Diffstat (limited to 'roles/openshift_hosted')
-rw-r--r-- | roles/openshift_hosted/README.md | 1 | ||||
-rw-r--r-- | roles/openshift_hosted/defaults/main.yml | 10 | ||||
-rw-r--r-- | roles/openshift_hosted/filter_plugins/filters.py | 13 | ||||
-rw-r--r-- | roles/openshift_hosted/meta/main.yml | 18 | ||||
-rw-r--r-- | roles/openshift_hosted/tasks/main.yml | 7 | ||||
-rw-r--r-- | roles/openshift_hosted/tasks/registry/registry.yml | 16 | ||||
-rw-r--r-- | roles/openshift_hosted/tasks/registry/secure.yml | 4 | ||||
-rw-r--r-- | roles/openshift_hosted/tasks/router/router.yml | 50 | ||||
-rw-r--r-- | roles/openshift_hosted/templates/registry_config.j2 | 2 | ||||
-rw-r--r-- | roles/openshift_hosted/vars/main.yml | 10 |
10 files changed, 102 insertions, 29 deletions
diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md
index 328f800bf..6d576df71 100644
--- a/roles/openshift_hosted/README.md
+++ b/roles/openshift_hosted/README.md
@@ -26,6 +26,7 @@ From this role:
 | openshift_hosted_registry_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift registry on. |
 | openshift_hosted_registry_replicas | Number of nodes matching selector | The number of replicas to configure. |
 | openshift_hosted_registry_selector | region=infra | Node selector used when creating registry. The OpenShift registry will only be deployed to nodes matching this selector. |
+| openshift_hosted_registry_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. |
 Dependencies
 ------------
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml
index 0a6299c9b..596b36239 100644
--- a/roles/openshift_hosted/defaults/main.yml
+++ b/roles/openshift_hosted/defaults/main.yml
@@ -14,17 +14,19 @@ openshift_hosted_router_edits:
 openshift_hosted_routers:
 - name: router
- replicas: "{{ replicas }}"
+ replicas: "{{ replicas | default(1) }}"
 namespace: default
 serviceaccount: router
- selector: "{{ openshift_hosted_router_selector }}"
- images: "{{ openshift_hosted_router_image }}"
+ selector: "{{ openshift_hosted_router_selector | default(None) }}"
+ images: "{{ openshift_hosted_router_image | default(None) }}"
 edits: "{{ openshift_hosted_router_edits }}"
 stats_port: 1936
 ports:
 - 80:80
 - 443:443
- certificates: "{{ openshift_hosted_router_certificate | default({}) }}"
+ certificates: "{{ openshift_hosted_router_certificates | default({}) }}"
 openshift_hosted_router_certificates: {}
+openshift_hosted_registry_cert_expire_days: 730
+openshift_hosted_router_create_certificate: False
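Review bot: The new default `openshift_hosted_router_create_certificate: False` is a user-facing switch (tasks/router/router.yml in this commit generates a cluster-CA-signed wildcard router certificate when it is true), but the README hunk documents only `openshift_hosted_registry_cert_expire_days`. Add a row to the README variable table, e.g. `| openshift_hosted_router_create_certificate | False | Generate a wildcard router certificate signed by the cluster CA instead of using the certificates supplied in openshift_hosted_router_certificates. |`. The same hunk also changes the referenced variable from `openshift_hosted_router_certificate` to `openshift_hosted_router_certificates`, so an inventory still setting the singular name now silently falls back to `{}`; that rename deserves a README note or a deprecation check as well.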
diff --git a/roles/openshift_hosted/filter_plugins/filters.py b/roles/openshift_hosted/filter_plugins/filters.py
index cbfadfe9d..7f41529ac 100644
--- a/roles/openshift_hosted/filter_plugins/filters.py
+++ b/roles/openshift_hosted/filter_plugins/filters.py
@@ -21,14 +21,21 @@ class FilterModule(object):
 if replicas is not None:
 return replicas
+ replicas = 1
+
+ # Ignore boolean expression limit of 5.
+ # pylint: disable=too-many-boolean-expressions
 if (isinstance(router_nodes, dict) and
 'results' in router_nodes and
 'results' in router_nodes['results'] and
- 'items' in router_nodes['results']['results']):
+ isinstance(router_nodes['results']['results'], list) and
+ len(router_nodes['results']['results']) > 0 and
+ 'items' in router_nodes['results']['results'][0]):
- return len(router_nodes['results']['results'][0]['items'])
+ if len(router_nodes['results']['results'][0]['items']) > 0:
+ replicas = len(router_nodes['results']['results'][0]['items'])
- return 1
+ return replicas
 def filters(self):
 ''' returns a mapping of filters to methods '''
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index e9b590550..9626c23c1 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
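Review bot: The tightened guard still does not check the type of `router_nodes['results']['results'][0]` or of its `items` value, so a string element turns `'items' in ...` into a substring test and a non-sequence `items` makes the `len()` call raise TypeError inside the filter instead of falling back to `replicas = 1`. Replace the last condition with `isinstance(router_nodes['results']['results'][0], dict) and isinstance(router_nodes['results']['results'][0].get('items'), list)`. With `replicas = 1` now set up front, the `if len(...) > 0:` around the assignment can be collapsed to `replicas = len(router_nodes['results']['results'][0]['items']) or 1`, and the `len(...) > 0` tests read better as plain truthiness. The enclosing method's signature is outside this hunk.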
@@ -15,21 +15,3 @@ dependencies:
 - role: openshift_cli
 - role: openshift_hosted_facts
 - role: lib_openshift
-- role: openshift_projects
- openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
-- role: openshift_serviceaccounts
- openshift_serviceaccounts_names:
- - router
- - registry
- openshift_serviceaccounts_namespace: default
- openshift_serviceaccounts_sccs:
- - hostnetwork
- when: openshift.common.version_gte_3_2_or_1_2
-- role: openshift_serviceaccounts
- openshift_serviceaccounts_names:
- - router
- - registry
- openshift_serviceaccounts_namespace: default
- openshift_serviceaccounts_sccs:
- - privileged
- when: not openshift.common.version_gte_3_2_or_1_2
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
index fe254f72d..6efe2f63c 100644
--- a/roles/openshift_hosted/tasks/main.yml
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -1,4 +1,11 @@
 ---
+- name: Create projects
+ oc_project:
+ name: "{{ item.key }}"
+ node_selector:
+ - "{{ item.value.default_node_selector }}"
+ with_dict: "{{ openshift_projects }}"
+
 - include: router/router.yml
 when: openshift_hosted_manage_router | default(true) | bool
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index d89ce855a..0b8042473 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
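Review bot: The new Create projects task in tasks/main.yml reads `item.value.default_node_selector` for every entry of `openshift_projects`, but only the three built-in entries from vars/main.yml are guaranteed to carry that key; an `openshift_additional_projects` entry from the inventory without it makes the task fail on an undefined variable (the removed openshift_projects dependency received the same dict, and how it handled a missing key is not visible here). Either give the key a deliberate fallback, `- "{{ item.value.default_node_selector | default('') }}"`, or document it as mandatory in the README. An empty string is presumably intentional for the built-in projects (it differs from the key being absent), so the fallback value should be chosen consciously rather than copied.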
@@ -56,12 +56,24 @@
 openshift_hosted_registry_force:
 - False
+- name: Create the registry service account
+ oc_serviceaccount:
+ name: "{{ openshift_hosted_registry_serviceaccount }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+
+- name: Grant the registry serivce account access to the appropriate scc
+ oc_adm_policy_user:
+ user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+ resource_kind: scc
+ resource_name: hostnetwork
+
 - name: oc adm policy add-cluster-role-to-user system:registry system:serviceaccount:default:registry
 oc_adm_policy_user:
- user: system:serviceaccount:default:registry
+ user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
 resource_kind: cluster-role
 resource_name: system:registry
- state: present
 - name: create the default registry service
 oc_service:
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index f9ea2ebeb..29c164f52 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
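Review bot: The new Grant task binds the registry service account to the `hostnetwork` SCC unconditionally, whereas the dependency removed from meta/main.yml in this commit granted `hostnetwork` only from 3.2/1.2 on and `privileged` before that, which suggests the SCC is not available on older releases; the version guard should come along, `when: openshift.common.version_gte_3_2_or_1_2`, or the commit should state that older releases are no longer supported. On current releases the grant should also be justified, since a registry pod that does not use host networking does not need an SCC that permits it; a one-line comment above the task recording why the registry needs `hostnetwork` would do. The task name misspells service as `serivce`; the router task added in tasks/router/router.yml has the same typo.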
@@ -53,10 +53,12 @@
 signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
 hostnames:
 - "{{ docker_registry_service_ip.results.clusterip }}"
- - docker-registry.default.svc.cluster.local
+ - "{{ openshift_hosted_registry_name }}.default.svc"
+ - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift.common.dns_domain }}"
 - "{{ docker_registry_route_hostname }}"
 cert: "{{ openshift_master_config_dir }}/registry.crt"
 key: "{{ openshift_master_config_dir }}/registry.key"
+ expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}"
 register: server_cert_out
 - name: Create the secret for the registry certificates
diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml
index 3b7021eae..c71d0a34f 100644
--- a/roles/openshift_hosted/tasks/router/router.yml
+++ b/roles/openshift_hosted/tasks/router/router.yml
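Review bot: The two new SAN entries hard-code the `default` namespace (`{{ openshift_hosted_registry_name }}.default.svc`), while tasks/registry/registry.yml in this same commit creates the service account and role bindings in `{{ openshift_hosted_registry_namespace }}`; a registry deployed to any other namespace gets a certificate that does not cover its in-cluster service name, and clients verifying TLS against it will reject it. Use the namespace variable in both entries: `- "{{ openshift_hosted_registry_name }}.{{ openshift_hosted_registry_namespace }}.svc"` and `- "{{ openshift_hosted_registry_name }}.{{ openshift_hosted_registry_namespace }}.svc.{{ openshift.common.dns_domain }}"`. The `expire_days` expression is sound, but a short comment above it saying the parameter is deliberately omitted before 3.5/1.5 (the README row added in this commit says it only works from that version) would spare the next reader the lookup.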
@@ -14,6 +14,31 @@
 openshift_hosted_router_selector: "{{ openshift.hosted.router.selector | default(None) }}"
 openshift_hosted_router_image: "{{ openshift.hosted.router.registryurl }}"
+# This is for when we desire a cluster signed cert
+# The certificate is generated and placed in master_config_dir/
+- block:
+ - name: generate a default wildcard router certificate
+ oc_adm_ca_server_cert:
+ signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
+ signer_key: "{{ openshift_master_config_dir }}/ca.key"
+ signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+ hostnames:
+ - "{{ openshift_master_default_subdomain }}"
+ - "*.{{ openshift_master_default_subdomain }}"
+ cert: "{{ ('/etc/origin/master/' ~ (item.certificates.certfile | basename)) if 'certfile' in item.certificates else ((openshift_master_config_dir) ~ '/openshift-router.crt') }}"
+ key: "{{ ('/etc/origin/master/' ~ (item.certificates.keyfile | basename)) if 'keyfile' in item.certificates else ((openshift_master_config_dir) ~ '/openshift-router.key') }}"
+ with_items: "{{ openshift_hosted_routers }}"
+
+ - name: set the openshift_hosted_router_certificates
+ set_fact:
+ openshift_hosted_router_certificates:
+ certfile: "{{ openshift_master_config_dir ~ '/openshift-router.crt' }}"
+ keyfile: "{{ openshift_master_config_dir ~ '/openshift-router.key' }}"
+ cafile: "{{ openshift_master_config_dir ~ '/ca.crt' }}"
+
+ # End Block
+ when: openshift_hosted_router_create_certificate
+
 - name: Get the certificate contents for router
 copy:
 backup: True
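Review bot: `cert:` and `key:` in the generate task build the output path from the literal `/etc/origin/master/` when the router entry supplies a `certfile`/`keyfile`, while the fallback on the same lines, the three signer paths, and the `set_fact` below all use `openshift_master_config_dir` (vars/main.yml defines it as `{{ openshift.common.config_base }}/master`); on a deployment with a non-default config_base the generated key material lands in one directory and the fact points to another. Use the variable throughout, e.g. `cert: "{{ (openshift_master_config_dir ~ '/' ~ (item.certificates.certfile | basename)) if 'certfile' in item.certificates else (openshift_master_config_dir ~ '/openshift-router.crt') }}"` and the same for `key`. Even then the `set_fact` always names `openshift-router.crt`/`.key`, so a router entry that supplied its own basenames still ends up with a fact that does not match the file just written; either drop the basename branch or set the fact per item. The comment `# The certificate is generated and placed in master_config_dir/` would then be accurate for every branch.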
@@ -21,6 +46,31 @@
 src: "{{ item }}"
 with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificates') | oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}"
+ when: not openshift_hosted_router_create_certificate
+
+- name: Create the router service account(s)
+ oc_serviceaccount:
+ name: "{{ item.serviceaccount }}"
+ namespace: "{{ item.namespace }}"
+ state: present
+ with_items: "{{ openshift_hosted_routers }}"
+
+- name: Grant the router serivce account(s) access to the appropriate scc
+ oc_adm_policy_user:
+ user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
+ namespace: "{{ item.namespace }}"
+ resource_kind: scc
+ resource_name: hostnetwork
+ with_items: "{{ openshift_hosted_routers }}"
+
+- name: Set additional permissions for router service account
+ oc_adm_policy_user:
+ user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
+ namespace: "{{ item.namespace }}"
+ resource_kind: cluster-role
+ resource_name: cluster-reader
+ when: item.namespace == 'default'
+ with_items: "{{ openshift_hosted_routers }}"
 - name: Create OpenShift router
 oc_adm_router:
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index f3336334a..ca6a23f21 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -71,7 +71,7 @@ middleware:
 - name: openshift
 options:
 pullthrough: {{ openshift_hosted_registry_pullthrough | default(true) }}
- acceptschema2: {{ openshift_hosted_registry_acceptschema2 | default(false) }}
+ acceptschema2: {{ openshift_hosted_registry_acceptschema2 | default(true) }}
 enforcequota: {{ openshift_hosted_registry_enforcequota | default(false) }}
 {% if openshift_hosted_registry_storage_provider | default('') == 's3' and openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined %}
 storage:
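Review bot: The Set additional permissions task binds the router service account to the cluster-wide `cluster-reader` role with no comment on why the router needs cluster-wide read access, and the `when: item.namespace == 'default'` condition means routers deployed in other namespaces receive `hostnetwork` but not this role; whether that asymmetry is intended cannot be recovered from the hunk. Add a why-comment above the task, e.g. `# cluster-reader: TODO(owner) record which router feature needs cluster-wide read access and why routers outside 'default' are excluded`, or cite the issue that introduced the requirement. The `state: present` on the Create the router service account(s) task is absent from the equivalent registry task in tasks/registry/registry.yml; pick one style for both files.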
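Review bot: The default for `acceptschema2` flips from `false` to `true` in the template, which changes the manifest formats a freshly deployed registry accepts for every inventory that does not set `openshift_hosted_registry_acceptschema2` explicitly, and neither the README hunk in this commit nor a template comment records the change. Add a line above it, `{# acceptschema2 defaults to true as of <this change>; set openshift_hosted_registry_acceptschema2: false to keep the previous behaviour #}`, and a README row for the variable if the table does not already carry one.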
diff --git a/roles/openshift_hosted/vars/main.yml b/roles/openshift_hosted/vars/main.yml
index 521578cd0..0821d0e7e 100644
--- a/roles/openshift_hosted/vars/main.yml
+++ b/roles/openshift_hosted/vars/main.yml
@@ -1,3 +1,13 @@
 ---
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
 registry_config_secret_name: registry-config
+
+openshift_default_projects:
+ default:
+ default_node_selector: ''
+ logging:
+ default_node_selector: ''
+ openshift-infra:
+ default_node_selector: ''
+
+openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts(openshift_default_projects) }}" |
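Review bot: `openshift_default_projects` sets `default_node_selector: ''` for the three built-in projects without saying why an explicit empty string, rather than no selector at all, is wanted, and `openshift_projects` merges the inventory's `openshift_additional_projects` with these defaults without stating which side `oo_merge_dicts` lets win when an inventory redefines `default` or `openshift-infra`. Both are decisions a later reader will want to verify, so add a comment on each: `# '' is deliberate: an explicit empty selector is meant to override any cluster-wide default node selector for these projects (confirm against the projectConfig docs)` and `# NOTE(review): confirm oo_merge_dicts precedence - can openshift_additional_projects override these defaults?`.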