summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--filter_plugins/oo_filters.py32
-rw-r--r--inventory/byo/hosts.origin.example43
-rw-r--r--inventory/byo/hosts.ose.example43
-rw-r--r--openshift-ansible.spec92
-rw-r--r--playbooks/common/openshift-loadbalancer/config.yml11
-rw-r--r--roles/cockpit-ui/tasks/main.yml14
-rw-r--r--roles/nuage_common/defaults/main.yaml3
-rw-r--r--roles/nuage_master/meta/main.yml12
-rw-r--r--roles/nuage_master/templates/nuage-openshift-monitor.j29
-rw-r--r--roles/nuage_master/vars/main.yaml1
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py8
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml1
-rw-r--r--roles/openshift_loadbalancer/README.md51
-rw-r--r--roles/openshift_loadbalancer/meta/main.yml4
-rw-r--r--roles/openshift_loadbalancer/tasks/main.yml4
-rw-r--r--roles/openshift_loadbalancer/templates/haproxy.cfg.j28
-rw-r--r--roles/openshift_loadbalancer_facts/README.md34
-rw-r--r--roles/openshift_loadbalancer_facts/meta/main.yml13
-rw-r--r--roles/openshift_loadbalancer_facts/tasks/main.yml30
20 files changed, 293 insertions, 122 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index eb4b07935..c913ecda8 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.4.2-1 ./
+3.4.3-1 ./
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index 39e6b0a0b..5358a244e 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -7,6 +7,7 @@ Custom filters for use in openshift-ansible
from ansible import errors
from collections import Mapping
+from distutils.util import strtobool
from distutils.version import LooseVersion
from operator import itemgetter
import OpenSSL.crypto
@@ -858,6 +859,35 @@ class FilterModule(object):
# netloc wasn't parsed, assume url was missing scheme and path
return parse_result.path
+ @staticmethod
+ def oo_openshift_loadbalancer_frontends(api_port, servers_hostvars, use_nuage=False, nuage_rest_port=None):
+ loadbalancer_frontends = [{'name': 'atomic-openshift-api',
+ 'mode': 'tcp',
+ 'options': ['tcplog'],
+ 'binds': ["*:{0}".format(api_port)],
+ 'default_backend': 'atomic-openshift-api'}]
+ if bool(strtobool(str(use_nuage))) and nuage_rest_port is not None:
+ loadbalancer_frontends.append({'name': 'nuage-monitor',
+ 'mode': 'tcp',
+ 'options': ['tcplog'],
+ 'binds': ["*:{0}".format(nuage_rest_port)],
+ 'default_backend': 'nuage-monitor'})
+ return loadbalancer_frontends
+
+ @staticmethod
+ def oo_openshift_loadbalancer_backends(api_port, servers_hostvars, use_nuage=False, nuage_rest_port=None):
+ loadbalancer_backends = [{'name': 'atomic-openshift-api',
+ 'mode': 'tcp',
+ 'option': 'tcplog',
+ 'balance': 'source',
+ 'servers': FilterModule.oo_haproxy_backend_masters(servers_hostvars, api_port)}]
+ if bool(strtobool(str(use_nuage))) and nuage_rest_port is not None:
+ loadbalancer_backends.append({'name': 'nuage-monitor',
+ 'mode': 'tcp',
+ 'option': 'tcplog',
+ 'balance': 'source',
+ 'servers': FilterModule.oo_haproxy_backend_masters(servers_hostvars, nuage_rest_port)})
+ return loadbalancer_backends
def filters(self):
""" returns a mapping of filters to methods """
@@ -891,4 +921,6 @@ class FilterModule(object):
"oo_merge_dicts": self.oo_merge_dicts,
"oo_hostname_from_url": self.oo_hostname_from_url,
"oo_merge_hostvars": self.oo_merge_hostvars,
+ "oo_openshift_loadbalancer_frontends": self.oo_openshift_loadbalancer_frontends,
+ "oo_openshift_loadbalancer_backends": self.oo_openshift_loadbalancer_backends
}
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 7febefe95..0513a70fd 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -109,17 +109,46 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
# LDAP auth
-#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
-# Configuring the ldap ca certificate
+#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+#
+# Configure LDAP CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "ca" key set
+# within the LDAPPasswordIdentityProvider.
