diff options
Diffstat (limited to 'roles')
25 files changed, 293 insertions, 76 deletions
diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml index 4a7252679..aa1c5022b 100644 --- a/roles/ansible_service_broker/defaults/main.yml +++ b/roles/ansible_service_broker/defaults/main.yml @@ -2,5 +2,8 @@ ansible_service_broker_remove: false ansible_service_broker_log_level: info +ansible_service_broker_output_request: false +ansible_service_broker_recovery: true # Recommended you do not enable this for now +ansible_service_broker_dev_broker: false ansible_service_broker_launch_apb_on_bind: false diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 81c3f8e5b..65dffc89b 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -48,13 +48,13 @@ namespace: openshift-ansible-service-broker state: present labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: asb ports: - name: port-1338 port: 1338 selector: - app: ansible-service-broker + app: openshift-ansible-service-broker service: asb - name: create etcd service @@ -66,7 +66,7 @@ - name: etcd-advertise port: 2379 selector: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd - name: create route for ansible-service-broker service @@ -118,12 +118,12 @@ name: etcd namespace: openshift-ansible-service-broker labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd spec: selector: matchLabels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd strategy: type: RollingUpdate @@ -134,7 +134,7 @@ template: metadata: labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd spec: restartPolicy: Always @@ -250,8 +250,10 @@ color: true openshift: {} broker: - devbroker: false - launchapbonbind: "{{ ansible_service_broker_launch_apb_on_bind }}" + dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }} + launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }} + recovery: {{ ansible_service_broker_recovery | bool | lower }} + output_request: {{ ansible_service_broker_output_request | bool | lower }} - name: Create the Broker resource in the catalog oc_obj: @@ -266,4 +268,4 @@ metadata: name: ansible-service-broker spec: - url: http://{{ ansible_service_broker_route }} + url: http://asb.openshift-ansible-service-broker.svc:1338 diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index 650f06f86..d8c5ccfd3 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -12,6 +12,12 @@ traditional docker package install. Otherwise, comment out openshift_docker_options in your inventory file. +- name: Ensure container-selinux is installed + package: + name: container-selinux + state: present + when: not openshift.common.is_atomic | bool + # Used to pull and install the system container - name: Ensure atomic is installed package: @@ -86,7 +92,7 @@ - name: Use Fedora Registry for image when distribution is Fedora set_fact: - l_docker_image_prepend: "registry.fedoraproject.org" + l_docker_image_prepend: "registry.fedoraproject.org/f25" when: ansible_distribution == 'Fedora' # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml index b5b38c1e1..b1bfa4592 100644 --- a/roles/etcd_common/defaults/main.yml +++ b/roles/etcd_common/defaults/main.yml @@ -44,6 +44,10 @@ etcd_ca_serial: "{{ etcd_ca_dir }}/serial" etcd_ca_crl_number: "{{ etcd_ca_dir }}/crlnumber" etcd_ca_default_days: 1825 +r_etcd_common_master_peer_cert_file: /etc/origin/master/master.etcd-client.crt +r_etcd_common_master_peer_key_file: /etc/origin/master/master.etcd-client.key +r_etcd_common_master_peer_ca_file: /etc/origin/master/master.etcd-ca.crt + # etcd server & certificate vars etcd_hostname: "{{ inventory_hostname }}" etcd_ip: "{{ ansible_default_ipv4.address }}" diff --git a/roles/etcd_common/tasks/backup.yml b/roles/etcd_common/tasks/backup.yml index 1a0b857f1..2bc486d3f 100644 --- a/roles/etcd_common/tasks/backup.yml +++ b/roles/etcd_common/tasks/backup.yml @@ -61,6 +61,21 @@ - r_etcd_common_embedded_etcd | bool - not l_ostree_booted.stat.exists | bool +- name: Check selinux label of '{{ l_etcd_data_dir }}' + command: > + stat -c '%C' {{ l_etcd_data_dir }} + register: l_etcd_selinux_labels + +- debug: + msg: "{{ l_etcd_selinux_labels }}" + +- name: Make sure the '{{ l_etcd_data_dir }}' has the proper label + command: > + chcon -t svirt_sandbox_file_t "{{ l_etcd_data_dir }}" + when: + - l_etcd_selinux_labels.rc == 0 + - "'svirt_sandbox_file_t' not in l_etcd_selinux_labels.stdout" + - name: Generate etcd backup command: > {{ r_etcd_common_etcdctl_command }} backup --data-dir={{ l_etcd_incontainer_data_dir }} diff --git a/roles/etcd_migrate/tasks/migrate.yml b/roles/etcd_migrate/tasks/migrate.yml index 7f441568a..b2cf6d20a 100644 --- a/roles/etcd_migrate/tasks/migrate.yml +++ b/roles/etcd_migrate/tasks/migrate.yml @@ -31,14 +31,23 @@ name: "{{ l_etcd_service }}" state: started +- name: Wait for cluster to become healthy after migration + command: > + etcdctl --cert-file {{ etcd_peer_cert_file }} --key-file {{ etcd_peer_key_file }} --ca-file {{ etcd_peer_ca_file }} --endpoint https://{{ etcd_peer }}:{{ etcd_client_port }} cluster-health + register: l_etcd_migrate_health + until: l_etcd_migrate_health.rc == 0 + retries: 3 + delay: 30 + run_once: true + # NOTE: /usr/local/bin may be removed from the PATH by ansible hence why # it's added to the environment in this task. - name: Re-introduce leases (as a replacement for key TTLs) command: > oadm migrate etcd-ttl \ - --cert {{ etcd_peer_cert_file }} \ - --key {{ etcd_peer_key_file }} \ - --cacert {{ etcd_peer_ca_file }} \ + --cert {{ r_etcd_common_master_peer_cert_file }} \ + --key {{ r_etcd_common_master_peer_key_file }} \ + --cacert {{ r_etcd_common_master_peer_ca_file }} \ --etcd-address 'https://{{ etcd_peer }}:{{ etcd_client_port }}' \ --ttl-keys-prefix {{ item }} \ --lease-duration 1h diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index c960630ed..04b5dc86b 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1654,14 +1654,15 @@ def set_proxy_facts(facts): # in the _no_proxy value common['no_proxy'] = common['no_proxy'].split(",") - # at this point common['no_proxy'] is a LIST datastructure. It - # may be empty, or it may contain some hostnames or ranges. - - # We always add local dns domain, the service domain, and - # ourselves, no matter what - common['no_proxy'].append('.svc') - common['no_proxy'].append('.' + common['dns_domain']) - common['no_proxy'].append(common['hostname']) + # at this point common['no_proxy'] is a LIST datastructure. It + # may be empty, or it may contain some hostnames or ranges. + + # We always add local dns domain, the service domain, and + # ourselves, no matter what (if you are setting any + # NO_PROXY values) + common['no_proxy'].append('.svc') + common['no_proxy'].append('.' + common['dns_domain']) + common['no_proxy'].append(common['hostname']) # You are also setting system proxy vars, openshift_http_proxy/openshift_https_proxy if 'http_proxy' in common or 'https_proxy' in common: diff --git a/roles/openshift_hosted_logging/README.md b/roles/openshift_hosted_logging/README.md index 12ffe777d..680303853 100644 --- a/roles/openshift_hosted_logging/README.md +++ b/roles/openshift_hosted_logging/README.md @@ -22,7 +22,7 @@ - openshift_hosted_logging_kibana_nodeselector: Specify the nodeSelector that Kibana should be use (label=value) - openshift_hosted_logging_curator_nodeselector: Specify the nodeSelector that Curator should be use (label=value) - openshift_hosted_logging_enable_ops_cluster: If "true", configure a second ES cluster and Kibana for ops logs. -- openshift_hosted_logging_use_journal: If this is unset or empty, logging will try to figure out from docker which log driver it is using (json-file or journald). You can set this param to "true" or "false" to force logging to use journal or not (but make sure you are sure which one docker is using). +- openshift_hosted_logging_use_journal: *DEPRECATED - DO NOT USE* - openshift_hosted_logging_journal_source: By default, if this param is unset or empty, logging will use `/var/log/journal` if it exists, or `/run/log/journal` if not. You can use this param to force logging to use a different location. - openshift_hosted_logging_journal_read_from_head: Set to `true` to have fluentd read from the beginning of the journal, to get historical log data. Default is `false`. *WARNING* Using `true` may take several minutes or even hours, depending on the size of the journal, until any new records show up in Elasticsearch, and will cause fluentd to consume a lot of CPU and RAM resources. diff --git a/roles/openshift_hosted_logging/vars/main.yaml b/roles/openshift_hosted_logging/vars/main.yaml index 33320e9c8..4b350b244 100644 --- a/roles/openshift_hosted_logging/vars/main.yaml +++ b/roles/openshift_hosted_logging/vars/main.yaml @@ -26,8 +26,7 @@ kb_ops_ns_cmap_param: "{{ '--from-literal kibana-ops-nodeselector=' ~ openshift_ cr_ns_cmap_param: "{{ '--from-literal