summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py2
-rw-r--r--roles/openshift_hosted/filter_plugins/filters.py35
-rw-r--r--roles/openshift_hosted/handlers/main.yml0
-rw-r--r--roles/openshift_hosted/meta/main.yml1
-rw-r--r--roles/openshift_hosted/tasks/main.yml19
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml126
-rw-r--r--roles/openshift_hosted/tasks/registry/secure.yml147
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/object_storage.yml123
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml26
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/s3.yml73
-rw-r--r--roles/openshift_hosted/tasks/router/router.yml173
-rw-r--r--roles/openshift_logging/templates/elasticsearch.yml.j22
-rw-r--r--roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py20
-rw-r--r--roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py18
-rw-r--r--roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py1
-rw-r--r--roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py1
-rwxr-xr-xroles/openshift_metrics/files/import_jks_certs.sh19
-rw-r--r--roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml12
-rw-r--r--roles/openshift_metrics/tasks/import_jks_certs.yaml11
-rw-r--r--roles/openshift_metrics/templates/hawkular_metrics_rc.j213
20 files changed, 344 insertions, 478 deletions
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 2503d6212..32bbbc30a 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -875,7 +875,7 @@ def set_version_facts_if_unset(facts):
version_gte_3_3_or_1_3 = version >= LooseVersion('1.3.0')
version_gte_3_4_or_1_4 = version >= LooseVersion('1.4.0')
version_gte_3_5_or_1_5 = version >= LooseVersion('1.5.0')
- version_gte_3_6_or_1_6 = version >= LooseVersion('1.6.0')
+ version_gte_3_6_or_1_6 = version >= LooseVersion('3.6.0') or version >= LooseVersion('1.6.0')
else:
version_gte_3_1_or_1_1 = version >= LooseVersion('3.0.2.905')
version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('3.1.1')
diff --git a/roles/openshift_hosted/filter_plugins/filters.py b/roles/openshift_hosted/filter_plugins/filters.py
new file mode 100644
index 000000000..cbfadfe9d
--- /dev/null
+++ b/roles/openshift_hosted/filter_plugins/filters.py
@@ -0,0 +1,35 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+'''
+Custom filters for use in openshift_hosted
+'''
+
+
+class FilterModule(object):
+ ''' Custom ansible filters for use by openshift_hosted role'''
+
+ @staticmethod
+ def get_router_replicas(replicas=None, router_nodes=None):
+ ''' This function will return the number of replicas
+ based on the results from the defined
+ openshift.hosted.router.replicas OR
+ the query from oc_obj on openshift nodes with a selector OR
+ default to 1
+
+ '''
+ # We always use what they've specified if they've specified a value
+ if replicas is not None:
+ return replicas
+
+ if (isinstance(router_nodes, dict) and
+ 'results' in router_nodes and
+ 'results' in router_nodes['results'] and
+ 'items' in router_nodes['results']['results']):
+
+ return len(router_nodes['results']['results'][0]['items'])
+
+ return 1
+
+ def filters(self):
+ ''' returns a mapping of filters to methods '''
+ return {'get_router_replicas': self.get_router_replicas}
diff --git a/roles/openshift_hosted/handlers/main.yml b/roles/openshift_hosted/handlers/main.yml
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_hosted/handlers/main.yml
+++ /dev/null
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index afea0ac59..e9b590550 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -20,6 +20,7 @@ dependencies:
- role: openshift_serviceaccounts
openshift_serviceaccounts_names:
- router
+ - registry
openshift_serviceaccounts_namespace: default
openshift_serviceaccounts_sccs:
- hostnetwork
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
index 67c6bbfd7..fe254f72d 100644
--- a/roles/openshift_hosted/tasks/main.yml
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -1,25 +1,6 @@
---
-- name: Create temp directory for kubeconfig
- command: mktemp -d /tmp/openshift-ansible-XXXXXX
- register: mktemp
- changed_when: False
-
-- set_fact:
- openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
-
-- name: Copy the admin client config(s)
- command: >
- cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
- changed_when: False
-
- include: router/router.yml
when: openshift_hosted_manage_router | default(true) | bool
- include: registry/registry.yml
when: openshift_hosted_manage_registry | default(true) | bool
-
-- name: Delete temp directory
- file:
- name: "{{ mktemp.stdout }}"
- state: absent
- changed_when: False
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index 93b701ebc..cad5c666c 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -1,64 +1,88 @@
---
-- name: Retrieve list of openshift nodes matching registry selector
- command: >
- {{ openshift.common.client_binary }} --api-version='v1' -o json
- get nodes -n default --config={{ openshift_hosted_kubeconfig }}
- --selector={{ openshift.hosted.registry.selector | default('') }}
- register: registry_nodes_json
- changed_when: false
- when: openshift.hosted.registry.replicas | default(none) is none
+- block:
-- set_fact:
- l_node_count: "{{ (registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}"
+ - name: Retrieve list of openshift nodes matching registry selector
+ oc_obj:
+ state: list
+ kind: node
+ selector: "{{ openshift.hosted.registry.selector | default(omit) }}"
+ register: registry_nodes
-# Determine the default number of registry/router replicas to use if no count
-# has been specified.
-# If no registry nodes defined, the default should be 0.
-- set_fact:
- l_default_replicas: 0
- when: l_node_count | int == 0
+ - name: set_fact l_node_count to number of nodes matching registry selector
+ set_fact:
+ l_node_count: "{{ registry_nodes.results.results[0]['items'] | length }}"
-# If registry nodes are defined and the registry storage kind is
-# defined, default should be the number of registry nodes, otherwise
-# just 1:
-- set_fact:
- l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
- when: l_node_count | int > 0
+ # Determine the default number of registry/router replicas to use if no count
+ # has been specified.
+ # If no registry nodes defined, the default should be 0.
