39 files changed, 191 insertions, 94 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 99fd69afc..3fd8b4d26 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.7.0-0.187.0 ./ +3.7.0-0.189.0 ./ diff --git a/inventory/byo/hosts.example b/inventory/byo/hosts.example index 75ddf8e10..e49dd5fa2 100644 --- a/inventory/byo/hosts.example +++ b/inventory/byo/hosts.example @@ -310,9 +310,6 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_master_cluster_hostname=openshift-ansible.test.example.com #openshift_master_cluster_public_hostname=openshift-ansible.test.example.com -# Override the default controller lease ttl -#osm_controller_lease_ttl=30 - # Configure controller arguments #osm_controller_args={'resource-quota-sync-period': ['10s']} @@ -1044,6 +1041,12 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # openshift_management_template_parameters={'APPLICATION_MEM_REQ': '512Mi'} #openshift_management_template_parameters: {} +# Firewall configuration +# You can open additional firewall ports by defining them as a list. of service +# names and ports/port ranges for either masters or nodes. +#openshift_master_open_ports=[{"service":"svc1","port":"11/tcp"}] +#openshift_node_open_ports=[{"service":"svc2","port":"12-13/tcp"},{"service":"svc3","port":"14/udp"}] + # host group for masters [masters] ose3-master[1:3]-ansible.test.example.com diff --git a/openshift-ansible.spec b/openshift-ansible.spec index f1ace9b22..57db94c1f 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -10,7 +10,7 @@ Name: openshift-ansible Version: 3.7.0 -Release: 0.187.0%{?dist} +Release: 0.189.0%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 URL: https://github.com/openshift/openshift-ansible 
@@ -21,12 +21,12 @@ Requires: ansible >= 2.3 Requires: python2 Requires: python-six Requires: tar -Requires: %{name}-docs = %{version} -Requires: %{name}-playbooks = %{version} -Requires: %{name}-roles = %{version} -Requires: %{name}-filter-plugins = %{version} -Requires: %{name}-lookup-plugins = %{version} -Requires: %{name}-callback-plugins = %{version} +Requires: %{name}-docs = %{version}-%{release} +Requires: %{name}-playbooks = %{version}-%{release} +Requires: %{name}-roles = %{version}-%{release} +Requires: %{name}-filter-plugins = %{version}-%{release} +Requires: %{name}-lookup-plugins = %{version}-%{release} +Requires: %{name}-callback-plugins = %{version}-%{release} Requires: java-1.8.0-openjdk-headless Requires: httpd-tools Requires: libselinux-python @@ -139,7 +139,7 @@ popd # ---------------------------------------------------------------------------------- %package docs Summary: Openshift and Atomic Enterprise Ansible documents -Requires: %{name} = %{version} +Requires: %{name} = %{version}-%{release} BuildArch: noarch %description docs @@ -153,11 +153,11 @@ BuildArch: noarch # ---------------------------------------------------------------------------------- %package playbooks Summary: Openshift and Atomic Enterprise Ansible Playbooks -Requires: %{name} = %{version} -Requires: %{name}-roles = %{version} -Requires: %{name}-lookup-plugins = %{version} -Requires: %{name}-filter-plugins = %{version} -Requires: %{name}-callback-plugins = %{version} +Requires: %{name} = %{version}-%{release} +Requires: %{name}-roles = %{version}-%{release} +Requires: %{name}-lookup-plugins = %{version}-%{release} +Requires: %{name}-filter-plugins = %{version}-%{release} +Requires: %{name}-callback-plugins = %{version}-%{release} BuildArch: noarch %description playbooks 
@@ -197,10 +197,10 @@ end # openshift-ansible-roles subpackage # ---------------------------------------------------------------------------------- Summary: Openshift and Atomic Enterprise Ansible roles -Requires: %{name} = %{version} -Requires: %{name}-lookup-plugins = %{version} -Requires: %{name}-filter-plugins = %{version} -Requires: %{name}-callback-plugins = %{version} +Requires: %{name} = %{version}-%{release} +Requires: %{name}-lookup-plugins = %{version}-%{release} +Requires: %{name}-filter-plugins = %{version}-%{release} +Requires: %{name}-callback-plugins = %{version}-%{release} BuildArch: noarch %description roles @@ -215,7 +215,7 @@ BuildArch: noarch # ---------------------------------------------------------------------------------- %package filter-plugins Summary: Openshift and Atomic Enterprise Ansible filter plugins -Requires: %{name} = %{version} +Requires: %{name} = %{version}-%{release} BuildArch: noarch Requires: pyOpenSSL @@ -232,7 +232,7 @@ Requires: pyOpenSSL # ---------------------------------------------------------------------------------- %package lookup-plugins Summary: Openshift and Atomic Enterprise Ansible lookup plugins -Requires: %{name} = %{version} +Requires: %{name} = %{version}-%{release} BuildArch: noarch %description lookup-plugins @@ -248,7 +248,7 @@ BuildArch: noarch # ---------------------------------------------------------------------------------- %package callback-plugins Summary: Openshift and Atomic Enterprise Ansible callback plugins -Requires: %{name} = %{version} +Requires: %{name} = %{version}-%{release} BuildArch: noarch %description callback-plugins @@ -265,7 +265,7 @@ BuildArch: noarch %package -n atomic-openshift-utils Summary: Atomic OpenShift Utilities BuildRequires: python-setuptools -Requires: %{name}-playbooks = %{version} +Requires: %{name}-playbooks = %{version}-%{release} Requires: python-click Requires: python-setuptools Requires: PyYAML 
@@ -285,6 +285,50 @@ Atomic OpenShift Utilities includes %changelog +* Wed Nov 01 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.189.0 +- Stating that certificate it is required when doing SSL on ELB. + (kwoodson@redhat.com) +- Ensure GCP image build instance gets cleaned up on teardown + (ccoleman@redhat.com) +- Switch from bind-interfaces to bind-dynamic (sdodson@redhat.com) +- Remove unused osm_controller_lease_ttl (mgugino@redhat.com) +- Delete images located in a family named {{ prefix }}images + (ccoleman@redhat.com) +- Use global IP to indicate node should pick DNS (ccoleman@redhat.com) +- Remove project metadata prefixed with the cluster prefix + (ccoleman@redhat.com) +- Use openshift.node.registry_url instead of oreg_url (ccoleman@redhat.com) +- Allow master node group to wait for stable on GCP (ccoleman@redhat.com) +- GCP cannot use AWS growpart package (ccoleman@redhat.com) +- dnsmasq cache-size dns-forward-max change (pcameron@redhat.com) +- Also require that we match the release (sdodson@redhat.com) +- Add arbitrary firewall port config to master too (sdodson@redhat.com) +- remove master.service during the non-ha to ha upgrade (jchaloup@redhat.com) +- Removing unneeded bootstrap which moved into the product. 
+ (kwoodson@redhat.com) +- Add retry logic to docker auth credentials (mgugino@redhat.com) +- Retry restarting journald (mgugino@redhat.com) +- Modify StorageClass name to standard (piqin@redhat.com) +- Give PV & PVC empty storage class to avoid being assigned default gp2 + (mawong@redhat.com) +- Use oc_project to ensure openshift_provisioners_project present + (mawong@redhat.com) +- Fix yaml formatting (mawong@redhat.com) +- Create default storageclass for cloudprovider openstack (piqin@redhat.com) +- preserve the oo-install ansible_inventory_path value (rmeggins@redhat.com) + +* Tue Oct 31 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.188.0 +- Add dm_thin_pool for gluster use (sdodson@redhat.com) +- Fix broken oc_secret update function (barlik@gmx.com) +- add new clusterNetworks fields to new installs (jtanenba@redhat.com) +- docker: Create openshift_docker_is_node_or_master variable + (smilner@redhat.com) +- Correctly install cockpit (sdodson@redhat.com) +- Glusterfs storage templates for v1.5 added (chinacoolhacker@gmail.com) +- bug 1501599. Omit logging project from overcommit restrictions + (jcantril@redhat.com) +- GlusterFS: Remove image option from heketi command (jarrpa@redhat.com) + * Mon Oct 30 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.187.0 - diff --git a/playbooks/aws/README.md b/playbooks/aws/README.md index 4e5c1017b..417fb539a 100644 --- a/playbooks/aws/README.md +++ b/playbooks/aws/README.md @@ -65,6 +65,7 @@ openshift_release: # example: v3.7 openshift_pkg_version: # example: -3.7.0 openshift_aws_ssh_key_name: # example: myuser_key openshift_aws_base_ami: # example: ami-12345678 +# These are required when doing SSL on the ELBs openshift_aws_iam_cert_path: # example: '/path/to/wildcard.<clusterid>.example.com.crt' openshift_aws_iam_cert_key_path: # example: '/path/to/wildcard.<clusterid>.example.com.key' ``` 
diff --git a/playbooks/aws/openshift-cluster/build_ami.yml b/playbooks/aws/openshift-cluster/build_ami.yml index 5b4a6a1e8..fae30eb0a 100644 --- a/playbooks/aws/openshift-cluster/build_ami.yml +++ b/playbooks/aws/openshift-cluster/build_ami.yml @@ -28,6 +28,8 @@ set_fact: ansible_ssh_user: "{{ openshift_aws_build_ami_ssh_user | default(ansible_ssh_user) }}" openshift_node_bootstrap: True + openshift_node_image_prep_packages: + - cloud-utils-growpart # This is the part that installs all of the software and configs for the instance # to become a node. diff --git a/playbooks/common/openshift-cluster/openshift_default_storage_class.yml b/playbooks/common/openshift-cluster/openshift_default_storage_class.yml index 4b4f19690..62fe0dd60 100644 --- a/playbooks/common/openshift-cluster/openshift_default_storage_class.yml +++ b/playbooks/common/openshift-cluster/openshift_default_storage_class.yml @@ -3,4 +3,4 @@ hosts: oo_first_master roles: - role: openshift_default_storage_class - when: openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce') + when: openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce' or openshift_cloudprovider_kind == 'openstack') diff --git a/playbooks/common/openshift-master/additional_config.yml b/playbooks/common/openshift-master/additional_config.yml index e1472ce38..350557f19 100644 --- a/playbooks/common/openshift-master/additional_config.yml +++ b/playbooks/common/openshift-master/additional_config.yml @@ -28,7 +28,7 @@ when: openshift_use_manageiq | default(true) | bool - role: cockpit when: - - openshift.common.is_atomic + - not openshift.common.is_atomic | bool - deployment_type == 'openshift-enterprise' - osm_use_cockpit is undefined or osm_use_cockpit | bool - openshift.common.deployment_subtype != 'registry' 
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index fe938e52b..f6f2bd77e 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -20,6 +20,7 @@ l2_docker_additional_registries: "{% if openshift_docker_additional_registries i l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}" l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}" +openshift_docker_use_etc_containers: False containers_registries_conf_path: /etc/containers/registries.conf r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index b16413f72..c1aedf879 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -81,6 +81,7 @@ template: dest: "{{ containers_registries_conf_path }}" src: registries.conf + when: openshift_docker_use_etc_containers | bool notify: - restart docker diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml index 65ed60efa..d05b7f2b8 100644 --- a/roles/docker/tasks/registry_auth.yml +++ b/roles/docker/tasks/registry_auth.yml 
@@ -7,6 +7,10 @@ - name: Create credentials for docker cli registry auth command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" + register: openshift_docker_credentials_create_res + retries: 3 + delay: 5 + until: openshift_docker_credentials_create_res.rc == 0 when: - oreg_auth_user is defined - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py index 0614f359d..62bda33ad 100644 --- a/roles/lib_openshift/library/oc_secret.py +++ b/roles/lib_openshift/library/oc_secret.py @@ -1633,7 +1633,7 @@ class OCSecret(OpenShiftCLI): This receives a list of file names and converts it into a secret. The secret is then written to disk and passed into the `oc replace` command. ''' - secret = self.prep_secret(files, force) + secret = self.prep_secret(files, force=force) if secret['returncode'] != 0: return secret diff --git a/roles/lib_openshift/src/class/oc_secret.py b/roles/lib_openshift/src/class/oc_secret.py index 5322d6241..89e70b6b2 100644 --- a/roles/lib_openshift/src/class/oc_secret.py +++ b/roles/lib_openshift/src/class/oc_secret.py @@ -67,7 +67,7 @@ class OCSecret(OpenShiftCLI): This receives a list of file names and converts it into a secret. The secret is then written to disk and passed into the `oc replace` command. ''' - secret = self.prep_secret(files, force) + secret = self.prep_secret(files, force=force) if secret['returncode'] != 0: return secret diff --git a/roles/openshift_default_storage_class/defaults/main.yml b/roles/openshift_default_storage_class/defaults/main.yml index bdece7640..014c06641 100644 --- a/roles/openshift_default_storage_class/defaults/main.yml +++ b/roles/openshift_default_storage_class/defaults/main.yml 
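Review bot: The added `register: openshift_docker_credentials_create_res` and retry loop sit on a task whose command line carries `-p {{ oreg_auth_password }}`, and the task has no `no_log: true`, so a failed attempt can put the registry password into the Ansible output and any callback log. Adding `no_log: true` to this task keeps the credential out of the task result. The same `retries`/`delay`/`until` lines are added in roles/openshift_master/tasks/registry_auth.yml, roles/openshift_node/tasks/registry_auth.yml and roles/openshift_node_upgrade/tasks/registry_auth.yml; their commands are outside those hunks, so check whether they pass the password the same way. The task continues past the end of this hunk.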
@@ -13,6 +13,12 @@ openshift_storageclass_defaults: parameters: type: pd-standard + openstack: + name: standard + provisioner: cinder + parameters: + fstype: xfs + openshift_storageclass_default: "true" openshift_storageclass_name: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['name'] }}" openshift_storageclass_provisioner: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['provisioner'] }}" diff --git a/roles/openshift_default_storage_class/tasks/main.yml b/roles/openshift_default_storage_class/tasks/main.yml index 172e2ac25..281ec8ed5 100644 --- a/roles/openshift_default_storage_class/tasks/main.yml +++ b/roles/openshift_default_storage_class/tasks/main.yml @@ -1,5 +1,5 @@ --- -# Install default storage classes in GCE & AWS +# Install default storage classes in GCE & AWS & OPENSTACK - name: Ensure storageclass object oc_storageclass: name: "{{ openshift_storageclass_name }}" diff --git a/roles/openshift_gcp/templates/provision.j2.sh b/roles/openshift_gcp/templates/provision.j2.sh index 5ed6d9f84..4d150bc74 100644 --- a/roles/openshift_gcp/templates/provision.j2.sh +++ b/roles/openshift_gcp/templates/provision.j2.sh @@ -313,11 +313,11 @@ fi # wait until all node groups are stable {% for node_group in openshift_gcp_node_group_config %} -{% if node_group.bootstrap | default(False) %} -# not waiting for {{ node_group.name }} due to bootstrapping -{% else %} +{% if node_group.wait_for_stable | default(False) or not (node_group.bootstrap | default(False)) %} # wait for stable {{ node_group.name }} ( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed wait-until-stable "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --timeout=600 ) & +{% else %} +# not waiting for {{ node_group.name }} due to bootstrapping {% endif %} {% endfor %} diff --git a/roles/openshift_gcp/templates/remove.j2.sh b/roles/openshift_gcp/templates/remove.j2.sh index a1e0affec..c9213b800 100644 
--- a/roles/openshift_gcp/templates/remove.j2.sh +++ b/roles/openshift_gcp/templates/remove.j2.sh @@ -37,7 +37,7 @@ function teardown() { # scale down {{ node_group.name }} ( # performs a delete and scale down as one operation to ensure maximum parallelism - if ! instances=$( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed list-instances "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --format='value[terminator=","](instance)' ); then + if ! instances=$( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed list-instances "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --format='value[terminator=","](instance)' 2>/dev/null ); then exit 0 fi instances="${instances%?}" @@ -59,6 +59,21 @@ if gsutil ls -p "{{ openshift_gcp_project }}" "gs://{{ openshift_gcp_registry_bu fi ) & +# Project metadata prefixed with {{ openshift_gcp_prefix }} +( + for key in $( gcloud --project "{{ openshift_gcp_project }}" compute project-info describe --flatten=commonInstanceMetadata.items[] '--format=value(commonInstanceMetadata.items.key)' ); do + if [[ "${key}" == "{{ openshift_gcp_prefix }}"* ]]; then + gcloud --project "{{ openshift_gcp_project }}" compute project-info remove-metadata "--keys=${key}" + fi + done +) & + +# Instances and disks used for image building +( + teardown "{{ openshift_gcp_prefix }}build-image-instance" compute instances --zone "{{ openshift_gcp_zone }}" + teardown "{{ openshift_gcp_prefix }}build-image-instance" compute disks --zone "{{ openshift_gcp_zone }}" +) & + # DNS ( dns_zone="{{ dns_managed_zone | default(openshift_gcp_prefix + 'managed-zone') }}" 
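Review bot: The new project-metadata loop selects keys with `[[ "${key}" == "{{ openshift_gcp_prefix }}"* ]]`, so when openshift_gcp_prefix renders empty the test is true for every key and the loop removes all project-wide metadata rather than this cluster's entries. A prefix that is itself a prefix of another cluster's name in the same project matches that cluster's keys as well. Guard the subshell on a non-empty prefix, for example `[[ -n "{{ openshift_gcp_prefix }}" ]] || exit 0` as its first line, and add a comment saying the prefix has to be unique within the project. The same prefix drives the `--filter=family={{ openshift_gcp_prefix }}images` image deletion added in the last hunk of this file.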
@@ -152,5 +167,12 @@ for i in `jobs -p`; do wait $i; done for i in `jobs -p`; do wait $i; done +# Images specifically located under this cluster prefix family +for name in $( gcloud --project "{{ openshift_gcp_project }}" compute images list "--filter=family={{ openshift_gcp_prefix }}images" '--format=value(name)' ); do + ( gcloud --project "{{ openshift_gcp_project }}" compute images delete "${name}" ) & +done + # Network -teardown "{{ openshift_gcp_network_name }}" compute networks +( teardown "{{ openshift_gcp_network_name }}" compute networks ) & + +for i in `jobs -p`; do wait $i; done
\ No newline at end of file diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 3da861d03..dafafda08 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -12,7 +12,7 @@ r_openshift_master_clean_install: false r_openshift_master_etcd3_storage: false r_openshift_master_os_firewall_enable: true r_openshift_master_os_firewall_deny: [] -r_openshift_master_os_firewall_allow: +default_r_openshift_master_os_firewall_allow: - service: api server https port: "{{ openshift.master.api_port }}/tcp" - service: api controllers https @@ -24,6 +24,8 @@ r_openshift_master_os_firewall_allow: - service: etcd embedded port: 4001/tcp cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" +r_openshift_master_os_firewall_allow: "{{ default_r_openshift_master_os_firewall_allow | union(openshift_master_open_ports | default([])) }}" + # oreg_url is defined by user input oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}" @@ -71,7 +73,7 @@ openshift_master_bootstrap_enabled: False openshift_master_client_binary: "{{ openshift.common.client_binary if openshift is defined else 'oc' }}" -openshift_master_config_imageconfig_format: "{{ oreg_url if oreg_url != '' else 'registry.access.redhat.com/openshift3/ose-${component}:${version}' }}" +openshift_master_config_imageconfig_format: "{{ openshift.node.registry_url }}" # these are for the default settings in a generated node-config.yaml openshift_master_node_config_default_edits: diff --git a/roles/openshift_master/tasks/bootstrap.yml b/roles/openshift_master/tasks/bootstrap.yml index eee89743c..1c30c1dea 100644 --- a/roles/openshift_master/tasks/bootstrap.yml +++ b/roles/openshift_master/tasks/bootstrap.yml 
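Review bot: Nothing at the definition of `r_openshift_master_os_firewall_allow` says what an entry of `openshift_master_open_ports` has to look like or that it is opened on every master. The user-supplied entries are merged with `union(...)` into the default allow list and, unlike the `etcd embedded` default, carry no `cond`, so they are applied unconditionally. A comment above the line would cover this, for example `# openshift_master_open_ports: list of {service: <name>, port: "<port or range>/<tcp|udp>"}, opened on all masters in addition to the defaults above`. Any validation of the entries would have to live in the firewall tasks, which are not part of this hunk.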
@@ -1,21 +1,4 @@ --- - -- name: ensure the node-bootstrap service account exists - oc_serviceaccount: - name: node-bootstrapper - namespace: openshift-infra - state: present - run_once: true - -- name: grant node-bootstrapper the correct permissions to bootstrap - oc_adm_policy_user: - namespace: openshift-infra - user: system:serviceaccount:openshift-infra:node-bootstrapper - resource_kind: cluster-role - resource_name: system:node-bootstrapper - state: present - run_once: true - # TODO: create a module for this command. # oc_serviceaccounts_kubeconfig - name: create service account kubeconfig with csr rights @@ -42,6 +25,7 @@ --node-dir={{ mktempout.stdout }}/ --node=CONFIGMAP --hostnames=test + --dns-ip=0.0.0.0 --certificate-authority={{ openshift_master_config_dir }}/ca.crt --signer-cert={{ openshift_master_config_dir }}/ca.crt --signer-key={{ openshift_master_config_dir }}/ca.key diff --git a/roles/openshift_master/tasks/clean_systemd_units.yml b/roles/openshift_master/tasks/clean_systemd_units.yml deleted file mode 100644 index e641f84d4..000000000 --- a/roles/openshift_master/tasks/clean_systemd_units.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Disable master service - systemd: - name: "{{ openshift.common.service_type }}-master" - state: stopped - enabled: no - masked: yes - ignore_errors: true diff --git a/roles/openshift_master/tasks/journald.yml b/roles/openshift_master/tasks/journald.yml index e2edd5ef4..a16cbe78e 100644 --- a/roles/openshift_master/tasks/journald.yml +++ b/roles/openshift_master/tasks/journald.yml @@ -21,7 +21,9 @@ # I need to restart journald immediatelly, otherwise it gets into way during # further steps in ansible - name: Restart journald - systemd: - name: systemd-journald - state: restarted + command: "systemctl restart systemd-journald" + retries: 3 + delay: 5 + register: result + until: result.rc == 0 when: journald_update | changed 
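Review bot: Switching `Restart journald` from the `systemd` module to `command: "systemctl restart systemd-journald"` is not required to get a retry loop, because `retries`, `delay` and `until` work on module tasks as well. Keeping the module and adding `register: result`, `retries: 3`, `delay: 5` and `until: result | succeeded` would preserve check-mode support and avoid the command-instead-of-module lint warning. If the module itself was what failed during the restart, say so in the comment above the task so the next reader does not revert it.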
diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml index 63d483760..cde01c49e 100644 --- a/roles/openshift_master/tasks/registry_auth.yml +++ b/roles/openshift_master/tasks/registry_auth.yml @@ -11,6 +11,9 @@ - oreg_auth_user is defined - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool register: master_oreg_auth_credentials_create + retries: 3 + delay: 5 + until: master_oreg_auth_credentials_create.rc == 0 notify: - restart master api - restart master controllers diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml index fcc66044b..5751723ab 100644 --- a/roles/openshift_master/tasks/systemd_units.yml +++ b/roles/openshift_master/tasks/systemd_units.yml @@ -14,8 +14,22 @@ - include: registry_auth.yml +- name: Disable the legacy master service if it exists + systemd: + name: "{{ openshift.common.service_type }}-master" + state: stopped + enabled: no + masked: yes + ignore_errors: true + - name: Remove the legacy master service if it exists - include: clean_systemd_units.yml + file: + path: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service" + state: absent + ignore_errors: true + when: + - openshift.master.cluster_method == "native" + - not openshift.common.is_master_system_container | bool # This is the image used for both HA and non-HA clusters: - name: Pre-pull master image diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index a1a0bfaa9..c83fc9fbb 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 
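Review bot: The `ignore_errors: true` on the rewritten `Remove the legacy master service if it exists` task hides the only failures that matter there. `file` with `state: absent` already succeeds when the path does not exist, so what remains to be ignored is a permission or filesystem error that would leave the stale unit file in place while the play carries on. Dropping `ignore_errors` from that task, and keeping it only on the preceding `Disable the legacy master service if it exists` task where a missing unit is expected, makes the upgrade fail loudly instead. `containerized_svc_dir` is defined outside this hunk; if it is the directory where systemd places the mask symlink, the removal would also undo the `masked: yes` set one task earlier, which is worth confirming.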
@@ -58,11 +58,12 @@ controllerConfig: {% endif %} controllers: '*' corsAllowedOrigins: + # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname {% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %} - - {{ origin }} + - (?i)\A{{ origin | regex_escape() }}\z {% endfor %} {% for custom_origin in openshift.master.custom_cors_origins | default("") %} - - {{ custom_origin }} + - (?i)\A{{ custom_origin | regex_escape() }}\z {% endfor %} {% if 'disabled_features' in openshift.master %} disabledFeatures: {{ openshift.master.disabled_features | to_json }} diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index 501be148e..cf0be3bef 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml @@ -88,7 +88,6 @@ controller_args: "{{ osm_controller_args | default(None) }}" disabled_features: "{{ osm_disabled_features | default(None) }}" master_count: "{{ openshift_master_count | default(None) }}" - controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}" master_image: "{{ osm_image | default(None) }}" admission_plugin_config: "{{openshift_master_admission_plugin_config }}" kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index b9f16dfd4..37f48e724 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml 
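Review bot: The new entries `(?i)\A{{ origin | regex_escape() }}\z` anchor a bare host name at both ends, but a browser's Origin header has the form scheme://host[:port], so if the master matches these expressions against the full header value, none of the generated patterns can match and every cross-origin request is refused. Anchoring on the scheme separator and allowing an optional port keeps the tightening without that breakage, for example `- (?i)//{{ origin | regex_escape() }}(:|\z)`. The second loop also applies `regex_escape()` to `openshift.master.custom_cors_origins`, which changes the meaning of any existing entry an operator wrote as a regular expression. The comment added above the loops should state that custom origins are now treated as literal host names.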
@@ -9,7 +9,7 @@ openshift_service_type: "{{ 'origin' if openshift_deployment_type == 'origin' el openshift_image_tag: '' -openshift_node_ami_prep_packages: +default_r_openshift_node_image_prep_packages: - "{{ openshift_service_type }}-master" - "{{ openshift_service_type }}-node" - "{{ openshift_service_type }}-docker-excluder" @@ -33,7 +33,6 @@ openshift_node_ami_prep_packages: - python-dbus - PyYAML - yum-utils -- cloud-utils-growpart # gluster - glusterfs-fuse # nfs @@ -54,6 +53,7 @@ openshift_node_ami_prep_packages: # - container-selinux # - atomic # +r_openshift_node_image_prep_packages: "{{ default_r_openshift_node_image_prep_packages | union(openshift_node_image_prep_packages | default([])) }}" openshift_node_bootstrap: False diff --git a/roles/openshift_node/tasks/bootstrap.yml b/roles/openshift_node/tasks/bootstrap.yml index 2deb005da..cf22181a8 100644 --- a/roles/openshift_node/tasks/bootstrap.yml +++ b/roles/openshift_node/tasks/bootstrap.yml @@ -3,7 +3,7 @@ package: name: "{{ item }}" state: present - with_items: "{{ openshift_node_ami_prep_packages }}" + with_items: "{{ r_openshift_node_image_prep_packages }}" - name: create the directory for node file: diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml index de396fb4b..5e5e4f94a 100644 --- a/roles/openshift_node/tasks/registry_auth.yml +++ b/roles/openshift_node/tasks/registry_auth.yml @@ -11,6 +11,9 @@ - oreg_auth_user is defined - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool register: node_oreg_auth_credentials_create + retries: 3 + delay: 5 + until: node_oreg_auth_credentials_create.rc == 0 notify: - restart node diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh index 230f0a28c..f4e48b5b7 100755 --- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh 
+++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh @@ -54,6 +54,8 @@ domain-needed server=/cluster.local/172.30.0.1 server=/30.172.in-addr.arpa/172.30.0.1 enable-dbus +dns-forward-max=5000 +cache-size=5000 EOF # New config file, must restart NEEDS_RESTART=1 diff --git a/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 b/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 index 5c9601277..6543c7c3e 100644 --- a/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 +++ b/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 @@ -3,7 +3,9 @@ domain-needed no-negcache max-cache-ttl=1 enable-dbus -bind-interfaces +dns-forward-max=5000 +cache-size=5000 +bind-dynamic {% for interface in openshift_node_dnsmasq_except_interfaces %} except-interface={{ interface }} {% endfor %} diff --git a/roles/openshift_node_upgrade/tasks/registry_auth.yml b/roles/openshift_node_upgrade/tasks/registry_auth.yml index de396fb4b..5e5e4f94a 100644 --- a/roles/openshift_node_upgrade/tasks/registry_auth.yml +++ b/roles/openshift_node_upgrade/tasks/registry_auth.yml @@ -11,6 +11,9 @@ - oreg_auth_user is defined - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool register: node_oreg_auth_credentials_create + retries: 3 + delay: 5 + until: node_oreg_auth_credentials_create.rc == 0 notify: - restart node diff --git a/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml b/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml index ac21a5e37..1e6aafd00 100644 --- a/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml +++ b/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml 
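Review bot: Replacing `bind-interfaces` with `bind-dynamic` in origin-dns.conf.j2 makes dnsmasq also listen on interfaces and addresses that appear after it has started, so the resolver becomes reachable on any later interface that is not listed in `openshift_node_dnsmasq_except_interfaces`. A comment above the option would make that explicit, for example `# bind-dynamic: also serves interfaces created after startup; list interfaces that must not answer DNS in openshift_node_dnsmasq_except_interfaces`. It is also worth confirming that the node firewall rules restrict port 53 to the intended networks. `dns-forward-max=5000` and `cache-size=5000` are added here and in the heredoc in 99-origin-dns.sh, and a cross-reference between the two copies would keep them from drifting.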
@@ -1,6 +1,8 @@ --- - name: Generate ClusterRoleBindings - template: src=clusterrolebinding.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-clusterrolebinding.yaml + template: + src: clusterrolebinding.j2 + dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-clusterrolebinding.yaml" vars: acct_name: provisioners-{{item}} obj_name: run-provisioners-{{item}} diff --git a/roles/openshift_provisioners/tasks/generate_secrets.yaml b/roles/openshift_provisioners/tasks/generate_secrets.yaml index e6cbb1bbf..fe5ff9f18 100644 --- a/roles/openshift_provisioners/tasks/generate_secrets.yaml +++ b/roles/openshift_provisioners/tasks/generate_secrets.yaml @@ -1,6 +1,8 @@ --- - name: Generate secret for efs - template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-secret.yaml + template: + src: secret.j2 + dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-secret.yaml" vars: name: efs obj_name: "provisioners-efs" diff --git a/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml b/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml index 4fe0583ee..000f19994 100644 --- a/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml +++ b/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml @@ -1,6 +1,8 @@ --- - name: Generating serviceaccounts - template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-sa.yaml + template: + src: serviceaccount.j2 + dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-sa.yaml" vars: obj_name: provisioners-{{item}} labels: diff --git a/roles/openshift_provisioners/tasks/install_efs.yaml b/roles/openshift_provisioners/tasks/install_efs.yaml index 4a6e00513..6e8792446 100644 --- a/roles/openshift_provisioners/tasks/install_efs.yaml +++ b/roles/openshift_provisioners/tasks/install_efs.yaml 
@@ -9,7 +9,9 @@ changed_when: no - name: Generate efs PersistentVolumeClaim - template: src=pvc.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-pvc.yaml + template: + src: pvc.j2 + dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-pvc.yaml" vars: obj_name: "provisioners-efs" size: "1Mi" @@ -21,7 +23,9 @@ changed_when: no - name: Generate efs PersistentVolume - template: src=pv.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-pv.yaml + template: + src: pv.j2 + dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-pv.yaml" vars: obj_name: "provisioners-efs" size: "1Mi" diff --git a/roles/openshift_provisioners/tasks/install_support.yaml b/roles/openshift_provisioners/tasks/install_support.yaml index ba472f1c9..d6db81ab9 100644 --- a/roles/openshift_provisioners/tasks/install_support.yaml +++ b/roles/openshift_provisioners/tasks/install_support.yaml @@ -1,16 +1,9 @@ --- -- name: Check for provisioners project already exists - command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get project {{openshift_provisioners_project}} --no-headers - register: provisioners_project_result - ignore_errors: yes - when: not ansible_check_mode - changed_when: no - -- name: Create provisioners project - command: > - {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig new-project {{openshift_provisioners_project}} - when: not ansible_check_mode and "not found" in provisioners_project_result.stderr +- name: Set provisioners project + oc_project: + state: present + kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + name: "{{ openshift_provisioners_project }}" - name: Create temp directory for all our templates file: path={{mktemp.stdout}}/templates state=directory mode=0755 diff --git a/roles/openshift_provisioners/templates/pv.j2 b/roles/openshift_provisioners/templates/pv.j2 index f4128f9f0..f81b1617a 100644 --- a/roles/openshift_provisioners/templates/pv.j2 +++ b/roles/openshift_provisioners/templates/pv.j2 
@@ -30,3 +30,4 @@ spec: name: {{claim_name}} namespace: {{openshift_provisioners_project}} {% endif %} + storageClassName: "" diff --git a/roles/openshift_provisioners/templates/pvc.j2 b/roles/openshift_provisioners/templates/pvc.j2 index 83d503056..0dd8772eb 100644 --- a/roles/openshift_provisioners/templates/pvc.j2 +++ b/roles/openshift_provisioners/templates/pvc.j2 @@ -23,4 +23,5 @@ spec: resources: requests: storage: {{size}} + storageClassName: "" diff --git a/roles/template_service_broker/files/openshift-ansible-catalog-console.js b/roles/template_service_broker/files/openshift-ansible-catalog-console.js index b3a3d3428..622afb6bd 100644 --- a/roles/template_service_broker/files/openshift-ansible-catalog-console.js +++ b/roles/template_service_broker/files/openshift-ansible-catalog-console.js @@ -1 +1 @@ -window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.template_service_broker = true; +window.OPENSHIFT_CONSTANTS.TEMPLATE_SERVICE_BROKER_ENABLED = true; diff --git a/utils/src/ooinstall/oo_config.py b/utils/src/ooinstall/oo_config.py index c3501c018..9ecd63a80 100644 --- a/utils/src/ooinstall/oo_config.py +++ b/utils/src/ooinstall/oo_config.py @@ -220,6 +220,7 @@ class OOConfig(object): persisted_value = loaded_config.get(setting) if persisted_value is not None: self.settings[setting] = str(persisted_value) + installer_log.debug("config: set (%s) to value (%s)", setting, persisted_value) # We've loaded any persisted configs, let's verify any # paths which are required for a correct and complete @@ -344,8 +345,9 @@ class OOConfig(object): if 'ansible_ssh_user' not in self.settings: self.settings['ansible_ssh_user'] = '' - self.settings['ansible_inventory_path'] = \ - '{}/hosts'.format(os.path.dirname(self.config_path)) + if 'ansible_inventory_path' not in self.settings: + self.settings['ansible_inventory_path'] = \ + '{}/hosts'.format(os.path.dirname(self.config_path)) # clean up any empty sets empty_keys = [] |
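Review bot: The added `installer_log.debug("config: set (%s) to value (%s)", setting, persisted_value)` in oo_config.py writes the value of every persisted setting to the installer log, so any setting that carries a credential or token would end up there in clear text. Logging only the name keeps the trace useful without the value: `installer_log.debug("config: loaded persisted setting (%s)", setting)`. The enclosing method starts and ends outside the hunk, so the set of settings iterated here is not visible and should be checked before keeping the value in the message.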