-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--openshift-ansible.spec18
-rw-r--r--playbooks/common/openshift-cluster/service_catalog.yml12
-rw-r--r--roles/ansible_service_broker/tasks/install.yml14
-rw-r--r--roles/etcd_common/defaults/main.yml4
-rw-r--r--roles/etcd_common/tasks/backup.yml15
-rw-r--r--roles/etcd_migrate/tasks/migrate.yml6
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py4
-rw-r--r--roles/openshift_logging_fluentd/defaults/main.yml1
-rw-r--r--roles/openshift_logging_fluentd/templates/fluentd.j212
-rw-r--r--roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml16
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml1
-rw-r--r--roles/openshift_service_catalog/tasks/wire_aggregator.yml107
-rw-r--r--roles/openshift_service_catalog/templates/controller_manager.j21
-rw-r--r--roles/openshift_service_catalog/vars/openshift-enterprise.yml2
15 files changed, 198 insertions, 17 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 5ae5d035e..a3da9c085 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.6.134-1 ./
+3.6.136-1 ./
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 43111f72d..7328dfdbc 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -9,7 +9,7 @@
%global __requires_exclude ^/usr/bin/ansible-playbook$
Name: openshift-ansible
-Version: 3.6.134
+Version: 3.6.136
Release: 1%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
@@ -280,6 +280,22 @@ Atomic OpenShift Utilities includes
%changelog
+* Thu Jul 06 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.136-1
+- Synching certs and aggregator configs from first master to all other masters
+ (ewolinet@redhat.com)
+- Addressing servicecatalog doesnt have enough permissions and multimaster
+ config for service-catalog (ewolinet@redhat.com)
+- add back mux_client config that was removed (rmeggins@redhat.com)
+- use master etcd certificates when delegating oadm migrate etcd-ttl
+ (jchaloup@redhat.com)
+
+* Wed Jul 05 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.135-1
+- Update the tag for enterprise service catalog (sdodson@redhat.com)
+- Fix missing service domain .svc in NO_PROXY settings (tbielawa@redhat.com)
+- drop etcdctl before the etcd_container service (jchaloup@redhat.com)
+- Fix prefix for OCP service-catalog prefix (sdodson@redhat.com)
+- Fully qualify ocp ansible_service_broker_image_prefix (sdodson@redhat.com)
+
* Wed Jul 05 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.6.134-1
-
diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml
index c42e8781a..68ca6cdbf 100644
--- a/playbooks/common/openshift-cluster/service_catalog.yml
+++ b/playbooks/common/openshift-cluster/service_catalog.yml
@@ -1,8 +1,20 @@
---
- include: evaluate_groups.yml
+- name: Update Master configs
+ hosts: oo_masters
+ tasks:
+ - block:
+ - include_role:
+ name: openshift_service_catalog
+ tasks_from: wire_aggregator
+ vars:
+ first_master: "{{ groups.oo_first_master[0] }}"
+
- name: Service Catalog
hosts: oo_first_master
roles:
- openshift_service_catalog
- ansible_service_broker
+ vars:
+ first_master: "{{ groups.oo_first_master[0] }}"
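Review bot: The `block:` in the new "Update Master configs" play wraps a single `include_role` with no `when`, `rescue` or `always`, so it adds a level of nesting and nothing else; the `include_role` can sit directly under `tasks:`. `first_master: "{{ groups.oo_first_master[0] }}"` is now declared once per play, so a third play following this pattern would need a third copy; one shared definition would keep them in step. A one-line comment above the first play saying that it runs the aggregator wiring on every master so that certificates and kubeconfigs generated on the first master are replicated before the catalog itself is installed would make the ordering of the two plays self-explanatory.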
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index 81c3f8e5b..9c3379291 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -48,13 +48,13 @@
namespace: openshift-ansible-service-broker
state: present
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: asb
ports:
- name: port-1338
port: 1338
selector:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: asb
- name: create etcd service
@@ -66,7 +66,7 @@
- name: etcd-advertise
port: 2379
selector:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
- name: create route for ansible-service-broker service
@@ -118,12 +118,12 @@
name: etcd
namespace: openshift-ansible-service-broker
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
spec:
selector:
matchLabels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
strategy:
type: RollingUpdate
@@ -134,7 +134,7 @@
template:
metadata:
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
spec:
restartPolicy: Always
@@ -266,4 +266,4 @@
metadata:
name: ansible-service-broker
spec:
- url: http://{{ ansible_service_broker_route }}
+ url: http://asb.openshift-ansible-service-broker.svc:1338
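Review bot: `url: http://asb.openshift-ansible-service-broker.svc:1338` hard-codes a namespace and a port that are already spelled out earlier in this file (`namespace: openshift-ansible-service-broker`, `port: 1338`), so a second literal copy will drift silently if either of them changes; build the URL from the same role variables those fields use, or at least add a comment tying the three together. The scheme stays plain `http`, as it was with the route before this change, so catalog-to-broker traffic relies on the cluster network for confidentiality; a short comment stating that this is intended would save the next reader from questioning it.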
diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml
index b5b38c1e1..b1bfa4592 100644
--- a/roles/etcd_common/defaults/main.yml
+++ b/roles/etcd_common/defaults/main.yml
@@ -44,6 +44,10 @@ etcd_ca_serial: "{{ etcd_ca_dir }}/serial"
etcd_ca_crl_number: "{{ etcd_ca_dir }}/crlnumber"
etcd_ca_default_days: 1825
+r_etcd_common_master_peer_cert_file: /etc/origin/master/master.etcd-client.crt
+r_etcd_common_master_peer_key_file: /etc/origin/master/master.etcd-client.key
+r_etcd_common_master_peer_ca_file: /etc/origin/master/master.etcd-ca.crt
+
# etcd server & certificate vars
etcd_hostname: "{{ inventory_hostname }}"
etcd_ip: "{{ ansible_default_ipv4.address }}"
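Review bot: The three new variables are named `*_master_peer_*` but point at the master's etcd client credentials (`master.etcd-client.crt`/`.key`, `master.etcd-ca.crt`), which are a different thing from the etcd peer certificates that the `etcd_peer_*` names elsewhere in this role refer to; `r_etcd_common_master_client_cert_file` (with `_key_file` and `_ca_file`) would describe them accurately, with the same rename applied in migrate.yml. They also hard-code `/etc/origin/master` while the neighbouring entries derive their paths from a directory variable (`{{ etcd_ca_dir }}/crlnumber`). A comment above them explaining that they are read on a master host (the changelog says the `oadm migrate etcd-ttl` call is delegated there) would make clear why no etcd-side directory variable applies.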
diff --git a/roles/etcd_common/tasks/backup.yml b/roles/etcd_common/tasks/backup.yml
index 1a0b857f1..2bc486d3f 100644
--- a/roles/etcd_common/tasks/backup.yml
+++ b/roles/etcd_common/tasks/backup.yml
@@ -61,6 +61,21 @@
- r_etcd_common_embedded_etcd | bool
- not l_ostree_booted.stat.exists | bool
+- name: Check selinux label of '{{ l_etcd_data_dir }}'
+ command: >
+ stat -c '%C' {{ l_etcd_data_dir }}
+ register: l_etcd_selinux_labels
+
+- debug:
+ msg: "{{ l_etcd_selinux_labels }}"
+
+- name: Make sure the '{{ l_etcd_data_dir }}' has the proper label
+ command: >
+ chcon -t svirt_sandbox_file_t "{{ l_etcd_data_dir }}"
+ when:
+ - l_etcd_selinux_labels.rc == 0
+ - "'svirt_sandbox_file_t' not in l_etcd_selinux_labels.stdout"
+
- name: Generate etcd backup
command: >
{{ r_etcd_common_etcdctl_command }} backup --data-dir={{ l_etcd_incontainer_data_dir }}
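Review bot: The `debug` task at `msg: "{{ l_etcd_selinux_labels }}"` dumps the whole registered result on every run and reads like leftover troubleshooting output; drop it or gate it with `verbosity: 2`. The `stat -c '%C'` task has no `changed_when: false`, so the play reports a change on each execution, and because `command` fails on a non-zero exit the `l_etcd_selinux_labels.rc == 0` guard can never be false unless a `failed_when` or `ignore_errors` is added to the stat task. Note that `chcon -t svirt_sandbox_file_t` without `-R` relabels only the directory inode, not the files beneath it, and the label does not survive a filesystem relabel; if the intent is to let the containerised etcdctl read the data directory, confirm whether the contents need the label as well.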
diff --git a/roles/etcd_migrate/tasks/migrate.yml b/roles/etcd_migrate/tasks/migrate.yml
index 7f441568a..4f987a051 100644
--- a/roles/etcd_migrate/tasks/migrate.yml
+++ b/roles/etcd_migrate/tasks/migrate.yml
@@ -36,9 +36,9 @@
- name: Re-introduce leases (as a replacement for key TTLs)
command: >
oadm migrate etcd-ttl \
- --cert {{ etcd_peer_cert_file }} \
- --key {{ etcd_peer_key_file }} \
- --cacert {{ etcd_peer_ca_file }} \
+ --cert {{ r_etcd_common_master_peer_cert_file }} \
+ --key {{ r_etcd_common_master_peer_key_file }} \
+ --cacert {{ r_etcd_common_master_peer_ca_file }} \
--etcd-address 'https://{{ etcd_peer }}:{{ etcd_client_port }}' \
--ttl-keys-prefix {{ item }} \
--lease-duration 1h
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 30701a518..c960630ed 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1657,7 +1657,9 @@ def set_proxy_facts(facts):
# at this point common['no_proxy'] is a LIST datastructure. It
# may be empty, or it may contain some hostnames or ranges.
- # We always add local dns domain and ourselves no matter what
+ # We always add local dns domain, the service domain, and
+ # ourselves, no matter what
+ common['no_proxy'].append('.svc')
common['no_proxy'].append('.' + common['dns_domain'])
common['no_proxy'].append(common['hostname'])
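Review bot: `common['no_proxy'].append('.svc')` adds the entry unconditionally, so when the caller-supplied list already contains `.svc` the resulting NO_PROXY carries it twice; set_proxy_facts continues outside the hunk, so a later de-duplication may cover this, but if there is none, guard it with `if '.svc' not in common['no_proxy']: common['no_proxy'].append('.svc')`. The updated comment could also say why `.svc` is needed (in-cluster service addresses must bypass the proxy), since that is the reasoning the fix in the changelog relies on.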
diff --git a/roles/openshift_logging_fluentd/defaults/main.yml b/roles/openshift_logging_fluentd/defaults/main.yml
index 228196d74..07f02804b 100644
--- a/roles/openshift_logging_fluentd/defaults/main.yml
+++ b/roles/openshift_logging_fluentd/defaults/main.yml
@@ -49,6 +49,7 @@ openshift_logging_fluentd_aggregating_strict: "no"
openshift_logging_fluentd_aggregating_cert_path: none
openshift_logging_fluentd_aggregating_key_path: none
openshift_logging_fluentd_aggregating_passphrase: none
+openshift_logging_use_mux_client: False
### Deprecating in 3.6
openshift_logging_fluentd_es_copy: false
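Review bot: `openshift_logging_use_mux_client: False` uses the capitalised spelling while the rest of this file writes booleans in lowercase (`openshift_logging_fluentd_es_copy: false` two lines below); write `openshift_logging_use_mux_client: false`, since YAML 1.1 and 1.2 loaders do not agree on the capitalised forms. A short comment stating what the flag enables (the mux client secret mount and the `USE_MUX_CLIENT` env in fluentd.j2) would help, as nothing near it documents it.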
diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2
index d9814370f..4b87379f6 100644
--- a/roles/openshift_logging_fluentd/templates/fluentd.j2
+++ b/roles/openshift_logging_fluentd/templates/fluentd.j2
@@ -62,6 +62,11 @@ spec:
- name: dockerdaemoncfg
mountPath: /etc/docker
readOnly: true
+{% if openshift_logging_use_mux_client | bool %}
+ - name: muxcerts
+ mountPath: /etc/fluent/muxkeys
+ readOnly: true
+{% endif %}
env:
- name: "K8S_HOST_URL"
value: "{{ openshift_logging_fluentd_master_url }}"
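Review bot: The `{% if openshift_logging_use_mux_client | bool %}` guard here, and the matching one around the `muxcerts` volume in the last hunk, evaluate the variable bare, while the `USE_MUX_CLIENT` env line in the second hunk applies `| default('false')`; either the default is redundant because the role defaults define the variable, or the guards fail with an undefined-variable error in exactly the case where the env line's default would have applied. Pick one convention: drop the `default` on the env line, or write `{% if openshift_logging_use_mux_client | default(false) | bool %}` on both guards. Mounting the secret `readOnly: true` is the right choice for key material.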
@@ -107,6 +112,8 @@ spec:
resourceFieldRef:
containerName: "{{ daemonset_container_name }}"
resource: limits.memory
+ - name: "USE_MUX_CLIENT"
+ value: "{{ openshift_logging_use_mux_client | default('false') | lower }}"
volumes:
- name: runlogjournal
hostPath:
@@ -135,3 +142,8 @@ spec:
- name: dockerdaemoncfg
hostPath:
path: /etc/docker
+{% if openshift_logging_use_mux_client | bool %}
+ - name: muxcerts
+ secret:
+ secretName: logging-mux
+{% endif %}
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 880146ca4..ebefaeaba 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -115,6 +115,22 @@ objects:
- bindings/status
verbs:
- update
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - brokers
+ - instances
+ - bindings
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - patch
+ - create
- kind: ClusterRoleBinding
apiVersion: v1
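Review bot: The two added rules widen whichever role this `rules` list belongs to (its `kind` and `metadata.name` are above the hunk), and nothing records for which component; a comment such as `# controller-manager: lists/watches catalog resources and records events` above the first new rule would let a later reviewer check the grant against its consumer. Rules for `servicecatalog.k8s.io` already exist just above (the `bindings/status` `update` rule at the top of the hunk), so keeping the new `list`/`watch` rule adjacent to them would show the group's footprint in one place. The `events` rule is limited to `create` and `patch`, which matches what an event recorder uses.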
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 6e8301ffe..1342c3d30 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -6,7 +6,6 @@
register: mktemp
changed_when: False
-
- include: wire_aggregator.yml
- name: Set default image variables based on deployment_type
diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
index 3e5897ba4..b8b8d0863 100644
--- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml
+++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
@@ -1,16 +1,82 @@
---
+- name: Make temp cert dir
+ command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
+ register: certtemp
+ changed_when: False
+
+- name: Check for First Master Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_crt
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+- name: Check for First Master Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_key
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+
# TODO: this currently has a bug where hostnames are required
-- name: Creating Aggregator signer certs
+- name: Creating First Master Aggregator signer certs
command: >
oc adm ca create-signer-cert
--cert=/etc/origin/master/front-proxy-ca.crt
--key=/etc/origin/master/front-proxy-ca.key
--serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_proxy_ca_crt.stat.exists
+ - not first_proxy_ca_key.stat.exists
+
+- name: Check for Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_crt
+ changed_when: false
+
+- name: Check for Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_key
+ changed_when: false
+
+- name: Copy Aggregator Signer certs from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ delegate_to: "{{ first_master }}"
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
+- name: Copy Aggregator Signer certs to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
# oc_adm_ca_server_cert:
# cert: /etc/origin/master/front-proxy-ca.crt
# key: /etc/origin/master/front-proxy-ca.key
-- name: Create api-client config for Aggregator
+- name: Check for first master api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: first_front_proxy_kubeconfig
+ delegate_to: "{{ first_master }}"
+
+- name: Create first master api-client config for Aggregator
command: >
oc adm create-api-client-config
--certificate-authority=/etc/origin/master/front-proxy-ca.crt
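Review bot: Both "Signer key" stat tasks look at the certificate instead of the key: the `path: /etc/origin/master/front-proxy-ca.crt` lines under `register: first_proxy_ca_key` and `register: proxy_ca_key` should read `path: /etc/origin/master/front-proxy-ca.key`, and since each `when` list requires both files to be missing, a master that has lost only the key is never repaired (use `or`). The `fetch` task also lacks `flat: true`, so with fetch's default layout the file lands under `{{ certtemp.stdout }}/front-proxy-ca.crt/<first_master>/etc/origin/master/...` and the following `copy` task's `src` names a directory rather than the file; the api-client fetch/copy pair in the next hunk has the same problem. The `copy` that writes `front-proxy-ca.key` onto each master sets no `mode`, so the CA private key takes whatever mode the controller's umask yields. `mktemp` runs on the managed host while `fetch`/`copy` treat its output as a controller path; the cleanup hunk at the end of the file inherits that mismatch.
```yaml
- name: Copy Aggregator Signer certs from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: true
  # … unchanged: with_items (front-proxy-ca.crt, front-proxy-ca.key), delegate_to …
  when:
    - not proxy_ca_key.stat.exists or not proxy_ca_crt.stat.exists

- name: Copy Aggregator Signer certs to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
    mode: "{{ '0600' if item.endswith('.key') else '0644' }}"
  # … unchanged: with_items (front-proxy-ca.crt, front-proxy-ca.key) …
  when:
    - not proxy_ca_key.stat.exists or not proxy_ca_crt.stat.exists
```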
@@ -19,6 +85,37 @@
--user aggregator-front-proxy
--client-dir=/etc/origin/master
--signer-serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_front_proxy_kubeconfig.stat.exists
+
+- name: Check for api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: front_proxy_kubeconfig
+
+- name: Copy api-client config from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ delegate_to: "{{ first_master }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
+
+- name: Copy api-client config to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
- name: Update master config
yedit:
@@ -84,3 +181,9 @@
changed_when: false
when:
- yedit_output.changed
+
+- name: Delete temp directory
+ file:
+ name: "{{ certtemp.stdout }}"
+ state: absent
+ changed_when: False
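Review bot: The cleanup removes `{{ certtemp.stdout }}` on the managed host, but that path only ever holds data on the Ansible controller: `fetch` writes into it locally and `copy` reads from it, so after the play the fetched `front-proxy-ca.key`, `aggregator-front-proxy.key` and kubeconfig remain under the controller's /tmp. Add `delegate_to: localhost` to this task, and to the `mktemp` task at the top of the file so the directory is created (with mktemp's 0700 mode) on the host that actually uses it. Consider also moving the deletion into a `block`/`always` so the key material is removed even when an intermediate task fails.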
diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2
index 33932eeb7..1bbc0fa2c 100644
--- a/roles/openshift_service_catalog/templates/controller_manager.j2
+++ b/roles/openshift_service_catalog/templates/controller_manager.j2
@@ -17,6 +17,7 @@ spec:
labels:
app: controller-manager
spec:
+ serviceAccountName: service-catalog-controller
nodeSelector:
{% for key, value in node_selector.iteritems() %}
{{key}}: "{{value}}"
diff --git a/roles/openshift_service_catalog/vars/openshift-enterprise.yml b/roles/openshift_service_catalog/vars/openshift-enterprise.yml
index 3a96ff76c..4df60e9a8 100644
--- a/roles/openshift_service_catalog/vars/openshift-enterprise.yml
+++ b/roles/openshift_service_catalog/vars/openshift-enterprise.yml
@@ -1,3 +1,3 @@
---
__openshift_service_catalog_image_prefix: "registry.access.redhat.com/openshift3/ose-"
-__openshift_service_catalog_image_version: "3.6.0"
+__openshift_service_catalog_image_version: "v3.6"