summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/ansible_service_broker/defaults/main.yml3
-rw-r--r--roles/ansible_service_broker/tasks/install.yml20
-rw-r--r--roles/docker/tasks/systemcontainer_docker.yml8
-rw-r--r--roles/etcd_common/defaults/main.yml4
-rw-r--r--roles/etcd_common/tasks/backup.yml15
-rw-r--r--roles/etcd_migrate/tasks/migrate.yml15
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py17
-rw-r--r--roles/openshift_hosted_logging/README.md2
-rw-r--r--roles/openshift_hosted_logging/vars/main.yaml3
-rw-r--r--roles/openshift_logging/README.md2
-rw-r--r--roles/openshift_logging/defaults/main.yml1
-rw-r--r--roles/openshift_logging/tasks/install_logging.yaml1
-rw-r--r--roles/openshift_logging_fluentd/defaults/main.yml2
-rw-r--r--roles/openshift_logging_fluentd/tasks/main.yaml18
-rw-r--r--roles/openshift_logging_fluentd/templates/fluentd.j214
-rw-r--r--roles/openshift_logging_fluentd/vars/main.yml1
-rw-r--r--roles/openshift_logging_mux/defaults/main.yml1
-rw-r--r--roles/openshift_logging_mux/templates/mux.j22
-rw-r--r--roles/openshift_master/tasks/main.yml13
-rw-r--r--roles/openshift_node/tasks/storage_plugins/glusterfs.yml60
-rw-r--r--roles/openshift_node/tasks/storage_plugins/nfs.yml42
-rw-r--r--roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml16
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml1
-rw-r--r--roles/openshift_service_catalog/tasks/wire_aggregator.yml107
-rw-r--r--roles/openshift_service_catalog/templates/controller_manager.j21
25 files changed, 293 insertions, 76 deletions
diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml
index 4a7252679..aa1c5022b 100644
--- a/roles/ansible_service_broker/defaults/main.yml
+++ b/roles/ansible_service_broker/defaults/main.yml
@@ -2,5 +2,8 @@
ansible_service_broker_remove: false
ansible_service_broker_log_level: info
+ansible_service_broker_output_request: false
+ansible_service_broker_recovery: true
# Recommended you do not enable this for now
+ansible_service_broker_dev_broker: false
ansible_service_broker_launch_apb_on_bind: false
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index 81c3f8e5b..65dffc89b 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -48,13 +48,13 @@
namespace: openshift-ansible-service-broker
state: present
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: asb
ports:
- name: port-1338
port: 1338
selector:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: asb
- name: create etcd service
@@ -66,7 +66,7 @@
- name: etcd-advertise
port: 2379
selector:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
- name: create route for ansible-service-broker service
@@ -118,12 +118,12 @@
name: etcd
namespace: openshift-ansible-service-broker
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
spec:
selector:
matchLabels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
strategy:
type: RollingUpdate
@@ -134,7 +134,7 @@
template:
metadata:
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
spec:
restartPolicy: Always
@@ -250,8 +250,10 @@
color: true
openshift: {}
broker:
- devbroker: false
- launchapbonbind: "{{ ansible_service_broker_launch_apb_on_bind }}"
+ dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }}
+ launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }}
+ recovery: {{ ansible_service_broker_recovery | bool | lower }}
+ output_request: {{ ansible_service_broker_output_request | bool | lower }}
- name: Create the Broker resource in the catalog
oc_obj:
@@ -266,4 +268,4 @@
metadata:
name: ansible-service-broker
spec:
- url: http://{{ ansible_service_broker_route }}
+ url: http://asb.openshift-ansible-service-broker.svc:1338
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 650f06f86..d8c5ccfd3 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -12,6 +12,12 @@
traditional docker package install. Otherwise, comment out openshift_docker_options
in your inventory file.
