summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--openshift-ansible.spec15
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml8
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml3
-rw-r--r--roles/ansible_service_broker/tasks/remove.yml12
-rw-r--r--roles/docker/tasks/package_docker.yml12
-rw-r--r--roles/docker/tasks/registry_auth.yml12
-rw-r--r--roles/openshift_gcp/templates/provision.j2.sh9
-rw-r--r--roles/openshift_logging/README.md75
-rw-r--r--roles/openshift_logging/templates/jks_pod.j22
-rw-r--r--roles/openshift_logging_curator/templates/curator.j22
-rw-r--r--roles/openshift_logging_elasticsearch/templates/es.j24
-rw-r--r--roles/openshift_logging_eventrouter/files/eventrouter-template.yaml2
-rw-r--r--roles/openshift_logging_eventrouter/templates/eventrouter-template.j22
-rw-r--r--roles/openshift_logging_fluentd/templates/fluentd.j22
-rw-r--r--roles/openshift_logging_kibana/templates/kibana.j24
-rw-r--r--roles/openshift_logging_mux/templates/mux.j22
-rw-r--r--roles/openshift_master/tasks/journald.yml22
-rw-r--r--roles/openshift_master/tasks/main.yml25
-rw-r--r--roles/openshift_master_facts/filter_plugins/openshift_master.py1
-rw-r--r--roles/openshift_metrics/README.md75
-rw-r--r--roles/openshift_metrics/templates/hawkular_cassandra_rc.j22
-rw-r--r--roles/openshift_metrics/templates/hawkular_metrics_rc.j22
-rw-r--r--roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j22
-rw-r--r--roles/openshift_metrics/templates/heapster.j22
-rw-r--r--roles/openshift_prometheus/README.md4
-rw-r--r--roles/openshift_prometheus/defaults/main.yaml14
-rw-r--r--roles/openshift_prometheus/templates/prometheus.j210
-rw-r--r--roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml2
-rw-r--r--roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml2
-rw-r--r--roles/openshift_service_catalog/tasks/generate_certs.yml10
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml10
-rw-r--r--roles/openshift_service_catalog/tasks/remove.yml24
-rw-r--r--roles/openshift_service_catalog/templates/sc_role_patching.j24
-rw-r--r--roles/template_service_broker/tasks/remove.yml4
35 files changed, 300 insertions, 83 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index ae7183bcb..b340654f4 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.7.0-0.177.0 ./
+3.7.0-0.178.0 ./
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index ea272bdb2..5ca9ac3a9 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
Name: openshift-ansible
Version: 3.7.0
-Release: 0.177.0%{?dist}
+Release: 0.178.0%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
URL: https://github.com/openshift/openshift-ansible
@@ -280,6 +280,19 @@ Atomic OpenShift Utilities includes
%changelog
+* Wed Oct 25 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.178.0
+- Split prometheus image defaults to prefix and version (zgalor@redhat.com)
+- Remove extraneous spaces that yamllint dislikes (staebler@redhat.com)
+- Fix edit and admin role patching for service catalog (staebler@redhat.com)
+- strip dash when comparing version with Python3 (jchaloup@redhat.com)
+- Bug 1452939 - change Logging & Metrics imagePullPolicy (jwozniak@redhat.com)
+- Remove role bindings during service catalog un-install (staebler@redhat.com)
+- Fix a few small issues in service catalog uninstall (staebler@redhat.com)
+- Remove incorrect validation for OpenIDIdentityProvider (mgugino@redhat.com)
+- Enable oreg_auth credential replace during upgrades (mgugino@redhat.com)
+- Handle bootstrap behavior in GCP template (ccoleman@redhat.com)
+- Ensure upgrades apply latest journald settings (mgugino@redhat.com)
+
* Tue Oct 24 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.177.0
- Check if the master service is non-ha or not (jchaloup@redhat.com)
- Correct host group for controller restart (rteague@redhat.com)
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml
index 142ce5f3d..13fa37b09 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml
@@ -4,6 +4,12 @@
msg: Verify OpenShift is already installed
when: openshift.common.version is not defined
+- name: Update oreg_auth docker login credentials if necessary
+ include_role:
+ name: docker
+ tasks_from: registry_auth.yml
+ when: oreg_auth_user is defined
+
- name: Verify containers are available for upgrade
command: >
docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }}
@@ -37,7 +43,7 @@
fail:
msg: "OpenShift {{ avail_openshift_version }} is available, but {{ openshift_upgrade_target }} or greater is required"
when:
- - openshift_pkg_version | default('0.0', True) | version_compare(openshift_release, '<')
+ - (openshift_pkg_version | default('-0.0', True)).split('-')[1] | version_compare(openshift_release, '<')
- name: Fail when openshift version does not meet minium requirement for Origin upgrade
fail:
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index ea4e25f8f..a5e2f7940 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -90,6 +90,9 @@
- include_vars: ../../../../roles/openshift_master/vars/main.yml
+ - name: Update journald config
+ include: ../../../../roles/openshift_master/tasks/journald.yml
+
- name: Remove any legacy systemd units and update systemd units
include: ../../../../roles/openshift_master/tasks/systemd_units.yml
diff --git a/roles/ansible_service_broker/tasks/remove.yml b/roles/ansible_service_broker/tasks/remove.yml
index f0a6be226..51b86fb26 100644
--- a/roles/ansible_service_broker/tasks/remove.yml
+++ b/roles/ansible_service_broker/tasks/remove.yml
@@ -85,9 +85,9 @@
- name: remove secret for broker auth
oc_obj:
- name: asb-auth-secret
+ name: asb-client
namespace: openshift-ansible-service-broker
- kind: Broker
+ kind: Secret
state: absent
# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
@@ -99,11 +99,17 @@
kind: ConfigMap
# TODO: Is this going to work?
+- shell: >
+ oc get apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found"
+ register: get_apiservices
+ changed_when: no
+
- name: remove broker object from the catalog
oc_obj:
name: ansible-service-broker
state: absent
- kind: ServiceBroker
+ kind: ClusterServiceBroker
+ when: not "'not found' in get_apiservices.stdout"
- name: remove openshift-ansible-service-broker project
oc_project:
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index d6aee0513..b16413f72 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -153,16 +153,6 @@
- set_fact:
docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
-- name: Check for credentials file for registry auth
- stat:
- path: "{{ docker_cli_auth_config_path }}/config.json"
- when: oreg_auth_user is defined
- register: docker_cli_auth_credentials_stat
-
-- name: Create credentials for docker cli registry auth
- command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
- when:
- - oreg_auth_user is defined
- - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+- include: registry_auth.yml
- meta: flush_handlers
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
new file mode 100644
index 000000000..65ed60efa
--- /dev/null
+++ b/roles/docker/tasks/registry_auth.yml
@@ -0,0 +1,12 @@
+---
+- name: Check for credentials file for registry auth
+ stat:
+ path: "{{ docker_cli_auth_config_path }}/config.json"
+ when: oreg_auth_user is defined
+ register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+ command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+ when:
+ - oreg_auth_user is defined
+ - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/openshift_gcp/templates/provision.j2.sh b/roles/openshift_gcp/templates/provision.j2.sh
index 64c7cd019..5ed6d9f84 100644
--- a/roles/openshift_gcp/templates/provision.j2.sh
+++ b/roles/openshift_gcp/templates/provision.j2.sh
@@ -125,10 +125,11 @@ fi ) &
if ! gcloud --project "{{ openshift_gcp_project }}" compute instance-templates describe "{{ openshift_gcp_prefix }}instance-template-{{ node_group.name }}" &>/dev/null; then
gcloud --project "{{ openshift_gcp_project }}" compute instance-templates create "{{ openshift_gcp_prefix }}instance-template-{{ node_group.name }}" \
--machine-type "{{ node_group.machine_type }}" --network "{{ openshift_gcp_network_name }}" \
- --tags "{{ openshift_gcp_prefix }}ocp,ocp,{{ node_group.tags }}" \
+ --tags "{{ openshift_gcp_prefix }}ocp,ocp,{{ 'ocp-bootstrap,' if (node_group.bootstrap | default(False)) else '' }}{{ node_group.tags }}" \
--boot-disk-size "{{ node_group.boot_disk_size }}" --boot-disk-type "pd-ssd" \
--scopes "logging-write,monitoring-write,useraccounts-ro,service-control,service-management,storage-ro,compute-rw" \
- --image "${image}" ${metadata}
+ --image "{{ node_group.image | default('${image}') }}" ${metadata} \
+ --metadata "bootstrap={{ node_group.bootstrap | default(False) | bool | to_json }},cluster-id={{ openshift_gcp_prefix + openshift_gcp_clusterid }},node-group={{ node_group.name }}"
else
echo "Instance template '{{ openshift_gcp_prefix }}instance-template-{{ node_group.name }}' already exists"
fi
@@ -312,8 +313,12 @@ fi
# wait until all node groups are stable
{% for node_group in openshift_gcp_node_group_config %}
+{% if node_group.bootstrap | default(False) %}
+# not waiting for {{ node_group.name }} due to bootstrapping
+{% else %}
# wait for stable {{ node_group.name }}
( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed wait-until-stable "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --timeout=600 ) &
+{% endif %}
{% endfor %}
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md
index 280d7d24c..0ea34faf2 100644
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -225,3 +225,78 @@ The corresponding openshift\_logging\_mux\_* parameters are below.
