-rw-r--r-- | .tito/packages/openshift-ansible | 2 | ||||
-rw-r--r-- | openshift-ansible.spec | 18 | ||||
-rw-r--r-- | playbooks/common/openshift-cluster/service_catalog.yml | 12 | ||||
-rw-r--r-- | roles/ansible_service_broker/tasks/install.yml | 14 | ||||
-rw-r--r-- | roles/etcd_common/defaults/main.yml | 4 | ||||
-rw-r--r-- | roles/etcd_common/tasks/backup.yml | 15 | ||||
-rw-r--r-- | roles/etcd_migrate/tasks/migrate.yml | 6 | ||||
-rwxr-xr-x | roles/openshift_facts/library/openshift_facts.py | 4 | ||||
-rw-r--r-- | roles/openshift_logging_fluentd/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/openshift_logging_fluentd/templates/fluentd.j2 | 12 | ||||
-rw-r--r-- | roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml | 16 | ||||
-rw-r--r-- | roles/openshift_service_catalog/tasks/install.yml | 1 | ||||
-rw-r--r-- | roles/openshift_service_catalog/tasks/wire_aggregator.yml | 107 | ||||
-rw-r--r-- | roles/openshift_service_catalog/templates/controller_manager.j2 | 1 | ||||
-rw-r--r-- | roles/openshift_service_catalog/vars/openshift-enterprise.yml | 2 |
15 files changed, 198 insertions, 17 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 5ae5d035e..a3da9c085 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.6.134-1 ./ +3.6.136-1 ./ diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 43111f72d..7328dfdbc 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -9,7 +9,7 @@ %global __requires_exclude ^/usr/bin/ansible-playbook$ Name: openshift-ansible -Version: 3.6.134 +Version: 3.6.136 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -280,6 +280,22 @@ Atomic OpenShift Utilities includes %changelog +* Thu Jul 06 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.136-1 +- Synching certs and aggregator configs from first master to all other masters + (ewolinet@redhat.com) +- Addressing servicecatalog doesnt have enough permissions and multimaster + config for service-catalog (ewolinet@redhat.com) +- add back mux_client config that was removed (rmeggins@redhat.com) +- use master etcd certificates when delegating oadm migrate etcd-ttl + (jchaloup@redhat.com) + +* Wed Jul 05 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.135-1 +- Update the tag for enterprise service catalog (sdodson@redhat.com) +- Fix missing service domain .svc in NO_PROXY settings (tbielawa@redhat.com) +- drop etcdctl before the etcd_container service (jchaloup@redhat.com) +- Fix prefix for OCP service-catalog prefix (sdodson@redhat.com) +- Fully qualify ocp ansible_service_broker_image_prefix (sdodson@redhat.com) + * Wed Jul 05 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.134-1 - diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml index c42e8781a..68ca6cdbf 100644 --- a/playbooks/common/openshift-cluster/service_catalog.yml +++ b/playbooks/common/openshift-cluster/service_catalog.yml 
@@ -1,8 +1,20 @@ --- - include: evaluate_groups.yml +- name: Update Master configs + hosts: oo_masters + tasks: + - block: + - include_role: + name: openshift_service_catalog + tasks_from: wire_aggregator + vars: + first_master: "{{ groups.oo_first_master[0] }}" + - name: Service Catalog hosts: oo_first_master roles: - openshift_service_catalog - ansible_service_broker + vars: + first_master: "{{ groups.oo_first_master[0] }}" diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 81c3f8e5b..9c3379291 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -48,13 +48,13 @@ namespace: openshift-ansible-service-broker state: present labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: asb ports: - name: port-1338 port: 1338 selector: - app: ansible-service-broker + app: openshift-ansible-service-broker service: asb - name: create etcd service @@ -66,7 +66,7 @@ - name: etcd-advertise port: 2379 selector: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd - name: create route for ansible-service-broker service @@ -118,12 +118,12 @@ name: etcd namespace: openshift-ansible-service-broker labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd spec: selector: matchLabels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd strategy: type: RollingUpdate @@ -134,7 +134,7 @@ template: metadata: labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd spec: restartPolicy: Always @@ -266,4 +266,4 @@ metadata: name: ansible-service-broker spec: - url: http://{{ ansible_service_broker_route }} + url: http://asb.openshift-ansible-service-broker.svc:1338 diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml index b5b38c1e1..b1bfa4592 100644 
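Review bot: The `block:` in the new `Update Master configs` play wraps a single `include_role` and carries no `rescue` or `always`, so it only adds one level of nesting; `tasks:` can hold the `include_role` directly. `first_master: "{{ groups.oo_first_master[0] }}"` is now declared in both plays, and the second play already runs on `oo_first_master`, so a reader has to look into the role to see why it is still passed there. A short comment above the first declaration, such as `# first_master: the host that holds the aggregator signer CA; the other masters copy their certs from it`, would make the intent visible in the playbook itself.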
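Review bot: The last hunk of `roles/ansible_service_broker/tasks/install.yml` registers the broker with `url: http://asb.openshift-ansible-service-broker.svc:1338`, so the catalog now reaches it over plain HTTP on the in-cluster service address instead of the previous route. Nothing in the hunk records that the broker listens in cleartext or why in-cluster transport without TLS is acceptable here; a comment next to that line, e.g. `# in-cluster service address; broker is reached over plain HTTP inside the cluster, the route is no longer used for registration`, would save the next reader from re-deriving the decision. The label rename to `app: openshift-ansible-service-broker` is applied to the two Services and the etcd Deployment shown; if any other object in this file (the broker's own Deployment or Route, if it selects by label) still uses the old value outside these hunks it would be silently orphaned, so grep the file for `app: ansible-service-broker` before merging.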
--- a/roles/etcd_common/defaults/main.yml +++ b/roles/etcd_common/defaults/main.yml @@ -44,6 +44,10 @@ etcd_ca_serial: "{{ etcd_ca_dir }}/serial" etcd_ca_crl_number: "{{ etcd_ca_dir }}/crlnumber" etcd_ca_default_days: 1825 +r_etcd_common_master_peer_cert_file: /etc/origin/master/master.etcd-client.crt +r_etcd_common_master_peer_key_file: /etc/origin/master/master.etcd-client.key +r_etcd_common_master_peer_ca_file: /etc/origin/master/master.etcd-ca.crt + # etcd server & certificate vars etcd_hostname: "{{ inventory_hostname }}" etcd_ip: "{{ ansible_default_ipv4.address }}" diff --git a/roles/etcd_common/tasks/backup.yml b/roles/etcd_common/tasks/backup.yml index 1a0b857f1..2bc486d3f 100644 --- a/roles/etcd_common/tasks/backup.yml +++ b/roles/etcd_common/tasks/backup.yml @@ -61,6 +61,21 @@ - r_etcd_common_embedded_etcd | bool - not l_ostree_booted.stat.exists | bool +- name: Check selinux label of '{{ l_etcd_data_dir }}' + command: > + stat -c '%C' {{ l_etcd_data_dir }} + register: l_etcd_selinux_labels + +- debug: + msg: "{{ l_etcd_selinux_labels }}" + +- name: Make sure the '{{ l_etcd_data_dir }}' has the proper label + command: > + chcon -t svirt_sandbox_file_t "{{ l_etcd_data_dir }}" + when: + - l_etcd_selinux_labels.rc == 0 + - "'svirt_sandbox_file_t' not in l_etcd_selinux_labels.stdout" + - name: Generate etcd backup command: > {{ r_etcd_common_etcdctl_command }} backup --data-dir={{ l_etcd_incontainer_data_dir }} diff --git a/roles/etcd_migrate/tasks/migrate.yml b/roles/etcd_migrate/tasks/migrate.yml index 7f441568a..4f987a051 100644 --- a/roles/etcd_migrate/tasks/migrate.yml +++ b/roles/etcd_migrate/tasks/migrate.yml 
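Review bot: The three new defaults are named `r_etcd_common_master_peer_*` but point at `master.etcd-client.crt`, `master.etcd-client.key` and `master.etcd-ca.crt`, i.e. the credentials a master uses as an etcd *client*, not peer certificates; `r_etcd_common_master_client_cert_file` (and the key/CA counterparts) would describe them accurately and avoid confusion with the `etcd_peer_*` variables that `roles/etcd_migrate/tasks/migrate.yml` used before this change. Whatever the names, a comment above the group would help, for example `# client cert/key/CA a master uses to reach etcd; used when the etcd-ttl migration runs on a master`.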
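Review bot: The `chcon -t svirt_sandbox_file_t` task in `roles/etcd_common/tasks/backup.yml` relabels `l_etcd_data_dir` only until the next relabel or `restorecon`, because `chcon` records no file-context rule; if the label is meant to stay, a `sefcontext` entry followed by `restorecon` is the durable form, and if a one-off relabel is intended a comment such as `# temporary relabel so the backup container can read the data dir; reverted by any relabel` should say so. On a host without SELinux enabled `stat -c '%C'` prints `?` with rc 0, so the `when` passes and `chcon` fails; guarding both tasks with `ansible_selinux.status == 'enabled'` avoids that, as far as I recall the fact layout. The `stat` command task has no `changed_when`, so every run reports a change — add `changed_when: false` — and the `debug` task that dumps the whole registered result should be dropped or given `verbosity: 1` so normal runs are not cluttered.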
@@ -36,9 +36,9 @@ - name: Re-introduce leases (as a replacement for key TTLs) command: > oadm migrate etcd-ttl \ - --cert {{ etcd_peer_cert_file }} \ - --key {{ etcd_peer_key_file }} \ - --cacert {{ etcd_peer_ca_file }} \ + --cert {{ r_etcd_common_master_peer_cert_file }} \ + --key {{ r_etcd_common_master_peer_key_file }} \ + --cacert {{ r_etcd_common_master_peer_ca_file }} \ --etcd-address 'https://{{ etcd_peer }}:{{ etcd_client_port }}' \ --ttl-keys-prefix {{ item }} \ --lease-duration 1h diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 30701a518..c960630ed 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1657,7 +1657,9 @@ def set_proxy_facts(facts): # at this point common['no_proxy'] is a LIST datastructure. It # may be empty, or it may contain some hostnames or ranges. - # We always add local dns domain and ourselves no matter what + # We always add local dns domain, the service domain, and + # ourselves, no matter what + common['no_proxy'].append('.svc') common['no_proxy'].append('.' + common['dns_domain']) common['no_proxy'].append(common['hostname']) diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml index 228196d74..07f02804b 100644 --- a/roles/openshift_logging_fluentd/defaults/main.yml +++ b/roles/openshift_logging_fluentd/defaults/main.yml @@ -49,6 +49,7 @@ openshift_logging_fluentd_aggregating_strict: "no" openshift_logging_fluentd_aggregating_cert_path: none openshift_logging_fluentd_aggregating_key_path: none openshift_logging_fluentd_aggregating_passphrase: none +openshift_logging_use_mux_client: False ### Deprecating in 3.6 openshift_logging_fluentd_es_copy: false diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2 index d9814370f..4b87379f6 100644 
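Review bot: `openshift_logging_use_mux_client: False` in `roles/openshift_logging_fluentd/defaults/main.yml` uses a capitalised boolean while the neighbouring `openshift_logging_fluentd_es_copy: false` in the same hunk is lowercase; both parse as booleans under YAML 1.1, but the file should use one spelling, so write `openshift_logging_use_mux_client: false`. A one-line comment above it, e.g. `# when true, fluentd mounts the logging-mux secret at /etc/fluent/muxkeys and sets USE_MUX_CLIENT`, would tie the default to the template that consumes it.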
--- a/roles/openshift_logging_fluentd/templates/fluentd.j2 +++ b/roles/openshift_logging_fluentd/templates/fluentd.j2 @@ -62,6 +62,11 @@ spec: - name: dockerdaemoncfg mountPath: /etc/docker readOnly: true +{% if openshift_logging_use_mux_client | bool %} + - name: muxcerts + mountPath: /etc/fluent/muxkeys + readOnly: true +{% endif %} env: - name: "K8S_HOST_URL" value: "{{ openshift_logging_fluentd_master_url }}" @@ -107,6 +112,8 @@ spec: resourceFieldRef: containerName: "{{ daemonset_container_name }}" resource: limits.memory + - name: "USE_MUX_CLIENT" + value: "{{ openshift_logging_use_mux_client | default('false') | lower }}" volumes: - name: runlogjournal hostPath: @@ -135,3 +142,8 @@ spec: - name: dockerdaemoncfg hostPath: path: /etc/docker +{% if openshift_logging_use_mux_client | bool %} + - name: muxcerts + secret: + secretName: logging-mux +{% endif %} diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index 880146ca4..ebefaeaba 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -115,6 +115,22 @@ objects: - bindings/status verbs: - update + - apiGroups: + - servicecatalog.k8s.io + resources: + - brokers + - instances + - bindings + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - patch + - create - kind: ClusterRoleBinding apiVersion: v1 diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 6e8301ffe..1342c3d30 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -6,7 +6,6 @@ register: mktemp changed_when: False - - include: wire_aggregator.yml - name: Set default image variables based on deployment_type 
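Review bot: The two new `{% if openshift_logging_use_mux_client | bool %}` stanzas in `fluentd.j2` and the `USE_MUX_CLIENT` env value `{{ openshift_logging_use_mux_client | default('false') | lower }}` treat an undefined variable differently: the env entry renders `false`, the conditions raise an undefined-variable error. Use one form in all three places — either `openshift_logging_use_mux_client | default(false) | bool` in the conditions, or drop the `default` from the env value now that the role's defaults define the variable. The mount at `/etc/fluent/muxkeys` exposes the `logging-mux` secret to the pod; `readOnly: true` is set, which is right, and a `{# client certs for forwarding to the mux service #}` comment next to the volume would say what the secret holds.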
diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml index 3e5897ba4..b8b8d0863 100644 --- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml +++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml 
@@ -1,16 +1,82 @@ --- +- name: Make temp cert dir + command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX + register: certtemp + changed_when: False + +- name: Check for First Master Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_crt + changed_when: false + delegate_to: "{{ first_master }}" + +- name: Check for First Master Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_key + changed_when: false + delegate_to: "{{ first_master }}" + + # TODO: this currently has a bug where hostnames are required -- name: Creating Aggregator signer certs +- name: Creating First Master Aggregator signer certs command: > oc adm ca create-signer-cert --cert=/etc/origin/master/front-proxy-ca.crt --key=/etc/origin/master/front-proxy-ca.key --serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_proxy_ca_crt.stat.exists + - not first_proxy_ca_key.stat.exists + +- name: Check for Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_crt + changed_when: false + +- name: Check for Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_key + changed_when: false + +- name: Copy Aggregator Signer certs from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + delegate_to: "{{ first_master }}" + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + +- name: Copy Aggregator Signer certs to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + # oc_adm_ca_server_cert: # cert: /etc/origin/master/front-proxy-ca.crt # key: 
/etc/origin/master/front-proxy-ca.key -- name: Create api-client config for Aggregator +- name: Check for first master api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: first_front_proxy_kubeconfig + delegate_to: "{{ first_master }}" + +- name: Create first master api-client config for Aggregator command: > oc adm create-api-client-config --certificate-authority=/etc/origin/master/front-proxy-ca.crt @@ -19,6 +85,37 @@ --user aggregator-front-proxy --client-dir=/etc/origin/master --signer-serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_front_proxy_kubeconfig.stat.exists + +- name: Check for api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: front_proxy_kubeconfig + +- name: Copy api-client config from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + delegate_to: "{{ first_master }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists + +- name: Copy api-client config to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists - name: Update master config yedit: @@ -84,3 +181,9 @@ changed_when: false when: - yedit_output.changed + +- name: Delete temp directory + file: + name: "{{ certtemp.stdout }}" + state: absent + changed_when: False diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2 index 33932eeb7..1bbc0fa2c 100644 --- a/roles/openshift_service_catalog/templates/controller_manager.j2 +++ b/roles/openshift_service_catalog/templates/controller_manager.j2 
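Review bot: Both `Check for First Master Aggregator Signer key` and `Check for Aggregator Signer key` stat `/etc/origin/master/front-proxy-ca.crt`, so `first_proxy_ca_key` and `proxy_ca_key` never reflect the key file and a master that has the CA certificate but no key is treated as complete; both tasks should use `path: /etc/origin/master/front-proxy-ca.key`. The `fetch` task has no `flat: yes`; with the default behaviour, as far as I remember it, the file lands under `dest/<hostname>/etc/origin/master/...` rather than at `dest`, so the following `copy` task's `src` would name a directory — add `flat: yes` here and to `Copy api-client config from first master` in the next hunk. The `copy` tasks that write `front-proxy-ca.key` (and `aggregator-front-proxy.key` in the next hunk) into `/etc/origin/master` set no mode, so the private keys get whatever the default yields; give them `mode: "0600"` explicitly, with `owner`/`group` matching the other master certificates.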
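Review bot: `Delete temp directory` removes `{{ certtemp.stdout }}` on the managed host, but the `fetch` tasks earlier in this file wrote `front-proxy-ca.key` and `aggregator-front-proxy.key` under that same path on the control node, and nothing in the hunk removes that copy; as far as I can tell the controller keeps the private keys under `/tmp` after the play. Add a second removal delegated to the controller, and consider running the `mktemp` on the controller as well so the staging directory is created, used and removed on the same host.
```yaml
# … unchanged: Delete temp directory (managed host) …
- name: Delete fetched certs from the control host
  file:
    name: "{{ certtemp.stdout }}"
    state: absent
  delegate_to: localhost
  changed_when: False
```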
@@ -17,6 +17,7 @@ spec: labels: app: controller-manager spec: + serviceAccountName: service-catalog-controller nodeSelector: {% for key, value in node_selector.iteritems() %} {{key}}: "{{value}}" diff --git a/roles/openshift_service_catalog/vars/openshift-enterprise.yml b/roles/openshift_service_catalog/vars/openshift-enterprise.yml index 3a96ff76c..4df60e9a8 100644 --- a/roles/openshift_service_catalog/vars/openshift-enterprise.yml +++ b/roles/openshift_service_catalog/vars/openshift-enterprise.yml @@ -1,3 +1,3 @@ --- __openshift_service_catalog_image_prefix: "registry.access.redhat.com/openshift3/ose-" -__openshift_service_catalog_image_version: "3.6.0" +__openshift_service_catalog_image_version: "v3.6" |
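Review bot: The pod template now pins `serviceAccountName: service-catalog-controller`, but this hunk does not show that service account being created or bound to a role; if the account is missing the controller-manager pods fail admission instead of running under the namespace default, so confirm the role's tasks create it and that the subject of the binding (presumably the one whose rules the `kubeservicecatalog_roles_bindings.yml` hunk extends) uses this exact name. A one-line comment above the new line, such as `{# runs as the dedicated controller SA so it can list/watch brokers, instances and bindings #}`, would document the dependency between the template and the role definitions.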