diff options
70 files changed, 637 insertions, 298 deletions
@@ -18,7 +18,8 @@ persistent=no load-plugins= # Use multiple processes to speed up Pylint. -jobs=1 +# Zero means use the total number of CPUs. +jobs=0 # Allow loading of arbitrary C extensions. Extensions are imported into the # active Python interpreter and may run arbitrary code. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 83c844e28..dafa73bad 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -85,6 +85,24 @@ parallel pip install tox detox ``` +--- + +Note: before running `tox` or `detox`, ensure that the only virtualenvs within +the repository root are the ones managed by `tox`, those in a `.tox` +subdirectory. + +Use this command to list paths that are likely part of a virtualenv not managed +by `tox`: + +``` +$ find . -path '*/bin/python' | grep -vF .tox +``` + +Extraneous virtualenvs cause tools such as `pylint` to take a very long time +going through files that are part of the virtualenv. + +--- + List the test environments available: ``` tox -l diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index a4a01670a..7741730ad 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -488,11 +488,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_master_logging_public_url=https://kibana.example.com # Configure the number of elastic search nodes, unless you're using dynamic provisioning # this value must be 1 -#openshift_logging_es_cluster_size=1 -#openshift_logging_kibana_hostname=logging.apps.example.com +#openshift_hosted_logging_elasticsearch_cluster_size=1 +#openshift_hosted_logging_hostname=logging.apps.example.com # Configure the prefix and version for the deployer image -#openshift_logging_image_prefix=registry.example.com:8888/openshift3/ -#openshift_logging_image_version=3.3.0 +#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/ +#openshift_hosted_logging_deployer_version=3.3.0 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet') # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant' diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 91ebf9936..3da9be081 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -482,18 +482,18 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # pods are deleted # # Other Logging Options -- Common items you may wish to reconfigure, for the complete -# list of options please see roles/openshift_hosted_logging/README.md +# list of options please see roles/openshift_logging/README.md # # Configure loggingPublicURL in the master config for aggregate logging, defaults # to https://kibana.{{ openshift_master_default_subdomain }} #openshift_master_logging_public_url=https://kibana.example.com # Configure the number of elastic search nodes, unless you're using dynamic provisioning # this value must be 1 -#openshift_logging_es_cluster_size=1 -#openshift_logging_kibana_hostname=logging.apps.example.com +#openshift_hosted_logging_elasticsearch_cluster_size=1 +#openshift_hosted_logging_hostname=logging.apps.example.com # Configure the prefix and version for the deployer image -#openshift_logging_image_prefix=registry.example.com:8888/openshift3/ -#openshift_logging_image_version=3.3.0 +#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/ +#openshift_hosted_logging_deployer_version=3.3.0 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet') # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant' diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 8cec36bb7..0ec12daa0 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -3,6 +3,10 @@ %{!?commit: %global commit c64d09e528ca433832c6b6e6f5c7734a9cc8ee6f } +# This is inserted to prevent RPM from requiring "/usr/bin/ansible-playbook" +# The ansible-playbook requirement will be ansibled by the explicit +# "Requires: ansible" directive +%global __requires_exclude ^/usr/bin/ansible-playbook$ Name: openshift-ansible Version: 3.5.3 diff --git a/playbooks/adhoc/openshift_hosted_logging_efk.yaml b/playbooks/adhoc/openshift_hosted_logging_efk.yaml index e83351272..44a2ef534 100644 --- a/playbooks/adhoc/openshift_hosted_logging_efk.yaml +++ b/playbooks/adhoc/openshift_hosted_logging_efk.yaml @@ -8,7 +8,7 @@ hosts: masters:!masters[0] pre_tasks: - set_fact: - logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" + openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" tasks: - include_role: name: openshift_logging diff --git a/playbooks/adhoc/s3_registry/s3_registry.yml b/playbooks/adhoc/s3_registry/s3_registry.yml index 2c79a1b4d..d6758dae5 100644 --- a/playbooks/adhoc/s3_registry/s3_registry.yml +++ b/playbooks/adhoc/s3_registry/s3_registry.yml @@ -51,13 +51,16 @@ command: oc secrets new dockerregistry /root/config.yml when: "'dockerregistry' not in secrets.stdout" - - name: Determine if service account contains secrets - command: oc describe serviceaccount/registry - register: serviceaccount + - name: Load lib_openshift modules + include_role: + name: lib_openshift - name: Add secrets to registry service account - command: oc secrets add serviceaccount/registry secrets/dockerregistry - when: "'dockerregistry' not in serviceaccount.stdout" + oc_serviceaccount_secret: + service_account: registry + secret: dockerregistry + namespace: default + state: present - name: Determine if deployment config contains secrets command: oc volume dc/docker-registry --list diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml index f0cfa7f55..147e84131 100644 --- a/playbooks/adhoc/uninstall.yml +++ b/playbooks/adhoc/uninstall.yml @@ -148,6 +148,29 @@ - vovsbr when: "{{ openshift_remove_all | default(true) | bool }}" + - shell: atomic uninstall "{{ item }}"-master + changed_when: False + failed_when: False + with_items: + - openshift-enterprise + - atomic-enterprise + - origin + + - shell: atomic uninstall "{{ item }}"-node + changed_when: False + failed_when: False + with_items: + - openshift-enterprise + - atomic-enterprise + - origin + + - shell: atomic uninstall "{{ item }}" + changed_when: False + failed_when: False + with_items: + - etcd + - openvswitch + - shell: find /var/lib/origin/openshift.local.volumes -type d -exec umount {} \; 2>/dev/null || true changed_when: False @@ -263,6 +286,9 @@ - /var/lib/atomic-enterprise - /var/lib/openshift + - shell: systemctl daemon-reload + changed_when: False + - name: restart docker service: name=docker state=restarted diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index 7b58eebc3..06cda36a5 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -31,17 +31,17 @@ when: openshift_hosted_metrics_deploy | default(false) | bool - role: openshift_logging when: openshift_hosted_logging_deploy | default(false) | bool - openshift_logging_kibana_hostname: "{{ logging_hostname }}" - openshift_logging_kibana_ops_hostname: "{{ logging_ops_hostname }}" - openshift_logging_master_public_url: "{{ logging_master_public_url }}" - openshift_logging_es_cluster_size: "{{ logging_elasticsearch_cluster_size }}" - openshift_logging_es_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}" - openshift_logging_es_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}" - openshift_logging_es_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" - openshift_logging_es_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}" - openshift_logging_es_ops_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) =='dynamic' else '' }}" + openshift_hosted_logging_hostname: "{{ logging_hostname }}" + openshift_hosted_logging_ops_hostname: "{{ logging_ops_hostname }}" + openshift_hosted_logging_master_public_url: "{{ logging_master_public_url }}" + openshift_hosted_logging_elasticsearch_cluster_size: "{{ logging_elasticsearch_cluster_size }}" + openshift_hosted_logging_elasticsearch_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}" + openshift_hosted_logging_elasticsearch_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}" + openshift_hosted_logging_elasticsearch_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_loggingops_storage_kind | default(none) == 'dynamic' else '' }}" + openshift_hosted_logging_elasticsearch_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}" + openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es-ops' if openshift_hosted_loggingops_storage_kind | default(none) =='dynamic' else '' }}" - role: cockpit-ui when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool ) and not (openshift.docker.hosted_registry_insecure | default(false) | bool) @@ -52,11 +52,11 @@ - hosted pre_tasks: - set_fact: - logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" + openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" tasks: - block: - include_role: - name: openshift_hosted_logging + name: openshift_logging tasks_from: update_master_config when: openshift_hosted_logging_deploy | default(false) | bool diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml b/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml index f653a111f..c30889d64 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml @@ -36,6 +36,14 @@ - "openshift-master.crt" - "openshift-master.key" - "openshift-master.kubeconfig" + - name: Remove generated etcd client certificates + file: + path: "{{ openshift.common.config_base }}/master/{{ item }}" + state: absent + with_items: + - "master.etcd-client.crt" + - "master.etcd-client.key" + when: