summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFilesLines
* Update deployment and apiserver with new certsJeff Peeler2018-01-103-6/+4
| | | | | | | | | | | Since new certificates are generated for every run, the apiservice caBundle needs updating in order to have the on disk CA match what is in Kubernetes. Because the secrets are updated, the daemonset needs to do a rolling update for the api server to pick up the new certs. Implemented here is an added annotation to the api server such that the update occurs automatically when the CA is changed.
* Merge pull request #6553 from ↵Michael Gugino2018-01-101-24/+14
|\ | | | | | | | | mgugino-upstream-stage/node-reduce-package-commands Install node packages in one task instead of 3
| * Install node packages in one task instead of 3Michael Gugino2018-01-041-24/+14
| | | | | | | | | | This commit reduces the number of package tasks from 3 to 1.
* | Merge pull request #6674 from mgugino-upstream-stage/remove-becomes2Scott Dodson2018-01-1015-36/+19
|\ \ | | | | | | Remove become statements
| * | Chmod temp dirs created on localhostMichael Gugino2018-01-094-6/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After remove become:no statements on local_action tasks, we need to ensure that the proper file permssions are applied to local temp directories. This reason for this is that the 'fetch' module does not use 'become' for the localhost, just the remote host. Additionally, users may not wish for the localhost to become during a fetch. local_action will execute with whatever permissions are specified in inventory or via cli.
| * | Remove become statementsMichael Gugino2018-01-0913-30/+3
| | | | | | | | | | | | | | | This commit removes become:no statements that break the installer in various ways.
* | | Merge pull request #6671 from mgugino-upstream-stage/upgrade-cp-scopeOpenShift Merge Robot2018-01-109-234/+158
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Limit host group scope on control-plane upgrades This commit limits common init code to exclude oo_nodes_to_config during upgrade_control_plane runs.
| * | | Refactor version and move some checks into sanity_checks.pyMichael Gugino2018-01-099-234/+158
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit changes how we handle openshift_version role. Most of the version initialization code is only run on the first master now. All other hosts have values set from the master. Aftwards, we run some basic RPM queries to ensure that the correct version is available on the other nodes. Containerized needs to do their own image checks elsewhere.
* | | Merge pull request #6602 from ewolinetz/es_full_cluster_restartOpenShift Merge Robot2018-01-106-1/+117
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Adding logic to do a full cluster restart if we are incrementing our … …major versions of ES This will help with the upgrade from 2.x to 5.x for ES, it also fixes something I came across with the handler on 3.7 where it checks the prior deployed version of the ES pod rather than the new one.
| * | | Adding logic to disable and reenable external communication to ES during ↵Eric Wolinetz2018-01-052-2/+35
| | | | | | | | | | | | | | | | full restart
| * | | Adding logic to do a full cluster restart if we are incrementing our major ↵Eric Wolinetz2018-01-036-1/+84
| | | | | | | | | | | | | | | | versions of ES
* | | | Merge pull request #5853 from imcsk8/flannel-iptablesOpenShift Merge Robot2018-01-092-0/+14
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Add iptables rules for flannel [WIP] When using flannel there are iptables rules that need to be added as stated here: https://access.redhat.com/documentation/en-us/reference_architectures/2017/html-single/deploying_red_hat_openshift_container_platform_3.4_on_red_hat_openstack_platform_10/#run_ansible_installer Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1493955
| * | | | Add iptables save handlerIvan Chavero2018-01-081-0/+4
| | | | |
| * | | | Fix wrong indentationIvan Chavero2017-10-271-2/+2
| | | | |
| * | | | Fix yaml indentationIvan Chavero2017-10-271-2/+2
| | | | |
| * | | | Add iptables rules for flannelIvan Chavero2017-10-231-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [WIP] When using flannel there are iptables rules that need to be added as stated here: https://access.redhat.com/documentation/en-us/reference_architectures/2017/html-single/deploying_red_hat_openshift_container_platform_3.4_on_red_hat_openstack_platform_10/#run_ansible_installer Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1493955
* | | | | Merge pull request #6658 from mgugino-upstream-stage/containerized_boolsOpenShift Merge Robot2018-01-094-4/+4
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. ensure containerized bools are cast
| * | | | | ensure containerized bools are castMichael Gugino2018-01-084-4/+4
| | | | | |
* | | | | | Merge pull request #6646 from giuseppe/fix-container-engine-authOpenShift Merge Robot2018-01-091-0/+6
|\ \ \ \ \ \ | |_|_|_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. container-engine: move registry_auth.yml before pull so that the atomic pull takes into account the credentials if required. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | | container-engine: move registry_auth.yml before pullGiuseppe Scrivano2018-01-081-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | so that the atomic pull takes into account the credentials if required. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #6650 from ↵OpenShift Merge Robot2018-01-091-1/+1
|\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | vrutkovs/containerized_upgrade_set_openshift_use_openshift_sdn Automatic merge from submit-queue. upgrades: use openshift_node_use_openshift_sdn when trying to pre-pull the image This affects 3.8/3.9 upgrades for containerized hosts, if nodes are separate from master.