+#
#openshift_master_ldap_ca=<ca text>
# or
#openshift_master_ldap_ca_file=<path to local ca file to use>
-# Available variables for configuring certificates for other identity providers:
-#openshift_master_openid_ca
-#openshift_master_openid_ca_file
-#openshift_master_request_header_ca
-#openshift_master_request_header_ca_file
+# OpenID auth
+#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}]
+#
+# Configure OpenID CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "ca" key set
+# within the OpenIDIdentityProvider.
+#
+#openshift_master_openid_ca=<ca text>
+# or
+#openshift_master_openid_ca_file=<path to local ca file to use>
+
+# Request header auth
+#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}]
+#
+# Configure request header CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "clientCA"
+# key set within the RequestHeaderIdentityProvider.
+#
+#openshift_master_request_header_ca=<ca text>
+# or
+#openshift_master_request_header_ca_file=<path to local ca file to use>
# Cloud Provider Configuration
#
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 2645d4510..8515a4c55 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -109,17 +109,46 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
# LDAP auth
-#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
-# Configuring the ldap ca certificate
+#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+#
+# Configure LDAP CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "ca" key set
+# within the LDAPPasswordIdentityProvider.
+#
#openshift_master_ldap_ca=<ca text>
# or
#openshift_master_ldap_ca_file=<path to local ca file to use>
-# Available variables for configuring certificates for other identity providers:
-#openshift_master_openid_ca
-#openshift_master_openid_ca_file
-#openshift_master_request_header_ca
-#openshift_master_request_header_ca_file
+# OpenID auth
+#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}]
+#
+# Configure OpenID CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "ca" key set
+# within the OpenIDIdentityProvider.
+#
+#openshift_master_openid_ca=<ca text>
+# or
+#openshift_master_openid_ca_file=<path to local ca file to use>
+
+# Request header auth
+#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}]
+#
+# Configure request header CA certificate
+# Specify either the ASCII contents of the certificate or the path to
+# the local file that will be copied to the remote host. CA
+# certificate contents will be copied to master systems and saved
+# within /etc/origin/master/ with a filename matching the "clientCA"
+# key set within the RequestHeaderIdentityProvider.
+#
+#openshift_master_request_header_ca=<ca text>
+# or
+#openshift_master_request_header_ca_file=<path to local ca file to use>
# Cloud Provider Configuration
#
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index d31447d7a..a8f03d17d 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -5,7 +5,7 @@
}
Name: openshift-ansible
-Version: 3.4.2
+Version: 3.4.3
Release: 1%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
@@ -249,6 +249,96 @@ Atomic OpenShift Utilities includes
%changelog
+* Tue Oct 04 2016 Scott Dodson <sdodson@redhat.com> 3.4.3-1
+- Check if openshift_master_ingress_ip_network_cidr is defined
+ (Mathias.Merscher@dg-i.net)
+- allow networkConfig.ingressIPNetworkCIDRs to be configured
+ (Mathias.Merscher@dg-i.net)
+- Filterize haproxy frontends/backends and add method for providing additional
+ frontends/backends. (abutcher@redhat.com)
+- a-o-i: Force option should allow reinstall (smunilla@redhat.com)
+- a-o-i: Fix openshift_node_labels (smunilla@redhat.com)
+- Enable registry support for image pruning (andrew@andrewklau.com)
+- Default openshift_hosted_{logging,metrics}_deploy to false.
+ (abutcher@redhat.com)
+- README_CONTAINERIZED_INSTALLATION: fixed link markdown
+ (jakub.kramarz@freshmail.pl)
+- README_AWS: makes links consistent and working again
+ (jakub.kramarz@freshmail.pl)
+- a-o-i: Allow better setting of host level variables (smunilla@redhat.com)
+- Further secure registry improvements (abutcher@redhat.com)
+- Delgate handlers to first master (smunilla@redhat.com)
+- Secure registry improvements. (abutcher@redhat.com)
+- Install Registry by Default (smunilla@redhat.com)
+- Update play names for consistency. (abutcher@redhat.com)
+- Addressed review comments (vishal.patil@nuagenetworks.net)
+- Configure ops cluster storage to match normal cluster storage
+ (sdodson@redhat.com)
+- Fix bug with service signer cert on upgrade. (dgoodwin@redhat.com)
+- Add messages to let the user know if some plays were skipped, but it's ok.
+ Also, remove the final 'press a key to continue' prompt.
+ (tbielawa@redhat.com)
+- Set named certificate destinations as basenames of provided paths.
