diff options
Diffstat (limited to 'roles')
-rw-r--r-- | roles/etcd_certificates/tasks/client.yml | 8 | ||||
-rw-r--r-- | roles/etcd_certificates/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/etcd_certificates/tasks/server.yml | 12 | ||||
-rw-r--r-- | roles/openshift_docker/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_manage_node/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 18 | ||||
-rw-r--r-- | roles/openshift_master_certificates/tasks/main.yml | 8 | ||||
-rw-r--r-- | roles/openshift_node_certificates/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/openshift_serviceaccounts/tasks/main.yml | 12 | ||||
-rw-r--r-- | roles/os_firewall/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/firewalld.yml | 12 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/iptables.yml | 6 |
12 files changed, 44 insertions, 48 deletions
diff --git a/roles/etcd_certificates/tasks/client.yml b/roles/etcd_certificates/tasks/client.yml index 7bf95809f..b497a46c0 100644 --- a/roles/etcd_certificates/tasks/client.yml +++ b/roles/etcd_certificates/tasks/client.yml @@ -4,7 +4,7 @@ path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" state: directory mode: 0700 - with_items: etcd_needing_client_certs + with_items: "{{ etcd_needing_client_certs | default([]) }}" - name: Create the client csr command: > @@ -19,7 +19,7 @@ ~ item.etcd_cert_prefix ~ 'client.csr' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_client_certs + with_items: "{{ etcd_needing_client_certs | default([]) }}" - name: Sign and create the client crt command: > @@ -33,10 +33,10 @@ ~ item.etcd_cert_prefix ~ 'client.crt' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_client_certs + with_items: "{{ etcd_needing_client_certs | default([]) }}" - file: src: "{{ etcd_ca_cert }}" dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" state: hard - with_items: etcd_needing_client_certs + with_items: "{{ etcd_needing_client_certs | default([]) }}" diff --git a/roles/etcd_certificates/tasks/main.yml b/roles/etcd_certificates/tasks/main.yml index 3bb715943..17092ca58 100644 --- a/roles/etcd_certificates/tasks/main.yml +++ b/roles/etcd_certificates/tasks/main.yml @@ -1,6 +1,6 @@ --- - include: client.yml - when: etcd_needing_client_certs is defined and etcd_needing_client_certs + when: etcd_needing_client_certs | default([]) | length > 0 - include: server.yml - when: etcd_needing_server_certs is defined and etcd_needing_server_certs + when: etcd_needing_server_certs | default([]) | length > 0 diff --git a/roles/etcd_certificates/tasks/server.yml b/roles/etcd_certificates/tasks/server.yml index 2589c5192..934b8b805 100644 --- a/roles/etcd_certificates/tasks/server.yml +++ b/roles/etcd_certificates/tasks/server.yml @@ -4,7 +4,7 @@ path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" state: directory mode: 0700 - with_items: etcd_needing_server_certs + with_items: "{{ etcd_needing_server_certs | default([]) }}" - name: Create the server csr command: > @@ -19,7 +19,7 @@ ~ item.etcd_cert_prefix ~ 'server.csr' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: "{{ etcd_needing_server_certs | default([]) }}" - name: Sign and create the server crt command: > @@ -33,7 +33,7 @@ ~ item.etcd_cert_prefix ~ 'server.crt' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: "{{ etcd_needing_server_certs | default([]) }}" - name: Create the peer csr command: > @@ -48,7 +48,7 @@ ~ item.etcd_cert_prefix ~ 'peer.csr' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: "{{ etcd_needing_server_certs | default([]) }}" - name: Sign and create the peer crt command: > @@ -62,10 +62,10 @@ ~ item.etcd_cert_prefix ~ 'peer.crt' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: "{{ etcd_needing_server_certs | default([]) }}" - file: src: "{{ etcd_ca_cert }}" dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" state: hard - with_items: etcd_needing_server_certs + with_items: "{{ etcd_needing_server_certs | default([]) }}" diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml index 873229b34..10f47f9b2 100644 --- a/roles/openshift_docker/tasks/main.yml +++ b/roles/openshift_docker/tasks/main.yml @@ -24,6 +24,6 @@ with_items: - role: docker local_facts: - openshift_image_tag: "{{ l_image_tag }}" + openshift_image_tag: "{{ l_image_tag | default(None) }}" openshift_version: "{{ l_image_tag.split('-')[0] if l_image_tag is defined else '' | oo_image_tag_to_rpm_version }}" when: openshift.common.is_containerized is defined and openshift.common.is_containerized | bool diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index cee1f1738..291cdbbb5 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml @@ -6,7 +6,7 @@ retries: 50 delay: 5 changed_when: false - with_items: openshift_nodes + with_items: "{{ openshift_nodes }}" - name: Set node schedulability command: > diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index fee6d3924..fe0784ea2 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -78,14 +78,14 @@ action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present" when: (item.kind == 'HTPasswdPasswordIdentityProvider') and not openshift.common.is_atomic | bool - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Ensure htpasswd directory exists file: path: "{{ item.filename | dirname }}" state: directory when: item.kind == 'HTPasswdPasswordIdentityProvider' - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Create the htpasswd file if needed template: @@ -94,7 +94,7 @@ mode: 0600 backup: yes when: item.kind == 'HTPasswdPasswordIdentityProvider' - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Create the ldap ca file if needed copy: @@ -103,7 +103,7 @@ mode: 0600 backup: yes when: openshift.master.ldap_ca is defined and item.kind == 'LDAPPasswordIdentityProvider' - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Create the openid ca file if needed copy: @@ -112,7 +112,7 @@ mode: 0600 backup: yes when: openshift.master.openid_ca is defined and item.kind == 'OpenIDIdentityProvider' and item.ca | default('') != '' - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Create the request header ca file if needed copy: @@ -121,7 +121,7 @@ mode: 0600 backup: yes when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != '' - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Install the systemd units include: systemd_units.yml @@ -239,7 +239,7 @@ mode: 0700 owner: "{{ item }}" group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" - with_items: client_users + with_items: "{{ client_users }}" # TODO: Update this file if the contents of the source file are not present in # the dest file, will need to make sure to ignore things that could be added @@ -247,7 +247,7 @@ command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config args: creates: ~{{ item }}/.kube/config - with_items: client_users + with_items: "{{ client_users }}" - name: Update the permissions on the admin client config(s) file: @@ -256,4 +256,4 @@ mode: 0700 owner: "{{ item }}" group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" - with_items: client_users + with_items: "{{ client_users }}" diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 9017b7d2b..394f9d381 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -4,14 +4,14 @@ path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}" state: directory mode: 0700 - with_items: masters_needing_certs + with_items: "{{ masters_needing_certs | default([]) }}" - file: src: "{{ openshift_master_config_dir }}/{{ item.1 }}" dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" state: hard with_nested: - - masters_needing_certs + - "{{ masters_needing_certs | default([]) }}" - - ca.crt - ca.key @@ -26,7 +26,7 @@ --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }} --overwrite=false when: item.master_certs_missing | bool - with_items: masters_needing_certs + with_items: "{{ masters_needing_certs | default([]) }}" - file: src: "{{ openshift_master_config_dir }}/{{ item.1 }}" @@ -34,5 +34,5 @@ state: hard force: true with_nested: - - masters_needing_certs + - "{{ masters_needing_certs | default([]) }}" - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}" diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index c9a7a40c8..216c11093 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Create openshift_generated_configs_dir if it doesn't exist +- name: Create openshift_generated_configs_dir if it doesn\'t exist file: path: "{{ openshift_generated_configs_dir }}" state: directory @@ -19,7 +19,7 @@ --user=system:node:{{ item.openshift.common.hostname }} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" - with_items: nodes_needing_certs + with_items: "{{ nodes_needing_certs | default([]) }}" - name: Generate the node server certificate command: > @@ -33,4 +33,4 @@ --signer-serial={{ openshift_master_ca_serial }} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt" - with_items: nodes_needing_certs + with_items: "{{ nodes_needing_certs | default([]) }}" diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index 5dd28d52a..bafda9695 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml @@ -1,7 +1,7 @@ - name: test if service accounts exists command: > {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }} - with_items: openshift_serviceaccounts_names + with_items: "{{ openshift_serviceaccounts_names }}" failed_when: false changed_when: false register: account_test @@ -13,8 +13,8 @@ -n {{ openshift_serviceaccounts_namespace }} create -f - when: item.1.rc != 0 with_together: - - openshift_serviceaccounts_names - - account_test.results + - "{{ openshift_serviceaccounts_names }}" + - "{{ account_test.results }}" - name: test if scc needs to be updated command: > @@ -22,7 +22,7 @@ changed_when: false failed_when: false register: scc_test - with_items: openshift_serviceaccounts_sccs + with_items: "{{ openshift_serviceaccounts_sccs }}" - name: Grant the user access to the privileged scc command: > @@ -30,8 +30,8 @@ privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }} when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}" with_nested: - - openshift_serviceaccounts_names - - scc_test.results + - "{{ openshift_serviceaccounts_names }}" + - "{{ scc_test.results }}" - include: legacy_add_scc_to_user.yml when: not openshift.common.version_gte_3_1_or_1_1 diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml index e3176e611..20413d563 100644 --- a/roles/os_firewall/defaults/main.yml +++ b/roles/os_firewall/defaults/main.yml @@ -1,3 +1,5 @@ --- os_firewall_enabled: True os_firewall_use_firewalld: True +os_firewall_allow: [] +os_firewall_deny: [] diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml index ac4600f83..241fa8823 100644 --- a/roles/os_firewall/tasks/firewall/firewalld.yml +++ b/roles/os_firewall/tasks/firewall/firewalld.yml @@ -52,29 +52,25 @@ port: "{{ item.port }}" permanent: false state: enabled - with_items: os_firewall_allow - when: os_firewall_allow is defined + with_items: "{{ os_firewall_allow }}" - name: Persist firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: enabled - with_items: os_firewall_allow - when: os_firewall_allow is defined + with_items: "{{ os_firewall_allow }}" - name: Remove firewalld allow rules firewalld: port: "{{ item.port }}" permanent: false state: disabled - with_items: os_firewall_deny - when: os_firewall_deny is defined + with_items: "{{ os_firewall_deny }}" - name: Persist removal of firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: disabled - with_items: os_firewall_deny - when: os_firewall_deny is defined + with_items: "{{ os_firewall_deny }}" diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 3b584f8eb..070fe6a3a 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -49,8 +49,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: os_firewall_allow - when: os_firewall_allow is defined + with_items: "{{ os_firewall_allow }}" - name: Remove iptables rules os_firewall_manage_iptables: @@ -58,5 +57,4 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: os_firewall_deny - when: os_firewall_deny is defined + with_items: "{{ os_firewall_deny }}" |