+ - name: set_fact l_default_replicas when l_node_count == 0
+ set_fact:
+ l_default_replicas: 0
+ when: l_node_count | int == 0
-- set_fact:
- replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}"
+ # If registry nodes are defined and the registry storage kind is
+ # defined, default should be the number of registry nodes, otherwise
+ # just 1:
+ - name: set_fact l_default_replicas when l_node_count > 0
+ set_fact:
+ l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
+ when: l_node_count | int > 0
-- name: Create OpenShift registry
- command: >
- {{ openshift.common.client_binary }} adm registry --create
- --config={{ openshift_hosted_kubeconfig }}
- {% if replicas > 1 -%}
- --replicas={{ replicas }}
- {% endif -%}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- --service-account=registry
- {% if openshift.hosted.registry.selector | default(none) is not none -%}
- --selector='{{ openshift.hosted.registry.selector }}'
- {% endif -%}
- {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%}
- --credentials={{ openshift_master_config_dir }}/openshift-registry.kubeconfig
- {% endif -%}
- {% if openshift.hosted.registry.registryurl | default(none) is not none -%}
- --images='{{ openshift.hosted.registry.registryurl }}'
- {% endif -%}
- register: openshift_hosted_registry_results
- changed_when: "'service exists' not in openshift_hosted_registry_results.stdout"
- failed_when: "openshift_hosted_registry_results.rc != 0 and 'service exists' not in openshift_hosted_registry_results.stdout and 'deployment_config' not in openshift_hosted_registry_results.stderr and 'service' not in openshift_hosted_registry_results.stderr"
- when: replicas | int > 0
+ when: openshift.hosted.registry.replicas | default(none) is none
+
+- name: set openshift_hosted facts
+ set_fact:
+ openshift_hosted_registry_replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}"
+ openshift_hosted_registry_name: docker-registry
+ openshift_hosted_registry_serviceaccount: registry
+ openshift_hosted_registry_namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
+ openshift_hosted_registry_selector: "{{ openshift.hosted.registry.selector }}"
+ openshift_hosted_registry_images: "{{ openshift.hosted.registry.registryurl | default('openshift3/ose-${component}:${version}')}}"
+ openshift_hosted_registry_volumes: []
+ openshift_hosted_registry_env_vars: {}
+ openshift_hosted_registry_edits:
+ # These edits are being specified only to prevent 'changed' on rerun
+ - key: spec.strategy.rollingParams
+ value:
+ intervalSeconds: 1
+ maxSurge: "25%"
+ maxUnavailable: "25%"
+ timeoutSeconds: 600
+ updatePeriodSeconds: 1
+ action: put
+ openshift_hosted_registry_force:
+ - False
- include: secure.yml
static: no
- when: replicas | int > 0 and not (openshift.docker.hosted_registry_insecure | default(false) | bool)
+ run_once: true
+ when:
+ - not (openshift.docker.hosted_registry_insecure | default(false) | bool)
- include: storage/object_storage.yml
static: no
- when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) == 'object'
+ when:
+ - openshift.hosted.registry.storage.kind | default(none) == 'object'
-- include: storage/persistent_volume.yml
- static: no
- when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack']
+- name: Set facts for persistent volume
+ set_fact:
+ pvc_volume_mounts:
+ - name: registry-storage
+ type: persistentVolumeClaim
+ claim_name: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
+ openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(pvc_volume_mounts) }}"
+ when:
+ - openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack']
+
+- name: Create OpenShift registry
+ oc_adm_registry:
+ name: "{{ openshift_hosted_registry_name }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+ selector: "{{ openshift_hosted_registry_selector }}"
+ replicas: "{{ openshift_hosted_registry_replicas }}"
+ service_account: "{{ openshift_hosted_registry_serviceaccount }}"
+ images: "{{ openshift_hosted_registry_images }}"
+ env_vars: "{{ openshift_hosted_registry_env_vars }}"
+ volume_mounts: "{{ openshift_hosted_registry_volumes }}"
+ edits: "{{ openshift_hosted_registry_edits }}"
+ force: "{{ True|bool in openshift_hosted_registry_force }}"
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index 8b44b94c6..e70d377c6 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -1,132 +1,77 @@
---
+- name: Set fact docker_registry_route_hostname
+ set_fact:
+ docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+
- name: Create passthrough route for docker-registry
oc_route:
- kubeconfig: "{{ openshift_hosted_kubeconfig }}"
name: docker-registry
- namespace: default
+ namespace: "{{ openshift_hosted_registry_namespace }}"
service_name: docker-registry
- state: present
tls_termination: passthrough
- run_once: true
-
-- name: Determine if registry certificate must be created
- stat:
- path: "{{ openshift_master_config_dir }}/{{ item }}"
- with_items:
- - registry.crt
- - registry.key
- register: docker_registry_certificates_stat_result
- changed_when: false
- failed_when: false
+ host: "{{ docker_registry_route_hostname }}"
- name: Retrieve registry service IP
oc_service:
- namespace: default
+ namespace: "{{ openshift_hosted_registry_namespace }}"
name: docker-registry
state: list
register: docker_registry_service_ip
- changed_when: false
-
-- set_fact:
- docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
-- name: Create registry certificates if they do not exist
- command: >
- {{ openshift.common.client_binary }} adm ca create-server-cert
- --signer-cert={{ openshift_master_config_dir }}/ca.crt
- --signer-key={{ openshift_master_config_dir }}/ca.key
- --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
- --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
- --cert={{ openshift_master_config_dir }}/registry.crt
- --key={{ openshift_master_config_dir }}/registry.key
- when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)
+- name: Create registry certificates
+ oc_adm_ca_server_cert:
+ signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
+ signer_key: "{{ openshift_master_config_dir }}/ca.key"
+ signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+ hostnames:
+ - "{{ docker_registry_service_ip.results.clusterip }}"
+ - docker-registry.default.svc.cluster.local
+ - "{{ docker_registry_route_hostname }}"
+ cert: "{{ openshift_master_config_dir }}/registry.crt"
+ key: "{{ openshift_master_config_dir }}/registry.key"
+ register: server_cert_out
- name: Create the secret for the registry certificates
oc_secret:
- kubeconfig: "{{ openshift_hosted_kubeconfig }}"
name: registry-certificates
- namespace: default
- state: present
+ namespace: "{{ openshift_hosted_registry_namespace }}"
files:
- name: registry.crt
path: "{{ openshift_master_config_dir }}/registry.crt"
- name: registry.key
path: "{{ openshift_master_config_dir }}/registry.key"
- register: create_registry_certificates_secret
- run_once: true
+ register: create_registry_certificates_secret_out
-- name: "Add the secret to the registry's pod service accounts"
+- name: Add the secret to the registry's pod service accounts
