path: root/roles
Commit message [Author, Age, Files, Lines]
* Access UI via a bastion node (#596) [Bogdan Dobrelya, 2017-08-16, 6 files, -5/+64]
|   When using a bastion and a single master, use the lb-secgrp to access UI port allowed from the ingress bastion node cidr. For HA (masters>1), UI still should be accessed via the LB node's ingress cidr, omitting the bastion.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Specify different image names for roles (#637) [Tlacenka, 2017-08-15, 1 file, -6/+6]
|   * all.yml: set up new variables for specifying images for roles
|   * stack_params.yaml: add image name variables for different roles
|   * more roles added
|   * heat_stack.yaml.j2: openstack_image changed to updated image names
|   * README: updated documentation for specifying image names
* Support multiple private networks for static inventory (#604) [Bogdan Dobrelya, 2017-08-15, 2 files, -4/+18]
|   Add openstack_private_network_name to filter by a wanted private network.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Allow using ephemeral volumes for docker storage (#615) [Tomas Sedovic, 2017-08-04, 2 files, -0/+4]
|   For testing cases it's sometimes useful to not create Cinder volumes for the VMs. It can also sometimes be a little faster and more robust (but unfit for production).
|   This adds an option called `ephemeral_volumes` that will use the VM's storage instead of creating volumes when set to true.
* Moving common DNS roles out of the playbook area (#605) [Øystein Bedin, 2017-08-02, 2 files, -0/+107]
|
* Options for bastion, SSH config, static inventory autogeneration [Bogdan Dobrelya, 2017-07-25, 6 files, -10/+187]
|   * At the provisioning stage, allow users to auto-generate SSH config, when using a static inventory.
|   * Run playbooks to provision and post-provision as a separate, when using a bastion. This re-applies the SSH config, which ansible can't do on the fly.
|   * Support a pre-installed bastion node, colocated with the 1st infra node.
|   * With a bastion enabled, reduce floating IP footprint to infra and dns nodes only, effectively isolating a cluster in a private network.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Add bastion and ssh config for the static inventory role [Bogdan Dobrelya, 2017-07-25, 6 files, -2/+78]
|   * Autogenerate SSH config for static inventory and bastion.
|   * When using bastion, use FQDN for inventory's ansible_host and SSH config's Hostname. Simplifies accessing nodes by names instead of private IPs.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Set openshift_hostname explicitly for openstack (#579) [Tomas Sedovic, 2017-07-25, 1 file, -0/+1]
|   This fixes a regression caused by the move to the static inventory. The nodes in `oc get nodes` should be (and had been) identified by their hostnames (e.g. master-0.openshift.example.com), but are now using their internal IP addresses instead.
* Generate static inventory with shade inventory (#538) [Bogdan Dobrelya, 2017-07-20, 6 files, -13/+37]
|   * Autogenerate inventory/hosts when 'inventory: static' (Default), with the shade-inventory tool.
|   * Drop unused anymore: openstack.py and associated GPL notes, an example static inventory, omit manual updates for the inventory DNS names in the deployment guide.
|   * Switch openstack.py formatted inventory hostvars to the shade-inventory format (omit openstack.* from hostvars).
|   * Populate node labels from inventory vars instead of the heat templates combined with inventory vars.
|   * Add app (k8s minions) nodes group for primary node labels.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Include masters into etcd group, when it is empty (#559) [Bogdan Dobrelya, 2017-07-20, 1 file, -0/+1]
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* During provisioning, make unnecessary packages optional under a switch (#561) [Tlacenka, 2017-07-19, 2 files, -0/+9]
|   * openshift-prep: bash-completion and vim-enhanced packages are now optional under install_debug_packages switch
|   * openshift-prep: new line removal
* Add a role to generate a static inventory (#540) [Bogdan Dobrelya, 2017-07-17, 5 files, -0/+154]
|   * Add the static-inventory role that configures the inventory/hosts file by the given path, or creates it for you.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Retry tasks in the subscription manager role (#552) [Tlacenka, 2017-07-17, 1 file, -0/+28]
|   * subscription manager: added 10 retries after 1 second delay
|   * subscription manager: added untils
|   * sub manager: typo
* Set up NetworkManager automatically (#542) [Tomas Sedovic, 2017-07-14, 1 file, -0/+22]
|   * Set up NetworkManager automatically
|   This removes the extra step of running the `openshift-ansible/playbooks/byo/openshift-node/network_manager.yml` before installing openshift. In addition, the playbook relies on a host group that the provisioning doesn't provide (oo_all_hosts).
