diff options
-rw-r--r-- | playbooks/openstack/README.md | 2 | ||||
-rw-r--r-- | playbooks/openstack/advanced-configuration.md | 84 | ||||
-rw-r--r-- | roles/openshift_master/tasks/registry_auth.yml | 8 | ||||
-rw-r--r-- | roles/openshift_node/tasks/registry_auth.yml | 8 | ||||
-rw-r--r-- | roles/openshift_openstack/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/openshift_openstack/tasks/populate-dns.yml | 9 | ||||
-rw-r--r-- | roles/openshift_openstack/templates/heat_stack.yaml.j2 | 31 |
7 files changed, 19 insertions, 126 deletions
diff --git a/playbooks/openstack/README.md b/playbooks/openstack/README.md index ff0b7adc7..f567242cd 100644 --- a/playbooks/openstack/README.md +++ b/playbooks/openstack/README.md @@ -215,7 +215,6 @@ advanced configuration: * [External Dns][external-dns] * Multiple Clusters (TODO) * [Cinder Registry][cinder-registry] -* [Bastion Node][bastion] [ansible]: https://www.ansible.com/ @@ -234,4 +233,3 @@ advanced configuration: [loadbalancer]: ./advanced-configuration.md#multi-master-configuration [external-dns]: ./advanced-configuration.md#dns-configuration-variables [cinder-registry]: ./advanced-configuration.md#creating-and-using-a-cinder-volume-for-the-openshift-registry -[bastion]: ./advanced-configuration.md#configure-static-inventory-and-access-via-a-bastion-node diff --git a/playbooks/openstack/advanced-configuration.md b/playbooks/openstack/advanced-configuration.md index c0bdf5020..cb8af4a9e 100644 --- a/playbooks/openstack/advanced-configuration.md +++ b/playbooks/openstack/advanced-configuration.md @@ -328,14 +328,6 @@ The `openshift_openstack_required_packages` variable also provides a list of the prerequisite packages to be installed before to deploy an OpenShift cluster. Those are ignored though, if the `manage_packages: False`. -The `openstack_inventory` controls either a static inventory will be created after the -cluster nodes provisioned on OpenStack cloud. Note, the fully dynamic inventory -is yet to be supported, so the static inventory will be created anyway. - -The `openstack_inventory_path` points the directory to host the generated static inventory. -It should point to the copied example inventory directory, otherwise ti creates -a new one for you. - ## Multi-master configuration Please refer to the official documentation for the @@ -538,43 +530,6 @@ You can also run the registry setup playbook directly: -## Configure static inventory and access via a bastion node - -Example inventory variables: - - openshift_openstack_use_bastion: true - openshift_openstack_bastion_ingress_cidr: "{{openshift_openstack_subnet_prefix}}.0/24" - openstack_private_ssh_key: ~/.ssh/id_rsa - openstack_inventory: static - openstack_inventory_path: ../../../../inventory - openstack_ssh_config_path: /tmp/ssh.config.openshift.ansible.openshift.example.com - -The `openshift_openstack_subnet_prefix` is the openstack private network for your cluster. -And the `openshift_openstack_bastion_ingress_cidr` defines accepted range for SSH connections to nodes -additionally to the `openshift_openstack_ssh_ingress_cidr`` (see the security notes above). - -The SSH config will be stored on the ansible control node by the -gitven path. Ansible uses it automatically. To access the cluster nodes with -that ssh config, use the `-F` prefix, f.e.: - - ssh -F /tmp/ssh.config.openshift.ansible.openshift.example.com master-0.openshift.example.com echo OK - -Note, relative paths will not work for the `openstack_ssh_config_path`, but it -works for the `openstack_private_ssh_key` and `openstack_inventory_path`. In this -guide, the latter points to the current directory, where you run ansible commands -from. - -To verify nodes connectivity, use the command: - - ansible -v -i inventory/hosts -m ping all - -If something is broken, double-check the inventory variables, paths and the -generated `<openstack_inventory_path>/hosts` and `openstack_ssh_config_path` files. - -The `inventory: dynamic` can be used instead to access cluster nodes directly via -floating IPs. In this mode you can not use a bastion node and should specify -the dynamic inventory file in your ansible commands , like `-i openstack.py`. - ## Using Docker on the Ansible host If you don't want to worry about the dependencies, you can use the @@ -604,28 +559,6 @@ the playbooks: ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml -### Run the playbook - -Assuming your OpenStack (Keystone) credentials are in the `keystonerc` -this is how you stat the provisioning process from your ansible control node: - - . keystonerc - ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml - -Note, here you start with an empty inventory. The static inventory