diff options
Diffstat (limited to 'playbooks')
| -rw-r--r-- | playbooks/adhoc/bootstrap-fedora.yml | 2 | ||||
| -rw-r--r-- | playbooks/byo/openshift_facts.yml | 2 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/additional_config.yml | 2 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/openshift_hosted.yml | 23 | ||||
| l--------- | playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/nuke_images.sh | 1 | ||||
| -rw-r--r-- | playbooks/common/openshift-etcd/config.yml | 117 | ||||
| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 256 | ||||
| -rw-r--r-- | playbooks/common/openshift-master/scaleup.yml | 9 | ||||
| -rw-r--r-- | playbooks/common/openshift-node/config.yml | 208 |
9 files changed, 144 insertions, 476 deletions
diff --git a/playbooks/adhoc/bootstrap-fedora.yml b/playbooks/adhoc/bootstrap-fedora.yml index b380a74d6..5ca383a37 100644 --- a/playbooks/adhoc/bootstrap-fedora.yml +++ b/playbooks/adhoc/bootstrap-fedora.yml @@ -1,4 +1,4 @@ - hosts: OSEv3 tasks: - name: install python and deps for ansible modules - raw: dnf install -y python2 python2-dnf libselinux-python libsemanage-python python2-firewall + raw: dnf install -y python2 python2-dnf libselinux-python libsemanage-python python2-firewall pyOpenSSL python-cryptography diff --git a/playbooks/byo/openshift_facts.yml b/playbooks/byo/openshift_facts.yml index d966b58fd..8c0708df0 100644 --- a/playbooks/byo/openshift_facts.yml +++ b/playbooks/byo/openshift_facts.yml @@ -10,7 +10,7 @@ - add_host: name: "{{ item }}" groups: l_oo_all_hosts - with_items: g_all_hosts + with_items: "{{ g_all_hosts }}" - hosts: l_oo_all_hosts gather_facts: no diff --git a/playbooks/common/openshift-cluster/additional_config.yml b/playbooks/common/openshift-cluster/additional_config.yml index a34322754..e9fb3de96 100644 --- a/playbooks/common/openshift-cluster/additional_config.yml +++ b/playbooks/common/openshift-cluster/additional_config.yml @@ -19,8 +19,6 @@ - role: openshift_examples registry_url: "{{ openshift.master.registry_url }}" when: openshift.common.install_examples | bool - - role: openshift_cluster_metrics - when: openshift.common.use_cluster_metrics | bool - role: openshift_manageiq when: openshift.common.use_manageiq | bool - role: cockpit diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index c3077e3c2..4d4a09828 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -15,4 +15,27 @@ openshift_hosted_registry_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}" when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master" roles: + - role: openshift_cli + - role: openshift_hosted_facts + - role: openshift_projects + # TODO: Move standard project definitions to openshift_hosted/vars/main.yml + # Vars are not accessible in meta/main.yml in ansible-1.9.x + openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - hostnetwork + when: openshift.common.version_gte_3_2_or_1_2 + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + - registry + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - privileged + when: not openshift.common.version_gte_3_2_or_1_2 + - role: openshift_metrics + when: openshift.hosted.metrics.deploy | bool - role: openshift_hosted diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/nuke_images.sh b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/nuke_images.sh new file mode 120000 index 000000000..49a51bba9 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/nuke_images.sh @@ -0,0 +1 @@ +../files/nuke_images.sh
\ No newline at end of file diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml index a95de8cf3..1b8106e0e 100644 --- a/playbooks/common/openshift-etcd/config.yml +++ b/playbooks/common/openshift-etcd/config.yml @@ -1,119 +1,10 @@ --- -- name: Set etcd facts needed for generating certs +- name: Configure etcd hosts: oo_etcd_to_config any_errors_fatal: true roles: - - openshift_facts - tasks: - - openshift_facts: - role: etcd - local_facts: - etcd_image: "{{ osm_etcd_image | default(None) }}" - - name: Check status of etcd certificates - stat: - path: "{{ item }}" - with_items: - - /etc/etcd/server.crt - - /etc/etcd/peer.crt - - /etc/etcd/ca.crt - register: g_etcd_server_cert_stat_result - - set_fact: - etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - etcd_cert_subdir: etcd-{{ openshift.common.hostname }} - etcd_cert_config_dir: /etc/etcd - etcd_cert_prefix: - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - -- name: Create temp directory for syncing certs - hosts: localhost - connection: local - become: no - gather_facts: no - tasks: - - name: Create local temp directory for syncing