diff options
60 files changed, 1168 insertions, 699 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index b8982c3a5..43cc6693e 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.3.4-1 ./ +3.3.6-1 ./ diff --git a/README_GCE.md b/README_GCE.md index df9942f24..f909630aa 100644 --- a/README_GCE.md +++ b/README_GCE.md @@ -86,6 +86,8 @@ Install Dependencies yum install -y ansible python-libcloud ``` +> Installation using Mac OSX requires pycrypto library +> $ pip install pycrypto Test The Setup -------------- diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index ec00a1646..557a684dc 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -37,6 +37,9 @@ class FilterModule(object): def get_attr(data, attribute=None): """ This looks up dictionary attributes of the form a.b.c and returns the value. + + If the key isn't present, None is returned. + Ex: data = {'a': {'b': {'c': 5}}} attribute = "a.b.c" returns 5 @@ -46,7 +49,11 @@ class FilterModule(object): ptr = data for attr in attribute.split('.'): - ptr = ptr[attr] + if attr in ptr: + ptr = ptr[attr] + else: + ptr = None + break return ptr @@ -138,6 +145,7 @@ class FilterModule(object): else: retval = [FilterModule.get_attr(d, attribute) for d in data] + retval = [val for val in retval if val != None] return retval @staticmethod @@ -474,16 +482,20 @@ class FilterModule(object): """ Parses names from list of certificate hashes. Ex: certificates = [{ "certfile": "/root/custom1.crt", - "keyfile": "/root/custom1.key" }, + "keyfile": "/root/custom1.key", + "cafile": "/root/custom-ca1.crt" }, { "certfile": "custom2.crt", - "keyfile": "custom2.key" }] + "keyfile": "custom2.key", + "cafile": "custom-ca2.crt" }] returns [{ "certfile": "/etc/origin/master/named_certificates/custom1.crt", "keyfile": "/etc/origin/master/named_certificates/custom1.key", + "cafile": "/etc/origin/master/named_certificates/custom-ca1.crt", "names": [ "public-master-host.com", "other-master-host.com" ] }, { "certfile": "/etc/origin/master/named_certificates/custom2.crt", "keyfile": "/etc/origin/master/named_certificates/custom2.key", + "cafile": "/etc/origin/master/named_certificates/custom-ca-2.crt", "names": [ "some-hostname.com" ] }] """ if not isinstance(named_certs_dir, basestring): @@ -514,17 +526,20 @@ class FilterModule(object): raise errors.AnsibleFilterError(("|failed to parse certificate '%s', " % certificate['certfile'] + "please specify certificate names in host inventory")) - certificate['names'] = [name for name in certificate['names'] if name not in internal_hostnames] - certificate['names'] = list(set(certificate['names'])) - if not certificate['names']: - raise errors.AnsibleFilterError(("|failed to parse certificate '%s' or " % certificate['certfile'] + - "detected a collision with internal hostname, please specify " + - "certificate names in host inventory")) + if 'cafile' not in certificate: + certificate['names'] = [name for name in certificate['names'] if name not in internal_hostnames] + certificate['names'] = list(set(certificate['names'])) + if not certificate['names']: + raise errors.AnsibleFilterError(("|failed to parse certificate '%s' or " % certificate['certfile'] + + "detected a collision with internal hostname, please specify " + + "certificate names in host inventory")) for certificate in certificates: # Update paths for configuration certificate['certfile'] = os.path.join(named_certs_dir, os.path.basename(certificate['certfile'])) certificate['keyfile'] = os.path.join(named_certs_dir, os.path.basename(certificate['keyfile'])) + if 'cafile' in certificate: + certificate['cafile'] = os.path.join(named_certs_dir, os.path.basename(certificate['cafile'])) return certificates @staticmethod diff --git a/inventory/byo/hosts.aep.example b/inventory/byo/hosts.aep.example index 8d2d95f8f..36e1e8825 100644 --- a/inventory/byo/hosts.aep.example +++ b/inventory/byo/hosts.aep.example @@ -345,15 +345,20 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # NOTE: openshift_master_named_certificates is cached on masters and is an # additive fact, meaning that each run with a different set of certificates # will add the newly provided certificates to the cached set of certificates. +# +# An optional CA may be specified for each named certificate. CAs will +# be added to the OpenShift CA bundle which allows for the named +# certificate to be served for internal cluster communication. +# # If you would like openshift_master_named_certificates to be overwritten with # the provided value, specify openshift_master_overwrite_named_certificates. #openshift_master_overwrite_named_certificates=true # # Provide local certificate paths which will be deployed to masters -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key"}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}] # # Detected names may be overridden by specifying the "names" key -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}] # Session options #openshift_master_session_name=ssn diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index d71ed5727..115ddb824 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -353,15 +353,20 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # NOTE: openshift_master_named_certificates is cached on masters and is an # additive fact, meaning that each run with a different set of certificates # will add the newly provided certificates to the cached set of certificates. +# +# An optional CA may be specified for each named certificate. CAs will +# be added to the OpenShift CA bundle which allows for the named +# certificate to be served for internal cluster communication. +# # If you would like openshift_master_named_certificates to be overwritten with # the provided value, specify openshift_master_overwrite_named_certificates. #openshift_master_overwrite_named_certificates=true # # Provide local certificate paths which will be deployed to masters -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key"}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}] # # Detected names may be overridden by specifying the "names" key -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}] # Session options #openshift_master_session_name=ssn diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index ccff97b47..b036165be 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -347,15 +347,20 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # NOTE: openshift_master_named_certificates is cached on masters and is an # additive fact, meaning that each run with a different set of certificates # will add the newly provided certificates to the cached set of certificates. +# +# An optional CA may be specified for each named certificate. CAs will +# be added to the OpenShift CA bundle which allows for the named +# certificate to be served for internal cluster communication. +# # If you would like openshift_master_named_certificates to be overwritten with # the provided value, specify openshift_master_overwrite_named_certificates. #openshift_master_overwrite_named_certificates=true # # Provide local certificate paths which will be deployed to masters -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key"}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}] # # Detected names may be overridden by specifying the "names" key -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}] # Session options #openshift_master_session_name=ssn diff --git a/library/delegated_serial_command.py b/library/delegated_serial_command.py new file mode 100755 index 000000000..3969edfdd --- /dev/null +++ b/library/delegated_serial_command.py @@ -0,0 +1,275 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>, and others +# (c) 2016, Andrew Butcher <abutcher@redhat.com> +# +# This module is derrived from the Ansible command module. +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see <http://www.gnu.org/licenses/>. + + +# pylint: disable=unused-wildcard-import,wildcard-import,unused-import,redefined-builtin + +''' delegated_serial_command ''' + +import copy +import sys +import datetime +import glob +import traceback +import re +import shlex +import os +import fcntl +import time + +DOCUMENTATION = ''' +--- +module: delegated_serial_command +short_description: Executes a command on a remote node +version_added: historical +description: + - The M(command) module takes the command name followed by a list + of space-delimited arguments. + - The given command will be executed on all selected nodes. It + will not be processed through the shell, so variables like + C($HOME) and operations like C("<"), C(">"), C("|"), and C("&") + will not work (use the M(shell) module if you need these + features). + - Creates and maintains a lockfile such that this module will + wait for other invocations to proceed. +options: + command: + description: + - the command to run + required: true + default: null + creates: + description: + - a filename or (since 2.0) glob pattern, when it already + exists, this step will B(not) be run. + required: no + default: null + removes: + description: + - a filename or (since 2.0) glob pattern, when it does not + exist, this step will B(not) be run. + version_added: "0.8" + required: no + default: null + chdir: + description: + - cd into this directory before running the command + version_added: "0.6" + required: false + default: null + executable: + description: + - change the shell used to execute the command. Should be an + absolute path to the executable. + required: false + default: null + version_added: "0.9" + warn: + version_added: "1.8" + default: yes + description: + - if command warnings are on in ansible.cfg, do not warn about + this particular line if set to no/false. + required: false + lockfile: + default: yes + description: + - the lockfile that will be created + timeout: + default: yes + description: + - time in milliseconds to wait to obtain the lock +notes: + - If you want to run a command through the shell (say you are using C(<), + C(>), C(|), etc), you actually want the M(shell) module instead. The + M(command) module is much more secure as it's not affected by the user's + environment. + - " C(creates), C(removes), and C(chdir) can be specified after + the command. For instance, if you only want to run a command if + a certain file does not exist, use this." +author: + - Ansible Core Team + - Michael DeHaan + - Andrew Butcher +''' + +EXAMPLES = ''' +# Example from Ansible Playbooks. +- delegated_serial_command: + command: /sbin/shutdown -t now + +# Run the command if the specified file does not exist. +- delegated_serial_command: + command: /usr/bin/make_database.sh arg1 arg2 + creates: /path/to/database +''' + +# Dict of options and their defaults +OPTIONS = {'chdir': None, + 'creates': None, + 'command': None, + 'executable': None, + 'NO_LOG': None, + 'removes': None, + 'warn': True, + 'lockfile': None, + 'timeout': None} + +def check_command(commandline): + ''' Check provided command ''' + arguments = {'chown': 'owner', 'chmod': 'mode', 'chgrp': 'group', + 'ln': 'state=link', 'mkdir': 'state=directory', + 'rmdir': 'state=absent', 'rm': 'state=absent', 'touch': 'state=touch'} + commands = {'git': 'git', 'hg': 'hg', 'curl': 'get_url or uri', 'wget': 'get_url or uri', + 'svn': 'subversion', 'service': 'service', + 'mount': 'mount', 'rpm': 'yum, dnf or zypper', 'yum': 'yum', 'apt-get': 'apt', + 'tar': 'unarchive', 'unzip': 'unarchive', 'sed': 'template or lineinfile', + 'rsync': 'synchronize', 'dnf': 'dnf', 'zypper': 'zypper'} + become = ['sudo', 'su', 'pbrun', 'pfexec', 'runas'] + warnings = list() + command = os.path.basename(commandline.split()[0]) + # pylint: disable=line-too-long + if command in arguments: + warnings.append("Consider using file module with {0} rather than running {1}".format(arguments[command], command)) + if command in commands: + warnings.append("Consider using {0} module rather than running {1}".format(commands[command], command)) + if command in become: + warnings.append( + "Consider using 'become', 'become_method', and 'become_user' rather than running {0}".format(command,)) + return warnings + + +# pylint: disable=too-many-statements,too-many-branches,too-many-locals +def main(): + ''' Main module function ''' + module = AnsibleModule( + argument_spec=dict( + _uses_shell=dict(type='bool', default=False), + command=dict(required=True), + chdir=dict(), + executable=dict(), + creates=dict(), + removes=dict(), + warn=dict(type='bool', default=True), + lockfile=dict(default='/tmp/delegated_serial_command.lock'), + timeout=dict(type='int', default=30) + ) + ) + + shell = module.params['_uses_shell'] + chdir = module.params['chdir'] + executable = module.params['executable'] + command = module.params['command'] + creates = module.params['creates'] + removes = module.params['removes'] + warn = module.params['warn'] + lockfile = module.params['lockfile'] + timeout = module.params['timeout'] + + if command.strip() == '': + module.fail_json(rc=256, msg="no command given") + + iterated = 0 + lockfd = open(lockfile, 'w+') + while iterated < timeout: + try: + fcntl.flock(lockfd, fcntl.LOCK_EX | fcntl.LOCK_NB) + break + # pylint: disable=invalid-name + except IOError as e: + if e.errno != errno.EAGAIN: + module.fail_json(msg="I/O Error {0}: {1}".format(e.errno, e.strerror)) + else: + iterated += 1 + time.sleep(0.1) + + if chdir: + chdir = os.path.abspath(os.path.expanduser(chdir)) + os.chdir(chdir) + + if creates: + # do not run the command if the line contains creates=filename + # and the filename already exists. This allows idempotence + # of command executions. + path = os.path.expanduser(creates) + if glob.glob(path): + module.exit_json( + cmd=command, + stdout="skipped, since %s exists" % path, + changed=False, + stderr=False, + rc=0 + ) + + if removes: + # do not run the command if the line contains removes=filename + # and the filename does not exist. This allows idempotence + # of command executions. + path = os.path.expanduser(removes) + if not glob.glob(path): + module.exit_json( + cmd=command, + stdout="skipped, since %s does not exist" % path, + changed=False, + stderr=False, + rc=0 + ) + + warnings = list() + if warn: + warnings = check_command(command) + + if not shell: + command = shlex.split(command) + startd = datetime.datetime.now() + + # pylint: disable=invalid-name + rc, out, err = module.run_command(command, executable=executable, use_unsafe_shell=shell) + + fcntl.flock(lockfd, fcntl.LOCK_UN) + lockfd.close() + + endd = datetime.datetime.now() + delta = endd - startd + + if out is None: + out = '' + if err is None: + err = '' + + module.exit_json( + cmd=command, + stdout=out.rstrip("\r\n"), + stderr=err.rstrip("\r\n"), + rc=rc, + start=str(startd), + end=str(endd), + delta=str(delta), + changed=True, + warnings=warnings, + iterated=iterated + ) + +# import module snippets +from ansible.module_utils.basic import * +from ansible.module_utils.splitter import * + +main() diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 84b9c9518..66765d859 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -5,7 +5,7 @@ } Name: openshift-ansible -Version: 3.3.4 +Version: 3.3.6 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -221,6 +221,25 @@ Atomic OpenShift Utilities includes %changelog +* Wed Aug 03 2016 Troy Dawson <tdawson@redhat.com> 3.3.6-1 +- Rename router and registry node list variables. (abutcher@redhat.com) +- a-o-i: Fix broken uninstall (smunilla@redhat.com) +- Refactor etcd certificates roles. (abutcher@redhat.com) + +* Mon Aug 01 2016 Troy Dawson <tdawson@redhat.com> 3.3.5-1 +- Update for issue#2244 (kunallimaye@gmail.com) +- Update for issue-2244 (kunallimaye@gmail.com) +- a-o-i: Remove AEP, OSE 3.0, and OSE 3.2 choices (smunilla@redhat.com) +- Move role dependencies to playbooks. (abutcher@redhat.com) +- Fix xpaas_templates_base (sdodson@redhat.com) +- a-o-i: Better inventory group handling (smunilla@redhat.com) +- Add dotnet image stream to enterprise installs (sdodson@redhat.com) +- Fix haproxy logs (sdodson@redhat.com) +- update bootstrap-fedora playbook with new python crypto deps + (maxamillion@fedoraproject.org) +- Remove old sso70-basic templates (sdodson@redhat.com) +- xPaaS v1.3.2 release (sdodson@redhat.com) + * Fri Jul 29 2016 Troy Dawson <tdawson@redhat.com> 3.3.4-1 - a-o-i: Set roles on standalone storage (smunilla@redhat.com) - Disable too many branches pylint (sdodson@redhat.com) diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index c3077e3c2..4d4a09828 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -15,4 +15,27 @@ openshift_hosted_registry_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}" when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master" roles: + - role: openshift_cli + - role: openshift_hosted_facts + - role: openshift_projects + # TODO: Move standard project definitions to openshift_hosted/vars/main.yml + # Vars are not accessible in meta/main.yml in ansible-1.9.x + openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - hostnetwork + when: openshift.common.version_gte_3_2_or_1_2 + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + - registry + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - privileged + when: not openshift.common.version_gte_3_2_or_1_2 + - role: openshift_metrics + when: openshift.hosted.metrics.deploy | bool - role: openshift_hosted diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml index a95de8cf3..1b8106e0e 100644 --- a/playbooks/common/openshift-etcd/config.yml +++ b/playbooks/common/openshift-etcd/config.yml @@ -1,119 +1,10 @@ --- -- name: Set etcd facts needed for generating certs +- name: Configure etcd hosts: oo_etcd_to_config any_errors_fatal: true roles: - - openshift_facts - tasks: - - openshift_facts: - role: etcd - local_facts: - etcd_image: "{{ osm_etcd_image | default(None) }}" - - name: Check status of etcd certificates - stat: - path: "{{ item }}" - with_items: - - /etc/etcd/server.crt - - /etc/etcd/peer.crt - - /etc/etcd/ca.crt - register: g_etcd_server_cert_stat_result - - set_fact: - etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - etcd_cert_subdir: etcd-{{ openshift.common.hostname }} - etcd_cert_config_dir: /etc/etcd - etcd_cert_prefix: - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - -- name: Create temp directory for syncing certs - hosts: localhost - connection: local - become: no - gather_facts: no - tasks: - - name: Create local temp directory for syncing certs - local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX - register: g_etcd_mktemp - changed_when: False - -- name: Configure etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - etcd_needing_server_certs: "{{ hostvars - | oo_select_keys(groups['oo_etcd_to_config']) - | oo_filter_list(filter_attr='etcd_server_certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - roles: - - openshift_etcd_certificates - post_tasks: - - name: Create a tarball of the etcd certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -# Configure a first etcd host to avoid conflicts in choosing a leader -# if other members come online too quickly. -- name: Configure first etcd host - hosts: oo_first_etcd - vars: - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - etcd_url_scheme: https - etcd_peer_url_scheme: https - etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ etcd_cert_config_dir }}" - state: directory - - name: Unarchive the tarball on the etcd host - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_server_certs_missing - roles: - - openshift_etcd - - nickhammond.logrotate - -# Configure the remaining etcd hosts, skipping the first one we dealt with above. -- name: Configure remaining etcd hosts - hosts: oo_etcd_to_config:!oo_first_etcd - vars: - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - etcd_url_scheme: https - etcd_peer_url_scheme: https + - role: openshift_etcd etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ etcd_cert_config_dir }}" - state: directory - - name: Unarchive the tarball on the etcd host - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_server_certs_missing - roles: - - openshift_etcd + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" - role: nickhammond.logrotate - -- name: Delete temporary directory on localhost - hosts: localhost - connection: local - become: no - gather_facts: no - tasks: - - file: name={{ g_etcd_mktemp.stdout }} state=absent - changed_when: False diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 34c96a3af..1d818eea0 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -1,5 +1,5 @@ --- -- name: Set master facts and determine if external etcd certs need to be generated +- name: Set master facts hosts: oo_masters_to_config vars: t_oo_option_master_debug_level: "{{ lookup('oo_option', 'openshift_master_debug_level') }}" @@ -73,23 +73,6 @@ openshift_env: openshift_hosted_registry_storage_kind: 'nfs' when: openshift_hosted_registry_storage_kind is not defined and groups.oo_nfs_to_config is defined and groups.oo_nfs_to_config | length > 0 - - name: Check status of external etcd certificatees - stat: - path: "{{ openshift.common.config_base }}/master/{{ item }}" - with_items: - - master.etcd-client.crt - - master.etcd-ca.crt - register: g_external_etcd_cert_stat_result - - set_fact: - etcd_client_certs_missing: "{{ g_external_etcd_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - etcd_cert_subdir: openshift-master-{{ openshift.common.hostname }} - etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" - etcd_cert_prefix: master.etcd- - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config - name: Create temp directory for syncing certs hosts: localhost @@ -102,60 +85,6 @@ register: g_master_mktemp changed_when: False -- name: Configure etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - etcd_needing_client_certs: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config']) - | default([]) - | oo_filter_list(filter_attr='etcd_client_certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - roles: - - openshift_etcd_certificates - post_tasks: - - name: Create a tarball of the etcd certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Copy the external etcd certs to the masters - hosts: oo_masters_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/master" - state: directory - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - file: - path: "{{ etcd_cert_config_dir }}/{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - master.etcd-client.crt - - master.etcd-client.key - - master.etcd-ca.crt - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - name: Check for cached session secrets hosts: oo_first_master roles: @@ -183,54 +112,6 @@ session_encryption_secrets: "{{ g_session_encryption_secrets }}" when: not g_session_secrets_present | bool -- name: Parse named certificates - hosts: localhost - connection: local - become: no - vars: - internal_hostnames: "{{ hostvars[groups.oo_first_master.0].openshift.common.internal_hostnames }}" - named_certificates: "{{ hostvars[groups.oo_first_master.0].openshift_master_named_certificates | default([]) }}" - named_certificates_dir: "{{ hostvars[groups.oo_first_master.0].openshift.common.config_base }}/master/named_certificates/" - tasks: - - set_fact: - parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certificates_dir, internal_hostnames) }}" - when: named_certificates | length > 0 - -- name: Deploy named certificates - hosts: oo_masters_to_config - vars: - named_certs_dir: "{{ openshift.common.config_base }}/master/named_certificates/" - named_certs_specified: "{{ openshift_master_named_certificates is defined }}" - overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}" - roles: - - role: openshift_facts - post_tasks: - - openshift_facts: - role: master - local_facts: - named_certificates: "{{ hostvars.localhost.parsed_named_certificates | default([]) }}" - additive_facts_to_overwrite: - - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}" - - name: Clear named certificates - file: - path: "{{ named_certs_dir }}" - state: absent - when: overwrite_named_certs | bool - - name: Ensure named certificate directory exists - file: - path: "{{ named_certs_dir }}" - state: directory - mode: 0700 - when: named_certs_specified | bool - - name: Land named certificates - copy: src="{{ item.certfile }}" dest="{{ named_certs_dir }}" - with_items: "{{ openshift_master_named_certificates }}" - when: named_certs_specified | bool - - name: Land named certificate keys - copy: src="{{ item.keyfile }}" dest="{{ named_certs_dir }}" mode=0600 - with_items: "{{ openshift_master_named_certificates }}" - when: named_certs_specified | bool - - name: Configure masters hosts: oo_masters_to_config any_errors_fatal: true @@ -245,10 +126,10 @@ | union(groups['oo_etcd_to_config'] | default([]))) | oo_collect('openshift.common.hostname') | default([]) | join (',') }}" - when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and - openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_master + - role: openshift_master_facts + - role: openshift_hosted_facts + - role: openshift_master_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" openshift_master_etcd_hosts: "{{ hostvars | oo_select_keys(groups['oo_etcd_to_config'] | default([])) @@ -258,6 +139,38 @@ | oo_select_keys(groups['oo_masters_to_config'] | default([])) | oo_collect('openshift.common.all_hostnames') | oo_flatten | unique }}" + - role: openshift_etcd_client_certificates + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" + etcd_cert_prefix: "master.etcd-" + when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config + - role: openshift_clock + - role: openshift_cloud_provider + - role: openshift_builddefaults + - role: os_firewall + os_firewall_allow: + - service: etcd embedded + port: 4001/tcp + - service: api server https + port: "{{ openshift.master.api_port }}/tcp" + - service: api controllers https + port: "{{ openshift.master.controllers_port }}/tcp" + - service: skydns tcp + port: "{{ openshift.master.dns_port }}/tcp" + - service: skydns udp + port: "{{ openshift.master.dns_port }}/udp" + - service: Fluentd td-agent tcp + port: 24224/tcp + - service: Fluentd td-agent udp + port: 24224/udp + - service: pcsd + port: 2224/tcp + - service: Corosync UDP + port: 5404/udp + - service: Corosync UDP + port: 5405/udp + - role: openshift_master openshift_master_hosts: "{{ groups.oo_masters_to_config }}" - role: nickhammond.logrotate - role: nuage_master diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml index 6e6cb3e01..b40b01709 100644 --- a/playbooks/common/openshift-master/scaleup.yml +++ b/playbooks/common/openshift-master/scaleup.yml @@ -33,7 +33,12 @@ service: name={{ openshift.common.service_type }}-master-controllers state=restarted - name: verify api server command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index a8c49d37b..c56353430 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -60,8 +60,30 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_node + - role: openshift_clock + - role: openshift_docker + - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" + - role: openshift_cloud_provider + - role: openshift_common + - role: openshift_node_dnsmasq + when: openshift.common.use_dnsmasq + - role: os_firewall + os_firewall_allow: + - service: Kubernetes kubelet + port: 10250/tcp + - service: http + port: 80/tcp + - service: https + port: 443/tcp + - service: Openshift kubelet ReadOnlyPort + port: 10255/tcp + - service: Openshift kubelet ReadOnlyPort udp + port: 10255/udp + - service: OpenShift OVS sdn + port: 4789/udp + when: openshift.node.use_openshift_sdn | bool + - role: openshift_node - name: Configure node instances hosts: oo_nodes_to_config:!oo_containerized_master_nodes @@ -77,97 +99,42 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_node + - role: openshift_clock + - role: openshift_docker + - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" - -- name: Gather and set facts for flannel certificatess - hosts: oo_nodes_to_config - tasks: - - name: Check status of flannel external etcd certificates - stat: - path: "{{ openshift.common.config_base }}/node/{{ item }}" - with_items: - - node.etcd-client.crt - - node.etcd-ca.crt - register: g_external_etcd_flannel_cert_stat_result - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config and (openshift.common.use_flannel | bool) - - set_fact: - etcd_client_flannel_certs_missing: "{{ False in g_external_etcd_flannel_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list }}" - etcd_cert_subdir: openshift-node-{{ openshift.common.hostname }} - etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" - etcd_cert_prefix: node.etcd- - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config | length > 0 and (openshift.common.use_flannel | bool) - -- name: Configure flannel etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - pre_tasks: - - set_fact: - etcd_needing_client_certs: "{{ hostvars - | oo_select_keys(groups['oo_nodes_to_config']) - | oo_filter_list('etcd_client_flannel_certs_missing') | default([]) }}" - roles: - - role: openshift_etcd_certificates - when: openshift_use_flannel | default(false) | bool - post_tasks: - - name: Create a tarball of the etcd flannel certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Copy the external etcd flannel certs to the nodes - hosts: oo_nodes_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/node" - state: directory - when: etcd_client_flannel_certs_missing | default(false) | bool - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_client_flannel_certs_missing | default(false) | bool - - file: - path: "{{ etcd_cert_config_dir }}/{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - node.etcd-client.crt - - node.etcd-client.key - - node.etcd-ca.crt - when: etcd_client_flannel_certs_missing | default(false) | bool - + - role: openshift_cloud_provider + - role: openshift_common + - role: openshift_node_dnsmasq + when: openshift.common.use_dnsmasq + - role: os_firewall + os_firewall_allow: + - service: Kubernetes kubelet + port: 10250/tcp + - service: http + port: 80/tcp + - service: https + port: 443/tcp + - service: Openshift kubelet ReadOnlyPort + port: 10255/tcp + - service: Openshift kubelet ReadOnlyPort udp + port: 10255/udp + - service: OpenShift OVS sdn + port: 4789/udp + when: openshift.node.use_openshift_sdn | bool + - role: openshift_node - name: Additional node config hosts: oo_nodes_to_config vars: - # TODO: Prefix flannel role variables. openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" - etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" - embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" roles: - role: flannel + etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" + embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" when: openshift.common.use_flannel | bool - role: nuage_node when: openshift.common.use_nuage | bool @@ -201,7 +168,12 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml index 7156a9fff..cfd72dfbc 100644 --- a/roles/etcd/meta/main.yml +++ b/roles/etcd/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: description: etcd management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.2 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -22,4 +22,4 @@ dependencies: port: "{{etcd_client_port}}/tcp" - service: etcd peering port: "{{ etcd_peer_port }}/tcp" -- role: etcd_common +- role: etcd_server_certificates diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2 index cd048ec60..7ccf78212 100644 --- a/roles/etcd/templates/etcd.conf.j2 +++ b/roles/etcd/templates/etcd.conf.j2 @@ -1,5 +1,5 @@ {% macro initial_cluster() -%} -{% for host in etcd_peers -%} +{% for host in etcd_peers | default([]) -%} {% if loop.last -%} {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }} {%- else -%} diff --git a/roles/etcd_ca/meta/main.yml b/roles/etcd_ca/meta/main.yml index d02456ca3..e3e2f7781 100644 --- a/roles/etcd_ca/meta/main.yml +++ b/roles/etcd_ca/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: + description: Etcd CA company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- { role: etcd_common } +- role: etcd_common diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml index e1bb9baed..865074e41 100644 --- a/roles/etcd_ca/tasks/main.yml +++ b/roles/etcd_ca/tasks/main.yml @@ -2,6 +2,8 @@ - name: Install openssl action: "{{ ansible_pkg_mgr }} name=openssl state=present" when: not etcd_is_atomic | bool + delegate_to: "{{ etcd_ca_host }}" + run_once: true - file: path: "{{ item }}" @@ -13,29 +15,41 @@ - "{{ etcd_ca_new_certs_dir }}" - "{{ etcd_ca_crl_dir }}" - "{{ etcd_ca_dir }}/fragments" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - command: cp /etc/pki/tls/openssl.cnf ./ args: chdir: "{{ etcd_ca_dir }}/fragments" creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - template: dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf" src: openssl_append.j2 backup: true + delegate_to: "{{ etcd_ca_host }}" + run_once: true - assemble: src: "{{ etcd_ca_dir }}/fragments" dest: "{{ etcd_openssl_conf }}" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - command: touch {{ etcd_ca_db }} args: creates: "{{ etcd_ca_db }}" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - copy: dest: "{{ etcd_ca_serial }}" content: "01" force: no + delegate_to: "{{ etcd_ca_host }}" + run_once: true - command: > openssl req -config {{ etcd_openssl_conf }} -newkey rsa:4096 @@ -48,3 +62,5 @@ creates: "{{ etcd_ca_cert }}" environment: SAN: 'etcd-signer' + delegate_to: "{{ etcd_ca_host }}" + run_once: true diff --git a/roles/etcd_certificates/tasks/client.yml b/roles/etcd_certificates/tasks/client.yml deleted file mode 100644 index b497a46c0..000000000 --- a/roles/etcd_certificates/tasks/client.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -- name: Ensure generated_certs directory present - file: - path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - state: directory - mode: 0700 - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Create the client csr - command: > - openssl req -new -keyout {{ item.etcd_cert_prefix }}client.key - -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}client.csr - -reqexts {{ etcd_req_ext }} -batch -nodes - -subj /CN={{ item.etcd_hostname }} - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'client.csr' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Sign and create the client crt - command: > - openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}client.crt - -in {{ item.etcd_cert_prefix }}client.csr - -batch - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'client.crt' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- file: - src: "{{ etcd_ca_cert }}" - dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" - state: hard - with_items: "{{ etcd_needing_client_certs | default([]) }}" diff --git a/roles/etcd_certificates/tasks/main.yml b/roles/etcd_certificates/tasks/main.yml deleted file mode 100644 index 17092ca58..000000000 --- a/roles/etcd_certificates/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- include: client.yml - when: etcd_needing_client_certs | default([]) | length > 0 - -- include: server.yml - when: etcd_needing_server_certs | default([]) | length > 0 diff --git a/roles/etcd_certificates/tasks/server.yml b/roles/etcd_certificates/tasks/server.yml deleted file mode 100644 index 934b8b805..000000000 --- a/roles/etcd_certificates/tasks/server.yml +++ /dev/null @@ -1,71 +0,0 @@ ---- -- name: Ensure generated_certs directory present - file: - path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - state: directory - mode: 0700 - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Create the server csr - command: > - openssl req -new -keyout {{ item.etcd_cert_prefix }}server.key - -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}server.csr - -reqexts {{ etcd_req_ext }} -batch -nodes - -subj /CN={{ item.etcd_hostname }} - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'server.csr' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Sign and create the server crt - command: > - openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}server.crt - -in {{ item.etcd_cert_prefix }}server.csr - -extensions {{ etcd_ca_exts_server }} -batch - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'server.crt' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Create the peer csr - command: > - openssl req -new -keyout {{ item.etcd_cert_prefix }}peer.key - -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}peer.csr - -reqexts {{ etcd_req_ext }} -batch -nodes - -subj /CN={{ item.etcd_hostname }} - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'peer.csr' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Sign and create the peer crt - command: > - openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}peer.crt - -in {{ item.etcd_cert_prefix }}peer.csr - -extensions {{ etcd_ca_exts_peer }} -batch - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'peer.crt' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- file: - src: "{{ etcd_ca_cert }}" - dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" - state: hard - with_items: "{{ etcd_needing_server_certs | default([]) }}" diff --git a/roles/etcd_certificates/README.md b/roles/etcd_client_certificates/README.md index 95f8f8aab..269d5296d 100644 --- a/roles/etcd_certificates/README.md +++ b/roles/etcd_client_certificates/README.md @@ -1,5 +1,5 @@ -OpenShift etcd certificates -======================== +OpenShift Etcd Certificates +=========================== TODO diff --git a/roles/etcd_client_certificates/library b/roles/etcd_client_certificates/library new file mode 120000 index 000000000..494d3c39e --- /dev/null +++ b/roles/etcd_client_certificates/library @@ -0,0 +1 @@ +../../library
\ No newline at end of file diff --git a/roles/etcd_certificates/meta/main.yml b/roles/etcd_client_certificates/meta/main.yml index 41370fab4..713c78c70 100644 --- a/roles/etcd_certificates/meta/main.yml +++ b/roles/etcd_client_certificates/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: + description: Etcd Client Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- { role: etcd_ca } +- role: etcd_ca diff --git a/roles/etcd_client_certificates/tasks/main.yml b/roles/etcd_client_certificates/tasks/main.yml new file mode 100644 index 000000000..b86afb81c --- /dev/null +++ b/roles/etcd_client_certificates/tasks/main.yml @@ -0,0 +1,119 @@ +--- +- name: Check status of external etcd certificatees + stat: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + with_items: + - "{{ etcd_cert_prefix }}client.crt" + - "{{ etcd_cert_prefix }}client.key" + - "{{ etcd_cert_prefix }}ca.crt" + register: g_external_etcd_cert_stat_result + +- set_fact: + etcd_client_certs_missing: "{{ False in (g_external_etcd_cert_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + +- name: Ensure generated_certs directory present + file: + path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + state: directory + mode: 0700 + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the client csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}client.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}client.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'client.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order to avoid competing +# for the serial file. +- name: Sign and create the client crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}client.crt + -in {{ etcd_cert_prefix }}client.csr + -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'client.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- file: + src: "{{ etcd_ca_cert }}" + dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt" + state: hard + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX + register: g_etcd_client_mktemp + changed_when: False + when: etcd_client_certs_missing | bool + delegate_to: localhost + become: no + +- name: Create a tarball of the etcd certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz + -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} . + args: + creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Retrieve the etcd cert tarballs + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ g_etcd_client_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ etcd_cert_config_dir }}" + state: directory + when: etcd_client_certs_missing | bool + +- name: Unarchive etcd cert tarballs + unarchive: + src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_cert_config_dir }}" + when: etcd_client_certs_missing | bool + +- file: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - "{{ etcd_cert_prefix }}client.crt" + - "{{ etcd_cert_prefix }}client.key" + - "{{ etcd_cert_prefix }}ca.crt" + when: etcd_client_certs_missing | bool + +- name: Delete temporary directory + file: name={{ g_etcd_client_mktemp.stdout }} state=absent + changed_when: False + when: etcd_client_certs_missing | bool + delegate_to: localhost + become: no diff --git a/roles/etcd_server_certificates/README.md b/roles/etcd_server_certificates/README.md new file mode 100644 index 000000000..269d5296d --- /dev/null +++ b/roles/etcd_server_certificates/README.md @@ -0,0 +1,34 @@ +OpenShift Etcd Certificates +=========================== + +TODO + +Requirements +------------ + +TODO + +Role Variables +-------------- + +TODO + +Dependencies +------------ + +TODO + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License Version 2.0 + +Author Information +------------------ + +Scott Dodson (sdodson@redhat.com) diff --git a/roles/etcd_server_certificates/library b/roles/etcd_server_certificates/library new file mode 120000 index 000000000..494d3c39e --- /dev/null +++ b/roles/etcd_server_certificates/library @@ -0,0 +1 @@ +../../library
