diff options
Diffstat (limited to 'roles')
71 files changed, 835 insertions, 315 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index c086c28df..224844a06 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -2,6 +2,8 @@ docker_cli_auth_config_path: '/root/.docker' openshift_docker_signature_verification: False +openshift_docker_alternative_creds: False + # oreg_url is defined by user input. oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}" oreg_auth_credentials_replace: False diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index 62b8a2eb5..d5faae8df 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -12,3 +12,4 @@ galaxy_info: dependencies: - role: lib_openshift - role: lib_os_firewall +- role: lib_utils diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 3c814d8d8..69ee62790 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -53,7 +53,7 @@ - when: - l_use_crio - - dockerstat.stat.islink is defined and not (dockerstat.stat.islink | bool) + - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool) block: - name: stop the current running docker systemd: diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml index d05b7f2b8..2c7bc5711 100644 --- a/roles/docker/tasks/registry_auth.yml +++ b/roles/docker/tasks/registry_auth.yml @@ -12,5 +12,21 @@ delay: 5 until: openshift_docker_credentials_create_res.rc == 0 when: + - not openshift_docker_alternative_creds | bool + - oreg_auth_user is defined + - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts. This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for docker cli registry auth (alternative) + docker_creds: + path: "{{ docker_cli_auth_config_path }}" + registry: "{{ oreg_host }}" + username: "{{ oreg_auth_user }}" + password: "{{ oreg_auth_password }}" + when: + - openshift_docker_alternative_creds | bool - oreg_auth_user is defined - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 1e2d64293..3fe10454d 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -179,3 +179,9 @@ register: start_result - meta: flush_handlers + +# If we are using crio only, docker.service might not be available for +# 'docker login' +- include: registry_auth.yml + vars: + openshift_docker_alternative_creds: "{{ l_use_crio_only }}" diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index aa3b35ddd..84220fa66 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -173,6 +173,10 @@ - set_fact: docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}" -- include: registry_auth.yml - - meta: flush_handlers + +# Since docker is running as a system container, docker login will fail to create +# credentials. Use alternate method if requiring authenticated registries. +- include: registry_auth.yml + vars: + openshift_docker_alternative_creds: True diff --git a/roles/lib_utils/library/docker_creds.py b/roles/lib_utils/library/docker_creds.py new file mode 100644 index 000000000..d4674845e --- /dev/null +++ b/roles/lib_utils/library/docker_creds.py @@ -0,0 +1,207 @@ +#!/usr/bin/env python +# pylint: disable=missing-docstring +# +# Copyright 2017 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import base64 +import json +import os + +from ansible.module_utils.basic import AnsibleModule + + +DOCUMENTATION = ''' +--- +module: docker_creds + +short_description: Creates/updates a 'docker login' file in place of using 'docker login' + +version_added: "2.4" + +description: + - This module creates a docker config.json file in the directory provided by 'path' + on hosts that do not support 'docker login' but need the file present for + registry authentication purposes of various other services. + +options: + path: + description: + - This is the message to send to the sample module + required: true + registry: + description: + - This is the registry the credentials are for. + required: true + username: + description: + - This is the username to authenticate to the registry with. + required: true + password: + description: + - This is the password to authenticate to the registry with. + required: true + +author: + - "Michael Gugino <mgugino@redhat.com>" +''' + +EXAMPLES = ''' +# Pass in a message +- name: Place credentials in file + docker_creds: + path: /root/.docker + registry: registry.example.com:443 + username: myuser + password: mypassword +''' + + +def check_dest_dir_exists(module, dest): + '''Check if dest dir is present and is a directory''' + dir_exists = os.path.exists(dest) + if dir_exists: + if not os.path.isdir(dest): + msg = "{} exists but is not a directory".format(dest) + result = {'failed': True, + 'changed': False, + 'msg': msg, + 'state': 'unknown'} + module.fail_json(**result) + else: + return 1 + else: + return 0 + + +def create_dest_dir(module, dest): + try: + os.makedirs(dest, mode=0o700) + except OSError as oserror: + result = {'failed': True, + 'changed': False, + 'msg': str(oserror), + 'state': 'unknown'} + module.fail_json(**result) + + +def load_config_file(module, dest): + '''load the config.json in directory dest''' + conf_file_path = os.path.join(dest, 'config.json') + if os.path.exists(conf_file_path): + # Try to open the file and load json data + try: + with open(conf_file_path) as conf_file: + data = conf_file.read() + jdata = json.loads(data) + + except IOError as ioerror: + result = {'failed': True, + 'changed': False, + 'msg': str(ioerror), + 'state': 'unknown'} + module.fail_json(**result) + except ValueError as jsonerror: + result = {'failed': True, + 'changed': False, + 'msg': str(jsonerror), + 'state': 'unknown'} + module.fail_json(**result) + return jdata + else: + # File doesn't exist, we just return an empty dictionary. + return {} + + +def update_config(docker_config, registry, username, password): + '''Add our registry auth credentials into docker_config dict''' + + # Add anything that might be missing in our dictionary + if 'auths' not in docker_config: + docker_config['auths'] = {} + if registry not in docker_config['auths']: + docker_config['auths'][registry] = {} + + # base64 encode our username:password string + encoded_data = base64.b64encode('{}:{}'.format(username, password)) + + # check if the same value is already present for idempotency. + if 'auth' in docker_config['auths'][registry]: + if docker_config['auths'][registry]['auth'] == encoded_data: + # No need to go further, everything is already set in file. + return False + docker_config['auths'][registry]['auth'] = encoded_data + return True + + +def write_config(module, docker_config, dest): + '''Write updated credentials into dest/config.json''' + conf_file_path = os.path.join(dest, 'config.json') + try: + with open(conf_file_path, 'w') as conf_file: + json.dump(docker_config, conf_file, indent=8) + except IOError as ioerror: + result = {'failed': True, + 'changed': False, + 'msg': str(ioerror), + 'state': 'unknown'} + module.fail_json(**result) + + +def run_module(): + '''Run this module''' + module_args = dict( + path=dict(aliases=['dest', 'name'], required=True, type='path'), + registry=dict(type='str', required=True), + username=dict(type='str', required=True), + password=dict(type='str', required=True, no_log=True) + ) + + module = AnsibleModule( + argument_spec=module_args, + supports_check_mode=False + ) + + # First, create our dest dir if necessary + dest = module.params['path'] + registry = module.params['registry'] + username = module.params['username'] + password = module.params['password'] + + if not check_dest_dir_exists(module, dest): + create_dest_dir(module, dest) + docker_config = {} + else: + # We want to scrape the contents of dest/config.json + # in case there are other registries/settings already present. + docker_config = load_config_file(module, dest) + + # Put the registry auth info into the config dict. + changed = update_config(docker_config, registry, username, password) + + if changed: + write_config(module, docker_config, dest) + + result = {'changed': changed} + + module.exit_json(**result) + + +def main(): + run_module() + + +if __name__ == '__main__': + main() diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index 587526d07..31f0f8e7a 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -97,10 +97,8 @@ --master={{ openshift.master.api_url }} --public-master={{ openshift.master.public_api_url }} --cert-dir={{ openshift_ca_config_dir }} - {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} --expire-days={{ openshift_master_cert_expire_days }} --signer-expire-days={{ openshift_ca_cert_expire_days }} - {% endif %} --overwrite=false when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool delegate_to: "{{ openshift_ca_host }}" @@ -169,9 +167,7 @@ --signer-serial={{ openshift_ca_serial }} --user=system:openshift-master --basename=openshift-master - {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} --expire-days={{ openshift_master_cert_expire_days }} - {% endif %} - name: Copy generated loopback master client config to master config dir copy: src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}" diff --git a/roles/openshift_cloud_provider/tasks/openstack.yml b/roles/openshift_cloud_provider/tasks/openstack.yml index 5788e6d74..324630491 100644 --- a/roles/openshift_cloud_provider/tasks/openstack.yml +++ b/roles/openshift_cloud_provider/tasks/openstack.yml @@ -1,8 +1,4 @@ --- -- fail: - msg: "The Openstack integration requires OpenShift Enterprise 3.2 or Origin 1.2." - when: not openshift.common.version_gte_3_2_or_1_2 | bool - - name: Create cloud config template: dest: "{{ openshift.common.config_base }}/cloudprovider/openstack.conf" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 699dc300f..99ebb7e36 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -490,7 +490,7 @@ def set_selectors(facts): facts['hosted']['metrics'] = {} if 'selector' not in facts['hosted']['metrics'] or facts['hosted']['metrics']['selector'] in [None, 'None']: facts['hosted']['metrics']['selector'] = None - if 'logging' not in facts: + if 'logging' not in facts or not isinstance(facts['logging'], dict): facts['logging'] = {} if 'selector' not in facts['logging'] or facts['logging']['selector'] in [None, 'None']: facts['logging']['selector'] = None @@ -806,7 +806,7 @@ def set_deployment_facts_if_unset(facts): # pylint: disable=too-many-statements def set_version_facts_if_unset(facts): """ Set version facts. This currently includes common.version and - common.version_gte_3_1_or_1_1. + common.version_gte_3_x Args: facts (dict): existing facts @@ -814,49 +814,19 @@ def set_version_facts_if_unset(facts): dict: the facts dict updated with version facts. """ if 'common' in facts: - deployment_type = facts['common']['deployment_type'] openshift_version = get_openshift_version(facts) if openshift_version and openshift_version != "latest": version = LooseVersion(openshift_version) facts['common']['version'] = openshift_version facts['common']['short_version'] = '.'