summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--README_AEP.md2
-rw-r--r--README_OSE.md2
-rw-r--r--README_origin.md6
-rw-r--r--filter_plugins/oo_filters.py19
-rw-r--r--filter_plugins/openshift_master.py1
-rw-r--r--openshift-ansible.spec100
-rwxr-xr-xplaybooks/adhoc/sdn_restart/oo-sdn-restart.yml53
-rw-r--r--playbooks/adhoc/uninstall.yml2
-rw-r--r--playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml4
-rw-r--r--playbooks/aws/openshift-cluster/vars.yml2
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml2
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml2
-rw-r--r--playbooks/common/openshift-master/config.yml49
-rw-r--r--roles/etcd/tasks/main.yml2
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py99
-rw-r--r--roles/openshift_manageiq/tasks/main.yaml4
-rw-r--r--roles/openshift_master/tasks/main.yml5
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j22
-rw-r--r--roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j26
-rw-r--r--roles/openshift_node/tasks/storage_plugins/ceph.yml2
-rw-r--r--roles/openshift_node/tasks/storage_plugins/glusterfs.yml2
-rw-r--r--roles/openshift_node/tasks/storage_plugins/main.yml5
-rw-r--r--roles/rhel_subscribe/tasks/main.yml10
24 files changed, 327 insertions, 56 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 3cc7946d7..f95b607a9 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.0.20-1 ./
+3.0.24-1 ./
diff --git a/README_AEP.md b/README_AEP.md
index 83e575ebe..584a7afff 100644
--- a/README_AEP.md
+++ b/README_AEP.md
@@ -98,6 +98,8 @@ aep3-node[1:2].example.com
The hostnames above should resolve both from the hosts themselves and
the host where ansible is running (if different).
+A more complete example inventory file ([hosts.aep.example](https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.aep.example)) is available under the [`/inventory/byo`](https://github.com/openshift/openshift-ansible/tree/master/inventory/byo) directory.
+
## Running the ansible playbooks
From the openshift-ansible checkout run:
```sh
diff --git a/README_OSE.md b/README_OSE.md
index 524950d51..66fba33e5 100644
--- a/README_OSE.md
+++ b/README_OSE.md
@@ -105,6 +105,8 @@ ose3-node[1:2].example.com
The hostnames above should resolve both from the hosts themselves and
the host where ansible is running (if different).
+A more complete example inventory file ([hosts.ose.example](https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.ose.example)) is available under the [`/inventory/byo`](https://github.com/openshift/openshift-ansible/tree/master/inventory/byo) directory.
+
## Running the ansible playbooks
From the openshift-ansible checkout run:
```sh
diff --git a/README_origin.md b/README_origin.md
index 12e79791e..0387e213f 100644
--- a/README_origin.md
+++ b/README_origin.md
@@ -59,12 +59,12 @@ option to ansible-playbook.
# This is an example of a bring your own (byo) host inventory
# Create an OSEv3 group that contains the masters and nodes groups
-[OSv3:children]
+[OSEv3:children]
masters
nodes
# Set variables common for all OSEv3 hosts
-[OSv3:vars]
+[OSEv3:vars]
# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root
@@ -95,6 +95,8 @@ osv3-lb.example.com
The hostnames above should resolve both from the hosts themselves and
the host where ansible is running (if different).
+A more complete example inventory file ([hosts.origin.example](https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.origin.example)) is available under the [`/inventory/byo`](https://github.com/openshift/openshift-ansible/tree/master/inventory/byo) directory.
