diff options
116 files changed, 2131 insertions, 916 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index b8982c3a5..ec25643e6 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.3.4-1 ./ +3.3.11-1 ./ @@ -5,9 +5,9 @@ For more information on tito, please see the [Tito home page](https://github.com ## Build openshift-ansible-bin -- Change into openshift-ansible/bin +- Change into openshift-ansible ``` -cd openshift-ansible/bin +cd openshift-ansible ``` - Build a test package (no tagging needed) ``` diff --git a/README_GCE.md b/README_GCE.md index df9942f24..f909630aa 100644 --- a/README_GCE.md +++ b/README_GCE.md @@ -86,6 +86,8 @@ Install Dependencies yum install -y ansible python-libcloud ``` +> Installation using Mac OSX requires pycrypto library +> $ pip install pycrypto Test The Setup -------------- diff --git a/callback_plugins/default.py b/callback_plugins/default.py index 31e3d7d4c..bc0b207bb 100644 --- a/callback_plugins/default.py +++ b/callback_plugins/default.py @@ -27,6 +27,12 @@ DEFAULT_MODULE = imp.load_source( DEFAULT_PATH ) +try: + from ansible.plugins.callback import CallbackBase + BASECLASS = CallbackBase +except ImportError: # < ansible 2.1 + BASECLASS = DEFAULT_MODULE.CallbackModule + class CallbackModule(DEFAULT_MODULE.CallbackModule): # pylint: disable=too-few-public-methods,no-init ''' @@ -48,7 +54,7 @@ class CallbackModule(DEFAULT_MODULE.CallbackModule): # pylint: disable=too-few- if key in result: save[key] = result.pop(key) - output = DEFAULT_MODULE.CallbackModule._dump_results(self, result) + output = BASECLASS._dump_results(self, result) # pylint: disable=protected-access for key in ['stdout', 'stderr', 'msg']: if key in save and save[key]: diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index ec00a1646..557a684dc 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -37,6 +37,9 @@ class FilterModule(object): def get_attr(data, attribute=None): """ This looks up dictionary attributes of the form a.b.c and returns the value. + + If the key isn't present, None is returned. + Ex: data = {'a': {'b': {'c': 5}}} attribute = "a.b.c" returns 5 @@ -46,7 +49,11 @@ class FilterModule(object): ptr = data for attr in attribute.split('.'): - ptr = ptr[attr] + if attr in ptr: + ptr = ptr[attr] + else: + ptr = None + break return ptr @@ -138,6 +145,7 @@ class FilterModule(object): else: retval = [FilterModule.get_attr(d, attribute) for d in data] + retval = [val for val in retval if val != None] return retval @staticmethod @@ -474,16 +482,20 @@ class FilterModule(object): """ Parses names from list of certificate hashes. Ex: certificates = [{ "certfile": "/root/custom1.crt", - "keyfile": "/root/custom1.key" }, + "keyfile": "/root/custom1.key", + "cafile": "/root/custom-ca1.crt" }, { "certfile": "custom2.crt", - "keyfile": "custom2.key" }] + "keyfile": "custom2.key", + "cafile": "custom-ca2.crt" }] returns [{ "certfile": "/etc/origin/master/named_certificates/custom1.crt", "keyfile": "/etc/origin/master/named_certificates/custom1.key", + "cafile": "/etc/origin/master/named_certificates/custom-ca1.crt", "names": [ "public-master-host.com", "other-master-host.com" ] }, { "certfile": "/etc/origin/master/named_certificates/custom2.crt", "keyfile": "/etc/origin/master/named_certificates/custom2.key", + "cafile": "/etc/origin/master/named_certificates/custom-ca-2.crt", "names": [ "some-hostname.com" ] }] """ if not isinstance(named_certs_dir, basestring): @@ -514,17 +526,20 @@ class FilterModule(object): raise errors.AnsibleFilterError(("|failed to parse certificate '%s', " % certificate['certfile'] + "please specify certificate names in host inventory")) - certificate['names'] = [name for name in certificate['names'] if name not in internal_hostnames] - certificate['names'] = list(set(certificate['names'])) - if not certificate['names']: - raise errors.AnsibleFilterError(("|failed to parse certificate '%s' or " % certificate['certfile'] + - "detected a collision with internal hostname, please specify " + - "certificate names in host inventory")) + if 'cafile' not in certificate: + certificate['names'] = [name for name in certificate['names'] if name not in internal_hostnames] + certificate['names'] = list(set(certificate['names'])) + if not certificate['names']: + raise errors.AnsibleFilterError(("|failed to parse certificate '%s' or " % certificate['certfile'] + + "detected a collision with internal hostname, please specify " + + "certificate names in host inventory")) for certificate in certificates: # Update paths for configuration certificate['certfile'] = os.path.join(named_certs_dir, os.path.basename(certificate['certfile'])) certificate['keyfile'] = os.path.join(named_certs_dir, os.path.basename(certificate['keyfile'])) + if 'cafile' in certificate: + certificate['cafile'] = os.path.join(named_certs_dir, os.path.basename(certificate['cafile'])) return certificates @staticmethod diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py index b3f284a8e..048cd04c7 100644 --- a/filter_plugins/openshift_master.py +++ b/filter_plugins/openshift_master.py @@ -521,7 +521,7 @@ class FilterModule(object): return valid @staticmethod - def certificates_to_synchronize(hostvars): + def certificates_to_synchronize(hostvars, include_keys=True): ''' Return certificates to synchronize based on facts. ''' if not issubclass(type(hostvars), dict): raise errors.AnsibleFilterError("|failed expects hostvars is a dict") @@ -535,9 +535,10 @@ class FilterModule(object): 'openshift-registry.kubeconfig', 'openshift-router.crt', 'openshift-router.key', - 'openshift-router.kubeconfig', - 'serviceaccounts.private.key', - 'serviceaccounts.public.key'] + 'openshift-router.kubeconfig'] + if bool(include_keys): + certs += ['serviceaccounts.private.key', + 'serviceaccounts.public.key'] if bool(hostvars['openshift']['common']['version_gte_3_1_or_1_1']): certs += ['master.proxy-client.crt', 'master.proxy-client.key'] diff --git a/inventory/byo/hosts.aep.example b/inventory/byo/hosts.aep.example index 8d2d95f8f..cff003a9c 100644 --- a/inventory/byo/hosts.aep.example +++ b/inventory/byo/hosts.aep.example @@ -6,6 +6,7 @@ masters nodes etcd lb +nfs # Set variables common for all OSEv3 hosts [OSEv3:vars] @@ -110,7 +111,7 @@ openshift_release=v3.2 # htpasswd auth openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] # Defining htpasswd users -#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>' +#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'} # or #openshift_master_htpasswd_file=<path to local pre-generated htpasswd file> @@ -345,15 +346,20 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # NOTE: openshift_master_named_certificates is cached on masters and is an # additive fact, meaning that each run with a different set of certificates # will add the newly provided certificates to the cached set of certificates. +# +# An optional CA may be specified for each named certificate. CAs will +# be added to the OpenShift CA bundle which allows for the named +# certificate to be served for internal cluster communication. +# # If you would like openshift_master_named_certificates to be overwritten with # the provided value, specify openshift_master_overwrite_named_certificates. #openshift_master_overwrite_named_certificates=true # # Provide local certificate paths which will be deployed to masters -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key"}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}] # # Detected names may be overridden by specifying the "names" key -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}] # Session options #openshift_master_session_name=ssn diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index d71ed5727..8e7883f3b 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -116,7 +116,7 @@ openshift_release=v1.2 # htpasswd auth openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] # Defining htpasswd users -#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>' +#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'} # or #openshift_master_htpasswd_file=<path to local pre-generated htpasswd file> @@ -259,6 +259,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Provide local certificate paths which will be configured as the # router's default certificate. #openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"} +# +# Disable management of the OpenShift Router +#openshift_hosted_manage_router=false # Openshift Registry Options # @@ -280,6 +283,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Unless specified, openshift-ansible will calculate the replica count # based on the number of nodes matching the openshift registry selector. #openshift_hosted_registry_replicas=2 +# +# Disable management of the OpenShift Registry +#openshift_hosted_manage_registry=false # Registry Storage Options # @@ -337,7 +343,6 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #osm_cluster_network_cidr=10.1.0.0/16 #openshift_portal_net=172.30.0.0/16 - # Configure number of bits to allocate to each host’s subnet e.g. 8 # would mean a /24 network on the host. #osm_host_subnet_length=8 @@ -349,19 +354,38 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # set RPM version for debugging purposes #openshift_pkg_version=-1.1 -# Configure custom named certificates +# Configure custom ca certificate +#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'} +# +# NOTE: CA certificate will not be replaced with existing clusters. +# This option may only be specified when creating a new cluster or +# when redeploying cluster certificates with the redeploy-certificates +# playbook. If replacing the CA certificate in an existing cluster +# with a custom ca certificate, the following variable must also be +# set. +#openshift_certificates_redeploy_ca=true + +# Configure custom named certificates (SNI certificates) +# +# https://docs.openshift.org/latest/install_config/certificate_customization.html +# # NOTE: openshift_master_named_certificates is cached on masters and is an # additive fact, meaning that each run with a different set of certificates # will add the newly provided certificates to the cached set of certificates. +# +# An optional CA may be specified for each named certificate. CAs will +# be added to the OpenShift CA bundle which allows for the named +# certificate to be served for internal cluster communication. +# # If you would like openshift_master_named_certificates to be overwritten with # the provided value, specify openshift_master_overwrite_named_certificates. #openshift_master_overwrite_named_certificates=true # # Provide local certificate paths which will be deployed to masters -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key"}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}] # # Detected names may be overridden by specifying the "names" key -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}] # Session options #openshift_master_session_name=ssn diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index ccff97b47..0d358146c 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -6,6 +6,7 @@ masters nodes etcd lb +nfs # Set variables common for all OSEv3 hosts [OSEv3:vars] @@ -110,7 +111,7 @@ openshift_release=v3.2 # htpasswd auth openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] # Defining htpasswd users -#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>' +#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'} # or #openshift_master_htpasswd_file=<path to local pre-generated htpasswd file> @@ -253,6 +254,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Provide local certificate paths which will be configured as the # router's default certificate. #openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"} +# +# Disable management of the OpenShift Router +#openshift_hosted_manage_router=false # Openshift Registry Options # @@ -274,6 +278,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Unless specified, openshift-ansible will calculate the replica count # based on the number of nodes matching the openshift registry selector. #openshift_hosted_registry_replicas=2 +# +# Disable management of the OpenShift Registry +#openshift_hosted_manage_registry=false # Registry Storage Options # @@ -343,19 +350,38 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # set RPM version for debugging purposes #openshift_pkg_version=-3.1.0.0 -# Configure custom named certificates +# Configure custom ca certificate +#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'} +# +# NOTE: CA certificate will not be replaced with existing clusters. +# This option may only be specified when creating a new cluster or +# when redeploying cluster certificates with the redeploy-certificates +# playbook. If replacing the CA certificate in an existing cluster +# with a custom ca certificate, the following variable must also be +# set. +#openshift_certificates_redeploy_ca=true + +# Configure custom named certificates (SNI certificates) +# +# https://docs.openshift.com/enterprise/latest/install_config/certificate_customization.html +# # NOTE: openshift_master_named_certificates is cached on masters and is an # additive fact, meaning that each run with a different set of certificates # will add the newly provided certificates to the cached set of certificates. +# +# An optional CA may be specified for each named certificate. CAs will +# be added to the OpenShift CA bundle which allows for the named +# certificate to be served for internal cluster communication. +# # If you would like openshift_master_named_certificates to be overwritten with # the provided value, specify openshift_master_overwrite_named_certificates. #openshift_master_overwrite_named_certificates=true # # Provide local certificate paths which will be deployed to masters -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key"}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}] # # Detected names may be overridden by specifying the "names" key -#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}] +#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}] # Session options #openshift_master_session_name=ssn diff --git a/library/delegated_serial_command.py b/library/delegated_serial_command.py new file mode 100755 index 000000000..3969edfdd --- /dev/null +++ b/library/delegated_serial_command.py @@ -0,0 +1,275 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>, and others +# (c) 2016, Andrew Butcher <abutcher@redhat.com> +# +# This module is derrived from the Ansible command module. +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see <http://www.gnu.org/licenses/>. + + +# pylint: disable=unused-wildcard-import,wildcard-import,unused-import,redefined-builtin + +''' delegated_serial_command ''' + +import copy +import sys +import datetime +import glob +import traceback +import re +import shlex +import os +import fcntl +import time + +DOCUMENTATION = ''' +--- +module: delegated_serial_command +short_description: Executes a command on a remote node +version_added: historical +description: + - The M(command) module takes the command name followed by a list + of space-delimited arguments. + - The given command will be executed on all selected nodes. It + will not be processed through the shell, so variables like + C($HOME) and operations like C("<"), C(">"), C("|"), and C("&") + will not work (use the M(shell) module if you need these + features). + - Creates and maintains a lockfile such that this module will + wait for other invocations to proceed. +options: + command: + description: + - the command to run + required: true + default: null + creates: + description: + - a filename or (since 2.0) glob pattern, when it already + exists, this step will B(not) be run. + required: no + default: null + removes: + description: + - a filename or (since 2.0) glob pattern, when it does not + exist, this step will B(not) be run. + version_added: "0.8" + required: no + default: null + chdir: + description: + - cd into this directory before running the command + version_added: "0.6" + required: false + default: null + executable: + description: + - change the shell used to execute the command. Should be an + absolute path to the executable. + required: false + default: null + version_added: "0.9" + warn: + version_added: "1.8" + default: yes + description: + - if command warnings are on in ansible.cfg, do not warn about + this particular line if set to no/false. + required: false + lockfile: + default: yes + description: + - the lockfile that will be created + timeout: + default: yes + description: + - time in milliseconds to wait to obtain the lock +notes: + - If you want to run a command through the shell (say you are using C(<), + C(>), C(|), etc), you actually want the M(shell) module instead. The + M(command) module is much more secure as it's not affected by the user's + environment. + - " C(creates), C(removes), and C(chdir) can be specified after + the command. For instance, if you only want to run a command if + a certain file does not exist, use this." +author: + - Ansible Core Team + - Michael DeHaan + - Andrew Butcher +''' + +EXAMPLES = ''' +# Example from Ansible Playbooks. +- delegated_serial_command: + command: /sbin/shutdown -t now + +# Run the command if the specified file does not exist. +- delegated_serial_command: + command: /usr/bin/make_database.sh arg1 arg2 + creates: /path/to/database +''' + +# Dict of options and their defaults +OPTIONS = {'chdir': None, + 'creates': None, + 'command': None, + 'executable': None, + 'NO_LOG': None, + 'removes': None, + 'warn': True, + 'lockfile': None, + 'timeout': None} + +def check_command(commandline): + ''' Check provided command ''' + arguments = {'chown': 'owner', 'chmod': 'mode', 'chgrp': 'group', + 'ln': 'state=link', 'mkdir': 'state=directory', + 'rmdir': 'state=absent', 'rm': 'state=absent', 'touch': 'state=touch'} + commands = {'git': 'git', 'hg': 'hg', 'curl': 'get_url or uri', 'wget': 'get_url or uri', + 'svn': 'subversion', 'service': 'service', + 'mount': 'mount', 'rpm': 'yum, dnf or zypper', 'yum': 'yum', 'apt-get': 'apt', + 'tar': 'unarchive', 'unzip': 'unarchive', 'sed': 'template or lineinfile', + 'rsync': 'synchronize', 'dnf': 'dnf', 'zypper': 'zypper'} + become = ['sudo', 'su', 'pbrun', 'pfexec', 'runas'] + warnings = list() + command = os.path.basename(commandline.split()[0]) + # pylint: disable=line-too-long + if command in arguments: + warnings.append("Consider using file module with {0} rather than running {1}".format(arguments[command], command)) + if command in commands: + warnings.append("Consider using {0} module rather than running {1}".format(commands[command], command)) + if command in become: + warnings.append( + "Consider using 'become', 'become_method', and 'become_user' rather than running {0}".format(command,)) + return warnings + + +# pylint: disable=too-many-statements,too-many-branches,too-many-locals +def main(): + ''' Main module function ''' + module = AnsibleModule( + argument_spec=dict( + _uses_shell=dict(type='bool', default=False), + command=dict(required=True), + chdir=dict(), + executable=dict(), + creates=dict(), + removes=dict(), + warn=dict(type='bool', default=True), + lockfile=dict(default='/tmp/delegated_serial_command.lock'), + timeout=dict(type='int', default=30) + ) + ) + + shell = module.params['_uses_shell'] + chdir = module.params['chdir'] + executable = module.params['executable'] + command = module.params['command'] + creates = module.params['creates'] + removes = module.params['removes'] + warn = module.params['warn'] + lockfile = module.params['lockfile'] + timeout = module.params['timeout'] + + if command.strip() == '': + module.fail_json(rc=256, msg="no command given") + + iterated = 0 + lockfd = open(lockfile, 'w+') + while iterated < timeout: + try: + fcntl.flock(lockfd, fcntl.LOCK_EX | fcntl.LOCK_NB) + break + # pylint: disable=invalid-name + except IOError as e: + if e.errno != errno.EAGAIN: + module.fail_json(msg="I/O Error {0}: {1}".format(e.errno, e.strerror)) + else: + iterated += 1 + time.sleep(0.1) + + if chdir: + chdir = os.path.abspath(os.path.expanduser(chdir)) + os.chdir(chdir) + + if creates: + # do not run the command if the line contains creates=filename + # and the filename already exists. This allows idempotence + # of command executions. + path = os.path.expanduser(creates) + if glob.glob(path): + module.exit_json( + cmd=command, + stdout="skipped, since %s exists" % path, + changed=False, + stderr=False, + rc=0 + ) + + if removes: + # do not run the command if the line contains removes=filename + # and the filename does not exist. This allows idempotence + # of command executions. + path = os.path.expanduser(removes) + if not glob.glob(path): + module.exit_json( + cmd=command, + stdout="skipped, since %s does not exist" % path, + changed=False, + stderr=False, + rc=0 + ) + + warnings = list() + if warn: + warnings = check_command(command) + + if not shell: + command = shlex.split(command) + startd = datetime.datetime.now() + + # pylint: disable=invalid-name + rc, out, err = module.run_command(command, executable=executable, use_unsafe_shell=shell) + + fcntl.flock(lockfd, fcntl.LOCK_UN) + lockfd.close() + + endd = datetime.datetime.now() + delta = endd - startd + + if out is None: + out = '' + if err is None: + err = '' + + module.exit_json( + cmd=command, + stdout=out.rstrip("\r\n"), + stderr=err.rstrip("\r\n"), + rc=rc, + start=str(startd), + end=str(endd), + delta=str(delta), + changed=True, + warnings=warnings, + iterated=iterated + ) + +# import module snippets +from ansible.module_utils.basic import * +from ansible.module_utils.splitter import * + +main() diff --git a/library/modify_yaml.py b/library/modify_yaml.py index a4be10ca3..63b507a72 100755 --- a/library/modify_yaml.py +++ b/library/modify_yaml.py @@ -20,6 +20,24 @@ EXAMPLES = ''' yaml_value: 2 ''' + +# pylint: disable=missing-docstring +def set_key(yaml_data, yaml_key, yaml_value): + changes = [] + ptr = yaml_data + for key in yaml_key.split('.'): + if key not in ptr and key != yaml_key.split('.')