summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/ansible_service_broker/defaults/main.yml10
-rw-r--r--roles/ansible_service_broker/tasks/install.yml282
-rw-r--r--roles/ansible_service_broker/tasks/remove.yml70
-rw-r--r--roles/ansible_service_broker/vars/default_images.yml1
-rw-r--r--roles/ansible_service_broker/vars/openshift-enterprise.yml2
-rw-r--r--roles/docker/tasks/package_docker.yml24
-rw-r--r--roles/lib_openshift/library/oc_adm_registry.py6
-rw-r--r--roles/lib_openshift/library/oc_adm_router.py6
-rw-r--r--roles/lib_openshift/library/oc_route.py12
-rw-r--r--roles/lib_openshift/library/oc_secret.py16
-rw-r--r--roles/lib_openshift/src/ansible/oc_route.py1
-rw-r--r--roles/lib_openshift/src/ansible/oc_secret.py1
-rw-r--r--roles/lib_openshift/src/class/oc_route.py1
-rw-r--r--roles/lib_openshift/src/class/oc_secret.py3
-rw-r--r--roles/lib_openshift/src/doc/route6
-rw-r--r--roles/lib_openshift/src/doc/secret6
-rw-r--r--roles/lib_openshift/src/lib/route.py4
-rw-r--r--roles/lib_openshift/src/lib/secret.py6
-rwxr-xr-xroles/lib_openshift/src/test/unit/test_oc_route.py11
-rw-r--r--roles/openshift_aws/README.md2
-rw-r--r--roles/openshift_aws/defaults/main.yml1
-rw-r--r--roles/openshift_aws/tasks/master_facts.yml22
-rw-r--r--roles/openshift_aws/tasks/provision.yml8
-rw-r--r--roles/openshift_aws/tasks/provision_instance.yml (renamed from roles/openshift_aws/tasks/build_ami.yml)41
-rw-r--r--roles/openshift_aws/tasks/setup_master_group.yml35
-rw-r--r--roles/openshift_health_checker/openshift_checks/disk_availability.py30
-rw-r--r--roles/openshift_health_checker/openshift_checks/docker_image_availability.py8
-rw-r--r--roles/openshift_health_checker/openshift_checks/etcd_traffic.py2
-rw-r--r--roles/openshift_health_checker/openshift_checks/etcd_volume.py6
-rw-r--r--roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py2
-rw-r--r--roles/openshift_health_checker/openshift_checks/memory_availability.py6
-rw-r--r--roles/openshift_health_checker/openshift_checks/mixins.py8
-rw-r--r--roles/openshift_health_checker/openshift_checks/ovs_version.py2
-rw-r--r--roles/openshift_health_checker/openshift_checks/package_availability.py4
-rw-r--r--roles/openshift_health_checker/openshift_checks/package_version.py2
-rw-r--r--roles/openshift_health_checker/test/disk_availability_test.py40
-rw-r--r--roles/openshift_health_checker/test/docker_image_availability_test.py24
-rw-r--r--roles/openshift_health_checker/test/docker_storage_test.py6
-rw-r--r--roles/openshift_health_checker/test/etcd_traffic_test.py22
-rw-r--r--roles/openshift_health_checker/test/fluentd_config_test.py10
-rw-r--r--roles/openshift_health_checker/test/memory_availability_test.py36
-rw-r--r--roles/openshift_health_checker/test/ovs_version_test.py12
-rw-r--r--roles/openshift_health_checker/test/package_availability_test.py6
-rw-r--r--roles/openshift_health_checker/test/package_version_test.py12
-rw-r--r--roles/openshift_logging/defaults/main.yml4
-rw-r--r--roles/openshift_logging/filter_plugins/openshift_logging.py19
-rw-r--r--roles/openshift_logging/library/openshift_logging_facts.py11
-rw-r--r--roles/openshift_logging/tasks/delete_logging.yaml1
-rw-r--r--roles/openshift_logging/tasks/generate_certs.yaml4
-rw-r--r--roles/openshift_logging/tasks/install_logging.yaml19
-rw-r--r--roles/openshift_logging_elasticsearch/defaults/main.yml10
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/main.yaml63
-rw-r--r--roles/openshift_logging_elasticsearch/templates/es.j249
-rw-r--r--roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j231
-rw-r--r--roles/openshift_named_certificates/tasks/named_certificates.yml32
-rw-r--r--roles/openshift_sanitize_inventory/filter_plugins/openshift_logging.py25
-rw-r--r--roles/openshift_sanitize_inventory/filter_plugins/openshift_sanitize_inventory.py44
-rw-r--r--roles/openshift_sanitize_inventory/tasks/unsupported.yml22
58 files changed, 786 insertions, 363 deletions
diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml
index 9eb9db316..fa982d533 100644
--- a/roles/ansible_service_broker/defaults/main.yml
+++ b/roles/ansible_service_broker/defaults/main.yml
@@ -6,6 +6,14 @@ ansible_service_broker_log_level: info
ansible_service_broker_output_request: false
ansible_service_broker_recovery: true
ansible_service_broker_bootstrap_on_startup: true
-# Recommended you do not enable this for now
ansible_service_broker_dev_broker: false
+ansible_service_broker_refresh_interval: 600s
+# Recommended you do not enable this for now
ansible_service_broker_launch_apb_on_bind: false
+
+ansible_service_broker_image_pull_policy: IfNotPresent
+ansible_service_broker_sandbox_role: edit
+ansible_service_broker_auto_escalate: true
+ansible_service_broker_registry_tag: latest
+ansible_service_broker_registry_whitelist:
+ - '.*-apb$'
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index b3797ef96..0f4b71124 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -17,16 +17,24 @@
ansible_service_broker_etcd_image_etcd_path: "{{ ansible_service_broker_etcd_image_etcd_path | default(__ansible_service_broker_etcd_image_etcd_path) }}"
ansible_service_broker_registry_type: "{{ ansible_service_broker_registry_type | default(__ansible_service_broker_registry_type) }}"
+ ansible_service_broker_registry_name: "{{ ansible_service_broker_registry_name | default(__ansible_service_broker_registry_name) }}"
ansible_service_broker_registry_url: "{{ ansible_service_broker_registry_url | default(__ansible_service_broker_registry_url) }}"
ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}"
ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}"
ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}"
+ ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/service-catalog"
+
- name: set ansible-service-broker image facts using set prefix and tag
set_fact:
ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}"
ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}"
+- slurp:
+ src: "{{ ansible_service_broker_certs_dir }}/ca.crt"
+ register: catalog_ca
+
+
- include: validate_facts.yml
@@ -42,53 +50,119 @@
namespace: openshift-ansible-service-broker
state: present
-- name: Set SA cluster-role
+- name: create ansible-service-broker client serviceaccount
+ oc_serviceaccount:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ state: present
+
+- name: Create asb-auth cluster role
+ oc_clusterrole:
+ state: present
+ name: asb-auth
+ rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["create", "delete"]
+ - apiGroups: ["authorization.openshift.io"]
+ resources: ["subjectrulesreview"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+- name: Create asb-access cluster role
+ oc_clusterrole:
+ state: present
+ name: asb-access
+ rules:
+ - nonResourceURLs: ["/ansible-service-broker", "ansible-service-broker/*"]
+ verbs: ["get", "post", "put", "patch", "delete"]
+
+- name: Bind admin cluster-role to asb serviceaccount
oc_adm_policy_user:
state: present
- namespace: "openshift-ansible-service-broker"
+ namespace: openshift-ansible-service-broker
resource_kind: cluster-role
resource_name: admin
user: "system:serviceaccount:openshift-ansible-service-broker:asb"
-- name: create ansible-service-broker service
- oc_service:
- name: asb
+- name: Bind auth cluster role to asb service account
+ oc_adm_policy_user:
+ state: present
namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-auth
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Bind asb-access role to asb-client service account
+ oc_adm_policy_user:
state: present
- labels:
- app: openshift-ansible-service-broker
- service: asb
- ports:
- - name: port-1338
- port: 1338
- selector:
- app: openshift-ansible-service-broker
- service: asb
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-access
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
-- name: create etcd service
- oc_service:
- name: etcd
+- name: create asb-client token secret
+ oc_obj:
+ name: asb-client
+ state: present
+ kind: Secret
+ content:
+ path: /tmp/asbclientsecretout
+ data:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: asb-client
+ annotations:
+ kubernetes.io/service-account.name: asb-client
+ type: kubernetes.io/service-account-token
+
+# Using oc_obj because oc_service doesn't seem to allow annotations
+# TODO: Extend oc_service to allow annotations
+- name: create ansible-service-broker service
+ oc_obj:
+ name: asb
namespace: openshift-ansible-service-broker
state: present
- ports:
- - name: etcd-advertise
- port: 2379
- selector:
- app: openshift-ansible-service-broker
- service: etcd
+ kind: Service
+ content:
+ path: /tmp/asbsvcout
+ data:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: asb
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: asb-tls
+ spec:
+ ports:
+ - name: port-1338
+ port: 1338
+ targetPort: 1338
+ protocol: TCP
+ selector:
+ app: openshift-ansible-service-broker
+ service: asb
- name: create route for ansible-service-broker service
oc_route:
name: asb-1338
namespace: openshift-ansible-service-broker
state: present
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
service_name: asb
port: 1338
- register: asb_route_out
-
-- name: get ansible-service-broker route name
- set_fact:
- ansible_service_broker_route: "{{ asb_route_out.results.results[0].spec.host }}"
+ tls_termination: Reencrypt
- name: create persistent volume claim for etcd
oc_obj:
@@ -97,7 +171,7 @@
state: present
kind: PersistentVolumeClaim
content:
- path: /tmp/dcout
+ path: /tmp/pvcout
data:
apiVersion: v1
kind: PersistentVolumeClaim
@@ -111,50 +185,61 @@
requests:
storage: 1Gi
-- name: create etcd deployment
+- name: Create Ansible Service Broker deployment config
oc_obj:
- name: etcd
+ name: asb
namespace: openshift-ansible-service-broker
state: present
- kind: Deployment
+ kind: DeploymentConfig
content:
path: /tmp/dcout
data:
- apiVersion: extensions/v1beta1
- kind: Deployment
+ apiVersion: v1
+ kind: DeploymentConfig
metadata:
- name: etcd
- namespace: openshift-ansible-service-broker
+ name: asb
labels:
app: openshift-ansible-service-broker
- service: etcd
+ service: asb
spec:
+ replicas: 1
selector:
- matchLabels:
- app: openshift-ansible-service-broker
- service: etcd
+ app: openshift-ansible-service-broker
strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 1
- replicas: 1
+ type: Rolling
template:
metadata:
labels:
app: openshift-ansible-service-broker
- service: etcd
+ service: asb
spec:
- restartPolicy: Always
+ serviceAccount: asb
containers:
+ - image: "{{ ansible_service_broker_image }}"
+ name: asb
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/ansible-service-broker
+ - name: asb-tls
+ mountPath: /etc/tls/private
+ ports:
+ - containerPort: 1338
+ protocol: TCP
+ env:
+ - name: BROKER_CONFIG
+ value: /etc/ansible-service-broker/config.yaml
+ resources: {}
+ terminationMessagePath: /tmp/termination-log
+
- image: "{{ ansible_service_broker_etcd_image }}"
name: etcd
imagePullPolicy: IfNotPresent
terminationMessagePath: /tmp/termination-log
workingDir: /etcd
args:
- - '{{ ansible_service_broker_etcd_image_etcd_path }}'
- - --data-dir=/data
