13 files changed, 242 insertions, 65 deletions

diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 73e935d3f..3da861d03 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,4 +1,9 @@
 ---
+# openshift_master_defaults_in_use is a workaround to detect if we are consuming
+# the plays from the role or outside of the role.
+openshift_master_defaults_in_use: True
+openshift_master_debug_level: "{{ debug_level | default(2) }}"
+
 r_openshift_master_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
 r_openshift_master_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
 
@@ -26,6 +31,9 @@ oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
 oreg_auth_credentials_replace: False
 l_bind_docker_reg_auth: False
 
+containerized_svc_dir: "/usr/lib/systemd/system"
+ha_svc_template_path: "native-cluster"
+
 # NOTE
 # r_openshift_master_*_default may be defined external to this role.
 # openshift_use_*, if defined, may affect other roles or play behavior.
@@ -38,8 +46,99 @@ r_openshift_master_use_nuage: "{{ r_openshift_master_use_nuage_default }}"
 r_openshift_master_use_contiv_default: "{{ openshift_use_contiv | default(False) }}"
 r_openshift_master_use_contiv: "{{ r_openshift_master_use_contiv_default }}"
 
+r_openshift_master_use_kuryr_default: "{{ openshift_use_kuryr | default(False) }}"
+r_openshift_master_use_kuryr: "{{ r_openshift_master_use_kuryr_default }}"
+
 r_openshift_master_data_dir_default: "{{ openshift_data_dir | default('/var/lib/origin') }}"
 r_openshift_master_data_dir: "{{ r_openshift_master_data_dir_default }}"
 
