summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.pylintrc3
-rw-r--r--CONTRIBUTING.md18
-rw-r--r--filter_plugins/openshift_master.py16
-rw-r--r--inventory/byo/hosts.origin.example15
-rw-r--r--inventory/byo/hosts.ose.example17
-rw-r--r--openshift-ansible.spec4
-rw-r--r--playbooks/adhoc/openshift_hosted_logging_efk.yaml2
-rw-r--r--playbooks/adhoc/s3_registry/s3_registry.j223
-rw-r--r--playbooks/adhoc/s3_registry/s3_registry.yml78
-rw-r--r--playbooks/adhoc/uninstall.yml26
-rw-r--r--playbooks/byo/openshift-preflight/check.yml39
-rw-r--r--playbooks/certificate_expiry/default.yaml (renamed from roles/openshift_certificate_expiry/examples/playbooks/default.yaml)0
-rw-r--r--playbooks/certificate_expiry/easy-mode.yaml (renamed from roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml)3
-rw-r--r--playbooks/certificate_expiry/html_and_json_default_paths.yaml (renamed from roles/openshift_certificate_expiry/examples/playbooks/html_and_json_default_paths.yaml)0
-rw-r--r--playbooks/certificate_expiry/longer-warning-period-json-results.yaml (renamed from roles/openshift_certificate_expiry/examples/playbooks/longer-warning-period-json-results.yaml)0
-rw-r--r--playbooks/certificate_expiry/longer_warning_period.yaml (renamed from roles/openshift_certificate_expiry/examples/playbooks/longer_warning_period.yaml)0
l---------playbooks/certificate_expiry/roles1
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml26
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/ca.yml21
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/masters.yml8
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/registry.yml20
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/router.yml12
-rw-r--r--playbooks/common/openshift-cluster/upgrades/etcd/backup.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml10
-rw-r--r--playbooks/common/openshift-master/restart_hosts.yml16
-rw-r--r--roles/cockpit-ui/tasks/main.yml2
-rw-r--r--roles/etcd/defaults/main.yaml2
-rw-r--r--roles/etcd/tasks/main.yml24
-rw-r--r--roles/etcd/tasks/system_container.yml63
-rw-r--r--roles/etcd_common/defaults/main.yml3
-rw-r--r--roles/lib_openshift/library/oc_process.py1493
-rw-r--r--roles/lib_openshift/src/ansible/oc_process.py32
-rw-r--r--roles/lib_openshift/src/class/oc_process.py188
-rw-r--r--roles/lib_openshift/src/doc/process84
-rw-r--r--roles/lib_openshift/src/sources.yml10
-rwxr-xr-xroles/lib_openshift/src/test/integration/oc_process.yml83
-rwxr-xr-xroles/lib_openshift/src/test/unit/oc_process.py483
-rw-r--r--roles/nuage_master/meta/main.yml1
-rw-r--r--roles/nuage_master/tasks/serviceaccount.yml16
-rw-r--r--roles/nuage_master/vars/main.yaml6
-rw-r--r--roles/openshift_certificate_expiry/README.md65
l---------roles/openshift_certificate_expiry/examples/playbooks1
-rw-r--r--roles/openshift_etcd_facts/vars/main.yml2
-rw-r--r--roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml6
-rw-r--r--roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml6
-rw-r--r--roles/openshift_facts/defaults/main.yml2
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py22
-rw-r--r--roles/openshift_facts/tasks/main.yml9
-rw-r--r--roles/openshift_health_checker/HOWTO_CHECKS.md34
-rw-r--r--roles/openshift_health_checker/README.md45
-rw-r--r--roles/openshift_health_checker/action_plugins/openshift_health_check.py116
-rw-r--r--roles/openshift_health_checker/callback_plugins/zz_failure_summary.py (renamed from roles/openshift_preflight/verify_status/callback_plugins/zz_failure_summary.py)4
-rwxr-xr-xroles/openshift_health_checker/library/aos_version.py (renamed from roles/openshift_preflight/base/library/aos_version.py)45
-rwxr-xr-xroles/openshift_health_checker/library/check_yum_update.py (renamed from roles/openshift_preflight/base/library/check_yum_update.py)15
-rw-r--r--roles/openshift_health_checker/meta/main.yml (renamed from roles/openshift_preflight/init/meta/main.yml)0
-rw-r--r--roles/openshift_health_checker/openshift_checks/__init__.py84
-rw-r--r--roles/openshift_health_checker/openshift_checks/mixins.py21
-rw-r--r--roles/openshift_health_checker/openshift_checks/package_availability.py66
-rw-r--r--roles/openshift_health_checker/openshift_checks/package_update.py14
-rw-r--r--roles/openshift_health_checker/openshift_checks/package_version.py20
-rw-r--r--roles/openshift_hosted/meta/main.yml1
-rw-r--r--roles/openshift_hosted/tasks/registry/secure.yml29
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/object_storage.yml22
-rw-r--r--roles/openshift_logging/README.md8
-rw-r--r--roles/openshift_logging/defaults/main.yml44
-rw-r--r--roles/openshift_logging/files/fluent.conf1
-rw-r--r--roles/openshift_logging/tasks/delete_logging.yaml10
-rw-r--r--roles/openshift_logging/tasks/generate_pvcs.yaml4
-rw-r--r--roles/openshift_logging/tasks/generate_routes.yaml20
-rw-r--r--roles/openshift_logging/tasks/install_elasticsearch.yaml8
-rw-r--r--roles/openshift_logging/tasks/install_logging.yaml4
-rw-r--r--roles/openshift_logging/tasks/upgrade_logging.yaml2
-rw-r--r--roles/openshift_logging/templates/curator.j22
-rw-r--r--roles/openshift_logging/templates/fluentd.j22
-rw-r--r--roles/openshift_logging/templates/kibana.j22
-rw-r--r--roles/openshift_logging/templates/route_reencrypt.j28
-rw-r--r--roles/openshift_logging/vars/main.yaml12
-rw-r--r--roles/openshift_manageiq/meta/main.yml15
-rw-r--r--roles/openshift_manageiq/tasks/main.yaml30
-rw-r--r--roles/openshift_manageiq/vars/main.yml13
-rw-r--r--roles/openshift_master/tasks/main.yml4
-rw-r--r--roles/openshift_master/tasks/system_container.yml36
-rw-r--r--roles/openshift_master/tasks/systemd_units.yml6
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j212
-rw-r--r--roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py3
-rw-r--r--roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py3
-rw-r--r--roles/openshift_metrics/README.md4
-rw-r--r--roles/openshift_metrics/defaults/main.yaml8
-rw-r--r--roles/openshift_metrics/tasks/generate_certificates.yaml10
-rw-r--r--roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml21
-rw-r--r--roles/openshift_metrics/tasks/generate_heapster_certificates.yaml17
-rw-r--r--roles/openshift_metrics/tasks/import_jks_certs.yaml20
-rw-r--r--roles/openshift_metrics/tasks/install_cassandra.yaml8
-rw-r--r--roles/openshift_metrics/tasks/install_hawkular.yaml2
-rw-r--r--roles/openshift_metrics/tasks/install_metrics.yaml14
-rw-r--r--roles/openshift_metrics/tasks/main.yaml11
-rw-r--r--roles/openshift_metrics/tasks/pre_install.yaml6
-rw-r--r--roles/openshift_metrics/tasks/setup_certificate.yaml35
-rw-r--r--roles/openshift_metrics/templates/hawkular_cassandra_rc.j25
-rw-r--r--roles/openshift_node/tasks/main.yml8
-rw-r--r--roles/openshift_node/tasks/node_system_container.yml34
-rw-r--r--roles/openshift_node/tasks/openvswitch_system_container.yml36
-rw-r--r--roles/openshift_node/tasks/systemd_units.yml72
-rw-r--r--roles/openshift_preflight/README.md52
-rw-r--r--roles/openshift_preflight/common/meta/main.yml3
-rw-r--r--roles/openshift_preflight/common/tasks/main.yml21
-rw-r--r--roles/openshift_preflight/init/tasks/main.yml4
-rw-r--r--roles/openshift_preflight/masters/meta/main.yml3
-rw-r--r--roles/openshift_preflight/masters/tasks/main.yml31
-rw-r--r--roles/openshift_preflight/nodes/meta/main.yml3
-rw-r--r--roles/openshift_preflight/nodes/tasks/main.yml41
-rw-r--r--roles/openshift_preflight/verify_status/tasks/main.yml8
-rw-r--r--roles/openshift_serviceaccounts/meta/main.yml1
-rw-r--r--roles/openshift_serviceaccounts/tasks/main.yml20
-rw-r--r--roles/openshift_storage_nfs/tasks/main.yml1
-rw-r--r--roles/openshift_storage_nfs/templates/exports.j21
116 files changed, 3563 insertions, 665 deletions
diff --git a/.pylintrc b/.pylintrc
index a32bd3d68..ab842843a 100644
--- a/.pylintrc
+++ b/.pylintrc
@@ -18,7 +18,8 @@ persistent=no
load-plugins=
# Use multiple processes to speed up Pylint.
-jobs=1
+# Zero means use the total number of CPUs.
+jobs=0
# Allow loading of arbitrary C extensions. Extensions are imported into the
# active Python interpreter and may run arbitrary code.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 83c844e28..dafa73bad 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -85,6 +85,24 @@ parallel
pip install tox detox
```
+---
+
+Note: before running `tox` or `detox`, ensure that the only virtualenvs within
+the repository root are the ones managed by `tox`, those in a `.tox`
+subdirectory.
+
+Use this command to list paths that are likely part of a virtualenv not managed
+by `tox`:
+
+```
+$ find . -path '*/bin/python' | grep -vF .tox
+```
+
+Extraneous virtualenvs cause tools such as `pylint` to take a very long time
+going through files that are part of the virtualenv.
+
+---
+
List the test environments available:
```
tox -l
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index 4ccee91f9..6d009077a 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -162,7 +162,7 @@ class LDAPPasswordIdentityProvider(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(LDAPPasswordIdentityProvider, self).__init__(api_version, idp)
self._allow_additional = False
self._required += [['attributes'], ['url'], ['insecure']]
self._optional += [['ca'],
@@ -206,7 +206,7 @@ class KeystonePasswordIdentityProvider(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(KeystonePasswordIdentityProvider, self).__init__(api_version, idp)
self._allow_additional = False
self._required += [['url'], ['domainName', 'domain_name']]
self._optional += [['ca'], ['certFile', 'cert_file'], ['keyFile', 'key_file']]
@@ -225,7 +225,7 @@ class RequestHeaderIdentityProvider(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(RequestHeaderIdentityProvider, self).__init__(api_version, idp)
self._allow_additional = False
self._required += [['headers']]
self._optional += [['challengeURL', 'challenge_url'],
@@ -256,7 +256,7 @@ class AllowAllPasswordIdentityProvider(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(AllowAllPasswordIdentityProvider, self).__init__(api_version, idp)
self._allow_additional = False
@@ -273,7 +273,7 @@ class DenyAllPasswordIdentityProvider(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(DenyAllPasswordIdentityProvider, self).__init__(api_version, idp)
self._allow_additional = False
@@ -290,7 +290,7 @@ class HTPasswdPasswordIdentityProvider(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(HTPasswdPasswordIdentityProvider, self).__init__(api_version, idp)
self._allow_additional = False
self._required += [['file', 'filename', 'fileName', 'file_name']]
@@ -315,7 +315,7 @@ class BasicAuthPasswordIdentityProvider(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(BasicAuthPasswordIdentityProvider, self).__init__(api_version, idp)
self._allow_additional = False
self._required += [['url']]
self._optional += [['ca'], ['certFile', 'cert_file'], ['keyFile', 'key_file']]
@@ -334,7 +334,7 @@ class IdentityProviderOauthBase(IdentityProviderBase):
AnsibleFilterError:
"""
def __init__(self, api_version, idp):
- super(self.__class__, self).__init__(api_version, idp)
+ super(IdentityProviderOauthBase, self).__init__(api_version, idp)
self._allow_additional = False
self._required += [['clientID', 'client_id'], ['clientSecret', 'client_secret']]
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index c5f9db909..7741730ad 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -301,6 +301,13 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# Disable management of the OpenShift Router
#openshift_hosted_manage_router=false
+# OpenShift Registry Console Options
+# Override the console image prefix for enterprise deployments, not used in origin
+# default is "registry.access.redhat.com/openshift3/" and the image appended is "registry-console"
+#openshift_cockpit_deployer_prefix=registry.example.com/myrepo/
+# Override image version, defaults to latest for origin, matches the product version for enterprise
+#openshift_cockpit_deployer_version=1.4.1
+
# Openshift Registry Options
#
# An OpenShift registry will be created during install if there are
@@ -481,11 +488,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_master_logging_public_url=https://kibana.example.com
# Configure the number of elastic search nodes, unless you're using dynamic provisioning
# this value must be 1
-#openshift_logging_es_cluster_size=1
-#openshift_logging_kibana_hostname=logging.apps.example.com
+#openshift_hosted_logging_elasticsearch_cluster_size=1
+#openshift_hosted_logging_hostname=logging.apps.example.com
# Configure the prefix and version for the deployer image
-#openshift_logging_image_prefix=registry.example.com:8888/openshift3/
-#openshift_logging_image_version=3.3.0
+#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/
+#openshift_hosted_logging_deployer_version=3.3.0
# Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
# os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index cacdbf115..3da9be081 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -301,6 +301,13 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# Disable management of the OpenShift Router
#openshift_hosted_manage_router=false
+# OpenShift Registry Console Options
+# Override the console image prefix for enterprise deployments, not used in origin
+# default is "registry.access.redhat.com/openshift3/" and the image appended is "registry-console"
+#openshift_cockpit_deployer_prefix=registry.example.com/myrepo/
+# Override image version, defaults to latest for origin, matches the product version for enterprise
+#openshift_cockpit_deployer_version=1.4.1
+
# Openshift Registry Options
#
# An OpenShift registry will be created during install if there are
@@ -475,18 +482,18 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# pods are deleted
#
# Other Logging Options -- Common items you may wish to reconfigure, for the complete
-# list of options please see roles/openshift_hosted_logging/README.md
+# list of options please see roles/openshift_logging/README.md
#
# Configure loggingPublicURL in the master config for aggregate logging, defaults
# to https://kibana.{{ openshift_master_default_subdomain }}
#openshift_master_logging_public_url=https://kibana.example.com
# Configure the number of elastic search nodes, unless you're using dynamic provisioning
# this value must be 1
-#openshift_logging_es_cluster_size=1
-#openshift_logging_kibana_hostname=logging.apps.example.com
+#openshift_hosted_logging_elasticsearch_cluster_size=1
+#openshift_hosted_logging_hostname=logging.apps.example.com
# Configure the prefix and version for the deployer image
-#openshift_logging_image_prefix=registry.example.com:8888/openshift3/
-#openshift_logging_image_version=3.3.0
+#openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/
+#openshift_hosted_logging_deployer_version=3.3.0
# Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
# os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 8cec36bb7..0ec12daa0 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -3,6 +3,10 @@
%{!?commit:
%global commit c64d09e528ca433832c6b6e6f5c7734a9cc8ee6f
}
+# This is inserted to prevent RPM from requiring "/usr/bin/ansible-playbook"
+# The ansible-playbook requirement will be ansibled by the explicit
+# "Requires: ansible" directive
+%global __requires_exclude ^/usr/bin/ansible-playbook$
Name: openshift-ansible
Version: 3.5.3
diff --git a/playbooks/adhoc/openshift_hosted_logging_efk.yaml b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
index e83351272..44a2ef534 100644
--- a/playbooks/adhoc/openshift_hosted_logging_efk.yaml
+++ b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
@@ -8,7 +8,7 @@
hosts: masters:!masters[0]
pre_tasks:
- set_fact:
- logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
+ openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
tasks:
- include_role:
name: openshift_logging
diff --git a/playbooks/adhoc/s3_registry/s3_registry.j2 b/playbooks/adhoc/s3_registry/s3_registry.j2
deleted file mode 100644
index 10454ad11..000000000
--- a/playbooks/adhoc/s3_registry/s3_registry.j2
+++ /dev/null
@@ -1,23 +0,0 @@
-version: 0.1
-log:
- level: debug
-http:
- addr: :5000
-storage:
- cache:
- layerinfo: inmemory
- s3:
- accesskey: {{ aws_access_key }}
- secretkey: {{ aws_secret_key }}
- region: {{ aws_bucket_region }}
- bucket: {{ aws_bucket_name }}
- encrypt: true
- secure: true
- v4auth: true
- rootdirectory: /registry
-auth:
- openshift:
- realm: openshift
-middleware:
- repository:
- - name: openshift
diff --git a/playbooks/adhoc/s3_registry/s3_registry.yml b/playbooks/adhoc/s3_registry/s3_registry.yml
deleted file mode 100644
index 2c79a1b4d..000000000
--- a/playbooks/adhoc/s3_registry/s3_registry.yml
+++ /dev/null
@@ -1,78 +0,0 @@
----
-# This playbook creates an S3 bucket named after your cluster and configures the docker-registry service to use the bucket as its backend storage.
-# Usage:
-# ansible-playbook s3_registry.yml -e clusterid="mycluster" -e aws_bucket="clusterid-docker" -e aws_region="us-east-1"
-#
-# The AWS access/secret keys should be the keys of a separate user (not your main user), containing only the necessary S3 access role.
-# The 'clusterid' is the short name of your cluster.
-
-- hosts: tag_clusterid_{{ clusterid }}:&tag_host-type_openshift-master
- remote_user: root
- gather_facts: False
-
- vars:
- aws_access_key: "{{ lookup('env', 'S3_ACCESS_KEY_ID') }}"
- aws_secret_key: "{{ lookup('env', 'S3_SECRET_ACCESS_KEY') }}"
- aws_bucket_name: "{{ aws_bucket | default(clusterid ~ '-docker') }}"
- aws_bucket_region: "{{ aws_region | default(lookup('env', 'S3_REGION') | default('us-east-1', true)) }}"
- aws_create_bucket: "{{ aws_create | default(True) }}"
- aws_tmp_path: "{{ aws_tmp_pathfile | default('/root/config.yml')}}"
- aws_delete_tmp_file: "{{ aws_delete_tmp | default(True) }}"
-
- tasks:
-
- - name: Check for AWS creds
- fail:
- msg: "Couldn't find {{ item }} creds in ENV"
- when: "{{ item }} == ''"
- with_items:
- - aws_access_key
- - aws_secret_key
-
- - name: Scale down registry
- command: oc scale --replicas=0 dc/docker-registry
-
- - name: Create S3 bucket
- when: aws_create_bucket | bool
- local_action:
- module: s3 bucket="{{ aws_bucket_name }}" mode=create
-
- - name: Set up registry environment variable
- command: oc env dc/docker-registry REGISTRY_CONFIGURATION_PATH=/etc/registryconfig/config.yml
-
- - name: Generate docker registry config
- template: src="s3_registry.j2" dest="/root/config.yml" owner=root mode=0600
-
- - name: Determine if new secrets are needed
- command: oc get secrets
- register: secrets
-
- - name: Create registry secrets
- command: oc secrets new dockerregistry /root/config.yml
- when: "'dockerregistry' not in secrets.stdout"
-
- - name: Determine if service account contains secrets
- command: oc describe serviceaccount/registry
- register: serviceaccount
-
- - name: Add secrets to registry service account
- command: oc secrets add serviceaccount/registry secrets/dockerregistry
- when: "'dockerregistry' not in serviceaccount.stdout"
-
- - name: Determine if deployment config contains secrets
- command: oc volume dc/docker-registry --list
- register: dc
-
- - name: Add secrets to registry deployment config
- command: oc volume dc/docker-registry --add --name=dockersecrets -m /etc/registryconfig --type=secret --secret-name=dockerregistry
- when: "'dockersecrets' not in dc.stdout"
-
- - name: Wait for deployment config to take effect before scaling up
- pause: seconds=30
-
- - name: Scale up registry
- command: oc scale --replicas=1 dc/docker-registry
-
- - name: Delete temporary config file
- file: path={{ aws_tmp_path }} state=absent
- when: aws_delete_tmp_file | bool
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index f0cfa7f55..147e84131 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -148,6 +148,29 @@
- vovsbr
when: "{{ openshift_remove_all | default(true) | bool }}"
+ - shell: atomic uninstall "{{ item }}"-master
+ changed_when: False
+ failed_when: False
+ with_items:
+ - openshift-enterprise
+ - atomic-enterprise
+ - origin
+
+ - shell: atomic uninstall "{{ item }}"-node
+ changed_when: False
+ failed_when: False
+ with_items:
+ - openshift-enterprise
+ - atomic-enterprise
+ - origin
+
+ - shell: atomic uninstall "{{ item }}"
+ changed_when: False
+ failed_when: False
+ with_items:
+ - etcd
+ - openvswitch
+
- shell: find /var/lib/origin/openshift.local.volumes -type d -exec umount {} \; 2>/dev/null || true
changed_when: False
@@ -263,6 +286,9 @@
- /var/lib/atomic-enterprise
- /var/lib/openshift
+ - shell: systemctl daemon-reload
+ changed_when: False
+
- name: restart docker
service: name=docker state=restarted
diff --git a/playbooks/byo/openshift-preflight/check.yml b/playbooks/byo/openshift-preflight/check.yml
index 32673d01d..c5f05d0f0 100644
--- a/playbooks/byo/openshift-preflight/check.yml
+++ b/playbooks/byo/openshift-preflight/check.yml
@@ -1,31 +1,12 @@
---
- hosts: OSEv3
- roles:
- - openshift_preflight/init
-
-- hosts: OSEv3
- name: checks that apply to all hosts
- gather_facts: no
- ignore_errors: yes
- roles:
- - openshift_preflight/common
-
-- hosts: masters
- name: checks that apply to masters
- gather_facts: no
- ignore_errors: yes
- roles:
- - openshift_preflight/masters
-
-- hosts: nodes
- name: checks that apply to nodes
- gather_facts: no
- ignore_errors: yes
- roles:
- - openshift_preflight/nodes
-
-- hosts: OSEv3
- name: verify check results
- gather_facts: no
- roles:
- - openshift_preflight/verify_status
+ name: run OpenShift health checks
+ roles:
+ - openshift_health_checker
+ post_tasks:
+ # NOTE: we need to use the old "action: name" syntax until
+ # https://github.com/ansible/ansible/issues/20513 is fixed.