will be populated -with data so you can omit providing additional arguments for future ansible commands. - -If bastion enabled, the generates SSH config must be applied for ansible. -Otherwise, it is auto included by the previous step. In order to execute it -as a separate playbook, use the following command: - - ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/post-provision-openstack.yml - -The first infra node then becomes a bastion node as well and proxies access -for future ansible commands. The post-provision step also configures Satellite, -if requested, and DNS server, and ensures other OpenShift requirements to be met. - - ## Running Custom Post-Provision Actions A custom playbook can be run like this: @@ -733,21 +666,6 @@ Once it succeeds, you can install openshift by running: OpenShift UI may be accessed via the 1st master node FQDN, port 8443. -When using a bastion, you may want to make an SSH tunnel from your control node -to access UI on the `https://localhost:8443`, with this inventory variable: - - openshift_openstack_ui_ssh_tunnel: True - -Note, this requires sudo rights on the ansible control node and an absolute path -for the `openstack_private_ssh_key`. You should also update the control node's -`/etc/hosts`: - - 127.0.0.1 master-0.openshift.example.com - -In order to access UI, the ssh-tunnel service will be created and started on the -control node. Make sure to remove these changes and the service manually, when not -needed anymore. - ## Scale Deployment up/down ### Scaling up @@ -766,5 +684,3 @@ Usage: ``` ansible-playbook -i <path to inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/scale-up.yaml` [-e increment_by=<number>] [-e openshift_ansible_dir=<path to openshift-ansible>] ``` - -Note: This playbook works only without a bastion node (`openshift_openstack_use_bastion: False`). diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml index c95f562d0..ca04d2243 100644 --- a/roles/openshift_master/tasks/registry_auth.yml +++ b/roles/openshift_master/tasks/registry_auth.yml @@ -33,7 +33,7 @@ - openshift_docker_alternative_creds | default(False) | bool - oreg_auth_user is defined - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool - register: master_oreg_auth_credentials_create + register: master_oreg_auth_credentials_create_alt notify: - restart master api - restart master controllers @@ -45,4 +45,8 @@ when: - openshift.common.is_containerized | bool - oreg_auth_user is defined - - (master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or master_oreg_auth_credentials_create.changed) | bool + - > + (master_oreg_auth_credentials_stat.stat.exists + or oreg_auth_credentials_replace + or master_oreg_auth_credentials_create.changed + or master_oreg_auth_credentials_create_alt.changed) | bool diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml index f5428867a..ab43ec049 100644 --- a/roles/openshift_node/tasks/registry_auth.yml +++ b/roles/openshift_node/tasks/registry_auth.yml @@ -32,7 +32,7 @@ - openshift_docker_alternative_creds | bool - oreg_auth_user is defined - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool - register: node_oreg_auth_credentials_create + register: node_oreg_auth_credentials_create_alt notify: - restart node @@ -43,4 +43,8 @@ when: - openshift.common.is_containerized | bool - oreg_auth_user is defined - - (node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or node_oreg_auth_credentials_create.changed) | bool + - > + (node_oreg_auth_credentials_stat.stat.exists + or oreg_auth_credentials_replace + or node_oreg_auth_credentials_create.changed + or node_oreg_auth_credentials_create_alt.changed) | bool diff --git a/roles/openshift_openstack/defaults/main.yml b/roles/openshift_openstack/defaults/main.yml index 5f182e0d6..e72e7a9df 100644 --- a/roles/openshift_openstack/defaults/main.yml +++ b/roles/openshift_openstack/defaults/main.yml @@ -4,7 +4,6 @@ openshift_openstack_stack_state: 'present' openshift_openstack_ssh_ingress_cidr: 0.0.0.0/0 openshift_openstack_node_ingress_cidr: 0.0.0.0/0 openshift_openstack_lb_ingress_cidr: 0.0.0.0/0 -openshift_openstack_bastion_ingress_cidr: 0.0.0.0/0 openshift_openstack_num_etcd: 0 openshift_openstack_num_masters: 1 openshift_openstack_num_nodes: 1 @@ -91,6 +90,4 @@ openshift_openstack_node_volume_size: "{{ openshift_openstack_docker_volume_size openshift_openstack_etcd_volume_size: 2 openshift_openstack_dns_volume_size: 1 openshift_openstack_lb_volume_size: 5 -openshift_openstack_use_bastion: false -openshift_openstack_ui_ssh_tunnel: false openshift_openstack_ephemeral_volumes: false diff --git a/roles/openshift_openstack/tasks/populate-dns.yml b/roles/openshift_openstack/tasks/populate-dns.yml index