groups.oo_etcd_to_config | default([]) | length == 0 roles: - role: openshift_master_certificates openshift_master_etcd_hosts: "{{ hostvars diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml index 18b93e1d6..999e4af65 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml @@ -2,6 +2,8 @@ - name: Update registry certificates hosts: oo_first_master vars: + roles: + - lib_openshift tasks: - name: Create temp directory for kubeconfig command: mktemp -d /tmp/openshift-ansible-XXXXXX @@ -70,13 +72,17 @@ --key={{ openshift.common.config_base }}/master/registry.key - name: Update registry certificates secret - shell: > - {{ openshift.common.client_binary }} secret new registry-certificates - {{ openshift.common.config_base }}/master/registry.crt - {{ openshift.common.config_base }}/master/registry.key - --config={{ mktemp.stdout }}/admin.kubeconfig - -n default - -o json | oc replace -f - + oc_secret: + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + name: registry-certificates + namespace: default + state: present + files: + - name: registry.crt + path: "{{ openshift.common.config_base }}/master/registry.crt" + - name: registry.key + path: "{{ openshift.common.config_base }}/master/registry.key" + run_once: true when: l_docker_registry_dc.rc == 0 and 'registry-certificates' in docker_registry_secrets and 'REGISTRY_HTTP_TLS_CERTIFICATE' in docker_registry_env_vars and 'REGISTRY_HTTP_TLS_KEY' in docker_registry_env_vars - name: Redeploy docker registry diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml index a9e9f0915..707fb6424 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml @@ -7,6 +7,8 @@ command: mktemp -d /tmp/openshift-ansible-XXXXXX register: mktemp changed_when: false + roles: + - lib_openshift - name: Copy admin client config(s) command: > @@ -45,10 +47,12 @@ - block: - name: Delete existing router certificate secret - command: > - {{ openshift.common.client_binary }} delete secret/router-certs - --config={{ mktemp.stdout }}/admin.kubeconfig - -n default + oc_secret: + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + name: router-certs + namespace: default + state: absent + run_once: true - name: Remove router service annotations command: > diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml index d0eadf1fc..45aabf3e4 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml @@ -4,7 +4,7 @@ vars: embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" timestamp: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}" - etcdctl_command: "{{ 'etcdctl' if not openshift.common.is_containerized or embedded_etcd else 'docker exec etcd_container etcdctl' }}" + etcdctl_command: "{{ 'etcdctl' if not openshift.common.is_containerized or embedded_etcd else 'docker exec etcd_container etcdctl' if not openshift.common.is_etcd_system_container else 'runc exec etcd etcdctl' }}" roles: - openshift_facts tasks: diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml index 0f8d94737..690858c53 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml @@ -14,6 +14,16 @@ register: etcd_container_version failed_when: false when: openshift.common.is_containerized | bool + - name: Record containerized etcd version + command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\* + register: etcd_container_version + failed_when: false + when: openshift.common.is_containerized | bool and not openshift.common.is_etcd_system_container | bool + - name: Record containerized etcd version + command: runc exec etcd_container rpm -qa --qf '%{version}' etcd\* + register: etcd_container_version + failed_when: false + when: openshift.common.is_containerized | bool and openshift.common.is_etcd_system_container | bool # I really dislike this copy/pasta but I wasn't able to find a way to get it to loop # through hosts, then loop through tasks only when appropriate diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index 2ec62c37c..e0746d70d 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -1,5 +1,5 @@ --- -etcd_service: "{{ 'etcd' if not etcd_is_containerized | bool else 'etcd_container' }}" +etcd_service: "{{ 'etcd' if openshift.common.is_etcd_system_container | bool or not etcd_is_containerized | bool else 'etcd_container' }}" etcd_client_port: 2379 etcd_peer_port: 2380 etcd_url_scheme: http diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 41f25be70..5f3ca461e 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -14,13 +14,17 @@ command: docker pull {{ openshift.etcd.etcd_image }} register: pull_result changed_when: "'Downloaded newer image' in pull_result.stdout" - when: etcd_is_containerized | bool + when: + - etcd_is_containerized | bool + - not openshift.common.is_etcd_system_container | bool - name: Install etcd container service file template: dest: "/etc/systemd/system/etcd_container.service" src: etcd.docker.service - when: etcd_is_containerized | bool + when: + - etcd_is_containerized | bool + - not openshift.common.is_etcd_system_container | bool - name: Ensure etcd datadir exists when containerized file: @@ -36,10 +40,22 @@ enabled: no masked: yes daemon_reload: yes - when: etcd_is_containerized | bool + when: + - etcd_is_containerized | bool + - not openshift.common.is_etcd_system_container | bool register: task_result failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" +- name: Install etcd container service file + template: + dest: "/etc/systemd/system/etcd_container.service" + src: etcd.docker.service + when: etcd_is_containerized | bool and not openshift.common.is_etcd_system_container | bool + +- name: Install Etcd system container + include: system_container.yml + when: etcd_is_containerized | bool and openshift.common.is_etcd_system_container | bool + - name: Validate permissions on the config dir file: path: "{{ etcd_conf_dir }}" @@ -54,7 +70,7 @@ dest: /etc/etcd/etcd.conf backup: true notify: - - restart etcd + - restart etcd - name: Enable etcd systemd: diff --git a/roles/etcd/tasks/system_container.yml b/roles/etcd/tasks/system_container.yml new file mode 100644 index 000000000..241180e2c --- /dev/null +++ b/roles/etcd/tasks/system_container.yml @@ -0,0 +1,63 @@ +--- +- name: Pull etcd system container + command: atomic pull --storage=ostree {{ openshift.etcd.etcd_image }} + register: pull_result + changed_when: "'Pulling layer' in pull_result.stdout" + +- name: Check etcd system container package + command: > + atomic containers list --no-trunc -a -f container=etcd + register: result + +- name: Set initial Etcd cluster + set_fact: + etcd_initial_cluster: > + {% for host in etcd_peers | default([]) -%} + {% if loop.last -%} + {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }} + {%- else -%} + {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }}, + {%- endif -%} + {% endfor -%} + +- name: Update Etcd system container package + command: > + atomic containers update + --set ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }} + --set ETCD_NAME={{ etcd_hostname }} + --set ETCD_INITIAL_CLUSTER={{ etcd_initial_cluster | replace('\n', '') }} + --set ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }} + --set ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }} + --set ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }} + --set ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }} + --set ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }} + --set ETCD_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt + --set ETCD_CERT_FILE={{ etcd_system_container_conf_dir }}/server.crt + --set ETCD_KEY_FILE={{ etcd_system_container_conf_dir }}/server.key + --set ETCD_PEER_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt + --set ETCD_PEER_CERT_FILE={{ etcd_system_container_conf_dir }}/peer.crt + --set ETCD_PEER_KEY_FILE={{ etcd_system_container_conf_dir }}/peer.key + etcd + when: + - ("etcd" in result.stdout) + +- name: Install Etcd system container package + command: > + atomic install --system --name=etcd + --set ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }} + --set ETCD_NAME={{ etcd_hostname }} + --set ETCD_INITIAL_CLUSTER={{ etcd_initial_cluster | replace('\n', '') }} + --set ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }} + --set ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }} + --set ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }} + --set ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }} + --set ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }} + --set ETCD_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt + --set ETCD_CERT_FILE={{ etcd_system_container_conf_dir }}/server.crt + --set ETCD_KEY_FILE={{ etcd_system_container_conf_dir }}/server.key + --set ETCD_PEER_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt + --set ETCD_PEER_CERT_FILE={{ etcd_system_container_conf_dir }}/peer.crt + --set ETCD_PEER_KEY_FILE={{ etcd_system_container_conf_dir }}/peer.key + {{ openshift.etcd.etcd_image }} + when: + - ("etcd" not in result.stdout) diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml index 93633e3e6..2eb9af921 100644 --- a/roles/etcd_common/defaults/main.yml +++ b/roles/etcd_common/defaults/main.yml @@ -1,6 +1,7 @@ --- # etcd server vars -etcd_conf_dir: /etc/etcd +etcd_conf_dir: "{{ '/etc/etcd' if not openshift.common.is_etcd_system_container else '/var/lib/etcd/etcd.etcd/etc' }}" +etcd_system_container_conf_dir: /var/lib/etcd/etc etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt" etcd_cert_file: "{{ etcd_conf_dir }}/server.crt" etcd_key_file: "{{ etcd_conf_dir }}/server.key" diff --git a/roles/lib_openshift/tasks/main.yml b/roles/lib_openshift/tasks/main.yml index 157cf8f7f..2980c8a8d 100644 --- a/roles/lib_openshift/tasks/main.yml +++ b/roles/lib_openshift/tasks/main.yml @@ -1,12 +1,5 @@ --- - name: lib_openshift ensure python-ruamel-yaml package is on target package: - name: "{{ item }}" + name: python-ruamel-yaml state: present - with_items: - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml - - ruamel.yaml diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml index a8a9bd3b4..e3ed9ac71 100644 --- a/roles/nuage_master/meta/main.yml +++ b/roles/nuage_master/meta/main.yml @@ -17,6 +17,7 @@ dependencies: - role: nuage_common - role: openshift_etcd_client_certificates - role: os_firewall +- role: lib_openshift os_firewall_allow: - service: openshift-monitor port: "{{ nuage_mon_rest_server_port }}/tcp" diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml index 41143772e..16ea08244 100644 --- a/roles/nuage_master/tasks/serviceaccount.yml +++ b/roles/nuage_master/tasks/serviceaccount.yml @@ -13,20 +13,16 @@ changed_when: false - name: Create Admin Service Account - shell: > - echo {{ nuage_service_account_config | to_json | quote }} | - {{ openshift.common.client_binary }} create - -n default - --config={{nuage_tmp_conf}} - -f - - register: osnuage_create_service_account - failed_when: "'already exists' not in osnuage_create_service_account.stderr and osnuage_create_service_account.rc != 0" - changed_when: osnuage_create_service_account.rc == 0 + oc_serviceaccount: + kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig" + name: nuage + namespace: default + state: present - name: Configure role/user permissions command: > {{ openshift.common.client_binary }} adm {{item}} - --config={{nuage_tmp_conf}} + --config={{ nuage_tmp_conf }} with_items: "{{nuage_tasks}}" register: osnuage_perm_task failed_when: "'the object has been modified' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0" diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml index dba399a03..651d5775c 100644 --- a/roles/nuage_master/vars/main.yaml +++ b/roles/nuage_master/vars/main.yaml @@ -22,11 +22,5 @@ nuage_mon_rest_server_host: "{{ openshift.master.cluster_hostname | default(open nuage_master_crt_dir: /usr/share/nuage-openshift-monitor nuage_service_account: system:serviceaccount:default:nuage -nuage_service_account_config: - apiVersion: v1 - kind: ServiceAccount - metadata: - name: nuage - nuage_tasks: - policy add-cluster-role-to-user cluster-reader {{ nuage_service_account }} diff --git a/roles/openshift_etcd_facts/vars/main.yml b/roles/openshift_etcd_facts/vars/main.yml index cae15d61a..82db36eba 100644 --- a/roles/openshift_etcd_facts/vars/main.yml +++ b/roles/openshift_etcd_facts/vars/main.yml @@ -5,6 +5,6 @@ etcd_hostname: "{{ openshift.common.hostname }}" etcd_ip: "{{ openshift.common.ip }}" etcd_cert_subdir: "etcd-{{ openshift.common.hostname }}" etcd_cert_prefix: -etcd_cert_config_dir: /etc/etcd +etcd_cert_config_dir: "{{ '/etc/etcd' if not openshift.common.is_etcd_system_container | bool else '/var/lib/etcd/etcd.etcd/etc' }}" etcd_peer_url_scheme: https etcd_url_scheme: https diff --git a/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml index c8e3d4083..4f25a9c8f 100644 --- a/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml +++ b/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml @@ -157,7 +157,7 @@ objects: - type: "ConfigChange" - type: "ImageChange" imageChangeParams: - automatic: false + automatic: true containerNames: - "cloudforms" from: @@ -202,7 +202,7 @@ objects: - type: "ImageChange" imageChangeParams: - automatic: false + automatic: true containerNames: - "memcached" from: @@ -286,7 +286,7 @@ objects: - type: "ImageChange" imageChangeParams: - automatic: false + automatic: true containerNames: - "postgresql" from: diff --git a/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml index c8e3d4083..4f25a9c8f 100644 --- a/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml +++ b/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml @@ -157,7 +157,7 @@ objects: - type: "ConfigChange" - type: "ImageChange" imageChangeParams: - automatic: false + automatic: true containerNames: - "cloudforms" from: @@ -202,7 +202,7 @@ objects: - type: "ImageChange" imageChangeParams: - automatic: false + automatic: true containerNames: - "memcached" from: @@ -286,7 +286,7 @@ objects: - type: "ImageChange" imageChangeParams: - automatic: false + automatic: true containerNames: - "postgresql" from: diff --git a/roles/openshift_facts/defaults/main.yml b/roles/openshift_facts/defaults/main.yml new file mode 100644 index 000000000..28b388560 --- /dev/null +++ b/roles/openshift_facts/defaults/main.yml @@ -0,0 +1,2 @@ +--- +use_system_containers: false diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index ec2942b69..97b3edd6e 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1785,11 +1785,14 @@ def set_container_facts_if_unset(facts): facts['etcd']['etcd_image'] = etcd_image if 'master' in facts and 'master_image' not in facts['master']: facts['master']['master_image'] = master_image + facts['master']['master_system_image'] = master_image if 'node' in facts: if 'node_image' not in facts['node']: facts['node']['node_image'] = node_image + facts['node']['node_system_image'] = node_image if 'ovs_image' not in facts['node']: facts['node']['ovs_image'] = ovs_image + facts['node']['ovs_system_image'] = ovs_image if safe_get_bool(facts['common']['is_containerized']): facts['common']['admin_binary'] = '/usr/local/bin/oadm' @@ -2078,6 +2081,25 @@ class OpenShiftFacts(object): create_pvc=False ) ), + loggingops=dict( + storage=dict( + kind=None, + volume=dict( + name='logging-es-ops', + size='10Gi' + ), + nfs=dict( + directory='/exports', + options='*(rw,root_squash)' + ), + host=None, + access=dict( + modes=['ReadWriteOnce'] + ), + create_pv=True, + create_pvc=False + ) + ), logging=dict( storage=dict( kind=None, diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index b7b521f1a..9a1982076 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -9,6 +9,10 @@ l_is_atomic: "{{ ostree_booted.stat.exists }}" - set_fact: l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" + l_is_openvswitch_system_container: "{{ (use_openvswitch_system_container | default(use_system_containers) | bool) }}" + l_is_node_system_container: "{{ (use_node_system_container | default(use_system_containers) | bool) }}" + l_is_master_system_container: "{{ (use_master_system_container | default(use_system_containers) | bool) }}" + l_is_etcd_system_container: "{{ (use_etcd_system_container | default(use_system_containers) | bool) }}" - name: Ensure various deps are installed package: name={{ item }} state=present @@ -27,6 +31,11 @@ hostname: "{{ openshift_hostname | default(None) }}" ip: "{{ openshift_ip | default(None) }}" is_containerized: "{{ l_is_containerized | default(None) }}" + is_openvswitch_system_container: "{{ l_is_openvswitch_system_container | default(false) }}" + is_node_system_container: "{{ l_is_node_system_container | default(false) }}" + is_master_system_container: "{{ l_is_master_system_container | default(false) }}" + is_etcd_system_container: "{{ l_is_etcd_system_container | default(false) }}" + system_images_registry: "{{ system_images_registry | default('') }}" public_hostname: "{{ openshift_public_hostname | default(None) }}" public_ip: "{{ openshift_public_ip | default(None) }}" portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}" diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml index ca5e88b15..ced71bb41 100644 --- a/roles/openshift_hosted/meta/main.yml +++ b/roles/openshift_hosted/meta/main.yml @@ -14,6 +14,7 @@ galaxy_info: dependencies: - role: openshift_cli - role: openshift_hosted_facts +- role: lib_openshift - role: openshift_projects openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" - role: openshift_serviceaccounts diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index d87a3847c..216a40874 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml @@ -43,21 +43,26 @@ when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list) - name: Create the secret for the registry certificates - command: > - {{ openshift.common.client_binary }} secrets new registry-certificates - {{ openshift_master_config_dir }}/registry.crt - {{ openshift_master_config_dir }}/registry.key - --config={{ openshift_hosted_kubeconfig }} - -n default + oc_secret: + kubeconfig: "{{ openshift_hosted_kubeconfig }}" + name: registry-certificates + namespace: default + state: present + files: + - name: registry.crt + path: "{{ openshift_master_config_dir }}/registry.crt" + - name: registry.key + path: "{{ openshift_master_config_dir }}/registry.key" register: create_registry_certificates_secret - changed_when: "'already exists' not in create_registry_certificates_secret.stderr" - failed_when: "'already exists' not in create_registry_certificates_secret.stderr and create_registry_certificates_secret.rc != 0" + run_once: true - name: "Add the secret to the registry's pod service accounts" - command: > - {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates - --config={{ openshift_hosted_kubeconfig }} - -n default + oc_serviceaccount_secret: + service_account: "{{ item }}" + secret: registry-certificates + namespace: default + kubeconfig: "{{ openshift_hosted_kubeconfig }}" + state: present with_items: - registry - default diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml index e56a68e27..15128784e 100644 --- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml +++ b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml @@ -53,23 +53,13 @@ create -f - when: secrets.rc == 1 -- name: Determine if service account contains secrets - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - get serviceaccounts registry - -o jsonpath='{.secrets[?