curator-nodeselector=' ~ openshift_hosted_logging_curator_nodeselector | quote if openshift_hosted_logging_curator_nodeselector | default(none) is not none else '' }}" cr_ops_ns_cmap_param: "{{ '--from-literal curator-ops-nodeselector=' ~ openshift_hosted_logging_curator_ops_nodeselector | quote if openshift_hosted_logging_curator_ops_nodeselector | default(none) is not none else '' }}" ops_cmap_param: "{{ '--from-literal enable-ops-cluster=' ~ openshift_hosted_logging_enable_ops_cluster | string | lower | quote if openshift_hosted_logging_enable_ops_cluster | default(none) is not none else '' }}" -use_journal_cmap_param: "{{ '--from-literal use-journal=' ~ openshift_hosted_logging_use_journal | string | lower | quote if openshift_hosted_logging_use_journal | default(none) is not none else '' }}" journal_source_cmap_param: "{{ '--from-literal journal-source=' ~ openshift_hosted_logging_journal_source | quote if openshift_hosted_logging_journal_source | default(none) is not none else '' }}" journal_read_from_head_cmap_param: "{{ '--from-literal journal-read-from-head=' ~ openshift_hosted_logging_journal_read_from_head | string | lower | quote if openshift_hosted_logging_journal_read_from_head | default(none) is not none else '' }}" ips_cmap_param: "{{ '--from-literal image-pull-secret=' ~ openshift_hosted_logging_image_pull_secret | quote if openshift_hosted_logging_image_pull_secret | default(none) is not none else '' }}" -deployer_cmap_params: "{{ kh_cmap_param }} {{ kh_ops_cmap_param }} {{ pmu_cmap_param }} {{ es_cs_cmap_param }} {{ es_ir_cmap_param }} {{ es_pvcs_cmap_param }} {{ es_pvcp_cmap_param }} {{ es_pvcd_cmap_param }} {{ es_ops_cs_cmap_param }} {{ es_ops_ir_cmap_param }} {{ es_ops_pvcs_cmap_param }} {{ es_ops_pvcp_cmap_param }} {{ es_ops_pvcd_cmap_param }} {{ es_sg_cmap_param }} {{ es_ns_cmap_param }} {{ es_ops_ns_cmap_param }} {{ fd_ns_cmap_param }} {{ kb_ns_cmap_param }} {{ kb_ops_ns_cmap_param }} {{ cr_ns_cmap_param }} {{ cr_ops_ns_cmap_param }} {{ ops_cmap_param }} {{ use_journal_cmap_param }} {{ journal_source_cmap_param }} {{ journal_read_from_head_cmap_param }} {{ ips_cmap_param }}" +deployer_cmap_params: "{{ kh_cmap_param }} {{ kh_ops_cmap_param }} {{ pmu_cmap_param }} {{ es_cs_cmap_param }} {{ es_ir_cmap_param }} {{ es_pvcs_cmap_param }} {{ es_pvcp_cmap_param }} {{ es_pvcd_cmap_param }} {{ es_ops_cs_cmap_param }} {{ es_ops_ir_cmap_param }} {{ es_ops_pvcs_cmap_param }} {{ es_ops_pvcp_cmap_param }} {{ es_ops_pvcd_cmap_param }} {{ es_sg_cmap_param }} {{ es_ns_cmap_param }} {{ es_ops_ns_cmap_param }} {{ fd_ns_cmap_param }} {{ kb_ns_cmap_param }} {{ kb_ops_ns_cmap_param }} {{ cr_ns_cmap_param }} {{ cr_ops_ns_cmap_param }} {{ ops_cmap_param }} {{ journal_source_cmap_param }} {{ journal_read_from_head_cmap_param }} {{ ips_cmap_param }}" diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index dd0f22d4b..d2ef7cc71 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -52,7 +52,7 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log - `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'. - `openshift_logging_fluentd_memory_limit`: The memory limit for Fluentd pods. Defaults to '512Mi'. - `openshift_logging_fluentd_es_copy`: Whether or not to use the ES_COPY feature for Fluentd (DEPRECATED). Defaults to 'False'. -- `openshift_logging_fluentd_use_journal`: NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver when using the default of empty. +- `openshift_logging_fluentd_use_journal`: *DEPRECATED - DO NOT USE* Fluentd will automatically detect whether or not Docker is using the journald log driver. - `openshift_logging_fluentd_journal_read_from_head`: If empty, Fluentd will use its internal default, which is false. - `openshift_logging_fluentd_hosts`: List of nodes that should be labeled for Fluentd to be deployed to. Defaults to ['--all']. - `openshift_logging_fluentd_buffer_queue_limit`: Buffer queue limit for Fluentd. Defaults to 1024. diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index c243a6e4a..1c243f934 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -72,7 +72,6 @@ openshift_logging_fluentd_nodeselector: "{{ openshift_hosted_logging_fluentd_nod openshift_logging_fluentd_cpu_limit: 100m openshift_logging_fluentd_memory_limit: 512Mi openshift_logging_fluentd_es_copy: false -openshift_logging_fluentd_use_journal: "{{ openshift_hosted_logging_use_journal if openshift_hosted_logging_use_journal is defined else (docker_log_driver == 'journald') | ternary(True, False) if docker_log_driver is defined else (openshift.docker.log_driver == 'journald') | ternary(True, False) if openshift.docker.log_driver is defined else openshift.docker.options | search('--log-driver=journald') if openshift.docker.options is defined else default(omit) }}" openshift_logging_fluentd_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}" openshift_logging_fluentd_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}" openshift_logging_fluentd_hosts: ['--all'] diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index 50698599a..5c5bbf84c 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml @@ -261,7 +261,6 @@ vars: generated_certs_dir: "{{openshift.common.config_base}}/logging" openshift_logging_fluentd_ops_host: "{{ ( openshift_logging_use_ops | bool ) | ternary('logging-es-ops', 'logging-es') }}" - openshift_logging_fluentd_use_journal: "{{ openshift.docker.options | search('journald') }}" openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix }}" openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version }}" openshift_logging_fluentd_image_pull_secret: "{{ openshift_logging_image_pull_secret }}" diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml index 228196d74..ce7cfc433 100644 --- a/roles/openshift_logging_fluentd/defaults/main.yml +++ b/roles/openshift_logging_fluentd/defaults/main.yml @@ -28,7 +28,6 @@ openshift_logging_fluentd_ops_host: "{{ openshift_logging_fluentd_app_host }}" openshift_logging_fluentd_ops_port: "{{ openshift_logging_fluentd_app_port }}" ### Used by "hosted" and "secure-aggregator" deployments -#openshift_logging_fluentd_use_journal: "{{ openshift_hosted_logging_use_journal }}" openshift_logging_fluentd_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}" openshift_logging_fluentd_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}" @@ -49,6 +48,7 @@ openshift_logging_fluentd_aggregating_strict: "no" openshift_logging_fluentd_aggregating_cert_path: none openshift_logging_fluentd_aggregating_key_path: none openshift_logging_fluentd_aggregating_passphrase: none +openshift_logging_use_mux_client: False ### Deprecating in 3.6 openshift_logging_fluentd_es_copy: false diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml index 30b596e22..55de2ae8d 100644 --- a/roles/openshift_logging_fluentd/tasks/main.yaml +++ b/roles/openshift_logging_fluentd/tasks/main.yaml @@ -15,19 +15,15 @@ msg: Invalid deployment type, one of ['hosted', 'secure-aggregator', 'secure-host'] allowed when: not openshift_logging_fluentd_deployment_type in __allowed_fluentd_types -- include: determine_version.yaml +- debug: + msg: openshift_logging_fluentd_use_journal is deprecated. Fluentd will automatically detect which logging driver is being used. + when: openshift_logging_fluentd_use_journal is defined -- set_fact: - openshift_logging_fluentd_use_journal: "{{ openshift_hosted_logging_use_journal }}" - when: - - openshift_hosted_logging_use_journal is defined - - openshift_logging_fluentd_use_journal is not defined +- debug: + msg: openshift_hosted_logging_use_journal is deprecated. Fluentd will automatically detect which logging driver is being used. + when: openshift_hosted_logging_use_journal is defined -- set_fact: - openshift_logging_fluentd_use_journal: "{{ __fluentd_use_journal }}" - when: - - openshift_hosted_logging_use_journal is not defined - - openshift_logging_fluentd_use_journal is not defined +- include: determine_version.yaml # allow passing in a tempdir - name: Create temp directory for doing work in diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2 index d9814370f..970e5c2a5 100644 --- a/roles/openshift_logging_fluentd/templates/fluentd.j2 +++ b/roles/openshift_logging_fluentd/templates/fluentd.j2 @@ -62,6 +62,11 @@ spec: - name: dockerdaemoncfg mountPath: /etc/docker readOnly: true +{% if openshift_logging_use_mux_client | bool %} + - name: muxcerts + mountPath: /etc/fluent/muxkeys + readOnly: true +{% endif %} env: - name: "K8S_HOST_URL" value: "{{ openshift_logging_fluentd_master_url }}" @@ -87,8 +92,6 @@ spec: value: "{{ openshift_logging_fluentd_ops_ca }}" - name: "ES_COPY" value: "false" - - name: "USE_JOURNAL" - value: "{{ openshift_logging_fluentd_use_journal | lower }}" - name: "JOURNAL_SOURCE" value: "{{ openshift_logging_fluentd_journal_source | default('') }}" - name: "JOURNAL_READ_FROM_HEAD" @@ -107,6 +110,8 @@ spec: resourceFieldRef: containerName: "{{ daemonset_container_name }}" resource: limits.memory + - name: "USE_MUX_CLIENT" + value: "{{ openshift_logging_use_mux_client | default('false') | lower }}" volumes: - name: runlogjournal hostPath: @@ -135,3 +140,8 @@ spec: - name: dockerdaemoncfg hostPath: path: /etc/docker +{% if openshift_logging_use_mux_client | bool %} + - name: muxcerts + secret: + secretName: logging-mux +{% endif %} diff --git a/roles/openshift_logging_fluentd/vars/main.yml b/roles/openshift_logging_fluentd/vars/main.yml index f601b738e..ad3fb0bdd 100644 --- a/roles/openshift_logging_fluentd/vars/main.yml +++ b/roles/openshift_logging_fluentd/vars/main.yml @@ -2,4 +2,3 @@ __latest_fluentd_version: "3_5" __allowed_fluentd_versions: ["3_5", "3_6"] __allowed_fluentd_types: ["hosted", "secure-aggregator", "secure-host"] -__fluentd_use_journal: "{{ (docker_log_driver == 'journald') | ternary(True, False) if docker_log_driver is defined else (openshift.docker.log_driver == 'journald') | ternary(True, False) if openshift.docker.log_driver is defined else openshift.docker.options | search('--log-driver=journald') if openshift.docker.options is defined else default(omit) }}" diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml index 77e47d38c..797a27c1b 100644 --- a/roles/openshift_logging_mux/defaults/main.yml +++ b/roles/openshift_logging_mux/defaults/main.yml @@ -24,7 +24,6 @@ openshift_logging_mux_ops_host: "{{ openshift_logging_mux_app_host }}" openshift_logging_mux_ops_port: "{{ openshift_logging_mux_app_port }}" ### Used by "hosted" and "secure-aggregator" deployments -openshift_logging_mux_use_journal: "{{ openshift_hosted_logging_use_journal | default('') }}" openshift_logging_mux_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}" openshift_logging_mux_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}" diff --git a/roles/openshift_logging_mux/templates/mux.j2 b/roles/openshift_logging_mux/templates/mux.j2 index c3f9b3433..226294847 100644 --- a/roles/openshift_logging_mux/templates/mux.j2 +++ b/roles/openshift_logging_mux/templates/mux.j2 @@ -89,8 +89,6 @@ spec: value: "{{openshift_logging_mux_ops_client_key}}" - name: "OPS_CA" value: "{{openshift_logging_mux_ops_ca}}" - - name: "USE_JOURNAL" - value: "false" - name: "JOURNAL_SOURCE" value: "{{openshift_logging_mux_journal_source | default('')}}" - name: "JOURNAL_READ_FROM_HEAD" diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 86532cd0a..9b7125240 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -128,8 +128,17 @@ when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != '' with_items: "{{ openshift.master.identity_providers }}" -- set_fact: - openshift_push_via_dns: "{{ openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6 and r_openshift_master_clean_install }}" +# This is an ugly hack to verify settings are in a file without modifying them with lineinfile. +# The template file will stomp any other settings made. +- block: + - name: check whether our docker-registry setting exists in the env file + command: "awk '/^OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000/' /etc/sysconfig/{{ openshift.common.service_type }}-master" + ignore_errors: true + changed_when: false + register: already_set + + - set_fact: + openshift_push_via_dns: "{{ (openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6) or (already_set.stdout | match('OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000')) }}" - name: Install the systemd units include: systemd_units.yml diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml index 7d8c42ee2..1b8a7ad50 100644 --- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml +++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml @@ -3,30 +3,52 @@ package: name=glusterfs-fuse state=present when: not openshift.common.is_atomic | bool -- name: Check for existence of virt_use_fusefs seboolean - command: getsebool virt_use_fusefs - register: virt_use_fusefs_output - when: ansible_selinux and ansible_selinux.status == "enabled" +- name: Check for existence of fusefs sebooleans + command: getsebool {{ item }} + register: fusefs_getsebool_status + when: + - ansible_selinux + - ansible_selinux.status == "enabled" failed_when: false changed_when: false + with_items: + - virt_use_fusefs + - virt_sandbox_use_fusefs - name: Set seboolean to allow gluster storage plugin access from containers seboolean: - name: virt_use_fusefs + name: "{{ item.item }}" state: yes persistent: yes - when: ansible_selinux and ansible_selinux.status == "enabled" and virt_use_fusefs_output.rc == 0 + when: + - ansible_selinux + - ansible_selinux.status == "enabled" + - item.rc == 0 + # We need to detect whether or not the boolean is an alias, since `seboolean` + # will error if it is an alias. We do this by inspecting stdout for the boolean name, + # since getsebool prints the resolved name. (At some point Ansible's seboolean module + # should learn to deal with aliases) + - item.item in item.stdout # Boolean does not have an alias. + - ansible_python_version | version_compare('3', '<') + with_items: "{{ fusefs_getsebool_status.results }}" -- name: Check for existence of virt_sandbox_use_fusefs seboolean - command: getsebool virt_sandbox_use_fusefs - register: virt_sandbox_use_fusefs_output - when: ansible_selinux and ansible_selinux.status == "enabled" - failed_when: false - changed_when: false - -- name: Set seboolean to allow gluster storage plugin access from containers(sandbox) - seboolean: - name: virt_sandbox_use_fusefs - state: yes - persistent: yes - when: ansible_selinux and ansible_selinux.status == "enabled" and virt_sandbox_use_fusefs_output.rc == 0 +# Workaround for https://github.com/openshift/openshift-ansible/issues/4438 +# Use command module rather than seboolean module to set GlusterFS booleans. +# TODO: Remove this task and the ansible_python_version comparison in +# the previous task when the problem has been addressed in current +# ansible release. +- name: Set seboolean to allow gluster storage plugin access from containers (python 3) + command: > + setsebool -P {{ item.item }} on + when: + - ansible_selinux + - ansible_selinux.status == "enabled" + - item.rc == 0 + # We need to detect whether or not the boolean is an alias, since `seboolean` + # will error if it is an alias. We do this by inspecting stdout for the boolean name, + # since getsebool prints the resolved name. (At some point Ansible's seboolean module + # should learn to deal with aliases) + - item.item in item.stdout # Boolean does not have an alias. + - ('--> off' in item.stdout) # Boolean is currently off. + - ansible_python_version | version_compare('3', '>=') + with_items: "{{ fusefs_getsebool_status.results }}" diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml index d40ae66cb..7e1035893 100644 --- a/roles/openshift_node/tasks/storage_plugins/nfs.yml +++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml @@ -3,24 +3,52 @@ package: name=nfs-utils state=present when: not openshift.common.is_atomic | bool -- name: Check for existence of seboolean +- name: Check for existence of nfs sebooleans command: getsebool {{ item }} - register: getsebool_status - when: ansible_selinux and ansible_selinux.status == "enabled" + register: nfs_getsebool_status + when: + - ansible_selinux + - ansible_selinux.status == "enabled" failed_when: false changed_when: false with_items: - - virt_use_nfs - - virt_sandbox_use_nfs + - virt_use_nfs + - virt_sandbox_use_nfs - name: Set seboolean to allow nfs storage plugin access from containers seboolean: name: "{{ item.item }}" state: yes persistent: yes + when: + - ansible_selinux + - ansible_selinux.status == "enabled" + - item.rc == 0 # We need to detect whether or not the boolean is an alias, since `seboolean` # will error if it is an alias. We do this by inspecting stdout for the boolean name, # since getsebool prints the resolved name. (At some point Ansible's seboolean module # should learn to deal with aliases) - when: ansible_selinux and ansible_selinux.status == "enabled" and item.rc == 0 and item.stdout.find(item.item) != -1 - with_items: "{{ getsebool_status.results }}" + - item.item in item.stdout # Boolean does not have an alias. + - ansible_python_version | version_compare('3', '<') + with_items: "{{ nfs_getsebool_status.results }}" + +# Workaround for https://github.com/openshift/openshift-ansible/issues/4438 +# Use command module rather than seboolean module to set NFS booleans. +# TODO: Remove this task and the ansible_python_version comparison in +# the previous task when the problem has been addressed in current +# ansible release. +- name: Set seboolean to allow nfs storage plugin access from containers (python 3) + command: > + setsebool -P {{ item.item }} on + when: + - ansible_selinux + - ansible_selinux.status == "enabled" + - item.rc == 0 + # We need to detect