20 files changed, 67 insertions, 54 deletions

diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index ff4c4b0d7..1b967b7f1 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -27,9 +27,6 @@
     when: openshift_docker_selinux_enabled is not defined
 
 - include: disable_excluder.yml
-  vars:
-    # the excluders needs to be disabled no matter what status says
-    with_status_check: false
   tags:
   - always
 
diff --git a/playbooks/common/openshift-cluster/disable_excluder.yml b/playbooks/common/openshift-cluster/disable_excluder.yml
index 68bffb5f5..f664c51c9 100644
--- a/playbooks/common/openshift-cluster/disable_excluder.yml
+++ b/playbooks/common/openshift-cluster/disable_excluder.yml
@@ -1,5 +1,5 @@
 ---
-- name: Record excluder state and disable
+- name: Disable excluders
   hosts: oo_masters_to_config:oo_nodes_to_config
   gather_facts: no
   tasks:
diff --git a/playbooks/common/openshift-cluster/enable_dnsmasq.yml b/playbooks/common/openshift-cluster/enable_dnsmasq.yml
index ca5177852..5425f448f 100644
--- a/playbooks/common/openshift-cluster/enable_dnsmasq.yml
+++ b/playbooks/common/openshift-cluster/enable_dnsmasq.yml
@@ -56,8 +56,6 @@
     - role: node
       local_facts:
         dns_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
-  vars:
-    openshift_deployment_type: "{{ deployment_type }}"
   roles:
   - openshift_node_dnsmasq
   post_tasks:
diff --git a/playbooks/common/openshift-cluster/initialize_facts.yml b/playbooks/common/openshift-cluster/initialize_facts.yml
index 18f99728c..9cebecd68 100644
--- a/playbooks/common/openshift-cluster/initialize_facts.yml
+++ b/playbooks/common/openshift-cluster/initialize_facts.yml
@@ -15,5 +15,3 @@
         hostname: "{{ openshift_hostname | default(None) }}"
   - set_fact:
       openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
-  - set_fact:
-      openshift_deployment_type: "{{ deployment_type }}"
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
index 1f74e929f..07b38920f 100644
--- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml
+++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
@@ -18,18 +18,6 @@
       msg: Incompatible versions of yum and subscription-manager found. You may need to update yum and yum-utils.
     when: "not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout"
 
-# TODO(jchaloup): find a different way how to make repoquery --qf '%version` atomic-openshift work without disabling the excluders
-- include: disable_excluder.yml
-  vars:
-    # the excluders needs to be disabled no matter what status says
-    with_status_check: false
-    # Only openshift excluder needs to be temporarily disabled
-    # So ignore the docker one
-    enable_docker_excluder: false
-  tags:
-  - always
-  when: openshift_upgrade_target is not defined
-
 - name: Determine openshift_version to configure on first master
   hosts: oo_first_master
   roles:
@@ -44,13 +32,3 @@
     openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}"
   roles:
   - openshift_version
-
-  # Re-enable excluders if they are meant to be enabled (and only during installation, upgrade disables the excluders before this play)
-- include: reset_excluder.yml
-  vars:
-    # Only openshift excluder needs to be re-enabled
-    # So ignore the docker one
-    enable_docker_excluder: false
-  tags:
-  - always
-  when: openshift_upgrade_target is not defined
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
index 6771cc98d..e82996cf4 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
@@ -48,10 +48,6 @@
 
   # Replace dc/docker-registry certificate secret contents if set.
   - block:
-    - name: Load lib_openshift modules
-      include_role:
-        name: lib_openshift
-
     - name: Retrieve registry service IP
       oc_service:
         namespace: default
@@ -73,6 +69,9 @@
         --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
         --cert={{ openshift.common.config_base }}/master/registry.crt
         --key={{ openshift.common.config_base }}/master/registry.key
+        {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
+        --expire-days={{ openshift_hosted_registry_cert_expire_days | default(730) }}
+        {% endif %}
 