+ - action: openshift_health_check
+ args:
+ checks:
+ - '@preflight'
diff --git a/roles/openshift_certificate_expiry/examples/playbooks/default.yaml b/playbooks/certificate_expiry/default.yaml
index 630135cae..630135cae 100644
--- a/roles/openshift_certificate_expiry/examples/playbooks/default.yaml
+++ b/playbooks/certificate_expiry/default.yaml
diff --git a/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml b/playbooks/certificate_expiry/easy-mode.yaml
index d0209426f..ae41c7c14 100644
--- a/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml
+++ b/playbooks/certificate_expiry/easy-mode.yaml
@@ -4,8 +4,6 @@
#
# This example enables HTML and JSON reports
#
-# The warning window is set very large so you will almost always get results back
-#
# All certificates (healthy or not) are included in the results
- name: Check cert expirys
@@ -13,7 +11,6 @@
become: yes
gather_facts: no
vars:
- openshift_certificate_expiry_warning_days: 1500
openshift_certificate_expiry_save_json_results: yes
openshift_certificate_expiry_generate_html_report: yes
openshift_certificate_expiry_show_all: yes
diff --git a/roles/openshift_certificate_expiry/examples/playbooks/html_and_json_default_paths.yaml b/playbooks/certificate_expiry/html_and_json_default_paths.yaml
index d80cb6ff4..d80cb6ff4 100644
--- a/roles/openshift_certificate_expiry/examples/playbooks/html_and_json_default_paths.yaml
+++ b/playbooks/certificate_expiry/html_and_json_default_paths.yaml
diff --git a/roles/openshift_certificate_expiry/examples/playbooks/longer-warning-period-json-results.yaml b/playbooks/certificate_expiry/longer-warning-period-json-results.yaml
index 87a0f3be4..87a0f3be4 100644
--- a/roles/openshift_certificate_expiry/examples/playbooks/longer-warning-period-json-results.yaml
+++ b/playbooks/certificate_expiry/longer-warning-period-json-results.yaml
diff --git a/roles/openshift_certificate_expiry/examples/playbooks/longer_warning_period.yaml b/playbooks/certificate_expiry/longer_warning_period.yaml
index 960457c4b..960457c4b 100644
--- a/roles/openshift_certificate_expiry/examples/playbooks/longer_warning_period.yaml
+++ b/playbooks/certificate_expiry/longer_warning_period.yaml
diff --git a/playbooks/certificate_expiry/roles b/playbooks/certificate_expiry/roles
new file mode 120000
index 000000000..b741aa3db
--- /dev/null
+++ b/playbooks/certificate_expiry/roles
@@ -0,0 +1 @@
+../../roles \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 7b58eebc3..06cda36a5 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -31,17 +31,17 @@
when: openshift_hosted_metrics_deploy | default(false) | bool
- role: openshift_logging
when: openshift_hosted_logging_deploy | default(false) | bool
- openshift_logging_kibana_hostname: "{{ logging_hostname }}"
- openshift_logging_kibana_ops_hostname: "{{ logging_ops_hostname }}"
- openshift_logging_master_public_url: "{{ logging_master_public_url }}"
- openshift_logging_es_cluster_size: "{{ logging_elasticsearch_cluster_size }}"
- openshift_logging_es_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
- openshift_logging_es_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}"
- openshift_logging_es_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
- openshift_logging_es_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}"
- openshift_logging_es_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
- openshift_logging_es_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}"
- openshift_logging_es_ops_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) =='dynamic' else '' }}"
+ openshift_hosted_logging_hostname: "{{ logging_hostname }}"
+ openshift_hosted_logging_ops_hostname: "{{ logging_ops_hostname }}"
+ openshift_hosted_logging_master_public_url: "{{ logging_master_public_url }}"
+ openshift_hosted_logging_elasticsearch_cluster_size: "{{ logging_elasticsearch_cluster_size }}"
+ openshift_hosted_logging_elasticsearch_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
+ openshift_hosted_logging_elasticsearch_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}"
+ openshift_hosted_logging_elasticsearch_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
+ openshift_hosted_logging_elasticsearch_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}"
+ openshift_hosted_logging_elasticsearch_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_loggingops_storage_kind | default(none) == 'dynamic' else '' }}"
+ openshift_hosted_logging_elasticsearch_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}"
+ openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es-ops' if openshift_hosted_loggingops_storage_kind | default(none) =='dynamic' else '' }}"
- role: cockpit-ui
when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool ) and not (openshift.docker.hosted_registry_insecure | default(false) | bool)
@@ -52,11 +52,11 @@
- hosted
pre_tasks:
- set_fact:
- logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
+ openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
tasks:
- block:
- include_role:
- name: openshift_hosted_logging
+ name: openshift_logging
tasks_from: update_master_config
when: openshift_hosted_logging_deploy | default(false) | bool
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
index 0b1c39ba4..9d4d3ea26 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
@@ -160,6 +160,27 @@
yaml_key: servingInfo.clientCA
yaml_value: ca-bundle.crt
when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca-bundle.crt'
+ - modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: etcdClientInfo.ca
+ yaml_value: ca-bundle.crt
+ when:
+ - groups.oo_etcd_to_config | default([]) | length == 0
+ - (g_master_config_output.content|b64decode|from_yaml).etcdClientInfo.ca != 'ca-bundle.crt'
+ - modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: etcdConfig.peerServingInfo.clientCA
+ yaml_value: ca-bundle.crt
+ when:
+ - groups.oo_etcd_to_config | default([]) | length == 0
+ - (g_master_config_output.content|b64decode|from_yaml).etcdConfig.peerServingInfo.clientCA != 'ca-bundle.crt'
+ - modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: etcdConfig.servingInfo.clientCA
+ yaml_value: ca-bundle.crt
+ when:
+ - groups.oo_etcd_to_config | default([]) | length == 0
+ - (g_master_config_output.content|b64decode|from_yaml).etcdConfig.servingInfo.clientCA != 'ca-bundle.crt'
- name: Copy current OpenShift CA to legacy directory
hosts: oo_masters_to_config
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml b/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
index f653a111f..c30889d64 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
@@ -36,6 +36,14 @@
- "openshift-master.crt"
- "openshift-master.key"
- "openshift-master.kubeconfig"
+ - name: Remove generated etcd client certificates
+ file:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ state: absent
+ with_items:
+ - "master.etcd-client.crt"
+ - "master.etcd-client.key"
+ when: groups.oo_etcd_to_config | default([]) | length == 0
roles:
- role: openshift_master_certificates
openshift_master_etcd_hosts: "{{ hostvars
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
index 18b93e1d6..999e4af65 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
@@ -2,6 +2,8 @@
- name: Update registry certificates
hosts: oo_first_master
vars:
+ roles:
+ - lib_openshift
tasks:
- name: Create temp directory for kubeconfig
command: mktemp -d /tmp/openshift-ansible-XXXXXX
@@ -70,13 +72,17 @@
--key={{ openshift.common.config_base }}/master/registry.key
- name: Update registry certificates secret
- shell: >
- {{ openshift.common.client_binary }} secret new registry-certificates
- {{ openshift.common.config_base }}/master/registry.crt
- {{ openshift.common.config_base }}/master/registry.key
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
- -o json | oc replace -f -
+ oc_secret:
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ name: registry-certificates
+ namespace: default
+ state: present
+ files:
+ - name: registry.crt
+ path: "{{ openshift.common.config_base }}/master/registry.crt"
+ - name: registry.key
+ path: "{{ openshift.common.config_base }}/master/registry.key"
+ run_once: true
when: l_docker_registry_dc.rc == 0 and 'registry-certificates' in docker_registry_secrets and 'REGISTRY_HTTP_TLS_CERTIFICATE' in docker_registry_env_vars and 'REGISTRY_HTTP_TLS_KEY' in docker_registry_env_vars
- name: Redeploy docker registry
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
index a9e9f0915..707fb6424 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
@@ -7,6 +7,8 @@
command: mktemp -d /tmp/openshift-ansible-XXXXXX
register: mktemp
changed_when: false
+ roles:
+ - lib_openshift
- name: Copy admin client config(s)
command: >
@@ -45,10 +47,12 @@
- block:
- name: Delete existing router certificate secret
- command: >
- {{ openshift.common.client_binary }} delete secret/router-certs
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
+ oc_secret:
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ name: router-certs
+ namespace: default
+ state: absent
+ run_once: true
- name: Remove router service annotations
command: >
diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml
index d0eadf1fc..45aabf3e4 100644
--- a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml
+++ b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml
@@ -4,7 +4,7 @@
vars:
embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
timestamp: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
- etcdctl_command: "{{ 'etcdctl' if not openshift.common.is_containerized or embedded_etcd else 'docker exec etcd_container etcdctl' }}"
+ etcdctl_command: "{{ 'etcdctl' if not openshift.common.is_containerized or embedded_etcd else 'docker exec etcd_container etcdctl' if not openshift.common.is_etcd_system_container else 'runc exec etcd etcdctl' }}"
roles:
- openshift_facts
tasks:
diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
index 0f8d94737..690858c53 100644
--- a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
@@ -14,6 +14,16 @@
register: etcd_container_version
failed_when: false
when: openshift.common.is_containerized | bool
+ - name: Record containerized etcd version
+ command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\*
+ register: etcd_container_version
+ failed_when: false
+ when: openshift.common.is_containerized | bool and not openshift.common.is_etcd_system_container | bool
+ - name: Record containerized etcd version
+ command: runc exec etcd_container rpm -qa --qf '%{version}' etcd\*
+ register: etcd_container_version
+ failed_when: false
+ when: openshift.common.is_containerized | bool and openshift.common.is_etcd_system_container | bool
# I really dislike this copy/pasta but I wasn't able to find a way to get it to loop
# through hosts, then loop through tasks only when appropriate
diff --git a/playbooks/common/openshift-master/restart_hosts.yml b/playbooks/common/openshift-master/restart_hosts.yml
index a9750e40f..67ba0aa2e 100644
--- a/playbooks/common/openshift-master/restart_hosts.yml
+++ b/playbooks/common/openshift-master/restart_hosts.yml
@@ -7,14 +7,26 @@
ignore_errors: true
become: yes
+# WARNING: This process is riddled with weird behavior.
+
+# Workaround for https://github.com/ansible/ansible/issues/21269
+- set_fact:
+ wait_for_host: "{{ ansible_host }}"
+
+# Ansible's blog documents this *without* the port, which appears to now
+# just wait until the timeout value and then proceed without checking anything.
+# port is now required.
+#
+# However neither ansible_ssh_port or ansible_port are reliably defined, likely
+# only if overridden. Assume a default of 22.
- name: Wait for master to restart
local_action:
module: wait_for
- host="{{ ansible_host }}"
+ host="{{ wait_for_host }}"
state=started
delay=10
timeout=600
- port="{{ ansible_ssh_port }}"
+ port="{{ ansible_port | default(ansible_ssh_port | default(22,boolean=True),boolean=True) }}"
become: no
# Now that ssh is back up we can wait for API on the remote system,
diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml
index 87ed7fee7..f2ef4f161 100644
--- a/roles/cockpit-ui/tasks/main.yml
+++ b/roles/cockpit-ui/tasks/main.yml
@@ -63,10 +63,12 @@
changed_when: false
when: check_docker_registry_exists.rc == 0
+# TODO: Need to fix the origin and enterprise templates so that they both respect IMAGE_PREFIX
- name: Deploy registry-console
command: >
{{ openshift.common.client_binary }} new-app --template=registry-console
{% if openshift_cockpit_deployer_prefix is defined %}-p IMAGE_PREFIX="{{ openshift_cockpit_deployer_prefix }}"{% endif %}
+ {% if openshift_cockpit_deployer_version is defined %}-p IMAGE_VERSION="{{ openshift_cockpit_deployer_version }}"{% endif %}
-p OPENSHIFT_OAUTH_PROVIDER_URL="{{ openshift.master.public_api_url }}"
-p REGISTRY_HOST="{{ docker_registry_route.stdout }}"
-p COCKPIT_KUBE_URL="{{ registry_console_cockpit_kube_url.stdout }}"
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index 2ec62c37c..e0746d70d 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,5 +1,5 @@
---
-etcd_service: "{{ 'etcd' if not etcd_is_containerized | bool else 'etcd_container' }}"
+etcd_service: "{{ 'etcd' if openshift.common.is_etcd_system_container | bool or not etcd_is_containerized | bool else 'etcd_container' }}"
etcd_client_port: 2379
etcd_peer_port: 2380
etcd_url_scheme: http
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 41f25be70..5f3ca461e 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -14,13 +14,17 @@
command: docker pull {{ openshift.etcd.etcd_image }}
register: pull_result
changed_when: "'Downloaded newer image' in pull_result.stdout"
- when: etcd_is_containerized | bool
+ when:
+ - etcd_is_containerized | bool
+ - not openshift.common.is_etcd_system_container | bool
- name: Install etcd container service file
template:
dest: "/etc/systemd/system/etcd_container.service"
src: etcd.docker.service
- when: etcd_is_containerized | bool
+ when:
+ - etcd_is_containerized | bool
+ - not openshift.common.is_etcd_system_container | bool
- name: Ensure etcd datadir exists when containerized
file:
@@ -36,10 +40,22 @@
enabled: no
masked: yes
daemon_reload: yes
- when: etcd_is_containerized | bool
+ when:
+ - etcd_is_containerized | bool
+ - not openshift.common.is_etcd_system_container | bool
register: task_result
failed_when: "task_result|failed and 'could not' not in task_result.msg|lower"
+- name: Install etcd container service file
+ template:
+ dest: "/etc/systemd/system/etcd_container.service"
+ src: etcd.docker.service
+ when: etcd_is_containerized | bool and not openshift.common.is_etcd_system_container | bool
+
+- name: Install Etcd system container
+ include: system_container.yml
+ when: etcd_is_containerized | bool and openshift.common.is_etcd_system_container | bool
+
- name: Validate permissions on the config dir
file:
path: "{{ etcd_conf_dir }}"
@@ -54,7 +70,7 @@
dest: /etc/etcd/etcd.conf
backup: true
notify:
- - restart etcd
+ - restart etcd
- name: Enable etcd
systemd:
diff --git a/roles/etcd/tasks/system_container.yml b/roles/etcd/tasks/system_container.yml
new file mode 100644
index 000000000..241180e2c
--- /dev/null
+++ b/roles/etcd/tasks/system_container.yml
@@ -0,0 +1,63 @@
+---
+- name: Pull etcd system container
+ command: atomic pull --storage=ostree {{ openshift.etcd.etcd_image }}
+ register: pull_result
+ changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check etcd system container package
+ command: >
+ atomic containers list --no-trunc -a -f container=etcd
+ register: result
+
+- name: Set initial Etcd cluster
+ set_fact:
+ etcd_initial_cluster: >
+ {% for host in etcd_peers | default([]) -%}
+ {% if loop.last -%}
+ {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }}
+ {%- else -%}
+ {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }},
+ {%- endif -%}
+ {% endfor -%}
+
+- name: Update Etcd system container package
+ command: >
+ atomic containers update
+ --set ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+ --set ETCD_NAME={{ etcd_hostname }}
+ --set ETCD_INITIAL_CLUSTER={{ etcd_initial_cluster | replace('\n', '') }}
+ --set ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
+ --set ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
+ --set ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
+ --set ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
+ --set ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+ --set ETCD_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+ --set ETCD_CERT_FILE={{ etcd_system_container_conf_dir }}/server.crt
+ --set ETCD_KEY_FILE={{ etcd_system_container_conf_dir }}/server.key
+ --set ETCD_PEER_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+ --set ETCD_PEER_CERT_FILE={{ etcd_system_container_conf_dir }}/peer.crt
+ --set ETCD_PEER_KEY_FILE={{ etcd_system_container_conf_dir }}/peer.key
+ etcd
+ when:
+ - ("etcd" in result.stdout)
+
+- name: Install Etcd system container package
+ command: >
+ atomic install --system --name=etcd
+ --set ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+ --set ETCD_NAME={{ etcd_hostname }}
+ --set ETCD_INITIAL_CLUSTER={{ etcd_initial_cluster | replace('\n', '') }}
+ --set ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
+ --set ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
+ --set ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
+ --set ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
+ --set ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+ --set ETCD_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+ --set ETCD_CERT_FILE={{ etcd_system_container_conf_dir }}/server.crt
+ --set ETCD_KEY_FILE={{ etcd_system_container_conf_dir }}/server.key
+ --set ETCD_PEER_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+ --set ETCD_PEER_CERT_FILE={{ etcd_system_container_conf_dir }}/peer.crt
+ --set ETCD_PEER_KEY_FILE={{ etcd_system_container_conf_dir }}/peer.key
+ {{ openshift.etcd.etcd_image }}
+ when:
+ - ("etcd" not in result.stdout)
diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml
index 93633e3e6..2eb9af921 100644
--- a/roles/etcd_common/defaults/main.yml
+++ b/roles/etcd_common/defaults/main.yml
@@ -1,6 +1,7 @@
---
# etcd server vars
-etcd_conf_dir: /etc/etcd
+etcd_conf_dir: "{{ '/etc/etcd' if not openshift.common.is_etcd_system_container else '/var/lib/etcd/etcd.etcd/etc' }}"
+etcd_system_container_conf_dir: /var/lib/etcd/etc
etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
etcd_key_file: "{{ etcd_conf_dir }}/server.key"
diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py
new file mode 100644
index 000000000..702cb02d4
--- /dev/null
+++ b/roles/lib_openshift/library/oc_process.py
@@ -0,0 +1,1493 @@
+#!/usr/bin/env python
+# pylint: disable=missing-docstring
+# flake8: noqa: T001
+# ___ ___ _ _ ___ ___ _ _____ ___ ___
+# / __| __| \| | __| _ \ /_\_ _| __| \
+# | (_ | _|| .` | _|| / / _ \| | | _|| |) |
+# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____
+# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _|
+# | |) | (_) | | .` | (_) || | | _|| |) | | | |
+# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_|
+#
+# Copyright 2016 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*-
+'''
+ OpenShiftCLI class that wraps the oc commands in a subprocess
+'''
+# pylint: disable=too-many-lines
+
+from __future__ import print_function
+import atexit
+import json
+import os
+import re
+import shutil
+import subprocess
+import tempfile
+# pylint: disable=import-error
+import ruamel.yaml as yaml
+from ansible.module_utils.basic import AnsibleModule
+
+# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: doc/process -*- -*- -*-
+
+DOCUMENTATION = '''
+---
+module: oc_process
+short_description: Module to process openshift templates
+description:
+ - Process openshift templates programmatically.
+options:
+ state:
+ description:
+ - State has a few different meanings when it comes to process.
+ - state: present - This state runs an `oc process <template>`. When used in
+ - conjunction with 'create: True' the process will be piped to | oc create -f
+ - state: absent - will remove a template
+ - state: list - will perform an `oc get template <template_name>`
+ default: present
+ choices: ["present", "absent", "list"]
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ template_name:
+ description:
+ - Name of the openshift template that is being processed.
+ required: false
+ default: None
+ aliases: []
+ namespace:
+ description:
+ - The namespace where the template lives.
+ required: false
+ default: default
+ aliases: []
+ content:
+ description:
+ - Template content that will be processed.
+ required: false
+ default: None
+ aliases: []
+ params:
+ description:
+ - A list of parameters that will be inserted into the template.
+ required: false
+ default: None
+ aliases: []
+ create:
+ description:
+ - Whether or not to create the template after being processed. e.g. oc process | oc create -f -
+ required: False
+ default: False
+ aliases: []
+ reconcile:
+ description:
+ - Whether or not to attempt to determine if there are updates or changes in the incoming template.
+ default: true
+ aliases: []
+author:
+- "Kenny Woodson <kwoodson@redhat.com>"
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: process the cloud volume provisioner template with variables
+ oc_process:
+ namespace: openshift-infra
+ template_name: online-volume-provisioner
+ create: True
+ params:
+ PLAT: rhel7
+ register: processout
+ run_once: true
+- debug: var=processout
+'''
+
+# -*- -*- -*- End included fragment: doc/process -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
+# noqa: E301,E302
+
+
+class YeditException(Exception):
+ ''' Exception class for Yedit '''
+ pass
+
+
+# pylint: disable=too-many-public-methods
+class Yedit(object):
+ ''' Class to modify yaml files '''
+ re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$"
+ re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)"
+ com_sep = set(['.', '#', '|', ':'])
+
+ # pylint: disable=too-many-arguments
+ def __init__(self,
+ filename=None,
+ content=None,
+ content_type='yaml',
+ separator='.',
+ backup=False):
+ self.content = content
+ self._separator = separator
+ self.filename = filename
+ self.__yaml_dict = content
+ self.content_type = content_type
+ self.backup = backup
+ self.load(content_type=self.content_type)
+ if self.__yaml_dict is None:
+ self.__yaml_dict = {}
+
+ @property
+ def separator(self):
+ ''' getter method for yaml_dict '''
+ return self._separator
+
+ @separator.setter
+ def separator(self):
+ ''' getter method for yaml_dict '''
+ return self._separator
+
+ @property
+ def yaml_dict(self):
+ ''' getter method for yaml_dict '''
+ return self.__yaml_dict
+
+ @yaml_dict.setter
+ def yaml_dict(self, value):
+ ''' setter method for yaml_dict '''
+ self.__yaml_dict = value
+
+ @staticmethod
+ def parse_key(key, sep='.'):
+ '''parse the key allowing the appropriate separator'''
+ common_separators = list(Yedit.com_sep - set([sep]))
+ return re.findall(Yedit.re_key % ''.join(common_separators), key)
+
+ @staticmethod
+ def valid_key(key, sep='.'):
+ '''validate the incoming key'''
+ common_separators = list(Yedit.com_sep - set([sep]))
+ if not re.match(Yedit.re_valid_key % ''.join(common_separators), key):
+ return False
+
+ return True
+
+ @staticmethod
+ def remove_entry(data, key, sep='.'):
+ ''' remove data at location key '''
+ if key == '' and isinstance(data, dict):
+ data.clear()
+ return True
+ elif key == '' and isinstance(data, list):
+ del data[:]
+ return True
+
+ if not (key and Yedit.valid_key(key, sep)) and \
+ isinstance(data, (list, dict)):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes[:-1]:
+ if dict_key and isinstance(data, dict):
+ data = data.get(dict_key, None)
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ # process last index for remove
+ # expected list entry
+ if key_indexes[-1][0]:
+ if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
+ del data[int(key_indexes[-1][0])]
+ return True
+
+ # expected dict entry
+ elif key_indexes[-1][1]:
+ if isinstance(data, dict):
+ del data[key_indexes[-1][1]]
+ return True
+
+ @staticmethod
+ def add_entry(data, key, item=None, sep='.'):
+ ''' Get an item from a dictionary with key notation a.b.c
+ d = {'a': {'b': 'c'}}}
+ key = a#b
+ return c
+ '''
+ if key == '':
+ pass
+ elif (not (key and Yedit.valid_key(key, sep)) and
+ isinstance(data, (list, dict))):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes[:-1]:
+ if dict_key:
+ if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501
+ data = data[dict_key]
+ continue
+
+ elif data and not isinstance(data, dict):
+ return None
+
+ data[dict_key] = {}
+ data = data[dict_key]
+
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ if key == '':
+ data = item
+
+ # process last index for add
+ # expected list entry
+ elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501
+ data[int(key_indexes[-1][0])] = item
+
+ # expected dict entry
+ elif key_indexes[-1][1] and isinstance(data, dict):
+ data[key_indexes[-1][1]] = item
+
+ return data
+
+ @staticmethod
+ def get_entry(data, key, sep='.'):
+ ''' Get an item from a dictionary with key notation a.b.c
+ d = {'a': {'b': 'c'}}}
+ key = a.b
+ return c
+ '''
+ if key == '':
+ pass
+ elif (not (key and Yedit.valid_key(key, sep)) and
+ isinstance(data, (list, dict))):
+ return None
+
+ key_indexes = Yedit.parse_key(key, sep)
+ for arr_ind, dict_key in key_indexes:
+ if dict_key and isinstance(data, dict):
+ data = data.get(dict_key, None)
+ elif (arr_ind and isinstance(data, list) and
+ int(arr_ind) <= len(data) - 1):
+ data = data[int(arr_ind)]
+ else:
+ return None
+
+ return data
+
+ @staticmethod
+ def _write(filename, contents):
+ ''' Actually write the file contents to disk. This helps with mocking. '''
+
+ tmp_filename = filename + '.yedit'
+
+ with open(tmp_filename, 'w') as yfd:
+ yfd.write(contents)
+
+ os.rename(tmp_filename, filename)
+
+ def write(self):
+ ''' write to file '''
+ if not self.filename:
+ raise YeditException('Please specify a filename.')
+
+ if self.backup and self.file_exists():
+ shutil.copy(self.filename, self.filename + '.orig')
+
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ self.yaml_dict.fa.set_block_style()
+
+ Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper))
+
+ return (True, self.yaml_dict)
+
+ def read(self):
+ ''' read from file '''
+ # check if it exists
+ if self.filename is None or not self.file_exists():
+ return None
+
+ contents = None
+ with open(self.filename) as yfd:
+ contents = yfd.read()
+
+ return contents
+
+ def file_exists(self):
+ ''' return whether file exists '''
+ if os.path.exists(self.filename):
+ return True
+
+ return False
+
+ def load(self, content_type='yaml'):
+ ''' return yaml file '''
+ contents = self.read()
+
+ if not contents and not self.content:
+ return None
+
+ if self.content:
+ if isinstance(self.content, dict):
+ self.yaml_dict = self.content
+ return self.yaml_dict
+ elif isinstance(self.content, str):
+ contents = self.content
+
+ # check if it is yaml
+ try:
+ if content_type == 'yaml' and contents:
+ self.yaml_dict = yaml.load(contents, yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ self.yaml_dict.fa.set_block_style()
+ elif content_type == 'json' and contents:
+ self.yaml_dict = json.loads(contents)
+ except yaml.YAMLError as err:
+ # Error loading yaml or json
+ raise YeditException('Problem with loading yaml file. %s' % err)
+
+ return self.yaml_dict
+
+ def get(self, key):
+ ''' get a specified key'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, key, self.separator)
+ except KeyError:
+ entry = None
+
+ return entry
+
+ def pop(self, path, key_or_item):
+ ''' remove a key, value pair from a dict or an item for a list'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ return (False, self.yaml_dict)
+
+ if isinstance(entry, dict):
+ # pylint: disable=no-member,maybe-no-member
+ if key_or_item in entry:
+ entry.pop(key_or_item)
+ return (True, self.yaml_dict)
+ return (False, self.yaml_dict)
+
+ elif isinstance(entry, list):
+ # pylint: disable=no-member,maybe-no-member
+ ind = None
+ try:
+ ind = entry.index(key_or_item)
+ except ValueError:
+ return (False, self.yaml_dict)
+
+ entry.pop(ind)
+ return (True, self.yaml_dict)
+
+ return (False, self.yaml_dict)
+
+ def delete(self, path):
+ ''' remove path from a dict'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ return (False, self.yaml_dict)
+
+ result = Yedit.remove_entry(self.yaml_dict, path, self.separator)
+ if not result:
+ return (False, self.yaml_dict)
+
+ return (True, self.yaml_dict)
+
+ def exists(self, path, value):
+ ''' check if value exists at path'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if isinstance(entry, list):
+ if value in entry:
+ return True
+ return False
+
+ elif isinstance(entry, dict):
+ if isinstance(value, dict):
+ rval = False
+ for key, val in value.items():
+ if entry[key] != val:
+ rval = False
+ break
+ else:
+ rval = True
+ return rval
+
+ return value in entry
+
+ return entry == value
+
+ def append(self, path, value):
+ '''append value to a list'''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry is None:
+ self.put(path, [])
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ if not isinstance(entry, list):
+ return (False, self.yaml_dict)
+
+ # pylint: disable=no-member,maybe-no-member
+ entry.append(value)
+ return (True, self.yaml_dict)
+
+ # pylint: disable=too-many-arguments
+ def update(self, path, value, index=None, curr_value=None):
+ ''' put path, value into a dict '''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if isinstance(entry, dict):
+ # pylint: disable=no-member,maybe-no-member
+ if not isinstance(value, dict):
+ raise YeditException('Cannot replace key, value entry in ' +
+ 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501
+
+ entry.update(value)
+ return (True, self.yaml_dict)
+
+ elif isinstance(entry, list):
+ # pylint: disable=no-member,maybe-no-member
+ ind = None
+ if curr_value:
+ try:
+ ind = entry.index(curr_value)
+ except ValueError:
+ return (False, self.yaml_dict)
+
+ elif index is not None:
+ ind = index
+
+ if ind is not None and entry[ind] != value:
+ entry[ind] = value
+ return (True, self.yaml_dict)
+
+ # see if it exists in the list
+ try:
+ ind = entry.index(value)
+ except ValueError:
+ # doesn't exist, append it
+ entry.append(value)
+ return (True, self.yaml_dict)
+
+ # already exists, return
+ if ind is not None:
+ return (False, self.yaml_dict)
+ return (False, self.yaml_dict)
+
+ def put(self, path, value):
+ ''' put path, value into a dict '''
+ try:
+ entry = Yedit.get_entry(self.yaml_dict, path, self.separator)
+ except KeyError:
+ entry = None
+
+ if entry == value:
+ return (False, self.yaml_dict)
+
+ # deepcopy didn't work
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict,
+ default_flow_style=False),
+ yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+ result = Yedit.add_entry(tmp_copy, path, value, self.separator)
+ if not result:
+ return (False, self.yaml_dict)
+
+ self.yaml_dict = tmp_copy
+
+ return (True, self.yaml_dict)
+
+ def create(self, path, value):
+ ''' create a yaml file '''
+ if not self.file_exists():
+ # deepcopy didn't work
+ tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, default_flow_style=False), # noqa: E501
+ yaml.RoundTripLoader)
+ # pylint: disable=no-member
+ if hasattr(self.yaml_dict, 'fa'):
+ tmp_copy.fa.set_block_style()
+ result = Yedit.add_entry(tmp_copy, path, value, self.separator)
+ if result:
+ self.yaml_dict = tmp_copy
+ return (True, self.yaml_dict)
+
+ return (False, self.yaml_dict)
+
+ @staticmethod
+ def get_curr_value(invalue, val_type):
+ '''return the current value'''
+ if invalue is None:
+ return None
+
+ curr_value = invalue
+ if val_type == 'yaml':
+ curr_value = yaml.load(invalue)
+ elif val_type == 'json':
+ curr_value = json.loads(invalue)
+
+ return curr_value
+
+ @staticmethod
+ def parse_value(inc_value, vtype=''):
+ '''determine value type passed'''
+ true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE',
+ 'on', 'On', 'ON', ]
+ false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE',
+ 'off', 'Off', 'OFF']
+
+ # It came in as a string but you didn't specify value_type as string
+ # we will convert to bool if it matches any of the above cases
+ if isinstance(inc_value, str) and 'bool' in vtype:
+ if inc_value not in true_bools and inc_value not in false_bools:
+ raise YeditException('Not a boolean type. str=[%s] vtype=[%s]'
+ % (inc_value, vtype))
+ elif isinstance(inc_value, bool) and 'str' in vtype:
+ inc_value = str(inc_value)
+
+ # If vtype is not str then go ahead and attempt to yaml load it.
+ if isinstance(inc_value, str) and 'str' not in vtype:
+ try:
+ inc_value = yaml.load(inc_value)
+ except Exception:
+ raise YeditException('Could not determine type of incoming ' +
+ 'value. value=[%s] vtype=[%s]'
+ % (type(inc_value), vtype))
+
+ return inc_value
+
+ # pylint: disable=too-many-return-statements,too-many-branches
+ @staticmethod
+ def run_ansible(module):
+ '''perform the idempotent crud operations'''
+ yamlfile = Yedit(filename=module.params['src'],
+ backup=module.params['backup'],
+ separator=module.params['separator'])
+
+ if module.params['src']:
+ rval = yamlfile.load()
+
+ if yamlfile.yaml_dict is None and \
+ module.params['state'] != 'present':
+ return {'failed': True,
+ 'msg': 'Error opening file [%s]. Verify that the ' +
+ 'file exists, that it is has correct' +
+ ' permissions, and is valid yaml.'}
+
+ if module.params['state'] == 'list':
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+ yamlfile.yaml_dict = content
+
+ if module.params['key']:
+ rval = yamlfile.get(module.params['key']) or {}
+
+ return {'changed': False, 'result': rval, 'state': "list"}
+
+ elif module.params['state'] == 'absent':
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+ yamlfile.yaml_dict = content
+
+ if module.params['update']:
+ rval = yamlfile.pop(module.params['key'],
+ module.params['value'])
+ else:
+ rval = yamlfile.delete(module.params['key'])
+
+ if rval[0] and module.params['src']:
+ yamlfile.write()
+
+ return {'changed': rval[0], 'result': rval[1], 'state': "absent"}
+
+ elif module.params['state'] == 'present':
+ # check if content is different than what is in the file
+ if module.params['content']:
+ content = Yedit.parse_value(module.params['content'],
+ module.params['content_type'])
+
+ # We had no edits to make and the contents are the same
+ if yamlfile.yaml_dict == content and \
+ module.params['value'] is None:
+ return {'changed': False,
+ 'result': yamlfile.yaml_dict,
+ 'state': "present"}
+
+ yamlfile.yaml_dict = content
+
+ # we were passed a value; parse it
+ if module.params['value']:
+ value = Yedit.parse_value(module.params['value'],
+ module.params['value_type'])
+ key = module.params['key']
+ if module.params['update']:
+ # pylint: disable=line-too-long
+ curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501
+ module.params['curr_value_format']) # noqa: E501
+
+ rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501
+
+ elif module.params['append']:
+ rval = yamlfile.append(key, value)
+ else:
+ rval = yamlfile.put(key, value)
+
+ if rval[0] and module.params['src']:
+ yamlfile.write()
+
+ return {'changed': rval[0],
+ 'result': rval[1], 'state': "present"}
+
+ # no edits to make
+ if module.params['src']:
+ # pylint: disable=redefined-variable-type
+ rval = yamlfile.write()
+ return {'changed': rval[0],
+ 'result': rval[1],
+ 'state': "present"}
+
+ return {'failed': True, 'msg': 'Unkown state passed'}
+
+# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*-
+# pylint: disable=too-many-lines
+# noqa: E301,E302,E303,T001
+
+
+class OpenShiftCLIError(Exception):
+ '''Exception class for openshiftcli'''
+ pass
+
+
+# pylint: disable=too-few-public-methods
+class OpenShiftCLI(object):
+ ''' Class to wrap the command line tools '''
+ def __init__(self,
+ namespace,
+ kubeconfig='/etc/origin/master/admin.kubeconfig',
+ verbose=False,
+ all_namespaces=False):
+ ''' Constructor for OpenshiftCLI '''
+ self.namespace = namespace
+ self.verbose = verbose
+ self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig)
+ self.all_namespaces = all_namespaces
+
+ # Pylint allows only 5 arguments to be passed.
+ # pylint: disable=too-many-arguments
+ def _replace_content(self, resource, rname, content, force=False, sep='.'):
+ ''' replace the current object with the content '''
+ res = self._get(resource, rname)
+ if not res['results']:
+ return res
+
+ fname = Utils.create_tmpfile(rname + '-')
+
+ yed = Yedit(fname, res['results'][0], separator=sep)
+ changes = []
+ for key, value in content.items():
+ changes.append(yed.put(key, value))
+
+ if any([change[0] for change in changes]):
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self._replace(fname, force)
+
+ return {'returncode': 0, 'updated': False}
+
+ def _replace(self, fname, force=False):
+ '''replace the current object with oc replace'''
+ cmd = ['replace', '-f', fname]
+ if force:
+ cmd.append('--force')
+ return self.openshift_cmd(cmd)
+
+ def _create_from_content(self, rname, content):
+ '''create a temporary file and then call oc create on it'''
+ fname = Utils.create_tmpfile(rname + '-')
+ yed = Yedit(fname, content=content)
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self._create(fname)
+
+ def _create(self, fname):
+ '''call oc create on a filename'''
+ return self.openshift_cmd(['create', '-f', fname])
+
+ def _delete(self, resource, rname, selector=None):
+ '''call oc delete on a resource'''
+ cmd = ['delete', resource, rname]
+ if selector:
+ cmd.append('--selector=%s' % selector)
+
+ return self.openshift_cmd(cmd)
+
+ def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501
+ '''process a template
+
+ template_name: the name of the template to process
+ create: whether to send to oc create after processing
+ params: the parameters for the template
+ template_data: the incoming template's data; instead of a file
+ '''
+ cmd = ['process']
+ if template_data:
+ cmd.extend(['-f', '-'])
+ else:
+ cmd.append(template_name)
+ if params:
+ param_str = ["%s=%s" % (key, value) for key, value in params.items()]
+ cmd.append('-v')
+ cmd.extend(param_str)
+
+ results = self.openshift_cmd(cmd, output=True, input_data=template_data)
+
+ if results['returncode'] != 0 or not create:
+ return results
+
+ fname = Utils.create_tmpfile(template_name + '-')
+ yed = Yedit(fname, results['results'])
+ yed.write()
+
+ atexit.register(Utils.cleanup, [fname])
+
+ return self.openshift_cmd(['create', '-f', fname])
+
+ def _get(self, resource, rname=None, selector=None):
+ '''return a resource by name '''
+ cmd = ['get', resource]
+ if selector:
+ cmd.append('--selector=%s' % selector)
+ elif rname:
+ cmd.append(rname)
+
+ cmd.extend(['-o', 'json'])
+
+ rval = self.openshift_cmd(cmd, output=True)
+
+ # Ensure results are retuned in an array
+ if 'items' in rval:
+ rval['results'] = rval['items']
+ elif not isinstance(rval['results'], list):
+ rval['results'] = [rval['results']]
+
+ return rval
+
+ def _schedulable(self, node=None, selector=None, schedulable=True):
+ ''' perform oadm manage-node scheduable '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ cmd.append('--schedulable=%s' % schedulable)
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501
+
+ def _list_pods(self, node=None, selector=None, pod_selector=None):
+ ''' perform oadm list pods
+
+ node: the node in which to list pods
+ selector: the label selector filter if provided
+ pod_selector: the pod selector filter if provided
+ '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ if pod_selector:
+ cmd.append('--pod-selector=%s' % pod_selector)
+
+ cmd.extend(['--list-pods', '-o', 'json'])
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
+
+ # pylint: disable=too-many-arguments
+ def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False):
+ ''' perform oadm manage-node evacuate '''
+ cmd = ['manage-node']
+ if node:
+ cmd.extend(node)
+ else:
+ cmd.append('--selector=%s' % selector)
+
+ if dry_run:
+ cmd.append('--dry-run')
+
+ if pod_selector:
+ cmd.append('--pod-selector=%s' % pod_selector)
+
+ if grace_period:
+ cmd.append('--grace-period=%s' % int(grace_period))
+
+ if force:
+ cmd.append('--force')
+
+ cmd.append('--evacuate')
+
+ return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw')
+
+ def _version(self):
+ ''' return the openshift version'''
+ return self.openshift_cmd(['version'], output=True, output_type='raw')
+
+ def _import_image(self, url=None, name=None, tag=None):
+ ''' perform image import '''
+ cmd = ['import-image']
+
+ image = '{0}'.format(name)
+ if tag:
+ image += ':{0}'.format(tag)
+
+ cmd.append(image)
+
+ if url:
+ cmd.append('--from={0}/{1}'.format(url, image))
+
+ cmd.append('-n{0}'.format(self.namespace))
+
+ cmd.append('--confirm')
+ return self.openshift_cmd(cmd)
+
+ def _run(self, cmds, input_data):
+ ''' Actually executes the command. This makes mocking easier. '''
+ curr_env = os.environ.copy()
+ curr_env.update({'KUBECONFIG': self.kubeconfig})
+ proc = subprocess.Popen(cmds,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ env=curr_env)
+
+ stdout, stderr = proc.communicate(input_data)
+
+ return proc.returncode, stdout, stderr
+
+ # pylint: disable=too-many-arguments,too-many-branches
+ def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None):
+ '''Base command for oc '''
+ cmds = []
+ if oadm:
+ cmds = ['oadm']
+ else:
+ cmds = ['oc']
+
+ if self.all_namespaces:
+ cmds.extend(['--all-namespaces'])
+ elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501
+ cmds.extend(['-n', self.namespace])
+
+ cmds.extend(cmd)
+
+ rval = {}
+ results = ''
+ err = None
+
+ if self.verbose:
+ print(' '.join(cmds))
+
+ returncode, stdout, stderr = self._run(cmds, input_data)
+
+ rval = {"returncode": returncode,
+ "results": results,
+ "cmd": ' '.join(cmds)}
+
+ if returncode == 0:
+ if output:
+ if output_type == 'json':
+ try:
+ rval['results'] = json.loads(stdout)
+ except ValueError as err:
+ if "No JSON object could be decoded" in err.args:
+ err = err.args
+ elif output_type == 'raw':
+ rval['results'] = stdout
+
+ if self.verbose:
+ print("STDOUT: {0}".format(stdout))
+ print("STDERR: {0}".format(stderr))
+
+ if err:
+ rval.update({"err": err,
+ "stderr": stderr,
+ "stdout": stdout,
+ "cmd": cmds})
+
+ else:
+ rval.update({"stderr": stderr,
+ "stdout": stdout,
+ "results": {}})
+
+ return rval
+
+
+class Utils(object):
+ ''' utilities for openshiftcli modules '''
+
+ @staticmethod
+ def _write(filename, contents):
+ ''' Actually write the file contents to disk. This helps with mocking. '''
+
+ with open(filename, 'w') as sfd:
+ sfd.write(contents)
+
+ @staticmethod
+ def create_tmp_file_from_contents(rname, data, ftype='yaml'):
+ ''' create a file in tmp with name and contents'''
+
+ tmp = Utils.create_tmpfile(prefix=rname)
+
+ if ftype == 'yaml':
+ Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper))
+ elif ftype == 'json':
+ Utils._write(tmp, json.dumps(data))
+ else:
+ Utils._write(tmp, data)
+
+ # Register cleanup when module is done
+ atexit.register(Utils.cleanup, [tmp])
+ return tmp
+
+ @staticmethod
+ def create_tmpfile_copy(inc_file):
+ '''create a temporary copy of a file'''
+ tmpfile = Utils.create_tmpfile('lib_openshift-')
+ Utils._write(tmpfile, open(inc_file).read())
+
+ # Cleanup the tmpfile
+ atexit.register(Utils.cleanup, [tmpfile])
+
+ return tmpfile
+
+ @staticmethod
+ def create_tmpfile(prefix='tmp'):
+ ''' Generates and returns a temporary file name '''
+
+ with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp:
+ return tmp.name
+
+ @staticmethod
+ def create_tmp_files_from_contents(content, content_type=None):
+ '''Turn an array of dict: filename, content into a files array'''
+ if not isinstance(content, list):
+ content = [content]
+ files = []
+ for item in content:
+ path = Utils.create_tmp_file_from_contents(item['path'] + '-',
+ item['data'],
+ ftype=content_type)
+ files.append({'name': os.path.basename(item['path']),
+ 'path': path})
+ return files
+
+ @staticmethod
+ def cleanup(files):
+ '''Clean up on exit '''
+ for sfile in files:
+ if os.path.exists(sfile):
+ if os.path.isdir(sfile):
+ shutil.rmtree(sfile)
+ elif os.path.isfile(sfile):
+ os.remove(sfile)
+
+ @staticmethod
+ def exists(results, _name):
+ ''' Check to see if the results include the name '''
+ if not results:
+ return False
+
+ if Utils.find_result(results, _name):
+ return True
+
+ return False
+
+ @staticmethod
+ def find_result(results, _name):
+ ''' Find the specified result by name'''
+ rval = None
+ for result in results:
+ if 'metadata' in result and result['metadata']['name'] == _name:
+ rval = result
+ break
+
+ return rval
+
+ @staticmethod
+ def get_resource_file(sfile, sfile_type='yaml'):
+ ''' return the service file '''
+ contents = None
+ with open(sfile) as sfd:
+ contents = sfd.read()
+
+ if sfile_type == 'yaml':
+ contents = yaml.load(contents, yaml.RoundTripLoader)
+ elif sfile_type == 'json':
+ contents = json.loads(contents)
+
+ return contents
+
+ @staticmethod
+ def filter_versions(stdout):
+ ''' filter the oc version output '''
+
+ version_dict = {}
+ version_search = ['oc', 'openshift', 'kubernetes']
+
+ for line in stdout.strip().split('\n'):
+ for term in version_search:
+ if not line:
+ continue
+ if line.startswith(term):
+ version_dict[term] = line.split()[-1]
+
+ # horrible hack to get openshift version in Openshift 3.2
+ # By default "oc version in 3.2 does not return an "openshift" version
+ if "openshift" not in version_dict:
+ version_dict["openshift"] = version_dict["oc"]
+
+ return version_dict
+
+ @staticmethod
+ def add_custom_versions(versions):
+ ''' create custom versions strings '''
+
+ versions_dict = {}
+
+ for tech, version in versions.items():
+ # clean up "-" from version
+ if "-" in version:
+ version = version.split("-")[0]
+
+ if version.startswith('v'):
+ versions_dict[tech + '_numeric'] = version[1:].split('+')[0]
+ # "v3.3.0.33" is what we have, we want "3.3"
+ versions_dict[tech + '_short'] = version[1:4]
+
+ return versions_dict
+
+ @staticmethod
+ def openshift_installed():
+ ''' check if openshift is installed '''
+ import yum
+
+ yum_base = yum.YumBase()
+ if yum_base.rpmdb.searchNevra(name='atomic-openshift'):
+ return True
+
+ return False
+
+ # Disabling too-many-branches. This is a yaml dictionary comparison function
+ # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements
+ @staticmethod
+ def check_def_equal(user_def, result_def, skip_keys=None, debug=False):
+ ''' Given a user defined definition, compare it with the results given back by our query. '''
+
+ # Currently these values are autogenerated and we do not need to check them
+ skip = ['metadata', 'status']
+ if skip_keys:
+ skip.extend(skip_keys)
+
+ for key, value in result_def.items():
+ if key in skip:
+ continue
+
+ # Both are lists
+ if isinstance(value, list):
+ if key not in user_def:
+ if debug:
+ print('User data does not have key [%s]' % key)
+ print('User data: %s' % user_def)
+ return False
+
+ if not isinstance(user_def[key], list):
+ if debug:
+ print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key]))
+ return False
+
+ if len(user_def[key]) != len(value):
+ if debug:
+ print("List lengths are not equal.")
+ print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value)))
+ print("user_def: %s" % user_def[key])
+ print("value: %s" % value)
+ return False
+
+ for values in zip(user_def[key], value):
+ if isinstance(values[0], dict) and isinstance(values[1], dict):
+ if debug:
+ print('sending list - list')
+ print(type(values[0]))
+ print(type(values[1]))
+ result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug)
+ if not result:
+ print('list compare returned false')
+ return False
+
+ elif value != user_def[key]:
+ if debug:
+ print('value should be identical')
+ print(value)
+ print(user_def[key])
+ return False
+
+ # recurse on a dictionary
+ elif isinstance(value, dict):
+ if key not in user_def:
+ if debug:
+ print("user_def does not have key [%s]" % key)
+ return False
+ if not isinstance(user_def[key], dict):
+ if debug:
+ print("dict returned false: not instance of dict")
+ return False
+
+ # before passing ensure keys match
+ api_values = set(value.keys()) - set(skip)
+ user_values = set(user_def[key].keys()) - set(skip)
+ if api_values != user_values:
+ if debug:
+ print("keys are not equal in dict")
+ print(api_values)
+ print(user_values)
+ return False
+
+ result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug)
+ if not result:
+ if debug:
+ print("dict returned false")
+ print(result)
+ return False
+
+ # Verify each key, value pair is the same
+ else:
+ if key not in user_def or value != user_def[key]:
+ if debug:
+ print("value not equal; user_def does not have key")
+ print(key)
+ print(value)
+ if key in user_def:
+ print(user_def[key])
+ return False
+
+ if debug:
+ print('returning true')
+ return True
+
+
+class OpenShiftCLIConfig(object):
+ '''Generic Config'''
+ def __init__(self, rname, namespace, kubeconfig, options):
+ self.kubeconfig = kubeconfig
+ self.name = rname
+ self.namespace = namespace
+ self._options = options
+
+ @property
+ def config_options(self):
+ ''' return config options '''
+ return self._options
+
+ def to_option_list(self):
+ '''return all options as a string'''
+ return self.stringify()
+
+ def stringify(self):
+ ''' return the options hash as cli params in a string '''
+ rval = []
+ for key, data in self.config_options.items():
+ if data['include'] \
+ and (data['value'] or isinstance(data['value'], int)):
+ rval.append('--%s=%s' % (key.replace('_', '-'), data['value']))
+
+ return rval
+
+
+# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: class/oc_process.py -*- -*- -*-
+
+
+# pylint: disable=too-many-instance-attributes
+class OCProcess(OpenShiftCLI):
+ ''' Class to wrap the oc command line tools '''
+
+ # pylint allows 5. we need 6
+ # pylint: disable=too-many-arguments
+ def __init__(self,
+ namespace,
+ tname=None,
+ params=None,
+ create=False,
+ kubeconfig='/etc/origin/master/admin.kubeconfig',
+ tdata=None,
+ verbose=False):
+ ''' Constructor for OpenshiftOC '''
+ super(OCProcess, self).__init__(namespace, kubeconfig)
+ self.namespace = namespace
+ self.name = tname
+ self.data = tdata
+ self.params = params
+ self.create = create
+ self.kubeconfig = kubeconfig
+ self.verbose = verbose
+ self._template = None
+
+ @property
+ def template(self):
+ '''template property'''
+ if self._template is None:
+ results = self._process(self.name, False, self.params, self.data)
+ if results['returncode'] != 0:
+ raise OpenShiftCLIError('Error processing template [%s].' % self.name)
+ self._template = results['results']['items']
+
+ return self._template
+
+ def get(self):
+ '''get the template'''
+ results = self._get('template', self.name)
+ if results['returncode'] != 0:
+ # Does the template exist??
