diff options
Diffstat (limited to 'roles')
79 files changed, 569 insertions, 587 deletions
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml index ffd55f1dd..9cf665841 100644 --- a/roles/cockpit/defaults/main.yml +++ b/roles/cockpit/defaults/main.yml @@ -1,5 +1,4 @@ --- -os_firewall_use_firewalld: false os_firewall_allow: - service: cockpit-ws port: 9090/tcp diff --git a/roles/dns/README.md b/roles/dns/README.md index e238fb92e..7e0140772 100644 --- a/roles/dns/README.md +++ b/roles/dns/README.md @@ -16,6 +16,7 @@ Role Variables | `dns_zones` | Mandatory | DNS zones in which we must find the hosts | | `dns_forwarders` | If not set, the DNS will be a recursive non-forwarding DNS server | DNS forwarders to delegate the requests for hosts outside of `dns_zones` | | `dns_all_hosts` | Mandatory | Exhaustive list of hosts | +| `base_docker_image` | Optional | Base docker image to build Bind image from, used only in containerized deployments | Dependencies ------------ @@ -31,6 +32,7 @@ Example Playbook dns_forwarders: [ '8.8.8.8', '8.8.4.4' ] dns_zones: [ novalocal, openstacklocal ] dns_all_hosts: "{{ g_all_hosts }}" + base_docker_image: 'centos:centos7' License ------- diff --git a/roles/dns/defaults/main.yml b/roles/dns/defaults/main.yml new file mode 100644 index 000000000..82055c8cd --- /dev/null +++ b/roles/dns/defaults/main.yml @@ -0,0 +1,2 @@ +--- +base_docker_image: "{{ 'centos:centos7' if openshift.common.deployment_type == 'origin' else 'rhel7' }}" diff --git a/roles/dns/meta/main.yml b/roles/dns/meta/main.yml index b6e9d9ad0..048274c49 100644 --- a/roles/dns/meta/main.yml +++ b/roles/dns/meta/main.yml @@ -4,4 +4,5 @@ galaxy_info: description: Deploy and configure a DNS server company: Amadeus SAS license: ASL 2.0 -dependencies: [] +dependencies: +- { role: openshift_facts } diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml index af728585d..57a7e6269 100644 --- a/roles/dns/tasks/main.yml +++ b/roles/dns/tasks/main.yml @@ -1,18 +1,46 @@ - name: Install Bind action: "{{ ansible_pkg_mgr }} name=bind" + when: not openshift.common.is_containerized | bool + +- name: Create docker build dir + file: path=/tmp/dockerbuild state=directory + when: openshift.common.is_containerized | bool + +- name: Install dockerfile + template: + dest: "/tmp/dockerbuild/Dockerfile" + src: Dockerfile + register: install_result + when: openshift.common.is_containerized | bool + +- name: Build Bind image + docker_image: path="/tmp/dockerbuild" name="bind" state=present + when: openshift.common.is_containerized | bool + +- name: Install bind service file + template: + dest: "/etc/systemd/system/named.service" + src: named.service.j2 + register: install_result + when: openshift.common.is_containerized | bool + +- name: reload systemd + command: /usr/bin/systemctl --system daemon-reload + when: openshift.common.is_containerized | bool and install_result | changed + +- name: Create bind zone dir + file: path=/var/named state=directory + when: openshift.common.is_containerized | bool - name: Configure Bind template: src: "{{ item.src }}" dest: "{{ item.dest }}" - validate: "{{ item.validate }}" with_items: - src: openshift-cluster.zone dest: /var/named/openshift-cluster.zone - validate: "named-checkzone {{ dns_zones[0] }} %s" - src: named.conf dest: /etc/named.conf - validate: "named-checkconf %s" notify: restart bind - name: Enable Bind diff --git a/roles/dns/templates/Dockerfile b/roles/dns/templates/Dockerfile new file mode 100644 index 000000000..cdff0a228 --- /dev/null +++ b/roles/dns/templates/Dockerfile @@ -0,0 +1,11 @@ +FROM {{ base_docker_image }} +MAINTAINER Jan Provaznik <jprovazn@redhat.com> + +# install main packages: +RUN yum -y update; yum clean all; +RUN yum -y install bind-utils bind + +EXPOSE 53 + +# start services: +CMD ["/usr/sbin/named", "-f"] diff --git a/roles/dns/templates/named.service.j2 b/roles/dns/templates/named.service.j2 new file mode 100644 index 000000000..566739f25 --- /dev/null +++ b/roles/dns/templates/named.service.j2 @@ -0,0 +1,15 @@ +[Unit] +Requires=docker.service +After=docker.service +PartOf=docker.service + +[Service] +Type=simple +TimeoutStartSec=5m +ExecStartPre=/usr/bin/docker run --rm -v /etc/named.conf:/etc/named.conf -v /var/named:/var/named:z bind named-checkconf -z /etc/named.conf +ExecStartPre=-/usr/bin/docker rm -f bind +ExecStart=/usr/bin/docker run --name bind -p 53:53/udp -v /var/log:/var/log -v /etc/named.conf:/etc/named.conf -v /var/named:/var/named:z bind +ExecStop=/usr/bin/docker stop bind + +[Install] +WantedBy=docker.service diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 4a47a60fa..b9b2666fb 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -16,7 +16,7 @@ when: docker_storage_check.stat.exists | bool and not docker_version_result | skipped and docker_version_result.stdout | default('0.0', True) | version_compare('1.9', '>=') and docker_version | version_compare('1.9', '<') - name: Downgrade docker if necessary - command: "{{ ansible_pkg_mgr }} downgrade -y docker-{{ docker_version }}" + command: "{{ ansible_pkg_mgr }} swap -y docker-* docker-*{{ docker_version }}" register: docker_downgrade_result when: not docker_version_result | skipped and docker_version_result.stdout | default('0.0', True) | version_compare(docker_version, 'gt') @@ -70,6 +70,22 @@ notify: - restart docker +- name: Set Proxy Settings + lineinfile: + dest: /etc/sysconfig/docker + regexp: '^{{ item.reg_conf_var }}=.*$' + line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'" + state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}" + with_items: + - reg_conf_var: HTTP_PROXY + reg_fact_val: "{{ docker_http_proxy | default('') }}" + - reg_conf_var: HTTPS_PROXY + reg_fact_val: "{{ docker_https_proxy | default('') }}" + - reg_conf_var: NO_PROXY + reg_fact_val: "{{ docker_no_proxy | default('') | join(',') }}" + notify: + - restart docker + - name: Set various docker options lineinfile: dest: /etc/sysconfig/docker diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index a2212bacd..1cb055816 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -15,7 +15,6 @@ etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_p etcd_data_dir: /var/lib/etcd/ -os_firewall_use_firewalld: False os_firewall_allow: - service: etcd port: "{{etcd_client_port}}/tcp" diff --git a/roles/etcd_certificates/tasks/client.yml b/roles/etcd_certificates/tasks/client.yml index 7bf95809f..a9f130bb9 100644 --- a/roles/etcd_certificates/tasks/client.yml +++ b/roles/etcd_certificates/tasks/client.yml @@ -4,7 +4,7 @@ path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" state: directory mode: 0700 - with_items: etcd_needing_client_certs + with_items: etcd_needing_client_certs | default([]) - name: Create the client csr command: > @@ -19,7 +19,7 @@ ~ item.etcd_cert_prefix ~ 'client.csr' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_client_certs + with_items: etcd_needing_client_certs | default([]) - name: Sign and create the client crt command: > @@ -33,10 +33,10 @@ ~ item.etcd_cert_prefix ~ 'client.crt' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_client_certs + with_items: etcd_needing_client_certs | default([]) - file: src: "{{ etcd_ca_cert }}" dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" state: hard - with_items: etcd_needing_client_certs + with_items: etcd_needing_client_certs | default([]) diff --git a/roles/etcd_certificates/tasks/main.yml b/roles/etcd_certificates/tasks/main.yml index 3bb715943..17092ca58 100644 --- a/roles/etcd_certificates/tasks/main.yml +++ b/roles/etcd_certificates/tasks/main.yml @@ -1,6 +1,6 @@ --- - include: client.yml - when: etcd_needing_client_certs is defined and etcd_needing_client_certs + when: etcd_needing_client_certs | default([]) | length > 0 - include: server.yml - when: etcd_needing_server_certs is defined and etcd_needing_server_certs + when: etcd_needing_server_certs | default([]) | length > 0 diff --git a/roles/etcd_certificates/tasks/server.yml b/roles/etcd_certificates/tasks/server.yml index 2589c5192..223917ccd 100644 --- a/roles/etcd_certificates/tasks/server.yml +++ b/roles/etcd_certificates/tasks/server.yml @@ -4,7 +4,7 @@ path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" state: directory mode: 0700 - with_items: etcd_needing_server_certs + with_items: etcd_needing_server_certs | default([]) - name: Create the server csr command: > @@ -19,7 +19,7 @@ ~ item.etcd_cert_prefix ~ 'server.csr' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: etcd_needing_server_certs | default([]) - name: Sign and create the server crt command: > @@ -33,7 +33,7 @@ ~ item.etcd_cert_prefix ~ 'server.crt' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: etcd_needing_server_certs | default([]) - name: Create the peer csr command: > @@ -48,7 +48,7 @@ ~ item.etcd_cert_prefix ~ 'peer.csr' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: etcd_needing_server_certs | default([]) - name: Sign and create the peer crt command: > @@ -62,10 +62,10 @@ ~ item.etcd_cert_prefix ~ 'peer.crt' }}" environment: SAN: "IP:{{ item.etcd_ip }}" - with_items: etcd_needing_server_certs + with_items: etcd_needing_server_certs | default([]) - file: src: "{{ etcd_ca_cert }}" dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" state: hard - with_items: etcd_needing_server_certs + with_items: etcd_needing_server_certs | default([]) diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml index f9b9ae7f1..981ea5c7a 100644 --- a/roles/flannel/handlers/main.yml +++ b/roles/flannel/handlers/main.yml @@ -1,8 +1,8 @@ --- - name: restart flanneld - sudo: true + become: yes service: name=flanneld state=restarted - name: restart docker - sudo: true + become: yes service: name=docker state=restarted diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml index aa27b674e..6b6dfb423 100644 --- a/roles/flannel/tasks/main.yml +++ b/roles/flannel/tasks/main.yml @@ -1,11 +1,11 @@ --- - name: Install flannel - sudo: true + become: yes action: "{{ ansible_pkg_mgr }} name=flannel state=present" when: not openshift.common.is_containerized | bool - name: Set flannel etcd url - sudo: true + become: yes lineinfile: dest: /etc/sysconfig/flanneld backrefs: yes @@ -13,7 +13,7 @@ line: '\1{{ etcd_hosts|join(",") }}' - name: Set flannel etcd key - sudo: true + become: yes lineinfile: dest: /etc/sysconfig/flanneld backrefs: yes @@ -21,7 +21,7 @@ line: '\1{{ flannel_etcd_key }}' - name: Set flannel options - sudo: true + become: yes lineinfile: dest: /etc/sysconfig/flanneld backrefs: yes @@ -29,7 +29,7 @@ line: '\1--iface {{ flannel_interface }} --etcd-cafile={{ etcd_peer_ca_file }} --etcd-keyfile={{ etcd_peer_key_file }} --etcd-certfile={{ etcd_peer_cert_file }}' - name: Enable flanneld - sudo: true + become: yes service: name: flanneld state: started @@ -37,7 +37,7 @@ register: start_result - name: Remove docker bridge ip - sudo: true + become: yes shell: ip a del `ip a show docker0 | grep "inet[[:space:]]" | awk '{print $2}'` dev docker0 notify: - restart docker diff --git a/roles/flannel_register/tasks/main.yml b/roles/flannel_register/tasks/main.yml index 1629157c8..845b7ef40 100644 --- a/roles/flannel_register/tasks/main.yml +++ b/roles/flannel_register/tasks/main.yml @@ -1,14 +1,14 @@ --- - name: Assures /etc/flannel dir exists - sudo: true + become: yes file: path=/etc/flannel state=directory - name: Generate etcd configuration for etcd - sudo: true + become: yes template: src: "flannel-config.json" dest: "/etc/flannel/config.json" - name: Insert flannel configuration into etcd - sudo: true + become: yes command: 'curl -L --cacert "{{ etcd_peer_ca_file }}" --cert "{{ etcd_peer_cert_file }}" --key "{{ etcd_peer_key_file }}" "{{ etcd_hosts[0] }}/v2/keys{{ flannel_etcd_key }}/config" -XPUT --data-urlencode value@/etc/flannel/config.json' diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index 937d94209..a1524cfe1 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -15,7 +15,6 @@ haproxy_backends: address: 127.0.0.1:9000 opts: check -os_firewall_use_firewalld: False os_firewall_allow: - service: haproxy stats port: "9000/tcp" diff --git a/roles/kube_nfs_volumes/README.md b/roles/kube_nfs_volumes/README.md index 1520f79b2..dd91ad8b1 100644 --- a/roles/kube_nfs_volumes/README.md +++ b/roles/kube_nfs_volumes/README.md @@ -94,7 +94,7 @@ partitions. * Create an ansible playbook, say `setupnfs.yaml`: ``` - hosts: nfsservers - sudo: yes + become: yes roles: - role: kube_nfs_volumes disks: "/dev/sdb,/dev/sdc" diff --git a/roles/nuage_master/defaults/main.yaml b/roles/nuage_master/defaults/main.yaml new file mode 100644 index 000000000..cf670a9e1 --- /dev/null +++ b/roles/nuage_master/defaults/main.yaml @@ -0,0 +1,4 @@ +--- +nuage_master_cspadminpasswd: "" +nuage_master_adminusername: admin +nuage_master_adminuserpasswd: admin diff --git a/roles/nuage_master/files/serviceaccount.sh b/roles/nuage_master/files/serviceaccount.sh deleted file mode 100644 index f6fdb8a8d..000000000 --- a/roles/nuage_master/files/serviceaccount.sh +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash -# Parse CLI options -for i in "$@"; do - case $i in - --master-cert-dir=*) - MASTER_DIR="${i#*=}" - CA_CERT=${MASTER_DIR}/ca.crt - CA_KEY=${MASTER_DIR}/ca.key - CA_SERIAL=${MASTER_DIR}/ca.serial.txt - ADMIN_FILE=${MASTER_DIR}/admin.kubeconfig - ;; - --server=*) - SERVER="${i#*=}" - ;; - --output-cert-dir=*) - OUTDIR="${i#*=}" - CONFIG_FILE=${OUTDIR}/nuage.kubeconfig - ;; - esac -done - -# If any are missing, print the usage and exit -if [ -z $SERVER ] || [ -z $OUTDIR ] || [ -z $MASTER_DIR ]; then - echo "Invalid syntax: $@" - echo "Usage:" - echo " $0 --server=<address>:<port> --output-cert-dir=/path/to/output/dir/ --master-cert-dir=/path/to/master/" - echo "--master-cert-dir: Directory where the master's configuration is held" - echo "--server: Address of Kubernetes API server (default port is 8443)" - echo "--output-cert-dir: Directory to put artifacts in" - echo "" - echo "All options are required" - exit 1 -fi - -# Login as admin so that we can create the service account -oc login -u system:admin --config=$ADMIN_FILE || exit 1 -oc project default --config=$ADMIN_FILE - -ACCOUNT_CONFIG=' -{ - "apiVersion": "v1", - "kind": "ServiceAccount", - "metadata": { - "name": "nuage" - } -} -' - -# Create the account with the included info -echo $ACCOUNT_CONFIG|oc create --config=$ADMIN_FILE -f - - -# Add the cluser-reader role, which allows this service account read access to -# everything in the cluster except secrets -oadm policy add-cluster-role-to-user cluster-reader system:serviceaccounts:default:nuage --config=$ADMIN_FILE - -# Generate certificates and a kubeconfig for the service account -oadm create-api-client-config --certificate-authority=${CA_CERT} --client-dir=${OUTDIR} --signer-cert=${CA_CERT} --signer-key=${CA_KEY} --signer-serial=${CA_SERIAL} --user=system:serviceaccounts:default:nuage --master=${SERVER} --public-master=${SERVER} --basename='nuage' - -# Verify the finalized kubeconfig -if ! [ $(oc whoami --config=$CONFIG_FILE) == 'system:serviceaccounts:default:nuage' ]; then - echo "Service account creation failed!" - exit 1 -fi diff --git a/roles/nuage_master/handlers/main.yaml b/roles/nuage_master/handlers/main.yaml index 5d133cf16..56224cf82 100644 --- a/roles/nuage_master/handlers/main.yaml +++ b/roles/nuage_master/handlers/main.yaml @@ -1,6 +1,6 @@ --- - name: restart nuage-openshift-monitor - sudo: true + become: yes service: name=nuage-openshift-monitor state=restarted - name: restart master diff --git a/roles/nuage_master/tasks/main.yaml b/roles/nuage_master/tasks/main.yaml index abeee3d71..b8eaede3b 100644 --- a/roles/nuage_master/tasks/main.yaml +++ b/roles/nuage_master/tasks/main.yaml @@ -1,22 +1,20 @@ --- - name: Create directory /usr/share/nuage-openshift-monitor - sudo: true + become: yes file: path=/usr/share/nuage-openshift-monitor state=directory - name: Create the log directory - sudo: true + become: yes file: path={{ nuage_mon_rest_server_logdir }} state=directory - name: Install Nuage Openshift Monitor - sudo: true + become: yes yum: name={{ nuage_openshift_rpm }} state=present -- name: Run the service account creation script - sudo: true - script: serviceaccount.sh --server={{ openshift.master.api_url }} --output-cert-dir={{ cert_output_dir }} --master-cert-dir={{ openshift_master_config_dir }} +- include: serviceaccount.yml - name: Download the certs and keys - sudo: true + become: yes fetch: src={{ cert_output_dir }}/{{ item }} dest=/tmp/{{ item }} flat=yes with_items: - ca.crt @@ -27,7 +25,7 @@ - include: certificates.yml - name: Create nuage-openshift-monitor.yaml - sudo: true + become: yes template: src=nuage-openshift-monitor.j2 dest=/usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml owner=root mode=0644 notify: - restart master diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml new file mode 100644 index 000000000..5b4af5824 --- /dev/null +++ b/roles/nuage_master/tasks/serviceaccount.yml @@ -0,0 +1,51 @@ +--- +- name: Create temporary directory for admin kubeconfig + command: mktemp -u /tmp/openshift-ansible-XXXXXXX.kubeconfig + register: nuage_tmp_conf_mktemp + changed_when: False + +- set_fact: + nuage_tmp_conf: "{{ nuage_tmp_conf_mktemp.stdout }}" + +- name: Copy Configuration to temporary conf + command: > + cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{nuage_tmp_conf}} + changed_when: false + +- name: Create Admin Service Account + shell: > + echo {{ nuage_service_account_config | to_json | quote }} | + {{ openshift.common.client_binary }} create + -n default + --config={{nuage_tmp_conf}} + -f - + register: osnuage_create_service_account + failed_when: "'already exists' not in osnuage_create_service_account.stderr and osnuage_create_service_account.rc != 0" + changed_when: osnuage_create_service_account.rc == 0 + +- name: Configure role/user permissions + command: > + {{ openshift.common.admin_binary }} {{item}} + --config={{nuage_tmp_conf}} + with_items: "{{nuage_tasks}}" + register: osnuage_perm_task + failed_when: "'already exists' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0" + changed_when: osnuage_perm_task.rc == 0 + +- name: Generate the node client config + command: > + {{ openshift.common.admin_binary }} create-api-client-config + --certificate-authority={{ openshift_master_ca_cert }} + --client-dir={{ cert_output_dir }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.api_url }} + --signer-cert={{ openshift_master_ca_cert }} + --signer-key={{ openshift_master_ca_key }} + --signer-serial={{ openshift_master_ca_serial }} + --basename='nuage' + --user={{ nuage_service_account }} + +- name: Clean temporary configuration file + command: > + rm -f {{nuage_tmp_conf}} + changed_when: false diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml index c4c15d65c..5bc735bb6 100644 --- a/roles/nuage_master/vars/main.yaml +++ b/roles/nuage_master/vars/main.yaml @@ -1,4 +1,7 @@ openshift_master_config_dir: "{{ openshift.common.config_base }}/master" +openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" +openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" +openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" ca_cert: "{{ openshift_master_config_dir }}/ca.crt" admin_config: "{{ openshift.common.config_base }}/master/admin.kubeconfig" cert_output_dir: /usr/share/nuage-openshift-monitor @@ -15,6 +18,13 @@ nuage_ca_master_rest_server_key: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonSe nuage_ca_master_rest_server_crt: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.crt" nuage_master_crt_dir : /usr/share/nuage-openshift-monitor -nuage_master_cspadminpasswd: '' -nuage_master_adminsusername: 'admin' -nuage_master_adminuserpasswd: 'admin' +nuage_service_account: system:serviceaccount:default:nuage + +nuage_service_account_config: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: nuage + +nuage_tasks: + - policy add-cluster-role-to-user cluster-reader {{ nuage_service_account }} diff --git a/roles/nuage_node/handlers/main.yaml b/roles/nuage_node/handlers/main.yaml index 25482a845..5f2b97ae2 100644 --- a/roles/nuage_node/handlers/main.yaml +++ b/roles/nuage_node/handlers/main.yaml @@ -1,8 +1,8 @@ --- - name: restart vrs - sudo: true + become: yes service: name=openvswitch state=restarted - name: restart node - sudo: true + become: yes service: name={{ openshift.common.service_type }}-node state=restarted diff --git a/roles/nuage_node/tasks/main.yaml b/roles/nuage_node/tasks/main.yaml index d7dd53802..1146573d3 100644 --- a/roles/nuage_node/tasks/main.yaml +++ b/roles/nuage_node/tasks/main.yaml @@ -1,27 +1,27 @@ --- - name: Install Nuage VRS - sudo: true + become: yes yum: name={{ vrs_rpm }} state=present - name: Set the uplink interface - sudo: true + become: yes lineinfile: dest={{ vrs_config }} regexp=^NETWORK_UPLINK_INTF line='NETWORK_UPLINK_INTF={{ uplink_interface }}' - name: Set the Active Controller - sudo: true + become: yes lineinfile: dest={{ vrs_config }} regexp=^ACTIVE_CONTROLLER line='ACTIVE_CONTROLLER={{ vsc_active_ip }}' - name: Set the Standby Controller - sudo: true + become: yes lineinfile: dest={{ vrs_config }} regexp=^STANDBY_CONTROLLER line='STANDBY_CONTROLLER={{ vsc_standby_ip }}' when: vsc_standby_ip is defined - name: Install plugin rpm - sudo: true + become: yes yum: name={{ plugin_rpm }} state=present - name: Copy the certificates and keys - sudo: true + become: yes copy: src="/tmp/{{ item }}" dest="{{ vsp_openshift_dir }}/{{ item }}" with_items: - ca.crt @@ -32,7 +32,7 @@ - include: certificates.yml - name: Set the vsp-openshift.yaml - sudo: true + become: yes template: src=vsp-openshift.j2 dest={{ vsp_openshift_yaml }} owner=root mode=0644 notify: - restart vrs diff --git a/roles/openshift_builddefaults/meta/main.yml b/roles/openshift_builddefaults/meta/main.yml new file mode 100644 index 000000000..422d08400 --- /dev/null +++ b/roles/openshift_builddefaults/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: Scott Dodson + description: OpenShift Build Defaults configuration + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: openshift_facts diff --git a/roles/openshift_builddefaults/tasks/main.yml b/roles/openshift_builddefaults/tasks/main.yml new file mode 100644 index 000000000..6a4e919e8 --- /dev/null +++ b/roles/openshift_builddefaults/tasks/main.yml @@ -0,0 +1,24 @@ +--- +- name: Set builddefaults + openshift_facts: + role: builddefaults + # TODO: add ability to define builddefaults env vars sort of like this + # may need to move the config generation to a filter however. + # openshift_env: "{{ hostvars + # | oo_merge_hostvars(vars, inventory_hostname) + # | oo_openshift_env }}" + # openshift_env_structures: + # - 'openshift.builddefaults.env.*' + local_facts: + http_proxy: "{{ openshift_builddefaults_http_proxy | default(None) }}" + https_proxy: "{{ openshift_builddefaults_https_proxy | default(None) }}" + no_proxy: "{{ openshift_builddefaults_no_proxy | default(None) }}" + git_http_proxy: "{{ openshift_builddefaults_git_http_proxy | default(None) }}" + git_https_proxy: "{{ openshift_builddefaults_git_https_proxy | default(None) }}" + +- name: Set builddefaults config structure + openshift_facts: + role: builddefaults + local_facts: + config: "{{ openshift_builddefaults_json | default(builddefaults_yaml) }}" + diff --git a/roles/openshift_builddefaults/vars/main.yml b/roles/openshift_builddefaults/vars/main.yml new file mode 100644 index 000000000..9727c73a5 --- /dev/null +++ b/roles/openshift_builddefaults/vars/main.yml @@ -0,0 +1,15 @@ +--- +builddefaults_yaml: + BuildDefaults: + configuration: + apiVersion: v1 + kind: BuildDefaultsConfig + gitHTTPProxy: "{{ openshift.builddefaults.git_http_proxy | default('', true) }}" + gitHTTPSProxy: "{{ openshift.builddefaults.git_https_proxy | default('', true) }}" + env: + - name: HTTP_PROXY + value: "{{ openshift.builddefaults.http_proxy | default('', true) }}" + - name: HTTPS_PROXY + value: "{{ openshift.builddefaults.https_proxy | default('', true) }}" + - name: NO_PROXY + value: "{{ openshift.builddefaults.no_proxy | default('', true) | join(',') }}" diff --git a/roles/openshift_cloud_provider/tasks/main.yml b/roles/openshift_cloud_provider/tasks/main.yml index d7442924f..6111d1207 100644 --- a/roles/openshift_cloud_provider/tasks/main.yml +++ b/roles/openshift_cloud_provider/tasks/main.yml @@ -2,8 +2,8 @@ - name: Set cloud provider facts openshift_facts: role: cloudprovider - openshift_env: "{{ hostvars[inventory_hostname] - | oo_merge_dicts(hostvars) + openshift_env: "{{ hostvars + | oo_merge_hostvars(vars, inventory_hostname) | oo_openshift_env }}" openshift_env_structures: - 'openshift.cloudprovider.aws.*' diff --git a/roles/openshift_cloud_provider/templates/openstack.conf.j2 b/roles/openshift_cloud_provider/templates/openstack.conf.j2 index 1b70edc16..8a06b3a08 100644 --- a/roles/openshift_cloud_provider/templates/openstack.conf.j2 +++ b/roles/openshift_cloud_provider/templates/openstack.conf.j2 @@ -11,7 +11,6 @@ tenant-name = {{ openshift.cloudprovider.openstack.tenant_name }} region = {{ openshift.cloudprovider.openstack.region }} {% endif %} {% if 'lb_subnet_id' in openshift.cloudprovider.openstack %} -+ -+[LoadBalancer] -+subnet-id = {{ openshift.cloudprovider.openstack.lb_subnet_id }} -+{% endif %} +[LoadBalancer] +subnet-id = {{ openshift.cloudprovider.openstack.lb_subnet_id }} +{% endif %} diff --git a/roles/openshift_cluster_metrics/tasks/main.yml b/roles/openshift_cluster_metrics/tasks/main.yml index d45f62eca..1fc8a074a 100644 --- a/roles/openshift_cluster_metrics/tasks/main.yml +++ b/roles/openshift_cluster_metrics/tasks/main.yml @@ -28,7 +28,6 @@ cluster-reader system:serviceaccount:default:heapster register: oex_cluster_header_role - register: oex_cluster_header_role failed_when: "'already exists' not in oex_cluster_header_role.stderr and oex_cluster_header_role.rc != 0" changed_when: false diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml index d5166b52e..4ec255dbc 100644 --- a/roles/openshift_common/tasks/main.yml +++ b/roles/openshift_common/tasks/main.yml @@ -27,7 +27,6 @@ use_nuage: "{{ openshift_use_nuage | default(None) }}" use_manageiq: "{{ openshift_use_manageiq | default(None) }}" data_dir: "{{ openshift_data_dir | default(None) }}" - portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}" use_dnsmasq: "{{ openshift_use_dnsmasq | default(None) }}" # Using oo_image_tag_to_rpm_version here is a workaround for how diff --git a/roles/openshift_common/vars/main.yml b/roles/openshift_common/vars/main.yml deleted file mode 100644 index 50816d319..000000000 --- a/roles/openshift_common/vars/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# TODO: Upstream kubernetes only supports iptables currently, if this changes, -# then these variable should be moved to defaults -# TODO: it might be possible to still use firewalld if we wire up the created -# chains with the public zone (or the zone associated with the correct -# interfaces) -os_firewall_use_firewalld: False diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml index 23613b762..4e5cec82f 100644 --- a/roles/openshift_docker/tasks/main.yml +++ b/roles/openshift_docker/tasks/main.yml @@ -4,12 +4,13 @@ # openshift_image_tag correctly for upgrades. - name: Set version when containerized command: > - docker run --rm {{ openshift.common.cli_image }}:latest version + docker run --rm {{ openshift.common.cli_image }} version register: cli_image_version when: openshift.common.is_containerized is defined and openshift.common.is_containerized | bool and openshift_image_tag is not defined - set_fact: - l_image_tag: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0] }}" + l_image_tag: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2] | join('-') if openshift.common.deployment_type == 'origin' else + cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0] }}" when: openshift.common.is_containerized is defined and openshift.common.is_containerized | bool and openshift_image_tag is not defined - set_fact: @@ -23,6 +24,6 @@ with_items: - role: docker local_facts: - openshift_image_tag: "{{ l_image_tag }}" - openshift_version: "{{ l_image_tag if l_image_tag is defined else '' | oo_image_tag_to_rpm_version }}" + openshift_image_tag: "{{ l_image_tag | default(None) }}" + openshift_version: "{{ l_image_tag.split('-')[0] | oo_image_tag_to_rpm_version if l_image_tag is defined else '' }}" when: openshift.common.is_containerized is defined and openshift.common.is_containerized | bool diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml index 89393168b..3acd2bba8 100644 --- a/roles/openshift_docker_facts/tasks/main.yml +++ b/roles/openshift_docker_facts/tasks/main.yml @@ -27,6 +27,9 @@ docker_log_options: "{{ openshift.docker.log_options | default(omit) }}" docker_push_dockerhub: "{{ openshift.docker.disable_push_dockerhub | default(omit) }}" + docker_http_proxy: "{{ openshift.common.http_proxy | default(omit) }}" + docker_https_proxy: "{{ openshift.common.https_proxy | default(omit) }}" + docker_no_proxy: "{{ openshift.common.no_proxy | default(omit) }}" - set_fact: docker_options: > diff --git a/roles/openshift_etcd_facts/meta/main.yml b/roles/openshift_etcd_facts/meta/main.yml index 18d289ea1..925aa9f92 100644 --- a/roles/openshift_etcd_facts/meta/main.yml +++ b/roles/openshift_etcd_facts/meta/main.yml @@ -12,4 +12,4 @@ galaxy_info: categories: - cloud dependencies: -- role: openshift_common +- role: openshift_facts diff --git a/roles/openshift_expand_partition/README.md b/roles/openshift_expand_partition/README.md index aed4ec871..c9c7b378c 100644 --- a/roles/openshift_expand_partition/README.md +++ b/roles/openshift_expand_partition/README.md @@ -45,7 +45,7 @@ space on /dev/xvda, and the file system will be expanded to fill the new partition space. - hosts: mynodes - sudo: no + become: no remote_user: root gather_facts: no roles: @@ -68,7 +68,7 @@ partition space. * Create an ansible playbook, say `expandvar.yaml`: ``` - hosts: mynodes - sudo: no + become: no remote_user: root gather_facts: no roles: diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 48b117b8f..cb8301da4 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -499,12 +499,12 @@ def set_dnsmasq_facts_if_unset(facts): """ if 'common' in facts: - if 'use_dnsmasq' not in facts['common'] and facts['common']['version_gte_3_2_or_1_2']: + if 'use_dnsmasq' not in facts['common'] and safe_get_bool(facts['common']['version_gte_3_2_or_1_2']): facts['common']['use_dnsmasq'] = True else: facts['common']['use_dnsmasq'] = False if 'master' in facts and 'dns_port' not in facts['master']: - if facts['common']['use_dnsmasq']: + if safe_get_bool(facts['common']['use_dnsmasq']): facts['master']['dns_port'] = 8053 else: facts['master']['dns_port'] = 53 @@ -1276,7 +1276,12 @@ def merge_facts(orig, new, additive_facts_to_overwrite, protected_facts_to_overw facts[key] = copy.deepcopy(value) new_keys = set(new.keys()) - set(orig.keys()) for key in new_keys: - facts[key] = copy.deepcopy(new[key]) + # Watchout for JSON facts that sometimes load as strings. + # (can happen if the JSON contains a boolean) + if key in inventory_json_facts and isinstance(new[key], basestring): + facts[key] = yaml.safe_load(new[key]) + else: + facts[key] = copy.deepcopy(new[key]) return facts def save_local_facts(filename, facts): @@ -1327,6 +1332,23 @@ def get_local_facts_from_file(filename): return local_facts +def sort_unique(alist): + """ Sorts and de-dupes a list + + Args: + list: a list + Returns: + list: a sorted de-duped list + """ + + alist.sort() + out = list() + for i in alist: + if i not in out: + out.append(i) + + return out + def safe_get_bool(fact): """ Get a boolean fact safely. @@ -1337,6 +1359,62 @@ def safe_get_bool(fact): """ return bool(strtobool(str(fact))) +def set_proxy_facts(facts): + """ Set global proxy facts and promote defaults from http_proxy, https_proxy, + no_proxy to the more specific builddefaults and builddefaults_git vars. + 1. http_proxy, https_proxy, no_proxy + 2. builddefaults_* + 3. builddefaults_git_* + + Args: + facts(dict): existing facts + Returns: + facts(dict): Updated facts with missing values + """ + if 'common' in facts: + common = facts['common'] + if 'http_proxy' in common or 'https_proxy' in common: + if 'no_proxy' in common and \ + isinstance(common['no_proxy'], basestring): + common['no_proxy'] = common['no_proxy'].split(",") + elif 'no_proxy' not in common: + common['no_proxy'] = [] + if 'generate_no_proxy_hosts' in common and \ + safe_get_bool(common['generate_no_proxy_hosts']): + if 'no_proxy_internal_hostnames' in common: + common['no_proxy'].extend(common['no_proxy_internal_hostnames'].split(',')) + common['no_proxy'].append('.' + common['dns_domain']) + # We always add ourselves no matter what + common['no_proxy'].append(common['hostname']) + common['no_proxy'] = sort_unique(common['no_proxy']) + facts['common'] = common + + if 'builddefaults' in facts: + builddefaults = facts['builddefaults'] + common = facts['common'] + # Copy values from common to builddefaults + if 'http_proxy' not in builddefaults and 'http_proxy' in common: + builddefaults['http_proxy'] = common['http_proxy'] + if 'https_proxy' not in builddefaults and 'https_proxy' in common: + builddefaults['https_proxy'] = common['https_proxy'] + if 'no_proxy' not in builddefaults and 'no_proxy' in common: + builddefaults['no_proxy'] = common['no_proxy'] + if 'git_http_proxy' not in builddefaults and 'http_proxy' in builddefaults: + builddefaults['git_http_proxy'] = builddefaults['http_proxy'] + if 'git_https_proxy' not in builddefaults and 'https_proxy' in builddefaults: + builddefaults['git_https_proxy'] = builddefaults['https_proxy'] + # If we're actually defining a proxy config then create kube_admission_plugin_config + # if it doesn't exist, then merge builddefaults[config] structure + # into kube_admission_plugin_config + if 'kube_admission_plugin_config' not in facts['master']: + facts['master']['kube_admission_plugin_config'] = dict() + if 'config' in builddefaults and ('http_proxy' in builddefaults or \ + 'https_proxy' in builddefaults): + facts['master']['kube_admission_plugin_config'].update(builddefaults['config']) + facts['builddefaults'] = builddefaults + + return facts + # pylint: disable=too-many-statements def set_container_facts_if_unset(facts): """ Set containerized facts. @@ -1470,7 +1548,8 @@ class OpenShiftFacts(object): Raises: OpenShiftFactsUnsupportedRoleError: """ - known_roles = ['cloudprovider', + known_roles = ['builddefaults', + 'cloudprovider', 'common', 'docker', 'etcd', @@ -1558,6 +1637,7 @@ class OpenShiftFacts(object): facts = set_manageiq_facts_if_unset(facts) facts = set_aggregate_facts(facts) facts = set_etcd_facts_if_unset(facts) + facts = set_proxy_facts(facts) if not safe_get_bool(facts['common']['is_containerized']): facts = set_installed_variant_rpm_facts(facts) return dict(openshift=facts) @@ -1621,7 +1701,8 @@ class OpenShiftFacts(object): auth_token_max_seconds=500, oauth_grant_method='auto', scheduler_predicates=scheduler_predicates, - scheduler_priorities=scheduler_priorities) + scheduler_priorities=scheduler_priorities, + dynamic_provisioning_enabled=True) if 'node' in roles: defaults['node'] = dict(labels={}, annotations={}, @@ -1644,6 +1725,8 @@ class OpenShiftFacts(object): defaults['hosted'] = dict( metrics=dict( deploy=False, + duration=7, + resolution=10, storage=dict( kind=None, volume=dict( @@ -1653,6 +1736,9 @@ class OpenShiftFacts(object): nfs=dict( directory='/exports', options='*(rw,root_squash)'), + openstack=dict( + filesystem='ext4', + volumeID='123'), host=None, access_modes=['ReadWriteMany'], create_pv=True diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 36def57c8..ff726ae24 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -5,15 +5,13 @@ when: ansible_version.full | version_compare('1.9.4', 'lt') or ansible_version.full | version_compare('2.0', 'ge') - name: Detecting Operating System - shell: ls /run/ostree-booted - ignore_errors: yes - failed_when: false - changed_when: false - register: ostree_output + stat: + path: /run/ostree-booted + register: ostree_booted # Locally setup containerized facts for now - set_fact: - l_is_atomic: "{{ ostree_output.rc == 0 }}" + l_is_atomic: "{{ ostree_booted.stat.exists }}" - set_fact: l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" @@ -33,3 +31,19 @@ is_containerized: "{{ l_is_containerized | default(None) }}" public_hostname: "{{ openshift_public_hostname | default(None) }}" public_ip: "{{ openshift_public_ip | default(None) }}" + portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}" + +# had to be done outside of the above because hostname isn't yet set +- name: Gather hostnames for proxy configuration + openshift_facts: + role: common + local_facts: + http_proxy: "{{ openshift_http_proxy | default(None) }}" + https_proxy: "{{ openshift_https_proxy | default(None) }}" + no_proxy: "{{ openshift_no_proxy | default(None) }}" + generate_no_proxy_hosts: "{{ openshift_generate_no_proxy_hosts | default(True) }}" + no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'] + | union(groups['oo_masters_to_config']) + | union(groups['oo_etcd_to_config'] | default([]))) + | oo_collect('openshift.common.hostname') | default([]) | join (',') + }}" diff --git a/roles/openshift_hosted_facts/tasks/main.yml b/roles/openshift_hosted_facts/tasks/main.yml index f595e1e81..2a11e6cbd 100644 --- a/roles/openshift_hosted_facts/tasks/main.yml +++ b/roles/openshift_hosted_facts/tasks/main.yml @@ -2,6 +2,6 @@ - name: Set hosted facts openshift_facts: role: hosted - openshift_env: "{{ hostvars[inventory_hostname] - | oo_merge_dicts(hostvars) + openshift_env: "{{ hostvars + | oo_merge_hostvars(vars, inventory_hostname) | oo_openshift_env }}" diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml index d8a5b62a0..072f7bb4e 100644 --- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml +++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml @@ -15,43 +15,52 @@ changed_when: False - name: "Create logging project" - command: {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig new-project logging + command: > + {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig new-project logging - name: "Changing projects" - command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig project logging" + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig project logging - name: "Creating logging deployer secret" - command: " {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig secrets new logging-deployer {{ openshift_hosted_logging_secret_vars | default('nothing=/dev/null') }}" + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig secrets new logging-deployer {{ openshift_hosted_logging_secret_vars | default('nothing=/dev/null') }} register: secret_output failed_when: "secret_output.rc == 1 and 'exists' not in secret_output.stderr" - name: "Copy serviceAccount file" - copy: dest=/tmp/logging-deployer-sa.yaml - src={{role_path}}/files/logging-deployer-sa.yaml - force=yes + copy: + dest: /tmp/logging-deployer-sa.yaml + src: "{{role_path}}/files/logging-deployer-sa.yaml" + force: yes - name: "Create logging-deployer service account" - command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f /tmp/logging-deployer-sa.yaml" + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f /tmp/logging-deployer-sa.yaml register: deployer_output failed_when: "deployer_output.rc == 1 and 'exists' not in deployer_output.stderr" - name: "Set permissions for logging-deployer service account" - command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-role-to-user edit system:serviceaccount:logging:logging-deployer" + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-role-to-user edit system:serviceaccount:logging:logging-deployer register: permiss_output failed_when: "permiss_output.rc == 1 and 'exists' not in permiss_output.stderr" - name: "Set permissions for fluentd" - command: {{ openshift.common.admin_binary}} policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd + command: > + {{ openshift.common.admin_binary}} policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd register: fluentd_output failed_when: "fluentd_output.rc == 1 and 'exists' not in fluentd_output.stderr" - name: "Set additional permissions for fluentd" - command: {{ openshift.common.admin_binary}} policy add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd + command: > + {{ openshift.common.admin_binary}} policy add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd register: fluentd2_output failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr" - name: "Create deployer template" - command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f /usr/share/openshift/examples/infrastructure-templates/enterprise/logging-deployer.yaml -n openshift" + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f /usr/share/openshift/examples/infrastructure-templates/enterprise/logging-deployer.yaml -n openshift register: template_output failed_when: "template_output.rc == 1 and 'exists' not in template_output.stderr" @@ -90,13 +99,12 @@ - name: "Scale fluentd deployment config" - command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale dc/logging-fluentd --replicas={{ fluentd_replicas | default('1') }}" - + command: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale dc/logging-fluentd --replicas={{ fluentd_replicas | default('1') }} - - name: "Scale fluentd replication controller" - command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig scale rc/logging-fluentd-1 --replicas={{ fluentd_replicas | default('1') }}" - - debug: msg="Logging components deployed. Note persistant volume for elasticsearch must be setup manually" + - debug: + msg: "Logging components deployed. Note persistant volume for elasticsearch must be setup manually" - name: Delete temp directory file: diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index cee1f1738..291cdbbb5 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml @@ -6,7 +6,7 @@ retries: 50 delay: 5 changed_when: false - with_items: openshift_nodes + with_items: "{{ openshift_nodes }}" - name: Set node schedulability command: > diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 09bde6002..16df984f9 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -13,6 +13,14 @@ os_firewall_allow: port: "{{ openshift.master.dns_port }}/tcp" - service: skydns udp port: "{{ openshift.master.dns_port }}/udp" +# On HA masters version_gte facts are not properly set so open port 53 +# whenever we're not certain of the need +- service: legacy skydns tcp + port: "53/tcp" + when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" +- service: legacy skydns udp + port: "53/udp" + when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" - service: Fluentd td-agent tcp port: 24224/tcp - service: Fluentd td-agent udp diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index 0d4241e2c..e882e0b8b 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -15,5 +15,6 @@ dependencies: - role: openshift_docker - role: openshift_cli - role: openshift_cloud_provider +- role: openshift_builddefaults - role: openshift_master_facts - role: openshift_hosted_facts diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 18a42bf93..fe0784ea2 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -78,23 +78,50 @@ action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present" when: (item.kind == 'HTPasswdPasswordIdentityProvider') and not openshift.common.is_atomic | bool - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Ensure htpasswd directory exists file: path: "{{ item.filename | dirname }}" state: directory when: item.kind == 'HTPasswdPasswordIdentityProvider' - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" - name: Create the htpasswd file if needed - copy: + template: dest: "{{ item.filename }}" - content: "" + src: htpasswd.j2 mode: 0600 - force: no + backup: yes when: item.kind == 'HTPasswdPasswordIdentityProvider' - with_items: openshift.master.identity_providers + with_items: "{{ openshift.master.identity_providers }}" + +- name: Create the ldap ca file if needed + copy: + dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('ldap_ca.crt') }}" + content: "{{ openshift.master.ldap_ca }}" + mode: 0600 + backup: yes + when: openshift.master.ldap_ca is defined and item.kind == 'LDAPPasswordIdentityProvider' + with_items: "{{ openshift.master.identity_providers }}" + +- name: Create the openid ca file if needed + copy: + dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('openid_ca.crt') }}" + content: "{{ openshift.master.openid_ca }}" + mode: 0600 + backup: yes + when: openshift.master.openid_ca is defined and item.kind == 'OpenIDIdentityProvider' and item.ca | default('') != '' + with_items: "{{ openshift.master.identity_providers }}" + +- name: Create the request header ca file if needed + copy: + dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else openshift_master_config_dir ~ '/' ~ item.clientCA | default('request_header_ca.crt') }}" + content: "{{ openshift.master.request_header_ca }}" + mode: 0600 + backup: yes + when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != '' + with_items: "{{ openshift.master.identity_providers }}" - name: Install the systemd units include: systemd_units.yml @@ -212,7 +239,7 @@ mode: 0700 owner: "{{ item }}" group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" - with_items: client_users + with_items: "{{ client_users }}" # TODO: Update this file if the contents of the source file are not present in # the dest file, will need to make sure to ignore things that could be added @@ -220,7 +247,7 @@ command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config args: creates: ~{{ item }}/.kube/config - with_items: client_users + with_items: "{{ client_users }}" - name: Update the permissions on the admin client config(s) file: @@ -229,4 +256,4 @@ mode: 0700 owner: "{{ item }}" group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" - with_items: client_users + with_items: "{{ client_users }}" diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2 index 862cfa8f1..4cf632841 100644 --- a/roles/openshift_master/templates/atomic-openshift-master.j2 +++ b/roles/openshift_master/templates/atomic-openshift-master.j2 @@ -10,8 +10,13 @@ AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }} {% endif %} # Proxy configuration -# Origin uses standard HTTP_PROXY environment variables. Be sure to set -# NO_PROXY for your master -#NO_PROXY=master.example.com -#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT -#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT +# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy +{% if 'http_proxy' in openshift.common %} +HTTP_PROXY='{{ openshift.common.http_proxy | default('') }}' +{% endif %} +{% if 'https_proxy' in openshift.common %} +HTTPS_PROXY='{{ openshift.common.https_proxy | default('')}}' +{% endif %} +{% if 'no_proxy' in openshift.common %} +NO_PROXY='{{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}' +{% endif %} diff --git a/roles/openshift_master/templates/htpasswd.j2 b/roles/openshift_master/templates/htpasswd.j2 new file mode 100644 index 000000000..ba2c02e20 --- /dev/null +++ b/roles/openshift_master/templates/htpasswd.j2 @@ -0,0 +1,5 @@ +{% if 'htpasswd_users' in openshift.master %} +{% for user,pass in openshift.master.htpasswd_users.iteritems() %} +{{ user ~ ':' ~ pass }} +{% endfor %} +{% endif %} diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 979b428bf..48bb8a13f 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -209,3 +209,5 @@ servingInfo: {% endfor %} {% endfor %} {% endif %} +volumeConfig: + dynamicProvisioningEnabled: {{ openshift.master.dynamic_provisioning_enabled }} diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 index 69754ee10..01a8428a0 100644 --- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 +++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 @@ -10,8 +10,13 @@ AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }} {% endif %} # Proxy configuration -# Origin uses standard HTTP_PROXY environment variables. Be sure to set -# NO_PROXY for your master -#NO_PROXY=master.example.com -#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT -#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT +# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy +{% if 'http_proxy' in openshift.common %} +HTTP_PROXY='{{ openshift.common.http_proxy | default('') }}' +{% endif %} +{% if 'https_proxy' in openshift.common %} +HTTPS_PROXY='{{ openshift.common.https_proxy | default('')}}' +{% endif %} +{% if 'no_proxy' in openshift.common %} +NO_PROXY='{{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}' +{% endif %} diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 index 048a4305a..89ccb1eed 100644 --- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 +++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 @@ -10,8 +10,13 @@ AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }} {% endif %} # Proxy configuration -# Origin uses standard HTTP_PROXY environment variables. Be sure to set -# NO_PROXY for your master -#NO_PROXY=master.example.com -#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT -#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT +# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy +{% if 'http_proxy' in openshift.common %} +HTTP_PROXY='{{ openshift.common.http_proxy | default('') }}' +{% endif %} +{% if 'https_proxy' in openshift.common %} +HTTPS_PROXY='{{ openshift.common.https_proxy | default('')}}' +{% endif %} +{% if 'no_proxy' in openshift.common %} +NO_PROXY='{{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}' +{% endif %} diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 9017b7d2b..394f9d381 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -4,14 +4,14 @@ path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}" state: directory mode: 0700 - with_items: masters_needing_certs + with_items: "{{ masters_needing_certs | default([]) }}" - file: src: "{{ openshift_master_config_dir }}/{{ item.1 }}" dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" state: hard with_nested: - - masters_needing_certs + - "{{ masters_needing_certs | default([]) }}" - - ca.crt - ca.key @@ -26,7 +26,7 @@ --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }} --overwrite=false when: item.master_certs_missing | bool - with_items: masters_needing_certs + with_items: "{{ masters_needing_certs | default([]) }}" - file: src: "{{ openshift_master_config_dir }}/{{ item.1 }}" @@ -34,5 +34,5 @@ state: hard force: true with_nested: - - masters_needing_certs + - "{{ masters_needing_certs | default([]) }}" - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}" diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index a020fdb41..0cbbaffc2 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml @@ -22,7 +22,6 @@ extension_scripts: "{{ openshift_master_extension_scripts | default(None) }}" extension_stylesheets: "{{ openshift_master_extension_stylesheets | default(None) }}" extensions: "{{ openshift_master_extensions | default(None) }}" - oauth_template: "{{ openshift_master_oauth_template | default(None) }}" etcd_hosts: "{{ openshift_master_etcd_hosts | default(None) }}" etcd_port: "{{ openshift_master_etcd_port | default(None) }}" etcd_use_ssl: "{{ openshift_master_etcd_use_ssl | default(None) }}" @@ -42,11 +41,15 @@ access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}" auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}" identity_providers: "{{ openshift_master_identity_providers | default(None) }}" + htpasswd_users: "{{ openshift_master_htpasswd_users | default(lookup('file', openshift_master_htpasswd_file) | oo_htpasswd_users_from_file if openshift_master_htpasswd_file is defined else None) }}" + ldap_ca: "{{ openshift_master_ldap_ca | default(lookup('file', openshift_master_ldap_ca_file) if openshift_master_ldap_ca_file is defined else None) }}" + openid_ca: "{{ openshift_master_openid_ca | default(lookup('file', openshift_master_openid_ca_file) if openshift_master_openid_ca_file is defined else None) }}" + request_header_ca: "{{ openshift_master_request_header_ca | default(lookup('file', openshift_master_request_header_ca_file) if openshift_master_request_header_ca_file is defined else None) }}" registry_url: "{{ oreg_url | default(None) }}" oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}" sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}" sdn_host_subnet_length: "{{ osm_host_subnet_length | default(None) }}" - default_subdomain: "{{ openshift_master_default_subdomain | default(osm_default_subdomain) | default(None) }}" + default_subdomain: "{{ openshift_master_default_subdomain | default(osm_default_subdomain | default(None), true) }}" custom_cors_origins: "{{ osm_custom_cors_origins | default(None) }}" default_node_selector: "{{ osm_default_node_selector | default(None) }}" project_request_message: "{{ osm_project_request_message | default(None) }}" @@ -72,3 +75,4 @@ oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}" oauth_always_show_provider_selection: "{{ openshift_master_oauth_always_show_provider_selection | default(None) }}" image_policy_config: "{{ openshift_master_image_policy_config | default(None) }}" + dynamic_provisioning_enabled: "{{ openshift_master_dynamic_provisioning_enabled | default(None) }}" diff --git a/roles/openshift_master_facts/vars/main.yml b/roles/openshift_master_facts/vars/main.yml new file mode 100644 index 000000000..3b0ee2761 --- /dev/null +++ b/roles/openshift_master_facts/vars/main.yml @@ -0,0 +1,14 @@ +builddefaults_yaml: + BuildDefaults: + configuration: + apiVersion: v1 + kind: BuildDefaultsConfig + gitHTTPProxy: "{{ openshift.master.builddefaults_git_http_proxy | default(omit, true) }}" + gitHTTPSProxy: "{{ openshift.master.builddefaults_git_https_proxy | default(omit, true) }}" + env: + - name: HTTP_PROXY + value: "{{ openshift.master.builddefaults_http_proxy | default(omit, true) }}" + - name: HTTPS_PROXY + value: "{{ openshift.master.builddefaults_https_proxy | default(omit, true) }}" + - name: NO_PROXY + value: "{{ openshift.master.builddefaults_no_proxy | default(omit, true) | join(',') }}"