     - name: Update registry certificates secret
       oc_secret:
diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml
index 078991b12..74cc1d527 100644
--- a/playbooks/common/openshift-cluster/std_include.yml
+++ b/playbooks/common/openshift-cluster/std_include.yml
@@ -22,8 +22,6 @@
   - always
   tasks:
   - include_vars: ../../byo/openshift-cluster/cluster_hosts.yml
-  - set_fact:
-      openshift_deployment_type: "{{ deployment_type }}"
 
 - include: evaluate_groups.yml
   tags:
diff --git a/playbooks/common/openshift-cluster/update_repos_and_packages.yml b/playbooks/common/openshift-cluster/update_repos_and_packages.yml
index b83e4d821..be956fca5 100644
--- a/playbooks/common/openshift-cluster/update_repos_and_packages.yml
+++ b/playbooks/common/openshift-cluster/update_repos_and_packages.yml
@@ -3,8 +3,6 @@
 
 - name: Subscribe hosts, update repos and update OS packages
   hosts: oo_hosts_to_update
-  vars:
-    openshift_deployment_type: "{{ deployment_type }}"
   roles:
   # Explicitly calling openshift_facts because it appears that when
   # rhel_subscribe is skipped that the openshift_facts dependency for
diff --git a/playbooks/common/openshift-cluster/upgrades/init.yml b/playbooks/common/openshift-cluster/upgrades/init.yml
index a3b8c489e..bcbc4ee02 100644
--- a/playbooks/common/openshift-cluster/upgrades/init.yml
+++ b/playbooks/common/openshift-cluster/upgrades/init.yml
@@ -29,7 +29,6 @@
     g_new_master_hosts: []
     g_new_node_hosts: []
     openshift_cluster_id: "{{ cluster_id | default('default') }}"
-    openshift_deployment_type: "{{ deployment_type }}"
 
 - name: Set oo_options
   hosts: oo_all_hosts
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 6f096f705..c00795a8d 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -5,7 +5,6 @@
 - name: Upgrade default router and default registry
   hosts: oo_first_master
   vars:
-    openshift_deployment_type: "{{ deployment_type }}"
     registry_image: "{{  openshift.master.registry_url | replace( '${component}', 'docker-registry' )  | replace ( '${version}', openshift_image_tag ) }}"
     router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', openshift_image_tag ) }}"
     oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig"
diff --git a/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
index df2b664d4..03ac02e9f 100644
--- a/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
@@ -1,7 +1,26 @@
 ---
 # We verified latest rpm available is suitable, so just yum update.
-- name: Upgrade packages
-  package: "name={{ openshift.common.service_type }}-{{ component }}{{ openshift_pkg_version }} state=present"
+
+# Master package upgrade ends up depending on node and sdn packages, we need to be explicit
+# with all versions to avoid yum from accidentally jumping to something newer than intended:
+- name: Upgrade master packages
+  package: name={{ item }} state=present
+  when: component == "master"
+  with_items:
+  - "{{ openshift.common.service_type }}{{ openshift_pkg_version }}"
+  - "{{ openshift.common.service_type }}-master{{ openshift_pkg_version }}"
+  - "{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
+  - "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version }}"
+  - "{{ openshift.common.service_type }}-clients{{ openshift_pkg_version }}"
+
+- name: Upgrade node packages
+  package: name={{ item }} state=present
+  when: component == "node"
+  with_items:
+  - "{{ openshift.common.service_type }}{{ openshift_pkg_version }}"
+  - "{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
+  - "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version }}"
+  - "{{ openshift.common.service_type }}-clients{{ openshift_pkg_version }}"
 
 - name: Ensure python-yaml present for config upgrade
   package: name=PyYAML state=present
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index e16a1f6d0..c6e799261 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -64,6 +64,7 @@
     static: yes
   roles:
   - openshift_facts
+  - lib_utils
   post_tasks:
 
   # Run the pre-upgrade hook if defined:
@@ -113,6 +114,13 @@
       state: link
     when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
 
