| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Make `openstack_private_ssh_key` optional
Before this, the deployer could not reasonably rely on their own SSH
configuration or e.g. using the `--private-key` option to
ansible-playbook because we always wrote the `ansible_private_key_file`
value in the static inventory.
This change makes the `openstack_private_ssh_key` variable truly
optional: if it's not set, the static inventory will not configure the
SSH key and will just rely on the existing configuration.
* Update the openstack e2e CI
It no longer sets the SSH keys explicitly -- which should just work with
the previous commit.
* Put back the `openstack_ssh_public_key` in CI
This is the option we actually need to keep. This sholud fix the CI
failures.
|
|\
| |
| | |
Clear the previous inventory during provisioning
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If there was a left-over inventory from a previous run that had nodes
which were subsequently removed, these would still show up in the
Ansible's in-memory inventory and Ansible would fail trying to connect
to them.
This is because Ansible automatically loads the `inventory/hosts` file
if it exists and even if we overwrite it later, every node and group
still remains in the memory.
By removing the inventory file and and calling the `refresh_inventory`
meta task, we make sure that any left-over values are removed.
|
| |
| |
| |
| |
| |
| | |
Deployments without the cinder registry would fail, because the
`cinder_registry_volume` variable is still set even when we don't
actually create the volume.
|
|/ |
|
|
|
|
|
|
| |
* Add ability to support custom api and console ports
* Missed an ingress rule
|
|
|
|
|
|
|
|
| |
This ensures that the ports that the servers were using before this
commit will be parent ports of Neutron trunk ports. Thanks to this,
there can be nested Neutron ports inside the OS::NOva::Server resources
created either in the heat stack or dynamically inside the Instances.
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Point openshift_master_cluster_public_hostname at master or load balancer if specified
* cleanup
* remove extraneous brackets
* corrections
* added doc section
* add private records
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Allow using a provider network
This adds a new option `openstack_provider_network_name` which will take
a name of an existing network and put the servers there. It will also
prevent creating floating IP addresses as the provider network's IPs
should already be accessible without any additional routing required.
Fixes #622
* Requested changes
Don't fail on external/private networks and use role defaults for the
provider network.
* Add missing endif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Document global DNS security options
Related changes:
* Do not create a view if externally managed.
* Allow to specify the recursion settings for public/private
views defined by the dns-view role.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Document public_dns_nameservers better
Also use it as the private view forwarder
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Document how to use fully external DNS servers w/o provisioning
dns servers group with Heat.
* Document how to use a mixed servers setup for dynamic records
updates mathing public or private views.
* Allow custom nsupdate key names for OSP10 dns service compatibility.
The osp-dns configures the named service with the fixed key_name
'update-key'. Add optional key_name for the external_nsupdate_keys
public section to allow custom key names.
|
|
|
| |
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
| |
Additionally, add the lb group to contain lb nodes to the
static inventory template. Include the lb group into the
OSEv3 group, in order to apply the cluster group vars to it.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
* README, all.yml, stack_params.yaml, openstack-stack: added docker volume size customisation
- app_volume_size changed to node_volume_size (it is node everywhere else)
* all.yml, stack_params.yaml,openstack-stack: added customisation for lb, etcd, dns
* README: updated
* README: updated info about ephemeral volumes
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* README, all.yml, stack_params.yml, heat_stack.yaml.j2: hostname customisation added
* hostnames customisation: default set in stack_params
* heat_stack: bug fix
* fixed commented defaults in group_vars/all.yml
|
|
|
|
|
|
|
|
| |
When using a bastion and a single master, use the lb-secgrp
to access UI port allowed from the ingress bastion node cidr.
For HA (masters>1), UI still should be accessed via
the LB node's ingress cidr, omitting the bastion.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
* all.yml: set up new variables for specifying images for roles
* stack_params.yaml: add image name variables for different roles
* more roles added
* heat_stack.yaml.j2: openstack_image changed to updated image names
* README: updated documentation for specifying image names
|
|
|
|
|
|
| |
Add openstack_private_network_name to filter by a wanted private
network.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
| |
For testing cases it's sometimes useful to not create Cinder volumes for
the VMs. It can also sometimes be a little faster and more robust (but
unfit for production).
This adds an option called `ephemeral_volumes` that will use the VM's
storage instead of creating volumes when set to true.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* At the provisioning stage, allow users to auto-generate SSH config,
when using a static inventory.
* Run playbooks to provsion and post-provision as a separate, when
using a bastion. This re-applies the SSH config, which ansible can't
do on the fly.
* Support a pre-installed bastion node, colocated with the 1st infra
node.
* With a bastion enabled, reduce floating IP footprint to infra and
dns nodes only, effectively isolating a cluster in a private
network.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
|
| |
* Autogenerate SSH config for static inventory and bastion.
* When using bastion, use FQDN for inventory's ansible_host and SSH
config's Hostname. Simplifies accessing nodes by names instead of
private IPs.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
| |
This fixes a regression caused by the move to the static inventory.