+- name: Ensure container-selinux is installed
+ package:
+ name: container-selinux
+ state: present
+ when: not openshift.common.is_atomic | bool
+
# Used to pull and install the system container
- name: Ensure atomic is installed
package:
@@ -86,7 +92,7 @@
- name: Use Fedora Registry for image when distribution is Fedora
set_fact:
- l_docker_image_prepend: "registry.fedoraproject.org"
+ l_docker_image_prepend: "registry.fedoraproject.org/f25"
when: ansible_distribution == 'Fedora'
# For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml
index b5b38c1e1..b1bfa4592 100644
--- a/roles/etcd_common/defaults/main.yml
+++ b/roles/etcd_common/defaults/main.yml
@@ -44,6 +44,10 @@ etcd_ca_serial: "{{ etcd_ca_dir }}/serial"
etcd_ca_crl_number: "{{ etcd_ca_dir }}/crlnumber"
etcd_ca_default_days: 1825
+r_etcd_common_master_peer_cert_file: /etc/origin/master/master.etcd-client.crt
+r_etcd_common_master_peer_key_file: /etc/origin/master/master.etcd-client.key
+r_etcd_common_master_peer_ca_file: /etc/origin/master/master.etcd-ca.crt
+
# etcd server & certificate vars
etcd_hostname: "{{ inventory_hostname }}"
etcd_ip: "{{ ansible_default_ipv4.address }}"
diff --git a/roles/etcd_common/tasks/backup.yml b/roles/etcd_common/tasks/backup.yml
index 1a0b857f1..2bc486d3f 100644
--- a/roles/etcd_common/tasks/backup.yml
+++ b/roles/etcd_common/tasks/backup.yml
@@ -61,6 +61,21 @@
- r_etcd_common_embedded_etcd | bool
- not l_ostree_booted.stat.exists | bool
+- name: Check selinux label of '{{ l_etcd_data_dir }}'
+ command: >
+ stat -c '%C' {{ l_etcd_data_dir }}
+ register: l_etcd_selinux_labels
+
+- debug:
+ msg: "{{ l_etcd_selinux_labels }}"
+
+- name: Make sure the '{{ l_etcd_data_dir }}' has the proper label
+ command: >
+ chcon -t svirt_sandbox_file_t "{{ l_etcd_data_dir }}"
+ when:
+ - l_etcd_selinux_labels.rc == 0
+ - "'svirt_sandbox_file_t' not in l_etcd_selinux_labels.stdout"
+
- name: Generate etcd backup
command: >
{{ r_etcd_common_etcdctl_command }} backup --data-dir={{ l_etcd_incontainer_data_dir }}
diff --git a/roles/etcd_migrate/tasks/migrate.yml b/roles/etcd_migrate/tasks/migrate.yml
index 7f441568a..b2cf6d20a 100644
--- a/roles/etcd_migrate/tasks/migrate.yml
+++ b/roles/etcd_migrate/tasks/migrate.yml
@@ -31,14 +31,23 @@
name: "{{ l_etcd_service }}"
state: started
+- name: Wait for cluster to become healthy after migration
+ command: >
+ etcdctl --cert-file {{ etcd_peer_cert_file }} --key-file {{ etcd_peer_key_file }} --ca-file {{ etcd_peer_ca_file }} --endpoint https://{{ etcd_peer }}:{{ etcd_client_port }} cluster-health
+ register: l_etcd_migrate_health
+ until: l_etcd_migrate_health.rc == 0
+ retries: 3
+ delay: 30
+ run_once: true
+
# NOTE: /usr/local/bin may be removed from the PATH by ansible hence why
# it's added to the environment in this task.
- name: Re-introduce leases (as a replacement for key TTLs)
command: >
oadm migrate etcd-ttl \
- --cert {{ etcd_peer_cert_file }} \
- --key {{ etcd_peer_key_file }} \
- --cacert {{ etcd_peer_ca_file }} \
+ --cert {{ r_etcd_common_master_peer_cert_file }} \
+ --key {{ r_etcd_common_master_peer_key_file }} \
+ --cacert {{ r_etcd_common_master_peer_ca_file }} \
--etcd-address 'https://{{ etcd_peer }}:{{ etcd_client_port }}' \
--ttl-keys-prefix {{ item }} \
--lease-duration 1h
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index c960630ed..04b5dc86b 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1654,14 +1654,15 @@ def set_proxy_facts(facts):
# in the _no_proxy value
common['no_proxy'] = common['no_proxy'].split(",")
- # at this point common['no_proxy'] is a LIST datastructure. It
- # may be empty, or it may contain some hostnames or ranges.
