-rw-r--r-- HOOKS.md 70
-rw-r--r-- README.md 6
-rw-r--r-- inventory/byo/hosts.origin.example 19
-rw-r--r-- inventory/byo/hosts.ose.example 19
-rw-r--r-- playbooks/common/openshift-cluster/config.yml 3
-rw-r--r-- playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml 24
-rw-r--r-- playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml 13
-rw-r--r-- roles/docker/tasks/main.yml 2
-rw-r--r-- roles/openshift_builddefaults/vars/main.yml 1
-rw-r--r-- roles/openshift_buildoverrides/tasks/main.yml 9
-rw-r--r-- roles/openshift_buildoverrides/vars/main.yml 3
-rw-r--r-- roles/openshift_docker_facts/tasks/main.yml 2
-rwxr-xr-x roles/openshift_facts/library/openshift_facts.py 29
-rw-r--r-- roles/openshift_loadbalancer/tasks/main.yml 2
-rw-r--r-- roles/openshift_loadbalancer/templates/haproxy.cfg.j2 8
-rw-r--r-- roles/openshift_loadbalancer/templates/haproxy.docker.service.j2 2
-rw-r--r-- roles/openshift_logging/tasks/generate_certs.yaml 48
-rw-r--r-- roles/openshift_logging/tasks/generate_jks.yaml 27
-rw-r--r-- roles/openshift_logging/tasks/label_node.yaml 27
-rwxr-xr-x roles/openshift_metrics/files/import_jks_certs.sh 2
-rw-r--r-- roles/openshift_metrics/tasks/import_jks_certs.yaml 146
-rw-r--r-- roles/openshift_metrics/tasks/main.yaml 7
-rw-r--r-- roles/openshift_metrics/templates/jks_pod.j2 38
-rwxr-xr-x roles/os_firewall/library/os_firewall_manage_iptables.py 4
-rw-r--r-- roles/os_firewall/tasks/firewall/firewalld.yml 5
-rw-r--r-- utils/test-requirements.txt 2
26 files changed, 288 insertions, 230 deletions
diff --git a/HOOKS.md b/HOOKS.md
new file mode 100644
index 000000000..9c5f80054
--- /dev/null
+++ b/HOOKS.md
@@ -0,0 +1,70 @@
+# Hooks
+
+The ansible installer allows for operators to execute custom tasks during
+specific operations through a system called hooks. Hooks allow operators to
+provide files defining tasks to execute before and/or after specific areas
+during installations and upgrades. This can be very helpful to validate
+or modify custom infrastructure when installing/upgrading OpenShift.
+
+It is important to remember that when a hook fails the operation fails. This
+means a good hook can run multiple times and provide the same results. A great
+hook is idempotent.
+
+**Note**: There is currently not a standard interface for hooks. In the future
+a standard interface will be defined and any hooks that existed previously will
+need to be updated to meet the new standard.
+
+## Using Hooks
+
+Hooks are defined in the ``hosts`` inventory file under the ``OSEv3:vars``
+section.
+
+Each hook should point to a yaml file which defines Ansible tasks. This file
+will be used as an include meaning that the file can not be a playbook but
+a set of tasks. Best practice suggests using absolute paths to the hook file to avoid any ambiguity.
+
+### Example
+```ini
+[OSEv3:vars]
+# <snip>
+openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml
+openshift_master_upgrade_hook=/usr/share/custom/master.yml
+openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml
+# <snip>
+```
+
+Hook files must be a yaml formatted file that defines a set of Ansible tasks.
+The file may **not** be a playbook.
+
+### Example
+```yaml
+---
+# Trivial example forcing an operator to ack the start of an upgrade
+# file=/usr/share/custom/pre_master.yml
+
+- name: note the start of a master upgrade
+ debug:
+ msg: "Master upgrade of {{ inventory_hostname }} is about to start"
+
+- name: require an operator agree to start an upgrade
+ pause:
+ prompt: "Hit enter to start the master upgrade"
+```
+
+## Upgrade Hooks
+
+### openshift_master_upgrade_pre_hook
+- Runs **before** each master is upgraded.
+- This hook runs against **each master** in serial.
+- If a task needs to run against a different host, said task will need to use [``delegate_to`` or ``local_action``](http://docs.ansible.com/ansible/playbooks_delegation.html#delegation).
+
+### openshift_master_upgrade_hook
+- Runs **after** each master is upgraded but **before** it's service/system restart.
+- This hook runs against **each master** in serial.
+- If a task needs to run against a different host, said task will need to use [``delegate_to`` or ``local_action``](http://docs.ansible.com/ansible/playbooks_delegation.html#delegation).
+
+
+### openshift_master_upgrade_post_hook
+- Runs **after** each master is upgraded and has had it's service/system restart.
+- This hook runs against **each master** in serial.
+- If a task needs to run against a different host, said task will need to use [``delegate_to`` or ``local_action``](http://docs.ansible.com/ansible/playbooks_delegation.html#delegation).
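Review bot: The "Using Hooks" section should say who may write the hook files. Each path is pulled in with `include` and its tasks run against every master as part of the upgrade play, so a hook file (or its parent directory) that another local user on the control host can modify is a way to run arbitrary tasks on the control plane; recommend stating that hook files should be owned by, and writable only by, the operator running the upgrade. The relative-path behaviour described in the inventory examples ("relative to the file where the hook is actually used") is worth repeating here, and "it's service/system restart" should read "its" in the `openshift_master_upgrade_hook` and `openshift_master_upgrade_post_hook` bullets.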
diff --git a/README.md b/README.md
index def8dfdc5..c3c022e59 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,12 @@ you are not running a stable release.
- [OpenShift Enterprise](https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html)
- [OpenShift Origin](https://docs.openshift.org/latest/install_config/install/advanced_install.html)
+
+## Installer Hooks
+
+See the [hooks documentation](HOOKS.md).
+
+
## Contributing
See the [contribution guide](CONTRIBUTING.md).
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index dde172c4a..0a1b8c5c4 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -89,6 +89,25 @@ openshift_release=v1.4
# Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone.
# docker_upgrade=False
+
+# Upgrade Hooks
+#
+# Hooks are available to run custom tasks at various points during a cluster
+# upgrade. Each hook should point to a file with Ansible tasks defined. Suggest using
+# absolute paths, if not the path will be treated as relative to the file where the
+# hook is actually used.
+#
+# Tasks to run before each master is upgraded.
+# openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml
+#
+# Tasks to run to upgrade the master. These tasks run after the main openshift-ansible
+# upgrade steps, but before we restart system/services.
+# openshift_master_upgrade_hook=/usr/share/custom/master.yml
+#
+# Tasks to run after each master is upgraded and system/services have been restarted.
+# openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml
+
+
# Alternate image format string, useful if you've got your own registry mirror
#oreg_url=example.com/openshift3/ose-${component}:${version}
# If oreg_url points to a registry other than registry.access.redhat.com we can
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index c0dd8a1e8..89b9d7e48 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -89,6 +89,25 @@ openshift_release=v3.4
# Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone.
# docker_upgrade=False
+
+# Upgrade Hooks
+#
+# Hooks are available to run custom tasks at various points during a cluster
+# upgrade. Each hook should point to a file with Ansible tasks defined. Suggest using
+# absolute paths, if not the path will be treated as relative to the file where the
+# hook is actually used.
+#
+# Tasks to run before each master is upgraded.
+# openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml
+#
+# Tasks to run to upgrade the master. These tasks run after the main openshift-ansible
+# upgrade steps, but before we restart system/services.
+# openshift_master_upgrade_hook=/usr/share/custom/master.yml
+#
+# Tasks to run after each master is upgraded and system/services have been restarted.
+# openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml
+
+
# Alternate image format string, useful if you've got your own registry mirror
#oreg_url=example.com/openshift3/ose-${component}:${version}
# If oreg_url points to a registry other than registry.access.redhat.com we can
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 0f226f5f9..a95cb68b7 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -38,6 +38,9 @@
- set_fact:
openshift_docker_log_options: "{{ lookup('oo_option', 'docker_log_options') }}"
when: openshift_docker_log_options is not defined
+ - set_fact:
+ openshift_docker_selinux_enabled: "{{ lookup('oo_option', 'docker_selinux_enabled') }}"
+ when: openshift_docker_selinux_enabled is not defined
- include: ../openshift-etcd/config.yml
tags:
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index 7f738ea0f..77b37cdc2 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -51,6 +51,8 @@
roles:
- openshift_master_facts
+# The main master upgrade play. Should handle all changes to the system in one pass, with
+# support for optional hooks to be defined.
- name: Upgrade master
hosts: oo_masters_to_config
vars:
@@ -62,6 +64,14 @@
roles:
- openshift_facts
post_tasks:
+
+ # Run the pre-upgrade hook if defined:
+ - debug: msg="Running master pre-upgrade hook {{ openshift_master_upgrade_pre_hook }}"
+ when: openshift_master_upgrade_pre_hook is defined
+
+ - include: "{{ openshift_master_upgrade_pre_hook }}"
+ when: openshift_master_upgrade_pre_hook is defined
+
- include: rpm_upgrade.yml component=master
when: not openshift.common.is_containerized | bool
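Review bot: `when: openshift_master_upgrade_pre_hook is defined` also passes for an empty value, so an inventory line such as `openshift_master_upgrade_pre_hook=` reaches the `include` with an empty path. Consider requiring a non-empty string as well, and wrapping the `debug` and the `include` in one `block` so the condition is written once.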
@@ -102,12 +112,26 @@
state: link
when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+ # Run the upgrade hook prior to restarting services/system if defined:
+ - debug: msg="Running master upgrade hook {{ openshift_master_upgrade_hook }}"
+ when: openshift_master_upgrade_hook is defined
+
+ - include: "{{ openshift_master_upgrade_hook }}"
+ when: openshift_master_upgrade_hook is defined
+
- include: ../../openshift-master/restart_hosts.yml
when: openshift.common.rolling_restart_mode == 'system'
- include: ../../openshift-master/restart_services.yml
when: openshift.common.rolling_restart_mode == 'services'
+ # Run the post-upgrade hook if defined:
+ - debug: msg="Running master post-upgrade hook {{ openshift_master_upgrade_post_hook }}"
+ when: openshift_master_upgrade_post_hook is defined
+
+ - include: "{{ openshift_master_upgrade_post_hook }}"
+ when: openshift_master_upgrade_post_hook is defined
+
- set_fact:
master_update_complete: True
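Review bot: Nothing checks that the hook files exist before the first master is touched; a typo in `openshift_master_upgrade_post_hook` is only discovered at the last `include`, after this master has been upgraded and restarted and before `master_update_complete` is set. A pre-flight `stat` of each defined hook path on the control host, failing early, would avoid stopping part-way through a serial upgrade.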
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
index 86b344d7a..2bb460815 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
@@ -87,6 +87,19 @@
- name: Restart rpm node service
service: name="{{ openshift.common.service_type }}-node" state=restarted
when: inventory_hostname in groups.oo_nodes_to_upgrade and not openshift.common.is_containerized | bool
+
+ - name: Wait for node to be ready
+ command: >
+ {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} get node {{ openshift.common.hostname | lower }} --no-headers
+ register: node_output
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ when: inventory_hostname in groups.oo_nodes_to_upgrade
+ until: "{{ node_output.stdout.split()[1].startswith('Ready')}}"
+ # Give the node two minutes to come back online. Note that we pre-pull images now
+ # so containerized services should restart quickly as well.
+ retries: 24
+ delay: 5
+
- name: Set node schedulability
command: >
{{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=true
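Review bot: The new wait task looks the node up as `openshift.common.hostname | lower`, while the `adm manage-node` task right after it uses `openshift.node.nodename | lower`; where the two differ, `get node` never succeeds and the play uses up all 24 retries. Use the same identifier in both. In the `until` expression, `node_output.stdout.split()[1]` errors on empty output rather than evaluating to false, so guard it (for example by checking `node_output.rc == 0` first), and the surrounding `{{ }}` is not needed in `until`.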
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index a8935370a..66c9cfa0f 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -96,7 +96,7 @@
dest: /etc/sysconfig/docker
regexp: '^OPTIONS=.*$'
line: "OPTIONS='\
- {% if ansible_selinux and ansible_selinux.status == '''enabled''' %} --selinux-enabled{% endif %}\
+ {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\
{% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %}\
{% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\
{% if docker_options is defined %} {{ docker_options }}{% endif %}\
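Review bot: `docker_selinux_enabled | default(true)` in the new `OPTIONS` line is missing a `| bool`. The value can arrive as a string (for example from an INI `[OSEv3:vars]` entry or from the `lookup('oo_option', 'docker_selinux_enabled')` added in `config.yml`), and a non-empty string such as `false` is truthy in Jinja2, so the setting would not actually turn `--selinux-enabled` off. Suggest `docker_selinux_enabled | default(true) | bool`, plus an entry in the inventory examples noting that disabling it removes SELinux confinement from containers.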
diff --git a/roles/openshift_builddefaults/vars/main.yml b/roles/openshift_builddefaults/vars/main.yml
index c9ec3b82f..fe6069ea9 100644
--- a/roles/openshift_builddefaults/vars/main.yml
+++ b/roles/openshift_builddefaults/vars/main.yml
@@ -23,7 +23,6 @@ builddefaults_yaml:
imageLabels: "{{ openshift_builddefaults_image_labels | default(None) }}"
nodeSelector: "{{ openshift_builddefaults_nodeselectors | default(None) }}"
annotations: "{{ openshift_builddefaults_annotations | default(None) }}"
- #resources: "{{ openshift.builddefaults.resources | default(None) }}"
resources:
requests:
cpu: "{{ openshift_builddefaults_resources_requests_cpu | default(None) }}"
diff --git a/roles/openshift_buildoverrides/tasks/main.yml b/roles/openshift_buildoverrides/tasks/main.yml
index 82fce1c5b..87d0e6f21 100644
--- a/roles/openshift_buildoverrides/tasks/main.yml
+++ b/roles/openshift_buildoverrides/tasks/main.yml
@@ -1,13 +1,4 @@
---
-#- name: Set buildoverrides
-# openshift_facts:
-# role: buildoverrides
-# local_facts:
-# force_pull: "{{ openshift_buildoverrides_force_pull | default(None) }}"
-# image_labels: "{{ openshift_buildoverrides_image_labels | default(None) }}"
-# nodeselectors: "{{ openshift_buildoverrides_nodeselectors | default(None) }}"
-# annotations: "{{ openshift_buildoverrides_annotations | default(None) }}"
-
- name: Set buildoverrides config structure
openshift_facts:
role: buildoverrides
diff --git a/roles/openshift_buildoverrides/vars/main.yml b/roles/openshift_buildoverrides/vars/main.yml
index f0f9c255b..cf49a6ebf 100644
--- a/roles/openshift_buildoverrides/vars/main.yml
+++ b/roles/openshift_buildoverrides/vars/main.yml
@@ -1,10 +1,11 @@
---
+force_pull: "{{ openshift_buildoverrides_force_pull | default('') }}"
buildoverrides_yaml:
BuildOverrides:
configuration:
apiVersion: v1
kind: BuildOverridesConfig
- forcePull: "{{ openshift_buildoverrides_force_pull | default('', true) }}"
+ forcePull: "{{ '' if force_pull == '' else force_pull | bool }}"
imageLabels: "{{ openshift_buildoverrides_image_labels | default(None) }}"
nodeSelector: "{{ openshift_buildoverrides_nodeselectors | default(None) }}"
annotations: "{{ openshift_buildoverrides_annotations | default(None) }}"
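Review bot: `force_pull` is a very generic name for a variable defined in the role's `vars/main.yml`, where it can collide with an unrelated `force_pull` elsewhere in the play; give it a role-prefixed name. A short comment on the `forcePull` line explaining why the empty string is preserved rather than coerced with `| bool` would also help the next reader.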
diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml
index 613c237a3..049ceffe0 100644
--- a/roles/openshift_docker_facts/tasks/main.yml
+++ b/roles/openshift_docker_facts/tasks/main.yml
@@ -9,6 +9,7 @@
additional_registries: "{{ openshift_docker_additional_registries | default(None) }}"
blocked_registries: "{{ openshift_docker_blocked_registries | default(None) }}"
insecure_registries: "{{ openshift_docker_insecure_registries | default(None) }}"
+ selinux_enabled: "{{ openshift_docker_selinux_enabled | default(None) }}"
log_driver: "{{ openshift_docker_log_driver | default(None) }}"
log_options: "{{ openshift_docker_log_options | default(None) }}"
options: "{{ openshift_docker_options | default(None) }}"
@@ -23,6 +24,7 @@
| default(omit) }}"
docker_insecure_registries: "{{ openshift.docker.insecure_registries
| default(omit) }}"
+ docker_selinux_enabled: "{{ openshift.docker.selinux_enabled | default(omit) }}"
docker_log_driver: "{{ openshift.docker.log_driver | default(omit) }}"
docker_log_options: "{{ openshift.docker.log_options | default(omit) }}"
docker_push_dockerhub: "{{ openshift.docker.disable_push_dockerhub
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 10121f82a..c99452062 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1690,9 +1690,38 @@ def set_builddefaults_facts(facts):
if 'admission_plugin_config' not in facts['master']:
facts['master']['admission_plugin_config'] = dict()
facts['master']['admission_plugin_config'].update(builddefaults['config'])
+ # if the user didn't actually provide proxy values, delete the proxy env variable defaults.
+ delete_empty_keys(facts['master']['admission_plugin_config']['BuildDefaults']['configuration']['env'])
+
return facts
+def delete_empty_keys(keylist):
+ """ Delete dictionary elements from keylist where "value" is empty.
+
+ Args:
+ keylist(list): A list of builddefault configuration envs.
+
+ Returns:
+ none
+
+ Example:
+ keylist = [{'name': 'HTTP_PROXY', 'value': 'http://file.rdu.redhat.com:3128'},
+ {'name': 'HTTPS_PROXY', 'value': 'http://file.rdu.redhat.com:3128'},
+ {'name': 'NO_PROXY', 'value': ''}]
+
+ After calling delete_empty_keys the provided list is modified to become:
+
+ [{'name': 'HTTP_PROXY', 'value': 'http://file.rdu.redhat.com:3128'},
+ {'name': 'HTTPS_PROXY', 'value': 'http://file.rdu.redhat.com:3128'}]
+ """
+ count = 0
+ for i in range(0, len(keylist)):
+ if len(keylist[i - count]['value']) == 0:
+ del keylist[i - count]
+ count += 1
+
+
def set_buildoverrides_facts(facts):
""" Set build overrides
diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml
index e9bc8b4ab..68bb4ace8 100644
--- a/roles/openshift_loadbalancer/tasks/main.yml
+++ b/roles/openshift_loadbalancer/tasks/main.yml
@@ -17,7 +17,7 @@
- name: Create the systemd unit files
template:
src: "haproxy.docker.service.j2"
- dest: "{{ containerized_svc_dir }}/haproxy.service"
+ dest: "/etc/systemd/system/haproxy.service"
when: openshift.common.is_containerized | bool
notify: restart haproxy
diff --git a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
index 79e695001..24fd635ec 100644
--- a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
+++ b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
@@ -1,16 +1,20 @@
# Global settings
#---------------------------------------------------------------------
global
+ maxconn {{ openshift_loadbalancer_global_maxconn | default(20000) }}
+ log /dev/log local0 info
+{% if openshift.common.is_containerized | bool %}
+ stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
+{% else %}
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
- maxconn {{ openshift_loadbalancer_global_maxconn | default(20000) }}
user haproxy
group haproxy
daemon
- log /dev/log local0 info
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
+{% endif %}
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
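Review bot: In the containerized branch `chroot`, `user haproxy` and `group haproxy` are no longer rendered, so haproxy keeps whatever user the container starts as, and the stats socket is opened at `level admin`. If dropping privileges is not possible in the image, say so in a template comment; otherwise keep `user`/`group` in both branches. `mode 600` on the new socket is good, and the non-containerized `stats socket /var/lib/haproxy/stats` line could take the same explicit mode.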
diff --git a/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2 b/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2
index 624876ab0..5385df3b7 100644
--- a/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2
+++ b/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2
@@ -5,7 +5,7 @@ PartOf=docker.service
[Service]
ExecStartPre=-/usr/bin/docker rm -f openshift_loadbalancer
-ExecStart=/usr/bin/docker run --rm --name openshift_loadbalancer -p {{ openshift_master_api_port | default(8443) }}:{{ openshift_master_api_port | default(8443) }} -v /etc/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg:ro --entrypoint="haproxy -f /etc/haproxy/haproxy.cfg" {{ openshift.common.router_image }}:{{ openshift_image_tag }}
+ExecStart=/usr/bin/docker run --rm --name openshift_loadbalancer -p {{ openshift_master_api_port | default(8443) }}:{{ openshift_master_api_port | default(8443) }} -v /etc/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg:ro --entrypoint=haproxy {{ openshift.common.router_image }}:{{ openshift_image_tag }} -f /etc/haproxy/haproxy.cfg
ExecStartPost=/usr/bin/sleep 10
ExecStop=/usr/bin/docker stop openshift_loadbalancer
LimitNOFILE={{ openshift_loadbalancer_limit_nofile | default(100000) }}
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index 20e50482e..740e490e1 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -88,56 +88,12 @@
- name: Creating necessary JKS certs
include: generate_jks.yaml
-# check for secret/logging-kibana-proxy
-- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get secret/logging-kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.data.oauth-secret}'
- register: kibana_secret_oauth_check
- ignore_errors: yes
- changed_when: no
- check_mode: no
-
-- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get secret/logging-kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.data.session-secret}'
- register: kibana_secret_session_check
- ignore_errors: yes
- changed_when: no
- check_mode: no
-
-# check for oauthclient secret
-- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get oauthclient/kibana-proxy -n {{openshift_logging_namespace}} -o jsonpath='{.secret}'
- register: oauth_secret_check
- ignore_errors: yes
- changed_when: no
- check_mode: no
-
-# set or generate as needed
+# TODO: make idempotent
- name: Generate proxy session
set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
check_mode: no
- when:
- - kibana_secret_session_check.stdout is not defined or kibana_secret_session_check.stdout == ''
-
-- name: Generate proxy session
- set_fact: session_secret={{kibana_secret_session_check.stdout | b64decode }}
- check_mode: no
- when:
- - kibana_secret_session_check.stdout is defined
- - kibana_secret_session_check.stdout != ''
+# TODO: make idempotent
- name: Generate oauth client secret
set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
check_mode: no
- when: kibana_secret_oauth_check.stdout is not defined or kibana_secret_oauth_check.stdout == ''
- or oauth_secret_check.stdout is not defined or oauth_secret_check.stdout == ''
- or kibana_secret_oauth_check.stdout | b64decode != oauth_secret_check.stdout
-
-- name: Generate oauth client secret
- set_fact: oauth_secret={{kibana_secret_oauth_check.stdout | b64decode}}
- check_mode: no
- when:
- - kibana_secret_oauth_check is defined
- - kibana_secret_oauth_check.stdout != ''
- - oauth_secret_check.stdout is defined
- - oauth_secret_check.stdout != ''
- - kibana_secret_oauth_check.stdout | b64decode == oauth_secret_check.stdout
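Review bot: With the lookups of the existing `logging-kibana-proxy` secret and `kibana-proxy` oauthclient removed, `session_secret` and `oauth_secret` are regenerated on every run, which changes the session and OAuth client secrets of a running deployment each time the role is applied and drops the check that the two copies of the OAuth secret agree. The `TODO: make idempotent` comments acknowledge this; please link a tracking issue from them and mention the behaviour change in the commit message. Since these are authentication secrets, it is also worth confirming that `random_word` draws from a cryptographically secure source.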
diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml
index adb6c2b2d..c6e2ccbc0 100644
--- a/roles/openshift_logging/tasks/generate_jks.yaml
+++ b/roles/openshift_logging/tasks/generate_jks.yaml
@@ -27,34 +27,22 @@
check_mode: no
- name: Create placeholder for previously created JKS certs to prevent recreating...
- file:
- path: "{{local_tmp.stdout}}/elasticsearch.jks"
- state: touch
- mode: "u=rw,g=r,o=r"
+ local_action: file path="{{local_tmp.stdout}}/elasticsearch.jks" state=touch mode="u=rw,g=r,o=r"
when: elasticsearch_jks.stat.exists
changed_when: False
- name: Create placeholder for previously created JKS certs to prevent recreating...
- file:
- path: "{{local_tmp.stdout}}/logging-es.jks"
- state: touch
- mode: "u=rw,g=r,o=r"
+ local_action: file path="{{local_tmp.stdout}}/logging-es.jks" state=touch mode="u=rw,g=r,o=r"
when: logging_es_jks.stat.exists
changed_when: False
- name: Create placeholder for previously created JKS certs to prevent recreating...
- file:
- path: "{{local_tmp.stdout}}/system.admin.jks"
- state: touch
- mode: "u=rw,g=r,o=r"
+ local_action: file path="{{local_tmp.stdout}}/system.admin.jks" state=touch mode="u=rw,g=r,o=r"
when: system_admin_jks.stat.exists
changed_when: False
- name: Create placeholder for previously created JKS certs to prevent recreating...
- file:
- path: "{{local_tmp.stdout}}/truststore.jks"
- state: touch
- mode: "u=rw,g=r,o=r"
+ local_action: file path="{{local_tmp.stdout}}/truststore.jks" state=touch mode="u=rw,g=r,o=r"
when: truststore_jks.stat.exists
changed_when: False
@@ -69,15 +57,16 @@
- ca.serial.txt
- ca.crl.srl
- ca.db
+ when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
- local_action: template src=signing.conf.j2 dest={{local_tmp.stdout}}/signing.conf
vars:
- top_dir: "{{local_tmp.stdout}}"
+ when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
- name: Run JKS generation script
local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}}
check_mode: no
- become: yes
when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists
- name: Pushing locally generated JKS certs to remote host...
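Review bot: The four-way `not ... .stat.exists` condition is now repeated verbatim on three consecutive tasks (the one listing `ca.serial.txt`, `ca.crl.srl`, `ca.db`, the `signing.conf.j2` template, and the script run); compute it once with `set_fact` so the three cannot drift apart. The removal of `become: yes` from the script task deserves a line in the commit message, since it changes which user runs `generate-jks.sh` on the control host.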
@@ -105,7 +94,5 @@
when: not truststore_jks.stat.exists
- name: Cleaning up temp dir
- file:
- path: "{{local_tmp.stdout}}"
- state: absent
+ local_action: file path="{{local_tmp.stdout}}" state=absent
changed_when: False
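Review bot: "Cleaning up temp dir" is still an ordinary last task, so if the JKS script or one of the pushes fails, `{{local_tmp.stdout}}` and the keystores generated in it stay on the control host. Now that the directory is local, put the generation and push tasks in a `block:` with this cleanup under `always:`.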
diff --git a/roles/openshift_logging/tasks/label_node.yaml b/roles/openshift_logging/tasks/label_node.yaml
index aecb5d81b..bd5073381 100644
--- a/roles/openshift_logging/tasks/label_node.yaml
+++ b/roles/openshift_logging/tasks/label_node.yaml
@@ -1,11 +1,34 @@
---
- command: >
{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}}
+ -o jsonpath='{.metadata.labels}'
+ register: node_labels
+ when: not ansible_check_mode
+ changed_when: no
+
+- command: >
+ {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}}
+ register: label_result
+ failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr
+ when:
+ - value is defined
+ - node_labels.stdout is defined
+ - label not in node_labels.stdout
+ - unlabel is not defined or not unlabel
+ - not ansible_check_mode
+
+- command: >
+ {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}}
-o jsonpath='{.metadata.labels.{{ label }}}'
register: label_value
- failed_when: label_value.rc == 1 and 'exists' not in label_value.stderr
- when: not ansible_check_mode
+ ignore_errors: yes
changed_when: no
+ when:
+ - value is defined
+ - node_labels.stdout is defined
+ - label in node_labels.stdout
+ - unlabel is not defined or not unlabel
+ - not ansible_check_mode
- command: >
{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} --overwrite
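Review bot: `label not in node_labels.stdout` and `label in node_labels.stdout` are substring tests against the rendered `.metadata.labels` map, so a label name that occurs inside another label's key or inside any label value counts as present and the first `label node` command is skipped. Compare against the parsed keys instead, for example by requesting `-o json` and testing `label in (node_labels.stdout | from_json).metadata.labels`.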
diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh
index bb046df87..f4315ef34 100755
--- a/roles/openshift_metrics/files/import_jks_certs.sh
+++ b/roles/openshift_metrics/files/import_jks_certs.sh
@@ -114,5 +114,3 @@ function import_certs() {
}
import_certs
-
-exit 0
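Review bot: With `exit 0` gone, the script exits with the status of the last command in `import_certs`, so an earlier failing step is still reported as success unless the script uses `set -e` or checks each command. Please confirm that for the part of the file outside this hunk, since the new `local_action: command` caller relies on the exit code.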
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
index f6bf6c1a6..f5192b005 100644
--- a/roles/openshift_metrics/tasks/import_jks_certs.yaml
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -1,76 +1,4 @@
---
-- name: Check for jks-generator service account
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- get serviceaccount/jks-generator --no-headers
- register: serviceaccount_result
- ignore_errors: yes
- when: not ansible_check_mode
- changed_when: no
-
-- name: Create jks-generator service account
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- create serviceaccount jks-generator
- when: not ansible_check_mode and "not found" in serviceaccount_result.stderr
-
-- name: Check for hostmount-anyuid scc entry
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- get scc hostmount-anyuid
- -o jsonpath='{.users}'
- register: scc_result
- when: not ansible_check_mode
- changed_when: no
-
-- name: Add to hostmount-anyuid scc
- command: >
- {{ openshift.common.admin_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- policy add-scc-to-user hostmount-anyuid
- -z jks-generator
- when:
- - not ansible_check_mode
- - scc_result.stdout.find("system:serviceaccount:{{openshift_metrics_project}}:jks-generator") == -1
-
-- name: Copy JKS generation script
- copy:
- src: import_jks_certs.sh
- dest: "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"
- check_mode: no
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
- register: metrics_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
- register: cassandra_keystore_password
-
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
- register: jgroups_keystore_password
-
-- name: Generate JKS pod template
- template:
- src: jks_pod.j2
- dest: "{{mktemp.stdout}}/jks_pod.yaml"
- vars:
- metrics_keystore_passwd: "{{metrics_keystore_password.content}}"
- cassandra_keystore_passwd: "{{cassandra_keystore_password.content}}"
- metrics_truststore_passwd: "{{hawkular_truststore_password.content}}"
- cassandra_truststore_passwd: "{{cassandra_truststore_password.content}}"
- jgroups_passwd: "{{jgroups_keystore_password.content}}"
- check_mode: no
- changed_when: no
-
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
- register: metrics_keystore
- check_mode: no
-
- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
register: cassandra_keystore
check_mode: no
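Review bot: The tasks that created the `jks-generator` service account and added it to the `hostmount-anyuid` SCC are removed, but nothing revokes them on clusters installed with the previous version, so that grant stays in place after an upgrade. Consider a cleanup task (here or in `uninstall_metrics.yaml`) that removes the service account from `hostmount-anyuid` and deletes it.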
@@ -79,6 +7,10 @@
register: cassandra_truststore
check_mode: no
+- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+ register: metrics_keystore
+ check_mode: no
+
- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
register: metrics_truststore
check_mode: no
@@ -87,32 +19,52 @@
register: jgroups_keystore
check_mode: no
-- name: create JKS pod
- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- create -f {{mktemp.stdout}}/jks_pod.yaml
- -o name
- register: podoutput
- check_mode: no
- when: not metrics_keystore.stat.exists or
- not metrics_truststore.stat.exists or
- not cassandra_keystore.stat.exists or
- not cassandra_truststore.stat.exists or
- not jgroups_keystore.stat.exists
+- block:
+ - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+ register: metrics_keystore_password
+
+ - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+ register: cassandra_keystore_password
+
+ - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+ register: jgroups_keystore_password
+
+ - local_action: command mktemp -d
+ register: local_tmp
+ changed_when: False
+
+ - fetch:
+ dest: "{{local_tmp.stdout}}/"
+ src: "{{ openshift_metrics_certs_dir }}/{{item}}"
+ flat: yes
+ changed_when: False
+ with_items:
+ - hawkular-metrics.pkcs12
+ - hawkular-cassandra.pkcs12
+ - hawkular-metrics.crt
+ - hawkular-cassandra.crt
+ - ca.crt
+
+ - local_action: command {{role_path}}/files/import_jks_certs.sh
+ environment:
+ CERT_DIR: "{{local_tmp.stdout}}"
+ METRICS_KEYSTORE_PASSWD: "{{metrics_keystore_password.content}}"
+ CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}"
+ METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
+ CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}"
+ JGROUPS_PASSWD: "{{jgroups_keystore_password.content}}"
+ changed_when: False
+
+ - copy:
+ dest: "{{openshift_metrics_certs_dir}}/"
+ src: "{{item}}"
+ with_fileglob: "{{local_tmp.stdout}}/*.*store"
+
+ - file:
+ path: "{{local_tmp.stdout}}"
+ state: absent
+ changed_when: False
-- command: >
- {{ openshift.common.client_binary }}
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n {{openshift_metrics_project}}
- get {{podoutput.stdout}}
- -o jsonpath='{.status.phase}'
- register: result
- until: result.stdout.find("Succeeded") != -1
- retries: 5
- delay: 10
- changed_when: no
when: not metrics_keystore.stat.exists or
not metrics_truststore.stat.exists or
not cassandra_keystore.stat.exists or
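Review bot: The final `file: path: "{{local_tmp.stdout}}"` / `state: absent` task in the new block has no `local_action` or `delegate_to: localhost`, so it runs on the target host, while the directory was created on the control host by `local_action: command mktemp -d`. As written, the fetched `.pkcs12` files and the generated keystores stay behind in the controller's temp directory; run the cleanup locally, and consider putting it in an `always:` section so it also runs when `import_jks_certs.sh` fails. Two further points in the same block: `slurp` returns base64-encoded `content`, so the `*_PASSWD` environment values are the encoded form unless `| b64decode` is applied, and `hawkular_truststore_password` and `cassandra_truststore_password` are not registered anywhere in this hunk, so they have to come from an earlier task. Marking the `slurp` and script tasks `no_log: true` would also keep password material out of task output.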
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
index c42440130..1808db5d5 100644
--- a/roles/openshift_metrics/tasks/main.yaml
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -7,6 +7,7 @@
- name: Create temp directory for all our templates
file: path={{mktemp.stdout}}/templates state=directory mode=0755
changed_when: False
+ when: "{{ openshift_metrics_install_metrics | bool }}"
- name: Copy the admin client config(s)
command: >
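Review bot: The added `when: "{{ openshift_metrics_install_metrics | bool }}"` wraps the condition in template delimiters, but `when` is already evaluated as a Jinja2 expression, so the braces and quotes are unnecessary. Write it bare as `when: openshift_metrics_install_metrics | bool`, which also matches the style of the other conditions in this role.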
@@ -15,8 +16,4 @@
check_mode: no
tags: metrics_init
-- include: install_metrics.yaml
- when: openshift_metrics_install_metrics | default(false) | bool
-
-- include: uninstall_metrics.yaml
- when: not openshift_metrics_install_metrics | default(false) | bool
+- include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}"
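Review bot: The replacement `include` on the last added line drops the `| default(false)` that both removed conditions carried, so the templated file name fails to render when `openshift_metrics_install_metrics` is undefined, unless the role's defaults always set it. The old pair ran `uninstall_metrics.yaml` when the variable was unset; keep `default(false)` inside the ternary expression to preserve that, or confirm that a default exists.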
diff --git a/roles/openshift_metrics/templates/jks_pod.j2 b/roles/openshift_metrics/templates/jks_pod.j2
deleted file mode 100644
index e86fe38a4..000000000
--- a/roles/openshift_metrics/templates/jks_pod.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- metrics-infra: support
- generateName: jks-cert-gen-
-spec:
- containers:
- - name: jks-cert-gen
- image: {{openshift_metrics_image_prefix}}metrics-deployer:{{openshift_metrics_image_version}}
- imagePullPolicy: Always
- command: ["sh", "{{openshift_metrics_certs_dir}}/import_jks_certs.sh"]
- securityContext:
- runAsUser: 0
- volumeMounts:
- - mountPath: {{openshift_metrics_certs_dir}}
- name: certmount
- env:
- - name: CERT_DIR
- value: {{openshift_metrics_certs_dir}}
- - name: METRICS_KEYSTORE_PASSWD
- value: {{metrics_keystore_passwd}}
- - name: CASSANDRA_KEYSTORE_PASSWD
- value: {{cassandra_keystore_passwd}}
- - name: METRICS_TRUSTSTORE_PASSWD
- value: {{metrics_truststore_passwd}}
- - name: CASSANDRA_TRUSTSTORE_PASSWD
- value: {{cassandra_truststore_passwd}}
- - name: hawkular_cassandra_alias
- value: {{cassandra_keystore_passwd}}
- - name: JGROUPS_PASSWD
- value: {{jgroups_passwd}}
- restartPolicy: Never
- serviceAccount: jks-generator
- volumes:
- - hostPath:
- path: "{{openshift_metrics_certs_dir}}"
- name: certmount
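Review bot: With this template deleted, nothing in the hunk still uses the `jks-generator` service account named in `serviceAccount:`. Check that the tasks creating that account, and any privileges given to it for `runAsUser: 0` and the `hostPath` mount, are removed in the same change, so an unused privileged account is not left in the metrics project.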
diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py
index 4ba38b721..8d4878fa7 100755
--- a/roles/os_firewall/library/os_firewall_manage_iptables.py
+++ b/roles/os_firewall/library/os_firewall_manage_iptables.py
@@ -224,8 +224,8 @@ class IpTablesManager(object): # pylint: disable=too-many-instance-attributes
def gen_cmd(self):
cmd = 'iptables' if self.ip_version == 'ipv4' else 'ip6tables'
# Include -w (wait for xtables lock) in default arguments.
- default_args = '-w'
- return ["/usr/sbin/%s %s" % (cmd, default_args)]
+ default_args = ['-w']
+ return ["/usr/sbin/%s" % cmd] + default_args
def gen_save_cmd(self): # pylint: disable=no-self-use
return ['/usr/libexec/iptables/iptables.init', 'save']
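Review bot: `gen_cmd` now returns one argv element per token but still has no docstring, and the intermediate `default_args` list adds little. Document that the return value is an argument list that callers extend with further list elements rather than string formatting, and add a unit test asserting the result is `['/usr/sbin/iptables', '-w']` for `ipv4`.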
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index 1101870be..c4db197ca 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -1,7 +1,8 @@
---
- name: Install firewalld packages
- package: name=firewalld state=present
- when: not openshift.common.is_containerized | bool
+ package:
+ name: firewalld
+ state: present
- name: Ensure iptables services are not enabled
systemd:
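Review bot: The `when: not openshift.common.is_containerized | bool` guard on the firewalld install is removed together with the syntax change, so the package task now also runs on containerized hosts. If that is intended, say so in the commit message; if not, keep the condition under the new `package:` mapping.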
diff --git a/utils/test-requirements.txt b/utils/test-requirements.txt
index f6a7bde10..aebfe7c39 100644
--- a/utils/test-requirements.txt
+++ b/utils/test-requirements.txt
@@ -13,3 +13,5 @@ pyOpenSSL
yamllint
tox
detox
+# Temporary work-around for flake8 vs maccabe version conflict
+mccabe==0.5.3
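Review bot: The added comment spells the package `maccabe` while the pin on the next line is `mccabe==0.5.3`; fix the spelling. Since the pin is marked temporary, reference the upstream issue or state the condition under which it can be removed, so it does not outlive the conflict.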