summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--playbooks/openstack/README.md2
-rw-r--r--playbooks/openstack/advanced-configuration.md84
-rw-r--r--roles/openshift_master/tasks/registry_auth.yml8
-rw-r--r--roles/openshift_node/tasks/registry_auth.yml8
-rw-r--r--roles/openshift_openstack/defaults/main.yml3
-rw-r--r--roles/openshift_openstack/tasks/populate-dns.yml9
-rw-r--r--roles/openshift_openstack/templates/heat_stack.yaml.j231
7 files changed, 19 insertions, 126 deletions
diff --git a/playbooks/openstack/README.md b/playbooks/openstack/README.md
index ff0b7adc7..f567242cd 100644
--- a/playbooks/openstack/README.md
+++ b/playbooks/openstack/README.md
@@ -215,7 +215,6 @@ advanced configuration:
* [External Dns][external-dns]
* Multiple Clusters (TODO)
* [Cinder Registry][cinder-registry]
-* [Bastion Node][bastion]
[ansible]: https://www.ansible.com/
@@ -234,4 +233,3 @@ advanced configuration:
[loadbalancer]: ./advanced-configuration.md#multi-master-configuration
[external-dns]: ./advanced-configuration.md#dns-configuration-variables
[cinder-registry]: ./advanced-configuration.md#creating-and-using-a-cinder-volume-for-the-openshift-registry
-[bastion]: ./advanced-configuration.md#configure-static-inventory-and-access-via-a-bastion-node
diff --git a/playbooks/openstack/advanced-configuration.md b/playbooks/openstack/advanced-configuration.md
index c0bdf5020..cb8af4a9e 100644
--- a/playbooks/openstack/advanced-configuration.md
+++ b/playbooks/openstack/advanced-configuration.md
@@ -328,14 +328,6 @@ The `openshift_openstack_required_packages` variable also provides a list of the
prerequisite packages to be installed before to deploy an OpenShift cluster.
Those are ignored though, if the `manage_packages: False`.
-The `openstack_inventory` controls either a static inventory will be created after the
-cluster nodes provisioned on OpenStack cloud. Note, the fully dynamic inventory
-is yet to be supported, so the static inventory will be created anyway.
-
-The `openstack_inventory_path` points the directory to host the generated static inventory.
-It should point to the copied example inventory directory, otherwise ti creates
-a new one for you.
-
## Multi-master configuration
Please refer to the official documentation for the
@@ -538,43 +530,6 @@ You can also run the registry setup playbook directly:
-## Configure static inventory and access via a bastion node
-
-Example inventory variables:
-
- openshift_openstack_use_bastion: true
- openshift_openstack_bastion_ingress_cidr: "{{openshift_openstack_subnet_prefix}}.0/24"
- openstack_private_ssh_key: ~/.ssh/id_rsa
- openstack_inventory: static
- openstack_inventory_path: ../../../../inventory
- openstack_ssh_config_path: /tmp/ssh.config.openshift.ansible.openshift.example.com
-
-The `openshift_openstack_subnet_prefix` is the openstack private network for your cluster.
-And the `openshift_openstack_bastion_ingress_cidr` defines accepted range for SSH connections to nodes
-additionally to the `openshift_openstack_ssh_ingress_cidr`` (see the security notes above).
-
-The SSH config will be stored on the ansible control node by the
-gitven path. Ansible uses it automatically. To access the cluster nodes with
-that ssh config, use the `-F` prefix, f.e.:
-
- ssh -F /tmp/ssh.config.openshift.ansible.openshift.example.com master-0.openshift.example.com echo OK
-
-Note, relative paths will not work for the `openstack_ssh_config_path`, but it
-works for the `openstack_private_ssh_key` and `openstack_inventory_path`. In this
-guide, the latter points to the current directory, where you run ansible commands
-from.
-
-To verify nodes connectivity, use the command:
-
- ansible -v -i inventory/hosts -m ping all
-
-If something is broken, double-check the inventory variables, paths and the
-generated `<openstack_inventory_path>/hosts` and `openstack_ssh_config_path` files.
-
-The `inventory: dynamic` can be used instead to access cluster nodes directly via
-floating IPs. In this mode you can not use a bastion node and should specify
-the dynamic inventory file in your ansible commands , like `-i openstack.py`.
-
## Using Docker on the Ansible host
If you don't want to worry about the dependencies, you can use the
@@ -604,28 +559,6 @@ the playbooks:
ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
-### Run the playbook
-
-Assuming your OpenStack (Keystone) credentials are in the `keystonerc`
-this is how you stat the provisioning process from your ansible control node:
-
- . keystonerc
- ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
-
-Note, here you start with an empty inventory. The static inventory will be populated
-with data so you can omit providing additional arguments for future ansible commands.
-
-If bastion enabled, the generates SSH config must be applied for ansible.