oc_serviceaccount_secret:
service_account: "{{ item }}"
secret: registry-certificates
- namespace: default
- kubeconfig: "{{ openshift_hosted_kubeconfig }}"
- state: present
+ namespace: "{{ openshift_hosted_registry_namespace }}"
with_items:
- registry
- default
-- name: Determine if registry-certificates secret volume attached
- command: >
- {{ openshift.common.client_binary }} get dc/docker-registry
- -o jsonpath='{.spec.template.spec.volumes[?(@.secret)].secret.secretName}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_volumes
- changed_when: false
- failed_when: "docker_registry_volumes.stdout != '' and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
-
-- name: Attach registry-certificates secret volume
- command: >
- {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret
- --secret-name=registry-certificates
- -m /etc/secrets
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- when: "'registry-certificates' not in docker_registry_volumes.stdout"
-
-- name: Determine if registry environment variables must be set
- command: >
- {{ openshift.common.client_binary }} env dc/docker-registry
- --list
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_env
- changed_when: false
-
-- name: Configure certificates in registry deplomentConfig
- command: >
- {{ openshift.common.client_binary }} env dc/docker-registry
- REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
- REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
-
-- name: Determine if registry liveness probe scheme is HTTPS
- command: >
- {{ openshift.common.client_binary }} get dc/docker-registry
- -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_liveness_probe
- changed_when: false
-
-# This command is on a single line to preserve patch json.
-- name: Update registry liveness probe from HTTP to HTTPS
- command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
- when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
-
-- name: Determine if registry readiness probe scheme is HTTPS
- command: >
- {{ openshift.common.client_binary }} get dc/docker-registry
- -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_readiness_probe
- changed_when: false
+- name: Set facts for secure registry
+ set_fact:
+ registry_secure_volume_mounts:
+ - name: registry-certificates
+ path: /etc/secrets
+ type: secret
+ secret_name: registry-certificates
+ registry_secure_env_vars:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
+ REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
+ registry_secure_edits:
+ - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
+ value: HTTPS
+ action: put
+ - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
+ value: HTTPS
+ action: put
-# This command is on a single line to preserve patch json.
-- name: Update registry readiness probe from HTTP to HTTPS
- command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
- when: "'HTTPS' not in docker_registry_readiness_probe.stdout"
+- name: Update openshift_hosted facts with secure registry variables
+ set_fact:
+ openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
+ openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
+ openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
+ openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}"
diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
index 15128784e..3dde83bee 100644
--- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
@@ -1,105 +1,52 @@
---
-- fail:
+- name: Assert supported openshift.hosted.registry.storage.provider
+ assert:
+ that:
+ - openshift.hosted.registry.storage.provider in ['azure_blob', 's3', 'swift']
msg: >
- Object Storage Provider: {{ openshift.hosted.registry.storage.provider }}
+ Object Storage Provider: "{{ openshift.hosted.registry.storage.provider }}"
is not currently supported
- when: openshift.hosted.registry.storage.provider not in ['azure_blob', 's3', 'swift']
-- fail:
+- name: Assert implemented openshift.hosted.registry.storage.provider
+ assert:
+ that:
+ - openshift.hosted.registry.storage.provider not in ['azure_blob', 'swift']
msg: >
Support for provider: "{{ openshift.hosted.registry.storage.provider }}"
not implemented yet
- when: openshift.hosted.registry.storage.provider in ['azure_blob', 'swift']
- include: s3.yml
when: openshift.hosted.registry.storage.provider == 's3'
-- name: Test if docker registry config secret exists
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- get secrets {{ registry_config_secret_name }} -o json
- register: secrets
- changed_when: false
- failed_when: false
-
-- set_fact:
- registry_config: "{{ lookup('template', 'registry_config.j2') | b64encode }}"
-
-- set_fact:
- registry_config_secret: "{{ lookup('template', 'registry_config_secret.j2') | from_yaml }}"
-
-- set_fact:
- same_storage_provider: "{{ (secrets.stdout|from_json)['metadata']['annotations']['provider'] | default(none) == openshift.hosted.registry.storage.provider }}"
- when: secrets.rc == 0
-
-- name: Update registry config secret
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- patch secret/{{ registry_config_secret_name }}
- -p '{"data": {"config.yml": "{{ registry_config }}"}}'
- register: update_config_secret
- when: secrets.rc == 0 and (secrets.stdout|from_json)['data']['config.yml'] != registry_config and same_storage_provider | bool
-
-- name: Create registry config secret
- shell: >
- echo '{{ registry_config_secret |to_json }}' |
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- create -f -
- when: secrets.rc == 1
+- name: Ensure the resgistry secret exists
+ oc_secret:
+ name: "{{ registry_config_secret_name }}"
+ state: present
+ contents:
+ - path: /tmp/config.yml
+ data: "{{ lookup('template', 'registry_config.j2') }}"
+ register: registry_config_out
- name: Add secrets to registry service account
oc_serviceaccount_secret:
service_account: registry
secret: "{{ registry_config_secret_name }}"
- namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
- kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
state: present
-
-- name: Determine if deployment config contains secrets
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- set volumes dc/docker-registry --list
- register: volume
- changed_when: false
-
-- name: Add secrets to registry deployment config
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- set volumes dc/docker-registry --add --name=docker-config -m /etc/registry
- --type=secret --secret-name={{ registry_config_secret_name }}
- when: registry_config_secret_name not in volume.stdout
-
-- name: Determine if registry environment variable needs to be created
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- set env --list dc/docker-registry
- register: oc_env
- changed_when: false
-
-- name: Add registry environment variable
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- set env dc/docker-registry REGISTRY_CONFIGURATION_PATH=/etc/registry/config.yml
- when: "'REGISTRY_CONFIGURATION_PATH' not in oc_env.stdout"
-
-- name: Redeploy registry
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- deploy dc/docker-registry --latest
