diff options
Diffstat (limited to 'roles')
41 files changed, 323 insertions, 171 deletions
diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml index fa982d533..dc05b03b5 100644 --- a/roles/ansible_service_broker/defaults/main.yml +++ b/roles/ansible_service_broker/defaults/main.yml @@ -13,7 +13,4 @@ ansible_service_broker_launch_apb_on_bind: false ansible_service_broker_image_pull_policy: IfNotPresent ansible_service_broker_sandbox_role: edit -ansible_service_broker_auto_escalate: true -ansible_service_broker_registry_tag: latest -ansible_service_broker_registry_whitelist: - - '.*-apb$' +ansible_service_broker_auto_escalate: false diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 9a91927b8..66c3d9cc4 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -22,23 +22,14 @@ ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}" ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}" ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}" - - ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/service-catalog" + ansible_service_broker_registry_tag: "{{ ansible_service_broker_registry_tag | default(__ansible_service_broker_registry_tag) }}" + ansible_service_broker_registry_whitelist: "{{ ansible_service_broker_registry_whitelist | default(__ansible_service_broker_registry_whitelist) }}" - name: set ansible-service-broker image facts using set prefix and tag set_fact: ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}" ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}" -- set_fact: - openshift_master_config_dir: "{{ openshift.common.config_base }}/master" - when: openshift_master_config_dir is undefined - -- slurp: - src: "{{ openshift_master_config_dir }}/service-signer.crt" - register: catalog_ca - - - include: validate_facts.yml @@ -83,13 +74,12 @@ state: present name: asb-access rules: - - nonResourceURLs: ["/ansible-service-broker", "ansible-service-broker/*"] + - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"] verbs: ["get", "post", "put", "patch", "delete"] - name: Bind admin cluster-role to asb serviceaccount oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: admin user: "system:serviceaccount:openshift-ansible-service-broker:asb" @@ -97,7 +87,6 @@ - name: Bind auth cluster role to asb service account oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-auth user: "system:serviceaccount:openshift-ansible-service-broker:asb" @@ -105,7 +94,6 @@ - name: Bind asb-access role to asb-client service account oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-access user: "system:serviceaccount:openshift-ansible-service-broker:asb-client" @@ -113,6 +101,7 @@ - name: create asb-client token secret oc_obj: name: asb-client + namespace: openshift-ansible-service-broker state: present kind: Secret content: @@ -122,10 +111,20 @@ kind: Secret metadata: name: asb-client + namespace: openshift-ansible-service-broker annotations: kubernetes.io/service-account.name: asb-client type: kubernetes.io/service-account-token +- oc_secret: + state: list + namespace: openshift-ansible-service-broker + name: asb-client + register: asb_client_secret + +- set_fact: + service_ca_crt: asb_client_secret.results.results.0.data['service-ca.crt'] + # Using oc_obj because oc_service doesn't seem to allow annotations # TODO: Extend oc_service to allow annotations - name: create ansible-service-broker service @@ -141,6 +140,7 @@ kind: Service metadata: name: asb + namespace: openshift-ansible-service-broker labels: app: openshift-ansible-service-broker service: asb @@ -354,11 +354,11 @@ metadata: name: ansible-service-broker spec: - url: http://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker + url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker authInfo: bearer: secretRef: name: asb-client namespace: openshift-ansible-service-broker kind: Secret - caBundle: "{{ catalog_ca.content }}" + caBundle: "{{ service_ca_crt }}" diff --git a/roles/ansible_service_broker/tasks/remove.yml b/roles/ansible_service_broker/tasks/remove.yml index f0a6be226..51b86fb26 100644 --- a/roles/ansible_service_broker/tasks/remove.yml +++ b/roles/ansible_service_broker/tasks/remove.yml @@ -85,9 +85,9 @@ - name: remove secret for broker auth oc_obj: - name: asb-auth-secret + name: asb-client namespace: openshift-ansible-service-broker - kind: Broker + kind: Secret state: absent # TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following: @@ -99,11 +99,17 @@ kind: ConfigMap # TODO: Is this going to work? +- shell: > + oc get apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found" + register: get_apiservices + changed_when: no + - name: remove broker object from the