diff options
| -rw-r--r-- | README_GCE.md | 8 | ||||
| -rw-r--r-- | filter_plugins/oo_filters.py | 35 | ||||
| -rw-r--r-- | inventory/byo/hosts.example | 11 | ||||
| -rw-r--r-- | playbooks/adhoc/uninstall.yml | 1 | ||||
| -rw-r--r-- | playbooks/aws/openshift-cluster/tasks/launch_instances.yml | 7 | ||||
| -rw-r--r-- | playbooks/aws/openshift-cluster/templates/user_data.j2 | 4 | ||||
| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 54 | ||||
| -rw-r--r-- | playbooks/gce/openshift-cluster/launch.yml | 4 | ||||
| -rw-r--r-- | playbooks/gce/openshift-cluster/tasks/launch_instances.yml | 4 | ||||
| -rw-r--r-- | playbooks/gce/openshift-cluster/vars.yml | 3 | ||||
| -rwxr-xr-x | roles/openshift_facts/library/openshift_facts.py | 46 | ||||
| -rw-r--r-- | roles/openshift_master/templates/master.yaml.v1.j2 | 7 |
12 files changed, 140 insertions, 44 deletions
diff --git a/README_GCE.md b/README_GCE.md index 50f8ade70..ea673b44d 100644 --- a/README_GCE.md +++ b/README_GCE.md @@ -43,7 +43,11 @@ Mandatory customization variables (check the values according to your tenant): * zone = europe-west1-d * network = default * gce_machine_type = n1-standard-2 +* gce_machine_master_type = n1-standard-1 +* gce_machine_node_type = n1-standard-2 * gce_machine_image = preinstalled-slave-50g-v5 +* gce_machine_master_image = preinstalled-slave-50g-v5 +* gce_machine_node_image = preinstalled-slave-50g-v5 1. vi ~/.gce/gce.ini @@ -56,7 +60,11 @@ gce_project_id = project_id zone = europe-west1-d network = default gce_machine_type = n1-standard-2 +gce_machine_master_type = n1-standard-1 +gce_machine_node_type = n1-standard-2 gce_machine_image = preinstalled-slave-50g-v5 +gce_machine_master_image = preinstalled-slave-50g-v5 +gce_machine_node_image = preinstalled-slave-50g-v5 ``` 1. Define the environment variable GCE_INI_PATH so gce.py can pick it up and bin/cluster can also read it diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index 2386b5878..1a854f637 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -191,7 +191,11 @@ class FilterModule(object): { 'root': { 'volume_size': 10, 'device_type': 'gp2', 'iops': 500 - } + }, + 'docker': + { 'volume_size': 40, 'device_type': 'gp2', + 'iops': 500, 'ephemeral': 'true' + } }, 'node': { 'root': @@ -216,7 +220,7 @@ class FilterModule(object): root_vol['delete_on_termination'] = True if root_vol['device_type'] != 'io1': root_vol.pop('iops', None) - if host_type == 'node': + if host_type in ['master', 'node'] and 'docker' in data[host_type]: docker_vol = data[host_type]['docker'] docker_vol['device_name'] = '/dev/xvdb' docker_vol['delete_on_termination'] = True @@ -227,7 +231,7 @@ class FilterModule(object): docker_vol.pop('delete_on_termination', None) docker_vol['ephemeral'] = 'ephemeral0' return [root_vol, docker_vol] - elif host_type == 'etcd': + elif host_type == 'etcd' and 'etcd' in data[host_type]: etcd_vol = data[host_type]['etcd'] etcd_vol['device_name'] = '/dev/xvdb' etcd_vol['delete_on_termination'] = True @@ -346,27 +350,27 @@ class FilterModule(object): @staticmethod # pylint: disable=too-many-branches - def oo_parse_certificate_names(certificates, data_dir, internal_hostnames): + def oo_parse_named_certificates(certificates, named_certs_dir, internal_hostnames): ''' Parses names from list of certificate hashes. - Ex: certificates = [{ "certfile": "/etc/origin/master/custom1.crt", - "keyfile": "/etc/origin/master/custom1.key" }, + Ex: certificates = [{ "certfile": "/root/custom1.crt", + "keyfile": "/root/custom1.key" }, { "certfile": "custom2.crt", "keyfile": "custom2.key" }] - returns [{ "certfile": "/etc/origin/master/custom1.crt", - "keyfile": "/etc/origin/master/custom1.key", + returns [{ "certfile": "/etc/origin/master/named_certificates/custom1.crt", + "keyfile": "/etc/origin/master/named_certificates/custom1.key", "names": [ "public-master-host.com", "other-master-host.com" ] }, - { "certfile": "/etc/origin/master/custom2.crt", - "keyfile": "/etc/origin/master/custom2.key", + { "certfile": "/etc/origin/master/named_certificates/custom2.crt", + "keyfile": "/etc/origin/master/named_certificates/custom2.key", "names": [ "some-hostname.com" ] }] ''' if not issubclass(type(certificates), list): raise errors.AnsibleFilterError("|failed expects certificates is a list") - if not issubclass(type(data_dir), unicode): - raise errors.AnsibleFilterError("|failed expects data_dir is unicode") + if not issubclass(type(named_certs_dir), unicode): + raise errors.AnsibleFilterError("|failed expects named_certs_dir is unicode") if not issubclass(type(internal_hostnames), list): raise errors.AnsibleFilterError("|failed expects internal_hostnames is list") @@ -399,6 +403,11 @@ class FilterModule(object): raise errors.AnsibleFilterError(("|failed to parse certificate '%s' or " % certificate['certfile'] + "detected a collision with internal hostname, please specify " + "certificate names in host inventory")) + + for certificate in certificates: + # Update paths for configuration + certificate['certfile'] = os.path.join(named_certs_dir, os.path.basename(certificate['certfile'])) + certificate['keyfile'] = os.path.join(named_certs_dir, os.path.basename(certificate['keyfile'])) return certificates @staticmethod @@ -474,7 +483,7 @@ class FilterModule(object): "oo_split": self.oo_split, "oo_filter_list": self.oo_filter_list, "oo_parse_heat_stack_outputs": self.oo_parse_heat_stack_outputs, - "oo_parse_certificate_names": self.oo_parse_certificate_names, + "oo_parse_named_certificates": self.oo_parse_named_certificates, "oo_haproxy_backend_masters": self.oo_haproxy_backend_masters, "oo_pretty_print_cluster": self.oo_pretty_print_cluster } diff --git a/inventory/byo/hosts.example b/inventory/byo/hosts.example index 56bbb9612..423581281 100644 --- a/inventory/byo/hosts.example +++ b/inventory/byo/hosts.example @@ -111,8 +111,17 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # set RPM version for debugging purposes #openshift_pkg_version=-3.0.0.0 -# Configure custom master certificates +# Configure custom named certificates +# NOTE: openshift_master_named_certificates is cached on masters and is an +# additive fact, meaning that each run with a different set of certificates +# will add the newly provided certificates to the cached set of certificates. +# If you would like openshift_master_named_certificates to be overwritten with +# the provided value, specify openshift_master_overwrite_named_certificates. +#openshift_master_overwrite_named_certificates: true +# +# Provide local certificate paths which will be deployed to masters #openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key"}] +# # Detected names may be overridden by specifying the "names" key #openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}] diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml index 565bb20a8..1a55eb053 100644 --- a/playbooks/adhoc/uninstall.yml +++ b/playbooks/adhoc/uninstall.yml @@ -161,6 +161,7 @@ - /etc/sysconfig/origin-master-api - /etc/sysconfig/origin-master-controllers - /etc/sysconfig/origin-node + - /etc/systemd/system/atomic-openshift-node.service.wants - /root/.kube - /run/openshift-sdn - /usr/share/openshift/examples diff --git a/playbooks/aws/openshift-cluster/tasks/launch_instances.yml b/playbooks/aws/openshift-cluster/tasks/launch_instances.yml index c40d5673f..22c617fea 100644 --- a/playbooks/aws/openshift-cluster/tasks/launch_instances.yml +++ b/playbooks/aws/openshift-cluster/tasks/launch_instances.yml @@ -77,7 +77,6 @@ - set_fact: latest_ami: "{{ ami_result.results | oo_ami_selector(ec2_image_name) }}" - user_data: "{{ lookup('template', '../templates/user_data.j2') }}" volume_defs: etcd: root: @@ -93,6 +92,10 @@ volume_size: "{{ lookup('env', 'os_master_root_vol_size') | default(25, true) }}" device_type: "{{ lookup('env', 'os_master_root_vol_type') | default('gp2', true) }}" iops: "{{ lookup('env', 'os_master_root_vol_iops') | default(500, true) }}" + docker: + volume_size: "{{ lookup('env', 'os_docker_vol_size') | default(10, true) }}" + device_type: "{{ lookup('env', 