Merge pull request #763 from openshift/master

Merge master into prod.
author: Kenny Woodson <kwoodson@redhat.com> 2015-10-29 11:14:51 -0400
committer: Kenny Woodson <kwoodson@redhat.com> 2015-10-29 11:14:51 -0400
commit: 9bbaa824da5e1a049cdec1a6523c3841d713386c (patch)
tree: 93e80f1577ad0f2f5f8931b493c50cd9aa657c77 /roles/openshift_master
parent: 15df494fb781dd1509854eeb366e981930b52c22 (diff)
parent: 16d1bce0be2f8c3942489630adcb7030aecadc55 (diff)
download: openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.tar.gz
openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.tar.bz2
openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.tar.xz
openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.zip
9 files changed, 164 insertions, 70 deletions
diff --git a/roles/openshift_master/README.md b/roles/openshift_master/README.md
index 3178e318c..155bdb58b 100644
--- a/roles/openshift_master/README.md
+++ b/roles/openshift_master/README.md
@@ -1,13 +1,13 @@
-OpenShift Master
-================
+OpenShift/Atomic Enterprise Master
+==================================
 
-OpenShift Master service installation
+Master service installation
 
 Requirements
 ------------
 
 A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms,
-rhel-7-server-extras-rpms, and rhel-server-7-ose-beta-rpms repos.
+rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos.
 
 Role Variables
 --------------
@@ -15,8 +15,8 @@ Role Variables
 From this role:
 | Name                                | Default value         |                                                  |
 |-------------------------------------|-----------------------|--------------------------------------------------|
-| openshift_master_debug_level        | openshift_debug_level | Verbosity of the debug logs for openshift-master |
-| openshift_node_ips                  | []                    | List of the openshift node ip addresses to pre-register when openshift-master starts up |
+| openshift_master_debug_level        | openshift_debug_level | Verbosity of the debug logs for master |
+| openshift_node_ips                  | []                    | List of the openshift node ip addresses to pre-register when master starts up |
 | oreg_url                            | UNDEF                 | Default docker registry to use |
 | openshift_master_api_port           | UNDEF                 | |
 | openshift_master_console_port       | UNDEF                 | |
@@ -28,7 +28,7 @@ From this role:
 From openshift_common:
 | Name                          | Default Value  |                                        |
 |-------------------------------|----------------|----------------------------------------|
-| openshift_debug_level         | 0              | Global openshift debug log verbosity   |
+| openshift_debug_level         | 2              | Global openshift debug log verbosity   |
 | openshift_public_ip           | UNDEF          | Public IP address to use for this host |
 | openshift_hostname            | UNDEF          | hostname to use for this instance      |
 
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 11195e83e..9766d01ae 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -5,20 +5,26 @@ openshift_node_ips: []
 os_firewall_allow:
 - service: etcd embedded
   port: 4001/tcp
-- service: OpenShift api https
+- service: api server https
   port: 8443/tcp
-- service: OpenShift dns tcp
+- service: dns tcp
   port: 53/tcp
-- service: OpenShift dns udp
+- service: dns udp
   port: 53/udp
 - service: Fluentd td-agent tcp
   port: 24224/tcp
 - service: Fluentd td-agent udp
   port: 24224/udp
+- service: pcsd
+  port: 2224/tcp
+- service: Corosync UDP
+  port: 5404/udp
+- service: Corosync UDP
+  port: 5405/udp
 os_firewall_deny:
-- service: OpenShift api http
+- service: api server http
   port: 8080/tcp
-- service: former OpenShift web console port
+- service: former web console port
   port: 8444/tcp
 - service: former etcd peer port
   port: 7001/tcp
diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml
index 6fd4dfb51..37028e0f6 100644
--- a/roles/openshift_master/handlers/main.yml
+++ b/roles/openshift_master/handlers/main.yml
@@ -1,3 +1,4 @@
 ---
-- name: restart openshift-master
-  service: name=openshift-master state=restarted
+- name: restart master
+  service: name={{ openshift.common.service_type }}-master state=restarted
+  when: (not openshift_master_ha | bool) and (not master_service_status_changed | default(false))
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index 41a183c3b..c125cb5d0 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 galaxy_info:
   author: Jhon Honce
-  description: OpenShift Master
+  description: Master
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
   min_ansible_version: 1.7
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 23f8b4649..94eb73346 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -8,10 +8,17 @@
     - openshift_master_oauth_grant_method in openshift_master_valid_grant_methods
   when: openshift_master_oauth_grant_method is defined
 