(@.name=="{{ registry_config_secret_name }}")].name}' - register: serviceaccount - changed_when: false - - name: Add secrets to registry service account - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - secrets add serviceaccount/registry secrets/{{ registry_config_secret_name }} - when: serviceaccount.stdout == '' + oc_serviceaccount_secret: + service_account: registry + secret: "{{ registry_config_secret_name }}" + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + kubeconfig: "{{ openshift_hosted_kubeconfig }}" + state: present - name: Determine if deployment config contains secrets command: > diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 9394977c0..f7b2f7743 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -24,8 +24,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log - `openshift_logging_image_prefix`: The prefix for the logging images to use. Defaults to 'docker.io/openshift/origin-'. - `openshift_logging_image_version`: The image version for the logging images to use. Defaults to 'latest'. - `openshift_logging_use_ops`: If 'True', set up a second ES and Kibana cluster for infrastructure logs. Defaults to 'False'. -- `master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.cluster.local'. -- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://localhost:8443'. +- `openshift_logging_master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.{{openshift.common.dns_domain}}'. +- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://{{openshift.common.public_hostname}}:8443'. - `openshift_logging_namespace`: The namespace that Aggregated Logging will be installed in. Defaults to 'logging'. - `openshift_logging_curator_default_days`: The default minimum age (in days) Curator uses for deleting log records. Defaults to '30'. - `openshift_logging_curator_run_hour`: The hour of the day that Curator will run at. Defaults to '0'. @@ -51,8 +51,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log - `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'. - `openshift_logging_fluentd_memory_limit`: The memory limit for Fluentd pods. Defaults to '512Mi'. - `openshift_logging_fluentd_es_copy`: Whether or not to use the ES_COPY feature for Fluentd (DEPRECATED). Defaults to 'False'. -- `openshift_logging_fluentd_use_journal`: Whether or not Fluentd should read log entries from Journal. Defaults to 'False'. NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver and may overwrite this value. -- `openshift_logging_fluentd_journal_read_from_head`: Whether or not Fluentd will try to read from the head of Journal when first starting up, using this may cause a delay in ES receiving current log records. Defaults to 'False'. +- `openshift_logging_fluentd_use_journal`: NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver when using the default of empty. +- `openshift_logging_fluentd_journal_read_from_head`: If empty, Fluentd will use its internal default, which is false. - `openshift_logging_fluentd_hosts`: List of nodes that should be labeled for Fluentd to be deployed to. Defaults to ['--all']. - `openshift_logging_es_host`: The name of the ES service Fluentd should send logs to. Defaults to 'logging-es'. diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index ead59c029..bdb168921 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -1,9 +1,9 @@ --- -openshift_logging_image_prefix: docker.io/openshift/origin- -openshift_logging_image_version: latest +openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}" +openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}" openshift_logging_use_ops: False -master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" -openshift_logging_master_public_url: "https://{{openshift.common.public_hostname}}:8443" +openshift_logging_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" +openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://{{openshift.common.public_hostname}}:8443') }}" openshift_logging_namespace: logging openshift_logging_install_logging: True @@ -19,7 +19,7 @@ openshift_logging_curator_memory_limit: null openshift_logging_curator_ops_cpu_limit: 100m openshift_logging_curator_ops_memory_limit: null -openshift_logging_kibana_hostname: "kibana.{{openshift.common.dns_domain}}" +openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default(kibana.{{openshift.common.dns_domain}}) }}" openshift_logging_kibana_cpu_limit: null openshift_logging_kibana_memory_limit: null openshift_logging_kibana_proxy_debug: false @@ -27,7 +27,19 @@ openshift_logging_kibana_proxy_cpu_limit: null openshift_logging_kibana_proxy_memory_limit: null openshift_logging_kibana_replica_count: 1 -openshift_logging_kibana_ops_hostname: "kibana-ops.{{openshift.common.dns_domain}}" +#The absolute path on the control node to the cert file to use +#for the public facing kibana certs +openshift_logging_kibana_cert: "" + +#The absolute path on the control node to the key file to use +#for the public facing kibana certs +openshift_logging_kibana_key: "" + +#The absolute path on the control node to the CA file to use +#for the public facing kibana certs +openshift_logging_kibana_ca: "" + +openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default('kibana-ops.{{openshift.common.dns_domain}}') }}" openshift_logging_kibana_ops_cpu_limit: null openshift_logging_kibana_ops_memory_limit: null openshift_logging_kibana_ops_proxy_debug: false @@ -39,8 +51,8 @@ openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'} openshift_logging_fluentd_cpu_limit: 100m openshift_logging_fluentd_memory_limit: 512Mi openshift_logging_fluentd_es_copy: false -openshift_logging_fluentd_use_journal: false -openshift_logging_fluentd_journal_read_from_head: false +openshift_logging_fluentd_use_journal: '' +openshift_logging_fluentd_journal_read_from_head: '' openshift_logging_fluentd_hosts: ['--all'] openshift_logging_es_host: logging-es @@ -48,13 +60,13 @@ openshift_logging_es_port: 9200 openshift_logging_es_ca: /etc/fluent/keys/ca openshift_logging_es_client_cert: /etc/fluent/keys/cert openshift_logging_es_client_key: /etc/fluent/keys/key -openshift_logging_es_cluster_size: 1 +openshift_logging_es_cluster_size: "{{ openshift_hosted_logging_elasticsearch_cluster_size | default(1) }}" openshift_logging_es_cpu_limit: null openshift_logging_es_memory_limit: 1024Mi openshift_logging_es_pv_selector: null -openshift_logging_es_pvc_dynamic: False -openshift_logging_es_pvc_size: "" -openshift_logging_es_pvc_prefix: logging-es +openshift_logging_es_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_pvc_dynamic | default(False) }}" +openshift_logging_es_pvc_size: "{{ openshift_hosted_logging_elasticsearch_pvc_size | default('') }}" +openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}" openshift_logging_es_recover_after_time: 5m openshift_logging_es_storage_group: 65534 @@ -66,13 +78,13 @@ openshift_logging_es_ops_port: 9200 openshift_logging_es_ops_ca: /etc/fluent/keys/ca openshift_logging_es_ops_client_cert: /etc/fluent/keys/cert openshift_logging_es_ops_client_key: /etc/fluent/keys/key -openshift_logging_es_ops_cluster_size: 1 +openshift_logging_es_ops_cluster_size: "{{ openshift_hosted_logging_elasticsearch_ops_cluster_size | default(1) }}" openshift_logging_es_ops_cpu_limit: null openshift_logging_es_ops_memory_limit: 1024Mi openshift_logging_es_ops_pv_selector: None -openshift_logging_es_ops_pvc_dynamic: False -openshift_logging_es_ops_pvc_size: "" -openshift_logging_es_ops_pvc_prefix: logging-es-ops +openshift_logging_es_ops_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_dynamic | default(False) }}" +openshift_logging_es_ops_pvc_size: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_size | default('') }}" +openshift_logging_es_ops_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_prefix | default('logging-es-ops') }}" openshift_logging_es_ops_recover_after_time: 5m openshift_logging_es_ops_storage_group: 65534 diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml index 908f3ee88..9621d0d1a 100644 --- a/roles/openshift_logging/tasks/delete_logging.yaml +++ b/roles/openshift_logging/tasks/delete_logging.yaml @@ -80,16 +80,16 @@ # delete our service accounts - name: delete service accounts - command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig - delete serviceaccount {{ item }} -n {{ openshift_logging_namespace }} --ignore-not-found=true + oc_serviceaccount: + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + name: "{{ item }}" + namespace: "{{ openshift_logging_namespace }}" + state: absent with_items: - aggregated-logging-elasticsearch - aggregated-logging-kibana - aggregated-logging-curator - aggregated-logging-fluentd - register: delete_result - changed_when: delete_result.stdout.find("deleted") != -1 and delete_result.rc == 0 # delete our roles - name: delete roles diff --git a/roles/openshift_logging/tasks/generate_pvcs.yaml b/roles/openshift_logging/tasks/generate_pvcs.yaml index 601ec9e83..d782d621e 100644 --- a/roles/openshift_logging/tasks/generate_pvcs.yaml +++ b/roles/openshift_logging/tasks/generate_pvcs.yaml @@ -4,10 +4,10 @@ vars: pvc_name: "{{openshift_logging_es_pvc_prefix}}-{{item| int}}" start: "{{es_pvc_names | map('regex_search',openshift_logging_es_pvc_prefix+'.