.join([str(x) for x in version.version[0:2]]) - if deployment_type == 'origin': - version_gte_3_1_or_1_1 = version >= LooseVersion('1.1.0') - version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('1.1.1') - version_gte_3_2_or_1_2 = version >= LooseVersion('1.2.0') - version_gte_3_3_or_1_3 = version >= LooseVersion('1.3.0') - version_gte_3_4_or_1_4 = version >= LooseVersion('1.4') - version_gte_3_5_or_1_5 = version >= LooseVersion('1.5') - version_gte_3_6 = version >= LooseVersion('3.6') - version_gte_3_7 = version >= LooseVersion('3.7') - version_gte_3_8 = version >= LooseVersion('3.8') - else: - version_gte_3_1_or_1_1 = version >= LooseVersion('3.0.2.905') - version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('3.1.1') - version_gte_3_2_or_1_2 = version >= LooseVersion('3.1.1.901') - version_gte_3_3_or_1_3 = version >= LooseVersion('3.3.0') - version_gte_3_4_or_1_4 = version >= LooseVersion('3.4') - version_gte_3_5_or_1_5 = version >= LooseVersion('3.5') - version_gte_3_6 = version >= LooseVersion('3.6') - version_gte_3_7 = version >= LooseVersion('3.7') - version_gte_3_8 = version >= LooseVersion('3.8') + version_gte_3_6 = version >= LooseVersion('3.6') + version_gte_3_7 = version >= LooseVersion('3.7') + version_gte_3_8 = version >= LooseVersion('3.8') else: # 'Latest' version is set to True, 'Next' versions set to False - version_gte_3_1_or_1_1 = True - version_gte_3_1_1_or_1_1_1 = True - version_gte_3_2_or_1_2 = True - version_gte_3_3_or_1_3 = True - version_gte_3_4_or_1_4 = True - version_gte_3_5_or_1_5 = True version_gte_3_6 = True version_gte_3_7 = True version_gte_3_8 = False - facts['common']['version_gte_3_1_or_1_1'] = version_gte_3_1_or_1_1 - facts['common']['version_gte_3_1_1_or_1_1_1'] = version_gte_3_1_1_or_1_1_1 - facts['common']['version_gte_3_2_or_1_2'] = version_gte_3_2_or_1_2 - facts['common']['version_gte_3_3_or_1_3'] = version_gte_3_3_or_1_3 - facts['common']['version_gte_3_4_or_1_4'] = version_gte_3_4_or_1_4 - facts['common']['version_gte_3_5_or_1_5'] = version_gte_3_5_or_1_5 facts['common']['version_gte_3_6'] = version_gte_3_6 facts['common']['version_gte_3_7'] = version_gte_3_7 facts['common']['version_gte_3_8'] = version_gte_3_8 @@ -867,18 +837,8 @@ def set_version_facts_if_unset(facts): examples_content_version = 'v3.7' elif version_gte_3_6: examples_content_version = 'v3.6' - elif version_gte_3_5_or_1_5: - examples_content_version = 'v1.5' - elif version_gte_3_4_or_1_4: - examples_content_version = 'v1.4' - elif version_gte_3_3_or_1_3: - examples_content_version = 'v1.3' - elif version_gte_3_2_or_1_2: - examples_content_version = 'v1.2' - elif version_gte_3_1_or_1_1: - examples_content_version = 'v1.1' else: - examples_content_version = 'v1.0' + examples_content_version = 'v1.5' facts['common']['examples_content_version'] = examples_content_version diff --git a/roles/openshift_hosted/tasks/secure.yml b/roles/openshift_hosted/tasks/secure.yml index 0da8ac8a7..174bc39a4 100644 --- a/roles/openshift_hosted/tasks/secure.yml +++ b/roles/openshift_hosted/tasks/secure.yml @@ -42,7 +42,7 @@ - "{{ openshift_hosted_registry_routehost }}" cert: "{{ docker_registry_cert_path }}" key: "{{ docker_registry_key_path }}" - expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift_deployment_type) | bool else omit }}" + expire_days: "{{ openshift_hosted_registry_cert_expire_days }}" register: registry_self_cert when: docker_registry_self_signed diff --git a/roles/openshift_hosted_metrics/handlers/main.yml b/roles/openshift_hosted_metrics/handlers/main.yml index 88b893448..074b72942 100644 --- a/roles/openshift_hosted_metrics/handlers/main.yml +++ b/roles/openshift_hosted_metrics/handlers/main.yml @@ -18,11 +18,7 @@ # wait_for port doesn't provide health information. command: > curl --silent --tlsv1.2 - {% if openshift.common.version_gte_3_2_or_1_2 | bool %} --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt - {% else %} - --cacert {{ openshift.common.config_base }}/master/ca.crt - {% endif %} {{ openshift.master.api_url }}/healthz/ready args: # Disables the following warning: diff --git a/roles/openshift_logging/handlers/main.yml b/roles/openshift_logging/handlers/main.yml index 88b893448..074b72942 100644 --- a/roles/openshift_logging/handlers/main.yml +++ b/roles/openshift_logging/handlers/main.yml @@ -18,11 +18,7 @@ # wait_for port doesn't provide health information. command: > curl --silent --tlsv1.2 - {% if openshift.common.version_gte_3_2_or_1_2 | bool %} --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt - {% else %} - --cacert {{ openshift.common.config_base }}/master/ca.crt - {% endif %} {{ openshift.master.api_url }}/healthz/ready args: # Disables the following warning: diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml index 15f6a23e6..7f8e88036 100644 --- a/roles/openshift_logging/tasks/main.yaml +++ b/roles/openshift_logging/tasks/main.yaml @@ -3,17 +3,6 @@ msg: Only one Fluentd nodeselector key pair should be provided when: openshift_logging_fluentd_nodeselector.keys() | count > 1 -- name: Set default image variables based on deployment_type - include_vars: "{{ item }}" - with_first_found: - - "{{ openshift_deployment_type | default(deployment_type) }}.yml" - - "default_images.yml" - -- name: Set logging image facts - set_fact: - openshift_logging_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" - openshift_logging_image_version: "{{ openshift_logging_image_version | default(__openshift_logging_image_version) }}" - - name: Create temp directory for doing work in command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX register: mktemp diff --git a/roles/openshift_logging/vars/default_images.yml b/roles/openshift_logging/vars/default_images.yml deleted file mode 100644 index 1a77808f6..000000000 --- a/roles/openshift_logging/vars/default_images.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -__openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}" -__openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}" diff --git a/roles/openshift_logging/vars/openshift-enterprise.yml b/roles/openshift_logging/vars/openshift-enterprise.yml deleted file mode 100644 index f60fa8d7d..000000000 --- a/roles/openshift_logging/vars/openshift-enterprise.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -__openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('registry.access.redhat.com/openshift3/') }}" -__openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_curator/defaults/main.yml b/roles/openshift_logging_curator/defaults/main.yml index 9cae9f936..a0d221c32 100644 --- a/roles/openshift_logging_curator/defaults/main.yml +++ b/roles/openshift_logging_curator/defaults/main.yml @@ -1,7 +1,5 @@ --- ### General logging settings -openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default('latest') }}" openshift_logging_curator_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}" openshift_logging_curator_master_url: "https://kubernetes.default.svc.cluster.local" diff --git a/roles/openshift_logging_curator/tasks/determine_version.yaml b/roles/openshift_logging_curator/tasks/determine_version.yaml index 94f8b4a97..2013f4e38 100644 --- a/roles/openshift_logging_curator/tasks/determine_version.yaml +++ b/roles/openshift_logging_curator/tasks/determine_version.yaml @@ -1,16 +1,16 @@ --- # debating making this a module instead? - fail: - msg: Missing version to install provided by 'openshift_logging_image_version' - when: not openshift_logging_image_version or openshift_logging_image_version == '' + msg: Missing version to install provided by 'openshift_logging_curator_image_version' + when: not openshift_logging_curator_image_version or openshift_logging_curator_image_version == '' - set_fact: curator_version: "{{ __latest_curator_version }}" - when: openshift_logging_image_version == 'latest' + when: openshift_logging_curator_image_version == 'latest' # should we just assume that we will have the correct major version? -- set_fact: curator_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" - when: openshift_logging_image_version != 'latest' +- set_fact: curator_version="{{ openshift_logging_curator_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" + when: openshift_logging_curator_image_version != 'latest' - fail: msg: Invalid version specified for Curator diff --git a/roles/openshift_logging_curator/tasks/main.yaml b/roles/openshift_logging_curator/tasks/main.yaml index fcaf18ed4..7ddf57450 100644 --- a/roles/openshift_logging_curator/tasks/main.yaml +++ b/roles/openshift_logging_curator/tasks/main.yaml @@ -1,4 +1,17 @@ --- +- name: Set default image variables based on deployment_type + include_vars: "{{ var_file_name }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + loop_control: + loop_var: var_file_name + +- name: Set curator image facts + set_fact: + openshift_logging_curator_image_prefix: "{{ openshift_logging_curator_image_prefix | default(__openshift_logging_curator_image_prefix) }}" + openshift_logging_curator_image_version: "{{ openshift_logging_curator_image_version | default(__openshift_logging_curator_image_version) }}" + - include: determine_version.yaml # allow passing in a tempdir @@ -35,7 +48,7 @@ name: "aggregated-logging-curator" namespace: "{{ openshift_logging_namespace }}" when: - - openshift_logging_image_pull_secret == '' + - openshift_logging_image_pull_secret == '' # configmap - copy: @@ -65,12 +78,12 @@ name: "logging-curator" namespace: "{{ openshift_logging_namespace }}" files: - - name: ca - path: "{{ generated_certs_dir }}/ca.crt" - - name: key - path: "{{ generated_certs_dir }}/system.logging.curator.key" - - name: cert - path: "{{ generated_certs_dir }}/system.logging.curator.crt" + - name: ca + path: "{{ generated_certs_dir }}/ca.crt" + - name: key + path: "{{ generated_certs_dir }}/system.logging.curator.key" + - name: cert + path: "{{ generated_certs_dir }}/system.logging.curator.crt" - set_fact: curator_name: "{{ 'logging-curator' ~ ( (openshift_logging_curator_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}" @@ -104,7 +117,7 @@ namespace: "{{ openshift_logging_namespace }}" kind: dc files: - - "{{ tempdir }}/templates/curator-dc.yaml" + - "{{ tempdir }}/templates/curator-dc.yaml" delete_after: true - name: Delete temp directory diff --git a/roles/openshift_logging_curator/vars/default_images.yml b/roles/openshift_logging_curator/vars/default_images.yml new file mode 100644 index 000000000..208b41afa --- /dev/null +++ b/roles/openshift_logging_curator/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default('latest') }}" diff --git a/roles/openshift_logging_curator/vars/openshift-enterprise.yml b/roles/openshift_logging_curator/vars/openshift-enterprise.yml new file mode 100644 index 000000000..79cf131fd --- /dev/null +++ b/roles/openshift_logging_curator/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml index 9fc6fd1d8..bec4432c3 100644 --- a/roles/openshift_logging_elasticsearch/defaults/main.yml +++ b/roles/openshift_logging_elasticsearch/defaults/main.yml @@ -1,7 +1,5 @@ --- ### Common settings -openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default('latest') }}" openshift_logging_elasticsearch_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}" openshift_logging_elasticsearch_namespace: logging diff --git a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml index 1a952b5cf..c53a06019 100644 --- a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml @@ -1,18 +1,16 @@ --- # debating making this a module instead? - fail: - msg: Missing version to install provided by 'openshift_logging_image_version' - when: not openshift_logging_image_version or openshift_logging_image_version == '' + msg: Missing version to install provided by 'openshift_logging_elasticsearch_image_version' + when: not openshift_logging_elasticsearch_image_version or openshift_logging_elasticsearch_image_version == '' - set_fact: es_version: "{{ __latest_es_version }}" - when: openshift_logging_image_version == 'latest' - -- debug: var=openshift_logging_image_version + when: openshift_logging_elasticsearch_image_version == 'latest' # should we just assume that we will have the correct major version? -- set_fact: es_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" - when: openshift_logging_image_version != 'latest' +- set_fact: es_version="{{ openshift_logging_elasticsearch_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" + when: openshift_logging_elasticsearch_image_version != 'latest' - fail: msg: Invalid version specified for Elasticsearch diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index e7ef443bd..2bd02af60 100644 --- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml @@ -15,18 +15,22 @@ elasticsearch_name: "{{ 'logging-elasticsearch' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}" es_component: "{{ 'es' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}" -- include: determine_version.yaml - - name: Set default image variables based on deployment_type - include_vars: "{{ item }}" + include_vars: "{{ var_file_name }}" with_first_found: - "{{ openshift_deployment_type | default(deployment_type) }}.yml" - "default_images.yml" + loop_control: + loop_var: var_file_name -- name: Set elasticsearch_prefix image facts +- name: Set elasticsearch image facts set_fact: openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_elasticsearch_proxy_image_prefix | default(__openshift_logging_elasticsearch_proxy_image_prefix) }}" openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_elasticsearch_proxy_image_version | default(__openshift_logging_elasticsearch_proxy_image_version) }}" + openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_elasticsearch_image_prefix | default(__openshift_logging_elasticsearch_image_prefix) }}" + openshift_logging_elasticsearch_image_version: "{{ openshift_logging_elasticsearch_image_version | default(__openshift_logging_elasticsearch_image_version) }}" + +- include: determine_version.yaml # allow passing in a tempdir - name: Create temp directory for doing work in diff --git a/roles/openshift_logging_elasticsearch/vars/default_images.yml b/roles/openshift_logging_elasticsearch/vars/default_images.yml index b7d105caf..cef49dd92 100644 --- a/roles/openshift_logging_elasticsearch/vars/default_images.yml +++ b/roles/openshift_logging_elasticsearch/vars/default_images.yml @@ -1,3 +1,5 @@ --- -__openshift_logging_elasticsearch_proxy_image_prefix: "docker.io/openshift/" -__openshift_logging_elasticsearch_proxy_image_version: "v1.0.0" +__openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default('latest') }}" +__openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/') }}" +__openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_image_version | default('v1.0.0') }}" diff --git a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml index 2fd960bb5..07d92896f 100644 --- a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml +++ b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml @@ -1,3 +1,5 @@ --- +__openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" __openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" -__openshift_logging_elasticsearch_proxy_image_version: "v3.7" +__openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_eventrouter/defaults/main.yaml b/roles/openshift_logging_eventrouter/defaults/main.yaml index 4c0350c98..62542f496 100644 --- a/roles/openshift_logging_eventrouter/defaults/main.yaml +++ b/roles/openshift_logging_eventrouter/defaults/main.yaml @@ -1,6 +1,4 @@ --- -openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default('latest') }}" openshift_logging_eventrouter_replicas: 1 openshift_logging_eventrouter_sink: stdout openshift_logging_eventrouter_nodeselector: "" diff --git a/roles/openshift_logging_eventrouter/tasks/main.yaml b/roles/openshift_logging_eventrouter/tasks/main.yaml index 58e5a559f..b1f93eeb9 100644 --- a/roles/openshift_logging_eventrouter/tasks/main.yaml +++ b/roles/openshift_logging_eventrouter/tasks/main.yaml @@ -1,4 +1,17 @@ --- +- name: Set default image variables based on deployment_type + include_vars: "{{ var_file_name }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + loop_control: + loop_var: var_file_name + +- name: Set eventrouter image facts + set_fact: + openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_eventrouter_image_prefix | default(__openshift_logging_eventrouter_image_prefix) }}" + openshift_logging_eventrouter_image_version: "{{ openshift_logging_eventrouter_image_version | default(__openshift_logging_eventrouter_image_version) }}" + - include: "{{ role_path }}/tasks/install_eventrouter.yaml" when: openshift_logging_install_eventrouter | default(false) | bool diff --git a/roles/openshift_logging_eventrouter/vars/default_images.yml b/roles/openshift_logging_eventrouter/vars/default_images.yml new file mode 100644 index 000000000..dbfe2d697 --- /dev/null +++ b/roles/openshift_logging_eventrouter/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default('latest') }}" diff --git a/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml b/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml new file mode 100644 index 000000000..bb7dc6455 --- /dev/null +++ b/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml index 861935c99..9b58e4456 100644 --- a/roles/openshift_logging_fluentd/defaults/main.yml +++ b/roles/openshift_logging_fluentd/defaults/main.yml @@ -1,7 +1,5 @@ --- ### General logging settings -openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default('latest') }}" openshift_logging_fluentd_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}" openshift_logging_fluentd_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" openshift_logging_fluentd_namespace: logging diff --git a/roles/openshift_logging_fluentd/tasks/determine_version.yaml b/roles/openshift_logging_fluentd/tasks/determine_version.yaml index a1ba71b1b..6848eb512 100644 --- a/roles/openshift_logging_fluentd/tasks/determine_version.yaml +++ b/roles/openshift_logging_fluentd/tasks/determine_version.yaml @@ -1,16 +1,16 @@ --- # debating making this a module instead? - fail: - msg: Missing version to install provided by 'openshift_logging_image_version' - when: not openshift_logging_image_version or openshift_logging_image_version == '' + msg: Missing version to install provided by 'openshift_logging_fluentd_image_version' + when: not openshift_logging_fluentd_image_version or openshift_logging_fluentd_image_version == '' - set_fact: fluentd_version: "{{ __latest_fluentd_version }}" - when: openshift_logging_image_version == 'latest' + when: openshift_logging_fluentd_image_version == 'latest' # should we just assume that we will have the correct major version? -- set_fact: fluentd_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" - when: openshift_logging_image_version != 'latest' +- set_fact: fluentd_version="{{ openshift_logging_fluentd_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" + when: openshift_logging_fluentd_image_version != 'latest' - fail: msg: Invalid version specified for Fluentd diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml index 2f89c3f9f..f8683ab75 100644 --- a/roles/openshift_logging_fluentd/tasks/main.yaml +++ b/roles/openshift_logging_fluentd/tasks/main.yaml @@ -34,6 +34,19 @@ msg: WARNING Use of openshift_logging_mux_client_mode=minimal is not recommended due to current scaling issues when: openshift_logging_mux_client_mode is defined and openshift_logging_mux_client_mode == 'minimal' +- name: Set default image variables based on deployment_type + include_vars: "{{ var_file_name }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + loop_control: + loop_var: var_file_name + +- name: Set fluentd image facts + set_fact: + openshift_logging_fluentd_image_prefix: "{{ openshift_logging_fluentd_image_prefix | default(__openshift_logging_fluentd_image_prefix) }}" + openshift_logging_fluentd_image_version: "{{ openshift_logging_fluentd_image_version | default(__openshift_logging_fluentd_image_version) }}" + - include: determine_version.yaml # allow passing in a tempdir @@ -69,7 +82,7 @@ name: "aggregated-logging-fluentd" namespace: "{{ openshift_logging_fluentd_namespace }}" when: - - openshift_logging_image_pull_secret == '' + - openshift_logging_image_pull_secret == '' # set service account scc - name: Set privileged permissions for Fluentd @@ -146,12 +159,12 @@ name: logging-fluentd namespace: "{{ openshift_logging_fluentd_namespace }}" files: - - name: ca - path: "{{ generated_certs_dir }}/ca.crt" - - name: key - path: "{{ generated_certs_dir }}/system.logging.fluentd.key" - - name: cert - path: "{{ generated_certs_dir }}/system.logging.fluentd.crt" + - name: ca + path: "{{ generated_certs_dir }}/ca.crt" + - name: key + path: "{{ generated_certs_dir }}/system.logging.fluentd.key" + - name: cert + path: "{{ generated_certs_dir }}/system.logging.fluentd.crt" # create Fluentd daemonset # this should change based on the type of fluentd deployment to be done... @@ -187,7 +200,7 @@ namespace: "{{ openshift_logging_fluentd_namespace }}" kind: daemonset files: - - "{{ tempdir }}/templates/logging-fluentd.yaml" + - "{{ tempdir }}/templates/logging-fluentd.yaml" delete_after: true # Scale up Fluentd diff --git a/roles/openshift_logging_fluentd/vars/default_images.yml b/roles/openshift_logging_fluentd/vars/default_images.yml new file mode 100644 index 000000000..6d127b730 --- /dev/null +++ b/roles/openshift_logging_fluentd/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default('latest') }}" diff --git a/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml b/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml new file mode 100644 index 000000000..d0c74f1fb --- /dev/null +++ b/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_kibana/defaults/main.yml b/roles/openshift_logging_kibana/defaults/main.yml index 1366e96cd..6cdf7c8f3 100644 --- a/roles/openshift_logging_kibana/defaults/main.yml +++ b/roles/openshift_logging_kibana/defaults/main.yml @@ -2,8 +2,6 @@ ### Common settings openshift_logging_kibana_master_url: "https://kubernetes.default.svc.cluster.local" openshift_logging_kibana_master_public_url: "https://kubernetes.default.svc.cluster.local" -openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default('latest') }}" openshift_logging_kibana_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}" openshift_logging_kibana_namespace: logging @@ -25,8 +23,6 @@ openshift_logging_kibana_edge_term_policy: Redirect openshift_logging_kibana_ops_deployment: false # Proxy settings -openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default('latest') }}" openshift_logging_kibana_proxy_debug: false openshift_logging_kibana_proxy_cpu_limit: null openshift_logging_kibana_proxy_cpu_request: 100m diff --git a/roles/openshift_logging_kibana/tasks/determine_version.yaml b/roles/openshift_logging_kibana/tasks/determine_version.yaml index 53e15af5f..63e5a89f1 100644 --- a/roles/openshift_logging_kibana/tasks/determine_version.yaml +++ b/roles/openshift_logging_kibana/tasks/determine_version.yaml @@ -1,16 +1,16 @@ --- # debating making this a module instead? - fail: - msg: Missing version to install provided by 'openshift_logging_image_version' - when: not openshift_logging_image_version or openshift_logging_image_version == '' + msg: Missing version to install provided by 'openshift_logging_kibana_image_version' + when: not openshift_logging_kibana_image_version or openshift_logging_kibana_image_version == '' - set_fact: kibana_version: "{{ __latest_kibana_version }}" - when: openshift_logging_image_version == 'latest' + when: openshift_logging_kibana_image_version == 'latest' # should we just assume that we will have the correct major version? -- set_fact: kibana_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" - when: openshift_logging_image_version != 'latest' +- set_fact: kibana_version="{{ openshift_logging_kibana_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" + when: openshift_logging_kibana_image_version != 'latest' - fail: msg: Invalid version specified for Kibana diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml index 8ef8ede9a..9d99114c5 100644 --- a/roles/openshift_logging_kibana/tasks/main.yaml +++ b/roles/openshift_logging_kibana/tasks/main.yaml @@ -1,5 +1,19 @@ --- # fail is we don't have an endpoint for ES to connect to? +- name: Set default image variables based on deployment_type + include_vars: "{{ var_file_name }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + loop_control: + loop_var: var_file_name + +- name: Set kibana image facts + set_fact: + openshift_logging_kibana_image_prefix: "{{ openshift_logging_kibana_image_prefix | default(__openshift_logging_kibana_image_prefix) }}" + openshift_logging_kibana_image_version: "{{ openshift_logging_kibana_image_version | default(__openshift_logging_kibana_image_version) }}" + openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_kibana_proxy_image_prefix | default(__openshift_logging_kibana_proxy_image_prefix) }}" + openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_kibana_proxy_image_version | default(__openshift_logging_kibana_proxy_image_version) }}" - include: determine_version.yaml @@ -37,7 +51,7 @@ name: "aggregated-logging-kibana" namespace: "{{ openshift_logging_namespace }}" when: - - openshift_logging_image_pull_secret == '' + - openshift_logging_image_pull_secret == '' - set_fact: kibana_name: "{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}" @@ -58,7 +72,7 @@ content: "{{ 200 | oo_random_word }}" dest: "{{ generated_certs_dir }}/session_secret" when: - - not session_secret_file.stat.exists + - not session_secret_file.stat.exists # gen oauth_secret if necessary - name: Generate oauth secret @@ -66,19 +80,19 @@ content: "{{ 64 | oo_random_word }}" dest: "{{ generated_certs_dir }}/oauth_secret" when: - - not oauth_secret_file.stat.exists + - not oauth_secret_file.stat.exists - name: Retrieving the cert to use when generating secrets for the logging components slurp: src: "{{ generated_certs_dir }}/{{ item.file }}" register: key_pairs with_items: - - { name: "ca_file", file: "ca.crt" } - - { name: "kibana_internal_key", file: "kibana-internal.key"} - - { name: "kibana_internal_cert", file: "kibana-internal.crt"} - - { name: "server_tls", file: "server-tls.json"} - - { name: "session_secret", file: "session_secret" } - - { name: "oauth_secret", file: "oauth_secret" } + - { name: "ca_file", file: "ca.crt" } + - { name: "kibana_internal_key", file: "kibana-internal.key"} + - { name: "kibana_internal_cert", file: "kibana-internal.crt"} + - { name: "server_tls", file: "server-tls.json"} + - { name: "session_secret", file: "session_secret" } + - { name: "oauth_secret", file: "oauth_secret" } # services - name: Set {{ kibana_name }} service @@ -92,8 +106,8 @@ labels: logging-infra: 'support' ports: - - port: 443 - targetPort: "oaproxy" + - port: 443 + targetPort: "oaproxy" # create routes # TODO: set up these certs differently? @@ -144,7 +158,7 @@ namespace: "{{ openshift_logging_namespace }}" kind: route files: - - "{{ tempdir }}/templates/kibana-route.yaml" + - "{{ tempdir }}/templates/kibana-route.yaml" # preserve list of current hostnames - name: Get current oauthclient hostnames @@ -173,7 +187,7 @@ namespace: "{{ openshift_logging_namespace }}" kind: oauthclient files: - - "{{ tempdir }}/templates/oauth-client.yml" + - "{{ tempdir }}/templates/oauth-client.yml" delete_after: true # create Kibana secret @@ -183,12 +197,12 @@ name: "logging-kibana" namespace: "{{ openshift_logging_namespace }}" files: - - name: ca - path: "{{ generated_certs_dir }}/ca.crt" - - name: key - path: "{{ generated_certs_dir }}/system.logging.kibana.key" - - name: cert - path: "{{ generated_certs_dir }}/system.logging.kibana.crt" + - name: ca + path: "{{ generated_certs_dir }}/ca.crt" + - name: key + path: "{{ generated_certs_dir }}/system.logging.kibana.key" + - name: cert + path: "{{ generated_certs_dir }}/system.logging.kibana.crt" # create Kibana-proxy secret - name: Set Kibana Proxy secret @@ -205,16 +219,16 @@ #- name: server-tls.json # path: "{{ generated_certs_dir }}/server-tls.json" contents: - - path: oauth-secret - data: "{{ key_pairs | entry_from_named_pair('oauth_secret') | b64decode }}" - - path: session-secret - data: "{{ key_pairs | entry_from_named_pair('session_secret') | b64decode }}" - - path: server-key - data: "{{ key_pairs | entry_from_named_pair('kibana_internal_key') | b64decode }}" - - path: server-cert - data: "{{ key_pairs | entry_from_named_pair('kibana_internal_cert') | b64decode }}" - - path: server-tls.json - data: "{{ key_pairs | entry_from_named_pair('server_tls') | b64decode }}" + - path: oauth-secret + data: "{{ key_pairs | entry_from_named_pair('oauth_secret') | b64decode }}" + - path: session-secret + data: "{{ key_pairs | entry_from_named_pair('session_secret') | b64decode }}" + - path: server-key + data: "{{ key_pairs | entry_from_named_pair('kibana_internal_key') | b64decode }}" + - path: server-cert + data: "{{ key_pairs | entry_from_named_pair('kibana_internal_cert') | b64decode }}" + - path: server-tls.json + data: "{{ key_pairs | entry_from_named_pair('server_tls') | b64decode }}" # create Kibana DC - name: Generate Kibana DC template @@ -245,7 +259,7 @@ namespace: "{{ openshift_logging_namespace }}" kind: dc files: - - "{{ tempdir }}/templates/kibana-dc.yaml" + - "{{ tempdir }}/templates/kibana-dc.yaml" delete_after: true # update master configs? diff --git a/roles/openshift_logging_kibana/vars/default_images.yml b/roles/openshift_logging_kibana/vars/default_images.yml new file mode 100644 index 000000000..db0f9b622 --- /dev/null +++ b/roles/openshift_logging_kibana/vars/default_images.yml @@ -0,0 +1,5 @@ +--- +__openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default('latest') }}" +__openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default('latest') }}" diff --git a/roles/openshift_logging_kibana/vars/openshift-enterprise.yml b/roles/openshift_logging_kibana/vars/openshift-enterprise.yml new file mode 100644 index 000000000..0be2e7252 --- /dev/null +++ b/roles/openshift_logging_kibana/vars/openshift-enterprise.yml @@ -0,0 +1,5 @@ +--- +__openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" +__openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml index 9de686576..cd15da939 100644 --- a/roles/openshift_logging_mux/defaults/main.yml +++ b/roles/openshift_logging_mux/defaults/main.yml @@ -1,7 +1,5 @@ --- ### General logging settings -openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default('latest') }}" openshift_logging_mux_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}" openshift_logging_mux_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" openshift_logging_mux_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://' + openshift.common.public_hostname + ':' ~ (openshift_master_api_port | default('8443', true))) }}" diff --git a/roles/openshift_logging_mux/tasks/determine_version.yaml b/roles/openshift_logging_mux/tasks/determine_version.yaml index 229bcf3d5..769475dd5 100644 --- a/roles/openshift_logging_mux/tasks/determine_version.yaml +++ b/roles/openshift_logging_mux/tasks/determine_version.yaml @@ -1,16 +1,16 @@ --- # debating making this a module instead? - fail: - msg: Missing version to install provided by 'openshift_logging_image_version' - when: not openshift_logging_image_version or openshift_logging_image_version == '' + msg: Missing version to install provided by 'openshift_logging_mux_image_version' + when: not openshift_logging_mux_image_version or openshift_logging_mux_image_version == '' - set_fact: mux_version: "{{ __latest_mux_version }}" - when: openshift_logging_image_version == 'latest' + when: openshift_logging_mux_image_version == 'latest' # should we just assume that we will have the correct major version? -- set_fact: mux_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" - when: openshift_logging_image_version != 'latest' +- set_fact: mux_version="{{ openshift_logging_mux_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" + when: openshift_logging_mux_image_version != 'latest' - fail: msg: Invalid version specified for mux diff --git a/roles/openshift_logging_mux/tasks/main.yaml b/roles/openshift_logging_mux/tasks/main.yaml index 5b257139e..242d92188 100644 --- a/roles/openshift_logging_mux/tasks/main.yaml +++ b/roles/openshift_logging_mux/tasks/main.yaml @@ -7,6 +7,19 @@ msg: Operations logs destination is required when: not openshift_logging_mux_ops_host or openshift_logging_mux_ops_host == '' +- name: Set default image variables based on deployment_type + include_vars: "{{ var_file_name }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + loop_control: + loop_var: var_file_name + +- name: Set mux image facts + set_fact: + openshift_logging_mux_image_prefix: "{{ openshift_logging_mux_image_prefix | default(__openshift_logging_mux_image_prefix) }}" + openshift_logging_mux_image_version: "{{ openshift_logging_mux_image_version | default(__openshift_logging_mux_image_version) }}" + - include: determine_version.yaml # allow passing in a tempdir @@ -42,7 +55,7 @@ name: "aggregated-logging-mux" namespace: "{{ openshift_logging_mux_namespace }}" when: - - openshift_logging_image_pull_secret == '' + - openshift_logging_image_pull_secret == '' # set service account scc - name: Set privileged permissions for Mux @@ -112,14 +125,14 @@ name: logging-mux namespace: "{{ openshift_logging_mux_namespace }}" files: - - name: ca - path: "{{ generated_certs_dir }}/ca.crt" - - name: key - path: "{{ generated_certs_dir }}/system.logging.mux.key" - - name: cert - path: "{{ generated_certs_dir }}/system.logging.mux.crt" - - name: shared_key - path: "{{ generated_certs_dir }}/mux_shared_key" + - name: ca + path: "{{ generated_certs_dir }}/ca.crt" + - name: key + path: "{{ generated_certs_dir }}/system.logging.mux.key" + - name: cert + path: "{{ generated_certs_dir }}/system.logging.mux.crt" + - name: shared_key + path: "{{ generated_certs_dir }}/mux_shared_key" # services - name: Set logging-mux service for external communication @@ -133,11 +146,11 @@ labels: logging-infra: 'support' ports: - - name: mux-forward - port: "{{ openshift_logging_mux_port }}" - targetPort: "mux-forward" + - name: mux-forward + port: "{{ openshift_logging_mux_port }}" + targetPort: "mux-forward" external_ips: - - "{{ ansible_eth0.ipv4.address }}" + - "{{ ansible_eth0.ipv4.address }}" when: openshift_logging_mux_allow_external | bool - name: Set logging-mux service for internal communication @@ -151,9 +164,9 @@ labels: logging-infra: 'support' ports: - - name: mux-forward - port: "{{ openshift_logging_mux_port }}" - targetPort: "mux-forward" + - name: mux-forward + port: "{{ openshift_logging_mux_port }}" + targetPort: "mux-forward" when: not openshift_logging_mux_allow_external | bool # create Mux DC @@ -188,7 +201,7 @@ selector: "{{ openshift_logging_mux_file_buffer_pvc_pv_selector }}" storage_class_name: "{{ openshift_logging_mux_file_buffer_pvc_storage_class_name | default('', true) }}" when: - - openshift_logging_mux_file_buffer_storage_type == "pvc" + - openshift_logging_mux_file_buffer_storage_type == "pvc" - name: Set logging-mux DC oc_obj: @@ -197,7 +210,7 @@ namespace: "{{ openshift_logging_mux_namespace }}" kind: dc files: - - "{{ tempdir }}/templates/logging-mux-dc.yaml" + - "{{ tempdir }}/templates/logging-mux-dc.yaml" delete_after: true - name: Add mux namespaces diff --git a/roles/openshift_logging_mux/vars/default_images.yml b/roles/openshift_logging_mux/vars/default_images.yml new file mode 100644 index 000000000..bd5dc4504 --- /dev/null +++ b/roles/openshift_logging_mux/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default('latest') }}" diff --git a/roles/openshift_logging_mux/vars/openshift-enterprise.yml b/roles/openshift_logging_mux/vars/openshift-enterprise.yml new file mode 100644 index 000000000..1e7eb9d8d --- /dev/null +++ b/roles/openshift_logging_mux/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index f67aee88b..fbbac1176 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml @@ -7,11 +7,7 @@ # wait_for port doesn't provide health information. command: > curl --silent --tlsv1.2 - {% if openshift.common.version_gte_3_2_or_1_2 | bool %} --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt - {% else %} - --cacert {{ openshift.common.config_base }}/master/ca.crt - {% endif %} {{ openshift_node_master_api_url }}/healthz/ready args: # Disables the following warning: diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index a27fbae7e..3fb94fff8 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -31,6 +31,7 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker" oreg_auth_credentials_replace: False l_bind_docker_reg_auth: False +openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}" containerized_svc_dir: "/usr/lib/systemd/system" ha_svc_template_path: "native-cluster" @@ -66,3 +67,6 @@ openshift_master_bootstrap_enabled: False openshift_master_csr_sa: node-bootstrapper openshift_master_csr_namespace: openshift-infra + +openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml" +openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json" diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index f88c4a7dc..359536202 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml @@ -25,11 +25,7 @@ # wait_for port doesn't provide health information. command: > curl --silent --tlsv1.2 - {% if openshift.common.version_gte_3_2_or_1_2 | bool %} --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt - {% else %} - --cacert {{ openshift.common.config_base }}/master/ca.crt - {% endif %} {{ openshift.master.api_url }}/healthz/ready args: # Disables the following warning: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index c7c02d49b..b6d3539b1 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -18,12 +18,6 @@ - openshift.master.ha | bool - (openshift.master.cluster_method is not defined) or (openshift.master.cluster_method is defined and openshift.master.cluster_method not in ["native", "pacemaker"]) - fail: - msg: "'native' high availability is not supported for the requested OpenShift version" - when: - - openshift.master.ha | bool - - openshift.master.cluster_method == "native" - - not openshift.common.version_gte_3_1_or_1_1 | bool -- fail: msg: "openshift_master_cluster_password must be set for multi-master installations" when: - openshift.master.ha | bool @@ -222,8 +216,6 @@ when: openshift_master_bootstrap_enabled | default(False) - include: set_loopback_context.yml - when: - - openshift.common.version_gte_3_2_or_1_2 - name: Start and enable master api on first master systemd: diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml index cde01c49e..c95f562d0 100644 --- a/roles/openshift_master/tasks/registry_auth.yml +++ b/roles/openshift_master/tasks/registry_auth.yml @@ -8,6 +8,7 @@ - name: Create credentials for registry auth command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" when: + - not (openshift_docker_alternative_creds | default(False)) - oreg_auth_user is defined - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool register: master_oreg_auth_credentials_create @@ -18,6 +19,25 @@ - restart master api - restart master controllers +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts. This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for registry auth (alternative) + docker_creds: + path: "{{ oreg_auth_credentials_path }}" + registry: "{{ oreg_host }}" + username: "{{ oreg_auth_user }}" + password: "{{ oreg_auth_password }}" + when: + - openshift_docker_alternative_creds | default(False) | bool + - oreg_auth_user is defined + - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + register: master_oreg_auth_credentials_create + notify: + - restart master api + - restart master controllers + # Container images may need the registry credentials - name: Setup ro mount of /root/.docker for containerized hosts set_fact: diff --git a/roles/openshift_master/tasks/restart.yml b/roles/openshift_master/tasks/restart.yml new file mode 100644 index 000000000..4f8b758fd --- /dev/null +++ b/roles/openshift_master/tasks/restart.yml @@ -0,0 +1,22 @@ +--- +- name: Restart master API + service: + name: "{{ openshift.common.service_type }}-master-api" + state: restarted + when: openshift_master_ha | bool +- name: Wait for master API to come back online + wait_for: + host: "{{ openshift.common.hostname }}" + state: started + delay: 10 + port: "{{ openshift.master.api_port }}" + timeout: 600 + when: openshift_master_ha | bool +- name: Restart master controllers + service: + name: "{{ openshift.common.service_type }}-master-controllers" + state: restarted + # Ignore errrors since it is possible that type != simple for + # pre-3.1.1 installations. + ignore_errors: true + when: openshift_master_ha | bool diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml index 8420dfb8c..b0fa72f19 100644 --- a/roles/openshift_master/tasks/systemd_units.yml +++ b/roles/openshift_master/tasks/systemd_units.yml @@ -2,9 +2,6 @@ # systemd_units.yml is included both in the openshift_master role and in the upgrade # playbooks. -- include: upgrade_facts.yml - when: openshift_master_defaults_in_use is not defined - - name: Set HA Service Info for containerized installs set_fact: containerized_svc_dir: "/etc/systemd/system" diff --git a/roles/openshift_master/tasks/upgrade.yml b/roles/openshift_master/tasks/upgrade.yml new file mode 100644 index 000000000..92371921d --- /dev/null +++ b/roles/openshift_master/tasks/upgrade.yml @@ -0,0 +1,45 @@ +--- +- include: upgrade/rpm_upgrade.yml + when: not openshift.common.is_containerized | bool + +- include: upgrade/upgrade_scheduler.yml + +# master_config_hook is passed in from upgrade play. +- include: "upgrade/{{ master_config_hook }}" + when: master_config_hook is defined + +- include: journald.yml + +- include: systemd_units.yml + +- name: Check for ca-bundle.crt + stat: + path: "{{ openshift.common.config_base }}/master/ca-bundle.crt" + register: ca_bundle_stat + failed_when: false + +- name: Check for ca.crt + stat: + path: "{{ openshift.common.config_base }}/master/ca.crt" + register: ca_crt_stat + failed_when: false + +- name: Migrate ca.crt to ca-bundle.crt + command: mv ca.crt ca-bundle.crt + args: + chdir: "{{ openshift.common.config_base }}/master" + when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists + +- name: Link ca.crt to ca-bundle.crt + file: + src: "{{ openshift.common.config_base }}/master/ca-bundle.crt" + path: "{{ openshift.common.config_base }}/master/ca.crt" + state: link + when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists + +- name: Update oreg value + yedit: + src: "{{ openshift.common.config_base }}/master/master-config.yaml" + key: 'imageConfig.format' + value: "{{ oreg_url | default(oreg_url_master) }}" + when: oreg_url is defined or oreg_url_master is defined diff --git a/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml new file mode 100644 index 000000000..f914a9978 --- /dev/null +++ b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml @@ -0,0 +1,20 @@ +--- +# When we update package "a-${version}" and a requires b >= ${version} if we +# don't specify the version of b yum will choose the latest version of b +# available and the whole set of dependencies end up at the latest version. +# Since the package module, unlike the yum module, doesn't flatten a list +# of packages into one transaction we need to do that explicitly. The ansible +# core team tells us not to rely on yum module transaction flattening anyway. + +# TODO: If the sdn package isn't already installed this will install it, we +# should fix that +- name: Upgrade master packages + package: name={{ master_pkgs | join(',') }} state=present + vars: + master_pkgs: + - "{{ openshift.common.service_type }}{{ openshift_pkg_version }}" + - "{{ openshift.common.service_type }}-master{{ openshift_pkg_version }}" + - "{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}" + - "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version }}" + - "{{ openshift.common.service_type }}-clients{{ openshift_pkg_version }}" + - "tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}" diff --git a/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml new file mode 100644 index 000000000..8558bf3e9 --- /dev/null +++ b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml @@ -0,0 +1,173 @@ +--- +# Upgrade predicates +- vars: + prev_predicates: "{{ lookup('openshift_master_facts_default_predicates', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type) }}" + prev_predicates_no_region: "{{ lookup('openshift_master_facts_default_predicates', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type, regions_enabled=False) }}" + default_predicates_no_region: "{{ lookup('openshift_master_facts_default_predicates', regions_enabled=False) }}" + # older_predicates are the set of predicates that have previously been + # hard-coded into openshift_facts + older_predicates: + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - name: MaxEBSVolumeCount + - name: MaxGCEPDVolumeCount + - name: Region + argument: + serviceAffinity: + labels: + - region + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - name: Region + argument: + serviceAffinity: + labels: + - region + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: Region + argument: + serviceAffinity: + labels: + - region + # older_predicates_no_region are the set of predicates that have previously + # been hard-coded into openshift_facts, with the Region predicate removed + older_predicates_no_region: + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - name: MaxEBSVolumeCount + - name: MaxGCEPDVolumeCount + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + block: + + # Handle case where openshift_master_predicates is defined + - block: + - debug: + msg: "WARNING: openshift_master_scheduler_predicates is set to defaults from an earlier release of OpenShift current defaults are: {{ openshift_master_scheduler_default_predicates }}" + when: openshift_master_scheduler_predicates in older_predicates + older_predicates_no_region + [prev_predicates] + [prev_predicates_no_region] + + - debug: + msg: "WARNING: openshift_master_scheduler_predicates does not match current defaults of: {{ openshift_master_scheduler_default_predicates }}" + when: openshift_master_scheduler_predicates != openshift_master_scheduler_default_predicates + when: openshift_master_scheduler_predicates | default(none) is not none + + # Handle cases where openshift_master_predicates is not defined + - block: + - debug: + msg: "WARNING: existing scheduler config does not match previous known defaults automated upgrade of scheduler config is disabled.\nexisting scheduler predicates: {{ openshift_master_scheduler_current_predicates }}\ncurrent scheduler default predicates are: {{ openshift_master_scheduler_default_predicates }}" + when: + - openshift_master_scheduler_current_predicates != openshift_master_scheduler_default_predicates + - openshift_master_scheduler_current_predicates not in older_predicates + [prev_predicates] + + - set_fact: + openshift_upgrade_scheduler_predicates: "{{ openshift_master_scheduler_default_predicates }}" + when: + - openshift_master_scheduler_current_predicates != openshift_master_scheduler_default_predicates + - openshift_master_scheduler_current_predicates in older_predicates + [prev_predicates] + + - set_fact: + openshift_upgrade_scheduler_predicates: "{{ default_predicates_no_region }}" + when: + - openshift_master_scheduler_current_predicates != default_predicates_no_region + - openshift_master_scheduler_current_predicates in older_predicates_no_region + [prev_predicates_no_region] + + when: openshift_master_scheduler_predicates | default(none) is none + + +# Upgrade priorities +- vars: + prev_priorities: "{{ lookup('openshift_master_facts_default_priorities', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type) }}" + prev_priorities_no_zone: "{{ lookup('openshift_master_facts_default_priorities', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type, zones_enabled=False) }}" + default_priorities_no_zone: "{{ lookup('openshift_master_facts_default_priorities', zones_enabled=False) }}" + # older_priorities are the set of priorities that have previously been + # hard-coded into openshift_facts + older_priorities: + - - name: LeastRequestedPriority + weight: 1 + - name: SelectorSpreadPriority + weight: 1 + - name: Zone + weight: 2 + argument: + serviceAntiAffinity: + label: zone + # older_priorities_no_region are the set of priorities that have previously + # been hard-coded into openshift_facts, with the Zone priority removed + older_priorities_no_zone: + - - name: LeastRequestedPriority + weight: 1 + - name: SelectorSpreadPriority + weight: 1 + block: + + # Handle case where openshift_master_priorities is defined + - block: + - debug: + msg: "WARNING: openshift_master_scheduler_priorities is set to defaults from an earlier release of OpenShift current defaults are: {{ openshift_master_scheduler_default_priorities }}" + when: openshift_master_scheduler_priorities in older_priorities + older_priorities_no_zone + [prev_priorities] + [prev_priorities_no_zone] + + - debug: + msg: "WARNING: openshift_master_scheduler_priorities does not match current defaults of: {{ openshift_master_scheduler_default_priorities }}" + when: openshift_master_scheduler_priorities != openshift_master_scheduler_default_priorities + when: openshift_master_scheduler_priorities | default(none) is not none + + # Handle cases where openshift_master_priorities is not defined + - block: + - debug: + msg: "WARNING: existing scheduler config does not match previous known defaults automated upgrade of scheduler config is disabled.