certs - local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX - register: g_etcd_mktemp - changed_when: False - -- name: Configure etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - etcd_needing_server_certs: "{{ hostvars - | oo_select_keys(groups['oo_etcd_to_config']) - | oo_filter_list(filter_attr='etcd_server_certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - roles: - - openshift_etcd_certificates - post_tasks: - - name: Create a tarball of the etcd certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -# Configure a first etcd host to avoid conflicts in choosing a leader -# if other members come online too quickly. -- name: Configure first etcd host - hosts: oo_first_etcd - vars: - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - etcd_url_scheme: https - etcd_peer_url_scheme: https - etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ etcd_cert_config_dir }}" - state: directory - - name: Unarchive the tarball on the etcd host - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_server_certs_missing - roles: - - openshift_etcd - - nickhammond.logrotate - -# Configure the remaining etcd hosts, skipping the first one we dealt with above. -- name: Configure remaining etcd hosts - hosts: oo_etcd_to_config:!oo_first_etcd - vars: - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - etcd_url_scheme: https - etcd_peer_url_scheme: https + - role: openshift_etcd etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ etcd_cert_config_dir }}" - state: directory - - name: Unarchive the tarball on the etcd host - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_server_certs_missing - roles: - - openshift_etcd + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" - role: nickhammond.logrotate - -- name: Delete temporary directory on localhost - hosts: localhost - connection: local - become: no - gather_facts: no - tasks: - - file: name={{ g_etcd_mktemp.stdout }} state=absent - changed_when: False diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index bb8fb77b6..1d818eea0 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -1,5 +1,5 @@ --- -- name: Set master facts and determine if external etcd certs need to be generated +- name: Set master facts hosts: oo_masters_to_config vars: t_oo_option_master_debug_level: "{{ lookup('oo_option', 'openshift_master_debug_level') }}" @@ -73,23 +73,6 @@ openshift_env: openshift_hosted_registry_storage_kind: 'nfs' when: openshift_hosted_registry_storage_kind is not defined and groups.oo_nfs_to_config is defined and groups.oo_nfs_to_config | length > 0 - - name: Check status of external etcd certificatees - stat: - path: "{{ openshift.common.config_base }}/master/{{ item }}" - with_items: - - master.etcd-client.crt - - master.etcd-ca.crt - register: g_external_etcd_cert_stat_result - - set_fact: - etcd_client_certs_missing: "{{ g_external_etcd_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - etcd_cert_subdir: openshift-master-{{ openshift.common.hostname }} - etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" - etcd_cert_prefix: master.etcd- - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config - name: Create temp directory for syncing certs hosts: localhost @@ -102,133 +85,6 @@ register: g_master_mktemp changed_when: False -- name: Configure etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - etcd_needing_client_certs: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config']) - | default([]) - | oo_filter_list(filter_attr='etcd_client_certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - roles: - - openshift_etcd_certificates - post_tasks: - - name: Create a tarball of the etcd certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Copy the external etcd certs to the masters - hosts: oo_masters_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/master" - state: directory - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - file: - path: "{{ etcd_cert_config_dir }}/{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - master.etcd-client.crt - - master.etcd-client.key - - master.etcd-ca.crt - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - -- name: Determine if master certificates need to be generated - hosts: oo_first_master:oo_masters_to_config - tasks: - - set_fact: - openshift_master_certs_no_etcd: - - admin.crt - - master.kubelet-client.crt - - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" - - master.server.crt - - openshift-master.crt - - openshift-registry.crt - - openshift-router.crt - - etcd.server.crt - openshift_master_certs_etcd: - - master.etcd-client.crt - - - set_fact: - openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}" - - - name: Check status of master certificates - stat: - path: "{{ openshift.common.config_base }}/master/{{ item }}" - with_items: "{{ openshift_master_certs }}" - register: g_master_cert_stat_result - - set_fact: - master_certs_missing: "{{ False in (g_master_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list ) }}" - master_cert_subdir: master-{{ openshift.common.hostname }} - master_cert_config_dir: "{{ openshift.common.config_base }}/master" - -- name: Configure master certificates - hosts: oo_first_master - vars: - master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs" - masters_needing_certs: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master'])) - | oo_filter_list(filter_attr='master_certs_missing') }}" - master_hostnames: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config']) - | oo_collect('openshift.common.all_hostnames') - | oo_flatten | unique }}" - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - roles: - - openshift_master_certificates - post_tasks: - - name: Remove generated etcd client certs when using external etcd - file: - path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" - state: absent - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config - with_nested: - - "{{ masters_needing_certs | default([]) }}" - - - master.etcd-client.crt - - master.etcd-client.key - - - name: Create a tarball of the master certs - command: > - tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz - -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} . - args: - creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz" - with_items: "{{ masters_needing_certs | default([]) }}" - - - name: Retrieve the master cert tarball from the master - fetch: - src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ masters_needing_certs | default([]) }}" - - name: Check for cached session secrets hosts: oo_first_master roles: @@ -243,7 +99,7 @@ - name: Generate master session secrets hosts: oo_first_master vars: - g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}" + g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([])) | length > 0 and (openshift.master.session_encryption_secrets | default([])) | length > 0 }}" g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}" g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}" roles: @@ -256,58 +112,9 @@ session_encryption_secrets: "{{ g_session_encryption_secrets }}" when: not g_session_secrets_present | bool -- name: Parse named certificates - hosts: localhost - connection: local - become: no - vars: - internal_hostnames: "{{ hostvars[groups.oo_first_master.0].openshift.common.internal_hostnames }}" - named_certificates: "{{ hostvars[groups.oo_first_master.0].openshift_master_named_certificates | default([]) }}" - named_certificates_dir: "{{ hostvars[groups.oo_first_master.0].master_cert_config_dir }}/named_certificates/" - tasks: - - set_fact: - parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certificates_dir, internal_hostnames) }}" - when: named_certificates | length > 0 - -- name: Deploy named certificates - hosts: oo_masters_to_config - vars: - named_certs_dir: "{{ master_cert_config_dir }}/named_certificates/" - named_certs_specified: "{{ openshift_master_named_certificates is defined }}" - overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}" - roles: - - role: openshift_facts - post_tasks: - - openshift_facts: - role: master - local_facts: - named_certificates: "{{ hostvars.localhost.parsed_named_certificates | default([]) }}" - additive_facts_to_overwrite: - - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}" - - name: Clear named certificates - file: - path: "{{ named_certs_dir }}" - state: absent - when: overwrite_named_certs | bool - - name: Ensure named certificate directory exists - file: - path: "{{ named_certs_dir }}" - state: directory - mode: 0700 - when: named_certs_specified | bool - - name: Land named certificates - copy: src="{{ item.certfile }}" dest="{{ named_certs_dir }}" - with_items: openshift_master_named_certificates - when: named_certs_specified | bool - - name: Land named certificate keys - copy: src="{{ item.keyfile }}" dest="{{ named_certs_dir }}" mode=0600 - with_items: openshift_master_named_certificates - when: named_certs_specified | bool - - name: Configure masters hosts: oo_masters_to_config any_errors_fatal: true - serial: 1 vars: sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" openshift_master_ha: "{{ openshift.master.ha }}" @@ -319,21 +126,52 @@ | union(groups['oo_etcd_to_config'] | default([]))) | oo_collect('openshift.common.hostname') | default([]) | join (',') }}" - when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and - openshift_generate_no_proxy_hosts | default(True) | bool }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/master" - state: directory - when: master_certs_missing | bool and 'oo_first_master' not in group_names - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz" - dest: "{{ master_cert_config_dir }}" - when: master_certs_missing | bool and 'oo_first_master' not in group_names roles: - - openshift_master + - role: openshift_master_facts + - role: openshift_hosted_facts + - role: openshift_master_certificates + openshift_ca_host: "{{ groups.oo_first_master.0 }}" + openshift_master_etcd_hosts: "{{ hostvars + | oo_select_keys(groups['oo_etcd_to_config'] | default([])) + | oo_collect('openshift.common.hostname') + | default(none, true) }}" + openshift_master_hostnames: "{{ hostvars + | oo_select_keys(groups['oo_masters_to_config'] | default([])) + | oo_collect('openshift.common.all_hostnames') + | oo_flatten | unique }}" + - role: openshift_etcd_client_certificates + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" + etcd_cert_prefix: "master.etcd-" + when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config + - role: openshift_clock + - role: openshift_cloud_provider + - role: openshift_builddefaults + - role: os_firewall + os_firewall_allow: + - service: etcd embedded + port: 4001/tcp + - service: api server https + port: "{{ openshift.master.api_port }}/tcp" + - service: api controllers https + port: "{{ openshift.master.controllers_port }}/tcp" + - service: skydns tcp + port: "{{ openshift.master.dns_port }}/tcp" + - service: skydns udp + port: "{{ openshift.master.dns_port }}/udp" + - service: Fluentd td-agent tcp + port: 24224/tcp + - service: Fluentd td-agent udp + port: 24224/udp + - service: pcsd + port: 2224/tcp + - service: Corosync UDP + port: 5404/udp + - service: Corosync UDP + port: 5405/udp + - role: openshift_master + openshift_master_hosts: "{{ groups.oo_masters_to_config }}" - role: nickhammond.logrotate - role: nuage_master when: openshift.common.use_nuage | bool diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml index 6e6cb3e01..7304fca56 100644 --- a/playbooks/common/openshift-master/scaleup.yml +++ b/playbooks/common/openshift-master/scaleup.yml @@ -33,7 +33,12 @@ service: name={{ openshift.common.service_type }}-master-controllers state=restarted - name: verify api server command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' @@ -53,4 +58,6 @@ - include: ../openshift-master/config.yml +- include: ../openshift-loadbalancer/config.yml + - include: ../openshift-node/config.yml diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 80659dc52..c56353430 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -19,23 +19,6 @@ labels: "{{ openshift_node_labels | default(None) }}" annotations: "{{ openshift_node_annotations | default(None) }}" schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" - - name: Check status of node certificates - stat: - path: "{{ openshift.common.config_base }}/node/{{ item }}" - with_items: - - "system:node:{{ openshift.common.hostname }}.crt" - - "system:node:{{ openshift.common.hostname }}.key" - - "system:node:{{ openshift.common.hostname }}.kubeconfig" - - ca.crt - - server.key - - server.crt - register: stat_result - - set_fact: - certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - node_subdir: node-{{ openshift.common.hostname }} - config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}" - node_cert_dir: "{{ openshift.common.config_base }}/node" - name: Create temp directory for syncing certs hosts: localhost @@ -48,53 +31,6 @@ register: mktemp changed_when: False -- name: Create node certificates - hosts: oo_first_master - vars: - nodes_needing_certs: "{{ hostvars - | oo_select_keys(groups['oo_nodes_to_config'] - | default([])) - | oo_filter_list(filter_attr='certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - roles: - - openshift_node_certificates - post_tasks: - - name: Create a tarball of the node config directories - command: > - tar -czvf {{ item.config_dir }}.tgz - --transform 's|system:{{ item.node_subdir }}|node|' - -C {{ item.config_dir }} . - args: - creates: "{{ item.config_dir }}.tgz" - with_items: "{{ nodes_needing_certs | default([]) }}" - - - name: Retrieve the node config tarballs from the master - fetch: - src: "{{ item.config_dir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ nodes_needing_certs | default([]) }}" - -- name: Deploy node certificates - hosts: oo_nodes_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ node_cert_dir }}" - state: directory - # TODO: notify restart node - # possibly test service started time against certificate/config file - # timestamps in node to trigger notify - - name: Unarchive the tarball on the node - unarchive: - src: "{{ sync_tmpdir }}/{{ node_subdir }}.tgz" - dest: "{{ node_cert_dir }}" - when: certs_missing - - name: Evaluate node groups hosts: localhost become: no @@ -124,7 +60,30 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - openshift_node + - role: openshift_clock + - role: openshift_docker + - role: openshift_node_certificates + openshift_ca_host: "{{ groups.oo_first_master.0 }}" + - role: openshift_cloud_provider + - role: openshift_common + - role: openshift_node_dnsmasq + when: openshift.common.use_dnsmasq + - role: os_firewall + os_firewall_allow: + - service: Kubernetes kubelet + port: 10250/tcp + - service: http + port: 80/tcp + - service: https + port: 443/tcp + - service: Openshift kubelet ReadOnlyPort + port: 10255/tcp + - service: Openshift kubelet ReadOnlyPort udp + port: 10255/udp + - service: OpenShift OVS sdn + port: 4789/udp + when: openshift.node.use_openshift_sdn | bool + - role: openshift_node - name: Configure node instances hosts: oo_nodes_to_config:!oo_containerized_master_nodes @@ -140,96 +99,42 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - openshift_node - -- name: Gather and set facts for flannel certificatess - hosts: oo_nodes_to_config - tasks: - - name: Check status of flannel external etcd certificates - stat: - path: "{{ openshift.common.config_base }}/node/{{ item }}" - with_items: - - node.etcd-client.crt - - node.etcd-ca.crt - register: g_external_etcd_flannel_cert_stat_result - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config and (openshift.common.use_flannel | bool) - - set_fact: - etcd_client_flannel_certs_missing: "{{ False in g_external_etcd_flannel_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list }}" - etcd_cert_subdir: openshift-node-{{ openshift.common.hostname }} - etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" - etcd_cert_prefix: node.etcd- - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config | length > 0 and (openshift.common.use_flannel | bool) - -- name: Configure flannel etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - pre_tasks: - - set_fact: - etcd_needing_client_certs: "{{ hostvars - | oo_select_keys(groups['oo_nodes_to_config']) - | oo_filter_list('etcd_client_flannel_certs_missing') | default([]) }}" - roles: - - role: openshift_etcd_certificates - when: openshift_use_flannel | default(false) | bool - post_tasks: - - name: Create a tarball of the etcd flannel certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Copy the external etcd flannel certs to the nodes - hosts: oo_nodes_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/node" - state: directory - when: etcd_client_flannel_certs_missing | default(false) | bool - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_client_flannel_certs_missing | default(false) | bool - - file: - path: "{{ etcd_cert_config_dir }}/{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - node.etcd-client.crt - - node.etcd-client.key - - node.etcd-ca.crt - when: etcd_client_flannel_certs_missing | default(false) | bool - + - role: openshift_clock + - role: openshift_docker + - role: openshift_node_certificates + openshift_ca_host: "{{ groups.oo_first_master.0 }}" + - role: openshift_cloud_provider + - role: openshift_common + - role: openshift_node_dnsmasq + when: openshift.common.use_dnsmasq + - role: os_firewall + os_firewall_allow: + - service: Kubernetes kubelet + port: 10250/tcp + - service: http + port: 80/tcp + - service: https + port: 443/tcp + - service: Openshift kubelet ReadOnlyPort + port: 10255/tcp + - service: Openshift kubelet ReadOnlyPort udp + port: 10255/udp + - service: OpenShift OVS sdn + port: 4789/udp + when: openshift.node.use_openshift_sdn | bool + - role: openshift_node - name: Additional node config hosts: oo_nodes_to_config vars: - # TODO: Prefix flannel role variables. openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" - etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" - embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" roles: - role: flannel + etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" + embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" when: openshift.common.use_flannel | bool - role: nuage_node when: openshift.common.use_nuage | bool @@ -263,7 +168,12 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' |