-
- # We always add local dns domain, the service domain, and
- # ourselves, no matter what
- common['no_proxy'].append('.svc')
- common['no_proxy'].append('.' + common['dns_domain'])
- common['no_proxy'].append(common['hostname'])
+ # at this point common['no_proxy'] is a LIST datastructure. It
+ # may be empty, or it may contain some hostnames or ranges.
+
+ # We always add local dns domain, the service domain, and
+ # ourselves, no matter what (if you are setting any
+ # NO_PROXY values)
+ common['no_proxy'].append('.svc')
+ common['no_proxy'].append('.' + common['dns_domain'])
+ common['no_proxy'].append(common['hostname'])
# You are also setting system proxy vars, openshift_http_proxy/openshift_https_proxy
if 'http_proxy' in common or 'https_proxy' in common:
diff --git a/roles/openshift_hosted_logging/README.md b/roles/openshift_hosted_logging/README.md
index 12ffe777d..680303853 100644
--- a/roles/openshift_hosted_logging/README.md
+++ b/roles/openshift_hosted_logging/README.md
@@ -22,7 +22,7 @@
- openshift_hosted_logging_kibana_nodeselector: Specify the nodeSelector that Kibana should be use (label=value)
- openshift_hosted_logging_curator_nodeselector: Specify the nodeSelector that Curator should be use (label=value)
- openshift_hosted_logging_enable_ops_cluster: If "true", configure a second ES cluster and Kibana for ops logs.
-- openshift_hosted_logging_use_journal: If this is unset or empty, logging will try to figure out from docker which log driver it is using (json-file or journald). You can set this param to "true" or "false" to force logging to use journal or not (but make sure you are sure which one docker is using).
+- openshift_hosted_logging_use_journal: *DEPRECATED - DO NOT USE*
- openshift_hosted_logging_journal_source: By default, if this param is unset or empty, logging will use `/var/log/journal` if it exists, or `/run/log/journal` if not. You can use this param to force logging to use a different location.
- openshift_hosted_logging_journal_read_from_head: Set to `true` to have fluentd read from the beginning of the journal, to get historical log data. Default is `false`. *WARNING* Using `true` may take several minutes or even hours, depending on the size of the journal, until any new records show up in Elasticsearch, and will cause fluentd to consume a lot of CPU and RAM resources.
diff --git a/roles/openshift_hosted_logging/vars/main.yaml b/roles/openshift_hosted_logging/vars/main.yaml
index 33320e9c8..4b350b244 100644
--- a/roles/openshift_hosted_logging/vars/main.yaml
+++ b/roles/openshift_hosted_logging/vars/main.yaml
@@ -26,8 +26,7 @@ kb_ops_ns_cmap_param: "{{ '--from-literal kibana-ops-nodeselector=' ~ openshift_
cr_ns_cmap_param: "{{ '--from-literal curator-nodeselector=' ~ openshift_hosted_logging_curator_nodeselector | quote if openshift_hosted_logging_curator_nodeselector | default(none) is not none else '' }}"
cr_ops_ns_cmap_param: "{{ '--from-literal curator-ops-nodeselector=' ~ openshift_hosted_logging_curator_ops_nodeselector | quote if openshift_hosted_logging_curator_ops_nodeselector | default(none) is not none else '' }}"
ops_cmap_param: "{{ '--from-literal enable-ops-cluster=' ~ openshift_hosted_logging_enable_ops_cluster | string | lower | quote if openshift_hosted_logging_enable_ops_cluster | default(none) is not none else '' }}"