- `openshift_logging_mux_remote_syslog_tag_key`: If string specified, use this field from the record to set the key field on the syslog message
- `openshift_logging_mux_remote_syslog_use_record`: Set `true` to use the severity and facility from the record, defaults to `false`
- `openshift_logging_mux_remote_syslog_payload_key`: If string is specified, use this field from the record as the payload on the syslog message
+
+Image update procedure
+----------------------
+An upgrade of the logging stack from older version to newer is an automated process and should be performed by calling appropriate ansible playbook and setting required ansible variables in your inventory as documented in https://docs.openshift.org/.
+
+Following text describes manual update of the logging images without version upgrade. To determine the current version of images being used you can.
+```
+oc describe pod | grep 'Image ID:'
+```
+This will get the repo digest that can later be compared to the inspected image details.
+
+A way to determine when was your image last updated:
+```
+$ docker images
+REPOSITORY TAG IMAGE ID CREATED SIZE
+<registry>/openshift3/logging-fluentd v3.7 ff2e249fc45a About an hour ago 235.2 MB
+
+$ docker inspect ff2e249fc45a
+[
+ {
+ . . .
+ "RepoDigests": [
+ "<registry>/openshift3/logging-fluentd@sha256:4346f0aa9694f32735115705ad324803b1a6ff08343c3288f7a62c3a5cb70495"
+ ],
+ . . .
+ "Config": {
+ . . .
+ "Labels": {
+ . . .
+ "build-date": "2017-10-12T14:38:22.414827",
+ . . .
+ "release": "0.143.3.0",
+ . . .
+ "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/logging-fluentd/images/v3.7.0-0.143.3.0",
+ . . .
+ "version": "v3.7.0"
+ }
+ },
+ . . .
+```
+
+Pull a new image to see if registry has any newer images with the same tag:
+```
+$ docker pull <registry>/openshift3/logging-fluentd:v3.7
+```
+
+If there was an update, you need to run the `docker pull` on each node.
+
+It is recommended that you now rerun the `openshift_logging` playbook to ensure that any necessary config changes are also picked up.
