summaryrefslogtreecommitdiffstats
path: root/playbooks/common/openshift-cluster
diff options
context:
space:
mode:
Diffstat (limited to 'playbooks/common/openshift-cluster')
-rw-r--r--playbooks/common/openshift-cluster/additional_config.yml12
-rw-r--r--playbooks/common/openshift-cluster/config.yml22
-rw-r--r--playbooks/common/openshift-cluster/enable_dnsmasq.yml4
-rw-r--r--playbooks/common/openshift-cluster/evaluate_groups.yml2
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml91
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates.yml255
l---------playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j21
-rw-r--r--playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml)4
-rw-r--r--playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml69
l---------playbooks/common/openshift-cluster/upgrades/docker-cluster1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml22
-rw-r--r--playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh8
l---------playbooks/common/openshift-cluster/upgrades/master_docker1
l---------playbooks/common/openshift-cluster/upgrades/native-cluster1
l---------playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service1
l---------playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service1
l---------playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service1
l---------playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j21
-rw-r--r--playbooks/common/openshift-cluster/upgrades/post.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml)13
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml)78
-rw-r--r--playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml)0
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml)204
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j21
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j21
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml50
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml21
37 files changed, 735 insertions, 142 deletions
diff --git a/playbooks/common/openshift-cluster/additional_config.yml b/playbooks/common/openshift-cluster/additional_config.yml
index e9fb3de96..26b31d313 100644
--- a/playbooks/common/openshift-cluster/additional_config.yml
+++ b/playbooks/common/openshift-cluster/additional_config.yml
@@ -1,11 +1,3 @@
-- name: Configure flannel
- hosts: oo_first_master
- vars:
- etcd_urls: "{{ openshift.master.etcd_urls }}"
- roles:
- - role: flannel_register
- when: openshift.common.use_flannel | bool
-
- name: Additional master configuration
hosts: oo_first_master
vars:
@@ -23,8 +15,6 @@
when: openshift.common.use_manageiq | bool
- role: cockpit
when: not openshift.common.is_atomic and ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and
- (osm_use_cockpit | bool or osm_use_cockpit is undefined )
+ (osm_use_cockpit | bool or osm_use_cockpit is undefined ) and ( openshift.common.deployment_subtype != 'registry' )
- role: flannel_register
when: openshift.common.use_flannel | bool
-
-
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 5cf5df08e..d6a99fcda 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -1,14 +1,22 @@
---
- include: evaluate_groups.yml
+ tags:
+ - always
- include: initialize_facts.yml
+ tags:
+ - always
- include: validate_hostnames.yml
+ tags:
+ - node
- include: initialize_openshift_version.yml
- name: Set oo_options
hosts: oo_all_hosts
+ tags:
+ - always
tasks:
- set_fact:
openshift_docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') }}"
@@ -30,15 +38,29 @@
when: openshift_docker_log_options is not defined
- include: ../openshift-etcd/config.yml
+ tags:
+ - etcd
- include: ../openshift-nfs/config.yml
+ tags:
+ - nfs
- include: ../openshift-loadbalancer/config.yml
+ tags:
+ - loadbalancer
- include: ../openshift-master/config.yml
+ tags:
+ - master
- include: additional_config.yml
+ tags:
+ - master
- include: ../openshift-node/config.yml
+ tags:
+ - node
- include: openshift_hosted.yml
+ tags:
+ - hosted
diff --git a/playbooks/common/openshift-cluster/enable_dnsmasq.yml b/playbooks/common/openshift-cluster/enable_dnsmasq.yml
index f2bcc872f..4cfe8617e 100644
--- a/playbooks/common/openshift-cluster/enable_dnsmasq.yml
+++ b/playbooks/common/openshift-cluster/enable_dnsmasq.yml
@@ -8,11 +8,12 @@
post_tasks:
- fail: msg="This playbook requires a master version of at least Origin 1.1 or OSE 3.1"
when: not openshift.common.version_gte_3_1_1_or_1_1_1 | bool
-
+
- name: Reconfigure masters to listen on our new dns_port
hosts: oo_masters_to_config
handlers:
- include: ../../../roles/openshift_master/handlers/main.yml
+ static: yes
vars:
os_firewall_allow:
- service: skydns tcp
@@ -43,6 +44,7 @@
hosts: oo_nodes_to_config
handlers:
- include: ../../../roles/openshift_node/handlers/main.yml
+ static: yes
pre_tasks:
- openshift_facts:
role: "{{ item.role }}"
diff --git a/playbooks/common/openshift-cluster/evaluate_groups.yml b/playbooks/common/openshift-cluster/evaluate_groups.yml
index 3fb42a7fa..b3e02fb97 100644
--- a/playbooks/common/openshift-cluster/evaluate_groups.yml
+++ b/playbooks/common/openshift-cluster/evaluate_groups.yml
@@ -77,7 +77,7 @@
ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
ansible_become: "{{ g_sudo | default(omit) }}"
with_items: "{{ g_master_hosts | default([]) }}"
- when: g_nodeonmaster | default(false) == true and g_new_node_hosts is not defined
+ when: g_nodeonmaster | default(false) | bool and not g_new_node_hosts | default(false) | bool
- name: Evaluate oo_first_etcd
add_host:
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 4d4a09828..4aca4daf4 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -1,5 +1,8 @@
+---
- name: Create persistent volumes
hosts: oo_first_master
+ tags:
+ - hosted
vars:
persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}"
persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}"
@@ -9,6 +12,8 @@
- name: Create Hosted Resources
hosts: oo_first_master
+ tags:
+ - hosted
pre_tasks:
- set_fact:
openshift_hosted_router_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
@@ -36,6 +41,90 @@
openshift_serviceaccounts_sccs:
- privileged
when: not openshift.common.version_gte_3_2_or_1_2
+ - role: openshift_hosted
- role: openshift_metrics
when: openshift.hosted.metrics.deploy | bool
- - role: openshift_hosted
+ - role: cockpit-ui
+ when: openshift.common.deployment_subtype == 'registry'
+
+- name: Configure CA certificate for secure registry
+ hosts: oo_nodes_to_config
+ tags:
+ - hosted
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ when: openshift.common.deployment_subtype == 'registry'
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve docker-registry route
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ --template='{{ '{{' }} .spec.host {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_route
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get service docker-registry
+ --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_service_ip
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Create registry CA directories
+ file:
+ path: "/etc/docker/certs.d/{{ item }}"
+ state: directory
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ - name: Copy CA to registry CA directories
+ copy:
+ src: "{{ openshift.common.config_base }}/node/ca.crt"
+ dest: "/etc/docker/certs.d/{{ item }}"
+ remote_src: yes
+ force: yes
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ notify:
+ - Restart docker
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: False
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ handlers:
+ - name: Restart docker
+ service:
+ name: docker
+ state: restarted
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates.yml b/playbooks/common/openshift-cluster/redeploy-certificates.yml
new file mode 100644
index 000000000..5b72c3450
--- /dev/null
+++ b/playbooks/common/openshift-cluster/redeploy-certificates.yml
@@ -0,0 +1,255 @@
+---
+- include: evaluate_groups.yml
+
+- include: initialize_facts.yml
+
+- include: initialize_openshift_version.yml
+
+- name: Load openshift_facts
+ hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
+ roles:
+ - openshift_facts
+
+- name: Redeploy etcd certificates
+ hosts: oo_etcd_to_config
+ any_errors_fatal: true
+ vars:
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_conf_dir: /etc/etcd
+ etcd_generated_certs_dir: "{{ etcd_conf_dir }}/generated_certs"
+
+ pre_tasks:
+ - stat:
+ path: "{{ etcd_generated_certs_dir }}"
+ register: etcd_generated_certs_dir_stat
+ - name: Backup etcd certificates
+ command: >
+ tar -czvf /etc/etcd/etcd-certificate-backup-{{ ansible_date_time.epoch }}.tgz
+ {{ etcd_conf_dir }}/ca.crt
+ {{ etcd_conf_dir }}/ca
+ {{ etcd_generated_certs_dir }}
+ when: etcd_generated_certs_dir_stat.stat.exists
+ delegate_to: "{{ etcd_ca_host }}"
+ run_once: true
+ - name: Remove existing etcd certificates
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ etcd_conf_dir }}/ca.crt"
+ - "{{ etcd_conf_dir }}/ca"
+ - "{{ etcd_generated_certs_dir }}"
+ roles:
+ - role: openshift_etcd_server_certificates
+ etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ etcd_certificates_redeploy: true
+
+- name: Redeploy master certificates
+ hosts: oo_masters_to_config
+ any_errors_fatal: true
+ vars:
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
+ pre_tasks:
+ # set_fact task copied from playbooks/common/openshift-master/config.yml
+ # so that openshift_master_default_subdomain has a default value of ""
+ # (emptry string). openshift_master_default_subdomain must have a default
+ # value for openshift_master_facts to set metrics_public_url.
+ # TODO: clean this up.
