summaryrefslogtreecommitdiffstats
path: root/playbooks
diff options
context:
space:
mode:
Diffstat (limited to 'playbooks')
-rw-r--r--playbooks/adhoc/openshift_hosted_logging_efk.yaml2
-rw-r--r--playbooks/adhoc/s3_registry/s3_registry.yml13
-rw-r--r--playbooks/adhoc/uninstall.yml26
-rw-r--r--playbooks/byo/openshift-preflight/check.yml39
-rw-r--r--playbooks/certificate_expiry/default.yaml10
-rw-r--r--playbooks/certificate_expiry/easy-mode.yaml18
-rw-r--r--playbooks/certificate_expiry/html_and_json_default_paths.yaml12
-rw-r--r--playbooks/certificate_expiry/longer-warning-period-json-results.yaml13
-rw-r--r--playbooks/certificate_expiry/longer_warning_period.yaml12
l---------playbooks/certificate_expiry/roles1
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml26
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/ca.yml21
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/masters.yml8
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/registry.yml20
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates/router.yml12
-rw-r--r--playbooks/common/openshift-cluster/upgrades/etcd/backup.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml10
17 files changed, 185 insertions, 60 deletions
diff --git a/playbooks/adhoc/openshift_hosted_logging_efk.yaml b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
index e83351272..44a2ef534 100644
--- a/playbooks/adhoc/openshift_hosted_logging_efk.yaml
+++ b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
@@ -8,7 +8,7 @@
hosts: masters:!masters[0]
pre_tasks:
- set_fact:
- logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
+ openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
tasks:
- include_role:
name: openshift_logging
diff --git a/playbooks/adhoc/s3_registry/s3_registry.yml b/playbooks/adhoc/s3_registry/s3_registry.yml
index 2c79a1b4d..d6758dae5 100644
--- a/playbooks/adhoc/s3_registry/s3_registry.yml
+++ b/playbooks/adhoc/s3_registry/s3_registry.yml
@@ -51,13 +51,16 @@
command: oc secrets new dockerregistry /root/config.yml
when: "'dockerregistry' not in secrets.stdout"
- - name: Determine if service account contains secrets
- command: oc describe serviceaccount/registry
- register: serviceaccount
+ - name: Load lib_openshift modules
+ include_role:
+ name: lib_openshift
- name: Add secrets to registry service account
- command: oc secrets add serviceaccount/registry secrets/dockerregistry
- when: "'dockerregistry' not in serviceaccount.stdout"
+ oc_serviceaccount_secret:
+ service_account: registry
+ secret: dockerregistry
+ namespace: default
+ state: present
- name: Determine if deployment config contains secrets
command: oc volume dc/docker-registry --list
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index f0cfa7f55..147e84131 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -148,6 +148,29 @@
- vovsbr
when: "{{ openshift_remove_all | default(true) | bool }}"
+ - shell: atomic uninstall "{{ item }}"-master
+ changed_when: False
+ failed_when: False
+ with_items:
+ - openshift-enterprise
+ - atomic-enterprise
+ - origin
+
+ - shell: atomic uninstall "{{ item }}"-node
+ changed_when: False
+ failed_when: False
+ with_items:
+ - openshift-enterprise
+ - atomic-enterprise
+ - origin
+
+ - shell: atomic uninstall "{{ item }}"
+ changed_when: False
+ failed_when: False
+ with_items:
+ - etcd
+ - openvswitch
+
- shell: find /var/lib/origin/openshift.local.volumes -type d -exec umount {} \; 2>/dev/null || true
changed_when: False
@@ -263,6 +286,9 @@
- /var/lib/atomic-enterprise
- /var/lib/openshift
+ - shell: systemctl daemon-reload
+ changed_when: False
+
- name: restart docker
service: name=docker state=restarted
diff --git a/playbooks/byo/openshift-preflight/check.yml b/playbooks/byo/openshift-preflight/check.yml
index 32673d01d..c5f05d0f0 100644
--- a/playbooks/byo/openshift-preflight/check.yml
+++ b/playbooks/byo/openshift-preflight/check.yml
@@ -1,31 +1,12 @@
---
- hosts: OSEv3
- roles:
- - openshift_preflight/init
-
-- hosts: OSEv3
- name: checks that apply to all hosts
- gather_facts: no
- ignore_errors: yes
- roles:
- - openshift_preflight/common
-
-- hosts: masters
- name: checks that apply to masters
- gather_facts: no
- ignore_errors: yes
- roles:
- - openshift_preflight/masters
-
-- hosts: nodes
- name: checks that apply to nodes
- gather_facts: no
- ignore_errors: yes
- roles:
- - openshift_preflight/nodes
-
-- hosts: OSEv3
- name: verify check results
- gather_facts: no
- roles:
- - openshift_preflight/verify_status
+ name: run OpenShift health checks
+ roles:
+ - openshift_health_checker
+ post_tasks:
+ # NOTE: we need to use the old "action: name" syntax until
+ # https://github.com/ansible/ansible/issues/20513 is fixed.
+ - action: openshift_health_check
+ args:
+ checks:
+ - '@preflight'
diff --git a/playbooks/certificate_expiry/default.yaml b/playbooks/certificate_expiry/default.yaml
new file mode 100644
index 000000000..630135cae
--- /dev/null
+++ b/playbooks/certificate_expiry/default.yaml
@@ -0,0 +1,10 @@
+---
+# Default behavior, you will need to ensure you run ansible with the
+# -v option to see report results:
+
+- name: Check cert expirys
+ hosts: nodes:masters:etcd
+ become: yes
+ gather_facts: no
+ roles:
+ - role: openshift_certificate_expiry
diff --git a/playbooks/certificate_expiry/easy-mode.yaml b/playbooks/certificate_expiry/easy-mode.yaml
new file mode 100644
index 000000000..ae41c7c14
--- /dev/null
+++ b/playbooks/certificate_expiry/easy-mode.yaml
@@ -0,0 +1,18 @@
+---
+# This example playbook is great if you're just wanting to try the
+# role out.
+#
+# This example enables HTML and JSON reports
+#
+# All certificates (healthy or not) are included in the results
+
+- name: Check cert expirys
+ hosts: nodes:masters:etcd
+ become: yes
+ gather_facts: no
+ vars:
+ openshift_certificate_expiry_save_json_results: yes
+ openshift_certificate_expiry_generate_html_report: yes
+ openshift_certificate_expiry_show_all: yes
+ roles:
+ - role: openshift_certificate_expiry
diff --git a/playbooks/certificate_expiry/html_and_json_default_paths.yaml b/playbooks/certificate_expiry/html_and_json_default_paths.yaml
new file mode 100644
index 000000000..d80cb6ff4
--- /dev/null
+++ b/playbooks/certificate_expiry/html_and_json_default_paths.yaml
@@ -0,0 +1,12 @@
+---
+# Generate HTML and JSON artifacts in their default paths:
+
+- name: Check cert expirys
+ hosts: nodes:masters:etcd
+ become: yes
+ gather_facts: no
+ vars:
+ openshift_certificate_expiry_generate_html_report: yes
+ openshift_certificate_expiry_save_json_results: yes
+ roles:
+ - role: openshift_certificate_expiry
diff --git a/playbooks/certificate_expiry/longer-warning-period-json-results.yaml b/playbooks/certificate_expiry/longer-warning-period-json-results.yaml
new file mode 100644
index 000000000..87a0f3be4
--- /dev/null
+++ b/playbooks/certificate_expiry/longer-warning-period-json-results.yaml
@@ -0,0 +1,13 @@
+---
+# Change the expiration warning window to 1500 days (good for testing
+# the module out) and save the results as a JSON file:
+
+- name: Check cert expirys
+ hosts: nodes:masters:etcd
+ become: yes
+ gather_facts: no
+ vars:
+ openshift_certificate_expiry_warning_days: 1500
+ openshift_certificate_expiry_save_json_results: yes
+ roles:
+ - role: openshift_certificate_expiry
diff --git a/playbooks/certificate_expiry/longer_warning_period.yaml b/playbooks/certificate_expiry/longer_warning_period.yaml
new file mode 100644
index 000000000..960457c4b
--- /dev/null
+++ b/playbooks/certificate_expiry/longer_warning_period.yaml
@@ -0,0 +1,12 @@
+---
+# Change the expiration warning window to 1500 days (good for testing
+# the module out):
+
+- name: Check cert expirys
+ hosts: nodes:masters:etcd
+ become: yes
+ gather_facts: no
+ vars:
+ openshift_certificate_expiry_warning_days: 1500
+ roles:
+ - role: openshift_certificate_expiry
diff --git a/playbooks/certificate_expiry/roles b/playbooks/certificate_expiry/roles
new file mode 120000
index 000000000..b741aa3db
--- /dev/null
+++ b/playbooks/certificate_expiry/roles
@@ -0,0 +1 @@
+../../roles \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 7b58eebc3..06cda36a5 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -31,17 +31,17 @@
when: openshift_hosted_metrics_deploy | default(false) | bool
- role: openshift_logging
when: openshift_hosted_logging_deploy | default(false) | bool
- openshift_logging_kibana_hostname: "{{ logging_hostname }}"
- openshift_logging_kibana_ops_hostname: "{{ logging_ops_hostname }}"
- openshift_logging_master_public_url: "{{ logging_master_public_url }}"
- openshift_logging_es_cluster_size: "{{ logging_elasticsearch_cluster_size }}"
- openshift_logging_es_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
- openshift_logging_es_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}"
- openshift_logging_es_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
- openshift_logging_es_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}"
- openshift_logging_es_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
- openshift_logging_es_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}"
- openshift_logging_es_ops_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) =='dynamic' else '' }}"
+ openshift_hosted_logging_hostname: "{{ logging_hostname }}"
+ openshift_hosted_logging_ops_hostname: "{{ logging_ops_hostname }}"
+ openshift_hosted_logging_master_public_url: "{{ logging_master_public_url }}"
+ openshift_hosted_logging_elasticsearch_cluster_size: "{{ logging_elasticsearch_cluster_size }}"
+ openshift_hosted_logging_elasticsearch_pvc_dynamic: "{{ 'true' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
+ openshift_hosted_logging_elasticsearch_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs'] else '' }}"
+ openshift_hosted_logging_elasticsearch_pvc_prefix: "{{ 'logging-es' if openshift_hosted_logging_storage_kind | default(none) == 'dynamic' else '' }}"
+ openshift_hosted_logging_elasticsearch_ops_cluster_size: "{{ logging_elasticsearch_ops_cluster_size }}"
+ openshift_hosted_logging_elasticsearch_ops_pvc_dynamic: "{{ 'true' if openshift_hosted_loggingops_storage_kind | default(none) == 'dynamic' else '' }}"
+ openshift_hosted_logging_elasticsearch_ops_pvc_size: "{{ openshift.hosted.logging.storage.volume.size if openshift_hosted_logging_storage_kind | default(none) in ['dynamic','nfs' ] else '' }}"
+ openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es-ops' if openshift_hosted_loggingops_storage_kind | default(none) =='dynamic' else '' }}"
- role: cockpit-ui
when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool ) and not (openshift.docker.hosted_registry_insecure | default(false) | bool)
@@ -52,11 +52,11 @@
- hosted
pre_tasks:
- set_fact:
- logging_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
+ openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
tasks:
- block:
- include_role:
- name: openshift_hosted_logging
+ name: openshift_logging
tasks_from: update_master_config
when: openshift_hosted_logging_deploy | default(false) | bool
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
index 0b1c39ba4..9d4d3ea26 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/ca.yml
@@ -160,6 +160,27 @@
yaml_key: servingInfo.clientCA
yaml_value: ca-bundle.crt
when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca-bundle.crt'
+ - modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: etcdClientInfo.ca
+ yaml_value: ca-bundle.crt
+ when:
+ - groups.oo_etcd_to_config | default([]) | length == 0
+ - (g_master_config_output.content|b64decode|from_yaml).etcdClientInfo.ca != 'ca-bundle.crt'
+ - modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: etcdConfig.peerServingInfo.clientCA
+ yaml_value: ca-bundle.crt
+ when:
+ - groups.oo_etcd_to_config | default([]) | length == 0
+ - (g_master_config_output.content|b64decode|from_yaml).etcdConfig.peerServingInfo.clientCA != 'ca-bundle.crt'
+ - modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: etcdConfig.servingInfo.clientCA
+ yaml_value: ca-bundle.crt
+ when:
+ - groups.oo_etcd_to_config | default([]) | length == 0
+ - (g_master_config_output.content|b64decode|from_yaml).etcdConfig.servingInfo.clientCA != 'ca-bundle.crt'
- name: Copy current OpenShift CA to legacy directory
hosts: oo_masters_to_config
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml b/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
index f653a111f..c30889d64 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
@@ -36,6 +36,14 @@
- "openshift-master.crt"
- "openshift-master.key"
- "openshift-master.kubeconfig"
+ - name: Remove generated etcd client certificates
+ file:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ state: absent
+ with_items:
+ - "master.etcd-client.crt"
+ - "master.etcd-client.key"
+ when: groups.oo_etcd_to_config | default([]) | length == 0
roles:
- role: openshift_master_certificates
openshift_master_etcd_hosts: "{{ hostvars
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
index 18b93e1d6..999e4af65 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
@@ -2,6 +2,8 @@
- name: Update registry certificates
hosts: oo_first_master
vars:
+ roles:
+ - lib_openshift
tasks:
- name: Create temp directory for kubeconfig
command: mktemp -d /tmp/openshift-ansible-XXXXXX
@@ -70,13 +72,17 @@
--key={{ openshift.common.config_base }}/master/registry.key
- name: Update registry certificates secret
- shell: >
- {{ openshift.common.client_binary }} secret new registry-certificates
- {{ openshift.common.config_base }}/master/registry.crt
- {{ openshift.common.config_base }}/master/registry.key
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
- -o json | oc replace -f -
+ oc_secret:
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ name: registry-certificates
+ namespace: default
+ state: present
+ files:
+ - name: registry.crt
+ path: "{{ openshift.common.config_base }}/master/registry.crt"
+ - name: registry.key
+ path: "{{ openshift.common.config_base }}/master/registry.key"
+ run_once: true
when: l_docker_registry_dc.rc == 0 and 'registry-certificates' in docker_registry_secrets and 'REGISTRY_HTTP_TLS_CERTIFICATE' in docker_registry_env_vars and 'REGISTRY_HTTP_TLS_KEY' in docker_registry_env_vars
- name: Redeploy docker registry
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
index a9e9f0915..707fb6424 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/router.yml
@@ -7,6 +7,8 @@
command: mktemp -d /tmp/openshift-ansible-XXXXXX
register: mktemp
changed_when: false
+ roles:
+ - lib_openshift
- name: Copy admin client config(s)
command: >
@@ -45,10 +47,12 @@
- block:
- name: Delete existing router certificate secret
- command: >
- {{ openshift.common.client_binary }} delete secret/router-certs
- --config={{ mktemp.stdout }}/admin.kubeconfig
- -n default
+ oc_secret:
+ kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ name: router-certs
+ namespace: default
+ state: absent
+ run_once: true
- name: Remove router service annotations
command: >
diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml
index d0eadf1fc..45aabf3e4 100644
--- a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml
+++ b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml
@@ -4,7 +4,7 @@
vars:
embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
timestamp: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
- etcdctl_command: "{{ 'etcdctl' if not openshift.common.is_containerized or embedded_etcd else 'docker exec etcd_container etcdctl' }}"
+ etcdctl_command: "{{ 'etcdctl' if not openshift.common.is_containerized or embedded_etcd else 'docker exec etcd_container etcdctl' if not openshift.common.is_etcd_system_container else 'runc exec etcd etcdctl' }}"
roles:
- openshift_facts
tasks:
diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
index 0f8d94737..690858c53 100644
--- a/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/etcd/upgrade.yml
@@ -14,6 +14,16 @@
register: etcd_container_version
failed_when: false
when: openshift.common.is_containerized | bool
+ - name: Record containerized etcd version
+ command: docker exec etcd_container rpm -qa --qf '%{version}' etcd\*
+ register: etcd_container_version
+ failed_when: false
+ when: openshift.common.is_containerized | bool and not openshift.common.is_etcd_system_container | bool
+ - name: Record containerized etcd version
+ command: runc exec etcd_container rpm -qa --qf '%{version}' etcd\*
+ register: etcd_container_version
+ failed_when: false
+ when: openshift.common.is_containerized | bool and openshift.common.is_etcd_system_container | bool
# I really dislike this copy/pasta but I wasn't able to find a way to get it to loop
# through hosts, then loop through tasks only when appropriate