diff options
35 files changed, 304 insertions, 142 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 98939a7de..9bbf7f181 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.7.0-0.157.0 ./ +3.7.0-0.159.0 ./ diff --git a/inventory/byo/hosts.example b/inventory/byo/hosts.example index 3f4d20ee7..499a9d8e7 100644 --- a/inventory/byo/hosts.example +++ b/inventory/byo/hosts.example @@ -876,8 +876,13 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Or you may optionally define your own build overrides configuration serialized as json #openshift_buildoverrides_json='{"BuildOverrides":{"configuration":{"apiVersion":"v1","kind":"BuildDefaultsConfig","forcePull":"true"}}}' -# Enable template service broker by specifying one of more namespaces whose -# templates will be served by the broker +# Enable service catalog +#openshift_enable_service_catalog=true + +# Enable template service broker (requires service catalog to be enabled, above) +#template_service_broker_install=true + +# Configure one of more namespaces whose templates will be served by the TSB #openshift_template_service_broker_namespaces=['openshift'] # masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 458e0fe7b..0372960c6 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -10,7 +10,7 @@ Name: openshift-ansible Version: 3.7.0 -Release: 0.157.0%{?dist} +Release: 0.159.0%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 URL: https://github.com/openshift/openshift-ansible @@ -64,6 +64,9 @@ rm -f %{buildroot}%{python_sitelib}/openshift_ansible/gce mkdir -p docs/example-inventories cp inventory/byo/* docs/example-inventories/ +# openshift-ansible-files install +cp -rp files %{buildroot}%{_datadir}/ansible/%{name}/ + # openshift-ansible-playbooks install cp -rp playbooks %{buildroot}%{_datadir}/ansible/%{name}/ # remove contiv plabooks @@ -122,6 +125,7 @@ popd %doc README* %license LICENSE %dir %{_datadir}/ansible/%{name} +%{_datadir}/ansible/%{name}/files %{_datadir}/ansible/%{name}/library %ghost %{_datadir}/ansible/%{name}/playbooks/common/openshift-master/library.rpmmoved @@ -276,6 +280,29 @@ Atomic OpenShift Utilities includes %changelog +* Wed Oct 18 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.159.0 +- Updating openshift-ansible.spec file to include files dir + (sdodson@redhat.com) +- Bug 1501768: fix eventrouter nodeSelector padding (jwozniak@redhat.com) +- Reverting proxy image version to v1.0.0 to pass CI (ewolinet@redhat.com) +- Making travis happy (ewolinet@redhat.com) +- cri-o: error out when node is a Docker container (gscrivan@redhat.com) +- Rewire openshift_template_service_broker_namespaces configurable + (jminter@redhat.com) +- Ensure controllerConfig.serviceServingCert is correctly set during upgrade. + (abutcher@redhat.com) +- Updating pattern for elasticsearch_proxy images (ewolinet@redhat.com) +- Updating ES proxy image prefix and version to match other components + (ewolinet@redhat.com) +- Add ability to set node and master imageConfig to latest (mgugino@redhat.com) +- Restart all controllers to force reconfiguration during upgrade + (sdodson@redhat.com) + +* Tue Oct 17 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.158.0 +- Refactor openshift-management entry point (rteague@redhat.com) +- Add switch to enable/disable container engine's audit log being stored in ES. + (jkarasek@redhat.com) + * Mon Oct 16 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.157.0 - data migration of embedded etcd not allowed (jchaloup@redhat.com) - GlusterFS: remove topology reference from deploy-heketi (jarrpa@redhat.com) diff --git a/playbooks/byo/openshift-management/config.yml b/playbooks/byo/openshift-management/config.yml index 33a555cc1..e8795ef85 100644 --- a/playbooks/byo/openshift-management/config.yml +++ b/playbooks/byo/openshift-management/config.yml @@ -1,7 +1,5 @@ --- - include: ../openshift-cluster/initialize_groups.yml - tags: - - always - include: ../../common/openshift-cluster/evaluate_groups.yml diff --git a/playbooks/byo/openshift-management/uninstall.yml b/playbooks/byo/openshift-management/uninstall.yml index ebd6fb261..a1fb1cdc4 100644 --- a/playbooks/byo/openshift-management/uninstall.yml +++ b/playbooks/byo/openshift-management/uninstall.yml @@ -1,6 +1,4 @@ --- # - include: ../openshift-cluster/initialize_groups.yml -# tags: -# - always - include: ../../common/openshift-management/uninstall.yml diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index