+  - name: Update oreg value
+    yedit:
+      src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+      key: 'imageConfig.format'
+      value: "{{ oreg_url }}"
+    when: oreg_url is defined
+
   # Run the upgrade hook prior to restarting services/system if defined:
   - debug: msg="Running master upgrade hook {{ openshift_master_upgrade_hook }}"
     when: openshift_master_upgrade_hook is defined
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/filter_plugins b/playbooks/common/openshift-cluster/upgrades/v3_6/filter_plugins
new file mode 120000
index 000000000..7de3c1dd7
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/filter_plugins
@@ -0,0 +1 @@
+../../../../../filter_plugins/
\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/roles b/playbooks/common/openshift-cluster/upgrades/v3_6/roles
new file mode 120000
index 000000000..415645be6
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/roles
@@ -0,0 +1 @@
+../../../../../roles/
\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/storage_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/storage_upgrade.yml
new file mode 100644
index 000000000..48c69eccd
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/storage_upgrade.yml
@@ -0,0 +1,18 @@
+---
+###############################################################################
+# Post upgrade - Upgrade job storage
+###############################################################################
+- name: Upgrade job storage
+  hosts: oo_first_master
+  roles:
+  - { role: openshift_cli }
+  vars:
+    # Another spot where we assume docker is running and do not want to accidentally trigger an unsafe
+    # restart.
+    skip_docker_role: True
+  tasks:
+  - name: Upgrade job storage
+    command: >
+      {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+      migrate storage --include=jobs --confirm
+    run_once: true
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/validator.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/validator.yml
new file mode 100644
index 000000000..ac5704f69
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/validator.yml
@@ -0,0 +1,10 @@
+---
+###############################################################################
+# Pre upgrade checks for known data problems, if this playbook fails you should
+# contact support. If you're not supported contact users@lists.openshift.com
+###############################################################################
+- name: Verify 3.6 specific upgrade checks
+  hosts: oo_first_master
+  roles:
+  - { role: lib_openshift }
+  tasks: []
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 68b9db03a..60cf56108 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -48,12 +48,6 @@
   - set_fact:
       openshift_hosted_metrics_resolution: "{{ lookup('oo_option', 'openshift_hosted_metrics_resolution') | default('10s', true) }}"
     when: openshift_hosted_metrics_resolution is not defined
-  - set_fact:
-      openshift_hosted_metrics_deployer_prefix: "{{ lookup('oo_option', 'openshift_hosted_metrics_deployer_prefix') | default('openshift') }}"
-    when: openshift_hosted_metrics_deployer_prefix is not defined
-  - set_fact:
-      openshift_hosted_metrics_deployer_version: "{{ lookup('oo_option', 'openshift_hosted_metrics_deployer_version') | default('latest') }}"
-    when: openshift_hosted_metrics_deployer_version is not defined
   roles:
   - openshift_facts
   post_tasks:
@@ -129,6 +123,8 @@
     etcd_cert_prefix: "master.etcd-"
   - role: nuage_master
     when: openshift.common.use_nuage | bool
+  - role: calico_master
+    when: openshift.common.use_calico | bool
 
   post_tasks:
   - name: Create group for deployment type
diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml
index c59747081..92f16dc47 100644
--- a/playbooks/common/openshift-master/scaleup.yml
+++ b/playbooks/common/openshift-master/scaleup.yml
@@ -61,9 +61,6 @@
   - openshift_docker
 
 - include: ../openshift-cluster/disable_excluder.yml
-  vars:
-    # the excluders needs to be disabled no matter what status says
-    with_status_check: false
   tags:
   - always
 
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 6c5a299c1..792ffb4e2 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -82,6 +82,8 @@
     etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}"
     etcd_cert_config_dir: "{{ openshift.common.config_base }}/node"
     when: openshift.common.use_flannel | bool
+  - role: calico
+    when: openshift.common.use_calico | bool
   - role: nuage_node
     when: openshift.common.use_nuage | bool
   - role: contiv
diff --git a/playbooks/common/openshift-node/scaleup.yml b/playbooks/common/openshift-node/scaleup.yml
index d81bd152e..c31aca62b 100644
--- a/playbooks/common/openshift-node/scaleup.yml
+++ b/playbooks/common/openshift-node/scaleup.yml
@@ -28,9 +28,6 @@
   - openshift_docker
 
 - include: ../openshift-cluster/disable_excluder.yml
-  vars:
-    # the excluders needs to be disabled no matter what status says
-    with_status_check: false
   tags:
   - always