-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--README_AEP.md2
-rw-r--r--README_OSE.md2
-rw-r--r--README_origin.md6
-rw-r--r--filter_plugins/oo_filters.py19
-rw-r--r--filter_plugins/openshift_master.py1
-rw-r--r--openshift-ansible.spec100
-rwxr-xr-xplaybooks/adhoc/sdn_restart/oo-sdn-restart.yml53
-rw-r--r--playbooks/adhoc/uninstall.yml2
-rw-r--r--playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml4
-rw-r--r--playbooks/aws/openshift-cluster/vars.yml2
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml2
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml2
-rw-r--r--playbooks/common/openshift-master/config.yml49
-rw-r--r--playbooks/openstack/openshift-cluster/terminate.yml2
-rw-r--r--roles/etcd/tasks/main.yml2
-rw-r--r--roles/openshift_cli/templates/openshift.j221
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py99
-rw-r--r--roles/openshift_manageiq/tasks/main.yaml4
-rw-r--r--roles/openshift_master/tasks/main.yml5
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j22
-rw-r--r--roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j26
-rw-r--r--roles/openshift_node/tasks/storage_plugins/ceph.yml2
-rw-r--r--roles/openshift_node/tasks/storage_plugins/glusterfs.yml2
-rw-r--r--roles/openshift_node/tasks/storage_plugins/main.yml5
-rw-r--r--roles/rhel_subscribe/tasks/main.yml10
26 files changed, 342 insertions, 64 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 3cc7946d7..f95b607a9 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.0.20-1 ./
+3.0.24-1 ./
diff --git a/README_AEP.md b/README_AEP.md
index 83e575ebe..584a7afff 100644
--- a/README_AEP.md
+++ b/README_AEP.md
@@ -98,6 +98,8 @@ aep3-node[1:2].example.com
The hostnames above should resolve both from the hosts themselves and
the host where ansible is running (if different).
+A more complete example inventory file ([hosts.aep.example](https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.aep.example)) is available under the [`/inventory/byo`](https://github.com/openshift/openshift-ansible/tree/master/inventory/byo) directory.
+
## Running the ansible playbooks
From the openshift-ansible checkout run:
```sh
diff --git a/README_OSE.md b/README_OSE.md
index 524950d51..66fba33e5 100644
--- a/README_OSE.md
+++ b/README_OSE.md
@@ -105,6 +105,8 @@ ose3-node[1:2].example.com
The hostnames above should resolve both from the hosts themselves and
the host where ansible is running (if different).
+A more complete example inventory file ([hosts.ose.example](https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.ose.example)) is available under the [`/inventory/byo`](https://github.com/openshift/openshift-ansible/tree/master/inventory/byo) directory.
+
## Running the ansible playbooks
From the openshift-ansible checkout run:
```sh
diff --git a/README_origin.md b/README_origin.md
index 12e79791e..0387e213f 100644
--- a/README_origin.md
+++ b/README_origin.md
@@ -59,12 +59,12 @@ option to ansible-playbook.
# This is an example of a bring your own (byo) host inventory
# Create an OSEv3 group that contains the masters and nodes groups
-[OSv3:children]
+[OSEv3:children]
masters
nodes
# Set variables common for all OSEv3 hosts
-[OSv3:vars]
+[OSEv3:vars]
# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root
@@ -95,6 +95,8 @@ osv3-lb.example.com
The hostnames above should resolve both from the hosts themselves and
the host where ansible is running (if different).
+A more complete example inventory file ([hosts.origin.example](https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.origin.example)) is available under the [`/inventory/byo`](https://github.com/openshift/openshift-ansible/tree/master/inventory/byo) directory.
+
## Running the ansible playbooks
From the openshift-ansible checkout run:
```sh
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index 48e27a24a..326c36f6c 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -8,12 +8,11 @@ Custom filters for use in openshift-ansible
from ansible import errors
from operator import itemgetter
import OpenSSL.crypto
-import os.path
+import os
import pdb
import re
import json
-
class FilterModule(object):
''' Custom ansible filters '''
@@ -366,9 +365,6 @@ class FilterModule(object):
"keyfile": "/etc/origin/master/named_certificates/custom2.key",
"names": [ "some-hostname.com" ] }]
'''
- if not issubclass(type(certificates), list):
- raise errors.AnsibleFilterError("|failed expects certificates is a list")
-
if not issubclass(type(named_certs_dir), unicode):
raise errors.AnsibleFilterError("|failed expects named_certs_dir is unicode")
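Review bot: The list check on `certificates` is dropped with no replacement, so a caller that passes a string or dict now fails later in the body (outside this hunk) with a less specific error than the `|failed expects certificates is a list` it used to get. If the removal is deliberate because the filter is now invoked with a different type, a one-line comment at this spot saying what `certificates` may be would keep the next reader from re-adding the guard. The surrounding `unicode` check on `named_certs_dir` is kept, so the function's validation style is now inconsistent between its two arguments.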
@@ -468,6 +464,16 @@ class FilterModule(object):
pass
return clusters
+ @staticmethod
+ def oo_generate_secret(num_bytes):
+ ''' generate a session secret '''
+
+ if not issubclass(type(num_bytes), int):
+ raise errors.AnsibleFilterError("|failed expects num_bytes is int")
+
+ secret = os.urandom(num_bytes)
+ return secret.encode('base-64').strip()
+
def filters(self):
''' returns a mapping of filters to methods '''
return {
@@ -486,5 +492,6 @@ class FilterModule(object):
"oo_parse_heat_stack_outputs": self.oo_parse_heat_stack_outputs,
"oo_parse_named_certificates": self.oo_parse_named_certificates,
"oo_haproxy_backend_masters": self.oo_haproxy_backend_masters,
- "oo_pretty_print_cluster": self.oo_pretty_print_cluster
+ "oo_pretty_print_cluster": self.oo_pretty_print_cluster,
+ "oo_generate_secret": self.oo_generate_secret
}
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index f12017967..8d7c62ad1 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -463,7 +463,6 @@ class FilterModule(object):
IdentityProviderBase.validate_idp_list(idp_list)
return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False)
-
def filters(self):
''' returns a mapping of filters to methods '''
return {"translate_idps": self.translate_idps}
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 563ea3cae..eef619ede 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -5,7 +5,7 @@
}
Name: openshift-ansible
-Version: 3.0.20
+Version: 3.0.24
Release: 1%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
@@ -259,6 +259,104 @@ Atomic OpenShift Utilities includes
%changelog
+* Thu Jan 07 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.24-1
+- Setting relative paths in the upgrade playbooks wasn't working
+ (bleanhar@redhat.com)
+
+* Wed Jan 06 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.23-1
+- Move extra secret validations into openshift_facts. (abutcher@redhat.com)
+- Remove not is_containerized restriction on storage plugin includes.
+ (abutcher@redhat.com)
+- We can't enable manageiq for installations less than OSE 3.1 or Origin 1.1
+ (bleanhar@redhat.com)
+- Fix RHN subscription by explicitly attaching to the right pool
+ (lhuard@amadeus.com)
+- openshift_facts validation (abutcher@redhat.com)
+- Secrets validation. (abutcher@redhat.com)
+- Clean up idempotency issues with session secrets. (abutcher@redhat.com)
+
+* Wed Jan 06 2016 Kenny Woodson <kwoodson@redhat.com> 3.0.22-1
+- playbook for restarting SDN (jdiaz@redhat.com)
+- Stop haproxy and remove package during uninstall. (abutcher@redhat.com)
+- Group name as per hosts.origin.example (donovan.muller@gmail.com)
+- I believe the ami id changed since the initial documentation was created for
+ AWS deployment (rcook@redhat.com)
+
+* Tue Jan 05 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.21-1
+- Fix osm_controller_args and osm_api_server_args settings.
+ (abutcher@redhat.com)
+- Fix error in byo cluster_hosts.yml (jdetiber@redhat.com)
+- Cleanup and fixes for cluster_id change (jdetiber@redhat.com)
+- Fix typo in etcd service status fact. (abutcher@redhat.com)
+- Removing environment and env tags. (kwoodson@redhat.com)
+- Add node kubelet args to inventory examples. (abutcher@redhat.com)
+- Adding ManageIQ service account by default (efreiber@redhat.com)
+- Fixes typo assigning docker_service_status_changed which leads to
+ misinterpretation in handler. (eric.mountain@amadeus.com)
+- Fix restart handlers. (abutcher@redhat.com)
+- Remove lb from docker hosts. (abutcher@redhat.com)
+- Install iptables, iptables-services when not is_aotmic (sdodson@redhat.com)
+- Install all xpaas streams when enabled (sdodson@redhat.com)
+- add the necessary URLs for logging and metrics
+ (git001@users.noreply.github.com)
+- Link to Tito Home Page is Broken (lloy0076@adam.com.au)
+- Conditionalize for 3.1.1/1.1.1 (abutcher@redhat.com)
+- Use notify for workaround controllers unit. (abutcher@redhat.com)
+- change dns triggers to average (jdiaz@redhat.com)
+- add item/trigger for dns tests on all currently running containers
+ (jdiaz@redhat.com)
+- Add jboss-fuse/application-templates/fis-image-streams.json
+ (sdodson@redhat.com)
+- atomic-openshift-installer: Fix broken nosetest (smunilla@redhat.com)
+- Update from jboss-openshift/application-templates ose-v1.2.0-1
+ (sdodson@redhat.com)
+- fix logic to tolerate occasional failures (jdiaz@redhat.com)
+- Clean up versions.sh (sdodson@redhat.com)
+- change ovs mount to /var/run/openvswitch will not require a container restart
+ if openvswitch service is restarted (jdiaz@redhat.com)
+- split zagg.server.processor.errors into separate heartbeat and metrics error
+ items (needed since the scripts are split now). (twiest@redhat.com)
+- quick installer tests (smunilla@redhat.com)
+- atomic-openshift-installer: Remove HA hint for 3.0 install
+ (smunilla@redhat.com)
+- Add some guards to wait for images to be pulled before moving on
+ (sdodson@redhat.com)
+- Install httpd-tools when not is_atomic (sdodson@redhat.com)
+- Properly set use_flannel fact (sbaubeau@redhat.com)
+- Fix containerized variable (sdodson@redhat.com)
+- Skip yum/dnf ops when is_containerized (sdodson@redhat.com)
+- Move all docker config into openshift_docker to minimize docker restarts
+ (sdodson@redhat.com)
+- Create nfs host group with registry volume attachment. (abutcher@redhat.com)
+- Add openshift_cli role (sdodson@redhat.com)
+- pull docker images only if not already present (jdetiber@redhat.com)
+- fixes (jdetiber@redhat.com)
+- Containerization work by @sdodson (sdodson@redhat.com)
+- Initial containerization work from @ibotty (tob@butter.sh)
+- Add zabbix values to track docker container DNS results (jdiaz@redhat.com)
+- Fix registry modification for new deployment types. (dgoodwin@redhat.com)
+- Updates to ohi to pull cache if specified. Also require version
+ (kwoodson@redhat.com)
+- Zabbix: added trigger to monitor app create over the last hour
+ (mwoodson@redhat.com)
+- added 'Template Zagg Server' (twiest@redhat.com)
+- Fixes typo when setting facts to record whether master/node has been
+ restarted already, to decide whether notify handler should do so or not.
+ Currently, this causes random SDN network setup failures as openshift-node
+ gets restarted while the setup script is running, and the subsequent start
+ fails to configure the SDN because it thinks it's already done.
+ (eric.mountain@amadeus.com)
+- Change controllers service type to simple. (abutcher@redhat.com)
+- Updating env-host-type to host patterns (kwoodson@redhat.com)
+- Add note that Fedora 23+ is acceptable deployment target for origin
+ (admiller@redhat.com)
+- Enforce connection: local and become: no on all localhost plays
+ (jdetiber@redhat.com)
+- Use join for the uncompress command. (jsteffan@fedoraproject.org)
+- Update for latest CentOS-7-x86_64-GenericCloud. - Use xz compressed image -
+ Update sha256 for new image - Update docs to reflect new settings
+ (jsteffan@fedoraproject.org)
+
* Thu Dec 10 2015 Thomas Wiest <twiest@redhat.com> 3.0.20-1
- Revert "Automatic commit of package [openshift-ansible] release [3.0.20-1]."
(twiest@redhat.com)
diff --git a/playbooks/adhoc/sdn_restart/oo-sdn-restart.yml b/playbooks/adhoc/sdn_restart/oo-sdn-restart.yml
new file mode 100755
index 000000000..0dc021fbc
--- /dev/null
+++ b/playbooks/adhoc/sdn_restart/oo-sdn-restart.yml
@@ -0,0 +1,53 @@
+#!/usr/bin/ansible-playbook
+---
+#example run:
+# ansible-playbook -e "host=ops-node-compute-abcde" oo-sdn-restart.yml
+#
+
+- name: Check vars
+ hosts: localhost
+ gather_facts: false
+
+ pre_tasks:
+ - fail:
+ msg: "Playbook requires host to be set"
+ when: host is not defined or host == ''
+
+- name: Restart openshift/docker (and monitoring containers)
+ hosts: oo_version_3:&oo_name_{{ host }}
+ gather_facts: false
+ user: root
+
+ tasks:
+ - name: stop openshift/docker
+ service:
+ name: "{{ item }}"
+ state: stopped
+ with_items:
+ - atomic-openshift-node
+ - docker
+
+ - name: restart openvswitch
+ service:
+ name: openvswitch
+ state: restarted
+
+ - name: wait 5 sec
+ pause:
+ seconds: 5
+
+ - name: start openshift/docker
+ service:
+ name: "{{ item }}"
+ state: started
+ with_items:
+ - atomic-openshift-node
+ - docker
+
+ - name: start monitoring containers
+ service:
+ name: "{{ item }}"
+ state: restarted
+ with_items:
+ - oso-f22-host-monitoring
+ - oso-rhel7-zagg-client
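Review bot: The last task is named `start monitoring containers` but uses `state: restarted`, so it will bounce the monitoring services even when they were already running; either rename the task or use `state: started` to match the intent. The `Check vars` play only verifies that `host` is non-empty, so a typo in `-e host=` produces a pattern that matches nothing and the second play silently does nothing; a `fail` when the target group is empty, or at least `any_errors_fatal`, would make that visible. With `gather_facts: false` there is also nothing recorded about which host was actually restarted beyond the task output.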
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index 55df78a3f..ac20f5f9b 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -40,6 +40,7 @@
- atomic-openshift-master-controllers
- atomic-openshift-node
- etcd
+ - haproxy
- openshift-master
- openshift-master-api
- openshift-master-controllers
@@ -67,6 +68,7 @@
- atomic-openshift-sdn-ovs
- corosync
- etcd
+ - haproxy
- openshift
- openshift-master
- openshift-node
diff --git a/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
index 231356798..11026e38d 100644
--- a/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
+++ b/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
@@ -4,8 +4,8 @@
# ansible-playbook playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml -e deployment_type=online -e cluster_id=<cluster_id>
- include: ../../../../common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
vars_files:
- - ../../../../aws/openshift-cluster/vars.yml
- - ../../../../aws/openshift-cluster/cluster_hosts.yml
+ - "{{lookup('file', '../../../../aws/openshift-cluster/vars.yml')}}"
+ - "{{lookup('file', '../../../../aws/openshift-cluster/cluster_hosts.yml')}}"
vars:
g_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
g_sudo: "{{ deployment_vars[deployment_type].sudo }}"
diff --git a/playbooks/aws/openshift-cluster/vars.yml b/playbooks/aws/openshift-cluster/vars.yml
index 452c90d6a..c8ee9bad4 100644
--- a/playbooks/aws/openshift-cluster/vars.yml
+++ b/playbooks/aws/openshift-cluster/vars.yml
@@ -3,7 +3,7 @@ debug_level: 2
deployment_vars:
origin:
# centos-7, requires marketplace
- image: ami-96a818fe
+ image: ami-61bbf104
image_name:
region: us-east-1
ssh_user: centos
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
index 58c04d41d..b52456dcd 100644
--- a/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
@@ -1,7 +1,7 @@
---
- include: ../../../../common/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
vars_files:
- - ../../../../byo/openshift-cluster/cluster_hosts.yml
+ - "{{lookup('file', '../../../../byo/openshift-cluster/cluster_hosts.yml')}}"
vars:
g_etcd_hosts: "{{ groups.etcd | default([]) }}"
g_master_hosts: "{{ groups.masters | default([]) }}"
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
index 2f9e8dc7a..e07e2b88e 100644
--- a/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
@@ -1,7 +1,7 @@
---
- include: ../../../../common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
vars_files:
- - ../../../../byo/openshift-cluster/cluster_hosts.yml
+ - "{{lookup('file', '../../../../byo/openshift-cluster/cluster_hosts.yml')}}"
vars:
g_etcd_hosts: "{{ groups.etcd | default([]) }}"
g_master_hosts: "{{ groups.masters | default([]) }}"
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 759656e63..677c274c4 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -236,29 +236,32 @@
- role: haproxy
when: groups.oo_masters_to_config | length > 1
-- name: Generate master session keys
+- name: Check for cached session secrets
hosts: oo_first_master
+ roles:
+ - role: openshift_facts
+ post_tasks:
+ - openshift_facts:
+ role: master
+ local_facts:
+ session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(openshift.master.session_auth_secrets | default(None)) }}"
+ session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(openshift.master.session_encryption_secrets | default(None)) }}"
+
+- name: Generate master session secrets
+ hosts: oo_first_master
+ vars:
+ g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}"
+ g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}"
+ g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}"
+ roles:
+ - role: openshift_facts
tasks:
- - fail:
- msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
- - fail:
- msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
- - name: Install OpenSSL package
- action: "{{ ansible_pkg_mgr }} name=openssl state=present"
- when: not openshift.common.is_atomic | bool
- - name: Generate session authentication key
- command: /usr/bin/openssl rand -base64 24
- register: session_auth_output
- when: openshift_master_session_auth_secrets is undefined
- - name: Generate session encryption key
- command: /usr/bin/openssl rand -base64 24
- register: session_encryption_output
- when: openshift_master_session_encryption_secrets is undefined
- - set_fact:
- session_auth_secret: "{{ openshift_master_session_auth_secrets | default([session_auth_output.stdout]) }}"
- session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default([session_encryption_output.stdout]) }}"
+ - openshift_facts:
+ role: master
+ local_facts:
+ session_auth_secrets: "{{ g_session_auth_secrets }}"
+ session_encryption_secrets: "{{ g_session_encryption_secrets }}"
+ when: not g_session_secrets_present | bool
- name: Parse named certificates
hosts: localhost
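Review bot: The two `openshift_facts` tasks that carry `session_auth_secrets` and `session_encryption_secrets` as task arguments will print those values in verbose (`-v`) runs and in any callback log, so both should get `no_log: true`. The generated values now persist in the first master's local facts and are read back through `hostvars` in the later hunk, which is the intended idempotency fix, but it means the facts file on that host holds live session secrets and should be covered by whatever permission handling openshift_facts already applies. The `g_session_secrets_present` expression relies on Jinja's `and` returning the right-hand list rather than a boolean before `| length`; it works, but `(openshift.master.session_auth_secrets | default([]) | length > 0) and (openshift.master.session_encryption_secrets | default([]) | length > 0)` states the intent directly.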
@@ -314,8 +317,8 @@
sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
openshift_master_count: "{{ groups.oo_masters_to_config | length }}"
- openshift_master_session_auth_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_auth_secret'] }}"
- openshift_master_session_encryption_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_encryption_secret'] }}"
+ openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}"
+ openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}"
pre_tasks:
- name: Ensure certificate directory exists
file:
diff --git a/playbooks/openstack/openshift-cluster/terminate.yml b/playbooks/openstack/openshift-cluster/terminate.yml
index d0abe9fa5..d4ab51fa7 100644
--- a/playbooks/openstack/openshift-cluster/terminate.yml
+++ b/playbooks/openstack/openshift-cluster/terminate.yml
@@ -11,7 +11,7 @@
groups: oo_hosts_to_terminate
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_sudo: "{{ deployment_vars[deployment_type].sudo }}"
- with_items: (groups['tag_environment_' ~ cluster_env]|default([])) | groups['tag_clusterid_' ~ cluster_id ] | default([])
+ with_items: (groups['tag_environment_' ~ cluster_env]|default([])) | intersect(groups['tag_clusterid_' ~ cluster_id ]|default([]))
- name: Unsubscribe VMs
hosts: oo_hosts_to_terminate
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 663f6e537..e83cfc33c 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -104,4 +104,4 @@
register: start_result
- set_fact:
- etcd_service_status_changed = "{{ start_result | changed }}"
+ etcd_service_status_changed: "{{ start_result | changed }}"
diff --git a/roles/openshift_cli/templates/openshift.j2 b/roles/openshift_cli/templates/openshift.j2
index cade4d1a7..a7c148a22 100644
--- a/roles/openshift_cli/templates/openshift.j2
+++ b/roles/openshift_cli/templates/openshift.j2
@@ -6,11 +6,18 @@ cmd=`basename $0`
user=`id -u`
group=`id -g`
-# docker can only split stderr and stdin when run without -t
-# https://github.com/docker/docker/issues/725
-# ansible checks various streams DO NOT CROSS THE STREAMS
-if [ -z $TERM ]; then
- $t = '-it'
-fi
+>&2 echo """
+================================================================================
+ATTENTION: You are running ${cmd} via a wrapper around 'docker run {{ openshift.common.cli_image }}'.
+This wrapper is intended only to be used to bootstrap an environment. Please
+install client tools on another host once you have granted cluster-admin
+privileges to a user.
+{% if openshift.common.deployment_type in ['openshift-enterprise','atomic-enterprise'] %}
+See https://docs.openshift.com/enterprise/latest/cli_reference/get_started_cli.html
+{% else %}
+See https://docs.openshift.org/latest/cli_reference/get_started_cli.html
+{% endif %}
+=================================================================================
+"""
-docker run ${t} -a STDERR -a STDOUT -a STDIN --privileged --net=host --user=${user}:${group} -v ~/.kube:/root/.kube -v /tmp:/tmp -v {{ openshift.common.config_base}}:{{ openshift.common.config_base }} -e KUBECONFIG=/root/.kube/config --entrypoint ${cmd} --rm {{ openshift.common.cli_image }} ${@} \ No newline at end of file
+docker run -i --privileged --net=host --user=${user}:${group} -v ~/.kube:/root/.kube -v /tmp:/tmp -v {{ openshift.common.config_base}}:{{ openshift.common.config_base }} -e KUBECONFIG=/root/.kube/config --entrypoint ${cmd} --rm {{ openshift.common.cli_image }} "${@}"
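Review bot: The banner is written as `>&2 echo """..."""`, which only works because the shell parses `"""` as an empty string followed by an opening quote; a reader will assume a Python-style triple quote. A heredoc says what is meant: replace the first line with `cat >&2 <<EOF` and the closing `"""` with `EOF`, leaving the Jinja `{{ }}` expansion untouched since it happens at template time. The `"${@}"` quoting on the `docker run` line is the right fix for arguments containing spaces; `${cmd}` from the unquoted `basename $0` above the hunk is still unquoted but unchanged here.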
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 911a684fc..be2818dce 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -628,7 +628,7 @@ def set_deployment_facts_if_unset(facts):
facts['common']['service_type'] = service_type
if 'config_base' not in facts['common']:
config_base = '/etc/origin'
- if deployment_type in ['enterprise', 'online']:
+ if deployment_type in ['enterprise']:
config_base = '/etc/openshift'
# Handle upgrade scenarios when symlinks don't yet exist:
if not os.path.exists(config_base) and os.path.exists('/etc/openshift'):
@@ -636,7 +636,7 @@ def set_deployment_facts_if_unset(facts):
facts['common']['config_base'] = config_base
if 'data_dir' not in facts['common']:
data_dir = '/var/lib/origin'
- if deployment_type in ['enterprise', 'online']:
+ if deployment_type in ['enterprise']:
data_dir = '/var/lib/openshift'
# Handle upgrade scenarios when symlinks don't yet exist:
if not os.path.exists(data_dir) and os.path.exists('/var/lib/openshift'):
@@ -715,6 +715,26 @@ def set_version_facts_if_unset(facts):
return facts
+def set_manageiq_facts_if_unset(facts):
+ """ Set manageiq facts. This currently includes common.use_manageiq.
+
+ Args:
+ facts (dict): existing facts
+ Returns:
+ dict: the facts dict updated with version facts.
+ Raises:
+ OpenShiftFactsInternalError:
+ """
+ if 'common' not in facts:
+ if 'version_greater_than_3_1_or_1_1' not in facts['common']:
+ raise OpenShiftFactsInternalError(
+ "Invalid invocation: The required facts are not set"
+ )
+ if 'use_mangeiq' not in facts['common']:
+ facts['common']['use_manageiq'] = facts['common']['version_greater_than_3_1_or_1_1']
+
+ return facts
+
def set_sdn_facts_if_unset(facts, system_facts):
""" Set sdn facts if not already present in facts dict
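Review bot: `set_manageiq_facts_if_unset` nests the two guards the wrong way: the inner `if 'version_greater_than_3_1_or_1_1' not in facts['common']` only runs when `'common'` is absent, which raises `KeyError` instead of `OpenShiftFactsInternalError`, and when `'common'` is present the required key is never checked. The intended guard is `if 'common' not in facts or 'version_greater_than_3_1_or_1_1' not in facts['common']:`. The second guard tests the misspelled key `'use_mangeiq'`, so `use_manageiq` is overwritten on every call and a user-set value is lost; it should be `if 'use_manageiq' not in facts['common']:`. The docstring's Returns line still says "version facts" and Raises names the exception without saying when it is raised.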
@@ -1021,6 +1041,11 @@ def set_container_facts_if_unset(facts):
return facts
+class OpenShiftFactsInternalError(Exception):
+ """Origin Facts Error"""
+ pass
+
+
class OpenShiftFactsUnsupportedRoleError(Exception):
"""Origin Facts Unsupported Role Error"""
pass
@@ -1043,6 +1068,7 @@ class OpenShiftFacts(object):
facts (dict): facts for the host
Args:
+ module (AnsibleModule): an AnsibleModule object
role (str): role for setting local facts
filename (str): local facts file to use
local_facts (dict): local facts to set
@@ -1096,6 +1122,7 @@ class OpenShiftFacts(object):
facts = set_sdn_facts_if_unset(facts, self.system_facts)
facts = set_deployment_facts_if_unset(facts)
facts = set_version_facts_if_unset(facts)
+ facts = set_manageiq_facts_if_unset(facts)
facts = set_aggregate_facts(facts)
facts = set_etcd_facts_if_unset(facts)
facts = set_container_facts_if_unset(facts)
@@ -1121,7 +1148,7 @@ class OpenShiftFacts(object):
common = dict(use_openshift_sdn=True, ip=ip_addr, public_ip=ip_addr,
deployment_type='origin', hostname=hostname,
- public_hostname=hostname, use_manageiq=True)
+ public_hostname=hostname)
common['client_binary'] = 'oc'
common['admin_binary'] = 'oadm'
common['dns_domain'] = 'cluster.local'
@@ -1263,14 +1290,78 @@ class OpenShiftFacts(object):
del facts[key]
if new_local_facts != local_facts:
+ self.validate_local_facts(new_local_facts)
changed = True
-
if not module.check_mode:
save_local_facts(self.filename, new_local_facts)
self.changed = changed
return new_local_facts
+ def validate_local_facts(self, facts=None):
+ """ Validate local facts
+
+ Args:
+ facts (dict): local facts to validate
+ """
+ invalid_facts = dict()
+ invalid_facts = self.validate_master_facts(facts, invalid_facts)
+ if invalid_facts:
+ msg = 'Invalid facts detected:\n'
+ for key in invalid_facts.keys():
+ msg += '{0}: {1}\n'.format(key, invalid_facts[key])
+ module.fail_json(msg=msg,
+ changed=self.changed)
+
+ # disabling pylint errors for line-too-long since we're dealing
+ # with best effort reduction of error messages here.
+ # disabling errors for too-many-branches since we require checking
+ # many conditions.
+ # pylint: disable=line-too-long, too-many-branches
+ @staticmethod
+ def validate_master_facts(facts, invalid_facts):
+ """ Validate master facts
+
+ Args:
+ facts (dict): local facts to validate
+ invalid_facts (dict): collected invalid_facts
+
+ Returns:
+ dict: Invalid facts
+ """
+ if 'master' in facts:
+ # openshift.master.session_auth_secrets
+ if 'session_auth_secrets' in facts['master']:
+ session_auth_secrets = facts['master']['session_auth_secrets']
+ if not issubclass(type(session_auth_secrets), list):
+ invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+ elif 'session_encryption_secrets' not in facts['master']:
+ invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set '
+ 'if openshift_master_session_auth_secrets is provided.')
+ elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):
+ invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and '
+ 'openshift_master_session_encryption_secrets must be '
+ 'equal length.')
+ else:
+ for secret in session_auth_secrets:
+ if len(secret) < 32:
+ invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. '
+ 'Secrets must be at least 32 characters in length.')
+ # openshift.master.session_encryption_secrets
+ if 'session_encryption_secrets' in facts['master']:
+ session_encryption_secrets = facts['master']['session_encryption_secrets']
+ if not issubclass(type(session_encryption_secrets), list):
+ invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+ elif 'session_auth_secrets' not in facts['master']:
+ invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be '
+ 'set if openshift_master_session_encryption_secrets '
+ 'is provided.')
+ else:
+ for secret in session_encryption_secrets:
+ if len(secret) not in [16, 24, 32]:
+ invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. '
+ 'Secrets must be 16, 24, or 32 characters in length.')
+ return invalid_facts
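Review bot: `validate_local_facts(self, facts=None)` defaults `facts` to `None`, and `validate_master_facts` immediately evaluates `'master' in facts`, which raises `TypeError` for that default; drop the default or guard with `if facts is None: return`. In `validate_master_facts`, `issubclass(type(x), list)` is the long form of `isinstance(x, list)`, and the two `for secret in ...` loops call `len(secret)` on each entry without checking that it is a string, so a non-string entry surfaces as a `TypeError` rather than an entry in `invalid_facts`. Each loop also writes the same key, so only the last offending secret is reported, which is fine as best effort but worth a comment. The error message includes only the fact name and a description, never the secret values, which is the right choice for something that ends up in `fail_json` output.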
def main():
""" main """
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index 2d3187e21..0357fc85a 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -1,4 +1,8 @@
---
+- fail:
+ msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
+ when: not openshift.common.version_greater_than_3_1_or_1_1 | bool
+
- name: Copy Configuration to temporary conf
command: >
cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}}
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index a22654678..397122631 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -9,7 +9,6 @@
Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }}
when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods
-
# HA Variable Validation
- fail:
msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations"
@@ -55,9 +54,9 @@
portal_net: "{{ openshift_master_portal_net | default(None) }}"
session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}"
session_name: "{{ openshift_master_session_name | default(None) }}"
+ session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}"
session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(None) }}"
session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(None) }}"
- session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}"
access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}"
auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}"
identity_providers: "{{ openshift_master_identity_providers | default(None) }}"
@@ -221,7 +220,7 @@
template:
dest: "{{ openshift.master.session_secrets_file }}"
src: sessionSecretsFile.yaml.v1.j2
- force: no
+ when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined
notify:
- restart master
- restart master api
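Review bot: Replacing `force: no` with the `when:` means the session secrets file is now rewritten whenever the cached facts change, which is the idempotency fix the changelog describes; since the rendered file holds the session authentication and encryption secrets, the task should also pin `mode: 0600` unless a `mode:` is already set on the part of the task that starts above this hunk. The `when:` condition is not quite the same as the facts validation: it only checks that both facts are defined, so an explicitly empty list on either side still passes here and leaves the template to fail on the master.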
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 317049c44..647476b7f 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -127,7 +127,9 @@ oauthConfig:
sessionConfig:
sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }}
sessionName: {{ openshift.master.session_name }}
+{% if openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined %}
sessionSecretsFile: {{ openshift.master.session_secrets_file }}
+{% endif %}
tokenConfig:
accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }}
authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }}
diff --git a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2
index d12d9db90..3d4b573a9 100644
--- a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2
+++ b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2
@@ -1,7 +1,7 @@
apiVersion: v1
kind: SessionSecrets
secrets:
-{% for secret in openshift_master_session_auth_secrets %}
-- authentication: "{{ openshift_master_session_auth_secrets[loop.index0] }}"
- encryption: "{{ openshift_master_session_encryption_secrets[loop.index0] }}"
+{% for secret in openshift.master.session_auth_secrets %}
+- authentication: "{{ openshift.master.session_auth_secrets[loop.index0] }}"
+ encryption: "{{ openshift.master.session_encryption_secrets[loop.index0] }}"
{% endfor %}
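Review bot: The loop indexes `openshift.master.session_encryption_secrets[loop.index0]` once per entry of `session_auth_secrets`, so the "both defined" guard added in roles/openshift_master/tasks/main.yml does not cover a length mismatch: a shorter encryption list produces an undefined value for the trailing entries instead of a clear failure. A validation task before the template, `- fail: msg="session_auth_secrets and session_encryption_secrets must have the same number of entries"` with `when: openshift.master.session_auth_secrets | length != openshift.master.session_encryption_secrets | length`, would make the pairing contract explicit. The loop variable `secret` is unused; a short comment noting that the two lists are paired positionally would help the next reader.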
diff --git a/roles/openshift_node/tasks/storage_plugins/ceph.yml b/roles/openshift_node/tasks/storage_plugins/ceph.yml
index 119ad62ef..eed3c99a3 100644
--- a/roles/openshift_node/tasks/storage_plugins/ceph.yml
+++ b/roles/openshift_node/tasks/storage_plugins/ceph.yml
@@ -1,4 +1,4 @@
---
- name: Install Ceph storage plugin dependencies
action: "{{ ansible_pkg_mgr }} name=ceph-common state=present"
- when: not openshift.common.is_containerized | bool \ No newline at end of file
+ when: not openshift.common.is_atomic | bool \ No newline at end of file
diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
index 91ee77e7e..8fc8497fa 100644
--- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
@@ -1,7 +1,7 @@
---
- name: Install GlusterFS storage plugin dependencies
action: "{{ ansible_pkg_mgr }} name=glusterfs-fuse state=present"
- when: not openshift.common.is_containerized | bool
+ when: not openshift.common.is_atomic | bool
- name: Set sebooleans to allow gluster storage plugin access from containers
seboolean:
diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml
index d237c26ec..39c7b9390 100644
--- a/roles/openshift_node/tasks/storage_plugins/main.yml
+++ b/roles/openshift_node/tasks/storage_plugins/main.yml
@@ -3,12 +3,11 @@
# additional package dependencies
- name: NFS storage plugin configuration
include: nfs.yml
- when: not openshift.common.is_containerized | bool
- name: GlusterFS storage plugin configuration
include: glusterfs.yml
- when: "'glusterfs' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool "
+ when: "'glusterfs' in openshift.node.storage_plugin_deps"
- name: Ceph storage plugin configuration
include: ceph.yml
- when: "'ceph' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool"
+ when: "'ceph' in openshift.node.storage_plugin_deps"
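Review bot: The NFS include at the top of this hunk keeps its `when: not openshift.common.is_containerized | bool` gate, while the GlusterFS and Ceph gates were moved into their own task files and switched to `is_atomic` (ceph.yml and glusterfs.yml hunks above). If the intent is that containerized-but-not-atomic hosts may install plugin packages, nfs.yml should presumably follow the same pattern; otherwise a comment on the NFS include explaining why it is still skipped on containerized hosts, e.g. `# NFS deps are still skipped on containerized hosts: <reason>`, would prevent the asymmetry from looking accidental.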
diff --git a/roles/rhel_subscribe/tasks/main.yml b/roles/rhel_subscribe/tasks/main.yml
index 30c0920a1..c160ea4e9 100644
--- a/roles/rhel_subscribe/tasks/main.yml
+++ b/roles/rhel_subscribe/tasks/main.yml
@@ -4,6 +4,7 @@
# to make it able to enable repositories
- set_fact:
+ rhel_subscription_pool: "{{ lookup('oo_option', 'rhel_subscription_pool') | default(rhsub_pool, True) | default('OpenShift Enterprise, Premium*', True) }}"
rhel_subscription_user: "{{ lookup('oo_option', 'rhel_subscription_user') | default(rhsub_user, True) | default(omit, True) }}"
rhel_subscription_pass: "{{ lookup('oo_option', 'rhel_subscription_pass') | default(rhsub_pass, True) | default(omit, True) }}"
rhel_subscription_server: "{{ lookup('oo_option', 'rhel_subscription_server') | default(rhsub_server) }}"
@@ -30,7 +31,14 @@
redhat_subscription:
username: "{{ rhel_subscription_user }}"
password: "{{ rhel_subscription_pass }}"
- autosubscribe: yes
+
+- name: Retrieve the OpenShift Pool ID
+ command: subscription-manager list --available --matches="{{ rhel_subscription_pool }}" --pool-only
+ register: openshift_pool_id
+ changed_when: False
+
+- name: Attach to OpenShift Pool
+ command: subscription-manager subscribe --pool {{ openshift_pool_id.stdout_lines[0] }}
- include: enterprise.yml
when: deployment_type == 'enterprise'
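Review bot: `openshift_pool_id.stdout_lines[0]` in the "Attach to OpenShift Pool" task has no guard for an empty result, so when no available pool matches `rhel_subscription_pool` the play fails with a list-index error rather than a message naming the pattern; insert between the two new tasks `- fail: msg="No available subscription pool matched '{{ rhel_subscription_pool }}'"` with `when: openshift_pool_id.stdout_lines | length == 0`. Because the default pattern introduced in the first hunk ends in a wildcard, several pools may match and the first line is attached silently; failing or at least reporting when `openshift_pool_id.stdout_lines | length > 1` would make that choice visible. The attach task also has no `changed_when` or skip condition, so re-runs attempt the subscribe again; whether subscription-manager treats an already-attached pool as an error presumably depends on its version, so confirm and add the appropriate `changed_when`/`failed_when` handling.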