diff options
24 files changed, 495 insertions, 451 deletions
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index c9390efe6..a833a5d93 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -242,6 +242,28 @@ def oo_combine_dict(data, in_joiner='=', out_joiner=' '): return out_joiner.join([in_joiner.join([k, str(v)]) for k, v in data.items()]) +def oo_dict_to_list_of_dict(data, key_title='key', value_title='value'): + """Take a dict and arrange them as a list of dicts + + Input data: + {'region': 'infra', 'test_k': 'test_v'} + + Return data: + [{'key': 'region', 'value': 'infra'}, {'key': 'test_k', 'value': 'test_v'}] + + Written for use of the oc_label module + """ + if not isinstance(data, dict): + # pylint: disable=line-too-long + raise errors.AnsibleFilterError("|failed expects first param is a dict. Got %s. Type: %s" % (str(data), str(type(data)))) + + rval = [] + for label in data.items(): + rval.append({key_title: label[0], value_title: label[1]}) + + return rval + + def oo_ami_selector(data, image_name): """ This takes a list of amis and an image name and attempts to return the latest ami. @@ -951,6 +973,7 @@ class FilterModule(object): "oo_ec2_volume_definition": oo_ec2_volume_definition, "oo_combine_key_value": oo_combine_key_value, "oo_combine_dict": oo_combine_dict, + "oo_dict_to_list_of_dict": oo_dict_to_list_of_dict, "oo_split": oo_split, "oo_filter_list": oo_filter_list, "oo_parse_heat_stack_outputs": oo_parse_heat_stack_outputs, diff --git a/playbooks/byo/openshift-cluster/upgrades/docker/docker_upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/docker/docker_upgrade.yml index 13e1da961..5d3280328 100644 --- a/playbooks/byo/openshift-cluster/upgrades/docker/docker_upgrade.yml +++ b/playbooks/byo/openshift-cluster/upgrades/docker/docker_upgrade.yml @@ -22,12 +22,24 @@ hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config serial: 1 any_errors_fatal: true + + roles: + - lib_openshift + tasks: - - name: Prepare for Node draining - command: > - {{ openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename }} --schedulable=false + - name: Mark node unschedulable + oadm_manage_node: + node: "{{ openshift.node.nodename | lower }}" + schedulable: False delegate_to: "{{ groups.oo_first_master.0 }}" - when: l_docker_upgrade is defined and l_docker_upgrade | bool and inventory_hostname in groups.oo_nodes_to_upgrade + retries: 10 + delay: 5 + register: node_unschedulable + until: node_unschedulable|succeeded + when: + - l_docker_upgrade is defined + - l_docker_upgrade | bool + - inventory_hostname in groups.oo_nodes_to_upgrade - name: Drain Node for Kubelet upgrade command: > @@ -39,7 +51,12 @@ when: l_docker_upgrade is defined and l_docker_upgrade | bool - name: Set node schedulability - command: > - {{ openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename }} --schedulable=true + oadm_manage_node: + node: "{{ openshift.node.nodename | lower }}" + schedulable: True delegate_to: "{{ groups.oo_first_master.0 }}" - when: l_docker_upgrade is defined and l_docker_upgrade | bool and inventory_hostname in groups.oo_nodes_to_upgrade and openshift.node.schedulable | bool + retries: 10 + delay: 5 + register: node_schedulable + until: node_schedulable|succeeded + when: node_unschedulable|changed diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml index 45aabf3e4..7ef79afa9 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml @@ -29,12 +29,18 @@ - name: Check available disk space for etcd backup shell: df --output=avail -k {{ openshift.common.data_dir }} | tail -n 1 register: avail_disk + # AUDIT:changed_when: `false` because we are only inspecting + # state, not manipulating anything + changed_when: false # TODO: replace shell module with command and update later checks - name: Check current embedded etcd disk usage shell: du -k {{ openshift.etcd.etcd_data_dir }} | tail -n 1 | cut -f1 register: etcd_disk_usage when: embedded_etcd | bool + # AUDIT:changed_when: `false` because we are only inspecting + # state, not manipulating anything + changed_when: false - name: Abort if insufficient disk space for etcd backup fail: diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml index 690858c53..a9b5b94e6 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml @@ -9,21 +9,36 @@ register: etcd_rpm_version failed_when: false when: not openshift.common.is_containerized | bool + # AUDIT:changed_when: `false` because we are only inspecting + # state, not manipulating anything + changed_when: false + - name: Record containerized etcd version command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\* register: etcd_container_version failed_when: false when: openshift.common.is_containerized | bool + # AUDIT:changed_when: `false` because we are only inspecting + # state, not manipulating anything + changed_when: false + - name: Record containerized etcd version command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\* register: etcd_container_version failed_when: false when: openshift.common.is_containerized | bool and not openshift.common.is_etcd_system_container | bool + # AUDIT:changed_when: `false` because we are only inspecting + # state, not manipulating anything + changed_when: false + - name: Record containerized etcd version command: runc exec etcd_container rpm -qa --qf '%{version}' etcd\* register: etcd_container_version failed_when: false when: openshift.common.is_containerized | bool and openshift.common.is_etcd_system_container | bool + # AUDIT:changed_when: `false` because we are only inspecting + # state, not manipulating anything + changed_when: false # I really dislike this copy/pasta but I wasn't able to find a way to get it to loop # through hosts, then loop through tasks only when appropriate diff --git a/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml index 37c89374c..046535680 100644 --- a/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml @@ -1,20 +1,17 @@ --- - name: Filter list of nodes to be upgraded if necessary hosts: oo_first_master + + roles: + - lib_openshift + tasks: - name: Retrieve list of openshift nodes matching upgrade label - command: > - {{ openshift.common.client_binary }} - get nodes - --config={{ openshift.common.config_base }}/master/admin.kubeconfig - --selector={{ openshift_upgrade_nodes_label }} - -o jsonpath='{.items[*].metadata.name}' - register: matching_nodes - changed_when: false - when: openshift_upgrade_nodes_label is defined - - - set_fact: - nodes_to_upgrade: "{{ matching_nodes.stdout.split(' ') }}" + oc_obj: + state: list + kind: node + selector: "{{ openshift_upgrade_nodes_label }}" + register: nodes_to_upgrade when: openshift_upgrade_nodes_label is defined # We got a list of nodes with the label, now we need to match these with inventory hosts @@ -26,7 +23,9 @@ ansible_ssh_user: "{{ g_ssh_user | default(omit) }}" ansible_become: "{{ g_sudo | default(omit) }}" with_items: " {{ groups['oo_nodes_to_config'] }}" - when: openshift_upgrade_nodes_label is defined and hostvars[item].openshift.common.hostname in nodes_to_upgrade + when: + - openshift_upgrade_nodes_label is defined + - hostvars[item].openshift.common.hostname in nodes_to_upgrade.results.results[0]['items'] | map(attribute='metadata.name') | list changed_when: false # Build up the oo_nodes_to_upgrade group, use the list filtered by label if diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml index 4135f7e94..f0191e380 100644 --- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml @@ -9,77 +9,100 @@ registry_image: "{{ openshift.master.registry_url | replace( '${component}', 'docker-registry' ) | replace ( '${version}', openshift_image_tag ) }}" router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', openshift_image_tag ) }}" oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig" - roles: - - openshift_manageiq - # Create the new templates shipped in 3.2, existing templates are left - # unmodified. This prevents the subsequent role definition for - # openshift_examples from failing when trying to replace templates that do - # not already exist. We could have potentially done a replace --force to - # create and update in one step. - - openshift_examples - - openshift_hosted_templates - # Update the existing templates - - role: openshift_examples - registry_url: "{{ openshift.master.registry_url }}" - openshift_examples_import_command: replace - - role: openshift_hosted_templates - registry_url: "{{ openshift.master.registry_url }}" - openshift_hosted_templates_import_command: replace - pre_tasks: + pre_tasks: + - name: Load lib_openshift modules + include_role: + name: lib_openshift # TODO: remove temp_skip_router_registry_upgrade variable. This is a short term hack # to allow ops to use this control plane upgrade, without triggering router/registry # upgrade which has not yet been synced with their process. - name: Collect all routers - command: > - {{ oc_cmd }} get pods --all-namespaces -l 'router' -o json + oc_obj: + state: list + kind: pods + all_namespaces: True + selector: 'router' register: all_routers - failed_when: false - changed_when: false when: temp_skip_router_registry_upgrade is not defined - - set_fact: haproxy_routers="{{ (all_routers.stdout | from_json)['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}" - when: all_routers.rc == 0 and temp_skip_router_registry_upgrade is not defined + - set_fact: haproxy_routers="{{ (all_routers.reults.results[0]['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}" + when: + - all_routers.results.returncode == 0 + - temp_skip_router_registry_upgrade is not defined - set_fact: haproxy_routers=[] - when: all_routers.rc != 0 and temp_skip_router_registry_upgrade is not defined + when: + - all_routers.results.returncode != 0 + - temp_skip_router_registry_upgrade is not defined - name: Update router image to current version - when: all_routers.rc == 0 and temp_skip_router_registry_upgrade is not defined + when: + - all_routers.results.returncode == 0 + - temp_skip_router_registry_upgrade is not defined command: > {{ oc_cmd }} patch dc/{{ item['labels']['deploymentconfig'] }} -n {{ item['namespace'] }} -p '{"spec":{"template":{"spec":{"containers":[{"name":"router","image":"{{ router_image }}","livenessProbe":{"tcpSocket":null,"httpGet":{"path": "/healthz", "port": 1936, "host": "localhost", "scheme": "HTTP"},"initialDelaySeconds":10,"timeoutSeconds":1}}]}}}}' --api-version=v1 with_items: "{{ haproxy_routers }}" + # AUDIT:changed_when_note: `false` not being set here. What we + # need to do is check the current router image version and see if + # this task needs to be ran. - name: Check for default registry - command: > - {{ oc_cmd }} get -n default dc/docker-registry + oc_obj: + state: list + kind: dc + name: docker-registry register: _default_registry - failed_when: false - changed_when: false when: temp_skip_router_registry_upgrade is not defined - name: Update registry image to current version - when: _default_registry.rc == 0 and temp_skip_router_registry_upgrade is not defined + when: + - _default_registry.results.results[0] != {} + - temp_skip_router_registry_upgrade is not defined command: > {{ oc_cmd }} patch dc/docker-registry -n default -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","image":"{{ registry_image }}"}]}}}}' --api-version=v1 + # AUDIT:changed_when_note: `false` not being set here. What we + # need to do is check the current registry image version and see + # if this task needs to be ran. + + roles: + - openshift_manageiq + # Create the new templates shipped in 3.2, existing templates are left + # unmodified. This prevents the subsequent role definition for + # openshift_examples from failing when trying to replace templates that do + # not already exist. We could have potentially done a replace --force to + # create and update in one step. + - openshift_examples + - openshift_hosted_templates + # Update the existing templates + - role: openshift_examples + registry_url: "{{ openshift.master.registry_url }}" + openshift_examples_import_command: replace + - role: openshift_hosted_templates + registry_url: "{{ openshift.master.registry_url }}" + openshift_hosted_templates_import_command: replace # Check for warnings to be printed at the end of the upgrade: - name: Check for warnings hosts: oo_masters_to_config tasks: # Check if any masters