-- name: Set master OpenShift facts
+- fail:
+    msg: "openshift_master_cluster_password must be set for multi-master installations"
+  when: openshift_master_ha | bool and not openshift.master.cluster_defer_ha | bool and openshift_master_cluster_password is not defined
+
+- name: Set master facts
   openshift_facts:
     role: master
     local_facts:
+      cluster_hostname: "{{ openshift_master_cluster_hostname | default(None) }}"
+      cluster_public_hostname: "{{ openshift_master_cluster_public_hostname | default(None) }}"
+      cluster_defer_ha: "{{ openshift_master_cluster_defer_ha | default(None) }}"
       debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level) }}"
       api_port: "{{ openshift_master_api_port | default(None) }}"
       api_url: "{{ openshift_master_api_url | default(None) }}"
@@ -22,6 +29,7 @@
       console_url: "{{ openshift_master_console_url | default(None) }}"
       console_use_ssl: "{{ openshift_master_console_use_ssl | default(None) }}"
       public_console_url: "{{ openshift_master_public_console_url | default(None) }}"
+      etcd_hosts: "{{ openshift_master_etcd_hosts | default(None)}}"
       etcd_port: "{{ openshift_master_etcd_port | default(None) }}"
       etcd_use_ssl: "{{ openshift_master_etcd_use_ssl | default(None) }}"
       etcd_urls: "{{ openshift_master_etcd_urls | default(None) }}"
@@ -41,39 +49,38 @@
       oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}"
       sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}"
       sdn_host_subnet_length: "{{ osm_host_subnet_length | default(None) }}"
+      default_subdomain: "{{ osm_default_subdomain | default(None) }}"
+      custom_cors_origins: "{{ osm_custom_cors_origins | default(None) }}"
+      default_node_selector: "{{ osm_default_node_selector | default(None) }}"
+      project_request_message: "{{ osm_project_request_message | default(None) }}"
+      project_request_template: "{{ osm_project_request_template | default(None) }}"
+      mcs_allocator_range: "{{ osm_mcs_allocator_range | default(None) }}"
+      mcs_labels_per_project: "{{ osm_mcs_labels_per_project | default(None) }}"
+      uid_allocator_range: "{{ osm_uid_allocator_range | default(None) }}"
+      router_selector: "{{ openshift_router_selector | default(None) }}"
+      registry_selector: "{{ openshift_registry_selector | default(None) }}"
+      api_server_args: "{{ osm_api_server_args | default(None) }}"
+      controller_args: "{{ osm_controller_args | default(None) }}"
+      infra_nodes: "{{ num_infra | default(None) }}"
+
+- name: Install Master package
+  yum: pkg={{ openshift.common.service_type }}-master{{ openshift_version  }} state=present
+  register: install_result
 
 # TODO: These values need to be configurable
-- name: Set dns OpenShift facts
+- name: Set dns facts
   openshift_facts:
     role: dns
     local_facts:
-      ip: "{{ openshift.common.ip }}"
+      ip: "{{ openshift_master_cluster_vip | default(openshift.common.ip, true) | default(None) }}"
       domain: cluster.local
   when: openshift.master.embedded_dns
 
-- name: Install OpenShift Master package
-  yum: pkg=openshift-master state=present
-  register: install_result
-
-- name: Reload systemd units
-  command: systemctl daemon-reload
-  when: install_result | changed
-
 - name: Create config parent directory if it doesn't exist
   file:
     path: "{{ openshift_master_config_dir }}"
     state: directory
 
-- name: Create the master certificates if they do not already exist
-  command: >
-    {{ openshift.common.admin_binary }} create-master-certs
-      --hostnames={{ openshift.common.hostname }},{{ openshift.common.public_hostname }}
-      --master={{ openshift.master.api_url }}
-      --public-master={{ openshift.master.public_api_url }}
-      --cert-dir={{ openshift_master_config_dir }} --overwrite=false
-  args:
-    creates: "{{ openshift_master_config_dir }}/master.server.key"
-
 - name: Create the policy file if it does not already exist
   command: >
     {{ openshift.common.admin_binary }} create-bootstrap-policy-file
@@ -81,20 +88,28 @@
   args:
     creates: "{{ openshift_master_policy }}"
   notify:
-  - restart openshift-master
+  - restart master
 
