diff options
20 files changed, 164 insertions, 61 deletions
diff --git a/files/origin-components/apiserver-template.yaml b/files/origin-components/apiserver-template.yaml index 1b42597af..035e4734b 100644 --- a/files/origin-components/apiserver-template.yaml +++ b/files/origin-components/apiserver-template.yaml @@ -15,6 +15,8 @@ parameters: apiVersion: config.templateservicebroker.openshift.io/v1 templateNamespaces: - openshift +- name: NODE_SELECTOR + value: "{}" objects: # to create the tsb server @@ -59,6 +61,7 @@ objects: path: /healthz port: 8443 scheme: HTTPS + nodeSelector: "${{NODE_SELECTOR}}" volumes: - name: serving-cert secret: diff --git a/playbooks/byo/rhel_subscribe.yml b/playbooks/byo/rhel_subscribe.yml index 5a877809a..3cb11a457 100644 --- a/playbooks/byo/rhel_subscribe.yml +++ b/playbooks/byo/rhel_subscribe.yml @@ -8,6 +8,7 @@ when: - deployment_type == 'openshift-enterprise' - ansible_distribution == "RedHat" - - lookup('env', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false'] + - rhsub_user | default(False) + - rhsub_pass | default(False) - role: openshift_repos - role: os_update_latest diff --git a/playbooks/init/main.yml b/playbooks/init/main.yml index b2b972a7d..06e8ba504 100644 --- a/playbooks/init/main.yml +++ b/playbooks/init/main.yml @@ -23,8 +23,6 @@ - import_playbook: validate_hostnames.yml when: not (skip_validate_hostnames | default(False)) -- import_playbook: repos.yml - - import_playbook: version.yml when: not (skip_verison | default(False)) diff --git a/playbooks/init/repos.yml b/playbooks/init/repos.yml index 4967b8f13..048b09e60 100644 --- a/playbooks/init/repos.yml +++ b/playbooks/init/repos.yml @@ -9,8 +9,8 @@ when: - ansible_distribution == 'RedHat' - deployment_type == 'openshift-enterprise' - - (rhel_subscription_user or rhsub_user) is defined - - (rhel_subscription_password or rhsub_pass) is defined + - rhsub_user | default(False) + - rhsub_pass | default(False) - name: initialize openshift repos include_role: name: openshift_repos diff --git a/playbooks/init/validate_hostnames.yml b/playbooks/init/validate_hostnames.yml index be2e6a15a..86e0b2416 100644 --- a/playbooks/init/validate_hostnames.yml +++ b/playbooks/init/validate_hostnames.yml @@ -1,6 +1,7 @@ --- - name: Validate node hostnames hosts: oo_nodes_to_config + any_errors_fatal: true tasks: - name: Query DNS for IP address of {{ openshift.common.hostname }} shell: @@ -8,16 +9,35 @@ register: lookupip changed_when: false failed_when: false - - name: Warn user about bad openshift_hostname values - pause: - prompt: + + - name: Validate openshift_hostname when defined + fail: + msg: > The hostname {{ openshift.common.hostname }} for {{ ansible_nodename }} doesn't resolve to an IP address owned by this host. Please set openshift_hostname variable to a hostname that when resolved on the host - in question resolves to an IP address matching an interface on this - host. This host will fail liveness checks for pods utilizing hostPorts, - press ENTER to continue or CTRL-C to abort. - seconds: "{{ 10 if openshift_override_hostname_check | default(false) | bool else omit }}" + in question resolves to an IP address matching an interface on this host. + This will ensure proper functionality of OpenShift networking features. + Inventory setting: openshift_hostname={{ openshift_hostname }} + This check can be overridden by setting openshift_hostname_check=false in + the inventory. + See https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-host-variables when: - lookupip.stdout != '127.0.0.1' - lookupip.stdout not in ansible_all_ipv4_addresses + - openshift_hostname_check | default(true) + + - name: Validate openshift_ip exists on node when defined + fail: + msg: > + The IP address {{ openshift_ip }} does