blob: 57b50bee43910cf982b413cd806e8cdfac64c913 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
|
---
# TODO: add ability to configure certificates given either a local file to
# point to or certificate contents, set in default cert locations.
# Authentication Variable Validation
# TODO: validate the different identity provider kinds as well
- fail:
msg: >
Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }}
when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods
# HA Variable Validation
- fail:
msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations"
when: openshift_master_ha | bool and ((openshift_master_cluster_method is not defined) or (openshift_master_cluster_method is defined and openshift_master_cluster_method not in ["native", "pacemaker"]))
- fail:
msg: "'native' high availability is not supported for the requested OpenShift version"
when: openshift_master_ha | bool and openshift_master_cluster_method == "native" and not openshift.common.version_greater_than_3_1_or_1_1 | bool
- fail:
msg: "openshift_master_cluster_password must be set for multi-master installations"
when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and (openshift_master_cluster_password is not defined or not openshift_master_cluster_password)
- fail:
msg: "Pacemaker based HA is not supported at this time when used with containerized installs"
when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and openshift.common.is_containerized | bool
- name: Set master facts
openshift_facts:
role: master
local_facts:
cluster_method: "{{ openshift_master_cluster_method | default(None) }}"
cluster_hostname: "{{ openshift_master_cluster_hostname | default(None) }}"
cluster_public_hostname: "{{ openshift_master_cluster_public_hostname | default(None) }}"
debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level) }}"
api_port: "{{ openshift_master_api_port | default(None) }}"
api_url: "{{ openshift_master_api_url | default(None) }}"
api_use_ssl: "{{ openshift_master_api_use_ssl | default(None) }}"
public_api_url: "{{ openshift_master_public_api_url | default(None) }}"
console_path: "{{ openshift_master_console_path | default(None) }}"
console_port: "{{ openshift_master_console_port | default(None) }}"
console_url: "{{ openshift_master_console_url | default(None) }}"
console_use_ssl: "{{ openshift_master_console_use_ssl | default(None) }}"
public_console_url: "{{ openshift_master_public_console_url | default(None) }}"
logging_public_url: "{{ openshift_master_logging_public_url | default(None) }}"
metrics_public_url: "{{ openshift_master_metrics_public_url | default(None) }}"
logout_url: "{{ openshift_master_logout_url | default(None) }}"
extension_scripts: "{{ openshift_master_extension_scripts | default(None) }}"
extension_stylesheets: "{{ openshift_master_extension_stylesheets | default(None) }}"
extensions: "{{ openshift_master_extensions | default(None) }}"
oauth_template: "{{ openshift_master_oauth_template | default(None) }}"
etcd_hosts: "{{ openshift_master_etcd_hosts | default(None) }}"
etcd_port: "{{ openshift_master_etcd_port | default(None) }}"
etcd_use_ssl: "{{ openshift_master_etcd_use_ssl | default(None) }}"
etcd_urls: "{{ openshift_master_etcd_urls | default(None) }}"
embedded_etcd: "{{ openshift_master_embedded_etcd | default(None) }}"
embedded_kube: "{{ openshift_master_embedded_kube | default(None) }}"
embedded_dns: "{{ openshift_master_embedded_dns | default(None) }}"
dns_port: "{{ openshift_master_dns_port | default(None) }}"
bind_addr: "{{ openshift_master_bind_addr | default(None) }}"
pod_eviction_timeout: "{{ openshift_master_pod_eviction_timeout | default(None) }}"
portal_net: "{{ openshift_master_portal_net | default(None) }}"
session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}"
session_name: "{{ openshift_master_session_name | default(None) }}"
session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}"
session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(None) }}"
session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(None) }}"
access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}"
auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}"
identity_providers: "{{ openshift_master_identity_providers | default(None) }}"
registry_url: "{{ oreg_url | default(None) }}"
oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}"
sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}"
sdn_host_subnet_length: "{{ osm_host_subnet_length | default(None) }}"
default_subdomain: "{{ osm_default_subdomain | default(None) }}"
custom_cors_origins: "{{ osm_custom_cors_origins | default(None) }}"
default_node_selector: "{{ osm_default_node_selector | default(None) }}"
project_request_message: "{{ osm_project_request_message | default(None) }}"
project_request_template: "{{ osm_project_request_template | default(None) }}"
mcs_allocator_range: "{{ osm_mcs_allocator_range | default(None) }}"
mcs_labels_per_project: "{{ osm_mcs_labels_per_project | default(None) }}"
uid_allocator_range: "{{ osm_uid_allocator_range | default(None) }}"
router_selector: "{{ openshift_router_selector | default(None) }}"
registry_selector: "{{ openshift_registry_selector | default(None) }}"
api_server_args: "{{ osm_api_server_args | default(None) }}"
controller_args: "{{ osm_controller_args | default(None) }}"
infra_nodes: "{{ num_infra | default(None) }}"
disabled_features: "{{ osm_disabled_features | default(None) }}"
master_count: "{{ openshift_master_count | default(None) }}"
controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}"
master_image: "{{ osm_image | default(None) }}"
- name: Install Master package
action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_version }} state=present"
when: not openshift.common.is_containerized | bool
- name: Pull master image
command: >
docker pull {{ openshift.master.master_image }}
when: openshift.common.is_containerized | bool
- name: Install Master docker service file
template:
dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service"
src: docker/master.docker.service.j2
register: install_result
when: openshift.common.is_containerized | bool and not openshift_master_ha | bool
- name: Create openshift.common.data_dir
file:
path: "{{ openshift.common.data_dir }}"
state: directory
mode: 0755
owner: root
group: root
when: openshift.common.is_containerized | bool
- name: Reload systemd units
command: systemctl daemon-reload
when: openshift.common.is_containerized | bool and install_result | changed
- name: Re-gather package dependent master facts
openshift_facts:
- name: Create config parent directory if it does not exist
file:
path: "{{ openshift_master_config_dir }}"
state: directory
- name: Create the policy file if it does not already exist
command: >
{{ openshift.common.admin_binary }} create-bootstrap-policy-file
--filename={{ openshift_master_policy }}
args:
creates: "{{ openshift_master_policy }}"
notify:
- restart master
- restart master api
- restart master controllers
- name: Create the scheduler config
template:
dest: "{{ openshift_master_scheduler_conf }}"
src: scheduler.json.j2
backup: true
notify:
- restart master
- restart master api
- restart master controllers
- name: Install httpd-tools if needed
action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present"
when: (item.kind == 'HTPasswdPasswordIdentityProvider') and
not openshift.common.is_atomic | bool
with_items: openshift.master.identity_providers
- name: Ensure htpasswd directory exists
file:
path: "{{ item.filename | dirname }}"
state: directory
when: item.kind == 'HTPasswdPasswordIdentityProvider'
with_items: openshift.master.identity_providers
- name: Create the htpasswd file if needed
copy:
dest: "{{ item.filename }}"
content: ""
mode: 0600
force: no
when: item.kind == 'HTPasswdPasswordIdentityProvider'
with_items: openshift.master.identity_providers
- name: Init HA Service Info
set_fact:
ha_suffix: ""
ha_svcdir: "/usr/lib/systemd/system"
- name: Set HA Service Info for containerized installs
set_fact:
ha_suffix: ".docker"
ha_svcdir: "/etc/systemd/system"
when: openshift.common.is_containerized | bool
# workaround for missing systemd unit files for controllers/api
- name: Create the systemd unit files
template:
src: "{{ ha_svc_template_path }}/atomic-openshift-master-{{ item }}.service.j2"
dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-{{ item }}.service"
when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
with_items:
- api
- controllers
register: create_unit_files
- command: systemctl daemon-reload
when: create_unit_files | changed
# end workaround for missing systemd unit files
- name: Create the master api service env file
template:
src: "{{ ha_svc_template_path }}/atomic-openshift-master-api.j2"
dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api
when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
notify:
- restart master api
- name: Create the master controllers service env file
template:
src: "{{ ha_svc_template_path }}/atomic-openshift-master-controllers.j2"
dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
notify:
- restart master controllers
- name: Create the master service env file
template:
src: "atomic-openshift-master.j2"
dest: /etc/sysconfig/{{ openshift.common.service_type }}-master
notify:
- restart master
- name: Create session secrets file
template:
dest: "{{ openshift.master.session_secrets_file }}"
src: sessionSecretsFile.yaml.v1.j2
when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined
notify:
- restart master
- restart master api
- set_fact:
translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1') }}"
# TODO: add the validate parameter when there is a validation command to run
- name: Create master config
template:
dest: "{{ openshift_master_config_file }}"
src: master.yaml.v1.j2
backup: true
notify:
- restart master
- restart master api
- restart master controllers
- name: Test local loopback context
command: >
{{ openshift.common.client_binary }} config view
--config={{ openshift_master_loopback_config }}
changed_when: false
register: loopback_config
- command: >
{{ openshift.common.client_binary }} config set-cluster
--certificate-authority={{ openshift_master_config_dir }}/ca.crt
--embed-certs=true --server={{ openshift.master.loopback_api_url }}
{{ openshift.master.loopback_cluster_name }}
--config={{ openshift_master_loopback_config }}
when: loopback_context_string not in loopback_config.stdout
register: set_loopback_cluster
- command: >
{{ openshift.common.client_binary }} config set-context
--cluster={{ openshift.master.loopback_cluster_name }}
--namespace=default --user={{ openshift.master.loopback_user }}
{{ openshift.master.loopback_context_name }}
--config={{ openshift_master_loopback_config }}
when: set_loopback_cluster | changed
register: set_loopback_context
- command: >
{{ openshift.common.client_binary }} config use-context {{ openshift.master.loopback_context_name }}
--config={{ openshift_master_loopback_config }}
when: set_loopback_context | changed
register: set_current_context
- name: Start and enable master
service: name={{ openshift.common.service_type }}-master enabled=yes state=started
when: not openshift_master_ha | bool
register: start_result
notify: Verify API Server
- name: Stop and disable non HA master when running HA
service: name={{ openshift.common.service_type }}-master enabled=no state=stopped
when: openshift_master_ha | bool
- set_fact:
master_service_status_changed: "{{ start_result | changed }}"
when: not openshift_master_ha | bool
- name: Start and enable master api
service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
register: start_result
- set_fact:
master_api_service_status_changed: "{{ start_result | changed }}"
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
# A separate wait is required here for native HA since notifies will
# be resolved after all tasks in the role.
- name: Wait for API to become available
# Using curl here since the uri module requires python-httplib2 and
# wait_for port doesn't provide health information.
command: >
curl -k --head --silent {{ openshift.master.api_url }}
register: api_available_output
until: api_available_output.stdout.find("200 OK") != -1
retries: 120
delay: 1
changed_when: false
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and master_api_service_status_changed | bool
- name: Start and enable master controller
service: name={{ openshift.common.service_type }}-master-controllers enabled=yes state=started
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
register: start_result
- set_fact:
master_controllers_service_status_changed: "{{ start_result | changed }}"
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
- name: Install cluster packages
action: "{{ ansible_pkg_mgr }} name=pcs state=present"
when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
and not openshift.common.is_containerized | bool
register: install_result
- name: Start and enable cluster service
service: name=pcsd enabled=yes state=started
when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
and not openshift.common.is_containerized | bool
- name: Set the cluster user password
shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster
when: install_result | changed
- name: Lookup default group for ansible_ssh_user
command: "/usr/bin/id -g {{ ansible_ssh_user }}"
changed_when: false
register: _ansible_ssh_user_gid
- name: Create the client config dir(s)
file:
path: "~{{ item }}/.kube"
state: directory
mode: 0700
owner: "{{ item }}"
group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
with_items:
- root
- "{{ ansible_ssh_user }}"
# TODO: Update this file if the contents of the source file are not present in
# the dest file, will need to make sure to ignore things that could be added
- name: Copy the admin client config(s)
command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config
args:
creates: ~{{ item }}/.kube/config
with_items:
- root
- "{{ ansible_ssh_user }}"
- name: Update the permissions on the admin client config(s)
file:
path: "~{{ item }}/.kube/config"
state: file
mode: 0700
owner: "{{ item }}"
group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}"
with_items:
- root
- "{{ ansible_ssh_user }}"
|