summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--inventory/byo/hosts.example9
-rw-r--r--openshift-ansible.spec86
-rw-r--r--playbooks/aws/README.md1
-rw-r--r--playbooks/aws/openshift-cluster/build_ami.yml2
-rw-r--r--playbooks/common/openshift-cluster/openshift_default_storage_class.yml2
-rw-r--r--playbooks/common/openshift-master/additional_config.yml2
-rw-r--r--roles/docker/defaults/main.yml1
-rw-r--r--roles/docker/tasks/package_docker.yml1
-rw-r--r--roles/docker/tasks/registry_auth.yml4
-rw-r--r--roles/lib_openshift/library/oc_secret.py2
-rw-r--r--roles/lib_openshift/src/class/oc_secret.py2
-rw-r--r--roles/openshift_default_storage_class/defaults/main.yml6
-rw-r--r--roles/openshift_default_storage_class/tasks/main.yml2
-rw-r--r--roles/openshift_gcp/templates/provision.j2.sh6
-rw-r--r--roles/openshift_gcp/templates/remove.j2.sh26
-rw-r--r--roles/openshift_master/defaults/main.yml6
-rw-r--r--roles/openshift_master/tasks/bootstrap.yml18
-rw-r--r--roles/openshift_master/tasks/clean_systemd_units.yml9
-rw-r--r--roles/openshift_master/tasks/journald.yml8
-rw-r--r--roles/openshift_master/tasks/registry_auth.yml3
-rw-r--r--roles/openshift_master/tasks/systemd_units.yml16
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j25
-rw-r--r--roles/openshift_master_facts/tasks/main.yml1
-rw-r--r--roles/openshift_node/defaults/main.yml4
-rw-r--r--roles/openshift_node/tasks/bootstrap.yml2
-rw-r--r--roles/openshift_node/tasks/registry_auth.yml3
-rwxr-xr-xroles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh2
-rw-r--r--roles/openshift_node_dnsmasq/templates/origin-dns.conf.j24
-rw-r--r--roles/openshift_node_upgrade/tasks/registry_auth.yml3
-rw-r--r--roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml4
-rw-r--r--roles/openshift_provisioners/tasks/generate_secrets.yaml4
-rw-r--r--roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml4
-rw-r--r--roles/openshift_provisioners/tasks/install_efs.yaml8
-rw-r--r--roles/openshift_provisioners/tasks/install_support.yaml17
-rw-r--r--roles/openshift_provisioners/templates/pv.j21
-rw-r--r--roles/openshift_provisioners/templates/pvc.j21
-rw-r--r--roles/template_service_broker/files/openshift-ansible-catalog-console.js2
-rw-r--r--utils/src/ooinstall/oo_config.py6
39 files changed, 191 insertions, 94 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 99fd69afc..3fd8b4d26 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.7.0-0.187.0 ./
+3.7.0-0.189.0 ./
diff --git a/inventory/byo/hosts.example b/inventory/byo/hosts.example
index 75ddf8e10..e49dd5fa2 100644
--- a/inventory/byo/hosts.example
+++ b/inventory/byo/hosts.example
@@ -310,9 +310,6 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_master_cluster_hostname=openshift-ansible.test.example.com
#openshift_master_cluster_public_hostname=openshift-ansible.test.example.com
-# Override the default controller lease ttl
-#osm_controller_lease_ttl=30
-
# Configure controller arguments
#osm_controller_args={'resource-quota-sync-period': ['10s']}
@@ -1044,6 +1041,12 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# openshift_management_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}
#openshift_management_template_parameters: {}
+# Firewall configuration
+# You can open additional firewall ports by defining them as a list. of service
+# names and ports/port ranges for either masters or nodes.