+ (abutcher@redhat.com)
+- 'fix' unittests by removing the users ability to specify an ansible config
+ (tbielawa@redhat.com)
+- Copy and paste more methods (tbielawa@redhat.com)
+- Silence/dot-print more actions in the callback (tbielawa@redhat.com)
+- Fix conflicts in spec file (tbielawa@redhat.com)
+- Use pre_upgrade tag instread of a dry run variable. (dgoodwin@redhat.com)
+- Move etcd backup from pre-upgrade to upgrade itself. (dgoodwin@redhat.com)
+- Allow a couple retries when unscheduling/rescheduling nodes in upgrade.
+ (dgoodwin@redhat.com)
+- Skip the docker role in early upgrade stages. (dgoodwin@redhat.com)
+- Allow filtering nodes to upgrade by label. (dgoodwin@redhat.com)
+- Allow customizing node upgrade serial value. (dgoodwin@redhat.com)
+- Split upgrade for control plane/nodes. (dgoodwin@redhat.com)
+- Set the DomainName or DomainID in the OpenStack cloud provider
+ (lhuard@amadeus.com)
+- Use ansible.module_utils._text.to_text instead of
+ ansible.utils.unicode.to_unicode. (abutcher@redhat.com)
+- Suppress more warnings. (abutcher@redhat.com)
+- Add gitHTTPProxy and gitHTTPSProxy to advanced config json option
+ (sdodson@redhat.com)
+- Don't set IMAGE_PREFIX if openshift_cockpit_deployer_prefix is empty
+ (Robert.Bohne@ConSol.de)
+- Update spec file to install manpage (tbielawa@redhat.com)
+- Verify masters are upgraded before proceeding with node only upgrade.
+ (dgoodwin@redhat.com)
+- Attempt to tease apart pre upgrade for masters/nodes. (dgoodwin@redhat.com)
+- Split upgrade entry points into control plane/node. (dgoodwin@redhat.com)
+- Reunite upgrade reconciliation gating with the play it gates on.
+ (dgoodwin@redhat.com)
+- Drop atomic-enterprise as a valid deployment type in upgrade.
+ (dgoodwin@redhat.com)
+- Stop guarding against pacemaker in upgrade, no longer necessary.
+ (dgoodwin@redhat.com)
+- Support openshift_upgrade_dry_run=true for pre-upgrade checks only.
+ (dgoodwin@redhat.com)
+- Make rhel_subscribe role default to OpenShift Container Platform 3.3
+ (lhuard@amadeus.com)
+- Addresses most comments from @adellape (tbielawa@redhat.com)
+- Changes for Nuage HA (vishal.patil@nuagenetworks.net)
+- Fix deployer template for enterprise (sdodson@redhat.com)
+- Add a manpage for atomic-openshift-installer (tbielawa@redhat.com)
+- Remove the DNS VM on OpenStack (lhuard@amadeus.com)
+- tweak logic (jdetiber@redhat.com)
+- test fix for systemd changes (sdodson@redhat.com)
+- Set default_subdomain properly for logging (sdodson@redhat.com)
+- Adjust wait for loops (sdodson@redhat.com)
+- Add storage for logging (sdodson@redhat.com)
+- Fix some bugs in OpenShift Hosted Logging role (contact@stephane-klein.info)
+- Add some sample inventory stuff, will update this later (sdodson@redhat.com)
+- Label all nodes for fluentd (sdodson@redhat.com)
+- Rename openshift_hosted_logging_image_{prefix,version} to match metrics
+ (sdodson@redhat.com)
+- Fix deployer template for enterprise (sdodson@redhat.com)
+- Add logging to install playbooks (sdodson@redhat.com)
+- Fix OpenStack cloud provider (lhuard@amadeus.com)
+- Add rhaos-3.4-rhel-7 releaser to tito (sdodson@redhat.com)
+- Fix the nodeName of the OpenShift nodes on OpenStack (lhuard@amadeus.com)
+- Fix GCE Launch (brad@nolab.org)
+
* Mon Sep 26 2016 Scott Dodson <sdodson@redhat.com> 3.4.2-1
- Add an issue template (sdodson@redhat.com)
- Add openshift_hosted_router_name (andrew@andrewklau.com)
diff --git a/playbooks/common/openshift-loadbalancer/config.yml b/playbooks/common/openshift-loadbalancer/config.yml
index f4392173a..c414913bf 100644
--- a/playbooks/common/openshift-loadbalancer/config.yml
+++ b/playbooks/common/openshift-loadbalancer/config.yml
@@ -1,5 +1,16 @@
---
- name: Configure load balancers
hosts: oo_lb_to_config
+ vars:
+ openshift_loadbalancer_frontends: "{{ (openshift_master_api_port | default(8443)
+ | oo_openshift_loadbalancer_frontends(hostvars | oo_select_keys(groups['oo_masters']),
+ openshift_use_nuage | default(false),
+ nuage_mon_rest_server_port | default(none)))
+ + openshift_loadbalancer_additional_frontends | default([]) }}"