-Otherwise, it is auto included by the previous step. In order to execute it
-as a separate playbook, use the following command:
-
- ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/post-provision-openstack.yml
-
-The first infra node then becomes a bastion node as well and proxies access
-for future ansible commands. The post-provision step also configures Satellite,
-if requested, and DNS server, and ensures other OpenShift requirements to be met.
-
-
## Running Custom Post-Provision Actions
A custom playbook can be run like this:
@@ -733,21 +666,6 @@ Once it succeeds, you can install openshift by running:
OpenShift UI may be accessed via the 1st master node FQDN, port 8443.
-When using a bastion, you may want to make an SSH tunnel from your control node
-to access UI on the `https://localhost:8443`, with this inventory variable:
-
- openshift_openstack_ui_ssh_tunnel: True
-
-Note, this requires sudo rights on the ansible control node and an absolute path
-for the `openstack_private_ssh_key`. You should also update the control node's
-`/etc/hosts`:
-
- 127.0.0.1 master-0.openshift.example.com
-
-In order to access UI, the ssh-tunnel service will be created and started on the
-control node. Make sure to remove these changes and the service manually, when not
-needed anymore.
-
## Scale Deployment up/down
### Scaling up
@@ -766,5 +684,3 @@ Usage:
```
ansible-playbook -i <path to inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/scale-up.yaml` [-e increment_by=<number>] [-e openshift_ansible_dir=<path to openshift-ansible>]
```
-
-Note: This playbook works only without a bastion node (`openshift_openstack_use_bastion: False`).
diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml
index c95f562d0..ca04d2243 100644
--- a/roles/openshift_master/tasks/registry_auth.yml
+++ b/roles/openshift_master/tasks/registry_auth.yml
@@ -33,7 +33,7 @@
- openshift_docker_alternative_creds | default(False) | bool
- oreg_auth_user is defined
- (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
- register: master_oreg_auth_credentials_create
+ register: master_oreg_auth_credentials_create_alt
notify:
- restart master api
- restart master controllers
@@ -45,4 +45,8 @@
when:
- openshift.common.is_containerized | bool
- oreg_auth_user is defined
- - (master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or master_oreg_auth_credentials_create.changed) | bool
+ - >
+ (master_oreg_auth_credentials_stat.stat.exists
+ or oreg_auth_credentials_replace
+ or master_oreg_auth_credentials_create.changed
+ or master_oreg_auth_credentials_create_alt.changed) | bool
diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml
index f5428867a..ab43ec049 100644
--- a/roles/openshift_node/tasks/registry_auth.yml
+++ b/roles/openshift_node/tasks/registry_auth.yml
@@ -32,7 +32,7 @@
- openshift_docker_alternative_creds | bool
- oreg_auth_user is defined
- (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
- register: node_oreg_auth_credentials_create
+ register: node_oreg_auth_credentials_create_alt
notify:
- restart node
@@ -43,4 +43,8 @@
when:
- openshift.common.is_containerized | bool
- oreg_auth_user is defined
- - (node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or node_oreg_auth_credentials_create.changed) | bool
+ - >
+ (node_oreg_auth_credentials_stat.stat.exists
+ or oreg_auth_credentials_replace
+ or node_oreg_auth_credentials_create.changed
+ or node_oreg_auth_credentials_create_alt.changed) | bool
diff --git a/roles/openshift_openstack/defaults/main.yml b/roles/openshift_openstack/defaults/main.yml
index 5f182e0d6..e72e7a9df 100644
--- a/roles/openshift_openstack/defaults/main.yml
+++ b/roles/openshift_openstack/defaults/main.yml
@@ -4,7 +4,6 @@ openshift_openstack_stack_state: 'present'
openshift_openstack_ssh_ingress_cidr: 0.0.0.0/0
openshift_openstack_node_ingress_cidr: 0.0.0.0/0
openshift_openstack_lb_ingress_cidr: 0.0.0.0/0
-openshift_openstack_bastion_ingress_cidr: 0.0.0.0/0
openshift_openstack_num_etcd: 0
openshift_openstack_num_masters: 1
openshift_openstack_num_nodes: 1
@@ -91,6 +90,4 @@ openshift_openstack_node_volume_size: "{{ openshift_openstack_docker_volume_size
openshift_openstack_etcd_volume_size: 2
openshift_openstack_dns_volume_size: 1
openshift_openstack_lb_volume_size: 5
-openshift_openstack_use_bastion: false
-openshift_openstack_ui_ssh_tunnel: false
openshift_openstack_ephemeral_volumes: false
diff --git a/roles/openshift_openstack/tasks/populate-dns.yml b/roles/openshift_openstack/tasks/populate-dns.yml
index c03aceb94..b5c4da532 100644
--- a/roles/openshift_openstack/tasks/populate-dns.yml