+#openshift_master_open_ports=[{"service":"svc1","port":"11/tcp"}]
+#openshift_node_open_ports=[{"service":"svc2","port":"12-13/tcp"},{"service":"svc3","port":"14/udp"}]
+
# host group for masters
[masters]
ose3-master[1:3]-ansible.test.example.com
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index f1ace9b22..57db94c1f 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
Name: openshift-ansible
Version: 3.7.0
-Release: 0.187.0%{?dist}
+Release: 0.189.0%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
URL: https://github.com/openshift/openshift-ansible
@@ -21,12 +21,12 @@ Requires: ansible >= 2.3
Requires: python2
Requires: python-six
Requires: tar
-Requires: %{name}-docs = %{version}
-Requires: %{name}-playbooks = %{version}
-Requires: %{name}-roles = %{version}
-Requires: %{name}-filter-plugins = %{version}
-Requires: %{name}-lookup-plugins = %{version}
-Requires: %{name}-callback-plugins = %{version}
+Requires: %{name}-docs = %{version}-%{release}
+Requires: %{name}-playbooks = %{version}-%{release}
+Requires: %{name}-roles = %{version}-%{release}
+Requires: %{name}-filter-plugins = %{version}-%{release}
+Requires: %{name}-lookup-plugins = %{version}-%{release}
+Requires: %{name}-callback-plugins = %{version}-%{release}
Requires: java-1.8.0-openjdk-headless
Requires: httpd-tools
Requires: libselinux-python
@@ -139,7 +139,7 @@ popd
# ----------------------------------------------------------------------------------
%package docs
Summary: Openshift and Atomic Enterprise Ansible documents
-Requires: %{name} = %{version}
+Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%description docs
@@ -153,11 +153,11 @@ BuildArch: noarch
# ----------------------------------------------------------------------------------
%package playbooks
Summary: Openshift and Atomic Enterprise Ansible Playbooks
-Requires: %{name} = %{version}
-Requires: %{name}-roles = %{version}
-Requires: %{name}-lookup-plugins = %{version}
-Requires: %{name}-filter-plugins = %{version}
-Requires: %{name}-callback-plugins = %{version}
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-roles = %{version}-%{release}
+Requires: %{name}-lookup-plugins = %{version}-%{release}
+Requires: %{name}-filter-plugins = %{version}-%{release}
+Requires: %{name}-callback-plugins = %{version}-%{release}
BuildArch: noarch
%description playbooks
@@ -197,10 +197,10 @@ end
# openshift-ansible-roles subpackage
# ----------------------------------------------------------------------------------
Summary: Openshift and Atomic Enterprise Ansible roles
-Requires: %{name} = %{version}
-Requires: %{name}-lookup-plugins = %{version}
-Requires: %{name}-filter-plugins = %{version}
-Requires: %{name}-callback-plugins = %{version}
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-lookup-plugins = %{version}-%{release}
+Requires: %{name}-filter-plugins = %{version}-%{release}
+Requires: %{name}-callback-plugins = %{version}-%{release}
BuildArch: noarch
%description roles
@@ -215,7 +215,7 @@ BuildArch: noarch
# ----------------------------------------------------------------------------------
%package filter-plugins
Summary: Openshift and Atomic Enterprise Ansible filter plugins
-Requires: %{name} = %{version}
+Requires: %{name} = %{version}-%{release}
BuildArch: noarch
Requires: pyOpenSSL
@@ -232,7 +232,7 @@ Requires: pyOpenSSL
# ----------------------------------------------------------------------------------
%package lookup-plugins
Summary: Openshift and Atomic Enterprise Ansible lookup plugins
-Requires: %{name} = %{version}
+Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%description lookup-plugins
@@ -248,7 +248,7 @@ BuildArch: noarch
# ----------------------------------------------------------------------------------
%package callback-plugins
Summary: Openshift and Atomic Enterprise Ansible callback plugins
-Requires: %{name} = %{version}
+Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%description callback-plugins
@@ -265,7 +265,7 @@ BuildArch: noarch
%package -n atomic-openshift-utils
Summary: Atomic OpenShift Utilities
BuildRequires: python-setuptools
-Requires: %{name}-playbooks = %{version}
+Requires: %{name}-playbooks = %{version}-%{release}
Requires: python-click
Requires: python-setuptools
Requires: PyYAML
@@ -285,6 +285,50 @@ Atomic OpenShift Utilities includes
%changelog
+* Wed Nov 01 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.189.0
+- Stating that certificate it is required when doing SSL on ELB.
+ (kwoodson@redhat.com)
+- Ensure GCP image build instance gets cleaned up on teardown
+ (ccoleman@redhat.com)
+- Switch from bind-interfaces to bind-dynamic (sdodson@redhat.com)
+- Remove unused osm_controller_lease_ttl (mgugino@redhat.com)
+- Delete images located in a family named {{ prefix }}images
+ (ccoleman@redhat.com)
+- Use global IP to indicate node should pick DNS (ccoleman@redhat.com)
+- Remove project metadata prefixed with the cluster prefix
+ (ccoleman@redhat.com)
+- Use openshift.node.registry_url instead of oreg_url (ccoleman@redhat.com)
+- Allow master node group to wait for stable on GCP (ccoleman@redhat.com)
+- GCP cannot use AWS growpart package (ccoleman@redhat.com)
+- dnsmasq cache-size dns-forward-max change (pcameron@redhat.com)
+- Also require that we match the release (sdodson@redhat.com)
+- Add arbitrary firewall port config to master too (sdodson@redhat.com)
+- remove master.service during the non-ha to ha upgrade (jchaloup@redhat.com)
+- Removing unneeded bootstrap which moved into the product.
