20 files changed, 293 insertions, 122 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index eb4b07935..c913ecda8 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.4.2-1 ./
+3.4.3-1 ./
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index 39e6b0a0b..5358a244e 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -7,6 +7,7 @@ Custom filters for use in openshift-ansible
 from ansible import errors
 from collections import Mapping
+from distutils.util import strtobool
 from distutils.version import LooseVersion
 from operator import itemgetter
 import OpenSSL.crypto
@@ -858,6 +859,35 @@ class FilterModule(object): # netloc wasn't parsed, assume url was missing scheme and path return parse_result.path + @staticmethod + def oo_openshift_loadbalancer_frontends(api_port, servers_hostvars, use_nuage=False, nuage_rest_port=None): + loadbalancer_frontends = [{'name': 'atomic-openshift-api', + 'mode': 'tcp', + 'options': ['tcplog'], + 'binds': ["*:{0}".format(api_port)], + 'default_backend': 'atomic-openshift-api'}] + if bool(strtobool(str(use_nuage))) and nuage_rest_port is not None: + loadbalancer_frontends.append({'name': 'nuage-monitor', + 'mode': 'tcp', + 'options': ['tcplog'], + 'binds': ["*:{0}".format(nuage_rest_port)], + 'default_backend': 'nuage-monitor'}) + return loadbalancer_frontends + + @staticmethod + def oo_openshift_loadbalancer_backends(api_port, servers_hostvars, use_nuage=False, nuage_rest_port=None): + loadbalancer_backends = [{'name': 'atomic-openshift-api', + 'mode': 'tcp', + 'option': 'tcplog', + 'balance': 'source', + 'servers': FilterModule.oo_haproxy_backend_masters(servers_hostvars, api_port)}] + if bool(strtobool(str(use_nuage))) and nuage_rest_port is not None: + loadbalancer_backends.append({'name': 'nuage-monitor', + 'mode': 'tcp', + 'option': 'tcplog', + 'balance': 'source', + 'servers': FilterModule.oo_haproxy_backend_masters(servers_hostvars, nuage_rest_port)}) + return loadbalancer_backends def filters(self): """ returns a mapping of filters to methods """ @@ -891,4 +921,6 @@ class FilterModule(object): "oo_merge_dicts": self.oo_merge_dicts, "oo_hostname_from_url": self.oo_hostname_from_url, "oo_merge_hostvars": self.oo_merge_hostvars, + "oo_openshift_loadbalancer_frontends": self.oo_openshift_loadbalancer_frontends, + "oo_openshift_loadbalancer_backends": self.oo_openshift_loadbalancer_backends } diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index 7febefe95..0513a70fd 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example 
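Review bot: `bool(strtobool(str(use_nuage)))` in both oo_openshift_loadbalancer_frontends and oo_openshift_loadbalancer_backends raises a bare ValueError for any value strtobool does not recognise (`None` becomes the string "None", an empty string, or a typo like "ture"), which surfaces as an opaque template failure instead of a filter error; the module already imports `errors`, so guard it with `try: nuage_enabled = bool(strtobool(str(use_nuage)))` / `except ValueError as exc: raise errors.AnsibleFilterError("openshift_use_nuage must be a boolean, got %r" % use_nuage)` and test `nuage_enabled` afterwards. Both frontends bind `*:{port}`, i.e. every interface of the lb host, so the only access control on the API and nuage-monitor passthroughs is the host firewall; a one-line comment saying so would save the next reader from assuming haproxy restricts it. `servers_hostvars` is accepted but never read in the frontends function (presumably kept for signature symmetry with the backends filter); a docstring should state that, along with the fact that the nuage entries are emitted only when both `use_nuage` is truthy and `nuage_rest_port` is not None.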
@@ -109,17 +109,46 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}] # LDAP auth -#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] -# Configuring the ldap ca certificate +#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] +# +# Configure LDAP CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the LDAPPasswordIdentityProvider. 
+# #openshift_master_ldap_ca=<ca text> # or #openshift_master_ldap_ca_file=<path to local ca file to use> -# Available variables for configuring certificates for other identity providers: -#openshift_master_openid_ca -#openshift_master_openid_ca_file -#openshift_master_request_header_ca -#openshift_master_request_header_ca_file +# OpenID auth +#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}] +# +# Configure OpenID CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the OpenIDIdentityProvider. 
+# +#openshift_master_openid_ca=<ca text> +# or +#openshift_master_openid_ca_file=<path to local ca file to use> + +# Request header auth +#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}] +# +# Configure request header CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "clientCA" +# key set within the RequestHeaderIdentityProvider. +# +#openshift_master_request_header_ca=<ca text> +# or +#openshift_master_request_header_ca_file=<path to local ca file to use> # Cloud Provider Configuration # diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 2645d4510..8515a4c55 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example 
@@ -109,17 +109,46 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}] # LDAP auth -#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] -# Configuring the ldap ca certificate +#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] +# +# Configure LDAP CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the LDAPPasswordIdentityProvider. 
+# #openshift_master_ldap_ca=<ca text> # or #openshift_master_ldap_ca_file=<path to local ca file to use> -# Available variables for configuring certificates for other identity providers: -#openshift_master_openid_ca -#openshift_master_openid_ca_file -#openshift_master_request_header_ca -#openshift_master_request_header_ca_file +# OpenID auth +#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}] +# +# Configure OpenID CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "ca" key set +# within the OpenIDIdentityProvider. 
+# +#openshift_master_openid_ca=<ca text> +# or +#openshift_master_openid_ca_file=<path to local ca file to use> + +# Request header auth +#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}] +# +# Configure request header CA certificate +# Specify either the ASCII contents of the certificate or the path to +# the local file that will be copied to the remote host. CA +# certificate contents will be copied to master systems and saved +# within /etc/origin/master/ with a filename matching the "clientCA" +# key set within the RequestHeaderIdentityProvider. +# +#openshift_master_request_header_ca=<ca text> +# or +#openshift_master_request_header_ca_file=<path to local ca file to use> # Cloud Provider Configuration # diff --git a/openshift-ansible.spec b/openshift-ansible.spec index d31447d7a..a8f03d17d 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -5,7 +5,7 @@ } Name: openshift-ansible -Version: 3.4.2 +Version: 3.4.3 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 
@@ -249,6 +249,96 @@ Atomic OpenShift Utilities includes %changelog +* Tue Oct 04 2016 Scott Dodson <sdodson@redhat.com> 3.4.3-1 +- Check if openshift_master_ingress_ip_network_cidr is defined + (Mathias.Merscher@dg-i.net) +- allow networkConfig.ingressIPNetworkCIDRs to be configured + (Mathias.Merscher@dg-i.net) +- Filterize haproxy frontends/backends and add method for providing additional + frontends/backends. (abutcher@redhat.com) +- a-o-i: Force option should allow reinstall (smunilla@redhat.com) +- a-o-i: Fix openshift_node_labels (smunilla@redhat.com) +- Enable registry support for image pruning (andrew@andrewklau.com) +- Default openshift_hosted_{logging,metrics}_deploy to false. + (abutcher@redhat.com) +- README_CONTAINERIZED_INSTALLATION: fixed link markdown + (jakub.kramarz@freshmail.pl) +- README_AWS: makes links consistent and working again + (jakub.kramarz@freshmail.pl) +- a-o-i: Allow better setting of host level variables (smunilla@redhat.com) +- Further secure registry improvements (abutcher@redhat.com) +- Delgate handlers to first master (smunilla@redhat.com) +- Secure registry improvements. (abutcher@redhat.com) +- Install Registry by Default (smunilla@redhat.com) +- Update play names for consistency. (abutcher@redhat.com) +- Addressed review comments (vishal.patil@nuagenetworks.net) +- Configure ops cluster storage to match normal cluster storage + (sdodson@redhat.com) +- Fix bug with service signer cert on upgrade. (dgoodwin@redhat.com) +- Add messages to let the user know if some plays were skipped, but it's ok. + Also, remove the final 'press a key to continue' prompt. + (tbielawa@redhat.com) +- Set named certificate destinations as basenames of provided paths. 
+ (abutcher@redhat.com) +- 'fix' unittests by removing the users ability to specify an ansible config + (tbielawa@redhat.com) +- Copy and paste more methods (tbielawa@redhat.com) +- Silence/dot-print more actions in the callback (tbielawa@redhat.com) +- Fix conflicts in spec file (tbielawa@redhat.com) +- Use pre_upgrade tag instread of a dry run variable. (dgoodwin@redhat.com) +- Move etcd backup from pre-upgrade to upgrade itself. (dgoodwin@redhat.com) +- Allow a couple retries when unscheduling/rescheduling nodes in upgrade. + (dgoodwin@redhat.com) +- Skip the docker role in early upgrade stages. (dgoodwin@redhat.com) +- Allow filtering nodes to upgrade by label. (dgoodwin@redhat.com) +- Allow customizing node upgrade serial value. (dgoodwin@redhat.com) +- Split upgrade for control plane/nodes. (dgoodwin@redhat.com) +- Set the DomainName or DomainID in the OpenStack cloud provider + (lhuard@amadeus.com) +- Use ansible.module_utils._text.to_text instead of + ansible.utils.unicode.to_unicode. (abutcher@redhat.com) +- Suppress more warnings. (abutcher@redhat.com) +- Add gitHTTPProxy and gitHTTPSProxy to advanced config json option + (sdodson@redhat.com) +- Don't set IMAGE_PREFIX if openshift_cockpit_deployer_prefix is empty + (Robert.Bohne@ConSol.de) +- Update spec file to install manpage (tbielawa@redhat.com) +- Verify masters are upgraded before proceeding with node only upgrade. + (dgoodwin@redhat.com) +- Attempt to tease apart pre upgrade for masters/nodes. (dgoodwin@redhat.com) +- Split upgrade entry points into control plane/node. (dgoodwin@redhat.com) +- Reunite upgrade reconciliation gating with the play it gates on. + (dgoodwin@redhat.com) +- Drop atomic-enterprise as a valid deployment type in upgrade. + (dgoodwin@redhat.com) +- Stop guarding against pacemaker in upgrade, no longer necessary. + (dgoodwin@redhat.com) +- Support openshift_upgrade_dry_run=true for pre-upgrade checks only. 
+ (dgoodwin@redhat.com) +- Make rhel_subscribe role default to OpenShift Container Platform 3.3 + (lhuard@amadeus.com) +- Addresses most comments from @adellape (tbielawa@redhat.com) +- Changes for Nuage HA (vishal.patil@nuagenetworks.net) +- Fix deployer template for enterprise (sdodson@redhat.com) +- Add a manpage for atomic-openshift-installer (tbielawa@redhat.com) +- Remove the DNS VM on OpenStack (lhuard@amadeus.com) +- tweak logic (jdetiber@redhat.com) +- test fix for systemd changes (sdodson@redhat.com) +- Set default_subdomain properly for logging (sdodson@redhat.com) +- Adjust wait for loops (sdodson@redhat.com) +- Add storage for logging (sdodson@redhat.com) +- Fix some bugs in OpenShift Hosted Logging role (contact@stephane-klein.info) +- Add some sample inventory stuff, will update this later (sdodson@redhat.com) +- Label all nodes for fluentd (sdodson@redhat.com) +- Rename openshift_hosted_logging_image_{prefix,version} to match metrics + (sdodson@redhat.com) +- Fix deployer template for enterprise (sdodson@redhat.com) +- Add logging to install playbooks (sdodson@redhat.com) +- Fix OpenStack cloud provider (lhuard@amadeus.com) +- Add rhaos-3.4-rhel-7 releaser to tito (sdodson@redhat.com) +- Fix the nodeName of the OpenShift nodes on OpenStack (lhuard@amadeus.com) +- Fix GCE Launch (brad@nolab.org) + * Mon Sep 26 2016 Scott Dodson <sdodson@redhat.com> 3.4.2-1 - Add an issue template (sdodson@redhat.com) - Add openshift_hosted_router_name (andrew@andrewklau.com) diff --git a/playbooks/common/openshift-loadbalancer/config.yml b/playbooks/common/openshift-loadbalancer/config.yml index f4392173a..c414913bf 100644 --- a/playbooks/common/openshift-loadbalancer/config.yml +++ b/playbooks/common/openshift-loadbalancer/config.yml 
@@ -1,5 +1,16 @@ --- - name: Configure load balancers hosts: oo_lb_to_config + vars: + openshift_loadbalancer_frontends: "{{ (openshift_master_api_port | default(8443) + | oo_openshift_loadbalancer_frontends(hostvars | oo_select_keys(groups['oo_masters']), + openshift_use_nuage | default(false), + nuage_mon_rest_server_port | default(none))) + + openshift_loadbalancer_additional_frontends | default([]) }}" + openshift_loadbalancer_backends: "{{ (openshift_master_api_port | default(8443) + | oo_openshift_loadbalancer_backends(hostvars | oo_select_keys(groups['oo_masters']), + openshift_use_nuage | default(false), + nuage_mon_rest_server_port | default(none))) + + openshift_loadbalancer_additional_backends | default([]) }}" roles: - role: openshift_loadbalancer diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml index c573da6d6..87ed7fee7 100644 --- a/roles/cockpit-ui/tasks/main.yml +++ b/roles/cockpit-ui/tasks/main.yml @@ -12,6 +12,15 @@ cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }} changed_when: False +- name: Determine if docker-registry service exists + command: > + {{ openshift.common.client_binary }} get svc/docker-registry + --config={{ openshift_hosted_kubeconfig }} + -n default + register: check_docker_registry_exists + failed_when: false + changed_when: false + - name: Create passthrough route for docker-registry command: > {{ openshift.common.client_binary }} create route passthrough @@ -21,6 +30,7 @@ register: create_docker_registry_route changed_when: "'already exists' not in create_docker_registry_route.stderr" failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0" + when: check_docker_registry_exists.rc == 0 - name: Create passthrough route for registry-console command: 
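Review bot: `nuage_mon_rest_server_port | default(none)` is evaluated on the oo_lb_to_config hosts, but the `'9443'` fallback for that variable is defined in roles/nuage_common/defaults, which only takes effect on hosts that run nuage_common; unless the lb hosts also get that role or the inventory sets the port explicitly, the filter receives None and silently drops the nuage-monitor frontend and backend even when `openshift_use_nuage` is true. Mirroring the fallback here, `nuage_mon_rest_server_port | default(nuage_openshift_monitor_rest_server_port | default('9443'))`, or failing the play when nuage is enabled and the port is undefined, would make that visible. Whether the lb group inherits the nuage_common defaults through some other path is not visible in this diff; worth confirming before relying on it.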
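Review bot: `failed_when: false` on the "Determine if docker-registry service exists" probe turns every failure of `oc get svc/docker-registry` into "registry absent": an unreachable API, a bad `openshift_hosted_kubeconfig`, or a missing client binary all yield a non-zero rc, and the five `when: check_docker_registry_exists.rc == 0` guards then silently skip the registry-console deployment with no signal. Distinguish the expected not-found case from real errors, e.g. `failed_when: check_docker_registry_exists.rc != 0 and 'not found' not in check_docker_registry_exists.stderr` (the exact message `oc` emits is not visible here; confirm it). The two tasks guarded in the `@@ -21,6 +30,7` hunk continue past this hunk's end.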
> @@ -32,6 +42,7 @@ register: create_registry_console_route changed_when: "'already exists' not in create_registry_console_route.stderr" failed_when: "'already exists' not in create_registry_console_route.stderr and create_registry_console_route.rc != 0" + when: check_docker_registry_exists.rc == 0 - name: Retrieve docker-registry route command: > @@ -41,6 +52,7 @@ -n default register: docker_registry_route changed_when: false + when: check_docker_registry_exists.rc == 0 - name: Retrieve cockpit kube url command: > @@ -49,6 +61,7 @@ -n default register: registry_console_cockpit_kube_url changed_when: false + when: check_docker_registry_exists.rc == 0 - name: Deploy registry-console command: > @@ -62,6 +75,7 @@ register: deploy_registry_console changed_when: "'already exists' not in deploy_registry_console.stderr" failed_when: "'already exists' not in deploy_registry_console.stderr and deploy_registry_console.rc != 0" + when: check_docker_registry_exists.rc == 0 - name: Delete temp directory file: diff --git a/roles/nuage_common/defaults/main.yaml b/roles/nuage_common/defaults/main.yaml index d285bdfa3..9b777213e 100644 --- a/roles/nuage_common/defaults/main.yaml +++ b/roles/nuage_common/defaults/main.yaml @@ -8,3 +8,6 @@ nuage_ca_serial: "{{ nuage_ca_dir }}/nuageMonCA.serial.txt" nuage_master_mon_dir: /usr/share/nuage-openshift-monitor nuage_node_plugin_dir: /usr/share/vsp-openshift + +nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}" + diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml index fdead100c..51b89fbf6 100644 --- a/roles/nuage_master/meta/main.yml +++ b/roles/nuage_master/meta/main.yml 
@@ -13,8 +13,10 @@ galaxy_info: - cloud - system dependencies: -- role: nuage_ca -- role: os_firewall - os_firewall_allow: - - service: openshift-monitor - port: "{{ nuage_mon_rest_server_port }}/tcp" + - role: nuage_ca + - role: nuage_common + - role: openshift_etcd_client_certificates + - role: os_firewall + os_firewall_allow: + - service: openshift-monitor + port: "{{ nuage_mon_rest_server_port }}/tcp" diff --git a/roles/nuage_master/templates/nuage-openshift-monitor.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2 index 075de9d9e..b2539517b 100644 --- a/roles/nuage_master/templates/nuage-openshift-monitor.j2 +++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2 @@ -30,4 +30,11 @@ logLevel: {{ nuage_mon_log_level }} # Parameters related to the nuage monitor REST server nuageMonServer: URL: {{ nuage_mon_rest_server_url }} - certificateDirectory: {{ cert_output_dir }} + certificateDirectory: {{ cert_output_dir }} +# etcd config required for HA +etcdClientConfig: + ca: {{ openshift_master_config_dir }}/{{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }} + certFile: {{ openshift_master_config_dir }}/master.etcd-client.crt + keyFile: {{ openshift_master_config_dir }}/master.etcd-client.key + urls: + - {{ openshift.master.etcd_urls }} diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml index 92e716a45..b395eba99 100644 --- a/roles/nuage_master/vars/main.yaml +++ b/roles/nuage_master/vars/main.yaml 
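Review bot: The new etcdClientConfig hands the nuage monitor the master's own etcd client identity (`master.etcd-client.crt` / `master.etcd-client.key` under `openshift_master_config_dir`), so a monitor compromise yields the same unrestricted read/write access to etcd as the API server has, since the client certificate is the only access control etcd enforces here. The meta hunk in the same commit adds `openshift_etcd_client_certificates` as a dependency, which suggests a dedicated client certificate was intended; issuing one for the monitor would keep its access separately auditable and revocable, and a comment in the template should say why the master's credentials are reused if that is deliberate. `urls: - {{ openshift.master.etcd_urls }}` renders exactly one sequence item; if `etcd_urls` is a list (the plural name suggests so), that produces a nested list rather than one URL per entry, so iterate instead: `{% for url in openshift.master.etcd_urls %}` / `  - {{ url }}` / `{% endfor %}`. Whether the monitor process can read the root-owned key file is not visible in this diff; confirm the service user and file modes.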
@@ -8,7 +8,6 @@ cert_output_dir: /usr/share/nuage-openshift-monitor kube_config: /usr/share/nuage-openshift-monitor/nuage.kubeconfig kubemon_yaml: /usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml" -nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}" nuage_mon_rest_server_url: "0.0.0.0:{{ nuage_mon_rest_server_port }}" nuage_mon_rest_server_logdir: "{{ nuage_openshift_monitor_log_dir | default('/var/log/nuage-openshift-monitor') }}" nuage_mon_log_level: "{{ nuage_openshift_monitor_log_level | default('3') }}" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index d36926e08..9ffd399bc 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1609,7 +1609,6 @@ class OpenShiftFacts(object): 'docker', 'etcd', 'hosted', - 'loadbalancer', 'master', 'node'] @@ -1865,13 +1864,6 @@ class OpenShiftFacts(object): router=dict() ) - if 'loadbalancer' in roles: - loadbalancer = dict(frontend_port='8443', - default_maxconn='20000', - global_maxconn='20000', - limit_nofile='100000') - defaults['loadbalancer'] = loadbalancer - return defaults def guess_host_provider(self): diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml index ed0a2b38d..4e525a2da 100644 --- a/roles/openshift_hosted/tasks/registry/registry.yml +++ b/roles/openshift_hosted/tasks/registry/registry.yml @@ -53,6 +53,7 @@ - include: secure.yml static: no + when: replicas | int > 0 - include: storage/object_storage.yml static: no diff --git a/roles/openshift_loadbalancer/README.md b/roles/openshift_loadbalancer/README.md index 81fc282be..03e837e46 100644 --- a/roles/openshift_loadbalancer/README.md +++ b/roles/openshift_loadbalancer/README.md 
@@ -1,27 +1,68 @@ OpenShift HAProxy Loadbalancer ============================== -TODO +OpenShift HaProxy Loadbalancer Configuration Requirements ------------ -TODO +This role is intended to be applied to the [lb] host group which is +separate from OpenShift infrastructure components. + +This role is not re-entrant. All haproxy configuration lives in a single file. Role Variables -------------- -TODO +From this role: + +| Name | Default value | | +|----------------------------------------|---------------|-------------------------------------------------------| +| openshift_loadbalancer_limit_nofile | 100000 | Limit number of open files. | +| openshift_loadbalancer_global_maxconn | 20000 | Maximum per-process number of concurrent connections. | +| openshift_loadbalancer_default_maxconn | 20000 | Maximum per-process number of concurrent connections. | +| openshift_loadbalancer_frontends | none | List of frontends. See example below. | +| openshift_loadbalancer_backends | none | List of backends. See example below. | Dependencies ------------ -TODO +* openshift_facts +* os_firewall +* openshift_repos Example Playbook ---------------- -TODO +``` +- name: Configure loadbalancer hosts + hosts: lb + roles: + - role: openshift_loadbalancer + openshift_loadbalancer_frontends: + - name: atomic-openshift-api + mode: tcp + options: + - tcplog + binds: + - "*:8443" + default_backend: atomic-openshift-api + openshift_loadbalancer_backends: + - name: atomic-openshift-api + mode: tcp + option: tcplog + balance: source + servers: + - name: master1 + address: "192.168.122.221:8443" + opts: check + - name: master2 + address: "192.168.122.222:8443" + opts: check + - name: master3 + address: "192.168.122.223:8443" + opts: check +``` License ------- diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml index ed846a1ba..e1d78cfd0 100644 --- a/roles/openshift_loadbalancer/meta/main.yml +++ b/roles/openshift_loadbalancer/meta/main.yml 
@@ -10,11 +10,11 @@ galaxy_info: versions: - 7 dependencies: -- role: openshift_loadbalancer_facts +- role: openshift_facts - role: os_firewall os_firewall_allow: - service: haproxy stats port: "9000/tcp" - service: haproxy balance - port: "{{ openshift.loadbalancer.frontend_port }}/tcp" + port: "{{ openshift_master_api_port | default(8443) }}/tcp" - role: openshift_repos diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml index 03a7c0e4a..bb4982e2d 100644 --- a/roles/openshift_loadbalancer/tasks/main.yml +++ b/roles/openshift_loadbalancer/tasks/main.yml @@ -7,15 +7,13 @@ file: path: /etc/systemd/system/haproxy.service.d state: directory - when: "'limit_nofile' in openshift.loadbalancer" - name: Configure the nofile limits for haproxy ini_file: dest: /etc/systemd/system/haproxy.service.d/limits.conf section: Service option: LimitNOFILE - value: "{{ openshift.loadbalancer.limit_nofile }}" - when: "'limit_nofile' in openshift.loadbalancer" + value: "{{ openshift_loadbalancer_limit_nofile | default(100000) }}" notify: restart haproxy register: nofile_limit_result diff --git a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 index b9a279f5f..79e695001 100644 --- a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 +++ b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 @@ -3,7 +3,7 @@ global chroot /var/lib/haproxy pidfile /var/run/haproxy.pid - maxconn {{ openshift.loadbalancer.global_maxconn }} + maxconn {{ openshift_loadbalancer_global_maxconn | default(20000) }} user haproxy group haproxy daemon 
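Review bot: The os_firewall dependency now opens only `openshift_master_api_port | default(8443)` (plus 9000 for stats), but this commit also renders a nuage-monitor frontend on `nuage_mon_rest_server_port` and whatever is passed in `openshift_loadbalancer_additional_frontends` into haproxy.cfg, none of which get a matching rule; on a host with the firewall enabled those listeners are unreachable, and if an operator opens them by hand they are exposed with no ACL. Derive the allow list from the frontends instead, e.g. one `{'service': frontend.name, 'port': bind port + '/tcp'}` entry per `openshift_loadbalancer_frontends` bind, or at minimum add a conditional entry for the nuage port when `openshift_use_nuage` is true. Relatedly, the stats listener the role opens on 9000/tcp has no `stats auth` in the template (pre-existing, visible in the haproxy.cfg.j2 context), so backend topology and health are readable by anyone who can reach the lb host.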
@@ -32,14 +32,14 @@ defaults timeout server 300s timeout http-keep-alive 10s timeout check 10s - maxconn {{ openshift.loadbalancer.default_maxconn }} + maxconn {{ openshift_loadbalancer_default_maxconn | default(20000) }} listen stats :9000 mode http stats enable stats uri / -{% for frontend in openshift.loadbalancer.frontends %} +{% for frontend in openshift_loadbalancer_frontends %} frontend {{ frontend.name }} {% for bind in frontend.binds %} bind {{ bind }} @@ -60,7 +60,7 @@ frontend {{ frontend.name }} {% endif %} {% endfor %} -{% for backend in openshift.loadbalancer.backends %} +{% for backend in openshift_loadbalancer_backends %} backend {{ backend.name }} balance {{ backend.balance }} {% if 'mode' in backend %} diff --git a/roles/openshift_loadbalancer_facts/README.md b/roles/openshift_loadbalancer_facts/README.md deleted file mode 100644 index 57537cc03..000000000 --- a/roles/openshift_loadbalancer_facts/README.md +++ /dev/null @@ -1,34 +0,0 @@ -OpenShift HAProxy Loadbalancer Facts -==================================== - -TODO - -Requirements ------------- - -TODO - -Role Variables --------------- - -TODO - -Dependencies ------------- - -TODO - -Example Playbook ----------------- - -TODO - -License -------- - -Apache License, Version 2.0 - -Author Information ------------------- - -Andrew Butcher (abutcher@redhat.com) diff --git a/roles/openshift_loadbalancer_facts/meta/main.yml b/roles/openshift_loadbalancer_facts/meta/main.yml deleted file mode 100644 index 4c5b6552b..000000000 --- a/roles/openshift_loadbalancer_facts/meta/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -galaxy_info: - author: Andrew Butcher - description: OpenShift loadbalancer facts - company: Red Hat, Inc. - license: Apache License, Version 2.0 - min_ansible_version: 1.9 - platforms: - - name: EL - versions: - - 7 -dependencies: -- role: openshift_facts 
diff --git a/roles/openshift_loadbalancer_facts/tasks/main.yml b/roles/openshift_loadbalancer_facts/tasks/main.yml deleted file mode 100644 index dc244c0be..000000000 --- a/roles/openshift_loadbalancer_facts/tasks/main.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -- name: Set haproxy frontend port - openshift_facts: - role: loadbalancer - local_facts: - frontend_port: "{{ openshift_master_api_port | default(None) }}" - -- name: Set loadbalancer facts - openshift_facts: - role: loadbalancer - local_facts: - limit_nofile: "{{ openshift_loadbalancer_limit_nofile | default(None) }}" - default_maxconn: "{{ openshift_loadbalancer_default_maxconn | default(None) }}" - global_maxconn: "{{ openshift_loadbalancer_global_maxconn | default(None) }}" - frontends: - - name: atomic-openshift-api - mode: tcp - options: - - tcplog - binds: - - "*:{{ openshift.loadbalancer.frontend_port }}" - default_backend: atomic-openshift-api - backends: - - name: atomic-openshift-api - mode: tcp - option: tcplog - balance: source - servers: "{{ hostvars - | oo_select_keys(groups['oo_masters']) - | oo_haproxy_backend_masters(openshift.loadbalancer.frontend_port) }}" |