+
+To manually redeploy your pod you can do the following:
+- for a DC you can do:
+```
+oc rollout latest <dc_name>
+```
+
+- for a RC you can scale down and scale back up
+```
+oc scale --replicas=0 <rc_name>
+
+... wait for scale down
+
+oc scale --replicas=<original_replica_count> <rc_name>
+```
+
+- for a DS you can delete the pod or unlabel and relabel your node
+```
+oc delete pod --selector=<ds_selector>
+```
+
+Changelog
+---------
+
+Tue Oct 10, 2017
+- Default imagePullPolicy changed from Always to IfNotPresent
diff --git a/roles/openshift_logging/templates/jks_pod.j2 b/roles/openshift_logging/templates/jks_pod.j2
index 8b1c74211..e4110b7b3 100644
--- a/roles/openshift_logging/templates/jks_pod.j2
+++ b/roles/openshift_logging/templates/jks_pod.j2
@@ -8,7 +8,7 @@ spec:
containers:
- name: jks-cert-gen
image: {{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
command: ["sh", "{{generated_certs_dir}}/generate-jks.sh"]
securityContext:
privileged: true
diff --git a/roles/openshift_logging_curator/templates/curator.j2 b/roles/openshift_logging_curator/templates/curator.j2
index e71393643..462128366 100644
--- a/roles/openshift_logging_curator/templates/curator.j2
+++ b/roles/openshift_logging_curator/templates/curator.j2
@@ -38,7 +38,7 @@ spec:
-
name: "curator"
image: {{image}}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
{% if (curator_memory_limit is defined and curator_memory_limit is not none and curator_memory_limit != "") or (curator_cpu_limit is defined and curator_cpu_limit is not none and curator_cpu_limit != "") or (curator_cpu_request is defined and curator_cpu_request is not none and curator_cpu_request != "") %}
resources:
{% if (curator_memory_limit is defined and curator_memory_limit is not none and curator_memory_limit != "") or (curator_cpu_limit is defined and curator_cpu_limit is not none and curator_cpu_limit != "") %}
diff --git a/roles/openshift_logging_elasticsearch/templates/es.j2 b/roles/openshift_logging_elasticsearch/templates/es.j2
index 7966d219e..0c7d8b46e 100644
--- a/roles/openshift_logging_elasticsearch/templates/es.j2
+++ b/roles/openshift_logging_elasticsearch/templates/es.j2
@@ -41,7 +41,7 @@ spec:
containers:
- name: proxy
image: {{ proxy_image }}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
args:
- --upstream-ca=/etc/elasticsearch/secret/admin-ca
- --https-address=:4443
@@ -76,7 +76,7 @@ spec:
-
name: "elasticsearch"
image: {{image}}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
resources:
limits:
{% if es_cpu_limit is defined and es_cpu_limit is not none and es_cpu_limit != '' %}
diff --git a/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml b/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml
index 91708e54b..cc01c010d 100644
--- a/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml
+++ b/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml
@@ -56,7 +56,7 @@ objects:
containers:
- name: kube-eventrouter
image: ${IMAGE}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
resources:
limits:
memory: ${MEMORY}
diff --git a/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 b/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2
index 7fdf959d3..5a4f7f762 100644
--- a/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2
+++ b/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2
@@ -62,7 +62,7 @@ objects:
containers:
- name: kube-eventrouter
image: ${IMAGE}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
resources:
limits:
memory: ${MEMORY}
diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2
index b07175a50..10283316c 100644
--- a/roles/openshift_logging_fluentd/templates/fluentd.j2
+++ b/roles/openshift_logging_fluentd/templates/fluentd.j2
@@ -29,7 +29,7 @@ spec:
containers:
- name: "{{ daemonset_container_name }}"
image: "{{ openshift_logging_fluentd_image_prefix }}{{ daemonset_name }}:{{ openshift_logging_fluentd_image_version }}"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
securityContext:
privileged: true
{% if (fluentd_memory_limit is defined and fluentd_memory_limit is not none) or (fluentd_cpu_limit is defined and fluentd_cpu_limit is not none) or (fluentd_cpu_request is defined and fluentd_cpu_request is not none) %}
diff --git a/roles/openshift_logging_kibana/templates/kibana.j2 b/roles/openshift_logging_kibana/templates/kibana.j2
index 329ccbde2..4ff86729a 100644
--- a/roles/openshift_logging_kibana/templates/kibana.j2
+++ b/roles/openshift_logging_kibana/templates/kibana.j2
@@ -37,7 +37,7 @@ spec:
-
name: "kibana"
image: {{ image }}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %}