- when: secrets.rc == 0 and not update_config_secret | skipped and update_config_secret.rc == 0 and same_storage_provider | bool
+ register: svcac
+
+- name: Set facts for registry object storage
+ set_fact:
+ registry_obj_storage_volume_mounts:
+ - name: docker-config
+ path: /etc/registry
+ type: secret
+ secret_name: "{{ registry_config_secret_name }}"
+ registry_obj_storage_env_vars:
+ REGISTRY_CONFIGURATION_PATH: /etc/registry/config.yml
+
+- name: Update openshift_hosted registry facts for storage
+ set_fact:
+ openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_obj_storage_volume_mounts) }}"
+ openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_obj_storage_env_vars) }}"
+ openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_config_out.changed]) | union([svcac.changed]) }}"
diff --git a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml b/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml
deleted file mode 100644
index 0172f5ca0..000000000
--- a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-- set_fact:
- registry_volume_claim: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
-
-- name: Determine if volume is already attached to dc/docker-registry
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- get -o template dc/docker-registry --template=\\{\\{.spec.template.spec.volumes\\}\\} --output-version=v1
- changed_when: false
- failed_when: false
- register: registry_volumes_output
-
-- set_fact:
- volume_attached: "{{ registry_volume_claim in (registry_volumes_output).stdout | default(['']) }}"
-
-- name: Add volume to dc/docker-registry
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- volume dc/docker-registry
- --add --overwrite -t persistentVolumeClaim --claim-name={{ registry_volume_claim }}
- --name=registry-storage
- when: not volume_attached | bool
diff --git a/roles/openshift_hosted/tasks/registry/storage/s3.yml b/roles/openshift_hosted/tasks/registry/storage/s3.yml
index 16709dfef..69b91be0b 100644
--- a/roles/openshift_hosted/tasks/registry/storage/s3.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/s3.yml
@@ -1,47 +1,48 @@
---
-- fail:
- msg: >
- openshift_hosted_registry_storage_s3_accesskey and
- openshift_hosted_registry_storage_s3_secretkey are required
- when: openshift.hosted.registry.storage.s3.accesskey | default(none) is none or openshift.hosted.registry.storage.s3.secretkey | default(none) is none
-
-- fail:
- msg: >
- openshift_hosted_registry_storage_s3_bucket and
- openshift_hosted_registry_storage_s3_region are required
- when: openshift.hosted.registry.storage.s3.bucket | default(none) is none or openshift.hosted.registry.storage.s3.region | default(none) is none
+- name: Assert that S3 variables are provided for registry_config template
+ assert:
+ that:
+ - openshift.hosted.registry.storage.s3.accesskey | default(none) is not none
+ - openshift.hosted.registry.storage.s3.secretkey | default(none) is not none
+ - openshift.hosted.registry.storage.s3.bucket | default(none) is not none
+ - openshift.hosted.registry.storage.s3.region | default(none) is not none
+ msg: |
+ When using S3 storage, the following variables are required:
+ openshift_hosted_registry_storage_s3_accesskey
+ openshift_hosted_registry_storage_s3_secretkey
+ openshift_hosted_registry_storage_s3_bucket
+ openshift_hosted_registry_storage_s3_region
-# If cloudfront is being used, fail if we don't have all the required variables
-- assert:
+- name: If cloudfront is being used, assert that we have all the required variables
+ assert:
that:
- - "openshift_hosted_registry_storage_s3_cloudfront_baseurl is not defined or openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile | default(none) is not none"
- - "openshift_hosted_registry_storage_s3_cloudfront_baseurl is not defined or openshift_hosted_registry_storage_s3_cloudfront_keypairid | default(none) is not none"
- msg: >
+ - "openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile | default(none) is not none"
+ - "openshift_hosted_registry_storage_s3_cloudfront_keypairid | default(none) is not none"
+ msg: |
When openshift_hosted_registry_storage_s3_cloudfront_baseurl is provided
- openshift_hosted_registry_storage_s3_cloudfront_keypairid and
- openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required
-
+ openshift_hosted_registry_storage_s3_cloudfront_keypairid and
+ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required
+ when: openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined
# Inject the cloudfront private key as a secret when required
- block:
- - name: Create registry secret for cloudfront
- oc_secret:
- state: present
- namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
- name: docker-registry-s3-cloudfront
- contents:
- - path: cloudfront.pem
- data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}"
+ - name: Create registry secret for cloudfront
+ oc_secret:
+ state: present
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+ name: docker-registry-s3-cloudfront
+ contents:
+ - path: cloudfront.pem
+ data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}"
- - name: Add cloudfront secret to the registry deployment config
- command: >
- oc volume dc/docker-registry --add --name=cloudfront-vol
- --namespace="{{ openshift.hosted.registry.namespace | default('default') }}"
- -m /etc/origin --type=secret --secret-name=docker-registry-s3-cloudfront
- register: cloudfront_vol_attach
- failed_when:
- - "'already exists' not in cloudfront_vol_attach.stderr"
- - "cloudfront_vol_attach.rc != 0"
+ - name: Add cloudfront secret to the registry volumes
+ set_fact:
+ s3_volume_mount:
+ - name: cloudfront-vol
+ path: /etc/origin
+ type: secret
+ secret_name: docker-registry-s3-cloudfront
+ openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(s3_volume_mount) }}"
when: openshift_hosted_registry_storage_s3_cloudfront_baseurl | default(none) is not none
diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml
index 3d5713d6b..607ace7f9 100644
--- a/roles/openshift_hosted/tasks/router/router.yml
+++ b/roles/openshift_hosted/tasks/router/router.yml
@@ -1,104 +1,91 @@
---
-- fail:
- msg: "'certfile', 'keyfile' and 'cafile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
- when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate or 'cafile' not in openshift_hosted_router_certificate)
+- name: Retrieve list of openshift nodes matching router selector
+ oc_obj:
+ state: list
+ kind: node
+ namespace: "{{ openshift.hosted.router.namespace | default('default') }}"
+ selector: "{{ openshift.hosted.router.selector | default(omit) }}"
+ register: router_nodes
+ when: openshift.hosted.router.replicas | default(none) is none
-- name: Read router certificate and key
- become: no
- local_action:
- module: slurp
- src: "{{ item }}"
- register: openshift_router_certificate_output
- # Defaulting dictionary keys to none to avoid deprecation warnings
- # (future fatal errors) during template evaluation. Dictionary keys
- # won't be accessed unless openshift_hosted_router_certificate is
- # defined and has all keys (certfile, keyfile, cafile) which we
- # check above.
