-rw-r--r-- | .tito/packages/openshift-ansible | 2 | ||||
-rw-r--r-- | images/installer/Dockerfile | 9 | ||||
-rw-r--r-- | images/installer/origin-extra-root/etc/yum.repos.d/google-cloud-sdk.repo | 8 | ||||
-rw-r--r-- | openshift-ansible.spec | 44 | ||||
-rw-r--r-- | playbooks/aws/provisioning_vars.yml.example | 2 | ||||
-rw-r--r-- | roles/container_runtime/tasks/registry_auth.yml | 2 | ||||
-rw-r--r-- | roles/openshift_daemonset_config/defaults/main.yml | 19 | ||||
-rw-r--r-- | roles/openshift_daemonset_config/meta/main.yml | 3 | ||||
-rw-r--r-- | roles/openshift_daemonset_config/tasks/main.yml | 58 | ||||
-rw-r--r-- | roles/openshift_daemonset_config/templates/daemonset.yml.j2 | 142 |
10 files changed, 278 insertions, 11 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 1ca23082d..f352f0079 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.9.0-0.10.0 ./
+3.9.0-0.12.0 ./
diff --git a/images/installer/Dockerfile b/images/installer/Dockerfile
index 9a10ff257..db362bd65 100644
--- a/images/installer/Dockerfile
+++ b/images/installer/Dockerfile
@@ -10,14 +10,7 @@ COPY images/installer/origin-extra-root /
 # install ansible and deps
 RUN INSTALL_PKGS="python-lxml pyOpenSSL python2-cryptography openssl java-1.8.0-openjdk-headless python2-passlib httpd-tools openssh-clients origin-clients" \
 && yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS \
- && echo '[google-cloud-sdk]' > /etc/yum.repos.d/google-cloud-sdk.repo \
- && echo 'baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64' >> /etc/yum.repos.d/google-cloud-sdk.repo \
- && echo 'enabled=1' >> /etc/yum.repos.d/google-cloud-sdk.repo \
- && echo 'gpgcheck=1' >> /etc/yum.repos.d/google-cloud-sdk.repo \
- && echo 'repo_gpgcheck=1' >> /etc/yum.repos.d/google-cloud-sdk.repo \
- && echo 'gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg' >> /etc/yum.repos.d/google-cloud-sdk.repo \
- && echo ' https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg' >> /etc/yum.repos.d/google-cloud-sdk.repo \
- && EPEL_PKGS="ansible python2-boto google-cloud-cdk" \
+ && EPEL_PKGS="ansible python2-boto google-cloud-sdk-183.0.0 which" \
 && yum install -y epel-release \
 && yum install -y --setopt=tsflags=nodocs $EPEL_PKGS \
 && rpm -V $INSTALL_PKGS $EPEL_PKGS \
diff --git a/images/installer/origin-extra-root/etc/yum.repos.d/google-cloud-sdk.repo b/images/installer/origin-extra-root/etc/yum.repos.d/google-cloud-sdk.repo
new file mode 100644
index 000000000..7bb8502e9
--- /dev/null
+++ b/images/installer/origin-extra-root/etc/yum.repos.d/google-cloud-sdk.repo
@@ -0,0 +1,8 @@
+[google-cloud-sdk]
+name=google-cloud-sdk
+baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
+ https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 2be8ebd5b..e593cc4dc 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@ Name: openshift-ansible
 Version: 3.9.0
-Release: 0.10.0%{?dist}
+Release: 0.12.0%{?dist}
 Summary: Openshift and Atomic Enterprise Ansible
 License: ASL 2.0
 URL: https://github.com/openshift/openshift-ansible
@@ -202,6 +202,48 @@ Atomic OpenShift Utilities includes
 %changelog
+* Tue Jan 02 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.12.0
+-
+
+* Mon Jan 01 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.11.0
+- aws: Fix misnamed variable in provisioning_vars.yml.example
+ (mbarnes@fedoraproject.org)
+- Fix container_runtime openshift_containerized_host_groups
+ (mgugino@redhat.com)
+- Remove references to deployment_type (mgugino@redhat.com)
+- Must directly specify google-cloud-sdk version (ccoleman@redhat.com)
+- daemonset config role. (kwoodson@redhat.com)
+- Move validate_hosts to prerequisites.yml (mgugino@redhat.com)
+- Move sanity_checks into custom action plugin (mgugino@redhat.com)
+- Remove openshift.common.{is_atomic|is_containerized} (mgugino@redhat.com)
+- Adding support for docker-storage-setup on overlay (kwoodson@redhat.com)
+- Add gcloud to the installer image (ccoleman@redhat.com)
+- Remove some small items from openshift_facts (mgugino@redhat.com)
+- Relocate filter plugins to lib_utils (mgugino@redhat.com)
+- Fix hosted_reg_router selectors (mgugino@redhat.com)
+- set repos after registration: convert to match task -> import_role model.
+ (markllama@gmail.com)
+- Remove openshift_node_facts role (mgugino@redhat.com)
+- Move node group tags to openshift_aws_{master,node}_group.
+ (abutcher@redhat.com)
+- Add CentOS-OpenShift-Origin37 repo template. (abutcher@redhat.com)
+- Adding no_log to registry_auth. (kwoodson@redhat.com)
+- Fix rhel_repos disable command (mazzystr@gmail.com)
+- Fix rhel_subscribe boolean (mgugino@redhat.com)
+- Move repo and subscribe to prerequisites (mgugino@redhat.com)
+- Deprecate using Ansible tests as filters (rteague@redhat.com)
+- Removing config trigger for ES DC, updating to use a handler to rollout ES at
+ the end of a deployment, allowing for override with variable
+ (ewolinet@redhat.com)
+- openshift_logging_{fluentd,mux}_file_buffer_limit mismatch
+ (nhosoi@redhat.com)
+- Update version check to Ansible 2.4.1 (rteague@redhat.com)
+- Remove openshift_node_facts part 1 (mgugino@redhat.com)
+- Validate node hostname and IP address (rteague@redhat.com)
+- Add missing openshift_service_type (mgugino@redhat.com)
+- prevent TSB pods from spinning on inappropriate nodes (jminter@redhat.com)
+- Add readiness probe to kuryr controller pod (ltomasbo@redhat.com)
+
 * Thu Dec 14 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.10.0
 - Bump requirements.txt to Ansible 2.4.1 (rteague@redhat.com)
 - Commit to stabalize RHSM operations. This code is derived from contrib
diff --git a/playbooks/aws/provisioning_vars.yml.example b/playbooks/aws/provisioning_vars.yml.example
index 1491fb868..2eb7d23d4 100644
--- a/playbooks/aws/provisioning_vars.yml.example
+++ b/playbooks/aws/provisioning_vars.yml.example
@@ -46,7 +46,7 @@ openshift_pkg_version: # -3.7.0
 # Name of the subnet in the vpc to use. Needs to be set if using a pre-existing
 # vpc + subnet.
-#openshift_aws_subnet_name:
+#openshift_aws_subnet_az:
 # -------------- #
 # Security Group #
diff --git a/roles/container_runtime/tasks/registry_auth.yml b/roles/container_runtime/tasks/registry_auth.yml
index 2c7bc5711..4f1abd59a 100644
--- a/roles/container_runtime/tasks/registry_auth.yml
+++ b/roles/container_runtime/tasks/registry_auth.yml
@@ -15,6 +15,7 @@
 - not openshift_docker_alternative_creds | bool
 - oreg_auth_user is defined
 - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+ no_log: True
 # docker_creds is a custom module from lib_utils
 # 'docker login' requires a docker.service running on the local host, this is an
@@ -30,3 +31,4 @@
 - openshift_docker_alternative_creds | bool
 - oreg_auth_user is defined
 - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+ no_log: True
diff --git a/roles/openshift_daemonset_config/defaults/main.yml b/roles/openshift_daemonset_config/defaults/main.yml
new file mode 100644
index 000000000..ebe5671d2
--- /dev/null
+++ b/roles/openshift_daemonset_config/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+openshift_daemonset_config_namespace: openshift-node
+openshift_daemonset_config_daemonset_name: ops-node-config
+openshift_daemonset_config_configmap_name: "{{ openshift_daemonset_config_daemonset_name }}"
+openshift_daemonset_config_node_selector:
+ config: config
+openshift_daemonset_config_sa_name: ops
+openshift_daemonset_config_configmap_files: {}
+openshift_daemonset_config_configmap_literals: {}
+openshift_daemonset_config_monitoring: False
+openshift_daemonset_config_interval: 300
+openshift_daemonset_config_script: config.sh
+openshift_daemonset_config_secret_name: operations-config-secret
+openshift_daemonset_config_secrets: {}
+openshift_daemonset_config_runasuser: 0
+openshift_daemonset_config_privileged: True
+openshift_daemonset_config_resources:
+ cpu: 10m
+ memory: 10Mi
diff --git a/roles/openshift_daemonset_config/meta/main.yml b/roles/openshift_daemonset_config/meta/main.yml
new file mode 100644
index 000000000..d2bbd2576
--- /dev/null
+++ b/roles/openshift_daemonset_config/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- lib_openshift
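Review bot: The defaults `openshift_daemonset_config_privileged: True` and `openshift_daemonset_config_runasuser: 0` in defaults/main.yml carry no comment, yet they decide that the user-supplied `openshift_daemonset_config_script` runs as root in a privileged container on every node matching the selector. An operator reading this file cannot tell that the namespace and configmap named here are the trust boundary for node-level root. Suggest a comment above the two lines, e.g. `# Defaults run the config script as uid 0 in a privileged pod with host mounts (see templates/daemonset.yml.j2); whoever can write the configmap in openshift_daemonset_config_namespace controls every selected node, so keep RBAC on that namespace tight and set these to a non-root uid / False where the script allows.`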
diff --git a/roles/openshift_daemonset_config/tasks/main.yml b/roles/openshift_daemonset_config/tasks/main.yml
new file mode 100644
index 000000000..450cc9dca
--- /dev/null
+++ b/roles/openshift_daemonset_config/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+- name: add a sa
+ oc_serviceaccount:
+ name: "{{ openshift_daemonset_config_sa_name }}"
+ namespace: "{{ openshift_daemonset_config_namespace }}"
+
+- name: add sa to privileged scc
+ oc_adm_policy_user:
+ namespace: "{{ openshift_daemonset_config_namespace }}"
+ resource_kind: scc
+ resource_name: privileged
+ state: present
+ user: "system:serviceaccount:{{ openshift_daemonset_config_namespace }}:{{ openshift_daemonset_config_sa_name }}"
+
+- name: copy template to disk
+ template:
+ dest: "/tmp/{{ item.name }}"
+ src: "{{ item.name }}.j2"
+ with_items:
+ - name: daemonset.yml
+
+- name: copy files to disk
+ copy:
+ src: "{{ item.key }}"
+ dest: "{{ item.value }}"
+ with_dict: "{{ openshift_daemonset_config_configmap_files }}"
+
+- name: create the namespace
+ oc_project:
+ state: present
+ name: "{{ openshift_daemonset_config_namespace }}"
+
+- name: lay down secrets
+ oc_secret:
+ state: present
+ name: "{{ openshift_daemonset_config_secret_name }}"
+ namespace: "{{ openshift_daemonset_config_namespace }}"
+ delete_after: true
+ contents: "{{ openshift_daemonset_config_secrets }}"
+ when:
+ - openshift_daemonset_config_secrets != {}
+
+- name: create the configmap
+ oc_configmap:
+ state: present
+ name: "{{ openshift_daemonset_config_configmap_name }}"
+ namespace: "{{ openshift_daemonset_config_namespace }}"
+ from_literal: "{{ openshift_daemonset_config_configmap_literals }}"
+ from_file: "{{ openshift_daemonset_config_configmap_files }}"
+
+- name: deploy daemonset
+ oc_obj:
+ state: present
+ namespace: "{{ openshift_daemonset_config_namespace }}" # openshift-node??
+ name: "{{ openshift_daemonset_config_daemonset_name }}"
+ kind: daemonset
+ files:
+ - /tmp/daemonset.yml
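Review bot: The `lay down secrets` task hands `openshift_daemonset_config_secrets` to `oc_secret` without `no_log`, so the secret contents are printed in the Ansible run output and end up in whatever captures that log; this is the same exposure the commit closes in registry_auth.yml, so the task should get `no_log: true` as well. Separately, `copy template to disk` renders the daemonset to the fixed path `/tmp/daemonset.yml` and `deploy daemonset` reads it back from there: a predictable name in a world-writable directory that is also never cleaned up. Rendering under a path from the `tempfile` module (or a directory the role owns) and removing it after `oc_obj` has consumed it would avoid both problems. The trailing `# openshift-node??` comment on the namespace line reads as an unresolved question and should either be answered or dropped.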
diff --git a/roles/openshift_daemonset_config/templates/daemonset.yml.j2 b/roles/openshift_daemonset_config/templates/daemonset.yml.j2
new file mode 100644
index 000000000..9792f6d16
--- /dev/null
+++ b/roles/openshift_daemonset_config/templates/daemonset.yml.j2
@@ -0,0 +1,142 @@
+---
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+ name: {{ openshift_daemonset_config_daemonset_name }}
+ annotations:
+ kubernetes.io/description: |
+ This daemon set manages the operational configuration for a cluster and ensures all nodes have
+ a concrete set of config in place. It could also use a local ansible run against the /host directory.
+spec:
+ selector:
+ matchLabels:
+ app: {{ openshift_daemonset_config_daemonset_name }}
+ confighosts: ops
+ ops.openshift.io/role: operations
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: {{ openshift_daemonset_config_daemonset_name }}
+ confighosts: ops
+ ops.openshift.io/role: operations
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+{% if openshift_daemonset_config_node_selector is defined and openshift_daemonset_config_node_selector != {} %}
+ nodeSelector: {{ openshift_daemonset_config_node_selector | to_json }}
+{% endif %}
+ serviceAccountName: {{ openshift_daemonset_config_sa_name }}
+ hostNetwork: true
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: config
+ image: centos:7
+ env:
+ - name: RESYNC_INTERVAL
+ value: "{{ openshift_daemonset_config_interval }}"
+ command:
+ - /bin/bash
+ - -c
+ - |
+ #!/bin/sh
+ set -o errexit
+
+ while true; do
+
+ # execute user defined script
+ sh /opt/config/{{ openshift_daemonset_config_script }}
+
+ # sleep for ${RESYNC_INTERVAL} minutes, then loop. if we fail Kubelet will restart us again
+ echo "Success, sleeping for ${RESYNC_INTERVAL}s"
+ exec sleep ${RESYNC_INTERVAL}
+
+ # Return to perform the config
+ done
+ securityContext:
+ # Must be root to modify host system
+ runAsUser: {{ openshift_daemonset_config_runasuser }}
+ # Permission could be reduced by selecting an appropriate SELinux policy that allows
+ # us to update the named directories
+ privileged: {{ openshift_daemonset_config_privileged }}
+ volumeMounts:
+ # Directory which contains the host volume.
+ - mountPath: /host
+ name: host
+ # Our node configuration
+ - mountPath: /opt/config
+ name: config
+{% if openshift_daemonset_config_secrets != {} %}
+ # Our delivered secrets
+ - mountPath: /opt/secrets
+ name: secrets
+{% endif %}
+ resources:
+ requests:
+ cpu: {{ openshift_daemonset_config_resources.cpu }}
+ memory: {{ openshift_daemonset_config_resources.memory }}
+{% if openshift_daemonset_config_monitoring %}
+ - name: monitoring
+ image: openshifttools/oso-centos7-host-monitoring:latest
+ securityContext:
+ # Must be root to read content
+ runAsUser: 0
+ privileged: true
+
+ volumeMounts:
+ - mountPath: /host
+ name: host
+ readOnly: true
+ - mountPath: /etc/localtime
+ subPath: etc/localtime
+ name: host
+ readOnly: true
+ - mountPath: /sys
+ subPath: sys
+ name: host
+ readOnly: true
+ - mountPath: /var/run/docker.sock
+ subPath: var/run/docker.sock
+ name: host
+ readOnly: true
+ - mountPath: /var/run/openvswitch
+ subPath: var/run/openvswitch
+ name: host
+ readOnly: true
+ - mountPath: /etc/origin
+ subPath: etc/origin
+ name: host
+ readOnly: true
+ - mountPath: /usr/bin/oc
+ subPath: usr/bin/oc
+ name: host
+ readOnly: true
+ name: host
+ readOnly: true
+ - mountPath: /host/var/cache/yum
+ subPath: var/cache/yum
+ name: host
+ - mountPath: /container_setup/monitoring-config.yml
+ subPath: monitoring-config.yaml
+ name: config
+ - mountPath: /opt/config
+ name: config
+ resources:
+ requests:
+ cpu: 10m
+ memory: 10Mi
+{% endif %}
+ volumes:
+ - name: config
+ configMap:
+ name: {{ openshift_daemonset_config_configmap_name }}
+{% if openshift_daemonset_config_secrets != {} %}
+ - name: secrets
+ secret:
+ secretName: {{ openshift_daemonset_config_secret_name }}
+{% endif %}
+ - name: host
+ hostPath:
+ path: /
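Review bot: The `/usr/bin/oc` volumeMount in the monitoring container lists `name: host` and `readOnly: true` twice in the same mapping; the hunk's 142-line count includes both pairs, so this is in the file rather than a rendering artifact, and strict YAML parsers reject duplicate keys while lenient ones silently keep the last value, so the second `name: host` / `readOnly: true` pair should be deleted. In the config container the `while true` loop never loops: `exec sleep ${RESYNC_INTERVAL}` replaces the shell, so `done` is unreachable and each resync actually happens through a container restart (visible as a climbing restart count); either drop `exec` or change the comment `# Return to perform the config` to say the restart is intended. The comment `# sleep for ${RESYNC_INTERVAL} minutes` also disagrees with the echo line, which reports seconds. Finally, the configMap mount at `/opt/config` is the source of the script that runs as `runAsUser: {{ openshift_daemonset_config_runasuser }}` (0 by default) with the host root mounted read-write at `/host`; adding `readOnly: true` to that mount costs nothing and keeps the script from rewriting itself.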