|   Instead, we set up NetworkManager on CentOS nodes automatically. And we restart it on RHEL (which is necessary for the nodes to pick up the new DNS we configured the subnet with).
|   This makes the provisioning easier and more resilient.
|   * Apply the node-network-manager role to every node
|   It makes the code simpler and more consistent across distros.
* Replace greaterthan and equalto in openstack-stack [Tomas Sedovic, 2017-07-13, 1 file, -4/+4]
|   These two Jinja filters were added in 2.8 which is notably not packaged in CentOS and RHEL. This removes them in favour of the `==` and `>` operators which are available in Jinja 2.7.
* Add defaults values for some openstack vars (#539) [Tomas Sedovic, 2017-07-12, 1 file, -6/+5]
|   * Add defaults values for some openstack vars
|   Ansible shows errors when the `rhsm_register` and `openstack_flat_secgrp` values are not present in the inventory even though they have sensible default values.
|   This makes them both default to false when they're not specified.
|   * Comment out the flat security group option in inv
|   It's no longer required to be there so let's comment it out.
* Merge pull request #525 from bogdando/manage_packages [Tomas Sedovic, 2017-06-30, 2 files, -9/+15]
|\
| |   Manage packages to install/update for openstack provider
| * Manage packages to install/update for openstack provider [Bogdan Dobrelya, 2017-06-30, 2 files, -9/+15]
| |   Allow required packages and yum update all steps to be optionally disabled.
| |   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* | Persist DNS configuration for nodes for openstack provider [Bogdan Dobrelya, 2017-06-30, 3 files, -14/+22]
|/
|   * Firstly, provision a Heat stack with given public resolvers.
|   * After the DNS node configured as an authoritative server, switch the Heat stack's Neutron subnet to that resolver (private_dns_server) the way it to become the first entry pushed into the hosts /etc/resolv.conf. It will be serving the cluster domain requests for OpenShift nodes and workloads.
|   * Drop post-provision /etc/resolv.conf nameserver hacks as not needed anymore.
|   * Fix dns floating IPs output and add the priv IPs output as well.
|   * Update docs, clarify localhost vs servers requirements, add required Network Manager setup step.
|   * Use post-provision task names instead of comments.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Merge pull request #502 from bogdando/sec_groups [Tomas Sedovic, 2017-06-28, 1 file, -13/+4]
|\
| |   Modify sec groups for provisioned openstack servers
| * Modify sec groups for provisioned openstack servers [Bogdan Dobrelya, 2017-06-26, 1 file, -13/+4]
| |   Drop ingress DNS rules from the common secgrp. Add an ingress ICMP rule, restricted by the ssh ingress cidr, to the common secgrp. This allows to ping servers from the control node (ansible admin node). Add dns servers into the common secgrp as well.
| |   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* | Merge pull request #512 from bogdando/undo_infra_secgrp [Tomas Sedovic, 2017-06-28, 1 file, -0/+6]
|\ \
| | |   Put back node/flat secgrp for infra nodes on openstack
| * | Put back node/flat secgrp for infra nodes on openstack [Bogdan Dobrelya, 2017-06-28, 1 file, -0/+6]
| |/
| |   Partially undo 2028883e936c8a1a0be031a19d531d0804a32b68 to unblock end-to-end deployments
| |   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* | Merge pull request #491 from tzumainn/openstack-heat-stack-update [Tomas Sedovic, 2017-06-26, 2 files, -0/+3]
|\ \
| |/
|/|   Add node_removal_policies variable to openstack provisioning to allow for scaling down
| * rename node_removal_policies, add some comments and defaults [Tzu-Mainn Chen, 2017-06-23, 2 files, -2/+2]
| |
| * Add node_removal_policies variable to allow for scaling down [Tzu-Mainn Chen, 2017-06-21, 2 files, -0/+3]
| |
* | Merge pull request #488 from bogdando/fix_flat_sg [Bogdan Dobrelya, 2017-06-23, 1 file, -59/+33]
|\ \
| | |   Fix flat sec group and infra/dns sec rules
| * | Fix flat sec group and infra/dns sec rules [Bogdan Dobrelya, 2017-06-23, 1 file, -59/+33]
| |/
| |   Make flat sec group to only merge node/master/etcd sec rules. Add basic dns/ssh sec group and assign it to all but dns node groups. Assign only dns sec group for dns nodes. Assign only infra (and basic) sec groups for infra nodes. Add security notes for openstack provider.
