summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/docker/defaults/main.yml2
-rw-r--r--roles/docker/meta/main.yml1
-rw-r--r--roles/docker/tasks/main.yml2
-rw-r--r--roles/docker/tasks/registry_auth.yml16
-rw-r--r--roles/docker/tasks/systemcontainer_crio.yml6
-rw-r--r--roles/docker/tasks/systemcontainer_docker.yml8
-rw-r--r--roles/lib_utils/library/docker_creds.py207
-rw-r--r--roles/openshift_ca/tasks/main.yml4
-rw-r--r--roles/openshift_cloud_provider/tasks/openstack.yml4
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py52
-rw-r--r--roles/openshift_hosted/tasks/secure.yml2
-rw-r--r--roles/openshift_hosted_metrics/handlers/main.yml4
-rw-r--r--roles/openshift_logging/handlers/main.yml4
-rw-r--r--roles/openshift_logging/tasks/main.yaml11
-rw-r--r--roles/openshift_logging/vars/default_images.yml3
-rw-r--r--roles/openshift_logging/vars/openshift-enterprise.yml3
-rw-r--r--roles/openshift_logging_curator/defaults/main.yml2
-rw-r--r--roles/openshift_logging_curator/tasks/determine_version.yaml10
-rw-r--r--roles/openshift_logging_curator/tasks/main.yaml29
-rw-r--r--roles/openshift_logging_curator/vars/default_images.yml3
-rw-r--r--roles/openshift_logging_curator/vars/openshift-enterprise.yml3
-rw-r--r--roles/openshift_logging_elasticsearch/defaults/main.yml2
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/determine_version.yaml12
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/main.yaml12
-rw-r--r--roles/openshift_logging_elasticsearch/vars/default_images.yml6
-rw-r--r--roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml4
-rw-r--r--roles/openshift_logging_eventrouter/defaults/main.yaml2
-rw-r--r--roles/openshift_logging_eventrouter/tasks/main.yaml13
-rw-r--r--roles/openshift_logging_eventrouter/vars/default_images.yml3
-rw-r--r--roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml3
-rw-r--r--roles/openshift_logging_fluentd/defaults/main.yml2
-rw-r--r--roles/openshift_logging_fluentd/tasks/determine_version.yaml10
-rw-r--r--roles/openshift_logging_fluentd/tasks/main.yaml29
-rw-r--r--roles/openshift_logging_fluentd/vars/default_images.yml3
-rw-r--r--roles/openshift_logging_fluentd/vars/openshift-enterprise.yml3
-rw-r--r--roles/openshift_logging_kibana/defaults/main.yml4
-rw-r--r--roles/openshift_logging_kibana/tasks/determine_version.yaml10
-rw-r--r--roles/openshift_logging_kibana/tasks/main.yaml74
-rw-r--r--roles/openshift_logging_kibana/vars/default_images.yml5
-rw-r--r--roles/openshift_logging_kibana/vars/openshift-enterprise.yml5
-rw-r--r--roles/openshift_logging_mux/defaults/main.yml2
-rw-r--r--roles/openshift_logging_mux/tasks/determine_version.yaml10
-rw-r--r--roles/openshift_logging_mux/tasks/main.yaml49
-rw-r--r--roles/openshift_logging_mux/vars/default_images.yml3
-rw-r--r--roles/openshift_logging_mux/vars/openshift-enterprise.yml3
-rw-r--r--roles/openshift_manage_node/tasks/main.yml4
-rw-r--r--roles/openshift_master/defaults/main.yml4
-rw-r--r--roles/openshift_master/handlers/main.yml4
-rw-r--r--roles/openshift_master/tasks/main.yml8
-rw-r--r--roles/openshift_master/tasks/registry_auth.yml20
-rw-r--r--roles/openshift_master/tasks/restart.yml22
-rw-r--r--roles/openshift_master/tasks/systemd_units.yml3
-rw-r--r--roles/openshift_master/tasks/upgrade.yml45
-rw-r--r--roles/openshift_master/tasks/upgrade/rpm_upgrade.yml20
-rw-r--r--roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml173
-rw-r--r--roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml15
-rw-r--r--roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml20
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j240
-rw-r--r--roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j24
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml6
-rw-r--r--roles/openshift_master_cluster/tasks/main.yml4
-rw-r--r--roles/openshift_master_facts/filter_plugins/openshift_master.py23
-rw-r--r--roles/openshift_metrics/handlers/main.yml4
-rw-r--r--roles/openshift_node/defaults/main.yml1
-rw-r--r--roles/openshift_node/tasks/registry_auth.yml19
-rw-r--r--roles/openshift_node/templates/node.yaml.v1.j22
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml4
-rw-r--r--roles/openshift_node_upgrade/defaults/main.yml1
-rw-r--r--roles/openshift_node_upgrade/tasks/main.yml2
-rw-r--r--roles/openshift_node_upgrade/tasks/registry_auth.yml19
-rw-r--r--roles/openshift_prometheus/tasks/install_prometheus.yaml38
71 files changed, 835 insertions, 315 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index c086c28df..224844a06 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -2,6 +2,8 @@
docker_cli_auth_config_path: '/root/.docker'
openshift_docker_signature_verification: False
+openshift_docker_alternative_creds: False
+
# oreg_url is defined by user input.
oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
oreg_auth_credentials_replace: False
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index 62b8a2eb5..d5faae8df 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -12,3 +12,4 @@ galaxy_info:
dependencies:
- role: lib_openshift
- role: lib_os_firewall
+- role: lib_utils
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 3c814d8d8..69ee62790 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -53,7 +53,7 @@
- when:
- l_use_crio
- - dockerstat.stat.islink is defined and not (dockerstat.stat.islink | bool)
+ - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool)
block:
- name: stop the current running docker
systemd:
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
index d05b7f2b8..2c7bc5711 100644
--- a/roles/docker/tasks/registry_auth.yml
+++ b/roles/docker/tasks/registry_auth.yml
@@ -12,5 +12,21 @@
delay: 5
until: openshift_docker_credentials_create_res.rc == 0
when:
+ - not openshift_docker_alternative_creds | bool
+ - oreg_auth_user is defined
+ - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts. This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for docker cli registry auth (alternative)
+ docker_creds:
+ path: "{{ docker_cli_auth_config_path }}"
+ registry: "{{ oreg_host }}"
+ username: "{{ oreg_auth_user }}"
+ password: "{{ oreg_auth_password }}"
+ when:
+ - openshift_docker_alternative_creds | bool
- oreg_auth_user is defined
- (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 1e2d64293..3fe10454d 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -179,3 +179,9 @@
register: start_result
- meta: flush_handlers
+
+# If we are using crio only, docker.service might not be available for
+# 'docker login'
+- include: registry_auth.yml
+ vars:
+ openshift_docker_alternative_creds: "{{ l_use_crio_only }}"
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index aa3b35ddd..84220fa66 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -173,6 +173,10 @@
- set_fact:
docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"
-- include: registry_auth.yml
-
- meta: flush_handlers
+
+# Since docker is running as a system container, docker login will fail to create
+# credentials. Use alternate method if requiring authenticated registries.
+- include: registry_auth.yml
+ vars:
+ openshift_docker_alternative_creds: True
diff --git a/roles/lib_utils/library/docker_creds.py b/roles/lib_utils/library/docker_creds.py
new file mode 100644
index 000000000..d4674845e
--- /dev/null
+++ b/roles/lib_utils/library/docker_creds.py
@@ -0,0 +1,207 @@
+#!/usr/bin/env python
+# pylint: disable=missing-docstring
+#
+# Copyright 2017 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import base64
+import json
+import os
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = '''
+---
+module: docker_creds
+
+short_description: Creates/updates a 'docker login' file in place of using 'docker login'
+
+version_added: "2.4"
+
+description:
+ - This module creates a docker config.json file in the directory provided by 'path'
+ on hosts that do not support 'docker login' but need the file present for
+ registry authentication purposes of various other services.
+
+options:
+ path:
+ description:
+ - This is the message to send to the sample module
+ required: true
+ registry:
+ description:
+ - This is the registry the credentials are for.
+ required: true
+ username:
+ description:
+ - This is the username to authenticate to the registry with.
+ required: true
+ password:
+ description:
+ - This is the password to authenticate to the registry with.
+ required: true
+
+author:
+ - "Michael Gugino <mgugino@redhat.com>"
+'''
+
+EXAMPLES = '''
+# Pass in a message
+- name: Place credentials in file
+ docker_creds:
+ path: /root/.docker
+ registry: registry.example.com:443
+ username: myuser
+ password: mypassword
+'''
+
+
+def check_dest_dir_exists(module, dest):
+ '''Check if dest dir is present and is a directory'''
+ dir_exists = os.path.exists(dest)
+ if dir_exists:
+ if not os.path.isdir(dest):
+ msg = "{} exists but is not a directory".format(dest)
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': msg,
+ 'state': 'unknown'}
+ module.fail_json(**result)
+ else:
+ return 1
+ else:
+ return 0
+
+
+def create_dest_dir(module, dest):
+ try:
+ os.makedirs(dest, mode=0o700)
+ except OSError as oserror:
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': str(oserror),
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def load_config_file(module, dest):
+ '''load the config.json in directory dest'''
+ conf_file_path = os.path.join(dest, 'config.json')
+ if os.path.exists(conf_file_path):
+ # Try to open the file and load json data
+ try:
+ with open(conf_file_path) as conf_file:
+ data = conf_file.read()
+ jdata = json.loads(data)
+
+ except IOError as ioerror:
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': str(ioerror),
+ 'state': 'unknown'}
+ module.fail_json(**result)
+ except ValueError as jsonerror:
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': str(jsonerror),
+ 'state': 'unknown'}
+ module.fail_json(**result)
+ return jdata
+ else:
+ # File doesn't exist, we just return an empty dictionary.
+ return {}
+
+
+def update_config(docker_config, registry, username, password):
+ '''Add our registry auth credentials into docker_config dict'''
+
+ # Add anything that might be missing in our dictionary
+ if 'auths' not in docker_config:
+ docker_config['auths'] = {}
+ if registry not in docker_config['auths']:
+ docker_config['auths'][registry] = {}
+
+ # base64 encode our username:password string
+ encoded_data = base64.b64encode('{}:{}'.format(username, password))
+
+ # check if the same value is already present for idempotency.
