-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--files/origin-components/template-service-broker-registration.yaml25
-rw-r--r--lookup_plugins/README.md1
-rw-r--r--lookup_plugins/oo_option.py74
-rw-r--r--openshift-ansible.spec52
-rw-r--r--playbooks/aws/openshift-cluster/build_ami.yml10
-rw-r--r--playbooks/aws/openshift-cluster/provision.yml2
-rw-r--r--playbooks/byo/openshift-cluster/redeploy-certificates.yml18
-rw-r--r--playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml6
-rw-r--r--playbooks/byo/openshift-cluster/redeploy-master-certificates.yml6
-rw-r--r--playbooks/byo/openshift-cluster/redeploy-node-certificates.yml6
-rw-r--r--playbooks/byo/openshift-etcd/certificates.yml8
-rw-r--r--playbooks/byo/openshift-master/certificates.yml8
-rw-r--r--playbooks/byo/openshift-node/certificates.yml6
-rw-r--r--playbooks/byo/openshift-node/scaleup.yml2
-rw-r--r--playbooks/byo/rhel_subscribe.yml2
-rw-r--r--playbooks/common/openshift-cluster/config.yml12
-rw-r--r--playbooks/common/openshift-cluster/initialize_oo_option_facts.yml18
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml19
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml17
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml54
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml38
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/masters.yml63
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/nodes-backup.yml (renamed from playbooks/common/openshift-cluster/redeploy-certificates/nodes.yml)5
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml16
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/router.yml138
-rw-r--r--playbooks/common/openshift-cluster/upgrades/init.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml8
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml16
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml8
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml4
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml16
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml8
-rw-r--r--playbooks/common/openshift-etcd/ca.yml15
-rw-r--r--playbooks/common/openshift-etcd/certificates.yml29
-rw-r--r--playbooks/common/openshift-etcd/scaleup.yml7
-rw-r--r--playbooks/common/openshift-master/ca.yml8
-rw-r--r--playbooks/common/openshift-master/certificates.yml14
-rw-r--r--playbooks/common/openshift-master/config.yml33
-rw-r--r--playbooks/common/openshift-master/scaleup.yml6
-rw-r--r--playbooks/common/openshift-node/additional_config.yml52
-rw-r--r--playbooks/common/openshift-node/certificates.yml8
-rw-r--r--playbooks/common/openshift-node/config.yml101
-rw-r--r--playbooks/common/openshift-node/configure_nodes.yml16
-rw-r--r--playbooks/common/openshift-node/containerized_nodes.yml19
-rw-r--r--playbooks/common/openshift-node/enable_excluders.yml8
-rw-r--r--playbooks/common/openshift-node/etcd_client_config.yml11
-rw-r--r--playbooks/common/openshift-node/manage_node.yml12
-rw-r--r--playbooks/common/openshift-node/setup.yml27
-rw-r--r--roles/etcd/tasks/main.yml2
-rw-r--r--roles/openshift_aws/defaults/main.yml1
-rw-r--r--roles/openshift_aws/tasks/elb.yml8
-rw-r--r--roles/openshift_aws/tasks/iam_cert.yml10
-rw-r--r--roles/openshift_aws/tasks/provision.yml4
-rw-r--r--roles/openshift_ca/defaults/main.yml8
-rw-r--r--roles/openshift_ca/meta/main.yml1
-rw-r--r--roles/openshift_ca/vars/main.yml7
-rw-r--r--roles/openshift_default_storage_class/README.md2
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py4
-rw-r--r--roles/openshift_hosted/tasks/router.yml6
-rw-r--r--roles/openshift_logging/README.md44
-rw-r--r--roles/openshift_master_certificates/meta/main.yml4
-rw-r--r--roles/openshift_master_facts/defaults/main.yml2
l---------roles/openshift_master_facts/lookup_plugins/oo_option.py1
-rw-r--r--roles/openshift_master_facts/tasks/main.yml1
-rw-r--r--roles/openshift_named_certificates/defaults/main.yml6
-rw-r--r--roles/openshift_named_certificates/vars/main.yml6
-rw-r--r--roles/openshift_node/defaults/main.yml3
-rw-r--r--roles/openshift_node/meta/main.yml2
-rw-r--r--roles/openshift_node/tasks/node_system_container.yml2
-rw-r--r--roles/openshift_node/tasks/registry_auth.yml2
-rw-r--r--roles/openshift_node_certificates/meta/main.yml3
-rw-r--r--roles/openshift_node_facts/tasks/main.yml8
-rw-r--r--roles/openshift_node_upgrade/tasks/registry_auth.yml2
-rw-r--r--roles/openshift_repos/templates/CentOS-OpenShift-Origin.repo.j22
-rw-r--r--roles/openshift_repos/templates/CentOS-OpenShift-Origin14.repo.j22
-rw-r--r--roles/openshift_repos/templates/CentOS-OpenShift-Origin15.repo.j22
-rw-r--r--roles/openshift_repos/templates/CentOS-OpenShift-Origin36.repo.j22
-rw-r--r--roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml11
-rw-r--r--roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml10
-rw-r--r--roles/openshift_storage_glusterfs/tasks/heketi_deploy_part2.yml2
-rw-r--r--roles/rhel_subscribe/tasks/enterprise.yml2
-rw-r--r--roles/rhel_subscribe/tasks/main.yml8
-rw-r--r--roles/template_service_broker/tasks/install.yml28
-rw-r--r--roles/template_service_broker/tasks/remove.yml11
-rw-r--r--roles/template_service_broker/vars/main.yml1
-rw-r--r--setup.py2
87 files changed, 675 insertions, 583 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 4d61a759b..1541b6a5f 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.7.0-0.134.0 ./
+3.7.0-0.138.0 ./
diff --git a/files/origin-components/template-service-broker-registration.yaml b/files/origin-components/template-service-broker-registration.yaml
new file mode 100644
index 000000000..2086978f0
--- /dev/null
+++ b/files/origin-components/template-service-broker-registration.yaml
@@ -0,0 +1,25 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: template-service-broker-registration
+parameters:
+- name: TSB_NAMESPACE
+ value: openshift-template-service-broker
+- name: CA_BUNDLE
+ required: true
+objects:
+# register the tsb with the service catalog
+- apiVersion: servicecatalog.k8s.io/v1alpha1
+ kind: ServiceBroker
+ metadata:
+ name: template-service-broker
+ spec:
+ url: https://apiserver.${TSB_NAMESPACE}.svc:443/brokers/template.openshift.io
+ insecureSkipTLSVerify: false
+ caBundle: ${CA_BUNDLE}
+ authInfo:
+ bearer:
+ secretRef:
+ kind: Secret
+ name: templateservicebroker-client
+ namespace: ${TSB_NAMESPACE}
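Review bot: The `CA_BUNDLE` parameter (`- name: CA_BUNDLE`) is marked required but has no description, and the `templateservicebroker-client` secret referenced under `secretRef` is not documented as a precondition. As far as I recall the ServiceBroker `caBundle` field expects a base64-encoded PEM bundle that chains to the TSB apiserver's serving certificate; a raw PEM value makes the catalog's verification fail outright, which is the right failure mode given `insecureSkipTLSVerify: false`, but callers need to know the encoding. I would add `description: Base64-encoded PEM CA bundle the service catalog uses to verify the TSB apiserver serving certificate` under the parameter, and a comment above `secretRef` stating that the `templateservicebroker-client` secret in `${TSB_NAMESPACE}` is presumably created by the template_service_broker install tasks and must exist before this template is processed.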
diff --git a/lookup_plugins/README.md b/lookup_plugins/README.md
new file mode 100644
index 000000000..f05d608e5
--- /dev/null
+++ b/lookup_plugins/README.md
@@ -0,0 +1 @@
+openshift-ansible lookup plugins.
diff --git a/lookup_plugins/oo_option.py b/lookup_plugins/oo_option.py
deleted file mode 100644
index 4581cb6b8..000000000
--- a/lookup_plugins/oo_option.py
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env python2
-# -*- coding: utf-8 -*-
-'''
-oo_option lookup plugin for openshift-ansible
-
-Usage:
-
- - debug:
- msg: "{{ lookup('oo_option', '<key>') | default('<default_value>', True) }}"
-
-This returns, by order of priority:
-
-* if it exists, the `cli_<key>` ansible variable. This variable is set by `bin/cluster --option <key>=<value> …`
-* if it exists, the envirnoment variable named `<key>`
-* if none of the above conditions are met, empty string is returned
-'''
-
-
-import os
-
-# pylint: disable=no-name-in-module,import-error,unused-argument,unused-variable,super-init-not-called,too-few-public-methods,missing-docstring
-try:
- # ansible-2.0
- from ansible.plugins.lookup import LookupBase
-except ImportError:
- # ansible-1.9.x
- class LookupBase(object):
- def __init__(self, basedir=None, runner=None, **kwargs):
- self.runner = runner
- self.basedir = self.runner.basedir
-
- def get_basedir(self, variables):
- return self.basedir
-
-
-# Reason: disable too-few-public-methods because the `run` method is the only
-# one required by the Ansible API
-# Status: permanently disabled
-# pylint: disable=too-few-public-methods
-class LookupModule(LookupBase):
- ''' oo_option lookup plugin main class '''
-
- # Reason: disable unused-argument because Ansible is calling us with many
- # parameters we are not interested in.
- # The lookup plugins of Ansible have this kwargs “catch-all” parameter
- # which is not used
- # Status: permanently disabled unless Ansible API evolves
- # pylint: disable=unused-argument
- def __init__(self, basedir=None, **kwargs):
- ''' Constructor '''
- self.basedir = basedir
-
- # Reason: disable unused-argument because Ansible is calling us with many
- # parameters we are not interested in.
- # The lookup plugins of Ansible have this kwargs “catch-all” parameter
- # which is not used
- # Status: permanently disabled unless Ansible API evolves
- # pylint: disable=unused-argument
- def run(self, terms, variables, **kwargs):
- ''' Main execution path '''
-
- ret = []
-
- for term in terms:
- option_name = term.split()[0]
- cli_key = 'cli_' + option_name
- if 'vars' in variables and cli_key in variables['vars']:
- ret.append(variables['vars'][cli_key])
- elif option_name in os.environ:
- ret.append(os.environ[option_name])
- else:
- ret.append('')
-
- return ret
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 1f81893d9..b2db44b86 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
Name: openshift-ansible
Version: 3.7.0
-Release: 0.134.0%{?dist}
+Release: 0.138.0%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
URL: https://github.com/openshift/openshift-ansible
@@ -84,10 +84,6 @@ touch %{buildroot}%{_datadir}/ansible/%{name}/roles/contiv/.empty_dir
pushd %{buildroot}%{_datadir}/ansible/%{name}/roles/openshift_master_facts/filter_plugins
ln -sf ../../../../../ansible_plugins/filter_plugins/oo_filters.py oo_filters.py
popd
-# openshift_master_facts symlinks lookup_plugins/oo_option.py from ansible_plugins/lookup_plugins
-pushd %{buildroot}%{_datadir}/ansible/%{name}/roles/openshift_master_facts/lookup_plugins
-ln -sf ../../../../../ansible_plugins/lookup_plugins/oo_option.py oo_option.py
-popd
# openshift-ansible-filter-plugins install
cp -rp filter_plugins %{buildroot}%{_datadir}/ansible_plugins/
@@ -280,6 +276,52 @@ Atomic OpenShift Utilities includes
%changelog
+* Mon Oct 02 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.138.0
+- Fix typo in openshift_default_storage_class/README (hansmi@vshn.ch)
+- GlusterFS: make ServiceAccounts privileged when either glusterfs or heketi is
+ native (jarrpa@redhat.com)
+- Fix some provisioning variables (mgugino@redhat.com)
+
+* Mon Oct 02 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.137.0
+- openshift_node: Add MASTER_SERVICE on system container install
+ (smilner@redhat.com)
+- openshift_node: Set DOCKER_SERVICE for system container (smilner@redhat.com)
+
+* Sun Oct 01 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.136.0
+- Include openshift_hosted when redeploying router certificates to handle auto-
+ generated wildcard certificate or custom openshift_hosted_router_certificate.
+ (abutcher@redhat.com)
+- Check for router service annotations when redeploying router certificates.
+ (abutcher@redhat.com)
+- Remove oo_option symlink from specfile. (abutcher@redhat.com)
+- Add a README.md to lookup_plugins/ (abutcher@redhat.com)
+- Remove oo_option facts. (abutcher@redhat.com)
+- block 3.6->3.7 upgrade if storage backend is not set to etcd3
+ (jchaloup@redhat.com)
+- Changes necessary to support AMI building (mgugino@redhat.com)
+
+* Sat Sep 30 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.135.0
+- fix whitespace for centos repos (jdetiber@redhat.com)
+- Fix registry auth variable (mgugino@redhat.com)
+- move health-checks and control-plane-verification before excluders
+ (jchaloup@redhat.com)
+- Fix typo in files (Docker registries) (william17.burton@gmail.com)
+- Registering the broker for TSB (ewolinet@redhat.com)
+- Quick formatting updates to the logging README. (steveqtran@gmail.com)
+- openshift_facts: coerce docker_use_system_container to bool
+ (smilner@redhat.com)
+- Migrate enterprise registry logic to docker role (mgugino@redhat.com)
+- minor update to README and removed dead file (steveqtran@gmail.com)
+- Added new variables for logging role for remote-syslog plugin
+ (steveqtran@gmail.com)
+- Remove some reminants of Atomic Enterprise (sdodson@redhat.com)
+- Allow examples management to be disabled (sdodson@redhat.com)
+- rename vars to avoid double negatives and ensuing confusion
+ (jsanda@redhat.com)
+- set prometheus endpoint properties to false by default (jsanda@redhat.com)
+- add options to disable prometheus endpoints (jsanda@redhat.com)
+- Enable JMX reporting of internal metrics (jsanda@redhat.com)
+
* Thu Sep 28 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.134.0
- OpenShift-Ansible Installer Checkpointing (rteague@redhat.com)
- evaluate etcd_backup_tag variable (jchaloup@redhat.com)
diff --git a/playbooks/aws/openshift-cluster/build_ami.yml b/playbooks/aws/openshift-cluster/build_ami.yml
index 86b2a2544..1e54f0467 100644
--- a/playbooks/aws/openshift-cluster/build_ami.yml
+++ b/playbooks/aws/openshift-cluster/build_ami.yml
@@ -66,8 +66,14 @@
- name: run the std_include
include: ../../common/openshift-cluster/initialize_openshift_repos.yml
-- name: install node config
- include: ../../common/openshift-node/config.yml
+- name: run node config setup
+ include: ../../common/openshift-node/setup.yml
+
+- name: run node config
+ include: ../../common/openshift-node/configure_nodes.yml
+
+- name: Re-enable excluders
+ include: ../../common/openshift-node/enable_excluders.yml
- hosts: localhost
connection: local
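Review bot: The new sequence at `run node config setup` / `run node config` omits `../../common/openshift-node/certificates.yml`, which this same commit splits out of node config everywhere else (byo scaleup.yml and common/openshift-cluster/config.yml both gain it). For an image build that is presumably deliberate, since a node key and kubeconfig baked into the AMI would be shared by every instance launched from it, but nothing here says so and a reader comparing with scaleup.yml will read it as an omission. I would add above the setup include: `# Intentionally no openshift-node/certificates.yml: node certs/keys are per-instance and must never be baked into the AMI.`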
diff --git a/playbooks/aws/openshift-cluster/provision.yml b/playbooks/aws/openshift-cluster/provision.yml
index db7afac6f..8f018abd0 100644
--- a/playbooks/aws/openshift-cluster/provision.yml
+++ b/playbooks/aws/openshift-cluster/provision.yml
@@ -11,7 +11,7 @@
debug:
msg: "openshift_aws_region={{ openshift_aws_region | default('us-east-1') }}"
- - name: create default vpc
+ - name: provision cluster
include_role:
name: openshift_aws
tasks_from: provision.yml
diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
index 073ded6e0..255b0dbf7 100644
--- a/playbooks/byo/openshift-cluster/redeploy-certificates.yml
+++ b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
@@ -11,11 +11,23 @@
vars:
g_check_expiry_hosts: 'oo_etcd_to_config'
-- include: ../../common/openshift-cluster/redeploy-certificates/etcd.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/etcd-backup.yml
-- include: ../../common/openshift-cluster/redeploy-certificates/masters.yml
+- include: ../../common/openshift-etcd/certificates.yml
+ vars:
+ etcd_certificates_redeploy: true
+
+- include: ../../common/openshift-cluster/redeploy-certificates/masters-backup.yml
+
+- include: ../../common/openshift-master/certificates.yml
+ vars:
+ openshift_certificates_redeploy: true
+
+- include: ../../common/openshift-cluster/redeploy-certificates/nodes-backup.yml
-- include: ../../common/openshift-cluster/redeploy-certificates/nodes.yml
+- include: ../../common/openshift-node/certificates.yml
+ vars:
+ openshift_certificates_redeploy: true
- include: ../../common/openshift-etcd/restart.yml
vars:
diff --git a/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml
index 0f86eb997..f4f2ce00d 100644
--- a/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml
+++ b/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml
@@ -11,7 +11,11 @@
vars:
g_check_expiry_hosts: 'oo_etcd_to_config'
-- include: ../../common/openshift-cluster/redeploy-certificates/etcd.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/etcd-backup.yml
+
+- include: ../../common/openshift-etcd/certificates.yml
+ vars:
+ etcd_certificates_redeploy: true
- include: ../../common/openshift-etcd/restart.yml
vars:
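Review bot: The replaced `redeploy-certificates/etcd.yml` had an explicit play regenerating the masters' etcd client certificates (`openshift_etcd_client_certificates` on `oo_masters_to_config` with `etcd_certificates_redeploy: true`); the new `../../common/openshift-etcd/certificates.yml` include covers that only if it also targets the masters, which is not visible in this diff. If it does not, the etcd servers get fresh certificates while the masters keep their old, possibly expiring `master.etcd-client.*` pair, which defeats the purpose of this playbook. Worth confirming, and a one-line comment on the include, `# also redeploys the masters' etcd client certs (master.etcd-client.*)`, would make the dependency explicit.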
diff --git a/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml
index 566e8b261..049bad8e7 100644
--- a/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml
+++ b/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml
@@ -7,6 +7,10 @@
tags:
- always
-- include: ../../common/openshift-cluster/redeploy-certificates/masters.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/masters-backup.yml
+
+- include: ../../common/openshift-master/certificates.yml
+ vars:
+ openshift_certificates_redeploy: true
- include: ../../common/openshift-master/restart.yml
diff --git a/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml
index 42777e5e6..345b0c689 100644
--- a/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml
+++ b/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml
@@ -7,6 +7,10 @@
tags:
- always
-- include: ../../common/openshift-cluster/redeploy-certificates/nodes.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/nodes-backup.yml
+
+- include: ../../common/openshift-node/certificates.yml
+ vars:
+ openshift_certificates_redeploy: true
- include: ../../common/openshift-node/restart.yml
diff --git a/playbooks/byo/openshift-etcd/certificates.yml b/playbooks/byo/openshift-etcd/certificates.yml
new file mode 100644
index 000000000..e35cf243f
--- /dev/null
+++ b/playbooks/byo/openshift-etcd/certificates.yml
@@ -0,0 +1,8 @@
+---
+- include: ../openshift-cluster/initialize_groups.yml
+
+- include: ../../common/openshift-cluster/std_include.yml
+
+- include: ../../common/openshift-etcd/ca.yml
+
+- include: ../../common/openshift-etcd/certificates.yml
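Review bot: This standalone entry point runs `../../common/openshift-etcd/ca.yml` unconditionally before the certificates include, with no redeploy flag set. That is only safe if ca.yml is a no-op when a CA already exists (the inline play it replaces in etcd-ca.yml was gated on `etcd_ca_setup | default(True)`, and that gate is not visible here); if it ever regenerates the CA, re-running this playbook on a live cluster invalidates every etcd server and client certificate at once. A comment above the include stating the contract, `# ca.yml must not replace an existing CA; CA rotation goes through redeploy-certificates/etcd-ca.yml`, would document the expectation for whoever maintains ca.yml.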
diff --git a/playbooks/byo/openshift-master/certificates.yml b/playbooks/byo/openshift-master/certificates.yml
new file mode 100644
index 000000000..26b964034
--- /dev/null
+++ b/playbooks/byo/openshift-master/certificates.yml
@@ -0,0 +1,8 @@
+---
+- include: ../openshift-cluster/initialize_groups.yml
+
+- include: ../../common/openshift-cluster/std_include.yml
+
+- include: ../../common/openshift-master/ca.yml
+
+- include: ../../common/openshift-master/certificates.yml
diff --git a/playbooks/byo/openshift-node/certificates.yml b/playbooks/byo/openshift-node/certificates.yml
new file mode 100644
index 000000000..3d2de74a9
--- /dev/null
+++ b/playbooks/byo/openshift-node/certificates.yml
@@ -0,0 +1,6 @@
+---
+- include: ../openshift-cluster/initialize_groups.yml
+
+- include: ../../common/openshift-cluster/std_include.yml
+
+- include: ../../common/openshift-node/certificates.yml
diff --git a/playbooks/byo/openshift-node/scaleup.yml b/playbooks/byo/openshift-node/scaleup.yml
index e0c36fb69..9f992cca6 100644
--- a/playbooks/byo/openshift-node/scaleup.yml
+++ b/playbooks/byo/openshift-node/scaleup.yml
@@ -16,4 +16,6 @@
- include: ../../common/openshift-cluster/std_include.yml
+- include: ../../common/openshift-node/certificates.yml
+
- include: ../../common/openshift-node/config.yml
diff --git a/playbooks/byo/rhel_subscribe.yml b/playbooks/byo/rhel_subscribe.yml
index 06f914981..bc3109a31 100644
--- a/playbooks/byo/rhel_subscribe.yml
+++ b/playbooks/byo/rhel_subscribe.yml
@@ -11,6 +11,6 @@
when:
- deployment_type == 'openshift-enterprise'
- ansible_distribution == "RedHat"
- - lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false']
+ - lookup('env', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false']
- role: openshift_repos
- role: os_update_latest
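Review bot: Switching `lookup('oo_option', 'rhel_skip_subscription')` to `lookup('env', ...)` silently drops the `cli_rhel_skip_subscription` variable fallback the old plugin consulted first, so any inventory still setting it will now be subscribed without warning. It also keeps a lowercase control-host environment variable, `rhel_skip_subscription`, as the highest-priority switch, which is easy to set by accident and invisible in the inventory. If the point of removing oo_option is to make inventory the single source of truth, consider `- rhsub_skip | default('no', True) | lower in ['no', 'false']` and dropping the env lookup entirely.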
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index bf6f4e7cd..4ca0d48e4 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -18,9 +18,9 @@
- docker_image_availability
- docker_storage
-- include: initialize_oo_option_facts.yml
- tags:
- - always
+- include: ../openshift-etcd/ca.yml
+
+- include: ../openshift-etcd/certificates.yml
- include: ../openshift-etcd/config.yml
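Review bot: The new `../openshift-etcd/ca.yml` and `../openshift-etcd/certificates.yml` includes run on every install, unlike the loadbalancer include a few lines down that is guarded with `when: groups.oo_lb_to_config | default([]) | count > 0`. That is fine if both files scope their plays to `oo_first_etcd`/`oo_etcd_to_config` and simply match no hosts on an embedded-etcd inventory, but neither file is in this diff; the removed etcd-ca.yml play indexed `groups.oo_etcd_to_config.0` directly, which fails on an empty group. Either guard both includes with `when: groups.oo_etcd_to_config | default([]) | count > 0` or add a comment noting that the included plays are host-group scoped and safe with no etcd hosts.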
@@ -30,10 +30,16 @@
- include: ../openshift-loadbalancer/config.yml
when: groups.oo_lb_to_config | default([]) | count > 0
+- include: ../openshift-master/ca.yml
+
+- include: ../openshift-master/certificates.yml
+
- include: ../openshift-master/config.yml
- include: ../openshift-master/additional_config.yml
+- include: ../openshift-node/certificates.yml
+
- include: ../openshift-node/config.yml
- include: ../openshift-glusterfs/config.yml
diff --git a/playbooks/common/openshift-cluster/initialize_oo_option_facts.yml b/playbooks/common/openshift-cluster/initialize_oo_option_facts.yml
deleted file mode 100644
index dab17aaa9..000000000
--- a/playbooks/common/openshift-cluster/initialize_oo_option_facts.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: Set oo_option facts
- hosts: oo_all_hosts
- tags:
- - always
- tasks:
- - set_fact:
- openshift_docker_options: "{{ lookup('oo_option', 'docker_options') }}"
- when: openshift_docker_options is not defined
- - set_fact:
- openshift_docker_log_driver: "{{ lookup('oo_option', 'docker_log_driver') }}"
- when: openshift_docker_log_driver is not defined
- - set_fact:
- openshift_docker_log_options: "{{ lookup('oo_option', 'docker_log_options') }}"
- when: openshift_docker_log_options is not defined
- - set_fact:
- openshift_docker_selinux_enabled: "{{ lookup('oo_option', 'docker_selinux_enabled') }}"
- when: openshift_docker_selinux_enabled is not defined
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml b/playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml
new file mode 100644
index 000000000..d738c8207
--- /dev/null
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml
@@ -0,0 +1,19 @@
+---
+- name: Backup and remove generated etcd certificates
+ hosts: oo_first_etcd
+ any_errors_fatal: true
+ tasks:
+ - include_role:
+ name: etcd
+ tasks_from: backup_generated_certificates
+ - include_role:
+ name: etcd
+ tasks_from: remove_generated_certificates
+
+- name: Backup deployed etcd certificates
+ hosts: oo_etcd_to_config
+ any_errors_fatal: true
+ tasks:
+ - include_role:
+ name: etcd
+ tasks_from: backup_server_certificates
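Review bot: The `backup_server_certificates` include on `oo_etcd_to_config` no longer passes `r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"`, which the play it replaces in `redeploy-certificates/etcd.yml` did pass. If the role task still uses that variable to locate the certificate directory for containerized or system-container etcd, the backup would fail or archive the wrong path, and by then `remove_generated_certificates` has already run on the first etcd host. Unless the etcd role now derives the runtime itself (roles/etcd/tasks/main.yml is touched in this commit but not shown here), I would restore the `vars:` block on the second play.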
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
index 3da22bce6..044875d1c 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
@@ -21,20 +21,7 @@
name: etcd
tasks_from: remove_ca_certificates
-- name: Generate new etcd CA
- hosts: oo_first_etcd
- roles:
- - role: openshift_etcd_facts
- tasks:
- - include_role:
- name: etcd
- tasks_from: ca
- vars:
- etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
- when:
- - etcd_ca_setup | default(True) | bool
+- include: ../../openshift-etcd/ca.yml
- name: Create temp directory for syncing certs
hosts: localhost
@@ -72,7 +59,7 @@
name: etcd
tasks_from: retrieve_ca_certificates
vars:
- etcd_sync_cert_dir: hostvars['localhost'].g_etcd_mktemp.stdout
+ etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
- name: Distribute etcd CA to masters
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml b/playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml
deleted file mode 100644
index 48a5a13ac..000000000
--- a/playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-- name: Backup and remove generated etcd certificates
- hosts: oo_first_etcd
- any_errors_fatal: true
- tasks:
- - include_role:
- name: etcd
- tasks_from: backup_generated_certificates
- - include_role:
- name: etcd
- tasks_from: remove_generated_certificates
-
-- name: Backup and removed deployed etcd certificates
- hosts: oo_etcd_to_config
- any_errors_fatal: true
- tasks:
- - include_role:
- name: etcd
- tasks_from: backup_server_certificates
- vars:
- r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-
-- name: Redeploy etcd certificates
- hosts: oo_etcd_to_config
- any_errors_fatal: true
- roles:
- - role: openshift_etcd_facts
- tasks:
- - include_role:
- name: etcd
- tasks_from: server_certificates
- vars:
- etcd_certificates_redeploy: true
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
- etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-
-- name: Redeploy etcd client certificates for masters
- hosts: oo_masters_to_config
- any_errors_fatal: true
- roles:
- - role: openshift_etcd_facts
- - role: openshift_etcd_client_certificates
- etcd_certificates_redeploy: true
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
- etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
- etcd_cert_prefix: "master.etcd-"
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
- r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
- when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml b/playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml
new file mode 100644
index 000000000..4dbc041b0
--- /dev/null
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml
@@ -0,0 +1,38 @@
+---
+- name: Backup and remove master cerftificates
+ hosts: oo_masters_to_config
+ any_errors_fatal: true
+ vars:
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
+ pre_tasks:
+ - stat:
+ path: "{{ openshift.common.config_base }}/generated-configs"
+ register: openshift_generated_configs_dir_stat
+ - name: Backup generated certificate and config directories
+ command: >
+ tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
+ {{ openshift.common.config_base }}/generated-configs
+ {{ openshift.common.config_base }}/master
+ when: openshift_generated_configs_dir_stat.stat.exists
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+ - name: Remove generated certificate directories
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ openshift.common.config_base }}/generated-configs"
+ - name: Remove generated certificates
+ file:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ state: absent
+ with_items:
+ - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false, include_ca=false) }}"
+ - "etcd.server.crt"
+ - "etcd.server.key"
+ - "master.server.crt"
+ - "master.server.key"
+ - "openshift-master.crt"
+ - "openshift-master.key"
+ - "openshift-master.kubeconfig"
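Review bot: The `Remove generated etcd client certificates` task from the old masters.yml, which deleted `master.etcd-client.crt`/`.key` when `oo_etcd_to_config` is empty (embedded etcd), did not make it into this file, so on an embedded-etcd cluster the redeploy leaves the old client pair in place unless `openshift-master/certificates.yml` handles it, which is not visible here. Separately, the `tar -czvf /etc/origin/master-node-cert-config-backup-...tgz` archive holds every master private key and is created with whatever umask the task inherits; a follow-up `file: path=/etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz mode=0600` on the same delegated host would keep the backup as tightly permissioned as the keys it copies. Note also the typo `cerftificates` in the play name.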
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml b/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
deleted file mode 100644
index 51b196299..000000000
--- a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-- name: Redeploy master certificates
- hosts: oo_masters_to_config
- any_errors_fatal: true
- vars:
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
- pre_tasks:
- - stat:
- path: "{{ openshift_generated_configs_dir }}"
- register: openshift_generated_configs_dir_stat
- - name: Backup generated certificate and config directories
- command: >
- tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
- {{ openshift_generated_configs_dir }}
- {{ openshift.common.config_base }}/master
- when: openshift_generated_configs_dir_stat.stat.exists
- delegate_to: "{{ openshift_ca_host }}"
- run_once: true
- - name: Remove generated certificate directories
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ openshift_generated_configs_dir }}"
- - name: Remove generated certificates
- file:
- path: "{{ openshift.common.config_base }}/master/{{ item }}"
- state: absent
- with_items:
- - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false, include_ca=false) }}"
- - "etcd.server.crt"
- - "etcd.server.key"
- - "master.server.crt"
- - "master.server.key"
- - "openshift-master.crt"
- - "openshift-master.key"
- - "openshift-master.kubeconfig"
- - name: Remove generated etcd client certificates
- file:
- path: "{{ openshift.common.config_base }}/master/{{ item }}"
- state: absent
- with_items:
- - "master.etcd-client.crt"
- - "master.etcd-client.key"
- when: groups.oo_etcd_to_config | default([]) | length == 0
- roles:
- - role: openshift_master_certificates
- openshift_master_etcd_hosts: "{{ hostvars
- | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
- | oo_collect('openshift.common.hostname')
- | default(none, true) }}"
- openshift_certificates_redeploy: true
- - role: lib_utils
- post_tasks:
- - yedit:
- src: "{{ openshift.common.config_base }}/master/master-config.yaml"
- key: servingInfo.namedCertificates
- value: "{{ openshift.master.named_certificates | default([]) | oo_named_certificates_list }}"
- when:
- - ('named_certificates' in openshift.master)
- - openshift.master.named_certificates | default([]) | length > 0
- - openshift_master_overwrite_named_certificates | default(false) | bool
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/nodes.yml b/playbooks/common/openshift-cluster/redeploy-certificates/nodes-backup.yml
index 4990a03f2..2ad84b3b9 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/nodes.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/nodes-backup.yml
@@ -22,8 +22,3 @@
state: absent
with_items:
- "{{ openshift.common.config_base }}/node/ca.crt"
- roles:
- - role: openshift_node_certificates
- openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_certificates_redeploy: true
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
index b54acae6c..12cd209d2 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
@@ -105,25 +105,21 @@
- "ca.serial.txt"
- "ca-bundle.crt"
-- name: Generate new OpenShift CA certificate
+- name: Create temporary directory for creating new CA certificate
hosts: oo_first_master
- pre_tasks:
+ tasks:
- name: Create temporary directory for creating new CA certificate
command: >
mktemp -d /tmp/openshift-ansible-XXXXXXX
register: g_new_openshift_ca_mktemp
changed_when: false
- roles:
- - role: openshift_ca
+
+- include: ../../openshift-master/ca.yml
+ vars:
# Set openshift_ca_config_dir to a temporary directory where CA
# will be created. We'll replace the existing CA with the CA
# created in the temporary directory.
- openshift_ca_config_dir: "{{ g_new_openshift_ca_mktemp.stdout }}"
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- openshift_master_hostnames: "{{ hostvars
- | oo_select_keys(groups['oo_masters_to_config'] | default([]))
- | oo_collect('openshift.common.all_hostnames')
- | oo_flatten | unique }}"
+ openshift_ca_config_dir: "{{ hostvars[groups.oo_first_master.0].g_new_openshift_ca_mktemp.stdout }}"
- name: Create temp directory for syncing certs
hosts: localhost
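Review bot: The removed `openshift_ca` role invocation passed `openshift_master_hostnames` built from every master's `openshift.common.all_hostnames`; the new `../../openshift-master/ca.yml` include receives only `openshift_ca_config_dir`, so the SAN list for the certificates signed by the regenerated CA now depends on ca.yml computing that same value, which this diff does not show. If ca.yml derives it from `oo_masters_to_config` as before this is fine, but if it falls back to the first master only, the other masters' serving certs would come back missing their hostnames after the CA swap. A comment on the include, `# openshift_master_hostnames is derived inside ca.yml from oo_masters_to_config`, would pin that expectation; otherwise pass the variable explicitly as before.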
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
index 748bbbf91..2116c745c 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
@@ -7,23 +7,34 @@
tasks:
- name: Create temp directory for kubeconfig
command: mktemp -d /tmp/openshift-ansible-XXXXXX
- register: mktemp
+ register: router_cert_redeploy_tempdir
changed_when: false
+
- name: Copy admin client config(s)
command: >
- cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+ cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
changed_when: false
- name: Determine if router exists
command: >
{{ openshift.common.client_binary }} get dc/router -o json
- --config={{ mktemp.stdout }}/admin.kubeconfig
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
-n default
register: l_router_dc
failed_when: false
changed_when: false
- - set_fact:
+ - name: Determine if router service exists
+ command: >
+ {{ openshift.common.client_binary }} get svc/router -o json
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ -n default
+ register: l_router_svc
+ failed_when: false
+ changed_when: false
+
+ - name: Collect router environment variables and secrets
+ set_fact:
router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
| oo_collect('name'))
| default([]) }}"
@@ -34,20 +45,32 @@
changed_when: false
when: l_router_dc.rc == 0
+ - name: Collect router service annotations
+ set_fact:
+ router_service_annotations: "{{ (l_router_svc.stdout | from_json)['metadata']['annotations'] if 'annotations' in (l_router_svc.stdout | from_json)['metadata'] else [] }}"
+ when: l_router_svc.rc == 0
+
- name: Update router environment variables
shell: >
{{ openshift.common.client_binary }} env dc/router
OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
- --config={{ mktemp.stdout }}/admin.kubeconfig
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
-n default
- when: l_router_dc.rc == 0 and 'OPENSHIFT_CA_DATA' in router_env_vars and 'OPENSHIFT_CERT_DATA' in router_env_vars and 'OPENSHIFT_KEY_DATA' in router_env_vars
+ when:
+ - l_router_dc.rc == 0
+ - ('OPENSHIFT_CA_DATA' in router_env_vars)
+ - ('OPENSHIFT_CERT_DATA' in router_env_vars)
+ - ('OPENSHIFT_KEY_DATA' in router_env_vars)
+ # When the router service contains service signer annotations we
+ # will delete the existing certificate secret and allow OpenShift to
+ # replace the secret.
- block:
- name: Delete existing router certificate secret
oc_secret:
- kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ kubeconfig: "{{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig"
name: router-certs
namespace: default
state: absent
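Review bot: `router_service_annotations` in the `Collect router service annotations` task falls back to a list (`[]`) where the real value is a mapping, and the expression parses `l_router_svc.stdout` twice. A `default` on the lookup should give the later `in` checks the same membership semantics with a consistent type: `router_service_annotations: "{{ (l_router_svc.stdout | from_json)['metadata']['annotations'] | default({}) }}"`. The task is already guarded by `when: l_router_svc.rc == 0`, so the parse only runs when the service lookup succeeded.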
@@ -58,86 +81,61 @@
{{ openshift.common.client_binary }} annotate service/router
service.alpha.openshift.io/serving-cert-secret-name-
service.alpha.openshift.io/serving-cert-signed-by-
- --config={{ mktemp.stdout }}/admin.kubeconfig
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
-n default
- name: Add serving-cert-secret annotation to router service
command: >
{{ openshift.common.client_binary }} annotate service/router
service.alpha.openshift.io/serving-cert-secret-name=router-certs
- --config={{ mktemp.stdout }}/admin.kubeconfig
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
-n default
- when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is undefined
+ when:
+ - l_router_dc.rc == 0
+ - l_router_svc.rc == 0
+ - ('router-certs' in router_secrets)
+ - openshift_hosted_router_certificate is undefined
+ - ('service.alpha.openshift.io/serving-cert-secret-name') in router_service_annotations
+ - ('service.alpha.openshift.io/serving-cert-signed-by') in router_service_annotations
- - block:
- - assert:
- that:
- - "'certfile' in openshift_hosted_router_certificate"
- - "'keyfile' in openshift_hosted_router_certificate"
- - "'cafile' in openshift_hosted_router_certificate"
- msg: |-
- openshift_hosted_router_certificate has been set in the inventory but is
- missing one or more required keys. Ensure that 'certfile', 'keyfile',
- and 'cafile' keys have been specified for the openshift_hosted_router_certificate
- inventory variable.
-
- - name: Read router certificate and key
- become: no
- local_action:
- module: slurp
- src: "{{ item }}"
- register: openshift_router_certificate_output
- # Defaulting dictionary keys to none to avoid deprecation warnings
- # (future fatal errors) during template evaluation. Dictionary keys
- # won't be accessed unless openshift_hosted_router_certificate is
- # defined and has all keys (certfile, keyfile, cafile) which we
- # check above.
- with_items:
- - "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}"
- - "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}"
- - "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}"
-
- - name: Write temporary router certificate file
- copy:
- content: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
- dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
- mode: 0600
-
- - name: Write temporary router key file
- copy:
- content: "{{ (openshift_router_certificate_output.results
- | oo_collect('content', {'source':(openshift_hosted_router_certificate | default({'keyfile':none})).keyfile}))[0] | b64decode }}"
- dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
- mode: 0600
-
- - name: Replace router-certs secret
- shell: >
- {{ openshift.common.client_binary }} secrets new router-certs
- tls.crt="{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
- tls.key="{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
- --type=kubernetes.io/tls
- --config={{ mktemp.stdout }}/admin.kubeconfig
- --confirm
- -o json | {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig replace -f -
+ # When there are no annotations on the router service we will allow
+ # the openshift_hosted role to either create a new wildcard
+ # certificate (since we deleted the original) or reapply a custom
+ # openshift_hosted_router_certificate.
+ - file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/origin/master/openshift-router.crt
+ - /etc/origin/master/openshift-router.key
+ when:
+ - l_router_dc.rc == 0
+ - l_router_svc.rc == 0
+ - ('router-certs' in router_secrets)
+ - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
+ - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations
- - name: Remove temporary router certificate and key files
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
- - "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
- when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is defined
+ - include_role:
+ name: openshift_hosted
+ tasks_from: main
+ vars:
+ openshift_hosted_manage_registry: false
+ when:
+ - l_router_dc.rc == 0
+ - l_router_svc.rc == 0
+ - ('router-certs' in router_secrets)
+ - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
+ - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations
- name: Redeploy router
command: >
{{ openshift.common.client_binary }} deploy dc/router
--latest
- --config={{ mktemp.stdout }}/admin.kubeconfig
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
-n default
- name: Delete temp directory
file:
- name: "{{ mktemp.stdout }}"
+ name: "{{ router_cert_redeploy_tempdir.stdout }}"
state: absent
changed_when: False
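Review bot: The unnamed `file: state: absent` task that removes `/etc/origin/master/openshift-router.crt` and `.key` and the `include_role: openshift_hosted` that follows carry byte-identical five-line `when:` lists; wrapping both in a `block:` with one `when:` keeps the two conditions from drifting, and the `file` task should get a `name:` so the run log shows that router key material is being deleted. The key and certificate are removed before the role regenerates them, so a failure inside `openshift_hosted` leaves the master without router cert files; I cannot see the role from this hunk, so please confirm it recovers cleanly from that half-done state, or move the deletion after the role has produced replacements. The enclosing play starts outside the hunk.
```yaml
      # … unchanged: service-signer annotation block …
      # When there are no annotations on the router service we will allow
      # the openshift_hosted role to either create a new wildcard
      # certificate (since we deleted the original) or reapply a custom
      # openshift_hosted_router_certificate.
      - block:
        - name: Remove previous router certificate and key so openshift_hosted regenerates them
          file:
            path: "{{ item }}"
            state: absent
          with_items:
          - /etc/origin/master/openshift-router.crt
          - /etc/origin/master/openshift-router.key
        - include_role:
            name: openshift_hosted
            tasks_from: main
          vars:
            openshift_hosted_manage_registry: false
        when:
        - l_router_dc.rc == 0
        - l_router_svc.rc == 0
        - ('router-certs' in router_secrets)
        - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
        - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations
      # … unchanged: Redeploy router, Delete temp directory …
```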
diff --git a/playbooks/common/openshift-cluster/upgrades/init.yml b/playbooks/common/openshift-cluster/upgrades/init.yml
index c98065cf4..2826951e6 100644
--- a/playbooks/common/openshift-cluster/upgrades/init.yml
+++ b/playbooks/common/openshift-cluster/upgrades/init.yml
@@ -5,8 +5,6 @@
g_new_master_hosts: []
g_new_node_hosts: []
-- include: ../initialize_oo_option_facts.yml
-
- include: ../initialize_facts.yml
- name: Ensure firewall is not switched during upgrade
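Review bot: Dropping `include: ../initialize_oo_option_facts.yml` from the upgrade init path is only safe if nothing on the upgrade path still calls `lookup('oo_option', ...)`; the `openshift-master/config.yml` hunks on this page remove such lookups from the install path, but the upgrade playbooks themselves are not covered here. A grep for `oo_option` under `playbooks/common/openshift-cluster/upgrades` before merging would confirm there are no remaining callers that would now fail at runtime. The play list continues outside the hunk.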
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml
index 5fee56615..6cdea7b84 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml
@@ -55,6 +55,10 @@
tags:
- pre_upgrade
+- include: ../pre/verify_control_plane_running.yml
+ tags:
+ - pre_upgrade
+
- include: ../disable_master_excluders.yml
tags:
- pre_upgrade
@@ -75,10 +79,6 @@
# docker is configured and running.
skip_docker_role: True
-- include: ../pre/verify_control_plane_running.yml
- tags:
- - pre_upgrade
-
- include: ../../../openshift-master/validate_restart.yml
tags:
- pre_upgrade
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
index 7c72564b6..8ab68002d 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
@@ -55,6 +55,14 @@
tags:
- pre_upgrade
+- include: ../pre/verify_health_checks.yml
+ tags:
+ - pre_upgrade
+
+- include: ../pre/verify_control_plane_running.yml
+ tags:
+ - pre_upgrade
+
- include: ../disable_master_excluders.yml
tags:
- pre_upgrade
@@ -75,14 +83,6 @@
# docker is configured and running.
skip_docker_role: True
-- include: ../pre/verify_health_checks.yml
- tags:
- - pre_upgrade
-
-- include: ../pre/verify_control_plane_running.yml
- tags:
- - pre_upgrade
-
- include: ../../../openshift-master/validate_restart.yml
tags:
- pre_upgrade
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml
index 6c1c7c921..ba6fcc3f8 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml
@@ -48,6 +48,10 @@
tags:
- pre_upgrade
+- include: ../pre/verify_health_checks.yml
+ tags:
+ - pre_upgrade
+
- include: ../disable_node_excluders.yml
tags:
- pre_upgrade
@@ -68,10 +72,6 @@
# docker is configured and running.
skip_docker_role: True
-- include: ../pre/verify_health_checks.yml
- tags:
- - pre_upgrade
-
- name: Verify masters are already upgraded
hosts: oo_masters_to_config
tags:
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
index 87621dc85..f1ca1edb9 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
@@ -21,6 +21,10 @@
tags:
- pre_upgrade
+- include: ../pre/verify_etcd3_backend.yml
+ tags:
+ - pre_upgrade
+
- name: Update repos and initialize facts on all hosts
hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config:oo_lb_to_config
tags:
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
index 6cd3bd3e5..82faf743e 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
@@ -59,6 +59,14 @@
tags:
- pre_upgrade
+- include: ../pre/verify_health_checks.yml
+ tags:
+ - pre_upgrade
+
+- include: ../pre/verify_control_plane_running.yml
+ tags:
+ - pre_upgrade
+
- include: ../disable_master_excluders.yml
tags:
- pre_upgrade
@@ -79,14 +87,6 @@
# docker is configured and running.
skip_docker_role: True
-- include: ../pre/verify_health_checks.yml
- tags:
- - pre_upgrade
-
-- include: ../pre/verify_control_plane_running.yml
- tags:
- - pre_upgrade
-
- include: ../../../openshift-master/validate_restart.yml
tags:
- pre_upgrade
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml
index e5e04e643..bc080f9a3 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml
@@ -48,6 +48,10 @@
tags:
- pre_upgrade
+- include: ../pre/verify_health_checks.yml
+ tags:
+ - pre_upgrade
+
- include: ../disable_node_excluders.yml
tags:
- pre_upgrade
@@ -68,10 +72,6 @@
# docker is configured and running.
skip_docker_role: True
-- include: ../pre/verify_health_checks.yml
- tags:
- - pre_upgrade
-
- name: Verify masters are already upgraded
hosts: oo_masters_to_config
tags:
diff --git a/playbooks/common/openshift-etcd/ca.yml b/playbooks/common/openshift-etcd/ca.yml
new file mode 100644
index 000000000..ac5543be9
--- /dev/null
+++ b/playbooks/common/openshift-etcd/ca.yml
@@ -0,0 +1,15 @@
+---
+- name: Generate new etcd CA
+ hosts: oo_first_etcd
+ roles:
+ - role: openshift_etcd_facts
+ tasks:
+ - include_role:
+ name: etcd
+ tasks_from: ca
+ vars:
+ etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ when:
+ - etcd_ca_setup | default(True) | bool
diff --git a/playbooks/common/openshift-etcd/certificates.yml b/playbooks/common/openshift-etcd/certificates.yml
new file mode 100644
index 000000000..31a0f50d8
--- /dev/null
+++ b/playbooks/common/openshift-etcd/certificates.yml
@@ -0,0 +1,29 @@
+---
+- name: Create etcd server certificates for etcd hosts
+ hosts: oo_etcd_to_config
+ any_errors_fatal: true
+ roles:
+ - role: openshift_etcd_facts
+ post_tasks:
+ - include_role:
+ name: etcd
+ tasks_from: server_certificates
+ vars:
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+
+- name: Create etcd client certificates for master hosts
+ hosts: oo_masters_to_config
+ any_errors_fatal: true
+ roles:
+ - role: openshift_etcd_facts
+ - role: openshift_etcd_client_certificates
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+ etcd_cert_prefix: "master.etcd-"
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+ when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
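Review bot: The first play runs `include_role: etcd` / `tasks_from: server_certificates` from `post_tasks:`, while the new `openshift-etcd/ca.yml` on this page uses `tasks:` for the same pattern; the two behave identically here because neither play has `tasks:`, but one convention would keep the certificate playbooks uniform. The master-side play guards `openshift_etcd_client_certificates` with `when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config`, yet the first play dereferences `groups.oo_etcd_to_config.0` with no default; that works only because `hosts: oo_etcd_to_config` means the play never runs with an empty group, which is worth stating: `# hosts restricts this play to oo_etcd_to_config, so the group is non-empty here`.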
diff --git a/playbooks/common/openshift-etcd/scaleup.yml b/playbooks/common/openshift-etcd/scaleup.yml
index 4f83264d0..8aa508119 100644
--- a/playbooks/common/openshift-etcd/scaleup.yml
+++ b/playbooks/common/openshift-etcd/scaleup.yml
@@ -30,6 +30,13 @@
retries: 3
delay: 10
until: etcd_add_check.rc == 0
+ - include_role:
+ name: etcd
+ tasks_from: server_certificates
+ vars:
+ etcd_peers: "{{ groups.oo_new_etcd_to_config | default([], true) }}"
+ etcd_certificates_etcd_hosts: "{{ groups.oo_new_etcd_to_config | default([], true) }}"
+ r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
roles:
- role: os_firewall
when: etcd_add_check.rc == 0
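Review bot: The added `include_role: etcd` / `tasks_from: server_certificates` passes `etcd_peers` and `etcd_certificates_etcd_hosts` but not `etcd_ca_host`, which both other callers of this task file on this page (`openshift-etcd/ca.yml` and `openshift-etcd/certificates.yml`) set to `groups.oo_etcd_to_config.0`. If the role default does not resolve to the existing cluster's CA host, the new member's server certificate would be issued by a CA the running peers do not trust, so either pass `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` here too or add a comment naming where the value comes from. The enclosing play starts before the hunk.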
diff --git a/playbooks/common/openshift-master/ca.yml b/playbooks/common/openshift-master/ca.yml
new file mode 100644
index 000000000..5bb796fa3
--- /dev/null
+++ b/playbooks/common/openshift-master/ca.yml
@@ -0,0 +1,8 @@
+---
+- name: Create OpenShift CA
+ hosts: oo_masters_to_config
+ roles:
+ - role: openshift_master_facts
+ - role: openshift_named_certificates
+ - role: openshift_ca
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
diff --git a/playbooks/common/openshift-master/certificates.yml b/playbooks/common/openshift-master/certificates.yml
new file mode 100644
index 000000000..f6afbc36f
--- /dev/null
+++ b/playbooks/common/openshift-master/certificates.yml
@@ -0,0 +1,14 @@
+---
+- name: Create OpenShift certificates for master hosts
+ hosts: oo_masters_to_config
+ vars:
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ roles:
+ - role: openshift_master_facts
+ - role: openshift_named_certificates
+ - role: openshift_ca
+ - role: openshift_master_certificates
+ openshift_master_etcd_hosts: "{{ hostvars
+ | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
+ | oo_collect('openshift.common.hostname')
+ | default(none, true) }}"
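Review bot: The `openshift_master_etcd_hosts` filter chain on the `openshift_master_certificates` role entry duplicates the one that remains in `openshift-master/config.yml` (visible in that file's hunk on this page); two copies of the same `hostvars` expression tend to drift, so computing it once in an earlier `set_fact` or a shared vars file would be preferable. `openshift_ca` is listed here and again in the new `openshift-master/ca.yml`; if that is deliberate because the role is idempotent, a comment such as `# openshift_ca is idempotent; ca.yml also runs it` would stop a future reader from removing one of the two.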
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 38257b803..766e0e501 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -20,9 +20,6 @@
- name: Gather and set facts for master hosts
hosts: oo_masters_to_config
- vars:
- t_oo_option_master_debug_level: "{{ lookup('oo_option', 'openshift_master_debug_level') }}"
-
pre_tasks:
# Per https://bugzilla.redhat.com/show_bug.cgi?id=1469336
#
@@ -55,33 +52,12 @@
- .config_managed
- set_fact:
- openshift_master_pod_eviction_timeout: "{{ lookup('oo_option', 'openshift_master_pod_eviction_timeout') | default(none, true) }}"
- when: openshift_master_pod_eviction_timeout is not defined
-
- - set_fact:
openshift_master_etcd_port: "{{ (etcd_client_port | default('2379')) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else none }}"
openshift_master_etcd_hosts: "{{ hostvars
| oo_select_keys(groups['oo_etcd_to_config']
| default([]))
| oo_collect('openshift.common.hostname')
| default(none, true) }}"
-
- - set_fact:
- openshift_master_debug_level: "{{ t_oo_option_master_debug_level }}"
- when: openshift_master_debug_level is not defined and t_oo_option_master_debug_level != ""
-
- - set_fact:
- openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
- when: openshift_master_default_subdomain is not defined
- - set_fact:
- openshift_hosted_metrics_deploy: "{{ lookup('oo_option', 'openshift_hosted_metrics_deploy') | default(false, true) }}"
- when: openshift_hosted_metrics_deploy is not defined
- - set_fact:
- openshift_hosted_metrics_duration: "{{ lookup('oo_option', 'openshift_hosted_metrics_duration') | default(7) }}"
- when: openshift_hosted_metrics_duration is not defined
- - set_fact:
- openshift_hosted_metrics_resolution: "{{ lookup('oo_option', 'openshift_hosted_metrics_resolution') | default('10s', true) }}"
- when: openshift_hosted_metrics_resolution is not defined
roles:
- openshift_facts
post_tasks:
@@ -204,15 +180,6 @@
- role: os_firewall
- role: openshift_master_facts
- role: openshift_hosted_facts
- - role: openshift_master_certificates
- - role: openshift_etcd_facts
- - role: openshift_etcd_client_certificates
- etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
- etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
- etcd_cert_prefix: "master.etcd-"
- r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- when: groups.oo_etcd_to_config | default([]) | length != 0
- role: openshift_clock
- role: openshift_cloud_provider
- role: openshift_builddefaults
diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml
index 8c366e038..d007fac85 100644
--- a/playbooks/common/openshift-master/scaleup.yml
+++ b/playbooks/common/openshift-master/scaleup.yml
@@ -45,8 +45,14 @@
- include: ../openshift-master/set_network_facts.yml
+- include: ../openshift-etcd/certificates.yml
+
+- include: ../openshift-master/certificates.yml
+
- include: ../openshift-master/config.yml
- include: ../openshift-loadbalancer/config.yml
+- include: ../openshift-node/certificates.yml
+
- include: ../openshift-node/config.yml
diff --git a/playbooks/common/openshift-node/additional_config.yml b/playbooks/common/openshift-node/additional_config.yml
new file mode 100644
index 000000000..fe51ef833
--- /dev/null
+++ b/playbooks/common/openshift-node/additional_config.yml
@@ -0,0 +1,52 @@
+---
+- name: create additional node network plugin groups
+ hosts: "{{ openshift_node_scale_up_group | default('oo_nodes_to_config') }}"
+ tasks:
+ # Creating these node groups will prevent a ton of skipped tasks.
+ # Create group for flannel nodes
+ - group_by:
+ key: oo_nodes_use_{{ (openshift_use_flannel | default(False)) | ternary('flannel','nothing') }}
+ changed_when: False
+ # Create group for calico nodes
+ - group_by:
+ key: oo_nodes_use_{{ (openshift_use_calico | default(False)) | ternary('calico','nothing') }}
+ changed_when: False
+ # Create group for nuage nodes
+ - group_by:
+ key: oo_nodes_use_{{ (openshift_use_nuage | default(False)) | ternary('nuage','nothing') }}
+ changed_when: False
+ # Create group for contiv nodes
+ - group_by:
+ key: oo_nodes_use_{{ (openshift_use_contiv | default(False)) | ternary('contiv','nothing') }}
+ changed_when: False
+
+- include: etcd_client_config.yml
+ vars:
+ openshift_node_scale_up_group: "oo_nodes_use_flannel:oo_nodes_use_calico:oo_nodes_use_contiv"
+
+- name: Additional node config
+ hosts: oo_nodes_use_flannel
+ roles:
+ - role: flannel
+ etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}"
+ embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
+ when: openshift_use_flannel | default(false) | bool
+
+- name: Additional node config
+ hosts: oo_nodes_use_calico
+ roles:
+ - role: calico
+ when: openshift_use_calico | default(false) | bool
+
+- name: Additional node config
+ hosts: oo_nodes_use_nuage
+ roles:
+ - role: nuage_node
+ when: openshift_use_nuage | default(false) | bool
+
+- name: Additional node config
+ hosts: oo_nodes_use_contiv
+ roles:
+ - role: contiv
+ contiv_role: netplugin
+ when: openshift_use_contiv | default(false) | bool
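Review bot: The `include: etcd_client_config.yml` limits `openshift_etcd_client_certificates` to `oo_nodes_use_flannel:oo_nodes_use_calico:oo_nodes_use_contiv`, whereas the play removed from `openshift-node/config.yml` issued `flannel.etcd-*` client certificates to every node in `oo_nodes_to_config`. Issuing etcd client credentials only to nodes whose network plugin needs them is a sensible least-privilege narrowing, but it is a behaviour change and nuage is left out; a comment on the include stating that this is intended, e.g. `# Only plugins that talk to etcd directly receive etcd client certs`, would make the intent explicit. The four plays are all named `Additional node config`, which makes run output hard to follow; naming them per plugin (`Additional node config (flannel)` and so on) costs nothing.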
diff --git a/playbooks/common/openshift-node/certificates.yml b/playbooks/common/openshift-node/certificates.yml
new file mode 100644
index 000000000..908885ee6
--- /dev/null
+++ b/playbooks/common/openshift-node/certificates.yml
@@ -0,0 +1,8 @@
+---
+- name: Create OpenShift certificates for node hosts
+ hosts: oo_nodes_to_config
+ gather_facts: no
+ roles:
+ - role: openshift_node_certificates
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ when: not openshift_node_bootstrap | default(false) | bool
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 15693e633..6fd8aa6f1 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -10,106 +10,17 @@
installer_phase_node: "In Progress"
aggregate: false
-- name: Disable excluders
- hosts: oo_nodes_to_config
- gather_facts: no
- roles:
- - role: openshift_excluder
- r_openshift_excluder_action: disable
- r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
+- include: setup.yml
-- name: Evaluate node groups
- hosts: localhost
- become: no
- connection: local
- tasks:
- - name: Evaluate oo_containerized_master_nodes
- add_host:
- name: "{{ item }}"
- groups: oo_containerized_master_nodes
- ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
- ansible_become: "{{ g_sudo | default(omit) }}"
- with_items: "{{ groups.oo_nodes_to_config | default([]) }}"
- when:
- - hostvars[item].openshift is defined
- - hostvars[item].openshift.common is defined
- - hostvars[item].openshift.common.is_containerized | bool
- - (item in groups.oo_nodes_to_config and item in groups.oo_masters_to_config)
- changed_when: False
+- include: containerized_nodes.yml
-- name: Configure containerized nodes
- hosts: oo_containerized_master_nodes
- serial: 1
- vars:
- openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
- openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}"
- openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
- openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
- | union(groups['oo_masters_to_config'])
- | union(groups['oo_etcd_to_config'] | default([])))
- | oo_collect('openshift.common.hostname') | default([]) | join (',')
- }}"
+- include: configure_nodes.yml
- roles:
- - role: os_firewall
- - role: openshift_node
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+- include: additional_config.yml
-- name: Configure nodes
- hosts: oo_nodes_to_config:!oo_containerized_master_nodes
- vars:
- openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
- openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}"
- openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
- openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
- | union(groups['oo_masters_to_config'])
- | union(groups['oo_etcd_to_config'] | default([])))
- | oo_collect('openshift.common.hostname') | default([]) | join (',')
- }}"
- roles:
- - role: os_firewall
- - role: openshift_node
- openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-
-- name: Additional node config
- hosts: oo_nodes_to_config
- vars:
- openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
- roles:
- - role: openshift_facts
- - role: openshift_etcd_facts
- - role: openshift_etcd_client_certificates
- etcd_cert_prefix: flannel.etcd-
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}"
- etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
- - role: flannel
- etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}"
- embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
- when: openshift_use_flannel | default(false) | bool
- - role: calico
- when: openshift_use_calico | default(false) | bool
- - role: nuage_node
- when: openshift_use_nuage | default(false) | bool
- - role: contiv
- contiv_role: netplugin
- when: openshift_use_contiv | default(false) | bool
- - role: nickhammond.logrotate
- - role: openshift_manage_node
- openshift_master_host: "{{ groups.oo_first_master.0 }}"
- when: not openshift_node_bootstrap | default(False)
- tasks:
- - name: Create group for deployment type
- group_by: key=oo_nodes_deployment_type_{{ openshift.common.deployment_type }}
- changed_when: False
+- include: manage_node.yml
-- name: Re-enable excluder if it was previously enabled
- hosts: oo_nodes_to_config
- gather_facts: no
- roles:
- - role: openshift_excluder
- r_openshift_excluder_action: enable
- r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
+- include: enable_excluders.yml
- name: Node Install Checkpoint End
hosts: localhost
diff --git a/playbooks/common/openshift-node/configure_nodes.yml b/playbooks/common/openshift-node/configure_nodes.yml
new file mode 100644
index 000000000..c96e4921c
--- /dev/null
+++ b/playbooks/common/openshift-node/configure_nodes.yml
@@ -0,0 +1,16 @@
+---
+- name: Configure nodes
+ hosts: oo_nodes_to_config:!oo_containerized_master_nodes
+ vars:
+ openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
+ openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}"
+ openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+ openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
+ | union(groups['oo_masters_to_config'])
+ | union(groups['oo_etcd_to_config'] | default([])))
+ | oo_collect('openshift.common.hostname') | default([]) | join (',')
+ }}"
+ roles:
+ - role: os_firewall
+ - role: openshift_node
+ - role: nickhammond.logrotate
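Review bot: The `openshift_node` role entry here carries no `openshift_ca_host`, while the parallel new `openshift-node/containerized_nodes.yml` passes `openshift_ca_host: "{{ groups.oo_first_master.0 }}"` on the same role and the removed `Configure nodes` play also set it. If the role no longer needs it now that certificate creation lives in `openshift-node/certificates.yml`, drop it from the containerized play as well; otherwise add it here so both node flavours resolve the CA the same way. The `openshift_no_proxy_internal_hostnames` expression is repeated verbatim in both files and could move to a shared vars file.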
diff --git a/playbooks/common/openshift-node/containerized_nodes.yml b/playbooks/common/openshift-node/containerized_nodes.yml
new file mode 100644
index 000000000..6fac937e3
--- /dev/null
+++ b/playbooks/common/openshift-node/containerized_nodes.yml
@@ -0,0 +1,19 @@
+---
+- name: Configure containerized nodes
+ hosts: oo_containerized_master_nodes
+ serial: 1
+ vars:
+ openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
+ openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}"
+ openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+ openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
+ | union(groups['oo_masters_to_config'])
+ | union(groups['oo_etcd_to_config'] | default([])))
+ | oo_collect('openshift.common.hostname') | default([]) | join (',')
+ }}"
+
+ roles:
+ - role: os_firewall
+ - role: openshift_node
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ - role: nickhammond.logrotate
diff --git a/playbooks/common/openshift-node/enable_excluders.yml b/playbooks/common/openshift-node/enable_excluders.yml
new file mode 100644
index 000000000..5288b14f9
--- /dev/null
+++ b/playbooks/common/openshift-node/enable_excluders.yml
@@ -0,0 +1,8 @@
+---
+- name: Re-enable excluder if it was previously enabled
+ hosts: oo_nodes_to_config
+ gather_facts: no
+ roles:
+ - role: openshift_excluder
+ r_openshift_excluder_action: enable
+ r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
diff --git a/playbooks/common/openshift-node/etcd_client_config.yml b/playbooks/common/openshift-node/etcd_client_config.yml
new file mode 100644
index 000000000..c3fa38a81
--- /dev/null
+++ b/playbooks/common/openshift-node/etcd_client_config.yml
@@ -0,0 +1,11 @@
+---
+- name: etcd_client node config
+ hosts: "{{ openshift_node_scale_up_group | default('this_group_does_not_exist') }}"
+ roles:
+ - role: openshift_facts
+ - role: openshift_etcd_facts
+ - role: openshift_etcd_client_certificates
+ etcd_cert_prefix: flannel.etcd-
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}"
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
diff --git a/playbooks/common/openshift-node/manage_node.yml b/playbooks/common/openshift-node/manage_node.yml
new file mode 100644
index 000000000..f48a19a9c
--- /dev/null
+++ b/playbooks/common/openshift-node/manage_node.yml
@@ -0,0 +1,12 @@
+---
+- name: Additional node config
+ hosts: "{{ openshift_node_scale_up_group | default('oo_nodes_to_config') }}"
+ vars:
+ openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
+ roles:
+ - role: openshift_manage_node
+ openshift_master_host: "{{ groups.oo_first_master.0 }}"
+ tasks:
+ - name: Create group for deployment type
+ group_by: key=oo_nodes_deployment_type_{{ openshift.common.deployment_type }}
+ changed_when: False
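Review bot: The `openshift_manage_node` role entry has lost the `when: not openshift_node_bootstrap | default(False)` guard that the removed `Additional node config` play in `openshift-node/config.yml` applied to it, so the role now also runs on bootstrap nodes. Unless the role skips bootstrap hosts internally (not visible here), restore the guard as `when: not openshift_node_bootstrap | default(False) | bool`, matching the form used in the new `openshift-node/certificates.yml`.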
diff --git a/playbooks/common/openshift-node/setup.yml b/playbooks/common/openshift-node/setup.yml
new file mode 100644
index 000000000..794c03a67
--- /dev/null
+++ b/playbooks/common/openshift-node/setup.yml
@@ -0,0 +1,27 @@
+---
+- name: Disable excluders
+ hosts: oo_nodes_to_config
+ gather_facts: no
+ roles:
+ - role: openshift_excluder
+ r_openshift_excluder_action: disable
+ r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
+
+- name: Evaluate node groups
+ hosts: localhost
+ become: no
+ connection: local
+ tasks:
+ - name: Evaluate oo_containerized_master_nodes
+ add_host:
+ name: "{{ item }}"
+ groups: oo_containerized_master_nodes
+ ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
+ ansible_become: "{{ g_sudo | default(omit) }}"
+ with_items: "{{ groups.oo_nodes_to_config | default([]) }}"
+ when:
+ - hostvars[item].openshift is defined
+ - hostvars[item].openshift.common is defined
+ - hostvars[item].openshift.common.is_containerized | bool
+ - (item in groups.oo_nodes_to_config and item in groups.oo_masters_to_config)
+ changed_when: False
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index f643d292d..3e69af314 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -1,6 +1,4 @@
---
-- include: server_certificates.yml
-
- name: Set hostname and ip facts
set_fact:
# Store etcd_hostname and etcd_ip such that they will be available
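Review bot: Removing the `include: server_certificates.yml` leaves the etcd role with no statement or check that its server certificates have already been generated, so a playbook that applies the role without first running the separate certificates play will only fail later, when etcd tries to use missing files. The same move is made elsewhere in this commit: roles/openshift_ca/meta/main.yml drops openshift_named_certificates, roles/openshift_master_certificates/meta/main.yml and roles/openshift_node_certificates/meta/main.yml become `dependencies: []`, and roles/openshift_node/meta/main.yml drops openshift_node_certificates, so play ordering in the calling playbooks is now the only thing sequencing certificate generation before the roles that consume the certificates. None of those files records that contract. A one-line comment at the top of each, e.g. `# No role dependency on certificate generation: the calling playbook must run the certificates play before this role.`, would make a misordered playbook easy to diagnose; the rest of this task file is outside the hunk.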
diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml
index 4d88db037..ca39c1aec 100644
--- a/roles/openshift_aws/defaults/main.yml
+++ b/roles/openshift_aws/defaults/main.yml
@@ -17,7 +17,6 @@ openshift_aws_build_ami_group: "{{ openshift_aws_clusterid }}"
openshift_aws_iam_cert_name: "{{ openshift_aws_clusterid }}-master-external"
openshift_aws_iam_cert_path: ''
-openshift_aws_iam_cert_chain_path: ''
openshift_aws_iam_cert_key_path: ''
openshift_aws_scale_group_name: "{{ openshift_aws_clusterid }} openshift {{ openshift_aws_node_group_type }}"
diff --git a/roles/openshift_aws/tasks/elb.yml b/roles/openshift_aws/tasks/elb.yml
index a1fdd66fc..7bc3184df 100644
--- a/roles/openshift_aws/tasks/elb.yml
+++ b/roles/openshift_aws/tasks/elb.yml
@@ -29,9 +29,9 @@
if 'master' in openshift_aws_node_group_type or 'infra' in openshift_aws_node_group_type
else openshift_aws_elb_listeners }}"
-- name: "Create ELB {{ openshift_aws_elb_name }}"
+- name: "Create ELB {{ l_openshift_aws_elb_name }}"
ec2_elb_lb:
- name: "{{ openshift_aws_elb_name }}"
+ name: "{{ l_openshift_aws_elb_name }}"
state: present
security_group_names: "{{ openshift_aws_elb_security_groups }}"
idle_timeout: "{{ openshift_aws_elb_idle_timout }}"
@@ -49,10 +49,10 @@
# It is necessary to ignore_errors here because the instances are not in 'ready'
# state when first added to ELB
-- name: "Add instances to ELB {{ openshift_aws_elb_name }}"
+- name: "Add instances to ELB {{ l_openshift_aws_elb_name }}"
ec2_elb:
instance_id: "{{ item.id }}"
- ec2_elbs: "{{ openshift_aws_elb_name }}"
+ ec2_elbs: "{{ l_openshift_aws_elb_name }}"
state: present
region: "{{ openshift_aws_region }}"
wait: False
diff --git a/roles/openshift_aws/tasks/iam_cert.yml b/roles/openshift_aws/tasks/iam_cert.yml
index cd9772a25..f74a62b8b 100644
--- a/roles/openshift_aws/tasks/iam_cert.yml
+++ b/roles/openshift_aws/tasks/iam_cert.yml
@@ -11,17 +11,23 @@
- "'failed' in elb_cert_chain"
- elb_cert_chain.failed
- "'msg' in elb_cert_chain"
- - "'already exists and has a different certificate body' in elb_cert_chain.msg"
- - "'BotoServerError' in elb_cert_chain.msg"
+ - "'already exists and has a different certificate body' in elb_cert_chain.msg or 'BotoServerError' in elb_cert_chain.msg or 'Traceback' in elb_cert_chain.msg.module_stderr"
when:
- openshift_aws_create_iam_cert | bool
- openshift_aws_iam_cert_path != ''
- openshift_aws_iam_cert_key_path != ''
- openshift_aws_elb_cert_arn == ''
+- debug: msg="{{ elb_cert_chain }}"
+
- name: set_fact openshift_aws_elb_cert_arn
set_fact:
openshift_aws_elb_cert_arn: "{{ elb_cert_chain.arn }}"
+ when:
+ - openshift_aws_create_iam_cert | bool
+ - openshift_aws_iam_cert_path != ''
+ - openshift_aws_iam_cert_key_path != ''
+ - openshift_aws_elb_cert_arn == ''
- name: wait for cert to propagate
pause:
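Review bot: The new `- debug: msg="{{ elb_cert_chain }}"` prints the entire registered result of the IAM certificate upload to the play output; if the task that registered it (outside this hunk) passes private-key material to the module and is not `no_log`, that result's `invocation.module_args` carries the key, which then lands in console output and any log aggregation. Printing only what is needed, `- debug: var=elb_cert_chain.arn` (optionally with `verbosity: 2`), avoids that. Separately, the merged condition on the first added line ends with `'Traceback' in elb_cert_chain.msg.module_stderr`, yet the same line treats `elb_cert_chain.msg` as a string (`'BotoServerError' in elb_cert_chain.msg`); `module_stderr` is normally a top-level key of a module result, so when neither of the first two substrings matches, Jinja will evaluate an attribute of a string and the condition itself errors rather than evaluating to false — `elb_cert_chain.module_stderr | default('')` is probably what was meant, to be confirmed against the module's actual failure output. Note also that the old list form was AND-ed (both substrings required) while the new single expression is OR-ed, which widens when the task is considered failed; if that widening is intended, a comment saying so would help.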
diff --git a/roles/openshift_aws/tasks/provision.yml b/roles/openshift_aws/tasks/provision.yml
index 189caeaee..a2920b744 100644
--- a/roles/openshift_aws/tasks/provision.yml
+++ b/roles/openshift_aws/tasks/provision.yml
@@ -34,14 +34,14 @@
include: elb.yml
vars:
openshift_aws_elb_direction: internal
- openshift_aws_elb_name: "{{ openshift_aws_clusterid }}-{{openshift_aws_node_group_type }}-internal"
+ l_openshift_aws_elb_name: "{{ openshift_aws_elb_name }}-internal"
openshift_aws_elb_scheme: internal
- name: create our master external load balancers
include: elb.yml
vars:
openshift_aws_elb_direction: external
- openshift_aws_elb_name: "{{ openshift_aws_clusterid }}-{{openshift_aws_node_group_type }}-external"
+ l_openshift_aws_elb_name: "{{ openshift_aws_elb_name }}-external"
openshift_aws_elb_scheme: internet-facing
- name: wait for ssh to become available
diff --git a/roles/openshift_ca/defaults/main.yml b/roles/openshift_ca/defaults/main.yml
index ecfcc88b3..742b15df4 100644
--- a/roles/openshift_ca/defaults/main.yml
+++ b/roles/openshift_ca/defaults/main.yml
@@ -1,3 +1,11 @@
---
openshift_ca_cert_expire_days: 1825
openshift_master_cert_expire_days: 730
+
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_master_loopback_config: "{{ openshift_ca_config_dir }}/openshift-master.kubeconfig"
+
+openshift_version: "{{ openshift_pkg_version | default('') }}"
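Review bot: The five defaults added here are the same definitions, word for word, that this commit also adds to roles/openshift_named_certificates/defaults/main.yml, so two roles now own `openshift_ca_config_dir`, `openshift_ca_cert`, `openshift_ca_key`, `openshift_ca_serial` and `openshift_version`. Because both are role defaults, the lowest-precedence level, a later edit to one copy will be silently overridden or not depending on which role Ansible loads last. A cross-reference comment above the block, `# Keep in sync with roles/openshift_named_certificates/defaults/main.yml`, in each file, or a single vars file both roles include, would make that coupling visible to the next maintainer.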
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
index dfbdf0cc7..f8b784a63 100644
--- a/roles/openshift_ca/meta/main.yml
+++ b/roles/openshift_ca/meta/main.yml
@@ -14,4 +14,3 @@ galaxy_info:
- system
dependencies:
- role: openshift_cli
-- role: openshift_named_certificates
diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml
index d04c1766d..4d80bf921 100644
--- a/roles/openshift_ca/vars/main.yml
+++ b/roles/openshift_ca/vars/main.yml
@@ -1,9 +1,2 @@
---
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
-
-openshift_master_loopback_config: "{{ openshift_ca_config_dir }}/openshift-master.kubeconfig"
loopback_context_string: "current-context: {{ openshift.master.loopback_context_name }}"
diff --git a/roles/openshift_default_storage_class/README.md b/roles/openshift_default_storage_class/README.md
index 198163127..57e732f37 100644
--- a/roles/openshift_default_storage_class/README.md
+++ b/roles/openshift_default_storage_class/README.md
@@ -1,7 +1,7 @@
openshift_master_storage_class
=========
-A role that deploys configuratons for Openshift StorageClass
+A role that deploys configurations for Openshift StorageClass
Requirements
------------
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 11ef9fa97..215ff4b72 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1669,7 +1669,9 @@ def set_container_facts_if_unset(facts):
facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted')
# If openshift_docker_use_system_container is set and is True ....
if 'use_system_container' in list(facts['docker'].keys()):
- if facts['docker']['use_system_container']:
+ # use safe_get_bool as the inventory variable may not be a
+ # valid boolean on it's own.
+ if safe_get_bool(facts['docker']['use_system_container']):
# ... set the service name to container-engine
facts['docker']['service_name'] = 'container-engine'
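Review bot: The new comment has a typo, `on it's own` should be `on its own`, and it states the symptom without the reason: a value that arrives from the inventory as a non-empty string such as `'false'` is truthy under the old `if facts['docker']['use_system_container']:`, which is why the switch to `safe_get_bool` matters. Suggest `# use safe_get_bool: the inventory value may arrive as a string such as 'false', which a plain truth test would treat as True.`; what `safe_get_bool` does with a string it cannot interpret is defined outside the hunk and would be worth naming in the comment too. The enclosing function set_container_facts_if_unset starts before and continues after this hunk.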
diff --git a/roles/openshift_hosted/tasks/router.yml b/roles/openshift_hosted/tasks/router.yml
index 2aeecc943..2aceef9e4 100644
--- a/roles/openshift_hosted/tasks/router.yml
+++ b/roles/openshift_hosted/tasks/router.yml
@@ -52,9 +52,9 @@
certfile: "{{ openshift_master_config_dir ~ '/openshift-router.crt' }}"
keyfile: "{{ openshift_master_config_dir ~ '/openshift-router.key' }}"
cafile: "{{ openshift_master_config_dir ~ '/ca.crt' }}"
-
- # End Block
- when: ( openshift_hosted_router_create_certificate | bool ) and openshift_hosted_router_certificate == {}
+ when:
+ - openshift_hosted_router_create_certificate | bool
+ - openshift_hosted_router_certificate == {}
- name: Create the router service account(s)
oc_serviceaccount:
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md
index 45477f60d..829c78728 100644
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -169,7 +169,7 @@ Elasticsearch OPS too, if using an OPS cluster:
send the raw logs to mux for processing. We do not currently recommend using
this mode, and ansible will warn you about this.
- `openshift_logging_mux_hostname`: Default is "mux." +
- `openshift_master_default_subdomain`. This is the hostname *external*_
+ `openshift_master_default_subdomain`. This is the hostname *external*
clients will use to connect to mux, and will be used in the TLS server cert
subject.
- `openshift_logging_mux_port`: 24284
@@ -201,24 +201,24 @@ Elasticsearch OPS too, if using an OPS cluster:
Defaults to '65534'.
### remote syslog forwarding
-`openshift_logging_fluentd_remote_syslog`: Set `true` to enable remote syslog forwarding, defaults to `false`
-`openshift_logging_fluentd_remote_syslog_host`: Required, hostname or IP of remote syslog server
-`openshift_logging_fluentd_remote_syslog_port`: Port of remote syslog server, defaults to `514`
-`openshift_logging_fluentd_remote_syslog_severity`: Syslog severity level, defaults to `debug`
-`openshift_logging_fluentd_remote_syslog_facility`: Syslog facility, defaults to `local0`
-`openshift_logging_fluentd_remote_syslog_remove_tag_prefix`: Remove the prefix from the tag, defaults to `''` (empty)
-`openshift_logging_fluentd_remote_syslog_tag_key`: If string specified, use this field from the record to set the key field on the syslog message
-`openshift_logging_fluentd_remote_syslog_use_record`: Set `true` to use the severity and facility from the record, defaults to `false`
-`openshift_logging_fluentd_remote_syslog_payload_key`: If string is specified, use this field from the record as the payload on the syslog message
-
-The corresponding openshift_logging_mux_ parameters are below.
-
-`openshift_logging_mux_remote_syslog`: Set `true` to enable remote syslog forwarding, defaults to `false`
-`openshift_logging_mux_remote_syslog_host`: Required, hostname or IP of remote syslog server
-`openshift_logging_mux_remote_syslog_port`: Port of remote syslog server, defaults to `514`
-`openshift_logging_mux_remote_syslog_severity`: Syslog severity level, defaults to `debug`
-`openshift_logging_mux_remote_syslog_facility`: Syslog facility, defaults to `local0`
-`openshift_logging_mux_remote_syslog_remove_tag_prefix`: Remove the prefix from the tag, defaults to `''` (empty)
-`openshift_logging_mux_remote_syslog_tag_key`: If string specified, use this field from the record to set the key field on the syslog message
-`openshift_logging_mux_remote_syslog_use_record`: Set `true` to use the severity and facility from the record, defaults to `false`
-`openshift_logging_mux_remote_syslog_payload_key`: If string is specified, use this field from the record as the payload on the syslog message
+- `openshift_logging_fluentd_remote_syslog`: Set `true` to enable remote syslog forwarding, defaults to `false`
+- `openshift_logging_fluentd_remote_syslog_host`: Required, hostname or IP of remote syslog server
+- `openshift_logging_fluentd_remote_syslog_port`: Port of remote syslog server, defaults to `514`
+- `openshift_logging_fluentd_remote_syslog_severity`: Syslog severity level, defaults to `debug`
+- `openshift_logging_fluentd_remote_syslog_facility`: Syslog facility, defaults to `local0`
+- `openshift_logging_fluentd_remote_syslog_remove_tag_prefix`: Remove the prefix from the tag, defaults to `''` (empty)
+- `openshift_logging_fluentd_remote_syslog_tag_key`: If string specified, use this field from the record to set the key field on the syslog message
+- `openshift_logging_fluentd_remote_syslog_use_record`: Set `true` to use the severity and facility from the record, defaults to `false`
+- `openshift_logging_fluentd_remote_syslog_payload_key`: If string is specified, use this field from the record as the payload on the syslog message
+
+The corresponding openshift\_logging\_mux\_* parameters are below.
+
+- `openshift_logging_mux_remote_syslog`: Set `true` to enable remote syslog forwarding, defaults to `false`
+- `openshift_logging_mux_remote_syslog_host`: Required, hostname or IP of remote syslog server
+- `openshift_logging_mux_remote_syslog_port`: Port of remote syslog server, defaults to `514`
+- `openshift_logging_mux_remote_syslog_severity`: Syslog severity level, defaults to `debug`
+- `openshift_logging_mux_remote_syslog_facility`: Syslog facility, defaults to `local0`
+- `openshift_logging_mux_remote_syslog_remove_tag_prefix`: Remove the prefix from the tag, defaults to `''` (empty)
+- `openshift_logging_mux_remote_syslog_tag_key`: If string specified, use this field from the record to set the key field on the syslog message
+- `openshift_logging_mux_remote_syslog_use_record`: Set `true` to use the severity and facility from the record, defaults to `false`
+- `openshift_logging_mux_remote_syslog_payload_key`: If string is specified, use this field from the record as the payload on the syslog message
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
index 018186e86..300b2cbff 100644
--- a/roles/openshift_master_certificates/meta/main.yml
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -12,6 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- role: openshift_master_facts
-- role: openshift_ca
+dependencies: []
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml
index a80313505..d0dcdae4b 100644
--- a/roles/openshift_master_facts/defaults/main.yml
+++ b/roles/openshift_master_facts/defaults/main.yml
@@ -1,5 +1,5 @@
---
-openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
+openshift_master_default_subdomain: "router.default.svc.cluster.local"
openshift_master_admission_plugin_config:
openshift.io/ImagePolicy:
configuration:
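Review bot: Replacing the lookup, which resolved to `None` when nothing was configured, with the literal `router.default.svc.cluster.local` means `openshift_master_default_subdomain` is now always defined and non-empty, so any task elsewhere that tests it with `is defined` or `default(...)` to decide whether a subdomain was actually supplied will no longer take that branch (inferred; those tasks are not in the hunk). The chosen value is the router service's in-cluster DNS name, so route hostnames derived from it are not resolvable by external clients and a wildcard under it is not served by cluster DNS either, which makes it a placeholder rather than a working default. A comment stating that intent would prevent it being mistaken for a sane production value, e.g. `# Placeholder only: set openshift_master_default_subdomain in the inventory to the wildcard DNS domain that resolves to the routers.`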
diff --git a/roles/openshift_master_facts/lookup_plugins/oo_option.py b/roles/openshift_master_facts/lookup_plugins/oo_option.py
deleted file mode 120000
index 5ae43f8dd..000000000
--- a/roles/openshift_master_facts/lookup_plugins/oo_option.py
+++ /dev/null
@@ -1 +0,0 @@
-../../../lookup_plugins/oo_option.py \ No newline at end of file
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index fa228af2a..a95570d38 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -1,5 +1,4 @@
---
-
# Ensure the default sub-domain is set:
- name: Migrate legacy osm_default_subdomain fact
set_fact:
diff --git a/roles/openshift_named_certificates/defaults/main.yml b/roles/openshift_named_certificates/defaults/main.yml
new file mode 100644
index 000000000..a32e385ec
--- /dev/null
+++ b/roles/openshift_named_certificates/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_named_certificates/vars/main.yml b/roles/openshift_named_certificates/vars/main.yml
index 368e9bdac..7f891441d 100644
--- a/roles/openshift_named_certificates/vars/main.yml
+++ b/roles/openshift_named_certificates/vars/main.yml
@@ -1,10 +1,4 @@
---
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
-
overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}"
named_certs_dir: "{{ openshift.common.config_base }}/master/named_certificates/"
internal_hostnames: "{{ openshift.common.internal_hostnames }}"
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index ed3516d04..1214c08e5 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -31,12 +31,9 @@ openshift_node_ami_prep_packages:
- python-dbus
- PyYAML
- yum-utils
-- python2-boto
-- python2-boto3
- cloud-utils-growpart
# gluster
- glusterfs-fuse
-- heketi-client
# nfs
- nfs-utils
- flannel
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index ce5ecb9d0..5bc7b9869 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -17,7 +17,5 @@ dependencies:
- role: lib_os_firewall
- role: openshift_clock
- role: openshift_docker
-- role: openshift_node_certificates
- when: not openshift_node_bootstrap
- role: openshift_cloud_provider
- role: openshift_node_dnsmasq
diff --git a/roles/openshift_node/tasks/node_system_container.yml b/roles/openshift_node/tasks/node_system_container.yml
index 0ca44c292..20d7a9539 100644
--- a/roles/openshift_node/tasks/node_system_container.yml
+++ b/roles/openshift_node/tasks/node_system_container.yml
@@ -11,4 +11,6 @@
image: "{{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}"
values:
- "DNS_DOMAIN={{ openshift.common.dns_domain }}"
+ - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service"
+ - "MASTER_SERVICE={{ openshift.common.service_type }}.service"
state: latest
diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml
index 3d2831742..de396fb4b 100644
--- a/roles/openshift_node/tasks/registry_auth.yml
+++ b/roles/openshift_node/tasks/registry_auth.yml
@@ -21,4 +21,4 @@
when:
- openshift.common.is_containerized | bool
- oreg_auth_user is defined
- - (node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or oreg_auth_credentials_replace.changed) | bool
+ - (node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or node_oreg_auth_credentials_create.changed) | bool
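Review bot: The same one-line fix is applied to two files with identical old and new blob ids (`3d2831742..de396fb4b` in both headers), roles/openshift_node/tasks/registry_auth.yml here and roles/openshift_node_upgrade/tasks/registry_auth.yml later in the diff; the defect it corrects, `.changed` taken on `oreg_auth_credentials_replace`, which from its use as a bare boolean in the same expression looks like a plain variable rather than a registered result, had to be found and fixed twice, and the next change to either copy is likely to miss the other. Having one role `include` the other's task file, or moving it to a shared role, would remove the duplication; failing that, `# Keep in sync with roles/openshift_node_upgrade/tasks/registry_auth.yml` at the top of each copy. The `when:` list's task starts outside the hunk.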
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
index 93216c1d2..0440bf11a 100644
--- a/roles/openshift_node_certificates/meta/main.yml
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -12,5 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- role: openshift_facts
+dependencies: []
diff --git a/roles/openshift_node_facts/tasks/main.yml b/roles/openshift_node_facts/tasks/main.yml
index fd4c49504..0d5fa664c 100644
--- a/roles/openshift_node_facts/tasks/main.yml
+++ b/roles/openshift_node_facts/tasks/main.yml
@@ -1,10 +1,4 @@
---
-- set_fact:
- openshift_node_debug_level: "{{ lookup('oo_option', 'openshift_node_debug_level') }}"
- when:
- - openshift_node_debug_level is not defined
- - lookup('oo_option', 'openshift_node_debug_level') != ""
-
- name: Set node facts
openshift_facts:
role: "{{ item.role }}"
@@ -20,7 +14,7 @@
debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}"
kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}"
- labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}"
+ labels: "{{ openshift_node_labels | default(None) }}"
registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}"
schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
diff --git a/roles/openshift_node_upgrade/tasks/registry_auth.yml b/roles/openshift_node_upgrade/tasks/registry_auth.yml
index 3d2831742..de396fb4b 100644
--- a/roles/openshift_node_upgrade/tasks/registry_auth.yml
+++ b/roles/openshift_node_upgrade/tasks/registry_auth.yml
@@ -21,4 +21,4 @@
when:
- openshift.common.is_containerized | bool
- oreg_auth_user is defined
- - (node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or oreg_auth_credentials_replace.changed) | bool
+ - (node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or node_oreg_auth_credentials_create.changed) | bool
diff --git a/roles/openshift_repos/templates/CentOS-OpenShift-Origin.repo.j2 b/roles/openshift_repos/templates/CentOS-OpenShift-Origin.repo.j2
index 0e2d57cb6..b0c036e7c 100644
--- a/roles/openshift_repos/templates/CentOS-OpenShift-Origin.repo.j2
+++ b/roles/openshift_repos/templates/CentOS-OpenShift-Origin.repo.j2
@@ -8,7 +8,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
[centos-openshift-origin-testing]
name=CentOS OpenShift Origin Testing
baseurl=http://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin/
-enabled={% if openshift_repos_enable_testing %}1{% else %}0{% endif %}
+enabled={{ 1 if openshift_repos_enable_testing else 0 }}
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/openshift-ansible-CentOS-SIG-PaaS
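Review bot: The rewritten `enabled=` line sits in a testing-repo stanza that still has `gpgcheck=0` next to a `gpgkey` line and a plain-http `baseurl`, so whenever testing is enabled, packages from that channel are installed without signature verification and are fetched over an unauthenticated transport; the same holds for the three sibling template hunks in this commit (Origin14, Origin15, Origin36). If the listed key signs the testing builds, `gpgcheck=1` closes the gap at no cost; if testing builds are unsigned, a comment recording that exception, `# testing builds are unsigned; gpgcheck intentionally disabled`, would at least stop the next reader assuming it was an oversight. Only the `enabled` expression changed here, so the rest of the stanza is as it was before the commit.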
diff --git a/roles/openshift_repos/templates/CentOS-OpenShift-Origin14.repo.j2 b/roles/openshift_repos/templates/CentOS-OpenShift-Origin14.repo.j2
index 2470931e1..97e855d58 100644
--- a/roles/openshift_repos/templates/CentOS-OpenShift-Origin14.repo.j2
+++ b/roles/openshift_repos/templates/CentOS-OpenShift-Origin14.repo.j2
@@ -8,7 +8,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
[centos-openshift-origin14-testing]
name=CentOS OpenShift Origin Testing
baseurl=http://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin14/
-enabled={% if openshift_repos_enable_testing %}1{% else %}0{% endif %}
+enabled={{ 1 if openshift_repos_enable_testing else 0 }}
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
diff --git a/roles/openshift_repos/templates/CentOS-OpenShift-Origin15.repo.j2 b/roles/openshift_repos/templates/CentOS-OpenShift-Origin15.repo.j2
index 901f02cf4..5e756e680 100644
--- a/roles/openshift_repos/templates/CentOS-OpenShift-Origin15.repo.j2
+++ b/roles/openshift_repos/templates/CentOS-OpenShift-Origin15.repo.j2
@@ -8,7 +8,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
[centos-openshift-origin15-testing]
name=CentOS OpenShift Origin Testing
baseurl=http://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin15/
-enabled={% if openshift_repos_enable_testing %}1{% else %}0{% endif %}
+enabled={{ 1 if openshift_repos_enable_testing else 0 }}
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
diff --git a/roles/openshift_repos/templates/CentOS-OpenShift-Origin36.repo.j2 b/roles/openshift_repos/templates/CentOS-OpenShift-Origin36.repo.j2
index abc4ad1b5..7050c95f5 100644
--- a/roles/openshift_repos/templates/CentOS-OpenShift-Origin36.repo.j2
+++ b/roles/openshift_repos/templates/CentOS-OpenShift-Origin36.repo.j2
@@ -8,7 +8,7 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
[centos-openshift-origin36-testing]
name=CentOS OpenShift Origin Testing
baseurl=http://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin36/
-enabled={% if openshift_repos_enable_testing %}1{% else %}0{% endif %}
+enabled={{ 1 if openshift_repos_enable_testing else 0 }}
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
diff --git a/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml b/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml
index 3f6dab78b..51724f979 100644
--- a/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml
+++ b/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml
@@ -18,6 +18,17 @@
node_selector: "{% if glusterfs_use_default_selector %}{{ omit }}{% endif %}"
when: glusterfs_is_native or glusterfs_heketi_is_native or glusterfs_storageclass
+- name: Add namespace service accounts to privileged SCC
+ oc_adm_policy_user:
+ user: "system:serviceaccount:{{ glusterfs_namespace }}:{{ item }}"
+ resource_kind: scc
+ resource_name: privileged
+ state: present
+ with_items:
+ - 'default'
+ - 'router'
+ when: glusterfs_is_native or glusterfs_heketi_is_native
+
- name: Delete pre-existing heketi resources
oc_obj:
namespace: "{{ glusterfs_namespace }}"
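Review bot: Binding the namespace's `default` service account to the `privileged` SCC makes every pod created in `glusterfs_namespace` without an explicit serviceAccountName eligible to run privileged, not only the GlusterFS and heketi pods, and the move into glusterfs_common with the new `when: glusterfs_is_native or glusterfs_heketi_is_native` runs the grant in more cases than the deleted glusterfs_deploy task did without narrowing what it grants. If the pod templates can be pointed at a dedicated service account, granting that account instead of `default` keeps the blast radius to the storage pods; at minimum a comment above the task recording which pods run as `default` and `router` and why they need privileged would let a future reviewer judge whether the grant is still required. The task is self-contained within the hunk.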
diff --git a/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml b/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml
index 8c3e31fc9..932d06038 100644
--- a/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml
+++ b/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml
@@ -55,16 +55,6 @@
- glusterfs_wipe
- item.stdout_lines | count > 0
-- name: Add service accounts to privileged SCC
- oc_adm_policy_user:
- user: "system:serviceaccount:{{ glusterfs_namespace }}:{{ item }}"
- resource_kind: scc
- resource_name: privileged
- state: present
- with_items:
- - 'default'
- - 'router'
-
- name: Label GlusterFS nodes
oc_label:
name: "{{ hostvars[item].openshift.node.nodename }}"
diff --git a/roles/openshift_storage_glusterfs/tasks/heketi_deploy_part2.yml b/roles/openshift_storage_glusterfs/tasks/heketi_deploy_part2.yml
index 54a6dd7c3..074904bec 100644
--- a/roles/openshift_storage_glusterfs/tasks/heketi_deploy_part2.yml
+++ b/roles/openshift_storage_glusterfs/tasks/heketi_deploy_part2.yml
@@ -1,6 +1,6 @@
---
- name: Create heketi DB volume
- command: "{{ glusterfs_heketi_client }} setup-openshift-heketi-storage --listfile /tmp/heketi-storage.json"
+ command: "{{ glusterfs_heketi_client }} setup-openshift-heketi-storage --image {{ glusterfs_heketi_image}}:{{ glusterfs_heketi_version }} --listfile /tmp/heketi-storage.json"
register: setup_storage
- name: Copy heketi-storage list
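Review bot: `{{ glusterfs_heketi_image}}` on the changed command line is missing the space before `}}` that every other expression on the line has; for consistency it should read `--image {{ glusterfs_heketi_image }}:{{ glusterfs_heketi_version }} --listfile /tmp/heketi-storage.json`. Because this is a `command:` string, the expanded image reference is split on whitespace, which is fine for image names but means an empty `glusterfs_heketi_version` would produce a trailing `:` rather than a clear failure; whether those variables are validated earlier is outside the hunk.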
diff --git a/roles/rhel_subscribe/tasks/enterprise.yml b/roles/rhel_subscribe/tasks/enterprise.yml
index 9738929d2..fa74c9953 100644
--- a/roles/rhel_subscribe/tasks/enterprise.yml
+++ b/roles/rhel_subscribe/tasks/enterprise.yml
@@ -7,7 +7,7 @@
when: deployment_type == 'openshift-enterprise'
- set_fact:
- ose_version: "{{ lookup('oo_option', 'ose_version') | default(default_ose_version, True) }}"
+ ose_version: "{{ lookup('env', 'ose_version') | default(default_ose_version, True) }}"
- fail:
msg: "{{ ose_version }} is not a valid version for {{ deployment_type }} deployment type"
diff --git a/roles/rhel_subscribe/tasks/main.yml b/roles/rhel_subscribe/tasks/main.yml
index c43e5513d..b06f51908 100644
--- a/roles/rhel_subscribe/tasks/main.yml
+++ b/roles/rhel_subscribe/tasks/main.yml
@@ -4,10 +4,10 @@
# to make it able to enable repositories
- set_fact:
- rhel_subscription_pool: "{{ lookup('oo_option', 'rhel_subscription_pool') | default(rhsub_pool, True) | default('Red Hat OpenShift Container Platform, Premium*', True) }}"
- rhel_subscription_user: "{{ lookup('oo_option', 'rhel_subscription_user') | default(rhsub_user, True) | default(omit, True) }}"
- rhel_subscription_pass: "{{ lookup('oo_option', 'rhel_subscription_pass') | default(rhsub_pass, True) | default(omit, True) }}"
- rhel_subscription_server: "{{ lookup('oo_option', 'rhel_subscription_server') | default(rhsub_server) }}"
+ rhel_subscription_pool: "{{ lookup('env', 'rhel_subscription_pool') | default(rhsub_pool | default('Red Hat OpenShift Container Platform, Premium*')) }}"
+ rhel_subscription_user: "{{ lookup('env', 'rhel_subscription_user') | default(rhsub_user | default(omit, True)) }}"
+ rhel_subscription_pass: "{{ lookup('env', 'rhel_subscription_pass') | default(rhsub_pass | default(omit, True)) }}"
+ rhel_subscription_server: "{{ lookup('env', 'rhel_subscription_server') | default(rhsub_server | default(omit, True)) }}"
- fail:
msg: "This role is only supported for Red Hat hosts"
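Review bot: The four rewritten expressions drop the `true` second argument to the outer `default`, but `lookup('env', ...)` returns an empty string, not an undefined value, when the variable is unset, so `default(...)` without `true` never fires and each fact is set to `''`; the fallbacks to `rhsub_pool`, `rhsub_user`, `rhsub_pass`, `rhsub_server` and the literal pool name are unreachable, and a user who only sets `rhsub_*` in the inventory gets an empty subscription password. The companion change in roles/rhel_subscribe/tasks/enterprise.yml keeps `default(default_ose_version, True)` and is fine. The same `set_fact` also puts the subscription password into a fact without `no_log`, so it is printed in verbose output; `no_log: true` on the task closes that.
```yaml
- set_fact:
    rhel_subscription_pool: "{{ lookup('env', 'rhel_subscription_pool') | default(rhsub_pool | default('Red Hat OpenShift Container Platform, Premium*'), true) }}"
    rhel_subscription_user: "{{ lookup('env', 'rhel_subscription_user') | default(rhsub_user | default(omit, True), true) }}"
    rhel_subscription_pass: "{{ lookup('env', 'rhel_subscription_pass') | default(rhsub_pass | default(omit, True), true) }}"
    rhel_subscription_server: "{{ lookup('env', 'rhel_subscription_server') | default(rhsub_server | default(omit, True), true) }}"
  # the facts include a credential; keep them out of verbose output
  no_log: true
# … unchanged: fail task for non-Red Hat hosts …
```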
diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml
index a9d22aa06..f5fd6487c 100644
--- a/roles/template_service_broker/tasks/install.yml
+++ b/roles/template_service_broker/tasks/install.yml
@@ -27,6 +27,7 @@
with_items:
- "{{ __tsb_template_file }}"
- "{{ __tsb_rbac_file }}"
+ - "{{ __tsb_broker_file }}"
- name: Apply template file
shell: >
@@ -42,6 +43,33 @@
src: openshift-ansible-catalog-console.js
dest: /etc/origin/master/openshift-ansible-catalog-console.js
+# Check that the TSB is running
+- name: Verify that TSB is running
+ command: >
+ curl -k https://apiserver.openshift-template-service-broker.svc/healthz
+ args:
+ # Disables the following warning:
+ # Consider using get_url or uri module rather than running curl
+ warn: no
+ register: api_health
+ until: api_health.stdout == 'ok'
+ retries: 120
+ delay: 1
+ changed_when: false
+
+- set_fact:
+ openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+ when: openshift_master_config_dir is undefined
+
+- slurp:
+ src: "{{ openshift_master_config_dir }}/ca.crt"
+ register: __ca_bundle
+
+# Register with broker
+- name: Register TSB with broker
+ shell: >
+ oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" --param CA_BUNDLE="{{ __ca_bundle.content }}" | oc apply -f -
+
- file:
state: absent
name: "{{ mktemp.stdout }}"
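Review bot: The new health probe runs `curl -k`, which disables certificate verification for the TSB endpoint; for a readiness poll the exposure is limited, but nothing records that the choice is deliberate, and the play reads the master `ca.crt` two tasks later, so a CA bundle is at hand — although the TSB's serving certificate may be issued by the service-signing CA rather than the master CA, so which bundle actually verifies it needs to be confirmed. Using the `uri` module with `validate_certs` and `status_code` would also remove the `warn: no` workaround. If `-k` stays, a comment on the task such as `# -k: verification deliberately skipped for this liveness-only probe; the registration below uses the slurped CA bundle` would make the intent explicit.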
diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml
index 207dd9bdb..f3afe65ed 100644
--- a/roles/template_service_broker/tasks/remove.yml
+++ b/roles/template_service_broker/tasks/remove.yml
@@ -6,11 +6,18 @@
- copy:
src: "{{ __tsb_files_location }}/{{ item }}"
- dest: "{{ mktemp.stdout }}/{{ __tsb_template_file }}"
+ dest: "{{ mktemp.stdout }}/{{ item }}"
+ with_items:
+ - "{{ __tsb_template_file }}"
+ - "{{ __tsb_broker_file }}"
+
+- name: Delete TSB broker
+ shell: >
+ oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" | oc delete -f -
- name: Delete TSB objects
shell: >
- oc process -f "{{ __tsb_files_location }}/{{ __tsb_template_file }}" | kubectl delete -f -
+ oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | kubectl delete -f -
- name: empty out tech preview extension file for service console UI
copy:
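Review bot: The two delete pipelines are inconsistent: the new `Delete TSB broker` task pipes into `oc delete -f -` while the adjacent `Delete TSB objects` task, whose source path this hunk also changes, still pipes into `kubectl delete -f -`; both target the same cluster with the same processed templates, so one client should be used, e.g. `oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | oc delete -f -`. Neither task records whether an already-absent object is expected to fail the play or be tolerated; a short comment on the tasks stating that would help whoever runs the removal twice.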
diff --git a/roles/template_service_broker/vars/main.yml b/roles/template_service_broker/vars/main.yml
index 372ab8f6f..a65340f16 100644
--- a/roles/template_service_broker/vars/main.yml
+++ b/roles/template_service_broker/vars/main.yml
@@ -4,3 +4,4 @@ __tsb_files_location: "../../../files/origin-components/"
__tsb_template_file: "apiserver-template.yaml"
__tsb_config_file: "apiserver-config.yaml"
__tsb_rbac_file: "rbac-template.yaml"
+__tsb_broker_file: "template-service-broker-registration.yaml"
diff --git a/setup.py b/setup.py
index eaf23d47a..3b786e0fb 100644
--- a/setup.py
+++ b/setup.py
@@ -165,7 +165,7 @@ class OpenShiftAnsibleYamlLint(Command):
has_warnings = True
if has_errors or has_warnings:
- print('yammlint issues found')
+ print('yamllint issues found')
raise SystemExit(1)