90 files changed, 795 insertions, 545 deletions
@@ -214,7 +214,8 @@ ignore-mixin-members=yes  # (useful for modules/projects where namespaces are manipulated during runtime  # and thus existing member attributes cannot be deduced by static analysis. It  # supports qualified module names, as well as Unix pattern matching. -ignored-modules= +# Ignoring ansible.constants to suppress `no-member` warnings +ignored-modules=ansible.constants  # List of classes names for which member attributes should not be checked  # (useful for classes with attributes dynamically set). This supports can work diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 6fab7527e..88c353122 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.7.5-1 ./ +3.8.0-0.1.0 ./ diff --git a/.tito/releasers.conf b/.tito/releasers.conf index 17baaa1bd..bce5e5443 100644 --- a/.tito/releasers.conf +++ b/.tito/releasers.conf @@ -42,6 +42,10 @@ releaser = tito.release.DistGitReleaser  branches = rhaos-3.7-rhel-7  srpm_disttag = .el7aos +[aos-3.8] +releaser = tito.release.DistGitReleaser +branches = rhaos-3.8-rhel-7 +srpm_disttag = .el7aos  [copr-openshift-ansible]  releaser = tito.release.CoprReleaser diff --git a/callback_plugins/aa_version_requirement.py b/callback_plugins/aa_version_requirement.py index 9562adb28..110b3d673 100644 --- a/callback_plugins/aa_version_requirement.py +++ b/callback_plugins/aa_version_requirement.py @@ -29,7 +29,7 @@ else:  # Set to minimum required Ansible version -REQUIRED_VERSION = '2.3.0.0' +REQUIRED_VERSION = '2.4.0.0'  DESCRIPTION = "Supported versions: %s or newer" % REQUIRED_VERSION diff --git a/docs/proposals/crt_management_proposal.md b/docs/proposals/crt_management_proposal.md new file mode 100644 index 000000000..5fc1ad08d --- /dev/null +++ b/docs/proposals/crt_management_proposal.md 
@@ -0,0 +1,113 @@ +# Container Runtime Management + +## Description +origin and openshift-ansible support multiple container runtimes.  This proposal +is related to refactoring how we handle those runtimes in openshift-ansible. + +### Problems addressed +We currently don't install docker during the install at a point early enough to +not fail health checks, and we don't have a good story around when/how to do it. +This is complicated by logic around containerized and non-containerized installs. + +A web of dependencies can cause changes to docker that are unintended and has +resulted in a series of work-around such as 'skip_docker' boolean. + +We don't handle docker storage because it's BYO.  By moving docker to a prerequisite +play, we can tackle storage up front and never have to touch it again. + +container_runtime logic is currently spread across 3 roles: docker, openshift_docker, +and openshift_docker_facts.  The name 'docker' does not accurately portray what +the role(s) do. + +## Rationale +* Refactor docker (and related meta/fact roles) into 'container_runtime' role. +* Strip all meta-depends on container runtime out of other roles and plays. +* Create a 'prerequisites.yml' entry point that will setup various items +such as container storage and container runtime before executing installation. +* All other roles and plays should merely consume container runtime, should not +configure, restart, or change the container runtime as much as feasible. + +## Design + +The container_runtime role should be comprised of 3 'pseudo-roles' which will be +consumed using include_role; each component area should be enabled/disabled with +a boolean value, defaulting to true. + +I call them 'pseudo-roles' because they are more or less independent functional +areas that may share some variables and act on closely related components.  
This +is an effort to reuse as much code as possible, limit role-bloat (we already have +an abundance of roles), and make things as modular as possible. + +```yaml +# prerequisites.yml +- include: std_include.yml +- include: container_runtime_setup.yml +... +# container_runtime_setup.yml +- hosts: "{{ openshift_runtime_manage_hosts | default('oo_nodes_to_config') }}" +  tasks: +    - include_role: +        name: container_runtime +        tasks_from: install.yml +      when: openshift_container_runtime_install | default(True) | bool +    - include_role: +        name: container_runtime +        tasks_from: storage.yml +      when: openshift_container_runtime_storage | default(True) | bool +    - include_role: +        name: container_runtime +        tasks_from: configure.yml +      when: openshift_container_runtime_configure | default(True) | bool +``` + +Note the host group on the above play.  No more guessing what hosts to run this +stuff against.  If you want to use an atomic install, specify what hosts will need +us to setup container runtime (such as etcd hosts, loadbalancers, etc); + +We should direct users that are using atomic hosts to disable install in the docs, +let's not add a bunch of logic. + +Alternatively, we can create a new group. + +### Part 1, container runtime install +Install the container runtime components of the desired type. + +```yaml +# install.yml +- include: docker.yml +  when: openshift_container_runtime_install_docker | bool + +- include: crio.yml +  when: openshift_container_runtime_install_crio | bool + +... other container run times... +``` + +Alternatively to using booleans for each run time, we could use a variable like +"openshift_container_runtime_type".  This would be my preference, as we could +use this information in later roles. + +### Part 2, configure/setup container runtime storage +Configure a supported storage solution for containers. + +Similar setup to the previous section.  
We might need to add some logic for the +different runtimes here, or we maybe create a matrix of possible options. + +### Part 3, configure container runtime. +Place config files, environment files, systemd units, etc.  Start/restart +the container runtime as needed. + +Similar to Part 1 with how we should do things. + +## Checklist +* Strip docker from meta dependencies. +* Combine docker facts and meta roles into container_runtime role. +* Docs + +## User Story +As a user of openshift-ansible, I want to be able to manage my container runtime +and related components independent of openshift itself. + +## Acceptance Criteria +* Verify that each container runtime installs with this new method. +* Verify that openshift installs with this new method. diff --git a/filter_plugins/openshift_version.py b/filter_plugins/openshift_version.py index c515f1a71..7a70b158b 100644 --- a/filter_plugins/openshift_version.py +++ b/filter_plugins/openshift_version.py 
@@ -10,40 +10,6 @@ Custom version comparison filters for use in openshift-ansible  from distutils.version import LooseVersion -def legacy_gte_function_builder(name, versions): -    """ -    Build and return a version comparison function. - -    Ex: name = 'oo_version_gte_3_1_or_1_1' -        versions = {'enterprise': '3.1', 'origin': '1.1'} - -        returns oo_version_gte_3_1_or_1_1, a function which based on the -        version and deployment type will return true if the provided -        version is greater than or equal to the function's version -    """ -    enterprise_version = versions['enterprise'] -    origin_version = versions['origin'] - -    def _gte_function(version, deployment_type): -        """ -        Dynamic function created by gte_function_builder. - -        Ex: version = '3.1' -            deployment_type = 'openshift-enterprise' -            returns True/False -        """ -        version_gte = False -        if deployment_type == 'openshift-enterprise': -            if str(version) >= LooseVersion(enterprise_version): -                version_gte = True -        else: -            if str(version) >= LooseVersion(origin_version): -                version_gte = True -        return version_gte -    _gte_function.__name__ = name -    return _gte_function - -  def gte_function_builder(name, gte_version):      """      Build and return a version comparison function. 
@@ -96,30 +62,6 @@ class FilterModule(object):                  # Add the function to the mapping                  self._filters[func_name] = func -        # Create filters with special versioning requirements. -        # Treat all Origin 1.x as special case. -        legacy_filters = [{'name': 'oo_version_gte_3_1_or_1_1', -                           'versions': {'enterprise': '3.0.2.905', -                                        'origin': '1.1.0'}}, -                          {'name': 'oo_version_gte_3_1_1_or_1_1_1', -                           'versions': {'enterprise': '3.1.1', -                                        'origin': '1.1.1'}}, -                          {'name': 'oo_version_gte_3_2_or_1_2', -                           'versions': {'enterprise': '3.1.1.901', -                                        'origin': '1.2.0'}}, -                          {'name': 'oo_version_gte_3_3_or_1_3', -                           'versions': {'enterprise': '3.3.0', -                                        'origin': '1.3.0'}}, -                          {'name': 'oo_version_gte_3_4_or_1_4', -                           'versions': {'enterprise': '3.4.0', -                                        'origin': '1.4.0'}}, -                          {'name': 'oo_version_gte_3_5_or_1_5', -                           'versions': {'enterprise': '3.5.0', -                                        'origin': '1.5.0'}}] -        for legacy_filter in legacy_filters: -            self._filters[legacy_filter['name']] = legacy_gte_function_builder(legacy_filter['name'], -                                                                               legacy_filter['versions']) -      def filters(self):          """          Return the filters mapping. diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 8bd9cd0f3..76a56e5cf 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec 
@@ -10,7 +10,7 @@  Name:           openshift-ansible  Version:        3.8.0 -Release:        0.0.0%{?dist} +Release:        0.1.0%{?dist}  Summary:        Openshift and Atomic Enterprise Ansible  License:        ASL 2.0  URL:            https://github.com/openshift/openshift-ansible 
@@ -285,6 +285,38 @@ Atomic OpenShift Utilities includes  %changelog +* Wed Nov 15 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.8.0-0.1.0 +- Allow disabling authorization migration check (sdodson@redhat.com) +- Alternative method to create docker registry auth creds (mgugino@redhat.com) +- Nuke /var/lib/dockershim/sandbox/* while nodes are drained +  (sdodson@redhat.com) +- crio: sync crio.conf (gscrivan@redhat.com) +- Updating provisioning order. (kwoodson@redhat.com) +- Regex anchors changed to match protocol start and ports. +  (kwoodson@redhat.com) +- First pass at v3.8 support (sdodson@redhat.com) +- Run registry auth after docker restart (mgugino@redhat.com) +- Fix extension script for catalog (mgugino@redhat.com) +- Adding instance profile support for node groups. (kwoodson@redhat.com) +- Bumping openshift-ansible to 3.8 (smunilla@redhat.com) +- ansible.cfg: error when inventory does not parse (lmeyer@redhat.com) +- removing kind restrictions from oc_edit (kwoodson@redhat.com) +- Update Docs. Make Clearer where the actual docs are. (tbielawa@redhat.com) +- Remove upgrade playbooks for 3.3 through 3.5 (rteague@redhat.com) +- GlusterFS: Add gluster-s3 functionality (jarrpa@redhat.com) +- GlusterFS: Add glusterblock functionality (jarrpa@redhat.com) +- GlusterFS: Update heketi templates for latest version (jarrpa@redhat.com) +- GlusterFS: Specify resource requests (jarrpa@redhat.com) +- Remove remaining haproxy files with uninstallation +  (nakayamakenjiro@gmail.com) +- Proposal: container_runtime role (mgugino@redhat.com) +- Fix contenerized documentation? (mickael.canevet@camptocamp.com) +- Cleans up additional artifacts in uninstall. Closes 3082 +  (gregswift@gmail.com) +- Add execution times to checkpoint status (rteague@redhat.com) +- Make clearer *_nfs_directory and *_volume_name (lpsantil@gmail.com) +- Allow cluster IP for docker-registry service to be set (hansmi@vshn.ch) +  * Thu Nov 09 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.5-1  -  
diff --git a/playbooks/common/openshift-cluster/cockpit-ui.yml b/playbooks/common/openshift-cluster/cockpit-ui.yml index 5ddafdb07..359132dd0 100644 --- a/playbooks/common/openshift-cluster/cockpit-ui.yml +++ b/playbooks/common/openshift-cluster/cockpit-ui.yml @@ -3,4 +3,6 @@    hosts: oo_first_master    roles:    - role: cockpit-ui -    when: ( openshift.common.version_gte_3_3_or_1_3  | bool ) and ( openshift_hosted_manage_registry | default(true) | bool ) and not (openshift.docker.hosted_registry_insecure | default(false) | bool) +    when: +    - openshift_hosted_manage_registry | default(true) | bool +    - not openshift.docker.hosted_registry_insecure | default(false) | bool diff --git a/playbooks/common/openshift-cluster/enable_dnsmasq.yml b/playbooks/common/openshift-cluster/enable_dnsmasq.yml index be14b06f0..fe765aa5d 100644 --- a/playbooks/common/openshift-cluster/enable_dnsmasq.yml +++ b/playbooks/common/openshift-cluster/enable_dnsmasq.yml @@ -5,9 +5,6 @@    hosts: oo_masters_to_config:oo_nodes_to_config    roles:    - openshift_facts -  post_tasks: -  - fail: msg="This playbook requires a master version of at least Origin 1.1 or OSE 3.1" -    when: not openshift.common.version_gte_3_1_1_or_1_1_1 | bool  - name: Reconfigure masters to listen on our new dns_port    hosts: oo_masters_to_config diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml index e22c8cbdb..eb225dfb5 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml 
@@ -1,11 +1,4 @@  --- -- name: Verify OpenShift version is greater than or equal to 1.2 or 3.2 -  hosts: oo_first_master -  tasks: -  - fail: -      msg: "The current OpenShift version is less than 1.2/3.2 and does not support CA bundles." -    when: not openshift.common.version_gte_3_2_or_1_2 | bool -  - name: Check cert expirys    hosts: oo_nodes_to_config:oo_masters_to_config:oo_etcd_to_config    vars: diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml index afd5463b2..7e9363c5f 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml @@ -70,9 +70,7 @@          --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc,docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"          --cert={{ openshift.common.config_base }}/master/registry.crt          --key={{ openshift.common.config_base }}/master/registry.key -        {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}          --expire-days={{ openshift_hosted_registry_cert_expire_days | default(730) }} -        {% endif %}      - name: Update registry certificates secret        oc_secret: diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml index 122066955..9f93777b4 100644 --- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml 
@@ -117,7 +117,6 @@    - name: grep pluginOrderOverride      command: grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml      register: grep_plugin_order_override -    when: openshift.common.version_gte_3_3_or_1_3 | bool      changed_when: false      failed_when: false diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index 8783ade99..399b818a7 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -63,13 +63,9 @@    vars:      openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"    serial: 1 -  handlers: -  - include: ../../../../roles/openshift_master/handlers/main.yml -    static: yes -  roles: -  - openshift_facts -  - lib_utils -  post_tasks: +  tasks: +  - include_role: +      name: openshift_facts    # Run the pre-upgrade hook if defined:    - debug: msg="Running master pre-upgrade hook {{ openshift_master_upgrade_pre_hook }}" 
@@ -78,55 +74,9 @@    - include: "{{ openshift_master_upgrade_pre_hook }}"      when: openshift_master_upgrade_pre_hook is defined -  - include: rpm_upgrade.yml component=master -    when: not openshift.common.is_containerized | bool - -  - include_vars: ../../../../roles/openshift_master_facts/vars/main.yml - -  - include: upgrade_scheduler.yml - -  - include: "{{ master_config_hook }}" -    when: master_config_hook is defined - -  - include_vars: ../../../../roles/openshift_master/vars/main.yml - -  - name: Update journald config -    include: ../../../../roles/openshift_master/tasks/journald.yml - -  - name: Remove any legacy systemd units and update systemd units -    include: ../../../../roles/openshift_master/tasks/systemd_units.yml - -  - name: Check for ca-bundle.crt -    stat: -      path: "{{ openshift.common.config_base }}/master/ca-bundle.crt" -    register: ca_bundle_stat -    failed_when: false - -  - name: Check for ca.crt -    stat: -      path: "{{ openshift.common.config_base }}/master/ca.crt" -    register: ca_crt_stat -    failed_when: false - -  - name: Migrate ca.crt to ca-bundle.crt -    command: mv ca.crt ca-bundle.crt -    args: -      chdir: "{{ openshift.common.config_base }}/master" -    when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists - -  - name: Link ca.crt to ca-bundle.crt -    file: -      src: "{{ openshift.common.config_base }}/master/ca-bundle.crt" -      path: "{{ openshift.common.config_base }}/master/ca.crt" -      state: link -    when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists - -  - name: Update oreg value -    yedit: -      src: "{{ openshift.common.config_base }}/master/master-config.yaml" -      key: 'imageConfig.format' -      value: "{{ oreg_url | default(oreg_url_master) }}" -    when: oreg_url is defined or oreg_url_master is defined +  - include_role: +      name: openshift_master +      tasks_from: upgrade.yml    # Run the upgrade hook prior to restarting services/system if defined:   
 - debug: msg="Running master upgrade hook {{ openshift_master_upgrade_hook }}" @@ -236,7 +186,6 @@      - reconcile_jenkins_role_binding_result.rc == 0      when:      - openshift_version | version_compare('3.7','<') -    - openshift_version | version_compare('3.4','>=')    - when: openshift_upgrade_target | version_compare('3.7','<')      block: diff --git a/playbooks/common/openshift-master/restart_services.yml b/playbooks/common/openshift-master/restart_services.yml index 4f8b758fd..4e1b3a3be 100644 --- a/playbooks/common/openshift-master/restart_services.yml +++ b/playbooks/common/openshift-master/restart_services.yml @@ -1,22 +1,4 @@  --- -- name: Restart master API -  service: -    name: "{{ openshift.common.service_type }}-master-api" -    state: restarted -  when: openshift_master_ha | bool -- name: Wait for master API to come back online -  wait_for: -    host: "{{ openshift.common.hostname }}" -    state: started -    delay: 10 -    port: "{{ openshift.master.api_port }}" -    timeout: 600 -  when: openshift_master_ha | bool -- name: Restart master controllers -  service: -    name: "{{ openshift.common.service_type }}-master-controllers" -    state: restarted -  # Ignore errrors since it is possible that type != simple for -  # pre-3.1.1 installations. -  ignore_errors: true -  when: openshift_master_ha | bool +- include_role: +    name: openshift_master +    tasks_from: restart.yml diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml index 05b37d59f..4c415ebce 100644 --- a/playbooks/common/openshift-master/scaleup.yml +++ b/playbooks/common/openshift-master/scaleup.yml 
@@ -32,11 +32,7 @@    - name: verify api server      command: >        curl --silent --tlsv1.2 -      {% if openshift.common.version_gte_3_2_or_1_2 | bool %}        --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt -      {% else %} -      --cacert {{ openshift.common.config_base }}/master/ca.crt -      {% endif %}        {{ openshift.master.api_url }}/healthz/ready      args:        # Disables the following warning: diff --git a/playbooks/common/openshift-master/tasks/wire_aggregator.yml b/playbooks/common/openshift-master/tasks/wire_aggregator.yml index 0d23e9d61..97acc5d5d 100644 --- a/playbooks/common/openshift-master/tasks/wire_aggregator.yml +++ b/playbooks/common/openshift-master/tasks/wire_aggregator.yml @@ -201,11 +201,7 @@    # wait_for port doesn't provide health information.    command: >      curl --silent --tlsv1.2 -    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}      --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt -    {% else %} -    --cacert {{ openshift.common.config_base }}/master/ca.crt -    {% endif %}      {{ openshift.master.api_url }}/healthz/ready    args:      # Disables the following warning: diff --git a/requirements.txt b/requirements.txt index bf95b4ff9..5bc29f193 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@  # Versions are pinned to prevent pypi releases arbitrarily breaking  # tests with new APIs/semantics. We want to update versions deliberately. -ansible==2.3.1.0 +ansible==2.4.0.0  boto==2.34.0  click==6.7  pyOpenSSL==16.2.0 diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index c086c28df..224844a06 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -2,6 +2,8 @@  docker_cli_auth_config_path: '/root/.docker'  openshift_docker_signature_verification: False +openshift_docker_alternative_creds: False +  # oreg_url is defined by user input.  oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"  oreg_auth_credentials_replace: False diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index 62b8a2eb5..d5faae8df 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -12,3 +12,4 @@ galaxy_info:  dependencies:  - role: lib_openshift  - role: lib_os_firewall +- role: lib_utils diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 3c814d8d8..69ee62790 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -53,7 +53,7 @@  - when:      - l_use_crio -    - dockerstat.stat.islink is defined and not (dockerstat.stat.islink | bool) +    - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool)    block:      - name: stop the current running docker        systemd: diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml index d05b7f2b8..2c7bc5711 100644 --- a/roles/docker/tasks/registry_auth.yml +++ b/roles/docker/tasks/registry_auth.yml 
@@ -12,5 +12,21 @@    delay: 5    until: openshift_docker_credentials_create_res.rc == 0    when: +  - not openshift_docker_alternative_creds | bool +  - oreg_auth_user is defined +  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts.  This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for docker cli registry auth (alternative) +  docker_creds: +    path: "{{ docker_cli_auth_config_path }}" +    registry: "{{ oreg_host }}" +    username: "{{ oreg_auth_user }}" +    password: "{{ oreg_auth_password }}" +  when: +  - openshift_docker_alternative_creds | bool    - oreg_auth_user is defined    - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 1e2d64293..3fe10454d 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -179,3 +179,9 @@    register: start_result  - meta: flush_handlers + +# If we are using crio only, docker.service might not be available for +# 'docker login' +- include: registry_auth.yml +  vars: +    openshift_docker_alternative_creds: "{{ l_use_crio_only }}" diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index aa3b35ddd..84220fa66 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml 
@@ -173,6 +173,10 @@  - set_fact:      docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}" -- include: registry_auth.yml -  - meta: flush_handlers + +# Since docker is running as a system container, docker login will fail to create +# credentials.  Use alternate method if requiring authenticated registries. +- include: registry_auth.yml +  vars: +    openshift_docker_alternative_creds: True diff --git a/roles/lib_utils/library/docker_creds.py b/roles/lib_utils/library/docker_creds.py new file mode 100644 index 000000000..d4674845e --- /dev/null +++ b/roles/lib_utils/library/docker_creds.py 
@@ -0,0 +1,207 @@
+#!/usr/bin/env python
+# pylint: disable=missing-docstring
+#
+# Copyright 2017 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import base64
+import json
+import os
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = '''
+---
+module: docker_creds
+
+short_description: Creates/updates a 'docker login' file in place of using 'docker login'
+
+version_added: "2.4"
+
+description:
+    - This module creates a docker config.json file in the directory provided by 'path'
+      on hosts that do not support 'docker login' but need the file present for
+      registry authentication purposes of various other services.
+
+options:
+    path:
+        description:
+            - This is the message to send to the sample module
+        required: true
+    registry:
+        description:
+            - This is the registry the credentials are for.
+        required: true
+    username:
+        description:
+            - This is the username to authenticate to the registry with.
+        required: true
+    password:
+        description:
+            - This is the password to authenticate to the registry with.
+        required: true
+
+author:
+    - "Michael Gugino <mgugino@redhat.com>"
+'''
+
+EXAMPLES = '''
+# Pass in a message
+- name: Place credentials in file
+  docker_creds:
+    path: /root/.docker
+    registry: registry.example.com:443
+    username: myuser
+    password: mypassword
+'''
+
+
+def check_dest_dir_exists(module, dest):
+    '''Check if dest dir is present and is a directory'''
+    dir_exists = os.path.exists(dest)
+    if dir_exists:
+        if not os.path.isdir(dest):
+            msg = "{} exists but is not a directory".format(dest)
+            result = {'failed': True,
+                      'changed': False,
+                      'msg': msg,
+                      'state': 'unknown'}
+            module.fail_json(**result)
+        else:
+            return 1
+    else:
+        return 0
+
+
+def create_dest_dir(module, dest):
+    try:
+        os.makedirs(dest, mode=0o700)
+    except OSError as oserror:
+        result = {'failed': True,
+                  'changed': False,
+                  'msg': str(oserror),
+                  'state': 'unknown'}
+        module.fail_json(**result)
+
+
+def load_config_file(module, dest):
+    '''load the config.json in directory dest'''
+    conf_file_path = os.path.join(dest, 'config.json')
+    if os.path.exists(conf_file_path):
+        # Try to open the file and load json data
+        try:
+            with open(conf_file_path) as conf_file:
+                data = conf_file.read()
+            jdata = json.loads(data)
+
+        except IOError as ioerror:
+            result = {'failed': True,
+                      'changed': False,
+                      'msg': str(ioerror),
+                      'state': 'unknown'}
+            module.fail_json(**result)
+        except ValueError as jsonerror:
+            result = {'failed': True,
+                      'changed': False,
+                      'msg': str(jsonerror),
+                      'state': 'unknown'}
+            module.fail_json(**result)
+        return jdata
+    else:
+        # File doesn't exist, we just return an empty dictionary.
+        return {}
+
+
+def update_config(docker_config, registry, username, password):
+    '''Add our registry auth credentials into docker_config dict'''
+
+    # Add anything that might be missing in our dictionary
+    if 'auths' not in docker_config:
+        docker_config['auths'] = {}
+    if registry not in docker_config['auths']:
+        docker_config['auths'][registry] = {}
+
+    # base64 encode our username:password string
+    encoded_data = base64.b64encode('{}:{}'.format(username, password))
+
+    # check if the same value is already present for idempotency.
+    if 'auth' in docker_config['auths'][registry]:
+        if docker_config['auths'][registry]['auth'] == encoded_data:
+            # No need to go further, everything is already set in file.
+            return False
+    docker_config['auths'][registry]['auth'] = encoded_data
+    return True
+
+
+def write_config(module, docker_config, dest):
+    '''Write updated credentials into dest/config.json'''
+    conf_file_path = os.path.join(dest, 'config.json')
+    try:
+        with open(conf_file_path, 'w') as conf_file:
+            json.dump(docker_config, conf_file, indent=8)
+    except IOError as ioerror:
+        result = {'failed': True,
+                  'changed': False,
+                  'msg': str(ioerror),
+                  'state': 'unknown'}
+        module.fail_json(**result)
+
+
+def run_module():
+    '''Run this module'''
+    module_args = dict(
+        path=dict(aliases=['dest', 'name'], required=True, type='path'),
+        registry=dict(type='str', required=True),
+        username=dict(type='str', required=True),
+        password=dict(type='str', required=True, no_log=True)
+    )
+
+    module = AnsibleModule(
+        argument_spec=module_args,
+        supports_check_mode=False
+    )
+
+    # First, create our dest dir if necessary
+    dest = module.params['path']
+    registry = module.params['registry']
+    username = module.params['username']
+    password = module.params['password']
+
+    if not check_dest_dir_exists(module, dest):
+        create_dest_dir(module, dest)
+        docker_config = {}
+    else:
+        # We want to scrape the contents of dest/config.json
+        # in case there are other registries/settings already present.
+        docker_config = load_config_file(module, dest)
+
+    # Put the registry auth info into the config dict.
+    changed = update_config(docker_config, registry, username, password)
+
+    if changed:
+        write_config(module, docker_config, dest)
+
+    result = {'changed': changed}
+
+    module.exit_json(**result)
+
+
+def main():
+    run_module()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index 587526d07..31f0f8e7a 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -97,10 +97,8 @@
     --master={{ openshift.master.api_url }}
     --public-master={{ openshift.master.public_api_url }}
     --cert-dir={{ openshift_ca_config_dir }}
-    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
     --expire-days={{ openshift_master_cert_expire_days }}
     --signer-expire-days={{ openshift_ca_cert_expire_days }}
-    {% endif %}
     --overwrite=false
   when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool
   delegate_to: "{{ openshift_ca_host }}"
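Review bot: write_config creates config.json with a plain `open(conf_file_path, 'w')`, so the file that holds the base64 `username:password` string gets whatever mode the process umask yields (commonly 0644) even though create_dest_dir makes the directory 0o700, and a pre-existing file with a broader mode is left untouched; create it with an explicit 0o600 mode and clamp it afterwards, as sketched below. Separately, update_config calls `base64.b64encode('{}:{}'.format(username, password))` on a str, which raises TypeError under Python 3, and where it did succeed it would produce bytes that json.dump cannot serialize and that never compare equal to the str read back by load_config_file, so the idempotency check would always report a change; `encoded_data = base64.b64encode('{}:{}'.format(username, password).encode('utf-8')).decode('ascii')` behaves the same on both interpreters. The DOCUMENTATION block also still carries sample-module placeholders — `path` is described as "This is the message to send to the sample module" and EXAMPLES opens with `# Pass in a message` — and should instead say that `path` is the directory in which config.json is created or updated.
```python
def write_config(module, docker_config, dest):
    '''Write updated credentials into dest/config.json'''
    conf_file_path = os.path.join(dest, 'config.json')
    try:
        # The file holds registry credentials: create it 0600 instead of
        # inheriting the umask, and clamp the mode of a pre-existing file.
        fd = os.open(conf_file_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as conf_file:
            json.dump(docker_config, conf_file, indent=8)
        os.chmod(conf_file_path, 0o600)
    except (IOError, OSError) as ioerror:
        # … unchanged: build the result dict and call module.fail_json(**result) …
```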
@@ -169,9 +167,7 @@          --signer-serial={{ openshift_ca_serial }}          --user=system:openshift-master          --basename=openshift-master -        {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}          --expire-days={{ openshift_master_cert_expire_days }} -        {% endif %}    - name: Copy generated loopback master client config to master config dir      copy:        src: "{{ openshift_ca_loopback_tmpdir.stdout }}/{{ item }}" diff --git a/roles/openshift_cloud_provider/tasks/openstack.yml b/roles/openshift_cloud_provider/tasks/openstack.yml index 5788e6d74..324630491 100644 --- a/roles/openshift_cloud_provider/tasks/openstack.yml +++ b/roles/openshift_cloud_provider/tasks/openstack.yml @@ -1,8 +1,4 @@  --- -- fail: -    msg: "The Openstack integration requires OpenShift Enterprise 3.2 or Origin 1.2." -  when: not openshift.common.version_gte_3_2_or_1_2 | bool -  - name: Create cloud config    template:      dest: "{{ openshift.common.config_base }}/cloudprovider/openstack.conf" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 699dc300f..99ebb7e36 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -490,7 +490,7 @@ def set_selectors(facts):          facts['hosted']['metrics'] = {}      if 'selector' not in facts['hosted']['metrics'] or facts['hosted']['metrics']['selector'] in [None, 'None']:          facts['hosted']['metrics']['selector'] = None -    if 'logging' not in facts: +    if 'logging' not in facts or not isinstance(facts['logging'], dict):          facts['logging'] = {}      if 'selector' not in facts['logging'] or facts['logging']['selector'] in [None, 'None']:          facts['logging']['selector'] = None 
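Review bot: The new `isinstance(facts['logging'], dict)` guard in set_selectors is not mirrored for `facts['hosted']['metrics']` two lines above, so a non-dict metrics fact still raises on the following `'selector' not in ...` membership test while a non-dict logging fact is now silently replaced. If the intent is to recover from a scalar value, the same guard belongs on the metrics branch, and the discarded value deserves a comment such as `# a non-dict 'logging' fact is discarded here and rebuilt as a dict`. set_selectors starts and ends outside this hunk, so other branches of the function may have the same gap.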
@@ -806,7 +806,7 @@ def set_deployment_facts_if_unset(facts):  # pylint: disable=too-many-statements  def set_version_facts_if_unset(facts):      """ Set version facts. This currently includes common.version and -        common.version_gte_3_1_or_1_1. +        common.version_gte_3_x          Args:              facts (dict): existing facts 
@@ -814,49 +814,19 @@ def set_version_facts_if_unset(facts):              dict: the facts dict updated with version facts.      """      if 'common' in facts: -        deployment_type = facts['common']['deployment_type']          openshift_version = get_openshift_version(facts)          if openshift_version and openshift_version != "latest":              version = LooseVersion(openshift_version)              facts['common']['version'] = openshift_version              facts['common']['short_version'] = '.'.join([str(x) for x in version.version[0:2]]) -            if deployment_type == 'origin': -                version_gte_3_1_or_1_1 = version >= LooseVersion('1.1.0') -                version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('1.1.1') -                version_gte_3_2_or_1_2 = version >= LooseVersion('1.2.0') -                version_gte_3_3_or_1_3 = version >= LooseVersion('1.3.0') -                version_gte_3_4_or_1_4 = version >= LooseVersion('1.4') -                version_gte_3_5_or_1_5 = version >= LooseVersion('1.5') -                version_gte_3_6 = version >= LooseVersion('3.6') -                version_gte_3_7 = version >= LooseVersion('3.7') -                version_gte_3_8 = version >= LooseVersion('3.8') -            else: -                version_gte_3_1_or_1_1 = version >= LooseVersion('3.0.2.905') -                version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('3.1.1') -                version_gte_3_2_or_1_2 = version >= LooseVersion('3.1.1.901') -                version_gte_3_3_or_1_3 = version >= LooseVersion('3.3.0') -                version_gte_3_4_or_1_4 = version >= LooseVersion('3.4') -                version_gte_3_5_or_1_5 = version >= LooseVersion('3.5') -                version_gte_3_6 = version >= LooseVersion('3.6') -                version_gte_3_7 = version >= LooseVersion('3.7') -                version_gte_3_8 = version >= LooseVersion('3.8') +            version_gte_3_6 = version >= LooseVersion('3.6') +            
version_gte_3_7 = version >= LooseVersion('3.7') +            version_gte_3_8 = version >= LooseVersion('3.8')          else:              # 'Latest' version is set to True, 'Next' versions set to False -            version_gte_3_1_or_1_1 = True -            version_gte_3_1_1_or_1_1_1 = True -            version_gte_3_2_or_1_2 = True -            version_gte_3_3_or_1_3 = True -            version_gte_3_4_or_1_4 = True -            version_gte_3_5_or_1_5 = True              version_gte_3_6 = True              version_gte_3_7 = True              version_gte_3_8 = False -        facts['common']['version_gte_3_1_or_1_1'] = version_gte_3_1_or_1_1 -        facts['common']['version_gte_3_1_1_or_1_1_1'] = version_gte_3_1_1_or_1_1_1 -        facts['common']['version_gte_3_2_or_1_2'] = version_gte_3_2_or_1_2 -        facts['common']['version_gte_3_3_or_1_3'] = version_gte_3_3_or_1_3 -        facts['common']['version_gte_3_4_or_1_4'] = version_gte_3_4_or_1_4 -        facts['common']['version_gte_3_5_or_1_5'] = version_gte_3_5_or_1_5          facts['common']['version_gte_3_6'] = version_gte_3_6          facts['common']['version_gte_3_7'] = version_gte_3_7          facts['common']['version_gte_3_8'] = version_gte_3_8 
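Review bot: Dropping the `version_gte_3_1_or_1_1` through `version_gte_3_5_or_1_5` facts makes 3.6 the implicit floor, but nothing in set_version_facts_if_unset states or enforces that: a template or playbook still reading `openshift.common.version_gte_3_5_or_1_5` will now fail on an undefined variable rather than a clear message, and the fallback in the next hunk (`examples_content_version = 'v1.5'`) now applies to every version below 3.6, including ones for which v1.5 content was never the right choice. A comment at that `else`, e.g. `# versions older than 3.6 are no longer supported; v1.5 is the last pre-3.6 content set`, and a docstring sentence naming the supported floor would make the assumption explicit. Whether every consumer of the removed facts is updated elsewhere in this commit cannot be verified from this chunk.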
@@ -867,18 +837,8 @@ def set_version_facts_if_unset(facts):              examples_content_version = 'v3.7'          elif version_gte_3_6:              examples_content_version = 'v3.6' -        elif version_gte_3_5_or_1_5: -            examples_content_version = 'v1.5' -        elif version_gte_3_4_or_1_4: -            examples_content_version = 'v1.4' -        elif version_gte_3_3_or_1_3: -            examples_content_version = 'v1.3' -        elif version_gte_3_2_or_1_2: -            examples_content_version = 'v1.2' -        elif version_gte_3_1_or_1_1: -            examples_content_version = 'v1.1'          else: -            examples_content_version = 'v1.0' +            examples_content_version = 'v1.5'          facts['common']['examples_content_version'] = examples_content_version diff --git a/roles/openshift_hosted/tasks/secure.yml b/roles/openshift_hosted/tasks/secure.yml index 0da8ac8a7..174bc39a4 100644 --- a/roles/openshift_hosted/tasks/secure.yml +++ b/roles/openshift_hosted/tasks/secure.yml @@ -42,7 +42,7 @@      - "{{ openshift_hosted_registry_routehost }}"      cert: "{{ docker_registry_cert_path }}"      key: "{{ docker_registry_key_path }}" -    expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift_deployment_type) | bool else omit }}" +    expire_days: "{{ openshift_hosted_registry_cert_expire_days }}"    register: registry_self_cert    when: docker_registry_self_signed diff --git a/roles/openshift_hosted_metrics/handlers/main.yml b/roles/openshift_hosted_metrics/handlers/main.yml index 88b893448..074b72942 100644 --- a/roles/openshift_hosted_metrics/handlers/main.yml +++ b/roles/openshift_hosted_metrics/handlers/main.yml 
@@ -18,11 +18,7 @@    # wait_for port doesn't provide health information.    command: >      curl --silent --tlsv1.2 -    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}      --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt -    {% else %} -    --cacert {{ openshift.common.config_base }}/master/ca.crt -    {% endif %}      {{ openshift.master.api_url }}/healthz/ready    args:      # Disables the following warning: diff --git a/roles/openshift_logging/handlers/main.yml b/roles/openshift_logging/handlers/main.yml index 88b893448..074b72942 100644 --- a/roles/openshift_logging/handlers/main.yml +++ b/roles/openshift_logging/handlers/main.yml @@ -18,11 +18,7 @@    # wait_for port doesn't provide health information.    command: >      curl --silent --tlsv1.2 -    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}      --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt -    {% else %} -    --cacert {{ openshift.common.config_base }}/master/ca.crt -    {% endif %}      {{ openshift.master.api_url }}/healthz/ready    args:      # Disables the following warning: diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml index 15f6a23e6..7f8e88036 100644 --- a/roles/openshift_logging/tasks/main.yaml +++ b/roles/openshift_logging/tasks/main.yaml 
@@ -3,17 +3,6 @@      msg: Only one Fluentd nodeselector key pair should be provided    when: openshift_logging_fluentd_nodeselector.keys() | count > 1 -- name: Set default image variables based on deployment_type -  include_vars: "{{ item }}" -  with_first_found: -    - "{{ openshift_deployment_type | default(deployment_type) }}.yml" -    - "default_images.yml" - -- name: Set logging image facts -  set_fact: -    openshift_logging_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -    openshift_logging_image_version: "{{ openshift_logging_image_version | default(__openshift_logging_image_version) }}" -  - name: Create temp directory for doing work in    command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX    register: mktemp diff --git a/roles/openshift_logging/vars/default_images.yml b/roles/openshift_logging/vars/default_images.yml deleted file mode 100644 index 1a77808f6..000000000 --- a/roles/openshift_logging/vars/default_images.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -__openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}" -__openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}" diff --git a/roles/openshift_logging/vars/openshift-enterprise.yml b/roles/openshift_logging/vars/openshift-enterprise.yml deleted file mode 100644 index f60fa8d7d..000000000 --- a/roles/openshift_logging/vars/openshift-enterprise.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -__openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('registry.access.redhat.com/openshift3/') }}" -__openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_curator/defaults/main.yml b/roles/openshift_logging_curator/defaults/main.yml index 9cae9f936..a0d221c32 100644 --- a/roles/openshift_logging_curator/defaults/main.yml 
+++ b/roles/openshift_logging_curator/defaults/main.yml @@ -1,7 +1,5 @@  ---  ### General logging settings -openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default('latest') }}"  openshift_logging_curator_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"  openshift_logging_curator_master_url: "https://kubernetes.default.svc.cluster.local" diff --git a/roles/openshift_logging_curator/tasks/determine_version.yaml b/roles/openshift_logging_curator/tasks/determine_version.yaml index 94f8b4a97..2013f4e38 100644 --- a/roles/openshift_logging_curator/tasks/determine_version.yaml +++ b/roles/openshift_logging_curator/tasks/determine_version.yaml @@ -1,16 +1,16 @@  ---  # debating making this a module instead?  - fail: -    msg: Missing version to install provided by 'openshift_logging_image_version' -  when: not openshift_logging_image_version or openshift_logging_image_version == '' +    msg: Missing version to install provided by 'openshift_logging_curator_image_version' +  when: not openshift_logging_curator_image_version or openshift_logging_curator_image_version == ''  - set_fact:      curator_version: "{{ __latest_curator_version }}" -  when: openshift_logging_image_version == 'latest' +  when: openshift_logging_curator_image_version == 'latest'  # should we just assume that we will have the correct major version? -- set_fact: curator_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" -  when: openshift_logging_image_version != 'latest' +- set_fact: curator_version="{{ openshift_logging_curator_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" +  when: openshift_logging_curator_image_version != 'latest'  - fail:      msg: Invalid version specified for Curator 
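Review bot: The rewritten `set_fact: curator_version=...` line in determine_version.yaml keeps a regex whose minor group is a single digit, `(?P<minor>\d)`, so a version such as `v3.10` is reduced to `3_1` and is matched against the wrong supported-version entry instead of failing cleanly. Widening it to `(?P<minor>\d+)` fixes this; the same line is rewritten identically in the elasticsearch, fluentd and kibana determine_version.yaml hunks below. The renamed `when:` conditions are otherwise consistent with the new per-component variables.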
diff --git a/roles/openshift_logging_curator/tasks/main.yaml b/roles/openshift_logging_curator/tasks/main.yaml index fcaf18ed4..7ddf57450 100644 --- a/roles/openshift_logging_curator/tasks/main.yaml +++ b/roles/openshift_logging_curator/tasks/main.yaml @@ -1,4 +1,17 @@  --- +- name: Set default image variables based on deployment_type +  include_vars: "{{ var_file_name }}" +  with_first_found: +    - "{{ openshift_deployment_type | default(deployment_type) }}.yml" +    - "default_images.yml" +  loop_control: +    loop_var: var_file_name + +- name: Set curator image facts +  set_fact: +    openshift_logging_curator_image_prefix: "{{ openshift_logging_curator_image_prefix | default(__openshift_logging_curator_image_prefix) }}" +    openshift_logging_curator_image_version: "{{ openshift_logging_curator_image_version | default(__openshift_logging_curator_image_version) }}" +  - include: determine_version.yaml  # allow passing in a tempdir @@ -35,7 +48,7 @@      name: "aggregated-logging-curator"      namespace: "{{ openshift_logging_namespace }}"    when: -  - openshift_logging_image_pull_secret == '' +    - openshift_logging_image_pull_secret == ''  # configmap  - copy: @@ -65,12 +78,12 @@      name: "logging-curator"      namespace: "{{ openshift_logging_namespace }}"      files: -    - name: ca -      path: "{{ generated_certs_dir }}/ca.crt" -    - name: key -      path: "{{ generated_certs_dir }}/system.logging.curator.key" -    - name: cert -      path: "{{ generated_certs_dir }}/system.logging.curator.crt" +      - name: ca +        path: "{{ generated_certs_dir }}/ca.crt" +      - name: key +        path: "{{ generated_certs_dir }}/system.logging.curator.key" +      - name: cert +        path: "{{ generated_certs_dir }}/system.logging.curator.crt"  - set_fact:      curator_name: "{{ 'logging-curator' ~ ( (openshift_logging_curator_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}" 
@@ -104,7 +117,7 @@      namespace: "{{ openshift_logging_namespace }}"      kind: dc      files: -    - "{{ tempdir }}/templates/curator-dc.yaml" +      - "{{ tempdir }}/templates/curator-dc.yaml"      delete_after: true  - name: Delete temp directory diff --git a/roles/openshift_logging_curator/vars/default_images.yml b/roles/openshift_logging_curator/vars/default_images.yml new file mode 100644 index 000000000..208b41afa --- /dev/null +++ b/roles/openshift_logging_curator/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default('latest') }}" diff --git a/roles/openshift_logging_curator/vars/openshift-enterprise.yml b/roles/openshift_logging_curator/vars/openshift-enterprise.yml new file mode 100644 index 000000000..79cf131fd --- /dev/null +++ b/roles/openshift_logging_curator/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_curator_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_curator_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml index 9fc6fd1d8..bec4432c3 100644 --- a/roles/openshift_logging_elasticsearch/defaults/main.yml +++ b/roles/openshift_logging_elasticsearch/defaults/main.yml 
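Review bot: The new curator `default_images.yml` defaults `__openshift_logging_curator_image_version` to the floating `latest` tag when `openshift_logging_image_version` is unset, whereas the openshift-enterprise counterpart pins `v3.7`; a mutable tag means two runs of the same playbook can pull different images and the deployed version cannot be recovered from the inventory. If `latest` is intentional for origin, a one-line comment such as `# origin images float to 'latest' unless openshift_logging_image_version pins a tag` would make that explicit. The new eventrouter and fluentd default_images.yml files below use the same default.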
@@ -1,7 +1,5 @@  ---  ### Common settings -openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default('latest') }}"  openshift_logging_elasticsearch_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"  openshift_logging_elasticsearch_namespace: logging diff --git a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml index 1a952b5cf..c53a06019 100644 --- a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml @@ -1,18 +1,16 @@  ---  # debating making this a module instead?  - fail: -    msg: Missing version to install provided by 'openshift_logging_image_version' -  when: not openshift_logging_image_version or openshift_logging_image_version == '' +    msg: Missing version to install provided by 'openshift_logging_elasticsearch_image_version' +  when: not openshift_logging_elasticsearch_image_version or openshift_logging_elasticsearch_image_version == ''  - set_fact:      es_version: "{{ __latest_es_version }}" -  when: openshift_logging_image_version == 'latest' - -- debug: var=openshift_logging_image_version +  when: openshift_logging_elasticsearch_image_version == 'latest'  # should we just assume that we will have the correct major version? -- set_fact: es_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" -  when: openshift_logging_image_version != 'latest' +- set_fact: es_version="{{ openshift_logging_elasticsearch_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" +  when: openshift_logging_elasticsearch_image_version != 'latest'  - fail:      msg: Invalid version specified for Elasticsearch 
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index e7ef443bd..2bd02af60 100644 --- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml @@ -15,18 +15,22 @@      elasticsearch_name: "{{ 'logging-elasticsearch' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"      es_component: "{{ 'es' ~ ( (openshift_logging_elasticsearch_ops_deployment | default(false) | bool) | ternary('-ops', '') ) }}" -- include: determine_version.yaml -  - name: Set default image variables based on deployment_type -  include_vars: "{{ item }}" +  include_vars: "{{ var_file_name }}"    with_first_found:      - "{{ openshift_deployment_type | default(deployment_type) }}.yml"      - "default_images.yml" +  loop_control: +    loop_var: var_file_name -- name: Set elasticsearch_prefix image facts +- name: Set elasticsearch image facts    set_fact:      openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_elasticsearch_proxy_image_prefix | default(__openshift_logging_elasticsearch_proxy_image_prefix) }}"      openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_elasticsearch_proxy_image_version | default(__openshift_logging_elasticsearch_proxy_image_version) }}" +    openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_elasticsearch_image_prefix | default(__openshift_logging_elasticsearch_image_prefix) }}" +    openshift_logging_elasticsearch_image_version: "{{ openshift_logging_elasticsearch_image_version | default(__openshift_logging_elasticsearch_image_version) }}" + +- include: determine_version.yaml  # allow passing in a tempdir  - name: Create temp directory for doing work in diff --git a/roles/openshift_logging_elasticsearch/vars/default_images.yml b/roles/openshift_logging_elasticsearch/vars/default_images.yml index b7d105caf..cef49dd92 100644 
--- a/roles/openshift_logging_elasticsearch/vars/default_images.yml +++ b/roles/openshift_logging_elasticsearch/vars/default_images.yml @@ -1,3 +1,5 @@  --- -__openshift_logging_elasticsearch_proxy_image_prefix: "docker.io/openshift/" -__openshift_logging_elasticsearch_proxy_image_version: "v1.0.0" +__openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default('latest') }}" +__openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/') }}" +__openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_image_version | default('v1.0.0') }}" diff --git a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml index 2fd960bb5..07d92896f 100644 --- a/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml +++ b/roles/openshift_logging_elasticsearch/vars/openshift-enterprise.yml @@ -1,3 +1,5 @@  --- +__openshift_logging_elasticsearch_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_elasticsearch_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"  __openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" -__openshift_logging_elasticsearch_proxy_image_version: "v3.7" +__openshift_logging_elasticsearch_proxy_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_eventrouter/defaults/main.yaml b/roles/openshift_logging_eventrouter/defaults/main.yaml index 4c0350c98..62542f496 100644 --- a/roles/openshift_logging_eventrouter/defaults/main.yaml +++ b/roles/openshift_logging_eventrouter/defaults/main.yaml 
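Review bot: In the elasticsearch `default_images.yml` the proxy image reference is no longer fixed at `docker.io/openshift/` and `v1.0.0` but now follows `openshift_logging_image_prefix` and `openshift_logging_image_version`, which are the logging-stack values: a user who sets `openshift_logging_image_prefix: docker.io/openshift/origin-` or `openshift_logging_image_version: v3.7` for the logging images will also rewrite the proxy reference to a prefix or tag it may never have been published under, if the proxy image is versioned independently as the previous hard-coded `v1.0.0` suggests. Either keep the proxy defaults independent, e.g. `__openshift_logging_elasticsearch_proxy_image_version: "v1.0.0"`, or add a comment stating that the proxy image is expected to exist under every logging prefix/version combination. The openshift-enterprise vars file in the next hunk makes the same coupling.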
@@ -1,6 +1,4 @@  --- -openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default('latest') }}"  openshift_logging_eventrouter_replicas: 1  openshift_logging_eventrouter_sink: stdout  openshift_logging_eventrouter_nodeselector: "" diff --git a/roles/openshift_logging_eventrouter/tasks/main.yaml b/roles/openshift_logging_eventrouter/tasks/main.yaml index 58e5a559f..b1f93eeb9 100644 --- a/roles/openshift_logging_eventrouter/tasks/main.yaml +++ b/roles/openshift_logging_eventrouter/tasks/main.yaml @@ -1,4 +1,17 @@  --- +- name: Set default image variables based on deployment_type +  include_vars: "{{ var_file_name }}" +  with_first_found: +    - "{{ openshift_deployment_type | default(deployment_type) }}.yml" +    - "default_images.yml" +  loop_control: +    loop_var: var_file_name + +- name: Set eventrouter image facts +  set_fact: +    openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_eventrouter_image_prefix | default(__openshift_logging_eventrouter_image_prefix) }}" +    openshift_logging_eventrouter_image_version: "{{ openshift_logging_eventrouter_image_version | default(__openshift_logging_eventrouter_image_version) }}" +  - include: "{{ role_path }}/tasks/install_eventrouter.yaml"    when: openshift_logging_install_eventrouter | default(false) | bool diff --git a/roles/openshift_logging_eventrouter/vars/default_images.yml b/roles/openshift_logging_eventrouter/vars/default_images.yml new file mode 100644 index 000000000..dbfe2d697 --- /dev/null +++ b/roles/openshift_logging_eventrouter/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default('latest') }}" 
diff --git a/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml b/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml new file mode 100644 index 000000000..bb7dc6455 --- /dev/null +++ b/roles/openshift_logging_eventrouter/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_eventrouter_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_eventrouter_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml index 861935c99..9b58e4456 100644 --- a/roles/openshift_logging_fluentd/defaults/main.yml +++ b/roles/openshift_logging_fluentd/defaults/main.yml @@ -1,7 +1,5 @@  ---  ### General logging settings -openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default('latest') }}"  openshift_logging_fluentd_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"  openshift_logging_fluentd_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"  openshift_logging_fluentd_namespace: logging diff --git a/roles/openshift_logging_fluentd/tasks/determine_version.yaml b/roles/openshift_logging_fluentd/tasks/determine_version.yaml index a1ba71b1b..6848eb512 100644 --- a/roles/openshift_logging_fluentd/tasks/determine_version.yaml +++ b/roles/openshift_logging_fluentd/tasks/determine_version.yaml 
@@ -1,16 +1,16 @@  ---  # debating making this a module instead?  - fail: -    msg: Missing version to install provided by 'openshift_logging_image_version' -  when: not openshift_logging_image_version or openshift_logging_image_version == '' +    msg: Missing version to install provided by 'openshift_logging_fluentd_image_version' +  when: not openshift_logging_fluentd_image_version or openshift_logging_fluentd_image_version == ''  - set_fact:      fluentd_version: "{{ __latest_fluentd_version }}" -  when: openshift_logging_image_version == 'latest' +  when: openshift_logging_fluentd_image_version == 'latest'  # should we just assume that we will have the correct major version? -- set_fact: fluentd_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" -  when: openshift_logging_image_version != 'latest' +- set_fact: fluentd_version="{{ openshift_logging_fluentd_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" +  when: openshift_logging_fluentd_image_version != 'latest'  - fail:      msg: Invalid version specified for Fluentd diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml index 2f89c3f9f..f8683ab75 100644 --- a/roles/openshift_logging_fluentd/tasks/main.yaml +++ b/roles/openshift_logging_fluentd/tasks/main.yaml 
@@ -34,6 +34,19 @@      msg: WARNING Use of openshift_logging_mux_client_mode=minimal is not recommended due to current scaling issues    when: openshift_logging_mux_client_mode is defined and openshift_logging_mux_client_mode == 'minimal' +- name: Set default image variables based on deployment_type +  include_vars: "{{ var_file_name }}" +  with_first_found: +    - "{{ openshift_deployment_type | default(deployment_type) }}.yml" +    - "default_images.yml" +  loop_control: +    loop_var: var_file_name + +- name: Set fluentd image facts +  set_fact: +    openshift_logging_fluentd_image_prefix: "{{ openshift_logging_fluentd_image_prefix | default(__openshift_logging_fluentd_image_prefix) }}" +    openshift_logging_fluentd_image_version: "{{ openshift_logging_fluentd_image_version | default(__openshift_logging_fluentd_image_version) }}" +  - include: determine_version.yaml  # allow passing in a tempdir @@ -69,7 +82,7 @@      name: "aggregated-logging-fluentd"      namespace: "{{ openshift_logging_fluentd_namespace }}"    when: -  - openshift_logging_image_pull_secret == '' +    - openshift_logging_image_pull_secret == ''  # set service account scc  - name: Set privileged permissions for Fluentd @@ -146,12 +159,12 @@      name: logging-fluentd      namespace: "{{ openshift_logging_fluentd_namespace }}"      files: -    - name: ca -      path: "{{ generated_certs_dir }}/ca.crt" -    - name: key -      path: "{{ generated_certs_dir }}/system.logging.fluentd.key" -    - name: cert -      path: "{{ generated_certs_dir }}/system.logging.fluentd.crt" +      - name: ca +        path: "{{ generated_certs_dir }}/ca.crt" +      - name: key +        path: "{{ generated_certs_dir }}/system.logging.fluentd.key" +      - name: cert +        path: "{{ generated_certs_dir }}/system.logging.fluentd.crt"  # create Fluentd daemonset  # this should change based on the type of fluentd deployment to be done... 
@@ -187,7 +200,7 @@      namespace: "{{ openshift_logging_fluentd_namespace }}"      kind: daemonset      files: -    - "{{ tempdir }}/templates/logging-fluentd.yaml" +      - "{{ tempdir }}/templates/logging-fluentd.yaml"      delete_after: true  # Scale up Fluentd diff --git a/roles/openshift_logging_fluentd/vars/default_images.yml b/roles/openshift_logging_fluentd/vars/default_images.yml new file mode 100644 index 000000000..6d127b730 --- /dev/null +++ b/roles/openshift_logging_fluentd/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}" +__openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default('latest') }}" diff --git a/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml b/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml new file mode 100644 index 000000000..d0c74f1fb --- /dev/null +++ b/roles/openshift_logging_fluentd/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +__openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}" diff --git a/roles/openshift_logging_kibana/defaults/main.yml b/roles/openshift_logging_kibana/defaults/main.yml index 1366e96cd..6cdf7c8f3 100644 --- a/roles/openshift_logging_kibana/defaults/main.yml +++ b/roles/openshift_logging_kibana/defaults/main.yml 
@@ -2,8 +2,6 @@  ### Common settings  openshift_logging_kibana_master_url: "https://kubernetes.default.svc.cluster.local"  openshift_logging_kibana_master_public_url: "https://kubernetes.default.svc.cluster.local" -openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default('latest') }}"  openshift_logging_kibana_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"  openshift_logging_kibana_namespace: logging @@ -25,8 +23,6 @@ openshift_logging_kibana_edge_term_policy: Redirect  openshift_logging_kibana_ops_deployment: false  # Proxy settings -openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}" -openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default('latest') }}"  openshift_logging_kibana_proxy_debug: false  openshift_logging_kibana_proxy_cpu_limit: null  openshift_logging_kibana_proxy_cpu_request: 100m diff --git a/roles/openshift_logging_kibana/tasks/determine_version.yaml b/roles/openshift_logging_kibana/tasks/determine_version.yaml index 53e15af5f..63e5a89f1 100644 --- a/roles/openshift_logging_kibana/tasks/determine_version.yaml +++ b/roles/openshift_logging_kibana/tasks/determine_version.yaml 
@@ -1,16 +1,16 @@  ---  # debating making this a module instead?  - fail: -    msg: Missing version to install provided by 'openshift_logging_image_version' -  when: not openshift_logging_image_version or openshift_logging_image_version == '' +    msg: Missing version to install provided by 'openshift_logging_kibana_image_version' +  when: not openshift_logging_kibana_image_version or openshift_logging_kibana_image_version == ''  - set_fact:      kibana_version: "{{ __latest_kibana_version }}" -  when: openshift_logging_image_version == 'latest' +  when: openshift_logging_kibana_image_version == 'latest'  # should we just assume that we will have the correct major version? -- set_fact: kibana_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" -  when: openshift_logging_image_version != 'latest' +- set_fact: kibana_version="{{ openshift_logging_kibana_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}" +  when: openshift_logging_kibana_image_version != 'latest'  - fail:      msg: Invalid version specified for Kibana diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml index 8ef8ede9a..9d99114c5 100644 --- a/roles/openshift_logging_kibana/tasks/main.yaml +++ b/roles/openshift_logging_kibana/tasks/main.yaml 
@@ -1,5 +1,19 @@
 ---
 # fail is we don't have an endpoint for ES to connect to?
+- name: Set default image variables based on deployment_type
+  include_vars: "{{ var_file_name }}"
+  with_first_found:
+    - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+    - "default_images.yml"
+  loop_control:
+    loop_var: var_file_name
+
+- name: Set kibana image facts
+  set_fact:
+    openshift_logging_kibana_image_prefix: "{{ openshift_logging_kibana_image_prefix | default(__openshift_logging_kibana_image_prefix) }}"
+    openshift_logging_kibana_image_version: "{{ openshift_logging_kibana_image_version | default(__openshift_logging_kibana_image_version) }}"
+    openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_kibana_proxy_image_prefix | default(__openshift_logging_kibana_proxy_image_prefix) }}"
+    openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_kibana_proxy_image_version | default(__openshift_logging_kibana_proxy_image_version) }}"
 - include: determine_version.yaml
@@ -37,7 +51,7 @@
     name: "aggregated-logging-kibana"
     namespace: "{{ openshift_logging_namespace }}"
   when:
-  - openshift_logging_image_pull_secret == ''
+    - openshift_logging_image_pull_secret == ''
 - set_fact:
     kibana_name: "{{ 'logging-kibana' ~ ( (openshift_logging_kibana_ops_deployment | default(false) | bool) | ternary('-ops', '')) }}"
@@ -58,7 +72,7 @@
     content: "{{ 200 | oo_random_word }}"
     dest: "{{ generated_certs_dir }}/session_secret"
   when:
-  - not session_secret_file.stat.exists
+    - not session_secret_file.stat.exists
 # gen oauth_secret if necessary
 - name: Generate oauth secret
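Review bot: The `with_first_found` entry `"{{ openshift_deployment_type | default(deployment_type) }}.yml"` in the first hunk is templated before the lookup runs, so when neither variable is defined the task fails on an undefined variable instead of falling back to `default_images.yml`; if both are guaranteed by the inventory that is acceptable, but a comment should say so, e.g. `# deployment_type is a required inventory variable; default_images.yml only covers unknown deployment types.` The same task is added to roles/openshift_logging_mux/tasks/main.yaml and the same comment applies there. The `set_fact` that follows reads `openshift_logging_kibana_image_prefix | default(...)` for the very name it assigns, which only works because defaults/main.yml no longer defines these variables; that dependency is non-obvious and deserves a one-line comment above the task.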
@@ -66,19 +80,19 @@
     content: "{{ 64 | oo_random_word }}"
     dest: "{{ generated_certs_dir }}/oauth_secret"
   when:
-  - not oauth_secret_file.stat.exists
+    - not oauth_secret_file.stat.exists
 - name: Retrieving the cert to use when generating secrets for the logging components
   slurp:
     src: "{{ generated_certs_dir }}/{{ item.file }}"
   register: key_pairs
   with_items:
-  - { name: "ca_file", file: "ca.crt" }
-  - { name: "kibana_internal_key", file: "kibana-internal.key"}
-  - { name: "kibana_internal_cert", file: "kibana-internal.crt"}
-  - { name: "server_tls", file: "server-tls.json"}
-  - { name: "session_secret", file: "session_secret" }
-  - { name: "oauth_secret", file: "oauth_secret" }
+    - { name: "ca_file", file: "ca.crt" }
+    - { name: "kibana_internal_key", file: "kibana-internal.key"}
+    - { name: "kibana_internal_cert", file: "kibana-internal.crt"}
+    - { name: "server_tls", file: "server-tls.json"}
+    - { name: "session_secret", file: "session_secret" }
+    - { name: "oauth_secret", file: "oauth_secret" }
 # services
 - name: Set {{ kibana_name }} service
@@ -92,8 +106,8 @@
     labels:
       logging-infra: 'support'
     ports:
-    - port: 443
-      targetPort: "oaproxy"
+      - port: 443
+        targetPort: "oaproxy"
 # create routes
 # TODO: set up these certs differently?
@@ -144,7 +158,7 @@
     namespace: "{{ openshift_logging_namespace }}"
     kind: route
     files:
-    - "{{ tempdir }}/templates/kibana-route.yaml"
+      - "{{ tempdir }}/templates/kibana-route.yaml"
 # preserve list of current hostnames
 - name: Get current oauthclient hostnames
@@ -173,7 +187,7 @@
     namespace: "{{ openshift_logging_namespace }}"
     kind: oauthclient
     files:
-    - "{{ tempdir }}/templates/oauth-client.yml"
+      - "{{ tempdir }}/templates/oauth-client.yml"
     delete_after: true
 # create Kibana secret
@@ -183,12 +197,12 @@
     name: "logging-kibana"
     namespace: "{{ openshift_logging_namespace }}"
     files:
-    - name: ca
-      path: "{{ generated_certs_dir }}/ca.crt"
-    - name: key
-      path: "{{ generated_certs_dir }}/system.logging.kibana.key"
-    - name: cert
-      path: "{{ generated_certs_dir }}/system.logging.kibana.crt"
+      - name: ca
+        path: "{{ generated_certs_dir }}/ca.crt"
+      - name: key
+        path: "{{ generated_certs_dir }}/system.logging.kibana.key"
+      - name: cert
+        path: "{{ generated_certs_dir }}/system.logging.kibana.crt"
 # create Kibana-proxy secret
 - name: Set Kibana Proxy secret
@@ -205,16 +219,16 @@
     #- name: server-tls.json
     #  path: "{{ generated_certs_dir }}/server-tls.json"
     contents:
-    - path: oauth-secret
-      data: "{{ key_pairs | entry_from_named_pair('oauth_secret') | b64decode }}"
-    - path: session-secret
-      data: "{{ key_pairs | entry_from_named_pair('session_secret') | b64decode }}"
-    - path: server-key
-      data: "{{ key_pairs | entry_from_named_pair('kibana_internal_key') | b64decode }}"
-    - path: server-cert
-      data: "{{ key_pairs | entry_from_named_pair('kibana_internal_cert') | b64decode }}"
-    - path: server-tls.json
-      data: "{{ key_pairs | entry_from_named_pair('server_tls') | b64decode }}"
+      - path: oauth-secret
+        data: "{{ key_pairs | entry_from_named_pair('oauth_secret') | b64decode }}"
+      - path: session-secret
+        data: "{{ key_pairs | entry_from_named_pair('session_secret') | b64decode }}"
+      - path: server-key
+        data: "{{ key_pairs | entry_from_named_pair('kibana_internal_key') | b64decode }}"
+      - path: server-cert
+        data: "{{ key_pairs | entry_from_named_pair('kibana_internal_cert') | b64decode }}"
+      - path: server-tls.json
+        data: "{{ key_pairs | entry_from_named_pair('server_tls') | b64decode }}"
 # create Kibana DC
 - name: Generate Kibana DC template
@@ -245,7 +259,7 @@
     namespace: "{{ openshift_logging_namespace }}"
     kind: dc
     files:
-    - "{{ tempdir }}/templates/kibana-dc.yaml"
+      - "{{ tempdir }}/templates/kibana-dc.yaml"
     delete_after: true
 # update master configs?
diff --git a/roles/openshift_logging_kibana/vars/default_images.yml b/roles/openshift_logging_kibana/vars/default_images.yml
new file mode 100644
index 000000000..db0f9b622
--- /dev/null
+++ b/roles/openshift_logging_kibana/vars/default_images.yml
@@ -0,0 +1,5 @@
+---
+__openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default('latest') }}"
+__openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default('latest') }}"
diff --git a/roles/openshift_logging_kibana/vars/openshift-enterprise.yml b/roles/openshift_logging_kibana/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..0be2e7252
--- /dev/null
+++ b/roles/openshift_logging_kibana/vars/openshift-enterprise.yml
@@ -0,0 +1,5 @@
+---
+__openshift_logging_kibana_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_kibana_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
+__openshift_logging_kibana_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_kibana_proxy_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml
index 9de686576..cd15da939 100644
--- a/roles/openshift_logging_mux/defaults/main.yml
+++ b/roles/openshift_logging_mux/defaults/main.yml
@@ -1,7 +1,5 @@
 ---
 ### General logging settings
-openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default(__openshift_logging_image_prefix) }}"
-openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default('latest') }}"
 openshift_logging_mux_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}"
 openshift_logging_mux_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}"
 openshift_logging_mux_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://' + openshift.common.public_hostname + ':' ~ (openshift_master_api_port | default('8443', true))) }}"
diff --git a/roles/openshift_logging_mux/tasks/determine_version.yaml b/roles/openshift_logging_mux/tasks/determine_version.yaml
index 229bcf3d5..769475dd5 100644
--- a/roles/openshift_logging_mux/tasks/determine_version.yaml
+++ b/roles/openshift_logging_mux/tasks/determine_version.yaml
@@ -1,16 +1,16 @@
 ---
 # debating making this a module instead?
 - fail:
-    msg: Missing version to install provided by 'openshift_logging_image_version'
-  when: not openshift_logging_image_version or openshift_logging_image_version == ''
+    msg: Missing version to install provided by 'openshift_logging_mux_image_version'
+  when: not openshift_logging_mux_image_version or openshift_logging_mux_image_version == ''
 - set_fact:
     mux_version: "{{ __latest_mux_version }}"
-  when: openshift_logging_image_version == 'latest'
+  when: openshift_logging_mux_image_version == 'latest'
 # should we just assume that we will have the correct major version?
-- set_fact: mux_version="{{ openshift_logging_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
-  when: openshift_logging_image_version != 'latest'
+- set_fact: mux_version="{{ openshift_logging_mux_image_version | regex_replace('^v?(?P<major>\d)\.(?P<minor>\d).*$', '3_\\g<minor>') }}"
+  when: openshift_logging_mux_image_version != 'latest'
 - fail:
     msg: Invalid version specified for mux
diff --git a/roles/openshift_logging_mux/tasks/main.yaml b/roles/openshift_logging_mux/tasks/main.yaml
index 5b257139e..242d92188 100644
--- a/roles/openshift_logging_mux/tasks/main.yaml
+++ b/roles/openshift_logging_mux/tasks/main.yaml
@@ -7,6 +7,19 @@
     msg: Operations logs destination is required
   when: not openshift_logging_mux_ops_host or openshift_logging_mux_ops_host == ''
+- name: Set default image variables based on deployment_type
+  include_vars: "{{ var_file_name }}"
+  with_first_found:
+    - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+    - "default_images.yml"
+  loop_control:
+    loop_var: var_file_name
+
+- name: Set mux image facts
+  set_fact:
+    openshift_logging_mux_image_prefix: "{{ openshift_logging_mux_image_prefix | default(__openshift_logging_mux_image_prefix) }}"
+    openshift_logging_mux_image_version: "{{ openshift_logging_mux_image_version | default(__openshift_logging_mux_image_version) }}"
+
 - include: determine_version.yaml
 # allow passing in a tempdir
@@ -42,7 +55,7 @@
     name: "aggregated-logging-mux"
     namespace: "{{ openshift_logging_mux_namespace }}"
   when:
-  - openshift_logging_image_pull_secret == ''
+    - openshift_logging_image_pull_secret == ''
 # set service account scc
 - name: Set privileged permissions for Mux
@@ -112,14 +125,14 @@
     name: logging-mux
     namespace: "{{ openshift_logging_mux_namespace }}"
     files:
-    - name: ca
-      path: "{{ generated_certs_dir }}/ca.crt"
-    - name: key
-      path: "{{ generated_certs_dir }}/system.logging.mux.key"
-    - name: cert
-      path: "{{ generated_certs_dir }}/system.logging.mux.crt"
-    - name: shared_key
-      path: "{{ generated_certs_dir }}/mux_shared_key"
+      - name: ca
+        path: "{{ generated_certs_dir }}/ca.crt"
+      - name: key
+        path: "{{ generated_certs_dir }}/system.logging.mux.key"
+      - name: cert
+        path: "{{ generated_certs_dir }}/system.logging.mux.crt"
+      - name: shared_key
+        path: "{{ generated_certs_dir }}/mux_shared_key"
 # services
 - name: Set logging-mux service for external communication
@@ -133,11 +146,11 @@
     labels:
       logging-infra: 'support'
     ports:
-    - name: mux-forward
-      port: "{{ openshift_logging_mux_port }}"
-      targetPort: "mux-forward"
+      - name: mux-forward
+        port: "{{ openshift_logging_mux_port }}"
+        targetPort: "mux-forward"
     external_ips:
-    - "{{ ansible_eth0.ipv4.address }}"
+      - "{{ ansible_eth0.ipv4.address }}"
   when: openshift_logging_mux_allow_external | bool
 - name: Set logging-mux service for internal communication
@@ -151,9 +164,9 @@
     labels:
       logging-infra: 'support'
     ports:
-    - name: mux-forward
-      port: "{{ openshift_logging_mux_port }}"
-      targetPort: "mux-forward"
+      - name: mux-forward
+        port: "{{ openshift_logging_mux_port }}"
+        targetPort: "mux-forward"
   when: not openshift_logging_mux_allow_external | bool
 # create Mux DC
@@ -188,7 +201,7 @@
     selector: "{{ openshift_logging_mux_file_buffer_pvc_pv_selector }}"
     storage_class_name: "{{ openshift_logging_mux_file_buffer_pvc_storage_class_name | default('', true) }}"
   when:
-  - openshift_logging_mux_file_buffer_storage_type == "pvc"
+    - openshift_logging_mux_file_buffer_storage_type == "pvc"
 - name: Set logging-mux DC
   oc_obj:
@@ -197,7 +210,7 @@
     namespace: "{{ openshift_logging_mux_namespace }}"
     kind: dc
     files:
-    - "{{ tempdir }}/templates/logging-mux-dc.yaml"
+      - "{{ tempdir }}/templates/logging-mux-dc.yaml"
     delete_after: true
 - name: Add mux namespaces
diff --git a/roles/openshift_logging_mux/vars/default_images.yml b/roles/openshift_logging_mux/vars/default_images.yml
new file mode 100644
index 000000000..bd5dc4504
--- /dev/null
+++ b/roles/openshift_logging_mux/vars/default_images.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default('docker.io/openshift/origin-') }}"
+__openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default('latest') }}"
diff --git a/roles/openshift_logging_mux/vars/openshift-enterprise.yml b/roles/openshift_logging_mux/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..1e7eb9d8d
--- /dev/null
+++ b/roles/openshift_logging_mux/vars/openshift-enterprise.yml
@@ -0,0 +1,3 @@
+---
+__openshift_logging_mux_image_prefix: "{{ openshift_logging_image_prefix | default('registry.access.redhat.com/openshift3/') }}"
+__openshift_logging_mux_image_version: "{{ openshift_logging_image_version | default ('v3.7') }}"
diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml
index f67aee88b..fbbac1176 100644
--- a/roles/openshift_manage_node/tasks/main.yml
+++ b/roles/openshift_manage_node/tasks/main.yml
@@ -7,11 +7,7 @@
   # wait_for port doesn't provide health information.
   command: >
     curl --silent --tlsv1.2
-    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
     --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-    {% else %}
-    --cacert {{ openshift.common.config_base }}/master/ca.crt
-    {% endif %}
     {{ openshift_node_master_api_url }}/healthz/ready
   args:
     # Disables the following warning:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index a27fbae7e..3fb94fff8 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -31,6 +31,7 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur
 oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
 oreg_auth_credentials_replace: False
 l_bind_docker_reg_auth: False
+openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"
 containerized_svc_dir: "/usr/lib/systemd/system"
 ha_svc_template_path: "native-cluster"
@@ -66,3 +67,6 @@ openshift_master_bootstrap_enabled: False
 openshift_master_csr_sa: node-bootstrapper
 openshift_master_csr_namespace: openshift-infra
+
+openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml"
+openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json"
diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml
index f88c4a7dc..359536202 100644
--- a/roles/openshift_master/handlers/main.yml
+++ b/roles/openshift_master/handlers/main.yml
@@ -25,11 +25,7 @@
   # wait_for port doesn't provide health information.
   command: >
     curl --silent --tlsv1.2
-    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
     --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-    {% else %}
-    --cacert {{ openshift.common.config_base }}/master/ca.crt
-    {% endif %}
     {{ openshift.master.api_url }}/healthz/ready
   args:
     # Disables the following warning:
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index c7c02d49b..b6d3539b1 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -18,12 +18,6 @@
   - openshift.master.ha | bool
   - (openshift.master.cluster_method is not defined) or (openshift.master.cluster_method is defined and openshift.master.cluster_method not in ["native", "pacemaker"])
 - fail:
-    msg: "'native' high availability is not supported for the requested OpenShift version"
-  when:
-  - openshift.master.ha | bool
-  - openshift.master.cluster_method == "native"
-  - not openshift.common.version_gte_3_1_or_1_1 | bool
-- fail:
     msg: "openshift_master_cluster_password must be set for multi-master installations"
   when:
   - openshift.master.ha | bool
@@ -222,8 +216,6 @@
   when: openshift_master_bootstrap_enabled | default(False)
 - include: set_loopback_context.yml
-  when:
-  - openshift.common.version_gte_3_2_or_1_2
 - name: Start and enable master api on first master
   systemd:
diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml
index cde01c49e..c95f562d0 100644
--- a/roles/openshift_master/tasks/registry_auth.yml
+++ b/roles/openshift_master/tasks/registry_auth.yml
@@ -8,6 +8,7 @@
 - name: Create credentials for registry auth
   command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
   when:
+  - not (openshift_docker_alternative_creds | default(False))
   - oreg_auth_user is defined
   - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
   register: master_oreg_auth_credentials_create
@@ -18,6 +19,25 @@
   - restart master api
   - restart master controllers
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts.  This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for registry auth (alternative)
+  docker_creds:
+    path: "{{ oreg_auth_credentials_path }}"
+    registry: "{{ oreg_host }}"
+    username: "{{ oreg_auth_user }}"
+    password: "{{ oreg_auth_password }}"
+  when:
+  - openshift_docker_alternative_creds | default(False) | bool
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+  register: master_oreg_auth_credentials_create
+  notify:
+  - restart master api
+  - restart master controllers
+
 # Container images may need the registry credentials
 - name: Setup ro mount of /root/.docker for containerized hosts
   set_fact:
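Review bot: The new `docker_creds` task in the second registry_auth.yml hunk passes `password: "{{ oreg_auth_password }}"` as a module argument without `no_log`, so the registry password is printed in verbose task output and captured by callback logs on every run; add `no_log: true` to that task (the existing `docker ... login -p {{ oreg_auth_password }}` command task in the first hunk has the same exposure and would benefit from the same line). The new guard reads `docker_cli_auth_credentials_stat`, while the task directly above it uses `master_oreg_auth_credentials_stat`; unless that register is set elsewhere in the file, this references an undefined variable and the task errors instead of skipping. The two guards should also use the same form, `not (openshift_docker_alternative_creds | default(False) | bool)`, so the flag is interpreted identically whether it arrives as a boolean or as the templated string from defaults/main.yml.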
diff --git a/roles/openshift_master/tasks/restart.yml b/roles/openshift_master/tasks/restart.yml
new file mode 100644
index 000000000..4f8b758fd
--- /dev/null
+++ b/roles/openshift_master/tasks/restart.yml
@@ -0,0 +1,22 @@
+---
+- name: Restart master API
+  service:
+    name: "{{ openshift.common.service_type }}-master-api"
+    state: restarted
+  when: openshift_master_ha | bool
+- name: Wait for master API to come back online
+  wait_for:
+    host: "{{ openshift.common.hostname }}"
+    state: started
+    delay: 10
+    port: "{{ openshift.master.api_port }}"
+    timeout: 600
+  when: openshift_master_ha | bool
+- name: Restart master controllers
+  service:
+    name: "{{ openshift.common.service_type }}-master-controllers"
+    state: restarted
+  # Ignore errrors since it is possible that type != simple for
+  # pre-3.1.1 installations.
+  ignore_errors: true
+  when: openshift_master_ha | bool
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 8420dfb8c..b0fa72f19 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -2,9 +2,6 @@
 # systemd_units.yml is included both in the openshift_master role and in the upgrade
 # playbooks.
-- include: upgrade_facts.yml
-  when: openshift_master_defaults_in_use is not defined
-
 - name: Set HA Service Info for containerized installs
   set_fact:
     containerized_svc_dir: "/etc/systemd/system"
diff --git a/roles/openshift_master/tasks/upgrade.yml b/roles/openshift_master/tasks/upgrade.yml
new file mode 100644
index 000000000..92371921d
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade.yml
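Review bot: `ignore_errors: true` on 'Restart master controllers' in the new restart.yml masks a failed restart, so a master can finish the play still running the old controllers configuration with no failed task to show for it. The comment justifies it with `Type=simple` on pre-3.1.1 installs, but this same commit removes the `Type=simple` branch from the controllers unit template, so the reason no longer holds; drop the `ignore_errors: true` line and the two comment lines above it so a failed restart is surfaced. If the tolerance is still wanted for some other reason, the comment should state that reason (and fix the "errrors" typo).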
@@ -0,0 +1,45 @@
+---
+- include: upgrade/rpm_upgrade.yml
+  when: not openshift.common.is_containerized | bool
+
+- include: upgrade/upgrade_scheduler.yml
+
+# master_config_hook is passed in from upgrade play.
+- include: "upgrade/{{ master_config_hook }}"
+  when: master_config_hook is defined
+
+- include: journald.yml
+
+- include: systemd_units.yml
+
+- name: Check for ca-bundle.crt
+  stat:
+    path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+  register: ca_bundle_stat
+  failed_when: false
+
+- name: Check for ca.crt
+  stat:
+    path: "{{ openshift.common.config_base }}/master/ca.crt"
+  register: ca_crt_stat
+  failed_when: false
+
+- name: Migrate ca.crt to ca-bundle.crt
+  command: mv ca.crt ca-bundle.crt
+  args:
+    chdir: "{{ openshift.common.config_base }}/master"
+  when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+- name: Link ca.crt to ca-bundle.crt
+  file:
+    src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+    path: "{{ openshift.common.config_base }}/master/ca.crt"
+    state: link
+  when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+- name: Update oreg value
+  yedit:
+    src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+    key: 'imageConfig.format'
+    value: "{{ oreg_url | default(oreg_url_master) }}"
+  when: oreg_url is defined or oreg_url_master is defined
diff --git a/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
index 8cc46ab68..f914a9978 100644
--- a/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
+++ b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
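Review bot: `when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists` on the 'Migrate ca.crt' and 'Link ca.crt' tasks dereferences `stat.isreg`, which the stat module only reports for a path that exists; on a master with no ca.crt at all the condition raises an undefined-attribute error instead of skipping, and `failed_when: false` on the stat task does nothing for that. Guard on existence first, on both tasks: `when: ca_crt_stat.stat.exists and ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists`. Because the handlers and openshift_manage_node hunks in this commit now point `curl --cacert` unconditionally at ca-bundle.crt, a comment above 'Check for ca-bundle.crt' should record that dependency, e.g. `# Masters installed before ca-bundle.crt existed only have ca.crt; the rest of the role now assumes ca-bundle.crt.`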
@@ -18,21 +18,3 @@
       - "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version }}"
       - "{{ openshift.common.service_type }}-clients{{ openshift_pkg_version }}"
       - "tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
-      - PyYAML
-  when:
-    - component == "master"
-    - not openshift.common.is_atomic | bool
-
-- name: Upgrade node packages
-  package: name={{ node_pkgs | join(',') }} state=present
-  vars:
-    node_pkgs:
-      - "{{ openshift.common.service_type }}{{ openshift_pkg_version }}"
-      - "{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
-      - "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version }}"
-      - "{{ openshift.common.service_type }}-clients{{ openshift_pkg_version }}"
-      - "tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
-      - PyYAML
-  when:
-    - component == "node"
-    - not openshift.common.is_atomic | bool
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_scheduler.yml b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml
index 8558bf3e9..8558bf3e9 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_scheduler.yml
+++ b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml
index db0c8f886..db0c8f886 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_6/master_config_upgrade.yml
+++ b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml
index 1d4d1919c..1d4d1919c 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml
+++ b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 5bc135601..629fe3286 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -3,9 +3,6 @@ admissionConfig:
   pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }}
 {% endif %}
 apiLevels:
-{% if not openshift.common.version_gte_3_1_or_1_1 | bool %}
-- v1beta3
-{% endif %}
 - v1
 apiVersion: v1
 assetConfig:
@@ -44,10 +41,9 @@ assetConfig:
     - {{ cipher_suite }}
 {% endfor %}
 {% endif %}
-{% if openshift.master.audit_config | default(none) is not none and openshift.common.version_gte_3_2_or_1_2 | bool %}
+{% if openshift.master.audit_config | default(none) is not none %}
 auditConfig:{{ openshift.master.audit_config | to_padded_yaml(level=1) }}
 {% endif %}
-{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
 controllerConfig:
   election:
     lockName: openshift-master-controllers
@@ -55,7 +51,6 @@ controllerConfig:
     signer:
       certFile: service-signer.crt
       keyFile: service-signer.key
-{% endif %}
 controllers: '*'
 corsAllowedOrigins:
   # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname
@@ -74,11 +69,7 @@ dnsConfig:
   bindNetwork: tcp4
 {% endif %}
 etcdClientInfo:
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   ca: {{ "ca-bundle.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
-{% else %}
-  ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
-{% endif %}
   certFile: master.etcd-client.crt
   keyFile: master.etcd-client.key
   urls:
@@ -92,20 +83,12 @@ etcdConfig:
   peerServingInfo:
     bindAddress: {{ openshift.master.bind_addr }}:7001
     certFile: etcd.server.crt
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
     clientCA: ca-bundle.crt
-{% else %}
-    clientCA: ca.crt
-{% endif %}
     keyFile: etcd.server.key
   servingInfo:
     bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.etcd_port }}
     certFile: etcd.server.crt
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
     clientCA: ca-bundle.crt
-{% else %}
-    clientCA: ca.crt
-{% endif %}
     keyFile: etcd.server.key
   storageDirectory: {{ r_openshift_master_data_dir }}/openshift.local.etcd
 {% endif %}
@@ -123,21 +106,12 @@ imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level
 kind: MasterConfig
 kubeletClientInfo:
 {# TODO: allow user specified kubelet port #}
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   ca: ca-bundle.crt
-{% else %}
-  ca: ca.crt
-{% endif %}
   certFile: master.kubelet-client.crt
   keyFile: master.kubelet-client.key
   port: 10250
 {% if openshift.master.embedded_kube | bool %}
 kubernetesMasterConfig:
-{% if not openshift.common.version_gte_3_1_or_1_1 | bool %}
-  apiLevels:
-  - v1beta3
-  - v1
-{% endif %}
   apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }}
 {% if r_openshift_master_etcd3_storage or ( r_openshift_master_clean_install and openshift.common.version_gte_3_6 ) %}
     storage-backend:
@@ -160,21 +134,17 @@ kubernetesMasterConfig:
 {% endif %}
 masterClients:
 {# TODO: allow user to set externalKubernetesKubeConfig #}
-{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
   externalKubernetesClientConnectionOverrides:
     acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
     contentType: application/vnd.kubernetes.protobuf
     burst: {{ openshift_master_external_ratelimit_burst | default(400) }}
     qps: {{ openshift_master_external_ratelimit_qps | default(200) }}
-{% endif %}
   externalKubernetesKubeConfig: ""
-{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
   openshiftLoopbackClientConnectionOverrides:
     acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
     contentType: application/vnd.kubernetes.protobuf
     burst: {{ openshift_master_loopback_ratelimit_burst | default(600) }}
     qps: {{ openshift_master_loopback_ratelimit_qps | default(300) }}
-{% endif %}
   openshiftLoopbackKubeConfig: openshift-master.kubeconfig
 masterPublicURL: {{ openshift.master.public_api_url }}
 networkConfig:
@@ -208,11 +178,7 @@ oauthConfig:
 {% for line in translated_identity_providers.splitlines() %}
   {{ line }}
 {% endfor %}
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   masterCA: ca-bundle.crt
-{% else %}
-  masterCA: ca.crt
-{% endif %}
   masterPublicURL: {{ openshift.master.public_api_url }}
   masterURL: {{ openshift.master.api_url }}
   sessionConfig:
@@ -245,11 +211,7 @@ serviceAccountConfig:
   - default
   - builder
   - deployer
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   masterCA: ca-bundle.crt
-{% else %}
-  masterCA: ca.crt
-{% endif %}
   privateKeyFile: serviceaccounts.private.key
   publicKeyFiles:
   - serviceaccounts.public.key
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
index e284413f7..fae021845 100644
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
@@ -7,11 +7,7 @@ Wants={{ openshift.common.service_type }}-master-api.service
 Requires=network-online.target
 [Service]
-{% if openshift.common.version_gte_3_1_1_or_1_1_1 | bool %}
 Type=notify
-{% else %}
-Type=simple
-{% endif %}
 EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
 Environment=GOTRACEBACK=crash
 ExecStart=/usr/bin/openshift start master controllers --config=${CONFIG_FILE} $OPTIONS
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index d9ffb1b6f..ec1fbb1ee 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -3,7 +3,7 @@
     openshift_master_certs_no_etcd:
     - admin.crt
     - master.kubelet-client.crt
-    - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
+    - master.proxy-client.crt
     - master.server.crt
     - openshift-master.crt
     - openshift-registry.crt
@@ -57,9 +57,7 @@      --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}      --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt      --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key -    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}      --expire-days={{ openshift_master_cert_expire_days }} -    {% endif %}      --signer-cert={{ openshift_ca_cert }}      --signer-key={{ openshift_ca_key }}      --signer-serial={{ openshift_ca_serial }} @@ -87,9 +85,7 @@        --signer-serial={{ openshift_ca_serial }}        --user=system:openshift-master        --basename=openshift-master -      {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}        --expire-days={{ openshift_master_cert_expire_days }} -      {% endif %}    args:      creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"    with_items: "{{ hostvars diff --git a/roles/openshift_master_cluster/tasks/main.yml b/roles/openshift_master_cluster/tasks/main.yml index 0543872c9..40705d357 100644 --- a/roles/openshift_master_cluster/tasks/main.yml +++ b/roles/openshift_master_cluster/tasks/main.yml @@ -3,10 +3,6 @@      msg: "Not possible on atomic hosts for now"    when: openshift.common.is_containerized | bool -- fail: -    msg: "Pacemaker HA is unsupported on OpenShift Enterprise 3.2 and Origin 1.2" -  when: openshift.master.cluster_method == "pacemaker" and openshift.common.version_gte_3_2_or_1_2 | bool -  - name: Test if cluster is already configured    command: pcs status    register: pcs_status diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py index 97a5179e0..c827f2d26 100644 
--- a/roles/openshift_master_facts/filter_plugins/openshift_master.py +++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py @@ -518,29 +518,16 @@ class FilterModule(object):                   'admin.key',                   'admin.kubeconfig',                   'master.kubelet-client.crt', -                 'master.kubelet-client.key'] +                 'master.kubelet-client.key', +                 'master.proxy-client.crt', +                 'master.proxy-client.key', +                 'service-signer.crt', +                 'service-signer.key']          if bool(include_ca):              certs += ['ca.crt', 'ca.key', 'ca-bundle.crt', 'client-ca-bundle.crt']          if bool(include_keys):              certs += ['serviceaccounts.private.key',                        'serviceaccounts.public.key'] -        if bool(hostvars['openshift']['common']['version_gte_3_1_or_1_1']): -            certs += ['master.proxy-client.crt', -                      'master.proxy-client.key'] -        if not bool(hostvars['openshift']['common']['version_gte_3_2_or_1_2']): -            certs += ['openshift-master.crt', -                      'openshift-master.key', -                      'openshift-master.kubeconfig'] -        if bool(hostvars['openshift']['common']['version_gte_3_3_or_1_3']): -            certs += ['service-signer.crt', -                      'service-signer.key'] -        if not bool(hostvars['openshift']['common']['version_gte_3_5_or_1_5']): -            certs += ['openshift-registry.crt', -                      'openshift-registry.key', -                      'openshift-registry.kubeconfig', -                      'openshift-router.crt', -                      'openshift-router.key', -                      'openshift-router.kubeconfig']          return certs      @staticmethod diff --git a/roles/openshift_metrics/handlers/main.yml b/roles/openshift_metrics/handlers/main.yml index 88b893448..074b72942 100644 
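Review bot: After this hunk no remaining line of the method reads `hostvars`, so if the signature (which starts above the hunk) still declares a `hostvars` parameter it is now dead unless some other part of the body uses it; either drop it together with the argument at the filter's call sites, or add a one-line comment saying why it is kept. The certificate set here appears to overlap with `openshift_master_certs_no_etcd` in roles/openshift_master_certificates/tasks/main.yml, which after this commit still lists `openshift-master.crt` and `openshift-registry.crt` while this list no longer produces them, so the two lists now disagree; a comment in each file pointing at the other, such as `# keep in sync with openshift_master_certs_no_etcd in openshift_master_certificates`, would make the next divergence visible.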
--- a/roles/openshift_metrics/handlers/main.yml +++ b/roles/openshift_metrics/handlers/main.yml @@ -18,11 +18,7 @@    # wait_for port doesn't provide health information.    command: >      curl --silent --tlsv1.2 -    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}      --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt -    {% else %} -    --cacert {{ openshift.common.config_base }}/master/ca.crt -    {% endif %}      {{ openshift.master.api_url }}/healthz/ready    args:      # Disables the following warning: diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 85ad33ad3..89d154ad7 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -85,6 +85,7 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur  oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker"  oreg_auth_credentials_replace: False  l_bind_docker_reg_auth: False +openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"  # NOTE  # r_openshift_node_*_default may be defined external to this role. diff --git a/roles/openshift_node/tasks/registry_auth.yml b/roles/openshift_node/tasks/registry_auth.yml index 5e5e4f94a..f5428867a 100644 --- a/roles/openshift_node/tasks/registry_auth.yml +++ b/roles/openshift_node/tasks/registry_auth.yml @@ -8,6 +8,7 @@  - name: Create credentials for registry auth    command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"    when: +    - not (openshift_docker_alternative_creds | default(False))      - oreg_auth_user is defined      - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool    register: node_oreg_auth_credentials_create 
@@ -17,6 +18,24 @@    notify:      - restart node +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts.  This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for registry auth (alternative) +  docker_creds: +    path: "{{ oreg_auth_credentials_path }}" +    registry: "{{ oreg_host }}" +    username: "{{ oreg_auth_user }}" +    password: "{{ oreg_auth_password }}" +  when: +    - openshift_docker_alternative_creds | bool +    - oreg_auth_user is defined +    - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool +  register: node_oreg_auth_credentials_create +  notify: +    - restart node +  # Container images may need the registry credentials  - name: Setup ro mount of /root/.docker for containerized hosts    set_fact: diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 718d35dca..d452cc45c 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -29,13 +29,11 @@ kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yam    runtime-request-timeout:    - 10m  {% endif %} -{% if openshift.common.version_gte_3_3_or_1_3 | bool %}  masterClientConnectionOverrides:    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json    contentType: application/vnd.kubernetes.protobuf    burst: 200    qps: 100 -{% endif %}  masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig  {% if openshift_node_use_openshift_sdn | bool %}  networkPluginName: {{ openshift_node_sdn_network_plugin_name }} diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 1a775178d..97f1fbbdd 100644 
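Review bot: The new `docker_creds` task passes `oreg_auth_password` as a module argument without `no_log: true`, so the password is printed in verbose task output and retained in the registered `node_oreg_auth_credentials_create` result; add `no_log: true` to the task. The same task is added in roles/openshift_node_upgrade/tasks/registry_auth.yml and needs the same line. The existing `command: docker ... login -p` task above has the same exposure but is not touched by this commit. Since the comment states the module never contacts the registry, a bad credential only surfaces later at image pull time; a short sentence in the comment saying so would save operators debugging time.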
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -66,9 +66,7 @@
     --signer-key={{ openshift_ca_key }}
     --signer-serial={{ openshift_ca_serial }}
     --user=system:node:{{ hostvars[item].openshift.common.hostname }}
-    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
     --expire-days={{ openshift_node_cert_expire_days }}
-    {% endif %}
   args:
     creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}"
   with_items: "{{ hostvars
@@ -82,9 +80,7 @@
     {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
     --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt
     --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key
-    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
     --expire-days={{ openshift_node_cert_expire_days }}
-    {% endif %}
     --overwrite=true
     --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }}
     --signer-cert={{ openshift_ca_cert }}
diff --git a/roles/openshift_node_upgrade/defaults/main.yml b/roles/openshift_node_upgrade/defaults/main.yml
index 10b4c6977..1da434e6f 100644
--- a/roles/openshift_node_upgrade/defaults/main.yml
+++ b/roles/openshift_node_upgrade/defaults/main.yml
@@ -12,3 +12,4 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur  oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker"  oreg_auth_credentials_replace: False  l_bind_docker_reg_auth: False +openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}" diff --git a/roles/openshift_node_upgrade/tasks/main.yml b/roles/openshift_node_upgrade/tasks/main.yml index c1c9e0062..66c1fcc38 100644 --- a/roles/openshift_node_upgrade/tasks/main.yml +++ b/roles/openshift_node_upgrade/tasks/main.yml @@ -69,8 +69,6 @@    file:      path: "/etc/systemd/system/docker.service.d/docker-sdn-ovs.conf"      state: absent -  when: (deployment_type == 'openshift-enterprise' and openshift_release | version_compare('3.4', '>=')) -     or (deployment_type == 'origin' and openshift_release | version_compare('1.4', '>='))  - include: containerized_node_upgrade.yml    when: openshift.common.is_containerized | bool diff --git a/roles/openshift_node_upgrade/tasks/registry_auth.yml b/roles/openshift_node_upgrade/tasks/registry_auth.yml index 5e5e4f94a..f5428867a 100644 --- a/roles/openshift_node_upgrade/tasks/registry_auth.yml +++ b/roles/openshift_node_upgrade/tasks/registry_auth.yml @@ -8,6 +8,7 @@  - name: Create credentials for registry auth    command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"    when: +    - not (openshift_docker_alternative_creds | default(False))      - oreg_auth_user is defined      - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool    register: node_oreg_auth_credentials_create 
@@ -17,6 +18,24 @@    notify:      - restart node +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts.  This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for registry auth (alternative) +  docker_creds: +    path: "{{ oreg_auth_credentials_path }}" +    registry: "{{ oreg_host }}" +    username: "{{ oreg_auth_user }}" +    password: "{{ oreg_auth_password }}" +  when: +    - openshift_docker_alternative_creds | bool +    - oreg_auth_user is defined +    - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool +  register: node_oreg_auth_credentials_create +  notify: +    - restart node +  # Container images may need the registry credentials  - name: Setup ro mount of /root/.docker for containerized hosts    set_fact: diff --git a/roles/openshift_prometheus/tasks/install_prometheus.yaml b/roles/openshift_prometheus/tasks/install_prometheus.yaml index 00c3c1987..21da4bc9d 100644 --- a/roles/openshift_prometheus/tasks/install_prometheus.yaml +++ b/roles/openshift_prometheus/tasks/install_prometheus.yaml 
@@ -148,25 +148,6 @@      selector: "{{ openshift_prometheus_alertbuffer_pvc_pv_selector }}"    when: openshift_prometheus_alertbuffer_storage_type == 'pvc' -# create prometheus stateful set -- name: Set prometheus template -  template: -    src: prometheus.j2 -    dest: "{{ tempdir }}/templates/prometheus.yaml" -  vars: -    namespace: "{{ openshift_prometheus_namespace }}" -#    prom_replicas: "{{ openshift_prometheus_replicas }}" - -- name: Set prometheus stateful set -  oc_obj: -    state: "{{ state }}" -    name: "prometheus" -    namespace: "{{ openshift_prometheus_namespace }}" -    kind: statefulset -    files: -      - "{{ tempdir }}/templates/prometheus.yaml" -    delete_after: true -  # prometheus configmap  # Copy the additional rules file if it is defined  - name: Copy additional rules file to host @@ -236,3 +217,22 @@      namespace: "{{ openshift_prometheus_namespace }}"      from_file:        alertmanager.yml: "{{ tempdir }}/alertmanager.yml" + +# create prometheus stateful set +- name: Set prometheus template +  template: +    src: prometheus.j2 +    dest: "{{ tempdir }}/templates/prometheus.yaml" +  vars: +    namespace: "{{ openshift_prometheus_namespace }}" +#    prom_replicas: "{{ openshift_prometheus_replicas }}" + +- name: Set prometheus stateful set +  oc_obj: +    state: "{{ state }}" +    name: "prometheus" +    namespace: "{{ openshift_prometheus_namespace }}" +    kind: statefulset +    files: +      - "{{ tempdir }}/templates/prometheus.yaml" +    delete_after: true 
@@ -83,10 +83,14 @@ def find_entrypoint_playbooks():                  if not isinstance(task, dict):                      # Skip yaml files which are not a dictionary of tasks                      continue -                if 'include' in task: +                if 'include' in task or 'import_playbook' in task:                      # Add the playbook and capture included playbooks                      playbooks.add(yaml_file) -                    included_file_name = task['include'].split()[0] +                    if 'include' in task: +                        directive = task['include'] +                    else: +                        directive = task['import_playbook'] +                    included_file_name = directive.split()[0]                      included_file = os.path.normpath(                          os.path.join(os.path.dirname(yaml_file),                                       included_file_name)) @@ -318,7 +322,7 @@ class OpenShiftAnsibleSyntaxCheck(Command):          has_errors = False          print('Ansible Deprecation Checks') -        exclude_dirs = ['adhoc', 'files', 'meta', 'test', 'tests', 'vars', 'defaults', '.tox'] +        exclude_dirs = ['adhoc', 'files', 'meta', 'vars', 'defaults', '.tox']          for yaml_file in find_files(                  os.getcwd(), exclude_dirs, None, r'\.ya?ml$'):              with open(yaml_file, 'r') as contents: @@ -336,7 +340,6 @@ class OpenShiftAnsibleSyntaxCheck(Command):          if not has_errors:              print('...PASSED') -          print('Ansible Playbook Entry Point Syntax Checks')          for playbook in find_entrypoint_playbooks():              print('-' * 60) 
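Review bot: The four-line `if 'include' in task: ... else: ...` that selects the directive repeats the membership test of the enclosing `if` and can be one conditional expression, `directive = task['include'] if 'include' in task else task['import_playbook']`. A brief comment on the outer condition, e.g. `# Ansible 2.4 playbooks use import_playbook where older ones used include`, would tie this to the REQUIRED_VERSION bump elsewhere in the commit. `find_entrypoint_playbooks` starts above the hunk, so the surrounding loop is not visible here.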
@@ -350,8 +353,21 @@ class OpenShiftAnsibleSyntaxCheck(Command):
             # --syntax-check each entry point playbook
             else:
                 try:
+                    # Create a host group list to avoid WARNING on unmatched host patterns
+                    host_group_list = [
+                        'etcd,masters,nodes,OSEv3',
+                        'oo_all_hosts',
+                        'oo_etcd_to_config,oo_new_etcd_to_config,oo_first_etcd,oo_etcd_hosts_to_backup,'
+                        'oo_etcd_hosts_to_upgrade,oo_etcd_to_migrate',
+                        'oo_masters,oo_masters_to_config,oo_first_master,oo_containerized_master_nodes',
+                        'oo_nodes_to_config,oo_nodes_to_upgrade',
+                        'oo_nodes_use_kuryr,oo_nodes_use_flannel',
+                        'oo_nodes_use_calico,oo_nodes_use_nuage,oo_nodes_use_contiv',
+                        'oo_lb_to_config',
+                        'oo_nfs_to_config',
+                        'glusterfs,glusterfs_registry,']
                     subprocess.check_output(
-                        ['ansible-playbook', '-i localhost,',
+                        ['ansible-playbook', '-i ' + ','.join(host_group_list),
                          '--syntax-check', playbook]
                     )
                 except subprocess.CalledProcessError as cpe:
diff --git a/test/openshift_version_tests.py b/test/openshift_version_tests.py
index 6095beb95..36b8263bb 100644
--- a/test/openshift_version_tests.py
+++ b/test/openshift_version_tests.py
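Review bot: `host_group_list` is a constant, yet it is rebuilt inside the `try` on every iteration of the playbook loop; hoist it (and its comment) to a module-level constant and pass the inventory as two argv entries, `'-i', ','.join(host_group_list)`, instead of the single `'-i ...'` token the old line also used. The comment calls these host groups, but with the comma-separated `-i` form ansible appears to treat each entry as a host name that merely happens to match the group pattern, so a comment such as `# comma-separated -i makes each name a host, which satisfies the group patterns the playbooks use` would prevent someone from "fixing" it into a real inventory file. Note also that the two adjacent string literals ending in `oo_etcd_hosts_to_backup,'` and starting `'oo_etcd_hosts_to_upgrade` are joined by implicit concatenation, which is easy to misread as a missing comma. The enclosing method starts above the hunk.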
@@ -15,50 +15,6 @@ class OpenShiftVersionTests(unittest.TestCase):      openshift_version_filters = openshift_version.FilterModule() -    # Static tests for legacy filters. -    legacy_gte_tests = [{'name': 'oo_version_gte_3_1_or_1_1', -                         'positive_openshift-enterprise_version': '3.2.0', -                         'negative_openshift-enterprise_version': '3.0.0', -                         'positive_origin_version': '1.2.0', -                         'negative_origin_version': '1.0.0'}, -                        {'name': 'oo_version_gte_3_1_1_or_1_1_1', -                         'positive_openshift-enterprise_version': '3.2.0', -                         'negative_openshift-enterprise_version': '3.1.0', -                         'positive_origin_version': '1.2.0', -                         'negative_origin_version': '1.1.0'}, -                        {'name': 'oo_version_gte_3_2_or_1_2', -                         'positive_openshift-enterprise_version': '3.3.0', -                         'negative_openshift-enterprise_version': '3.1.0', -                         'positive_origin_version': '1.3.0', -                         'negative_origin_version': '1.1.0'}, -                        {'name': 'oo_version_gte_3_3_or_1_3', -                         'positive_openshift-enterprise_version': '3.4.0', -                         'negative_openshift-enterprise_version': '3.2.0', -                         'positive_origin_version': '1.4.0', -                         'negative_origin_version': '1.2.0'}, -                        {'name': 'oo_version_gte_3_4_or_1_4', -                         'positive_openshift-enterprise_version': '3.5.0', -                         'negative_openshift-enterprise_version': '3.3.0', -                         'positive_origin_version': '1.5.0', -                         'negative_origin_version': '1.3.0'}, -                        {'name': 'oo_version_gte_3_5_or_1_5', -                         
'positive_openshift-enterprise_version': '3.6.0', -                         'negative_openshift-enterprise_version': '3.4.0', -                         'positive_origin_version': '3.6.0', -                         'negative_origin_version': '1.4.0'}] - -    def test_legacy_gte_filters(self): -        for test in self.legacy_gte_tests: -            for deployment_type in ['openshift-enterprise', 'origin']: -                # Test negative case per deployment_type -                self.assertFalse( -                    self.openshift_version_filters._filters[test['name']]( -                        test["negative_{}_version".format(deployment_type)], deployment_type)) -                # Test positive case per deployment_type -                self.assertTrue( -                    self.openshift_version_filters._filters[test['name']]( -                        test["positive_{}_version".format(deployment_type)], deployment_type)) -      def test_gte_filters(self):          for major, minor_start, minor_end in self.openshift_version_filters.versions:              for minor in range(minor_start, minor_end):  | 