+ (kwoodson@redhat.com)
+- Add retry logic to docker auth credentials (mgugino@redhat.com)
+- Retry restarting journald (mgugino@redhat.com)
+- Modify StorageClass name to standard (piqin@redhat.com)
+- Give PV & PVC empty storage class to avoid being assigned default gp2
+ (mawong@redhat.com)
+- Use oc_project to ensure openshift_provisioners_project present
+ (mawong@redhat.com)
+- Fix yaml formatting (mawong@redhat.com)
+- Create default storageclass for cloudprovider openstack (piqin@redhat.com)
+- preserve the oo-install ansible_inventory_path value (rmeggins@redhat.com)
+
+* Tue Oct 31 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.188.0
+- Add dm_thin_pool for gluster use (sdodson@redhat.com)
+- Fix broken oc_secret update function (barlik@gmx.com)
+- add new clusterNetworks fields to new installs (jtanenba@redhat.com)
+- docker: Create openshift_docker_is_node_or_master variable
+ (smilner@redhat.com)
+- Correctly install cockpit (sdodson@redhat.com)
+- Glusterfs storage templates for v1.5 added (chinacoolhacker@gmail.com)
+- bug 1501599. Omit logging project from overcommit restrictions
+ (jcantril@redhat.com)
+- GlusterFS: Remove image option from heketi command (jarrpa@redhat.com)
+
* Mon Oct 30 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.187.0
-
diff --git a/playbooks/aws/README.md b/playbooks/aws/README.md
index 4e5c1017b..417fb539a 100644
--- a/playbooks/aws/README.md
+++ b/playbooks/aws/README.md
@@ -65,6 +65,7 @@ openshift_release: # example: v3.7
openshift_pkg_version: # example: -3.7.0
openshift_aws_ssh_key_name: # example: myuser_key
openshift_aws_base_ami: # example: ami-12345678
+# These are required when doing SSL on the ELBs
openshift_aws_iam_cert_path: # example: '/path/to/wildcard.<clusterid>.example.com.crt'
openshift_aws_iam_cert_key_path: # example: '/path/to/wildcard.<clusterid>.example.com.key'
```
diff --git a/playbooks/aws/openshift-cluster/build_ami.yml b/playbooks/aws/openshift-cluster/build_ami.yml
index 5b4a6a1e8..fae30eb0a 100644
--- a/playbooks/aws/openshift-cluster/build_ami.yml
+++ b/playbooks/aws/openshift-cluster/build_ami.yml
@@ -28,6 +28,8 @@
set_fact:
ansible_ssh_user: "{{ openshift_aws_build_ami_ssh_user | default(ansible_ssh_user) }}"
openshift_node_bootstrap: True
+ openshift_node_image_prep_packages:
+ - cloud-utils-growpart
# This is the part that installs all of the software and configs for the instance
# to become a node.
diff --git a/playbooks/common/openshift-cluster/openshift_default_storage_class.yml b/playbooks/common/openshift-cluster/openshift_default_storage_class.yml
index 4b4f19690..62fe0dd60 100644
--- a/playbooks/common/openshift-cluster/openshift_default_storage_class.yml
+++ b/playbooks/common/openshift-cluster/openshift_default_storage_class.yml
@@ -3,4 +3,4 @@
hosts: oo_first_master
roles:
- role: openshift_default_storage_class
- when: openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')
+ when: openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce' or openshift_cloudprovider_kind == 'openstack')
diff --git a/playbooks/common/openshift-master/additional_config.yml b/playbooks/common/openshift-master/additional_config.yml
index e1472ce38..350557f19 100644
--- a/playbooks/common/openshift-master/additional_config.yml
+++ b/playbooks/common/openshift-master/additional_config.yml
@@ -28,7 +28,7 @@
when: openshift_use_manageiq | default(true) | bool
- role: cockpit
when:
- - openshift.common.is_atomic
+ - not openshift.common.is_atomic | bool
- deployment_type == 'openshift-enterprise'
- osm_use_cockpit is undefined or osm_use_cockpit | bool
- openshift.common.deployment_subtype != 'registry'
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index fe938e52b..f6f2bd77e 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -20,6 +20,7 @@ l2_docker_additional_registries: "{% if openshift_docker_additional_registries i
l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
+openshift_docker_use_etc_containers: False
containers_registries_conf_path: /etc/containers/registries.conf
r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index b16413f72..c1aedf879 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -81,6 +81,7 @@
template:
dest: "{{ containers_registries_conf_path }}"
src: registries.conf
+ when: openshift_docker_use_etc_containers | bool
notify:
- restart docker
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
index 65ed60efa..d05b7f2b8 100644
--- a/roles/docker/tasks/registry_auth.yml
+++ b/roles/docker/tasks/registry_auth.yml
@@ -7,6 +7,10 @@
- name: Create credentials for docker cli registry auth
command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+ register: openshift_docker_credentials_create_res
+ retries: 3
+ delay: 5
+ until: openshift_docker_credentials_create_res.rc == 0
when:
- oreg_auth_user is defined
- (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py
index 0614f359d..62bda33ad 100644
--- a/roles/lib_openshift/library/oc_secret.py
+++ b/roles/lib_openshift/library/oc_secret.py
@@ -1633,7 +1633,7 @@ class OCSecret(OpenShiftCLI):
This receives a list of file names and converts it into a secret.
The secret is then written to disk and passed into the `oc replace` command.
'''
- secret = self.prep_secret(files, force)
+ secret = self.prep_secret(files, force=force)
if secret['returncode'] != 0:
return secret
diff --git a/roles/lib_openshift/src/class/oc_secret.py b/roles/lib_openshift/src/class/oc_secret.py
index 5322d6241..89e70b6b2 100644
--- a/roles/lib_openshift/src/class/oc_secret.py
+++ b/roles/lib_openshift/src/class/oc_secret.py
@@ -67,7 +67,7 @@ class OCSecret(OpenShiftCLI):
This receives a list of file names and converts it into a secret.
The secret is then written to disk and passed into the `oc replace` command.
'''
- secret = self.prep_secret(files, force)
+ secret = self.prep_secret(files, force=force)
if secret['returncode'] != 0:
return secret
diff --git a/roles/openshift_default_storage_class/defaults/main.yml b/roles/openshift_default_storage_class/defaults/main.yml
index bdece7640..014c06641 100644
--- a/roles/openshift_default_storage_class/defaults/main.yml
+++ b/roles/openshift_default_storage_class/defaults/main.yml
@@ -13,6 +13,12 @@ openshift_storageclass_defaults:
parameters:
type: pd-standard
+ openstack:
+ name: standard
+ provisioner: cinder
+ parameters:
+ fstype: xfs
+
openshift_storageclass_default: "true"
openshift_storageclass_name: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['name'] }}"
openshift_storageclass_provisioner: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['provisioner'] }}"
diff --git a/roles/openshift_default_storage_class/tasks/main.yml b/roles/openshift_default_storage_class/tasks/main.yml
index 172e2ac25..281ec8ed5 100644
--- a/roles/openshift_default_storage_class/tasks/main.yml
+++ b/roles/openshift_default_storage_class/tasks/main.yml
@@ -1,5 +1,5 @@
---
-# Install default storage classes in GCE & AWS
+# Install default storage classes in GCE & AWS & OPENSTACK
- name: Ensure storageclass object
oc_storageclass:
name: "{{ openshift_storageclass_name }}"
diff --git a/roles/openshift_gcp/templates/provision.j2.sh b/roles/openshift_gcp/templates/provision.j2.sh
index 5ed6d9f84..4d150bc74 100644
--- a/roles/openshift_gcp/templates/provision.j2.sh