 r_openshift_master_sdn_network_plugin_name_default: "{{ os_sdn_network_plugin_name | default('redhat/openshift-ovs-subnet') }}"
 r_openshift_master_sdn_network_plugin_name: "{{ r_openshift_master_sdn_network_plugin_name_default }}"
+
+openshift_master_image_config_latest_default: "{{ openshift_image_config_latest | default(False) }}"
+openshift_master_image_config_latest: "{{ openshift_master_image_config_latest_default }}"
+
+openshift_master_config_dir_default: "{{ (openshift.common.config_base | default('/etc/origin/master')) ~ '/master' }}"
+openshift_master_config_dir: "{{ openshift_master_config_dir_default }}"
+openshift_master_cloud_provider: "{{ openshift_cloudprovider_kind | default('aws') }}"
+
+openshift_master_node_config_networkconfig_mtu: 1450
+
+openshift_master_node_config_kubeletargs_cpu: 500m
+openshift_master_node_config_kubeletargs_mem: 512M
+
+openshift_master_bootstrap_enabled: False
+
+openshift_master_client_binary: "{{ openshift.common.client_binary if openshift is defined else 'oc' }}"
+
+openshift_master_config_imageconfig_format: "{{ oreg_url if oreg_url != '' else 'registry.access.redhat.com/openshift3/ose-${component}:${version}' }}"
+
+# these are for the default settings in a generated node-config.yaml
+openshift_master_node_config_default_edits:
+- key: nodeName
+  state: absent
+- key: dnsBindAddress
+  value: 127.0.0.1:53
+- key: dnsDomain
+  value: cluster.local
+- key: dnsRecursiveResolvConf
+  value: /etc/origin/node/resolv.conf
+- key: imageConfig.format
+  value: "{{ openshift_master_config_imageconfig_format }}"
+- key: kubeletArguments.cloud-config
+  value:
+  - "/etc/origin/cloudprovider/{{ openshift_master_cloud_provider }}.conf"
+- key: kubeletArguments.cloud-provider
+  value:
+  - "{{ openshift_master_cloud_provider }}"
+- key: kubeletArguments.kube-reserved
+  value:
+  - "cpu={{ openshift_master_node_config_kubeletargs_cpu }},memory={{ openshift_master_node_config_kubeletargs_mem }}"
+- key: kubeletArguments.system-reserved
+  value:
+  - "cpu={{ openshift_master_node_config_kubeletargs_cpu }},memory={{ openshift_master_node_config_kubeletargs_mem }}"
+- key: enable-controller-attach-detach
+  value:
+  - 'true'
+- key: networkConfig.mtu
+  value: 8951
+- key: networkConfig.networkPluginName
+  value: "{{ r_openshift_master_sdn_network_plugin_name }}"
+- key: networkPluginName
+  value: "{{ r_openshift_master_sdn_network_plugin_name }}"
+
+
+# We support labels for all nodes here
+openshift_master_node_config_kubeletargs_default_labels: []
+# We do support overrides for node group labels
+openshift_master_node_config_kubeletargs_master_labels: []
+openshift_master_node_config_kubeletargs_infra_labels: []
+openshift_master_node_config_kubeletargs_compute_labels: []
+
+openshift_master_node_config_master:
+  type: master
+  edits:
+  - key: kubeletArguments.node-labels
+    value: "{{ openshift_master_node_config_kubeletargs_default_labels |
+               union(openshift_master_node_config_kubeletargs_master_labels) |
+               union(['type=master']) }}"
+openshift_master_node_config_infra:
+  type: infra
+  edits:
+  - key: kubeletArguments.node-labels
+    value: "{{ openshift_master_node_config_kubeletargs_default_labels |
+               union(openshift_master_node_config_kubeletargs_infra_labels) |
+               union(['type=infra']) }}"
+openshift_master_node_config_compute:
+  type: compute
+  edits:
+  - key: kubeletArguments.node-labels
+    value: "{{ openshift_master_node_config_kubeletargs_default_labels |
+               union(openshift_master_node_config_kubeletargs_compute_labels) |
+               union(['type=compute']) }}"
+
+openshift_master_node_configs:
+- "{{ openshift_master_node_config_infra }}"
+- "{{ openshift_master_node_config_compute }}"
+
+openshift_master_bootstrap_namespace: openshift-node
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index a657668a9..a1cda2ad4 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -13,4 +13,5 @@ galaxy_info:
   - cloud
 dependencies:
 - role: lib_openshift
+- role: lib_utils
 - role: lib_os_firewall
diff --git a/roles/openshift_master/tasks/bootstrap.yml b/roles/openshift_master/tasks/bootstrap.yml
index 0013f5289..eee89743c 100644
--- a/roles/openshift_master/tasks/bootstrap.yml
+++ b/roles/openshift_master/tasks/bootstrap.yml
@@ -26,3 +26,66 @@
   copy:
     content: "{{ kubeconfig_out.stdout }}"
     dest: "{{ openshift_master_config_dir }}/bootstrap.kubeconfig"
+
+- name: create a temp dir for this work
+  command: mktemp -d /tmp/openshift_node_config-XXXXXX
+  register: mktempout
+  run_once: true
+
+# This generate is so that we do not have to maintain
+# our own copy of the template.  This is generated by
+# the product and the following settings will be
+# generated by the master
+- name: generate a node-config dynamically
+  command: >
+    {{ openshift_master_client_binary }} adm create-node-config
+    --node-dir={{ mktempout.stdout }}/
+    --node=CONFIGMAP
+    --hostnames=test
+    --certificate-authority={{ openshift_master_config_dir }}/ca.crt
+    --signer-cert={{ openshift_master_config_dir }}/ca.crt
+    --signer-key={{ openshift_master_config_dir }}/ca.key
+    --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
+    --node-client-certificate-authority={{ openshift_master_config_dir }}/ca.crt
+  register: configgen
+  run_once: true
+
+- name: remove the default settings
+  yedit:
+    state: "{{ item.state | default('present') }}"
+    src: "{{ mktempout.stdout }}/node-config.yaml"
+    key: "{{ item.key }}"
+    value: "{{ item.value | default(omit) }}"
+  with_items: "{{ openshift_master_node_config_default_edits }}"
+  run_once: true
+
+- name: copy the generated config into each group
+  copy:
+    src: "{{ mktempout.stdout }}/node-config.yaml"
+    remote_src: true
+    dest: "{{ mktempout.stdout }}/node-config-{{ item.type }}.yaml"
+  with_items: "{{ openshift_master_node_configs }}"
+  run_once: true
+
+- name: "specialize the generated configs for node-config-{{ item.type }}"
+  yedit:
+    src: "{{ mktempout.stdout }}/node-config-{{ item.type }}.yaml"
+    edits: "{{ item.edits }}"
+  with_items: "{{ openshift_master_node_configs }}"
+  run_once: true
+
+- name: create node-config.yaml configmap
+  oc_configmap:
+    name: "node-config-{{ item.type }}"
+    namespace: "{{ openshift_master_bootstrap_namespace }}"
+    from_file:
+      node-config.yaml: "{{ mktempout.stdout }}/node-config-{{ item.type }}.yaml"
+  with_items: "{{ openshift_master_node_configs }}"
+  run_once: true
+
+- name: remove templated files
+  file:
+    dest: "{{ mktempout.stdout }}/"
+    state: absent
+  with_items: "{{ openshift_master_node_configs }}"
+  run_once: true
diff --git a/roles/openshift_master/tasks/check_master_api_is_ready.yml b/roles/openshift_master/tasks/check_master_api_is_ready.yml
new file mode 100644
index 000000000..7e8a7a596
--- /dev/null
+++ b/roles/openshift_master/tasks/check_master_api_is_ready.yml
@@ -0,0 +1,14 @@
+---
+- name: Wait for API to become available
+  # Using curl here since the uri module requires python-httplib2 and
+  # wait_for port doesn't provide health information.
+  command: >
+    curl --silent --tlsv1.2
+    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
+    {{ openshift.master.api_url }}/healthz/ready
+  register: l_api_available_output
+  until: l_api_available_output.stdout == 'ok'
+  retries: 120
+  delay: 1
+  run_once: true
+  changed_when: false
diff --git a/roles/openshift_master/tasks/configure_external_etcd.yml b/roles/openshift_master/tasks/configure_external_etcd.yml
new file mode 100644
index 000000000..b0590ac84
--- /dev/null
+++ b/roles/openshift_master/tasks/configure_external_etcd.yml
@@ -0,0 +1,17 @@
+---
+- name: Remove etcdConfig section
+  yedit:
+    src: /etc/origin/master/master-config.yaml
+    key: "etcdConfig"
+    state: absent
+- name: Set etcdClientInfo.ca to master.etcd-ca.crt
+  yedit:
+    src: /etc/origin/master/master-config.yaml
+    key: etcdClientInfo.ca
+    value: master.etcd-ca.crt
+- name: Set etcdClientInfo.urls to the external etcd
+  yedit:
+    src: /etc/origin/master/master-config.yaml
+    key: etcdClientInfo.urls
+    value:
+      - "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_port }}"
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 82b4b420c..824a5886e 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -311,23 +311,7 @@
 
 # A separate wait is required here for native HA since notifies will
 # be resolved after all tasks in the role.
-- name: Wait for API to become available
-  # Using curl here since the uri module requires python-httplib2 and
-  # wait_for port doesn't provide health information.
-  command: >
-    curl --silent --tlsv1.2
-    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
-    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-    {% else %}
-    --cacert {{ openshift.common.config_base }}/master/ca.crt
-    {% endif %}
-    {{ openshift.master.api_url }}/healthz/ready
-  register: l_api_available_output
-  until: l_api_available_output.stdout == 'ok'
-  retries: 120
-  delay: 1
-  run_once: true
-  changed_when: false
+- include: check_master_api_is_ready.yml
   when:
   - openshift.master.cluster_method == 'native'
   - master_api_service_status_changed | bool
diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml
index 2644f235e..63d483760 100644
--- a/roles/openshift_master/tasks/registry_auth.yml
+++ b/roles/openshift_master/tasks/registry_auth.yml
@@ -1,14 +1,4 @@
 ---
-# We need to setup some variables as this play might be called directly
-# from outside of the role.
-- set_fact:
-    oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
-  when: oreg_auth_credentials_path is not defined
-
-- set_fact:
-    oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
-  when: oreg_host is not defined
-
 - name: Check for credentials file for registry auth
   stat:
     path: "{{ oreg_auth_credentials_path }}"
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 8de62c59a..fcc66044b 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -1,31 +1,9 @@
 ---
-# This file is included both in the openshift_master role and in the upgrade
-# playbooks.  For that reason the ha_svc variables are use set_fact instead of
-# the vars directory on the role.
+# systemd_units.yml is included both in the openshift_master role and in the upgrade
+# playbooks.
 
-# This play may be consumed outside the role, we need to ensure that
-# openshift_master_config_dir is set.
-- name: Set openshift_master_config_dir if unset
-  set_fact:
-    openshift_master_config_dir: '/etc/origin/master'
-  when: openshift_master_config_dir is not defined
-
-# This play may be consumed outside the role, we need to ensure that
-# r_openshift_master_data_dir is set.
-- name: Set r_openshift_master_data_dir if unset
-  set_fact:
-    r_openshift_master_data_dir: "{{ openshift_data_dir | default('/var/lib/origin') }}"
-  when: r_openshift_master_data_dir is not defined
-
-- include: registry_auth.yml
-
-- name: Remove the legacy master service if it exists
-  include: clean_systemd_units.yml
-
-- name: Init HA Service Info
-  set_fact:
-    containerized_svc_dir: "/usr/lib/systemd/system"
-    ha_svc_template_path: "native-cluster"
+- include: upgrade_facts.yml
+  when: openshift_master_defaults_in_use is not defined
 