catalog oc_obj: name: ansible-service-broker state: absent - kind: ServiceBroker + kind: ClusterServiceBroker + when: not "'not found' in get_apiservices.stdout" - name: remove openshift-ansible-service-broker project oc_project: diff --git a/roles/ansible_service_broker/vars/default_images.yml b/roles/ansible_service_broker/vars/default_images.yml index 3e9639adf..8438e993f 100644 --- a/roles/ansible_service_broker/vars/default_images.yml +++ b/roles/ansible_service_broker/vars/default_images.yml @@ -13,3 +13,5 @@ __ansible_service_broker_registry_url: null __ansible_service_broker_registry_user: null __ansible_service_broker_registry_password: null __ansible_service_broker_registry_organization: null +__ansible_service_broker_registry_tag: latest +__ansible_service_broker_registry_whitelist: [] diff --git a/roles/ansible_service_broker/vars/openshift-enterprise.yml b/roles/ansible_service_broker/vars/openshift-enterprise.yml index 9c576cb76..fc58b4fd8 100644 --- a/roles/ansible_service_broker/vars/openshift-enterprise.yml +++ b/roles/ansible_service_broker/vars/openshift-enterprise.yml @@ -1,7 +1,7 @@ --- __ansible_service_broker_image_prefix: registry.access.redhat.com/openshift3/ose- -__ansible_service_broker_image_tag: v3.6 +__ansible_service_broker_image_tag: v3.7 __ansible_service_broker_etcd_image_prefix: rhel7/ __ansible_service_broker_etcd_image_tag: latest @@ -14,3 +14,6 @@ __ansible_service_broker_registry_url: "https://registry.access.redhat.com" __ansible_service_broker_registry_user: null __ansible_service_broker_registry_password: null __ansible_service_broker_registry_organization: null +__ansible_service_broker_registry_tag: v3.7 +__ansible_service_broker_registry_whitelist: + - '.*-apb$' diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index f73f90686..5ea73568a 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -10,6 +10,15 @@ l_use_crio: "{{ openshift_use_crio | default(False) }}" l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}" +- name: Add enterprise registry, if necessary + set_fact: + l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}" + when: + - openshift.common.deployment_type == 'openshift-enterprise' + - openshift_docker_ent_reg != '' + - openshift_docker_ent_reg not in l2_docker_additional_registries + - not l_use_crio_only + - name: Use Package Docker if Requested include: package_docker.yml when: diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index 7ccab37a5..b16413f72 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -52,14 +52,6 @@ - restart docker when: not (os_firewall_use_firewalld | default(False)) | bool -- name: Add enterprise registry, if necessary - set_fact: - l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}" - when: - - openshift.common.deployment_type == 'openshift-enterprise' - - openshift_docker_ent_reg != '' - - openshift_docker_ent_reg not in l2_docker_additional_registries - - stat: path=/etc/sysconfig/docker register: docker_check @@ -161,16 +153,6 @@ - set_fact: docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}" -- name: Check for credentials file for registry auth - stat: - path: "{{ docker_cli_auth_config_path }}/config.json" - when: oreg_auth_user is defined - register: docker_cli_auth_credentials_stat - -- name: Create credentials for docker cli registry auth - command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" - when: - - oreg_auth_user is defined - - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool +- include: registry_auth.yml - meta: flush_handlers diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml new file mode 100644 index 000000000..65ed60efa --- /dev/null +++ b/roles/docker/tasks/registry_auth.yml @@ -0,0 +1,12 @@ +--- +- name: Check for credentials file for registry auth + stat: + path: "{{ docker_cli_auth_config_path }}/config.json" + when: oreg_auth_user is defined + register: docker_cli_auth_credentials_stat + +- name: Create credentials for docker cli registry auth + command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" + when: + - oreg_auth_user is defined + - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index a79600930..13bbd359e 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -82,36 +82,10 @@ enabled: yes state: restarted - -- block: - - - name: Add http_proxy to /etc/atomic.conf - lineinfile: - dest: /etc/atomic.conf - regexp: "^#?http_proxy[:=]{1}" - line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" - when: - - openshift.common.http_proxy is defined - - openshift.common.http_proxy != '' - - - name: Add https_proxy to /etc/atomic.conf - lineinfile: - dest: /etc/atomic.conf - regexp: "^#?https_proxy[:=]{1}" - line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" - when: - - openshift.common.https_proxy is defined - - openshift.common.https_proxy != '' - - - name: Add no_proxy to /etc/atomic.conf - lineinfile: - dest: /etc/atomic.conf - regexp: "^#?no_proxy[:=]{1}" - line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" - when: - - openshift.common.no_proxy is defined - - openshift.common.no_proxy != '' - +- name: Ensure proxies are in the atomic.conf + include_role: + name: openshift_atomic + tasks_from: proxy - block: diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index 15c6a55db..726e8ada7 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -68,38 +68,10 @@ retries: 3 delay: 30 - -# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf -# regexp: the line starts with or without #, followed by the string -# http_proxy, then either : or = -- block: - - - name: Add http_proxy to /etc/atomic.conf - lineinfile: - dest: /etc/atomic.conf - regexp: "^#?http_proxy[:=]{1}" - line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" - when: - - openshift.common.http_proxy is defined - - openshift.common.http_proxy != '' - - - name: Add https_proxy to /etc/atomic.conf - lineinfile: - dest: /etc/atomic.conf - regexp: "^#?https_proxy[:=]{1}" - line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" - when: - - openshift.common.https_proxy is defined - - openshift.common.https_proxy != '' - - - name: Add no_proxy to /etc/atomic.conf - lineinfile: - dest: /etc/atomic.conf - regexp: "^#?no_proxy[:=]{1}" - line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" - when: - - openshift.common.no_proxy is defined - - openshift.common.no_proxy != '' +- name: Ensure proxies are in the atomic.conf + include_role: + name: openshift_atomic + tasks_from: proxy - block: diff --git a/roles/etcd/tasks/system_container.yml b/roles/etcd/tasks/system_container.yml index 024479fb4..9a6951920 100644 --- a/roles/etcd/tasks/system_container.yml +++ b/roles/etcd/tasks/system_container.yml @@ -2,6 +2,11 @@ - set_fact: l_etcd_src_data_dir: "{{ '/var/lib/origin/openshift.local.etcd' if r_etcd_common_embedded_etcd | bool else '/var/lib/etcd/' }}" +- name: Ensure proxies are in the atomic.conf + include_role: + name: openshift_atomic + tasks_from: proxy + - name: Pull etcd system container command: atomic pull --storage=ostree {{ openshift.etcd.etcd_image }} register: pull_result diff --git a/roles/openshift_atomic/README.md b/roles/openshift_atomic/README.md new file mode 100644 index 000000000..8c10c9991 --- /dev/null +++ b/roles/openshift_atomic/README.md @@ -0,0 +1,28 @@ +OpenShift Atomic +================ + +This role houses atomic specific tasks. + +Requirements +------------ + +Role Variables +-------------- + +Dependencies +------------ + +Example Playbook +---------------- + +``` +- name: Ensure atomic proxies are defined + hosts: localhost + roles: + - role: openshift_atomic +``` + +License +------- + +Apache License Version 2.0 diff --git a/roles/openshift_atomic/meta/main.yml b/roles/openshift_atomic/meta/main.yml new file mode 100644 index 000000000..ea129f514 --- /dev/null +++ b/roles/openshift_atomic/meta/main.yml @@ -0,0 +1,13 @@ +--- +galaxy_info: + author: OpenShift + description: Atomic related tasks + company: Red Hat, Inc + license: ASL 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 +dependencies: +- role: lib_openshift diff --git a/roles/openshift_atomic/tasks/proxy.yml b/roles/openshift_atomic/tasks/proxy.yml new file mode 100644 index 000000000..dde099984 --- /dev/null +++ b/roles/openshift_atomic/tasks/proxy.yml @@ -0,0 +1,32 @@ +--- +# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf +# regexp: the line starts with or without #, followed by the string +# http_proxy, then either : or = +- block: + + - name: Add http_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?http_proxy[:=]{1}" + line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" + when: + - openshift.common.http_proxy is defined + - openshift.common.http_proxy != '' + + - name: Add https_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?https_proxy[:=]{1}" + line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" + when: + - openshift.common.https_proxy is defined + - openshift.common.https_proxy != '' + + - name: Add no_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?no_proxy[:=]{1}" + line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" + when: + - openshift.common.no_proxy is defined + - openshift.common.no_proxy != '' diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml index 9e61805f9..14d8a3325 100644 --- a/roles/openshift_cli/tasks/main.yml +++ b/roles/openshift_cli/tasks/main.yml @@ -1,6 +1,9 @@ --- - set_fact: - l_use_crio: "{{ openshift_use_crio | default(false) }}" + l_use_crio_only: "{{ openshift_use_crio_only | default(false) }}" + l_is_system_container_image: "{{ openshift_use_master_system_container | default(openshift_use_system_containers | default(false)) | bool }}" +- set_fact: + l_use_cli_atomic_image: "{{ l_use_crio_only or l_is_system_container_image }}" - name: Install clients package: name={{ openshift.common.service_type }}-clients state=present @@ -20,23 +23,23 @@ backend: "docker" when: - openshift.common.is_containerized | bool - - not l_use_crio + - not l_use_cli_atomic_image | bool - block: - name: Pull CLI Image command: > - atomic pull --storage ostree {{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}:{{ openshift_image_tag }} + atomic pull --storage ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.common.cli_image }}:{{ openshift_image_tag }} register: pull_result changed_when: "'Pulling layer' in pull_result.stdout" - name: Copy client binaries/symlinks out of CLI image for use on the host openshift_container_binary_sync: - image: "{{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}" + image: "{{ '' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.common.cli_image }}" tag: "{{ openshift_image_tag }}" backend: "atomic" when: - openshift.common.is_containerized | bool - - l_use_crio + - l_use_cli_atomic_image | bool - name: Reload facts to pick up installed OpenShift version openshift_facts: diff --git a/roles/openshift_health_checker/action_plugins/openshift_health_check.py b/roles/openshift_health_checker/action_plugins/openshift_health_check.py index 326176273..3ee3b132c 100644 --- a/roles/openshift_health_checker/action_plugins/openshift_health_check.py +++ b/roles/openshift_health_checker/action_plugins/openshift_health_check.py @@ -101,7 +101,8 @@ class ActionModule(ActionBase): execute_module=self._execute_module, tmp=tmp, task_vars=task_vars, - want_full_results=want_full_results + want_full_results=want_full_results, + templar=self._templar ) return known_checks diff --git a/roles/openshift_health_checker/openshift_checks/__init__.py b/roles/openshift_health_checker/openshift_checks/__init__.py index ce05b44a4..b7b16e0ea 100644 --- a/roles/openshift_health_checker/openshift_checks/__init__.py +++ b/roles/openshift_health_checker/openshift_checks/__init__.py @@ -65,12 +65,15 @@ class OpenShiftCheck(object): If the check can gather logs, tarballs, etc., do so when True; but no need to spend the time if they're not wanted (won't be written to output directory). """ - - def __init__(self, execute_module=None, task_vars=None, tmp=None, want_full_results=False): + # pylint: disable=too-many-arguments + def __init__(self, execute_module=None, task_vars=None, tmp=None, want_full_results=False, + templar=None): # store a method for executing ansible modules from the check self._execute_module = execute_module # the task variables and tmpdir passed into the health checker task self.task_vars = task_vars or {} + # We may need to template some task_vars + self._templar = templar self.tmp = tmp # a boolean for disabling the gathering of results (files, computations) that won't # actually be recorded/used diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py index 7c8ac78fe..5beb20503 100644 --- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py +++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py @@ -61,10 +61,15 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck): # for the oreg_url registry there may be credentials specified components = self.get_var("oreg_url", default="").split('/') self.registries["oreg"] = "" if len(components) < 3 else components[0] + + # Retrieve and template registry credentials, if provided self.skopeo_command_creds = "" oreg_auth_user = self.get_var('oreg_auth_user', default='') oreg_auth_password = self.get_var('oreg_auth_password', default='') if oreg_auth_user != '' and oreg_auth_password != '': + if self._templar is not None: + oreg_auth_user = self._templar.template(oreg_auth_user) + oreg_auth_password = self._templar.template(oreg_auth_password) self.skopeo_command_creds = "--creds={}:{}".format(quote(oreg_auth_user), quote(oreg_auth_password)) # record whether we could reach a registry or not (and remember results) diff --git a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml index c87d48e27..2fd960bb5 100644 --- a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml +++ b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml @@ -1,3 +1,3 @@ --- -__openshift_logging_elasticsearch_proxy_image_prefix: "registry.access.redhat.com/openshift3/" +__openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" __openshift_logging_elasticsearch_proxy_image_version: "v3.7" diff --git a/roles/openshift_master/tasks/journald.yml b/roles/openshift_master/tasks/journald.yml new file mode 100644 index 000000000..f79955e95 --- /dev/null +++ b/roles/openshift_master/tasks/journald.yml @@ -0,0 +1,22 @@ +--- +- name: Checking for journald.conf + stat: path=/etc/systemd/journald.conf + register: journald_conf_file + +- name: Update journald setup + replace: + dest: /etc/systemd/journald.conf + regexp: '^(\#| )?