| -rw-r--r-- | inventory/byo/hosts.origin.example | 10 | ||||
| -rw-r--r-- | inventory/byo/hosts.ose.example | 9 | ||||
| -rw-r--r-- | playbooks/adhoc/bootstrap-fedora.yml | 1 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/upgrades/post.yml | 1 | ||||
| -rw-r--r-- | roles/openshift_master/templates/master.yaml.v1.j2 | 5 | 
5 files changed, 24 insertions, 2 deletions
| diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 8e7883f3b..8dedba9f8 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -343,6 +343,16 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #osm_cluster_network_cidr=10.1.0.0/16
 #openshift_portal_net=172.30.0.0/16
+
+# ExternalIPNetworkCIDRs controls what values are acceptable for the
+# service external IP field. If empty, no externalIP may be set. It
+# may contain a list of CIDRs which are checked for access. If a CIDR
+# is prefixed with !, IPs in that CIDR will be rejected. Rejections
+# will be applied first, then the IP checked against one of the
+# allowed CIDRs. You should ensure this range does not overlap with
+# your nodes, pods, or service CIDRs for security reasons.
+#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
+
 # Configure number of bits to allocate to each host’s subnet e.g. 8
 # would mean a /24 network on the host.
 #osm_host_subnet_length=8
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 0d358146c..7b6b5fcc5 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
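Review bot: The added comment says `If empty, no externalIP may be set`, but leaving `openshift_master_external_ip_network_cidrs` unset, as the commented-out example line does, does not yield an empty list: the master template in this same commit falls back to `default(["0.0.0.0/0"])`, so every externalIP value is accepted unless the inventory explicitly narrows it. That is the opposite of the restrictive reading a user may take from the comment, and it sits awkwardly next to the sentence telling them to keep the range away from node, pod and service CIDRs. Add a line after the existing block, `# When this variable is not set, the master defaults to ['0.0.0.0/0'] (any IP accepted); set it to [] to forbid externalIPs entirely.`, and consider showing a narrowed example range rather than 0.0.0.0/0. The same comment block is added to inventory/byo/hosts.ose.example in the next hunk and needs the same addition.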
@@ -339,6 +339,15 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_portal_net=172.30.0.0/16
+# ExternalIPNetworkCIDRs controls what values are acceptable for the
+# service external IP field. If empty, no externalIP may be set. It
+# may contain a list of CIDRs which are checked for access. If a CIDR
+# is prefixed with !, IPs in that CIDR will be rejected. Rejections
+# will be applied first, then the IP checked against one of the
+# allowed CIDRs. You should ensure this range does not overlap with
+# your nodes, pods, or service CIDRs for security reasons.
+#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
+
 # Configure number of bits to allocate to each host’s subnet e.g. 8
 # would mean a /24 network on the host.
 #osm_host_subnet_length=8
diff --git a/playbooks/adhoc/bootstrap-fedora.yml b/playbooks/adhoc/bootstrap-fedora.yml
index 5ca383a37..b370d7fba 100644
--- a/playbooks/adhoc/bootstrap-fedora.yml
+++ b/playbooks/adhoc/bootstrap-fedora.yml
@@ -1,4 +1,5 @@
 - hosts: OSEv3
+  gather_facts: false
   tasks:
     - name: install python and deps for ansible modules
       raw: dnf install -y python2 python2-dnf libselinux-python libsemanage-python python2-firewall pyOpenSSL python-cryptography
diff --git a/playbooks/common/openshift-cluster/upgrades/post.yml b/playbooks/common/openshift-cluster/upgrades/post.yml
index 796634a5e..e43954453 100644
--- a/playbooks/common/openshift-cluster/upgrades/post.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post.yml
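Review bot: In the bootstrap-fedora.yml hunk, `gather_facts: false` is added with no comment, and nothing in the play says why fact gathering has to be skipped; the `raw:` task that follows installs python, which suggests facts cannot be collected until this play has run, but that is inferred from the task list rather than stated. A one-line comment above the new key, `# fact gathering needs a python interpreter on the host, which this play is about to install`, would stop the next reader from re-enabling it. Because the play runs a `raw:` command against every host in OSEv3, the setting applies to all of them.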
@@ -66,6 +66,7 @@
       grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml
     register: grep_plugin_order_override
     when: openshift.common.version_gte_3_3_or_1_3 | bool
+    failed_when: false
   - name: Warn if pluginOrderOverride is in use in master-config.yaml
     debug: msg="WARNING pluginOrderOverride is being deprecated in master-config.yaml, please see https://docs.openshift.com/enterprise/latest/architecture/additional_concepts/admission_controllers.html for more information."
     when: not grep_plugin_order_override | skipped and grep_plugin_order_override.rc == 0
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 31e86f5bd..0683fa95a 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -156,6 +156,7 @@ networkConfig:
 {% endif %}
 # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
   serviceNetworkCIDR: {{ openshift.common.portal_net }}
+  externalIPNetworkCIDRs: {{ openshift_master_external_ip_network_cidrs | default(["0.0.0.0/0"]) | to_padded_yaml(1,2) }}
 oauthConfig:
 {% if 'oauth_always_show_provider_selection' in openshift.master %}
   alwaysShowProviderSelection: {{ openshift.master.oauth_always_show_provider_selection }}
@@ -173,7 +174,7 @@ oauthConfig:
 {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   masterCA: ca-bundle.crt
 {% else %}
-  masterCA: ca.rt
+  masterCA: ca.crt
 {% endif %}
   masterPublicURL: {{ openshift.master.public_api_url }}
   masterURL: {{ openshift.master.api_url }}
@@ -210,7 +211,7 @@ serviceAccountConfig:
 {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   masterCA: ca-bundle.crt
 {% else %}
-  masterCA: ca.rt
+  masterCA: ca.crt
 {% endif %}
   privateKeyFile: serviceaccounts.private.key
   publicKeyFiles: |
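Review bot: `failed_when: false` in the post.yml hunk silences every non-zero exit of the grep task, not only the `rc == 1` that grep returns when the string is absent; an unreadable or missing master-config.yaml (grep exits 2) now comes back as a non-zero rc and the following warning task, which only fires on `rc == 0`, quietly reports "not in use". Narrowing the condition keeps the intended no-match case non-fatal while still surfacing real errors: `failed_when: grep_plugin_order_override.rc not in [0, 1]`. The task whose `register:` and `when:` appear here begins above the hunk, so the line that actually runs grep is not visible in the diff.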
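Review bot: The fallback `default(["0.0.0.0/0"])` on the new `externalIPNetworkCIDRs` line in master.yaml.v1.j2 makes the most permissive setting the implicit one: any inventory that does not set `openshift_master_external_ip_network_cidrs` renders a master config that accepts every externalIP, including addresses inside the node, pod and service ranges that the inventory comment in this same commit says should be excluded. If that default is kept for compatibility with existing deployments, say so next to the line in a non-rendering template comment such as `{# defaults to all ranges for backward compatibility; set openshift_master_external_ip_network_cidrs in the inventory to restrict which externalIPs a Service may claim #}`; otherwise an empty list, which the inventory comment documents as "no externalIP may be set", is the safer default. The two `ca.rt` to `ca.crt` corrections in the later hunks of this file are unrelated to the externalIP change and read better as their own commit.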