 - name: Set HA Service Info for containerized installs
   set_fact:
@@ -34,6 +12,11 @@
   when:
   - openshift.common.is_containerized | bool
 
+- include: registry_auth.yml
+
+- name: Remove the legacy master service if it exists
+  include: clean_systemd_units.yml
+
 # This is the image used for both HA and non-HA clusters:
 - name: Pre-pull master image
   command: >
diff --git a/roles/openshift_master/tasks/upgrade_facts.yml b/roles/openshift_master/tasks/upgrade_facts.yml
new file mode 100644
index 000000000..f6ad438aa
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade_facts.yml
@@ -0,0 +1,33 @@
+---
+# This file exists because we call systemd_units.yml from outside of the role
+# during upgrades.  When we remove this pattern, we can probably
+# eliminate most of these set_fact items.
+
+- name: Set openshift_master_config_dir if unset
+  set_fact:
+    openshift_master_config_dir: '/etc/origin/master'
+  when: openshift_master_config_dir is not defined
+
+- name: Set r_openshift_master_data_dir if unset
+  set_fact:
+    r_openshift_master_data_dir: "{{ openshift_data_dir | default('/var/lib/origin') }}"
+  when: r_openshift_master_data_dir is not defined
+
+- set_fact:
+    oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
+  when: oreg_auth_credentials_path is not defined
+
+- set_fact:
+    oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
+  when: oreg_host is not defined
+
+- name: Set openshift_master_debug_level
+  set_fact:
+    openshift_master_debug_level: "{{ debug_level | default(2) }}"
+  when:
+  - openshift_master_debug_level is not defined
+
+- name: Init HA Service Info
+  set_fact:
+    containerized_svc_dir: "{{ containerized_svc_dir | default('/usr/lib/systemd/system') }}"
+    ha_svc_template_path: "{{ ha_svc_template_path | default('native-cluster') }}"
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index b931f1414..7ec26ceb7 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,4 +1,4 @@
-OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
+OPTIONS=--loglevel={{ openshift_master_debug_level }}
 CONFIG_FILE={{ openshift_master_config_file }}
 {# Preserve existing OPENSHIFT_DEFAULT_REGISTRY settings in scale up runs #}
 {% if openshift_master_is_scaleup_host %}
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 9b3fbcf49..40775571f 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -115,7 +115,7 @@ etcdStorageConfig:
   openShiftStorageVersion: v1
 imageConfig:
   format: {{ openshift.master.registry_url }}
-  latest: false
+  latest: {{ openshift_master_image_config_latest }}
 {% if 'image_policy_config' in openshift.master %}
 imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level=1) }}
 {% endif %}
@@ -179,7 +179,7 @@ masterPublicURL: {{ openshift.master.public_api_url }}
 networkConfig:
   clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
   hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }}
-{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_sdn_network_plugin_name == 'cni' %}
+{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_use_kuryr or r_openshift_master_sdn_network_plugin_name == 'cni' %}
   networkPluginName: {{ r_openshift_master_sdn_network_plugin_name_default }}
 {% endif %}
 # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
@@ -275,12 +275,5 @@ servingInfo:
   - {{ cipher_suite }}
 {% endfor %}
 {% endif %}
-{% if openshift_template_service_broker_namespaces is defined %}
-templateServiceBrokerConfig:
-  templateNamespaces:
-{% for namespace in openshift_template_service_broker_namespaces %}
-  - {{ namespace }}
-{% endfor %}
-{% endif %}
 volumeConfig:
   dynamicProvisioningEnabled: {{ openshift.master.dynamic_provisioning_enabled }}
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2
index 63eb3ea1b..cc21b37af 100644
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2
@@ -1,4 +1,4 @@
-OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.api_port }} --master={{ openshift.master.loopback_api_url }}
+OPTIONS=--loglevel={{ openshift_master_debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.api_port }} --master={{ openshift.master.loopback_api_url }}
 CONFIG_FILE={{ openshift_master_config_file }}
 {# Preserve existing OPENSHIFT_DEFAULT_REGISTRY settings in scale up runs #}
 {% if openshift_master_is_scaleup_host %}
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2
index 0adfd05b6..493fc510e 100644
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2
@@ -1,4 +1,4 @@
-OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.controllers_port }}
+OPTIONS=--loglevel={{ openshift_master_debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.controllers_port }}
 CONFIG_FILE={{ openshift_master_config_file }}
 {# Preserve existing OPENSHIFT_DEFAULT_REGISTRY settings in scale up runs #}
 {% if openshift_master_is_scaleup_host %}