summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorAndrew Butcher <abutcher@redhat.com>2016-04-11 15:45:26 -0400
committerAndrew Butcher <abutcher@redhat.com>2016-04-11 15:45:26 -0400
commit4ac07696f3db92d1361290c3a0d7b7637d3d1994 (patch)
tree58ec00b29f982a9cd78b80bcf4aed1763a91bec3 /roles
parent1bc6b51585c23670fdc08a1df6a89d35cd0b8149 (diff)
downloadopenshift-4ac07696f3db92d1361290c3a0d7b7637d3d1994.tar.gz
openshift-4ac07696f3db92d1361290c3a0d7b7637d3d1994.tar.bz2
openshift-4ac07696f3db92d1361290c3a0d7b7637d3d1994.tar.xz
openshift-4ac07696f3db92d1361290c3a0d7b7637d3d1994.zip
Add support for creating secure router.
* Move openshift_router to openshift_hosted role which will eventually contain registry, metrics and logging. * Adds option for specifying an openshift_hosted_router_certificate cert and key pair. * Removes dependency on node label variables and retrieves the node list from the API s.t. this role can be applied to any cluster with existing nodes. I've added an openshift_hosted playbook that occurs after node install to account for this. * Infrastructure nodes are selected using openshift_hosted_router_selector which is based on deployment type by default; openshift-enterprise -> "region=infra" and online -> "type=infra".
Diffstat (limited to 'roles')
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py70
-rw-r--r--roles/openshift_hosted/README.md55
-rw-r--r--roles/openshift_hosted/handlers/main.yml (renamed from roles/openshift_router/handlers/main.yml)0
-rw-r--r--roles/openshift_hosted/meta/main.yml (renamed from roles/openshift_router/meta/main.yml)5
-rw-r--r--roles/openshift_hosted/tasks/main.yml3
-rw-r--r--roles/openshift_hosted/tasks/router.yml64
-rw-r--r--roles/openshift_hosted/vars/main.yml2
-rw-r--r--roles/openshift_router/README.md35
-rw-r--r--roles/openshift_router/tasks/main.yml10
-rw-r--r--roles/openshift_router/vars/main.yml4
10 files changed, 170 insertions, 78 deletions
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 32e608e86..92d650550 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -63,7 +63,16 @@ def migrate_local_facts(facts):
migrated_facts = copy.deepcopy(facts)
return migrate_docker_facts(migrated_facts)
-
+def migrate_hosted_facts(facts):
+ """ Apply migrations for master facts """
+ if 'master' in facts:
+ if 'router_selector' in facts['master']:
+ if 'hosted' not in facts:
+ facts['hosted'] = {}
+ if 'router' not in facts['hosted']:
+ facts['hosted']['router'] = {}
+ facts['hosted']['router']['selector'] = facts['master'].pop('router_selector')
+ return facts
def first_ip(network):
""" Return the first IPv4 address in network
@@ -394,7 +403,7 @@ def set_node_schedulability(facts):
facts['node']['schedulable'] = True
return facts
-def set_master_selectors(facts):
+def set_selectors(facts):
""" Set selectors facts if not already present in facts dict
Args:
facts (dict): existing facts
@@ -403,16 +412,21 @@ def set_master_selectors(facts):
facts if they were not already present
"""
+ deployment_type = facts['common']['deployment_type']
+ if deployment_type == 'online':
+ selector = "type=infra"
+ else:
+ selector = "region=infra"
+
+ if 'hosted' not in facts:
+ facts['hosted'] = {}
+ if 'router' not in facts['hosted']:
+ facts['hosted']['router'] = {}
+ if 'selector' not in facts['hosted']['router'] or facts['hosted']['router']['selector'] in [None, 'None']:
+ facts['hosted']['router']['selector'] = selector
+
if 'master' in facts:
if 'infra_nodes' in facts['master']:
- deployment_type = facts['common']['deployment_type']
- if deployment_type == 'online':
- selector = "type=infra"
- else:
- selector = "region=infra"
-
- if 'router_selector' not in facts['master']:
- facts['master']['router_selector'] = selector
if 'registry_selector' not in facts['master']:
facts['master']['registry_selector'] = selector
return facts
@@ -1479,7 +1493,7 @@ class OpenShiftFacts(object):
facts = set_flannel_facts_if_unset(facts)
facts = set_nuage_facts_if_unset(facts)
facts = set_node_schedulability(facts)
- facts = set_master_selectors(facts)
+ facts = set_selectors(facts)
