Diffstat (limited to 'roles/openshift_master')
11 files changed, 153 insertions, 85 deletions
diff --git a/roles/openshift_master/README.md b/roles/openshift_master/README.md
index 663ac08b8..c3300a7ef 100644
--- a/roles/openshift_master/README.md
+++ b/roles/openshift_master/README.md
@@ -6,7 +6,8 @@ Master service installation
 
 Requirements
 ------------
-A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms,
+* Ansible 2.2
+* A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms,
 rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos.
 
 Role Variables
diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml
index edb7369de..69c5a1663 100644
--- a/roles/openshift_master/handlers/main.yml
+++ b/roles/openshift_master/handlers/main.yml
@@ -1,29 +1,33 @@
 ---
 - name: restart master
-  service: name={{ openshift.common.service_type }}-master state=restarted
+  systemd: name={{ openshift.common.service_type }}-master state=restarted
   when: (openshift.master.ha is not defined or not openshift.master.ha | bool) and (not (master_service_status_changed | default(false) | bool))
   notify: Verify API Server
 
 - name: restart master api
-  service: name={{ openshift.common.service_type }}-master-api state=restarted
+  systemd: name={{ openshift.common.service_type }}-master-api state=restarted
   when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
   notify: Verify API Server
 
 - name: restart master controllers
-  service: name={{ openshift.common.service_type }}-master-controllers state=restarted
+  systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
   when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
 
 - name: Verify API Server
   # Using curl here since the uri module requires python-httplib2 and
   # wait_for port doesn't provide health information.
   command: >
-    curl --silent
+    curl --silent --tlsv1.2
     {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
     --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
     {% else %}
     --cacert {{ openshift.common.config_base }}/master/ca.crt
     {% endif %}
     {{ openshift.master.api_url }}/healthz/ready
+  args:
# Disables the following warning:
# Consider using get_url or uri module rather than running curl
+    warn: no
   register: api_available_output
   until: api_available_output.stdout == 'ok'
   retries: 120
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index a2f665702..56af0cf36 100644
--- a/roles/openshift_master/meta/main.yml
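Review bot: `warn: no` under the new `args:` block of "Verify API Server" is the YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's truthy rule flags it and `warn: false` says the same thing unambiguously. The added `--tlsv1.2` is a sensible tightening of the health check, since `--cacert` already pins trust to the cluster CA; a short comment next to it saying the minimum is deliberate would stop a later reader from "simplifying" it away. The handler list continues past the hunk (`retries: 120` is the last visible line).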
+++ b/roles/openshift_master/meta/main.yml
@@ -4,11 +4,41 @@ galaxy_info:
   description: Master
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 2.1
+  min_ansible_version: 2.2
   platforms:
   - name: EL
     versions:
     - 7
   categories:
   - cloud
-dependencies: []
+dependencies:
+- role: openshift_master_facts
+- role: openshift_hosted_facts
+- role: openshift_master_certificates
+- role: openshift_etcd_client_certificates
+  etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+  etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+  etcd_cert_prefix: "master.etcd-"
+  when: groups.oo_etcd_to_config | default([]) | length != 0
+- role: openshift_clock
+- role: openshift_cloud_provider
+- role: openshift_builddefaults
+- role: openshift_buildoverrides
+- role: os_firewall
+  os_firewall_allow:
+  - service: api server https
+    port: "{{ openshift.master.api_port }}/tcp"
+  - service: api controllers https
+    port: "{{ openshift.master.controllers_port }}/tcp"
+  - service: skydns tcp
+    port: "{{ openshift.master.dns_port }}/tcp"
+  - service: skydns udp
+    port: "{{ openshift.master.dns_port }}/udp"
+- role: os_firewall
+  os_firewall_allow:
+  - service: etcd embedded
+    port: 4001/tcp
+  when: groups.oo_etcd_to_config | default([]) | length == 0
+- role: nickhammond.logrotate
+- role: nuage_master
+  when: openshift.common.use_nuage | bool
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index ce2f96723..9cd6b6c81 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
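Review bot: The second `os_firewall` dependency opens `4001/tcp` for "etcd embedded" on every host that applies this role when `oo_etcd_to_config` is empty, and as far as the `os_firewall_allow` entry shows it carries no source restriction, so the in-process etcd endpoint is exposed beyond localhost. If this is a rule moved from a playbook, a comment above it saying so and noting that embedded etcd is only expected on a single-master install would let a reader judge the exposure; if it is new, it is worth confirming anything off-host actually needs to reach that port. The same `groups.oo_etcd_to_config | default([]) | length` test is written twice in this list (once `!= 0`, once `== 0`); a comment naming what the group means would help both.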
@@ -24,16 +24,11 @@
   when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and openshift.common.is_containerized | bool
 
 - name: Install Master package
-  action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
+  package:
+    name: "{{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+    state: present
   when: not openshift.common.is_containerized | bool
 
-- name: Pull master image
-  command: >
-    docker pull {{ openshift.master.master_image }}:{{ openshift_image_tag }}
-  register: pull_result
-  changed_when: "'Downloaded newer image' in pull_result.stdout"
-  when: openshift.common.is_containerized | bool
-
 - name: Create openshift.common.data_dir
   file:
     path: "{{ openshift.common.data_dir }}"
@@ -57,14 +52,14 @@
 
 - name: Create the policy file if it does not already exist
   command: >
-    {{ openshift.common.admin_binary }} create-bootstrap-policy-file
+    {{ openshift.common.client_binary }} adm create-bootstrap-policy-file
       --filename={{ openshift_master_policy }}
   args:
     creates: "{{ openshift_master_policy }}"
   notify:
-    - restart master
-    - restart master api
-    - restart master controllers
+  - restart master
+  - restart master api
+  - restart master controllers
 
 - name: Create the scheduler config
   copy:
@@ -72,12 +67,12 @@
     dest: "{{ openshift_master_scheduler_conf }}"
     backup: true
   notify:
-    - restart master
-    - restart master api
-    - restart master controllers
+  - restart master
+  - restart master api
+  - restart master controllers
 
 - name: Install httpd-tools if needed
-  action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present"
+  package: name=httpd-tools state=present
   when: (item.kind == 'HTPasswdPasswordIdentityProvider') and not openshift.common.is_atomic | bool
   with_items: "{{ openshift.master.identity_providers }}"
 
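Review bot: `package: name=httpd-tools state=present` in "Install httpd-tools if needed" keeps the key=value string form while "Install Master package" in the first hunk of this file is rewritten in the same commit to block YAML (`package:` / `name:` / `state:`); "Install cluster packages" further down (`package: name=pcs state=present`) has the same inconsistency. Writing both as `package:` with `name: httpd-tools` and `state: present` on their own lines matches the style the commit itself introduces and is what Ansible's docs recommend over free-form argument strings. The task list continues on both sides of each hunk.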
@@ -145,8 +140,8 @@
     mode: 0600
   when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined
   notify:
-    - restart master
-    - restart master api
+  - restart master
+  - restart master api
 
 - set_fact:
     translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1', openshift.common.version, openshift.common.deployment_type) }}"
@@ -161,47 +156,65 @@
     group: root
     mode: 0600
   notify:
-    - restart master
-    - restart master api
-    - restart master controllers
+  - restart master
+  - restart master api
+  - restart master controllers
 
 - include: set_loopback_context.yml
   when: openshift.common.version_gte_3_2_or_1_2
 
+# TODO: Master startup can fail when ec2 transparently reallocates the block
+# storage, causing etcd writes to temporarily fail. Retry failures blindly just
+# once to allow time for this transient condition to to resolve and for systemd
+# to restart the master (which will eventually succeed).
+#
+# https://github.com/coreos/etcd/issues/3864
+# https://github.com/openshift/origin/issues/6065
+# https://github.com/openshift/origin/issues/6447
 - name: Start and enable master
-  service: name={{ openshift.common.service_type }}-master enabled=yes state=started
+  systemd:
+    name: "{{ openshift.common.service_type }}-master"
+    enabled: yes
+    state: started
   when: not openshift_master_ha | bool
   register: start_result
+  until: not start_result | failed
+  retries: 1
+  delay: 60
   notify: Verify API Server
 
-- name: Check for non-HA master service presence
-  command: systemctl show {{ openshift.common.service_type }}-master.service
-  register: master_svc_show
-  changed_when: false
-  failed_when: false
-
 - name: Stop and disable non-HA master when running HA
-  service:
+  systemd:
     name: "{{ openshift.common.service_type }}-master"
     enabled: no
     state: stopped
-  when: openshift_master_ha | bool and master_svc_show.rc == 0 and 'LoadState=not-found' not in master_svc_show.stdout
+  when: openshift_master_ha | bool
+  register: task_result
+  failed_when: "task_result|failed and 'could not' not in task_result.msg|lower"
 
 - set_fact:
     master_service_status_changed: "{{ start_result | changed }}"
   when: not openshift_master_ha | bool
 
 - name: Mask master service
-  command: systemctl mask {{ openshift.common.service_type }}-master
-  when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and not openshift.common.is_containerized | bool
+  systemd:
+    name: "{{ openshift.common.service_type }}-master"
+    masked: yes
+  when: >
+    openshift_master_ha | bool and
+    openshift.master.cluster_method == 'native' and
+    not openshift.common.is_containerized | bool
 
 - name: Start and enable master api on first master
-  service:
+  systemd:
     name: "{{ openshift.common.service_type }}-master-api"
     enabled: yes
     state: started
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and inventory_hostname == openshift_master_hosts[0]
   register: start_result
+  until: not start_result | failed
+  retries: 1
+  delay: 60
 
 - set_fact:
     master_api_service_status_changed: "{{ start_result | changed }}"
@@ -212,12 +225,15 @@
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
 
 - name: Start and enable master api all masters
-  service:
+  systemd:
     name: "{{ openshift.common.service_type }}-master-api"
     enabled: yes
     state: started
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and inventory_hostname != openshift_master_hosts[0]
   register: start_result
+  until: not start_result | failed
+  retries: 1
+  delay: 60
 
 - set_fact:
     master_api_service_status_changed: "{{ start_result | changed }}"
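Review bot: `failed_when: "task_result|failed and 'could not' not in task_result.msg|lower"` on "Stop and disable non-HA master when running HA" dereferences `task_result.msg` on every failure; if a failed systemd result ever lacks a `msg` key, the `failed_when` expression itself errors out instead of tolerating the failure as intended, so it should read `failed_when: "task_result|failed and 'could not' not in task_result.msg|default('')|lower"`. The check also keys on a substring of a human-readable error, which is fragile across Ansible and systemd versions; a comment stating which condition it is meant to swallow (presumably the unit not existing, which the removed `systemctl show` pre-check used to detect via `LoadState=not-found`) would let a future maintainer re-validate it. The new TODO comment has a doubled word, "to to resolve". The task list continues outside the hunk on both sides.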
@@ -245,37 +261,47 @@
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and master_api_service_status_changed | bool
 
 - name: Start and enable master controller on first master
-  service:
+  systemd:
     name: "{{ openshift.common.service_type }}-master-controllers"
     enabled: yes
     state: started
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and inventory_hostname == openshift_master_hosts[0]
   register: start_result
+  until: not start_result | failed
+  retries: 1
+  delay: 60
 
-- pause:
+- name: Wait for master controller service to start on first master
+  pause:
     seconds: 15
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
 
 - name: Start and enable master controller on all masters
-  service:
+  systemd:
     name: "{{ openshift.common.service_type }}-master-controllers"
     enabled: yes
     state: started
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and inventory_hostname != openshift_master_hosts[0]
   register: start_result
+  until: not start_result | failed
+  retries: 1
+  delay: 60
 
 - set_fact:
     master_controllers_service_status_changed: "{{ start_result | changed }}"
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
 
 - name: Install cluster packages
-  action: "{{ ansible_pkg_mgr }} name=pcs state=present"
+  package: name=pcs state=present
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
         and not openshift.common.is_containerized | bool
   register: install_result
 
 - name: Start and enable cluster service
-  service: name=pcsd enabled=yes state=started
+  systemd:
+    name: pcsd
+    enabled: yes
+    state: started
   when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
         and not openshift.common.is_containerized | bool
 
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 56110c28f..39ea42ab3 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -1,3 +1,4 @@
+---
 # This file is included both in the openshift_master role and in the upgrade
 # playbooks. For that reason the ha_svc variables are use set_fact instead of
 # the vars directory on the role.
@@ -13,6 +14,14 @@
     ha_svc_template_path: "docker-cluster"
   when: openshift.common.is_containerized | bool
 
+# This is the image used for both HA and non-HA clusters:
+- name: Pre-pull master image
+  command: >
+    docker pull {{ openshift.master.master_image }}:{{ openshift_image_tag }}
+  register: pull_result
+  changed_when: "'Downloaded newer image' in pull_result.stdout"
+  when: openshift.common.is_containerized | bool
+
 # workaround for missing systemd unit files
 - name: Create the systemd unit files
   template:
@@ -127,16 +136,22 @@
 
 - name: Preserve Master Proxy Config options
   command: grep PROXY /etc/sysconfig/{{ openshift.common.service_type }}-master
-  register: master_proxy
+  register: master_proxy_result
   failed_when: false
   changed_when: false
 
+- set_fact:
+    master_proxy: "{{ master_proxy_result.stdout_lines | default([]) }}"
+
 - name: Preserve Master AWS options
   command: grep AWS_ /etc/sysconfig/{{ openshift.common.service_type }}-master
-  register: master_aws
+  register: master_aws_result
   failed_when: false
   changed_when: false
 
+- set_fact:
+    master_aws: "{{ master_aws_result.stdout_lines | default([]) }}"
+
 - name: Create the master service env file
   template:
     src: "atomic-openshift-master.j2"
@@ -144,17 +159,3 @@
     backup: true
   notify:
   - restart master
-
- name: Restore Master Proxy Config Options
-  lineinfile:
-    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master
-    line: "{{ item }}"
-  with_items: "{{ master_proxy.stdout_lines | default([]) }}"
-  when: master_proxy.rc == 0 and 'http_proxy' not in openshift.common and 'https_proxy' not in openshift.common
-
- name: Restore Master AWS Options
-  lineinfile:
-    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master
-    line: "{{ item }}"
-  with_items: "{{ master_aws.stdout_lines | default([]) }}"
-  when: master_aws.rc == 0 and not (openshift_cloudprovider_kind is defined and openshift_cloudprovider_kind == 'aws' and openshift_cloudprovider_aws_access_key is defined and openshift_cloudprovider_aws_secret_key is defined)
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index 10eaeb401..7aea89578 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,4 +1,4 @@
-OPTIONS=--loglevel={{ openshift.master.debug_level }}
+OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
 CONFIG_FILE={{ openshift_master_config_file }}
 {% if openshift.common.is_containerized | bool %}
 IMAGE_VERSION={{ openshift_image_tag }}
@@ -8,6 +8,11 @@ IMAGE_VERSION={{ openshift_image_tag }}
 AWS_ACCESS_KEY_ID={{ openshift_cloudprovider_aws_access_key }}
 AWS_SECRET_ACCESS_KEY={{ openshift_cloudprovider_aws_secret_key }}
 {% endif %}
+{% if not (openshift_cloudprovider_kind is defined and openshift_cloudprovider_kind == 'aws' and openshift_cloudprovider_aws_access_key is defined and openshift_cloudprovider_aws_secret_key is defined) %}
+{% for item in master_aws %}
+{{ item }}
+{% endfor %}
+{% endif %}
 
 {% if 'api_env_vars' in openshift.master or 'controllers_env_vars' in openshift.master -%}
 {% for key, value in openshift.master.api_env_vars.items() | default([]) | union(openshift.master.controllers_env_vars.items() | default([])) -%}
@@ -26,3 +31,8 @@ HTTPS_PROXY={{ openshift.common.https_proxy | default('')}}
 {% if 'no_proxy' in openshift.common %}
 NO_PROXY={{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}
 {% endif %}
+{% if not ('https_proxy' in openshift.common or 'https_proxy' in openshift.common or 'no_proxy' in openshift.common) %}
+{% for item in master_proxy %}
+{{ item }}
+{% endfor %}
+{% endif %}
diff --git a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
index a8f5d7351..088e8db43 100644
--- a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
+++ b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
@@ -18,7 +18,7 @@ LimitNOFILE=131072
 LimitCORE=infinity
 WorkingDirectory={{ openshift.common.data_dir }}
 SyslogIdentifier={{ openshift.common.service_type }}-master-controllers
-Restart=on-failure
+Restart=always
 RestartSec=5s
 
 [Install]
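Review bot: The new guard in the second hunk, `{% if not ('https_proxy' in openshift.common or 'https_proxy' in openshift.common or 'no_proxy' in openshift.common) %}`, tests `https_proxy` twice and never `http_proxy`, whereas the task it replaces (removed from systemd_units.yml in this commit) checked `'http_proxy' not in openshift.common and 'https_proxy' not in openshift.common`; with only `http_proxy` configured, the old `PROXY` lines from the sysconfig file are re-emitted next to the freshly generated `HTTP_PROXY`. The first term should read `'http_proxy' in openshift.common`. Both this loop and the `master_aws` loop in the first hunk iterate a fact that is only set by `set_fact` in systemd_units.yml, so `{% for item in master_proxy | default([]) %}` (and the same for `master_aws`) keeps the template renderable if it is ever used without that include. The `master_aws` block writes back whatever `AWS_` lines the previous file contained, which by the `AWS_SECRET_ACCESS_KEY=` line just above includes a secret; a comment stating that this carry-over is intentional would stop it being mistaken for a leak later.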
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index ced3eb76f..fcb8125e9 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -1,7 +1,4 @@
 admissionConfig:
-{% if 'admission_plugin_order' in openshift.master %}
-  pluginOrderOverride:{{ openshift.master.admission_plugin_order | to_padded_yaml(level=2) }}
-{% endif %}
 {% if 'admission_plugin_config' in openshift.master %}
   pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }}
 {% endif %}
@@ -18,8 +15,8 @@ assetConfig:
 {% if 'logging_public_url' in openshift.master %}
   loggingPublicURL: {{ openshift.master.logging_public_url }}
 {% endif %}
-{% if 'metrics_public_url' in openshift.master %}
-  metricsPublicURL: {{ openshift.master.metrics_public_url }}
+{% if openshift_hosted_metrics_deploy | default(false) | bool %}
+  metricsPublicURL: {{ openshift_hosted_metrics_public_url }}
 {% endif %}
 {% if 'extension_scripts' in openshift.master %}
   extensionScripts: {{ openshift.master.extension_scripts | to_padded_yaml(1, 2) }}
@@ -116,13 +113,6 @@ kubernetesMasterConfig:
     - v1beta3
     - v1
 {% endif %}
-  admissionConfig:
-{% if 'kube_admission_plugin_order' in openshift.master %}
-    pluginOrderOverride:{{ openshift.master.kube_admission_plugin_order | to_padded_yaml(level=3) }}
-{% endif %}
-{% if 'kube_admission_plugin_config' in openshift.master %}
-    pluginConfig:{{ openshift.master.kube_admission_plugin_config | to_padded_yaml(level=3) }}
-{% endif %}
   apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }}
   controllerArguments: {{ openshift.master.controller_args | default(None) | to_padded_yaml( level=2 ) }}
   masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }}
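Review bot: In the `assetConfig` hunk, `metricsPublicURL: {{ openshift_hosted_metrics_public_url }}` is rendered whenever `openshift_hosted_metrics_deploy` is true, but nothing here guarantees `openshift_hosted_metrics_public_url` is defined; unless the `openshift_hosted_facts` dependency added in meta/main.yml always sets it, the render either fails or writes an empty URL, where the replaced `'metrics_public_url' in openshift.master` test simply omitted the key. `{% if openshift_hosted_metrics_deploy | default(false) | bool and openshift_hosted_metrics_public_url is defined %}` keeps that omit-when-unknown behaviour. The `admissionConfig` hunks drop `pluginOrderOverride` for both the OpenShift and Kubernetes admission chains with no comment; a line saying why (and whether `openshift.master.admission_plugin_order` is now ignored or rejected elsewhere) would spare anyone still carrying that inventory variable a silent change. The template continues outside each hunk.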
@@ -131,8 +121,9 @@ kubernetesMasterConfig:
   proxyClientInfo:
     certFile: master.proxy-client.crt
     keyFile: master.proxy-client.key
+  schedulerArguments: {{ openshift_master_scheduler_args | default(None) | to_padded_yaml( level=3 ) }}
   schedulerConfigFile: {{ openshift_master_scheduler_conf }}
-  servicesNodePortRange: ""
+  servicesNodePortRange: "{{ openshift_node_port_range | default("") }}"
   servicesSubnet: {{ openshift.common.portal_net }}
   staticNodeNames: {{ openshift_node_ips | default([], true) }}
 {% endif %}
@@ -158,12 +149,15 @@ masterPublicURL: {{ openshift.master.public_api_url }}
 networkConfig:
   clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
   hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }}
-{% if openshift.common.use_openshift_sdn or openshift.common.use_nuage %}
+{% if openshift.common.use_openshift_sdn or openshift.common.use_nuage or openshift.common.sdn_network_plugin_name == 'cni' %}
   networkPluginName: {{ openshift.common.sdn_network_plugin_name }}
 {% endif %}
 # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
   serviceNetworkCIDR: {{ openshift.common.portal_net }}
   externalIPNetworkCIDRs: {{ openshift_master_external_ip_network_cidrs | default(["0.0.0.0/0"]) | to_padded_yaml(1,2) }}
+{% if openshift_master_ingress_ip_network_cidr is defined %}
+  ingressIPNetworkCIDR: {{ openshift_master_ingress_ip_network_cidr }}
+{% endif %}
 oauthConfig:
 {% if 'oauth_always_show_provider_selection' in openshift.master %}
   alwaysShowProviderSelection: {{ openshift.master.oauth_always_show_provider_selection }}
@@ -208,7 +202,7 @@ projectConfig:
   mcsLabelsPerProject: {{ openshift.master.mcs_labels_per_project }}
   uidAllocatorRange: "{{ openshift.master.uid_allocator_range }}"
 routingConfig:
-  subdomain: "{{ openshift.master.default_subdomain | default("") }}"
+  subdomain: "{{ openshift_master_default_subdomain | default("") }}"
 serviceAccountConfig:
   limitSecretReferences: false
   managedNames:
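Review bot: `schedulerArguments: {{ openshift_master_scheduler_args | default(None) | to_padded_yaml( level=3 ) }}` sits at the same depth under `kubernetesMasterConfig` as `apiServerArguments` and `controllerArguments`, which the previous hunk shows using `level=2`; if `to_padded_yaml` pads by level, the scheduler map is emitted two columns deeper than its siblings, which parses but reads as a different nesting. Unless that is deliberate, `to_padded_yaml( level=2 )` keeps the three argument maps aligned. The new `ingressIPNetworkCIDR` is guarded by `is defined`, which is the right shape; the sibling `externalIPNetworkCIDRs` context line still defaults to `0.0.0.0/0`, and a comment beside the new key noting that it is only honoured when set would make the contrast clear to a reader of the rendered config. The template continues outside each hunk.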
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.service.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.service.j2
index 1f50fdce1..0e78d2d23 100644
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.service.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.service.j2
@@ -15,6 +15,7 @@ LimitNOFILE=131072
 LimitCORE=infinity
 WorkingDirectory={{ openshift.common.data_dir }}
 SyslogIdentifier=atomic-openshift-master-api
+Restart=always
 RestartSec=5s
 
 [Install]
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
index bf62696f0..94928f88c 100644
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
@@ -19,7 +19,7 @@ LimitNOFILE=131072
 LimitCORE=infinity
 WorkingDirectory={{ openshift.common.data_dir }}
 SyslogIdentifier={{ openshift.common.service_type }}-master-controllers
-Restart=on-failure
+Restart=always
 RestartSec=5s
 
 [Install]
diff --git a/roles/openshift_master/vars/main.yml b/roles/openshift_master/vars/main.yml
index 7c1d5a212..01cd28c66 100644
--- a/roles/openshift_master/vars/main.yml
+++ b/roles/openshift_master/vars/main.yml
@@ -1,17 +1,18 @@
 ---
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml"
 openshift_master_loopback_config: "{{ openshift_master_config_dir }}/openshift-master.kubeconfig"
 loopback_context_string: "current-context: {{ openshift.master.loopback_context_name }}"
-openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json"
 openshift_master_session_secrets_file: "{{ openshift_master_config_dir }}/session-secrets.yaml"
 openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json"
 
 scheduler_config:
   kind: Policy
   apiVersion: v1
-  predicates: "{{ openshift.master.scheduler_predicates }}"
-  priorities: "{{ openshift.master.scheduler_priorities }}"
+  predicates: "{{ openshift_master_scheduler_predicates
+                  | default(openshift_master_scheduler_current_predicates
+                  | default(openshift_master_scheduler_default_predicates)) }}"
+  priorities: "{{ openshift_master_scheduler_priorities
+                  | default(openshift_master_scheduler_current_priorities
+                  | default(openshift_master_scheduler_default_priorities)) }}"
 openshift_master_valid_grant_methods:
 - auto |
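Review bot: The surviving entries still expand `{{ openshift_master_config_dir }}` (loopback config, session secrets file, policy) after this hunk removes its definition from the file, so the role now depends on that variable arriving from elsewhere, presumably the `openshift_master_facts` dependency added in meta/main.yml. A one-line comment above `openshift_master_loopback_config`, e.g. `# openshift_master_config_dir, openshift_master_config_file and openshift_master_scheduler_conf are expected from the openshift_master_facts dependency`, would make that contract visible, since a vars/ file gives no other hint of where a name comes from. The multi-line `default(...)` chains inside the double-quoted `predicates`/`priorities` values are valid (YAML folds the line breaks to spaces) but would read more clearly as `>-` block scalars.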