diff options
38 files changed, 490 insertions, 238 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 2f7416283..6c9176ad0 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.0.21-1 ./ +3.0.27-1 ./ diff --git a/README_AEP.md b/README_AEP.md index 584a7afff..7cdb1c5d5 100644 --- a/README_AEP.md +++ b/README_AEP.md @@ -81,10 +81,10 @@ deployment_type=atomic-enterprise # Pre-release registry URL; note that in the future these images # may have an atomicenterprise/aep- prefix or so. -oreg_url=rcm-img-docker01.build.eng.bos.redhat.com:5001/openshift3/ose-${component}:${version} +oreg_url=rcm-img-docker:5001/openshift3/ose-${component}:${version} # Pre-release additional repo -openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://buildvm-devops.usersys.redhat.com/puddle/build/AtomicOpenShift/3.1/2015-10-27.1', 'enabled': 1, 'gpgcheck': 0}] +openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://buildvm/puddle/build/AtomicOpenShift/3.1/2015-10-27.1', 'enabled': 1, 'gpgcheck': 0}] # host group for masters [masters] diff --git a/README_OSE.md b/README_OSE.md index 66fba33e5..fdb6a75b8 100644 --- a/README_OSE.md +++ b/README_OSE.md @@ -82,7 +82,7 @@ deployment_type=enterprise # Pre-release additional repo openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': -'http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/3.0/latest/RH7-RHOSE-3.0/$basearch/os', +'http://buildvm/puddle/build/OpenShiftEnterprise/3.0/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}] # Origin copr repo diff --git a/bin/cluster b/bin/cluster index 3081ebd4a..c2765ff92 100755 --- a/bin/cluster +++ b/bin/cluster @@ -294,11 +294,8 @@ if __name__ == '__main__': meta_parser.add_argument('cluster_id', help='prefix for cluster VM names') meta_parser.add_argument('-t', '--deployment-type', - choices=['origin', 'online', 'enterprise'], + choices=['origin', 'online', 'enterprise', 'atomic-enterprise', 'openshift-enterprise'], help='Deployment type. (default: origin)') - meta_parser.add_argument('-T', '--product-type', - choices=['openshift', 'atomic-enterprise'], - help='Product type. (default: openshift)') meta_parser.add_argument('-o', '--option', action='append', help='options') @@ -48,28 +48,18 @@ class Ohi(object): self.aws.print_host_types() return 0 - hosts = None - if self.args.host_type is not None and \ - self.args.env is not None: - # Both env and host-type specified - hosts = self.aws.get_host_list(host_type=self.args.host_type, - envs=self.args.env, - version=self.args.openshift_version, - cached=self.args.cache_only) - - if self.args.host_type is None and \ - self.args.env is not None: - # Only env specified - hosts = self.aws.get_host_list(envs=self.args.env, - version=self.args.openshift_version, - cached=self.args.cache_only) - - if self.args.host_type is not None and \ - self.args.env is None: - # Only host-type specified - hosts = self.aws.get_host_list(host_type=self.args.host_type, - version=self.args.openshift_version, - cached=self.args.cache_only) + if self.args.v3: + version = '3' + elif self.args.all_versions: + version = 'all' + else: + version = '2' + + hosts = self.aws.get_host_list(clusters=self.args.cluster, + host_type=self.args.host_type, + envs=self.args.env, + version=version, + cached=self.args.cache_only) if hosts is None: # We weren't able to determine what they wanted to do @@ -104,19 +94,26 @@ class Ohi(object): parser = argparse.ArgumentParser(description='OpenShift Host Inventory') parser.add_argument('--list-host-types', default=False, action='store_true', help='List all of the host types') + parser.add_argument('--list', default=False, action='store_true', help='List all hosts') - parser.add_argument('-e', '--env', action="store", help="Which environment to use") + parser.add_argument('-c', '--cluster', action="append", help="Which clusterid to use") + parser.add_argument('-e', '--env', action="append", help="Which environment to use") parser.add_argument('-t', '--host-type', action="store", help="Which host type to use") parser.add_argument('-l', '--user', action='store', default=None, help='username') - parser.add_argument('-c', '--cache-only', action='store_true', default=False, + parser.add_argument('--cache-only', action='store_true', default=False, help='Retrieve the host inventory by cache only. Default is false.') - parser.add_argument('-o', '--openshift-version', action='store', default='2', + parser.add_argument('--v2', action='store_true', default=True, help='Specify the openshift version. Default is 2') + parser.add_argument('--v3', action='store_true', default=False, + help='Specify the openshift version.') + + parser.add_argument('--all-versions', action='store_true', default=False, + help='Specify the openshift version. Return all versions') self.args = parser.parse_args() diff --git a/bin/openshift_ansible/awsutil.py b/bin/openshift_ansible/awsutil.py index 76b4f4f51..e03c0ab15 100644 --- a/bin/openshift_ansible/awsutil.py +++ b/bin/openshift_ansible/awsutil.py @@ -59,9 +59,23 @@ class AwsUtil(object): minv.run() return minv.result + def get_clusters(self): + """Searches for cluster tags in the inventory and returns all of the clusters found.""" + pattern = re.compile(r'^oo_clusterid_(.*)') + + clusters = [] + inv = self.get_inventory() + for key in inv.keys(): + matched = pattern.match(key) + if matched: + clusters.append(matched.group(1)) + + clusters.sort() + return clusters + def get_environments(self): """Searches for env tags in the inventory and returns all of the envs found.""" - pattern = re.compile(r'^tag_environment_(.*)') + pattern = re.compile(r'^oo_environment_(.*)') envs = [] inv = self.get_inventory() @@ -75,7 +89,7 @@ class AwsUtil(object): def get_host_types(self): """Searches for host-type tags in the inventory and returns all host-types found.""" - pattern = re.compile(r'^tag_host-type_(.*)') + pattern = re.compile(r'^oo_host-type_(.