+ openshift_loadbalancer_backends: "{{ (openshift_master_api_port | default(8443)
+ | oo_openshift_loadbalancer_backends(hostvars | oo_select_keys(groups['oo_masters']),
+ openshift_use_nuage | default(false),
+ nuage_mon_rest_server_port | default(none)))
+ + openshift_loadbalancer_additional_backends | default([]) }}"
roles:
- role: openshift_loadbalancer
diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml
index c573da6d6..87ed7fee7 100644
--- a/roles/cockpit-ui/tasks/main.yml
+++ b/roles/cockpit-ui/tasks/main.yml
@@ -12,6 +12,15 @@
cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
changed_when: False
+- name: Determine if docker-registry service exists
+ command: >
+ {{ openshift.common.client_binary }} get svc/docker-registry
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: check_docker_registry_exists
+ failed_when: false
+ changed_when: false
+
- name: Create passthrough route for docker-registry
command: >
{{ openshift.common.client_binary }} create route passthrough
@@ -21,6 +30,7 @@
register: create_docker_registry_route
changed_when: "'already exists' not in create_docker_registry_route.stderr"
failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
+ when: check_docker_registry_exists.rc == 0
- name: Create passthrough route for registry-console
command: >
@@ -32,6 +42,7 @@
register: create_registry_console_route
changed_when: "'already exists' not in create_registry_console_route.stderr"
failed_when: "'already exists' not in create_registry_console_route.stderr and create_registry_console_route.rc != 0"
+ when: check_docker_registry_exists.rc == 0
- name: Retrieve docker-registry route
command: >
@@ -41,6 +52,7 @@
-n default
register: docker_registry_route
changed_when: false
+ when: check_docker_registry_exists.rc == 0
- name: Retrieve cockpit kube url
command: >
@@ -49,6 +61,7 @@
-n default
register: registry_console_cockpit_kube_url
changed_when: false
+ when: check_docker_registry_exists.rc == 0
- name: Deploy registry-console
command: >
@@ -62,6 +75,7 @@
register: deploy_registry_console
changed_when: "'already exists' not in deploy_registry_console.stderr"
failed_when: "'already exists' not in deploy_registry_console.stderr and deploy_registry_console.rc != 0"
+ when: check_docker_registry_exists.rc == 0
- name: Delete temp directory
file:
diff --git a/roles/nuage_common/defaults/main.yaml b/roles/nuage_common/defaults/main.yaml
index d285bdfa3..9b777213e 100644
--- a/roles/nuage_common/defaults/main.yaml
+++ b/roles/nuage_common/defaults/main.yaml
@@ -8,3 +8,6 @@ nuage_ca_serial: "{{ nuage_ca_dir }}/nuageMonCA.serial.txt"
nuage_master_mon_dir: /usr/share/nuage-openshift-monitor
nuage_node_plugin_dir: /usr/share/vsp-openshift
+
+nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}"
+
diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml
index fdead100c..51b89fbf6 100644
--- a/roles/nuage_master/meta/main.yml
+++ b/roles/nuage_master/meta/main.yml
@@ -13,8 +13,10 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: nuage_ca
-- role: os_firewall
- os_firewall_allow:
- - service: openshift-monitor
- port: "{{ nuage_mon_rest_server_port }}/tcp"
+ - role: nuage_ca
+ - role: nuage_common
+ - role: openshift_etcd_client_certificates
+ - role: os_firewall
+ os_firewall_allow:
+ - service: openshift-monitor
+ port: "{{ nuage_mon_rest_server_port }}/tcp"
diff --git a/roles/nuage_master/templates/nuage-openshift-monitor.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2
index 075de9d9e..b2539517b 100644
--- a/roles/nuage_master/templates/nuage-openshift-monitor.j2
+++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2
@@ -30,4 +30,11 @@ logLevel: {{ nuage_mon_log_level }}
# Parameters related to the nuage monitor REST server
nuageMonServer:
URL: {{ nuage_mon_rest_server_url }}
- certificateDirectory: {{ cert_output_dir }}
+ certificateDirectory: {{ cert_output_dir }}
+# etcd config required for HA
+etcdClientConfig:
+ ca: {{ openshift_master_config_dir }}/{{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
+ certFile: {{ openshift_master_config_dir }}/master.etcd-client.crt
+ keyFile: {{ openshift_master_config_dir }}/master.etcd-client.key
