17 files changed, 222 insertions, 19 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 113b401f9..ff4c4b0d7 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -27,6 +27,9 @@
     when: openshift_docker_selinux_enabled is not defined
 
 - include: disable_excluder.yml
+  vars:
+    # the excluders needs to be disabled no matter what status says
+    with_status_check: false
   tags:
   - always
 
@@ -57,3 +60,7 @@
 - include: openshift_hosted.yml
   tags:
   - hosted
+
+- include: reset_excluder.yml
+  tags:
+  - always
diff --git a/playbooks/common/openshift-cluster/disable_excluder.yml b/playbooks/common/openshift-cluster/disable_excluder.yml
index eb146bab8..68bffb5f5 100644
--- a/playbooks/common/openshift-cluster/disable_excluder.yml
+++ b/playbooks/common/openshift-cluster/disable_excluder.yml
@@ -1,11 +1,17 @@
 ---
 - name: Record excluder state and disable
-  hosts: l_oo_all_hosts
+  hosts: oo_masters_to_config:oo_nodes_to_config
   gather_facts: no
   tasks:
+
+  # During installation the excluders are installed with present state.
+  # So no pre-validation check here as the excluders are either to be installed (present = latest)
+  # or they are not going to be updated if already installed
+
+  # disable excluders based on their status
   - include_role:
       name: openshift_excluder
-      tasks_from: status
-  - include_role:
-      name: openshift_excluder
-      tasks_from: unexclude
+      tasks_from: disable
+    vars:
+      openshift_excluder_package_state: present
+      docker_excluder_package_state: present
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
index 07b38920f..1f74e929f 100644
--- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml
+++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
@@ -18,6 +18,18 @@
       msg: Incompatible versions of yum and subscription-manager found. You may need to update yum and yum-utils.
     when: "not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout"
 
+# TODO(jchaloup): find a different way how to make repoquery --qf '%version` atomic-openshift work without disabling the excluders
+- include: disable_excluder.yml
+  vars:
+    # the excluders needs to be disabled no matter what status says
+    with_status_check: false
+    # Only openshift excluder needs to be temporarily disabled
+    # So ignore the docker one
+    enable_docker_excluder: false
+  tags:
+  - always
+  when: openshift_upgrade_target is not defined
+
 - name: Determine openshift_version to configure on first master
   hosts: oo_first_master
   roles:
@@ -32,3 +44,13 @@
     openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}"
   roles:
   - openshift_version
+
+  # Re-enable excluders if they are meant to be enabled (and only during installation, upgrade disables the excluders before this play)
+- include: reset_excluder.yml
+  vars:
+    # Only openshift excluder needs to be re-enabled
+    # So ignore the docker one
+    enable_docker_excluder: false
+  tags:
+  - always
+  when: openshift_upgrade_target is not defined
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 06cda36a5..5db71b857 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -53,6 +53,8 @@
   pre_tasks:
   - set_fact:
       openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
+  - set_fact:
+      openshift_metrics_hawkular_hostname: "{{ g_metrics_hostname | default('hawkular-metrics.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
   tasks:
 
   - block:
@@ -60,3 +62,9 @@
         name: openshift_logging
         tasks_from: update_master_config
     when: openshift_hosted_logging_deploy | default(false) | bool
+
+  - block:
+    - include_role:
+        name: openshift_metrics
+        tasks_from: update_master_config
+    when: openshift_hosted_metrics_deploy | default(false) | bool
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
index 9d4d3ea26..cbb4a2434 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
@@ -31,7 +31,7 @@
 - name: Generate new etcd CA
   hosts: oo_first_etcd
   roles:
-  - role: etcd_ca
+  - role: openshift_etcd_ca
     etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
     etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
     etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
@@ -294,7 +294,7 @@
       client_path: "{{ openshift.common.config_base }}/master/admin.kubeconfig"
       ca_path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
   - name: Lookup default group for ansible_ssh_user
-    command: "/usr/bin/id -g {{ ansible_ssh_user }}"
+    command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}"
     changed_when: false
     register: _ansible_ssh_user_gid
   - set_fact:
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
index 35eedd5ee..a7b614341 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
@@ -51,7 +51,7 @@
         name: router-certs
         namespace: default
         state: absent
-        run_once: true
+      run_once: true
 
