Diffstat (limited to 'roles/openshift_hosted')
-rw-r--r--roles/openshift_hosted/meta/main.yml21
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml4
-rw-r--r--roles/openshift_hosted/tasks/registry/secure.yml67
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/object_storage.yml1
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml11
-rw-r--r--roles/openshift_hosted/tasks/router/router.yml4
-rw-r--r--roles/openshift_hosted/templates/registry_config.j285
7 files changed, 133 insertions, 60 deletions
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index 74c50ae1d..ca5e88b15 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -11,4 +11,23 @@ galaxy_info:
- 7
categories:
- cloud
-dependencies: []
+dependencies:
+- role: openshift_cli
+- role: openshift_hosted_facts
+- role: openshift_projects
+ openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
+- role: openshift_serviceaccounts
+ openshift_serviceaccounts_names:
+ - router
+ openshift_serviceaccounts_namespace: default
+ openshift_serviceaccounts_sccs:
+ - hostnetwork
+ when: openshift.common.version_gte_3_2_or_1_2
+- role: openshift_serviceaccounts
+ openshift_serviceaccounts_names:
+ - router
+ - registry
+ openshift_serviceaccounts_namespace: default
+ openshift_serviceaccounts_sccs:
+ - privileged
+ when: not openshift.common.version_gte_3_2_or_1_2
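Review bot: The two `when:` guards on the openshift_serviceaccounts dependencies (L36, L44) test `openshift.common.version_gte_3_2_or_1_2` bare, while registry_config.j2 in this same commit filters the sibling fact with `| bool` (L358); if the fact ever arrives as a string, a bare `'False'` is truthy and both the hostnetwork branch and the privileged branch would be applied. Suggest `when: openshift.common.version_gte_3_2_or_1_2 | bool` and `when: not (openshift.common.version_gte_3_2_or_1_2 | bool)`. The pre-3.2/1.2 branch grants the `privileged` SCC to both the router and the registry service accounts where the newer branch grants only `hostnetwork` to the router; a one-line comment above the legacy branch stating why that release line needs the broader grant would document the privilege difference for whoever later removes it.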
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index d5077932b..93b701ebc 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -30,7 +30,7 @@
- name: Create OpenShift registry
command: >
- {{ openshift.common.admin_binary }} registry --create
+ {{ openshift.common.client_binary }} adm registry --create
--config={{ openshift_hosted_kubeconfig }}
{% if replicas > 1 -%}
--replicas={{ replicas }}
@@ -53,7 +53,7 @@
- include: secure.yml
static: no
- when: openshift.common.deployment_subtype == 'registry'
+ when: replicas | int > 0 and not (openshift.docker.hosted_registry_insecure | default(false) | bool)
- include: storage/object_storage.yml
static: no
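Review bot: The new condition on the secure.yml include (L61) skips the whole file when `openshift.docker.hosted_registry_insecure` is set, and in this commit secure.yml is also where the docker-registry passthrough route is created (L71-L79), so an insecure registry ends up with no route at all; if that is intended, a comment on the include would help: `# secure.yml also creates the registry route; an insecure registry gets no route`. The `default(false)` only covers the last attribute of the expression, so it presumably still errors if `openshift.docker` itself is absent from facts — confirm that fact is always populated before this include runs.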
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index 4cb85df04..d87a3847c 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -1,5 +1,15 @@
---
-- name: Determine if registry certificates must be created
+- name: Create passthrough route for docker-registry
+ command: >
+ {{ openshift.common.client_binary }} create route passthrough
+ --service docker-registry
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: create_docker_registry_route
+ changed_when: "'already exists' not in create_docker_registry_route.stderr"
+ failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
+
+- name: Determine if registry certificate must be created
stat:
path: "{{ openshift_master_config_dir }}/{{ item }}"
with_items:
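Review bot: The passthrough route created at L71-L79 is given no `--hostname`, so the router assigns it the default host, while the certificate generated later in this file is issued for `docker_registry_route_hostname`, which is computed from `openshift_master_default_subdomain` (L97); if those two subdomains ever differ, the registry serves a certificate whose SAN does not match the route host and clients fail TLS validation. Consider moving the `set_fact` for `docker_registry_route_hostname` above this task and passing `--hostname={{ docker_registry_route_hostname }}` so the route and the certificate are derived from the same value. The `changed_when`/`failed_when` pair on L78-L79 keys on the literal `already exists` text in stderr, which is tied to the client's message wording; a short comment saying so would help whoever sees it break after a client upgrade.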
@@ -12,21 +22,21 @@
- name: Retrieve registry service IP
command: >
{{ openshift.common.client_binary }} get service docker-registry
- --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ -o jsonpath='{.spec.clusterIP}'
--config={{ openshift_hosted_kubeconfig }}
-n default
register: docker_registry_service_ip
changed_when: false
- set_fact:
- docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+ docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
- name: Create registry certificates if they do not exist
command: >
- {{ openshift.common.admin_binary }} ca create-server-cert
- --signer-cert=/etc/origin/master/ca.crt
- --signer-key=/etc/origin/master/ca.key
- --signer-serial=/etc/origin/master/ca.serial.txt
+ {{ openshift.common.client_binary }} adm ca create-server-cert
+ --signer-cert={{ openshift_master_config_dir }}/ca.crt
+ --signer-key={{ openshift_master_config_dir }}/ca.key
+ --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
--hostnames="{{ docker_registry_service_ip.stdout }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
--cert={{ openshift_master_config_dir }}/registry.crt
--key={{ openshift_master_config_dir }}/registry.key
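Review bot: The certificate's SAN list on L108 embeds the current service IP and route hostname, but the task is described (L98) and gated (stat at L81-L84) as running only when the certificate files are absent, so a later change of either value leaves a certificate that no longer matches what the registry is reached at. A comment on the task naming this limitation would be useful, e.g. `# not regenerated when the service IP or route hostname changes; remove registry.crt/registry.key to reissue`. The task's `when:` clause is outside this hunk.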
@@ -45,8 +55,8 @@
- name: "Add the secret to the registry's pod service accounts"
command: >
- {{ openshift.common.client_binary }} secrets link {{ item }} registry-certificates
- --config={{ openshift_hosted_kubeconfig }}
+ {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
+ --config={{ openshift_hosted_kubeconfig }}
-n default
with_items:
- registry
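Review bot: L116 replaces `secrets link` with `secrets add`; `add` is the older spelling of the same subcommand and was deprecated in favour of `link`, so if the swap is for compatibility with older client binaries a comment saying so (`# 'secrets add' kept for pre-'link' client versions`) would stop the next reader from reverting it. If it is not for compatibility, `link` is the form that later clients keep.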
@@ -55,12 +65,12 @@
- name: Determine if registry-certificates secret volume attached
command: >
{{ openshift.common.client_binary }} get dc/docker-registry
- --template='{{ '{{' }} range .spec.template.spec.volumes {{ '}}' }}{{ '{{' }} .secret.secretName {{ '}}' }}{{ '{{' }} end {{ '}}' }}'
+ -o jsonpath='{.spec.template.spec.volumes[?(@.secret)].secret.secretName}'
--config={{ openshift_hosted_kubeconfig }}
-n default
register: docker_registry_volumes
changed_when: false
- failed_when: false
+ failed_when: "docker_registry_volumes.stdout != '' and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
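Review bot: The new `failed_when` on L132 can only fire when `stdout` is non-empty and `rc != 0` at the same time, but a failing `oc get` (missing dc, bad kubeconfig) normally writes its error to stderr and leaves stdout empty, so such failures pass silently and the next task (L137) then sees an empty `stdout` and proceeds to attach the volume. The `'secretName is not found'` text is likewise searched in stdout, where a jsonpath error presumably does not go. Suggest `failed_when: "docker_registry_volumes.rc != 0 and 'secretName is not found' not in docker_registry_volumes.stderr"`, after confirming where this client version prints the jsonpath error.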
- name: Attach registry-certificates secret volume
command: >
@@ -71,17 +81,48 @@
-n default
when: "'registry-certificates' not in docker_registry_volumes.stdout"
-- name: Set registry environment variables for TLS certificate
+- name: Determine if registry environment variables must be set
+ command: >
+ {{ openshift.common.client_binary }} env dc/docker-registry
+ --list
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_env
+ changed_when: false
+
+- name: Configure certificates in registry deplomentConfig
command: >
{{ openshift.common.client_binary }} env dc/docker-registry
REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
--config={{ openshift_hosted_kubeconfig }}
-n default
+ when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
-# These commands are on a single line to preserve patch json.
+- name: Determine if registry liveness probe scheme is HTTPS
+ command: >
+ {{ openshift.common.client_binary }} get dc/docker-registry
+ -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_liveness_probe
+ changed_when: false
+
+# This command is on a single line to preserve patch json.
- name: Update registry liveness probe from HTTP to HTTPS
command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+ when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
+
+- name: Determine if registry readiness probe scheme is HTTPS
+ command: >
+ {{ openshift.common.client_binary }} get dc/docker-registry
+ -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_readiness_probe
+ changed_when: false
+# This command is on a single line to preserve patch json.
- name: Update registry readiness probe from HTTP to HTTPS
command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+ when: "'HTTPS' not in docker_registry_readiness_probe.stdout"
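Review bot: The task name on L148 misspells deploymentConfig as `deplomentConfig`; task names show up in play output and are what people grep for, so `- name: Configure certificates in registry deploymentConfig` is worth fixing in this commit. The readiness block at L171-L182 omits the blank line before the `# This command is on a single line` comment that the liveness block has at L165, so the two parallel task pairs read differently. The HTTPS checks on L169 and L182 treat an empty `stdout` (probe absent, or the get command failed) the same as a plain-HTTP probe and go on to patch; if that is the intent, a one-line comment saying so would prevent a later "fix".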
diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
index 7b1b3f6ff..e56a68e27 100644
--- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
@@ -1,3 +1,4 @@
+---
- fail:
msg: >
Object Storage Provider: {{ openshift.hosted.registry.storage.provider }}
diff --git a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml b/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml
index 60eefd71a..0172f5ca0 100644
--- a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml
@@ -3,7 +3,11 @@
registry_volume_claim: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
- name: Determine if volume is already attached to dc/docker-registry
- command: "{{ openshift.common.client_binary }} get -o template dc/docker-registry --template=\\{\\{.spec.template.spec.volumes\\}\\} --output-version=v1"
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ openshift_hosted_kubeconfig }}
+ --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+ get -o template dc/docker-registry --template=\\{\\{.spec.template.spec.volumes\\}\\} --output-version=v1
changed_when: false
failed_when: false
register: registry_volumes_output
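Review bot: This hunk and L208-L218 now target `--namespace={{ openshift.hosted.registry.namespace | default('default') }}`, but every registry task in secure.yml touched by this commit still hardcodes `-n default` (L76, L92, L118, L128, L144, L154, L162, L168, L176, L181), so a registry deployed in any other namespace would get its storage volume in one namespace and its route, certificate secret and TLS environment in another. Either the namespace variable should be used consistently across the role or the `default('default')` here is misleading; a comment stating which is intended would do for now. The template escaping on L204 is unchanged from L199, so the only change is the added `--config`/`--namespace` flags.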
@@ -13,7 +17,10 @@
- name: Add volume to dc/docker-registry
command: >
- {{ openshift.common.client_binary }} volume dc/docker-registry
+ {{ openshift.common.client_binary }}
+ --config={{ openshift_hosted_kubeconfig }}
+ --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+ volume dc/docker-registry
--add --overwrite -t persistentVolumeClaim --claim-name={{ registry_volume_claim }}
--name=registry-storage
when: not volume_attached | bool
diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml
index 0cad19c34..b944fa522 100644
--- a/roles/openshift_hosted/tasks/router/router.yml
+++ b/roles/openshift_hosted/tasks/router/router.yml
@@ -48,7 +48,7 @@
- name: Create OpenShift router
command: >
- {{ openshift.common.admin_binary }} router --create
+ {{ openshift.common.client_binary }} adm router --create
--config={{ openshift_hosted_kubeconfig }}
{% if replicas > 1 -%}
--replicas={{ replicas }}
@@ -73,7 +73,7 @@
{% if openshift.hosted.router.name | default(none) is not none -%}
{{ openshift.hosted.router.name }}
{% endif -%}
-
+
register: openshift_hosted_router_results
changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
failed_when: "openshift_hosted_router_results.rc != 0 and 'service exists' not in openshift_hosted_router_results.stdout and 'deployment_config' not in openshift_hosted_router_results.stderr and 'service' not in openshift_hosted_router_results.stderr"
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index 092b0fb35..557fd03af 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -4,54 +4,59 @@ log:
http:
addr: :5000
storage:
+ delete:
+ enabled: true
cache:
blobdescriptor: inmemory
-{% if openshift.hosted.registry.storage.provider == 's3' %}
+{% if openshift_hosted_registry_storage_provider | default('') == 's3' %}
s3:
- accesskey: {{ openshift.hosted.registry.storage.s3.accesskey }}
- secretkey: {{ openshift.hosted.registry.storage.s3.secretkey }}
- region: {{ openshift.hosted.registry.storage.s3.region }}
- bucket: {{ openshift.hosted.registry.storage.s3.bucket }}
+ accesskey: {{ openshift_hosted_registry_storage_s3_accesskey }}
+ secretkey: {{ openshift_hosted_registry_storage_s3_secretkey }}
+ region: {{ openshift_hosted_registry_storage_s3_region }}
+{% if openshift_hosted_registry_storage_s3_regionendpoint is defined %}
+ regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
+{% endif %}
+ bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
encrypt: false
secure: true
v4auth: true
- rootdirectory: {{ openshift.hosted.registry.storage.s3.rootdirectory | default('/registry') }}
- chunksize: "{{ openshift.hosted.registry.storage.s3.chunksize | default(26214400) }}"
-{% elif openshift.hosted.registry.storage.provider == 'azure_blob' %}
+ rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
+ chunksize: "{{ openshift_hosted_registry_storage_s3_chunksize | default(26214400) }}"
+{% elif openshift_hosted_registry_storage_provider | default('') == 'azure_blob' %}
azure:
- accountname: {{ openshift.hosted.registry.storage.azure_blob.accountname }}
- accountkey: {{ openshift.hosted.registry.storage.azure_blob.accountkey }}
- container: {{ openshift.hosted.registry.storage.azure_blob.container }}
- realm: {{ openshift.hosted.registry.storage.azure_blob.realm }}
-{% elif openshift.hosted.registry.storage.provider == 'swift' %}
+ accountname: {{ openshift_hosted_registry_storage_azure_blob_accountname }}
+ accountkey: {{ openshift_hosted_registry_storage_azure_blob_accountkey }}
+ container: {{ openshift_hosted_registry_storage_azure_blob_container }}
+ realm: {{ openshift_hosted_registry_storage_azure_blob_realm }}
+{% elif openshift_hosted_registry_storage_provider | default('') == 'swift' %}
swift:
- authurl: {{ openshift.hosted.registry.storage.swift.authurl }}
- username: {{ openshift.hosted.registry.storage.swift.username }}
- password: {{ openshift.hosted.registry.storage.swift.password }}
- container: {{ openshift.hosted.registry.storage.swift.container }}
-{% if 'region' in openshift.hosted.registry.storage.swift %}
- region: {{ openshift.hosted.registry.storage.swift.region }}
+ authurl: {{ openshift_hosted_registry_storage_swift_authurl }}
+ username: {{ openshift_hosted_registry_storage_swift_username }}
+ password: {{ openshift_hosted_registry_storage_swift_password }}
+ container: {{ openshift_hosted_registry_storage_swift_container }}
+{% if openshift_hosted_registry_storage_swift_region is defined %}
+ region: {{ openshift_hosted_registry_storage_swift_region }}
{% endif -%}
-{% if 'tenant' in openshift.hosted.registry.storage.swift %}
- tenant: {{ openshift.hosted.registry.storage.swift.tenant }}
+{% if openshift_hosted_registry_storage_swift_tenant is defined %}
+ tenant: {{ openshift_hosted_registry_storage_swift_tenant }}
{% endif -%}
-{% if 'tenantid' in openshift.hosted.registry.storage.swift %}
- tenantid: {{ openshift.hosted.registry.storage.swift.tenantid }}
+{% if openshift_hosted_registry_storage_swift_tenantid is defined %}
+ tenantid: {{ openshift_hosted_registry_storage_swift_tenantid }}
{% endif -%}
-{% if 'domain' in openshift.hosted.registry.storage.swift %}
- domain: {{ openshift.hosted.registry.storage.swift.domain }}
+{% if openshift_hosted_registry_storage_swift_domain is defined %}
+ domain: {{ openshift_hosted_registry_storage_swift_domain }}
{% endif -%}
-{% if 'domainid' in openshift.hosted.registry.storage.swift %}
- domainid: {{ openshift.hosted.registry.storage.swift.domainid }}
+{% if openshift_hosted_registry_storage_swift_domainid %}
+ domainid: {{ openshift_hosted_registry_storage_swift_domainid }}
{% endif -%}
-{% elif openshift.hosted.registry.storage.provider == 'gcs' %}
+{% elif openshift_hosted_registry_storage_provider | default('') == 'gcs' %}
gcs:
- bucket: {{ openshift.hosted.registry.storage.gcs.bucket }}
-{% if 'keyfile' in openshift.hosted.registry.storage.gcs %}
- keyfile: {{ openshift.hosted.registry.storage.gcs.keyfile }}
+ bucket: {{ openshift_hosted_registry_storage_gcs_bucket }}
+{% if openshift_hosted_registry_storage_gcs_keyfile is defined %}
+ keyfile: {{ openshift_hosted_registry_storage_gcs_keyfile }}
{% endif -%}
-{% if 'rootdirectory' in openshift.hosted.registry.storage.gcs %}
- rootdirectory: {{ openshift.hosted.registry.storage.gcs.rootdirectory }}
+{% if openshift_hosted_registry_storage_gcs_rootdirectory is defined %}
+ rootdirectory: {{ openshift_hosted_registry_storage_gcs_rootdirectory }}
{% endif -%}
{% endif -%}
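Review bot: L317 tests `openshift_hosted_registry_storage_swift_domainid` bare while every sibling option in this hunk uses `is defined`; under Ansible's strict undefined handling a bare truth test of an unset variable raises instead of evaluating false, so a swift deployment without a domainid presumably fails to render here. Change it to `{% if openshift_hosted_registry_storage_swift_domainid is defined %}`. Credential values (accesskey, secretkey, accountkey, password) are emitted as plain scalars, so a secret containing ` #`, `: ` or a leading YAML indicator would be truncated or mis-parsed by the registry's YAML loader; emitting them as `{{ var | to_json }}` yields a properly quoted string regardless of content, in the spirit of the quoting `chunksize` already gets on L273. `delete: enabled: true` (L248-L249) turns on image deletion through the registry API for every deployment; a comment above it naming why this is now unconditional would help.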
auth:
@@ -65,16 +70,16 @@ middleware:
repository:
- name: openshift
options:
- pullthrough: {{ openshift.hosted.registry.pullthrough | default(true) }}
- acceptschema2: {{ openshift.hosted.registry.acceptschema2 | default(false) }}
- enforcequota: {{ openshift.hosted.registry.enforcequota | default(false) }}
-{% if openshift.hosted.registry.storage.provider == 's3' and 'cloudfront' in openshift.hosted.registry.storage.s3 %}
+ pullthrough: {{ openshift_hosted_registry_pullthrough | default(true) }}
+ acceptschema2: {{ openshift_hosted_registry_acceptschema2 | default(false) }}
+ enforcequota: {{ openshift_hosted_registry_enforcequota | default(false) }}
+{% if openshift_hosted_registry_storage_provider | default('') == 's3' and openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined %}
storage:
- name: cloudfront
options:
- baseurl: {{ openshift.hosted.registry.storage.s3.cloudfront.baseurl }}
- privatekey: {{ openshift.hosted.registry.storage.s3.cloudfront.privatekeyfile }}
- keypairid: {{ openshift.hosted.registry.storage.s3.cloudfront.keypairid }}
+ baseurl: {{ openshift_hosted_registry_storage_s3_cloudfront_baseurl }}
+ privatekey: {{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }}
+ keypairid: {{ openshift_hosted_registry_storage_s3_cloudfront_keypairid }}
{% elif openshift.common.version_gte_3_3_or_1_3 | bool %}
storage:
- name: openshift
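Review bot: The cloudfront guard on L348 now checks only `openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined`, while L356-L357 then dereference `..._cloudfront_privatekeyfile` and `..._cloudfront_keypairid` unconditionally; the old `'cloudfront' in ...` test covered the whole sub-map, so a baseurl set without the other two now fails at render time instead of skipping the block. Either extend the condition (`... and openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile is defined and openshift_hosted_registry_storage_s3_cloudfront_keypairid is defined`) or document that baseurl alone enables the block and the other two are then mandatory. The `elif` on L358 still reads `openshift.common.version_gte_3_3_or_1_3` from the fact namespace while the rest of the template moved to flat `openshift_hosted_*` variables; a comment noting that this one is deliberately a fact would keep it from being migrated by mistake.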