Diffstat (limited to 'playbooks')
21 files changed, 44 insertions, 56 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/init.yml b/playbooks/common/openshift-cluster/upgrades/init.yml
index ba783638d..a9a35b028 100644
--- a/playbooks/common/openshift-cluster/upgrades/init.yml
+++ b/playbooks/common/openshift-cluster/upgrades/init.yml
@@ -6,6 +6,7 @@ g_new_node_hosts: [] - import_playbook: ../../../init/basic_facts.yml +- import_playbook: ../../../init/base_packages.yml - import_playbook: ../../../init/cluster_facts.yml - name: Ensure firewall is not switched during upgrade
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 9c927c0a1..fafbd8d1c 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
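Review bot: The new `import_playbook: ../../../init/base_packages.yml` runs the "Install packages necessary for installer" play on `oo_all_hosts` unless the caller sets `l_base_packages_hosts`, and in this diff only v3_9/upgrade_control_plane.yml sets it; any other upgrade entry point that imports init.yml (not visible here) would now install packages on every inventory host, nodes included, during a control-plane upgrade. The rename in base_packages.yml has the same fallback: a caller still passing only `l_scale_up_hosts` silently widens to all hosts instead of failing. Consider dropping the `oo_all_hosts` default in base_packages.yml, or at least stating the widening in its header comment, e.g. `# Callers that import init.yml must set l_base_packages_hosts; the default targets every host in inventory.` The scaleup.yml playbooks under openshift-etcd, openshift-master and openshift-node do set the new variable and look fine.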
@@ -114,22 +114,26 @@ openshift_hosted_templates_import_command: replace post_tasks: - # we need to migrate customers to the new pattern of pushing to the registry via dns - # Step 1: verify the certificates have the docker registry service name - - shell: > - echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)' - register: cert_output - changed_when: false - failed_when: - - cert_output.rc not in [0, 1] - - # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs - - name: set a fact to include the registry certs playbook if needed - set_fact: - openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}" - -# Run the redeploy certs based upon the certificates -- when: hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry + # Do not perform these tasks when the registry is insecure. 
The default registry is insecure in openshift_hosted/defaults/main.yml + - when: not (openshift_docker_hosted_registry_insecure | default(True)) + block: + # we need to migrate customers to the new pattern of pushing to the registry via dns + # Step 1: verify the certificates have the docker registry service name + - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate + shell: > + echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)' + register: cert_output + changed_when: false + failed_when: + - cert_output.rc not in [0, 1] + + # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs + - name: set a fact to include the registry certs playbook if needed + set_fact: + openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}" + +# Run the redeploy certs based upon the certificates. Defaults to False for insecure registries +- when: (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool import_playbook: ../../../openshift-hosted/redeploy-registry-certificates.yml # Check for warnings to be printed at the end of the upgrade:
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
index 463a05688..4902b9ecd 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
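Review bot: The block condition `when: not (openshift_docker_hosted_registry_insecure | default(True))` never coerces to a boolean, so a value that arrives as the string "false" (what an INI inventory yields for `openshift_docker_hosted_registry_insecure=false`) is truthy, `not` of it is false, and the certificate check is skipped on precisely the secure registries it is meant to cover; the playbook-level `when` added a few lines below already applies `| bool`, so the block should match it: `- when: not (openshift_docker_hosted_registry_insecure | default(True) | bool)`. Separately, the moved shell pipeline still reports only the exit status of the final `grep -Pq`, so an unreachable registry or an unparsable certificate also yields rc 1 and is indistinguishable from "SAN not present"; if that is acceptable, a comment on `failed_when` saying so would help, otherwise fetching the certificate in its own task (failing on non-zero) and matching in a second task would separate the two cases. The play whose `post_tasks` this hunk edits starts outside the hunk.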
@@ -94,25 +94,3 @@ state: started enabled: yes with_items: "{{ master_services }}" - -# Until openshift-ansible is determining which host is the CA host we -# must (unfortunately) ensure that the first host in the etcd group is -# the etcd CA host. -# https://bugzilla.redhat.com/show_bug.cgi?id=1469358 -- name: Verify we can proceed on first etcd - hosts: oo_first_etcd - gather_facts: no - tasks: - - name: Ensure CA exists on first etcd - stat: - path: /etc/etcd/generated_certs - register: __etcd_ca_stat - - - fail: - msg: > - In order to correct an etcd certificate signing problem - upgrading may require re-generating etcd certificates. Please - ensure that the /etc/etcd/generated_certs directory exists on - the first host defined in your [etcd] group. - when: - - not __etcd_ca_stat.stat.exists | bool
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
index d0ed46a18..9c7677f1b 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
@@ -15,6 +15,7 @@ vars: l_upgrade_no_switch_firewall_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" l_init_fact_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" + l_base_packages_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" ## Check to see if they're running 3.7 and if so upgrade them to 3.8 on control plan ## If they've specified pkg_version or image_tag preserve that for later use
diff --git a/playbooks/container-runtime/private/config.yml b/playbooks/container-runtime/private/config.yml
index 5396df20a..d5312de15 100644
--- a/playbooks/container-runtime/private/config.yml
+++ b/playbooks/container-runtime/private/config.yml
@@ -12,6 +12,12 @@ - role: container_runtime tasks: - import_role: + name: openshift_excluder + tasks_from: enable.yml + vars: + r_openshift_excluder_action: enable + r_openshift_excluder_enable_openshift_excluder: false + - import_role: name: container_runtime tasks_from: package_docker.yml when:
diff --git a/playbooks/gcp/openshift-cluster/build_image.yml b/playbooks/gcp/openshift-cluster/build_image.yml
index 787de8ebc..0daf61122 100644
--- a/playbooks/gcp/openshift-cluster/build_image.yml
+++ b/playbooks/gcp/openshift-cluster/build_image.yml
@@ -62,6 +62,12 @@ timeout: 120 with_items: "{{ gce.instance_data }}" +- name: Wait for full SSH connection + hosts: nodes + gather_facts: no + tasks: + - wait_for_connection: + - hosts: nodes tasks: - name: Set facts
diff --git a/playbooks/init/base_packages.yml b/playbooks/init/base_packages.yml
index 81f4dd183..addb4f44d 100644
--- a/playbooks/init/base_packages.yml
+++ b/playbooks/init/base_packages.yml
@@ -1,8 +1,9 @@ --- -# l_scale_up_hosts may be passed in via prerequisites.yml during scaleup plays. +# l_base_packages_hosts may be passed in via prerequisites.yml during scaleup plays +# and upgrade_control_plane.yml upgrade plays. - name: Install packages necessary for installer - hosts: "{{ l_scale_up_hosts | default('oo_all_hosts') }}" + hosts: "{{ l_base_packages_hosts | default('oo_all_hosts') }}" any_errors_fatal: true tasks: - when:
diff --git a/playbooks/init/evaluate_groups.yml b/playbooks/init/evaluate_groups.yml
index e8bf1892c..81d7d63ca 100644
--- a/playbooks/init/evaluate_groups.yml
+++ b/playbooks/init/evaluate_groups.yml
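Review bot: The added `import_role` for `openshift_excluder` (`tasks_from: enable.yml` with `r_openshift_excluder_enable_openshift_excluder: false`) carries no `when`, while the `package_docker.yml` import it is placed in front of is conditional (its `when:` list continues outside the hunk). If the excluder is meant to pin docker packages only where this play actually manages them, the new task should carry the same condition; if enabling it on every host in the play is intentional, a one-line comment above it would make that explicit, e.g. `# enable the docker excluder on every host here, even where package_docker.yml is skipped`. The play header and the role list before `- role: container_runtime` are outside the hunk.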
@@ -51,7 +51,7 @@ upgrade please see https://docs.openshift.com/container-platform/latest/install_config/upgrading/migrating_embedded_etcd.html for documentation on how to migrate from embedded to external etcd. when: - - g_etcd_hosts | default([]) | length not in [5,3,1] + - g_etcd_hosts | default([]) | length == 0 - not (openshift_node_bootstrap | default(False)) - name: Evaluate oo_all_hosts
diff --git a/playbooks/openshift-etcd/private/ca.yml b/playbooks/openshift-etcd/private/ca.yml
index 72c39d546..77e7b0ed0 100644
--- a/playbooks/openshift-etcd/private/ca.yml
+++ b/playbooks/openshift-etcd/private/ca.yml
@@ -10,7 +10,6 @@ tasks_from: ca.yml vars: etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" when: - etcd_ca_setup | default(True) | bool
diff --git a/playbooks/openshift-etcd/private/certificates-backup.yml b/playbooks/openshift-etcd/private/certificates-backup.yml
index 2f9bef799..e1354de67 100644
--- a/playbooks/openshift-etcd/private/certificates-backup.yml
+++ b/playbooks/openshift-etcd/private/certificates-backup.yml
@@ -1,6 +1,6 @@ --- - name: Backup and remove generated etcd certificates - hosts: oo_first_etcd + hosts: oo_etcd_to_config any_errors_fatal: true tasks: - import_role:
diff --git a/playbooks/openshift-etcd/private/config.yml b/playbooks/openshift-etcd/private/config.yml
index 35407969e..bbc952d8e 100644
--- a/playbooks/openshift-etcd/private/config.yml
+++ b/playbooks/openshift-etcd/private/config.yml
@@ -22,7 +22,6 @@ - role: openshift_clock - role: openshift_etcd etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" - role: nickhammond.logrotate
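Review bot: Relaxing the etcd-group check from `length not in [5,3,1]` to `length == 0` means even-sized etcd groups (2, 4, …) now pass the sanity check that previously rejected them; an even member count gives etcd no more failure tolerance than the next lower odd count, so a 2-member group loses quorum on a single failure. If only the empty-group (embedded etcd) case is meant to be fatal now, the surviving failure message, which starts before this hunk, still only discusses migrating embedded etcd and says nothing about sizing, so either add a separate non-fatal warning for even counts or a comment on the condition, e.g. `# only an empty [etcd] group is fatal; odd member counts are recommended but no longer enforced`. The task's `name` and the start of its `msg` are outside the hunk.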
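Review bot: Removing `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` from the `ca.yml` import leaves this diff with no visible place where the etcd CA host is chosen, and the same removal appears in config.yml, master_etcd_certificates.yml, redeploy-ca.yml, scaleup.yml (three hunks, one also dropping `openshift_ca_host`), server_certificates.yml and etcd_client_config.yml, while verify_cluster.yml drops the preflight that required `/etc/etcd/generated_certs` on the first etcd host. Which host's CA signs peer, server and client certificates, and which host `distribute_ca.yml` presumably treats as the source, is a trust decision, so the ca.yml hunk should name where `etcd_ca_host` is now resolved, e.g. `# etcd_ca_host is no longer pinned to the first etcd host; it is set by <facts role or task — fill in>`. Related: certificates-backup.yml now runs the backup-and-remove play on `oo_etcd_to_config` instead of `oo_first_etcd`, so the imported role must tolerate etcd hosts that hold no generated certificates and must still reach the host that does; neither can be confirmed from the diff.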
diff --git a/playbooks/openshift-etcd/private/master_etcd_certificates.yml b/playbooks/openshift-etcd/private/master_etcd_certificates.yml
index d98470db2..4e4972dba 100644
--- a/playbooks/openshift-etcd/private/master_etcd_certificates.yml
+++ b/playbooks/openshift-etcd/private/master_etcd_certificates.yml
@@ -5,9 +5,7 @@ roles: - role: openshift_etcd_facts - role: openshift_etcd_client_certificates - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" etcd_cert_prefix: "master.etcd-" - openshift_ca_host: "{{ groups.oo_first_master.0 }}" when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
diff --git a/playbooks/openshift-etcd/private/redeploy-ca.yml b/playbooks/openshift-etcd/private/redeploy-ca.yml
index a3acf6945..55409e503 100644
--- a/playbooks/openshift-etcd/private/redeploy-ca.yml
+++ b/playbooks/openshift-etcd/private/redeploy-ca.yml
@@ -45,7 +45,6 @@ tasks_from: distribute_ca.yml vars: etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" - import_playbook: restart.yml # Do not restart etcd when etcd certificates were previously expired.
diff --git a/playbooks/openshift-etcd/private/scaleup.yml b/playbooks/openshift-etcd/private/scaleup.yml
index 8a9811a25..162a5eba7 100644
--- a/playbooks/openshift-etcd/private/scaleup.yml
+++ b/playbooks/openshift-etcd/private/scaleup.yml
@@ -12,8 +12,6 @@ hosts: oo_new_etcd_to_config serial: 1 any_errors_fatal: true - vars: - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" pre_tasks: - name: Add new etcd members to cluster command:
>
@@ -42,7 +40,6 @@ - role: openshift_etcd when: etcd_add_check.rc == 0 etcd_peers: "{{ groups.oo_etcd_to_config | union(groups.oo_new_etcd_to_config)| default([], true) }}" - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" etcd_initial_cluster_state: "existing" etcd_initial_cluster: "{{ etcd_add_check.stdout_lines[3] | regex_replace('ETCD_INITIAL_CLUSTER=','') | regex_replace('\"','') }}"
@@ -66,8 +63,6 @@ hosts: oo_masters_to_config serial: 1 vars: - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" - openshift_ca_host: "{{ groups.oo_first_master.0 }}" openshift_master_etcd_hosts: "{{ hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config'] | union(groups['oo_new_etcd_to_config'] | default([]) )) | lib_utils_oo_collect('openshift.common.hostname')
diff --git a/playbooks/openshift-etcd/private/server_certificates.yml b/playbooks/openshift-etcd/private/server_certificates.yml
index ebcf4a5ff..0abfe1650 100644
--- a/playbooks/openshift-etcd/private/server_certificates.yml
+++ b/playbooks/openshift-etcd/private/server_certificates.yml
@@ -9,6 +9,5 @@ name: etcd tasks_from: server_certificates.yml vars: - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
diff --git a/playbooks/openshift-etcd/scaleup.yml b/playbooks/openshift-etcd/scaleup.yml
index 656454fe3..1f8cb7391 100644
--- a/playbooks/openshift-etcd/scaleup.yml
+++ b/playbooks/openshift-etcd/scaleup.yml
@@ -32,6 +32,7 @@ l_build_container_groups_hosts: "oo_new_etcd_to_config" l_etcd_scale_up_hosts: "oo_hosts_containerized_managed_true" l_scale_up_hosts: "oo_new_etcd_to_config" + l_base_packages_hosts: "oo_new_etcd_to_config" l_init_fact_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config:oo_new_etcd_to_config" l_sanity_check_hosts: "{{ groups['oo_new_etcd_to_config'] | union(groups['oo_masters_to_config']) | union(groups['oo_etcd_to_config']) }}" when:
diff --git a/playbooks/openshift-master/private/scaleup.yml b/playbooks/openshift-master/private/scaleup.yml
index 20ebf70d3..5aaa0b156 100644
--- a/playbooks/openshift-master/private/scaleup.yml
+++ b/playbooks/openshift-master/private/scaleup.yml
@@ -45,7 +45,7 @@ - import_playbook: set_network_facts.yml -- import_playbook: ../../openshift-etcd/private/certificates.yml +- import_playbook: ../../openshift-etcd/private/master_etcd_certificates.yml - import_playbook: config.yml
diff --git a/playbooks/openshift-master/scaleup.yml b/playbooks/openshift-master/scaleup.yml
index 09e205afc..0ca5d1a61 100644
--- a/playbooks/openshift-master/scaleup.yml
+++ b/playbooks/openshift-master/scaleup.yml
@@ -32,6 +32,7 @@ - import_playbook: ../prerequisites.yml vars: l_scale_up_hosts: "oo_nodes_to_config:oo_masters_to_config" + l_base_packages_hosts: "oo_nodes_to_config:oo_masters_to_config" l_init_fact_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config:oo_nodes_to_config" l_sanity_check_hosts: "{{ groups['oo_nodes_to_config'] | union(groups['oo_masters_to_config']) }}"
diff --git a/playbooks/openshift-node/private/etcd_client_config.yml b/playbooks/openshift-node/private/etcd_client_config.yml
index c3fa38a81..148bdc769 100644
--- a/playbooks/openshift-node/private/etcd_client_config.yml
+++ b/playbooks/openshift-node/private/etcd_client_config.yml
@@ -6,6 +6,5 @@ - role: openshift_etcd_facts - role: openshift_etcd_client_certificates etcd_cert_prefix: flannel.etcd- - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
diff --git a/playbooks/openshift-node/scaleup.yml b/playbooks/openshift-node/scaleup.yml
index 9cc7263b7..bda251fa5 100644
--- a/playbooks/openshift-node/scaleup.yml
+++ b/playbooks/openshift-node/scaleup.yml
@@ -27,6 +27,7 @@ - import_playbook: ../prerequisites.yml vars: l_scale_up_hosts: "oo_nodes_to_config" + l_base_packages_hosts: "oo_nodes_to_config" l_init_fact_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config:oo_nodes_to_config" l_sanity_check_hosts: "{{ groups['oo_nodes_to_config'] | union(groups['oo_masters_to_config']) }}"
diff --git a/playbooks/openshift-prometheus/private/uninstall.yml b/playbooks/openshift-prometheus/private/uninstall.yml
index 2df39c2a8..b01f7f988 100644
--- a/playbooks/openshift-prometheus/private/uninstall.yml
+++ b/playbooks/openshift-prometheus/private/uninstall.yml
@@ -5,4 +5,4 @@ - name: Run the Prometheus Uninstall Role Tasks include_role: name: openshift_prometheus - tasks_from: uninstall + tasks_from: uninstall_prometheus |