Add support for creating secure router.

* Move openshift_router to openshift_hosted role which will eventually
  contain registry, metrics and logging.
* Adds option for specifying an openshift_hosted_router_certificate
  cert and key pair.
* Removes dependency on node label variables and retrieves the node
  list from the API s.t. this role can be applied to any cluster with
  existing nodes. I've added an openshift_hosted playbook that occurs
  after node install to account for this.
* Infrastructure nodes are selected using
  openshift_hosted_router_selector which is based on deployment type
  by default; openshift-enterprise -> "region=infra" and online ->
  "type=infra".

6 files changed, 140 insertions, 0 deletions

diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md
new file mode 100644
index 000000000..633ec0937
--- /dev/null
+++ b/roles/openshift_hosted/README.md
@@ -0,0 +1,55 @@
+OpenShift Hosted
+================
+
+OpenShift Hosted Resources
+
+* OpenShift Router
+
+Requirements
+------------
+
+This role requires a running OpenShift cluster with nodes labeled to
+match the openshift_hosted_router_selector (default: region=infra).
+
+Role Variables
+--------------
+
+From this role:
+
+| Name                                | Default value                            | Description                                                                                                          |
+|-------------------------------------|------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
+| openshift_hosted_router_certificate | None                                     | Dictionary containing "certfile" and "keyfile" keys with values containing paths to local certificate files.         |
+| openshift_hosted_router_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift router on.                                                                           |
+| openshift_hosted_router_replicas    | Number of nodes matching selector        | The number of replicas to configure.                                                                                 |
+| openshift_hosted_router_selector    | region=infra                             | Node selector used when creating router. The OpenShift router will only be deployed to nodes matching this selector. |
+
+Dependencies
+------------
+
+* openshift_common
+* openshift_hosted_facts
+
+Example Playbook
+----------------
+
+```
+- name: Create hosted resources
+  hosts: oo_first_master
+  roles:
+  - role: openshift_hosted
+    openshift_hosted_router_certificate:
+      certfile: /path/to/my-router.crt
+      keyfile: /path/to/my-router.key
+    openshift_hosted_router_registryurl: 'registry.access.redhat.com/openshift3/ose-haproxy-router:v3.0.2.0'
+    openshift_hosted_router_selector: 'type=infra'
+```
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Red Hat openshift@redhat.com
diff --git a/roles/openshift_hosted/handlers/main.yml b/roles/openshift_hosted/handlers/main.yml
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/roles/openshift_hosted/handlers/main.yml
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
new file mode 100644
index 000000000..75dfc24c3
--- /dev/null
+++ b/roles/openshift_hosted/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: OpenShift Embedded Router
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- openshift_common
+- openshift_hosted_facts
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
new file mode 100644
index 000000000..d42a4e365
--- /dev/null
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+
+- include: router.yml
diff --git a/roles/openshift_hosted/tasks/router.yml b/roles/openshift_hosted/tasks/router.yml
new file mode 100644
index 000000000..6a36f74b2
--- /dev/null
+++ b/roles/openshift_hosted/tasks/router.yml
@@ -0,0 +1,64 @@
+---
+- fail:
+    msg: "Both 'certfile' and 'keyfile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
+  when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate)
+
+- name: Read router certificate and key
+  slurp:
+    src: "{{ item }}"
+  register: openshift_router_certificate_output
+  with_items:
+  - "{{ openshift_hosted_router_certificate.certfile }}"
+  - "{{ openshift_hosted_router_certificate.keyfile }}"
+  delegate_to: localhost
+  when: openshift_hosted_router_certificate is defined
+
+- name: Persist certificate contents
+  openshift_facts:
+    role: hosted
+    openshift_env:
+      openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
+  when: openshift_hosted_router_certificate is defined
+
+- name: Create PEM certificate
+  copy:
+    content: "{{ openshift.hosted.router.certificate.contents }}"
+    dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
+    mode: 0600
+  when: openshift.hosted.router.certificate | default(None) != None
+
+- name: Retrieve list of openshift nodes
+  command: >
+    {{ openshift.common.client_binary }} --api-version='v1' -o json
+    get nodes -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+  register: openshift_hosted_router_nodes_json
+  when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Collect nodes matching router selector
+  set_fact:
+    openshift_hosted_router_nodes: >
+      {{ (openshift_hosted_router_nodes_json.stdout|from_json)['items']
+         | oo_oc_nodes_matching_selector(openshift.hosted.router.selector) }}
+  when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Create OpenShift router
+  command: >
+    {{ openshift.common.admin_binary }} router --create
+    {% if openshift.hosted.router.replicas | default(None) != None -%}
+    --replicas={{ openshift.hosted.router.replicas }}
+    {% else -%}
+    --replicas={{ openshift_hosted_router_nodes | length }}
+    {% endif %}
+    {% if openshift.hosted.router.certificate | default(None) != None -%}
+    --default-cert={{ openshift_master_config_dir }}/openshift-router.pem
+    {% endif -%}
+    --namespace=default
+    --service-account=router
+    --selector='{{ openshift.hosted.router.selector }}'
+    --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig
+    {% if openshift.hosted.router.registryurl | default(None)!= None -%}
+    --images='{{ openshift.hosted.router.registryurl }}'
+    {% endif -%}
+  register: openshift_hosted_router_results
+  changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
+  when: openshift.hosted.router.replicas | default(None) != None or (openshift_hosted_router_nodes is defined and openshift_hosted_router_nodes | length > 0)
diff --git a/roles/openshift_hosted/vars/main.yml b/roles/openshift_hosted/vars/main.yml
new file mode 100644
index 000000000..9967e26f4
--- /dev/null
+++ b/roles/openshift_hosted/vars/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"