-use_journal_cmap_param: "{{ '--from-literal use-journal=' ~ openshift_hosted_logging_use_journal | string | lower | quote if openshift_hosted_logging_use_journal | default(none) is not none else '' }}"
journal_source_cmap_param: "{{ '--from-literal journal-source=' ~ openshift_hosted_logging_journal_source | quote if openshift_hosted_logging_journal_source | default(none) is not none else '' }}"
journal_read_from_head_cmap_param: "{{ '--from-literal journal-read-from-head=' ~ openshift_hosted_logging_journal_read_from_head | string | lower | quote if openshift_hosted_logging_journal_read_from_head | default(none) is not none else '' }}"
ips_cmap_param: "{{ '--from-literal image-pull-secret=' ~ openshift_hosted_logging_image_pull_secret | quote if openshift_hosted_logging_image_pull_secret | default(none) is not none else '' }}"
-deployer_cmap_params: "{{ kh_cmap_param }} {{ kh_ops_cmap_param }} {{ pmu_cmap_param }} {{ es_cs_cmap_param }} {{ es_ir_cmap_param }} {{ es_pvcs_cmap_param }} {{ es_pvcp_cmap_param }} {{ es_pvcd_cmap_param }} {{ es_ops_cs_cmap_param }} {{ es_ops_ir_cmap_param }} {{ es_ops_pvcs_cmap_param }} {{ es_ops_pvcp_cmap_param }} {{ es_ops_pvcd_cmap_param }} {{ es_sg_cmap_param }} {{ es_ns_cmap_param }} {{ es_ops_ns_cmap_param }} {{ fd_ns_cmap_param }} {{ kb_ns_cmap_param }} {{ kb_ops_ns_cmap_param }} {{ cr_ns_cmap_param }} {{ cr_ops_ns_cmap_param }} {{ ops_cmap_param }} {{ use_journal_cmap_param }} {{ journal_source_cmap_param }} {{ journal_read_from_head_cmap_param }} {{ ips_cmap_param }}"
+deployer_cmap_params: "{{ kh_cmap_param }} {{ kh_ops_cmap_param }} {{ pmu_cmap_param }} {{ es_cs_cmap_param }} {{ es_ir_cmap_param }} {{ es_pvcs_cmap_param }} {{ es_pvcp_cmap_param }} {{ es_pvcd_cmap_param }} {{ es_ops_cs_cmap_param }} {{ es_ops_ir_cmap_param }} {{ es_ops_pvcs_cmap_param }} {{ es_ops_pvcp_cmap_param }} {{ es_ops_pvcd_cmap_param }} {{ es_sg_cmap_param }} {{ es_ns_cmap_param }} {{ es_ops_ns_cmap_param }} {{ fd_ns_cmap_param }} {{ kb_ns_cmap_param }} {{ kb_ops_ns_cmap_param }} {{ cr_ns_cmap_param }} {{ cr_ops_ns_cmap_param }} {{ ops_cmap_param }} {{ journal_source_cmap_param }} {{ journal_read_from_head_cmap_param }} {{ ips_cmap_param }}"
diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md
index dd0f22d4b..d2ef7cc71 100644
--- a/roles/openshift_logging/README.md
+++ b/roles/openshift_logging/README.md
@@ -52,7 +52,7 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log
- `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'.
- `openshift_logging_fluentd_memory_limit`: The memory limit for Fluentd pods. Defaults to '512Mi'.
- `openshift_logging_fluentd_es_copy`: Whether or not to use the ES_COPY feature for Fluentd (DEPRECATED). Defaults to 'False'.
-- `openshift_logging_fluentd_use_journal`: NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver when using the default of empty.
+- `openshift_logging_fluentd_use_journal`: *DEPRECATED - DO NOT USE* Fluentd will automatically detect whether or not Docker is using the journald log driver.
- `openshift_logging_fluentd_journal_read_from_head`: If empty, Fluentd will use its internal default, which is false.
- `openshift_logging_fluentd_hosts`: List of nodes that should be labeled for Fluentd to be deployed to. Defaults to ['--all'].
- `openshift_logging_fluentd_buffer_queue_limit`: Buffer queue limit for Fluentd. Defaults to 1024.