+ urls:
+ - {{ openshift.master.etcd_urls }}
diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml
index 92e716a45..b395eba99 100644
--- a/roles/nuage_master/vars/main.yaml
+++ b/roles/nuage_master/vars/main.yaml
@@ -8,7 +8,6 @@ cert_output_dir: /usr/share/nuage-openshift-monitor
kube_config: /usr/share/nuage-openshift-monitor/nuage.kubeconfig
kubemon_yaml: /usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml
master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml"
-nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}"
nuage_mon_rest_server_url: "0.0.0.0:{{ nuage_mon_rest_server_port }}"
nuage_mon_rest_server_logdir: "{{ nuage_openshift_monitor_log_dir | default('/var/log/nuage-openshift-monitor') }}"
nuage_mon_log_level: "{{ nuage_openshift_monitor_log_level | default('3') }}"
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index d36926e08..9ffd399bc 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1609,7 +1609,6 @@ class OpenShiftFacts(object):
'docker',
'etcd',
'hosted',
- 'loadbalancer',
'master',
'node']
@@ -1865,13 +1864,6 @@ class OpenShiftFacts(object):
router=dict()
)
- if 'loadbalancer' in roles:
- loadbalancer = dict(frontend_port='8443',
- default_maxconn='20000',
- global_maxconn='20000',
- limit_nofile='100000')
- defaults['loadbalancer'] = loadbalancer
-
return defaults
def guess_host_provider(self):
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index ed0a2b38d..4e525a2da 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -53,6 +53,7 @@
- include: secure.yml
static: no
+ when: replicas | int > 0
- include: storage/object_storage.yml
static: no
diff --git a/roles/openshift_loadbalancer/README.md b/roles/openshift_loadbalancer/README.md
index 81fc282be..03e837e46 100644
--- a/roles/openshift_loadbalancer/README.md
+++ b/roles/openshift_loadbalancer/README.md
@@ -1,27 +1,68 @@
OpenShift HAProxy Loadbalancer
==============================
-TODO
+OpenShift HaProxy Loadbalancer Configuration
Requirements
------------
-TODO
+This role is intended to be applied to the [lb] host group which is
+separate from OpenShift infrastructure components.
+
+This role is not re-entrant. All haproxy configuration lives in a single file.
Role Variables
--------------
-TODO
+From this role:
+
+| Name | Default value | |
+|----------------------------------------|---------------|-------------------------------------------------------|
+| openshift_loadbalancer_limit_nofile | 100000 | Limit number of open files. |
+| openshift_loadbalancer_global_maxconn | 20000 | Maximum per-process number of concurrent connections. |
+| openshift_loadbalancer_default_maxconn | 20000 | Maximum per-process number of concurrent connections. |
+| openshift_loadbalancer_frontends | none | List of frontends. See example below. |
+| openshift_loadbalancer_backends | none | List of backends. See example below. |
Dependencies
------------
-TODO
+* openshift_facts
+* os_firewall
+* openshift_repos
Example Playbook
----------------
-TODO
+```
+- name: Configure loadbalancer hosts
+ hosts: lb
+ roles:
+ - role: openshift_loadbalancer
+ openshift_loadbalancer_frontends:
+ - name: atomic-openshift-api
+ mode: tcp
+ options:
+ - tcplog
+ binds:
+ - "*:8443"
+ default_backend: atomic-openshift-api
+ openshift_loadbalancer_backends:
+ - name: atomic-openshift-api
+ mode: tcp
+ option: tcplog
+ balance: source
+ servers:
+ - name: master1
+ address: "192.168.122.221:8443"
+ opts: check
+ - name: master2
+ address: "192.168.122.222:8443"
+ opts: check
+ - name: master3
+ address: "192.168.122.223:8443"
+ opts: check
+```
License
-------
diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml
index ed846a1ba..e1d78cfd0 100644
--- a/roles/openshift_loadbalancer/meta/main.yml
+++ b/roles/openshift_loadbalancer/meta/main.yml
@@ -10,11 +10,11 @@ galaxy_info:
versions:
- 7
dependencies:
-- role: openshift_loadbalancer_facts
+- role: openshift_facts
- role: os_firewall
os_firewall_allow:
- service: haproxy stats
port: "9000/tcp"
- service: haproxy balance
- port: "{{ openshift.loadbalancer.frontend_port }}/tcp"