*)') host_types = [] inv = self.get_inventory() @@ -154,6 +168,18 @@ class AwsUtil(object): return host_type @staticmethod + def gen_version_tag(ver): + """Generate the version tag + """ + return "oo_version_%s" % ver + + @staticmethod + def gen_clusterid_tag(clu): + """Generate the clusterid tag + """ + return "tag_clusterid_%s" % clu + + @staticmethod def gen_env_tag(env): """Generate the environment tag """ @@ -165,41 +191,44 @@ class AwsUtil(object): host_type = self.resolve_host_type(host_type) return "tag_host-type_%s" % host_type - def get_host_list(self, host_type=None, envs=None, version=None, cached=False): + # This function uses all of these params to perform a filters on our host inventory. + # pylint: disable=too-many-arguments + def get_host_list(self, clusters=None, host_type=None, envs=None, version=None, cached=False): """Get the list of hosts from the inventory using host-type and environment """ retval = set([]) envs = envs or [] + inv = self.get_inventory(cached=cached) - # We prefer to deal with a list of environments - if issubclass(type(envs), basestring): - if envs == 'all': - envs = self.get_environments() + retval.update(inv.get('all_hosts', [])) + + if clusters: + cluster_hosts = set([]) + if len(clusters) > 1: + for cluster in clusters: + clu_tag = AwsUtil.gen_clusterid_tag(cluster) + cluster_hosts.update(inv.get(clu_tag, [])) else: - envs = [envs] + cluster_hosts.update(inv.get(AwsUtil.gen_clusterid_tag(clusters[0]), [])) + + retval.intersection_update(cluster_hosts) + + if envs: + env_hosts = set([]) + if len(envs) > 1: + for env in envs: + env_tag = AwsUtil.gen_env_tag(env) + env_hosts.update(inv.get(env_tag, [])) + else: + env_hosts.update(inv.get(AwsUtil.gen_env_tag(envs[0]), [])) + + retval.intersection_update(env_hosts) - if host_type and envs: - # Both host type and environment were specified - for env in envs: - retval.update(inv.get('tag_environment_%s' % env, [])) + if host_type: retval.intersection_update(inv.get(self.gen_host_type_tag(host_type), [])) - elif envs and not host_type: - # Just environment was specified - for env in envs: - env_tag = AwsUtil.gen_env_tag(env) - if env_tag in inv.keys(): - retval.update(inv.get(env_tag, [])) - - elif host_type and not envs: - # Just host-type was specified - host_type_tag = self.gen_host_type_tag(host_type) - if host_type_tag in inv.keys(): - retval.update(inv.get(host_type_tag, [])) - - # If version is specified then return only hosts in that version - if version: - retval.intersection_update(inv.get('oo_version_%s' % version, [])) + if version != 'all': + retval.intersection_update(inv.get(AwsUtil.gen_version_tag(version), [])) return retval @@ -13,6 +13,8 @@ Options: -p PAR, --par=PAR max number of parallel threads (OPTIONAL) --outdir=OUTDIR output directory for stdout files (OPTIONAL) --errdir=ERRDIR output directory for stderr files (OPTIONAL) + -c CLUSTER, --cluster CLUSTER + which cluster to use -e ENV, --env ENV which environment to use -t HOST_TYPE, --host-type HOST_TYPE which host type to use @@ -45,9 +47,9 @@ fi # See if ohi is installed if ! which ohi &>/dev/null ; then - echo "ERROR: can't find ohi (OpenShift Host Inventory) on your system, please either install the openshift-ansible-bin package, or add openshift-ansible/bin to your path." + echo "ERROR: can't find ohi (OpenShift Host Inventory) on your system, please either install the openshift-ansible-bin package, or add openshift-ansible/bin to your path." - exit 10 + exit 10 fi PAR=200 @@ -64,12 +66,23 @@ while [ $# -gt 0 ] ; do shift # get past the value of the option ;; + -c) + shift # get past the option + CLUSTER=$1 + shift # get past the value of the option + ;; + -e) shift # get past the option ENV=$1 shift # get past the value of the option ;; + --v3) + OPENSHIFT_VERSION="--v3" + shift # get past the value of the option + ;; + --timeout) shift # get past the option TIMEOUT=$1 @@ -106,20 +119,26 @@ while [ $# -gt 0 ] ; do done # Get host list from ohi -if [ -n "$ENV" -a -n "$HOST_TYPE" ] ; then - HOSTS="$(ohi -t "$HOST_TYPE" -e "$ENV" 2>/dev/null)" - OHI_ECODE=$? -elif [ -n "$ENV" ] ; then - HOSTS="$(ohi -e "$ENV" 2>/dev/null)" - OHI_ECODE=$? -elif [ -n "$HOST_TYPE" ] ; then - HOSTS="$(ohi -t "$HOST_TYPE" 2>/dev/null)" +CMD="" +if [ -n "$CLUSTER" ] ; then + CMD="$CMD -c $CLUSTER" +fi + +if [ -n "$ENV" ] ; then + CMD="$CMD -e $ENV" +fi + +if [ -n "$HOST_TYPE" ] ; then + CMD="$CMD -t $HOST_TYPE" +fi + +if [ -n "$OPENSHIFT_VERSION" ] ; then + CMD="$CMD $OPENSHIFT_VERSION" +fi + +if [ -n "$CMD" ] ; then + HOSTS="$(ohi $CMD 2>/dev/null)" OHI_ECODE=$? -else - echo - echo "Error: either -e or -t must be specified" - echo - exit 10 fi if [ $OHI_ECODE -ne 0 ] ; then @@ -138,7 +138,7 @@ class Oscp(object): # attempt to select the correct environment if specified if self.env: - results = filter(lambda result: result[1]['ec2_tag_env'] == self.env, results) + results = filter(lambda result: result[1]['oo_environment'] == self.env, results) if results: return results @@ -164,10 +164,8 @@ class Oscp(object): print '{0:<35} {1}'.format(key, server_info[key]) else: for host_id, server_info in results[:limit]: - name = server_info['ec2_tag_Name'] - ec2_id = server_info['ec2_id'] - ip = server_info['ec2_ip_address'] - print '{ec2_tag_Name:<35} {ec2_tag_env:<8} {ec2_id:<15} {ec2_ip_address:<18} {ec2_private_ip_address}'.format(**server_info) + print '{oo_name:<35} {oo_clusterid:<10} {oo_environment:<8} ' \ + '{oo_id:<15} {oo_public_ip:<18} {oo_private_ip:<18}'.format(**server_info) if limit: print @@ -177,10 +175,9 @@ class Oscp(object): else: for env, host_ids in self.host_inventory.items(): for host_id, server_info in host_ids.items(): - name = server_info['ec2_tag_Name'] - ec2_id = server_info['ec2_id'] - ip = server_info['ec2_ip_address'] - print '{ec2_tag_Name:<35} {ec2_tag_env:<8} {ec2_id:<15} {ec2_ip_address:<18} {ec2_private_ip_address}'.format(**server_info) + print '{oo_name:<35} {oo_clusterid:<10} {oo_environment:<8} ' \ + '{oo_id:<15} {oo_public_ip:<18} {oo_private_ip:<18}'.format(**server_info) + def scp(self): '''scp files to or from a specified host @@ -209,12 +206,12 @@ class Oscp(object): if len(results) > 1: print "Multiple results found for %s." % self.host for result in results: - print "{ec2_tag_Name:<35} {ec2_tag_env:<5} {ec2_id:<10}".format(**result[1]) + print "{oo_name:<35} {oo_clusterid:<5} {oo_environment:<5} {oo_id:<10}".format(**result[1]) return # early exit, too many results # Assume we have one and only one. hostname, server_info = results[0] - dns = server_info['ec2_public_dns_name'] + dns = server_info['oo_pulic_ip'] host_str = "%s%s%s" % (self.user, dns, self.path) @@ -55,15 +55,15 @@ class Ossh(object): def parse_cli_args(self): parser = argparse.ArgumentParser(description='OpenShift Online SSH Tool.') parser.add_argument('-e', '--env', action="store", - help="Which environment to search for the host ") + help="Which environment to search for the host ") parser.add_argument('-d', '--debug', default=False, - action="store_true", help="debug mode") + action="store_true", help="debug mode") parser.add_argument('-v', '--verbose', default=False, - action="store_true", help="Verbose?") + action="store_true", help="Verbose?") parser.add_argument('--refresh-cache', default=False, - action="store_true", help="Force a refresh on the host cache.") + action="store_true", help="Force a refresh on the host cache.") parser.add_argument('--list', default=False, - action="store_true", help="list out hosts") + action="store_true", help="list out hosts") parser.add_argument('-c', '--command', action='store', help='Command