+ if 'not found' in results['stderr']:
+ results['returncode'] = 0
+ results['exists'] = False
+ results['results'] = []
+
+ return results
+
+ def delete(self, obj):
+ '''delete a resource'''
+ return self._delete(obj['kind'], obj['metadata']['name'])
+
+ def create_obj(self, obj):
+ '''create a resource'''
+ return self._create_from_content(obj['metadata']['name'], obj)
+
+ def process(self, create=None):
+ '''process a template'''
+ do_create = False
+ if create != None:
+ do_create = create
+ else:
+ do_create = self.create
+
+ return self._process(self.name, do_create, self.params, self.data)
+
+ def exists(self):
+ '''return whether the template exists'''
+ # Always return true if we're being passed template data
+ if self.data:
+ return True
+ t_results = self._get('template', self.name)
+
+ if t_results['returncode'] != 0:
+ # Does the template exist??
+ if 'not found' in t_results['stderr']:
+ return False
+ else:
+ raise OpenShiftCLIError('Something went wrong. %s' % t_results)
+
+ return True
+
+ def needs_update(self):
+ '''attempt to process the template and return it for comparison with oc objects'''
+ obj_results = []
+ for obj in self.template:
+
+ # build a list of types to skip
+ skip = []
+
+ if obj['kind'] == 'ServiceAccount':
+ skip.extend(['secrets', 'imagePullSecrets'])
+ if obj['kind'] == 'BuildConfig':
+ skip.extend(['lastTriggeredImageID'])
+ if obj['kind'] == 'ImageStream':
+ skip.extend(['generation'])
+ if obj['kind'] == 'DeploymentConfig':
+ skip.extend(['lastTriggeredImage'])
+
+ # fetch the current object
+ curr_obj_results = self._get(obj['kind'], obj['metadata']['name'])
+ if curr_obj_results['returncode'] != 0:
+ # Does the template exist??
+ if 'not found' in curr_obj_results['stderr']:
+ obj_results.append((obj, True))
+ continue
+
+ # check the generated object against the existing object
+ if not Utils.check_def_equal(obj, curr_obj_results['results'][0], skip_keys=skip):
+ obj_results.append((obj, True))
+ continue
+
+ obj_results.append((obj, False))
+
+ return obj_results
+
+ # pylint: disable=too-many-return-statements
+ @staticmethod
+ def run_ansible(params, check_mode):
+ '''run the ansible idempotent code'''
+
+ ocprocess = OCProcess(params['namespace'],
+ params['template_name'],
+ params['params'],
+ params['create'],
+ kubeconfig=params['kubeconfig'],
+ tdata=params['content'],
+ verbose=params['debug'])
+
+ state = params['state']
+
+ api_rval = ocprocess.get()
+
+ if state == 'list':
+ if api_rval['returncode'] != 0:
+ return {"failed": True, "msg" : api_rval}
+
+ return {"changed" : False, "results": api_rval, "state": "list"}
+
+ elif state == 'present':
+ if check_mode and params['create']:
+ return {"changed": True, 'msg': "CHECK_MODE: Would have processed template."}
+
+ if not ocprocess.exists() or not params['reconcile']:
+ #FIXME: this code will never get run in a way that succeeds when
+ # module.params['reconcile'] is true. Because oc_process doesn't
+ # create the actual template, the check of ocprocess.exists()
+ # is meaningless. Either it's already here and this code
+ # won't be run, or this code will fail because there is no
+ # template available for oc process to use. Have we conflated
+ # the template's existence with the existence of the objects
+ # it describes?
+
+ # Create it here
+ api_rval = ocprocess.process()
+ if api_rval['returncode'] != 0:
+ return {"failed": True, "msg": api_rval}
+
+ if params['create']:
+ return {"changed": True, "results": api_rval, "state": "present"}
+
+ return {"changed": False, "results": api_rval, "state": "present"}
+
+ # verify results
+ update = False
+ rval = []
+ all_results = ocprocess.needs_update()
+ for obj, status in all_results:
+ if status:
+ ocprocess.delete(obj)
+ results = ocprocess.create_obj(obj)
+ results['kind'] = obj['kind']
+ rval.append(results)
+ update = True
+
+ if not update:
+ return {"changed": update, "results": api_rval, "state": "present"}
+
+ for cmd in rval:
+ if cmd['returncode'] != 0:
+ return {"failed": True, "changed": update, "results": rval, "state": "present"}
+
+ return {"changed": update, "results": rval, "state": "present"}
+
+
+# -*- -*- -*- End included fragment: class/oc_process.py -*- -*- -*-
+
+# -*- -*- -*- Begin included fragment: ansible/oc_process.py -*- -*- -*-
+
+
+def main():
+ '''
+ ansible oc module for processing templates
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ state=dict(default='present', type='str', choices=['present', 'list']),
+ debug=dict(default=False, type='bool'),
+ namespace=dict(default='default', type='str'),
+ template_name=dict(default=None, type='str'),
+ content=dict(default=None, type='str'),
+ params=dict(default=None, type='dict'),
+ create=dict(default=False, type='bool'),
+ reconcile=dict(default=True, type='bool'),
+ ),
+ supports_check_mode=True,
+ )
+
+ rval = OCProcess.run_ansible(module.params, module.check_mode)
+ if 'failed' in rval:
+ module.fail_json(**rval)
+
+ module.exit_json(**rval)
+
+if __name__ == '__main__':
+ main()
+
+# -*- -*- -*- End included fragment: ansible/oc_process.py -*- -*- -*-
diff --git a/roles/lib_openshift/src/ansible/oc_process.py b/roles/lib_openshift/src/ansible/oc_process.py
new file mode 100644
index 000000000..17cf865b7
--- /dev/null
+++ b/roles/lib_openshift/src/ansible/oc_process.py
@@ -0,0 +1,32 @@
+# pylint: skip-file
+# flake8: noqa
+
+
+def main():
+ '''
+ ansible oc module for processing templates
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ state=dict(default='present', type='str', choices=['present', 'list']),
+ debug=dict(default=False, type='bool'),
+ namespace=dict(default='default', type='str'),
+ template_name=dict(default=None, type='str'),
+ content=dict(default=None, type='str'),
+ params=dict(default=None, type='dict'),
+ create=dict(default=False, type='bool'),
+ reconcile=dict(default=True, type='bool'),
+ ),
+ supports_check_mode=True,
+ )
+
+ rval = OCProcess.run_ansible(module.params, module.check_mode)
+ if 'failed' in rval:
+ module.fail_json(**rval)
+
+ module.exit_json(**rval)
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/lib_openshift/src/class/oc_process.py b/roles/lib_openshift/src/class/oc_process.py
new file mode 100644
index 000000000..80d81448d
--- /dev/null
+++ b/roles/lib_openshift/src/class/oc_process.py
@@ -0,0 +1,188 @@
+# pylint: skip-file
+# flake8: noqa
+
+
+# pylint: disable=too-many-instance-attributes
+class OCProcess(OpenShiftCLI):
+ ''' Class to wrap the oc command line tools '''
+
+ # pylint allows 5. we need 6
+ # pylint: disable=too-many-arguments
+ def __init__(self,
+ namespace,
+ tname=None,
+ params=None,
+ create=False,
+ kubeconfig='/etc/origin/master/admin.kubeconfig',
+ tdata=None,
+ verbose=False):
+ ''' Constructor for OpenshiftOC '''
+ super(OCProcess, self).__init__(namespace, kubeconfig)
+ self.namespace = namespace
+ self.name = tname
+ self.data = tdata
+ self.params = params
+ self.create = create
+ self.kubeconfig = kubeconfig
+ self.verbose = verbose
+ self._template = None
+
+ @property
+ def template(self):
+ '''template property'''
+ if self._template is None:
+ results = self._process(self.name, False, self.params, self.data)
+ if results['returncode'] != 0:
+ raise OpenShiftCLIError('Error processing template [%s].' % self.name)
+ self._template = results['results']['items']
+
+ return self._template
+
+ def get(self):
+ '''get the template'''
+ results = self._get('template', self.name)
+ if results['returncode'] != 0:
+ # Does the template exist??
+ if 'not found' in results['stderr']:
+ results['returncode'] = 0
+ results['exists'] = False
+ results['results'] = []
+
+ return results
+
+ def delete(self, obj):
+ '''delete a resource'''
+ return self._delete(obj['kind'], obj['metadata']['name'])
+
+ def create_obj(self, obj):
+ '''create a resource'''
+ return self._create_from_content(obj['metadata']['name'], obj)
+
+ def process(self, create=None):
+ '''process a template'''
+ do_create = False
+ if create != None:
+ do_create = create
+ else:
+ do_create = self.create
+
+ return self._process(self.name, do_create, self.params, self.data)
+
+ def exists(self):
+ '''return whether the template exists'''
+ # Always return true if we're being passed template data
+ if self.data:
+ return True
+ t_results = self._get('template', self.name)
+
+ if t_results['returncode'] != 0:
+ # Does the template exist??
+ if 'not found' in t_results['stderr']:
+ return False
+ else:
+ raise OpenShiftCLIError('Something went wrong. %s' % t_results)
+
+ return True
+
+ def needs_update(self):
+ '''attempt to process the template and return it for comparison with oc objects'''
+ obj_results = []
+ for obj in self.template:
+
+ # build a list of types to skip
+ skip = []
+
+ if obj['kind'] == 'ServiceAccount':
+ skip.extend(['secrets', 'imagePullSecrets'])
+ if obj['kind'] == 'BuildConfig':
+ skip.extend(['lastTriggeredImageID'])
+ if obj['kind'] == 'ImageStream':
+ skip.extend(['generation'])
+ if obj['kind'] == 'DeploymentConfig':
+ skip.extend(['lastTriggeredImage'])
+
+ # fetch the current object
+ curr_obj_results = self._get(obj['kind'], obj['metadata']['name'])
+ if curr_obj_results['returncode'] != 0:
+ # Does the template exist??
+ if 'not found' in curr_obj_results['stderr']:
+ obj_results.append((obj, True))
+ continue
+
+ # check the generated object against the existing object
+ if not Utils.check_def_equal(obj, curr_obj_results['results'][0], skip_keys=skip):
+ obj_results.append((obj, True))
+ continue
+
+ obj_results.append((obj, False))
+
+ return obj_results
+
+ # pylint: disable=too-many-return-statements
+ @staticmethod
+ def run_ansible(params, check_mode):
+ '''run the ansible idempotent code'''
+
+ ocprocess = OCProcess(params['namespace'],
+ params['template_name'],
+ params['params'],
+ params['create'],
+ kubeconfig=params['kubeconfig'],
+ tdata=params['content'],
+ verbose=params['debug'])
+
+ state = params['state']
+
+ api_rval = ocprocess.get()
+
+ if state == 'list':
+ if api_rval['returncode'] != 0:
+ return {"failed": True, "msg" : api_rval}
+
+ return {"changed" : False, "results": api_rval, "state": "list"}
+
+ elif state == 'present':
+ if check_mode and params['create']:
+ return {"changed": True, 'msg': "CHECK_MODE: Would have processed template."}
+
+ if not ocprocess.exists() or not params['reconcile']:
+ #FIXME: this code will never get run in a way that succeeds when
+ # module.params['reconcile'] is true. Because oc_process doesn't
+ # create the actual template, the check of ocprocess.exists()
+ # is meaningless. Either it's already here and this code
+ # won't be run, or this code will fail because there is no
+ # template available for oc process to use. Have we conflated
+ # the template's existence with the existence of the objects
+ # it describes?
+
+ # Create it here
+ api_rval = ocprocess.process()
+ if api_rval['returncode'] != 0:
+ return {"failed": True, "msg": api_rval}
+
+ if params['create']:
+ return {"changed": True, "results": api_rval, "state": "present"}
+
+ return {"changed": False, "results": api_rval, "state": "present"}
+
+ # verify results
+ update = False
+ rval = []
+ all_results = ocprocess.needs_update()
+ for obj, status in all_results:
+ if status:
+ ocprocess.delete(obj)
+ results = ocprocess.create_obj(obj)
+ results['kind'] = obj['kind']
+ rval.append(results)
+ update = True
+
+ if not update:
+ return {"changed": update, "results": api_rval, "state": "present"}
+
+ for cmd in rval:
+ if cmd['returncode'] != 0:
+ return {"failed": True, "changed": update, "results": rval, "state": "present"}
+
+ return {"changed": update, "results": rval, "state": "present"}
+
diff --git a/roles/lib_openshift/src/doc/process b/roles/lib_openshift/src/doc/process
new file mode 100644
index 000000000..86a854c07
--- /dev/null
+++ b/roles/lib_openshift/src/doc/process
@@ -0,0 +1,84 @@
+# flake8: noqa
+# pylint: skip-file
+
+DOCUMENTATION = '''
+---
+module: oc_process
+short_description: Module to process openshift templates
+description:
+ - Process openshift templates programmatically.
+options:
+ state:
+ description:
+ - State has a few different meanings when it comes to process.
+ - state: present - This state runs an `oc process <template>`. When used in
+ - conjunction with 'create: True' the process will be piped to | oc create -f
+ - state: absent - will remove a template
+ - state: list - will perform an `oc get template <template_name>`
+ default: present
+ choices: ["present", "absent", "list"]
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ template_name:
+ description:
+ - Name of the openshift template that is being processed.
+ required: false
+ default: None
+ aliases: []
+ namespace:
+ description:
+ - The namespace where the template lives.
+ required: false
+ default: default
+ aliases: []
+ content:
+ description:
+ - Template content that will be processed.
+ required: false
+ default: None
+ aliases: []
+ params:
+ description:
+ - A list of parameters that will be inserted into the template.
+ required: false
+ default: None
+ aliases: []
+ create:
+ description:
+ - Whether or not to create the template after being processed. e.g. oc process | oc create -f -
+ required: False
+ default: False
+ aliases: []
+ reconcile:
+ description:
+ - Whether or not to attempt to determine if there are updates or changes in the incoming template.
+ default: true
+ aliases: []
+author:
+- "Kenny Woodson <kwoodson@redhat.com>"
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: process the cloud volume provisioner template with variables
+ oc_process:
+ namespace: openshift-infra
+ template_name: online-volume-provisioner
+ create: True
+ params:
+ PLAT: rhel7
+ register: processout
+ run_once: true
+- debug: var=processout
+'''
diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml
index badb1b1a4..091aaef2e 100644
--- a/roles/lib_openshift/src/sources.yml
+++ b/roles/lib_openshift/src/sources.yml
@@ -50,6 +50,16 @@ oc_obj.py:
- class/oc_obj.py
- ansible/oc_obj.py
+oc_process.py:
+- doc/generated
+- doc/license
+- lib/import.py
+- doc/process
+- ../../lib_utils/src/class/yedit.py
+- lib/base.py
+- class/oc_process.py
+- ansible/oc_process.py
+
oc_route.py:
- doc/generated
- doc/license
diff --git a/roles/lib_openshift/src/test/integration/oc_process.yml b/roles/lib_openshift/src/test/integration/oc_process.yml
new file mode 100755
index 000000000..7ea4c6b99
--- /dev/null
+++ b/roles/lib_openshift/src/test/integration/oc_process.yml
@@ -0,0 +1,83 @@
+#!/usr/bin/ansible-playbook --module-path=../../../library/:../../../../lib_utils/library
+
+---
+- hosts: "{{ cli_master_test }}"
+ gather_facts: no
+ user: root
+ vars:
+ template_name: mysql-ephemeral
+ ns_name: test
+
+ post_tasks:
+ - name: get the mysql-ephemeral template
+ oc_obj:
+ name: mysql-ephemeral
+ state: list
+ namespace: openshift
+ kind: template
+ register: mysqltempl
+
+ - name: fix namespace
+ yedit:
+ src: /tmp/mysql-template
+ key: metadata.namespace
+ value: test
+ backup: false
+ content: "{{ mysqltempl.results.results[0] | to_yaml }}"
+
+ - name: create the test namespace
+ oc_obj:
+ name: test
+ state: present
+ namespace: test
+ kind: namespace
+ content:
+ path: /tmp/ns_test
+ data:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: test
+ spec:
+ finalizers:
+ - openshift.io/origin
+ - kubernetes
+ register: mysqltempl
+
+ - name: create the mysql-ephemeral template
+ oc_obj:
+ name: mysql-ephemeral
+ state: present
+ namespace: test
+ kind: template
+ files:
+ - /tmp/mysql-template
+ delete_after: True
+ register: mysqltempl
+
+ - name: process mysql-ephemeral
+ oc_process:
+ template_name: mysql-ephemeral
+ namespace: test
+ params:
+ NAMESPACE: test
+ DATABASE_SERVICE_NAME: testdb
+ create: False
+ reconcile: false
+ register: procout
+
+ - assert:
+ that:
+ - not procout.changed
+ - procout.results.results['items'][0]['metadata']['name'] == 'testdb'
+ - procout.results.results['items'][0]['kind'] == 'Service'
+ - procout.results.results['items'][1]['metadata']['name'] == 'testdb'
+ - procout.results.results['items'][1]['kind'] == 'DeploymentConfig'
+ msg: process failed on template
+
+ - name: remove namespace test
+ oc_obj:
+ kind: namespace
+ name: test
+ namespace: test
+ state: absent
diff --git a/roles/lib_openshift/src/test/unit/oc_process.py b/roles/lib_openshift/src/test/unit/oc_process.py
new file mode 100755
index 000000000..450ff7071
--- /dev/null
+++ b/roles/lib_openshift/src/test/unit/oc_process.py
@@ -0,0 +1,483 @@
+#!/usr/bin/env python2
+'''
+ Unit tests for oc process
+'''
+# To run
+# python -m unittest version
+#
+# .