+ - "{{ ansible_service_broker_etcd_image_etcd_path }}"
+ - "--data-dir=/data"
- "--listen-client-urls=http://0.0.0.0:2379"
- "--advertise-client-urls=http://0.0.0.0:2379"
ports:
@@ -170,57 +255,15 @@
- name: etcd
persistentVolumeClaim:
claimName: etcd
-
-- name: create ansible-service-broker deployment
- oc_obj:
- name: asb
- namespace: openshift-ansible-service-broker
- state: present
- kind: Deployment
- content:
- path: /tmp/dcout
- data:
- apiVersion: extensions/v1beta1
- kind: Deployment
- metadata:
- name: asb
- namespace: openshift-ansible-service-broker
- labels:
- app: openshift-ansible-service-broker
- service: asb
- spec:
- strategy:
- type: Recreate
- replicas: 1
- template:
- metadata:
- labels:
- app: openshift-ansible-service-broker
- service: asb
- spec:
- serviceAccount: asb
- restartPolicy: Always
- containers:
- - image: "{{ ansible_service_broker_image }}"
- name: asb
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: config-volume
- mountPath: /etc/ansible-service-broker
- ports:
- - containerPort: 1338
- protocol: TCP
- env:
- - name: BROKER_CONFIG
- value: /etc/ansible-service-broker/config.yaml
- terminationMessagePath: /tmp/termination-log
- volumes:
- name: config-volume
configMap:
name: broker-config
items:
- key: broker-config
path: config.yaml
+ - name: asb-tls
+ secret:
+ secretName: asb-tls
# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
@@ -239,42 +282,65 @@
name: broker-config
namespace: openshift-ansible-service-broker
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
data:
broker-config: |
registry:
- name: "{{ ansible_service_broker_registry_type }}"
- url: "{{ ansible_service_broker_registry_url }}"
- user: "{{ ansible_service_broker_registry_user }}"
- pass: "{{ ansible_service_broker_registry_password }}"
- org: "{{ ansible_service_broker_registry_organization }}"
+ - type: {{ ansible_service_broker_registry_type }}
+ name: {{ ansible_service_broker_registry_name }}
+ url: {{ ansible_service_broker_registry_url }}
+ user: {{ ansible_service_broker_registry_user }}
+ pass: {{ ansible_service_broker_registry_password }}
+ org: {{ ansible_service_broker_registry_organization }}
+ tag: {{ ansible_service_broker_registry_tag }}
+ white_list: {{ ansible_service_broker_registry_whitelist }}
dao:
- etcd_host: etcd
+ etcd_host: 0.0.0.0
etcd_port: 2379
log:
logfile: /var/log/ansible-service-broker/asb.log
stdout: true
- level: "{{ ansible_service_broker_log_level }}"
+ level: {{ ansible_service_broker_log_level }}
color: true
- openshift: {}
+ openshift:
+ host: ""
+ ca_file: ""
+ bearer_token_file: ""
+ sandbox_role: {{ ansible_service_broker_sandbox_role }}
+ image_pull_policy: {{ ansible_service_broker_image_pull_policy }}
broker:
dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }}
+ bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }}
+ refresh_interval: {{ ansible_service_broker_refresh_interval }}
launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }}
- recovery: {{ ansible_service_broker_recovery | bool | lower }}
output_request: {{ ansible_service_broker_output_request | bool | lower }}
- bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }}
+ recovery: {{ ansible_service_broker_recovery | bool | lower }}
+ ssl_cert_key: /etc/tls/private/tls.key
+ ssl_cert: /etc/tls/private/tls.crt
+ auto_escalate: {{ ansible_service_broker_auto_escalate }}
+ auth:
+ - type: basic
+ enabled: false
+
- name: Create the Broker resource in the catalog
oc_obj:
name: ansible-service-broker
state: present
- kind: Broker
+ kind: ServiceBroker
content:
path: /tmp/brokerout
data:
apiVersion: servicecatalog.k8s.io/v1alpha1
- kind: Broker
+ kind: ServiceBroker
metadata:
name: ansible-service-broker
spec:
- url: http://asb.openshift-ansible-service-broker.svc:1338
+ url: http://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
+ authInfo:
+ bearer:
+ secretRef:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ kind: Secret
+ caBundle: "{{ catalog_ca.content }}"
diff --git a/roles/ansible_service_broker/tasks/remove.yml b/roles/ansible_service_broker/tasks/remove.yml
index 2519f9f4c..f0a6be226 100644
--- a/roles/ansible_service_broker/tasks/remove.yml
+++ b/roles/ansible_service_broker/tasks/remove.yml
@@ -1,16 +1,57 @@
---
-- name: remove openshift-ansible-service-broker project
- oc_project:
- name: openshift-ansible-service-broker
- state: absent
-
- name: remove ansible-service-broker serviceaccount
oc_serviceaccount:
name: asb
namespace: openshift-ansible-service-broker
state: absent
+- name: remove ansible-service-broker client serviceaccount
+ oc_serviceaccount:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ state: absent
+
+- name: remove asb-auth cluster role
+ oc_clusterrole:
+ state: absent
+ name: asb-auth
+
+- name: remove asb-access cluster role
+ oc_clusterrole:
+ state: absent
+ name: asb-access
+
+- name: Unbind admin cluster-role to asb serviceaccount
+ oc_adm_policy_user:
+ state: absent
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: admin
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Unbind auth cluster role to asb service account
+ oc_adm_policy_user:
+ state: absent
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-auth
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Unbind asb-access role to asb-client service account
+ oc_adm_policy_user:
+ state: absent
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-access
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
+
+- name: remove asb-client token secret
+ oc_secret:
+ state: absent
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+
- name: remove ansible-service-broker service
oc_service:
name: asb
@@ -35,19 +76,19 @@
namespace: openshift-ansible-service-broker
state: absent
-- name: remove etcd deployment
+- name: remove Ansible Service Broker deployment config
oc_obj:
- name: etcd
+ name: asb
namespace: openshift-ansible-service-broker
+ kind: DeploymentConfig
state: absent
- kind: Deployment
-- name: remove ansible-service-broker deployment
+- name: remove secret for broker auth
oc_obj:
- name: asb
+ name: asb-auth-secret
namespace: openshift-ansible-service-broker
+ kind: Broker
state: absent
- kind: Deployment
# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
- name: remove config map for ansible-service-broker
@@ -62,4 +103,9 @@
oc_obj:
name: ansible-service-broker
state: absent
- kind: Broker
+ kind: ServiceBroker
+
+- name: remove openshift-ansible-service-broker project
+ oc_project:
+ name: openshift-ansible-service-broker
+ state: absent
diff --git a/roles/ansible_service_broker/vars/default_images.yml b/roles/ansible_service_broker/vars/default_images.yml
index 15e448515..3e9639adf 100644
--- a/roles/ansible_service_broker/vars/default_images.yml
+++ b/roles/ansible_service_broker/vars/default_images.yml
@@ -8,6 +8,7 @@ __ansible_service_broker_etcd_image_tag: latest
__ansible_service_broker_etcd_image_etcd_path: /usr/local/bin/etcd
__ansible_service_broker_registry_type: dockerhub
+__ansible_service_broker_registry_name: dh
__ansible_service_broker_registry_url: null
__ansible_service_broker_registry_user: null
__ansible_service_broker_registry_password: null
diff --git a/roles/ansible_service_broker/vars/openshift-enterprise.yml b/roles/ansible_service_broker/vars/openshift-enterprise.yml
index ce2ae8365..9c576cb76 100644
--- a/roles/ansible_service_broker/vars/openshift-enterprise.yml
+++ b/roles/ansible_service_broker/vars/openshift-enterprise.yml
@@ -7,7 +7,9 @@ __ansible_service_broker_etcd_image_prefix: rhel7/
__ansible_service_broker_etcd_image_tag: latest
__ansible_service_broker_etcd_image_etcd_path: /bin/etcd
+
__ansible_service_broker_registry_type: rhcc
+__ansible_service_broker_registry_name: rh
__ansible_service_broker_registry_url: "https://registry.access.redhat.com"
__ansible_service_broker_registry_user: null
__ansible_service_broker_registry_password: null
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index a35335937..eab5c3bb1 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -137,18 +137,6 @@
notify:
- restart docker
-- name: Check for credentials file for registry auth
- stat:
- path: "{{ docker_cli_auth_config_path }}/config.json"
- when: oreg_auth_user is defined
- register: docker_cli_auth_credentials_stat
-
-- name: Create credentials for docker cli registry auth
- command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
- when:
- - oreg_auth_user is defined
- - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
-
- name: Start the Docker service
systemd:
name: docker
@@ -163,4 +151,16 @@
- set_fact:
docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}"
+- name: Check for credentials file for registry auth
+ stat:
+ path: "{{ docker_cli_auth_config_path }}/config.json"
+ when: oreg_auth_user is defined
+ register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+ command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+ when:
+ - oreg_auth_user is defined
+ - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+
- meta: flush_handlers
diff --git a/roles/lib_openshift/library/oc_adm_registry.py b/roles/lib_openshift/library/oc_adm_registry.py
index 5d6fa1f80..0771aa5a5 100644
--- a/roles/lib_openshift/library/oc_adm_registry.py
+++ b/roles/lib_openshift/library/oc_adm_registry.py
@@ -1886,13 +1886,15 @@ class SecretConfig(object):
namespace,
kubeconfig,
secrets=None,
- stype=None):
+ stype=None,
+ annotations=None):
''' constructor for handling secret options '''
self.kubeconfig = kubeconfig
self.name = sname
self.type = stype
self.namespace = namespace
self.secrets = secrets
+ self.annotations = annotations
self.data = {}
self.create_dict()
@@ -1909,6 +1911,8 @@ class SecretConfig(object):
if self.secrets:
for key, value in self.secrets.items():
self.data['data'][key] = value
+ if self.annotations:
+ self.data['metadata']['annotations'] = self.annotations
# pylint: disable=too-many-instance-attributes
class Secret(Yedit):
diff --git a/roles/lib_openshift/library/oc_adm_router.py b/roles/lib_openshift/library/oc_adm_router.py
index ffea14766..146f71f68 100644
--- a/roles/lib_openshift/library/oc_adm_router.py
+++ b/roles/lib_openshift/library/oc_adm_router.py
@@ -2230,13 +2230,15 @@ class SecretConfig(object):
namespace,
kubeconfig,
secrets=None,
- stype=None):
+ stype=None,
+ annotations=None):
''' constructor for handling secret options '''
self.kubeconfig = kubeconfig
self.name = sname
self.type = stype
self.namespace = namespace
self.secrets = secrets
+ self.annotations = annotations
self.data = {}
self.create_dict()
@@ -2253,6 +2255,8 @@ class SecretConfig(object):
if self.secrets:
for key, value in self.secrets.items():
self.data['data'][key] = value
+ if self.annotations:
+ self.data['metadata']['annotations'] = self.annotations
# pylint: disable=too-many-instance-attributes
class Secret(Yedit):
diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py
index b46fd5495..e003770d8 100644
--- a/roles/lib_openshift/library/oc_route.py
+++ b/roles/lib_openshift/library/oc_route.py
@@ -90,6 +90,12 @@ options:
required: false
default: str
aliases: []
+ labels:
+ description:
+ - The labels to apply on the route
+ required: false
+ default: None
+ aliases: []
tls_termination:
description:
- The options for termination. e.g. reencrypt
@@ -1469,6 +1475,7 @@ class RouteConfig(object):
sname,
namespace,
kubeconfig,
+ labels=None,
destcacert=None,
cacert=None,
cert=None,
@@ -1483,6 +1490,7 @@ class RouteConfig(object):
self.kubeconfig = kubeconfig
self.name = sname
self.namespace = namespace
+ self.labels = labels
self.host = host
self.tls_termination = tls_termination
self.destcacert = destcacert
@@ -1508,6 +1516,8 @@ class RouteConfig(object):
self.data['metadata'] = {}
self.data['metadata']['name'] = self.name
self.data['metadata']['namespace'] = self.namespace
+ if self.labels:
+ self.data['metadata']['labels'] = self.labels
self.data['spec'] = {}
self.data['spec']['host'] = self.host
@@ -1715,6 +1725,7 @@ class OCRoute(OpenShiftCLI):
rconfig = RouteConfig(params['name'],
params['namespace'],
params['kubeconfig'],
+ params['labels'],
files['destcacert']['value'],
files['cacert']['value'],
files['cert']['value'],
@@ -1819,6 +1830,7 @@ def main():
state=dict(default='present', type='str',
choices=['present', 'absent', 'list']),
debug=dict(default=False, type='bool'),
+ labels=dict(default=None, type='dict'),
name=dict(default=None, required=True, type='str'),
namespace=dict(default=None, required=True, type='str'),
tls_termination=dict(default=None, type='str'),
diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py
index 19c7fde78..0614f359d 100644
--- a/roles/lib_openshift/library/oc_secret.py
+++ b/roles/lib_openshift/library/oc_secret.py
@@ -90,6 +90,12 @@ options:
required: false
default: default
aliases: []
+ annotations:
+ description:
+ - Annotations to apply to the object
+ required: false
+ default: None
+ aliases: []
files:
description:
- A list of files provided for secrets
@@ -1464,13 +1470,15 @@ class SecretConfig(object):
namespace,
kubeconfig,
secrets=None,
- stype=None):
+ stype=None,
+ annotations=None):
''' constructor for handling secret options '''
self.kubeconfig = kubeconfig
self.name = sname
self.type = stype
self.namespace = namespace
self.secrets = secrets
+ self.annotations = annotations
self.data = {}
self.create_dict()
@@ -1487,6 +1495,8 @@ class SecretConfig(object):
if self.secrets:
for key, value in self.secrets.items():
self.data['data'][key] = value
+ if self.annotations:
+ self.data['metadata']['annotations'] = self.annotations
# pylint: disable=too-many-instance-attributes
class Secret(Yedit):
@@ -1698,8 +1708,7 @@ class OCSecret(OpenShiftCLI):
elif params['contents']:
files = Utils.create_tmp_files_from_contents(params['contents'])
else:
- return {'failed': True,
- 'msg': 'Either specify files or contents.'}
+ files = [{'name': 'null', 'path': os.devnull}]
########
# Create
@@ -1783,6 +1792,7 @@ def main():
debug=dict(default=False, type='bool'),
namespace=dict(default='default', type='str'),
name=dict(default=None, type='str'),
+ annotations=dict(default=None, type='dict'),
type=dict(default=None, type='str'),
files=dict(default=None, type='list'),
delete_after=dict(default=False, type='bool'),
diff --git a/roles/lib_openshift/src/ansible/oc_route.py b/roles/lib_openshift/src/ansible/oc_route.py
index f2f5c5095..969cf8bcd 100644
--- a/roles/lib_openshift/src/ansible/oc_route.py
+++ b/roles/lib_openshift/src/ansible/oc_route.py
@@ -13,6 +13,7 @@ def main():
state=dict(default='present', type='str',
choices=['present', 'absent', 'list']),
debug=dict(default=False, type='bool'),
+ labels=dict(default=None, type='dict'),
name=dict(default=None, required=True, type='str'),
namespace=dict(default=None, required=True, type='str'),
tls_termination=dict(default=None, type='str'),
diff --git a/roles/lib_openshift/src/ansible/oc_secret.py b/roles/lib_openshift/src/ansible/oc_secret.py
index faa7c1772..ee2827e69 100644
--- a/roles/lib_openshift/src/ansible/oc_secret.py
+++ b/roles/lib_openshift/src/ansible/oc_secret.py
@@ -15,6 +15,7 @@ def main():
debug=dict(default=False, type='bool'),
namespace=dict(default='default', type='str'),
name=dict(default=None, type='str'),
+ annotations=dict(default=None, type='dict'),
type=dict(default=None, type='str'),
files=dict(default=None, type='list'),
delete_after=dict(default=False, type='bool'),
diff --git a/roles/lib_openshift/src/class/oc_route.py b/roles/lib_openshift/src/class/oc_route.py
index 3a1bd732f..dc2f7977b 100644
--- a/roles/lib_openshift/src/class/oc_route.py
+++ b/roles/lib_openshift/src/class/oc_route.py
@@ -118,6 +118,7 @@ class OCRoute(OpenShiftCLI):
rconfig = RouteConfig(params['name'],
params['namespace'],
params['kubeconfig'],
+ params['labels'],
files['destcacert']['value'],
files['cacert']['value'],
files['cert']['value'],
diff --git a/roles/lib_openshift/src/class/oc_secret.py b/roles/lib_openshift/src/class/oc_secret.py
index 4ee6443e9..5322d6241 100644
--- a/roles/lib_openshift/src/class/oc_secret.py
+++ b/roles/lib_openshift/src/class/oc_secret.py
@@ -142,8 +142,7 @@ class OCSecret(OpenShiftCLI):
elif params['contents']:
files = Utils.create_tmp_files_from_contents(params['contents'])
else:
- return {'failed': True,
- 'msg': 'Either specify files or contents.'}
+ files = [{'name': 'null', 'path': os.devnull}]
########
# Create
diff --git a/roles/lib_openshift/src/doc/route b/roles/lib_openshift/src/doc/route
index a12999c9e..f0d38ab5f 100644
--- a/roles/lib_openshift/src/doc/route
+++ b/roles/lib_openshift/src/doc/route
@@ -39,6 +39,12 @@ options:
required: false
default: str
aliases: []
+ labels:
+ description:
+ - The labels to apply on the route
+ required: false
+ default: None
+ aliases: []
tls_termination:
description:
- The options for termination. e.g. reencrypt
diff --git a/roles/lib_openshift/src/doc/secret b/roles/lib_openshift/src/doc/secret
index 76b147f6f..a27f90f38 100644
--- a/roles/lib_openshift/src/doc/secret
+++ b/roles/lib_openshift/src/doc/secret
@@ -39,6 +39,12 @@ options:
required: false
default: default
aliases: []
+ annotations:
+ description:
+ - Annotations to apply to the object
+ required: false
+ default: None
+ aliases: []
files:
description:
- A list of files provided for secrets
diff --git a/roles/lib_openshift/src/lib/route.py b/roles/lib_openshift/src/lib/route.py
index 3b54a24fb..b106866cb 100644
--- a/roles/lib_openshift/src/lib/route.py
+++ b/roles/lib_openshift/src/lib/route.py
@@ -11,6 +11,7 @@ class RouteConfig(object):
sname,
namespace,
kubeconfig,
+ labels=None,
destcacert=None,
cacert=None,
cert=None,
@@ -25,6 +26,7 @@ class RouteConfig(object):
self.kubeconfig = kubeconfig
self.name = sname
self.namespace = namespace
+ self.labels = labels
self.host = host
self.tls_termination = tls_termination
self.destcacert = destcacert
@@ -50,6 +52,8 @@ class RouteConfig(object):
self.data['metadata'] = {}
self.data['metadata']['name'] = self.name
self.data['metadata']['namespace'] = self.namespace
+ if self.labels:
+ self.data['metadata']['labels'] = self.labels
self.data['spec'] = {}
self.data['spec']['host'] = self.host
diff --git a/roles/lib_openshift/src/lib/secret.py b/roles/lib_openshift/src/lib/secret.py
index a1c202442..ad4b6aa36 100644
--- a/roles/lib_openshift/src/lib/secret.py
+++ b/roles/lib_openshift/src/lib/secret.py
@@ -10,13 +10,15 @@ class SecretConfig(object):
namespace,
kubeconfig,
secrets=None,
- stype=None):
+ stype=None,
+ annotations=None):
''' constructor for handling secret options '''
self.kubeconfig = kubeconfig
self.name = sname
self.type = stype
self.namespace = namespace
self.secrets = secrets
+ self.annotations = annotations
self.data = {}
self.create_dict()
@@ -33,6 +35,8 @@ class SecretConfig(object):
if self.secrets:
for key, value in self.secrets.items():
self.data['data'][key] = value
+ if self.annotations:
+ self.data['metadata']['annotations'] = self.annotations
# pylint: disable=too-many-instance-attributes
class Secret(Yedit):
diff --git a/roles/lib_openshift/src/test/unit/test_oc_route.py b/roles/lib_openshift/src/test/unit/test_oc_route.py
index afdb5e4dc..5699f123b 100755
--- a/roles/lib_openshift/src/test/unit/test_oc_route.py
+++ b/roles/lib_openshift/src/test/unit/test_oc_route.py
@@ -39,6 +39,7 @@ class OCRouteTest(unittest.TestCase):
'debug': False,
'name': 'test',
'namespace': 'default',
+ 'labels': {'route': 'route'},
'tls_termination': 'passthrough',
'dest_cacert_path': None,
'cacert_path': None,
@@ -64,7 +65,10 @@ class OCRouteTest(unittest.TestCase):
"selfLink": "/oapi/v1/namespaces/default/routes/test",
"uid": "1b127c67-ecd9-11e6-96eb-0e0d9bdacd26",
"resourceVersion": "439182",
- "creationTimestamp": "2017-02-07T01:59:48Z"
+ "creationTimestamp": "2017-02-07T01:59:48Z",
+ "labels": {
+ "route": "route"
+ }
},
"spec": {
"host": "test.example",
@@ -141,6 +145,7 @@ class OCRouteTest(unittest.TestCase):
'debug': False,
'name': 'test',
'namespace': 'default',
+ 'labels': {'route': 'route'},
'tls_termination': 'edge',
'dest_cacert_path': None,
'cacert_path': None,
@@ -166,7 +171,8 @@ class OCRouteTest(unittest.TestCase):
"namespace": "default",
"resourceVersion": "517745",
"selfLink": "/oapi/v1/namespaces/default/routes/test",
- "uid": "b6f25898-ed77-11e6-9755-0e737db1e63a"
+ "uid": "b6f25898-ed77-11e6-9755-0e737db1e63a",
+ "labels": {"route": "route"}
},
"spec": {
"host": "test.openshift.com",
@@ -250,6 +256,7 @@ metadata:
self.assertTrue(results['changed'])
self.assertEqual(results['state'], 'present')
self.assertEqual(results['results']['results'][0]['metadata']['name'], 'test')
+ self.assertEqual(results['results']['results'][0]['metadata']['labels']['route'], 'route')
# Making sure our mock was called as we expected
mock_cmd.assert_has_calls([
diff --git a/roles/openshift_aws/README.md b/roles/openshift_aws/README.md
index 696efbea5..ff96081fe 100644
--- a/roles/openshift_aws/README.md
+++ b/roles/openshift_aws/README.md
@@ -23,7 +23,6 @@ From this role:
| openshift_aws_ami_copy_wait | False
| openshift_aws_users | []
| openshift_aws_launch_config_name | {{ openshift_aws_clusterid }}-{{ openshift_aws_node_group_type }}
-| openshift_aws_create_vpc | False
| openshift_aws_node_group_type | master
| openshift_aws_elb_cert_arn | ''
| openshift_aws_kubernetes_cluster_status | owned
@@ -72,7 +71,6 @@ Example Playbook
vars:
openshift_aws_clusterid: test
openshift_aws_region: us-east-1
- openshift_aws_create_vpc: true
```
License
diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml
index 94c0f4472..ea09857b0 100644
--- a/roles/openshift_aws/defaults/main.yml
+++ b/roles/openshift_aws/defaults/main.yml
@@ -1,5 +1,4 @@
---
-openshift_aws_create_vpc: True
openshift_aws_create_s3: True
openshift_aws_create_iam_cert: True
openshift_aws_create_security_groups: True
diff --git a/roles/openshift_aws/tasks/master_facts.yml b/roles/openshift_aws/tasks/master_facts.yml
new file mode 100644
index 000000000..737cfc7a6
--- /dev/null
+++ b/roles/openshift_aws/tasks/master_facts.yml
@@ -0,0 +1,22 @@
+---
+- name: fetch elbs
+ ec2_elb_facts:
+ region: "{{ openshift_aws_region }}"
+ names:
+ - "{{ item }}"