- with_items:
- - "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}"
- - "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}"
- - "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}"
- when: openshift_hosted_router_certificate is defined
+- name: set_fact replicas
+ set_fact:
+ replicas: "{{ openshift.hosted.router.replicas|default(None) | get_router_replicas(router_nodes) }}"
-- name: Persist certificate contents
- openshift_facts:
- role: hosted
- openshift_env:
- openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
- when: openshift_hosted_router_certificate is defined
+- block:
-- name: Create PEM certificate
- copy:
- content: "{{ openshift.hosted.router.certificate.contents }}"
- dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
- mode: 0600
- when: "'certificate' in openshift.hosted.router and 'contents' in openshift.hosted.router.certificate"
+ - name: Assert that 'certfile', 'keyfile' and 'cafile' keys provided in openshift_hosted_router_certificate
+ assert:
+ that:
+ - "'certfile' in openshift_hosted_router_certificate"
+ - "'keyfile' in openshift_hosted_router_certificate"
+ - "'cafile' in openshift_hosted_router_certificate"
+ msg: "'certfile', 'keyfile' and 'cafile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
-- name: Retrieve list of openshift nodes matching router selector
- command: >
- {{ openshift.common.client_binary }} --api-version='v1' -o json
- get nodes -n default --config={{ openshift_hosted_kubeconfig }}
- --selector={{ openshift.hosted.router.selector | default('') }}
- register: router_nodes_json
- changed_when: false
- when: openshift.hosted.router.replicas | default(none) is none
+ - name: Read router certificate and key
+ become: no
+ local_action:
+ module: slurp
+ src: "{{ item }}"
+ register: openshift_router_certificate_output
+ # Defaulting dictionary keys to none to avoid deprecation warnings
+ # (future fatal errors) during template evaluation. Dictionary keys
+ # won't be accessed unless openshift_hosted_router_certificate is
+ # defined and has all keys (certfile, keyfile, cafile) which we
+ # check above.
+ with_items:
+ - "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}"
+ - "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}"
+ - "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}"
-- set_fact:
- replicas: "{{ openshift.hosted.router.replicas | default((router_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length) }}"
+ - name: Persist certificate contents
+ openshift_facts:
+ role: hosted
+ openshift_env:
+ openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
-- name: Create OpenShift router
- command: >
- {{ openshift.common.client_binary }} adm router --create
- --config={{ openshift_hosted_kubeconfig }}
- {% if replicas > 1 -%}
- --replicas={{ replicas }}
- {% endif -%}
- {% if 'certificate' in openshift.hosted.router and 'contents' in openshift.hosted.router.certificate -%}
- --default-cert={{ openshift_master_config_dir }}/openshift-router.pem
- {% endif -%}
- --namespace={{ openshift.hosted.router.namespace | default('default') }}
- {% if openshift.hosted.router.force_subdomain | default(none) is not none %}
- --force-subdomain={{ openshift.hosted.router.force_subdomain }}
- {% endif %}
- --service-account=router
- {% if openshift.hosted.router.selector | default(none) is not none -%}
- --selector='{{ openshift.hosted.router.selector }}'
- {% endif -%}
- {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%}
- --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig
- {% endif -%}
- {% if openshift.hosted.router.registryurl | default(none) is not none -%}
- --images='{{ openshift.hosted.router.registryurl }}'
- {% endif -%}
- {% if openshift.hosted.router.name | default(none) is not none -%}
- {{ openshift.hosted.router.name }}
- {% endif -%}
+ - name: Create PEM certificate
+ copy:
+ content: "{{ openshift.hosted.router.certificate.contents }}"
+ dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
+ mode: 0600
- register: openshift_hosted_router_results
- changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
- failed_when: "openshift_hosted_router_results.rc != 0 and 'service exists' not in openshift_hosted_router_results.stdout and 'deployment_config' not in openshift_hosted_router_results.stderr and 'service' not in openshift_hosted_router_results.stderr"
- when: replicas | int > 0
+ when: openshift_hosted_router_certificate is defined
-- command: >
- {{ openshift.common.client_binary }}
- {% if openshift.hosted.router.name | default(none) is not none -%}
- get dc/{{ openshift.hosted.router.name }}
- {% else %}
- get dc/router
- {% endif%}
- --template=\\{\\{.spec.replicas\\}\\}
- --namespace={{ openshift.hosted.router.namespace | default('default') }}
- register: current_replicas
- when: replicas | int > 0
+- name: Create OpenShift router
+ oc_adm_router:
+ name: "{{ openshift.hosted.router.name | default('router') }}"
+ replicas: "{{ replicas }}"
+ namespace: "{{ openshift.hosted.router.namespace | default('default') }}"