not exist on {{ ansible_nodename }}. + Please set the openshift_ip variable to an IP address of this node. + This will ensure proper functionality of OpenShift networking features. + Inventory setting: openshift_ip={{ openshift_ip }} + This check can be overridden by setting openshift_ip_check=false in + the inventory. + See https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-host-variables + when: + - openshift_ip is defined + - openshift_ip not in ansible_all_ipv4_addresses + - openshift_ip_check | default(true) diff --git a/playbooks/openshift-node/private/restart.yml b/playbooks/openshift-node/private/restart.yml index afd1deb60..c2092b23c 100644 --- a/playbooks/openshift-node/private/restart.yml +++ b/playbooks/openshift-node/private/restart.yml @@ -5,6 +5,7 @@ roles: - lib_openshift + - openshift_facts tasks: - name: Restart docker diff --git a/playbooks/prerequisites.yml b/playbooks/prerequisites.yml index 7b7868cfe..5ba62a6d6 100644 --- a/playbooks/prerequisites.yml +++ b/playbooks/prerequisites.yml @@ -3,6 +3,8 @@ vars: skip_verison: True +- import_playbook: init/repos.yml + # This is required for container runtime for crio, only needs to run once. - name: Configure os_firewall hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config:oo_nfs_to_config:oo_nodes_to_config diff --git a/roles/openshift_logging_elasticsearch/handlers/main.yml b/roles/openshift_logging_elasticsearch/handlers/main.yml new file mode 100644 index 000000000..fa56897d0 --- /dev/null +++ b/roles/openshift_logging_elasticsearch/handlers/main.yml @@ -0,0 +1,13 @@ +--- +- name: "Restarting logging-{{ _cluster_component }} cluster" + listen: "restart elasticsearch" + include_tasks: restart_cluster.yml + with_items: "{{ _restart_logging_components }}" + loop_control: + loop_var: _cluster_component + when: not logging_elasticsearch_rollout_override | bool + +## Stop this from running more than once +- set_fact: + logging_elasticsearch_rollout_override: True + listen: "restart elasticsearch" diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index 8f2050043..5fe683ae5 100644 --- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml @@ -204,7 +204,21 @@ from_file: elasticsearch.yml: "{{ tempdir }}/elasticsearch.yml" logging.yml: "{{ tempdir }}/elasticsearch-logging.yml" + register: es_config_creation + notify: "restart elasticsearch" +- when: es_config_creation.changed | bool + block: + - set_fact: + _restart_logging_components: "{{ _restart_logging_components | default([]) + [es_component] | unique }}" + + - shell: > + oc get dc -l component="{{ es_component }}" -n "{{ openshift_logging_elasticsearch_namespace }}" -o name | cut -d'/' -f2 + register: _es_dcs + + - set_fact: + _restart_logging_nodes: "{{ _restart_logging_nodes | default([]) + [_es_dcs.stdout] | unique }}" + when: _es_dcs.stdout != "" # secret - name: Set ES secret @@ -375,6 +389,13 @@ files: - "{{ tempdir }}/templates/logging-es-dc.yml" delete_after: true + register: es_dc_creation + notify: "restart elasticsearch" + +- set_fact: + _restart_logging_components: "{{ _restart_logging_components | default([]) + [es_component] | unique }}" + _restart_logging_nodes: "{{ _restart_logging_nodes | default([]) + [es_deploy_name] | unique }}" + when: es_dc_creation.changed | bool - name: Retrieving the cert to use when generating secrets for the {{ es_component }} component slurp: diff --git a/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml b/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml new file mode 100644 index 000000000..4a32453e3 --- /dev/null +++ b/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml @@ -0,0 +1,35 @@ +--- +## get all pods for the cluster +- command: > + oc get pod -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name} + register: _cluster_pods + +- name: "Disable shard balancing for logging-{{ _cluster_component }} cluster" + command: > + oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_cluster/settings' -d '{ "transient": { "cluster.routing.allocation.enable" : "none" } }' + register: _disable_output + changed_when: "'\"acknowledged\":true' in _disable_output.stdout" + when: _cluster_pods.stdout_lines | count > 0 + +- command: > + oc get dc -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name} + register: _cluster_dcs + +## restart the node if it's dc is in the list of nodes to restart? +- name: "Restart ES node {{ _es_node }}" + include_tasks: restart_es_node.yml + with_items: "{{ _restart_logging_nodes }}" + loop_control: + loop_var: _es_node + when: _es_node in _cluster_dcs.stdout + +## we may need a new first pod to run against -- fetch them all again +- command: > + oc get pod -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name} + register: _cluster_pods + +- name: "Enable shard balancing for logging-{{ _cluster_component }} cluster" + command: > + oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_cluster/settings' -d '{ "transient": { "cluster.routing.allocation.enable" : "all" } }' + register: _enable_output + changed_when: "'\"acknowledged\":true' in _enable_output.stdout" diff --git a/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml b/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml new file mode 100644 index 000000000..b07b232ce --- /dev/null +++ b/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml @@ -0,0 +1,35 @@ +--- +- name: "Rolling out new pod(s) for {{ _es_node }}" + command: > + oc rollout latest {{ _es_node }} -n {{ openshift_logging_elasticsearch_namespace }} + +- name: "Waiting for {{ _es_node }} to finish scaling up" + oc_obj: + state: list + name: "{{ _es_node }}" + namespace: "{{ openshift_logging_elasticsearch_namespace }}" + kind: dc + register: _dc_output + until: + - _dc_output.results.results[0].status is defined + - _dc_output.results.results[0].status.readyReplicas is defined + - _dc_output.results.results[0].status.readyReplicas > 0 + retries: 60 + delay: 30 + +- name: Gettings name(s) of replica pod(s) + command: > + oc get pods -l deploymentconfig={{ _es_node }} -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name} + register: _pods + +- name: "Waiting for ES to be ready for {{ _es_node }}" + shell: > + oc exec "{{ _pod }}" -c elasticsearch -n "{{ openshift_logging_elasticsearch_namespace }}" -- {{ __es_local_curl }} https://localhost:9200/_cat/health | cut -d' ' -f4 + with_items: "{{ _pods.stdout.split(' ') }}" + loop_control: + loop_var: _pod + register: _pod_status + until: _pod_status.stdout in ['green', 'yellow'] + retries: 60 + delay: 5 + changed_when: false diff --git a/roles/openshift_logging_elasticsearch/templates/es.j2 b/roles/openshift_logging_elasticsearch/templates/es.j2 index bf04094a3..cf6ee36bb 100644 --- a/roles/openshift_logging_elasticsearch/templates/es.j2 +++ b/roles/openshift_logging_elasticsearch/templates/es.j2 @@ -17,6 +17,7 @@ spec: logging-infra: "{{logging_component}}" strategy: type: Recreate + triggers: [] template: metadata: name: "{{deploy_name}}" diff --git a/roles/openshift_logging_elasticsearch/vars/main.yml b/roles/openshift_logging_elasticsearch/vars/main.yml index 09e2ee4d0..c8e995146 100644 --- a/roles/openshift_logging_elasticsearch/vars/main.yml +++ b/roles/openshift_logging_elasticsearch/vars/main.yml @@ -5,6 +5,8 @@ __allowed_es_types: ["data-master", "data-client", "master", "client"] __es_log_appenders: ['file', 'console'] __kibana_index_modes: ["unique", "shared_ops"] +__es_local_curl: "curl -s --cacert /etc/elasticsearch/secret/admin-ca --cert /etc/elasticsearch/secret/admin-cert --key /etc/elasticsearch/secret/admin-key" + # TODO: integrate these openshift_master_config_dir: "{{ openshift.common.config_base }}/master" es_node_quorum: "{{ openshift_logging_elasticsearch_replica_count | int/2 + 1 }}" diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2 index 10283316c..c6256cf49 100644 --- a/roles/openshift_logging_fluentd/templates/fluentd.j2 +++ b/roles/openshift_logging_fluentd/templates/fluentd.j2 @@ -130,7 +130,7 @@ spec: containerName: "{{ daemonset_container_name }}" resource: limits.memory - name: "FILE_BUFFER_LIMIT" - value: "{{ openshift_logging_fluentd_file_buffer_limit | default('256i') }}" + value: "{{ openshift_logging_fluentd_file_buffer_limit | default('256Mi') }}" {% if openshift_logging_mux_client_mode is defined and ((openshift_logging_mux_allow_external is defined and openshift_logging_mux_allow_external | bool) or (openshift_logging_use_mux is defined and openshift_logging_use_mux | bool)) %} diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml index 1e6c501bf..db6f23126 100644 --- a/roles/openshift_logging_mux/defaults/main.yml +++ b/roles/openshift_logging_mux/defaults/main.yml @@ -63,4 +63,4 @@ openshift_logging_mux_file_buffer_pvc_access_modes: ['ReadWriteOnce'] openshift_logging_mux_file_buffer_storage_group: '65534' openshift_logging_mux_file_buffer_pvc_prefix: "logging-mux" -openshift_logging_mux_file_buffer_limit: 256Mi +openshift_logging_mux_file_buffer_limit: 2Gi diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index fecec1ccd..2ada20767 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -41,8 +41,8 @@ when: - ansible_distribution == 'RedHat' - deployment_type == 'openshift-enterprise' - - (rhel_subscription_user or rhsub_user) is defined - - (rhel_subscription_password or rhsub_pass) is defined + - rhsub_user is defined + - rhsub_password is defined - include_tasks: centos_repos.yml when: diff --git a/roles/rhel_subscribe/tasks/main.yml b/roles/rhel_subscribe/tasks/main.yml index d283596e5..e7eb6c572 100644 --- a/roles/rhel_subscribe/tasks/main.yml +++ b/roles/rhel_subscribe/tasks/main.yml @@ -1,22 +1,8 @@ --- -- set_fact: - rhel_subscription_pass: "{{ lookup('env', 'rhel_subscription_pass') | default(rhsub_pass | default(omit, True)) }}" - rhel_subscription_pool: "{{ lookup('env', 'rhel_subscription_pool') | default(rhsub_pool | default('Red Hat OpenShift Container Platform, Premium*')) }}" - rhel_subscription_user: "{{ lookup('env', 'rhel_subscription_user') | default(rhsub_user | default(omit, True)) }}" - rhel_subscription_server: "{{ lookup('env', 'rhel_subscription_server') | default(rhsub_server | default(omit, True)) }}" - - fail: msg: "This role is only supported for Red Hat hosts" when: ansible_distribution != 'RedHat' -- fail: - msg: The rhel_subscription_user variable is required for this role. - when: rhel_subscription_user is not defined or not rhsub_user is not defined - -- fail: - msg: The rhel_subscription_pass variable is required for this role. - when: rhel_subscription_pass is not defined or not rhsub_pass is not defined - - name: Install Red Hat Subscription manager yum: name: subscription-manager @@ -25,21 +11,18 @@ until: result is succeeded - name: Is host already registered? - command: bash -c "subscription-manager version" + command: "subscription-manager version" register: rh_subscribed - changed_when: "'not registered' in rh_subscribed.stdout" - ignore_errors: yes + changed_when: False - name: Register host redhat_subscription: - username: "{{ rhel_subscription_user }}" - password: "{{ rhel_subscription_pass }}" + username: "{{ rhsub_user }}" + password: "{{ rhsub_pass }}" register: rh_subscription until: rh_subscription is succeeded when: - "'not registered' in rh_subscribed.stdout" - - rhel_subscription_user