\ No newline at end of file diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index 610917d7d..2e903379a 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -6,12 +6,13 @@ OpenShift Metrics Installation Requirements ------------ It requires subdomain fqdn to be set. -If persistence is enabled, then it also requires NFS +If persistence is enabled, then it also requires NFS. Role Variables -------------- From this role: + | Name | Default value | | |-------------------------------------------------|-----------------------|-------------------------------------------------------------| | openshift_hosted_metrics_deploy | False | If metrics should be deployed | @@ -19,9 +20,12 @@ From this role: | openshift_hosted_metrics_storage_volume_name | metrics | Metrics volume within openshift_hosted_metrics_volume_dir | | openshift_hosted_metrics_storage_volume_size | 10Gi | Metrics volume size | | openshift_hosted_metrics_storage_nfs_options | *(rw,root_squash) | NFS options for configured exports. | +| openshift_hosted_metrics_duration | 7 | Metrics query duration | +| openshift_hosted_metrics_resolution | 10 | Metrics resolution | From openshift_common: + | Name | Default Value | | |---------------------------------------|----------------|----------------------------------------| | openshift_master_default_subdomain | null | Subdomain FQDN (Mandatory) | @@ -35,10 +39,12 @@ openshift_examples Example Playbook ---------------- +``` - name: Configure openshift-metrics hosts: oo_first_master roles: - role: openshift_metrics +``` License ------- diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index 1a86cb1ea..ca29ad6e1 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -20,6 +20,7 @@ {{ openshift.common.client_binary }} secrets new metrics-deployer nothing=/dev/null + --config={{hawkular_tmp_conf}} -n openshift-infra register: deployer_create_secret failed_when: "'already exists' not in deployer_create_secret.stderr and deployer_create_secret.rc !=0" @@ -43,8 +44,9 @@ shell: > {{ openshift.common.client_binary }} process -f \ /usr/share/openshift/examples/infrastructure-templates/{{ hawkular_type }}/metrics-deployer.yaml -v \ - HAWKULAR_METRICS_HOSTNAME=hawkular-metrics.{{ openshift.master.default_subdomain }},USE_PERSISTENT_STORAGE={{ hawkular_persistence }} | \ - {{ openshift.common.client_binary }} create -n openshift-infra -f - + HAWKULAR_METRICS_HOSTNAME=hawkular-metrics.{{ openshift.master.default_subdomain }} USE_PERSISTENT_STORAGE={{ hawkular_persistence }} \ + METRIC_DURATION={{ openshift.hosted.metrics.duration }} METRIC_RESOLUTION={{ openshift.hosted.metrics.resolution }} | + {{ openshift.common.client_binary }} create -n openshift-infra --config={{hawkular_tmp_conf}} -f - register: oex_heapster_services failed_when: "'already exists' not in oex_heapster_services.stderr and oex_heapster_services.rc != 0" changed_when: false @@ -52,4 +54,4 @@ - name: Clean temporary config file command: > rm -rf {{hawkular_tmp_conf}} - changed_when: false
\ No newline at end of file + changed_when: false diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index c9a7a40c8..216c11093 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Create openshift_generated_configs_dir if it doesn't exist +- name: Create openshift_generated_configs_dir if it doesn\'t exist file: path: "{{ openshift_generated_configs_dir }}" state: directory @@ -19,7 +19,7 @@ --user=system:node:{{ item.openshift.common.hostname }} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" - with_items: nodes_needing_certs + with_items: "{{ nodes_needing_certs | default([]) }}" - name: Generate the node server certificate command: > @@ -33,4 +33,4 @@ --signer-serial={{ openshift_master_ca_serial }} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt" - with_items: nodes_needing_certs + with_items: "{{ nodes_needing_certs | default([]) }}" diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh index 51e0751e9..691fa32f3 100755 --- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh +++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh @@ -46,7 +46,6 @@ EOF for ns in ${DHCP4_DOMAIN_NAME_SERVERS}; do echo "server=${ns}" >> /etc/dnsmasq.d/origin-upstream-dns.conf done - echo "listen-address=${def_route_ip}" >> /etc/dnsmasq.d/origin-upstream-dns.conf systemctl restart dnsmasq sed -i 's/^nameserver.*$/nameserver '"${def_route_ip}"'/g' /etc/resolv.conf diff --git a/roles/openshift_node_dnsmasq/tasks/no-network-manager.yml b/roles/openshift_node_dnsmasq/tasks/no-network-manager.yml index cda90bd10..4d1bd3794 100644 --- a/roles/openshift_node_dnsmasq/tasks/no-network-manager.yml +++ b/roles/openshift_node_dnsmasq/tasks/no-network-manager.yml @@ -1,2 +1,2 @@ --- -- fail: msg="Not implemented"
\ No newline at end of file +- fail: msg="Currently, NetworkManager must be installed and enabled prior to installation."
\ No newline at end of file diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index 5dd28d52a..bafda9695 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml @@ -1,7 +1,7 @@ - name: test if service accounts exists command: > {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }} - with_items: openshift_serviceaccounts_names + with_items: "{{ openshift_serviceaccounts_names }}" failed_when: false changed_when: false register: account_test @@ -13,8 +13,8 @@ -n {{ openshift_serviceaccounts_namespace }} create -f - when: item.1.rc != 0 with_together: - - openshift_serviceaccounts_names - - account_test.results + - "{{ openshift_serviceaccounts_names }}" + - "{{ account_test.results }}" - name: test if scc needs to be updated command: > @@ -22,7 +22,7 @@ changed_when: false failed_when: false register: scc_test - with_items: openshift_serviceaccounts_sccs + with_items: "{{ openshift_serviceaccounts_sccs }}" - name: Grant the user access to the privileged scc command: > @@ -30,8 +30,8 @@ privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }} when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}" with_nested: - - openshift_serviceaccounts_names - - scc_test.results + - "{{ openshift_serviceaccounts_names }}" + - "{{ scc_test.results }}" - include: legacy_add_scc_to_user.yml when: not openshift.common.version_gte_3_1_or_1_1 diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml index 90592e9d0..df0bb9fd4 100644 --- a/roles/openshift_storage_nfs/defaults/main.yml +++ b/roles/openshift_storage_nfs/defaults/main.yml @@ -16,7 +16,6 @@ openshift: options: "*(rw,root_squash)" volume: name: "metrics" -os_firewall_use_firewalld: False os_firewall_allow: - service: nfs port: "2049/tcp" diff --git a/roles/openshift_storage_nfs_lvm/README.md b/roles/openshift_storage_nfs_lvm/README.md index 1ee02e18a..3680ef5b5 100644 --- a/roles/openshift_storage_nfs_lvm/README.md +++ b/roles/openshift_storage_nfs_lvm/README.md @@ -62,7 +62,7 @@ Both of them are mounted into `/exports/openshift` directory. Both directories exported via NFS. json files are created in /root. - hosts: nfsservers - sudo: no + become: no remote_user: root gather_facts: no roles: @@ -87,7 +87,7 @@ exported via NFS. json files are created in /root. * Create an ansible playbook, say `setupnfs.yaml`: ``` - hosts: nfsservers - sudo: no + become: no remote_user: root gather_facts: no roles: diff --git a/roles/os_env_extras/files/irbrc b/roles/os_env_extras/files/irbrc deleted file mode 100644 index 47374e920..000000000 --- a/roles/os_env_extras/files/irbrc +++ /dev/null @@ -1,2 +0,0 @@ -require 'irb/completion' -IRB.conf[:PROMPT_MODE] = :SIMPLE diff --git a/roles/os_env_extras/files/vimrc b/roles/os_env_extras/files/vimrc deleted file mode 100644 index 537b944ed..000000000 --- a/roles/os_env_extras/files/vimrc +++ /dev/null @@ -1,12 +0,0 @@ -set tabstop=4 -set shiftwidth=4 -set expandtab -set list - -"flag problematic whitespace (trailing and spaces before tabs) -"Note you get the same by doing let c_space_errors=1 but -"this rule really applies to everything. -highlight RedundantSpaces term=standout ctermbg=red guibg=red -match RedundantSpaces /\s\+$\| \+\ze\t/ "\ze sets end of match so only spaces highlighted -"use :set list! to toggle visible whitespace on/off -set listchars=tab:>-,trail:.,extends:> diff --git a/roles/os_env_extras/tasks/main.yaml b/roles/os_env_extras/tasks/main.yaml deleted file mode 100644 index 628df713a..000000000 --- a/roles/os_env_extras/tasks/main.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# environment configuration role, configures irbrc, vimrc - -- name: Ensure irbrc is installed for user root - copy: - src: irbrc - dest: /root/.irbrc - -- name: Ensure vimrc is installed for user root - copy: - src: vimrc - dest: /root/.vimrc - -- name: Bash Completion - action: "{{ ansible_pkg_mgr }} name=bash-completion state=present" - when: not openshift.common.is_containerized | bool
\ No newline at end of file diff --git a/roles/os_env_extras_node/tasks/main.yml b/roles/os_env_extras_node/tasks/main.yml deleted file mode 100644 index 208065df2..000000000 --- a/roles/os_env_extras_node/tasks/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# From the origin rpm there exists instructions on how to -# setup origin properly. The following steps come from there -- name: Change root to be in the Docker group - user: name=root groups=dockerroot append=yes diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml index e3176e611..c870a301a 100644 --- a/roles/os_firewall/defaults/main.yml +++ b/roles/os_firewall/defaults/main.yml @@ -1,3 +1,9 @@ --- os_firewall_enabled: True -os_firewall_use_firewalld: True +# TODO: Upstream kubernetes only supports iptables currently +# TODO: it might be possible to still use firewalld if we wire up the created +# chains with the public zone (or the zone associated with the correct +# interfaces) +os_firewall_use_firewalld: False +os_firewall_allow: [] +os_firewall_deny: [] diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml index ac4600f83..5ddca1fc0 100644 --- a/roles/os_firewall/tasks/firewall/firewalld.yml +++ b/roles/os_firewall/tasks/firewall/firewalld.yml @@ -24,6 +24,18 @@ command: systemctl daemon-reload when: install_result | changed +- name: Determine if firewalld service masked + command: > + systemctl is-enabled firewalld + register: os_firewall_firewalld_masked_output + changed_when: false + failed_when: false + +- name: Unmask firewalld service + command: > + systemctl unmask firewalld + when: os_firewall_firewalld_masked_output.stdout == "masked" + - name: Start and enable firewalld service service: name: firewalld @@ -52,29 +64,25 @@ port: "{{ item.port }}" permanent: false state: enabled - with_items: os_firewall_allow - when: os_firewall_allow