40 files changed, 384 insertions, 105 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 8dde380f1..b340654f4 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.7.0-0.176.0 ./
+3.7.0-0.178.0 ./
diff --git a/inventory/byo/hosts.example b/inventory/byo/hosts.example
index 499a9d8e7..7c4a7885d 100644
--- a/inventory/byo/hosts.example
+++ b/inventory/byo/hosts.example
@@ -632,6 +632,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_prometheus_storage_volume_name=prometheus
 #openshift_prometheus_storage_volume_size=10Gi
 #openshift_prometheus_storage_labels={'storage': 'prometheus'}
+#openshift_prometheus_storage_type='pvc'
 # For prometheus-alertmanager
 #openshift_prometheus_alertmanager_storage_kind=nfs
 #openshift_prometheus_alertmanager_storage_access_modes=['ReadWriteOnce']
@@ -640,6 +641,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_prometheus_alertmanager_storage_volume_name=prometheus-alertmanager
 #openshift_prometheus_alertmanager_storage_volume_size=10Gi
 #openshift_prometheus_alertmanager_storage_labels={'storage': 'prometheus-alertmanager'}
+#openshift_prometheus_alertmanager_storage_type='pvc'
 # For prometheus-alertbuffer
 #openshift_prometheus_alertbuffer_storage_kind=nfs
 #openshift_prometheus_alertbuffer_storage_access_modes=['ReadWriteOnce']
@@ -648,6 +650,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_prometheus_alertbuffer_storage_volume_name=prometheus-alertbuffer
 #openshift_prometheus_alertbuffer_storage_volume_size=10Gi
 #openshift_prometheus_alertbuffer_storage_labels={'storage': 'prometheus-alertbuffer'}
+#openshift_prometheus_alertbuffer_storage_type='pvc'
 #
 # Option B - External NFS Host
 # NFS volume must already exist with path "nfs_directory/_volume_name" on
@@ -660,6 +663,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_prometheus_storage_volume_name=prometheus
 #openshift_prometheus_storage_volume_size=10Gi
 #openshift_prometheus_storage_labels={'storage': 'prometheus'}
+#openshift_prometheus_storage_type='pvc'
 # For prometheus-alertmanager
 #openshift_prometheus_alertmanager_storage_kind=nfs
 #openshift_prometheus_alertmanager_storage_access_modes=['ReadWriteOnce']
@@ -668,6 +672,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_prometheus_alertmanager_storage_volume_name=prometheus-alertmanager
 #openshift_prometheus_alertmanager_storage_volume_size=10Gi
 #openshift_prometheus_alertmanager_storage_labels={'storage': 'prometheus-alertmanager'}
+#openshift_prometheus_alertmanager_storage_type='pvc'
 # For prometheus-alertbuffer
 #openshift_prometheus_alertbuffer_storage_kind=nfs
 #openshift_prometheus_alertbuffer_storage_access_modes=['ReadWriteOnce']
@@ -676,6 +681,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_prometheus_alertbuffer_storage_volume_name=prometheus-alertbuffer
 #openshift_prometheus_alertbuffer_storage_volume_size=10Gi
 #openshift_prometheus_alertbuffer_storage_labels={'storage': 'prometheus-alertbuffer'}
+#openshift_prometheus_alertbuffer_storage_type='pvc'
 #
 # Option C - none -- Prometheus, alertmanager and alertbuffer will use emptydir volumes
 # which are destroyed when pods are deleted
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 6866f9a4f..5ca9ac3a9 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
 Name:           openshift-ansible
 Version:        3.7.0
-Release:        0.176.0%{?dist}
+Release:        0.178.0%{?dist}
 Summary:        Openshift and Atomic Enterprise Ansible
 License:        ASL 2.0
 URL:            https://github.com/openshift/openshift-ansible
@@ -280,6 +280,38 @@ Atomic OpenShift Utilities includes  %changelog +* Wed Oct 25 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.178.0 +- Split prometheus image defaults to prefix and version (zgalor@redhat.com) +- Remove extraneous spaces that yamllint dislikes (staebler@redhat.com) +- Fix edit and admin role patching for service catalog (staebler@redhat.com) +- strip dash when comparing version with Python3 (jchaloup@redhat.com) +- Bug 1452939 - change Logging & Metrics imagePullPolicy (jwozniak@redhat.com) +- Remove role bindings during service catalog un-install (staebler@redhat.com) +- Fix a few small issues in service catalog uninstall (staebler@redhat.com) +- Remove incorrect validation for OpenIDIdentityProvider (mgugino@redhat.com) +- Enable oreg_auth credential replace during upgrades (mgugino@redhat.com) +- Handle bootstrap behavior in GCP template (ccoleman@redhat.com) +- Ensure upgrades apply latest journald settings (mgugino@redhat.com) + +* Tue Oct 24 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.177.0 +- Check if the master service is non-ha or not (jchaloup@redhat.com) +- Correct host group for controller restart (rteague@redhat.com) +- Set the proper external etcd ip address when migrating embeded etcd +  (jchaloup@redhat.com) +- Switch to stateful set in prometheus (zgalor@redhat.com) +- cli: use the correct name for the master system container +  (gscrivan@redhat.com) +- cli: do not pull again the image when using Docker (gscrivan@redhat.com) +- verstion_gte seems unreliable on containerized installs (sdodson@redhat.com) +- Retry reconcile in case of error and give up eventually (simo@redhat.com) +- Updating ocp es proxy image to use openshift_logging_proxy_image_prefix if +  specified (ewolinet@redhat.com) +- Generate all internal hostnames of no_proxy (ghuang@redhat.com) +- Add nfs variables documentation to README file (zgalor@redhat.com) +- Avoid undefined variable in master sysconfig template (hansmi@vshn.ch) +- Ensure 
proper variable templating for skopeo auth credentials +  (mgugino@redhat.com) +  * Mon Oct 23 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.176.0  - Update defaults (fabian@fabianism.us)  - Use service-ca.crt instead of master ca.crt (fabian@fabianism.us) diff --git a/playbooks/common/openshift-cluster/openshift_prometheus.yml b/playbooks/common/openshift-cluster/openshift_prometheus.yml index ac2d250a3..a73b294a5 100644 --- a/playbooks/common/openshift-cluster/openshift_prometheus.yml +++ b/playbooks/common/openshift-cluster/openshift_prometheus.yml @@ -1,5 +1,25 @@  --- +- name: Prometheus Install Checkpoint Start +  hosts: oo_all_hosts +  gather_facts: false +  tasks: +  - name: Set Prometheus install 'In Progress' +    set_stats: +      data: +        installer_phase_prometheus: "In Progress" +      aggregate: false +  - name: Create Hosted Resources - openshift_prometheus    hosts: oo_first_master    roles:    - role: openshift_prometheus + +- name: Prometheus Install Checkpoint End +  hosts: oo_all_hosts +  gather_facts: false +  tasks: +  - name: Set Prometheus install 'Complete' +    set_stats: +      data: +        installer_phase_prometheus: "Complete" +      aggregate: false diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml index 142ce5f3d..13fa37b09 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml 
@@ -4,6 +4,12 @@
     msg: Verify OpenShift is already installed
   when: openshift.common.version is not defined
+- name: Update oreg_auth docker login credentials if necessary
+  include_role:
+    name: docker
+    tasks_from: registry_auth.yml
+  when: oreg_auth_user is defined
+
 - name: Verify containers are available for upgrade
   command: >
     docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }}
@@ -37,7 +43,7 @@
     fail:
       msg: "OpenShift {{ avail_openshift_version }} is available, but {{ openshift_upgrade_target }} or greater is required"
     when:
-    - openshift_pkg_version | default('0.0', True) | version_compare(openshift_release, '<')
+    - (openshift_pkg_version | default('-0.0', True)).split('-')[1] | version_compare(openshift_release, '<')
 - name: Fail when openshift version does not meet minium requirement for Origin upgrade
   fail:
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index ea4e25f8f..a5e2f7940 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -90,6 +90,9 @@
   - include_vars: ../../../../roles/openshift_master/vars/main.yml
+  - name: Update journald config
+    include: ../../../../roles/openshift_master/tasks/journald.yml
+
   - name: Remove any legacy systemd units and update systemd units
     include: ../../../../roles/openshift_master/tasks/systemd_units.yml
diff --git a/roles/ansible_service_broker/tasks/remove.yml b/roles/ansible_service_broker/tasks/remove.yml
index f0a6be226..51b86fb26 100644
--- a/roles/ansible_service_broker/tasks/remove.yml
+++ b/roles/ansible_service_broker/tasks/remove.yml
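Review bot: The rewritten condition in the second hunk of verify_upgrade_targets.yml, `(openshift_pkg_version | default('-0.0', True)).split('-')[1]`, only works when the value starts with a dash. A value set without the leading dash either has no element at index 1 or yields the release suffix instead of the version, so the pre-upgrade check would stop with a templating error or compare the wrong string. Stripping the prefix explicitly is more tolerant: `- (openshift_pkg_version | default('-0.0', True)).lstrip('-').split('-')[0] | version_compare(openshift_release, '<')`. The task this `when:` belongs to starts above the hunk, so any earlier normalisation of openshift_pkg_version is not visible here.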
@@ -85,9 +85,9 @@
 - name: remove secret for broker auth
   oc_obj:
-    name: asb-auth-secret
+    name: asb-client
     namespace: openshift-ansible-service-broker
-    kind: Broker
+    kind: Secret
     state: absent
 # TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
@@ -99,11 +99,17 @@
     kind: ConfigMap
 # TODO: Is this going to work?
+- shell: >
+    oc get apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found"
+  register: get_apiservices
+  changed_when: no
+
 - name: remove broker object from the catalog
   oc_obj:
     name: ansible-service-broker
     state: absent
-    kind: ServiceBroker
+    kind: ClusterServiceBroker
+  when: not "'not found' in get_apiservices.stdout"
 - name: remove openshift-ansible-service-broker project
   oc_project:
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index d6aee0513..b16413f72 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -153,16 +153,6 @@
 - set_fact:
     docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
-- name: Check for credentials file for registry auth
-  stat:
-    path: "{{ docker_cli_auth_config_path }}/config.json"
-  when: oreg_auth_user is defined
-  register: docker_cli_auth_credentials_stat
-
-- name: Create credentials for docker cli registry auth
-  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
-  when:
-  - oreg_auth_user is defined
-  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+- include: registry_auth.yml
 - meta: flush_handlers
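Review bot: The new guard on "remove broker object from the catalog" in the second remove.yml hunk, `when: not "'not found' in get_apiservices.stdout"`, negates a quoted string literal rather than a membership test, so as written it appears to evaluate to false on every run and the ClusterServiceBroker is never removed. `when: "'not found' not in get_apiservices.stdout"` expresses the intended check. The probe task is unnamed, and its `|| echo "not found"` turns every `oc` failure, including an authentication or connectivity error, into "not found", so an uninstall can silently leave the broker registration behind. Registering the result with `failed_when: false` and testing `rc` and `stderr` would keep those cases distinguishable.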
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
new file mode 100644
index 000000000..65ed60efa
--- /dev/null
+++ b/roles/docker/tasks/registry_auth.yml
@@ -0,0 +1,12 @@
+---
+- name: Check for credentials file for registry auth
+  stat:
+    path: "{{ docker_cli_auth_config_path }}/config.json"
+  when: oreg_auth_user is defined
+  register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+  when:
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
index 25f9405af..55c44bb84 100644
--- a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
+++ b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
@@ -31,6 +31,7 @@ GlusterFS Install          : Not Started
 Hosted Install             : Complete
 Metrics Install            : Not Started
 Logging Install            : Not Started
+Prometheus Install         : Not Started
 Service Catalog Install    : Not Started
 -----------------------------------------------------
@@ -49,6 +50,7 @@ GlusterFS Install          : Not Started
 Hosted Install             : Not Started
 Metrics Install            : Not Started
 Logging Install            : Not Started
+Prometheus Install         : Not Started
 Service Catalog Install    : Not Started
 '''
@@ -80,6 +82,7 @@ class CallbackModule(CallbackBase):
             'installer_phase_hosted',
             'installer_phase_metrics',
             'installer_phase_logging',
+            'installer_phase_prometheus',
             'installer_phase_servicecatalog',
             'installer_phase_management',
         ]
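Review bot: The "Create credentials for docker cli registry auth" task in the new registry_auth.yml passes `-p {{ oreg_auth_password }}` on the docker command line and sets no `no_log`, so the registry password can appear in Ansible output and logs whenever the task result is printed, and in the host's process list while the login runs. Adding `no_log: true` to that task closes the logging side; where the installed docker supports it, feeding the password through `--password-stdin` avoids the argv exposure as well. The templated values are also unquoted inside the command string, so a password containing whitespace would be split into separate arguments. With this commit the same task is additionally run from upgrades/pre/verify_upgrade_targets.yml, which widens where the credential is handled.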
@@ -130,6 +133,10 @@ class CallbackModule(CallbackBase):
                 'title': 'Logging Install',
                 'playbook': 'playbooks/byo/openshift-cluster/openshift-logging.yml'
             },
+            'installer_phase_prometheus': {
+                'title': 'Prometheus Install',
+                'playbook': 'playbooks/byo/openshift-cluster/openshift-prometheus.yml'
+            },
             'installer_phase_servicecatalog': {
                 'title': 'Service Catalog Install',
                 'playbook': 'playbooks/byo/openshift-cluster/service-catalog.yml'
diff --git a/roles/openshift_gcp/templates/provision.j2.sh b/roles/openshift_gcp/templates/provision.j2.sh
index 64c7cd019..5ed6d9f84 100644
--- a/roles/openshift_gcp/templates/provision.j2.sh
+++ b/roles/openshift_gcp/templates/provision.j2.sh
@@ -125,10 +125,11 @@ fi ) &      if ! gcloud --project "{{ openshift_gcp_project }}" compute instance-templates describe "{{ openshift_gcp_prefix }}instance-template-{{ node_group.name }}" &>/dev/null; then          gcloud --project "{{ openshift_gcp_project }}" compute instance-templates create "{{ openshift_gcp_prefix }}instance-template-{{ node_group.name }}" \                  --machine-type "{{ node_group.machine_type }}" --network "{{ openshift_gcp_network_name }}" \ -                --tags "{{ openshift_gcp_prefix }}ocp,ocp,{{ node_group.tags }}" \ +                --tags "{{ openshift_gcp_prefix }}ocp,ocp,{{ 'ocp-bootstrap,' if (node_group.bootstrap | default(False)) else '' }}{{ node_group.tags }}" \                  --boot-disk-size "{{ node_group.boot_disk_size }}" --boot-disk-type "pd-ssd" \                  --scopes "logging-write,monitoring-write,useraccounts-ro,service-control,service-management,storage-ro,compute-rw" \ -                --image "${image}" ${metadata} +                --image "{{ node_group.image | default('${image}') }}" ${metadata}  \ +                --metadata "bootstrap={{ node_group.bootstrap | default(False) | bool | to_json }},cluster-id={{ openshift_gcp_prefix + openshift_gcp_clusterid }},node-group={{ node_group.name }}"      else          echo "Instance template '{{ openshift_gcp_prefix }}instance-template-{{ node_group.name }}' already exists"      fi @@ -312,8 +313,12 @@ fi  # wait until all node groups are stable  {% for node_group in openshift_gcp_node_group_config %} +{% if node_group.bootstrap | default(False) %} +# not waiting for {{ node_group.name }} due to bootstrapping +{% else %}  # wait for stable {{ node_group.name }}  ( gcloud --project "{{ openshift_gcp_project }}" compute instance-groups managed wait-until-stable "{{ openshift_gcp_prefix }}ig-{{ node_group.suffix }}" --zone "{{ openshift_gcp_zone }}" --timeout=600 ) & +{% endif %}  {% endfor %} 
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 280d7d24c..0ea34faf2 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md 
@@ -225,3 +225,78 @@ The corresponding openshift\_logging\_mux\_* parameters are below.  - `openshift_logging_mux_remote_syslog_tag_key`: If string specified, use this field from the record to set the key field on the syslog message  - `openshift_logging_mux_remote_syslog_use_record`: Set `true` to use the severity and facility from the record, defaults to `false`  - `openshift_logging_mux_remote_syslog_payload_key`: If string is specified, use this field from the record as the payload on the syslog message + +Image update procedure +---------------------- +An upgrade of the logging stack from older version to newer is an automated process and should be performed by calling appropriate ansible playbook and setting required ansible variables in your inventory as documented in https://docs.openshift.org/. + +Following text describes manual update of the logging images without version upgrade. To determine the current version of images being used you can. +``` +oc describe pod | grep 'Image ID:' +``` +This will get the repo digest that can later be compared to the inspected image details. + +A way to determine when was your image last updated: +``` +$ docker images +REPOSITORY                              TAG     IMAGE ID       CREATED             SIZE +<registry>/openshift3/logging-fluentd   v3.7    ff2e249fc45a   About an hour ago   235.2 MB + +$ docker inspect ff2e249fc45a +[ +    { +        . . . +        "RepoDigests": [ +            "<registry>/openshift3/logging-fluentd@sha256:4346f0aa9694f32735115705ad324803b1a6ff08343c3288f7a62c3a5cb70495" +        ], +        . . . +        "Config": { +            . . . +            "Labels": { +                . . . +                "build-date": "2017-10-12T14:38:22.414827", +                . . .  +                "release": "0.143.3.0", +                . . . +                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/logging-fluentd/images/v3.7.0-0.143.3.0", +                . 
. . +                "version": "v3.7.0" +            } +        }, +        . . . +``` + +Pull a new image to see if registry has any newer images with the same tag: +``` +$ docker pull <registry>/openshift3/logging-fluentd:v3.7 +``` + +If there was an update, you need to run the `docker pull` on each node. + +It is recommended that you now rerun the `openshift_logging` playbook to ensure that any necessary config changes are also picked up. +  +To manually redeploy your pod you can do the following: +- for a DC you can do: +``` +oc rollout latest <dc_name> +``` +      +- for a RC you can scale down and scale back up +``` +oc scale --replicas=0 <rc_name> + +... wait for scale down + +oc scale --replicas=<original_replica_count> <rc_name> +``` + +- for a DS you can delete the pod or unlabel and relabel your node +``` +oc delete pod --selector=<ds_selector> +``` + +Changelog +--------- + +Tue Oct 10, 2017 +- Default imagePullPolicy changed from Always to IfNotPresent  diff --git a/roles/openshift_logging/templates/jks_pod.j2 b/roles/openshift_logging/templates/jks_pod.j2 index 8b1c74211..e4110b7b3 100644 --- a/roles/openshift_logging/templates/jks_pod.j2 +++ b/roles/openshift_logging/templates/jks_pod.j2 @@ -8,7 +8,7 @@ spec:    containers:    - name: jks-cert-gen      image: {{openshift_logging_image_prefix}}logging-deployer:{{openshift_logging_image_version}} -    imagePullPolicy: Always +    imagePullPolicy: IfNotPresent      command: ["sh",  "{{generated_certs_dir}}/generate-jks.sh"]      securityContext:        privileged: true diff --git a/roles/openshift_logging_curator/templates/curator.j2 b/roles/openshift_logging_curator/templates/curator.j2 index e71393643..462128366 100644 --- a/roles/openshift_logging_curator/templates/curator.j2 +++ b/roles/openshift_logging_curator/templates/curator.j2 
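Review bot: Switching `imagePullPolicy` to `IfNotPresent` in jks_pod.j2 means a node that already holds an image under the configured tag keeps running it, so a rebuilt image carrying security fixes is not picked up until someone pulls it by hand on every node, and this container runs with `privileged: true`. The same one-line change is repeated in curator.j2, es.j2, both eventrouter templates, fluentd.j2 (also privileged), kibana.j2, mux.j2 and the openshift_metrics templates. Consider exposing the pull policy as a role variable that defaults to `IfNotPresent`, or referencing the images by digest, so operators who rely on moving tags can keep `Always`. A short comment next to the setting pointing at the README's image update procedure would also help.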
@@ -38,7 +38,7 @@ spec:          -            name: "curator"            image: {{image}} -          imagePullPolicy: Always +          imagePullPolicy: IfNotPresent  {% if (curator_memory_limit is defined and curator_memory_limit is not none and curator_memory_limit != "") or (curator_cpu_limit is defined and curator_cpu_limit is not none and curator_cpu_limit != "") or (curator_cpu_request is defined and curator_cpu_request is not none and curator_cpu_request != "") %}            resources:  {%   if (curator_memory_limit is defined and curator_memory_limit is not none and curator_memory_limit != "") or (curator_cpu_limit is defined and curator_cpu_limit is not none and curator_cpu_limit != "") %} diff --git a/roles/openshift_logging_elasticsearch/templates/es.j2 b/roles/openshift_logging_elasticsearch/templates/es.j2 index 7966d219e..0c7d8b46e 100644 --- a/roles/openshift_logging_elasticsearch/templates/es.j2 +++ b/roles/openshift_logging_elasticsearch/templates/es.j2 @@ -41,7 +41,7 @@ spec:        containers:          - name: proxy            image: {{ proxy_image }} -          imagePullPolicy: Always +          imagePullPolicy: IfNotPresent            args:             - --upstream-ca=/etc/elasticsearch/secret/admin-ca             - --https-address=:4443 @@ -76,7 +76,7 @@ spec:          -            name: "elasticsearch"            image: {{image}} -          imagePullPolicy: Always +          imagePullPolicy: IfNotPresent            resources:              limits:  {% if es_cpu_limit is defined and es_cpu_limit is not none and es_cpu_limit != '' %} diff --git a/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml b/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml index 91708e54b..cc01c010d 100644 --- a/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml +++ b/roles/openshift_logging_eventrouter/files/eventrouter-template.yaml 
@@ -56,7 +56,7 @@ objects:            containers:              - name: kube-eventrouter                image: ${IMAGE} -              imagePullPolicy: Always +              imagePullPolicy: IfNotPresent                resources:                  limits:                    memory: ${MEMORY}  diff --git a/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 b/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 index 7fdf959d3..5a4f7f762 100644 --- a/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 +++ b/roles/openshift_logging_eventrouter/templates/eventrouter-template.j2 @@ -62,7 +62,7 @@ objects:            containers:              - name: kube-eventrouter                image: ${IMAGE} -              imagePullPolicy: Always +              imagePullPolicy: IfNotPresent                resources:                  limits:                    memory: ${MEMORY} diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2 index b07175a50..10283316c 100644 --- a/roles/openshift_logging_fluentd/templates/fluentd.j2 +++ b/roles/openshift_logging_fluentd/templates/fluentd.j2 @@ -29,7 +29,7 @@ spec:        containers:        - name: "{{ daemonset_container_name }}"          image: "{{ openshift_logging_fluentd_image_prefix }}{{ daemonset_name }}:{{ openshift_logging_fluentd_image_version }}" -        imagePullPolicy: Always +        imagePullPolicy: IfNotPresent          securityContext:            privileged: true  {% if (fluentd_memory_limit is defined and fluentd_memory_limit is not none) or (fluentd_cpu_limit is defined and fluentd_cpu_limit is not none) or (fluentd_cpu_request is defined and fluentd_cpu_request is not none) %} diff --git a/roles/openshift_logging_kibana/templates/kibana.j2 b/roles/openshift_logging_kibana/templates/kibana.j2 index 329ccbde2..4ff86729a 100644 --- a/roles/openshift_logging_kibana/templates/kibana.j2 
+++ b/roles/openshift_logging_kibana/templates/kibana.j2 @@ -37,7 +37,7 @@ spec:          -            name: "kibana"            image: {{ image }} -          imagePullPolicy: Always +          imagePullPolicy: IfNotPresent  {% if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") or (kibana_cpu_request is defined and kibana_cpu_request is not none and kibana_cpu_request != "") %}            resources:  {%   if (kibana_memory_limit is defined and kibana_memory_limit is not none and kibana_memory_limit != "") or (kibana_cpu_limit is defined and kibana_cpu_limit is not none and kibana_cpu_limit != "") %} @@ -84,7 +84,7 @@ spec:          -            name: "kibana-proxy"            image: {{ proxy_image }} -          imagePullPolicy: Always +          imagePullPolicy: IfNotPresent  {% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "") %}            resources:  {%   if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") %} diff --git a/roles/openshift_logging_mux/templates/mux.j2 b/roles/openshift_logging_mux/templates/mux.j2 index 7e88e3964..cfb13d59b 100644 --- a/roles/openshift_logging_mux/templates/mux.j2 +++ b/roles/openshift_logging_mux/templates/mux.j2 
@@ -36,7 +36,7 @@ spec:        containers:        - name: "mux"          image: {{image}} -        imagePullPolicy: Always +        imagePullPolicy: IfNotPresent  {% if (mux_memory_limit is defined and mux_memory_limit is not none) or (mux_cpu_limit is defined and mux_cpu_limit is not none) or (mux_cpu_request is defined and mux_cpu_request is not none) %}          resources:  {%   if (mux_memory_limit is defined and mux_memory_limit is not none) or (mux_cpu_limit is defined and mux_cpu_limit is not none) %} diff --git a/roles/openshift_master/tasks/journald.yml b/roles/openshift_master/tasks/journald.yml new file mode 100644 index 000000000..f79955e95 --- /dev/null +++ b/roles/openshift_master/tasks/journald.yml @@ -0,0 +1,22 @@ +--- +- name: Checking for journald.conf +  stat: path=/etc/systemd/journald.conf +  register: journald_conf_file + +- name: Update journald setup +  replace: +    dest: /etc/systemd/journald.conf +    regexp: '^(\#| )?{{ item.var }}=\s*.*?$' +    replace: ' {{ item.var }}={{ item.val }}' +    backup: yes +  with_items: "{{ journald_vars_to_replace | default([]) }}" +  when: journald_conf_file.stat.exists +  register: journald_update + +# I need to restart journald immediatelly, otherwise it gets into way during +# further steps in ansible +- name: Restart journald +  systemd: +    name: systemd-journald +    state: restarted +  when: journald_update | changed diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 824a5886e..d0bc79c0c 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
@@ -177,31 +177,12 @@      local_facts:        no_proxy_etcd_host_ips: "{{ openshift_no_proxy_etcd_host_ips }}" +- name: Update journald config +  include: journald.yml +  - name: Install the systemd units    include: systemd_units.yml -- name: Checking for journald.conf -  stat: path=/etc/systemd/journald.conf -  register: journald_conf_file - -- name: Update journald setup -  replace: -    dest: /etc/systemd/journald.conf -    regexp: '^(\#| )?{{ item.var }}=\s*.*?$' -    replace: ' {{ item.var }}={{ item.val }}' -    backup: yes -  with_items: "{{ journald_vars_to_replace | default([]) }}" -  when: journald_conf_file.stat.exists -  register: journald_update - -# I need to restart journald immediatelly, otherwise it gets into way during -# further steps in ansible -- name: Restart journald -  systemd: -    name: systemd-journald -    state: restarted -  when: journald_update | changed -  - name: Install Master system container    include: system_container.yml    when: diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py index f7f3ac2b1..a4f410296 100644 --- a/roles/openshift_master_facts/filter_plugins/openshift_master.py +++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py @@ -363,7 +363,6 @@ class OpenIDIdentityProvider(IdentityProviderOauthBase):      def validate(self):          ''' validate this idp instance ''' -        IdentityProviderOauthBase.validate(self)          if not isinstance(self.provider['claims'], dict):              raise errors.AnsibleFilterError("|failed claims for provider {0} "                                              "must be a dictionary".format(self.__class__.__name__)) diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index ed698daca..b74f22c00 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md 
@@ -109,3 +109,78 @@ Author Information  ------------------  Jose David MartÃn (j.david.nieto@gmail.com) + +Image update procedure +---------------------- +An upgrade of the metrics stack from older version to newer is an automated process and should be performed by calling appropriate ansible playbook and setting required ansible variables in your inventory as documented in https://docs.openshift.org/. + +Following text describes manual update of the metrics images without version upgrade. To determine the current version of images being used you can: +``` +oc describe pod | grep 'Image ID:' +``` +This will get the repo digest that can later be compared to the inspected image details. + +A way to determine when was your image last updated: +``` +$ docker images +REPOSITORY                                       TAG     IMAGE ID       CREATED             SIZE +<registry>/openshift3/origin-metrics-cassandra   v3.7    f8ad8d569e27   14 hours ago        783.7 MB + +$ docker inspect 9c3597aeb39f  +[ +    { +        . . . +        "RepoDigests": [ +            "<registry>/openshift3/metrics-cassandra@sha256:d37fc0cab268625b53a92bb98d09fcc501cfca1c68e16bac6dd98446d32ba135 +        ], +        . . . +        "Config": { +            . . . +            "Labels": { +                . . . +                "build-date": "2017-10-17T16:47:44.350655", +                . . .  +                "release": "0.143.4.0", +                . . . +                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/metrics-cassandra/images/v3.7.0-0.143.4.0", +                . . . +                "version": "v3.7.0" +            } +        }, +        . . . +``` + +Pull a new image to see if registry has any newer images with the same tag: +``` +$ docker pull <registry>/openshift3/origin-metrics-cassandra:v3.7 +``` + +If there was an update, you need to run the `docker pull` on each node. 
+ +It is recommended that you now rerun the `openshift_metrics` playbook to ensure that any necessary config changes are also picked up. +  +To manually redeploy your pod you can do the following: +- for a DC you can do: +``` +oc rollout latest <dc_name> +``` +      +- for a RC you can scale down and scale back up +``` +oc scale --replicas=0 <rc_name> + +... wait for scale down + +oc scale --replicas=<original_replica_count> <rc_name> +``` + +- for a DS you can delete the pod or unlabel and relabel your node +``` +oc delete pod --selector=<ds_selector> +``` + +Changelog +--------- + +Tue Oct 10, 2017 +- Default imagePullPolicy changed from Always to IfNotPresent  diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 6f341bcfb..6a3811598 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -30,7 +30,7 @@ spec:  {% endif %}        containers:        - image: "{{ openshift_metrics_image_prefix }}metrics-cassandra:{{ openshift_metrics_image_version }}" -        imagePullPolicy: Always +        imagePullPolicy: IfNotPresent          name: hawkular-cassandra-{{ node }}          ports:          - name: cql-port diff --git a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 index 59f7fb44a..0662bea53 100644 --- a/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_metrics_rc.j2 @@ -25,7 +25,7 @@ spec:  {% endif %}        containers:        - image: {{openshift_metrics_image_prefix}}metrics-hawkular-metrics:{{openshift_metrics_image_version}} -        imagePullPolicy: Always +        imagePullPolicy: IfNotPresent          name: hawkular-metrics          ports:          - name: http-endpoint 
diff --git a/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2 b/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2 index d65eaf9ae..40d09e9fa 100644 --- a/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2 +++ b/roles/openshift_metrics/templates/hawkular_openshift_agent_ds.j2 @@ -25,7 +25,7 @@ spec:  {% endif %}        containers:        - image: {{openshift_metrics_image_prefix}}metrics-hawkular-openshift-agent:{{openshift_metrics_image_version}} -        imagePullPolicy: Always +        imagePullPolicy: IfNotPresent          name: hawkular-openshift-agent  {% if ((openshift_metrics_hawkular_agent_limits_cpu is defined and openshift_metrics_hawkular_agent_limits_cpu is not none)     or (openshift_metrics_hawkular_agent_limits_memory is defined and openshift_metrics_hawkular_agent_limits_memory is not none) diff --git a/roles/openshift_metrics/templates/heapster.j2 b/roles/openshift_metrics/templates/heapster.j2 index d8c7763ea..e732c1eee 100644 --- a/roles/openshift_metrics/templates/heapster.j2 +++ b/roles/openshift_metrics/templates/heapster.j2 @@ -27,7 +27,7 @@ spec:        containers:        - name: heapster          image: {{openshift_metrics_image_prefix}}metrics-heapster:{{openshift_metrics_image_version}} -        imagePullPolicy: Always +        imagePullPolicy: IfNotPresent          ports:          - containerPort: 8082            name: "http-endpoint" diff --git a/roles/openshift_prometheus/README.md b/roles/openshift_prometheus/README.md index ce72930ed..92f74928c 100644 --- a/roles/openshift_prometheus/README.md +++ b/roles/openshift_prometheus/README.md 
@@ -17,16 +17,16 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml).  - `openshift_prometheus_namespace`: project (i.e. namespace) where the components will be    deployed. -- `openshift_prometheus_replicas`: The number of replicas for prometheus deployment. -  - `openshift_prometheus_node_selector`: Selector for the nodes prometheus will be deployed on. -- `openshift_prometheus_image_<COMPONENT>`: specify image for the component  +- `openshift_prometheus_<COMPONENT>_image_prefix`: specify image prefix for the component  + +- `openshift_prometheus_<COMPONENT>_image_version`: specify image version for the component   ## PVC related variables  Each prometheus component (prometheus, alertmanager, alertbuffer) can set pv claim by setting corresponding role variable:  ``` -openshift_prometheus_<COMPONENT>_storage_type: <VALUE> +openshift_prometheus_<COMPONENT>_storage_type: <VALUE> (pvc, emptydir)  openshift_prometheus_<COMPONENT>_pvc_(name|size|access_modes|pv_selector): <VALUE>  ```  e.g diff --git a/roles/openshift_prometheus/defaults/main.yaml b/roles/openshift_prometheus/defaults/main.yaml index c08bec4cb..00995eee6 100644 --- a/roles/openshift_prometheus/defaults/main.yaml +++ b/roles/openshift_prometheus/defaults/main.yaml 
@@ -4,32 +4,38 @@ openshift_prometheus_state: present  openshift_prometheus_namespace: prometheus -openshift_prometheus_replicas: 1  openshift_prometheus_node_selector: {"region":"infra"} -# images -openshift_prometheus_image_proxy: "openshift/oauth-proxy:v1.0.0" -openshift_prometheus_image_prometheus: "openshift/prometheus:v2.0.0-dev" -openshift_prometheus_image_alertmanager: "openshift/prometheus-alertmanager:v0.9.1" -openshift_prometheus_image_alertbuffer: "openshift/prometheus-alert-buffer:v0.0.1" +# image defaults +openshift_prometheus_image_prefix: "openshift/" +openshift_prometheus_image_version: "v2.0.0-dev.3" +openshift_prometheus_proxy_image_prefix: "openshift/" +openshift_prometheus_proxy_image_version: "v1.0.0" +openshift_prometheus_alertmanager_image_prefix: "openshift/" +openshift_prometheus_alertmanager_image_version: "v0.9.1" +openshift_prometheus_alertbuffer_image_prefix: "openshift/" +openshift_prometheus_alertbuffer_image_version: "v0.0.2"  # additional prometheus rules file  openshift_prometheus_additional_rules_file: null  # storage -openshift_prometheus_storage_type: pvc +# One of ['emptydir', 'pvc'] +openshift_prometheus_storage_type: "emptydir"  openshift_prometheus_pvc_name: prometheus  openshift_prometheus_pvc_size: "{{ openshift_prometheus_storage_volume_size | default('10Gi') }}"  openshift_prometheus_pvc_access_modes: [ReadWriteOnce]  openshift_prometheus_pvc_pv_selector: "{{ openshift_prometheus_storage_labels | default({}) }}" -openshift_prometheus_alertmanager_storage_type: pvc +# One of ['emptydir', 'pvc'] +openshift_prometheus_alertmanager_storage_type: "emptydir"  openshift_prometheus_alertmanager_pvc_name: prometheus-alertmanager  openshift_prometheus_alertmanager_pvc_size: "{{ openshift_prometheus_alertmanager_storage_volume_size | default('10Gi') }}"  openshift_prometheus_alertmanager_pvc_access_modes: [ReadWriteOnce]  openshift_prometheus_alertmanager_pvc_pv_selector: "{{ openshift_prometheus_alertmanager_storage_labels | 
default({}) }}" -openshift_prometheus_alertbuffer_storage_type: pvc +# One of ['emptydir', 'pvc'] +openshift_prometheus_alertbuffer_storage_type: "emptydir"  openshift_prometheus_alertbuffer_pvc_name: prometheus-alertbuffer  openshift_prometheus_alertbuffer_pvc_size: "{{ openshift_prometheus_alertbuffer_storage_volume_size | default('10Gi') }}"  openshift_prometheus_alertbuffer_pvc_access_modes: [ReadWriteOnce] diff --git a/roles/openshift_prometheus/tasks/install_prometheus.yaml b/roles/openshift_prometheus/tasks/install_prometheus.yaml index cb75eedca..00c3c1987 100644 --- a/roles/openshift_prometheus/tasks/install_prometheus.yaml +++ b/roles/openshift_prometheus/tasks/install_prometheus.yaml @@ -128,6 +128,7 @@      access_modes: "{{ openshift_prometheus_pvc_access_modes }}"      volume_capacity: "{{ openshift_prometheus_pvc_size }}"      selector: "{{ openshift_prometheus_pvc_pv_selector }}" +  when: openshift_prometheus_storage_type == 'pvc'  - name: create alertmanager pvc    oc_pvc: @@ -136,6 +137,7 @@      access_modes: "{{ openshift_prometheus_alertmanager_pvc_access_modes }}"      volume_capacity: "{{ openshift_prometheus_alertmanager_pvc_size }}"      selector: "{{ openshift_prometheus_alertmanager_pvc_pv_selector }}" +  when: openshift_prometheus_alertmanager_storage_type == 'pvc'  - name: create alertbuffer pvc    oc_pvc: 
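Review bot: The three `*_storage_type` defaults flip from `pvc` to `emptydir`, so an inventory that never set the variable gets, on its next run, volumes whose contents are lost when the pod is deleted (metrics, alertmanager state and the alert buffer), and the only hint is the `# One of ['emptydir', 'pvc']` comment. I would extend that comment to state the consequence, e.g. `# One of ['emptydir', 'pvc']; emptydir data is lost when the pod is deleted`. Separately, the new image defaults are split into a prefix and a version tag (`v2.0.0-dev.3`, `v0.0.2`), and prometheus.j2 joins them as `prefix` + name + `:` + `version`, which leaves no way to pin an image by digest; with `imagePullPolicy: IfNotPresent` what runs then depends on what each node has cached under that tag.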
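Review bot: `when: openshift_prometheus_storage_type == 'pvc'` treats every other value as "no claim", so a misspelt or differently cased value such as `PVC` skips claim creation silently instead of failing; the same applies to the alertmanager condition in the next hunk and the alertbuffer condition in the `@@ -144,22 +146,23 @@` hunk. What prometheus.j2 mounts in that case is not visible here. A validation task ahead of the three `oc_pvc` tasks would surface the mistake, as sketched below. The `oc_pvc` task bodies start above the hunk.

```yaml
- name: validate prometheus storage types
  fail:
    msg: "{{ item.name }} must be one of 'emptydir' or 'pvc'"
  when: item.value not in ['emptydir', 'pvc']
  with_items:
    - name: openshift_prometheus_storage_type
      value: "{{ openshift_prometheus_storage_type }}"
    - name: openshift_prometheus_alertmanager_storage_type
      value: "{{ openshift_prometheus_alertmanager_storage_type }}"
    - name: openshift_prometheus_alertbuffer_storage_type
      value: "{{ openshift_prometheus_alertbuffer_storage_type }}"
# … unchanged: create prometheus pvc (oc_pvc) and the two tasks after it …
```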
@@ -144,22 +146,23 @@      access_modes: "{{ openshift_prometheus_alertbuffer_pvc_access_modes }}"      volume_capacity: "{{ openshift_prometheus_alertbuffer_pvc_size }}"      selector: "{{ openshift_prometheus_alertbuffer_pvc_pv_selector }}" +  when: openshift_prometheus_alertbuffer_storage_type == 'pvc' -# create prometheus deployment -- name: Set prometheus deployment template +# create prometheus stateful set +- name: Set prometheus template    template: -    src: prometheus_deployment.j2 +    src: prometheus.j2      dest: "{{ tempdir }}/templates/prometheus.yaml"    vars:      namespace: "{{ openshift_prometheus_namespace }}" -    prom_replicas: "{{ openshift_prometheus_replicas }}" +#    prom_replicas: "{{ openshift_prometheus_replicas }}" -- name: Set prometheus deployment +- name: Set prometheus stateful set    oc_obj:      state: "{{ state }}"      name: "prometheus"      namespace: "{{ openshift_prometheus_namespace }}" -    kind: deployment +    kind: statefulset      files:        - "{{ tempdir }}/templates/prometheus.yaml"      delete_after: true diff --git a/roles/openshift_prometheus/templates/prometheus_deployment.j2 b/roles/openshift_prometheus/templates/prometheus.j2 index 66eab6df4..916c57aa2 100644 --- a/roles/openshift_prometheus/templates/prometheus_deployment.j2 +++ b/roles/openshift_prometheus/templates/prometheus.j2 @@ -1,12 +1,14 @@ -apiVersion: extensions/v1beta1 -kind: Deployment +apiVersion: apps/v1beta1 +kind: StatefulSet  metadata:    name: prometheus    namespace: {{ namespace }}    labels:      app: prometheus  spec: -  replicas: {{ prom_replicas|default(1) }} +  updateStrategy: +    type: RollingUpdate +  podManagementPolicy: Parallel    selector:      provider: openshift      matchLabels: 
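Review bot: The `prom_replicas` line under `vars:` is commented out rather than removed, which leaves dead configuration in the task and hides the fact that `openshift_prometheus_replicas` is now ignored: the default and the README entry are dropped in this commit and the StatefulSet template no longer has a `replicas` field. I would delete the line and, if a single replica is intentional, say so with `# the stateful set always runs one replica; openshift_prometheus_replicas is no longer used`. The `oc_obj` task also switches `kind: deployment` to `kind: statefulset` under the same name, and no task in this hunk removes the `prometheus` Deployment created by earlier versions, so an upgraded cluster may end up running both unless that is handled elsewhere in the file.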
@@ -27,7 +29,7 @@ spec:        containers:        # Deploy Prometheus behind an oauth proxy        - name: prom-proxy -        image: "{{ openshift_prometheus_image_proxy }}" +        image: "{{openshift_prometheus_proxy_image_prefix}}oauth-proxy:{{openshift_prometheus_proxy_image_version}}"          imagePullPolicy: IfNotPresent          resources:            requests: @@ -60,6 +62,8 @@ spec:          - -tls-key=/etc/tls/private/tls.key          - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token          - -cookie-secret-file=/etc/proxy/secrets/session_secret +        - -openshift-ca=/etc/pki/tls/cert.pem +        - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt          - -skip-auth-regex=^/metrics          volumeMounts:          - mountPath: /etc/tls/private @@ -72,9 +76,10 @@ spec:        - name: prometheus          args:          - --storage.tsdb.retention=6h +        - --storage.tsdb.min-block-duration=2m          - --config.file=/etc/prometheus/prometheus.yml          - --web.listen-address=localhost:9090 -        image: "{{ openshift_prometheus_image_prometheus }}" +        image: "{{openshift_prometheus_image_prefix}}prometheus:{{openshift_prometheus_image_version}}"          imagePullPolicy: IfNotPresent          resources:            requests: @@ -100,7 +105,7 @@ spec:        # Deploy alertmanager behind prometheus-alert-buffer behind an oauth proxy        - name: alerts-proxy -        image: "{{ openshift_prometheus_image_proxy }}" +        image: "{{openshift_prometheus_proxy_image_prefix}}oauth-proxy:{{openshift_prometheus_proxy_image_version}}"          imagePullPolicy: IfNotPresent          resources:            requests: 
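Review bot: In the `@@ -60,6 +62,8 @@` hunk, `-openshift-ca=/etc/pki/tls/cert.pem` appears to add the whole system trust bundle to the CAs the proxy accepts for the OpenShift API, next to the service-account `ca.crt`; that is presumably meant for masters with publicly signed certificates, but it is a wider trust set than the cluster CA alone and nothing here records the reason. The same two flags are added to the alerts-proxy in the `@@ -133,6 +138,8 @@` hunk. A comment above the args would do, e.g. `# system bundle is included for masters whose API certificate is signed by a public CA`. The context line `-skip-auth-regex=^/metrics` has no end anchor, so if the proxy matches unanchored, every path starting with `/metrics` bypasses authentication; `-skip-auth-regex=^/metrics$` would limit it to the one endpoint. The args list starts above the hunk.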
@@ -133,6 +138,8 @@ spec:          - -tls-key=/etc/tls/private/tls.key          - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token          - -cookie-secret-file=/etc/proxy/secrets/session_secret +        - -openshift-ca=/etc/pki/tls/cert.pem +        - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt          volumeMounts:          - mountPath: /etc/tls/private            name: alerts-tls @@ -142,7 +149,7 @@ spec:        - name: alert-buffer          args:          - --storage-path=/alert-buffer/messages.db -        image: "{{ openshift_prometheus_image_alertbuffer }}" +        image: "{{openshift_prometheus_alertbuffer_image_prefix}}prometheus-alert-buffer:{{openshift_prometheus_alertbuffer_image_version}}"          imagePullPolicy: IfNotPresent          resources:            requests: @@ -169,7 +176,7 @@ spec:        - name: alertmanager          args:          - -config.file=/etc/alertmanager/alertmanager.yml -        image: "{{ openshift_prometheus_image_alertmanager }}" +        image: "{{openshift_prometheus_alertmanager_image_prefix}}prometheus-alertmanager:{{openshift_prometheus_alertmanager_image_version}}"          imagePullPolicy: IfNotPresent          resources:            requests: diff --git a/roles/openshift_sanitize_inventory/tasks/__deprecations_logging.yml b/roles/openshift_sanitize_inventory/tasks/__deprecations_logging.yml index e534e0cca..7c1573096 100644 --- a/roles/openshift_sanitize_inventory/tasks/__deprecations_logging.yml +++ b/roles/openshift_sanitize_inventory/tasks/__deprecations_logging.yml 
@@ -21,16 +21,22 @@        openshift_logging_image_pull_secret: openshift_hosted_logging_image_pull_secret        openshift_logging_kibana_hostname: openshift_hosted_logging_hostname        openshift_logging_kibana_ops_hostname: openshift_hosted_logging_ops_hostname +      openshift_logging_kibana_nodeselector: openshift_hosted_logging_kibana_nodeselector +      openshift_logging_kibana_ops_nodeselector: openshift_hosted_logging_kibana_ops_nodeselector        openshift_logging_fluentd_journal_source: openshift_hosted_logging_journal_source        openshift_logging_fluentd_journal_read_from_head: openshift_hosted_logging_journal_read_from_head +      openshift_logging_fluentd_nodeselector: openshift_hosted_logging_fluentd_nodeselector_label        openshift_logging_es_memory_limit: openshift_hosted_logging_elasticsearch_instance_ram        openshift_logging_es_nodeselector: openshift_hosted_logging_elasticsearch_nodeselector +      openshift_logging_es_ops_nodeselector: openshift_hosted_logging_elasticsearch_ops_nodeselector        openshift_logging_es_ops_memory_limit: openshift_hosted_logging_elasticsearch_ops_instance_ram        openshift_logging_storage_access_modes: openshift_hosted_logging_storage_access_modes        openshift_logging_master_public_url: openshift_hosted_logging_master_public_url        openshift_logging_image_prefix: openshift_hosted_logging_deployer_prefix        openshift_logging_image_version: openshift_hosted_logging_deployer_version        openshift_logging_install_logging: openshift_hosted_logging_deploy +      openshift_logging_curator_nodeselector: openshift_hosted_logging_curator_nodeselector +      openshift_logging_curator_ops_nodeselector: openshift_hosted_logging_curator_ops_nodeselector  - set_fact: 
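Review bot: The six `*_nodeselector` entries added to this mapping replace the `set_fact` lines removed in the `@@ -40,9 +46,3 @@` hunk, and those lines did two things a plain old-name to new-name mapping may not: they passed the value through `map_from_pairs`, and for fluentd they defaulted to `logging-infra-fluentd=true`. If the mapping copies the deprecated value unchanged (the task that consumes it is outside the hunk), an inventory that sets `openshift_hosted_logging_kibana_nodeselector` as a `key=value` string would now hand a string to a variable that previously received the converted value. Either confirm the consumer still converts it, or state the expected format next to the entries, e.g. `# values are copied as-is; nodeselectors must already be dicts`.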
@@ -40,9 +46,3 @@      openshift_logging_elasticsearch_ops_pvc_dynamic: "{{ 'true' if openshift_loggingops_storage_kind | default(none) == 'dynamic' else '' }}"      openshift_logging_elasticsearch_ops_pvc_size: "{{ openshift_loggingops_storage_volume_size | default('10Gi') if openshift_loggingops_storage_kind | default(none) in ['dynamic','nfs'] else ''  }}"      openshift_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es-ops' if openshift_loggingops_storage_kind | default(none) == 'dynamic' else '' }}" -    openshift_logging_curator_nodeselector: "{{ openshift_hosted_logging_curator_nodeselector | default('') | map_from_pairs }}" -    openshift_logging_curator_ops_nodeselector: "{{ openshift_hosted_logging_curator_ops_nodeselector | default('') | map_from_pairs }}" -    openshift_logging_kibana_nodeselector: "{{ openshift_hosted_logging_kibana_nodeselector | default('') | map_from_pairs }}" -    openshift_logging_kibana_ops_nodeselector: "{{ openshift_hosted_logging_kibana_ops_nodeselector | default('') | map_from_pairs }}" -    openshift_logging_fluentd_nodeselector: "{{ openshift_hosted_logging_fluentd_nodeselector_label | default('logging-infra-fluentd=true') | map_from_pairs }}" -    openshift_logging_es_ops_nodeselector: "{{ openshift_hosted_logging_elasticsearch_ops_nodeselector | default('') | map_from_pairs }}" diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index 56b2d1463..f449fba2b 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -1,7 +1,7 @@  apiVersion: v1  kind: Template  metadata: -  name: service-catalog +  name: service-catalog-role-bindings  objects:  - apiVersion: authorization.openshift.io/v1 
diff --git a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml index e1af51ce6..f563ae42e 100644 --- a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml @@ -1,7 +1,7 @@  apiVersion: v1  kind: Template  metadata: -  name: kube-system-service-catalog +  name: kube-system-service-catalog-role-bindings  objects:  - apiVersion: authorization.openshift.io/v1 diff --git a/roles/openshift_service_catalog/tasks/generate_certs.yml b/roles/openshift_service_catalog/tasks/generate_certs.yml index 416bdac70..9d55185c8 100644 --- a/roles/openshift_service_catalog/tasks/generate_certs.yml +++ b/roles/openshift_service_catalog/tasks/generate_certs.yml @@ -16,6 +16,16 @@      --key={{ generated_certs_dir }}/ca.key --cert={{ generated_certs_dir }}/ca.crt      --serial={{ generated_certs_dir }}/apiserver.serial.txt --name=service-catalog-signer +- name: Delete old apiserver.crt +  file: +    path: "{{ generated_certs_dir }}/apiserver.crt" +    state: absent + +- name: Delete old apiserver.key +  file: +    path: "{{ generated_certs_dir }}/apiserver.key" +    state: absent +  - name: Generating server keys    oc_adm_ca_server_cert:      cert: "{{ generated_certs_dir }}/apiserver.crt" diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 1e94c8c5d..aa3ec5724 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml 
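Review bot: The two `state: absent` tasks give no reason for removing `apiserver.crt` and `apiserver.key` before `Generating server keys`; presumably `oc_adm_ca_server_cert` leaves an existing pair in place, so a certificate issued under an earlier CA would otherwise survive a reinstall. A comment such as `# remove any previous pair so the server cert is re-issued by the current service-catalog-signer CA` would record that, and the two tasks could be one `file` task with `with_items`. Because the removal is unconditional, the certificate is re-issued on every run of the role; whether the secret and the running apiserver are refreshed to match is decided outside the hunk.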
@@ -47,16 +47,15 @@      dest: "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml"  - oc_obj: -    name: service-catalog +    name: service-catalog-role-bindings      kind: template      namespace: "kube-service-catalog"      files:        - "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml" -    delete_after: yes  - oc_process:      create: True -    template_name: service-catalog +    template_name: service-catalog-role-bindings      namespace: "kube-service-catalog"  - copy: @@ -64,16 +63,15 @@      dest: "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml"  - oc_obj: -    name: kube-system-service-catalog +    name: kube-system-service-catalog-role-bindings      kind: template      namespace: kube-system      files:        - "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml" -    delete_after: yes  - oc_process:      create: True -    template_name: kube-system-service-catalog +    template_name: kube-system-service-catalog-role-bindings      namespace: kube-system  - oc_obj: diff --git a/roles/openshift_service_catalog/tasks/remove.yml b/roles/openshift_service_catalog/tasks/remove.yml index 96ae61507..ca9844e79 100644 --- a/roles/openshift_service_catalog/tasks/remove.yml +++ b/roles/openshift_service_catalog/tasks/remove.yml @@ -3,10 +3,6 @@    command: >      oc delete apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io --ignore-not-found -n kube-service-catalog -- name: Remove Policy Binding -  command: > -    oc delete policybindings/kube-system:default -n kube-system --ignore-not-found -  # TODO: this module doesn't currently remove this  #- name: Remove service catalog api service  #  oc_obj: 
@@ -50,6 +46,26 @@      kind: deployment      name: controller-manager +- name: Remove Service Catalog kube-system Role Bindinds +  shell: > +    oc process kube-system-service-catalog-role-bindings -n kube-system | oc delete --ignore-not-found -f - + +- oc_obj: +    kind: template +    name: "kube-system-service-catalog-role-bindings" +    namespace: kube-system +    state: absent + +- name: Remove Service Catalog kube-service-catalog Role Bindinds +  shell: > +    oc process service-catalog-role-bindings -n kube-service-catalog | oc delete --ignore-not-found -f - + +- oc_obj: +    kind: template +    name: "service-catalog-role-bindings" +    namespace: kube-service-catalog +    state: absent +  - name: Remove Service Catalog namespace    oc_project:      state: absent diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2 index 69b062b3f..4629d5bb3 100644 --- a/roles/openshift_service_catalog/templates/sc_role_patching.j2 +++ b/roles/openshift_service_catalog/templates/sc_role_patching.j2 @@ -3,8 +3,8 @@    - "servicecatalog.k8s.io"    attributeRestrictions: null    resources: -  - instances -  - bindings +  - serviceinstances +  - servicebindings    verbs:    - create    - update diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml index f3afe65ed..28836f97f 100644 --- a/roles/template_service_broker/tasks/remove.yml +++ b/roles/template_service_broker/tasks/remove.yml 
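Review bot: Both new `shell` tasks pipe `oc process <template>` into `oc delete`, so they only work while the renamed template still exists: on a cluster installed before this commit (templates named `service-catalog` and `kube-system-service-catalog`), or on a second run after the template is gone, `oc process` fails and the role bindings it would have listed are not deleted. Leftover role bindings are stale grants, so this path should be explicit: check for the template first and fall back to the old names, or fail with a clear message. The pipeline's exit status is that of `oc delete`, so a failing `oc process` can go unnoticed unless the shell runs with `pipefail`; the `oc process ... | oc delete --ignore-not-found -f -` lines in roles/template_service_broker/tasks/remove.yml have the same shape. The task names also misspell "Bindings" as `Bindinds`.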
@@ -13,11 +13,11 @@  - name: Delete TSB broker    shell: > -    oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" | oc delete -f - +    oc process -f "{{ mktemp.stdout }}/{{ __tsb_broker_file }}" | oc delete --ignore-not-found -f -  - name: Delete TSB objects    shell: > -    oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | kubectl delete -f - +    oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" | oc delete --ignore-not-found -f -  - name: empty out tech preview extension file for service console UI    copy:  | 
