From 34455e0f4f2d4b6ea0b21703f711448e947bf0c7 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Tue, 2 Feb 2016 16:47:39 -0500 Subject: Fix infra_node deployment - Do not deploy the router/registry when the infra_nodes variable is present but does not contain a list of infra nodes. - use right node group and only set openshift_infra_nodes if group is present --- playbooks/common/openshift-master/config.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 3d646be64..648a63150 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -170,10 +170,10 @@ master_cert_subdir: master-{{ openshift.common.hostname }} master_cert_config_dir: "{{ openshift.common.config_base }}/master" - set_fact: - openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['nodes']) + openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']) | oo_nodes_with_label('region', 'infra') | oo_collect('inventory_hostname') }}" - when: openshift_infra_nodes is not defined + when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0 - name: Configure master certificates hosts: oo_first_master @@ -408,7 +408,6 @@ - name: Configure service accounts hosts: oo_first_master vars: - accounts: ["router", "registry"] roles: - openshift_serviceaccounts 
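Review bot: Dropping `accounts: ["router", "registry"]` from the "Configure service accounts" play leaves a bare `vars:` (which parses as null) while, at this commit, the openshift_serviceaccounts role still iterates `with_items: accounts` (visible as the pre-change lines of the role's tasks/main.yml hunk in the next commit on this page), so the play fails on an undefined variable until that role rewrite lands. Either keep the var here or land the play and role changes together so the tree is consistent at every commit; as a minimum, remove the now-empty `vars:` key. The set_fact hunk above is fine: guarding on `groups.oo_nodes_to_config | default([]) | length > 0` avoids indexing a missing group.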
@@ -417,10 +416,17 @@ vars: persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}" persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}" + attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}" + deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}" + pre_tasks: + - set_fact: + nfs_host: "{{ groups.oo_nfs_to_config.0 }}" + registry_volume_path: "{{ hostvars[groups.oo_nfs_to_config.0].openshift.nfs.exports_dir + '/' + hostvars[groups.oo_nfs_to_config.0].openshift.nfs.registry_volume }}" + when: attach_registry_volume | bool roles: - role: openshift_persistent_volumes when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0 - role: openshift_router - when: openshift.master.infra_nodes is defined + when: deploy_infra | bool - role: openshift_registry - when: openshift.master.infra_nodes is defined and openshift.hosted.registry.storage.kind != None + when: deploy_infra | bool and attach_registry_volume | bool -- cgit v1.2.3 From d30acfb23637525cf79cd05c94d0d3c900cc4b88 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Wed, 3 Feb 2016 16:27:30 -0500 Subject: openshift_serviceaccounts updates - make service account creation more flexible - create service accounts near where they are consumed --- playbooks/common/openshift-master/config.yml | 25 +++++---- roles/openshift_serviceaccounts/meta/main.yml | 15 ++++++ roles/openshift_serviceaccounts/tasks/main.yml | 59 ++++++++++------------ .../templates/serviceaccount.j2 | 2 +- 4 files changed, 60 insertions(+), 41 deletions(-) create mode 100644 roles/openshift_serviceaccounts/meta/main.yml diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 648a63150..a4da68573 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
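Review bot: The new pre_tasks index `groups.oo_nfs_to_config.0` whenever `openshift.hosted.registry.storage.kind != None`, so an inventory that sets a registry storage kind but has no host in that group (or uses a kind that is not NFS-backed) aborts with an opaque undefined-index error rather than a clear message. Add an explicit fail task ahead of the set_fact, guarded by `when: attach_registry_volume | bool and groups.oo_nfs_to_config | default([]) | length == 0`, with a message naming the missing NFS host group, or tighten `attach_registry_volume` to the storage kinds the set_fact actually supports. Whether `oo_nfs_to_config` is always populated by an earlier play is not visible here, so confirm against the group-evaluation playbook.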
@@ -405,19 +405,11 @@ - file: name={{ g_master_mktemp.stdout }} state=absent changed_when: False -- name: Configure service accounts - hosts: oo_first_master - vars: - roles: - - openshift_serviceaccounts - -- name: Create persistent volumes and services +- name: Create persistent volumes hosts: oo_first_master vars: persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}" persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}" - attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}" - deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}" pre_tasks: - set_fact: nfs_host: "{{ groups.oo_nfs_to_config.0 }}" @@ -426,6 +418,21 @@ roles: - role: openshift_persistent_volumes when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0 + +- name: Create hosted infrastructure services + hosts: oo_first_master + vars: + accounts: ["router", "registry"] + attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}" + deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}" + roles: + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + - registry + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - privileged - role: openshift_router when: deploy_infra | bool - role: openshift_registry diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml new file mode 100644 index 000000000..a2c9fee70 --- /dev/null +++ b/roles/openshift_serviceaccounts/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift Operations + description: OpenShift Service Accounts + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- { role: openshift_facts } 
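Review bot: The openshift_serviceaccounts role in the new "Create hosted infrastructure services" play runs unconditionally, creating the router and registry service accounts and adding them to the `privileged` SCC even when `deploy_infra` is false and neither router nor registry will be deployed; that is a standing privileged-SCC grant with no consumer. Gate the role like its neighbours with `when: deploy_infra | bool` on the `- role: openshift_serviceaccounts` item so the grant exists only when the workloads do. The `accounts: ["router", "registry"]` entry under `vars:` is now dead, since the role takes `openshift_serviceaccounts_names`, and can be dropped.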
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index 4c7faa6fe..5fe7d28f3 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml 
@@ -1,36 +1,33 @@ -- name: tmp dir for openshift - file: - path: /tmp/openshift - state: directory - owner: root - mode: 700 - -- name: Create service account configs - template: - src: serviceaccount.j2 - dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml" - with_items: accounts - -- name: Create {{ item }} service account +- name: test if service accounts exists command: > - {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml" - with_items: accounts - register: _sa_result - failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0" - changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0" + {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }} + with_items: openshift_serviceaccounts_names + failed_when: false + changed_when: false + register: account_test -- name: Get current security context constraints +- name: create the service account shell: > - {{ openshift.common.client_binary }} get scc privileged -o yaml - --output-version=v1 > /tmp/openshift/scc.yaml - changed_when: false + echo {{ lookup('template', '../templates/serviceaccount.j2') + | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }} create -f - + when: item.1.rc != 0 + with_together: + - openshift_serviceaccounts_names + - account_test.results -- name: Add security context constraint for {{ item }} - lineinfile: - dest: /tmp/openshift/scc.yaml - line: "- system:serviceaccount:default:{{ item }}" - insertafter: "^users:$" - with_items: accounts +- name: test if scc needs to be updated + command: > + {{ openshift.common.client_binary }} get scc {{ item }} -o yaml + changed_when: false + failed_when: false + register: scc_test + with_items: openshift_serviceaccounts_sccs -- name: Apply new scc rules for service accounts - command: "{{ openshift.common.client_binary }} update -f 
/tmp/openshift/scc.yaml --api-version=v1" +- name: Grant the user access to the privileged scc + command: > + {{ openshift.common.admin_binary }} policy add-scc-to-user + privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }} + when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}" + with_nested: + - openshift_serviceaccounts_names + - scc_test.results diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2 index 931e249f9..c5f12421f 100644 --- a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 +++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2 @@ -1,4 +1,4 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ item }} + name: {{ item.0 }} -- cgit v1.2.3 From 2ce5997322acd407bc4c2d6af3bf361ca3cc50c8 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Wed, 3 Feb 2016 17:16:20 -0500 Subject: consolidate oo_first_master post-config a bit, fix some roles that use openshift_facts without declaring a dependency --- playbooks/common/openshift-master/config.yml | 42 +++++++--------------------- roles/fluentd_master/meta/main.yml | 15 ++++++++++ roles/openshift_registry/README.md | 6 ---- roles/openshift_registry/meta/main.yml | 4 ++- roles/openshift_router/README.md | 5 ---- roles/openshift_router/meta/main.yml | 4 ++- 6 files changed, 31 insertions(+), 45 deletions(-) create mode 100644 roles/fluentd_master/meta/main.yml diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index a4da68573..aa1a8b34f 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
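Review bot: The grant task hard-codes `privileged` in the `add-scc-to-user` command even though it iterates `scc_test.results` (one entry per name in `openshift_serviceaccounts_sccs`), so a caller that lists a less permissive SCC such as `anyuid` silently gets its service accounts added to `privileged` instead; use the iterated name, `{{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}`, and rename the task accordingly. The `when` also nests `{{ }}` inside a Jinja expression and dereferences `.users`, which is `null` on an SCC with no users, so `not in None` raises; write it as `when: item.1.rc == 0 and ('system:serviceaccount:' ~ openshift_serviceaccounts_namespace ~ ':' ~ item.0) not in ((item.1.stdout | from_yaml).users | default([], true))`. Note that `failed_when: false` on the `get scc` probe means a failed lookup (rc != 0) quietly skips the grant rather than surfacing the error; consider failing explicitly there.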
@@ -360,6 +360,8 @@ - name: Additional master configuration hosts: oo_first_master vars: + cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}" + etcd_urls: "{{ openshift.master.etcd_urls }}" openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" omc_cluster_hosts: "{{ groups.oo_masters_to_config | join(' ')}}" roles: @@ -371,30 +373,16 @@ when: openshift.common.use_cluster_metrics | bool - role: openshift_manageiq when: openshift.common.use_manageiq | bool - -- name: Enable cockpit - hosts: oo_first_master - vars: - cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}" - roles: - role: cockpit when: not openshift.common.is_atomic and ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and (osm_use_cockpit | bool or osm_use_cockpit is undefined ) - -- name: Configure flannel - hosts: oo_first_master - vars: - etcd_urls: "{{ openshift.master.etcd_urls }}" - roles: - role: flannel_register when: openshift.common.use_flannel | bool + - role: pods + when: openshift.common.deployment_type == 'online' + - role: os_env_extras + when: openshift.common.deployment_type == 'online' -# Additional instance config for online deployments -- name: Additional instance config - hosts: oo_masters_deployment_type_online - roles: - - pods - - os_env_extras - name: Delete temporary directory on localhost hosts: localhost 
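Review bot: Folding the "Additional instance config" play into the `oo_first_master` play changes its target set: it previously ran the `pods` and `os_env_extras` roles on `oo_masters_deployment_type_online` (every online master), and now runs them on the first master only, with `when: openshift.common.deployment_type == 'online'`. If either role configures per-host state, the remaining masters in an online deployment stop receiving it after this commit; the hunk does not say whether that narrowing is intended. Add a comment above those two role entries stating the scope, e.g. `# online-only roles; intentionally applied on the first master only`, or keep them targeted at all online masters. The enclosing play starts before this hunk.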
@@ -405,27 +393,16 @@ - file: name={{ g_master_mktemp.stdout }} state=absent changed_when: False -- name: Create persistent volumes +- name: Create persistent volumes and create hosted services hosts: oo_first_master vars: + attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}" + deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}" persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}" persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}" - pre_tasks: - - set_fact: - nfs_host: "{{ groups.oo_nfs_to_config.0 }}" - registry_volume_path: "{{ hostvars[groups.oo_nfs_to_config.0].openshift.nfs.exports_dir + '/' + hostvars[groups.oo_nfs_to_config.0].openshift.nfs.registry_volume }}" - when: attach_registry_volume | bool roles: - role: openshift_persistent_volumes when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0 - -- name: Create hosted infrastructure services - hosts: oo_first_master - vars: - accounts: ["router", "registry"] - attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}" - deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}" - roles: - role: openshift_serviceaccounts openshift_serviceaccounts_names: - router @@ -437,3 +414,4 @@ when: deploy_infra | bool - role: openshift_registry when: deploy_infra | bool and attach_registry_volume | bool + diff --git a/roles/fluentd_master/meta/main.yml b/roles/fluentd_master/meta/main.yml new file mode 100644 index 000000000..148bc377e --- /dev/null +++ b/roles/fluentd_master/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift Red Hat + description: Fluentd Master + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9 + platforms: + - name: EL + versions: + - 7 + categories: + - monitoring + dependencies: + - openshift_facts 
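Review bot: In the new roles/fluentd_master/meta/main.yml the `dependencies:` key appears to sit under `galaxy_info` (its `+` lines carry the same leading indent as the other galaxy_info children, unlike the serviceaccounts meta earlier on this page, where `+dependencies:` starts at column 0). Ansible only honors a top-level `dependencies` list, so as written the `openshift_facts` dependency this commit is meant to declare would be ignored; the collapsed diff makes indentation hard to read, so verify, and if nested, move the two lines to column 0 as `dependencies:` / `- openshift_facts`.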
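Review bot: The merged play drops the pre_tasks that set `nfs_host` and `registry_volume_path`, yet nothing in this commit's diffstat touches the openshift_registry role's tasks; if that role still reads those names, the registry volume attach breaks silently whenever `attach_registry_volume` is true. Confirm the role now derives the NFS export path on its own, or keep the set_fact (with the `groups.oo_nfs_to_config` guard) in this play. The role itself is outside this diff, so this is an inference from the diffstat.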
diff --git a/roles/openshift_registry/README.md b/roles/openshift_registry/README.md index 8e66c483b..247272668 100644 --- a/roles/openshift_registry/README.md +++ b/roles/openshift_registry/README.md @@ -17,12 +17,6 @@ From this role: |--------------------|-------------------------------------------------------|---------------------| | | | | -From openshift_common: - -| Name | Default value | | -|-----------------------|---------------|--------------------------------------| -| openshift_debug_level | 2 | Global openshift debug log verbosity | - Dependencies ------------ diff --git a/roles/openshift_registry/meta/main.yml b/roles/openshift_registry/meta/main.yml index 93b6797d1..b220a020e 100644 --- a/roles/openshift_registry/meta/main.yml +++ b/roles/openshift_registry/meta/main.yml @@ -4,10 +4,12 @@ galaxy_info: description: OpenShift Embedded Docker Registry company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 1.9 platforms: - name: EL versions: - 7 categories: - cloud + dependencies: + - openshift_facts diff --git a/roles/openshift_router/README.md b/roles/openshift_router/README.md index 836efc443..d490e1038 100644 --- a/roles/openshift_router/README.md +++ b/roles/openshift_router/README.md @@ -16,11 +16,6 @@ From this role: |--------------------|-------------------------------------------------------|---------------------| | | | | -From openshift_common: -| Name | Default value | | -|-----------------------|---------------|--------------------------------------| -| openshift_debug_level | 2 | Global openshift debug log verbosity | - Dependencies ------------ diff --git a/roles/openshift_router/meta/main.yml b/roles/openshift_router/meta/main.yml index 0471e5e14..c2b0777b5 100644 --- a/roles/openshift_router/meta/main.yml +++ b/roles/openshift_router/meta/main.yml 
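Review bot: In roles/openshift_registry/meta/main.yml the added `dependencies:` appears indented under `galaxy_info`, like the other `+ ` lines of that mapping, rather than at column 0; Ansible ignores a nested `dependencies`, which would defeat the purpose of this commit for the registry role. Verify the indentation (it is hard to read in this collapsed diff) and, if nested, move `dependencies:` / `- openshift_facts` to the top level, matching the serviceaccounts meta added earlier on this page.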
@@ -4,10 +4,12 @@ galaxy_info: description: OpenShift Embedded Router company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 1.9 platforms: - name: EL versions: - 7 categories: - cloud + dependencies: + - openshift_facts -- cgit v1.2.3 From 9c9f0a1d138e8df7d415ee1752a1e8a1105240e5 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Mon, 8 Feb 2016 21:10:53 -0500 Subject: add missing connection:local --- playbooks/common/openshift-node/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index e07de0e99..01e637f7a 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -176,6 +176,7 @@ - name: Evaluate node groups hosts: localhost become: no + connection: local tasks: - name: Evaluate oo_containerized_master_nodes add_host: -- cgit v1.2.3 From 9a0dcd5dc1431ef21cb45b5abb3f55a28cc0ed93 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Wed, 10 Feb 2016 14:16:39 -0500 Subject: fix default value --- playbooks/common/openshift-master/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index aa1a8b34f..9bd6f73cf 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -397,7 +397,7 @@ hosts: oo_first_master vars: attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}" - deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}" + deploy_infra: "{{ openshift.master.infra_nodes | default([]) | length > 0 }}" persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}" persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}" roles: -- cgit v1.2.3
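Review bot: Same concern for roles/openshift_router/meta/main.yml as for the registry and fluentd_master metas: the added `dependencies:` appears to be a child of `galaxy_info` rather than a top-level key, in which case `openshift_facts` is never pulled in for the router role. If the indentation is as it appears here, move `dependencies:` / `- openshift_facts` to column 0.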