11 files changed, 482 insertions, 0 deletions

diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_8/README.md b/playbooks/byo/openshift-cluster/upgrades/v3_8/README.md
new file mode 100644
index 000000000..d9be6ae3b
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_8/README.md
@@ -0,0 +1,20 @@
+# v3.6 Major and Minor Upgrade Playbook
+
+## Overview
+This playbook currently performs the following steps.
+
+ * Upgrade and restart master services
+ * Unschedule node
+ * Upgrade and restart docker
+ * Upgrade and restart node services
+ * Modifies the subset of the configuration necessary
+ * Applies the latest cluster policies
+ * Updates the default router if one exists
+ * Updates the default registry if one exists
+ * Updates image streams and quickstarts
+
+## Usage
+
+```
+ansible-playbook -i ~/ansible-inventory openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade.yml
+```
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade.yml
new file mode 100644
index 000000000..3d4e6a790
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade.yml
@@ -0,0 +1,7 @@
+---
+#
+# Full Control Plane + Nodes Upgrade
+#
+- include: ../../initialize_groups.yml
+
+- include: ../../../../common/openshift-cluster/upgrades/v3_8/upgrade.yml
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml b/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
new file mode 100644
index 000000000..d83305119
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
@@ -0,0 +1,16 @@
+---
+#
+# Control Plane Upgrade Playbook
+#
+# Upgrades masters and Docker (only on standalone etcd hosts)
+#
+# This upgrade does not include:
+# - node service running on masters
+# - docker running on masters
+# - node service running on dedicated nodes
+#
+# You can run the upgrade_nodes.yml playbook after this to upgrade these components separately.
+#
+- include: ../../initialize_groups.yml
+
+- include: ../../../../common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml b/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml
new file mode 100644
index 000000000..a972bb7a6
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml
@@ -0,0 +1,9 @@
+---
+#
+# Node Upgrade Playbook
+#
+# Upgrades nodes only, but requires the control plane to have already been upgraded.
+#
+- include: ../../initialize_groups.yml
+
+- include: ../../../../common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/filter_plugins b/playbooks/common/openshift-cluster/upgrades/v3_8/filter_plugins
new file mode 120000
index 000000000..7de3c1dd7
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/filter_plugins
@@ -0,0 +1 @@
+../../../../../filter_plugins/
\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/master_config_upgrade.yml
new file mode 100644
index 000000000..1d4d1919c
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/master_config_upgrade.yml
@@ -0,0 +1,20 @@
+---
+- modify_yaml:
+    dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+    yaml_key: 'controllerConfig.election.lockName'
+    yaml_value: 'openshift-master-controllers'
+
+- modify_yaml:
+    dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+    yaml_key: 'controllerConfig.serviceServingCert.signer.certFile'
+    yaml_value: service-signer.crt
+
+- modify_yaml:
+    dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+    yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile'
+    yaml_value: service-signer.key
+
+- modify_yaml:
+    dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+    yaml_key: servingInfo.clientCA
+    yaml_value: ca.crt
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/roles b/playbooks/common/openshift-cluster/upgrades/v3_8/roles
new file mode 120000
index 000000000..415645be6
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/roles
@@ -0,0 +1 @@
+../../../../../roles/
\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
new file mode 100644
index 000000000..b3162bd5f
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
@@ -0,0 +1,142 @@
+---
+#
+# Full Control Plane + Nodes Upgrade
+#
+- include: ../init.yml
+  tags:
+  - pre_upgrade
+
+- name: Configure the upgrade target for the common upgrade tasks
+  hosts: oo_all_hosts
+  tags:
+  - pre_upgrade
+  tasks:
+  - set_fact:
+      openshift_upgrade_target: '3.8'
+      openshift_upgrade_min: '3.7'
+
+# Pre-upgrade
+
+- include: ../initialize_nodes_to_upgrade.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/verify_etcd3_backend.yml
+  tags:
+  - pre_upgrade
+
+- name: Update repos and initialize facts on all hosts
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config:oo_lb_to_config
+  tags:
+  - pre_upgrade
+  roles:
+  - openshift_repos
+
+- name: Set openshift_no_proxy_internal_hostnames
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade
+  tags:
+  - pre_upgrade
+  tasks:
+  - set_fact:
+      openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
+                                                    | union(groups['oo_masters_to_config'])
+                                                    | union(groups['oo_etcd_to_config'] | default([])))
+                                                | oo_collect('openshift.common.hostname') | default([]) | join (',')
+                                                }}"
+    when:
+    - openshift_http_proxy is defined or openshift_https_proxy is defined
+    - openshift_generate_no_proxy_hosts | default(True) | bool
+
+- include: ../pre/verify_inventory_vars.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/verify_health_checks.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/verify_control_plane_running.yml
+  tags:
+  - pre_upgrade
+
+- include: ../disable_master_excluders.yml
+  tags:
+  - pre_upgrade
+
+- include: ../disable_node_excluders.yml
+  tags:
+  - pre_upgrade
+
+- include: ../../initialize_openshift_version.yml
+  tags:
+  - pre_upgrade
+  vars:
+    # Request specific openshift_release and let the openshift_version role handle converting this
+    # to a more specific version, respecting openshift_image_tag and openshift_pkg_version if
+    # defined, and overriding the normal behavior of protecting the installed version
+    openshift_release: "{{ openshift_upgrade_target }}"
+    openshift_protect_installed_version: False
+
+    # We skip the docker role at this point in upgrade to prevent
+    # unintended package, container, or config upgrades which trigger
+    # docker restarts. At this early stage of upgrade we can assume
+    # docker is configured and running.
+    skip_docker_role: True
+
+- include: ../../../openshift-master/validate_restart.yml
+  tags:
+  - pre_upgrade
+
+- name: Verify upgrade targets
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade
+  tasks:
+  - include: ../pre/verify_upgrade_targets.yml
+  tags:
+  - pre_upgrade
+
+- name: Verify docker upgrade targets
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config
+  tasks:
+  - include: ../pre/tasks/verify_docker_upgrade_targets.yml
+  tags:
+  - pre_upgrade
+
+- include: validator.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/gate_checks.yml
+  tags:
+  - pre_upgrade
+
+# Pre-upgrade completed, nothing after this should be tagged pre_upgrade.
+
+# Separate step so we can execute in parallel and clear out anything unused
+# before we get into the serialized upgrade process which will then remove
+# remaining images if possible.
+- name: Cleanup unused Docker images
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config
+  tasks:
+  - include: ../cleanup_unused_images.yml
+
+- include: ../upgrade_control_plane.yml
+  vars:
+    master_config_hook: "v3_7/master_config_upgrade.yml"
+
+# All controllers must be stopped at the same time then restarted
+- name: Cycle all controller services to force new leader election mode
+  hosts: oo_masters_to_config
+  gather_facts: no
+  tasks:
+  - name: Stop {{ openshift.common.service_type }}-master-controllers
+    systemd:
+      name: "{{ openshift.common.service_type }}-master-controllers"
+      state: stopped
+  - name: Start {{ openshift.common.service_type }}-master-controllers
+    systemd:
+      name: "{{ openshift.common.service_type }}-master-controllers"
+      state: started
+
+- include: ../upgrade_nodes.yml
+
+- include: ../post_control_plane.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
new file mode 100644
index 000000000..3df5b17b5
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
@@ -0,0 +1,144 @@
+---
+#
+# Control Plane Upgrade Playbook
+#
+# Upgrades masters and Docker (only on standalone etcd hosts)
+#
+# This upgrade does not include:
+# - node service running on masters
+# - docker running on masters
+# - node service running on dedicated nodes
+#
+# You can run the upgrade_nodes.yml playbook after this to upgrade these components separately.
+#
+- include: ../init.yml
+  tags:
+  - pre_upgrade
+
+- name: Configure the upgrade target for the common upgrade tasks
+  hosts: oo_all_hosts
+  tags:
+  - pre_upgrade
+  tasks:
+  - set_fact:
+      openshift_upgrade_target: '3.8'
+      openshift_upgrade_min: '3.7'
+
+# Pre-upgrade
+- include: ../initialize_nodes_to_upgrade.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/verify_etcd3_backend.yml
+  tags:
+  - pre_upgrade
+
+- name: Update repos on control plane hosts
+  hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config
+  tags:
+  - pre_upgrade
+  roles:
+  - openshift_repos
+
+- name: Set openshift_no_proxy_internal_hostnames
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade
+  tags:
+  - pre_upgrade
+  tasks:
+  - set_fact:
+      openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
+                                                    | union(groups['oo_masters_to_config'])
+                                                    | union(groups['oo_etcd_to_config'] | default([])))
+                                                | oo_collect('openshift.common.hostname') | default([]) | join (',')
+                                                }}"
+    when:
+    - openshift_http_proxy is defined or openshift_https_proxy is defined
+    - openshift_generate_no_proxy_hosts | default(True) | bool
+
+- include: ../pre/verify_inventory_vars.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/verify_health_checks.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/verify_control_plane_running.yml
+  tags:
+  - pre_upgrade
+
+- include: ../disable_master_excluders.yml
+  tags:
+  - pre_upgrade
+
+- include: ../../initialize_openshift_version.yml
+  tags:
+  - pre_upgrade
+  vars:
+    # Request specific openshift_release and let the openshift_version role handle converting this
+    # to a more specific version, respecting openshift_image_tag and openshift_pkg_version if
+    # defined, and overriding the normal behavior of protecting the installed version
+    openshift_release: "{{ openshift_upgrade_target }}"
+    openshift_protect_installed_version: False
+
+    # We skip the docker role at this point in upgrade to prevent
+    # unintended package, container, or config upgrades which trigger
+    # docker restarts. At this early stage of upgrade we can assume
+    # docker is configured and running.
+    skip_docker_role: True
+
+- include: ../../../openshift-master/validate_restart.yml
+  tags:
+  - pre_upgrade
+
+- name: Verify upgrade targets
+  hosts: oo_masters_to_config
+  tasks:
+  - include: ../pre/verify_upgrade_targets.yml
+  tags:
+  - pre_upgrade
+
+- name: Verify docker upgrade targets
+  hosts: oo_masters_to_config:oo_etcd_to_config
+  tasks:
+  - include: ../pre/tasks/verify_docker_upgrade_targets.yml
+  tags:
+  - pre_upgrade
+
+- include: validator.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/gate_checks.yml
+  tags:
+  - pre_upgrade
+
+# Pre-upgrade completed, nothing after this should be tagged pre_upgrade.
+
+# Separate step so we can execute in parallel and clear out anything unused
+# before we get into the serialized upgrade process which will then remove
+# remaining images if possible.
+- name: Cleanup unused Docker images
+  hosts: oo_masters_to_config:oo_etcd_to_config
+  tasks:
+  - include: ../cleanup_unused_images.yml
+
+- include: ../upgrade_control_plane.yml
+  vars:
+    master_config_hook: "v3_7/master_config_upgrade.yml"
+
+# All controllers must be stopped at the same time then restarted
+- name: Cycle all controller services to force new leader election mode
+  hosts: oo_masters_to_config
+  gather_facts: no
+  tasks:
+  - name: Stop {{ openshift.common.service_type }}-master-controllers
+    systemd:
+      name: "{{ openshift.common.service_type }}-master-controllers"
+      state: stopped
+  - name: Start {{ openshift.common.service_type }}-master-controllers
+    systemd:
+      name: "{{ openshift.common.service_type }}-master-controllers"
+      state: started
+
+- include: ../post_control_plane.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml
new file mode 100644
index 000000000..f3d192ba7
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml
@@ -0,0 +1,115 @@
+---
+#
+# Node Upgrade Playbook
+#
+# Upgrades nodes only, but requires the control plane to have already been upgraded.
+#
+- include: ../init.yml
+  tags:
+  - pre_upgrade
+
+- name: Configure the upgrade target for the common upgrade tasks
+  hosts: oo_all_hosts
+  tags:
+  - pre_upgrade
+  tasks:
+  - set_fact:
+      openshift_upgrade_target: '3.8'
+      openshift_upgrade_min: '3.7'
+
+# Pre-upgrade
+- include: ../initialize_nodes_to_upgrade.yml
+  tags:
+  - pre_upgrade
+
+- name: Update repos on nodes
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config:oo_lb_to_config
+  roles:
+  - openshift_repos
+  tags:
+  - pre_upgrade
+
+- name: Set openshift_no_proxy_internal_hostnames
+  hosts: oo_masters_to_config:oo_nodes_to_upgrade
+  tags:
+  - pre_upgrade
+  tasks:
+  - set_fact:
+      openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_upgrade']
+                                                    | union(groups['oo_masters_to_config'])
+                                                    | union(groups['oo_etcd_to_config'] | default([])))
+                                                | oo_collect('openshift.common.hostname') | default([]) | join (',')
+                                                }}"
+    when:
+    - openshift_http_proxy is defined or openshift_https_proxy is defined
+    - openshift_generate_no_proxy_hosts | default(True) | bool
+
+- include: ../pre/verify_inventory_vars.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/verify_health_checks.yml
+  tags:
+  - pre_upgrade
+
+- include: ../disable_node_excluders.yml
+  tags:
+  - pre_upgrade
+
+- include: ../../initialize_openshift_version.yml
+  tags:
+  - pre_upgrade
+  vars:
+    # Request specific openshift_release and let the openshift_version role handle converting this
+    # to a more specific version, respecting openshift_image_tag and openshift_pkg_version if
+    # defined, and overriding the normal behavior of protecting the installed version
+    openshift_release: "{{ openshift_upgrade_target }}"
+    openshift_protect_installed_version: False
+
+    # We skip the docker role at this point in upgrade to prevent
+    # unintended package, container, or config upgrades which trigger
+    # docker restarts. At this early stage of upgrade we can assume
+    # docker is configured and running.
+    skip_docker_role: True
+
+- name: Verify masters are already upgraded
+  hosts: oo_masters_to_config
+  tags:
+  - pre_upgrade
+  tasks:
+  - fail: msg="Master running {{ openshift.common.version }} must be upgraded to {{ openshift_version }} before node upgrade can be run."
+    when: openshift.common.version != openshift_version
+
+- include: ../pre/verify_control_plane_running.yml
+  tags:
+  - pre_upgrade
+
+- name: Verify upgrade targets
+  hosts: oo_nodes_to_upgrade
+  tasks:
+  - include: ../pre/verify_upgrade_targets.yml
+  tags:
+  - pre_upgrade
+
+- name: Verify docker upgrade targets
+  hosts: oo_nodes_to_upgrade
+  tasks:
+  - include: ../pre/tasks/verify_docker_upgrade_targets.yml
+  tags:
+  - pre_upgrade
+
+- include: ../pre/gate_checks.yml
+  tags:
+  - pre_upgrade
+
+# Pre-upgrade completed, nothing after this should be tagged pre_upgrade.
+
+# Separate step so we can execute in parallel and clear out anything unused
+# before we get into the serialized upgrade process which will then remove
+# remaining images if possible.
+- name: Cleanup unused Docker images
+  hosts: oo_nodes_to_upgrade
+  tasks:
+  - include: ../cleanup_unused_images.yml
+
+- include: ../upgrade_nodes.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/validator.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/validator.yml
new file mode 100644
index 000000000..d8540abfb
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/validator.yml
@@ -0,0 +1,7 @@
+---
+- name: Verify 3.8 specific upgrade checks
+  hosts: oo_first_master
+  roles:
+  - { role: lib_openshift }
+  tasks:
+  - debug: msg="noop"