are using pluginOrderOverride and warn if so, only for 1.3/3.3 and beyond: - - command: > - grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml + - name: grep pluginOrderOverride + command: grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml register: grep_plugin_order_override when: openshift.common.version_gte_3_3_or_1_3 | bool - failed_when: false + changed_when: false + - name: Warn if pluginOrderOverride is in use in master-config.yaml - debug: msg="WARNING pluginOrderOverride is being deprecated in master-config.yaml, please see https://docs.openshift.com/enterprise/latest/architecture/additional_concepts/admission_controllers.html for more information." - when: not grep_plugin_order_override | skipped and grep_plugin_order_override.rc == 0 + debug: + msg: "WARNING pluginOrderOverride is being deprecated in master-config.yaml, please see https://docs.openshift.com/enterprise/latest/architecture/additional_concepts/admission_controllers.html for more information." + when: + - not grep_plugin_order_override | skipped + - grep_plugin_order_override.rc == 0 - include: ../reset_excluder.yml tags: diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index db2c27919..a4aefcdac 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -238,29 +238,22 @@ any_errors_fatal: true pre_tasks: + - name: Load lib_openshift modules + include_role: + name: lib_openshift + # TODO: To better handle re-trying failed upgrades, it would be nice to check if the node # or docker actually needs an upgrade before proceeding. Perhaps best to save this until # we merge upgrade functionality into the base roles and a normal config.yml playbook run. - - name: Determine if node is currently scheduleable - command: > - {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} get node {{ openshift.node.nodename | lower }} -o json - register: node_output - delegate_to: "{{ groups.oo_first_master.0 }}" - changed_when: false - - - set_fact: - was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}" - - name: Mark node unschedulable - command: > - {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=false + oadm_manage_node: + node: "{{ openshift.node.nodename | lower }}" + schedulable: False delegate_to: "{{ groups.oo_first_master.0 }}" - # NOTE: There is a transient "object has been modified" error here, allow a couple - # retries for a more reliable upgrade. - register: node_unsched - until: node_unsched.rc == 0 - retries: 3 - delay: 1 + retries: 10 + delay: 5 + register: node_unschedulable + until: node_unschedulable|succeeded - name: Drain Node for Kubelet upgrade command: > @@ -268,17 +261,19 @@ delegate_to: "{{ groups.oo_first_master.0 }}" roles: + - lib_openshift - openshift_facts - docker - openshift_node_upgrade post_tasks: - name: Set node schedulability - command: > - {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=true + oadm_manage_node: + node: "{{ openshift.node.nodename | lower }}" + schedulable: True delegate_to: "{{ groups.oo_first_master.0 }}" - when: was_schedulable | bool - register: node_sched - until: node_sched.rc == 0 - retries: 3 - delay: 1 + retries: 10 + delay: 5 + register: node_schedulable + until: node_schedulable|succeeded + when: node_unschedulable|changed diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml index e45b635f7..e3a98fd9b 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml @@ -7,29 +7,22 @@ any_errors_fatal: true pre_tasks: + - name: Load lib_openshift modules + include_role: + name: lib_openshift + # TODO: To better handle re-trying failed upgrades, it would be nice to check if the node # or docker actually needs an upgrade before proceeding. Perhaps best to save this until # we merge upgrade functionality into the base roles and a normal config.yml playbook run. - - name: Determine if node is currently scheduleable - command: > - {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} get node {{ openshift.node.nodename | lower }} -o json - register: node_output - delegate_to: "{{ groups.oo_first_master.0 }}" - changed_when: false - - - set_fact: - was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}" - - name: Mark node unschedulable - command: > - {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=false + oadm_manage_node: + node: "{{ openshift.node.nodename | lower }}" + schedulable: False delegate_to: "{{ groups.oo_first_master.0 }}" - # NOTE: There is a transient "object has been modified" error here, allow a couple - # retries for a more reliable upgrade. - register: node_unsched - until: node_unsched.rc == 0 - retries: 3 - delay: 1 + retries: 10 + delay: 5 + register: node_unschedulable + until: node_unschedulable|succeeded - name: Drain Node for Kubelet upgrade command: > @@ -37,20 +30,22 @@ delegate_to: "{{ groups.oo_first_master.0 }}" roles: + - lib_openshift - openshift_facts - docker - openshift_node_upgrade post_tasks: - name: Set node schedulability - command: > - {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=true + oadm_manage_node: + node: "{{ openshift.node.nodename | lower }}" + schedulable: True delegate_to: "{{ groups.oo_first_master.0 }}" - when: was_schedulable | bool - register: node_sched - until: node_sched.rc == 0 - retries: 3 - delay: 1 + retries: 10 + delay: 5 + register: node_schedulable + until: node_schedulable|succeeded + when: node_unschedulable|changed - include: ../reset_excluder.yml tags: diff --git a/roles/cockpit-ui/meta/main.yml b/roles/cockpit-ui/meta/main.yml index 6ad2e324a..4d619fff6 100644 --- a/roles/cockpit-ui/meta/main.yml +++ b/roles/cockpit-ui/meta/main.yml @@ -11,3 +11,5 @@ galaxy_info: - 7 categories: - cloud +dependencies: +- role: lib_openshift diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml index f2ef4f161..8bd68787a 100644 --- a/roles/cockpit-ui/tasks/main.yml +++ b/roles/cockpit-ui/tasks/main.yml @@ -1,86 +1,58 @@ --- -- name: Create temp directory for kubeconfig - command: mktemp -d /tmp/openshift-ansible-XXXXXX - register: mktemp - changed_when: False - -- set_fact: - openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - -- name: Copy the admin client config(s) - command: > - cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }} - changed_when: False - -- name: Determine if docker-registry service exists - command: > - {{ openshift.common.client_binary }} get svc/docker-registry - --config={{ openshift_hosted_kubeconfig }} - -n default - register: check_docker_registry_exists - failed_when: false - changed_when: false - -- name: Create passthrough route for docker-registry - command: > - {{ openshift.common.client_binary }} create route passthrough - --service docker-registry - --config={{ openshift_hosted_kubeconfig }} - -n default - register: create_docker_registry_route - changed_when: "'already exists' not in create_docker_registry_route.stderr" - failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0" - when: check_docker_registry_exists.rc == 0 - -- name: Create passthrough route for registry-console - command: > - {{ openshift.common.client_binary }} create route passthrough - --service registry-console - --port registry-console - --config={{ openshift_hosted_kubeconfig }} - -n default - register: create_registry_console_route - changed_when: "'already exists' not in create_registry_console_route.stderr" - failed_when: "'already exists' not in create_registry_console_route.stderr and create_registry_console_route.rc != 0" - when: check_docker_registry_exists.rc == 0 - -- name: Retrieve docker-registry route - command: > - {{ openshift.common.client_binary }} get route docker-registry - -o jsonpath='{.spec.host}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_route - changed_when: false - when: check_docker_registry_exists.rc == 0 - -- name: Retrieve cockpit kube url - command: > - {{ openshift.common.client_binary }} get route registry-console - -o jsonpath='https://{.spec.host}' - -n default - register: registry_console_cockpit_kube_url - changed_when: false - when: check_docker_registry_exists.rc == 0 - -# TODO: Need to fix the origin and enterprise templates so that they both respect IMAGE_PREFIX -- name: Deploy registry-console - command: > - {{ openshift.common.client_binary }} new-app --template=registry-console - {% if openshift_cockpit_deployer_prefix is defined %}-p IMAGE_PREFIX="{{ openshift_cockpit_deployer_prefix }}"{% endif %} - {% if openshift_cockpit_deployer_version is defined %}-p IMAGE_VERSION="{{ openshift_cockpit_deployer_version }}"{% endif %} - -p OPENSHIFT_OAUTH_PROVIDER_URL="{{ openshift.master.public_api_url }}" - -p REGISTRY_HOST="{{ docker_registry_route.stdout }}" - -p COCKPIT_KUBE_URL="{{ registry_console_cockpit_kube_url.stdout }}" - --config={{ openshift_hosted_kubeconfig }} - -n default - register: deploy_registry_console - changed_when: "'already exists' not in deploy_registry_console.stderr" - failed_when: "'already exists' not in deploy_registry_console.stderr and deploy_registry_console.rc != 0" - when: check_docker_registry_exists.rc == 0 - -- name: Delete temp directory - file: - name: "{{ mktemp.stdout }}" - state: absent - changed_when: False +- block: + - name: Create passthrough route for docker-registry + oc_route: + kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig" + name: docker-registry + namespace: default + service_name: docker-registry + state: present + tls_termination: passthrough + register: docker_registry_route + + - name: Create passthrough route for registry-console + oc_route: + kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig" + name: registry-console + namespace: default + service_name: registry-console + state: present + tls_termination: passthrough + register: registry_console_cockpit_kube + + # XXX: Required for items still using command + - name: Create temp directory for kubeconfig + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: mktemp + changed_when: False + + - set_fact: + openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + + - name: Copy the admin client config(s) + command: > + cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }} + changed_when: False + + # TODO: Need to fix the origin and enterprise templates so that they both respect IMAGE_PREFIX + - name: Deploy registry-console + command: > + {{ openshift.common.client_binary }} new-app --template=registry-console + {% if openshift_cockpit_deployer_prefix is defined %}-p IMAGE_PREFIX="{{ openshift_cockpit_deployer_prefix }}"{% endif %} + {% if openshift_cockpit_deployer_version is defined %}-p IMAGE_VERSION="{{ openshift_cockpit_deployer_version }}"{% endif %} + -p OPENSHIFT_OAUTH_PROVIDER_URL="{{ openshift.master.public_api_url }}" + -p REGISTRY_HOST="{{ docker_registry_route.results.results[0].spec.host }}" + -p COCKPIT_KUBE_URL="https://{{ registry_console_cockpit_kube.results.results[0].spec.host }}" + --config={{ openshift_hosted_kubeconfig }} + -n default + register: deploy_registry_console + changed_when: "'already exists' not in deploy_registry_console.stderr" + failed_when: "'already exists' not in deploy_registry_console.stderr and deploy_registry_console.rc != 0" + + - name: Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False + # XXX: End required for items still using command + run_once: true diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 9a1982076..11bd68207 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -1,52 +1,64 @@ --- -- name: Detecting Operating System - stat: - path: /run/ostree-booted - register: ostree_booted +- block: + - name: Detecting Operating System + stat: + path: /run/ostree-booted + register: ostree_booted -# Locally setup containerized facts for now -- set_fact: - l_is_atomic: "{{ ostree_booted.stat.exists }}" -- set_fact: - l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" - l_is_openvswitch_system_container: "{{ (use_openvswitch_system_container | default(use_system_containers) | bool) }}" - l_is_node_system_container: "{{ (use_node_system_container | default(use_system_containers) | bool) }}" - l_is_master_system_container: "{{ (use_master_system_container | default(use_system_containers) | bool) }}" - l_is_etcd_system_container: "{{ (use_etcd_system_container | default(use_system_containers) | bool) }}" + # Locally setup containerized facts for now + - set_fact: + l_is_atomic: "{{ ostree_booted.stat.exists }}" + - set_fact: + l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" + l_is_openvswitch_system_container: "{{ (use_openvswitch_system_container | default(use_system_containers) | bool) }}" + l_is_node_system_container: "{{ (use_node_system_container | default(use_system_containers) | bool) }}" + l_is_master_system_container: "{{ (use_master_system_container | default(use_system_containers) | bool) }}" + l_is_etcd_system_container: "{{ (use_etcd_system_container | default(use_system_containers) | bool) }}" -- name: Ensure various deps are installed - package: name={{ item }} state=present - with_items: "{{ required_packages }}" - when: not l_is_atomic | bool + - name: Ensure various deps are installed + package: name={{ item }} state=present + with_items: "{{ required_packages }}" + when: not l_is_atomic | bool -- name: Gather Cluster facts and set is_containerized if needed - openshift_facts: - role: common - local_facts: - debug_level: "{{ openshift_debug_level | default(2) }}" - # TODO: Deprecate deployment_type in favor of openshift_deployment_type - deployment_type: "{{ openshift_deployment_type | default(deployment_type) }}" - deployment_subtype: "{{ openshift_deployment_subtype | default(None) }}" - cluster_id: "{{ openshift_cluster_id | default('default') }}" - hostname: "{{ openshift_hostname | default(None) }}" - ip: "{{ openshift_ip | default(None) }}" - is_containerized: "{{ l_is_containerized | default(None) }}" - is_openvswitch_system_container: "{{ l_is_openvswitch_system_container | default(false) }}" - is_node_system_container: "{{ l_is_node_system_container | default(false) }}" - is_master_system_container: "{{ l_is_master_system_container | default(false) }}" - is_etcd_system_container: "{{ l_is_etcd_system_container | default(false) }}" - system_images_registry: "{{ system_images_registry | default('') }}" - public_hostname: "{{ openshift_public_hostname | default(None) }}" - public_ip: "{{ openshift_public_ip | default(None) }}" - portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}" - http_proxy: "{{ openshift_http_proxy | default(None) }}" - https_proxy: "{{ openshift_https_proxy | default(None) }}" - no_proxy: "{{ openshift_no_proxy | default(None) }}" - generate_no_proxy_hosts: "{{ openshift_generate_no_proxy_hosts | default(True) }}" - no_proxy_internal_hostnames: "{{ openshift_no_proxy_internal_hostnames | default(None) }}" - sdn_network_plugin_name: "{{ os_sdn_network_plugin_name | default(None) }}" - use_openshift_sdn: "{{ openshift_use_openshift_sdn | default(None) }}" + - name: Gather Cluster facts and set is_containerized if needed + openshift_facts: + role: common + local_facts: + debug_level: "{{ openshift_debug_level | default(2) }}" + # TODO: Deprecate deployment_type in favor of openshift_deployment_type + deployment_type: "{{ openshift_deployment_type | default(deployment_type) }}" + deployment_subtype: "{{ openshift_deployment_subtype | default(None) }}" + cluster_id: "{{ openshift_cluster_id | default('default') }}" + hostname: "{{ openshift_hostname | default(None) }}" + ip: "{{ openshift_ip | default(None) }}" + is_containerized: "{{ l_is_containerized | default(None) }}" + is_openvswitch_system_container: "{{ l_is_openvswitch_system_container | default(false) }}" + is_node_system_container: "{{ l_is_node_system_container | default(false) }}" + is_master_system_container: "{{ l_is_master_system_container | default(false) }}" + is_etcd_system_container: "{{ l_is_etcd_system_container | default(false) }}" + system_images_registry: "{{ system_images_registry | default('') }}" + public_hostname: "{{ openshift_public_hostname | default(None) }}" + public_ip: "{{ openshift_public_ip | default(None) }}" + portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}" + http_proxy: "{{ openshift_http_proxy | default(None) }}" + https_proxy: "{{ openshift_https_proxy | default(None) }}" + no_proxy: "{{ openshift_no_proxy | default(None) }}" + generate_no_proxy_hosts: "{{ openshift_generate_no_proxy_hosts | default(True) }}" + no_proxy_internal_hostnames: "{{ openshift_no_proxy_internal_hostnames | default(None) }}" + sdn_network_plugin_name: "{{ os_sdn_network_plugin_name | default(None) }}" + use_openshift_sdn: "{{ openshift_use_openshift_sdn | default(None) }}" -- name: Set repoquery command + - name: Set repoquery command + set_fact: + repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}" + + # This `when` allows us to skip this expensive block of tasks on + # subsequent calls to the `openshift_facts` role. You will notice + # speed-ups in proportion to the size of your cluster as this will + # skip all tasks on the next calls to the `openshift_facts` role. + when: + - openshift_facts_init is not defined + +- name: Record that openshift_facts has initialized set_fact: - repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}" + openshift_facts_init: true diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index 556da5304..8b44b94c6 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml @@ -1,13 +1,13 @@ --- - name: Create passthrough route for docker-registry - command: > - {{ openshift.common.client_binary }} create route passthrough - --service docker-registry - --config={{ openshift_hosted_kubeconfig }} - -n default - register: create_docker_registry_route - changed_when: "'already exists' not in create_docker_registry_route.stderr" - failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0" + oc_route: + kubeconfig: "{{ openshift_hosted_kubeconfig }}" + name: docker-registry + namespace: default + service_name: docker-registry + state: present + tls_termination: passthrough + run_once: true - name: Determine if registry certificate must be created stat: diff --git a/roles/openshift_hosted_templates/tasks/main.yml b/roles/openshift_hosted_templates/tasks/main.yml index 7d176bce3..89b92dfcc 100644 --- a/roles/openshift_hosted_templates/tasks/main.yml +++ b/roles/openshift_hosted_templates/tasks/main.yml @@ -4,6 +4,8 @@ become: False register: copy_hosted_templates_mktemp run_once: True + # AUDIT:changed_when: not set here because this task actually + # creates something - name: Create tar of OpenShift examples local_action: command tar -C "{{ role_path }}/files/{{ content_version }}/{{ hosted_deployment_type }}" -cvf "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar" . diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index bdb168921..d9eebe688 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -19,7 +19,7 @@ openshift_logging_curator_memory_limit: null openshift_logging_curator_ops_cpu_limit: 100m openshift_logging_curator_ops_memory_limit: null -openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default(kibana.