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index c243a6e4a..1c243f934 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -72,7 +72,6 @@ openshift_logging_fluentd_nodeselector: "{{ openshift_hosted_logging_fluentd_nod
openshift_logging_fluentd_cpu_limit: 100m
openshift_logging_fluentd_memory_limit: 512Mi
openshift_logging_fluentd_es_copy: false
-openshift_logging_fluentd_use_journal: "{{ openshift_hosted_logging_use_journal if openshift_hosted_logging_use_journal is defined else (docker_log_driver == 'journald') | ternary(True, False) if docker_log_driver is defined else (openshift.docker.log_driver == 'journald') | ternary(True, False) if openshift.docker.log_driver is defined else openshift.docker.options | search('--log-driver=journald') if openshift.docker.options is defined else default(omit) }}"
openshift_logging_fluentd_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}"
openshift_logging_fluentd_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}"
openshift_logging_fluentd_hosts: ['--all']
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 50698599a..5c5bbf84c 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -261,7 +261,6 @@
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
openshift_logging_fluentd_ops_host: "{{ ( openshift_logging_use_ops | bool ) | ternary('logging-es-ops', 'logging-es') }}"
- openshift_logging_fluentd_use_journal: "{{ openshift.docker.options | search('journald') }}"
openshift_logging_fluentd_image_prefix: "{{ openshift_logging_image_prefix }}"
openshift_logging_fluentd_image_version: "{{ openshift_logging_image_version }}"
openshift_logging_fluentd_image_pull_secret: "{{ openshift_logging_image_pull_secret }}"
diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml
index 228196d74..ce7cfc433 100644
--- a/roles/openshift_logging_fluentd/defaults/main.yml
+++ b/roles/openshift_logging_fluentd/defaults/main.yml
@@ -28,7 +28,6 @@ openshift_logging_fluentd_ops_host: "{{ openshift_logging_fluentd_app_host }}"
openshift_logging_fluentd_ops_port: "{{ openshift_logging_fluentd_app_port }}"
### Used by "hosted" and "secure-aggregator" deployments
-#openshift_logging_fluentd_use_journal: "{{ openshift_hosted_logging_use_journal }}"
openshift_logging_fluentd_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}"
openshift_logging_fluentd_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}"
@@ -49,6 +48,7 @@ openshift_logging_fluentd_aggregating_strict: "no"
openshift_logging_fluentd_aggregating_cert_path: none
openshift_logging_fluentd_aggregating_key_path: none
openshift_logging_fluentd_aggregating_passphrase: none
+openshift_logging_use_mux_client: False
### Deprecating in 3.6
openshift_logging_fluentd_es_copy: false
diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml
index 30b596e22..55de2ae8d 100644
--- a/roles/openshift_logging_fluentd/tasks/main.yaml
+++ b/roles/openshift_logging_fluentd/tasks/main.yaml
@@ -15,19 +15,15 @@
msg: Invalid deployment type, one of ['hosted', 'secure-aggregator', 'secure-host'] allowed
when: not openshift_logging_fluentd_deployment_type in __allowed_fluentd_types
-- include: determine_version.yaml
+- debug:
+ msg: openshift_logging_fluentd_use_journal is deprecated. Fluentd will automatically detect which logging driver is being used.
+ when: openshift_logging_fluentd_use_journal is defined
-- set_fact:
- openshift_logging_fluentd_use_journal: "{{ openshift_hosted_logging_use_journal }}"
- when:
- - openshift_hosted_logging_use_journal is defined
- - openshift_logging_fluentd_use_journal is not defined
+- debug:
+ msg: openshift_hosted_logging_use_journal is deprecated. Fluentd will automatically detect which logging driver is being used.
+ when: openshift_hosted_logging_use_journal is defined
-- set_fact:
- openshift_logging_fluentd_use_journal: "{{ __fluentd_use_journal }}"
- when:
- - openshift_hosted_logging_use_journal is not defined
- - openshift_logging_fluentd_use_journal is not defined
