8 files changed, 79 insertions, 38 deletions

diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index ba2f7293b..1bc1b5e43 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -72,6 +72,15 @@
       - apiGroups: ["image.openshift.io", ""]
         resources: ["images"]
         verbs: ["get", "list"]
+      - apiGroups: ["network.openshift.io"]
+        resources: ["clusternetworks", "netnamespaces"]
+        verbs: ["get"]
+      - apiGroups: ["network.openshift.io"]
+        resources: ["netnamespaces"]
+        verbs: ["update"]
+      - apiGroups: ["networking.k8s.io"]
+        resources: ["networkpolicies"]
+        verbs: ["create", "delete"]
 
 - name: Create asb-access cluster role
   oc_clusterrole:
diff --git a/roles/openshift_aws/tasks/provision_nodes.yml b/roles/openshift_aws/tasks/provision_nodes.yml
index d82f18574..9105b5b4c 100644
--- a/roles/openshift_aws/tasks/provision_nodes.yml
+++ b/roles/openshift_aws/tasks/provision_nodes.yml
@@ -2,25 +2,12 @@
 # Get bootstrap config token
 # bootstrap should be created on first master
 # need to fetch it and shove it into cloud data
-- name: fetch master instances
-  ec2_instance_facts:
-    region: "{{ openshift_aws_region }}"
-    filters:
-      "tag:clusterid": "{{ openshift_aws_clusterid }}"
-      "tag:host-type": master
-      instance-state-name: running
-  register: instancesout
-  retries: 20
-  delay: 3
-  until:
-  - "'instances' in instancesout"
-  - instancesout.instances|length > 0
+- include_tasks: setup_master_group.yml
 
 - name: slurp down the bootstrap.kubeconfig
   slurp:
     src: /etc/origin/master/bootstrap.kubeconfig
-  delegate_to: "{{ instancesout.instances[0].public_ip_address }}"
-  remote_user: root
+  delegate_to: "{{ groups.masters.0 }}"
   register: bootstrap
 
 - name: set_fact for kubeconfig token
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index ebd2d747b..ff62b6136 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -321,9 +321,14 @@
 - name: Add Kibana route information to web console asset config
   include_role:
     name: openshift_web_console
-    tasks_from: update_asset_config.yml
+    tasks_from: update_console_config.yml
   vars:
-    asset_config_edits:
+    console_config_edits:
+    - key: clusterInfo#loggingPublicURL
+      value: "https://{{ openshift_logging_kibana_hostname }}"
+    # Continue to set the old deprecated property until the
+    # origin-web-console image is updated for the new name.
+    # This will be removed in a future pull.
     - key: loggingPublicURL
       value: "https://{{ openshift_logging_kibana_hostname }}"
   when: openshift_web_console_install | default(true) | bool
diff --git a/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
index 7870f43e2..96079884e 100644
--- a/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
+++ b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
@@ -17,6 +17,5 @@
       - "{{ openshift_service_type }}-node{{ openshift_pkg_version | default('') }}"
       - "{{ openshift_service_type }}-sdn-ovs{{ openshift_pkg_version | default('') }}"
       - "{{ openshift_service_type }}-clients{{ openshift_pkg_version | default('') }}"
-      - "tuned-profiles-{{ openshift_service_type }}-node{{ openshift_pkg_version | default('') }}"
   register: result
   until: result is succeeded
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 0866fe0d2..4a63d081e 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -74,9 +74,14 @@
 - name: Add metrics route information to web console asset config
   include_role:
     name: openshift_web_console
-    tasks_from: update_asset_config.yml
+    tasks_from: update_console_config.yml
   vars:
-    asset_config_edits:
+    console_config_edits:
+      - key: clusterInfo#metricsPublicURL
+        value: "https://{{ openshift_metrics_hawkular_hostname}}/hawkular/metrics"
+      # Continue to set the old deprecated property until the
+      # origin-web-console image is updated for the new name.
+      # This will be removed in a future pull.
       - key: metricsPublicURL
         value: "https://{{ openshift_metrics_hawkular_hostname}}/hawkular/metrics"
   when: openshift_web_console_install | default(true) | bool
diff --git a/roles/openshift_web_console/tasks/install.yml b/roles/openshift_web_console/tasks/install.yml
index 12916961b..50e72657f 100644
--- a/roles/openshift_web_console/tasks/install.yml
+++ b/roles/openshift_web_console/tasks/install.yml
@@ -21,36 +21,68 @@
     node_selector:
       - ""
 
-- name: Make temp directory for asset config files
+- name: Make temp directory for the web console config files
   command: mktemp -d /tmp/console-ansible-XXXXXX
   register: mktemp
   changed_when: False
 
-- name: Copy asset config template to temp directory
+- name: Copy the web console config template to temp directory
   copy:
     src: "{{ __console_files_location }}/{{ item }}"
     dest: "{{ mktemp.stdout }}/{{ item }}"
   with_items:
     - "{{ __console_template_file }}"
+    - "{{ __console_rbac_file }}"
     - "{{ __console_config_file }}"
 