+ with_items:
+ - "{{ openshift_aws_elb_name }}-external"
+ - "{{ openshift_aws_elb_name }}-internal"
+ delegate_to: localhost
+ register: elbs
+
+- debug: var=elbs
+
+- name: set fact
+ set_fact:
+ openshift_master_cluster_hostname: "{{ elbs.results[1].elbs[0].dns_name }}"
+ osm_custom_cors_origins:
+ - "{{ elbs.results[1].elbs[0].dns_name }}"
+ - "console.{{ openshift_aws_clusterid | default('default') }}.openshift.com"
+ - "api.{{ openshift_aws_clusterid | default('default') }}.openshift.com"
+ with_items: "{{ groups['masters'] }}"
diff --git a/roles/openshift_aws/tasks/provision.yml b/roles/openshift_aws/tasks/provision.yml
index a2920b744..a8518d43a 100644
--- a/roles/openshift_aws/tasks/provision.yml
+++ b/roles/openshift_aws/tasks/provision.yml
@@ -1,16 +1,8 @@
---
-- when: openshift_aws_create_vpc | bool
- name: create default vpc
- include: vpc.yml
-
- when: openshift_aws_create_iam_cert | bool
name: create the iam_cert for elb certificate
include: iam_cert.yml
-- when: openshift_aws_users | length > 0
- name: create aws ssh keypair
- include: ssh_keys.yml
-
- when: openshift_aws_create_s3 | bool
name: create s3 bucket for registry
include: s3.yml
diff --git a/roles/openshift_aws/tasks/build_ami.yml b/roles/openshift_aws/tasks/provision_instance.yml
index 48555e5da..1384bae59 100644
--- a/roles/openshift_aws/tasks/build_ami.yml
+++ b/roles/openshift_aws/tasks/provision_instance.yml
@@ -1,16 +1,4 @@
---
-- when: openshift_aws_create_vpc | bool
- name: create a vpc
- include: vpc.yml
-
-- when: openshift_aws_users | length > 0
- name: create aws ssh keypair
- include: ssh_keys.yml
-
-- when: openshift_aws_create_security_groups | bool
- name: Create compute security_groups
- include: security_group.yml
-
- name: query vpc
ec2_vpc_net_facts:
region: "{{ openshift_aws_region }}"
@@ -33,7 +21,7 @@
key_name: "{{ openshift_aws_ssh_key_name }}"
group: "{{ openshift_aws_build_ami_group }}"
instance_type: m4.xlarge
- vpc_subnet_id: "{{ subnetout.subnets[0].id }}"
+ vpc_subnet_id: "{{ openshift_aws_subnet_id | default(subnetout.subnets[0].id) }}"
image: "{{ openshift_aws_base_ami }}"
volumes:
- device_name: /dev/sdb
@@ -46,3 +34,30 @@
Name: "{{ openshift_aws_base_ami_name }}"
instance_tags:
Name: "{{ openshift_aws_base_ami_name }}"
+
+- name: fetch newly created instances
+ ec2_remote_facts:
+ region: "{{ openshift_aws_region }}"
+ filters:
+ "tag:Name": "{{ openshift_aws_base_ami_name }}"
+ instance-state-name: running
+ register: instancesout
+ retries: 20
+ delay: 3
+ until: instancesout.instances|length > 0
+
+- name: wait for ssh to become available
+ wait_for:
+ port: 22
+ host: "{{ instancesout.instances[0].public_ip_address }}"
+ timeout: 300
+ search_regex: OpenSSH
+
+- name: Pause 10 seconds to ensure ssh actually accepts logins
+ pause:
+ seconds: 20
+
+- name: add host to nodes
+ add_host:
+ groups: nodes
+ name: "{{ instancesout.instances[0].public_dns_name }}"
diff --git a/roles/openshift_aws/tasks/setup_master_group.yml b/roles/openshift_aws/tasks/setup_master_group.yml
new file mode 100644
index 000000000..166f3b938
--- /dev/null
+++ b/roles/openshift_aws/tasks/setup_master_group.yml
@@ -0,0 +1,35 @@
+---
+- name: Alert user to variables needed - clusterid
+ debug:
+ msg: "openshift_aws_clusterid={{ openshift_aws_clusterid }}"
+
+- name: Alert user to variables needed - region
+ debug:
+ msg: "openshift_aws_region={{ openshift_aws_region }}"
+
+- name: fetch newly created instances
+ ec2_remote_facts:
+ region: "{{ openshift_aws_region }}"
+ filters:
+ "tag:clusterid": "{{ openshift_aws_clusterid }}"
+ "tag:host-type": master
+ instance-state-name: running
+ register: instancesout
+ retries: 20
+ delay: 3
+ until: instancesout.instances|length > 0
+
+- name: add new master to masters group
+ add_host:
+ groups: "masters,etcd,nodes"
+ name: "{{ item.public_dns_name }}"
+ hostname: "{{ openshift_aws_clusterid }}-master-{{ item.id[:-5] }}"
+ with_items: "{{ instancesout.instances }}"
+
+- name: wait for ssh to become available
+ wait_for:
+ port: 22
+ host: "{{ item.public_dns_name }}"
+ timeout: 300
+ search_regex: OpenSSH
+ with_items: "{{ instancesout.instances }}"
diff --git a/roles/openshift_health_checker/openshift_checks/disk_availability.py b/roles/openshift_health_checker/openshift_checks/disk_availability.py
index cdf56e959..7956559c6 100644
--- a/roles/openshift_health_checker/openshift_checks/disk_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/disk_availability.py
@@ -15,31 +15,31 @@ class DiskAvailability(OpenShiftCheck):
# https://docs.openshift.org/latest/install_config/install/prerequisites.html#system-requirements
recommended_disk_space_bytes = {
'/var': {
- 'masters': 40 * 10**9,
- 'nodes': 15 * 10**9,
- 'etcd': 20 * 10**9,
+ 'oo_masters_to_config': 40 * 10**9,
+ 'oo_nodes_to_config': 15 * 10**9,
+ 'oo_etcd_to_config': 20 * 10**9,
},
# Used to copy client binaries into,
# see roles/openshift_cli/library/openshift_container_binary_sync.py.
'/usr/local/bin': {
- 'masters': 1 * 10**9,
- 'nodes': 1 * 10**9,
- 'etcd': 1 * 10**9,
+ 'oo_masters_to_config': 1 * 10**9,
+ 'oo_nodes_to_config': 1 * 10**9,
+ 'oo_etcd_to_config': 1 * 10**9,
},
# Used as temporary storage in several cases.
tempfile.gettempdir(): {
- 'masters': 1 * 10**9,
- 'nodes': 1 * 10**9,
- 'etcd': 1 * 10**9,
+ 'oo_masters_to_config': 1 * 10**9,
+ 'oo_nodes_to_config': 1 * 10**9,
+ 'oo_etcd_to_config': 1 * 10**9,
},
}
# recommended disk space for each location under an upgrade context
recommended_disk_upgrade_bytes = {
'/var': {
- 'masters': 10 * 10**9,
- 'nodes': 5 * 10 ** 9,
- 'etcd': 5 * 10 ** 9,
+ 'oo_masters_to_config': 10 * 10**9,
+ 'oo_nodes_to_config': 5 * 10 ** 9,
+ 'oo_etcd_to_config': 5 * 10 ** 9,
},
}
@@ -61,9 +61,9 @@ class DiskAvailability(OpenShiftCheck):
number = float(user_config)
user_config = {
'/var': {
- 'masters': number,
- 'nodes': number,
- 'etcd': number,
+ 'oo_masters_to_config': number,
+ 'oo_nodes_to_config': number,
+ 'oo_etcd_to_config': number,
},
}
except TypeError:
diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
index fa07c1dde..63ccadcd1 100644
--- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
@@ -114,7 +114,7 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):
# template for images that run on top of OpenShift
image_url = "{}/{}-{}:{}".format(image_info["namespace"], image_info["name"], "${component}", "${version}")
image_url = self.get_var("oreg_url", default="") or image_url
- if 'nodes' in host_groups:
+ if 'oo_nodes_to_config' in host_groups:
for suffix in NODE_IMAGE_SUFFIXES:
required.add(image_url.replace("${component}", suffix).replace("${version}", image_tag))
# The registry-console is for some reason not prefixed with ose- like the other components.
@@ -125,13 +125,13 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):
# images for containerized components
if self.get_var("openshift", "common", "is_containerized"):
components = set()
- if 'nodes' in host_groups:
+ if 'oo_nodes_to_config' in host_groups:
components.update(["node", "openvswitch"])
- if 'masters' in host_groups: # name is "origin" or "ose"
+ if 'oo_masters_to_config' in host_groups: # name is "origin" or "ose"
components.add(image_info["name"])
for component in components:
required.add("{}/{}:{}".format(image_info["namespace"], component, image_tag))
- if 'etcd' in host_groups: # special case, note it is the same for origin/enterprise
+ if 'oo_etcd_to_config' in host_groups: # special case, note it is the same for origin/enterprise
required.add("registry.access.redhat.com/rhel7/etcd") # and no image tag
return required
diff --git a/roles/openshift_health_checker/openshift_checks/etcd_traffic.py b/roles/openshift_health_checker/openshift_checks/etcd_traffic.py
index b4c8957e9..8b20ccb49 100644
--- a/roles/openshift_health_checker/openshift_checks/etcd_traffic.py
+++ b/roles/openshift_health_checker/openshift_checks/etcd_traffic.py
@@ -12,7 +12,7 @@ class EtcdTraffic(OpenShiftCheck):
def is_active(self):
"""Skip hosts that do not have etcd in their group names."""
group_names = self.get_var("group_names", default=[])
- valid_group_names = "etcd" in group_names
+ valid_group_names = "oo_etcd_to_config" in group_names
version = self.get_major_minor_version(self.get_var("openshift_image_tag"))
valid_version = version in ((3, 4), (3, 5))
diff --git a/roles/openshift_health_checker/openshift_checks/etcd_volume.py b/roles/openshift_health_checker/openshift_checks/etcd_volume.py
index 79955cb2f..3d75da6f9 100644
--- a/roles/openshift_health_checker/openshift_checks/etcd_volume.py
+++ b/roles/openshift_health_checker/openshift_checks/etcd_volume.py
@@ -15,7 +15,11 @@ class EtcdVolume(OpenShiftCheck):
etcd_mount_path = "/var/lib/etcd"
def is_active(self):
- etcd_hosts = self.get_var("groups", "etcd", default=[]) or self.get_var("groups", "masters", default=[]) or []
+ etcd_hosts = (
+ self.get_var("groups", "oo_etcd_to_config", default=[]) or
+ self.get_var("groups", "oo_masters_to_config", default=[]) or
+ []
+ )
is_etcd_host = self.get_var("ansible_host") in etcd_hosts
return super(EtcdVolume, self).is_active() and is_etcd_host
diff --git a/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py b/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py
index d783e6760..e93cc9028 100644
--- a/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py
+++ b/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py
@@ -46,7 +46,7 @@ class FluentdConfig(LoggingCheck):
# if check is running on a master, retrieve all running pods
# and check any pod's container for the env var "USE_JOURNAL"
group_names = self.get_var("group_names")
- if "masters" in group_names:
+ if "oo_masters_to_config" in group_names:
use_journald = self.check_fluentd_env_var()
docker_info = self.execute_module("docker_info", {})
diff --git a/roles/openshift_health_checker/openshift_checks/memory_availability.py b/roles/openshift_health_checker/openshift_checks/memory_availability.py
index 765ba072d..e7a8ec976 100644
--- a/roles/openshift_health_checker/openshift_checks/memory_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/memory_availability.py
@@ -14,9 +14,9 @@ class MemoryAvailability(OpenShiftCheck):
# Values taken from the official installation documentation:
# https://docs.openshift.org/latest/install_config/install/prerequisites.html#system-requirements
recommended_memory_bytes = {
- "masters": 16 * GIB,
- "nodes": 8 * GIB,
- "etcd": 8 * GIB,
+ "oo_masters_to_config": 16 * GIB,
+ "oo_nodes_to_config": 8 * GIB,
+ "oo_etcd_to_config": 8 * GIB,
}
# https://access.redhat.com/solutions/3006511 physical RAM is partly reserved from memtotal
memtotal_adjustment = 1 * GIB
diff --git a/roles/openshift_health_checker/openshift_checks/mixins.py b/roles/openshift_health_checker/openshift_checks/mixins.py
index b90ebf6dd..cfbdea303 100644
--- a/roles/openshift_health_checker/openshift_checks/mixins.py
+++ b/roles/openshift_health_checker/openshift_checks/mixins.py
@@ -21,9 +21,11 @@ class DockerHostMixin(object):
def is_active(self):
"""Only run on hosts that depend on Docker."""