+ if 'auth' in docker_config['auths'][registry]:
+ if docker_config['auths'][registry]['auth'] == encoded_data:
+ # No need to go further, everything is already set in file.
+ return False
+ docker_config['auths'][registry]['auth'] = encoded_data
+ return True
+
+
+def write_config(module, docker_config, dest):
+ '''Write updated credentials into dest/config.json'''
+ conf_file_path = os.path.join(dest, 'config.json')
+ try:
+ with open(conf_file_path, 'w') as conf_file:
+ json.dump(docker_config, conf_file, indent=8)
+ except IOError as ioerror:
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': str(ioerror),
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def run_module():
+ '''Run this module'''
+ module_args = dict(
+ path=dict(aliases=['dest', 'name'], required=True, type='path'),
+ registry=dict(type='str', required=True),
+ username=dict(type='str', required=True),
+ password=dict(type='str', required=True, no_log=True)
+ )
+
+ module = AnsibleModule(
+ argument_spec=module_args,
+ supports_check_mode=False
+ )
+
+ # First, create our dest dir if necessary
+ dest = module.params['path']
+ registry = module.params['registry']
+ username = module.params['username']
+ password = module.params['password']
+
+ if not check_dest_dir_exists(module, dest):
+ create_dest_dir(module, dest)
+ docker_config = {}
+ else:
+ # We want to scrape the contents of dest/config.json
+ # in case there are other registries/settings already present.
+ docker_config = load_config_file(module, dest)
+
+ # Put the registry auth info into the config dict.
+ changed = update_config(docker_config, registry, username, password)
+
+ if changed:
+ write_config(module, docker_config, dest)
+
+ result = {'changed': changed}
+
+ module.exit_json(**result)
+
+
+def main():
+ run_module()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index 587526d07..31f0f8e7a 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -97,10 +97,8 @@
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
--cert-dir={{ openshift_ca_config_dir }}
- {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_master_cert_expire_days }}
--signer-expire-days={{ openshift_ca_cert_expire_days }}
- {% endif %}
--overwrite=false
when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
delegate_to: "{{ openshift_ca_host }}"
@@ -169,9 +167,7 @@
--signer-serial={{ openshift_ca_serial }}
--user=system:openshift-master
--basename=openshift-master
- {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_master_cert_expire_days }}
- {% endif %}
- name: Copy generated loopback master client config to master config dir
copy:
src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}"
diff --git a/roles/openshift_cloud_provider/tasks/openstack.yml b/roles/openshift_cloud_provider/tasks/openstack.yml
index 5788e6d74..324630491 100644
--- a/roles/openshift_cloud_provider/tasks/openstack.yml
+++ b/roles/openshift_cloud_provider/tasks/openstack.yml
@@ -1,8 +1,4 @@
---
-- fail:
- msg: "The Openstack integration requires OpenShift Enterprise 3.2 or Origin 1.2."
- when: not openshift.common.version_gte_3_2_or_1_2 | bool
-
- name: Create cloud config
template:
dest: "{{ openshift.common.config_base }}/cloudprovider/openstack.conf"
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 699dc300f..99ebb7e36 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -490,7 +490,7 @@ def set_selectors(facts):
facts['hosted']['metrics'] = {}
if 'selector' not in facts['hosted']['metrics'] or facts['hosted']['metrics']['selector'] in [None, 'None']:
facts['hosted']['metrics']['selector'] = None
- if 'logging' not in facts:
+ if 'logging' not in facts or not isinstance(facts['logging'], dict):
facts['logging'] = {}
if 'selector' not in facts['logging'] or facts['logging']['selector'] in [None, 'None']:
facts['logging']['selector'] = None
@@ -806,7 +806,7 @@ def set_deployment_facts_if_unset(facts):
# pylint: disable=too-many-statements
def set_version_facts_if_unset(facts):
""" Set version facts. This currently includes common.version and
- common.version_gte_3_1_or_1_1.
+ common.version_gte_3_x
Args:
facts (dict): existing facts
@@ -814,49 +814,19 @@ def set_version_facts_if_unset(facts):
dict: the facts dict updated with version facts.
"""
if 'common' in facts:
- deployment_type = facts['common']['deployment_type']
openshift_version = get_openshift_version(facts)
if openshift_version and openshift_version != "latest":
version = LooseVersion(openshift_version)
facts['common']['version'] = openshift_version
facts['common']['short_version'] = '.'.join([str(x) for x in version.version[0:2]])
- if deployment_type == 'origin':
- version_gte_3_1_or_1_1 = version >= LooseVersion('1.1.0')
- version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('1.1.1')
- version_gte_3_2_or_1_2 = version >= LooseVersion('1.2.0')
- version_gte_3_3_or_1_3 = version >= LooseVersion('1.3.0')
- version_gte_3_4_or_1_4 = version >= LooseVersion('1.4')
- version_gte_3_5_or_1_5 = version >= LooseVersion('1.5')
- version_gte_3_6 = version >= LooseVersion('3.6')
- version_gte_3_7 = version >= LooseVersion('3.7')
- version_gte_3_8 = version >= LooseVersion('3.8')
- else:
- version_gte_3_1_or_1_1 = version >= LooseVersion('3.0.2.905')
- version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('3.1.1')
- version_gte_3_2_or_1_2 = version >= LooseVersion('3.1.1.901')
- version_gte_3_3_or_1_3 = version >= LooseVersion('3.3.0')
- version_gte_3_4_or_1_4 = version >= LooseVersion('3.4')
- version_gte_3_5_or_1_5 = version >= LooseVersion('3.5')
- version_gte_3_6 = version >= LooseVersion('3.6')
- version_gte_3_7 = version >= LooseVersion('3.7')
- version_gte_3_8 = version >= LooseVersion('3.8')
+ version_gte_3_6 = version >= LooseVersion('3.6')
+ version_gte_3_7 = version >= LooseVersion('3.7')
+ version_gte_3_8 = version >= LooseVersion('3.8')
else:
# 'Latest' version is set to True, 'Next' versions set to False
- version_gte_3_1_or_1_1 = True
- version_gte_3_1_1_or_1_1_1 = True
- version_gte_3_2_or_1_2 = True
- version_gte_3_3_or_1_3 = True
- version_gte_3_4_or_1_4 = True
- version_gte_3_5_or_1_5 = True
version_gte_3_6 = True
version_gte_3_7 = True
version_gte_3_8 = False
- facts['common']['version_gte_3_1_or_1_1'] = version_gte_3_1_or_1_1
- facts['common']['version_gte_3_1_1_or_1_1_1'] = version_gte_3_1_1_or_1_1_1
- facts['common']['version_gte_3_2_or_1_2'] = version_gte_3_2_or_1_2
- facts['common']['version_gte_3_3_or_1_3'] = version_gte_3_3_or_1_3
- facts['common']['version_gte_3_4_or_1_4'] = version_gte_3_4_or_1_4
- facts['common']['version_gte_3_5_or_1_5'] = version_gte_3_5_or_1_5
facts['common']['version_gte_3_6'] = version_gte_3_6
facts['common']['version_gte_3_7'] = version_gte_3_7
facts['common']['version_gte_3_8'] = version_gte_3_8
@@ -867,18 +837,8 @@ def set_version_facts_if_unset(facts):
examples_content_version = 'v3.7'
elif version_gte_3_6:
examples_content_version = 'v3.6'
- elif version_gte_3_5_or_1_5:
- examples_content_version = 'v1.5'
- elif version_gte_3_4_or_1_4:
- examples_content_version = 'v1.4'
- elif version_gte_3_3_or_1_3:
- examples_content_version = 'v1.3'
- elif version_gte_3_2_or_1_2:
- examples_content_version = 'v1.2'
- elif version_gte_3_1_or_1_1:
- examples_content_version = 'v1.1'
else:
- examples_content_version = 'v1.0'
+ examples_content_version = 'v1.5'
facts['common']['examples_content_version'] = examples_content_version
diff --git a/roles/openshift_hosted/tasks/secure.yml b/roles/openshift_hosted/tasks/secure.yml
index 0da8ac8a7..174bc39a4 100644
--- a/roles/openshift_hosted/tasks/secure.yml
+++ b/roles/openshift_hosted/tasks/secure.yml
@@ -42,7 +42,7 @@
- "{{ openshift_hosted_registry_routehost }}"
cert: "{{ docker_registry_cert_path }}"
key: "{{ docker_registry_key_path }}"
- expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift_deployment_type) | bool else omit }}"
+ expire_days: "{{ openshift_hosted_registry_cert_expire_days }}"
register: registry_self_cert
when: docker_registry_self_signed
diff --git a/roles/openshift_hosted_metrics/handlers/main.yml b/roles/openshift_hosted_metrics/handlers/main.yml
index 88b893448..074b72942 100644
--- a/roles/openshift_hosted_metrics/handlers/main.yml
+++ b/roles/openshift_hosted_metrics/handlers/main.yml
@@ -18,11 +18,7 @@
# wait_for port doesn't provide health information.
command: >
curl --silent --tlsv1.2
- {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
--cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
- {% else %}
- --cacert {{ openshift.common.config_base }}/master/ca.crt
- {% endif %}
{{ openshift.master.api_url }}/healthz/ready
args:
# Disables the following warning:
diff --git a/roles/openshift_logging/handlers/main.yml b/roles/openshift_logging/handlers/main.yml