+# Ran 1 test in 0.597s
+#
+# OK
+
+import os
+import sys
+import unittest
+import mock
+
+# Removing invalid variable names for tests so that I can
+# keep them brief
+# pylint: disable=invalid-name,no-name-in-module
+# Disable import-error b/c our libraries aren't loaded in jenkins
+# pylint: disable=import-error
+# place class in our python path
+module_path = os.path.join('/'.join(os.path.realpath(__file__).split('/')[:-4]), 'library') # noqa: E501
+sys.path.insert(0, module_path)
+from oc_process import OCProcess # noqa: E402
+
+
+# pylint: disable=too-many-public-methods
+class OCProcessTest(unittest.TestCase):
+ '''
+ Test class for OCProcess
+ '''
+ mysql = '''{
+ "kind": "Template",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "mysql-ephemeral",
+ "namespace": "openshift",
+ "selfLink": "/oapi/v1/namespaces/openshift/templates/mysql-ephemeral",
+ "uid": "fb8b5f04-e3d3-11e6-a982-0e84250fc302",
+ "resourceVersion": "480",
+ "creationTimestamp": "2017-01-26T14:30:27Z",
+ "annotations": {
+ "iconClass": "icon-mysql-database",
+ "openshift.io/display-name": "MySQL (Ephemeral)",
+ "tags": "database,mysql"
+ }
+ },
+ "objects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Service",
+ "metadata": {
+ "creationTimestamp": null,
+ "name": "${DATABASE_SERVICE_NAME}"
+ },
+ "spec": {
+ "ports": [
+ {
+ "name": "mysql",
+ "nodePort": 0,
+ "port": 3306,
+ "protocol": "TCP",
+ "targetPort": 3306
+ }
+ ],
+ "selector": {
+ "name": "${DATABASE_SERVICE_NAME}"
+ },
+ "sessionAffinity": "None",
+ "type": "ClusterIP"
+ },
+ "status": {
+ "loadBalancer": {}
+ }
+ },
+ {
+ "apiVersion": "v1",
+ "kind": "DeploymentConfig",
+ "metadata": {
+ "creationTimestamp": null,
+ "name": "${DATABASE_SERVICE_NAME}"
+ },
+ "spec": {
+ "replicas": 1,
+ "selector": {
+ "name": "${DATABASE_SERVICE_NAME}"
+ },
+ "strategy": {
+ "type": "Recreate"
+ },
+ "template": {
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "name": "${DATABASE_SERVICE_NAME}"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "capabilities": {},
+ "env": [
+ {
+ "name": "MYSQL_USER",
+ "value": "${MYSQL_USER}"
+ },
+ {
+ "name": "MYSQL_PASSWORD",
+ "value": "${MYSQL_PASSWORD}"
+ },
+ {
+ "name": "MYSQL_DATABASE",
+ "value": "${MYSQL_DATABASE}"
+ }
+ ],
+ "image": " ",
+ "imagePullPolicy": "IfNotPresent",
+ "livenessProbe": {
+ "initialDelaySeconds": 30,
+ "tcpSocket": {
+ "port": 3306
+ },
+ "timeoutSeconds": 1
+ },
+ "name": "mysql",
+ "ports": [
+ {
+ "containerPort": 3306,
+ "protocol": "TCP"
+ }
+ ],
+ "readinessProbe": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-i",
+ "-c",
+ "MYSQL_PWD=$MYSQL_PASSWORD mysql -h 127.0.0.1 -u $MYSQL_USER -D $MYSQL_DATABASE -e 'SELECT 1'"
+ ]
+ },
+ "initialDelaySeconds": 5,
+ "timeoutSeconds": 1
+ },
+ "resources": {
+ "limits": {
+ "memory": "${MEMORY_LIMIT}"
+ }
+ },
+ "securityContext": {
+ "capabilities": {},
+ "privileged": false
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "volumeMounts": [
+ {
+ "mountPath": "/var/lib/mysql/data",
+ "name": "${DATABASE_SERVICE_NAME}-data"
+ }
+ ]
+ }
+ ],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "volumes": [
+ {
+ "emptyDir": {
+ "medium": ""
+ },
+ "name": "${DATABASE_SERVICE_NAME}-data"
+ }
+ ]
+ }
+ },
+ "triggers": [
+ {
+ "imageChangeParams": {
+ "automatic": true,
+ "containerNames": [
+ "mysql"
+ ],
+ "from": {
+ "kind": "ImageStreamTag",
+ "name": "mysql:${MYSQL_VERSION}",
+ "namespace": "${NAMESPACE}"
+ },
+ "lastTriggeredImage": ""
+ },
+ "type": "ImageChange"
+ },
+ {
+ "type": "ConfigChange"
+ }
+ ]
+ },
+ "status": {}
+ }
+ ],
+ "parameters": [
+ {
+ "name": "MEMORY_LIMIT",
+ "displayName": "Memory Limit",
+ "description": "Maximum amount of memory the container can use.",
+ "value": "512Mi"
+ },
+ {
+ "name": "NAMESPACE",
+ "displayName": "Namespace",
+ "description": "The OpenShift Namespace where the ImageStream resides.",
+ "value": "openshift"
+ },
+ {
+ "name": "DATABASE_SERVICE_NAME",
+ "displayName": "Database Service Name",
+ "description": "The name of the OpenShift Service exposed for the database.",
+ "value": "mysql",
+ "required": true
+ },
+ {
+ "name": "MYSQL_USER",
+ "displayName": "MySQL Connection Username",
+ "description": "Username for MySQL user that will be used for accessing the database.",
+ "generate": "expression",
+ "from": "user[A-Z0-9]{3}",
+ "required": true
+ },
+ {
+ "name": "MYSQL_PASSWORD",
+ "displayName": "MySQL Connection Password",
+ "description": "Password for the MySQL connection user.",
+ "generate": "expression",
+ "from": "[a-zA-Z0-9]{16}",
+ "required": true
+ },
+ {
+ "name": "MYSQL_DATABASE",
+ "displayName": "MySQL Database Name",
+ "description": "Name of the MySQL database accessed.",
+ "value": "sampledb",
+ "required": true
+ },
+ {
+ "name": "MYSQL_VERSION",
+ "displayName": "Version of MySQL Image",
+ "description": "Version of MySQL image to be used (5.5, 5.6 or latest).",
+ "value": "5.6",
+ "required": true
+ }
+ ],
+ "labels": {
+ "template": "mysql-ephemeral-template"
+ }
+}'''
+
+ def setUp(self):
+ ''' setup method will set to known configuration '''
+ pass
+
+ @mock.patch('oc_process.Utils.create_tmpfile_copy')
+ @mock.patch('oc_process.OCProcess._run')
+ def test_state_list(self, mock_cmd, mock_tmpfile_copy):
+ ''' Testing a get '''
+ params = {'template_name': 'mysql-ephermeral',
+ 'namespace': 'test',
+ 'content': None,
+ 'state': 'list',
+ 'reconcile': False,
+ 'create': False,
+ 'params': {'NAMESPACE': 'test', 'DATABASE_SERVICE_NAME': 'testdb'},
+ 'kubeconfig': '/etc/origin/master/admin.kubeconfig',
+ 'debug': False}
+
+ mock_cmd.side_effect = [
+ (0, OCProcessTest.mysql, '')
+ ]
+
+ mock_tmpfile_copy.side_effect = [
+ '/tmp/mock_kubeconfig',
+ ]
+
+ results = OCProcess.run_ansible(params, False)
+
+ self.assertFalse(results['changed'])
+ self.assertEqual(results['results']['results'][0]['metadata']['name'], 'mysql-ephemeral')
+
+ @mock.patch('oc_process.Utils.create_tmpfile_copy')
+ @mock.patch('oc_process.OCProcess._run')
+ def test_process_no_create(self, mock_cmd, mock_tmpfile_copy):
+ ''' Testing a process with no create '''
+ params = {'template_name': 'mysql-ephermeral',
+ 'namespace': 'test',
+ 'content': None,
+ 'state': 'present',
+ 'reconcile': False,
+ 'create': False,
+ 'params': {'NAMESPACE': 'test', 'DATABASE_SERVICE_NAME': 'testdb'},
+ 'kubeconfig': '/etc/origin/master/admin.kubeconfig',
+ 'debug': False}
+
+ mysqlproc = '''{
+ "kind": "List",
+ "apiVersion": "v1",
+ "metadata": {},
+ "items": [
+ {
+ "apiVersion": "v1",
+ "kind": "Service",
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "template": "mysql-ephemeral-template"
+ },
+ "name": "testdb"
+ },
+ "spec": {
+ "ports": [
+ {
+ "name": "mysql",
+ "nodePort": 0,
+ "port": 3306,
+ "protocol": "TCP",
+ "targetPort": 3306
+ }
+ ],
+ "selector": {
+ "name": "testdb"
+ },
+ "sessionAffinity": "None",
+ "type": "ClusterIP"
+ },
+ "status": {
+ "loadBalancer": {}
+ }
+ },
+ {
+ "apiVersion": "v1",
+ "kind": "DeploymentConfig",
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "template": "mysql-ephemeral-template"
+ },
+ "name": "testdb"
+ },
+ "spec": {
+ "replicas": 1,
+ "selector": {
+ "name": "testdb"
+ },
+ "strategy": {
+ "type": "Recreate"
+ },
+ "template": {
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "name": "testdb"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "capabilities": {},
+ "env": [
+ {
+ "name": "MYSQL_USER",
+ "value": "userHJJ"
+ },
+ {
+ "name": "MYSQL_PASSWORD",
+ "value": "GITOAduAMaV6k688"
+ },
+ {
+ "name": "MYSQL_DATABASE",
+ "value": "sampledb"
+ }
+ ],
+ "image": " ",
+ "imagePullPolicy": "IfNotPresent",
+ "livenessProbe": {
+ "initialDelaySeconds": 30,
+ "tcpSocket": {
+ "port": 3306
+ },
+ "timeoutSeconds": 1
+ },
+ "name": "mysql",
+ "ports": [
+ {
+ "containerPort": 3306,
+ "protocol": "TCP"
+ }
+ ],
+ "readinessProbe": {
+ "exec": {
+ "command": [
+ "/bin/sh",
+ "-i",
+ "-c",
+ "MYSQL_PWD=$MYSQL_PASSWORD mysql -h 127.0.0.1 -u $MYSQL_USER -D $MYSQL_DATABASE -e 'SELECT 1'"
+ ]
+ },
+ "initialDelaySeconds": 5,
+ "timeoutSeconds": 1
+ },
+ "resources": {
+ "limits": {
+ "memory": "512Mi"
+ }
+ },
+ "securityContext": {
+ "capabilities": {},
+ "privileged": false
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "volumeMounts": [
+ {
+ "mountPath": "/var/lib/mysql/data",
+ "name": "testdb-data"
+ }
+ ]
+ }
+ ],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "volumes": [
+ {
+ "emptyDir": {
+ "medium": ""
+ },
+ "name": "testdb-data"
+ }
+ ]
+ }
+ },
+ "triggers": [
+ {
+ "imageChangeParams": {
+ "automatic": true,
+ "containerNames": [
+ "mysql"
+ ],
+ "from": {
+ "kind": "ImageStreamTag",
+ "name": "mysql:5.6",
+ "namespace": "test"
+ },
+ "lastTriggeredImage": ""
+ },
+ "type": "ImageChange"
+ },
+ {
+ "type": "ConfigChange"
+ }
+ ]
+ }
+ }
+ ]
+}'''
+
+ mock_cmd.side_effect = [
+ (0, OCProcessTest.mysql, ''),
+ (0, OCProcessTest.mysql, ''),
+ (0, mysqlproc, ''),
+ ]
+
+ mock_tmpfile_copy.side_effect = [
+ '/tmp/mock_kubeconfig',
+ ]
+
+ results = OCProcess.run_ansible(params, False)
+
+ self.assertFalse(results['changed'])
+ self.assertEqual(results['results']['results']['items'][0]['metadata']['name'], 'testdb')
+
+ def tearDown(self):
+ '''TearDown method'''
+ pass
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml
index a8a9bd3b4..e3ed9ac71 100644
--- a/roles/nuage_master/meta/main.yml
+++ b/roles/nuage_master/meta/main.yml
@@ -17,6 +17,7 @@ dependencies:
- role: nuage_common
- role: openshift_etcd_client_certificates
- role: os_firewall
+- role: lib_openshift
os_firewall_allow:
- service: openshift-monitor
port: "{{ nuage_mon_rest_server_port }}/tcp"
diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml
index 41143772e..16ea08244 100644
--- a/roles/nuage_master/tasks/serviceaccount.yml
+++ b/roles/nuage_master/tasks/serviceaccount.yml
@@ -13,20 +13,16 @@
changed_when: false
- name: Create Admin Service Account
- shell: >
- echo {{ nuage_service_account_config | to_json | quote }} |
- {{ openshift.common.client_binary }} create
- -n default
- --config={{nuage_tmp_conf}}
- -f -
- register: osnuage_create_service_account
- failed_when: "'already exists' not in osnuage_create_service_account.stderr and osnuage_create_service_account.rc != 0"
- changed_when: osnuage_create_service_account.rc == 0
+ oc_serviceaccount:
+ kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig"
+ name: nuage
+ namespace: default
+ state: present
- name: Configure role/user permissions
command: >
{{ openshift.common.client_binary }} adm {{item}}
- --config={{nuage_tmp_conf}}
+ --config={{ nuage_tmp_conf }}
with_items: "{{nuage_tasks}}"
register: osnuage_perm_task
failed_when: "'the object has been modified' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0"
diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml
index dba399a03..651d5775c 100644
--- a/roles/nuage_master/vars/main.yaml
+++ b/roles/nuage_master/vars/main.yaml
@@ -22,11 +22,5 @@ nuage_mon_rest_server_host: "{{ openshift.master.cluster_hostname | default(open
nuage_master_crt_dir: /usr/share/nuage-openshift-monitor
nuage_service_account: system:serviceaccount:default:nuage
-nuage_service_account_config:
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: nuage
-
nuage_tasks:
- policy add-cluster-role-to-user cluster-reader {{ nuage_service_account }}
diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md
index 327cc004b..df43c3770 100644
--- a/roles/openshift_certificate_expiry/README.md
+++ b/roles/openshift_certificate_expiry/README.md
@@ -51,11 +51,11 @@ How to use the Certificate Expiration Checking Role.
Run one of the example playbooks using an inventory file
representative of your existing cluster. Some example playbooks are
-included in this repo, or you can read on below after this example to
+included in this role, or you can read on below after this example to
craft you own.
```
-$ ansible-playbook -v -i HOSTS ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml
+$ ansible-playbook -v -i HOSTS playbooks/certificate_expiry/easy-mode.yaml
```
Using the `easy-mode.yaml` playbook will produce:
@@ -65,16 +65,19 @@ Using the `easy-mode.yaml` playbook will produce:
* A stylized HTML report in `/tmp/`
+> **Note:** If you are running from an RPM install use
+> `/usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml`
+> instead
+
## More Example Playbooks
> **Note:** These Playbooks are available to run directly out of the
-> [examples/playbooks/](examples/playbooks/) directory.
+> [/playbooks/certificate_expiry/](../../playbooks/certificate_expiry/) directory.
This example playbook is great if you're just wanting to **try the
-role out**. This playbook enables HTML and JSON reports. The warning
-window is set very large so you will almost always get results back.
-All certificates (healthy or not) are included in the results:
+role out**. This playbook enables HTML and JSON reports. All
+certificates (healthy or not) are included in the results:
```yaml
---
@@ -83,7 +86,6 @@ All certificates (healthy or not) are included in the results:
become: yes
gather_facts: no
vars:
- openshift_certificate_expiry_warning_days: 1500
openshift_certificate_expiry_save_json_results: yes
openshift_certificate_expiry_generate_html_report: yes
openshift_certificate_expiry_show_all: yes
@@ -91,11 +93,16 @@ All certificates (healthy or not) are included in the results:
- role: openshift_certificate_expiry
```
+**From git:**
+```
+$ ansible-playbook -v -i HOSTS playbooks/certificate_expiry/easy-mode.yaml
+```
+**From openshift-ansible-playbooks rpm:**
```
-$ ansible-playbook -v -i HOSTS ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml
+$ ansible-playbook -v -i HOSTS /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml
```
-> [View This Playbook](examples/playbooks/easy-mode.yaml)
+> [View This Playbook](../../playbooks/certificate_expiry/easy-mode.yaml)
***
@@ -111,12 +118,16 @@ Default behavior:
- role: openshift_certificate_expiry
```
+**From git:**
```
-$ ansible-playbook -v -i HOSTS ./roles/openshift_certificate_expiry/examples/playbooks/default.yaml
+$ ansible-playbook -v -i HOSTS playbooks/certificate_expiry/default.yaml
+```
+**From openshift-ansible-playbooks rpm:**
+```
+$ ansible-playbook -v -i HOSTS /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/default.yaml
```
-
-> [View This Playbook](examples/playbooks/default.yaml)
+> [View This Playbook](../../playbooks/certificate_expiry/default.yaml)
***
@@ -136,12 +147,16 @@ Generate HTML and JSON artifacts in their default paths:
- role: openshift_certificate_expiry
```
+**From git:**
```
-$ ansible-playbook -v -i HOSTS ./roles/openshift_certificate_expiry/examples/playbooks/html_and_json_default_paths.yaml
+$ ansible-playbook -v -i HOSTS playbooks/certificate_expiry/html_and_json_default_paths.yaml
+```
+**From openshift-ansible-playbooks rpm:**
+```
+$ ansible-playbook -v -i HOSTS /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/html_and_json_default_paths.yaml
```
-
-> [View This Playbook](examples/playbooks/html_and_json_default_paths.yaml)
+> [View This Playbook](../../playbooks/certificate_expiry/html_and_json_default_paths.yaml)
***
@@ -160,12 +175,16 @@ the module out):
- role: openshift_certificate_expiry
```
+**From git:**
```
-$ ansible-playbook -v -i HOSTS ./roles/openshift_certificate_expiry/examples/playbooks/longer_warning_period.yaml
+$ ansible-playbook -v -i HOSTS playbooks/certificate_expiry/longer_warning_period.yaml
+```
+**From openshift-ansible-playbooks rpm:**
+```
+$ ansible-playbook -v -i HOSTS /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/longer_warning_period.yaml
```
-
-> [View This Playbook](examples/playbooks/longer_warning_period.yaml)
+> [View This Playbook](../../playbooks/certificate_expiry/longer_warning_period.yaml)
***
@@ -185,12 +204,16 @@ the module out) and save the results as a JSON file:
- role: openshift_certificate_expiry
```
+**From git:**
```
-$ ansible-playbook -v -i HOSTS ./roles/openshift_certificate_expiry/examples/playbooks/longer-warning-period-json-results.yaml
+$ ansible-playbook -v -i HOSTS playbooks/certificate_expiry/longer-warning-period-json-results.yaml
+```
+**From openshift-ansible-playbooks rpm:**
+```
+$ ansible-playbook -v -i HOSTS /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/longer-warning-period-json-results.yaml
```
-
-> [View This Playbook](examples/playbooks/longer-warning-period-json-results.yaml)
+> [View This Playbook](../../playbooks/certificate_expiry/longer-warning-period-json-results.yaml)
diff --git a/roles/openshift_certificate_expiry/examples/playbooks b/roles/openshift_certificate_expiry/examples/playbooks
new file mode 120000
index 000000000..586afb0d5
--- /dev/null
+++ b/roles/openshift_certificate_expiry/examples/playbooks
@@ -0,0 +1 @@
+../../../playbooks/certificate_expiry \ No newline at end of file
diff --git a/roles/openshift_etcd_facts/vars/main.yml b/roles/openshift_etcd_facts/vars/main.yml
index cae15d61a..82db36eba 100644
--- a/roles/openshift_etcd_facts/vars/main.yml
+++ b/roles/openshift_etcd_facts/vars/main.yml
@@ -5,6 +5,6 @@ etcd_hostname: "{{ openshift.common.hostname }}"
etcd_ip: "{{ openshift.common.ip }}"
etcd_cert_subdir: "etcd-{{ openshift.common.hostname }}"
etcd_cert_prefix:
-etcd_cert_config_dir: /etc/etcd
+etcd_cert_config_dir: "{{ '/etc/etcd' if not openshift.common.is_etcd_system_container | bool else '/var/lib/etcd/etcd.etcd/etc' }}"
etcd_peer_url_scheme: https
etcd_url_scheme: https
diff --git a/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml
index c8e3d4083..4f25a9c8f 100644
--- a/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml
+++ b/roles/openshift_examples/files/examples/v1.4/cfme-templates/cfme-template.yaml
@@ -157,7 +157,7 @@ objects:
- type: "ConfigChange"
- type: "ImageChange"
imageChangeParams:
- automatic: false
+ automatic: true
containerNames:
- "cloudforms"
from:
@@ -202,7 +202,7 @@ objects:
-
type: "ImageChange"
imageChangeParams:
- automatic: false
+ automatic: true
containerNames:
- "memcached"
from:
@@ -286,7 +286,7 @@ objects:
-
type: "ImageChange"
imageChangeParams:
- automatic: false
+ automatic: true
containerNames:
- "postgresql"
from:
diff --git a/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml
index c8e3d4083..4f25a9c8f 100644
--- a/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml
+++ b/roles/openshift_examples/files/examples/v1.5/cfme-templates/cfme-template.yaml
@@ -157,7 +157,7 @@ objects:
- type: "ConfigChange"
- type: "ImageChange"
imageChangeParams:
- automatic: false
+ automatic: true
containerNames:
- "cloudforms"
from:
@@ -202,7 +202,7 @@ objects:
-
type: "ImageChange"
imageChangeParams:
- automatic: false
+ automatic: true
containerNames:
- "memcached"
from:
@@ -286,7 +286,7 @@ objects:
-
type: "ImageChange"
imageChangeParams:
- automatic: false
+ automatic: true
containerNames:
- "postgresql"
from:
diff --git a/roles/openshift_facts/defaults/main.yml b/roles/openshift_facts/defaults/main.yml
new file mode 100644
index 000000000..28b388560
--- /dev/null
+++ b/roles/openshift_facts/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+use_system_containers: false
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index ec2942b69..97b3edd6e 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1785,11 +1785,14 @@ def set_container_facts_if_unset(facts):
facts['etcd']['etcd_image'] = etcd_image
if 'master' in facts and 'master_image' not in facts['master']:
facts['master']['master_image'] = master_image
+ facts['master']['master_system_image'] = master_image
if 'node' in facts:
if 'node_image' not in facts['node']:
facts['node']['node_image'] = node_image
+ facts['node']['node_system_image'] = node_image
if 'ovs_image' not in facts['node']:
facts['node']['ovs_image'] = ovs_image
+ facts['node']['ovs_system_image'] = ovs_image
if safe_get_bool(facts['common']['is_containerized']):
facts['common']['admin_binary'] = '/usr/local/bin/oadm'
@@ -2078,6 +2081,25 @@ class OpenShiftFacts(object):
create_pvc=False
)
),
+ loggingops=dict(
+ storage=dict(
+ kind=None,
+ volume=dict(
+ name='logging-es-ops',
+ size='10Gi'
+ ),
+ nfs=dict(
+ directory='/exports',
+ options='*(rw,root_squash)'
+ ),
+ host=None,
+ access=dict(
+ modes=['ReadWriteOnce']
+ ),
+ create_pv=True,
+ create_pvc=False
+ )
+ ),
logging=dict(
storage=dict(
kind=None,
diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml
index b7b521f1a..9a1982076 100644
--- a/roles/openshift_facts/tasks/main.yml
+++ b/roles/openshift_facts/tasks/main.yml
@@ -9,6 +9,10 @@
l_is_atomic: "{{ ostree_booted.stat.exists }}"
- set_fact:
l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}"
+ l_is_openvswitch_system_container: "{{ (use_openvswitch_system_container | default(use_system_containers) | bool) }}"
+ l_is_node_system_container: "{{ (use_node_system_container | default(use_system_containers) | bool) }}"
+ l_is_master_system_container: "{{ (use_master_system_container | default(use_system_containers) | bool) }}"
+ l_is_etcd_system_container: "{{ (use_etcd_system_container | default(use_system_containers) | bool) }}"
- name: Ensure various deps are installed
package: name={{ item }} state=present
@@ -27,6 +31,11 @@
hostname: "{{ openshift_hostname | default(None) }}"
ip: "{{ openshift_ip | default(None) }}"
is_containerized: "{{ l_is_containerized | default(None) }}"
+ is_openvswitch_system_container: "{{ l_is_openvswitch_system_container | default(false) }}"
+ is_node_system_container: "{{ l_is_node_system_container | default(false) }}"
+ is_master_system_container: "{{ l_is_master_system_container | default(false) }}"
+ is_etcd_system_container: "{{ l_is_etcd_system_container | default(false) }}"
+ system_images_registry: "{{ system_images_registry | default('') }}"
public_hostname: "{{ openshift_public_hostname | default(None) }}"
public_ip: "{{ openshift_public_ip | default(None) }}"
portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}"
diff --git a/roles/openshift_health_checker/HOWTO_CHECKS.md b/roles/openshift_health_checker/HOWTO_CHECKS.md
new file mode 100644
index 000000000..1573c14da
--- /dev/null
+++ b/roles/openshift_health_checker/HOWTO_CHECKS.md
@@ -0,0 +1,34 @@
+# OpenShift health checks
+
+This Ansible role contains health checks to diagnose problems in OpenShift
+environments.
+
+Checks are typically implemented as two parts:
+
+1. a Python module in [openshift_checks/](openshift_checks), with a class that
+ inherits from `OpenShiftCheck`.
+2. a custom Ansible module in [library/](library), for cases when the modules
+ shipped with Ansible do not provide the required functionality.
+
+The checks are called from an Ansible playbooks via the `openshift_health_check`
+action plugin. See
+[playbooks/byo/openshift-preflight/check.yml](../../playbooks/byo/openshift-preflight/check.yml)
+for an example.
+
+The action plugin dynamically discovers all checks and executes only those
+selected in the play.
+
+Checks can determine when they are active by implementing the method
+`is_active`. Inactive checks are skipped. This is similar to the `when`
+instruction in Ansible plays.
+
+Checks may have tags, which are a way to group related checks together. For
+instance, to run all preflight checks, pass in the group `'@preflight'` to
+`openshift_health_check`.
+
+Groups are automatically computed from tags.
+
+Groups and individual check names can be used together in the argument list to
+`openshift_health_check`.
+
+Look at existing checks for the implementation details.
diff --git a/roles/openshift_health_checker/README.md b/roles/openshift_health_checker/README.md
new file mode 100644
index 000000000..4ab5f1f7b
--- /dev/null
+++ b/roles/openshift_health_checker/README.md
@@ -0,0 +1,45 @@
+OpenShift Health Checker
+========================
+
+This role detects common problems with OpenShift installations or with
+environments prior to install.
+
+For more information about creating new checks, see [HOWTO_CHECKS.md](HOWTO_CHECKS.md).
+
+Requirements
+------------
+
+* Ansible 2.2+
+
+Role Variables
+--------------
+
+None
+
+Dependencies
+------------
+
+- openshift_facts
+
+Example Playbook
+----------------
+
+```yaml
+---
+- hosts: OSEv3
+ name: run OpenShift health checks
+ roles:
+ - openshift_health_checker
+ post_tasks:
+ - action: openshift_health_check
+```
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Customer Success team (dev@lists.openshift.redhat.com)
diff --git a/roles/openshift_health_checker/action_plugins/openshift_health_check.py b/roles/openshift_health_checker/action_plugins/openshift_health_check.py
new file mode 100644
index 000000000..0411797b1
--- /dev/null
+++ b/roles/openshift_health_checker/action_plugins/openshift_health_check.py
@@ -0,0 +1,116 @@
+"""
+Ansible action plugin to execute health checks in OpenShift clusters.
+"""
+# pylint: disable=wrong-import-position,missing-docstring,invalid-name
+import sys
+import os
+
+try:
+ from __main__ import display
+except ImportError:
+ from ansible.utils.display import Display
+ display = Display()
+
+from ansible.plugins.action import ActionBase
+
+# Augment sys.path so that we can import checks from a directory relative to
+# this callback plugin.
+sys.path.insert(1, os.path.dirname(os.path.dirname(__file__)))
+
+from openshift_checks import OpenShiftCheck, OpenShiftCheckException # noqa: E402
+
+
+class ActionModule(ActionBase):
+
+ def run(self, tmp=None, task_vars=None):
+ result = super(ActionModule, self).run(tmp, task_vars)
+
+ if task_vars is None:
+ task_vars = {}
+
+ if "openshift" not in task_vars:
+ result["failed"] = True
+ result["msg"] = "'openshift' is undefined, did 'openshift_facts' run?"
+ return result
+
+ try:
+ known_checks = self.load_known_checks()
+ except OpenShiftCheckException as e:
+ result["failed"] = True
+ result["msg"] = str(e)
+ return result
+
+ args = self._task.args
+ requested_checks = resolve_checks(args.get("checks", []), known_checks.values())
+
+ unknown_checks = requested_checks - set(known_checks)
+ if unknown_checks:
+ result["failed"] = True
+ result["msg"] = (
+ "One or more checks are unknown: {}. "
+ "Make sure there is no typo in the playbook and no files are missing."
+ ).format(", ".join(unknown_checks))
+ return result
+
+ result["checks"] = check_results = {}
+
+ for check_name in requested_checks & set(known_checks):
+ display.banner("CHECK [{} : {}]".format(check_name, task_vars["ansible_host"]))
+ check = known_checks[check_name]
+
+ if check.is_active(task_vars):
+ try:
+ r = check.run(tmp, task_vars)
+ except OpenShiftCheckException as e:
+ r = {}
+ r["failed"] = True
+ r["msg"] = str(e)
+ else:
+ r = {"skipped": True}
+
+ check_results[check_name] = r
+
+ if r.get("failed", False):
+ result["failed"] = True
+ result["msg"] = "One or more checks failed"
+
+ return result
+
+ def load_known_checks(self):
+ known_checks = {}
+
+ known_check_classes = set(cls for cls in OpenShiftCheck.subclasses())
+
+ for cls in known_check_classes:
+ check_name = cls.name
+ if check_name in known_checks:
+ other_cls = known_checks[check_name].__class__
+ raise OpenShiftCheckException(
+ "non-unique check name '{}' in: '{}.{}' and '{}.{}'".format(
+ check_name,
+ cls.__module__, cls.__name__,
+ other_cls.__module__, other_cls.__name__))
+ known_checks[check_name] = cls(module_executor=self._execute_module)
+
+ return known_checks
+
+
+def resolve_checks(names, all_checks):
+ """Returns a set of resolved check names.