+ - set_fact:
+ openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
+ when: openshift_master_default_subdomain is not defined
+ - stat:
+ path: "{{ openshift_generated_configs_dir }}"
+ register: openshift_generated_configs_dir_stat
+ - name: Backup generated certificate and config directories
+ command: >
+ tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
+ {{ openshift_generated_configs_dir }}
+ {{ openshift.common.config_base }}/master
+ when: openshift_generated_configs_dir_stat.stat.exists
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+ - name: Remove generated certificate directories
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ openshift_generated_configs_dir }}"
+ - name: Remove generated certificates
+ file:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ state: absent
+ with_items:
+ - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false) }}"
+ - "etcd.server.crt"
+ - "etcd.server.key"
+ - "master.etcd-client.crt"
+ - "master.etcd-client.key"
+ - "master.server.crt"
+ - "master.server.key"
+ - "openshift-master.crt"
+ - "openshift-master.key"
+ - "openshift-master.kubeconfig"
+ - name: Remove CA certificate
+ file:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ state: absent
+ when: openshift_certificates_redeploy_ca | default(false) | bool
+ with_items:
+ - "ca.crt"
+ - "ca.key"
+ - "ca.serial.txt"
+ - "ca-bundle.crt"
+ roles:
+ - role: openshift_master_certificates
+ openshift_master_etcd_hosts: "{{ hostvars
+ | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
+ | oo_collect('openshift.common.hostname')
+ | default(none, true) }}"
+ openshift_master_hostnames: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'] | default([]))
+ | oo_collect('openshift.common.all_hostnames')
+ | oo_flatten | unique }}"
+ openshift_certificates_redeploy: true
+ - role: openshift_etcd_client_certificates
+ etcd_certificates_redeploy: true
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+ etcd_cert_prefix: "master.etcd-"
+ when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
+
+- name: Redeploy node certificates
+ hosts: oo_nodes_to_config
+ any_errors_fatal: true
+ pre_tasks:
+ - name: Remove CA certificate
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ openshift.common.config_base }}/node/ca.crt"
+ roles:
+ - role: openshift_node_certificates
+ openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ openshift_certificates_redeploy: true
+
+- name: Restart etcd
+ hosts: oo_etcd_to_config
+ tasks:
+ - name: restart etcd
+ service:
+ name: "{{ 'etcd' if not openshift.common.is_containerized | bool else 'etcd_container' }}"
+ state: restarted
+
+- name: Stop master services
+ hosts: oo_masters_to_config
+ vars:
+ openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+ tasks:
+ - name: stop master
+ service: name={{ openshift.common.service_type }}-master state=stopped
+ when: not openshift_master_ha | bool
+ - name: stop master api
+ service: name={{ openshift.common.service_type }}-master-api state=stopped
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+ - name: stop master controllers
+ service: name={{ openshift.common.service_type }}-master-controllers state=stopped
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+
+- name: Start master services
+ hosts: oo_masters_to_config
+ serial: 1
+ vars:
+ openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+ tasks:
+ - name: start master
+ service: name={{ openshift.common.service_type }}-master state=started
+ when: not openshift_master_ha | bool
+ - name: start master api
+ service: name={{ openshift.common.service_type }}-master-api state=started
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+ - name: start master controllers
+ service: name={{ openshift.common.service_type }}-master-controllers state=started
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+
+- name: Restart masters (pacemaker)
+ hosts: oo_first_master
+ vars:
+ openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+ tasks:
+ - name: restart master
+ command: pcs resource restart master
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'pacemaker'
+
+- name: Restart nodes
+ hosts: oo_nodes_to_config
+ tasks:
+ - name: restart node
+ service: name={{ openshift.common.service_type }}-node state=restarted
+
+- name: Copy admin client config(s)
+ hosts: oo_first_master
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+
+ - name: Copy admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+ changed_when: False
+
+- name: Serially evacuate all nodes to trigger redeployments
+ hosts: oo_nodes_to_config
+ serial: 1
+ any_errors_fatal: true
+ tasks:
+ - name: Determine if node is currently scheduleable
+ command: >
+ {{ openshift.common.client_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ get node {{ openshift.common.hostname | lower }} -o json
+ register: node_output
+ when: openshift_certificates_redeploy_ca | default(false) | bool
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ changed_when: false
+
+ - set_fact:
+ was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool
+
+ - name: Prepare for node evacuation
+ command: >
+ {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ manage-node {{ openshift.common.hostname | lower }}
+ --schedulable=false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
+
+ - name: Evacuate node
+ command: >
+ {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ manage-node {{ openshift.common.hostname | lower }}
+ --evacuate --force
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
+
+ - name: Set node schedulability
+ command: >
+ {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ manage-node {{ openshift.common.hostname | lower }} --schedulable=true
