16 files changed, 28 insertions, 106 deletions

diff --git a/roles/flannel/README.md b/roles/flannel/README.md
index 8f271aada..84e2c5c49 100644
--- a/roles/flannel/README.md
+++ b/roles/flannel/README.md
@@ -13,15 +13,15 @@ to 0.3.
 Role Variables
 --------------
 
-| Name                | Default value                           | Description                                   |
-|---------------------|-----------------------------------------|-----------------------------------------------|
-| flannel_interface   | ansible_default_ipv4.interface          | interface to use for inter-host communication |
-| flannel_etcd_key    | /openshift.com/network                  | etcd prefix                                   |
-| etcd_hosts          | etcd_urls                               | a list of etcd endpoints                      |
-| etcd_conf_dir       | {{ openshift.common.config_base }}/node | SSL certificates directory                    |
-| etcd_peer_ca_file   | {{ etcd_conf_dir }}/ca.crt              | SSL CA to use for etcd                        |
-| etcd_peer_cert_file | Openshift SSL cert                      | SSL cert to use for etcd                      |
-| etcd_peer_key_file  | Openshift SSL key                       | SSL key to use for etcd                       |
+| Name                 | Default value                           | Description                                   |
+|----------------------|-----------------------------------------|-----------------------------------------------|
+| flannel_interface    | ansible_default_ipv4.interface          | interface to use for inter-host communication |
+| flannel_etcd_key     | /openshift.com/network                  | etcd prefix                                   |
+| etcd_hosts           | etcd_urls                               | a list of etcd endpoints                      |
+| etcd_cert_config_dir | {{ openshift.common.config_base }}/node | SSL certificates directory                    |
+| etcd_peer_ca_file    | {{ etcd_conf_dir }}/ca.crt              | SSL CA to use for etcd                        |
+| etcd_peer_cert_file  | Openshift SSL cert                      | SSL cert to use for etcd                      |
+| etcd_peer_key_file   | Openshift SSL key                       | SSL key to use for etcd                       |
 
 Dependencies
 ------------
diff --git a/roles/flannel/defaults/main.yaml b/roles/flannel/defaults/main.yaml
index 34cebda9c..988731ef2 100644
--- a/roles/flannel/defaults/main.yaml
+++ b/roles/flannel/defaults/main.yaml
@@ -2,7 +2,6 @@
 flannel_interface: "{{ ansible_default_ipv4.interface }}"
 flannel_etcd_key: /openshift.com/network
 etcd_hosts: "{{ etcd_urls }}"
-etcd_conf_dir: "{{ openshift.common.config_base }}/node"
-etcd_peer_ca_file: "{{ etcd_conf_dir }}/{{ 'ca' if (embedded_etcd | bool) else 'node.etcd-ca' }}.crt"
-etcd_peer_cert_file: "{{ etcd_conf_dir }}/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'node.etcd-client' }}.crt"
-etcd_peer_key_file: "{{ etcd_conf_dir }}/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'node.etcd-client' }}.key"
+etcd_peer_ca_file: "{{ openshift.common.config_base }}/node/{{ 'ca' if (embedded_etcd | bool) else 'flannel.etcd-ca' }}.crt"
+etcd_peer_cert_file: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'flannel.etcd-client' }}.crt"
+etcd_peer_key_file: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'flannel.etcd-client' }}.key"
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 31e86f5bd..0683fa95a 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -156,6 +156,7 @@ networkConfig:
 {% endif %}
 # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
   serviceNetworkCIDR: {{ openshift.common.portal_net }}
+  externalIPNetworkCIDRs: {{ openshift_master_external_ip_network_cidrs | default(["0.0.0.0/0"]) | to_padded_yaml(1,2) }}
 oauthConfig:
 {% if 'oauth_always_show_provider_selection' in openshift.master %}
   alwaysShowProviderSelection: {{ openshift.master.oauth_always_show_provider_selection }}
@@ -173,7 +174,7 @@ oauthConfig:
 {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   masterCA: ca-bundle.crt
 {% else %}
-  masterCA: ca.rt
+  masterCA: ca.crt
 {% endif %}
   masterPublicURL: {{ openshift.master.public_api_url }}
   masterURL: {{ openshift.master.api_url }}
@@ -210,7 +211,7 @@ serviceAccountConfig:
 {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
   masterCA: ca-bundle.crt
 {% else %}
-  masterCA: ca.rt
+  masterCA: ca.crt
 {% endif %}
   privateKeyFile: serviceaccounts.private.key
   publicKeyFiles:
diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml
index e384c1bd7..22b539d16 100644
--- a/roles/openshift_node/tasks/storage_plugins/nfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml
@@ -17,16 +17,16 @@
     persistent: yes
   when: ansible_selinux and ansible_selinux.status == "enabled" and virt_use_nfs_output.rc == 0
 