+
## Running the ansible playbooks
From the openshift-ansible checkout run:
```sh
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index 48e27a24a..326c36f6c 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -8,12 +8,11 @@ Custom filters for use in openshift-ansible
from ansible import errors
from operator import itemgetter
import OpenSSL.crypto
-import os.path
+import os
import pdb
import re
import json
-
class FilterModule(object):
''' Custom ansible filters '''
@@ -366,9 +365,6 @@ class FilterModule(object):
"keyfile": "/etc/origin/master/named_certificates/custom2.key",
"names": [ "some-hostname.com" ] }]
'''
- if not issubclass(type(certificates), list):
- raise errors.AnsibleFilterError("|failed expects certificates is a list")
-
if not issubclass(type(named_certs_dir), unicode):
raise errors.AnsibleFilterError("|failed expects named_certs_dir is unicode")
@@ -468,6 +464,16 @@ class FilterModule(object):
pass
return clusters
+ @staticmethod
+ def oo_generate_secret(num_bytes):
+ ''' generate a session secret '''
+
+ if not issubclass(type(num_bytes), int):
+ raise errors.AnsibleFilterError("|failed expects num_bytes is int")
+
+ secret = os.urandom(num_bytes)
+ return secret.encode('base-64').strip()
+
def filters(self):
''' returns a mapping of filters to methods '''
return {
@@ -486,5 +492,6 @@ class FilterModule(object):
"oo_parse_heat_stack_outputs": self.oo_parse_heat_stack_outputs,
"oo_parse_named_certificates": self.oo_parse_named_certificates,
"oo_haproxy_backend_masters": self.oo_haproxy_backend_masters,
- "oo_pretty_print_cluster": self.oo_pretty_print_cluster
+ "oo_pretty_print_cluster": self.oo_pretty_print_cluster,
+ "oo_generate_secret": self.oo_generate_secret
}
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index f12017967..8d7c62ad1 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -463,7 +463,6 @@ class FilterModule(object):
IdentityProviderBase.validate_idp_list(idp_list)
return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False)
-
def filters(self):
''' returns a mapping of filters to methods '''
return {"translate_idps": self.translate_idps}
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 563ea3cae..eef619ede 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -5,7 +5,7 @@
}
Name: openshift-ansible
-Version: 3.0.20
+Version: 3.0.24
Release: 1%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
@@ -259,6 +259,104 @@ Atomic OpenShift Utilities includes
%changelog
+* Thu Jan 07 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.24-1
+- Setting relative paths in the upgrade playbooks wasn't working
+ (bleanhar@redhat.com)
+
+* Wed Jan 06 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.23-1
+- Move extra secret validations into openshift_facts. (abutcher@redhat.com)
+- Remove not is_containerized restriction on storage plugin includes.
+ (abutcher@redhat.com)
+- We can't enable manageiq for installations less than OSE 3.1 or Origin 1.1
+ (bleanhar@redhat.com)
+- Fix RHN subscription by explicitly attaching to the right pool
+ (lhuard@amadeus.com)
+- openshift_facts validation (abutcher@redhat.com)
+- Secrets validation. (abutcher@redhat.com)
+- Clean up idempotency issues with session secrets. (abutcher@redhat.com)
+
+* Wed Jan 06 2016 Kenny Woodson <kwoodson@redhat.com> 3.0.22-1
+- playbook for restarting SDN (jdiaz@redhat.com)
+- Stop haproxy and remove package during uninstall. (abutcher@redhat.com)
+- Group name as per hosts.origin.example (donovan.muller@gmail.com)
+- I believe the ami id changed since the initial documentation was created for
+ AWS deployment (rcook@redhat.com)
+
+* Tue Jan 05 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.21-1
+- Fix osm_controller_args and osm_api_server_args settings.
+ (abutcher@redhat.com)
+- Fix error in byo cluster_hosts.yml (jdetiber@redhat.com)
+- Cleanup and fixes for cluster_id change (jdetiber@redhat.com)
+- Fix typo in etcd service status fact. (abutcher@redhat.com)
+- Removing environment and env tags. (kwoodson@redhat.com)