{{ item.var }}=\s*.*?$' + replace: ' {{ item.var }}={{ item.val }}' + backup: yes + with_items: "{{ journald_vars_to_replace | default([]) }}" + when: journald_conf_file.stat.exists + register: journald_update + +# I need to restart journald immediatelly, otherwise it gets into way during +# further steps in ansible +- name: Restart journald + systemd: + name: systemd-journald + state: restarted + when: journald_update | changed diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 824a5886e..d0bc79c0c 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -177,31 +177,12 @@ local_facts: no_proxy_etcd_host_ips: "{{ openshift_no_proxy_etcd_host_ips }}" +- name: Update journald config + include: journald.yml + - name: Install the systemd units include: systemd_units.yml -- name: Checking for journald.conf - stat: path=/etc/systemd/journald.conf - register: journald_conf_file - -- name: Update journald setup - replace: - dest: /etc/systemd/journald.conf - regexp: '^(\#| )?{{ item.var }}=\s*.*?$' - replace: ' {{ item.var }}={{ item.val }}' - backup: yes - with_items: "{{ journald_vars_to_replace | default([]) }}" - when: journald_conf_file.stat.exists - register: journald_update - -# I need to restart journald immediatelly, otherwise it gets into way during -# further steps in ansible -- name: Restart journald - systemd: - name: systemd-journald - state: restarted - when: journald_update | changed - - name: Install Master system container include: system_container.yml when: diff --git a/roles/openshift_master/tasks/system_container.yml b/roles/openshift_master/tasks/system_container.yml index 91332acfb..843352532 100644 --- a/roles/openshift_master/tasks/system_container.yml +++ b/roles/openshift_master/tasks/system_container.yml @@ -1,4 +1,9 @@ --- +- name: Ensure proxies are in the atomic.conf + include_role: + name: openshift_atomic + tasks_from: proxy + - name: Pre-pull master system container image command: > atomic pull --storage=ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.master.master_system_image }}:{{ openshift_image_tag }} diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2 index 7ec26ceb7..3f7a528a9 100644 --- a/roles/openshift_master/templates/atomic-openshift-master.j2 +++ b/roles/openshift_master/templates/atomic-openshift-master.j2 @@ -21,7 +21,7 @@ AWS_SECRET_ACCESS_KEY={{ openshift_cloudprovider_aws_secret_key }} {% endif %} {% if 'api_env_vars' in openshift.master or 'controllers_env_vars' in openshift.master -%} -{% for key, value in openshift.master.api_env_vars.items() | default([]) | union(openshift.master.controllers_env_vars.items() | default([])) -%} +{% for key, value in (openshift.master.api_env_vars | default({})).items() | union((openshift.master.controllers_env_vars | default({})).items()) -%} {{ key }}={{ value }} {% endfor -%} {% endif -%} diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py index f7f3ac2b1..a4f410296 100644 --- a/roles/openshift_master_facts/filter_plugins/openshift_master.py +++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py @@ -363,7 +363,6 @@ class OpenIDIdentityProvider(IdentityProviderOauthBase): def validate(self): ''' validate this idp instance ''' - IdentityProviderOauthBase.validate(self) if not isinstance(self.provider['claims'], dict): raise errors.AnsibleFilterError("|failed claims for provider {0} " "must be a dictionary".format(self.__class__.