Diffstat (limited to 'playbooks/common')
3 files changed, 39 insertions, 5 deletions
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml index 35eedd5ee..a7b614341 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml @@ -51,7 +51,7 @@ name: router-certs namespace: default state: absent - run_once: true + run_once: true - name: Remove router service annotations command: > diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index fd01a6625..babb7191d 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -173,7 +173,11 @@ - name: Reconcile Cluster Roles command: > {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig - policy reconcile-cluster-roles --additive-only=true --confirm + policy reconcile-cluster-roles --additive-only=true --confirm -o name + register: reconcile_cluster_role_result + changed_when: + - reconcile_cluster_role_result.stdout != '' + - reconcile_cluster_role_result.rc == 0 run_once: true - name: Reconcile Cluster Role Bindings 
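Review bot: In the `Reconcile Cluster Roles` task, `reconcile_cluster_role_result` is consumed only by `changed_when`, so the role names printed by `-o name` are not shown unless the run is verbose. Because this step rewrites cluster RBAC with `--confirm`, a follow-up task such as `- debug: var=reconcile_cluster_role_result.stdout_lines` with `when: reconcile_cluster_role_result.changed` would leave a record of which roles the upgrade touched. The `rc == 0` entry looks redundant, since a non-zero exit already fails a `command` task when no `failed_when` is set. Both points apply equally to the three reconcile tasks in the next hunk; the task list itself starts and ends outside this hunk.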
@@ -184,19 +188,31 @@ --exclude-groups=system:authenticated:oauth --exclude-groups=system:unauthenticated --exclude-users=system:anonymous - --additive-only=true --confirm + --additive-only=true --confirm -o name when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool + register: reconcile_bindings_result + changed_when: + - reconcile_bindings_result.stdout != '' + - reconcile_bindings_result.rc == 0 run_once: true - name: Reconcile Jenkins Pipeline Role Bindings command: > - {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm + {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm -o name run_once: true + register: reconcile_jenkins_role_binding_result + changed_when: + - reconcile_jenkins_role_binding_result.stdout != '' + - reconcile_jenkins_role_binding_result.rc == 0 when: openshift.common.version_gte_3_4_or_1_4 | bool - name: Reconcile Security Context Constraints command: > - {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true + {{ openshift.common.client_binary }} adm policy reconcile-sccs --confirm --additive-only=true -o name + register: reconcile_scc_result + changed_when: + - reconcile_scc_result.stdout != '' + - reconcile_scc_result.rc == 0 run_once: true - set_fact: diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml new file mode 100644 index 000000000..13fd917c5 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/validator.yml 
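Review bot: The `Reconcile Jenkins Pipeline Role Bindings` task still runs `reconcile-cluster-role-bindings system:build-strategy-jenkinspipeline --confirm -o name` without `--additive-only=true`, while the role-binding and SCC tasks around it pass that flag. A non-additive reconcile presumably resets the binding to its default subjects, which would undo local restrictions or additions an administrator made to it, and with the new `changed_when` this would be reported as an ordinary change. Either add `--additive-only=true`, or put a comment above the task stating that the reset is intended, for example `# non-additive on purpose: binding is reset to defaults on upgrade`. As a style point, this task places `run_once` before `register`/`changed_when` whereas the sibling tasks place it after; one order would make the four tasks easier to compare.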
@@ -0,0 +1,18 @@
+---
+###############################################################################
+# Pre upgrade checks for known data problems, if this playbook fails you should
+# contact support. If you're not supported contact users@lists.openshift.com
+#
+# oc_objectvalidator provides these two checks
+# 1 - SDN Data issues, never seen in the wild but known possible due to code audits
+# https://github.com/openshift/origin/issues/12697
+# 2 - Namespace protections, https://bugzilla.redhat.com/show_bug.cgi?id=1428934
+#
+###############################################################################
+- name: Verify 3.5 specific upgrade checks
+ hosts: oo_first_master
+ roles:
+ - { role: lib_openshift }
+ tasks:
+ - name: Check for invalid namespaces and SDN errors
+ oc_objectvalidator: |
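Review bot: The `oc_objectvalidator:` task is called with no arguments (the trailing `|` on this page looks like extraction residue), so it relies on whatever credentials path the module defaults to. The reconcile tasks elsewhere in this commit pass `--config={{ openshift.common.config_base }}/master/admin.kubeconfig` explicitly. If the module accepts a `kubeconfig` argument like the other lib_openshift modules, passing `kubeconfig: "{{ openshift.common.config_base }}/master/admin.kubeconfig"` would keep the check pointed at the same cluster on installs with a non-default config base. The header comment would also be more useful to an operator if it said in one line what each check rejects and that the upgrade must not proceed after a failure, since the two links are the only explanation given.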