'os_docker_vol_type') | default('gp2', true) }}" + iops: "{{ lookup('env', 'os_docker_vol_iops') | default(500, true) }}" node: root: volume_size: "{{ lookup('env', 'os_node_root_vol_size') | default(85, true) }}" @@ -117,7 +120,7 @@ count: "{{ instances | length }}" vpc_subnet_id: "{{ ec2_vpc_subnet | default(omit, true) }}" assign_public_ip: "{{ ec2_assign_public_ip | default(omit, true) }}" - user_data: "{{ user_data }}" + user_data: "{{ lookup('template', '../templates/user_data.j2') }}" wait: yes instance_tags: created-by: "{{ created_by }}" diff --git a/playbooks/aws/openshift-cluster/templates/user_data.j2 b/playbooks/aws/openshift-cluster/templates/user_data.j2 index ea4c05ca8..3621a7d7d 100644 --- a/playbooks/aws/openshift-cluster/templates/user_data.j2 +++ b/playbooks/aws/openshift-cluster/templates/user_data.j2 @@ -1,5 +1,5 @@ #cloud-config -{% if type =='etcd' %} +{% if type == 'etcd' and 'etcd' in volume_defs[type] %} cloud_config_modules: - disk_setup - mounts @@ -19,7 +19,7 @@ fs_setup: partition: auto {% endif %} -{% if type == 'node' %} +{% if type in ['node', 'master'] and 'docker' in volume_defs[type] %} mounts: - [ xvdb ] - [ ephemeral0 ] diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index b1da85d5d..ff1579218 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -204,14 +204,6 @@ validate_checksum: yes with_items: masters_needing_certs -- name: Inspect named certificates - hosts: oo_first_master - tasks: - - name: Collect certificate names - set_fact: - parsed_named_certificates: "{{ openshift_master_named_certificates | oo_parse_certificate_names(master_cert_config_dir, openshift.common.internal_hostnames) }}" - when: openshift_master_named_certificates is defined - - name: Compute haproxy_backend_servers hosts: localhost connection: local @@ -272,11 +264,55 @@ | map(attribute='stdout') | list) }}" +- name: Parse named certificates + hosts: localhost + vars: + internal_hostnames: "{{ hostvars[groups.oo_first_master.0].openshift.common.internal_hostnames }}" + named_certificates: "{{ hostvars[groups.oo_first_master.0].openshift_master_named_certificates | default([]) }}" + named_certificates_dir: "{{ hostvars[groups.oo_first_master.0].master_cert_config_dir }}/named_certificates/" + tasks: + - set_fact: + parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certificates_dir, internal_hostnames) }}" + when: named_certificates | length > 0 + +- name: Deploy named certificates + hosts: oo_masters_to_config + vars: + named_certs_dir: "{{ master_cert_config_dir }}/named_certificates/" + named_certs_specified: "{{ openshift_master_named_certificates is defined }}" + overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}" + roles: + - role: openshift_facts + post_tasks: + - openshift_facts: + role: master + local_facts: + named_certificates: "{{ hostvars.localhost.parsed_named_certificates | default([]) }}" + additive_facts_to_overwrite: + - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}" + - name: Clear named certificates + file: + path: "{{ named_certs_dir }}" + state: absent + when: overwrite_named_certs | bool + - name: Ensure named certificate directory exists + file: + path: "{{ named_certs_dir }}" + state: directory + when: named_certs_specified | bool + - name: Land named certificates + copy: src="{{ item.certfile }}" dest="{{ named_certs_dir }}" + with_items: openshift_master_named_certificates + when: named_certs_specified | bool + - name: Land named certificate keys + copy: src="{{ item.keyfile }}" dest="{{ named_certs_dir }}" + with_items: openshift_master_named_certificates + when: named_certs_specified | bool + - name: Configure master instances hosts: oo_masters_to_config serial: 1 vars: - named_certificates: "{{ hostvars[groups['oo_first_master'][0]]['parsed_named_certificates'] | default([])}}" sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" openshift_master_count: "{{ groups.oo_masters_to_config | length }}" diff --git a/playbooks/gce/openshift-cluster/launch.yml b/playbooks/gce/openshift-cluster/launch.yml