diff options
40 files changed, 308 insertions, 124 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index 5d21f8e14..206ec06c3 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -329,8 +329,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # router's default certificate. #openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"} # -# Disable management of the OpenShift Router -#openshift_hosted_manage_router=false +# Manage the OpenShift Router +#openshift_hosted_manage_router=true # # Router sharding support has been added and can be achieved by supplying the correct # data to the inventory. The variable to house the data is openshift_hosted_routers @@ -407,8 +407,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Validity of the auto-generated certificate in days (optional) #openshift_hosted_registry_cert_expire_days=730 # -# Disable management of the OpenShift Registry -#openshift_hosted_manage_registry=false +# Manage the OpenShift Registry +#openshift_hosted_manage_registry=true # Registry Storage Options # diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 662df8104..4f777c330 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -328,8 +328,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # router's default certificate. #openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"} # -# Disable management of the OpenShift Router -#openshift_hosted_manage_router=false +# Manage the OpenShift Router (optional) +#openshift_hosted_manage_router=true # # Router sharding support has been added and can be achieved by supplying the correct # data to the inventory. The variable to house the data is openshift_hosted_routers @@ -406,8 +406,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Validity of the auto-generated certificate in days (optional) #openshift_hosted_registry_cert_expire_days=730 # -# Disable management of the OpenShift Registry -#openshift_hosted_manage_registry=false +# Manage the OpenShift Registry (optional) +#openshift_hosted_manage_registry=true # Registry Storage Options # diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml index 012ce69ec..a3894e243 100644 --- a/playbooks/byo/openshift-cluster/redeploy-certificates.yml +++ b/playbooks/byo/openshift-cluster/redeploy-certificates.yml @@ -20,5 +20,7 @@ - include: ../../common/openshift-node/restart.yml - include: ../../common/openshift-cluster/redeploy-certificates/router.yml + when: openshift_hosted_manage_router | default(true) | bool - include: ../../common/openshift-cluster/redeploy-certificates/registry.yml + when: openshift_hosted_manage_registry | default(true) | bool diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_docker_upgrade_targets.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_docker_upgrade_targets.yml index 7646e0fa6..9d8b73cff 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_docker_upgrade_targets.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_docker_upgrade_targets.yml @@ -1,23 +1,20 @@ --- -- name: Verify docker upgrade targets - hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config - tasks: - # Only check if docker upgrade is required if docker_upgrade is not - # already set to False. - - include: ../docker/upgrade_check.yml - when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool +# Only check if docker upgrade is required if docker_upgrade is not +# already set to False. +- include: ../docker/upgrade_check.yml + when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool - # Additional checks for Atomic hosts: +# Additional checks for Atomic hosts: - - name: Determine available Docker - shell: "rpm -q --queryformat '---\ncurr_version: %{VERSION}\navail_version: \n' docker" - register: g_atomic_docker_version_result - when: openshift.common.is_atomic | bool +- name: Determine available Docker + shell: "rpm -q --queryformat '---\ncurr_version: %{VERSION}\navail_version: \n' docker" + register: g_atomic_docker_version_result + when: openshift.common.is_atomic | bool - - set_fact: - l_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}" - when: openshift.common.is_atomic | bool +- set_fact: + l_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}" + when: openshift.common.is_atomic | bool - - fail: - msg: This playbook requires access to Docker 1.12 or later - when: openshift.common.is_atomic | bool and l_docker_version.avail_version | default(l_docker_version.curr_version, true) | version_compare('1.12','<') +- fail: + msg: This playbook requires access to Docker 1.12 or later + when: openshift.common.is_atomic | bool and l_docker_version.avail_version | default(l_docker_version.curr_version, true) | version_compare('1.12','<') diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml index 6a9f88707..1b437dce9 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml @@ -1,45 +1,41 @@ --- -- name: Verify upgrade targets - hosts: oo_masters_to_config:oo_nodes_to_upgrade +- name: Fail when OpenShift is not installed + fail: + msg: Verify OpenShift is already installed + when: openshift.common.version is not defined - tasks: - - name: Fail when OpenShift is not installed - fail: - msg: Verify OpenShift is already installed - when: openshift.common.version is not defined +- name: Verify containers are available for upgrade + command: > + docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Downloaded newer image' in pull_result.stdout" + when: openshift.common.is_containerized | bool - - name: Verify containers are available for upgrade +- when: not openshift.common.is_containerized | bool + block: + - name: Check latest available OpenShift RPM version command: > - docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }} - register: pull_result - changed_when: "'Downloaded newer image' in pull_result.stdout" - when: openshift.common.is_containerized | bool - - - when: not openshift.common.is_containerized | bool - block: - - name: Check latest available OpenShift RPM version - command: > - {{ repoquery_cmd }} --qf '%{version}' "{{ openshift.common.service_type }}" - failed_when: false - changed_when: false - register: avail_openshift_version - - - name: Fail when unable to determine available OpenShift RPM version - fail: - msg: "Unable to determine available OpenShift RPM version" - when: - - avail_openshift_version.stdout == '' + {{ repoquery_cmd }} --qf '%{version}' "{{ openshift.common.service_type }}" + failed_when: false + changed_when: false + register: avail_openshift_version - - name: Verify OpenShift RPMs are available for upgrade - fail: - msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but {{ openshift_upgrade_target }} or greater is required" - when: - - not avail_openshift_version | skipped - - avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<') + - name: Fail when unable to determine available OpenShift RPM version + fail: + msg: "Unable to determine available OpenShift RPM version" + when: + - avail_openshift_version.stdout == '' - - name: Fail when openshift version does not meet minium requirement for Origin upgrade + - name: Verify OpenShift RPMs are available for upgrade fail: - msg: "This upgrade playbook must be run against OpenShift {{ openshift_upgrade_min }} or later" + msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but {{ openshift_upgrade_target }} or greater is required" when: - - deployment_type == 'origin' - - openshift.common.version | version_compare(openshift_upgrade_min,'<') + - not avail_openshift_version | skipped + - avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<') + +- name: Fail when openshift version does not meet minium requirement for Origin upgrade + fail: + msg: "This upgrade playbook must be run against OpenShift {{ openshift_upgrade_min }} or later" + when: + - deployment_type == 'origin' + - openshift.common.version | version_compare(openshift_upgrade_min,'<') diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml index d81a13ef2..f1245aa2e 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml @@ -78,11 +78,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml index 8a692d02b..b693ab55c 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml @@ -82,11 +82,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml index 2d30bba94..4fd029107 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml @@ -79,11 +79,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml index e9ff47f32..965e39482 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml @@ -78,11 +78,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml index d4ae8d8b4..7830f462c 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml @@ -82,11 +82,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml index ae205b172..4364ff8e3 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml @@ -79,11 +79,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml index 1269634d1..e63b03e51 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml @@ -78,11 +78,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml index 21c075678..21e1d440d 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml @@ -82,11 +82,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml index e67e169fc..036d3fcf5 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml @@ -79,11 +79,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml index a1b1f3301..5d41b84d0 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml @@ -78,11 +78,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml index af6e1f71b..e34259b00 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml @@ -82,11 +82,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_masters_to_config + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_masters_to_config:oo_etcd_to_config + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml index 285c18b7b..25eceaf90 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml @@ -79,11 +79,17 @@ tags: - pre_upgrade -- include: ../pre/verify_upgrade_targets.yml +- name: Verify upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_upgrade_targets.yml tags: - pre_upgrade -- include: ../pre/verify_docker_upgrade_targets.yml +- name: Verify docker upgrade targets + hosts: oo_nodes_to_upgrade + tasks: + - include: ../pre/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/roles/lib_openshift/library/oc_adm_registry.py b/roles/lib_openshift/library/oc_adm_registry.py index 0090cac12..df0e40d20 100644 --- a/roles/lib_openshift/library/oc_adm_registry.py +++ b/roles/lib_openshift/library/oc_adm_registry.py @@ -1898,10 +1898,12 @@ class SecretConfig(object): sname, namespace, kubeconfig, - secrets=None): + secrets=None, + stype=None): ''' constructor for handling secret options ''' self.kubeconfig = kubeconfig self.name = sname + self.type = stype self.namespace = namespace self.secrets = secrets self.data = {} @@ -1912,6 +1914,7 @@ class SecretConfig(object): ''' assign the correct properties for a secret dict ''' self.data['apiVersion'] = 'v1' self.data['kind'] = 'Secret' + self.data['type'] = self.type self.data['metadata'] = {} self.data['metadata']['name'] = self.name self.data['metadata']['namespace'] = self.namespace diff --git a/roles/lib_openshift/library/oc_adm_router.py b/roles/lib_openshift/library/oc_adm_router.py index 98e80e001..8af8cb196 100644 --- a/roles/lib_openshift/library/oc_adm_router.py +++ b/roles/lib_openshift/library/oc_adm_router.py @@ -2242,10 +2242,12 @@ class SecretConfig(object): sname, namespace, kubeconfig, - secrets=None): + secrets=None, + stype=None): ''' constructor for handling secret options ''' self.kubeconfig = kubeconfig self.name = sname + self.type = stype self.namespace = namespace self.secrets = secrets self.data = {} @@ -2256,6 +2258,7 @@ class SecretConfig(object): ''' assign the correct properties for a secret dict ''' self.data['apiVersion'] = 'v1' self.data['kind'] = 'Secret' + self.data['type'] = self.type self.data['metadata'] = {} self.data['metadata']['name'] = self.name self.data['metadata']['namespace'] = self.namespace diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py index 379670aee..02257500f 100644 --- a/roles/lib_openshift/library/oc_secret.py +++ b/roles/lib_openshift/library/oc_secret.py @@ -108,6 +108,12 @@ options: required: false default: None aliases: [] + type: + description: + - The secret type. + required: false + default: None + aliases: [] force: description: - Whether or not to force the operation @@ -1470,10 +1476,12 @@ class SecretConfig(object): sname, namespace, kubeconfig, - secrets=None): + secrets=None, + stype=None): ''' constructor for handling secret options ''' self.kubeconfig = kubeconfig self.name = sname + self.type = stype self.namespace = namespace self.secrets = secrets self.data = {} @@ -1484,6 +1492,7 @@ class SecretConfig(object): ''' assign the correct properties for a secret dict ''' self.data['apiVersion'] = 'v1' self.data['kind'] = 'Secret' + self.data['type'] = self.type self.data['metadata'] = {} self.data['metadata']['name'] = self.name self.data['metadata']['namespace'] = self.namespace @@ -1573,12 +1582,14 @@ class OCSecret(OpenShiftCLI): def __init__(self, namespace, secret_name=None, + secret_type=None, decode=False, kubeconfig='/etc/origin/master/admin.kubeconfig', verbose=False): ''' Constructor for OpenshiftOC ''' super(OCSecret, self).__init__(namespace, kubeconfig=kubeconfig, verbose=verbose) self.name = secret_name + self.type = secret_type self.decode = decode def get(self): @@ -1609,6 +1620,8 @@ class OCSecret(OpenShiftCLI): secrets = ["%s=%s" % (sfile['name'], sfile['path']) for sfile in files] cmd = ['secrets', 'new', self.name] + if self.type is not None: + cmd.append("--type=%s" % (self.type)) cmd.extend(secrets) results = self.openshift_cmd(cmd) @@ -1642,6 +1655,8 @@ class OCSecret(OpenShiftCLI): secrets = ["%s=%s" % (sfile['name'], sfile['path']) for sfile in files] cmd = ['-ojson', 'secrets', 'new', self.name] + if self.type is not None: + cmd.extend(["--type=%s" % (self.type)]) cmd.extend(secrets) return self.openshift_cmd(cmd, output=True) @@ -1654,6 +1669,7 @@ class OCSecret(OpenShiftCLI): ocsecret = OCSecret(params['namespace'], params['name'], + params['type'], params['decode'], kubeconfig=params['kubeconfig'], verbose=params['debug']) @@ -1776,6 +1792,7 @@ def main(): debug=dict(default=False, type='bool'), namespace=dict(default='default', type='str'), name=dict(default=None, type='str'), + type=dict(default=None, type='str'), files=dict(default=None, type='list'), delete_after=dict(default=False, type='bool'), contents=dict(default=None, type='list'), diff --git a/roles/lib_openshift/src/ansible/oc_secret.py b/roles/lib_openshift/src/ansible/oc_secret.py index 1337cbbe5..faa7c1772 100644 --- a/roles/lib_openshift/src/ansible/oc_secret.py +++ b/roles/lib_openshift/src/ansible/oc_secret.py @@ -15,6 +15,7 @@ def main(): debug=dict(default=False, type='bool'), namespace=dict(default='default', type='str'), name=dict(default=None, type='str'), + type=dict(default=None, type='str'), files=dict(default=None, type='list'), delete_after=dict(default=False, type='bool'), contents=dict(default=None, type='list'), diff --git a/roles/lib_openshift/src/class/oc_secret.py b/roles/lib_openshift/src/class/oc_secret.py index deb36a9fa..ee83580df 100644 --- a/roles/lib_openshift/src/class/oc_secret.py +++ b/roles/lib_openshift/src/class/oc_secret.py @@ -13,12 +13,14 @@ class OCSecret(OpenShiftCLI): def __init__(self, namespace, secret_name=None, + secret_type=None, decode=False, kubeconfig='/etc/origin/master/admin.kubeconfig', verbose=False): ''' Constructor for OpenshiftOC ''' super(OCSecret, self).__init__(namespace, kubeconfig=kubeconfig, verbose=verbose) self.name = secret_name + self.type = secret_type self.decode = decode def get(self): @@ -49,6 +51,8 @@ class OCSecret(OpenShiftCLI): secrets = ["%s=%s" % (sfile['name'], sfile['path']) for sfile in files] cmd = ['secrets', 'new', self.name] + if self.type is not None: + cmd.append("--type=%s" % (self.type)) cmd.extend(secrets) results = self.openshift_cmd(cmd) @@ -82,6 +86,8 @@ class OCSecret(OpenShiftCLI): secrets = ["%s=%s" % (sfile['name'], sfile['path']) for sfile in files] cmd = ['-ojson', 'secrets', 'new', self.name] + if self.type is not None: + cmd.extend(["--type=%s" % (self.type)]) cmd.extend(secrets) return self.openshift_cmd(cmd, output=True) @@ -94,6 +100,7 @@ class OCSecret(OpenShiftCLI): ocsecret = OCSecret(params['namespace'], params['name'], + params['type'], params['decode'], kubeconfig=params['kubeconfig'], verbose=params['debug']) diff --git a/roles/lib_openshift/src/doc/secret b/roles/lib_openshift/src/doc/secret index 5c2bd9bc0..76b147f6f 100644 --- a/roles/lib_openshift/src/doc/secret +++ b/roles/lib_openshift/src/doc/secret @@ -57,6 +57,12 @@ options: required: false default: None aliases: [] + type: + description: + - The secret type. + required: false + default: None + aliases: [] force: description: - Whether or not to force the operation diff --git a/roles/lib_openshift/src/lib/secret.py b/roles/lib_openshift/src/lib/secret.py index 75c32e8b1..a1c202442 100644 --- a/roles/lib_openshift/src/lib/secret.py +++ b/roles/lib_openshift/src/lib/secret.py @@ -9,10 +9,12 @@ class SecretConfig(object): sname, namespace, kubeconfig, - secrets=None): + secrets=None, + stype=None): ''' constructor for handling secret options ''' self.kubeconfig = kubeconfig self.name = sname + self.type = stype self.namespace = namespace self.secrets = secrets self.data = {} @@ -23,6 +25,7 @@ class SecretConfig(object): ''' assign the correct properties for a secret dict ''' self.data['apiVersion'] = 'v1' self.data['kind'] = 'Secret' + self.data['type'] = self.type self.data['metadata'] = {} self.data['metadata']['name'] = self.name self.data['metadata']['namespace'] = self.namespace diff --git a/roles/lib_openshift/src/test/unit/test_oc_secret.py b/roles/lib_openshift/src/test/unit/test_oc_secret.py index e31393793..09cc4a374 100755 --- a/roles/lib_openshift/src/test/unit/test_oc_secret.py +++ b/roles/lib_openshift/src/test/unit/test_oc_secret.py @@ -38,6 +38,7 @@ class OCSecretTest(unittest.TestCase): 'state': 'present', 'namespace': 'default', 'name': 'testsecretname', + 'type': 'Opaque', 'contents': [{ 'path': "/tmp/somesecret.json", 'data': "{'one': 1, 'two': 2, 'three': 3}", @@ -74,7 +75,7 @@ class OCSecretTest(unittest.TestCase): # Making sure our mock was called as we expected mock_cmd.assert_has_calls([ mock.call(['oc', 'get', 'secrets', 'testsecretname', '-o', 'json', '-n', 'default'], None), - mock.call(['oc', 'secrets', 'new', 'testsecretname', mock.ANY, '-n', 'default'], None), + mock.call(['oc', 'secrets', 'new', 'testsecretname', '--type=Opaque', mock.ANY, '-n', 'default'], None), ]) mock_write.assert_has_calls([ diff --git a/roles/nuage_master/defaults/main.yaml b/roles/nuage_master/defaults/main.yaml deleted file mode 100644 index c90f4f443..000000000 --- a/roles/nuage_master/defaults/main.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -nuage_master_cspadminpasswd: "" -nuage_master_adminusername: admin -nuage_master_adminuserpasswd: admin diff --git a/roles/nuage_master/tasks/main.yaml b/roles/nuage_master/tasks/main.yaml index fefd28bbd..4f8adb63e 100644 --- a/roles/nuage_master/tasks/main.yaml +++ b/roles/nuage_master/tasks/main.yaml @@ -33,6 +33,14 @@ - include: certificates.yml +- name: Install Nuage VSD user certificate + become: yes + copy: src="{{ vsd_user_cert_file }}" dest="{{ cert_output_dir }}/{{ vsd_user_cert_file | basename }}" + +- name: Install Nuage VSD user key + become: yes + copy: src="{{ vsd_user_key_file }}" dest="{{ cert_output_dir }}/{{ vsd_user_key_file | basename }}" + - name: Create nuage-openshift-monitor.yaml become: yes template: src=nuage-openshift-monitor.j2 dest=/usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml owner=root mode=0644 diff --git a/roles/nuage_master/templates/nuage-openshift-monitor.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2 index de2a97e37..e077128a4 100644 --- a/roles/nuage_master/templates/nuage-openshift-monitor.j2 +++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2 @@ -15,12 +15,10 @@ vspVersion: {{ vsp_version }} enterpriseName: {{ enterprise }} # Name of the domain in which pods will reside domainName: {{ domain }} -# CSP admin user's password -cspAdminPassword: {{ nuage_master_cspadminpasswd }} -# Enterprise admin user name -enterpriseAdminUser: {{ nuage_master_adminusername }} -# Enterprise admin password -enterpriseAdminPassword: {{ nuage_master_adminuserpasswd }} +# VSD generated user certificate file location on master node +userCertificateFile: {{ cert_output_dir }}/{{ vsd_user_cert_file | basename }} +# VSD generated user key file location on master node +userKeyFile: {{ cert_output_dir }}/{{ vsd_user_key_file | basename }} # Location where logs should be saved log_dir: {{ nuage_mon_rest_server_logdir }} # Monitor rest server parameters diff --git a/roles/nuage_node/tasks/main.yaml b/roles/nuage_node/tasks/main.yaml index d82dd36a4..928f9e2e6 100644 --- a/roles/nuage_node/tasks/main.yaml +++ b/roles/nuage_node/tasks/main.yaml @@ -20,6 +20,21 @@ become: yes yum: name={{ plugin_rpm }} state=present +- name: Assure CNI conf dir exists + become: yes + file: path="{{ cni_conf_dir }}" state=directory + +- name: Assures Openshift CNI bin dir exists + become: yes + file: path="{{ cni_bin_dir }}" state=directory + +- name: Install CNI loopback plugin + become: yes + copy: + src: "{{ k8s_cni_loopback_plugin }}" + dest: "{{ cni_bin_dir }}/{{ k8s_cni_loopback_plugin | basename }}" + mode: 0755 + - name: Copy the certificates and keys become: yes copy: src="/tmp/{{ item }}" dest="{{ vsp_openshift_dir }}/{{ item }}" diff --git a/roles/nuage_node/templates/vsp-openshift.j2 b/roles/nuage_node/templates/vsp-openshift.j2 index d3c0a122a..9fab53906 100644 --- a/roles/nuage_node/templates/vsp-openshift.j2 +++ b/roles/nuage_node/templates/vsp-openshift.j2 @@ -8,6 +8,8 @@ CACert: {{ ca_cert }} enterpriseName: {{ enterprise }} # Name of the domain in which pods will reside domainName: {{ domain }} +# Name of the VSD user in admin group +vsdUser: {{ vsduser }} # IP address and port number of master API server masterApiServer: {{ api_server }} # REST server URL diff --git a/roles/nuage_node/vars/main.yaml b/roles/nuage_node/vars/main.yaml index 7b789152f..4cf68411f 100644 --- a/roles/nuage_node/vars/main.yaml +++ b/roles/nuage_node/vars/main.yaml @@ -19,4 +19,7 @@ nuage_plugin_rest_client_crt_dir: "{{ nuage_ca_master_crt_dir }}/{{ ansible_node nuage_ca_master_plugin_key: "{{ nuage_plugin_rest_client_crt_dir }}/nuageMonClient.key" nuage_ca_master_plugin_crt: "{{ nuage_plugin_rest_client_crt_dir }}/nuageMonClient.crt" +cni_conf_dir: "/etc/cni/net.d/" +cni_bin_dir: "/opt/cni/bin/" + nuage_plugin_crt_dir: /usr/share/vsp-openshift diff --git a/roles/openshift_excluder/tasks/disable.yml b/roles/openshift_excluder/tasks/disable.yml index 8d5a08874..5add25b45 100644 --- a/roles/openshift_excluder/tasks/disable.yml +++ b/roles/openshift_excluder/tasks/disable.yml @@ -5,10 +5,12 @@ include: verify_upgrade.yml # unexclude the current openshift/origin-excluder if it is installed so it can be updated -- name: Disable OpenShift excluder so it can be updated +- name: Disable excluders before the upgrade to remove older excluding expressions include: unexclude.yml vars: - unexclude_docker_excluder: false + # before the docker excluder can be updated, it needs to be disabled + # to remove older excluded packages that are no longer excluded + unexclude_docker_excluder: "{{ r_openshift_excluder_enable_docker_excluder }}" unexclude_openshift_excluder: "{{ r_openshift_excluder_enable_openshift_excluder }}" # Install any excluder that is enabled diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 3c410eff2..0c60ef6fd 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -124,3 +124,34 @@ Elasticsearch OPS too, if using an OPS cluster: - `openshift_logging_es_ops_ca_ext`: The location of the CA cert for the cert Elasticsearch uses for the external TLS server cert (default is the internal CA) + +### mux - secure_forward listener service +- `openshift_logging_use_mux`: Default `False`. If this is `True`, a service + called `mux` will be deployed. This service will act as a Fluentd + secure_forward forwarder for the node agent Fluentd daemonsets running in the + cluster. This can be used to reduce the number of connections to the + OpenShift API server, by using `mux` and configuring each node Fluentd to + send raw logs to mux and turn off the k8s metadata plugin. +- `openshift_logging_mux_allow_external`: Default `False`. If