Diffstat (limited to 'roles/openshift_master_facts')
8 files changed, 86 insertions, 36 deletions
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml
index f1cbbeb2d..a80313505 100644
--- a/roles/openshift_master_facts/defaults/main.yml
+++ b/roles/openshift_master_facts/defaults/main.yml
@@ -1,2 +1,24 @@
 ---
 openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
+openshift_master_admission_plugin_config:
+ openshift.io/ImagePolicy:
+ configuration:
+ kind: ImagePolicyConfig
+ apiVersion: v1
+ # To require that all images running on the platform be imported first, you may uncomment the
+ # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it
+ # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that
+ # digest has been imported via the import-image flow.
+ #resolveImages: Required
+ executionRules:
+ - name: execution-denied
+ # Reject all images that have the annotation images.openshift.io/deny-execution set to true.
+ # This annotation may be set by infrastructure that wishes to flag particular images as dangerous
+ onResources:
+ - resource: pods
+ - resource: builds
+ reject: true
+ matchImageAnnotations:
+ - key: images.openshift.io/deny-execution
+ value: "true"
+ skipOnResolutionFailure: true
diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py
index db24028cd..e767772ce 100644
--- a/roles/openshift_master_facts/filter_plugins/openshift_master.py
+++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py
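Review bot: `skipOnResolutionFailure: true` on the `execution-denied` rule makes the rule fail open, and nothing in the added comments says so. As I understand the ImagePolicy plugin, a pod or build whose image cannot be resolved to image metadata skips the rule, so the `images.openshift.io/deny-execution` annotation is only enforced for images the cluster can already look up. That is presumably the intended default while `#resolveImages: Required` stays commented out, but it deserves a line next to the key, for example `# Images whose metadata cannot be resolved skip this rule (fail open).`. The comment above `#resolveImages` also repeats "unless it" across two lines.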
@@ -1,18 +1,24 @@ #!/usr/bin/python # -*- coding: utf-8 -*- -# vim: expandtab:tabstop=4:shiftwidth=4 ''' Custom filters for use in openshift-master ''' import copy import sys +# pylint import-error disabled because pylint cannot find the package +# when installed in a virtualenv from distutils.version import LooseVersion # pylint: disable=no-name-in-module,import-error from ansible import errors from ansible.parsing.yaml.dumper import AnsibleDumper from ansible.plugins.filter.core import to_bool as ansible_bool -from six import string_types + +# ansible.compat.six goes away with Ansible 2.4 +try: + from ansible.compat.six import string_types, u +except ImportError: + from ansible.module_utils.six import string_types, u import yaml @@ -462,7 +468,8 @@ class GitHubIdentityProvider(IdentityProviderOauthBase): """ def __init__(self, api_version, idp): IdentityProviderOauthBase.__init__(self, api_version, idp) - self._optional += [['organizations']] + self._optional += [['organizations'], + ['teams']] class FilterModule(object): @@ -486,10 +493,11 @@ class FilterModule(object): idp_list.append(idp_inst) IdentityProviderBase.validate_idp_list(idp_list, openshift_version, deployment_type) - return yaml.dump([idp.to_dict() for idp in idp_list], - allow_unicode=True, - default_flow_style=False, - Dumper=AnsibleDumper) + return u(yaml.dump([idp.to_dict() for idp in idp_list], + allow_unicode=True, + default_flow_style=False, + width=float("inf"), + Dumper=AnsibleDumper)) @staticmethod def validate_pcs_cluster(data, masters=None): diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py index 7f7bc4316..c45f255af 100644 --- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py +++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py 
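Review bot: `['teams']` is added to `_optional` in `GitHubIdentityProvider.__init__` with no visible check against `['organizations']` and no version gate. If the targeted OpenShift release treats the two keys as mutually exclusive, or predates `teams` (both worth confirming), a bad inventory would pass this filter and only fail when the master reads its config. The class's validation code lies outside the hunk, so this may already be handled. If it is not, raise `errors.AnsibleFilterError` there when both keys are present, and add a comment naming the first release that accepts `teams`.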
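Review bot: Wrapping the dump in `u(...)` in the `return` of the last hunk is not a safe bytes-to-text conversion. On Python 2, six's `u()` decodes with `unicode_escape`, which is meant for ASCII string literals. With `allow_unicode=True`, `yaml.dump` can emit UTF-8 bytes, so a non-ASCII value in an identity provider (a bind DN or display name) would be read byte-by-byte as Latin-1 and written garbled into the master config. An explicit decode avoids this, for example `to_text(yaml.dump(...))` with `from ansible.module_utils._text import to_text`, which leaves text unchanged on Python 3. The enclosing static method starts outside the hunk.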
@@ -40,20 +40,20 @@ class LookupModule(LookupBase): # pylint: disable=line-too-long raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified") if deployment_type == 'origin': - if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', '3.6', 'latest']: + if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '3.6', '3.7', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) elif deployment_type == 'openshift-enterprise': - if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']: + if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', '3.7', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) else: raise AnsibleError("Unknown deployment_type %s" % deployment_type) if deployment_type == 'origin': - # convert short_version to enterpise short_version + # convert short_version to enterprise short_version short_version = re.sub('^1.', '3.', short_version) if short_version == 'latest': - short_version = '3.6' + short_version = '3.7' # Predicates ordered according to OpenShift Origin source: # origin/vendor/k8s.io/kubernetes/plugin/pkg/scheduler/algorithmprovider/defaults/defaults.go @@ -101,7 +101,7 @@ class LookupModule(LookupBase): {'name': 'MatchInterPodAffinity'} ]) - if short_version in ['3.5', '3.6']: + if short_version in ['3.5', '3.6', '3.7']: predicates.extend([ {'name': 'NoVolumeZoneConflict'}, {'name': 'MaxEBSVolumeCount'}, diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py index 66e6ecea3..fe488f49c 100644 --- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py +++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py 
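Review bot: The accepted-version lists are hand-edited literals in three places in this file: the `origin` and `openshift-enterprise` checks here, and the `['3.5', '3.6', '3.7']` branch in the next hunk. The priorities plugin repeats the same three, so every release needs six edits kept in sync. A missed edit either rejects a valid release with "Unknown short_version" or, if only the final branch is missed, probably returns a shorter predicate list without any error. Hoisting them into module-level tuples and deriving the `latest` mapping from the last entry would make the next bump a one-line change. As a minimum, add a comment above the first list such as `# Keep in sync with openshift_master_facts_default_priorities.py and the version branches below.`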
@@ -41,10 +41,10 @@ class LookupModule(LookupBase): raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified") if deployment_type == 'origin': - if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', '3.6', 'latest']: + if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '3.6', '3.7', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) elif deployment_type == 'openshift-enterprise': - if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']: + if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', '3.7', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) else: raise AnsibleError("Unknown deployment_type %s" % deployment_type) @@ -54,7 +54,7 @@ class LookupModule(LookupBase): short_version = re.sub('^1.', '3.', short_version) if short_version == 'latest': - short_version = '3.6' + short_version = '3.7' if short_version == '3.1': priorities.extend([ @@ -91,7 +91,7 @@ class LookupModule(LookupBase): {'name': 'InterPodAffinityPriority', 'weight': 1} ]) - if short_version in ['3.5', '3.6']: + if short_version in ['3.5', '3.6', '3.7']: priorities.extend([ {'name': 'SelectorSpreadPriority', 'weight': 1}, {'name': 'InterPodAffinityPriority', 'weight': 1}, diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index 6f8f09b22..fa228af2a 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml 
@@ -32,7 +32,7 @@ openshift_facts: role: master local_facts: - cluster_method: "{{ openshift_master_cluster_method | default(None) }}" + cluster_method: "{{ openshift_master_cluster_method | default('native') }}" cluster_hostname: "{{ openshift_master_cluster_hostname | default(None) }}" cluster_public_hostname: "{{ openshift_master_cluster_public_hostname | default(None) }}" debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level) }}" @@ -74,7 +74,7 @@ ldap_ca: "{{ openshift_master_ldap_ca | default(lookup('file', openshift_master_ldap_ca_file) if openshift_master_ldap_ca_file is defined else None) }}" openid_ca: "{{ openshift_master_openid_ca | default(lookup('file', openshift_master_openid_ca_file) if openshift_master_openid_ca_file is defined else None) }}" request_header_ca: "{{ openshift_master_request_header_ca | default(lookup('file', openshift_master_request_header_ca_file) if openshift_master_request_header_ca_file is defined else None) }}" - registry_url: "{{ oreg_url | default(None) }}" + registry_url: "{{ oreg_url_master | default(oreg_url) | default(None) }}" oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}" sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}" sdn_host_subnet_length: "{{ osm_host_subnet_length | default(None) }}" 
@@ -92,7 +92,7 @@ master_count: "{{ openshift_master_count | default(None) }}" controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}" master_image: "{{ osm_image | default(None) }}" - admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}" + admission_plugin_config: "{{openshift_master_admission_plugin_config }}" kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2 oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}" @@ -128,10 +128,10 @@ - name: Test if scheduler config is readable fail: msg: "Unknown scheduler config apiVersion {{ openshift_master_scheduler_config.apiVersion }}" - when: "{{ openshift_master_scheduler_current_config.apiVersion | default(None) != 'v1' }}" + when: openshift_master_scheduler_current_config.apiVersion | default(None) != 'v1' - name: Set current scheduler predicates and priorities set_fact: openshift_master_scheduler_current_predicates: "{{ openshift_master_scheduler_current_config.predicates }}" openshift_master_scheduler_current_priorities: "{{ openshift_master_scheduler_current_config.priorities }}" - when: "{{ scheduler_config_stat.stat.exists }}" + when: scheduler_config_stat.stat.exists diff --git a/roles/openshift_master_facts/test/conftest.py b/roles/openshift_master_facts/test/conftest.py index e67d24f04..140cced73 100644 --- a/roles/openshift_master_facts/test/conftest.py +++ b/roles/openshift_master_facts/test/conftest.py @@ -20,7 +20,7 @@ def priorities_lookup(): @pytest.fixture() -def facts(request): +def facts(): return { 'openshift': { 'common': {} 
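Review bot: With `| default(None)` dropped, `admission_plugin_config` takes whatever `openshift_master_admission_plugin_config` resolves to, and the role default is a single dict. Under Ansible's default hash behaviour (replace), an inventory that sets that variable to configure any other plugin replaces the whole dict, so the `execution-denied` ImagePolicy rule disappears without notice. If the rule is meant as a baseline, keep it under its own variable and `combine` the user's dict over it here. Otherwise document the behaviour next to the default, for example `# NOTE: setting this variable in inventory replaces the whole dict, including the ImagePolicy rule below.`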
diff --git a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py index 5a9e545a3..4a28fb8f8 100644 --- a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py +++ b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py @@ -55,6 +55,8 @@ DEFAULT_PREDICATES_1_5 = [ {'name': 'CheckNodeDiskPressure'}, ] +DEFAULT_PREDICATES_3_6 = DEFAULT_PREDICATES_1_5 + REGION_PREDICATE = { 'name': 'Region', 'argument': { @@ -75,9 +77,8 @@ TEST_VARS = [ ('3.4', 'openshift-enterprise', DEFAULT_PREDICATES_1_4), ('1.5', 'origin', DEFAULT_PREDICATES_1_5), ('3.5', 'openshift-enterprise', DEFAULT_PREDICATES_1_5), - ('1.6', 'origin', DEFAULT_PREDICATES_1_5), - ('3.6', 'origin', DEFAULT_PREDICATES_1_5), - ('3.6', 'openshift-enterprise', DEFAULT_PREDICATES_1_5), + ('3.6', 'origin', DEFAULT_PREDICATES_3_6), + ('3.6', 'openshift-enterprise', DEFAULT_PREDICATES_3_6), ] @@ -131,7 +132,9 @@ def short_version_fixture(request, facts): def test_short_version_kwarg(predicates_lookup, short_version_kwarg_fixture, regions_enabled): facts, short_version, default_predicates = short_version_kwarg_fixture - assert_ok(predicates_lookup, default_predicates, variables=facts, regions_enabled=regions_enabled, short_version=short_version) + assert_ok( + predicates_lookup, default_predicates, variables=facts, + regions_enabled=regions_enabled, short_version=short_version) @pytest.fixture(params=TEST_VARS) 
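Review bot: `TEST_VARS` in the predicates tests gets no 3.7 rows, although the predicates plugin in this commit now accepts `'3.7'` and maps `latest` to it. The priorities tests do gain `('3.7', ...)` entries, so the new predicates branch is the only one left untested. Mirroring the priorities file would close the gap: `DEFAULT_PREDICATES_3_7 = DEFAULT_PREDICATES_3_6`, then `('3.7', 'origin', DEFAULT_PREDICATES_3_7),` and `('3.7', 'openshift-enterprise', DEFAULT_PREDICATES_3_7),`. Note also that `DEFAULT_PREDICATES_3_6 = DEFAULT_PREDICATES_1_5` aliases the same list object, so a test that mutates one changes both, unless the helpers copy it, which is not visible here.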
@@ -143,7 +146,9 @@ def short_version_kwarg_fixture(request, facts): def test_deployment_type_kwarg(predicates_lookup, deployment_type_kwarg_fixture, regions_enabled): facts, deployment_type, default_predicates = deployment_type_kwarg_fixture - assert_ok(predicates_lookup, default_predicates, variables=facts, regions_enabled=regions_enabled, deployment_type=deployment_type) + assert_ok( + predicates_lookup, default_predicates, variables=facts, + regions_enabled=regions_enabled, deployment_type=deployment_type) @pytest.fixture(params=TEST_VARS) @@ -153,9 +158,12 @@ def deployment_type_kwarg_fixture(request, facts): return facts, deployment_type, default_predicates -def test_short_version_deployment_type_kwargs(predicates_lookup, short_version_deployment_type_kwargs_fixture, regions_enabled): +def test_short_version_deployment_type_kwargs( + predicates_lookup, short_version_deployment_type_kwargs_fixture, regions_enabled): short_version, deployment_type, default_predicates = short_version_deployment_type_kwargs_fixture - assert_ok(predicates_lookup, default_predicates, regions_enabled=regions_enabled, short_version=short_version, deployment_type=deployment_type) + assert_ok( + predicates_lookup, default_predicates, regions_enabled=regions_enabled, + short_version=short_version, deployment_type=deployment_type) @pytest.fixture(params=TEST_VARS) diff --git a/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py b/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py index 81d3ee19e..44b564d6f 100644 --- a/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py +++ b/roles/openshift_master_facts/test/openshift_master_facts_default_priorities_tests.py 
@@ -42,6 +42,10 @@ DEFAULT_PRIORITIES_1_5 = [ {'name': 'TaintTolerationPriority', 'weight': 1} ] +DEFAULT_PRIORITIES_3_6 = DEFAULT_PRIORITIES_1_5 + +DEFAULT_PRIORITIES_3_7 = DEFAULT_PRIORITIES_3_6 + ZONE_PRIORITY = { 'name': 'Zone', 'argument': { @@ -63,9 +67,10 @@ TEST_VARS = [ ('3.4', 'openshift-enterprise', DEFAULT_PRIORITIES_1_4), ('1.5', 'origin', DEFAULT_PRIORITIES_1_5), ('3.5', 'openshift-enterprise', DEFAULT_PRIORITIES_1_5), - ('1.6', 'origin', DEFAULT_PRIORITIES_1_5), - ('3.6', 'origin', DEFAULT_PRIORITIES_1_5), - ('3.6', 'openshift-enterprise', DEFAULT_PRIORITIES_1_5), + ('3.6', 'origin', DEFAULT_PRIORITIES_3_6), + ('3.6', 'openshift-enterprise', DEFAULT_PRIORITIES_3_6), + ('3.7', 'origin', DEFAULT_PRIORITIES_3_7), + ('3.7', 'openshift-enterprise', DEFAULT_PRIORITIES_3_7), ] @@ -119,7 +124,9 @@ def short_version_fixture(request, facts): def test_short_version_kwarg(priorities_lookup, short_version_kwarg_fixture, zones_enabled): facts, short_version, default_priorities = short_version_kwarg_fixture - assert_ok(priorities_lookup, default_priorities, variables=facts, zones_enabled=zones_enabled, short_version=short_version) + assert_ok( + priorities_lookup, default_priorities, variables=facts, + zones_enabled=zones_enabled, short_version=short_version) @pytest.fixture(params=TEST_VARS) @@ -131,7 +138,9 @@ def short_version_kwarg_fixture(request, facts): def test_deployment_type_kwarg(priorities_lookup, deployment_type_kwarg_fixture, zones_enabled): facts, deployment_type, default_priorities = deployment_type_kwarg_fixture - assert_ok(priorities_lookup, default_priorities, variables=facts, zones_enabled=zones_enabled, deployment_type=deployment_type) + assert_ok( + priorities_lookup, default_priorities, variables=facts, + zones_enabled=zones_enabled, deployment_type=deployment_type) @pytest.fixture(params=TEST_VARS) 
@@ -141,9 +150,12 @@ def deployment_type_kwarg_fixture(request, facts): return facts, deployment_type, default_priorities -def test_short_version_deployment_type_kwargs(priorities_lookup, short_version_deployment_type_kwargs_fixture, zones_enabled): +def test_short_version_deployment_type_kwargs( + priorities_lookup, short_version_deployment_type_kwargs_fixture, zones_enabled): short_version, deployment_type, default_priorities = short_version_deployment_type_kwargs_fixture - assert_ok(priorities_lookup, default_priorities, zones_enabled=zones_enabled, short_version=short_version, deployment_type=deployment_type) + assert_ok( + priorities_lookup, default_priorities, zones_enabled=zones_enabled, + short_version=short_version, deployment_type=deployment_type) @pytest.fixture(params=TEST_VARS) |