+
+ Resolving a check name involves expanding tag references (e.g., '@tag') with
+ all the checks that contain the given tag.
+
+ names should be a sequence of strings.
+
+ all_checks should be a sequence of check classes/instances.
+ """
+ resolved = set()
+ for name in names:
+ if name.startswith("@"):
+ for check in all_checks:
+ if name[1:] in check.tags:
+ resolved.add(check.name)
+ else:
+ resolved.add(name)
+ return resolved
diff --git a/roles/openshift_preflight/verify_status/callback_plugins/zz_failure_summary.py b/roles/openshift_health_checker/callback_plugins/zz_failure_summary.py
index 180ed8d8f..8caefab15 100644
--- a/roles/openshift_preflight/verify_status/callback_plugins/zz_failure_summary.py
+++ b/roles/openshift_health_checker/callback_plugins/zz_failure_summary.py
@@ -3,6 +3,8 @@
Ansible callback plugin.
'''
+from pprint import pformat
+
from ansible.plugins.callback import CallbackBase
from ansible import constants as C
from ansible.utils.color import stringc
@@ -79,6 +81,8 @@ def _format_failure(failure):
(u'Task', task),
(u'Message', stringc(msg, C.COLOR_ERROR)),
)
+ if 'checks' in result._result:
+ rows += ((u'Details', stringc(pformat(result._result['checks']), C.COLOR_ERROR)),)
row_format = '{:10}{}'
return [row_format.format(header + u':', body) for header, body in rows]
diff --git a/roles/openshift_preflight/base/library/aos_version.py b/roles/openshift_health_checker/library/aos_version.py
index f7fcb6da5..13b7d310b 100755
--- a/roles/openshift_preflight/base/library/aos_version.py
+++ b/roles/openshift_health_checker/library/aos_version.py
@@ -1,57 +1,49 @@
#!/usr/bin/python
# vim: expandtab:tabstop=4:shiftwidth=4
'''
-An ansible module for determining if more than one minor version
-of any atomic-openshift package is available, which would indicate
-that multiple repos are enabled for different versions of the same
-thing which may cause problems.
+Ansible module for determining if multiple versions of an OpenShift package are
+available, and if the version requested is available down to the given
+precision.
-Also, determine if the version requested is available down to the
-precision requested.
+Multiple versions available suggest that multiple repos are enabled for the
+different versions, which may cause installation problems.
'''
-# import os
-# import sys
import yum # pylint: disable=import-error
+
from ansible.module_utils.basic import AnsibleModule
-def main(): # pylint: disable=missing-docstring
+def main(): # pylint: disable=missing-docstring,too-many-branches
module = AnsibleModule(
argument_spec=dict(
- version=dict(required=True)
+ prefix=dict(required=True), # atomic-openshift, origin, ...
+ version=dict(required=True),
),
supports_check_mode=True
)
- # NOTE(rhcarvalho): sosiouxme added _unmute, but I couldn't find a case yet
- # for when it is actually necessary. Leaving it commented out for now,
- # though this comment and the commented out code related to _unmute should
- # be deleted later if not proven necessary.
-
- # sys.stdout = os.devnull # mute yum so it doesn't break our output
- # sys.stderr = os.devnull # mute yum so it doesn't break our output
-
- # def _unmute(): # pylint: disable=missing-docstring
- # sys.stdout = sys.__stdout__
-
def bail(error): # pylint: disable=missing-docstring
- # _unmute()
module.fail_json(msg=error)
+ rpm_prefix = module.params['prefix']
+
+ if not rpm_prefix:
+ bail("prefix must not be empty")
+
yb = yum.YumBase() # pylint: disable=invalid-name
# search for package versions available for aos pkgs
expected_pkgs = [
- 'atomic-openshift',
- 'atomic-openshift-master',
- 'atomic-openshift-node',
+ rpm_prefix,
+ rpm_prefix + '-master',
+ rpm_prefix + '-node',
]
try:
pkgs = yb.pkgSack.returnPackages(patterns=expected_pkgs)
except yum.Errors.PackageSackError as e: # pylint: disable=invalid-name
# you only hit this if *none* of the packages are available
- bail('Unable to find any atomic-openshift packages. \nCheck your subscription and repo settings. \n%s' % e)
+ bail('Unable to find any OpenShift packages.\nCheck your subscription and repo settings.\n%s' % e)
# determine what level of precision we're expecting for the version
expected_version = module.params['version']
@@ -92,7 +84,6 @@ def main(): # pylint: disable=missing-docstring
msg += ' %s\n' % name
bail(msg + "There should only be one OpenShift version's repository enabled at a time.")
- # _unmute()
module.exit_json(changed=False)
diff --git a/roles/openshift_preflight/base/library/check_yum_update.py b/roles/openshift_health_checker/library/check_yum_update.py
index 296ebd44f..9bc14fd47 100755
--- a/roles/openshift_preflight/base/library/check_yum_update.py
+++ b/roles/openshift_health_checker/library/check_yum_update.py
@@ -8,9 +8,10 @@ parameters:
If omitted, all installed RPMs are considered for updates.
'''
-# import os
import sys
+
import yum # pylint: disable=import-error
+
from ansible.module_utils.basic import AnsibleModule
@@ -22,18 +23,7 @@ def main(): # pylint: disable=missing-docstring,too-many-branches
supports_check_mode=True
)
- # NOTE(rhcarvalho): sosiouxme added _unmute, but I couldn't find a case yet
- # for when it is actually necessary. Leaving it commented out for now,
- # though this comment and the commented out code related to _unmute should
- # be deleted later if not proven necessary.
-
- # sys.stdout = os.devnull # mute yum so it doesn't break our output
-
- # def _unmute(): # pylint: disable=missing-docstring
- # sys.stdout = sys.__stdout__
-
def bail(error): # pylint: disable=missing-docstring
- # _unmute()
module.fail_json(msg=error)
yb = yum.YumBase() # pylint: disable=invalid-name
@@ -108,7 +98,6 @@ def main(): # pylint: disable=missing-docstring,too-many-branches
bail('Unknown error(s) from dependency resolution. Exit Code: %d:\n%s' %
(txn_result, txn_msgs))
- # _unmute()
module.exit_json(changed=False)
diff --git a/roles/openshift_preflight/init/meta/main.yml b/roles/openshift_health_checker/meta/main.yml
index 0bbeadd34..0bbeadd34 100644
--- a/roles/openshift_preflight/init/meta/main.yml
+++ b/roles/openshift_health_checker/meta/main.yml
diff --git a/roles/openshift_health_checker/openshift_checks/__init__.py b/roles/openshift_health_checker/openshift_checks/__init__.py
new file mode 100644
index 000000000..c31242624
--- /dev/null
+++ b/roles/openshift_health_checker/openshift_checks/__init__.py
@@ -0,0 +1,84 @@
+"""
+Health checks for OpenShift clusters.
+"""
+
+import os
+from abc import ABCMeta, abstractmethod, abstractproperty
+from importlib import import_module
+import operator
+
+import six
+from six.moves import reduce
+
+
+class OpenShiftCheckException(Exception):
+ """Raised when a check cannot proceed."""
+ pass
+
+
+@six.add_metaclass(ABCMeta)
+class OpenShiftCheck(object):
+ """A base class for defining checks for an OpenShift cluster environment."""
+
+ def __init__(self, module_executor):
+ self.module_executor = module_executor
+
+ @abstractproperty
+ def name(self):
+ """The name of this check, usually derived from the class name."""
+ return "openshift_check"
+
+ @property
+ def tags(self):
+ """A list of tags that this check satisfy.
+
+ Tags are used to reference multiple checks with a single '@tagname'
+ special check name.
+ """
+ return []
+
+ @classmethod
+ def is_active(cls, task_vars): # pylint: disable=unused-argument
+ """Returns true if this check applies to the ansible-playbook run."""
+ return True
+
+ @abstractmethod
+ def run(self, tmp, task_vars):
+ """Executes a check, normally implemented as a module."""
+ return {}
+
+ @classmethod
+ def subclasses(cls):
+ """Returns a generator of subclasses of this class and its subclasses."""
+ for subclass in cls.__subclasses__(): # pylint: disable=no-member
+ yield subclass
+ for subclass in subclass.subclasses():
+ yield subclass
+
+
+def get_var(task_vars, *keys, **kwargs):
+ """Helper function to get deeply nested values from task_vars.
+
+ Ansible task_vars structures are Python dicts, often mapping strings to
+ other dicts. This helper makes it easier to get a nested value, raising
+ OpenShiftCheckException when a key is not found.
+ """
+ try:
+ value = reduce(operator.getitem, keys, task_vars)
+ except (KeyError, TypeError):
+ if "default" in kwargs:
+ return kwargs["default"]
+ raise OpenShiftCheckException("'{}' is undefined".format(".".join(map(str, keys))))
+ return value
+
+
+# Dynamically import all submodules for the side effect of loading checks.
+
+EXCLUDES = (
+ "__init__.py",
+ "mixins.py",
+)
+
+for name in os.listdir(os.path.dirname(__file__)):
+ if name.endswith(".py") and name not in EXCLUDES:
+ import_module(__package__ + "." + name[:-3])
diff --git a/roles/openshift_health_checker/openshift_checks/mixins.py b/roles/openshift_health_checker/openshift_checks/mixins.py
new file mode 100644
index 000000000..4029fba62
--- /dev/null
+++ b/roles/openshift_health_checker/openshift_checks/mixins.py
@@ -0,0 +1,21 @@
+# pylint: disable=missing-docstring
+from openshift_checks import get_var
+
+
+class NotContainerized(object):
+ """Mixin for checks that are only active when not in containerized mode."""
+
+ @classmethod
+ def is_active(cls, task_vars):
+ return (
+ # This mixin is meant to be used with subclasses of
+ # OpenShiftCheck. Pylint disables this by default on mixins,
+ # though it relies on the class name ending in 'mixin'.
+ # pylint: disable=no-member
+ super(NotContainerized, cls).is_active(task_vars) and
+ not cls.is_containerized(task_vars)
+ )
+
+ @staticmethod
+ def is_containerized(task_vars):
+ return get_var(task_vars, "openshift", "common", "is_containerized")
diff --git a/roles/openshift_health_checker/openshift_checks/package_availability.py b/roles/openshift_health_checker/openshift_checks/package_availability.py
new file mode 100644
index 000000000..8faeef5ee
--- /dev/null
+++ b/roles/openshift_health_checker/openshift_checks/package_availability.py
@@ -0,0 +1,66 @@
+# pylint: disable=missing-docstring
+from openshift_checks import OpenShiftCheck, get_var
+from openshift_checks.mixins import NotContainerized
+
+
+class PackageAvailability(NotContainerized, OpenShiftCheck):
+ """Check that required RPM packages are available."""
+
+ name = "package_availability"
+ tags = ["preflight"]
+
+ def run(self, tmp, task_vars):
+ rpm_prefix = get_var(task_vars, "openshift", "common", "service_type")
+ group_names = get_var(task_vars, "group_names", default=[])
+
+ packages = set()
+
+ if "masters" in group_names:
+ packages.update(self.master_packages(rpm_prefix))
+ if "nodes" in group_names:
+ packages.update(self.node_packages(rpm_prefix))
+
+ args = {"packages": sorted(set(packages))}
+ return self.module_executor("check_yum_update", args, tmp, task_vars)
+
+ @staticmethod
+ def master_packages(rpm_prefix):
+ return [
+ "{rpm_prefix}".format(rpm_prefix=rpm_prefix),
+ "{rpm_prefix}-clients".format(rpm_prefix=rpm_prefix),
+ "{rpm_prefix}-master".format(rpm_prefix=rpm_prefix),
+ "bash-completion",
+ "cockpit-bridge",
+ "cockpit-docker",
+ "cockpit-kubernetes",
+ "cockpit-shell",
+ "cockpit-ws",
+ "etcd",
+ "httpd-tools",
+ ]
+
+ @staticmethod
+ def node_packages(rpm_prefix):
+ return [
+ "{rpm_prefix}".format(rpm_prefix=rpm_prefix),
+ "{rpm_prefix}-node".format(rpm_prefix=rpm_prefix),
+ "{rpm_prefix}-sdn-ovs".format(rpm_prefix=rpm_prefix),
+ "bind",
+ "ceph-common",
+ "dnsmasq",
+ "docker",
+ "firewalld",
+ "flannel",
+ "glusterfs-fuse",
+ "iptables-services",
+ "iptables",
+ "iscsi-initiator-utils",
+ "libselinux-python",
+ "nfs-utils",
+ "ntp",
+ "openssl",
+ "pyparted",
+ "python-httplib2",
+ "PyYAML",
+ "yum-utils",
+ ]
diff --git a/roles/openshift_health_checker/openshift_checks/package_update.py b/roles/openshift_health_checker/openshift_checks/package_update.py
new file mode 100644
index 000000000..86b7b6245
--- /dev/null
+++ b/roles/openshift_health_checker/openshift_checks/package_update.py
@@ -0,0 +1,14 @@
+# pylint: disable=missing-docstring
+from openshift_checks import OpenShiftCheck
+from openshift_checks.mixins import NotContainerized
+
+
+class PackageUpdate(NotContainerized, OpenShiftCheck):
+ """Check that there are no conflicts in RPM packages."""
+
+ name = "package_update"
+ tags = ["preflight"]
+
+ def run(self, tmp, task_vars):
+ args = {"packages": []}
+ return self.module_executor("check_yum_update", args, tmp, task_vars)
diff --git a/roles/openshift_health_checker/openshift_checks/package_version.py b/roles/openshift_health_checker/openshift_checks/package_version.py
new file mode 100644
index 000000000..7fa09cbfd
--- /dev/null
+++ b/roles/openshift_health_checker/openshift_checks/package_version.py
@@ -0,0 +1,20 @@
+# pylint: disable=missing-docstring
+from openshift_checks import OpenShiftCheck, get_var
+from openshift_checks.mixins import NotContainerized
+
+
+class PackageVersion(NotContainerized, OpenShiftCheck):
+ """Check that available RPM packages match the required versions."""
+
+ name = "package_version"
+ tags = ["preflight"]
+
+ def run(self, tmp, task_vars):
+ rpm_prefix = get_var(task_vars, "openshift", "common", "service_type")
+ openshift_release = get_var(task_vars, "openshift_release")
+
+ args = {
+ "prefix": rpm_prefix,
+ "version": openshift_release,
+ }
+ return self.module_executor("aos_version", args, tmp, task_vars)
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index ca5e88b15..ced71bb41 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -14,6 +14,7 @@ galaxy_info:
dependencies:
- role: openshift_cli
- role: openshift_hosted_facts
+- role: lib_openshift
- role: openshift_projects
openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
- role: openshift_serviceaccounts
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index d87a3847c..216a40874 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -43,21 +43,26 @@
when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)
- name: Create the secret for the registry certificates
- command: >
- {{ openshift.common.client_binary }} secrets new registry-certificates
- {{ openshift_master_config_dir }}/registry.crt
- {{ openshift_master_config_dir }}/registry.key
- --config={{ openshift_hosted_kubeconfig }}
- -n default
+ oc_secret:
+ kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ name: registry-certificates
+ namespace: default
+ state: present
+ files:
+ - name: registry.crt
+ path: "{{ openshift_master_config_dir }}/registry.crt"
+ - name: registry.key
+ path: "{{ openshift_master_config_dir }}/registry.key"
register: create_registry_certificates_secret
- changed_when: "'already exists' not in create_registry_certificates_secret.stderr"
- failed_when: "'already exists' not in create_registry_certificates_secret.stderr and create_registry_certificates_secret.rc != 0"
+ run_once: true
- name: "Add the secret to the registry's pod service accounts"
- command: >
- {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
- --config={{ openshift_hosted_kubeconfig }}
- -n default
+ oc_serviceaccount_secret:
+ service_account: "{{ item }}"
+ secret: registry-certificates
+ namespace: default
+ kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ state: present
with_items:
- registry
- default
diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
index e56a68e27..15128784e 100644
--- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
@@ -53,23 +53,13 @@
create -f -
when: secrets.rc == 1
-- name: Determine if service account contains secrets
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- get serviceaccounts registry
- -o jsonpath='{.secrets[?(@.name=="{{ registry_config_secret_name }}")].name}'
- register: serviceaccount
- changed_when: false
-
- name: Add secrets to registry service account
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- secrets add serviceaccount/registry secrets/{{ registry_config_secret_name }}
- when: serviceaccount.stdout == ''
+ oc_serviceaccount_secret:
+ service_account: registry
+ secret: "{{ registry_config_secret_name }}"
+ namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
+ kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ state: present
- name: Determine if deployment config contains secrets
command: >
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md
index 9394977c0..f7b2f7743 100644
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -24,8 +24,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log
- `openshift_logging_image_prefix`: The prefix for the logging images to use. Defaults to 'docker.io/openshift/origin-'.
- `openshift_logging_image_version`: The image version for the logging images to use. Defaults to 'latest'.
- `openshift_logging_use_ops`: If 'True', set up a second ES and Kibana cluster for infrastructure logs. Defaults to 'False'.
-- `master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.cluster.local'.
-- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://localhost:8443'.
+- `openshift_logging_master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.{{openshift.common.dns_domain}}'.
+- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://{{openshift.common.public_hostname}}:8443'.
- `openshift_logging_namespace`: The namespace that Aggregated Logging will be installed in. Defaults to 'logging'.
- `openshift_logging_curator_default_days`: The default minimum age (in days) Curator uses for deleting log records. Defaults to '30'.
- `openshift_logging_curator_run_hour`: The hour of the day that Curator will run at. Defaults to '0'.
@@ -51,8 +51,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log
- `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'.
- `openshift_logging_fluentd_memory_limit`: The memory limit for Fluentd pods. Defaults to '512Mi'.
- `openshift_logging_fluentd_es_copy`: Whether or not to use the ES_COPY feature for Fluentd (DEPRECATED). Defaults to 'False'.
-- `openshift_logging_fluentd_use_journal`: Whether or not Fluentd should read log entries from Journal. Defaults to 'False'. NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver and may overwrite this value.
-- `openshift_logging_fluentd_journal_read_from_head`: Whether or not Fluentd will try to read from the head of Journal when first starting up, using this may cause a delay in ES receiving current log records. Defaults to 'False'.
+- `openshift_logging_fluentd_use_journal`: NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver when using the default of empty.
+- `openshift_logging_fluentd_journal_read_from_head`: If empty, Fluentd will use its internal default, which is false.
- `openshift_logging_fluentd_hosts`: List of nodes that should be labeled for Fluentd to be deployed to. Defaults to ['--all'].
- `openshift_logging_es_host`: The name of the ES service Fluentd should send logs to. Defaults to 'logging-es'.
