Master package
yum: pkg={{ openshift.common.service_type }}-master{{ openshift_version }} state=present
+ when: ansible_pkg_mgr == "yum"
+ register: install_result
+
+- name: Install Master package
+ dnf: pkg={{ openshift.common.service_type }}-master{{ openshift_version }} state=present
+ when: ansible_pkg_mgr == "dnf"
register: install_result
-# TODO: These values need to be configurable
-- name: Set dns facts
+- name: Re-gather package dependent master facts
openshift_facts:
- role: dns
- local_facts:
- ip: "{{ openshift_master_cluster_vip | default(openshift.common.ip, true) | default(None) }}"
- domain: cluster.local
- when: openshift.master.embedded_dns
- name: Create config parent directory if it does not exist
file:
@@ -115,7 +118,12 @@
- name: Install httpd-tools if needed
yum: pkg=httpd-tools state=present
- when: item.kind == 'HTPasswdPasswordIdentityProvider'
+ when: (ansible_pkg_mgr == "yum") and (item.kind == 'HTPasswdPasswordIdentityProvider')
+ with_items: openshift.master.identity_providers
+
+- name: Install httpd-tools if needed
+ dnf: pkg=httpd-tools state=present
+ when: (ansible_pkg_mgr == "dnf") and (item.kind == 'HTPasswdPasswordIdentityProvider')
with_items: openshift.master.identity_providers
- name: Ensure htpasswd directory exists
@@ -172,6 +180,9 @@
- restart master
- restart master api
+- set_fact:
+ translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1') }}"
+
# TODO: add the validate parameter when there is a validation command to run
- name: Create master config
template:
@@ -256,7 +267,7 @@
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
- name: Install cluster packages
- yum: pkg=pcs state=present
+ action: "{{ansible_pkg_mgr}} pkg=pcs state=present"
when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
register: install_result
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index bb12a0a0f..cadb02fa3 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -27,9 +27,6 @@ corsAllowedOrigins:
{% for custom_origin in openshift.master.custom_cors_origins | default("") %}
- {{ custom_origin }}
{% endfor %}
-{% for name in (named_certificates | map(attribute='names')) | list | oo_flatten %}
- - {{ name }}
-{% endfor %}
{% if 'disabled_features' in openshift.master %}
disabledFeatures: {{ openshift.master.disabled_features | to_json }}
{% endif %}
@@ -86,7 +83,7 @@ kubernetesMasterConfig:
{% endif %}
apiServerArguments: {{ api_server_args if api_server_args is defined else 'null' }}
controllerArguments: {{ controller_args if controller_args is defined else 'null' }}
- masterCount: {{ openshift.master.master_count }}
+ masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }}
masterIP: {{ openshift.common.ip }}
podEvictionTimeout: ""
proxyClientInfo:
@@ -110,7 +107,24 @@ networkConfig:
{% endif %}
# serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
serviceNetworkCIDR: {{ openshift.master.portal_net }}
-{% include 'v1_partials/oauthConfig.j2' %}
+oauthConfig:
+ assetPublicURL: {{ openshift.master.public_console_url }}/
+ grantConfig:
+ method: {{ openshift.master.oauth_grant_method }}
+ identityProviders:
+{% for line in translated_identity_providers.splitlines() %}
+ {{ line }}
+{% endfor %}
+ masterCA: ca.crt
+ masterPublicURL: {{ openshift.master.public_api_url }}
+ masterURL: {{ openshift.master.api_url }}
+ sessionConfig:
+ sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }}
+ sessionName: {{ openshift.master.session_name }}
+ sessionSecretsFile: {{ openshift.master.session_secrets_file }}
+ tokenConfig:
+ accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }}
+ authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }}
pauseControllers: false
policyConfig:
bootstrapPolicyFile: {{ openshift_master_policy }}
@@ -144,9 +158,9 @@ servingInfo:
keyFile: master.server.key
maxRequestsInFlight: 500
requestTimeoutSeconds: 3600
-{% if named_certificates %}
+{% if openshift.master.named_certificates %}
namedCertificates:
-{% for named_certificate in named_certificates %}
+{% for named_certificate in openshift.master.named_certificates %}