+++ b/roles/openshift_gcp/templates/provision.j2.sh
@@ -313,11 +313,11 @@ fi
# wait until all node groups are stable
{% for node_group in openshift_gcp_node_group_config %}
-{% if node_group.bootstrap | default(False) %}
-# not waiting for {{ node_group.name }} due to bootstrapping
-{% else %}
+{% if node_group.wait_for_stable | default(False) or not (node_group.bootstrap | default(False)) %}
# wait for stable {{ node_group.name }}
( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed wait-until-stable "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --timeout=600 ) &
+{% else %}
+# not waiting for {{ node_group.name }} due to bootstrapping
{% endif %}
{% endfor %}
diff --git a/roles/openshift_gcp/templates/remove.j2.sh b/roles/openshift_gcp/templates/remove.j2.sh
index a1e0affec..c9213b800 100644
--- a/roles/openshift_gcp/templates/remove.j2.sh
+++ b/roles/openshift_gcp/templates/remove.j2.sh
@@ -37,7 +37,7 @@ function teardown() {
# scale down {{ node_group.name }}
(
# performs a delete and scale down as one operation to ensure maximum parallelism
- if ! instances=$( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed list-instances "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --format='value[terminator=","](instance)' ); then
+ if ! instances=$( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed list-instances "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --format='value[terminator=","](instance)' 2>/dev/null ); then
exit 0
fi
instances="${instances%?}"
@@ -59,6 +59,21 @@ if gsutil ls -p "{{ openshift_gcp_project }}" "gs://{{ openshift_gcp_registry_bu
fi
) &
+# Project metadata prefixed with {{ openshift_gcp_prefix }}
+(
+ for key in $( gcloud --project "{{ openshift_gcp_project }}" compute project-info describe --flatten=commonInstanceMetadata.items[] '--format=value(commonInstanceMetadata.items.key)' ); do
+ if [[ "${key}" == "{{ openshift_gcp_prefix }}"* ]]; then
+ gcloud --project "{{ openshift_gcp_project }}" compute project-info remove-metadata "--keys=${key}"
+ fi
+ done
+) &
+
+# Instances and disks used for image building
+(
+ teardown "{{ openshift_gcp_prefix }}build-image-instance" compute instances --zone "{{ openshift_gcp_zone }}"
+ teardown "{{ openshift_gcp_prefix }}build-image-instance" compute disks --zone "{{ openshift_gcp_zone }}"
+) &
+
# DNS
(
dns_zone="{{ dns_managed_zone | default(openshift_gcp_prefix + 'managed-zone') }}"
@@ -152,5 +167,12 @@ for i in `jobs -p`; do wait $i; done
for i in `jobs -p`; do wait $i; done
+# Images specifically located under this cluster prefix family
+for name in $( gcloud --project "{{ openshift_gcp_project }}" compute images list "--filter=family={{ openshift_gcp_prefix }}images" '--format=value(name)' ); do
+ ( gcloud --project "{{ openshift_gcp_project }}" compute images delete "${name}" ) &
+done
+
# Network
-teardown "{{ openshift_gcp_network_name }}" compute networks
+( teardown "{{ openshift_gcp_network_name }}" compute networks ) &
+
+for i in `jobs -p`; do wait $i; done \ No newline at end of file
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 3da861d03..dafafda08 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -12,7 +12,7 @@ r_openshift_master_clean_install: false
r_openshift_master_etcd3_storage: false
r_openshift_master_os_firewall_enable: true
r_openshift_master_os_firewall_deny: []
-r_openshift_master_os_firewall_allow:
+default_r_openshift_master_os_firewall_allow:
- service: api server https
port: "{{ openshift.master.api_port }}/tcp"
- service: api controllers https
@@ -24,6 +24,8 @@ r_openshift_master_os_firewall_allow:
- service: etcd embedded
port: 4001/tcp
cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
+r_openshift_master_os_firewall_allow: "{{ default_r_openshift_master_os_firewall_allow | union(openshift_master_open_ports | default([])) }}"
+
# oreg_url is defined by user input
oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
@@ -71,7 +73,7 @@ openshift_master_bootstrap_enabled: False
openshift_master_client_binary: "{{ openshift.common.client_binary if openshift is defined else 'oc' }}"
-openshift_master_config_imageconfig_format: "{{ oreg_url if oreg_url != '' else 'registry.access.redhat.com/openshift3/ose-${component}:${version}' }}"
+openshift_master_config_imageconfig_format: "{{ openshift.node.registry_url }}"
# these are for the default settings in a generated node-config.yaml
openshift_master_node_config_default_edits:
diff --git a/roles/openshift_master/tasks/bootstrap.yml b/roles/openshift_master/tasks/bootstrap.yml
index eee89743c..1c30c1dea 100644
--- a/roles/openshift_master/tasks/bootstrap.yml
+++ b/roles/openshift_master/tasks/bootstrap.yml
@@ -1,21 +1,4 @@
---
-
-- name: ensure the node-bootstrap service account exists
- oc_serviceaccount:
- name: node-bootstrapper
- namespace: openshift-infra
- state: present
- run_once: true
-
-- name: grant node-bootstrapper the correct permissions to bootstrap
- oc_adm_policy_user:
