diff options
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/docker/defaults/main.yml | 1 | ||||
| -rw-r--r-- | roles/docker/tasks/package_docker.yml | 1 | ||||
| -rw-r--r-- | roles/openshift_management/tasks/storage/nfs_server.yml | 24 | ||||
| -rw-r--r-- | roles/openshift_master/tasks/bootstrap.yml | 3 | ||||
| -rw-r--r-- | roles/openshift_master/templates/master.yaml.v1.j2 | 5 | ||||
| -rw-r--r-- | roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 | 2 | ||||
| -rw-r--r-- | roles/openshift_service_catalog/tasks/install.yml | 27 | ||||
| -rw-r--r-- | roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 (renamed from roles/openshift_service_catalog/templates/sc_role_patching.j2) | 0 | ||||
| -rw-r--r-- | roles/openshift_service_catalog/templates/sc_view_role_patching.j2 | 11 | ||||
| -rw-r--r-- | roles/template_service_broker/files/openshift-ansible-catalog-console.js | 2 |
10 files changed, 65 insertions, 11 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index fe938e52b..f6f2bd77e 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -20,6 +20,7 @@ l2_docker_additional_registries: "{% if openshift_docker_additional_registries i l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}" l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}" +openshift_docker_use_etc_containers: False containers_registries_conf_path: /etc/containers/registries.conf r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index b16413f72..c1aedf879 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -81,6 +81,7 @@ template: dest: "{{ containers_registries_conf_path }}" src: registries.conf + when: openshift_docker_use_etc_containers | bool notify: - restart docker diff --git a/roles/openshift_management/tasks/storage/nfs_server.yml b/roles/openshift_management/tasks/storage/nfs_server.yml index 96a742c83..a1b618137 100644 --- a/roles/openshift_management/tasks/storage/nfs_server.yml +++ b/roles/openshift_management/tasks/storage/nfs_server.yml @@ -20,12 +20,26 @@ when: - openshift_management_storage_class == "nfs_external" -- name: Failed NFS server detection +- name: Failed External NFS server detection assert: that: - openshift_management_nfs_server is defined msg: | - "Unable to detect an NFS server. The 'nfs_external' - openshift_management_storage_class option requires that you set - openshift_management_storage_nfs_external_hostname. NFS hosts detected - for local nfs services: {{ groups['oo_nfs_to_config'] | join(', ') }}" + Unable to detect an NFS server. The 'nfs_external' + openshift_management_storage_class option requires that you + manually set openshift_management_storage_nfs_external_hostname + parameter. + when: + - openshift_management_storage_class == 'nfs_external' + +- name: Failed Local NFS server detection + assert: + that: + - openshift_management_nfs_server is defined + msg: | + Unable to detect an NFS server. The 'nfs' + openshift_management_storage_class option requires that you have + an 'nfs' inventory group or manually set the + openshift_management_storage_nfs_local_hostname parameter. + when: + - openshift_management_storage_class == 'nfs' diff --git a/roles/openshift_master/tasks/bootstrap.yml b/roles/openshift_master/tasks/bootstrap.yml index 1c30c1dea..f837a8bae 100644 --- a/roles/openshift_master/tasks/bootstrap.yml +++ b/roles/openshift_master/tasks/bootstrap.yml @@ -4,6 +4,9 @@ - name: create service account kubeconfig with csr rights command: "oc serviceaccounts create-kubeconfig node-bootstrapper -n openshift-infra" register: kubeconfig_out + until: kubeconfig_out.rc == 0 + retries: 24 + delay: 5 - name: put service account kubeconfig into a file on disk for bootstrap copy: diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index a1a0bfaa9..c83fc9fbb 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -58,11 +58,12 @@ controllerConfig: {% endif %} controllers: '*' corsAllowedOrigins: + # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname {% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %} - - {{ origin }} + - (?i)\A{{ origin | regex_escape() }}\z {% endfor %} {% for custom_origin in openshift.master.custom_cors_origins | default("") %} - - {{ custom_origin }} + - (?i)\A{{ custom_origin | regex_escape() }}\z {% endfor %} {% if 'disabled_features' in openshift.master %} disabledFeatures: {{ openshift.master.disabled_features | to_json }} diff --git a/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 b/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 index 4b55a0be4..6543c7c3e 100644 --- a/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 +++ b/roles/openshift_node_dnsmasq/templates/origin-dns.conf.j2 @@ -5,7 +5,7 @@ max-cache-ttl=1 enable-dbus dns-forward-max=5000 cache-size=5000 -bind-interfaces +bind-dynamic {% for interface in openshift_node_dnsmasq_except_interfaces %} except-interface={{ interface }} {% endfor %} diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index aa3ec5724..d17468b5c 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -83,7 +83,7 @@ # only do this if we don't already have the updated role info - name: Generate apply template for clusterrole/edit template: - src: sc_role_patching.j2 + src: sc_admin_edit_role_patching.j2 dest: "{{ mktemp.stdout }}/edit_sc_patch.yml" vars: original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" @@ -106,7 +106,7 @@ # only do this if we don't already have the updated role info - name: Generate apply template for clusterrole/admin template: - src: sc_role_patching.j2 + src: sc_admin_edit_role_patching.j2 dest: "{{ mktemp.stdout }}/admin_sc_patch.yml" vars: original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" @@ -120,6 +120,29 @@ when: - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) +- oc_obj: + name: view + kind: clusterrole + state: list + register: view_yaml + +# only do this if we don't already have the updated role info +- name: Generate apply template for clusterrole/view + template: + src: sc_view_role_patching.j2 + dest: "{{ mktemp.stdout }}/view_sc_patch.yml" + vars: + original_content: "{{ view_yaml.results.results[0] | to_yaml }}" + when: + - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) + +# only do this if we don't already have the updated role info +- name: update view role for service catalog access + command: > + oc replace -f {{ mktemp.stdout }}/view_sc_patch.yml + when: + - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) + - oc_adm_policy_user: namespace: kube-service-catalog resource_kind: scc diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 index 4629d5bb3..4629d5bb3 100644 --- a/roles/openshift_service_catalog/templates/sc_role_patching.j2 +++ b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 diff --git a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 new file mode 100644 index 000000000..838993854 --- /dev/null +++ b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 @@ -0,0 +1,11 @@ +{{ original_content }} +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - serviceinstances + - servicebindings + verbs: + - get + - list + - watch diff --git a/roles/template_service_broker/files/openshift-ansible-catalog-console.js b/roles/template_service_broker/files/openshift-ansible-catalog-console.js index b3a3d3428..622afb6bd 100644 --- a/roles/template_service_broker/files/openshift-ansible-catalog-console.js +++ b/roles/template_service_broker/files/openshift-ansible-catalog-console.js @@ -1 +1 @@ -window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.template_service_broker = true; +window.OPENSHIFT_CONSTANTS.TEMPLATE_SERVICE_BROKER_ENABLED = true; |