whether or not the boolean is an alias, since `seboolean` + # will error if it is an alias. We do this by inspecting stdout for the boolean name, + # since getsebool prints the resolved name. (At some point Ansible's seboolean module + # should learn to deal with aliases) + - item.item in item.stdout # Boolean does not have an alias. + - ('--> off' in item.stdout) # Boolean is currently off. + - ansible_python_version | version_compare('3', '>=') + with_items: "{{ nfs_getsebool_status.results }}" diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index 880146ca4..ebefaeaba 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -115,6 +115,22 @@ objects: - bindings/status verbs: - update + - apiGroups: + - servicecatalog.k8s.io + resources: + - brokers + - instances + - bindings + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - patch + - create - kind: ClusterRoleBinding apiVersion: v1 diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 6e8301ffe..1342c3d30 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -6,7 +6,6 @@ register: mktemp changed_when: False - - include: wire_aggregator.yml - name: Set default image variables based on deployment_type diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml index 3e5897ba4..b8b8d0863 100644 --- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml +++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml @@ -1,16 +1,82 @@ --- +- name: Make temp cert dir + command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX + register: certtemp + changed_when: False + +- name: Check for First Master Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_crt + changed_when: false + delegate_to: "{{ first_master }}" + +- name: Check for First Master Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_key + changed_when: false + delegate_to: "{{ first_master }}" + + # TODO: this currently has a bug where hostnames are required -- name: Creating Aggregator signer certs +- name: Creating First Master Aggregator signer certs command: > oc adm ca create-signer-cert --cert=/etc/origin/master/front-proxy-ca.crt --key=/etc/origin/master/front-proxy-ca.key --serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_proxy_ca_crt.stat.exists + - not first_proxy_ca_key.stat.exists + +- name: Check for Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_crt + changed_when: false + +- name: Check for Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_key + changed_when: false + +- name: Copy Aggregator Signer certs from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + delegate_to: "{{ first_master }}" + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + +- name: Copy Aggregator Signer certs to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + # oc_adm_ca_server_cert: # cert: /etc/origin/master/front-proxy-ca.crt # key: /etc/origin/master/front-proxy-ca.key -- name: Create api-client config for Aggregator +- name: Check for first master api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: first_front_proxy_kubeconfig + delegate_to: "{{ first_master }}" + +- name: Create first master api-client config for Aggregator command: > oc adm create-api-client-config --certificate-authority=/etc/origin/master/front-proxy-ca.crt @@ -19,6 +85,37 @@ --user aggregator-front-proxy --client-dir=/etc/origin/master --signer-serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_front_proxy_kubeconfig.stat.exists + +- name: Check for api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: front_proxy_kubeconfig + +- name: Copy api-client config from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + delegate_to: "{{ first_master }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists + +- name: Copy api-client config to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists - name: Update master config yedit: @@ -84,3 +181,9 @@ changed_when: false when: - yedit_output.changed + +- name: Delete temp directory + file: + name: "{{ certtemp.stdout }}" + state: absent + changed_when: False diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2 index 33932eeb7..1bbc0fa2c 100644 --- a/roles/openshift_service_catalog/templates/controller_manager.j2 +++ b/roles/openshift_service_catalog/templates/controller_manager.j2 @@ -17,6 +17,7 @@ spec: labels: app: controller-manager spec: + serviceAccountName: service-catalog-controller nodeSelector: {% for key, value in node_selector.iteritems() %} {{key}}: "{{value}}" |