index 88b893448..074b72942 100644
--- a/roles/openshift_logging/handlers/main.yml
+++ b/roles/openshift_logging/handlers/main.yml
@@ -18,11 +18,7 @@
# wait_for port doesn't provide health information.
command: >
curl --silent --tlsv1.2
- {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
--cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
- {% else %}
- --cacert {{ openshift.common.config_base }}/master/ca.crt
- {% endif %}
{{ openshift.master.api_url }}/healthz/ready
args:
# Disables the following warning:
diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml
index 15f6a23e6..7f8e88036 100644
--- a/roles/openshift_logging/tasks/main.yaml
+++ b/roles/openshift_logging/tasks/main.yaml
@@ -3,17 +3,6 @@
msg: Only one Fluentd nodeselector key pair should be provided
when: openshift_logging_fluentd_nodeselector.keys() | count > 1
-- name: Set default image variables based on deployment_type
- include_vars: "{{ item }}"
- with_first_found:
- - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
- - "default_images.yml"
-
-- name: Set logging image facts
- set_fact:
- openshift_logging_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
- openshift_logging_image_version: "{{ openshift_logging_image_version | default(__openshift_logging_image_version) }}"
-
- name: Create temp directory for doing work in
command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX
register: mktemp
diff --git a/roles/openshift_logging/vars/default_images.yml b/roles/openshift_logging/vars/default_images.yml
deleted file mode 100644
index 1a77808f6..000000000
--- a/roles/openshift_logging/vars/default_images.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-__openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}"
-__openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}"
diff --git a/roles/openshift_logging/vars/openshift-enterprise.yml b/roles/openshift_logging/vars/openshift-enterprise.yml
deleted file mode 100644
index f60fa8d7d..000000000
--- a/roles/openshift_logging/vars/openshift-enterprise.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-__openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('registry.access.redhat.com/openshift3/') }}"
-__openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default ('v3.7') }}"
diff --git a/roles/openshift_logging_curator/defaults/main.yml b/roles/openshift_logging_curator/defaults/main.yml
index 9cae9f936..a0d221c32 100644
--- a/roles/openshift_logging_curator/defaults/main.yml
+++ b/roles/openshift_logging_curator/defaults/main.yml
@@ -1,7 +1,5 @@
---
### General logging settings
-openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default('latest') }}"
openshift_logging_curator_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
openshift_logging_curator_master_url: "https://kubernetes.default.svc.cluster.local"
diff --git a/roles/openshift_logging_curator/tasks/determine_version.yaml b/roles/openshift_logging_curator/tasks/determine_version.yaml
index 94f8b4a97..2013f4e38 100644
--- a/roles/openshift_logging_curator/tasks/determine_version.yaml
+++ b/roles/openshift_logging_curator/tasks/determine_version.yaml
@@ -1,16 +1,16 @@
---
# debating making this a module instead?
- fail:
- msg: Missing version to install provided by 'openshift_logging_image_version'
- when: not openshift_logging_image_version or openshift_logging_image_version == ''
+ msg: Missing version to install provided by 'openshift_logging_curator_image_version'
+ when: not openshift_logging_curator_image_version or openshift_logging_curator_image_version == ''
- set_fact:
curator_version: "{{ __latest_curator_version }}"
- when: openshift_logging_image_version == 'latest'
+ when: openshift_logging_curator_image_version == 'latest'
# should we just assume that we will have the correct major version?
-- set_fact: curator_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
- when: openshift_logging_image_version != 'latest'
+- set_fact: curator_version="{{ openshift_logging_curator_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
+ when: openshift_logging_curator_image_version != 'latest'
- fail:
msg: Invalid version specified for Curator
diff --git a/roles/openshift_logging_curator/tasks/main.yaml b/roles/openshift_logging_curator/tasks/main.yaml
index fcaf18ed4..7ddf57450 100644
--- a/roles/openshift_logging_curator/tasks/main.yaml
+++ b/roles/openshift_logging_curator/tasks/main.yaml
@@ -1,4 +1,17 @@
---
+- name: Set default image variables based on deployment_type
+ include_vars: "{{ var_file_name }}"
+ with_first_found:
+ - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+ - "default_images.yml"
+ loop_control:
+ loop_var: var_file_name
+
+- name: Set curator image facts
+ set_fact:
+ openshift_logging_curator_image_prefix: "{{ openshift_logging_curator_image_prefix | default(__openshift_logging_curator_image_prefix) }}"
+ openshift_logging_curator_image_version: "{{ openshift_logging_curator_image_version | default(__openshift_logging_curator_image_version) }}"
+
- include: determine_version.yaml
# allow passing in a tempdir
@@ -35,7 +48,7 @@
name: "aggregated-logging-curator"
namespace: "{{ openshift_logging_namespace }}"
when:
- - openshift_logging_image_pull_secret == ''
+ - openshift_logging_image_pull_secret == ''
# configmap
- copy:
@@ -65,12 +78,12 @@
name: "logging-curator"
namespace: "{{ openshift_logging_namespace }}"
files:
- - name: ca
- path: "{{ generated_certs_dir }}/ca.crt"
- - name: key
- path: "{{ generated_certs_dir }}/system.logging.curator.key"
- - name: cert
- path: "{{ generated_certs_dir }}/system.logging.curator.crt"
+ - name: ca
+ path: "{{ generated_certs_dir }}/ca.crt"
+ - name: key
+ path: "{{ generated_certs_dir }}/system.logging.curator.key"
+ - name: cert
+ path: "{{ generated_certs_dir }}/system.logging.curator.crt"
- set_fact:
curator_name: "{{ 'logging-curator' ~ ( (openshift_logging_curator_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}"
@@ -104,7 +117,7 @@
namespace: "{{ openshift_logging_namespace }}"
kind: dc
files:
- - "{{ tempdir }}/templates/curator-dc.yaml"
+ - "{{ tempdir }}/templates/curator-dc.yaml"
delete_after: true
- name: Delete temp directory
diff --git a/roles/openshift_logging_curator/vars/default_images.yml b/roles/openshift_logging_curator/vars/default_images.yml
new file mode 100644
index 000000000..208b41afa
--- /dev/null
+++ b/roles/openshift_logging_curator/vars/default_images.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default('latest') }}"
diff --git a/roles/openshift_logging_curator/vars/openshift-enterprise.yml b/roles/openshift_logging_curator/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..79cf131fd
--- /dev/null
+++ b/roles/openshift_logging_curator/vars/openshift-enterprise.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml
index 9fc6fd1d8..bec4432c3 100644
--- a/roles/openshift_logging_elasticsearch/defaults/main.yml
+++ b/roles/openshift_logging_elasticsearch/defaults/main.yml
@@ -1,7 +1,5 @@
---
### Common settings
-openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default('latest') }}"
openshift_logging_elasticsearch_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
openshift_logging_elasticsearch_namespace: logging
diff --git a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml
index 1a952b5cf..c53a06019 100644
--- a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml
@@ -1,18 +1,16 @@
---
# debating making this a module instead?
- fail:
- msg: Missing version to install provided by 'openshift_logging_image_version'
- when: not openshift_logging_image_version or openshift_logging_image_version == ''
+ msg: Missing version to install provided by 'openshift_logging_elasticsearch_image_version'
+ when: not openshift_logging_elasticsearch_image_version or openshift_logging_elasticsearch_image_version == ''
- set_fact:
es_version: "{{ __latest_es_version }}"
- when: openshift_logging_image_version == 'latest'
-
-- debug: var=openshift_logging_image_version
+ when: openshift_logging_elasticsearch_image_version == 'latest'
# should we just assume that we will have the correct major version?
-- set_fact: es_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
- when: openshift_logging_image_version != 'latest'
+- set_fact: es_version="{{ openshift_logging_elasticsearch_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
+ when: openshift_logging_elasticsearch_image_version != 'latest'
- fail:
msg: Invalid version specified for Elasticsearch
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index e7ef443bd..2bd02af60 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -15,18 +15,22 @@
elasticsearch_name: "{{ 'logging-elasticsearch' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
es_component: "{{ 'es' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}"
-- include: determine_version.yaml
-
- name: Set default image variables based on deployment_type
- include_vars: "{{ item }}"
+ include_vars: "{{ var_file_name }}"
with_first_found:
- "{{ openshift_deployment_type | default(deployment_type) }}.yml"
- "default_images.yml"
+ loop_control:
+ loop_var: var_file_name
-- name: Set elasticsearch_prefix image facts
+- name: Set elasticsearch image facts
set_fact:
openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_elasticsearch_proxy_image_prefix | default(__openshift_logging_elasticsearch_proxy_image_prefix) }}"
openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_elasticsearch_proxy_image_version | default(__openshift_logging_elasticsearch_proxy_image_version) }}"
+ openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_elasticsearch_image_prefix | default(__openshift_logging_elasticsearch_image_prefix) }}"
+ openshift_logging_elasticsearch_image_version: "{{ openshift_logging_elasticsearch_image_version | default(__openshift_logging_elasticsearch_image_version) }}"
+
+- include: determine_version.yaml
# allow passing in a tempdir
- name: Create temp directory for doing work in
diff --git a/roles/openshift_logging_elasticsearch/vars/default_images.yml b/roles/openshift_logging_elasticsearch/vars/default_images.yml
index b7d105caf..cef49dd92 100644
--- a/roles/openshift_logging_elasticsearch/vars/default_images.yml
+++ b/roles/openshift_logging_elasticsearch/vars/default_images.yml
@@ -1,3 +1,5 @@
---
-__openshift_logging_elasticsearch_proxy_image_prefix: "docker.io/openshift/"
-__openshift_logging_elasticsearch_proxy_image_version: "v1.0.0"
+__openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default('latest') }}"
+__openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/') }}"
+__openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_image_version | default('v1.0.0') }}"
diff --git a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml
index 2fd960bb5..07d92896f 100644
--- a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml
+++ b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml
@@ -1,3 +1,5 @@
---
+__openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
__openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
-__openshift_logging_elasticsearch_proxy_image_version: "v3.7"
+__openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_logging_eventrouter/defaults/main.yaml b/roles/openshift_logging_eventrouter/defaults/main.yaml
index 4c0350c98..62542f496 100644
--- a/roles/openshift_logging_eventrouter/defaults/main.yaml
+++ b/roles/openshift_logging_eventrouter/defaults/main.yaml
@@ -1,6 +1,4 @@
---
-openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default('latest') }}"
openshift_logging_eventrouter_replicas: 1
openshift_logging_eventrouter_sink: stdout
openshift_logging_eventrouter_nodeselector: ""
diff --git a/roles/openshift_logging_eventrouter/tasks/main.yaml b/roles/openshift_logging_eventrouter/tasks/main.yaml
index 58e5a559f..b1f93eeb9 100644
--- a/roles/openshift_logging_eventrouter/tasks/main.yaml
+++ b/roles/openshift_logging_eventrouter/tasks/main.yaml
@@ -1,4 +1,17 @@
---
+- name: Set default image variables based on deployment_type
+ include_vars: "{{ var_file_name }}"
+ with_first_found:
+ - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+ - "default_images.yml"
+ loop_control:
+ loop_var: var_file_name
+
+- name: Set eventrouter image facts
+ set_fact:
+ openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_eventrouter_image_prefix | default(__openshift_logging_eventrouter_image_prefix) }}"
+ openshift_logging_eventrouter_image_version: "{{ openshift_logging_eventrouter_image_version | default(__openshift_logging_eventrouter_image_version) }}"
+
- include: "{{ role_path }}/tasks/install_eventrouter.yaml"
when: openshift_logging_install_eventrouter | default(false) | bool
diff --git a/roles/openshift_logging_eventrouter/vars/default_images.yml b/roles/openshift_logging_eventrouter/vars/default_images.yml
new file mode 100644
index 000000000..dbfe2d697
--- /dev/null
+++ b/roles/openshift_logging_eventrouter/vars/default_images.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default('latest') }}"
diff --git a/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml b/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..bb7dc6455
--- /dev/null
+++ b/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml
index 861935c99..9b58e4456 100644
--- a/roles/openshift_logging_fluentd/defaults/main.yml
+++ b/roles/openshift_logging_fluentd/defaults/main.yml
@@ -1,7 +1,5 @@
---
### General logging settings
-openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default('latest') }}"
openshift_logging_fluentd_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
openshift_logging_fluentd_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
openshift_logging_fluentd_namespace: logging
diff --git a/roles/openshift_logging_fluentd/tasks/determine_version.yaml b/roles/openshift_logging_fluentd/tasks/determine_version.yaml