facts = set_metrics_facts_if_unset(facts)
facts = set_identity_providers_if_unset(facts)
facts = set_sdn_facts_if_unset(facts, self.system_facts)
@@ -1573,23 +1587,25 @@ class OpenShiftFacts(object):
if 'cloudprovider' in roles:
defaults['cloudprovider'] = dict(kind=None)
- defaults['hosted'] = dict(
- registry=dict(
- storage=dict(
- kind=None,
- volume=dict(
- name='registry',
- size='5Gi'
- ),
- nfs=dict(
- directory='/exports',
- options='*(rw,root_squash)'),
- host=None,
- access_modes=['ReadWriteMany'],
- create_pv=True
- )
+ if 'hosted' in roles or self.role == 'hosted':
+ defaults['hosted'] = dict(
+ registry=dict(
+ storage=dict(
+ kind=None,
+ volume=dict(
+ name='registry',
+ size='5Gi'
+ ),
+ nfs=dict(
+ directory='/exports',
+ options='*(rw,root_squash)'),
+ host=None,
+ access_modes=['ReadWriteMany'],
+ create_pv=True
+ )
+ ),
+ router=dict()
)
- )
return defaults
diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md
new file mode 100644
index 000000000..633ec0937
--- /dev/null
+++ b/roles/openshift_hosted/README.md
@@ -0,0 +1,55 @@
+OpenShift Hosted
+================
+
+OpenShift Hosted Resources
+
+* OpenShift Router
+
+Requirements
+------------
+
+This role requires a running OpenShift cluster with nodes labeled to
+match the openshift_hosted_router_selector (default: region=infra).
+
+Role Variables
+--------------
+
+From this role:
+
+| Name | Default value | Description |
+|-------------------------------------|------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
+| openshift_hosted_router_certificate | None | Dictionary containing "certfile" and "keyfile" keys with values containing paths to local certificate files. |
+| openshift_hosted_router_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift router on. |
+| openshift_hosted_router_replicas | Number of nodes matching selector | The number of replicas to configure. |
+| openshift_hosted_router_selector | region=infra | Node selector used when creating router. The OpenShift router will only be deployed to nodes matching this selector. |
+
+Dependencies
+------------
+
+* openshift_common
+* openshift_hosted_facts
+
+Example Playbook
+----------------
+
+```
+- name: Create hosted resources
+ hosts: oo_first_master
+ roles:
+ - role: openshift_hosted
+ openshift_hosted_router_certificate:
+ certfile: /path/to/my-router.crt
+ keyfile: /path/to/my-router.key
+ openshift_hosted_router_registryurl: 'registry.access.redhat.com/openshift3/ose-haproxy-router:v3.0.2.0'
+ openshift_hosted_router_selector: 'type=infra'
+```
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Red Hat openshift@redhat.com
diff --git a/roles/openshift_router/handlers/main.yml b/roles/openshift_hosted/handlers/main.yml
index e69de29bb..e69de29bb 100644
--- a/roles/openshift_router/handlers/main.yml
+++ b/roles/openshift_hosted/handlers/main.yml
diff --git a/roles/openshift_router/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index c2b0777b5..75dfc24c3 100644
--- a/roles/openshift_router/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -11,5 +11,6 @@ galaxy_info:
- 7
categories:
- cloud
- dependencies:
- - openshift_facts
+dependencies:
+- openshift_common
+- openshift_hosted_facts
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
new file mode 100644
index 000000000..d42a4e365
--- /dev/null
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+
+- include: router.yml
diff --git a/roles/openshift_hosted/tasks/router.yml b/roles/openshift_hosted/tasks/router.yml
new file mode 100644
index 000000000..6a36f74b2
--- /dev/null
+++ b/roles/openshift_hosted/tasks/router.yml
@@ -0,0 +1,64 @@
+---
+- fail:
+ msg: "Both 'certfile' and 'keyfile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
+ when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate)
+
+- name: Read router certificate and key
+ slurp:
+ src: "{{ item }}"
+ register: openshift_router_certificate_output
+ with_items:
+ - "{{ openshift_hosted_router_certificate.certfile }}"
+ - "{{ openshift_hosted_router_certificate.keyfile }}"
+ delegate_to: localhost
