summaryrefslogtreecommitdiffstats
path: root/playbooks/common/openshift-cluster/upgrades/upgrade.yml
diff options
context:
space:
mode:
Diffstat (limited to 'playbooks/common/openshift-cluster/upgrades/upgrade.yml')
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade.yml131
1 files changed, 85 insertions, 46 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
index 3ec47d6f3..ba4fc63be 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
@@ -34,7 +34,7 @@
###############################################################################
# Upgrade Masters
###############################################################################
-- name: Upgrade master
+- name: Upgrade master packages
hosts: oo_masters_to_config
handlers:
- include: ../../../../roles/openshift_master/handlers/main.yml
@@ -45,6 +45,28 @@
- include: rpm_upgrade.yml component=master
when: not openshift.common.is_containerized | bool
+- name: Determine if service signer cert must be created
+ hosts: oo_first_master
+ tasks:
+ - name: Determine if service signer certificate must be created
+ stat:
+ path: "{{ openshift.common.config_base }}/master/service-signer.crt"
+ register: service_signer_cert_stat
+ changed_when: false
+
+# Create service signer cert when missing. Service signer certificate
+# is added to master config in the master config hook for v3_3.
+- include: create_service_signer_cert.yml
+ when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
+
+- name: Upgrade master config and systemd units
+ hosts: oo_masters_to_config
+ handlers:
+ - include: ../../../../roles/openshift_master/handlers/main.yml
+ static: yes
+ roles:
+ - openshift_facts
+ tasks:
- include: "{{ master_config_hook }}"
when: master_config_hook is defined
@@ -110,6 +132,52 @@
when: master_update_failed | length > 0
###############################################################################
+# Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
+###############################################################################
+
+- name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
+ hosts: oo_masters_to_config
+ roles:
+ - { role: openshift_cli }
+ vars:
+ origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
+ ent_reconcile_bindings: true
+ openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+ # Similar to pre.yml, we don't want to upgrade docker during the openshift_cli role,
+ # it will be updated when we perform node upgrade.
+ docker_protect_installed_version: True
+ tasks:
+ - name: Verifying the correct commandline tools are available
+ shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
+ when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
+
+ - name: Reconcile Cluster Roles
+ command: >
+ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ policy reconcile-cluster-roles --additive-only=true --confirm
+ run_once: true
+
+ - name: Reconcile Cluster Role Bindings
+ command: >
+ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ policy reconcile-cluster-role-bindings
+ --exclude-groups=system:authenticated
+ --exclude-groups=system:authenticated:oauth
+ --exclude-groups=system:unauthenticated
+ --exclude-users=system:anonymous
+ --additive-only=true --confirm
+ when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
+ run_once: true
+
+ - name: Reconcile Security Context Constraints
+ command: >
+ {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
+ run_once: true
+
+ - set_fact:
+ reconcile_complete: True
+
+###############################################################################
# Upgrade Nodes
###############################################################################
@@ -127,6 +195,18 @@
# TODO: To better handle re-trying failed upgrades, it would be nice to check if the node
# or docker actually needs an upgrade before proceeding. Perhaps best to save this until
# we merge upgrade functionality into the base roles and a normal config.yml playbook run.
+ - name: Determine if node is currently scheduleable
+ command: >
+ {{ openshift.common.client_binary }} get node {{ openshift.common.hostname | lower }} -o json
+ register: node_output
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ changed_when: false
+ when: inventory_hostname in groups.oo_nodes_to_config
+
+ - set_fact:
+ was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}"
+ when: inventory_hostname in groups.oo_nodes_to_config
+
- name: Mark unschedulable if host is a node
command: >
{{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=false
@@ -142,7 +222,7 @@
- include: docker/upgrade.yml
when: l_docker_upgrade is defined and l_docker_upgrade | bool and not openshift.common.is_atomic | bool
- include: "{{ node_config_hook }}"
- when: node_config_hook is defined
+ when: node_config_hook is defined and inventory_hostname in groups.oo_nodes_to_config
- include: rpm_upgrade.yml
vars:
@@ -153,55 +233,14 @@
- include: containerized_node_upgrade.yml
when: inventory_hostname in groups.oo_nodes_to_config and openshift.common.is_containerized | bool
+ - meta: flush_handlers
+
- name: Set node schedulability
command: >
{{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=true
delegate_to: "{{ groups.oo_first_master.0 }}"
- when: inventory_hostname in groups.oo_nodes_to_config and openshift.node.schedulable | bool
-
-
-###############################################################################
-# Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
-###############################################################################
-
-- name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
- hosts: oo_masters_to_config
- roles:
- - { role: openshift_cli }
- vars:
- origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
- ent_reconcile_bindings: true
- openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
- tasks:
- - name: Verifying the correct commandline tools are available
- shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
- when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
-
- - name: Reconcile Cluster Roles
- command: >
- {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-roles --additive-only=true --confirm
- run_once: true
-
- - name: Reconcile Cluster Role Bindings
- command: >
- {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-role-bindings
- --exclude-groups=system:authenticated
- --exclude-groups=system:authenticated:oauth
- --exclude-groups=system:unauthenticated
- --exclude-users=system:anonymous
- --additive-only=true --confirm
- when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
- run_once: true
+ when: inventory_hostname in groups.oo_nodes_to_config and was_schedulable | bool
- - name: Reconcile Security Context Constraints
- command: >
- {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
- run_once: true
-
- - set_fact:
- reconcile_complete: True
##############################################################################
# Gate on reconcile
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-08 05:48:21 +0000