c03aceb94..b5c4da532 100644 --- a/roles/openshift_openstack/tasks/populate-dns.yml +++ b/roles/openshift_openstack/tasks/populate-dns.yml @@ -63,15 +63,6 @@ when: - hostvars[groups.masters[0]].openshift_master_cluster_public_hostname is defined - openshift_openstack_num_masters == 1 - - not openshift_openstack_use_bastion|bool - -- name: "Add public master cluster hostname records to the public A records (single master behind a bastion)" - set_fact: - public_records: "{{ public_records | default([]) + [ { 'type': 'A', 'hostname': (hostvars[groups.masters[0]].openshift_master_cluster_public_hostname | replace(openshift_openstack_full_dns_domain, ''))[:-1], 'ip': hostvars[groups.bastions[0]].public_v4 } ] }}" - when: - - hostvars[groups.masters[0]].openshift_master_cluster_public_hostname is defined - - openshift_openstack_num_masters == 1 - - openshift_openstack_use_bastion|bool - name: "Add public master cluster hostname records to the public A records (multi-master)" set_fact: diff --git a/roles/openshift_openstack/templates/heat_stack.yaml.j2 b/roles/openshift_openstack/templates/heat_stack.yaml.j2 index 0e7538629..ec488941e 100644 --- a/roles/openshift_openstack/templates/heat_stack.yaml.j2 +++ b/roles/openshift_openstack/templates/heat_stack.yaml.j2 @@ -72,7 +72,7 @@ outputs: {% endif %} conditions: - no_floating: {% if openshift_openstack_provider_network_name or openshift_openstack_use_bastion|bool %}true{% else %}false{% endif %} + no_floating: {% if openshift_openstack_provider_network_name %}true{% else %}false{% endif %} resources: @@ -180,13 +180,6 @@ resources: port_range_min: 22 port_range_max: 22 remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }} -{% if openshift_openstack_use_bastion|bool %} - - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ openshift_openstack_bastion_ingress_cidr }} -{% endif %} - direction: ingress protocol: icmp remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }} @@ -480,7 +473,7 @@ resources: remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24" {% endif %} -{% if openshift_openstack_num_masters|int > 1 or openshift_openstack_ui_ssh_tunnel|bool %} +{% if openshift_openstack_num_masters|int > 1 %} lb-secgrp: type: OS::Neutron::SecurityGroup properties: @@ -491,20 +484,13 @@ resources: protocol: tcp port_range_min: {{ openshift_master_api_port | default(8443) }} port_range_max: {{ openshift_master_api_port | default(8443) }} - remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr | default(openshift_openstack_bastion_ingress_cidr) }} -{% if openshift_openstack_ui_ssh_tunnel|bool %} - - direction: ingress - protocol: tcp - port_range_min: {{ openshift_master_api_port | default(8443) }} - port_range_max: {{ openshift_master_api_port | default(8443) }} - remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }} -{% endif %} + remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr }} {% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %} - direction: ingress protocol: tcp port_range_min: {{ openshift_master_console_port | default(8443) }} port_range_max: {{ openshift_master_console_port | default(8443) }} - remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr | default(openshift_openstack_bastion_ingress_cidr) }} + remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr }} {% endif %} {% endif %} @@ -553,7 +539,7 @@ resources: - no_floating - null - {{ openshift_openstack_external_network_name }} -{% if openshift_openstack_use_bastion|bool or openshift_openstack_provider_network_name %} +{% if openshift_openstack_provider_network_name %} attach_float_net: false {% endif %} volume_size: {{ openshift_openstack_etcd_volume_size }} @@ -685,7 +671,7 @@ resources: - no_floating - null - {{ openshift_openstack_external_network_name }} -{% if openshift_openstack_use_bastion|bool or openshift_openstack_provider_network_name %} +{% if openshift_openstack_provider_network_name %} attach_float_net: false {% endif %} volume_size: {{ openshift_openstack_master_volume_size }} @@ -755,7 +741,7 @@ resources: - no_floating - null - {{ openshift_openstack_external_network_name }} -{% if openshift_openstack_use_bastion|bool or openshift_openstack_provider_network_name %} +{% if openshift_openstack_provider_network_name %} attach_float_net: false {% endif %} volume_size: {{ openshift_openstack_node_volume_size }} @@ -818,9 +804,6 @@ resources: {% else %} - { get_resource: node-secgrp } {% endif %} -{% if openshift_openstack_ui_ssh_tunnel|bool and openshift_openstack_num_masters|int < 2 %} - - { get_resource: lb-secgrp } -{% endif %} - { get_resource: infra-secgrp } - { get_resource: common-secgrp } {% if not openshift_openstack_provider_network_name %} |