| -rw-r--r-- | inventory/byo/hosts.aep.example | 2 | ||||
| -rw-r--r-- | inventory/byo/hosts.origin.example | 2 | ||||
| -rw-r--r-- | inventory/byo/hosts.ose.example | 2 | ||||
| -rw-r--r-- | openshift-ansible.spec | 2 | ||||
| -rw-r--r-- | roles/nuage_master/files/serviceaccount.sh | 63 | ||||
| -rw-r--r-- | roles/nuage_master/tasks/main.yaml | 4 | ||||
| -rw-r--r-- | roles/nuage_master/tasks/serviceaccount.yml | 51 | ||||
| -rw-r--r-- | roles/nuage_master/vars/main.yaml | 16 | ||||
| -rw-r--r-- | roles/openshift_cluster_metrics/tasks/main.yml | 1 | 
9 files changed, 71 insertions, 72 deletions
| diff --git a/inventory/byo/hosts.aep.example b/inventory/byo/hosts.aep.example
index 7c98ddcd6..30d31bc12 100644
--- a/inventory/byo/hosts.aep.example
+++ b/inventory/byo/hosts.aep.example
@@ -340,7 +340,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # and configure node's dnsIP to point at the node's local dnsmasq instance. Defaults
 # to True for Origin 1.2 and OSE 3.2. False for 1.1 / 3.1 installs, this cannot
 # be used with 1.0 and 3.0.
-# openshift_node_dnsmasq=False
+# openshift_use_dnsmasq=False
 # host group for masters
 [masters]
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index ad5c77ac6..1dc5abfcf 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -345,7 +345,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # and configure node's dnsIP to point at the node's local dnsmasq instance. Defaults
 # to True for Origin 1.2 and OSE 3.2. False for 1.1 / 3.1 installs, this cannot
 # be used with 1.0 and 3.0.
-# openshift_node_dnsmasq=False
+# openshift_use_dnsmasq=False
 # host group for masters
 [masters]
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 7c0c71484..f3ce95f0c 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -341,7 +341,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # and configure node's dnsIP to point at the node's local dnsmasq instance. Defaults
 # to True for Origin 1.2 and OSE 3.2. False for 1.1 / 3.1 installs, this cannot
 # be used with 1.0 and 3.0.
-# openshift_node_dnsmasq=False
+# openshift_use_dnsmasq=False
 # host group for masters
 [masters]
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 5674a22c5..aa29e9958 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -214,7 +214,7 @@ Atomic OpenShift Utilities includes
 - Fix router selector fact migration and match multiple selectors when counting
   nodes. (abutcher@redhat.com)
 - Fixing the spec for PR 1734 (bleanhar@redhat.com)
-- Add openshift_node_dnsmasq (sdodson@redhat.com)
+- Add openshift_use_dnsmasq (sdodson@redhat.com)
 - Promote portal_net to openshift.common, add kube_svc_ip (sdodson@redhat.com)
 - Add example inventories to docs, install docs by default (sdodson@redhat.com)
 - Fix use of JSON inventory vars with raw booleans. (dgoodwin@redhat.com)
diff --git a/roles/nuage_master/files/serviceaccount.sh b/roles/nuage_master/files/serviceaccount.sh
deleted file mode 100644
index f6fdb8a8d..000000000
--- a/roles/nuage_master/files/serviceaccount.sh
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/bash
-# Parse CLI options
-for i in "$@"; do
-    case $i in
-        --master-cert-dir=*)
-            MASTER_DIR="${i#*=}"
-            CA_CERT=${MASTER_DIR}/ca.crt
-            CA_KEY=${MASTER_DIR}/ca.key
-            CA_SERIAL=${MASTER_DIR}/ca.serial.txt
-            ADMIN_FILE=${MASTER_DIR}/admin.kubeconfig
-        ;;
-        --server=*)
-            SERVER="${i#*=}"
-        ;;
-        --output-cert-dir=*)
-            OUTDIR="${i#*=}"
-            CONFIG_FILE=${OUTDIR}/nuage.kubeconfig
-        ;;
-    esac
-done
-
-# If any are missing, print the usage and exit
-if [ -z $SERVER ] || [ -z $OUTDIR ] || [ -z $MASTER_DIR ]; then
-    echo "Invalid syntax: $@"
-    echo "Usage:"
-    echo "  $0 --server=<address>:<port> --output-cert-dir=/path/to/output/dir/ --master-cert-dir=/path/to/master/"
-    echo "--master-cert-dir:  Directory where the master's configuration is held"
-    echo "--server:           Address of Kubernetes API server (default port is 8443)"
-    echo "--output-cert-dir:  Directory to put artifacts in"
-    echo ""
-    echo "All options are required"
-    exit 1
-fi
-
-# Login as admin so that we can create the service account
-oc login -u system:admin --config=$ADMIN_FILE || exit 1
-oc project default --config=$ADMIN_FILE
-
-ACCOUNT_CONFIG='
-{
-  "apiVersion": "v1",
-  "kind": "ServiceAccount",
-  "metadata": {
-    "name": "nuage"
-  }
-}
-'
-
-# Create the account with the included info
-echo $ACCOUNT_CONFIG|oc create --config=$ADMIN_FILE -f -
-
-# Add the cluser-reader role, which allows this service account read access to
-# everything in the cluster except secrets
-oadm policy add-cluster-role-to-user cluster-reader system:serviceaccounts:default:nuage --config=$ADMIN_FILE
-
-# Generate certificates and a kubeconfig for the service account
-oadm create-api-client-config --certificate-authority=${CA_CERT} --client-dir=${OUTDIR} --signer-cert=${CA_CERT} --signer-key=${CA_KEY} --signer-serial=${CA_SERIAL} --user=system:serviceaccounts:default:nuage --master=${SERVER} --public-master=${SERVER} --basename='nuage'
-
-# Verify the finalized kubeconfig
-if ! [ $(oc whoami --config=$CONFIG_FILE) == 'system:serviceaccounts:default:nuage' ]; then
-    echo "Service account creation failed!"
-    exit 1
-fi
diff --git a/roles/nuage_master/tasks/main.yaml b/roles/nuage_master/tasks/main.yaml
index abeee3d71..c71f3072c 100644
--- a/roles/nuage_master/tasks/main.yaml
+++ b/roles/nuage_master/tasks/main.yaml
@@ -11,9 +11,7 @@
   sudo: true
   yum: name={{ nuage_openshift_rpm }} state=present
-- name: Run the service account creation script
-  sudo: true
-  script: serviceaccount.sh --server={{ openshift.master.api_url }} --output-cert-dir={{ cert_output_dir }} --master-cert-dir={{ openshift_master_config_dir }}
+- include: serviceaccount.yml
 - name: Download the certs and keys
   sudo: true
diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml
new file mode 100644
index 000000000..5b4af5824
--- /dev/null
+++ b/roles/nuage_master/tasks/serviceaccount.yml
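Review bot: The removed task ran serviceaccount.sh with `sudo: true`, but the replacement `- include: serviceaccount.yml` carries no privilege escalation, and none of the tasks in the included file set `sudo:` either, while the neighbouring tasks in this hunk (`yum`, `Download the certs and keys`) all do. The included tasks copy `admin.kubeconfig` out of the master config directory and write client certs into `{{ cert_output_dir }}`, so unless the play already runs as root (not visible here) those steps are likely to fail with a permission error. Add `sudo: true` to each task in serviceaccount.yml, or put it on the include if the Ansible version in use propagates it to the included tasks.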
@@ -0,0 +1,51 @@
+---
+- name: Create temporary directory for admin kubeconfig
+  command: mktemp -u /tmp/openshift-ansible-XXXXXXX.kubeconfig
+  register: nuage_tmp_conf_mktemp
+  changed_when: False
+
+- set_fact:
+    nuage_tmp_conf: "{{ nuage_tmp_conf_mktemp.stdout }}"
+
+- name: Copy Configuration to temporary conf
+  command: >
+    cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{nuage_tmp_conf}}
+  changed_when: false
+
+- name: Create Admin Service Account
+  shell: >
+    echo {{ nuage_service_account_config | to_json | quote }} |
+    {{ openshift.common.client_binary }} create
+    -n default 
+    --config={{nuage_tmp_conf}}
+    -f -
+  register: osnuage_create_service_account
+  failed_when: "'already exists' not in osnuage_create_service_account.stderr and osnuage_create_service_account.rc != 0"
+  changed_when: osnuage_create_service_account.rc == 0
+
+- name: Configure role/user permissions
+  command: >
+    {{ openshift.common.admin_binary }} {{item}}
+    --config={{nuage_tmp_conf}}
+  with_items: "{{nuage_tasks}}"
+  register: osnuage_perm_task
+  failed_when: "'already exists' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0"
+  changed_when: osnuage_perm_task.rc == 0
+
+- name: Generate the node client config
+  command: >
+    {{ openshift.common.admin_binary }} create-api-client-config
+      --certificate-authority={{ openshift_master_ca_cert }}
+      --client-dir={{ cert_output_dir }}
+      --master={{ openshift.master.api_url }}
+      --public-master={{ openshift.master.api_url }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
+      --basename='nuage'
+      --user={{ nuage_service_account }}
+
+- name: Clean temporary configuration file
+  command: >
+    rm -f {{nuage_tmp_conf}}
+  changed_when: false
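Review bot: `mktemp -u` on the first task only prints a candidate name and creates nothing, so between that task and the later `cp` the path under /tmp is unclaimed, and the copied admin.kubeconfig ends up with whatever mode the umask gives a freshly created file rather than the 0600 mktemp would have set. Dropping the flag — `command: mktemp /tmp/openshift-ansible-XXXXXXX.kubeconfig` — creates the file atomically with 0600, and `cp` onto an existing file keeps the destination's mode, so nothing else in the file needs to change. Cleanup is also best-effort: `rm -f {{nuage_tmp_conf}}` is the last task, so a failure in any earlier task leaves the copied admin credential in /tmp; if the Ansible version in use supports `block`/`always`, the removal belongs in an `always:` section, otherwise a comment noting the leftover-on-failure case would help the next maintainer. Minor style: `changed_when: False` on the first task versus `changed_when: false` everywhere else, `{{nuage_tmp_conf}}`/`{{nuage_tasks}}`/`{{item}}` without the inner spaces the other expressions use, and trailing whitespace after `-n default`.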
diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml
index c4c15d65c..d3536eb33 100644
--- a/roles/nuage_master/vars/main.yaml
+++ b/roles/nuage_master/vars/main.yaml
@@ -1,4 +1,7 @@
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
 ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
 admin_config: "{{ openshift.common.config_base }}/master/admin.kubeconfig"
 cert_output_dir: /usr/share/nuage-openshift-monitor
@@ -15,6 +18,17 @@ nuage_ca_master_rest_server_key: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonSe
 nuage_ca_master_rest_server_crt: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.crt"
 nuage_master_crt_dir : /usr/share/nuage-openshift-monitor
+nuage_service_account: system:serviceaccount:default:nuage
+
+nuage_service_account_config:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: nuage 
+
+nuage_tasks:
+    - policy add-cluster-role-to-user cluster-reader {{ nuage_service_account }} 
+
 nuage_master_cspadminpasswd: ''
-nuage_master_adminsusername: 'admin'
+nuage_master_adminusername: 'admin'
 nuage_master_adminuserpasswd: 'admin'
diff --git a/roles/openshift_cluster_metrics/tasks/main.yml b/roles/openshift_cluster_metrics/tasks/main.yml
index d45f62eca..1fc8a074a 100644
--- a/roles/openshift_cluster_metrics/tasks/main.yml
+++ b/roles/openshift_cluster_metrics/tasks/main.yml
@@ -28,7 +28,6 @@
     cluster-reader
     system:serviceaccount:default:heapster
   register: oex_cluster_header_role
-  register: oex_cluster_header_role
   failed_when: "'already exists' not in oex_cluster_header_role.stderr and oex_cluster_header_role.rc != 0"
   changed_when: false |
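Review bot: `openshift_master_ca_cert` added in this hunk resolves to exactly the same path as the existing `ca_cert` two lines below it (`{{ openshift_master_config_dir }}/ca.crt`), so the role now carries two names for one file. Either make the old name an alias of the new one, `ca_cert: "{{ openshift_master_ca_cert }}"`, or drop `ca_cert` if nothing else in the role reads it (its other uses are not visible in this diff).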
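Review bot: The new `nuage_service_account_config` and `nuage_tasks` blocks nest with four spaces where serviceaccount.yml, added in the same commit, nests with two, and two of the added lines (`name: nuage ` and the `nuage_tasks` entry) end in trailing whitespace; the YAML parser strips trailing whitespace from a plain scalar so the values are unaffected, but yamllint flags both and the stray spaces churn future diffs. The deleted script documented why the `cluster-reader` binding exists and that explanation is lost here, so carry it over above `nuage_tasks`, e.g. `# cluster-reader: read access to everything in the cluster except secrets`. `nuage_service_account` is a plain scalar containing colons (`system:serviceaccount:default:nuage`); that parses as a string because no colon is followed by a space, but quoting it would make the intent explicit.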