- namespace: openshift-infra
- user: system:serviceaccount:openshift-infra:node-bootstrapper
- resource_kind: cluster-role
- resource_name: system:node-bootstrapper
- state: present
- run_once: true
-
# TODO: create a module for this command.
# oc_serviceaccounts_kubeconfig
- name: create service account kubeconfig with csr rights
@@ -42,6 +25,7 @@
--node-dir={{ mktempout.stdout }}/
--node=CONFIGMAP
--hostnames=test
+ --dns-ip=0.0.0.0
--certificate-authority={{ openshift_master_config_dir }}/ca.crt
--signer-cert={{ openshift_master_config_dir }}/ca.crt
--signer-key={{ openshift_master_config_dir }}/ca.key
diff --git a/roles/openshift_master/tasks/clean_systemd_units.yml b/roles/openshift_master/tasks/clean_systemd_units.yml
deleted file mode 100644
index e641f84d4..000000000
--- a/roles/openshift_master/tasks/clean_systemd_units.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-
-- name: Disable master service
- systemd:
- name: "{{ openshift.common.service_type }}-master"
- state: stopped
- enabled: no
- masked: yes
- ignore_errors: true
diff --git a/roles/openshift_master/tasks/journald.yml b/roles/openshift_master/tasks/journald.yml
index e2edd5ef4..a16cbe78e 100644
--- a/roles/openshift_master/tasks/journald.yml
+++ b/roles/openshift_master/tasks/journald.yml
@@ -21,7 +21,9 @@
# I need to restart journald immediatelly, otherwise it gets into way during
# further steps in ansible
- name: Restart journald
- systemd:
- name: systemd-journald
- state: restarted
+ command: "systemctl restart systemd-journald"
+ retries: 3
+ delay: 5
+ register: result
+ until: result.rc == 0
when: journald_update | changed
diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml
index 63d483760..cde01c49e 100644
--- a/roles/openshift_master/tasks/registry_auth.yml
+++ b/roles/openshift_master/tasks/registry_auth.yml
@@ -11,6 +11,9 @@
- oreg_auth_user is defined
- (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
register: master_oreg_auth_credentials_create
+ retries: 3
+ delay: 5
+ until: master_oreg_auth_credentials_create.rc == 0
notify:
- restart master api
- restart master controllers
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index fcc66044b..5751723ab 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -14,8 +14,22 @@
- include: registry_auth.yml
+- name: Disable the legacy master service if it exists
+ systemd:
+ name: "{{ openshift.common.service_type }}-master"
+ state: stopped
+ enabled: no
+ masked: yes
+ ignore_errors: true
+
- name: Remove the legacy master service if it exists
- include: clean_systemd_units.yml
+ file:
+ path: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service"
+ state: absent
+ ignore_errors: true
+ when:
+ - openshift.master.cluster_method == "native"
+ - not openshift.common.is_master_system_container | bool
# This is the image used for both HA and non-HA clusters:
- name: Pre-pull master image
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index a1a0bfaa9..c83fc9fbb 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -58,11 +58,12 @@ controllerConfig:
{% endif %}
controllers: '*'
corsAllowedOrigins:
+ # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname
{% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %}
- - {{ origin }}
+ - (?i)\A{{ origin | regex_escape() }}\z
{% endfor %}
{% for custom_origin in openshift.master.custom_cors_origins | default("") %}
- - {{ custom_origin }}
+ - (?i)\A{{ custom_origin | regex_escape() }}\z
{% endfor %}
{% if 'disabled_features' in openshift.master %}
disabledFeatures: {{ openshift.master.disabled_features | to_json }}
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index 501be148e..cf0be3bef 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -88,7 +88,6 @@
controller_args: "{{ osm_controller_args | default(None) }}"
disabled_features: "{{ osm_disabled_features | default(None) }}"
master_count: "{{ openshift_master_count | default(None) }}"
- controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}"
master_image: "{{ osm_image | default(None) }}"
admission_plugin_config: "{{openshift_master_admission_plugin_config }}"
kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index b9f16dfd4..37f48e724 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -9,7 +9,7 @@ openshift_service_type: "{{ 'origin' if openshift_deployment_type == 'origin' el
openshift_image_tag: ''
-openshift_node_ami_prep_packages:
+default_r_openshift_node_image_prep_packages:
- "{{ openshift_service_type }}-master"
- "{{ openshift_service_type }}-node"
- "{{ openshift_service_type }}-docker-excluder"
@@ -33,7 +33,6 @@ openshift_node_ami_prep_packages:
- python-dbus
- PyYAML
- yum-utils
-- cloud-utils-growpart
# gluster
- glusterfs-fuse
# nfs
@@ -54,6 +53,7 @@ openshift_node_ami_prep_packages:
# - container-selinux
# - atomic
#
+r_openshift_node_image_prep_packages: "{{ default_r_openshift_node_image_prep_packages | union(openshift_node_image_prep_packages | default([])) }}"
openshift_node_bootstrap: False
diff --git a/roles/openshift_node/tasks/bootstrap.yml b/roles/openshift_node/tasks/bootstrap.yml
index 2deb005da..cf22181a8 100644
--- a/roles/openshift_node/tasks/bootstrap.yml
+++ b/roles/openshift_node/tasks/bootstrap.yml
@@ -3,7 +3,7 @@
package:
name: "{{ item }}"
state: present
- with_items: "{{ openshift_node_ami_prep_packages }}"
+ with_items: "{{ r_openshift_node_image_prep_packages }}"
- name: create the directory for node
file:
diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml
index de396fb4b..5e5e4f94a 100644
--- a/roles/openshift_node/tasks/registry_auth.yml
+++ b/roles/openshift_node/tasks/registry_auth.yml
@@ -11,6 +11,9 @@
- oreg_auth_user is defined
- (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
register: node_oreg_auth_credentials_create
+ retries: 3
+ delay: 5
+ until: node_oreg_auth_credentials_create.rc == 0
notify:
- restart node
diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
index 230f0a28c..f4e48b5b7 100755
--- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
+++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
@@ -54,6 +54,8 @@ domain-needed
server=/cluster.local/172.30.0.1
server=/30.172.in-addr.arpa/172.30.0.1
enable-dbus
+dns-forward-max=5000
+cache-size=5000
EOF
# New config file, must restart
NEEDS_RESTART=1
diff --git a/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 b/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2
index 5c9601277..6543c7c3e 100644
--- a/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2
+++ b/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2
@@ -3,7 +3,9 @@ domain-needed
no-negcache
max-cache-ttl=1
enable-dbus
-bind-interfaces
+dns-forward-max=5000
+cache-size=5000
+bind-dynamic
{% for interface in openshift_node_dnsmasq_except_interfaces %}
except-interface={{ interface }}
{% endfor %}
diff --git a/roles/openshift_node_upgrade/tasks/registry_auth.yml b/roles/openshift_node_upgrade/tasks/registry_auth.yml
index de396fb4b..5e5e4f94a 100644
--- a/roles/openshift_node_upgrade/tasks/registry_auth.yml
+++ b/roles/openshift_node_upgrade/tasks/registry_auth.yml
@@ -11,6 +11,9 @@
- oreg_auth_user is defined
- (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
register: node_oreg_auth_credentials_create
+ retries: 3
+ delay: 5
+ until: node_oreg_auth_credentials_create.rc == 0
notify:
- restart node
diff --git a/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml b/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml
index ac21a5e37..1e6aafd00 100644
--- a/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml
+++ b/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml
@@ -1,6 +1,8 @@
---
- name: Generate ClusterRoleBindings
- template: src=clusterrolebinding.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-clusterrolebinding.yaml
+ template:
+ src: clusterrolebinding.j2
+ dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-clusterrolebinding.yaml"
vars:
acct_name: provisioners-{{item}}
obj_name: run-provisioners-{{item}}
diff --git a/roles/openshift_provisioners/tasks/generate_secrets.yaml b/roles/openshift_provisioners/tasks/generate_secrets.yaml
index e6cbb1bbf..fe5ff9f18 100644
--- a/roles/openshift_provisioners/tasks/generate_secrets.yaml
+++ b/roles/openshift_provisioners/tasks/generate_secrets.yaml
@@ -1,6 +1,8 @@
---
- name: Generate secret for efs
- template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-secret.yaml
+ template:
+ src: secret.j2
+ dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-secret.yaml"
vars:
name: efs
obj_name: "provisioners-efs"
diff --git a/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml b/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml
index 4fe0583ee..000f19994 100644
--- a/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml
+++ b/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml
@@ -1,6 +1,8 @@
---