*')|select('string')|list|length}}" - with_sequence: start={{start}} end={{ (start|int > openshift_logging_es_cluster_size - 1) | ternary(start, openshift_logging_es_cluster_size - 1)}} + with_sequence: start={{start}} end={{ (start|int > openshift_logging_es_cluster_size|int - 1) | ternary(start, openshift_logging_es_cluster_size|int - 1)}} when: - openshift_logging_es_pvc_size | search('^\d.*') - - "{{ es_dc_names|default([]) | length < openshift_logging_es_cluster_size }}" + - "{{ es_dc_names|default([]) | length < openshift_logging_es_cluster_size|int }}" check_mode: no - name: Generating PersistentVolumeClaims diff --git a/roles/openshift_logging/tasks/generate_routes.yaml b/roles/openshift_logging/tasks/generate_routes.yaml index 60694f67e..3c462378b 100644 --- a/roles/openshift_logging/tasks/generate_routes.yaml +++ b/roles/openshift_logging/tasks/generate_routes.yaml @@ -1,4 +1,20 @@ --- +- set_fact: kibana_key={{ lookup('file', openshift_logging_kibana_key) | b64encode }} + when: "{{ openshift_logging_kibana_key | trim | length > 0 }}" + changed_when: false + +- set_fact: kibana_cert={{ lookup('file', openshift_logging_kibana_cert)| b64encode }} + when: "{{openshift_logging_kibana_cert | trim | length > 0}}" + changed_when: false + +- set_fact: kibana_ca={{ lookup('file', openshift_logging_kibana_ca)| b64encode }} + when: "{{openshift_logging_kibana_ca | trim | length > 0}}" + changed_when: false + +- set_fact: kibana_ca={{key_pairs | entry_from_named_pair('ca_file') }} + when: kibana_ca is not defined + changed_when: false + - name: Generating logging routes template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-{{route_info.name}}-route.yaml tags: routes @@ -6,7 +22,9 @@ obj_name: "{{route_info.name}}" route_host: "{{route_info.host}}" service_name: "{{route_info.name}}" - tls_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}" + tls_key: "{{kibana_key | default('') | b64decode}}" + tls_cert: "{{kibana_cert | default('') | b64decode}}" + tls_ca_cert: "{{kibana_ca | b64decode}}" tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}" labels: component: support diff --git a/roles/openshift_logging/tasks/install_elasticsearch.yaml b/roles/openshift_logging/tasks/install_elasticsearch.yaml index 1d6e55e44..f9c2c81fb 100644 --- a/roles/openshift_logging/tasks/install_elasticsearch.yaml +++ b/roles/openshift_logging/tasks/install_elasticsearch.yaml @@ -54,10 +54,10 @@ fail: msg="The openshift_logging_es_ops_cluster_size may not be scaled down more than 1 less (or 0) the number of Elasticsearch nodes already deployed" vars: es_dcs: "{{openshift_logging_facts.elasticsearch_ops.deploymentconfigs}}" - cluster_size: "{{openshift_logging_es_ops_cluster_size}}" + cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}" when: - openshift_logging_use_ops | bool - - "{{es_dcs | length - openshift_logging_es_ops_cluster_size | abs > 1}}" + - "{{es_dcs | length - openshift_logging_es_ops_cluster_size|int | abs > 1}}" check_mode: no - name: Generate PersistentVolumeClaims for Ops @@ -66,7 +66,7 @@ es_pvc_names: "{{openshift_logging_facts.elasticsearch_ops.pvcs.keys()}}" es_dc_names: "{{openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys()}}" openshift_logging_es_pvc_prefix: "{{openshift_logging_es_ops_pvc_prefix}}" - openshift_logging_es_cluster_size: "{{openshift_logging_es_ops_cluster_size}}" + openshift_logging_es_cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}" openshift_logging_es_pvc_size: "{{openshift_logging_es_ops_pvc_size}}" openshift_logging_es_pvc_dynamic: "{{openshift_logging_es_ops_pvc_dynamic}}" openshift_logging_es_pv_selector: "{{openshift_logging_es_ops_pv_selector}}" @@ -89,7 +89,7 @@ es_cluster_name: "{{component}}" deploy_name_prefix: "logging-{{component}}" deploy_name: "{{deploy_name_prefix}}-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}" - cluster_size: "{{openshift_logging_es_ops_cluster_size}}" + cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}" with_sequence: count={{ openshift_logging_es_ops_cluster_size | int - openshift_logging_current_es_ops_size | int }} when: - openshift_logging_use_ops | bool diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index d52429f03..e23c3f9f1 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml @@ -9,11 +9,11 @@ - name: Validate Elasticsearch cluster size fail: msg="The openshift_logging_es_cluster_size may only be scaled down manually. Please see official documentation on how to do this." - when: openshift_logging_facts.elasticsearch.deploymentconfigs | length > openshift_logging_es_cluster_size + when: openshift_logging_facts.elasticsearch.deploymentconfigs | length > openshift_logging_es_cluster_size|int - name: Validate Elasticsearch Ops cluster size fail: msg="The openshift_logging_es_ops_cluster_size may only be scaled down manually. Please see official documentation on how to do this." - when: openshift_logging_facts.elasticsearch_ops.deploymentconfigs | length > openshift_logging_es_ops_cluster_size + when: openshift_logging_facts.elasticsearch_ops.deploymentconfigs | length > openshift_logging_es_ops_cluster_size|int - name: Install logging include: "{{ role_path }}/tasks/install_{{ install_component }}.yaml" diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2 index de6258eaa..b7bc15b62 100644 --- a/roles/openshift_logging/templates/curator.j2 +++ b/roles/openshift_logging/templates/curator.j2 @@ -48,7 +48,7 @@ spec: env: - name: "K8S_HOST_URL" - value: "{{master_url}}" + value: "{{openshift_logging_master_url}}" - name: "ES_HOST" value: "{{es_host}}" diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2 index b6c91f8ed..223d342b9 100644 --- a/roles/openshift_logging/templates/fluentd.j2 +++ b/roles/openshift_logging/templates/fluentd.j2 @@ -61,7 +61,7 @@ spec: readOnly: true env: - name: "K8S_HOST_URL" - value: "{{master_url}}" + value: "{{openshift_logging_master_url}}" - name: "ES_HOST" value: "{{openshift_logging_es_host}}" - name: "ES_PORT" diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2 index 3a9e03768..be9b45ab4 100644 --- a/roles/openshift_logging/templates/kibana.j2 +++ b/roles/openshift_logging/templates/kibana.j2 @@ -90,7 +90,7 @@ spec: value: kibana-proxy - name: "OAP_MASTER_URL" - value: {{master_url}} + value: {{openshift_logging_master_url}} - name: "OAP_PUBLIC_MASTER_URL" value: {{openshift_logging_master_public_url}} diff --git a/roles/openshift_logging/templates/route_reencrypt.j2 b/roles/openshift_logging/templates/route_reencrypt.j2 index 8be30a2c4..341ffdd84 100644 --- a/roles/openshift_logging/templates/route_reencrypt.j2 +++ b/roles/openshift_logging/templates/route_reencrypt.j2 @@ -11,6 +11,14 @@ metadata: spec: host: {{ route_host }} tls: +{% if tls_key is defined and tls_key | length > 0 %} + key: | +{{ tls_key|indent(6, true) }} +{% if tls_cert is defined and tls_cert | length > 0 %} + certificate: | +{{ tls_cert|indent(6, true) }} +{% endif %} +{% endif %} caCertificate: | {% for line in tls_ca_cert.split('\n') %} {{ line }} diff --git a/roles/openshift_logging/vars/main.yaml b/roles/openshift_logging/vars/main.yaml index 11662c446..07cc05683 100644 --- a/roles/openshift_logging/vars/main.yaml +++ b/roles/openshift_logging/vars/main.yaml @@ -1,8 +1,8 @@ --- openshift_master_config_dir: "{{ openshift.common.config_base }}/master" -es_node_quorum: "{{openshift_logging_es_cluster_size/2 + 1}}" -es_recover_after_nodes: "{{openshift_logging_es_cluster_size - 1}}" -es_recover_expected_nodes: "{{openshift_logging_es_cluster_size}}" -es_ops_node_quorum: "{{openshift_logging_es_ops_cluster_size/2 + 1}}" -es_ops_recover_after_nodes: "{{openshift_logging_es_ops_cluster_size - 1}}" -es_ops_recover_expected_nodes: "{{openshift_logging_es_ops_cluster_size}}" +es_node_quorum: "{{openshift_logging_es_cluster_size|int/2 + 1}}" +es_recover_after_nodes: "{{openshift_logging_es_cluster_size|int - 1}}" +es_recover_expected_nodes: "{{openshift_logging_es_cluster_size|int}}" +es_ops_node_quorum: "{{openshift_logging_es_ops_cluster_size|int/2 + 1}}" +es_ops_recover_after_nodes: "{{openshift_logging_es_ops_cluster_size|int - 1}}" +es_ops_recover_expected_nodes: "{{openshift_logging_es_ops_cluster_size|int}}" diff --git a/roles/openshift_manageiq/meta/main.yml b/roles/openshift_manageiq/meta/main.yml new file mode 100644 index 000000000..6c96a91bf --- /dev/null +++ b/roles/openshift_manageiq/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: Erez Freiberger + description: ManageIQ + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: lib_openshift diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index a7214482f..e58947fd2 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -18,27 +18,15 @@ failed_when: "'already exists' not in osmiq_create_mi_project.stderr and osmiq_create_mi_project.rc != 0" changed_when: osmiq_create_mi_project.rc == 0 -- name: Create Admin Service Account - shell: > - echo {{ manageiq_service_account | to_json | quote }} | - {{ openshift.common.client_binary }} create - -n management-infra - --config={{manage_iq_tmp_conf}} - -f - - register: osmiq_create_service_account - failed_when: "'already exists' not in osmiq_create_service_account.stderr and osmiq_create_service_account.rc != 0" - changed_when: osmiq_create_service_account.rc == 0 - -- name: Create Image Inspector Service Account - shell: > - echo {{ manageiq_image_inspector_service_account | to_json | quote }} | - {{ openshift.common.client_binary }} create - -n management-infra - --config={{manage_iq_tmp_conf}} - -f - - register: osmiq_create_service_account - failed_when: "'already exists' not in osmiq_create_service_account.stderr and osmiq_create_service_account.rc != 0" - changed_when: osmiq_create_service_account.rc == 0 +- name: Create Admin and Image Inspector Service Account + oc_serviceaccount: + kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig" + name: "{{ item }}" + namespace: management-infra + state: present + with_items: + - management-admin + - inspector-admin - name: Create Cluster Role shell: > diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml index 3f24fd6be..9936bb126 100644 --- a/roles/openshift_manageiq/vars/main.yml +++ b/roles/openshift_manageiq/vars/main.yml @@ -1,4 +1,5 @@ --- +openshift_master_config_dir: "{{ openshift.common.config_base }}/master" manageiq_cluster_role: apiVersion: v1 kind: ClusterRole @@ -24,18 +25,6 @@ manageiq_metrics_admin_clusterrole: verbs: - '*' -manageiq_service_account: - apiVersion: v1 - kind: ServiceAccount - metadata: - name: management-admin - -manageiq_image_inspector_service_account: - apiVersion: v1 - kind: ServiceAccount - metadata: - name: inspector-admin - manage_iq_tmp_conf: /tmp/manageiq_admin.kubeconfig manage_iq_tasks: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 9cd6b6c81..2ef61cddf 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -131,6 +131,10 @@ - name: Install the systemd units include: systemd_units.yml +- name: Install Master system container + include: system_container.yml + when: openshift.common.is_containerized | bool and openshift.common.is_master_system_container | bool + - name: Create session secrets file template: dest: "{{ openshift.master.session_secrets_file }}" diff --git a/roles/openshift_master/tasks/system_container.yml b/roles/openshift_master/tasks/system_container.yml new file mode 100644 index 000000000..e3e3d7948 --- /dev/null +++ b/roles/openshift_master/tasks/system_container.yml @@ -0,0 +1,36 @@ +--- +- name: Pre-pull master system container image + command: > + atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Pulling layer' in pull_result.stdout" + +- name: Check Master system container package + command: > + atomic containers list --no-trunc -a -f container={{ openshift.common.service_type }}-master + register: result + +- name: Update Master system container package + command: > + atomic containers update {{ openshift.common.service_type }}-master + register: update_result + changed_when: "'Extracting' in update_result.stdout" + when: + - ("master" in result.stdout) + - (openshift.common.version is defined) and (openshift.common.version == openshift_version) | bool + +- name: Uninstall Master system container package + command: > + atomic uninstall {{ openshift.common.service_type }}-master + failed_when: False + when: + - ("master" in result.stdout) + - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) | bool + +- name: Install Master system container package + command: > + atomic install --system --name={{ openshift.common.service_type }}-master {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }} + when: + - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("master" not in result.stdout) | bool + notify: + - restart master diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml index 39ea42ab3..4ab98cbbb 100644 --- a/roles/openshift_master/tasks/systemd_units.yml +++ b/roles/openshift_master/tasks/systemd_units.yml @@ -20,14 +20,14 @@ docker pull {{ openshift.master.master_image }}:{{ openshift_image_tag }} register: pull_result changed_when: "'Downloaded newer image' in pull_result.stdout" - when: openshift.common.is_containerized | bool + when: openshift.common.is_containerized | bool and not openshift.common.is_master_system_container | bool # workaround for missing systemd unit files - name: Create the systemd unit files template: src: "master_docker/master.docker.service.j2" dest: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service" - when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool) + when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool) register: create_master_unit_file - command: systemctl daemon-reload @@ -132,7 +132,7 @@ dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service" src: master_docker/master.docker.service.j2 register: install_result - when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool + when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool - name: Preserve Master Proxy Config options command: grep PROXY /etc/sysconfig/{{ openshift.common.service_type }}-master diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py index 0c94228c6..ef322bd7d 100644 --- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py +++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py @@ -52,6 +52,9 @@ class LookupModule(LookupBase): # convert short_version to origin short_version short_version = re.sub('^3.', '1.', short_version) + if short_version == 'latest': + short_version = '1.6' + # Predicates ordered according to OpenShift Origin source: # origin/vendor/k8s.io/kubernetes/plugin/pkg/scheduler/algorithmprovider/defaults/defaults.go diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py index 95ace7923..6ad40e748 100644 --- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py +++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py @@ -53,6 +53,9 @@ class LookupModule(LookupBase): # convert short_version to origin short_version short_version = re.sub('^3.', '1.', short_version) + if short_version == 'latest': + short_version = '1.6' + if short_version == '1.1': priorities.extend([ {'name': 'LeastRequestedPriority', 'weight': 1}, diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 17614f716..0cfbac8a9 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -23,6 +23,7 @@ openshift_metrics_cassandra_limits_cpu: null openshift_metrics_cassandra_requests_memory: 1G openshift_metrics_cassandra_requests_cpu: null openshift_metrics_cassandra_nodeselector: "" +openshift_metrics_cassandra_storage_group: 65534 openshift_metrics_heapster_standalone: False openshift_metrics_heapster_limits_memory: 3.75G @@ -31,6 +32,8 @@ openshift_metrics_heapster_requests_memory: 0.9375G openshift_metrics_heapster_requests_cpu: null openshift_metrics_heapster_nodeselector: "" +openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}" + openshift_metrics_duration: 7 openshift_metrics_resolution: 15s @@ -39,7 +42,6 @@ openshift_metrics_resolution: 15s # overriding the values here ##### -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics" openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local openshift_metrics_node_id: nodename openshift_metrics_project: openshift-infra diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 4925275e8..f7cba0093 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -1,11 +1,11 @@ --- - name: generate ca certificate chain - shell: > + command: > {{ openshift.common.admin_binary }} ca create-signer-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/ca.key' - --cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' + --key='{{ mktemp.stdout }}/ca.key' + --cert='{{ mktemp.stdout }}/ca.crt' + --serial='{{ mktemp.stdout }}/ca.serial.txt' --name="metrics-signer@$(date +%s)" - when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists + - include: generate_hawkular_certificates.yaml diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 9333d341c..854697abb 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,13 +13,13 @@ hostnames: hawkular-cassandra changed_when: no -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd register: cassandra_truststore_password -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd register: hawkular_truststore_password -- stat: path="{{openshift_metrics_certs_dir}}/{{item}}" +- stat: path="{{mktemp.stdout}}/{{item}}" register: pwd_file_stat with_items: - hawkular-metrics.pwd @@ -32,44 +32,33 @@ with_items: "{{pwd_file_stat.results}}" changed_when: no -- name: Create temp directory local on control node - local_action: command mktemp -d - register: local_tmp - changed_when: False - - name: generate password for hawkular metrics and jgroups local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}" with_items: - hawkular-metrics - hawkular-jgroups-keystore - when: "not pwd_files['{{ item }}.pwd'].exists" - name: generate htpasswd file for hawkular metrics local_action: > shell htpasswd -ci '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular < '{{ local_tmp.stdout }}/hawkular-metrics.pwd' - when: "not pwd_files['hawkular-metrics.htpasswd'].exists" - name: copy local generated passwords to target copy: src: "{{local_tmp.stdout}}/{{item}}" - dest: "{{openshift_metrics_certs_dir}}/{{item}}" + dest: "{{mktemp.stdout}}/{{item}}" with_items: - hawkular-metrics.pwd - hawkular-metrics.htpasswd - hawkular-jgroups-keystore.pwd - when: "not pwd_files['{{ item }}'].exists" - include: import_jks_certs.yaml -- local_action: file path="{{local_tmp.stdout}}" state=absent - changed_when: False - - name: read files for the hawkular-metrics secret shell: > printf '%s: ' '{{ item }}' - && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' + && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}' register: hawkular_secrets with_items: - ca.crt diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml index 2449b1518..ced2df1d0 100644 --- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml @@ -3,13 +3,12 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/heapster.key' - --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' + --key='{{ mktemp.stdout }}/heapster.key' + --cert='{{ mktemp.stdout }}/heapster.cert' --hostnames=heapster - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines" block: @@ -17,11 +16,11 @@ slurp: src={{ item }} register: heapster_secret with_items: - - "{{ openshift_metrics_certs_dir }}/heapster.cert" - - "{{ openshift_metrics_certs_dir }}/heapster.key" + - "{{ mktemp.stdout }}/heapster.cert" + - "{{ mktemp.stdout }}/heapster.key" - "{{ client_ca }}" vars: - custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt" + custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt" default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt" client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}" - name: generate heapster secret template diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml index 16fd8d9f8..57ec70c79 100644 --- a/roles/openshift_metrics/tasks/import_jks_certs.yaml +++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml @@ -1,37 +1,37 @@ --- -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore" register: cassandra_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore" register: cassandra_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore" register: metrics_keystore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.truststore" register: metrics_truststore check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-jgroups.keystore" register: jgroups_keystore check_mode: no - block: - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd register: metrics_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd register: cassandra_keystore_password - - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd + - slurp: src={{ mktemp.stdout }}/hawkular-jgroups-keystore.pwd register: jgroups_keystore_password - fetch: dest: "{{local_tmp.stdout}}/" - src: "{{ openshift_metrics_certs_dir }}/{{item}}" + src: "{{ mktemp.stdout }}/{{item}}" flat: yes changed_when: False with_items: @@ -52,7 +52,7 @@ changed_when: False - copy: - dest: "{{openshift_metrics_certs_dir}}/" + dest: "{{mktemp.stdout}}/" src: "{{item}}" with_fileglob: "{{local_tmp.stdout}}/*.*store" diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 1ba11efa8..6b37f85ab 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -17,7 +17,7 @@ changed_when: false - name: read hawkular-metrics route destination ca certificate - slurp: src={{ openshift_metrics_certs_dir }}/ca.crt + slurp: src={{ mktemp.stdout }}/ca.crt register: metrics_route_dest_ca_cert changed_when: false diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml index 66925c113..66a3abdbd 100644 --- a/roles/openshift_metrics/tasks/install_metrics.yaml +++ b/roles/openshift_metrics/tasks/install_metrics.yaml @@ -34,6 +34,20 @@ file_content: "{{ item.content | b64decode | from_yaml }}" with_items: "{{ object_defs.results }}" +- command: > + {{openshift.common.client_binary}} + --config={{mktemp.stdout}}/admin.kubeconfig + get rc + -l metrics-infra + -o name + -n {{openshift_metrics_project}} + register: existing_metrics_rc + changed_when: no + +- name: Scaling down cluster to recognize changes + include: stop_metrics.yaml + when: "{{ existing_metrics_rc.stdout_lines | length > 0 }}" + - name: Scaling up cluster include: start_metrics.yaml tags: openshift_metrics_start_cluster diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index d03d4176b..1eebff3bf 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -9,6 +9,11 @@ changed_when: False when: "{{ openshift_metrics_install_metrics | bool }}" +- name: Create temp directory local on control node + local_action: command mktemp -d + register: local_tmp + changed_when: False + - name: Copy the admin client config(s) command: > cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig @@ -17,3 +22,9 @@ tags: metrics_init - include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}" + +- name: Delete temp directory + local_action: file path=local_tmp.stdout state=absent + tags: metrics_cleanup + changed_when: False + check_mode: no diff --git a/roles/openshift_metrics/tasks/pre_install.yaml b/roles/openshift_metrics/tasks/pre_install.yaml index 262acd546..2e2013d40 100644 --- a/roles/openshift_metrics/tasks/pre_install.yaml +++ b/roles/openshift_metrics/tasks/pre_install.yaml @@ -12,12 +12,6 @@ - openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types - "not {{ openshift_metrics_heapster_standalone | bool }}" -- name: create certificate output directory - file: - path: "{{ openshift_metrics_certs_dir }}" - state: directory - mode: 0700 - - name: list existing secrets command: > {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 5ca8f4462..199968579 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml @@ -3,50 +3,41 @@ command: > {{ openshift.common.admin_binary }} ca create-server-cert --config={{ mktemp.stdout }}/admin.kubeconfig - --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' - --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' + --key='{{ mktemp.stdout }}/{{ component }}.key' + --cert='{{ mktemp.stdout }}/{{ component }}.crt' --hostnames='{{ hostnames }}' - --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' - --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' - --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists + --signer-cert='{{ mktemp.stdout }}/ca.crt' + --signer-key='{{ mktemp.stdout }}/ca.key' + --signer-serial='{{ mktemp.stdout }}/ca.serial.txt' - slurp: src={{item}} register: component_certs with_items: - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' - - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.key' + - '{{ mktemp.stdout | quote }}/{{ component|quote }}.crt' - name: generate {{ component }} certificate copy: - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' + dest: '{{ mktemp.stdout }}/{{ component }}.pem' content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}" - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists - name: generate random password for the {{ component }} keystore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' - when: > - not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists + dest: '{{ mktemp.stdout }}/{{ component }}-keystore.pwd' -- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd +- slurp: src={{ mktemp.stdout | quote }}/{{ component|quote }}-keystore.pwd register: keystore_password - name: create the {{ component }} pkcs12 from the pem file command: > openssl pkcs12 -export - -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' - -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' + -in '{{ mktemp.stdout }}/{{ component }}.pem' + -out '{{ mktemp.stdout }}/{{ component }}.pkcs12' -name '{{ component }}' -noiter -nomaciter -password 'pass:{{keystore_password.content | b64decode }}' - when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists - name: generate random password for the {{ component }} truststore copy: content: "{{ 15 | oo_random_word }}" - dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' - when: > - not - '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists + dest: '{{ mktemp.stdout | quote }}/{{ component|quote }}-truststore.pwd' diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 6f6efc469..504476dc4 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -19,6 +19,9 @@ spec: type: hawkular-cassandra spec: serviceAccount: cassandra + securityContext: + supplementalGroups: + - {{openshift_metrics_cassandra_storage_group}} {% if node_selector is iterable and node_selector | length > 0 %} nodeSelector: {% for key, value in node_selector.iteritems() %} diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index e970c4cd1..691227915 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -60,6 +60,12 @@ state: present when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool +- name: Install conntrack-tools package + package: + name: "conntrack-tools" + state: present + when: not openshift.common.is_containerized | bool + - name: Install the systemd units