diff options
20 files changed, 363 insertions, 134 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 1efbfd949..64a35a246 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.6.144-1 ./ +3.6.153-1 ./ diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index cff9f8a60..c6d0e69eb 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -1009,6 +1009,21 @@ def oo_random_word(length, source='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS return ''.join(random.choice(source) for i in range(length)) +def oo_contains_rule(source, apiGroups, resources, verbs): + '''Return true if the specified rule is contained within the provided source''' + + rules = source['rules'] + + if rules: + for rule in rules: + if set(rule['apiGroups']) == set(apiGroups): + if set(rule['resources']) == set(resources): + if set(rule['verbs']) == set(verbs): + return True + + return False + + class FilterModule(object): """ Custom ansible filter mapping """ @@ -1049,5 +1064,6 @@ class FilterModule(object): "oo_openshift_loadbalancer_frontends": oo_openshift_loadbalancer_frontends, "oo_openshift_loadbalancer_backends": oo_openshift_loadbalancer_backends, "to_padded_yaml": to_padded_yaml, - "oo_random_word": oo_random_word + "oo_random_word": oo_random_word, + "oo_contains_rule": oo_contains_rule } diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index e6bc6c829..93e821ba7 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -468,6 +468,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # S3 bucket must already exist. #openshift_hosted_registry_storage_kind=object #openshift_hosted_registry_storage_provider=s3 +#openshift_hosted_registry_storage_s3_encrypt=false +#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id #openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id #openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key #openshift_hosted_registry_storage_s3_bucket=bucket_name @@ -552,6 +554,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Configure the prefix and version for the component images #openshift_hosted_metrics_deployer_prefix=docker.io/openshift/origin- #openshift_hosted_metrics_deployer_version=3.6.0 +# +# StorageClass +# openshift_storageclass_name=gp2 +# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false} +# # Logging deployment # @@ -714,7 +721,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_dns_ip=172.30.0.1 # Configure node kubelet arguments. pods-per-core is valid in OpenShift Origin 1.3 or OpenShift Container Platform 3.3 and later. -#openshift_node_kubelet_args={'pods-per-core': ['10'], 'max-pods': ['250'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']} +#openshift_node_kubelet_args={'pods-per-core': ['10'], 'max-pods': ['250'], 'image-gc-high-threshold': ['85'], 'image-gc-low-threshold': ['80']} # Configure logrotate scripts # See: https://github.com/nickhammond/ansible-logrotate @@ -740,6 +747,10 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Global Proxy Configuration # These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment # variables for docker and master services. +# +# Hosts in the openshift_no_proxy list will NOT use any globally +# configured HTTP(S)_PROXYs. openshift_no_proxy accepts domains +# (.example.com), and hosts (example.com), and IP addresses. #openshift_http_proxy=http://USER:PASSWORD@IPADDR:PORT #openshift_https_proxy=https://USER:PASSWORD@IPADDR:PORT #openshift_no_proxy='.hosts.example.com,some-host.com' @@ -747,7 +758,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Most environments don't require a proxy between openshift masters, nodes, and # etcd hosts. So automatically add those hostnames to the openshift_no_proxy list. # If all of your hosts share a common domain you may wish to disable this and -# specify that domain above. +# specify that domain above instead. +# +# For example, having hosts with FQDNs: m1.ex.com, n1.ex.com, and +# n2.ex.com, one would simply add '.ex.com' to the openshift_no_proxy +# variable (above) and set this value to False #openshift_generate_no_proxy_hosts=True # # These options configure the BuildDefaults admission controller which injects diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 928da40fa..9a0dce01b 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -468,6 +468,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # S3 bucket must already exist. #openshift_hosted_registry_storage_kind=object #openshift_hosted_registry_storage_provider=s3 +#openshift_hosted_registry_storage_s3_encrypt=false +#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id #openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id #openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key #openshift_hosted_registry_storage_s3_bucket=bucket_name @@ -552,6 +554,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Configure the prefix and version for the component images #openshift_hosted_metrics_deployer_prefix=registry.example.com:8888/openshift3/ #openshift_hosted_metrics_deployer_version=3.6.0 +# +# StorageClass +# openshift_storageclass_name=gp2 +# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false} +# # Logging deployment # @@ -714,7 +721,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #openshift_dns_ip=172.30.0.1 # Configure node kubelet arguments. pods-per-core is valid in OpenShift Origin 1.3 or OpenShift Container Platform 3.3 and later. -#openshift_node_kubelet_args={'pods-per-core': ['10'], 'max-pods': ['250'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']} +#openshift_node_kubelet_args={'pods-per-core': ['10'], 'max-pods': ['250'], 'image-gc-high-threshold': ['85'], 'image-gc-low-threshold': ['80']} # Configure logrotate scripts # See: https://github.com/nickhammond/ansible-logrotate @@ -740,6 +747,10 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Global Proxy Configuration # These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment # variables for docker and master services. +# +# Hosts in the openshift_no_proxy list will NOT use any globally +# configured HTTP(S)_PROXYs. openshift_no_proxy accepts domains +# (.example.com), hosts (example.com), and IP addresses. #openshift_http_proxy=http://USER:PASSWORD@IPADDR:PORT #openshift_https_proxy=https://USER:PASSWORD@IPADDR:PORT #openshift_no_proxy='.hosts.example.com,some-host.com' @@ -747,7 +758,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Most environments don't require a proxy between openshift masters, nodes, and # etcd hosts. So automatically add those hostnames to the openshift_no_proxy list. # If all of your hosts share a common domain you may wish to disable this and -# specify that domain above. +# specify that domain above instead. +# +# For example, having hosts with FQDNs: m1.ex.com, n1.ex.com, and +# n2.ex.com, one would simply add '.ex.com' to the openshift_no_proxy +# variable (above) and set this value to False #openshift_generate_no_proxy_hosts=True # # These options configure the BuildDefaults admission controller which injects diff --git a/openshift-ansible.spec b/openshift-ansible.spec index e4dda2b24..3a59ab25b 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -9,7 +9,7 @@ %global __requires_exclude ^/usr/bin/ansible-playbook$ Name: openshift-ansible -Version: 3.6.144 +Version: 3.6.153 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -280,6 +280,43 @@ Atomic OpenShift Utilities includes %changelog +* Tue Jul 18 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.153-1 +- Updating to compare sets instead of sorted lists (ewolinet@redhat.com) +- Adding ability to create podpreset for service-catalog-controller for + bz1471881 (ewolinet@redhat.com) +- Updating to use oc replace and conditionally update edit and admin roles + (ewolinet@redhat.com) +- Other playbooks maybe expecting this to be at least an empty string. I think + they default it to an empty list if its not found. (tbielawa@redhat.com) +- Fix NO_PROXY environment variable setting (tbielawa@redhat.com) +- Changing the passing of data for sc creation. (kwoodson@redhat.com) +- Fixed variable name. (kwoodson@redhat.com) +- Adding disk encryption to storageclasses and to openshift registry + (kwoodson@redhat.com) + +* Mon Jul 17 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.152-1 +- + +* Sun Jul 16 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.151-1 +- + +* Sun Jul 16 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.150-1 +- + +* Sat Jul 15 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.149-1 +- Config was missed before replace. (jkaur@redhat.com) +- Redeploy-certificates will fail for registry and router if user is not + system:admin (jkaur@redhat.com) + +* Fri Jul 14 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.148-1 +- Adding in permissions to edit and admin cluster roles (ewolinet@redhat.com) +- making kube-service-catalog project network global when using redhat + /openshift-ovs-multitenant plugin (ewolinet@redhat.com) +- set KillMode to process in node service file (jchaloup@redhat.com) +- Upgrade fails when "Drain Node for Kubelet upgrade" (jkaur@redhat.com) +- openvswitch, syscontainer: specify the Docker service name + (gscrivan@redhat.com) + * Thu Jul 13 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.144-1 - Created js file for enabling tech preview for console, updated master-config for pod presets and console tech preview (ewolinet@redhat.com) diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml index 8c8062585..afd5463b2 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml @@ -66,6 +66,7 @@ --signer-cert={{ openshift.common.config_base }}/master/ca.crt --signer-key={{ openshift.common.config_base }}/master/ca.key --signer-serial={{ openshift.common.config_base }}/master/ca.serial.txt + --config={{ mktemp.stdout }}/admin.kubeconfig --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc,docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}" --cert={{ openshift.common.config_base }}/master/registry.crt --key={{ openshift.common.config_base }}/master/registry.key diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml index 9f14f2d69..748bbbf91 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml @@ -116,8 +116,9 @@ tls.crt="{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem" tls.key="{{ mktemp.stdout }}/openshift-hosted-router-certificate.key" --type=kubernetes.io/tls + --config={{ mktemp.stdout }}/admin.kubeconfig --confirm - -o json | {{ openshift.common.client_binary }} replace -f - + -o json | {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig replace -f - - name: Remove temporary router certificate and key files file: diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index 86f2cfa54..b7f089d99 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -294,7 +294,7 @@ - name: Drain Node for Kubelet upgrade command: > - {{ hostvars[groups.oo_first_master.0].openshift.common.admin_binary }} drain {{ openshift.node.nodename | lower }} --force --delete-local-data --ignore-daemonsets + {{ hostvars[groups.oo_first_master.0].openshift.common.admin_binary }} drain {{ openshift.node.nodename | lower }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig --force --delete-local-data --ignore-daemonsets delegate_to: "{{ groups.oo_first_master.0 }}" roles: diff --git a/requirements.txt b/requirements.txt index dae460713..bf95b4ff9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ # Versions are pinned to prevent pypi releases arbitrarily breaking # tests with new APIs/semantics. We want to update versions deliberately. -ansible==2.2.2.0 +ansible==2.3.1.0 boto==2.34.0 click==6.7 pyOpenSSL==16.2.0 diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 04b5dc86b..beef77896 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1643,38 +1643,75 @@ def set_proxy_facts(facts): if 'common' in facts: common = facts['common'] - # No openshift_no_proxy settings detected, empty list for now - if 'no_proxy' not in common: - common['no_proxy'] = [] - - # _no_proxy settings set. It is just a simple string, not a - # list or anything - elif 'no_proxy' in common and isinstance(common['no_proxy'], string_types): - # no_proxy is now a list of all the comma-separated items - # in the _no_proxy value - common['no_proxy'] = common['no_proxy'].split(",") - - # at this point common['no_proxy'] is a LIST datastructure. It - # may be empty, or it may contain some hostnames or ranges. - - # We always add local dns domain, the service domain, and - # ourselves, no matter what (if you are setting any - # NO_PROXY values) - common['no_proxy'].append('.svc') - common['no_proxy'].append('.' + common['dns_domain']) - common['no_proxy'].append(common['hostname']) - - # You are also setting system proxy vars, openshift_http_proxy/openshift_https_proxy - if 'http_proxy' in common or 'https_proxy' in common: - # You want to generate no_proxy hosts and it's a boolean value - if 'generate_no_proxy_hosts' in common and safe_get_bool(common['generate_no_proxy_hosts']): - # And you want to set up no_proxy for internal hostnames - if 'no_proxy_internal_hostnames' in common: - # Split the internal_hostnames string by a comma - # and add that list to the overall no_proxy list - common['no_proxy'].extend(common['no_proxy_internal_hostnames'].split(',')) - - common['no_proxy'] = ','.join(sort_unique(common['no_proxy'])) + ###################################################################### + # We can exit early now if we don't need to set any proxy facts + proxy_params = ['no_proxy', 'https_proxy', 'http_proxy'] + # If any of the known Proxy Params (pp) are defined + proxy_settings_defined = any( + [True for pp in proxy_params if pp in common] + ) + + if not proxy_settings_defined: + common['no_proxy'] = '' + return facts + + # As of 3.6 if ANY of the proxy parameters are defined in the + # inventory then we MUST add certain domains to the NO_PROXY + # environment variable. + + ###################################################################### + + # Spot to build up some data we may insert later + raw_no_proxy_list = [] + + # Automatic 3.6 NO_PROXY additions if a proxy is in use + svc_cluster_name = ['.svc', '.' + common['dns_domain'], common['hostname']] + + # auto_hosts: Added to NO_PROXY list if any proxy params are + # set in the inventory. This a list of the FQDNs of all + # cluster hosts: + auto_hosts = common['no_proxy_internal_hostnames'].split(',') + + # custom_no_proxy_hosts: If you define openshift_no_proxy in + # inventory we automatically add those hosts to the list: + if 'no_proxy' in common: + custom_no_proxy_hosts = common['no_proxy'].split(',') + else: + custom_no_proxy_hosts = [] + + # This should exist no matter what. Defaults to true. + if 'generate_no_proxy_hosts' in common: + generate_no_proxy_hosts = safe_get_bool(common['generate_no_proxy_hosts']) + + ###################################################################### + + # You set a proxy var. Now we are obliged to add some things + raw_no_proxy_list = svc_cluster_name + custom_no_proxy_hosts + + # You did not turn openshift_generate_no_proxy_hosts to False + if generate_no_proxy_hosts: + raw_no_proxy_list.extend(auto_hosts) + + ###################################################################### + + # Was anything actually added? There should be something by now. + processed_no_proxy_list = sort_unique(raw_no_proxy_list) + if processed_no_proxy_list != list(): + common['no_proxy'] = ','.join(processed_no_proxy_list) + else: + # Somehow we got an empty list. This should have been + # skipped by now in the 'return' earlier. If + # common['no_proxy'] is DEFINED it will cause unexpected + # behavior and bad templating. Ensure it does not + # exist. Even an empty list or string will have undesired + # side-effects. + del common['no_proxy'] + + ###################################################################### + # In case you were wondering, because 'common' is a reference + # to the object facts['common'], there is no need to re-assign + # it. + return facts diff --git a/roles/openshift_health_checker/library/aos_version.py b/roles/openshift_health_checker/library/aos_version.py index 4c205e48c..4f43ee751 100755 --- a/roles/openshift_health_checker/library/aos_version.py +++ b/roles/openshift_health_checker/library/aos_version.py @@ -19,6 +19,10 @@ the inventory, the version comparison checks just pass. ''' from ansible.module_utils.basic import AnsibleModule +# NOTE: because of the dependency on yum (Python 2-only), this module does not +# work under Python 3. But since we run unit tests against both Python 2 and +# Python 3, we use six for cross compatibility in this module alone: +from ansible.module_utils.six import string_types IMPORT_EXCEPTION = None try: @@ -122,12 +126,15 @@ def _check_precise_version_found(pkgs, expected_pkgs_dict): for pkg in pkgs: if pkg.name not in expected_pkgs_dict: continue - # does the version match, to the precision requested? - # and, is it strictly greater, at the precision requested? - expected_pkg_version = expected_pkgs_dict[pkg.name]["version"] - match_version = '.'.join(pkg.version.split('.')[:expected_pkg_version.count('.') + 1]) - if match_version == expected_pkg_version: - pkgs_precise_version_found.add(pkg.name) + expected_pkg_versions = expected_pkgs_dict[pkg.name]["version"] + if isinstance(expected_pkg_versions, string_types): + expected_pkg_versions = [expected_pkg_versions] + for expected_pkg_version in expected_pkg_versions: + # does the version match, to the precision requested? + # and, is it strictly greater, at the precision requested? + match_version = '.'.join(pkg.version.split('.')[:expected_pkg_version.count('.') + 1]) + if match_version == expected_pkg_version: + pkgs_precise_version_found.add(pkg.name) not_found = [] for name, pkg in expected_pkgs_dict.items(): @@ -157,8 +164,13 @@ def _check_higher_version_found(pkgs, expected_pkgs_dict): for pkg in pkgs: if pkg.name not in expected_pkg_names: continue - expected_pkg_version = expected_pkgs_dict[pkg.name]["version"] - req_release_arr = [int(segment) for segment in expected_pkg_version.split(".")] + expected_pkg_versions = expected_pkgs_dict[pkg.name]["version"] + if isinstance(expected_pkg_versions, string_types): + expected_pkg_versions = [expected_pkg_versions] + # NOTE: the list of versions is assumed to be sorted so that the highest + # desirable version is the last. + highest_desirable_version = expected_pkg_versions[-1] + req_release_arr = [int(segment) for segment in highest_desirable_version.split(".")] version = [int(segment) for segment in pkg.version.split(".")] too_high = version[:len(req_release_arr)] > req_release_arr higher_than_seen = version > higher_version_for_pkg.get(pkg.name, []) diff --git a/roles/openshift_health_checker/openshift_checks/package_version.py b/roles/openshift_health_checker/openshift_checks/package_version.py index 6a76bb93d..204752bd0 100644 --- a/roles/openshift_health_checker/openshift_checks/package_version.py +++ b/roles/openshift_health_checker/openshift_checks/package_version.py @@ -10,8 +10,8 @@ class PackageVersion(NotContainerizedMixin, OpenShiftCheck): tags = ["preflight"] openshift_to_ovs_version = { - "3.6": "2.6", - "3.5": "2.6", + "3.6": ["2.6", "2.7"], + "3.5": ["2.6", "2.7"], "3.4": "2.4", } diff --git a/roles/openshift_health_checker/test/aos_version_test.py b/roles/openshift_health_checker/test/aos_version_test.py index 697805dd2..4100f6c70 100644 --- a/roles/openshift_health_checker/test/aos_version_test.py +++ b/roles/openshift_health_checker/test/aos_version_test.py @@ -18,7 +18,43 @@ expected_pkgs = { } -@pytest.mark.parametrize('pkgs, expect_not_found', [ +@pytest.mark.parametrize('pkgs,expected_pkgs_dict', [ + ( + # all found + [Package('spam', '3.2.1'), Package('eggs', '3.2.1')], + expected_pkgs, + ), + ( + # found with more specific version + [Package('spam', '3.2.1'), Package('eggs', '3.2.1.5')], + expected_pkgs, + ), + ( + [Package('ovs', '2.6'), Package('ovs', '2.4')], + { + "ovs": { + "name": "ovs", + "version": ["2.6", "2.7"], + "check_multi": False, + } + }, + ), + ( + [Package('ovs', '2.7')], + { + "ovs": { + "name": "ovs", + "version": ["2.6", "2.7"], + "check_multi": False, + } + }, + ), +]) +def test_check_precise_version_found(pkgs, expected_pkgs_dict): + aos_version._check_precise_version_found(pkgs, expected_pkgs_dict) + + +@pytest.mark.parametrize('pkgs,expect_not_found', [ ( [], { @@ -55,14 +91,6 @@ expected_pkgs = { }, # not the right version ), ( - [Package('spam', '3.2.1'), Package('eggs', '3.2.1')], - {}, # all found - ), - ( - [Package('spam', '3.2.1'), Package('eggs', '3.2.1.5')], - {}, # found with more specific version - ), - ( [Package('eggs', '1.2.3'), Package('eggs', '3.2.1.5')], { "spam": { @@ -73,64 +101,86 @@ expected_pkgs = { }, # eggs found with multiple versions ), ]) -def test_check_pkgs_for_precise_version(pkgs, expect_not_found): - if expect_not_found: - with pytest.raises(aos_version.PreciseVersionNotFound) as e: - aos_version._check_precise_version_found(pkgs, expected_pkgs) - - assert list(expect_not_found.values()) == e.value.problem_pkgs - else: +def test_check_precise_version_found_fail(pkgs, expect_not_found): + with pytest.raises(aos_version.PreciseVersionNotFound) as e: aos_version._check_precise_version_found(pkgs, expected_pkgs) + assert list(expect_not_found.values()) == e.value.problem_pkgs -@pytest.mark.parametrize('pkgs, expect_higher', [ +@pytest.mark.parametrize('pkgs,expected_pkgs_dict', [ ( [], - [], + expected_pkgs, ), ( + # more precise but not strictly higher [Package('spam', '3.2.1.9')], - [], # more precise but not strictly higher + expected_pkgs, ), ( + [Package('ovs', '2.7')], + { + "ovs": { + "name": "ovs", + "version": ["2.6", "2.7"], + "check_multi": False, + } + }, + ), +]) +def test_check_higher_version_found(pkgs, expected_pkgs_dict): + aos_version._check_higher_version_found(pkgs, expected_pkgs_dict) + + +@pytest.mark.parametrize('pkgs,expected_pkgs_dict,expect_higher', [ + ( [Package('spam', '3.3')], + expected_pkgs, ['spam-3.3'], # lower precision, but higher ), ( [Package('spam', '3.2.1'), Package('eggs', '3.3.2')], + expected_pkgs, ['eggs-3.3.2'], # one too high ), ( [Package('eggs', '1.2.3'), Package('eggs', '3.2.1.5'), Package('eggs', '3.4')], + expected_pkgs, ['eggs-3.4'], # multiple versions, one is higher ), ( [Package('eggs', '3.2.1'), Package('eggs', '3.4'), Package('eggs', '3.3')], + expected_pkgs, ['eggs-3.4'], # multiple versions, two are higher ), + ( + [Package('ovs', '2.8')], + { + "ovs": { + "name": "ovs", + "version": ["2.6", "2.7"], + "check_multi": False, + } + }, + ['ovs-2.8'], + ), ]) -def test_check_pkgs_for_greater_version(pkgs, expect_higher): - if expect_higher: - with pytest.raises(aos_version.FoundHigherVersion) as e: - aos_version._check_higher_version_found(pkgs, expected_pkgs) - assert set(expect_higher) == set(e.value.problem_pkgs) - else: - aos_version._check_higher_version_found(pkgs, expected_pkgs) +def test_check_higher_version_found_fail(pkgs, expected_pkgs_dict, expect_higher): + with pytest.raises(aos_version.FoundHigherVersion) as e: + aos_version._check_higher_version_found(pkgs, expected_pkgs_dict) + assert set(expect_higher) == set(e.value.problem_pkgs) -@pytest.mark.parametrize('pkgs, expect_to_flag_pkgs', [ - ( - [], - [], - ), - ( - [Package('spam', '3.2.1')], - [], - ), - ( - [Package('spam', '3.2.1'), Package('eggs', '3.2.2')], - [], - ), +@pytest.mark.parametrize('pkgs', [ + [], + [Package('spam', '3.2.1')], + [Package('spam', '3.2.1'), Package('eggs', '3.2.2')], +]) +def test_check_multi_minor_release(pkgs): + aos_version._check_multi_minor_release(pkgs, expected_pkgs) + + +@pytest.mark.parametrize('pkgs,expect_to_flag_pkgs', [ ( [Package('spam', '3.2.1'), Package('spam', '3.3.2')], ['spam'], @@ -140,10 +190,7 @@ def test_check_pkgs_for_greater_version(pkgs, expect_higher): ['eggs'], ), ]) -def test_check_pkgs_for_multi_release(pkgs, expect_to_flag_pkgs): - if expect_to_flag_pkgs: - with pytest.raises(aos_version.FoundMultiRelease) as e: - aos_version._check_multi_minor_release(pkgs, expected_pkgs) - assert set(expect_to_flag_pkgs) == set(e.value.problem_pkgs) - else: +def test_check_multi_minor_release_fail(pkgs, expect_to_flag_pkgs): + with pytest.raises(aos_version.FoundMultiRelease) as e: aos_version._check_multi_minor_release(pkgs, expected_pkgs) + assert set(expect_to_flag_pkgs) == set(e.value.problem_pkgs) diff --git a/roles/openshift_health_checker/test/package_version_test.py b/roles/openshift_health_checker/test/package_version_test.py index 91eace512..1bb6371ae 100644 --- a/roles/openshift_health_checker/test/package_version_test.py +++ b/roles/openshift_health_checker/test/package_version_test.py @@ -72,36 +72,6 @@ def test_package_version(openshift_release): assert result is return_value -@pytest.mark.parametrize('deployment_type,openshift_release,expected_ovs_version', [ - ("openshift-enterprise", "3.5", "2.6"), - ("origin", "3.6", "2.6"), - ("openshift-enterprise", "3.4", "2.4"), - ("origin", "3.3", "2.4"), -]) -def test_ovs_package_version(deployment_type, openshift_release, expected_ovs_version): - task_vars = dict( - openshift=dict(common=dict(service_type='origin')), - openshift_release=openshift_release, - openshift_image_tag='v' + openshift_release, - openshift_deployment_type=deployment_type, - ) - return_value = object() - - def execute_module(module_name=None, module_args=None, tmp=None, task_vars=None): - assert module_name == 'aos_version' - assert "package_list" in module_args - - for pkg in module_args["package_list"]: - if pkg["name"] == "openvswitch": - assert pkg["version"] == expected_ovs_version - - return return_value - - check = PackageVersion(execute_module=execute_module) - result = check.run(tmp=None, task_vars=task_vars) - assert result is return_value - - @pytest.mark.parametrize('deployment_type,openshift_release,expected_docker_version', [ ("origin", "3.5", "1.12"), ("openshift-enterprise", "3.4", "1.12"), diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2 index dc8a9f089..9673841bf 100644 --- a/roles/openshift_hosted/templates/registry_config.j2 +++ b/roles/openshift_hosted/templates/registry_config.j2 @@ -21,7 +21,10 @@ storage: regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }} {% endif %} bucket: {{ openshift_hosted_registry_storage_s3_bucket }} - encrypt: false + encrypt: {{ openshift_hosted_registry_storage_s3_encrypt | default(false) }} +{% if openshift_hosted_registry_storage_s3_kmskeyid %} + keyid: {{ openshift_hosted_registry_storage_s3_kmskeyid }} +{% endif %} secure: true v4auth: true rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }} diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml index 8cfa5a026..c8d653880 100644 --- a/roles/openshift_node/tasks/openvswitch_system_container.yml +++ b/roles/openshift_node/tasks/openvswitch_system_container.yml @@ -10,3 +10,5 @@ name: openvswitch image: "{{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}" state: latest + values: + - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service" diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index 2e0dcfd97..bcc7fb590 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -137,6 +137,12 @@ objects: - serviceclasses verbs: - create + - apiGroups: + - settings.k8s.io + resources: + - podpresets + verbs: + - create - kind: ClusterRoleBinding apiVersion: v1 diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 1f9ecc2b8..4d1a38e61 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -66,6 +66,52 @@ template_name: kube-system-service-catalog namespace: kube-system +- oc_obj: + name: edit + kind: clusterrole + state: list + register: edit_yaml + +# only do this if we don't already have the updated role info +- name: Generate apply template for clusterrole/edit + template: + src: sc_role_patching.j2 + dest: "{{ mktemp.stdout }}/edit_sc_patch.yml" + vars: + original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" + when: + - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + +# only do this if we don't already have the updated role info +- name: update edit role for service catalog and pod preset access + command: > + oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml + when: + - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + +- oc_obj: + name: admin + kind: clusterrole + state: list + register: admin_yaml + +# only do this if we don't already have the updated role info +- name: Generate apply template for clusterrole/admin + template: + src: sc_role_patching.j2 + dest: "{{ mktemp.stdout }}/admin_sc_patch.yml" + vars: + original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" + when: + - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + +# only do this if we don't already have the updated role info +- name: update admin role for service catalog and pod preset access + command: > + oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml + when: + - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + - shell: > oc get policybindings/kube-system:default -n kube-system || echo "not found" register: get_kube_system diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2 new file mode 100644 index 000000000..69b062b3f --- /dev/null +++ b/roles/openshift_service_catalog/templates/sc_role_patching.j2 @@ -0,0 +1,26 @@ +{{ original_content }} +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - instances + - bindings + verbs: + - create + - update + - delete + - get + - list + - watch +- apiGroups: + - "settings.k8s.io" + attributeRestrictions: null + resources: + - podpresets + verbs: + - create + - update + - delete + - get + - list + - watch @@ -24,9 +24,4 @@ commands = generate_validation: python setup.py generate_validation # TODO(rhcarvalho): check syntax of other important entrypoint playbooks ansible_syntax: python setup.py ansible_syntax - # ansible 2.2.2+ unfortunately breaks the integration test runner - # because it can no longer set facts on the test docker hosts. - # So for now, install separate ansible version for integration. - # PR that fixes it: https://github.com/ansible/ansible/pull/23599 - # Once that PR is available, drop this and use same ansible. - integration: pip install ansible==2.2.1.0 + integration: python -c 'print "run test/integration/run-tests.sh"' |