Diffstat (limited to 'playbooks/common')
17 files changed, 222 insertions, 19 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index 113b401f9..ff4c4b0d7 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml @@ -27,6 +27,9 @@ when: openshift_docker_selinux_enabled is not defined - include: disable_excluder.yml + vars: + # the excluders needs to be disabled no matter what status says + with_status_check: false tags: - always @@ -57,3 +60,7 @@ - include: openshift_hosted.yml tags: - hosted + +- include: reset_excluder.yml + tags: + - always diff --git a/playbooks/common/openshift-cluster/disable_excluder.yml b/playbooks/common/openshift-cluster/disable_excluder.yml index eb146bab8..68bffb5f5 100644 --- a/playbooks/common/openshift-cluster/disable_excluder.yml +++ b/playbooks/common/openshift-cluster/disable_excluder.yml @@ -1,11 +1,17 @@ --- - name: Record excluder state and disable - hosts: l_oo_all_hosts + hosts: oo_masters_to_config:oo_nodes_to_config gather_facts: no tasks: + + # During installation the excluders are installed with present state. + # So no pre-validation check here as the excluders are either to be installed (present = latest) + # or they are not going to be updated if already installed + + # disable excluders based on their status - include_role: name: openshift_excluder - tasks_from: status - - include_role: - name: openshift_excluder - tasks_from: unexclude + tasks_from: disable + vars: + openshift_excluder_package_state: present + docker_excluder_package_state: present diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml index 07b38920f..1f74e929f 100644 --- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml +++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml 
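Review bot: Nothing in config.yml guarantees that `reset_excluder.yml` runs once `disable_excluder.yml` has run: the re-enable is a separate include at the very end of the file, so a failure in any play in between ends the run with the excluders still disabled on the hosts. The excluders are what keep a routine package update from moving the docker and OpenShift packages, so that state should not be left behind silently. The same disable-then-reset pairing is added in initialize_openshift_version.yml and in both scaleup.yml files. I would at least document the recovery step next to the include, e.g. `# if the run aborts after this point, re-run reset_excluder.yml to restore the excluders`.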
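Review bot: The play in disable_excluder.yml is still named `Record excluder state and disable`, but the `tasks_from: status` include is removed here, so nothing in this file records the prior state any more. reset_excluder.yml in this commit likewise keeps the name `Re-enable excluder if it was previously enabled` while switching to `tasks_from: enable`; whether the role's enable tasks consult a previous state is not visible in this diff. If they do not, a host where an excluder had been disabled on purpose would come out of the run with it enabled. Rename the plays to match what they now do, e.g. `- name: Disable excluders` and `- name: Re-enable excluders`, or state the actual condition in a comment.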
@@ -18,6 +18,18 @@ msg: Incompatible versions of yum and subscription-manager found. You may need to update yum and yum-utils. when: "not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout" +# TODO(jchaloup): find a different way how to make repoquery --qf '%version` atomic-openshift work without disabling the excluders +- include: disable_excluder.yml + vars: + # the excluders needs to be disabled no matter what status says + with_status_check: false + # Only openshift excluder needs to be temporarily disabled + # So ignore the docker one + enable_docker_excluder: false + tags: + - always + when: openshift_upgrade_target is not defined + - name: Determine openshift_version to configure on first master hosts: oo_first_master roles: @@ -32,3 +44,13 @@ openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}" roles: - openshift_version + + # Re-enable excluders if they are meant to be enabled (and only during installation, upgrade disables the excluders before this play) +- include: reset_excluder.yml + vars: + # Only openshift excluder needs to be re-enabled + # So ignore the docker one + enable_docker_excluder: false + tags: + - always + when: openshift_upgrade_target is not defined diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index 06cda36a5..5db71b857 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml 
@@ -53,6 +53,8 @@ pre_tasks: - set_fact: openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" + - set_fact: + openshift_metrics_hawkular_hostname: "{{ g_metrics_hostname | default('hawkular-metrics.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}" tasks: - block: @@ -60,3 +62,9 @@ name: openshift_logging tasks_from: update_master_config when: openshift_hosted_logging_deploy | default(false) | bool + + - block: + - include_role: + name: openshift_metrics + tasks_from: update_master_config + when: openshift_hosted_metrics_deploy | default(false) | bool diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml index 9d4d3ea26..cbb4a2434 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml @@ -31,7 +31,7 @@ - name: Generate new etcd CA hosts: oo_first_etcd roles: - - role: etcd_ca + - role: openshift_etcd_ca etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" @@ -294,7 +294,7 @@ client_path: "{{ openshift.common.config_base }}/master/admin.kubeconfig" ca_path: "{{ openshift.common.config_base }}/master/ca-bundle.crt" - name: Lookup default group for ansible_ssh_user - command: "/usr/bin/id -g {{ ansible_ssh_user }}" + command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}" changed_when: false register: _ansible_ssh_user_gid - set_fact: diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml index 35eedd5ee..a7b614341 100644 
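Review bot: With `| quote` the user name in ca.yml now reaches `id` as a single argument, but a value beginning with `-` would still be read by `id` as an option. Ending option parsing closes that as well: `command: "/usr/bin/id -g -- {{ ansible_ssh_user | quote }}"`. The value comes from inventory, so this is hardening rather than a live bug. The task list this line belongs to starts outside the hunk.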
--- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml @@ -51,7 +51,7 @@ name: router-certs namespace: default state: absent - run_once: true + run_once: true - name: Remove router service annotations command: > diff --git a/playbooks/common/openshift-cluster/reset_excluder.yml b/playbooks/common/openshift-cluster/reset_excluder.yml index fe86f4c23..eaa8ce39c 100644 --- a/playbooks/common/openshift-cluster/reset_excluder.yml +++ b/playbooks/common/openshift-cluster/reset_excluder.yml @@ -1,8 +1,8 @@ --- - name: Re-enable excluder if it was previously enabled - hosts: l_oo_all_hosts + hosts: oo_masters_to_config:oo_nodes_to_config gather_facts: no tasks: - include_role: name: openshift_excluder - tasks_from: reset + tasks_from: enable diff --git a/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml new file mode 100644 index 000000000..d1e431c5e --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml @@ -0,0 +1,21 @@ +--- +- name: Record excluder state and disable + hosts: oo_masters_to_config:oo_nodes_to_config + gather_facts: no + tasks: + - include: pre/validate_excluder.yml + vars: + #repoquery_cmd: repoquery_cmd + #openshift_upgrade_target: openshift_upgrade_target + excluder: "{{ item }}" + with_items: + - "{{ openshift.common.service_type }}-docker-excluder" + - "{{ openshift.common.service_type }}-excluder" + + # disable excluders based on their status + - include_role: + name: openshift_excluder + tasks_from: disable + vars: + openshift_excluder_package_state: latest + docker_excluder_package_state: latest diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml index 01c1e0c15..6f096f705 100644 --- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml 
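Review bot: The two commented-out entries under `vars:` in upgrades/disable_excluder.yml (`#repoquery_cmd: repoquery_cmd`, `#openshift_upgrade_target: openshift_upgrade_target`) leave it unclear where pre/validate_excluder.yml gets the values it lists as input variables. As written only `excluder` is passed, so the validation depends on `repoquery_cmd` and `openshift_upgrade_target` already being set for every host in `oo_masters_to_config:oo_nodes_to_config` by an earlier play, which this diff does not show. I would delete the commented lines and replace them with a comment such as `# repoquery_cmd and openshift_upgrade_target must already be set by the calling upgrade playbook`, or assert that both are defined before the include.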
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml @@ -22,7 +22,7 @@ selector: 'router' register: all_routers - - set_fact: haproxy_routers="{{ (all_routers.reults.results[0]['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}" + - set_fact: haproxy_routers="{{ all_routers.results.results[0]['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}" when: - all_routers.results.returncode == 0 diff --git a/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml new file mode 100644 index 000000000..6de1ed061 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml @@ -0,0 +1,29 @@ +--- +# input variables: +# - repoquery_cmd +# - excluder +# - openshift_upgrade_target +- block: + - name: Get available excluder version + command: > + {{ repoquery_cmd }} --qf '%{version}' "{{ excluder }}" + register: excluder_version + failed_when: false + changed_when: false + + - name: Docker excluder version detected + debug: + msg: "{{ excluder }}: {{ excluder_version.stdout }}" + + - name: Printing upgrade target version + debug: + msg: "{{ openshift_upgrade_target }}" + + - name: Check the available {{ excluder }} version is at most of the upgrade target version + fail: + msg: "Available {{ excluder }} version {{ excluder_version.stdout }} is higher than the upgrade target version" + when: + - "{{ excluder_version.stdout != '' }}" + - "{{ excluder_version.stdout.split('.')[0:2] | join('.') | version_compare(openshift_upgrade_target.split('.')[0:2] | join('.'), '>', strict=True) }}" + when: + - not openshift.common.is_atomic | bool 
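Review bot: The version check in pre/validate_excluder.yml fails open: `Get available excluder version` sets `failed_when: false`, and the `fail` task is skipped whenever `excluder_version.stdout` is empty, so a repoquery error passes validation exactly as a compatible version would. If that is intended for hosts without the excluder package, a comment on the task should say so; otherwise fail or warn when `excluder_version.rc != 0`. Separately, the two `when:` entries on the `fail` task wrap their expressions in `{{ }}`; conditionals are already evaluated as Jinja, so write them bare, e.g. `- excluder_version.stdout != ''`. The debug task named `Docker excluder version detected` also runs for the non-docker excluder, so `Excluder version detected` would be accurate.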
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index fd01a6625..e16a1f6d0 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -173,7 +173,11 @@ - name: Reconcile Cluster Roles command: > {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig - policy reconcile-cluster-roles --additive-only=true --confirm + policy reconcile-cluster-roles --additive-only=true --confirm -o name + register: reconcile_cluster_role_result + changed_when: + - reconcile_cluster_role_result.stdout != '' + - reconcile_cluster_role_result.rc == 0 run_once: true - name: Reconcile Cluster Role Bindings 
@@ -184,19 +188,31 @@ --exclude-groups=system:authenticated:oauth --exclude-groups=system:unauthenticated --exclude-users=system:anonymous - --additive-only=true --confirm + --additive-only=true --confirm -o name when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool + register: reconcile_bindings_result + changed_when: + - reconcile_bindings_result.stdout != '' + - reconcile_bindings_result.rc == 0 run_once: true - name: Reconcile Jenkins Pipeline Role Bindings command: > - {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm + {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm -o name run_once: true + register: reconcile_jenkins_role_binding_result + changed_when: + - reconcile_jenkins_role_binding_result.stdout != '' + - reconcile_jenkins_role_binding_result.rc == 0 when: openshift.common.version_gte_3_4_or_1_4 | bool - name: Reconcile Security Context Constraints command: > - {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true + {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true -o name + register: reconcile_scc_result + changed_when: + - reconcile_scc_result.stdout != '' + - reconcile_scc_result.rc == 0 run_once: true - set_fact: @@ -246,7 +262,7 @@ # or docker actually needs an upgrade before proceeding. Perhaps best to save this until # we merge upgrade functionality into the base roles and a normal config.yml playbook run. - name: Mark node unschedulable - oadm_manage_node: + oc_adm_manage_node: node: "{{ openshift.node.nodename | lower }}" schedulable: False delegate_to: "{{ groups.oo_first_master.0 }}" 
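Review bot: Two of the reconcile commands rewritten in this hunk differ from their neighbours in ways that affect what they act on. `Reconcile Security Context Constraints` is the only one without `--config={{ openshift.common.config_base }}/master/admin.kubeconfig`, so it runs with whatever client configuration the remote user happens to have, and `Reconcile Jenkins Pipeline Role Bindings` omits `--additive-only=true`, so unlike the other binding reconcile it is not restricted to additive changes. Both predate this commit, but since the lines are being touched it would be worth either aligning them or adding a comment that the difference is deliberate. In the new `changed_when` lists the `rc == 0` entry looks redundant, since a non-zero rc already fails a `command` task.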
@@ -268,7 +284,7 @@ post_tasks: - name: Set node schedulability - oadm_manage_node: + oc_adm_manage_node: node: "{{ openshift.node.nodename | lower }}" schedulable: True delegate_to: "{{ groups.oo_first_master.0 }}" diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml index 4e1838c71..e9f894942 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml @@ -15,7 +15,7 @@ # or docker actually needs an upgrade before proceeding. Perhaps best to save this until # we merge upgrade functionality into the base roles and a normal config.yml playbook run. - name: Mark node unschedulable - oadm_manage_node: + oc_adm_manage_node: node: "{{ openshift.node.nodename | lower }}" schedulable: False delegate_to: "{{ groups.oo_first_master.0 }}" @@ -37,7 +37,7 @@ post_tasks: - name: Set node schedulability - oadm_manage_node: + oc_adm_manage_node: node: "{{ openshift.node.nodename | lower }}" schedulable: True delegate_to: "{{ groups.oo_first_master.0 }}" diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml new file mode 100644 index 000000000..ae63c9ca9 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml 
@@ -0,0 +1,67 @@ +--- +############################################################################### +# Pre upgrade checks for known data problems, if this playbook fails you should +# contact support. If you're not supported contact users@lists.openshift.com +# +# oc_objectvalidator provides these two checks +# 1 - SDN Data issues, never seen in the wild but known possible due to code audits +# https://github.com/openshift/origin/issues/12697 +# 2 - Namespace protections, https://bugzilla.redhat.com/show_bug.cgi?id=1428934 +# +############################################################################### +- name: Verify 3.5 specific upgrade checks + hosts: oo_first_master + roles: + - { role: lib_openshift } + tasks: + - name: Check for invalid namespaces and SDN errors + oc_objectvalidator: + + # What's all this PetSet business about? + # + # 'PetSets' were ALPHA resources in Kube <= 3.4. In >= 3.5 they are + # no longer supported. The BETA resource 'StatefulSets' replaces + # them. We can't migrate clients PetSets to + # StatefulSets. Additionally, Red Hat has never officially supported + # these resource types. Sorry users, but if you were using + # unsupported resources from the Kube documentation then we can't + # help you at this time. + # + # Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1428229 + - name: Check if legacy PetSets exist + oc_obj: + state: list + all_namespaces: true + kind: petsets + register: l_do_petsets_exist + + - name: Fail on unsupported resource migration 'PetSets' + fail: + msg: > + PetSet objects were detected in your cluster. These are an + Alpha feature in upstream Kubernetes 1.4 and are not supported + by Red Hat. In Kubernetes 1.5, they are replaced by the Beta + feature StatefulSets. Red Hat currently does not offer support + for either PetSets or StatefulSets. + + Automatically migrating PetSets to StatefulSets in OpenShift + Container Platform (OCP) 3.5 is not supported. 
See the + Kubernetes "Upgrading from PetSets to StatefulSets" + documentation for additional information: + + https://kubernetes.io/docs/tasks/manage-stateful-set/upgrade-pet-set-to-stateful-set/ + + PetSets MUST be removed before upgrading to OCP 3.5. Red Hat + strongly recommends reading the above referenced documentation + in its entirety before taking any destructive actions. + + If you want to simply remove all PetSets without manually + migrating to StatefulSets, run this command as a user with + cluster-admin privileges: + + $ oc get petsets --all-namespaces -o yaml | oc delete -f - --cascade=false + when: + # Search did not fail, valid resource type found + - l_do_petsets_exist.results.returncode == 0 + # Items do exist in the search results + - l_do_petsets_exist.results.results.0['items'] | length > 0 diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 7a334e771..68b9db03a 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -127,6 +127,8 @@ etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" etcd_cert_prefix: "master.etcd-" + - role: nuage_master + when: openshift.common.use_nuage | bool post_tasks: - name: Create group for deployment type diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml index 18e5c665f..c59747081 100644 --- a/playbooks/common/openshift-master/scaleup.yml +++ b/playbooks/common/openshift-master/scaleup.yml 
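Review bot: The PetSet guard in v3_5/validator.yml only fires when `l_do_petsets_exist.results.returncode == 0`, and the comment reads any other code as "resource type not found"; a lookup that fails for a different reason (API unreachable, credentials rejected) would then also let the upgrade proceed unchecked. How `oc_obj` reports a failed `state: list` is not visible in this diff, so this needs confirming against the module, but if it can return non-zero without failing the task, add a second `fail` for a non-zero code that is not the unknown-resource case. On the message itself: the suggested `oc delete -f - --cascade=false` removes the PetSet objects in all namespaces while leaving their pods running, which is worth stating next to the command so an operator pasting it knows what remains.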
@@ -60,8 +60,19 @@ - openshift_facts - openshift_docker +- include: ../openshift-cluster/disable_excluder.yml + vars: + # the excluders needs to be disabled no matter what status says + with_status_check: false + tags: + - always + - include: ../openshift-master/config.yml - include: ../openshift-loadbalancer/config.yml - include: ../openshift-node/config.yml + +- include: ../openshift-cluster/reset_excluder.yml + tags: + - always diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 933fd584d..6c5a299c1 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -84,6 +84,9 @@ when: openshift.common.use_flannel | bool - role: nuage_node when: openshift.common.use_nuage | bool + - role: contiv + contiv_role: netplugin + when: openshift.common.use_contiv | bool - role: nickhammond.logrotate - role: openshift_manage_node openshift_master_host: "{{ groups.oo_first_master.0 }}" diff --git a/playbooks/common/openshift-node/scaleup.yml b/playbooks/common/openshift-node/scaleup.yml index bb3b1e780..d81bd152e 100644 --- a/playbooks/common/openshift-node/scaleup.yml +++ b/playbooks/common/openshift-node/scaleup.yml @@ -27,4 +27,15 @@ - openshift_facts - openshift_docker +- include: ../openshift-cluster/disable_excluder.yml + vars: + # the excluders needs to be disabled no matter what status says + with_status_check: false + tags: + - always + - include: ../openshift-node/config.yml + +- include: ../openshift-cluster/reset_excluder.yml + tags: + - always |