index a1ba71b1b..6848eb512 100644
--- a/roles/openshift_logging_fluentd/tasks/determine_version.yaml
+++ b/roles/openshift_logging_fluentd/tasks/determine_version.yaml
@@ -1,16 +1,16 @@
---
# debating making this a module instead?
- fail:
- msg: Missing version to install provided by 'openshift_logging_image_version'
- when: not openshift_logging_image_version or openshift_logging_image_version == ''
+ msg: Missing version to install provided by 'openshift_logging_fluentd_image_version'
+ when: not openshift_logging_fluentd_image_version or openshift_logging_fluentd_image_version == ''
- set_fact:
fluentd_version: "{{ __latest_fluentd_version }}"
- when: openshift_logging_image_version == 'latest'
+ when: openshift_logging_fluentd_image_version == 'latest'
# should we just assume that we will have the correct major version?
-- set_fact: fluentd_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
- when: openshift_logging_image_version != 'latest'
+- set_fact: fluentd_version="{{ openshift_logging_fluentd_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
+ when: openshift_logging_fluentd_image_version != 'latest'
- fail:
msg: Invalid version specified for Fluentd
diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml
index 2f89c3f9f..f8683ab75 100644
--- a/roles/openshift_logging_fluentd/tasks/main.yaml
+++ b/roles/openshift_logging_fluentd/tasks/main.yaml
@@ -34,6 +34,19 @@
msg: WARNING Use of openshift_logging_mux_client_mode=minimal is not recommended due to current scaling issues
when: openshift_logging_mux_client_mode is defined and openshift_logging_mux_client_mode == 'minimal'
+- name: Set default image variables based on deployment_type
+ include_vars: "{{ var_file_name }}"
+ with_first_found:
+ - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+ - "default_images.yml"
+ loop_control:
+ loop_var: var_file_name
+
+- name: Set fluentd image facts
+ set_fact:
+ openshift_logging_fluentd_image_prefix: "{{ openshift_logging_fluentd_image_prefix | default(__openshift_logging_fluentd_image_prefix) }}"
+ openshift_logging_fluentd_image_version: "{{ openshift_logging_fluentd_image_version | default(__openshift_logging_fluentd_image_version) }}"
+
- include: determine_version.yaml
# allow passing in a tempdir
@@ -69,7 +82,7 @@
name: "aggregated-logging-fluentd"
namespace: "{{ openshift_logging_fluentd_namespace }}"
when:
- - openshift_logging_image_pull_secret == ''
+ - openshift_logging_image_pull_secret == ''
# set service account scc
- name: Set privileged permissions for Fluentd
@@ -146,12 +159,12 @@
name: logging-fluentd
namespace: "{{ openshift_logging_fluentd_namespace }}"
files:
- - name: ca
- path: "{{ generated_certs_dir }}/ca.crt"
- - name: key
- path: "{{ generated_certs_dir }}/system.logging.fluentd.key"
- - name: cert
- path: "{{ generated_certs_dir }}/system.logging.fluentd.crt"
+ - name: ca
+ path: "{{ generated_certs_dir }}/ca.crt"
+ - name: key
+ path: "{{ generated_certs_dir }}/system.logging.fluentd.key"
+ - name: cert
+ path: "{{ generated_certs_dir }}/system.logging.fluentd.crt"
# create Fluentd daemonset
# this should change based on the type of fluentd deployment to be done...
@@ -187,7 +200,7 @@
namespace: "{{ openshift_logging_fluentd_namespace }}"
kind: daemonset
files:
- - "{{ tempdir }}/templates/logging-fluentd.yaml"
+ - "{{ tempdir }}/templates/logging-fluentd.yaml"
delete_after: true
# Scale up Fluentd
diff --git a/roles/openshift_logging_fluentd/vars/default_images.yml b/roles/openshift_logging_fluentd/vars/default_images.yml
new file mode 100644
index 000000000..6d127b730
--- /dev/null
+++ b/roles/openshift_logging_fluentd/vars/default_images.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default('latest') }}"
diff --git a/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml b/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..d0c74f1fb
--- /dev/null
+++ b/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_logging_kibana/defaults/main.yml b/roles/openshift_logging_kibana/defaults/main.yml
index 1366e96cd..6cdf7c8f3 100644
--- a/roles/openshift_logging_kibana/defaults/main.yml
+++ b/roles/openshift_logging_kibana/defaults/main.yml
@@ -2,8 +2,6 @@
### Common settings
openshift_logging_kibana_master_url: "https://kubernetes.default.svc.cluster.local"
openshift_logging_kibana_master_public_url: "https://kubernetes.default.svc.cluster.local"
-openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default('latest') }}"
openshift_logging_kibana_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
openshift_logging_kibana_namespace: logging
@@ -25,8 +23,6 @@ openshift_logging_kibana_edge_term_policy: Redirect
openshift_logging_kibana_ops_deployment: false
# Proxy settings
-openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default('latest') }}"
openshift_logging_kibana_proxy_debug: false
openshift_logging_kibana_proxy_cpu_limit: null
openshift_logging_kibana_proxy_cpu_request: 100m
diff --git a/roles/openshift_logging_kibana/tasks/determine_version.yaml b/roles/openshift_logging_kibana/tasks/determine_version.yaml
index 53e15af5f..63e5a89f1 100644
--- a/roles/openshift_logging_kibana/tasks/determine_version.yaml
+++ b/roles/openshift_logging_kibana/tasks/determine_version.yaml
@@ -1,16 +1,16 @@
---
# debating making this a module instead?
- fail:
- msg: Missing version to install provided by 'openshift_logging_image_version'
- when: not openshift_logging_image_version or openshift_logging_image_version == ''
+ msg: Missing version to install provided by 'openshift_logging_kibana_image_version'
+ when: not openshift_logging_kibana_image_version or openshift_logging_kibana_image_version == ''
- set_fact:
kibana_version: "{{ __latest_kibana_version }}"
- when: openshift_logging_image_version == 'latest'
+ when: openshift_logging_kibana_image_version == 'latest'
# should we just assume that we will have the correct major version?
-- set_fact: kibana_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
- when: openshift_logging_image_version != 'latest'
+- set_fact: kibana_version="{{ openshift_logging_kibana_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
+ when: openshift_logging_kibana_image_version != 'latest'
- fail:
msg: Invalid version specified for Kibana
diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml
index 8ef8ede9a..9d99114c5 100644
--- a/roles/openshift_logging_kibana/tasks/main.yaml
+++ b/roles/openshift_logging_kibana/tasks/main.yaml
@@ -1,5 +1,19 @@
---
# fail is we don't have an endpoint for ES to connect to?
+- name: Set default image variables based on deployment_type
+ include_vars: "{{ var_file_name }}"
+ with_first_found:
+ - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+ - "default_images.yml"
+ loop_control:
+ loop_var: var_file_name
+
+- name: Set kibana image facts
+ set_fact:
+ openshift_logging_kibana_image_prefix: "{{ openshift_logging_kibana_image_prefix | default(__openshift_logging_kibana_image_prefix) }}"
+ openshift_logging_kibana_image_version: "{{ openshift_logging_kibana_image_version | default(__openshift_logging_kibana_image_version) }}"
+ openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_kibana_proxy_image_prefix | default(__openshift_logging_kibana_proxy_image_prefix) }}"
+ openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_kibana_proxy_image_version | default(__openshift_logging_kibana_proxy_image_version) }}"
- include: determine_version.yaml
@@ -37,7 +51,7 @@
name: "aggregated-logging-kibana"
namespace: "{{ openshift_logging_namespace }}"
when:
- - openshift_logging_image_pull_secret == ''
+ - openshift_logging_image_pull_secret == ''
- set_fact:
kibana_name: "{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
@@ -58,7 +72,7 @@
content: "{{ 200 | oo_random_word }}"
dest: "{{ generated_certs_dir }}/session_secret"
when:
- - not session_secret_file.stat.exists
+ - not session_secret_file.stat.exists
# gen oauth_secret if necessary
- name: Generate oauth secret
@@ -66,19 +80,19 @@
content: "{{ 64 | oo_random_word }}"
dest: "{{ generated_certs_dir }}/oauth_secret"
when:
- - not oauth_secret_file.stat.exists
+ - not oauth_secret_file.stat.exists
- name: Retrieving the cert to use when generating secrets for the logging components
slurp:
src: "{{ generated_certs_dir }}/{{ item.file }}"
register: key_pairs
with_items:
- - { name: "ca_file", file: "ca.crt" }
- - { name: "kibana_internal_key", file: "kibana-internal.key"}
- - { name: "kibana_internal_cert", file: "kibana-internal.crt"}
- - { name: "server_tls", file: "server-tls.json"}
- - { name: "session_secret", file: "session_secret" }
- - { name: "oauth_secret", file: "oauth_secret" }
+ - { name: "ca_file", file: "ca.crt" }
+ - { name: "kibana_internal_key", file: "kibana-internal.key"}
+ - { name: "kibana_internal_cert", file: "kibana-internal.crt"}
+ - { name: "server_tls", file: "server-tls.json"}
+ - { name: "session_secret", file: "session_secret" }
+ - { name: "oauth_secret", file: "oauth_secret" }
# services
- name: Set {{ kibana_name }} service
@@ -92,8 +106,8 @@
labels:
logging-infra: 'support'
ports:
- - port: 443
- targetPort: "oaproxy"
+ - port: 443
+ targetPort: "oaproxy"
