author:    Jason DeTiberus <jdetiber@redhat.com>  2015-04-01 15:09:19 -0400
committer: Jason DeTiberus <jdetiber@redhat.com>  2015-04-14 23:29:16 -0400
commit:    6a4b7a5eb6c4b5e747bab795e2428d7c3992f559
tree:      2519948f1eb8c372192ed4fd8805adc71da8433d  /roles
parent:    c85e91fdca031eba06481a24f74aa076ae9a4d38
Configuration updates for latest builds and major refactor
Configuration updates for latest builds
- Switch to using create-node-config
- Switch sdn services to use etcd over SSL
  - This re-uses the client certificate deployed on each node
- Additional node registration changes
- Do not assume that metadata service is available in openshift_facts module
- Call systemctl daemon-reload after installing openshift-master, openshift-sdn-master, openshift-node, openshift-sdn-node
- Fix bug overriding openshift_hostname and openshift_public_hostname in byo playbooks
- Start moving generated configs to /etc/openshift
- Some custom module cleanup
- Add known issue with ansible-1.9 to README_OSE.md
- Update to genericize the kubernetes_register_node module
  - Default to use kubectl for commands
  - Allow for overriding kubectl_cmd
  - In openshift_register_node role, override kubectl_cmd to openshift_kube
- Set default openshift_registry_url for enterprise when deployment_type is enterprise
- Fix openshift_register_node for client config change
- Ensure that master certs directory is created
- Add roles and filter_plugin symlinks to playbooks/common/openshift-master and node
- Allow non-root user with sudo nopasswd access
  - Updates for README_OSE.md
  - Update byo inventory for adding additional comments
  - Updates for node cert/config sync to work with non-root user using sudo
- Move node config/certs to /etc/openshift/node
- Don't use path for mktemp.
  addresses: https://github.com/openshift/openshift-ansible/issues/154

Create common playbooks
- create common/openshift-master/config.yml
- create common/openshift-node/config.yml
- update playbooks to use new common playbooks
- update launch playbooks to call update playbooks
- fix openshift_registry and openshift_node_ip usage

Set default deployment type to origin
- openshift_repo updates for enabling origin deployments
  - also separate repo and gpgkey file structure
- remove kubernetes repo since it isn't currently needed
- full deployment type support for bin/cluster
  - honor OS_DEPLOYMENT_TYPE env variable
  - add --deployment-type option, which will override OS_DEPLOYMENT_TYPE if set
  - if neither OS_DEPLOYMENT_TYPE or --deployment-type is set, defaults to origin installs

Additional changes:
- Add separate config action to bin/cluster that runs ansible config but does not update packages
- Some more duplication reduction in cluster playbooks.
- Rename task files in playbooks dirs to have tasks in their name for clarity.
- update aws/gce scripts to use a directory for inventory (otherwise when there are no hosts returned from dynamic inventory there is an error)

libvirt refactor and update
- add libvirt dynamic inventory
- updates to use dynamic inventory for libvirt
Diffstat (limited to 'roles')

 -rw-r--r--  roles/openshift_common/tasks/main.yml                                     |  4
 -rw-r--r--  roles/openshift_common/vars/main.yml                                      |  4
 -rwxr-xr-x  roles/openshift_facts/library/openshift_facts.py                          | 92
 -rw-r--r--  roles/openshift_master/tasks/main.yml                                     | 64
 -rw-r--r--  roles/openshift_master/vars/main.yml                                      |  5
 -rw-r--r--  roles/openshift_node/tasks/main.yml                                       | 32
 -rw-r--r--  roles/openshift_node/vars/main.yml                                        |  2
 -rw-r--r--  roles/openshift_register_nodes/defaults/main.yml                          |  3
 -rwxr-xr-x  roles/openshift_register_nodes/library/kubernetes_register_node.py        | 63
 -rw-r--r--  roles/openshift_register_nodes/tasks/main.yml                             | 64
 -rw-r--r--  roles/openshift_register_nodes/vars/main.yml                              |  7
 -rw-r--r--  roles/openshift_repos/README.md                                           |  2
 -rw-r--r--  roles/openshift_repos/defaults/main.yaml                                  |  5
 -rw-r--r--  roles/openshift_repos/files/online/epel7-kubernetes.repo                  |  6
 -rw-r--r--  roles/openshift_repos/files/online/gpg_keys/RPM-GPG-KEY-redhat-beta       |  0  (renamed from roles/openshift_repos/files/online/RPM-GPG-KEY-redhat-beta)
 -rw-r--r--  roles/openshift_repos/files/online/gpg_keys/RPM-GPG-KEY-redhat-release    |  0  (renamed from roles/openshift_repos/files/online/RPM-GPG-KEY-redhat-release)
 -rw-r--r--  roles/openshift_repos/files/online/repos/epel7-openshift.repo             |  0  (renamed from roles/openshift_repos/files/online/epel7-openshift.repo)
 -rw-r--r--  roles/openshift_repos/files/online/repos/oso-rhui-rhel-7-extras.repo      |  0  (renamed from roles/openshift_repos/files/online/oso-rhui-rhel-7-extras.repo)
 -rw-r--r--  roles/openshift_repos/files/online/repos/oso-rhui-rhel-7-server.repo      |  0  (renamed from roles/openshift_repos/files/online/oso-rhui-rhel-7-server.repo)
 -rw-r--r--  roles/openshift_repos/files/online/repos/rhel-7-libra-candidate.repo      |  0  (renamed from roles/openshift_repos/files/online/rhel-7-libra-candidate.repo)
 -rw-r--r--  roles/openshift_repos/files/origin/repos/maxamillion-origin-next-epel-7.repo |  7
 -rw-r--r--  roles/openshift_repos/tasks/main.yaml                                     | 14
 -rw-r--r--  roles/openshift_repos/templates/yum_repo.j2                               |  1
 -rw-r--r--  roles/openshift_sdn_master/tasks/main.yml                                 | 11
 -rw-r--r--  roles/openshift_sdn_node/tasks/main.yml                                   | 11
 -rwxr-xr-x  roles/os_firewall/library/os_firewall_manage_iptables.py                  |  3

26 files changed, 218 insertions, 182 deletions
diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml
index 941190534..c55677c3f 100644
--- a/roles/openshift_common/tasks/main.yml
+++ b/roles/openshift_common/tasks/main.yml
@@ -1,7 +1,7 @@
---
- name: Set common OpenShift facts
openshift_facts:
- role: 'common'
+ role: common
local_facts:
cluster_id: "{{ openshift_cluster_id | default('default') }}"
debug_level: "{{ openshift_debug_level | default(0) }}"
@@ -10,7 +10,7 @@
public_hostname: "{{ openshift_public_hostname | default(None) }}"
public_ip: "{{ openshift_public_ip | default(None) }}"
use_openshift_sdn: "{{ openshift_use_openshift_sdn | default(None) }}"
-
+ deployment_type: "{{ openshift_deployment_type }}"
- name: Set hostname
hostname: name={{ openshift.common.hostname }}
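Review bot: the new `deployment_type` fact at the end of this hunk is the only entry in `local_facts` without a `| default(...)` filter (the sibling facts all use `default(None)` or a literal), and this same commit removes the `openshift_deployment_type: online` default from `roles/openshift_repos/defaults/main.yaml`, so any play that does not set the variable now fails this task with an undefined-variable error instead of letting the facts module fall back to origin as the commit message describes. Suggest `deployment_type: "{{ openshift_deployment_type | default(None) }}"` and applying the origin default inside openshift_facts alongside the other defaults.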
diff --git a/roles/openshift_common/vars/main.yml b/roles/openshift_common/vars/main.yml
index 50816d319..9f657a2c7 100644
--- a/roles/openshift_common/vars/main.yml
+++ b/roles/openshift_common/vars/main.yml
@@ -5,3 +5,7 @@
# chains with the public zone (or the zone associated with the correct
# interfaces)
os_firewall_use_firewalld: False
+
+openshift_cert_parent_dir: /var/lib/openshift
+openshift_cert_relative_dir: openshift.local.certificates
+openshift_cert_dir: "{{ openshift_cert_parent_dir }}/{{ openshift_cert_relative_dir }}"
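Review bot: these three path variables land in the role's `vars/main.yml`, which in Ansible outranks inventory variables, so a deployment can no longer relocate the certificate directory; the same three lines are repeated verbatim in `roles/openshift_register_nodes/vars/main.yml` further down this patch. Put them in `defaults/main.yml` of one role (openshift_common) and declare a dependency on it from openshift_register_nodes, so there is one definition and it stays overridable.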
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 0dd343443..1e0d5c605 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -21,8 +21,11 @@ class OpenShiftFactsUnsupportedRoleError(Exception):
class OpenShiftFactsFileWriteError(Exception):
pass
+class OpenShiftFactsMetadataUnavailableError(Exception):
+ pass
+
class OpenShiftFacts():
- known_roles = ['common', 'master', 'node', 'master_sdn', 'node_sdn']
+ known_roles = ['common', 'master', 'node', 'master_sdn', 'node_sdn', 'dns']
def __init__(self, role, filename, local_facts):
self.changed = False
@@ -169,20 +172,18 @@ class OpenShiftFacts():
return hostname
def get_defaults(self, roles):
- hardware_facts = self.get_hardware_facts()
- net_facts = self.get_net_facts()
- base_facts = self.get_base_facts()
+ ansible_facts = self.get_ansible_facts()
defaults = dict()
common = dict(use_openshift_sdn=True)
- ip = net_facts['default_ipv4']['address']
+ ip = ansible_facts['default_ipv4']['address']
common['ip'] = ip
common['public_ip'] = ip
rc, output, error = module.run_command(['hostname', '-f'])
hostname_f = output.strip() if rc == 0 else ''
- hostname_values = [hostname_f, base_facts['nodename'], base_facts['fqdn']]
+ hostname_values = [hostname_f, ansible_facts['nodename'], ansible_facts['fqdn']]
hostname = self.choose_hostname(hostname_values)
common['hostname'] = hostname
@@ -196,14 +197,14 @@ class OpenShiftFacts():
master = dict(api_use_ssl=True, api_port='8443',
console_use_ssl=True, console_path='/console',
console_port='8443', etcd_use_ssl=False,
- etcd_port='4001')
+ etcd_port='4001', portal_net='172.30.17.0/24')
defaults['master'] = master
if 'node' in roles:
node = dict(external_id=common['hostname'], pod_cidr='',
labels={}, annotations={})
- node['resources_cpu'] = hardware_facts['processor_cores']
- node['resources_memory'] = int(int(hardware_facts['memtotal_mb']) * 1024 * 1024 * 0.75)
+ node['resources_cpu'] = ansible_facts['processor_cores']
+ node['resources_memory'] = int(int(ansible_facts['memtotal_mb']) * 1024 * 1024 * 0.75)
defaults['node'] = node
return defaults
@@ -226,8 +227,7 @@ class OpenShiftFacts():
def query_metadata(self, metadata_url, headers=None, expect_json=False):
r, info = fetch_url(module, metadata_url, headers=headers)
if info['status'] != 200:
- module.fail_json(msg='Failed to query metadata', result=r,
- info=info)
+ raise OpenShiftFactsMetadataUnavailableError("Metadata unavailable")
if expect_json:
return module.from_json(r.read())
else:
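Review bot: the raised `OpenShiftFactsMetadataUnavailableError` throws away the `info` dict (status, msg, url) that the replaced `fail_json` used to report, so a 403 or 500 from a real cloud metadata service is now indistinguishable from a connection failure (`info['status'] == -1`) on a host with no metadata service, and the caller treats both as "no provider". Carry the detail in the message, e.g. `raise OpenShiftFactsMetadataUnavailableError("Metadata unavailable: %s (%s)" % (metadata_url, info['msg']))`, so the condition can be diagnosed when provider detection unexpectedly comes back empty.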
@@ -252,40 +252,27 @@ class OpenShiftFacts():
def get_provider_metadata(self, metadata_url, supports_recursive=False,
headers=None, expect_json=False):
- if supports_recursive:
- metadata = self.query_metadata(metadata_url, headers, expect_json)
- else:
- metadata = self.walk_metadata(metadata_url, headers, expect_json)
+ try:
+ if supports_recursive:
+ metadata = self.query_metadata(metadata_url, headers, expect_json)
+ else:
+ metadata = self.walk_metadata(metadata_url, headers, expect_json)
+ except OpenShiftFactsMetadataUnavailableError as e:
+ metadata = None
return metadata
- def get_hardware_facts(self):
- if not hasattr(self, 'hardware_facts'):
- self.hardware_facts = Hardware().populate()
- return self.hardware_facts
-
- def get_base_facts(self):
- if not hasattr(self, 'base_facts'):
- self.base_facts = Facts().populate()
- return self.base_facts
-
- def get_virt_facts(self):
- if not hasattr(self, 'virt_facts'):
- self.virt_facts = Virtual().populate()
- return self.virt_facts
-
- def get_net_facts(self):
- if not hasattr(self, 'net_facts'):
- self.net_facts = Network(module).populate()
- return self.net_facts
+ def get_ansible_facts(self):
+ if not hasattr(self, 'ansible_facts'):
+ self.ansible_facts = ansible_facts(module)
+ return self.ansible_facts
def guess_host_provider(self):
# TODO: cloud provider facts should probably be submitted upstream
- virt_facts = self.get_virt_facts()
- hardware_facts = self.get_hardware_facts()
- product_name = hardware_facts['product_name']
- product_version = hardware_facts['product_version']
- virt_type = virt_facts['virtualization_type']
- virt_role = virt_facts['virtualization_role']
+ ansible_facts = self.get_ansible_facts()
+ product_name = ansible_facts['product_name']
+ product_version = ansible_facts['product_version']
+ virt_type = ansible_facts['virtualization_type']
+ virt_role = ansible_facts['virtualization_role']
provider = None
metadata = None
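Review bot: `except OpenShiftFactsMetadataUnavailableError as e:` binds `e` and never uses it; drop the `as e`. Note also that the `try` wraps the whole `walk_metadata` traversal, so a single failed sub-request partway through a walk discards everything already collected and reports no provider at all; if that all-or-nothing behaviour is intended, say so in a comment, otherwise catch inside the walk and skip the failing key.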
@@ -300,8 +287,9 @@ class OpenShiftFacts():
True)
# Filter sshKeys and serviceAccounts from gce metadata
- metadata['project']['attributes'].pop('sshKeys', None)
- metadata['instance'].pop('serviceAccounts', None)
+ if metadata:
+ metadata['project']['attributes'].pop('sshKeys', None)
+ metadata['instance'].pop('serviceAccounts', None)
elif virt_type == 'xen' and virt_role == 'guest' and re.match(r'.*\.amazon$', product_version):
provider = 'ec2'
metadata_url = 'http://169.254.169.254/latest/meta-data/'
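Review bot: the `if metadata:` guard around the `sshKeys`/`serviceAccounts` pops is correct, but the filtering remains GCE-only: the `ec2` branch that begins at the end of this hunk points `metadata_url` at `/latest/meta-data/`, and a walked copy of that tree includes `public-keys/` and, on instances with an instance profile, `iam/security-credentials/<role>` (temporary AWS keys). The elided lines between this hunk and the next show no equivalent pop for that branch, and the module persists facts to the file named in `__init__`, so confirm the ec2 branch strips those keys too.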
@@ -310,12 +298,18 @@ class OpenShiftFacts():
provider = 'openstack'
metadata_url = 'http://169.254.169.254/openstack/latest/meta_data.json'
metadata = self.get_provider_metadata(metadata_url, True, None, True)
- ec2_compat_url = 'http://169.254.169.254/latest/meta-data/'
- metadata['ec2_compat'] = self.get_provider_metadata(ec2_compat_url)
- # Filter public_keys and random_seed from openstack metadata
- metadata.pop('public_keys', None)
- metadata.pop('random_seed', None)
+ if metadata:
+ ec2_compat_url = 'http://169.254.169.254/latest/meta-data/'
+ metadata['ec2_compat'] = self.get_provider_metadata(ec2_compat_url)
+
+ # Filter public_keys and random_seed from openstack metadata
+ metadata.pop('public_keys', None)
+ metadata.pop('random_seed', None)
+
+ if not metadata['ec2_compat']:
+ metadata = None
+
return dict(name=provider, metadata=metadata)
def normalize_provider_facts(self, provider, metadata):
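Review bot: the two `pop` calls after the `if metadata:` guard only filter the top-level OpenStack JSON; `metadata['ec2_compat']`, fetched just above from the EC2-compatible `/latest/meta-data/` tree, is stored unfiltered, so the `public-keys/` entries from that tree survive into the facts that `public_keys` was just removed to keep out. Pop the matching keys from `metadata['ec2_compat']` as well. Separately, `if not metadata['ec2_compat']: metadata = None` discards OpenStack metadata that was already fetched successfully whenever only the EC2-compat endpoint is unavailable; keeping `metadata` and leaving `ec2_compat` as None would be the more useful outcome.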
@@ -479,4 +473,6 @@ def main():
from ansible.module_utils.basic import *
from ansible.module_utils.facts import *
from ansible.module_utils.urls import *
-main()
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index aa615df39..1b1210007 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -11,33 +11,67 @@
api_url: "{{ openshift_master_api_url | default(None) }}"
api_use_ssl: "{{ openshift_master_api_use_ssl | default(None) }}"
public_api_url: "{{ openshift_master_public_api_url | default(None) }}"
+ console_path: "{{ openshift_master_console_path | default(None) }}"
console_port: "{{ openshift_master_console_port | default(None) }}"
console_url: "{{ openshift_master_console_url | default(None) }}"
console_use_ssl: "{{ openshift_master_console_use_ssl | default(None) }}"
public_console_url: "{{ openshift_master_public_console_url | default(None) }}"
+ etcd_port: "{{ openshift_master_etcd_port | default(None) }}"
etcd_use_ssl: "{{ openshift_master_etcd_use_ssl | default(None) }}"
+ portal_net: "{{ openshift_master_portal_net | default(None) }}"
+
+# TODO: These values need to be configurable
+- name: Set dns OpenShift facts
+ openshift_facts:
+ role: 'dns'
+ local_facts:
+ ip: "{{ openshift.common.ip }}"
+ domain: local
- name: Install OpenShift Master package
yum: pkg=openshift-master state=installed
+ register: install_result
+
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: install_result | changed
+
+- name: Create certificate parent directory if it doesn't exist
+ file:
+ path: "{{ openshift_cert_parent_dir }}"
+ state: directory
+
+- name: Create config parent directory if it doesn't exist
+ file:
+ path: "{{ openshift_master_config | dirname }}"
+ state: directory
+
+# TODO: should probably use a template lookup for this
+# TODO: should allow for setting --etcd, --kubernetes options
+# TODO: recreate config if values change
+- name: Use enterprise default for openshift_registry_url if not set
+ set_fact:
+ openshift_registry_url: "openshift3_beta/ose-${component}:${version}"
+ when: openshift.common.deployment_type == 'enterprise' and openshift_registry_url is not defined
+- name: Create master config
+ command: >
+ /usr/bin/openshift start master --write-config
+ --config={{ openshift_master_config }}
+ --portal-net={{ openshift.master.portal_net }}
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://0.0.0.0:{{ openshift.master.api_port }}
+ {{ ('--images=' ~ openshift_registry_url) if openshift_registry_url is defined else '' }}
+ {{ ('--nodes=' ~ openshift_node_ips | join(',')) if openshift_node_ips is defined else '' }}
+ args:
+ chdir: "{{ openshift_cert_parent_dir }}"
+ creates: "{{ openshift_master_config }}"
-# TODO: We should pre-generate the master config and point to the generated
-# config rather than setting command line flags here
- name: Configure OpenShift settings
lineinfile:
dest: /etc/sysconfig/openshift-master
regexp: '^OPTIONS='
- line: "OPTIONS=\"--master={{ openshift.common.hostname }} --public-master={{ openshift.common.public_hostname }} {% if openshift_node_ips %} --nodes={{ openshift_node_ips | join(',') }} {% endif %} --loglevel={{ openshift.master.debug_level }}\""
- notify:
- - restart openshift-master
-
-# TODO: should this be populated by a fact based on the deployment type
-# (origin, online, enterprise)?
-- name: Set default registry url
- lineinfile:
- dest: /etc/sysconfig/openshift-master
- regexp: '^IMAGES='
- line: "IMAGES={{ openshift_registry_url }}"
- when: openshift_registry_url is defined
+ line: "OPTIONS=\"--config={{ openshift_master_config }} --loglevel={{ openshift.master.debug_level }}\""
notify:
- restart openshift-master
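Review bot: the two `file: state=directory` tasks create `openshift_cert_parent_dir` and the `/etc/openshift` config directory with no `mode:` or `owner:`, and the `openshift start master --write-config` command then runs with `chdir` into the cert parent dir and writes the CA key (`ca/key.key`, per `openshift_master_ca_key` in the new vars file) and the client kubeconfig beneath it; with the non-root sudo user this commit adds support for, the resulting modes simply follow that user's umask. Set `mode: 0700` on the certificate parent directory. Also, because `creates:` skips the command whenever `master.yaml` exists, the `--portal-net`, `--master`, `--listen` and `--images` values are frozen at first run; the TODO acknowledges this, but a later change to `openshift_registry_url` silently has no effect, which deserves a sentence in the README.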
@@ -53,6 +87,6 @@
# TODO: Update this file if the contents of the source file are not present in
# the dest file, will need to make sure to ignore things that could be added
- name: Configure root user kubeconfig
- command: cp /var/lib/openshift/openshift.local.certificates/openshift-client/.kubeconfig /root/.kube/.kubeconfig
+ command: cp {{ openshift_cert_dir }}/openshift-client/.kubeconfig /root/.kube/.kubeconfig
args:
creates: /root/.kube/.kubeconfig
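Review bot: `cp` without `-p` creates `/root/.kube/.kubeconfig` with the default umask mode (typically 0644), and that file carries the client credentials for the master API; use `install -m 0600 {{ openshift_cert_dir }}/openshift-client/.kubeconfig /root/.kube/.kubeconfig` or follow with a `file: mode=0600` task so the copy is not world-readable. The `creates:` guard also means a regenerated client certificate never reaches this copy, which the TODO above already notes.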
diff --git a/roles/openshift_master/vars/main.yml b/roles/openshift_master/vars/main.yml
new file mode 100644
index 000000000..c52d957ac
--- /dev/null
+++ b/roles/openshift_master/vars/main.yml
@@ -0,0 +1,5 @@
+---
+openshift_master_config: /etc/openshift/master.yaml
+openshift_master_ca_dir: "{{ openshift_cert_dir }}/ca"
+openshift_master_ca_cert: "{{ openshift_master_ca_dir }}/cert.crt"
+openshift_master_ca_key: "{{ openshift_master_ca_dir }}/key.key"
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index e3c04585b..3d56bdd67 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -13,17 +13,22 @@
failed_when: not result.stat.exists
register: result
with_items:
- - "{{ cert_path }}"
- - "{{ cert_path }}/cert.crt"
- - "{{ cert_path }}/key.key"
- - "{{ cert_path }}/.kubeconfig"
- - "{{ cert_path }}/server.crt"
- - "{{ cert_path }}/server.key"
- - "{{ cert_parent_path }}/ca/cert.crt"
- #- "{{ cert_path }}/node.yaml"
+ - "{{ openshift_node_cert_dir }}"
+ - "{{ openshift_node_cert_dir }}/ca.crt"
+ - "{{ openshift_node_cert_dir }}/client.crt"
+ - "{{ openshift_node_cert_dir }}/client.key"
+ - "{{ openshift_node_cert_dir }}/.kubeconfig"
+ - "{{ openshift_node_cert_dir }}/node-config.yaml"
+ - "{{ openshift_node_cert_dir }}/server.crt"
+ - "{{ openshift_node_cert_dir }}/server.key"
- name: Install OpenShift Node package
yum: pkg=openshift-node state=installed
+ register: install_result
+
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: install_result | changed
# --create-certs=false is a temporary workaround until
# https://github.com/openshift/origin/pull/1361 is merged upstream and it is
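Review bot: the `stat` loop only asserts that each path exists; `client.key` and `server.key` are private keys that, per the commit message, are now synced to the node by a non-root sudo user, so their mode is worth asserting too, e.g. `failed_when: not result.stat.exists or (item.endswith('.key') and result.stat.mode != '0600')`. Also, `register: result` follows `failed_when` in the listing; both orders work, but putting `register` first reads as intended.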
@@ -32,16 +37,7 @@
lineinfile:
dest: /etc/sysconfig/openshift-node
regexp: '^OPTIONS='
- line: "OPTIONS=\"--hostname={{ openshift.common.hostname }} --loglevel={{ openshift.node.debug_level }} --create-certs=false\""
- notify:
- - restart openshift-node
-
-- name: Set default registry url
- lineinfile:
- dest: /etc/sysconfig/openshift-node
- regexp: '^IMAGES='
- line: "IMAGES={{ openshift_registry_url }}"
- when: openshift_registry_url is defined
+ line: "OPTIONS=\"--loglevel={{ openshift.node.debug_level }} --config={{ openshift_node_cert_dir }}/node-config.yaml\""
notify:
- restart openshift-node
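Review bot: the comment block immediately above this hunk (`# --create-certs=false is a temporary workaround until https://github.com/openshift/origin/pull/1361 ...`) describes a flag that the new `OPTIONS=` line no longer passes, so it is now stale; drop it or move the explanation next to the node-config generation in openshift_register_nodes. The `--config` path also hard-codes `node-config.yaml` under `openshift_node_cert_dir`, the same literal used in the `stat` list above; a single `openshift_node_config` variable in `vars/main.yml` would keep the two in step.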
diff --git a/roles/openshift_node/vars/main.yml b/roles/openshift_node/vars/main.yml
new file mode 100644
index 000000000..c6be83139
--- /dev/null
+++ b/roles/openshift_node/vars/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_node_cert_dir: /etc/openshift/node
diff --git a/roles/openshift_register_nodes/defaults/main.yml b/roles/openshift_register_nodes/defaults/main.yml
index 3501e8922..a0befab44 100644
--- a/roles/openshift_register_nodes/defaults/main.yml
+++ b/roles/openshift_register_nodes/defaults/main.yml
@@ -1,5 +1,2 @@
---
openshift_kube_api_version: v1beta1
-openshift_cert_dir: openshift.local.certificates
-openshift_cert_dir_parent: /var/lib/openshift
-openshift_cert_dir_abs: "{{ openshift_cert_dir_parent ~ '/' ~ openshift_cert_dir }}"
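Review bot: the three variables removed here return under new names (`openshift_cert_parent_dir`, `openshift_cert_relative_dir`, `openshift_cert_dir`) in `vars/main.yml` of this role and of openshift_common, and `openshift_cert_dir` changes meaning from a relative name to an absolute path. Any inventory or playbook that set `openshift_cert_dir_parent` or `openshift_cert_dir` will now be silently ignored; call the rename out in the role README.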
diff --git a/roles/openshift_register_nodes/library/kubernetes_register_node.py b/roles/openshift_register_nodes/library/kubernetes_register_node.py
index 8ebeb087a..1ec977716 100755
--- a/roles/openshift_register_nodes/library/kubernetes_register_node.py
+++ b/roles/openshift_register_nodes/library/kubernetes_register_node.py
@@ -97,10 +97,8 @@ class ClientConfigException(Exception):
class ClientConfig:
def __init__(self, client_opts, module):
- _, output, error = module.run_command(["/usr/bin/openshift", "ex",
- "config", "view", "-o",
- "json"] + client_opts,
- check_rc = True)
+ kubectl = module.params['kubectl_cmd']
+ _, output, error = module.run_command(kubectl + ["config", "view", "-o", "json"] + client_opts, check_rc = True)
self.config = json.loads(output)
if not (bool(self.config['clusters']) or
@@ -146,6 +144,9 @@ class ClientConfig:
def get_cluster_for_context(self, context):
return self.get_value_for_context(context, 'cluster')
+ def get_namespace_for_context(self, context):
+ return self.get_value_for_context(context, 'namespace')
+
class Util:
@staticmethod
def remove_empty_elements(mapping):
@@ -247,15 +248,15 @@ class Node:
return Util.remove_empty_elements(node)
def exists(self):
- _, output, error = self.module.run_command(["/usr/bin/osc", "get",
- "nodes"] + self.client_opts,
- check_rc = True)
+ kubectl = self.module.params['kubectl_cmd']
+ _, output, error = self.module.run_command(kubectl + ["get", "nodes"] + self.client_opts, check_rc = True)
if re.search(self.module.params['name'], output, re.MULTILINE):
return True
return False
def create(self):
- cmd = ['/usr/bin/osc'] + self.client_opts + ['create', 'node', '-f', '-']
+ kubectl = self.module.params['kubectl_cmd']
+ cmd = kubectl + self.client_opts + ['create', '-f', '-']
rc, output, error = self.module.run_command(cmd,
data=self.module.jsonify(self.get_node()))
if rc != 0:
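Review bot: `exists()` still decides by `re.search(self.module.params['name'], output, re.MULTILINE)` over the text of `get nodes`, treating the node name as a regular expression: dots in a hostname match any character and `node1` matches a line for `node10`, so a node can be reported as already registered and never created. Ask for the node by name instead, e.g. `kubectl + ["get", "node", self.module.params['name']] + self.client_opts` and test the return code, or request `-o json` and compare names exactly.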
@@ -273,24 +274,26 @@ class Node:
def main():
module = AnsibleModule(
- argument_spec = dict(
- name = dict(required = True, type = 'str'),
- host_ip = dict(type = 'str'),
- hostnames = dict(type = 'list', default = []),
- external_ips = dict(type = 'list', default = []),
- internal_ips = dict(type = 'list', default = []),
- api_version = dict(type = 'str', default = 'v1beta1', # TODO: after kube rebase, we can default to v1beta3
- choices = ['v1beta1', 'v1beta3']),
- cpu = dict(type = 'str'),
- memory = dict(type = 'str'),
- labels = dict(type = 'dict', default = {}), # TODO: needs documented
- annotations = dict(type = 'dict', default = {}), # TODO: needs documented
- pod_cidr = dict(type = 'str'), # TODO: needs documented
- external_id = dict(type = 'str'), # TODO: needs documented
- client_config = dict(type = 'str'), # TODO: needs documented
- client_cluster = dict(type = 'str', default = 'master'), # TODO: needs documented
- client_context = dict(type = 'str', default = 'master'), # TODO: needs documented
- client_user = dict(type = 'str', default = 'admin') # TODO: needs documented
+ argument_spec = dict(
+ name = dict(required = True, type = 'str'),
+ host_ip = dict(type = 'str'),
+ hostnames = dict(type = 'list', default = []),
+ external_ips = dict(type = 'list', default = []),
+ internal_ips = dict(type = 'list', default = []),
+ api_version = dict(type = 'str', default = 'v1beta1', # TODO: after kube rebase, we can default to v1beta3
+ choices = ['v1beta1', 'v1beta3']),
+ cpu = dict(type = 'str'),
+ memory = dict(type = 'str'),
+ labels = dict(type = 'dict', default = {}), # TODO: needs documented
+ annotations = dict(type = 'dict', default = {}), # TODO: needs documented
+ pod_cidr = dict(type = 'str'), # TODO: needs documented
+ external_id = dict(type = 'str'), # TODO: needs documented
+ client_config = dict(type = 'str'), # TODO: needs documented
+ client_cluster = dict(type = 'str', default = 'master'), # TODO: needs documented
+ client_context = dict(type = 'str', default = 'default'), # TODO: needs documented
+ client_namespace = dict(type = 'str', default = 'default'), # TODO: needs documented
+ client_user = dict(type = 'str', default = 'system:openshift-client'), # TODO: needs documented
+ kubectl_cmd = dict(type = 'list', default = ['kubectl']) # TODO: needs documented
),
mutually_exclusive = [
['host_ip', 'external_ips'],
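Review bot: `kubectl_cmd` is declared `type='list'` and used as the argv prefix in `run_command`, so a caller who writes `kubectl_cmd: "openshift kube"` executes a single program named `openshift kube` and gets a not-found error; the DOCUMENTATION block should state that the value is a list (`['openshift', 'kube']`, as the role's task passes it), and both new options (`client_namespace`, `kubectl_cmd`) still carry `# TODO: needs documented`. Note also that the defaults for `client_user` (`admin` to `system:openshift-client`) and `client_context` (`master` to `default`) change in this hunk; existing callers that relied on the old defaults break without any message pointing at the cause.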
@@ -333,14 +336,16 @@ def main():
client_cluster = module.params['client_cluster']
if config.has_cluster(client_cluster):
- if client_cluster != config.get_cluster_for_context(client_cluster):
+ if client_cluster != config.get_cluster_for_context(client_context):
client_opts.append("--cluster=%s" % client_cluster)
else:
module.fail_json(msg="Cluster %s not found in client config" %
client_cluster)
- # TODO: provide sane defaults for some (like hostname, externalIP,
- # internalIP, etc)
+ client_namespace = module.params['client_namespace']
+ if client_namespace != config.get_namespace_for_context(client_context):
+ client_opts.append("--namespace=%s" % client_namespace)
+
node = Node(module, client_opts, module.params['api_version'],
module.params['name'], module.params['host_ip'],
module.params['hostnames'], module.params['external_ips'],
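Review bot: comparing against `get_cluster_for_context(client_context)` instead of `client_cluster` is the right fix for the cluster check. In the new namespace block, if `get_namespace_for_context` returns None for a context with no namespace set, the comparison with the `'default'` default always appends `--namespace=default`; harmless, but guarding with `is not None` would avoid the redundant flag and mirror the cluster logic above.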
diff --git a/roles/openshift_register_nodes/tasks/main.yml b/roles/openshift_register_nodes/tasks/main.yml
index 7319b88b1..85f490f70 100644
--- a/roles/openshift_register_nodes/tasks/main.yml
+++ b/roles/openshift_register_nodes/tasks/main.yml
@@ -3,53 +3,37 @@
# TODO: recreate master/node configs if settings that affect the configs
# change (hostname, public_hostname, ip, public_ip, etc)
-# TODO: create a failed_when condition
-- name: Create node server certificates
- command: >
- /usr/bin/openshift admin create-server-cert
- --overwrite=false
- --cert={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
- --key={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}/server.key
- --hostnames={{ [item.openshift.common.hostname,
- item.openshift.common.public_hostname]|unique|join(",") }}
- args:
- chdir: "{{ openshift_cert_dir_parent }}"
- creates: "{{ openshift_cert_dir_abs }}/node-{{ item.openshift.common.hostname }}/server.crt"
- with_items: openshift_nodes
- register: server_cert_result
-
-# TODO: create a failed_when condition
-- name: Create node client certificates
- command: >
- /usr/bin/openshift admin create-node-cert
- --overwrite=false
- --cert={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}/cert.crt
- --key={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}/key.key
- --node-name={{ item.openshift.common.hostname }}
- args:
- chdir: "{{ openshift_cert_dir_parent }}"
- creates: "{{ openshift_cert_dir_abs }}/node-{{ item.openshift.common.hostname }}/cert.crt"
- with_items: openshift_nodes
- register: node_cert_result
+# TODO: use a template lookup here
# TODO: create a failed_when condition
-- name: Create kubeconfigs for nodes
+- name: Use enterprise default for openshift_registry_url if not set
+ set_fact:
+ openshift_registry_url: "openshift3_beta/ose-${component}:${version}"
+ when: openshift.common.deployment_type == 'enterprise' and openshift_registry_url is not defined
+- name: Create node config
command: >
- /usr/bin/openshift admin create-kubeconfig
- --client-certificate={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}/cert.crt
- --client-key={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}/key.key
- --kubeconfig={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}/.kubeconfig
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
+ /usr/bin/openshift admin create-node-config
+ --node-dir={{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}
+ --node={{ item.openshift.common.hostname }}
+ --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname]|unique|join(",") }}
+ --dns-domain={{ openshift.dns.domain }}
+ --dns-ip={{ openshift.dns.ip }}
+ --master={{ openshift.master.api_url }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --certificate-authority={{ openshift_master_ca_cert }}
+ --signer-serial={{ openshift_master_ca_dir }}/serial.txt
+ --node-client-certificate-authority={{ openshift_master_ca_cert }}
+ {{ ('--images=' ~ openshift_registry_url) if openshift_registry_url is defined else '' }}
+ --listen=https://0.0.0.0:10250
args:
- chdir: "{{ openshift_cert_dir_parent }}"
- creates: "{{ openshift_cert_dir_abs }}/node-{{ item.openshift.common.hostname }}/.kubeconfig"
+ chdir: "{{ openshift_cert_parent_dir }}"
+ creates: "{{ openshift_cert_dir }}/node-{{ item.openshift.common.hostname }}"
with_items: openshift_nodes
- register: kubeconfig_result
- name: Register unregistered nodes
kubernetes_register_node:
- client_user: openshift-client
+ kubectl_cmd: ['openshift', 'kube']
name: "{{ item.openshift.common.hostname }}"
api_version: "{{ openshift_kube_api_version }}"
cpu: "{{ item.openshift.node.resources_cpu | default(None) }}"
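Review bot: `--hostnames` puts only `hostname` and `public_hostname` in the node server certificate, while the master config generated in `roles/openshift_master/tasks/main.yml` passes `--nodes={{ openshift_node_ips | join(',') }}`, i.e. IP addresses, so a master that reaches the kubelet on `https://...:10250` by IP will fail TLS verification against a certificate with no IP SAN. Add `item.openshift.common.ip` and `item.openshift.common.public_ip` to the `--hostnames` list. Separately, `creates:` is keyed on the node directory rather than a file inside it, so a run interrupted after the directory is created but before `create-node-config` finishes leaves a half-populated directory that every later run skips; key it on `.../node-config.yaml` (and keep the `failed_when` TODO in mind).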
@@ -61,7 +45,5 @@
external_id: "{{ item.openshift.node.external_id }}"
# TODO: support customizing other attributes such as: client_config,
# client_cluster, client_context, client_user
- # TODO: update for v1beta3 changes after rebase: hostnames, external_ips,
- # internal_ips, external_id
with_items: openshift_nodes
register: register_result
diff --git a/roles/openshift_register_nodes/vars/main.yml b/roles/openshift_register_nodes/vars/main.yml
new file mode 100644
index 000000000..bd497f08f
--- /dev/null
+++ b/roles/openshift_register_nodes/vars/main.yml
@@ -0,0 +1,7 @@
+---
+openshift_cert_parent_dir: /var/lib/openshift
+openshift_cert_relative_dir: openshift.local.certificates
+openshift_cert_dir: "{{ openshift_cert_parent_dir }}/{{ openshift_cert_relative_dir }}"
+openshift_master_ca_dir: "{{ openshift_cert_dir }}/ca"
+openshift_master_ca_cert: "{{ openshift_master_ca_dir }}/cert.crt"
+openshift_master_ca_key: "{{ openshift_master_ca_dir }}/key.key"
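Review bot: `openshift_master_ca_dir`, `openshift_master_ca_cert` and `openshift_master_ca_key` duplicate `roles/openshift_master/vars/main.yml` line for line, and the three `openshift_cert_*` lines duplicate `roles/openshift_common/vars/main.yml`. Two copies of the CA key path will drift; since this role runs on the master and needs the signer key, declare a dependency on openshift_master (or openshift_common) in `meta/main.yml` and drop this file.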
diff --git a/roles/openshift_repos/README.md b/roles/openshift_repos/README.md
index 6713e11fc..6bbedd839 100644
--- a/roles/openshift_repos/README.md
+++ b/roles/openshift_repos/README.md
@@ -14,7 +14,7 @@ Role Variables
| Name | Default value | |
|-------------------------------|---------------|----------------------------------------------|
-| openshift_deployment_type | online | Possible values enterprise, origin, online |
+| openshift_deployment_type | None | Possible values enterprise, origin, online |
| openshift_additional_repos | {} | TODO |
Dependencies
diff --git a/roles/openshift_repos/defaults/main.yaml b/roles/openshift_repos/defaults/main.yaml
index 1730207f4..7c5a14cd7 100644
--- a/roles/openshift_repos/defaults/main.yaml
+++ b/roles/openshift_repos/defaults/main.yaml
@@ -1,7 +1,2 @@
---
-# TODO: once we are able to configure/deploy origin using the openshift roles,
-# then we should default to origin
-
-# TODO: push the defaulting of these values to the openshift_facts module
-openshift_deployment_type: online
openshift_additional_repos: {}
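Review bot: removing `openshift_deployment_type: online` leaves the role with no default at all, which the README change above records as `None`; the commit message says origin is now the default, but that default lives in bin/cluster and the playbooks rather than in the role, so a byo user who omits the variable gets an undefined-variable failure from the `deployment_type` fact in openshift_common. Either keep a default here or state in the README that the variable is required.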
diff --git a/roles/openshift_repos/files/online/epel7-kubernetes.repo b/roles/openshift_repos/files/online/epel7-kubernetes.repo
deleted file mode 100644
index 1deae2939..000000000
--- a/roles/openshift_repos/files/online/epel7-kubernetes.repo
+++ /dev/null
@@ -1,6 +0,0 @@
-[maxamillion-epel7-kubernetes]
-name=Copr repo for epel7-kubernetes owned by maxamillion
-baseurl=http://copr-be.cloud.fedoraproject.org/results/maxamillion/epel7-kubernetes/epel-7-$basearch/
-skip_if_unavailable=True
-gpgcheck=0
-enabled=1
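Review bot: dropping this file removes a repo configured with `gpgcheck=0` and a plain `http://` baseurl, which is a good change in itself; the replacement `roles/openshift_repos/files/origin/repos/maxamillion-origin-next-epel-7.repo` listed in the diffstat is also a Copr repo, and its seven lines are not shown on this page, so confirm it sets `gpgcheck=1` with a `gpgkey`, otherwise every package an origin deployment installs is unverified.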
diff --git a/roles/openshift_repos/files/online/RPM-GPG-KEY-redhat-beta b/roles/openshift_repos/files/online/gpg_keys/RPM-GPG-KEY-redhat-beta
index 7b40671a4..7b40671a4 100644
--- a/roles/openshift_repos/files/online/RPM-GPG-KEY-redhat-beta
+++ b/roles/openshift_repos/files/online/gpg_keys/RPM-GPG-KEY-redhat-beta
diff --git a/roles/openshift_repos/files/online/RPM-GPG-KEY-redhat-release b/roles/openshift_repos/files/online/gpg_keys/RPM-GPG-KEY-redhat-release
index 0f83b622d..0f83b622d 100644
--- a/roles/openshift_repos/files/online/RPM-GPG-KEY-redhat-release
+++ b/roles/openshift_repos/files/online/gpg_keys/RPM-GPG-KEY-redhat-release
diff --git a/roles/openshift_repos/files/online/epel7-openshift.repo b/roles/openshift_repos/files/online/repos/epel7-openshift.repo
index c7629872d..c7629872d 100644
--- a/roles/openshift_repos/files/online/epel7-openshift.repo
+++ b/roles/openshift_repos/files/online/repos/epel7-openshift.repo
diff --git a/roles/openshift_repos/files/online/oso-rhui-rhel-7-extras.repo b/roles/openshift_repos/files/online/repos/oso-rhui-rhel-7-extras.repo
index cfe41f691..cfe41f691 100644
--- a/roles/openshift_repos/files/online/oso-rhui-rhel-7-extras.repo
+++ b/roles/openshift_repos/files/online/repos/oso-rhui-rhel-7-extras.repo
diff --git a/roles/openshift_repos/files/online/oso-rhui-rhel-7-server.repo b/roles/openshift_repos/files/online/repos/oso-rhui-rhel-7-server.repo
index ddc93193d..ddc93193d 100644
--- a/roles/openshift_repos/files/online/oso-rhui-rhel-7-server.repo
+++ b/roles/openshift_repos/files/online/repos/oso-rhui-rhel-7-server.repo
diff --git a/roles/openshift_repos/files/online/rhel-7-libra-candidate.repo b/roles/openshift_repos/files/online/repos/rhel-7-libra-candidate.repo
index b4215679f..b4215679f 100644
--- a/roles/openshift_repos/files/online/rhel-7-libra-candidate.repo
+++ b/roles/openshift_repos/files/online/repos/rhel-7-libra-candidate.repo
diff --git a/roles/openshift_repos/files/origin/repos/maxamillion-origin-next-epel-7.repo b/roles/openshift_repos/files/origin/repos/maxamillion-origin-next-epel-7.repo
new file mode 100644
index 000000000..0b21e0a65
--- /dev/null
+++ b/roles/openshift_repos/files/origin/repos/maxamillion-origin-next-epel-7.repo
@@ -0,0 +1,7 @@
+[maxamillion-origin-next]
+name=Copr repo for origin-next owned by maxamillion
+baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/epel-7-$basearch/
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/pubkey.gpg
+enabled=1
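Review bot: `gpgkey` points at a remote URL on the same host that serves the packages, so the signing key is fetched on first use from the package source it is meant to verify. The role now has a `<type>/gpg_keys/` convention that copies keys into /etc/pki/rpm-gpg/; ship the Copr public key there and reference it as `file:///etc/pki/rpm-gpg/<keyfile>` so the trust anchor is pinned in the repository rather than downloaded. `skip_if_unavailable=True` also means a package install silently proceeds without this repo if it is down, which can mask a missing origin package until runtime.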
diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml
index bb1551d37..12e98b7a1 100644
--- a/roles/openshift_repos/tasks/main.yaml
+++ b/roles/openshift_repos/tasks/main.yaml
@@ -10,10 +10,6 @@
- assert:
that: openshift_deployment_type in known_openshift_deployment_types
-# TODO: remove this when origin support actually works
-- fail: msg="OpenShift Origin support is not currently enabled"
- when: openshift_deployment_type == 'origin'
-
- name: Ensure libselinux-python is installed
yum:
pkg: libselinux-python
@@ -36,17 +32,15 @@
path: "/etc/yum.repos.d/{{ item | basename }}"
state: absent
with_fileglob:
- - '*/*'
- when: not (item | search("/files/" + openshift_deployment_type + "/")) and (item | search(".repo$"))
+ - '*/repos/*'
+ when: not (item | search("/files/" ~ openshift_deployment_type ~ "/repos"))
- name: Configure gpg keys if needed
copy: src={{ item }} dest=/etc/pki/rpm-gpg/
with_fileglob:
- - "{{ openshift_deployment_type }}/*"
- when: item | basename | match("RPM-GPG-KEY-")
+ - "{{ openshift_deployment_type }}/gpg_keys/*"
- name: Configure yum repositories
copy: src={{ item }} dest=/etc/yum.repos.d/
with_fileglob:
- - "{{ openshift_deployment_type }}/*"
- when: item | basename | search(".*\.repo$")
+ - "{{ openshift_deployment_type }}/repos/*"
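Review bot: dropping the `.repo$` guard means every file under `<type>/repos/` is copied into /etc/yum.repos.d/ whatever its name; yum only reads *.repo, so a misnamed file is silently ignored, and the cleanup task above removes by basename across all deployment types, so a same-named file in two types is deleted and re-copied on every run. Keep a `when: item | basename | search(".repo$")` on the copy task, or document the naming convention in the README. The switch from `+` to `~` in the cleanup `when` is correct, since `~` forces string concatenation regardless of operand type.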
diff --git a/roles/openshift_repos/templates/yum_repo.j2 b/roles/openshift_repos/templates/yum_repo.j2
index 7ea2c7460..2d9243545 100644
--- a/roles/openshift_repos/templates/yum_repo.j2
+++ b/roles/openshift_repos/templates/yum_repo.j2
@@ -1,4 +1,3 @@
-# {{ ansible_managed }}
{% for repo in openshift_additional_repos %}
[{{ repo.id }}]
name={{ repo.name | default(repo.id) }}
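Review bot: removing the `# {{ ansible_managed }}` header drops the only hint to an administrator that /etc/yum.repos.d files from openshift_additional_repos are overwritten by the playbook. If it was removed because the timestamp in ansible_managed makes the task report changed on every run, say so in the commit message or replace it with a static "managed by ansible" comment.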
diff --git a/roles/openshift_sdn_master/tasks/main.yml b/roles/openshift_sdn_master/tasks/main.yml
index f2d61043b..77e7a80ba 100644
--- a/roles/openshift_sdn_master/tasks/main.yml
+++ b/roles/openshift_sdn_master/tasks/main.yml
@@ -12,12 +12,21 @@
yum:
pkg: openshift-sdn-master
state: installed
+ register: install_result
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: install_result | changed
+
+# TODO: we should probably generate certs specifically for sdn
- name: Configure openshift-sdn-master settings
lineinfile:
dest: /etc/sysconfig/openshift-sdn-master
regexp: '^OPTIONS='
- line: "OPTIONS=\"-v={{ openshift.master_sdn.debug_level }}\""
+ line: "OPTIONS=\"-v={{ openshift.master_sdn.debug_level }} -etcd-endpoints={{ openshift_sdn_master_url}}
+ -etcd-cafile={{ openshift_cert_dir }}/ca/ca.crt
+ -etcd-certfile={{ openshift_cert_dir }}/openshift-client/cert.crt
+ -etcd-keyfile={{ openshift_cert_dir }}/openshift-client/key.key\""
notify:
- restart openshift-sdn-master
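Review bot: the new `-etcd-cafile` path `{{ openshift_cert_dir }}/ca/ca.crt` does not match the vars hunk earlier in this commit, which defines `openshift_master_ca_cert` as `{{ openshift_master_ca_dir }}/cert.crt` under the same `ca` directory; one of the two names is wrong, so reference the variable here rather than re-deriving the path. The TODO is the security point worth keeping visible: sdn-master authenticates to etcd with the openshift-client certificate, so it holds whatever etcd access that client has; a dedicated sdn certificate would keep it to least privilege. Minor: `{{ openshift_sdn_master_url}}` is missing the space before `}}`.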
diff --git a/roles/openshift_sdn_node/tasks/main.yml b/roles/openshift_sdn_node/tasks/main.yml
index 729c28879..c2329dd6f 100644
--- a/roles/openshift_sdn_node/tasks/main.yml
+++ b/roles/openshift_sdn_node/tasks/main.yml
@@ -9,9 +9,15 @@
yum:
pkg: openshift-sdn-node
state: installed
+ register: install_result
+
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: install_result | changed
# TODO: we are specifying -hostname= for OPTIONS as a workaround for
# openshift-sdn-node not properly detecting the hostname.
+# TODO: we should probably generate certs specifically for sdn
- name: Configure openshift-sdn-node settings
lineinfile:
dest: /etc/sysconfig/openshift-sdn-node
@@ -20,7 +26,10 @@
backrefs: yes
with_items:
- regex: '^(OPTIONS=)'
- line: '\1"-v={{ openshift.node_sdn.debug_level }} -hostname={{ openshift.common.hostname }}"'
+ line: '\1"-v={{ openshift.node_sdn.debug_level }} -hostname={{ openshift.common.hostname }}
+ -etcd-cafile={{ openshift_node_cert_dir }}/ca.crt
+ -etcd-certfile={{ openshift_node_cert_dir }}/client.crt
+ -etcd-keyfile={{ openshift_node_cert_dir }}/client.key\"'
- regex: '^(MASTER_URL=)'
line: '\1"{{ openshift_sdn_master_url }}"'
- regex: '^(MINION_IP=)'
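Review bot: the closing `\"'` on the `-etcd-keyfile` line is a bug. This `line:` is a single-quoted YAML scalar, where backslash escapes are not processed, so the value ends in a literal `\"` and the sysconfig file gets `OPTIONS="... -etcd-keyfile=.../client.key\"`, a backslash before the closing quote; the master task gets away with `\"` only because its `line:` is double-quoted YAML. Match the opening `\1"` and end with `client.key"'`. Same least-privilege caveat as the master: the node's etcd identity is its openshift client certificate, as the added TODO notes.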
diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py
index 90588d2ae..9d0af497d 100755
--- a/roles/os_firewall/library/os_firewall_manage_iptables.py
+++ b/roles/os_firewall/library/os_firewall_manage_iptables.py
@@ -270,4 +270,5 @@ def main():
# import module snippets
from ansible.module_utils.basic import *
-main()
+if __name__ == '__main__':
+ main()