diff options
-rw-r--r-- | playbooks/aws/provisioning_vars.yml.example | 6 | ||||
-rw-r--r-- | playbooks/init/base_packages.yml | 1 | ||||
-rw-r--r-- | roles/openshift_aws/defaults/main.yml | 124 | ||||
-rw-r--r-- | roles/openshift_aws/tasks/elb.yml | 12 | ||||
-rw-r--r-- | roles/openshift_aws/tasks/master_facts.yml | 2 | ||||
-rw-r--r-- | roles/openshift_aws/tasks/provision_elb.yml | 1 | ||||
-rwxr-xr-x | roles/openshift_facts/library/openshift_facts.py | 4 | ||||
-rw-r--r-- | roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml | 86 | ||||
-rw-r--r-- | roles/openshift_service_catalog/tasks/install.yml | 79 | ||||
-rw-r--r-- | roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 | 27 | ||||
-rw-r--r-- | roles/openshift_service_catalog/templates/sc_view_role_patching.j2 | 11 |
11 files changed, 184 insertions, 169 deletions
diff --git a/playbooks/aws/provisioning_vars.yml.example b/playbooks/aws/provisioning_vars.yml.example index a1a8a5b08..78484fdbd 100644 --- a/playbooks/aws/provisioning_vars.yml.example +++ b/playbooks/aws/provisioning_vars.yml.example @@ -21,6 +21,12 @@ openshift_release: # v3.7 # This will be dependent on the version provided by the yum repository openshift_pkg_version: # -3.7.0 +# OpenShift api port +# Fulfills a chicken/egg scenario with how Ansible treats host inventory file +# and extra_vars. This is used for SecurityGroups, ELB Listeners as well as +# an override to installer inventory openshift_master_api_port key +# openshift_master_api_port: 8443 + # specify a clusterid # This value is also used as the default value for many other components. #openshift_aws_clusterid: default diff --git a/playbooks/init/base_packages.yml b/playbooks/init/base_packages.yml index e1052fb6c..0a730a88a 100644 --- a/playbooks/init/base_packages.yml +++ b/playbooks/init/base_packages.yml @@ -16,6 +16,7 @@ - iproute - "{{ 'python3-dbus' if ansible_distribution == 'Fedora' else 'dbus-python' }}" - "{{ 'python3-PyYAML' if ansible_distribution == 'Fedora' else 'PyYAML' }}" + - "{{ 'python-ipaddress' if ansible_distribution != 'Fedora' else omit }}" - yum-utils register: result until: result is succeeded diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml index e14d57702..178e0849c 100644 --- a/roles/openshift_aws/defaults/main.yml +++ b/roles/openshift_aws/defaults/main.yml @@ -42,60 +42,77 @@ openshift_aws_ami_tags: openshift_aws_s3_mode: create openshift_aws_s3_bucket_name: "{{ openshift_aws_clusterid }}-docker-registry" -openshift_aws_elb_health_check: - ping_protocol: tcp - ping_port: 443 - response_timeout: 5 - interval: 30 - unhealthy_threshold: 2 - healthy_threshold: 2 - openshift_aws_elb_basename: "{{ openshift_aws_clusterid }}" -openshift_aws_elb_name_dict: - master: - external: "{{ openshift_aws_elb_basename }}-master-external" - internal: "{{ openshift_aws_elb_basename }}-master-internal" - infra: - external: "{{ openshift_aws_elb_basename }}-infra" - -openshift_aws_elb_idle_timout: 400 - -openshift_aws_elb_cert_arn: '' openshift_aws_elb_dict: master: external: - - protocol: tcp - load_balancer_port: 80 - instance_protocol: ssl - instance_port: 443 - - protocol: ssl - load_balancer_port: 443 - instance_protocol: ssl - instance_port: 443 - # ssl certificate required for https or ssl - ssl_certificate_id: "{{ openshift_aws_elb_cert_arn }}" + cross_az_load_balancing: False + health_check: + ping_protocol: tcp + ping_port: "{{ openshift_master_api_port | default(8443) }}" + response_timeout: 5 + interval: 30 + unhealthy_threshold: 2 + healthy_threshold: 2 + idle_timout: 400 + listeners: + - protocol: tcp + load_balancer_port: 80 + instance_protocol: ssl + instance_port: "{{ openshift_master_api_port | default(8443) }}" + - protocol: ssl + load_balancer_port: "{{ openshift_master_api_port | default(8443) }}" + instance_protocol: ssl + instance_port: "{{ openshift_master_api_port | default(8443) }}" + ssl_certificate_id: '' + name: "{{ openshift_aws_elb_basename }}-master-external" + tags: "{{ openshift_aws_kube_tags }}" internal: - - protocol: tcp - load_balancer_port: 80 - instance_protocol: tcp - instance_port: 80 - - protocol: tcp - load_balancer_port: 443 - instance_protocol: tcp - instance_port: 443 + cross_az_load_balancing: False + health_check: + ping_protocol: tcp + ping_port: "{{ openshift_master_api_port | default(8443) }}" + response_timeout: 5 + interval: 30 + unhealthy_threshold: 2 + healthy_threshold: 2 + idle_timout: 400 + listeners: + - protocol: tcp + load_balancer_port: 80 + instance_protocol: tcp + instance_port: 80 + - protocol: tcp + load_balancer_port: "{{ openshift_master_api_port | default(8443) }}" + instance_protocol: tcp + instance_port: "{{ openshift_master_api_port | default(8443) }}" + name: "{{ openshift_aws_elb_basename }}-master-internal" + tags: "{{ openshift_aws_kube_tags }}" infra: external: - - protocol: tcp - load_balancer_port: 80 - instance_protocol: tcp - instance_port: 443 - proxy_protocol: True - - protocol: tcp - load_balancer_port: 443 - instance_protocol: tcp - instance_port: 443 - proxy_protocol: True + cross_az_load_balancing: False + health_check: + ping_protocol: tcp + ping_port: 443 + response_timeout: 5 + interval: 30 + unhealthy_threshold: 2 + healthy_threshold: 2 + idle_timout: 400 + listeners: + - protocol: tcp + load_balancer_port: 80 + instance_protocol: tcp + instance_port: 443 + proxy_protocol: True + - protocol: tcp + load_balancer_port: 443 + instance_protocol: tcp + instance_port: 443 + proxy_protocol: True + name: "{{ openshift_aws_elb_basename }}-infra" + tags: "{{ openshift_aws_kube_tags }}" openshift_aws_node_group_config_master_volumes: - device_name: /dev/sda1 @@ -172,7 +189,7 @@ openshift_aws_master_group_config: iam_role: "{{ openshift_aws_iam_role_name }}" policy_name: "{{ openshift_aws_iam_role_policy_name }}" policy_json: "{{ openshift_aws_iam_role_policy_json }}" - elbs: "{{ openshift_aws_elb_name_dict['master'].keys()| map('extract', openshift_aws_elb_name_dict['master']) | list }}" + elbs: "{{ openshift_aws_elb_dict | json_query('master.[*][0][*].name') }}" openshift_aws_node_group_config: # The 'compute' key is always required here. @@ -205,10 +222,7 @@ openshift_aws_node_group_config: iam_role: "{{ openshift_aws_iam_role_name }}" policy_name: "{{ openshift_aws_iam_role_policy_name }}" policy_json: "{{ openshift_aws_iam_role_policy_json }}" - elbs: "{{ openshift_aws_elb_name_dict['infra'].keys()| map('extract', openshift_aws_elb_name_dict['infra']) | list }}" - -openshift_aws_elb_tags: "{{ openshift_aws_kube_tags }}" -openshift_aws_elb_az_load_balancing: False + elbs: "{{ openshift_aws_elb_dict | json_query('infra.[*][0][*].name') }}" # build_instance_tags is a custom filter in role lib_utils openshift_aws_kube_tags: "{{ openshift_aws_clusterid | build_instance_tags }}" @@ -253,8 +267,8 @@ openshift_aws_node_security_groups: to_port: 80 cidr_ip: 0.0.0.0/0 - proto: tcp - from_port: 443 - to_port: 443 + from_port: "{{ openshift_master_api_port | default(8443) }}" + to_port: "{{ openshift_master_api_port | default(8443) }}" cidr_ip: 0.0.0.0/0 compute: name: "{{ openshift_aws_clusterid }}_compute" @@ -268,8 +282,8 @@ openshift_aws_node_security_groups: to_port: 80 cidr_ip: 0.0.0.0/0 - proto: tcp - from_port: 443 - to_port: 443 + from_port: "{{ openshift_master_api_port | default(8443) }}" + to_port: "{{ openshift_master_api_port | default(8443) }}" cidr_ip: 0.0.0.0/0 - proto: tcp from_port: 30000 diff --git a/roles/openshift_aws/tasks/elb.yml b/roles/openshift_aws/tasks/elb.yml index 6f0028a3d..d8257cf31 100644 --- a/roles/openshift_aws/tasks/elb.yml +++ b/roles/openshift_aws/tasks/elb.yml @@ -5,18 +5,18 @@ - name: "Create ELB {{ l_elb_dict_item.key }}" ec2_elb_lb: - name: "{{ l_openshift_aws_elb_name_dict[l_elb_dict_item.key][item.key] }}" + name: "{{ item.value.name }}" state: present - cross_az_load_balancing: "{{ openshift_aws_elb_az_load_balancing }}" + cross_az_load_balancing: "{{ item.value.cross_az_load_balancing }}" security_group_names: "{{ l_elb_security_groups[l_elb_dict_item.key] }}" - idle_timeout: "{{ openshift_aws_elb_idle_timout }}" + idle_timeout: "{{ item.value.idle_timout }}" region: "{{ openshift_aws_region }}" subnets: - "{{ subnetout.subnets[0].id }}" - health_check: "{{ openshift_aws_elb_health_check }}" - listeners: "{{ item.value }}" + health_check: "{{ item.value.health_check }}" + listeners: "{{ item.value.listeners }}" scheme: "{{ (item.key == 'internal') | ternary('internal','internet-facing') }}" - tags: "{{ openshift_aws_elb_tags }}" + tags: "{{ item.value.tags }}" wait: True register: new_elb with_dict: "{{ l_elb_dict_item.value }}" diff --git a/roles/openshift_aws/tasks/master_facts.yml b/roles/openshift_aws/tasks/master_facts.yml index 530b0134d..c2e362acd 100644 --- a/roles/openshift_aws/tasks/master_facts.yml +++ b/roles/openshift_aws/tasks/master_facts.yml @@ -3,7 +3,7 @@ ec2_elb_facts: region: "{{ openshift_aws_region }}" names: - - "{{ openshift_aws_elb_name_dict['master']['internal'] }}" + - "{{ openshift_aws_elb_dict['master']['internal']['name'] }}" delegate_to: localhost register: elbs diff --git a/roles/openshift_aws/tasks/provision_elb.yml b/roles/openshift_aws/tasks/provision_elb.yml index a52f63bd5..fcc49c3ea 100644 --- a/roles/openshift_aws/tasks/provision_elb.yml +++ b/roles/openshift_aws/tasks/provision_elb.yml @@ -10,6 +10,5 @@ with_dict: "{{ openshift_aws_elb_dict }}" vars: l_elb_security_groups: "{{ openshift_aws_elb_security_groups }}" - l_openshift_aws_elb_name_dict: "{{ openshift_aws_elb_name_dict }}" loop_control: loop_var: l_elb_dict_item diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index d6d31effd..452cc4ef6 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -15,8 +15,10 @@ import os import yaml import struct import socket +import ipaddress from distutils.util import strtobool from distutils.version import LooseVersion +from ansible.module_utils.six import u from ansible.module_utils.six import string_types from ansible.module_utils.six.moves import configparser @@ -1146,6 +1148,8 @@ def set_proxy_facts(facts): if 'no_proxy_internal_hostnames' in common: common['no_proxy'].extend(common['no_proxy_internal_hostnames'].split(',')) # We always add local dns domain and ourselves no matter what + kube_svc_ip = str(ipaddress.ip_network(u(common['portal_net']))[1]) + common['no_proxy'].append(kube_svc_ip) common['no_proxy'].append('.' + common['dns_domain']) common['no_proxy'].append('.svc') common['no_proxy'].append(common['hostname']) diff --git a/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml b/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml new file mode 100644 index 000000000..28abcbcfc --- /dev/null +++ b/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml @@ -0,0 +1,86 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: system:service-catalog:aggregate-to-admin +rules: +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - serviceinstances + - servicebindings + verbs: + - create + - update + - delete + - get + - list + - watch + - patch +- apiGroups: + - "settings.k8s.io" + attributeRestrictions: null + resources: + - podpresets + verbs: + - create + - update + - delete + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: system:service-catalog:aggregate-to-edit +rules: +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - serviceinstances + - servicebindings + verbs: + - create + - update + - delete + - get + - list + - watch + - patch +- apiGroups: + - "settings.k8s.io" + attributeRestrictions: null + resources: + - podpresets + verbs: + - create + - update + - delete + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: system:service-catalog:aggregate-to-view +rules: +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - serviceinstances + - servicebindings + verbs: + - get + - list + - watch diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 9b38a85c4..4d06c1872 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -74,74 +74,17 @@ template_name: kube-system-service-catalog-role-bindings namespace: kube-system -- oc_obj: - name: edit - kind: clusterrole - state: list - register: edit_yaml - -# only do this if we don't already have the updated role info -- name: Generate apply template for clusterrole/edit - template: - src: sc_admin_edit_role_patching.j2 - dest: "{{ mktemp.stdout }}/edit_sc_patch.yml" - vars: - original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" - when: - - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) - -# only do this if we don't already have the updated role info -- name: update edit role for service catalog and pod preset access - command: > - {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/edit_sc_patch.yml - when: - - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) - -- oc_obj: - name: admin - kind: clusterrole - state: list - register: admin_yaml - -# only do this if we don't already have the updated role info -- name: Generate apply template for clusterrole/admin - template: - src: sc_admin_edit_role_patching.j2 - dest: "{{ mktemp.stdout }}/admin_sc_patch.yml" - vars: - original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" - when: - - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) - -# only do this if we don't already have the updated role info -- name: update admin role for service catalog and pod preset access - command: > - {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/admin_sc_patch.yml - when: - - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) - -- oc_obj: - name: view - kind: clusterrole - state: list - register: view_yaml - -# only do this if we don't already have the updated role info -- name: Generate apply template for clusterrole/view - template: - src: sc_view_role_patching.j2 - dest: "{{ mktemp.stdout }}/view_sc_patch.yml" - vars: - original_content: "{{ view_yaml.results.results[0] | to_yaml }}" - when: - - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) - -# only do this if we don't already have the updated role info -- name: update view role for service catalog access - command: > - {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/view_sc_patch.yml - when: - - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) +- copy: + src: openshift_catalog_clusterroles.yml + dest: "{{ mktemp.stdout }}/openshift_catalog_clusterroles.yml" + +- name: Apply Service Catalog cluster roles + retries: 5 + delay: 2 + register: task_result + until: task_result.rc == 0 + shell: > + {{ openshift_client_binary }} auth reconcile --config={{ openshift.common.config_base }}/master/admin.kubeconfig -f {{ mktemp.stdout}}/openshift_catalog_clusterroles.yml - oc_adm_policy_user: namespace: kube-service-catalog diff --git a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 deleted file mode 100644 index 59cceafcf..000000000 --- a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 +++ /dev/null @@ -1,27 +0,0 @@ -{{ original_content }} -- apiGroups: - - "servicecatalog.k8s.io" - attributeRestrictions: null - resources: - - serviceinstances - - servicebindings - verbs: - - create - - update - - delete - - get - - list - - watch - - patch -- apiGroups: - - "settings.k8s.io" - attributeRestrictions: null - resources: - - podpresets - verbs: - - create - - update - - delete - - get - - list - - watch diff --git a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 deleted file mode 100644 index 838993854..000000000 --- a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 +++ /dev/null @@ -1,11 +0,0 @@ -{{ original_content }} -- apiGroups: - - "servicecatalog.k8s.io" - attributeRestrictions: null - resources: - - serviceinstances - - servicebindings - verbs: - - get - - list - - watch |