# create routes
# TODO: set up these certs differently?
@@ -144,7 +158,7 @@
namespace: "{{ openshift_logging_namespace }}"
kind: route
files:
- - "{{ tempdir }}/templates/kibana-route.yaml"
+ - "{{ tempdir }}/templates/kibana-route.yaml"
# preserve list of current hostnames
- name: Get current oauthclient hostnames
@@ -173,7 +187,7 @@
namespace: "{{ openshift_logging_namespace }}"
kind: oauthclient
files:
- - "{{ tempdir }}/templates/oauth-client.yml"
+ - "{{ tempdir }}/templates/oauth-client.yml"
delete_after: true
# create Kibana secret
@@ -183,12 +197,12 @@
name: "logging-kibana"
namespace: "{{ openshift_logging_namespace }}"
files:
- - name: ca
- path: "{{ generated_certs_dir }}/ca.crt"
- - name: key
- path: "{{ generated_certs_dir }}/system.logging.kibana.key"
- - name: cert
- path: "{{ generated_certs_dir }}/system.logging.kibana.crt"
+ - name: ca
+ path: "{{ generated_certs_dir }}/ca.crt"
+ - name: key
+ path: "{{ generated_certs_dir }}/system.logging.kibana.key"
+ - name: cert
+ path: "{{ generated_certs_dir }}/system.logging.kibana.crt"
# create Kibana-proxy secret
- name: Set Kibana Proxy secret
@@ -205,16 +219,16 @@
#- name: server-tls.json
# path: "{{ generated_certs_dir }}/server-tls.json"
contents:
- - path: oauth-secret
- data: "{{ key_pairs | entry_from_named_pair('oauth_secret') | b64decode }}"
- - path: session-secret
- data: "{{ key_pairs | entry_from_named_pair('session_secret') | b64decode }}"
- - path: server-key
- data: "{{ key_pairs | entry_from_named_pair('kibana_internal_key') | b64decode }}"
- - path: server-cert
- data: "{{ key_pairs | entry_from_named_pair('kibana_internal_cert') | b64decode }}"
- - path: server-tls.json
- data: "{{ key_pairs | entry_from_named_pair('server_tls') | b64decode }}"
+ - path: oauth-secret
+ data: "{{ key_pairs | entry_from_named_pair('oauth_secret') | b64decode }}"
+ - path: session-secret
+ data: "{{ key_pairs | entry_from_named_pair('session_secret') | b64decode }}"
+ - path: server-key
+ data: "{{ key_pairs | entry_from_named_pair('kibana_internal_key') | b64decode }}"
+ - path: server-cert
+ data: "{{ key_pairs | entry_from_named_pair('kibana_internal_cert') | b64decode }}"
+ - path: server-tls.json
+ data: "{{ key_pairs | entry_from_named_pair('server_tls') | b64decode }}"
# create Kibana DC
- name: Generate Kibana DC template
@@ -245,7 +259,7 @@
namespace: "{{ openshift_logging_namespace }}"
kind: dc
files:
- - "{{ tempdir }}/templates/kibana-dc.yaml"
+ - "{{ tempdir }}/templates/kibana-dc.yaml"
delete_after: true
# update master configs?
diff --git a/roles/openshift_logging_kibana/vars/default_images.yml b/roles/openshift_logging_kibana/vars/default_images.yml
new file mode 100644
index 000000000..db0f9b622
--- /dev/null
+++ b/roles/openshift_logging_kibana/vars/default_images.yml
@@ -0,0 +1,5 @@
+---
+__openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default('latest') }}"
+__openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default('latest') }}"
diff --git a/roles/openshift_logging_kibana/vars/openshift-enterprise.yml b/roles/openshift_logging_kibana/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..0be2e7252
--- /dev/null
+++ b/roles/openshift_logging_kibana/vars/openshift-enterprise.yml
@@ -0,0 +1,5 @@
+---
+__openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
+__openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml
index 9de686576..cd15da939 100644
--- a/roles/openshift_logging_mux/defaults/main.yml
+++ b/roles/openshift_logging_mux/defaults/main.yml
@@ -1,7 +1,5 @@
---
### General logging settings
-openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default('latest') }}"
openshift_logging_mux_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
openshift_logging_mux_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
openshift_logging_mux_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://' + openshift.common.public_hostname + ':' ~ (openshift_master_api_port | default('8443', true))) }}"
diff --git a/roles/openshift_logging_mux/tasks/determine_version.yaml b/roles/openshift_logging_mux/tasks/determine_version.yaml
index 229bcf3d5..769475dd5 100644
--- a/roles/openshift_logging_mux/tasks/determine_version.yaml
+++ b/roles/openshift_logging_mux/tasks/determine_version.yaml
@@ -1,16 +1,16 @@
---
# debating making this a module instead?
- fail:
- msg: Missing version to install provided by 'openshift_logging_image_version'
- when: not openshift_logging_image_version or openshift_logging_image_version == ''
+ msg: Missing version to install provided by 'openshift_logging_mux_image_version'
+ when: not openshift_logging_mux_image_version or openshift_logging_mux_image_version == ''
- set_fact:
mux_version: "{{ __latest_mux_version }}"
- when: openshift_logging_image_version == 'latest'
+ when: openshift_logging_mux_image_version == 'latest'
# should we just assume that we will have the correct major version?
-- set_fact: mux_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
- when: openshift_logging_image_version != 'latest'
+- set_fact: mux_version="{{ openshift_logging_mux_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
+ when: openshift_logging_mux_image_version != 'latest'
- fail:
msg: Invalid version specified for mux
diff --git a/roles/openshift_logging_mux/tasks/main.yaml b/roles/openshift_logging_mux/tasks/main.yaml
index 5b257139e..242d92188 100644
--- a/roles/openshift_logging_mux/tasks/main.yaml
+++ b/roles/openshift_logging_mux/tasks/main.yaml
@@ -7,6 +7,19 @@
msg: Operations logs destination is required
when: not openshift_logging_mux_ops_host or openshift_logging_mux_ops_host == ''
+- name: Set default image variables based on deployment_type
+ include_vars: "{{ var_file_name }}"
+ with_first_found:
+ - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+ - "default_images.yml"
+ loop_control:
+ loop_var: var_file_name
+
+- name: Set mux image facts
+ set_fact:
+ openshift_logging_mux_image_prefix: "{{ openshift_logging_mux_image_prefix | default(__openshift_logging_mux_image_prefix) }}"
+ openshift_logging_mux_image_version: "{{ openshift_logging_mux_image_version | default(__openshift_logging_mux_image_version) }}"
+
- include: determine_version.yaml
# allow passing in a tempdir
@@ -42,7 +55,7 @@
name: "aggregated-logging-mux"
namespace: "{{ openshift_logging_mux_namespace }}"
when:
- - openshift_logging_image_pull_secret == ''
+ - openshift_logging_image_pull_secret == ''
# set service account scc
- name: Set privileged permissions for Mux
@@ -112,14 +125,14 @@
name: logging-mux
namespace: "{{ openshift_logging_mux_namespace }}"
files:
- - name: ca
- path: "{{ generated_certs_dir }}/ca.crt"
- - name: key
- path: "{{ generated_certs_dir }}/system.logging.mux.key"
- - name: cert
- path: "{{ generated_certs_dir }}/system.logging.mux.crt"
- - name: shared_key
- path: "{{ generated_certs_dir }}/mux_shared_key"
+ - name: ca
+ path: "{{ generated_certs_dir }}/ca.crt"
+ - name: key
+ path: "{{ generated_certs_dir }}/system.logging.mux.key"
+ - name: cert
+ path: "{{ generated_certs_dir }}/system.logging.mux.crt"
+ - name: shared_key
+ path: "{{ generated_certs_dir }}/mux_shared_key"
# services
- name: Set logging-mux service for external communication
@@ -133,11 +146,11 @@
labels:
logging-infra: 'support'
ports:
- - name: mux-forward
- port: "{{ openshift_logging_mux_port }}"
- targetPort: "mux-forward"
+ - name: mux-forward
+ port: "{{ openshift_logging_mux_port }}"
+ targetPort: "mux-forward"
external_ips:
- - "{{ ansible_eth0.ipv4.address }}"
+ - "{{ ansible_eth0.ipv4.address }}"
when: openshift_logging_mux_allow_external | bool
- name: Set logging-mux service for internal communication
@@ -151,9 +164,9 @@
labels:
logging-infra: 'support'
ports:
- - name: mux-forward
- port: "{{ openshift_logging_mux_port }}"
- targetPort: "mux-forward"
+ - name: mux-forward
+ port: "{{ openshift_logging_mux_port }}"
+ targetPort: "mux-forward"
when: not openshift_logging_mux_allow_external | bool
# create Mux DC
@@ -188,7 +201,7 @@
selector: "{{ openshift_logging_mux_file_buffer_pvc_pv_selector }}"
storage_class_name: "{{ openshift_logging_mux_file_buffer_pvc_storage_class_name | default('', true) }}"
when:
- - openshift_logging_mux_file_buffer_storage_type == "pvc"
+ - openshift_logging_mux_file_buffer_storage_type == "pvc"
- name: Set logging-mux DC
oc_obj:
@@ -197,7 +210,7 @@
namespace: "{{ openshift_logging_mux_namespace }}"
kind: dc
files:
- - "{{ tempdir }}/templates/logging-mux-dc.yaml"
+ - "{{ tempdir }}/templates/logging-mux-dc.yaml"
delete_after: true
- name: Add mux namespaces
diff --git a/roles/openshift_logging_mux/vars/default_images.yml b/roles/openshift_logging_mux/vars/default_images.yml
new file mode 100644
index 000000000..bd5dc4504
--- /dev/null
+++ b/roles/openshift_logging_mux/vars/default_images.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default('latest') }}"
diff --git a/roles/openshift_logging_mux/vars/openshift-enterprise.yml b/roles/openshift_logging_mux/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..1e7eb9d8d
--- /dev/null
+++ b/roles/openshift_logging_mux/vars/openshift-enterprise.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml
index f67aee88b..fbbac1176 100644
--- a/roles/openshift_manage_node/tasks/main.yml
+++ b/roles/openshift_manage_node/tasks/main.yml
@@ -7,11 +7,7 @@
# wait_for port doesn't provide health information.
command: >
curl --silent --tlsv1.2
- {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
--cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
- {% else %}
- --cacert {{ openshift.common.config_base }}/master/ca.crt
- {% endif %}
{{ openshift_node_master_api_url }}/healthz/ready
args:
# Disables the following warning:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index a27fbae7e..3fb94fff8 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -31,6 +31,7 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur
oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
oreg_auth_credentials_replace: False
l_bind_docker_reg_auth: False
+openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"
containerized_svc_dir: "/usr/lib/systemd/system"
ha_svc_template_path: "native-cluster"
@@ -66,3 +67,6 @@ openshift_master_bootstrap_enabled: False
openshift_master_csr_sa: node-bootstrapper
openshift_master_csr_namespace: openshift-infra
+
+openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml"
+openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json"
diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml
index f88c4a7dc..359536202 100644
--- a/roles/openshift_master/handlers/main.yml
+++ b/roles/openshift_master/handlers/main.yml
@@ -25,11 +25,7 @@
# wait_for port doesn't provide health information.
command: >
curl --silent --tlsv1.2
- {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
--cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
- {% else %}
- --cacert {{ openshift.common.config_base }}/master/ca.crt
- {% endif %}
{{ openshift.master.api_url }}/healthz/ready
args:
# Disables the following warning:
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index c7c02d49b..b6d3539b1 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -18,12 +18,6 @@
- openshift.master.ha | bool
- (openshift.master.cluster_method is not defined) or (openshift.master.cluster_method is defined and openshift.master.cluster_method not in ["native", "pacemaker"])
- fail:
- msg: "'native' high availability is not supported for the requested OpenShift version"
- when:
- - openshift.master.ha | bool
- - openshift.master.cluster_method == "native"
- - not openshift.common.version_gte_3_1_or_1_1 | bool
-- fail:
msg: "openshift_master_cluster_password must be set for multi-master installations"
when:
- openshift.master.ha | bool
@@ -222,8 +216,6 @@
when: openshift_master_bootstrap_enabled | default(False)
- include: set_loopback_context.yml
- when:
- - openshift.common.version_gte_3_2_or_1_2
- name: Start and enable master api on first master
systemd:
diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml
index cde01c49e..c95f562d0 100644
--- a/roles/openshift_master/tasks/registry_auth.yml
+++ b/roles/openshift_master/tasks/registry_auth.yml
@@ -8,6 +8,7 @@
- name: Create credentials for registry auth
command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
when:
+ - not (openshift_docker_alternative_creds | default(False))
- oreg_auth_user is defined
- (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
register: master_oreg_auth_credentials_create
@@ -18,6 +19,25 @@
- restart master api
- restart master controllers
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts. This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for registry auth (alternative)
+ docker_creds:
+ path: "{{ oreg_auth_credentials_path }}"
+ registry: "{{ oreg_host }}"
+ username: "{{ oreg_auth_user }}"
+ password: "{{ oreg_auth_password }}"
+ when:
+ - openshift_docker_alternative_creds | default(False) | bool
+ - oreg_auth_user is defined
+ - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+ register: master_oreg_auth_credentials_create
+ notify:
+ - restart master api
+ - restart master controllers
+
# Container images may need the registry credentials
- name: Setup ro mount of /root/.docker for containerized hosts
set_fact:
diff --git a/roles/openshift_master/tasks/restart.yml b/roles/openshift_master/tasks/restart.yml
new file mode 100644
index 000000000..4f8b758fd
--- /dev/null
+++ b/roles/openshift_master/tasks/restart.yml
@@ -0,0 +1,22 @@
+---
+- name: Restart master API
+ service:
+ name: "{{ openshift.common.service_type }}-master-api"
+ state: restarted
+ when: openshift_master_ha | bool
+- name: Wait for master API to come back online
+ wait_for:
+ host: "{{ openshift.common.hostname }}"
+ state: started
+ delay: 10
+ port: "{{ openshift.master.api_port }}"
+ timeout: 600
+ when: openshift_master_ha | bool
+- name: Restart master controllers
+ service:
+ name: "{{ openshift.common.service_type }}-master-controllers"
+ state: restarted
+ # Ignore errrors since it is possible that type != simple for
+ # pre-3.1.1 installations.
+ ignore_errors: true
+ when: openshift_master_ha | bool
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 8420dfb8c..b0fa72f19 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -2,9 +2,6 @@
# systemd_units.yml is included both in the openshift_master role and in the upgrade
# playbooks.
-- include: upgrade_facts.yml
- when: openshift_master_defaults_in_use is not defined
-
- name: Set HA Service Info for containerized installs
set_fact:
containerized_svc_dir: "/etc/systemd/system"
diff --git a/roles/openshift_master/tasks/upgrade.yml b/roles/openshift_master/tasks/upgrade.yml
new file mode 100644
index 000000000..92371921d
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade.yml
@@ -0,0 +1,45 @@
+---
+- include: upgrade/rpm_upgrade.yml
+ when: not openshift.common.is_containerized | bool
+
+- include: upgrade/upgrade_scheduler.yml
+
+# master_config_hook is passed in from upgrade play.
+- include: "upgrade/{{ master_config_hook }}"
+ when: master_config_hook is defined
+
+- include: journald.yml
+
+- include: systemd_units.yml
+
+- name: Check for ca-bundle.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ register: ca_bundle_stat
+ failed_when: false
+
+- name: Check for ca.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ register: ca_crt_stat
+ failed_when: false
+
+- name: Migrate ca.crt to ca-bundle.crt
+ command: mv ca.crt ca-bundle.crt
+ args:
+ chdir: "{{ openshift.common.config_base }}/master"
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+- name: Link ca.crt to ca-bundle.crt
+ file:
+ src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ state: link
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+- name: Update oreg value
+ yedit:
+ src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ key: 'imageConfig.format'
+ value: "{{ oreg_url | default(oreg_url_master) }}"
+ when: oreg_url is defined or oreg_url_master is defined
diff --git a/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
new file mode 100644
index 000000000..f914a9978
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
@@ -0,0 +1,20 @@
+---
+# When we update package "a-${version}" and a requires b >= ${version} if we
+# don't specify the version of b yum will choose the latest version of b
+# available and the whole set of dependencies end up at the latest version.
+# Since the package module, unlike the yum module, doesn't flatten a list
+# of packages into one transaction we need to do that explicitly. The ansible
+# core team tells us not to rely on yum module transaction flattening anyway.
+
+# TODO: If the sdn package isn't already installed this will install it, we
+# should fix that
+- name: Upgrade master packages
+ package: name={{ master_pkgs | join(',') }} state=present
+ vars:
+ master_pkgs:
+ - "{{ openshift.common.service_type }}{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-master{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-clients{{ openshift_pkg_version }}"
+ - "tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
diff --git a/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml
new file mode 100644
index 000000000..8558bf3e9
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml
@@ -0,0 +1,173 @@
+---
+# Upgrade predicates
+- vars:
+ prev_predicates: "{{ lookup('openshift_master_facts_default_predicates', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type) }}"
+ prev_predicates_no_region: "{{ lookup('openshift_master_facts_default_predicates', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type, regions_enabled=False) }}"
+ default_predicates_no_region: "{{ lookup('openshift_master_facts_default_predicates', regions_enabled=False) }}"
+ # older_predicates are the set of predicates that have previously been
+ # hard-coded into openshift_facts
+ older_predicates:
+ - - name: MatchNodeSelector
+ - name: PodFitsResources
+ - name: PodFitsPorts
+ - name: NoDiskConflict
+ - name: NoVolumeZoneConflict
+ - name: MaxEBSVolumeCount
+ - name: MaxGCEPDVolumeCount
+ - name: Region
+ argument:
+ serviceAffinity:
+ labels:
+ - region
+ - - name: MatchNodeSelector
+ - name: PodFitsResources
+ - name: PodFitsPorts
+ - name: NoDiskConflict
+ - name: NoVolumeZoneConflict
+ - name: Region
+ argument:
+ serviceAffinity:
+ labels:
+ - region
+ - - name: MatchNodeSelector
+ - name: PodFitsResources
+ - name: PodFitsPorts
+ - name: NoDiskConflict
+ - name: Region
+ argument:
+ serviceAffinity:
+ labels:
+ - region
+ # older_predicates_no_region are the set of predicates that have previously
+ # been hard-coded into openshift_facts, with the Region predicate removed
+ older_predicates_no_region:
+ - - name: MatchNodeSelector
+ - name: PodFitsResources
+ - name: PodFitsPorts
+ - name: NoDiskConflict
+ - name: NoVolumeZoneConflict
+ - name: MaxEBSVolumeCount
+ - name: MaxGCEPDVolumeCount
+ - - name: MatchNodeSelector
+ - name: PodFitsResources
+ - name: PodFitsPorts
+ - name: NoDiskConflict
+ - name: NoVolumeZoneConflict
+ - - name: MatchNodeSelector
+ - name: PodFitsResources
+ - name: PodFitsPorts
+ - name: NoDiskConflict
+ block:
+
+ # Handle case where openshift_master_predicates is defined
+ - block:
+ - debug:
+ msg: "WARNING: openshift_master_scheduler_predicates is set to defaults from an earlier release of OpenShift current defaults are: {{ openshift_master_scheduler_default_predicates }}"
+ when: openshift_master_scheduler_predicates in older_predicates + older_predicates_no_region + [prev_predicates] + [prev_predicates_no_region]
+
+ - debug:
+ msg: "WARNING: openshift_master_scheduler_predicates does not match current defaults of: {{ openshift_master_scheduler_default_predicates }}"
+ when: openshift_master_scheduler_predicates != openshift_master_scheduler_default_predicates
+ when: openshift_master_scheduler_predicates | default(none) is not none
+
+ # Handle cases where openshift_master_predicates is not defined
+ - block:
+ - debug:
+ msg: "WARNING: existing scheduler config does not match previous known defaults automated upgrade of scheduler config is disabled.\nexisting scheduler predicates: {{ openshift_master_scheduler_current_predicates }}\ncurrent scheduler default predicates are: {{ openshift_master_scheduler_default_predicates }}"
+ when:
+ - openshift_master_scheduler_current_predicates != openshift_master_scheduler_default_predicates
+ - openshift_master_scheduler_current_predicates not in older_predicates + [prev_predicates]
+
+ - set_fact:
+ openshift_upgrade_scheduler_predicates: "{{ openshift_master_scheduler_default_predicates }}"
+ when:
+ - openshift_master_scheduler_current_predicates != openshift_master_scheduler_default_predicates
+ - openshift_master_scheduler_current_predicates in older_predicates + [prev_predicates]
+
+ - set_fact:
+ openshift_upgrade_scheduler_predicates: "{{ default_predicates_no_region }}"
+ when:
+ - openshift_master_scheduler_current_predicates != default_predicates_no_region
+ - openshift_master_scheduler_current_predicates in older_predicates_no_region + [prev_predicates_no_region]
+
+ when: openshift_master_scheduler_predicates | default(none) is none
+
+
+# Upgrade priorities
+- vars:
+ prev_priorities: "{{ lookup('openshift_master_facts_default_priorities', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type) }}"
+ prev_priorities_no_zone: "{{ lookup('openshift_master_facts_default_priorities', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type, zones_enabled=False) }}"
+ default_priorities_no_zone: "{{ lookup('openshift_master_facts_default_priorities', zones_enabled=False) }}"
+ # older_priorities are the set of priorities that have previously been
+ # hard-coded into openshift_facts
+ older_priorities:
+ - - name: LeastRequestedPriority
+ weight: 1
+ - name: SelectorSpreadPriority
+ weight: 1
+ - name: Zone
+ weight: 2
+ argument:
+ serviceAntiAffinity:
+ label: zone
+ # older_priorities_no_region are the set of priorities that have previously
+ # been hard-coded into openshift_facts, with the Zone priority removed
+ older_priorities_no_zone:
+ - - name: LeastRequestedPriority
+ weight: 1
+ - name: SelectorSpreadPriority
+ weight: 1
+ block:
+
+ # Handle case where openshift_master_priorities is defined
+ - block:
+ - debug:
+ msg: "WARNING: openshift_master_scheduler_priorities is set to defaults from an earlier release of OpenShift current defaults are: {{ openshift_master_scheduler_default_priorities }}"
+ when: openshift_master_scheduler_priorities in older_priorities + older_priorities_no_zone + [prev_priorities] + [prev_priorities_no_zone]
+
+ - debug:
+ msg: "WARNING: openshift_master_scheduler_priorities does not match current defaults of: {{ openshift_master_scheduler_default_priorities }}"
+ when: openshift_master_scheduler_priorities != openshift_master_scheduler_default_priorities
+ when: openshift_master_scheduler_priorities | default(none) is not none
+
+ # Handle cases where openshift_master_priorities is not defined
+ - block:
+ - debug:
+ msg: "WARNING: existing scheduler config does not match previous known defaults automated upgrade of scheduler config is disabled.\nexisting scheduler priorities: {{ openshift_master_scheduler_current_priorities }}\ncurrent scheduler default priorities are: {{ openshift_master_scheduler_default_priorities }}"
+ when:
+ - openshift_master_scheduler_current_priorities != openshift_master_scheduler_default_priorities
+ - openshift_master_scheduler_current_priorities not in older_priorities + [prev_priorities]
+
+ - set_fact:
+ openshift_upgrade_scheduler_priorities: "{{ openshift_master_scheduler_default_priorities }}"
+ when:
+ - openshift_master_scheduler_current_priorities != openshift_master_scheduler_default_priorities
+ - openshift_master_scheduler_current_priorities in older_priorities + [prev_priorities]
+
+ - set_fact:
+ openshift_upgrade_scheduler_priorities: "{{ default_priorities_no_zone }}"
+ when:
+ - openshift_master_scheduler_current_priorities != default_priorities_no_zone
+ - openshift_master_scheduler_current_priorities in older_priorities_no_zone + [prev_priorities_no_zone]
+
+ when: openshift_master_scheduler_priorities | default(none) is none
+
+
+# Update scheduler
+- vars:
+ scheduler_config:
+ kind: Policy
+ apiVersion: v1
+ predicates: "{{ openshift_upgrade_scheduler_predicates
+ | default(openshift_master_scheduler_current_predicates) }}"
+ priorities: "{{ openshift_upgrade_scheduler_priorities
+ | default(openshift_master_scheduler_current_priorities) }}"
+ block:
+ - name: Update scheduler config
+ copy:
+ content: "{{ scheduler_config | to_nice_json }}"
+ dest: "{{ openshift_master_scheduler_conf }}"
+ backup: true
+ when: >
+ openshift_upgrade_scheduler_predicates is defined or
+ openshift_upgrade_scheduler_priorities is defined
diff --git a/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml
new file mode 100644
index 000000000..db0c8f886
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml
@@ -0,0 +1,15 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.certFile'
+ yaml_value: service-signer.crt
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile'
+ yaml_value: service-signer.key
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: servingInfo.clientCA
+ yaml_value: ca.crt
diff --git a/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml
new file mode 100644
index 000000000..1d4d1919c
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml
@@ -0,0 +1,20 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.election.lockName'
+ yaml_value: 'openshift-master-controllers'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.certFile'
+ yaml_value: service-signer.crt
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile'
+ yaml_value: service-signer.key
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: servingInfo.clientCA
+ yaml_value: ca.crt
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 5bc135601..629fe3286 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -3,9 +3,6 @@ admissionConfig:
pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }}
{% endif %}
apiLevels:
-{% if not openshift.common.version_gte_3_1_or_1_1 | bool %}
-- v1beta3
-{% endif %}
- v1
apiVersion: v1
assetConfig:
@@ -44,10 +41,9 @@ assetConfig:
- {{ cipher_suite }}
{% endfor %}
{% endif %}
-{% if openshift.master.audit_config | default(none) is not none and openshift.common.version_gte_3_2_or_1_2 | bool %}
+{% if openshift.master.audit_config | default(none) is not none %}
auditConfig:{{ openshift.master.audit_config | to_padded_yaml(level=1) }}
{% endif %}
-{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
controllerConfig:
election:
lockName: openshift-master-controllers
@@ -55,7 +51,6 @@ controllerConfig:
signer:
certFile: service-signer.crt
keyFile: service-signer.key
-{% endif %}
controllers: '*'
corsAllowedOrigins:
# anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname
@@ -74,11 +69,7 @@ dnsConfig:
bindNetwork: tcp4
{% endif %}
etcdClientInfo:
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
ca: {{ "ca-bundle.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
-{% else %}
- ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
-{% endif %}
certFile: master.etcd-client.crt
keyFile: master.etcd-client.key
urls:
@@ -92,20 +83,12 @@ etcdConfig:
peerServingInfo:
bindAddress: {{ openshift.master.bind_addr }}:7001
certFile: etcd.server.crt
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
clientCA: ca-bundle.crt
-{% else %}
- clientCA: ca.crt
-{% endif %}
keyFile: etcd.server.key
servingInfo:
bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.etcd_port }}
certFile: etcd.server.crt
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
clientCA: ca-bundle.crt
-{% else %}
- clientCA: ca.crt
-{% endif %}
keyFile: etcd.server.key
storageDirectory: {{ r_openshift_master_data_dir }}/openshift.local.etcd
{% endif %}
@@ -123,21 +106,12 @@ imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level
kind: MasterConfig
kubeletClientInfo:
{# TODO: allow user specified kubelet port #}
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
ca: ca-bundle.crt
-{% else %}
- ca: ca.crt
-{% endif %}
certFile: master.kubelet-client.crt
keyFile: master.kubelet-client.key
port: 10250
{% if openshift.master.embedded_kube | bool %}
kubernetesMasterConfig:
-{% if not openshift.common.version_gte_3_1_or_1_1 | bool %}
- apiLevels:
- - v1beta3
- - v1
-{% endif %}
apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }}
{% if r_openshift_master_etcd3_storage or ( r_openshift_master_clean_install and openshift.common.version_gte_3_6 ) %}
storage-backend:
@@ -160,21 +134,17 @@ kubernetesMasterConfig:
{% endif %}
masterClients:
{# TODO: allow user to set externalKubernetesKubeConfig #}
-{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
externalKubernetesClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
contentType: application/vnd.kubernetes.protobuf
burst: {{ openshift_master_external_ratelimit_burst | default(400) }}
qps: {{ openshift_master_external_ratelimit_qps | default(200) }}
-{% endif %}
externalKubernetesKubeConfig: ""
-{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
openshiftLoopbackClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
contentType: application/vnd.kubernetes.protobuf
burst: {{ openshift_master_loopback_ratelimit_burst | default(600) }}
qps: {{ openshift_master_loopback_ratelimit_qps | default(300) }}
-{% endif %}
openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: {{ openshift.master.public_api_url }}
networkConfig:
@@ -208,11 +178,7 @@ oauthConfig:
{% for line in translated_identity_providers.splitlines() %}
{{ line }}
{% endfor %}
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
masterCA: ca-bundle.crt
-{% else %}
- masterCA: ca.crt
-{% endif %}
masterPublicURL: {{ openshift.master.public_api_url }}
masterURL: {{ openshift.master.api_url }}
sessionConfig:
@@ -245,11 +211,7 @@ serviceAccountConfig:
- default
- builder
- deployer
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
masterCA: ca-bundle.crt
-{% else %}
- masterCA: ca.crt
-{% endif %}
privateKeyFile: serviceaccounts.private.key
publicKeyFiles:
- serviceaccounts.public.key
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
index e284413f7..fae021845 100644
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
@@ -7,11 +7,7 @@ Wants={{ openshift.common.service_type }}-master-api.service
Requires=network-online.target
[Service]
-{% if openshift.common.version_gte_3_1_1_or_1_1_1 | bool %}
Type=notify
-{% else %}
-Type=simple
-{% endif %}
EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
Environment=GOTRACEBACK=crash
ExecStart=/usr/bin/openshift start master controllers --config=${CONFIG_FILE} $OPTIONS
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index d9ffb1b6f..ec1fbb1ee 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -3,7 +3,7 @@
openshift_master_certs_no_etcd:
- admin.crt