\ No newline at end of file diff --git a/roles/etcd_server_certificates/meta/main.yml b/roles/etcd_server_certificates/meta/main.yml new file mode 100644 index 000000000..b453f2bd8 --- /dev/null +++ b/roles/etcd_server_certificates/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: Etcd Server Certificates + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- role: etcd_ca diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml new file mode 100644 index 000000000..edcf51092 --- /dev/null +++ b/roles/etcd_server_certificates/tasks/main.yml @@ -0,0 +1,136 @@ +--- +- name: Check status of etcd certificates + stat: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + with_items: + - "{{ etcd_cert_prefix }}server.crt" + - "{{ etcd_cert_prefix }}peer.crt" + - "{{ etcd_cert_prefix }}ca.crt" + register: g_etcd_server_cert_stat_result + +- set_fact: + etcd_server_certs_missing: "{{ False in (g_etcd_server_cert_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + +- name: Ensure generated_certs directory present + file: + path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + state: directory + mode: 0700 + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the server csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}server.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}server.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'server.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order to avoid competing +# for the serial file. +- name: Sign and create the server crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}server.crt + -in {{ etcd_cert_prefix }}server.csr + -extensions {{ etcd_ca_exts_server }} -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'server.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the peer csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}peer.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}peer.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'peer.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Sign and create the peer crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}peer.crt + -in {{ etcd_cert_prefix }}peer.csr + -extensions {{ etcd_ca_exts_peer }} -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'peer.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- file: + src: "{{ etcd_ca_cert }}" + dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt" + state: hard + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX + register: g_etcd_server_mktemp + changed_when: False + when: etcd_server_certs_missing | bool + delegate_to: localhost + +- name: Create a tarball of the etcd certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz + -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} . + args: + creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Retrieve etcd cert tarball + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ g_etcd_server_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ etcd_cert_config_dir }}" + state: directory + when: etcd_server_certs_missing | bool + +- name: Unarchive cert tarball + unarchive: + src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_cert_config_dir }}" + when: etcd_server_certs_missing | bool + +- name: Delete temporary directory + file: name={{ g_etcd_server_mktemp.stdout }} state=absent + changed_when: False + when: etcd_server_certs_missing | bool + delegate_to: localhost diff --git a/roles/flannel/meta/main.yml b/roles/flannel/meta/main.yml index 909bdbfa4..616ae61d2 100644 --- a/roles/flannel/meta/main.yml +++ b/roles/flannel/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: flannel management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.2 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -13,4 +13,6 @@ galaxy_info: - cloud - system dependencies: -- { role: openshift_facts } +- role: openshift_facts +- role: openshift_etcd_client_certificates + etcd_cert_prefix: flannel.etcd- diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml index a08aa1686..444c5b77e 100644 --- a/roles/openshift_ca/meta/main.yml +++ b/roles/openshift_ca/meta/main.yml @@ -15,3 +15,4 @@ galaxy_info: dependencies: - role: openshift_repos - role: openshift_cli +- role: openshift_named_certificates diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index 4d9768ce7..2e147840d 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -28,6 +28,7 @@ path: "{{ openshift_ca_config_dir }}/{{ item }}" register: g_master_ca_stat_result with_items: + - ca-bundle.crt - ca.crt - ca.key delegate_to: "{{ openshift_ca_host }}" @@ -43,11 +44,14 @@ - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ openshift_master_hostnames | join(',') }} - --master={{ openshift.master.api_url }} - --public-master={{ openshift.master.public_api_url }} - --cert-dir={{ openshift_ca_config_dir }} - --overwrite=false + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + --hostnames={{ openshift_master_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_ca_config_dir }} + --overwrite=false when: hostvars[openshift_ca_host].master_ca_missing | bool delegate_to: "{{ openshift_ca_host }}" run_once: true diff --git a/roles/openshift_etcd_client_certificates/meta/main.yml b/roles/openshift_etcd_client_certificates/meta/main.yml new file mode 100644 index 000000000..3268c390f --- /dev/null +++ b/roles/openshift_etcd_client_certificates/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: OpenShift Etcd Client Certificates + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: openshift_etcd_facts +- role: etcd_client_certificates diff --git a/roles/openshift_etcd_facts/tasks/main.yml b/roles/openshift_etcd_facts/tasks/main.yml new file mode 100644 index 000000000..22fb39006 --- /dev/null +++ b/roles/openshift_etcd_facts/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- openshift_facts: + role: etcd + local_facts: + etcd_image: "{{ osm_etcd_image | default(None) }}" diff --git a/roles/openshift_etcd_facts/vars/main.yml b/roles/openshift_etcd_facts/vars/main.yml index 6f3894565..cae15d61a 100644 --- a/roles/openshift_etcd_facts/vars/main.yml +++ b/roles/openshift_etcd_facts/vars/main.yml @@ -3,3 +3,8 @@ etcd_is_containerized: "{{ openshift.common.is_containerized }}" etcd_is_atomic: "{{ openshift.common.is_atomic }}" etcd_hostname: "{{ openshift.common.hostname }}" etcd_ip: "{{ openshift.common.ip }}" +etcd_cert_subdir: "etcd-{{ openshift.common.hostname }}" +etcd_cert_prefix: +etcd_cert_config_dir: /etc/etcd +etcd_peer_url_scheme: https +etcd_url_scheme: https diff --git a/roles/openshift_examples/defaults/main.yml b/roles/openshift_examples/defaults/main.yml index 0f5189974..a15285417 100644 --- a/roles/openshift_examples/defaults/main.yml +++ b/roles/openshift_examples/defaults/main.yml @@ -11,7 +11,9 @@ content_version: "{{ openshift.common.examples_content_version }}" examples_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/examples" image_streams_base: "{{ examples_base }}/image-streams" centos_image_streams: "{{ image_streams_base}}/image-streams-centos7.json" -rhel_image_streams: "{{ image_streams_base}}/image-streams-rhel7.json" +rhel_image_streams: + - "{{ image_streams_base}}/image-streams-rhel7.json" + - "{{ image_streams_base}}/dotnet_imagestreams.json" db_templates_base: "{{ examples_base }}/db-templates" xpaas_image_streams: "{{ examples_base }}/xpaas-streams/" xpaas_templates_base: "{{ examples_base }}/xpaas-templates" diff --git a/roles/openshift_examples/examples-sync.sh b/roles/openshift_examples/examples-sync.sh index ff53a0a4f..236717203 100755 --- a/roles/openshift_examples/examples-sync.sh +++ b/roles/openshift_examples/examples-sync.sh @@ -39,7 +39,7 @@ cp cakephp-ex-master/openshift/templates/* ${EXAMPLES_BASE}/quickstart-templates mv application-templates-${XPAAS_VERSION}/jboss-image-streams.json ${EXAMPLES_BASE}/xpaas-streams/ find application-templates-${XPAAS_VERSION}/ -name '*.json' ! -wholename '*secret*' ! -wholename '*demo*' -exec mv {} ${EXAMPLES_BASE}/xpaas-templates/ \; wget https://raw.githubusercontent.com/jboss-fuse/application-templates/master/fis-image-streams.json -O ${EXAMPLES_BASE}/xpaas-streams/fis-image-streams.json - +wget https://raw.githubusercontent.com/redhat-developer/s2i-dotnetcore/master/dotnet_imagestreams.json -O ${EXAMPLES_BASE}/image-streams/dotnet_imagestreams.json wget https://raw.githubusercontent.com/openshift/origin-metrics/master/metrics.yaml -O ${EXAMPLES_BASE}/infrastructure-templates/origin/metrics-deployer.yaml wget https://raw.githubusercontent.com/openshift/origin-metrics/enterprise/metrics.yaml -O ${EXAMPLES_BASE}/infrastructure-templates/enterprise/metrics-deployer.yaml wget https://raw.githubusercontent.com/openshift/origin-aggregated-logging/master/deployer/deployer.yaml -O ${EXAMPLES_BASE}/infrastructure-templates/origin/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.2/image-streams/dotnet_imagestreams.json