{{openshift.common.dns_domain}}) }}" +openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.{{openshift.common.dns_domain}}') }}" openshift_logging_kibana_cpu_limit: null openshift_logging_kibana_memory_limit: null openshift_logging_kibana_proxy_debug: false diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml index 9621d0d1a..188ea246c 100644 --- a/roles/openshift_logging/tasks/delete_logging.yaml +++ b/roles/openshift_logging/tasks/delete_logging.yaml @@ -81,7 +81,6 @@ # delete our service accounts - name: delete service accounts oc_serviceaccount: - kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" name: "{{ item }}" namespace: "{{ openshift_logging_namespace }}" state: absent diff --git a/roles/openshift_logging/tasks/label_node.yaml b/roles/openshift_logging/tasks/label_node.yaml deleted file mode 100644 index ebe8f1ca8..000000000 --- a/roles/openshift_logging/tasks/label_node.yaml +++ /dev/null @@ -1,52 +0,0 @@ ---- -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}} - -o jsonpath='{.metadata.labels}' - register: node_labels - when: not ansible_check_mode - changed_when: no - -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} - register: label_result - failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr - when: - - value is defined - - node_labels.stdout is defined - - label not in node_labels.stdout - - unlabel is not defined or not unlabel - - not ansible_check_mode - -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get node {{host}} - -o jsonpath='{.metadata.labels.{{ label }}}' - register: label_value - ignore_errors: yes - changed_when: no - when: - - value is defined - - node_labels.stdout is defined - - label in node_labels.stdout - - unlabel is not defined or not unlabel - - not ansible_check_mode - -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}={{value}} --overwrite - register: label_result - failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr - when: - - value is defined - - label_value.stdout is defined - - label_value.stdout != value - - unlabel is not defined or not unlabel - - not ansible_check_mode - -- command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig label node {{host}} {{label}}- - register: label_result - failed_when: label_result.rc == 1 and 'exists' not in label_result.stderr - when: - - unlabel is defined - - unlabel - - not ansible_check_mode - - label in node_labels.stdout diff --git a/roles/openshift_logging/tasks/start_cluster.yaml b/roles/openshift_logging/tasks/start_cluster.yaml index 69d2b2b6b..3e97487dc 100644 --- a/roles/openshift_logging/tasks/start_cluster.yaml +++ b/roles/openshift_logging/tasks/start_cluster.yaml @@ -1,125 +1,133 @@ --- -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name - register: fluentd_hosts +- name: Retrieve list of fluentd hosts + oc_obj: + state: list + kind: node when: "'--all' in openshift_logging_fluentd_hosts" - check_mode: no - changed_when: no + register: fluentd_hosts -- set_fact: openshift_logging_fluentd_hosts={{ fluentd_hosts.stdout_lines | regex_replace('node/', '') }} +- name: Set fact openshift_logging_fluentd_hosts + set_fact: + openshift_logging_fluentd_hosts: "{{ fluentd_hosts.results.results[0]['items'] | map(attribute='metadata.name') | list }}" when: "'--all' in openshift_logging_fluentd_hosts" - name: start fluentd - include: label_node.yaml - vars: - host: "{{fluentd_host}}" - label: "{{openshift_logging_fluentd_nodeselector.keys()[0]}}" - value: "{{openshift_logging_fluentd_nodeselector.values()[0]}}" + oc_label: + name: "{{ fluentd_host }}" + kind: node + state: add + label: "{{ openshift_logging_fluentd_nodeselector | oo_dict_to_list_of_dict }}" with_items: "{{ openshift_logging_fluentd_hosts }}" loop_control: loop_var: fluentd_host -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}} +- name: Retrieve elasticsearch + oc_obj: + state: list + kind: dc + selector: "component=es" + namespace: "{{openshift_logging_namespace}}" register: es_dc - check_mode: no - changed_when: no - name: start elasticsearch oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 1 - with_items: "{{es_dc.stdout_lines}}" + with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}} +- name: Retrieve kibana + oc_obj: + state: list + kind: dc + selector: "component=kibana" + namespace: "{{openshift_logging_namespace}}" register: kibana_dc - check_mode: no - changed_when: no - name: start kibana oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: "{{ openshift_logging_kibana_replica_count | default (1) }}" - with_items: "{{kibana_dc.stdout_lines}}" + with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}} +- name: Retrieve curator + oc_obj: + state: list + kind: dc + selector: "component=curator" + namespace: "{{openshift_logging_namespace}}" register: curator_dc - check_mode: no - changed_when: no - name: start curator oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 1 - with_items: "{{curator_dc.stdout_lines}}" + with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}} +- name: Retrieve elasticsearch-ops + oc_obj: + state: list + kind: dc + selector: "component=es-ops" + namespace: "{{openshift_logging_namespace}}" register: es_dc - check_mode: no - changed_when: no - name: start elasticsearch-ops oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 1 - with_items: "{{es_dc.stdout_lines}}" + with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object when: openshift_logging_use_ops | bool -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}} +- name: Retrieve kibana-ops + oc_obj: + state: list + kind: dc + selector: "component=kibana-ops" + namespace: "{{openshift_logging_namespace}}" register: kibana_dc - check_mode: no - changed_when: no - name: start kibana-ops oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: "{{ openshift_logging_kibana_ops_replica_count | default (1) }}" - with_items: "{{kibana_dc.stdout_lines}}" + with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object when: openshift_logging_use_ops | bool -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}} +- name: Retrieve curator + oc_obj: + state: list + kind: dc + selector: "component=curator-ops" + namespace: "{{openshift_logging_namespace}}" register: curator_dc - check_mode: no - changed_when: no - name: start curator-ops oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 1 - with_items: "{{curator_dc.stdout_lines}}" + with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object when: openshift_logging_use_ops | bool diff --git a/roles/openshift_logging/tasks/stop_cluster.yaml b/roles/openshift_logging/tasks/stop_cluster.yaml index 7826efabe..bae6aebbb 100644 --- a/roles/openshift_logging/tasks/stop_cluster.yaml +++ b/roles/openshift_logging/tasks/stop_cluster.yaml @@ -1,118 +1,133 @@ --- -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get node -o name - register: fluentd_hosts +- name: Retrieve list of fluentd hosts + oc_obj: + state: list + kind: node when: "'--all' in openshift_logging_fluentd_hosts" - changed_when: no + register: fluentd_hosts -- set_fact: openshift_logging_fluentd_hosts={{ fluentd_hosts.stdout_lines | regex_replace('node/', '') }} +- name: Set fact openshift_logging_fluentd_hosts + set_fact: + openshift_logging_fluentd_hosts: "{{ fluentd_hosts.results.results[0]['items'] | map(attribute='metadata.name') | list }}" when: "'--all' in openshift_logging_fluentd_hosts" - name: stop fluentd - include: label_node.yaml - vars: - host: "{{fluentd_host}}" - label: "{{openshift_logging_fluentd_nodeselector.keys()[0]}}" - unlabel: True + oc_label: + name: "{{ fluentd_host }}" + kind: node + state: absent + label: "{{ openshift_logging_fluentd_nodeselector | oo_dict_to_list_of_dict }}" with_items: "{{ openshift_logging_fluentd_hosts }}" loop_control: loop_var: fluentd_host -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}} +- name: Retrieve elasticsearch + oc_obj: + state: list + kind: dc + selector: "component=es" + namespace: "{{openshift_logging_namespace}}" register: es_dc - changed_when: no - name: stop elasticsearch oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 0 - with_items: "{{es_dc.stdout_lines}}" + with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana -o name -n {{openshift_logging_namespace}} +- name: Retrieve kibana + oc_obj: + state: list + kind: dc + selector: "component=kibana" + namespace: "{{openshift_logging_namespace}}" register: kibana_dc - changed_when: no - name: stop kibana oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 0 - with_items: "{{kibana_dc.stdout_lines}}" + with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator -o name -n {{openshift_logging_namespace}} +- name: Retrieve curator + oc_obj: + state: list + kind: dc + selector: "component=curator" + namespace: "{{openshift_logging_namespace}}" register: curator_dc - changed_when: no - name: stop curator oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 0 - with_items: "{{curator_dc.stdout_lines}}" + with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es-ops -o name -n {{openshift_logging_namespace}} +- name: Retrieve elasticsearch-ops + oc_obj: + state: list + kind: dc + selector: "component=es-ops" + namespace: "{{openshift_logging_namespace}}" register: es_dc - changed_when: no - name: stop elasticsearch-ops oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 0 - with_items: "{{es_dc.stdout_lines}}" + with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object when: openshift_logging_use_ops | bool -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=kibana-ops -o name -n {{openshift_logging_namespace}} +- name: Retrieve kibana-ops + oc_obj: + state: list + kind: dc + selector: "component=kibana-ops" + namespace: "{{openshift_logging_namespace}}" register: kibana_dc - changed_when: no - name: stop kibana-ops oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 0 - with_items: "{{kibana_dc.stdout_lines}}" + with_items: "{{ kibana_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object when: openshift_logging_use_ops | bool -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=curator-ops -o name -n {{openshift_logging_namespace}} +- name: Retrieve curator + oc_obj: + state: list + kind: dc + selector: "component=curator-ops" + namespace: "{{openshift_logging_namespace}}" register: curator_dc - changed_when: no - name: stop curator-ops oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" - kubeconfig: "{{mktemp.stdout}}/admin.kubeconfig" replicas: 0 - with_items: "{{curator_dc.stdout_lines}}" + with_items: "{{ curator_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object when: openshift_logging_use_ops | bool diff --git a/roles/openshift_logging/tasks/upgrade_logging.yaml b/roles/openshift_logging/tasks/upgrade_logging.yaml index 0dc31932c..0421cdf58 100644 --- a/roles/openshift_logging/tasks/upgrade_logging.yaml +++ b/roles/openshift_logging/tasks/upgrade_logging.yaml @@ -8,29 +8,34 @@ start_cluster: False # start ES so that we can run migrate script -- command: > - {{openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get dc -l component=es -o name -n {{openshift_logging_namespace}} +- name: Retrieve elasticsearch + oc_obj: + state: list + kind: dc + selector: "component=es" + namespace: "{{openshift_logging_namespace}}" register: es_dc - check_mode: no - name: start elasticsearch oc_scale: kind: dc - name: "{{object.split('/')[1]}}" + name: "{{ object }}" namespace: "{{openshift_logging_namespace}}" replicas: 1 - with_items: "{{es_dc.stdout_lines}}" + with_items: "{{ es_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}" loop_control: loop_var: object -- command: > - {{ openshift.common.client_binary}} --config={{mktemp.stdout}}/admin.kubeconfig get pods -n {{openshift_logging_namespace}} -l component=es -o jsonpath='{.items[?