From e7082b9870bdf4cc0769645f4fae3bccc3efdee4 Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Fri, 12 Jun 2015 14:52:03 -0400 Subject: Add etcd role that builds out basic etcd cluster - Add initial etcd role - Add etcd playbook to create etcd client certs - Hookup master to etcd --- roles/etcd/README.md | 39 +++++++++++++++++++++++++++++++++ roles/etcd/defaults/main.yaml | 28 ++++++++++++++++++++++++ roles/etcd/handlers/main.yml | 3 +++ roles/etcd/meta/main.yml | 17 +++++++++++++++ roles/etcd/tasks/main.yml | 16 ++++++++++++++ roles/etcd/templates/etcd.conf.j2 | 46 +++++++++++++++++++++++++++++++++++++++ 6 files changed, 149 insertions(+) create mode 100644 roles/etcd/README.md create mode 100644 roles/etcd/defaults/main.yaml create mode 100644 roles/etcd/handlers/main.yml create mode 100644 roles/etcd/meta/main.yml create mode 100644 roles/etcd/tasks/main.yml create mode 100644 roles/etcd/templates/etcd.conf.j2 (limited to 'roles/etcd')
diff --git a/roles/etcd/README.md b/roles/etcd/README.md
new file mode 100644
index 000000000..49207c428
--- /dev/null
+++ b/roles/etcd/README.md
@@ -0,0 +1,39 @@
+Role Name
+=========
+
+Configures an etcd cluster for an arbitrary number of hosts
+
+Requirements
+------------
+
+This role assumes it's being deployed on a RHEL/Fedora based host with package
+named 'etcd' available via yum.
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+ - hosts: etcd
+ roles:
+ - { etcd }
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+Scott Dodson
+Adapted from https://github.com/retr0h/ansible-etcd for use on RHEL/Fedora. We
+should at some point submit a PR to merge this with that module.
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
new file mode 100644
index 000000000..f6281101f
--- /dev/null
+++ b/roles/etcd/defaults/main.yaml
@@ -0,0 +1,28 @@
+---
+etcd_interface: eth0
+etcd_client_port: 2379
+etcd_peer_port: 2380
+etcd_peers_group: etcd
+etcd_url_scheme: http
+etcd_peer_url_scheme: http
+etcd_ca_file: /etc/etcd/ca.crt
+etcd_cert_file: /etc/etcd/client.crt
+etcd_key_file: /etc/etcd/client.key
+etcd_peer_ca_file: /etc/etcd/ca.crt
+etcd_peer_cert_file: /etc/etcd/peer.crt
+etcd_peer_key_file: /etc/etcd/peer.key
+
+etcd_initial_cluster_state: new
+etcd_initial_cluster_token: etcd-cluster-1
+
+etcd_initial_advertise_peer_urls: "{{ etcd_peer_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }}"
+etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }}"
+etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
+etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
+
+etcd_data_dir: /var/lib/etcd/
+os_firewall_allow:
+- service: etcd
+ port: "{{etcd_client_port}}/tcp"
+- service: etcd peering
+ port: "{{ etcd_peer_port }}/tcp"
diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml
new file mode 100644
index 000000000..b897913f9
--- /dev/null
+++ b/roles/etcd/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart etcd
+ service: name=etcd state=restarted
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
new file mode 100644
index 000000000..f952f84be
--- /dev/null
+++ b/roles/etcd/meta/main.yml
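Review bot: The defaults leave both `etcd_url_scheme` and `etcd_peer_url_scheme` at `http` while `os_firewall_allow` at the bottom of the hunk opens the client and peer ports on the host firewall, so an out-of-the-box run serves a plaintext, unauthenticated etcd API on the interface address; the TLS paths defined a few lines above are only consulted by the template when the scheme is exactly `https`. If http is meant as a lab-only bootstrap default, a comment above the two scheme keys should say so, e.g. `# http means no TLS on client or peer traffic; set https and provide the cert files below for anything beyond a lab`. Separately, `port: "{{etcd_client_port}}/tcp"` and `port: "{{ etcd_peer_port }}/tcp"` differ in Jinja spacing; the second form matches the rest of the file.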
@@ -0,0 +1,17 @@
+---
+# This module is based on https://github.com/retr0h/ansible-etcd with most
+# changes centered around installing from a pre-existing rpm
+# TODO: Extend https://github.com/retr0h/ansible-etcd rather than forking
+galaxy_info:
+ author: Scott Dodson
+ description: etcd management
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
new file mode 100644
index 000000000..8ed803119
--- /dev/null
+++ b/roles/etcd/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install etcd
+ yum: pkg=etcd state=present disable_gpg_check=yes
+
+- name: Write etcd global config file
+ template:
+ src: etcd.conf.j2
+ dest: /etc/etcd/etcd.conf
+ notify:
+ - restart etcd
+
+- name: Enable etcd
+ service:
+ name: etcd
+ state: started
+ enabled: yes
diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2
new file mode 100644
index 000000000..5723b5089
--- /dev/null
+++ b/roles/etcd/templates/etcd.conf.j2
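Review bot: `license: Apache License, Version 2.0` in galaxy_info contradicts the `MIT` given under License in roles/etcd/README.md added by the same commit; one of the two needs correcting before the role is published. `min_ansible_version: 1.2` is a plain float, and a later value such as `1.10` would silently parse as `1.1`, so quoting it as `min_ansible_version: "1.2"` now avoids that trap.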
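Review bot: `yum: pkg=etcd state=present disable_gpg_check=yes` installs the etcd package without verifying its signature, so a tampered or spoofed repository would be accepted silently; unless an unsigned build is genuinely required, drop `disable_gpg_check=yes` and let yum verify against the configured keys (the README only says the package is available via yum, not that the repository is unsigned). If skipping the check is deliberate, gate it behind a variable with a comment naming the repository rather than hard-coding it. `enabled: yes` would also be better as `enabled: true`, since `yes` is a YAML 1.1-only boolean.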
@@ -0,0 +1,46 @@
+{% macro initial_cluster() -%}
+{% for host in groups[etcd_peers_group] -%}
+{% if loop.last -%}
+{{ host }}={{ etcd_peer_url_scheme }}://{{ hostvars[host]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }}
+{%- else -%}
+{{ host }}={{ etcd_peer_url_scheme }}://{{ hostvars[host]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }},
+{%- endif -%}
+{% endfor -%}
+{% endmacro -%}
+
+ETCD_NAME={{ inventory_hostname }}
+ETCD_DATA_DIR={{ etcd_data_dir }}
+#ETCD_SNAPSHOT_COUNTER="10000"
+#ETCD_HEARTBEAT_INTERVAL="100"
+#ETCD_ELECTION_TIMEOUT="1000"
+ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
+#ETCD_MAX_SNAPSHOTS="5"
+#ETCD_MAX_WALS="5"
+#ETCD_CORS=""
+#
+#[cluster]
+ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
+ETCD_INITIAL_CLUSTER={{ initial_cluster() }}
+ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
+ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
+ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+#ETCD_DISCOVERY=""
+#ETCD_DISCOVERY_SRV=""
+#ETCD_DISCOVERY_FALLBACK="proxy"
+#ETCD_DISCOVERY_PROXY=""
+#
+#[proxy]
+#ETCD_PROXY="off"
+#
+#[security]
+{% if etcd_url_scheme == 'https' -%}
+ETCD_CA_FILE={{ etcd_ca_file }}
+ETCD_CERT_FILE={{ etcd_cert_file }}
+ETCD_KEY_FILE={{ etcd_key_file }}
+{% endif -%}
+{% if etcd_peer_url_scheme == 'https' -%}
+ETCD_PEER_CA_FILE={{ etcd_peer_ca_file }}
+ETCD_PEER_CERT_FILE={{ etcd_peer_cert_file }}
+ETCD_PEER_KEY_FILE={{ etcd_peer_key_file }}
+{% endif -%}
-- cgit v1.2.3 From add3fbcce31e9db4ea8c76acb9c8579f20581912 Mon Sep 17 00:00:00 2001
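Review bot: The `#[security]` block at the end of the hunk writes `ETCD_CA_FILE` when `etcd_url_scheme == 'https'`, but nothing in the template records that on the etcd releases of that period the CA-file setting is also what switches on client-certificate verification, whereas later releases moved that to `ETCD_TRUSTED_CA_FILE` plus `ETCD_CLIENT_CERT_AUTH` and deprecated `ETCD_CA_FILE`; which behaviour applies depends on the version the yum repository ships, so confirm it. A comment such as `# ETCD_CA_FILE pins the CA and, on the etcd version this role targets, requires clients to present a certificate signed by it` above the block keeps that intent visible to whoever upgrades the package. The `initial_cluster()` macro at the top repeats the full peer-URL expression in both branches of `{% if loop.last %}`; emitting the URL once followed by `{% if not loop.last %},{% endif %}` halves the duplication.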
From: Jason DeTiberus Date: Fri, 10 Jul 2015 14:46:43 -0400 Subject: Etcd role updates and playbook updates - fix firewall conflict issues with co-located etcd and openshift hosts - added os_firewall dependency to etcd role - updated etcd template to better handle clustered and non-clustered installs - added etcd_ca role - generates a self-signed cert to manage etcd certificates, since etcd peer certificates are required to be client and server certs and the openshift ca will only generate client or server certs (not one authorized for both). - renamed openshift_etcd_certs role to etcd_certificates and updated it to manage certificates generated from the CA managed by the etcd_ca role - remove hard coded etcd_port in openshift_facts - updates for the openshift-etcd common playbook - removed etcd and openshift-etcd playbooks from the byo playbooks directory - added a common playbook for setting etcd launch facts - added an openshift-etcd common service playbook - removed unused variables - fixed tests for embedded_{etcd,dns,kube} in openshift_master - removed old workaround for reloading systemd units --- roles/etcd/defaults/main.yaml | 15 +++++++++------ roles/etcd/meta/main.yml | 2 ++ roles/etcd/tasks/main.yml | 36 +++++++++++++++++++++++++++++++++++- roles/etcd/templates/etcd.conf.j2 | 16 +++++++++++----- 4 files changed, 57 insertions(+), 12 deletions(-) (limited to 'roles/etcd')
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index f6281101f..0fb45f37c 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -5,12 +5,13 @@ etcd_peer_port: 2380
 etcd_peers_group: etcd
 etcd_url_scheme: http
 etcd_peer_url_scheme: http
-etcd_ca_file: /etc/etcd/ca.crt
-etcd_cert_file: /etc/etcd/client.crt
-etcd_key_file: /etc/etcd/client.key
-etcd_peer_ca_file: /etc/etcd/ca.crt
-etcd_peer_cert_file: /etc/etcd/peer.crt
-etcd_peer_key_file: /etc/etcd/peer.key
+etcd_conf_dir: /etc/etcd
+etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
+etcd_key_file: "{{ etcd_conf_dir }}/server.key"
+etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_peer_cert_file: "{{ etcd_conf_dir }}/peer.crt"
+etcd_peer_key_file: "{{ etcd_conf_dir }}/peer.key"
 
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
@@ -21,6 +22,8 @@ etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostn
 etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
 
 etcd_data_dir: /var/lib/etcd/
+
+os_firewall_use_firewalld: False
 os_firewall_allow:
 - service: etcd
 port: "{{etcd_client_port}}/tcp"
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index f952f84be..82b1a62b8 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -15,3 +15,5 @@ galaxy_info:
 categories:
 - cloud
 - system
+dependencies:
+- { role: os_firewall }
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 8ed803119..62e29324c 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
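Review bot: `os_firewall_use_firewalld: False` is added to this role's defaults, yet the variable belongs to the os_firewall role that meta/main.yml now pulls in, so every host applying etcd silently has its firewall backend pinned without any explanation at the point of use; the commit message attributes this to conflicts on co-located etcd/openshift hosts, and if that is the reason a comment such as `# pin os_firewall to its non-firewalld backend; see commit message on co-located openshift hosts` would stop a later reader from removing it. The value should also be written `false` rather than `False`, matching the YAML 1.2 canonical form and the rest of the file's lowercase scalars.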
@@ -1,6 +1,38 @@
 ---
 - name: Install etcd
- yum: pkg=etcd state=present disable_gpg_check=yes
+ yum: pkg=etcd state=present
+
+- name: Validate permissions on the config dir
+ file:
+ path: "{{ etcd_conf_dir }}"
+ state: directory
+ owner: etcd
+ group: etcd
+ mode: 0700
+
+- name: Validate permissions on certificate files
+ file:
+ path: "{{ item }}"
+ mode: 0600
+ group: etcd
+ owner: etcd
+ when: etcd_url_scheme == 'https'
+ with_items:
+ - "{{ etcd_ca_file }}"
+ - "{{ etcd_cert_file }}"
+ - "{{ etcd_key_file }}"
+
+- name: Validate permissions on peer certificate files
+ file:
+ path: "{{ item }}"
+ mode: 0600
+ group: etcd
+ owner: etcd
+ when: etcd_peer_url_scheme == 'https'
+ with_items:
+ - "{{ etcd_peer_ca_file }}"
+ - "{{ etcd_peer_cert_file }}"
+ - "{{ etcd_peer_key_file }}"
 
 - name: Write etcd global config file
 template:
@@ -14,3 +46,5 @@
 name: etcd
 state: started
 enabled: yes
+
+- pause: seconds=10
diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2
index 5723b5089..801be2c97 100644
--- a/roles/etcd/templates/etcd.conf.j2
+++ b/roles/etcd/templates/etcd.conf.j2
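Review bot: The three new file tasks write `mode: 0700` and `mode: 0600` as unquoted plain scalars; a YAML 1.1 parser reads the leading zero as octal, which the file module happens to accept, but that is exactly the case YAML 1.2 changed and a value typed without the zero would be taken as decimal, so quote them (`mode: "0600"`) as is usual in Ansible for key material. `etcd_ca_file` and `etcd_peer_ca_file` default to the same path, so when both schemes are https the CA file is chmodded by both tasks; harmless, but a one-line comment on the peer task saying the overlap is expected would prevent a "fix". The certificate tasks fail the play when a listed file is missing, which is the right outcome since otherwise etcd would be enabled with TLS configured but no key to load. The unconditional `- pause: seconds=10` in the second hunk carries no comment saying what it waits for.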
@@ -8,31 +8,37 @@
 {% endfor -%}
 {% endmacro -%}
 
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
 ETCD_NAME={{ inventory_hostname }}
+ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+{% else %}
+ETCD_NAME=default
+{% endif %}
 ETCD_DATA_DIR={{ etcd_data_dir }}
 #ETCD_SNAPSHOT_COUNTER="10000"
 #ETCD_HEARTBEAT_INTERVAL="100"
 #ETCD_ELECTION_TIMEOUT="1000"
-ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
 ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
 #ETCD_MAX_SNAPSHOTS="5"
 #ETCD_MAX_WALS="5"
 #ETCD_CORS=""
-#
+
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
 #[cluster]
 ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
 ETCD_INITIAL_CLUSTER={{ initial_cluster() }}
 ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
 ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
-ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
 #ETCD_DISCOVERY=""
 #ETCD_DISCOVERY_SRV=""
 #ETCD_DISCOVERY_FALLBACK="proxy"
 #ETCD_DISCOVERY_PROXY=""
-#
+{% endif %}
+ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+
 #[proxy]
 #ETCD_PROXY="off"
-#
+
 #[security]
 {% if etcd_url_scheme == 'https' -%}
 ETCD_CA_FILE={{ etcd_ca_file }}
-- cgit v1.2.3 From f831779404b0147d6a92935cd8b77de3e25f2bec Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Wed, 15 Jul 2015 17:04:11 -0400 Subject: add pauses to avoid service restarts from interfering with initial startup bootstrapping --- roles/etcd/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'roles/etcd')
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 62e29324c..79a91dfde 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -46,5 +46,7 @@
 name: etcd
 state: started
 enabled: yes
+ register: start_result
 
-- pause: seconds=10
+- pause: seconds=30
+ when: start_result | changed
-- cgit v1.2.3
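Review bot: The cluster test `groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1` is written out twice in this hunk, once around `ETCD_NAME` and once around the `#[cluster]` section; binding it once near the top of the file, e.g. `{% set etcd_clustered = groups[etcd_peers_group] is defined and groups[etcd_peers_group] | length > 1 %}`, keeps the two `{% if %}` blocks from drifting apart and, with the `is defined` guard, avoids the undefined-key error the current form would presumably raise when the group is absent from inventory (the template has no guard for that case). In the non-clustered branch `ETCD_LISTEN_PEER_URLS` is no longer written even though `etcd_listen_peer_urls` is still defined in defaults, so etcd falls back to its built-in peer listen default; a comment above `ETCD_NAME=default` such as `# single node: no peer listener is configured, etcd uses its default` would make that deliberate. The macro and the remainder of the `#[security]` section lie outside the hunk.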
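Review bot: `pause: seconds=30` guarded by `start_result | changed` is a fixed sleep standing in for a readiness check, so it is too long on a fast host and gives no signal on a slow one where etcd never comes up. A `wait_for` on this host's client listener, e.g. `wait_for: port={{ etcd_client_port }} host={{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }} timeout=60` under the same `when`, returns as soon as the port accepts connections and fails loudly on timeout; the explicit host matters because `etcd_listen_client_urls` binds the interface address rather than loopback, which is wait_for's default. The commit message explains the pause as keeping later restarts from interfering with bootstrapping; a comment saying exactly that above the task would preserve the reason in the file.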