-- name: Check for existence of virt_sandbox_use_nfs seboolean
+- name: Check for existence of virt_sandbox_use_nfs seboolean (RHEL)
   command: getsebool virt_sandbox_use_nfs
   register: virt_sandbox_use_nfs_output
-  when: ansible_selinux and ansible_selinux.status == "enabled"
+  when: ansible_distribution != "Fedora" and ansible_selinux and ansible_selinux.status == "enabled"
   failed_when: false
   changed_when: false
 
-- name: Set seboolean to allow nfs storage plugin access from containers(sandbox)
+- name: Set seboolean to allow nfs storage plugin access from containers(sandbox) (RHEL)
   seboolean:
     name: virt_sandbox_use_nfs
     state: yes
     persistent: yes
-  when: ansible_selinux and ansible_selinux.status == "enabled" and virt_sandbox_use_nfs_output.rc == 0
+  when: ansible_distribution != "Fedora" and ansible_selinux and ansible_selinux.status == "enabled" and virt_sandbox_use_nfs_output.rc == 0
diff --git a/roles/openshift_repos/files/fedora-openshift-enterprise/gpg_keys/.gitkeep b/roles/openshift_repos/files/fedora-openshift-enterprise/gpg_keys/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_repos/files/fedora-openshift-enterprise/gpg_keys/.gitkeep
+++ /dev/null
diff --git a/roles/openshift_repos/files/fedora-openshift-enterprise/repos/.gitkeep b/roles/openshift_repos/files/fedora-openshift-enterprise/repos/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_repos/files/fedora-openshift-enterprise/repos/.gitkeep
+++ /dev/null
diff --git a/roles/openshift_repos/files/fedora-origin/repos/maxamillion-fedora-openshift-fedora.repo b/roles/openshift_repos/files/fedora-origin/repos/maxamillion-fedora-openshift-fedora.repo
deleted file mode 100644
index bc0435d82..000000000
--- a/roles/openshift_repos/files/fedora-origin/repos/maxamillion-fedora-openshift-fedora.repo
+++ /dev/null
@@ -1,8 +0,0 @@
-[maxamillion-fedora-openshift]
-name=Copr repo for fedora-openshift owned by maxamillion
-baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/fedora-$releasever-$basearch/
-skip_if_unavailable=True
-gpgcheck=1
-gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/pubkey.gpg
-enabled=1
-enabled_metadata=1
\ No newline at end of file
diff --git a/roles/openshift_repos/files/online/repos/enterprise-v3.repo b/roles/openshift_repos/files/online/repos/enterprise-v3.repo
deleted file mode 100644
index 92bd35834..000000000
--- a/roles/openshift_repos/files/online/repos/enterprise-v3.repo
+++ /dev/null
@@ -1,10 +0,0 @@
-[enterprise-v3]
-name=OpenShift Enterprise
-baseurl=https://mirror.ops.rhcloud.com/libra/rhui-rhel-server-7-ose/
-        https://gce-mirror1.ops.rhcloud.com/libra/rhui-rhel-server-7-ose/
-enabled=1
-gpgcheck=0
-failovermethod=priority
-sslverify=False
-sslclientcert=/var/lib/yum/client-cert.pem
-sslclientkey=/var/lib/yum/client-key.pem
diff --git a/roles/openshift_repos/files/online/repos/rhel-7-libra-candidate.repo b/roles/openshift_repos/files/online/repos/rhel-7-libra-candidate.repo
deleted file mode 100644
index b4215679f..000000000
--- a/roles/openshift_repos/files/online/repos/rhel-7-libra-candidate.repo
+++ /dev/null
@@ -1,11 +0,0 @@
-[rhel-7-libra-candidate]
-name=rhel-7-libra-candidate - \$basearch
-baseurl=https://gce-mirror1.ops.rhcloud.com/libra/rhel-7-libra-candidate/\$basearch/
-        https://mirror.ops.rhcloud.com/libra/rhel-7-libra-candidate/\$basearch/
-gpgkey=https://mirror.ops.rhcloud.com/libra/RPM-GPG-KEY-redhat-openshifthosted
-skip_if_unavailable=True
-gpgcheck=0
-enabled=1
-sslclientcert=/var/lib/yum/client-cert.pem
-sslclientkey=/var/lib/yum/client-key.pem
-sslverify=False
diff --git a/roles/openshift_repos/files/openshift-enterprise/gpg_keys/.gitkeep b/roles/openshift_repos/files/openshift-enterprise/gpg_keys/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_repos/files/openshift-enterprise/gpg_keys/.gitkeep
+++ /dev/null
diff --git a/roles/openshift_repos/files/openshift-enterprise/repos/.gitkeep b/roles/openshift_repos/files/openshift-enterprise/repos/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_repos/files/openshift-enterprise/repos/.gitkeep
+++ /dev/null
diff --git a/roles/openshift_repos/files/removed/repos/epel7-openshift.repo b/roles/openshift_repos/files/removed/repos/epel7-openshift.repo
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_repos/files/removed/repos/epel7-openshift.repo
+++ /dev/null
diff --git a/roles/openshift_repos/files/removed/repos/maxamillion-origin-next-epel-7.repo b/roles/openshift_repos/files/removed/repos/maxamillion-origin-next-epel-7.repo
deleted file mode 100644
index 0b21e0a65..000000000
--- a/roles/openshift_repos/files/removed/repos/maxamillion-origin-next-epel-7.repo
+++ /dev/null
@@ -1,7 +0,0 @@
-[maxamillion-origin-next]
-name=Copr repo for origin-next owned by maxamillion
-baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/epel-7-$basearch/
-skip_if_unavailable=True
-gpgcheck=1
-gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/pubkey.gpg
-enabled=1
diff --git a/roles/openshift_repos/files/removed/repos/oso-rhui-rhel-7-extras.repo b/roles/openshift_repos/files/removed/repos/oso-rhui-rhel-7-extras.repo
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_repos/files/removed/repos/oso-rhui-rhel-7-extras.repo
+++ /dev/null
diff --git a/roles/openshift_repos/files/removed/repos/oso-rhui-rhel-7-server.repo b/roles/openshift_repos/files/removed/repos/oso-rhui-rhel-7-server.repo
deleted file mode 100644
index e69de29bb..000000000
--- a/roles/openshift_repos/files/removed/repos/oso-rhui-rhel-7-server.repo
+++ /dev/null
diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml
index 07a8d28fd..9be168611 100644
--- a/roles/openshift_repos/tasks/main.yaml
+++ b/roles/openshift_repos/tasks/main.yaml
@@ -29,62 +29,20 @@
   when: openshift_additional_repos | length == 0 and not openshift.common.is_containerized | bool
   notify: refresh cache
 