b/roles/openshift_examples/files/examples/v1.2/image-streams/dotnet_imagestreams.json new file mode 100644 index 000000000..3d7afe4aa --- /dev/null +++ b/roles/openshift_examples/files/examples/v1.2/image-streams/dotnet_imagestreams.json @@ -0,0 +1,36 @@ +{ + "kind": "List", + "apiVersion": "v1", + "metadata": { + "name": "dotnet-image-streams", + "annotations": { + "description": "ImageStream definitions for .Net Core on RHEL" + } + }, + "items": [ + { + "kind": "ImageStream", + "apiVersion": "v1", + "metadata": { + "name": "dotnetcore-10-rhel7" + }, + "spec": { + "dockerImageRepository": "registry.access.redhat.com/dotnet/dotnetcore-10-rhel7", + "tags": [ + { + "name": "1.0", + "annotations": { + "description": ".Net Core 1.0 S2I image.", + "iconClass": "icon-dotnet", + "tags": "builder,.net,dotnet,dotnetcore,rh-dotnetcore10", + "supports":"dotnet:1.0", + "sampleRepo": "https://github.com/redhat-developer/s2i-dotnetcore.git", + "sampleContextDir": "1.0/test/asp-net-hello-world", + "version": "1.0" + } + } + ] + } + } + ] +} diff --git a/roles/openshift_examples/files/examples/v1.3/image-streams/dotnet_imagestreams.json b/roles/openshift_examples/files/examples/v1.3/image-streams/dotnet_imagestreams.json new file mode 100644 index 000000000..3d7afe4aa --- /dev/null +++ b/roles/openshift_examples/files/examples/v1.3/image-streams/dotnet_imagestreams.json @@ -0,0 +1,36 @@ +{ + "kind": "List", + "apiVersion": "v1", + "metadata": { + "name": "dotnet-image-streams", + "annotations": { + "description": "ImageStream definitions for .Net Core on RHEL" + } + }, + "items": [ + { + "kind": "ImageStream", + "apiVersion": "v1", + "metadata": { + "name": "dotnetcore-10-rhel7" + }, + "spec": { + "dockerImageRepository": "registry.access.redhat.com/dotnet/dotnetcore-10-rhel7", + "tags": [ + { + "name": "1.0", + "annotations": { + "description": ".Net Core 1.0 S2I image.", + "iconClass": "icon-dotnet", + "tags": "builder,.net,dotnet,dotnetcore,rh-dotnetcore10", + "supports":"dotnet:1.0", + "sampleRepo": "https://github.com/redhat-developer/s2i-dotnetcore.git", + "sampleContextDir": "1.0/test/asp-net-hello-world", + "version": "1.0" + } + } + ] + } + } + ] +} diff --git a/roles/openshift_examples/tasks/main.yml b/roles/openshift_examples/tasks/main.yml index d80e7f086..4150fabec 100644 --- a/roles/openshift_examples/tasks/main.yml +++ b/roles/openshift_examples/tasks/main.yml @@ -49,8 +49,10 @@ # RHEL and Centos image streams are mutually exclusive - name: Import RHEL streams command: > - {{ openshift.common.client_binary }} {{ openshift_examples_import_command }} -n openshift -f {{ rhel_image_streams }} + {{ openshift.common.client_binary }} {{ openshift_examples_import_command }} -n openshift -f {{ item }} when: openshift_examples_load_rhel | bool + with_items: + - "{{ rhel_image_streams }}" register: oex_import_rhel_streams failed_when: "'already exists' not in oex_import_rhel_streams.stderr and oex_import_rhel_streams.rc != 0" changed_when: false @@ -100,12 +102,15 @@ path: "{{ item }}" state: absent with_items: - - "{{ xpaas_templates }}/sso70-basic.json" + - "{{ xpaas_templates_base }}/sso70-basic.json" - name: Remove old xPaas templates from openshift namespace - command: oc delete -n openshift {{ item }} + command: "{{ openshift.common.client_binary }} -n openshift delete templates/{{ item }}" with_items: - sso70-basic + register: oex_delete_old_xpaas_templates + failed_when: "'not found' not in oex_delete_old_xpaas_templates.stderr and oex_delete_old_xpaas_templates.rc != 0" + changed_when: false - name: Import xPaas image streams command: > diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml index c7d20f88b..74c50ae1d 100644 --- a/roles/openshift_hosted/meta/main.yml +++ b/roles/openshift_hosted/meta/main.yml @@ -11,27 +11,4 @@ galaxy_info: - 7 categories: - cloud -dependencies: -- role: openshift_cli -- role: openshift_hosted_facts -- role: openshift_projects - # TODO: Move standard project definitions to openshift_hosted/vars/main.yml - # Vars are not accessible in meta/main.yml in ansible-1.9.x - openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" -- role: openshift_serviceaccounts - openshift_serviceaccounts_names: - - router - openshift_serviceaccounts_namespace: default - openshift_serviceaccounts_sccs: - - hostnetwork - when: openshift.common.version_gte_3_2_or_1_2 -- role: openshift_serviceaccounts - openshift_serviceaccounts_names: - - router - - registry - openshift_serviceaccounts_namespace: default - openshift_serviceaccounts_sccs: - - privileged - when: not openshift.common.version_gte_3_2_or_1_2 -- role: openshift_metrics - when: openshift.hosted.metrics.deploy | bool +dependencies: [] diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml index 08c7e944e..fc037ceda 100644 --- a/roles/openshift_hosted/tasks/registry/registry.yml +++ b/roles/openshift_hosted/tasks/registry/registry.yml @@ -4,12 +4,12 @@ {{ openshift.common.client_binary }} --api-version='v1' -o json get nodes -n default --config={{ openshift_hosted_kubeconfig }} --selector={{ openshift.hosted.registry.selector | default('') }} - register: openshift_hosted_registry_nodes_json + register: registry_nodes_json changed_when: false when: openshift.hosted.registry.replicas | default(none) is none - set_fact: - l_node_count: "{{ (openshift_hosted_registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}" + l_node_count: "{{ (registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}" # Determine the default number of registry/router replicas to use if no count # has been specified. diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml index d0a129c95..e18b9781c 100644 --- a/roles/openshift_hosted/tasks/router/router.yml +++ b/roles/openshift_hosted/tasks/router/router.yml @@ -39,12 +39,12 @@ {{ openshift.common.client_binary }} --api-version='v1' -o json get nodes -n default --config={{ openshift_hosted_kubeconfig }} --selector={{ openshift.hosted.router.selector | default('') }} - register: openshift_hosted_router_nodes_json + register: router_nodes_json changed_when: false when: openshift.hosted.router.replicas | default(none) is none - set_fact: - replicas: "{{ openshift.hosted.router.replicas | default((openshift_hosted_router_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length) }}" + replicas: "{{ openshift.hosted.router.replicas | default((router_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length) }}" - name: Create OpenShift router command: > diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index f7dfb11f7..edb7369de 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml @@ -17,7 +17,12 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index be70d9102..a2f665702 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -11,32 +11,4 @@ galaxy_info: - 7 categories: - cloud -dependencies: -- role: openshift_clock -- role: openshift_master_certificates -- role: openshift_cloud_provider -- role: openshift_builddefaults -- role: openshift_master_facts -- role: openshift_hosted_facts -- role: os_firewall - os_firewall_allow: - - service: etcd embedded - port: 4001/tcp - - service: api server https - port: "{{ openshift.master.api_port }}/tcp" - - service: api controllers https - port: "{{ openshift.master.controllers_port }}/tcp" - - service: skydns tcp - port: "{{ openshift.master.dns_port }}/tcp" - - service: skydns udp - port: "{{ openshift.master.dns_port }}/udp" - - service: Fluentd td-agent tcp - port: 24224/tcp - - service: Fluentd td-agent udp - port: 24224/udp - - service: pcsd - port: 2224/tcp - - service: Corosync UDP - port: 5404/udp - - service: Corosync UDP - port: 5405/udp +dependencies: [] diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 115a64aeb..e1efb4c2b 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -224,7 +224,12 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index b18a42e32..662f23aa3 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -156,7 +156,11 @@ oauthConfig: {% for line in translated_identity_providers.splitlines() %} {{ line }} {% endfor %} - masterCA: ca.crt +{% if openshift.common.version_gte_3_2_or_1_2 | bool %} + masterCA: ca-bundle.crt +{% else %} + masterCA: ca.rt +{% endif %} masterPublicURL: {{ openshift.master.public_api_url }} masterURL: {{ openshift.master.api_url }} sessionConfig: @@ -189,7 +193,11 @@ serviceAccountConfig: - default - builder - deployer - masterCA: ca.crt +{% if openshift.common.version_gte_3_2_or_1_2 | bool %} + masterCA: ca-bundle.crt +{% else %} + masterCA: ca.rt +{% endif %} privateKeyFile: serviceaccounts.private.key publicKeyFiles: - serviceaccounts.public.key @@ -201,7 +209,7 @@ servingInfo: keyFile: master.server.key maxRequestsInFlight: {{ openshift.master.max_requests_inflight }} requestTimeoutSeconds: 3600 -{% if openshift.master.named_certificates %} +{% if openshift.master.named_certificates | default([]) | length > 0 %} namedCertificates: {% for named_certificate in openshift.master.named_certificates %} - certFile: {{ named_certificate['certfile'] }} diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml index dd19c8ded..018186e86 100644 --- a/roles/openshift_master_certificates/meta/main.yml +++ b/roles/openshift_master_certificates/meta/main.yml @@ -13,4 +13,5 @@ galaxy_info: - cloud - system dependencies: +- role: openshift_master_facts - role: openshift_ca diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 6fb5830cf..9ed082d9f 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -49,11 +49,14 @@ - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ openshift.common.all_hostnames | join(',') }} - --master={{ openshift.master.api_url }} - --public-master={{ openshift.master.public_api_url }} - --cert-dir={{ openshift_master_generated_config_dir }} - --overwrite=false + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + --hostnames={{ openshift.common.all_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_master_generated_config_dir }} + --overwrite=false when: master_certs_missing | bool delegate_to: "{{ openshift_ca_host }}" diff --git a/roles/openshift_named_certificates/README.md b/roles/openshift_named_certificates/README.md