+- Add node kubelet args to inventory examples. (abutcher@redhat.com)
+- Adding ManageIQ service account by default (efreiber@redhat.com)
+- Fixes typo assigning docker_service_status_changed which leads to
+ misinterpretation in handler. (eric.mountain@amadeus.com)
+- Fix restart handlers. (abutcher@redhat.com)
+- Remove lb from docker hosts. (abutcher@redhat.com)
+- Install iptables, iptables-services when not is_aotmic (sdodson@redhat.com)
+- Install all xpaas streams when enabled (sdodson@redhat.com)
+- add the necessary URLs for logging and metrics
+ (git001@users.noreply.github.com)
+- Link to Tito Home Page is Broken (lloy0076@adam.com.au)
+- Conditionalize for 3.1.1/1.1.1 (abutcher@redhat.com)
+- Use notify for workaround controllers unit. (abutcher@redhat.com)
+- change dns triggers to average (jdiaz@redhat.com)
+- add item/trigger for dns tests on all currently running containers
+ (jdiaz@redhat.com)
+- Add jboss-fuse/application-templates/fis-image-streams.json
+ (sdodson@redhat.com)
+- atomic-openshift-installer: Fix broken nosetest (smunilla@redhat.com)
+- Update from jboss-openshift/application-templates ose-v1.2.0-1
+ (sdodson@redhat.com)
+- fix logic to tolerate occasional failures (jdiaz@redhat.com)
+- Clean up versions.sh (sdodson@redhat.com)
+- change ovs mount to /var/run/openvswitch will not require a container restart
+ if openvswitch service is restarted (jdiaz@redhat.com)
+- split zagg.server.processor.errors into separate heartbeat and metrics error
+ items (needed since the scripts are split now). (twiest@redhat.com)
+- quick installer tests (smunilla@redhat.com)
+- atomic-openshift-installer: Remove HA hint for 3.0 install
+ (smunilla@redhat.com)
+- Add some guards to wait for images to be pulled before moving on
+ (sdodson@redhat.com)
+- Install httpd-tools when not is_atomic (sdodson@redhat.com)
+- Properly set use_flannel fact (sbaubeau@redhat.com)
+- Fix containerized variable (sdodson@redhat.com)
+- Skip yum/dnf ops when is_containerized (sdodson@redhat.com)
+- Move all docker config into openshift_docker to minimize docker restarts
+ (sdodson@redhat.com)
+- Create nfs host group with registry volume attachment. (abutcher@redhat.com)
+- Add openshift_cli role (sdodson@redhat.com)
+- pull docker images only if not already present (jdetiber@redhat.com)
+- fixes (jdetiber@redhat.com)
+- Containerization work by @sdodson (sdodson@redhat.com)
+- Initial containerization work from @ibotty (tob@butter.sh)
+- Add zabbix values to track docker container DNS results (jdiaz@redhat.com)
+- Fix registry modification for new deployment types. (dgoodwin@redhat.com)
+- Updates to ohi to pull cache if specified. Also require version
+ (kwoodson@redhat.com)
+- Zabbix: added trigger to monitor app create over the last hour
+ (mwoodson@redhat.com)
+- added 'Template Zagg Server' (twiest@redhat.com)
+- Fixes typo when setting facts to record whether master/node has been
+ restarted already, to decide whether notify handler should do so or not.
+ Currently, this causes random SDN network setup failures as openshift-node
+ gets restarted while the setup script is running, and the subsequent start
+ fails to configure the SDN because it thinks it's already done.
+ (eric.mountain@amadeus.com)
+- Change controllers service type to simple. (abutcher@redhat.com)
+- Updating env-host-type to host patterns (kwoodson@redhat.com)
+- Add note that Fedora 23+ is acceptable deployment target for origin
+ (admiller@redhat.com)
+- Enforce connection: local and become: no on all localhost plays
+ (jdetiber@redhat.com)
+- Use join for the uncompress command. (jsteffan@fedoraproject.org)
+- Update for latest CentOS-7-x86_64-GenericCloud. - Use xz compressed image -
+ Update sha256 for new image - Update docs to reflect new settings
+ (jsteffan@fedoraproject.org)
+
* Thu Dec 10 2015 Thomas Wiest <twiest@redhat.com> 3.0.20-1
- Revert "Automatic commit of package [openshift-ansible] release [3.0.20-1]."