     - name: Remove router service annotations
       command: >
diff --git a/playbooks/common/openshift-cluster/reset_excluder.yml b/playbooks/common/openshift-cluster/reset_excluder.yml
index fe86f4c23..eaa8ce39c 100644
--- a/playbooks/common/openshift-cluster/reset_excluder.yml
+++ b/playbooks/common/openshift-cluster/reset_excluder.yml
@@ -1,8 +1,8 @@
 ---
 - name: Re-enable excluder if it was previously enabled
-  hosts: l_oo_all_hosts
+  hosts: oo_masters_to_config:oo_nodes_to_config
   gather_facts: no
   tasks:
   - include_role:
       name: openshift_excluder
-      tasks_from: reset
+      tasks_from: enable
diff --git a/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml
new file mode 100644
index 000000000..d1e431c5e
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml
@@ -0,0 +1,21 @@
+---
+- name: Record excluder state and disable
+  hosts: oo_masters_to_config:oo_nodes_to_config
+  gather_facts: no
+  tasks:
+  - include: pre/validate_excluder.yml
+    vars:
+      #repoquery_cmd: repoquery_cmd
+      #openshift_upgrade_target: openshift_upgrade_target
+      excluder: "{{ item }}"
+    with_items:
+    - "{{ openshift.common.service_type }}-docker-excluder"
+    - "{{ openshift.common.service_type }}-excluder"
+
+  # disable excluders based on their status
+  - include_role:
+      name: openshift_excluder
+      tasks_from: disable
+    vars:
+      openshift_excluder_package_state: latest
+      docker_excluder_package_state: latest
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 01c1e0c15..6f096f705 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -22,7 +22,7 @@
       selector: 'router'
     register: all_routers
 
-  - set_fact: haproxy_routers="{{ (all_routers.reults.results[0]['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}"
+  - set_fact: haproxy_routers="{{ all_routers.results.results[0]['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}"
     when:
     - all_routers.results.returncode == 0
 
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml
new file mode 100644
index 000000000..6de1ed061
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml
@@ -0,0 +1,29 @@
+---
+# input variables:
+# - repoquery_cmd
+# - excluder
+# - openshift_upgrade_target
+- block:
+  - name: Get available excluder version
+    command: >
+      {{ repoquery_cmd }} --qf '%{version}' "{{ excluder }}"
+    register: excluder_version
+    failed_when: false
+    changed_when: false
+
+  - name: Docker excluder version detected
+    debug:
+      msg: "{{ excluder }}: {{ excluder_version.stdout }}"
+
+  - name: Printing upgrade target version
+    debug:
+      msg: "{{ openshift_upgrade_target }}"
+
+  - name: Check the available {{ excluder }} version is at most of the upgrade target version
+    fail:
+      msg: "Available {{ excluder }} version {{ excluder_version.stdout }} is higher than the upgrade target version"
+    when:
+    - "{{ excluder_version.stdout != '' }}"
+    - "{{ excluder_version.stdout.split('.')[0:2] | join('.') | version_compare(openshift_upgrade_target.split('.')[0:2] | join('.'), '>', strict=True) }}"
+  when:
+  - not openshift.common.is_atomic | bool
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index fd01a6625..e16a1f6d0 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -173,7 +173,11 @@
   - name: Reconcile Cluster Roles
     command: >
       {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig
-      policy reconcile-cluster-roles --additive-only=true --confirm
+      policy reconcile-cluster-roles --additive-only=true --confirm -o name
+    register: reconcile_cluster_role_result
+    changed_when:
+    - reconcile_cluster_role_result.stdout != ''
+    - reconcile_cluster_role_result.rc == 0
     run_once: true
 