this is `True`, + the `mux` service will be deployed, and it will be configured to allow + Fluentd clients running outside of the cluster to send logs using + secure_forward. This allows OpenShift logging to be used as a central + logging service for clients other than OpenShift, or other OpenShift + clusters. +- `openshift_logging_use_mux_client`: Default `False`. If this is `True`, the + node agent Fluentd services will be configured to send logs to the mux + service rather than directly to Elasticsearch. +- `openshift_logging_mux_hostname`: Default is "mux." + + `openshift_master_default_subdomain`. This is the hostname *external*_ + clients will use to connect to mux, and will be used in the TLS server cert + subject. +- `openshift_logging_mux_port`: 24284 +- `openshift_logging_mux_cpu_limit`: 100m +- `openshift_logging_mux_memory_limit`: 512Mi +- `openshift_logging_mux_default_namespaces`: Default `["mux-undefined"]` - the + first value in the list is the namespace to use for undefined projects, + followed by any additional namespaces to create by default - users will + typically not need to set this +- `openshift_logging_mux_namespaces`: Default `[]` - additional namespaces to + create for _external_ mux clients to associate with their logs - users will + need to set this diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index 837c54067..573cbdd09 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -160,8 +160,13 @@ openshift_logging_use_mux: "{{ openshift_logging_mux_allow_external | default(Fa openshift_logging_use_mux_client: False openshift_logging_mux_hostname: "{{ 'mux.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}" openshift_logging_mux_port: 24284 -openshift_logging_mux_cpu_limit: 100m -openshift_logging_mux_memory_limit: 512Mi +openshift_logging_mux_cpu_limit: 500m +openshift_logging_mux_memory_limit: 1Gi +# the namespace to use for undefined projects should come first, followed by any +# additional namespaces to create by default - users will typically not need to set this +openshift_logging_mux_default_namespaces: ["mux-undefined"] +# extra namespaces to create for mux clients - users will need to set this +openshift_logging_mux_namespaces: [] # following can be uncommented to provide values for configmaps -- take care when providing file contents as it may cause your cluster to not operate correctly #es_logging_contents: diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index 7169c4036..040356e3d 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml @@ -124,7 +124,7 @@ - system.logging.mux loop_control: loop_var: node_name - when: openshift_logging_use_mux + when: openshift_logging_use_mux | bool - name: Generate PEM cert for Elasticsearch external route include: generate_pems.yaml component={{node_name}} diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index 551638781..dde76b142 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml @@ -194,6 +194,8 @@ vars: generated_certs_dir: "{{openshift.common.config_base}}/logging" openshift_logging_curator_namespace: "{{ openshift_logging_namespace }}" + openshift_logging_curator_es_host: "{{ openshift_logging_es_host }}" + openshift_logging_curator_es_port: "{{ openshift_logging_es_port }}" openshift_logging_curator_master_url: "{{ openshift_logging_master_url }}" openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix }}" openshift_logging_curator_image_version: "{{ openshift_logging_image_version }}" @@ -204,6 +206,8 @@ vars: generated_certs_dir: "{{openshift.common.config_base}}/logging" openshift_logging_curator_ops_deployment: true + openshift_logging_curator_es_host: "{{ openshift_logging_es_ops_host }}" + openshift_logging_curator_es_port: "{{ openshift_logging_es_ops_port }}" openshift_logging_curator_namespace: "{{ openshift_logging_namespace }}" openshift_logging_curator_master_url: "{{ openshift_logging_master_url }}" openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix }}" diff --git a/roles/openshift_logging_curator/templates/curator.j2 b/roles/openshift_logging_curator/templates/curator.j2 index f8b84861f..1bf9b9de2 