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index ead59c029..bdb168921 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -1,9 +1,9 @@
---
-openshift_logging_image_prefix: docker.io/openshift/origin-
-openshift_logging_image_version: latest
+openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}"
+openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}"
openshift_logging_use_ops: False
-master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
-openshift_logging_master_public_url: "https://{{openshift.common.public_hostname}}:8443"
+openshift_logging_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
+openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://{{openshift.common.public_hostname}}:8443') }}"
openshift_logging_namespace: logging
openshift_logging_install_logging: True
@@ -19,7 +19,7 @@ openshift_logging_curator_memory_limit: null
openshift_logging_curator_ops_cpu_limit: 100m
openshift_logging_curator_ops_memory_limit: null
-openshift_logging_kibana_hostname: "kibana.{{openshift.common.dns_domain}}"
+openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default(kibana.{{openshift.common.dns_domain}}) }}"
openshift_logging_kibana_cpu_limit: null
openshift_logging_kibana_memory_limit: null
openshift_logging_kibana_proxy_debug: false
@@ -27,7 +27,19 @@ openshift_logging_kibana_proxy_cpu_limit: null
openshift_logging_kibana_proxy_memory_limit: null
openshift_logging_kibana_replica_count: 1
-openshift_logging_kibana_ops_hostname: "kibana-ops.{{openshift.common.dns_domain}}"
+#The absolute path on the control node to the cert file to use
+#for the public facing kibana certs
+openshift_logging_kibana_cert: ""
+
+#The absolute path on the control node to the key file to use
+#for the public facing kibana certs
+openshift_logging_kibana_key: ""
+
+#The absolute path on the control node to the CA file to use
+#for the public facing kibana certs
+openshift_logging_kibana_ca: ""
+
+openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default('kibana-ops.{{openshift.common.dns_domain}}') }}"
openshift_logging_kibana_ops_cpu_limit: null
openshift_logging_kibana_ops_memory_limit: null
openshift_logging_kibana_ops_proxy_debug: false
@@ -39,8 +51,8 @@ openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'}
openshift_logging_fluentd_cpu_limit: 100m
openshift_logging_fluentd_memory_limit: 512Mi
openshift_logging_fluentd_es_copy: false
-openshift_logging_fluentd_use_journal: false
-openshift_logging_fluentd_journal_read_from_head: false
+openshift_logging_fluentd_use_journal: ''
+openshift_logging_fluentd_journal_read_from_head: ''
openshift_logging_fluentd_hosts: ['--all']
openshift_logging_es_host: logging-es
@@ -48,13 +60,13 @@ openshift_logging_es_port: 9200
openshift_logging_es_ca: /etc/fluent/keys/ca
openshift_logging_es_client_cert: /etc/fluent/keys/cert
openshift_logging_es_client_key: /etc/fluent/keys/key
-openshift_logging_es_cluster_size: 1
+openshift_logging_es_cluster_size: "{{ openshift_hosted_logging_elasticsearch_cluster_size | default(1) }}"
openshift_logging_es_cpu_limit: null
openshift_logging_es_memory_limit: 1024Mi
openshift_logging_es_pv_selector: null
-openshift_logging_es_pvc_dynamic: False
-openshift_logging_es_pvc_size: ""
-openshift_logging_es_pvc_prefix: logging-es
+openshift_logging_es_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_pvc_dynamic | default(False) }}"
+openshift_logging_es_pvc_size: "{{ openshift_hosted_logging_elasticsearch_pvc_size | default('') }}"
+openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
openshift_logging_es_recover_after_time: 5m
openshift_logging_es_storage_group: 65534
@@ -66,13 +78,13 @@ openshift_logging_es_ops_port: 9200
openshift_logging_es_ops_ca: /etc/fluent/keys/ca
openshift_logging_es_ops_client_cert: /etc/fluent/keys/cert
openshift_logging_es_ops_client_key: /etc/fluent/keys/key
-openshift_logging_es_ops_cluster_size: 1
+openshift_logging_es_ops_cluster_size: "{{ openshift_hosted_logging_elasticsearch_ops_cluster_size | default(1) }}"
openshift_logging_es_ops_cpu_limit: null
openshift_logging_es_ops_memory_limit: 1024Mi
openshift_logging_es_ops_pv_selector: None
-openshift_logging_es_ops_pvc_dynamic: False
-openshift_logging_es_ops_pvc_size: ""
-openshift_logging_es_ops_pvc_prefix: logging-es-ops
+openshift_logging_es_ops_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_dynamic | default(False) }}"
+openshift_logging_es_ops_pvc_size: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_size | default('') }}"
+openshift_logging_es_ops_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_prefix | default('logging-es-ops') }}"
openshift_logging_es_ops_recover_after_time: 5m
openshift_logging_es_ops_storage_group: 65534
diff --git a/roles/openshift_logging/files/fluent.conf b/roles/openshift_logging/files/fluent.conf
index aa843e983..c0c1c8a44 100644
--- a/roles/openshift_logging/files/fluent.conf
+++ b/roles/openshift_logging/files/fluent.conf
@@ -22,6 +22,7 @@
@include configs.d/openshift/filter-k8s-flatten-hash.conf
@include configs.d/openshift/filter-k8s-record-transform.conf
@include configs.d/openshift/filter-syslog-record-transform.conf
+ @include configs.d/openshift/filter-common-data-model.conf
@include configs.d/openshift/filter-post-*.conf
##
diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml
index 908f3ee88..9621d0d1a 100644
--- a/roles/openshift_logging/tasks/delete_logging.yaml
+++ b/roles/openshift_logging/tasks/delete_logging.yaml
@@ -80,16 +80,16 @@
# delete our service accounts
- name: delete service accounts
- command: >
- {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
- delete serviceaccount {{ item }} -n {{ openshift_logging_namespace }} --ignore-not-found=true
+ oc_serviceaccount:
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ name: "{{ item }}"
+ namespace: "{{ openshift_logging_namespace }}"
+ state: absent
with_items:
- aggregated-logging-elasticsearch
- aggregated-logging-kibana
- aggregated-logging-curator
- aggregated-logging-fluentd
- register: delete_result
- changed_when: delete_result.stdout.find("deleted") != -1 and delete_result.rc == 0
# delete our roles
- name: delete roles
diff --git a/roles/openshift_logging/tasks/generate_pvcs.yaml b/roles/openshift_logging/tasks/generate_pvcs.yaml
index 601ec9e83..d782d621e 100644
--- a/roles/openshift_logging/tasks/generate_pvcs.yaml
+++ b/roles/openshift_logging/tasks/generate_pvcs.yaml
@@ -4,10 +4,10 @@
vars:
pvc_name: "{{openshift_logging_es_pvc_prefix}}-{{item| int}}"
start: "{{es_pvc_names | map('regex_search',openshift_logging_es_pvc_prefix+'.*')|select('string')|list|length}}"
- with_sequence: start={{start}} end={{ (start|int > openshift_logging_es_cluster_size - 1) | ternary(start, openshift_logging_es_cluster_size - 1)}}
+ with_sequence: start={{start}} end={{ (start|int > openshift_logging_es_cluster_size|int - 1) | ternary(start, openshift_logging_es_cluster_size|int - 1)}}
when:
- openshift_logging_es_pvc_size | search('^\d.*')
- - "{{ es_dc_names|default([]) | length < openshift_logging_es_cluster_size }}"
+ - "{{ es_dc_names|default([]) | length < openshift_logging_es_cluster_size|int }}"
check_mode: no
- name: Generating PersistentVolumeClaims
diff --git a/roles/openshift_logging/tasks/generate_routes.yaml b/roles/openshift_logging/tasks/generate_routes.yaml
index 60694f67e..3c462378b 100644
--- a/roles/openshift_logging/tasks/generate_routes.yaml
+++ b/roles/openshift_logging/tasks/generate_routes.yaml
@@ -1,4 +1,20 @@
---
+- set_fact: kibana_key={{ lookup('file', openshift_logging_kibana_key) | b64encode }}
+ when: "{{ openshift_logging_kibana_key | trim | length > 0 }}"
+ changed_when: false
+
+- set_fact: kibana_cert={{ lookup('file', openshift_logging_kibana_cert)| b64encode }}
+ when: "{{openshift_logging_kibana_cert | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: kibana_ca={{ lookup('file', openshift_logging_kibana_ca)| b64encode }}
+ when: "{{openshift_logging_kibana_ca | trim | length > 0}}"
+ changed_when: false
+
+- set_fact: kibana_ca={{key_pairs | entry_from_named_pair('ca_file') }}
+ when: kibana_ca is not defined
+ changed_when: false
+
- name: Generating logging routes
template: src=route_reencrypt.j2 dest={{mktemp.stdout}}/templates/logging-{{route_info.name}}-route.yaml
tags: routes
@@ -6,7 +22,9 @@
obj_name: "{{route_info.name}}"
route_host: "{{route_info.host}}"
service_name: "{{route_info.name}}"
- tls_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
+ tls_key: "{{kibana_key | default('') | b64decode}}"
+ tls_cert: "{{kibana_cert | default('') | b64decode}}"
+ tls_ca_cert: "{{kibana_ca | b64decode}}"
tls_dest_ca_cert: "{{key_pairs | entry_from_named_pair('ca_file')| b64decode }}"
labels:
component: support
diff --git a/roles/openshift_logging/tasks/install_elasticsearch.yaml b/roles/openshift_logging/tasks/install_elasticsearch.yaml
index 1d6e55e44..f9c2c81fb 100644
--- a/roles/openshift_logging/tasks/install_elasticsearch.yaml
+++ b/roles/openshift_logging/tasks/install_elasticsearch.yaml
@@ -54,10 +54,10 @@
fail: msg="The openshift_logging_es_ops_cluster_size may not be scaled down more than 1 less (or 0) the number of Elasticsearch nodes already deployed"
vars:
es_dcs: "{{openshift_logging_facts.elasticsearch_ops.deploymentconfigs}}"
- cluster_size: "{{openshift_logging_es_ops_cluster_size}}"
+ cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}"
when:
- openshift_logging_use_ops | bool
- - "{{es_dcs | length - openshift_logging_es_ops_cluster_size | abs > 1}}"
+ - "{{es_dcs | length - openshift_logging_es_ops_cluster_size|int | abs > 1}}"
check_mode: no
- name: Generate PersistentVolumeClaims for Ops
@@ -66,7 +66,7 @@
es_pvc_names: "{{openshift_logging_facts.elasticsearch_ops.pvcs.keys()}}"
es_dc_names: "{{openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys()}}"
openshift_logging_es_pvc_prefix: "{{openshift_logging_es_ops_pvc_prefix}}"
- openshift_logging_es_cluster_size: "{{openshift_logging_es_ops_cluster_size}}"
+ openshift_logging_es_cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}"
openshift_logging_es_pvc_size: "{{openshift_logging_es_ops_pvc_size}}"
openshift_logging_es_pvc_dynamic: "{{openshift_logging_es_ops_pvc_dynamic}}"
openshift_logging_es_pv_selector: "{{openshift_logging_es_ops_pv_selector}}"
@@ -89,7 +89,7 @@
es_cluster_name: "{{component}}"
deploy_name_prefix: "logging-{{component}}"
deploy_name: "{{deploy_name_prefix}}-{{'abcdefghijklmnopqrstuvwxyz0123456789'|random_word(8)}}"
- cluster_size: "{{openshift_logging_es_ops_cluster_size}}"
+ cluster_size: "{{openshift_logging_es_ops_cluster_size|int}}"
with_sequence: count={{ openshift_logging_es_ops_cluster_size | int - openshift_logging_current_es_ops_size | int }}
when:
- openshift_logging_use_ops | bool
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index d52429f03..e23c3f9f1 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -9,11 +9,11 @@
- name: Validate Elasticsearch cluster size
fail: msg="The openshift_logging_es_cluster_size may only be scaled down manually. Please see official documentation on how to do this."
- when: openshift_logging_facts.elasticsearch.deploymentconfigs | length > openshift_logging_es_cluster_size
+ when: openshift_logging_facts.elasticsearch.deploymentconfigs | length > openshift_logging_es_cluster_size|int
- name: Validate Elasticsearch Ops cluster size
fail: msg="The openshift_logging_es_ops_cluster_size may only be scaled down manually. Please see official documentation on how to do this."
- when: openshift_logging_facts.elasticsearch_ops.deploymentconfigs | length > openshift_logging_es_ops_cluster_size
+ when: openshift_logging_facts.elasticsearch_ops.deploymentconfigs | length > openshift_logging_es_ops_cluster_size|int
- name: Install logging
include: "{{ role_path }}/tasks/install_{{ install_component }}.yaml"
diff --git a/roles/openshift_logging/tasks/upgrade_logging.yaml b/roles/openshift_logging/tasks/upgrade_logging.yaml
index cceacd538..0dc31932c 100644
--- a/roles/openshift_logging/tasks/upgrade_logging.yaml
+++ b/roles/openshift_logging/tasks/upgrade_logging.yaml
@@ -17,7 +17,7 @@
oc_scale:
kind: dc
name: "{{object.split('/')[1]}}"
- namespace: "{{mktemp.stdout}}/admin.kubeconfig"
+ namespace: "{{openshift_logging_namespace}}"
replicas: 1
with_items: "{{es_dc.stdout_lines}}"
loop_control:
diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2
index de6258eaa..b7bc15b62 100644
--- a/roles/openshift_logging/templates/curator.j2
+++ b/roles/openshift_logging/templates/curator.j2
@@ -48,7 +48,7 @@ spec:
env:
-
name: "K8S_HOST_URL"
- value: "{{master_url}}"
+ value: "{{openshift_logging_master_url}}"
-
name: "ES_HOST"
value: "{{es_host}}"
diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2
index b6c91f8ed..223d342b9 100644
--- a/roles/openshift_logging/templates/fluentd.j2
+++ b/roles/openshift_logging/templates/fluentd.j2
@@ -61,7 +61,7 @@ spec:
readOnly: true
env:
- name: "K8S_HOST_URL"
- value: "{{master_url}}"
+ value: "{{openshift_logging_master_url}}"
- name: "ES_HOST"
value: "{{openshift_logging_es_host}}"
- name: "ES_PORT"
diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2
index 3a9e03768..be9b45ab4 100644
--- a/roles/openshift_logging/templates/kibana.j2
+++ b/roles/openshift_logging/templates/kibana.j2
@@ -90,7 +90,7 @@ spec:
value: kibana-proxy
-
name: "OAP_MASTER_URL"
- value: {{master_url}}
+ value: {{openshift_logging_master_url}}
-
name: "OAP_PUBLIC_MASTER_URL"
value: {{openshift_logging_master_public_url}}
diff --git a/roles/openshift_logging/templates/route_reencrypt.j2 b/roles/openshift_logging/templates/route_reencrypt.j2
index 8be30a2c4..341ffdd84 100644
--- a/roles/openshift_logging/templates/route_reencrypt.j2
+++ b/roles/openshift_logging/templates/route_reencrypt.j2
@@ -11,6 +11,14 @@ metadata:
spec:
host: {{ route_host }}
tls:
+{% if tls_key is defined and tls_key | length > 0 %}
+ key: |
+{{ tls_key|indent(6, true) }}
+{% if tls_cert is defined and tls_cert | length > 0 %}
+ certificate: |
+{{ tls_cert|indent(6, true) }}
+{% endif %}
+{% endif %}
caCertificate: |
{% for line in tls_ca_cert.split('\n') %}
{{ line }}
diff --git a/roles/openshift_logging/vars/main.yaml b/roles/openshift_logging/vars/main.yaml
index 11662c446..07cc05683 100644
--- a/roles/openshift_logging/vars/main.yaml
+++ b/roles/openshift_logging/vars/main.yaml
@@ -1,8 +1,8 @@
---
openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-es_node_quorum: "{{openshift_logging_es_cluster_size/2 + 1}}"
-es_recover_after_nodes: "{{openshift_logging_es_cluster_size - 1}}"
-es_recover_expected_nodes: "{{openshift_logging_es_cluster_size}}"
-es_ops_node_quorum: "{{openshift_logging_es_ops_cluster_size/2 + 1}}"
-es_ops_recover_after_nodes: "{{openshift_logging_es_ops_cluster_size - 1}}"
-es_ops_recover_expected_nodes: "{{openshift_logging_es_ops_cluster_size}}"
+es_node_quorum: "{{openshift_logging_es_cluster_size|int/2 + 1}}"
+es_recover_after_nodes: "{{openshift_logging_es_cluster_size|int - 1}}"
+es_recover_expected_nodes: "{{openshift_logging_es_cluster_size|int}}"
+es_ops_node_quorum: "{{openshift_logging_es_ops_cluster_size|int/2 + 1}}"
+es_ops_recover_after_nodes: "{{openshift_logging_es_ops_cluster_size|int - 1}}"
+es_ops_recover_expected_nodes: "{{openshift_logging_es_ops_cluster_size|int}}"
diff --git a/roles/openshift_manageiq/meta/main.yml b/roles/openshift_manageiq/meta/main.yml
new file mode 100644
index 000000000..6c96a91bf
--- /dev/null
+++ b/roles/openshift_manageiq/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Erez Freiberger
+ description: ManageIQ
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.1
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+dependencies:
+- role: lib_openshift
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index a7214482f..e58947fd2 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -18,27 +18,15 @@
failed_when: "'already exists' not in osmiq_create_mi_project.stderr and osmiq_create_mi_project.rc != 0"
changed_when: osmiq_create_mi_project.rc == 0
-- name: Create Admin Service Account
- shell: >
- echo {{ manageiq_service_account | to_json | quote }} |
- {{ openshift.common.client_binary }} create
- -n management-infra
- --config={{manage_iq_tmp_conf}}
- -f -
- register: osmiq_create_service_account
- failed_when: "'already exists' not in osmiq_create_service_account.stderr and osmiq_create_service_account.rc != 0"
- changed_when: osmiq_create_service_account.rc == 0
-
-- name: Create Image Inspector Service Account
- shell: >
- echo {{ manageiq_image_inspector_service_account | to_json | quote }} |
- {{ openshift.common.client_binary }} create
- -n management-infra
- --config={{manage_iq_tmp_conf}}
- -f -
- register: osmiq_create_service_account
- failed_when: "'already exists' not in osmiq_create_service_account.stderr and osmiq_create_service_account.rc != 0"
- changed_when: osmiq_create_service_account.rc == 0
+- name: Create Admin and Image Inspector Service Account
+ oc_serviceaccount:
+ kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig"
+ name: "{{ item }}"
+ namespace: management-infra
+ state: present
+ with_items:
+ - management-admin
+ - inspector-admin
- name: Create Cluster Role
shell: >
diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml
index 3f24fd6be..9936bb126 100644
--- a/roles/openshift_manageiq/vars/main.yml
+++ b/roles/openshift_manageiq/vars/main.yml
@@ -1,4 +1,5 @@
---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
manageiq_cluster_role:
apiVersion: v1
kind: ClusterRole
@@ -24,18 +25,6 @@ manageiq_metrics_admin_clusterrole:
verbs:
- '*'
-manageiq_service_account:
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: management-admin
-
-manageiq_image_inspector_service_account:
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: inspector-admin
-
manage_iq_tmp_conf: /tmp/manageiq_admin.kubeconfig
manage_iq_tasks:
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 9cd6b6c81..2ef61cddf 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -131,6 +131,10 @@
- name: Install the systemd units
include: systemd_units.yml
+- name: Install Master system container
+ include: system_container.yml
+ when: openshift.common.is_containerized | bool and openshift.common.is_master_system_container | bool
+
- name: Create session secrets file
template:
dest: "{{ openshift.master.session_secrets_file }}"
diff --git a/roles/openshift_master/tasks/system_container.yml b/roles/openshift_master/tasks/system_container.yml
new file mode 100644
index 000000000..e3e3d7948
--- /dev/null
+++ b/roles/openshift_master/tasks/system_container.yml
@@ -0,0 +1,36 @@
+---
+- name: Pre-pull master system container image
+ command: >
+ atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}
+ register: pull_result
+ changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check Master system container package
+ command: >
+ atomic containers list --no-trunc -a -f container={{ openshift.common.service_type }}-master
+ register: result
+
+- name: Update Master system container package
+ command: >
+ atomic containers update {{ openshift.common.service_type }}-master
+ register: update_result
+ changed_when: "'Extracting' in update_result.stdout"
+ when:
+ - ("master" in result.stdout)
+ - (openshift.common.version is defined) and (openshift.common.version == openshift_version) | bool
+
+- name: Uninstall Master system container package
+ command: >
+ atomic uninstall {{ openshift.common.service_type }}-master
+ failed_when: False
+ when:
+ - ("master" in result.stdout)
+ - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) | bool
+
+- name: Install Master system container package
+ command: >
+ atomic install --system --name={{ openshift.common.service_type }}-master {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}
+ when:
+ - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("master" not in result.stdout) | bool
+ notify:
+ - restart master
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 39ea42ab3..4ab98cbbb 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -20,14 +20,14 @@
docker pull {{ openshift.master.master_image }}:{{ openshift_image_tag }}
register: pull_result
changed_when: "'Downloaded newer image' in pull_result.stdout"
- when: openshift.common.is_containerized | bool
+ when: openshift.common.is_containerized | bool and not openshift.common.is_master_system_container | bool
# workaround for missing systemd unit files
- name: Create the systemd unit files
template:
src: "master_docker/master.docker.service.j2"
dest: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service"
- when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool)
+ when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool)
register: create_master_unit_file
- command: systemctl daemon-reload
@@ -132,7 +132,7 @@
dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service"
src: master_docker/master.docker.service.j2
register: install_result
- when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool
+ when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool
- name: Preserve Master Proxy Config options
command: grep PROXY /etc/sysconfig/{{ openshift.common.service_type }}-master
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 9ae54dac1..cf2d2e103 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -65,7 +65,11 @@ dnsConfig:
bindNetwork: tcp4
{% endif %}
etcdClientInfo:
+{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+ ca: {{ "ca-bundle.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
+{% else %}
ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
+{% endif %}
certFile: master.etcd-client.crt
keyFile: master.etcd-client.key
urls:
@@ -79,12 +83,20 @@ etcdConfig:
peerServingInfo:
bindAddress: {{ openshift.master.bind_addr }}:7001
certFile: etcd.server.crt
+{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+ clientCA: ca-bundle.crt
+{% else %}
clientCA: ca.crt
+{% endif %}
keyFile: etcd.server.key
servingInfo:
bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.etcd_port }}
certFile: etcd.server.crt
+{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
+ clientCA: ca-bundle.crt
+{% else %}
clientCA: ca.crt
+{% endif %}
keyFile: etcd.server.key
storageDirectory: {{ openshift.common.data_dir }}/openshift.local.etcd
{% endif %}
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
index 0c94228c6..ef322bd7d 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
@@ -52,6 +52,9 @@ class LookupModule(LookupBase):
# convert short_version to origin short_version
short_version = re.sub('^3.', '1.', short_version)
+ if short_version == 'latest':
+ short_version = '1.6'
+
# Predicates ordered according to OpenShift Origin source:
# origin/vendor/k8s.io/kubernetes/plugin/pkg/scheduler/algorithmprovider/defaults/defaults.go
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
index 95ace7923..6ad40e748 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
@@ -53,6 +53,9 @@ class LookupModule(LookupBase):
# convert short_version to origin short_version
short_version = re.sub('^3.', '1.', short_version)
+ if short_version == 'latest':
+ short_version = '1.6'
+
if short_version == '1.1':
priorities.extend([
{'name': 'LeastRequestedPriority', 'weight': 1},
diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md
index a61b0db5e..f4c61a75e 100644
--- a/roles/openshift_metrics/README.md
+++ b/roles/openshift_metrics/README.md
@@ -46,11 +46,11 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml).
testing), `pv` to use persistent volumes (which need to be created before the
installation) or `dynamic` for dynamic persistent volumes.
-- `openshift_metrics_cassandra_pv_prefix`: The name of persistent volume claims created
+- `openshift_metrics_cassandra_pvc_prefix`: The name of persistent volume claims created
for cassandra will be this with a serial number appended to the end, starting
from 1.
-- `openshift_metrics_cassandra_pv_size`: The persistent volume size for each of the
+- `openshift_metrics_cassandra_pvc_size`: The persistent volume claim size for each of the
Cassandra nodes.
- `openshift_metrics_heapster_standalone`: Deploy only heapster, without the Hawkular Metrics and
diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml
index dd5a20d5b..0cfbac8a9 100644
--- a/roles/openshift_metrics/defaults/main.yaml
+++ b/roles/openshift_metrics/defaults/main.yaml
@@ -17,12 +17,13 @@ openshift_metrics_hawkular_nodeselector: ""
openshift_metrics_cassandra_replicas: 1
openshift_metrics_cassandra_storage_type: emptydir
-openshift_metrics_cassandra_pv_size: 10Gi
+openshift_metrics_cassandra_pvc_size: 10Gi
openshift_metrics_cassandra_limits_memory: 2G
openshift_metrics_cassandra_limits_cpu: null
openshift_metrics_cassandra_requests_memory: 1G
openshift_metrics_cassandra_requests_cpu: null
openshift_metrics_cassandra_nodeselector: ""
+openshift_metrics_cassandra_storage_group: 65534
openshift_metrics_heapster_standalone: False
openshift_metrics_heapster_limits_memory: 3.75G
@@ -31,6 +32,8 @@ openshift_metrics_heapster_requests_memory: 0.9375G
openshift_metrics_heapster_requests_cpu: null
openshift_metrics_heapster_nodeselector: ""
+openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}"
+
openshift_metrics_duration: 7
openshift_metrics_resolution: 15s
@@ -39,12 +42,11 @@ openshift_metrics_resolution: 15s
# overriding the values here
#####
-openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"
openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local
openshift_metrics_node_id: nodename
openshift_metrics_project: openshift-infra
-openshift_metrics_cassandra_pv_prefix: metrics-cassandra
+openshift_metrics_cassandra_pvc_prefix: metrics-cassandra
openshift_metrics_hawkular_user_write_access: False
diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml
index 4925275e8..f7cba0093 100644
--- a/roles/openshift_metrics/tasks/generate_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_certificates.yaml
@@ -1,11 +1,11 @@
---
- name: generate ca certificate chain
- shell: >
+ command: >
{{ openshift.common.admin_binary }} ca create-signer-cert
--config={{ mktemp.stdout }}/admin.kubeconfig
- --key='{{ openshift_metrics_certs_dir }}/ca.key'
- --cert='{{ openshift_metrics_certs_dir }}/ca.crt'
- --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
+ --key='{{ mktemp.stdout }}/ca.key'
+ --cert='{{ mktemp.stdout }}/ca.crt'
+ --serial='{{ mktemp.stdout }}/ca.serial.txt'
--name="metrics-signer@$(date +%s)"
- when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists
+
- include: generate_hawkular_certificates.yaml
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
index 9333d341c..854697abb 100644
--- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml
@@ -13,13 +13,13 @@
hostnames: hawkular-cassandra
changed_when: no
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd
+- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd
register: cassandra_truststore_password
-- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd
+- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd
register: hawkular_truststore_password
-- stat: path="{{openshift_metrics_certs_dir}}/{{item}}"
+- stat: path="{{mktemp.stdout}}/{{item}}"
register: pwd_file_stat
with_items:
- hawkular-metrics.pwd
@@ -32,44 +32,33 @@
with_items: "{{pwd_file_stat.results}}"
changed_when: no
-- name: Create temp directory local on control node
- local_action: command mktemp -d
- register: local_tmp
- changed_when: False
-
- name: generate password for hawkular metrics and jgroups
local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}"
with_items:
- hawkular-metrics
- hawkular-jgroups-keystore
- when: "not pwd_files['{{ item }}.pwd'].exists"
- name: generate htpasswd file for hawkular metrics
local_action: >
shell htpasswd -ci
'{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular
< '{{ local_tmp.stdout }}/hawkular-metrics.pwd'
- when: "not pwd_files['hawkular-metrics.htpasswd'].exists"
- name: copy local generated passwords to target
copy:
src: "{{local_tmp.stdout}}/{{item}}"
- dest: "{{openshift_metrics_certs_dir}}/{{item}}"
+ dest: "{{mktemp.stdout}}/{{item}}"
with_items:
- hawkular-metrics.pwd
- hawkular-metrics.htpasswd
- hawkular-jgroups-keystore.pwd
- when: "not pwd_files['{{ item }}'].exists"
- include: import_jks_certs.yaml
-- local_action: file path="{{local_tmp.stdout}}" state=absent
- changed_when: False
-
- name: read files for the hawkular-metrics secret
shell: >
printf '%s: ' '{{ item }}'
- && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}'
+ && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}'
register: hawkular_secrets
with_items:
- ca.crt
diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
index 2449b1518..ced2df1d0 100644
--- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
+++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml
@@ -3,13 +3,12 @@
command: >
{{ openshift.common.admin_binary }} ca create-server-cert
--config={{ mktemp.stdout }}/admin.kubeconfig
- --key='{{ openshift_metrics_certs_dir }}/heapster.key'
- --cert='{{ openshift_metrics_certs_dir }}/heapster.cert'
+ --key='{{ mktemp.stdout }}/heapster.key'
+ --cert='{{ mktemp.stdout }}/heapster.cert'
--hostnames=heapster
- --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
- --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
- --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
- when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists
+ --signer-cert='{{ mktemp.stdout }}/ca.crt'
+ --signer-key='{{ mktemp.stdout }}/ca.key'
+ --signer-serial='{{ mktemp.stdout }}/ca.serial.txt'
- when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"
block:
@@ -17,11 +16,11 @@
slurp: src={{ item }}
register: heapster_secret
with_items:
- - "{{ openshift_metrics_certs_dir }}/heapster.cert"
- - "{{ openshift_metrics_certs_dir }}/heapster.key"
+ - "{{ mktemp.stdout }}/heapster.cert"
+ - "{{ mktemp.stdout }}/heapster.key"
- "{{ client_ca }}"
vars:
- custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt"
+ custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt"
default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"
- name: generate heapster secret template
diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml
index 16fd8d9f8..57ec70c79 100644
--- a/roles/openshift_metrics/tasks/import_jks_certs.yaml
+++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml
@@ -1,37 +1,37 @@
---
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore"
+- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore"
register: cassandra_keystore
check_mode: no
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore"
+- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore"
register: cassandra_truststore
check_mode: no
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore"
+- stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore"
register: metrics_keystore
check_mode: no
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore"
+- stat: path="{{mktemp.stdout}}/hawkular-metrics.truststore"
register: metrics_truststore
check_mode: no
-- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore"
+- stat: path="{{mktemp.stdout}}/hawkular-jgroups.keystore"
register: jgroups_keystore
check_mode: no
- block:
- - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd
+ - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd
register: metrics_keystore_password
- - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd
+ - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd
register: cassandra_keystore_password
- - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd
+ - slurp: src={{ mktemp.stdout }}/hawkular-jgroups-keystore.pwd
register: jgroups_keystore_password
- fetch:
dest: "{{local_tmp.stdout}}/"
- src: "{{ openshift_metrics_certs_dir }}/{{item}}"
+ src: "{{ mktemp.stdout }}/{{item}}"
flat: yes
changed_when: False
with_items:
@@ -52,7 +52,7 @@
changed_when: False
- copy:
- dest: "{{openshift_metrics_certs_dir}}/"
+ dest: "{{mktemp.stdout}}/"
src: "{{item}}"
with_fileglob: "{{local_tmp.stdout}}/*.*store"
diff --git a/roles/openshift_metrics/tasks/install_cassandra.yaml b/roles/openshift_metrics/tasks/install_cassandra.yaml
index 9e25071af..df39c1e1f 100644
--- a/roles/openshift_metrics/tasks/install_cassandra.yaml
+++ b/roles/openshift_metrics/tasks/install_cassandra.yaml
@@ -27,12 +27,12 @@
src: pvc.j2
dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
vars:
- obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}"
+ obj_name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ item }}"
labels:
metrics-infra: hawkular-cassandra
access_modes:
- ReadWriteOnce
- size: "{{ openshift_metrics_cassandra_pv_size }}"
+ size: "{{ openshift_metrics_cassandra_pvc_size }}"
with_sequence: count={{ openshift_metrics_cassandra_replicas }}
when: openshift_metrics_cassandra_storage_type == 'pv'
changed_when: false
@@ -42,14 +42,14 @@
src: pvc.j2
dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ item }}.yaml"
vars:
- obj_name: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ item }}"
+ obj_name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ item }}"
labels:
metrics-infra: hawkular-cassandra
annotations:
volume.alpha.kubernetes.io/storage-class: dynamic
access_modes:
- ReadWriteOnce
- size: "{{ openshift_metrics_cassandra_pv_size }}"
+ size: "{{ openshift_metrics_cassandra_pvc_size }}"
with_sequence: count={{ openshift_metrics_cassandra_replicas }}
when: openshift_metrics_cassandra_storage_type == 'dynamic'
changed_when: false
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml
index 1ba11efa8..6b37f85ab 100644
--- a/roles/openshift_metrics/tasks/install_hawkular.yaml
+++ b/roles/openshift_metrics/tasks/install_hawkular.yaml
@@ -17,7 +17,7 @@
changed_when: false
- name: read hawkular-metrics route destination ca certificate
- slurp: src={{ openshift_metrics_certs_dir }}/ca.crt
+ slurp: src={{ mktemp.stdout }}/ca.crt
register: metrics_route_dest_ca_cert
changed_when: false
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 66925c113..66a3abdbd 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -34,6 +34,20 @@
file_content: "{{ item.content | b64decode | from_yaml }}"
with_items: "{{ object_defs.results }}"
+- command: >
+ {{openshift.common.client_binary}}
+ --config={{mktemp.stdout}}/admin.kubeconfig
+ get rc
+ -l metrics-infra
+ -o name
+ -n {{openshift_metrics_project}}
+ register: existing_metrics_rc
+ changed_when: no
+
+- name: Scaling down cluster to recognize changes
+ include: stop_metrics.yaml
+ when: "{{ existing_metrics_rc.stdout_lines | length > 0 }}"
+
- name: Scaling up cluster
include: start_metrics.yaml
tags: openshift_metrics_start_cluster
diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml
index d03d4176b..1eebff3bf 100644
--- a/roles/openshift_metrics/tasks/main.yaml
+++ b/roles/openshift_metrics/tasks/main.yaml
@@ -9,6 +9,11 @@
changed_when: False
when: "{{ openshift_metrics_install_metrics | bool }}"
+- name: Create temp directory local on control node
+ local_action: command mktemp -d
+ register: local_tmp
+ changed_when: False
+
- name: Copy the admin client config(s)
command: >
cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
@@ -17,3 +22,9 @@
tags: metrics_init
- include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}"
+
+- name: Delete temp directory
+ local_action: file path=local_tmp.stdout state=absent
+ tags: metrics_cleanup
+ changed_when: False
+ check_mode: no
diff --git a/roles/openshift_metrics/tasks/pre_install.yaml b/roles/openshift_metrics/tasks/pre_install.yaml
index 262acd546..2e2013d40 100644
--- a/roles/openshift_metrics/tasks/pre_install.yaml
+++ b/roles/openshift_metrics/tasks/pre_install.yaml
@@ -12,12 +12,6 @@
- openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types
- "not {{ openshift_metrics_heapster_standalone | bool }}"
-- name: create certificate output directory
- file:
- path: "{{ openshift_metrics_certs_dir }}"
- state: directory
- mode: 0700
-
- name: list existing secrets
command: >
{{ openshift.common.client_binary }} -n {{ openshift_metrics_project }}
diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml
index 5ca8f4462..199968579 100644
--- a/roles/openshift_metrics/tasks/setup_certificate.yaml
+++ b/roles/openshift_metrics/tasks/setup_certificate.yaml
@@ -3,50 +3,41 @@
command: >
{{ openshift.common.admin_binary }} ca create-server-cert
--config={{ mktemp.stdout }}/admin.kubeconfig
- --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key'
- --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt'
+ --key='{{ mktemp.stdout }}/{{ component }}.key'
+ --cert='{{ mktemp.stdout }}/{{ component }}.crt'
--hostnames='{{ hostnames }}'
- --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt'
- --signer-key='{{ openshift_metrics_certs_dir }}/ca.key'
- --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt'
- when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists
+ --signer-cert='{{ mktemp.stdout }}/ca.crt'
+ --signer-key='{{ mktemp.stdout }}/ca.key'
+ --signer-serial='{{ mktemp.stdout }}/ca.serial.txt'
- slurp: src={{item}}
register: component_certs
with_items:
- - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key'
- - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt'
- when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists
+ - '{{ mktemp.stdout | quote }}/{{ component|quote }}.key'
+ - '{{ mktemp.stdout | quote }}/{{ component|quote }}.crt'
- name: generate {{ component }} certificate
copy:
- dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'
+ dest: '{{ mktemp.stdout }}/{{ component }}.pem'
content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('') }}"
- when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists
- name: generate random password for the {{ component }} keystore
copy:
content: "{{ 15 | oo_random_word }}"
- dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'
- when: >
- not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists
+ dest: '{{ mktemp.stdout }}/{{ component }}-keystore.pwd'
-- slurp: src={{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd
+- slurp: src={{ mktemp.stdout | quote }}/{{ component|quote }}-keystore.pwd
register: keystore_password
- name: create the {{ component }} pkcs12 from the pem file
command: >
openssl pkcs12 -export
- -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'
- -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'
+ -in '{{ mktemp.stdout }}/{{ component }}.pem'
+ -out '{{ mktemp.stdout }}/{{ component }}.pkcs12'
-name '{{ component }}' -noiter -nomaciter
-password 'pass:{{keystore_password.content | b64decode }}'
- when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists
- name: generate random password for the {{ component }} truststore
copy:
content: "{{ 15 | oo_random_word }}"
- dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd'
- when: >
- not
- '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote }}-truststore.pwd'|exists
+ dest: '{{ mktemp.stdout | quote }}/{{ component|quote }}-truststore.pwd'
diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
index 876cb1915..504476dc4 100644
--- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
+++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2
@@ -19,6 +19,9 @@ spec:
type: hawkular-cassandra
spec:
serviceAccount: cassandra
+ securityContext:
+ supplementalGroups:
+ - {{openshift_metrics_cassandra_storage_group}}
{% if node_selector is iterable and node_selector | length > 0 %}
nodeSelector:
{% for key, value in node_selector.iteritems() %}
@@ -124,7 +127,7 @@ spec:
emptyDir: {}
{% else %}
persistentVolumeClaim:
- claimName: "{{ openshift_metrics_cassandra_pv_prefix }}-{{ node }}"
+ claimName: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ node }}"
{% endif %}
- name: hawkular-cassandra-secrets
secret:
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index e970c4cd1..691227915 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -60,6 +60,12 @@
state: present
when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool
+- name: Install conntrack-tools package
+ package:
+ name: "conntrack-tools"
+ state: present
+ when: not openshift.common.is_containerized | bool
+
- name: Install the systemd units
include: systemd_units.yml
@@ -69,7 +75,7 @@
- name: Persist net.ipv4.ip_forward sysctl entry
sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes
-- name: Start and enable openvswitch docker service
+- name: Start and enable openvswitch service
systemd:
name: openvswitch.service
enabled: yes
diff --git a/roles/openshift_node/tasks/node_system_container.yml b/roles/openshift_node/tasks/node_system_container.yml
new file mode 100644
index 000000000..01e2d33c7
--- /dev/null
+++ b/roles/openshift_node/tasks/node_system_container.yml
@@ -0,0 +1,34 @@
+---
+- name: Pre-pull node system container image
+ command: >
+ atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}
+ register: pull_result
+ changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check Node system container package
+ command: >
+ atomic containers list --no-trunc -a -f container={{ openshift.common.service_type }}-node
+ register: result
+
+- name: Update Node system container package
+ command: >
+ atomic containers update {{ openshift.common.service_type }}-node
+ register: update_result
+ changed_when: "'Extracting' in update_result.stdout"
+ when:
+ - (openshift.common.version is defined) and (openshift.common.version == openshift_version) and ("node" in result.stdout) | bool
+
+- name: Uninstall Node system container package
+ command: >
+ atomic uninstall {{ openshift.common.service_type }}-node
+ failed_when: False
+ when:
+ - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) and ("node" in result.stdout) | bool
+
+- name: Install Node system container package
+ command: >
+ atomic install --system --name={{ openshift.common.service_type }}-node {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}
+ register: install_node_result
+ changed_when: "'Extracting' in pull_result.stdout"
+ when:
+ - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("node" not in result.stdout) | bool
diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml
new file mode 100644
index 000000000..47fac99eb
--- /dev/null
+++ b/roles/openshift_node/tasks/openvswitch_system_container.yml
@@ -0,0 +1,36 @@
+---
+- name: Pre-pull OpenVSwitch system container image
+ command: >
+ atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
+ register: pull_result
+ changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check OpenvSwitch system container package
+ command: >
+ atomic containers list --no-trunc -a -f container=openvswitch
+ register: result
+ when:
+ - openshift.common.is_openvswitch_system_container | bool
+
+- name: Update OpenvSwitch system container package
+ command: >
+ atomic containers update openvswitch
+ register: update_result
+ changed_when: "'Extracting' in update_result.stdout"
+ when:
+ - (openshift.common.version is defined) and (openshift.common.version == openshift_version) and ("openvswitch" in result.stdout) | bool
+
+- name: Uninstall OpenvSwitch system container package
+ command: >
+ atomic uninstall openvswitch
+ failed_when: False
+ when:
+ - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) and ("openvswitch" in result.stdout) | bool
+
+- name: Install OpenvSwitch system container package
+ command: >
+ atomic install --system --name=openvswitch {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
+ when:
+ - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("openvswitch" not in result.stdout) | bool
+ notify:
+ - restart docker
diff --git a/roles/openshift_node/tasks/systemd_units.yml b/roles/openshift_node/tasks/systemd_units.yml
index 5243a87fe..52482d09b 100644
--- a/roles/openshift_node/tasks/systemd_units.yml
+++ b/roles/openshift_node/tasks/systemd_units.yml
@@ -2,20 +2,6 @@
# This file is included both in the openshift_master role and in the upgrade
# playbooks.
-- name: Pre-pull node image
- command: >
- docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }}
- register: pull_result
- changed_when: "'Downloaded newer image' in pull_result.stdout"
- when: openshift.common.is_containerized | bool
-
-- name: Pre-pull openvswitch image
- command: >
- docker pull {{ openshift.node.ovs_image }}:{{ openshift_image_tag }}
- register: pull_result
- changed_when: "'Downloaded newer image' in pull_result.stdout"
- when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool
-
- name: Install Node dependencies docker service file
template:
dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node-dep.service"
@@ -23,12 +9,21 @@
register: install_node_dep_result
when: openshift.common.is_containerized | bool
-- name: Install Node docker service file
- template:
- dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service"
- src: openshift.docker.node.service
- register: install_node_result
- when: openshift.common.is_containerized | bool
+- block:
+ - name: Pre-pull node image
+ command: >
+ docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }}
+ register: pull_result
+ changed_when: "'Downloaded newer image' in pull_result.stdout"
+
+ - name: Install Node docker service file
+ template:
+ dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service"
+ src: openshift.docker.node.service
+ register: install_node_result
+ when:
+ - openshift.common.is_containerized | bool
+ - not openshift.common.is_node_system_container | bool
- name: Create the openvswitch service env file
template:
@@ -39,6 +34,19 @@
notify:
- restart openvswitch
+- name: Install Node system container
+ include: node_system_container.yml
+ when:
+ - openshift.common.is_containerized | bool
+ - openshift.common.is_node_system_container | bool
+
+- name: Install OpenvSwitch system containers
+ include: openvswitch_system_container.yml
+ when:
+ - openshift.common.use_openshift_sdn | default(true) | bool
+ - openshift.common.is_containerized | bool
+ - openshift.common.is_openvswitch_system_container | bool
+
# May be a temporary workaround.
# https://bugzilla.redhat.com/show_bug.cgi?id=1331590
- name: Create OpenvSwitch service.d directory
@@ -54,13 +62,23 @@
notify:
- restart openvswitch
-- name: Install OpenvSwitch docker service file
- template:
- dest: "/etc/systemd/system/openvswitch.service"
- src: openvswitch.docker.service
- when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | default(true) | bool
- notify:
- - restart openvswitch
+- block:
+ - name: Pre-pull openvswitch image
+ command: >
+ docker pull {{ openshift.node.ovs_image }}:{{ openshift_image_tag }}
+ register: pull_result
+ changed_when: "'Downloaded newer image' in pull_result.stdout"
+
+ - name: Install OpenvSwitch docker service file
+ template:
+ dest: "/etc/systemd/system/openvswitch.service"
+ src: openvswitch.docker.service
+ notify:
+ - restart openvswitch
+ when:
+ - openshift.common.is_containerized | bool
+ - openshift.common.use_openshift_sdn | default(true) | bool
+ - not openshift.common.is_openvswitch_system_container | bool
- name: Configure Node settings
lineinfile:
diff --git a/roles/openshift_preflight/README.md b/roles/openshift_preflight/README.md
deleted file mode 100644
index b6d3542d3..000000000
--- a/roles/openshift_preflight/README.md
+++ /dev/null
@@ -1,52 +0,0 @@
-OpenShift Preflight Checks
-==========================
-
-This role detects common problems prior to installing OpenShift.
-
-Requirements
-------------
-
-* Ansible 2.2+
-
-Role Variables
---------------
-
-None
-
-Dependencies
-------------
-
-None
-
-Example Playbook
-----------------
-
-```yaml
----
-- hosts: OSEv3
- roles:
- - openshift_preflight/init
-
-- hosts: OSEv3
- name: checks that apply to all hosts
- gather_facts: no
- ignore_errors: yes
- roles:
- - openshift_preflight/common
-
-- hosts: OSEv3
- name: verify check results
- gather_facts: no
- roles:
- - openshift_preflight/verify_status
-```
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Customer Success team (dev@lists.openshift.redhat.com)
diff --git a/roles/openshift_preflight/common/meta/main.yml b/roles/openshift_preflight/common/meta/main.yml
deleted file mode 100644
index 6f23cbf3b..000000000
--- a/roles/openshift_preflight/common/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: openshift_preflight/base
diff --git a/roles/openshift_preflight/common/tasks/main.yml b/roles/openshift_preflight/common/tasks/main.yml
deleted file mode 100644
index f1a4a160e..000000000
--- a/roles/openshift_preflight/common/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-# check content available on all hosts
-- when: not openshift.common.is_containerized | bool
- block:
-
- - name: determine if yum update will work
- action: check_yum_update
- register: r
-
- - set_fact:
- oo_preflight_check_results: "{{ oo_preflight_check_results + [r|combine({'_task': 'determine if yum update will work'})] }}"
-
- - name: determine if expected version matches what is available
- aos_version:
- version: "{{ openshift_release }}"
- when:
- - deployment_type == "openshift-enterprise"
- register: r
-
- - set_fact:
- oo_preflight_check_results: "{{ oo_preflight_check_results + [r|combine({'_task': 'determine if expected version matches what is available'})] }}"
diff --git a/roles/openshift_preflight/init/tasks/main.yml b/roles/openshift_preflight/init/tasks/main.yml
deleted file mode 100644
index bf2d82196..000000000
--- a/roles/openshift_preflight/init/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: set common variables
- set_fact:
- oo_preflight_check_results: "{{ oo_preflight_check_results | default([]) }}"
diff --git a/roles/openshift_preflight/masters/meta/main.yml b/roles/openshift_preflight/masters/meta/main.yml
deleted file mode 100644
index 6f23cbf3b..000000000
--- a/roles/openshift_preflight/masters/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: openshift_preflight/base
diff --git a/roles/openshift_preflight/masters/tasks/main.yml b/roles/openshift_preflight/masters/tasks/main.yml
deleted file mode 100644
index 35fb1e3ca..000000000
--- a/roles/openshift_preflight/masters/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-# determine if yum install of master pkgs will work
-- when: not openshift.common.is_containerized | bool
- block:
-
- - name: main master packages availability
- check_yum_update:
- packages:
- - "{{ openshift.common.service_type }}"
- - "{{ openshift.common.service_type }}-clients"
- - "{{ openshift.common.service_type }}-master"
- register: r
-
- - set_fact:
- oo_preflight_check_results: "{{ oo_preflight_check_results + [r|combine({'_task': 'main master packages availability'})] }}"
-
- - name: other master packages availability
- check_yum_update:
- packages:
- - etcd
- - bash-completion
- - cockpit-bridge
- - cockpit-docker
- - cockpit-kubernetes
- - cockpit-shell
- - cockpit-ws
- - httpd-tools
- register: r
-
- - set_fact:
- oo_preflight_check_results: "{{ oo_preflight_check_results + [r|combine({'_task': 'other master packages availability'})] }}"
diff --git a/roles/openshift_preflight/nodes/meta/main.yml b/roles/openshift_preflight/nodes/meta/main.yml
deleted file mode 100644
index 6f23cbf3b..000000000
--- a/roles/openshift_preflight/nodes/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: openshift_preflight/base
diff --git a/roles/openshift_preflight/nodes/tasks/main.yml b/roles/openshift_preflight/nodes/tasks/main.yml
deleted file mode 100644
index a10e69024..000000000
--- a/roles/openshift_preflight/nodes/tasks/main.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-# determine if yum install of node pkgs will work
-- when: not openshift.common.is_containerized | bool
- block:
-
- - name: main node packages availability
- check_yum_update:
- packages:
- - "{{ openshift.common.service_type }}"
- - "{{ openshift.common.service_type }}-node"
- - "{{ openshift.common.service_type }}-sdn-ovs"
- register: r
-
- - set_fact:
- oo_preflight_check_results: "{{ oo_preflight_check_results + [r|combine({'_task': 'main node packages availability'})] }}"
-
- - name: other node packages availability
- check_yum_update:
- packages:
- - docker
- - PyYAML
- - firewalld
- - iptables
- - iptables-services
- - nfs-utils
- - ntp
- - yum-utils
- - dnsmasq
- - libselinux-python
- - ceph-common
- - glusterfs-fuse
- - iscsi-initiator-utils
- - pyparted
- - python-httplib2
- - openssl
- - flannel
- - bind
- register: r
-
- - set_fact:
- oo_preflight_check_results: "{{ oo_preflight_check_results + [r|combine({'_task': 'other node packages availability'})] }}"
diff --git a/roles/openshift_preflight/verify_status/tasks/main.yml b/roles/openshift_preflight/verify_status/tasks/main.yml
deleted file mode 100644
index 36ccf648a..000000000
--- a/roles/openshift_preflight/verify_status/tasks/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: find check failures
- set_fact:
- oo_preflight_check_failures: "{{ oo_preflight_check_results | select('failed', 'equalto', True) | list }}"
-
-- name: ensure all checks succeed
- action: fail
- when: oo_preflight_check_failures
diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml
index a2c9fee70..7a30c220f 100644
--- a/roles/openshift_serviceaccounts/meta/main.yml
+++ b/roles/openshift_serviceaccounts/meta/main.yml
@@ -13,3 +13,4 @@ galaxy_info:
- cloud
dependencies:
- { role: openshift_facts }
+- { role: lib_openshift }
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index d83ccf7de..1d570fa5b 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -1,21 +1,11 @@
---
-- name: test if service accounts exists
- command: >
- {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
- with_items: "{{ openshift_serviceaccounts_names }}"
- failed_when: false
- changed_when: false
- register: account_test
-
- name: create the service account
- shell: >
- echo {{ lookup('template', '../templates/serviceaccount.j2')
- | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }}
- -n {{ openshift_serviceaccounts_namespace }} create -f -
- when: item.1.rc != 0
- with_together:
+ oc_serviceaccount:
+ name: "{{ item }}"
+ namespace: "{{ openshift_serviceaccounts_namespace }}"
+ state: present
+ with_items:
- "{{ openshift_serviceaccounts_names }}"
- - "{{ account_test.results }}"
- name: test if scc needs to be updated
command: >
diff --git a/roles/openshift_storage_nfs/tasks/main.yml b/roles/openshift_storage_nfs/tasks/main.yml
index fd935f105..0d6b8b7d4 100644
--- a/roles/openshift_storage_nfs/tasks/main.yml
+++ b/roles/openshift_storage_nfs/tasks/main.yml
@@ -29,6 +29,7 @@
- "{{ openshift.hosted.registry }}"
- "{{ openshift.hosted.metrics }}"
- "{{ openshift.hosted.logging }}"
+ - "{{ openshift.hosted.loggingops }}"
- name: Configure exports
diff --git a/roles/openshift_storage_nfs/templates/exports.j2 b/roles/openshift_storage_nfs/templates/exports.j2
index 2d6dd85e3..8c6d4105c 100644
--- a/roles/openshift_storage_nfs/templates/exports.j2
+++ b/roles/openshift_storage_nfs/templates/exports.j2
@@ -1,3 +1,4 @@
{{ openshift.hosted.registry.storage.nfs.directory }}/{{ openshift.hosted.registry.storage.volume.name }} {{ openshift.hosted.registry.storage.nfs.options }}
{{ openshift.hosted.metrics.storage.nfs.directory }}/{{ openshift.hosted.metrics.storage.volume.name }} {{ openshift.hosted.metrics.storage.nfs.options }}
{{ openshift.hosted.logging.storage.nfs.directory }}/{{ openshift.hosted.logging.storage.volume.name }} {{ openshift.hosted.logging.storage.nfs.options }}
+{{ openshift.hosted.loggingops.storage.nfs.directory }}/{{ openshift.hosted.loggingops.storage.volume.name }} {{ openshift.hosted.loggingops.storage.nfs.options }}