[-1]: + ptr[key] = {} + ptr = ptr[key] + elif key == yaml_key.split('.')[-1]: + if (key in ptr and module.safe_eval(ptr[key]) != yaml_value) or (key not in ptr): + ptr[key] = yaml_value + changes.append((yaml_key, yaml_value)) + else: + ptr = ptr[key] + return changes + + def main(): ''' Modify key (supplied in jinja2 dot notation) in yaml file, setting the key to the desired value. @@ -53,22 +71,12 @@ def main(): yaml.add_representer(type(None), none_representer) try: - changes = [] yaml_file = open(dest) yaml_data = yaml.safe_load(yaml_file.read()) yaml_file.close() - ptr = yaml_data - for key in yaml_key.split('.'): - if key not in ptr and key != yaml_key.split('.')[-1]: - ptr[key] = {} - elif key == yaml_key.split('.')[-1]: - if (key in ptr and module.safe_eval(ptr[key]) != yaml_value) or (key not in ptr): - ptr[key] = yaml_value - changes.append((yaml_key, yaml_value)) - else: - ptr = ptr[key] + changes = set_key(yaml_data, yaml_key, yaml_value) if len(changes) > 0: if backup: diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 84b9c9518..11f18cf72 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -5,7 +5,7 @@ } Name: openshift-ansible -Version: 3.3.4 +Version: 3.3.11 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -221,6 +221,83 @@ Atomic OpenShift Utilities includes %changelog +* Mon Aug 15 2016 Troy Dawson <tdawson@redhat.com> 3.3.11-1 +- Ensure etcd user exists in etcd_server_certificates by installing etcd. + (abutcher@redhat.com) +- a-o-i: Fix broken upgrades (smunilla@redhat.com) + +* Fri Aug 12 2016 Troy Dawson <tdawson@redhat.com> 3.3.10-1 +- Reference tmpdir from first master hostvars when evacuating nodes. + (abutcher@redhat.com) +- Support for redeploying certificates. (abutcher@redhat.com) +- qps typo (deads@redhat.com) +- a-o-i: Automatically Label Nodes as Infra (smunilla@redhat.com) +- Improvements for Docker 1.10+ upgrade image nuking. (dgoodwin@redhat.com) +- a-o-i: Restrict installed host check (smunilla@redhat.com) +- Shutdown Docker before upgrading the rpm. (dgoodwin@redhat.com) +- Restrict the middleware stanza contains 'registry' and 'storage' at least on + 3.3 (ghuang@redhat.com) +- docker-registry's middleware stanza should contain 'registry' and 'storage' + by default (ghuang@redhat.com) + +* Wed Aug 10 2016 Troy Dawson <tdawson@redhat.com> 3.3.9-1 +- Enable 'NoVolumeZoneConflict' policy for scheduler (abutcher@redhat.com) +- a-o-i: Update nosetests for ansible_ssh_user (smunilla@redhat.com) +- move ansible_ssh_user to deployment, remove ansible_config and + ansible_log_path (ghuang@redhat.com) +- Labeling nodes only (ghuang@redhat.com) +- Set become=no for etcd server certificates temporary directory. + (abutcher@redhat.com) +- Move storage includes up to main. (abutcher@redhat.com) +- Support gathering ansible 2.1/2.2 system facts (abutcher@redhat.com) +- Try/except urlparse calls. (abutcher@redhat.com) +- with_fileglob no longer supports wildcard prefixes. (abutcher@redhat.com) +- BUILD.md lies (jmainguy@redhat.com) +- Migrate ca.crt to ca-bundle.crt (sdodson@redhat.com) +- Upgrade configs for protobuf support. (dgoodwin@redhat.com) +- Fixed a bug in modify_yaml module. (dgoodwin@redhat.com) +- make the improved log formatter work with ansible 2.1 (rmeggins@redhat.com) +- Convert ansible facts callback to v2. (abutcher@redhat.com) +- Add 3.3 protobuf config stanzas for master/node config. (dgoodwin@redhat.com) +- Introduce 1.3/3.3 upgrade path. (dgoodwin@redhat.com) + +* Mon Aug 08 2016 Troy Dawson <tdawson@redhat.com> 3.3.8-1 +- Fix little mistake in openshift_master_htpasswd_users value . + (jmferrer@paradigmatecnologico.com) + +* Fri Aug 05 2016 Troy Dawson <tdawson@redhat.com> 3.3.7-1 +- Call relocated openshift-loadbalancer playbook in master scaleup. + (abutcher@redhat.com) +- [openshift_ca] correct check for missing CA. (abutcher@redhat.com) +- a-o-i: Rename OSE in Install Menu (smunilla@redhat.com) +- a-o-i: Allow Arbitrary Deployment Variables (smunilla@redhat.com) +- Add knobs for disabling router/registry management. (abutcher@redhat.com) +- Restore missing etcd_image fact. (abutcher@redhat.com) +- Add options for specifying named ca certificates to be added to the openshift + ca bundle. (abutcher@redhat.com) +- oo_collect can be ran against dicts where key isn't present. + (abutcher@redhat.com) +- Don't set a networkPluginName in 3.3 installs (sdodson@redhat.com) + +* Wed Aug 03 2016 Troy Dawson <tdawson@redhat.com> 3.3.6-1 +- Rename router and registry node list variables. (abutcher@redhat.com) +- a-o-i: Fix broken uninstall (smunilla@redhat.com) +- Refactor etcd certificates roles. (abutcher@redhat.com) + +* Mon Aug 01 2016 Troy Dawson <tdawson@redhat.com> 3.3.5-1 +- Update for issue#2244 (kunallimaye@gmail.com) +- Update for issue-2244 (kunallimaye@gmail.com) +- a-o-i: Remove AEP, OSE 3.0, and OSE 3.2 choices (smunilla@redhat.com) +- Move role dependencies to playbooks. (abutcher@redhat.com) +- Fix xpaas_templates_base (sdodson@redhat.com) +- a-o-i: Better inventory group handling (smunilla@redhat.com) +- Add dotnet image stream to enterprise installs (sdodson@redhat.com) +- Fix haproxy logs (sdodson@redhat.com) +- update bootstrap-fedora playbook with new python crypto deps + (maxamillion@fedoraproject.org) +- Remove old sso70-basic templates (sdodson@redhat.com) +- xPaaS v1.3.2 release (sdodson@redhat.com) + * Fri Jul 29 2016 Troy Dawson <tdawson@redhat.com> 3.3.4-1 - a-o-i: Set roles on standalone storage (smunilla@redhat.com) - Disable too many branches pylint (sdodson@redhat.com) diff --git a/playbooks/byo/openshift-cluster/enable_dnsmasq.yml b/playbooks/byo/openshift-cluster/enable_dnsmasq.yml index 1c8d99341..0ba11a21b 100644 --- a/playbooks/byo/openshift-cluster/enable_dnsmasq.yml +++ b/playbooks/byo/openshift-cluster/enable_dnsmasq.yml @@ -1,4 +1,6 @@ --- +- include: ../../common/openshift-cluster/verify_ansible_version.yml + - hosts: localhost connection: local become: no @@ -8,7 +10,7 @@ - add_host: name: "{{ item }}" groups: l_oo_all_hosts - with_items: g_all_hosts + with_items: "{{ g_all_hosts | default([]) }}" - hosts: l_oo_all_hosts gather_facts: no diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml new file mode 100644 index 000000000..6d1247e0f --- /dev/null +++ b/playbooks/byo/openshift-cluster/redeploy-certificates.yml @@ -0,0 +1,22 @@ +--- +- include: ../../common/openshift-cluster/verify_ansible_version.yml + +- hosts: localhost + connection: local + become: no + gather_facts: no + tasks: + - include_vars: ../../byo/openshift-cluster/cluster_hosts.yml + - add_host: + name: "{{ item }}" + groups: l_oo_all_hosts + with_items: "{{ g_all_hosts | default([]) }}" + +- hosts: l_oo_all_hosts + gather_facts: no + tasks: + - include_vars: ../../byo/openshift-cluster/cluster_hosts.yml + +- include: ../../common/openshift-cluster/redeploy-certificates.yml + vars: + openshift_deployment_type: "{{ deployment_type }}" diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md b/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md index 62577c3df..30603463a 100644 --- a/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md +++ b/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md @@ -1,10 +1,12 @@ -# v3.1 to v3.2 upgrade playbook +# v3.2 Major and Minor Upgrade Playbook ## Overview This playbook currently performs the following steps. * Upgrade and restart master services + * Unschedule node. + * Upgrade and restart docker * Upgrade and restart node services * Modifies the subset of the configuration necessary * Applies the latest cluster policies @@ -13,4 +15,4 @@ following steps. * Updates image streams and quickstarts ## Usage -ansible-playbook -i ~/ansible-inventory openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml +ansible-playbook -i ~/ansible-inventory openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml index e28313221..5d549eee7 100644 --- a/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml +++ b/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml @@ -47,11 +47,19 @@ openshift_docker_log_options: "{{ lookup('oo_option', 'docker_log_options') }}" when: openshift_docker_log_options is not defined -- include: ../../../../common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml + +# Configure the upgrade target for the common upgrade tasks: +- hosts: l_oo_all_hosts + tasks: + - set_fact: + openshift_upgrade_target: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}" + openshift_upgrade_min: "{{ '1.1' if deployment_type == 'origin' else '3.1' }}" + +- include: ../../../../common/openshift-cluster/upgrades/pre.yml vars: openshift_deployment_type: "{{ deployment_type }}" -- include: ../../../../common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml +- include: ../../../../common/openshift-cluster/upgrades/upgrade.yml vars: openshift_deployment_type: "{{ deployment_type }}" - include: ../../../openshift-master/restart.yml -- include: ../../../../common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml +- include: ../../../../common/openshift-cluster/upgrades/post.yml diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_3/README.md b/playbooks/byo/openshift-cluster/upgrades/v3_3/README.md new file mode 100644 index 000000000..6892f6324 --- /dev/null +++ b/playbooks/byo/openshift-cluster/upgrades/v3_3/README.md @@ -0,0 +1,18 @@ +# v3.3 Major and Minor Upgrade Playbook + +## Overview +This playbook currently performs the +following steps. + + * Upgrade and restart master services + * Unschedule node. + * Upgrade and restart docker + * Upgrade and restart node services + * Modifies the subset of the configuration necessary + * Applies the latest cluster policies + * Updates the default router if one exists + * Updates the default registry if one exists + * Updates image streams and quickstarts + +## Usage +ansible-playbook -i ~/ansible-inventory openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml new file mode 100644 index 000000000..e740b12c0 --- /dev/null +++ b/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml @@ -0,0 +1,67 @@ +--- +- include: ../../../../common/openshift-cluster/verify_ansible_version.yml + +- hosts: localhost + connection: local + become: no + gather_facts: no + tasks: + - include_vars: ../../../../byo/openshift-cluster/cluster_hosts.yml + - add_host: + name: "{{ item }}" + groups: l_oo_all_hosts + with_items: g_all_hosts | default([]) + +- hosts: l_oo_all_hosts + gather_facts: no + tasks: + - include_vars: ../../../../byo/openshift-cluster/cluster_hosts.yml + +- include: ../../../../common/openshift-cluster/evaluate_groups.yml + vars: + # Do not allow adding hosts during upgrade. + g_new_master_hosts: [] + g_new_node_hosts: [] + openshift_cluster_id: "{{ cluster_id | default('default') }}" + openshift_deployment_type: "{{ deployment_type }}" + +- name: Set oo_options + hosts: oo_all_hosts + tasks: + - set_fact: + openshift_docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') }}" + when: openshift_docker_additional_registries is not defined + - set_fact: + openshift_docker_insecure_registries: "{{ lookup('oo_option', 'docker_insecure_registries') }}" + when: openshift_docker_insecure_registries is not defined + - set_fact: + openshift_docker_blocked_registries: "{{ lookup('oo_option', 'docker_blocked_registries') }}" + when: openshift_docker_blocked_registries is not defined + - set_fact: + openshift_docker_options: "{{ lookup('oo_option', 'docker_options') }}" + when: openshift_docker_options is not defined + - set_fact: + openshift_docker_log_driver: "{{ lookup('oo_option', 'docker_log_driver') }}" + when: openshift_docker_log_driver is not defined + - set_fact: + openshift_docker_log_options: "{{ lookup('oo_option', 'docker_log_options') }}" + when: openshift_docker_log_options is not defined + + +# Configure the upgrade target for the common upgrade tasks: +- hosts: l_oo_all_hosts + tasks: + - set_fact: + openshift_upgrade_target: "{{ '1.3' if deployment_type == 'origin' else '3.3' }}" + openshift_upgrade_min: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}" + +- include: ../../../../common/openshift-cluster/upgrades/pre.yml + vars: + openshift_deployment_type: "{{ deployment_type }}" +- include: ../../../../common/openshift-cluster/upgrades/upgrade.yml + vars: + openshift_deployment_type: "{{ deployment_type }}" + master_config_hook: "v3_3/master_config_upgrade.yml" + node_config_hook: "v3_3/node_config_upgrade.yml" +- include: ../../../openshift-master/restart.yml +- include: ../../../../common/openshift-cluster/upgrades/post.yml diff --git a/playbooks/byo/openshift_facts.yml b/playbooks/byo/openshift_facts.yml index d966b58fd..8c0708df0 100644 --- a/playbooks/byo/openshift_facts.yml +++ b/playbooks/byo/openshift_facts.yml @@ -10,7 +10,7 @@ - add_host: name: "{{ item }}" groups: l_oo_all_hosts - with_items: g_all_hosts + with_items: "{{ g_all_hosts }}" - hosts: l_oo_all_hosts gather_facts: no diff --git a/playbooks/common/openshift-cluster/enable_dnsmasq.yml b/playbooks/common/openshift-cluster/enable_dnsmasq.yml index f2bcc872f..4cfe8617e 100644 --- a/playbooks/common/openshift-cluster/enable_dnsmasq.yml +++ b/playbooks/common/openshift-cluster/enable_dnsmasq.yml @@ -8,11 +8,12 @@ post_tasks: - fail: msg="This playbook requires a master version of at least Origin 1.1 or OSE 3.1" when: not openshift.common.version_gte_3_1_1_or_1_1_1 | bool - + - name: Reconfigure masters to listen on our new dns_port hosts: oo_masters_to_config handlers: - include: ../../../roles/openshift_master/handlers/main.yml + static: yes vars: os_firewall_allow: - service: skydns tcp @@ -43,6 +44,7 @@ hosts: oo_nodes_to_config handlers: - include: ../../../roles/openshift_node/handlers/main.yml + static: yes pre_tasks: - openshift_facts: role: "{{ item.role }}" diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index c3077e3c2..4d4a09828 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -15,4 +15,27 @@ openshift_hosted_registry_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}" when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master" roles: + - role: openshift_cli + - role: openshift_hosted_facts + - role: openshift_projects + # TODO: Move standard project definitions to openshift_hosted/vars/main.yml + # Vars are not accessible in meta/main.yml in ansible-1.9.x + openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - hostnetwork + when: openshift.common.version_gte_3_2_or_1_2 + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + - registry + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - privileged + when: not openshift.common.version_gte_3_2_or_1_2 + - role: openshift_metrics + when: openshift.hosted.metrics.deploy | bool - role: openshift_hosted diff --git a/playbooks/common/openshift-cluster/redeploy-certificates.yml b/playbooks/common/openshift-cluster/redeploy-certificates.yml new file mode 100644 index 000000000..b97906072 --- /dev/null +++ b/playbooks/common/openshift-cluster/redeploy-certificates.yml @@ -0,0 +1,245 @@ +--- +- include: evaluate_groups.yml + +- include: initialize_facts.yml + +- include: initialize_openshift_version.yml + +- name: Load openshift_facts + hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config + roles: + - openshift_facts + +- name: Redeploy etcd certificates + hosts: oo_etcd_to_config + any_errors_fatal: true + vars: + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_conf_dir: /etc/etcd + etcd_generated_certs_dir: "{{ etcd_conf_dir }}/generated_certs" + + pre_tasks: + - stat: + path: "{{ etcd_generated_certs_dir }}" + register: etcd_generated_certs_dir_stat + - name: Backup etcd certificates + command: > + tar -czvf /etc/etcd/etcd-certificate-backup-{{ ansible_date_time.epoch }}.tgz + {{ etcd_conf_dir }}/ca.crt + {{ etcd_conf_dir }}/ca + {{ etcd_generated_certs_dir }} + when: etcd_generated_certs_dir_stat.stat.exists + delegate_to: "{{ etcd_ca_host }}" + run_once: true + - name: Remove existing etcd certificates + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ etcd_conf_dir }}/ca.crt" + - "{{ etcd_conf_dir }}/ca" + - "{{ etcd_generated_certs_dir }}" + roles: + - role: openshift_etcd_server_certificates + etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" + etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" + etcd_certificates_redeploy: true + +- name: Redeploy master certificates + hosts: oo_masters_to_config + any_errors_fatal: true + vars: + openshift_ca_host: "{{ groups.oo_first_master.0 }}" + openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}" + pre_tasks: + - stat: + path: "{{ openshift_generated_configs_dir }}" + register: openshift_generated_configs_dir_stat + - name: Backup generated certificate and config directories + command: > + tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz + {{ openshift_generated_configs_dir }} + {{ openshift.common.config_base }}/master + when: openshift_generated_configs_dir_stat.stat.exists + delegate_to: "{{ openshift_ca_host }}" + run_once: true + - name: Remove generated certificate directories + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ openshift_generated_configs_dir }}" + - name: Remove generated certificates + file: + path: "{{ openshift.common.config_base }}/master/{{ item }}" + state: absent + with_items: + - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false) }}" + - "etcd.server.crt" + - "etcd.server.key" + - "master.etcd-client.crt" + - "master.etcd-client.key" + - "master.server.crt" + - "master.server.key" + - "openshift-master.crt" + - "openshift-master.key" + - "openshift-master.kubeconfig" + - name: Remove CA certificate + file: + path: "{{ openshift.common.config_base }}/master/{{ item }}" + state: absent + when: openshift_certificates_redeploy_ca | default(false) | bool + with_items: + - "ca.crt" + - "ca.key" + - "ca.serial.txt" + - "ca-bundle.crt" + roles: + - role: openshift_master_certificates + openshift_master_etcd_hosts: "{{ hostvars + | oo_select_keys(groups['oo_etcd_to_config'] | default([])) + | oo_collect('openshift.common.hostname') + | default(none, true) }}" + openshift_master_hostnames: "{{ hostvars + | oo_select_keys(groups['oo_masters_to_config'] | default([])) + | oo_collect('openshift.common.all_hostnames') + | oo_flatten | unique }}" + openshift_certificates_redeploy: true + - role: openshift_etcd_client_certificates + etcd_certificates_redeploy: true + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" + etcd_cert_prefix: "master.etcd-" + when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config + +- name: Redeploy node certificates + hosts: oo_nodes_to_config + any_errors_fatal: true + pre_tasks: + - name: Remove CA certificate + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ openshift.common.config_base }}/node/ca.crt" + roles: + - role: openshift_node_certificates + openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" + openshift_ca_host: "{{ groups.oo_first_master.0 }}" + openshift_certificates_redeploy: true + +- name: Restart etcd + hosts: oo_etcd_to_config + tasks: + - name: restart etcd + service: name=etcd state=restarted + +- name: Stop master services + hosts: oo_masters_to_config + vars: + openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" + tasks: + - name: stop master + service: name={{ openshift.common.service_type }}-master state=stopped + when: not openshift_master_ha | bool + - name: stop master api + service: name={{ openshift.common.service_type }}-master-api state=stopped + when: openshift_master_ha | bool and openshift_master_cluster_method == 'native' + - name: stop master controllers + service: name={{ openshift.common.service_type }}-master-controllers state=stopped + when: openshift_master_ha | bool and openshift_master_cluster_method == 'native' + +- name: Start master services + hosts: oo_masters_to_config + serial: 1 + vars: + openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" + tasks: + - name: start master + service: name={{ openshift.common.service_type }}-master state=started + when: not openshift_master_ha | bool + - name: start master api + service: name={{ openshift.common.service_type }}-master-api state=started + when: openshift_master_ha | bool and openshift_master_cluster_method == 'native' + - name: start master controllers + service: name={{ openshift.common.service_type }}-master-controllers state=started + when: openshift_master_ha | bool and openshift_master_cluster_method == 'native' + +- name: Restart masters (pacemaker) + hosts: oo_first_master + vars: + openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" + tasks: + - name: restart master + command: pcs resource restart master + when: openshift_master_ha | bool and openshift_master_cluster_method == 'pacemaker' + +- name: Restart nodes + hosts: oo_nodes_to_config + tasks: + - name: restart node + service: name={{ openshift.common.service_type }}-node state=restarted + +- name: Copy admin client config(s) + hosts: oo_first_master + tasks: + - name: Create temp directory for kubeconfig + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: mktemp + changed_when: False + + - name: Copy admin client config(s) + command: > + cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig + changed_when: False + +- name: Serially evacuate all nodes to trigger redeployments + hosts: oo_nodes_to_config + serial: 1 + any_errors_fatal: true + tasks: + - name: Determine if node is currently scheduleable + command: > + {{ openshift.common.client_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig + get node {{ openshift.common.hostname | lower }} -o json + register: node_output + when: openshift_certificates_redeploy_ca | default(false) | bool + delegate_to: "{{ groups.oo_first_master.0 }}" + changed_when: false + + - set_fact: + was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}" + when: openshift_certificates_redeploy_ca | default(false) | bool + + - name: Prepare for node evacuation + command: > + {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig + manage-node {{ openshift.common.hostname | lower }} + --schedulable=false + delegate_to: "{{ groups.oo_first_master.0 }}" + when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool + + - name: Evacuate node + command: > + {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig + manage-node {{ openshift.common.hostname | lower }} + --evacuate --force + delegate_to: "{{ groups.oo_first_master.0 }}" + when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool + + - name: Set node schedulability + command: > + {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig + manage-node {{ openshift.common.hostname | lower }} --schedulable=true + delegate_to: "{{ groups.oo_first_master.0 }}" + when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool + +- name: Delete temporary directory + hosts: oo_first_master + tasks: + - name: Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False diff --git a/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2 b/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2 new file mode 120000 index 000000000..2441f8887 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2 @@ -0,0 +1 @@ +../../../../roles/openshift_master/templates/atomic-openshift-master.j2
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml index 60ea84f8e..32a3636aa 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml @@ -1,7 +1,7 @@ -- include_vars: ../../../../../roles/openshift_node/vars/main.yml +- include_vars: ../../../../roles/openshift_node/vars/main.yml - name: Update systemd units - include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version={{ openshift_image_tag }} + include: ../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version={{ openshift_image_tag }} - name: Verifying the correct version was configured shell: grep {{ verify_upgrade_version }} {{ item }} diff --git a/playbooks/common/openshift-cluster/upgrades/docker-cluster b/playbooks/common/openshift-cluster/upgrades/docker-cluster new file mode 120000 index 000000000..055ad09fc --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/docker-cluster @@ -0,0 +1 @@ +../../../../roles/openshift_master/templates/docker-cluster
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml index 20d66522f..03e7b844c 100644 --- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml @@ -13,14 +13,32 @@ failed_when: false when: openshift.common.is_containerized | bool +- name: Check Docker image count + shell: "docker images -aq | wc -l" + register: docker_image_count + +- debug: var=docker_image_count.stdout + - name: Remove all containers and images script: nuke_images.sh docker register: nuke_images_result when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool +- name: Check Docker image count + shell: "docker images -aq | wc -l" + register: docker_image_count + when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool + +- debug: var=docker_image_count.stdout + when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool + +- service: name=docker state=stopped + - name: Upgrade Docker action: "{{ ansible_pkg_mgr }} name=docker{{ '-' + docker_version }} state=present" +- service: name=docker state=started + - name: Restart containerized services service: name={{ item }} state=started with_items: diff --git a/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh b/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh index 6b155f7fa..8635eab0d 100644 --- a/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh +++ b/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh @@ -15,9 +15,11 @@ then fi # Delete all images (forcefully) -image_ids=`docker images -q` +image_ids=`docker images -aq` if test -n "$image_ids" then - # Taken from: https://gist.github.com/brianclements/f72b2de8e307c7b56689#gistcomment-1443144 - docker rmi $(docker images | grep "$2/\|/$2 \| $2 \|$2 \|$2-\|$2_" | awk '{print $1 ":" $2}') 2>/dev/null || echo "No images matching \"$2\" left to purge." + # Some layers are deleted recursively and are no longer present + # when docker goes to remove them: + docker rmi -f `docker images -aq` || true fi + diff --git a/playbooks/common/openshift-cluster/upgrades/master_docker b/playbooks/common/openshift-cluster/upgrades/master_docker new file mode 120000 index 000000000..6aeca2842 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/master_docker @@ -0,0 +1 @@ +../../../../roles/openshift_master/templates/master_docker
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/native-cluster b/playbooks/common/openshift-cluster/upgrades/native-cluster new file mode 120000 index 000000000..4af88e666 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/native-cluster @@ -0,0 +1 @@ +../../../../roles/openshift_master/templates/native-cluster
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service new file mode 120000 index 000000000..add8b7fa9 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service @@ -0,0 +1 @@ +../../../../roles/openshift_node/templates/openshift.docker.node.dep.service
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service new file mode 120000 index 000000000..ed181633d --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service @@ -0,0 +1 @@ +../../../../roles/openshift_node/templates/openshift.docker.node.service
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service b/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service new file mode 120000 index 000000000..c21e895f2 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service @@ -0,0 +1 @@ +../../../../roles/openshift_node/templates/openvswitch.docker.service
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2 b/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2 new file mode 120000 index 000000000..ead6904c4 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2 @@ -0,0 +1 @@ +../../../../roles/openshift_node/templates/openvswitch.sysconfig.j2
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml b/playbooks/common/openshift-cluster/upgrades/post.yml index ccf9514f1..bd97d0b34 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml +++ b/playbooks/common/openshift-cluster/upgrades/post.yml @@ -56,4 +56,3 @@ {{ oc_cmd }} patch dc/docker-registry -n default -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","image":"{{ registry_image }}"}]}}}}' --api-version=v1 - diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml b/playbooks/common/openshift-cluster/upgrades/pre.yml index a32123952..42a24eaf8 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre.yml @@ -3,7 +3,7 @@ # Evaluate host groups and gather facts ############################################################################### -- include: ../../initialize_facts.yml +- include: ../initialize_facts.yml - name: Update repos and initialize facts on all hosts hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config:oo_lb_to_config @@ -39,7 +39,6 @@ - name: Verify upgrade can proceed on first master hosts: oo_first_master vars: - target_version: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}" g_pacemaker_upgrade_url_segment: "{{ 'org/latest' if deployment_type =='origin' else '.com/enterprise/3.1' }}" gather_facts: no tasks: @@ -63,14 +62,14 @@ - fail: msg: > openshift_pkg_version is {{ openshift_pkg_version }} which is not a - valid version for a {{ target_version }} upgrade - when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(target_version ,'<') + valid version for a {{ openshift_upgrade_target }} upgrade + when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(openshift_upgrade_target ,'<') - fail: msg: > openshift_image_tag is {{ openshift_image_tag }} which is not a - valid version for a {{ target_version }} upgrade - when: openshift_image_tag is defined and openshift_image_tag.split('v',1).1 | version_compare(target_version ,'<') + valid version for a {{ openshift_upgrade_target }} upgrade + when: openshift_image_tag is defined and openshift_image_tag.split('v',1).1 | version_compare(openshift_upgrade_target ,'<') - set_fact: openshift_release: "{{ openshift_release[1:] }}" @@ -79,15 +78,15 @@ - fail: msg: > openshift_release is {{ openshift_release }} which is not a - valid release for a {{ target_version }} upgrade - when: openshift_release is defined and not openshift_release | version_compare(target_version ,'=') + valid release for a {{ openshift_upgrade_target }} upgrade + when: openshift_release is defined and not openshift_release | version_compare(openshift_upgrade_target ,'=') -- include: ../../../../common/openshift-cluster/initialize_openshift_version.yml +- include: ../../../common/openshift-cluster/initialize_openshift_version.yml vars: - # Request openshift_release 3.2 and let the openshift_version role handle converting this + # Request specific openshift_release and let the openshift_version role handle converting this # to a more specific version, respecting openshift_image_tag and openshift_pkg_version if # defined, and overriding the normal behavior of protecting the installed version - openshift_release: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}" + openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False # Docker role (a dependency) should be told not to do anything to installed version # of docker, we handle this separately during upgrade. (the inventory may have a @@ -141,7 +140,6 @@ - name: Verify upgrade targets hosts: oo_masters_to_config:oo_nodes_to_config vars: - target_version: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}" openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" pre_tasks: - fail: @@ -175,48 +173,24 @@ register: avail_openshift_version when: not openshift.common.is_containerized | bool - - name: Verify OpenShift 3.2 RPMs are available for upgrade + - name: Verify OpenShift RPMs are available for upgrade fail: - msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but 3.2 or greater is required" - when: deployment_type != 'origin' and not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<') - - - name: Verify Origin 1.2 RPMs are available for upgrade - fail: - msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but 1.2 or greater is required" - when: deployment_type == 'origin' and not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<') - - # TODO: Are these two grep checks necessary anymore? - # Note: the version number is hardcoded here in hopes of catching potential - # bugs in how g_aos_versions.curr_version is set - - name: Verifying the correct version is installed for upgrade - shell: grep 3.1.1.6 {{ item }} - with_items: - - /etc/sysconfig/openvswitch - - /etc/sysconfig/{{ openshift.common.service_type }}* - when: verify_upgrade_version is defined - - - name: Verifying the image version is used in the systemd unit - shell: grep IMAGE_VERSION {{ item }} - with_items: - - /etc/systemd/system/openvswitch.service - - /etc/systemd/system/{{ openshift.common.service_type }}*.service - when: openshift.common.is_containerized | bool and verify_upgrade_version is defined - - - fail: - msg: This upgrade playbook must be run on Origin 1.1 or later - when: deployment_type == 'origin' and openshift.common.version | version_compare('1.1','<') + msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but {{ openshift_upgrade_target }} or greater is required" + when: not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<') - fail: - msg: This upgrade playbook must be run on OpenShift Enterprise 3.1 or later - when: deployment_type == 'atomic-openshift' and openshift.common.version | version_compare('3.1','<') + msg: "This upgrade playbook must be run against OpenShift {{ openshift_upgrade_min }} or later" + when: deployment_type == 'origin' and openshift.common.version | version_compare(openshift_upgrade_min,'<') - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config tasks: - - name: Determine available Docker - script: ../files/rpm_versions.sh docker - register: g_docker_version_result - when: not openshift.common.is_atomic | bool + # Only check if docker upgrade is required if docker_upgrade is not + # already set to False. + - include: docker/upgrade_check.yml + when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool + + # Additional checks for Atomic hosts: - name: Determine available Docker shell: "rpm -q --queryformat '---\ncurr_version: %{VERSION}\navail_version: \n' docker" @@ -224,18 +198,12 @@ when: openshift.common.is_atomic | bool - set_fact: - g_docker_version: "{{ g_docker_version_result.stdout | from_yaml }}" - when: not openshift.common.is_atomic | bool - - - set_fact: - g_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}" + l_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}" when: openshift.common.is_atomic | bool - fail: msg: This playbook requires access to Docker 1.10 or later - when: g_docker_version.avail_version | default(g_docker_version.curr_version, true) | version_compare('1.10','<') - - # TODO: add check to upgrade ostree to get latest Docker + when: openshift.common.is_atomic | bool and l_docker_version.avail_version | default(l_docker_version.curr_version, true) | version_compare('1.10','<') - set_fact: pre_upgrade_complete: True diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml index f5e4d807e..f5e4d807e 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/upgrade.yml index 59cedc839..3ec47d6f3 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade.yml @@ -3,23 +3,55 @@ # The restart playbook should be run after this playbook completes. ############################################################################### +# Separate step so we can execute in parallel and clear out anything unused +# before we get into the serialized upgrade process which will then remove +# remaining images if possible. +- name: Cleanup unused Docker images + hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config + tasks: + - name: Check Docker image count + shell: "docker images -aq | wc -l" + register: docker_image_count + when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool + + - debug: var=docker_image_count.stdout + when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool + + - name: Remove unused Docker images for Docker 1.10+ migration + shell: "docker rmi `docker images -aq`" + # Will fail on images still in use: + failed_when: false + when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool + + - name: Check Docker image count + shell: "docker images -aq | wc -l" + register: docker_image_count + when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool + + - debug: var=docker_image_count.stdout + when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool + ############################################################################### # Upgrade Masters ############################################################################### - name: Upgrade master hosts: oo_masters_to_config handlers: - - include: ../../../../../roles/openshift_master/handlers/main.yml + - include: ../../../../roles/openshift_master/handlers/main.yml + static: yes roles: - openshift_facts tasks: - include: rpm_upgrade.yml component=master when: not openshift.common.is_containerized | bool - - include_vars: ../../../../../roles/openshift_master/vars/main.yml + - include: "{{ master_config_hook }}" + when: master_config_hook is defined + + - include_vars: ../../../../roles/openshift_master/vars/main.yml - name: Update systemd units - include: ../../../../../roles/openshift_master/tasks/systemd_units.yml + include: ../../../../roles/openshift_master/tasks/systemd_units.yml # - name: Upgrade master configuration # openshift_upgrade_config: @@ -28,6 +60,31 @@ # role: master # config_base: "{{ hostvars[inventory_hostname].openshift.common.config_base }}" + - name: Check for ca-bundle.crt + stat: + path: "{{ openshift.common.config_base }}/master/ca-bundle.crt" + register: ca_bundle_stat + failed_when: false + + - name: Check for ca.crt + stat: + path: "{{ openshift.common.config_base }}/master/ca.crt" + register: ca_crt_stat + failed_when: false + + - name: Migrate ca.crt to ca-bundle.crt + command: mv ca.crt ca-bundle.crt + args: + chdir: "{{ openshift.common.config_base }}/master" + when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists + + - name: Link ca.crt to ca-bundle.crt + file: + src: "{{ openshift.common.config_base }}/master/ca-bundle.crt" + path: "{{ openshift.common.config_base }}/master/ca.crt" + state: link + when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists + - name: Set master update status to complete hosts: oo_masters_to_config tasks: @@ -64,7 +121,8 @@ roles: - openshift_facts handlers: - - include: ../../../../../roles/openshift_node/handlers/main.yml + - include: ../../../../roles/openshift_node/handlers/main.yml + static: yes tasks: # TODO: To better handle re-trying failed upgrades, it would be nice to check if the node # or docker actually needs an upgrade before proceeding. Perhaps best to save this until @@ -81,13 +139,10 @@ delegate_to: "{{ groups.oo_first_master.0 }}" when: inventory_hostname in groups.oo_nodes_to_config - # Only check if docker upgrade is required if docker_upgrade is not - # already set to False. - - include: ../docker/upgrade_check.yml - when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool - - - include: ../docker/upgrade.yml + - include: docker/upgrade.yml when: l_docker_upgrade is defined and l_docker_upgrade | bool and not openshift.common.is_atomic | bool + - include: "{{ node_config_hook }}" + when: node_config_hook is defined - include: rpm_upgrade.yml vars: diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2 b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2 deleted file mode 120000 index cf20e8959..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2 +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_master/templates/atomic-openshift-master.j2
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker deleted file mode 120000 index 5a3dd12b3..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_master/templates/docker
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster deleted file mode 120000 index 3ee319365..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_master/templates/docker-cluster
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins deleted file mode 120000 index 27ddaa18b..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins +++ /dev/null @@ -1 +0,0 @@ -../../../../../filter_plugins
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library deleted file mode 120000 index 53bed9684..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library +++ /dev/null @@ -1 +0,0 @@ -../library
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins deleted file mode 120000 index cf407f69b..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins +++ /dev/null @@ -1 +0,0 @@ -../../../../../lookup_plugins
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster deleted file mode 120000 index f44f8eb4f..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_master/templates/native-cluster
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service deleted file mode 120000 index b384a3f4d..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_node/templates/openshift.docker.node.dep.service
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service deleted file mode 120000 index a2f140144..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_node/templates/openshift.docker.node.service
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service deleted file mode 120000 index 61946ff91..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_node/templates/openvswitch.docker.service
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2 b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2 deleted file mode 120000 index 3adc56e4e..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2 +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles/openshift_node/templates/openvswitch.sysconfig.j2
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles deleted file mode 120000 index 6bc1a7aef..000000000 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles +++ /dev/null @@ -1 +0,0 @@ -../../../../../roles
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml new file mode 100644 index 000000000..638ef23a8 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml @@ -0,0 +1,40 @@ +--- +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.acceptContentTypes' + yaml_value: 'application/vnd.kubernetes.protobuf,application/json' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.contentType' + yaml_value: 'application/vnd.kubernetes.protobuf' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.burst' + yaml_value: 400 + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.ops' + yaml_value: 200 + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.acceptContentTypes' + yaml_value: 'application/vnd.kubernetes.protobuf,application/json' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.contentType' + yaml_value: 'application/vnd.kubernetes.protobuf' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.burst' + yaml_value: 600 + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.ops' + yaml_value: 300 diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml new file mode 100644 index 000000000..1297938bc --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml @@ -0,0 +1,21 @@ +--- +- modify_yaml: + dest: "{{ openshift.common.config_base}}/node/node-config.yaml" + yaml_key: 'masterClientConnectionOverrides.acceptContentTypes' + yaml_value: 'application/vnd.kubernetes.protobuf,application/json' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/node/node-config.yaml" + yaml_key: 'masterClientConnectionOverrides.contentType' + yaml_value: 'application/vnd.kubernetes.protobuf' + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/node/node-config.yaml" + yaml_key: 'masterClientConnectionOverrides.burst' + yaml_value: 40 + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/node/node-config.yaml" + yaml_key: 'masterClientConnectionOverrides.ops' + yaml_value: 20 + diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml index a95de8cf3..1b8106e0e 100644 --- a/playbooks/common/openshift-etcd/config.yml +++ b/playbooks/common/openshift-etcd/config.yml @@ -1,119 +1,10 @@ --- -- name: Set etcd facts needed for generating certs +- name: Configure etcd hosts: oo_etcd_to_config any_errors_fatal: true roles: - - openshift_facts - tasks: - - openshift_facts: - role: etcd - local_facts: - etcd_image: "{{ osm_etcd_image | default(None) }}" - - name: Check status of etcd certificates - stat: - path: "{{ item }}" - with_items: - - /etc/etcd/server.crt - - /etc/etcd/peer.crt - - /etc/etcd/ca.crt - register: g_etcd_server_cert_stat_result - - set_fact: - etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - etcd_cert_subdir: etcd-{{ openshift.common.hostname }} - etcd_cert_config_dir: /etc/etcd - etcd_cert_prefix: - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - -- name: Create temp directory for syncing certs - hosts: localhost - connection: local - become: no - gather_facts: no - tasks: - - name: Create local temp directory for syncing certs - local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX - register: g_etcd_mktemp - changed_when: False - -- name: Configure etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - etcd_needing_server_certs: "{{ hostvars - | oo_select_keys(groups['oo_etcd_to_config']) - | oo_filter_list(filter_attr='etcd_server_certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - roles: - - openshift_etcd_certificates - post_tasks: - - name: Create a tarball of the etcd certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -# Configure a first etcd host to avoid conflicts in choosing a leader -# if other members come online too quickly. -- name: Configure first etcd host - hosts: oo_first_etcd - vars: - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - etcd_url_scheme: https - etcd_peer_url_scheme: https - etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ etcd_cert_config_dir }}" - state: directory - - name: Unarchive the tarball on the etcd host - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_server_certs_missing - roles: - - openshift_etcd - - nickhammond.logrotate - -# Configure the remaining etcd hosts, skipping the first one we dealt with above. -- name: Configure remaining etcd hosts - hosts: oo_etcd_to_config:!oo_first_etcd - vars: - sync_tmpdir: "{{ hostvars.localhost.g_etcd_mktemp.stdout }}" - etcd_url_scheme: https - etcd_peer_url_scheme: https + - role: openshift_etcd etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" - pre_tasks: - - name: Ensure certificate directory exists - file: - path: "{{ etcd_cert_config_dir }}" - state: directory - - name: Unarchive the tarball on the etcd host - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_server_certs_missing - roles: - - openshift_etcd + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" - role: nickhammond.logrotate - -- name: Delete temporary directory on localhost - hosts: localhost - connection: local - become: no - gather_facts: no - tasks: - - file: name={{ g_etcd_mktemp.stdout }} state=absent - changed_when: False diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 34c96a3af..1d818eea0 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -1,5 +1,5 @@ --- -- name: Set master facts and determine if external etcd certs need to be generated +- name: Set master facts hosts: oo_masters_to_config vars: t_oo_option_master_debug_level: "{{ lookup('oo_option', 'openshift_master_debug_level') }}" @@ -73,23 +73,6 @@ openshift_env: openshift_hosted_registry_storage_kind: 'nfs' when: openshift_hosted_registry_storage_kind is not defined and groups.oo_nfs_to_config is defined and groups.oo_nfs_to_config | length > 0 - - name: Check status of external etcd certificatees - stat: - path: "{{ openshift.common.config_base }}/master/{{ item }}" - with_items: - - master.etcd-client.crt - - master.etcd-ca.crt - register: g_external_etcd_cert_stat_result - - set_fact: - etcd_client_certs_missing: "{{ g_external_etcd_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list | intersect([false])}}" - etcd_cert_subdir: openshift-master-{{ openshift.common.hostname }} - etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" - etcd_cert_prefix: master.etcd- - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config - name: Create temp directory for syncing certs hosts: localhost @@ -102,60 +85,6 @@ register: g_master_mktemp changed_when: False -- name: Configure etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - etcd_needing_client_certs: "{{ hostvars - | oo_select_keys(groups['oo_masters_to_config']) - | default([]) - | oo_filter_list(filter_attr='etcd_client_certs_missing') }}" - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - roles: - - openshift_etcd_certificates - post_tasks: - - name: Create a tarball of the etcd certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Copy the external etcd certs to the masters - hosts: oo_masters_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/master" - state: directory - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - file: - path: "{{ etcd_cert_config_dir }}/{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - master.etcd-client.crt - - master.etcd-client.key - - master.etcd-ca.crt - when: etcd_client_certs_missing is defined and etcd_client_certs_missing - - name: Check for cached session secrets hosts: oo_first_master roles: @@ -183,54 +112,6 @@ session_encryption_secrets: "{{ g_session_encryption_secrets }}" when: not g_session_secrets_present | bool -- name: Parse named certificates - hosts: localhost - connection: local - become: no - vars: - internal_hostnames: "{{ hostvars[groups.oo_first_master.0].openshift.common.internal_hostnames }}" - named_certificates: "{{ hostvars[groups.oo_first_master.0].openshift_master_named_certificates | default([]) }}" - named_certificates_dir: "{{ hostvars[groups.oo_first_master.0].openshift.common.config_base }}/master/named_certificates/" - tasks: - - set_fact: - parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certificates_dir, internal_hostnames) }}" - when: named_certificates | length > 0 - -- name: Deploy named certificates - hosts: oo_masters_to_config - vars: - named_certs_dir: "{{ openshift.common.config_base }}/master/named_certificates/" - named_certs_specified: "{{ openshift_master_named_certificates is defined }}" - overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}" - roles: - - role: openshift_facts - post_tasks: - - openshift_facts: - role: master - local_facts: - named_certificates: "{{ hostvars.localhost.parsed_named_certificates | default([]) }}" - additive_facts_to_overwrite: - - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}" - - name: Clear named certificates - file: - path: "{{ named_certs_dir }}" - state: absent - when: overwrite_named_certs | bool - - name: Ensure named certificate directory exists - file: - path: "{{ named_certs_dir }}" - state: directory - mode: 0700 - when: named_certs_specified | bool - - name: Land named certificates - copy: src="{{ item.certfile }}" dest="{{ named_certs_dir }}" - with_items: "{{ openshift_master_named_certificates }}" - when: named_certs_specified | bool - - name: Land named certificate keys - copy: src="{{ item.keyfile }}" dest="{{ named_certs_dir }}" mode=0600 - with_items: "{{ openshift_master_named_certificates }}" - when: named_certs_specified | bool - - name: Configure masters hosts: oo_masters_to_config any_errors_fatal: true @@ -245,10 +126,10 @@ | union(groups['oo_etcd_to_config'] | default([]))) | oo_collect('openshift.common.hostname') | default([]) | join (',') }}" - when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and - openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_master + - role: openshift_master_facts + - role: openshift_hosted_facts + - role: openshift_master_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" openshift_master_etcd_hosts: "{{ hostvars | oo_select_keys(groups['oo_etcd_to_config'] | default([])) @@ -258,6 +139,38 @@ | oo_select_keys(groups['oo_masters_to_config'] | default([])) | oo_collect('openshift.common.all_hostnames') | oo_flatten | unique }}" + - role: openshift_etcd_client_certificates + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" + etcd_cert_prefix: "master.etcd-" + when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config + - role: openshift_clock + - role: openshift_cloud_provider + - role: openshift_builddefaults + - role: os_firewall + os_firewall_allow: + - service: etcd embedded + port: 4001/tcp + - service: api server https + port: "{{ openshift.master.api_port }}/tcp" + - service: api controllers https + port: "{{ openshift.master.controllers_port }}/tcp" + - service: skydns tcp + port: "{{ openshift.master.dns_port }}/tcp" + - service: skydns udp + port: "{{ openshift.master.dns_port }}/udp" + - service: Fluentd td-agent tcp + port: 24224/tcp + - service: Fluentd td-agent udp + port: 24224/udp + - service: pcsd + port: 2224/tcp + - service: Corosync UDP + port: 5404/udp + - service: Corosync UDP + port: 5405/udp + - role: openshift_master openshift_master_hosts: "{{ groups.oo_masters_to_config }}" - role: nickhammond.logrotate - role: nuage_master diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml index 6e6cb3e01..7304fca56 100644 --- a/playbooks/common/openshift-master/scaleup.yml +++ b/playbooks/common/openshift-master/scaleup.yml @@ -33,7 +33,12 @@ service: name={{ openshift.common.service_type }}-master-controllers state=restarted - name: verify api server command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' @@ -53,4 +58,6 @@ - include: ../openshift-master/config.yml +- include: ../openshift-loadbalancer/config.yml + - include: ../openshift-node/config.yml diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index a8c49d37b..c56353430 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -60,8 +60,30 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_node + - role: openshift_clock + - role: openshift_docker + - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" + - role: openshift_cloud_provider + - role: openshift_common + - role: openshift_node_dnsmasq + when: openshift.common.use_dnsmasq + - role: os_firewall + os_firewall_allow: + - service: Kubernetes kubelet + port: 10250/tcp + - service: http + port: 80/tcp + - service: https + port: 443/tcp + - service: Openshift kubelet ReadOnlyPort + port: 10255/tcp + - service: Openshift kubelet ReadOnlyPort udp + port: 10255/udp + - service: OpenShift OVS sdn + port: 4789/udp + when: openshift.node.use_openshift_sdn | bool + - role: openshift_node - name: Configure node instances hosts: oo_nodes_to_config:!oo_containerized_master_nodes @@ -77,97 +99,42 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_node + - role: openshift_clock + - role: openshift_docker + - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" - -- name: Gather and set facts for flannel certificatess - hosts: oo_nodes_to_config - tasks: - - name: Check status of flannel external etcd certificates - stat: - path: "{{ openshift.common.config_base }}/node/{{ item }}" - with_items: - - node.etcd-client.crt - - node.etcd-ca.crt - register: g_external_etcd_flannel_cert_stat_result - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config and (openshift.common.use_flannel | bool) - - set_fact: - etcd_client_flannel_certs_missing: "{{ False in g_external_etcd_flannel_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list }}" - etcd_cert_subdir: openshift-node-{{ openshift.common.hostname }} - etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" - etcd_cert_prefix: node.etcd- - etcd_hostname: "{{ openshift.common.hostname }}" - etcd_ip: "{{ openshift.common.ip }}" - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config | length > 0 and (openshift.common.use_flannel | bool) - -- name: Configure flannel etcd certificates - hosts: oo_first_etcd - vars: - etcd_generated_certs_dir: /etc/etcd/generated_certs - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - pre_tasks: - - set_fact: - etcd_needing_client_certs: "{{ hostvars - | oo_select_keys(groups['oo_nodes_to_config']) - | oo_filter_list('etcd_client_flannel_certs_missing') | default([]) }}" - roles: - - role: openshift_etcd_certificates - when: openshift_use_flannel | default(false) | bool - post_tasks: - - name: Create a tarball of the etcd flannel certs - command: > - tar -czvf {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz - -C {{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }} . - args: - creates: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - - name: Retrieve the etcd cert tarballs - fetch: - src: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}.tgz" - dest: "{{ sync_tmpdir }}/" - flat: yes - fail_on_missing: yes - validate_checksum: yes - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Copy the external etcd flannel certs to the nodes - hosts: oo_nodes_to_config - vars: - sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" - tasks: - - name: Ensure certificate directory exists - file: - path: "{{ openshift.common.config_base }}/node" - state: directory - when: etcd_client_flannel_certs_missing | default(false) | bool - - name: Unarchive the tarball on the master - unarchive: - src: "{{ sync_tmpdir }}/{{ etcd_cert_subdir }}.tgz" - dest: "{{ etcd_cert_config_dir }}" - when: etcd_client_flannel_certs_missing | default(false) | bool - - file: - path: "{{ etcd_cert_config_dir }}/{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - node.etcd-client.crt - - node.etcd-client.key - - node.etcd-ca.crt - when: etcd_client_flannel_certs_missing | default(false) | bool - + - role: openshift_cloud_provider + - role: openshift_common + - role: openshift_node_dnsmasq + when: openshift.common.use_dnsmasq + - role: os_firewall + os_firewall_allow: + - service: Kubernetes kubelet + port: 10250/tcp + - service: http + port: 80/tcp + - service: https + port: 443/tcp + - service: Openshift kubelet ReadOnlyPort + port: 10255/tcp + - service: Openshift kubelet ReadOnlyPort udp + port: 10255/udp + - service: OpenShift OVS sdn + port: 4789/udp + when: openshift.node.use_openshift_sdn | bool + - role: openshift_node - name: Additional node config hosts: oo_nodes_to_config vars: - # TODO: Prefix flannel role variables. openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" - etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" - embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" roles: - role: flannel + etcd_urls: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls }}" + embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" + etcd_cert_subdir: "openshift-node-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" when: openshift.common.use_flannel | bool - role: nuage_node when: openshift.common.use_nuage | bool @@ -201,7 +168,12 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml index 7156a9fff..cfd72dfbc 100644 --- a/roles/etcd/meta/main.yml +++ b/roles/etcd/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: description: etcd management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.2 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -22,4 +22,4 @@ dependencies: port: "{{etcd_client_port}}/tcp" - service: etcd peering port: "{{ etcd_peer_port }}/tcp" -- role: etcd_common +- role: etcd_server_certificates diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 75d40216d..ba4136327 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -58,30 +58,6 @@ group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" mode: 0700 -- name: Validate permissions on certificate files - file: - path: "{{ item }}" - mode: 0600 - owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" - group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" - when: etcd_url_scheme == 'https' - with_items: - - "{{ etcd_ca_file }}" - - "{{ etcd_cert_file }}" - - "{{ etcd_key_file }}" - -- name: Validate permissions on peer certificate files - file: - path: "{{ item }}" - mode: 0600 - owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" - group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" - when: etcd_peer_url_scheme == 'https' - with_items: - - "{{ etcd_peer_ca_file }}" - - "{{ etcd_peer_cert_file }}" - - "{{ etcd_peer_key_file }}" - - name: Write etcd global config file template: src: etcd.conf.j2 diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2 index cd048ec60..7ccf78212 100644 --- a/roles/etcd/templates/etcd.conf.j2 +++ b/roles/etcd/templates/etcd.conf.j2 @@ -1,5 +1,5 @@ {% macro initial_cluster() -%} -{% for host in etcd_peers -%} +{% for host in etcd_peers | default([]) -%} {% if loop.last -%} {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }} {%- else -%} diff --git a/roles/etcd_ca/meta/main.yml b/roles/etcd_ca/meta/main.yml index d02456ca3..e3e2f7781 100644 --- a/roles/etcd_ca/meta/main.yml +++ b/roles/etcd_ca/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: + description: Etcd CA company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- { role: etcd_common } +- role: etcd_common diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml index e1bb9baed..865074e41 100644 --- a/roles/etcd_ca/tasks/main.yml +++ b/roles/etcd_ca/tasks/main.yml @@ -2,6 +2,8 @@ - name: Install openssl action: "{{ ansible_pkg_mgr }} name=openssl state=present" when: not etcd_is_atomic | bool + delegate_to: "{{ etcd_ca_host }}" + run_once: true - file: path: "{{ item }}" @@ -13,29 +15,41 @@ - "{{ etcd_ca_new_certs_dir }}" - "{{ etcd_ca_crl_dir }}" - "{{ etcd_ca_dir }}/fragments" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - command: cp /etc/pki/tls/openssl.cnf ./ args: chdir: "{{ etcd_ca_dir }}/fragments" creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - template: dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf" src: openssl_append.j2 backup: true + delegate_to: "{{ etcd_ca_host }}" + run_once: true - assemble: src: "{{ etcd_ca_dir }}/fragments" dest: "{{ etcd_openssl_conf }}" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - command: touch {{ etcd_ca_db }} args: creates: "{{ etcd_ca_db }}" + delegate_to: "{{ etcd_ca_host }}" + run_once: true - copy: dest: "{{ etcd_ca_serial }}" content: "01" force: no + delegate_to: "{{ etcd_ca_host }}" + run_once: true - command: > openssl req -config {{ etcd_openssl_conf }} -newkey rsa:4096 @@ -48,3 +62,5 @@ creates: "{{ etcd_ca_cert }}" environment: SAN: 'etcd-signer' + delegate_to: "{{ etcd_ca_host }}" + run_once: true diff --git a/roles/etcd_certificates/tasks/client.yml b/roles/etcd_certificates/tasks/client.yml deleted file mode 100644 index b497a46c0..000000000 --- a/roles/etcd_certificates/tasks/client.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -- name: Ensure generated_certs directory present - file: - path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - state: directory - mode: 0700 - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Create the client csr - command: > - openssl req -new -keyout {{ item.etcd_cert_prefix }}client.key - -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}client.csr - -reqexts {{ etcd_req_ext }} -batch -nodes - -subj /CN={{ item.etcd_hostname }} - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'client.csr' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- name: Sign and create the client crt - command: > - openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}client.crt - -in {{ item.etcd_cert_prefix }}client.csr - -batch - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'client.crt' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_client_certs | default([]) }}" - -- file: - src: "{{ etcd_ca_cert }}" - dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" - state: hard - with_items: "{{ etcd_needing_client_certs | default([]) }}" diff --git a/roles/etcd_certificates/tasks/main.yml b/roles/etcd_certificates/tasks/main.yml deleted file mode 100644 index 17092ca58..000000000 --- a/roles/etcd_certificates/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- include: client.yml - when: etcd_needing_client_certs | default([]) | length > 0 - -- include: server.yml - when: etcd_needing_server_certs | default([]) | length > 0 diff --git a/roles/etcd_certificates/tasks/server.yml b/roles/etcd_certificates/tasks/server.yml deleted file mode 100644 index 934b8b805..000000000 --- a/roles/etcd_certificates/tasks/server.yml +++ /dev/null @@ -1,71 +0,0 @@ ---- -- name: Ensure generated_certs directory present - file: - path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - state: directory - mode: 0700 - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Create the server csr - command: > - openssl req -new -keyout {{ item.etcd_cert_prefix }}server.key - -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}server.csr - -reqexts {{ etcd_req_ext }} -batch -nodes - -subj /CN={{ item.etcd_hostname }} - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'server.csr' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Sign and create the server crt - command: > - openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}server.crt - -in {{ item.etcd_cert_prefix }}server.csr - -extensions {{ etcd_ca_exts_server }} -batch - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'server.crt' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Create the peer csr - command: > - openssl req -new -keyout {{ item.etcd_cert_prefix }}peer.key - -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}peer.csr - -reqexts {{ etcd_req_ext }} -batch -nodes - -subj /CN={{ item.etcd_hostname }} - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'peer.csr' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- name: Sign and create the peer crt - command: > - openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} - -out {{ item.etcd_cert_prefix }}peer.crt - -in {{ item.etcd_cert_prefix }}peer.csr - -extensions {{ etcd_ca_exts_peer }} -batch - args: - chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}" - creates: "{{ etcd_generated_certs_dir ~ '/' ~ item.etcd_cert_subdir ~ '/' - ~ item.etcd_cert_prefix ~ 'peer.crt' }}" - environment: - SAN: "IP:{{ item.etcd_ip }}" - with_items: "{{ etcd_needing_server_certs | default([]) }}" - -- file: - src: "{{ etcd_ca_cert }}" - dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt" - state: hard - with_items: "{{ etcd_needing_server_certs | default([]) }}" diff --git a/roles/etcd_certificates/README.md b/roles/etcd_client_certificates/README.md index 95f8f8aab..269d5296d 100644 --- a/roles/etcd_certificates/README.md +++ b/roles/etcd_client_certificates/README.md @@ -1,5 +1,5 @@ -OpenShift etcd certificates -======================== +OpenShift Etcd Certificates +=========================== TODO diff --git a/roles/etcd_client_certificates/library b/roles/etcd_client_certificates/library new file mode 120000 index 000000000..494d3c39e --- /dev/null +++ b/roles/etcd_client_certificates/library @@ -0,0 +1 @@ +../../library
\ No newline at end of file diff --git a/roles/etcd_client_certificates/meta/main.yml b/roles/etcd_client_certificates/meta/main.yml new file mode 100644 index 000000000..efebdb599 --- /dev/null +++ b/roles/etcd_client_certificates/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: Etcd Client Certificates + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- role: etcd_common diff --git a/roles/etcd_client_certificates/tasks/main.yml b/roles/etcd_client_certificates/tasks/main.yml new file mode 100644 index 000000000..275aa0a63 --- /dev/null +++ b/roles/etcd_client_certificates/tasks/main.yml @@ -0,0 +1,137 @@ +--- +- name: Ensure CA certificate exists on etcd_ca_host + stat: + path: "{{ etcd_ca_cert }}" + register: g_ca_cert_stat_result + delegate_to: "{{ etcd_ca_host }}" + run_once: true + +- fail: + msg: > + CA certificate {{ etcd_ca_cert }} doesn't exist on CA host + {{ etcd_ca_host }}. Apply 'etcd_ca' role to + {{ etcd_ca_host }}. + when: not g_ca_cert_stat_result.stat.exists | bool + run_once: true + +- name: Check status of external etcd certificatees + stat: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + with_items: + - "{{ etcd_cert_prefix }}client.crt" + - "{{ etcd_cert_prefix }}client.key" + - "{{ etcd_cert_prefix }}ca.crt" + register: g_external_etcd_cert_stat_result + when: not etcd_certificates_redeploy | default(false) | bool + +- set_fact: + etcd_client_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool + else (False in (g_external_etcd_cert_stat_result.results + | default({}) + | oo_collect(attribute='stat.exists') + | list)) }}" + +- name: Ensure generated_certs directory present + file: + path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + state: directory + mode: 0700 + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the client csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}client.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}client.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'client.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order to avoid competing +# for the serial file. +- name: Sign and create the client crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}client.crt + -in {{ etcd_cert_prefix }}client.csr + -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'client.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- file: + src: "{{ etcd_ca_cert }}" + dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt" + state: hard + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX + register: g_etcd_client_mktemp + changed_when: False + when: etcd_client_certs_missing | bool + delegate_to: localhost + become: no + +- name: Create a tarball of the etcd certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz + -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} . + args: + creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Retrieve the etcd cert tarballs + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ g_etcd_client_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: etcd_client_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ etcd_cert_config_dir }}" + state: directory + when: etcd_client_certs_missing | bool + +- name: Unarchive etcd cert tarballs + unarchive: + src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_cert_config_dir }}" + when: etcd_client_certs_missing | bool + +- file: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - "{{ etcd_cert_prefix }}client.crt" + - "{{ etcd_cert_prefix }}client.key" + - "{{ etcd_cert_prefix }}ca.crt" + when: etcd_client_certs_missing | bool + +- name: Delete temporary directory + file: name={{ g_etcd_client_mktemp.stdout }} state=absent + changed_when: False + when: etcd_client_certs_missing | bool + delegate_to: localhost + become: no diff --git a/roles/etcd_server_certificates/README.md b/roles/etcd_server_certificates/README.md new file mode 100644 index 000000000..269d5296d --- /dev/null +++ b/roles/etcd_server_certificates/README.md @@ -0,0 +1,34 @@ +OpenShift Etcd Certificates +=========================== + +TODO + +Requirements +------------ + +TODO + +Role Variables +-------------- + +TODO + +Dependencies +------------ + +TODO + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License Version 2.0 + +Author Information +------------------ + +Scott Dodson (sdodson@redhat.com) diff --git a/roles/etcd_server_certificates/library b/roles/etcd_server_certificates/library new file mode 120000 index 000000000..494d3c39e --- /dev/null +++ b/roles/etcd_server_certificates/library @@ -0,0 +1 @@ +../../library
\ No newline at end of file diff --git a/roles/etcd_certificates/meta/main.yml b/roles/etcd_server_certificates/meta/main.yml index 41370fab4..b453f2bd8 100644 --- a/roles/etcd_certificates/meta/main.yml +++ b/roles/etcd_server_certificates/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: author: Jason DeTiberus - description: + description: Etcd Server Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -13,4 +13,4 @@ galaxy_info: - cloud - system dependencies: -- { role: etcd_ca } +- role: etcd_ca diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml new file mode 100644 index 000000000..718515023 --- /dev/null +++ b/roles/etcd_server_certificates/tasks/main.yml @@ -0,0 +1,179 @@ +--- +- name: Install etcd + action: "{{ ansible_pkg_mgr }} name=etcd state=present" + when: not etcd_is_containerized | bool + +- name: Check status of etcd certificates + stat: + path: "{{ etcd_cert_config_dir }}/{{ item }}" + with_items: + - "{{ etcd_cert_prefix }}server.crt" + - "{{ etcd_cert_prefix }}peer.crt" + - "{{ etcd_cert_prefix }}ca.crt" + register: g_etcd_server_cert_stat_result + when: not etcd_certificates_redeploy | default(false) | bool + +- set_fact: + etcd_server_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool + else (False in (g_etcd_server_cert_stat_result.results + | default({}) + | oo_collect(attribute='stat.exists') + | list)) }}" + +- name: Ensure generated_certs directory present + file: + path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + state: directory + mode: 0700 + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the server csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}server.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}server.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'server.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order to avoid competing +# for the serial file. +- name: Sign and create the server crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}server.crt + -in {{ etcd_cert_prefix }}server.csr + -extensions {{ etcd_ca_exts_server }} -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'server.