| author | Jason DeTiberus <jdetiber@redhat.com> | 2015-08-25 08:42:20 -0400 | 
|---|---|---|
| committer | Andrew Butcher <abutcher@redhat.com> | 2015-11-04 19:57:22 -0500 | 
| commit | 18c877db73dcb63b1402322fe8352505006e4985 (patch) | |
| tree | 62534068df31898f763d791370455a9e7f574176 | |
| parent | 51bcc78aea4015bf23d06b621b57de675b21e7cf (diff) | |
additional ha related updates
| -rw-r--r-- | playbooks/byo/openshift-cluster/config.yml | 1 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/config.yml | 8 | ||||
| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 49 | ||||
| -rw-r--r-- | roles/haproxy/defaults/main.yml | 3 | ||||
| -rw-r--r-- | roles/haproxy/templates/haproxy.cfg.j2 | 25 | ||||
| -rw-r--r-- | roles/openshift_master/handlers/main.yml | 8 | ||||
| -rw-r--r-- | roles/openshift_master/tasks/main.yml | 84 | ||||
| -rw-r--r-- | roles/openshift_master/templates/master.yaml.v1.j2 | 18 | 
8 files changed, 182 insertions, 14 deletions
diff --git a/playbooks/byo/openshift-cluster/config.yml b/playbooks/byo/openshift-cluster/config.yml index 9e50a4a18..411c7e660 100644 --- a/playbooks/byo/openshift-cluster/config.yml +++ b/playbooks/byo/openshift-cluster/config.yml @@ -4,6 +4,7 @@      g_etcd_group: "{{ 'etcd' }}"      g_masters_group: "{{ 'masters' }}"      g_nodes_group: "{{ 'nodes' }}" +    g_lb_group: "{{ 'lb' }}"      openshift_cluster_id: "{{ cluster_id | default('default') }}"      openshift_debug_level: 2      openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index 57de7130b..b66ca4709 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml @@ -1,6 +1,14 @@  ---  - include: evaluate_groups.yml +  - name: Evaluate oo_lb_to_config +    add_host: +      name: "{{ item }}" +      groups: oo_lb_to_config +      ansible_ssh_user: "{{ g_ssh_user | default(omit) }}" +      ansible_sudo: "{{ g_sudo | default(omit) }}" +    with_items: groups[g_lb_group] | default(groups[g_masters_group]) | default([]) +  - include: ../openshift-etcd/config.yml  - include: ../openshift-master/config.yml diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index e5357f6e3..e223e3d57 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
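Review bot: The new `Evaluate oo_lb_to_config` task in playbooks/common/openshift-cluster/config.yml passes `with_items` a bare filter expression while every other templated value in the same task is wrapped in `"{{ }}"`; writing it as `with_items: "{{ groups[g_lb_group] | default(groups[g_masters_group]) | default([]) }}"` keeps the task consistent and avoids the bare-expression warnings later Ansible releases emit. The fallback to `groups[g_masters_group]` also means that, read together with the load-balancer play elsewhere in this commit, every master becomes a load-balancer target whenever no `lb` group exists; a comment such as `# fall back to running haproxy on the masters when no lb group is defined` would make that intent visible. Since the line above includes evaluate_groups.yml, which presumably holds the sibling `oo_*_to_config` evaluations, the add_host would be easier to find next to them.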
@@ -209,7 +209,24 @@        parsed_named_certificates: "{{ openshift_master_named_certificates | oo_parse_certificate_names(master_cert_config_dir, openshift.common.internal_hostnames) }}"      when: openshift_master_named_certificates is defined -- name: Compute haproxy_backend_servers +- name: Fetch master server certificate for load balancer +  hosts: oo_first_master +  vars: +    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" +  tasks: +  - file: +      path: "{{ sync_tmpdir }}/haproxy_cert" +      state: directory +  - fetch: +      src: /etc/origin/master/master.server.crt +      dest: "{{ sync_tmpdir }}/haproxy_cert/server.crt" +      flat: yes +  - fetch: +      src: /etc/origin/master/master.server.key +      dest: "{{ sync_tmpdir }}/haproxy_cert/server.key" +      flat: yes + +- name: Compute haproxy_backend_servers and combine certificate    hosts: localhost    connection: local    sudo: false 
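Review bot: The `Fetch master server certificate for load balancer` play pulls `master.server.key` onto the control host into `{{ sync_tmpdir }}/haproxy_cert`, but the `file` task creates that directory with whatever the local umask allows and `fetch` carries no mode of its own, so the private key can be readable by other local users for the lifetime of the temp directory. Adding `mode: "0700"` to the `file` task is the smallest fix; the play that copies the key onward is in the next hunk. The two `flat: yes` values would also read better as `flat: true`, matching the lowercase booleans already used in this play (`sudo: false`).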
@@ -217,24 +234,44 @@    tasks:    - set_fact:        haproxy_backend_servers: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_haproxy_backend_masters }}" +  - shell: cat server.crt server.key > server.pem +    args: +      chdir: "{{ g_master_mktemp.stdout }}/haproxy_cert" +      creates: "{{ g_master_mktemp.stdout }}/haproxy_cert/server.pem" +  - name: Configure load balancers -  hosts: oo_first_master +  hosts: oo_lb_to_config    vars: +    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"      haproxy_frontends: -    - name: atomic-openshift -      bind: "*:80" -      default_backend: atomic-openshift +    - name: atomic-openshift-api +      options: +      - tcplog +      binds: +      - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }} ssl crt /etc/haproxy/server.pem" +      default_backend: atomic-openshift-api      haproxy_backends: -    - name: atomic-openshift +    - name: atomic-openshift-api        balance: roundrobin        servers: "{{ hostvars.localhost.haproxy_backend_servers }}" +  pre_tasks: +  - file: +      path: /etc/haproxy +      state: directory +  - copy: +      src: "{{ sync_tmpdir }}/haproxy_cert/server.pem" +      dest: /etc/haproxy/server.pem +      mode: 0600 +      owner: root +      group: root    roles:    - role: haproxy      when: groups.oo_masters_to_config | length > 1  - name: Configure master instances    hosts: oo_masters_to_config +  serial: 1    vars:      named_certificates: "{{ hostvars[groups['oo_first_master'][0]]['parsed_named_certificates'] | default([])}}"      sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index c002efdbc..16e9af4d1 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -1,7 +1,8 @@  ---  haproxy_frontends:  - name: main -  bind: "*:80" +  binds: +  - "*:80"    default_backend: default  haproxy_backends: 
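Review bot: In the `Configure load balancers` play the `copy` of `server.pem` to `/etc/haproxy/server.pem` runs as a `pre_tasks` entry on every host in `oo_lb_to_config` unconditionally, while the `haproxy` role below it is gated by `when: groups.oo_masters_to_config | length > 1`; on a single-master cluster the master's private key is therefore still written to each lb host (which default to the masters) although no load balancer is configured. Applying the same `when:` to the `file` and `copy` pre-tasks, or lifting the condition to the play, keeps the key only where it is used. On localhost, `shell: cat server.crt server.key > server.pem` creates the combined file under the default umask before the key is appended; `umask 077 && cat server.crt server.key > server.pem` closes that window. Finally, `mode: 0600` in the `copy` task is safer quoted as `mode: "0600"` so a YAML 1.2 loader cannot read the leading-zero literal as decimal 600.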
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 index bfcdcfdb1..fddf0ede1 100644 --- a/roles/haproxy/templates/haproxy.cfg.j2 +++ b/roles/haproxy/templates/haproxy.cfg.j2 @@ -35,13 +35,36 @@ defaults  {% for frontend in haproxy_frontends %}  frontend  {{ frontend.name }} -    bind {{ frontend.bind }} +{% for bind in frontend.binds %} +    bind {{ bind }} +{% endfor %}      default_backend {{ frontend.default_backend }} +{% if 'mode' in frontend %} +    mode {{ frontend.mode }} +{% endif %} +{% if 'options' in frontend %} +{% for option in frontend.options %} +    option {{ option }} +{% endfor %} +{% endif %} +{% if 'redirects' in frontend %} +{% for redirect in frontend.redirects %} +    redirect {{ redirect }} +{% endfor %} +{% endif %}  {% endfor %}  {% for backend in haproxy_backends %}  backend {{ backend.name }}      balance {{ backend.balance }} +{% if 'mode' in backend %} +    mode {{ backend.mode }} +{% endif %} +{% if 'options' in backend %} +{% for option in backend.options %} +    option {{ option }} +{% endfor %} +{% endif %}  {% for server in backend.servers %}      server      {{ server.name }} {{ server.address }} {{ server.opts }}  {% endfor %} diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index 37028e0f6..9ce4f512b 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml @@ -2,3 +2,11 @@  - name: restart master    service: name={{ openshift.common.service_type }}-master state=restarted    when: (not openshift_master_ha | bool) and (not master_service_status_changed | default(false)) + +- name: restart master api +  service: name={{ openshift.common.service_type }}-master-api state=restarted +  when: openshift_master_ha | bool + +- name: restart master controllers +  service: name={{ openshift.common.service_type }}-master-controllers state=restarted +  when: openshift_master_ha | bool 
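Review bot: The new `restart master api` and `restart master controllers` handlers in roles/openshift_master/handlers/main.yml drop the `(not master_service_status_changed | default(false))` guard that the existing `restart master` handler carries, so on an HA host a first-run start followed by any notifying change restarts the freshly started units a second time. If that is deliberate for the split units, a short comment saying so would help; otherwise `when: openshift_master_ha | bool and not master_service_status_changed | default(false)` mirrors the single-service handler. Where `master_service_status_changed` is set is outside this hunk, so its value on HA hosts should be confirmed as well.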
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index f11582ce7..b23c19d37 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -91,6 +91,8 @@      creates: "{{ openshift_master_policy }}"    notify:    - restart master +  - restart master api +  - restart master controllers  - name: Create the scheduler config    template: @@ -99,6 +101,8 @@      backup: true    notify:    - restart master +  - restart master api +  - restart master controllers  - name: Install httpd-tools if needed    yum: pkg=httpd-tools state=present @@ -121,6 +125,30 @@    when: item.kind == 'HTPasswdPasswordIdentityProvider'    with_items: openshift.master.identity_providers +# workaround for missing systemd unit files for controllers/api +- name: Create the api service file +  copy: +    src: atomic-openshift-master-api.service +    dest: /usr/lib/systemd/system/atomic-openshift-master-api.service +    force: no +- name: Create the controllers service file +  copy: +    src: atomic-openshift-master-controllers.service +    dest: /usr/lib/systemd/system/atomic-openshift-master-controllers.service +    force: no +- name: Create the api env file +  copy: +    src: atomic-openshift-master-api +    dest: /etc/sysconfig/atomic-openshift-master-api +    force: no +- name: Create the controllers env file +  copy: +    src: atomic-openshift-master-controllers +    dest: /etc/sysconfig/atomic-openshift-master-controllers +    force: no +- command: systemctl daemon-reload +# end workaround for missing systemd unit files +  # TODO: add the validate parameter when there is a validation command to run  - name: Create master config    template: @@ -129,6 +157,8 @@      backup: true    notify:    - restart master +  - restart master api +  - restart master controllers  - name: Configure master settings    lineinfile: 
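Review bot: The `workaround for missing systemd unit files` block in roles/openshift_master/tasks/main.yml hard-codes `atomic-openshift-master-api` and `atomic-openshift-master-controllers` for the unit and `/etc/sysconfig` destinations, while the handlers and the `Configure master api settings` task in the next hunk derive those names from `{{ openshift.common.service_type }}`; for any other service type the lineinfile edits and restarts target files this block never created. Deriving the destinations from the same variable, e.g. `dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api`, keeps the role consistent, and `force: no` means a later change to the shipped unit file is never pushed to existing hosts, which deserves a comment if intended. The trailing `- command: systemctl daemon-reload` also runs on every play and reports changed each time; moving it to a handler notified by the four `copy` tasks, or adding `changed_when: false`, keeps the run idempotent.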
@@ -143,9 +173,61 @@    notify:    - restart master +- name: Configure master api settings +  lineinfile: +    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api +    regexp: "{{ item.regex }}" +    line: "{{ item.line }}" +  with_items: +    - regex: '^OPTIONS=' +      line: "OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen=https://0.0.0.0:8443 --master=https://{{ openshift.common.ip }}:8443" +    - regex: '^CONFIG_FILE=' +      line: "CONFIG_FILE={{ openshift_master_config_file }}" +  notify: +  - restart master api + +- name: Configure master controller settings +  lineinfile: +    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-controllers +    regexp: "{{ item.regex }}" +    line: "{{ item.line }}" +  with_items: +    - regex: '^OPTIONS=' +      line: "OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen=https://0.0.0.0:8444" +    - regex: '^CONFIG_FILE=' +      line: "CONFIG_FILE={{ openshift_master_config_file }}" +  notify: +  - restart master controllers +  - name: Start and enable master    service: name={{ openshift.common.service_type }}-master enabled=yes state=started -#  when: not openshift_master_ha | bool +  when: not openshift_master_ha | bool +  register: start_result + +# workaround for start bug when configuring ha +- name: Start master for ha workaround +  service: name={{ openshift.common.service_type }}-master state=started +  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master + +- name: pause for 30 seconds to let master finish starting up for ha workaround +  pause: seconds=30 +  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master + +- name: Stop master for ha workaround +  service: name={{ openshift.common.service_type }}-master state=stopped +  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master +# end workaround for start bug when configuring ha + +- fail: + +- name: Start and enable master 
api +  service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started +  when: openshift_master_ha | bool +  register: start_result + +- name: Start and enable master controller +  service: name={{ openshift.common.service_type }}-master-controllers enabled=yes state=started +  when: openshift_master_ha | bool    register: start_result  - set_fact: diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 877c44772..3f2c51417 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -10,13 +10,16 @@ assetConfig:    publicURL: {{ openshift.master.public_console_url }}/    servingInfo:      bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.console_port }} +    bindNetwork: tcp4      certFile: master.server.crt      clientCA: ""      keyFile: master.server.key      maxRequestsInFlight: 0      requestTimeoutSeconds: 0 +controllerLeaseTTL: 0 +controllers: '*'  corsAllowedOrigins: -{% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] | unique %} +{% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %}    - {{ origin }}  {% endfor %}  {% for custom_origin in openshift.master.custom_cors_origins | default("") %} @@ -29,8 +32,10 @@ corsAllowedOrigins:  disabledFeatures: {{ openshift.master.disabled_features | to_json }}  {% endif %}  {% if openshift.master.embedded_dns | bool %} +disabledFeatures: null  dnsConfig:    bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.dns_port }} +  bindNetwork: tcp4  {% endif %}  etcdClientInfo:    ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }} 
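Review bot: The bare `- fail:` task inserted after `Stop master for ha workaround` in roles/openshift_master/tasks/main.yml has no `when` and no `msg`, so every run of the role aborts there before the api and controllers units are started; it reads like a leftover debugging stop and should be removed. Separately, `register: start_result` is now attached to three mutually exclusive `service` tasks, and Ansible records a result for skipped tasks too, so after this hunk `start_result` always holds the outcome of `Start and enable master controller` — on a non-HA host the skipped result rather than the real start — and the `set_fact` that consumes it begins at the hunk's last line and continues outside it. Registering each task under its own name (`start_result`, `start_result_api`, `start_result_controllers`) and combining them in that `set_fact` avoids the overwrite. The `--listen=https://0.0.0.0:8443` and `--master=https://{{ openshift.common.ip }}:8443` values are also hard-coded where the load-balancer play in this commit uses `openshift.master.api_port`.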
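Review bot: In roles/openshift_master/templates/master.yaml.v1.j2 the new `disabledFeatures: null` sits inside the `{% if openshift.master.embedded_dns | bool %}` block, two lines after the existing `disabledFeatures: {{ openshift.master.disabled_features | to_json }}` that is emitted under its own condition; when both conditions hold the rendered config carries the key twice, and a loader that keeps the last occurrence silently discards the configured list. If the intent is a default for when no features are disabled, emit it from an `{% else %}` branch of that conditional instead (its opening `{% if %}` is outside the hunk, only its `{% endif %}` is visible); if it is genuinely tied to embedded DNS, a comment explaining why would help the next reader.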
@@ -81,13 +86,13 @@ kubernetesMasterConfig:    apiServerArguments: {{ api_server_args if api_server_args is defined else 'null' }}    controllerArguments: {{ controller_args if controller_args is defined else 'null' }}    masterCount: {{ openshift.master.master_count }} -  masterIP: "" -  podEvictionTimeout: "" +  masterIP: {{ openshift.common.ip }} +  podEvictionTimeout: 5m    proxyClientInfo:      certFile: master.proxy-client.crt      keyFile: master.proxy-client.key    schedulerConfigFile: {{ openshift_master_scheduler_conf }} -  servicesNodePortRange: "" +  servicesNodePortRange: 30000-32767    servicesSubnet: {{ openshift.master.portal_net }}    staticNodeNames: {{ openshift_node_ips | default([], true) }}  {% endif %} @@ -105,6 +110,7 @@ networkConfig:  # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet    serviceNetworkCIDR: {{ openshift.master.portal_net }}  {% include 'v1_partials/oauthConfig.j2' %} +pauseControllers: false  policyConfig:    bootstrapPolicyFile: {{ openshift_master_policy }}    openshiftInfrastructureNamespace: openshift-infra @@ -118,8 +124,9 @@ projectConfig:      mcsLabelsPerProject: {{ openshift.master.mcs_labels_per_project }}      uidAllocatorRange: "{{ openshift.master.uid_allocator_range  }}"  routingConfig: -  subdomain:  "{{ openshift.master.default_subdomain | default("") }}" +  subdomain:  "{{ openshift.master.default_subdomain | default("router.default.svc.cluster.local") }}"  serviceAccountConfig: +  limitSecretReferences: false    managedNames:    - default    - builder @@ -130,6 +137,7 @@ serviceAccountConfig:    - serviceaccounts.public.key  servingInfo:    bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.api_port }} +  bindNetwork: tcp4    certFile: master.server.crt    clientCA: ca.crt    keyFile: master.server.key  | 
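Review bot: In the `kubernetesMasterConfig` hunk `podEvictionTimeout: 5m` and `servicesNodePortRange: 30000-32767` are written as fixed literals while the neighbouring `masterIP` and `servicesSubnet` come from facts, so these two cannot be tuned per deployment without editing the template; exposing them the same way (for example a constructed `openshift.master.pod_eviction_timeout` fact defaulting to `5m`) would match the surrounding style. In the `serviceAccountConfig` hunk `limitSecretReferences: false` is added without explanation; if the field means what its name suggests (not restricting which secrets a service account may reference), a one-line comment such as `# permissive default; set true to require explicit secret references` records the choice for anyone reviewing the hardening posture.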
