Diffstat (limited to 'roles')
| -rw-r--r-- | roles/lib_openshift/library/oc_configmap.py | 4 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_label.py | 4 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_process.py | 12 | ||||
| -rw-r--r-- | roles/lib_openshift/src/class/oc_configmap.py | 4 | ||||
| -rw-r--r-- | roles/lib_openshift/src/class/oc_label.py | 4 | ||||
| -rw-r--r-- | roles/lib_openshift/src/class/oc_process.py | 12 | ||||
| -rwxr-xr-x | roles/openshift_facts/library/openshift_facts.py | 4 | ||||
| -rw-r--r-- | roles/openshift_hosted/tasks/registry/secure.yml | 3 | ||||
| -rw-r--r-- | roles/openshift_logging/tasks/generate_pems.yaml | 3 | ||||
| -rw-r--r-- | roles/openshift_logging/tasks/procure_server_certs.yaml | 36 | ||||
| -rw-r--r-- | roles/openshift_master_facts/filter_plugins/openshift_master.py | 17 | ||||
| -rw-r--r-- | roles/openshift_version/tasks/main.yml | 93 | ||||
| -rw-r--r-- | roles/openshift_version/tasks/set_version_containerized.yml | 21 | ||||
| -rw-r--r-- | roles/openshift_version/tasks/set_version_rpm.yml | 4 | ||||
| -rw-r--r-- | roles/os_firewall/tasks/firewall/firewalld.yml | 6 | 
15 files changed, 168 insertions, 59 deletions
diff --git a/roles/lib_openshift/library/oc_configmap.py b/roles/lib_openshift/library/oc_configmap.py
index 96345ffe0..c60f4661c 100644
--- a/roles/lib_openshift/library/oc_configmap.py
+++ b/roles/lib_openshift/library/oc_configmap.py
@@ -1524,6 +1524,10 @@ class OCConfigMap(OpenShiftCLI):
         if state == 'list':
             return {'changed': False, 'results': api_rval, 'state': state}
+        if not params['name']:
+            return {'failed': True,
+                    'msg': 'Please specify a name when state is absent|present.'}
+
         ########
         # Delete
         ########
diff --git a/roles/lib_openshift/library/oc_label.py b/roles/lib_openshift/library/oc_label.py
index 62b6049c4..5fbbabe4f 100644
--- a/roles/lib_openshift/library/oc_label.py
+++ b/roles/lib_openshift/library/oc_label.py
@@ -1551,9 +1551,9 @@ class OCLabel(OpenShiftCLI):
         label_list = []
         if self.name:
-            result = self._get(resource=self.kind, rname=self.name, selector=self.selector)
+            result = self._get(resource=self.kind, rname=self.name)
-            if 'labels' in result['results'][0]['metadata']:
+            if result['results'][0] and 'labels' in result['results'][0]['metadata']:
                 label_list.append(result['results'][0]['metadata']['labels'])
             else:
                 label_list.append({})
diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py
index d487746eb..112d9ab5f 100644
--- a/roles/lib_openshift/library/oc_process.py
+++ b/roles/lib_openshift/library/oc_process.py
@@ -1545,7 +1545,7 @@ class OCProcess(OpenShiftCLI):
             if api_rval['returncode'] != 0:
                 return {"failed": True, "msg" : api_rval}
-            return {"changed" : False, "results": api_rval, "state": "list"}
+            return {"changed" : False, "results": api_rval, "state": state}
         elif state == 'present':
             if check_mode and params['create']:
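Review bot: The new guard in the library/oc_label.py hunk, `if result['results'][0] and 'labels' in ...`, still indexes `[0]` before testing anything, so an empty `results` list raises IndexError and only a falsy first element is handled. Whether `_get` can return an empty list or omit `results` on a failed call is not visible here, but testing the list first costs nothing: `if result.get('results') and result['results'][0] and 'labels' in result['results'][0]['metadata']:`. Dropping `selector=` also means a lookup by name no longer honours a selector the caller passed; if that is intended it deserves a one-line comment. The same lines recur in the src/class/oc_label.py hunk, and the enclosing method starts and ends outside the hunk.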
@@ -1567,9 +1567,9 @@ class OCProcess(OpenShiftCLI):
                     return {"failed": True, "msg": api_rval}
                 if params['create']:
-                    return {"changed": True, "results": api_rval, "state": "present"}
+                    return {"changed": True, "results": api_rval, "state": state}
-                return {"changed": False, "results": api_rval, "state": "present"}
+                return {"changed": False, "results": api_rval, "state": state}
         # verify results
         update = False
@@ -1584,13 +1584,13 @@ class OCProcess(OpenShiftCLI):
                 update = True
         if not update:
-            return {"changed": update, "results": api_rval, "state": "present"}
+            return {"changed": update, "results": api_rval, "state": state}
         for cmd in rval:
             if cmd['returncode'] != 0:
-                return {"failed": True, "changed": update, "results": rval, "state": "present"}
+                return {"failed": True, "changed": update, "msg": rval, "state": state}
-        return {"changed": update, "results": rval, "state": "present"}
+        return {"changed": update, "results": rval, "state": state}
 # -*- -*- -*- End included fragment: class/oc_process.py -*- -*- -*-
diff --git a/roles/lib_openshift/src/class/oc_configmap.py b/roles/lib_openshift/src/class/oc_configmap.py
index 87de3e1df..de77d1102 100644
--- a/roles/lib_openshift/src/class/oc_configmap.py
+++ b/roles/lib_openshift/src/class/oc_configmap.py
@@ -127,6 +127,10 @@ class OCConfigMap(OpenShiftCLI):
         if state == 'list':
             return {'changed': False, 'results': api_rval, 'state': state}
+        if not params['name']:
+            return {'failed': True,
+                    'msg': 'Please specify a name when state is absent|present.'}
+
         ########
         # Delete
         ########
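Review bot: The failure return in the library/oc_process.py hunk at `@@ -1584` moves the command results from `results` to `msg`, so a caller that registers the task with `ignore_errors` and reads `.results` no longer finds them, and the failure message becomes the whole list of raw `oc` results instead of a readable error. That list may well contain rendered template parameters such as passwords (an inference, since `rval` is built outside the hunk), which is a reason for callers to set `no_log` when templates carry credentials. Keeping both keys would stay backward-compatible: `return {"failed": True, "changed": update, "msg": "oc command failed", "results": rval, "state": state}`. The same change appears in the src/class/oc_process.py hunk, and the enclosing method starts outside the hunk.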
diff --git a/roles/lib_openshift/src/class/oc_label.py b/roles/lib_openshift/src/class/oc_label.py
index bd312c170..ed17eecb1 100644
--- a/roles/lib_openshift/src/class/oc_label.py
+++ b/roles/lib_openshift/src/class/oc_label.py
@@ -134,9 +134,9 @@ class OCLabel(OpenShiftCLI):
         label_list = []
         if self.name:
-            result = self._get(resource=self.kind, rname=self.name, selector=self.selector)
+            result = self._get(resource=self.kind, rname=self.name)
-            if 'labels' in result['results'][0]['metadata']:
+            if result['results'][0] and 'labels' in result['results'][0]['metadata']:
                 label_list.append(result['results'][0]['metadata']['labels'])
             else:
                 label_list.append({})
diff --git a/roles/lib_openshift/src/class/oc_process.py b/roles/lib_openshift/src/class/oc_process.py
index 9d29938aa..eba9a43cd 100644
--- a/roles/lib_openshift/src/class/oc_process.py
+++ b/roles/lib_openshift/src/class/oc_process.py
@@ -136,7 +136,7 @@ class OCProcess(OpenShiftCLI):
             if api_rval['returncode'] != 0:
                 return {"failed": True, "msg" : api_rval}
-            return {"changed" : False, "results": api_rval, "state": "list"}
+            return {"changed" : False, "results": api_rval, "state": state}
         elif state == 'present':
             if check_mode and params['create']:
@@ -158,9 +158,9 @@ class OCProcess(OpenShiftCLI):
                     return {"failed": True, "msg": api_rval}
                 if params['create']:
-                    return {"changed": True, "results": api_rval, "state": "present"}
+                    return {"changed": True, "results": api_rval, "state": state}
-                return {"changed": False, "results": api_rval, "state": "present"}
+                return {"changed": False, "results": api_rval, "state": state}
         # verify results
         update = False
@@ -175,11 +175,11 @@ class OCProcess(OpenShiftCLI):
                 update = True
         if not update:
-            return {"changed": update, "results": api_rval, "state": "present"}
+            return {"changed": update, "results": api_rval, "state": state}
         for cmd in rval:
             if cmd['returncode'] != 0:
-                return {"failed": True, "changed": update, "results": rval, "state": "present"}
+                return {"failed": True, "changed": update, "msg": rval, "state": state}
-        return {"changed": update, "results": rval, "state": "present"}
+        return {"changed": update, "results": rval, "state": state}
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index e1f4c4e6d..7edf141e5 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -936,7 +936,9 @@ def set_version_facts_if_unset(facts):
         facts['common']['version_gte_3_5_or_1_5'] = version_gte_3_5_or_1_5
         facts['common']['version_gte_3_6_or_1_6'] = version_gte_3_6_or_1_6
-        if version_gte_3_5_or_1_5:
+        if version_gte_3_6_or_1_6:
+            examples_content_version = 'v1.6'
+        elif version_gte_3_5_or_1_5:
             examples_content_version = 'v1.5'
         elif version_gte_3_4_or_1_4:
             examples_content_version = 'v1.4'
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index 8a159bf73..29c164f52 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -53,7 +53,8 @@
     signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
     hostnames:
     - "{{ docker_registry_service_ip.results.clusterip }}"
-    - docker-registry.default.svc.cluster.local
+    - "{{ openshift_hosted_registry_name }}.default.svc"
+    - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift.common.dns_domain }}"
     - "{{ docker_registry_route_hostname }}"
     cert: "{{ openshift_master_config_dir }}/registry.crt"
     key: "{{ openshift_master_config_dir }}/registry.key"
diff --git a/roles/openshift_logging/tasks/generate_pems.yaml b/roles/openshift_logging/tasks/generate_pems.yaml
index 289b72ea6..e8cececfb 100644
--- a/roles/openshift_logging/tasks/generate_pems.yaml
+++ b/roles/openshift_logging/tasks/generate_pems.yaml
@@ -15,6 +15,7 @@
     -subj "/CN={{component}}/OU=OpenShift/O=Logging/subjectAltName=DNS.1=localhost{{cert_ext.stdout}}" -days 712 -nodes
   when:
     - not key_file.stat.exists
+    - cert_ext is defined
     - cert_ext.stdout is defined
   check_mode: no
@@ -24,7 +25,7 @@
     -subj "/CN={{component}}/OU=OpenShift/O=Logging" -days 712 -nodes
   when:
     - not key_file.stat.exists
-    - cert_ext.stdout is undefined
+    - cert_ext is undefined or cert_ext is defined and cert_ext.stdout is undefined
   check_mode: no
 - name: Sign cert request with CA for {{component}}
diff --git a/roles/openshift_logging/tasks/procure_server_certs.yaml b/roles/openshift_logging/tasks/procure_server_certs.yaml
index 44dd5e894..7ab140357 100644
--- a/roles/openshift_logging/tasks/procure_server_certs.yaml
+++ b/roles/openshift_logging/tasks/procure_server_certs.yaml
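Review bot: The two hostnames added in the secure.yml hunk take the service name from `openshift_hosted_registry_name` but keep the namespace fixed at `default`, so a registry deployed to any other project would get a certificate whose SANs do not match its service DNS name, and clients would fail TLS verification or be pushed towards disabling it. If the role has a variable for the registry namespace, it should replace the literal in both entries. It is also not visible in this hunk whether an existing `registry.crt` is reissued when the hostname list changes; if it is not, upgraded clusters keep the old SAN set.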
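Review bot: The rewritten condition in the second generate_pems.yaml hunk, `cert_ext is undefined or cert_ext is defined and cert_ext.stdout is undefined`, depends on `and` binding tighter than `or`, and its middle term is redundant because it is only evaluated once the first term is false. `cert_ext is undefined or cert_ext.stdout is undefined` expresses the same thing and is harder to misread when the next condition is added. Which of the two openssl requests runs decides whether the certificate gets its alternative names, so the selection logic is worth keeping obvious.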
@@ -11,12 +11,18 @@
 - name: Trying to discover server cert variable name for {{ cert_info.procure_component }}
   set_fact: procure_component_crt={{ lookup('env', '{{cert_info.procure_component}}' + '_crt') }}
-  when: cert_info.hostnames is undefined and {{ cert_info.procure_component }}_crt is defined and {{ cert_info.procure_component }}_key is defined
+  when:
+  - cert_info.hostnames is undefined
+  - cert_info[ cert_info.procure_component + '_crt' ] is defined
+  - cert_info[ cert_info.procure_component + '_key' ] is defined
   check_mode: no
 - name: Trying to discover the server key variable name for {{ cert_info.procure_component }}
   set_fact: procure_component_key={{ lookup('env', '{{cert_info.procure_component}}' + '_key') }}
-  when: cert_info.hostnames is undefined and {{ cert_info.procure_component }}_crt is defined and {{ cert_info.procure_component }}_key is defined
+  when:
+  - cert_info.hostnames is undefined
+  - cert_info[ cert_info.procure_component + '_crt' ] is defined
+  - cert_info[ cert_info.procure_component + '_key' ] is defined
   check_mode: no
 - name: Creating signed server cert and key for {{ cert_info.procure_component }}
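Review bot: The new conditions `cert_info[ cert_info.procure_component + '_crt' ] is defined` look the name up as a key of the `cert_info` dict, whereas the replaced expression tested a top-level variable named `<component>_crt`, and the `set_fact` on the line above reads a third source, the environment, through `lookup('env', ...)`. Unless callers really pass `<component>_crt` and `<component>_key` inside `cert_info` (not visible here), these two tasks and the two copy tasks in the next hunk can never run, and user-supplied certificates are silently ignored in favour of nothing. If a top-level variable is still what is meant, `vars[cert_info.procure_component + '_crt'] is defined` keeps the old meaning without templating inside `when`.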
@@ -27,26 +33,26 @@
      --signer-serial={{generated_certs_dir}}/ca.serial.txt
   check_mode: no
   when:
-    - cert_info.hostnames is defined
-    - not component_key_file.stat.exists
-    - not component_cert_file.stat.exists
+  - cert_info.hostnames is defined
+  - not component_key_file.stat.exists
+  - not component_cert_file.stat.exists
 - name: Copying server key for {{ cert_info.procure_component }} to generated certs directory
   copy: content="{{procure_component_key}}" dest={{generated_certs_dir}}/{{cert_info.procure_component}}.key
   check_mode: no
   when:
-    - cert_info.hostnames is undefined
-    - "{{ cert_info.procure_component }}_crt is defined"
-    - "{{ cert_info.procure_component }}_key is defined"
-    - not component_key_file.stat.exists
-    - not component_cert_file.stat.exists
+  - cert_info.hostnames is undefined
+  - cert_info[ cert_info.procure_component + '_crt' ] is defined
+  - cert_info[ cert_info.procure_component + '_key' ] is defined
+  - not component_key_file.stat.exists
+  - not component_cert_file.stat.exists
 - name: Copying Server cert for {{ cert_info.procure_component }} to generated certs directory
   copy: content="{{procure_component_crt}}" dest={{generated_certs_dir}}/{{cert_info.procure_component}}.crt
   check_mode: no
   when:
-    - cert_info.hostnames is undefined
-    - "{{ cert_info.procure_component }}_crt is defined"
-    - "{{ cert_info.procure_component }}_key is defined"
-    - not component_key_file.stat.exists
-    - not component_cert_file.stat.exists
+  - cert_info.hostnames is undefined
+  - cert_info[ cert_info.procure_component + '_crt' ] is defined
+  - cert_info[ cert_info.procure_component + '_key' ] is defined
+  - not component_key_file.stat.exists
+  - not component_cert_file.stat.exists
diff --git a/roles/openshift_master_facts/filter_plugins/openshift_master.py b/roles/openshift_master_facts/filter_plugins/openshift_master.py
index 01806c97f..e570392ff 100644
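Review bot: The `copy` task that writes `{{cert_info.procure_component}}.key` in this hunk sets no `mode`, so the private key is created with whatever the umask allows, and it has no `no_log`, so the key content can show up in verbose or diff output. Since the task's `when` list is being rewritten here anyway, adding `mode=0600` to the `copy:` arguments and `no_log: true` to the key-copy task would close both gaps. The certificate copy needs neither.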
--- a/roles/openshift_master_facts/filter_plugins/openshift_master.py
+++ b/roles/openshift_master_facts/filter_plugins/openshift_master.py
@@ -14,9 +14,12 @@ from distutils.version import LooseVersion  # pylint: disable=no-name-in-module,
 from ansible import errors
 from ansible.parsing.yaml.dumper import AnsibleDumper
 from ansible.plugins.filter.core import to_bool as ansible_bool
-# pylint import-error disabled because pylint cannot find the package
-# when installed in a virtualenv
-from ansible.compat.six import string_types  # pylint: disable=no-name-in-module,import-error
+
+# ansible.compat.six goes away with Ansible 2.4
+try:
+    from ansible.compat.six import string_types, u
+except ImportError:
+    from ansible.module_utils.six import string_types, u
 import yaml
@@ -490,10 +493,10 @@ class FilterModule(object):
             idp_list.append(idp_inst)
         IdentityProviderBase.validate_idp_list(idp_list, openshift_version, deployment_type)
-        return yaml.dump([idp.to_dict() for idp in idp_list],
-                         allow_unicode=True,
-                         default_flow_style=False,
-                         Dumper=AnsibleDumper)
+        return u(yaml.dump([idp.to_dict() for idp in idp_list],
+                           allow_unicode=True,
+                           default_flow_style=False,
+                           Dumper=AnsibleDumper))
     @staticmethod
     def validate_pcs_cluster(data, masters=None):
diff --git a/roles/openshift_version/tasks/main.yml b/roles/openshift_version/tasks/main.yml
index 35953b744..c3d001bb4 100644
--- a/roles/openshift_version/tasks/main.yml
+++ b/roles/openshift_version/tasks/main.yml
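Review bot: `u()` in the second hunk is six's helper for writing unicode literals, not a decoder. On Python 2 it pushes the string through the `unicode_escape` codec, so any non-ASCII bytes that `yaml.dump(..., allow_unicode=True)` emits (an LDAP bind DN or a provider display name, for instance) would, as far as I can tell, come back as mojibake in the rendered identity-provider config; on Python 3 it is a no-op. Decoding explicitly is safer, e.g. `to_text(yaml.dump(...))` with `from ansible.module_utils._text import to_text`. The method that contains the return starts outside the hunk.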
@@ -9,16 +9,55 @@  # be used by default. Users must indicate what they want.  - fail:      msg: "Must specify openshift_release or openshift_image_tag in inventory to install origin. (suggestion: add openshift_release=\"1.2\" to inventory)" -  when: is_containerized | bool and openshift.common.deployment_type == 'origin' and openshift_release is not defined and openshift_image_tag is not defined +  when: +  - is_containerized | bool +  - openshift.common.deployment_type == 'origin' +  - openshift_release is not defined +  - openshift_image_tag is not defined  # Normalize some values that we need in a certain format that might be confusing:  - set_fact: -    openshift_image_tag: "{{ 'v' + openshift_image_tag }}" -  when: openshift_image_tag is defined and openshift_image_tag[0] != 'v' and openshift_image_tag != 'latest' +    openshift_release: "{{ openshift_release[1:] }}" +  when: +  - openshift_release is defined +  - openshift_release[0] == 'v'  - set_fact: -    openshift_pkg_version: "{{ '-' + openshift_pkg_version }}" -  when: openshift_pkg_version is defined and openshift_pkg_version[0] != '-' +    openshift_release: "{{ openshift_release | string }}" +  when: openshift_release is defined + +# Verify that the image tag is in a valid format +- block: + +  # Verifies that when the deployment type is origin the version: +  # - starts with a v +  # - Has 3 integers seperated by dots +  # It also allows for optional trailing data which: +  # - must start with a dash +  # - may contain numbers, letters, dashes and dots. +  - name: Verify Origin openshift_image_tag is valid +    assert: +      that: +      - "{{ openshift_image_tag|match('(^v?\\d+\\.\\d+\\.\\d+(-[\\w\\-\\.]*)?$)') }}" +      msg: "openshift_image_tag must be in the format v#.#.#[-optional.#]. 
Examples: v1.2.3, v3.5.1-alpha.1" +    when: openshift.common.deployment_type == 'origin' + +  # Verifies that when the deployment type is openshift-enterprise the version: +  # - starts with a v +  # - Has at least 2 integers seperated by dots +  # It also allows for optional trailing data which: +  # - must start with a dash +  # - may contain numbers +  - name: Verify Enterprise openshift_image_tag is valid +    assert: +      that: +      - "{{ openshift_image_tag|match('(^v\\d+\\.\\d+[\\.\\d+]*(-\\d+)?$)') }}" +      msg: "openshift_image_tag must be in the format v#.#[.#[.#]]. Examples: v1.2, v3.4.1, v3.5.1.3, v1.2-1, v1.2.3-4" +    when: openshift.common.deployment_type == 'openshift-enterprise' + +  when: +  - openshift_image_tag is defined +  - openshift_image_tag != "latest"  # Make sure we copy this to a fact if given a var:  - set_fact: @@ -30,7 +69,10 @@  - name: Use openshift.common.version fact as version to configure if already installed    set_fact:      openshift_version: "{{ openshift.common.version }}" -  when: openshift.common.version is defined and openshift_version is not defined and openshift_protect_installed_version | bool +  when: +  - openshift.common.version is defined +  - openshift_version is not defined +  - openshift_protect_installed_version | bool  - name: Set openshift_version for rpm installation    include: set_version_rpm.yml 
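Review bot: Both validation patterns in the first main.yml hunk accept more than their comments and messages promise. The Origin pattern begins with `^v?`, so `1.2.3` passes even though the prepend-`v` normalisation is removed in this same hunk and set_version_containerized.yml strips the first character with `openshift_image_tag[1:]`; the Enterprise pattern uses `[\\.\\d+]*`, a character class that matches any run of dots, digits and plus signs (so `v3.5..+` passes) where a group was meant. The tag ends up in an image reference, so the check is worth making exact: `'^v\\d+\\.\\d+\\.\\d+(-[\\w\\-\\.]*)?$'` and `'^v\\d+\\.\\d+(\\.\\d+)*(-\\d+)?$'`. The `that:` entries are also wrapped in `{{ }}`, which `assert` does not need because it templates its conditions itself.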
@@ -40,17 +82,39 @@
   include: set_version_containerized.yml
   when: is_containerized | bool
+# Warn if the user has provided an openshift_image_tag but is not doing a containerized install
+# NOTE: This will need to be modified/removed for future container + rpm installations work.
+- name: Warn if openshift_image_tag is defined when not doing a containerized install
+  debug:
+    msg: >
+      openshift_image_tag is used for containerized installs. If you are trying to
+      specify an image for a non-container install see oreg_url.
+  when:
+  - not is_containerized | bool
+  - openshift_image_tag is defined
+
+
 # At this point we know openshift_version is set appropriately. Now we set
 # openshift_image_tag and openshift_pkg_version, so all roles can always assume
 # each of this variables *will* be set correctly and can use them per their
 # intended purpose.
-- set_fact:
-    openshift_image_tag: v{{ openshift_version }}
+- block:
+  - debug:
+      msg: "openshift_image_tag was not defined. Falling back to v{{ openshift_version }}"
+
+  - set_fact:
+      openshift_image_tag: v{{ openshift_version }}
+    when: openshift_image_tag is not defined
-- set_fact:
-    openshift_pkg_version: -{{ openshift_version }}
+- block:
+  - debug:
+      msg: "openshift_pkg_version was not defined. Falling back to -{{ openshift_version }}"
+
+  - set_fact:
+      openshift_pkg_version: -{{ openshift_version }}
+    when: openshift_pkg_version is not defined
 - fail:
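Review bot: In both new `block:`s the `when:` sits at the indentation of the `set_fact` task's keys rather than at block level, at least as the whitespace is rendered here, so the `debug` message "... was not defined. Falling back to ..." is printed on every run, including when the user did set `openshift_image_tag` or `openshift_pkg_version`. That makes the log line useless for telling afterwards which version source was actually used. Moving `when: openshift_image_tag is not defined` and the matching `openshift_pkg_version` condition out two columns, so they are keys of the `block` itself, makes both tasks in each block conditional.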
@@ -67,13 +131,18 @@
 - fail:
     msg: "No OpenShift version available, please ensure your systems are fully registered and have access to appropriate yum repositories."
-  when: not is_containerized | bool and openshift_version == '0.0'
+  when:
+  - not is_containerized | bool
+  - openshift_version == '0.0'
 # We can't map an openshift_release to full rpm version like we can with containers, make sure
 # the rpm version we looked up matches the release requested and error out if not.
 - fail:
     msg: "Detected OpenShift version {{ openshift_version }} does not match requested openshift_release {{ openshift_release }}. You may need to adjust your yum repositories, inventory, or run the appropriate OpenShift upgrade playbook."
-  when: not is_containerized | bool and openshift_release is defined and not openshift_version.startswith(openshift_release) | bool
+  when:
+  - not is_containerized | bool
+  - openshift_release is defined
+  - not openshift_version.startswith(openshift_release) | bool
 # The end result of these three variables is quite important so make sure they are displayed and logged:
 - debug: var=openshift_release
diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml
index cd0f20ae9..0ec4c49d6 100644
--- a/roles/openshift_version/tasks/set_version_containerized.yml
+++ b/roles/openshift_version/tasks/set_version_containerized.yml
@@ -4,12 +4,16 @@
     # Expects a leading "v" in inventory, strip it off here unless
     # openshift_image_tag=latest
     openshift_version: "{{ openshift_image_tag[1:].split('-')[0] if openshift_image_tag != 'latest' else openshift_image_tag }}"
-  when: openshift_image_tag is defined and openshift_version is not defined
+  when:
+  - openshift_image_tag is defined
+  - openshift_version is not defined
 - name: Set containerized version to configure if openshift_release specified
   set_fact:
     openshift_version: "{{ openshift_release }}"
-  when: openshift_release is defined and openshift_version is not defined
+  when:
+  - openshift_release is defined
+  - openshift_version is not defined
 - name: Lookup latest containerized version if no version specified
   command: >
@@ -20,7 +24,10 @@
 # Origin latest = pre-release version (i.e. v1.3.0-alpha.1-321-gb095e3a)
 - set_fact:
     openshift_version: "{{ (cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2] | join('-'))[1:] }}"
-  when: openshift_version is not defined and openshift.common.deployment_type == 'origin' and cli_image_version.stdout_lines[0].split('-') | length > 1
+  when:
+  - openshift_version is not defined
+  - openshift.common.deployment_type == 'origin'
+  - cli_image_version.stdout_lines[0].split('-') | length > 1
 - set_fact:
     openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"
@@ -32,11 +39,15 @@
   command: >
     docker run --rm {{ openshift.common.cli_image }}:v{{ openshift_version }} version
   register: cli_image_version
-  when: openshift_version is defined and openshift_version.split('.') | length == 2
+  when:
+  - openshift_version is defined
+  - openshift_version.split('.') | length == 2
 - set_fact:
     openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"
-  when: openshift_version is defined and openshift_version.split('.') | length == 2
+  when:
+  - openshift_version is defined
+  - openshift_version.split('.') | length == 2
 # We finally have the specific version. Now we clean up any strange
 # dangly +c0mm1t-offset tags in the version. See also,
diff --git a/roles/openshift_version/tasks/set_version_rpm.yml b/roles/openshift_version/tasks/set_version_rpm.yml
index 0c2ef4bb7..c7604af1a 100644
--- a/roles/openshift_version/tasks/set_version_rpm.yml
+++ b/roles/openshift_version/tasks/set_version_rpm.yml
@@ -3,7 +3,9 @@
   set_fact:
     # Expects a leading "-" in inventory, strip it off here, and remove trailing release,
     openshift_version: "{{ openshift_pkg_version[1:].split('-')[0] }}"
-  when: openshift_pkg_version is defined and openshift_version is not defined
+  when:
+  - openshift_pkg_version is defined
+  - openshift_version is not defined
 # if {{ openshift.common.service_type}}-excluder is enabled,
 # the repoquery for {{ openshift.common.service_type}} will not work.
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index 2b40eee1b..4b2979887 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -34,6 +34,12 @@    pause: seconds=10    when: result | changed +- name: Restart polkitd +  systemd: +    name: polkit +    state: restarted +  when: result | changed +  # Fix suspected race between firewalld and polkit BZ1436964  - name: Wait for polkit action to have been created    command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info  | 