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + delegate_to: "{{ etcd_ca_host }}" + +- name: Create the peer csr + command: > + openssl req -new -keyout {{ etcd_cert_prefix }}peer.key + -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}peer.csr + -reqexts {{ etcd_req_ext }} -batch -nodes + -subj /CN={{ etcd_hostname }} + args: + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'peer.csr' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +# Certificates must be signed serially in order to avoid competing +# for the serial file. +- name: Sign and create the peer crt + delegated_serial_command: + command: > + openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }} + -out {{ etcd_cert_prefix }}peer.crt + -in {{ etcd_cert_prefix }}peer.csr + -extensions {{ etcd_ca_exts_peer }} -batch + chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}" + creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/' + ~ etcd_cert_prefix ~ 'peer.crt' }}" + environment: + SAN: "IP:{{ etcd_ip }}" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- file: + src: "{{ etcd_ca_cert }}" + dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt" + state: hard + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Create local temp directory for syncing certs + local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX + become: no + register: g_etcd_server_mktemp + changed_when: False + when: etcd_server_certs_missing | bool + delegate_to: localhost + +- name: Create a tarball of the etcd certs + command: > + tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz + -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} . + args: + creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Retrieve etcd cert tarball + fetch: + src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ g_etcd_server_mktemp.stdout }}/" + flat: yes + fail_on_missing: yes + validate_checksum: yes + when: etcd_server_certs_missing | bool + delegate_to: "{{ etcd_ca_host }}" + +- name: Ensure certificate directory exists + file: + path: "{{ etcd_cert_config_dir }}" + state: directory + when: etcd_server_certs_missing | bool + +- name: Unarchive cert tarball + unarchive: + src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz" + dest: "{{ etcd_cert_config_dir }}" + when: etcd_server_certs_missing | bool + +- name: Delete temporary directory + file: name={{ g_etcd_server_mktemp.stdout }} state=absent + become: no + changed_when: False + when: etcd_server_certs_missing | bool + delegate_to: localhost + +- name: Validate permissions on certificate files + file: + path: "{{ item }}" + mode: 0600 + owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + when: etcd_url_scheme == 'https' + with_items: + - "{{ etcd_ca_file }}" + - "{{ etcd_cert_file }}" + - "{{ etcd_key_file }}" + +- name: Validate permissions on peer certificate files + file: + path: "{{ item }}" + mode: 0600 + owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + when: etcd_peer_url_scheme == 'https' + with_items: + - "{{ etcd_peer_ca_file }}" + - "{{ etcd_peer_cert_file }}" + - "{{ etcd_peer_key_file }}" + +- name: Validate permissions on the config dir + file: + path: "{{ etcd_conf_dir }}" + state: directory + owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}" + mode: 0700 diff --git a/roles/flannel/meta/main.yml b/roles/flannel/meta/main.yml index 909bdbfa4..616ae61d2 100644 --- a/roles/flannel/meta/main.yml +++ b/roles/flannel/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: flannel management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.2 + min_ansible_version: 2.1 platforms: - name: EL versions: @@ -13,4 +13,6 @@ galaxy_info: - cloud - system dependencies: -- { role: openshift_facts } +- role: openshift_facts +- role: openshift_etcd_client_certificates + etcd_cert_prefix: flannel.etcd- diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml index a08aa1686..444c5b77e 100644 --- a/roles/openshift_ca/meta/main.yml +++ b/roles/openshift_ca/meta/main.yml @@ -15,3 +15,4 @@ galaxy_info: dependencies: - role: openshift_repos - role: openshift_cli +- role: openshift_named_certificates diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index 4d9768ce7..bb89b65a6 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -3,6 +3,10 @@ msg: "openshift_ca_host variable must be defined for this role" when: openshift_ca_host is not defined +- fail: + msg: "Both 'certfile' and 'keyfile' keys must be supplied when configuring openshift_master_ca_certificate" + when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate) + - name: Install the base package for admin tooling action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" when: not openshift.common.is_containerized | bool @@ -28,26 +32,82 @@ path: "{{ openshift_ca_config_dir }}/{{ item }}" register: g_master_ca_stat_result with_items: + - ca-bundle.crt - ca.crt - ca.key delegate_to: "{{ openshift_ca_host }}" run_once: true - set_fact: - master_ca_missing: "{{ False in (g_master_ca_stat_result.results - | oo_collect(attribute='stat.exists') - | list) }}" + master_ca_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool + else False in (g_master_ca_stat_result.results + | oo_collect(attribute='stat.exists') + | list) }}" + run_once: true + +- name: Retain original serviceaccount keys + copy: + src: "{{ item }}" + dest: "{{ item }}.keep" + remote_src: true + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool + +- name: Deploy master ca certificate + copy: + src: "{{ item.src }}" + dest: "{{ openshift_ca_config_dir }}/{{ item.dest }}" + force: "{{ true if openshift_certificates_redeploy_ca | default(false) | bool else false }}" + with_items: + - src: "{{ (openshift_master_ca_certificate | default({'certfile':none})).certfile }}" + dest: ca.crt + - src: "{{ (openshift_master_ca_certificate | default({'keyfile':none})).keyfile }}" + dest: ca.key + when: openshift_master_ca_certificate is defined + delegate_to: "{{ openshift_ca_host }}" + run_once: true + +- name: Create ca serial + copy: + content: "1" + dest: "{{ openshift_ca_config_dir }}/ca.serial.txt" + force: "{{ true if openshift_certificates_redeploy | default(false) | bool else false }}" + when: openshift_master_ca_certificate is defined delegate_to: "{{ openshift_ca_host }}" run_once: true - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ openshift_master_hostnames | join(',') }} - --master={{ openshift.master.api_url }} - --public-master={{ openshift.master.public_api_url }} - --cert-dir={{ openshift_ca_config_dir }} - --overwrite=false - when: hostvars[openshift_ca_host].master_ca_missing | bool + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + --hostnames={{ openshift_master_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_ca_config_dir }} + --overwrite=false + when: master_ca_missing | bool delegate_to: "{{ openshift_ca_host }}" run_once: true + +- name: Restore original serviceaccount keys + copy: + src: "{{ item }}.keep" + dest: "{{ item }}" + remote_src: true + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool + +- name: Remove backup serviceaccount keys + file: + path: "{{ item }}.keep" + state: absent + with_items: + - "{{ openshift_ca_config_dir }}/serviceaccounts.private.key" + - "{{ openshift_ca_config_dir }}/serviceaccounts.public.key" + when: openshift_certificates_redeploy | default(false) | bool diff --git a/roles/openshift_etcd_client_certificates/meta/main.yml b/roles/openshift_etcd_client_certificates/meta/main.yml new file mode 100644 index 000000000..3268c390f --- /dev/null +++ b/roles/openshift_etcd_client_certificates/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: OpenShift Etcd Client Certificates + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: openshift_etcd_facts +- role: etcd_client_certificates diff --git a/roles/openshift_etcd_facts/tasks/main.yml b/roles/openshift_etcd_facts/tasks/main.yml new file mode 100644 index 000000000..22fb39006 --- /dev/null +++ b/roles/openshift_etcd_facts/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- openshift_facts: + role: etcd + local_facts: + etcd_image: "{{ osm_etcd_image | default(None) }}" diff --git a/roles/openshift_etcd_facts/vars/main.yml b/roles/openshift_etcd_facts/vars/main.yml index 6f3894565..cae15d61a 100644 --- a/roles/openshift_etcd_facts/vars/main.yml +++ b/roles/openshift_etcd_facts/vars/main.yml @@ -3,3 +3,8 @@ etcd_is_containerized: "{{ openshift.common.is_containerized }}" etcd_is_atomic: "{{ openshift.common.is_atomic }}" etcd_hostname: "{{ openshift.common.hostname }}" etcd_ip: "{{ openshift.common.ip }}" +etcd_cert_subdir: "etcd-{{ openshift.common.hostname }}" +etcd_cert_prefix: +etcd_cert_config_dir: /etc/etcd +etcd_peer_url_scheme: https +etcd_url_scheme: https diff --git a/roles/openshift_etcd_server_certificates/meta/main.yml b/roles/openshift_etcd_server_certificates/meta/main.yml new file mode 100644 index 000000000..7750f14af --- /dev/null +++ b/roles/openshift_etcd_server_certificates/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: OpenShift Etcd Server Certificates + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: openshift_etcd_facts +- role: etcd_server_certificates diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 659f4eba6..30cec82ce 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -944,7 +944,12 @@ def format_url(use_ssl, hostname, port, path=''): netloc = hostname if (use_ssl and port != '443') or (not use_ssl and port != '80'): netloc += ":%s" % port - return urlparse.urlunparse((scheme, netloc, path, '', '', '')) + try: + url = urlparse.urlunparse((scheme, netloc, path, '', '', '')) + except AttributeError: + # pylint: disable=undefined-variable + url = urlunparse((scheme, netloc, path, '', '', '')) + return url def get_current_config(facts): """ Get current openshift config @@ -1599,11 +1604,13 @@ class OpenShiftFacts(object): try: # ansible-2.1 - # pylint: disable=too-many-function-args + # pylint: disable=too-many-function-args,invalid-name self.system_facts = ansible_facts(module, ['hardware', 'network', 'virtual', 'facter']) - except TypeError: - # ansible-1.9.x,ansible-2.0.x - self.system_facts = ansible_facts(module) + for (k, v) in self.system_facts.items(): + self.system_facts["ansible_%s" % k.replace('-', '_')] = v + except UnboundLocalError: + # ansible-2.2 + self.system_facts = get_all_facts(module)['ansible_facts'] self.facts = self.generate_facts(local_facts, additive_facts_to_overwrite, @@ -1684,11 +1691,11 @@ class OpenShiftFacts(object): dict: The generated default facts """ defaults = {} - ip_addr = self.system_facts['default_ipv4']['address'] + ip_addr = self.system_facts['ansible_default_ipv4']['address'] exit_code, output, _ = module.run_command(['hostname', '-f']) hostname_f = output.strip() if exit_code == 0 else '' - hostname_values = [hostname_f, self.system_facts['nodename'], - self.system_facts['fqdn']] + hostname_values = [hostname_f, self.system_facts['ansible_nodename'], + self.system_facts['ansible_fqdn']] hostname = choose_hostname(hostname_values, ip_addr) defaults['common'] = dict(use_openshift_sdn=True, ip=ip_addr, @@ -1708,6 +1715,7 @@ class OpenShiftFacts(object): {"name": "PodFitsResources"}, {"name": "PodFitsPorts"}, {"name": "NoDiskConflict"}, + {"name": "NoVolumeZoneConflict"}, {"name": "Region", "argument": {"serviceAffinity" : {"labels" : ["region"]}}} ] scheduler_priorities = [ @@ -1821,10 +1829,10 @@ class OpenShiftFacts(object): dict: The generated default facts for the detected provider """ # TODO: cloud provider facts should probably be submitted upstream - product_name = self.system_facts['product_name'] - product_version = self.system_facts['product_version'] - virt_type = self.system_facts['virtualization_type'] - virt_role = self.system_facts['virtualization_role'] + product_name = self.system_facts['ansible_product_name'] + product_version = self.system_facts['ansible_product_version'] + virt_type = self.system_facts['ansible_virtualization_type'] + virt_role = self.system_facts['ansible_virtualization_role'] provider = None metadata = None @@ -2107,12 +2115,16 @@ def main(): additive_facts_to_overwrite=dict(default=[], type='list', required=False), openshift_env=dict(default={}, type='dict', required=False), openshift_env_structures=dict(default=[], type='list', required=False), - protected_facts_to_overwrite=dict(default=[], type='list', required=False), + protected_facts_to_overwrite=dict(default=[], type='list', required=False) ), supports_check_mode=True, add_file_common_args=True, ) + module.params['gather_subset'] = ['hardware', 'network', 'virtual', 'facter'] + module.params['gather_timeout'] = 10 + module.params['filter'] = '*' + role = module.params['role'] local_facts = module.params['local_facts'] additive_facts_to_overwrite = module.params['additive_facts_to_overwrite'] diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml index c7d20f88b..74c50ae1d 100644 --- a/roles/openshift_hosted/meta/main.yml +++ b/roles/openshift_hosted/meta/main.yml @@ -11,27 +11,4 @@ galaxy_info: - 7 categories: - cloud -dependencies: -- role: openshift_cli -- role: openshift_hosted_facts -- role: openshift_projects - # TODO: Move standard project definitions to openshift_hosted/vars/main.yml - # Vars are not accessible in meta/main.yml in ansible-1.9.x - openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" -- role: openshift_serviceaccounts - openshift_serviceaccounts_names: - - router - openshift_serviceaccounts_namespace: default - openshift_serviceaccounts_sccs: - - hostnetwork - when: openshift.common.version_gte_3_2_or_1_2 -- role: openshift_serviceaccounts - openshift_serviceaccounts_names: - - router - - registry - openshift_serviceaccounts_namespace: default - openshift_serviceaccounts_sccs: - - privileged - when: not openshift.common.version_gte_3_2_or_1_2 -- role: openshift_metrics - when: openshift.hosted.metrics.deploy | bool +dependencies: [] diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml index c801a0e67..67c6bbfd7 100644 --- a/roles/openshift_hosted/tasks/main.yml +++ b/roles/openshift_hosted/tasks/main.yml @@ -13,7 +13,10 @@ changed_when: False - include: router/router.yml + when: openshift_hosted_manage_router | default(true) | bool + - include: registry/registry.yml + when: openshift_hosted_manage_registry | default(true) | bool - name: Delete temp directory file: diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml index 08c7e944e..b28974236 100644 --- a/roles/openshift_hosted/tasks/registry/registry.yml +++ b/roles/openshift_hosted/tasks/registry/registry.yml @@ -4,12 +4,12 @@ {{ openshift.common.client_binary }} --api-version='v1' -o json get nodes -n default --config={{ openshift_hosted_kubeconfig }} --selector={{ openshift.hosted.registry.selector | default('') }} - register: openshift_hosted_registry_nodes_json + register: registry_nodes_json changed_when: false when: openshift.hosted.registry.replicas | default(none) is none - set_fact: - l_node_count: "{{ (openshift_hosted_registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}" + l_node_count: "{{ (registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}" # Determine the default number of registry/router replicas to use if no count # has been specified. @@ -50,7 +50,9 @@ when: replicas | int > 0 - include: storage/object_storage.yml + static: no when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) == 'object' - include: storage/persistent_volume.yml + static: no when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack'] diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml index d0a129c95..e18b9781c 100644 --- a/roles/openshift_hosted/tasks/router/router.yml +++ b/roles/openshift_hosted/tasks/router/router.yml @@ -39,12 +39,12 @@ {{ openshift.common.client_binary }} --api-version='v1' -o json get nodes -n default --config={{ openshift_hosted_kubeconfig }} --selector={{ openshift.hosted.router.selector | default('') }} - register: openshift_hosted_router_nodes_json + register: router_nodes_json changed_when: false when: openshift.hosted.router.replicas | default(none) is none - set_fact: - replicas: "{{ openshift.hosted.router.replicas | default((openshift_hosted_router_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length) }}" + replicas: "{{ openshift.hosted.router.replicas | default((router_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length) }}" - name: Create OpenShift router command: > diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2 index ea5626642..71539775d 100644 --- a/roles/openshift_hosted/templates/registry_config.j2 +++ b/roles/openshift_hosted/templates/registry_config.j2 @@ -58,6 +58,10 @@ auth: openshift: realm: openshift middleware: +{% if openshift.common.version_gte_3_3_or_1_3 | bool %} + registry: + - name: openshift +{% endif -%} repository: - name: openshift options: @@ -69,4 +73,7 @@ middleware: baseurl: {{ openshift.hosted.registry.storage.s3.cloudfront.baseurl }} privatekey: {{ openshift.hosted.registry.storage.s3.cloudfront.privatekeyfile }} keypairid: {{ openshift.hosted.registry.storage.s3.cloudfront.keypairid }} +{% elif openshift.common.version_gte_3_3_or_1_3 | bool %} + storage: + - name: openshift {% endif -%} diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index f7dfb11f7..edb7369de 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml @@ -17,7 +17,12 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index be70d9102..a2f665702 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -11,32 +11,4 @@ galaxy_info: - 7 categories: - cloud -dependencies: -- role: openshift_clock -- role: openshift_master_certificates -- role: openshift_cloud_provider -- role: openshift_builddefaults -- role: openshift_master_facts -- role: openshift_hosted_facts -- role: os_firewall - os_firewall_allow: - - service: etcd embedded - port: 4001/tcp - - service: api server https - port: "{{ openshift.master.api_port }}/tcp" - - service: api controllers https - port: "{{ openshift.master.controllers_port }}/tcp" - - service: skydns tcp - port: "{{ openshift.master.dns_port }}/tcp" - - service: skydns udp - port: "{{ openshift.master.dns_port }}/udp" - - service: Fluentd td-agent tcp - port: 24224/tcp - - service: Fluentd td-agent udp - port: 24224/udp - - service: pcsd - port: 2224/tcp - - service: Corosync UDP - port: 5404/udp - - service: Corosync UDP - port: 5405/udp +dependencies: [] diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 115a64aeb..6259fd996 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -224,7 +224,12 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/master/ca.crt + curl --silent + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} {{ openshift.master.api_url }}/healthz/ready register: api_available_output until: api_available_output.stdout == 'ok' @@ -272,37 +277,3 @@ - name: Set the cluster user password shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster when: install_result | changed - -- name: Lookup default group for ansible_ssh_user - command: "/usr/bin/id -g {{ ansible_ssh_user }}" - changed_when: false - register: _ansible_ssh_user_gid - -- set_fact: - client_users: "{{ [ansible_ssh_user, 'root'] | unique }}" - -- name: Create the client config dir(s) - file: - path: "~{{ item }}/.kube" - state: directory - mode: 0700 - owner: "{{ item }}" - group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" - with_items: "{{ client_users }}" - -# TODO: Update this file if the contents of the source file are not present in -# the dest file, will need to make sure to ignore things that could be added -- name: Copy the admin client config(s) - command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config - args: - creates: ~{{ item }}/.kube/config - with_items: "{{ client_users }}" - -- name: Update the permissions on the admin client config(s) - file: - path: "~{{ item }}/.kube/config" - state: file - mode: 0700 - owner: "{{ item }}" - group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" - with_items: "{{ client_users }}" diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml index 458b56fd1..0c0c7e61e 100644 --- a/roles/openshift_master/tasks/systemd_units.yml +++ b/roles/openshift_master/tasks/systemd_units.yml @@ -16,7 +16,7 @@ # workaround for missing systemd unit files - name: Create the systemd unit files template: - src: "docker/master.docker.service.j2" + src: "master_docker/master.docker.service.j2" dest: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service" when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool) register: create_master_unit_file @@ -84,12 +84,12 @@ line: "{{ item }}" with_items: "{{ master_controllers_proxy.stdout_lines | default([]) }}" when: openshift.master.ha is defined and openshift.master.ha | bool and openshift_master_cluster_method == "native" - and master_controllers_proxy.rc == 0 and 'http_proxy' not in openshift.common and 'https_proxy' not in openshift.common + and master_controllers_proxy.rc == 0 and 'http_proxy' not in openshift.common and 'https_proxy' not in openshift.common - name: Install Master docker service file template: dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service" - src: docker/master.docker.service.j2 + src: master_docker/master.docker.service.j2 register: install_result when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool @@ -112,4 +112,4 @@ dest: /etc/sysconfig/{{ openshift.common.service_type }}-master line: "{{ item }}" with_items: "{{ master_proxy.stdout_lines | default([]) }}" - when: master_proxy.rc == 0 and 'http_proxy' not in openshift.common and 'https_proxy' not in openshift.common
\ No newline at end of file + when: master_proxy.rc == 0 and 'http_proxy' not in openshift.common and 'https_proxy' not in openshift.common diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index b18a42e32..31e86f5bd 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -131,7 +131,21 @@ kubernetesMasterConfig: {% endif %} masterClients: {# TODO: allow user to set externalKubernetesKubeConfig #} +{% if openshift.common.version_gte_3_3_or_1_3 | bool %} + externalKubernetesClientConnectionOverrides: + acceptContentTypes: application/vnd.kubernetes.protobuf,application/json + contentType: application/vnd.kubernetes.protobuf + burst: 400 + qps: 200 +{% endif %} externalKubernetesKubeConfig: "" +{% if openshift.common.version_gte_3_3_or_1_3 | bool %} + openshiftLoopbackClientConnectionOverrides: + acceptContentTypes: application/vnd.kubernetes.protobuf,application/json + contentType: application/vnd.kubernetes.protobuf + burst: 600 + qps: 300 +{% endif %} openshiftLoopbackKubeConfig: openshift-master.kubeconfig masterPublicURL: {{ openshift.master.public_api_url }} networkConfig: @@ -156,7 +170,11 @@ oauthConfig: {% for line in translated_identity_providers.splitlines() %} {{ line }} {% endfor %} - masterCA: ca.crt +{% if openshift.common.version_gte_3_2_or_1_2 | bool %} + masterCA: ca-bundle.crt +{% else %} + masterCA: ca.rt +{% endif %} masterPublicURL: {{ openshift.master.public_api_url }} masterURL: {{ openshift.master.api_url }} sessionConfig: @@ -189,7 +207,11 @@ serviceAccountConfig: - default - builder - deployer - masterCA: ca.crt +{% if openshift.common.version_gte_3_2_or_1_2 | bool %} + masterCA: ca-bundle.crt +{% else %} + masterCA: ca.rt +{% endif %} privateKeyFile: serviceaccounts.private.key publicKeyFiles: - serviceaccounts.public.key @@ -201,7 +223,7 @@ servingInfo: keyFile: master.server.key maxRequestsInFlight: {{ openshift.master.max_requests_inflight }} requestTimeoutSeconds: 3600 -{% if openshift.master.named_certificates %} +{% if openshift.master.named_certificates | default([]) | length > 0 %} namedCertificates: {% for named_certificate in openshift.master.named_certificates %} - certFile: {{ named_certificate['certfile'] }} diff --git a/roles/openshift_master/templates/docker/master.docker.service.j2 b/roles/openshift_master/templates/master_docker/master.docker.service.j2 index 97f698b68..97f698b68 100644 --- a/roles/openshift_master/templates/docker/master.docker.service.j2 +++ b/roles/openshift_master/templates/master_docker/master.docker.service.j2 diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml index dd19c8ded..018186e86 100644 --- a/roles/openshift_master_certificates/meta/main.yml +++ b/roles/openshift_master_certificates/meta/main.yml @@ -13,4 +13,5 @@ galaxy_info: - cloud - system dependencies: +- role: openshift_master_facts - role: openshift_ca diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 6fb5830cf..aafb06f93 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -21,18 +21,22 @@ with_items: - "{{ openshift_master_certs }}" register: g_master_cert_stat_result + when: not openshift_certificates_redeploy | default(false) | bool - set_fact: - master_certs_missing: "{{ False in (g_master_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list) }}" + master_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool + else (False in (g_master_cert_stat_result.results + | default({}) + | oo_collect(attribute='stat.exists') + | list)) }}" + - name: Ensure the generated_configs directory present file: path: "{{ openshift_master_generated_config_dir }}" state: directory mode: 0700 - when: master_certs_missing | bool + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - file: @@ -43,18 +47,21 @@ - ca.crt - ca.key - ca.serial.txt - when: master_certs_missing | bool + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ openshift.common.all_hostnames | join(',') }} - --master={{ openshift.master.api_url }} - --public-master={{ openshift.master.public_api_url }} - --cert-dir={{ openshift_master_generated_config_dir }} - --overwrite=false - when: master_certs_missing | bool + {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} + --hostnames={{ openshift.common.all_hostnames | join(',') }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.public_api_url }} + --cert-dir={{ openshift_master_generated_config_dir }} + --overwrite=false + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - file: @@ -64,7 +71,7 @@ force: true with_items: - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}" - when: master_certs_missing | bool + when: master_certs_missing | bool and inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" - name: Remove generated etcd client certs when using external etcd @@ -121,3 +128,39 @@ when: master_certs_missing | bool delegate_to: localhost become: no + +- name: Lookup default group for ansible_ssh_user + command: "/usr/bin/id -g {{ ansible_ssh_user }}" + changed_when: false + register: _ansible_ssh_user_gid + +- set_fact: + client_users: "{{ [ansible_ssh_user, 'root'] | unique }}" + +- name: Create the client config dir(s) + file: + path: "~{{ item }}/.kube" + state: directory + mode: 0700 + owner: "{{ item }}" + group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" + with_items: "{{ client_users }}" + +# TODO: Update this file if the contents of the source file are not present in +# the dest file, will need to make sure to ignore things that could be added +- name: Copy the admin client config(s) + copy: + src: "{{ openshift_master_config_dir }}/admin.kubeconfig" + dest: "~{{ item }}/.kube/config" + remote_src: yes + force: "{{ openshift_certificates_redeploy | default(false) }}" + with_items: "{{ client_users }}" + +- name: Update the permissions on the admin client config(s) + file: + path: "~{{ item }}/.kube/config" + state: file + mode: 0700 + owner: "{{ item }}" + group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" + with_items: "{{ client_users }}" diff --git a/roles/openshift_named_certificates/README.md b/roles/openshift_named_certificates/README.md new file mode 100644 index 000000000..41f895813 --- /dev/null +++ b/roles/openshift_named_certificates/README.md @@ -0,0 +1,32 @@ +OpenShift Named Certificates +============================ + +TODO + +Requirements +------------ + +Role Variables +-------------- + +TODO + +Dependencies +------------ + +TODO + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License Version 2.0 + +Author Information +------------------ + +Andrew Butcher <abutcher@redhat.com> diff --git a/roles/openshift_etcd_certificates/meta/main.yml b/roles/openshift_named_certificates/meta/main.yml index 2725fdb51..2c6e12494 100644 --- a/roles/openshift_etcd_certificates/meta/main.yml +++ b/roles/openshift_named_certificates/meta/main.yml @@ -1,16 +1,16 @@ --- galaxy_info: author: Andrew Butcher - description: OpenShift etcd Certificates + description: OpenShift Named Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.1 platforms: - name: EL versions: - 7 categories: - cloud + - system dependencies: -- role: openshift_etcd_facts -- role: etcd_certificates +- role: openshift_facts diff --git a/roles/openshift_named_certificates/tasks/main.yml b/roles/openshift_named_certificates/tasks/main.yml new file mode 100644 index 000000000..7f20cf401 --- /dev/null +++ b/roles/openshift_named_certificates/tasks/main.yml @@ -0,0 +1,46 @@ +--- +- set_fact: + parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certs_dir, internal_hostnames) }}" + when: named_certificates | length > 0 + delegate_to: localhost + become: no + run_once: true + +- openshift_facts: + role: master + local_facts: + named_certificates: "{{ parsed_named_certificates | default([]) }}" + additive_facts_to_overwrite: + - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}" + +- name: Clear named certificates + file: + path: "{{ named_certs_dir }}" + state: absent + when: overwrite_named_certs | bool + +- name: Ensure named certificate directory exists + file: + path: "{{ named_certs_dir }}" + state: directory + mode: 0700 + +- name: Land named certificates + copy: + src: "{{ item.certfile }}" + dest: "{{ named_certs_dir }}" + with_items: "{{ named_certificates }}" + +- name: Land named certificate keys + copy: + src: "{{ item.keyfile }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ named_certificates }}" + +- name: Land named CA certificates + copy: + src: "{{ item }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ named_certificates | oo_collect('cafile') }}" diff --git a/roles/openshift_named_certificates/tasks/named_certificates.yml b/roles/openshift_named_certificates/tasks/named_certificates.yml new file mode 100644 index 000000000..7b097b443 --- /dev/null +++ b/roles/openshift_named_certificates/tasks/named_certificates.yml @@ -0,0 +1,32 @@ +--- +- name: Clear named certificates + file: + path: "{{ named_certs_dir }}" + state: absent + when: overwrite_named_certs | bool + +- name: Ensure named certificate directory exists + file: + path: "{{ named_certs_dir }}" + state: directory + mode: 0700 + +- name: Land named certificates + copy: + src: "{{ item.certfile }}" + dest: "{{ named_certs_dir }}" + with_items: "{{ openshift_master_named_certificates | default([]) }}" + +- name: Land named certificate keys + copy: + src: "{{ item.keyfile }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ openshift_master_named_certificates | default([]) }}" + +- name: Land named CA certificates + copy: + src: "{{ item }}" + dest: "{{ named_certs_dir }}" + mode: 0600 + with_items: "{{ openshift_master_named_certificates | default([]) | oo_collect('cafile') }}" diff --git a/roles/openshift_named_certificates/vars/main.yml b/roles/openshift_named_certificates/vars/main.yml new file mode 100644 index 000000000..368e9bdac --- /dev/null +++ b/roles/openshift_named_certificates/vars/main.yml @@ -0,0 +1,11 @@ +--- +openshift_ca_config_dir: "{{ openshift.common.config_base }}/master" +openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt" +openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key" +openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt" +openshift_version: "{{ openshift_pkg_version | default('') }}" + +overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}" +named_certs_dir: "{{ openshift.common.config_base }}/master/named_certificates/" +internal_hostnames: "{{ openshift.common.internal_hostnames }}" +named_certificates: "{{ openshift_master_named_certificates | default([]) }}" diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index fd493340b..c39269f33 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -11,26 +11,4 @@ galaxy_info: - 7 categories: - cloud -dependencies: -- role: openshift_clock -- role: openshift_docker -- role: openshift_node_certificates -- role: openshift_cloud_provider -- role: openshift_common -- role: openshift_node_dnsmasq - when: openshift.common.use_dnsmasq -- role: os_firewall - os_firewall_allow: - - service: Kubernetes kubelet - port: 10250/tcp - - service: http - port: 80/tcp - - service: https - port: 443/tcp - - service: Openshift kubelet ReadOnlyPort - port: 10255/tcp - - service: Openshift kubelet ReadOnlyPort udp - port: 10255/udp - - service: OpenShift OVS sdn - port: 4789/udp - when: openshift.node.use_openshift_sdn | bool +dependencies: [] diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 889541e25..9c71af6d9 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -106,8 +106,20 @@ notify: - restart node -- name: Additional storage plugin configuration - include: storage_plugins/main.yml +- name: NFS storage plugin configuration + include: storage_plugins/nfs.yml + +- name: GlusterFS storage plugin configuration + include: storage_plugins/glusterfs.yml + when: "'glusterfs' in openshift.node.storage_plugin_deps" + +- name: Ceph storage plugin configuration + include: storage_plugins/ceph.yml + when: "'ceph' in openshift.node.storage_plugin_deps" + +- name: iSCSI storage plugin configuration + include: storage_plugins/iscsi.yml + when: "'iscsi' in openshift.node.storage_plugin_deps" # Necessary because when you're on a node that's also a master the master will be # restarted after the node restarts docker and it will take up to 60 seconds for diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml deleted file mode 100644 index fe638718d..000000000 --- a/roles/openshift_node/tasks/storage_plugins/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# The NFS storage plugin is always enabled since it doesn't require any -# additional package dependencies -- name: NFS storage plugin configuration - include: nfs.yml - -- name: GlusterFS storage plugin configuration - include: glusterfs.yml - when: "'glusterfs' in openshift.node.storage_plugin_deps" - -- name: Ceph storage plugin configuration - include: ceph.yml - when: "'ceph' in openshift.node.storage_plugin_deps" - -- name: iSCSI storage plugin configuration - include: iscsi.yml - when: "'iscsi' in openshift.node.storage_plugin_deps" diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index a37770c4a..414f0d5e3 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -12,15 +12,22 @@ imageConfig: latest: false kind: NodeConfig kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }} +{% if openshift.common.version_gte_3_3_or_1_3 | bool %} +masterClientConnectionOverrides: + acceptContentTypes: application/vnd.kubernetes.protobuf,application/json + contentType: application/vnd.kubernetes.protobuf + burst: 200 + qps: 100 +{% endif %} masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig -{% if openshift.common.use_openshift_sdn %} +{% if openshift.common.use_openshift_sdn | bool and not openshift.common.version_gte_3_3_or_1_3 | bool %} networkPluginName: {{ openshift.common.sdn_network_plugin_name }} {% endif %} # networkConfig struct introduced in origin 1.0.6 and OSE 3.0.2 which # deprecates networkPluginName above. The two should match. networkConfig: mtu: {{ openshift.node.sdn_mtu }} -{% if openshift.common.use_openshift_sdn or openshift.common.use_nuage %} +{% if ( openshift.common.use_openshift_sdn | bool or openshift.common.use_nuage | bool ) and not openshift.common.version_gte_3_3_or_1_3 | bool%} networkPluginName: {{ openshift.common.sdn_network_plugin_name }} {% endif %} {% if openshift.node.set_node_ip | bool %} diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 0e69dc6f0..fef7caab8 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -25,11 +25,14 @@ - server.key - server.crt register: g_node_cert_stat_result + when: not openshift_certificates_redeploy | default(false) | bool - set_fact: - node_certs_missing: "{{ False in (g_node_cert_stat_result.results - | oo_collect(attribute='stat.exists') - | list) }}" + node_certs_missing: "{{ true if openshift_certificates_redeploy | default(false) | bool + else (False in (g_node_cert_stat_result.results + | default({}) + | oo_collect(attribute='stat.exists') + | list)) }}" - name: Create openshift_generated_configs_dir if it does not exist file: @@ -42,6 +45,9 @@ - name: Generate the node client config command: > {{ openshift.common.admin_binary }} create-api-client-config + {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %} + --certificate-authority {{ named_ca_certificate }} + {% endfor %} --certificate-authority={{ openshift_ca_cert }} --client-dir={{ openshift_node_generated_config_dir }} --groups=system:nodes diff --git a/roles/openshift_repos/files/fedora-openshift-enterprise/gpg_keys/.gitkeep b/roles/openshift_repos/files/fedora-openshift-enterprise/gpg_keys/.gitkeep new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/roles/openshift_repos/files/fedora-openshift-enterprise/gpg_keys/.gitkeep diff --git a/roles/openshift_repos/files/fedora-openshift-enterprise/repos/.gitkeep b/roles/openshift_repos/files/fedora-openshift-enterprise/repos/.gitkeep new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/roles/openshift_repos/files/fedora-openshift-enterprise/repos/.gitkeep diff --git a/roles/openshift_repos/files/openshift-enterprise/gpg_keys/.gitkeep b/roles/openshift_repos/files/openshift-enterprise/gpg_keys/.gitkeep new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/roles/openshift_repos/files/openshift-enterprise/gpg_keys/.gitkeep diff --git a/roles/openshift_repos/files/openshift-enterprise/repos/.gitkeep b/roles/openshift_repos/files/openshift-enterprise/repos/.gitkeep new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/roles/openshift_repos/files/openshift-enterprise/repos/.gitkeep diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index d8e43438a..07a8d28fd 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -34,7 +34,12 @@ path: "/etc/yum.repos.d/{{ item | basename }}" state: absent with_fileglob: - - '*/repos/*' + - "fedora-openshift-enterprise/repos/*" + - "fedora-origin/repos/*" + - "online/repos/*" + - "openshift-enterprise/repos/*" + - "origin/repos/*" + - "removed/repos/*" when: not openshift.common.is_containerized | bool and not (item | search("/files/" ~ openshift_deployment_type ~ "/repos")) and (ansible_os_family == "RedHat" and ansible_distribution != "Fedora") @@ -42,10 +47,15 @@ - name: Remove any yum repo files for other deployment types Fedora file: - path: "/etc/yum.repos.d/{{ item | basename }}" + path: "{{ item | basename }}" state: absent with_fileglob: - - '*/repos/*' + - "fedora-openshift-enterprise/repos/*" + - "fedora-origin/repos/*" + - "online/repos/*" + - "openshift-enterprise/repos/*" + - "origin/repos/*" + - "removed/repos/*" when: not openshift.common.is_containerized | bool and not (item | search("/files/fedora-" ~ openshift_deployment_type ~ "/repos")) and (ansible_distribution == "Fedora") diff --git a/test/modify_yaml_tests.py b/test/modify_yaml_tests.py new file mode 100644 index 000000000..24cce4855 --- /dev/null +++ b/test/modify_yaml_tests.py @@ -0,0 +1,37 @@ +""" Tests for the modify_yaml Ansible module. """ +# pylint: disable=missing-docstring,invalid-name + +import os +import sys +import unittest + +sys.path = [os.path.abspath(os.path.dirname(__file__) + "/../library/")] + sys.path + +# pylint: disable=import-error +from modify_yaml import set_key + +class ModifyYamlTests(unittest.TestCase): + + def test_simple_nested_value(self): + cfg = {"section": {"a": 1, "b": 2}} + changes = set_key(cfg, 'section.c', 3) + self.assertEquals(1, len(changes)) + self.assertEquals(3, cfg['section']['c']) + + # Tests a previous bug where property would land in section above where it should, + # if the destination section did not yet exist: + def test_nested_property_in_new_section(self): + cfg = { + "masterClients": { + "externalKubernetesKubeConfig": "", + "openshiftLoopbackKubeConfig": "openshift-master.kubeconfig", + }, + } + + yaml_key = 'masterClients.externalKubernetesClientConnectionOverrides.acceptContentTypes' + yaml_value = 'application/vnd.kubernetes.protobuf,application/json' + set_key(cfg, yaml_key, yaml_value) + self.assertEquals(yaml_value, cfg['masterClients'] + ['externalKubernetesClientConnectionOverrides'] + ['acceptContentTypes']) + diff --git a/utils/src/ooinstall/ansible_plugins/facts_callback.py b/utils/src/ooinstall/ansible_plugins/facts_callback.py index ea6ed6574..2537a099f 100644 --- a/utils/src/ooinstall/ansible_plugins/facts_callback.py +++ b/utils/src/ooinstall/ansible_plugins/facts_callback.py @@ -4,8 +4,10 @@ import os import yaml +from ansible.plugins.callback import CallbackBase -class CallbackModule(object): +# pylint: disable=super-init-not-called +class CallbackModule(CallbackBase): def __init__(self): ###################### @@ -21,68 +23,71 @@ class CallbackModule(object): self.hosts_yaml = os.open(self.hosts_yaml_name, os.O_CREAT | os.O_WRONLY) - def on_any(self, *args, **kwargs): + def v2_on_any(self, *args, **kwargs): pass - def runner_on_failed(self, host, res, ignore_errors=False): + def v2_runner_on_failed(self, res, ignore_errors=False): pass - def runner_on_ok(self, host, res): - if res['invocation']['module_args'] == 'var=result': - facts = res['var']['result']['ansible_facts']['openshift'] + # pylint: disable=protected-access + def v2_runner_on_ok(self, res): + abridged_result = res._result.copy() + # Collect facts result from playbooks/byo/openshift_facts.yml + if 'result' in abridged_result: + facts = abridged_result['result']['ansible_facts']['openshift'] hosts_yaml = {} - hosts_yaml[host] = facts + hosts_yaml[res._host.get_name()] = facts os.write(self.hosts_yaml, yaml.safe_dump(hosts_yaml)) - def runner_on_skipped(self, host, item=None): + def v2_runner_on_skipped(self, res): pass - def runner_on_unreachable(self, host, res): + def v2_runner_on_unreachable(self, res): pass - def runner_on_no_hosts(self): + def v2_runner_on_no_hosts(self, task): pass - def runner_on_async_poll(self, host, res): + def v2_runner_on_async_poll(self, res): pass - def runner_on_async_ok(self, host, res): + def v2_runner_on_async_ok(self, res): pass - def runner_on_async_failed(self, host, res): + def v2_runner_on_async_failed(self, res): pass - def playbook_on_start(self): + def v2_playbook_on_start(self, playbook): pass - def playbook_on_notify(self, host, handler): + def v2_playbook_on_notify(self, res, handler): pass - def playbook_on_no_hosts_matched(self): + def v2_playbook_on_no_hosts_matched(self): pass - def playbook_on_no_hosts_remaining(self): + def v2_playbook_on_no_hosts_remaining(self): pass - def playbook_on_task_start(self, name, is_conditional): + def v2_playbook_on_task_start(self, name, is_conditional): pass #pylint: disable=too-many-arguments - def playbook_on_vars_prompt(self, varname, private=True, prompt=None, + def v2_playbook_on_vars_prompt(self, varname, private=True, prompt=None, encrypt=None, confirm=False, salt_size=None, salt=None, default=None): pass - def playbook_on_setup(self): + def v2_playbook_on_setup(self): pass - def playbook_on_import_for_host(self, host, imported_file): + def v2_playbook_on_import_for_host(self, res, imported_file): pass - def playbook_on_not_import_for_host(self, host, missing_file): + def v2_playbook_on_not_import_for_host(self, res, missing_file): pass - def playbook_on_play_start(self, name): + def v2_playbook_on_play_start(self, play): pass - def playbook_on_stats(self, stats): + def v2_playbook_on_stats(self, stats): pass diff --git a/utils/src/ooinstall/cli_installer.py b/utils/src/ooinstall/cli_installer.py index b9750fad1..e197c722d 100644 --- a/utils/src/ooinstall/cli_installer.py +++ b/utils/src/ooinstall/cli_installer.py @@ -1,5 +1,3 @@ -# TODO: Temporarily disabled due to importing old code into openshift-ansible -# repo. We will work on these over time. # pylint: disable=bad-continuation,missing-docstring,no-self-use,invalid-name,no-value-for-parameter,too-many-lines import os @@ -16,6 +14,21 @@ from ooinstall.variants import find_variant, get_variant_version_combos DEFAULT_ANSIBLE_CONFIG = '/usr/share/atomic-openshift-utils/ansible.cfg' DEFAULT_PLAYBOOK_DIR = '/usr/share/ansible/openshift-ansible/' +UPGRADE_MAPPINGS = { + '3.0':{ + 'minor_version' :'3.0', + 'minor_playbook':'v3_0_minor/upgrade.yml', + 'major_version' :'3.1', + 'major_playbook':'v3_0_to_v3_1/upgrade.yml', + }, + '3.1':{ + 'minor_version' :'3.1', + 'minor_playbook':'v3_1_minor/upgrade.yml', + 'major_playbook':'v3_1_to_v3_2/upgrade.yml', + 'major_version' :'3.2', + } + } + def validate_ansible_dir(path): if not path: raise click.BadParameter('An ansible path must be provided') @@ -490,7 +503,7 @@ def error_if_missing_info(oo_cfg): 'command line or in the config file: %s' % oo_cfg.config_path) sys.exit(1) - if 'ansible_ssh_user' not in oo_cfg.settings: + if 'ansible_ssh_user' not in oo_cfg.deployment.variables: click.echo("Must specify ansible_ssh_user in configuration file.") sys.exit(1) @@ -586,7 +599,8 @@ https://docs.openshift.com/enterprise/latest/admin_guide/install/prerequisites.h click.clear() if not oo_cfg.settings.get('ansible_ssh_user', ''): - oo_cfg.settings['ansible_ssh_user'] = get_ansible_ssh_user() + oo_cfg.deployment.variables['ansible_ssh_user'] = \ + get_ansible_ssh_user() click.clear() if not oo_cfg.settings.get('variant', ''): @@ -597,6 +611,7 @@ https://docs.openshift.com/enterprise/latest/admin_guide/install/prerequisites.h if not oo_cfg.deployment.hosts: oo_cfg.deployment.hosts, roles = collect_hosts(oo_cfg) + set_infra_nodes(oo_cfg.deployment.hosts) for role in roles: oo_cfg.deployment.roles[role] = Role(name=role, variables={}) @@ -654,7 +669,7 @@ def get_installed_hosts(hosts, callback_facts): except (KeyError, StopIteration): pass - for host in hosts: + for host in [h for h in hosts if h.is_master() or h.is_node()]: if host.connect_to in callback_facts.keys() and is_installed_host(host, callback_facts): installed_hosts.append(host) return installed_hosts @@ -741,6 +756,16 @@ def get_hosts_to_run_on(oo_cfg, callback_facts, unattended, force, verbose): return hosts_to_run_on, callback_facts +def set_infra_nodes(hosts): + if all(host.is_master() for host in hosts): + infra_list = hosts + else: + nodes_list = [host for host in hosts if host.is_node()] + infra_list = nodes_list[:2] + + for host in infra_list: + host.node_labels = "{'region': 'infra'}" + @click.group() @click.pass_context @@ -774,6 +799,7 @@ def get_hosts_to_run_on(oo_cfg, callback_facts, unattended, force, verbose): default="/tmp/ansible.log") @click.option('-v', '--verbose', is_flag=True, default=False) +@click.help_option('--help', '-h') #pylint: disable=too-many-arguments #pylint: disable=line-too-long # Main CLI entrypoint, not much we can do about too many arguments. @@ -828,21 +854,25 @@ def uninstall(ctx): oo_cfg = ctx.obj['oo_cfg'] verbose = ctx.obj['verbose'] - if len(oo_cfg.deployment.hosts) == 0: + if hasattr(oo_cfg, 'deployment'): + hosts = oo_cfg.deployment.hosts + elif hasattr(oo_cfg, 'hosts'): + hosts = oo_cfg.hosts + else: click.echo("No hosts defined in: %s" % oo_cfg.config_path) sys.exit(1) click.echo("OpenShift will be uninstalled from the following hosts:\n") if not ctx.obj['unattended']: # Prompt interactively to confirm: - for host in oo_cfg.deployment.hosts: + for host in hosts: click.echo(" * %s" % host.connect_to) proceed = click.confirm("\nDo you wish to proceed?") if not proceed: click.echo("Uninstall cancelled.") sys.exit(0) - openshift_ansible.run_uninstall_playbook(verbose) + openshift_ansible.run_uninstall_playbook(hosts, verbose) @click.command() @@ -852,22 +882,6 @@ def uninstall(ctx): #pylint: disable=bad-builtin,too-many-statements def upgrade(ctx, latest_minor, next_major): oo_cfg = ctx.obj['oo_cfg'] - verbose = ctx.obj['verbose'] - - # major/minor fields are optional, as we don't always support minor/major - # upgrade for what you're currently running. - upgrade_mappings = { - '3.1':{ - 'major_playbook':'v3_2/upgrade.yml', - 'major_version' :'3.2', - }, - '3.2':{ - 'minor_playbook':'v3_2/upgrade.yml', -# Uncomment these when we're ready to support 3.3. -# 'major_version' :'3.3', -# 'major_playbook':'v3_1_to_v3_2/upgrade.yml', - }, - } if len(oo_cfg.deployment.hosts) == 0: click.echo("No hosts defined in: %s" % oo_cfg.config_path) @@ -879,7 +893,7 @@ def upgrade(ctx, latest_minor, next_major): sys.exit(0) old_version = oo_cfg.settings['variant_version'] - mapping = upgrade_mappings.get(old_version) + mapping = UPGRADE_MAPPINGS.get(old_version) message = """ This tool will help you upgrade your existing OpenShift installation. @@ -934,12 +948,13 @@ def upgrade(ctx, latest_minor, next_major): if not ctx.obj['unattended']: # Prompt interactively to confirm: - proceed = click.confirm("\nDo you wish to proceed?") - if not proceed: + if not click.confirm("\nDo you wish to proceed?"): click.echo("Upgrade cancelled.") sys.exit(0) - retcode = openshift_ansible.run_upgrade_playbook(playbook, verbose) + retcode = openshift_ansible.run_upgrade_playbook(oo_cfg.deployment.hosts, + playbook, + ctx.obj['verbose']) if retcode > 0: click.echo("Errors encountered during upgrade, please check %s." % oo_cfg.settings['ansible_log_path']) diff --git a/utils/src/ooinstall/oo_config.py b/utils/src/ooinstall/oo_config.py index e37892c9b..69ad2b4c5 100644 --- a/utils/src/ooinstall/oo_config.py +++ b/utils/src/ooinstall/oo_config.py @@ -17,11 +17,9 @@ CONFIG_PERSIST_SETTINGS = [ 'variant_version', ] -DEPLOYMENT_PERSIST_SETTINGS = [ - 'master_routingconfig_subdomain', - 'proxy_http', - 'proxy_https', - 'proxy_exclude_hosts', +DEPLOYMENT_VARIABLES_BLACKLIST = [ + 'hosts', + 'roles', ] DEFAULT_REQUIRED_FACTS = ['ip', 'public_ip', 'hostname', 'public_hostname'] @@ -191,10 +189,11 @@ class OOConfig(object): except KeyError: continue - for setting in DEPLOYMENT_PERSIST_SETTINGS: + for setting in loaded_config['deployment']: try: - self.deployment.variables[setting] = \ - str(loaded_config['deployment'][setting]) + if setting not in DEPLOYMENT_VARIABLES_BLACKLIST: + self.deployment.variables[setting] = \ + str(loaded_config['deployment'][setting]) except KeyError: continue @@ -306,21 +305,20 @@ class OOConfig(object): if setting in self.settings and self.settings[setting]: p_settings[setting] = self.settings[setting] - p_settings['deployment'] = {} p_settings['deployment']['hosts'] = [] p_settings['deployment']['roles'] = {} - for setting in DEPLOYMENT_PERSIST_SETTINGS: - if setting in self.deployment.variables: - p_settings['deployment'][setting] = self.deployment.variables[setting] - for host in self.deployment.hosts: p_settings['deployment']['hosts'].append(host.to_dict()) for name, role in self.deployment.roles.iteritems(): p_settings['deployment']['roles'][name] = role.variables + for setting in self.deployment.variables: + if setting not in DEPLOYMENT_VARIABLES_BLACKLIST: + p_settings['deployment'][setting] = self.deployment.variables[setting] + try: p_settings['variant'] = self.settings['variant'] p_settings['variant_version'] = self.settings['variant_version'] diff --git a/utils/src/ooinstall/openshift_ansible.py b/utils/src/ooinstall/openshift_ansible.py index 54178f0cd..ef7906828 100644 --- a/utils/src/ooinstall/openshift_ansible.py +++ b/utils/src/ooinstall/openshift_ansible.py @@ -19,8 +19,6 @@ ROLES_TO_GROUPS_MAP = { VARIABLES_MAP = { 'ansible_ssh_user': 'ansible_ssh_user', - 'ansible_config': 'ansible_config', - 'ansible_log_path': 'ansible_log_path', 'deployment_type': 'deployment_type', 'master_routingconfig_subdomain':'openshift_master_default_subdomain', 'proxy_http':'openshift_http_proxy', @@ -106,7 +104,7 @@ def write_inventory_vars(base_inventory, multiple_masters, lb): if value: base_inventory.write('{}={}\n'.format(inventory_var, value)) - if CFG.settings['ansible_ssh_user'] != 'root': + if CFG.deployment.variables['ansible_ssh_user'] != 'root': base_inventory.write('ansible_become=yes\n') if multiple_masters and lb is not None: @@ -190,7 +188,8 @@ def write_host(host, role, inventory, schedulable=None): for variable, value in host.other_variables.iteritems(): facts += " {}={}".format(variable, value) if host.node_labels: - facts += ' openshift_node_labels="{}"'.format(host.node_labels) + if role == 'node': + facts += ' openshift_node_labels="{}"'.format(host.node_labels) # Distinguish between three states, no schedulability specified (use default), @@ -279,10 +278,10 @@ def run_ansible(playbook, inventory, env_vars, verbose=False): return subprocess.call(args, env=env_vars) -def run_uninstall_playbook(verbose=False): +def run_uninstall_playbook(hosts, verbose=False): playbook = os.path.join(CFG.settings['ansible_playbook_directory'], 'playbooks/adhoc/uninstall.yml') - inventory_file = generate_inventory(CFG.hosts) + inventory_file = generate_inventory(hosts) facts_env = os.environ.copy() if 'ansible_log_path' in CFG.settings: facts_env['ANSIBLE_LOG_PATH'] = CFG.settings['ansible_log_path'] @@ -291,12 +290,12 @@ def run_uninstall_playbook(verbose=False): return run_ansible(playbook, inventory_file, facts_env, verbose) -def run_upgrade_playbook(playbook, verbose=False): +def run_upgrade_playbook(hosts, playbook, verbose=False): playbook = os.path.join(CFG.settings['ansible_playbook_directory'], 'playbooks/byo/openshift-cluster/upgrades/{}'.format(playbook)) # TODO: Upgrade inventory for upgrade? - inventory_file = generate_inventory(CFG.hosts) + inventory_file = generate_inventory(hosts) facts_env = os.environ.copy() if 'ansible_log_path' in CFG.settings: facts_env['ANSIBLE_LOG_PATH'] = CFG.settings['ansible_log_path'] diff --git a/utils/src/ooinstall/variants.py b/utils/src/ooinstall/variants.py index a8e2caf5a..10bad5f2a 100644 --- a/utils/src/ooinstall/variants.py +++ b/utils/src/ooinstall/variants.py @@ -34,19 +34,10 @@ class Variant(object): # WARNING: Keep the versions ordered, most recent first: -OSE = Variant('openshift-enterprise', 'OpenShift Enterprise', +OSE = Variant('openshift-enterprise', 'OpenShift Container Platform', [ Version('3.3', 'openshift-enterprise'), Version('3.2', 'openshift-enterprise'), - Version('3.1', 'openshift-enterprise'), - Version('3.0', 'enterprise') - ] -) - -AEP = Variant('atomic-enterprise', 'Atomic Enterprise Platform', - [ - Version('3.2', 'atomic-enterprise'), - Version('3.1', 'atomic-enterprise') ] ) @@ -57,8 +48,8 @@ origin = Variant('origin', 'OpenShift Origin', ) # Ordered list of variants we can install, first is the default. -SUPPORTED_VARIANTS = (OSE, AEP, origin) -DISPLAY_VARIANTS = (OSE, AEP) +SUPPORTED_VARIANTS = (OSE, origin) +DISPLAY_VARIANTS = (OSE, ) def find_variant(name, version=None): """ diff --git a/utils/test/cli_installer_tests.py b/utils/test/cli_installer_tests.py index d79163e91..98e111043 100644 --- a/utils/test/cli_installer_tests.py +++ b/utils/test/cli_installer_tests.py @@ -101,8 +101,8 @@ MOCK_FACTS_QUICKHA = { # Missing connect_to on some hosts: BAD_CONFIG = """ variant: %s -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 @@ -132,8 +132,8 @@ deployment: QUICKHA_CONFIG = """ variant: %s -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 @@ -189,8 +189,8 @@ deployment: QUICKHA_2_MASTER_CONFIG = """ variant: %s -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 @@ -238,8 +238,8 @@ deployment: QUICKHA_CONFIG_REUSED_LB = """ variant: %s -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 @@ -281,8 +281,8 @@ deployment: QUICKHA_CONFIG_NO_LB = """ variant: %s -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 @@ -323,8 +323,8 @@ deployment: QUICKHA_CONFIG_PRECONFIGURED_LB = """ variant: %s -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 @@ -573,7 +573,7 @@ class UnattendedCliTests(OOCliFixture): run_playbook_mock.return_value = 0 config = SAMPLE_CONFIG % 'openshift-enterprise' - config = '%s\n%s' % (config, 'variant_version: 3.0') + config = '%s\n%s' % (config, 'variant_version: 3.2') config_file = self.write_config(os.path.join(self.work_dir, 'ooinstall.conf'), config) @@ -586,11 +586,11 @@ class UnattendedCliTests(OOCliFixture): self.assertEquals('openshift-enterprise', written_config['variant']) # Make sure our older version was preserved: # and written to disk: - self.assertEquals('3.0', written_config['variant_version']) + self.assertEquals('3.2', written_config['variant_version']) inventory = ConfigParser.ConfigParser(allow_no_value=True) inventory.read(os.path.join(self.work_dir, 'hosts')) - self.assertEquals('enterprise', + self.assertEquals('openshift-enterprise', inventory.get('OSEv3:vars', 'deployment_type')) @patch('ooinstall.openshift_ansible.run_ansible') @@ -1068,26 +1068,6 @@ class AttendedCliTests(OOCliFixture): self.assert_inventory_host_var(inventory, 'nodes', '10.0.0.1', 'openshift_schedulable=True') - #interactive 3.0 install confirm no HA hints - @patch('ooinstall.openshift_ansible.run_main_playbook') - @patch('ooinstall.openshift_ansible.load_system_facts') - def test_ha_hint(self, load_facts_mock, run_playbook_mock): - load_facts_mock.return_value = (MOCK_FACTS, 0) - run_playbook_mock.return_value = 0 - - cli_input = build_input(hosts=[ - ('10.0.0.1', True, False)], - ssh_user='root', - variant_num=3, - confirm_facts='y', - storage='10.1.0.1',) - self.cli_args.append("install") - result = self.runner.invoke(cli.cli, self.cli_args, - input=cli_input) - self.assert_result(result, 0) - print result.output - self.assertTrue("NOTE: Add a total of 3 or more Masters to perform an HA installation." - not in result.output) @patch('ooinstall.openshift_ansible.run_main_playbook') @patch('ooinstall.openshift_ansible.load_system_facts') diff --git a/utils/test/fixture.py b/utils/test/fixture.py index 006df739b..152c06da8 100644 --- a/utils/test/fixture.py +++ b/utils/test/fixture.py @@ -11,9 +11,9 @@ from click.testing import CliRunner SAMPLE_CONFIG = """ variant: %s variant_version: 3.2 -ansible_ssh_user: root master_routingconfig_subdomain: example.com deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 diff --git a/utils/test/oo_config_tests.py b/utils/test/oo_config_tests.py index c19fe9e0d..10439c9ae 100644 --- a/utils/test/oo_config_tests.py +++ b/utils/test/oo_config_tests.py @@ -13,8 +13,8 @@ from ooinstall.oo_config import OOConfig, Host, OOConfigInvalidHostError SAMPLE_CONFIG = """ variant: openshift-enterprise variant_version: 3.2 -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: master-private.example.com ip: 10.0.0.1 @@ -65,6 +65,7 @@ validated_facts: CONFIG_INCOMPLETE_FACTS = """ deployment: + ansible_ssh_user: root hosts: - connect_to: 10.0.0.1 ip: 10.0.0.1 @@ -90,8 +91,8 @@ deployment: CONFIG_BAD = """ variant: openshift-enterprise -ansible_ssh_user: root deployment: + ansible_ssh_user: root hosts: - connect_to: master-private.example.com ip: 10.0.0.1 @@ -212,7 +213,7 @@ class OOConfigTests(OOInstallFixture): self.assertTrue('hostname' in h) self.assertTrue('public_hostname' in h) - self.assertTrue('ansible_ssh_user' in written_config) + self.assertTrue('ansible_ssh_user' in written_config['deployment']) self.assertTrue('variant' in written_config) self.assertEquals('v2', written_config['version']) |