+ when: openshift_hosted_router_certificate is defined
+
+- name: Persist certificate contents
+ openshift_facts:
+ role: hosted
+ openshift_env:
+ openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
+ when: openshift_hosted_router_certificate is defined
+
+- name: Create PEM certificate
+ copy:
+ content: "{{ openshift.hosted.router.certificate.contents }}"
+ dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
+ mode: 0600
+ when: openshift.hosted.router.certificate | default(None) != None
+
+- name: Retrieve list of openshift nodes
+ command: >
+ {{ openshift.common.client_binary }} --api-version='v1' -o json
+ get nodes -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ register: openshift_hosted_router_nodes_json
+ when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Collect nodes matching router selector
+ set_fact:
+ openshift_hosted_router_nodes: >
+ {{ (openshift_hosted_router_nodes_json.stdout|from_json)['items']
+ | oo_oc_nodes_matching_selector(openshift.hosted.router.selector) }}
+ when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Create OpenShift router
+ command: >
+ {{ openshift.common.admin_binary }} router --create
+ {% if openshift.hosted.router.replicas | default(None) != None -%}
+ --replicas={{ openshift.hosted.router.replicas }}
+ {% else -%}
+ --replicas={{ openshift_hosted_router_nodes | length }}
+ {% endif %}
+ {% if openshift.hosted.router.certificate | default(None) != None -%}
+ --default-cert={{ openshift_master_config_dir }}/openshift-router.pem
+ {% endif -%}
+ --namespace=default
+ --service-account=router
+ --selector='{{ openshift.hosted.router.selector }}'
+ --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig
+ {% if openshift.hosted.router.registryurl | default(None)!= None -%}
+ --images='{{ openshift.hosted.router.registryurl }}'
+ {% endif -%}
+ register: openshift_hosted_router_results
+ changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
+ when: openshift.hosted.router.replicas | default(None) != None or (openshift_hosted_router_nodes is defined and openshift_hosted_router_nodes | length > 0)
diff --git a/roles/openshift_hosted/vars/main.yml b/roles/openshift_hosted/vars/main.yml
new file mode 100644
index 000000000..9967e26f4
--- /dev/null
+++ b/roles/openshift_hosted/vars/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
diff --git a/roles/openshift_router/README.md b/roles/openshift_router/README.md
deleted file mode 100644
index d490e1038..000000000
--- a/roles/openshift_router/README.md
+++ /dev/null
@@ -1,35 +0,0 @@
-OpenShift Container Router
-==========================
-
-OpenShift Router service installation
-
-Requirements
-------------
-
-Running OpenShift cluster
-
-Role Variables
---------------
-
-From this role:
-| Name | Default value | |
-|--------------------|-------------------------------------------------------|---------------------|
-| | | |
-
-Dependencies
-------------
-
-Example Playbook
-----------------
-
-TODO
-
-License
--------
-
-Apache License, Version 2.0
-
-Author Information
-------------------
-
-Red Hat openshift@redhat.com
diff --git a/roles/openshift_router/tasks/main.yml b/roles/openshift_router/tasks/main.yml
deleted file mode 100644
index 40365d04d..000000000
--- a/roles/openshift_router/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: Deploy OpenShift Router
- command: >
- {{ openshift.common.admin_binary }} router
- --create --replicas={{ openshift.master.infra_nodes | length }}
- --namespace=default
- --service-account=router {{ ortr_selector }}
- --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig {{ ortr_images }}
- register: ortr_results
- changed_when: "'service exists' not in ortr_results.stdout"
diff --git a/roles/openshift_router/vars/main.yml b/roles/openshift_router/vars/main.yml
deleted file mode 100644
index bcac12068..000000000
--- a/roles/openshift_router/vars/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-ortr_images: "--images='{{ openshift.master.registry_url }}'"
-ortr_selector: "--selector='{{ openshift.master.router_selector }}'"