(twiest@redhat.com)
diff --git a/playbooks/adhoc/sdn_restart/oo-sdn-restart.yml b/playbooks/adhoc/sdn_restart/oo-sdn-restart.yml
new file mode 100755
index 000000000..0dc021fbc
--- /dev/null
+++ b/playbooks/adhoc/sdn_restart/oo-sdn-restart.yml
@@ -0,0 +1,53 @@
+#!/usr/bin/ansible-playbook
+---
+#example run:
+# ansible-playbook -e "host=ops-node-compute-abcde" oo-sdn-restart.yml
+#
+
+- name: Check vars
+ hosts: localhost
+ gather_facts: false
+
+ pre_tasks:
+ - fail:
+ msg: "Playbook requires host to be set"
+ when: host is not defined or host == ''
+
+- name: Restart openshift/docker (and monitoring containers)
+ hosts: oo_version_3:&oo_name_{{ host }}
+ gather_facts: false
+ user: root
+
+ tasks:
+ - name: stop openshift/docker
+ service:
+ name: "{{ item }}"
+ state: stopped
+ with_items:
+ - atomic-openshift-node
+ - docker
+
+ - name: restart openvswitch
+ service:
+ name: openvswitch
+ state: restarted
+
+ - name: wait 5 sec
+ pause:
+ seconds: 5
+
+ - name: start openshift/docker
+ service:
+ name: "{{ item }}"
+ state: started
+ with_items:
+ - atomic-openshift-node
+ - docker
+
+ - name: start monitoring containers
+ service:
+ name: "{{ item }}"
+ state: restarted
+ with_items:
+ - oso-f22-host-monitoring
+ - oso-rhel7-zagg-client
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index 55df78a3f..ac20f5f9b 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -40,6 +40,7 @@
- atomic-openshift-master-controllers
- atomic-openshift-node
- etcd
+ - haproxy
- openshift-master
- openshift-master-api
- openshift-master-controllers
@@ -67,6 +68,7 @@
- atomic-openshift-sdn-ovs
- corosync
- etcd
+ - haproxy
- openshift
- openshift-master
- openshift-node
diff --git a/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
index 231356798..11026e38d 100644
--- a/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
+++ b/playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
@@ -4,8 +4,8 @@
# ansible-playbook playbooks/aws/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml -e deployment_type=online -e cluster_id=<cluster_id>
- include: ../../../../common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
vars_files:
- - ../../../../aws/openshift-cluster/vars.yml
- - ../../../../aws/openshift-cluster/cluster_hosts.yml
+ - "{{lookup('file', '../../../../aws/openshift-cluster/vars.yml')}}"
+ - "{{lookup('file', '../../../../aws/openshift-cluster/cluster_hosts.yml')}}"
vars:
g_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
g_sudo: "{{ deployment_vars[deployment_type].sudo }}"
diff --git a/playbooks/aws/openshift-cluster/vars.yml b/playbooks/aws/openshift-cluster/vars.yml
index 452c90d6a..c8ee9bad4 100644
--- a/playbooks/aws/openshift-cluster/vars.yml
+++ b/playbooks/aws/openshift-cluster/vars.yml
@@ -3,7 +3,7 @@ debug_level: 2
deployment_vars:
origin:
# centos-7, requires marketplace
- image: ami-96a818fe
+ image: ami-61bbf104
image_name:
region: us-east-1
ssh_user: centos
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
index 58c04d41d..b52456dcd 100644
--- a/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
@@ -1,7 +1,7 @@
---
- include: ../../../../common/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
vars_files:
- - ../../../../byo/openshift-cluster/cluster_hosts.yml
+ - "{{lookup('file', '../../../../byo/openshift-cluster/cluster_hosts.yml')}}"
vars:
g_etcd_hosts: "{{ groups.etcd | default([]) }}"
g_master_hosts: "{{ groups.masters | default([]) }}"
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
index 2f9e8dc7a..e07e2b88e 100644
--- a/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
@@ -1,7 +1,7 @@
---
- include: ../../../../common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
vars_files:
- - ../../../../byo/openshift-cluster/cluster_hosts.yml
+ - "{{lookup('file', '../../../../byo/openshift-cluster/cluster_hosts.yml')}}"
vars:
g_etcd_hosts: "{{ groups.etcd | default([]) }}"
g_master_hosts: "{{ groups.masters | default([]) }}"
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 759656e63..677c274c4 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -236,29 +236,32 @@
- role: haproxy
when: groups.oo_masters_to_config | length > 1
-- name: Generate master session keys
+- name: Check for cached session secrets