to run on remote host') parser.add_argument('-l', '--login_name', action='store', @@ -127,7 +127,7 @@ class Ossh(object): # attempt to select the correct environment if specified if self.env: - results = filter(lambda result: result[1]['ec2_tag_env'] == self.env, results) + results = filter(lambda result: result[1]['oo_environment'] == self.env, results) if results: return results @@ -153,10 +153,8 @@ class Ossh(object): print '{0:<35} {1}'.format(key, server_info[key]) else: for host_id, server_info in results[:limit]: - name = server_info['ec2_tag_Name'] - ec2_id = server_info['ec2_id'] - ip = server_info['ec2_ip_address'] - print '{ec2_tag_Name:<35} {ec2_tag_env:<8} {ec2_id:<15} {ec2_ip_address:<18} {ec2_private_ip_address}'.format(**server_info) + print '{oo_name:<35} {oo_clusterid:<10} {oo_environment:<8} ' \ + '{oo_id:<15} {oo_public_ip:<18} {oo_private_ip:<18}'.format(**server_info) if limit: print @@ -166,10 +164,8 @@ class Ossh(object): else: for env, host_ids in self.host_inventory.items(): for host_id, server_info in host_ids.items(): - name = server_info['ec2_tag_Name'] - ec2_id = server_info['ec2_id'] - ip = server_info['ec2_ip_address'] - print '{ec2_tag_Name:<35} {ec2_tag_env:<8} {ec2_id:<15} {ec2_ip_address:<18} {ec2_private_ip_address}'.format(**server_info) + print '{oo_name:<35} {oo_clusterid:<10} {oo_environment:<8} ' \ + '{oo_id:<15} {oo_public_ip:<18} {oo_private_ip:<18}'.format(**server_info) def ssh(self): '''SSH to a specified host @@ -195,12 +191,12 @@ class Ossh(object): if len(results) > 1: print "Multiple results found for %s." % self.host for result in results: - print "{ec2_tag_Name:<35} {ec2_tag_env:<5} {ec2_id:<10}".format(**result[1]) + print "{oo_name:<35} {oo_clusterid:<5} {oo_environment:<5} {oo_id:<10}".format(**result[1]) return # early exit, too many results # Assume we have one and only one. - hostname, server_info = results[0] - dns = server_info['ec2_public_dns_name'] + _, server_info = results[0] + dns = server_info['oo_public_ip'] ssh_args.append(dns) diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index 48e27a24a..326c36f6c 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -8,12 +8,11 @@ Custom filters for use in openshift-ansible from ansible import errors from operator import itemgetter import OpenSSL.crypto -import os.path +import os import pdb import re import json - class FilterModule(object): ''' Custom ansible filters ''' @@ -366,9 +365,6 @@ class FilterModule(object): "keyfile": "/etc/origin/master/named_certificates/custom2.key", "names": [ "some-hostname.com" ] }] ''' - if not issubclass(type(certificates), list): - raise errors.AnsibleFilterError("|failed expects certificates is a list") - if not issubclass(type(named_certs_dir), unicode): raise errors.AnsibleFilterError("|failed expects named_certs_dir is unicode") @@ -468,6 +464,16 @@ class FilterModule(object): pass return clusters + @staticmethod + def oo_generate_secret(num_bytes): + ''' generate a session secret ''' + + if not issubclass(type(num_bytes), int): + raise errors.AnsibleFilterError("|failed expects num_bytes is int") + + secret = os.urandom(num_bytes) + return secret.encode('base-64').strip() + def filters(self): ''' returns a mapping of filters to methods ''' return { @@ -486,5 +492,6 @@ class FilterModule(object): "oo_parse_heat_stack_outputs": self.oo_parse_heat_stack_outputs, "oo_parse_named_certificates": self.oo_parse_named_certificates, "oo_haproxy_backend_masters": self.oo_haproxy_backend_masters, - "oo_pretty_print_cluster": self.oo_pretty_print_cluster + "oo_pretty_print_cluster": self.oo_pretty_print_cluster, + "oo_generate_secret": self.oo_generate_secret } diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py index f12017967..8d7c62ad1 100644 --- a/filter_plugins/openshift_master.py +++ b/filter_plugins/openshift_master.py @@ -463,7 +463,6 @@ class FilterModule(object): IdentityProviderBase.validate_idp_list(idp_list) return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False) - def filters(self): ''' returns a mapping of filters to methods ''' return {"translate_idps": self.translate_idps} diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 59650bba9..d6f04adde 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -5,7 +5,7 @@ } Name: openshift-ansible -Version: 3.0.21 +Version: 3.0.27 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -259,6 +259,50 @@ Atomic OpenShift Utilities includes %changelog +* Fri Jan 08 2016 Kenny Woodson <kwoodson@redhat.com> 3.0.27-1 +- Update to metadata tooling. (kwoodson@redhat.com) +- Fix VM drive cleanup during terminate on libvirt (lhuard@amadeus.com) + +* Fri Jan 08 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.26-1 +- Bug 1296388 - fixing typo (bleanhar@redhat.com) + +* Thu Jan 07 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.25-1 +- Bug 1296388 - The playbook still configure ManageIQ when + openshift_use_manageiq is false (bleanhar@redhat.com) +- Add a banner to CLI wrapper instructing users that it's only for + bootstrapping (sdodson@redhat.com) +- Rename env into clusterid and add environment in the OpenStack VMs tags + (lhuard@amadeus.com) +- Fix terminate.yml on OpenStack (lhuard@amadeus.com) +- Install gluster and ceph packages when containerized but not atomic + (sdodson@redhat.com) +- Update openshift_facts config_base for Online deployments (whearn@redhat.com) +- Fix multi-word arguments & cli wrapper stdin plumbing (sdodson@redhat.com) +- Improve 3.1/1.1 upgrade check (jdetiber@redhat.com) + +* Thu Jan 07 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.24-1 +- Setting relative paths in the upgrade playbooks wasn't working + (bleanhar@redhat.com) + +* Wed Jan 06 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.23-1 +- Move extra secret validations into openshift_facts. (abutcher@redhat.com) +- Remove not is_containerized restriction on storage plugin includes. + (abutcher@redhat.com) +- We can't enable manageiq for installations less than OSE 3.1 or Origin 1.1 + (bleanhar@redhat.com) +- Fix RHN subscription by explicitly attaching to the right pool + (lhuard@amadeus.com) +- openshift_facts validation (abutcher@redhat.com) +- Secrets validation. (abutcher@redhat.com) +- Clean up idempotency issues with session secrets. (abutcher@redhat.com) + +* Wed Jan 06 2016 Kenny Woodson <kwoodson@redhat.com> 3.0.22-1 +- playbook for restarting SDN (jdiaz@redhat.com) +- Stop haproxy and remove package during uninstall. (abutcher@redhat.com) +- Group name as per hosts.origin.example (donovan.muller@gmail.com) +- I believe the ami id changed since the initial documentation was created for + AWS deployment (rcook@redhat.com) + * Tue Jan 05 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.21-1 - Fix osm_controller_args and osm_api_server_args settings. (abutcher@redhat.com) diff --git a/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml index 231356798..11026e38d 100644 --- a/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml +++ b/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml @@ -4,8 +4,8 @@ # ansible-playbook playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml -e deployment_type=online -e cluster_id=<cluster_id> - include: ../../../../common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml vars_files: - - ../../../../aws/openshift-cluster/vars.yml - - ../../../../aws/openshift-cluster/cluster_hosts.yml + - "{{lookup('file', '../../../../aws/openshift-cluster/vars.yml')}}" + - "{{lookup('file', '../../../../aws/openshift-cluster/cluster_hosts.yml')}}" vars: g_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}" g_sudo: "{{ deployment_vars[deployment_type].sudo }}" diff --git a/playbooks/aws/openshift-cluster/vars.yml b/playbooks/aws/openshift-cluster/vars.yml index c8ee9bad4..ae12286bd 100644 --- a/playbooks/aws/openshift-cluster/vars.yml +++ b/playbooks/aws/openshift-cluster/vars.yml @@ -1,5 +1,19 @@ --- debug_level: 2 + +deployment_rhel7_ent_base: + # rhel-7.1, requires cloud access subscription + image: ami-10663b78 + image_name: + region: us-east-1 + ssh_user: ec2-user + sudo: yes + keypair: libra + type: m4.large + security_groups: [ 'public' ] + vpc_subnet: + assign_public_ip: + deployment_vars: origin: # centos-7, requires marketplace @@ -25,15 +39,6 @@ deployment_vars: security_groups: [ 'public' ] vpc_subnet: assign_public_ip: - enterprise: - # rhel-7.1, requires cloud access subscription - image: ami-10663b78 - image_name: - region: us-east-1 - ssh_user: ec2-user - sudo: yes - keypair: libra - type: m4.large - security_groups: [ 'public' ] - vpc_subnet: - assign_public_ip: + enterprise: "{{ deployment_rhel7_ent_base }}" + openshift-enterprise: "{{ deployment_rhel7_ent_base }}" + atomic-enterprise: "{{ deployment_rhel7_ent_base }}" diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml index 58c04d41d..b52456dcd 100644 --- a/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml +++ b/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml @@ -1,7 +1,7 @@ --- - include: ../../../../common/openshift-cluster/upgrades/v3_0_minor/upgrade.yml vars_files: - - ../../../../byo/openshift-cluster/cluster_hosts.yml + - "{{lookup('file', '../../../../byo/openshift-cluster/cluster_hosts.yml')}}" vars: g_etcd_hosts: "{{ groups.etcd | default([]) }}" g_master_hosts: "{{ groups.masters | default([]) }}" diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml index 2f9e8dc7a..e07e2b88e 100644 --- a/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml +++ b/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml @@ -1,7 +1,7 @@ --- - include: ../../../../common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml vars_files: - - ../../../../byo/openshift-cluster/cluster_hosts.yml + - "{{lookup('file', '../../../../byo/openshift-cluster/cluster_hosts.yml')}}" vars: g_etcd_hosts: "{{ groups.etcd | default([]) }}" g_master_hosts: "{{ groups.masters | default([]) }}" diff --git a/playbooks/common/openshift-cluster/update_repos_and_packages.yml b/playbooks/common/openshift-cluster/update_repos_and_packages.yml index 9a303c62d..88736ee03 100644 --- a/playbooks/common/openshift-cluster/update_repos_and_packages.yml +++ b/playbooks/common/openshift-cluster/update_repos_and_packages.yml @@ -4,7 +4,7 @@ openshift_deployment_type: "{{ deployment_type }}" roles: - role: rhel_subscribe - when: deployment_type == "enterprise" and + when: deployment_type in ["enterprise", "atomic-enterprise", "openshift-enterprise"] and ansible_distribution == "RedHat" and lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false'] diff --git a/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml index 1f9c6afd3..68df2153d 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml @@ -29,6 +29,7 @@ hosts: oo_first_master vars: openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" + target_version: "{{ '1.1' if deployment_type == 'origin' else '3.1' }}" gather_facts: no tasks: # Pacemaker is currently the only supported upgrade path for multiple masters @@ -45,8 +46,8 @@ - fail: msg: > openshift_pkg_version is {{ openshift_pkg_version }} which is not a - valid version for a 3.1 upgrade - when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare('3.0.2.900','<') + valid version for a {{ target_version }} upgrade + when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(target_version ,'<') # If this script errors out ansible will show the default stdout/stderr # which contains details for the user: @@ -55,6 +56,8 @@ - name: Verify upgrade can proceed hosts: oo_masters_to_config:oo_nodes_to_config + vars: + target_version: "{{ '1.1' if deployment_type == 'origin' else '3.1' }}" tasks: - name: Clean package cache command: "{{ ansible_pkg_mgr }} clean all" @@ -77,8 +80,8 @@ when: deployment_type == 'origin' and g_aos_versions.curr_version | version_compare('1.0.6','<') - fail: - msg: Atomic OpenShift 3.1 packages not found - when: g_aos_versions.curr_version | version_compare('3.0.2.900','<') and (g_aos_versions.avail_version is none or g_aos_versions.avail_version | version_compare('3.0.2.900','<')) + msg: Upgrade packages not found + when: (g_aos_versions.avail_version | default(g_aos_versions.curr_version, true) | version_compare(target_version, '<')) - set_fact: pre_upgrade_complete: True diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 759656e63..677c274c4 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -236,29 +236,32 @@ - role: haproxy when: groups.oo_masters_to_config | length > 1 -- name: Generate master session keys +- name: Check for cached session secrets hosts: oo_first_master + roles: + - role: openshift_facts + post_tasks: + - openshift_facts: + role: master + local_facts: + session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(openshift.master.session_auth_secrets | default(None)) }}" + session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(openshift.master.session_encryption_secrets | default(None)) }}" + +- name: Generate master session secrets + hosts: oo_first_master + vars: + g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}" + g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}" + g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}" + roles: + - role: openshift_facts tasks: - - fail: - msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - - fail: - msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) - - name: Install OpenSSL package - action: "{{ ansible_pkg_mgr }} name=openssl state=present" - when: not