+ # This option is not yet implemented
+ # force_subdomain: "{{ openshift.hosted.router.force_subdomain | default(none) }}"
+ service_account: router
+ selector: "{{ openshift.hosted.router.selector | default(none) }}"
+ images: "{{ openshift.hosted.router.registryurl | default(none) }}"
+ default_cert: "{{ openshift_hosted_router_certificate is defined | default(false) | ternary(openshift_master_config_dir + '/openshift-router.pem', omit) }}"
+ # These edits are being specified only to prevent 'changed' on rerun
+ edits:
+ - key: spec.strategy.rollingParams.intervalSeconds
+ value: 1
+ action: put
+ - key: spec.strategy.rollingParams.updatePeriodSeconds
+ value: 1
+ action: put
+ - key: spec.strategy.activeDeadlineSeconds
+ value: 21600
+ action: put
+ register: routerout
+
+# This should probably move to module
+- name: wait for deploy
+ pause:
+ seconds: 30
+ when: routerout.changed
- name: Ensure router replica count matches desired
- command: >
- {{ openshift.common.client_binary }}
- scale --replicas={{ replicas }}
- {% if openshift.hosted.router.name | default(none) is not none -%}
- dc/{{ openshift.hosted.router.name }}
- {% else %}
- dc/router
- {% endif%}
- --namespace={{ openshift.hosted.router.namespace | default('default') }}
- when: replicas | int > 0 and replicas | int != current_replicas.stdout | int
+ oc_scale:
+ kind: dc
+ name: "{{ openshift.hosted.router.name | default('router') }}"
+ namespace: "{{ openshift.hosted.router.namespace | default('default') }}"
+ replicas: "{{ replicas }}"
+ when: replicas | int > 0
diff --git a/roles/openshift_logging/templates/elasticsearch.yml.j2 b/roles/openshift_logging/templates/elasticsearch.yml.j2
index 8021a476d..f2d098f10 100644
--- a/roles/openshift_logging/templates/elasticsearch.yml.j2
+++ b/roles/openshift_logging/templates/elasticsearch.yml.j2
@@ -8,7 +8,7 @@ script:
index:
number_of_shards: 1
number_of_replicas: 0
- auto_expand_replicas: 0-3
+ auto_expand_replicas: 0-2
unassigned.node_left.delayed_timeout: 2m
translog:
flush_threshold_size: 256mb
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
index ef322bd7d..7f7bc4316 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
@@ -40,7 +40,7 @@ class LookupModule(LookupBase):
# pylint: disable=line-too-long
raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
if deployment_type == 'origin':
- if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
+ if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', '3.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
elif deployment_type == 'openshift-enterprise':
if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
@@ -48,17 +48,17 @@ class LookupModule(LookupBase):
else:
raise AnsibleError("Unknown deployment_type %s" % deployment_type)
- if deployment_type == 'openshift-enterprise':
- # convert short_version to origin short_version
- short_version = re.sub('^3.', '1.', short_version)
+ if deployment_type == 'origin':
+ # convert short_version to enterpise short_version
+ short_version = re.sub('^1.', '3.', short_version)
if short_version == 'latest':
- short_version = '1.6'
+ short_version = '3.6'
# Predicates ordered according to OpenShift Origin source:
# origin/vendor/k8s.io/kubernetes/plugin/pkg/scheduler/algorithmprovider/defaults/defaults.go
- if short_version == '1.1':
+ if short_version == '3.1':
predicates.extend([
{'name': 'PodFitsHostPorts'},
{'name': 'PodFitsResources'},
@@ -66,7 +66,7 @@ class LookupModule(LookupBase):
{'name': 'MatchNodeSelector'},
])
- if short_version == '1.2':
+ if short_version == '3.2':
predicates.extend([
{'name': 'PodFitsHostPorts'},
{'name': 'PodFitsResources'},
@@ -77,7 +77,7 @@ class LookupModule(LookupBase):
{'name': 'MaxGCEPDVolumeCount'}
])
- if short_version == '1.3':
+ if short_version == '3.3':
predicates.extend([
{'name': 'NoDiskConflict'},
{'name': 'NoVolumeZoneConflict'},
@@ -88,7 +88,7 @@ class LookupModule(LookupBase):
{'name': 'CheckNodeMemoryPressure'}
])
- if short_version == '1.4':
+ if short_version == '3.4':
predicates.extend([
{'name': 'NoDiskConflict'},
{'name': 'NoVolumeZoneConflict'},
@@ -101,7 +101,7 @@ class LookupModule(LookupBase):
{'name': 'MatchInterPodAffinity'}
])
- if short_version in ['1.5', '1.6']:
+ if short_version in ['3.5', '3.6']:
predicates.extend([
{'name': 'NoVolumeZoneConflict'},
{'name': 'MaxEBSVolumeCount'},
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
index 6ad40e748..66e6ecea3 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
@@ -41,7 +41,7 @@ class LookupModule(LookupBase):
raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
if deployment_type == 'origin':
- if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
+ if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', '3.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
elif deployment_type == 'openshift-enterprise':
if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
@@ -49,21 +49,21 @@ class LookupModule(LookupBase):
else:
raise AnsibleError("Unknown deployment_type %s" % deployment_type)
- if deployment_type == 'openshift-enterprise':
+ if deployment_type == 'origin':
# convert short_version to origin short_version
- short_version = re.sub('^3.', '1.', short_version)
+ short_version = re.sub('^1.', '3.', short_version)
if short_version == 'latest':
- short_version = '1.6'
+ short_version = '3.6'
- if short_version == '1.1':
+ if short_version == '3.1':
priorities.extend([
{'name': 'LeastRequestedPriority', 'weight': 1},
{'name': 'BalancedResourceAllocation', 'weight': 1},
{'name': 'SelectorSpreadPriority', 'weight': 1}
])
- if short_version == '1.2':
+ if short_version == '3.2':
priorities.extend([
{'name': 'LeastRequestedPriority', 'weight': 1},
{'name': 'BalancedResourceAllocation', 'weight': 1},
@@ -71,7 +71,7 @@ class LookupModule(LookupBase):
{'name': 'NodeAffinityPriority', 'weight': 1}
])
- if short_version == '1.3':
+ if short_version == '3.3':
priorities.extend([
{'name': 'LeastRequestedPriority', 'weight': 1},
{'name': 'BalancedResourceAllocation', 'weight': 1},
@@ -80,7 +80,7 @@ class LookupModule(LookupBase):
{'name': 'TaintTolerationPriority', 'weight': 1}
])
- if short_version == '1.4':
+ if short_version == '3.4':
priorities.extend([
{'name': 'LeastRequestedPriority', 'weight': 1},
{'name': 'BalancedResourceAllocation', 'weight': 1},
@@ -91,7 +91,7 @@ class LookupModule(LookupBase):
{'name': 'InterPodAffinityPriority', 'weight': 1}
])
- if short_version in ['1.5', '1.6']:
+ if short_version in ['3.5', '3.6']:
priorities.extend([
{'name': 'SelectorSpreadPriority', 'weight': 1},
{'name': 'InterPodAffinityPriority', 'weight': 1},
diff --git a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
index 25294d91a..5a9e545a3 100644
--- a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
+++ b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
@@ -76,6 +76,7 @@ TEST_VARS = [
('1.5', 'origin', DEFAULT_PREDICATES_1_5),
('3.5', 'openshift-enterprise', DEFAULT_PREDICATES_1_5),
('1.6', 'origin', DEFAULT_PREDICATES_1_5),
+ ('3.6', 'origin', DEFAULT_PREDICATES_1_5),
('3.6', 'openshift-enterprise', DEFAULT_PREDICATES_1_5),
]
diff --git a/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py b/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py
index cec44faa4..81d3ee19e 100644
--- a/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py
+++ b/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py
@@ -64,6 +64,7 @@ TEST_VARS = [
('1.5', 'origin', DEFAULT_PRIORITIES_1_5),
('3.5', 'openshift-enterprise', DEFAULT_PRIORITIES_1_5),
('1.6', 'origin', DEFAULT_PRIORITIES_1_5),
+ ('3.6', 'origin', DEFAULT_PRIORITIES_1_5),
('3.6', 'openshift-enterprise', DEFAULT_PRIORITIES_1_5),
]
diff --git a/roles/openshift_metrics/files/import_jks_certs.sh b/roles/openshift_metrics/files/import_jks_certs.sh
index f4315ef34..c8d5bb3d2 100755
--- a/roles/openshift_metrics/files/import_jks_certs.sh
+++ b/roles/openshift_metrics/files/import_jks_certs.sh
@@ -24,11 +24,10 @@ function import_certs() {
hawkular_cassandra_keystore_password=$(echo $CASSANDRA_KEYSTORE_PASSWD | base64 -d)
hawkular_metrics_truststore_password=$(echo $METRICS_TRUSTSTORE_PASSWD | base64 -d)
hawkular_cassandra_truststore_password=$(echo $CASSANDRA_TRUSTSTORE_PASSWD | base64 -d)
- hawkular_jgroups_password=$(echo $JGROUPS_PASSWD | base64 -d)
-
+
cassandra_alias=`keytool -noprompt -list -keystore $dir/hawkular-cassandra.truststore -storepass ${hawkular_cassandra_truststore_password} | sed -n '7~2s/,.*$//p'`
hawkular_alias=`keytool -noprompt -list -keystore $dir/hawkular-metrics.truststore -storepass ${hawkular_metrics_truststore_password} | sed -n '7~2s/,.*$//p'`
-
+
if [ ! -f $dir/hawkular-metrics.keystore ]; then
echo "Creating the Hawkular Metrics keystore from the PEM file"
keytool -importkeystore -v \
@@ -50,7 +49,7 @@ function import_certs() {
-srcstorepass $hawkular_cassandra_keystore_password \
-deststorepass $hawkular_cassandra_keystore_password
fi
-
+
if [[ ! ${cassandra_alias[*]} =~ hawkular-metrics ]]; then
echo "Importing the Hawkular Certificate into the Cassandra Truststore"
keytool -noprompt -import -v -trustcacerts -alias hawkular-metrics \
@@ -59,7 +58,7 @@ function import_certs() {
-trustcacerts \
-storepass $hawkular_cassandra_truststore_password
fi
-
+
if [[ ! ${hawkular_alias[*]} =~ hawkular-cassandra ]]; then
echo "Importing the Cassandra Certificate into the Hawkular Truststore"
keytool -noprompt -import -v -trustcacerts -alias hawkular-cassandra \
@@ -101,16 +100,6 @@ function import_certs() {
-storepass $hawkular_metrics_truststore_password
fi
done
-
- if [ ! -f $dir/hawkular-jgroups.keystore ]; then
- echo "Generating the jgroups keystore"
- keytool -genseckey -alias hawkular -keypass ${hawkular_jgroups_password} \
- -storepass ${hawkular_jgroups_password} \
- -keyalg Blowfish \
- -keysize 56 \
- -keystore $dir/hawkular-jgroups.keystore \
- -storetype JCEKS
- fi
}
import_certs
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
index 9e7140bfa..61a240a33 100644
--- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -24,7 +24,6 @@
with_items:
- hawkular-metrics.pwd
- hawkular-metrics.htpasswd
- - hawkular-jgroups-keystore.pwd
changed_when: no
- set_fact:
@@ -32,11 +31,10 @@
with_items: "{{pwd_file_stat.results}}"
changed_when: no
-- name: generate password for hawkular metrics and jgroups
+- name: generate password for hawkular metrics
local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}"
with_items:
- hawkular-metrics
- - hawkular-jgroups-keystore
- name: generate htpasswd file for hawkular metrics
local_action: >
@@ -51,7 +49,6 @@
with_items:
- hawkular-metrics.pwd
- hawkular-metrics.htpasswd
- - hawkular-jgroups-keystore.pwd
- include: import_jks_certs.yaml
@@ -69,8 +66,6 @@
- hawkular-metrics-truststore.pwd
- hawkular-metrics.pwd
- hawkular-metrics.htpasswd
- - hawkular-jgroups.keystore
- - hawkular-jgroups-keystore.pwd
- hawkular-cassandra.crt
- hawkular-cassandra.pem
- hawkular-cassandra.keystore
@@ -104,11 +99,6 @@
hawkular-metrics.keystore.alias: "{{ 'hawkular-metrics'|b64encode }}"
hawkular-metrics.htpasswd.file: >
{{ hawkular_secrets['hawkular-metrics.htpasswd'] }}
- hawkular-metrics.jgroups.keystore: >
- {{ hawkular_secrets['hawkular-jgroups.keystore'] }}
- hawkular-metrics.jgroups.keystore.password: >
- {{ hawkular_secrets['hawkular-jgroups-keystore.pwd'] }}
- hawkular-metrics.jgroups.alias: "{{ 'hawkular'|b64encode }}"
when: name not in metrics_secrets.stdout_lines
changed_when: no
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
index 57ec70c79..2a67dad0e 100644
--- a/roles/openshift_metrics/tasks/import_jks_certs.yaml
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -15,10 +15,6 @@
register: metrics_truststore
check_mode: no
-- stat: path="{{mktemp.stdout}}/hawkular-jgroups.keystore"
- register: jgroups_keystore
- check_mode: no
-
- block:
- slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd
register: metrics_keystore_password
@@ -26,9 +22,6 @@
- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd
register: cassandra_keystore_password
- - slurp: src={{ mktemp.stdout }}/hawkular-jgroups-keystore.pwd
- register: jgroups_keystore_password
-
- fetch:
dest: "{{local_tmp.stdout}}/"
src: "{{ mktemp.stdout }}/{{item}}"
@@ -48,7 +41,6 @@
CASSANDRA_KEYSTORE_PASSWD: "{{cassandra_keystore_password.content}}"
METRICS_TRUSTSTORE_PASSWD: "{{hawkular_truststore_password.content}}"
CASSANDRA_TRUSTSTORE_PASSWD: "{{cassandra_truststore_password.content}}"
- JGROUPS_PASSWD: "{{jgroups_keystore_password.content}}"
changed_when: False
- copy:
@@ -59,5 +51,4 @@
when: not metrics_keystore.stat.exists or
not metrics_truststore.stat.exists or
not cassandra_keystore.stat.exists or
- not cassandra_truststore.stat.exists or
- not jgroups_keystore.stat.exists
+ not cassandra_truststore.stat.exists
diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
index d39f1b43a..361378df3 100644
--- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
@@ -58,9 +58,6 @@ spec:
- "--hmw.truststore=/secrets/hawkular-metrics.truststore"
- "--hmw.keystore_password_file=/secrets/hawkular-metrics.keystore.password"
- "--hmw.truststore_password_file=/secrets/hawkular-metrics.truststore.password"
- - "--hmw.jgroups_keystore=/secrets/hawkular-metrics.jgroups.keystore"
- - "--hmw.jgroups_keystore_password_file=/secrets/hawkular-metrics.jgroups.keystore.password"
- - "--hmw.jgroups_alias_file=/secrets/hawkular-metrics.jgroups.alias"
env:
- name: POD_NAMESPACE
valueFrom:
@@ -68,6 +65,8 @@ spec:
fieldPath: metadata.namespace
- name: MASTER_URL
value: "{{ openshift_metrics_master_url }}"
+ - name: JGROUPS_PASSWORD
+ value: "{{ 17 | oo_random_word }}"
- name: OPENSHIFT_KUBE_PING_NAMESPACE
valueFrom:
fieldRef:
@@ -81,10 +80,10 @@ spec:
mountPath: "/secrets"
- name: hawkular-metrics-client-secrets
mountPath: "/client-secrets"
-{% if ((openshift_metrics_hawkular_limits_cpu is defined and openshift_metrics_hawkular_limits_cpu is not none)
+{% if ((openshift_metrics_hawkular_limits_cpu is defined and openshift_metrics_hawkular_limits_cpu is not none)
or (openshift_metrics_hawkular_limits_memory is defined and openshift_metrics_hawkular_limits_memory is not none)
or (openshift_metrics_hawkular_requests_cpu is defined and openshift_metrics_hawkular_requests_cpu is not none)
- or (openshift_metrics_hawkular_requests_memory is defined and openshift_metrics_hawkular_requests_memory is not none))
+ or (openshift_metrics_hawkular_requests_memory is defined and openshift_metrics_hawkular_requests_memory is not none))
%}
resources:
{% if (openshift_metrics_hawkular_limits_cpu is not none
@@ -98,8 +97,8 @@ spec:
memory: "{{openshift_metrics_hawkular_limits_memory}}"
{% endif %}
{% endif %}
-{% if (openshift_metrics_hawkular_requests_cpu is not none
- or openshift_metrics_hawkular_requests_memory is not none)
+{% if (openshift_metrics_hawkular_requests_cpu is not none
+ or openshift_metrics_hawkular_requests_memory is not none)
%}
requests:
{% if openshift_metrics_hawkular_requests_cpu is not none %}