100644 --- a/roles/openshift_logging_curator/templates/curator.j2 +++ b/roles/openshift_logging_curator/templates/curator.j2 @@ -89,9 +89,6 @@ spec: - name: config mountPath: /etc/curator/settings readOnly: true - - name: elasticsearch-storage - mountPath: /elasticsearch/persistent - readOnly: true volumes: - name: certs secret: @@ -99,5 +96,3 @@ spec: - name: config configMap: name: logging-curator - - name: elasticsearch-storage - emptyDir: {} diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml index 8aaa28706..10fa4372c 100644 --- a/roles/openshift_logging_mux/defaults/main.yml +++ b/roles/openshift_logging_mux/defaults/main.yml @@ -9,8 +9,8 @@ openshift_logging_mux_namespace: logging ### Common settings openshift_logging_mux_nodeselector: "{{ openshift_hosted_logging_mux_nodeselector_label | default('') | map_from_pairs }}" -openshift_logging_mux_cpu_limit: 100m -openshift_logging_mux_memory_limit: 512Mi +openshift_logging_mux_cpu_limit: 500m +openshift_logging_mux_memory_limit: 1Gi openshift_logging_mux_replicas: 1 @@ -26,9 +26,14 @@ openshift_logging_mux_use_journal: "{{ openshift_hosted_logging_use_journal | de openshift_logging_mux_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}" openshift_logging_mux_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}" -openshift_logging_mux_allow_external: false +openshift_logging_mux_allow_external: False openshift_logging_mux_hostname: "{{ 'mux.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}" openshift_logging_mux_port: 24284 +# the namespace to use for undefined projects should come first, followed by any +# additional namespaces to create by default - users will typically not need to set this +openshift_logging_mux_default_namespaces: ["mux-undefined"] +# extra namespaces to create for mux clients - users will need to set this +openshift_logging_mux_namespaces: [] openshift_logging_mux_app_client_cert: /etc/fluent/keys/cert openshift_logging_mux_app_client_key: /etc/fluent/keys/key diff --git a/roles/openshift_logging_mux/tasks/main.yaml b/roles/openshift_logging_mux/tasks/main.yaml index 432cab9e9..54af40070 100644 --- a/roles/openshift_logging_mux/tasks/main.yaml +++ b/roles/openshift_logging_mux/tasks/main.yaml @@ -130,16 +130,14 @@ selector: component: mux provider: openshift - # pending #4091 - #labels: - #- logging-infra: 'support' + labels: + logging-infra: 'support' ports: - name: mux-forward port: "{{ openshift_logging_mux_port }}" targetPort: "mux-forward" - # pending #4091 - # externalIPs: - # - "{{ ansible_eth0.ipv4.address }}" + external_ips: + - "{{ ansible_eth0.ipv4.address }}" when: openshift_logging_mux_allow_external | bool - name: Set logging-mux service for internal communication @@ -150,9 +148,8 @@ selector: component: mux provider: openshift - # pending #4091 - #labels: - #- logging-infra: 'support' + labels: + logging-infra: 'support' ports: - name: mux-forward port: "{{ openshift_logging_mux_port }}" @@ -190,6 +187,13 @@ - "{{ tempdir }}/templates/logging-mux-dc.yaml" delete_after: true +- name: Add mux namespaces + oc_project: + state: present + name: "{{ item }}" + node_selector: "" + with_items: "{{ openshift_logging_mux_namespaces | union(openshift_logging_mux_default_namespaces) }}" + - name: Delete temp directory file: name: "{{ tempdir }}" diff --git a/roles/openshift_node_upgrade/tasks/restart.yml b/roles/openshift_node_upgrade/tasks/restart.yml index e576228ba..508eb9358 100644 --- a/roles/openshift_node_upgrade/tasks/restart.yml +++ b/roles/openshift_node_upgrade/tasks/restart.yml @@ -5,6 +5,14 @@ # - openshift.common.hostname # - openshift.master.api_port +# NOTE: This is needed to make sure we are using the correct set +# of systemd unit files. The RPMs lay down defaults but +# the install/upgrade may override them in /etc/systemd/system/. +# NOTE: We don't use the systemd module as some versions of the module +# require a service to be part of the call. +- name: Reload systemd to ensure latest unit files + command: systemctl daemon-reload + - name: Restart docker service: name: "{{ openshift.docker.service_name }}" |