openshift.common.is_atomic | bool - - name: Generate session authentication key - command: /usr/bin/openssl rand -base64 24 - register: session_auth_output - when: openshift_master_session_auth_secrets is undefined - - name: Generate session encryption key - command: /usr/bin/openssl rand -base64 24 - register: session_encryption_output - when: openshift_master_session_encryption_secrets is undefined - - set_fact: - session_auth_secret: "{{ openshift_master_session_auth_secrets | default([session_auth_output.stdout]) }}" - session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default([session_encryption_output.stdout]) }}" + - openshift_facts: + role: master + local_facts: + session_auth_secrets: "{{ g_session_auth_secrets }}" + session_encryption_secrets: "{{ g_session_encryption_secrets }}" + when: not g_session_secrets_present | bool - name: Parse named certificates hosts: localhost @@ -314,8 +317,8 @@ sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" openshift_master_count: "{{ groups.oo_masters_to_config | length }}" - openshift_master_session_auth_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_auth_secret'] }}" - openshift_master_session_encryption_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_encryption_secret'] }}" + openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}" + openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}" pre_tasks: - name: Ensure certificate directory exists file: diff --git a/playbooks/gce/openshift-cluster/vars.yml b/playbooks/gce/openshift-cluster/vars.yml index bdb39923e..7fb13c7a6 100644 --- a/playbooks/gce/openshift-cluster/vars.yml +++ b/playbooks/gce/openshift-cluster/vars.yml @@ -3,6 +3,13 @@ do_we_use_openshift_sdn: true sdn_network_plugin: redhat/openshift-ovs-subnet debug_level: 2 # os_sdn_network_plugin_name can be ovssubnet or multitenant, see https://docs.openshift.org/latest/architecture/additional_concepts/sdn.html#ovssubnet-plugin-operation + +deployment_rhel7_ent_base: + image: rhel-7 + machine_type: n1-standard-1 + ssh_user: + sudo: yes + deployment_vars: origin: image: preinstalled-slave-50g-v5 @@ -14,8 +21,6 @@ deployment_vars: machine_type: n1-standard-1 ssh_user: root sudo: no - enterprise: - image: rhel-7 - machine_type: n1-standard-1 - ssh_user: - sudo: yes + enterprise: "{{ deployment_rhel7_ent_base }}" + openshift-enterprise: "{{ deployment_rhel7_ent_base }}" + atomic-enterprise: "{{ deployment_rhel7_ent_base }}" diff --git a/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml b/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml index 8a67d713f..397158b9e 100644 --- a/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml +++ b/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml @@ -4,13 +4,17 @@ dest: "{{ libvirt_storage_pool_path }}" state: directory +# We need to set permissions on the directory and any items created under the directory, so we need to call the acl module with and without default set. - acl: - default: yes + default: "{{ item }}" entity: kvm etype: group name: "{{ libvirt_storage_pool_path }}" permissions: rwx state: present + with_items: + - no + - yes - name: Test if libvirt storage pool for openshift already exists command: "virsh -c {{ libvirt_uri }} pool-info {{ libvirt_storage_pool }}" diff --git a/playbooks/libvirt/openshift-cluster/vars.yml b/playbooks/libvirt/openshift-cluster/vars.yml index 8b170f99e..da628786b 100644 --- a/playbooks/libvirt/openshift-cluster/vars.yml +++ b/playbooks/libvirt/openshift-cluster/vars.yml @@ -5,6 +5,19 @@ libvirt_network: openshift-ansible libvirt_uri: 'qemu:///system' debug_level: 2 +# Automatic download of the qcow2 image for RHEL cannot be done directly from the RedHat portal because it requires authentication. +# The default value of image_url for enterprise and openshift-enterprise deployment types below won't work. +deployment_rhel7_ent_base: + image: + url: "{{ lookup('oo_option', 'image_url') | + default('https://access.cdn.redhat.com//content/origin/files/sha256/25/25f880767ec6bf71beb532e17f1c45231640bbfdfbbb1dffb79d2c1b328388e0/rhel-guest-image-7.2-20151102.0.x86_64.qcow2', True) }}" + name: "{{ lookup('oo_option', 'image_name') | + default('rhel-guest-image-7.2-20151102.0.x86_64.qcow2', True) }}" + sha256: "{{ lookup('oo_option', 'image_sha256') | + default('25f880767ec6bf71beb532e17f1c45231640bbfdfbbb1dffb79d2c1b328388e0', True) }}" + ssh_user: openshift + sudo: yes + deployment_vars: origin: image: @@ -25,18 +38,6 @@ deployment_vars: sha256: ssh_user: root sudo: no - enterprise: - image: - url: "{{ lookup('oo_option', 'image_url') | - default('https://access.cdn.redhat.com//content/origin/files/sha256/ff/ff8198653cfd9c39411fc57077451ac291b3a605d305e905932fd6d5b1890bf3/rhel-guest-image-7.1-20150224.0.x86_64.qcow2', True) }}" - name: "{{ lookup('oo_option', 'image_name') | - default('rhel-guest-image-7.1-20150224.0.x86_64.qcow2', True) }}" - sha256: "{{ lookup('oo_option', 'image_sha256') | - default('ff8198653cfd9c39411fc57077451ac291b3a605d305e905932fd6d5b1890bf3', True) }}" - ssh_user: openshift - sudo: yes -# origin: -# fedora: -# url: "http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.qcow2" -# name: Fedora-Cloud-Base-20141203-21.x86_64.qcow2 -# sha256: 3a99bb89f33e3d4ee826c8160053cdb8a72c80cd23350b776ce73cd244467d86 + enterprise: "{{ deployment_rhel7_ent_base }}" + openshift-enterprise: "{{ deployment_rhel7_ent_base }}" + atomic-enterprise: "{{ deployment_rhel7_ent_base }}" diff --git a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml index bfd73c777..4f6a59a30 100644 --- a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml +++ b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml @@ -4,6 +4,11 @@ description: OpenShift cluster parameters: + cluster_env: + type: string + label: Cluster environment + description: Environment of the cluster + cluster_id: type: string label: Cluster ID @@ -345,13 +350,14 @@ resources: params: cluster_id: { get_param: cluster_id } k8s_type: etcd - cluster_id: { get_param: cluster_id } - type: etcd - image: { get_param: etcd_image } - flavor: { get_param: etcd_flavor } - key_name: { get_resource: keypair } - net: { get_resource: net } - subnet: { get_resource: subnet } + cluster_env: { get_param: cluster_env } + cluster_id: { get_param: cluster_id } + type: etcd + image: { get_param: etcd_image } + flavor: { get_param: etcd_flavor } + key_name: { get_resource: keypair } + net: { get_resource: net } + subnet: { get_resource: subnet } secgrp: - { get_resource: etcd-secgrp } floating_network: { get_param: floating_ip_pool } @@ -375,13 +381,14 @@ resources: params: cluster_id: { get_param: cluster_id } k8s_type: master - cluster_id: { get_param: cluster_id } - type: master - image: { get_param: master_image } - flavor: { get_param: master_flavor } - key_name: { get_resource: keypair } - net: { get_resource: net } - subnet: { get_resource: subnet } + cluster_env: { get_param: cluster_env } + cluster_id: { get_param: cluster_id } + type: master + image: { get_param: master_image } + flavor: { get_param: master_flavor } + key_name: { get_resource: keypair } + net: { get_resource: net } + subnet: { get_resource: subnet } secgrp: - { get_resource: master-secgrp } floating_network: { get_param: floating_ip_pool } @@ -406,14 +413,15 @@ resources: cluster_id: { get_param: cluster_id } k8s_type: node sub_host_type: compute - cluster_id: { get_param: cluster_id } - type: node - subtype: compute - image: { get_param: node_image } - flavor: { get_param: node_flavor } - key_name: { get_resource: keypair } - net: { get_resource: net } - subnet: { get_resource: subnet } + cluster_env: { get_param: cluster_env } + cluster_id: { get_param: cluster_id } + type: node + subtype: compute + image: { get_param: node_image } + flavor: { get_param: node_flavor } + key_name: { get_resource: keypair } + net: { get_resource: net } + subnet: { get_resource: subnet } secgrp: - { get_resource: node-secgrp } floating_network: { get_param: floating_ip_pool } @@ -438,14 +446,15 @@ resources: cluster_id: { get_param: cluster_id } k8s_type: node sub_host_type: infra - cluster_id: { get_param: cluster_id } - type: node - subtype: infra - image: { get_param: infra_image } - flavor: { get_param: infra_flavor } - key_name: { get_resource: keypair } - net: { get_resource: net } - subnet: { get_resource: subnet } + cluster_env: { get_param: cluster_env } + cluster_id: { get_param: cluster_id } + type: node + subtype: infra + image: { get_param: infra_image } + flavor: { get_param: infra_flavor } + key_name: { get_resource: keypair } + net: { get_resource: net } + subnet: { get_resource: subnet } secgrp: - { get_resource: node-secgrp } - { get_resource: infra-secgrp } diff --git a/playbooks/openstack/openshift-cluster/files/heat_stack_server.yaml b/playbooks/openstack/openshift-cluster/files/heat_stack_server.yaml index 3f24a3e45..f83f2c984 100644 --- a/playbooks/openstack/openshift-cluster/files/heat_stack_server.yaml +++ b/playbooks/openstack/openshift-cluster/files/heat_stack_server.yaml @@ -9,6 +9,11 @@ parameters: label: Name description: Name + cluster_env: + type: string + label: Cluster environment + description: Environment of the cluster + cluster_id: type: string label: Cluster ID @@ -105,7 +110,8 @@ resources: user_data: { get_file: user-data } user_data_format: RAW metadata: - env: { get_param: cluster_id } + environment: { get_param: cluster_env } + clusterid: { get_param: cluster_id } host-type: { get_param: type } sub-host-type: { get_param: subtype } diff --git a/playbooks/openstack/openshift-cluster/launch.yml b/playbooks/openstack/openshift-cluster/launch.yml index f07ca684f..fdcb77acc 100644 --- a/playbooks/openstack/openshift-cluster/launch.yml +++ b/playbooks/openstack/openshift-cluster/launch.yml @@ -29,6 +29,7 @@ - name: Create or Update OpenStack Stack command: 'heat {{ heat_stack_action }} -f {{ openstack_infra_heat_stack }} + -P cluster_env={{ cluster_env }} -P cluster_id={{ cluster_id }} -P cidr={{ openstack_network_cidr }} -P dns_nameservers={{ openstack_network_dns | join(",") }} diff --git a/playbooks/openstack/openshift-cluster/terminate.yml b/playbooks/openstack/openshift-cluster/terminate.yml index d0abe9fa5..d4ab51fa7 100644 --- a/playbooks/openstack/openshift-cluster/terminate.yml +++ b/playbooks/openstack/openshift-cluster/terminate.yml @@ -11,7 +11,7 @@ groups: oo_hosts_to_terminate ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}" ansible_sudo: "{{ deployment_vars[deployment_type].sudo }}" - with_items: (groups['tag_environment_' ~ cluster_env]|default([])) | groups['tag_clusterid_' ~ cluster_id ] | default([]) + with_items: (groups['tag_environment_' ~ cluster_env]|default([])) | intersect(groups['tag_clusterid_' ~ cluster_id ]|default([])) - name: Unsubscribe VMs hosts: oo_hosts_to_terminate diff --git a/playbooks/openstack/openshift-cluster/vars.yml b/playbooks/openstack/openshift-cluster/vars.yml index f8d15999e..76cde1706 100644 --- a/playbooks/openstack/openshift-cluster/vars.yml +++ b/playbooks/openstack/openshift-cluster/vars.yml @@ -20,6 +20,11 @@ openstack_flavor: infra: "{{ lookup('oo_option', 'infra_flavor' ) | default('m1.small', True) }}" node: "{{ lookup('oo_option', 'node_flavor' ) | default('m1.medium', True) }}" +deployment_rhel7_ent_base: + image: "{{ lookup('oo_option', 'image_name') | default('rhel-guest-image-7.2-20151102.0.x86_64', True) }}" + ssh_user: openshift + sudo: yes + deployment_vars: origin: image: "{{ lookup('oo_option', 'image_name') | default('centos-70-raw', True) }}" @@ -29,7 +34,6 @@ deployment_vars: image: ssh_user: root sudo: no - enterprise: - image: "{{ lookup('oo_option', 'image_name') | default('rhel-guest-image-7.1-20150224.0.x86_64', True) }}" - ssh_user: openshift - sudo: yes + enterprise: "{{ deployment_rhel7_ent_base }}" + openshift-enterprise: "{{ deployment_rhel7_ent_base }}" + atomic-enterprise: "{{ deployment_rhel7_ent_base }}" diff --git a/roles/openshift_cli/templates/openshift.j2 b/roles/openshift_cli/templates/openshift.j2 index cade4d1a7..a7c148a22 100644 --- a/roles/openshift_cli/templates/openshift.j2 +++ b/roles/openshift_cli/templates/openshift.j2 @@ -6,11 +6,18 @@ cmd=`basename $0` user=`id -u` group=`id -g` -# docker can only split stderr and stdin when run without -t -# https://github.com/docker/docker/issues/725 -# ansible checks various streams DO NOT CROSS THE STREAMS -if [ -z $TERM ]; then - $t = '-it' -fi +>&2 echo """ +================================================================================ +ATTENTION: You are running ${cmd} via a wrapper around 'docker run {{ openshift.common.cli_image }}'. +This wrapper is intended only to be used to bootstrap an environment. Please +install client tools on another host once you have granted cluster-admin +privileges to a user. +{% if openshift.common.deployment_type in ['openshift-enterprise','atomic-enterprise'] %} +See https://docs.openshift.com/enterprise/latest/cli_reference/get_started_cli.html +{% else %} +See https://docs.openshift.org/latest/cli_reference/get_started_cli.html +{% endif %} +================================================================================= +""" -docker run ${t} -a STDERR -a STDOUT -a STDIN --privileged --net=host --user=${user}:${group} -v ~/.kube:/root/.kube -v /tmp:/tmp -v {{ openshift.common.config_base}}:{{ openshift.common.config_base }} -e KUBECONFIG=/root/.kube/config --entrypoint ${cmd} --rm {{ openshift.common.cli_image }} ${@}
