From e4c7c26436d4daf2cbccd54bc91cb5f3471c3dc0 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Fri, 29 Apr 2016 20:48:02 -0400 Subject: Call evaluate_groups from update_repos_and_packages --- playbooks/common/openshift-cluster/update_repos_and_packages.yml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'playbooks/common') diff --git a/playbooks/common/openshift-cluster/update_repos_and_packages.yml b/playbooks/common/openshift-cluster/update_repos_and_packages.yml index 1474bb3ca..0a37d4597 100644 --- a/playbooks/common/openshift-cluster/update_repos_and_packages.yml +++ b/playbooks/common/openshift-cluster/update_repos_and_packages.yml @@ -1,4 +1,6 @@ --- +- include: evaluate_groups.yml + - hosts: oo_hosts_to_update vars: openshift_deployment_type: "{{ deployment_type }}" -- cgit v1.2.3 From c9cd222f8eab56a31c6ff237739653672c7010af Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Tue, 17 May 2016 10:24:41 -0400 Subject: Consolidate ca/master/node certificates roles into openshift_certificates. --- playbooks/common/openshift-master/config.yml | 101 ++--------------- playbooks/common/openshift-node/config.yml | 70 +----------- roles/openshift_ca/README.md | 48 ++++++++ roles/openshift_ca/meta/main.yml | 17 +++ roles/openshift_ca/tasks/main.yml | 56 ++++++++++ roles/openshift_ca/vars/main.yml | 6 + roles/openshift_master/meta/main.yml | 1 + roles/openshift_master_ca/README.md | 34 ------ roles/openshift_master_ca/meta/main.yml | 17 --- roles/openshift_master_ca/tasks/main.yml | 23 ---- roles/openshift_master_ca/vars/main.yml | 6 - roles/openshift_master_certificates/README.md | 29 ++++- roles/openshift_master_certificates/meta/main.yml | 6 +- roles/openshift_master_certificates/tasks/main.yml | 123 +++++++++++++++++---- roles/openshift_master_certificates/vars/main.yml | 2 + roles/openshift_node/meta/main.yml | 2 +- roles/openshift_node_certificates/README.md | 33 ++++-- roles/openshift_node_certificates/meta/main.yml | 6 +- roles/openshift_node_certificates/tasks/main.yml | 97 ++++++++++++---- roles/openshift_node_certificates/vars/main.yml | 9 +- 20 files changed, 384 insertions(+), 302 deletions(-) create mode 100644 roles/openshift_ca/README.md create mode 100644 roles/openshift_ca/meta/main.yml create mode 100644 roles/openshift_ca/tasks/main.yml create mode 100644 roles/openshift_ca/vars/main.yml delete mode 100644 roles/openshift_master_ca/README.md delete mode 100644 roles/openshift_master_ca/meta/main.yml delete mode 100644 roles/openshift_master_ca/tasks/main.yml delete mode 100644 roles/openshift_master_ca/vars/main.yml (limited to 'playbooks/common') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 125aab0ae..fe0e2e666 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -156,85 +156,6 @@ - master.etcd-ca.crt when: etcd_client_certs_missing is defined and etcd_client_certs_missing -- name: Determine if master certificates need to be generated - hosts: oo_first_master:oo_masters_to_config - tasks: - - set_fact: - openshift_master_certs_no_etcd: - - admin.crt - - master.kubelet-client.crt - - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" - - master.server.crt - - openshift-master.crt - - openshift-registry.crt - - openshift-router.crt - - etcd.server.crt - openshift_master_certs_etcd: - - master.etcd-client.crt - - - set_fact: - openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}" - - - name: Check status of master certificates - stat: - path: "{{ openshift.common.config_base }}/master/{{ item }}" - with_items: "{{ openshift_master_certs }}" - register: g_master_cert_stat_result - - set_fact: - master_certs_missing: "{{ False in (g_master_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list ) }}" - master_cert_subdir: master-{{ openshift.common.hostname }} - master_cert_config_dir: "{{ openshift.common.config_base }}/master" - - set_fact: - openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']) - | oo_nodes_with_label('region', 'infra') - | oo_collect('inventory_hostname') }}" - when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0 - -- name: Configure master certificates - hosts: oo_first_master - vars: - master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs" - masters_needing_certs: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master'])) - | oo_filter_list(filter_attr='master_certs_missing') }}" - master_hostnames: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config']) - | oo_collect('openshift.common.all_hostnames') - | oo_flatten | unique }}" - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" - roles: - - openshift_master_certificates - post_tasks: - - name: Remove generated etcd client certs when using external etcd - file: - path: "{{ master_generated_certs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" - state: absent - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config - with_nested: - - "{{ masters_needing_certs | default([]) }}" - - - master.etcd-client.crt - - master.etcd-client.key - - - name: Create a tarball of the master certs - command: > - tar -czvf {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz - -C {{ master_generated_certs_dir }}/{{ item.master_cert_subdir }} . - args: - creates: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz" - with_items: "{{ masters_needing_certs | default([]) }}" - - - name: Retrieve the master cert tarball from the master - fetch: - src: "{{ master_generated_certs_dir }}/{{ item.master_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ masters_needing_certs | default([]) }}" - - name: Configure load balancers hosts: oo_lb_to_config vars: @@ -355,19 +276,17 @@ }}" when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/master" - state: directory - when: master_certs_missing | bool and 'oo_first_master' not in group_names - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz" - dest: "{{ master_cert_config_dir }}" - when: master_certs_missing | bool and 'oo_first_master' not in group_names roles: - - openshift_master + - role: openshift_master + openshift_ca_host: "{{ groups.oo_first_master.0 }}" + openshift_master_etcd_hosts: "{{ hostvars + | oo_select_keys(groups['oo_etcd_to_config'] | default([])) + | oo_collect('openshift.common.hostname') + | default(none, true) }}" + openshift_master_hostnames: "{{ hostvars + | oo_select_keys(groups['oo_masters_to_config'] | default([])) + | oo_collect('openshift.common.all_hostnames') + | oo_flatten | unique }}" - role: nickhammond.logrotate - role: nuage_master when: openshift.common.use_nuage | bool diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index b3491ef8d..6fbf7d44a 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -19,23 +19,6 @@ labels: "{{ openshift_node_labels | default(None) }}" annotations: "{{ openshift_node_annotations | default(None) }}" schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" - - name: Check status of node certificates - stat: - path: "{{ openshift.common.config_base }}/node/{{ item }}" - with_items: - - "system:node:{{ openshift.common.hostname }}.crt" - - "system:node:{{ openshift.common.hostname }}.key" - - "system:node:{{ openshift.common.hostname }}.kubeconfig" - - ca.crt - - server.key - - server.crt - register: stat_result - - set_fact: - certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - node_subdir: node-{{ openshift.common.hostname }} - config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}" - node_cert_dir: "{{ openshift.common.config_base }}/node" - name: Create temp directory for syncing certs hosts: localhost @@ -48,53 +31,6 @@ register: mktemp changed_when: False -- name: Create node certificates - hosts: oo_first_master - vars: - nodes_needing_certs: "{{ hostvars - | oo_select_keys(groups['oo_nodes_to_config'] - | default([])) - | oo_filter_list(filter_attr='certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - roles: - - openshift_node_certificates - post_tasks: - - name: Create a tarball of the node config directories - command: > - tar -czvf {{ item.config_dir }}.tgz - --transform 's|system:{{ item.node_subdir }}|node|' - -C {{ item.config_dir }} . - args: - creates: "{{ item.config_dir }}.tgz" - with_items: "{{ nodes_needing_certs | default([]) }}" - - - name: Retrieve the node config tarballs from the master - fetch: - src: "{{ item.config_dir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ nodes_needing_certs | default([]) }}" - -- name: Deploy node certificates - hosts: oo_nodes_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ node_cert_dir }}" - state: directory - # TODO: notify restart node - # possibly test service started time against certificate/config file - # timestamps in node to trigger notify - - name: Unarchive the tarball on the node - unarchive: - src: "{{ sync_tmpdir }}/{{ node_subdir }}.tgz" - dest: "{{ node_cert_dir }}" - when: certs_missing - - name: Evaluate node groups hosts: localhost become: no @@ -124,7 +60,8 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - openshift_node + - role: openshift_node + openshift_ca_host: "{{ groups.oo_first_master.0 }}" - name: Configure node instances hosts: oo_nodes_to_config:!oo_containerized_master_nodes @@ -140,7 +77,8 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - openshift_node + - role: openshift_node + openshift_ca_host: "{{ groups.oo_first_master.0 }}" - name: Gather and set facts for flannel certificatess hosts: oo_nodes_to_config diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md new file mode 100644 index 000000000..96c9cd5f2 --- /dev/null +++ b/roles/openshift_ca/README.md @@ -0,0 +1,48 @@ +OpenShift CA +============ + +This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles. + +Requirements +------------ + +Role Variables +-------------- + +From this role: + +| Name | Default value | Description | +|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------| +| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be created. | +| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master` | CA certificate directory. | +| openshift_ca_cert | `{{ openshift_ca_config_dir }}/ca.crt` | CA certificate path including CA certificate filename. | +| openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. | +| openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. | +| openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. | + +Dependencies +------------ + +* openshift_repos +* openshift_cli + +Example Playbook +---------------- + +``` +- name: Create OpenShift CA + hosts: localhost + roles: + - role: openshift_ca + openshift_ca_host: master1.example.com +``` + +License +------- + +Apache License Version 2.0 + +Author Information +------------------ + +Jason DeTiberus (jdetiber@redhat.com) diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml new file mode 100644 index 000000000..0089f4209 --- /dev/null +++ b/roles/openshift_ca/meta/main.yml @@ -0,0 +1,17 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: OpenShift CA + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9.4 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- role: openshift_repos +- role: openshift_cli diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml new file mode 100644 index 000000000..497473f22 --- /dev/null +++ b/roles/openshift_ca/tasks/main.yml @@ -0,0 +1,56 @@ +--- +- fail: + msg: "openshift_ca_host variable must be defined for this role" + when: openshift_ca_host is not defined + +- name: Install the base package for admin tooling + action: > + {{ ansible_pkg_mgr }} + name={{ openshift.common.service_type }}{{ openshift_version }} + state=present + when: not openshift.common.is_containerized | bool + register: install_result + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Reload generated facts + openshift_facts: + when: install_result | changed + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Create openshift_ca_config_dir if it does not exist + file: + path: "{{ openshift_ca_config_dir }}" + state: directory + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Determine if CA must be created + stat: + path: "{{ openshift_ca_config_dir }}/{{ item }}" + register: g_master_ca_stat_result + with_items: + - ca.crt + - ca.key + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- set_fact: + master_ca_missing: "{{ False in (g_master_ca_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Create the master certificates if they do not already exist + command: > + {{ openshift.common.admin_binary }} create-master-certs + --hostnames={{ openshift_master_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_ca_config_dir }} + --overwrite=false + when: hostvars[openshift_ca_host].master_ca_missing | bool + delegate_to: "{{ openshift_ca_host }}" + run_once: true diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml new file mode 100644 index 000000000..a32e385ec --- /dev/null +++ b/roles/openshift_ca/vars/main.yml @@ -0,0 +1,6 @@ +--- +openshift_ca_config_dir: "{{ openshift.common.config_base }}/master" +openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt" +openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key" +openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt" +openshift_version: "{{ openshift_pkg_version | default('') }}" diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index d8834d27f..774f190c8 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -14,6 +14,7 @@ galaxy_info: dependencies: - role: openshift_docker - role: openshift_cli +- role: openshift_master_certificates - role: openshift_cloud_provider - role: openshift_builddefaults - role: openshift_master_facts diff --git a/roles/openshift_master_ca/README.md b/roles/openshift_master_ca/README.md deleted file mode 100644 index 5b2d3601b..000000000 --- a/roles/openshift_master_ca/README.md +++ /dev/null @@ -1,34 +0,0 @@ -OpenShift Master CA -======================== - -TODO - -Requirements ------------- - -TODO - -Role Variables --------------- - -TODO - -Dependencies ------------- - -TODO - -Example Playbook ----------------- - -TODO - -License -------- - -Apache License Version 2.0 - -Author Information ------------------- - -Jason DeTiberus (jdetiber@redhat.com) diff --git a/roles/openshift_master_ca/meta/main.yml b/roles/openshift_master_ca/meta/main.yml deleted file mode 100644 index b5dd466c9..000000000 --- a/roles/openshift_master_ca/meta/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -galaxy_info: - author: Jason DeTiberus - description: - company: Red Hat, Inc. - license: Apache License, Version 2.0 - min_ansible_version: 1.8 - platforms: - - name: EL - versions: - - 7 - categories: - - cloud - - system -dependencies: -- { role: openshift_repos } -- { role: openshift_cli } diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml deleted file mode 100644 index 4b7ef1d84..000000000 --- a/roles/openshift_master_ca/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Install the base package for admin tooling - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_version }} state=present" - when: not openshift.common.is_containerized | bool - register: install_result - -- name: Reload generated facts - openshift_facts: - when: install_result | changed - -- name: Create openshift_master_config_dir if it doesn't exist - file: - path: "{{ openshift_master_config_dir }}" - state: directory - -- name: Create the master certificates if they do not already exist - command: > - {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ master_hostnames | join(',') }} - --master={{ openshift.master.api_url }} - --public-master={{ openshift.master.public_api_url }} - --cert-dir={{ openshift_master_config_dir }} --overwrite=false - when: master_certs_missing | bool diff --git a/roles/openshift_master_ca/vars/main.yml b/roles/openshift_master_ca/vars/main.yml deleted file mode 100644 index b35339b18..000000000 --- a/roles/openshift_master_ca/vars/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -openshift_master_config_dir: "{{ openshift.common.config_base }}/master" -openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" -openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" -openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" -openshift_version: "{{ openshift_pkg_version | default('') }}" diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md index ba3d5f28c..a80d47040 100644 --- a/roles/openshift_master_certificates/README.md +++ b/roles/openshift_master_certificates/README.md @@ -1,27 +1,44 @@ OpenShift Master Certificates ======================== -TODO +This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped. Requirements ------------ -TODO - Role Variables -------------- -TODO +From `openshift_ca`: + +| Name | Default value | Description | +|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| +| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. | + +From this role: + +| Name | Default value | Description | +|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| +| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. | +| openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. | +| openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. | +| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. | Dependencies ------------ -TODO +* openshift_ca Example Playbook ---------------- -TODO +``` +- name: Create OpenShift Master Certificates + hosts: masters + roles: + - role: openshift_master_certificates + openshift_ca_host: master1.example.com +``` License ------- diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml index fd7b73b0f..90fc0fb10 100644 --- a/roles/openshift_master_certificates/meta/main.yml +++ b/roles/openshift_master_certificates/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: + description: OpenShift Master Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 1.9.4 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- { role: openshift_master_ca } +- role: openshift_ca diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 394f9d381..dd105652b 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -1,38 +1,121 @@ --- +- set_fact: + openshift_master_certs_no_etcd: + - admin.crt + - master.kubelet-client.crt + - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" + - master.server.crt + - openshift-master.crt + - openshift-registry.crt + - openshift-router.crt + - etcd.server.crt + openshift_master_certs_etcd: + - master.etcd-client.crt + +- set_fact: + openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}" + +- name: Check status of master certificates + stat: + path: "{{ openshift_master_config_dir }}/{{ item }}" + with_items: + - "{{ openshift_master_certs }}" + register: g_master_cert_stat_result + +- set_fact: + master_certs_missing: "{{ False in (g_master_cert_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + - name: Ensure the generated_configs directory present file: - path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}" + path: "{{ openshift_master_generated_config_dir }}" state: directory mode: 0700 - with_items: "{{ masters_needing_certs | default([]) }}" + when: master_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" - file: - src: "{{ openshift_master_config_dir }}/{{ item.1 }}" - dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" + src: "{{ openshift_master_config_dir }}/{{ item }}" + dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" state: hard - with_nested: - - "{{ masters_needing_certs | default([]) }}" - - - - ca.crt - - ca.key - - ca.serial.txt + with_items: + - ca.crt + - ca.key + - ca.serial.txt + when: master_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ item.openshift.common.all_hostnames | join(',') }} - --master={{ item.openshift.master.api_url }} - --public-master={{ item.openshift.master.public_api_url }} - --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }} + --hostnames={{ openshift.common.all_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_master_generated_config_dir }} --overwrite=false - when: item.master_certs_missing | bool - with_items: "{{ masters_needing_certs | default([]) }}" + when: master_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" - file: - src: "{{ openshift_master_config_dir }}/{{ item.1 }}" - dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}" + src: "{{ openshift_master_config_dir }}/{{ item }}" + dest: "{{ openshift_master_generated_config_dir }}/{{ item }}" state: hard force: true - with_nested: - - "{{ masters_needing_certs | default([]) }}" + with_items: - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}" + when: master_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" + +- name: Remove generated etcd client certs when using external etcd + file: + path: "{{ openshift_master_generated_config_dir }}/{{ item }}" + state: absent + when: openshift_master_etcd_hosts | length > 0 + with_items: + - master.etcd-client.crt + - master.etcd-client.key + delegate_to: "{{ openshift_ca_host }}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX + register: g_master_mktemp + changed_when: False + when: master_certs_missing | bool + delegate_to: localhost + +- name: Create a tarball of the master certs + command: > + tar -czvf {{ openshift_master_generated_config_dir }}.tgz + -C {{ openshift_master_generated_config_dir }} . + args: + creates: "{{ openshift_master_generated_config_dir }}.tgz" + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host + delegate_to: "{{ openshift_ca_host }}" + +- name: Retrieve the master cert tarball from the master + fetch: + src: "{{ openshift_master_generated_config_dir }}.tgz" + dest: "{{ g_master_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host + delegate_to: "{{ openshift_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ openshift_master_config_dir }}" + state: directory + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host + +- name: Unarchive the tarball on the master + unarchive: + src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz" + dest: "{{ openshift_master_config_dir }}" + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host + +- file: name={{ g_master_mktemp.stdout }} state=absent + changed_when: False + when: master_certs_missing | bool + delegate_to: localhost diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml index 3f18ddc79..66f2e5162 100644 --- a/roles/openshift_master_certificates/vars/main.yml +++ b/roles/openshift_master_certificates/vars/main.yml @@ -1,3 +1,5 @@ --- openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs" +openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}" openshift_master_config_dir: "{{ openshift.common.config_base }}/master" +openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}" diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index db1776632..4d35ec420 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -13,9 +13,9 @@ galaxy_info: - cloud dependencies: - role: openshift_docker +- role: openshift_node_certificates - role: openshift_cloud_provider - role: openshift_common - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq - role: os_firewall - diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md index 6264d253a..f56066b29 100644 --- a/roles/openshift_node_certificates/README.md +++ b/roles/openshift_node_certificates/README.md @@ -1,27 +1,44 @@ -OpenShift/Atomic Enterprise Node Certificates -============================================= +OpenShift Node Certificates +=========================== -TODO +This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to. Requirements ------------ -TODO - Role Variables -------------- -TODO +From `openshift_ca`: + +| Name | Default value | Description | +|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| +| openshift_ca_host | None (Required) | The hostname of the system where the OpenShift CA will be (or has been) created. | + +From this role: + +| Name | Default value | Description | +|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| +| openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. | +| openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. | +| openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. | +| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. | Dependencies ------------ -TODO +* openshift_ca Example Playbook ---------------- -TODO +``` +- name: Create OpenShift Node Certificates + hosts: nodes + roles: + - role: openshift_node_certificates + openshift_ca_host: master1.example.com +``` License ------- diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml index f3236e850..3caa1cdf1 100644 --- a/roles/openshift_node_certificates/meta/main.yml +++ b/roles/openshift_node_certificates/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: + description: OpenShift Node Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 1.9.4 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- { role: openshift_facts } +- role: openshift_ca diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 216c11093..147a432a4 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -1,36 +1,95 @@ --- -- name: Create openshift_generated_configs_dir if it doesn\'t exist +- name: Check status of node certificates + stat: + path: "{{ openshift.common.config_base }}/node/{{ item }}" + with_items: + - "system:node:{{ openshift.common.hostname }}.crt" + - "system:node:{{ openshift.common.hostname }}.key" + - "system:node:{{ openshift.common.hostname }}.kubeconfig" + - ca.crt + - server.key + - server.crt + register: g_node_cert_stat_result + +- set_fact: + node_certs_missing: "{{ False in (g_node_cert_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + +- name: Create openshift_generated_configs_dir if it does not exist file: path: "{{ openshift_generated_configs_dir }}" state: directory mode: 0700 - when: nodes_needing_certs | length > 0 + when: node_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" - name: Generate the node client config command: > {{ openshift.common.admin_binary }} create-api-client-config - --certificate-authority={{ openshift_master_ca_cert }} - --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }} + --certificate-authority={{ openshift_ca_cert }} + --client-dir={{ openshift_node_generated_config_dir }} --groups=system:nodes - --master={{ openshift.master.api_url }} - --signer-cert={{ openshift_master_ca_cert }} - --signer-key={{ openshift_master_ca_key }} - --signer-serial={{ openshift_master_ca_serial }} - --user=system:node:{{ item.openshift.common.hostname }} + --master={{ hostvars[openshift_ca_host].openshift.master.api_url }} + --signer-cert={{ openshift_ca_cert }} + --signer-key={{ openshift_ca_key }} + --signer-serial={{ openshift_ca_serial }} + --user=system:node:{{ openshift.common.hostname }} args: - creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" - with_items: "{{ nodes_needing_certs | default([]) }}" + creates: "{{ openshift_node_generated_config_dir }}" + when: node_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" - name: Generate the node server certificate command: > {{ openshift.common.admin_binary }} ca create-server-cert - --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt - --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key + --cert={{ openshift_node_generated_config_dir }}/server.crt + --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key --overwrite=true - --hostnames={{ item.openshift.common.all_hostnames |join(",") }} - --signer-cert={{ openshift_master_ca_cert }} - --signer-key={{ openshift_master_ca_key }} - --signer-serial={{ openshift_master_ca_serial }} + --hostnames={{ openshift.common.all_hostnames |join(",") }} + --signer-cert={{ openshift_ca_cert }} + --signer-key={{ openshift_ca_key }} + --signer-serial={{ openshift_ca_serial }} + args: + creates: "{{ openshift_node_generated_config_dir }}/server.crt" + when: node_certs_missing | bool + delegate_to: "{{ openshift_ca_host}}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX + register: node_cert_mktemp + changed_when: False + when: node_certs_missing | bool + delegate_to: localhost + +- name: Create a tarball of the node config directories + command: > + tar -czvf {{ openshift_node_generated_config_dir }}.tgz + --transform 's|system:{{ openshift_node_cert_subdir }}|node|' + -C {{ openshift_node_generated_config_dir }} . args: - creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt" - with_items: "{{ nodes_needing_certs | default([]) }}" + creates: "{{ openshift_node_generated_config_dir }}.tgz" + when: node_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" + +- name: Retrieve the node config tarballs from the master + fetch: + src: "{{ openshift_node_generated_config_dir }}.tgz" + dest: "{{ node_cert_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: node_certs_missing | bool + delegate_to: "{{ openshift_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ openshift_node_cert_dir }}" + state: directory + when: node_certs_missing | bool + +- name: Unarchive the tarball on the node + unarchive: + src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz" + dest: "{{ openshift_node_cert_dir }}" + when: node_certs_missing | bool diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml index 61fbb1e51..2fafc7387 100644 --- a/roles/openshift_node_certificates/vars/main.yml +++ b/roles/openshift_node_certificates/vars/main.yml @@ -1,7 +1,6 @@ --- -openshift_node_config_dir: "{{ openshift.common.config_base }}/node" -openshift_master_config_dir: "{{ openshift.common.config_base }}/master" openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs" -openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" -openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" -openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" +openshift_node_cert_dir: "{{ openshift.common.config_base }}/node" +openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}" +openshift_node_config_dir: "{{ openshift.common.config_base }}/node" +openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}" -- cgit v1.2.3 From 57abf26c30e306d1527e92a61a94088e542bb006 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Mon, 16 May 2016 11:45:32 -0400 Subject: Separate master and haproxy config playbooks. * Move haproxy configuration to a separate openshift-loadbalancer play. * Move the haproxy role to openshift_loadbalancer. * Add openshift_loadbalancer* facts which drive haproxy configuration. --- filter_plugins/oo_filters.py | 5 +- playbooks/common/openshift-cluster/config.yml | 2 + playbooks/common/openshift-loadbalancer/config.yml | 5 ++ .../common/openshift-loadbalancer/filter_plugins | 1 + .../common/openshift-loadbalancer/lookup_plugins | 1 + playbooks/common/openshift-loadbalancer/roles | 1 + .../common/openshift-loadbalancer/service.yml | 20 ++++++ playbooks/common/openshift-master/config.yml | 27 -------- roles/haproxy/README.md | 34 ---------- roles/haproxy/defaults/main.yml | 22 ------- roles/haproxy/handlers/main.yml | 6 -- roles/haproxy/meta/main.yml | 14 ---- roles/haproxy/tasks/main.yml | 43 ------------ roles/haproxy/templates/haproxy.cfg.j2 | 76 ---------------------- roles/openshift_facts/library/openshift_facts.py | 8 +++ roles/openshift_loadbalancer/README.md | 34 ++++++++++ roles/openshift_loadbalancer/defaults/main.yml | 22 +++++++ roles/openshift_loadbalancer/handlers/main.yml | 6 ++ roles/openshift_loadbalancer/meta/main.yml | 15 +++++ roles/openshift_loadbalancer/tasks/main.yml | 73 +++++++++++++++++++++ .../templates/haproxy.cfg.j2 | 76 ++++++++++++++++++++++ 21 files changed, 266 insertions(+), 225 deletions(-) create mode 100644 playbooks/common/openshift-loadbalancer/config.yml create mode 120000 playbooks/common/openshift-loadbalancer/filter_plugins create mode 120000 playbooks/common/openshift-loadbalancer/lookup_plugins create mode 120000 playbooks/common/openshift-loadbalancer/roles create mode 100644 playbooks/common/openshift-loadbalancer/service.yml delete mode 100644 roles/haproxy/README.md delete mode 100644 roles/haproxy/defaults/main.yml delete mode 100644 roles/haproxy/handlers/main.yml delete mode 100644 roles/haproxy/meta/main.yml delete mode 100644 roles/haproxy/tasks/main.yml delete mode 100644 roles/haproxy/templates/haproxy.cfg.j2 create mode 100644 roles/openshift_loadbalancer/README.md create mode 100644 roles/openshift_loadbalancer/defaults/main.yml create mode 100644 roles/openshift_loadbalancer/handlers/main.yml create mode 100644 roles/openshift_loadbalancer/meta/main.yml create mode 100644 roles/openshift_loadbalancer/tasks/main.yml create mode 100644 roles/openshift_loadbalancer/templates/haproxy.cfg.j2 (limited to 'playbooks/common') diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index e7409bf22..b81c3bf7f 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -306,7 +306,7 @@ class FilterModule(object): return string.split(separator) @staticmethod - def oo_haproxy_backend_masters(hosts): + def oo_haproxy_backend_masters(hosts, port): """ This takes an array of dicts and returns an array of dicts to be used as a backend for the haproxy role """ @@ -314,8 +314,7 @@ class FilterModule(object): for idx, host_info in enumerate(hosts): server = dict(name="master%s" % idx) server_ip = host_info['openshift']['common']['ip'] - server_port = host_info['openshift']['master']['api_port'] - server['address'] = "%s:%s" % (server_ip, server_port) + server['address'] = "%s:%s" % (server_ip, port) server['opts'] = 'check' servers.append(server) return servers diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index 903babc45..5fec11541 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml @@ -31,6 +31,8 @@ - include: ../openshift-nfs/config.yml +- include: ../openshift-loadbalancer/config.yml + - include: ../openshift-master/config.yml - include: additional_config.yml diff --git a/playbooks/common/openshift-loadbalancer/config.yml b/playbooks/common/openshift-loadbalancer/config.yml new file mode 100644 index 000000000..f4392173a --- /dev/null +++ b/playbooks/common/openshift-loadbalancer/config.yml @@ -0,0 +1,5 @@ +--- +- name: Configure load balancers + hosts: oo_lb_to_config + roles: + - role: openshift_loadbalancer diff --git a/playbooks/common/openshift-loadbalancer/filter_plugins b/playbooks/common/openshift-loadbalancer/filter_plugins new file mode 120000 index 000000000..99a95e4ca --- /dev/null +++ b/playbooks/common/openshift-loadbalancer/filter_plugins @@ -0,0 +1 @@ +../../../filter_plugins \ No newline at end of file diff --git a/playbooks/common/openshift-loadbalancer/lookup_plugins b/playbooks/common/openshift-loadbalancer/lookup_plugins new file mode 120000 index 000000000..ac79701db --- /dev/null +++ b/playbooks/common/openshift-loadbalancer/lookup_plugins @@ -0,0 +1 @@ +../../../lookup_plugins \ No newline at end of file diff --git a/playbooks/common/openshift-loadbalancer/roles b/playbooks/common/openshift-loadbalancer/roles new file mode 120000 index 000000000..e2b799b9d --- /dev/null +++ b/playbooks/common/openshift-loadbalancer/roles @@ -0,0 +1 @@ +../../../roles/ \ No newline at end of file diff --git a/playbooks/common/openshift-loadbalancer/service.yml b/playbooks/common/openshift-loadbalancer/service.yml new file mode 100644 index 000000000..19fffd5e9 --- /dev/null +++ b/playbooks/common/openshift-loadbalancer/service.yml @@ -0,0 +1,20 @@ +--- +- name: Populate g_service_nodes host group if needed + hosts: localhost + connection: local + become: no + gather_facts: no + tasks: + - fail: msg="new_cluster_state is required to be injected in this playbook" + when: new_cluster_state is not defined + + - name: Evaluate g_service_lb + add_host: name={{ item }} groups=g_service_lb + with_items: oo_host_group_exp | default([]) + +- name: Change state on lb instance(s) + hosts: g_service_lb + connection: ssh + gather_facts: no + tasks: + - service: name=hapoxy state="{{ new_cluster_state }}" diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index fe0e2e666..e9337270b 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -156,33 +156,6 @@ - master.etcd-ca.crt when: etcd_client_certs_missing is defined and etcd_client_certs_missing -- name: Configure load balancers - hosts: oo_lb_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - haproxy_limit_nofile: 100000 - haproxy_global_maxconn: 20000 - haproxy_default_maxconn: 20000 - haproxy_frontend_port: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }}" - haproxy_frontends: - - name: atomic-openshift-api - mode: tcp - options: - - tcplog - binds: - - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }}" - default_backend: atomic-openshift-api - haproxy_backends: - - name: atomic-openshift-api - mode: tcp - option: tcplog - balance: source - servers: "{{ hostvars | oo_select_keys(groups['oo_masters']) | oo_haproxy_backend_masters }}" - roles: - - role: openshift_facts - - role: haproxy - when: hostvars[groups.oo_first_master.0].openshift.master.ha | bool - - name: Check for cached session secrets hosts: oo_first_master roles: diff --git a/roles/haproxy/README.md b/roles/haproxy/README.md deleted file mode 100644 index 5bc415066..000000000 --- a/roles/haproxy/README.md +++ /dev/null @@ -1,34 +0,0 @@ -HAProxy -======= - -TODO - -Requirements ------------- - -TODO - -Role Variables --------------- - -TODO - -Dependencies ------------- - -TODO - -Example Playbook ----------------- - -TODO - -License -------- - -Apache License, Version 2.0 - -Author Information ------------------- - -Jason DeTiberus (jdetiber@redhat.com) diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml deleted file mode 100644 index a1524cfe1..000000000 --- a/roles/haproxy/defaults/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -haproxy_frontend_port: 80 - -haproxy_frontends: -- name: main - binds: - - "*:80" - default_backend: default - -haproxy_backends: -- name: default - balance: roundrobin - servers: - - name: web01 - address: 127.0.0.1:9000 - opts: check - -os_firewall_allow: -- service: haproxy stats - port: "9000/tcp" -- service: haproxy balance - port: "{{ haproxy_frontend_port }}/tcp" diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml deleted file mode 100644 index 5b8691b26..000000000 --- a/roles/haproxy/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart haproxy - service: - name: haproxy - state: restarted - when: not (haproxy_start_result_changed | default(false) | bool) diff --git a/roles/haproxy/meta/main.yml b/roles/haproxy/meta/main.yml deleted file mode 100644 index 0fad106a9..000000000 --- a/roles/haproxy/meta/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -galaxy_info: - author: Jason DeTiberus - description: HAProxy - company: Red Hat, Inc. - license: Apache License, Version 2.0 - min_ansible_version: 1.9 - platforms: - - name: EL - versions: - - 7 -dependencies: -- { role: os_firewall } -- { role: openshift_repos } diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml deleted file mode 100644 index 837fa67db..000000000 --- a/roles/haproxy/tasks/main.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- name: Install haproxy - action: "{{ ansible_pkg_mgr }} name=haproxy state=present" - when: not openshift.common.is_containerized | bool - -- name: Configure systemd service directory for haproxy - file: - path: /etc/systemd/system/haproxy.service.d - state: directory - when: haproxy_limit_nofile is defined - -- name: Configure the nofile limits for haproxy - ini_file: - dest: /etc/systemd/system/haproxy.service.d/limits.conf - section: Service - option: LimitNOFILE - value: "{{ haproxy_limit_nofile }}" - when: haproxy_limit_nofile is defined - notify: restart haproxy - register: nofile_limit_result - -- name: Reload systemd if needed - command: systemctl daemon-reload - when: nofile_limit_result | changed - -- name: Configure haproxy - template: - src: haproxy.cfg.j2 - dest: /etc/haproxy/haproxy.cfg - owner: root - group: root - mode: 0644 - notify: restart haproxy - -- name: Enable and start haproxy - service: - name: haproxy - state: started - enabled: yes - register: start_result - -- set_fact: - haproxy_start_result_changed: "{{ start_result | changed }}" diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 deleted file mode 100644 index cb4380971..000000000 --- a/roles/haproxy/templates/haproxy.cfg.j2 +++ /dev/null @@ -1,76 +0,0 @@ -# Global settings -#--------------------------------------------------------------------- -global - chroot /var/lib/haproxy - pidfile /var/run/haproxy.pid - maxconn {{ haproxy_global_maxconn | default('4000') }} - user haproxy - group haproxy - daemon - - # turn on stats unix socket - stats socket /var/lib/haproxy/stats - -#--------------------------------------------------------------------- -# common defaults that all the 'listen' and 'backend' sections will -# use if not designated in their block -#--------------------------------------------------------------------- -defaults - mode http - log global - option httplog - option dontlognull -# option http-server-close - option forwardfor except 127.0.0.0/8 - option redispatch - retries 3 - timeout http-request 10s - timeout queue 1m - timeout connect 10s - timeout client 300s - timeout server 300s - timeout http-keep-alive 10s - timeout check 10s - maxconn {{ haproxy_default_maxconn | default('3000') }} - -listen stats :9000 - mode http - stats enable - stats uri / - -{% for frontend in haproxy_frontends %} -frontend {{ frontend.name }} -{% for bind in frontend.binds %} - bind {{ bind }} -{% endfor %} - default_backend {{ frontend.default_backend }} -{% if 'mode' in frontend %} - mode {{ frontend.mode }} -{% endif %} -{% if 'options' in frontend %} -{% for option in frontend.options %} - option {{ option }} -{% endfor %} -{% endif %} -{% if 'redirects' in frontend %} -{% for redirect in frontend.redirects %} - redirect {{ redirect }} -{% endfor %} -{% endif %} -{% endfor %} - -{% for backend in haproxy_backends %} -backend {{ backend.name }} - balance {{ backend.balance }} -{% if 'mode' in backend %} - mode {{ backend.mode }} -{% endif %} -{% if 'options' in backend %} -{% for option in backend.options %} - option {{ option }} -{% endfor %} -{% endif %} -{% for server in backend.servers %} - server {{ server.name }} {{ server.address }} {{ server.opts }} -{% endfor %} -{% endfor %} diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index b13343776..11203de17 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1554,6 +1554,7 @@ class OpenShiftFacts(object): 'docker', 'etcd', 'hosted', + 'loadbalancer', 'master', 'node'] @@ -1763,6 +1764,13 @@ class OpenShiftFacts(object): router=dict() ) + if 'loadbalancer' in roles: + loadbalancer = dict(frontend_port='8443', + default_maxconn='20000', + global_maxconn='20000', + limit_nofile='100000') + defaults['loadbalancer'] = loadbalancer + return defaults def guess_host_provider(self): diff --git a/roles/openshift_loadbalancer/README.md b/roles/openshift_loadbalancer/README.md new file mode 100644 index 000000000..81fc282be --- /dev/null +++ b/roles/openshift_loadbalancer/README.md @@ -0,0 +1,34 @@ +OpenShift