dbe09dce2..395eb51f1 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml @@ -55,7 +55,7 @@ - include: service_catalog.yml when: openshift_enable_service_catalog | default(false) | bool -- include: openshift_management.yml +- include: ../openshift-management/config.yml when: openshift_management_install_management | default(false) | bool - name: Print deprecated variable warning message if necessary diff --git a/playbooks/common/openshift-cluster/openshift_management.yml b/playbooks/common/openshift-cluster/openshift_management.yml deleted file mode 100644 index 6e582920b..000000000 --- a/playbooks/common/openshift-cluster/openshift_management.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- name: Management Install Checkpoint Start - hosts: localhost - connection: local - gather_facts: false - tasks: - - name: Set Management install 'In Progress' - set_stats: - data: - installer_phase_Management: "In Progress" - aggregate: false - -- name: Management - include: ../openshift-management/config.yml - -- name: Management Install Checkpoint End - hosts: localhost - connection: local - gather_facts: false - tasks: - - name: Set Management install 'Complete' - set_stats: - data: - installer_phase_Management: "Complete" - aggregate: false diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml index d69472fad..5e7a66171 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml @@ -41,12 +41,12 @@ - modify_yaml: dest: "{{ openshift.common.config_base}}/master/master-config.yaml" - yaml_key: 'controllerConfig.servicesServingCert.signer.certFile' + yaml_key: 'controllerConfig.serviceServingCert.signer.certFile' yaml_value: service-signer.crt - modify_yaml: dest: "{{ openshift.common.config_base}}/master/master-config.yaml" - yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile' + yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile' yaml_value: service-signer.key - modify_yaml: diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/master_config_upgrade.yml index ed89dbe8d..763922439 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_4/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/master_config_upgrade.yml @@ -14,3 +14,13 @@ dest: "{{ openshift.common.config_base}}/master/master-config.yaml" yaml_key: 'kubernetesMasterConfig.admissionConfig' yaml_value: + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.certFile' + yaml_value: service-signer.crt + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile' + yaml_value: service-signer.key diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/master_config_upgrade.yml index ed89dbe8d..763922439 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_5/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/master_config_upgrade.yml @@ -14,3 +14,13 @@ dest: "{{ openshift.common.config_base}}/master/master-config.yaml" yaml_key: 'kubernetesMasterConfig.admissionConfig' yaml_value: + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.certFile' + yaml_value: service-signer.crt + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile' + yaml_value: service-signer.key diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/master_config_upgrade.yml index ed89dbe8d..763922439 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/master_config_upgrade.yml @@ -14,3 +14,13 @@ dest: "{{ openshift.common.config_base}}/master/master-config.yaml" yaml_key: 'kubernetesMasterConfig.admissionConfig' yaml_value: + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.certFile' + yaml_value: service-signer.crt + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile' + yaml_value: service-signer.key diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml index df59a8782..c21ab97bc 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml @@ -19,3 +19,13 @@ dest: "{{ openshift.common.config_base}}/master/master-config.yaml" yaml_key: 'controllerConfig.election.lockName' yaml_value: 'openshift-master-controllers' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.certFile' + yaml_value: service-signer.crt + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile' + yaml_value: service-signer.key diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml index f1ca1edb9..bf3b94682 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml @@ -119,8 +119,24 @@ tasks: - include: ../cleanup_unused_images.yml +#TODO: Why doesn't this compose using ./upgrade_control_plane rather than +# ../upgrade_control_plane? - include: ../upgrade_control_plane.yml +# All controllers must be stopped at the same time then restarted +- name: Cycle all controller services to force new leader election mode + hosts: oo_etcd_to_config + gather_facts: no + tasks: + - name: Stop {{ openshift.common.service_type }}-master-controllers + systemd: + name: "{{ openshift.common.service_type }}-master-controllers" + state: stopped + - name: Start {{ openshift.common.service_type }}-master-controllers + systemd: + name: "{{ openshift.common.service_type }}-master-controllers" + state: started + - include: ../upgrade_nodes.yml - include: ../post_control_plane.yml diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml index 6c4f9671b..b91bea617 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml @@ -128,4 +128,18 @@ vars: master_config_hook: "v3_7/master_config_upgrade.yml" +# All controllers must be stopped at the same time then restarted +- name: Cycle all controller services to force new leader election mode + hosts: oo_etcd_to_config + gather_facts: no + tasks: + - name: Stop {{ openshift.common.service_type }}-master-controllers + systemd: + name: "{{ openshift.common.service_type }}-master-controllers" + state: stopped + - name: Start {{ openshift.common.service_type }}-master-controllers + systemd: + name: "{{ openshift.common.service_type }}-master-controllers" + state: started + - include: ../post_control_plane.yml diff --git a/playbooks/common/openshift-management/config.yml b/playbooks/common/openshift-management/config.yml index 0aaafe440..908679e81 100644 --- a/playbooks/common/openshift-management/config.yml +++ b/playbooks/common/openshift-management/config.yml @@ -1,4 +1,14 @@ --- +- name: Management Install Checkpoint Start + hosts: oo_all_hosts + gather_facts: false + tasks: + - name: Set Management install 'In Progress' + set_stats: + data: + installer_phase_management: "In Progress" + aggregate: false + - name: Setup CFME hosts: oo_first_master pre_tasks: @@ -13,3 +23,13 @@ name: openshift_management vars: template_dir: "{{ hostvars[groups.masters.0].r_openshift_management_mktemp.stdout }}" + +- name: Management Install Checkpoint End + hosts: oo_all_hosts + gather_facts: false + tasks: + - name: Set Management install 'Complete' + set_stats: + data: + installer_phase_management: "Complete" + aggregate: false diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index e36dfa7b9..1c830cb4e 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -1,5 +1,6 @@ --- docker_cli_auth_config_path: '/root/.docker' +openshift_docker_signature_verification: False # oreg_url is defined by user input. oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}" diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index 888ae40e7..7ccab37a5 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -115,11 +115,12 @@ dest: /etc/sysconfig/docker regexp: '^OPTIONS=.*$' line: "OPTIONS='\ - {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %}\ - {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %}\ - {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\ - {% if docker_options is defined %} {{ docker_options }}{% endif %}\ - {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'" + {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \ + {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %} \ + {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \ + {% if docker_options is defined %} {{ docker_options }}{% endif %} \ + {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %} \ + --signature-verification={{ openshift_docker_signature_verification | bool }}'" when: docker_check.stat.isreg is defined and docker_check.stat.isreg notify: - restart docker diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index fdc6cd24a..a79600930 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -36,6 +36,12 @@ state: present when: not openshift.common.is_atomic | bool +- name: Check we are not using node as a Docker container with CRI-O + fail: msg='Cannot use CRI-O with node configured as a Docker container' + when: + - openshift.common.is_containerized | bool + - not openshift.common.is_node_system_container | bool + # Used to pull and install the system container - name: Ensure atomic is installed package: diff --git a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py index ac369b882..25f9405af 100644 --- a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py +++ b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py @@ -136,7 +136,7 @@ class CallbackModule(CallbackBase): }, 'installer_phase_management': { 'title': 'Management Install', - 'playbook': 'playbooks/common/openshift-cluster/openshift_management.yml' + 'playbook': 'playbooks/byo/openshift-management/config.yml' }, } diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 829c78728..69eb9283d 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -69,6 +69,9 @@ When `openshift_logging_install_logging` is set to `False` the `openshift_loggin - `openshift_logging_fluentd_buffer_size_limit`: Buffer chunk limit for Fluentd. Defaults to 1m. - `openshift_logging_fluentd_file_buffer_limit`: Fluentd will set the value to the file buffer limit. Defaults to '1Gi' per destination. +- `openshift_logging_fluentd_audit_container_engine`: When `openshift_logging_fluentd_audit_container_engine` is set to `True`, the audit log of the container engine will be collected and stored in ES. +- `openshift_logging_fluentd_audit_file`: Location of audit log file. The default is `/var/log/audit/audit.log` +- `openshift_logging_fluentd_audit_pos_file`: Location of fluentd in_tail position file for the audit log file. The default is `/var/log/audit/audit.log.pos` - `openshift_logging_es_host`: The name of the ES service Fluentd should send logs to. Defaults to 'logging-es'. - `openshift_logging_es_port`: The port for the ES service Fluentd should sent its logs to. Defaults to '9200'. diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml index 554aa5bb2..fc48b7f71 100644 --- a/roles/openshift_logging_elasticsearch/defaults/main.yml +++ b/roles/openshift_logging_elasticsearch/defaults/main.yml @@ -40,8 +40,6 @@ openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_ # config the es plugin to write kibana index based on the index mode openshift_logging_elasticsearch_kibana_index_mode: 'unique' -openshift_logging_elasticsearch_proxy_image_prefix: "openshift/oauth-proxy" -openshift_logging_elasticsearch_proxy_image_version: "v1.0.0" openshift_logging_elasticsearch_proxy_cpu_limit: "100m" openshift_logging_elasticsearch_proxy_memory_limit: "64Mi" openshift_logging_elasticsearch_prometheus_sa: "system:serviceaccount:{{openshift_prometheus_namespace | default('prometheus')}}:prometheus" diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index df2c17aa0..aeff2d198 100644 --- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml @@ -17,6 +17,17 @@ - include: determine_version.yaml +- name: Set default image variables based on deployment_type + include_vars: "{{ item }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + +- name: Set elasticsearch_prefix image facts + set_fact: + openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_elasticsearch_proxy_image_prefix | default(__openshift_logging_elasticsearch_proxy_image_prefix) }}" + openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_elasticsearch_proxy_image_version | default(__openshift_logging_elasticsearch_proxy_image_version) }}" + # allow passing in a tempdir - name: Create temp directory for doing work in command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX @@ -52,7 +63,7 @@ name: "aggregated-logging-elasticsearch" namespace: "{{ openshift_logging_elasticsearch_namespace }}" when: - - openshift_logging_image_pull_secret == '' + - openshift_logging_image_pull_secret == '' # rolebinding reader - copy: @@ -66,7 +77,7 @@ kind: clusterrole namespace: "{{ openshift_logging_elasticsearch_namespace }}" files: - - "{{ tempdir }}/rolebinding-reader.yml" + - "{{ tempdir }}/rolebinding-reader.yml" delete_after: true # SA roles @@ -107,8 +118,8 @@ - fail: msg: "There was an error creating the logging-metrics-role and binding: {{prometheus_out}}" when: - - "prometheus_out.stderr | length > 0" - - "'already exists' not in prometheus_out.stderr" + - "prometheus_out.stderr | length > 0" + - "'already exists' not in prometheus_out.stderr" # View role and binding - name: Generate logging-elasticsearch-view-role @@ -120,8 +131,8 @@ roleRef: name: view subjects: - - kind: ServiceAccount - name: aggregated-logging-elasticsearch + - kind: ServiceAccount + name: aggregated-logging-elasticsearch changed_when: no - name: Set logging-elasticsearch-view-role role @@ -131,18 +142,18 @@ kind: rolebinding namespace: "{{ openshift_logging_elasticsearch_namespace }}" files: - - "{{ tempdir }}/logging-elasticsearch-view-role.yaml" + - "{{ tempdir }}/logging-elasticsearch-view-role.yaml" delete_after: true # configmap - assert: that: - - openshift_logging_elasticsearch_kibana_index_mode in __kibana_index_modes + - openshift_logging_elasticsearch_kibana_index_mode in __kibana_index_modes msg: "The openshift_logging_elasticsearch_kibana_index_mode '{{ openshift_logging_elasticsearch_kibana_index_mode }}' only supports one of: {{ __kibana_index_modes | join(', ') }}" - assert: that: - - "{{ openshift_logging_es_log_appenders | length > 0 }}" + - "{{ openshift_logging_es_log_appenders | length > 0 }}" msg: "The openshift_logging_es_log_appenders '{{ openshift_logging_es_log_appenders }}' has an unrecognized option and only supports the following as a list: {{ __es_log_appenders | join(', ') }}" - template: @@ -194,22 +205,22 @@ name: "logging-elasticsearch" namespace: "{{ openshift_logging_elasticsearch_namespace }}" files: - - name: key - path: "{{ generated_certs_dir }}/logging-es.jks" - - name: truststore - path: "{{ generated_certs_dir }}/truststore.jks" - - name: searchguard.key - path: "{{ generated_certs_dir }}/elasticsearch.jks" - - name: searchguard.truststore - path: "{{ generated_certs_dir }}/truststore.jks" - - name: admin-key - path: "{{ generated_certs_dir }}/system.admin.key" - - name: admin-cert - path: "{{ generated_certs_dir }}/system.admin.crt" - - name: admin-ca - path: "{{ generated_certs_dir }}/ca.crt" - - name: admin.jks - path: "{{ generated_certs_dir }}/system.admin.jks" + - name: key + path: "{{ generated_certs_dir }}/logging-es.jks" + - name: truststore + path: "{{ generated_certs_dir }}/truststore.jks" + - name: searchguard.key + path: "{{ generated_certs_dir }}/elasticsearch.jks" + - name: searchguard.truststore + path: "{{ generated_certs_dir }}/truststore.jks" + - name: admin-key + path: "{{ generated_certs_dir }}/system.admin.key" + - name: admin-cert + path: "{{ generated_certs_dir }}/system.admin.crt" + - name: admin-ca + path: "{{ generated_certs_dir }}/ca.crt" + - name: admin.jks + path: "{{ generated_certs_dir }}/system.admin.jks" # services - name: Set logging-{{ es_component }}-cluster service @@ -223,7 +234,7 @@ labels: logging-infra: 'support' ports: - - port: 9300 + - port: 9300 - name: Set logging-{{ es_component }} service oc_service: @@ -236,8 +247,8 @@ labels: logging-infra: 'support' ports: - - port: 9200 - targetPort: "restapi" + - port: 9200 + targetPort: "restapi" - name: Set logging-{{ es_component}}-prometheus service oc_service: @@ -247,9 +258,9 @@ labels: logging-infra: 'support' ports: - - name: proxy - port: 443 - targetPort: 4443 + - name: proxy + port: 443 + targetPort: 4443 selector: component: "{{ es_component }}-prometheus" provider: openshift @@ -277,46 +288,46 @@ # so we check for the presence of 'stderr' to determine if the obj exists or not # the RC for existing and not existing is both 0 - when: - - logging_elasticsearch_pvc.results.stderr is defined - - openshift_logging_elasticsearch_storage_type == "pvc" + - logging_elasticsearch_pvc.results.stderr is defined + - openshift_logging_elasticsearch_storage_type == "pvc" block: - # storageclasses are used by default but if static then disable - # storageclasses with the storageClassName set to "" in pvc.j2 - - name: Creating ES storage template - static - template: - src: pvc.j2 - dest: "{{ tempdir }}/templates/logging-es-pvc.yml" - vars: - obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}" - size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}" - access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}" - pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}" - storage_class_name: "{{ openshift_logging_elasticsearch_pvc_storage_class_name | default('', true) }}" - when: - - not openshift_logging_elasticsearch_pvc_dynamic | bool - - # Storageclasses are used by default if configured - - name: Creating ES storage template - dynamic - template: - src: pvc.j2 - dest: "{{ tempdir }}/templates/logging-es-pvc.yml" - vars: - obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}" - size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}" - access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}" - pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}" - when: - - openshift_logging_elasticsearch_pvc_dynamic | bool - - - name: Set ES storage - oc_obj: - state: present - kind: pvc - name: "{{ openshift_logging_elasticsearch_pvc_name }}" - namespace: "{{ openshift_logging_elasticsearch_namespace }}" - files: - - "{{ tempdir }}/templates/logging-es-pvc.yml" - delete_after: true + # storageclasses are used by default but if static then disable + # storageclasses with the storageClassName set to "" in pvc.j2 + - name: Creating ES storage template - static + template: + src: pvc.j2 + dest: "{{ tempdir }}/templates/logging-es-pvc.yml" + vars: + obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}" + size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}" + access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}" + pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}" + storage_class_name: "{{ openshift_logging_elasticsearch_pvc_storage_class_name | default('', true) }}" + when: + - not openshift_logging_elasticsearch_pvc_dynamic | bool + + # Storageclasses are used by default if configured + - name: Creating ES storage template - dynamic + template: + src: pvc.j2 + dest: "{{ tempdir }}/templates/logging-es-pvc.yml" + vars: + obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}" + size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}" + access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}" + pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}" + when: + - openshift_logging_elasticsearch_pvc_dynamic | bool + + - name: Set ES storage + oc_obj: + state: present + kind: pvc + name: "{{ openshift_logging_elasticsearch_pvc_name }}" + namespace: "{{ openshift_logging_elasticsearch_namespace }}" + files: + - "{{ tempdir }}/templates/logging-es-pvc.yml" + delete_after: true - set_fact: es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 8 | oo_random_word('abcdefghijklmnopqrstuvwxyz0123456789') }}" @@ -337,6 +348,7 @@ logging_component: elasticsearch deploy_name: "{{ es_deploy_name }}" image: "{{ openshift_logging_elasticsearch_image_prefix }}logging-elasticsearch:{{ openshift_logging_elasticsearch_image_version }}" + proxy_image: "{{ openshift_logging_elasticsearch_proxy_image_prefix }}oauth-proxy:{{ openshift_logging_elasticsearch_proxy_image_version }}" es_cpu_limit: "{{ openshift_logging_elasticsearch_cpu_limit }}" es_memory_limit: "{{ openshift_logging_elasticsearch_memory_limit }}" es_node_selector: "{{ openshift_logging_elasticsearch_nodeselector | default({}) }}" @@ -352,7 +364,7 @@ namespace: "{{ openshift_logging_elasticsearch_namespace }}" kind: dc files: - - "{{ tempdir }}/templates/logging-es-dc.yml" + - "{{ tempdir }}/templates/logging-es-dc.yml" delete_after: true - name: Retrieving the cert to use when generating secrets for the {{ es_component }} component @@ -360,37 +372,37 @@ src: "{{ generated_certs_dir }}/{{ item.file }}" register: key_pairs with_items: - - { name: "ca_file", file: "ca.crt" } - - { name: "es_key", file: "system.logging.es.key" } - - { name: "es_cert", file: "system.logging.es.crt" } + - { name: "ca_file", file: "ca.crt" } + - { name: "es_key", file: "system.logging.es.key" } + - { name: "es_cert", file: "system.logging.es.crt" } when: openshift_logging_es_allow_external | bool - set_fact: es_key: "{{ lookup('file', openshift_logging_es_key) | b64encode }}" when: - - openshift_logging_es_key | trim | length > 0 - - openshift_logging_es_allow_external | bool + - openshift_logging_es_key | trim | length > 0 + - openshift_logging_es_allow_external | bool changed_when: false - set_fact: es_cert: "{{ lookup('file', openshift_logging_es_cert) | b64encode }}" when: - - openshift_logging_es_cert | trim | length > 0 - - openshift_logging_es_allow_external | bool + - openshift_logging_es_cert | trim | length > 0 + - openshift_logging_es_allow_external | bool changed_when: false - set_fact: es_ca: "{{ lookup('file', openshift_logging_es_ca_ext) | b64encode }}" when: - - openshift_logging_es_ca_ext | trim | length > 0 - - openshift_logging_es_allow_external | bool + - openshift_logging_es_ca_ext | trim | length > 0 + - openshift_logging_es_allow_external | bool changed_when: false - set_fact: es_ca: "{{ key_pairs | entry_from_named_pair('ca_file') }}" when: - - es_ca is not defined - - openshift_logging_es_allow_external | bool + - es_ca is not defined + - openshift_logging_es_allow_external | bool changed_when: false - name: Generating Elasticsearch {{ es_component }} route template @@ -421,7 +433,7 @@ namespace: "{{ openshift_logging_elasticsearch_namespace }}" kind: route files: - - "{{ tempdir }}/templates/logging-{{ es_component }}-route.yaml" + - "{{ tempdir }}/templates/logging-{{ es_component }}-route.yaml" when: openshift_logging_es_allow_external | bool ## Placeholder for migration when necessary ## diff --git a/roles/openshift_logging_elasticsearch/templates/es.j2 b/roles/openshift_logging_elasticsearch/templates/es.j2 index 1ed886627..ce3b2eb83 100644 --- a/roles/openshift_logging_elasticsearch/templates/es.j2 +++ b/roles/openshift_logging_elasticsearch/templates/es.j2 @@ -40,7 +40,7 @@ spec: {% endif %} containers: - name: proxy - image: {{openshift_logging_elasticsearch_proxy_image_prefix}}:{{openshift_logging_elasticsearch_proxy_image_version}} + image: {{ proxy_image }} imagePullPolicy: Always args: - --upstream-ca=/etc/elasticsearch/secret/admin-ca @@ -86,7 +86,7 @@ spec: requests: memory: "{{es_memory_limit}}" {% if es_container_security_context %} - securityContext: {{ es_container_security_context | to_yaml }} + securityContext: {{ es_container_security_context | to_yaml }} {% endif %} ports: - diff --git a/roles/openshift_logging_elasticsearch/vars/default_images.yml b/roles/openshift_logging_elasticsearch/vars/default_images.yml new file mode 100644 index 000000000..b7d105caf --- /dev/null +++ b/roles/openshift_logging_elasticsearch/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_elasticsearch_proxy_image_prefix: "docker.io/openshift/" +__openshift_logging_elasticsearch_proxy_image_version: "v1.0.0" diff --git a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml new file mode 100644 index 000000000..c87d48e27 --- /dev/null +++ b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_elasticsearch_proxy_image_prefix: "registry.access.redhat.com/openshift3/" +__openshift_logging_elasticsearch_proxy_image_version: "v3.7" diff --git a/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 b/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 index 9ff4c7e80..ea1fd3efd 100644 --- a/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 +++ b/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 @@ -54,9 +54,9 @@ objects: serviceAccount: aggregated-logging-eventrouter serviceAccountName: aggregated-logging-eventrouter {% if node_selector is iterable and node_selector | length > 0 %} - nodeSelector: + nodeSelector: {% for key, value in node_selector.iteritems() %} - {{ key }}: "{{ value }}" + {{ key }}: "{{ value }}" {% endfor %} {% endif %} containers: diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml index 82326bdd1..25f7580a4 100644 --- a/roles/openshift_logging_fluentd/defaults/main.yml +++ b/roles/openshift_logging_fluentd/defaults/main.yml @@ -56,3 +56,7 @@ openshift_logging_fluentd_aggregating_passphrase: none #fluentd_secureforward_contents: openshift_logging_fluentd_file_buffer_limit: 1Gi + +# Configure fluentd to tail audit log file and filter out container engine's logs from there +# These logs are then stored in ES operation index +openshift_logging_fluentd_audit_container_engine: False diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml index 37960afd1..06bb35dbc 100644 --- a/roles/openshift_logging_fluentd/tasks/main.yaml +++ b/roles/openshift_logging_fluentd/tasks/main.yaml @@ -108,7 +108,6 @@ src: secure-forward.conf dest: "{{ tempdir }}/secure-forward.conf" when: fluentd_secureforward_contents is undefined - changed_when: no - copy: @@ -173,6 +172,9 @@ ops_port: "{{ openshift_logging_fluentd_ops_port }}" fluentd_nodeselector_key: "{{ openshift_logging_fluentd_nodeselector.keys()[0] }}" fluentd_nodeselector_value: "{{ openshift_logging_fluentd_nodeselector.values()[0] }}" + audit_container_engine: "{{ openshift_logging_fluentd_audit_container_engine | default(False) | bool }}" + audit_log_file: "{{ openshift_logging_fluentd_audit_file | default() }}" + audit_pos_log_file: "{{ openshift_logging_fluentd_audit_pos_file | default() }}" check_mode: no changed_when: no diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2 index f286b0656..644b70031 100644 --- a/roles/openshift_logging_fluentd/templates/fluentd.j2 +++ b/roles/openshift_logging_fluentd/templates/fluentd.j2 @@ -172,6 +172,28 @@ spec: value: "{{ openshift_logging_fluentd_remote_syslog_payload_key }}" {% endif %} +{% if audit_container_engine %} + - name: "AUDIT_CONTAINER_ENGINE" + value: "{{ audit_container_engine | lower }}" +{% endif %} + +{% if audit_container_engine %} + - name: "NODE_NAME" + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{% endif %} + +{% if audit_log_file != '' %} + - name: AUDIT_FILE + value: "{{ audit_log_file }}" +{% endif %} + +{% if audit_pos_log_file != '' %} + - name: AUDIT_POS_FILE + value: "{{ audit_pos_log_file }}" +{% endif %} + volumes: - name: runlogjournal hostPath: diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 7e62a8c6d..f861a8e4d 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -51,3 +51,6 @@ r_openshift_master_data_dir: "{{ r_openshift_master_data_dir_default }}" r_openshift_master_sdn_network_plugin_name_default: "{{ os_sdn_network_plugin_name | default('redhat/openshift-ovs-subnet') }}" r_openshift_master_sdn_network_plugin_name: "{{ r_openshift_master_sdn_network_plugin_name_default }}" + +openshift_master_image_config_latest_default: "{{ openshift_image_config_latest | default(False) }}" +openshift_master_image_config_latest: "{{ openshift_master_image_config_latest_default }}" diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 9b3fbcf49..7159ccc7f 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -115,7 +115,7 @@ etcdStorageConfig: openShiftStorageVersion: v1 imageConfig: format: {{ openshift.master.registry_url }} - latest: false + latest: {{ openshift_master_image_config_latest }} {% if 'image_policy_config' in openshift.master %} imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level=1) }} {% endif %} @@ -275,12 +275,5 @@ servingInfo: - {{ cipher_suite }} {% endfor %} {% endif %} -{% if openshift_template_service_broker_namespaces is defined %} -templateServiceBrokerConfig: - templateNamespaces: -{% for namespace in openshift_template_service_broker_namespaces %} - - {{ namespace }} -{% endfor %} -{% endif %} volumeConfig: dynamicProvisioningEnabled: {{ openshift.master.dynamic_provisioning_enabled }} diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 298d1013f..739b0d968 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -107,3 +107,6 @@ openshift_node_use_contiv: "{{ openshift_node_use_contiv_default }}" openshift_node_data_dir_default: "{{ openshift_data_dir | default('/var/lib/origin') }}" openshift_node_data_dir: "{{ openshift_node_data_dir_default }}" + +openshift_node_image_config_latest_default: "{{ openshift_image_config_latest | default(False) }}" +openshift_node_image_config_latest: "{{ openshift_node_image_config_latest_default }}" diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 7049f7189..08e1c7f4f 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -13,7 +13,7 @@ dockerConfig: iptablesSyncPeriod: "{{ openshift.node.iptables_sync_period }}" imageConfig: format: {{ openshift.node.registry_url }} - latest: false + latest: {{ openshift_node_image_config_latest }} kind: NodeConfig kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }} {% if openshift_use_crio | default(False) %} diff --git a/roles/template_service_broker/defaults/main.yml b/roles/template_service_broker/defaults/main.yml index fb407c4a2..a92a138b0 100644 --- a/roles/template_service_broker/defaults/main.yml +++ b/roles/template_service_broker/defaults/main.yml @@ -2,3 +2,4 @@ # placeholder file? template_service_broker_remove: False template_service_broker_install: False +openshift_template_service_broker_namespaces: ['openshift'] diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml index f5fd6487c..54008bbf1 100644 --- a/roles/template_service_broker/tasks/install.yml +++ b/roles/template_service_broker/tasks/install.yml @@ -28,10 +28,24 @@ - "{{ __tsb_template_file }}" - "{{ __tsb_rbac_file }}" - "{{ __tsb_broker_file }}" + - "{{ __tsb_config_file }}" + +- yedit: + src: "{{ mktemp.stdout }}/{{ __tsb_config_file }}" + key: templateNamespaces + value: "{{ openshift_template_service_broker_namespaces }}" + value_type: list + +- slurp: + src: "{{ mktemp.stdout }}/{{ __tsb_config_file }}" + register: config - name: Apply template file shell: > - oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" --param API_SERVER_CONFIG="{{ lookup('file', __tsb_files_location ~ '/' ~ __tsb_config_file) }}" --param IMAGE="{{ template_service_broker_prefix }}{{ template_service_broker_image_name }}:{{ template_service_broker_version }}" | kubectl apply -f - + oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" + --param API_SERVER_CONFIG="{{ config['content'] | b64decode }}" + --param IMAGE="{{ template_service_broker_prefix }}{{ template_service_broker_image_name }}:{{ template_service_broker_version }}" + | kubectl apply -f - # reconcile with rbac - name: Reconcile with RBAC file |