10 files changed, 87 insertions, 50 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index c05d9e64b..120ce408f 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.9.0-0.37.0 ./ +3.9.0-0.38.0 ./ diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 5d2d83750..d14eb56cb 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -10,7 +10,7 @@ Name: openshift-ansible Version: 3.9.0 -Release: 0.37.0%{?dist} +Release: 0.38.0%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 URL: https://github.com/openshift/openshift-ansible @@ -201,6 +201,19 @@ Atomic OpenShift Utilities includes %changelog +* Mon Feb 05 2018 Justin Pierce <jupierce@redhat.com> 3.9.0-0.38.0 +- Moving upgrade sg playbook to 3.9 (kwoodson@redhat.com) +- remove openshift_upgrade_{pre,post}_storage_migration_enabled from + failed_when (nakayamakenjiro@gmail.com) +- Fix version handling in 3.8/3.9 control plane upgrades (rteague@redhat.com) +- add S3 bucket cleanup (jdiaz@redhat.com) +- dynamic inventory bug when group exists but its empty (m.judeikis@gmail.com) +- dynamic inventory bug when group exists but its empty (m.judeikis@gmail.com) +- Parameterize user and disable_root options in cloud config + (nelluri@redhat.com) +- Fix softlinks broken by d3fefc32a727fe3c13159c4e9fe4399f35b487a8 + (Klaas-@users.noreply.github.com) + * Fri Feb 02 2018 Justin Pierce <jupierce@redhat.com> 3.9.0-0.37.0 - Don't use 'omit' for package module (vrutkovs@redhat.com) - Adding requirements for logging and metrics (ewolinet@redhat.com) diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index 9b5ba3482..baec057f9 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml 
@@ -3,29 +3,6 @@ # Upgrade Masters ############################################################################### -# Prior to 3.6, openshift-ansible created etcd serving certificates -# without a SubjectAlternativeName entry for the system hostname. The -# SAN list in Go 1.8 is now (correctly) authoritative and since -# openshift-ansible configures masters to talk to etcd hostnames -# rather than IP addresses, we must correct etcd certificates. -# -# This play examines the etcd serving certificate SANs on each etcd -# host and records whether or not the system hostname is missing. -- name: Examine etcd serving certificate SAN - hosts: oo_etcd_to_config - tasks: - - slurp: - src: /etc/etcd/server.crt - register: etcd_serving_cert - - set_fact: - __etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}" - -# Redeploy etcd certificates when hostnames were missing from etcd -# serving certificate SANs. -- import_playbook: ../../../openshift-etcd/redeploy-certificates.yml - when: - - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) - - name: Backup and upgrade etcd import_playbook: ../../../openshift-etcd/private/upgrade_main.yml diff --git a/playbooks/openshift-etcd/private/upgrade_main.yml b/playbooks/openshift-etcd/private/upgrade_main.yml index 8997680f9..fea588260 100644 --- a/playbooks/openshift-etcd/private/upgrade_main.yml +++ b/playbooks/openshift-etcd/private/upgrade_main.yml 
@@ -1,4 +1,37 @@ --- +# Prior to 3.6, openshift-ansible created etcd serving certificates +# without a SubjectAlternativeName entry for the system hostname. The +# SAN list in Go 1.8 is now (correctly) authoritative and since +# openshift-ansible configures masters to talk to etcd hostnames +# rather than IP addresses, we must correct etcd certificates. +# +# This play examines the etcd serving certificate SANs on each etcd +# host and records whether or not the system hostname is missing. +- name: Examine etcd serving certificate SAN + hosts: oo_etcd_to_config + tasks: + - slurp: + src: /etc/etcd/server.crt + register: etcd_serving_cert + - set_fact: + __etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}" + +# Redeploy etcd certificates when hostnames were missing from etcd +# serving certificate SANs. +- import_playbook: redeploy-certificates.yml + when: + - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) + +- import_playbook: restart.yml + vars: + g_etcd_certificates_expired: "{{ ('expired' in (hostvars | lib_utils_oo_select_keys(groups['etcd']) | lib_utils_oo_collect('check_results.check_results.etcd') | lib_utils_oo_collect('health'))) | bool }}" + when: + - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) + +- import_playbook: ../../openshift-master/private/restart.yml + when: + - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false]) + # For 1.4/3.4 we want to upgrade everyone to etcd-3.0. etcd docs say to # upgrade from 2.0.x to 2.1.x to 2.2.x to 2.3.x to 3.0.x. While this is a tedius # task for RHEL and CENTOS it's simply not possible in Fedora unless you've 
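Review bot: The `restart.yml` import computes `g_etcd_certificates_expired` from `check_results.check_results.etcd` over `groups['etcd']`, while every `when` in this hunk selects hosts from `groups['oo_etcd_to_config']`, and nothing visible here registers `check_results`. If the certificate expiry check has not run before this playbook, the expression presumably fails or evaluates against missing data; that should be confirmed and the group name made consistent. The two tasks in the first play are unnamed, and `slurp` fails the host when `/etc/etcd/server.crt` is absent, so I would add `name:` lines and a comment stating that the serving certificate is expected on every host in `oo_etcd_to_config`. The identical `when` expression appears three times; a comment on the first occurrence saying that one host lacking the hostname SAN triggers redeploy and restart for the whole cluster would save the reader from decoding it. The file continues past the end of the hunk.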
diff --git a/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml index b817221b8..d88209593 100644 --- a/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml +++ b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml @@ -88,8 +88,7 @@ - name: Redeploy docker registry command: > - {{ openshift_client_binary }} deploy dc/docker-registry - --latest + {{ openshift_client_binary }} rollout latest dc/docker-registry --config={{ mktemp.stdout }}/admin.kubeconfig -n default diff --git a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml index 0df748f47..952a5f4ee 100644 --- a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml +++ b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml @@ -129,8 +129,7 @@ - name: Redeploy router command: > - {{ openshift_client_binary }} deploy dc/router - --latest + {{ openshift_client_binary }} rollout latest dc/router --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig -n default diff --git a/roles/container_runtime/templates/crio-network.j2 b/roles/container_runtime/templates/crio-network.j2 index 763be97d7..ae8a506fe 100644 --- a/roles/container_runtime/templates/crio-network.j2 +++ b/roles/container_runtime/templates/crio-network.j2 @@ -1,9 +1,9 @@ {% if 'http_proxy' in openshift.common %} -HTTP_PROXY={{ openshift.common.http_proxy }} +export HTTP_PROXY={{ openshift.common.http_proxy }} {% endif %} {% if 'https_proxy' in openshift.common %} -HTTPS_PROXY={{ openshift.common.https_proxy }} +export HTTPS_PROXY={{ openshift.common.https_proxy }} {% endif %} {% if 'no_proxy' in openshift.common %} -NO_PROXY={{ openshift.common.no_proxy }} +export NO_PROXY={{ openshift.common.no_proxy }} {% endif %} 
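Review bot: The three proxy values in crio-network.j2 are rendered unquoted, and with the added `export` the file now reads as something a shell sources, so a value containing whitespace, `$`, `;` or backticks (for example credentials embedded in a proxy URL) would be split or expanded rather than taken literally. If the consumer is a shell, quote at render time, e.g. `export HTTP_PROXY={{ openshift.common.http_proxy | quote }}`, and likewise for `HTTPS_PROXY` and `NO_PROXY`. How the file is consumed is not visible in this diff; if anything still reads it as a plain KEY=VALUE environment file, the `export` prefix may not be accepted there, so a comment at the top of the template naming the consumer would help. Proxy URLs can carry credentials, so the mode of the rendered file is worth checking in the task that installs it, which is outside this hunk.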
diff --git a/roles/openshift_daemonset_config/defaults/main.yml b/roles/openshift_daemonset_config/defaults/main.yml index ebe5671d2..bb9803c2b 100644 --- a/roles/openshift_daemonset_config/defaults/main.yml +++ b/roles/openshift_daemonset_config/defaults/main.yml @@ -1,16 +1,19 @@ --- -openshift_daemonset_config_namespace: openshift-node -openshift_daemonset_config_daemonset_name: ops-node-config -openshift_daemonset_config_configmap_name: "{{ openshift_daemonset_config_daemonset_name }}" +openshift_daemonset_config_image: "centos:7" +openshift_daemonset_config_monitoring_image: "openshifttools/oso-centos7-host-monitoring:latest" +openshift_daemonset_config_namespace: openshift-config +openshift_daemonset_config_daemonset_name: node-config +openshift_daemonset_config_configmap_name: "{{ openshift_daemonset_config_daemonset_name }}-configmap" +openshift_daemonset_config_monitoring_pos: "false" openshift_daemonset_config_node_selector: config: config -openshift_daemonset_config_sa_name: ops +openshift_daemonset_config_sa_name: configurator openshift_daemonset_config_configmap_files: {} openshift_daemonset_config_configmap_literals: {} openshift_daemonset_config_monitoring: False openshift_daemonset_config_interval: 300 openshift_daemonset_config_script: config.sh -openshift_daemonset_config_secret_name: operations-config-secret +openshift_daemonset_config_secret_name: "{{ openshift_daemonset_config_daemonset_name }}-secret" openshift_daemonset_config_secrets: {} openshift_daemonset_config_runasuser: 0 openshift_daemonset_config_privileged: True diff --git a/roles/openshift_daemonset_config/tasks/main.yml b/roles/openshift_daemonset_config/tasks/main.yml index 450cc9dca..f8f42b771 100644 --- a/roles/openshift_daemonset_config/tasks/main.yml +++ b/roles/openshift_daemonset_config/tasks/main.yml 
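Review bot: `openshift_daemonset_config_monitoring_image` defaults to a mutable `:latest` tag and `openshift_daemonset_config_image` to the unqualified `centos:7`, while the same defaults file keeps `openshift_daemonset_config_privileged: True` and `openshift_daemonset_config_runasuser: 0`, and the daemonset template in this commit runs the monitoring container with `privileged: true`. With a moving tag, the code running as privileged root on every selected node changes whenever the upstream tag is re-pushed. Consider registry-qualified defaults pinned by digest (`<registry>/<image>@sha256:<digest>`), or at least a comment above the two image defaults telling operators to override them with pinned references. Separately, `openshift_daemonset_config_monitoring_pos: "false"` is a quoted string next to the boolean `openshift_daemonset_config_monitoring: False`; a comment such as `# string on purpose: passed verbatim as the OO_PAUSE_ON_START env value` would make the difference intentional.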
@@ -1,4 +1,9 @@ --- +- name: create the namespace + oc_project: + state: present + name: "{{ openshift_daemonset_config_namespace }}" + - name: add a sa oc_serviceaccount: name: "{{ openshift_daemonset_config_sa_name }}" @@ -25,11 +30,6 @@ dest: "{{ item.value }}" with_dict: "{{ openshift_daemonset_config_configmap_files }}" -- name: create the namespace - oc_project: - state: present - name: "{{ openshift_daemonset_config_namespace }}" - - name: lay down secrets oc_secret: state: present @@ -39,6 +39,7 @@ contents: "{{ openshift_daemonset_config_secrets }}" when: - openshift_daemonset_config_secrets != {} + register: secout - name: create the configmap oc_configmap: @@ -47,6 +48,7 @@ namespace: "{{ openshift_daemonset_config_namespace }}" from_literal: "{{ openshift_daemonset_config_configmap_literals }}" from_file: "{{ openshift_daemonset_config_configmap_files }}" + register: cmout - name: deploy daemonset oc_obj: @@ -56,3 +58,4 @@ kind: daemonset files: - /tmp/daemonset.yml + force: "{{ True if cmout.changed or secout.changed else False | bool }}" diff --git a/roles/openshift_daemonset_config/templates/daemonset.yml.j2 b/roles/openshift_daemonset_config/templates/daemonset.yml.j2 index 9792f6d16..02cd5bcfd 100644 --- a/roles/openshift_daemonset_config/templates/daemonset.yml.j2 +++ b/roles/openshift_daemonset_config/templates/daemonset.yml.j2 @@ -33,7 +33,7 @@ spec: hostIPC: true containers: - name: config - image: centos:7 + image: "{{ openshift_daemonset_config_image }}" env: - name: RESYNC_INTERVAL value: "{{ openshift_daemonset_config_interval }}" @@ -50,8 +50,8 @@ spec: sh /opt/config/{{ openshift_daemonset_config_script }} # sleep for ${RESYNC_INTERVAL} minutes, then loop. if we fail Kubelet will restart us again - echo "Success, sleeping for ${RESYNC_INTERVAL}s" - exec sleep ${RESYNC_INTERVAL} + echo "Success, sleeping for ${RESYNC_INTERVAL}s. Date: $(date)" + sleep ${RESYNC_INTERVAL} # Return to perform the config done 
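Review bot: The `lay down secrets` task passes `openshift_daemonset_config_secrets` as `contents:` and the new `register: secout` keeps the module result in a variable, yet no `no_log` appears in the visible hunk context (the task starts above the hunk, so it may be set there). Task arguments and results are shown at higher verbosity and by callback plugins that record results, so I would add `no_log: true` to this task; the registered `secout.changed` stays usable for the later `force:` expression. If any later debug or failure message prints `secout`, that would need the same treatment.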
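Review bot: In `force: "{{ True if cmout.changed or secout.changed else False | bool }}"` the `| bool` filter binds only to the literal `False`, so it has no effect, and the conditional around an already boolean expression is redundant. `force: "{{ (cmout.changed or secout.changed) | bool }}"` expresses the same thing. I would also add a comment above `force:` explaining that the daemonset is replaced when the configmap or secret changed so that pods pick up the new content, since a forced replace presumably restarts the privileged pods on every selected node.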
@@ -68,6 +68,8 @@ spec: # Our node configuration - mountPath: /opt/config name: config + - mountPath: /opt/tmp_shared_config + name: tmp-shared-dir {% if openshift_daemonset_config_secrets != {} %} # Our delivered secrets - mountPath: /opt/secrets @@ -79,12 +81,14 @@ spec: memory: {{ openshift_daemonset_config_resources.memory }} {% if openshift_daemonset_config_monitoring %} - name: monitoring - image: openshifttools/oso-centos7-host-monitoring:latest + image: "{{ openshift_daemonset_config_monitoring_image }}" + env: + - name: OO_PAUSE_ON_START + value: "{{ openshift_daemonset_config_monitoring_pos }}" securityContext: # Must be root to read content runAsUser: 0 privileged: true - volumeMounts: - mountPath: /host name: host @@ -118,17 +122,23 @@ spec: - mountPath: /host/var/cache/yum subPath: var/cache/yum name: host - - mountPath: /container_setup/monitoring-config.yml - subPath: monitoring-config.yaml - name: config + readOnly: true + - mountPath: /container_setup + name: tmp-shared-dir - mountPath: /opt/config name: config +{% if openshift_daemonset_config_secrets != {} %} + - mountPath: /opt/secrets + name: secrets +{% endif %} resources: requests: cpu: 10m memory: 10Mi {% endif %} volumes: + - name: tmp-shared-dir + emptyDir: {} - name: config configMap: name: {{ openshift_daemonset_config_configmap_name }} |
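Review bot: The monitoring container now gets the same `/opt/secrets` mount as the config container, and it is the container this template runs with `privileged: true`, `runAsUser: 0` and the host filesystem under `/host`. If the monitoring image only needs its own credentials, a separate secret would keep the configuration secrets out of it; otherwise add `readOnly: true` under the new `/opt/secrets` mount, as this hunk already does for the `/host/var/cache/yum` mount. `/container_setup` also changes from a single file taken from the configMap to the shared `tmp-shared-dir` emptyDir, which is mounted without `readOnly` in both containers, so either can write what the other reads. A comment next to the `tmp-shared-dir` volume naming which container populates it and which one only consumes it would make that trust relationship explicit.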