 - name: Create the scheduler config
   template:
     dest: "{{ openshift_master_scheduler_conf }}"
     src: scheduler.json.j2
+    backup: true
   notify:
-  - restart openshift-master
+  - restart master
 
 - name: Install httpd-tools if needed
   yum: pkg=httpd-tools state=present
   when: item.kind == 'HTPasswdPasswordIdentityProvider'
   with_items: openshift.master.identity_providers
 
+- name: Ensure htpasswd directory exists
+  file:
+    path: "{{ item.filename | dirname }}"
+    state: directory
+  when: item.kind == 'HTPasswdPasswordIdentityProvider'
+  with_items: openshift.master.identity_providers
+
 - name: Create the htpasswd file if needed
   copy:
     dest: "{{ item.filename }}"
@@ -109,12 +124,13 @@
   template:
     dest: "{{ openshift_master_config_file }}"
     src: master.yaml.v1.j2
+    backup: true
   notify:
-  - restart openshift-master
+  - restart master
 
-- name: Configure OpenShift settings
+- name: Configure master settings
   lineinfile:
-    dest: /etc/sysconfig/openshift-master
+    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master
     regexp: "{{ item.regex }}"
     line: "{{ item.line }}"
   with_items:
@@ -123,39 +139,61 @@
     - regex: '^CONFIG_FILE='
       line: "CONFIG_FILE={{ openshift_master_config_file }}"
   notify:
-  - restart openshift-master
+  - restart master
+
+- name: Start and enable master
+  service: name={{ openshift.common.service_type }}-master enabled=yes state=started
+  when: not openshift_master_ha | bool
+  register: start_result
+
+- set_fact:
+    master_service_status_changed = start_result | changed
+
+- name: Install cluster packages
+  yum: pkg=pcs state=present
+  when: openshift_master_ha | bool and not openshift.master.cluster_defer_ha | bool
+  register: install_result
+
+- name: Start and enable cluster service
+  service: name=pcsd enabled=yes state=started
+  when: openshift_master_ha | bool and not openshift.master.cluster_defer_ha | bool
+
+- name: Set the cluster user password
+  shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster
+  when: install_result | changed
 
-- name: Start and enable openshift-master
-  service: name=openshift-master enabled=yes state=started
+- name: Lookup default group for ansible_ssh_user
+  command: "/usr/bin/id -g {{ ansible_ssh_user }}"
+  register: _ansible_ssh_user_gid
 
-- name: Create the OpenShift client config dir(s)
+- name: Create the client config dir(s)
   file:
-    path: "~{{ item }}/.config/openshift"
+    path: "~{{ item }}/.kube"
     state: directory
     mode: 0700
     owner: "{{ item }}"
-    group: "{{ item }}"
+    group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout  }}"
   with_items:
   - root
   - "{{ ansible_ssh_user }}"
 
 # TODO: Update this file if the contents of the source file are not present in
 # the dest file, will need to make sure to ignore things that could be added
-- name: Copy the OpenShift admin client config(s)
-  command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.config/openshift/.config
+- name: Copy the admin client config(s)
+  command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config
   args:
-    creates: ~{{ item }}/.config/openshift/.config
+    creates: ~{{ item }}/.kube/config
   with_items:
   - root
   - "{{ ansible_ssh_user }}"
 