-- name: Remove any yum repo files for other deployment types RHEL/CentOS
-  file:
-    path: "/etc/yum.repos.d/{{ item | basename }}"
-    state: absent
-  with_fileglob:
-  - "fedora-openshift-enterprise/repos/*"
-  - "fedora-origin/repos/*"
-  - "online/repos/*"
-  - "openshift-enterprise/repos/*"
-  - "origin/repos/*"
-  - "removed/repos/*"
-  when: not openshift.common.is_containerized | bool
-        and not (item | search("/files/" ~ openshift_deployment_type ~ "/repos"))
-        and (ansible_os_family == "RedHat" and ansible_distribution != "Fedora")
-  notify: refresh cache
-
-- name: Remove any yum repo files for other deployment types Fedora
-  file:
-    path: "{{ item | basename }}"
-    state: absent
-  with_fileglob:
-  - "fedora-openshift-enterprise/repos/*"
-  - "fedora-origin/repos/*"
-  - "online/repos/*"
-  - "openshift-enterprise/repos/*"
-  - "origin/repos/*"
-  - "removed/repos/*"
-  when: not openshift.common.is_containerized | bool
-        and not (item | search("/files/fedora-" ~ openshift_deployment_type ~ "/repos"))
-        and (ansible_distribution == "Fedora")
-  notify: refresh cache
-
-- name: Configure gpg keys if needed
+- name: Configure origin gpg keys if needed
   copy:
-    src: "{{ item }}"
+    src: origin/gpg_keys/openshift-ansible-CentOS-SIG-PaaS
     dest: /etc/pki/rpm-gpg/
-  with_fileglob:
-  - "{{ openshift_deployment_type }}/gpg_keys/*"
-  notify: refresh cache
-  when: not openshift.common.is_containerized | bool
-
-- name: Configure yum repositories RHEL/CentOS
-  copy:
-    src: "{{ item }}"
-    dest: /etc/yum.repos.d/
-  with_fileglob:
-  - "{{ openshift_deployment_type }}/repos/*"
   notify: refresh cache
-  when: (ansible_os_family == "RedHat" and ansible_distribution != "Fedora")
+  when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora"
+        and openshift_deployment_type == 'origin'
         and not openshift.common.is_containerized | bool
 
-- name: Configure yum repositories Fedora
+- name: Configure origin yum repositories RHEL/CentOS
   copy:
-    src: "{{ item }}"
+    src: origin/repos/openshift-ansible-centos-paas-sig.repo
     dest: /etc/yum.repos.d/
-  with_fileglob:
-  - "fedora-{{ openshift_deployment_type }}/repos/*"
   notify: refresh cache
-  when: (ansible_distribution == "Fedora") and not openshift.common.is_containerized | bool
+  when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora"
+        and openshift_deployment_type == 'origin'
+        and not openshift.common.is_containerized | bool