- master.kubelet-client.crt
- - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+ - master.proxy-client.crt
- master.server.crt
- openshift-master.crt
- openshift-registry.crt
@@ -57,9 +57,7 @@
--hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
--cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
--key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
- {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_master_cert_expire_days }}
- {% endif %}
--signer-cert={{ openshift_ca_cert }}
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
@@ -87,9 +85,7 @@
--signer-serial={{ openshift_ca_serial }}
--user=system:openshift-master
--basename=openshift-master
- {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_master_cert_expire_days }}
- {% endif %}
args:
creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
with_items: "{{ hostvars
diff --git a/roles/openshift_master_cluster/tasks/main.yml b/roles/openshift_master_cluster/tasks/main.yml
index 0543872c9..40705d357 100644
--- a/roles/openshift_master_cluster/tasks/main.yml
+++ b/roles/openshift_master_cluster/tasks/main.yml
@@ -3,10 +3,6 @@
msg: "Not possible on atomic hosts for now"
when: openshift.common.is_containerized | bool
-- fail:
- msg: "Pacemaker HA is unsupported on OpenShift Enterprise 3.2 and Origin 1.2"
- when: openshift.master.cluster_method == "pacemaker" and openshift.common.version_gte_3_2_or_1_2 | bool
-
- name: Test if cluster is already configured
command: pcs status
register: pcs_status
diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py
index 97a5179e0..c827f2d26 100644
--- a/roles/openshift_master_facts/filter_plugins/openshift_master.py
+++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py
@@ -518,29 +518,16 @@ class FilterModule(object):
'admin.key',
'admin.kubeconfig',
'master.kubelet-client.crt',
- 'master.kubelet-client.key']
+ 'master.kubelet-client.key',
+ 'master.proxy-client.crt',
+ 'master.proxy-client.key',
+ 'service-signer.crt',
+ 'service-signer.key']
if bool(include_ca):
certs += ['ca.crt', 'ca.key', 'ca-bundle.crt', 'client-ca-bundle.crt']
if bool(include_keys):
certs += ['serviceaccounts.private.key',
'serviceaccounts.public.key']
- if bool(hostvars['openshift']['common']['version_gte_3_1_or_1_1']):
- certs += ['master.proxy-client.crt',
- 'master.proxy-client.key']
- if not bool(hostvars['openshift']['common']['version_gte_3_2_or_1_2']):
- certs += ['openshift-master.crt',
- 'openshift-master.key',
- 'openshift-master.kubeconfig']
- if bool(hostvars['openshift']['common']['version_gte_3_3_or_1_3']):
- certs += ['service-signer.crt',
- 'service-signer.key']
- if not bool(hostvars['openshift']['common']['version_gte_3_5_or_1_5']):
- certs += ['openshift-registry.crt',
- 'openshift-registry.key',
- 'openshift-registry.kubeconfig',
- 'openshift-router.crt',
- 'openshift-router.key',
- 'openshift-router.kubeconfig']
return certs
@staticmethod
diff --git a/roles/openshift_metrics/handlers/main.yml b/roles/openshift_metrics/handlers/main.yml
index 88b893448..074b72942 100644
--- a/roles/openshift_metrics/handlers/main.yml
+++ b/roles/openshift_metrics/handlers/main.yml
@@ -18,11 +18,7 @@
# wait_for port doesn't provide health information.
command: >
curl --silent --tlsv1.2
- {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
--cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
- {% else %}
- --cacert {{ openshift.common.config_base }}/master/ca.crt
- {% endif %}
{{ openshift.master.api_url }}/healthz/ready
args:
# Disables the following warning:
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 85ad33ad3..89d154ad7 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -85,6 +85,7 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur
oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker"
oreg_auth_credentials_replace: False
l_bind_docker_reg_auth: False
+openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"
# NOTE
# r_openshift_node_*_default may be defined external to this role.
diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml
index 5e5e4f94a..f5428867a 100644
--- a/roles/openshift_node/tasks/registry_auth.yml
+++ b/roles/openshift_node/tasks/registry_auth.yml
@@ -8,6 +8,7 @@
- name: Create credentials for registry auth
command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
when:
+ - not (openshift_docker_alternative_creds | default(False))
- oreg_auth_user is defined
- (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
register: node_oreg_auth_credentials_create
@@ -17,6 +18,24 @@
notify:
- restart node
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts. This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for registry auth (alternative)
+ docker_creds:
+ path: "{{ oreg_auth_credentials_path }}"
+ registry: "{{ oreg_host }}"
+ username: "{{ oreg_auth_user }}"
+ password: "{{ oreg_auth_password }}"
+ when:
+ - openshift_docker_alternative_creds | bool
+ - oreg_auth_user is defined
+ - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+ register: node_oreg_auth_credentials_create
+ notify:
+ - restart node
+
# Container images may need the registry credentials
- name: Setup ro mount of /root/.docker for containerized hosts
set_fact:
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2
index 718d35dca..d452cc45c 100644
--- a/roles/openshift_node/templates/node.yaml.v1.j2
+++ b/roles/openshift_node/templates/node.yaml.v1.j2
@@ -29,13 +29,11 @@ kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yam
runtime-request-timeout:
- 10m
{% endif %}
-{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
masterClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
contentType: application/vnd.kubernetes.protobuf
burst: 200
qps: 100
-{% endif %}
masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig
{% if openshift_node_use_openshift_sdn | bool %}
networkPluginName: {{ openshift_node_sdn_network_plugin_name }}
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 1a775178d..97f1fbbdd 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -66,9 +66,7 @@
--signer-key={{ openshift_ca_key }}
--signer-serial={{ openshift_ca_serial }}
--user=system:node:{{ hostvars[item].openshift.common.hostname }}
- {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_node_cert_expire_days }}
- {% endif %}
args:
creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
with_items: "{{ hostvars
@@ -82,9 +80,7 @@
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
--cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
--key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
- {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
--expire-days={{ openshift_node_cert_expire_days }}
- {% endif %}
--overwrite=true
--hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
--signer-cert={{ openshift_ca_cert }}
diff --git a/roles/openshift_node_upgrade/defaults/main.yml b/roles/openshift_node_upgrade/defaults/main.yml
index 10b4c6977..1da434e6f 100644
--- a/roles/openshift_node_upgrade/defaults/main.yml
+++ b/roles/openshift_node_upgrade/defaults/main.yml
@@ -12,3 +12,4 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur
oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker"
oreg_auth_credentials_replace: False
l_bind_docker_reg_auth: False
+openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"
diff --git a/roles/openshift_node_upgrade/tasks/main.yml b/roles/openshift_node_upgrade/tasks/main.yml
index c1c9e0062..66c1fcc38 100644
--- a/roles/openshift_node_upgrade/tasks/main.yml
+++ b/roles/openshift_node_upgrade/tasks/main.yml
@@ -69,8 +69,6 @@
file:
path: "/etc/systemd/system/docker.service.d/docker-sdn-ovs.conf"
state: absent
- when: (deployment_type == 'openshift-enterprise' and openshift_release | version_compare('3.4', '>='))
- or (deployment_type == 'origin' and openshift_release | version_compare('1.4', '>='))
- include: containerized_node_upgrade.yml
when: openshift.common.is_containerized | bool
diff --git a/roles/openshift_node_upgrade/tasks/registry_auth.yml b/roles/openshift_node_upgrade/tasks/registry_auth.yml
index 5e5e4f94a..f5428867a 100644
--- a/roles/openshift_node_upgrade/tasks/registry_auth.yml
+++ b/roles/openshift_node_upgrade/tasks/registry_auth.yml
@@ -8,6 +8,7 @@
- name: Create credentials for registry auth
command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
when:
+ - not (openshift_docker_alternative_creds | default(False))
- oreg_auth_user is defined
- (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
register: node_oreg_auth_credentials_create
@@ -17,6 +18,24 @@
notify:
- restart node
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts. This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for registry auth (alternative)
+ docker_creds:
+ path: "{{ oreg_auth_credentials_path }}"
+ registry: "{{ oreg_host }}"
+ username: "{{ oreg_auth_user }}"
+ password: "{{ oreg_auth_password }}"
+ when:
+ - openshift_docker_alternative_creds | bool
+ - oreg_auth_user is defined
+ - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+ register: node_oreg_auth_credentials_create
+ notify:
+ - restart node
+
# Container images may need the registry credentials
- name: Setup ro mount of /root/.docker for containerized hosts
set_fact:
diff --git a/roles/openshift_prometheus/tasks/install_prometheus.yaml b/roles/openshift_prometheus/tasks/install_prometheus.yaml
index 00c3c1987..21da4bc9d 100644
--- a/roles/openshift_prometheus/tasks/install_prometheus.yaml
+++ b/roles/openshift_prometheus/tasks/install_prometheus.yaml
@@ -148,25 +148,6 @@
selector: "{{ openshift_prometheus_alertbuffer_pvc_pv_selector }}"
when: openshift_prometheus_alertbuffer_storage_type == 'pvc'
-# create prometheus stateful set
-- name: Set prometheus template
- template:
- src: prometheus.j2
- dest: "{{ tempdir }}/templates/prometheus.yaml"
- vars:
- namespace: "{{ openshift_prometheus_namespace }}"
-# prom_replicas: "{{ openshift_prometheus_replicas }}"
-
-- name: Set prometheus stateful set
- oc_obj:
- state: "{{ state }}"
- name: "prometheus"
- namespace: "{{ openshift_prometheus_namespace }}"
- kind: statefulset
- files:
- - "{{ tempdir }}/templates/prometheus.yaml"
- delete_after: true
-
# prometheus configmap
# Copy the additional rules file if it is defined
- name: Copy additional rules file to host
@@ -236,3 +217,22 @@
namespace: "{{ openshift_prometheus_namespace }}"
from_file:
alertmanager.yml: "{{ tempdir }}/alertmanager.yml"
+
+# create prometheus stateful set
+- name: Set prometheus template
+ template:
+ src: prometheus.j2
+ dest: "{{ tempdir }}/templates/prometheus.yaml"
+ vars:
+ namespace: "{{ openshift_prometheus_namespace }}"
+# prom_replicas: "{{ openshift_prometheus_replicas }}"
+
+- name: Set prometheus stateful set
+ oc_obj:
+ state: "{{ state }}"
+ name: "prometheus"
+ namespace: "{{ openshift_prometheus_namespace }}"
+ kind: statefulset
+ files:
+ - "{{ tempdir }}/templates/prometheus.yaml"
+ delete_after: true