| * | | | | | Use openshift_node_use_openshift_sdn when doing a containerized node upgradeVadim Rutkovsky2018-01-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Vadim Rutkovsky <vrutkovs@redhat.com>
* | | | | | | Merge pull request #6659 from joelddiaz/ami_and_docker_storage_setupKenny Woodson2018-01-091-1/+1
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | docker storage setup for ami building
| * | | | | | | docker storage setup for ami buildingJoel Diaz2018-01-081-1/+1
| | |_|/ / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add host to g_new_node_hosts so that plays run against the AMI instance update example vars so that overlay2 is used by default for docker storage
* | | | | | | Merge pull request #6660 from mgugino-upstream-stage/fix-logging-staticMichael Gugino2018-01-081-1/+3
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Fix: change import_role to include_role
| * | | | | | | Fix: change import_role to include_roleMichael Gugino2018-01-081-1/+3
| |/ / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It appears that when one role dynamically imports another, usage of import_role inside the dynamically included role is not possible. If something is included with include_role (dynamic), all tasks therein must also use include_role (dynamic).
* | | | | | | Merge pull request #6653 from mgugino-upstream-stage/fix-crio-boolMichael Gugino2018-01-0810-15/+15
|\ \ \ \ \ \ \ | |/ / / / / / |/| | | | | | Properly cast crio boolean variables to bool
| * | | | | | Properly cast crio boolean variables to boolMichael Gugino2018-01-0810-15/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Variables that are specifically booleans should be cast to bool. This is because users may sometimes pass them as string values. This is particularly prevalent when using ini-style inventories. Affected-by: https://github.com/ansible/ansible/issues/34591 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1531592
* | | | | | | Merge pull request #6549 from mgugino-upstream-stage/node-meta-depends2OpenShift Merge Robot2018-01-081-2/+0
|\ \ \ \ \ \ \ | |/ / / / / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Remove last of openshift_node role meta-depends Remove last non-taskless meta-depends from openshift_node role.
| * | | | | | Remove last of openshift_node role meta-dependsMichael Gugino2018-01-021-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove last non-taskless meta-depends from openshift_node role. Remove variable 'openshift_node_upgrade_in_progress' as it is no longer used.
* | | | | | | Merge pull request #6548 from kwoodson/configurable_ami_drive_sizeKenny Woodson2018-01-081-5/+1
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Adding ability to update ami drive size.
| * | | | | | | Adding ability to update ami drive size.Kenny Woodson2017-12-211-5/+1
| |/ / / / / /
* | | | | | | Merge pull request #6624 from vrutkovs/containerized-avoid-replacing-node-unitOpenShift Merge Robot2018-01-081-1/+1
|\ \ \ \ \ \ \ | |_|/ / / / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Don't overwrite node's systemd units for containerized install Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1527849 Perphaps this block should be removed, unless I'm missing some other case for it, as systemd units are being updated in ../systemd_units.yml.
| * | | | | | Don't overwrite node's systemd units for containerized installVadim Rutkovsky2018-01-051-1/+1
| | |_|_|_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | Systemd units are being updated in ../systemd_units.yml Signed-off-by: Vadim Rutkovsky <vrutkovs@redhat.com>
* | | | | | Merge pull request #6641 from sdodson/logging-loopsMichael Gugino2018-01-081-4/+4
|\ \ \ \ \ \ | | | | | | | | | | | | | | Switch back to dynamic include_role in logging loops
| * | | | | | Switch back to dynamic include_role in logging loopsScott Dodson2018-01-071-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We'd switched to import_role to avoid increased memory consumption but we must use include_role whenever we loop.