is defined - - rhel_subscription_pass is defined - fail: msg: 'Unable to register host with Red Hat Subscription Manager' @@ -48,34 +31,18 @@ - rh_subscription.failed - name: Determine if OpenShift Pool Already Attached - command: bash -c "subscription-manager list --consumed --pool-only --matches '*OpenShift*' | grep {{ rhel_subscription_pool }}" + command: "subscription-manager list --consumed --pool-only --matches '*OpenShift*'" register: openshift_pool_attached - changed_when: rhel_subscription_pool not in openshift_pool_attached.stdout - failed_when: openshift_pool_attached.rc == 2 + changed_when: False ignore_errors: yes -- name: Retrieve the OpenShift Pool ID - command: bash -c "subscription-manager list --available --pool-only --matches '*OpenShift*' | grep {{ rhel_subscription_pool }}" - register: openshift_pool_retrieve - changed_when: rhel_subscription_pool in openshift_pool_retrieve.stdout - when: rhel_subscription_pool not in openshift_pool_attached.stdout - ignore_errors: yes - -- fail: - msg: "Unable to find pool matching {{ rhel_subscription_pool }} in available pools" - when: - - rhel_subscription_pool not in openshift_pool_attached.stdout - - rhel_subscription_pool not in openshift_pool_retrieve.stdout - - name: Attach to OpenShift Pool - command: bash -c "subscription-manager attach --pool {{ rhel_subscription_pool }}" + command: "subscription-manager attach --pool {{ rhsub_pool }}" register: openshift_pool_attached changed_when: "'Successfully attached a subscription' in openshift_pool_attached.stdout" - when: rhel_subscription_pool not in openshift_pool_attached.stdout + when: rhsub_pool not in openshift_pool_attached.stdout -- include_role: - role: rhel_subscribe - tasks_from: satellite +- include_tasks: satellite.yml when: - - (rhel_subscription_server or rhsub_server) is defined - - (rhel_subscription_server or rhsub_server) + - rhsub_server is defined + - rhsub_server diff --git a/roles/rhel_subscribe/tasks/satellite.yml b/roles/rhel_subscribe/tasks/satellite.yml index b2b2a621d..dadbe3487 100644 --- a/roles/rhel_subscribe/tasks/satellite.yml +++ b/roles/rhel_subscribe/tasks/satellite.yml @@ -1,5 +1,5 @@ --- - name: Satellite preparation - command: "rpm -Uvh http://{{ rhel_subscription_server }}/pub/katello-ca-consumer-latest.noarch.rpm" + command: "rpm -Uvh http://{{ rhsub_server }}/pub/katello-ca-consumer-latest.noarch.rpm" args: creates: /etc/rhsm/ca/katello-server-ca.pem diff --git a/roles/template_service_broker/defaults/main.yml b/roles/template_service_broker/defaults/main.yml index 421b4ecf9..c32872d24 100644 --- a/roles/template_service_broker/defaults/main.yml +++ b/roles/template_service_broker/defaults/main.yml @@ -3,3 +3,4 @@ template_service_broker_remove: False template_service_broker_install: True openshift_template_service_broker_namespaces: ['openshift'] +template_service_broker_selector: { "region": "infra" } diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml index 99a58baff..1253c1133 100644 --- a/roles/template_service_broker/tasks/install.yml +++ b/roles/template_service_broker/tasks/install.yml @@ -15,6 +15,8 @@ - oc_project: name: openshift-template-service-broker state: present + node_selector: + - "" - command: mktemp -d /tmp/tsb-ansible-XXXXXX register: mktemp @@ -45,6 +47,7 @@ {{ openshift.common.client_binary }} process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" --param API_SERVER_CONFIG="{{ config['content'] | b64decode }}" --param IMAGE="{{ template_service_broker_prefix }}{{ template_service_broker_image_name }}:{{ template_service_broker_version }}" + --param NODE_SELECTOR={{ template_service_broker_selector | to_json | quote }} | {{ openshift.common.client_binary }} apply -f - # reconcile with rbac |