new file mode 100644 index 000000000..41f895813 --- /dev/null +++ b/roles/openshift_named_certificates/README.md @@ -0,0 +1,32 @@ +OpenShift Named Certificates +============================ + +TODO + +Requirements +------------ + +Role Variables +-------------- + +TODO + +Dependencies +------------ + +TODO + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License Version 2.0 + +Author Information +------------------ + +Andrew Butcher <abutcher@redhat.com> diff --git a/roles/openshift_etcd_certificates/meta/main.yml b/roles/openshift_named_certificates/meta/main.yml index 2725fdb51..2c6e12494 100644 --- a/roles/openshift_etcd_certificates/meta/main.yml +++ b/roles/openshift_named_certificates/meta/main.yml @@ -1,16 +1,16 @@ --- galaxy_info: author: Andrew Butcher - description: OpenShift etcd Certificates + description: OpenShift Named Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.1 platforms: - name: EL versions: - 7 categories: - cloud + - system dependencies: -- role: openshift_etcd_facts -- role: etcd_certificates +- role: openshift_facts diff --git a/roles/openshift_named_certificates/tasks/main.yml b/roles/openshift_named_certificates/tasks/main.yml new file mode 100644 index 000000000..7f20cf401 --- /dev/null +++ b/roles/openshift_named_certificates/tasks/main.yml @@ -0,0 +1,46 @@ +--- +- set_fact: + parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certs_dir, internal_hostnames) }}" + when: named_certificates | length > 0 + delegate_to: localhost + become: no + run_once: true + +- openshift_facts: + role: master + local_facts: + named_certificates: "{{ parsed_named_certificates | default([]) }}" + additive_facts_to_overwrite: + - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}" + +- name: Clear named certificates + file: + path: "{{ named_certs_dir }}" + state: absent + when: overwrite_named_certs | bool + +- name: Ensure named certificate directory exists + file: + path: "{{ named_certs_dir }}" + state: directory + mode: 0700 + +- name: Land named certificates + copy: + src: "{{ item.certfile }}" + dest: "{{ named_certs_dir }}" + with_items: "{{ named_certificates }}" + +- name: Land named certificate keys + copy: + src: "{{ item.keyfile }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ named_certificates }}" + +- name: Land named CA certificates + copy: + src: "{{ item }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ named_certificates | oo_collect('cafile') }}" diff --git a/roles/openshift_named_certificates/tasks/named_certificates.yml b/roles/openshift_named_certificates/tasks/named_certificates.yml new file mode 100644 index 000000000..7b097b443 --- /dev/null +++ b/roles/openshift_named_certificates/tasks/named_certificates.yml @@ -0,0 +1,32 @@ +--- +- name: Clear named certificates + file: + path: "{{ named_certs_dir }}" + state: absent + when: overwrite_named_certs | bool + +- name: Ensure named certificate directory exists + file: + path: "{{ named_certs_dir }}" + state: directory + mode: 0700 + +- name: Land named certificates + copy: + src: "{{ item.certfile }}" + dest: "{{ named_certs_dir }}" + with_items: "{{ openshift_master_named_certificates | default([]) }}" + +- name: Land named certificate keys + copy: + src: "{{ item.keyfile }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ openshift_master_named_certificates | default([]) }}" + +- name: Land named CA certificates + copy: + src: "{{ item }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ openshift_master_named_certificates | default([]) | oo_collect('cafile') }}" diff --git a/roles/openshift_named_certificates/vars/main.yml b/roles/openshift_named_certificates/vars/main.yml new file mode 100644 index 000000000..368e9bdac --- /dev/null +++ b/roles/openshift_named_certificates/vars/main.yml @@ -0,0 +1,11 @@ +--- +openshift_ca_config_dir: "{{ openshift.common.config_base }}/master" +openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt" +openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key" +openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt" +openshift_version: "{{ openshift_pkg_version | default('') }}" + +overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}" +named_certs_dir: "{{ openshift.common.config_base }}/master/named_certificates/" +internal_hostnames: "{{ openshift.common.internal_hostnames }}" +named_certificates: "{{ openshift_master_named_certificates | default([]) }}" diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index fd493340b..c39269f33 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -11,26 +11,4 @@ galaxy_info: - 7 categories: - cloud -dependencies: -- role: openshift_clock -- role: openshift_docker -- role: openshift_node_certificates -- role: openshift_cloud_provider -- role: openshift_common -- role: openshift_node_dnsmasq - when: openshift.common.use_dnsmasq -- role: os_firewall - os_firewall_allow: - - service: Kubernetes kubelet - port: 10250/tcp - - service: http - port: 80/tcp - - service: https - port: 443/tcp - - service: Openshift kubelet ReadOnlyPort - port: 10255/tcp - - service: Openshift kubelet ReadOnlyPort udp - port: 10255/udp - - service: OpenShift OVS sdn - port: 4789/udp - when: openshift.node.use_openshift_sdn | bool +dependencies: [] diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 0e69dc6f0..8768fb0c2 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -42,6 +42,9 @@ - name: Generate the node client config command: > {{ openshift.common.admin_binary }} create-api-client-config + {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} --certificate-authority={{ openshift_ca_cert }} --client-dir={{ openshift_node_generated_config_dir }} --groups=system:nodes diff --git a/utils/src/ooinstall/cli_installer.py b/utils/src/ooinstall/cli_installer.py index 9fbb61a46..51c4c2def 100644 --- a/utils/src/ooinstall/cli_installer.py +++ b/utils/src/ooinstall/cli_installer.py @@ -121,7 +121,7 @@ http://docs.openshift.com/enterprise/latest/architecture/infrastructure_componen click.echo(message) hosts = [] - roles = set(['master', 'node', 'storage']) + roles = set(['master', 'node', 'storage', 'etcd']) more_hosts = True num_masters = 0 while more_hosts: @@ -133,6 +133,7 @@ http://docs.openshift.com/enterprise/latest/architecture/infrastructure_componen if not masters_set: if click.confirm('Will this host be an OpenShift Master?'): host_props['roles'].append('master') + host_props['roles'].append('etcd') num_masters += 1 if oo_cfg.settings['variant_version'] == '3.0': @@ -827,21 +828,25 @@ def uninstall(ctx): oo_cfg = ctx.obj['oo_cfg'] verbose = ctx.obj['verbose'] - if len(oo_cfg.deployment.hosts) == 0: + if hasattr(oo_cfg, 'deployment'): + hosts = oo_cfg.deployment.hosts + elif hasattr(oo_cfg, 'hosts'): + hosts = oo_cfg.hosts + else: click.echo("No hosts defined in: %s" % oo_cfg.config_path) sys.exit(1) click.echo("OpenShift will be uninstalled from the following hosts:\n") if not ctx.obj['unattended']: # Prompt interactively to confirm: - for host in oo_cfg.deployment.hosts: + for host in hosts: click.echo(" * %s" % host.connect_to) proceed = click.confirm("\nDo you wish to proceed?") if not proceed: click.echo("Uninstall cancelled.") sys.exit(0) - openshift_ansible.run_uninstall_playbook(verbose) + openshift_ansible.run_uninstall_playbook(hosts, verbose) @click.command() diff --git a/utils/src/ooinstall/oo_config.py b/utils/src/ooinstall/oo_config.py index e37892c9b..69ad2b4c5 100644 --- a/utils/src/ooinstall/oo_config.py +++ b/utils/src/ooinstall/oo_config.py @@ -17,11 +17,9 @@ CONFIG_PERSIST_SETTINGS = [ 'variant_version', ] -DEPLOYMENT_PERSIST_SETTINGS = [ - 'master_routingconfig_subdomain', - 'proxy_http', - 'proxy_https', - 'proxy_exclude_hosts', +DEPLOYMENT_VARIABLES_BLACKLIST = [ + 'hosts', + 'roles', ] DEFAULT_REQUIRED_FACTS = ['ip', 'public_ip', 'hostname', 'public_hostname'] @@ -191,10 +189,11 @@ class OOConfig(object): except KeyError: continue - for setting in DEPLOYMENT_PERSIST_SETTINGS: + for setting in loaded_config['deployment']: try: - self.deployment.variables[setting] = \ - str(loaded_config['deployment'][setting]) + if setting not in DEPLOYMENT_VARIABLES_BLACKLIST: + self.deployment.variables[setting] = \ + str(loaded_config['deployment'][setting]) except KeyError: continue @@ -306,21 +305,20 @@ class OOConfig(object): if setting in self.settings and self.settings[setting]: p_settings[setting] = self.settings[setting] - p_settings['deployment'] = {} p_settings['deployment']['hosts'] = [] p_settings['deployment']['roles'] = {} - for setting in DEPLOYMENT_PERSIST_SETTINGS: - if setting in self.deployment.variables: - p_settings['deployment'][setting] = self.deployment.variables[setting] - for host in self.deployment.hosts: p_settings['deployment']['hosts'].append(host.to_dict()) for name, role in self.deployment.roles.iteritems(): p_settings['deployment']['roles'][name] = role.variables + for setting in self.deployment.variables: + if setting not in DEPLOYMENT_VARIABLES_BLACKLIST: + p_settings['deployment'][setting] = self.deployment.variables[setting] + try: p_settings['variant'] = self.settings['variant'] p_settings['variant_version'] = self.settings['variant_version'] diff --git a/utils/src/ooinstall/openshift_ansible.py b/utils/src/ooinstall/openshift_ansible.py index bcf06b599..f1e03f8f2 100644 --- a/utils/src/ooinstall/openshift_ansible.py +++ b/utils/src/ooinstall/openshift_ansible.py @@ -1,5 +1,3 @@ -# TODO: Temporarily disabled due to importing old code into openshift-ansible -# repo. We will work on these over time. # pylint: disable=bad-continuation,missing-docstring,no-self-use,invalid-name,global-statement,global-variable-not-assigned import socket @@ -14,7 +12,9 @@ CFG = None ROLES_TO_GROUPS_MAP = { 'master': 'masters', 'node': 'nodes', - 'storage': 'nfs' + 'etcd': 'etcd', + 'storage': 'nfs', + 'master_lb': 'lb' } VARIABLES_MAP = { @@ -34,75 +34,52 @@ def set_config(cfg): def generate_inventory(hosts): global CFG + masters = [host for host in hosts if host.is_master()] - nodes = [host for host in hosts if host.is_node()] - new_nodes = [host for host in hosts if host.is_node() and