- is_containerized = self.get_var("openshift", "common", "is_containerized")
- is_node = "nodes" in self.get_var("group_names", default=[])
- return super(DockerHostMixin, self).is_active() and (is_containerized or is_node)
+ group_names = set(self.get_var("group_names", default=[]))
+ needs_docker = set(["oo_nodes_to_config"])
+ if self.get_var("openshift.common.is_containerized"):
+ needs_docker.update(["oo_masters_to_config", "oo_etcd_to_config"])
+ return super(DockerHostMixin, self).is_active() and bool(group_names.intersection(needs_docker))
def ensure_dependencies(self):
"""
diff --git a/roles/openshift_health_checker/openshift_checks/ovs_version.py b/roles/openshift_health_checker/openshift_checks/ovs_version.py
index 363c12def..416805c4d 100644
--- a/roles/openshift_health_checker/openshift_checks/ovs_version.py
+++ b/roles/openshift_health_checker/openshift_checks/ovs_version.py
@@ -24,7 +24,7 @@ class OvsVersion(NotContainerizedMixin, OpenShiftCheck):
def is_active(self):
"""Skip hosts that do not have package requirements."""
group_names = self.get_var("group_names", default=[])
- master_or_node = 'masters' in group_names or 'nodes' in group_names
+ master_or_node = 'oo_masters_to_config' in group_names or 'oo_nodes_to_config' in group_names
return super(OvsVersion, self).is_active() and master_or_node
def run(self):
diff --git a/roles/openshift_health_checker/openshift_checks/package_availability.py b/roles/openshift_health_checker/openshift_checks/package_availability.py
index 21355c2f0..090e438ff 100644
--- a/roles/openshift_health_checker/openshift_checks/package_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/package_availability.py
@@ -20,9 +20,9 @@ class PackageAvailability(NotContainerizedMixin, OpenShiftCheck):
packages = set()
- if "masters" in group_names:
+ if "oo_masters_to_config" in group_names:
packages.update(self.master_packages(rpm_prefix))
- if "nodes" in group_names:
+ if "oo_nodes_to_config" in group_names:
packages.update(self.node_packages(rpm_prefix))
args = {"packages": sorted(set(packages))}
diff --git a/roles/openshift_health_checker/openshift_checks/package_version.py b/roles/openshift_health_checker/openshift_checks/package_version.py
index d4aec3ed8..2f09b22fc 100644
--- a/roles/openshift_health_checker/openshift_checks/package_version.py
+++ b/roles/openshift_health_checker/openshift_checks/package_version.py
@@ -36,7 +36,7 @@ class PackageVersion(NotContainerizedMixin, OpenShiftCheck):
def is_active(self):
"""Skip hosts that do not have package requirements."""
group_names = self.get_var("group_names", default=[])
- master_or_node = 'masters' in group_names or 'nodes' in group_names
+ master_or_node = 'oo_masters_to_config' in group_names or 'oo_nodes_to_config' in group_names
return super(PackageVersion, self).is_active() and master_or_node
def run(self):
diff --git a/roles/openshift_health_checker/test/disk_availability_test.py b/roles/openshift_health_checker/test/disk_availability_test.py
index 9ae679b79..29a325a17 100644
--- a/roles/openshift_health_checker/test/disk_availability_test.py
+++ b/roles/openshift_health_checker/test/disk_availability_test.py
@@ -4,11 +4,11 @@ from openshift_checks.disk_availability import DiskAvailability, OpenShiftCheckE
@pytest.mark.parametrize('group_names,is_active', [
- (['masters'], True),
- (['nodes'], True),
- (['etcd'], True),
- (['masters', 'nodes'], True),
- (['masters', 'etcd'], True),
+ (['oo_masters_to_config'], True),
+ (['oo_nodes_to_config'], True),
+ (['oo_etcd_to_config'], True),
+ (['oo_masters_to_config', 'oo_nodes_to_config'], True),
+ (['oo_masters_to_config', 'oo_etcd_to_config'], True),
([], False),
(['lb'], False),
(['nfs'], False),
@@ -39,7 +39,7 @@ def test_is_active(group_names, is_active):
])
def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):
task_vars = dict(
- group_names=['masters'],
+ group_names=['oo_masters_to_config'],
ansible_mounts=ansible_mounts,
)
@@ -52,7 +52,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):
@pytest.mark.parametrize('group_names,configured_min,ansible_mounts', [
(
- ['masters'],
+ ['oo_masters_to_config'],
0,
[{
'mount': '/',
@@ -60,7 +60,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):
}],
),
(
- ['nodes'],
+ ['oo_nodes_to_config'],
0,
[{
'mount': '/',
@@ -68,7 +68,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):
}],
),
(
- ['etcd'],
+ ['oo_etcd_to_config'],
0,
[{
'mount': '/',
@@ -76,7 +76,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):
}],
),
(
- ['etcd'],
+ ['oo_etcd_to_config'],
1, # configure lower threshold
[{
'mount': '/',
@@ -84,7 +84,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):
}],
),
(
- ['etcd'],
+ ['oo_etcd_to_config'],
0,
[{
# not enough space on / ...
@@ -112,7 +112,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
@pytest.mark.parametrize('name,group_names,configured_min,ansible_mounts,expect_chunks', [
(
'test with no space available',
- ['masters'],
+ ['oo_masters_to_config'],
0,
[{
'mount': '/',
@@ -122,7 +122,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
),
(
'test with a higher configured required value',
- ['masters'],
+ ['oo_masters_to_config'],
100, # set a higher threshold
[{
'mount': '/',
@@ -132,7 +132,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
),
(
'test with 1GB available, but "0" GB space requirement',
- ['nodes'],
+ ['oo_nodes_to_config'],
0,
[{
'mount': '/',
@@ -142,7 +142,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
),
(
'test with no space available, but "0" GB space requirement',
- ['etcd'],
+ ['oo_etcd_to_config'],
0,
[{
'mount': '/',
@@ -152,7 +152,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
),
(
'test with enough space for a node, but not for a master',
- ['nodes', 'masters'],
+ ['oo_nodes_to_config', 'oo_masters_to_config'],
0,
[{
'mount': '/',
@@ -162,7 +162,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
),
(
'test failure with enough space on "/", but not enough on "/var"',
- ['etcd'],
+ ['oo_etcd_to_config'],
0,
[{
# enough space on / ...
@@ -194,7 +194,7 @@ def test_fails_with_insufficient_disk_space(name, group_names, configured_min, a
@pytest.mark.parametrize('name,group_names,context,ansible_mounts,failed,extra_words', [
(
'test without enough space for master under "upgrade" context',
- ['nodes', 'masters'],
+ ['oo_nodes_to_config', 'oo_masters_to_config'],
"upgrade",
[{
'mount': '/',
@@ -206,7 +206,7 @@ def test_fails_with_insufficient_disk_space(name, group_names, configured_min, a
),
(
'test with enough space for master under "upgrade" context',
- ['nodes', 'masters'],
+ ['oo_nodes_to_config', 'oo_masters_to_config'],
"upgrade",
[{
'mount': '/',
@@ -218,7 +218,7 @@ def test_fails_with_insufficient_disk_space(name, group_names, configured_min, a
),
(
'test with not enough space for master, and non-upgrade context',
- ['nodes', 'masters'],
+ ['oo_nodes_to_config', 'oo_masters_to_config'],
"health",
[{
'mount': '/',
diff --git a/roles/openshift_health_checker/test/docker_image_availability_test.py b/roles/openshift_health_checker/test/docker_image_availability_test.py
index c523ffd5c..43dcf0c9a 100644
--- a/roles/openshift_health_checker/test/docker_image_availability_test.py
+++ b/roles/openshift_health_checker/test/docker_image_availability_test.py
@@ -16,19 +16,19 @@ def task_vars():
),
openshift_deployment_type='origin',
openshift_image_tag='',
- group_names=['nodes', 'masters'],
+ group_names=['oo_nodes_to_config', 'oo_masters_to_config'],
)
@pytest.mark.parametrize('deployment_type, is_containerized, group_names, expect_active', [
- ("origin", True, [], True),
- ("openshift-enterprise", True, [], True),
("invalid", True, [], False),
("", True, [], False),
("origin", False, [], False),
("openshift-enterprise", False, [], False),
- ("origin", False, ["nodes", "masters"], True),
- ("openshift-enterprise", False, ["etcd"], False),
+ ("origin", False, ["oo_nodes_to_config", "oo_masters_to_config"], True),
+ ("openshift-enterprise", False, ["oo_etcd_to_config"], False),
+ ("origin", True, ["nfs"], False),
+ ("openshift-enterprise", True, ["lb"], False),
])
def test_is_active(task_vars, deployment_type, is_containerized, group_names, expect_active):
task_vars['openshift_deployment_type'] = deployment_type
@@ -126,7 +126,7 @@ def test_no_known_registries():
openshift_docker_additional_registries=["docker.io"],
openshift_deployment_type="openshift-enterprise",
openshift_image_tag='latest',
- group_names=['nodes', 'masters'],
+ group_names=['oo_nodes_to_config', 'oo_masters_to_config'],
))
dia.known_docker_registries = mock_known_docker_registries
actual = dia.run()
@@ -205,7 +205,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo
@pytest.mark.parametrize("deployment_type, is_containerized, groups, oreg_url, expected", [
( # standard set of stuff required on nodes
- "origin", False, ['nodes'], None,
+ "origin", False, ['oo_nodes_to_config'], None,
set([
'openshift/origin-pod:vtest',
'openshift/origin-deployer:vtest',
@@ -215,7 +215,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo
])
),
( # set a different URL for images
- "origin", False, ['nodes'], 'foo.io/openshift/origin-${component}:${version}',
+ "origin", False, ['oo_nodes_to_config'], 'foo.io/openshift/origin-${component}:${version}',
set([
'foo.io/openshift/origin-pod:vtest',
'foo.io/openshift/origin-deployer:vtest',
@@ -225,7 +225,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo
])
),
(
- "origin", True, ['nodes', 'masters', 'etcd'], None,
+ "origin", True, ['oo_nodes_to_config', 'oo_masters_to_config', 'oo_etcd_to_config'], None,
set([
# images running on top of openshift
'openshift/origin-pod:vtest',
@@ -241,7 +241,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo
])
),
( # enterprise images
- "openshift-enterprise", True, ['nodes'], 'foo.io/openshift3/ose-${component}:f13ac45',
+ "openshift-enterprise", True, ['oo_nodes_to_config'], 'foo.io/openshift3/ose-${component}:f13ac45',
set([
'foo.io/openshift3/ose-pod:f13ac45',
'foo.io/openshift3/ose-deployer:f13ac45',
@@ -255,7 +255,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo
])
),
(
- "openshift-enterprise", True, ['etcd', 'lb'], 'foo.io/openshift3/ose-${component}:f13ac45',
+ "openshift-enterprise", True, ['oo_etcd_to_config', 'lb'], 'foo.io/openshift3/ose-${component}:f13ac45',
set([
'registry.access.redhat.com/rhel7/etcd',
# lb does not yet come in a containerized version
@@ -288,7 +288,7 @@ def test_containerized_etcd():
),
),
openshift_deployment_type="origin",
- group_names=['etcd'],
+ group_names=['oo_etcd_to_config'],
)
expected = set(['registry.access.redhat.com/rhel7/etcd'])
assert expected == DockerImageAvailability(task_vars=task_vars).required_images()
diff --git a/roles/openshift_health_checker/test/docker_storage_test.py b/roles/openshift_health_checker/test/docker_storage_test.py
index e0dccc062..8fa68c378 100644
--- a/roles/openshift_health_checker/test/docker_storage_test.py
+++ b/roles/openshift_health_checker/test/docker_storage_test.py
@@ -5,9 +5,9 @@ from openshift_checks.docker_storage import DockerStorage
