---
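# TODO: add ability to configure certificates given either a local file to
# point to or certificate contents, set in default cert locations.
# Authentication Variable Validation
# TODO: validate the different identity provider kinds as well
- name: Fail on an unsupported OAuth grant method
  fail:
    # folded with "-" so the message carries no trailing newline
    msg: >-
      Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }}
  when:
    - openshift_master_oauth_grant_method is defined
    - openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods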
- name: Open up firewall ports
  import_tasks: firewall.yml

# RPM installs only: containerized hosts skip the package. register/until
# retries the install instead of failing on the first unsuccessful attempt.
- name: Install Master package
  package:
    name: "{{ openshift_service_type }}-master{{ openshift_pkg_version | default('') | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}"
    state: present
  register: result
  until: result is succeeded
  when: not openshift_is_containerized | bool
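# Both tasks run only on containerized hosts (see the when conditions).
- name: Create r_openshift_master_data_dir
  file:
    path: "{{ r_openshift_master_data_dir }}"
    state: directory
    # quoted so the YAML parser does not reinterpret the octal literal
    mode: "0755"
    owner: root
    group: root
  when:
    - openshift_is_containerized | bool

- name: Reload systemd units
  command: systemctl daemon-reload
  when:
    - openshift_is_containerized | bool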
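# Re-run fact gathering now that the package is in place; an explicit empty
# mapping avoids the bare "key:" (null) form for module args.
- name: Re-gather package dependent master facts
  openshift_facts: {}

- name: Create config parent directory if it does not exist
  file:
    path: "{{ openshift_master_config_dir }}"
    state: directory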
# The policy file is generated once; "creates" makes the command a no-op
# when the file already exists.
- name: Create the policy file if it does not already exist
  command: >
    {{ openshift_client_binary }} adm create-bootstrap-policy-file
    --filename={{ openshift_master_policy }}
  args:
    creates: "{{ openshift_master_policy }}"
  notify:
    - restart master api
    - restart master controllers

# Scheduler config is rendered from the scheduler_config variable as JSON.
- name: Create the scheduler config
  copy:
    dest: "{{ openshift_master_scheduler_conf }}"
    content: "{{ scheduler_config | to_nice_json }}"
    backup: true
  notify:
    - restart master api
    - restart master controllers
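# HTPasswd identity providers: the htpasswd file holds password hashes, so it
# is created and kept at mode 0600.
- name: Install httpd-tools if needed
  package:
    name: httpd-tools
    state: present
  when:
    - item.kind == 'HTPasswdPasswordIdentityProvider'
    - not openshift_is_atomic | bool
  with_items: "{{ openshift.master.identity_providers }}"
  register: result
  until: result is succeeded

- name: Ensure htpasswd directory exists
  file:
    path: "{{ item.filename | dirname }}"
    state: directory
  when:
    - item.kind == 'HTPasswdPasswordIdentityProvider'
  with_items: "{{ openshift.master.identity_providers }}"

- name: Create the htpasswd file if needed
  template:
    dest: "{{ item.filename }}"
    src: htpasswd.j2
    backup: true
    # set at write time rather than relying on the umask default until the
    # next task tightens it; matches the mode enforced there
    mode: "0600"
  when:
    - item.kind == 'HTPasswdPasswordIdentityProvider'
    - openshift.master.manage_htpasswd | bool
  with_items: "{{ openshift.master.identity_providers }}"

- name: Ensure htpasswd file exists
  copy:
    dest: "{{ item.filename }}"
    # force: false leaves an existing file's content untouched
    force: false
    content: ""
    mode: "0600"
  when:
    - item.kind == 'HTPasswdPasswordIdentityProvider'
  with_items: "{{ openshift.master.identity_providers }}"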
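# CA bundles for the LDAP, OpenID and request-header identity providers.
# dest: the provider's own path when it contains a "/", otherwise a file under
# openshift_master_config_dir (Jinja applies the default() filter to item.ca /
# item.clientCA before the "~" concatenation). Written root-only (0600).
- name: Create the ldap ca file if needed
  copy:
    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('ldap_ca.crt') }}"
    content: "{{ openshift.master.ldap_ca }}"
    mode: "0600"
    backup: true
  when:
    - openshift.master.ldap_ca is defined
    - item.kind == 'LDAPPasswordIdentityProvider'
  with_items: "{{ openshift.master.identity_providers }}"

- name: Create the openid ca file if needed
  copy:
    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('openid_ca.crt') }}"
    content: "{{ openshift.master.openid_ca }}"
    mode: "0600"
    backup: true
  when:
    - openshift.master.openid_ca is defined
    - item.kind == 'OpenIDIdentityProvider'
    - item.ca | default('') != ''
  with_items: "{{ openshift.master.identity_providers }}"

- name: Create the request header ca file if needed
  copy:
    dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else openshift_master_config_dir ~ '/' ~ item.clientCA | default('request_header_ca.crt') }}"
    content: "{{ openshift.master.request_header_ca }}"
    mode: "0600"
    backup: true
  when:
    - openshift.master.request_header_ca is defined
    - item.kind == 'RequestHeaderIdentityProvider'
    - item.clientCA | default('') != ''
  with_items: "{{ openshift.master.identity_providers }}"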
- name: Include push_via_dns.yml
  include_tasks: push_via_dns.yml

# Records the etcd host IPs as a local fact under the "common" role.
- name: Set fact of all etcd host IPs
  openshift_facts:
    role: common
    local_facts:
      no_proxy_etcd_host_ips: "{{ openshift_no_proxy_etcd_host_ips }}"

- name: Update journald config
  include_tasks: journald.yml

- name: Install the systemd units
  include_tasks: systemd_units.yml

# Only containerized hosts that run the master as a system container take
# this path.
- name: Install Master system container
  include_tasks: system_container.yml
  when: openshift_is_containerized | bool and l_is_master_system_container | bool
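# Session auth/encryption secrets are rendered root-only (0600) and only when
# both secret variables are defined.
- name: Create session secrets file
  template:
    dest: "{{ openshift.master.session_secrets_file }}"
    src: sessionSecretsFile.yaml.v1.j2
    owner: root
    group: root
    mode: "0600"
  when:
    - openshift.master.session_auth_secrets is defined
    - openshift.master.session_encryption_secrets is defined
  notify:
    - restart master api

- name: Translate identity providers to the v1 config format
  set_fact:
    # translate_idps is a custom filter in role lib_utils
    translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1') }}"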
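# TODO: add the validate parameter when there is a validation command to run
# The master config is written root-only (0600); a backup of the previous
# file is kept.
- name: Create master config
  template:
    dest: "{{ openshift_master_config_file }}"
    src: master.yaml.v1.j2
    backup: true
    owner: root
    group: root
    mode: "0600"
  notify:
    - restart master api
    - restart master controllers

- name: Include bootstrap_settings.yml
  include_tasks: bootstrap_settings.yml
  when: openshift_master_bootstrap_enabled | default(False)

- name: Include set_loopback_context.yml
  include_tasks: set_loopback_context.yml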
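# First master only; a failed start is retried once after 60 seconds, and the
# unit's last 100 journal lines are dumped if it still fails.
- name: Start and enable master api on first master
  systemd:
    name: "{{ openshift_service_type }}-master-api"
    enabled: true
    state: started
  when:
    - inventory_hostname == openshift_master_hosts[0]
  register: l_start_result
  until: not (l_start_result is failed)
  retries: 1
  delay: 60

- name: Dump logs from master-api if it failed
  command: journalctl --no-pager -n 100 -u {{ openshift_service_type }}-master-api
  when:
    - l_start_result is failed

- name: Record whether the master api service changed on the first master
  set_fact:
    master_api_service_status_changed: "{{ l_start_result is changed }}"
  when:
    - inventory_hostname == openshift_master_hosts[0]

# In HA, the remaining masters are started 15 seconds after the first.
- name: Pause before starting the remaining masters
  pause:
    seconds: 15
  when:
    - openshift_master_ha | bool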
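# Every master except the first; same retry and log-dump handling as above.
- name: Start and enable master api all masters
  systemd:
    name: "{{ openshift_service_type }}-master-api"
    enabled: true
    state: started
  when:
    - inventory_hostname != openshift_master_hosts[0]
  register: l_start_result
  until: not (l_start_result is failed)
  retries: 1
  delay: 60

- name: Dump logs from master-api if it failed
  command: journalctl --no-pager -n 100 -u {{ openshift_service_type }}-master-api
  when:
    - l_start_result is failed

- name: Record whether the master api service changed on the other masters
  set_fact:
    master_api_service_status_changed: "{{ l_start_result is changed }}"
  when:
    - inventory_hostname != openshift_master_hosts[0]

# A separate wait is required here for native HA since notifies will
# be resolved after all tasks in the role.
- name: Wait for the master api to become ready
  include_tasks: check_master_api_is_ready.yml
  when:
    - master_api_service_status_changed | bool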
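# Controllers start on every master; a failed start is retried once after
# 60 seconds with a journal dump on persistent failure.
- name: Start and enable master controller service
  systemd:
    name: "{{ openshift_service_type }}-master-controllers"
    enabled: true
    state: started
  register: l_start_result
  until: not (l_start_result is failed)
  retries: 1
  delay: 60

- name: Dump logs from master-controllers if it failed
  command: journalctl --no-pager -n 100 -u {{ openshift_service_type }}-master-controllers
  when:
    - l_start_result is failed

- name: Set fact master_controllers_service_status_changed
  set_fact:
    master_controllers_service_status_changed: "{{ l_start_result is changed }}"

- name: node bootstrap settings
  include_tasks: bootstrap.yml
  when: openshift_master_bootstrap_enabled | default(False)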