Diffstat (limited to 'roles')
4 files changed, 93 insertions, 35 deletions
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 04b5dc86b..beef77896 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1643,38 +1643,75 @@ def set_proxy_facts(facts): if 'common' in facts: common = facts['common'] - # No openshift_no_proxy settings detected, empty list for now - if 'no_proxy' not in common: - common['no_proxy'] = [] - - # _no_proxy settings set. It is just a simple string, not a - # list or anything - elif 'no_proxy' in common and isinstance(common['no_proxy'], string_types): - # no_proxy is now a list of all the comma-separated items - # in the _no_proxy value - common['no_proxy'] = common['no_proxy'].split(",") - - # at this point common['no_proxy'] is a LIST datastructure. It - # may be empty, or it may contain some hostnames or ranges. - - # We always add local dns domain, the service domain, and - # ourselves, no matter what (if you are setting any - # NO_PROXY values) - common['no_proxy'].append('.svc') - common['no_proxy'].append('.' + common['dns_domain']) - common['no_proxy'].append(common['hostname']) - - # You are also setting system proxy vars, openshift_http_proxy/openshift_https_proxy - if 'http_proxy' in common or 'https_proxy' in common: - # You want to generate no_proxy hosts and it's a boolean value - if 'generate_no_proxy_hosts' in common and safe_get_bool(common['generate_no_proxy_hosts']): - # And you want to set up no_proxy for internal hostnames - if 'no_proxy_internal_hostnames' in common: - # Split the internal_hostnames string by a comma - # and add that list to the overall no_proxy list - common['no_proxy'].extend(common['no_proxy_internal_hostnames'].split(',')) - - common['no_proxy'] = ','.join(sort_unique(common['no_proxy'])) + ###################################################################### + # We can exit early now if we don't need to set any proxy facts + proxy_params = ['no_proxy', 'https_proxy', 'http_proxy'] + # If any of the known Proxy Params (pp) are defined + proxy_settings_defined = any( + [True for pp in proxy_params if pp in common] + ) + + if not proxy_settings_defined: + common['no_proxy'] = '' + return facts + 
+ # As of 3.6 if ANY of the proxy parameters are defined in the
+ # inventory then we MUST add certain domains to the NO_PROXY
+ # environment variable.
+
+ ######################################################################
+
+ # Spot to build up some data we may insert later
+ raw_no_proxy_list = []
+
+ # Automatic 3.6 NO_PROXY additions if a proxy is in use
+ svc_cluster_name = ['.svc', '.' + common['dns_domain'], common['hostname']]
+
+ # auto_hosts: Added to NO_PROXY list if any proxy params are
+ # set in the inventory. This a list of the FQDNs of all
+ # cluster hosts:
+ auto_hosts = common['no_proxy_internal_hostnames'].split(',')
+
+ # custom_no_proxy_hosts: If you define openshift_no_proxy in
+ # inventory we automatically add those hosts to the list:
+ if 'no_proxy' in common:
+ custom_no_proxy_hosts = common['no_proxy'].split(',')
+ else:
+ custom_no_proxy_hosts = []
+
+ # This should exist no matter what. Defaults to true.
+ if 'generate_no_proxy_hosts' in common:
+ generate_no_proxy_hosts = safe_get_bool(common['generate_no_proxy_hosts'])
+
+ ######################################################################
+
+ # You set a proxy var. Now we are obliged to add some things
+ raw_no_proxy_list = svc_cluster_name + custom_no_proxy_hosts
+
+ # You did not turn openshift_generate_no_proxy_hosts to False
+ if generate_no_proxy_hosts:
+ raw_no_proxy_list.extend(auto_hosts)
+
+ ######################################################################
+
+ # Was anything actually added? There should be something by now.
+ processed_no_proxy_list = sort_unique(raw_no_proxy_list)
+ if processed_no_proxy_list != list():
+ common['no_proxy'] = ','.join(processed_no_proxy_list)
+ else:
+ # Somehow we got an empty list. This should have been
+ # skipped by now in the 'return' earlier. If
+ # common['no_proxy'] is DEFINED it will cause unexpected
+ # behavior and bad templating. Ensure it does not
+ # exist.
Even an empty list or string will have undesired
+ # side-effects.
+ del common['no_proxy']
+
+ ######################################################################
+ # In case you were wondering, because 'common' is a reference
+ # to the object facts['common'], there is no need to re-assign
+ # it.
+ return facts
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index dc8a9f089..9673841bf 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -21,7 +21,10 @@ storage:
 regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
 {% endif %}
 bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
- encrypt: false
+ encrypt: {{ openshift_hosted_registry_storage_s3_encrypt | default(false) }}
+{% if openshift_hosted_registry_storage_s3_kmskeyid %}
+ keyid: {{ openshift_hosted_registry_storage_s3_kmskeyid }}
+{% endif %}
 secure: true
 v4auth: true
 rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 2e0dcfd97..bcc7fb590 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -137,6 +137,12 @@ objects:
 - serviceclasses
 verbs:
 - create
+ - apiGroups:
+ - settings.k8s.io
+ resources:
+ - podpresets
+ verbs:
+ - create
 - kind: ClusterRoleBinding
 apiVersion: v1
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index de7511f71..4d1a38e61 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
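Review bot: `auto_hosts = common['no_proxy_internal_hostnames'].split(',')` and the later `if generate_no_proxy_hosts:` both assume keys the removed code guarded: the old branch read `no_proxy_internal_hostnames` only after `if 'no_proxy_internal_hostnames' in common`, and `generate_no_proxy_hosts` is now bound only inside `if 'generate_no_proxy_hosts' in common:`, so an inventory that sets `http_proxy` but lacks either key raises KeyError or UnboundLocalError instead of producing a NO_PROXY value (the comment above it even says "Defaults to true", but no default is assigned). Put `generate_no_proxy_hosts = True` before that `if`, and make the hostnames lookup conditional, `auto_hosts = common['no_proxy_internal_hostnames'].split(',') if 'no_proxy_internal_hostnames' in common else []`. The removed code also tolerated `common['no_proxy']` already being a list via the `string_types` check; the new unconditional `common['no_proxy'].split(',')` will fail on a list, so if facts can re-enter this function in that shape the check should be kept (the callers are not visible here). `any([True for pp in proxy_params if pp in common])` materializes a throwaway list; `any(pp in common for pp in proxy_params)` is the idiom. The enclosing `set_proxy_facts` starts before this hunk.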
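Review bot: `{% if openshift_hosted_registry_storage_s3_kmskeyid %}` tests the variable directly, while the `encrypt:` line just above guards with `| default(false)`; unless the role's defaults define `openshift_hosted_registry_storage_s3_kmskeyid` (not visible in this diff), Ansible's strict handling of undefined variables makes the whole template fail for every inventory that does not set a KMS key, which is the common case. Guard it the same way, `{% if openshift_hosted_registry_storage_s3_kmskeyid | default('') %}`, so the `keyid` block is simply skipped when no key is configured. The template also emits `keyid` even when `encrypt` renders false; a one-line comment above the block, `{# keyid is only meaningful when encrypt is true #}`, would save the next reader from wondering whether that combination is intended.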
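Review bot: The new rule grants `create` on `podpresets` in `settings.k8s.io` with no comment saying why the service catalog needs it, and this file otherwise reads as a plain RBAC listing. PodPresets are applied to matching pods at admission time when the PodPreset admission plugin is enabled, so whoever holds this role can influence the spec of other workloads in the namespaces the role covers; that is worth stating next to the rule, together with the reason it is required, for example `# PodPreset create: <reason the catalog needs this — fill in>` above the added `- apiGroups:`. The object this rule belongs to and the `ClusterRoleBinding` that follows begin and end outside the hunk, so I cannot confirm from here whether the grant is namespaced or cluster-wide; the comment should say which.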
@@ -72,16 +72,22 @@
 state: list
 register: edit_yaml
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/edit
 template:
 src: sc_role_patching.j2
 dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
 vars:
 original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
 - name: update edit role for service catalog and pod preset access
 command: >
- oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 - oc_obj:
 name: admin
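Review bot: The `when:` condition added to the template task is repeated verbatim on the `oc replace` task, and the same two copies appear again for the admin role in the next hunk, so four copies of a very long expression now have to be kept in sync; wrap each template/replace pair in a `block:` with one `when:`, or compute the boolean once with `set_fact` and reference it from both tasks. The switch from `oc apply` to `oc replace` also changes failure behaviour: `replace` errors when the object does not exist, whereas `apply` would have created it, which is only safe because the preceding `state: list` lookup that registers `edit_yaml` is expected to have found the role (that lookup starts before this hunk, so I cannot confirm it here). The task is still named `Generate apply template for clusterrole/edit`; rename it to match the command it now feeds. The clusterrole/admin hunk that follows has the same three points.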
@@ -89,16 +95,22 @@
 state: list
 register: admin_yaml
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/admin
 template:
 src: sc_role_patching.j2
 dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
 vars:
 original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
 - name: update admin role for service catalog and pod preset access
 command: >
- oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 - shell: >
 oc get policybindings/kube-system:default -n kube-system || echo "not found" |