* | | | | | | Merge pull request #6587 from vrutkovs/test-coverageOpenShift Merge Robot2018-01-081-7/+344
|\ \ \ \ \ \ \ | |_|_|_|/ / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Add more testcases for oc_scale module * Fixed docstrings for tests * Added tests to verify scale up/down, 'present' state, non-existant state and Replication Controller kind
| * | | | | | test_oc_scale: add more scale test casesVadim Rutkovsky2018-01-021-0/+337
| | | | | | |
| * | | | | | test_oc_scale: fix test docstringsVadim Rutkovsky2018-01-021-7/+7
| | | | | | |
* | | | | | | Merge pull request #6507 from nbartos/continerOpenShift Merge Robot2018-01-0751-568/+905
|\ \ \ \ \ \ \ | |_|/ / / / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Contiv multi-master and other fixes Contiv's etcd was not being deployed correctly when using more than one master. To make it easier to manage, it has been moved into a k8s container. The api proxy was hardcoded to an old version (1.1.1), and in some environments would run into a docker error. This has been moved into a k8s container for easier management. The firewall was too permissive on several ports. Many were open to the world when they should have only been accessible inside the cluster. Many of the contiv role variables were not prefixed with 'contiv', which may end up clobbering variables from another role. Now all the contiv specific role variables start with 'contiv_'. The api proxy's default self-signed certificate was bundled with the role. This means someone with read-only MITM access and this key could decrypt traffic. Granted a user defined certificate from a trusted CA should be used in a production environment, it is still better to generate one in each environment when one is not provided.
| * | | | | | Use Contiv version 1.2.0Nick Bartos2018-01-086-8/+14
| | | | | | |
| * | | | | | Contiv multi-master and other fixesNick Bartos2018-01-0850-565/+896
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Contiv's etcd was not being deployed correctly when using more than one master. To make it easier to manage, it has been moved into a k8s container. The api proxy was hardcoded to an old version (1.1.1), and in some environments would run into a docker error. This has been moved into a k8s container for easier management. The firewall was too permissive on several ports. Many were open to the world when they should have only been accessible inside the cluster. Many of the contiv role variables were not prefixed with 'contiv', which may end up clobbering variables from another role. Now all the contiv specific role variables start with 'contiv_'. The api proxy's default self-signed certificate was bundled with the role. This means someone with read-only MITM access and this key could decrypt traffic. Granted a user defined certificate from a trusted CA should be used in a production environment, it is still better to generate one in each environment when one is not provided.
* | | | | | | Merge pull request #6637 from sdodson/missing-openshift-factsMichael Gugino2018-01-071-0/+1
|\ \ \ \ \ \ \ | |/ / / / / / |/| | | | | | Add missing dependency on openshift_facts
| * | | | | | Add missing dependency on openshift_factsScott Dodson2018-01-061-0/+1
| | | | | | |
* | | | | | | Merge pull request #6359 from spadgett/web-console-serverScott Dodson2018-01-0616-0/+250
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Install web console server
| * | | | | | | Install web console serverSamuel Padgett2018-01-0516-0/+250
| | | | | | | |
* | | | | | | | Merge pull request #6597 from mgugino-upstream-stage/etc-remove-become-noOpenShift Merge Robot2018-01-057-54/+43
|\ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. Remove become=no from etcd cert tasks etcd runs some actions locally to copy certs from the CA cert host. We shouldn't hard-code become behavior as it can be unexpected for the end user.
| * | | | | | | | Remove become=no from various roles and tasksMichael Gugino2018-01-055-50/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | etcd runs some actions locally to copy certs from the CA cert host. This commit ensures that we respect the end user's intended behavior with become when using 'anisble_become' in the inventory. Other roles with similar tasks have been modified in the same manner. We shouldn't hard-code become behavior as it can be unexpected for the end user. This only currently works in the CI because the CI passes the '-b' argument on the command line, which will override the task behavior.
| * | | | | | | | Fix docker_image_availability checksMichael Gugino2018-01-052-4/+13
| | |_|_|/ / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit ensures that oreg_url is properly templated by ansible before being consumed in the logic. This commit also adds a method to the base health check class to detect if self._templar is none, and return the appropriate templated/untemplated version of the variable. This is mostly for unit tests.
* | | | | | | | Merge pull request #6511 from fabianvf/asb-origin-prefixScott Dodson2018-01-051-1/+1
|\ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | Add origin- prefix to ASB image