| |   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* / Use cached facts, do not become for localhost (#484) [Bogdan Dobrelya, 2017-06-21, 1 file, -0/+2]
|/
|   Prohibit sudoing for localhost played tasks, like DNS setup. Re-use cached facts to speed up deployment.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Fix yamllint errors [Tomas Sedovic, 2017-06-16, 7 files, -52/+32]
|
* Drop atomic-openshift-utils, update docs for origin [Bogdan Dobrelya, 2017-06-15, 1 file, -2/+1]
|   TODO use with when: ansible_distribution == 'CentOS'
|   Also update docs for origin
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Add a flat sec group for openstack provider [Bogdan Dobrelya, 2017-06-15, 1 file, -10/+128]
|   Add a openstack_flat_secgroup, defaults to False. When set, merges sec rules for master, node, etcd, infra nodes into a single group. Less secure, but might help to mitigate quota limitations. Update docs.
|   Use timeout 30s to mitigate the error: Timeout (12s) waiting for privilege escalation prompt.
|   Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Always let the openshift nodes access the DNS [Tomas Sedovic, 2017-06-15, 1 file, -0/+15]
|   When `node_ingress_cidr` to limit the IP range for the DNS server, this can prevent the actual openshift nodes from accessing it as well.
|   This commit makes the access from the `openstack_subnet_prefix` always pass through and uses `node_ingress_cidr` for additional access control.
* Move pre_tasks from to the openstack provisioner [Tomas Sedovic, 2017-06-14, 1 file, -38/+0]
|   We should probably not pollute the role namespace with a name as common as "common". Moving the pre_task.yml to provisioners/openstack instead.
* Merge redhat-cop/casl-ansible into openstack-provider [Tomas Sedovic, 2017-06-14, 23 files, -0/+1418]
|\
| |   This imports the openstack provisioning bits of: https://github.com/redhat-cop/casl-ansible taking care to preserve the original history of those files.
| * Update CASL to use nsupdate for DNS records (#48) [Øystein Bedin, 2017-06-13, 5 files, -9/+50]
| |   * Updated to use nsupdate for DNS records
| |   * Updated formatting of dict
| |   * Updating descriptive text
| |   * Support for external DNS config
| |   * Upgrading jinja2 to work correctly with latest templates
| |   * Latest update for nsupdate
| |   * Updated to use nsupdate for DNS records
| |   * Updated formatting of dict
| |   * Updating descriptive text
| |   * Support for external DNS config
| |   * Latest update for nsupdate
| |   * Updated to support external public/private DNS server(s)
| |   * Updated DNS server handling
| |   * Updated DNS server handling
| |   * Updated DNS server handling
| |   * Eliminated the from the sample inventories
| |   * Updated sample inventory to point to 2 separate DNS servers for private/public
| |   * Playbook clean-up
| |   * Adding 'python-dns'
| |   * splitting subscription manager calls to allow for a clean pre-install playbook
| * Conditionally set the openshift_master_default_subdomain to avoid overriding it unnecessary (#47) [Øystein Bedin, 2017-06-05, 1 file, -0/+2]
| * First attempt at a simple multi-master support (#39) [Eric Sauer, 2017-04-27, 2 files, -0/+71]
| |   * First attempt at a simple multi-master support
| |   * Removing unneeded inventory
| |   * adding default number of masters and lower number of nodes
| * Stack refactor (#38) [Eric Sauer, 2017-04-25, 5 files, -286/+184]
| |   * Refactored openstack-stack role to:
| |     - Convert static heat template files to ansible templates
| |     - Include native ansible groups via openstack metadata. This removes the need for a playbook to map host groups