+- include: determine_version.yaml
# allow passing in a tempdir
- name: Create temp directory for doing work in
diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2
index d9814370f..970e5c2a5 100644
--- a/roles/openshift_logging_fluentd/templates/fluentd.j2
+++ b/roles/openshift_logging_fluentd/templates/fluentd.j2
@@ -62,6 +62,11 @@ spec:
- name: dockerdaemoncfg
mountPath: /etc/docker
readOnly: true
+{% if openshift_logging_use_mux_client | bool %}
+ - name: muxcerts
+ mountPath: /etc/fluent/muxkeys
+ readOnly: true
+{% endif %}
env:
- name: "K8S_HOST_URL"
value: "{{ openshift_logging_fluentd_master_url }}"
@@ -87,8 +92,6 @@ spec:
value: "{{ openshift_logging_fluentd_ops_ca }}"
- name: "ES_COPY"
value: "false"
- - name: "USE_JOURNAL"
- value: "{{ openshift_logging_fluentd_use_journal | lower }}"
- name: "JOURNAL_SOURCE"
value: "{{ openshift_logging_fluentd_journal_source | default('') }}"
- name: "JOURNAL_READ_FROM_HEAD"
@@ -107,6 +110,8 @@ spec:
resourceFieldRef:
containerName: "{{ daemonset_container_name }}"
resource: limits.memory
+ - name: "USE_MUX_CLIENT"
+ value: "{{ openshift_logging_use_mux_client | default('false') | lower }}"
volumes:
- name: runlogjournal
hostPath:
@@ -135,3 +140,8 @@ spec:
- name: dockerdaemoncfg
hostPath:
path: /etc/docker
+{% if openshift_logging_use_mux_client | bool %}
+ - name: muxcerts
+ secret:
+ secretName: logging-mux
+{% endif %}
diff --git a/roles/openshift_logging_fluentd/vars/main.yml b/roles/openshift_logging_fluentd/vars/main.yml
index f601b738e..ad3fb0bdd 100644
--- a/roles/openshift_logging_fluentd/vars/main.yml
+++ b/roles/openshift_logging_fluentd/vars/main.yml
@@ -2,4 +2,3 @@
__latest_fluentd_version: "3_5"
__allowed_fluentd_versions: ["3_5", "3_6"]
__allowed_fluentd_types: ["hosted", "secure-aggregator", "secure-host"]
-__fluentd_use_journal: "{{ (docker_log_driver == 'journald') | ternary(True, False) if docker_log_driver is defined else (openshift.docker.log_driver == 'journald') | ternary(True, False) if openshift.docker.log_driver is defined else openshift.docker.options | search('--log-driver=journald') if openshift.docker.options is defined else default(omit) }}"
diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml
index 77e47d38c..797a27c1b 100644
--- a/roles/openshift_logging_mux/defaults/main.yml
+++ b/roles/openshift_logging_mux/defaults/main.yml
@@ -24,7 +24,6 @@ openshift_logging_mux_ops_host: "{{ openshift_logging_mux_app_host }}"
openshift_logging_mux_ops_port: "{{ openshift_logging_mux_app_port }}"
### Used by "hosted" and "secure-aggregator" deployments
-openshift_logging_mux_use_journal: "{{ openshift_hosted_logging_use_journal | default('') }}"
openshift_logging_mux_journal_source: "{{ openshift_hosted_logging_journal_source | default('') }}"
openshift_logging_mux_journal_read_from_head: "{{ openshift_hosted_logging_journal_read_from_head | default('') }}"
diff --git a/roles/openshift_logging_mux/templates/mux.j2 b/roles/openshift_logging_mux/templates/mux.j2
index c3f9b3433..226294847 100644
--- a/roles/openshift_logging_mux/templates/mux.j2
+++ b/roles/openshift_logging_mux/templates/mux.j2
@@ -89,8 +89,6 @@ spec:
value: "{{openshift_logging_mux_ops_client_key}}"
- name: "OPS_CA"
value: "{{openshift_logging_mux_ops_ca}}"
- - name: "USE_JOURNAL"
- value: "false"
- name: "JOURNAL_SOURCE"
value: "{{openshift_logging_mux_journal_source | default('')}}"
- name: "JOURNAL_READ_FROM_HEAD"
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 86532cd0a..9b7125240 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -128,8 +128,17 @@
when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != ''
with_items: "{{ openshift.master.identity_providers }}"
-- set_fact:
- openshift_push_via_dns: "{{ openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6 and r_openshift_master_clean_install }}"
+# This is an ugly hack to verify settings are in a file without modifying them with lineinfile.
+# The template file will stomp any other settings made.