   - name: Reconcile Cluster Role Bindings
@@ -184,19 +188,31 @@
       --exclude-groups=system:authenticated:oauth
       --exclude-groups=system:unauthenticated
       --exclude-users=system:anonymous
-      --additive-only=true --confirm
+      --additive-only=true --confirm -o name
     when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
+    register: reconcile_bindings_result
+    changed_when:
+    - reconcile_bindings_result.stdout != ''
+    - reconcile_bindings_result.rc == 0
     run_once: true
 
   - name: Reconcile Jenkins Pipeline Role Bindings
     command: >
-      {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm
+      {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm -o name
     run_once: true
+    register: reconcile_jenkins_role_binding_result
+    changed_when:
+    - reconcile_jenkins_role_binding_result.stdout != ''
+    - reconcile_jenkins_role_binding_result.rc == 0
     when: openshift.common.version_gte_3_4_or_1_4  | bool
 
   - name: Reconcile Security Context Constraints
     command: >
-      {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true
+      {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true -o name
+    register: reconcile_scc_result
+    changed_when:
+    - reconcile_scc_result.stdout != ''
+    - reconcile_scc_result.rc == 0
     run_once: true
 
   - set_fact:
@@ -246,7 +262,7 @@
   # or docker actually needs an upgrade before proceeding. Perhaps best to save this until
   # we merge upgrade functionality into the base roles and a normal config.yml playbook run.
   - name: Mark node unschedulable
-    oadm_manage_node:
+    oc_adm_manage_node:
       node: "{{ openshift.node.nodename | lower }}"
       schedulable: False
     delegate_to: "{{ groups.oo_first_master.0 }}"
@@ -268,7 +284,7 @@
 
   post_tasks:
   - name: Set node schedulability
-    oadm_manage_node:
+    oc_adm_manage_node:
       node: "{{ openshift.node.nodename | lower }}"
       schedulable: True
     delegate_to: "{{ groups.oo_first_master.0 }}"
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
index 4e1838c71..e9f894942 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
@@ -15,7 +15,7 @@
   # or docker actually needs an upgrade before proceeding. Perhaps best to save this until
   # we merge upgrade functionality into the base roles and a normal config.yml playbook run.
   - name: Mark node unschedulable
-    oadm_manage_node:
+    oc_adm_manage_node:
       node: "{{ openshift.node.nodename | lower }}"
       schedulable: False
     delegate_to: "{{ groups.oo_first_master.0 }}"
@@ -37,7 +37,7 @@
 