The nodes in `oc get nodes` should be (and had been) identified by
their hostnames (e.g. master-0.openshift.example.com), but are
now using their internal IP addresses instead.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Autogenerate inventory/hosts when 'inventory: static' (Default),
with the shade-inventory tool.
* Drop unused anymore: openstack.py and associated GPL notes,
an example static inventory, omit manual updates for the
inventory DNS names in the deployment guide.
* Switch openstack.py formatted inventory hostvars
to the shade-inventory format (omit openstack.* from hostvars).
* Populate node labels from inventory vars instead of the heat
templates combined with inventory vars.
* Add app (k8s minions) nodes group for primary node labels.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
| |
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
| |
* openshift-prep: bash-completion and vim-enhanced packages are now optional under install_debug_packages switch
* openshift-prep: new line removal
|
|
|
|
|
|
| |
* Add the static-inventory role that configures the inventory/hosts
file by the given path, or creates it for you.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
| |
* subscription manager: added 10 retries after 1 second delay
* subscription manager: added untils
* sub manager: typo
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Set up NetworkManager automatically
This removes the extra step of running the
`openshift-ansible/playbooks/byo/openshift-node/network_manager.yml`
before installing openshift. In addition, the playbook relies on a
host group that the provisioning doesn't provide (oo_all_hosts).
Instead, we set up NetworkManager on CentOS nodes automatically. And
we restart it on RHEL (which is necessary for the nodes to pick up the
new DNS we configured the subnet with).
This makes the provisioning easier and more resilient.
* Apply the node-network-manager role to every node
It makes the code simpler and more consistent across distros.
|
|
|
|
|
|
| |
These two Jinja filters were added in 2.8 which is notably not packaged in
CentOS and RHEL. This removes them in favour of the `==` and `>` operators
which are available in Jinja 2.7.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add defaults values for some openstack vars
Ansible shows errors when the `rhsm_register` and
`openstack_flat_secgrp` values are not present in the inventory even
though they have sensible default values.
This makes them both default to false when they're not specified.
* Comment out the flat security group option in inv
It's no longer required to be there so let's comment it out.
|
|\
| |
| | |
Manage packages to install/update for openstack provider
|
| |
| |
| |
| |
| |
| |
| | |
Allow required packages and yum update all steps to be optionally
disabled.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Firstly, provision a Heat stack with given public resolvers.
* After the DNS node configured as an authoritative server,
switch the Heat stack's Neutron subnet to that resolver
(private_dns_server) the way it to become the first entry pushed
into the hosts /etc/resolv.conf. It will be serving the cluster
domain requests for OpenShift nodes and workloads.
* Drop post-provision /etc/reslov.conf nameserver hacks as not
needed anymore.
* Fix dns floating IPs output and add the priv IPs output as well.
* Update docs, clarify localhost vs servers requirements, add
required Network Manager setup step.
* Use post-provision task names instead of comments.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|\
| |
| | |
Modify sec groups for provisioned openstack servers
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Drop ingress DNS rules from the common secgrp.
Add an ingress ICMP rule, restricted by the ssh ingress cidr,
to the common secgrp. This allows to ping servers from the
control node (ansible admin node).
Add dns servers into the common secgrp as well.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|\ \
| | |
| | | |
Put back node/flat secgrp for infra nodes on openstack
|
| |/
| |
| |
| |
| |
| |
| | |
Partially undo 2028883e936c8a1a0be031a19d531d0804a32b68
to unblock end-to-end deployments
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|\ \
| |/
|/| |
Add node_removal_policies variable to openstack provisioning to allow for scaling down
|
| | |
|
| | |
|
|\ \
| | |
| | | |
Fix flat sec group and infra/dns sec rules
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make flat sec group to only merge node/master/etcd sec rules.
Add basic dns/ssh sec group and assign it to all but dns node groups.
Assign only dns sec group for dns nodes.
Assign only infra (and basic) sec groups for ingra nodes.
Add security notes for openstack provider.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|/
|
|
|
|
| |
Prohibit sudoing for localhost played tasks, like DNS setup.
Re-use cached facts to speed up deployment.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
TODO use with
when: ansible_distribution == 'CentOS'
Also update docs for origin
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add a openstack_flat_secgroup, defaults to False.
When set, merges sec rules for master, node, etcd, infra nodes into a
single group. Less secure, but might help to mitigate quota limitations.
Update docs. Use timeout 30s to mitigate the error:
Timeout (12s) waiting for privilege escalation prompt.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
|
| |
When `node_ingress_cidr` to limit the IP range for the DNS server, this
can prevent the actual openshift nodes from accessing it as well.
This commit makes the access from the `openstack_subnet_prefix` always
pass through and uses `node_ingress_cidr` for additional
access control.
|
|
|
|
|
| |
We should probably not pollute the role namespace with a name as common
as "common". Moving the pre_task.yml to provisioners/openstack instead.
|