Diffstat (limited to 'playbooks')
-rw-r--r--playbooks/adhoc/bootstrap-fedora.yml1
-rw-r--r--playbooks/adhoc/metrics_setup/playbooks/install.yml9
-rw-r--r--playbooks/adhoc/uninstall.yml118
-rw-r--r--playbooks/aws/openshift-cluster/config.yml2
-rw-r--r--playbooks/byo/openshift-cluster/config.yml5
-rw-r--r--playbooks/byo/openshift-cluster/enable_dnsmasq.yml4
-rw-r--r--playbooks/byo/openshift-cluster/redeploy-certificates.yml22
l---------playbooks/byo/openshift-cluster/upgrades/docker/nuke_images.sh1
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_2/README.md6
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml14
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_3/README.md18
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml67
-rw-r--r--playbooks/byo/openshift_facts.yml2
-rw-r--r--playbooks/common/openshift-cluster/additional_config.yml12
-rw-r--r--playbooks/common/openshift-cluster/config.yml22
-rw-r--r--playbooks/common/openshift-cluster/enable_dnsmasq.yml4
-rw-r--r--playbooks/common/openshift-cluster/evaluate_groups.yml2
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml91
-rw-r--r--playbooks/common/openshift-cluster/redeploy-certificates.yml255
l---------playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j21
-rw-r--r--playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml)4
-rw-r--r--playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml69
l---------playbooks/common/openshift-cluster/upgrades/docker-cluster1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml22
-rw-r--r--playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh8
l---------playbooks/common/openshift-cluster/upgrades/master_docker1
l---------playbooks/common/openshift-cluster/upgrades/native-cluster1
l---------playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service1
l---------playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service1
l---------playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service1
l---------playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j21
-rw-r--r--playbooks/common/openshift-cluster/upgrades/post.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml)13
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml)78
-rw-r--r--playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml)0
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade.yml (renamed from playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml)204
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j21
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service1
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j21
l---------playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml50
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml21
-rw-r--r--playbooks/common/openshift-master/config.yml6
-rw-r--r--playbooks/common/openshift-node/config.yml7
-rw-r--r--playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_network.yml36
-rw-r--r--playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml29
-rw-r--r--playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml2
-rw-r--r--playbooks/libvirt/openshift-cluster/templates/network.xml2
-rw-r--r--playbooks/libvirt/openshift-cluster/templates/storage-pool.xml6
-rw-r--r--playbooks/openstack/openshift-cluster/cluster_hosts.yml22
-rw-r--r--playbooks/openstack/openshift-cluster/dns.yml2
-rw-r--r--playbooks/openstack/openshift-cluster/files/heat_stack.yaml11
-rw-r--r--playbooks/openstack/openshift-cluster/launch.yml51
-rw-r--r--playbooks/openstack/openshift-cluster/list.yml6
-rw-r--r--playbooks/openstack/openshift-cluster/terminate.yml2
-rw-r--r--playbooks/openstack/openshift-cluster/vars.yml2
64 files changed, 1049 insertions, 281 deletions
diff --git a/playbooks/adhoc/bootstrap-fedora.yml b/playbooks/adhoc/bootstrap-fedora.yml
index 5ca383a37..b370d7fba 100644
--- a/playbooks/adhoc/bootstrap-fedora.yml
+++ b/playbooks/adhoc/bootstrap-fedora.yml
@@ -1,4 +1,5 @@
- hosts: OSEv3
+ gather_facts: false
tasks:
- name: install python and deps for ansible modules
raw: dnf install -y python2 python2-dnf libselinux-python libsemanage-python python2-firewall pyOpenSSL python-cryptography
diff --git a/playbooks/adhoc/metrics_setup/playbooks/install.yml b/playbooks/adhoc/metrics_setup/playbooks/install.yml
index 235f775ef..a9ec3c1ef 100644
--- a/playbooks/adhoc/metrics_setup/playbooks/install.yml
+++ b/playbooks/adhoc/metrics_setup/playbooks/install.yml
@@ -16,21 +16,30 @@
- name: "Add metrics-deployer"
command: "{{item}}"
+ run_once: true
+ register: output
+ failed_when: ('already exists' not in output.stderr) and (output.rc != 0)
with_items:
- oc project openshift-infra
- oc create -f /tmp/metrics-deployer-setup.yaml
- name: "Give metrics-deployer SA permissions"
command: "oadm policy add-role-to-user edit system:serviceaccount:openshift-infra:metrics-deployer"
+ run_once: true
- name: "Give heapster SA permissions"
command: "oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:openshift-infra:heapster"
+ run_once: true
- name: "Create metrics-deployer secret"
command: "oc secrets new metrics-deployer nothing=/dev/null"
+ register: output
+ failed_when: ('already exists' not in output.stderr) and (output.rc != 0)
+ run_once: true
- name: "Copy metrics.yaml to remote"
copy: "src=../files/metrics.yaml dest=/tmp/metrics.yaml force=yes"
- name: "Process yml template"
shell: "oc process -f /tmp/metrics.yaml -v MASTER_URL={{ masterPublicURL }},REDEPLOY=true,HAWKULAR_METRICS_HOSTNAME={{ metrics_external_service }},IMAGE_PREFIX={{ metrics_image_prefix }},IMAGE_VERSION={{ metrics_image_version }},USE_PERSISTENT_STORAGE=false | oc create -f -"
+ run_once: true \ No newline at end of file
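Review bot: The final "Process yml template" task is the one step in this hunk that stays non-idempotent: it gained `run_once: true` but not the `register`/`failed_when` guard the earlier `oc create` tasks received, so a second run of the playbook fails on `oc create -f -` once the metrics objects already exist. Because the command is a shell pipeline, a failure of `oc process` is also hidden behind the exit status of `oc create -f -`. Suggest adding `register: output` and `failed_when: ('already exists' not in output.stderr) and (output.rc != 0)` to match the other tasks, and prefixing the command with `set -o pipefail;` if the remote shell is bash (or splitting process and create into two tasks). The play header is above the hunk, so I cannot tell which host the `run_once` tasks are executed on.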
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index 4edd44fe4..789f66b14 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -22,6 +22,7 @@
- set_fact:
is_containerized: "{{ is_atomic or containerized | default(false) | bool }}"
+# Stop services on all hosts prior to removing files.
- hosts: nodes
become: yes
tasks:
@@ -35,6 +36,46 @@
- origin-node
failed_when: false
+- hosts: masters
+ become: yes
+ tasks:
+ - name: Stop services
+ service: name={{ item }} state=stopped
+ with_items:
+ - atomic-enterprise-master
+ - atomic-openshift-master
+ - atomic-openshift-master-api
+ - atomic-openshift-master-controllers
+ - openshift-master
+ - openshift-master-api
+ - openshift-master-controllers
+ - origin-master
+ - origin-master-api
+ - origin-master-controllers
+ - pcsd
+ failed_when: false
+
+- hosts: etcd
+ become: yes
+ tasks:
+ - name: Stop services
+ service: name={{ item }} state=stopped
+ with_items:
+ - etcd
+ failed_when: false
+
+- hosts: lb
+ become: yes
+ tasks:
+ - name: Stop services
+ service: name={{ item }} state=stopped
+ with_items:
+ - haproxy
+ failed_when: false
+
+- hosts: nodes
+ become: yes
+ tasks:
- name: unmask services
command: systemctl unmask "{{ item }}"
changed_when: False
@@ -72,6 +113,10 @@
- tuned-profiles-openshift-node
- tuned-profiles-origin-node
+ - name: Remove flannel package
+ action: "{{ ansible_pkg_mgr }} name=flannel state=absent"
+ when: openshift_use_flannel | default(false) | bool and not is_atomic | bool
+
- shell: systemctl reset-failed
changed_when: False
@@ -92,12 +137,6 @@
- vlinuxbr
- vovsbr
- - name: restart docker
- service: name=docker state=restarted
-
- - name: restart NetworkManager
- service: name=NetworkManager state=restarted
-
- shell: find /var/lib/origin/openshift.local.volumes -type d -exec umount {} \; 2>/dev/null || true
changed_when: False
@@ -161,51 +200,44 @@
with_items:
- /etc/ansible/facts.d/openshift.fact
- /etc/atomic-enterprise
+ - /etc/dnsmasq.d/origin-dns.conf
+ - /etc/dnsmasq.d/origin-upstream-dns.conf
+ - /etc/NetworkManager/dispatcher.d/99-origin-dns.sh
- /etc/openshift
- /etc/openshift-sdn
- /etc/origin
- - /etc/systemd/system/atomic-openshift-node.service
- - /etc/systemd/system/atomic-openshift-node-dep.service
- - /etc/systemd/system/origin-node.service
- - /etc/systemd/system/origin-node-dep.service
- - /etc/systemd/system/openvswitch.service
- /etc/sysconfig/atomic-enterprise-node
- /etc/sysconfig/atomic-openshift-node
- /etc/sysconfig/atomic-openshift-node-dep
- - /etc/sysconfig/origin-node
- - /etc/sysconfig/origin-node-dep
- /etc/sysconfig/openshift-node
- /etc/sysconfig/openshift-node-dep
- /etc/sysconfig/openvswitch
- /etc/sysconfig/origin-node
+ - /etc/sysconfig/origin-node
+ - /etc/sysconfig/origin-node-dep
+ - /etc/systemd/system/atomic-openshift-node-dep.service
+ - /etc/systemd/system/atomic-openshift-node.service
- /etc/systemd/system/atomic-openshift-node.service.wants
+ - /etc/systemd/system/docker.service.d/docker-sdn-ovs.conf
+ - /etc/systemd/system/openvswitch.service
+ - /etc/systemd/system/origin-node-dep.service
+ - /etc/systemd/system/origin-node.service
+ - /etc/systemd/system/origin-node.service.wants
- /run/openshift-sdn
- /var/lib/atomic-enterprise
- /var/lib/openshift
- /var/lib/origin
- - /etc/NetworkManager/dispatcher.d/99-origin-dns.sh
- - /etc/dnsmasq.d/origin-dns.conf
- - /etc/dnsmasq.d/origin-upstream-dns.conf
+
+ - name: restart docker
+ service: name=docker state=restarted
+
+ - name: restart NetworkManager
+ service: name=NetworkManager state=restarted
+
- hosts: masters
become: yes
tasks:
- - name: Stop services
- service: name={{ item }} state=stopped
- with_items:
- - atomic-enterprise-master
- - atomic-openshift-master
- - atomic-openshift-master-api
- - atomic-openshift-master-controllers
- - openshift-master
- - openshift-master-api
- - openshift-master-controllers
- - origin-master
- - origin-master-api
- - origin-master-controllers
- - pcsd
- failed_when: false
-
- name: unmask services
command: systemctl unmask "{{ item }}"
changed_when: False
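Review bot: The re-sorted removal list now carries `/etc/sysconfig/origin-node` twice — once as the surviving context entry and once in the block added directly below it — so one of the two entries should be dropped; a second `state=absent` pass is harmless, but the duplicate suggests the list was not re-read after sorting. Separately, the docker and NetworkManager restarts were moved to after the unit files and the `docker.service.d/docker-sdn-ovs.conf` drop-in are deleted, and no `systemctl daemon-reload` is visible between the deletion and the restart in this hunk; if the reload happens elsewhere in the play, a one-line comment such as `# daemon-reload for the removed unit files happens in the reset-failed step above` would save the next reader the search. The enclosing `file` task begins above the hunk.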
@@ -289,6 +321,7 @@
- /usr/local/bin/oadm
- /usr/local/bin/oc
- /usr/local/bin/kubectl
+ - /etc/flannel
# Since we are potentially removing the systemd unit files for separated
# master-api and master-controllers services, so we need to reload the
@@ -299,12 +332,6 @@
- hosts: etcd
become: yes
tasks:
- - name: Stop services
- service: name={{ item }} state=stopped
- with_items:
- - etcd
- failed_when: false
-
- name: unmask services
command: systemctl unmask "{{ item }}"
changed_when: False
@@ -338,17 +365,18 @@
- /etc/ansible/facts.d/openshift.fact
- /etc/etcd
- /etc/systemd/system/etcd_container.service
- - /var/lib/etcd
+
+ # Intenationally using rm command over file module because if someone had mounted a filesystem
+ # at /var/lib/etcd then the contents was not removed correctly
+ - name: Remove etcd data
+ shell: rm -rf /var/lib/etcd/*
+ args:
+ warn: no
+ failed_when: false
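Review bot: `rm -rf /var/lib/etcd/*` combined with `failed_when: false` can leave etcd data behind silently: the shell glob skips dot-files, and any failure (permissions, a busy or read-only mount) is swallowed, so a host reported as uninstalled may still hold the etcd keyspace, which contains every Secret the cluster stored. A form that removes everything below the mount point and still reports errors would be safer, e.g. `shell: find /var/lib/etcd -mindepth 1 -delete` with `args: removes: /var/lib/etcd` so the task is skipped rather than silenced when the directory is absent. The comment above the task should also spell out that the directory itself is kept on purpose because it may be a mount point (and fix "Intenationally").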
- hosts: lb
become: yes
tasks:
- - name: Stop services
- service: name={{ item }} state=stopped
- with_items:
- - haproxy
- failed_when: false
-
- name: unmask services
command: systemctl unmask "{{ item }}"
changed_when: False
diff --git a/playbooks/aws/openshift-cluster/config.yml b/playbooks/aws/openshift-cluster/config.yml
index 647c72239..05cfe7d6e 100644
--- a/playbooks/aws/openshift-cluster/config.yml
+++ b/playbooks/aws/openshift-cluster/config.yml
@@ -30,7 +30,7 @@
openshift_hosted_router_selector: 'type=infra'
openshift_node_labels:
region: "{{ deployment_vars[deployment_type].region }}"
- type: "{{ hostvars[inventory_hostname]['ec2_tag_sub-host-type'] if inventory_hostname in groups['tag_host-type_node'] else hostvars[inventory_hostname]['ec2_tag_host-type'] }}"
+ type: "{{ hostvars[inventory_hostname]['ec2_tag_sub-host-type'] }}"
openshift_master_cluster_method: 'native'
openshift_use_openshift_sdn: "{{ lookup('oo_option', 'use_openshift_sdn') }}"
os_sdn_network_plugin_name: "{{ lookup('oo_option', 'sdn_network_plugin_name') }}"
diff --git a/playbooks/byo/openshift-cluster/config.yml b/playbooks/byo/openshift-cluster/config.yml
index 0a931fbe0..0b85b2485 100644
--- a/playbooks/byo/openshift-cluster/config.yml
+++ b/playbooks/byo/openshift-cluster/config.yml
@@ -5,6 +5,8 @@
connection: local
become: no
gather_facts: no
+ tags:
+ - always
tasks:
- include_vars: ../../byo/openshift-cluster/cluster_hosts.yml
- add_host:
@@ -14,6 +16,8 @@
- hosts: l_oo_all_hosts
gather_facts: no
+ tags:
+ - always
tasks:
- include_vars: ../../byo/openshift-cluster/cluster_hosts.yml
@@ -22,3 +26,4 @@
openshift_cluster_id: "{{ cluster_id | default('default') }}"
openshift_debug_level: "{{ debug_level | default(2) }}"
openshift_deployment_type: "{{ deployment_type }}"
+ openshift_deployment_subtype: "{{ deployment_subtype | default(none) }}"
diff --git a/playbooks/byo/openshift-cluster/enable_dnsmasq.yml b/playbooks/byo/openshift-cluster/enable_dnsmasq.yml
index 1c8d99341..0ba11a21b 100644
--- a/playbooks/byo/openshift-cluster/enable_dnsmasq.yml
+++ b/playbooks/byo/openshift-cluster/enable_dnsmasq.yml
@@ -1,4 +1,6 @@
---
+- include: ../../common/openshift-cluster/verify_ansible_version.yml
+
- hosts: localhost
connection: local
become: no
@@ -8,7 +10,7 @@
- add_host:
name: "{{ item }}"
groups: l_oo_all_hosts
- with_items: g_all_hosts
+ with_items: "{{ g_all_hosts | default([]) }}"
- hosts: l_oo_all_hosts
gather_facts: no
diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
new file mode 100644
index 000000000..6d1247e0f
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/redeploy-certificates.yml
@@ -0,0 +1,22 @@
+---
+- include: ../../common/openshift-cluster/verify_ansible_version.yml
+
+- hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - include_vars: ../../byo/openshift-cluster/cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: "{{ g_all_hosts | default([]) }}"
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: ../../byo/openshift-cluster/cluster_hosts.yml
+
+- include: ../../common/openshift-cluster/redeploy-certificates.yml
+ vars:
+ openshift_deployment_type: "{{ deployment_type }}"
diff --git a/playbooks/byo/openshift-cluster/upgrades/docker/nuke_images.sh b/playbooks/byo/openshift-cluster/upgrades/docker/nuke_images.sh
new file mode 120000
index 000000000..d5d864b63
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/upgrades/docker/nuke_images.sh
@@ -0,0 +1 @@
+../../../../common/openshift-cluster/upgrades/files/nuke_images.sh \ No newline at end of file
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md b/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md
index 62577c3df..30603463a 100644
--- a/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_2/README.md
@@ -1,10 +1,12 @@
-# v3.1 to v3.2 upgrade playbook
+# v3.2 Major and Minor Upgrade Playbook
## Overview
This playbook currently performs the
following steps.
* Upgrade and restart master services
+ * Unschedule node.
+ * Upgrade and restart docker
* Upgrade and restart node services
* Modifies the subset of the configuration necessary
* Applies the latest cluster policies
@@ -13,4 +15,4 @@ following steps.
* Updates image streams and quickstarts
## Usage
-ansible-playbook -i ~/ansible-inventory openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
+ansible-playbook -i ~/ansible-inventory openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml
index e28313221..5d549eee7 100644
--- a/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_2/upgrade.yml
@@ -47,11 +47,19 @@
openshift_docker_log_options: "{{ lookup('oo_option', 'docker_log_options') }}"
when: openshift_docker_log_options is not defined
-- include: ../../../../common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
+
+# Configure the upgrade target for the common upgrade tasks:
+- hosts: l_oo_all_hosts
+ tasks:
+ - set_fact:
+ openshift_upgrade_target: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
+ openshift_upgrade_min: "{{ '1.1' if deployment_type == 'origin' else '3.1' }}"
+
+- include: ../../../../common/openshift-cluster/upgrades/pre.yml
vars:
openshift_deployment_type: "{{ deployment_type }}"
-- include: ../../../../common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
+- include: ../../../../common/openshift-cluster/upgrades/upgrade.yml
vars:
openshift_deployment_type: "{{ deployment_type }}"
- include: ../../../openshift-master/restart.yml
-- include: ../../../../common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
+- include: ../../../../common/openshift-cluster/upgrades/post.yml
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_3/README.md b/playbooks/byo/openshift-cluster/upgrades/v3_3/README.md
new file mode 100644
index 000000000..6892f6324
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_3/README.md
@@ -0,0 +1,18 @@
+# v3.3 Major and Minor Upgrade Playbook
+
+## Overview
+This playbook currently performs the
+following steps.
+
+ * Upgrade and restart master services
+ * Unschedule node.
+ * Upgrade and restart docker
+ * Upgrade and restart node services
+ * Modifies the subset of the configuration necessary
+ * Applies the latest cluster policies
+ * Updates the default router if one exists
+ * Updates the default registry if one exists
+ * Updates image streams and quickstarts
+
+## Usage
+ansible-playbook -i ~/ansible-inventory openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml
new file mode 100644
index 000000000..e740b12c0
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml
@@ -0,0 +1,67 @@
+---
+- include: ../../../../common/openshift-cluster/verify_ansible_version.yml
+
+- hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - include_vars: ../../../../byo/openshift-cluster/cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: g_all_hosts | default([])
+
+- hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: ../../../../byo/openshift-cluster/cluster_hosts.yml
+
+- include: ../../../../common/openshift-cluster/evaluate_groups.yml
+ vars:
+ # Do not allow adding hosts during upgrade.
+ g_new_master_hosts: []
+ g_new_node_hosts: []
+ openshift_cluster_id: "{{ cluster_id | default('default') }}"
+ openshift_deployment_type: "{{ deployment_type }}"
+
+- name: Set oo_options
+ hosts: oo_all_hosts
+ tasks:
+ - set_fact:
+ openshift_docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') }}"
+ when: openshift_docker_additional_registries is not defined
+ - set_fact:
+ openshift_docker_insecure_registries: "{{ lookup('oo_option', 'docker_insecure_registries') }}"
+ when: openshift_docker_insecure_registries is not defined
+ - set_fact:
+ openshift_docker_blocked_registries: "{{ lookup('oo_option', 'docker_blocked_registries') }}"
+ when: openshift_docker_blocked_registries is not defined
+ - set_fact:
+ openshift_docker_options: "{{ lookup('oo_option', 'docker_options') }}"
+ when: openshift_docker_options is not defined
+ - set_fact:
+ openshift_docker_log_driver: "{{ lookup('oo_option', 'docker_log_driver') }}"
+ when: openshift_docker_log_driver is not defined
+ - set_fact:
+ openshift_docker_log_options: "{{ lookup('oo_option', 'docker_log_options') }}"
+ when: openshift_docker_log_options is not defined
+
+
+# Configure the upgrade target for the common upgrade tasks:
+- hosts: l_oo_all_hosts
+ tasks:
+ - set_fact:
+ openshift_upgrade_target: "{{ '1.3' if deployment_type == 'origin' else '3.3' }}"
+ openshift_upgrade_min: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
+
+- include: ../../../../common/openshift-cluster/upgrades/pre.yml
+ vars:
+ openshift_deployment_type: "{{ deployment_type }}"
+- include: ../../../../common/openshift-cluster/upgrades/upgrade.yml
+ vars:
+ openshift_deployment_type: "{{ deployment_type }}"
+ master_config_hook: "v3_3/master_config_upgrade.yml"
+ node_config_hook: "v3_3/node_config_upgrade.yml"
+- include: ../../../openshift-master/restart.yml
+- include: ../../../../common/openshift-cluster/upgrades/post.yml
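Review bot: `with_items: g_all_hosts | default([])` in the localhost play uses the bare-variable loop form, while the sibling playbooks touched in this same change (enable_dnsmasq.yml, redeploy-certificates.yml, openshift_facts.yml) were switched to the templated form; bare `with_items` expressions are deprecated and are templated through a different path than a normal Jinja expression. Suggest `with_items: "{{ g_all_hosts | default([]) }}"` for consistency with the rest of the tree. The "Configure the upgrade target" play also omits `gather_facts: no`, so it will run setup on every host purely to set two facts; adding `gather_facts: no` there keeps the upgrade entry point cheap, assuming nothing later depends on facts gathered at this point.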
diff --git a/playbooks/byo/openshift_facts.yml b/playbooks/byo/openshift_facts.yml
index d966b58fd..8c0708df0 100644
--- a/playbooks/byo/openshift_facts.yml
+++ b/playbooks/byo/openshift_facts.yml
@@ -10,7 +10,7 @@
- add_host:
name: "{{ item }}"
groups: l_oo_all_hosts
- with_items: g_all_hosts
+ with_items: "{{ g_all_hosts }}"
- hosts: l_oo_all_hosts
gather_facts: no
diff --git a/playbooks/common/openshift-cluster/additional_config.yml b/playbooks/common/openshift-cluster/additional_config.yml
index e9fb3de96..26b31d313 100644
--- a/playbooks/common/openshift-cluster/additional_config.yml
+++ b/playbooks/common/openshift-cluster/additional_config.yml
@@ -1,11 +1,3 @@
-- name: Configure flannel
- hosts: oo_first_master
- vars:
- etcd_urls: "{{ openshift.master.etcd_urls }}"
- roles:
- - role: flannel_register
- when: openshift.common.use_flannel | bool
-
- name: Additional master configuration
hosts: oo_first_master
vars:
@@ -23,8 +15,6 @@
when: openshift.common.use_manageiq | bool
- role: cockpit
when: not openshift.common.is_atomic and ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and
- (osm_use_cockpit | bool or osm_use_cockpit is undefined )
+ (osm_use_cockpit | bool or osm_use_cockpit is undefined ) and ( openshift.common.deployment_subtype != 'registry' )
- role: flannel_register
when: openshift.common.use_flannel | bool
-
-
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 5cf5df08e..d6a99fcda 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -1,14 +1,22 @@
---
- include: evaluate_groups.yml
+ tags:
+ - always
- include: initialize_facts.yml
+ tags:
+ - always
- include: validate_hostnames.yml
+ tags:
+ - node
- include: initialize_openshift_version.yml
- name: Set oo_options
hosts: oo_all_hosts
+ tags:
+ - always
tasks:
- set_fact:
openshift_docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') }}"
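Review bot: `- include: initialize_openshift_version.yml` is the only include in this hunk left without a tag, so a run limited with `--tags master` (or `etcd`, `node`, `hosted`, …) skips it while the tagged includes around it still run; evaluate_groups.yml and initialize_facts.yml were tagged `always` for exactly this reason, and the version facts this include presumably sets are needed by every component that follows. Suggest giving it the same treatment: `- include: initialize_openshift_version.yml` followed by `tags:` / `- always`. Tagging validate_hostnames.yml with only `node` also means a master-only run no longer validates hostnames; if that is intended, a short comment saying so would help the next person.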
@@ -30,15 +38,29 @@
when: openshift_docker_log_options is not defined
- include: ../openshift-etcd/config.yml
+ tags:
+ - etcd
- include: ../openshift-nfs/config.yml
+ tags:
+ - nfs
- include: ../openshift-loadbalancer/config.yml
+ tags:
+ - loadbalancer
- include: ../openshift-master/config.yml
+ tags:
+ - master
- include: additional_config.yml
+ tags:
+ - master
- include: ../openshift-node/config.yml
+ tags:
+ - node
- include: openshift_hosted.yml
+ tags:
+ - hosted
diff --git a/playbooks/common/openshift-cluster/enable_dnsmasq.yml b/playbooks/common/openshift-cluster/enable_dnsmasq.yml
index f2bcc872f..4cfe8617e 100644
--- a/playbooks/common/openshift-cluster/enable_dnsmasq.yml
+++ b/playbooks/common/openshift-cluster/enable_dnsmasq.yml
@@ -8,11 +8,12 @@
post_tasks:
- fail: msg="This playbook requires a master version of at least Origin 1.1 or OSE 3.1"
when: not openshift.common.version_gte_3_1_1_or_1_1_1 | bool
-
+
- name: Reconfigure masters to listen on our new dns_port
hosts: oo_masters_to_config
handlers:
- include: ../../../roles/openshift_master/handlers/main.yml
+ static: yes
vars:
os_firewall_allow:
- service: skydns tcp
@@ -43,6 +44,7 @@
hosts: oo_nodes_to_config
handlers:
- include: ../../../roles/openshift_node/handlers/main.yml
+ static: yes
pre_tasks:
- openshift_facts:
role: "{{ item.role }}"
diff --git a/playbooks/common/openshift-cluster/evaluate_groups.yml b/playbooks/common/openshift-cluster/evaluate_groups.yml
index 3fb42a7fa..b3e02fb97 100644
--- a/playbooks/common/openshift-cluster/evaluate_groups.yml
+++ b/playbooks/common/openshift-cluster/evaluate_groups.yml
@@ -77,7 +77,7 @@
ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
ansible_become: "{{ g_sudo | default(omit) }}"
with_items: "{{ g_master_hosts | default([]) }}"
- when: g_nodeonmaster | default(false) == true and g_new_node_hosts is not defined
+ when: g_nodeonmaster | default(false) | bool and not g_new_node_hosts | default(false) | bool
- name: Evaluate oo_first_etcd
add_host:
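Review bot: The new condition `not g_new_node_hosts | default(false) | bool` does not test whether the list is empty: `bool` is Ansible's yes/no/true/false conversion, not a truthiness check, and a non-empty list is not one of its true values (on the Ansible releases this tree targets it appears to yield false; newer releases with strict conversion raise instead), so the `not` makes the condition true even when `g_new_node_hosts` names real hosts and masters would be added to `oo_nodes_to_config` during a node scale-up — the opposite of the old `is not defined` guard. Given that the v3_3 upgrade playbook passes `g_new_node_hosts: []` to mean "no new hosts", a length check expresses the intent directly: `when: g_nodeonmaster | default(false) | bool and (g_new_node_hosts | default([]) | length == 0)`. The `add_host` task this guards begins above the hunk.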
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 4d4a09828..4aca4daf4 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -1,5 +1,8 @@
+---
- name: Create persistent volumes
hosts: oo_first_master
+ tags:
+ - hosted
vars:
persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}"
persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}"
@@ -9,6 +12,8 @@
- name: Create Hosted Resources
hosts: oo_first_master
+ tags:
+ - hosted
pre_tasks:
- set_fact:
openshift_hosted_router_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
@@ -36,6 +41,90 @@
openshift_serviceaccounts_sccs:
- privileged
when: not openshift.common.version_gte_3_2_or_1_2
+ - role: openshift_hosted
- role: openshift_metrics
when: openshift.hosted.metrics.deploy | bool
- - role: openshift_hosted
+ - role: cockpit-ui
+ when: openshift.common.deployment_subtype == 'registry'
+
+- name: Configure CA certificate for secure registry
+ hosts: oo_nodes_to_config
+ tags:
+ - hosted
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ when: openshift.common.deployment_subtype == 'registry'
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve docker-registry route
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ --template='{{ '{{' }} .spec.host {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_route
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get service docker-registry
+ --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_service_ip
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Create registry CA directories
+ file:
+ path: "/etc/docker/certs.d/{{ item }}"
+ state: directory
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ - name: Copy CA to registry CA directories
+ copy:
+ src: "{{ openshift.common.config_base }}/node/ca.crt"
+ dest: "/etc/docker/certs.d/{{ item }}"
+ remote_src: yes
+ force: yes
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ notify:
+ - Restart docker
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: False
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ handlers:
+ - name: Restart docker
+ service:
+ name: docker
+ state: restarted
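Review bot: The "Copy the admin client config(s)" task puts a copy of the master's `admin.kubeconfig` — cluster-admin credentials — under `/tmp` on the first master, and nothing guarantees the "Delete temp directory" task runs: if either `oc get` fails (neither has a `failed_when`, e.g. when the `docker-registry` route or service does not exist yet) the play aborts with the credential copy left behind. Since both `oc get` calls are read-only, they could point `--config` at `{{ openshift.common.config_base }}/master/admin.kubeconfig` directly and the mktemp/cp/delete trio could go; if the copy is kept, wrap the sequence in a `block:` with the delete under `always:`. Smaller points: the three-entry registry host list is duplicated between the `file` and `copy` tasks and could be a single `set_fact`, and every task repeats `when: openshift.common.deployment_subtype == 'registry'`, which a `when` on an enclosing block would state once.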
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates.yml b/playbooks/common/openshift-cluster/redeploy-certificates.yml
new file mode 100644
index 000000000..5b72c3450
--- /dev/null
+++ b/playbooks/common/openshift-cluster/redeploy-certificates.yml
@@ -0,0 +1,255 @@
+---
+- include: evaluate_groups.yml
+
+- include: initialize_facts.yml
+
+- include: initialize_openshift_version.yml
+
+- name: Load openshift_facts
+ hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
+ roles:
+ - openshift_facts
+
+- name: Redeploy etcd certificates
+ hosts: oo_etcd_to_config
+ any_errors_fatal: true
+ vars:
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_conf_dir: /etc/etcd
+ etcd_generated_certs_dir: "{{ etcd_conf_dir }}/generated_certs"
+
+ pre_tasks:
+ - stat:
+ path: "{{ etcd_generated_certs_dir }}"
+ register: etcd_generated_certs_dir_stat
+ - name: Backup etcd certificates
+ command: >
+ tar -czvf /etc/etcd/etcd-certificate-backup-{{ ansible_date_time.epoch }}.tgz
+ {{ etcd_conf_dir }}/ca.crt
+ {{ etcd_conf_dir }}/ca
+ {{ etcd_generated_certs_dir }}
+ when: etcd_generated_certs_dir_stat.stat.exists
+ delegate_to: "{{ etcd_ca_host }}"
+ run_once: true
+ - name: Remove existing etcd certificates
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ etcd_conf_dir }}/ca.crt"
+ - "{{ etcd_conf_dir }}/ca"
+ - "{{ etcd_generated_certs_dir }}"
+ roles:
+ - role: openshift_etcd_server_certificates
+ etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
+ etcd_certificates_redeploy: true
+
+- name: Redeploy master certificates
+ hosts: oo_masters_to_config
+ any_errors_fatal: true
+ vars:
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
+ pre_tasks:
+ # set_fact task copied from playbooks/common/openshift-master/config.yml
+ # so that openshift_master_default_subdomain has a default value of ""
+ # (emptry string). openshift_master_default_subdomain must have a default
+ # value for openshift_master_facts to set metrics_public_url.
+ # TODO: clean this up.
+ - set_fact:
+ openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
+ when: openshift_master_default_subdomain is not defined
+ - stat:
+ path: "{{ openshift_generated_configs_dir }}"
+ register: openshift_generated_configs_dir_stat
+ - name: Backup generated certificate and config directories
+ command: >
+ tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
+ {{ openshift_generated_configs_dir }}
+ {{ openshift.common.config_base }}/master
+ when: openshift_generated_configs_dir_stat.stat.exists
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+ - name: Remove generated certificate directories
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ openshift_generated_configs_dir }}"
+ - name: Remove generated certificates
+ file:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ state: absent
+ with_items:
+ - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false) }}"
+ - "etcd.server.crt"
+ - "etcd.server.key"
+ - "master.etcd-client.crt"
+ - "master.etcd-client.key"
+ - "master.server.crt"
+ - "master.server.key"
+ - "openshift-master.crt"
+ - "openshift-master.key"
+ - "openshift-master.kubeconfig"
+ - name: Remove CA certificate
+ file:
+ path: "{{ openshift.common.config_base }}/master/{{ item }}"
+ state: absent
+ when: openshift_certificates_redeploy_ca | default(false) | bool
+ with_items:
+ - "ca.crt"
+ - "ca.key"
+ - "ca.serial.txt"
+ - "ca-bundle.crt"
+ roles:
+ - role: openshift_master_certificates
+ openshift_master_etcd_hosts: "{{ hostvars
+ | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
+ | oo_collect('openshift.common.hostname')
+ | default(none, true) }}"
+ openshift_master_hostnames: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'] | default([]))
+ | oo_collect('openshift.common.all_hostnames')
+ | oo_flatten | unique }}"
+ openshift_certificates_redeploy: true
+ - role: openshift_etcd_client_certificates
+ etcd_certificates_redeploy: true
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+ etcd_cert_prefix: "master.etcd-"
+ when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config
+
+- name: Redeploy node certificates
+ hosts: oo_nodes_to_config
+ any_errors_fatal: true
+ pre_tasks:
+ - name: Remove CA certificate
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ openshift.common.config_base }}/node/ca.crt"
+ roles:
+ - role: openshift_node_certificates
+ openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
+ openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+ openshift_certificates_redeploy: true
+
+- name: Restart etcd
+ hosts: oo_etcd_to_config
+ tasks:
+ - name: restart etcd
+ service:
+ name: "{{ 'etcd' if not openshift.common.is_containerized | bool else 'etcd_container' }}"
+ state: restarted
+
+- name: Stop master services
+ hosts: oo_masters_to_config
+ vars:
+ openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+ tasks:
+ - name: stop master
+ service: name={{ openshift.common.service_type }}-master state=stopped
+ when: not openshift_master_ha | bool
+ - name: stop master api
+ service: name={{ openshift.common.service_type }}-master-api state=stopped
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+ - name: stop master controllers
+ service: name={{ openshift.common.service_type }}-master-controllers state=stopped
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+
+- name: Start master services
+ hosts: oo_masters_to_config
+ serial: 1
+ vars:
+ openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+ tasks:
+ - name: start master
+ service: name={{ openshift.common.service_type }}-master state=started
+ when: not openshift_master_ha | bool
+ - name: start master api
+ service: name={{ openshift.common.service_type }}-master-api state=started
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+ - name: start master controllers
+ service: name={{ openshift.common.service_type }}-master-controllers state=started
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'native'
+
+- name: Restart masters (pacemaker)
+ hosts: oo_first_master
+ vars:
+ openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+ tasks:
+ - name: restart master
+ command: pcs resource restart master
+ when: openshift_master_ha | bool and openshift_master_cluster_method == 'pacemaker'
+
+- name: Restart nodes
+ hosts: oo_nodes_to_config
+ tasks:
+ - name: restart node
+ service: name={{ openshift.common.service_type }}-node state=restarted
+
+- name: Copy admin client config(s)
+ hosts: oo_first_master
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+
+ - name: Copy admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+ changed_when: False
+
+- name: Serially evacuate all nodes to trigger redeployments
+ hosts: oo_nodes_to_config
+ serial: 1
+ any_errors_fatal: true
+ tasks:
+ - name: Determine if node is currently scheduleable
+ command: >
+ {{ openshift.common.client_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ get node {{ openshift.common.hostname | lower }} -o json
+ register: node_output
+ when: openshift_certificates_redeploy_ca | default(false) | bool
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ changed_when: false
+
+ - set_fact:
+ was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool
+
+ - name: Prepare for node evacuation
+ command: >
+ {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ manage-node {{ openshift.common.hostname | lower }}
+ --schedulable=false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
+
+ - name: Evacuate node
+ command: >
+ {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ manage-node {{ openshift.common.hostname | lower }}
+ --evacuate --force
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
+
+ - name: Set node schedulability
+ command: >
+ {{ openshift.common.admin_binary }} --config={{ hostvars[groups.oo_first_master.0].mktemp.stdout }}/admin.kubeconfig
+ manage-node {{ openshift.common.hostname | lower }} --schedulable=true
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ when: openshift_certificates_redeploy_ca | default(false) | bool and was_schedulable | bool
+
+- name: Delete temporary directory
+ hosts: oo_first_master
+ tasks:
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
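Review bot: The two backup archives written by `tar -czvf` (the 'Backup etcd certificates' and 'Backup generated certificate and config directories' tasks) bundle private key material — the master backup covers the whole `master` directory, which holds `ca.key` per the 'Remove CA certificate' task, and the etcd one presumably holds the CA key under `ca` — yet the archive's mode is left to the remote umask, so it can end up group- or world-readable under /etc/etcd and /etc/origin. Follow each tar with a `file` task pinning the archive to `mode: "0600"` (shown below for etcd; the master backup needs the same with its own path and `openshift_ca_host`). A second, smaller point: the admin.kubeconfig copied into the `mktemp` directory by 'Copy admin client config(s)' is only removed by the final play, so a failure in the `any_errors_fatal` evacuation play leaves a cluster-admin credential behind in /tmp on the first master; a comment such as `# NOTE: on failure the temp kubeconfig copy in /tmp must be removed by hand` would at least make that visible to operators.
```yaml
    - name: Backup etcd certificates
      # … unchanged: tar command, when, delegate_to, run_once …
    - name: Restrict permissions on the etcd certificate backup
      file:
        path: "/etc/etcd/etcd-certificate-backup-{{ ansible_date_time.epoch }}.tgz"
        mode: "0600"
      when: etcd_generated_certs_dir_stat.stat.exists
      delegate_to: "{{ etcd_ca_host }}"
      run_once: true
```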
diff --git a/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2 b/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2
new file mode 120000
index 000000000..2441f8887
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/atomic-openshift-master.j2
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/atomic-openshift-master.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml
index 60ea84f8e..32a3636aa 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_node_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml
@@ -1,7 +1,7 @@
-- include_vars: ../../../../../roles/openshift_node/vars/main.yml
+- include_vars: ../../../../roles/openshift_node/vars/main.yml
- name: Update systemd units
- include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version={{ openshift_image_tag }}
+ include: ../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version={{ openshift_image_tag }}
- name: Verifying the correct version was configured
shell: grep {{ verify_upgrade_version }} {{ item }}
diff --git a/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
new file mode 100644
index 000000000..e8a20aa2b
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml
@@ -0,0 +1,69 @@
+---
+- name: Create local temp directory for syncing certs
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - name: Create local temp directory for syncing certs
+ local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: local_cert_sync_tmpdir
+ changed_when: false
+
+- name: Create service signer certificate
+ hosts: oo_first_master
+ tasks:
+ - name: Create remote temp directory for creating certs
+ command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: remote_cert_create_tmpdir
+ changed_when: false
+
+ - name: Create service signer certificate
+ command: >
+ {{ openshift.common.admin_binary }} ca create-signer-cert
+ --cert=service-signer.crt
+ --key=service-signer.key
+ --name=openshift-service-serving-signer
+ --serial=service-signer.serial.txt
+ args:
+ chdir: "{{ remote_cert_create_tmpdir.stdout }}/"
+
+ - name: Retrieve service signer certificate
+ fetch:
+ src: "{{ remote_cert_create_tmpdir.stdout }}/{{ item }}"
+ dest: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/"
+ flat: yes
+ fail_on_missing: yes
+ validate_checksum: yes
+ with_items:
+ - "service-signer.crt"
+ - "service-signer.key"
+
+ - name: Delete remote temp directory
+ file:
+ name: "{{ remote_cert_create_tmpdir.stdout }}"
+ state: absent
+ changed_when: false
+
+- name: Deploy service signer certificate
+ hosts: oo_masters_to_config
+ tasks:
+ - name: Deploy service signer certificate
+ copy:
+ src: "{{ hostvars.localhost.local_cert_sync_tmpdir.stdout }}/{{ item }}"
+ dest: "{{ openshift.common.config_base }}/master/"
+ with_items:
+ - "service-signer.crt"
+ - "service-signer.key"
+
+- name: Delete local temp directory
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - name: Delete local temp directory
+ file:
+ name: "{{ local_cert_sync_tmpdir.stdout }}"
+ state: absent
+ changed_when: false
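Review bot: The 'Deploy service signer certificate' copy task writes `service-signer.key` into the master config directory with no explicit `mode`, so the private key gets the copy module's default permissions on every master, which derive from the remote umask and are typically wider than owner-only. Add `mode: "0600"` to that copy task (the certificate can carry the same mode, since only the master process on that host reads it). As a point of style, the first play already targets `localhost` with `connection: local`, so `local_action: command mktemp ...` can be a plain `command:` like the matching 'Delete local temp directory' task.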
diff --git a/playbooks/common/openshift-cluster/upgrades/docker-cluster b/playbooks/common/openshift-cluster/upgrades/docker-cluster
new file mode 120000
index 000000000..055ad09fc
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/docker-cluster
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/docker-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
index 20d66522f..417096dd0 100644
--- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
@@ -13,14 +13,36 @@
failed_when: false
when: openshift.common.is_containerized | bool
+- name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+
+- debug: var=docker_image_count.stdout
+
- name: Remove all containers and images
script: nuke_images.sh docker
register: nuke_images_result
when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+- name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+- debug: var=docker_image_count.stdout
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+- service: name=docker state=stopped
+
- name: Upgrade Docker
action: "{{ ansible_pkg_mgr }} name=docker{{ '-' + docker_version }} state=present"
+- service: name=docker state=started
+
+- name: Update docker facts
+ openshift_facts:
+ role: docker
+
- name: Restart containerized services
service: name={{ item }} state=started
with_items:
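Review bot: Both 'Check Docker image count' tasks run a read-only `docker images -aq | wc -l` but have no `changed_when: false`, so every run of this play reports changes for pure diagnostics; add `changed_when: false` to both, and the same applies to the identical pair added in upgrades/upgrade.yml's 'Cleanup unused Docker images' play. The two tasks also share a name and register the same variable, so the following `debug` lines do not say whether they print the before- or after-nuke count; naming them 'Check Docker image count (before cleanup)' and '(after cleanup)' would make the log readable. The bare `- service: name=docker state=stopped` and `state=started` tasks are the only unnamed tasks in the list. The enclosing task list starts before this hunk.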
diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml
index 06b3e244f..8002af4fc 100644
--- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml
+++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade_check.yml
@@ -28,7 +28,7 @@
- fail:
msg: This playbook requires access to Docker 1.10 or later
# Disable the 1.10 requirement if the user set a specific Docker version
- when: avail_docker_version.stdout | version_compare('1.10','<') and docker_version is not defined
+ when: docker_version is not defined and (docker_upgrade is not defined or docker_upgrade | bool == True) and (avail_docker_version.stdout == "" or avail_docker_version.stdout | version_compare('1.10','<'))
# Default l_docker_upgrade to False, we'll set to True if an upgrade is required:
- set_fact:
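Review bot: The comment above the `fail` task still reads 'Disable the 1.10 requirement if the user set a specific Docker version', but the new condition also waives the check when `docker_upgrade` is false and newly triggers it when `avail_docker_version.stdout` is empty; update it to `# Skip the Docker 1.10 requirement if the user pinned docker_version or disabled docker_upgrade; fail when no version is available`. `docker_upgrade | bool == True` is the same as `docker_upgrade | bool`, and the condition would be easier to audit as a folded `>` scalar with one clause per line. The task list continues outside the hunk.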
diff --git a/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh b/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh
index 6b155f7fa..8635eab0d 100644
--- a/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh
+++ b/playbooks/common/openshift-cluster/upgrades/files/nuke_images.sh
@@ -15,9 +15,11 @@ then
fi
# Delete all images (forcefully)
-image_ids=`docker images -q`
+image_ids=`docker images -aq`
if test -n "$image_ids"
then
- # Taken from: https://gist.github.com/brianclements/f72b2de8e307c7b56689#gistcomment-1443144
- docker rmi $(docker images | grep "$2/\|/$2 \| $2 \|$2 \|$2-\|$2_" | awk '{print $1 ":" $2}') 2>/dev/null || echo "No images matching \"$2\" left to purge."
+ # Some layers are deleted recursively and are no longer present
+ # when docker goes to remove them:
+ docker rmi -f `docker images -aq` || true
fi
+
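Review bot: `image_ids` is collected just above and tested for emptiness, but the new `rmi` line re-runs `docker images -aq` instead of using it, and the `$2` argument the caller still passes (`script: nuke_images.sh docker` in docker/upgrade.yml) no longer filters anything; use the variable, `docker rmi -f $image_ids || true`, and either drop the unused argument at the call site or note in the script header that it is ignored. With `|| true` masking the exit status, genuine failures (for example images still referenced by containers, or a daemon that is not responding) are no longer visible to the playbook, which is worth a comment beyond the one about recursively deleted layers. The script's argument handling starts before this hunk.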
diff --git a/playbooks/common/openshift-cluster/upgrades/master_docker b/playbooks/common/openshift-cluster/upgrades/master_docker
new file mode 120000
index 000000000..6aeca2842
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/master_docker
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/master_docker \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/native-cluster b/playbooks/common/openshift-cluster/upgrades/native-cluster
new file mode 120000
index 000000000..4af88e666
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/native-cluster
@@ -0,0 +1 @@
+../../../../roles/openshift_master/templates/native-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service
new file mode 120000
index 000000000..add8b7fa9
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.dep.service
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openshift.docker.node.dep.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service
new file mode 120000
index 000000000..ed181633d
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openshift.docker.node.service
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openshift.docker.node.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service b/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service
new file mode 120000
index 000000000..c21e895f2
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openvswitch.docker.service
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openvswitch.docker.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2 b/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2
new file mode 120000
index 000000000..ead6904c4
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/openvswitch.sysconfig.j2
@@ -0,0 +1 @@
+../../../../roles/openshift_node/templates/openvswitch.sysconfig.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml b/playbooks/common/openshift-cluster/upgrades/post.yml
index ccf9514f1..e43954453 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post.yml
@@ -57,3 +57,16 @@
'{"spec":{"template":{"spec":{"containers":[{"name":"registry","image":"{{ registry_image }}"}]}}}}'
--api-version=v1
+# Check for warnings to be printed at the end of the upgrade:
+- name: Check for warnings
+ hosts: oo_masters_to_config
+ tasks:
+ # Check if any masters are using pluginOrderOverride and warn if so, only for 1.3/3.3 and beyond:
+ - command: >
+ grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml
+ register: grep_plugin_order_override
+ when: openshift.common.version_gte_3_3_or_1_3 | bool
+ failed_when: false
+ - name: Warn if pluginOrderOverride is in use in master-config.yaml
+ debug: msg="WARNING pluginOrderOverride is being deprecated in master-config.yaml, please see https://docs.openshift.com/enterprise/latest/architecture/additional_concepts/admission_controllers.html for more information."
+ when: not grep_plugin_order_override | skipped and grep_plugin_order_override.rc == 0
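Review bot: The `grep pluginOrderOverride` task is a read-only check but has no `changed_when: false`, so the 'Check for warnings' play reports a change on every master where the grep runs; add `changed_when: false` beside the existing `failed_when: false`. The pattern also matches a commented-out `pluginOrderOverride` line in master-config.yaml, so the warning can be a false positive; anchoring the expression to the start of the line would narrow that.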
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml b/playbooks/common/openshift-cluster/upgrades/pre.yml
index a32123952..42a24eaf8 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre.yml
@@ -3,7 +3,7 @@
# Evaluate host groups and gather facts
###############################################################################
-- include: ../../initialize_facts.yml
+- include: ../initialize_facts.yml
- name: Update repos and initialize facts on all hosts
hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config:oo_lb_to_config
@@ -39,7 +39,6 @@
- name: Verify upgrade can proceed on first master
hosts: oo_first_master
vars:
- target_version: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
g_pacemaker_upgrade_url_segment: "{{ 'org/latest' if deployment_type =='origin' else '.com/enterprise/3.1' }}"
gather_facts: no
tasks:
@@ -63,14 +62,14 @@
- fail:
msg: >
openshift_pkg_version is {{ openshift_pkg_version }} which is not a
- valid version for a {{ target_version }} upgrade
- when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(target_version ,'<')
+ valid version for a {{ openshift_upgrade_target }} upgrade
+ when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(openshift_upgrade_target ,'<')
- fail:
msg: >
openshift_image_tag is {{ openshift_image_tag }} which is not a
- valid version for a {{ target_version }} upgrade
- when: openshift_image_tag is defined and openshift_image_tag.split('v',1).1 | version_compare(target_version ,'<')
+ valid version for a {{ openshift_upgrade_target }} upgrade
+ when: openshift_image_tag is defined and openshift_image_tag.split('v',1).1 | version_compare(openshift_upgrade_target ,'<')
- set_fact:
openshift_release: "{{ openshift_release[1:] }}"
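Review bot: `openshift_upgrade_target` is now read by the `version_compare` filters here (and, with `openshift_upgrade_min`, in the later hunks of this file), but nothing in pre.yml checks that the calling playbook defined them; since this file is now shared across upgrade versions, a missing value surfaces as a Jinja undefined-variable error part-way through the pre-checks instead of a clear message. Add an early guard in the 'Verify upgrade can proceed on first master' play, e.g. `- fail: msg="openshift_upgrade_target and openshift_upgrade_min must be set by the calling upgrade playbook"` with `when: openshift_upgrade_target is not defined or openshift_upgrade_min is not defined`. The play containing this hunk starts earlier in the file.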
@@ -79,15 +78,15 @@
- fail:
msg: >
openshift_release is {{ openshift_release }} which is not a
- valid release for a {{ target_version }} upgrade
- when: openshift_release is defined and not openshift_release | version_compare(target_version ,'=')
+ valid release for a {{ openshift_upgrade_target }} upgrade
+ when: openshift_release is defined and not openshift_release | version_compare(openshift_upgrade_target ,'=')
-- include: ../../../../common/openshift-cluster/initialize_openshift_version.yml
+- include: ../../../common/openshift-cluster/initialize_openshift_version.yml
vars:
- # Request openshift_release 3.2 and let the openshift_version role handle converting this
+ # Request specific openshift_release and let the openshift_version role handle converting this
# to a more specific version, respecting openshift_image_tag and openshift_pkg_version if
# defined, and overriding the normal behavior of protecting the installed version
- openshift_release: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
+ openshift_release: "{{ openshift_upgrade_target }}"
openshift_protect_installed_version: False
# Docker role (a dependency) should be told not to do anything to installed version
# of docker, we handle this separately during upgrade. (the inventory may have a
@@ -141,7 +140,6 @@
- name: Verify upgrade targets
hosts: oo_masters_to_config:oo_nodes_to_config
vars:
- target_version: "{{ '1.2' if deployment_type == 'origin' else '3.2' }}"
openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
pre_tasks:
- fail:
@@ -175,48 +173,24 @@
register: avail_openshift_version
when: not openshift.common.is_containerized | bool
- - name: Verify OpenShift 3.2 RPMs are available for upgrade
+ - name: Verify OpenShift RPMs are available for upgrade
fail:
- msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but 3.2 or greater is required"
- when: deployment_type != 'origin' and not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<')
-
- - name: Verify Origin 1.2 RPMs are available for upgrade
- fail:
- msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but 1.2 or greater is required"
- when: deployment_type == 'origin' and not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<')
-
- # TODO: Are these two grep checks necessary anymore?
- # Note: the version number is hardcoded here in hopes of catching potential
- # bugs in how g_aos_versions.curr_version is set
- - name: Verifying the correct version is installed for upgrade
- shell: grep 3.1.1.6 {{ item }}
- with_items:
- - /etc/sysconfig/openvswitch
- - /etc/sysconfig/{{ openshift.common.service_type }}*
- when: verify_upgrade_version is defined
-
- - name: Verifying the image version is used in the systemd unit
- shell: grep IMAGE_VERSION {{ item }}
- with_items:
- - /etc/systemd/system/openvswitch.service
- - /etc/systemd/system/{{ openshift.common.service_type }}*.service
- when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
-
- - fail:
- msg: This upgrade playbook must be run on Origin 1.1 or later
- when: deployment_type == 'origin' and openshift.common.version | version_compare('1.1','<')
+ msg: "OpenShift {{ avail_openshift_version.stdout }} is available, but {{ openshift_upgrade_target }} or greater is required"
+ when: not openshift.common.is_containerized | bool and not avail_openshift_version | skipped and avail_openshift_version.stdout | default('0.0', True) | version_compare(openshift_release, '<')
- fail:
- msg: This upgrade playbook must be run on OpenShift Enterprise 3.1 or later
- when: deployment_type == 'atomic-openshift' and openshift.common.version | version_compare('3.1','<')
+ msg: "This upgrade playbook must be run against OpenShift {{ openshift_upgrade_min }} or later"
+ when: deployment_type == 'origin' and openshift.common.version | version_compare(openshift_upgrade_min,'<')
- name: Verify docker upgrade targets
hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config
tasks:
- - name: Determine available Docker
- script: ../files/rpm_versions.sh docker
- register: g_docker_version_result
- when: not openshift.common.is_atomic | bool
+ # Only check if docker upgrade is required if docker_upgrade is not
+ # already set to False.
+ - include: docker/upgrade_check.yml
+ when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool
+
+ # Additional checks for Atomic hosts:
- name: Determine available Docker
shell: "rpm -q --queryformat '---\ncurr_version: %{VERSION}\navail_version: \n' docker"
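Review bot: The minimum-version `fail` now only fires for `deployment_type == 'origin'`; the removed enterprise check (`atomic-openshift` against 3.1) has no replacement, so an enterprise cluster below `openshift_upgrade_min` passes the pre-checks. If `openshift_upgrade_min` is supplied per deployment type by the calling playbook, the guard should simply be `when: openshift.common.version | version_compare(openshift_upgrade_min,'<')`. The `docker/upgrade_check.yml` include condition also parses as `docker_upgrade is not defined or (docker_upgrade | bool and not openshift.common.is_atomic | bool)` because `and` binds tighter than `or`, so Atomic hosts with `docker_upgrade` unset still run the non-Atomic check that the comment says is for the other case; write it as `when: (docker_upgrade is not defined or docker_upgrade | bool) and not openshift.common.is_atomic | bool`. The 'Verify upgrade targets' play starts before this hunk.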
@@ -224,18 +198,12 @@
when: openshift.common.is_atomic | bool
- set_fact:
- g_docker_version: "{{ g_docker_version_result.stdout | from_yaml }}"
- when: not openshift.common.is_atomic | bool
-
- - set_fact:
- g_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}"
+ l_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}"
when: openshift.common.is_atomic | bool
- fail:
msg: This playbook requires access to Docker 1.10 or later
- when: g_docker_version.avail_version | default(g_docker_version.curr_version, true) | version_compare('1.10','<')
-
- # TODO: add check to upgrade ostree to get latest Docker
+ when: openshift.common.is_atomic | bool and l_docker_version.avail_version | default(l_docker_version.curr_version, true) | version_compare('1.10','<')
- set_fact:
pre_upgrade_complete: True
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
index f5e4d807e..f5e4d807e 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
index 59cedc839..ba4fc63be 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
@@ -3,23 +3,77 @@
# The restart playbook should be run after this playbook completes.
###############################################################################
+# Separate step so we can execute in parallel and clear out anything unused
+# before we get into the serialized upgrade process which will then remove
+# remaining images if possible.
+- name: Cleanup unused Docker images
+ hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config
+ tasks:
+ - name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - debug: var=docker_image_count.stdout
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - name: Remove unused Docker images for Docker 1.10+ migration
+ shell: "docker rmi `docker images -aq`"
+ # Will fail on images still in use:
+ failed_when: false
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - name: Check Docker image count
+ shell: "docker images -aq | wc -l"
+ register: docker_image_count
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
+ - debug: var=docker_image_count.stdout
+ when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
+
###############################################################################
# Upgrade Masters
###############################################################################
-- name: Upgrade master
+- name: Upgrade master packages
hosts: oo_masters_to_config
handlers:
- - include: ../../../../../roles/openshift_master/handlers/main.yml
+ - include: ../../../../roles/openshift_master/handlers/main.yml
+ static: yes
roles:
- openshift_facts
tasks:
- include: rpm_upgrade.yml component=master
when: not openshift.common.is_containerized | bool
- - include_vars: ../../../../../roles/openshift_master/vars/main.yml
+- name: Determine if service signer cert must be created
+ hosts: oo_first_master
+ tasks:
+ - name: Determine if service signer certificate must be created
+ stat:
+ path: "{{ openshift.common.config_base }}/master/service-signer.crt"
+ register: service_signer_cert_stat
+ changed_when: false
+
+# Create service signer cert when missing. Service signer certificate
+# is added to master config in the master config hook for v3_3.
+- include: create_service_signer_cert.yml
+ when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
+
+- name: Upgrade master config and systemd units
+ hosts: oo_masters_to_config
+ handlers:
+ - include: ../../../../roles/openshift_master/handlers/main.yml
+ static: yes
+ roles:
+ - openshift_facts
+ tasks:
+ - include: "{{ master_config_hook }}"
+ when: master_config_hook is defined
+
+ - include_vars: ../../../../roles/openshift_master/vars/main.yml
- name: Update systemd units
- include: ../../../../../roles/openshift_master/tasks/systemd_units.yml
+ include: ../../../../roles/openshift_master/tasks/systemd_units.yml
# - name: Upgrade master configuration
# openshift_upgrade_config:
@@ -28,6 +82,31 @@
# role: master
# config_base: "{{ hostvars[inventory_hostname].openshift.common.config_base }}"
+ - name: Check for ca-bundle.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ register: ca_bundle_stat
+ failed_when: false
+
+ - name: Check for ca.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ register: ca_crt_stat
+ failed_when: false
+
+ - name: Migrate ca.crt to ca-bundle.crt
+ command: mv ca.crt ca-bundle.crt
+ args:
+ chdir: "{{ openshift.common.config_base }}/master"
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+ - name: Link ca.crt to ca-bundle.crt
+ file:
+ src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ state: link
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
- name: Set master update status to complete
hosts: oo_masters_to_config
tasks:
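Review bot: Both migration tasks evaluate `ca_crt_stat.stat.isreg`, but the `stat` module only returns `isreg` when the path exists, so on a master with no `ca.crt` the condition raises an undefined-attribute error instead of skipping (the `failed_when: false` on the stat task does not cover that). Guard it as `when: ca_crt_stat.stat.exists and ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists` in both the `mv` and the `link` tasks. Since `stat` does not fail on a missing path, the `failed_when: false` on the two stat tasks is redundant. The task list containing this hunk starts before it.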
@@ -53,6 +132,52 @@
when: master_update_failed | length > 0
###############################################################################
+# Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
+###############################################################################
+
+- name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
+ hosts: oo_masters_to_config
+ roles:
+ - { role: openshift_cli }
+ vars:
+ origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
+ ent_reconcile_bindings: true
+ openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+ # Similar to pre.yml, we don't want to upgrade docker during the openshift_cli role,
+ # it will be updated when we perform node upgrade.
+ docker_protect_installed_version: True
+ tasks:
+ - name: Verifying the correct commandline tools are available
+ shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
+ when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
+
+ - name: Reconcile Cluster Roles
+ command: >
+ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ policy reconcile-cluster-roles --additive-only=true --confirm
+ run_once: true
+
+ - name: Reconcile Cluster Role Bindings
+ command: >
+ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ policy reconcile-cluster-role-bindings
+ --exclude-groups=system:authenticated
+ --exclude-groups=system:authenticated:oauth
+ --exclude-groups=system:unauthenticated
+ --exclude-users=system:anonymous
+ --additive-only=true --confirm
+ when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
+ run_once: true
+
+ - name: Reconcile Security Context Constraints
+ command: >
+ {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
+ run_once: true
+
+ - set_fact:
+ reconcile_complete: True
+
+###############################################################################
# Upgrade Nodes
###############################################################################
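Review bot: The "Reconcile Security Context Constraints" command omits the `--config={{ openshift.common.config_base }}/master/admin.kubeconfig` argument that the two preceding reconcile commands pass, so it relies on whatever kubeconfig the admin binary resolves by default on that master; passing the same explicit `--config` keeps the three calls consistent and ensures the SCC reconcile runs against the intended cluster context. This block is moved up from later in the file rather than newly written, so the inconsistency is pre-existing, but the move is a good moment to fix it. On style, `docker_protect_installed_version: True` and `reconcile_complete: True` would be better as lowercase `true`, matching `ent_reconcile_bindings: true` a few lines above.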
@@ -64,11 +189,24 @@
roles:
- openshift_facts
handlers:
- - include: ../../../../../roles/openshift_node/handlers/main.yml
+ - include: ../../../../roles/openshift_node/handlers/main.yml
+ static: yes
tasks:
# TODO: To better handle re-trying failed upgrades, it would be nice to check if the node
# or docker actually needs an upgrade before proceeding. Perhaps best to save this until
# we merge upgrade functionality into the base roles and a normal config.yml playbook run.
+ - name: Determine if node is currently scheduleable
+ command: >
+ {{ openshift.common.client_binary }} get node {{ openshift.common.hostname | lower }} -o json
+ register: node_output
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ changed_when: false
+ when: inventory_hostname in groups.oo_nodes_to_config
+
+ - set_fact:
+ was_schedulable: "{{ 'unschedulable' not in (node_output.stdout | from_json).spec }}"
+ when: inventory_hostname in groups.oo_nodes_to_config
+
- name: Mark unschedulable if host is a node
command: >
{{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=false
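Review bot: The `was_schedulable` fact only tests for the presence of the `unschedulable` key in the node spec, so a node whose spec carries an explicit `unschedulable: false` would be recorded as not schedulable and never re-enabled by the later "Set node schedulability" task. Evaluating the value is more robust: `was_schedulable: "{{ not ((node_output.stdout | from_json).spec.unschedulable | default(false) | bool) }}"`. The task name also has a typo, "scheduleable" → "schedulable". The enclosing node-upgrade play starts outside this hunk.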
@@ -81,13 +219,10 @@
delegate_to: "{{ groups.oo_first_master.0 }}"
when: inventory_hostname in groups.oo_nodes_to_config
- # Only check if docker upgrade is required if docker_upgrade is not
- # already set to False.
- - include: ../docker/upgrade_check.yml
- when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool
-
- - include: ../docker/upgrade.yml
+ - include: docker/upgrade.yml
when: l_docker_upgrade is defined and l_docker_upgrade | bool and not openshift.common.is_atomic | bool
+ - include: "{{ node_config_hook }}"
+ when: node_config_hook is defined and inventory_hostname in groups.oo_nodes_to_config
- include: rpm_upgrade.yml
vars:
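Review bot: With the include of `../docker/upgrade_check.yml` removed, nothing in this hunk sets `l_docker_upgrade`, yet the `docker/upgrade.yml` include still gates on `l_docker_upgrade is defined and l_docker_upgrade | bool`; if that check now runs in an earlier playbook not visible here (pre.yml, presumably), the docker upgrade works, and if it does not, the docker upgrade silently never runs. A one-line comment above the include, such as `# l_docker_upgrade is computed by the docker upgrade_check include run earlier in the upgrade`, would make the dependency explicit for the next reader. The new `node_config_hook` include mirrors the `master_config_hook` pattern used earlier in the file. The enclosing play starts and ends outside this hunk.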
@@ -98,55 +233,14 @@
- include: containerized_node_upgrade.yml
when: inventory_hostname in groups.oo_nodes_to_config and openshift.common.is_containerized | bool
+ - meta: flush_handlers
+
- name: Set node schedulability
command: >
{{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=true
delegate_to: "{{ groups.oo_first_master.0 }}"
- when: inventory_hostname in groups.oo_nodes_to_config and openshift.node.schedulable | bool
-
+ when: inventory_hostname in groups.oo_nodes_to_config and was_schedulable | bool
-###############################################################################
-# Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
-###############################################################################
-
-- name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
- hosts: oo_masters_to_config
- roles:
- - { role: openshift_cli }
- vars:
- origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
- ent_reconcile_bindings: true
- openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
- tasks:
- - name: Verifying the correct commandline tools are available
- shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
- when: openshift.common.is_containerized | bool and verify_upgrade_version is defined
-
- - name: Reconcile Cluster Roles
- command: >
- {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-roles --additive-only=true --confirm
- run_once: true
-
- - name: Reconcile Cluster Role Bindings
- command: >
- {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
- policy reconcile-cluster-role-bindings
- --exclude-groups=system:authenticated
- --exclude-groups=system:authenticated:oauth
- --exclude-groups=system:unauthenticated
- --exclude-users=system:anonymous
- --additive-only=true --confirm
- when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
- run_once: true
-
- - name: Reconcile Security Context Constraints
- command: >
- {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
- run_once: true
-
- - set_fact:
- reconcile_complete: True
##############################################################################
# Gate on reconcile
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2 b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2
deleted file mode 120000
index cf20e8959..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/atomic-openshift-master.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker
deleted file mode 120000
index 5a3dd12b3..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/docker \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster
deleted file mode 120000
index 3ee319365..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/docker-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins
deleted file mode 120000
index 27ddaa18b..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/filter_plugins
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../filter_plugins \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library
deleted file mode 120000
index 53bed9684..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/library
+++ /dev/null
@@ -1 +0,0 @@
-../library \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins
deleted file mode 120000
index cf407f69b..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/lookup_plugins
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../lookup_plugins \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster
deleted file mode 120000
index f44f8eb4f..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_master/templates/native-cluster \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service
deleted file mode 120000
index b384a3f4d..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.dep.service
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openshift.docker.node.dep.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service
deleted file mode 120000
index a2f140144..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openshift.docker.node.service
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openshift.docker.node.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service
deleted file mode 120000
index 61946ff91..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.docker.service
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openvswitch.docker.service \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2 b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2
deleted file mode 120000
index 3adc56e4e..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/openvswitch.sysconfig.j2
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles/openshift_node/templates/openvswitch.sysconfig.j2 \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles
deleted file mode 120000
index 6bc1a7aef..000000000
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/roles
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../roles \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
new file mode 100644
index 000000000..684eea343
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml
@@ -0,0 +1,50 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.acceptContentTypes'
+ yaml_value: 'application/vnd.kubernetes.protobuf,application/json'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.contentType'
+ yaml_value: 'application/vnd.kubernetes.protobuf'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.burst'
+ yaml_value: 400
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.externalKubernetesClientConnectionOverrides.qps'
+ yaml_value: 200
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.acceptContentTypes'
+ yaml_value: 'application/vnd.kubernetes.protobuf,application/json'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.contentType'
+ yaml_value: 'application/vnd.kubernetes.protobuf'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.burst'
+ yaml_value: 600
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'masterClients.openshiftLoopbackClientConnectionOverrides.qps'
+ yaml_value: 300
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.servicesServingCert.signer.certFile'
+ yaml_value: service-signer.crt
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile'
+ yaml_value: service-signer.key
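Review bot: The new file has no header comment saying what it is, and since it is only reached indirectly via `master_config_hook`, a reader landing here has no context; a short comment under `---` such as `# master-config.yaml changes for the 3.3 upgrade: protobuf client content types/limits and the service-serving-cert signer` (the signer cert/key are created earlier in the upgrade when missing) would help. All ten tasks write `{{ openshift.common.config_base}}` with no space before `}}`; it renders, but `{{ openshift.common.config_base }}` matches the rest of the playbooks. Both remarks also apply to the new `node_config_upgrade.yml`, which additionally ends with a stray blank line. `servicesServingCert.signer.certFile` / `keyFile` are given as bare relative names; presumably these resolve relative to the master config directory, where the earlier stat looks for `service-signer.crt`, but that is worth confirming rather than assuming.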
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml
new file mode 100644
index 000000000..8f64636ae
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_3/node_config_upgrade.yml
@@ -0,0 +1,21 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.acceptContentTypes'
+ yaml_value: 'application/vnd.kubernetes.protobuf,application/json'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.contentType'
+ yaml_value: 'application/vnd.kubernetes.protobuf'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.burst'
+ yaml_value: 40
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/node/node-config.yaml"
+ yaml_key: 'masterClientConnectionOverrides.qps'
+ yaml_value: 20
+
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 1d818eea0..7f60cd9e4 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -48,6 +48,12 @@
- set_fact:
openshift_hosted_metrics_resolution: "{{ lookup('oo_option', 'openshift_hosted_metrics_resolution') | default('10s', true) }}"
when: openshift_hosted_metrics_resolution is not defined
+ - set_fact:
+ openshift_hosted_metrics_deployer_prefix: "{{ lookup('oo_option', 'openshift_hosted_metrics_deployer_prefix') | default('openshift') }}"
+ when: openshift_hosted_metrics_deployer_prefix is not defined
+ - set_fact:
+ openshift_hosted_metrics_deployer_version: "{{ lookup('oo_option', 'openshift_hosted_metrics_deployer_version') | default('latest') }}"
+ when: openshift_hosted_metrics_deployer_prefix is not defined
roles:
- openshift_facts
post_tasks:
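Review bot: The second new `set_fact`, for `openshift_hosted_metrics_deployer_version`, is guarded by `when: openshift_hosted_metrics_deployer_prefix is not defined` — a copy of the previous task's condition — so a user who sets only the prefix in inventory never gets the version fact, and one who sets only the version has it overwritten with `latest`. It should read `when: openshift_hosted_metrics_deployer_version is not defined`. Also, the existing `openshift_hosted_metrics_resolution` line uses `default('10s', true)` so an empty oo_option falls through to the default, whereas the two new lines use `default('openshift')` / `default('latest')` without the second argument; `default(..., true)` would keep them consistent. The enclosing play starts outside this hunk.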
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index c56353430..66eb293e5 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -43,7 +43,7 @@
ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
ansible_become: "{{ g_sudo | default(omit) }}"
with_items: "{{ groups.oo_nodes_to_config | default([]) }}"
- when: hostvars[item].openshift.common.is_containerized | bool and (item in groups.oo_nodes_to_config and item in groups.oo_masters_to_config)
+ when: hostvars[item].openshift.common is defined and hostvars[item].openshift.common.is_containerized | bool and (item in groups.oo_nodes_to_config and item in groups.oo_masters_to_config)
- name: Configure node instances
hosts: oo_containerized_master_nodes
@@ -156,10 +156,7 @@
- name: Set schedulability
hosts: oo_first_master
vars:
- openshift_nodes: "{{ hostvars
- | oo_select_keys(groups['oo_nodes_to_config'])
- | oo_collect('openshift.common.hostname') }}"
- openshift_node_vars: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']) }}"
+ openshift_nodes: "{{ groups.oo_nodes_to_config | default([]) }}"
pre_tasks:
# Necessary because when you're on a node that's also a master the master will be
# restarted after the node restarts docker and it will take up to 60 seconds for
diff --git a/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_network.yml b/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_network.yml
index 3117d9edc..b42ca83af 100644
--- a/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_network.yml
+++ b/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_network.yml
@@ -1,27 +1,11 @@
---
-- name: Test if libvirt network for openshift already exists
- command: "virsh -c {{ libvirt_uri }} net-info {{ libvirt_network }}"
- register: net_info_result
- changed_when: False
- failed_when: "net_info_result.rc != 0 and 'no network with matching name' not in net_info_result.stderr"
-
-- name: Create a temp directory for the template xml file
- command: "mktemp -d /tmp/openshift-ansible-XXXXXXX"
- register: mktemp
- when: net_info_result.rc == 1
-
-- name: Create network xml file
- template:
- src: templates/network.xml
- dest: "{{ mktemp.stdout }}/network.xml"
- when: net_info_result.rc == 1
-
-- name: Create libvirt network for openshift
- command: "virsh -c {{ libvirt_uri }} net-create {{ mktemp.stdout }}/network.xml"
- when: net_info_result.rc == 1
-
-- name: Remove the temp directory
- file:
- path: "{{ mktemp.stdout }}"
- state: absent
- when: net_info_result.rc == 1
+- name: Create the libvirt network for OpenShift
+ virt_net:
+ name: '{{ libvirt_network }}'
+ state: '{{ item }}'
+ autostart: 'yes'
+ xml: "{{ lookup('template', 'network.xml') }}"
+ uri: '{{ libvirt_uri }}'
+ with_items:
+ - present
+ - active
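Review bot: `autostart: 'yes'` is a quoted string standing in for a boolean; Ansible coerces it, but `autostart: true` states the intent and passes yamllint's truthy rule. The same applies to `autostart: 'yes'` in the storage-pool hunk of `configure_libvirt_storage_pool.yml`, whose `with_items` entries `default: no` / `default: yes` are bare YAML 1.1 booleans that read more clearly as `false` / `true`. The template reference moved from `templates/network.xml` to `lookup('template', 'network.xml')`; the lookup presumably resolves through the playbook's templates search path, but it is worth a run from the including playbook to confirm the file is found.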
diff --git a/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml b/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml
index 397158b9e..8685624ec 100644
--- a/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml
+++ b/playbooks/libvirt/openshift-cluster/tasks/configure_libvirt_storage_pool.yml
@@ -6,22 +6,25 @@
# We need to set permissions on the directory and any items created under the directory, so we need to call the acl module with and without default set.
- acl:
- default: "{{ item }}"
+ default: '{{ item.default }}'
entity: kvm
etype: group
name: "{{ libvirt_storage_pool_path }}"
- permissions: rwx
+ permissions: '{{ item.permissions }}'
state: present
with_items:
- - no
- - yes
+ - default: no
+ permissions: x
+ - default: yes
+ permissions: rwx
-- name: Test if libvirt storage pool for openshift already exists
- command: "virsh -c {{ libvirt_uri }} pool-info {{ libvirt_storage_pool }}"
- register: pool_info_result
- changed_when: False
- failed_when: "pool_info_result.rc != 0 and 'no storage pool with matching name' not in pool_info_result.stderr"
-
-- name: Create the libvirt storage pool for openshift
- command: 'virsh -c {{ libvirt_uri }} pool-create-as {{ libvirt_storage_pool }} dir --target {{ libvirt_storage_pool_path }}'
- when: pool_info_result.rc == 1
+- name: Create the libvirt storage pool for OpenShift
+ virt_pool:
+ name: '{{ libvirt_storage_pool }}'
+ state: '{{ item }}'
+ autostart: 'yes'
+ xml: "{{ lookup('template', 'storage-pool.xml') }}"
+ uri: '{{ libvirt_uri }}'
+ with_items:
+ - present
+ - active
diff --git a/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml b/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml
index cc34d0ef9..e0afc43ba 100644
--- a/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml
+++ b/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml
@@ -134,4 +134,4 @@
delay: 1
with_together:
- '{{ instances }}'
- - '{{ ips }}' \ No newline at end of file
+ - '{{ ips }}'
diff --git a/playbooks/libvirt/openshift-cluster/templates/network.xml b/playbooks/libvirt/openshift-cluster/templates/network.xml
index 050bc7ab9..0ce2a8342 100644
--- a/playbooks/libvirt/openshift-cluster/templates/network.xml
+++ b/playbooks/libvirt/openshift-cluster/templates/network.xml
@@ -1,5 +1,5 @@
<network>
- <name>openshift-ansible</name>
+ <name>{{ libvirt_network }}</name>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
diff --git a/playbooks/libvirt/openshift-cluster/templates/storage-pool.xml b/playbooks/libvirt/openshift-cluster/templates/storage-pool.xml
new file mode 100644
index 000000000..da139afd0
--- /dev/null
+++ b/playbooks/libvirt/openshift-cluster/templates/storage-pool.xml
@@ -0,0 +1,6 @@
+<pool type='dir'>
+ <name>{{ libvirt_storage_pool }}</name>
+ <target>
+ <path>{{ libvirt_storage_pool_path }}</path>
+ </target>
+</pool>
diff --git a/playbooks/openstack/openshift-cluster/cluster_hosts.yml b/playbooks/openstack/openshift-cluster/cluster_hosts.yml
index 119b376aa..12c436eaf 100644
--- a/playbooks/openstack/openshift-cluster/cluster_hosts.yml
+++ b/playbooks/openstack/openshift-cluster/cluster_hosts.yml
@@ -1,21 +1,21 @@
---
-g_all_hosts: "{{ groups['tag_clusterid_' ~ cluster_id] | default([])
- | intersect(groups['tag_environment_' ~ cluster_env] | default([])) }}"
+g_all_hosts: "{{ groups['meta-clusterid_' ~ cluster_id] | default([])
+ | intersect(groups['meta-environment_' ~ cluster_env] | default([])) }}"
-g_etcd_hosts: "{{ g_all_hosts | intersect(groups['tag_host-type_etcd'] | default([])) }}"
+g_etcd_hosts: "{{ g_all_hosts | intersect(groups['meta-host-type_etcd'] | default([])) }}"
-g_lb_hosts: "{{ g_all_hosts | intersect(groups['tag_host-type_lb'] | default([])) }}"
+g_lb_hosts: "{{ g_all_hosts | intersect(groups['meta-host-type_lb'] | default([])) }}"
-g_nfs_hosts: "{{ g_all_hosts | intersect(groups['tag_host-type_nfs'] | default([])) }}"
+g_nfs_hosts: "{{ g_all_hosts | intersect(groups['meta-host-type_nfs'] | default([])) }}"
-g_master_hosts: "{{ g_all_hosts | intersect(groups['tag_host-type_master'] | default([])) }}"
+g_master_hosts: "{{ g_all_hosts | intersect(groups['meta-host-type_master'] | default([])) }}"
-g_new_master_hosts: "{{ g_all_hosts | intersect(groups['tag_host-type_new_master'] | default([])) }}"
+g_new_master_hosts: "{{ g_all_hosts | intersect(groups['meta-host-type_new_master'] | default([])) }}"
-g_node_hosts: "{{ g_all_hosts | intersect(groups['tag_host-type_node'] | default([])) }}"
+g_node_hosts: "{{ g_all_hosts | intersect(groups['meta-host-type_node'] | default([])) }}"
-g_new_node_hosts: "{{ g_all_hosts | intersect(groups['tag_host-type_new_node'] | default([])) }}"
+g_new_node_hosts: "{{ g_all_hosts | intersect(groups['meta-host-type_new_node'] | default([])) }}"
-g_infra_hosts: "{{ g_node_hosts | intersect(groups['tag_sub-host-type_infra'] | default([])) }}"
+g_infra_hosts: "{{ g_node_hosts | intersect(groups['meta-sub-host-type_infra'] | default([])) }}"
-g_compute_hosts: "{{ g_node_hosts | intersect(groups['tag_sub-host-type_compute'] | default([])) }}"
+g_compute_hosts: "{{ g_node_hosts | intersect(groups['meta-sub-host-type_compute'] | default([])) }}"
diff --git a/playbooks/openstack/openshift-cluster/dns.yml b/playbooks/openstack/openshift-cluster/dns.yml
index 446a1846f..285f8fa78 100644
--- a/playbooks/openstack/openshift-cluster/dns.yml
+++ b/playbooks/openstack/openshift-cluster/dns.yml
@@ -21,7 +21,7 @@
groups: oo_hosts_to_add_in_dns
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- with_items: "{{ groups['tag_clusterid_' ~ cluster_id] }}"
+ with_items: "{{ groups['meta-clusterid_' ~ cluster_id] }}"
- name: Gather facts
hosts: oo_hosts_to_add_in_dns
diff --git a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
index 2d0098784..458cf5ac7 100644
--- a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
+++ b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
@@ -42,6 +42,12 @@ parameters:
description: Source of legitimate ssh connections
default: 0.0.0.0/0
+ node_port_incoming:
+ type: string
+ label: Source of node port connections
+ description: Authorized sources targetting node ports
+ default: 0.0.0.0/0
+
num_etcd:
type: number
label: Number of etcd nodes
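Review bot: `node_port_incoming` defaults to `0.0.0.0/0`, and the rule added in the next hunk (`@@ -393,6 +399,11 @@`) then opens TCP 30000–32767 on the node security group to that source, so a cluster launched with default settings exposes every NodePort service to any address; that mirrors `ssh_incoming`, but the exposure is broader because it covers every future service rather than one daemon. Consider a more restrictive default, or at minimum state the exposure in the parameter description and at the matching `openstack_node_port_access_from` / `node_port_from` option added in `vars.yml`, so operators set it deliberately. The description also has a typo: `targetting` → `targeting`.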
@@ -393,6 +399,11 @@ resources:
port_range_min: 4789
port_range_max: 4789
remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ remote_ip_prefix: { get_param: node_port_incoming }
infra-secgrp:
type: OS::Neutron::SecurityGroup
diff --git a/playbooks/openstack/openshift-cluster/launch.yml b/playbooks/openstack/openshift-cluster/launch.yml
index b9aae2f4c..127e3e2e6 100644
--- a/playbooks/openstack/openshift-cluster/launch.yml
+++ b/playbooks/openstack/openshift-cluster/launch.yml
@@ -33,6 +33,7 @@
-P external_net={{ openstack_network_external_net }}
-P ssh_public_key="{{ openstack_ssh_public_key }}"
-P ssh_incoming={{ openstack_ssh_access_from }}
+ -P node_port_incoming={{ openstack_node_port_access_from }}
-P num_etcd={{ num_etcd }}
-P num_masters={{ num_masters }}
-P num_nodes={{ num_nodes }}
@@ -48,6 +49,8 @@
-P infra_flavor={{ openstack_flavor["infra"] }}
-P dns_flavor={{ openstack_flavor["dns"] }}
openshift-ansible-{{ cluster_id }}-stack'
+ args:
+ chdir: '{{ playbook_dir }}'
- name: Wait for OpenStack Stack readiness
shell: 'heat stack-show openshift-ansible-{{ cluster_id }}-stack | awk ''$2 == "stack_status" {print $4}'''
@@ -103,13 +106,13 @@
ansible_ssh_host: '{{ item[2] }}'
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- groups: 'tag_environment_{{ cluster_env }}, tag_host-type_etcd, tag_sub-host-type_default, tag_clusterid_{{ cluster_id }}'
+ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_etcd, meta-sub-host-type_default, meta-clusterid_{{ cluster_id }}'
openshift_node_labels:
type: "etcd"
with_together:
- - parsed_outputs.etcd_names
- - parsed_outputs.etcd_ips
- - parsed_outputs.etcd_floating_ips
+ - '{{ parsed_outputs.etcd_names }}'
+ - '{{ parsed_outputs.etcd_ips }}'
+ - '{{ parsed_outputs.etcd_floating_ips }}'
- name: Add new master instances groups and variables
add_host:
@@ -117,13 +120,13 @@
ansible_ssh_host: '{{ item[2] }}'
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- groups: 'tag_environment_{{ cluster_env }}, tag_host-type_master, tag_sub-host-type_default, tag_clusterid_{{ cluster_id }}'
+ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_master, meta-sub-host-type_default, meta-clusterid_{{ cluster_id }}'
openshift_node_labels:
type: "master"
with_together:
- - parsed_outputs.master_names
- - parsed_outputs.master_ips
- - parsed_outputs.master_floating_ips
+ - '{{ parsed_outputs.master_names }}'
+ - '{{ parsed_outputs.master_ips }}'
+ - '{{ parsed_outputs.master_floating_ips }}'
- name: Add new node instances groups and variables
add_host:
@@ -131,13 +134,13 @@
ansible_ssh_host: '{{ item[2] }}'
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- groups: 'tag_environment_{{ cluster_env }}, tag_host-type_node, tag_sub-host-type_compute, tag_clusterid_{{ cluster_id }}'
+ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_node, meta-sub-host-type_compute, meta-clusterid_{{ cluster_id }}'
openshift_node_labels:
type: "compute"
with_together:
- - parsed_outputs.node_names
- - parsed_outputs.node_ips
- - parsed_outputs.node_floating_ips
+ - '{{ parsed_outputs.node_names }}'
+ - '{{ parsed_outputs.node_ips }}'
+ - '{{ parsed_outputs.node_floating_ips }}'
- name: Add new infra instances groups and variables
add_host:
@@ -145,13 +148,13 @@
ansible_ssh_host: '{{ item[2] }}'
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- groups: 'tag_environment_{{ cluster_env }}, tag_host-type_node, tag_sub-host-type_infra, tag_clusterid_{{ cluster_id }}'
+ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_node, meta-sub-host-type_infra, meta-clusterid_{{ cluster_id }}'
openshift_node_labels:
type: "infra"
with_together:
- - parsed_outputs.infra_names
- - parsed_outputs.infra_ips
- - parsed_outputs.infra_floating_ips
+ - '{{ parsed_outputs.infra_names }}'
+ - '{{ parsed_outputs.infra_ips }}'
+ - '{{ parsed_outputs.infra_floating_ips }}'
- name: Add DNS groups and variables
add_host:
@@ -166,10 +169,10 @@
host: '{{ item }}'
port: 22
with_flattened:
- - parsed_outputs.master_floating_ips
- - parsed_outputs.node_floating_ips
- - parsed_outputs.infra_floating_ips
- - parsed_outputs.dns_floating_ip
+ - '{{ parsed_outputs.master_floating_ips }}'
+ - '{{ parsed_outputs.node_floating_ips }}'
+ - '{{ parsed_outputs.infra_floating_ips }}'
+ - '{{ parsed_outputs.dns_floating_ip }}'
- name: Wait for user setup
command: 'ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null {{ deployment_vars[deployment_type].ssh_user }}@{{ item }} echo {{ deployment_vars[deployment_type].ssh_user }} user is setup'
@@ -178,10 +181,10 @@
retries: 30
delay: 1
with_flattened:
- - parsed_outputs.master_floating_ips
- - parsed_outputs.node_floating_ips
- - parsed_outputs.infra_floating_ips
- - parsed_outputs.dns_floating_ip
+ - '{{ parsed_outputs.master_floating_ips }}'
+ - '{{ parsed_outputs.node_floating_ips }}'
+ - '{{ parsed_outputs.infra_floating_ips }}'
+ - '{{ parsed_outputs.dns_floating_ip }}'
- include: update.yml
diff --git a/playbooks/openstack/openshift-cluster/list.yml b/playbooks/openstack/openshift-cluster/list.yml
index ba9c6bf9c..de68f5207 100644
--- a/playbooks/openstack/openshift-cluster/list.yml
+++ b/playbooks/openstack/openshift-cluster/list.yml
@@ -7,7 +7,7 @@
vars_files:
- vars.yml
tasks:
- - set_fact: scratch_group=tag_clusterid_{{ cluster_id }}
+ - set_fact: scratch_group=meta-clusterid_{{ cluster_id }}
when: cluster_id != ''
- set_fact: scratch_group=all
when: cluster_id == ''
@@ -17,7 +17,7 @@
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_ssh_host: "{{ hostvars[item].ansible_ssh_host | default(item) }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- with_items: groups[scratch_group] | default([]) | difference(['localhost'])
+ with_items: "{{ groups[scratch_group] | default([]) | difference(['localhost']) }}"
- name: List Hosts
hosts: oo_list_hosts
@@ -31,4 +31,4 @@
- vars.yml
tasks:
- debug:
- msg: "{{ hostvars | oo_select_keys(groups[scratch_group] | default([])) | oo_pretty_print_cluster }}"
+ msg: "{{ hostvars | oo_select_keys(groups[scratch_group] | default([])) | oo_pretty_print_cluster('meta-') }}"
diff --git a/playbooks/openstack/openshift-cluster/terminate.yml b/playbooks/openstack/openshift-cluster/terminate.yml
index 5bd8476f1..4527f4a28 100644
--- a/playbooks/openstack/openshift-cluster/terminate.yml
+++ b/playbooks/openstack/openshift-cluster/terminate.yml
@@ -11,7 +11,7 @@
groups: oo_hosts_to_terminate
ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}"
ansible_become: "{{ deployment_vars[deployment_type].become }}"
- with_items: (groups['tag_environment_' ~ cluster_env]|default([])) | intersect(groups['tag_clusterid_' ~ cluster_id ]|default([]))
+ with_items: "{{ (groups['meta-environment_' ~ cluster_env]|default([])) | intersect(groups['meta-clusterid_' ~ cluster_id ]|default([])) }}"
- name: Unsubscribe VMs
hosts: oo_hosts_to_terminate
diff --git a/playbooks/openstack/openshift-cluster/vars.yml b/playbooks/openstack/openshift-cluster/vars.yml
index bc53a51b0..17063ef34 100644
--- a/playbooks/openstack/openshift-cluster/vars.yml
+++ b/playbooks/openstack/openshift-cluster/vars.yml
@@ -12,6 +12,8 @@ openstack_ssh_public_key: "{{ lookup('file', lookup('oo_option', 'public_k
default('~/.ssh/id_rsa.pub', True)) }}"
openstack_ssh_access_from: "{{ lookup('oo_option', 'ssh_from') |
default('0.0.0.0/0', True) }}"
+openstack_node_port_access_from: "{{ lookup('oo_option', 'node_port_from') |
+ default('0.0.0.0/0', True) }}"
openstack_flavor:
dns: "{{ lookup('oo_option', 'dns_flavor' ) | default('m1.small', True) }}"
etcd: "{{ lookup('oo_option', 'etcd_flavor' ) | default('m1.small', True) }}"