Diffstat (limited to 'playbooks/openshift-hosted')
-rw-r--r--playbooks/openshift-hosted/config.yml4
-rw-r--r--playbooks/openshift-hosted/private/cockpit-ui.yml8
-rw-r--r--playbooks/openshift-hosted/private/config.yml45
-rw-r--r--playbooks/openshift-hosted/private/create_persistent_volumes.yml5
-rw-r--r--playbooks/openshift-hosted/private/install_docker_gc.yml7
-rw-r--r--playbooks/openshift-hosted/private/openshift_default_storage_class.yml6
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml7
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_registry.yml13
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml13
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_router.yml13
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml26
-rw-r--r--playbooks/openshift-hosted/private/redeploy-registry-certificates.yml100
-rw-r--r--playbooks/openshift-hosted/private/redeploy-router-certificates.yml141
l---------playbooks/openshift-hosted/private/roles1
-rw-r--r--playbooks/openshift-hosted/redeploy-registry-certificates.yml4
-rw-r--r--playbooks/openshift-hosted/redeploy-router-certificates.yml4
16 files changed, 397 insertions, 0 deletions
diff --git a/playbooks/openshift-hosted/config.yml b/playbooks/openshift-hosted/config.yml
new file mode 100644
index 000000000..c7814207c
--- /dev/null
+++ b/playbooks/openshift-hosted/config.yml
@@ -0,0 +1,4 @@
+---
+- import_playbook: ../init/main.yml
+
+- import_playbook: private/config.yml
diff --git a/playbooks/openshift-hosted/private/cockpit-ui.yml b/playbooks/openshift-hosted/private/cockpit-ui.yml
new file mode 100644
index 000000000..d6529425b
--- /dev/null
+++ b/playbooks/openshift-hosted/private/cockpit-ui.yml
@@ -0,0 +1,8 @@
+---
+- name: Create Hosted Resources - cockpit-ui
+ hosts: oo_first_master
+ roles:
+ - role: cockpit-ui
+ when:
+ - openshift_hosted_manage_registry | default(true) | bool
+ - not (openshift_docker_hosted_registry_insecure | default(false)) | bool
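Review bot: The second condition, `not (openshift_docker_hosted_registry_insecure | default(false)) | bool`, places its parentheses so that `| bool` appears to apply to the negated result, while Jinja applies the filter before `not`. The outcome is the same, but this condition gates cockpit-ui on the registry not being insecure, so it should read unambiguously. I would write it as `- not (openshift_docker_hosted_registry_insecure | default(false) | bool)`.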
diff --git a/playbooks/openshift-hosted/private/config.yml b/playbooks/openshift-hosted/private/config.yml
new file mode 100644
index 000000000..4e7b98da2
--- /dev/null
+++ b/playbooks/openshift-hosted/private/config.yml
@@ -0,0 +1,45 @@
+---
+- name: Hosted Install Checkpoint Start
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Set Hosted install 'In Progress'
+ run_once: true
+ set_stats:
+ data:
+ installer_phase_hosted:
+ status: "In Progress"
+ start: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
+
+- import_playbook: create_persistent_volumes.yml
+
+- import_playbook: openshift_default_storage_class.yml
+
+- import_playbook: openshift_hosted_create_projects.yml
+
+- import_playbook: openshift_hosted_router.yml
+
+- import_playbook: openshift_hosted_registry.yml
+
+- import_playbook: openshift_hosted_wait_for_pods.yml
+
+- import_playbook: openshift_hosted_registry_storage.yml
+
+- import_playbook: cockpit-ui.yml
+
+- import_playbook: install_docker_gc.yml
+ when:
+ - openshift_use_crio | default(False) | bool
+ - openshift_crio_enable_docker_gc | default(False) | bool
+
+- name: Hosted Install Checkpoint End
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Set Hosted install 'Complete'
+ run_once: true
+ set_stats:
+ data:
+ installer_phase_hosted:
+ status: "Complete"
+ end: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
diff --git a/playbooks/openshift-hosted/private/create_persistent_volumes.yml b/playbooks/openshift-hosted/private/create_persistent_volumes.yml
new file mode 100644
index 000000000..41ae2eb69
--- /dev/null
+++ b/playbooks/openshift-hosted/private/create_persistent_volumes.yml
@@ -0,0 +1,5 @@
+---
+- name: Create Hosted Resources - persistent volumes
+ hosts: oo_first_master
+ roles:
+ - role: openshift_persistent_volumes
diff --git a/playbooks/openshift-hosted/private/install_docker_gc.yml b/playbooks/openshift-hosted/private/install_docker_gc.yml
new file mode 100644
index 000000000..03eb542d3
--- /dev/null
+++ b/playbooks/openshift-hosted/private/install_docker_gc.yml
@@ -0,0 +1,7 @@
+---
+- name: Install docker gc
+ hosts: oo_first_master
+ gather_facts: false
+ tasks:
+ - import_role:
+ name: openshift_docker_gc
diff --git a/playbooks/openshift-hosted/private/openshift_default_storage_class.yml b/playbooks/openshift-hosted/private/openshift_default_storage_class.yml
new file mode 100644
index 000000000..62fe0dd60
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_default_storage_class.yml
@@ -0,0 +1,6 @@
+---
+- name: Create Hosted Resources - openshift_default_storage_class
+ hosts: oo_first_master
+ roles:
+ - role: openshift_default_storage_class
+ when: openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce' or openshift_cloudprovider_kind == 'openstack')
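Review bot: The `when:` on the role repeats `openshift_cloudprovider_kind ==` once per provider, which makes the line long and easy to get wrong when a provider is added. A membership test with a default covers the undefined case in the same expression: `when: openshift_cloudprovider_kind | default('') in ['aws', 'gce', 'openstack']`.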
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml b/playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml
new file mode 100644
index 000000000..b09432da2
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml
@@ -0,0 +1,7 @@
+---
+- name: Create Hosted Resources - openshift projects
+ hosts: oo_first_master
+ tasks:
+ - import_role:
+ name: openshift_hosted
+ tasks_from: create_projects.yml
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_registry.yml b/playbooks/openshift-hosted/private/openshift_hosted_registry.yml
new file mode 100644
index 000000000..659c95eda
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_hosted_registry.yml
@@ -0,0 +1,13 @@
+---
+- name: Create Hosted Resources - registry
+ hosts: oo_first_master
+ tasks:
+ - set_fact:
+ openshift_hosted_registry_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
+ when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master"
+ - import_role:
+ name: openshift_hosted
+ tasks_from: registry.yml
+ when:
+ - openshift_hosted_manage_registry | default(True) | bool
+ - openshift_hosted_registry_registryurl is defined
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml b/playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml
new file mode 100644
index 000000000..cfc47c9b2
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml
@@ -0,0 +1,13 @@
+---
+# This playbook waits for registry and router pods after both have been
+# created. It is intended to allow the tasks of deploying both to complete
+# before polling to save time.
+- name: Poll for hosted pod deployments
+ hosts: oo_first_master
+ tasks:
+ - import_role:
+ name: openshift_hosted
+ tasks_from: registry_storage.yml
+ when:
+ - openshift_hosted_manage_registry | default(True) | bool
+ - openshift_hosted_registry_registryurl is defined
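Review bot: The header comment and the play name in this new file are identical to those in openshift_hosted_wait_for_pods.yml, yet the play imports `tasks_from: registry_storage.yml` and polls nothing visible here. Anyone reading a run log will see two plays named `Poll for hosted pod deployments` and cannot tell them apart. Assuming the imported tasks set up registry storage, I would rename the play to something like `- name: Create Hosted Resources - registry storage` and replace the comment with one line that says what this play does.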
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_router.yml b/playbooks/openshift-hosted/private/openshift_hosted_router.yml
new file mode 100644
index 000000000..353377189
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_hosted_router.yml
@@ -0,0 +1,13 @@
+---
+- name: Create Hosted Resources - router
+ hosts: oo_first_master
+ tasks:
+ - set_fact:
+ openshift_hosted_router_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
+ when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master"
+ - import_role:
+ name: openshift_hosted
+ tasks_from: router.yml
+ when:
+ - openshift_hosted_manage_router | default(True) | bool
+ - openshift_hosted_router_registryurl is defined
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml b/playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml
new file mode 100644
index 000000000..1f6868c2a
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml
@@ -0,0 +1,26 @@
+---
+# This playbook waits for registry and router pods after both have been
+# created. It is intended to allow the tasks of deploying both to complete
+# before polling to save time.
+- name: Poll for hosted pod deployments
+ hosts: oo_first_master
+ tasks:
+ - import_role:
+ name: openshift_hosted
+ tasks_from: wait_for_pod.yml
+ vars:
+ l_openshift_hosted_wait_for_pod: "{{ openshift_hosted_router_wait }}"
+ l_openshift_hosted_wfp_items: "{{ openshift_hosted_routers }}"
+ when:
+ - openshift_hosted_manage_router | default(True) | bool
+ - openshift_hosted_router_registryurl is defined
+
+ - import_role:
+ name: openshift_hosted
+ tasks_from: wait_for_pod.yml
+ vars:
+ l_openshift_hosted_wait_for_pod: "{{ openshift_hosted_registry_wait }}"
+ l_openshift_hosted_wfp_items: "{{ r_openshift_hosted_registry_list }}"
+ when:
+ - openshift_hosted_manage_registry | default(True) | bool
+ - openshift_hosted_registry_registryurl is defined
diff --git a/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml
new file mode 100644
index 000000000..b817221b8
--- /dev/null
+++ b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml
@@ -0,0 +1,100 @@
+---
+- name: Update registry certificates
+ hosts: oo_first_master
+ vars:
+ roles:
+ - lib_openshift
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ changed_when: false
+
+ - name: Copy admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+ changed_when: false
+
+ - name: Determine if docker-registry exists
+ command: >
+ {{ openshift_client_binary }} get dc/docker-registry -o json
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n default
+ register: l_docker_registry_dc
+ failed_when: false
+ changed_when: false
+
+ - set_fact:
+ docker_registry_env_vars: "{{ ((l_docker_registry_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
+ | lib_utils_oo_collect('name'))
+ | default([]) }}"
+ docker_registry_secrets: "{{ ((l_docker_registry_dc.stdout | from_json)['spec']['template']['spec']['volumes']
+ | lib_utils_oo_collect('secret')
+ | lib_utils_oo_collect('secretName'))
+ | default([]) }}"
+ changed_when: false
+ when: l_docker_registry_dc.rc == 0
+
+ # Replace dc/docker-registry environment variable certificate data if set.
+ - name: Update docker-registry environment variables
+ shell: >
+ {{ openshift_client_binary }} env dc/docker-registry
+ OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
+ OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-registry.crt)"
+ OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-registry.key)"
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n default
+ when: l_docker_registry_dc.rc == 0 and 'OPENSHIFT_CA_DATA' in docker_registry_env_vars and 'OPENSHIFT_CERT_DATA' in docker_registry_env_vars and 'OPENSHIFT_KEY_DATA' in docker_registry_env_vars
+
+ # Replace dc/docker-registry certificate secret contents if set.
+ - block:
+ - name: Retrieve registry service IP
+ oc_service:
+ namespace: default
+ name: docker-registry
+ state: list
+ register: docker_registry_service_ip
+ changed_when: false
+
+ - set_fact:
+ docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+ changed_when: false
+
+ - name: Generate registry certificate
+ command: >
+ {{ openshift_client_binary }} adm ca create-server-cert
+ --signer-cert={{ openshift.common.config_base }}/master/ca.crt
+ --signer-key={{ openshift.common.config_base }}/master/ca.key
+ --signer-serial={{ openshift.common.config_base }}/master/ca.serial.txt
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc,docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
+ --cert={{ openshift.common.config_base }}/master/registry.crt
+ --key={{ openshift.common.config_base }}/master/registry.key
+ --expire-days={{ openshift_hosted_registry_cert_expire_days | default(730) }}
+
+ - name: Update registry certificates secret
+ oc_secret:
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ name: registry-certificates
+ namespace: default
+ state: present
+ files:
+ - name: registry.crt
+ path: "{{ openshift.common.config_base }}/master/registry.crt"
+ - name: registry.key
+ path: "{{ openshift.common.config_base }}/master/registry.key"
+ run_once: true
+ when: l_docker_registry_dc.rc == 0 and 'registry-certificates' in docker_registry_secrets and 'REGISTRY_HTTP_TLS_CERTIFICATE' in docker_registry_env_vars and 'REGISTRY_HTTP_TLS_KEY' in docker_registry_env_vars
+
+ - name: Redeploy docker registry
+ command: >
+ {{ openshift_client_binary }} deploy dc/docker-registry
+ --latest
+ --config={{ mktemp.stdout }}/admin.kubeconfig
+ -n default
+
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
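Review bot: The `Update docker-registry environment variables` task expands `$(cat /etc/origin/master/openshift-registry.key)` into the arguments of the client command, so the registry's private key sits on that process's command line, where other local users on the master can read it from the process list while it runs. The secret-based block further down in this hunk passes file paths to `oc_secret` rather than file contents, which is the safer way to deliver the key. If the environment-variable form has to stay, a comment such as `# key material is passed as a command argument here; keep local access to the master restricted` would at least record the exposure. These lines also hard-code `/etc/origin/master` while the rest of the play uses `{{ openshift.common.config_base }}/master`, so an overridden config base would make them read a different directory. The `Update router environment variables` task in the redeploy-router-certificates.yml hunk follows the same pattern.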
diff --git a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
new file mode 100644
index 000000000..0df748f47
--- /dev/null
+++ b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
@@ -0,0 +1,141 @@
+---
+- name: Update router certificates
+ hosts: oo_first_master
+ vars:
+ roles:
+ - lib_openshift
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: router_cert_redeploy_tempdir
+ changed_when: false
+
+ - name: Copy admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ changed_when: false
+
+ - name: Determine if router exists
+ command: >
+ {{ openshift_client_binary }} get dc/router -o json
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ -n default
+ register: l_router_dc
+ failed_when: false
+ changed_when: false
+
+ - name: Determine if router service exists
+ command: >
+ {{ openshift_client_binary }} get svc/router -o json
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ -n default
+ register: l_router_svc
+ failed_when: false
+ changed_when: false
+
+ - name: Collect router environment variables and secrets
+ set_fact:
+ router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
+ | lib_utils_oo_collect('name'))
+ | default([]) }}"
+ router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes']
+ | lib_utils_oo_collect('secret')
+ | lib_utils_oo_collect('secretName'))
+ | default([]) }}"
+ changed_when: false
+ when: l_router_dc.rc == 0
+
+ - name: Collect router service annotations
+ set_fact:
+ router_service_annotations: "{{ (l_router_svc.stdout | from_json)['metadata']['annotations'] if 'annotations' in (l_router_svc.stdout | from_json)['metadata'] else [] }}"
+ when: l_router_svc.rc == 0
+
+ - name: Update router environment variables
+ shell: >
+ {{ openshift_client_binary }} env dc/router
+ OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
+ OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
+ OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ -n default
+ when:
+ - l_router_dc.rc == 0
+ - ('OPENSHIFT_CA_DATA' in router_env_vars)
+ - ('OPENSHIFT_CERT_DATA' in router_env_vars)
+ - ('OPENSHIFT_KEY_DATA' in router_env_vars)
+
+ # When the router service contains service signer annotations we
+ # will delete the existing certificate secret and allow OpenShift to
+ # replace the secret.
+ - block:
+ - name: Delete existing router certificate secret
+ oc_secret:
+ kubeconfig: "{{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig"
+ name: router-certs
+ namespace: default
+ state: absent
+ run_once: true
+
+ - name: Remove router service annotations
+ command: >
+ {{ openshift_client_binary }} annotate service/router
+ service.alpha.openshift.io/serving-cert-secret-name-
+ service.alpha.openshift.io/serving-cert-signed-by-
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ -n default
+
+ - name: Add serving-cert-secret annotation to router service
+ command: >
+ {{ openshift_client_binary }} annotate service/router
+ service.alpha.openshift.io/serving-cert-secret-name=router-certs
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ -n default
+ when:
+ - l_router_dc.rc == 0
+ - l_router_svc.rc == 0
+ - ('router-certs' in router_secrets)
+ - openshift_hosted_router_certificate is undefined
+ - ('service.alpha.openshift.io/serving-cert-secret-name') in router_service_annotations
+ - ('service.alpha.openshift.io/serving-cert-signed-by') in router_service_annotations
+
+ # When there are no annotations on the router service we will allow
+ # the openshift_hosted role to either create a new wildcard
+ # certificate (since we deleted the original) or reapply a custom
+ # openshift_hosted_router_certificate.
+ - file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/origin/master/openshift-router.crt
+ - /etc/origin/master/openshift-router.key
+ when:
+ - l_router_dc.rc == 0
+ - l_router_svc.rc == 0
+ - ('router-certs' in router_secrets)
+ - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
+ - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations
+
+ - import_role:
+ name: openshift_hosted
+ tasks_from: main
+ vars:
+ openshift_hosted_manage_registry: false
+ when:
+ - l_router_dc.rc == 0
+ - l_router_svc.rc == 0
+ - ('router-certs' in router_secrets)
+ - ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
+ - ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations
+
+ - name: Redeploy router
+ command: >
+ {{ openshift_client_binary }} deploy dc/router
+ --latest
+ --config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
+ -n default
+
+ - name: Delete temp directory
+ file:
+ name: "{{ router_cert_redeploy_tempdir.stdout }}"
+ state: absent
+ changed_when: False
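Review bot: The copy of `admin.kubeconfig` placed in the `mktemp` directory is removed only by the final `Delete temp directory` task, so a failure in any task in between leaves the admin client config behind under `/tmp`. The two `get` tasks set `failed_when: false`, but the `annotate`, `deploy`, secret and imported-role tasks can all stop the play before cleanup. Wrapping everything between the copy and the cleanup in a `block:` and moving the `file` task with `state: absent` into its `always:` section would make the removal unconditional. The redeploy-registry-certificates.yml hunk has the same structure and would need the same change.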
diff --git a/playbooks/openshift-hosted/private/roles b/playbooks/openshift-hosted/private/roles
new file mode 120000
index 000000000..20c4c58cf
--- /dev/null
+++ b/playbooks/openshift-hosted/private/roles
@@ -0,0 +1 @@
+../../../roles \ No newline at end of file
diff --git a/playbooks/openshift-hosted/redeploy-registry-certificates.yml b/playbooks/openshift-hosted/redeploy-registry-certificates.yml
new file mode 100644
index 000000000..518a1d624
--- /dev/null
+++ b/playbooks/openshift-hosted/redeploy-registry-certificates.yml
@@ -0,0 +1,4 @@
+---
+- import_playbook: ../init/main.yml
+
+- import_playbook: private/redeploy-registry-certificates.yml
diff --git a/playbooks/openshift-hosted/redeploy-router-certificates.yml b/playbooks/openshift-hosted/redeploy-router-certificates.yml
new file mode 100644
index 000000000..a74dd8c79
--- /dev/null
+++ b/playbooks/openshift-hosted/redeploy-router-certificates.yml
@@ -0,0 +1,4 @@
+---
+- import_playbook: ../init/main.yml
+
+- import_playbook: private/redeploy-router-certificates.yml