-rw-r--r--README_OSE.md12
-rw-r--r--README_origin.md6
-rw-r--r--inventory/byo/hosts2
-rw-r--r--playbooks/common/openshift-node/config.yml10
-rw-r--r--roles/openshift_common/tasks/main.yml1
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py8
-rw-r--r--roles/openshift_master/tasks/main.yml25
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j229
-rw-r--r--roles/openshift_node/tasks/main.yml28
-rw-r--r--roles/openshift_node/templates/node.yaml.v1.j26
-rw-r--r--roles/openshift_node_certificates/README.md34
-rw-r--r--roles/openshift_node_certificates/meta/main.yml16
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml35
-rw-r--r--roles/openshift_node_certificates/vars/main.yml8
-rw-r--r--roles/openshift_register_nodes/README.md23
-rw-r--r--roles/openshift_register_nodes/tasks/main.yml7
16 files changed, 176 insertions, 74 deletions
diff --git a/README_OSE.md b/README_OSE.md
index dffabc714..5a691053c 100644
--- a/README_OSE.md
+++ b/README_OSE.md
@@ -19,7 +19,7 @@
* Either ssh key based auth for the root user or ssh key based auth for a user
with sudo access (no password)
* A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/
-
+
```sh
git clone https://github.com/openshift/openshift-ansible.git
cd openshift-ansible
@@ -80,7 +80,7 @@ ansible_ssh_user=root
deployment_type=enterprise
# Pre-release registry URL
-oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}
+oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}
# Pre-release additional repo
openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel',
@@ -120,16 +120,16 @@ inventory file use the -i option for ansible-playbook.
On the master host:
```sh
openshift ex router --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig \
- --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}'
+ --credentials=/etc/openshift/master/openshift-router.kubeconfig \
+ --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}'
```
#### Create the default docker-registry
On the master host:
```sh
openshift ex registry --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \
- --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}' \
+ --credentials=/etc/openshift/master/openshift-registry.kubeconfig \
+ --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}' \
--mount-host=/var/lib/openshift/docker-registry
```
diff --git a/README_origin.md b/README_origin.md
index 5b3fd2435..32287d65c 100644
--- a/README_origin.md
+++ b/README_origin.md
@@ -19,7 +19,7 @@
* Either ssh key based auth for the root user or ssh key based auth for a user
with sudo access (no password)
* A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/
-
+
```sh
git clone https://github.com/openshift/openshift-ansible.git
cd openshift-ansible
@@ -92,14 +92,14 @@ inventory file use the -i option for ansible-playbook.
On the master host:
```sh
openshift ex router --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig
+ --credentials=/etc/openshift/master/openshift-router.kubeconfig
```
#### Create the default docker-registry
On the master host:
```sh
openshift ex registry --create=true \
- --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \
+ --credentials=/etc/openshift/master/openshift-registry.kubeconfig \
--mount-host=/var/lib/openshift/docker-registry
```
diff --git a/inventory/byo/hosts b/inventory/byo/hosts
index 4d4da5468..ab54ce2db 100644
--- a/inventory/byo/hosts
+++ b/inventory/byo/hosts
@@ -17,7 +17,7 @@ ansible_ssh_user=root
deployment_type=enterprise
# Pre-release registry URL
-oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}
+oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}
# Pre-release additional repo
openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/3.0/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}]
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 9e642f3d3..2d2560db4 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -27,10 +27,12 @@
stat:
path: "{{ item }}"
with_items:
- - "/etc/openshift/node/node.key"
- - "/etc/openshift/node/node.kubeconfig"
+ - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.crt"
+ - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.key"
+ - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.kubeconfig"
- "/etc/openshift/node/ca.crt"
- "/etc/openshift/node/server.key"
+ - "/etc/openshift/node/server.crt"
register: stat_result
- set_fact:
certs_missing: "{{ stat_result.results | map(attribute='stat.exists')
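Review bot: The stat list only proves that the six files exist; a zero-byte or half-written file left by an interrupted earlier run still counts as present, and the node would then keep using a broken `system:node:<hostname>.kubeconfig` instead of being re-issued one. If that scenario matters, fold size into the check next to existence, e.g. test `stat.size > 0` alongside `map(attribute='stat.exists')`, or let the certificate role overwrite on a checksum mismatch rather than skipping. The set_fact that consumes stat_result continues below the hunk.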
@@ -50,7 +52,7 @@
register: mktemp
changed_when: False
-- name: Register nodes
+- name: Create node certificates
hosts: oo_first_master
vars:
nodes_needing_certs: "{{ hostvars
@@ -60,7 +62,7 @@
| oo_select_keys(groups['oo_nodes_to_config']) }}"
sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
roles:
- - openshift_register_nodes
+ - openshift_node_certificates
post_tasks:
- name: Create a tarball of the node config directories
command: >
diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml
index f76dd84ed..a7c565067 100644
--- a/roles/openshift_common/tasks/main.yml
+++ b/roles/openshift_common/tasks/main.yml
@@ -15,4 +15,3 @@
- name: Set hostname
hostname: name={{ openshift.common.hostname }}
-
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 7bc7c3260..1b789ca89 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -298,10 +298,10 @@ def set_registry_url_if_unset(facts):
if 'registry_url' not in facts[role]:
registry_url = "openshift/origin-${component}:${version}"
if deployment_type == 'enterprise':
- registry_url = "openshift3_beta/ose-${component}:${version}"
+ registry_url = "openshift3/ose-${component}:${version}"
elif deployment_type == 'online':
registry_url = ("docker-registry.ops.rhcloud.com/"
- "openshift3_beta/ose-${component}:${version}")
+ "openshift3/ose-${component}:${version}")
facts[role]['registry_url'] = registry_url
return facts
@@ -450,7 +450,9 @@ def get_current_config(facts):
# TODO: parse the /etc/sysconfig/openshift-{master,node} config to
# determine the location of files.
-
+ # TODO: I suspect this isn't working right now, but it doesn't prevent
+ # anything from working properly as far as I can tell, perhaps because
+ # we override the kubeconfig path everywhere we use it?
# Query kubeconfig settings
kubeconfig_dir = '/var/lib/openshift/openshift.local.certificates'
if role == 'node':
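Review bot: The new TODO records a suspicion but leaves `kubeconfig_dir = '/var/lib/openshift/openshift.local.certificates'` pointing at the old layout, while this same commit moves the master config to `/etc/openshift/master` and the node kubeconfig to `/etc/openshift/node/system:node:<hostname>.kubeconfig`. If the override described in the comment is real, this lookup is dead and misleading; if it is not, discovered facts are read from a directory that the playbooks no longer populate. Either point it at the new directories or replace the discovery with the explicit paths the roles now use. get_current_config continues beyond the hunk.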
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 23f8b4649..da0a663ec 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -8,6 +8,15 @@
- openshift_master_oauth_grant_method in openshift_master_valid_grant_methods
when: openshift_master_oauth_grant_method is defined
+- name: Install OpenShift Master package
+ yum: pkg=openshift-master state=present
+ register: install_result
+
+# TODO: Is this necessary or was this a workaround for an old bug in packaging?
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: install_result | changed
+
- name: Set master OpenShift facts
openshift_facts:
role: master
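Review bot: The relocated install task still uses key=value module arguments (`yum: pkg=openshift-master state=present`), which yamllint and ansible-lint flag and which reads differently from the block-style tasks around it; native YAML args are `yum:` / `  name: openshift-master` / `  state: present`. The `Reload systemd units` task could become a handler notified by the install task, which would also make the TODO's question moot by tying the reload to the install by design. The `Set master OpenShift facts` task at the end of the hunk continues below it.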
@@ -51,14 +60,6 @@
domain: cluster.local
when: openshift.master.embedded_dns
-- name: Install OpenShift Master package
- yum: pkg=openshift-master state=present
- register: install_result
-
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: install_result | changed
-
- name: Create config parent directory if it doesn't exist
file:
path: "{{ openshift_master_config_dir }}"
@@ -130,7 +131,7 @@
- name: Create the OpenShift client config dir(s)
file:
- path: "~{{ item }}/.config/openshift"
+ path: "~{{ item }}/.kube"
state: directory
mode: 0700
owner: "{{ item }}"
@@ -142,16 +143,16 @@
# TODO: Update this file if the contents of the source file are not present in
# the dest file, will need to make sure to ignore things that could be added
- name: Copy the OpenShift admin client config(s)
- command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.config/openshift/.config
+ command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config
args:
- creates: ~{{ item }}/.config/openshift/.config
+ creates: ~{{ item }}/.kube/config
with_items:
- root
- "{{ ansible_ssh_user }}"
- name: Update the permissions on the OpenShift admin client config(s)
file:
- path: "~{{ item }}/.config/openshift/.config"
+ path: "~{{ item }}/.kube/config"
state: file
mode: 0700
owner: "{{ item }}"
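Review bot: This copies the cluster-admin credential (`admin.kubeconfig`) into `~/.kube/config` for root and for `{{ ansible_ssh_user }}`, and `creates:` means it is never refreshed, so — as the TODO above half-admits — a re-issued admin.kubeconfig leaves a stale but still fully privileged copy in two home directories. Consider copying when the two files' checksums differ (a `stat` on both, then `when: ... checksum != ...`) instead of `creates:`, and use `mode: "0600"` for a regular file: the execute bit in `0700` buys nothing and the unquoted octal is the YAML 1.1 footgun. The file task continues below the hunk.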
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 1c2d37b63..9df07e925 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -1,3 +1,6 @@
+apiLevels:
+- v1beta3
+- v1
apiVersion: v1
assetConfig:
logoutURL: ""
@@ -8,6 +11,8 @@ assetConfig:
certFile: master.server.crt
clientCA: ""
keyFile: master.server.key
+ maxRequestsInFlight: 0
+ requestTimeoutSeconds: 0
corsAllowedOrigins:
{# TODO: add support for user specified corsAllowedOrigins #}
{% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %}
@@ -43,9 +48,9 @@ etcdConfig:
{% endif %}
etcdStorageConfig:
kubernetesStoragePrefix: kubernetes.io
- kubernetesStorageVersion: v1beta3
- kubernetesStoragePrefix: kubernetes.io
- openShiftStorageVersion: v1beta3
+ kubernetesStorageVersion: v1
+ openShiftStoragePrefix: openshift.io
+ openShiftStorageVersion: v1
imageConfig:
format: {{ openshift.master.registry_url }}
latest: false
@@ -58,18 +63,24 @@ kubeletClientInfo:
port: 10250
{% if openshift.master.embedded_kube %}
kubernetesMasterConfig:
+ apiLevels:
+ - v1beta3
+ - v1
+ apiServerArguments: null
+ controllerArguments: null
{# TODO: support overriding masterCount #}
masterCount: 1
masterIP: ""
+ podEvictionTimeout: ""
schedulerConfigFile: {{ openshift_master_scheduler_conf }}
+ servicesNodePortRange: ""
servicesSubnet: {{ openshift.master.portal_net }}
staticNodeNames: {{ openshift_node_ips | default([], true) }}
{% endif %}
masterClients:
{# TODO: allow user to set externalKubernetesKubeConfig #}
- deployerKubeConfig: openshift-deployer.kubeconfig
externalKubernetesKubeConfig: ""
- openshiftLoopbackKubeConfig: openshift-client.kubeconfig
+ openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: {{ openshift.master.public_api_url }}
networkConfig:
clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
@@ -78,16 +89,22 @@ networkConfig:
{% include 'v1_partials/oauthConfig.j2' %}
policyConfig:
bootstrapPolicyFile: {{ openshift_master_policy }}
+ openshiftInfrastructureNamespace: openshift-infra
openshiftSharedResourcesNamespace: openshift
{# TODO: Allow users to override projectConfig items #}
projectConfig:
defaultNodeSelector: ""
projectRequestMessage: ""
projectRequestTemplate: ""
+ securityAllocator:
+ mcsAllocatorRange: s0:/2
+ mcsLabelsPerProject: 5
+ uidAllocatorRange: 1000000000-1999999999/10000
serviceAccountConfig:
managedNames:
- default
- builder
+ - deployer
privateKeyFile: serviceaccounts.private.key
publicKeyFiles:
- serviceaccounts.public.key
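Review bot: `uidAllocatorRange: 1000000000-1999999999/10000` and `mcsAllocatorRange: s0:/2` are written as fixed literals with neither a variable nor a TODO, unlike most other settings in this template; these ranges presumably decide the UID and MCS label separation every project's pods receive, and an operator whose hosts already use UIDs in that range, or who needs a different MCS split, has no way to change them from inventory. Either expose them as facts (e.g. `openshift_master_uid_allocator_range`, `openshift_master_mcs_allocator_range`) with these values as defaults, or at least add `{# TODO: allow overriding securityAllocator ranges #}` beside the existing projectConfig TODO. The serviceAccountConfig mapping continues past the hunk.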
@@ -96,3 +113,5 @@ servingInfo:
certFile: master.server.crt
clientCA: ca.crt
keyFile: master.server.key
+ maxRequestsInFlight: 0
+ requestTimeoutSeconds: 0
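Review bot: `maxRequestsInFlight: 0` and `requestTimeoutSeconds: 0` are added to the API server's servingInfo (and to assetConfig's servingInfo above) without a comment; if 0 means "no limit" and "no timeout", as the names suggest, the template is explicitly opting out of the two knobs that bound concurrent connections and slow-client hold time on the cluster's most exposed listener. Confirm what 0 means for this config version, and if it is unbounded either set finite values or add `{# 0 = no limit / no timeout; tune before exposing the API publicly #}` so the choice is visible to whoever deploys from this template. This hunk is the end of the file.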
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 15d18f510..770b55351 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -1,6 +1,20 @@
---
# TODO: allow for overriding default ports where possible
+- name: Install OpenShift Node package
+ yum: pkg=openshift-node state=present
+ register: node_install_result
+
+- name: Install openshift-sdn-ovs
+ yum: pkg=openshift-sdn-ovs state=present
+ register: sdn_install_result
+ when: openshift.common.use_openshift_sdn
+
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: (node_install_result | changed or (openshift.common.use_openshift_sdn
+ and sdn_install_result | changed))
+
- name: Set node OpenShift facts
openshift_facts:
role: "{{ item.role }}"
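Review bot: The `when:` on the reload task is a multi-line plain scalar that YAML folds into one string; it works today but an indentation change silently alters the expression, and it is the form yamllint warns about. Writing it as `when: >-` with the condition on the following lines, or quoting the whole expression, makes the folding deliberate. The two install tasks also use key=value module arguments; `yum:` with `name:` and `state:` keys would match the block style of the rest of the role. The `Set node OpenShift facts` task continues below the hunk.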
@@ -22,20 +36,6 @@
debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
portal_net: "{{ openshift_master_portal_net | default(None) }}"
-- name: Install OpenShift Node package
- yum: pkg=openshift-node state=present
- register: node_install_result
-
-- name: Install openshift-sdn-ovs
- yum: pkg=openshift-sdn-ovs state=present
- register: sdn_install_result
- when: openshift.common.use_openshift_sdn
-
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: (node_install_result | changed or (openshift.common.use_openshift_sdn
- and sdn_install_result | changed))
-
# TODO: add the validate parameter when there is a validation command to run
- name: Create the Node config
template:
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2
index cab75cd49..f313f6a4b 100644
--- a/roles/openshift_node/templates/node.yaml.v1.j2
+++ b/roles/openshift_node/templates/node.yaml.v1.j2
@@ -2,14 +2,16 @@ allowDisabledDocker: false
apiVersion: v1
dnsDomain: {{ hostvars[openshift_first_master].openshift.dns.domain }}
dnsIP: {{ hostvars[openshift_first_master].openshift.dns.ip }}
+dockerConfig:
+ execHandlerName: ""
imageConfig:
format: {{ openshift.node.registry_url }}
latest: false
kind: NodeConfig
-masterKubeConfig: node.kubeconfig
+masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig
networkPluginName: {{ openshift.common.sdn_network_plugin_name }}
nodeName: {{ openshift.common.hostname }}
-podManifestConfig: null
+podManifestConfig:
servingInfo:
bindAddress: 0.0.0.0:10250
certFile: server.crt
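Review bot: `podManifestConfig:` with no value parses as null, which is exactly what the removed `podManifestConfig: null` produced, so the change is a no-op in effect but loses the explicit marker and trips yamllint's empty-values rule. If the intent was to enable a static pod manifest directory, the mapping needs a `path:` (and presumably a scan interval); otherwise keep `podManifestConfig: null` so the reader can tell the feature is intentionally off. The servingInfo mapping continues below the hunk.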
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
new file mode 100644
index 000000000..c6304e4b0
--- /dev/null
+++ b/roles/openshift_node_certificates/README.md
@@ -0,0 +1,34 @@
+OpenShift Node Certificates
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
new file mode 100644
index 000000000..f3236e850
--- /dev/null
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Jason DeTiberus
+ description:
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.8
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
new file mode 100644
index 000000000..1b68bc673
--- /dev/null
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: Create openshift_generated_configs_dir if it doesn't exist
+ file:
+ path: "{{ openshift_generated_configs_dir }}"
+ state: directory
+
+- name: Generate the node client config
+ command: >
+ {{ openshift.common.admin_binary }} create-api-client-config
+ --certificate-authority={{ openshift_master_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
+ --groups=system:nodes
+ --master={{ openshift.master.api_url }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
+ --user=system:node:{{ item.openshift.common.hostname }}
+ args:
+ chdir: "{{ openshift_generated_configs_dir }}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+ with_items: nodes_needing_certs
+
+- name: Generate the node server certificate
+ delegate_to: "{{ openshift_first_master }}"
+ command: >
+ {{ openshift.common.admin_binary }} create-server-cert
+ --cert=server.crt --key=server.key --overwrite=true
+ --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname]|unique|join(",") }}
+ --signer-cert={{ openshift_master_ca_cert }}
+ --signer-key={{ openshift_master_ca_key }}
+ --signer-serial={{ openshift_master_ca_serial }}
+ args:
+ chdir: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+ creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
+ with_items: nodes_needing_certs
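Review bot: The directory that receives every node's private key and kubeconfig is created with `file: state: directory` and no `mode:`, so its permissions depend on the master's umask, while the two commands that follow write `server.key` and the client key into per-node subdirectories under it; set `mode: "0700"` (quoted, to avoid the octal trap) on that task, and ideally create each `--client-dir` with the same mode before invoking the CLI. Two smaller points: `--hostnames` lists `hostname` and `public_hostname` but not `item.openshift.common.ip`, so a kubelet contacted by IP would fail TLS verification if anything does that, and `--overwrite=true` is redundant under the `creates:` guard. The second task delegates to `openshift_first_master` while the first does not; both presumably run on the first master anyway, but the two should match.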
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
new file mode 100644
index 000000000..3801b8427
--- /dev/null
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -0,0 +1,8 @@
+---
+openshift_node_config_dir: /etc/openshift/node
+openshift_master_config_dir: /etc/openshift/master
+openshift_generated_configs_dir: /etc/openshift/generated-configs
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_kube_api_version: v1beta3
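Review bot: These paths live in the role's `vars/`, which in Ansible precedence overrides inventory and play vars, so `openshift_generated_configs_dir` and the CA cert/key/serial paths cannot be changed by an operator without editing the role; settings meant to be overridable belong in `defaults/main.yml`, with `vars/` reserved for values the role must pin. `openshift_kube_api_version: v1beta3` is not referenced by this role's tasks and disagrees with the `v1` storage versions the master template now writes — drop it here or align it with the master.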
diff --git a/roles/openshift_register_nodes/README.md b/roles/openshift_register_nodes/README.md
index b96faa044..b1d2000f1 100644
--- a/roles/openshift_register_nodes/README.md
+++ b/roles/openshift_register_nodes/README.md
@@ -1,27 +1,8 @@
OpenShift Register Nodes
========================
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
+DEPRECATED!!!
+Nodes should now auto register themselves. Use openshift_node_certificates role instead.
License
-------
diff --git a/roles/openshift_register_nodes/tasks/main.yml b/roles/openshift_register_nodes/tasks/main.yml
index 11097a7cf..502dffc26 100644
--- a/roles/openshift_register_nodes/tasks/main.yml
+++ b/roles/openshift_register_nodes/tasks/main.yml
@@ -14,7 +14,7 @@
--signer-cert={{ openshift_master_ca_cert }}
--signer-key={{ openshift_master_ca_key }}
--signer-serial={{ openshift_master_ca_serial }}
- --user=system:node-{{ item.openshift.common.hostname }}
+ --user=system:node:{{ item.openshift.common.hostname }}
args:
chdir: "{{ openshift_generated_configs_dir }}"
creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
@@ -37,7 +37,7 @@
- name: Register unregistered nodes
kubernetes_register_node:
kubectl_cmd: "{{ [openshift.common.client_binary] }}"
- default_client_config: '~/.config/openshift/.config'
+ default_client_config: '~/.kube/config'
name: "{{ item.openshift.common.hostname }}"
api_version: "{{ openshift_kube_api_version }}"
cpu: "{{ item.openshift.node.resources_cpu | default(None) }}"
@@ -46,5 +46,8 @@
host_ip: "{{ item.openshift.common.ip }}"
labels: "{{ item.openshift.node.labels | default({}) }}"
annotations: "{{ item.openshift.node.annotations | default({}) }}"
+ client_context: default/ose3-master-example-com:8443/system:openshift-master
+ client_user: system:openshift-master/ose3-master-example-com:8443
+ client_cluster: ose3-master-example-com:8443
with_items: openshift_nodes
register: register_result
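Review bot: `client_context`, `client_user` and `client_cluster` are added as literal `ose3-master-example-com:8443` values, which only match a master whose API hostname is ose3-master.example.com; on any other cluster the module will presumably look up a context and cluster that do not exist in `~/.kube/config` and fail. Even though the README now marks this role deprecated, it is still in the tree and still wired to the old flow, so derive these from the facts used elsewhere in the role (hostname and `openshift.master.api_url`) or drop the three keys so the kubeconfig's current-context applies.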