Diffstat (limited to 'roles')
40 files changed, 405 insertions, 40 deletions
diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2 index 990a86c21..9151dd0bd 100644 --- a/roles/etcd/templates/etcd.conf.j2 +++ b/roles/etcd/templates/etcd.conf.j2 @@ -60,3 +60,9 @@ ETCD_PEER_CA_FILE={{ etcd_peer_ca_file }} ETCD_PEER_CERT_FILE={{ etcd_peer_cert_file }} ETCD_PEER_KEY_FILE={{ etcd_peer_key_file }} {% endif -%} + +#[logging] +ETCD_DEBUG="{{ etcd_debug | default(false) | string }}" +{% if etcd_log_package_levels is defined %} +ETCD_LOG_PACKAGE_LEVELS="{{ etcd_log_package_levels }}" +{% endif %} diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index af1d13fe1..afe026099 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -130,6 +130,12 @@ options: required: false default: True aliases: [] + expire_days: + description + - Validity of the certificate in days + required: false + default: None + aliases: [] author: - "Kenny Woodson <kwoodson@redhat.com>" extends_documentation_fragment: [] @@ -1480,6 +1486,7 @@ class CAServerCert(OpenShiftCLI): 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, 'signer_serial': {'value': params['signer_serial'], 'include': True}, + 'expire_days': {'value': params['expire_days'], 'include': True}, 'backup': {'value': params['backup'], 'include': False}, }) @@ -1538,6 +1545,7 @@ def main(): signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), + expire_days=dict(default=None, type='int'), ), supports_check_mode=True, ) diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py index c80c2eb44..10f1c9b4b 100644 --- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py 
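Review bot: `ETCD_DEBUG` is rendered with no hint that it is a troubleshooting switch, and etcd debug logging is verbose enough that on the store holding the cluster's secrets it should not be left on; add a comment above the new block, e.g. `# Debug logging is for troubleshooting only: it is noisy and, depending on the etcd version, may log request details. Do not leave it enabled in production.` The `etcd_log_package_levels` value is also interpolated verbatim inside double quotes, so a value containing `"` would corrupt the environment file; since this is operator-supplied inventory, a one-line note that it must be a plain `pkg=LEVEL,...` list is enough.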
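Review bot: The new `expire_days` entry in the DOCUMENTATION block is missing the colon after `description`, so the YAML reads as a bare scalar followed by a sequence and will not parse — `ansible-doc` and anything else that loads the module documentation will fail on it. It should be `description:` exactly like the surrounding options. Because this library file is generated, the same line in `roles/lib_openshift/src/doc/ca_server_cert` (also touched by this commit) is where the fix belongs, followed by regenerating the library copy.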
+++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py @@ -20,6 +20,7 @@ def main(): signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), + expire_days=dict(default=None, type='int'), ), supports_check_mode=True, ) diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py index 18c69f2fa..fa0c4e3af 100644 --- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py @@ -102,6 +102,7 @@ class CAServerCert(OpenShiftCLI): 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, 'signer_serial': {'value': params['signer_serial'], 'include': True}, + 'expire_days': {'value': params['expire_days'], 'include': True}, 'backup': {'value': params['backup'], 'include': False}, }) diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert index ff9229281..7f2be4ada 100644 --- a/roles/lib_openshift/src/doc/ca_server_cert +++ b/roles/lib_openshift/src/doc/ca_server_cert @@ -79,6 +79,12 @@ options: required: false default: True aliases: [] + expire_days: + description + - Validity of the certificate in days + required: false + default: None + aliases: [] author: - "Kenny Woodson <kwoodson@redhat.com>" extends_documentation_fragment: [] diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md index 96c9cd5f2..dfbe81c6c 100644 --- a/roles/openshift_ca/README.md +++ b/roles/openshift_ca/README.md 
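Review bot: `expire_days` is accepted as any int, including 0 or a negative value, and is then handed straight to `oc adm ca create-server-cert`; whether oc rejects non-positive values is not visible here, so the module should fail early with a clear message rather than depend on it. After the `AnsibleModule` is constructed (just past the hunk), add `if module.params['expire_days'] is not None and module.params['expire_days'] <= 0:` / `module.fail_json(msg='expire_days must be a positive integer')`. `main()` continues beyond the hunk.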
@@ -19,6 +19,8 @@ From this role: | openshift_ca_key | `{{ openshift_ca_config_dir }}/ca.key` | CA key path including CA key filename. | | openshift_ca_serial | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename. | | openshift_version | `{{ openshift_pkg_version }}` | OpenShift package version. | +| openshift_master_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | +| openshift_ca_cert_expire_days | `1825` (5 years) | Validity of the CA certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | Dependencies ------------ diff --git a/roles/openshift_ca/defaults/main.yml b/roles/openshift_ca/defaults/main.yml new file mode 100644 index 000000000..ecfcc88b3 --- /dev/null +++ b/roles/openshift_ca/defaults/main.yml @@ -0,0 +1,3 @@ +--- +openshift_ca_cert_expire_days: 1825 +openshift_master_cert_expire_days: 730 diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index 70c2a9121..3b17d9ed6 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -88,7 +88,7 @@ # This should NOT replace the CA due to --overwrite=false when a CA already exists. - name: Create the master certificates if they do not already exist command: > - {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-master-certs + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} 
@@ -99,6 +99,10 @@ --master={{ openshift.master.api_url }} --public-master={{ openshift.master.public_api_url }} --cert-dir={{ openshift_ca_config_dir }} + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + --signer-expire-days={{ openshift_ca_cert_expire_days }} + {% endif %} --overwrite=false when: master_ca_missing | bool or openshift_certificates_redeploy | default(false) | bool delegate_to: "{{ openshift_ca_host }}" diff --git a/roles/openshift_excluder/tasks/disable.yml b/roles/openshift_excluder/tasks/disable.yml index e23496b3b..325d2a4e8 100644 --- a/roles/openshift_excluder/tasks/disable.yml +++ b/roles/openshift_excluder/tasks/disable.yml @@ -1,6 +1,5 @@ --- # input variables -# - with_status_check # - excluder_package_state # - docker_excluder_package_state - include: init.yml @@ -35,6 +34,6 @@ unexclude_docker_excluder: false # disable openshift excluder is never overrided to be enabled # disable it if the docker excluder is enabled - unexclude_openshift_excluder: true + unexclude_openshift_excluder: "{{ openshift_excluder_on | bool }}" when: - not openshift.common.is_atomic | bool diff --git a/roles/openshift_facts/meta/main.yml b/roles/openshift_facts/meta/main.yml index 0be3afd24..7eead2d6e 100644 --- a/roles/openshift_facts/meta/main.yml +++ b/roles/openshift_facts/meta/main.yml @@ -12,4 +12,5 @@ galaxy_info: categories: - cloud - system -dependencies: [] +dependencies: +- role: openshift_sanitize_inventory diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 73c668c72..93972f0e0 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml 
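Review bot: Nothing checks that `openshift_master_cert_expire_days` does not exceed `openshift_ca_cert_expire_days`, yet both are operator-settable; a leaf certificate that outlives its signer CA becomes unverifiable the day the CA expires, so an assert before this task would catch the misconfiguration: `- assert: { that: openshift_master_cert_expire_days | int <= openshift_ca_cert_expire_days | int, msg: 'master cert validity must not exceed CA validity' }`. Note also that, as the comment above the task says, `--overwrite=false` means `--signer-expire-days` only takes effect when the CA is first created; changing the variable on an existing cluster does nothing until the CA is redeployed, which is worth stating in the README row for `openshift_ca_cert_expire_days`. The task continues outside the hunk.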
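Review bot: The two comment lines above `unexclude_openshift_excluder` still say the value is never overridden and is disabled whenever the docker excluder is enabled, which the new expression contradicts; replace them with `# only unexclude the openshift excluder when it is enabled in the inventory (openshift_excluder_on)`. `openshift_excluder_on` also became an input of this file, but the "input variables" header at the top was not updated to list it. Whether `init.yml` guarantees it is defined is not visible here; if it does not, this task now fails on an undefined variable instead of defaulting.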
@@ -64,8 +64,7 @@ role: common local_facts: debug_level: "{{ openshift_debug_level | default(2) }}" - # TODO: Deprecate deployment_type in favor of openshift_deployment_type - deployment_type: "{{ openshift_deployment_type | default(deployment_type) }}" + deployment_type: "{{ openshift_deployment_type }}" deployment_subtype: "{{ openshift_deployment_subtype | default(None) }}" cluster_id: "{{ openshift_cluster_id | default('default') }}" hostname: "{{ openshift_hostname | default(None) }}" diff --git a/roles/openshift_health_checker/action_plugins/openshift_health_check.py b/roles/openshift_health_checker/action_plugins/openshift_health_check.py index 8b23533c8..cf0fe19f1 100644 --- a/roles/openshift_health_checker/action_plugins/openshift_health_check.py +++ b/roles/openshift_health_checker/action_plugins/openshift_health_check.py @@ -17,7 +17,7 @@ from ansible.plugins.action import ActionBase # this callback plugin. sys.path.insert(1, os.path.dirname(os.path.dirname(__file__))) -from openshift_checks import OpenShiftCheck, OpenShiftCheckException # noqa: E402 +from openshift_checks import OpenShiftCheck, OpenShiftCheckException, load_checks # noqa: E402 class ActionModule(ActionBase): @@ -78,6 +78,8 @@ class ActionModule(ActionBase): return result def load_known_checks(self): + load_checks() + known_checks = {} known_check_classes = set(cls for cls in OpenShiftCheck.subclasses()) @@ -91,7 +93,7 @@ class ActionModule(ActionBase): check_name, cls.__module__, cls.__name__, other_cls.__module__, other_cls.__name__)) - known_checks[check_name] = cls(module_executor=self._execute_module) + known_checks[check_name] = cls(execute_module=self._execute_module) return known_checks diff --git a/roles/openshift_health_checker/openshift_checks/__init__.py b/roles/openshift_health_checker/openshift_checks/__init__.py index 93547a2e0..be63d864a 100644 --- a/roles/openshift_health_checker/openshift_checks/__init__.py 
+++ b/roles/openshift_health_checker/openshift_checks/__init__.py @@ -21,8 +21,13 @@ class OpenShiftCheckException(Exception): class OpenShiftCheck(object): """A base class for defining checks for an OpenShift cluster environment.""" - def __init__(self, module_executor): - self.module_executor = module_executor + def __init__(self, execute_module=None, module_executor=None): + if execute_module is module_executor is None: + raise TypeError( + "__init__() takes either execute_module (recommended) " + "or module_executor (deprecated), none given") + self.execute_module = execute_module or module_executor + self.module_executor = self.execute_module @abstractproperty def name(self): @@ -58,6 +63,21 @@ class OpenShiftCheck(object): yield subclass +LOADER_EXCLUDES = ( + "__init__.py", + "mixins.py", +) + + +def load_checks(): + """Dynamically import all check modules for the side effect of registering checks.""" + return [ + import_module(__package__ + "." + name[:-3]) + for name in os.listdir(os.path.dirname(__file__)) + if name.endswith(".py") and name not in LOADER_EXCLUDES + ] + + def get_var(task_vars, *keys, **kwargs): """Helper function to get deeply nested values from task_vars. @@ -73,15 +93,3 @@ def get_var(task_vars, *keys, **kwargs): return kwargs["default"] raise OpenShiftCheckException("'{}' is undefined".format(".".join(map(str, keys)))) return value - - -# Dynamically import all submodules for the side effect of loading checks. - -EXCLUDES = ( - "__init__.py", - "mixins.py", -) - -for name in os.listdir(os.path.dirname(__file__)): - if name.endswith(".py") and name not in EXCLUDES: - import_module(__package__ + "." + name[:-3]) diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py index 7a7498cb7..cce289b95 100644 --- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py 
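Review bot: `execute_module is module_executor is None` is a chained comparison that only holds when both arguments are None, which is the intent, but it reads like a typo; `if execute_module is None and module_executor is None:` says the same thing plainly. Since the old name is described as deprecated, this is also the place to emit `warnings.warn("module_executor is deprecated, use execute_module", DeprecationWarning)` when only `module_executor` is given (needs `import warnings`), otherwise callers never learn to migrate.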
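Review bot: `load_checks` iterates `os.listdir`, whose order is filesystem-dependent, so the check modules are imported in a different order on different hosts and any import-time side effect — including which class is reported first when the action plugin detects a duplicate check name — is not reproducible. Iterate `sorted(os.listdir(os.path.dirname(__file__)))` instead. A one-line comment on why the function exists would help too: `# Import every module in this package so OpenShiftCheck.subclasses() sees all checks.`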
+++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py @@ -15,6 +15,9 @@ class DockerImageAvailability(OpenShiftCheck): skopeo_image = "openshift/openshift-ansible" + # FIXME(juanvallejo): we should consider other possible values of + # `deployment_type` (the key here). See + # https://github.com/openshift/openshift-ansible/blob/8e26f8c/roles/openshift_repos/vars/main.yml#L7 docker_image_base = { "origin": { "repo": "openshift", @@ -62,9 +65,15 @@ class DockerImageAvailability(OpenShiftCheck): def required_images(self, task_vars): deployment_type = get_var(task_vars, "deployment_type") + # FIXME(juanvallejo): we should handle gracefully with a proper error + # message when given an unexpected value for `deployment_type`. image_base_name = self.docker_image_base[deployment_type] openshift_release = get_var(task_vars, "openshift_release") + # FIXME(juanvallejo): this variable is not required when the + # installation is non-containerized. The example inventories have it + # commented out. We should handle gracefully and with a proper error + # message when this variable is required and not set. openshift_image_tag = get_var(task_vars, "openshift_image_tag") is_containerized = get_var(task_vars, "openshift", "common", "is_containerized") @@ -104,6 +113,8 @@ class DockerImageAvailability(OpenShiftCheck): if result.get("failed", False): return [] + # FIXME(juanvallejo): wrong default type, result["info"] is expected to + # contain a dictionary (see how we call `docker_info.get` below). docker_info = result.get("info", "") return [registry.get("Name", "") for registry in docker_info.get("Registries", {})] diff --git a/roles/openshift_health_checker/openshift_checks/package_availability.py b/roles/openshift_health_checker/openshift_checks/package_availability.py index 771123d61..9891972a6 100644 --- a/roles/openshift_health_checker/openshift_checks/package_availability.py 
+++ b/roles/openshift_health_checker/openshift_checks/package_availability.py @@ -21,7 +21,7 @@ class PackageAvailability(NotContainerizedMixin, OpenShiftCheck): packages.update(self.node_packages(rpm_prefix)) args = {"packages": sorted(set(packages))} - return self.module_executor("check_yum_update", args, tmp, task_vars) + return self.execute_module("check_yum_update", args, tmp, task_vars) @staticmethod def master_packages(rpm_prefix): diff --git a/roles/openshift_health_checker/openshift_checks/package_update.py b/roles/openshift_health_checker/openshift_checks/package_update.py index c5a226954..fd0c0a755 100644 --- a/roles/openshift_health_checker/openshift_checks/package_update.py +++ b/roles/openshift_health_checker/openshift_checks/package_update.py @@ -11,4 +11,4 @@ class PackageUpdate(NotContainerizedMixin, OpenShiftCheck): def run(self, tmp, task_vars): args = {"packages": []} - return self.module_executor("check_yum_update", args, tmp, task_vars) + return self.execute_module("check_yum_update", args, tmp, task_vars) diff --git a/roles/openshift_health_checker/openshift_checks/package_version.py b/roles/openshift_health_checker/openshift_checks/package_version.py index 2e9d07deb..42193a1c6 100644 --- a/roles/openshift_health_checker/openshift_checks/package_version.py +++ b/roles/openshift_health_checker/openshift_checks/package_version.py @@ -17,4 +17,4 @@ class PackageVersion(NotContainerizedMixin, OpenShiftCheck): "prefix": rpm_prefix, "version": openshift_release, } - return self.module_executor("aos_version", args, tmp, task_vars) + return self.execute_module("aos_version", args, tmp, task_vars) diff --git a/roles/openshift_health_checker/test/docker_image_availability_test.py b/roles/openshift_health_checker/test/docker_image_availability_test.py new file mode 100644 index 000000000..2a9c32f77 --- /dev/null +++ b/roles/openshift_health_checker/test/docker_image_availability_test.py 
@@ -0,0 +1,28 @@ +import pytest + +from openshift_checks.docker_image_availability import DockerImageAvailability + + +@pytest.mark.xfail(strict=True) # TODO: remove this once this test is fully implemented. +@pytest.mark.parametrize('task_vars,expected_result', [ + ( + dict( + openshift=dict(common=dict( + service_type='origin', + is_containerized=False, + )), + openshift_release='v3.5', + deployment_type='origin', + openshift_image_tag='', # FIXME: should not be required + ), + {'changed': False}, + ), + # TODO: add more parameters here to test the multiple possible inputs that affect behavior. +]) +def test_docker_image_availability(task_vars, expected_result): + def execute_module(module_name=None, module_args=None, tmp=None, task_vars=None): + return {'info': {}} # TODO: this will vary depending on input parameters. + + check = DockerImageAvailability(execute_module=execute_module) + result = check.run(tmp=None, task_vars=task_vars) + assert result == expected_result diff --git a/roles/openshift_health_checker/test/mixins_test.py b/roles/openshift_health_checker/test/mixins_test.py new file mode 100644 index 000000000..2d83e207d --- /dev/null +++ b/roles/openshift_health_checker/test/mixins_test.py 
@@ -0,0 +1,23 @@ +import pytest + +from openshift_checks import OpenShiftCheck, OpenShiftCheckException +from openshift_checks.mixins import NotContainerizedMixin + + +class NotContainerizedCheck(NotContainerizedMixin, OpenShiftCheck): + name = "not_containerized" + run = NotImplemented + + +@pytest.mark.parametrize('task_vars,expected', [ + (dict(openshift=dict(common=dict(is_containerized=False))), True), + (dict(openshift=dict(common=dict(is_containerized=True))), False), +]) +def test_is_active(task_vars, expected): + assert NotContainerizedCheck.is_active(task_vars) == expected + + +def test_is_active_missing_task_vars(): + with pytest.raises(OpenShiftCheckException) as excinfo: + NotContainerizedCheck.is_active(task_vars={}) + assert 'is_containerized' in str(excinfo.value) diff --git a/roles/openshift_health_checker/test/openshift_check_test.py b/roles/openshift_health_checker/test/openshift_check_test.py index c4c8cd1c2..e3153979c 100644 --- a/roles/openshift_health_checker/test/openshift_check_test.py +++ b/roles/openshift_health_checker/test/openshift_check_test.py @@ -1,6 +1,7 @@ import pytest -from openshift_checks import get_var, OpenShiftCheckException +from openshift_checks import OpenShiftCheck, OpenShiftCheckException +from openshift_checks import load_checks, get_var # Fixtures 
@@ -22,6 +23,64 @@ def missing_keys(request): # Tests +def test_OpenShiftCheck_init(): + class TestCheck(OpenShiftCheck): + name = "test_check" + run = NotImplemented + + # initialization requires at least one argument (apart from self) + with pytest.raises(TypeError) as excinfo: + TestCheck() + assert 'execute_module' in str(excinfo.value) + assert 'module_executor' in str(excinfo.value) + + execute_module = object() + + # initialize with positional argument + check = TestCheck(execute_module) + # new recommended name + assert check.execute_module == execute_module + # deprecated attribute name + assert check.module_executor == execute_module + + # initialize with keyword argument, recommended name + check = TestCheck(execute_module=execute_module) + # new recommended name + assert check.execute_module == execute_module + # deprecated attribute name + assert check.module_executor == execute_module + + # initialize with keyword argument, deprecated name + check = TestCheck(module_executor=execute_module) + # new recommended name + assert check.execute_module == execute_module + # deprecated attribute name + assert check.module_executor == execute_module + + +def test_subclasses(): + """OpenShiftCheck.subclasses should find all subclasses recursively.""" + class TestCheck1(OpenShiftCheck): + pass + + class TestCheck2(OpenShiftCheck): + pass + + class TestCheck1A(TestCheck1): + pass + + local_subclasses = set([TestCheck1, TestCheck1A, TestCheck2]) + known_subclasses = set(OpenShiftCheck.subclasses()) + + assert local_subclasses - known_subclasses == set(), "local_subclasses should be a subset of known_subclasses" + + +def test_load_checks(): + """Loading checks should load and return Python modules.""" + modules = load_checks() + assert modules + + @pytest.mark.parametrize("keys,expected", [ (("foo",), 42), (("bar", "baz"), "openshift"), 
diff --git a/roles/openshift_health_checker/test/package_availability_test.py b/roles/openshift_health_checker/test/package_availability_test.py new file mode 100644 index 000000000..25385339a --- /dev/null +++ b/roles/openshift_health_checker/test/package_availability_test.py @@ -0,0 +1,49 @@ +import pytest + +from openshift_checks.package_availability import PackageAvailability + + +@pytest.mark.parametrize('task_vars,must_have_packages,must_not_have_packages', [ + ( + dict(openshift=dict(common=dict(service_type='openshift'))), + set(), + set(['openshift-master', 'openshift-node']), + ), + ( + dict( + openshift=dict(common=dict(service_type='origin')), + group_names=['masters'], + ), + set(['origin-master']), + set(['origin-node']), + ), + ( + dict( + openshift=dict(common=dict(service_type='atomic-openshift')), + group_names=['nodes'], + ), + set(['atomic-openshift-node']), + set(['atomic-openshift-master']), + ), + ( + dict( + openshift=dict(common=dict(service_type='atomic-openshift')), + group_names=['masters', 'nodes'], + ), + set(['atomic-openshift-master', 'atomic-openshift-node']), + set(), + ), +]) +def test_package_availability(task_vars, must_have_packages, must_not_have_packages): + return_value = object() + + def execute_module(module_name=None, module_args=None, tmp=None, task_vars=None): + assert module_name == 'check_yum_update' + assert 'packages' in module_args + assert set(module_args['packages']).issuperset(must_have_packages) + assert not set(module_args['packages']).intersection(must_not_have_packages) + return return_value + + check = PackageAvailability(execute_module=execute_module) + result = check.run(tmp=None, task_vars=task_vars) + assert result is return_value diff --git a/roles/openshift_health_checker/test/package_update_test.py b/roles/openshift_health_checker/test/package_update_test.py new file mode 100644 index 000000000..5e000cff5 --- /dev/null +++ b/roles/openshift_health_checker/test/package_update_test.py 
@@ -0,0 +1,16 @@ +from openshift_checks.package_update import PackageUpdate + + +def test_package_update(): + return_value = object() + + def execute_module(module_name=None, module_args=None, tmp=None, task_vars=None): + assert module_name == 'check_yum_update' + assert 'packages' in module_args + # empty list of packages means "generic check if 'yum update' will work" + assert module_args['packages'] == [] + return return_value + + check = PackageUpdate(execute_module=execute_module) + result = check.run(tmp=None, task_vars=None) + assert result is return_value diff --git a/roles/openshift_health_checker/test/package_version_test.py b/roles/openshift_health_checker/test/package_version_test.py new file mode 100644 index 000000000..cc1d263bc --- /dev/null +++ b/roles/openshift_health_checker/test/package_version_test.py @@ -0,0 +1,21 @@ +from openshift_checks.package_version import PackageVersion + + +def test_package_version(): + task_vars = dict( + openshift=dict(common=dict(service_type='origin')), + openshift_release='v3.5', + ) + return_value = object() + + def execute_module(module_name=None, module_args=None, tmp=None, task_vars=None): + assert module_name == 'aos_version' + assert 'prefix' in module_args + assert 'version' in module_args + assert module_args['prefix'] == task_vars['openshift']['common']['service_type'] + assert module_args['version'] == task_vars['openshift_release'] + return return_value + + check = PackageVersion(execute_module=execute_module) + result = check.run(tmp=None, task_vars=task_vars) + assert result is return_value diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md index 328f800bf..6d576df71 100644 --- a/roles/openshift_hosted/README.md +++ b/roles/openshift_hosted/README.md 
@@ -26,6 +26,7 @@ From this role: | openshift_hosted_registry_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift registry on. | | openshift_hosted_registry_replicas | Number of nodes matching selector | The number of replicas to configure. | | openshift_hosted_registry_selector | region=infra | Node selector used when creating registry. The OpenShift registry will only be deployed to nodes matching this selector. | +| openshift_hosted_registry_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | Dependencies ------------ diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml index 32bcd8d08..d73f339f7 100644 --- a/roles/openshift_hosted/defaults/main.yml +++ b/roles/openshift_hosted/defaults/main.yml @@ -28,3 +28,4 @@ openshift_hosted_routers: openshift_hosted_router_certificates: {} +openshift_hosted_registry_cert_expire_days: 730 diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index f9ea2ebeb..8a159bf73 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml @@ -57,6 +57,7 @@ - "{{ docker_registry_route_hostname }}" cert: "{{ openshift_master_config_dir }}/registry.crt" key: "{{ openshift_master_config_dir }}/registry.key" + expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}" register: server_cert_out - name: Create the secret for the registry certificates diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md index a80d47040..4758bbdfb 100644 --- a/roles/openshift_master_certificates/README.md +++ b/roles/openshift_master_certificates/README.md 
@@ -21,6 +21,7 @@ From this role: |---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| | openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-master generated config directories will be created on the `openshift_ca_host`. | | openshift_master_cert_subdir | `master-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. | +| openshift_master_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | | openshift_master_config_dir | `{{ openshift.common.config_base }}/master` | Master configuration directory in which certificates will be deployed on masters. | | openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory. | diff --git a/roles/openshift_master_certificates/defaults/main.yml b/roles/openshift_master_certificates/defaults/main.yml new file mode 100644 index 000000000..dba62c4ec --- /dev/null +++ b/roles/openshift_master_certificates/defaults/main.yml @@ -0,0 +1,2 @@ +--- +openshift_master_cert_expire_days: 730 diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 61541acb8..d4c9a96ca 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml 
@@ -57,6 +57,9 @@ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }} --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + {% endif %} --signer-cert={{ openshift_ca_cert }} --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} @@ -84,6 +87,9 @@ --signer-serial={{ openshift_ca_serial }} --user=system:openshift-master --basename=openshift-master + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_master_cert_expire_days }} + {% endif %} args: creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig" with_items: "{{ hostvars diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md index f4215950f..fef2f0783 100644 --- a/roles/openshift_node_certificates/README.md +++ b/roles/openshift_node_certificates/README.md 
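Review bot: `--expire-days` is only applied when this command actually runs, and the `creates:` guard just below skips it once `openshift-master.kubeconfig` exists, so changing `openshift_master_cert_expire_days` on an existing cluster has no effect on already-issued certificates (the `create-server-cert` task above is guarded the same way). Add a comment before the `{% if %}`: `# expire-days only affects certificates generated by this run; existing ones keep their validity until redeployed.` and say so in the README row for the variable. The task body starts before the hunk.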
@@ -23,6 +23,7 @@ From this role: |-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| | openshift_generated_configs_dir | `{{ openshift.common.config_base }}/generated-configs` | Directory in which per-node generated config directories will be created on the `openshift_ca_host`. | | openshift_node_cert_subdir | `node-{{ openshift.common.hostname }}` | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. | +| openshift_node_cert_expire_days | `730` (2 years) | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later. | | openshift_node_config_dir | `{{ openshift.common.config_base }}/node` | Node configuration directory in which certificates will be deployed on nodes. | | openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory. | diff --git a/roles/openshift_node_certificates/defaults/main.yml b/roles/openshift_node_certificates/defaults/main.yml new file mode 100644 index 000000000..70a38b844 --- /dev/null +++ b/roles/openshift_node_certificates/defaults/main.yml @@ -0,0 +1,2 @@ +--- +openshift_node_cert_expire_days: 730 diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 4cb89aba2..9120915b2 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml 
@@ -66,6 +66,9 @@ --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} --user=system:node:{{ hostvars[item].openshift.common.hostname }} + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_node_cert_expire_days }} + {% endif %} args: creates: "{{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}" with_items: "{{ hostvars @@ -79,6 +82,9 @@ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert --cert={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.crt --key={{ openshift_generated_configs_dir }}/node-{{ hostvars[item].openshift.common.hostname }}/server.key + {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %} + --expire-days={{ openshift_node_cert_expire_days }} + {% endif %} --overwrite=true --hostnames={{ hostvars[item].openshift.common.hostname }},{{ hostvars[item].openshift.common.public_hostname }},{{ hostvars[item].openshift.common.ip }},{{ hostvars[item].openshift.common.public_ip }} --signer-cert={{ openshift_ca_cert }} diff --git a/roles/openshift_repos/meta/main.yml b/roles/openshift_repos/meta/main.yml index cc18c453c..1b043863b 100644 --- a/roles/openshift_repos/meta/main.yml +++ b/roles/openshift_repos/meta/main.yml @@ -11,4 +11,5 @@ galaxy_info: - 7 categories: - cloud -dependencies: [] +dependencies: +- role: openshift_sanitize_inventory diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index ffb760bfe..84a0905cc 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml 
@@ -4,10 +4,6 @@ path: /run/ostree-booted register: ostree_booted -- assert: - that: openshift_deployment_type in known_openshift_deployment_types - msg: "openshift_deployment_type must be one of {{ known_openshift_deployment_types }}" - - block: - name: Ensure libselinux-python is installed package: name=libselinux-python state=present diff --git a/roles/openshift_sanitize_inventory/README.md b/roles/openshift_sanitize_inventory/README.md new file mode 100644 index 000000000..23f6b84fc --- /dev/null +++ b/roles/openshift_sanitize_inventory/README.md @@ -0,0 +1,37 @@ +OpenShift Inventory +=================== + +Provides a role to validate and normalize the variables the user has +provided. This role should run before pretty much everything else so that +this kind of logic only has to be in one place. However, complicated +business logic should usually be left to other roles. + +Requirements +------------ + +None + +Role Variables +-------------- + +None + +Dependencies +------------ + +None + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License, Version 2.0 + +Author Information +------------------ + +OpenShift dev (dev@lists.openshift.redhat.com) diff --git a/roles/openshift_sanitize_inventory/meta/main.yml b/roles/openshift_sanitize_inventory/meta/main.yml new file mode 100644 index 000000000..f5b37186e --- /dev/null +++ b/roles/openshift_sanitize_inventory/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift dev + description: + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.8 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: [] diff --git a/roles/openshift_sanitize_inventory/tasks/main.yml b/roles/openshift_sanitize_inventory/tasks/main.yml new file mode 100644 index 000000000..fc562c42c --- /dev/null +++ b/roles/openshift_sanitize_inventory/tasks/main.yml 
@@ -0,0 +1,28 @@
+---
+- name: Standardize on latest variable names
+ no_log: True # keep task description legible
+ set_fact:
+ # goal is to deprecate deployment_type in favor of openshift_deployment_type.
+ # both will be accepted for now, but code should refer to the new name.
+ # TODO: once this is well-documented, add deprecation notice if using old name.
+ deployment_type: "{{ openshift_deployment_type | default(deployment_type) | default | string }}"
+ openshift_deployment_type: "{{ openshift_deployment_type | default(deployment_type) | default | string }}"
+
+- name: Normalize openshift_release
+ no_log: True # keep task description legible
+ set_fact:
+ # Normalize release if provided, e.g. "v3.5" => "3.5"
+ # Currently this is not required to be defined for all installs, and the
+ # `openshift_version` role can generally figure out the specific version
+ # that gets installed (e.g. 3.5.0.1). So consider this the user's expressed
+ # intent (if any), not the authoritative version that will be installed.
+ openshift_release: "{{ openshift_release | string | regex_replace('^v', '') }}"
+ when: openshift_release is defined
+
+- name: Ensure a valid deployment type has been given.
+ # this variable is required; complain early and clearly if it is invalid.
+ when: openshift_deployment_type not in known_openshift_deployment_types
+ fail:
+ msg: |-
+ Please set openshift_deployment_type to one of:
+ {{ known_openshift_deployment_types | join(', ') }}
diff --git a/roles/openshift_repos/vars/main.yml b/roles/openshift_sanitize_inventory/vars/main.yml
index da48e42c1..da48e42c1 100644
--- a/roles/openshift_repos/vars/main.yml
+++ b/roles/openshift_sanitize_inventory/vars/main.yml
diff --git a/roles/openshift_version/tasks/main.yml b/roles/openshift_version/tasks/main.yml
index 0f2a660a7..35953b744 100644
--- a/roles/openshift_version/tasks/main.yml
+++ b/roles/openshift_version/tasks/main.yml
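Review bot: `openshift_release: "{{ openshift_release | string | regex_replace('^v', '') }}"` strips a leading `v` but nothing checks that what remains looks like a version, so a stray value such as `latest` or a typo passes straight through to the `openshift_version` role; the `fail` task below validates only the deployment type, and an `assert` with `that: openshift_release is match('^[0-9]+(\.[0-9]+)*$')` under the same `when: openshift_release is defined` would reject it here, which is the stated purpose of this role. This normalization also replaces the two `set_fact`s removed from `roles/openshift_version/tasks/main.yml` in the next hunk, yet the diff wires the new role in only as a dependency of `openshift_repos`, so a play that reaches `openshift_version` without `openshift_repos` would presumably see an un-normalized release; `openshift_version`'s meta (not in this diff) likely needs the same dependency. Lastly, `no_log: True` on the two `set_fact` tasks also censors the error text if the templating fails, which makes an undefined-variable failure hard to diagnose for values that are not secrets.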
@@ -13,14 +13,6 @@
# Normalize some values that we need in a certain format that might be confusing:
- set_fact:
- openshift_release: "{{ openshift_release[1:] }}"
- when: openshift_release is defined and openshift_release[0] == 'v'
-
-- set_fact:
- openshift_release: "{{ openshift_release | string }}"
- when: openshift_release is defined
-
-- set_fact:
openshift_image_tag: "{{ 'v' + openshift_image_tag }}"
when: openshift_image_tag is defined and openshift_image_tag[0] != 'v' and openshift_image_tag != 'latest'
diff --git a/roles/openshift_version/tasks/set_version_rpm.yml b/roles/openshift_version/tasks/set_version_rpm.yml
index 7fa74e24f..0c2ef4bb7 100644
--- a/roles/openshift_version/tasks/set_version_rpm.yml
+++ b/roles/openshift_version/tasks/set_version_rpm.yml
@@ -5,14 +5,42 @@
openshift_version: "{{ openshift_pkg_version[1:].split('-')[0] }}"
when: openshift_pkg_version is defined and openshift_version is not defined
+# if {{ openshift.common.service_type}}-excluder is enabled,
+# the repoquery for {{ openshift.common.service_type}} will not work.
+# Thus, create a temporary yum,conf file where exclude= is set to an empty list
+- name: Create temporary yum.conf file
+ command: mktemp -d /tmp/yum.conf.XXXXXX
+ register: yum_conf_temp_file_result
+
+- set_fact:
+ yum_conf_temp_file: "{{yum_conf_temp_file_result.stdout}}/yum.conf"
+
+- name: Copy yum.conf into the temporary file
+ copy:
+ src: /etc/yum.conf
+ dest: "{{ yum_conf_temp_file }}"
+ remote_src: True
+
+- name: Clear the exclude= list in the temporary yum.conf
+ lineinfile:
+ # since ansible 2.3 s/dest/path
+ dest: "{{ yum_conf_temp_file }}"
+ regexp: '^exclude='
+ line: 'exclude='
+
- name: Gather common package version
command: >
- {{ repoquery_cmd }} --qf '%{version}' "{{ openshift.common.service_type}}"
+ {{ repoquery_cmd }} --config "{{ yum_conf_temp_file }}" --qf '%{version}' "{{ openshift.common.service_type}}"
register: common_version
failed_when: false
changed_when: false
when: openshift_version is not defined
+- name: Delete the temporary yum.conf
+ file:
+ path: "{{ yum_conf_temp_file_result.stdout }}"
+ state: absent
+
- set_fact:
openshift_version: "{{ common_version.stdout | default('0.0', True) }}"
when: openshift_version is not defined |
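Review bot: The four tasks that create, populate and edit the temporary yum.conf run unconditionally while the repoquery they exist for is skipped by `when: openshift_version is not defined`, and the `mktemp` command reports changed on every run; the cleanup is a plain task, so a failure in `copy` or `lineinfile` leaves the copy of `/etc/yum.conf` (which may carry proxy credentials, if configured) sitting in `/tmp`. Grouping the tasks in a `block` that carries the `when`, with the deletion under `always`, keeps the copy short-lived and skips all of it when the version is already known, and `changed_when: false` on the `mktemp` task keeps the play idempotent. Because `yum_conf_temp_file_result.stdout` is the path handed to `file: state=absent`, the `always` task also needs a guard for the case where `mktemp` itself failed and left `stdout` empty.
```yaml
- name: Query the repo for the common package version
  when: openshift_version is not defined
  block:
    - name: Create temporary yum.conf file
      command: mktemp -d /tmp/yum.conf.XXXXXX
      register: yum_conf_temp_file_result
      changed_when: false
    # … unchanged: set_fact, copy, lineinfile and repoquery tasks, indented into the block …
  always:
    - name: Delete the temporary yum.conf
      file:
        path: "{{ yum_conf_temp_file_result.stdout }}"
        state: absent
      when: yum_conf_temp_file_result.stdout | default('') != ''
```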