summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py101
-rw-r--r--roles/openshift_hosted/templates/registry_config.j25
-rw-r--r--roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml6
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml16
4 files changed, 93 insertions, 35 deletions
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 04b5dc86b..beef77896 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1643,38 +1643,75 @@ def set_proxy_facts(facts):
if 'common' in facts:
common = facts['common']
- # No openshift_no_proxy settings detected, empty list for now
- if 'no_proxy' not in common:
- common['no_proxy'] = []
-
- # _no_proxy settings set. It is just a simple string, not a
- # list or anything
- elif 'no_proxy' in common and isinstance(common['no_proxy'], string_types):
- # no_proxy is now a list of all the comma-separated items
- # in the _no_proxy value
- common['no_proxy'] = common['no_proxy'].split(",")
-
- # at this point common['no_proxy'] is a LIST datastructure. It
- # may be empty, or it may contain some hostnames or ranges.
-
- # We always add local dns domain, the service domain, and
- # ourselves, no matter what (if you are setting any
- # NO_PROXY values)
- common['no_proxy'].append('.svc')
- common['no_proxy'].append('.' + common['dns_domain'])
- common['no_proxy'].append(common['hostname'])
-
- # You are also setting system proxy vars, openshift_http_proxy/openshift_https_proxy
- if 'http_proxy' in common or 'https_proxy' in common:
- # You want to generate no_proxy hosts and it's a boolean value
- if 'generate_no_proxy_hosts' in common and safe_get_bool(common['generate_no_proxy_hosts']):
- # And you want to set up no_proxy for internal hostnames
- if 'no_proxy_internal_hostnames' in common:
- # Split the internal_hostnames string by a comma
- # and add that list to the overall no_proxy list
- common['no_proxy'].extend(common['no_proxy_internal_hostnames'].split(','))
-
- common['no_proxy'] = ','.join(sort_unique(common['no_proxy']))
+ ######################################################################
+ # We can exit early now if we don't need to set any proxy facts
+ proxy_params = ['no_proxy', 'https_proxy', 'http_proxy']
+ # If any of the known Proxy Params (pp) are defined
+ proxy_settings_defined = any(
+ [True for pp in proxy_params if pp in common]
+ )
+
+ if not proxy_settings_defined:
+ common['no_proxy'] = ''
+ return facts
+
+ # As of 3.6 if ANY of the proxy parameters are defined in the
+ # inventory then we MUST add certain domains to the NO_PROXY
+ # environment variable.
+
+ ######################################################################
+
+ # Spot to build up some data we may insert later
+ raw_no_proxy_list = []
+
+ # Automatic 3.6 NO_PROXY additions if a proxy is in use
+ svc_cluster_name = ['.svc', '.' + common['dns_domain'], common['hostname']]
+
+ # auto_hosts: Added to NO_PROXY list if any proxy params are
+ # set in the inventory. This a list of the FQDNs of all
+ # cluster hosts:
+ auto_hosts = common['no_proxy_internal_hostnames'].split(',')
+
+ # custom_no_proxy_hosts: If you define openshift_no_proxy in
+ # inventory we automatically add those hosts to the list:
+ if 'no_proxy' in common:
+ custom_no_proxy_hosts = common['no_proxy'].split(',')
+ else:
+ custom_no_proxy_hosts = []
+
+ # This should exist no matter what. Defaults to true.
+ if 'generate_no_proxy_hosts' in common:
+ generate_no_proxy_hosts = safe_get_bool(common['generate_no_proxy_hosts'])
+
+ ######################################################################
+
+ # You set a proxy var. Now we are obliged to add some things
+ raw_no_proxy_list = svc_cluster_name + custom_no_proxy_hosts
+
+ # You did not turn openshift_generate_no_proxy_hosts to False
+ if generate_no_proxy_hosts:
+ raw_no_proxy_list.extend(auto_hosts)
+
+ ######################################################################
+
+ # Was anything actually added? There should be something by now.
+ processed_no_proxy_list = sort_unique(raw_no_proxy_list)
+ if processed_no_proxy_list != list():
+ common['no_proxy'] = ','.join(processed_no_proxy_list)
+ else:
+ # Somehow we got an empty list. This should have been
+ # skipped by now in the 'return' earlier. If
+ # common['no_proxy'] is DEFINED it will cause unexpected
+ # behavior and bad templating. Ensure it does not
+ # exist. Even an empty list or string will have undesired
+ # side-effects.
+ del common['no_proxy']
+
+ ######################################################################
+ # In case you were wondering, because 'common' is a reference
+ # to the object facts['common'], there is no need to re-assign
+ # it.
+
return facts
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index dc8a9f089..9673841bf 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -21,7 +21,10 @@ storage:
regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
{% endif %}
bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
- encrypt: false
+ encrypt: {{ openshift_hosted_registry_storage_s3_encrypt | default(false) }}
+{% if openshift_hosted_registry_storage_s3_kmskeyid %}
+ keyid: {{ openshift_hosted_registry_storage_s3_kmskeyid }}
+{% endif %}
secure: true
v4auth: true
rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 2e0dcfd97..bcc7fb590 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -137,6 +137,12 @@ objects:
- serviceclasses
verbs:
- create
+ - apiGroups:
+ - settings.k8s.io
+ resources:
+ - podpresets
+ verbs:
+ - create
- kind: ClusterRoleBinding
apiVersion: v1
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index de7511f71..4d1a38e61 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -72,16 +72,22 @@
state: list
register: edit_yaml
+# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/edit
template:
src: sc_role_patching.j2
dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
vars:
original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
- name: update edit role for service catalog and pod preset access
command: >
- oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
- oc_obj:
name: admin
@@ -89,16 +95,22 @@
state: list
register: admin_yaml
+# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/admin
template:
src: sc_role_patching.j2
dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
vars:
original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
- name: update admin role for service catalog and pod preset access
command: >
- oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
- shell: >
oc get policybindings/kube-system:default -n kube-system || echo "not found"