\ No newline at end of file +docker run -i --privileged --net=host --user=${user}:${group} -v ~/.kube:/root/.kube -v /tmp:/tmp -v {{ openshift.common.config_base}}:{{ openshift.common.config_base }} -e KUBECONFIG=/root/.kube/config --entrypoint ${cmd} --rm {{ openshift.common.cli_image }} "${@}" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 911a684fc..2a3d4acbd 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -628,7 +628,7 @@ def set_deployment_facts_if_unset(facts): facts['common']['service_type'] = service_type if 'config_base' not in facts['common']: config_base = '/etc/origin' - if deployment_type in ['enterprise', 'online']: + if deployment_type in ['enterprise']: config_base = '/etc/openshift' # Handle upgrade scenarios when symlinks don't yet exist: if not os.path.exists(config_base) and os.path.exists('/etc/openshift'): @@ -636,7 +636,7 @@ def set_deployment_facts_if_unset(facts): facts['common']['config_base'] = config_base if 'data_dir' not in facts['common']: data_dir = '/var/lib/origin' - if deployment_type in ['enterprise', 'online']: + if deployment_type in ['enterprise']: data_dir = '/var/lib/openshift' # Handle upgrade scenarios when symlinks don't yet exist: if not os.path.exists(data_dir) and os.path.exists('/var/lib/openshift'): @@ -715,6 +715,26 @@ def set_version_facts_if_unset(facts): return facts +def set_manageiq_facts_if_unset(facts): + """ Set manageiq facts. This currently includes common.use_manageiq. + + Args: + facts (dict): existing facts + Returns: + dict: the facts dict updated with version facts. + Raises: + OpenShiftFactsInternalError: + """ + if 'common' not in facts: + if 'version_greater_than_3_1_or_1_1' not in facts['common']: + raise OpenShiftFactsInternalError( + "Invalid invocation: The required facts are not set" + ) + if 'use_manageiq' not in facts['common']: + facts['common']['use_manageiq'] = facts['common']['version_greater_than_3_1_or_1_1'] + + return facts + def set_sdn_facts_if_unset(facts, system_facts): """ Set sdn facts if not already present in facts dict @@ -1021,6 +1041,11 @@ def set_container_facts_if_unset(facts): return facts +class OpenShiftFactsInternalError(Exception): + """Origin Facts Error""" + pass + + class OpenShiftFactsUnsupportedRoleError(Exception): """Origin Facts Unsupported Role Error""" pass @@ -1043,6 +1068,7 @@ class OpenShiftFacts(object): facts (dict): facts for the host Args: + module (AnsibleModule): an AnsibleModule object role (str): role for setting local facts filename (str): local facts file to use local_facts (dict): local facts to set @@ -1096,6 +1122,7 @@ class OpenShiftFacts(object): facts = set_sdn_facts_if_unset(facts, self.system_facts) facts = set_deployment_facts_if_unset(facts) facts = set_version_facts_if_unset(facts) + facts = set_manageiq_facts_if_unset(facts) facts = set_aggregate_facts(facts) facts = set_etcd_facts_if_unset(facts) facts = set_container_facts_if_unset(facts) @@ -1121,7 +1148,7 @@ class OpenShiftFacts(object): common = dict(use_openshift_sdn=True, ip=ip_addr, public_ip=ip_addr, deployment_type='origin', hostname=hostname, - public_hostname=hostname, use_manageiq=True) + public_hostname=hostname) common['client_binary'] = 'oc' common['admin_binary'] = 'oadm' common['dns_domain'] = 'cluster.local' @@ -1263,14 +1290,78 @@ class OpenShiftFacts(object): del facts[key] if new_local_facts != local_facts: + self.validate_local_facts(new_local_facts) changed = True - if not module.check_mode: save_local_facts(self.filename, new_local_facts) self.changed = changed return new_local_facts + def validate_local_facts(self, facts=None): + """ Validate local facts + + Args: + facts (dict): local facts to validate + """ + invalid_facts = dict() + invalid_facts = self.validate_master_facts(facts, invalid_facts) + if invalid_facts: + msg = 'Invalid facts detected:\n' + for key in invalid_facts.keys(): + msg += '{0}: {1}\n'.format(key, invalid_facts[key]) + module.fail_json(msg=msg, + changed=self.changed) + + # disabling pylint errors for line-too-long since we're dealing + # with best effort reduction of error messages here. + # disabling errors for too-many-branches since we require checking + # many conditions. + # pylint: disable=line-too-long, too-many-branches + @staticmethod + def validate_master_facts(facts, invalid_facts): + """ Validate master facts + + Args: + facts (dict): local facts to validate + invalid_facts (dict): collected invalid_facts + + Returns: + dict: Invalid facts + """ + if 'master' in facts: + # openshift.master.session_auth_secrets + if 'session_auth_secrets' in facts['master']: + session_auth_secrets = facts['master']['session_auth_secrets'] + if not issubclass(type(session_auth_secrets), list): + invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.' + elif 'session_encryption_secrets' not in facts['master']: + invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set ' + 'if openshift_master_session_auth_secrets is provided.') + elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']): + invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and ' + 'openshift_master_session_encryption_secrets must be ' + 'equal length.') + else: + for secret in session_auth_secrets: + if len(secret) < 32: + invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. ' + 'Secrets must be at least 32 characters in length.') + # openshift.master.session_encryption_secrets + if 'session_encryption_secrets' in facts['master']: + session_encryption_secrets = facts['master']['session_encryption_secrets'] + if not issubclass(type(session_encryption_secrets), list): + invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.' + elif 'session_auth_secrets' not in facts['master']: + invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be ' + 'set if openshift_master_session_encryption_secrets ' + 'is provided.') + else: + for secret in session_encryption_secrets: + if len(secret) not in [16, 24, 32]: + invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. ' + 'Secrets must be 16, 24, or 32 characters in length.') + return invalid_facts def main(): """ main """ diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index 2d3187e21..0357fc85a 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -1,4 +1,8 @@ --- +- fail: + msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1." + when: not openshift.common.version_greater_than_3_1_or_1_1 | bool + - name: Copy Configuration to temporary conf command: > cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}} diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index a22654678..397122631 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -9,7 +9,6 @@ Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }} when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods - # HA Variable Validation - fail: msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations" @@ -55,9 +54,9 @@ portal_net: "{{ openshift_master_portal_net | default(None) }}" session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}" session_name: "{{ openshift_master_session_name | default(None) }}" + session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}" session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(None) }}" session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(None) }}" - session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}" access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}" auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}" identity_providers: "{{ openshift_master_identity_providers | default(None) }}" @@ -221,7 +220,7 @@ template: dest: "{{ openshift.master.session_secrets_file }}" src: sessionSecretsFile.yaml.v1.j2 - force: no + when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined notify: - restart master - restart master api diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 317049c44..647476b7f 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -127,7 +127,9 @@ oauthConfig: sessionConfig: sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }} sessionName: {{ openshift.master.session_name }} +{% if openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined %} sessionSecretsFile: {{ openshift.master.session_secrets_file }} +{% endif %} tokenConfig: accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }} authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }} diff --git a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 index d12d9db90..3d4b573a9 100644 --- a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 +++ b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 @@ -1,7 +1,7 @@ apiVersion: v1 kind: SessionSecrets secrets: -{% for secret in openshift_master_session_auth_secrets %} -- authentication: "{{ openshift_master_session_auth_secrets[loop.index0] }}" - encryption: "{{ openshift_master_session_encryption_secrets[loop.index0] }}" +{% for secret in openshift.master.session_auth_secrets %} +- authentication: "{{ openshift.master.session_auth_secrets[loop.index0] }}" + encryption: "{{ openshift.master.session_encryption_secrets[loop.index0] }}" {% endfor %} diff --git a/roles/openshift_node/tasks/storage_plugins/ceph.yml b/roles/openshift_node/tasks/storage_plugins/ceph.yml index 119ad62ef..eed3c99a3 100644 --- a/roles/openshift_node/tasks/storage_plugins/ceph.yml +++ b/roles/openshift_node/tasks/storage_plugins/ceph.yml @@ -1,4 +1,4 @@ --- - name: Install Ceph storage plugin dependencies action: "{{ ansible_pkg_mgr }} name=ceph-common state=present" - when: not openshift.common.is_containerized | bool
\ No newline at end of file + when: not openshift.common.is_atomic | bool
\ No newline at end of file diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml index 91ee77e7e..8fc8497fa 100644 --- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml +++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml @@ -1,7 +1,7 @@ --- - name: Install GlusterFS storage plugin dependencies action: "{{ ansible_pkg_mgr }} name=glusterfs-fuse state=present" - when: not openshift.common.is_containerized | bool + when: not openshift.common.is_atomic | bool - name: Set sebooleans to allow gluster storage plugin access from containers seboolean: diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml index d237c26ec..39c7b9390 100644 --- a/roles/openshift_node/tasks/storage_plugins/main.yml +++ b/roles/openshift_node/tasks/storage_plugins/main.yml @@ -3,12 +3,11 @@ # additional package dependencies - name: NFS storage plugin configuration include: nfs.yml - when: not openshift.common.is_containerized | bool - name: GlusterFS storage plugin configuration include: glusterfs.yml - when: "'glusterfs' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool " + when: "'glusterfs' in openshift.node.storage_plugin_deps" - name: Ceph storage plugin configuration include: ceph.yml - when: "'ceph' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool" + when: "'ceph' in openshift.node.storage_plugin_deps" diff --git a/roles/rhel_subscribe/tasks/enterprise.yml b/roles/rhel_subscribe/tasks/enterprise.yml index e9e6e4bd4..08540f440 100644 --- a/roles/rhel_subscribe/tasks/enterprise.yml +++ b/roles/rhel_subscribe/tasks/enterprise.yml @@ -2,8 +2,24 @@ - name: Disable all repositories command: subscription-manager repos --disable="*" +- set_fact: + default_ose_version: '3.0' + when: deployment_type == 'enterprise' + +- set_fact: + default_ose_version: '3.1' + when: deployment_type in ['atomic-enterprise', 'openshift-enterprise'] + +- set_fact: + ose_version: "{{ lookup('oo_option', 'ose_version') | default(default_ose_version, True) }}" + +- fail: + msg: "{{ ose_version }} is not a valid version for {{ deployment_type }} deployment type" + when: ( deployment_type == 'enterprise' and ose_version not in ['3.0'] ) or + ( deployment_type in ['atomic-enterprise', 'openshift-enterprise'] and ose_version not in ['3.1'] ) + - name: Enable RHEL repositories command: subscription-manager repos \ --enable="rhel-7-server-rpms" \ --enable="rhel-7-server-extras-rpms" \ - --enable="rhel-7-server-ose-3.0-rpms" + --enable="rhel-7-server-ose-{{ ose_version }}-rpms" diff --git a/roles/rhel_subscribe/tasks/main.yml b/roles/rhel_subscribe/tasks/main.yml index 30c0920a1..eecfd04a0 100644 --- a/roles/rhel_subscribe/tasks/main.yml +++ b/roles/rhel_subscribe/tasks/main.yml @@ -4,6 +4,7 @@ # to make it able to enable repositories - set_fact: + rhel_subscription_pool: "{{ lookup('oo_option', 'rhel_subscription_pool') | default(rhsub_pool, True) | default('OpenShift Enterprise, Premium*', True) }}" rhel_subscription_user: "{{ lookup('oo_option', 'rhel_subscription_user') | default(rhsub_user, True) | default(omit, True) }}" rhel_subscription_pass: "{{ lookup('oo_option', 'rhel_subscription_pass') | default(rhsub_pass, True) | default(omit, True) }}" rhel_subscription_server: "{{ lookup('oo_option', 'rhel_subscription_server') | default(rhsub_server) }}" @@ -30,7 +31,14 @@ redhat_subscription: username: "{{ rhel_subscription_user }}" password: "{{ rhel_subscription_pass }}" - autosubscribe: yes + +- name: Retrieve the OpenShift Pool ID + command: subscription-manager list --available --matches="{{ rhel_subscription_pool }}" --pool-only + register: openshift_pool_id + changed_when: False + +- name: Attach to OpenShift Pool + command: subscription-manager subscribe --pool {{ openshift_pool_id.stdout_lines[0] }} - include: enterprise.yml - when: deployment_type == 'enterprise' + when: deployment_type in [ 'enterprise', 'atomic-enterprise', 'openshift-enterprise' ] |