Diffstat (limited to 'roles')
32 files changed, 923 insertions, 86 deletions
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 0f4b71124..9a91927b8 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -30,8 +30,12 @@ ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}" ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}" +- set_fact: + openshift_master_config_dir: "{{ openshift.common.config_base }}/master" + when: openshift_master_config_dir is undefined + - slurp: - src: "{{ ansible_service_broker_certs_dir }}/ca.crt" + src: "{{ openshift_master_config_dir }}/service-signer.crt" register: catalog_ca @@ -231,6 +235,20 @@ value: /etc/ansible-service-broker/config.yaml resources: {} terminationMessagePath: /tmp/termination-log + readinessProbe: + httpGet: + port: 1338 + path: /healthz + scheme: HTTPS + initialDelaySeconds: 15 + timeoutSeconds: 1 + livenessProbe: + httpGet: + port: 1338 + path: /healthz + scheme: HTTPS + initialDelaySeconds: 15 + timeoutSeconds: 1 - image: "{{ ansible_service_broker_etcd_image }}" name: etcd @@ -327,12 +345,12 @@ oc_obj: name: ansible-service-broker state: present - kind: ServiceBroker + kind: ClusterServiceBroker content: path: /tmp/brokerout data: - apiVersion: servicecatalog.k8s.io/v1alpha1 - kind: ServiceBroker + apiVersion: servicecatalog.k8s.io/v1beta1 + kind: ClusterServiceBroker metadata: name: ansible-service-broker spec: diff --git a/roles/kuryr/README.md b/roles/kuryr/README.md new file mode 100644 index 000000000..7b618f902 --- /dev/null +++ b/roles/kuryr/README.md 
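Review bot: The readiness and liveness probes added after `terminationMessagePath` use `timeoutSeconds: 1` against an HTTPS endpoint, which leaves one second for the TLS handshake plus the /healthz response; under load the liveness probe will produce spurious restarts. A slightly larger timeout such as `timeoutSeconds: 5` together with an explicit `failureThreshold` makes a liveness kill deliberate rather than noisy. The `catalog_ca` slurp now reads `service-signer.crt`, so the broker's serving certificate must be issued by the service signer for the catalog to verify it; that coupling appears to depend on a serving-cert annotation elsewhere in the role, outside this hunk, and is worth confirming.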
@@ -0,0 +1,38 @@ +## OpenStack Kuryr + +Install Kuryr CNI components (kuryr-controller, kuryr-cni) on Master and worker +nodes. Kuryr uses OpenStack Networking service (Neutron) to provide network for +pods. This allows to have interconnectivity between pods and OpenStack VMs. + +## Requirements + +* Ansible 2.2+ +* Centos/ RHEL 7.3+ + +## Current Kuryr restrictions when used with OpenShift + +* Openshift Origin only +* OpenShift on OpenStack Newton or newer (only with Trunk ports) + +## Key Ansible inventory Kuryr master configuration parameters + +* ``openshift_use_kuryr=True`` +* ``openshift_use_openshift_sdn=False`` +* ``openshift_sdn_network_plugin_name='cni'`` +* ``kuryr_cni_link_interface=eth0`` +* ``kuryr_openstack_auth_url=keystone_url`` +* ``kuryr_openstack_user_domain_name=Default`` +* ``kuryr_openstack_user_project_name=Default`` +* ``kuryr_openstack_project_id=project_uuid`` +* ``kuryr_openstack_username=kuryr`` +* ``kuryr_openstack_password=kuryr_pass`` +* ``kuryr_openstack_pod_sg_id=pod_security_group_uuid`` +* ``kuryr_openstack_pod_subnet_id=pod_subnet_uuid`` +* ``kuryr_openstack_pod_service_id=service_subnet_uuid`` +* ``kuryr_openstack_pod_project_id=pod_project_uuid`` +* ``kuryr_openstack_worker_nodes_subnet_id=worker_nodes_subnet_uuid`` + +## Kuryr resources + +* [Kuryr documentation](https://docs.openstack.org/kuryr-kubernetes/latest/) +* [Installing Kuryr containerized](https://docs.openstack.org/kuryr-kubernetes/latest/installation/containerized.html) diff --git a/roles/kuryr/defaults/main.yaml b/roles/kuryr/defaults/main.yaml new file mode 100644 index 000000000..ff298dda0 --- /dev/null +++ b/roles/kuryr/defaults/main.yaml 
@@ -0,0 +1,72 @@ +--- +# Kuryr conf directory +kuryr_config_dir: /etc/kuryr + +# Kuryr username +kuryr_openstack_username: kuryr + +# Kuryr username domain +kuryr_openstack_user_domain_name: default + +# Kuryr username domain +kuryr_openstack_project_domain_name: default + +# Kuryr OpenShift namespace +kuryr_namespace: kube-system + +# Whether to run the cni plugin in debug mode +kuryr_cni_debug: "false" + +# The version of cni binaries +cni_version: v0.5.2 + +# Path to bin dir (where kuryr execs get installed) +bin_dir: /usr/bin + +# Path to the cni binaries +cni_bin_dir: /opt/cni/bin + +# URL for cni binaries +cni_bin_url_base: "https://github.com/containernetworking/cni/releases/download/" +cni_bin_url: "{{ cni_bin_url_base }}/{{ cni_version }}/cni-{{ cni_version }}.tgz" +cni_bin_checksum: "71f411080245aa14d0cc06f6824e8039607dd9e9" + +# Kuryr ClusterRole definiton +kuryr_clusterrole: + name: kuryrctl + state: present + rules: + - apiGroups: + - "" + attributeRestrictions: null + verbs: + - get + - list + - watch + resources: + - daemonsets + - deployments + - deploymentconfigs + - endpoints + - ingress + - nodes + - namespaces + - pods + - projects + - routes + - services + - apiGroups: + - "" + attributeRestrictions: null + verbs: + - update + - patch + resources: + - endpoints + - ingress + - pods + - namespaces + - nodes + - services + - services/status + - routes diff --git a/roles/kuryr/meta/main.yml b/roles/kuryr/meta/main.yml new file mode 100644 index 000000000..7fd5adf41 --- /dev/null +++ b/roles/kuryr/meta/main.yml @@ -0,0 +1,17 @@ +--- +galaxy_info: + author: Red Hat + description: Kuryr networking + company: Red Hat + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- { role: lib_openshift } +- { role: openshift_facts } diff --git a/roles/kuryr/tasks/master.yaml b/roles/kuryr/tasks/master.yaml new file mode 100644 index 000000000..55ab16f74 
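Review bot: The `kuryr_clusterrole` rules grant cluster-wide `update` and `patch` on `nodes`, `namespaces`, `services`, `services/status` and `routes` to a service account that, per the cni-daemonset template in this same commit, is also mounted into a privileged pod on every node; a compromised node token would then be able to rewrite cluster-scoped objects. Trim the second rule to the resources the controller actually modifies (presumably pod and service annotations; confirm against the kuryr-kubernetes docs linked in the README) and give the CNI pods a separate, read-only account. Separately, `cni_bin_checksum` is a SHA-1 digest; `get_url` accepts `checksum: "sha256:<sha256-of-cni-tarball>"`, which is the stronger pin for a binary pulled from a public release URL.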
--- /dev/null +++ b/roles/kuryr/tasks/master.yaml @@ -0,0 +1,52 @@ +--- +- name: Perform OpenShit ServiceAccount config + include: serviceaccount.yaml + +- name: Create kuryr manifests tempdir + command: mktemp -d + register: manifests_tmpdir + +- name: Create kuryr ConfigMap manifest + become: yes + template: + src: configmap.yaml.j2 + dest: "{{ manifests_tmpdir.stdout }}/configmap.yaml" + +- name: Create kuryr-controller Deployment manifest + become: yes + template: + src: controller-deployment.yaml.j2 + dest: "{{ manifests_tmpdir.stdout }}/controller-deployment.yaml" + +- name: Create kuryr-cni DaemonSet manifest + become: yes + template: + src: cni-daemonset.yaml.j2 + dest: "{{ manifests_tmpdir.stdout }}/cni-daemonset.yaml" + +- name: Apply ConfigMap manifest + oc_obj: + state: present + kind: ConfigMap + name: "kuryr-config" + namespace: "{{ kuryr_namespace }}" + files: + - "{{ manifests_tmpdir.stdout }}/configmap.yaml" + +- name: Apply Controller Deployment manifest + oc_obj: + state: present + kind: Deployment + name: "kuryr-controller" + namespace: "{{ kuryr_namespace }}" + files: + - "{{ manifests_tmpdir.stdout }}/controller-deployment.yaml" + +- name: Apply kuryr-cni DaemonSet manifest + oc_obj: + state: present + kind: DaemonSet + name: "kuryr-cni-ds" + namespace: "{{ kuryr_namespace }}" + files: + - "{{ manifests_tmpdir.stdout }}/cni-daemonset.yaml" diff --git a/roles/kuryr/tasks/node.yaml b/roles/kuryr/tasks/node.yaml new file mode 100644 index 000000000..ffe814713 --- /dev/null +++ b/roles/kuryr/tasks/node.yaml 
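Review bot: The rendered `configmap.yaml` carries `kuryr_openstack_password` in clear text, is written with the default umask under a `mktemp -d` directory, and nothing removes that directory afterwards, so the credential stays on the master's filesystem after the play. Add `mode: "0600"` to the three template tasks and a final cleanup task that removes `manifests_tmpdir.stdout`. The first task name also has a typo: `Perform OpenShit ServiceAccount config` should read `Perform OpenShift ServiceAccount config`.
```yaml
- name: Create kuryr ConfigMap manifest
  become: yes
  template:
    src: configmap.yaml.j2
    dest: "{{ manifests_tmpdir.stdout }}/configmap.yaml"
    mode: "0600"

# … unchanged: controller-deployment / cni-daemonset templates and the oc_obj tasks …

- name: Remove kuryr manifests tempdir
  file:
    path: "{{ manifests_tmpdir.stdout }}"
    state: absent
```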
@@ -0,0 +1,48 @@ +--- +- name: Create CNI bin directory + file: + state: directory + path: "{{ cni_bin_dir }}" + mode: 0755 + owner: root + group: root + recurse: yes + +- name: Create CNI extraction tempdir + command: mktemp -d + register: cni_tmpdir + +- name: Download CNI + get_url: + url: "{{ cni_bin_url }}" + checksum: "sha1:{{ cni_bin_checksum }}" + mode: 0644 + dest: "{{ cni_tmpdir.stdout }}" + register: downloaded_tarball + +- name: Extract CNI + become: yes + unarchive: + remote_src: True + src: "{{ downloaded_tarball.dest }}" + dest: "{{ cni_bin_dir }}" + when: downloaded_tarball.changed + +- name: Ensure CNI net.d exists + file: + path: /etc/cni/net.d + recurse: yes + state: directory + +- name: Configure OpenShift node with disabled service proxy + lineinfile: + dest: "/etc/sysconfig/{{ openshift.common.service_type }}-node" + regexp: '^OPTIONS="?(.*?)"?$' + backrefs: yes + backup: yes + line: 'OPTIONS="\1 --disable dns,proxy,plugins"' + +- name: force node restart to disable the proxy + service: + name: "{{ openshift.common.service_type }}-node" + state: restarted diff --git a/roles/kuryr/tasks/serviceaccount.yaml b/roles/kuryr/tasks/serviceaccount.yaml new file mode 100644 index 000000000..088f13091 --- /dev/null +++ b/roles/kuryr/tasks/serviceaccount.yaml 
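Review bot: The `lineinfile` task with `backrefs: yes` is not idempotent: on every run the regexp matches the already-rewritten `OPTIONS=` line and `\1` carries the previous value, so ` --disable dns,proxy,plugins` is appended again and the unconditional `service: state: restarted` bounces the node each time. Exclude already-patched lines with `regexp: '^OPTIONS="?((?!.*--disable).*?)"?$'`, `register: node_opts` on the lineinfile task, and restart only `when: node_opts.changed`. The `get_url` pin uses `sha1:`; `sha256:` is accepted by the module and preferable for a binary fetched from a public release URL, and the `cni_tmpdir` directory is never removed. `remote_src: True` should be lowercase `true` to match the role's other booleans.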
@@ -0,0 +1,31 @@ +--- +- name: Create Controller service account + oc_serviceaccount: + name: kuryr-controller + namespace: "{{ kuryr_namespace }}" + register: saout + +- name: Create a role for the Kuryr + oc_clusterrole: "{{ kuryr_clusterrole }}" + +- name: Fetch the created Kuryr controller cluster role + oc_clusterrole: + name: kuryrctl + state: list + register: crout + +- name: Grant Kuryr the privileged security context constraints + oc_adm_policy_user: + user: "system:serviceaccount:{{ kuryr_namespace }}:{{ saout.results.results.0.metadata.name }}" + namespace: "{{ kuryr_namespace }}" + resource_kind: scc + resource_name: privileged + state: present + +- name: Assign role to Kuryr service account + oc_adm_policy_user: + user: "system:serviceaccount:{{ kuryr_namespace }}:{{ saout.results.results.0.metadata.name }}" + namespace: "{{ kuryr_namespace }}" + resource_kind: cluster-role + resource_name: "{{ crout.results.results.metadata.name }}" + state: present diff --git a/roles/kuryr/templates/cni-daemonset.yaml.j2 b/roles/kuryr/templates/cni-daemonset.yaml.j2 new file mode 100644 index 000000000..39348ae90 --- /dev/null +++ b/roles/kuryr/templates/cni-daemonset.yaml.j2 
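Review bot: Both the `privileged` SCC and the `kuryrctl` cluster role are bound to the single `kuryr-controller` service account, and the cni-daemonset template in this commit runs that same account on every node, so each node holds a token with cluster-wide write access and privileged-pod rights. A second service account for the CNI DaemonSet with only the SCC it needs, and the cluster role bound to the controller alone, keeps a node compromise from becoming a cluster compromise. The two lookups also index differently: `saout.results.results.0.metadata.name` versus `crout.results.results.metadata.name`; one of them looks wrong for the module's return shape, so verify that `oc_clusterrole` with `state: list` returns a mapping rather than a list before relying on it.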
@@ -0,0 +1,53 @@ +# More info about the template: https://docs.openstack.org/kuryr-kubernetes/latest/installation/containerized.html#generating-kuryr-resource-definitions-for-kubernetes + +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: kuryr-cni-ds + namespace: {{ kuryr_namespace }} + labels: + tier: node + app: kuryr +spec: + template: + metadata: + labels: + tier: node + app: kuryr + spec: + hostNetwork: true + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + serviceAccountName: kuryr-controller + containers: + - name: kuryr-cni + image: kuryr/cni:latest + imagePullPolicy: IfNotPresent + command: [ "cni_ds_init" ] + securityContext: + privileged: true + volumeMounts: + - name: bin + mountPath: /opt/cni/bin + - name: net-conf + mountPath: /etc/cni/net.d + - name: config-volume + mountPath: /tmp/kuryr/kuryr.conf + subPath: kuryr-cni.conf + - name: etc + mountPath: /etc + volumes: + - name: bin + hostPath: + path: {{ cni_bin_dir }} + - name: net-conf + hostPath: + path: /etc/cni/net.d + - name: config-volume + configMap: + name: kuryr-config + - name: etc + hostPath: + path: /etc
\ No newline at end of file diff --git a/roles/kuryr/templates/configmap.yaml.j2 b/roles/kuryr/templates/configmap.yaml.j2 new file mode 100644 index 000000000..e874d6c25 --- /dev/null +++ b/roles/kuryr/templates/configmap.yaml.j2 
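Review bot: The DaemonSet runs `kuryr/cni:latest` with `privileged: true`, `hostNetwork: true` and the host `/etc` mounted read-write, so every image push to that tag changes what runs as root on every node without any change to this repository. Pin the image to a release tag or digest (`image: kuryr/cni:<pinned-tag>`), and mark the `etc` mount `readOnly: true` unless `cni_ds_init` actually writes there; `/etc/cni/net.d` already has its own writable mount. The templated scalars `namespace: {{ kuryr_namespace }}` and `path: {{ cni_bin_dir }}` should be quoted so an empty or special-character expansion cannot change the YAML type, and the file lacks a trailing newline.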
@@ -0,0 +1,343 @@ +# More info about the template: https://docs.openstack.org/kuryr-kubernetes/latest/installation/containerized.html#generating-kuryr-resource-definitions-for-kubernetes + +apiVersion: v1 +kind: ConfigMap +metadata: + name: kuryr-config + namespace: {{ kuryr_namespace }} +data: + kuryr.conf: |+ + [DEFAULT] + + # + # From kuryr_kubernetes + # + + # Directory for Kuryr vif binding executables. (string value) + #bindir = /usr/libexec/kuryr + + # If set to true, the logging level will be set to DEBUG instead of the default + # INFO level. (boolean value) + # Note: This option can be changed without restarting. + #debug = false + + # DEPRECATED: If set to false, the logging level will be set to WARNING instead + # of the default INFO level. (boolean value) + # This option is deprecated for removal. + # Its value may be silently ignored in the future. + #verbose = true + + # The name of a logging configuration file. This file is appended to any + # existing logging configuration files. For details about logging configuration + # files, see the Python logging module documentation. Note that when logging + # configuration files are used then all logging configuration is set in the + # configuration file and other logging configuration options are ignored (for + # example, logging_context_format_string). (string value) + # Note: This option can be changed without restarting. + # Deprecated group/name - [DEFAULT]/log_config + #log_config_append = <None> + + # Defines the format string for %%(asctime)s in log records. Default: + # %(default)s . This option is ignored if log_config_append is set. (string + # value) + #log_date_format = %Y-%m-%d %H:%M:%S + + # (Optional) Name of log file to send logging output to. If no default is set, + # logging will go to stderr as defined by use_stderr. This option is ignored if + # log_config_append is set. 
(string value) + # Deprecated group/name - [DEFAULT]/logfile + #log_file = /var/log/kuryr/kuryr-controller.log + + # (Optional) The base directory used for relative log_file paths. This option + # is ignored if log_config_append is set. (string value) + # Deprecated group/name - [DEFAULT]/logdir + #log_dir = <None> + + # Uses logging handler designed to watch file system. When log file is moved or + # removed this handler will open a new log file with specified path + # instantaneously. It makes sense only if log_file option is specified and + # Linux platform is used. This option is ignored if log_config_append is set. + # (boolean value) + #watch_log_file = false + + # Use syslog for logging. Existing syslog format is DEPRECATED and will be + # changed later to honor RFC5424. This option is ignored if log_config_append + # is set. (boolean value) + #use_syslog = false + + # Syslog facility to receive log lines. This option is ignored if + # log_config_append is set. (string value) + #syslog_log_facility = LOG_USER + + # Log output to standard error. This option is ignored if log_config_append is + # set. (boolean value) + #use_stderr = true + + # Format string to use for log messages with context. (string value) + #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + + # Format string to use for log messages when context is undefined. (string + # value) + #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + + # Additional data to append to log message when logging level for the message + # is DEBUG. (string value) + #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + + # Prefix each line of exception output with this format. 
(string value) + #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + + # Defines the format string for %(user_identity)s that is used in + # logging_context_format_string. (string value) + #logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + + # List of package logging levels in logger=LEVEL pairs. This option is ignored + # if log_config_append is set. (list value) + #default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO + + # Enables or disables publication of error events. (boolean value) + #publish_errors = false + + # The format for an instance that is passed with the log message. (string + # value) + #instance_format = "[instance: %(uuid)s] " + + # The format for an instance UUID that is passed with the log message. (string + # value) + #instance_uuid_format = "[instance: %(uuid)s] " + + # Enables or disables fatal status of deprecations. 
(boolean value) + #fatal_deprecations = false + + + [binding] + + driver = kuryr.lib.binding.drivers.vlan + link_iface = eth0 + + [kubernetes] + + # + # From kuryr_kubernetes + # + + # The root URL of the Kubernetes API (string value) + api_root = {{ openshift.master.api_url }} + + # Absolute path to client cert to connect to HTTPS K8S_API (string value) + # ssl_client_crt_file = /etc/kuryr/controller.crt + + # Absolute path client key file to connect to HTTPS K8S_API (string value) + # ssl_client_key_file = /etc/kuryr/controller.key + + # Absolute path to ca cert file to connect to HTTPS K8S_API (string value) + ssl_ca_crt_file = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + + # The token to talk to the k8s API + token_file = /var/run/secrets/kubernetes.io/serviceaccount/token + + # HTTPS K8S_API server identity verification (boolean value) + # TODO (apuimedo): Make configurable + ssl_verify_server_crt = True + + # The driver to determine OpenStack project for pod ports (string value) + pod_project_driver = default + + # The driver to determine OpenStack project for services (string value) + service_project_driver = default + + # The driver to determine Neutron subnets for pod ports (string value) + pod_subnets_driver = default + + # The driver to determine Neutron subnets for services (string value) + service_subnets_driver = default + + # The driver to determine Neutron security groups for pods (string value) + pod_security_groups_driver = default + + # The driver to determine Neutron security groups for services (string value) + service_security_groups_driver = default + + # The driver that provides VIFs for Kubernetes Pods. 
(string value) + pod_vif_driver = nested-vlan + + + [neutron] + # Configuration options for OpenStack Neutron + + # + # From kuryr_kubernetes + # + + # Authentication URL (string value) + auth_url = {{ kuryr_openstack_auth_url }} + + # Authentication type to load (string value) + # Deprecated group/name - [neutron]/auth_plugin + auth_type = password + + # Domain ID to scope to (string value) + user_domain_name = {{ kuryr_openstack_user_domain_name }} + + # User's password (string value) + password = {{ kuryr_openstack_password }} + + # Domain name containing project (string value) + project_domain_name = {{ kuryr_openstack_project_domain_name }} + + # Project ID to scope to (string value) + # Deprecated group/name - [neutron]/tenant-id + project_id = {{ kuryr_openstack_project_id }} + + # Token (string value) + #token = <None> + + # Trust ID (string value) + #trust_id = <None> + + # User's domain id (string value) + #user_domain_id = <None> + + # User id (string value) + #user_id = <None> + + # Username (string value) + # Deprecated group/name - [neutron]/user-name + username = {{kuryr_openstack_username }} + + # Whether a plugging operation is failed if the port to plug does not become + # active (boolean value) + #vif_plugging_is_fatal = false + + # Seconds to wait for port to become active (integer value) + #vif_plugging_timeout = 0 + + [neutron_defaults] + + pod_security_groups = {{ kuryr_openstack_pod_sg_id }} + pod_subnet = {{ kuryr_openstack_pod_subnet_id }} + service_subnet = {{ kuryr_openstack_service_subnet_id }} + project = {{ kuryr_openstack_pod_project_id }} + # TODO (apuimedo): Remove the duplicated line just after this one once the + # RDO packaging contains the upstream patch + worker_nodes_subnet = {{ kuryr_openstack_worker_nodes_subnet_id }} + + [pod_vif_nested] + worker_nodes_subnet = {{ kuryr_openstack_worker_nodes_subnet_id }} + kuryr-cni.conf: |+ + [DEFAULT] + + # + # From kuryr_kubernetes + # + # If set to true, the logging level will be set 
to DEBUG instead of the default + # INFO level. (boolean value) + # Note: This option can be changed without restarting. + #debug = false + + # The name of a logging configuration file. This file is appended to any + # existing logging configuration files. For details about logging configuration + # files, see the Python logging module documentation. Note that when logging + # configuration files are used then all logging configuration is set in the + # configuration file and other logging configuration options are ignored (for + # example, logging_context_format_string). (string value) + # Note: This option can be changed without restarting. + # Deprecated group/name - [DEFAULT]/log_config + #log_config_append = <None> + + # Defines the format string for %%(asctime)s in log records. Default: + # %(default)s . This option is ignored if log_config_append is set. (string + # value) + #log_date_format = %Y-%m-%d %H:%M:%S + + # (Optional) Name of log file to send logging output to. If no default is set, + # logging will go to stderr as defined by use_stderr. This option is ignored if + # log_config_append is set. (string value) + # Deprecated group/name - [DEFAULT]/logfile + #log_file = /var/log/kuryr/cni.log + + # (Optional) The base directory used for relative log_file paths. This option + # is ignored if log_config_append is set. (string value) + # Deprecated group/name - [DEFAULT]/logdir + #log_dir = <None> + + # Uses logging handler designed to watch file system. When log file is moved or + # removed this handler will open a new log file with specified path + # instantaneously. It makes sense only if log_file option is specified and + # Linux platform is used. This option is ignored if log_config_append is set. + # (boolean value) + #watch_log_file = false + + # Use syslog for logging. Existing syslog format is DEPRECATED and will be + # changed later to honor RFC5424. This option is ignored if log_config_append + # is set. 
(boolean value) + #use_syslog = false + + # Syslog facility to receive log lines. This option is ignored if + # log_config_append is set. (string value) + #syslog_log_facility = LOG_USER + + # Log output to standard error. This option is ignored if log_config_append is + # set. (boolean value) + use_stderr = true + + # Format string to use for log messages with context. (string value) + #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + + # Format string to use for log messages when context is undefined. (string + # value) + #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + + # Additional data to append to log message when logging level for the message + # is DEBUG. (string value) + #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + + # Prefix each line of exception output with this format. (string value) + #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + + # Defines the format string for %(user_identity)s that is used in + # logging_context_format_string. (string value) + #logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + + # List of package logging levels in logger=LEVEL pairs. This option is ignored + # if log_config_append is set. (list value) + #default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO + + # Enables or disables publication of error events. 
(boolean value) + #publish_errors = false + + # The format for an instance that is passed with the log message. (string + # value) + #instance_format = "[instance: %(uuid)s] " + + # The format for an instance UUID that is passed with the log message. (string + # value) + #instance_uuid_format = "[instance: %(uuid)s] " + + # Enables or disables fatal status of deprecations. (boolean value) + #fatal_deprecations = false + + + [binding] + + driver = kuryr.lib.binding.drivers.vlan + link_iface = {{ kuryr_cni_link_interface }} + + [kubernetes] + + # + # From kuryr_kubernetes + # + + # The root URL of the Kubernetes API (string value) + api_root = {{ openshift.master.api_url }} + + # The token to talk to the k8s API + token_file = /etc/kuryr/token + + # Absolute path to ca cert file to connect to HTTPS K8S_API (string value) + ssl_ca_crt_file = /etc/kuryr/ca.crt + + # HTTPS K8S_API server identity verification (boolean value) + # TODO (apuimedo): Make configurable + ssl_verify_server_crt = True diff --git a/roles/kuryr/templates/controller-deployment.yaml.j2 b/roles/kuryr/templates/controller-deployment.yaml.j2 new file mode 100644 index 000000000..d970270b5 --- /dev/null +++ b/roles/kuryr/templates/controller-deployment.yaml.j2 
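Review bot: `password = {{ kuryr_openstack_password }}` in the `[neutron]` section stores the OpenStack credential in a ConfigMap, which is readable by anything with `get configmaps` in `kube-system` and is also mounted into the per-node CNI pods by the cni-daemonset template. Move the credential-bearing `kuryr.conf` into a Secret (volume type `secret:` instead of `configMap:` in the controller deployment) and keep only the credential-free `kuryr-cni.conf` in the ConfigMap the DaemonSet mounts. Minor: `username = {{kuryr_openstack_username }}` is missing the space after `{{`.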
@@ -0,0 +1,40 @@ +# More info about the template: https://docs.openstack.org/kuryr-kubernetes/latest/installation/containerized.html#generating-kuryr-resource-definitions-for-kubernetes + +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + labels: + name: kuryr-controller + name: kuryr-controller + namespace: {{ kuryr_namespace }} +spec: + replicas: 1 + template: + metadata: + labels: + name: kuryr-controller + name: kuryr-controller + spec: + serviceAccountName: kuryr-controller + automountServiceAccountToken: true + hostNetwork: true + containers: + - image: kuryr/controller:latest + imagePullPolicy: IfNotPresent + name: controller + terminationMessagePath: "/dev/termination-log" + # FIXME(dulek): This shouldn't be required, but without it selinux is + # complaining about access to kuryr.conf. + securityContext: + privileged: true + runAsUser: 0 + volumeMounts: + - name: config-volume + mountPath: "/etc/kuryr/kuryr.conf" + subPath: kuryr.conf + volumes: + - name: config-volume + configMap: + name: kuryr-config + defaultMode: 0666 + restartPolicy: Always diff --git a/roles/openshift_gcp/templates/provision.j2.sh b/roles/openshift_gcp/templates/provision.j2.sh index d72a11de1..64c7cd019 100644 --- a/roles/openshift_gcp/templates/provision.j2.sh +++ b/roles/openshift_gcp/templates/provision.j2.sh @@ -313,7 +313,7 @@ fi # wait until all node groups are stable {% for node_group in openshift_gcp_node_group_config %} # wait for stable {{ node_group.name }} -( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed wait-until-stable "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --timeout=300) & +( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed wait-until-stable "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --timeout=600 ) & {% endfor %} 
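Review bot: `defaultMode: 0666` on the `config-volume` makes the mounted `kuryr.conf`, which carries the OpenStack password, world-readable and world-writable inside the pod; a configuration file only needs `defaultMode: 0444`, or `0440` combined with an `fsGroup`. The `privileged: true` plus `runAsUser: 0` block is justified by the FIXME as an SELinux workaround for reading that same file, which is a much larger grant than the problem requires; if the mode change above resolves the access, the privileged context can go. As with the CNI DaemonSet, `kuryr/controller:latest` should be pinned to a tag or digest.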
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index 6e7e2557f..6aff89dbf 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -98,8 +98,6 @@ openshift_logging_es_storage_group: "65534" openshift_logging_es_nodeselector: {} # openshift_logging_es_config is a hash to be merged into the defaults for the elasticsearch.yaml openshift_logging_es_config: {} -openshift_logging_es_number_of_shards: 1 -openshift_logging_es_number_of_replicas: 0 # for exposing es to external (outside of the cluster) clients openshift_logging_es_allow_external: False diff --git a/roles/openshift_logging/filter_plugins/openshift_logging.py b/roles/openshift_logging/filter_plugins/openshift_logging.py index 330e7e59a..959573635 100644 --- a/roles/openshift_logging/filter_plugins/openshift_logging.py +++ b/roles/openshift_logging/filter_plugins/openshift_logging.py @@ -17,6 +17,22 @@ def es_storage(os_logging_facts, dc_name, pvc_claim, root='elasticsearch'): return dict(kind='emptydir') +def walk(source, path, default, delimiter='.'): + '''Walk the sourch hash given the path and return the value or default if not found''' + if not isinstance(source, dict): + raise RuntimeError('The source is not a walkable dict: {} path: {}'.format(source, path)) + keys = path.split(delimiter) + max_depth = len(keys) + cur_depth = 0 + while cur_depth < max_depth: + if keys[cur_depth] in source: + source = source[keys[cur_depth]] + cur_depth = cur_depth + 1 + else: + return default + return source + + def random_word(source_alpha, length): ''' Returns a random word given the source of characters to pick from and resulting length ''' return ''.join(random.choice(source_alpha) for i in range(length)) 
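Review bot: `walk` only checks that the top-level `source` is a dict; when an intermediate value is a list the `in` test passes for matching elements and the subsequent `source[keys[cur_depth]]` raises `TypeError`, and when it is a string the `in` test becomes a substring match before failing the same way. Guard each step instead: `if isinstance(source, dict) and keys[cur_depth] in source:`, so a path that runs into a scalar returns `default` as the docstring promises. The docstring also misspells "source" as "sourch".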
@@ -73,5 +89,6 @@ class FilterModule(object): 'map_from_pairs': map_from_pairs, 'es_storage': es_storage, 'serviceaccount_name': serviceaccount_name, - 'serviceaccount_namespace': serviceaccount_namespace + 'serviceaccount_namespace': serviceaccount_namespace, + 'walk': walk } diff --git a/roles/openshift_logging/filter_plugins/test b/roles/openshift_logging/filter_plugins/test new file mode 100644 index 000000000..3ad956cca --- /dev/null +++ b/roles/openshift_logging/filter_plugins/test @@ -0,0 +1,34 @@ +import unittest +from openshift_logging import walk + +class TestFilterMethods(unittest.TestCase): + + + def test_walk_find_key(self): + source = {'foo': {'bar.xyz': 'myvalue'}} + self.assertEquals(walk(source,'foo#bar.xyz', 123, delimiter='#'), 'myvalue') + + + def test_walk_return_default(self): + source = {'foo': {'bar.xyz': 'myvalue'}} + self.assertEquals(walk(source,'foo#bar.abc', 123, delimiter='#'), 123) + + + def test_walk_limit_max_depth(self): + source = {'foo': {'bar.xyz': 'myvalue'}} + self.assertEquals(walk(source,'foo#bar.abc#dontfindme', 123, delimiter='#'), 123) + + def test_complex_hash(self): + source = { + 'elasticsearch': { + 'configmaps': { + 'logging-elasticsearch': { + 'elasticsearch.yml': "a string value" + } + } + } + } + self.assertEquals(walk(source,'elasticsearch#configmaps#logging-elasticsearch#elasticsearch.yml', 123, delimiter='#'), "a string value") + +if __name__ == '__main__': + unittest.main() diff --git a/roles/openshift_logging/library/openshift_logging_facts.py b/roles/openshift_logging/library/openshift_logging_facts.py index f10df8da5..98d0d1c4f 100644 --- a/roles/openshift_logging/library/openshift_logging_facts.py +++ b/roles/openshift_logging/library/openshift_logging_facts.py 
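Review bot: The new test module is named `test` with no `.py` suffix, so neither `unittest discover` nor pytest will collect it and the `walk` tests never run in CI; give it a `test_*.py` name in the directory the project's tox configuration scans. `assertEquals` is the deprecated alias; use `assertEqual`. The bare `from openshift_logging import walk` also presumes the `filter_plugins` directory is on `sys.path`, which holds only when the tests are launched from that directory.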
@@ -207,7 +207,7 @@ class OpenshiftLoggingFacts(OCBaseCommand): def facts_for_configmaps(self, namespace): ''' Gathers facts for configmaps in logging namespace ''' self.default_keys_for("configmaps") - a_list = self.oc_command("get", "configmaps", namespace=namespace, add_options=["-l", LOGGING_SELECTOR]) + a_list = self.oc_command("get", "configmaps", namespace=namespace) if len(a_list["items"]) == 0: return for item in a_list["items"]: diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index 21fd79c28..efc3b97aa 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml @@ -78,6 +78,7 @@ openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_nodeselector if item.0.nodeSelector | default(None) is none else item.0.nodeSelector }}" openshift_logging_elasticsearch_storage_group: "{{ [openshift_logging_es_storage_group] if item.0.storageGroups | default([]) | length == 0 else item.0.storageGroups }}" _es_containers: "{{item.0.containers}}" + _es_configmap: "{{ openshift_logging_facts | walk('elasticsearch#configmaps#logging-elasticsearch#elasticsearch.yml', '{}', delimiter='#') | from_yaml }}" with_together: - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() }}" 
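Review bot: Dropping `-l LOGGING_SELECTOR` from the `oc get configmaps` call means `facts_for_configmaps` now records every ConfigMap in the namespace, not just the logging-labelled ones, so any consumer that iterates the `configmaps` facts will see unrelated objects. If the goal is to pick up an `elasticsearch.yml` ConfigMap that lacks the label, filter on the expected names after the fetch rather than removing the selector. The rest of `facts_for_configmaps` is outside this hunk, so I cannot see whether later code already narrows the set.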
@@ -141,7 +142,10 @@ openshift_logging_es_hostname: "{{ openshift_logging_es_ops_hostname }}" openshift_logging_es_edge_term_policy: "{{ openshift_logging_es_ops_edge_term_policy | default('') }}" openshift_logging_es_allow_external: "{{ openshift_logging_es_ops_allow_external }}" + openshift_logging_es_number_of_shards: "{{ openshift_logging_es_ops_number_of_shards | default(None) }}" + openshift_logging_es_number_of_replicas: "{{ openshift_logging_es_ops_number_of_replicas | default(None) }}" _es_containers: "{{item.0.containers}}" + _es_configmap: "{{ openshift_logging_facts | walk('elasticsearch_ops#configmaps#logging-elasticsearch-ops#elasticsearch.yml', '{}', delimiter='#') | from_yaml }}" with_together: - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.values() }}" diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index aeff2d198..44f6b00f3 100644 --- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml 
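Review bot: `openshift_logging_es_number_of_shards: "{{ openshift_logging_es_ops_number_of_shards | default(None) }}"` is a quoted template, and a `None` result may be rendered as the string `None` rather than a null depending on the Ansible version; the string is truthy, so the `| default(None) or __es_num_of_shards` fallback added in openshift_logging_elasticsearch/tasks/main.yaml would never fire and Elasticsearch would receive `None` as a shard count. Using `| default('')` for both shard and replica vars gives an empty string that is falsy in Jinja on every version, making the `or` fallback reliable. The same applies to the replicas line directly below.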
@@ -164,13 +164,17 @@ when: es_logging_contents is undefined changed_when: no +- set_fact: + __es_num_of_shards: "{{ _es_configmap | default({}) | walk('index.number_of_shards', '1') }}" + __es_num_of_replicas: "{{ _es_configmap | default({}) | walk('index.number_of_replicas', '0') }}" + - template: src: elasticsearch.yml.j2 dest: "{{ tempdir }}/elasticsearch.yml" vars: allow_cluster_reader: "{{ openshift_logging_elasticsearch_ops_allow_cluster_reader | lower | default('false') }}" - es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(1) }}" - es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(0) }}" + es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(None) or __es_num_of_shards }}" + es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(None) or __es_num_of_replicas }}" es_kibana_index_mode: "{{ openshift_logging_elasticsearch_kibana_index_mode | default('unique') }}" when: es_config_contents is undefined diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index b6875ebd4..3da861d03 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -46,6 +46,9 @@ r_openshift_master_use_nuage: "{{ r_openshift_master_use_nuage_default }}" r_openshift_master_use_contiv_default: "{{ openshift_use_contiv | default(False) }}" r_openshift_master_use_contiv: "{{ r_openshift_master_use_contiv_default }}" +r_openshift_master_use_kuryr_default: "{{ openshift_use_kuryr | default(False) }}" +r_openshift_master_use_kuryr: "{{ r_openshift_master_use_kuryr_default }}" + r_openshift_master_data_dir_default: "{{ openshift_data_dir | default('/var/lib/origin') }}" r_openshift_master_data_dir: "{{ r_openshift_master_data_dir_default }}" diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 7159ccc7f..40775571f 100644 
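Review bot: The `or` fallback in the new `es_number_of_shards` and `es_number_of_replicas` vars treats an explicit `0` as unset, so an inventory value of `openshift_logging_es_number_of_replicas: 0` is silently replaced by the configmap-derived `__es_num_of_replicas`, and zero replicas is a realistic setting for a single-node cluster. A defined-and-not-none test preserves zero: `es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas if (openshift_logging_es_number_of_replicas | default(None)) is not none else __es_num_of_replicas }}"`, with the same shape for shards. The `set_fact` values are most likely rendered as strings, so the template should not rely on them being integers.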
--- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -179,7 +179,7 @@ masterPublicURL: {{ openshift.master.public_api_url }} networkConfig: clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }} hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }} -{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_sdn_network_plugin_name == 'cni' %} +{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_use_kuryr or r_openshift_master_sdn_network_plugin_name == 'cni' %} networkPluginName: {{ r_openshift_master_sdn_network_plugin_name_default }} {% endif %} # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index b310a8f64..b9f16dfd4 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -104,6 +104,9 @@ openshift_node_use_nuage: "{{ openshift_node_use_nuage_default }}" openshift_node_use_contiv_default: "{{ openshift_use_contiv | default(False) }}" openshift_node_use_contiv: "{{ openshift_node_use_contiv_default }}" +openshift_node_use_kuryr_default: "{{ openshift_use_kuryr | default(False) }}" +openshift_node_use_kuryr: "{{ openshift_node_use_kuryr_default }}" + openshift_node_data_dir_default: "{{ openshift_data_dir | default('/var/lib/origin') }}" openshift_node_data_dir: "{{ openshift_node_data_dir_default }}" diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 08e1c7f4f..718d35dca 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 
@@ -44,7 +44,7 @@ networkPluginName: {{ openshift_node_sdn_network_plugin_name }} # deprecates networkPluginName above. The two should match. networkConfig: mtu: {{ openshift.node.sdn_mtu }} -{% if openshift_node_use_openshift_sdn | bool or openshift_node_use_nuage | bool or openshift_node_use_contiv | bool or openshift_node_sdn_network_plugin_name == 'cni' %} +{% if openshift_node_use_openshift_sdn | bool or openshift_node_use_nuage | bool or openshift_node_use_contiv | bool or openshift_node_use_kuryr | bool or openshift_node_sdn_network_plugin_name == 'cni' %} networkPluginName: {{ openshift_node_sdn_network_plugin_name }} {% endif %} {% if openshift.node.set_node_ip | bool %} @@ -67,9 +67,11 @@ servingInfo: {% endfor %} {% endif %} volumeDirectory: {{ openshift_node_data_dir }}/openshift.local.volumes +{% if not (openshift_node_use_kuryr | default(False)) | bool %} proxyArguments: proxy-mode: - {{ openshift.node.proxy_mode }} +{% endif %} volumeConfig: localQuota: perFSGroup: {{ openshift.node.local_quota_per_fsgroup }} diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml index 4abe8bcaf..ef66bf9ca 100644 --- a/roles/openshift_node_certificates/handlers/main.yml +++ b/roles/openshift_node_certificates/handlers/main.yml 
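Review bot: The new `proxyArguments` guard tests `openshift_node_use_kuryr | default(False)` while the `networkPluginName` condition earlier in this file uses the bare `openshift_node_use_kuryr | bool`; since the variable is given a default in openshift_node/defaults/main.yml in this same change, the `default(False)` is redundant and the two conditions should read the same way, `{% if not (openshift_node_use_kuryr | bool) %}`. A template comment explaining why kube-proxy arguments are omitted under Kuryr would help the next reader, e.g. `{# proxyArguments are not rendered with Kuryr: <reason> #}`.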
@@ -2,9 +2,21 @@ - name: update ca trust command: update-ca-trust notify: - - restart docker after updating ca trust + - check for container runtime after updating ca trust -- name: restart docker after updating ca trust +- name: check for container runtime after updating ca trust + command: > + systemctl -q is-active {{ openshift.docker.service_name }}.service + register: l_docker_installed + # An rc of 0 indicates that the container runtime service is + # running. We will restart it by notifying the restart handler since + # we have updated the system CA trust. + changed_when: l_docker_installed.rc == 0 + failed_when: false + notify: + - restart container runtime after updating ca trust + +- name: restart container runtime after updating ca trust systemd: name: "{{ openshift.docker.service_name }}" state: restarted diff --git a/roles/openshift_prometheus/defaults/main.yaml b/roles/openshift_prometheus/defaults/main.yaml index ab3d4e31e..c08bec4cb 100644 --- a/roles/openshift_prometheus/defaults/main.yaml +++ b/roles/openshift_prometheus/defaults/main.yaml 
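Review bot: The registered variable `l_docker_installed` records whether the service is active (`systemctl is-active`), not whether it is installed, and the comment below it says as much; naming it for what it holds avoids the next reader treating it as an install check: `register: l_container_runtime_active` and `changed_when: l_container_runtime_active.rc == 0`. With `failed_when: false`, any non-zero rc, including one caused by a mis-templated `openshift.docker.service_name`, silently skips the restart after the CA trust update, so consider narrowing `failed_when` to the exit codes that mean "inactive" rather than suppressing every failure; check the systemctl exit codes you rely on.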
@@ -21,19 +21,19 @@ openshift_prometheus_storage_type: pvc openshift_prometheus_pvc_name: prometheus openshift_prometheus_pvc_size: "{{ openshift_prometheus_storage_volume_size | default('10Gi') }}" openshift_prometheus_pvc_access_modes: [ReadWriteOnce] -openshift_prometheus_pvc_pv_selector: "{{ openshift_prometheus_storage_labels | default('') }}" +openshift_prometheus_pvc_pv_selector: "{{ openshift_prometheus_storage_labels | default({}) }}" openshift_prometheus_alertmanager_storage_type: pvc openshift_prometheus_alertmanager_pvc_name: prometheus-alertmanager openshift_prometheus_alertmanager_pvc_size: "{{ openshift_prometheus_alertmanager_storage_volume_size | default('10Gi') }}" openshift_prometheus_alertmanager_pvc_access_modes: [ReadWriteOnce] -openshift_prometheus_alertmanager_pvc_pv_selector: "{{ openshift_prometheus_alertmanager_storage_labels | default('') }}" +openshift_prometheus_alertmanager_pvc_pv_selector: "{{ openshift_prometheus_alertmanager_storage_labels | default({}) }}" openshift_prometheus_alertbuffer_storage_type: pvc openshift_prometheus_alertbuffer_pvc_name: prometheus-alertbuffer openshift_prometheus_alertbuffer_pvc_size: "{{ openshift_prometheus_alertbuffer_storage_volume_size | default('10Gi') }}" openshift_prometheus_alertbuffer_pvc_access_modes: [ReadWriteOnce] -openshift_prometheus_alertbuffer_pvc_pv_selector: "{{ openshift_prometheus_alertbuffer_storage_labels | default('') }}" +openshift_prometheus_alertbuffer_pvc_pv_selector: "{{ openshift_prometheus_alertbuffer_storage_labels | default({}) }}" # container resources openshift_prometheus_cpu_limit: null diff --git a/roles/openshift_prometheus/templates/prometheus_deployment.j2 b/roles/openshift_prometheus/templates/prometheus_deployment.j2 index 98c117f19..66eab6df4 100644 --- a/roles/openshift_prometheus/templates/prometheus_deployment.j2 +++ b/roles/openshift_prometheus/templates/prometheus_deployment.j2 
@@ -38,7 +38,7 @@ spec: cpu: "{{openshift_prometheus_oauth_proxy_cpu_requests}}" {% endif %} limits: -{% if openshift_prometheus_memory_requests_limit_proxy is defined and openshift_prometheus_oauth_proxy_memory_limit is not none %} +{% if openshift_prometheus_oauth_proxy_memory_limit is defined and openshift_prometheus_oauth_proxy_memory_limit is not none %} memory: "{{openshift_prometheus_oauth_proxy_memory_limit}}" {% endif %} {% if openshift_prometheus_oauth_proxy_cpu_limit is defined and openshift_prometheus_oauth_proxy_cpu_limit is not none %} diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index 71e21a269..56b2d1463 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -4,22 +4,23 @@ metadata: name: service-catalog objects: -- kind: ClusterRole - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRole metadata: name: servicecatalog-serviceclass-viewer rules: - apiGroups: - servicecatalog.k8s.io resources: - - serviceclasses + - clusterserviceclasses + - clusterserviceplans verbs: - list - watch - get -- kind: ClusterRoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRoleBinding metadata: name: servicecatalog-serviceclass-viewer-binding roleRef: @@ -37,8 +38,8 @@ objects: metadata: name: service-catalog-apiserver -- kind: ClusterRole - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRole metadata: name: sar-creator rules: 
@@ -49,17 +50,19 @@ objects: verbs: - create -- kind: ClusterRoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRoleBinding metadata: name: service-catalog-sar-creator-binding roleRef: name: sar-creator - userNames: - - system:serviceaccount:kube-service-catalog:service-catalog-apiserver + subjects: + - kind: ServiceAccount + name: service-catalog-apiserver + namespace: kube-service-catalog -- kind: ClusterRole - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRole metadata: name: namespace-viewer rules: @@ -72,26 +75,30 @@ objects: - watch - get -- kind: ClusterRoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRoleBinding metadata: name: service-catalog-namespace-viewer-binding roleRef: name: namespace-viewer - userNames: - - system:serviceaccount:kube-service-catalog:service-catalog-apiserver + subjects: + - kind: ServiceAccount + name: service-catalog-apiserver + namespace: kube-service-catalog -- kind: ClusterRoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRoleBinding metadata: name: service-catalog-controller-namespace-viewer-binding roleRef: name: namespace-viewer - userNames: - - system:serviceaccount:kube-service-catalog:service-catalog-controller + subjects: + - kind: ServiceAccount + name: service-catalog-controller + namespace: kube-service-catalog -- kind: ClusterRole - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRole metadata: name: service-catalog-controller rules: @@ -102,6 +109,7 @@ objects: verbs: - create - update + - patch - delete - get - list 
@@ -109,19 +117,22 @@ objects: - apiGroups: - servicecatalog.k8s.io resources: - - brokers/status - - instances/status - - bindings/status + - clusterservicebrokers/status + - serviceinstances/status + - servicebindings/status + - servicebindings/finalizers + - serviceinstances/reference verbs: - update - apiGroups: - servicecatalog.k8s.io resources: - - brokers - - instances - - bindings + - clusterservicebrokers + - serviceinstances + - servicebindings verbs: - list + - get - watch - apiGroups: - "" @@ -133,7 +144,8 @@ objects: - apiGroups: - servicecatalog.k8s.io resources: - - serviceclasses + - clusterserviceclasses + - clusterserviceplans verbs: - create - delete @@ -154,17 +166,19 @@ objects: - list - watch -- kind: ClusterRoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRoleBinding metadata: name: service-catalog-controller-binding roleRef: name: service-catalog-controller - userNames: - - system:serviceaccount:kube-service-catalog:service-catalog-controller - -- kind: Role - apiVersion: v1 + subjects: + - kind: ServiceAccount + name: service-catalog-controller + namespace: kube-service-catalog + +- apiVersion: authorization.openshift.io/v1 + kind: Role metadata: name: endpoint-accessor rules: 
@@ -179,21 +193,25 @@ objects: - create - update -- kind: RoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: RoleBinding metadata: - name: endpoint-accessor-binding + name: endpointer-accessor-binding roleRef: name: endpoint-accessor namespace: kube-service-catalog - userNames: - - system:serviceaccount:kube-service-catalog:service-catalog-controller + subjects: + - kind: ServiceAccount + namespace: kube-service-catalog + name: service-catalog-controller -- kind: ClusterRoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: ClusterRoleBinding metadata: name: system:auth-delegator-binding roleRef: name: system:auth-delegator - userNames: - - system:serviceaccount:kube-service-catalog:service-catalog-apiserver + subjects: + - kind: ServiceAccount + name: service-catalog-apiserver + namespace: kube-service-catalog diff --git a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml index f6ee0955d..e1af51ce6 100644 --- a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml @@ -4,8 +4,8 @@ metadata: name: kube-system-service-catalog objects: -- kind: Role - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: Role metadata: name: extension-apiserver-authentication-reader namespace: ${KUBE_SYSTEM_NAMESPACE} 
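Review bot: The RoleBinding is renamed from `endpoint-accessor-binding` to `endpointer-accessor-binding`, which reads as a typo rather than an intended rename; if it stands, clusters that already carry the old binding keep it alongside the new one, since nothing in this change removes it, and both grant `endpoint-accessor`. Keep `name: endpoint-accessor-binding`, or add the old name to remove.yml. The subjects entry here also lists `namespace` before `name`, unlike every other binding in this file; reorder for consistency.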
@@ -19,16 +19,18 @@ objects: verbs: - get -- kind: RoleBinding - apiVersion: v1 +- apiVersion: authorization.openshift.io/v1 + kind: RoleBinding metadata: name: extension-apiserver-authentication-reader-binding namespace: ${KUBE_SYSTEM_NAMESPACE} roleRef: name: extension-apiserver-authentication-reader - namespace: kube-system - userNames: - - system:serviceaccount:kube-service-catalog:service-catalog-apiserver + namespace: ${KUBE_SYSTEM_NAMESPACE} + subjects: + - kind: ServiceAccount + name: service-catalog-apiserver + namespace: kube-service-catalog parameters: - description: Do not change this value. diff --git a/roles/openshift_service_catalog/tasks/generate_certs.yml b/roles/openshift_service_catalog/tasks/generate_certs.yml index cc897b032..416bdac70 100644 --- a/roles/openshift_service_catalog/tasks/generate_certs.yml +++ b/roles/openshift_service_catalog/tasks/generate_certs.yml @@ -36,19 +36,28 @@ - name: tls.key path: "{{ generated_certs_dir }}/apiserver.key" +- name: Create service-catalog-ssl secret + oc_secret: + state: present + name: service-catalog-ssl + namespace: kube-service-catalog + files: + - name: tls.crt + path: "{{ generated_certs_dir }}/apiserver.crt" + - slurp: src: "{{ generated_certs_dir }}/ca.crt" register: apiserver_ca - shell: > - oc get apiservices.apiregistration.k8s.io/v1alpha1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found" + oc get apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found" register: get_apiservices changed_when: no - name: Create api service oc_obj: state: present - name: v1alpha1.servicecatalog.k8s.io + name: v1beta1.servicecatalog.k8s.io kind: apiservices.apiregistration.k8s.io namespace: "kube-service-catalog" content: 
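Review bot: The new `service-catalog-ssl` secret (tls.crt only) is not consumed anywhere in this change: the volume added in controller_manager.j2 is named `service-catalog-ssl` but points at `secretName: apiserver-ssl` and projects `tls.crt` out of that secret instead. Either the volume should read `secretName: service-catalog-ssl`, so the controller-manager only references the certificate-only secret rather than the one that also holds the key, or this task is dead and should be dropped; if `apiserver-ssl` is intended, a comment on the task saying what `service-catalog-ssl` is for is needed.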
@@ -57,10 +66,10 @@ apiVersion: apiregistration.k8s.io/v1beta1 kind: APIService metadata: - name: v1alpha1.servicecatalog.k8s.io + name: v1beta1.servicecatalog.k8s.io spec: group: servicecatalog.k8s.io - version: v1alpha1 + version: v1beta1 service: namespace: "kube-service-catalog" name: apiserver diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index e202ae173..1e94c8c5d 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml 
@@ -90,14 +90,14 @@ vars: original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" when: - - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) # only do this if we don't already have the updated role info - name: update edit role for service catalog and pod preset access command: > oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml when: - - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) - oc_obj: name: admin 
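Review bot: The same `oo_contains_rule(...)` condition is repeated verbatim on two tasks here, and twice more in the admin-role hunk that follows, so the resource names `serviceinstances`/`servicebindings` now have to be kept in sync in four places. Compute it once after `edit_yaml` is registered, e.g. a `set_fact` of `_edit_role_needs_sc_update` holding the existing expression, then `when: _edit_role_needs_sc_update | bool` on both tasks, and the same for `admin_yaml`.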
@@ -113,14 +113,14 @@ vars: original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" when: - - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) # only do this if we don't already have the updated role info - name: update admin role for service catalog and pod preset access command: > oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml when: - - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) - oc_adm_policy_user: namespace: kube-service-catalog diff --git a/roles/openshift_service_catalog/tasks/remove.yml b/roles/openshift_service_catalog/tasks/remove.yml index 2fb1ec440..96ae61507 100644 --- a/roles/openshift_service_catalog/tasks/remove.yml +++ b/roles/openshift_service_catalog/tasks/remove.yml 
@@ -1,7 +1,7 @@ --- - name: Remove Service Catalog APIServer command: > - oc delete apiservices.apiregistration.k8s.io/v1alpha1.servicecatalog.k8s.io --ignore-not-found -n kube-service-catalog + oc delete apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io --ignore-not-found -n kube-service-catalog - name: Remove Policy Binding command: > @@ -13,7 +13,7 @@ # state: absent # namespace: "kube-service-catalog" # kind: apiservices.apiregistration.k8s.io -# name: v1alpha1.servicecatalog.k8s.io +# name: v1beta1.servicecatalog.k8s.io - name: Remove Service Catalog API Server route oc_obj: diff --git a/roles/openshift_service_catalog/templates/api_server.j2 b/roles/openshift_service_catalog/templates/api_server.j2 index c09834fd4..5d5352c1c 100644 --- a/roles/openshift_service_catalog/templates/api_server.j2 +++ b/roles/openshift_service_catalog/templates/api_server.j2 @@ -41,7 +41,9 @@ spec: - --cors-allowed-origins - {{ cors_allowed_origin }} - --admission-control - - "KubernetesNamespaceLifecycle" + - KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck + - --feature-gates + - OriginatingIdentity=true image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }} command: ["/usr/bin/apiserver"] imagePullPolicy: Always diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2 index 1bbc0fa2c..2272cbb44 100644 --- a/roles/openshift_service_catalog/templates/controller_manager.j2 +++ b/roles/openshift_service_catalog/templates/controller_manager.j2 
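Review bot: The removal now deletes only the `v1beta1.servicecatalog.k8s.io` APIService; a cluster installed with the previous version of this role still has `v1alpha1.servicecatalog.k8s.io` registered, which this task no longer cleans up if that upgrade path is supported. A second line, `oc delete apiservices.apiregistration.k8s.io/v1alpha1.servicecatalog.k8s.io --ignore-not-found -n kube-service-catalog`, keeps removal complete for both. The commented-out `oc_obj` block further down carries the same name change and should be deleted if it is not coming back.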
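Review bot: `--feature-gates OriginatingIdentity=true` is presumably only useful when the controller-manager enables the same gate, which controller_manager.j2 does in this change, but nothing ties the two sites together; a template comment above the flag, `{# must match --feature-gates in controller_manager.j2 #}`, makes the coupling visible. The admission-control list has also grown from one plugin to five on a single line, and a comment naming what `BrokerAuthSarCheck` is expected to enforce would help whoever next edits this list.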
@@ -31,7 +31,12 @@ spec: args: - -v - "5" - - "--leader-election-namespace=$(K8S_NAMESPACE)" + - --leader-election-namespace + - kube-service-catalog + - --broker-relist-interval + - "5m" + - --feature-gates + - OriginatingIdentity=true image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }} command: ["/usr/bin/controller-manager"] imagePullPolicy: Always @@ -41,7 +46,19 @@ spec: protocol: TCP resources: {} terminationMessagePath: /dev/termination-log + volumeMounts: + - mountPath: /var/run/kubernetes-service-catalog + name: service-catalog-ssl + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always securityContext: {} terminationGracePeriodSeconds: 30 + volumes: + - name: service-catalog-ssl + secret: + defaultMode: 420 + items: + - key: tls.crt + path: apiserver.crt + secretName: apiserver-ssl diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml index 54008bbf1..6a532a206 100644 --- a/roles/template_service_broker/tasks/install.yml +++ b/roles/template_service_broker/tasks/install.yml @@ -6,7 +6,7 @@ - "{{ openshift_deployment_type | default(deployment_type) }}.yml" - "default_images.yml" -- name: set ansible_service_broker facts +- name: set template_service_broker facts set_fact: template_service_broker_prefix: "{{ template_service_broker_prefix | default(__template_service_broker_prefix) }}" template_service_broker_version: "{{ template_service_broker_version | default(__template_service_broker_version) }}" @@ -76,7 +76,7 @@ when: openshift_master_config_dir is undefined - slurp: - src: "{{ openshift_master_config_dir }}/ca.crt" + src: "{{ openshift_master_config_dir }}/service-signer.crt" register: __ca_bundle # Register with broker |
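Review bot: `--leader-election-namespace` changes from `$(K8S_NAMESPACE)` to the literal `kube-service-catalog`; if the `K8S_NAMESPACE` env entry that fed the old value is still present in this container spec outside the hunk, it is now dead and should be removed. The namespace is also hard-coded in the RoleBinding files in this change, so a short comment here noting that the namespace is fixed would stop a future reader re-parameterising only one site. Among the new args only `"5m"` is quoted; use `- 5m` or quote all values for consistency.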