diff options
Diffstat (limited to 'roles/openshift_master_facts')
| -rw-r--r-- | roles/openshift_master_facts/defaults/main.yml | 22 | ||||
| -rw-r--r-- | roles/openshift_master_facts/filter_plugins/openshift_master.py | 5 | ||||
| -rw-r--r-- | roles/openshift_master_facts/tasks/main.yml | 8 |
3 files changed, 29 insertions, 6 deletions
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml index f1cbbeb2d..a80313505 100644 --- a/roles/openshift_master_facts/defaults/main.yml +++ b/roles/openshift_master_facts/defaults/main.yml @@ -1,2 +1,24 @@ --- openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}" +openshift_master_admission_plugin_config: + openshift.io/ImagePolicy: + configuration: + kind: ImagePolicyConfig + apiVersion: v1 + # To require that all images running on the platform be imported first, you may uncomment the + # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it + # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that + # digest has been imported via the import-image flow. + #resolveImages: Required + executionRules: + - name: execution-denied + # Reject all images that have the annotation images.openshift.io/deny-execution set to true. + # This annotation may be set by infrastructure that wishes to flag particular images as dangerous + onResources: + - resource: pods + - resource: builds + reject: true + matchImageAnnotations: + - key: images.openshift.io/deny-execution + value: "true" + skipOnResolutionFailure: true diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py index e570392ff..e767772ce 100644 --- a/roles/openshift_master_facts/filter_plugins/openshift_master.py +++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py @@ -1,6 +1,5 @@ #!/usr/bin/python # -*- coding: utf-8 -*- -# vim: expandtab:tabstop=4:shiftwidth=4 ''' Custom filters for use in openshift-master ''' @@ -469,7 +468,8 @@ class GitHubIdentityProvider(IdentityProviderOauthBase): """ def __init__(self, api_version, idp): IdentityProviderOauthBase.__init__(self, api_version, idp) - self._optional += [['organizations']] + self._optional += [['organizations'], + ['teams']] class FilterModule(object): @@ -496,6 +496,7 @@ class FilterModule(object): return u(yaml.dump([idp.to_dict() for idp in idp_list], allow_unicode=True, default_flow_style=False, + width=float("inf"), Dumper=AnsibleDumper)) @staticmethod diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index 6f8f09b22..ef8dcd5fd 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml @@ -74,7 +74,7 @@ ldap_ca: "{{ openshift_master_ldap_ca | default(lookup('file', openshift_master_ldap_ca_file) if openshift_master_ldap_ca_file is defined else None) }}" openid_ca: "{{ openshift_master_openid_ca | default(lookup('file', openshift_master_openid_ca_file) if openshift_master_openid_ca_file is defined else None) }}" request_header_ca: "{{ openshift_master_request_header_ca | default(lookup('file', openshift_master_request_header_ca_file) if openshift_master_request_header_ca_file is defined else None) }}" - registry_url: "{{ oreg_url | default(None) }}" + registry_url: "{{ oreg_url_master | default(oreg_url) | default(None) }}" oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}" sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}" sdn_host_subnet_length: "{{ osm_host_subnet_length | default(None) }}" @@ -92,7 +92,7 @@ master_count: "{{ openshift_master_count | default(None) }}" controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}" master_image: "{{ osm_image | default(None) }}" - admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}" + admission_plugin_config: "{{openshift_master_admission_plugin_config }}" kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2 oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}" @@ -128,10 +128,10 @@ - name: Test if scheduler config is readable fail: msg: "Unknown scheduler config apiVersion {{ openshift_master_scheduler_config.apiVersion }}" - when: "{{ openshift_master_scheduler_current_config.apiVersion | default(None) != 'v1' }}" + when: openshift_master_scheduler_current_config.apiVersion | default(None) != 'v1' - name: Set current scheduler predicates and priorities set_fact: openshift_master_scheduler_current_predicates: "{{ openshift_master_scheduler_current_config.predicates }}" openshift_master_scheduler_current_priorities: "{{ openshift_master_scheduler_current_config.priorities }}" - when: "{{ scheduler_config_stat.stat.exists }}" + when: scheduler_config_stat.stat.exists |