   post_tasks:
   - name: Set node schedulability
-    oadm_manage_node:
+    oc_adm_manage_node:
       node: "{{ openshift.node.nodename | lower }}"
       schedulable: True
     delegate_to: "{{ groups.oo_first_master.0 }}"
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml
new file mode 100644
index 000000000..ae63c9ca9
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml
@@ -0,0 +1,67 @@
+---
+###############################################################################
+# Pre upgrade checks for known data problems, if this playbook fails you should
+# contact support. If you're not supported contact users@lists.openshift.com
+#
+# oc_objectvalidator provides these two checks
+# 1 - SDN Data issues, never seen in the wild but known possible due to code audits
+#     https://github.com/openshift/origin/issues/12697
+# 2 - Namespace protections, https://bugzilla.redhat.com/show_bug.cgi?id=1428934
+#
+###############################################################################
+- name: Verify 3.5 specific upgrade checks
+  hosts: oo_first_master
+  roles:
+  - { role: lib_openshift }
+  tasks:
+  - name: Check for invalid namespaces and SDN errors
+    oc_objectvalidator:
+
+  # What's all this PetSet business about?
+  #
+  # 'PetSets' were ALPHA resources in Kube <= 3.4. In >= 3.5 they are
+  # no longer supported. The BETA resource 'StatefulSets' replaces
+  # them. We can't migrate clients PetSets to
+  # StatefulSets. Additionally, Red Hat has never officially supported
+  # these resource types. Sorry users, but if you were using
+  # unsupported resources from the Kube documentation then we can't
+  # help you at this time.
+  #
+  # Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1428229
+  - name: Check if legacy PetSets exist
+    oc_obj:
+      state: list
+      all_namespaces: true
+      kind: petsets
+    register: l_do_petsets_exist
+
+  - name: Fail on unsupported resource migration 'PetSets'
+    fail:
+      msg: >
+        PetSet objects were detected in your cluster. These are an
+        Alpha feature in upstream Kubernetes 1.4 and are not supported
+        by Red Hat. In Kubernetes 1.5, they are replaced by the Beta
+        feature StatefulSets. Red Hat currently does not offer support
+        for either PetSets or StatefulSets.
+
+        Automatically migrating PetSets to StatefulSets in OpenShift
+        Container Platform (OCP) 3.5 is not supported. See the
+        Kubernetes "Upgrading from PetSets to StatefulSets"
+        documentation for additional information:
+
+        https://kubernetes.io/docs/tasks/manage-stateful-set/upgrade-pet-set-to-stateful-set/
+
+        PetSets MUST be removed before upgrading to OCP 3.5. Red Hat
+        strongly recommends reading the above referenced documentation
+        in its entirety before taking any destructive actions.
+
+        If you want to simply remove all PetSets without manually
+        migrating to StatefulSets, run this command as a user with
+        cluster-admin privileges:
+
+        $ oc get petsets --all-namespaces -o yaml | oc delete -f - --cascade=false
+    when:
+    # Search did not fail, valid resource type found
+    - l_do_petsets_exist.results.returncode == 0
+    # Items do exist in the search results
+    - l_do_petsets_exist.results.results.0['items'] | length > 0
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 7a334e771..68b9db03a 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -127,6 +127,8 @@
     etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
     etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
     etcd_cert_prefix: "master.etcd-"
+  - role: nuage_master
+    when: openshift.common.use_nuage | bool
 
   post_tasks:
   - name: Create group for deployment type
diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml
index 18e5c665f..c59747081 100644
--- a/playbooks/common/openshift-master/scaleup.yml
+++ b/playbooks/common/openshift-master/scaleup.yml
@@ -60,8 +60,19 @@
   - openshift_facts
   - openshift_docker
 
+- include: ../openshift-cluster/disable_excluder.yml
+  vars:
+    # the excluders needs to be disabled no matter what status says
+    with_status_check: false
+  tags:
+  - always
+
 - include: ../openshift-master/config.yml
 
 - include: ../openshift-loadbalancer/config.yml
 
 - include: ../openshift-node/config.yml
+
+- include: ../openshift-cluster/reset_excluder.yml
+  tags:
+  - always
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 933fd584d..6c5a299c1 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -84,6 +84,9 @@
     when: openshift.common.use_flannel | bool
   - role: nuage_node
     when: openshift.common.use_nuage | bool
+  - role: contiv
+    contiv_role: netplugin
+    when: openshift.common.use_contiv | bool
   - role: nickhammond.logrotate
   - role: openshift_manage_node
     openshift_master_host: "{{ groups.oo_first_master.0 }}"
diff --git a/playbooks/common/openshift-node/scaleup.yml b/playbooks/common/openshift-node/scaleup.yml
index bb3b1e780..d81bd152e 100644
--- a/playbooks/common/openshift-node/scaleup.yml
+++ b/playbooks/common/openshift-node/scaleup.yml
@@ -27,4 +27,15 @@
   - openshift_facts
   - openshift_docker
 
+- include: ../openshift-cluster/disable_excluder.yml
+  vars:
+    # the excluders needs to be disabled no matter what status says
+    with_status_check: false
+  tags:
+  - always
+
 - include: ../openshift-node/config.yml
+
+- include: ../openshift-cluster/reset_excluder.yml
+  tags:
+  - always