__name__)) diff --git a/roles/openshift_node/tasks/node_system_container.yml b/roles/openshift_node/tasks/node_system_container.yml index 20d7a9539..164a79b39 100644 --- a/roles/openshift_node/tasks/node_system_container.yml +++ b/roles/openshift_node/tasks/node_system_container.yml @@ -1,4 +1,9 @@ --- +- name: Ensure proxies are in the atomic.conf + include_role: + name: openshift_atomic + tasks_from: proxy + - name: Pre-pull node system container image command: > atomic pull --storage=ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.node_system_image }}:{{ openshift_image_tag }} diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml index e09063aa5..0f73ce454 100644 --- a/roles/openshift_node/tasks/openvswitch_system_container.yml +++ b/roles/openshift_node/tasks/openvswitch_system_container.yml @@ -10,6 +10,11 @@ l_service_name: "{{ openshift.docker.service_name }}" when: not l_use_crio +- name: Ensure proxies are in the atomic.conf + include_role: + name: openshift_atomic + tasks_from: proxy + - name: Pre-pull OpenVSwitch system container image command: > atomic pull --storage=ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }} diff --git a/roles/openshift_node_dnsmasq/README.md b/roles/openshift_node_dnsmasq/README.md new file mode 100644 index 000000000..4596190d7 --- /dev/null +++ b/roles/openshift_node_dnsmasq/README.md @@ -0,0 +1,27 @@ +OpenShift Node DNS resolver +=========================== + +Configure dnsmasq to act as a DNS resolver for an OpenShift node. + +Requirements +------------ + +Role Variables +-------------- + +From this role: + +| Name | Default value | Description | +|-----------------------------------------------------|---------------|-----------------------------------------------------------------------------------| +| openshift_node_dnsmasq_install_network_manager_hook | true | Install NetworkManager hook updating /etc/resolv.conf with local dnsmasq instance | + +Dependencies +------------ + +* openshift_common +* openshift_node_facts + +License +------- + +Apache License Version 2.0 diff --git a/roles/openshift_node_dnsmasq/defaults/main.yml b/roles/openshift_node_dnsmasq/defaults/main.yml index ed97d539c..eae832fcf 100644 --- a/roles/openshift_node_dnsmasq/defaults/main.yml +++ b/roles/openshift_node_dnsmasq/defaults/main.yml @@ -1 +1,2 @@ --- +openshift_node_dnsmasq_install_network_manager_hook: true diff --git a/roles/openshift_node_dnsmasq/tasks/network-manager.yml b/roles/openshift_node_dnsmasq/tasks/network-manager.yml index dddcfc9da..e5a92a630 100644 --- a/roles/openshift_node_dnsmasq/tasks/network-manager.yml +++ b/roles/openshift_node_dnsmasq/tasks/network-manager.yml @@ -5,5 +5,6 @@ dest: /etc/NetworkManager/dispatcher.d/ mode: 0755 notify: restart NetworkManager + when: openshift_node_dnsmasq_install_network_manager_hook | default(true) | bool - meta: flush_handlers diff --git a/roles/openshift_prometheus/README.md b/roles/openshift_prometheus/README.md index c5a44bffb..07ea0299d 100644 --- a/roles/openshift_prometheus/README.md +++ b/roles/openshift_prometheus/README.md @@ -17,14 +17,12 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml). - `openshift_prometheus_namespace`: project (i.e. namespace) where the components will be deployed. -- `openshift_prometheus_replicas`: The number of replicas for prometheus deployment. - - `openshift_prometheus_node_selector`: Selector for the nodes prometheus will be deployed on. - `openshift_prometheus_image_<COMPONENT>`: specify image for the component -## Storage related variables -Each prometheus component (prometheus, alertmanager, alert-buffer, oauth-proxy) can set pv claim by setting corresponding role variable: +## PVC related variables +Each prometheus component (prometheus, alertmanager, alertbuffer) can set pv claim by setting corresponding role variable: ``` openshift_prometheus_<COMPONENT>_storage_type: <VALUE> openshift_prometheus_<COMPONENT>_pvc_(name|size|access_modes|pv_selector): <VALUE> @@ -37,6 +35,29 @@ openshift_prometheus_alertbuffer_pvc_size: 10G openshift_prometheus_pvc_access_modes: [ReadWriteOnce] ``` +## NFS PV Storage variables +Each prometheus component (prometheus, alertmanager, alertbuffer) can set nfs pv by setting corresponding variable: +``` +openshift_prometheus_<COMPONENT>_storage_kind=<VALUE> +openshift_prometheus_<COMPONENT>_storage_(access_modes|host|labels)=<VALUE> +openshift_prometheus_<COMPONENT>_storage_volume_(name|size)=<VALUE> +openshift_prometheus_<COMPONENT>_storage_nfs_(directory|options)=<VALUE> +``` +e.g +``` +openshift_prometheus_storage_kind=nfs +openshift_prometheus_storage_access_modes=['ReadWriteOnce'] +openshift_prometheus_storage_host=nfs.example.com #for external host +openshift_prometheus_storage_nfs_directory=/exports +openshift_prometheus_storage_alertmanager_nfs_options='*(rw,root_squash)' +openshift_prometheus_storage_volume_name=prometheus +openshift_prometheus_storage_alertbuffer_volume_size=10Gi +openshift_prometheus_storage_labels={'storage': 'prometheus'} +``` + +NOTE: Setting `openshift_prometheus_<COMPONENT>_storage_labels` overrides `openshift_prometheus_<COMPONENT>_pvc_pv_selector` + + ## Additional Alert Rules file variable An external file with alert rules can be added by setting path to additional rules variable: ``` diff --git