-- name: Update the permissions on the OpenShift admin client config(s)
+- name: Update the permissions on the admin client config(s)
   file:
-    path: "~{{ item }}/.config/openshift/.config"
+    path: "~{{ item }}/.kube/config"
     state: file
     mode: 0700
     owner: "{{ item }}"
-    group: "{{ item }}"
+    group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout  }}"
   with_items:
   - root
   - "{{ ansible_ssh_user }}"
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 1c2d37b63..3e4f78b17 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -1,3 +1,6 @@
+apiLevels:
+- v1beta3
+- v1
 apiVersion: v1
 assetConfig:
   logoutURL: ""
@@ -8,24 +11,28 @@ assetConfig:
     certFile: master.server.crt
     clientCA: ""
     keyFile: master.server.key
+    maxRequestsInFlight: 0
+    requestTimeoutSeconds: 0
 corsAllowedOrigins:
-{# TODO: add support for user specified corsAllowedOrigins #}
 {% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %}
   - {{ origin }}
 {% endfor %}
-{% if openshift.master.embedded_dns %}
+{% for custom_origin in openshift.master.custom_cors_origins | default("") %}
+  - {{ custom_origin }}
+{% endfor %}
+{% if openshift.master.embedded_dns | bool %}
 dnsConfig:
   bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.dns_port }}
 {% endif %}
 etcdClientInfo:
-  ca: ca.crt
+  ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
   certFile: master.etcd-client.crt
   keyFile: master.etcd-client.key
   urls:
 {% for etcd_url in openshift.master.etcd_urls %}
     - {{ etcd_url }}
 {% endfor %}
-{% if openshift.master.embedded_etcd %}
+{% if openshift.master.embedded_etcd | bool %}
 etcdConfig:
   address: {{ openshift.common.hostname }}:{{ openshift.master.etcd_port }}
   peerAddress: {{ openshift.common.hostname }}:7001
@@ -39,13 +46,13 @@ etcdConfig:
     certFile: etcd.server.crt
     clientCA: ca.crt
     keyFile: etcd.server.key
-  storageDirectory: {{ openshift_data_dir }}/openshift.local.etcd
+  storageDirectory: {{ openshift.common.data_dir }}/openshift.local.etcd
 {% endif %}
 etcdStorageConfig:
   kubernetesStoragePrefix: kubernetes.io
-  kubernetesStorageVersion: v1beta3
-  kubernetesStoragePrefix: kubernetes.io
-  openShiftStorageVersion: v1beta3
+  kubernetesStorageVersion: v1
+  openShiftStoragePrefix: openshift.io
+  openShiftStorageVersion: v1
 imageConfig:
   format: {{ openshift.master.registry_url }}
   latest: false
@@ -56,38 +63,59 @@ kubeletClientInfo:
   certFile: master.kubelet-client.crt
   keyFile: master.kubelet-client.key
   port: 10250
-{% if openshift.master.embedded_kube %}
+{% if openshift.master.embedded_kube | bool %}
 kubernetesMasterConfig:
+  apiLevels:
+  - v1beta3
+  - v1
+  apiServerArguments: {{ api_server_args if api_server_args is defined else 'null' }}
+  controllerArguments: {{ controller_args if controller_args is defined else 'null' }}
 {# TODO: support overriding masterCount #}
   masterCount: 1
   masterIP: ""
+  podEvictionTimeout: ""
+  proxyClientInfo:
+    certFile: master.proxy-client.crt
+    keyFile: master.proxy-client.key
   schedulerConfigFile: {{ openshift_master_scheduler_conf }}
+  servicesNodePortRange: ""
   servicesSubnet: {{ openshift.master.portal_net }}
   staticNodeNames: {{ openshift_node_ips | default([], true) }}
 {% endif %}
 masterClients:
 {# TODO: allow user to set externalKubernetesKubeConfig #}
-  deployerKubeConfig: openshift-deployer.kubeconfig
   externalKubernetesKubeConfig: ""
-  openshiftLoopbackKubeConfig: openshift-client.kubeconfig
+  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
 masterPublicURL: {{ openshift.master.public_api_url }}
 networkConfig:
   clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
   hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }}
+{% if openshift.common.use_openshift_sdn %}
   networkPluginName: {{ openshift.common.sdn_network_plugin_name }}
+{% endif %}
+# serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
+  serviceNetworkCIDR: {{ openshift.master.portal_net }}
 {% include 'v1_partials/oauthConfig.j2' %}
 policyConfig:
   bootstrapPolicyFile: {{ openshift_master_policy }}
+  openshiftInfrastructureNamespace: openshift-infra
   openshiftSharedResourcesNamespace: openshift
-{# TODO: Allow users to override projectConfig items #}
