| -rw-r--r-- | playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml | 96 | ||||
| -rw-r--r-- | roles/calico/defaults/main.yaml | 4 | ||||
| -rw-r--r-- | roles/calico/tasks/main.yml | 6 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 27 | ||||
| -rw-r--r-- | roles/docker/templates/systemcontainercustom.conf.j2 | 6 | ||||
| -rw-r--r-- | roles/openshift_common/tasks/main.yml | 10 | ||||
| -rw-r--r-- | roles/openshift_master_facts/defaults/main.yml | 22 | ||||
| -rw-r--r-- | roles/openshift_master_facts/tasks/main.yml | 2 | ||||
| -rw-r--r-- | roles/openshift_repos/files/origin/repos/openshift-ansible-centos-paas-sig.repo | 2 | ||||
| -rw-r--r-- | roles/openshift_version/tasks/main.yml | 11 | 
10 files changed, 130 insertions, 56 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
index 45e301315..54f9e21a1 100644
--- a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
@@ -2,43 +2,61 @@
 - name: Determine etcd version
   hosts: oo_etcd_hosts_to_upgrade
   tasks:
-  - name: Record RPM based etcd version
-    command: rpm -qa --qf '%{version}' etcd\*
-    args:
-      warn: no
-    register: etcd_rpm_version
-    failed_when: false
+  - block:
+    - name: Record RPM based etcd version
+      command: rpm -qa --qf '%{version}' etcd\*
+      args:
+        warn: no
+      register: etcd_rpm_version
+      failed_when: false
+      # AUDIT:changed_when: `false` because we are only inspecting
+      # state, not manipulating anything
+      changed_when: false
+
+    - debug:
+        msg: "Etcd rpm version {{ etcd_rpm_version.stdout }} detected"
     when: not openshift.common.is_containerized | bool
-    # AUDIT:changed_when: `false` because we are only inspecting
-    # state, not manipulating anything
-    changed_when: false
-
-  - name: Record containerized etcd version
-    command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\*
-    register: etcd_container_version
-    failed_when: false
-    when: openshift.common.is_containerized | bool
-    # AUDIT:changed_when: `false` because we are only inspecting
-    # state, not manipulating anything
-    changed_when: false
-
-  - name: Record containerized etcd version
-    command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\*
-    register: etcd_container_version
-    failed_when: false
-    when: openshift.common.is_containerized | bool and not openshift.common.is_etcd_system_container | bool
-    # AUDIT:changed_when: `false` because we are only inspecting
-    # state, not manipulating anything
-    changed_when: false
-
-  - name: Record containerized etcd version
-    command: runc exec etcd_container rpm -qa --qf '%{version}' etcd\*
-    register: etcd_container_version
-    failed_when: false
-    when: openshift.common.is_containerized | bool and openshift.common.is_etcd_system_container | bool
-    # AUDIT:changed_when: `false` because we are only inspecting
-    # state, not manipulating anything
-    changed_when: false
+
+  - block:
+    - name: Record containerized etcd version (docker)
+      command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\*
+      register: etcd_container_version_docker
+      failed_when: false
+      # AUDIT:changed_when: `false` because we are only inspecting
+      # state, not manipulating anything
+      changed_when: false
+      when:
+      - not openshift.common.is_etcd_system_container | bool
+
+      # Given a register variables is set even if the whwen condition
+      # is false, we need to set etcd_container_version separately
+    - set_fact:
+        etcd_container_version: "{{ etcd_container_version_docker.stdout }}"
+      when:
+      - not openshift.common.is_etcd_system_container | bool
+
+    - name: Record containerized etcd version (runc)
+      command: runc exec etcd_container rpm -qa --qf '%{version}' etcd\*
+      register: etcd_container_version_runc
+      failed_when: false
+      # AUDIT:changed_when: `false` because we are only inspecting
+      # state, not manipulating anything
+      changed_when: false
+      when:
+      - openshift.common.is_etcd_system_container | bool
+
+      # Given a register variables is set even if the whwen condition
+      # is false, we need to set etcd_container_version separately
+    - set_fact:
+        etcd_container_version: "{{ etcd_container_version_runc.stdout }}"
+      when:
+      - openshift.common.is_etcd_system_container | bool
+
+    - debug:
+        msg: "Etcd containerized version {{ etcd_container_version }} detected"
+
+    when:
+    - openshift.common.is_containerized | bool
 
 # I really dislike this copy/pasta but I wasn't able to find a way to get it to loop
 # through hosts, then loop through tasks only when appropriate
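Review bot: The comment repeated above both new `set_fact` tasks misspells `when` as `whwen` and has a number-agreement slip; suggest `# Given that a registered variable is set even if the when condition` / `# is false, we need to set etcd_container_version separately`. Separately, the new `debug` task in the RPM block prints `etcd_rpm_version.stdout` verbatim; because the command runs with `failed_when: false`, a host with no etcd package presumably yields an empty `stdout` and the message reads `Etcd rpm version  detected`, which is easy to misread in a log, so `msg: "Etcd rpm version {{ etcd_rpm_version.stdout | default('none', true) }} detected"` would make the absent case explicit. The same applies to the containerized `debug` message at the end of the second block.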
@@ -67,7 +85,7 @@
     upgrade_version: 2.2.5
   tasks:
   - include: containerized_tasks.yml
-    when: etcd_container_version.stdout | default('99') | version_compare('2.2','<') and openshift.common.is_containerized | bool
+    when: etcd_container_version | default('99') | version_compare('2.2','<') and openshift.common.is_containerized | bool
 
 - name: Upgrade RPM hosts to 2.3
   hosts: oo_etcd_hosts_to_upgrade
@@ -85,7 +103,7 @@
     upgrade_version: 2.3.7
   tasks:
   - include: containerized_tasks.yml
-    when: etcd_container_version.stdout | default('99') | version_compare('2.3','<') and openshift.common.is_containerized | bool
+    when: etcd_container_version | default('99') | version_compare('2.3','<') and openshift.common.is_containerized | bool
 
 - name: Upgrade RPM hosts to 3.0
   hosts: oo_etcd_hosts_to_upgrade
@@ -103,7 +121,7 @@
     upgrade_version: 3.0.15
   tasks:
   - include: containerized_tasks.yml
-    when: etcd_container_version.stdout | default('99') | version_compare('3.0','<') and openshift.common.is_containerized | bool
+    when: etcd_container_version | default('99') | version_compare('3.0','<') and openshift.common.is_containerized | bool
 
 - name: Upgrade fedora to latest
   hosts: oo_etcd_hosts_to_upgrade
diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml
index a81fc3af7..a16a7da71 100644
--- a/roles/calico/defaults/main.yaml
+++ b/roles/calico/defaults/main.yaml
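Review bot: `default('99')` in the rewritten `when:` only takes effect when `etcd_container_version` is undefined, but the detection tasks earlier in this file run with `failed_when: false`, so a failed `docker exec`/`runc exec` presumably registers an empty `stdout`, which the new `set_fact` copies into `etcd_container_version` as `""`; the include is then gated by `"" | version_compare('2.2','<')`, whose result I cannot confirm from here. Passing `true` as the second argument treats the empty string like an undefined value, `when: etcd_container_version | default('99', true) | version_compare('2.2','<') and openshift.common.is_containerized | bool`, and the same change applies to the `2.3` and `3.0` hunks that follow. This was already the case with the old `.stdout` form, so it is carried over rather than introduced here.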
@@ -4,7 +4,11 @@ etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_url
 
 cni_conf_dir: "/etc/cni/net.d/"
 cni_bin_dir: "/opt/cni/bin/"
+cni_url: "https://github.com/containernetworking/cni/releases/download/v0.4.0/cni-amd64-v0.4.0.tgz"
 
 calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt"
 calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt"
 calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key"
+
+calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico"
+calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico-ipam"
diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml
index 287fed321..abdbcf8d6 100644
--- a/roles/calico/tasks/main.yml
+++ b/roles/calico/tasks/main.yml
@@ -46,14 +46,14 @@
 - name: Download Calico CNI Plugin
   become: yes
   get_url:
-    url: https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico
+    url: "{{ calico_url_cni }}"
     dest: "{{ cni_bin_dir }}"
     mode: a+x
 
 - name: Download Calico IPAM Plugin
   become: yes
   get_url:
-    url: https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico-ipam
+    url: "{{ calico_url_ipam }}"
     dest: "{{ cni_bin_dir }}"
     mode: a+x
 
@@ -61,7 +61,7 @@
   become: yes
   unarchive:
     remote_src: True
-    src: https://github.com/containernetworking/cni/releases/download/v0.4.0/cni-amd64-v0.4.0.tgz
+    src: "{{ cni_url }}"
     dest: "{{ cni_bin_dir }}"
 
 - name: Assure Calico conf dir exists
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index c85801546..3af3e00b2 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
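Review bot: The two `get_url` tasks (and the `unarchive` in the next hunk) install executables into `cni_bin_dir` with no integrity check, so what ends up on the node is whatever the release endpoint returns at run time, and now that the URLs are `calico_url_cni`/`calico_url_ipam`/`cni_url` an inventory can repoint them anywhere. `get_url` supports `checksum:`; pinning the expected digest next to each URL in `roles/calico/defaults/main.yaml`, e.g. `checksum: "sha256:{{ calico_cni_sha256 }}"` (placeholder variable name; the v1.5.5 digests are not on this page), keeps URL and expected content together and makes a changed artifact a hard failure instead of a silent swap. `unarchive` has no checksum for a remote `src`, so the CNI tarball would need a `get_url` with `checksum:` to a temporary path followed by a local `unarchive`. If the deliberate choice is to trust the release URL, a one-line comment above the tasks saying so would stop the next reader re-raising it.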
@@ -41,25 +41,38 @@
     daemon_reload: yes
   ignore_errors: True
 
-# Set http_proxy and https_proxy in /etc/atomic.conf
+# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf
+# regexp: the line starts with or without #, followed by the string
+#         http_proxy, then either : or =
 - block:
 
     - name: Add http_proxy to /etc/atomic.conf
       lineinfile:
-        path: /etc/atomic.conf
-        line: "http_proxy={{ openshift.common.http_proxy | default('') }}"
+        dest: /etc/atomic.conf
+        regexp: "^#?http_proxy[:=]{1}"
+        line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
       when:
         - openshift.common.http_proxy is defined
         - openshift.common.http_proxy != ''
 
     - name: Add https_proxy to /etc/atomic.conf
       lineinfile:
-        path: /etc/atomic.conf
-        line: "https_proxy={{ openshift.common.https_proxy | default('') }}"
+        dest: /etc/atomic.conf
+        regexp: "^#?https_proxy[:=]{1}"
+        line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
       when:
         - openshift.common.https_proxy is defined
         - openshift.common.https_proxy != ''
 
+    - name: Add no_proxy to /etc/atomic.conf
+      lineinfile:
+        dest: /etc/atomic.conf
+        regexp: "^#?no_proxy[:=]{1}"
+        line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
+      when:
+        - openshift.common.no_proxy is defined
+        - openshift.common.no_proxy != ''
+
 - block:
 
     - name: Set to default prepend
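Review bot: In the three new `regexp:` values the `{1}` quantifier is a no-op, `[:=]{1}` matches exactly what `[:=]` matches; `regexp: "^#?http_proxy[:=]"` (and the `https_proxy`/`no_proxy` counterparts) reads more clearly. The `^#?` prefix only recognises a commented-out default written as `#http_proxy`, so a `# http_proxy:` line with a space after the hash is left untouched and a second, live line is appended, which is presumably acceptable but worth stating in the comment block above, e.g. `# a commented line is only replaced when written as "#http_proxy", not "# http_proxy"`. Note also that when a proxy is later removed from the inventory the `when:` skips the task and the existing `http_proxy:` line in /etc/atomic.conf stays in place; that was already true before this change.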
@@ -88,9 +101,13 @@
       set_fact:
         l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest"
 
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
 - name: Pre-pull Container Enginer System Container image
   command: "atomic pull --storage ostree {{ l_docker_image }}"
   changed_when: false
+  environment:
+    NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
+
 
 - name: Ensure container-engine.service.d directory exists
   file:
diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2
index b727c57d4..86eebfba6 100644
--- a/roles/docker/templates/systemcontainercustom.conf.j2
+++ b/roles/docker/templates/systemcontainercustom.conf.j2
@@ -2,13 +2,13 @@
 
 [Service]
 {% if "http_proxy" in openshift.common %}
-ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }}
+Environment=HTTP_PROXY={{ docker_http_proxy }}
 {% endif -%}
 {% if "https_proxy" in openshift.common %}
-ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }}
+Environment=HTTPS_PROXY={{ docker_http_proxy }}
 {% endif -%}
 {% if "no_proxy" in openshift.common %}
-ENVIRONMENT=NO_PROXY={{ docker_no_proxy }}
+Environment=NO_PROXY={{ docker_no_proxy }}
 {% endif %}
 {%- if os_firewall_use_firewalld|default(false) %}
 [Unit]
diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml
index d9ccf87bc..51313a258 100644
--- a/roles/openshift_common/tasks/main.yml
+++ b/roles/openshift_common/tasks/main.yml
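Review bot: `Environment=HTTPS_PROXY={{ docker_http_proxy }}` still takes its value from `docker_http_proxy`, so the container engine's HTTPS proxy is the HTTP one even when `openshift.common.https_proxy` is set to something different; the commit fixes the directive casing on that line but keeps the variable. It should read the https counterpart, `Environment=HTTPS_PROXY={{ docker_https_proxy }}` if the role defines such a variable (none is visible on this page), otherwise `{{ openshift.common.https_proxy }}`, which the same commit already references in systemcontainer_docker.yml. The surrounding `{% if "https_proxy" in openshift.common %}` guard is keyed on the https value, which suggests a copy/paste slip rather than intent.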
@@ -28,10 +28,18 @@
   when: openshift_use_openshift_sdn | default(true) | bool and openshift_use_calico | default(false) | bool
 
 - fail:
-    msg: Calico cannot currently be used with Flannel in Openshift. Set either openshift_use_calico or openshift_use_flannel, but not both
+    msg: The Calico playbook does not yet integrate with the Flannel playbook in Openshift. Set either openshift_use_calico or openshift_use_flannel, but not both.
   when: openshift_use_calico | default(false) | bool and openshift_use_flannel | default(false) | bool
 
 - fail:
+    msg: Calico can not be used with Nuage in Openshift. Set either openshift_use_calico or openshift_use_nuage, but not both
+  when: openshift_use_calico | default(false) | bool and openshift_use_nuage | default(false) | bool
+
+- fail:
+    msg: Calico can not be used with Contiv in Openshift. Set either openshift_use_calico or openshift_use_contiv, but not both
+  when: openshift_use_calico | default(false) | bool and openshift_use_contiv | default(false) | bool
+
+- fail:
     msg: openshift_hostname must be 64 characters or less
   when: openshift_hostname is defined and openshift_hostname | length > 64
 
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml
index f1cbbeb2d..a80313505 100644
--- a/roles/openshift_master_facts/defaults/main.yml
+++ b/roles/openshift_master_facts/defaults/main.yml
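Review bot: The two new `msg:` values write `can not` and end without a period, while the Flannel message this same commit rewrites uses a full sentence with a trailing period (and the old wording used `cannot`); for consistency, `msg: Calico cannot be used with Nuage in Openshift. Set either openshift_use_calico or openshift_use_nuage, but not both.` and likewise for Contiv. All of these messages are plain scalars, which is fine as long as none of them ever gains a `: ` or ` #` sequence; quoting them would remove that fragility.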
@@ -1,2 +1,24 @@
 ---
 openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
+openshift_master_admission_plugin_config:
+  openshift.io/ImagePolicy:
+    configuration:
+      kind: ImagePolicyConfig
+      apiVersion: v1
+      # To require that all images running on the platform be imported first, you may uncomment the
+      # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it
+      # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that
+      # digest has been imported via the import-image flow.
+      #resolveImages: Required
+      executionRules:
+      - name: execution-denied
+        # Reject all images that have the annotation images.openshift.io/deny-execution set to true.
+        # This annotation may be set by infrastructure that wishes to flag particular images as dangerous
+        onResources:
+        - resource: pods
+        - resource: builds
+        reject: true
+        matchImageAnnotations:
+        - key: images.openshift.io/deny-execution
+          value: "true"
+        skipOnResolutionFailure: true
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index f048e0aef..79f054b42 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
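Review bot: The explanatory comment duplicates a phrase across its second and third lines (`will be rejected unless it` / `unless it points directly`); suggest `# following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it` / `# points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that`. `skipOnResolutionFailure: true` deserves a comment of its own: as I read the field name, an image whose annotations cannot be resolved is not rejected by this rule, so the deny-execution rule fails open for unresolvable images; a line such as `# fail open: images whose annotations cannot be resolved are not rejected by this rule` above it would make that trade-off visible to whoever hardens the policy later (confirm against the ImagePolicy plugin documentation). Also note `#resolveImages: Required` is a commented-out key, so anyone uncommenting it should keep the indentation of its siblings.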
@@ -92,7 +92,7 @@
       master_count: "{{ openshift_master_count | default(None) }}"
       controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}"
       master_image: "{{ osm_image | default(None) }}"
-      admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}"
+      admission_plugin_config: "{{openshift_master_admission_plugin_config }}"
       kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}"  # deprecated, merged with admission_plugin_config
       oauth_template: "{{ openshift_master_oauth_template | default(None) }}"  # deprecated in origin 1.2 / OSE 3.2
       oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}"
diff --git a/roles/openshift_repos/files/origin/repos/openshift-ansible-centos-paas-sig.repo b/roles/openshift_repos/files/origin/repos/openshift-ansible-centos-paas-sig.repo
index 124bff09d..09364c26f 100644
--- a/roles/openshift_repos/files/origin/repos/openshift-ansible-centos-paas-sig.repo
+++ b/roles/openshift_repos/files/origin/repos/openshift-ansible-centos-paas-sig.repo
@@ -3,7 +3,7 @@ name=CentOS OpenShift Origin
 baseurl=http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/
 enabled=1
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/openshift-ansible-CentOS-SIG-PaaS
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS
 
 [centos-openshift-origin-testing]
 name=CentOS OpenShift Origin Testing
diff --git a/roles/openshift_version/tasks/main.yml b/roles/openshift_version/tasks/main.yml
index 2e9b4cad3..f2f4d16f0 100644
--- a/roles/openshift_version/tasks/main.yml
+++ b/roles/openshift_version/tasks/main.yml
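Review bot: Dropping `| default(None)` from `admission_plugin_config:` relies on the new role default that this commit adds in roles/openshift_master_facts/defaults/main.yml, and an inventory that sets `openshift_master_admission_plugin_config` for its own plugins replaces that whole dictionary rather than extending it (Ansible precedence does not merge dicts unless `hash_behaviour=merge` is configured), so such installs silently lose the `openshift.io/ImagePolicy` deny-execution rule. If that is the intended contract, say so next to the default, e.g. `# an inventory value replaces this dict entirely; re-add openshift.io/ImagePolicy when overriding`; otherwise merge the user value over the default with `combine` so the baseline rule survives. The `{{openshift_master_admission_plugin_config }}` spacing (no space after `{{`) is also inconsistent with the neighbouring lines, `"{{ openshift_master_admission_plugin_config }}"`.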
@@ -3,6 +3,7 @@
 
 - set_fact:
     is_containerized: "{{ openshift.common.is_containerized | default(False) | bool }}"
+    is_atomic: "{{ openshift.common.is_atomic | default(False) | bool }}"
 
 # Block attempts to install origin without specifying some kind of version information.
 # This is because the latest tags for origin are usually alpha builds, which should not
@@ -86,9 +87,11 @@
   include: set_version_rpm.yml
   when: not is_containerized | bool
 
+- name: Set openshift_version for containerized installation
+  include: set_version_containerized.yml
+  when: is_containerized | bool
+
 - block:
-  - name: Set openshift_version for containerized installation
-    include: set_version_containerized.yml
   - name: Get available {{ openshift.common.service_type}} version
     repoquery:
       name: "{{ openshift.common.service_type}}"
@@ -104,7 +107,9 @@
       msg: "OCP rpm version {{ openshift_rpm_version }} is different from OCP image version {{ openshift_version }}"
     # Both versions have the same string representation
     when: openshift_rpm_version != openshift_version
-  when: is_containerized | bool
+  when:
+  - is_containerized | bool
+  - not is_atomic | bool
 
 # Warn if the user has provided an openshift_image_tag but is not doing a containerized install
 # NOTE: This will need to be modified/removed for future container + rpm installations work.
|
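Review bot: The new `- not is_atomic | bool` condition on the block in the last hunk silently skips the rpm-vs-image version comparison on Atomic hosts, and nothing in the hunk says why; the block's opening line and the reason are outside this hunk, so a reader of the `when:` list alone cannot tell whether the check is unnecessary there or merely unavailable. A one-line comment above the list, `# presumably repoquery is not usable on Atomic Host, so the rpm/image version check is skipped there — confirm`, would record the intent (I cannot verify the reason from this page). The moved `Set openshift_version for containerized installation` task now runs for every containerized host, including Atomic, which reads as the intended split but is worth a sentence in the commit description.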