a/roles/openshift_prometheus/defaults/main.yaml b/roles/openshift_prometheus/defaults/main.yaml index c08bec4cb..f6ff7ce22 100644 --- a/roles/openshift_prometheus/defaults/main.yaml +++ b/roles/openshift_prometheus/defaults/main.yaml @@ -4,14 +4,13 @@ openshift_prometheus_state: present openshift_prometheus_namespace: prometheus -openshift_prometheus_replicas: 1 openshift_prometheus_node_selector: {"region":"infra"} # images openshift_prometheus_image_proxy: "openshift/oauth-proxy:v1.0.0" -openshift_prometheus_image_prometheus: "openshift/prometheus:v2.0.0-dev" +openshift_prometheus_image_prometheus: "openshift/prometheus:v2.0.0-dev.3" openshift_prometheus_image_alertmanager: "openshift/prometheus-alertmanager:v0.9.1" -openshift_prometheus_image_alertbuffer: "openshift/prometheus-alert-buffer:v0.0.1" +openshift_prometheus_image_alertbuffer: "openshift/prometheus-alert-buffer:v0.0.2" # additional prometheus rules file openshift_prometheus_additional_rules_file: null diff --git a/roles/openshift_prometheus/tasks/install_prometheus.yaml b/roles/openshift_prometheus/tasks/install_prometheus.yaml index cb75eedca..67141a866 100644 --- a/roles/openshift_prometheus/tasks/install_prometheus.yaml +++ b/roles/openshift_prometheus/tasks/install_prometheus.yaml @@ -145,21 +145,21 @@ volume_capacity: "{{ openshift_prometheus_alertbuffer_pvc_size }}" selector: "{{ openshift_prometheus_alertbuffer_pvc_pv_selector }}" -# create prometheus deployment -- name: Set prometheus deployment template +# create prometheus stateful set +- name: Set prometheus template template: - src: prometheus_deployment.j2 + src: prometheus.j2 dest: "{{ tempdir }}/templates/prometheus.yaml" vars: namespace: "{{ openshift_prometheus_namespace }}" - prom_replicas: "{{ openshift_prometheus_replicas }}" +# prom_replicas: "{{ openshift_prometheus_replicas }}" -- name: Set prometheus deployment +- name: Set prometheus stateful set oc_obj: state: "{{ state }}" name: "prometheus" namespace: "{{ openshift_prometheus_namespace }}" - kind: deployment + kind: statefulset files: - "{{ tempdir }}/templates/prometheus.yaml" delete_after: true diff --git a/roles/openshift_prometheus/templates/prometheus_deployment.j2 b/roles/openshift_prometheus/templates/prometheus.j2 index 66eab6df4..81f043491 100644 --- a/roles/openshift_prometheus/templates/prometheus_deployment.j2 +++ b/roles/openshift_prometheus/templates/prometheus.j2 @@ -1,12 +1,14 @@ -apiVersion: extensions/v1beta1 -kind: Deployment +apiVersion: apps/v1beta1 +kind: StatefulSet metadata: name: prometheus namespace: {{ namespace }} labels: app: prometheus spec: - replicas: {{ prom_replicas|default(1) }} + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel selector: provider: openshift matchLabels: @@ -60,6 +62,8 @@ spec: - -tls-key=/etc/tls/private/tls.key - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - -cookie-secret-file=/etc/proxy/secrets/session_secret + - -openshift-ca=/etc/pki/tls/cert.pem + - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - -skip-auth-regex=^/metrics volumeMounts: - mountPath: /etc/tls/private @@ -72,6 +76,7 @@ spec: - name: prometheus args: - --storage.tsdb.retention=6h + - --storage.tsdb.min-block-duration=2m - --config.file=/etc/prometheus/prometheus.yml - --web.listen-address=localhost:9090 image: "{{ openshift_prometheus_image_prometheus }}" @@ -133,6 +138,8 @@ spec: - -tls-key=/etc/tls/private/tls.key - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - -cookie-secret-file=/etc/proxy/secrets/session_secret + - -openshift-ca=/etc/pki/tls/cert.pem + - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt volumeMounts: - mountPath: /etc/tls/private name: alerts-tls diff --git a/roles/openshift_sanitize_inventory/tasks/unsupported.yml b/roles/openshift_sanitize_inventory/tasks/unsupported.yml index 39bf1780a..b70ab90a1 100644 --- a/roles/openshift_sanitize_inventory/tasks/unsupported.yml +++ b/roles/openshift_sanitize_inventory/tasks/unsupported.yml @@ -11,6 +11,14 @@ will not function. This also means that NetworkManager must be installed enabled and responsible for management of the primary interface. +- name: Ensure that openshift_node_dnsmasq_install_network_manager_hook is true + when: + - not openshift_node_dnsmasq_install_network_manager_hook | default(true) | bool + fail: + msg: |- + The NetworkManager hook is considered a critical part of the DNS + infrastructure. + - set_fact: __using_dynamic: True when: diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index 56b2d1463..f449fba2b 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Template metadata: - name: service-catalog + name: service-catalog-role-bindings objects: - apiVersion: authorization.openshift.io/v1 diff --git a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml index e1af51ce6..f563ae42e 100644 --- a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Template metadata: - name: kube-system-service-catalog + name: kube-system-service-catalog-role-bindings objects: - apiVersion: authorization.openshift.io/v1 diff --git a/roles/openshift_service_catalog/tasks/generate_certs.yml b/roles/openshift_service_catalog/tasks/generate_certs.yml index 416bdac70..9d55185c8 100644 --- a/roles/openshift_service_catalog/tasks/generate_certs.yml +++ b/roles/openshift_service_catalog/tasks/generate_certs.yml @@ -16,6 +16,16 @@ --key={{ generated_certs_dir }}/ca.key --cert={{ generated_certs_dir }}/ca.crt --serial={{ generated_certs_dir }}/apiserver.serial.txt --name=service-catalog-signer +- name: Delete old apiserver.crt + file: + path: "{{ generated_certs_dir }}/apiserver.crt" + state: absent + +- name: Delete old apiserver.key + file: + path: "{{ generated_certs_dir }}/apiserver.key" + state: absent + - name: Generating server keys oc_adm_ca_server_cert: cert: "{{ generated_certs_dir }}/apiserver.crt" diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 1e94c8c5d..aa3ec5724 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -47,16 +47,15 @@ dest: "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml" - oc_obj: - name: service-catalog + name: service-catalog-role-bindings kind: template namespace: "kube-service-catalog" files: - "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml" - delete_after: yes - oc_process: create: True - template_name: service-catalog + template_name: service-catalog-role-bindings namespace: "kube-service-catalog" - copy: @@ -64,16 +63,15 @@ dest: "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml" - oc_obj: - name: kube-system-service-catalog + name: kube-system-service-catalog-role-bindings kind: template namespace: kube-system files: - "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml" - delete_after: yes - oc_process: create: True - template_name: kube-system-service-catalog + template_name: kube-system-service-catalog-role-bindings namespace: kube-system - oc_obj: diff --git a/roles/openshift_service_catalog/tasks/remove.yml b/roles/openshift_service_catalog/tasks/remove.yml index 96ae61507..ca9844e79 100644 --- a/roles/openshift_service_catalog/tasks/remove.yml +++ b/roles/openshift_service_catalog/tasks/remove.yml @@ -3,10 +3,6 @@ command: > oc delete apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io --ignore-not-found -n kube-service-catalog -- name: Remove Policy Binding - command: > - oc delete policybindings/kube-system:default -n kube-system --ignore-not-found - # TODO: this module doesn't currently remove this #- name: Remove service catalog api service # oc_obj: @@ -50,6 +46,26 @@ kind: deployment name: controller-manager +- name: Remove Service Catalog kube-system Role Bindinds + shell: > + oc process kube-system-service-catalog-role-bindings -n kube-system | oc delete --ignore-not-found -f - + +- oc_obj: + kind: template + name: "kube-system-service-catalog-role-bindings" + namespace: kube-system + state: absent + +- name: Remove Service Catalog kube-service-catalog Role Bindinds + shell: > + oc process service-catalog-role-bindings -n kube-service-catalog | oc delete --ignore-not-found -f - + +- oc_obj: + kind: template + name: "service-catalog-role-bindings" + namespace: kube-service-catalog + state: absent + - name: Remove Service Catalog namespace oc_project: state: absent diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2 index 69b062b3f..4629d5bb3 100644 --- a/roles/openshift_service_catalog/templates/sc_role_patching.j2 +++ b/roles/openshift_service_catalog/templates/sc_role_patching.j2 @@ -3,8 +3,8 @@ - "servicecatalog.k8s.io" attributeRestrictions: null resources: - - instances - - bindings + - serviceinstances + - servicebindings verbs: - create - update diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml index f3afe65ed..28836f97f 100644 --- a/roles/template_service_broker/tasks/remove.yml +++ b/roles/template_service_broker/tasks/remove.yml @@ -13,11 +13,11 @@ - name: Delete TSB broker shell: > - oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" | oc delete -f - + oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" | oc delete --ignore-not-found -f - - name: Delete TSB objects shell: > - oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | kubectl delete -f - + oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | oc delete --ignore-not-found -f - - name: empty out tech preview extension file for service console UI copy: |