Diffstat (limited to 'playbooks/common')
-rw-r--r--playbooks/common/openshift-cluster/config.yml3
-rw-r--r--playbooks/common/openshift-cluster/disable_excluder.yml14
-rw-r--r--playbooks/common/openshift-cluster/initialize_openshift_version.yml3
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/router.yml2
-rw-r--r--playbooks/common/openshift-cluster/reset_excluder.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/disable_excluder.yml21
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml22
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml24
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml18
9 files changed, 99 insertions, 10 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 113b401f9..82f711f40 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -27,6 +27,9 @@
when: openshift_docker_selinux_enabled is not defined
- include: disable_excluder.yml
+ vars:
+ # the excluders needs to be disabled no matter what status says
+ with_status_check: false
tags:
- always
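Review bot: Nothing in the visible new `disable_excluder.yml` reads `with_status_check`, which is passed on the `include: disable_excluder.yml` line here and again in the identical hunk in `initialize_openshift_version.yml`. It is presumably consumed inside the `openshift_excluder` role, which this path-limited diff does not show. If the role does not read it, the include silently falls back to status-based behaviour, so the comment should name the consumer, for example `# read by openshift_excluder (disable tasks): skip the status check and always disable`. The existing comment also needs a grammar fix ("the excluders need to be disabled").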
diff --git a/playbooks/common/openshift-cluster/disable_excluder.yml b/playbooks/common/openshift-cluster/disable_excluder.yml
index eb146bab8..b2e025cb8 100644
--- a/playbooks/common/openshift-cluster/disable_excluder.yml
+++ b/playbooks/common/openshift-cluster/disable_excluder.yml
@@ -3,9 +3,15 @@
hosts: l_oo_all_hosts
gather_facts: no
tasks:
+
+ # During installation the excluders are installed with present state.
+ # So no pre-validation check here as the excluders are either to be installed (present = latest)
+ # or they are not going to be updated if already installed
+
+ # disable excluders based on their status
- include_role:
name: openshift_excluder
- tasks_from: status
- - include_role:
- name: openshift_excluder
- tasks_from: unexclude
+ tasks_from: disable
+ vars:
+ openshift_excluder_package_state: present
+ docker_excluder_package_state: present
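Review bot: The added comment's "(present = latest)" reads as if the two package states were equivalent, which they are not: `present` leaves an already installed excluder at its current version, while `latest` upgrades it. I would reword the comment to `# state "present": a missing excluder is installed at the newest available version, an installed one is left untouched, so no version pre-validation is needed`. The play header (`- name:` and the start of the play) is outside this hunk.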
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
index 6b40176e1..7f37c606f 100644
--- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml
+++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
@@ -19,6 +19,9 @@
when: "not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout"
- include: disable_excluder.yml
+ vars:
+ # the excluders needs to be disabled no matter what status says
+ with_status_check: false
tags:
- always
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
index 35eedd5ee..a7b614341 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
@@ -51,7 +51,7 @@
name: router-certs
namespace: default
state: absent
- run_once: true
+ run_once: true
- name: Remove router service annotations
command: >
diff --git a/playbooks/common/openshift-cluster/reset_excluder.yml b/playbooks/common/openshift-cluster/reset_excluder.yml
index fe86f4c23..7c544ee32 100644
--- a/playbooks/common/openshift-cluster/reset_excluder.yml
+++ b/playbooks/common/openshift-cluster/reset_excluder.yml
@@ -5,4 +5,4 @@
tasks:
- include_role:
name: openshift_excluder
- tasks_from: reset
+ tasks_from: enable
diff --git a/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml
new file mode 100644
index 000000000..2a85dc92e
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/disable_excluder.yml
@@ -0,0 +1,21 @@
+---
+- name: Record excluder state and disable
+ hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include: pre/validate_excluder.yml
+ vars:
+ #repoquery_cmd: repoquery_cmd
+ #openshift_upgrade_target: openshift_upgrade_target
+ excluder: "{{ item }}"
+ with_items:
+ - "{{ openshift.common.service_type }}-docker-excluder"
+ - "{{ openshift.common.service_type }}-excluder"
+
+ # disable excluders based on their status
+ - include_role:
+ name: openshift_excluder
+ tasks_from: disable
+ vars:
+ openshift_excluder_package_state: latest
+ docker_excluder_package_state: latest
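Review bot: The two commented-out entries under `vars:` (`#repoquery_cmd`, `#openshift_upgrade_target`) leave it unstated where `pre/validate_excluder.yml` gets two of its three documented inputs. Only `excluder` is passed explicitly, so the include depends on both values already being defined for every host in `l_oo_all_hosts` by an earlier play. Replace the dead lines with a comment that states that dependency, e.g. `# repoquery_cmd and openshift_upgrade_target must already be set by the upgrade entry-point playbook`. As a style point, `gather_facts: no` is better written `gather_facts: false`.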
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml
new file mode 100644
index 000000000..5078638b7
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml
@@ -0,0 +1,22 @@
+---
+# input variables:
+# - repoquery_cmd
+# - excluder
+# - openshift_upgrade_target
+- name: Get available excluder version
+ command: >
+ {{ repoquery_cmd }} --qf '%{version}' "{{ excluder }}"
+ register: excluder_version
+ failed_when: false
+ changed_when: false
+
+- name: Docker excluder version detected
+ debug:
+ msg: "{{ excluder }}: {{ excluder_version.stdout }}"
+
+- name: Check the available {{ excluder }} version is at most of the upgrade target version
+ fail:
+ msg: "Available {{ excluder }} version {{ excluder_version.stdout }} is higher than the upgrade target version {{ openshift_upgrade_target }}"
+ when:
+ - "{{ excluder_version.stdout != '' }}"
+ - "{{ excluder_version.stdout.split('.')[0:2] | join('.') | version_compare(openshift_upgrade_target, '>', strict=True) }}"
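Review bot: The version check fails open, because `failed_when: false` on the repoquery task turns any query failure (unreachable repo, wrong `repoquery_cmd`) into empty stdout, and the first `when:` condition then skips the `fail` task. Consider adding a task that at least warns when `excluder_version.rc != 0`, so an unverified excluder version is visible in the run output. The two `when:` entries also wrap their expressions in `{{ }}`, which Ansible warns about and which templates the expression twice; write them bare, `- excluder_version.stdout != ''` and `- excluder_version.stdout.split('.')[0:2] | join('.') | version_compare(openshift_upgrade_target, '>', strict=True)`. The debug task name "Docker excluder version detected" is also used for the non-docker excluder, so `"{{ excluder }} version detected"` would be more accurate.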
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index fd01a6625..babb7191d 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -173,7 +173,11 @@
- name: Reconcile Cluster Roles
command: >
{{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-roles --additive-only=true --confirm
+ policy reconcile-cluster-roles --additive-only=true --confirm -o name
+ register: reconcile_cluster_role_result
+ changed_when:
+ - reconcile_cluster_role_result.stdout != ''
+ - reconcile_cluster_role_result.rc == 0
run_once: true
- name: Reconcile Cluster Role Bindings
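Review bot: The new `changed_when` list depends on an undocumented assumption: that `--confirm -o name` prints one line per object it modified and nothing when no change was needed. The same pattern is repeated for the bindings, Jenkins pipeline and SCC tasks in the next hunk. Put a short comment above the first occurrence, e.g. `# "-o name" lists only the objects that were reconciled; empty stdout means nothing changed`. The `rc == 0` entry is redundant as far as the hunk shows, since a non-zero exit already fails a `command` task that has no `failed_when` override. The task list this belongs to starts outside the hunk.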
@@ -184,19 +188,31 @@
--exclude-groups=system:authenticated:oauth
--exclude-groups=system:unauthenticated
--exclude-users=system:anonymous
- --additive-only=true --confirm
+ --additive-only=true --confirm -o name
when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
+ register: reconcile_bindings_result
+ changed_when:
+ - reconcile_bindings_result.stdout != ''
+ - reconcile_bindings_result.rc == 0
run_once: true
- name: Reconcile Jenkins Pipeline Role Bindings
command: >
- {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm
+ {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm -o name
run_once: true
+ register: reconcile_jenkins_role_binding_result
+ changed_when:
+ - reconcile_jenkins_role_binding_result.stdout != ''
+ - reconcile_jenkins_role_binding_result.rc == 0
when: openshift.common.version_gte_3_4_or_1_4 | bool
- name: Reconcile Security Context Constraints
command: >
- {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true
+ {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true -o name
+ register: reconcile_scc_result
+ changed_when:
+ - reconcile_scc_result.stdout != ''
+ - reconcile_scc_result.rc == 0
run_once: true
- set_fact:
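Review bot: The `Reconcile Security Context Constraints` command is the only one of the four reconcile tasks that does not pass `--config={{ openshift.common.config_base }}/master/admin.kubeconfig`, so it runs with whatever kubeconfig the remote user picks up by default. That was already the case in the removed line, but since the line is being rewritten it is worth pinning the credential to match the other three, i.e. `{{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-sccs --confirm --additive-only=true -o name`. The first task in this hunk (the bindings reconcile) starts outside the hunk.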
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml
new file mode 100644
index 000000000..13fd917c5
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml
@@ -0,0 +1,18 @@
+---
+###############################################################################
+# Pre upgrade checks for known data problems, if this playbook fails you should
+# contact support. If you're not supported contact users@lists.openshift.com
+#
+# oc_objectvalidator provides these two checks
+# 1 - SDN Data issues, never seen in the wild but known possible due to code audits
+# https://github.com/openshift/origin/issues/12697
+# 2 - Namespace protections, https://bugzilla.redhat.com/show_bug.cgi?id=1428934
+#
+###############################################################################
+- name: Verify 3.5 specific upgrade checks
+ hosts: oo_first_master
+ roles:
+ - { role: lib_openshift }
+ tasks:
+ - name: Check for invalid namespaces and SDN errors
+ oc_objectvalidator: