Diffstat (limited to 'playbooks/common/openshift-cluster')
13 files changed, 154 insertions, 48 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index 4ca0d48e4..dbe09dce2 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml @@ -8,7 +8,10 @@ vars: - r_openshift_health_checker_playbook_context: install post_tasks: - - action: openshift_health_check + + - name: Verify Requirements - EL + when: ansible_distribution != "Fedora" + action: openshift_health_check args: checks: - disk_availability @@ -17,10 +20,12 @@ - package_version - docker_image_availability - docker_storage - -- include: ../openshift-etcd/ca.yml - -- include: ../openshift-etcd/certificates.yml + - name: Verify Requirements - Fedora + when: ansible_distribution == "Fedora" + action: openshift_health_check + args: + checks: + - docker_image_availability - include: ../openshift-etcd/config.yml @@ -30,16 +35,10 @@ - include: ../openshift-loadbalancer/config.yml when: groups.oo_lb_to_config | default([]) | count > 0 -- include: ../openshift-master/ca.yml - -- include: ../openshift-master/certificates.yml - - include: ../openshift-master/config.yml - include: ../openshift-master/additional_config.yml -- include: ../openshift-node/certificates.yml - - include: ../openshift-node/config.yml - include: ../openshift-glusterfs/config.yml @@ -56,6 +55,9 @@ - include: service_catalog.yml when: openshift_enable_service_catalog | default(false) | bool +- include: openshift_management.yml + when: openshift_management_install_management | default(false) | bool + - name: Print deprecated variable warning message if necessary hosts: oo_first_master gather_facts: no diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml index 6100c36e1..e6400ea61 100644 --- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml +++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml 
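Review bot: In playbooks/common/openshift-cluster/config.yml the new `Verify Requirements - Fedora` task runs only `docker_image_availability`, so Fedora hosts skip every other check the EL task lists (`disk_availability`, `package_version` and `docker_storage` among the visible ones), and nothing in the file says why. A comment above the Fedora task would keep this from reading as an oversight, for example `# Fedora: only image availability is verified; the remaining EL checks are not run on this distribution`. Both `when:` conditions read `ansible_distribution`, so the play depends on gathered facts; whether it gathers them is not visible in this hunk.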
@@ -19,8 +19,8 @@ # NOTE: We set this even on etcd hosts as they may also later run as masters, # and we don't want to install wrong version of docker and have to downgrade # later. -- name: Set openshift_version for all hosts - hosts: oo_all_hosts:!oo_first_master +- name: Set openshift_version for etcd, node, and master hosts + hosts: oo_etcd_to_config:oo_nodes_to_config:oo_masters_to_config:!oo_first_master vars: openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}" pre_tasks: diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index 32e5e708a..c1536eb36 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -1,7 +1,6 @@ --- - name: Hosted Install Checkpoint Start - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Hosted install 'In Progress' @@ -26,8 +25,7 @@ when: openshift_hosted_prometheus_deploy | default(False) | bool - name: Hosted Install Checkpoint End - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Hosted install 'Complete' diff --git a/playbooks/common/openshift-cluster/openshift_logging.yml b/playbooks/common/openshift-cluster/openshift_logging.yml index 69f50fbcd..529a4c939 100644 --- a/playbooks/common/openshift-cluster/openshift_logging.yml +++ b/playbooks/common/openshift-cluster/openshift_logging.yml @@ -1,7 +1,6 @@ --- - name: Logging Install Checkpoint Start - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Logging install 'In Progress' @@ -24,8 +23,7 @@ tasks_from: update_master_config - name: Logging Install Checkpoint End - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Logging install 'Complete' 
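Review bot: In initialize_openshift_version.yml the comment kept above this play still explains why etcd hosts are included, but the new pattern `oo_etcd_to_config:oo_nodes_to_config:oo_masters_to_config:!oo_first_master` drops any other group that `oo_all_hosts` may have covered without saying so. If a later play on such hosts reads `openshift_version`, the variable would now be undefined there (config.yml on this page configures load balancers from `groups.oo_lb_to_config`, for instance); this cannot be confirmed from the hunk. Extending the comment with a line such as `# Hosts outside the etcd, node and master groups do not get openshift_version set` would record the narrowing. The play body continues past the end of the hunk.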
diff --git a/playbooks/common/openshift-cluster/openshift_management.yml b/playbooks/common/openshift-cluster/openshift_management.yml new file mode 100644 index 000000000..6e582920b --- /dev/null +++ b/playbooks/common/openshift-cluster/openshift_management.yml @@ -0,0 +1,25 @@ +--- +- name: Management Install Checkpoint Start + hosts: localhost + connection: local + gather_facts: false + tasks: + - name: Set Management install 'In Progress' + set_stats: + data: + installer_phase_Management: "In Progress" + aggregate: false + +- name: Management + include: ../openshift-management/config.yml + +- name: Management Install Checkpoint End + hosts: localhost + connection: local + gather_facts: false + tasks: + - name: Set Management install 'Complete' + set_stats: + data: + installer_phase_Management: "Complete" + aggregate: false diff --git a/playbooks/common/openshift-cluster/openshift_metrics.yml b/playbooks/common/openshift-cluster/openshift_metrics.yml index e369dcd86..9c0bd489b 100644 --- a/playbooks/common/openshift-cluster/openshift_metrics.yml +++ b/playbooks/common/openshift-cluster/openshift_metrics.yml @@ -1,7 +1,6 @@ --- - name: Metrics Install Checkpoint Start - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Metrics install 'In Progress' @@ -25,8 +24,7 @@ tasks_from: update_master_config.yaml - name: Metrics Install Checkpoint End - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Metrics install 'Complete' diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml index 12cd209d2..2068ed199 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml +++ b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml 
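Review bot: The two checkpoint plays in the new openshift_management.yml use `hosts: localhost` with `connection: local`, while this same commit changes the matching checkpoint plays in openshift_hosted.yml, openshift_logging.yml, openshift_metrics.yml, service_catalog.yml and std_include.yml to `hosts: oo_all_hosts`. The two forms run `set_stats` in different places, once on the controller versus once per targeted host, so the Management phase would be recorded differently from the other phases. One form should be used throughout; if the new file is meant to follow the others, both plays would read `hosts: oo_all_hosts` and drop `connection: local`.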
@@ -44,8 +44,8 @@ - modify_yaml: dest: "{{ openshift.common.config_base }}/master/master-config.yaml" yaml_key: servingInfo.clientCA - yaml_value: ca-bundle.crt - when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca-bundle.crt' + yaml_value: ca.crt + when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt' - modify_yaml: dest: "{{ openshift.common.config_base }}/master/master-config.yaml" yaml_key: etcdClientInfo.ca @@ -114,12 +114,18 @@ register: g_new_openshift_ca_mktemp changed_when: false -- include: ../../openshift-master/ca.yml +- name: Create OpenShift CA + hosts: oo_first_master vars: # Set openshift_ca_config_dir to a temporary directory where CA # will be created. We'll replace the existing CA with the CA # created in the temporary directory. openshift_ca_config_dir: "{{ hostvars[groups.oo_first_master.0].g_new_openshift_ca_mktemp.stdout }}" + roles: + - role: openshift_master_facts + - role: openshift_named_certificates + - role: openshift_ca + openshift_ca_host: "{{ groups.oo_first_master.0 }}" - name: Create temp directory for syncing certs hosts: localhost diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml index 95a8f601c..bd964b2ce 100644 --- a/playbooks/common/openshift-cluster/service_catalog.yml +++ b/playbooks/common/openshift-cluster/service_catalog.yml @@ -1,7 +1,6 @@ --- - name: Service Catalog Install Checkpoint Start - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Service Catalog install 'In Progress' @@ -20,8 +19,7 @@ first_master: "{{ groups.oo_first_master[0] }}" - name: Service Catalog Install Checkpoint End - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set Service Catalog install 'Complete' 
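Review bot: In redeploy-certificates/openshift-ca.yml the `modify_yaml` task now points `servingInfo.clientCA` at `ca.crt` instead of `ca-bundle.crt`, which changes the trust anchor the master uses to validate client certificates in the middle of a CA redeploy. If `ca.crt` ends up holding only the newly generated CA, client certificates issued by the previous CA would stop validating until they are reissued; the surrounding tasks are outside the hunk, so the ordering cannot be checked here. A comment on the task, for example `# clientCA points at ca.crt; the previous CA stays trusted only while ca.crt still contains it`, would make the assumption explicit for whoever runs this playbook against a live cluster.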
diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml index 090ad6445..45b34c8bd 100644 --- a/playbooks/common/openshift-cluster/std_include.yml +++ b/playbooks/common/openshift-cluster/std_include.yml @@ -1,7 +1,6 @@ --- - name: Initialization Checkpoint Start - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false roles: - installer_checkpoint @@ -37,8 +36,7 @@ - always - name: Initialization Checkpoint End - hosts: localhost - connection: local + hosts: oo_all_hosts gather_facts: false tasks: - name: Set install initialization 'Complete' diff --git a/playbooks/common/openshift-cluster/upgrades/files/shared_resource_viewer_role.yaml b/playbooks/common/openshift-cluster/upgrades/files/shared_resource_viewer_role.yaml new file mode 100644 index 000000000..9c9c260fb --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/files/shared_resource_viewer_role.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: v1 +kind: Role +metadata: + name: shared-resource-viewer + namespace: openshift +rules: +- apiGroups: + - "" + - template.openshift.io + attributeRestrictions: null + resources: + - templates + verbs: + - get + - list + - watch +- apiGroups: + - "" + - image.openshift.io + attributeRestrictions: null + resources: + - imagestreamimages + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch +- apiGroups: + - "" + - image.openshift.io + attributeRestrictions: null + resources: + - imagestreams/layers + verbs: + - get diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml index 07e521a89..122066955 100644 --- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml 
@@ -103,9 +103,16 @@ openshift_hosted_templates_import_command: replace # Check for warnings to be printed at the end of the upgrade: -- name: Check for warnings +- name: Clean up and display warnings hosts: oo_masters_to_config - tasks: + tags: + - always + gather_facts: no + roles: + - role: openshift_excluder + r_openshift_excluder_action: enable + r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + post_tasks: # Check if any masters are using pluginOrderOverride and warn if so, only for 1.3/3.3 and beyond: - name: grep pluginOrderOverride command: grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml @@ -121,12 +128,8 @@ - not grep_plugin_order_override | skipped - grep_plugin_order_override.rc == 0 -- name: Re-enable excluder if it was previously enabled - hosts: oo_masters_to_config - tags: - - always - gather_facts: no - roles: - - role: openshift_excluder - r_openshift_excluder_action: enable - r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + - name: Warn if shared-resource-viewer could not be updated + debug: + msg: "WARNING the shared-resource-viewer role could not be upgraded to 3.6 spec because it's marked protected, please see https://bugzilla.redhat.com/show_bug.cgi?id=1493213" + when: + - __shared_resource_viewer_protected | default(false) diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index da47491c1..c37a5f9ab 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -31,7 +31,6 @@ role: master local_facts: embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" - debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level | default(2)) }}" - name: Upgrade and backup etcd include: ./etcd/main.yml 
@@ -193,6 +192,7 @@ # Another spot where we assume docker is running and do not want to accidentally trigger an unsafe # restart. skip_docker_role: True + __master_shared_resource_viewer_file: "shared_resource_viewer_role.yaml" tasks: - name: Reconcile Cluster Roles command: > @@ -231,6 +231,44 @@ - reconcile_jenkins_role_binding_result.rc == 0 when: (not openshift.common.version_gte_3_7 | bool) and (openshift.common.version_gte_3_4_or_1_4 | bool) + - when: (openshift.common.version_gte_3_6 | bool) and (not openshift.common.version_gte_3_7 | bool) + block: + - name: Retrieve shared-resource-viewer + oc_obj: + state: list + kind: role + name: "shared-resource-viewer" + namespace: "openshift" + register: objout + + - name: Determine if shared-resource-viewer is protected + set_fact: + __shared_resource_viewer_protected: true + when: + - "'results' in objout" + - "'results' in objout['results']" + - "'annotations' in objout['results']['results'][0]['metadata']" + - "'openshift.io/reconcile-protect' in objout['results']['results'][0]['metadata']['annotations']" + - "objout['results']['results'][0]['metadata']['annotations']['openshift.io/reconcile-protect'] == 'true'" + + - copy: + src: "{{ item }}" + dest: "/tmp/{{ item }}" + with_items: + - "{{ __master_shared_resource_viewer_file }}" + when: __shared_resource_viewer_protected is not defined + + - name: Fixup shared-resource-viewer role + oc_obj: + state: present + kind: role + name: "shared-resource-viewer" + namespace: "openshift" + files: + - "/tmp/{{ __master_shared_resource_viewer_file }}" + delete_after: true + when: __shared_resource_viewer_protected is not defined + - name: Reconcile Security Context Constraints command: > {{ openshift.common.client_binary }} adm policy --config={{ openshift.common.config_base }}/master/admin.kubeconfig reconcile-sccs --confirm --additive-only=true -o name 
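Review bot: In upgrade_control_plane.yml the unnamed `copy` task writes the role definition to the fixed path `/tmp/{{ item }}`, and the following `Fixup shared-resource-viewer role` task feeds that file to `oc_obj` with `state: present`, so a role in the `openshift` namespace is created from a predictable file name in a shared directory. Creating a private directory first, the way `g_new_openshift_ca_mktemp` is registered in redeploy-certificates/openshift-ca.yml, and pointing both tasks at it with `dest: "{{ <registered mktemp result>.stdout }}/{{ item }}"` (placeholder name) removes the dependence on a guessable path; the copy should also get a `name:` and an explicit `mode: "0600"`. Separately, the `when:` list on `Determine if shared-resource-viewer is protected` indexes `objout['results']['results'][0]['metadata']` without checking that the list is non-empty and that the entry has `metadata`, which may fail when the role does not exist; what `oc_obj` returns in that case is not shown here.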
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml index ed89dbe8d..df59a8782 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml @@ -14,3 +14,8 @@ dest: "{{ openshift.common.config_base}}/master/master-config.yaml" yaml_key: 'kubernetesMasterConfig.admissionConfig' yaml_value: + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'controllerConfig.election.lockName' + yaml_value: 'openshift-master-controllers' |