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
+
+- name: Delete temporary directory
+ hosts: oo_first_master
+ tasks:
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
diff --git a/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2 b/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2
new file mode 120000
index 000000000..2441f8887
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/atomic-openshift-master.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml
index 60ea84f8e..32a3636aa 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml
@@ -1,7 +1,7 @@
-- include_vars: ../../../../../roles/openshift_node/vars/main.yml
+- include_vars: ../../../../roles/openshift_node/vars/main.yml
- name: Update systemd units
- include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version={{ openshift_image_tag }}
+ include: ../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version={{ openshift_image_tag }}
- name: Verifying the correct version was configured
shell: grep {{ verify_upgrade_version }} {{ item }}
diff --git a/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
new file mode 100644
index 000000000..e8a20aa2b
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
@@ -0,0 +1,69 @@
+---
+- name: Create local temp directory for syncing certs
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: local_cert_sync_tmpdir
+ changed_when: false
+
+- name: Create service signer certificate
+ hosts: oo_first_master
+ tasks:
+ - name: Create remote temp directory for creating certs
+ command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: remote_cert_create_tmpdir
+ changed_when: false
+
+ - name: Create service signer certificate
+ command: >
+ {{ openshift.common.admin_binary }} ca create-signer-cert
+ --cert=service-signer.crt
+ --key=service-signer.key
+ --name=openshift-service-serving-signer
+ --serial=service-signer.serial.txt
+ args:
+ chdir: "{{ remote_cert_create_tmpdir.stdout }}/"
+
+ - name: Retrieve service signer certificate
+ fetch:
+ src: "{{ remote_cert_create_tmpdir.stdout }}/{{ item }}"
+ dest: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ with_items:
+ - "service-signer.crt"
+ - "service-signer.key"
+
+ - name: Delete remote temp directory
+ file:
+ name: "{{ remote_cert_create_tmpdir.stdout }}"
+ state: absent
+ changed_when: false
+
+- name: Deploy service signer certificate
+ hosts: oo_masters_to_config
+ tasks:
+ - name: Deploy service signer certificate
+ copy:
+ src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item }}"
+ dest: "{{ openshift.common.config_base }}/master/"
+ with_items:
+ - "service-signer.crt"
+ - "service-signer.key"
+
+- name: Delete local temp directory
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - name: Delete local temp directory
+ file:
+ name: "{{ local_cert_sync_tmpdir.stdout }}"
+ state: absent
+ changed_when: false
diff --git a/playbooks/common/openshift-cluster/upgrades/docker-cluster b/playbooks/common/openshift-cluster/upgrades/docker-cluster
new file mode 120000
index 000000000..055ad09fc
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/docker-cluster
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/docker-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
index 20d66522f..417096dd0 100644
--- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
@@ -13,14 +13,36 @@
failed_when: false
when: openshift.common.is_containerized | bool
+- name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+
+- debug: var=docker_image_count.stdout
+
- name: Remove all containers and images
script: nuke_images.sh docker
register: nuke_images_result
when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+- name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+- debug: var=docker_image_count.stdout
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+- service: name=docker state=stopped
+
- name: Upgrade Docker
action: "{{ ansible_pkg_mgr }} name=docker{{ '-' + docker_version }} state=present"
+- service: name=docker state=started
+
+- name: Update docker facts
+ openshift_facts:
+ role: docker
+
- name: Restart containerized services
service: name={{ item }} state=started
with_items:
diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml
index 06b3e244f..8002af4fc 100644
--- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml
+++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml
@@ -28,7 +28,7 @@
- fail:
msg: This playbook requires access to Docker 1.10 or later
# Disable the 1.10 requirement if the user set a specific Docker version
- when: avail_docker_version.stdout | version_compare('1.10','<') and docker_version is not defined
+ when: docker_version is not defined and (docker_upgrade is not defined or docker_upgrade | bool == True) and (avail_docker_version.stdout == "" or avail_docker_version.stdout | version_compare('1.10','<'))
# Default l_docker_upgrade to False, we'll set to True if an upgrade is required:
- set_fact:
diff --git a/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh b/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh
index 6b155f7fa..8635eab0d 100644
--- a/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh
+++ b/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh
@@ -15,9 +15,11 @@ then
fi
# Delete all images (forcefully)
-image_ids=`docker images -q`
+image_ids=`docker images -aq`
if test -n "$image_ids"
then
- # Taken from: https://gist.github.com/brianclements/f72b2de8e307c7b56689#gistcomment-1443144
- docker rmi $(docker images | grep "$2/\|/$2 \| $2 \|$2 \|$2-\|$2_" | awk '{print $1 ":" $2}') 2>/dev/null || echo "No images matching \"$2\" left to purge."
+ # Some layers are deleted recursively and are no longer present
+ # when docker goes to remove them:
+ docker rmi -f `docker images -aq` || true
fi
+
diff --git a/playbooks/common/openshift-cluster/upgrades/master_docker b/playbooks/common/openshift-cluster/upgrades/master_docker
new file mode 120000
index 000000000..6aeca2842
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/master_docker
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/master_docker \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/native-cluster b/playbooks/common/openshift-cluster/upgrades/native-cluster
new file mode 120000
index 000000000..4af88e666
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/native-cluster
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/native-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service
new file mode 120000
index 000000000..add8b7fa9
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openshift.docker.node.dep.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service
new file mode 120000
index 000000000..ed181633d
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openshift.docker.node.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service b/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service
new file mode 120000
index 000000000..c21e895f2
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openvswitch.docker.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2 b/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2
new file mode 120000
index 000000000..ead6904c4
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openvswitch.sysconfig.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml b/playbooks/common/openshift-cluster/upgrades/post.yml
index ccf9514f1..e43954453 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post.yml
@@ -57,3 +57,16 @@
'{"spec":{"template":{"spec":{"containers":[{"name":"registry","image":"{{ registry_image }}"}]}}}}'
--api-version=v1
+# Check for warnings to be printed at the end of the upgrade:
+- name: Check for warnings
+ hosts: oo_masters_to_config
+ tasks:
+ # Check if any masters are using pluginOrderOverride and warn if so, only for 1.3/3.3 and beyond:
+ - command: >
+ grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml
+ register: grep_plugin_order_override
+ when: openshift.common.version_gte_3_3_or_1_3 | bool
+ failed_when: false
+ - name: Warn if pluginOrderOverride is in use in master-config.yaml
+ debug: msg="WARNING pluginOrderOverride is being deprecated in master-config.yaml, please see https://docs.openshift.com/enterprise/latest/architecture/additional_concepts/admission_controllers.html for more information."
+ when: not grep_plugin_order_override | skipped and grep_plugin_order_override.rc == 0
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml b/playbooks/common/openshift-cluster/upgrades/pre.yml
index a32123952..42a24eaf8 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre.yml
@@ -3,7 +3,7 @@
# Evaluate host groups and gather facts
###############################################################################
-- include: ../../initialize_facts.yml
+- include: ../initialize_facts.yml
- name: Update repos and initialize facts on all hosts
hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config:oo_lb_to_config
@@ -39,7 +39,6 @@
- name: Verify upgrade can proceed on first master
hosts: oo_first_master
vars:
- target_version: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
g_pacemaker_upgrade_url_segment: "{{ 'org/latest' if deployment_type =='origin' else '.com/enterprise/3.1' }}"
gather_facts: no
tasks:
@@ -63,14 +62,14 @@
- fail:
msg: >
openshift_pkg_version is {{ openshift_pkg_version }} which is not a
- valid version for a {{ target_version }} upgrade
- when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(target_version ,'<')
+ valid version for a {{ openshift_upgrade_target }} upgrade
+ when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(openshift_upgrade_target ,'<')
- fail:
msg: >
openshift_image_tag is {{ openshift_image_tag }} which is not a
- valid version for a {{ target_version }} upgrade
- when: openshift_image_tag is defined and openshift_image_tag.split('v',1).1 | version_compare(target_version ,'<')
+ valid version for a {{ openshift_upgrade_target }} upgrade
+ when: openshift_image_tag is defined and openshift_image_tag.split('v',1).1 | version_compare(openshift_upgrade_target ,'<')
- set_fact:
openshift_release: "{{ openshift_release[1:] }}"
@@ -79,15 +78,15 @@
- fail:
msg: >
openshift_release is {{ openshift_release }} which is not a
- valid release for a {{ target_version }} upgrade
- when: openshift_release is defined and not openshift_release | version_compare(target_version ,'=')
+ valid release for a {{ openshift_upgrade_target }} upgrade
+ when: openshift_release is defined and not openshift_release | version_compare(openshift_upgrade_target ,'=')
-- include: ../../../../common/openshift-cluster/initialize_openshift_version.yml
+- include: ../../../common/openshift-cluster/initialize_openshift_version.yml
vars:
- # Request openshift_release 3.2 and let the openshift_version role handle converting this
+ # Request specific openshift_release and let the openshift_version role handle converting this
# to a more specific version, respecting openshift_image_tag and openshift_pkg_version if
# defined, and overriding the normal behavior of protecting the installed version
- openshift_release: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
+ openshift_release: "{{ openshift_upgrade_target }}"
openshift_protect_installed_version: False
# Docker role (a dependency) should be told not to do anything to installed version
# of docker, we handle this separately during upgrade. (the inventory may have a
@@ -141,7 +140,6 @@
- name: Verify upgrade targets
hosts: oo_masters_to_config:oo_nodes_to_config
vars:
- target_version: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
pre_tasks:
- fail:
@@ -175,48 +173,24 @@
register: avail_openshift_version
when: not openshift.common.is_containerized | bool
- - name: Verify OpenShift 3.2 RPMs are available for upgrade
+ - name: Verify OpenShift RPMs are available for upgrade
fail:
- msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but 3.2 or greater is required"
- when: deployment_type != 'origin' and not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<')
-
- - name: Verify Origin 1.2 RPMs are available for upgrade
- fail:
- msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but 1.2 or greater is required"
- when: deployment_type == 'origin' and not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<')
-
- # TODO: Are these two grep checks necessary anymore?
- # Note: the version number is hardcoded here in hopes of catching potential
- # bugs in how g_aos_versions.curr_version is set
- - name: Verifying the correct version is installed for upgrade
- shell: grep 3.1.1.6 {{ item }}
- with_items:
- - /etc/sysconfig/openvswitch
- - /etc/sysconfig/{{ openshift.common.service_type }}*
- when: verify_upgrade_version is defined
-
- - name: Verifying the image version is used in the systemd unit
- shell: grep IMAGE_VERSION {{ item }}
- with_items:
- - /etc/systemd/system/openvswitch.service
- - /etc/systemd/system/{{ openshift.common.service_type }}*.service
- when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
-
- - fail:
- msg: This upgrade playbook must be run on Origin 1.1 or later
- when: deployment_type == 'origin' and openshift.common.version | version_compare('1.1','<')
+ msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but {{ openshift_upgrade_target }} or greater is required"
+ when: not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<')
- fail:
- msg: This upgrade playbook must be run on OpenShift Enterprise 3.1 or later
- when: deployment_type == 'atomic-openshift' and openshift.common.version | version_compare('3.1','<')
+ msg: "This upgrade playbook must be run against OpenShift {{ openshift_upgrade_min }} or later"
+ when: deployment_type == 'origin' and openshift.common.version | version_compare(openshift_upgrade_min,'<')
- name: Verify docker upgrade targets
hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config
tasks:
- - name: Determine available Docker
- script: ../files/rpm_versions.sh docker
- register: g_docker_version_result
- when: not openshift.common.is_atomic | bool
+ # Only check if docker upgrade is required if docker_upgrade is not
+ # already set to False.
+ - include: docker/upgrade_check.yml
+ when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool
+
+ # Additional checks for Atomic hosts:
- name: Determine available Docker
shell: "rpm -q --queryformat '---\ncurr_version: %{VERSION}\navail_version: \n' docker"
@@ -224,18 +198,12 @@
when: openshift.common.is_atomic | bool
- set_fact:
- g_docker_version: "{{ g_docker_version_result.stdout | from_yaml }}"
- when: not openshift.common.is_atomic | bool
-
- - set_fact:
- g_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}"
+ l_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}"
when: openshift.common.is_atomic | bool
- fail:
msg: This playbook requires access to Docker 1.10 or later
- when: g_docker_version.avail_version | default(g_docker_version.curr_version, true) | version_compare('1.10','<')
-
- # TODO: add check to upgrade ostree to get latest Docker
+ when: openshift.common.is_atomic | bool and l_docker_version.avail_version | default(l_docker_version.curr_version, true) | version_compare('1.10','<')
- set_fact:
pre_upgrade_complete: True
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
index f5e4d807e..f5e4d807e 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
index 59cedc839..ba4fc63be 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
@@ -3,23 +3,77 @@
# The restart playbook should be run after this playbook completes.
###############################################################################
+# Separate step so we can execute in parallel and clear out anything unused
+# before we get into the serialized upgrade process which will then remove
+# remaining images if possible.
+- name: Cleanup unused Docker images
+ hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config
+ tasks:
+ - name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - debug: var=docker_image_count.stdout
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - name: Remove unused Docker images for Docker 1.10+ migration
+ shell: "docker rmi `docker images -aq`"
+ # Will fail on images still in use:
+ failed_when: false
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - debug: var=docker_image_count.stdout
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
###############################################################################
# Upgrade Masters
###############################################################################
-- name: Upgrade master
+- name: Upgrade master packages
hosts: oo_masters_to_config
handlers:
- - include: ../../../../../roles/openshift_master/handlers/main.yml
+ - include: ../../../../roles/openshift_master/handlers/main.yml
+ static: yes
roles:
- openshift_facts
tasks:
- include: rpm_upgrade.yml component=master
when: not openshift.common.is_containerized | bool
- - include_vars: ../../../../../roles/openshift_master/vars/main.yml
+- name: Determine if service signer cert must be created
+ hosts: oo_first_master
+ tasks:
+ - name: Determine if service signer certificate must be created
+ stat:
+ path: "{{ openshift.common.config_base }}/master/service-signer.crt"
+ register: service_signer_cert_stat
+ changed_when: false
+
+# Create service signer cert when missing. Service signer certificate
+# is added to master config in the master config hook for v3_3.
+- include: create_service_signer_cert.yml
+ when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
+
+- name: Upgrade master config and systemd units
+ hosts: oo_masters_to_config
+ handlers:
+ - include: ../../../../roles/openshift_master/handlers/main.yml
+ static: yes
+ roles:
+ - openshift_facts
+ tasks:
+ - include: "{{ master_config_hook }}"
+ when: master_config_hook is defined
+
+ - include_vars: ../../../../roles/openshift_master/vars/main.yml
- name: Update systemd units
- include: ../../../../../roles/openshift_master/tasks/systemd_units.yml
+ include: ../../../../roles/openshift_master/tasks/systemd_units.yml
# - name: Upgrade master configuration
# openshift_upgrade_config:
@@ -28,6 +82,31 @@
# role: master
# config_base: "{{ hostvars[inventory_hostname].openshift.common.config_base }}"
+ - name: Check for ca-bundle.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ register: ca_bundle_stat
+ failed_when: false
+
+ - name: Check for ca.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ register: ca_crt_stat
+ failed_when: false
+
+ - name: Migrate ca.crt to ca-bundle.crt
+ command: mv ca.crt ca-bundle.crt
+ args:
+ chdir: "{{ openshift.common.config_base }}/master"
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+ - name: Link ca.crt to ca-bundle.crt
+ file:
+ src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ state: link
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
- name: Set master update status to complete
hosts: oo_masters_to_config
tasks:
@@ -53,6 +132,52 @@
when: master_update_failed | length > 0
###############################################################################
+# Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
+###############################################################################
+
+- name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
+ hosts: oo_masters_to_config
+ roles:
+ - { role: openshift_cli }
+ vars:
+ origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
+ ent_reconcile_bindings: true
+ openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+ # Similar to pre.yml, we don't want to upgrade docker during the openshift_cli role,
+ # it will be updated when we perform node upgrade.
+ docker_protect_installed_version: True
+ tasks:
+ - name: Verifying the correct commandline tools are available
+ shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
+ when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
+
+ - name: Reconcile Cluster Roles
+ command: >
+ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ policy reconcile-cluster-roles --additive-only=true --confirm
+ run_once: true
+
+ - name: Reconcile Cluster Role Bindings
+ command: >
+ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ policy reconcile-cluster-role-bindings
+ --exclude-groups=system:authenticated
+ --exclude-groups=system:authenticated:oauth
+ --exclude-groups=system:unauthenticated
+ --exclude-users=system:anonymous
+ --additive-only=true --confirm
+ when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
+ run_once: true
+
+ - name: Reconcile Security Context Constraints
+ command: >
+ {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
+ run_once: true
+
+ - set_fact:
+ reconcile_complete: True
+
+###############################################################################
# Upgrade Nodes
###############################################################################
@@ -64,11 +189,24 @@
roles:
- openshift_facts
handlers:
- - include: ../../../../../roles/openshift_node/handlers/main.yml
+ - include: ../../../../roles/openshift_node/handlers/main.yml
+ static: yes
tasks:
# TODO: To better handle re-trying failed upgrades, it would be nice to check if the node
# or docker actually needs an upgrade before proceeding. Perhaps best to save this until
# we merge upgrade functionality into the base roles and a normal config.yml playbook run.
+ - name: Determine if node is currently scheduleable
+ command: >
+ {{ openshift.common.client_binary }} get node {{ openshift.common.hostname | lower }} -o json
+ register: node_output
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ changed_when: false
+ when: inventory_hostname in groups.oo_nodes_to_config
+
+ - set_fact:
+ was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}"
+ when: inventory_hostname in groups.oo_nodes_to_config
+
- name: Mark unschedulable if host is a node
command: >
{{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=false
@@ -81,13 +219,10 @@
delegate_to: "{{ groups.oo_first_master.0 }}"
when: inventory_hostname in groups.oo_nodes_to_config
- # Only check if docker upgrade is required if docker_upgrade is not
- # already set to False.
- - include: ../docker/upgrade_check.yml
- when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool
-
- - include: ../docker/upgrade.yml
+ - include: docker/upgrade.yml
when: l_docker_upgrade is defined and l_docker_upgrade | bool and not openshift.common.is_atomic | bool
+ - include: "{{ node_config_hook }}"
+ when: node_config_hook is defined and inventory_hostname in groups.oo_nodes_to_config
- include: rpm_upgrade.yml
vars:
@@ -98,55 +233,14 @@
- include: containerized_node_upgrade.yml
when: inventory_hostname in groups.oo_nodes_to_config and openshift.common.is_containerized | bool
+ - meta: flush_handlers
+
- name: Set node schedulability
command: >
{{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=true
delegate_to: "{{ groups.oo_first_master.0 }}"
- when: inventory_hostname in groups.oo_nodes_to_config and openshift.node.schedulable | bool
-
+ when: inventory_hostname in groups.oo_nodes_to_config and was_schedulable | bool
-###############################################################################
-# Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
-###############################################################################
-
-- name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
- hosts: oo_masters_to_config
- roles:
- - { role: openshift_cli }
- vars:
- origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
- ent_reconcile_bindings: true
- openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
- tasks:
- - name: Verifying the correct commandline tools are available
- shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
- when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
-
- - name: Reconcile Cluster Roles
- command: >
- {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-roles --additive-only=true --confirm
- run_once: true
-
- - name: Reconcile Cluster Role Bindings
- command: >
- {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-role-bindings
- --exclude-groups=system:authenticated
- --exclude-groups=system:authenticated:oauth
- --exclude-groups=system:unauthenticated
- --exclude-users=system:anonymous
- --additive-only=true --confirm
- when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
- run_once: true
-
- - name: Reconcile Security Context Constraints
- command: >
- {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
- run_once: true
-
- - set_fact:
- reconcile_complete: True
##############################################################################
# Gate on reconcile
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2 b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2
deleted file mode 120000
index cf20e8959..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/atomic-openshift-master.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker
deleted file mode 120000
index 5a3dd12b3..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/docker \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster
deleted file mode 120000
index 3ee319365..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/docker-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins
deleted file mode 120000
index 27ddaa18b..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../filter_plugins \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library
deleted file mode 120000
index 53bed9684..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library
+++ /dev/null
@@ -1 +0,0 @@
-../library \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins
deleted file mode 120000
index cf407f69b..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../lookup_plugins \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster
deleted file mode 120000
index f44f8eb4f..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/native-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service
deleted file mode 120000
index b384a3f4d..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openshift.docker.node.dep.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service
deleted file mode 120000
index a2f140144..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openshift.docker.node.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service
deleted file mode 120000
index 61946ff91..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openvswitch.docker.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2 b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2
deleted file mode 120000
index 3adc56e4e..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openvswitch.sysconfig.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles
deleted file mode 120000
index 6bc1a7aef..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
new file mode 100644
index 000000000..684eea343
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
@@ -0,0 +1,50 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.acceptContentTypes'
+ yaml_value: 'application/vnd.kubernetes.protobuf,application/json'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.contentType'
+ yaml_value: 'application/vnd.kubernetes.protobuf'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.burst'
+ yaml_value: 400
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.qps'
+ yaml_value: 200
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.acceptContentTypes'
+ yaml_value: 'application/vnd.kubernetes.protobuf,application/json'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.contentType'
+ yaml_value: 'application/vnd.kubernetes.protobuf'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.burst'
+ yaml_value: 600
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.qps'
+ yaml_value: 300
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.servicesServingCert.signer.certFile'
+ yaml_value: service-signer.crt
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile'
+ yaml_value: service-signer.key
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml
new file mode 100644
index 000000000..8f64636ae
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml
@@ -0,0 +1,21 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.acceptContentTypes'
+ yaml_value: 'application/vnd.kubernetes.protobuf,application/json'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.contentType'
+ yaml_value: 'application/vnd.kubernetes.protobuf'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.burst'
+ yaml_value: 40
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.qps'
+ yaml_value: 20
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-30 17:51:57 +0000