hosts: oo_first_master
+ roles:
+ - role: openshift_facts
+ post_tasks:
+ - openshift_facts:
+ role: master
+ local_facts:
+ session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(openshift.master.session_auth_secrets | default(None)) }}"
+ session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(openshift.master.session_encryption_secrets | default(None)) }}"
+
+- name: Generate master session secrets
+ hosts: oo_first_master
+ vars:
+ g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}"
+ g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}"
+ g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}"
+ roles:
+ - role: openshift_facts
tasks:
- - fail:
- msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
- - fail:
- msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
- when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
- - name: Install OpenSSL package
- action: "{{ ansible_pkg_mgr }} name=openssl state=present"
- when: not openshift.common.is_atomic | bool
- - name: Generate session authentication key
- command: /usr/bin/openssl rand -base64 24
- register: session_auth_output
- when: openshift_master_session_auth_secrets is undefined
- - name: Generate session encryption key
- command: /usr/bin/openssl rand -base64 24
- register: session_encryption_output
- when: openshift_master_session_encryption_secrets is undefined
- - set_fact:
- session_auth_secret: "{{ openshift_master_session_auth_secrets | default([session_auth_output.stdout]) }}"
- session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default([session_encryption_output.stdout]) }}"
+ - openshift_facts:
+ role: master
+ local_facts:
+ session_auth_secrets: "{{ g_session_auth_secrets }}"
+ session_encryption_secrets: "{{ g_session_encryption_secrets }}"
+ when: not g_session_secrets_present | bool
- name: Parse named certificates
hosts: localhost
@@ -314,8 +317,8 @@
sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
openshift_master_count: "{{ groups.oo_masters_to_config | length }}"
- openshift_master_session_auth_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_auth_secret'] }}"
- openshift_master_session_encryption_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_encryption_secret'] }}"
+ openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}"
+ openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}"
pre_tasks:
- name: Ensure certificate directory exists
file:
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 663f6e537..e83cfc33c 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -104,4 +104,4 @@
register: start_result
- set_fact:
- etcd_service_status_changed = "{{ start_result | changed }}"
+ etcd_service_status_changed: "{{ start_result | changed }}"
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 911a684fc..8dc16f5e4 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -628,7 +628,7 @@ def set_deployment_facts_if_unset(facts):
facts['common']['service_type'] = service_type
if 'config_base' not in facts['common']:
config_base = '/etc/origin'
- if deployment_type in ['enterprise', 'online']:
+ if deployment_type in ['enterprise']:
config_base = '/etc/openshift'
# Handle upgrade scenarios when symlinks don't yet exist:
if not os.path.exists(config_base) and os.path.exists('/etc/openshift'):
@@ -636,7 +636,7 @@ def set_deployment_facts_if_unset(facts):
facts['common']['config_base'] = config_base
if 'data_dir' not in facts['common']:
data_dir = '/var/lib/origin'
- if deployment_type in ['enterprise', 'online']:
+ if deployment_type in ['enterprise']:
data_dir = '/var/lib/openshift'
# Handle upgrade scenarios when symlinks don't yet exist:
if not os.path.exists(data_dir) and os.path.exists('/var/lib/openshift'):
@@ -715,6 +715,26 @@ def set_version_facts_if_unset(facts):
return facts
+def set_manageiq_facts_if_unset(facts):
+ """ Set manageiq facts. This currently includes common.use_manageiq.
+
+ Args:
+ facts (dict): existing facts
+ Returns:
+ dict: the facts dict updated with version facts.
+ Raises:
+ OpenShiftFactsInternalError:
+ """
+ if 'common' not in facts:
+ if 'version_greater_than_3_1_or_1_1' not in facts['common']:
+ raise OpenShiftFactsInternalError(
+ "Invalid invocation: The required facts are not set"
