Diffstat (limited to 'playbooks/common')
-rw-r--r--playbooks/common/openshift-cluster/config.yml7
-rw-r--r--playbooks/common/openshift-cluster/disable_excluder.yml16
-rw-r--r--playbooks/common/openshift-cluster/initialize_openshift_version.yml22
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml8
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/ca.yml4
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/router.yml2
-rw-r--r--playbooks/common/openshift-cluster/reset_excluder.yml4
-rw-r--r--playbooks/common/openshift-cluster/upgrades/disable_excluder.yml21
-rw-r--r--playbooks/common/openshift-cluster/upgrades/post_control_plane.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml29
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml28
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml4
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml67
-rw-r--r--playbooks/common/openshift-master/config.yml2
-rw-r--r--playbooks/common/openshift-master/scaleup.yml11
-rw-r--r--playbooks/common/openshift-node/config.yml3
-rw-r--r--playbooks/common/openshift-node/scaleup.yml11
17 files changed, 222 insertions, 19 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 113b401f9..ff4c4b0d7 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -27,6 +27,9 @@
when: openshift_docker_selinux_enabled is not defined
- include: disable_excluder.yml
+ vars:
+ # the excluders needs to be disabled no matter what status says
+ with_status_check: false
tags:
- always
@@ -57,3 +60,7 @@
- include: openshift_hosted.yml
tags:
- hosted
+
+- include: reset_excluder.yml
+ tags:
+ - always
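Review bot: The `reset_excluder.yml` include added at the end of this playbook runs only if every play before it succeeds, so a failed run leaves the excluders disabled on the hosts that `disable_excluder.yml` already touched. Playbook-level includes cannot be wrapped in `block`/`always`, so the behaviour should at least be documented above the include, e.g. `# NOTE: if the run fails before this point the excluders stay disabled until a later run reaches this include`. The same disable/reset pairing is added in `openshift-master/scaleup.yml`, `openshift-node/scaleup.yml` and `initialize_openshift_version.yml`, and the note applies there too.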
diff --git a/playbooks/common/openshift-cluster/disable_excluder.yml b/playbooks/common/openshift-cluster/disable_excluder.yml
index eb146bab8..68bffb5f5 100644
--- a/playbooks/common/openshift-cluster/disable_excluder.yml
+++ b/playbooks/common/openshift-cluster/disable_excluder.yml
@@ -1,11 +1,17 @@
---
- name: Record excluder state and disable
- hosts: l_oo_all_hosts
+ hosts: oo_masters_to_config:oo_nodes_to_config
gather_facts: no
tasks:
+
+ # During installation the excluders are installed with present state.
+ # So no pre-validation check here as the excluders are either to be installed (present = latest)
+ # or they are not going to be updated if already installed
+
+ # disable excluders based on their status
- include_role:
name: openshift_excluder
- tasks_from: status
- - include_role:
- name: openshift_excluder
- tasks_from: unexclude
+ tasks_from: disable
+ vars:
+ openshift_excluder_package_state: present
+ docker_excluder_package_state: present
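Review bot: The play is still named `Record excluder state and disable`, but the `tasks_from: status` step that recorded the state is removed in this hunk, so the name no longer describes what runs. Unless the `disable` task file (not visible in this diff) records the state itself, rename the play to something like `- name: Disable excluders`. `reset_excluder.yml` has the same mismatch: its name says `if it was previously enabled` while it now calls `tasks_from: enable`. The new `upgrades/disable_excluder.yml` copies the old name as well.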
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
index 07b38920f..1f74e929f 100644
--- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml
+++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
@@ -18,6 +18,18 @@
msg: Incompatible versions of yum and subscription-manager found. You may need to update yum and yum-utils.
when: "not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout"
+# TODO(jchaloup): find a different way how to make repoquery --qf '%version` atomic-openshift work without disabling the excluders
+- include: disable_excluder.yml
+ vars:
+ # the excluders needs to be disabled no matter what status says
+ with_status_check: false
+ # Only openshift excluder needs to be temporarily disabled
+ # So ignore the docker one
+ enable_docker_excluder: false
+ tags:
+ - always
+ when: openshift_upgrade_target is not defined
+
- name: Determine openshift_version to configure on first master
hosts: oo_first_master
roles:
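Review bot: The TODO comment on the first added line is garbled: the format string opens with a single quote and closes with a backtick, and it reads `%version` where `pre/validate_excluder.yml` in this same commit uses `'%{version}'`. Presumably the intended text is `# TODO(jchaloup): find a way to make repoquery --qf '%{version}' atomic-openshift work without disabling the excluders`. Since this comment is the only explanation of why the excluder is switched off during version detection, it is worth getting the command right.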
@@ -32,3 +44,13 @@
openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}"
roles:
- openshift_version
+
+ # Re-enable excluders if they are meant to be enabled (and only during installation, upgrade disables the excluders before this play)
+- include: reset_excluder.yml
+ vars:
+ # Only openshift excluder needs to be re-enabled
+ # So ignore the docker one
+ enable_docker_excluder: false
+ tags:
+ - always
+ when: openshift_upgrade_target is not defined
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 06cda36a5..5db71b857 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -53,6 +53,8 @@
pre_tasks:
- set_fact:
openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
+ - set_fact:
+ openshift_metrics_hawkular_hostname: "{{ g_metrics_hostname | default('hawkular-metrics.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
tasks:
- block:
@@ -60,3 +62,9 @@
name: openshift_logging
tasks_from: update_master_config
when: openshift_hosted_logging_deploy | default(false) | bool
+
+ - block:
+ - include_role:
+ name: openshift_metrics
+ tasks_from: update_master_config
+ when: openshift_hosted_metrics_deploy | default(false) | bool
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
index 9d4d3ea26..cbb4a2434 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
@@ -31,7 +31,7 @@
- name: Generate new etcd CA
hosts: oo_first_etcd
roles:
- - role: etcd_ca
+ - role: openshift_etcd_ca
etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
@@ -294,7 +294,7 @@
client_path: "{{ openshift.common.config_base }}/master/admin.kubeconfig"
ca_path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
- name: Lookup default group for ansible_ssh_user
- command: "/usr/bin/id -g {{ ansible_ssh_user }}"
+ command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}"
changed_when: false
register: _ansible_ssh_user_gid
- set_fact:
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
index 35eedd5ee..a7b614341 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
@@ -51,7 +51,7 @@
name: router-certs
namespace: default
state: absent
- run_once: true
+ run_once: true
- name: Remove router service annotations
command: >
diff --git a/playbooks/common/openshift-cluster/reset_excluder.yml b/playbooks/common/openshift-cluster/reset_excluder.yml
index fe86f4c23..eaa8ce39c 100644
--- a/playbooks/common/openshift-cluster/reset_excluder.yml
+++ b/playbooks/common/openshift-cluster/reset_excluder.yml
@@ -1,8 +1,8 @@
---
- name: Re-enable excluder if it was previously enabled
- hosts: l_oo_all_hosts
+ hosts: oo_masters_to_config:oo_nodes_to_config
gather_facts: no
tasks:
- include_role:
name: openshift_excluder
- tasks_from: reset
+ tasks_from: enable
diff --git a/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml
new file mode 100644
index 000000000..d1e431c5e
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml
@@ -0,0 +1,21 @@
+---
+- name: Record excluder state and disable
+ hosts: oo_masters_to_config:oo_nodes_to_config
+ gather_facts: no
+ tasks:
+ - include: pre/validate_excluder.yml
+ vars:
+ #repoquery_cmd: repoquery_cmd
+ #openshift_upgrade_target: openshift_upgrade_target
+ excluder: "{{ item }}"
+ with_items:
+ - "{{ openshift.common.service_type }}-docker-excluder"
+ - "{{ openshift.common.service_type }}-excluder"
+
+ # disable excluders based on their status
+ - include_role:
+ name: openshift_excluder
+ tasks_from: disable
+ vars:
+ openshift_excluder_package_state: latest
+ docker_excluder_package_state: latest
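Review bot: The two commented-out entries under `vars:` (`#repoquery_cmd: repoquery_cmd` and `#openshift_upgrade_target: openshift_upgrade_target`) read as unfinished wiring. `pre/validate_excluder.yml` lists both as input variables, yet nothing in this play sets them, and with `gather_facts: no` they must already exist from an earlier play. Replace the dead lines with a comment that states the dependency, e.g. `# repoquery_cmd and openshift_upgrade_target must already be set on these hosts`.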
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 01c1e0c15..6f096f705 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -22,7 +22,7 @@
selector: 'router'
register: all_routers
- - set_fact: haproxy_routers="{{ (all_routers.reults.results[0]['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}"
+ - set_fact: haproxy_routers="{{ all_routers.results.results[0]['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}"
when:
- all_routers.results.returncode == 0
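Review bot: The corrected `set_fact` line still uses the inline `key="{{ ... }}"` form, where nested quotes and parentheses are easy to get wrong; the line being replaced had both a misspelt `reults` and an unbalanced opening parenthesis. Writing it as a YAML mapping, `- set_fact:` followed by `haproxy_routers: "{{ all_routers.results.results[0]['items'] | ... }}"`, keeps the expression a plain quoted scalar and makes such slips easier to spot. The task starts before and continues past this hunk.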
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml
new file mode 100644
index 000000000..6de1ed061
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml
@@ -0,0 +1,29 @@
+---
+# input variables:
+# - repoquery_cmd
+# - excluder
+# - openshift_upgrade_target
+- block:
+ - name: Get available excluder version
+ command: >
+ {{ repoquery_cmd }} --qf '%{version}' "{{ excluder }}"
+ register: excluder_version
+ failed_when: false
+ changed_when: false
+
+ - name: Docker excluder version detected
+ debug:
+ msg: "{{ excluder }}: {{ excluder_version.stdout }}"
+
+ - name: Printing upgrade target version
+ debug:
+ msg: "{{ openshift_upgrade_target }}"
+
+ - name: Check the available {{ excluder }} version is at most of the upgrade target version
+ fail:
+ msg: "Available {{ excluder }} version {{ excluder_version.stdout }} is higher than the upgrade target version"
+ when:
+ - "{{ excluder_version.stdout != '' }}"
+ - "{{ excluder_version.stdout.split('.')[0:2] | join('.') | version_compare(openshift_upgrade_target.split('.')[0:2] | join('.'), '>', strict=True) }}"
+ when:
+ - not openshift.common.is_atomic | bool
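Review bot: This check fails open: `Get available excluder version` sets `failed_when: false`, and the `fail` task is skipped when `excluder_version.stdout` is empty, so a repoquery error looks the same as "no newer excluder available" and the upgrade proceeds. If repoquery exits 0 for a package that is simply absent (not confirmed from this diff), `failed_when: excluder_version.rc != 0` would keep the tolerant behaviour while still stopping on real errors; otherwise add a comment stating that errors are deliberately ignored. The two inner `when:` entries are wrapped in `{{ }}` although conditionals are already Jinja expressions, so they should read `- excluder_version.stdout != ''` and so on. The debug task named `Docker excluder version detected` also runs for the non-docker excluder, so the name should be generic.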
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index fd01a6625..e16a1f6d0 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -173,7 +173,11 @@
- name: Reconcile Cluster Roles
command: >
{{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-roles --additive-only=true --confirm
+ policy reconcile-cluster-roles --additive-only=true --confirm -o name
+ register: reconcile_cluster_role_result
+ changed_when:
+ - reconcile_cluster_role_result.stdout != ''
+ - reconcile_cluster_role_result.rc == 0
run_once: true
- name: Reconcile Cluster Role Bindings
@@ -184,19 +188,31 @@
--exclude-groups=system:authenticated:oauth
--exclude-groups=system:unauthenticated
--exclude-users=system:anonymous
- --additive-only=true --confirm
+ --additive-only=true --confirm -o name
when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
+ register: reconcile_bindings_result
+ changed_when:
+ - reconcile_bindings_result.stdout != ''
+ - reconcile_bindings_result.rc == 0
run_once: true
- name: Reconcile Jenkins Pipeline Role Bindings
command: >
- {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm
+ {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm -o name
run_once: true
+ register: reconcile_jenkins_role_binding_result
+ changed_when:
+ - reconcile_jenkins_role_binding_result.stdout != ''
+ - reconcile_jenkins_role_binding_result.rc == 0
when: openshift.common.version_gte_3_4_or_1_4 | bool
- name: Reconcile Security Context Constraints
command: >
- {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true
+ {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true -o name
+ register: reconcile_scc_result
+ changed_when:
+ - reconcile_scc_result.stdout != ''
+ - reconcile_scc_result.rc == 0
run_once: true
- set_fact:
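Review bot: `Reconcile Security Context Constraints` is the only reconcile command in this hunk and the previous one that does not pass `--config={{ openshift.common.config_base }}/master/admin.kubeconfig`, so it runs with whatever kubeconfig the remote user happens to have. That predates this commit, but the line is rewritten here and could be aligned with the other three unless the difference is deliberate. Separately, the four identical `changed_when` lists appear to assume that `-o name` prints nothing when no object was reconciled. A comment above the first one, e.g. `# -o name prints only the objects that were changed`, would record that assumption.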
@@ -246,7 +262,7 @@
# or docker actually needs an upgrade before proceeding. Perhaps best to save this until
# we merge upgrade functionality into the base roles and a normal config.yml playbook run.
- name: Mark node unschedulable
- oadm_manage_node:
+ oc_adm_manage_node:
node: "{{ openshift.node.nodename | lower }}"
schedulable: False
delegate_to: "{{ groups.oo_first_master.0 }}"
@@ -268,7 +284,7 @@
post_tasks:
- name: Set node schedulability
- oadm_manage_node:
+ oc_adm_manage_node:
node: "{{ openshift.node.nodename | lower }}"
schedulable: True
delegate_to: "{{ groups.oo_first_master.0 }}"
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
index 4e1838c71..e9f894942 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
@@ -15,7 +15,7 @@
# or docker actually needs an upgrade before proceeding. Perhaps best to save this until
# we merge upgrade functionality into the base roles and a normal config.yml playbook run.
- name: Mark node unschedulable
- oadm_manage_node:
+ oc_adm_manage_node:
node: "{{ openshift.node.nodename | lower }}"
schedulable: False
delegate_to: "{{ groups.oo_first_master.0 }}"
@@ -37,7 +37,7 @@
post_tasks:
- name: Set node schedulability
- oadm_manage_node:
+ oc_adm_manage_node:
node: "{{ openshift.node.nodename | lower }}"
schedulable: True
delegate_to: "{{ groups.oo_first_master.0 }}"
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml
new file mode 100644
index 000000000..ae63c9ca9
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml
@@ -0,0 +1,67 @@
+---
+###############################################################################
+# Pre upgrade checks for known data problems, if this playbook fails you should
+# contact support. If you're not supported contact users@lists.openshift.com
+#
+# oc_objectvalidator provides these two checks
+# 1 - SDN Data issues, never seen in the wild but known possible due to code audits
+# https://github.com/openshift/origin/issues/12697
+# 2 - Namespace protections, https://bugzilla.redhat.com/show_bug.cgi?id=1428934
+#
+###############################################################################
+- name: Verify 3.5 specific upgrade checks
+ hosts: oo_first_master
+ roles:
+ - { role: lib_openshift }
+ tasks:
+ - name: Check for invalid namespaces and SDN errors
+ oc_objectvalidator:
+
+ # What's all this PetSet business about?
+ #
+ # 'PetSets' were ALPHA resources in Kube <= 3.4. In >= 3.5 they are
+ # no longer supported. The BETA resource 'StatefulSets' replaces
+ # them. We can't migrate clients PetSets to
+ # StatefulSets. Additionally, Red Hat has never officially supported
+ # these resource types. Sorry users, but if you were using
+ # unsupported resources from the Kube documentation then we can't
+ # help you at this time.
+ #
+ # Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1428229
+ - name: Check if legacy PetSets exist
+ oc_obj:
+ state: list
+ all_namespaces: true
+ kind: petsets
+ register: l_do_petsets_exist
+
+ - name: Fail on unsupported resource migration 'PetSets'
+ fail:
+ msg: >
+ PetSet objects were detected in your cluster. These are an
+ Alpha feature in upstream Kubernetes 1.4 and are not supported
+ by Red Hat. In Kubernetes 1.5, they are replaced by the Beta
+ feature StatefulSets. Red Hat currently does not offer support
+ for either PetSets or StatefulSets.
+
+ Automatically migrating PetSets to StatefulSets in OpenShift
+ Container Platform (OCP) 3.5 is not supported. See the
+ Kubernetes "Upgrading from PetSets to StatefulSets"
+ documentation for additional information:
+
+ https://kubernetes.io/docs/tasks/manage-stateful-set/upgrade-pet-set-to-stateful-set/
+
+ PetSets MUST be removed before upgrading to OCP 3.5. Red Hat
+ strongly recommends reading the above referenced documentation
+ in its entirety before taking any destructive actions.
+
+ If you want to simply remove all PetSets without manually
+ migrating to StatefulSets, run this command as a user with
+ cluster-admin privileges:
+
+ $ oc get petsets --all-namespaces -o yaml | oc delete -f - --cascade=false
+ when:
+ # Search did not fail, valid resource type found
+ - l_do_petsets_exist.results.returncode == 0
+ # Items do exist in the search results
+ - l_do_petsets_exist.results.results.0['items'] | length > 0
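Review bot: The `fail` task fires only when `l_do_petsets_exist.results.returncode == 0`, so every other outcome of the lookup is treated the same as "no PetSets". If `oc_obj` can return a non-zero code for reasons other than the resource type being unknown, such as expired credentials or an unreachable API server, this pre-upgrade check passes silently; whether it can is not visible from this diff. Record the assumption next to the condition, e.g. `# a non-zero return code is assumed to mean the petsets kind does not exist`, or add a task that reports the lookup's error output when the code is non-zero.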
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 7a334e771..68b9db03a 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -127,6 +127,8 @@
etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
etcd_cert_prefix: "master.etcd-"
+ - role: nuage_master
+ when: openshift.common.use_nuage | bool
post_tasks:
- name: Create group for deployment type
diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml
index 18e5c665f..c59747081 100644
--- a/playbooks/common/openshift-master/scaleup.yml
+++ b/playbooks/common/openshift-master/scaleup.yml
@@ -60,8 +60,19 @@
- openshift_facts
- openshift_docker
+- include: ../openshift-cluster/disable_excluder.yml
+ vars:
+ # the excluders needs to be disabled no matter what status says
+ with_status_check: false
+ tags:
+ - always
+
- include: ../openshift-master/config.yml
- include: ../openshift-loadbalancer/config.yml
- include: ../openshift-node/config.yml
+
+- include: ../openshift-cluster/reset_excluder.yml
+ tags:
+ - always
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 933fd584d..6c5a299c1 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -84,6 +84,9 @@
when: openshift.common.use_flannel | bool
- role: nuage_node
when: openshift.common.use_nuage | bool
+ - role: contiv
+ contiv_role: netplugin
+ when: openshift.common.use_contiv | bool
- role: nickhammond.logrotate
- role: openshift_manage_node
openshift_master_host: "{{ groups.oo_first_master.0 }}"
diff --git a/playbooks/common/openshift-node/scaleup.yml b/playbooks/common/openshift-node/scaleup.yml
index bb3b1e780..d81bd152e 100644
--- a/playbooks/common/openshift-node/scaleup.yml
+++ b/playbooks/common/openshift-node/scaleup.yml
@@ -27,4 +27,15 @@
- openshift_facts
- openshift_docker
+- include: ../openshift-cluster/disable_excluder.yml
+ vars:
+ # the excluders needs to be disabled no matter what status says
+ with_status_check: false
+ tags:
+ - always
+
- include: ../openshift-node/config.yml
+
+- include: ../openshift-cluster/reset_excluder.yml
+ tags:
+ - always