summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--playbooks/aws/provisioning_vars.yml.example6
-rw-r--r--playbooks/init/base_packages.yml1
-rw-r--r--roles/openshift_aws/defaults/main.yml124
-rw-r--r--roles/openshift_aws/tasks/elb.yml12
-rw-r--r--roles/openshift_aws/tasks/master_facts.yml2
-rw-r--r--roles/openshift_aws/tasks/provision_elb.yml1
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py4
-rw-r--r--roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml86
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml79
-rw-r--r--roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j227
-rw-r--r--roles/openshift_service_catalog/templates/sc_view_role_patching.j211
11 files changed, 184 insertions, 169 deletions
diff --git a/playbooks/aws/provisioning_vars.yml.example b/playbooks/aws/provisioning_vars.yml.example
index a1a8a5b08..78484fdbd 100644
--- a/playbooks/aws/provisioning_vars.yml.example
+++ b/playbooks/aws/provisioning_vars.yml.example
@@ -21,6 +21,12 @@ openshift_release: # v3.7
# This will be dependent on the version provided by the yum repository
openshift_pkg_version: # -3.7.0
+# OpenShift api port
+# Fulfills a chicken/egg scenario with how Ansible treats host inventory file
+# and extra_vars. This is used for SecurityGroups, ELB Listeners as well as
+# an override to installer inventory openshift_master_api_port key
+# openshift_master_api_port: 8443
+
# specify a clusterid
# This value is also used as the default value for many other components.
#openshift_aws_clusterid: default
diff --git a/playbooks/init/base_packages.yml b/playbooks/init/base_packages.yml
index e1052fb6c..0a730a88a 100644
--- a/playbooks/init/base_packages.yml
+++ b/playbooks/init/base_packages.yml
@@ -16,6 +16,7 @@
- iproute
- "{{ 'python3-dbus' if ansible_distribution == 'Fedora' else 'dbus-python' }}"
- "{{ 'python3-PyYAML' if ansible_distribution == 'Fedora' else 'PyYAML' }}"
+ - "{{ 'python-ipaddress' if ansible_distribution != 'Fedora' else omit }}"
- yum-utils
register: result
until: result is succeeded
diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml
index e14d57702..178e0849c 100644
--- a/roles/openshift_aws/defaults/main.yml
+++ b/roles/openshift_aws/defaults/main.yml
@@ -42,60 +42,77 @@ openshift_aws_ami_tags:
openshift_aws_s3_mode: create
openshift_aws_s3_bucket_name: "{{ openshift_aws_clusterid }}-docker-registry"
-openshift_aws_elb_health_check:
- ping_protocol: tcp
- ping_port: 443
- response_timeout: 5
- interval: 30
- unhealthy_threshold: 2
- healthy_threshold: 2
-
openshift_aws_elb_basename: "{{ openshift_aws_clusterid }}"
-openshift_aws_elb_name_dict:
- master:
- external: "{{ openshift_aws_elb_basename }}-master-external"
- internal: "{{ openshift_aws_elb_basename }}-master-internal"
- infra:
- external: "{{ openshift_aws_elb_basename }}-infra"
-
-openshift_aws_elb_idle_timout: 400
-
-openshift_aws_elb_cert_arn: ''
openshift_aws_elb_dict:
master:
external:
- - protocol: tcp
- load_balancer_port: 80
- instance_protocol: ssl