+- block:
+ - name: check whether our docker-registry setting exists in the env file
+ command: "awk '/^OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000/' /etc/sysconfig/{{ openshift.common.service_type }}-master"
+ ignore_errors: true
+ changed_when: false
+ register: already_set
+
+ - set_fact:
+ openshift_push_via_dns: "{{ (openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6) or (already_set.stdout | match('OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000')) }}"
- name: Install the systemd units
include: systemd_units.yml
diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
index 7d8c42ee2..1b8a7ad50 100644
--- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
@@ -3,30 +3,52 @@
package: name=glusterfs-fuse state=present
when: not openshift.common.is_atomic | bool
-- name: Check for existence of virt_use_fusefs seboolean
- command: getsebool virt_use_fusefs
- register: virt_use_fusefs_output
- when: ansible_selinux and ansible_selinux.status == "enabled"
+- name: Check for existence of fusefs sebooleans
+ command: getsebool {{ item }}
+ register: fusefs_getsebool_status
+ when:
+ - ansible_selinux
+ - ansible_selinux.status == "enabled"
failed_when: false
changed_when: false
+ with_items:
+ - virt_use_fusefs
+ - virt_sandbox_use_fusefs
- name: Set seboolean to allow gluster storage plugin access from containers
seboolean:
- name: virt_use_fusefs
+ name: "{{ item.item }}"
state: yes
persistent: yes
- when: ansible_selinux and ansible_selinux.status == "enabled" and virt_use_fusefs_output.rc == 0
+ when:
+ - ansible_selinux
+ - ansible_selinux.status == "enabled"
+ - item.rc == 0
+ # We need to detect whether or not the boolean is an alias, since `seboolean`
+ # will error if it is an alias. We do this by inspecting stdout for the boolean name,
+ # since getsebool prints the resolved name. (At some point Ansible's seboolean module
+ # should learn to deal with aliases)
+ - item.item in item.stdout # Boolean does not have an alias.
+ - ansible_python_version | version_compare('3', '<')
+ with_items: "{{ fusefs_getsebool_status.results }}"
-- name: Check for existence of virt_sandbox_use_fusefs seboolean
- command: getsebool virt_sandbox_use_fusefs
- register: virt_sandbox_use_fusefs_output
- when: ansible_selinux and ansible_selinux.status == "enabled"
- failed_when: false
- changed_when: false
-
-- name: Set seboolean to allow gluster storage plugin access from containers(sandbox)
- seboolean:
- name: virt_sandbox_use_fusefs
- state: yes
- persistent: yes
- when: ansible_selinux and ansible_selinux.status == "enabled" and virt_sandbox_use_fusefs_output.rc == 0
+# Workaround for https://github.com/openshift/openshift-ansible/issues/4438
+# Use command module rather than seboolean module to set GlusterFS booleans.
+# TODO: Remove this task and the ansible_python_version comparison in
+# the previous task when the problem has been addressed in current
+# ansible release.
+- name: Set seboolean to allow gluster storage plugin access from containers (python 3)
+ command: >
+ setsebool -P {{ item.item }} on
+ when:
+ - ansible_selinux
+ - ansible_selinux.status == "enabled"
+ - item.rc == 0
+ # We need to detect whether or not the boolean is an alias, since `seboolean`
+ # will error if it is an alias. We do this by inspecting stdout for the boolean name,
+ # since getsebool prints the resolved name. (At some point Ansible's seboolean module
+ # should learn to deal with aliases)
+ - item.item in item.stdout # Boolean does not have an alias.
+ - ('--> off' in item.stdout) # Boolean is currently off.
+ - ansible_python_version | version_compare('3', '>=')
+ with_items: "{{ fusefs_getsebool_status.results }}"
diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml
index d40ae66cb..7e1035893 100644
--- a/roles/openshift_node/tasks/storage_plugins/nfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml
@@ -3,24 +3,52 @@
package: name=nfs-utils state=present
when: not openshift.common.is_atomic | bool
-- name: Check for existence of seboolean
+- name: Check for existence of nfs sebooleans
command: getsebool {{ item }}
- register: getsebool_status
- when: ansible_selinux and ansible_selinux.status == "enabled"
+ register: nfs_getsebool_status
+ when:
+ - ansible_selinux
+ - ansible_selinux.status == "enabled"
failed_when: false
changed_when: false
with_items:
- - virt_use_nfs
- - virt_sandbox_use_nfs
+ - virt_use_nfs
+ - virt_sandbox_use_nfs
- name: Set seboolean to allow nfs storage plugin access from containers
seboolean:
name: "{{ item.item }}"
state: yes
persistent: yes
+ when:
+ - ansible_selinux
+ - ansible_selinux.status == "enabled"
+ - item.rc == 0
# We need to detect whether or not the boolean is an alias, since `seboolean`
# will error if it is an alias. We do this by inspecting stdout for the boolean name,
# since getsebool prints the resolved name. (At some point Ansible's seboolean module
# should learn to deal with aliases)
- when: ansible_selinux and ansible_selinux.status == "enabled" and item.rc == 0 and item.stdout.find(item.item) != -1
- with_items: "{{ getsebool_status.results }}"
+ - item.item in item.stdout # Boolean does not have an alias.