- certFile: {{ named_certificate['certfile'] }}
keyFile: {{ named_certificate['keyfile'] }}
names:
diff --git a/roles/openshift_master/templates/v1_partials/oauthConfig.j2 b/roles/openshift_master/templates/v1_partials/oauthConfig.j2
deleted file mode 100644
index 8a4f5a746..000000000
--- a/roles/openshift_master/templates/v1_partials/oauthConfig.j2
+++ /dev/null
@@ -1,93 +0,0 @@
-{% macro identity_provider_config(identity_provider) %}
- apiVersion: v1
- kind: {{ identity_provider.kind }}
-{% if identity_provider.kind == 'HTPasswdPasswordIdentityProvider' %}
- file: {{ identity_provider.filename }}
-{% elif identity_provider.kind == 'BasicAuthPasswordIdentityProvider' %}
- url: {{ identity_provider.url }}
-{% for key in ('ca', 'certFile', 'keyFile') %}
-{% if key in identity_provider %}
- {{ key }}: "{{ identity_provider[key] }}"
-{% endif %}
-{% endfor %}
-{% elif identity_provider.kind == 'LDAPPasswordIdentityProvider' %}
- attributes:
-{% for attribute_key in identity_provider.attributes %}
- {{ attribute_key }}:
-{% for attribute_value in identity_provider.attributes[attribute_key] %}
- - {{ attribute_value }}
-{% endfor %}
-{% endfor %}
-{% for key in ('bindDN', 'bindPassword', 'ca') %}
- {{ key }}: "{{ identity_provider[key] }}"
-{% endfor %}
-{% for key in ('insecure', 'url') %}
- {{ key }}: {{ identity_provider[key] }}
-{% endfor %}
-{% elif identity_provider.kind == 'RequestHeaderIdentityProvider' %}
- headers: {{ identity_provider.headers }}
-{% if 'clientCA' in identity_provider %}
- clientCA: {{ identity_provider.clientCA }}
-{% endif %}
-{% elif identity_provider.kind == 'GitHubIdentityProvider' %}
- clientID: {{ identity_provider.clientID }}
- clientSecret: {{ identity_provider.clientSecret }}
-{% elif identity_provider.kind == 'GoogleIdentityProvider' %}
- clientID: {{ identity_provider.clientID }}
- clientSecret: {{ identity_provider.clientSecret }}
-{% if 'hostedDomain' in identity_provider %}
- hostedDomain: {{ identity_provider.hostedDomain }}
-{% endif %}
-{% elif identity_provider.kind == 'OpenIDIdentityProvider' %}
- clientID: {{ identity_provider.clientID }}
- clientSecret: {{ identity_provider.clientSecret }}
- claims:
- id: identity_provider.claims.id
-{% for claim_key in ('preferredUsername', 'name', 'email') %}
-{% if claim_key in identity_provider.claims %}
- {{ claim_key }}: {{ identity_provider.claims[claim_key] }}
-{% endif %}
-{% endfor %}
- urls:
- authorize: {{ identity_provider.urls.authorize }}
- token: {{ identity_provider.urls.token }}
-{% if 'userInfo' in identity_provider.urls %}
- userInfo: {{ identity_provider.userInfo }}
-{% endif %}
-{% if 'extraScopes' in identity_provider %}
- extraScopes:
-{% for scope in identity_provider.extraScopes %}
- - {{ scope }}
-{% endfor %}
-{% endif %}
-{% if 'extraAuthorizeParameters' in identity_provider %}
- extraAuthorizeParameters:
-{% for param_key, param_value in identity_provider.extraAuthorizeParameters.iteritems() %}
- {{ param_key }}: {{ param_value }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% endmacro %}
-oauthConfig:
- assetPublicURL: {{ openshift.master.public_console_url }}/
- grantConfig:
- method: {{ openshift.master.oauth_grant_method }}
- identityProviders:
-{% for identity_provider in openshift.master.identity_providers %}
- - name: {{ identity_provider.name }}
- challenge: {{ identity_provider.challenge }}
- login: {{ identity_provider.login }}
- provider:
-{{ identity_provider_config(identity_provider) }}
-{%- endfor %}
- masterCA: ca.crt
- masterPublicURL: {{ openshift.master.public_api_url }}
- masterURL: {{ openshift.master.api_url }}
- sessionConfig:
- sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }}
- sessionName: {{ openshift.master.session_name }}
- sessionSecretsFile: {{ openshift.master.session_secrets_file }}
- tokenConfig:
- accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }}
- authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }}
-{# Comment to preserve newline after authorizeTokenMaxAgeSeconds #}