+ port: "{{ openshift_master_api_port | default(8443) }}/tcp"
- role: openshift_repos
diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml
index 03a7c0e4a..bb4982e2d 100644
--- a/roles/openshift_loadbalancer/tasks/main.yml
+++ b/roles/openshift_loadbalancer/tasks/main.yml
@@ -7,15 +7,13 @@
file:
path: /etc/systemd/system/haproxy.service.d
state: directory
- when: "'limit_nofile' in openshift.loadbalancer"
- name: Configure the nofile limits for haproxy
ini_file:
dest: /etc/systemd/system/haproxy.service.d/limits.conf
section: Service
option: LimitNOFILE
- value: "{{ openshift.loadbalancer.limit_nofile }}"
- when: "'limit_nofile' in openshift.loadbalancer"
+ value: "{{ openshift_loadbalancer_limit_nofile | default(100000) }}"
notify: restart haproxy
register: nofile_limit_result
diff --git a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
index b9a279f5f..79e695001 100644
--- a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
+++ b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
@@ -3,7 +3,7 @@
global
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
- maxconn {{ openshift.loadbalancer.global_maxconn }}
+ maxconn {{ openshift_loadbalancer_global_maxconn | default(20000) }}
user haproxy
group haproxy
daemon
@@ -32,14 +32,14 @@ defaults
timeout server 300s
timeout http-keep-alive 10s
timeout check 10s
- maxconn {{ openshift.loadbalancer.default_maxconn }}
+ maxconn {{ openshift_loadbalancer_default_maxconn | default(20000) }}
listen stats :9000
mode http
stats enable
stats uri /
-{% for frontend in openshift.loadbalancer.frontends %}
+{% for frontend in openshift_loadbalancer_frontends %}
frontend {{ frontend.name }}
{% for bind in frontend.binds %}
bind {{ bind }}
@@ -60,7 +60,7 @@ frontend {{ frontend.name }}
{% endif %}
{% endfor %}
-{% for backend in openshift.loadbalancer.backends %}
+{% for backend in openshift_loadbalancer_backends %}
backend {{ backend.name }}
balance {{ backend.balance }}
{% if 'mode' in backend %}
diff --git a/roles/openshift_loadbalancer_facts/README.md b/roles/openshift_loadbalancer_facts/README.md
deleted file mode 100644
index 57537cc03..000000000
--- a/roles/openshift_loadbalancer_facts/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-OpenShift HAProxy Loadbalancer Facts
-====================================
-
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
-
-License
--------
-
-Apache License, Version 2.0
-
-Author Information
-------------------
-
-Andrew Butcher (abutcher@redhat.com)
diff --git a/roles/openshift_loadbalancer_facts/meta/main.yml b/roles/openshift_loadbalancer_facts/meta/main.yml
deleted file mode 100644
index 4c5b6552b..000000000
--- a/roles/openshift_loadbalancer_facts/meta/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-galaxy_info:
- author: Andrew Butcher
- description: OpenShift loadbalancer facts
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 1.9
- platforms:
- - name: EL
- versions:
- - 7
-dependencies:
-- role: openshift_facts
diff --git a/roles/openshift_loadbalancer_facts/tasks/main.yml b/roles/openshift_loadbalancer_facts/tasks/main.yml
deleted file mode 100644
index dc244c0be..000000000
--- a/roles/openshift_loadbalancer_facts/tasks/main.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-- name: Set haproxy frontend port
- openshift_facts:
- role: loadbalancer
- local_facts:
- frontend_port: "{{ openshift_master_api_port | default(None) }}"
-
-- name: Set loadbalancer facts
- openshift_facts:
- role: loadbalancer
- local_facts:
- limit_nofile: "{{ openshift_loadbalancer_limit_nofile | default(None) }}"
- default_maxconn: "{{ openshift_loadbalancer_default_maxconn | default(None) }}"
- global_maxconn: "{{ openshift_loadbalancer_global_maxconn | default(None) }}"
- frontends:
- - name: atomic-openshift-api
- mode: tcp
- options:
- - tcplog
- binds:
- - "*:{{ openshift.loadbalancer.frontend_port }}"
- default_backend: atomic-openshift-api
- backends:
- - name: atomic-openshift-api
- mode: tcp
- option: tcplog
- balance: source
- servers: "{{ hostvars
- | oo_select_keys(groups['oo_masters'])
- | oo_haproxy_backend_masters(openshift.loadbalancer.frontend_port) }}"