summaryrefslogtreecommitdiffstats
path: root/playbooks
diff options
context:
space:
mode:
Diffstat (limited to 'playbooks')
-rw-r--r--playbooks/common/openshift-cluster/upgrades/post_control_plane.yml3
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml23
-rw-r--r--playbooks/openshift-etcd/private/upgrade_main.yml33
-rw-r--r--playbooks/openshift-hosted/private/redeploy-registry-certificates.yml3
-rw-r--r--playbooks/openshift-hosted/private/redeploy-router-certificates.yml3
-rw-r--r--playbooks/openshift-logging/private/config.yml41
6 files changed, 74 insertions, 32 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index f44ab3580..9c927c0a1 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -119,6 +119,9 @@
- shell: >
echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
register: cert_output
+ changed_when: false
+ failed_when:
+ - cert_output.rc not in [0, 1]
# Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
- name: set a fact to include the registry certs playbook if needed
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index c4a28275a..40e245d75 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -3,29 +3,6 @@
# Upgrade Masters
###############################################################################
-# Prior to 3.6, openshift-ansible created etcd serving certificates
-# without a SubjectAlternativeName entry for the system hostname. The
-# SAN list in Go 1.8 is now (correctly) authoritative and since
-# openshift-ansible configures masters to talk to etcd hostnames
-# rather than IP addresses, we must correct etcd certificates.
-#
-# This play examines the etcd serving certificate SANs on each etcd
-# host and records whether or not the system hostname is missing.
-- name: Examine etcd serving certificate SAN
- hosts: oo_etcd_to_config
- tasks:
- - slurp:
- src: /etc/etcd/server.crt
- register: etcd_serving_cert
- - set_fact:
- __etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}"
-
-# Redeploy etcd certificates when hostnames were missing from etcd
-# serving certificate SANs.
-- import_playbook: ../../../openshift-etcd/redeploy-certificates.yml
- when:
- - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
-
- name: Backup and upgrade etcd
import_playbook: ../../../openshift-etcd/private/upgrade_main.yml
diff --git a/playbooks/openshift-etcd/private/upgrade_main.yml b/playbooks/openshift-etcd/private/upgrade_main.yml
index 8997680f9..fea588260 100644
--- a/playbooks/openshift-etcd/private/upgrade_main.yml
+++ b/playbooks/openshift-etcd/private/upgrade_main.yml
@@ -1,4 +1,37 @@
---
+# Prior to 3.6, openshift-ansible created etcd serving certificates
+# without a SubjectAlternativeName entry for the system hostname. The
+# SAN list in Go 1.8 is now (correctly) authoritative and since
+# openshift-ansible configures masters to talk to etcd hostnames
+# rather than IP addresses, we must correct etcd certificates.
+#
+# This play examines the etcd serving certificate SANs on each etcd
+# host and records whether or not the system hostname is missing.
+- name: Examine etcd serving certificate SAN
+ hosts: oo_etcd_to_config
+ tasks:
+ - slurp:
+ src: /etc/etcd/server.crt
+ register: etcd_serving_cert
+ - set_fact:
+ __etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}"
+
+# Redeploy etcd certificates when hostnames were missing from etcd
+# serving certificate SANs.
+- import_playbook: redeploy-certificates.yml
+ when:
+ - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
+
+- import_playbook: restart.yml
+ vars:
+ g_etcd_certificates_expired: "{{ ('expired' in (hostvars | lib_utils_oo_select_keys(groups['etcd']) | lib_utils_oo_collect('check_results.check_results.etcd') | lib_utils_oo_collect('health'))) | bool }}"
+ when:
+ - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
+
+- import_playbook: ../../openshift-master/private/restart.yml
+ when:
+ - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
+
# For 1.4/3.4 we want to upgrade everyone to etcd-3.0. etcd docs say to
# upgrade from 2.0.x to 2.1.x to 2.2.x to 2.3.x to 3.0.x. While this is a tedius
# task for RHEL and CENTOS it's simply not possible in Fedora unless you've
diff --git a/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml
index b817221b8..d88209593 100644
--- a/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml
+++ b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml
@@ -88,8 +88,7 @@
- name: Redeploy docker registry
command: >
- {{ openshift_client_binary }} deploy dc/docker-registry
- --latest
+ {{ openshift_client_binary }} rollout latest dc/docker-registry
--config={{ mktemp.stdout }}/admin.kubeconfig
-n default
diff --git a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
index 0df748f47..952a5f4ee 100644
--- a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
+++ b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
@@ -129,8 +129,7 @@
- name: Redeploy router
command: >
- {{ openshift_client_binary }} deploy dc/router
- --latest
+ {{ openshift_client_binary }} rollout latest dc/router
--config={{ router_cert_redeploy_tempdir.stdout }}/admin.kubeconfig
-n default
diff --git a/playbooks/openshift-logging/private/config.yml b/playbooks/openshift-logging/private/config.yml
index 07aa8bfde..f2a57f9f8 100644
--- a/playbooks/openshift-logging/private/config.yml
+++ b/playbooks/openshift-logging/private/config.yml
@@ -11,6 +11,38 @@
status: "In Progress"
start: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
+- name: Update vm.max_map_count for ES 5.x
+ hosts: all
+ gather_facts: false
+ tasks:
+ - when:
+ - openshift_logging_es5_techpreview | default(false) | bool
+ - openshift_deployment_type in ['origin']
+ block:
+ - name: Checking vm max_map_count value
+ command:
+ cat /proc/sys/vm/max_map_count
+ register: _vm_max_map_count
+
+ - stat:
+ path: /etc/sysctl.d/99-elasticsearch.conf
+ register: _99_es_conf
+
+ - name: Check for current value of vm.max_map_count in 99-elasticsearch.conf
+ command: >
+ sed /etc/sysctl.d/99-elasticsearch.conf -e 's/vm.max_map_count=\(.*\)/\1/'
+ register: _curr_vm_max_map_count
+ when: _99_es_conf.stat.exists
+
+ - name: Updating vm.max_map_count value
+ sysctl:
+ name: vm.max_map_count
+ value: 262144
+ sysctl_file: "/etc/sysctl.d/99-elasticsearch.conf"
+ reload: yes
+ when:
+ - _vm_max_map_count.stdout | default(0) | int < 262144 | int or _curr_vm_max_map_count.stdout | default(0) | int < 262144
+
- name: OpenShift Aggregated Logging
hosts: oo_first_master
roles:
@@ -20,11 +52,10 @@
- name: Update Master configs
hosts: oo_masters:!oo_first_master
tasks:
- - block:
- - import_role:
- name: openshift_logging
- tasks_from: update_master_config
- when: not openshift.common.version_gte_3_9
+ - include_role:
+ name: openshift_logging
+ tasks_from: update_master_config
+ when: not openshift.common.version_gte_3_9
- name: Logging Install Checkpoint End
hosts: all