(@.status.phase == "Running")].metadata.name}' +- name: Wait for pods to stop + oc_obj: + state: list + kind: dc + selector: "component=es" + namespace: "{{openshift_logging_namespace}}" register: running_pod - until: running_pod.stdout != '' + until: running_pod.results.results.items[?(@.status.phase == "Running")].metadata.name != '' retries: 30 delay: 10 - changed_when: no - check_mode: no - name: Run upgrade script script: es_migration.sh {{openshift.common.config_base}}/logging/ca.crt {{openshift.common.config_base}}/logging/system.admin.key {{openshift.common.config_base}}/logging/system.admin.crt {{openshift_logging_es_host}} {{openshift_logging_es_port}} {{openshift_logging_namespace}} diff --git a/roles/openshift_manage_node/meta/main.yml b/roles/openshift_manage_node/meta/main.yml new file mode 100644 index 000000000..d90cd28cf --- /dev/null +++ b/roles/openshift_manage_node/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift Red Hat + description: OpenShift Manage Node + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: lib_openshift diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index c06758833..9a883feed 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml @@ -1,23 +1,4 @@ --- -- name: Create temp directory for kubeconfig - command: mktemp -d /tmp/openshift-ansible-XXXXXX - register: mktemp - changed_when: False - delegate_to: "{{ openshift_master_host }}" - run_once: true - -- set_fact: - openshift_manage_node_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - delegate_to: "{{ openshift_master_host }}" - run_once: true - -- name: Copy the admin client config(s) - command: > - cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_manage_node_kubeconfig }} - changed_when: False - delegate_to: "{{ openshift_master_host }}" - run_once: true - # Necessary because when you're on a node that's also a master the master will be # restarted after the node restarts docker and it will take up to 60 seconds for # systemd to start the master again @@ -46,38 +27,37 @@ run_once: true - name: Wait for Node Registration - command: > - {{ hostvars[openshift_master_host].openshift.common.client_binary }} get node {{ openshift.node.nodename }} - --config={{ openshift_manage_node_kubeconfig }} - -n default - register: omd_get_node - until: omd_get_node.rc == 0 + oc_obj: + name: "{{ openshift.node.nodename }}" + kind: node + state: list + register: get_node + until: "'metadata' in get_node.results.results[0]" retries: 50 delay: 5 - changed_when: false when: "'nodename' in openshift.node" delegate_to: "{{ openshift_master_host }}" - name: Set node schedulability - command: > - {{ hostvars[openshift_master_host].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename }} --schedulable={{ 'true' if openshift.node.schedulable | bool else 'false' }} - --config={{ openshift_manage_node_kubeconfig }} - -n default + oadm_manage_node: + node: "{{ openshift.node.nodename | lower }}" + schedulable: "{{ 'true' if openshift.node.schedulable | bool else 'false' }}" + retries: 10 + delay: 5 + register: node_schedulable + until: node_schedulable|succeeded when: "'nodename' in openshift.node" delegate_to: "{{ openshift_master_host }}" - name: Label nodes - command: > - {{ hostvars[openshift_master_host].openshift.common.client_binary }} label --overwrite node {{ openshift.node.nodename }} {{ openshift.node.labels | oo_combine_dict }} - --config={{ openshift_manage_node_kubeconfig }} - -n default - when: "'nodename' in openshift.node and 'labels' in openshift.node and openshift.node.labels != {}" - delegate_to: "{{ openshift_master_host }}" - -- name: Delete temp directory - file: - name: "{{ mktemp.stdout }}" - state: absent - changed_when: False + oc_label: + name: "{{ openshift.node.nodename }}" + kind: node + state: add + labels: "{{ openshift.node.labels | oo_dict_to_list_of_dict }}" + namespace: default + when: + - "'nodename' in openshift.node" + - "'labels' in openshift.node" + - openshift.node.labels != {} delegate_to: "{{ openshift_master_host }}" - run_once: true diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index e58947fd2..f202486a5 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -47,6 +47,9 @@ register: oshawkular_create_cluster_role failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0" changed_when: oshawkular_create_cluster_role.rc == 0 + # AUDIT:changed_when_note: Checking the return code is insufficient + # here. We really need to verify the if the role even exists before + # we run this task. - name: Configure role/user permissions command: > @@ -56,6 +59,10 @@ register: osmiq_perm_task failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0" changed_when: osmiq_perm_task.rc == 0 + # AUDIT:changed_when_note: Checking the return code is insufficient + # here. We really need to compare the current role/user permissions + # with their expected state. I think we may have a module for this? + - name: Configure 3_2 role/user permissions command: > diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 83843f126..edaa7d0df 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml @@ -32,7 +32,7 @@ openshift_metrics_heapster_requests_memory: 0.9375G openshift_metrics_heapster_requests_cpu: null openshift_metrics_heapster_nodeselector: "" -openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}" +openshift_metrics_hawkular_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}" openshift_metrics_duration: 7 openshift_metrics_resolution: 30s diff --git a/roles/openshift_node_upgrade/tasks/main.yml b/roles/openshift_node_upgrade/tasks/main.yml index b1d5f0e0f..609ca2a6e 100644 --- a/roles/openshift_node_upgrade/tasks/main.yml +++ b/roles/openshift_node_upgrade/tasks/main.yml @@ -75,3 +75,9 @@ # so containerized services should restart quickly as well. retries: 24 delay: 5 + # AUDIT:changed_when: `false` because we are only inspecting the + # state of the node, we aren't changing anything (we changed node + # service state in the previous task). You could say we shouldn't + # override this because something will be changing (the state of a + # service), but that should be part of the last task. + changed_when: false |