index 8be5d53e7..d6ef57c45 100644 --- a/playbooks/gce/openshift-cluster/launch.yml +++ b/playbooks/gce/openshift-cluster/launch.yml @@ -16,6 +16,8 @@ cluster: "{{ cluster_id }}" type: "{{ k8s_type }}" g_sub_host_type: "default" + gce_machine_type: "{{ lookup('env', 'gce_machine_master_type') | default(lookup('env', 'gce_machine_type'), true) }}" + gce_machine_image: "{{ lookup('env', 'gce_machine_master_image') | default(lookup('env', 'gce_machine_image'), true) }}" - include: ../../common/openshift-cluster/tasks/set_node_launch_facts.yml vars: @@ -27,6 +29,8 @@ cluster: "{{ cluster_id }}" type: "{{ k8s_type }}" g_sub_host_type: "{{ sub_host_type }}" + gce_machine_type: "{{ lookup('env', 'gce_machine_node_type') | default(lookup('env', 'gce_machine_type'), true) }}" + gce_machine_image: "{{ lookup('env', 'gce_machine_node_image') | default(lookup('env', 'gce_machine_image'), true) }}" - include: ../../common/openshift-cluster/tasks/set_node_launch_facts.yml vars: diff --git a/playbooks/gce/openshift-cluster/tasks/launch_instances.yml b/playbooks/gce/openshift-cluster/tasks/launch_instances.yml index c428cb465..de8a75b18 100644 --- a/playbooks/gce/openshift-cluster/tasks/launch_instances.yml +++ b/playbooks/gce/openshift-cluster/tasks/launch_instances.yml @@ -5,8 +5,8 @@ - name: Launch instance(s) gce: instance_names: "{{ instances }}" - machine_type: "{{ lookup('env', 'gce_machine_type') | default('n1-standard-1', true) }}" - image: "{{ lookup('env', 'gce_machine_image') | default(deployment_vars[deployment_type].image, true) }}" + machine_type: "{{ gce_machine_type | default(deployment_vars[deployment_type].machine_type, true) }}" + image: "{{ gce_machine_image | default(deployment_vars[deployment_type].image, true) }}" service_account_email: "{{ lookup('env', 'gce_service_account_email_address') }}" pem_file: "{{ lookup('env', 'gce_service_account_pem_file_path') }}" project_id: "{{ lookup('env', 'gce_project_id') }}" diff --git a/playbooks/gce/openshift-cluster/vars.yml b/playbooks/gce/openshift-cluster/vars.yml index 6de007807..a8ce8eb22 100644 --- a/playbooks/gce/openshift-cluster/vars.yml +++ b/playbooks/gce/openshift-cluster/vars.yml @@ -5,13 +5,16 @@ sdn_network_plugin: redhat/openshift-ovs-subnet deployment_vars: origin: image: preinstalled-slave-50g-v5 + machine_type: n1-standard-1 ssh_user: root sudo: yes online: image: libra-rhel7 + machine_type: n1-standard-1 ssh_user: root sudo: no enterprise: image: rhel-7 + machine_type: n1-standard-1 ssh_user: sudo: yes diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 51e3ef1c0..6006bfa9d 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -864,20 +864,38 @@ def apply_provider_facts(facts, provider_facts): return facts -def merge_facts(orig, new): +def merge_facts(orig, new, additive_facts_to_overwrite): """ Recursively merge facts dicts Args: orig (dict): existing facts new (dict): facts to update + + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] + Returns: dict: the merged facts """ + additive_facts = ['named_certificates'] facts = dict() for key, value in orig.iteritems(): if key in new: if isinstance(value, dict) and isinstance(new[key], dict): - facts[key] = merge_facts(value, new[key]) + relevant_additive_facts = [] + # Keep additive_facts_to_overwrite if key matches + for item in additive_facts_to_overwrite: + if '.' in item and item.startswith(key + '.'): + relevant_additive_facts.append(item) + facts[key] = merge_facts(value, new[key], relevant_additive_facts) + elif key in additive_facts and key not in [x.split('.')