include: systemd_units.yml @@ -69,7 +75,7 @@ - name: Persist net.ipv4.ip_forward sysctl entry sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes -- name: Start and enable openvswitch docker service +- name: Start and enable openvswitch service systemd: name: openvswitch.service enabled: yes diff --git a/roles/openshift_node/tasks/node_system_container.yml b/roles/openshift_node/tasks/node_system_container.yml new file mode 100644 index 000000000..01e2d33c7 --- /dev/null +++ b/roles/openshift_node/tasks/node_system_container.yml @@ -0,0 +1,34 @@ +--- +- name: Pre-pull node system container image + command: > + atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Pulling layer' in pull_result.stdout" + +- name: Check Node system container package + command: > + atomic containers list --no-trunc -a -f container={{ openshift.common.service_type }}-node + register: result + +- name: Update Node system container package + command: > + atomic containers update {{ openshift.common.service_type }}-node + register: update_result + changed_when: "'Extracting' in update_result.stdout" + when: + - (openshift.common.version is defined) and (openshift.common.version == openshift_version) and ("node" in result.stdout) | bool + +- name: Uninstall Node system container package + command: > + atomic uninstall {{ openshift.common.service_type }}-node + failed_when: False + when: + - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) and ("node" in result.stdout) | bool + +- name: Install Node system container package + command: > + atomic install --system --name={{ openshift.common.service_type }}-node {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }} + register: install_node_result + changed_when: "'Extracting' in pull_result.stdout" + when: + - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("node" not in result.stdout) | bool diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml new file mode 100644 index 000000000..47fac99eb --- /dev/null +++ b/roles/openshift_node/tasks/openvswitch_system_container.yml @@ -0,0 +1,36 @@ +--- +- name: Pre-pull OpenVSwitch system container image + command: > + atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Pulling layer' in pull_result.stdout" + +- name: Check OpenvSwitch system container package + command: > + atomic containers list --no-trunc -a -f container=openvswitch + register: result + when: + - openshift.common.is_openvswitch_system_container | bool + +- name: Update OpenvSwitch system container package + command: > + atomic containers update openvswitch + register: update_result + changed_when: "'Extracting' in update_result.stdout" + when: + - (openshift.common.version is defined) and (openshift.common.version == openshift_version) and ("openvswitch" in result.stdout) | bool + +- name: Uninstall OpenvSwitch system container package + command: > + atomic uninstall openvswitch + failed_when: False + when: + - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) and ("openvswitch" in result.stdout) | bool + +- name: Install OpenvSwitch system container package + command: > + atomic install --system --name=openvswitch {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }} + when: + - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("openvswitch" not in result.stdout) | bool + notify: + - restart docker diff --git a/roles/openshift_node/tasks/systemd_units.yml b/roles/openshift_node/tasks/systemd_units.yml index 5243a87fe..52482d09b 100644 --- a/roles/openshift_node/tasks/systemd_units.yml +++ b/roles/openshift_node/tasks/systemd_units.yml @@ -2,20 +2,6 @@ # This file is included both in the openshift_master role and in the upgrade # playbooks. -- name: Pre-pull node image - command: > - docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }} - register: pull_result - changed_when: "'Downloaded newer image' in pull_result.stdout" - when: openshift.common.is_containerized | bool - -- name: Pre-pull openvswitch image - command: > - docker pull {{ openshift.node.ovs_image }}:{{ openshift_image_tag }} - register: pull_result - changed_when: "'Downloaded newer image' in pull_result.stdout" - when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool - - name: Install Node dependencies docker service file template: dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node-dep.service" @@ -23,12 +9,21 @@ register: install_node_dep_result when: openshift.common.is_containerized | bool -- name: Install Node docker service file - template: - dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service" - src: openshift.docker.node.service - register: install_node_result - when: openshift.common.is_containerized | bool +- block: + - name: Pre-pull node image + command: > + docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Downloaded newer image' in pull_result.stdout" + + - name: Install Node docker service file + template: + dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service" + src: openshift.docker.node.service + register: install_node_result + when: + - openshift.common.is_containerized | bool + - not openshift.common.is_node_system_container | bool - name: Create the openvswitch service env file template: @@ -39,6 +34,19 @@ notify: - restart openvswitch +- name: Install Node system container + include: node_system_container.yml + when: + - openshift.common.is_containerized | bool + - openshift.common.is_node_system_container | bool + +- name: Install OpenvSwitch system containers + include: openvswitch_system_container.yml + when: + - openshift.common.use_openshift_sdn | default(true) | bool + - openshift.common.is_containerized | bool + - openshift.common.is_openvswitch_system_container | bool + # May be a temporary workaround. # https://bugzilla.redhat.com/show_bug.cgi?id=1331590 - name: Create OpenvSwitch service.d directory @@ -54,13 +62,23 @@ notify: - restart openvswitch -- name: Install OpenvSwitch docker service file - template: - dest: "/etc/systemd/system/openvswitch.service" - src: openvswitch.docker.service - when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | default(true) | bool - notify: - - restart openvswitch +- block: + - name: Pre-pull openvswitch image + command: > + docker pull {{ openshift.node.ovs_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Downloaded newer image' in pull_result.stdout" + + - name: Install OpenvSwitch docker service file + template: + dest: "/etc/systemd/system/openvswitch.service" + src: openvswitch.docker.service + notify: + - restart openvswitch + when: + - openshift.common.is_containerized | bool + - openshift.common.use_openshift_sdn | default(true) | bool + - not openshift.common.is_openvswitch_system_container | bool - name: Configure Node settings lineinfile: diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml index a2c9fee70..7a30c220f 100644 --- a/roles/openshift_serviceaccounts/meta/main.yml +++ b/roles/openshift_serviceaccounts/meta/main.yml @@ -13,3 +13,4 @@ galaxy_info: - cloud dependencies: - { role: openshift_facts } +- { role: lib_openshift } diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index d83ccf7de..1d570fa5b 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml @@ -1,21 +1,11 @@ --- -- name: test if service accounts exists - command: > - {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }} - with_items: "{{ openshift_serviceaccounts_names }}" - failed_when: false - changed_when: false - register: account_test - - name: create the service account - shell: > - echo {{ lookup('template', '../templates/serviceaccount.j2') - | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }} - -n {{ openshift_serviceaccounts_namespace }} create -f - - when: item.1.rc != 0 - with_together: + oc_serviceaccount: + name: "{{ item }}" + namespace: "{{ openshift_serviceaccounts_namespace }}" + state: present + with_items: - "{{ openshift_serviceaccounts_names }}" - - "{{ account_test.results }}" - name: test if scc needs to be updated command: > diff --git a/roles/openshift_storage_nfs/tasks/main.yml b/roles/openshift_storage_nfs/tasks/main.yml index fd935f105..0d6b8b7d4 100644 --- a/roles/openshift_storage_nfs/tasks/main.yml +++ b/roles/openshift_storage_nfs/tasks/main.yml @@ -29,6 +29,7 @@ - "{{ openshift.hosted.registry }}" - "{{ openshift.hosted.metrics }}" - "{{ openshift.hosted.logging }}" + - "{{ openshift.hosted.loggingops }}" - name: Configure exports diff --git a/roles/openshift_storage_nfs/templates/exports.j2 b/roles/openshift_storage_nfs/templates/exports.j2 index 2d6dd85e3..8c6d4105c 100644 --- a/roles/openshift_storage_nfs/templates/exports.j2 +++ b/roles/openshift_storage_nfs/templates/exports.j2 @@ -1,3 +1,4 @@ {{ openshift.hosted.registry.storage.nfs.directory }}/{{ openshift.hosted.registry.storage.volume.name }} {{ openshift.hosted.registry.storage.nfs.options }} {{ openshift.hosted.metrics.storage.nfs.directory }}/{{ openshift.hosted.metrics.storage.volume.name }} {{ openshift.hosted.metrics.storage.nfs.options }} {{ openshift.hosted.logging.storage.nfs.directory }}/{{ openshift.hosted.logging.storage.volume.name }} {{ openshift.hosted.logging.storage.nfs.options }} +{{ openshift.hosted.loggingops.storage.nfs.directory }}/{{ openshift.hosted.loggingops.storage.volume.name }} {{ openshift.hosted.loggingops.storage.nfs.options }} |