68 files changed, 464 insertions, 466 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index bfc9e0962..d176e08c5 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.0.39-1 ./
+3.0.40-1 ./
diff --git a/Vagrantfile b/Vagrantfile
index 362e1ff48..a38378289 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -30,7 +30,9 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 libvirt.memory = 1024
 libvirt.driver = 'kvm'
 case deployment_type
- when "enterprise"
+ when "openshift-enterprise"
+ override.vm.box = "rhel-7"
+ when "atomic-enterprise"
 override.vm.box = "rhel-7"
 when "origin"
 override.vm.box = "centos/7"
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index 450101785..dcda14c63 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
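Review bot: The Vagrantfile hunk drops the old `"enterprise"` arm while the playbooks touched in this same commit still accept `'enterprise'` next to the two new names, so a `deployment_type=enterprise` Vagrant run now matches no arm and silently gets no box. The two new arms also assign the same box and can be one arm: `when "enterprise", "openshift-enterprise", "atomic-enterprise"` followed by the single `override.vm.box = "rhel-7"` line. If retiring `enterprise` here is intentional, an `else raise "unknown deployment_type: #{deployment_type}"` arm would fail loudly instead of leaving the VM unconfigured.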
@@ -670,6 +670,33 @@ class FilterModule(object):
 return rpms_31
+ @staticmethod
+ def oo_pods_match_component(pods, deployment_type, component):
+ """ Filters a list of Pods and returns the ones matching the deployment_type and component
+ """
+ if not isinstance(pods, list):
+ raise errors.AnsibleFilterError("failed expects to filter on a list")
+ if not isinstance(deployment_type, basestring):
+ raise errors.AnsibleFilterError("failed expects deployment_type to be a string")
+ if not isinstance(component, basestring):
+ raise errors.AnsibleFilterError("failed expects component to be a string")
+
+ image_prefix = 'openshift/origin-'
+ if deployment_type in ['enterprise', 'online', 'openshift-enterprise']:
+ image_prefix = 'openshift3/ose-'
+ elif deployment_type == 'atomic-enterprise':
+ image_prefix = 'aep3_beta/aep-'
+
+ matching_pods = []
+ image_regex = image_prefix + component + r'.*'
+ for pod in pods:
+ for container in pod['spec']['containers']:
+ if re.search(image_regex, container['image']):
+ matching_pods.append(pod)
+ break # stop here, don't add a pod more than once
+
+ return matching_pods
+
 def filters(self):
 """ returns a mapping of filters to methods """
 return {
@@ -696,4 +723,5 @@ class FilterModule(object):
 "oo_persistent_volumes": self.oo_persistent_volumes,
 "oo_persistent_volume_claims": self.oo_persistent_volume_claims,
 "oo_31_rpm_rename_conversion": self.oo_31_rpm_rename_conversion,
+ "oo_pods_match_component": self.oo_pods_match_component,
 }
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index 35a881a85..c41367f05 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
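Review bot: `oo_pods_match_component` matches container images with an unanchored, unescaped `re.search`, so any image whose name merely contains `openshift/origin-haproxy-router` somewhere in its path is treated as a router, the `.` in `aep3_beta/aep-` acts as a wildcard, and the trailing `r'.*'` adds nothing to a search. The callers added in this commit feed it pods gathered from every namespace and then patch deployment configs named by those pods' labels, so a tighter match matters: `image_regex = r'(?:^|/)' + re.escape(image_prefix + component) + r'(?:[:@]|$)'`, which still accepts a registry prefix and a tag or digest but not an arbitrary longer name (assuming router images are never suffixed further). `pod['spec']['containers']` also raises `KeyError` on a pod object without a spec; `pod.get('spec', {}).get('containers', [])` keeps one malformed entry from aborting the play. This assumes `re` is already imported at the top of the file, which is outside the hunk.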
@@ -53,7 +53,20 @@ class IdentityProviderBase(object):
 self.challenge = ansible_bool(self._idp.pop('challenge', False))
 self.provider = dict(apiVersion=api_version, kind=self._idp.pop('kind'))
- self._required = [['mappingMethod', 'mapping_method']]
+ mm_keys = ('mappingMethod', 'mapping_method')
+ mapping_method = None
+ for key in mm_keys:
+ if key in self._idp:
+ mapping_method = self._idp[key]
+ if mapping_method is None:
+ mapping_method = self.get_default('mappingMethod')
+ self.mapping_method = mapping_method
+
+ valid_mapping_methods = ['add', 'claim', 'generate', 'lookup']
+ if self.mapping_method not in valid_mapping_methods:
+ raise errors.AnsibleFilterError("|failed unkown mapping method "
+ "for provider {0}".format(self.__class__.__name__))
+ self._required = []
 self._optional = []
 self._allow_additional = True
@@ -75,10 +88,7 @@ class IdentityProviderBase(object):
 def validate(self):
 ''' validate an instance of this idp class '''
- valid_mapping_methods = ['add', 'claim', 'generate', 'lookup']
- if self.provider['mappingMethod'] not in valid_mapping_methods:
- raise errors.AnsibleFilterError("|failed unkown mapping method "
- "for provider {0}".format(self.__class__.__name__))
+ pass
 @staticmethod
 def get_default(key):
@@ -121,7 +131,8 @@ class IdentityProviderBase(object):
 def to_dict(self):
 ''' translate this idp to a dictionary '''
 return dict(name=self.name, challenge=self.challenge,
- login=self.login, provider=self.provider)
+ login=self.login, mappingMethod=self.mapping_method,
+ provider=self.provider)
 class LDAPPasswordIdentityProvider(IdentityProviderBase):
@@ -436,7 +447,9 @@ class GitHubIdentityProvider(IdentityProviderOauthBase):
 Raises: AnsibleFilterError: """
- pass
+ def __init__(self, api_version, idp):
+ IdentityProviderOauthBase.__init__(self, api_version, idp)
+ self._optional += [['organizations']]
 class FilterModule(object):
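Review bot: The new loop over `mm_keys` reads the mapping method without removing it from `self._idp`, unlike `challenge` and `kind` two lines above which are `pop`ped, so whichever spelling the inventory used stays in `_idp`; if the leftover keys are later checked against `_required`/`_optional` or copied into `provider` (that code is outside the hunk), the key is either reported as unknown or emitted twice. Consuming it the same way keeps the dict consistent: `mapping_method = self._idp.pop(key)`. When both `mappingMethod` and `mapping_method` are present the second one silently wins; a `break` after the assignment, or an explicit `AnsibleFilterError`, would make that deterministic. The moved message still reads `unkown`; since the line is being rewritten anyway, `unknown` is the cheap moment to fix it.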
diff --git a/inventory/byo/hosts.aep.example b/inventory/byo/hosts.aep.example index 7f4a1a9d2..a2e1708d4 100644 --- a/inventory/byo/hosts.aep.example +++ b/inventory/byo/hosts.aep.example @@ -89,17 +89,14 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #osm_mcs_labels_per_project=5 #osm_uid_allocator_range='1000000000-1999999999/10000' -# Configure Fluentd -#use_fluentd=true - # Enable cockpit #osm_use_cockpit=true # # Set cockpit plugins #osm_cockpit_plugins=['cockpit-kubernetes'] -# Native high availbility cluster method with optional load balancer. -# If no lb group is defined installer assumes that a load balancer has +# Native high availability cluster method with optional load balancer. +# If no lb group is defined, the installer assumes that a load balancer has # been preconfigured. For installation the value of # openshift_master_cluster_hostname must resolve to the load balancer # or to one or all of the masters defined in the inventory if no load @@ -142,7 +139,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # default storage plugin dependencies to install, by default the ceph and # glusterfs plugin dependencies will be installed, if available. -#osn_storage_plugin_deps=['ceph','glusterfs'] +#osn_storage_plugin_deps=['ceph','glusterfs','iscsi'] # default selectors for router and registry services # openshift_router_selector='region=infra' @@ -247,7 +244,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # openshift-ansible will wait indefinitely for your input when it detects that the # value of openshift_hostname resolves to an IP address not bound to any local # interfaces. This mis-configuration is problematic for any pod leveraging host -# networking and liveness or readiness probes. +# networking and liveness or readiness probes. # Setting this variable to true will override that check. #openshift_override_hostname_check=true 
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index aae987796..de1d0f88b 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -94,17 +94,14 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #osm_mcs_labels_per_project=5 #osm_uid_allocator_range='1000000000-1999999999/10000' -# Configure Fluentd -#use_fluentd=true - # Enable cockpit #osm_use_cockpit=true # # Set cockpit plugins #osm_cockpit_plugins=['cockpit-kubernetes'] -# Native high availbility cluster method with optional load balancer. -# If no lb group is defined installer assumes that a load balancer has +# Native high availability cluster method with optional load balancer. +# If no lb group is defined, the installer assumes that a load balancer has # been preconfigured. For installation the value of # openshift_master_cluster_hostname must resolve to the load balancer # or to one or all of the masters defined in the inventory if no load @@ -147,7 +144,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # default storage plugin dependencies to install, by default the ceph and # glusterfs plugin dependencies will be installed, if available. -#osn_storage_plugin_deps=['ceph','glusterfs'] +#osn_storage_plugin_deps=['ceph','glusterfs','iscsi'] # default selectors for router and registry services # openshift_router_selector='region=infra' @@ -252,7 +249,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # openshift-ansible will wait indefinitely for your input when it detects that the # value of openshift_hostname resolves to an IP address not bound to any local # interfaces. This mis-configuration is problematic for any pod leveraging host -# networking and liveness or readiness probes. +# networking and liveness or readiness probes. # Setting this variable to true will override that check. #openshift_override_hostname_check=true 
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index f017f9a6e..c80be574f 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -89,17 +89,14 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', #osm_mcs_labels_per_project=5 #osm_uid_allocator_range='1000000000-1999999999/10000' -# Configure Fluentd -#use_fluentd=true - # Enable cockpit #osm_use_cockpit=true # # Set cockpit plugins #osm_cockpit_plugins=['cockpit-kubernetes'] -# Native high availbility cluster method with optional load balancer. -# If no lb group is defined installer assumes that a load balancer has +# Native high availability cluster method with optional load balancer. +# If no lb group is defined, the installer assumes that a load balancer has # been preconfigured. For installation the value of # openshift_master_cluster_hostname must resolve to the load balancer # or to one or all of the masters defined in the inventory if no load @@ -247,7 +244,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # openshift-ansible will wait indefinitely for your input when it detects that the # value of openshift_hostname resolves to an IP address not bound to any local # interfaces. This mis-configuration is problematic for any pod leveraging host -# networking and liveness or readiness probes. +# networking and liveness or readiness probes. # Setting this variable to true will override that check. #openshift_override_hostname_check=true diff --git a/openshift-ansible.spec b/openshift-ansible.spec index b6efaafdb..7c7fb399c 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -5,7 +5,7 @@ } Name: openshift-ansible -Version: 3.0.39 +Version: 3.0.40 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 
@@ -259,6 +259,40 @@ Atomic OpenShift Utilities includes %changelog +* Thu Feb 11 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.40-1 +- Bug 1306665 - [metrics] update metrics-deployer template to use latest image + versions (bleanhar@redhat.com) +- Add organizations attribute to github identity provider (jdetiber@redhat.com) +- use correct dict key (jdiaz@redhat.com) +- handle being passed an empty group list (jdiaz@redhat.com) +- fix default value (jdetiber@redhat.com) +- removed notscheduleable trigger, it just makes noise in its current + incarnation (sten@redhat.com) +- trigger on two successive bad pid counts (jdiaz@redhat.com) +- added nodes not ready and nodes not schedulable triggers (sten@redhat.com) +- Enable selection of kubeproxy mode (vishal.patil@nuagenetworks.net) +- add default storage plugins to 'origin' deployment_type + (rvanveelen@tremorvideo.com) +- added nodes not ready and nodes not schedulable triggers (sten@redhat.com) +- Don't mask master service on atomic. (abutcher@redhat.com) +- update defaults and examples w/ iscsi plugin (rvanveelen@tremorvideo.com) +- add iscsi storage_plugin dependency (rvanveelen@tremorvideo.com) +- Add gte check for 3.2, update version checks to gte (jdetiber@redhat.com) +- Specify default namespace when creating router (pat2man@gmail.com) +- add missing connection:local (jdetiber@redhat.com) +- consolidate oo_first_master post-config a bit, fix some roles that use + openshift_facts without declaring a dependency (jdetiber@redhat.com) +- openshift_serviceaccounts updates (jdetiber@redhat.com) +- Fix infra_node deployment (jdetiber@redhat.com) +- changed registry checks to alert based on number of registries with problems + (sten@redhat.com) +- Fix a bug with existing CNAME records (rharriso@redhat.com) +- Fix HA typo in example AEP/OSE/Origin inventories (adellape@redhat.com) +- Updated the key for app create (kwoodson@redhat.com) +- Add missing atomic- and openshift-enterprise (pep@redhat.com) +- Fix enabling 
iptables for latest rhel versions (jdetiber@redhat.com) +- Make pod_eviction_timeout configurable from cli (jawed.khelil@amadeus.com) + * Tue Feb 09 2016 Brenton Leanhardt <bleanhar@redhat.com> 3.0.39-1 - Bug 1304150 - Can't upgrade atomic-openshift to specified version (bleanhar@redhat.com) diff --git a/playbooks/adhoc/bootstrap-fedora.yml b/playbooks/adhoc/bootstrap-fedora.yml index 0df77e309..471c41f16 100644 --- a/playbooks/adhoc/bootstrap-fedora.yml +++ b/playbooks/adhoc/bootstrap-fedora.yml @@ -1,5 +1,4 @@ - hosts: OSEv3 - gather_facts: false tasks: - name: install python and deps for ansible modules raw: dnf install -y python2 python2-dnf libselinux-python libsemanage-python diff --git a/playbooks/aws/openshift-cluster/terminate.yml b/playbooks/aws/openshift-cluster/terminate.yml index c20f370bf..6dd5d8b62 100644 --- a/playbooks/aws/openshift-cluster/terminate.yml +++ b/playbooks/aws/openshift-cluster/terminate.yml @@ -18,7 +18,7 @@ hosts: oo_hosts_to_terminate roles: - role: rhel_unsubscribe - when: deployment_type == "enterprise" and + when: deployment_type in ['atomic-enterprise', 'enterprise', 'openshift-enterprise'] and ansible_distribution == "RedHat" and lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false'] diff --git a/playbooks/byo/rhel_subscribe.yml b/playbooks/byo/rhel_subscribe.yml index f564905ea..990ddd2f2 100644 --- a/playbooks/byo/rhel_subscribe.yml +++ b/playbooks/byo/rhel_subscribe.yml @@ -4,7 +4,7 @@ openshift_deployment_type: "{{ deployment_type }}" roles: - role: rhel_subscribe - when: deployment_type == "enterprise" and + when: deployment_type in ['atomic-enterprise', 'enterprise', 'openshift-enterprise'] and ansible_distribution == "RedHat" and lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false'] 
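Review bot: Removing `gather_facts: false` from bootstrap-fedora.yml makes Ansible run the setup module before the `raw: dnf install -y python2 ...` task, yet that task exists precisely because the target may have no Python, and fact gathering needs Python on the host. On a fresh image the play would now fail at fact gathering before it ever reaches the raw install, unless the image already ships python2 (not something this diff shows). If facts are needed by later tasks in this play, keep `gather_facts: false` and add an explicit `- setup:` task after the raw install.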
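Review bot: The list `['atomic-enterprise', 'enterprise', 'openshift-enterprise']` in this `when:` is copied verbatim into five files by this commit (the aws/gce/libvirt/openstack terminate.yml plays and byo/rhel_subscribe.yml), so the next deployment-type rename has to touch all of them again. A single shared definition, e.g. an `rhel_subscription_deployment_types` list in the common vars, with `when: deployment_type in rhel_subscription_deployment_types and ...` would keep them from drifting. A one-line comment above the `when:` naming why these three types need RHEL subscription handling would also help readers who only open this file.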
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml index 55c36810f..049ac997c 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml @@ -74,6 +74,11 @@ - set_fact: g_new_version: "{{ g_aos_versions.curr_version.split('-', 1).0 if g_aos_versions.avail_version is none else g_aos_versions.avail_version.split('-', 1).0 }}" + when: openshift_pkg_version is not defined + + - set_fact: + g_new_version: "{{ openshift_pkg_version | replace('-','') }}" + when: openshift_pkg_version is defined - fail: msg: This playbook requires Origin 1.0.6 or later @@ -258,7 +263,7 @@ openshift_master_certs_no_etcd: - admin.crt - master.kubelet-client.crt - - "{{ 'master.proxy-client.crt' if openshift.common.version_greater_than_3_1_or_1_1 else omit }}" + - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" - master.server.crt - openshift-master.crt - openshift-registry.crt @@ -496,6 +501,7 @@ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings --exclude-groups=system:authenticated + --exclude-groups=system:authenticated:oauth --exclude-groups=system:unauthenticated --exclude-users=system:anonymous --additive-only=true --confirm 
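Review bot: `g_new_version: "{{ openshift_pkg_version | replace('-','') }}"` strips every dash, not just the leading one that openshift-ansible's `openshift_pkg_version` convention carries (`-3.1.1.6`, as far as I know it); a value that also names a release, such as `-3.1.1.6-1.el7`, collapses into `3.1.1.61.el7`, whereas the sibling `set_fact` just above keeps only the part before the first dash via `.split('-', 1).0`. Matching that logic keeps the two facts comparable: `g_new_version: "{{ (openshift_pkg_version | regex_replace('^-', '')).split('-', 1).0 }}"`. The fact is compared against installed versions by tasks outside this hunk, so please check those still agree.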
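Review bot: The added `--exclude-groups=system:authenticated:oauth` changes which cluster role bindings the upgrade reconciles, and nothing in the play records why that group joins `system:authenticated` and `system:unauthenticated` in the exclusion list. A comment above the `reconcile-cluster-role-bindings` command would save the next reader from guessing, e.g. `# Bindings of the built-in virtual groups are left alone so cluster-admin customisations survive the upgrade; system:authenticated:oauth is the group for OAuth-token users` (adjust if that is not the actual reason). The same flag is added to the v3_1_minor upgrade in this commit; keep the comment in both places.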
@@ -567,46 +573,55 @@ - role: openshift_examples openshift_examples_import_command: replace pre_tasks: - - name: Check for default router + - name: Collect all routers command: > - {{ oc_cmd }} get -n default dc/router - register: _default_router + {{ oc_cmd }} get pods --all-namespaces -l 'router' -o json + register: all_routers failed_when: false changed_when: false + - set_fact: haproxy_routers="{{ (all_routers.stdout | from_json)['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}" + when: all_routers.rc == 0 + + - set_fact: haproxy_routers=[] + when: all_routers.rc != 0 + - name: Check for allowHostNetwork and allowHostPorts - when: _default_router.rc == 0 + when: all_routers.rc == 0 shell: > {{ oc_cmd }} get -o yaml scc/privileged | /usr/bin/grep -e allowHostPorts -e allowHostNetwork register: _scc - name: Grant allowHostNetwork and allowHostPorts when: - - _default_router.rc == 0 + - all_routers.rc == 0 - "'false' in _scc.stdout" command: > {{ oc_cmd }} patch scc/privileged -p '{"allowHostPorts":true,"allowHostNetwork":true}' --api-version=v1 - name: Update deployment config to 1.0.4/3.0.1 spec - when: _default_router.rc == 0 + when: all_routers.rc == 0 command: > - {{ oc_cmd }} patch dc/router -p + {{ oc_cmd }} patch dc/{{ item['labels']['deploymentconfig'] }} -p '{"spec":{"strategy":{"rollingParams":{"updatePercent":-10},"spec":{"serviceAccount":"router","serviceAccountName":"router"}}}}' --api-version=v1 + with_items: haproxy_routers - name: Switch to hostNetwork=true - when: _default_router.rc == 0 + when: all_routers.rc == 0 command: > - {{ oc_cmd }} patch dc/router -p '{"spec":{"template":{"spec":{"hostNetwork":true}}}}' + {{ oc_cmd }} patch dc/{{ item['labels']['deploymentconfig'] }} -p '{"spec":{"template":{"spec":{"hostNetwork":true}}}}' --api-version=v1 + with_items: haproxy_routers - name: Update router image to current version - when: _default_router.rc == 0 + when: 
all_routers.rc == 0 command: > - {{ oc_cmd }} patch dc/router -p + {{ oc_cmd }} patch dc/{{ item['labels']['deploymentconfig'] }} -p '{"spec":{"template":{"spec":{"containers":[{"name":"router","image":"{{ router_image }}"}]}}}}' --api-version=v1 + with_items: haproxy_routers - name: Check for default registry command: > diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/post.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/post.yml index d8336fcae..d7a2ac405 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/post.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/post.yml @@ -20,13 +20,27 @@ - role: openshift_examples openshift_examples_import_command: replace pre_tasks: - - name: Check for default router + - name: Collect all routers command: > - {{ oc_cmd }} get -n default dc/router - register: _default_router + {{ oc_cmd }} get pods --all-namespaces -l 'router' -o json + register: all_routers failed_when: false changed_when: false + - set_fact: haproxy_routers="{{ (all_routers.stdout | from_json)['items'] | oo_pods_match_component(openshift_deployment_type, 'haproxy-router') | oo_select_keys_from_list(['metadata']) }}" + when: all_routers.rc == 0 + + - set_fact: haproxy_routers=[] + when: all_routers.rc != 0 + + - name: Update router image to current version + when: all_routers.rc == 0 + command: > + {{ oc_cmd }} patch dc/{{ item['labels']['deploymentconfig'] }} -p + '{"spec":{"template":{"spec":{"containers":[{"name":"router","image":"{{ router_image }}"}]}}}}' + --api-version=v1 + with_items: haproxy_routers + - name: Check for default registry command: > {{ oc_cmd }} get -n default dc/docker-registry 
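Review bot: The `Grant allowHostNetwork and allowHostPorts` patch on `scc/privileged` is still gated only on `all_routers.rc == 0`, but that now means just that `oc get pods --all-namespaces -l router` succeeded, which it does even when no router exists; the privileged SCC is therefore loosened on every cluster, whereas before it happened only when `dc/router` was present. Gate both SCC tasks on the filtered result instead: `when: - all_routers.rc == 0 - haproxy_routers | length > 0 - "'false' in _scc.stdout"`. The three `oc patch dc/{{ item['labels']['deploymentconfig'] }}` tasks also lose namespace information: pods come from all namespaces but the patch runs without `-n`, so a router outside the current context's project is not found or, worse, a same-named DC there is switched to `hostNetwork: true` with the router service account; add `-n {{ item['namespace'] }}` to each command. Since `-l router` selects by a label any project member can set, and the image match in the new filter is loose, a comment at `Collect all routers` noting that the result is trusted to name DCs is worth adding. The enclosing play continues past the end of this hunk.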
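Review bot: `oc patch dc/{{ item['labels']['deploymentconfig'] }}` in post.yml runs without a namespace even though the pods were collected with `--all-namespaces`, so a router deployed in a non-default project is patched in the wrong project (or a same-named DC there is); `-n {{ item['namespace'] }}` on the command fixes that. `item['labels']['deploymentconfig']` is also an undefined-key error for any pod carrying the `router` label but not the `deploymentconfig` label, which aborts the whole post-upgrade play; `when: all_routers.rc == 0 and item['labels']['deploymentconfig'] is defined` skips such pods instead. A short comment at `Collect all routers` saying the label selector is deliberately cluster-wide would help, since the previous task only looked at `dc/router` in `default`.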
@@ -34,13 +48,6 @@ failed_when: false changed_when: false - - name: Update router image to current version - when: _default_router.rc == 0 - command: > - {{ oc_cmd }} patch dc/router -p - '{"spec":{"template":{"spec":{"containers":[{"name":"router","image":"{{ router_image }}"}]}}}}' - --api-version=v1 - - name: Update registry image to current version when: _default_registry.rc == 0 command: > diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/pre.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/pre.yml index 91780de09..12b9c84d3 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/pre.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/pre.yml @@ -41,7 +41,7 @@ g_new_service_name: "{{ 'origin' if deployment_type =='origin' else 'atomic-openshift' }}" - name: Determine available versions - script: ../files/versions.sh {{ g_new_service_name }} openshift + script: ../files/versions.sh {{ g_new_service_name }} register: g_versions_result - set_fact: diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml index 81dbba1e3..dbf746f12 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml @@ -109,6 +109,7 @@ {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig policy reconcile-cluster-role-bindings --exclude-groups=system:authenticated + --exclude-groups=system:authenticated:oauth --exclude-groups=system:unauthenticated --exclude-users=system:anonymous --additive-only=true --confirm diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 3d646be64..77edbd1a6 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
@@ -18,6 +18,10 @@ - .config_managed - set_fact: + openshift_master_pod_eviction_timeout: "{{ lookup('oo_option', 'openshift_master_pod_eviction_timeout') | default(none, true) }}" + when: openshift_master_pod_eviction_timeout is not defined + + - set_fact: openshift_master_etcd_port: "{{ (etcd_client_port | default('2379')) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else none }}" openshift_master_etcd_hosts: "{{ hostvars | oo_select_keys(groups['oo_etcd_to_config'] @@ -146,7 +150,7 @@ openshift_master_certs_no_etcd: - admin.crt - master.kubelet-client.crt - - "{{ 'master.proxy-client.crt' if openshift.common.version_greater_than_3_1_or_1_1 else omit }}" + - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}" - master.server.crt - openshift-master.crt - openshift-registry.crt @@ -170,10 +174,10 @@ master_cert_subdir: master-{{ openshift.common.hostname }} master_cert_config_dir: "{{ openshift.common.config_base }}/master" - set_fact: - openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['nodes']) + openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']) | oo_nodes_with_label('region', 'infra') | oo_collect('inventory_hostname') }}" - when: openshift_infra_nodes is not defined + when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0 - name: Configure master certificates hosts: oo_first_master @@ -348,8 +352,6 @@ roles: - openshift_master - role: nickhammond.logrotate - - role: fluentd_master - when: openshift.common.use_fluentd | bool - role: nuage_master when: openshift.common.use_nuage | bool post_tasks: 
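Review bot: Dropping the `fluentd_master` role from the master play (and `fluentd_node` from the node play in this commit) means an inventory that still sets `use_fluentd=true` is now silently ignored; the example inventories merely delete the commented option. A loud failure would keep operators from believing logging is still being installed, e.g. a pre-task in the first play of this file: `- fail: msg="use_fluentd is no longer supported by this playbook" when: openshift.common.use_fluentd | default(false) | bool`. If `openshift_facts` no longer exposes `use_fluentd` at all (outside this diff), test the raw inventory variable instead. The play this role was removed from starts outside the hunk.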
@@ -360,6 +362,8 @@ - name: Additional master configuration hosts: oo_first_master vars: + cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}" + etcd_urls: "{{ openshift.master.etcd_urls }}" openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" omc_cluster_hosts: "{{ groups.oo_masters_to_config | join(' ')}}" roles: @@ -371,30 +375,16 @@ when: openshift.common.use_cluster_metrics | bool - role: openshift_manageiq when: openshift.common.use_manageiq | bool - -- name: Enable cockpit - hosts: oo_first_master - vars: - cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}" - roles: - role: cockpit when: not openshift.common.is_atomic and ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and (osm_use_cockpit | bool or osm_use_cockpit is undefined ) - -- name: Configure flannel - hosts: oo_first_master - vars: - etcd_urls: "{{ openshift.master.etcd_urls }}" - roles: - role: flannel_register when: openshift.common.use_flannel | bool + - role: pods + when: openshift.common.deployment_type == 'online' + - role: os_env_extras + when: openshift.common.deployment_type == 'online' -# Additional instance config for online deployments -- name: Additional instance config - hosts: oo_masters_deployment_type_online - roles: - - pods - - os_env_extras - name: Delete temporary directory on localhost hosts: localhost 
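Review bot: The `pods` and `os_env_extras` roles were previously applied to every host in `oo_masters_deployment_type_online`, and after this hunk they run only on `oo_first_master` (this play's `hosts:`), so in a multi-master online deployment the other masters no longer receive whatever per-host configuration those roles perform. If that is intended, a comment at the two new `when: openshift.common.deployment_type == 'online'` lines saying the roles are cluster-level and need one master only would stop the next reader from reverting it; if not, the roles belong in the `oo_masters_to_config` play. Hoisting `etcd_urls` and `cockpit_plugins` to play-level vars is harmless but now exposes them to every role in the play, which a one-line note would make explicit.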
@@ -405,22 +395,25 @@ - file: name={{ g_master_mktemp.stdout }} state=absent changed_when: False -- name: Configure service accounts - hosts: oo_first_master - vars: - accounts: ["router", "registry"] - roles: - - openshift_serviceaccounts - -- name: Create persistent volumes and services +- name: Create persistent volumes and create hosted services hosts: oo_first_master vars: + attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}" + deploy_infra: "{{ openshift.master.infra_nodes | default([]) | length > 0 }}" persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}" persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}" roles: - role: openshift_persistent_volumes when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0 + - role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + - registry + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - privileged - role: openshift_router - when: openshift.master.infra_nodes is defined + when: deploy_infra | bool - role: openshift_registry - when: openshift.master.infra_nodes is defined and openshift.hosted.registry.storage.kind != None + when: deploy_infra | bool and attach_registry_volume | bool + diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index e07de0e99..56d30e9b9 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -176,6 +176,7 @@ - name: Evaluate node groups hosts: localhost become: no + connection: local tasks: - name: Evaluate oo_containerized_master_nodes add_host: 
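Review bot: The new `openshift_serviceaccounts` invocation adds both the `router` and the `registry` service accounts to the `privileged` SCC, but only the router needs host networking and host ports (the upgrade playbooks in this commit patch `scc/privileged` for exactly that), while the registry, as far as these plays show, only needs its volume. Granting `privileged` to `registry` is a least-privilege regression unless the registry role depends on it; if it does not, call the role twice so only `router` gets `openshift_serviceaccounts_sccs: [privileged]` and `registry` gets none. A why-comment at `openshift_serviceaccounts_sccs` recording which workload needs it would help, since the replaced `Configure service accounts` play carried no SCC at all.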
@@ -216,8 +217,6 @@ - role: nuage_node when: openshift.common.use_nuage | bool - role: nickhammond.logrotate - - role: fluentd_node - when: openshift.common.use_fluentd | bool tasks: - name: Create group for deployment type group_by: key=oo_nodes_deployment_type_{{ openshift.common.deployment_type }} diff --git a/playbooks/gce/openshift-cluster/terminate.yml b/playbooks/gce/openshift-cluster/terminate.yml index 94b4ab14b..d835c53ba 100644 --- a/playbooks/gce/openshift-cluster/terminate.yml +++ b/playbooks/gce/openshift-cluster/terminate.yml @@ -20,7 +20,7 @@ - vars.yml roles: - role: rhel_unsubscribe - when: deployment_type == "enterprise" and + when: deployment_type in ['atomic-enterprise', 'enterprise', 'openshift-enterprise'] and ansible_distribution == "RedHat" and lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false'] diff --git a/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml b/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml index ebe9f0ad9..b00352539 100644 --- a/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml +++ b/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml @@ -94,6 +94,16 @@ - set_fact: ips: "{{ scratch_ip.results | default([]) | oo_collect('stdout') }}" +- set_fact: + node_label: + type: "{{ g_sub_host_type }}" + when: instances | length > 0 and type == "node" + +- set_fact: + node_label: + type: "{{ type }}" + when: instances | length > 0 and type != "node" + - name: Add new instances add_host: hostname: '{{ item.0 }}' @@ -101,6 +111,7 @@ ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}" ansible_sudo: "{{ deployment_vars[deployment_type].sudo }}" groups: "tag_environment-{{ cluster_env }}, tag_host-type-{{ type }}, tag_sub-host-type-{{ g_sub_host_type }}, tag_clusterid-{{ cluster_id }}" + openshift_node_labels: "{{ node_label }}" with_together: - instances - ips 
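Review bot: The two `set_fact` tasks for `node_label` in launch_instances.yml differ only in which variable feeds `type:` and can be a single task: `node_label: type: "{{ g_sub_host_type if type == 'node' else type }}"` with `when: instances | length > 0`. A comment explaining that nodes are labelled by sub-type (compute/infra) while masters and etcd hosts carry their host type would make the asymmetry obvious. The `add_host` that consumes `node_label` is the following hunk.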
diff --git a/playbooks/libvirt/openshift-cluster/templates/user-data b/playbooks/libvirt/openshift-cluster/templates/user-data index e0c966e45..ead881f78 100644 --- a/playbooks/libvirt/openshift-cluster/templates/user-data +++ b/playbooks/libvirt/openshift-cluster/templates/user-data @@ -3,7 +3,6 @@ disable_root: true hostname: {{ item[0] }} fqdn: {{ item[0] }}.example.com -manage_etc_hosts: true users: - default diff --git a/playbooks/libvirt/openshift-cluster/terminate.yml b/playbooks/libvirt/openshift-cluster/terminate.yml index 8d845c8f2..f4749c28d 100644 --- a/playbooks/libvirt/openshift-cluster/terminate.yml +++ b/playbooks/libvirt/openshift-cluster/terminate.yml @@ -23,7 +23,7 @@ - vars.yml roles: - role: rhel_unsubscribe - when: deployment_type == "enterprise" and + when: deployment_type in ['atomic-enterprise', 'enterprise', 'openshift-enterprise'] and ansible_distribution == "RedHat" and lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false'] diff --git a/playbooks/openstack/openshift-cluster/launch.yml b/playbooks/openstack/openshift-cluster/launch.yml index 2187cefed..e9b9cf540 100644 --- a/playbooks/openstack/openshift-cluster/launch.yml +++ b/playbooks/openstack/openshift-cluster/launch.yml @@ -75,6 +75,8 @@ ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}" ansible_sudo: "{{ deployment_vars[deployment_type].sudo }}" groups: 'tag_environment_{{ cluster_env }}, tag_host-type_etcd, tag_sub-host-type_default, tag_clusterid_{{ cluster_id }}' + openshift_node_labels: + type: "etcd" with_together: - parsed_outputs.etcd_names - parsed_outputs.etcd_ips 
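Review bot: Removing `manage_etc_hosts: true` from the libvirt cloud-init user-data stops cloud-init from writing the `{{ item[0] }}.example.com` FQDN into `/etc/hosts`, so the guest can resolve its own name only if the libvirt network's DNS answers for `example.com`; the changelog does not say which problem this fixes. If the line was dropped because it collided with the playbook's own hosts handling, a one-line comment in the template (`# /etc/hosts is managed by the playbooks, not cloud-init`) would keep it from being re-added.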
@@ -87,6 +89,8 @@ ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}" ansible_sudo: "{{ deployment_vars[deployment_type].sudo }}" groups: 'tag_environment_{{ cluster_env }}, tag_host-type_master, tag_sub-host-type_default, tag_clusterid_{{ cluster_id }}' + openshift_node_labels: + type: "master" with_together: - parsed_outputs.master_names - parsed_outputs.master_ips @@ -99,6 +103,8 @@ ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}" ansible_sudo: "{{ deployment_vars[deployment_type].sudo }}" groups: 'tag_environment_{{ cluster_env }}, tag_host-type_node, tag_sub-host-type_compute, tag_clusterid_{{ cluster_id }}' + openshift_node_labels: + type: "compute" with_together: - parsed_outputs.node_names - parsed_outputs.node_ips @@ -111,6 +117,8 @@ ansible_ssh_user: "{{ deployment_vars[deployment_type].ssh_user }}" ansible_sudo: "{{ deployment_vars[deployment_type].sudo }}" groups: 'tag_environment_{{ cluster_env }}, tag_host-type_node, tag_sub-host-type_infra, tag_clusterid_{{ cluster_id }}' + openshift_node_labels: + type: "infra" with_together: - parsed_outputs.infra_names - parsed_outputs.infra_ips diff --git a/playbooks/openstack/openshift-cluster/terminate.yml b/playbooks/openstack/openshift-cluster/terminate.yml index 7a86b78c5..a1fb41b53 100644 --- a/playbooks/openstack/openshift-cluster/terminate.yml +++ b/playbooks/openstack/openshift-cluster/terminate.yml @@ -19,7 +19,7 @@ - vars.yml roles: - role: rhel_unsubscribe - when: deployment_type == "enterprise" and + when: deployment_type in ['atomic-enterprise', 'enterprise', 'openshift-enterprise'] and ansible_distribution == "RedHat" and lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false'] diff --git a/roles/fluentd_master/meta/main.yml b/roles/fluentd_master/meta/main.yml new file mode 100644 index 000000000..148bc377e --- /dev/null +++ b/roles/fluentd_master/meta/main.yml 
@@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift Red Hat + description: Fluentd Master + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9 + platforms: + - name: EL + versions: + - 7 + categories: + - monitoring + dependencies: + - openshift_facts diff --git a/roles/fluentd_master/tasks/main.yml b/roles/fluentd_master/tasks/main.yml deleted file mode 100644 index 32f972f0a..000000000 --- a/roles/fluentd_master/tasks/main.yml +++ /dev/null 
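Review bot: This commit adds `roles/fluentd_master/meta/main.yml` while deleting the role's tasks and template, leaving a role whose only content is a dependency on `openshift_facts`, and the master play in this commit no longer references it. Either remove the role directory entirely, or, if the meta file is kept so the role name keeps resolving for downstream playbooks, say so at the top of the file: `# Stub: fluentd_master tasks were removed in 3.0.40; kept so playbooks that still name the role load.`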
@@ -1,57 +0,0 @@
----
-- fail:
- msg: "fluentd master is not yet supported on atomic hosts"
- when: openshift.common.is_atomic | bool
-
-# TODO: Update fluentd install and configuration when packaging is complete
-- name: download and install td-agent
- action: "{{ ansible_pkg_mgr }} name='http://packages.treasuredata.com/2/redhat/7/x86_64/td-agent-2.2.0-0.x86_64.rpm' state=present"
- when: not openshift.common.is_atomic | bool
-
-- name: Verify fluentd plugin installed
- command: '/opt/td-agent/embedded/bin/gem query -i fluent-plugin-kubernetes'
- register: _fluent_plugin_check
- failed_when: false
- changed_when: false
-
-- name: install Kubernetes fluentd plugin
- command: '/opt/td-agent/embedded/bin/gem install fluent-plugin-kubernetes'
- when: _fluent_plugin_check.rc == 1
-
-- name: Creates directories
- file:
- path: "{{ item }}"
- state: directory
- group: 'td-agent'
- owner: 'td-agent'
- mode: 0755
- with_items: ['/etc/td-agent/config.d']
-
-- name: Add include to td-agent configuration
- lineinfile:
- dest: '/etc/td-agent/td-agent.conf'
- regexp: '^@include config.d'
- line: '@include config.d/*.conf'
- state: present
-
-- name: install Kubernetes fluentd configuration file
- template:
- src: kubernetes.conf.j2
- dest: /etc/td-agent/config.d/kubernetes.conf
- group: 'td-agent'
- owner: 'td-agent'
- mode: 0444
-
-- name: wait for etcd to start up
- wait_for: port=4001 delay=10
- when: embedded_etcd | bool
-
-- name: wait for etcd peer to start up
- wait_for: port=7001 delay=10
- when: embedded_etcd | bool
-
-- name: ensure td-agent is running
- service:
- name: 'td-agent'
- state: started
- enabled: yes
diff --git a/roles/fluentd_master/templates/kubernetes.conf.j2 b/roles/fluentd_master/templates/kubernetes.conf.j2
deleted file mode 100644
index 7b5c86062..000000000
--- a/roles/fluentd_master/templates/kubernetes.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-<match kubernetes.**>
- type file
- path /var/log/td-agent/containers.log
- time_slice_format %Y%m%d
- time_slice_wait 10m
- time_format %Y%m%dT%H%M%S%z
- compress gzip
- utc
-</match>
diff --git a/roles/fluentd_node/tasks/main.yml b/roles/fluentd_node/tasks/main.yml
deleted file mode 100644
index 9fd908687..000000000
--- a/roles/fluentd_node/tasks/main.yml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-- fail:
- msg: "fluentd node is not yet supported on atomic hosts"
- when: openshift.common.is_atomic | bool
-
-# TODO: Update fluentd install and configuration when packaging is complete
-- name: download and install td-agent
- action: "{{ ansible_pkg_mgr }} name='http://packages.treasuredata.com/2/redhat/7/x86_64/td-agent-2.2.0-0.x86_64.rpm' state=present"
- when: not openshift.common.is_atomic | bool
-
-- name: Verify fluentd plugin installed
- command: '/opt/td-agent/embedded/bin/gem query -i fluent-plugin-kubernetes'
- register: _fluent_plugin_check
- failed_when: false
- changed_when: false
-
-- name: install Kubernetes fluentd plugin
- command: '/opt/td-agent/embedded/bin/gem install fluent-plugin-kubernetes'
- when: _fluent_plugin_check.rc == 1
-
-- name: Override td-agent configuration file
- template:
- src: td-agent.j2
- dest: /etc/sysconfig/td-agent
- group: 'td-agent'
- owner: 'td-agent'
- mode: 0444
-
-- name: Creates directories
- file:
- path: "{{ item }}"
- state: directory
- group: 'td-agent'
- owner: 'td-agent'
- mode: 0755
- with_items: ['/etc/td-agent/config.d', '/var/log/td-agent/tmp']
-
-- name: Add include to td-agent configuration
- lineinfile:
- dest: '/etc/td-agent/td-agent.conf'
- regexp: '^@include config.d'
- line: '@include config.d/*.conf'
- state: present
-
-- name: install Kubernetes fluentd configuration file
- template:
- src: kubernetes.conf.j2
- dest: /etc/td-agent/config.d/kubernetes.conf
- group: 'td-agent'
- owner: 'td-agent'
- mode: 0444
-
-- name: ensure td-agent is running
- service:
- name: 'td-agent'
- state: started
- enabled: yes
diff --git a/roles/fluentd_node/templates/kubernetes.conf.j2 b/roles/fluentd_node/templates/kubernetes.conf.j2
deleted file mode 100644
index 5f1eecb20..000000000
--- a/roles/fluentd_node/templates/kubernetes.conf.j2
+++ /dev/null
@@ -1,53 +0,0 @@
-<source>
- type tail
- path /var/lib/docker/containers/*/*-json.log
- pos_file /var/log/td-agent/tmp/fluentd-docker.pos
- time_format %Y-%m-%dT%H:%M:%S
- tag docker.*
- format json
- read_from_head true
-</source>
-
-<match docker.var.lib.docker.containers.*.*.log>
- type kubernetes
- container_id ${tag_parts[5]}
- tag docker.${name}
-</match>
-
-<match kubernetes>
- type copy
-
- <store>
- type forward
- send_timeout 60s
- recover_wait 10s
- heartbeat_interval 1s
- phi_threshold 16
- hard_timeout 60s
- log_level trace
- require_ack_response true
- heartbeat_type tcp
-
- <server>
- name {{groups['oo_first_master'][0]}}
- host {{hostvars[groups['oo_first_master'][0]].openshift.common.hostname}}
- port 24224
- weight 60
- </server>
-
- <secondary>
- type file
- path /var/log/td-agent/forward-failed
- </secondary>
- </store>
-
- <store>
- type file
- path /var/log/td-agent/containers.log
- time_slice_format %Y%m%d
- time_slice_wait 10m
- time_format %Y%m%dT%H%M%S%z
- compress gzip
- utc
- </store>
-</match>
diff --git a/roles/fluentd_node/templates/td-agent.j2 b/roles/fluentd_node/templates/td-agent.j2
deleted file mode 100644
index 7245e11ec..000000000
--- a/roles/fluentd_node/templates/td-agent.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-DAEMON_ARGS=
-TD_AGENT_ARGS="/usr/sbin/td-agent --log /var/log/td-agent/td-agent.log --use-v1-config"
diff --git a/roles/lib_dyn/library/dyn_record.py b/roles/lib_dyn/library/dyn_record.py
index 5e088a674..f2796ccf2 100644
--- a/roles/lib_dyn/library/dyn_record.py
+++ b/roles/lib_dyn/library/dyn_record.py
@@ -224,11 +224,13 @@ def main(): # First get a list of existing records for the node values = get_record_values(dyn_node_records) value_key = get_record_key(module.params['record_type']) + param_value = module.params['record_value'] # Check to see if the record is already in place before doing anything. if (dyn_node_records and dyn_node_records[value_key][0].ttl == module.params['record_ttl'] and - module.params['record_value'] in values[value_key]): + (param_value in values[value_key] or + param_value + '.' in values[value_key])): module.exit_json(changed=False) diff --git a/roles/lib_dyn/tasks/main.yml b/roles/lib_dyn/tasks/main.yml index 9b3b1b0b9..965962928 100644 --- a/roles/lib_dyn/tasks/main.yml +++ b/roles/lib_dyn/tasks/main.yml @@ -3,3 +3,5 @@ - name: Make sure python-dyn is installed yum: name=python-dyn state=present + tags: + - lib_dyn diff --git a/roles/lib_zabbix/library/zbx_action.py b/roles/lib_zabbix/library/zbx_action.py index 2f9524556..e7edcde2f 100644 --- a/roles/lib_zabbix/library/zbx_action.py +++ b/roles/lib_zabbix/library/zbx_action.py @@ -120,8 +120,8 @@ def opmessage_usr_diff(zab_val, user_val): ''' Report whether there are differences between opmessage_usr on zabbix and opmessage_usr supplied by user ''' - zab_usr_ids = set([usr['usrid'] for usr in zab_val]) - usr_ids = set([usr['usrid'] for usr in user_val]) + zab_usr_ids = set([usr['userid'] for usr in zab_val]) + usr_ids = set([usr['userid'] for usr in user_val]) if usr_ids != zab_usr_ids: return True 
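Review bot: `param_value + '.'` in the new idempotency check raises TypeError if `record_value` is not supplied, because `module.params['record_value']` is now read unconditionally and `None + '.'` fails; if the module allows the value to be omitted (for example for a removal state) the concatenation needs a guard. Stripping the trailing dot on both sides is also simpler and symmetric, and covers a caller that already passes a fully-qualified value: `existing = set(v.rstrip('.') for v in values[value_key])` and then `param_value.rstrip('.') in existing` in place of the two `in` tests. main() continues outside the hunk.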
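Review bot: The corrected `userid` key in opmessage_usr_diff is right, but both rewritten lines still build a list only to wrap it in `set([...])`; `zab_usr_ids = set(usr['userid'] for usr in zab_val)` and `usr_ids = set(usr['userid'] for usr in user_val)` say the same thing without the throwaway list. The rest of the function lies outside the hunk.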
@@ -228,12 +228,12 @@ def get_user_groups(zapi, groups): '''get the mediatype id from the mediatype name''' user_groups = [] - content = zapi.get_content('usergroup', - 'get', - {'search': {'name': groups}}) - - for usr_grp in content['result']: - user_groups.append({'usrgrpid': usr_grp['usrgrpid']}) + for group in groups: + content = zapi.get_content('usergroup', + 'get', + {'search': {'name': group}}) + for result in content['result']: + user_groups.append({'usrgrpid': result['usrgrpid']}) return user_groups diff --git a/roles/nuage_master/handlers/main.yaml b/roles/nuage_master/handlers/main.yaml index 635d8a419..5d133cf16 100644 --- a/roles/nuage_master/handlers/main.yaml +++ b/roles/nuage_master/handlers/main.yaml @@ -1,7 +1,7 @@ --- -- name: restart nuagekubemon +- name: restart nuage-openshift-monitor sudo: true - service: name=nuagekubemon state=restarted + service: name=nuage-openshift-monitor state=restarted - name: restart master service: name={{ openshift.common.service_type }}-master state=restarted diff --git a/roles/nuage_master/tasks/main.yaml b/roles/nuage_master/tasks/main.yaml index a7baadc76..20d105b9e 100644 --- a/roles/nuage_master/tasks/main.yaml +++ b/roles/nuage_master/tasks/main.yaml @@ -1,15 +1,15 @@ --- -- name: Create directory /usr/share/nuagekubemon +- name: Create directory /usr/share/nuage-openshift-monitor sudo: true - file: path=/usr/share/nuagekubemon state=directory + file: path=/usr/share/nuage-openshift-monitor state=directory - name: Create the log directory sudo: true - file: path={{ nuagekubemon_log_dir }} state=directory + file: path={{ nuage_openshift_monitor_log_dir }} state=directory -- name: Install Nuage Kubemon +- name: Install Nuage Openshift Monitor sudo: true - yum: name={{ nuage_kubemon_rpm }} state=present + yum: name={{ nuage_openshift_rpm }} state=present - name: Run the service account creation script sudo: true 
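Review bot: The docstring `'''get the mediatype id from the mediatype name'''` on get_user_groups describes a different function; with the loop rewrite this is the moment to replace it with `'''Look up each usergroup name in groups and return a list of {'usrgrpid': ...} dicts for the action API.'''`. Separately, the Zabbix API's `search` key is a substring match rather than an exact one, so a name such as `ops` also collects `ops-admins` and the action would notify more groups than the play intended; `{'filter': {'name': group}}` gives exact matching. The rewrite now makes one API call per group, which is fine for short lists but worth a one-line comment.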
@@ -24,11 +24,11 @@ - nuage.key - nuage.kubeconfig -- name: Create nuagekubemon.yaml +- name: Create nuage-openshift-monitor.yaml sudo: true - template: src=nuagekubemon.j2 dest=/usr/share/nuagekubemon/nuagekubemon.yaml owner=root mode=0644 + template: src=nuage-openshift-monitor.j2 dest=/usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml owner=root mode=0644 notify: - restart master - restart master api - restart master controllers - - restart nuagekubemon + - restart nuage-openshift-monitor diff --git a/roles/nuage_master/templates/nuagekubemon.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2 index fb586bcee..db8c3d85e 100644 --- a/roles/nuage_master/templates/nuagekubemon.j2 +++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2 @@ -3,7 +3,7 @@ kubeConfig: {{ kube_config }} # name of the nuage service account, or another account with 'cluster-reader' # permissions # Openshift master config file -openshiftMasterConfig: {{ master_config_yaml }} +masterConfig: {{ master_config_yaml }} # URL of the VSD Architect vsdApiUrl: {{ vsd_api_url }} # API version to query against. Usually "v3_2" @@ -16,4 +16,4 @@ enterpriseName: {{ enterprise }} # Name of the domain in which pods will reside domainName: {{ domain }} # Location where logs should be saved -log_dir: {{ nuagekubemon_log_dir }} +log_dir: {{ nuage_openshift_monitor_log_dir }} diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml index db901fea6..c489feabe 100644 --- a/roles/nuage_master/vars/main.yaml +++ b/roles/nuage_master/vars/main.yaml 
@@ -1,7 +1,7 @@ openshift_master_config_dir: "{{ openshift.common.config_base }}/master" ca_cert: "{{ openshift_master_config_dir }}/ca.crt" admin_config: "{{ openshift.common.config_base }}/master/admin.kubeconfig" -cert_output_dir: /usr/share/nuagekubemon -kube_config: /usr/share/nuagekubemon/nuage.kubeconfig -kubemon_yaml: /usr/share/nuagekubemon/nuagekubemon.yaml +cert_output_dir: /usr/share/nuage-openshift-monitor +kube_config: /usr/share/nuage-openshift-monitor/nuage.kubeconfig +kubemon_yaml: /usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml" diff --git a/roles/nuage_node/tasks/main.yaml b/roles/nuage_node/tasks/main.yaml index e0117bf71..c1e49902d 100644 --- a/roles/nuage_node/tasks/main.yaml +++ b/roles/nuage_node/tasks/main.yaml @@ -22,16 +22,16 @@ - name: Copy the certificates and keys sudo: true - copy: src="/tmp/{{ item }}" dest="{{ vsp_k8s_dir }}/{{ item }}" + copy: src="/tmp/{{ item }}" dest="{{ vsp_openshift_dir }}/{{ item }}" with_items: - ca.crt - nuage.crt - nuage.key - nuage.kubeconfig -- name: Set the vsp-k8s.yaml +- name: Set the vsp-openshift.yaml sudo: true - template: src=vsp-k8s.j2 dest={{ vsp_k8s_yaml }} owner=root mode=0644 + template: src=vsp-openshift.j2 dest={{ vsp_openshift_yaml }} owner=root mode=0644 notify: - restart vrs - restart node diff --git a/roles/nuage_node/templates/vsp-k8s.j2 b/roles/nuage_node/templates/vsp-openshift.j2 index 98d6c3a9c..98d6c3a9c 100644 --- a/roles/nuage_node/templates/vsp-k8s.j2 +++ b/roles/nuage_node/templates/vsp-openshift.j2 diff --git a/roles/nuage_node/vars/main.yaml b/roles/nuage_node/vars/main.yaml index a6b7cf997..4975d17ed 100644 --- a/roles/nuage_node/vars/main.yaml +++ b/roles/nuage_node/vars/main.yaml 
@@ -1,9 +1,9 @@ --- vrs_config: /etc/default/openvswitch -vsp_k8s_dir: /usr/share/vsp-k8s -vsp_k8s_yaml: "{{ vsp_k8s_dir }}/vsp-k8s.yaml" -client_cert: "{{ vsp_k8s_dir }}/nuage.crt" -client_key: "{{ vsp_k8s_dir }}/nuage.key" -ca_cert: "{{ vsp_k8s_dir }}/ca.crt" +vsp_openshift_dir: /usr/share/vsp-openshift +vsp_openshift_yaml: "{{ vsp_openshift_dir }}/vsp-openshift.yaml" +client_cert: "{{ vsp_openshift_dir }}/nuage.crt" +client_key: "{{ vsp_openshift_dir }}/nuage.key" +ca_cert: "{{ vsp_openshift_dir }}/ca.crt" api_server: "{{ openshift_node_master_api_url }}" docker_bridge: "docker0" diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml index 98b0b11ea..a2fcff507 100644 --- a/roles/openshift_common/tasks/main.yml +++ b/roles/openshift_common/tasks/main.yml @@ -8,7 +8,7 @@ when: openshift_use_openshift_sdn | default(false) | bool and openshift_use_nuage | default(false) | bool - fail: - msg: Nuage sdn can not be used with flannel + msg: Nuage sdn can not be used with flannel when: openshift_use_flannel | default(false) | bool and openshift_use_nuage | default(false) | bool - fail: @@ -29,7 +29,6 @@ use_openshift_sdn: "{{ openshift_use_openshift_sdn | default(None) }}" sdn_network_plugin_name: "{{ os_sdn_network_plugin_name | default(None) }}" deployment_type: "{{ openshift_deployment_type }}" - use_fluentd: "{{ openshift_use_fluentd | default(None) }}" use_flannel: "{{ openshift_use_flannel | default(None) }}" use_nuage: "{{ openshift_use_nuage | default(None) }}" use_manageiq: "{{ openshift_use_manageiq | default(None) }}" @@ -49,7 +48,7 @@ # For enterprise versions < 3.1 and origin versions < 1.1 we want to set the # hostname by default. - set_fact: - set_hostname_default: "{{ not openshift.common.version_greater_than_3_1_or_1_1 }}" + set_hostname_default: "{{ not openshift.common.version_gte_3_1_or_1_1 }}" - name: Set hostname command: 
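Review bot: The rewritten `copy:` line in nuage_node/tasks/main.yaml writes `nuage.key` and `nuage.kubeconfig` into `{{ vsp_openshift_dir }}` with no `owner`/`mode`, so the node's client private key gets whatever the default umask yields, and it is staged from `/tmp/{{ item }}` on the controller where other local users can read it. Both are pre-existing, but the line is being touched here; I would add `owner=root group=root mode=0600` to the copy (or at least for the key and kubeconfig items) and, if the fetch step is under this role's control, stage into a private temporary directory instead of `/tmp`.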
> diff --git a/roles/openshift_examples/defaults/main.yml b/roles/openshift_examples/defaults/main.yml index 6b9964aec..5e955590e 100644 --- a/roles/openshift_examples/defaults/main.yml +++ b/roles/openshift_examples/defaults/main.yml @@ -6,7 +6,7 @@ openshift_examples_load_db_templates: true openshift_examples_load_xpaas: "{{ openshift_deployment_type != 'origin' }}" openshift_examples_load_quickstarts: true -content_version: "{{ 'v1.1' if openshift.common.version_greater_than_3_1_or_1_1 else 'v1.0' }}" +content_version: "{{ 'v1.1' if openshift.common.version_gte_3_1_or_1_1 else 'v1.0' }}" examples_base: "{{ openshift.common.config_base if openshift.common.is_containerized else '/usr/share/openshift' }}/examples" image_streams_base: "{{ examples_base }}/image-streams" diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml index ddd9f2f75..be999bd1a 100644 --- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml +++ b/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml @@ -85,7 +85,7 @@ parameters: - description: 'Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:v1.1", set version "v1.1"' name: IMAGE_VERSION - value: "3.1.0" + value: "3.1.1" - description: "Internal URL for the master, for authentication retrieval" name: MASTER_URL diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index d11af307b..25b9534dd 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py 
@@ -304,23 +304,6 @@ def normalize_provider_facts(provider, metadata): facts = normalize_openstack_facts(metadata, facts) return facts -def set_fluentd_facts_if_unset(facts): - """ Set fluentd facts if not already present in facts dict - dict: the facts dict updated with the generated fluentd facts if - missing - Args: - facts (dict): existing facts - Returns: - dict: the facts dict updated with the generated fluentd - facts if they were not already present - - """ - if 'common' in facts: - if 'use_fluentd' not in facts['common']: - use_fluentd = False - facts['common']['use_fluentd'] = use_fluentd - return facts - def set_flannel_facts_if_unset(facts): """ Set flannel facts if not already present in facts dict dict: the facts dict updated with the flannel facts if @@ -525,10 +508,11 @@ def set_url_facts_if_unset(facts): ports[prefix])) - r_lhn = "{0}:{1}".format(api_hostname, ports['api']).replace('.', '-') + r_lhn = "{0}:{1}".format(hostname, ports['api']).replace('.', '-') + r_lhu = "system:openshift-master/{0}:{1}".format(api_hostname, ports['api']).replace('.', '-') facts['master'].setdefault('loopback_cluster_name', r_lhn) facts['master'].setdefault('loopback_context_name', "default/{0}/system:openshift-master".format(r_lhn)) - facts['master'].setdefault('loopback_user', "system:openshift-master/{0}".format(r_lhn)) + facts['master'].setdefault('loopback_user', r_lhu) prefix_hosts = [('console', api_hostname), ('public_console', api_public_hostname)] for prefix, host in prefix_hosts: 
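Review bot: Both loopback names in set_url_facts_if_unset are stored with `setdefault`, so a master whose local facts already hold `loopback_cluster_name`/`loopback_user` from an earlier run keeps the `api_hostname`-based values and never receives the new `hostname`-based cluster name; if the rename matters for upgraded hosts it needs either a migration or an unconditional assignment. It also looks deliberate that `r_lhn` now uses `hostname` while `r_lhu` keeps `api_hostname`, and a one-line comment such as `# cluster name is keyed on the local hostname; the user name keeps the API hostname` would spare the next reader a trip through history. The function starts and ends outside the hunk.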
@@ -711,8 +695,8 @@ def set_deployment_facts_if_unset(facts): if 'node' in facts: deployment_type = facts['common']['deployment_type'] if 'storage_plugin_deps' not in facts['node']: - if deployment_type in ['openshift-enterprise', 'atomic-enterprise']: - facts['node']['storage_plugin_deps'] = ['ceph', 'glusterfs'] + if deployment_type in ['openshift-enterprise', 'atomic-enterprise', 'origin']: + facts['node']['storage_plugin_deps'] = ['ceph', 'glusterfs', 'iscsi'] else: facts['node']['storage_plugin_deps'] = [] @@ -720,7 +704,7 @@ def set_deployment_facts_if_unset(facts): def set_version_facts_if_unset(facts): """ Set version facts. This currently includes common.version and - common.version_greater_than_3_1_or_1_1. + common.version_gte_3_1_or_1_1. Args: facts (dict): existing facts 
@@ -732,16 +716,20 @@ def set_version_facts_if_unset(facts): facts['common']['version'] = version = get_openshift_version() if version is not None: if deployment_type == 'origin': - version_gt_3_1_or_1_1 = LooseVersion(version) > LooseVersion('1.0.6') - version_gt_3_1_1_or_1_1_1 = LooseVersion(version) > LooseVersion('1.1.1') + version_gte_3_1_or_1_1 = LooseVersion(version) >= LooseVersion('1.1.0') + version_gte_3_1_1_or_1_1_1 = LooseVersion(version) >= LooseVersion('1.1.1') + version_gte_3_2_or_1_2 = LooseVersion(version) >= LooseVersion('1.1.2') else: - version_gt_3_1_or_1_1 = LooseVersion(version) > LooseVersion('3.0.2.900') - version_gt_3_1_1_or_1_1_1 = LooseVersion(version) > LooseVersion('3.1.1') + version_gte_3_1_or_1_1 = LooseVersion(version) >= LooseVersion('3.0.2.905') + version_gte_3_1_1_or_1_1_1 = LooseVersion(version) >= LooseVersion('3.1.1') + version_gte_3_2_or_1_2 = LooseVersion(version) >= LooseVersion('3.1.1.901') else: - version_gt_3_1_or_1_1 = True - version_gt_3_1_1_or_1_1_1 = True - facts['common']['version_greater_than_3_1_or_1_1'] = version_gt_3_1_or_1_1 - facts['common']['version_greater_than_3_1_1_or_1_1_1'] = version_gt_3_1_1_or_1_1_1 + version_gte_3_1_or_1_1 = True + version_gte_3_1_1_or_1_1_1 = True + version_gte_3_2_or_1_2 = True + facts['common']['version_gte_3_1_or_1_1'] = version_gte_3_1_or_1_1 + facts['common']['version_gte_3_1_1_or_1_1_1'] = version_gte_3_1_1_or_1_1_1 + facts['common']['version_gte_3_2_or_1_2'] = version_gte_3_2_or_1_2 return facts 
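Review bot: The new `version_gte_3_2_or_1_2` fact is keyed on `'3.1.1.901'` and `'1.1.2'`, which does not match its name; a comment such as `# 3.1.1.901 / 1.1.2 are the first pre-release builds of the 3.2 / 1.2 stream` beside the thresholds would make them reviewable. The `else` branch also sets all three flags to True when `get_openshift_version()` returns None, so on a host whose version cannot be determined yet the include of the loopback tasks gated on this fact will run as if 3.2 were installed — if that is intended, the docstring of set_version_facts_if_unset (outside this hunk, and still listing only the 3_1 fact) should say so and name all three facts.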
@@ -756,12 +744,12 @@ def set_manageiq_facts_if_unset(facts): OpenShiftFactsInternalError: """ if 'common' not in facts: - if 'version_greater_than_3_1_or_1_1' not in facts['common']: + if 'version_gte_3_1_or_1_1' not in facts['common']: raise OpenShiftFactsInternalError( "Invalid invocation: The required facts are not set" ) if 'use_manageiq' not in facts['common']: - facts['common']['use_manageiq'] = facts['common']['version_greater_than_3_1_or_1_1'] + facts['common']['use_manageiq'] = facts['common']['version_gte_3_1_or_1_1'] return facts @@ -1167,7 +1155,6 @@ class OpenShiftFacts(object): facts['current_config'] = get_current_config(facts) facts = set_url_facts_if_unset(facts) facts = set_project_cfg_facts_if_unset(facts) - facts = set_fluentd_facts_if_unset(facts) facts = set_flannel_facts_if_unset(facts) facts = set_nuage_facts_if_unset(facts) facts = set_node_schedulability(facts) diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index 0357fc85a..d2ff1b4b7 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -1,7 +1,7 @@ --- - fail: msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1." - when: not openshift.common.version_greater_than_3_1_or_1_1 | bool + when: not openshift.common.version_gte_3_1_or_1_1 | bool - name: Copy Configuration to temporary conf command: > @@ -9,7 +9,7 @@ changed_when: false - name: Add Managment Infrastructure project - command: > + command: > {{ openshift.common.admin_binary }} new-project management-infra --description="Management Infrastructure" 
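Review bot: The guard `if 'common' not in facts:` followed by `if 'version_gte_3_1_or_1_1' not in facts['common']:` can never raise the intended OpenShiftFactsInternalError: when `'common'` is missing the inner lookup itself throws KeyError, and when it is present the check is skipped entirely. The two conditions should be one, `if 'common' not in facts or 'version_gte_3_1_or_1_1' not in facts['common']:`. The logic is pre-existing, but the renamed line is the one being rewritten here.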
@@ -20,9 +20,9 @@ - name: Create Service Account shell: > - echo {{ manageiq_service_account | to_json | quote }} | - {{ openshift.common.client_binary }} create - -n management-infra + echo {{ manageiq_service_account | to_json | quote }} | + {{ openshift.common.client_binary }} create + -n management-infra --config={{manage_iq_tmp_conf}} -f - register: osmiq_create_service_account @@ -32,7 +32,7 @@ - name: Create Cluster Role shell: > echo {{ manageiq_cluster_role | to_json | quote }} | - {{ openshift.common.client_binary }} create + {{ openshift.common.client_binary }} create --config={{manage_iq_tmp_conf}} -f - register: osmiq_create_cluster_role diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 83f6f7542..4aede31f6 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -15,7 +15,7 @@ when: openshift_master_ha | bool and ((openshift_master_cluster_method is not defined) or (openshift_master_cluster_method is defined and openshift_master_cluster_method not in ["native", "pacemaker"])) - fail: msg: "'native' high availability is not supported for the requested OpenShift version" - when: openshift_master_ha | bool and openshift_master_cluster_method == "native" and not openshift.common.version_greater_than_3_1_or_1_1 | bool + when: openshift_master_ha | bool and openshift_master_cluster_method == "native" and not openshift.common.version_gte_3_1_or_1_1 | bool - fail: msg: "openshift_master_cluster_password must be set for multi-master installations" when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and (openshift_master_cluster_password is not defined or not openshift_master_cluster_password) 
@@ -240,36 +240,8 @@ - restart master api - restart master controllers -- name: Test local loopback context - command: > - {{ openshift.common.client_binary }} config view - --config={{ openshift_master_loopback_config }} - changed_when: false - register: loopback_config - -- command: > - {{ openshift.common.client_binary }} config set-cluster - --certificate-authority={{ openshift_master_config_dir }}/ca.crt - --embed-certs=true --server={{ openshift.master.loopback_api_url }} - {{ openshift.master.loopback_cluster_name }} - --config={{ openshift_master_loopback_config }} - when: loopback_context_string not in loopback_config.stdout - register: set_loopback_cluster - -- command: > - {{ openshift.common.client_binary }} config set-context - --cluster={{ openshift.master.loopback_cluster_name }} - --namespace=default --user={{ openshift.master.loopback_user }} - {{ openshift.master.loopback_context_name }} - --config={{ openshift_master_loopback_config }} - when: set_loopback_cluster | changed - register: set_loopback_context - -- command: > - {{ openshift.common.client_binary }} config use-context {{ openshift.master.loopback_context_name }} - --config={{ openshift_master_loopback_config }} - when: set_loopback_context | changed - register: set_current_context +- include: set_loopback_context.yml + when: openshift.common.version_gte_3_2_or_1_2 - name: Start and enable master service: name={{ openshift.common.service_type }}-master enabled=yes state=started @@ -287,7 +259,7 @@ - name: Mask master service command: systemctl mask {{ openshift.common.service_type }}-master - when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' + when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and not openshift.common.is_atomic | bool - name: Start and enable master api service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started 
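Review bot: `when: openshift.common.version_gte_3_2_or_1_2` on the new include is the only version condition in this file without the `| bool` filter its neighbours use (the `native` HA check earlier in the same file reads `not openshift.common.version_gte_3_1_or_1_1 | bool`); if the fact ever arrives as the string `'False'` it is truthy here and the loopback tasks run on an unsupported version. Use `when: openshift.common.version_gte_3_2_or_1_2 | bool` for consistency.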
diff --git a/roles/openshift_master/tasks/set_loopback_context.yml b/roles/openshift_master/tasks/set_loopback_context.yml
new file mode 100644
index 000000000..9c3fb31dc
--- /dev/null
+++ b/roles/openshift_master/tasks/set_loopback_context.yml
@@ -0,0 +1,31 @@
+---
+- name: Test local loopback context
+ command: >
+ {{ openshift.common.client_binary }} config view
+ --config={{ openshift_master_loopback_config }}
+ changed_when: false
+ register: loopback_config
+
+- command: >
+ {{ openshift.common.client_binary }} config set-cluster
+ --certificate-authority={{ openshift_master_config_dir }}/ca.crt
+ --embed-certs=true --server={{ openshift.master.loopback_api_url }}
+ {{ openshift.master.loopback_cluster_name }}
+ --config={{ openshift_master_loopback_config }}
+ when: loopback_context_string not in loopback_config.stdout
+ register: set_loopback_cluster
+
+- command: >
+ {{ openshift.common.client_binary }} config set-context
+ --cluster={{ openshift.master.loopback_cluster_name }}
+ --namespace=default --user={{ openshift.master.loopback_user }}
+ {{ openshift.master.loopback_context_name }}
+ --config={{ openshift_master_loopback_config }}
+ when: set_loopback_cluster | changed
+ register: set_loopback_context
+
+- command: >
+ {{ openshift.common.client_binary }} config use-context {{ openshift.master.loopback_context_name }}
+ --config={{ openshift_master_loopback_config }}
+ when: set_loopback_context | changed
+ register: set_current_context
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 1eeab46fe..813a58d60 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -1,5 +1,5 @@
 apiLevels:
-{% if not openshift.common.version_greater_than_3_1_or_1_1 | bool %}
+{% if not openshift.common.version_gte_3_1_or_1_1 | bool %}
 - v1beta3
 {% endif %}
 - v1
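Review bot: Three of the four tasks in the new set_loopback_context.yml have no `name:`, and the file silently depends on `loopback_context_string`, `openshift_master_loopback_config` and `openshift_master_config_dir` being defined by the including role, none of which is visible here. I would name the commands (`Set loopback cluster`, `Set loopback context`, `Use loopback context`) so play output is readable, and open the file with `# Expects loopback_context_string, openshift_master_loopback_config and openshift_master_config_dir from the openshift_master role; included from main.yml only when version_gte_3_2_or_1_2`. The moved tasks themselves are unchanged from the ones removed in main.yml.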
@@ -91,7 +91,7 @@ kubeletClientInfo: port: 10250 {% if openshift.master.embedded_kube | bool %} kubernetesMasterConfig: -{% if not openshift.common.version_greater_than_3_1_or_1_1 | bool %} +{% if not openshift.common.version_gte_3_1_or_1_1 | bool %} apiLevels: - v1beta3 - v1 diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 index e6e97b24f..b393bb9ff 100644 --- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 +++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 @@ -7,7 +7,7 @@ Before={{ openshift.common.service_type }}-node.service Requires=network.target [Service] -{% if openshift.common.version_greater_than_3_1_1_or_1_1_1 | bool %} +{% if openshift.common.version_gte_3_1_1_or_1_1_1 | bool %} Type=notify {% else %} Type=simple diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 36d953111..7c58e943a 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -39,7 +39,7 @@ state: hard with_nested: - masters_needing_certs - - "{{ master_certificates | union(master_31_certificates) if openshift.common.version_greater_than_3_1_or_1_1 | bool else master_certificates }}" + - "{{ master_certificates | union(master_31_certificates) if openshift.common.version_gte_3_1_or_1_1 | bool else master_certificates }}" - name: Create the master certificates if they do not already exist command: > diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 9035248f9..acf2f74e3 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
@@ -17,7 +17,7 @@ # TODO: Replace this with a lookup or filter plugin. dns_ip: "{{ openshift_dns_ip | default(openshift_master_cluster_vip - | default(None if openshift.common.version_greater_than_3_1_or_1_1 | bool else openshift_node_first_master_ip | default(None, true), true), true) }}" + | default(None if openshift.common.version_gte_3_1_or_1_1 | bool else openshift_node_first_master_ip | default(None, true), true), true) }}" - role: node local_facts: annotations: "{{ openshift_node_annotations | default(none) }}" @@ -33,6 +33,7 @@ set_node_ip: "{{ openshift_set_node_ip | default(None) }}" node_image: "{{ osn_image | default(None) }}" ovs_image: "{{ osn_ovs_image | default(None) }}" + proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" # We have to add tuned-profiles in the same transaction otherwise we run into depsolving # problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging. diff --git a/roles/openshift_node/tasks/storage_plugins/iscsi.yml b/roles/openshift_node/tasks/storage_plugins/iscsi.yml new file mode 100644 index 000000000..d6684b34a --- /dev/null +++ b/roles/openshift_node/tasks/storage_plugins/iscsi.yml @@ -0,0 +1,4 @@ +--- +- name: Install iSCSI storage plugin dependencies + action: "{{ ansible_pkg_mgr }} name=iscsi-initiator-utils state=present" + when: not openshift.common.is_atomic | bool diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml index 39c7b9390..fe638718d 100644 --- a/roles/openshift_node/tasks/storage_plugins/main.yml +++ b/roles/openshift_node/tasks/storage_plugins/main.yml @@ -11,3 +11,7 @@ - name: Ceph storage plugin configuration include: ceph.yml when: "'ceph' in openshift.node.storage_plugin_deps" + +- name: iSCSI storage plugin configuration + include: iscsi.yml + when: "'iscsi' in openshift.node.storage_plugin_deps" 
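Review bot: `proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}"` accepts any string and the value is written verbatim into `proxyArguments` in node.yaml.v1.j2, so a typo in the inventory only surfaces when the node's kube-proxy fails to start. A `fail:` task before the facts block, `when: openshift_node_proxy_mode is defined and openshift_node_proxy_mode not in ['iptables', 'userspace']`, keeps the error at the playbook with a readable message. The `local_facts` block this line belongs to starts outside the hunk.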
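Review bot: The new iscsi.yml installs `iscsi-initiator-utils` only `when: not openshift.common.is_atomic | bool`, while `storage_plugin_deps` (set in openshift_facts.py in this same commit) now lists `iscsi` for every deployment type regardless of host type, so on an atomic host the fact advertises a dependency that nothing satisfies. If the initiator tools ship in the Atomic Host image, a comment on the `when:` line saying so, `# iscsi-initiator-utils is part of the Atomic Host image`, stops the next reader from flagging the gap; otherwise the fact and the task should agree.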
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 44065f4bd..67975d372 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -35,3 +35,6 @@ servingInfo: keyFile: server.key volumeDirectory: {{ openshift.common.data_dir }}/openshift.local.volumes {% include 'partials/kubeletArguments.j2' %} +proxyArguments: + proxy-mode: + - {{ openshift.node.proxy_mode }} diff --git a/roles/openshift_persistent_volumes/templates/persistent-volume-claim.yml.j2 b/roles/openshift_persistent_volumes/templates/persistent-volume-claim.yml.j2 index 58b3e1c67..d40417a9a 100644 --- a/roles/openshift_persistent_volumes/templates/persistent-volume-claim.yml.j2 +++ b/roles/openshift_persistent_volumes/templates/persistent-volume-claim.yml.j2 @@ -3,7 +3,8 @@ apiVersion: "v1" kind: "List" items: {% for claim in persistent_volume_claims %} -- kind: "PersistentVolumeClaim" +- apiVersion: "v1" + kind: "PersistentVolumeClaim" metadata: name: "{{ claim.name }}" spec: diff --git a/roles/openshift_persistent_volumes/templates/persistent-volume.yml.j2 b/roles/openshift_persistent_volumes/templates/persistent-volume.yml.j2 index 5714b6b0d..877e88002 100644 --- a/roles/openshift_persistent_volumes/templates/persistent-volume.yml.j2 +++ b/roles/openshift_persistent_volumes/templates/persistent-volume.yml.j2 @@ -3,7 +3,8 @@ apiVersion: v1 kind: List items: {% for volume in persistent_volumes %} -- kind: PersistentVolume +- apiVersion: v1 + kind: PersistentVolume metadata: name: "{{ volume.name }}" spec: diff --git a/roles/openshift_registry/README.md b/roles/openshift_registry/README.md index 8e66c483b..247272668 100644 --- a/roles/openshift_registry/README.md +++ b/roles/openshift_registry/README.md 
@@ -17,12 +17,6 @@ From this role: |--------------------|-------------------------------------------------------|---------------------| | | | | -From openshift_common: - -| Name | Default value | | -|-----------------------|---------------|--------------------------------------| -| openshift_debug_level | 2 | Global openshift debug log verbosity | - Dependencies ------------ diff --git a/roles/openshift_registry/meta/main.yml b/roles/openshift_registry/meta/main.yml index 93b6797d1..b220a020e 100644 --- a/roles/openshift_registry/meta/main.yml +++ b/roles/openshift_registry/meta/main.yml @@ -4,10 +4,12 @@ galaxy_info: description: OpenShift Embedded Docker Registry company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 1.9 platforms: - name: EL versions: - 7 categories: - cloud + dependencies: + - openshift_facts diff --git a/roles/openshift_router/README.md b/roles/openshift_router/README.md index 836efc443..d490e1038 100644 --- a/roles/openshift_router/README.md +++ b/roles/openshift_router/README.md @@ -16,11 +16,6 @@ From this role: |--------------------|-------------------------------------------------------|---------------------| | | | | -From openshift_common: -| Name | Default value | | -|-----------------------|---------------|--------------------------------------| -| openshift_debug_level | 2 | Global openshift debug log verbosity | - Dependencies ------------ diff --git a/roles/openshift_router/meta/main.yml b/roles/openshift_router/meta/main.yml index 0471e5e14..c2b0777b5 100644 --- a/roles/openshift_router/meta/main.yml +++ b/roles/openshift_router/meta/main.yml @@ -4,10 +4,12 @@ galaxy_info: description: OpenShift Embedded Router company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 1.9 platforms: - name: EL versions: - 7 categories: - cloud + dependencies: + - openshift_facts 
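Review bot: In the openshift_registry meta/main.yml hunk the added `dependencies:` key appears to be indented under `galaxy_info` (the collapsed view keeps a leading space on indented lines, and the sibling `categories:` has the same form), which would make Ansible ignore it and leave `openshift_facts` unloaded; the same applies to the openshift_router meta/main.yml hunk further along this line. Compare the new openshift_serviceaccounts meta/main.yml on the next line, where `dependencies:` sits at column 0. The key should be a top-level sibling of `galaxy_info:`: `dependencies:` followed by `- openshift_facts` (or `- { role: openshift_facts }` to match the serviceaccounts role). Whitespace is collapsed in this view, so confirm the indentation in the actual file before changing it.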
diff --git a/roles/openshift_router/tasks/main.yml b/roles/openshift_router/tasks/main.yml index 355cbf84b..40365d04d 100644 --- a/roles/openshift_router/tasks/main.yml +++ b/roles/openshift_router/tasks/main.yml @@ -3,6 +3,7 @@ command: > {{ openshift.common.admin_binary }} router --create --replicas={{ openshift.master.infra_nodes | length }} + --namespace=default --service-account=router {{ ortr_selector }} --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig {{ ortr_images }} register: ortr_results diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml new file mode 100644 index 000000000..a2c9fee70 --- /dev/null +++ b/roles/openshift_serviceaccounts/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: OpenShift Operations + description: OpenShift Service Accounts + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- { role: openshift_facts } diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index 4c7faa6fe..5fe7d28f3 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml 
@@ -1,36 +1,33 @@ -- name: tmp dir for openshift - file: - path: /tmp/openshift - state: directory - owner: root - mode: 700 - -- name: Create service account configs - template: - src: serviceaccount.j2 - dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml" - with_items: accounts - -- name: Create {{ item }} service account +- name: test if service accounts exists command: > - {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml" - with_items: accounts - register: _sa_result - failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0" - changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0" + {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }} + with_items: openshift_serviceaccounts_names + failed_when: false + changed_when: false + register: account_test -- name: Get current security context constraints +- name: create the service account shell: > - {{ openshift.common.client_binary }} get scc privileged -o yaml - --output-version=v1 > /tmp/openshift/scc.yaml - changed_when: false + echo {{ lookup('template', '../templates/serviceaccount.j2') + | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }} create -f - + when: item.1.rc != 0 + with_together: + - openshift_serviceaccounts_names + - account_test.results -- name: Add security context constraint for {{ item }} - lineinfile: - dest: /tmp/openshift/scc.yaml - line: "- system:serviceaccount:default:{{ item }}" - insertafter: "^users:$" - with_items: accounts +- name: test if scc needs to be updated + command: > + {{ openshift.common.client_binary }} get scc {{ item }} -o yaml + changed_when: false + failed_when: false + register: scc_test + with_items: openshift_serviceaccounts_sccs -- name: Apply new scc rules for service accounts - command: "{{ openshift.common.client_binary }} update -f 
/tmp/openshift/scc.yaml --api-version=v1" +- name: Grant the user access to the privileged scc + command: > + {{ openshift.common.admin_binary }} policy add-scc-to-user + privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }} + when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}" + with_nested: + - openshift_serviceaccounts_names + - scc_test.results diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2 index 931e249f9..c5f12421f 100644 --- a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 +++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2 @@ -1,4 +1,4 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ item }} + name: {{ item.0 }} diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 5cf4bf7af..3b584f8eb 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -1,12 +1,4 @@ --- -- name: Install iptables packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" - with_items: - - iptables - - iptables-services - register: install_result - when: not openshift.common.is_atomic | bool - - name: Check if firewalld is installed command: rpm -q firewalld register: pkg_check 
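Review bot: The "Grant the user access to the privileged scc" task always adds the account to `privileged`, yet its `when:` tests membership in whichever scc `item.1` came from in the `with_nested` loop over `openshift_serviceaccounts_sccs`; if that list ever holds more than `privileged`, an account missing from some other scc's `users` would be granted `privileged`. The scc name should come from the loop item, e.g. `{{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}`, and the condition should not embed `{{ }}` inside `when:` — `(item.1.stdout | from_yaml).users | default([])` also keeps the `not in` test from raising when the scc has no `users` key. The `| default([])` is suggested because the shape of the `get scc -o yaml` output is not visible here, and the default of `openshift_serviceaccounts_sccs` is not in view either.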
@@ -20,6 +12,22 @@ enabled: no when: pkg_check.rc == 0 +# TODO: submit PR upstream to add mask/unmask to service module +- name: Mask firewalld service + command: systemctl mask firewalld + register: result + changed_when: "'firewalld' in result.stdout" + when: pkg_check.rc == 0 + ignore_errors: yes + +- name: Install iptables packages + action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" + with_items: + - iptables + - iptables-services + register: install_result + when: not openshift.common.is_atomic | bool + - name: Reload systemd units command: systemctl daemon-reload when: install_result | changed @@ -35,14 +43,6 @@ pause: seconds=10 when: result | changed -# TODO: submit PR upstream to add mask/unmask to service module -- name: Mask firewalld service - command: systemctl mask firewalld - register: result - changed_when: "'firewalld' in result.stdout" - when: pkg_check.rc == 0 - ignore_errors: yes - - name: Add iptables allow rules os_firewall_manage_iptables: name: "{{ item.service }}" diff --git a/roles/os_zabbix/vars/template_openshift_master.yml b/roles/os_zabbix/vars/template_openshift_master.yml index ccbf6a6ec..1824d7881 100644 --- a/roles/os_zabbix/vars/template_openshift_master.yml +++ b/roles/os_zabbix/vars/template_openshift_master.yml @@ -7,8 +7,8 @@ g_template_openshift_master: - Openshift Master key: openshift.master.app.create - - key: openshift.master.registry.healthz - description: "Shows the health status of the cluster's docker registry" + - key: openshift.master.registry.healthy_pct + description: "Shows the percentage of healthy registries in the cluster" type: int applications: - Openshift Master 
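Review bot: In the relocated "Mask firewalld service" task, `changed_when: "'firewalld' in result.stdout"` most likely never reports a change, since systemctl prints its "Created symlink" notice on stderr rather than stdout, and `ignore_errors: yes` hides a failed mask entirely, so a host can leave this play with firewalld still able to start and later conflict with the iptables-services rules. Consider `changed_when: "'firewalld' in result.stdout or 'firewalld' in result.stderr"` and dropping `ignore_errors: yes` now that the task is already gated on `pkg_check.rc == 0`. The task body itself is unchanged by this commit, only moved ahead of the iptables package install; the stderr behaviour is from memory of systemctl and should be confirmed on the target systemd version.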
@@ -201,6 +201,18 @@ g_template_openshift_master: applications: - Openshift Master Metrics + - key: openshift.master.nodesnotready.count + description: "This check shows how many nodes in a cluster are in NotReady state." + type: int + applications: + - Openshift Master + + - key: openshift.master.nodesnotschedulable.count + description: "This check shows how many nodes in a cluster are not schedulable." + type: int + applications: + - Openshift Master + - key: openshift.master.apiserver.latency.summary.pods.quantile.list.5 description: "Value from https://master/metrics. This is the time, in miliseconds, that 50% of the pod operations have taken to completed." type: int @@ -333,9 +345,16 @@ g_template_openshift_master: - 'Openshift Master process not running on {HOST.NAME}' priority: avg - - name: 'Docker Registry check failed on {HOST.NAME}' - expression: '{Template Openshift Master:openshift.master.registry.healthz.max(#2)}<1' - url: 'https://github.com/openshift/ops-sop/blob/master/V3/Alerts/openshift_master.asciidoc' + - name: 'One or more Docker Registries is unhealthy according to {HOST.NAME}' + expression: '{Template Openshift Master:openshift.master.registry.healthy_pct.last(#2)}<100 and {Template Openshift Master:openshift.master.registry.healthy_pct.max(#2)}>50' + url: 'https://github.com/openshift/ops-sop/blob/master/V3/Alerts/openshift_registry.asciidoc' + dependencies: + - 'Openshift Master process not running on {HOST.NAME}' + priority: avg + + - name: 'Multiple Docker Registries are unhealthy according to {HOST.NAME}' + expression: '{Template Openshift Master:openshift.master.registry.healthy_pct.last(#2)}<51' + url: 'https://github.com/openshift/ops-sop/blob/master/V3/Alerts/openshift_registry.asciidoc' dependencies: - 'Openshift Master process not running on {HOST.NAME}' priority: high 
@@ -354,6 +373,13 @@ g_template_openshift_master: - 'Openshift Master API health check is failing on {HOST.NAME}' priority: high + - name: 'Hosts not ready according to {HOST.NAME}' + expression: '{Template Openshift Master:openshift.master.nodesnotready.count.last(#2)}>0' + url: 'https://github.com/openshift/ops-sop/blob/master/V3/Alerts/openshift_node.asciidoc' + dependencies: + - 'Openshift Master process not running on {HOST.NAME}' + priority: high + zgraphs: - name: Openshift Master API Server Latency Pods LIST Quantiles width: 900 diff --git a/roles/os_zabbix/vars/template_openshift_node.yml b/roles/os_zabbix/vars/template_openshift_node.yml index ff65ef158..b0488656d 100644 --- a/roles/os_zabbix/vars/template_openshift_node.yml +++ b/roles/os_zabbix/vars/template_openshift_node.yml @@ -37,8 +37,8 @@ g_template_openshift_node: url: 'https://github.com/openshift/ops-sop/blob/node/V3/Alerts/openshift_node.asciidoc' priority: high - - name: 'OVS may not be running on {HOST.NAME}' - expression: '{Template Openshift Node:openshift.node.ovs.pids.count.last()}<>4' + - name: '[HEAL] OVS may not be running on {HOST.NAME}' + expression: '{Template Openshift Node:openshift.node.ovs.pids.count.last(#1)}<>4 and {Template Openshift Node:openshift.node.ovs.pids.count.last(#2)}<>4' url: 'https://github.com/openshift/ops-sop/blob/node/V3/Alerts/openshift_node.asciidoc' priority: high diff --git a/utils/src/ooinstall/cli_installer.py b/utils/src/ooinstall/cli_installer.py index 3046d4d58..e1047e700 100644 --- a/utils/src/ooinstall/cli_installer.py +++ b/utils/src/ooinstall/cli_installer.py 
@@ -722,14 +722,30 @@ def upgrade(ctx): click.echo("No hosts defined in: %s" % oo_cfg.config_path) sys.exit(1) - # Update config to reflect the version we're targetting, we'll write - # to disk once ansible completes successfully, not before. old_variant = oo_cfg.settings['variant'] old_version = oo_cfg.settings['variant_version'] - if oo_cfg.settings['variant'] == 'enterprise': - oo_cfg.settings['variant'] = 'openshift-enterprise' - version = find_variant(oo_cfg.settings['variant'])[1] - oo_cfg.settings['variant_version'] = version.name + + + message = """ + This tool will help you upgrade your existing OpenShift installation. +""" + click.echo(message) + click.echo("Version {} found. Do you want to update to the latest version of {} " \ + "or migrate to the next major release?".format(old_version, old_version)) + resp = click.prompt("(1) Update to latest {} (2) Migrate to next relese".format(old_version)) + + if resp == "2": + # TODO: Make this a lot more flexible + new_version = "3.1" + # Update config to reflect the version we're targetting, we'll write + # to disk once ansible completes successfully, not before. + if oo_cfg.settings['variant'] == 'enterprise': + oo_cfg.settings['variant'] = 'openshift-enterprise' + version = find_variant(oo_cfg.settings['variant'])[1] + oo_cfg.settings['variant_version'] = version.name + else: + new_version = old_version + click.echo("Openshift will be upgraded from %s %s to %s %s on the following hosts:\n" % ( old_variant, old_version, oo_cfg.settings['variant'], oo_cfg.settings['variant_version'])) @@ -743,7 +759,7 @@ def upgrade(ctx): click.echo("Upgrade cancelled.") sys.exit(0) - retcode = openshift_ansible.run_upgrade_playbook(verbose) + retcode = openshift_ansible.run_upgrade_playbook(old_version, new_version, verbose) if retcode > 0: click.echo("Errors encountered during upgrade, please check %s." % oo_cfg.settings['ansible_log_path']) 
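Review bot: `resp = click.prompt(...)` accepts any string and only the exact answer `"2"` selects the migration path, so a mistyped answer silently runs the in-place update; use `type=click.Choice(['1', '2'])` to reject anything else and fix the prompt text: `resp = click.prompt("(1) Update to latest {} (2) Migrate to next release".format(old_version), type=click.Choice(['1', '2']))`. In the migration branch `new_version` is hard-coded to `"3.1"` while `oo_cfg.settings['variant_version']` is set from `find_variant(...)`; if those ever diverge, the summary printed below and the playbook chosen in run_upgrade_playbook would disagree, so deriving `new_version` from the same `version.name` keeps a single source of truth. The `upgrade()` function starts and ends outside these hunks.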
diff --git a/utils/src/ooinstall/openshift_ansible.py b/utils/src/ooinstall/openshift_ansible.py index 042ce1023..ec49c9601 100644 --- a/utils/src/ooinstall/openshift_ansible.py +++ b/utils/src/ooinstall/openshift_ansible.py @@ -237,11 +237,17 @@ def run_uninstall_playbook(verbose=False): return run_ansible(playbook, inventory_file, facts_env, verbose) -def run_upgrade_playbook(verbose=False): +def run_upgrade_playbook(old_version, new_version, verbose=False): # TODO: do not hardcode the upgrade playbook, add ability to select the # right playbook depending on the type of upgrade. - playbook = os.path.join(CFG.settings['ansible_playbook_directory'], - 'playbooks/byo/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml') + old_version = old_version.replace('.', '_') + new_version = old_version.replace('.', '_') + if old_version == new_version: + playbook = os.path.join(CFG.settings['ansible_playbook_directory'], + 'playbooks/byo/openshift-cluster/upgrades/v{}_minor/upgrade.yml'.format(new_version)) + else: + playbook = os.path.join(CFG.settings['ansible_playbook_directory'], + 'playbooks/byo/openshift-cluster/upgrades/v{}_to_v{}/upgrade.yml'.format(old_version, new_version)) # TODO: Upgrade inventory for upgrade? inventory_file = generate_inventory(CFG.hosts) facts_env = os.environ.copy() |
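Review bot: `new_version = old_version.replace('.', '_')` rewrites the wrong variable, so `new_version` always equals `old_version`, the `v{}_to_v{}` branch is unreachable, and a "migrate to next release" request from the CLI silently runs the `v{}_minor` playbook; the line should be `new_version = new_version.replace('.', '_')`. Because both version strings are read from the installer's config and spliced into a path, a value outside the known releases yields a playbook path that does not exist, so checking `os.path.exists(playbook)` and raising a clear error before handing it to ansible would surface that early instead of as an opaque playbook failure. The function continues past the hunk, so the `run_ansible` call is not in view.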