- name: Generating serviceaccounts
- template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-sa.yaml
+ template:
+ src: serviceaccount.j2
+ dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-sa.yaml"
vars:
obj_name: provisioners-{{item}}
labels:
diff --git a/roles/openshift_provisioners/tasks/install_efs.yaml b/roles/openshift_provisioners/tasks/install_efs.yaml
index 4a6e00513..6e8792446 100644
--- a/roles/openshift_provisioners/tasks/install_efs.yaml
+++ b/roles/openshift_provisioners/tasks/install_efs.yaml
@@ -9,7 +9,9 @@
changed_when: no
- name: Generate efs PersistentVolumeClaim
- template: src=pvc.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-pvc.yaml
+ template:
+ src: pvc.j2
+ dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-pvc.yaml"
vars:
obj_name: "provisioners-efs"
size: "1Mi"
@@ -21,7 +23,9 @@
changed_when: no
- name: Generate efs PersistentVolume
- template: src=pv.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-pv.yaml
+ template:
+ src: pv.j2
+ dest: "{{ mktemp.stdout }}/templates/{{ obj_name }}-pv.yaml"
vars:
obj_name: "provisioners-efs"
size: "1Mi"
diff --git a/roles/openshift_provisioners/tasks/install_support.yaml b/roles/openshift_provisioners/tasks/install_support.yaml
index ba472f1c9..d6db81ab9 100644
--- a/roles/openshift_provisioners/tasks/install_support.yaml
+++ b/roles/openshift_provisioners/tasks/install_support.yaml
@@ -1,16 +1,9 @@
---
-- name: Check for provisioners project already exists
- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get project {{openshift_provisioners_project}} --no-headers
- register: provisioners_project_result
- ignore_errors: yes
- when: not ansible_check_mode
- changed_when: no
-
-- name: Create provisioners project
- command: >
- {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig new-project {{openshift_provisioners_project}}
- when: not ansible_check_mode and "not found" in provisioners_project_result.stderr
+- name: Set provisioners project
+ oc_project:
+ state: present
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ name: "{{ openshift_provisioners_project }}"
- name: Create temp directory for all our templates
file: path={{mktemp.stdout}}/templates state=directory mode=0755
diff --git a/roles/openshift_provisioners/templates/pv.j2 b/roles/openshift_provisioners/templates/pv.j2
index f4128f9f0..f81b1617a 100644
--- a/roles/openshift_provisioners/templates/pv.j2
+++ b/roles/openshift_provisioners/templates/pv.j2
@@ -30,3 +30,4 @@ spec:
name: {{claim_name}}
namespace: {{openshift_provisioners_project}}
{% endif %}
+ storageClassName: ""
diff --git a/roles/openshift_provisioners/templates/pvc.j2 b/roles/openshift_provisioners/templates/pvc.j2
index 83d503056..0dd8772eb 100644
--- a/roles/openshift_provisioners/templates/pvc.j2
+++ b/roles/openshift_provisioners/templates/pvc.j2
@@ -23,4 +23,5 @@ spec:
resources:
requests:
storage: {{size}}
+ storageClassName: ""
diff --git a/roles/template_service_broker/files/openshift-ansible-catalog-console.js b/roles/template_service_broker/files/openshift-ansible-catalog-console.js
index b3a3d3428..622afb6bd 100644
--- a/roles/template_service_broker/files/openshift-ansible-catalog-console.js
+++ b/roles/template_service_broker/files/openshift-ansible-catalog-console.js
@@ -1 +1 @@
-window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.template_service_broker = true;
+window.OPENSHIFT_CONSTANTS.TEMPLATE_SERVICE_BROKER_ENABLED = true;
diff --git a/utils/src/ooinstall/oo_config.py b/utils/src/ooinstall/oo_config.py
index c3501c018..9ecd63a80 100644
--- a/utils/src/ooinstall/oo_config.py
+++ b/utils/src/ooinstall/oo_config.py
@@ -220,6 +220,7 @@ class OOConfig(object):
persisted_value = loaded_config.get(setting)
if persisted_value is not None:
self.settings[setting] = str(persisted_value)
+ installer_log.debug("config: set (%s) to value (%s)", setting, persisted_value)
# We've loaded any persisted configs, let's verify any
# paths which are required for a correct and complete
@@ -344,8 +345,9 @@ class OOConfig(object):
if 'ansible_ssh_user' not in self.settings:
self.settings['ansible_ssh_user'] = ''
- self.settings['ansible_inventory_path'] = \
- '{}/hosts'.format(os.path.dirname(self.config_path))
+ if 'ansible_inventory_path' not in self.settings:
+ self.settings['ansible_inventory_path'] = \
+ '{}/hosts'.format(os.path.dirname(self.config_path))
# clean up any empty sets
empty_keys = []