resources:
{% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") %}
@@ -84,7 +84,7 @@ spec:
-
name: "kibana-proxy"
image: {{ proxy_image }}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "") %}
resources:
{% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") %}
diff --git a/roles/openshift_logging_mux/templates/mux.j2 b/roles/openshift_logging_mux/templates/mux.j2
index 7e88e3964..cfb13d59b 100644
--- a/roles/openshift_logging_mux/templates/mux.j2
+++ b/roles/openshift_logging_mux/templates/mux.j2
@@ -36,7 +36,7 @@ spec:
containers:
- name: "mux"
image: {{image}}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
{% if (mux_memory_limit is defined and mux_memory_limit is not none) or (mux_cpu_limit is defined and mux_cpu_limit is not none) or (mux_cpu_request is defined and mux_cpu_request is not none) %}
resources:
{% if (mux_memory_limit is defined and mux_memory_limit is not none) or (mux_cpu_limit is defined and mux_cpu_limit is not none) %}
diff --git a/roles/openshift_master/tasks/journald.yml b/roles/openshift_master/tasks/journald.yml
new file mode 100644
index 000000000..f79955e95
--- /dev/null
+++ b/roles/openshift_master/tasks/journald.yml
@@ -0,0 +1,22 @@
+---
+- name: Checking for journald.conf
+ stat: path=/etc/systemd/journald.conf
+ register: journald_conf_file
+
+- name: Update journald setup
+ replace:
+ dest: /etc/systemd/journald.conf
+ regexp: '^(\#| )?{{ item.var }}=\s*.*?$'
+ replace: ' {{ item.var }}={{ item.val }}'
+ backup: yes
+ with_items: "{{ journald_vars_to_replace | default([]) }}"
+ when: journald_conf_file.stat.exists
+ register: journald_update
+
+# I need to restart journald immediatelly, otherwise it gets into way during
+# further steps in ansible
+- name: Restart journald
+ systemd:
+ name: systemd-journald
+ state: restarted
+ when: journald_update | changed
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 824a5886e..d0bc79c0c 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -177,31 +177,12 @@
local_facts:
no_proxy_etcd_host_ips: "{{ openshift_no_proxy_etcd_host_ips }}"
+- name: Update journald config
+ include: journald.yml
+
- name: Install the systemd units
include: systemd_units.yml
-- name: Checking for journald.conf
- stat: path=/etc/systemd/journald.conf
- register: journald_conf_file
-
-- name: Update journald setup
- replace:
- dest: /etc/systemd/journald.conf
- regexp: '^(\#| )?{{ item.var }}=\s*.*?$'
- replace: ' {{ item.var }}={{ item.val }}'
- backup: yes
- with_items: "{{ journald_vars_to_replace | default([]) }}"
- when: journald_conf_file.stat.exists
- register: journald_update
-
-# I need to restart journald immediatelly, otherwise it gets into way during
-# further steps in ansible
-- name: Restart journald
- systemd:
- name: systemd-journald
- state: restarted
- when: journald_update | changed
-
- name: Install Master system container
include: system_container.yml
when:
diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py
index f7f3ac2b1..a4f410296 100644
--- a/roles/openshift_master_facts/filter_plugins/openshift_master.py
+++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py
@@ -363,7 +363,6 @@ class OpenIDIdentityProvider(IdentityProviderOauthBase):
def validate(self):
''' validate this idp instance '''
- IdentityProviderOauthBase.validate(self)
if not isinstance(self.provider['claims'], dict):
raise errors.AnsibleFilterError("|failed claims for provider {0} "
"must be a dictionary".format(self.__class__.__name__))
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
index ed698daca..b74f22c00 100644
--- a/roles/openshift_metrics/README.md
+++ b/roles/openshift_metrics/README.md
@@ -109,3 +109,78 @@ Author Information
------------------
Jose David Martín (j.david.nieto@gmail.com)
+
+Image update procedure
+----------------------
+An upgrade of the metrics stack from older version to newer is an automated process and should be performed by calling appropriate ansible playbook and setting required ansible variables in your inventory as documented in https://docs.openshift.org/.
+
+Following text describes manual update of the metrics images without version upgrade. To determine the current version of images being used you can:
+```
+oc describe pod | grep 'Image ID:'
+```
+This will get the repo digest that can later be compared to the inspected image details.
+
+A way to determine when was your image last updated:
+```
+$ docker images
+REPOSITORY TAG IMAGE ID CREATED SIZE
+<registry>/openshift3/origin-metrics-cassandra v3.7 f8ad8d569e27 14 hours ago 783.7 MB
+
+$ docker inspect 9c3597aeb39f
+[
+ {
+ . . .