 projectConfig:
-  defaultNodeSelector: ""
-  projectRequestMessage: ""
-  projectRequestTemplate: ""
+  defaultNodeSelector: "{{ openshift.master.default_node_selector }}"
+  projectRequestMessage: "{{ openshift.master.project_request_message }}"
+  projectRequestTemplate: "{{ openshift.master.project_request_template }}"
+  securityAllocator:
+    mcsAllocatorRange: "{{ openshift.master.mcs_allocator_range }}"
+    mcsLabelsPerProject: {{ openshift.master.mcs_labels_per_project }}
+    uidAllocatorRange: "{{ openshift.master.uid_allocator_range  }}"
+routingConfig:
+  subdomain:  "{{ openshift.master.default_subdomain | default("") }}"
 serviceAccountConfig:
   managedNames:
   - default
   - builder
+  - deployer
+  masterCA: ca.crt
   privateKeyFile: serviceaccounts.private.key
   publicKeyFiles:
   - serviceaccounts.public.key
@@ -96,3 +124,5 @@ servingInfo:
   certFile: master.server.crt
   clientCA: ca.crt
   keyFile: master.server.key
+  maxRequestsInFlight: 500
+  requestTimeoutSeconds: 3600
diff --git a/roles/openshift_master/templates/scheduler.json.j2 b/roles/openshift_master/templates/scheduler.json.j2
index 833e7f3e1..cb5f43bb2 100644
--- a/roles/openshift_master/templates/scheduler.json.j2
+++ b/roles/openshift_master/templates/scheduler.json.j2
@@ -1,5 +1,8 @@
 {
+  "kind": "Policy",
+  "apiVersion": "v1",
   "predicates": [
+    {"name": "MatchNodeSelector"},
     {"name": "PodFitsResources"},
     {"name": "PodFitsPorts"},
     {"name": "NoDiskConflict"},
diff --git a/roles/openshift_master/templates/v1_partials/oauthConfig.j2 b/roles/openshift_master/templates/v1_partials/oauthConfig.j2
index f6fd88c65..8a4f5a746 100644
--- a/roles/openshift_master/templates/v1_partials/oauthConfig.j2
+++ b/roles/openshift_master/templates/v1_partials/oauthConfig.j2
@@ -7,9 +7,23 @@
       url: {{ identity_provider.url }}
 {% for key in ('ca', 'certFile', 'keyFile') %}
 {% if key in identity_provider %}
-      {{ key }}: {{ identity_provider[key] }}"
+      {{ key }}: "{{ identity_provider[key] }}"
 {% endif %}
 {% endfor %}
+{% elif identity_provider.kind == 'LDAPPasswordIdentityProvider' %}
+      attributes:
+{% for attribute_key in identity_provider.attributes %}
+        {{ attribute_key }}:
+{% for attribute_value in identity_provider.attributes[attribute_key] %}
+        - {{ attribute_value }}
+{% endfor %}
+{% endfor %}
+{% for key in ('bindDN', 'bindPassword', 'ca') %}
+      {{ key }}: "{{ identity_provider[key] }}"
+{% endfor %}
+{% for key in ('insecure', 'url') %}
+      {{ key }}: {{ identity_provider[key] }}
+{% endfor %}
 {% elif identity_provider.kind == 'RequestHeaderIdentityProvider' %}
       headers: {{ identity_provider.headers }}
 {% if 'clientCA' in identity_provider %}
@@ -66,6 +80,7 @@ oauthConfig:
     provider:
 {{ identity_provider_config(identity_provider) }}
 {%- endfor %}
+  masterCA: ca.crt
   masterPublicURL: {{ openshift.master.public_api_url }}
   masterURL: {{ openshift.master.api_url }}
   sessionConfig:
diff --git a/roles/openshift_master/vars/main.yml b/roles/openshift_master/vars/main.yml
index f6f69966a..ecdb4f883 100644
--- a/roles/openshift_master/vars/main.yml
+++ b/roles/openshift_master/vars/main.yml
@@ -1,8 +1,9 @@
 ---
-openshift_master_config_dir: /etc/openshift/master
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
 openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml"
 openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json"
 openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json"
+openshift_version: "{{ openshift_pkg_version | default('') }}"
 
 openshift_master_valid_grant_methods:
 - auto
author	Kenny Woodson <kwoodson@redhat.com>	2015-10-29 11:14:51 -0400
committer	Kenny Woodson <kwoodson@redhat.com>	2015-10-29 11:14:51 -0400
commit	9bbaa824da5e1a049cdec1a6523c3841d713386c (patch)
tree	93e80f1577ad0f2f5f8931b493c50cd9aa657c77 /roles/openshift_master
parent	15df494fb781dd1509854eeb366e981930b52c22 (diff)
parent	16d1bce0be2f8c3942489630adcb7030aecadc55 (diff)
download	openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.tar.gz openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.tar.bz2 openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.tar.xz openshift-9bbaa824da5e1a049cdec1a6523c3841d713386c.zip