HAProxy Loadbalancer +============================== + +TODO + +Requirements +------------ + +TODO + +Role Variables +-------------- + +TODO + +Dependencies +------------ + +TODO + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License, Version 2.0 + +Author Information +------------------ + +Jason DeTiberus (jdetiber@redhat.com) diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml new file mode 100644 index 000000000..a1524cfe1 --- /dev/null +++ b/roles/openshift_loadbalancer/defaults/main.yml @@ -0,0 +1,22 @@ +--- +haproxy_frontend_port: 80 + +haproxy_frontends: +- name: main + binds: + - "*:80" + default_backend: default + +haproxy_backends: +- name: default + balance: roundrobin + servers: + - name: web01 + address: 127.0.0.1:9000 + opts: check + +os_firewall_allow: +- service: haproxy stats + port: "9000/tcp" +- service: haproxy balance + port: "{{ haproxy_frontend_port }}/tcp" diff --git a/roles/openshift_loadbalancer/handlers/main.yml b/roles/openshift_loadbalancer/handlers/main.yml new file mode 100644 index 000000000..5b8691b26 --- /dev/null +++ b/roles/openshift_loadbalancer/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart haproxy + service: + name: haproxy + state: restarted + when: not (haproxy_start_result_changed | default(false) | bool) diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml new file mode 100644 index 000000000..fe336acf7 --- /dev/null +++ b/roles/openshift_loadbalancer/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: OpenShift haproxy loadbalancer + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9 + platforms: + - name: EL + versions: + - 7 +dependencies: +- role: openshift_facts +- role: os_firewall +- role: openshift_repos diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml new file mode 100644 index 000000000..5514aa70b --- /dev/null +++ b/roles/openshift_loadbalancer/tasks/main.yml @@ -0,0 +1,73 @@ +--- +- name: Set haproxy frontend port + openshift_facts: + role: loadbalancer + local_facts: + frontend_port: "{{ openshift_master_api_port | default(None) }}" + +- name: Set loadbalancer facts + openshift_facts: + role: loadbalancer + local_facts: + limit_nofile: "{{ openshift_loadbalancer_limit_nofile | default(None) }}" + default_maxconn: "{{ openshift_loadbalancer_default_maxconn | default(None) }}" + global_maxconn: "{{ openshift_loadbalancer_global_maxconn | default(None) }}" + frontends: + - name: atomic-openshift-api + mode: tcp + options: + - tcplog + binds: + - "*:{{ openshift.loadbalancer.frontend_port }}" + default_backend: atomic-openshift-api + backends: + - name: atomic-openshift-api + mode: tcp + option: tcplog + balance: source + servers: "{{ hostvars + | oo_select_keys(groups['oo_masters']) + | oo_haproxy_backend_masters(openshift.loadbalancer.frontend_port) }}" + +- name: Install haproxy + action: "{{ ansible_pkg_mgr }} name=haproxy state=present" + when: not openshift.common.is_containerized | bool + +- name: Configure systemd service directory for haproxy + file: + path: /etc/systemd/system/haproxy.service.d + state: directory + when: "'limit_nofile' in openshift.loadbalancer" + +- name: Configure the nofile limits for haproxy + ini_file: + dest: /etc/systemd/system/haproxy.service.d/limits.conf + section: Service + option: LimitNOFILE + value: "{{ openshift.loadbalancer.limit_nofile }}" + when: "'limit_nofile' in openshift.loadbalancer" + notify: restart haproxy + register: nofile_limit_result + +- name: Reload systemd if needed + command: systemctl daemon-reload + when: nofile_limit_result | changed + +- name: Configure haproxy + template: + src: haproxy.cfg.j2 + dest: /etc/haproxy/haproxy.cfg + owner: root + group: root + mode: 0644 + notify: restart haproxy + +- name: Enable and start haproxy + service: + name: haproxy + state: started + enabled: yes + register: start_result + +- set_fact: + haproxy_start_result_changed: "{{ start_result | changed }}" diff --git a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 new file mode 100644 index 000000000..05e360d3b --- /dev/null +++ b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 @@ -0,0 +1,76 @@ +# Global settings +#--------------------------------------------------------------------- +global + chroot /var/lib/haproxy + pidfile /var/run/haproxy.pid + maxconn {{ openshift.loadbalancer.global_maxconn }} + user haproxy + group haproxy + daemon + + # turn on stats unix socket + stats socket /var/lib/haproxy/stats + +#--------------------------------------------------------------------- +# common defaults that all the 'listen' and 'backend' sections will +# use if not designated in their block +#--------------------------------------------------------------------- +defaults + mode http + log global + option httplog + option dontlognull +# option http-server-close + option forwardfor except 127.0.0.0/8 + option redispatch + retries 3 + timeout http-request 10s + timeout queue 1m + timeout connect 10s + timeout client 300s + timeout server 300s + timeout http-keep-alive 10s + timeout check 10s + maxconn {{ openshift.loadbalancer.default_maxconn }} + +listen stats :9000 + mode http + stats enable + stats uri / + +{% for frontend in openshift.loadbalancer.frontends %} +frontend {{ frontend.name }} +{% for bind in frontend.binds %} + bind {{ bind }} +{% endfor %} + default_backend {{ frontend.default_backend }} +{% if 'mode' in frontend %} + mode {{ frontend.mode }} +{% endif %} +{% if 'options' in frontend %} +{% for option in frontend.options %} + option {{ option }} +{% endfor %} +{% endif %} +{% if 'redirects' in frontend %} +{% for redirect in frontend.redirects %} + redirect {{ redirect }} +{% endfor %} +{% endif %} +{% endfor %} + +{% for backend in openshift.loadbalancer.backends %} +backend {{ backend.name }} + balance {{ backend.balance }} +{% if 'mode' in backend %} + mode {{ backend.mode }} +{% endif %} +{% if 'options' in backend %} +{% for option in backend.options %} + option {{ option }} +{% endfor %} +{% endif %} +{% for server in backend.servers %} + server {{ server.name }} {{ server.address }} {{ server.opts }} +{% endfor %} +{% endfor %} -- cgit v1.2.3