\nexisting scheduler priorities: {{ openshift_master_scheduler_current_priorities }}\ncurrent scheduler default priorities are: {{ openshift_master_scheduler_default_priorities }}" + when: + - openshift_master_scheduler_current_priorities != openshift_master_scheduler_default_priorities + - openshift_master_scheduler_current_priorities not in older_priorities + [prev_priorities] + + - set_fact: + openshift_upgrade_scheduler_priorities: "{{ openshift_master_scheduler_default_priorities }}" + when: + - openshift_master_scheduler_current_priorities != openshift_master_scheduler_default_priorities + - openshift_master_scheduler_current_priorities in older_priorities + [prev_priorities] + + - set_fact: + openshift_upgrade_scheduler_priorities: "{{ default_priorities_no_zone }}" + when: + - openshift_master_scheduler_current_priorities != default_priorities_no_zone + - openshift_master_scheduler_current_priorities in older_priorities_no_zone + [prev_priorities_no_zone] + + when: openshift_master_scheduler_priorities | default(none) is none + + +# Update scheduler +- vars: + scheduler_config: + kind: Policy + apiVersion: v1 + predicates: "{{ openshift_upgrade_scheduler_predicates + | default(openshift_master_scheduler_current_predicates) }}" + priorities: "{{ openshift_upgrade_scheduler_priorities + | default(openshift_master_scheduler_current_priorities) }}" + block: + - name: Update scheduler config + copy: + content: "{{ scheduler_config | to_nice_json }}" + dest: "{{ openshift_master_scheduler_conf }}" + backup: true + when: > + openshift_upgrade_scheduler_predicates is defined or + openshift_upgrade_scheduler_priorities is defined diff --git a/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml new file mode 100644 index 000000000..db0c8f886 --- /dev/null +++ b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml @@ -0,0 +1,15 @@ +--- +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.certFile' + yaml_value: service-signer.crt + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile' + yaml_value: service-signer.key + +- modify_yaml: + dest: "{{ openshift.common.config_base }}/master/master-config.yaml" + yaml_key: servingInfo.clientCA + yaml_value: ca.crt diff --git a/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml new file mode 100644 index 000000000..1d4d1919c --- /dev/null +++ b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml @@ -0,0 +1,20 @@ +--- +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.election.lockName' + yaml_value: 'openshift-master-controllers' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.certFile' + yaml_value: service-signer.crt + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile' + yaml_value: service-signer.key + +- modify_yaml: + dest: "{{ openshift.common.config_base }}/master/master-config.yaml" + yaml_key: servingInfo.clientCA + yaml_value: ca.crt diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 5bc135601..629fe3286 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -3,9 +3,6 @@ admissionConfig: pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }} {% endif %} apiLevels: -{% if not openshift.common.version_gte_3_1_or_1_1 | bool %} -- v1beta3 -{% endif %} - v1 apiVersion: v1 assetConfig: @@ -44,10 +41,9 @@ assetConfig: - {{ cipher_suite }} {% endfor %} {% endif %} -{% if openshift.master.audit_config | default(none) is not none and openshift.common.version_gte_3_2_or_1_2 | bool %} +{% if openshift.master.audit_config | default(none) is not none %} auditConfig:{{ openshift.master.audit_config | to_padded_yaml(level=1) }} {% endif %} -{% if openshift.common.version_gte_3_3_or_1_3 | bool %} controllerConfig: election: lockName: openshift-master-controllers @@ -55,7 +51,6 @@ controllerConfig: signer: certFile: service-signer.crt keyFile: service-signer.key -{% endif %} controllers: '*' corsAllowedOrigins: # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname @@ -74,11 +69,7 @@ dnsConfig: bindNetwork: tcp4 {% endif %} etcdClientInfo: -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} ca: {{ "ca-bundle.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }} -{% else %} - ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }} -{% endif %} certFile: master.etcd-client.crt keyFile: master.etcd-client.key urls: @@ -92,20 +83,12 @@ etcdConfig: peerServingInfo: bindAddress: {{ openshift.master.bind_addr }}:7001 certFile: etcd.server.crt -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} clientCA: ca-bundle.crt -{% else %} - clientCA: ca.crt -{% endif %} keyFile: etcd.server.key servingInfo: bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.etcd_port }} certFile: etcd.server.crt -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} clientCA: ca-bundle.crt -{% else %} - clientCA: ca.crt -{% endif %} keyFile: etcd.server.key storageDirectory: {{ r_openshift_master_data_dir }}/openshift.local.etcd {% endif %} @@ -123,21 +106,12 @@ imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level kind: MasterConfig kubeletClientInfo: {# TODO: allow user specified kubelet port #} -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} ca: ca-bundle.crt -{% else %} - ca: ca.crt -{% endif %} certFile: master.kubelet-client.crt keyFile: master.kubelet-client.key port: 10250 {% if openshift.master.embedded_kube | bool %} kubernetesMasterConfig: -{% if not openshift.common.version_gte_3_1_or_1_1 | bool %} - apiLevels: - - v1beta3 - - v1 -{% endif %} apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }} {% if r_openshift_master_etcd3_storage or ( r_openshift_master_clean_install and openshift.common.version_gte_3_6 ) %} storage-backend: @@ -160,21 +134,17 @@ kubernetesMasterConfig: {% endif %} masterClients: {# TODO: allow user to set externalKubernetesKubeConfig #} -{% if openshift.common.version_gte_3_3_or_1_3 | bool %} externalKubernetesClientConnectionOverrides: acceptContentTypes: application/vnd.kubernetes.protobuf,application/json contentType: application/vnd.kubernetes.protobuf burst: {{ openshift_master_external_ratelimit_burst | default(400) }} qps: {{ openshift_master_external_ratelimit_qps | default(200) }} -{% endif %} externalKubernetesKubeConfig: "" -{% if openshift.common.version_gte_3_3_or_1_3 | bool %} openshiftLoopbackClientConnectionOverrides: acceptContentTypes: application/vnd.kubernetes.protobuf,application/json contentType: application/vnd.kubernetes.protobuf burst: {{ openshift_master_loopback_ratelimit_burst | default(600) }} qps: {{ openshift_master_loopback_ratelimit_qps | default(300) }} -{% endif %} openshiftLoopbackKubeConfig: openshift-master.kubeconfig masterPublicURL: {{ openshift.master.public_api_url }} networkConfig: @@ -208,11 +178,7 @@ oauthConfig: {% for line in translated_identity_providers.splitlines() %} {{ line }} {% endfor %} -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} masterCA: ca-bundle.crt -{% else %} - masterCA: ca.crt -{% endif %} masterPublicURL: {{ openshift.master.public_api_url }} masterURL: {{ openshift.master.api_url }} sessionConfig: @@ -245,11 +211,7 @@ serviceAccountConfig: - default - builder - deployer -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} masterCA: ca-bundle.crt -{% else %} - masterCA: ca.crt -{% endif %} privateKeyFile: serviceaccounts.private.key publicKeyFiles: - serviceaccounts.public.key diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 index e284413f7..fae021845 100644 --- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 +++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 @@ -7,11 +7,7 @@ Wants={{ openshift.common.service_type }}-master-api.service Requires=network-online.target [Service] -{% if openshift.common.version_gte_3_1_1_or_1_1_1 | bool %} Type=notify -{% else %} -Type=simple -{% endif %} EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers Environment=GOTRACEBACK=crash ExecStart=/usr/bin/openshift start master controllers --config=${CONFIG_FILE} $OPTIONS diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index d9ffb1b6f..ec1fbb1ee 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -3,7 +3,7 @@ openshift_master_certs_no_etcd: - admin.crt - master.kubelet-client.crt - - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" + - master.proxy-client.crt - master.server.crt - openshift-master.crt - openshift-registry.crt @@ -57,9 +57,7 @@ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }} --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key - {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} --expire-days={{ openshift_master_cert_expire_days }} - {% endif %} --signer-cert={{ openshift_ca_cert }} --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} @@ -87,9 +85,7 @@ --signer-serial={{ openshift_ca_serial }} --user=system:openshift-master --basename=openshift-master - {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} --expire-days={{ openshift_master_cert_expire_days }} - {% endif %} args: creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig" with_items: "{{ hostvars diff --git a/roles/openshift_master_cluster/tasks/main.yml b/roles/openshift_master_cluster/tasks/main.yml index 0543872c9..40705d357 100644 --- a/roles/openshift_master_cluster/tasks/main.yml +++ b/roles/openshift_master_cluster/tasks/main.yml @@ -3,10 +3,6 @@ msg: "Not possible on atomic hosts for now" when: openshift.common.is_containerized | bool -- fail: - msg: "Pacemaker HA is unsupported on OpenShift Enterprise 3.2 and Origin 1.2" - when: openshift.master.cluster_method == "pacemaker" and openshift.common.version_gte_3_2_or_1_2 | bool - - name: Test if cluster is already configured command: pcs status register: pcs_status diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py index 97a5179e0..c827f2d26 100644 --- a/roles/openshift_master_facts/filter_plugins/openshift_master.py +++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py @@ -518,29 +518,16 @@ class FilterModule(object): 'admin.key', 'admin.kubeconfig', 'master.kubelet-client.crt', - 'master.kubelet-client.key'] + 'master.kubelet-client.key', + 'master.proxy-client.crt', + 'master.proxy-client.key', + 'service-signer.crt', + 'service-signer.key'] if bool(include_ca): certs += ['ca.crt', 'ca.key', 'ca-bundle.crt', 'client-ca-bundle.crt'] if bool(include_keys): certs += ['serviceaccounts.private.key', 'serviceaccounts.public.key'] - if bool(hostvars['openshift']['common']['version_gte_3_1_or_1_1']): - certs += ['master.proxy-client.crt', - 'master.proxy-client.key'] - if not bool(hostvars['openshift']['common']['version_gte_3_2_or_1_2']): - certs += ['openshift-master.crt', - 'openshift-master.key', - 'openshift-master.kubeconfig'] - if bool(hostvars['openshift']['common']['version_gte_3_3_or_1_3']): - certs += ['service-signer.crt', - 'service-signer.key'] - if not bool(hostvars['openshift']['common']['version_gte_3_5_or_1_5']): - certs += ['openshift-registry.crt', - 'openshift-registry.key', - 'openshift-registry.kubeconfig', - 'openshift-router.crt', - 'openshift-router.key', - 'openshift-router.kubeconfig'] return certs @staticmethod diff --git a/roles/openshift_metrics/handlers/main.yml b/roles/openshift_metrics/handlers/main.yml index 88b893448..074b72942 100644 --- a/roles/openshift_metrics/handlers/main.yml +++ b/roles/openshift_metrics/handlers/main.yml @@ -18,11 +18,7 @@ # wait_for port doesn't provide health information. command: > curl --silent --tlsv1.2 - {% if openshift.common.version_gte_3_2_or_1_2 | bool %} --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt - {% else %} - --cacert {{ openshift.common.config_base }}/master/ca.crt - {% endif %} {{ openshift.master.api_url }}/healthz/ready args: # Disables the following warning: diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 85ad33ad3..89d154ad7 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -85,6 +85,7 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker" oreg_auth_credentials_replace: False l_bind_docker_reg_auth: False +openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}" # NOTE # r_openshift_node_*_default may be defined external to this role. diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml index 5e5e4f94a..f5428867a 100644 --- a/roles/openshift_node/tasks/registry_auth.yml +++ b/roles/openshift_node/tasks/registry_auth.yml @@ -8,6 +8,7 @@ - name: Create credentials for registry auth command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" when: + - not (openshift_docker_alternative_creds | default(False)) - oreg_auth_user is defined - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool register: node_oreg_auth_credentials_create @@ -17,6 +18,24 @@ notify: - restart node +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts. This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for registry auth (alternative) + docker_creds: + path: "{{ oreg_auth_credentials_path }}" + registry: "{{ oreg_host }}" + username: "{{ oreg_auth_user }}" + password: "{{ oreg_auth_password }}" + when: + - openshift_docker_alternative_creds | bool + - oreg_auth_user is defined + - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + register: node_oreg_auth_credentials_create + notify: + - restart node + # Container images may need the registry credentials - name: Setup ro mount of /root/.docker for containerized hosts set_fact: diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 718d35dca..d452cc45c 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -29,13 +29,11 @@ kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yam runtime-request-timeout: - 10m {% endif %} -{% if openshift.common.version_gte_3_3_or_1_3 | bool %} masterClientConnectionOverrides: acceptContentTypes: application/vnd.kubernetes.protobuf,application/json contentType: application/vnd.kubernetes.protobuf burst: 200 qps: 100 -{% endif %} masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig {% if openshift_node_use_openshift_sdn | bool %} networkPluginName: {{ openshift_node_sdn_network_plugin_name }} diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 1a775178d..97f1fbbdd 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -66,9 +66,7 @@ --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} --user=system:node:{{ hostvars[item].openshift.common.hostname }} - {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} --expire-days={{ openshift_node_cert_expire_days }} - {% endif %} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}" with_items: "{{ hostvars @@ -82,9 +80,7 @@ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key - {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} --expire-days={{ openshift_node_cert_expire_days }} - {% endif %} --overwrite=true --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }} --signer-cert={{ openshift_ca_cert }} diff --git a/roles/openshift_node_upgrade/defaults/main.yml b/roles/openshift_node_upgrade/defaults/main.yml index 10b4c6977..1da434e6f 100644 --- a/roles/openshift_node_upgrade/defaults/main.yml +++ b/roles/openshift_node_upgrade/defaults/main.yml @@ -12,3 +12,4 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker" oreg_auth_credentials_replace: False l_bind_docker_reg_auth: False +openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}" diff --git a/roles/openshift_node_upgrade/tasks/main.yml b/roles/openshift_node_upgrade/tasks/main.yml index c1c9e0062..66c1fcc38 100644 --- a/roles/openshift_node_upgrade/tasks/main.yml +++ b/roles/openshift_node_upgrade/tasks/main.yml @@ -69,8 +69,6 @@ file: path: "/etc/systemd/system/docker.service.d/docker-sdn-ovs.conf" state: absent - when: (deployment_type == 'openshift-enterprise' and openshift_release | version_compare('3.4', '>=')) - or (deployment_type == 'origin' and openshift_release | version_compare('1.4', '>=')) - include: containerized_node_upgrade.yml when: openshift.common.is_containerized | bool diff --git a/roles/openshift_node_upgrade/tasks/registry_auth.yml b/roles/openshift_node_upgrade/tasks/registry_auth.yml index 5e5e4f94a..f5428867a 100644 --- a/roles/openshift_node_upgrade/tasks/registry_auth.yml +++ b/roles/openshift_node_upgrade/tasks/registry_auth.yml @@ -8,6 +8,7 @@ - name: Create credentials for registry auth command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" when: + - not (openshift_docker_alternative_creds | default(False)) - oreg_auth_user is defined - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool register: node_oreg_auth_credentials_create @@ -17,6 +18,24 @@ notify: - restart node +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts. This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for registry auth (alternative) + docker_creds: + path: "{{ oreg_auth_credentials_path }}" + registry: "{{ oreg_host }}" + username: "{{ oreg_auth_user }}" + password: "{{ oreg_auth_password }}" + when: + - openshift_docker_alternative_creds | bool + - oreg_auth_user is defined + - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + register: node_oreg_auth_credentials_create + notify: + - restart node + # Container images may need the registry credentials - name: Setup ro mount of /root/.docker for containerized hosts set_fact: diff --git a/roles/openshift_prometheus/tasks/install_prometheus.yaml b/roles/openshift_prometheus/tasks/install_prometheus.yaml index 00c3c1987..21da4bc9d 100644 --- a/roles/openshift_prometheus/tasks/install_prometheus.yaml +++ b/roles/openshift_prometheus/tasks/install_prometheus.yaml @@ -148,25 +148,6 @@ selector: "{{ openshift_prometheus_alertbuffer_pvc_pv_selector }}" when: openshift_prometheus_alertbuffer_storage_type == 'pvc' -# create prometheus stateful set -- name: Set prometheus template - template: - src: prometheus.j2 - dest: "{{ tempdir }}/templates/prometheus.yaml" - vars: - namespace: "{{ openshift_prometheus_namespace }}" -# prom_replicas: "{{ openshift_prometheus_replicas }}" - -- name: Set prometheus stateful set - oc_obj: - state: "{{ state }}" - name: "prometheus" - namespace: "{{ openshift_prometheus_namespace }}" - kind: statefulset - files: - - "{{ tempdir }}/templates/prometheus.yaml" - delete_after: true - # prometheus configmap # Copy the additional rules file if it is defined - name: Copy additional rules file to host @@ -236,3 +217,22 @@ namespace: "{{ openshift_prometheus_namespace }}" from_file: alertmanager.yml: "{{ tempdir }}/alertmanager.yml" + +# create prometheus stateful set +- name: Set prometheus template + template: + src: prometheus.j2 + dest: "{{ tempdir }}/templates/prometheus.yaml" + vars: + namespace: "{{ openshift_prometheus_namespace }}" +# prom_replicas: "{{ openshift_prometheus_replicas }}" + +- name: Set prometheus stateful set + oc_obj: + state: "{{ state }}" + name: "prometheus" + namespace: "{{ openshift_prometheus_namespace }}" + kind: statefulset + files: + - "{{ tempdir }}/templates/prometheus.yaml" + delete_after: true |