+ - ansible_python_version | version_compare('3', '<')
+ with_items: "{{ nfs_getsebool_status.results }}"
+
+# Workaround for https://github.com/openshift/openshift-ansible/issues/4438
+# Use command module rather than seboolean module to set NFS booleans.
+# TODO: Remove this task and the ansible_python_version comparison in
+# the previous task when the problem has been addressed in current
+# ansible release.
+- name: Set seboolean to allow nfs storage plugin access from containers (python 3)
+ command: >
+ setsebool -P {{ item.item }} on
+ when:
+ - ansible_selinux
+ - ansible_selinux.status == "enabled"
+ - item.rc == 0
+ # We need to detect whether or not the boolean is an alias, since `seboolean`
+ # will error if it is an alias. We do this by inspecting stdout for the boolean name,
+ # since getsebool prints the resolved name. (At some point Ansible's seboolean module
+ # should learn to deal with aliases)
+ - item.item in item.stdout # Boolean does not have an alias.
+ - ('--> off' in item.stdout) # Boolean is currently off.
+ - ansible_python_version | version_compare('3', '>=')
+ with_items: "{{ nfs_getsebool_status.results }}"
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 880146ca4..ebefaeaba 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -115,6 +115,22 @@ objects:
- bindings/status
verbs:
- update
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - brokers
+ - instances
+ - bindings
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - patch
+ - create
- kind: ClusterRoleBinding
apiVersion: v1
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 6e8301ffe..1342c3d30 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -6,7 +6,6 @@
register: mktemp
changed_when: False
-
- include: wire_aggregator.yml
- name: Set default image variables based on deployment_type
diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
index 3e5897ba4..b8b8d0863 100644
--- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml
+++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
@@ -1,16 +1,82 @@
---
+- name: Make temp cert dir
+ command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
+ register: certtemp
+ changed_when: False
+
+- name: Check for First Master Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_crt
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+- name: Check for First Master Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_key
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+
# TODO: this currently has a bug where hostnames are required
-- name: Creating Aggregator signer certs
+- name: Creating First Master Aggregator signer certs
command: >
oc adm ca create-signer-cert
--cert=/etc/origin/master/front-proxy-ca.crt
--key=/etc/origin/master/front-proxy-ca.key
--serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_proxy_ca_crt.stat.exists
+ - not first_proxy_ca_key.stat.exists
+
+- name: Check for Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_crt
+ changed_when: false
+
+- name: Check for Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_key
+ changed_when: false
+
+- name: Copy Aggregator Signer certs from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ delegate_to: "{{ first_master }}"
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
+- name: Copy Aggregator Signer certs to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
# oc_adm_ca_server_cert:
# cert: /etc/origin/master/front-proxy-ca.crt
# key: /etc/origin/master/front-proxy-ca.key
-- name: Create api-client config for Aggregator
+- name: Check for first master api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: first_front_proxy_kubeconfig
+ delegate_to: "{{ first_master }}"
+
+- name: Create first master api-client config for Aggregator
command: >
oc adm create-api-client-config
--certificate-authority=/etc/origin/master/front-proxy-ca.crt
@@ -19,6 +85,37 @@
--user aggregator-front-proxy
--client-dir=/etc/origin/master
--signer-serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_front_proxy_kubeconfig.stat.exists
+
+- name: Check for api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: front_proxy_kubeconfig
+
+- name: Copy api-client config from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ delegate_to: "{{ first_master }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
+
+- name: Copy api-client config to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
- name: Update master config
yedit:
@@ -84,3 +181,9 @@
changed_when: false
when:
- yedit_output.changed
+
+- name: Delete temp directory
+ file:
+ name: "{{ certtemp.stdout }}"
+ state: absent
+ changed_when: False
diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2
index 33932eeb7..1bbc0fa2c 100644
--- a/roles/openshift_service_catalog/templates/controller_manager.j2
+++ b/roles/openshift_service_catalog/templates/controller_manager.j2
@@ -17,6 +17,7 @@ spec:
labels:
app: controller-manager
spec:
+ serviceAccountName: service-catalog-controller
nodeSelector:
{% for key, value in node_selector.iteritems() %}
{{key}}: "{{value}}"