[-1] for x in additive_facts_to_overwrite]: + # Fact is additive so we'll combine orig and new. + if isinstance(value, list) and isinstance(new[key], list): + new_fact = [] + for item in copy.deepcopy(value) + copy.copy(new[key]): + if item not in new_fact: + new_fact.append(item) + facts[key] = new_fact else: facts[key] = copy.copy(new[key]) else: @@ -961,13 +979,15 @@ class OpenShiftFacts(object): role (str): role for setting local facts filename (str): local facts file to use local_facts (dict): local facts to set + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] Raises: OpenShiftFactsUnsupportedRoleError: """ known_roles = ['common', 'master', 'node', 'master_sdn', 'node_sdn', 'dns', 'etcd'] - def __init__(self, role, filename, local_facts): + def __init__(self, role, filename, local_facts, additive_facts_to_overwrite=False): self.changed = False self.filename = filename if role not in self.known_roles: @@ -976,25 +996,27 @@ class OpenShiftFacts(object): ) self.role = role self.system_facts = ansible_facts(module) - self.facts = self.generate_facts(local_facts) + self.facts = self.generate_facts(local_facts, additive_facts_to_overwrite) - def generate_facts(self, local_facts): + def generate_facts(self, local_facts, additive_facts_to_overwrite): """ Generate facts Args: local_facts (dict): local_facts for overriding generated defaults + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] Returns: dict: The generated facts """ - local_facts = self.init_local_facts(local_facts) + local_facts = self.init_local_facts(local_facts, additive_facts_to_overwrite) roles = local_facts.keys() defaults = self.get_defaults(roles) provider_facts = self.init_provider_facts() facts = apply_provider_facts(defaults, provider_facts) - facts = merge_facts(facts, local_facts) + facts = merge_facts(facts, local_facts, additive_facts_to_overwrite) facts['current_config'] = get_current_config(facts) facts = set_url_facts_if_unset(facts) facts = set_project_cfg_facts_if_unset(facts) @@ -1132,11 +1154,13 @@ class OpenShiftFacts(object): ) return provider_facts - def init_local_facts(self, facts=None): + def init_local_facts(self, facts=None, additive_facts_to_overwrite=False): """ Initialize the provider facts Args: facts (dict): local facts to set + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] Returns: dict: The result of merging the provided facts with existing @@ -1154,7 +1178,7 @@ class OpenShiftFacts(object): basestring): facts_to_set[arg] = module.from_json(facts_to_set[arg]) - new_local_facts = merge_facts(local_facts, facts_to_set) + new_local_facts = merge_facts(local_facts, facts_to_set, additive_facts_to_overwrite) for facts in new_local_facts.values(): keys_to_delete = [] for fact, value in facts.iteritems(): @@ -1184,6 +1208,7 @@ def main(): role=dict(default='common', required=False, choices=OpenShiftFacts.known_roles), local_facts=dict(default=None, type='dict', required=False), + additive_facts_to_overwrite=dict(default=[], type='list', required=False), ), supports_check_mode=True, add_file_common_args=True, @@ -1191,9 +1216,10 @@ def main(): role = module.params['role'] local_facts = module.params['local_facts'] + additive_facts_to_overwrite = module.params['additive_facts_to_overwrite'] fact_file = '/etc/ansible/facts.d/openshift.fact' - openshift_facts = OpenShiftFacts(role, fact_file, local_facts) + openshift_facts = OpenShiftFacts(role, fact_file, local_facts, additive_facts_to_overwrite) file_params = module.params.copy() file_params['path'] = fact_file diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index bb12a0a0f..2a37c06d9 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -27,9 +27,6 @@ corsAllowedOrigins: {% for custom_origin in openshift.master.custom_cors_origins | default("") %} - {{ custom_origin }} {% endfor %} -{% for name in (named_certificates | map(attribute='names')) | list | oo_flatten %} - - {{ name }} -{% endfor %} {% if 'disabled_features' in openshift.master %} disabledFeatures: {{ openshift.master.disabled_features | to_json }} {% endif %} @@ -144,9 +141,9 @@ servingInfo: keyFile: master.server.key maxRequestsInFlight: 500 requestTimeoutSeconds: 3600 -{% if named_certificates %} +{% if openshift.master.named_certificates %} namedCertificates: -{% for named_certificate in named_certificates %} +{% for named_certificate in openshift.master.named_certificates %} - certFile: {{ named_certificate['certfile'] }} keyFile: {{ named_certificate['keyfile'] }} names: |