+ )
+
+ facts['common']['use_manageiq'] = facts['common']['version_greater_than_3_1_or_1_1']
+
+ return facts
+
def set_sdn_facts_if_unset(facts, system_facts):
""" Set sdn facts if not already present in facts dict
@@ -1021,6 +1041,11 @@ def set_container_facts_if_unset(facts):
return facts
+class OpenShiftFactsInternalError(Exception):
+ """Origin Facts Error"""
+ pass
+
+
class OpenShiftFactsUnsupportedRoleError(Exception):
"""Origin Facts Unsupported Role Error"""
pass
@@ -1043,6 +1068,7 @@ class OpenShiftFacts(object):
facts (dict): facts for the host
Args:
+ module (AnsibleModule): an AnsibleModule object
role (str): role for setting local facts
filename (str): local facts file to use
local_facts (dict): local facts to set
@@ -1096,6 +1122,7 @@ class OpenShiftFacts(object):
facts = set_sdn_facts_if_unset(facts, self.system_facts)
facts = set_deployment_facts_if_unset(facts)
facts = set_version_facts_if_unset(facts)
+ facts = set_manageiq_facts_if_unset(facts)
facts = set_aggregate_facts(facts)
facts = set_etcd_facts_if_unset(facts)
facts = set_container_facts_if_unset(facts)
@@ -1121,7 +1148,7 @@ class OpenShiftFacts(object):
common = dict(use_openshift_sdn=True, ip=ip_addr, public_ip=ip_addr,
deployment_type='origin', hostname=hostname,
- public_hostname=hostname, use_manageiq=True)
+ public_hostname=hostname)
common['client_binary'] = 'oc'
common['admin_binary'] = 'oadm'
common['dns_domain'] = 'cluster.local'
@@ -1263,14 +1290,78 @@ class OpenShiftFacts(object):
del facts[key]
if new_local_facts != local_facts:
+ self.validate_local_facts(new_local_facts)
changed = True
-
if not module.check_mode:
save_local_facts(self.filename, new_local_facts)
self.changed = changed
return new_local_facts
+ def validate_local_facts(self, facts=None):
+ """ Validate local facts
+
+ Args:
+ facts (dict): local facts to validate
+ """
+ invalid_facts = dict()
+ invalid_facts = self.validate_master_facts(facts, invalid_facts)
+ if invalid_facts:
+ msg = 'Invalid facts detected:\n'
+ for key in invalid_facts.keys():
+ msg += '{0}: {1}\n'.format(key, invalid_facts[key])
+ module.fail_json(msg=msg,
+ changed=self.changed)
+
+ # disabling pylint errors for line-too-long since we're dealing
+ # with best effort reduction of error messages here.
+ # disabling errors for too-many-branches since we require checking
+ # many conditions.
+ # pylint: disable=line-too-long, too-many-branches
+ @staticmethod
+ def validate_master_facts(facts, invalid_facts):
+ """ Validate master facts
+
+ Args:
+ facts (dict): local facts to validate
+ invalid_facts (dict): collected invalid_facts
+
+ Returns:
+ dict: Invalid facts
+ """
+ if 'master' in facts:
+ # openshift.master.session_auth_secrets
+ if 'session_auth_secrets' in facts['master']:
+ session_auth_secrets = facts['master']['session_auth_secrets']
+ if not issubclass(type(session_auth_secrets), list):
+ invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+ elif 'session_encryption_secrets' not in facts['master']:
+ invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set '
+ 'if openshift_master_session_auth_secrets is provided.')
+ elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):
+ invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and '
+ 'openshift_master_session_encryption_secrets must be '
+ 'equal length.')
+ else:
+ for secret in session_auth_secrets:
+ if len(secret) < 32:
+ invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. '
+ 'Secrets must be at least 32 characters in length.')
+ # openshift.master.session_encryption_secrets
+ if 'session_encryption_secrets' in facts['master']:
+ session_encryption_secrets = facts['master']['session_encryption_secrets']
+ if not issubclass(type(session_encryption_secrets), list):
+ invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+ elif 'session_auth_secrets' not in facts['master']:
+ invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be '
+ 'set if openshift_master_session_encryption_secrets '
+ 'is provided.')
+ else:
+ for secret in session_encryption_secrets:
+ if len(secret) not in [16, 24, 32]:
+ invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. '
+ 'Secrets must be 16, 24, or 32 characters in length.')