+++ b/roles/openshift_openstack/tasks/populate-dns.yml
@@ -63,15 +63,6 @@
when:
- hostvars[groups.masters[0]].openshift_master_cluster_public_hostname is defined
- openshift_openstack_num_masters == 1
- - not openshift_openstack_use_bastion|bool
-
-- name: "Add public master cluster hostname records to the public A records (single master behind a bastion)"
- set_fact:
- public_records: "{{ public_records | default([]) + [ { 'type': 'A', 'hostname': (hostvars[groups.masters[0]].openshift_master_cluster_public_hostname | replace(openshift_openstack_full_dns_domain, ''))[:-1], 'ip': hostvars[groups.bastions[0]].public_v4 } ] }}"
- when:
- - hostvars[groups.masters[0]].openshift_master_cluster_public_hostname is defined
- - openshift_openstack_num_masters == 1
- - openshift_openstack_use_bastion|bool
- name: "Add public master cluster hostname records to the public A records (multi-master)"
set_fact:
diff --git a/roles/openshift_openstack/templates/heat_stack.yaml.j2 b/roles/openshift_openstack/templates/heat_stack.yaml.j2
index 0e7538629..ec488941e 100644
--- a/roles/openshift_openstack/templates/heat_stack.yaml.j2
+++ b/roles/openshift_openstack/templates/heat_stack.yaml.j2
@@ -72,7 +72,7 @@ outputs:
{% endif %}
conditions:
- no_floating: {% if openshift_openstack_provider_network_name or openshift_openstack_use_bastion|bool %}true{% else %}false{% endif %}
+ no_floating: {% if openshift_openstack_provider_network_name %}true{% else %}false{% endif %}
resources:
@@ -180,13 +180,6 @@ resources:
port_range_min: 22
port_range_max: 22
remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }}
-{% if openshift_openstack_use_bastion|bool %}
- - direction: ingress
- protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ openshift_openstack_bastion_ingress_cidr }}
-{% endif %}
- direction: ingress
protocol: icmp
remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }}
@@ -480,7 +473,7 @@ resources:
remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24"
{% endif %}
-{% if openshift_openstack_num_masters|int > 1 or openshift_openstack_ui_ssh_tunnel|bool %}
+{% if openshift_openstack_num_masters|int > 1 %}
lb-secgrp:
type: OS::Neutron::SecurityGroup
properties:
@@ -491,20 +484,13 @@ resources:
protocol: tcp
port_range_min: {{ openshift_master_api_port | default(8443) }}
port_range_max: {{ openshift_master_api_port | default(8443) }}
- remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr | default(openshift_openstack_bastion_ingress_cidr) }}
-{% if openshift_openstack_ui_ssh_tunnel|bool %}
- - direction: ingress
- protocol: tcp
- port_range_min: {{ openshift_master_api_port | default(8443) }}
- port_range_max: {{ openshift_master_api_port | default(8443) }}
- remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }}
-{% endif %}
+ remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr }}
{% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %}
- direction: ingress
protocol: tcp
port_range_min: {{ openshift_master_console_port | default(8443) }}
port_range_max: {{ openshift_master_console_port | default(8443) }}
- remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr | default(openshift_openstack_bastion_ingress_cidr) }}
+ remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr }}
{% endif %}
{% endif %}
@@ -553,7 +539,7 @@ resources:
- no_floating
- null
- {{ openshift_openstack_external_network_name }}
-{% if openshift_openstack_use_bastion|bool or openshift_openstack_provider_network_name %}
+{% if openshift_openstack_provider_network_name %}
attach_float_net: false
{% endif %}
volume_size: {{ openshift_openstack_etcd_volume_size }}
@@ -685,7 +671,7 @@ resources:
- no_floating
- null
- {{ openshift_openstack_external_network_name }}
-{% if openshift_openstack_use_bastion|bool or openshift_openstack_provider_network_name %}
+{% if openshift_openstack_provider_network_name %}
attach_float_net: false
{% endif %}
volume_size: {{ openshift_openstack_master_volume_size }}
@@ -755,7 +741,7 @@ resources:
- no_floating
- null
- {{ openshift_openstack_external_network_name }}
-{% if openshift_openstack_use_bastion|bool or openshift_openstack_provider_network_name %}
+{% if openshift_openstack_provider_network_name %}
attach_float_net: false
{% endif %}
volume_size: {{ openshift_openstack_node_volume_size }}
@@ -818,9 +804,6 @@ resources:
{% else %}
- { get_resource: node-secgrp }
{% endif %}
-{% if openshift_openstack_ui_ssh_tunnel|bool and openshift_openstack_num_masters|int < 2 %}
- - { get_resource: lb-secgrp }
-{% endif %}
- { get_resource: infra-secgrp }
- { get_resource: common-secgrp }
{% if not openshift_openstack_provider_network_name %}