- instance_port: 443
- - protocol: ssl
- load_balancer_port: 443
- instance_protocol: ssl
- instance_port: 443
- # ssl certificate required for https or ssl
- ssl_certificate_id: "{{ openshift_aws_elb_cert_arn }}"
+ cross_az_load_balancing: False
+ health_check:
+ ping_protocol: tcp
+ ping_port: "{{ openshift_master_api_port | default(8443) }}"
+ response_timeout: 5
+ interval: 30
+ unhealthy_threshold: 2
+ healthy_threshold: 2
+ idle_timout: 400
+ listeners:
+ - protocol: tcp
+ load_balancer_port: 80
+ instance_protocol: ssl
+ instance_port: "{{ openshift_master_api_port | default(8443) }}"
+ - protocol: ssl
+ load_balancer_port: "{{ openshift_master_api_port | default(8443) }}"
+ instance_protocol: ssl
+ instance_port: "{{ openshift_master_api_port | default(8443) }}"
+ ssl_certificate_id: ''
+ name: "{{ openshift_aws_elb_basename }}-master-external"
+ tags: "{{ openshift_aws_kube_tags }}"
internal:
- - protocol: tcp
- load_balancer_port: 80
- instance_protocol: tcp
- instance_port: 80
- - protocol: tcp
- load_balancer_port: 443
- instance_protocol: tcp
- instance_port: 443
+ cross_az_load_balancing: False
+ health_check:
+ ping_protocol: tcp
+ ping_port: "{{ openshift_master_api_port | default(8443) }}"
+ response_timeout: 5
+ interval: 30
+ unhealthy_threshold: 2
+ healthy_threshold: 2
+ idle_timout: 400
+ listeners:
+ - protocol: tcp
+ load_balancer_port: 80
+ instance_protocol: tcp
+ instance_port: 80
+ - protocol: tcp
+ load_balancer_port: "{{ openshift_master_api_port | default(8443) }}"
+ instance_protocol: tcp
+ instance_port: "{{ openshift_master_api_port | default(8443) }}"
+ name: "{{ openshift_aws_elb_basename }}-master-internal"
+ tags: "{{ openshift_aws_kube_tags }}"
infra:
external:
- - protocol: tcp
- load_balancer_port: 80
- instance_protocol: tcp
- instance_port: 443
- proxy_protocol: True
- - protocol: tcp
- load_balancer_port: 443
- instance_protocol: tcp
- instance_port: 443
- proxy_protocol: True
+ cross_az_load_balancing: False
+ health_check:
+ ping_protocol: tcp
+ ping_port: 443
+ response_timeout: 5
+ interval: 30
+ unhealthy_threshold: 2
+ healthy_threshold: 2
+ idle_timout: 400
+ listeners:
+ - protocol: tcp
+ load_balancer_port: 80
+ instance_protocol: tcp
+ instance_port: 443
+ proxy_protocol: True
+ - protocol: tcp
+ load_balancer_port: 443
+ instance_protocol: tcp
+ instance_port: 443
+ proxy_protocol: True
+ name: "{{ openshift_aws_elb_basename }}-infra"
+ tags: "{{ openshift_aws_kube_tags }}"
openshift_aws_node_group_config_master_volumes:
- device_name: /dev/sda1
@@ -172,7 +189,7 @@ openshift_aws_master_group_config:
iam_role: "{{ openshift_aws_iam_role_name }}"
policy_name: "{{ openshift_aws_iam_role_policy_name }}"
policy_json: "{{ openshift_aws_iam_role_policy_json }}"
- elbs: "{{ openshift_aws_elb_name_dict['master'].keys()| map('extract', openshift_aws_elb_name_dict['master']) | list }}"
+ elbs: "{{ openshift_aws_elb_dict | json_query('master.[*][0][*].name') }}"
openshift_aws_node_group_config:
# The 'compute' key is always required here.
@@ -205,10 +222,7 @@ openshift_aws_node_group_config:
iam_role: "{{ openshift_aws_iam_role_name }}"
policy_name: "{{ openshift_aws_iam_role_policy_name }}"
policy_json: "{{ openshift_aws_iam_role_policy_json }}"
- elbs: "{{ openshift_aws_elb_name_dict['infra'].keys()| map('extract', openshift_aws_elb_name_dict['infra']) | list }}"
-
-openshift_aws_elb_tags: "{{ openshift_aws_kube_tags }}"
-openshift_aws_elb_az_load_balancing: False
+ elbs: "{{ openshift_aws_elb_dict | json_query('infra.[*][0][*].name') }}"
# build_instance_tags is a custom filter in role lib_utils
openshift_aws_kube_tags: "{{ openshift_aws_clusterid | build_instance_tags }}"
@@ -253,8 +267,8 @@ openshift_aws_node_security_groups:
to_port: 80
cidr_ip: 0.0.0.0/0
- proto: tcp
- from_port: 443
- to_port: 443
+ from_port: "{{ openshift_master_api_port | default(8443) }}"
+ to_port: "{{ openshift_master_api_port | default(8443) }}"
cidr_ip: 0.0.0.0/0
compute:
name: "{{ openshift_aws_clusterid }}_compute"
@@ -268,8 +282,8 @@ openshift_aws_node_security_groups:
to_port: 80
cidr_ip: 0.0.0.0/0
- proto: tcp
- from_port: 443
- to_port: 443
+ from_port: "{{ openshift_master_api_port | default(8443) }}"
+ to_port: "{{ openshift_master_api_port | default(8443) }}"
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 30000
diff --git a/roles/openshift_aws/tasks/elb.yml b/roles/openshift_aws/tasks/elb.yml
index 6f0028a3d..d8257cf31 100644
--- a/roles/openshift_aws/tasks/elb.yml
+++ b/roles/openshift_aws/tasks/elb.yml
@@ -5,18 +5,18 @@
- name: "Create ELB {{ l_elb_dict_item.key }}"
ec2_elb_lb:
- name: "{{ l_openshift_aws_elb_name_dict[l_elb_dict_item.key][item.key] }}"
+ name: "{{ item.value.name }}"
state: present
- cross_az_load_balancing: "{{ openshift_aws_elb_az_load_balancing }}"
+ cross_az_load_balancing: "{{ item.value.cross_az_load_balancing }}"
security_group_names: "{{ l_elb_security_groups[l_elb_dict_item.key] }}"
- idle_timeout: "{{ openshift_aws_elb_idle_timout }}"
+ idle_timeout: "{{ item.value.idle_timout }}"
region: "{{ openshift_aws_region }}"
subnets:
- "{{ subnetout.subnets[0].id }}"
- health_check: "{{ openshift_aws_elb_health_check }}"
- listeners: "{{ item.value }}"
+ health_check: "{{ item.value.health_check }}"
+ listeners: "{{ item.value.listeners }}"
scheme: "{{ (item.key == 'internal') | ternary('internal','internet-facing') }}"
- tags: "{{ openshift_aws_elb_tags }}"
+ tags: "{{ item.value.tags }}"
wait: True
register: new_elb
with_dict: "{{ l_elb_dict_item.value }}"
diff --git a/roles/openshift_aws/tasks/master_facts.yml b/roles/openshift_aws/tasks/master_facts.yml
index 530b0134d..c2e362acd 100644
--- a/roles/openshift_aws/tasks/master_facts.yml
+++ b/roles/openshift_aws/tasks/master_facts.yml
@@ -3,7 +3,7 @@
ec2_elb_facts:
region: "{{ openshift_aws_region }}"
names:
- - "{{ openshift_aws_elb_name_dict['master']['internal'] }}"
+ - "{{ openshift_aws_elb_dict['master']['internal']['name'] }}"
delegate_to: localhost
register: elbs
diff --git a/roles/openshift_aws/tasks/provision_elb.yml b/roles/openshift_aws/tasks/provision_elb.yml
index a52f63bd5..fcc49c3ea 100644
--- a/roles/openshift_aws/tasks/provision_elb.yml
+++ b/roles/openshift_aws/tasks/provision_elb.yml
@@ -10,6 +10,5 @@
with_dict: "{{ openshift_aws_elb_dict }}"
vars:
l_elb_security_groups: "{{ openshift_aws_elb_security_groups }}"
- l_openshift_aws_elb_name_dict: "{{ openshift_aws_elb_name_dict }}"
loop_control:
loop_var: l_elb_dict_item
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index d6d31effd..452cc4ef6 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -15,8 +15,10 @@ import os
import yaml
import struct
import socket
+import ipaddress
from distutils.util import strtobool
from distutils.version import LooseVersion
+from ansible.module_utils.six import u
from ansible.module_utils.six import string_types
from ansible.module_utils.six.moves import configparser
@@ -1146,6 +1148,8 @@ def set_proxy_facts(facts):
if 'no_proxy_internal_hostnames' in common:
common['no_proxy'].extend(common['no_proxy_internal_hostnames'].split(','))
# We always add local dns domain and ourselves no matter what
+ kube_svc_ip = str(ipaddress.ip_network(u(common['portal_net']))[1])
+ common['no_proxy'].append(kube_svc_ip)
common['no_proxy'].append('.' + common['dns_domain'])
common['no_proxy'].append('.svc')
common['no_proxy'].append(common['hostname'])
diff --git a/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml b/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml
new file mode 100644
index 000000000..28abcbcfc
--- /dev/null
+++ b/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml
@@ -0,0 +1,86 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: system:service-catalog:aggregate-to-admin
+rules:
+- apiGroups:
+ - "servicecatalog.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - serviceinstances
+ - servicebindings
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - "settings.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - podpresets
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ name: system:service-catalog:aggregate-to-edit
+rules:
+- apiGroups:
+ - "servicecatalog.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - serviceinstances
+ - servicebindings
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - "settings.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - podpresets
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: system:service-catalog:aggregate-to-view
+rules:
+- apiGroups:
+ - "servicecatalog.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - serviceinstances
+ - servicebindings
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 9b38a85c4..4d06c1872 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -74,74 +74,17 @@
template_name: kube-system-service-catalog-role-bindings
namespace: kube-system
-- oc_obj:
- name: edit
- kind: clusterrole
- state: list
- register: edit_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/edit
- template:
- src: sc_admin_edit_role_patching.j2
- dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
- vars:
- original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
- when:
- - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update edit role for service catalog and pod preset access
- command: >
- {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
- when:
- - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-- oc_obj:
- name: admin
- kind: clusterrole
- state: list
- register: admin_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/admin
- template:
- src: sc_admin_edit_role_patching.j2
- dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
- vars:
- original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
- when:
- - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update admin role for service catalog and pod preset access
- command: >
- {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
- when:
- - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-- oc_obj:
- name: view
- kind: clusterrole
- state: list
- register: view_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/view
- template:
- src: sc_view_role_patching.j2
- dest: "{{ mktemp.stdout }}/view_sc_patch.yml"
- vars:
- original_content: "{{ view_yaml.results.results[0] | to_yaml }}"
- when:
- - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update view role for service catalog access
- command: >
- {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/view_sc_patch.yml
- when:
- - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
+- copy:
+ src: openshift_catalog_clusterroles.yml
+ dest: "{{ mktemp.stdout }}/openshift_catalog_clusterroles.yml"
+
+- name: Apply Service Catalog cluster roles
+ retries: 5
+ delay: 2
+ register: task_result
+ until: task_result.rc == 0
+ shell: >
+ {{ openshift_client_binary }} auth reconcile --config={{ openshift.common.config_base }}/master/admin.kubeconfig -f {{ mktemp.stdout}}/openshift_catalog_clusterroles.yml
- oc_adm_policy_user:
namespace: kube-service-catalog
diff --git a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
deleted file mode 100644
index 59cceafcf..000000000
--- a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-{{ original_content }}
-- apiGroups:
- - "servicecatalog.k8s.io"
- attributeRestrictions: null
- resources:
- - serviceinstances
- - servicebindings
- verbs:
- - create
- - update
- - delete
- - get
- - list
- - watch
- - patch
-- apiGroups:
- - "settings.k8s.io"
- attributeRestrictions: null
- resources:
- - podpresets
- verbs:
- - create
- - update
- - delete
- - get
- - list
- - watch
diff --git a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2
deleted file mode 100644
index 838993854..000000000
--- a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-{{ original_content }}
-- apiGroups:
- - "servicecatalog.k8s.io"
- attributeRestrictions: null
- resources:
- - serviceinstances
- - servicebindings
- verbs:
- - get
- - list
- - watch