| |     - Some code cleanup
| |   * Deleting commented out code and irrelevant plays
| |   * Refactored openstack-stack role to:
| |     - Convert static heat template files to ansible templates
| |     - Include native ansible groups via openstack metadata. This removes the need for a playbook to map host groups
| |     - Some code cleanup
| |   * Deleting commented out code and irrelevant plays
| |   * Replacing stack parameters with jinja expressions
| |   * Updating sample inventory to work with latest dynamic inventory changes
| |   * updating inventory with host group mapping. making sync keys optional
| |   * Missing cluster_hosts group
| |   * Updating to add infra_hosts
| |   * Updating inventory per comments from oybed and sabre1041
| * Ensure DNS configuration has wildcards set for infra nodes (#24) [Øystein Bedin, 2017-02-20, 1 file, -0/+10]
| |   * Ensure DNS configuration has wildcards set for infra nodes
| |   * Updated to include all cluster hosts for DNS entries
| * Fixing two significant bugs in the HEAT deployment (#13) [Eric Sauer, 2017-02-06, 1 file, -0/+3]
| |
| * Openstack heat (#2) [Eric Sauer, 2016-12-21, 10 files, -0/+956]
| |   * Adding a role to invoke openstack heat
| |   * Adding readme
| |   * Pulling parameters out to inventory file
| |   * start of end-to-end playbook
| |   * More enhancements and refactoring to make dynamic inventory the driver for an openshift install
| |   * Switching to variable substituted path to config.yaml playbook
| |   * Changes to allow defining of number of nodes/infranodes.
| |   * Added labels to inventory
| |   * Start of end-to-end functionality
| |   * Enhancements to support openstack heat provisioning
| |   * Updating inventory sample to remove some deprecation warnings
| |   * Working towards making the secure-registry role 'become' aware
| |   * Fixing node labels and removing secure-registry as it's no longer needed
| |   * No longer need insecure registry line, as installer will secure our registry
| |   * Adjusted dynamic inventory to filter by clusterid
| |   * Minor updates to dynamic inventory bug
| |   * Adding a refactored sample inventory directory
| |   * Refactoring playbooks for better directory structure, and to narrow down host groups
| |   * Adding volume mounts to heat template
| |   * Moving dns playbooks back to original location
| |   * Fixing incorrect file path
| |   * Cleaning up inventory samples
| |   * One more hostname to clean up
| |   * Changing var name
| |   * changed openshift-provision to openshift-prep
| |   * Adjusting current provision script to avoid breakage by new openstack-heat code
| * Fixing ansible impl to work with OSP9 and ansible 2.2 [Øystein Bedin, 2016-11-15, 1 file, -1/+1]
| |
| * Updated env_id to be a sub-domain + make the logic a bit more flexible [Øystein Bedin, 2016-08-21, 2 files, -4/+21]
| |
| * Fixes Issue #163 if rhsm_password is not defined [Vinny Valdez, 2016-07-15, 1 file, -5/+1]
| |
| * Merge pull request #157 from vvaldez/satellite-with-org [Eric Sauer, 2016-06-21, 1 file, -0/+12]
| |\
| | |   Add org parameter to Satellite with user/pass
| | * Add org parameter to Satellite with user/pass [Vinny Valdez, 2016-04-23, 1 file, -0/+12]
| | |
| * | Cleaned up hostname role to make it more generic [Øystein Bedin, 2016-06-17, 2 files, -50/+21]
| | |
| * | Updated to run as root rather than cloud-user, for now... [Øystein Bedin, 2016-06-09, 1 file, -1/+1]
| | |
| * | Changing hard coded host groups to match openshift-ansible expected host groups. Importing byo playbook now instead of nested ansible run. Need to refactor how we generate hostnames to make it fit this. [Eric Sauer, 2016-06-08, 2 files, -13/+12]