host.new_host] - proxy = determine_proxy_configuration(hosts) - storage = determine_storage_configuration(hosts) multiple_masters = len(masters) > 1 + + new_nodes = [host for host in hosts if host.is_node() and host.new_host] scaleup = len(new_nodes) > 0 + lb = determine_lb_configuration(hosts) + base_inventory_path = CFG.settings['ansible_inventory_path'] base_inventory = open(base_inventory_path, 'w') - write_inventory_children(base_inventory, multiple_masters, proxy, scaleup) - - write_inventory_vars(base_inventory, multiple_masters, proxy) - - - - base_inventory.write('\n[masters]\n') - for master in masters: - write_host(master, base_inventory) - - if len(masters) > 1: - base_inventory.write('\n[etcd]\n') - for master in masters: - write_host(master, base_inventory) - - base_inventory.write('\n[nodes]\n') + write_inventory_children(base_inventory, scaleup) - for node in nodes: - # Let the fact defaults decide if we're not a master: - schedulable = None + write_inventory_vars(base_inventory, multiple_masters, lb) - # If the node is also a master, we must explicitly set schedulablity: - if node.is_master(): - schedulable = node.is_schedulable_node(hosts) - write_host(node, base_inventory, schedulable) - - if not getattr(proxy, 'preconfigured', True): - base_inventory.write('\n[lb]\n') - write_host(proxy, base_inventory) + #write_inventory_hosts + for role in CFG.deployment.roles: + # write group block + group = ROLES_TO_GROUPS_MAP.get(role, role) + base_inventory.write("\n[{}]\n".format(group)) + # write each host + group_hosts = [host for host in hosts if role in host.roles] + for host in group_hosts: + schedulable = host.is_schedulable_node(hosts) + write_host(host, role, base_inventory, schedulable) if scaleup: base_inventory.write('\n[new_nodes]\n') for node in new_nodes: - write_host(node, base_inventory) - - if storage: - base_inventory.write('\n[nfs]\n') - write_host(storage, base_inventory) + write_host(node, 'new_nodes', base_inventory) base_inventory.close() return base_inventory_path -def determine_proxy_configuration(hosts): - proxy = next((host for host in hosts if host.is_master_lb()), None) - if proxy: - if proxy.hostname == None: - proxy.hostname = proxy.connect_to - proxy.public_hostname = proxy.connect_to +def determine_lb_configuration(hosts): + lb = next((host for host in hosts if host.is_master_lb()), None) + if lb: + if lb.hostname == None: + lb.hostname = lb.connect_to + lb.public_hostname = lb.connect_to - return proxy + return lb -def determine_storage_configuration(hosts): - storage = next((host for host in hosts if host.is_storage()), None) - - return storage - -def write_inventory_children(base_inventory, multiple_masters, proxy, scaleup): +def write_inventory_children(base_inventory, scaleup): global CFG base_inventory.write('\n[OSEv3:children]\n') @@ -112,13 +89,10 @@ def write_inventory_children(base_inventory, multiple_masters, proxy, scaleup): if scaleup: base_inventory.write('new_nodes\n') - if multiple_masters: - base_inventory.write('etcd\n') - if not getattr(proxy, 'preconfigured', True): - base_inventory.write('lb\n') + # pylint: disable=too-many-branches -def write_inventory_vars(base_inventory, multiple_masters, proxy): +def write_inventory_vars(base_inventory, multiple_masters, lb): global CFG base_inventory.write('\n[OSEv3:vars]\n') @@ -135,11 +109,11 @@ def write_inventory_vars(base_inventory, multiple_masters, proxy): if CFG.settings['ansible_ssh_user'] != 'root': base_inventory.write('ansible_become=yes\n') - if multiple_masters and proxy is not None: + if multiple_masters and lb is not None: base_inventory.write('openshift_master_cluster_method=native\n') - base_inventory.write("openshift_master_cluster_hostname={}\n".format(proxy.hostname)) + base_inventory.write("openshift_master_cluster_hostname={}\n".format(lb.hostname)) base_inventory.write( - "openshift_master_cluster_public_hostname={}\n".format(proxy.public_hostname)) + "openshift_master_cluster_public_hostname={}\n".format(lb.public_hostname)) if CFG.settings.get('variant_version', None) == '3.1': #base_inventory.write('openshift_image_tag=v{}\n'.format(CFG.settings.get('variant_version'))) @@ -195,9 +169,12 @@ def write_proxy_settings(base_inventory): # pylint: disable=too-many-branches -def write_host(host, inventory, schedulable=None): +def write_host(host, role, inventory, schedulable=None): global CFG + if host.preconfigured: + return + facts = '' if host.ip: facts += ' openshift_ip={}'.format(host.ip) @@ -215,14 +192,13 @@ def write_host(host, inventory, schedulable=None): if host.node_labels: facts += ' openshift_node_labels="{}"'.format(host.node_labels) + # Distinguish between three states, no schedulability specified (use default), # explicitly set to True, or explicitly set to False: - if schedulable is None: + if role != 'node' or schedulable is None: pass - elif schedulable: - facts += ' openshift_schedulable=True' - elif not schedulable: - facts += ' openshift_schedulable=False' + else: + facts += " openshift_schedulable={}".format(schedulable) installer_host = socket.gethostname() if installer_host in [host.connect_to, host.hostname, host.public_hostname]: @@ -303,10 +279,10 @@ def run_ansible(playbook, inventory, env_vars, verbose=False): return subprocess.call(args, env=env_vars) -def run_uninstall_playbook(verbose=False): +def run_uninstall_playbook(hosts, verbose=False): playbook = os.path.join(CFG.settings['ansible_playbook_directory'], 'playbooks/adhoc/uninstall.yml') - inventory_file = generate_inventory(CFG.hosts) + inventory_file = generate_inventory(hosts) facts_env = os.environ.copy() if 'ansible_log_path' in CFG.settings: facts_env['ANSIBLE_LOG_PATH'] = CFG.settings['ansible_log_path'] diff --git a/utils/src/ooinstall/variants.py b/utils/src/ooinstall/variants.py index 8889e42e6..2397ee9cc 100644 --- a/utils/src/ooinstall/variants.py +++ b/utils/src/ooinstall/variants.py @@ -37,15 +37,6 @@ class Variant(object): OSE = Variant('openshift-enterprise', 'OpenShift Enterprise', [ Version('3.2', 'openshift-enterprise'), - Version('3.1', 'openshift-enterprise'), - Version('3.0', 'enterprise') - ] -) - -AEP = Variant('atomic-enterprise', 'Atomic Enterprise Platform', - [ - Version('3.2', 'atomic-enterprise'), - Version('3.1', 'atomic-enterprise') ] ) @@ -56,8 +47,8 @@ origin = Variant('origin', 'OpenShift Origin', ) # Ordered list of variants we can install, first is the default. -SUPPORTED_VARIANTS = (OSE, AEP, origin) -DISPLAY_VARIANTS = (OSE, AEP) +SUPPORTED_VARIANTS = (OSE, origin) +DISPLAY_VARIANTS = (OSE, ) def find_variant(name, version=None): """ diff --git a/utils/test/cli_installer_tests.py b/utils/test/cli_installer_tests.py index 13973f22f..3044a2449 100644 --- a/utils/test/cli_installer_tests.py +++ b/utils/test/cli_installer_tests.py @@ -573,7 +573,7 @@ class UnattendedCliTests(OOCliFixture): run_playbook_mock.return_value = 0 config = SAMPLE_CONFIG % 'openshift-enterprise' - config = '%s\n%s' % (config, 'variant_version: 3.0') + config = '%s\n%s' % (config, 'variant_version: 3.2') config_file = self.write_config(os.path.join(self.work_dir, 'ooinstall.conf'), config) @@ -586,11 +586,11 @@ class UnattendedCliTests(OOCliFixture): self.assertEquals('openshift-enterprise', written_config['variant']) # Make sure our older version was preserved: # and written to disk: - self.assertEquals('3.0', written_config['variant_version']) + self.assertEquals('3.2', written_config['variant_version']) inventory = ConfigParser.ConfigParser(allow_no_value=True) inventory.read(os.path.join(self.work_dir, 'hosts')) - self.assertEquals('enterprise', + self.assertEquals('openshift-enterprise', inventory.get('OSEv3:vars', 'deployment_type')) @patch('ooinstall.openshift_ansible.run_ansible') @@ -815,9 +815,9 @@ class AttendedCliTests(OOCliFixture): self.assert_inventory_host_var(inventory, 'nodes', '10.0.0.1', 'openshift_schedulable=False') self.assert_inventory_host_var_unset(inventory, 'nodes', '10.0.0.2', - 'openshift_schedulable') + 'openshift_schedulable=True') self.assert_inventory_host_var_unset(inventory, 'nodes', '10.0.0.3', - 'openshift_schedulable') + 'openshift_schedulable=True') # interactive with config file and some installed some uninstalled hosts @patch('ooinstall.openshift_ansible.run_main_playbook') @@ -939,7 +939,7 @@ class AttendedCliTests(OOCliFixture): self.assert_inventory_host_var(inventory, 'nodes', '10.0.0.3', 'openshift_schedulable=False') self.assert_inventory_host_var_unset(inventory, 'nodes', '10.0.0.4', - 'openshift_schedulable') + 'openshift_schedulable=True') self.assertTrue(inventory.has_section('etcd')) self.assertEquals(3, len(inventory.items('etcd'))) @@ -1068,26 +1068,6 @@ class AttendedCliTests(OOCliFixture): self.assert_inventory_host_var(inventory, 'nodes', '10.0.0.1', 'openshift_schedulable=True') - #interactive 3.0 install confirm no HA hints - @patch('ooinstall.openshift_ansible.run_main_playbook') - @patch('ooinstall.openshift_ansible.load_system_facts') - def test_ha_hint(self, load_facts_mock, run_playbook_mock): - load_facts_mock.return_value = (MOCK_FACTS, 0) - run_playbook_mock.return_value = 0 - - cli_input = build_input(hosts=[ - ('10.0.0.1', True, False)], - ssh_user='root', - variant_num=3, - confirm_facts='y', - storage='10.1.0.1',) - self.cli_args.append("install") - result = self.runner.invoke(cli.cli, self.cli_args, - input=cli_input) - self.assert_result(result, 0) - print result.output - self.assertTrue("NOTE: Add a total of 3 or more Masters to perform an HA installation." - not in result.output) @patch('ooinstall.openshift_ansible.run_main_playbook') @patch('ooinstall.openshift_ansible.load_system_facts') @@ -1122,9 +1102,9 @@ class AttendedCliTests(OOCliFixture): self.assert_inventory_host_var(inventory, 'nodes', '10.0.0.1', 'openshift_schedulable=False') self.assert_inventory_host_var_unset(inventory, 'nodes', '10.0.0.2', - 'openshift_schedulable') + 'openshift_schedulable=True') self.assert_inventory_host_var_unset(inventory, 'nodes', '10.0.0.3', - 'openshift_schedulable') + 'openshift_schedulable=True') # TODO: test with config file, attended add node |