@pytest.mark.parametrize('is_containerized, group_names, is_active', [
- (False, ["masters", "etcd"], False),
- (False, ["masters", "nodes"], True),
- (True, ["etcd"], True),
+ (False, ["oo_masters_to_config", "oo_etcd_to_config"], False),
+ (False, ["oo_masters_to_config", "oo_nodes_to_config"], True),
+ (True, ["oo_etcd_to_config"], True),
])
def test_is_active(is_containerized, group_names, is_active):
task_vars = dict(
diff --git a/roles/openshift_health_checker/test/etcd_traffic_test.py b/roles/openshift_health_checker/test/etcd_traffic_test.py
index fae3e578d..dd6f4ad81 100644
--- a/roles/openshift_health_checker/test/etcd_traffic_test.py
+++ b/roles/openshift_health_checker/test/etcd_traffic_test.py
@@ -4,14 +4,14 @@ from openshift_checks.etcd_traffic import EtcdTraffic
@pytest.mark.parametrize('group_names,version,is_active', [
- (['masters'], "3.5", False),
- (['masters'], "3.6", False),
- (['nodes'], "3.4", False),
- (['etcd'], "3.4", True),
- (['etcd'], "1.5", True),
- (['etcd'], "3.1", False),
- (['masters', 'nodes'], "3.5", False),
- (['masters', 'etcd'], "3.5", True),
+ (['oo_masters_to_config'], "3.5", False),
+ (['oo_masters_to_config'], "3.6", False),
+ (['oo_nodes_to_config'], "3.4", False),
+ (['oo_etcd_to_config'], "3.4", True),
+ (['oo_etcd_to_config'], "1.5", True),
+ (['oo_etcd_to_config'], "3.1", False),
+ (['oo_masters_to_config', 'oo_nodes_to_config'], "3.5", False),
+ (['oo_masters_to_config', 'oo_etcd_to_config'], "3.5", True),
([], "3.4", False),
])
def test_is_active(group_names, version, is_active):
@@ -23,9 +23,9 @@ def test_is_active(group_names, version, is_active):
@pytest.mark.parametrize('group_names,matched,failed,extra_words', [
- (["masters"], True, True, ["Higher than normal", "traffic"]),
- (["masters", "etcd"], False, False, []),
- (["etcd"], False, False, []),
+ (["oo_masters_to_config"], True, True, ["Higher than normal", "traffic"]),
+ (["oo_masters_to_config", "oo_etcd_to_config"], False, False, []),
+ (["oo_etcd_to_config"], False, False, []),
])
def test_log_matches_high_traffic_msg(group_names, matched, failed, extra_words):
def execute_module(module_name, *_):
diff --git a/roles/openshift_health_checker/test/fluentd_config_test.py b/roles/openshift_health_checker/test/fluentd_config_test.py
index 10db253bc..b5b4858d6 100644
--- a/roles/openshift_health_checker/test/fluentd_config_test.py
+++ b/roles/openshift_health_checker/test/fluentd_config_test.py
@@ -82,7 +82,7 @@ def test_check_logging_config_non_master(name, use_journald, logging_driver, ext
return {}
task_vars = dict(
- group_names=["nodes", "etcd"],
+ group_names=["oo_nodes_to_config", "oo_etcd_to_config"],
openshift_logging_fluentd_use_journal=use_journald,
openshift=dict(
common=dict(config_base=""),
@@ -128,7 +128,7 @@ def test_check_logging_config_non_master_failed(name, use_journald, logging_driv
return {}
task_vars = dict(
- group_names=["nodes", "etcd"],
+ group_names=["oo_nodes_to_config", "oo_etcd_to_config"],
openshift_logging_fluentd_use_journal=use_journald,
openshift=dict(
common=dict(config_base=""),
@@ -192,7 +192,7 @@ def test_check_logging_config_master(name, pods, logging_driver, extra_words):
return {}
task_vars = dict(
- group_names=["masters"],
+ group_names=["oo_masters_to_config"],
openshift=dict(
common=dict(config_base=""),
),
@@ -274,7 +274,7 @@ def test_check_logging_config_master_failed(name, pods, logging_driver, words):
return {}
task_vars = dict(
- group_names=["masters"],
+ group_names=["oo_masters_to_config"],
openshift=dict(
common=dict(config_base=""),
),
@@ -331,7 +331,7 @@ def test_check_logging_config_master_fails_on_unscheduled_deployment(name, pods,
return {}
task_vars = dict(
- group_names=["masters"],
+ group_names=["oo_masters_to_config"],
openshift=dict(
common=dict(config_base=""),
),
diff --git a/roles/openshift_health_checker/test/memory_availability_test.py b/roles/openshift_health_checker/test/memory_availability_test.py
index aee2f0416..5ec83dd79 100644
--- a/roles/openshift_health_checker/test/memory_availability_test.py
+++ b/roles/openshift_health_checker/test/memory_availability_test.py
@@ -4,11 +4,11 @@ from openshift_checks.memory_availability import MemoryAvailability
@pytest.mark.parametrize('group_names,is_active', [
- (['masters'], True),
- (['nodes'], True),
- (['etcd'], True),
- (['masters', 'nodes'], True),
- (['masters', 'etcd'], True),
+ (['oo_masters_to_config'], True),
+ (['oo_nodes_to_config'], True),
+ (['oo_etcd_to_config'], True),
+ (['oo_masters_to_config', 'oo_nodes_to_config'], True),
+ (['oo_masters_to_config', 'oo_etcd_to_config'], True),
([], False),
(['lb'], False),
(['nfs'], False),
@@ -22,32 +22,32 @@ def test_is_active(group_names, is_active):
@pytest.mark.parametrize('group_names,configured_min,ansible_memtotal_mb', [
(
- ['masters'],
+ ['oo_masters_to_config'],
0,
17200,
),
(
- ['nodes'],
+ ['oo_nodes_to_config'],
0,
8200,
),
(
- ['nodes'],
+ ['oo_nodes_to_config'],
1, # configure lower threshold
2000, # too low for recommended but not for configured
),
(
- ['nodes'],
+ ['oo_nodes_to_config'],
2, # configure threshold where adjustment pushes it over
1900,
),
(
- ['etcd'],
+ ['oo_etcd_to_config'],
0,
8200,
),
(
- ['masters', 'nodes'],
+ ['oo_masters_to_config', 'oo_nodes_to_config'],
0,
17000,
),
@@ -66,43 +66,43 @@ def test_succeeds_with_recommended_memory(group_names, configured_min, ansible_m
@pytest.mark.parametrize('group_names,configured_min,ansible_memtotal_mb,extra_words', [
(
- ['masters'],
+ ['oo_masters_to_config'],
0,
0,
['0.0 GiB'],
),
(
- ['nodes'],
+ ['oo_nodes_to_config'],
0,
100,
['0.1 GiB'],
),
(
- ['nodes'],
+ ['oo_nodes_to_config'],
24, # configure higher threshold
20 * 1024, # enough to meet recommended but not configured
['20.0 GiB'],
),
(
- ['nodes'],
+ ['oo_nodes_to_config'],
24, # configure higher threshold
22 * 1024, # not enough for adjustment to push over threshold
['22.0 GiB'],
),
(
- ['etcd'],
+ ['oo_etcd_to_config'],
0,
6 * 1024,
['6.0 GiB'],
),
(
- ['etcd', 'masters'],
+ ['oo_etcd_to_config', 'oo_masters_to_config'],
0,
9 * 1024, # enough memory for etcd, not enough for a master
['9.0 GiB'],
),
(
- ['nodes', 'masters'],
+ ['oo_nodes_to_config', 'oo_masters_to_config'],
0,
# enough memory for a node, not enough for a master
11 * 1024,
diff --git a/roles/openshift_health_checker/test/ovs_version_test.py b/roles/openshift_health_checker/test/ovs_version_test.py
index 602f32989..5a82a43bf 100644
--- a/roles/openshift_health_checker/test/ovs_version_test.py
+++ b/roles/openshift_health_checker/test/ovs_version_test.py
@@ -67,14 +67,14 @@ def test_ovs_package_version(openshift_release, expected_ovs_version):
@pytest.mark.parametrize('group_names,is_containerized,is_active', [
- (['masters'], False, True),
+ (['oo_masters_to_config'], False, True),
# ensure check is skipped on containerized installs
- (['masters'], True, False),
- (['nodes'], False, True),
- (['masters', 'nodes'], False, True),
- (['masters', 'etcd'], False, True),
+ (['oo_masters_to_config'], True, False),
+ (['oo_nodes_to_config'], False, True),
+ (['oo_masters_to_config', 'oo_nodes_to_config'], False, True),
+ (['oo_masters_to_config', 'oo_etcd_to_config'], False, True),
([], False, False),
- (['etcd'], False, False),
+ (['oo_etcd_to_config'], False, False),
(['lb'], False, False),
(['nfs'], False, False),
])
diff --git a/roles/openshift_health_checker/test/package_availability_test.py b/roles/openshift_health_checker/test/package_availability_test.py
index b34e8fbfc..9815acb38 100644
--- a/roles/openshift_health_checker/test/package_availability_test.py
+++ b/roles/openshift_health_checker/test/package_availability_test.py
@@ -26,7 +26,7 @@ def test_is_active(pkg_mgr, is_containerized, is_active):
(
dict(
openshift=dict(common=dict(service_type='origin')),
- group_names=['masters'],
+ group_names=['oo_masters_to_config'],
),
set(['origin-master']),
set(['origin-node']),
@@ -34,7 +34,7 @@ def test_is_active(pkg_mgr, is_containerized, is_active):
(
dict(
openshift=dict(common=dict(service_type='atomic-openshift')),
- group_names=['nodes'],
+ group_names=['oo_nodes_to_config'],
),
set(['atomic-openshift-node']),
set(['atomic-openshift-master']),
@@ -42,7 +42,7 @@ def test_is_active(pkg_mgr, is_containerized, is_active):
(
dict(
openshift=dict(common=dict(service_type='atomic-openshift')),
- group_names=['masters', 'nodes'],
+ group_names=['oo_masters_to_config', 'oo_nodes_to_config'],
),
set(['atomic-openshift-master', 'atomic-openshift-node']),
set(),
diff --git a/roles/openshift_health_checker/test/package_version_test.py b/roles/openshift_health_checker/test/package_version_test.py
index 8564cd4db..3cf4ce033 100644
--- a/roles/openshift_health_checker/test/package_version_test.py
+++ b/roles/openshift_health_checker/test/package_version_test.py
@@ -97,14 +97,14 @@ def test_docker_package_version(deployment_type, openshift_release, expected_doc
@pytest.mark.parametrize('group_names,is_containerized,is_active', [
- (['masters'], False, True),
+ (['oo_masters_to_config'], False, True),
# ensure check is skipped on containerized installs
- (['masters'], True, False),
- (['nodes'], False, True),
- (['masters', 'nodes'], False, True),
- (['masters', 'etcd'], False, True),
+ (['oo_masters_to_config'], True, False),
+ (['oo_nodes_to_config'], False, True),
+ (['oo_masters_to_config', 'oo_nodes_to_config'], False, True),
+ (['oo_masters_to_config', 'oo_etcd_to_config'], False, True),
([], False, False),
- (['etcd'], False, False),
+ (['oo_etcd_to_config'], False, False),
(['lb'], False, False),
(['nfs'], False, False),
])
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index 0f1f659c6..6e7e2557f 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -94,7 +94,7 @@ openshift_logging_es_pvc_dynamic: "{{ openshift_logging_elasticsearch_pvc_dynami
openshift_logging_es_pvc_size: "{{ openshift_logging_elasticsearch_pvc_size | default('') }}"
openshift_logging_es_pvc_prefix: "{{ openshift_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
openshift_logging_es_recover_after_time: 5m
-openshift_logging_es_storage_group: "{{ openshift_logging_elasticsearch_storage_group | default('65534') }}"
+openshift_logging_es_storage_group: "65534"
openshift_logging_es_nodeselector: {}
# openshift_logging_es_config is a hash to be merged into the defaults for the elasticsearch.yaml
openshift_logging_es_config: {}
@@ -133,7 +133,7 @@ openshift_logging_es_ops_pvc_dynamic: "{{ openshift_logging_elasticsearch_ops_pv
openshift_logging_es_ops_pvc_size: "{{ openshift_logging_elasticsearch_ops_pvc_size | default('') }}"
openshift_logging_es_ops_pvc_prefix: "{{ openshift_logging_elasticsearch_ops_pvc_prefix | default('logging-es-ops') }}"
openshift_logging_es_ops_recover_after_time: 5m
-openshift_logging_es_ops_storage_group: "{{ openshift_logging_elasticsearch_storage_group | default('65534') }}"
+openshift_logging_es_ops_storage_group: "65534"
openshift_logging_es_ops_nodeselector: {}