is defined + with_items: "{{ os_firewall_allow }}" - name: Persist firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: enabled - with_items: os_firewall_allow - when: os_firewall_allow is defined + with_items: "{{ os_firewall_allow }}" - name: Remove firewalld allow rules firewalld: port: "{{ item.port }}" permanent: false state: disabled - with_items: os_firewall_deny - when: os_firewall_deny is defined + with_items: "{{ os_firewall_deny }}" - name: Persist removal of firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: disabled - with_items: os_firewall_deny - when: os_firewall_deny is defined + with_items: "{{ os_firewall_deny }}" diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 3b584f8eb..774916798 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -32,6 +32,24 @@ command: systemctl daemon-reload when: install_result | changed +- name: Determine if iptables service masked + command: > + systemctl is-enabled {{ item }} + with_items: + - iptables + - ip6tables + register: os_firewall_iptables_masked_output + changed_when: false + failed_when: false + +- name: Unmask iptables service + command: > + systemctl unmask {{ item }} + with_items: + - iptables + - ip6tables + when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')" + - name: Start and enable iptables service service: name: iptables @@ -49,8 +67,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: os_firewall_allow - when: os_firewall_allow is defined + with_items: "{{ os_firewall_allow }}" - name: Remove iptables rules os_firewall_manage_iptables: @@ -58,5 +75,4 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: os_firewall_deny - when: os_firewall_deny is defined + with_items: "{{ os_firewall_deny }}" diff --git a/roles/pods/README.md b/roles/pods/README.md deleted file mode 100644 index 225dd44b9..000000000 --- a/roles/pods/README.md +++ /dev/null @@ -1,38 +0,0 @@ -Role Name -========= - -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. - -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/pods/files/pods/docker-registry.json b/roles/pods/files/pods/docker-registry.json deleted file mode 100644 index a480e6b30..000000000 --- a/roles/pods/files/pods/docker-registry.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "kind": "Pod", - "version": "v1beta2", - "desiredState": { - "manifest": { - "version": "v1beta1", - "containers": [{ - "name": "docker-registry", - "image": "registry", - "volumeMounts": [{ - "name": "data", - "mountPath": "/var/lib/docker-registry" - }], - "ports": [{ - "containerPort": 5000, - "hostPort": 9999 - }] - }], - "volumes": [{ - "name": "data", - "source": { - "emptyDir": true - } - }] - } - }, - "labels": { - "name": "docker-registry" - } -} diff --git a/roles/pods/files/pods/fedora_apache.json b/roles/pods/files/pods/fedora_apache.json deleted file mode 100644 index 187927559..000000000 --- a/roles/pods/files/pods/fedora_apache.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "id": "apache", - "kind": "Pod", - "apiVersion": "v1beta2", - "desiredState": { - "manifest": { - "version": "v1beta1", - "id": "apache-1", - "containers": [{ - "name": "master", - "image": "fedora/apache", - "ports": [{ - "containerPort": 80, - "hostPort": 80 - }] - }] - } - }, - "labels": { - "name": "apache", - "distro": "fedora" - } -} diff --git a/roles/pods/files/pods/frontend-controller.json b/roles/pods/files/pods/frontend-controller.json deleted file mode 100644 index 2a2cdea9a..000000000 --- a/roles/pods/files/pods/frontend-controller.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "id": "frontendController", - "kind": "ReplicationController", - "apiVersion": "v1beta2", - "desiredState": { - "replicas": 2, - "replicaSelector": {"name": "frontend"}, - "podTemplate": { - "desiredState": { - "manifest": { - "version": "v1beta1", - "id": "frontendController", - "containers": [{ - "name": "php-redis", - "image": "brendanburns/php-redis", - "ports": [{"containerPort": 80, "hostPort": 8000}] - }] - } - }, - "labels": {"name": "frontend"} - }}, - "labels": {"name": "frontend"} -} diff --git a/roles/pods/files/pods/redis-master-service.json b/roles/pods/files/pods/redis-master-service.json deleted file mode 100644 index 0f590272d..000000000 --- a/roles/pods/files/pods/redis-master-service.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "id": "redismaster", - "kind": "Service", - "apiVersion": "v1beta2", - "port": 10000, - "containerPort": 6379, - "selector": { - "name": "redis-master" - } -} diff --git a/roles/pods/files/pods/redis-master.json b/roles/pods/files/pods/redis-master.json deleted file mode 100644 index 0a281a045..000000000 --- a/roles/pods/files/pods/redis-master.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "id": "redis-master-2", - "kind": "Pod", - "apiVersion": "v1beta2", - "desiredState": { - "manifest": { - "version": "v1beta1", - "id": "redis-master-2", - "containers": [{ - "name": "master", - "image": "dockerfile/redis", - "ports": [{ - "containerPort": 6379, - "hostPort": 6379 - }] - }] - } - }, - "labels": { - "name": "redis-master" - } -} diff --git a/roles/pods/files/pods/redis-slave-controller.json b/roles/pods/files/pods/redis-slave-controller.json deleted file mode 100644 index b85fff66a..000000000 --- a/roles/pods/files/pods/redis-slave-controller.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "id": "redisSlaveController", - "kind": "ReplicationController", - "apiVersion": "v1beta2", - "desiredState": { - "replicas": 2, - "replicaSelector": {"name": "redisslave"}, - "podTemplate": { - "desiredState": { - "manifest": { - "version": "v1beta1", - "id": "redisSlaveController", - "containers": [{ - "name": "slave", - "image": "brendanburns/redis-slave", - "ports": [{"containerPort": 6379, "hostPort": 6380}] - }] - } - }, - "labels": {"name": "redisslave"} - }}, - "labels": {"name": "redisslave"} -} - diff --git a/roles/pods/files/pods/redis-slave-service.json b/roles/pods/files/pods/redis-slave-service.json deleted file mode 100644 index e1c5029f6..000000000 --- a/roles/pods/files/pods/redis-slave-service.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "id": "redisslave", - "kind": "Service", - "apiVersion": "v1beta2", - "port": 10001, - "containerPort": 6379, - "labels": { - "name": "redisslave" - }, - "selector": { - "name": "redisslave" - } -} diff --git a/roles/pods/files/pods/registry-service.json b/roles/pods/files/pods/registry-service.json deleted file mode 100644 index 3a711a1ac..000000000 --- a/roles/pods/files/pods/registry-service.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "id": "dockerregistry", - "kind": "Service", - "apiVersion": "v1beta2", - "port": 8888, - "selector": { - "name": "docker-registry" - } -} - diff --git a/roles/pods/meta/main.yml b/roles/pods/meta/main.yml deleted file mode 100644 index bddf14bb2..000000000 --- a/roles/pods/meta/main.yml +++ /dev/null @@ -1,124 +0,0 @@ ---- -galaxy_info: - author: your name - description: - company: your company (optional) - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY - license: license (GPLv2, CC-BY, etc) - min_ansible_version: 1.2 - # - # Below are all platforms currently available. Just uncomment - # the ones that apply to your role. If you don't see your - # platform on this list, let us know and we'll get it added! - # - #platforms: - #- name: EL - # versions: - # - all - # - 5 - # - 6 - # - 7 - #- name: GenericUNIX - # versions: - # - all - # - any - #- name: Fedora - # versions: - # - all - # - 16 - # - 17 - # - 18 - # - 19 - # - 20 - #- name: opensuse - # versions: - # - all - # - 12.1 - # - 12.2 - # - 12.3 - # - 13.1 - # - 13.2 - #- name: Amazon - # versions: - # - all - # - 2013.03 - # - 2013.09 - #- name: GenericBSD - # versions: - # - all - # - any - #- name: FreeBSD - # versions: - # - all - # - 8.0 - # - 8.1 - # - 8.2 - # - 8.3 - # - 8.4 - # - 9.0 - # - 9.1 - # - 9.1 - # - 9.2 - #- name: Ubuntu - # versions: - # - all - # - lucid - # - maverick - # - natty - # - oneiric - # - precise - # - quantal - # - raring - # - saucy - # - trusty - #- name: SLES - # versions: - # - all - # - 10SP3 - # - 10SP4 - # - 11 - # - 11SP1 - # - 11SP2 - # - 11SP3 - #- name: GenericLinux - # versions: - # - all - # - any - #- name: Debian - # versions: - # - all - # - etch - # - lenny - # - squeeze - # - wheezy - # - # Below are all categories currently available. Just as with - # the platforms above, uncomment those that apply to your role. - # - #categories: - #- cloud - #- cloud:ec2 - #- cloud:gce - #- cloud:rax - #- clustering - #- database - #- database:nosql - #- database:sql - #- development - #- monitoring - #- networking - #- packaging - #- system - #- web -dependencies: [] - # List your role dependencies here, one per line. Only - # dependencies available via galaxy should be listed here. - # Be sure to remove the '[]' above if you add dependencies - # to this list. - diff --git a/roles/pods/tasks/main.yml b/roles/pods/tasks/main.yml deleted file mode 100644 index 30c387c65..000000000 --- a/roles/pods/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Transfer the fedora_apache pod template - file: path=/usr/local/etc/pods state=directory - -- name: Transfer the fedora_apache pod template - copy: directory_mode=on src=pods/ dest=/usr/local/etc/pods/ |