+ return invalid_facts
def main():
""" main """
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index 2d3187e21..0357fc85a 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -1,4 +1,8 @@
---
+- fail:
+ msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
+ when: not openshift.common.version_greater_than_3_1_or_1_1 | bool
+
- name: Copy Configuration to temporary conf
command: >
cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}}
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index a22654678..397122631 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -9,7 +9,6 @@
Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }}
when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods
-
# HA Variable Validation
- fail:
msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations"
@@ -55,9 +54,9 @@
portal_net: "{{ openshift_master_portal_net | default(None) }}"
session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}"
session_name: "{{ openshift_master_session_name | default(None) }}"
+ session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}"
session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(None) }}"
session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(None) }}"
- session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}"
access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}"
auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}"
identity_providers: "{{ openshift_master_identity_providers | default(None) }}"
@@ -221,7 +220,7 @@
template:
dest: "{{ openshift.master.session_secrets_file }}"
src: sessionSecretsFile.yaml.v1.j2
- force: no
+ when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined
notify:
- restart master
- restart master api
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 317049c44..647476b7f 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -127,7 +127,9 @@ oauthConfig:
sessionConfig:
sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }}
sessionName: {{ openshift.master.session_name }}
+{% if openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined %}
sessionSecretsFile: {{ openshift.master.session_secrets_file }}
+{% endif %}
tokenConfig:
accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }}
authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }}
diff --git a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2
index d12d9db90..3d4b573a9 100644
--- a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2
+++ b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2
@@ -1,7 +1,7 @@
apiVersion: v1
kind: SessionSecrets
secrets:
-{% for secret in openshift_master_session_auth_secrets %}
-- authentication: "{{ openshift_master_session_auth_secrets[loop.index0] }}"
- encryption: "{{ openshift_master_session_encryption_secrets[loop.index0] }}"
+{% for secret in openshift.master.session_auth_secrets %}
+- authentication: "{{ openshift.master.session_auth_secrets[loop.index0] }}"
+ encryption: "{{ openshift.master.session_encryption_secrets[loop.index0] }}"
{% endfor %}
diff --git a/roles/openshift_node/tasks/storage_plugins/ceph.yml b/roles/openshift_node/tasks/storage_plugins/ceph.yml
index 119ad62ef..eed3c99a3 100644
--- a/roles/openshift_node/tasks/storage_plugins/ceph.yml
+++ b/roles/openshift_node/tasks/storage_plugins/ceph.yml
@@ -1,4 +1,4 @@
---
- name: Install Ceph storage plugin dependencies
action: "{{ ansible_pkg_mgr }} name=ceph-common state=present"
- when: not openshift.common.is_containerized | bool \ No newline at end of file
+ when: not openshift.common.is_atomic | bool \ No newline at end of file
diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
index 91ee77e7e..8fc8497fa 100644
--- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
@@ -1,7 +1,7 @@
---
- name: Install GlusterFS storage plugin dependencies
action: "{{ ansible_pkg_mgr }} name=glusterfs-fuse state=present"
- when: not openshift.common.is_containerized | bool
+ when: not openshift.common.is_atomic | bool
- name: Set sebooleans to allow gluster storage plugin access from containers
seboolean:
diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml
index d237c26ec..39c7b9390 100644
--- a/roles/openshift_node/tasks/storage_plugins/main.yml
+++ b/roles/openshift_node/tasks/storage_plugins/main.yml
@@ -3,12 +3,11 @@
# additional package dependencies
- name: NFS storage plugin configuration
include: nfs.yml
- when: not openshift.common.is_containerized | bool
- name: GlusterFS storage plugin configuration
include: glusterfs.yml
- when: "'glusterfs' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool "
+ when: "'glusterfs' in openshift.node.storage_plugin_deps"
- name: Ceph storage plugin configuration
include: ceph.yml
- when: "'ceph' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool"
+ when: "'ceph' in openshift.node.storage_plugin_deps"
diff --git a/roles/rhel_subscribe/tasks/main.yml b/roles/rhel_subscribe/tasks/main.yml
index 30c0920a1..c160ea4e9 100644
--- a/roles/rhel_subscribe/tasks/main.yml
+++ b/roles/rhel_subscribe/tasks/main.yml
@@ -4,6 +4,7 @@
# to make it able to enable repositories
- set_fact:
+ rhel_subscription_pool: "{{ lookup('oo_option', 'rhel_subscription_pool') | default(rhsub_pool, True) | default('OpenShift Enterprise, Premium*', True) }}"
rhel_subscription_user: "{{ lookup('oo_option', 'rhel_subscription_user') | default(rhsub_user, True) | default(omit, True) }}"
rhel_subscription_pass: "{{ lookup('oo_option', 'rhel_subscription_pass') | default(rhsub_pass, True) | default(omit, True) }}"
rhel_subscription_server: "{{ lookup('oo_option', 'rhel_subscription_server') | default(rhsub_server) }}"
@@ -30,7 +31,14 @@
redhat_subscription:
username: "{{ rhel_subscription_user }}"
password: "{{ rhel_subscription_pass }}"
- autosubscribe: yes
+
+- name: Retrieve the OpenShift Pool ID
+ command: subscription-manager list --available --matches="{{ rhel_subscription_pool }}" --pool-only
+ register: openshift_pool_id
+ changed_when: False
+
+- name: Attach to OpenShift Pool
+ command: subscription-manager subscribe --pool {{ openshift_pool_id.stdout_lines[0] }}
- include: enterprise.yml
when: deployment_type == 'enterprise'