# for exposing es-ops to external (outside of the cluster) clients
diff --git a/roles/openshift_logging/filter_plugins/openshift_logging.py b/roles/openshift_logging/filter_plugins/openshift_logging.py
index eac086e81..330e7e59a 100644
--- a/roles/openshift_logging/filter_plugins/openshift_logging.py
+++ b/roles/openshift_logging/filter_plugins/openshift_logging.py
@@ -45,6 +45,21 @@ def map_from_pairs(source, delim="="):
return dict(item.split(delim) for item in source.split(","))
+def serviceaccount_name(qualified_sa):
+ ''' Returns the simple name from a fully qualified name '''
+ return qualified_sa.split(":")[-1]
+
+
+def serviceaccount_namespace(qualified_sa, default=None):
+ ''' Returns the namespace from a fully qualified name '''
+ seg = qualified_sa.split(":")
+ if len(seg) > 1:
+ return seg[-2]
+ if default:
+ return default
+ return seg[-1]
+
+
# pylint: disable=too-few-public-methods
class FilterModule(object):
''' OpenShift Logging Filters '''
@@ -56,5 +71,7 @@ class FilterModule(object):
'random_word': random_word,
'entry_from_named_pair': entry_from_named_pair,
'map_from_pairs': map_from_pairs,
- 'es_storage': es_storage
+ 'es_storage': es_storage,
+ 'serviceaccount_name': serviceaccount_name,
+ 'serviceaccount_namespace': serviceaccount_namespace
}
diff --git a/roles/openshift_logging/library/openshift_logging_facts.py b/roles/openshift_logging/library/openshift_logging_facts.py
index 35accfb78..f10df8da5 100644
--- a/roles/openshift_logging/library/openshift_logging_facts.py
+++ b/roles/openshift_logging/library/openshift_logging_facts.py
@@ -171,22 +171,25 @@ class OpenshiftLoggingFacts(OCBaseCommand):
if comp is not None:
spec = dc_item["spec"]["template"]["spec"]
facts = dict(
+ name=name,
selector=dc_item["spec"]["selector"],
replicas=dc_item["spec"]["replicas"],
serviceAccount=spec["serviceAccount"],
containers=dict(),
volumes=dict()
)
+ if "nodeSelector" in spec:
+ facts["nodeSelector"] = spec["nodeSelector"]
+ if "supplementalGroups" in spec["securityContext"]:
+ facts["storageGroups"] = spec["securityContext"]["supplementalGroups"]
+ facts["spec"] = spec
if "volumes" in spec:
for vol in spec["volumes"]:
clone = copy.deepcopy(vol)
clone.pop("name", None)
facts["volumes"][vol["name"]] = clone
for container in spec["containers"]:
- facts["containers"][container["name"]] = dict(
- image=container["image"],
- resources=container["resources"],
- )
+ facts["containers"][container["name"]] = container
self.add_facts_for(comp, "deploymentconfigs", name, facts)
def facts_for_services(self, namespace):
diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml
index 3040d15ca..ffed956a4 100644
--- a/roles/openshift_logging/tasks/delete_logging.yaml
+++ b/roles/openshift_logging/tasks/delete_logging.yaml
@@ -92,6 +92,7 @@
with_items:
- rolebinding-reader
- daemonset-admin
+ - prometheus-metrics-viewer
# delete our configmaps
- name: delete configmaps
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml
index 9c8f0986a..f526fd734 100644
--- a/roles/openshift_logging/tasks/generate_certs.yaml
+++ b/roles/openshift_logging/tasks/generate_certs.yaml
@@ -139,10 +139,10 @@
# TODO: make idempotent
- name: Generate proxy session
- set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}}
+ set_fact: session_secret={{ 200 | oo_random_word}}
check_mode: no
# TODO: make idempotent
- name: Generate oauth client secret
- set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}}
+ set_fact: oauth_secret={{ 64 | oo_random_word}}
check_mode: no
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 2695ef030..21fd79c28 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -69,17 +69,18 @@
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
openshift_logging_elasticsearch_namespace: "{{ openshift_logging_namespace }}"
- openshift_logging_elasticsearch_deployment_name: "{{ item.0 }}"
+ openshift_logging_elasticsearch_deployment_name: "{{ item.0.name }}"
openshift_logging_elasticsearch_pvc_name: "{{ openshift_logging_es_pvc_prefix ~ '-' ~ item.2 if item.1 is none else item.1 }}"
openshift_logging_elasticsearch_replica_count: "{{ openshift_logging_es_cluster_size | int }}"
openshift_logging_elasticsearch_storage_type: "{{ elasticsearch_storage_type }}"
- openshift_logging_elasticsearch_pvc_size: "{{ openshift_logging_es_pvc_size }}"
- openshift_logging_elasticsearch_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic }}"
openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_pv_selector }}"
+ openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_nodeselector if item.0.nodeSelector | default(None) is none else item.0.nodeSelector }}"
+ openshift_logging_elasticsearch_storage_group: "{{ [openshift_logging_es_storage_group] if item.0.storageGroups | default([]) | length == 0 else item.0.storageGroups }}"
+ _es_containers: "{{item.0.containers}}"
with_together:
- - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs }}"
+ - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() }}"
- "{{ openshift_logging_facts.elasticsearch.pvcs }}"
- "{{ es_indices }}"
when:
@@ -95,8 +96,6 @@
openshift_logging_elasticsearch_replica_count: "{{ openshift_logging_es_cluster_size | int }}"
openshift_logging_elasticsearch_storage_type: "{{ elasticsearch_storage_type }}"
- openshift_logging_elasticsearch_pvc_size: "{{ openshift_logging_es_pvc_size }}"
- openshift_logging_elasticsearch_pvc_dynamic: "{{ openshift_logging_es_pvc_dynamic }}"
openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_pv_selector }}"
with_sequence: count={{ openshift_logging_es_cluster_size | int - openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count }}
@@ -123,7 +122,7 @@
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
openshift_logging_elasticsearch_namespace: "{{ openshift_logging_namespace }}"
- openshift_logging_elasticsearch_deployment_name: "{{ item.0 }}"
+ openshift_logging_elasticsearch_deployment_name: "{{ item.0.name }}"
openshift_logging_elasticsearch_pvc_name: "{{ openshift_logging_es_ops_pvc_prefix ~ '-' ~ item.2 if item.1 is none else item.1 }}"
openshift_logging_elasticsearch_ops_deployment: true
openshift_logging_elasticsearch_replica_count: "{{ openshift_logging_es_ops_cluster_size | int }}"
@@ -134,16 +133,18 @@
openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}"
openshift_logging_elasticsearch_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}"
openshift_logging_elasticsearch_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}"
- openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_ops_nodeselector }}"
+ openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_ops_nodeselector if item.0.nodeSelector | default(None) is none else item.0.nodeSelector }}"
+ openshift_logging_elasticsearch_storage_group: "{{ [openshift_logging_es_ops_storage_group] if item.0.storageGroups | default([]) | length == 0 else item.0.storageGroups }}"
openshift_logging_es_key: "{{ openshift_logging_es_ops_key }}"
openshift_logging_es_cert: "{{ openshift_logging_es_ops_cert }}"
openshift_logging_es_ca_ext: "{{ openshift_logging_es_ops_ca_ext }}"
openshift_logging_es_hostname: "{{ openshift_logging_es_ops_hostname }}"
openshift_logging_es_edge_term_policy: "{{ openshift_logging_es_ops_edge_term_policy | default('') }}"
openshift_logging_es_allow_external: "{{ openshift_logging_es_ops_allow_external }}"
+ _es_containers: "{{item.0.containers}}"
with_together:
- - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs }}"
+ - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.values() }}"
- "{{ openshift_logging_facts.elasticsearch_ops.pvcs }}"
- "{{ es_ops_indices }}"
when:
diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml
index 75bd479be..554aa5bb2 100644
--- a/roles/openshift_logging_elasticsearch/defaults/main.yml
+++ b/roles/openshift_logging_elasticsearch/defaults/main.yml
@@ -6,7 +6,7 @@ openshift_logging_elasticsearch_image_pull_secret: "{{ openshift_hosted_logging_
openshift_logging_elasticsearch_namespace: logging
openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_nodeselector | default('') }}"
-openshift_logging_elasticsearch_cpu_limit: 1000m
+openshift_logging_elasticsearch_cpu_limit: "{{ openshift_logging_es_cpu_limit | default('1000m') }}"
openshift_logging_elasticsearch_memory_limit: "{{ openshift_logging_es_memory_limit | default('1Gi') }}"
openshift_logging_elasticsearch_recover_after_time: "{{ openshift_logging_es_recover_after_time | default('5m') }}"
@@ -33,13 +33,19 @@ openshift_logging_elasticsearch_pvc_size: ""
openshift_logging_elasticsearch_pvc_dynamic: false
openshift_logging_elasticsearch_pvc_pv_selector: {}
openshift_logging_elasticsearch_pvc_access_modes: ['ReadWriteOnce']
-openshift_logging_elasticsearch_storage_group: '65534'
+openshift_logging_elasticsearch_storage_group: ['65534']
openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
# config the es plugin to write kibana index based on the index mode
openshift_logging_elasticsearch_kibana_index_mode: 'unique'
+openshift_logging_elasticsearch_proxy_image_prefix: "openshift/oauth-proxy"
+openshift_logging_elasticsearch_proxy_image_version: "v1.0.0"
+openshift_logging_elasticsearch_proxy_cpu_limit: "100m"
+openshift_logging_elasticsearch_proxy_memory_limit: "64Mi"
+openshift_logging_elasticsearch_prometheus_sa: "system:serviceaccount:{{openshift_prometheus_namespace | default('prometheus')}}:prometheus"
+
# this is used to determine if this is an operations deployment or a non-ops deployment
# simply used for naming purposes
openshift_logging_elasticsearch_ops_deployment: false
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index 1e800b1d6..df2c17aa0 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -37,6 +37,7 @@
# we want to make sure we have all the necessary components here
# service account
+
- name: Create ES service account
oc_serviceaccount:
state: present
@@ -77,6 +78,38 @@
resource_name: rolebinding-reader
user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch"
+- oc_adm_policy_user:
+ state: present
+ namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+ resource_kind: cluster-role
+ resource_name: system:auth-delegator
+ user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace}}:aggregated-logging-elasticsearch"
+
+# logging-metrics-reader role
+- template:
+ src: logging-metrics-role.j2
+ dest: "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
+ vars:
+ namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+ role_namespace: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_namespace(openshift_logging_elasticsearch_namespace) }}"
+ role_user: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_name }}"
+
+- name: Create logging-metrics-reader-role
+ command: >
+ {{ openshift.common.client_binary }}
+ --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ -n "{{ openshift_logging_elasticsearch_namespace }}"
+ create -f "{{mktemp.stdout}}/templates/logging-metrics-role.yml"
+ register: prometheus_out
+ check_mode: no
+ ignore_errors: yes
+
+- fail:
+ msg: "There was an error creating the logging-metrics-role and binding: {{prometheus_out}}"
+ when:
+ - "prometheus_out.stderr | length > 0"
+ - "'already exists' not in prometheus_out.stderr"
+
# View role and binding
- name: Generate logging-elasticsearch-view-role
template:
@@ -206,6 +239,32 @@
- port: 9200
targetPort: "restapi"
+- name: Set logging-{{ es_component}}-prometheus service
+ oc_service:
+ state: present
+ name: "logging-{{es_component}}-prometheus"
+ namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+ labels:
+ logging-infra: 'support'
+ ports:
+ - name: proxy
+ port: 443
+ targetPort: 4443
+ selector:
+ component: "{{ es_component }}-prometheus"
+ provider: openshift
+
+- oc_edit:
+ kind: service
+ name: "logging-{{es_component}}-prometheus"
+ namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+ separator: '#'
+ content:
+ metadata#annotations#service.alpha.openshift.io/serving-cert-secret-name: "prometheus-tls"
+ metadata#annotations#prometheus.io/scrape: "true"
+ metadata#annotations#prometheus.io/scheme: "https"
+ metadata#annotations#prometheus.io/path: "_prometheus/metrics"
+
- name: Check to see if PVC already exists
oc_obj:
state: list
@@ -260,7 +319,7 @@
delete_after: true
- set_fact:
- es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 'abcdefghijklmnopqrstuvwxyz0123456789' | random_word(8) }}"
+ es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 8 | oo_random_word('abcdefghijklmnopqrstuvwxyz0123456789') }}"
when: openshift_logging_elasticsearch_deployment_name == ""
- set_fact:
@@ -281,6 +340,8 @@
es_cpu_limit: "{{ openshift_logging_elasticsearch_cpu_limit }}"
es_memory_limit: "{{ openshift_logging_elasticsearch_memory_limit }}"
es_node_selector: "{{ openshift_logging_elasticsearch_nodeselector | default({}) }}"
+ es_storage_groups: "{{ openshift_logging_elasticsearch_storage_group | default([]) }}"
+ es_container_security_context: "{{ _es_containers.elasticsearch.securityContext if _es_containers is defined and 'elasticsearch' in _es_containers and 'securityContext' in _es_containers.elasticsearch else None }}"
deploy_type: "{{ openshift_logging_elasticsearch_deployment_type }}"
es_replicas: 1
diff --git a/roles/openshift_logging_elasticsearch/templates/es.j2 b/roles/openshift_logging_elasticsearch/templates/es.j2
index 3c8f390c4..1ed886627 100644
--- a/roles/openshift_logging_elasticsearch/templates/es.j2
+++ b/roles/openshift_logging_elasticsearch/templates/es.j2
@@ -29,7 +29,9 @@ spec:
serviceAccountName: aggregated-logging-elasticsearch
securityContext:
supplementalGroups:
- - {{openshift_logging_elasticsearch_storage_group}}
+{% for group in es_storage_groups %}
+ - {{group}}
+{% endfor %}
{% if es_node_selector is iterable and es_node_selector | length > 0 %}
nodeSelector:
{% for key, value in es_node_selector.iteritems() %}
@@ -37,6 +39,40 @@ spec:
{% endfor %}
{% endif %}
containers:
+ - name: proxy
+ image: {{openshift_logging_elasticsearch_proxy_image_prefix}}:{{openshift_logging_elasticsearch_proxy_image_version}}
+ imagePullPolicy: Always
+ args:
+ - --upstream-ca=/etc/elasticsearch/secret/admin-ca
+ - --https-address=:4443
+ - -provider=openshift
+ - -client-id={{openshift_logging_elasticsearch_prometheus_sa}}
+ - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+ - -cookie-secret={{ 16 | oo_random_word | b64encode }}
+ - -upstream=https://localhost:9200
+ - '-openshift-sar={"namespace": "{{ openshift_logging_elasticsearch_namespace}}", "verb": "view", "resource": "prometheus", "group": "metrics.openshift.io"}'
+ - '-openshift-delegate-urls={"/": {"resource": "prometheus", "verb": "view", "group": "metrics.openshift.io", "namespace": "{{ openshift_logging_elasticsearch_namespace}}"}}'
+ - --tls-cert=/etc/tls/private/tls.crt
+ - --tls-key=/etc/tls/private/tls.key
+ - -pass-access-token
+ - -pass-user-headers
+ ports:
+ - containerPort: 4443
+ name: proxy
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: proxy-tls
+ readOnly: true
+ - mountPath: /etc/elasticsearch/secret
+ name: elasticsearch
+ readOnly: true
+ resources:
+ limits:
+ cpu: "{{openshift_logging_elasticsearch_proxy_cpu_limit }}"
+ memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}"
+ requests:
+ memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}"
-
name: "elasticsearch"
image: {{image}}
@@ -49,6 +85,9 @@ spec:
{% endif %}
requests:
memory: "{{es_memory_limit}}"
+{% if es_container_security_context %}
+ securityContext: {{ es_container_security_context | to_yaml }}
+{% endif %}
ports:
-
containerPort: 9200
@@ -94,7 +133,7 @@ spec:
value: "30"
-
name: "POD_LABEL"
- value: "component={{component}}"
+ value: "component={{component}}"
-
name: "IS_MASTER"
value: "{% if deploy_type in ['data-master', 'master'] %}true{% else %}false{% endif %}"
@@ -102,6 +141,9 @@ spec:
-
name: "HAS_DATA"
value: "{% if deploy_type in ['data-master', 'data-client'] %}true{% else %}false{% endif %}"
+ -
+ name: "PROMETHEUS_USER"
+ value: "{{openshift_logging_elasticsearch_prometheus_sa}}"
volumeMounts:
- name: elasticsearch
@@ -120,6 +162,9 @@ spec:
timeoutSeconds: 30
periodSeconds: 5
volumes:
+ - name: proxy-tls
+ secret:
+ secretName: prometheus-tls
- name: elasticsearch
secret:
secretName: logging-elasticsearch
diff --git a/roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2 b/roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2
new file mode 100644
index 000000000..d9800e5a5
--- /dev/null
+++ b/roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2
@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: List
+items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: Role
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: prometheus-metrics-viewer
+ namespace: {{ namespace }}
+ rules:
+ - apiGroups:
+ - metrics.openshift.io
+ resources:
+ - prometheus
+ verbs:
+ - view
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: RoleBinding
+ metadata:
+ name: prometheus-metrics-viewer
+ namespace: {{ namespace }}
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus-metrics-viewer
+ subjects:
+ - kind: ServiceAccount
+ namespace: {{ role_namespace }}
+ name: {{ role_user }}
diff --git a/roles/openshift_named_certificates/tasks/named_certificates.yml b/roles/openshift_named_certificates/tasks/named_certificates.yml
deleted file mode 100644
index 7b097b443..000000000
--- a/roles/openshift_named_certificates/tasks/named_certificates.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-- name: Clear named certificates
- file:
- path: "{{ named_certs_dir }}"
- state: absent
- when: overwrite_named_certs | bool
-
-- name: Ensure named certificate directory exists
- file:
- path: "{{ named_certs_dir }}"
- state: directory
- mode: 0700
-
-- name: Land named certificates
- copy:
- src: "{{ item.certfile }}"
- dest: "{{ named_certs_dir }}"
- with_items: "{{ openshift_master_named_certificates | default([]) }}"
-
-- name: Land named certificate keys
- copy:
- src: "{{ item.keyfile }}"
- dest: "{{ named_certs_dir }}"
- mode: 0600
- with_items: "{{ openshift_master_named_certificates | default([]) }}"
-
-- name: Land named CA certificates
- copy:
- src: "{{ item }}"
- dest: "{{ named_certs_dir }}"
- mode: 0600
- with_items: "{{ openshift_master_named_certificates | default([]) | oo_collect('cafile') }}"
diff --git a/roles/openshift_sanitize_inventory/filter_plugins/openshift_logging.py b/roles/openshift_sanitize_inventory/filter_plugins/openshift_logging.py
deleted file mode 100644
index d42c9bdb9..000000000
--- a/roles/openshift_sanitize_inventory/filter_plugins/openshift_logging.py
+++ /dev/null
@@ -1,25 +0,0 @@
-'''
- Openshift Logging class that provides useful filters used in Logging.
-
- This should be removed after map_from_pairs is no longer used in __deprecations_logging.yml
-'''
-
-
-def map_from_pairs(source, delim="="):
- ''' Returns a dict given the source and delim delimited '''
- if source == '':
- return dict()
-
- return dict(item.split(delim) for item in source.split(","))
-
-
-# pylint: disable=too-few-public-methods
-class FilterModule(object):
- ''' OpenShift Logging Filters '''
-
- # pylint: disable=no-self-use, too-few-public-methods
- def filters(self):
- ''' Returns the names of the filters provided by this class '''
- return {
- 'map_from_pairs': map_from_pairs
- }
diff --git a/roles/openshift_sanitize_inventory/filter_plugins/openshift_sanitize_inventory.py b/roles/openshift_sanitize_inventory/filter_plugins/openshift_sanitize_inventory.py
new file mode 100644
index 000000000..72c47b8ee
--- /dev/null
+++ b/roles/openshift_sanitize_inventory/filter_plugins/openshift_sanitize_inventory.py
@@ -0,0 +1,44 @@
+'''
+ Openshift Sanitize inventory class that provides useful filters used in Logging.
+'''
+
+
+import re
+
+
+# This should be removed after map_from_pairs is no longer used in __deprecations_logging.yml
+def map_from_pairs(source, delim="="):
+ ''' Returns a dict given the source and delim delimited '''
+ if source == '':
+ return dict()
+
+ return dict(item.split(delim) for item in source.split(","))
+
+
+def vars_with_pattern(source, pattern=""):
+ ''' Returns a list of variables whose name matches the given pattern '''
+ if source == '':
+ return list()
+
+ var_list = list()
+
+ var_pattern = re.compile(pattern)
+
+ for item in source:
+ if var_pattern.match(item):
+ var_list.append(item)
+
+ return var_list
+
+
+# pylint: disable=too-few-public-methods
+class FilterModule(object):
+ ''' OpenShift Logging Filters '''
+
+ # pylint: disable=no-self-use, too-few-public-methods
+ def filters(self):
+ ''' Returns the names of the filters provided by this class '''
+ return {
+ 'map_from_pairs': map_from_pairs,
+ 'vars_with_pattern': vars_with_pattern
+ }
diff --git a/roles/openshift_sanitize_inventory/tasks/unsupported.yml b/roles/openshift_sanitize_inventory/tasks/unsupported.yml
index 24e44ea85..39bf1780a 100644
--- a/roles/openshift_sanitize_inventory/tasks/unsupported.yml
+++ b/roles/openshift_sanitize_inventory/tasks/unsupported.yml
@@ -10,3 +10,25 @@
Starting in 3.6 openshift_use_dnsmasq must be true or critical features
will not function. This also means that NetworkManager must be installed
enabled and responsible for management of the primary interface.
+
+- set_fact:
+ __using_dynamic: True
+ when:
+ - hostvars[inventory_hostname][item] in ['dynamic']
+ with_items:
+ - "{{ hostvars[inventory_hostname] | vars_with_pattern(pattern='openshift_.*_storage_kind') }}"
+
+- name: Ensure that dynamic provisioning is set if using dynamic storage
+ when:
+ - dynamic_volumes_check | default(true) | bool
+ - not openshift_master_dynamic_provisioning_enabled | default(false) | bool
+ - not openshift_cloudprovider_kind is defined
+ - __using_dynamic is defined and __using_dynamic | bool
+ fail:
+ msg: |-
+ Using a storage kind of 'dynamic' without enabling dynamic provisioning nor
+ setting a cloud provider will cause generated PVCs to not be able to bind as
+ intended. Either update to not use a dynamic storage or set
+ openshift_master_dynamic_provisioning_enabled to True and set an
+ openshift_cloudprovider_kind. You can disable this check with
+ 'dynamic_volumes_check=False'.