-- name: Update asset config properties
+- name: Update the web console config properties
   yedit:
     src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
     edits:
-      - key: logoutURL
+      - key: clusterInfo#consolePublicURL
+        # Must have a trailing slash
+        value: "{{ openshift.master.public_console_url }}/"
+      - key: clusterInfo#masterPublicURL
+        value: "{{ openshift.master.public_api_url }}"
+      - key: clusterInfo#logoutPublicURL
         value: "{{ openshift.master.logout_url | default('') }}"
+      - key: features#inactivityTimeoutMinutes
+        value: "{{ openshift_web_console_inactivity_timeout_minutes | default(0) }}"
+
+      # TODO: The new extensions properties cannot be set until
+      # origin-web-console-server has been updated with the API changes since
+      # `extensions` in the old asset config was an array.
+
+      # - key: extensions#scriptURLs
+      #   value: "{{ openshift_web_console_extension_script_urls | default([]) }}"
+      # - key: extensions#stylesheetURLs
+      #   value: "{{ openshift_web_console_extension_stylesheet_urls | default([]) }}"
+      # - key: extensions#properties
+      #   value: "{{ openshift_web_console_extension_properties | default({}) }}"
+
+      # DEPRECATED PROPERTIES
+      # These properties have been renamed and will be removed from the install
+      # in a future pull. Keep both the old and new properties for now so that
+      # the install is not broken while the origin-web-console image is updated.
       - key: publicURL
         # Must have a trailing slash
         value: "{{ openshift.master.public_console_url }}/"
+      - key: logoutURL
+        value: "{{ openshift.master.logout_url | default('') }}"
       - key: masterPublicURL
         value: "{{ openshift.master.public_api_url }}"
+    separator: '#'
+    state: present
 
 - slurp:
     src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
   register: config
 
-- name: Apply template file
+- name: Reconcile with the web console RBAC file
+  shell: >
+    {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_rbac_file }}" | {{ openshift_client_binary }} auth reconcile -f -
+
+- name: Apply the web console template file
   shell: >
     {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_template_file }}"
     --param API_SERVER_CONFIG="{{ config['content'] | b64decode }}"
diff --git a/roles/openshift_web_console/tasks/update_asset_config.yml b/roles/openshift_web_console/tasks/update_console_config.yml
index 0992b32e1..e347c0193 100644
--- a/roles/openshift_web_console/tasks/update_asset_config.yml
+++ b/roles/openshift_web_console/tasks/update_console_config.yml
@@ -1,9 +1,9 @@
 ---
 # This task updates asset config values in the webconsole-config config map in
 # the openshift-web-console namespace. The values to set are pased in the
-# variable `asset_config_edits`, which is an array of objects with `key` and
+# variable `console_config_edits`, which is an array of objects with `key` and
 # `value` properties in the same format as `yedit` module `edits`. Only
-# properties passed are updated.
+# properties passed are updated. The separator for nested properties is `#`.
 #
 # Note that this triggers a redeployment on the console and a brief downtime
 # since it uses a `Recreate` strategy.
@@ -12,10 +12,10 @@
 #
 # - include_role:
 #     name: openshift_web_console
-#     tasks_from: update_asset_config.yml
+#     tasks_from: update_console_config.yml
 #   vars:
-#     asset_config_edits:
-#       - key: loggingPublicURL
+#     console_config_edits:
+#       - key: clusterInfo#loggingPublicURL
 #         value: "https://{{ openshift_logging_kibana_hostname }}"
 #   when: openshift_web_console_install | default(true) | bool
 
@@ -28,18 +28,20 @@
 
 - name: Make temp directory
   command: mktemp -d /tmp/console-ansible-XXXXXX
-  register: mktemp
+  register: mktemp_console
   changed_when: False
 
-- name: Copy asset config to temp file
+- name: Copy web console config to temp file
   copy:
     content: "{{webconsole_config.results.results[0].data['webconsole-config.yaml']}}"
-    dest: "{{ mktemp.stdout }}/webconsole-config.yaml"
+    dest: "{{ mktemp_console.stdout }}/webconsole-config.yaml"
 
-- name: Change asset config properties
+- name: Change web console config properties
   yedit:
-    src: "{{ mktemp.stdout }}/webconsole-config.yaml"
-    edits: "{{asset_config_edits}}"
+    src: "{{ mktemp_console.stdout }}/webconsole-config.yaml"
+    edits: "{{console_config_edits}}"
+    separator: '#'
+    state: present
 
 - name: Update web console config map
   oc_configmap:
@@ -47,14 +49,15 @@
     name: webconsole-config
     state: present
     from_file:
-      webconsole-config.yaml: "{{ mktemp.stdout }}/webconsole-config.yaml"
+      webconsole-config.yaml: "{{ mktemp_console.stdout }}/webconsole-config.yaml"
 
 - name: Remove temp directory
   file:
     state: absent
-    name: "{{ mktemp.stdout }}"
+    name: "{{ mktemp_console.stdout }}"
   changed_when: False
 
+# TODO: Only rollout if config has changed.
 # There's currently no command to trigger a rollout for a k8s deployment
 # without changing the pod spec. Add an annotation to force a rollout after
 # the config map has been edited.
diff --git a/roles/openshift_web_console/vars/main.yml b/roles/openshift_web_console/vars/main.yml
index 80bc56a17..e91048e38 100644
--- a/roles/openshift_web_console/vars/main.yml
+++ b/roles/openshift_web_console/vars/main.yml
@@ -2,4 +2,5 @@
 __console_files_location: "../../../files/origin-components/"
 
 __console_template_file: "console-template.yaml"
+__console_rbac_file: "console-rbac-template.yaml"
 __console_config_file: "console-config.yaml"