+ "RepoDigests": [
+ "<registry>/openshift3/metrics-cassandra@sha256:d37fc0cab268625b53a92bb98d09fcc501cfca1c68e16bac6dd98446d32ba135
+ ],
+ . . .
+ "Config": {
+ . . .
+ "Labels": {
+ . . .
+ "build-date": "2017-10-17T16:47:44.350655",
+ . . .
+ "release": "0.143.4.0",
+ . . .
+ "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/metrics-cassandra/images/v3.7.0-0.143.4.0",
+ . . .
+ "version": "v3.7.0"
+ }
+ },
+ . . .
+```
+
+Pull a new image to see if registry has any newer images with the same tag:
+```
+$ docker pull <registry>/openshift3/origin-metrics-cassandra:v3.7
+```
+
+If there was an update, you need to run the `docker pull` on each node.
+
+It is recommended that you now rerun the `openshift_metrics` playbook to ensure that any necessary config changes are also picked up.
+
+To manually redeploy your pod you can do the following:
+- for a DC you can do:
+```
+oc rollout latest <dc_name>
+```
+
+- for a RC you can scale down and scale back up
+```
+oc scale --replicas=0 <rc_name>
+
+... wait for scale down
+
+oc scale --replicas=<original_replica_count> <rc_name>
+```
+
+- for a DS you can delete the pod or unlabel and relabel your node
+```
+oc delete pod --selector=<ds_selector>
+```
+
+Changelog
+---------
+
+Tue Oct 10, 2017
+- Default imagePullPolicy changed from Always to IfNotPresent
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
index 6f341bcfb..6a3811598 100644
--- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
@@ -30,7 +30,7 @@ spec:
{% endif %}
containers:
- image: "{{ openshift_metrics_image_prefix }}metrics-cassandra:{{ openshift_metrics_image_version }}"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
name: hawkular-cassandra-{{ node }}
ports:
- name: cql-port
diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
index 59f7fb44a..0662bea53 100644
--- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2
@@ -25,7 +25,7 @@ spec:
{% endif %}
containers:
- image: {{openshift_metrics_image_prefix}}metrics-hawkular-metrics:{{openshift_metrics_image_version}}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
name: hawkular-metrics
ports:
- name: http-endpoint
diff --git a/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2 b/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2
index d65eaf9ae..40d09e9fa 100644
--- a/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2
+++ b/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2
@@ -25,7 +25,7 @@ spec:
{% endif %}
containers:
- image: {{openshift_metrics_image_prefix}}metrics-hawkular-openshift-agent:{{openshift_metrics_image_version}}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
name: hawkular-openshift-agent
{% if ((openshift_metrics_hawkular_agent_limits_cpu is defined and openshift_metrics_hawkular_agent_limits_cpu is not none)
or (openshift_metrics_hawkular_agent_limits_memory is defined and openshift_metrics_hawkular_agent_limits_memory is not none)
diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2
index d8c7763ea..e732c1eee 100644
--- a/roles/openshift_metrics/templates/heapster.j2
+++ b/roles/openshift_metrics/templates/heapster.j2
@@ -27,7 +27,7 @@ spec:
containers:
- name: heapster
image: {{openshift_metrics_image_prefix}}metrics-heapster:{{openshift_metrics_image_version}}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
ports:
- containerPort: 8082
name: "http-endpoint"
diff --git a/roles/openshift_prometheus/README.md b/roles/openshift_prometheus/README.md
index 07ea0299d..b51da34a5 100644
--- a/roles/openshift_prometheus/README.md
+++ b/roles/openshift_prometheus/README.md
@@ -19,7 +19,9 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml).
- `openshift_prometheus_node_selector`: Selector for the nodes prometheus will be deployed on.
