13 files changed, 79 insertions, 47 deletions
diff --git a/roles/fluentd_master/meta/main.yml b/roles/fluentd_master/meta/main.yml
new file mode 100644
index 000000000..148bc377e
--- /dev/null
+++ b/roles/fluentd_master/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: Fluentd Master
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - monitoring
+  dependencies:
+  - openshift_facts
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index e88022464..5f5c5c788 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -711,8 +711,8 @@ def set_deployment_facts_if_unset(facts):
     if 'node' in facts:
         deployment_type = facts['common']['deployment_type']
         if 'storage_plugin_deps' not in facts['node']:
-            if deployment_type in ['openshift-enterprise', 'atomic-enterprise']:
-                facts['node']['storage_plugin_deps'] = ['ceph', 'glusterfs']
+            if deployment_type in ['openshift-enterprise', 'atomic-enterprise', 'origin']:
+                facts['node']['storage_plugin_deps'] = ['ceph', 'glusterfs', 'iscsi']
             else:
                 facts['node']['storage_plugin_deps'] = []
 
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 1df81ca00..acf2f74e3 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -33,6 +33,7 @@
       set_node_ip: "{{ openshift_set_node_ip | default(None) }}"
       node_image: "{{ osn_image | default(None) }}"
       ovs_image: "{{ osn_ovs_image | default(None) }}"
+      proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}"
 
 # We have to add tuned-profiles in the same transaction otherwise we run into depsolving
 # problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging.
diff --git a/roles/openshift_node/tasks/storage_plugins/iscsi.yml b/roles/openshift_node/tasks/storage_plugins/iscsi.yml
new file mode 100644
index 000000000..d6684b34a
--- /dev/null
+++ b/roles/openshift_node/tasks/storage_plugins/iscsi.yml
@@ -0,0 +1,4 @@
+---
+- name: Install iSCSI storage plugin dependencies
+  action: "{{ ansible_pkg_mgr }} name=iscsi-initiator-utils state=present"
+  when: not openshift.common.is_atomic | bool
diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml
index 39c7b9390..fe638718d 100644
--- a/roles/openshift_node/tasks/storage_plugins/main.yml
+++ b/roles/openshift_node/tasks/storage_plugins/main.yml
@@ -11,3 +11,7 @@
 - name: Ceph storage plugin configuration
   include: ceph.yml
   when: "'ceph' in openshift.node.storage_plugin_deps"
+
+- name: iSCSI storage plugin configuration
+  include: iscsi.yml
+  when: "'iscsi' in openshift.node.storage_plugin_deps"
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2
index 44065f4bd..67975d372 100644
--- a/roles/openshift_node/templates/node.yaml.v1.j2
+++ b/roles/openshift_node/templates/node.yaml.v1.j2
@@ -35,3 +35,6 @@ servingInfo:
   keyFile: server.key
 volumeDirectory: {{ openshift.common.data_dir }}/openshift.local.volumes
 {% include 'partials/kubeletArguments.j2' %}
+proxyArguments:
+  proxy-mode:
+     - {{ openshift.node.proxy_mode }}
diff --git a/roles/openshift_registry/README.md b/roles/openshift_registry/README.md
index 8e66c483b..247272668 100644
--- a/roles/openshift_registry/README.md
+++ b/roles/openshift_registry/README.md
@@ -17,12 +17,6 @@ From this role:
 |--------------------|-------------------------------------------------------|---------------------|
 |                    |                                                       |                     |
 
-From openshift_common:
-
-| Name                  | Default value |                                      |
-|-----------------------|---------------|--------------------------------------|
-| openshift_debug_level | 2             | Global openshift debug log verbosity |
-
 
 Dependencies
 ------------
diff --git a/roles/openshift_registry/meta/main.yml b/roles/openshift_registry/meta/main.yml
index 93b6797d1..b220a020e 100644
--- a/roles/openshift_registry/meta/main.yml
+++ b/roles/openshift_registry/meta/main.yml
@@ -4,10 +4,12 @@ galaxy_info:
   description: OpenShift Embedded Docker Registry
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.7
+  min_ansible_version: 1.9
   platforms:
   - name: EL
     versions:
     - 7
   categories:
   - cloud
+  dependencies:
+  - openshift_facts
diff --git a/roles/openshift_router/README.md b/roles/openshift_router/README.md
index 836efc443..d490e1038 100644
--- a/roles/openshift_router/README.md
+++ b/roles/openshift_router/README.md
@@ -16,11 +16,6 @@ From this role:
 |--------------------|-------------------------------------------------------|---------------------|
 |                    |                                                       |                     |
 
-From openshift_common:
-| Name                  | Default value |                                      |
-|-----------------------|---------------|--------------------------------------|
-| openshift_debug_level | 2             | Global openshift debug log verbosity |
-
 Dependencies
 ------------
 
diff --git a/roles/openshift_router/meta/main.yml b/roles/openshift_router/meta/main.yml
index 0471e5e14..c2b0777b5 100644
--- a/roles/openshift_router/meta/main.yml
+++ b/roles/openshift_router/meta/main.yml
@@ -4,10 +4,12 @@ galaxy_info:
   description: OpenShift Embedded Router
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.7
+  min_ansible_version: 1.9
   platforms:
   - name: EL
     versions:
     - 7
   categories:
   - cloud
+  dependencies:
+  - openshift_facts
diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml
new file mode 100644
index 000000000..a2c9fee70
--- /dev/null
+++ b/roles/openshift_serviceaccounts/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift Operations
+  description: OpenShift Service Accounts
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index 4c7faa6fe..5fe7d28f3 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -1,36 +1,33 @@
-- name: tmp dir for openshift
-  file:
-    path: /tmp/openshift
-    state: directory
-    owner: root
-    mode: 700
-
-- name: Create service account configs
-  template:
-    src: serviceaccount.j2
-    dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-
-- name: Create {{ item }} service account
+- name: test if service accounts exists
   command: >
-    {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-  register: _sa_result
-  failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
-  changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+      {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
+  with_items: openshift_serviceaccounts_names
+  failed_when: false
+  changed_when: false
+  register: account_test
 
-- name: Get current security context constraints
+- name: create the service account
   shell: >
-    {{ openshift.common.client_binary }} get scc privileged -o yaml
-    --output-version=v1 > /tmp/openshift/scc.yaml
-  changed_when: false
+       echo {{ lookup('template', '../templates/serviceaccount.j2')
+               | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }}  create -f -
+  when: item.1.rc != 0
+  with_together:
+  - openshift_serviceaccounts_names
+  - account_test.results
 
-- name: Add security context constraint for {{ item }}
-  lineinfile:
-    dest: /tmp/openshift/scc.yaml
-    line: "- system:serviceaccount:default:{{ item }}"
-    insertafter: "^users:$"
-  with_items: accounts
+- name: test if scc needs to be updated
+  command: >
+      {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
+  changed_when: false
+  failed_when: false
+  register: scc_test
+  with_items: openshift_serviceaccounts_sccs
 
-- name: Apply new scc rules for service accounts
-  command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- name: Grant the user access to the privileged scc
+  command: >
+      {{ openshift.common.admin_binary }} policy add-scc-to-user
+      privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
+  when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+  with_nested:
+  - openshift_serviceaccounts_names
+  - scc_test.results
diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
index 931e249f9..c5f12421f 100644
--- a/roles/openshift_serviceaccounts/templates/serviceaccount.j2
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ item }}
+  name: {{ item.0 }}