-- `openshift_prometheus_image_<COMPONENT>`: specify image for the component
+- `openshift_prometheus_<COMPONENT>_image_prefix`: specify image prefix for the component
+
+- `openshift_prometheus_<COMPONENT>_image_version`: specify image version for the component
## PVC related variables
Each prometheus component (prometheus, alertmanager, alertbuffer) can set pv claim by setting corresponding role variable:
diff --git a/roles/openshift_prometheus/defaults/main.yaml b/roles/openshift_prometheus/defaults/main.yaml
index f6ff7ce22..9dc1ef289 100644
--- a/roles/openshift_prometheus/defaults/main.yaml
+++ b/roles/openshift_prometheus/defaults/main.yaml
@@ -6,11 +6,15 @@ openshift_prometheus_namespace: prometheus
openshift_prometheus_node_selector: {"region":"infra"}
-# images
-openshift_prometheus_image_proxy: "openshift/oauth-proxy:v1.0.0"
-openshift_prometheus_image_prometheus: "openshift/prometheus:v2.0.0-dev.3"
-openshift_prometheus_image_alertmanager: "openshift/prometheus-alertmanager:v0.9.1"
-openshift_prometheus_image_alertbuffer: "openshift/prometheus-alert-buffer:v0.0.2"
+# image defaults
+openshift_prometheus_image_prefix: "openshift/"
+openshift_prometheus_image_version: "v2.0.0-dev.3"
+openshift_prometheus_proxy_image_prefix: "openshift/"
+openshift_prometheus_proxy_image_version: "v1.0.0"
+openshift_prometheus_alertmanager_image_prefix: "openshift/"
+openshift_prometheus_alertmanager_image_version: "v0.9.1"
+openshift_prometheus_alertbuffer_image_prefix: "openshift/"
+openshift_prometheus_alertbuffer_image_version: "v0.0.2"
# additional prometheus rules file
openshift_prometheus_additional_rules_file: null
diff --git a/roles/openshift_prometheus/templates/prometheus.j2 b/roles/openshift_prometheus/templates/prometheus.j2
index 81f043491..916c57aa2 100644
--- a/roles/openshift_prometheus/templates/prometheus.j2
+++ b/roles/openshift_prometheus/templates/prometheus.j2
@@ -29,7 +29,7 @@ spec:
containers:
# Deploy Prometheus behind an oauth proxy
- name: prom-proxy
- image: "{{ openshift_prometheus_image_proxy }}"
+ image: "{{openshift_prometheus_proxy_image_prefix}}oauth-proxy:{{openshift_prometheus_proxy_image_version}}"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -79,7 +79,7 @@ spec:
- --storage.tsdb.min-block-duration=2m
- --config.file=/etc/prometheus/prometheus.yml
- --web.listen-address=localhost:9090
- image: "{{ openshift_prometheus_image_prometheus }}"
+ image: "{{openshift_prometheus_image_prefix}}prometheus:{{openshift_prometheus_image_version}}"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -105,7 +105,7 @@ spec:
# Deploy alertmanager behind prometheus-alert-buffer behind an oauth proxy
- name: alerts-proxy
- image: "{{ openshift_prometheus_image_proxy }}"
+ image: "{{openshift_prometheus_proxy_image_prefix}}oauth-proxy:{{openshift_prometheus_proxy_image_version}}"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -149,7 +149,7 @@ spec:
- name: alert-buffer
args:
- --storage-path=/alert-buffer/messages.db
- image: "{{ openshift_prometheus_image_alertbuffer }}"
+ image: "{{openshift_prometheus_alertbuffer_image_prefix}}prometheus-alert-buffer:{{openshift_prometheus_alertbuffer_image_version}}"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -176,7 +176,7 @@ spec:
- name: alertmanager
args:
- -config.file=/etc/alertmanager/alertmanager.yml
- image: "{{ openshift_prometheus_image_alertmanager }}"
+ image: "{{openshift_prometheus_alertmanager_image_prefix}}prometheus-alertmanager:{{openshift_prometheus_alertmanager_image_version}}"
imagePullPolicy: IfNotPresent
resources:
requests:
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 56b2d1463..f449fba2b 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Template
metadata:
- name: service-catalog
+ name: service-catalog-role-bindings
objects:
- apiVersion: authorization.openshift.io/v1
diff --git a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml
index e1af51ce6..f563ae42e 100644
--- a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Template
metadata:
- name: kube-system-service-catalog
+ name: kube-system-service-catalog-role-bindings
objects:
- apiVersion: authorization.openshift.io/v1
diff --git a/roles/openshift_service_catalog/tasks/generate_certs.yml b/roles/openshift_service_catalog/tasks/generate_certs.yml
index 416bdac70..9d55185c8 100644
--- a/roles/openshift_service_catalog/tasks/generate_certs.yml
+++ b/roles/openshift_service_catalog/tasks/generate_certs.yml
@@ -16,6 +16,16 @@
--key={{ generated_certs_dir }}/ca.key --cert={{ generated_certs_dir }}/ca.crt
--serial={{ generated_certs_dir }}/apiserver.serial.txt --name=service-catalog-signer
+- name: Delete old apiserver.crt
+ file:
+ path: "{{ generated_certs_dir }}/apiserver.crt"
+ state: absent
+
+- name: Delete old apiserver.key
+ file:
+ path: "{{ generated_certs_dir }}/apiserver.key"
+ state: absent
+
- name: Generating server keys
oc_adm_ca_server_cert:
cert: "{{ generated_certs_dir }}/apiserver.crt"
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 1e94c8c5d..aa3ec5724 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -47,16 +47,15 @@
dest: "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml"
- oc_obj:
- name: service-catalog
+ name: service-catalog-role-bindings
kind: template
namespace: "kube-service-catalog"
files:
- "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml"
- delete_after: yes
- oc_process:
create: True
- template_name: service-catalog
+ template_name: service-catalog-role-bindings
namespace: "kube-service-catalog"
- copy:
@@ -64,16 +63,15 @@
dest: "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml"
- oc_obj:
- name: kube-system-service-catalog
+ name: kube-system-service-catalog-role-bindings
kind: template
namespace: kube-system
files:
- "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml"
- delete_after: yes
- oc_process:
create: True
- template_name: kube-system-service-catalog
+ template_name: kube-system-service-catalog-role-bindings
namespace: kube-system
- oc_obj:
diff --git a/roles/openshift_service_catalog/tasks/remove.yml b/roles/openshift_service_catalog/tasks/remove.yml
index 96ae61507..ca9844e79 100644
--- a/roles/openshift_service_catalog/tasks/remove.yml
+++ b/roles/openshift_service_catalog/tasks/remove.yml
@@ -3,10 +3,6 @@
command: >
oc delete apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io --ignore-not-found -n kube-service-catalog
-- name: Remove Policy Binding
- command: >
- oc delete policybindings/kube-system:default -n kube-system --ignore-not-found
-
# TODO: this module doesn't currently remove this
#- name: Remove service catalog api service
# oc_obj:
@@ -50,6 +46,26 @@
kind: deployment
name: controller-manager
+- name: Remove Service Catalog kube-system Role Bindinds
+ shell: >
+ oc process kube-system-service-catalog-role-bindings -n kube-system | oc delete --ignore-not-found -f -
+
+- oc_obj:
+ kind: template
+ name: "kube-system-service-catalog-role-bindings"
+ namespace: kube-system
+ state: absent
+
+- name: Remove Service Catalog kube-service-catalog Role Bindinds
+ shell: >
+ oc process service-catalog-role-bindings -n kube-service-catalog | oc delete --ignore-not-found -f -
+
+- oc_obj:
+ kind: template
+ name: "service-catalog-role-bindings"
+ namespace: kube-service-catalog
+ state: absent
+
- name: Remove Service Catalog namespace
oc_project:
state: absent
diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2
index 69b062b3f..4629d5bb3 100644
--- a/roles/openshift_service_catalog/templates/sc_role_patching.j2
+++ b/roles/openshift_service_catalog/templates/sc_role_patching.j2
@@ -3,8 +3,8 @@
- "servicecatalog.k8s.io"
attributeRestrictions: null
resources:
- - instances
- - bindings
+ - serviceinstances
+ - servicebindings
verbs:
- create
- update
diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml
index f3afe65ed..28836f97f 100644
--- a/roles/template_service_broker/tasks/remove.yml
+++ b/roles/template_service_broker/tasks/remove.yml
@@ -13,11 +13,11 @@
- name: Delete TSB broker
shell: >
- oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" | oc delete -f -
+ oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" | oc delete --ignore-not-found -f -
- name: Delete TSB objects
shell: >
- oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | kubectl delete -f -
+ oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | oc delete --ignore-not-found -f -
- name: empty out tech preview extension file for service console UI
copy: