summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--docs/proposals/crt_management_proposal.md8
-rw-r--r--docs/proposals/role_decomposition.md14
-rw-r--r--files/origin-components/console-config.yaml21
-rw-r--r--files/origin-components/console-template.yaml114
-rw-r--r--inventory/hosts.example5
-rw-r--r--openshift-ansible.spec33
-rw-r--r--playbooks/adhoc/openshift_hosted_logging_efk.yaml2
-rw-r--r--playbooks/aws/openshift-cluster/install.yml4
-rw-r--r--playbooks/aws/openshift-cluster/provision.yml2
-rw-r--r--playbooks/aws/openshift-cluster/provision_instance.yml2
-rw-r--r--playbooks/aws/openshift-cluster/provision_nodes.yml2
-rw-r--r--playbooks/aws/openshift-cluster/provision_sec_group.yml2
-rw-r--r--playbooks/aws/openshift-cluster/provision_ssh_keypair.yml2
-rw-r--r--playbooks/aws/openshift-cluster/provision_vpc.yml2
-rw-r--r--playbooks/aws/openshift-cluster/seal_ami.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/config.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml6
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml6
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_scale_group.yml4
-rw-r--r--playbooks/container-runtime/private/config.yml6
-rw-r--r--playbooks/container-runtime/private/setup_storage.yml2
-rw-r--r--playbooks/deploy_cluster.yml3
-rw-r--r--playbooks/gcp/provision.yml2
-rw-r--r--playbooks/init/facts.yml2
-rw-r--r--playbooks/init/repos.yml4
-rw-r--r--playbooks/openshift-etcd/private/ca.yml2
-rw-r--r--playbooks/openshift-etcd/private/certificates-backup.yml6
-rw-r--r--playbooks/openshift-etcd/private/embedded2external.yml24
-rw-r--r--playbooks/openshift-etcd/private/migrate.yml14
-rw-r--r--playbooks/openshift-etcd/private/redeploy-ca.yml8
-rw-r--r--playbooks/openshift-etcd/private/restart.yml4
-rw-r--r--playbooks/openshift-etcd/private/scaleup.yml4
-rw-r--r--playbooks/openshift-etcd/private/server_certificates.yml2
-rw-r--r--playbooks/openshift-etcd/private/upgrade_backup.yml2
-rw-r--r--playbooks/openshift-etcd/private/upgrade_image_members.yml2
-rw-r--r--playbooks/openshift-etcd/private/upgrade_main.yml2
-rw-r--r--playbooks/openshift-etcd/private/upgrade_rpm_members.yml2
-rw-r--r--playbooks/openshift-etcd/private/upgrade_step.yml4
-rw-r--r--playbooks/openshift-glusterfs/private/config.yml10
-rw-r--r--playbooks/openshift-hosted/private/config.yml4
-rw-r--r--playbooks/openshift-hosted/private/install_docker_gc.yml2
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml2
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_registry.yml2
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml13
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_router.yml2
-rw-r--r--playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml26
-rw-r--r--playbooks/openshift-hosted/private/redeploy-router-certificates.yml2
-rw-r--r--playbooks/openshift-logging/private/config.yml3
-rw-r--r--playbooks/openshift-management/add_many_container_providers.yml2
-rw-r--r--playbooks/openshift-management/private/add_container_provider.yml2
-rw-r--r--playbooks/openshift-management/private/config.yml2
-rw-r--r--playbooks/openshift-management/private/uninstall.yml2
-rw-r--r--playbooks/openshift-master/private/config.yml7
-rw-r--r--playbooks/openshift-master/private/tasks/restart_services.yml2
-rw-r--r--playbooks/openshift-metrics/private/config.yml3
-rw-r--r--playbooks/openshift-node/private/additional_config.yml14
-rw-r--r--playbooks/openshift-node/private/image_prep.yml2
-rw-r--r--playbooks/openshift-web-console/config.yml4
-rw-r--r--playbooks/openshift-web-console/private/config.yml31
l---------playbooks/openshift-web-console/private/roles1
-rw-r--r--playbooks/openstack/openshift-cluster/prerequisites.yml4
-rw-r--r--playbooks/openstack/openshift-cluster/provision.yml12
-rw-r--r--playbooks/openstack/sample-inventory/group_vars/all.yml5
-rwxr-xr-xplaybooks/openstack/sample-inventory/inventory.py9
-rw-r--r--roles/ansible_service_broker/vars/default_images.yml2
-rw-r--r--roles/calico/tasks/main.yml2
-rw-r--r--roles/container_runtime/README.md4
-rw-r--r--roles/container_runtime/defaults/main.yml2
-rw-r--r--roles/container_runtime/tasks/common/post.yml2
-rw-r--r--roles/container_runtime/tasks/main.yml2
-rw-r--r--roles/container_runtime/tasks/systemcontainer_crio.yml11
-rw-r--r--roles/container_runtime/templates/crio-network.j29
-rw-r--r--roles/contiv/README.md4
-rw-r--r--roles/contiv/defaults/main.yml148
-rw-r--r--roles/contiv/meta/main.yml14
-rw-r--r--roles/contiv/tasks/aci.yml2
-rw-r--r--roles/contiv/tasks/api_proxy.yml120
-rw-r--r--roles/contiv/tasks/default_network.yml58
-rw-r--r--roles/contiv/tasks/download_bins.yml20
-rw-r--r--roles/contiv/tasks/etcd.yml114
-rw-r--r--roles/contiv/tasks/main.yml9
-rw-r--r--roles/contiv/tasks/netmaster.yml30
-rw-r--r--roles/contiv/tasks/netmaster_firewalld.yml23
-rw-r--r--roles/contiv/tasks/netmaster_iptables.yml51
-rw-r--r--roles/contiv/tasks/netplugin.yml33
-rw-r--r--roles/contiv/tasks/netplugin_firewalld.yml39
-rw-r--r--roles/contiv/tasks/netplugin_iptables.yml98
-rw-r--r--roles/contiv/tasks/old_version_cleanup.yml43
-rw-r--r--roles/contiv/tasks/old_version_cleanup_firewalld.yml11
-rw-r--r--roles/contiv/tasks/old_version_cleanup_iptables.yml44
-rw-r--r--roles/contiv/tasks/ovs.yml2
-rw-r--r--roles/contiv/tasks/packageManagerInstall.yml5
-rw-r--r--roles/contiv/tasks/pkgMgrInstallers/centos-install.yml12
-rw-r--r--roles/contiv/templates/aci-gw.service6
-rw-r--r--roles/contiv/templates/aci_gw.j214
-rw-r--r--roles/contiv/templates/api-proxy-daemonset.yml.j257
-rw-r--r--roles/contiv/templates/api-proxy-secrets.yml.j212
-rw-r--r--roles/contiv/templates/contiv.cfg.j22
-rw-r--r--roles/contiv/templates/contiv.cfg.master.j22
-rw-r--r--roles/contiv/templates/etcd-daemonset.yml.j283
-rw-r--r--roles/contiv/templates/etcd-proxy-daemonset.yml.j255
-rw-r--r--roles/contiv/templates/etcd-scc.yml.j242
-rw-r--r--roles/contiv/templates/netmaster.env.j22
-rw-r--r--roles/contiv/templates/netmaster.j21
-rw-r--r--roles/contiv/templates/netmaster.service2
-rw-r--r--roles/contiv/templates/netplugin.j25
-rw-r--r--roles/contiv/templates/netplugin.service2
-rw-r--r--roles/contiv_auth_proxy/README.md29
-rw-r--r--roles/contiv_auth_proxy/defaults/main.yml12
-rw-r--r--roles/contiv_auth_proxy/files/auth-proxy.service13
-rw-r--r--roles/contiv_auth_proxy/files/cert.pem33
-rw-r--r--roles/contiv_auth_proxy/files/key.pem51
-rw-r--r--roles/contiv_auth_proxy/handlers/main.yml2
-rw-r--r--roles/contiv_auth_proxy/tasks/cleanup.yml10
-rw-r--r--roles/contiv_auth_proxy/tasks/main.yml37
-rw-r--r--roles/contiv_auth_proxy/templates/auth_proxy.j236
-rw-r--r--roles/contiv_auth_proxy/tests/inventory1
-rw-r--r--roles/contiv_auth_proxy/tests/test.yml5
-rw-r--r--roles/contiv_auth_proxy/vars/main.yml2
-rw-r--r--roles/contiv_facts/defaults/main.yaml9
-rw-r--r--roles/contiv_facts/tasks/fedora-install.yml12
-rw-r--r--roles/contiv_facts/tasks/main.yml48
-rw-r--r--roles/contiv_facts/tasks/rpm.yml8
-rw-r--r--roles/etcd/defaults/main.yaml2
-rw-r--r--roles/etcd/tasks/certificates/fetch_client_certificates_from_ca.yml23
-rw-r--r--roles/etcd/tasks/certificates/fetch_server_certificates_from_ca.yml18
-rw-r--r--roles/flannel/defaults/main.yaml2
-rw-r--r--roles/installer_checkpoint/callback_plugins/installer_checkpoint.py5
-rw-r--r--roles/lib_openshift/library/conditional_set_fact.py (renamed from roles/openshift_sanitize_inventory/library/conditional_set_fact.py)18
-rw-r--r--roles/lib_utils/callback_plugins/openshift_quick_installer.py4
-rw-r--r--roles/openshift_aws/README.md6
-rw-r--r--roles/openshift_cluster_autoscaler/README.md2
-rw-r--r--roles/openshift_etcd_client_certificates/tasks/main.yml2
-rw-r--r--roles/openshift_examples/tasks/main.yml12
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py21
-rw-r--r--roles/openshift_health_checker/openshift_checks/__init__.py7
-rw-r--r--roles/openshift_health_checker/openshift_checks/docker_image_availability.py10
-rw-r--r--roles/openshift_hosted/tasks/main.yml4
-rw-r--r--roles/openshift_hosted/tasks/registry.yml25
-rw-r--r--roles/openshift_hosted/tasks/registry_storage.yml4
-rw-r--r--roles/openshift_hosted/tasks/router.yml6
-rw-r--r--roles/openshift_hosted/tasks/wait_for_pod.yml6
-rw-r--r--roles/openshift_hosted_templates/meta/main.yml1
-rw-r--r--roles/openshift_hosted_templates/tasks/main.yml12
-rw-r--r--roles/openshift_loadbalancer/defaults/main.yml2
-rw-r--r--roles/openshift_logging/filter_plugins/openshift_logging.py25
-rw-r--r--roles/openshift_logging/library/logging_patch.py112
-rw-r--r--roles/openshift_logging/library/openshift_logging_facts.py13
-rw-r--r--roles/openshift_logging/tasks/delete_logging.yaml13
-rw-r--r--roles/openshift_logging/tasks/install_logging.yaml37
-rw-r--r--roles/openshift_logging/tasks/patch_configmap_file.yaml35
-rw-r--r--roles/openshift_logging/tasks/patch_configmap_files.yaml31
-rw-r--r--roles/openshift_logging/tasks/set_defaults_from_current.yml34
-rw-r--r--roles/openshift_logging/tasks/update_master_config.yaml1
-rw-r--r--roles/openshift_logging_curator/tasks/main.yaml15
-rw-r--r--roles/openshift_logging_curator/vars/main.yml4
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/main.yaml32
-rw-r--r--roles/openshift_logging_elasticsearch/vars/main.yml4
-rw-r--r--roles/openshift_logging_fluentd/tasks/main.yaml36
-rw-r--r--roles/openshift_logging_fluentd/vars/main.yml4
-rw-r--r--roles/openshift_logging_kibana/vars/main.yml4
-rw-r--r--roles/openshift_logging_mux/tasks/main.yaml24
-rw-r--r--roles/openshift_logging_mux/vars/main.yml4
-rw-r--r--roles/openshift_management/tasks/add_container_provider.yml2
-rw-r--r--roles/openshift_management/tasks/main.yml2
-rw-r--r--roles/openshift_management/tasks/storage/nfs.yml6
-rw-r--r--roles/openshift_master/defaults/main.yml13
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j24
-rw-r--r--roles/openshift_master_facts/tasks/main.yml2
-rw-r--r--roles/openshift_metrics/tasks/install_metrics.yaml12
-rw-r--r--roles/openshift_metrics/tasks/uninstall_metrics.yaml11
-rw-r--r--roles/openshift_metrics/tasks/update_master_config.yaml1
-rw-r--r--roles/openshift_nfs/tasks/create_export.yml2
-rw-r--r--roles/openshift_node/defaults/main.yml10
-rw-r--r--roles/openshift_node/templates/openshift.docker.node.dep.service8
-rw-r--r--roles/openshift_node_certificates/defaults/main.yml2
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml15
-rw-r--r--roles/openshift_openstack/defaults/main.yml5
-rw-r--r--roles/openshift_openstack/tasks/check-prerequisites.yml2
-rw-r--r--roles/openshift_openstack/templates/heat_stack.yaml.j295
-rw-r--r--roles/openshift_sanitize_inventory/meta/main.yml1
-rw-r--r--roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-endpoints.yml.j212
-rw-r--r--roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-service.yml.j210
-rw-r--r--roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-storageclass.yml.j217
-rw-r--r--roles/openshift_storage_glusterfs/templates/v3.9/heketi-endpoints.yml.j212
-rw-r--r--roles/openshift_storage_glusterfs/templates/v3.9/heketi-service.yml.j210
-rw-r--r--roles/openshift_storage_glusterfs/templates/v3.9/heketi.json.j242
-rw-r--r--roles/openshift_storage_glusterfs/templates/v3.9/topology.json.j249
-rw-r--r--roles/openshift_web_console/defaults/main.yml3
-rw-r--r--roles/openshift_web_console/meta/main.yaml19
-rw-r--r--roles/openshift_web_console/tasks/install.yml79
-rw-r--r--roles/openshift_web_console/tasks/main.yml8
-rw-r--r--roles/openshift_web_console/tasks/remove.yml5
-rw-r--r--roles/openshift_web_console/tasks/update_asset_config.yml70
-rw-r--r--roles/openshift_web_console/vars/default_images.yml4
-rw-r--r--roles/openshift_web_console/vars/main.yml5
-rw-r--r--roles/openshift_web_console/vars/openshift-enterprise.yml4
-rw-r--r--roles/os_firewall/README.md4
-rw-r--r--test/ci/README.md14
-rw-r--r--test/ci/extra_vars/default.yml4
-rwxr-xr-xtest/ci/install.sh34
-rw-r--r--test/ci/inventory/group_vars/OSEv3/checks.yml4
-rw-r--r--test/ci/inventory/group_vars/OSEv3/general.yml23
-rw-r--r--test/ci/inventory/group_vars/OSEv3/logging.yml37
-rw-r--r--test/ci/inventory/group_vars/all.yml13
-rw-r--r--test/ci/inventory/host_vars/localhost.yml8
-rw-r--r--test/ci/inventory/local.txt23
210 files changed, 2410 insertions, 925 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index f352f0079..203ed61cc 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.9.0-0.12.0 ./
+3.9.0-0.16.0 ./
diff --git a/docs/proposals/crt_management_proposal.md b/docs/proposals/crt_management_proposal.md
index 5fc1ad08d..bf4048744 100644
--- a/docs/proposals/crt_management_proposal.md
+++ b/docs/proposals/crt_management_proposal.md
@@ -30,7 +30,7 @@ configure, restart, or change the container runtime as much as feasible.
## Design
The container_runtime role should be comprised of 3 'pseudo-roles' which will be
-consumed using include_role; each component area should be enabled/disabled with
+consumed using import_role; each component area should be enabled/disabled with
a boolean value, defaulting to true.
I call them 'pseudo-roles' because they are more or less independent functional
@@ -46,15 +46,15 @@ an abundance of roles), and make things as modular as possible.
# container_runtime_setup.yml
- hosts: "{{ openshift_runtime_manage_hosts | default('oo_nodes_to_config') }}"
tasks:
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: install.yml
when: openshift_container_runtime_install | default(True) | bool
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: storage.yml
when: openshift_container_runtime_storage | default(True) | bool
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: configure.yml
when: openshift_container_runtime_configure | default(True) | bool
diff --git a/docs/proposals/role_decomposition.md b/docs/proposals/role_decomposition.md
index 37d080d5c..61690e8bd 100644
--- a/docs/proposals/role_decomposition.md
+++ b/docs/proposals/role_decomposition.md
@@ -115,12 +115,12 @@ providing the location of the generated certificates to the individual roles.
generated_certs_dir: "{{openshift.common.config_base}}/logging"
## Elasticsearch
-- include_role:
+- import_role:
name: openshift_logging_elasticsearch
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
-- include_role:
+- import_role:
name: openshift_logging_elasticsearch
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -130,7 +130,7 @@ providing the location of the generated certificates to the individual roles.
## Kibana
-- include_role:
+- import_role:
name: openshift_logging_kibana
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -144,7 +144,7 @@ providing the location of the generated certificates to the individual roles.
openshift_logging_kibana_es_port: "{{ openshift_logging_es_port }}"
openshift_logging_kibana_image_pull_secret: "{{ openshift_logging_image_pull_secret }}"
-- include_role:
+- import_role:
name: openshift_logging_kibana
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -173,7 +173,7 @@ providing the location of the generated certificates to the individual roles.
## Curator
-- include_role:
+- import_role:
name: openshift_logging_curator
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -183,7 +183,7 @@ providing the location of the generated certificates to the individual roles.
openshift_logging_curator_image_version: "{{ openshift_logging_image_version }}"
openshift_logging_curator_image_pull_secret: "{{ openshift_logging_image_pull_secret }}"
-- include_role:
+- import_role:
name: openshift_logging_curator
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -201,7 +201,7 @@ providing the location of the generated certificates to the individual roles.
## Fluentd
-- include_role:
+- import_role:
name: openshift_logging_fluentd
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
diff --git a/files/origin-components/console-config.yaml b/files/origin-components/console-config.yaml
new file mode 100644
index 000000000..8f3f87c0b
--- /dev/null
+++ b/files/origin-components/console-config.yaml
@@ -0,0 +1,21 @@
+kind: AssetConfig
+apiVersion: v1
+extensionDevelopment: false
+extensionProperties: null
+extensionScripts: null
+extensionStylesheets: null
+extensions: null
+loggingPublicURL: ""
+logoutURL: ""
+masterPublicURL: https://127.0.0.1:8443
+metricsPublicURL: ""
+publicURL: https://127.0.0.1:8443/console/
+servingInfo:
+ bindAddress: 0.0.0.0:8443
+ bindNetwork: tcp4
+ certFile: /var/serving-cert/tls.crt
+ clientCA: ""
+ keyFile: /var/serving-cert/tls.key
+ maxRequestsInFlight: 0
+ namedCertificates: null
+ requestTimeoutSeconds: 0 \ No newline at end of file
diff --git a/files/origin-components/console-template.yaml b/files/origin-components/console-template.yaml
new file mode 100644
index 000000000..b2a6569fd
--- /dev/null
+++ b/files/origin-components/console-template.yaml
@@ -0,0 +1,114 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: openshift-web-console
+ annotations:
+ openshift.io/display-name: OpenShift Web Console
+ description: The server for the OpenShift web console.
+ iconClass: icon-openshift
+ tags: openshift,infra
+ openshift.io/documentation-url: https://github.com/openshift/origin-web-console-server
+ openshift.io/support-url: https://access.redhat.com
+ openshift.io/provider-display-name: Red Hat, Inc.
+parameters:
+- name: IMAGE
+ value: openshift/origin-web-console:latest
+- name: NAMESPACE
+ value: openshift-web-console
+- name: LOGLEVEL
+ value: "0"
+- name: API_SERVER_CONFIG
+- name: NODE_SELECTOR
+ value: "{}"
+- name: REPLICA_COUNT
+ value: "1"
+objects:
+
+# to create the web console server
+- apiVersion: apps/v1beta1
+ kind: Deployment
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole
+ labels:
+ app: openshift-web-console
+ webconsole: "true"
+ spec:
+ replicas: "${{REPLICA_COUNT}}"
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: webconsole
+ labels:
+ webconsole: "true"
+ spec:
+ serviceAccountName: webconsole
+ containers:
+ - name: webconsole
+ image: ${IMAGE}
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/usr/bin/origin-web-console"
+ - "--audit-log-path=-"
+ - "--config=/var/webconsole-config/webconsole-config.yaml"
+ ports:
+ - containerPort: 8443
+ volumeMounts:
+ - mountPath: /var/serving-cert
+ name: serving-cert
+ - mountPath: /var/webconsole-config
+ name: webconsole-config
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ scheme: HTTPS
+ nodeSelector: "${{NODE_SELECTOR}}"
+ volumes:
+ - name: serving-cert
+ secret:
+ defaultMode: 420
+ secretName: webconsole-serving-cert
+ - name: webconsole-config
+ configMap:
+ defaultMode: 420
+ name: webconsole-config
+
+# to create the config for the web console
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole-config
+ labels:
+ app: openshift-web-console
+ data:
+ webconsole-config.yaml: ${API_SERVER_CONFIG}
+
+# to be able to assign powers to the process
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole
+ labels:
+ app: openshift-web-console
+
+# to be able to expose web console inside the cluster
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole
+ labels:
+ app: openshift-web-console
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: webconsole-serving-cert
+ spec:
+ selector:
+ webconsole: "true"
+ ports:
+ - name: https
+ port: 443
+ targetPort: 8443
diff --git a/inventory/hosts.example b/inventory/hosts.example
index b009b4fc8..8c2590078 100644
--- a/inventory/hosts.example
+++ b/inventory/hosts.example
@@ -84,6 +84,9 @@ openshift_release=v3.7
# Configure extensions in the master config for console customization
# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files
+#openshift_master_oauth_templates:
+# login: /path/to/login-template.html
+# openshift_master_oauth_template is deprecated. Use openshift_master_oauth_templates instead.
#openshift_master_oauth_template=/path/to/login-template.html
# Configure imagePolicyConfig in the master config
@@ -125,7 +128,7 @@ openshift_release=v3.7
#openshift_crio_systemcontainer_image_override="registry.example.com/cri-o:latest"
# NOTE: The following crio docker-gc items are tech preview and likely shouldn't be used
# unless you know what you are doing!!
-# The following two variables are used when opneshift_use_crio is True
+# The following two variables are used when openshift_use_crio is True
# and cleans up after builds that pass through docker.
# Enable docker garbage collection when using cri-o
#openshift_crio_enable_docker_gc=false
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index e593cc4dc..06f5d3669 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
Name: openshift-ansible
Version: 3.9.0
-Release: 0.12.0%{?dist}
+Release: 0.16.0%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
URL: https://github.com/openshift/openshift-ansible
@@ -202,6 +202,29 @@ Atomic OpenShift Utilities includes
%changelog
+* Wed Jan 03 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.16.0
+- Add gluster 3.9 templates (sdodson@redhat.com)
+- Add in-tree CI scripts (mgugino@redhat.com)
+
+* Wed Jan 03 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.15.0
+-
+
+* Wed Jan 03 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.14.0
+- Cast openshift_docker_use_system_container to bool (mgugino@redhat.com)
+- Correct kublet_args cloud-provider directories (mgugino@redhat.com)
+- Updating logging_facts to be able to pull values from config maps yaml files,
+ use diffs to keep custom changes, white list certain settings when creating
+ diffs (ewolinet@redhat.com)
+- Add docker auth credentials to system container install (mgugino@redhat.com)
+- Move wait_for_pods to it's own play openshift_hosted (mgugino@redhat.com)
+- Remove oauth_template bits from openshift_facts (mgugino@redhat.com)
+
+* Tue Jan 02 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.13.0
+- Bug 1527178 - installation of logging stack failed: Invalid version specified
+ for Elasticsearch (nhosoi@redhat.com)
+- Remove bootstrap.yml from main.yml in openshift_node role
+ (mgugino@redhat.com)
+
* Tue Jan 02 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.12.0
-
@@ -385,7 +408,7 @@ Atomic OpenShift Utilities includes
- Update prometheus to 2.0.0 GA (zgalor@redhat.com)
- remove schedulable from openshift_facts (mgugino@redhat.com)
- inventory: Add example for service catalog vars (smilner@redhat.com)
-- Correct usage of include_role (rteague@redhat.com)
+- Correct usage of import_role (rteague@redhat.com)
- Remove openshift.common.cli_image (mgugino@redhat.com)
- Fix openshift_env fact creation within openshift_facts. (abutcher@redhat.com)
- Combine openshift_node and openshift_node_dnsmasq (mgugino@redhat.com)
@@ -978,7 +1001,7 @@ Atomic OpenShift Utilities includes
- Renaming csr to bootstrap for consistency. (kwoodson@redhat.com)
- Add master config upgrade hook to upgrade-all plays (mgugino@redhat.com)
- Remove 'Not Started' status from playbook checkpoint (rteague@redhat.com)
-- Force include_role to static for loading openshift_facts module
+- Force import_role to static for loading openshift_facts module
(rteague@redhat.com)
- Make openshift-ansible depend on all subpackages (sdodson@redhat.com)
- Refactor health check playbooks (rteague@redhat.com)
@@ -3706,9 +3729,9 @@ Atomic OpenShift Utilities includes
- run node upgrade if master is node as part of the control plan upgrade only
(jchaloup@redhat.com)
- Appease yamllint (sdodson@redhat.com)
-- Adding include_role to block to resolve when eval (ewolinet@redhat.com)
+- Adding import_role to block to resolve when eval (ewolinet@redhat.com)
- Updating oc_apply to use command instead of shell (ewolinet@redhat.com)
-- Wrap openshift_hosted_logging include_role within a block.
+- Wrap openshift_hosted_logging import_role within a block.
(abutcher@redhat.com)
- Adding unit test. Fixed redudant calls to get. (kwoodson@redhat.com)
- Fixing doc and generating new label with updated base. (kwoodson@redhat.com)
diff --git a/playbooks/adhoc/openshift_hosted_logging_efk.yaml b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
index 69b2541bb..faeb332ad 100644
--- a/playbooks/adhoc/openshift_hosted_logging_efk.yaml
+++ b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
@@ -10,7 +10,7 @@
- set_fact:
openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ openshift_master_default_subdomain }}"
tasks:
- - include_role:
+ - import_role:
name: openshift_logging
tasks_from: update_master_config
when: openshift_hosted_logging_deploy | default(false) | bool
diff --git a/playbooks/aws/openshift-cluster/install.yml b/playbooks/aws/openshift-cluster/install.yml
index b03fb0b7f..a3fc82f9a 100644
--- a/playbooks/aws/openshift-cluster/install.yml
+++ b/playbooks/aws/openshift-cluster/install.yml
@@ -2,7 +2,7 @@
- name: Setup the master node group
hosts: localhost
tasks:
- - include_role:
+ - import_role:
name: openshift_aws
tasks_from: setup_master_group.yml
@@ -11,7 +11,7 @@
gather_facts: no
remote_user: root
tasks:
- - include_role:
+ - import_role:
name: openshift_aws
tasks_from: master_facts.yml
diff --git a/playbooks/aws/openshift-cluster/provision.yml b/playbooks/aws/openshift-cluster/provision.yml
index 4b5bd22ea..7dde60b7d 100644
--- a/playbooks/aws/openshift-cluster/provision.yml
+++ b/playbooks/aws/openshift-cluster/provision.yml
@@ -12,6 +12,6 @@
msg: "openshift_aws_region={{ openshift_aws_region | default('us-east-1') }}"
- name: provision cluster
- include_role:
+ import_role:
name: openshift_aws
tasks_from: provision.yml
diff --git a/playbooks/aws/openshift-cluster/provision_instance.yml b/playbooks/aws/openshift-cluster/provision_instance.yml
index 6e843453c..6c7c1f069 100644
--- a/playbooks/aws/openshift-cluster/provision_instance.yml
+++ b/playbooks/aws/openshift-cluster/provision_instance.yml
@@ -7,6 +7,6 @@
gather_facts: no
tasks:
- name: create an instance and prepare for ami
- include_role:
+ import_role:
name: openshift_aws
tasks_from: provision_instance.yml
diff --git a/playbooks/aws/openshift-cluster/provision_nodes.yml b/playbooks/aws/openshift-cluster/provision_nodes.yml
index 44c686e08..82f147865 100644
--- a/playbooks/aws/openshift-cluster/provision_nodes.yml
+++ b/playbooks/aws/openshift-cluster/provision_nodes.yml
@@ -13,6 +13,6 @@
msg: "openshift_aws_region={{ openshift_aws_region | default('us-east-1') }}"
- name: create the node groups
- include_role:
+ import_role:
name: openshift_aws
tasks_from: provision_nodes.yml
diff --git a/playbooks/aws/openshift-cluster/provision_sec_group.yml b/playbooks/aws/openshift-cluster/provision_sec_group.yml
index 7d74a691a..a0d4ec728 100644
--- a/playbooks/aws/openshift-cluster/provision_sec_group.yml
+++ b/playbooks/aws/openshift-cluster/provision_sec_group.yml
@@ -7,7 +7,7 @@
gather_facts: no
tasks:
- name: create security groups
- include_role:
+ import_role:
name: openshift_aws
tasks_from: security_group.yml
when: openshift_aws_create_security_groups | default(True) | bool
diff --git a/playbooks/aws/openshift-cluster/provision_ssh_keypair.yml b/playbooks/aws/openshift-cluster/provision_ssh_keypair.yml
index 3ec683958..d86ff9f9b 100644
--- a/playbooks/aws/openshift-cluster/provision_ssh_keypair.yml
+++ b/playbooks/aws/openshift-cluster/provision_ssh_keypair.yml
@@ -4,7 +4,7 @@
gather_facts: no
tasks:
- name: create an instance and prepare for ami
- include_role:
+ import_role:
name: openshift_aws
tasks_from: ssh_keys.yml
vars:
diff --git a/playbooks/aws/openshift-cluster/provision_vpc.yml b/playbooks/aws/openshift-cluster/provision_vpc.yml
index 0a23a6d32..cf72f6c87 100644
--- a/playbooks/aws/openshift-cluster/provision_vpc.yml
+++ b/playbooks/aws/openshift-cluster/provision_vpc.yml
@@ -4,7 +4,7 @@
gather_facts: no
tasks:
- name: create a vpc
- include_role:
+ import_role:
name: openshift_aws
tasks_from: vpc.yml
when: openshift_aws_create_vpc | default(True) | bool
diff --git a/playbooks/aws/openshift-cluster/seal_ami.yml b/playbooks/aws/openshift-cluster/seal_ami.yml
index 8239a64fb..f315db604 100644
--- a/playbooks/aws/openshift-cluster/seal_ami.yml
+++ b/playbooks/aws/openshift-cluster/seal_ami.yml
@@ -7,6 +7,6 @@
become: no
tasks:
- name: seal the ami
- include_role:
+ import_role:
name: openshift_aws
tasks_from: seal_ami.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml
index 28ddc3ded..ffb11670d 100644
--- a/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml
@@ -16,7 +16,7 @@
msg: Cannot upgrade Docker on Atomic operating systems.
when: openshift_is_atomic | bool
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: docker_upgrade_check.yml
when: docker_upgrade is not defined or docker_upgrade | bool
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/config.yml b/playbooks/common/openshift-cluster/upgrades/pre/config.yml
index de74c8ab8..cfc0c8745 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/config.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/config.yml
@@ -72,6 +72,6 @@
- name: Verify docker upgrade targets
hosts: "{{ l_upgrade_docker_target_hosts }}"
tasks:
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: docker_upgrade_check.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml
index b0b5a7e4b..4c1156f4b 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml
@@ -5,7 +5,7 @@
when: openshift.common.version is not defined
- name: Update oreg_auth docker login credentials if necessary
- include_role:
+ import_role:
name: container_runtime
tasks_from: registry_auth.yml
when: oreg_auth_user is defined
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index 0263e721d..91d496ff4 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -50,7 +50,7 @@
openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
serial: 1
tasks:
- - include_role:
+ - import_role:
name: openshift_facts
# Run the pre-upgrade hook if defined:
@@ -60,7 +60,7 @@
- include_tasks: "{{ openshift_master_upgrade_pre_hook }}"
when: openshift_master_upgrade_pre_hook is defined
- - include_role:
+ - import_role:
name: openshift_master
tasks_from: upgrade.yml
@@ -301,7 +301,7 @@
roles:
- openshift_facts
post_tasks:
- - include_role:
+ - import_role:
name: openshift_node
tasks_from: upgrade.yml
vars:
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
index ece69a3d5..aba179c2b 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
@@ -4,7 +4,7 @@
roles:
- role: openshift_facts
tasks:
- - include_role:
+ - import_role:
name: openshift_node
tasks_from: upgrade_pre.yml
vars:
@@ -43,7 +43,7 @@
delay: 60
post_tasks:
- - include_role:
+ - import_role:
name: openshift_node
tasks_from: upgrade.yml
vars:
@@ -62,7 +62,7 @@
- name: Re-enable excluders
hosts: oo_nodes_to_upgrade:!oo_masters_to_config
tasks:
- - include_role:
+ - import_role:
name: openshift_excluder
vars:
r_openshift_excluder_action: enable
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_scale_group.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_scale_group.yml
index a90082760..6d59bfd0b 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_scale_group.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_scale_group.yml
@@ -3,7 +3,7 @@
hosts: localhost
tasks:
- name: build upgrade scale groups
- include_role:
+ import_role:
name: openshift_aws
tasks_from: upgrade_node_group.yml
@@ -61,6 +61,6 @@
hosts: localhost
tasks:
- name: clean up scale group
- include_role:
+ import_role:
name: openshift_aws
tasks_from: remove_scale_group.yml
diff --git a/playbooks/container-runtime/private/config.yml b/playbooks/container-runtime/private/config.yml
index d8fc93710..dd13fa4a2 100644
--- a/playbooks/container-runtime/private/config.yml
+++ b/playbooks/container-runtime/private/config.yml
@@ -8,19 +8,19 @@
roles:
- role: container_runtime
tasks:
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: package_docker.yml
when:
- not openshift_docker_use_system_container | bool
- not openshift_use_crio_only | bool
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: systemcontainer_docker.yml
when:
- openshift_docker_use_system_container | bool
- not openshift_use_crio_only | bool
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: systemcontainer_crio.yml
when:
diff --git a/playbooks/container-runtime/private/setup_storage.yml b/playbooks/container-runtime/private/setup_storage.yml
index 54fa5ca66..357f67f0c 100644
--- a/playbooks/container-runtime/private/setup_storage.yml
+++ b/playbooks/container-runtime/private/setup_storage.yml
@@ -8,7 +8,7 @@
roles:
- role: container_runtime
tasks:
- - include_role:
+ - import_role:
name: container_runtime
tasks_from: docker_storage_setup_overlay.yml
when:
diff --git a/playbooks/deploy_cluster.yml b/playbooks/deploy_cluster.yml
index 0e6bde09a..5efdc486a 100644
--- a/playbooks/deploy_cluster.yml
+++ b/playbooks/deploy_cluster.yml
@@ -22,6 +22,9 @@
- import_playbook: openshift-hosted/private/config.yml
+- import_playbook: openshift-web-console/private/config.yml
+ when: openshift_web_console_install | default(true) | bool
+
- import_playbook: openshift-metrics/private/config.yml
when: openshift_metrics_install_metrics | default(false) | bool
diff --git a/playbooks/gcp/provision.yml b/playbooks/gcp/provision.yml
index 6016e6a78..b6edf9961 100644
--- a/playbooks/gcp/provision.yml
+++ b/playbooks/gcp/provision.yml
@@ -6,7 +6,7 @@
tasks:
- name: provision a GCP cluster in the specified project
- include_role:
+ import_role:
name: openshift_gcp
- name: run the cluster deploy
diff --git a/playbooks/init/facts.yml b/playbooks/init/facts.yml
index 9e411a551..6759240c9 100644
--- a/playbooks/init/facts.yml
+++ b/playbooks/init/facts.yml
@@ -13,7 +13,7 @@
# TODO: Should this role be refactored into health_checks??
- name: Run openshift_sanitize_inventory to set variables
- include_role:
+ import_role:
name: openshift_sanitize_inventory
- name: Detecting Operating System from ostree_booted
diff --git a/playbooks/init/repos.yml b/playbooks/init/repos.yml
index 866c889b6..667f38ddd 100644
--- a/playbooks/init/repos.yml
+++ b/playbooks/init/repos.yml
@@ -4,7 +4,7 @@
gather_facts: no
tasks:
- name: subscribe instances to Red Hat Subscription Manager
- include_role:
+ import_role:
name: rhel_subscribe
when:
- ansible_distribution == 'RedHat'
@@ -12,5 +12,5 @@
- rhsub_user is defined
- rhsub_pass is defined
- name: initialize openshift repos
- include_role:
+ import_role:
name: openshift_repos
diff --git a/playbooks/openshift-etcd/private/ca.yml b/playbooks/openshift-etcd/private/ca.yml
index f3bb3c2d1..72c39d546 100644
--- a/playbooks/openshift-etcd/private/ca.yml
+++ b/playbooks/openshift-etcd/private/ca.yml
@@ -5,7 +5,7 @@
- role: openshift_clock
- role: openshift_etcd_facts
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: ca.yml
vars:
diff --git a/playbooks/openshift-etcd/private/certificates-backup.yml b/playbooks/openshift-etcd/private/certificates-backup.yml
index ce21a1f96..2f9bef799 100644
--- a/playbooks/openshift-etcd/private/certificates-backup.yml
+++ b/playbooks/openshift-etcd/private/certificates-backup.yml
@@ -3,10 +3,10 @@
hosts: oo_first_etcd
any_errors_fatal: true
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup_generated_certificates.yml
- - include_role:
+ - import_role:
name: etcd
tasks_from: remove_generated_certificates.yml
@@ -14,6 +14,6 @@
hosts: oo_etcd_to_config
any_errors_fatal: true
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup_server_certificates.yml
diff --git a/playbooks/openshift-etcd/private/embedded2external.yml b/playbooks/openshift-etcd/private/embedded2external.yml
index be177b714..b71eaacd0 100644
--- a/playbooks/openshift-etcd/private/embedded2external.yml
+++ b/playbooks/openshift-etcd/private/embedded2external.yml
@@ -18,7 +18,7 @@
- role: openshift_facts
tasks:
- name: Check the master API is ready
- include_role:
+ import_role:
name: openshift_master
tasks_from: check_master_api_is_ready.yml
- set_fact:
@@ -31,8 +31,8 @@
name: "{{ master_service }}"
state: stopped
# 2. backup embedded etcd
- # Can't use with_items with include_role: https://github.com/ansible/ansible/issues/21285
- - include_role:
+ # Can't use with_items with import_role: https://github.com/ansible/ansible/issues/21285
+ - import_role:
name: etcd
tasks_from: backup.yml
vars:
@@ -40,7 +40,7 @@
r_etcd_common_embedded_etcd: "{{ true }}"
r_etcd_common_backup_sufix_name: "{{ embedded_etcd_backup_suffix }}"
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup.archive.yml
vars:
@@ -56,7 +56,7 @@
- name: Backup etcd client certificates for master host
hosts: oo_first_master
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup_master_etcd_certificates.yml
@@ -73,10 +73,10 @@
hosts: oo_etcd_to_config[0]
gather_facts: no
pre_tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: disable_etcd.yml
- - include_role:
+ - import_role:
name: etcd
tasks_from: clean_data.yml
@@ -91,7 +91,7 @@
changed_when: False
become: no
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup.fetch.yml
vars:
@@ -101,7 +101,7 @@
r_etcd_common_backup_sufix_name: "{{ hostvars[groups.oo_first_master.0].embedded_etcd_backup_suffix }}"
delegate_to: "{{ groups.oo_first_master[0] }}"
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup.copy.yml
vars:
@@ -122,14 +122,14 @@
- name: Force new etcd cluster
hosts: oo_etcd_to_config[0]
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup.unarchive.yml
vars:
r_etcd_common_backup_tag: pre-migrate
r_etcd_common_backup_sufix_name: "{{ hostvars[groups.oo_first_master.0].embedded_etcd_backup_suffix }}"
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup.force_new_cluster.yml
vars:
@@ -143,7 +143,7 @@
- name: Configure master to use external etcd
hosts: oo_first_master
tasks:
- - include_role:
+ - import_role:
name: openshift_master
tasks_from: configure_external_etcd.yml
vars:
diff --git a/playbooks/openshift-etcd/private/migrate.yml b/playbooks/openshift-etcd/private/migrate.yml
index cad0ebcaa..0a2ac7f1a 100644
--- a/playbooks/openshift-etcd/private/migrate.yml
+++ b/playbooks/openshift-etcd/private/migrate.yml
@@ -15,7 +15,7 @@
- name: Run pre-checks
hosts: oo_etcd_to_migrate
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: migrate.pre_check.yml
vars:
@@ -43,7 +43,7 @@
roles:
- role: openshift_facts
post_tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup.yml
vars:
@@ -70,7 +70,7 @@
hosts: oo_etcd_to_migrate
gather_facts: no
pre_tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: disable_etcd.yml
@@ -78,7 +78,7 @@
hosts: oo_etcd_to_migrate[0]
gather_facts: no
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: migrate.yml
vars:
@@ -90,7 +90,7 @@
hosts: oo_etcd_to_migrate[1:]
gather_facts: no
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: clean_data.yml
vars:
@@ -126,7 +126,7 @@
- name: Add TTLs on the first master
hosts: oo_first_master[0]
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: migrate.add_ttls.yml
vars:
@@ -138,7 +138,7 @@
- name: Configure masters if etcd data migration is succesfull
hosts: oo_masters_to_config
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: migrate.configure_master.yml
when: etcd_migration_failed | length == 0
diff --git a/playbooks/openshift-etcd/private/redeploy-ca.yml b/playbooks/openshift-etcd/private/redeploy-ca.yml
index 0995945cc..7b0d99255 100644
--- a/playbooks/openshift-etcd/private/redeploy-ca.yml
+++ b/playbooks/openshift-etcd/private/redeploy-ca.yml
@@ -14,10 +14,10 @@
- name: Backup existing etcd CA certificate directories
hosts: oo_etcd_to_config
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup_ca_certificates.yml
- - include_role:
+ - import_role:
name: etcd
tasks_from: remove_ca_certificates.yml
@@ -37,7 +37,7 @@
- name: Distribute etcd CA to etcd hosts
hosts: oo_etcd_to_config
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: distribute_ca.yml
vars:
@@ -54,7 +54,7 @@
- name: Retrieve etcd CA certificate
hosts: oo_first_etcd
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: retrieve_ca_certificates.yml
vars:
diff --git a/playbooks/openshift-etcd/private/restart.yml b/playbooks/openshift-etcd/private/restart.yml
index 0751480e2..a2a53651b 100644
--- a/playbooks/openshift-etcd/private/restart.yml
+++ b/playbooks/openshift-etcd/private/restart.yml
@@ -3,7 +3,7 @@
hosts: oo_etcd_to_config
serial: 1
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: restart.yml
when:
@@ -12,7 +12,7 @@
- name: Restart etcd
hosts: oo_etcd_to_config
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: restart.yml
when:
diff --git a/playbooks/openshift-etcd/private/scaleup.yml b/playbooks/openshift-etcd/private/scaleup.yml
index dc667958f..8a9811a25 100644
--- a/playbooks/openshift-etcd/private/scaleup.yml
+++ b/playbooks/openshift-etcd/private/scaleup.yml
@@ -30,7 +30,7 @@
retries: 3
delay: 10
until: etcd_add_check.rc == 0
- - include_role:
+ - import_role:
name: etcd
tasks_from: server_certificates.yml
vars:
@@ -76,6 +76,6 @@
roles:
- role: openshift_master_facts
post_tasks:
- - include_role:
+ - import_role:
name: openshift_master
tasks_from: update_etcd_client_urls.yml
diff --git a/playbooks/openshift-etcd/private/server_certificates.yml b/playbooks/openshift-etcd/private/server_certificates.yml
index 695b53990..ebcf4a5ff 100644
--- a/playbooks/openshift-etcd/private/server_certificates.yml
+++ b/playbooks/openshift-etcd/private/server_certificates.yml
@@ -5,7 +5,7 @@
roles:
- role: openshift_etcd_facts
post_tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: server_certificates.yml
vars:
diff --git a/playbooks/openshift-etcd/private/upgrade_backup.yml b/playbooks/openshift-etcd/private/upgrade_backup.yml
index 0d8943d93..97b6edba5 100644
--- a/playbooks/openshift-etcd/private/upgrade_backup.yml
+++ b/playbooks/openshift-etcd/private/upgrade_backup.yml
@@ -4,7 +4,7 @@
roles:
- role: openshift_etcd_facts
post_tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: backup.yml
vars:
diff --git a/playbooks/openshift-etcd/private/upgrade_image_members.yml b/playbooks/openshift-etcd/private/upgrade_image_members.yml
index d4386249e..f9e50e748 100644
--- a/playbooks/openshift-etcd/private/upgrade_image_members.yml
+++ b/playbooks/openshift-etcd/private/upgrade_image_members.yml
@@ -6,7 +6,7 @@
hosts: oo_etcd_hosts_to_upgrade
serial: 1
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: upgrade_image.yml
vars:
diff --git a/playbooks/openshift-etcd/private/upgrade_main.yml b/playbooks/openshift-etcd/private/upgrade_main.yml
index e373a4a4c..8997680f9 100644
--- a/playbooks/openshift-etcd/private/upgrade_main.yml
+++ b/playbooks/openshift-etcd/private/upgrade_main.yml
@@ -14,7 +14,7 @@
- name: Drop etcdctl profiles
hosts: oo_etcd_hosts_to_upgrade
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: drop_etcdctl.yml
diff --git a/playbooks/openshift-etcd/private/upgrade_rpm_members.yml b/playbooks/openshift-etcd/private/upgrade_rpm_members.yml
index f7fe6cd9c..e78cc5826 100644
--- a/playbooks/openshift-etcd/private/upgrade_rpm_members.yml
+++ b/playbooks/openshift-etcd/private/upgrade_rpm_members.yml
@@ -6,7 +6,7 @@
hosts: oo_etcd_hosts_to_upgrade
serial: 1
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: upgrade_rpm.yml
vars:
diff --git a/playbooks/openshift-etcd/private/upgrade_step.yml b/playbooks/openshift-etcd/private/upgrade_step.yml
index 05c543d62..6aec838d4 100644
--- a/playbooks/openshift-etcd/private/upgrade_step.yml
+++ b/playbooks/openshift-etcd/private/upgrade_step.yml
@@ -2,7 +2,7 @@
- name: Determine etcd version
hosts: oo_etcd_hosts_to_upgrade
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: version_detect.yml
@@ -54,7 +54,7 @@
hosts: oo_etcd_hosts_to_upgrade
serial: 1
tasks:
- - include_role:
+ - import_role:
name: etcd
tasks_from: upgrade_image.yml
vars:
diff --git a/playbooks/openshift-glusterfs/private/config.yml b/playbooks/openshift-glusterfs/private/config.yml
index 19e14ab3e..9a5bc143d 100644
--- a/playbooks/openshift-glusterfs/private/config.yml
+++ b/playbooks/openshift-glusterfs/private/config.yml
@@ -14,12 +14,12 @@
- name: Open firewall ports for GlusterFS nodes
hosts: glusterfs
tasks:
- - include_role:
+ - import_role:
name: openshift_storage_glusterfs
tasks_from: firewall.yml
when:
- openshift_storage_glusterfs_is_native | default(True) | bool
- - include_role:
+ - import_role:
name: openshift_storage_glusterfs
tasks_from: kernel_modules.yml
when:
@@ -28,12 +28,12 @@
- name: Open firewall ports for GlusterFS registry nodes
hosts: glusterfs_registry
tasks:
- - include_role:
+ - import_role:
name: openshift_storage_glusterfs
tasks_from: firewall.yml
when:
- openshift_storage_glusterfs_registry_is_native | default(True) | bool
- - include_role:
+ - import_role:
name: openshift_storage_glusterfs
tasks_from: kernel_modules.yml
when:
@@ -43,7 +43,7 @@
hosts: oo_first_master
tasks:
- name: setup glusterfs
- include_role:
+ import_role:
name: openshift_storage_glusterfs
when: groups.oo_glusterfs_to_config | default([]) | count > 0
diff --git a/playbooks/openshift-hosted/private/config.yml b/playbooks/openshift-hosted/private/config.yml
index 036fe654d..4e7b98da2 100644
--- a/playbooks/openshift-hosted/private/config.yml
+++ b/playbooks/openshift-hosted/private/config.yml
@@ -21,6 +21,10 @@
- import_playbook: openshift_hosted_registry.yml
+- import_playbook: openshift_hosted_wait_for_pods.yml
+
+- import_playbook: openshift_hosted_registry_storage.yml
+
- import_playbook: cockpit-ui.yml
- import_playbook: install_docker_gc.yml
diff --git a/playbooks/openshift-hosted/private/install_docker_gc.yml b/playbooks/openshift-hosted/private/install_docker_gc.yml
index 1e3dfee07..03eb542d3 100644
--- a/playbooks/openshift-hosted/private/install_docker_gc.yml
+++ b/playbooks/openshift-hosted/private/install_docker_gc.yml
@@ -3,5 +3,5 @@
hosts: oo_first_master
gather_facts: false
tasks:
- - include_role:
+ - import_role:
name: openshift_docker_gc
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml b/playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml
index d5ca5185c..b09432da2 100644
--- a/playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml
+++ b/playbooks/openshift-hosted/private/openshift_hosted_create_projects.yml
@@ -2,6 +2,6 @@
- name: Create Hosted Resources - openshift projects
hosts: oo_first_master
tasks:
- - include_role:
+ - import_role:
name: openshift_hosted
tasks_from: create_projects.yml
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_registry.yml b/playbooks/openshift-hosted/private/openshift_hosted_registry.yml
index 2a91a827c..659c95eda 100644
--- a/playbooks/openshift-hosted/private/openshift_hosted_registry.yml
+++ b/playbooks/openshift-hosted/private/openshift_hosted_registry.yml
@@ -5,7 +5,7 @@
- set_fact:
openshift_hosted_registry_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master"
- - include_role:
+ - import_role:
name: openshift_hosted
tasks_from: registry.yml
when:
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml b/playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml
new file mode 100644
index 000000000..cfc47c9b2
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_hosted_registry_storage.yml
@@ -0,0 +1,13 @@
+---
+# This playbook waits for registry and router pods after both have been
+# created. It is intended to allow the tasks of deploying both to complete
+# before polling to save time.
+- name: Poll for hosted pod deployments
+ hosts: oo_first_master
+ tasks:
+ - import_role:
+ name: openshift_hosted
+ tasks_from: registry_storage.yml
+ when:
+ - openshift_hosted_manage_registry | default(True) | bool
+ - openshift_hosted_registry_registryurl is defined
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_router.yml b/playbooks/openshift-hosted/private/openshift_hosted_router.yml
index bcb5a34a4..353377189 100644
--- a/playbooks/openshift-hosted/private/openshift_hosted_router.yml
+++ b/playbooks/openshift-hosted/private/openshift_hosted_router.yml
@@ -5,7 +5,7 @@
- set_fact:
openshift_hosted_router_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master"
- - include_role:
+ - import_role:
name: openshift_hosted
tasks_from: router.yml
when:
diff --git a/playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml b/playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml
new file mode 100644
index 000000000..1f6868c2a
--- /dev/null
+++ b/playbooks/openshift-hosted/private/openshift_hosted_wait_for_pods.yml
@@ -0,0 +1,26 @@
+---
+# This playbook waits for registry and router pods after both have been
+# created. It is intended to allow the tasks of deploying both to complete
+# before polling to save time.
+- name: Poll for hosted pod deployments
+ hosts: oo_first_master
+ tasks:
+ - import_role:
+ name: openshift_hosted
+ tasks_from: wait_for_pod.yml
+ vars:
+ l_openshift_hosted_wait_for_pod: "{{ openshift_hosted_router_wait }}"
+ l_openshift_hosted_wfp_items: "{{ openshift_hosted_routers }}"
+ when:
+ - openshift_hosted_manage_router | default(True) | bool
+ - openshift_hosted_router_registryurl is defined
+
+ - import_role:
+ name: openshift_hosted
+ tasks_from: wait_for_pod.yml
+ vars:
+ l_openshift_hosted_wait_for_pod: "{{ openshift_hosted_registry_wait }}"
+ l_openshift_hosted_wfp_items: "{{ r_openshift_hosted_registry_list }}"
+ when:
+ - openshift_hosted_manage_registry | default(True) | bool
+ - openshift_hosted_registry_registryurl is defined
diff --git a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
index c19147d41..0df748f47 100644
--- a/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
+++ b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml
@@ -115,7 +115,7 @@
- ('service.alpha.openshift.io/serving-cert-secret-name') not in router_service_annotations
- ('service.alpha.openshift.io/serving-cert-signed-by') not in router_service_annotations
- - include_role:
+ - import_role:
name: openshift_hosted
tasks_from: main
vars:
diff --git a/playbooks/openshift-logging/private/config.yml b/playbooks/openshift-logging/private/config.yml
index bc59bd95a..d6b26647c 100644
--- a/playbooks/openshift-logging/private/config.yml
+++ b/playbooks/openshift-logging/private/config.yml
@@ -16,11 +16,12 @@
roles:
- openshift_logging
+# TODO: Remove when master config property is removed
- name: Update Master configs
hosts: oo_masters:!oo_first_master
tasks:
- block:
- - include_role:
+ - import_role:
name: openshift_logging
tasks_from: update_master_config
diff --git a/playbooks/openshift-management/add_many_container_providers.yml b/playbooks/openshift-management/add_many_container_providers.yml
index 62fdb11c5..45231a495 100644
--- a/playbooks/openshift-management/add_many_container_providers.yml
+++ b/playbooks/openshift-management/add_many_container_providers.yml
@@ -27,7 +27,7 @@
register: results
# Include openshift_management for access to filter_plugins.
- - include_role:
+ - import_role:
name: openshift_management
tasks_from: noop
diff --git a/playbooks/openshift-management/private/add_container_provider.yml b/playbooks/openshift-management/private/add_container_provider.yml
index facb3a5b9..25d4058e5 100644
--- a/playbooks/openshift-management/private/add_container_provider.yml
+++ b/playbooks/openshift-management/private/add_container_provider.yml
@@ -3,6 +3,6 @@
hosts: oo_first_master
tasks:
- name: Run the Management Integration Tasks
- include_role:
+ import_role:
name: openshift_management
tasks_from: add_container_provider
diff --git a/playbooks/openshift-management/private/config.yml b/playbooks/openshift-management/private/config.yml
index 3f1cdf713..22f3ee8f3 100644
--- a/playbooks/openshift-management/private/config.yml
+++ b/playbooks/openshift-management/private/config.yml
@@ -21,7 +21,7 @@
tasks:
- name: Run the CFME Setup Role
- include_role:
+ import_role:
name: openshift_management
vars:
template_dir: "{{ hostvars[groups.masters.0].r_openshift_management_mktemp.stdout }}"
diff --git a/playbooks/openshift-management/private/uninstall.yml b/playbooks/openshift-management/private/uninstall.yml
index 9f35cc276..6097ea45a 100644
--- a/playbooks/openshift-management/private/uninstall.yml
+++ b/playbooks/openshift-management/private/uninstall.yml
@@ -3,6 +3,6 @@
hosts: masters[0]
tasks:
- name: Run the CFME Uninstall Role Tasks
- include_role:
+ import_role:
name: openshift_management
tasks_from: uninstall
diff --git a/playbooks/openshift-master/private/config.yml b/playbooks/openshift-master/private/config.yml
index e53a6f093..153ea9993 100644
--- a/playbooks/openshift-master/private/config.yml
+++ b/playbooks/openshift-master/private/config.yml
@@ -185,9 +185,6 @@
- role: openshift_builddefaults
- role: openshift_buildoverrides
- role: nickhammond.logrotate
- - role: contiv
- contiv_role: netmaster
- when: openshift_use_contiv | default(False) | bool
- role: openshift_master
openshift_master_hosts: "{{ groups.oo_masters_to_config }}"
r_openshift_master_clean_install: "{{ hostvars[groups.oo_first_master.0].l_clean_install }}"
@@ -206,13 +203,13 @@
- role: calico_master
when: openshift_use_calico | default(false) | bool
tasks:
- - include_role:
+ - import_role:
name: kuryr
tasks_from: master
when: openshift_use_kuryr | default(false) | bool
- name: Setup the node group config maps
- include_role:
+ import_role:
name: openshift_node_group
when: openshift_master_bootstrap_enabled | default(false) | bool
run_once: True
diff --git a/playbooks/openshift-master/private/tasks/restart_services.yml b/playbooks/openshift-master/private/tasks/restart_services.yml
index 4e1b3a3be..cf2c282e3 100644
--- a/playbooks/openshift-master/private/tasks/restart_services.yml
+++ b/playbooks/openshift-master/private/tasks/restart_services.yml
@@ -1,4 +1,4 @@
---
-- include_role:
+- import_role:
name: openshift_master
tasks_from: restart.yml
diff --git a/playbooks/openshift-metrics/private/config.yml b/playbooks/openshift-metrics/private/config.yml
index 80cd93e5f..1e237e3f0 100644
--- a/playbooks/openshift-metrics/private/config.yml
+++ b/playbooks/openshift-metrics/private/config.yml
@@ -16,12 +16,13 @@
roles:
- role: openshift_metrics
+# TODO: Remove when master config property is removed
- name: OpenShift Metrics
hosts: oo_masters:!oo_first_master
serial: 1
tasks:
- name: Setup the non-first masters configs
- include_role:
+ import_role:
name: openshift_metrics
tasks_from: update_master_config.yaml
diff --git a/playbooks/openshift-node/private/additional_config.yml b/playbooks/openshift-node/private/additional_config.yml
index b86cb3cc2..0881121c9 100644
--- a/playbooks/openshift-node/private/additional_config.yml
+++ b/playbooks/openshift-node/private/additional_config.yml
@@ -47,17 +47,23 @@
- role: nuage_node
when: openshift_use_nuage | default(false) | bool
-- name: Additional node config
- hosts: oo_nodes_use_contiv
+- name: Configure Contiv masters
+ hosts: oo_masters_to_config
+ roles:
+ - role: contiv
+ contiv_master: true
+ when: openshift_use_contiv | default(false) | bool
+
+- name: Configure rest of Contiv nodes
+ hosts: "{{ groups.oo_nodes_use_contiv | default([]) | difference(groups.oo_masters_to_config) }}"
roles:
- role: contiv
- contiv_role: netplugin
when: openshift_use_contiv | default(false) | bool
- name: Configure Kuryr node
hosts: oo_nodes_use_kuryr
tasks:
- - include_role:
+ - import_role:
name: kuryr
tasks_from: node
when: openshift_use_kuryr | default(false) | bool
diff --git a/playbooks/openshift-node/private/image_prep.yml b/playbooks/openshift-node/private/image_prep.yml
index c0ddcd926..adcbb0fdb 100644
--- a/playbooks/openshift-node/private/image_prep.yml
+++ b/playbooks/openshift-node/private/image_prep.yml
@@ -15,7 +15,7 @@
- name: node bootstrap config
hosts: oo_nodes_to_config:!oo_containerized_master_nodes
tasks:
- - include_role:
+ - import_role:
name: openshift_node
tasks_from: bootstrap.yml
diff --git a/playbooks/openshift-web-console/config.yml b/playbooks/openshift-web-console/config.yml
new file mode 100644
index 000000000..c7814207c
--- /dev/null
+++ b/playbooks/openshift-web-console/config.yml
@@ -0,0 +1,4 @@
+---
+- import_playbook: ../init/main.yml
+
+- import_playbook: private/config.yml
diff --git a/playbooks/openshift-web-console/private/config.yml b/playbooks/openshift-web-console/private/config.yml
new file mode 100644
index 000000000..ffd702d20
--- /dev/null
+++ b/playbooks/openshift-web-console/private/config.yml
@@ -0,0 +1,31 @@
+---
+- name: Web Console Install Checkpoint Start
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Set Web Console install 'In Progress'
+ run_once: true
+ set_stats:
+ data:
+ installer_phase_web_console:
+ status: "In Progress"
+ start: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
+
+- name: Web Console
+ hosts: oo_first_master
+ roles:
+ - openshift_web_console
+ vars:
+ first_master: "{{ groups.oo_first_master[0] }}"
+
+- name: Web Console Install Checkpoint End
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Set Web Console install 'Complete'
+ run_once: true
+ set_stats:
+ data:
+ installer_phase_web_console:
+ status: "Complete"
+ end: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
diff --git a/playbooks/openshift-web-console/private/roles b/playbooks/openshift-web-console/private/roles
new file mode 120000
index 000000000..e2b799b9d
--- /dev/null
+++ b/playbooks/openshift-web-console/private/roles
@@ -0,0 +1 @@
+../../../roles/ \ No newline at end of file
diff --git a/playbooks/openstack/openshift-cluster/prerequisites.yml b/playbooks/openstack/openshift-cluster/prerequisites.yml
index 0356b37dd..8bb700501 100644
--- a/playbooks/openstack/openshift-cluster/prerequisites.yml
+++ b/playbooks/openstack/openshift-cluster/prerequisites.yml
@@ -2,11 +2,11 @@
- hosts: localhost
tasks:
- name: Check dependencies and OpenStack prerequisites
- include_role:
+ import_role:
name: openshift_openstack
tasks_from: check-prerequisites.yml
- name: Check network configuration
- include_role:
+ import_role:
name: openshift_openstack
tasks_from: net_vars_check.yaml
diff --git a/playbooks/openstack/openshift-cluster/provision.yml b/playbooks/openstack/openshift-cluster/provision.yml
index fa5c91ace..a38d7bff7 100644
--- a/playbooks/openstack/openshift-cluster/provision.yml
+++ b/playbooks/openstack/openshift-cluster/provision.yml
@@ -3,7 +3,7 @@
hosts: localhost
tasks:
- name: provision cluster
- include_role:
+ import_role:
name: openshift_openstack
tasks_from: provision.yml
@@ -36,7 +36,7 @@
hosts: localhost
tasks:
- name: Populate DNS entries
- include_role:
+ import_role:
name: openshift_openstack
tasks_from: populate-dns.yml
when:
@@ -49,7 +49,7 @@
gather_facts: yes
tasks:
- name: Subscribe RHEL instances
- include_role:
+ import_role:
name: rhel_subscribe
when:
- ansible_distribution == "RedHat"
@@ -57,18 +57,18 @@
- rhsub_pass is defined
- name: Enable required YUM repositories
- include_role:
+ import_role:
name: openshift_repos
when:
- ansible_distribution == "RedHat"
- rh_subscribed is defined
- name: Install dependencies
- include_role:
+ import_role:
name: openshift_openstack
tasks_from: node-packages.yml
- name: Configure Node
- include_role:
+ import_role:
name: openshift_openstack
tasks_from: node-configuration.yml
diff --git a/playbooks/openstack/sample-inventory/group_vars/all.yml b/playbooks/openstack/sample-inventory/group_vars/all.yml
index c7afe9a24..d63229120 100644
--- a/playbooks/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/openstack/sample-inventory/group_vars/all.yml
@@ -7,6 +7,7 @@ openshift_openstack_dns_nameservers: []
# # - set custom hostnames for roles by uncommenting corresponding lines
#openshift_openstack_master_hostname: "master"
#openshift_openstack_infra_hostname: "infra-node"
+#openshift_openstack_cns_hostname: "cns"
#openshift_openstack_node_hostname: "app-node"
#openshift_openstack_lb_hostname: "lb"
#openshift_openstack_etcd_hostname: "etcd"
@@ -30,6 +31,7 @@ openshift_openstack_external_network_name: "public"
# # - note: do not remove openshift_openstack_default_image_name definition
#openshift_openstack_master_image_name: "centos7"
#openshift_openstack_infra_image_name: "centos7"
+#openshift_openstack_cns_image_name: "centos7"
#openshift_openstack_node_image_name: "centos7"
#openshift_openstack_lb_image_name: "centos7"
#openshift_openstack_etcd_image_name: "centos7"
@@ -37,6 +39,7 @@ openshift_openstack_default_image_name: "centos7"
openshift_openstack_num_masters: 1
openshift_openstack_num_infra: 1
+openshift_openstack_num_cns: 0
openshift_openstack_num_nodes: 2
# # Used Flavors
@@ -44,6 +47,7 @@ openshift_openstack_num_nodes: 2
# # - note: do note remove openshift_openstack_default_flavor definition
#openshift_openstack_master_flavor: "m1.medium"
#openshift_openstack_infra_flavor: "m1.medium"
+#openshift_openstack_cns_flavor: "m1.medium"
#openshift_openstack_node_flavor: "m1.medium"
#openshift_openstack_lb_flavor: "m1.medium"
#openshift_openstack_etcd_flavor: "m1.medium"
@@ -57,6 +61,7 @@ openshift_openstack_default_flavor: "m1.medium"
# # - note: do not remove docker_default_volume_size definition
#openshift_openstack_docker_master_volume_size: "15"
#openshift_openstack_docker_infra_volume_size: "15"
+#openshift_openstack_docker_cns_volume_size: "15"
#openshift_openstack_docker_node_volume_size: "15"
#openshift_openstack_docker_etcd_volume_size: "2"
#openshift_openstack_docker_lb_volume_size: "5"
diff --git a/playbooks/openstack/sample-inventory/inventory.py b/playbooks/openstack/sample-inventory/inventory.py
index ad3fd936b..084b5c0a0 100755
--- a/playbooks/openstack/sample-inventory/inventory.py
+++ b/playbooks/openstack/sample-inventory/inventory.py
@@ -42,7 +42,10 @@ def build_inventory():
if server.metadata['host-type'] == 'node' and
server.metadata['sub-host-type'] == 'app']
- nodes = list(set(masters + infra_hosts + app))
+ cns = [server.name for server in cluster_hosts
+ if server.metadata['host-type'] == 'cns']
+
+ nodes = list(set(masters + infra_hosts + app + cns))
dns = [server.name for server in cluster_hosts
if server.metadata['host-type'] == 'dns']
@@ -59,6 +62,7 @@ def build_inventory():
inventory['nodes'] = {'hosts': nodes}
inventory['infra_hosts'] = {'hosts': infra_hosts}
inventory['app'] = {'hosts': app}
+ inventory['glusterfs'] = {'hosts': cns}
inventory['dns'] = {'hosts': dns}
inventory['lb'] = {'hosts': load_balancers}
@@ -93,6 +97,9 @@ def build_inventory():
hostvars['openshift_hostname'] = server.private_v4
hostvars['openshift_public_hostname'] = server.name
+ if server.metadata['host-type'] == 'cns':
+ hostvars['glusterfs_devices'] = ['/dev/nvme0n1']
+
node_labels = server.metadata.get('node_labels')
if node_labels:
hostvars['openshift_node_labels'] = node_labels
diff --git a/roles/ansible_service_broker/vars/default_images.yml b/roles/ansible_service_broker/vars/default_images.yml
index 248e0363d..0ed1d9674 100644
--- a/roles/ansible_service_broker/vars/default_images.yml
+++ b/roles/ansible_service_broker/vars/default_images.yml
@@ -1,6 +1,6 @@
---
-__ansible_service_broker_image_prefix: ansibleplaybookbundle/
+__ansible_service_broker_image_prefix: ansibleplaybookbundle/origin-
__ansible_service_broker_image_tag: latest
__ansible_service_broker_etcd_image_prefix: quay.io/coreos/
diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml
index bbc6edd48..556953a71 100644
--- a/roles/calico/tasks/main.yml
+++ b/roles/calico/tasks/main.yml
@@ -7,7 +7,7 @@
- not (calico_etcd_cert_dir is defined and calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined)
- name: Calico Node | Generate OpenShift-etcd certs
- include_role:
+ import_role:
name: etcd
tasks_from: client_certificates
when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined
diff --git a/roles/container_runtime/README.md b/roles/container_runtime/README.md
index 51f469aaf..665b1b012 100644
--- a/roles/container_runtime/README.md
+++ b/roles/container_runtime/README.md
@@ -5,7 +5,7 @@ Ensures docker package or system container is installed, and optionally raises t
container-daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
-This role is designed to be used with include_role and tasks_from.
+This role is designed to be used with import_role and tasks_from.
Entry points
------------
@@ -30,7 +30,7 @@ Example Playbook
- hosts: servers
tasks:
- - include_role: container_runtime
+ - import_role: container_runtime
tasks_from: package_docker.yml
License
diff --git a/roles/container_runtime/defaults/main.yml b/roles/container_runtime/defaults/main.yml
index f4e249792..d0e37e2f4 100644
--- a/roles/container_runtime/defaults/main.yml
+++ b/roles/container_runtime/defaults/main.yml
@@ -11,7 +11,7 @@ oreg_auth_credentials_replace: False
openshift_docker_use_system_container: False
openshift_docker_disable_push_dockerhub: False # bool
openshift_docker_selinux_enabled: True
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
openshift_docker_hosted_registry_insecure: False # bool
diff --git a/roles/container_runtime/tasks/common/post.yml b/roles/container_runtime/tasks/common/post.yml
index d790eb2c0..b90190ebf 100644
--- a/roles/container_runtime/tasks/common/post.yml
+++ b/roles/container_runtime/tasks/common/post.yml
@@ -11,7 +11,7 @@
- meta: flush_handlers
# This needs to run after docker is restarted to account for proxy settings.
-# registry_auth is called directly with include_role in some places, so we
+# registry_auth is called directly with import_role in some places, so we
# have to put it in the root of the tasks/ directory.
- include_tasks: ../registry_auth.yml
diff --git a/roles/container_runtime/tasks/main.yml b/roles/container_runtime/tasks/main.yml
index 96d8606c6..07da831c4 100644
--- a/roles/container_runtime/tasks/main.yml
+++ b/roles/container_runtime/tasks/main.yml
@@ -1,2 +1,2 @@
---
-# This role is meant to be used with include_role and tasks_from.
+# This role is meant to be used with import_role and tasks_from.
diff --git a/roles/container_runtime/tasks/systemcontainer_crio.yml b/roles/container_runtime/tasks/systemcontainer_crio.yml
index 6a195a938..eedb18604 100644
--- a/roles/container_runtime/tasks/systemcontainer_crio.yml
+++ b/roles/container_runtime/tasks/systemcontainer_crio.yml
@@ -81,6 +81,17 @@
dest: /etc/cni/net.d/openshift-sdn.conf
src: 80-openshift-sdn.conf.j2
+- name: Create /etc/sysconfig/crio-storage
+ copy:
+ content: ""
+ dest: /etc/sysconfig/crio-storage
+ force: no
+
+- name: Create /etc/sysconfig/crio-network
+ template:
+ dest: /etc/sysconfig/crio-network
+ src: crio-network.j2
+
- name: Start the CRI-O service
systemd:
name: "cri-o"
diff --git a/roles/container_runtime/templates/crio-network.j2 b/roles/container_runtime/templates/crio-network.j2
new file mode 100644
index 000000000..763be97d7
--- /dev/null
+++ b/roles/container_runtime/templates/crio-network.j2
@@ -0,0 +1,9 @@
+{% if 'http_proxy' in openshift.common %}
+HTTP_PROXY={{ openshift.common.http_proxy }}
+{% endif %}
+{% if 'https_proxy' in openshift.common %}
+HTTPS_PROXY={{ openshift.common.https_proxy }}
+{% endif %}
+{% if 'no_proxy' in openshift.common %}
+NO_PROXY={{ openshift.common.no_proxy }}
+{% endif %}
diff --git a/roles/contiv/README.md b/roles/contiv/README.md
index fa36039d9..ce414f9fb 100644
--- a/roles/contiv/README.md
+++ b/roles/contiv/README.md
@@ -19,8 +19,8 @@ Install Contiv components (netmaster, netplugin, contiv_etcd) on Master and Mini
* ``openshift_use_contiv=True``
* ``openshift_use_openshift_sdn=False``
* ``os_sdn_network_plugin_name='cni'``
-* ``netmaster_interface=eth0``
-* ``netplugin_interface=eth1``
+* ``contiv_netmaster_interface=eth0``
+* ``contiv_netplugin_interface=eth1``
* ref. Openshift docs Contiv section for more details
## Example bare metal deployment of Openshift + Contiv
diff --git a/roles/contiv/defaults/main.yml b/roles/contiv/defaults/main.yml
index 8d06a5e96..4869abc61 100644
--- a/roles/contiv/defaults/main.yml
+++ b/roles/contiv/defaults/main.yml
@@ -1,51 +1,63 @@
---
# The version of Contiv binaries to use
-contiv_version: 1.1.1
+contiv_version: 1.2.0
# The version of cni binaries
-cni_version: v0.4.0
+contiv_cni_version: v0.4.0
+
+# If the node we are deploying to is to be a contiv master.
+contiv_master: false
contiv_default_subnet: "10.128.0.0/16"
contiv_default_gw: "10.128.254.254"
-# TCP port that Netmaster listens for network connections
-netmaster_port: 9999
-# Default for contiv_role
-contiv_role: netmaster
+# Ports netmaster listens on
+contiv_netmaster_port: 9999
+contiv_netmaster_port_proto: tcp
+contiv_ofnet_master_port: 9001
+contiv_ofnet_master_port_proto: tcp
+# Ports netplugin listens on
+contiv_netplugin_port: 6640
+contiv_netplugin_port_proto: tcp
+contiv_ofnet_vxlan_port: 9002
+contiv_ofnet_vxlan_port_proto: tcp
+contiv_ovs_port: 9003
+contiv_ovs_port_proto: tcp
-# TCP port that Netplugin listens for network connections
-netplugin_port: 6640
-contiv_rpc_port1: 9001
-contiv_rpc_port2: 9002
-contiv_rpc_port3: 9003
+contiv_vxlan_port: 4789
+contiv_vxlan_port_proto: udp
# Interface used by Netplugin for inter-host traffic when encap_mode is vlan.
# The interface must support 802.1Q trunking.
-netplugin_interface: "eno16780032"
+contiv_netplugin_interface: "eno16780032"
# IP address of the interface used for control communication within the cluster
# It needs to be reachable from all nodes in the cluster.
-netplugin_ctrl_ip: "{{ hostvars[inventory_hostname]['ansible_' + netplugin_interface].ipv4.address }}"
+contiv_netplugin_ctrl_ip: "{{ hostvars[inventory_hostname]['ansible_' + contiv_netplugin_interface].ipv4.address }}"
# IP used to terminate vxlan tunnels
-netplugin_vtep_ip: "{{ hostvars[inventory_hostname]['ansible_' + netplugin_interface].ipv4.address }}"
+contiv_netplugin_vtep_ip: "{{ hostvars[inventory_hostname]['ansible_' + contiv_netplugin_interface].ipv4.address }}"
# Interface used to bind Netmaster service
-netmaster_interface: "{{ netplugin_interface }}"
+contiv_netmaster_interface: "{{ contiv_netplugin_interface }}"
+
+# IP address of the interface used for control communication within the cluster
+# It needs to be reachable from all nodes in the cluster.
+contiv_netmaster_ctrl_ip: "{{ hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address }}"
# Path to the contiv binaries
-bin_dir: /usr/bin
+contiv_bin_dir: /usr/bin
# Path to the contivk8s cni binary
-cni_bin_dir: /opt/cni/bin
+contiv_cni_bin_dir: /opt/cni/bin
# Path to cni archive download directory
-cni_download_dir: /tmp
+contiv_cni_download_dir: /tmp
# URL for cni binaries
-cni_bin_url_base: "https://github.com/containernetworking/cni/releases/download/"
-cni_bin_url: "{{ cni_bin_url_base }}/{{ cni_version }}/cni-{{ cni_version }}.tbz2"
+contiv_cni_bin_url_base: "https://github.com/containernetworking/cni/releases/download/"
+contiv_cni_bin_url: "{{ contiv_cni_bin_url_base }}/{{ contiv_cni_version }}/cni-{{ contiv_cni_version }}.tbz2"
# Contiv config directory
@@ -60,11 +72,11 @@ contiv_download_url_base: "https://github.com/contiv/netplugin/releases/download
contiv_download_url: "{{ contiv_download_url_base }}/{{ contiv_version }}/netplugin-{{ contiv_version }}.tar.bz2"
# This is where kubelet looks for plugin files
-kube_plugin_dir: /usr/libexec/kubernetes/kubelet-plugins/net/exec
+contiv_kube_plugin_dir: /usr/libexec/kubernetes/kubelet-plugins/net/exec
# Specifies routed mode vs bridged mode for networking (bridge | routing)
# if you are using an external router for all routing, you should select bridge here
-netplugin_fwd_mode: bridge
+contiv_netplugin_fwd_mode: routing
# Contiv fabric mode aci|default
contiv_fabric_mode: default
@@ -73,10 +85,10 @@ contiv_fabric_mode: default
contiv_vlan_range: "2900-3000"
# Encapsulation type vlan|vxlan to use for instantiating container networks
-contiv_encap_mode: vlan
+contiv_encap_mode: vxlan
# Backend used by Netplugin for instantiating container networks
-netplugin_driver: ovs
+contiv_netplugin_driver: ovs
# Create a default Contiv network for use by pods
contiv_default_network: true
@@ -85,38 +97,80 @@ contiv_default_network: true
contiv_default_network_tag: ""
#SRFIXME (use the openshift variables)
-https_proxy: ""
-http_proxy: ""
-no_proxy: ""
+contiv_https_proxy: ""
+contiv_http_proxy: ""
+contiv_no_proxy: ""
# The following are aci specific parameters when contiv_fabric_mode: aci is set.
# Otherwise, you can ignore these.
-apic_url: ""
-apic_username: ""
-apic_password: ""
-apic_leaf_nodes: ""
-apic_phys_dom: ""
-apic_contracts_unrestricted_mode: no
-apic_epg_bridge_domain: not_specified
+contiv_apic_url: ""
+contiv_apic_username: ""
+contiv_apic_password: ""
+contiv_apic_leaf_nodes: ""
+contiv_apic_phys_dom: ""
+contiv_apic_contracts_unrestricted_mode: no
+contiv_apic_epg_bridge_domain: not_specified
apic_configure_default_policy: false
-apic_default_external_contract: "uni/tn-common/brc-default"
-apic_default_app_profile: "contiv-infra-app-profile"
-kube_cert_dir: "/data/src/github.com/openshift/origin/openshift.local.config/master"
-master_name: "{{ groups['masters'][0] }}"
-contiv_etcd_port: 22379
-etcd_url: "{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ contiv_etcd_port }}"
-kube_ca_cert: "{{ kube_cert_dir }}/ca.crt"
-kube_key: "{{ kube_cert_dir }}/admin.key"
-kube_cert: "{{ kube_cert_dir }}/admin.crt"
-kube_master_api_port: 8443
+contiv_apic_default_external_contract: "uni/tn-common/brc-default"
+contiv_apic_default_app_profile: "contiv-infra-app-profile"
+contiv_kube_cert_dir: "/data/src/github.com/openshift/origin/openshift.local.config/master"
+contiv_kube_ca_cert: "{{ contiv_kube_cert_dir }}/ca.crt"
+contiv_kube_key: "{{ contiv_kube_cert_dir }}/admin.key"
+contiv_kube_cert: "{{ contiv_kube_cert_dir }}/admin.crt"
+contiv_kube_master_api_port: 8443
+contiv_kube_master_api_port_proto: tcp
# contivh1 default subnet and gateway
-#contiv_h1_subnet_default: "132.1.1.0/24"
-#contiv_h1_gw_default: "132.1.1.1"
contiv_h1_subnet_default: "10.129.0.0/16"
contiv_h1_gw_default: "10.129.0.1"
# contiv default private subnet for ext access
contiv_private_ext_subnet: "10.130.0.0/16"
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+contiv_openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
+
+contiv_api_proxy_port: 10000
+contiv_api_proxy_port_proto: tcp
+contiv_api_proxy_image_repo: contiv/auth_proxy
+contiv_api_proxy_ip: "{{ hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address }}"
+
+contiv_etcd_system_user: contivetcd
+contiv_etcd_system_uid: 823
+contiv_etcd_system_group: contivetcd
+contiv_etcd_system_gid: 823
+contiv_etcd_port: 22379
+contiv_etcd_port_proto: tcp
+contiv_etcd_peer_port: 22380
+contiv_etcd_peer_port_proto: tcp
+contiv_etcd_url: "http://127.0.0.1:{{ contiv_etcd_port }}"
+contiv_etcd_init_image_repo: ferest/etcd-initer
+contiv_etcd_init_image_tag: latest
+contiv_etcd_image_repo: quay.io/coreos/etcd
+contiv_etcd_image_tag: v3.2.4
+contiv_etcd_conf_dir: /etc/contiv-etcd
+contiv_etcd_data_dir: /var/lib/contiv-etcd
+contiv_etcd_peers: |-
+ {% for host in groups.oo_masters_to_config -%}
+ {{ host }}=http://{{ hostvars[host]['ip'] | default(hostvars[host].ansible_default_ipv4['address']) }}:{{ contiv_etcd_peer_port }}{% if not loop.last %},{% endif %}
+ {%- endfor %}
+
+# List of port/protocol pairs to allow inbound access to on every host
+# netplugin runs on, from all host IPs in the cluster.
+contiv_netplugin_internal: [ "{{ contiv_ofnet_vxlan_port }}/{{ contiv_ofnet_vxlan_port_proto }}",
+ "{{ contiv_ovs_port }}/{{ contiv_ovs_port_proto }}",
+ "{{ contiv_vxlan_port }}/{{ contiv_vxlan_port_proto }}" ]
+# Allow all forwarded traffic in and out of these interfaces.
+contiv_netplugin_forward_interfaces: [ contivh0, contivh1 ]
+
+# List of port/protocol pairs to allow inbound access to on every host
+# netmaster runs on, from all host IPs in the cluster. Note that every host
+# that runs netmaster also runs netplugin, so the above netplugin rules will
+# apply as well.
+contiv_netmaster_internal: [ "{{ contiv_ofnet_master_port }}/{{ contiv_ofnet_master_port_proto }}",
+ "{{ contiv_netmaster_port }}/{{ contiv_netmaster_port_proto }}",
+ "{{ contiv_etcd_port }}/{{ contiv_etcd_port_proto }}",
+ "{{ contiv_etcd_peer_port }}/{{ contiv_etcd_peer_port_proto }}",
+ "{{ contiv_kube_master_api_port }}/{{ contiv_kube_master_api_port_proto }}" ]
+# List of port/protocol pairs to allow inbound access to on every host
+# netmaster runs on, from any host anywhere.
+contiv_netmaster_external: [ "{{ contiv_api_proxy_port }}/{{ contiv_api_proxy_port_proto }}" ]
diff --git a/roles/contiv/meta/main.yml b/roles/contiv/meta/main.yml
index 67fb23db8..e8607cc90 100644
--- a/roles/contiv/meta/main.yml
+++ b/roles/contiv/meta/main.yml
@@ -15,17 +15,3 @@ galaxy_info:
dependencies:
- role: lib_utils
- role: contiv_facts
-- role: etcd
- etcd_service: contiv-etcd
- etcd_is_thirdparty: True
- etcd_peer_port: 22380
- etcd_client_port: 22379
- etcd_conf_dir: /etc/contiv-etcd/
- etcd_data_dir: /var/lib/contiv-etcd/
- etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
- etcd_cert_config_dir: /etc/contiv-etcd/
- etcd_url_scheme: http
- etcd_peer_url_scheme: http
- when: contiv_role == "netmaster"
-- role: contiv_auth_proxy
- when: contiv_role == "netmaster"
diff --git a/roles/contiv/tasks/aci.yml b/roles/contiv/tasks/aci.yml
index 30d2eb339..8a56b3590 100644
--- a/roles/contiv/tasks/aci.yml
+++ b/roles/contiv/tasks/aci.yml
@@ -11,7 +11,7 @@
- name: ACI | Copy shell script used by aci-gw service
template:
src: aci_gw.j2
- dest: "{{ bin_dir }}/aci_gw.sh"
+ dest: "{{ contiv_bin_dir }}/aci_gw.sh"
mode: u=rwx,g=rx,o=rx
- name: ACI | Copy systemd units for aci-gw
diff --git a/roles/contiv/tasks/api_proxy.yml b/roles/contiv/tasks/api_proxy.yml
new file mode 100644
index 000000000..8b524dd6e
--- /dev/null
+++ b/roles/contiv/tasks/api_proxy.yml
@@ -0,0 +1,120 @@
+---
+- name: API proxy | Create contiv-api-proxy openshift user
+ oc_serviceaccount:
+ state: present
+ name: contiv-api-proxy
+ namespace: kube-system
+ run_once: true
+
+- name: API proxy | Set contiv-api-proxy openshift user permissions
+ oc_adm_policy_user:
+ user: system:serviceaccount:kube-system:contiv-api-proxy
+ resource_kind: scc
+ resource_name: hostnetwork
+ state: present
+ run_once: true
+
+- name: API proxy | Create temp directory for doing work
+ command: mktemp -d /tmp/openshift-contiv-XXXXXX
+ register: mktemp
+ changed_when: False
+ # For things that pass temp files between steps, we want to make sure they
+ # run on the same node.
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Check for existing api proxy secret volume
+ oc_obj:
+ namespace: kube-system
+ kind: secret
+ state: list
+ selector: "name=contiv-api-proxy-secret"
+ register: existing_secret_volume
+ run_once: true
+
+- name: API proxy | Generate a self signed certificate for api proxy
+ command: openssl req -new -nodes -x509 -subj "/C=US/ST=/L=/O=/CN=localhost" -days 3650 -keyout "{{ mktemp.stdout }}/key.pem" -out "{{ mktemp.stdout }}/cert.pem" -extensions v3_ca
+ when: (contiv_api_proxy_cert is not defined or contiv_api_proxy_key is not defined)
+ and not existing_secret_volume.results.results[0]['items']
+ register: created_self_signed_cert
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Read self signed certificate file
+ command: cat "{{ mktemp.stdout }}/cert.pem"
+ register: generated_cert
+ when: created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Read self signed key file
+ command: cat "{{ mktemp.stdout }}/key.pem"
+ register: generated_key
+ when: created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create api-proxy-secrets.yml from template using generated cert
+ template:
+ src: api-proxy-secrets.yml.j2
+ dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml"
+ vars:
+ key: "{{ generated_key.stdout }}"
+ cert: "{{ generated_cert.stdout }}"
+ when: created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create api-proxy-secrets.yml from template using user defined cert
+ template:
+ src: api-proxy-secrets.yml.j2
+ dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml"
+ vars:
+ key: "{{ lookup('file', contiv_api_proxy_key) }}"
+ cert: "{{ lookup('file', contiv_api_proxy_cert) }}"
+ when: contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create secret certificate volume
+ oc_obj:
+ state: present
+ namespace: "kube-system"
+ kind: secret
+ name: contiv-api-proxy-secret
+ files:
+ - "{{ mktemp.stdout }}/api-proxy-secrets.yml"
+ when: (contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined)
+ or created_self_signed_cert.changed
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Create api-proxy-daemonset.yml from template
+ template:
+ src: api-proxy-daemonset.yml.j2
+ dest: "{{ mktemp.stdout }}/api-proxy-daemonset.yml"
+ vars:
+ etcd_host: "etcd://{{ groups.oo_etcd_to_config.0 }}:{{ contiv_etcd_port }}"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+# Always "import" this file, k8s won't do anything if it matches exactly what
+# is already in the cluster.
+- name: API proxy | Add API proxy daemonset
+ oc_obj:
+ state: present
+ namespace: "kube-system"
+ kind: daemonset
+ name: contiv-api-proxy
+ files:
+ - "{{ mktemp.stdout }}/api-proxy-daemonset.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: API proxy | Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
diff --git a/roles/contiv/tasks/default_network.yml b/roles/contiv/tasks/default_network.yml
index 8a928ea54..e9763d34a 100644
--- a/roles/contiv/tasks/default_network.yml
+++ b/roles/contiv/tasks/default_network.yml
@@ -1,71 +1,71 @@
---
-- name: Contiv | Wait for netmaster
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" tenant ls'
+- name: Default network | Wait for netmaster
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" tenant ls'
register: tenant_result
until: tenant_result.stdout.find("default") != -1
retries: 9
delay: 10
-- name: Contiv | Set globals
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --fabric-mode {{ contiv_fabric_mode }} --vlan-range {{ contiv_vlan_range }} --fwd-mode {{ netplugin_fwd_mode }} --private-subnet {{ contiv_private_ext_subnet }}'
+- name: Default network | Set globals
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" global set --fabric-mode {{ contiv_fabric_mode }} --vlan-range {{ contiv_vlan_range }} --fwd-mode {{ contiv_netplugin_fwd_mode }} --private-subnet {{ contiv_private_ext_subnet }}'
run_once: true
-- name: Contiv | Set arp mode to flood if ACI
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --arp-mode flood'
+- name: Default network | Set arp mode to flood if ACI
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" global set --arp-mode flood'
when: contiv_fabric_mode == "aci"
run_once: true
-- name: Contiv | Check if default-net exists
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net ls'
+- name: Default network | Check if default-net exists
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" net ls'
register: net_result
run_once: true
-- name: Contiv | Create default-net
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway {{ contiv_default_gw }} default-net'
+- name: Default network | Create default-net
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway {{ contiv_default_gw }} default-net'
when: net_result.stdout.find("default-net") == -1
run_once: true
-- name: Contiv | Create host access infra network for VxLan routing case
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_h1_subnet_default }} --gateway={{ contiv_h1_gw_default }} --nw-type="infra" contivh1'
- when: (contiv_encap_mode == "vxlan") and (netplugin_fwd_mode == "routing")
+- name: Default network | Create host access infra network for VxLan routing case
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" net create --subnet={{ contiv_h1_subnet_default }} --gateway={{ contiv_h1_gw_default }} --nw-type="infra" contivh1'
+ when: (contiv_encap_mode == "vxlan") and (contiv_netplugin_fwd_mode == "routing")
run_once: true
-#- name: Contiv | Create an allow-all policy for the default-group
-# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy create ose-allow-all-policy'
+#- name: Default network | Create an allow-all policy for the default-group
+# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" policy create ose-allow-all-policy'
# when: contiv_fabric_mode == "aci"
# run_once: true
-- name: Contiv | Set up aci external contract to consume default external contract
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -c -a {{ apic_default_external_contract }} oseExtToConsume'
+- name: Default network | Set up aci external contract to consume default external contract
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" external-contracts create -c -a {{ contiv_apic_default_external_contract }} oseExtToConsume'
when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true)
run_once: true
-- name: Contiv | Set up aci external contract to provide default external contract
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -p -a {{ apic_default_external_contract }} oseExtToProvide'
+- name: Default network | Set up aci external contract to provide default external contract
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" external-contracts create -p -a {{ contiv_apic_default_external_contract }} oseExtToProvide'
when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true)
run_once: true
-- name: Contiv | Create aci default-group
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create default-net default-group'
+- name: Default network | Create aci default-group
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" group create default-net default-group'
when: contiv_fabric_mode == "aci"
run_once: true
-- name: Contiv | Add external contracts to the default-group
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create -e oseExtToConsume -e oseExtToProvide default-net default-group'
+- name: Default network | Add external contracts to the default-group
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" group create -e oseExtToConsume -e oseExtToProvide default-net default-group'
when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true)
run_once: true
-#- name: Contiv | Add policy rule 1 for allow-all policy
-# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d in --action allow ose-allow-all-policy 1'
+#- name: Default network | Add policy rule 1 for allow-all policy
+# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" policy rule-add -d in --action allow ose-allow-all-policy 1'
# when: contiv_fabric_mode == "aci"
# run_once: true
-#- name: Contiv | Add policy rule 2 for allow-all policy
-# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d out --action allow ose-allow-all-policy 2'
+#- name: Default network | Add policy rule 2 for allow-all policy
+# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" policy rule-add -d out --action allow ose-allow-all-policy 2'
# when: contiv_fabric_mode == "aci"
# run_once: true
-- name: Contiv | Create default aci app profile
- command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" app-profile create -g default-group {{ apic_default_app_profile }}'
+- name: Default network | Create default aci app profile
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" app-profile create -g default-group {{ contiv_apic_default_app_profile }}'
when: contiv_fabric_mode == "aci"
run_once: true
diff --git a/roles/contiv/tasks/download_bins.yml b/roles/contiv/tasks/download_bins.yml
index 831fd360a..47d74da9c 100644
--- a/roles/contiv/tasks/download_bins.yml
+++ b/roles/contiv/tasks/download_bins.yml
@@ -4,7 +4,7 @@
path: "{{ contiv_current_release_directory }}"
state: directory
-- name: Install bzip2
+- name: Download Bins | Install bzip2
yum:
name: bzip2
state: installed
@@ -18,9 +18,9 @@
mode: 0755
validate_certs: False
environment:
- http_proxy: "{{ http_proxy|default('') }}"
- https_proxy: "{{ https_proxy|default('') }}"
- no_proxy: "{{ no_proxy|default('') }}"
+ http_proxy: "{{ contiv_http_proxy|default('') }}"
+ https_proxy: "{{ contiv_https_proxy|default('') }}"
+ no_proxy: "{{ contiv_no_proxy|default('') }}"
- name: Download Bins | Extract Contiv tar file
unarchive:
@@ -30,19 +30,19 @@
- name: Download Bins | Download cni tar file
get_url:
- url: "{{ cni_bin_url }}"
- dest: "{{ cni_download_dir }}"
+ url: "{{ contiv_cni_bin_url }}"
+ dest: "{{ contiv_cni_download_dir }}"
mode: 0755
validate_certs: False
environment:
- http_proxy: "{{ http_proxy|default('') }}"
- https_proxy: "{{ https_proxy|default('') }}"
- no_proxy: "{{ no_proxy|default('') }}"
+ http_proxy: "{{ contiv_http_proxy|default('') }}"
+ https_proxy: "{{ contiv_https_proxy|default('') }}"
+ no_proxy: "{{ contiv_no_proxy|default('') }}"
register: download_file
- name: Download Bins | Extract cni tar file
unarchive:
src: "{{ download_file.dest }}"
- dest: "{{ cni_download_dir }}"
+ dest: "{{ contiv_cni_download_dir }}"
copy: no
when: download_file.changed
diff --git a/roles/contiv/tasks/etcd.yml b/roles/contiv/tasks/etcd.yml
new file mode 100644
index 000000000..b08ead982
--- /dev/null
+++ b/roles/contiv/tasks/etcd.yml
@@ -0,0 +1,114 @@
+---
+# To run contiv-etcd in a container as non-root, we need to match the uid/gid
+# with the filesystem permissions on the host.
+- name: Contiv etcd | Create local unix group
+ group:
+ name: "{{ contiv_etcd_system_group }}"
+ gid: "{{ contiv_etcd_system_gid }}"
+ system: yes
+
+- name: Contiv etcd | Create local unix user
+ user:
+ name: "{{ contiv_etcd_system_user }}"
+ createhome: no
+ uid: "{{ contiv_etcd_system_uid }}"
+ group: "{{ contiv_etcd_system_group }}"
+ home: "{{ contiv_etcd_data_dir }}"
+ shell: /bin/false
+ system: yes
+
+- name: Contiv etcd | Create directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: g-rwx,o-rwx
+ owner: "{{ contiv_etcd_system_user }}"
+ group: "{{ contiv_etcd_system_group }}"
+ setype: svirt_sandbox_file_t
+ seuser: system_u
+ serole: object_r
+ selevel: s0
+ recurse: yes
+ with_items:
+ - "{{ contiv_etcd_data_dir }}"
+ - "{{ contiv_etcd_conf_dir }}"
+
+- name: Contiv etcd | Create contiv-etcd openshift user
+ oc_serviceaccount:
+ state: present
+ name: contiv-etcd
+ namespace: kube-system
+ run_once: true
+
+- name: Contiv etcd | Create temp directory for doing work
+ command: mktemp -d /tmp/openshift-contiv-XXXXXX
+ register: mktemp
+ changed_when: False
+ # For things that pass temp files between steps, we want to make sure they
+ # run on the same node.
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: Contiv etcd | Create etcd-scc.yml from template
+ template:
+ src: etcd-scc.yml.j2
+ dest: "{{ mktemp.stdout }}/etcd-scc.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: Contiv etcd | Create etcd.yml from template
+ template:
+ src: etcd-daemonset.yml.j2
+ dest: "{{ mktemp.stdout }}/etcd-daemonset.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: Contiv etcd | Create etcd-proxy.yml from template
+ template:
+ src: etcd-proxy-daemonset.yml.j2
+ dest: "{{ mktemp.stdout }}/etcd-proxy-daemonset.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: Contiv etcd | Add etcd scc
+ oc_obj:
+ state: present
+ namespace: "kube-system"
+ kind: SecurityContextConstraints
+ name: contiv-etcd
+ files:
+ - "{{ mktemp.stdout }}/etcd-scc.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+# Always "import" this file, k8s won't do anything if it matches exactly what
+# is already in the cluster.
+- name: Contiv etcd | Add etcd daemonset
+ oc_obj:
+ state: present
+ namespace: "kube-system"
+ kind: daemonset
+ name: contiv-etcd
+ files:
+ - "{{ mktemp.stdout }}/etcd-daemonset.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: Contiv etcd | Add etcd-proxy daemonset
+ oc_obj:
+ state: present
+ namespace: "kube-system"
+ kind: daemonset
+ name: contiv-etcd-proxy
+ files:
+ - "{{ mktemp.stdout }}/etcd-proxy-daemonset.yml"
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
+
+- name: Contiv etcd | Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
+ delegate_to: "{{ groups.oo_masters_to_config.0 }}"
+ run_once: true
diff --git a/roles/contiv/tasks/main.yml b/roles/contiv/tasks/main.yml
index cb9196a71..4d530ae90 100644
--- a/roles/contiv/tasks/main.yml
+++ b/roles/contiv/tasks/main.yml
@@ -1,14 +1,15 @@
---
-- name: Ensure bin_dir exists
+- include_tasks: old_version_cleanup.yml
+
+- name: Ensure contiv_bin_dir exists
file:
- path: "{{ bin_dir }}"
+ path: "{{ contiv_bin_dir }}"
recurse: yes
state: directory
- include_tasks: download_bins.yml
- include_tasks: netmaster.yml
- when: contiv_role == "netmaster"
+ when: contiv_master
- include_tasks: netplugin.yml
- when: contiv_role == "netplugin"
diff --git a/roles/contiv/tasks/netmaster.yml b/roles/contiv/tasks/netmaster.yml
index 6f15af8c2..bb22fb801 100644
--- a/roles/contiv/tasks/netmaster.yml
+++ b/roles/contiv/tasks/netmaster.yml
@@ -1,34 +1,16 @@
---
- include_tasks: netmaster_firewalld.yml
- when: has_firewalld
+ when: contiv_has_firewalld
- include_tasks: netmaster_iptables.yml
- when: not has_firewalld and has_iptables
+ when: not contiv_has_firewalld and contiv_has_iptables
-- name: Netmaster | Check is /etc/hosts file exists
- stat:
- path: /etc/hosts
- register: hosts
-
-- name: Netmaster | Create hosts file if it is not present
- file:
- path: /etc/hosts
- state: touch
- when: not hosts.stat.exists
-
-- name: Netmaster | Build hosts file
- lineinfile:
- dest: /etc/hosts
- regexp: .*netmaster$
- line: "{{ hostvars[item]['ansible_' + netmaster_interface].ipv4.address }} netmaster"
- state: present
- when: hostvars[item]['ansible_' + netmaster_interface].ipv4.address is defined
- with_items: "{{ groups['masters'] }}"
+- include_tasks: etcd.yml
- name: Netmaster | Create netmaster symlinks
file:
src: "{{ contiv_current_release_directory }}/{{ item }}"
- dest: "{{ bin_dir }}/{{ item }}"
+ dest: "{{ contiv_bin_dir }}/{{ item }}"
state: link
with_items:
- netmaster
@@ -36,7 +18,7 @@
- name: Netmaster | Copy environment file for netmaster
template:
- src: netmaster.env.j2
+ src: netmaster.j2
dest: /etc/default/netmaster
mode: 0644
notify: restart netmaster
@@ -75,3 +57,5 @@
- include_tasks: default_network.yml
when: contiv_default_network == true
+
+- include_tasks: api_proxy.yml
diff --git a/roles/contiv/tasks/netmaster_firewalld.yml b/roles/contiv/tasks/netmaster_firewalld.yml
index 2975351ac..0d52f821d 100644
--- a/roles/contiv/tasks/netmaster_firewalld.yml
+++ b/roles/contiv/tasks/netmaster_firewalld.yml
@@ -1,16 +1,17 @@
---
-- name: Netmaster Firewalld | Open Netmaster port
+- name: Netmaster Firewalld | Add internal rules
firewalld:
- port: "{{ netmaster_port }}/tcp"
- permanent: false
- state: enabled
- # in case this is also a node where firewalld turned off
- ignore_errors: yes
+ immediate: true
+ permanent: true
+ port: "{{ item[0] }}"
+ source: "{{ item[1] }}"
+ with_nested:
+ - "{{ contiv_netmaster_internal }}"
+ - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}"
-- name: Netmaster Firewalld | Save Netmaster port
+- name: Netmaster Firewalld | Add external rules
firewalld:
- port: "{{ netmaster_port }}/tcp"
+ immediate: true
permanent: true
- state: enabled
- # in case this is also a node where firewalld turned off
- ignore_errors: yes
+ port: "{{ item }}"
+ with_items: "{{ contiv_netmaster_external }}"
diff --git a/roles/contiv/tasks/netmaster_iptables.yml b/roles/contiv/tasks/netmaster_iptables.yml
index c98e7b6a5..3b68ea0c3 100644
--- a/roles/contiv/tasks/netmaster_iptables.yml
+++ b/roles/contiv/tasks/netmaster_iptables.yml
@@ -1,27 +1,32 @@
---
-- name: Netmaster IPtables | Get iptables rules
- command: iptables -L --wait
- register: iptablesrules
- check_mode: no
-
-- name: Netmaster IPtables | Enable iptables at boot
- service:
- name: iptables
- enabled: yes
- state: started
-
-- name: Netmaster IPtables | Open Netmaster with iptables
- command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv"
- with_items:
- - "{{ contiv_rpc_port1 }}"
- - "{{ contiv_rpc_port2 }}"
- - "{{ contiv_rpc_port3 }}"
- when: iptablesrules.stdout.find("contiv") == -1
+- name: Netmaster IPtables | Add internal rules
+ iptables:
+ action: insert
+ chain: INPUT
+ # Parsed from the contiv_netmaster_internal list, this will be tcp or udp.
+ protocol: "{{ item[0].split('/')[1] }}"
+ match: "{{ item[0].split('/')[1] }}"
+ # Parsed from the contiv_netmaster_internal list, this will be a port number.
+ destination_port: "{{ item[0].split('/')[0] }}"
+ # This is an IP address from a node in the cluster.
+ source: "{{ item[1] }}"
+ jump: ACCEPT
+ comment: contiv
+ with_nested:
+ - "{{ contiv_netmaster_internal }}"
+ - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}"
notify: Save iptables rules
-- name: Netmaster IPtables | Open netmaster main port
- command: /sbin/iptables -I INPUT 1 -p tcp -s {{ item }} --dport {{ netmaster_port }} -j ACCEPT -m comment --comment "contiv"
- with_items:
- - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + netmaster_interface].ipv4.address)|list }}"
- when: iptablesrules.stdout.find("contiv") == -1
+- name: Netmaster IPtables | Add external rules
+ iptables:
+ action: insert
+ chain: INPUT
+ # Parsed from the contiv_netmaster_external list, this will be tcp or udp.
+ protocol: "{{ item.split('/')[1] }}"
+ match: "{{ item.split('/')[1] }}"
+ # Parsed from the contiv_netmaster_external list, this will be a port number.
+ destination_port: "{{ item.split('/')[0] }}"
+ jump: ACCEPT
+ comment: contiv
+ with_items: "{{ contiv_netmaster_external }}"
notify: Save iptables rules
diff --git a/roles/contiv/tasks/netplugin.yml b/roles/contiv/tasks/netplugin.yml
index 540f6e4bc..60f432202 100644
--- a/roles/contiv/tasks/netplugin.yml
+++ b/roles/contiv/tasks/netplugin.yml
@@ -1,9 +1,9 @@
---
- include_tasks: netplugin_firewalld.yml
- when: has_firewalld
+ when: contiv_has_firewalld
- include_tasks: netplugin_iptables.yml
- when: has_iptables
+ when: not contiv_has_firewalld and contiv_has_iptables
- name: Netplugin | Ensure localhost entry correct in /etc/hosts
lineinfile:
@@ -20,41 +20,40 @@
state: absent
- include_tasks: ovs.yml
- when: netplugin_driver == "ovs"
+ when: contiv_netplugin_driver == "ovs"
- name: Netplugin | Create Netplugin bin symlink
file:
src: "{{ contiv_current_release_directory }}/netplugin"
- dest: "{{ bin_dir }}/netplugin"
+ dest: "{{ contiv_bin_dir }}/netplugin"
state: link
-
-- name: Netplugin | Ensure cni_bin_dir exists
+- name: Netplugin | Ensure contiv_cni_bin_dir exists
file:
- path: "{{ cni_bin_dir }}"
+ path: "{{ contiv_cni_bin_dir }}"
recurse: yes
state: directory
- name: Netplugin | Create CNI bin symlink
file:
src: "{{ contiv_current_release_directory }}/contivk8s"
- dest: "{{ cni_bin_dir }}/contivk8s"
+ dest: "{{ contiv_cni_bin_dir }}/contivk8s"
state: link
- name: Netplugin | Copy CNI loopback bin
copy:
- src: "{{ cni_download_dir }}/loopback"
- dest: "{{ cni_bin_dir }}/loopback"
+ src: "{{ contiv_cni_download_dir }}/loopback"
+ dest: "{{ contiv_cni_bin_dir }}/loopback"
remote_src: True
mode: 0755
-- name: Netplugin | Ensure kube_plugin_dir and cni/net.d directories exist
+- name: Netplugin | Ensure contiv_kube_plugin_dir and cni/net.d directories exist
file:
path: "{{ item }}"
recurse: yes
state: directory
with_items:
- - "{{ kube_plugin_dir }}"
+ - "{{ contiv_kube_plugin_dir }}"
- "/etc/cni/net.d"
- name: Netplugin | Ensure contiv_config_dir exists
@@ -68,7 +67,7 @@
src: contiv_cni.conf
dest: "{{ item }}"
with_items:
- - "{{ kube_plugin_dir }}/contiv_cni.conf"
+ - "{{ contiv_kube_plugin_dir }}/contiv_cni.conf"
- "/etc/cni/net.d"
# notify: restart kubelet
@@ -85,11 +84,11 @@
mode: 0644
notify: restart netplugin
-- name: Docker | Make sure proxy setting exists
+- name: Netplugin | Make sure docker proxy setting exists
lineinfile:
dest: /etc/sysconfig/docker-network
regexp: '^https_proxy.*'
- line: 'https_proxy={{ https_proxy }}'
+ line: 'https_proxy={{ contiv_https_proxy }}'
state: present
register: docker_updated
@@ -103,9 +102,9 @@
command: systemctl daemon-reload
when: docker_updated is changed
-- name: Docker | Restart docker
+- name: Netplugin | Restart docker
service:
- name: "{{ openshift_docker_service_name }}"
+ name: "{{ contiv_openshift_docker_service_name }}"
state: restarted
when: docker_updated is changed
register: l_docker_restart_docker_in_contiv_result
diff --git a/roles/contiv/tasks/netplugin_firewalld.yml b/roles/contiv/tasks/netplugin_firewalld.yml
index 3aeffae56..5ac531ec6 100644
--- a/roles/contiv/tasks/netplugin_firewalld.yml
+++ b/roles/contiv/tasks/netplugin_firewalld.yml
@@ -1,34 +1,17 @@
---
-- name: Netplugin Firewalld | Open Netplugin port
+- name: Netplugin Firewalld | Add internal rules
firewalld:
- port: "{{ netplugin_port }}/tcp"
- permanent: false
- state: enabled
- # in case this is also a node where firewalld turned off
- ignore_errors: yes
-
-- name: Netplugin Firewalld | Save Netplugin port
- firewalld:
- port: "{{ netplugin_port }}/tcp"
+ immediate: true
permanent: true
- state: enabled
- # in case this is also a node where firewalld turned off
- ignore_errors: yes
-
-- name: Netplugin Firewalld | Open vxlan port
- firewalld:
- port: "8472/udp"
- permanent: false
- state: enabled
- # in case this is also a node where firewalld turned off
- ignore_errors: yes
- when: contiv_encap_mode == "vxlan"
+ port: "{{ item[0] }}"
+ source: "{{ item[1] }}"
+ with_nested:
+ - "{{ contiv_netplugin_internal }}"
+ - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}"
-- name: Netplugin Firewalld | Save firewalld vxlan port for flanneld
+- name: Netplugin Firewalld | Add dns rule
firewalld:
- port: "8472/udp"
+ immediate: true
permanent: true
- state: enabled
- # in case this is also a node where firewalld turned off
- ignore_errors: yes
- when: contiv_encap_mode == "vxlan"
+ port: "53/udp"
+ interface: contivh0
diff --git a/roles/contiv/tasks/netplugin_iptables.yml b/roles/contiv/tasks/netplugin_iptables.yml
index 3ea34645d..9d376f4e5 100644
--- a/roles/contiv/tasks/netplugin_iptables.yml
+++ b/roles/contiv/tasks/netplugin_iptables.yml
@@ -1,58 +1,52 @@
---
-- name: Netplugin IPtables | Get iptables rules
- command: iptables -L --wait
- register: iptablesrules
- check_mode: no
+- name: Netplugin IPtables | Add internal rules
+ iptables:
+ action: insert
+ chain: INPUT
+ protocol: "{{ item[0].split('/')[1] }}"
+ match: "{{ item[0].split('/')[1] }}"
+ destination_port: "{{ item[0].split('/')[0] }}"
+ source: "{{ item[1] }}"
+ jump: ACCEPT
+ comment: contiv
+ with_nested:
+ - "{{ contiv_netplugin_internal }}"
+ - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}"
+ notify: Save iptables rules
+
+- name: Netplugin IPtables | Add [in] forward rules
+ iptables:
+ action: insert
+ chain: FORWARD
+ in_interface: "{{ item }}"
+ jump: ACCEPT
+ comment: contiv
+ with_items: "{{ contiv_netplugin_forward_interfaces }}"
+ notify: Save iptables rules
+
+- name: Netplugin IPtables | Add [out] forward rules
+ iptables:
+ action: insert
+ chain: FORWARD
+ out_interface: "{{ item }}"
+ jump: ACCEPT
+ comment: contiv
+ with_items: "{{ contiv_netplugin_forward_interfaces }}"
+ notify: Save iptables rules
+
+- name: Netplugin IPtables | Add dns rule
+ iptables:
+ action: insert
+ chain: INPUT
+ protocol: udp
+ match: udp
+ destination_port: 53
+ in_interface: contivh0
+ jump: ACCEPT
+ comment: contiv
+ notify: Save iptables rules
- name: Netplugin IPtables | Enable iptables at boot
service:
name: iptables
enabled: yes
- state: started
-
-- name: Netplugin IPtables | Open Netmaster with iptables
- command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv"
- with_items:
- - "{{ netmaster_port }}"
- - "{{ contiv_rpc_port1 }}"
- - "{{ contiv_rpc_port2 }}"
- - "{{ contiv_rpc_port3 }}"
- - "{{ contiv_etcd_port }}"
- - "{{ kube_master_api_port }}"
- when: iptablesrules.stdout.find("contiv") == -1
- notify: Save iptables rules
-
-- name: Netplugin IPtables | Open vxlan port with iptables
- command: /sbin/iptables -I INPUT 1 -p udp --dport 8472 -j ACCEPT -m comment --comment "netplugin vxlan 8472"
- when: iptablesrules.stdout.find("netplugin vxlan 8472") == -1
- notify: Save iptables rules
-
-- name: Netplugin IPtables | Open vxlan port with iptables
- command: /sbin/iptables -I INPUT 1 -p udp --dport 4789 -j ACCEPT -m comment --comment "netplugin vxlan 4789"
- when: iptablesrules.stdout.find("netplugin vxlan 4789") == -1
- notify: Save iptables rules
-
-- name: Netplugin IPtables | Allow from contivh0
- command: /sbin/iptables -I FORWARD 1 -i contivh0 -j ACCEPT -m comment --comment "contivh0 FORWARD input"
- when: iptablesrules.stdout.find("contivh0 FORWARD input") == -1
- notify: Save iptables rules
-
-- name: Netplugin IPtables | Allow to contivh0
- command: /sbin/iptables -I FORWARD 1 -o contivh0 -j ACCEPT -m comment --comment "contivh0 FORWARD output"
- when: iptablesrules.stdout.find("contivh0 FORWARD output") == -1
- notify: Save iptables rules
-
-- name: Netplugin IPtables | Allow from contivh1
- command: /sbin/iptables -I FORWARD 1 -i contivh1 -j ACCEPT -m comment --comment "contivh1 FORWARD input"
- when: iptablesrules.stdout.find("contivh1 FORWARD input") == -1
- notify: Save iptables rules
-
-- name: Netplugin IPtables | Allow to contivh1
- command: /sbin/iptables -I FORWARD 1 -o contivh1 -j ACCEPT -m comment --comment "contivh1 FORWARD output"
- when: iptablesrules.stdout.find("contivh1 FORWARD output") == -1
- notify: Save iptables rules
-
-- name: Netplugin IPtables | Allow dns
- command: /sbin/iptables -I INPUT 1 -p udp --dport 53 -j ACCEPT -m comment --comment "contiv dns"
- when: iptablesrules.stdout.find("contiv dns") == -1
- notify: Save iptables rules
diff --git a/roles/contiv/tasks/old_version_cleanup.yml b/roles/contiv/tasks/old_version_cleanup.yml
new file mode 100644
index 000000000..8b3d88096
--- /dev/null
+++ b/roles/contiv/tasks/old_version_cleanup.yml
@@ -0,0 +1,43 @@
+---
+- name: Old version cleanup | Check if old auth proxy service exists
+ stat:
+ path: /etc/systemd/system/auth-proxy.service
+ register: auth_proxy_stat
+
+- name: Old version cleanup | Stop old auth proxy
+ service:
+ name: auth-proxy
+ enabled: no
+ state: stopped
+ when: auth_proxy_stat.stat.exists
+
+# Note(NB): The new containerized contiv-etcd service uses the same data
+# directory on the host, so etcd data is not lost.
+- name: Old version cleanup | Check if old contiv-etcd service exists
+ stat:
+ path: /etc/systemd/system/contiv-etcd.service
+ register: contiv_etcd_stat
+
+- name: Old version cleanup | Stop old contiv-etcd
+ service:
+ name: contiv-etcd
+ enabled: no
+ state: stopped
+ when: contiv_etcd_stat.stat.exists
+
+- name: Old version cleanup | Delete old files
+ file:
+ state: absent
+ path: "{{ item }}"
+ with_items:
+ - /etc/systemd/system/auth-proxy.service
+ - /var/contiv/certs
+ - /usr/bin/auth_proxy.sh
+ - /etc/systemd/system/contiv-etcd.service
+ - /etc/systemd/system/contiv-etcd.service.d
+
+- include_tasks: old_version_cleanup_iptables.yml
+ when: not contiv_has_firewalld and contiv_has_iptables
+
+- include_tasks: old_version_cleanup_firewalld.yml
+ when: contiv_has_firewalld
diff --git a/roles/contiv/tasks/old_version_cleanup_firewalld.yml b/roles/contiv/tasks/old_version_cleanup_firewalld.yml
new file mode 100644
index 000000000..675a6358a
--- /dev/null
+++ b/roles/contiv/tasks/old_version_cleanup_firewalld.yml
@@ -0,0 +1,11 @@
+---
+- name: Old version cleanup | Delete old firewalld rules
+ firewalld:
+ state: absent
+ immediate: true
+ permanent: true
+ port: "{{ item }}"
+ with_items:
+ - "9999/tcp"
+ - "6640/tcp"
+ - "8472/udp"
diff --git a/roles/contiv/tasks/old_version_cleanup_iptables.yml b/roles/contiv/tasks/old_version_cleanup_iptables.yml
new file mode 100644
index 000000000..513357606
--- /dev/null
+++ b/roles/contiv/tasks/old_version_cleanup_iptables.yml
@@ -0,0 +1,44 @@
+---
+- name: Old version cleanup | Delete old forward [in] iptables rules
+ iptables:
+ state: absent
+ chain: FORWARD
+ in_interface: "{{ item }}"
+ jump: ACCEPT
+ comment: "{{ item }} FORWARD input"
+ with_items:
+ - contivh0
+ - contivh1
+ notify: Save iptables rules
+
+- name: Old version cleanup | Delete old forward [out] iptables rules
+ iptables:
+ state: absent
+ chain: FORWARD
+ out_interface: "{{ item }}"
+ jump: ACCEPT
+ comment: "{{ item }} FORWARD output"
+ with_items:
+ - contivh0
+ - contivh1
+ notify: Save iptables rules
+
+- name: Old version cleanup | Delete old input iptables rules
+ iptables:
+ state: absent
+ chain: INPUT
+ protocol: "{{ item.split('/')[1] }}"
+ match: "{{ item.split('/')[1] }}"
+ destination_port: "{{ item.split('/')[0] }}"
+ comment: "{{ item.split('/')[2] }}"
+ jump: ACCEPT
+ with_items:
+ - "53/udp/contiv dns"
+ - "4789/udp/netplugin vxlan 4789"
+ - "8472/udp/netplugin vxlan 8472"
+ - "9003/tcp/contiv"
+ - "9002/tcp/contiv"
+ - "9001/tcp/contiv"
+ - "9999/tcp/contiv"
+ - "10000/tcp/Contiv auth proxy service (10000)"
+ notify: Save iptables rules
diff --git a/roles/contiv/tasks/ovs.yml b/roles/contiv/tasks/ovs.yml
index 5c92e90e9..21ba6ead4 100644
--- a/roles/contiv/tasks/ovs.yml
+++ b/roles/contiv/tasks/ovs.yml
@@ -1,6 +1,6 @@
---
- include_tasks: packageManagerInstall.yml
- when: source_type == "packageManager"
+ when: contiv_source_type == "packageManager"
tags:
- binary-update
diff --git a/roles/contiv/tasks/packageManagerInstall.yml b/roles/contiv/tasks/packageManagerInstall.yml
index 3367844a8..8c8e7a7bd 100644
--- a/roles/contiv/tasks/packageManagerInstall.yml
+++ b/roles/contiv/tasks/packageManagerInstall.yml
@@ -4,10 +4,9 @@
did_install: false
- include_tasks: pkgMgrInstallers/centos-install.yml
- when: (ansible_os_family == "RedHat") and
- not openshift_is_atomic
+ when: ansible_os_family == "RedHat" and not openshift_is_atomic | bool
- name: Package Manager | Set fact saying we did CentOS package install
set_fact:
did_install: true
- when: (ansible_os_family == "RedHat")
+ when: ansible_os_family == "RedHat"
diff --git a/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml
index 53c5b4099..2c82973d6 100644
--- a/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml
+++ b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml
@@ -12,9 +12,9 @@
dest: /tmp/rdo-release-ocata-2.noarch.rpm
validate_certs: False
environment:
- http_proxy: "{{ http_proxy|default('') }}"
- https_proxy: "{{ https_proxy|default('') }}"
- no_proxy: "{{ no_proxy|default('') }}"
+ http_proxy: "{{ contiv_http_proxy|default('') }}"
+ https_proxy: "{{ contiv_https_proxy|default('') }}"
+ no_proxy: "{{ contiv_no_proxy|default('') }}"
tags:
- ovs_install
@@ -30,9 +30,9 @@
pkg=openvswitch
state=present
environment:
- http_proxy: "{{ http_proxy|default('') }}"
- https_proxy: "{{ https_proxy|default('') }}"
- no_proxy: "{{ no_proxy|default('') }}"
+ http_proxy: "{{ contiv_http_proxy|default('') }}"
+ https_proxy: "{{ contiv_https_proxy|default('') }}"
+ no_proxy: "{{ contiv_no_proxy|default('') }}"
tags:
- ovs_install
register: result
diff --git a/roles/contiv/templates/aci-gw.service b/roles/contiv/templates/aci-gw.service
index 9b3f12567..e2813c99d 100644
--- a/roles/contiv/templates/aci-gw.service
+++ b/roles/contiv/templates/aci-gw.service
@@ -1,10 +1,10 @@
[Unit]
Description=Contiv ACI gw
-After=auditd.service systemd-user-sessions.service time-sync.target {{ openshift_docker_service_name }}.service
+After=auditd.service systemd-user-sessions.service time-sync.target {{ contiv_openshift_docker_service_name }}.service
[Service]
-ExecStart={{ bin_dir }}/aci_gw.sh start
-ExecStop={{ bin_dir }}/aci_gw.sh stop
+ExecStart={{ contiv_bin_dir }}/aci_gw.sh start
+ExecStop={{ contiv_bin_dir }}/aci_gw.sh stop
KillMode=control-group
Restart=always
RestartSec=10
diff --git a/roles/contiv/templates/aci_gw.j2 b/roles/contiv/templates/aci_gw.j2
index ab4ad46a6..5ff349945 100644
--- a/roles/contiv/templates/aci_gw.j2
+++ b/roles/contiv/templates/aci_gw.j2
@@ -11,13 +11,13 @@ start)
set -e
docker run --net=host \
- -e "APIC_URL={{ apic_url }}" \
- -e "APIC_USERNAME={{ apic_username }}" \
- -e "APIC_PASSWORD={{ apic_password }}" \
- -e "APIC_LEAF_NODE={{ apic_leaf_nodes }}" \
- -e "APIC_PHYS_DOMAIN={{ apic_phys_dom }}" \
- -e "APIC_EPG_BRIDGE_DOMAIN={{ apic_epg_bridge_domain }}" \
- -e "APIC_CONTRACTS_UNRESTRICTED_MODE={{ apic_contracts_unrestricted_mode }}" \
+ -e "APIC_URL={{ contiv_apic_url }}" \
+ -e "APIC_USERNAME={{ contiv_apic_username }}" \
+ -e "APIC_PASSWORD={{ contiv_apic_password }}" \
+ -e "APIC_LEAF_NODE={{ contiv_apic_leaf_nodes }}" \
+ -e "APIC_PHYS_DOMAIN={{ contiv_apic_phys_dom }}" \
+ -e "APIC_EPG_BRIDGE_DOMAIN={{ contiv_apic_epg_bridge_domain }}" \
+ -e "APIC_CONTRACTS_UNRESTRICTED_MODE={{ contiv_apic_contracts_unrestricted_mode }}" \
--name=contiv-aci-gw \
contiv/aci-gw
;;
diff --git a/roles/contiv/templates/api-proxy-daemonset.yml.j2 b/roles/contiv/templates/api-proxy-daemonset.yml.j2
new file mode 100644
index 000000000..a15073580
--- /dev/null
+++ b/roles/contiv/templates/api-proxy-daemonset.yml.j2
@@ -0,0 +1,57 @@
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-api-proxy
+ namespace: kube-system
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ name: contiv-api-proxy
+ template:
+ metadata:
+ namespace: kube-system
+ labels:
+ name: contiv-api-proxy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: contiv-api-proxy
+ hostNetwork: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+{% for node in groups.oo_masters_to_config %}
+ - "{{ node }}"
+{% endfor %}
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ containers:
+ - name: contiv-api-proxy
+ image: "{{ contiv_api_proxy_image_repo }}:{{ contiv_version }}"
+ args:
+ - "--listen-address=0.0.0.0:{{ contiv_api_proxy_port }}"
+ - --tls-key-file=/var/contiv/api_proxy_key.pem
+ - --tls-certificate=/var/contiv/api_proxy_cert.pem
+ - "--data-store-address={{ etcd_host }}"
+ - --data-store-driver=etcd
+ - "--netmaster-address=127.0.0.1:{{ contiv_netmaster_port }}"
+ ports:
+ - containerPort: "{{ contiv_api_proxy_port }}"
+ hostPort: "{{ contiv_api_proxy_port }}"
+ volumeMounts:
+ - name: secret-volume
+ mountPath: /var/contiv
+ readOnly: true
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: contiv-api-proxy-secret
diff --git a/roles/contiv/templates/api-proxy-secrets.yml.j2 b/roles/contiv/templates/api-proxy-secrets.yml.j2
new file mode 100644
index 000000000..cd800c97d
--- /dev/null
+++ b/roles/contiv/templates/api-proxy-secrets.yml.j2
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: contiv-api-proxy-secret
+ namespace: kube-system
+ labels:
+ name: contiv-api-proxy-secret
+# Use data+b64encode, because stringData doesn't preserve newlines.
+data:
+ api_proxy_key.pem: "{{ key | b64encode }}"
+ api_proxy_cert.pem: "{{ cert | b64encode }}"
diff --git a/roles/contiv/templates/contiv.cfg.j2 b/roles/contiv/templates/contiv.cfg.j2
index f0e99c556..1dce9fcc2 100644
--- a/roles/contiv/templates/contiv.cfg.j2
+++ b/roles/contiv/templates/contiv.cfg.j2
@@ -1,5 +1,5 @@
{
- "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ kube_master_api_port }}",
+ "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + contiv_netmaster_interface].ipv4.address }}:{{ contiv_kube_master_api_port }}",
"K8S_CA": "{{ openshift.common.config_base }}/node/ca.crt",
"K8S_KEY": "{{ openshift.common.config_base }}/node/system:node:{{ openshift.common.hostname }}.key",
"K8S_CERT": "{{ openshift.common.config_base }}/node/system:node:{{ openshift.common.hostname }}.crt",
diff --git a/roles/contiv/templates/contiv.cfg.master.j2 b/roles/contiv/templates/contiv.cfg.master.j2
index fac8e3c4c..ca29b8001 100644
--- a/roles/contiv/templates/contiv.cfg.master.j2
+++ b/roles/contiv/templates/contiv.cfg.master.j2
@@ -1,5 +1,5 @@
{
- "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ kube_master_api_port }}",
+ "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + contiv_netmaster_interface].ipv4.address }}:{{ contiv_kube_master_api_port }}",
"K8S_CA": "{{ openshift.common.config_base }}/master/ca.crt",
"K8S_KEY": "{{ openshift.common.config_base }}/master/system:node:{{ openshift.common.hostname }}.key",
"K8S_CERT": "{{ openshift.common.config_base }}/master/system:node:{{ openshift.common.hostname }}.crt",
diff --git a/roles/contiv/templates/etcd-daemonset.yml.j2 b/roles/contiv/templates/etcd-daemonset.yml.j2
new file mode 100644
index 000000000..76937e670
--- /dev/null
+++ b/roles/contiv/templates/etcd-daemonset.yml.j2
@@ -0,0 +1,83 @@
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-etcd
+ namespace: kube-system
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ name: contiv-etcd
+ template:
+ metadata:
+ namespace: kube-system
+ labels:
+ name: contiv-etcd
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: contiv-etcd
+ hostNetwork: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+{% for node in groups.oo_masters_to_config %}
+ - "{{ node }}"
+{% endfor %}
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ initContainers:
+ - name: contiv-etcd-init
+ image: "{{ contiv_etcd_init_image_repo }}:{{ contiv_etcd_init_image_tag }}"
+ env:
+ - name: ETCD_INIT_ARGSFILE
+ value: "{{ contiv_etcd_conf_dir }}/contiv-etcd-args"
+ - name: ETCD_INIT_LISTEN_PORT
+ value: "{{ contiv_etcd_port }}"
+ - name: ETCD_INIT_PEER_PORT
+ value: "{{ contiv_etcd_peer_port }}"
+ - name: ETCD_INIT_CLUSTER
+ value: "{{ contiv_etcd_peers }}"
+ - name: ETCD_INIT_DATA_DIR
+ value: "{{ contiv_etcd_data_dir }}"
+ volumeMounts:
+ - name: contiv-etcd-conf-dir
+ mountPath: "{{ contiv_etcd_conf_dir }}"
+ securityContext:
+ runAsUser: "{{ contiv_etcd_system_uid }}"
+ fsGroup: "{{ contiv_etcd_system_gid }}"
+ containers:
+ - name: contiv-etcd
+ image: "{{ contiv_etcd_image_repo }}:{{ contiv_etcd_image_tag }}"
+ command:
+ - sh
+ - -c
+ - 'exec etcd $(cat "$ETCD_INIT_ARGSFILE")'
+ env:
+ - name: ETCD_INIT_ARGSFILE
+ value: "{{ contiv_etcd_conf_dir }}/contiv-etcd-args"
+ volumeMounts:
+ - name: contiv-etcd-conf-dir
+ mountPath: "{{ contiv_etcd_conf_dir }}"
+ - name: contiv-etcd-data-dir
+ mountPath: "{{ contiv_etcd_data_dir }}"
+ securityContext:
+ runAsUser: "{{ contiv_etcd_system_uid }}"
+ fsGroup: "{{ contiv_etcd_system_gid }}"
+ volumes:
+ - name: contiv-etcd-data-dir
+ hostPath:
+ type: DirectoryOrCreate
+ path: "{{ contiv_etcd_data_dir }}"
+ - name: contiv-etcd-conf-dir
+ hostPath:
+ type: DirectoryOrCreate
+ path: "{{ contiv_etcd_conf_dir }}"
diff --git a/roles/contiv/templates/etcd-proxy-daemonset.yml.j2 b/roles/contiv/templates/etcd-proxy-daemonset.yml.j2
new file mode 100644
index 000000000..4ec6cfd76
--- /dev/null
+++ b/roles/contiv/templates/etcd-proxy-daemonset.yml.j2
@@ -0,0 +1,55 @@
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-etcd-proxy
+ namespace: kube-system
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ name: contiv-etcd-proxy
+ template:
+ metadata:
+ namespace: kube-system
+ labels:
+ name: contiv-etcd-proxy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: contiv-etcd
+ hostNetwork: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: NotIn
+ values:
+{% for node in groups.oo_masters_to_config %}
+ - "{{ node }}"
+{% endfor %}
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ containers:
+ - name: contiv-etcd-proxy
+ image: "{{ contiv_etcd_image_repo }}:{{ contiv_etcd_image_tag }}"
+ command:
+ - etcd
+ - "--proxy=on"
+ - "--listen-client-urls=http://127.0.0.1:{{ contiv_etcd_port }}"
+ - "--advertise-client-urls=http://127.0.0.1:{{ contiv_etcd_port }}"
+ - "--initial-cluster={{ contiv_etcd_peers }}"
+ - "--data-dir={{ contiv_etcd_data_dir }}"
+ volumeMounts:
+ - name: contiv-etcd-data-dir
+ mountPath: "{{ contiv_etcd_data_dir }}"
+ securityContext:
+ runAsUser: "{{ contiv_etcd_system_uid }}"
+ fsGroup: "{{ contiv_etcd_system_gid }}"
+ volumes:
+ - name: contiv-etcd-data-dir
+ emptyDir: {}
diff --git a/roles/contiv/templates/etcd-scc.yml.j2 b/roles/contiv/templates/etcd-scc.yml.j2
new file mode 100644
index 000000000..6c4bb1d1e
--- /dev/null
+++ b/roles/contiv/templates/etcd-scc.yml.j2
@@ -0,0 +1,42 @@
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities: []
+allowedFlexVolumes: []
+apiVersion: v1
+defaultAddCapabilities: []
+fsGroup:
+ ranges:
+ - max: "{{ contiv_etcd_system_gid }}"
+ min: "{{ contiv_etcd_system_gid }}"
+ type: MustRunAs
+groups: []
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: 'For contiv-etcd only.'
+ creationTimestamp: null
+ name: contiv-etcd
+priority: null
+readOnlyRootFilesystem: true
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+runAsUser:
+ type: MustRunAs
+ uid: "{{ contiv_etcd_system_uid }}"
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: MustRunAs
+users:
+- system:serviceaccount:kube-system:contiv-etcd
+volumes:
+- emptyDir
+- hostPath
+- secret
diff --git a/roles/contiv/templates/netmaster.env.j2 b/roles/contiv/templates/netmaster.env.j2
deleted file mode 100644
index 5b5c84a2e..000000000
--- a/roles/contiv/templates/netmaster.env.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-NETMASTER_ARGS='--cluster-store etcd://{{ etcd_url }} --cluster-mode=kubernetes'
-
diff --git a/roles/contiv/templates/netmaster.j2 b/roles/contiv/templates/netmaster.j2
new file mode 100644
index 000000000..c9db122b5
--- /dev/null
+++ b/roles/contiv/templates/netmaster.j2
@@ -0,0 +1 @@
+NETMASTER_ARGS='--etcd={{ contiv_etcd_url }} --listen-url=127.0.0.1:{{ contiv_netmaster_port }} --fwdmode={{ contiv_netplugin_fwd_mode }} --infra={{ contiv_fabric_mode }} --control-url={{ contiv_netmaster_ctrl_ip }}:{{ contiv_netmaster_port }} --cluster-mode=kubernetes --netmode={{ contiv_encap_mode }}'
diff --git a/roles/contiv/templates/netmaster.service b/roles/contiv/templates/netmaster.service
index ce7d0c75e..b7289bc38 100644
--- a/roles/contiv/templates/netmaster.service
+++ b/roles/contiv/templates/netmaster.service
@@ -4,7 +4,7 @@ After=auditd.service systemd-user-sessions.service contiv-etcd.service
[Service]
EnvironmentFile=/etc/default/netmaster
-ExecStart={{ bin_dir }}/netmaster $NETMASTER_ARGS
+ExecStart={{ contiv_bin_dir }}/netmaster $NETMASTER_ARGS
KillMode=control-group
Restart=always
RestartSec=10
diff --git a/roles/contiv/templates/netplugin.j2 b/roles/contiv/templates/netplugin.j2
index a4928cc3d..0fd727401 100644
--- a/roles/contiv/templates/netplugin.j2
+++ b/roles/contiv/templates/netplugin.j2
@@ -1,7 +1,6 @@
{% if contiv_encap_mode == "vlan" %}
-NETPLUGIN_ARGS='-vlan-if {{ netplugin_interface }} -ctrl-ip {{ netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store etcd://{{ etcd_url }}'
+NETPLUGIN_ARGS='--vlan-if={{ contiv_netplugin_interface }} --ctrl-ip={{ contiv_netplugin_ctrl_ip }} --etcd={{ contiv_etcd_url }} --fwdmode={{ contiv_netplugin_fwd_mode }} --cluster-mode=kubernetes --netmode={{ contiv_encap_mode }}'
{% endif %}
{% if contiv_encap_mode == "vxlan" %}
-NETPLUGIN_ARGS='-vtep-ip {{ netplugin_ctrl_ip }} -ctrl-ip {{ netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store etcd://{{ etcd_url }}'
+NETPLUGIN_ARGS='--vtep-ip={{ contiv_netplugin_ctrl_ip }} --vxlan-port={{ contiv_vxlan_port }} --ctrl-ip={{ contiv_netplugin_ctrl_ip }} --etcd={{ contiv_etcd_url }} --fwdmode={{ contiv_netplugin_fwd_mode }} --cluster-mode=kubernetes --netmode={{ contiv_encap_mode }}'
{% endif %}
-
diff --git a/roles/contiv/templates/netplugin.service b/roles/contiv/templates/netplugin.service
index 6358d89ec..2e1ca1bdf 100644
--- a/roles/contiv/templates/netplugin.service
+++ b/roles/contiv/templates/netplugin.service
@@ -4,7 +4,7 @@ After=auditd.service systemd-user-sessions.service contiv-etcd.service
[Service]
EnvironmentFile=/etc/default/netplugin
-ExecStart={{ bin_dir }}/netplugin $NETPLUGIN_ARGS
+ExecStart={{ contiv_bin_dir }}/netplugin $NETPLUGIN_ARGS
KillMode=control-group
Restart=always
RestartSec=10
diff --git a/roles/contiv_auth_proxy/README.md b/roles/contiv_auth_proxy/README.md
deleted file mode 100644
index 287b6c148..000000000
--- a/roles/contiv_auth_proxy/README.md
+++ /dev/null
@@ -1,29 +0,0 @@
-Role Name
-=========
-
-Role to install Contiv API Proxy and UI
-
-Requirements
-------------
-
-Docker needs to be installed to run the auth proxy container.
-
-Role Variables
---------------
-
-auth_proxy_image specifies the image with version tag to be used to spin up the auth proxy container.
-auth_proxy_cert, auth_proxy_key specify files to use for the proxy server certificates.
-auth_proxy_port is the host port and auth_proxy_datastore the cluster data store address.
-
-Dependencies
-------------
-
-docker
-
-Example Playbook
-----------------
-
-- hosts: netplugin-node
- become: true
- roles:
- - { role: auth_proxy, auth_proxy_port: 10000, auth_proxy_datastore: etcd://netmaster:22379 }
diff --git a/roles/contiv_auth_proxy/defaults/main.yml b/roles/contiv_auth_proxy/defaults/main.yml
deleted file mode 100644
index e1d904c6a..000000000
--- a/roles/contiv_auth_proxy/defaults/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-auth_proxy_image: "contiv/auth_proxy:1.1.1"
-auth_proxy_port: 10000
-contiv_certs: "/var/contiv/certs"
-cluster_store: "etcd://{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:22379"
-auth_proxy_cert: "{{ contiv_certs }}/auth_proxy_cert.pem"
-auth_proxy_key: "{{ contiv_certs }}/auth_proxy_key.pem"
-auth_proxy_datastore: "{{ cluster_store }}"
-auth_proxy_binaries: "/var/contiv_cache"
-auth_proxy_local_install: False
-auth_proxy_rule_comment: "Contiv auth proxy service"
-service_vip: "{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}"
diff --git a/roles/contiv_auth_proxy/files/auth-proxy.service b/roles/contiv_auth_proxy/files/auth-proxy.service
deleted file mode 100644
index 7cd2edff1..000000000
--- a/roles/contiv_auth_proxy/files/auth-proxy.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Contiv Proxy and UI
-After=auditd.service systemd-user-sessions.service time-sync.target docker.service
-
-[Service]
-ExecStart=/usr/bin/auth_proxy.sh start
-ExecStop=/usr/bin/auth_proxy.sh stop
-KillMode=control-group
-Restart=on-failure
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/contiv_auth_proxy/files/cert.pem b/roles/contiv_auth_proxy/files/cert.pem
deleted file mode 100644
index 63df4603f..000000000
--- a/roles/contiv_auth_proxy/files/cert.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFuTCCA6GgAwIBAgIJAOFyylO2zW2EMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIU2FuIEpvc2UxDTALBgNVBAoM
-BENQU0cxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxHTAbBgNVBAMMFGF1dGgtbG9j
-YWwuY2lzY28uY29tMB4XDTE3MDcxMzE5NDYwMVoXDTI3MDcxMTE5NDYwMVowczEL
-MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhTYW4gSm9zZTENMAsG
-A1UECgwEQ1BTRzEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEdMBsGA1UEAwwUYXV0
-aC1sb2NhbC5jaXNjby5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQDKCg26dvsD1u3f1lCaLlVptyTyGyanaJ73mlHiUnAMcu0A/p3kzluTeQLZJxtl
-MToM7rT/lun6fbhQC+7TQep9mufBzLhssyzRnT9rnGSeGwN66mO/rlYPZc5C1D7p
-7QZh1uLznzgOA2zMkgnI+n6LB2TZWg+XLhZZIr5SVYE18lj0tnwq3R1uznVv9t06
-grUYK2K7x0Y3Pt2e6yV0e1w2FOGH+7v3mm0c8r1+7U+4EZ2SM3fdG7nyTL/187gl
-yE8X4HOnAyYGbAnULJC02LR/DTQpv/RpLN/YJEpHZWApHZCKh+fbFdIhRRwEnT4L
-DLy3GJVFDEsmFaC91wf24+HAeUl9/hRIbxo9x/7kXmrhMlK38x2oo3cPh0XZxHje
-XmJUGG1OByAuIZaGFwS9lUuGTNvpN8P/v3HN/nORc0RE3fvoXIv4nuhaEfuo32q4
-dvO4aNjmxjz1JcUEx6DiMQe4ECaReYdvI+j9ZkUJj/e89iLsQ8gz5t3FTM+tmBi1
-hrRBAgWyRY5DKECVv2SNFiX55JQGA5vQDGw51qTTuhntfBhkHvhKL7V1FRZazx6N
-wqFyynig/jplb1ZNdKZ9ZxngZr6qHIx4RcGaJ9HdVhik7NyUCiHjWeGagzun2Omq
-FFXAD9Hmfctac5bGxx0FBi95kO8bd8b0GSIh2CWanETjawIDAQABo1AwTjAdBgNV
-HQ4EFgQU5P1g5gFZot//iwEV98MwW2YXzEMwHwYDVR0jBBgwFoAU5P1g5gFZot//
-iwEV98MwW2YXzEMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAbWgN
-BkFzzG5sbG7vUb23Ggv/0TCCuMtuKBGOBR0EW5Ssw6Aml7j3AGiy/1+2sdrQMsx2
-nVpexyQW5XS/X+8JjH7H7ifvwl3bVJ8xiR/9ioIJovrQojxQO0cUB2Lljj3bPd/R
-/tddAhPj0uN9N7UAejA12kXGa0Rrzb2U1rIpO9jnTbQYJiTOSzFiiGRMZWx3hfsW
-SDTpPmsV2Mh+jcmuxvPITl0s+vtqsm7SYoUZHwJ80LvrPbmk/5hTZGRsI3W5jipB
-PpOxvBnAWnQH3miMhty2TDaQ9JjYUwnxjFFZvNIYtp8+eH4nlbSldbgZoUeAe8It
-X6SsP8gT/uQh3TPvzNIfYROA7qTwoOQ8ZW8ssai/EttHAztFxketgNEfjwUTz8EJ
-yKeyAJ7qk3zD5k7p33ZNLWjmN0Awx3fCE9OQmNUyNX7PpYb4i+tHWu3h6Clw0RUf
-0gb1I+iyB3PXmpiYtxdMxGSi9CQIyWHzC4bsTQZkrzzIHWFSwewhUWOQ2Wko0hrv
-DnkS5k0cMPn5aNxw56H6OI+6hb+y/GGkTxNY9Gbxypx6lgZson0EY80EPZOJAORM
-XggJtTjiMpzvKh18DZY/Phmdh0C2tt8KYFdG83qLEhya9WZujbLAm38vIziFHbdX
-jOitXBSPyVrV3JvsCVksp+YC8Lnv3FsM494R4kA=
------END CERTIFICATE-----
diff --git a/roles/contiv_auth_proxy/files/key.pem b/roles/contiv_auth_proxy/files/key.pem
deleted file mode 100644
index 7224e569c..000000000
--- a/roles/contiv_auth_proxy/files/key.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAygoNunb7A9bt39ZQmi5Vabck8hsmp2ie95pR4lJwDHLtAP6d
-5M5bk3kC2ScbZTE6DO60/5bp+n24UAvu00HqfZrnwcy4bLMs0Z0/a5xknhsDeupj
-v65WD2XOQtQ+6e0GYdbi8584DgNszJIJyPp+iwdk2VoPly4WWSK+UlWBNfJY9LZ8
-Kt0dbs51b/bdOoK1GCtiu8dGNz7dnusldHtcNhThh/u795ptHPK9fu1PuBGdkjN3
-3Ru58ky/9fO4JchPF+BzpwMmBmwJ1CyQtNi0fw00Kb/0aSzf2CRKR2VgKR2Qiofn
-2xXSIUUcBJ0+Cwy8txiVRQxLJhWgvdcH9uPhwHlJff4USG8aPcf+5F5q4TJSt/Md
-qKN3D4dF2cR43l5iVBhtTgcgLiGWhhcEvZVLhkzb6TfD/79xzf5zkXNERN376FyL
-+J7oWhH7qN9quHbzuGjY5sY89SXFBMeg4jEHuBAmkXmHbyPo/WZFCY/3vPYi7EPI
-M+bdxUzPrZgYtYa0QQIFskWOQyhAlb9kjRYl+eSUBgOb0AxsOdak07oZ7XwYZB74
-Si+1dRUWWs8ejcKhcsp4oP46ZW9WTXSmfWcZ4Ga+qhyMeEXBmifR3VYYpOzclAoh
-41nhmoM7p9jpqhRVwA/R5n3LWnOWxscdBQYveZDvG3fG9BkiIdglmpxE42sCAwEA
-AQKCAgANVU6EoLd+EGAQZo9ZLXebi2eXxqztXV0oT/nZasFUQP1dFHCNGgU3HURP
-2mHXcsE2+0XcnDQCwOs59R+kt3PnKCLlSkJdghGSH8OAsYh+WqAHK5K7oqCxUXGk
-PWeNfoPuTwUZOMe1PQqgEX8t0UIqoKlKIsRmoLb+2Okge94UFlNCiwx0s7TujBd5
-9Ruycc/LsYlJhSQgHzj29OO65S03sHcVx0onU/yhbW+OAdFB/3+bl2PwppTF5cTB
-UX00mRyHIdvgCLgoslaPtwUxuh9nRxLLMozJqBl5pSN1xL3s2LOiQMfPUIhWg74O
-m+XtSsDlgGzRardG4ySBgsBWzcEnGWi5/xyc/6dtERzR382+CLUfOEoucGJHk6kj
-RdbVx5FCawpAzjs9Wo49Vr+WQceSiBfb2+ndNUTiD0wu7xLEVPcYC6CMk71qZv5H
-0qGlLhtkHF0nSQytbwqwfMz2SGDfkwIHgQ0gTKMpEMWK79E24ewE1BnMiaKC1bgk
-evB6WM1YZFMKS5L7fshJcbeMe9dhSF3s+Y0MYVv5MCL1VMZyIzAcj8mkPYZyBRUk
-MC87GnaebeTvHNtimvqCuWDGVI1SOoc1xtopkxinTqtIYGuQacrSmfyf9D3Rg4+l
-kB0ibtJV+HLP94q266aef/PdpXszs7zo0h6skpLItW/jAuSNuQKCAQEA/VdXpMi8
-nfOtXwOZlGA2+jShYyHyCl2TKgbpfDGl1yKNkbBrIu2/PEl1DpmzSeG1tdNCzN68
-4vEjpF/jBsdSJj4BDiRY6HEcURXpw4yTZ7oCnUCbzadLIo3wX/gFDEVZz+0nQQ29
-5x0XGuQnJXC2fe/CyrkfltKhFSYoTSjtMbma4Pm3Q3HP3wGOvoUKtKNDO5rF26Qh
-YtqJgJSKBAms0wKiy9VVTa6DaXrtSnXTR+Ltud3xnWBrX1Z+idwxYt/Be5W2woHf
-M5zPIqMUgry5ujtRxhLmleFXDAYbaIQR9AZXlSS3w+9Gcl5EDRkFXqlaoCfppwTR
-wakj2lNjbAidPwKCAQEAzCjgko4/Yss/0dCs8ySKd2IaRF93OwC/E2SHVqe5bATh
-rVmDn/KIH4J2fI4FiaIHELT1CU5vmganYbK2k7CoJztjJltM1B7rkpHiVSL+qMqn
-yBZFg3LFq9eiBPZHyQEc+HMJUhFRexjdeqLH78HCoPz1QnKo2xRoGHhSQ/Rh6lXo
-20tldL9HrSxPRmwxnyLgWGcWopv/92JNxu6FgnZcnsVjkpO2mriLD7+Ty5qfvkwc
-RFDBYnq2JjBcvqngrzDIGDzC7hTA5BRuuQdNMZggJwO6nKdZDUrq5NIo9B07FLj1
-IRMVm7D1vJYzYI6HW7Wj4vNRXMY8jG1fwvNG0+xy1QKCAQEA7m14R9bAZWuDnGt3
-7APNWheUWAcHk6fTq/cLYV4cdWfIkvfVLO9STrvXliEjcoIhkPk94jAy1ucZo0a3
-FJccgm9ScOvWXRSvEMUt12ODC1ktwq+esqMi/GdXdgqnPZA7YYwRqJD1TAC90Qou
-qXb12Xp/+mjWCQ08mvnpbgz5hxXmZJvAVZJUj84YeMgfdjg9O2iDlB5ZaX7BcCjb
-58bvRzww2ONzQAPhG7Gch7pyWTKCh64RCgtHold2CesY87QglV4mvdKarSmEbFXN
-JOnXZiUT5fW93AtS8DcDLo81klMxtGT1KksUIukC5MzKl/eNGjPWG+FWRAwaeQyI
-ApHs4wKCAQAI10RSVGKeTprm5Rh4Nv7gCJmGmHO7VF7x4gqSUBURfmyfax7uEDyg
-0K982VGYEjIoIQ3zZzgh/WPGMU0CvEWr3UB/6rg6/1PINxUMBsXsXUpCueQsuw2g
-UWgsutWE+M1eXOzsZt+Waw88PkxWL5fUDOA6DmkNg6a2WI+Hbc/HrAy3Yl50Xcwm
-zaJpNEo5z/LTITOzuvmsps8jbDTP33xHS9jyAf+IV7F97xfhW0LLpNQciTq2nwXA
-RZvejdCzBXPEyOzQDooD1natAInxOds6lUjBe+W5U6M0YX1whMuILDJBSmhHI7Sg
-hAiZh9KIwCbmrw6468S3eA0LjillB/o5AoIBAQCg93syT50nYF2UWWP/rEa7qf6h
-+YpBPpJskIl3NDMJtie9OcdsoFpjblpFbsMqsSag9KhGl7wn4f8qXO0HERSb8oYd
-1Zu6BgUCuRXuAKNI4f508IooNpXx9y7xxl4giFBnDPa6W3KWqZ2LMDt92htMd/Zm
-qvoyYZhFhMSyKFzPDAFdsZijJgahqJRKhHeW9BsPqho5i7Ys+PhE8e/vUZs2zUeS
-QEHWhVisDTNKOoJIdz7JXFgEXCPTLAxXIIhYSkIfQxHxsWjt0vs79tzUkV8NlpKt
-d7s0iyHnD6kDvoxYOSI9YmSEnnFBFdgeiD+/VD+7enOdqb5MHsjuw+by09ft
------END RSA PRIVATE KEY-----
diff --git a/roles/contiv_auth_proxy/handlers/main.yml b/roles/contiv_auth_proxy/handlers/main.yml
deleted file mode 100644
index 9cb9bea49..000000000
--- a/roles/contiv_auth_proxy/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for auth_proxy
diff --git a/roles/contiv_auth_proxy/tasks/cleanup.yml b/roles/contiv_auth_proxy/tasks/cleanup.yml
deleted file mode 100644
index a29659cc9..000000000
--- a/roles/contiv_auth_proxy/tasks/cleanup.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-- name: stop auth-proxy container
- service: name=auth-proxy state=stopped
-
-- name: cleanup iptables for auth proxy
- shell: iptables -D INPUT -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "{{ auth_proxy_rule_comment }} ({{ item }})"
- become: true
- with_items:
- - "{{ auth_proxy_port }}"
diff --git a/roles/contiv_auth_proxy/tasks/main.yml b/roles/contiv_auth_proxy/tasks/main.yml
deleted file mode 100644
index 74e7bf794..000000000
--- a/roles/contiv_auth_proxy/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-# tasks file for auth_proxy
-- name: setup iptables for auth proxy
- shell: >
- ( iptables -L INPUT | grep "{{ auth_proxy_rule_comment }} ({{ item }})" ) || \
- iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "{{ auth_proxy_rule_comment }} ({{ item }})"
- become: true
- with_items:
- - "{{ auth_proxy_port }}"
-
-# Load the auth-proxy-image from local tar. Ignore any errors to handle the
-# case where the image is not built in
-- name: copy auth-proxy image
- copy: src={{ auth_proxy_binaries }}/auth-proxy-image.tar dest=/tmp/auth-proxy-image.tar
- when: auth_proxy_local_install == True
-
-- name: load auth-proxy image
- shell: docker load -i /tmp/auth-proxy-image.tar
- when: auth_proxy_local_install == True
-
-- name: create cert folder for proxy
- file: path=/var/contiv/certs state=directory
-
-- name: copy shell script for starting auth-proxy
- template: src=auth_proxy.j2 dest=/usr/bin/auth_proxy.sh mode=u=rwx,g=rx,o=rx
-
-- name: copy cert for starting auth-proxy
- copy: src=cert.pem dest=/var/contiv/certs/auth_proxy_cert.pem mode=u=rw,g=r,o=r
-
-- name: copy key for starting auth-proxy
- copy: src=key.pem dest=/var/contiv/certs/auth_proxy_key.pem mode=u=rw,g=r,o=r
-
-- name: copy systemd units for auth-proxy
- copy: src=auth-proxy.service dest=/etc/systemd/system/auth-proxy.service
-
-- name: start auth-proxy container
- systemd: name=auth-proxy daemon_reload=yes state=started enabled=yes
diff --git a/roles/contiv_auth_proxy/templates/auth_proxy.j2 b/roles/contiv_auth_proxy/templates/auth_proxy.j2
deleted file mode 100644
index 0ab8c831b..000000000
--- a/roles/contiv_auth_proxy/templates/auth_proxy.j2
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-usage="$0 start/stop"
-if [ $# -ne 1 ]; then
- echo USAGE: $usage
- exit 1
-fi
-
-case $1 in
-start)
- set -e
-
- /usr/bin/docker run --rm \
- -p 10000:{{ auth_proxy_port }} \
- --net=host --name=auth-proxy \
- -e NO_NETMASTER_STARTUP_CHECK=1 \
- -v /var/contiv:/var/contiv:z \
- {{ auth_proxy_image }} \
- --tls-key-file={{ auth_proxy_key }} \
- --tls-certificate={{ auth_proxy_cert }} \
- --data-store-address={{ auth_proxy_datastore }} \
- --netmaster-address={{ service_vip }}:9999 \
- --listen-address=:10000
- ;;
-
-stop)
- # don't stop on error
- /usr/bin/docker stop auth-proxy
- /usr/bin/docker rm -f -v auth-proxy
- ;;
-
-*)
- echo USAGE: $usage
- exit 1
- ;;
-esac
diff --git a/roles/contiv_auth_proxy/tests/inventory b/roles/contiv_auth_proxy/tests/inventory
deleted file mode 100644
index d18580b3c..000000000
--- a/roles/contiv_auth_proxy/tests/inventory
+++ /dev/null
@@ -1 +0,0 @@
-localhost \ No newline at end of file
diff --git a/roles/contiv_auth_proxy/tests/test.yml b/roles/contiv_auth_proxy/tests/test.yml
deleted file mode 100644
index 2af3250cd..000000000
--- a/roles/contiv_auth_proxy/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - auth_proxy
diff --git a/roles/contiv_auth_proxy/vars/main.yml b/roles/contiv_auth_proxy/vars/main.yml
deleted file mode 100644
index 9032766c4..000000000
--- a/roles/contiv_auth_proxy/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# vars file for auth_proxy
diff --git a/roles/contiv_facts/defaults/main.yaml b/roles/contiv_facts/defaults/main.yaml
index 7b8150954..c1622c56a 100644
--- a/roles/contiv_facts/defaults/main.yaml
+++ b/roles/contiv_facts/defaults/main.yaml
@@ -1,13 +1,10 @@
---
# The directory where binaries are stored on Ansible
# managed systems.
-bin_dir: /usr/bin
+contiv_bin_dir: /usr/bin
# The directory used by Ansible to temporarily store
# files on Ansible managed systems.
-ansible_temp_dir: /tmp/.ansible/files
+contiv_ansible_temp_dir: /tmp/.ansible/files
-source_type: packageManager
-
-# Whether or not to also install and enable the Contiv auth_proxy
-contiv_enable_auth_proxy: false
+contiv_source_type: packageManager
diff --git a/roles/contiv_facts/tasks/fedora-install.yml b/roles/contiv_facts/tasks/fedora-install.yml
index 932ff091a..b8239a636 100644
--- a/roles/contiv_facts/tasks/fedora-install.yml
+++ b/roles/contiv_facts/tasks/fedora-install.yml
@@ -11,9 +11,9 @@
retries: 5
delay: 10
environment:
- https_proxy: "{{ https_proxy }}"
- http_proxy: "{{ http_proxy }}"
- no_proxy: "{{ no_proxy }}"
+ https_proxy: "{{ contiv_https_proxy }}"
+ http_proxy: "{{ contiv_http_proxy }}"
+ no_proxy: "{{ contiv_no_proxy }}"
- name: Install libselinux-python
command: dnf install {{ item }} -y
@@ -21,6 +21,6 @@
- python-dnf
- libselinux-python
environment:
- https_proxy: "{{ https_proxy }}"
- http_proxy: "{{ http_proxy }}"
- no_proxy: "{{ no_proxy }}"
+ https_proxy: "{{ contiv_https_proxy }}"
+ http_proxy: "{{ contiv_http_proxy }}"
+ no_proxy: "{{ contiv_no_proxy }}"
diff --git a/roles/contiv_facts/tasks/main.yml b/roles/contiv_facts/tasks/main.yml
index ced04759d..11f1e1369 100644
--- a/roles/contiv_facts/tasks/main.yml
+++ b/roles/contiv_facts/tasks/main.yml
@@ -4,42 +4,28 @@
register: distro
check_mode: no
-- name: Init the is_coreos fact
+- name: Init the contiv_is_coreos fact
set_fact:
- is_coreos: false
+ contiv_is_coreos: false
-- name: Set the is_coreos fact
+- name: Set the contiv_is_coreos fact
set_fact:
- is_coreos: true
+ contiv_is_coreos: true
when: "'CoreOS' in distro.stdout"
-- name: Set docker config file directory
- set_fact:
- docker_config_dir: "/etc/sysconfig"
-
-- name: Override docker config file directory for Debian
- set_fact:
- docker_config_dir: "/etc/default"
- when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
-
-- name: Create config file directory
- file:
- path: "{{ docker_config_dir }}"
- state: directory
-
- name: Set the bin directory path for CoreOS
set_fact:
- bin_dir: "/opt/bin"
- when: is_coreos
+ contiv_bin_dir: "/opt/bin"
+ when: contiv_is_coreos
- name: Create the directory used to store binaries
file:
- path: "{{ bin_dir }}"
+ path: "{{ contiv_bin_dir }}"
state: directory
- name: Create Ansible temp directory
file:
- path: "{{ ansible_temp_dir }}"
+ path: "{{ contiv_ansible_temp_dir }}"
state: directory
- name: Determine if has rpm
@@ -48,26 +34,26 @@
changed_when: false
check_mode: no
-- name: Init the has_rpm fact
+- name: Init the contiv_has_rpm fact
set_fact:
- has_rpm: false
+ contiv_has_rpm: false
-- name: Set the has_rpm fact
+- name: Set the contiv_has_rpm fact
set_fact:
- has_rpm: true
+ contiv_has_rpm: true
when: s.stat.exists
-- name: Init the has_firewalld fact
+- name: Init the contiv_has_firewalld fact
set_fact:
- has_firewalld: false
+ contiv_has_firewalld: false
-- name: Init the has_iptables fact
+- name: Init the contiv_has_iptables fact
set_fact:
- has_iptables: false
+ contiv_has_iptables: false
# collect information about what packages are installed
- include_tasks: rpm.yml
- when: has_rpm
+ when: contiv_has_rpm
- include_tasks: fedora-install.yml
when: not openshift_is_atomic and ansible_distribution == "Fedora"
diff --git a/roles/contiv_facts/tasks/rpm.yml b/roles/contiv_facts/tasks/rpm.yml
index d12436f96..dc6c5d3b7 100644
--- a/roles/contiv_facts/tasks/rpm.yml
+++ b/roles/contiv_facts/tasks/rpm.yml
@@ -13,9 +13,9 @@
failed_when: false
check_mode: no
-- name: Set the has_firewalld fact
+- name: Set the contiv_has_firewalld fact
set_fact:
- has_firewalld: true
+ contiv_has_firewalld: true
when: s.rc == 0 and ss.rc == 0
- name: Determine if iptables-services installed
@@ -25,7 +25,7 @@
failed_when: false
check_mode: no
-- name: Set the has_iptables fact
+- name: Set the contiv_has_iptables fact
set_fact:
- has_iptables: true
+ contiv_has_iptables: true
when: s.rc == 0
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index 337727e47..87e249642 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -98,4 +98,4 @@ r_etcd_os_firewall_allow:
# set the backend quota to 4GB by default
etcd_quota_backend_bytes: 4294967296
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
diff --git a/roles/etcd/tasks/certificates/fetch_client_certificates_from_ca.yml b/roles/etcd/tasks/certificates/fetch_client_certificates_from_ca.yml
index d4518554c..78578a055 100644
--- a/roles/etcd/tasks/certificates/fetch_client_certificates_from_ca.yml
+++ b/roles/etcd/tasks/certificates/fetch_client_certificates_from_ca.yml
@@ -79,13 +79,6 @@
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
- register: g_etcd_client_mktemp
- changed_when: False
- when: etcd_client_certs_missing | bool
- become: no
-
- name: Create a tarball of the etcd certs
command: >
tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
@@ -101,8 +94,7 @@
- name: Retrieve the etcd cert tarballs
fetch:
src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ g_etcd_client_mktemp.stdout }}/"
- flat: yes
+ dest: "/tmp"
fail_on_missing: yes
validate_checksum: yes
when: etcd_client_certs_missing | bool
@@ -116,10 +108,15 @@
- name: Unarchive etcd cert tarballs
unarchive:
- src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
+ src: "/tmp/{{ inventory_hostname }}/{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
dest: "{{ etcd_cert_config_dir }}"
when: etcd_client_certs_missing | bool
+- name: Delete temporary directory
+ local_action: file path="/tmp/{{ inventory_hostname }}" state=absent
+ changed_when: False
+ when: etcd_client_certs_missing | bool
+
- file:
path: "{{ etcd_cert_config_dir }}/{{ item }}"
owner: root
@@ -130,9 +127,3 @@
- "{{ etcd_cert_prefix }}client.key"
- "{{ etcd_cert_prefix }}ca.crt"
when: etcd_client_certs_missing | bool
-
-- name: Delete temporary directory
- local_action: file path="{{ g_etcd_client_mktemp.stdout }}" state=absent
- changed_when: False
- when: etcd_client_certs_missing | bool
- become: no
diff --git a/roles/etcd/tasks/certificates/fetch_server_certificates_from_ca.yml b/roles/etcd/tasks/certificates/fetch_server_certificates_from_ca.yml
index 59a6b6590..987380d0c 100644
--- a/roles/etcd/tasks/certificates/fetch_server_certificates_from_ca.yml
+++ b/roles/etcd/tasks/certificates/fetch_server_certificates_from_ca.yml
@@ -105,13 +105,6 @@
when: etcd_server_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
- become: no
- register: g_etcd_server_mktemp
- changed_when: False
- when: etcd_server_certs_missing | bool
-
- name: Create a tarball of the etcd certs
command: >
tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
@@ -127,8 +120,7 @@
- name: Retrieve etcd cert tarball
fetch:
src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ g_etcd_server_mktemp.stdout }}/"
- flat: yes
+ dest: "/tmp"
fail_on_missing: yes
validate_checksum: yes
when: etcd_server_certs_missing | bool
@@ -144,7 +136,7 @@
- name: Unarchive cert tarball
unarchive:
- src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
+ src: "/tmp/{{ inventory_hostname }}/{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
dest: "{{ etcd_cert_config_dir }}"
when: etcd_server_certs_missing | bool
@@ -161,8 +153,7 @@
- name: Retrieve etcd ca cert tarball
fetch:
src: "{{ etcd_generated_certs_dir }}/{{ etcd_ca_name }}.tgz"
- dest: "{{ g_etcd_server_mktemp.stdout }}/"
- flat: yes
+ dest: "/tmp"
fail_on_missing: yes
validate_checksum: yes
when: etcd_server_certs_missing | bool
@@ -177,8 +168,7 @@
when: etcd_server_certs_missing | bool
- name: Delete temporary directory
- local_action: file path="{{ g_etcd_server_mktemp.stdout }}" state=absent
- become: no
+ local_action: file path="/tmp/{{ inventory_hostname }}" state=absent
changed_when: False
when: etcd_server_certs_missing | bool
diff --git a/roles/flannel/defaults/main.yaml b/roles/flannel/defaults/main.yaml
index 2e4a0dc39..d9e4d2354 100644
--- a/roles/flannel/defaults/main.yaml
+++ b/roles/flannel/defaults/main.yaml
@@ -6,4 +6,4 @@ etcd_peer_ca_file: "{{ openshift.common.config_base }}/node/flannel.etcd-ca.crt"
etcd_peer_cert_file: "{{ openshift.common.config_base }}/node/flannel.etcd-client.crt"
etcd_peer_key_file: "{{ openshift.common.config_base }}/node/flannel.etcd-client.key"
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
diff --git a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
index 83ca83350..da7e7b1da 100644
--- a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
+++ b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
@@ -31,6 +31,7 @@ class CallbackModule(CallbackBase):
'installer_phase_node',
'installer_phase_glusterfs',
'installer_phase_hosted',
+ 'installer_phase_web_console',
'installer_phase_metrics',
'installer_phase_logging',
'installer_phase_prometheus',
@@ -80,6 +81,10 @@ class CallbackModule(CallbackBase):
'title': 'Hosted Install',
'playbook': 'playbooks/openshift-hosted/config.yml'
},
+ 'installer_phase_web_console': {
+ 'title': 'Web Console Install',
+ 'playbook': 'playbooks/openshift-web-console/config.yml'
+ },
'installer_phase_metrics': {
'title': 'Metrics Install',
'playbook': 'playbooks/openshift-metrics/config.yml'
diff --git a/roles/openshift_sanitize_inventory/library/conditional_set_fact.py b/roles/lib_openshift/library/conditional_set_fact.py
index f61801714..363399f33 100644
--- a/roles/openshift_sanitize_inventory/library/conditional_set_fact.py
+++ b/roles/lib_openshift/library/conditional_set_fact.py
@@ -29,6 +29,10 @@ EXAMPLES = '''
fact1: not_defined_variable
fact2: defined_variable
+- name: Conditionally set fact falling back on default
+ conditional_set_fact:
+ fact1: not_defined_var | defined_variable
+
'''
@@ -48,12 +52,14 @@ def run_module():
is_changed = False
for param in module.params['vars']:
- other_var = module.params['vars'][param]
-
- if other_var in module.params['facts']:
- local_facts[param] = module.params['facts'][other_var]
- if not is_changed:
- is_changed = True
+ other_vars = module.params['vars'][param].replace(" ", "")
+
+ for other_var in other_vars.split('|'):
+ if other_var in module.params['facts']:
+ local_facts[param] = module.params['facts'][other_var]
+ if not is_changed:
+ is_changed = True
+ break
return module.exit_json(changed=is_changed, # noqa: F405
ansible_facts=local_facts)
diff --git a/roles/lib_utils/callback_plugins/openshift_quick_installer.py b/roles/lib_utils/callback_plugins/openshift_quick_installer.py
index c0fdbc650..365e2443d 100644
--- a/roles/lib_utils/callback_plugins/openshift_quick_installer.py
+++ b/roles/lib_utils/callback_plugins/openshift_quick_installer.py
@@ -192,7 +192,7 @@ The only thing we change here is adding `log_only=True` to the
"""
delegated_vars = result._result.get('_ansible_delegated_vars', None)
self._clean_results(result._result, result._task.action)
- if result._task.action in ('include', 'include_role'):
+ if result._task.action in ('include', 'import_role'):
return
elif result._result.get('changed', False):
if delegated_vars:
@@ -220,7 +220,7 @@ The only thing we change here is adding `log_only=True` to the
def v2_runner_item_on_ok(self, result):
"""Print out task results for items you're iterating over"""
delegated_vars = result._result.get('_ansible_delegated_vars', None)
- if result._task.action in ('include', 'include_role'):
+ if result._task.action in ('include', 'import_role'):
return
elif result._result.get('changed', False):
msg = 'changed'
diff --git a/roles/openshift_aws/README.md b/roles/openshift_aws/README.md
index 4aca5c7a8..de73ab01d 100644
--- a/roles/openshift_aws/README.md
+++ b/roles/openshift_aws/README.md
@@ -7,9 +7,9 @@ This role contains many task-areas to provision resources and perform actions
against an AWS account for the purposes of dynamically building an openshift
cluster.
-This role is primarily intended to be used with "include_role" and "tasks_from".
+This role is primarily intended to be used with "import_role" and "tasks_from".
-include_role can be called from the tasks section in a play. See example
+import_role can be called from the tasks section in a play. See example
playbook below for reference.
These task-areas are:
@@ -40,7 +40,7 @@ Example Playbook
----------------
```yaml
-- include_role:
+- import_role:
name: openshift_aws
tasks_from: vpc.yml
vars:
diff --git a/roles/openshift_cluster_autoscaler/README.md b/roles/openshift_cluster_autoscaler/README.md
index d775a8a71..137ae0cef 100644
--- a/roles/openshift_cluster_autoscaler/README.md
+++ b/roles/openshift_cluster_autoscaler/README.md
@@ -28,7 +28,7 @@ Example Playbook
remote_user: root
tasks:
- name: include role autoscaler
- include_role:
+ import_role:
name: openshift_cluster_autoscaler
vars:
openshift_clusterid: opstest
diff --git a/roles/openshift_etcd_client_certificates/tasks/main.yml b/roles/openshift_etcd_client_certificates/tasks/main.yml
index 7f8b667f0..18d07fc2f 100644
--- a/roles/openshift_etcd_client_certificates/tasks/main.yml
+++ b/roles/openshift_etcd_client_certificates/tasks/main.yml
@@ -1,4 +1,4 @@
---
-- include_role:
+- import_role:
name: etcd
tasks_from: client_certificates
diff --git a/roles/openshift_examples/tasks/main.yml b/roles/openshift_examples/tasks/main.yml
index a09a598bd..ff04cdf9c 100644
--- a/roles/openshift_examples/tasks/main.yml
+++ b/roles/openshift_examples/tasks/main.yml
@@ -13,18 +13,23 @@
# use it either due to changes introduced in Ansible 2.x.
- name: Create local temp dir for OpenShift examples copy
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- become: False
register: copy_examples_mktemp
run_once: True
+- name: Create local temp dir for OpenShift examples copy
+ local_action: command chmod 755 "{{ copy_examples_mktemp.stdout }}"
+ run_once: True
+
- name: Create tar of OpenShift examples
local_action: command tar -C "{{ role_path }}/files/examples/{{ content_version }}/" -cvf "{{ copy_examples_mktemp.stdout }}/openshift-examples.tar" .
args:
# Disables the following warning:
# Consider using unarchive module rather than running tar
warn: no
- become: False
- register: copy_examples_tar
+
+- name: Create local temp dir for OpenShift examples copy
+ local_action: command chmod 744 "{{ copy_examples_mktemp.stdout }}/openshift-examples.tar"
+ run_once: True
- name: Create the remote OpenShift examples directory
file:
@@ -38,7 +43,6 @@
dest: "{{ examples_base }}/"
- name: Cleanup the OpenShift Examples temp dir
- become: False
local_action: file dest="{{ copy_examples_mktemp.stdout }}" state=absent
# Done copying examples
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index d659286dc..d7c358a2f 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -656,26 +656,6 @@ def set_nodename(facts):
return facts
-def migrate_oauth_template_facts(facts):
- """
- Migrate an old oauth template fact to a newer format if it's present.
-
- The legacy 'oauth_template' fact was just a filename, and assumed you were
- setting the 'login' template.
-
- The new pluralized 'oauth_templates' fact is a dict mapping the template
- name to a filename.
-
- Simplify the code after this by merging the old fact into the new.
- """
- if 'master' in facts and 'oauth_template' in facts['master']:
- if 'oauth_templates' not in facts['master']:
- facts['master']['oauth_templates'] = {"login": facts['master']['oauth_template']}
- elif 'login' not in facts['master']['oauth_templates']:
- facts['master']['oauth_templates']['login'] = facts['master']['oauth_template']
- return facts
-
-
def format_url(use_ssl, hostname, port, path=''):
""" Format url based on ssl flag, hostname, port and path
@@ -1387,7 +1367,6 @@ class OpenShiftFacts(object):
facts = merge_facts(facts,
local_facts,
additive_facts_to_overwrite)
- facts = migrate_oauth_template_facts(facts)
facts['current_config'] = get_current_config(facts)
facts = set_url_facts_if_unset(facts)
facts = set_identity_providers_if_unset(facts)
diff --git a/roles/openshift_health_checker/openshift_checks/__init__.py b/roles/openshift_health_checker/openshift_checks/__init__.py
index b7b16e0ea..83e551b5d 100644
--- a/roles/openshift_health_checker/openshift_checks/__init__.py
+++ b/roles/openshift_health_checker/openshift_checks/__init__.py
@@ -95,6 +95,13 @@ class OpenShiftCheck(object):
# These are intended to be a sequential record of what the check observed and determined.
self.logs = []
+ def template_var(self, var_to_template):
+ """Return a templated variable if self._templar is not None, else
+ just return the variable as-is"""
+ if self._templar is not None:
+ return self._templar.template(var_to_template)
+ return var_to_template
+
@abstractproperty
def name(self):
"""The name of this check, usually derived from the class name."""
diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
index 744b79c1a..7afb8f730 100644
--- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
@@ -64,7 +64,9 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):
self.registries["configured"] = regs
# for the oreg_url registry there may be credentials specified
- components = self.get_var("oreg_url", default="").split('/')
+ oreg_url = self.get_var("oreg_url", default="")
+ oreg_url = self.template_var(oreg_url)
+ components = oreg_url.split('/')
self.registries["oreg"] = "" if len(components) < 3 else components[0]
# Retrieve and template registry credentials, if provided
@@ -72,9 +74,8 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):
oreg_auth_user = self.get_var('oreg_auth_user', default='')
oreg_auth_password = self.get_var('oreg_auth_password', default='')
if oreg_auth_user != '' and oreg_auth_password != '':
- if self._templar is not None:
- oreg_auth_user = self._templar.template(oreg_auth_user)
- oreg_auth_password = self._templar.template(oreg_auth_password)
+ oreg_auth_user = self.template_var(oreg_auth_user)
+ oreg_auth_password = self.template_var(oreg_auth_password)
self.skopeo_command_creds = "--creds={}:{}".format(quote(oreg_auth_user), quote(oreg_auth_password))
# record whether we could reach a registry or not (and remember results)
@@ -153,6 +154,7 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):
# template for images that run on top of OpenShift
image_url = "{}/{}-{}:{}".format(image_info["namespace"], image_info["name"], "${component}", "${version}")
image_url = self.get_var("oreg_url", default="") or image_url
+ image_url = self.template_var(image_url)
if 'oo_nodes_to_config' in host_groups:
for suffix in NODE_IMAGE_SUFFIXES:
required.add(image_url.replace("${component}", suffix).replace("${version}", image_tag))
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
index d306adf42..57f59f872 100644
--- a/roles/openshift_hosted/tasks/main.yml
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -1,6 +1,6 @@
---
-# This role is intended to be used with include_role.
-# include_role:
+# This role is intended to be used with import_role.
+# import_role:
# name: openshift_hosted
# tasks_from: "{{ item }}"
# with_items:
diff --git a/roles/openshift_hosted/tasks/registry.yml b/roles/openshift_hosted/tasks/registry.yml
index 429f0c514..22294e3d4 100644
--- a/roles/openshift_hosted/tasks/registry.yml
+++ b/roles/openshift_hosted/tasks/registry.yml
@@ -1,10 +1,4 @@
---
-- name: Create temp directory for doing work in
- command: mktemp -d /tmp/openshift-hosted-ansible-XXXXXX
- register: mktempHosted
- changed_when: False
- check_mode: no
-
- name: setup firewall
import_tasks: firewall.yml
vars:
@@ -132,25 +126,10 @@
edits: "{{ openshift_hosted_registry_edits }}"
force: "{{ True|bool in openshift_hosted_registry_force }}"
+# TODO(michaelgugino) remove this set fact. It is currently necessary due to
+# custom module not properly templating variables.
- name: setup registry list
set_fact:
r_openshift_hosted_registry_list:
- name: "{{ openshift_hosted_registry_name }}"
namespace: "{{ openshift_hosted_registry_namespace }}"
-
-- name: Wait for pod (Registry)
- include_tasks: wait_for_pod.yml
- vars:
- l_openshift_hosted_wait_for_pod: "{{ openshift_hosted_registry_wait }}"
- l_openshift_hosted_wfp_items: "{{ r_openshift_hosted_registry_list }}"
-
-- include_tasks: storage/glusterfs.yml
- when:
- - openshift_hosted_registry_storage_kind | default(none) == 'glusterfs' or openshift_hosted_registry_storage_glusterfs_swap
-
-- name: Delete temp directory
- file:
- name: "{{ mktempHosted.stdout }}"
- state: absent
- changed_when: False
- check_mode: no
diff --git a/roles/openshift_hosted/tasks/registry_storage.yml b/roles/openshift_hosted/tasks/registry_storage.yml
new file mode 100644
index 000000000..aa66a7867
--- /dev/null
+++ b/roles/openshift_hosted/tasks/registry_storage.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: storage/glusterfs.yml
+ when:
+ - openshift_hosted_registry_storage_kind | default(none) == 'glusterfs' or openshift_hosted_registry_storage_glusterfs_swap
diff --git a/roles/openshift_hosted/tasks/router.yml b/roles/openshift_hosted/tasks/router.yml
index 8ecaacb4a..2dc9c98f6 100644
--- a/roles/openshift_hosted/tasks/router.yml
+++ b/roles/openshift_hosted/tasks/router.yml
@@ -98,9 +98,3 @@
ports: "{{ item.ports }}"
stats_port: "{{ item.stats_port }}"
with_items: "{{ openshift_hosted_routers }}"
-
-- name: Wait for pod (Routers)
- include_tasks: wait_for_pod.yml
- vars:
- l_openshift_hosted_wait_for_pod: "{{ openshift_hosted_router_wait }}"
- l_openshift_hosted_wfp_items: "{{ openshift_hosted_routers }}"
diff --git a/roles/openshift_hosted/tasks/wait_for_pod.yml b/roles/openshift_hosted/tasks/wait_for_pod.yml
index f4b9939cc..a14b0febc 100644
--- a/roles/openshift_hosted/tasks/wait_for_pod.yml
+++ b/roles/openshift_hosted/tasks/wait_for_pod.yml
@@ -7,7 +7,7 @@
--namespace {{ item.namespace | default('default') }} \
--config {{ openshift_master_config_dir }}/admin.kubeconfig
async: 600
- poll: 15
+ poll: 5
with_items: "{{ l_openshift_hosted_wfp_items }}"
failed_when: false
@@ -28,8 +28,8 @@
-o jsonpath='{ .metadata.annotations.openshift\.io/deployment\.phase }'
register: openshift_hosted_wfp_rc_phase
until: "'Running' not in openshift_hosted_wfp_rc_phase.stdout"
- delay: 15
- retries: 40
+ delay: 5
+ retries: 60
failed_when: "'Failed' in openshift_hosted_wfp_rc_phase.stdout"
with_together:
- "{{ l_openshift_hosted_wfp_items }}"
diff --git a/roles/openshift_hosted_templates/meta/main.yml b/roles/openshift_hosted_templates/meta/main.yml
index fca3485fd..d7cc1e288 100644
--- a/roles/openshift_hosted_templates/meta/main.yml
+++ b/roles/openshift_hosted_templates/meta/main.yml
@@ -13,3 +13,4 @@ galaxy_info:
- cloud
dependencies:
- role: lib_utils
+- role: openshift_facts
diff --git a/roles/openshift_hosted_templates/tasks/main.yml b/roles/openshift_hosted_templates/tasks/main.yml
index b2313c297..672d25b4d 100644
--- a/roles/openshift_hosted_templates/tasks/main.yml
+++ b/roles/openshift_hosted_templates/tasks/main.yml
@@ -1,20 +1,25 @@
---
- name: Create local temp dir for OpenShift hosted templates copy
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- become: False
register: copy_hosted_templates_mktemp
run_once: True
# AUDIT:changed_when: not set here because this task actually
# creates something
+- name: Create local temp dir for OpenShift examples copy
+ local_action: command chmod 755 "{{ copy_hosted_templates_mktemp.stdout }}"
+ run_once: True
+
- name: Create tar of OpenShift examples
local_action: command tar -C "{{ role_path }}/files/{{ content_version }}/{{ hosted_deployment_type }}" -cvf "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar" .
args:
# Disables the following warning:
# Consider using unarchive module rather than running tar
warn: no
- become: False
- register: copy_hosted_templates_tar
+
+- name: Create local temp dir for OpenShift examples copy
+ local_action: command chmod 744 "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar"
+ run_once: True
- name: Create remote OpenShift hosted templates directory
file:
@@ -28,7 +33,6 @@
dest: "{{ hosted_base }}/"
- name: Cleanup the OpenShift hosted templates temp dir
- become: False
local_action: file dest="{{ copy_hosted_templates_mktemp.stdout }}" state=absent
- name: Modify registry paths if registry_url is not registry.access.redhat.com
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 6ffe3f11e..d8c45fb33 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -32,7 +32,7 @@ r_openshift_loadbalancer_os_firewall_allow:
port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
cond: "{{ r_openshift_lb_use_nuage | bool }}"
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
# NOTE
# r_openshift_lb_use_nuage_default may be defined external to this role.
diff --git a/roles/openshift_logging/filter_plugins/openshift_logging.py b/roles/openshift_logging/filter_plugins/openshift_logging.py
index e1a5ea726..ba412b5a6 100644
--- a/roles/openshift_logging/filter_plugins/openshift_logging.py
+++ b/roles/openshift_logging/filter_plugins/openshift_logging.py
@@ -102,6 +102,28 @@ def serviceaccount_namespace(qualified_sa, default=None):
return seg[-1]
+def flatten_dict(data, parent_key=None):
+ """ This filter plugin will flatten a dict and its sublists into a single dict
+ """
+ if not isinstance(data, dict):
+ raise RuntimeError("flatten_dict failed, expects to flatten a dict")
+
+ merged = dict()
+
+ for key in data:
+ if parent_key is not None:
+ insert_key = '.'.join((parent_key, key))
+ else:
+ insert_key = key
+
+ if isinstance(data[key], dict):
+ merged.update(flatten_dict(data[key], insert_key))
+ else:
+ merged[insert_key] = data[key]
+
+ return merged
+
+
# pylint: disable=too-few-public-methods
class FilterModule(object):
''' OpenShift Logging Filters '''
@@ -117,5 +139,6 @@ class FilterModule(object):
'es_storage': es_storage,
'serviceaccount_name': serviceaccount_name,
'serviceaccount_namespace': serviceaccount_namespace,
- 'walk': walk
+ 'walk': walk,
+ "flatten_dict": flatten_dict
}
diff --git a/roles/openshift_logging/library/logging_patch.py b/roles/openshift_logging/library/logging_patch.py
new file mode 100644
index 000000000..d2c0bc456
--- /dev/null
+++ b/roles/openshift_logging/library/logging_patch.py
@@ -0,0 +1,112 @@
+#!/usr/bin/python
+
+""" Ansible module to help with creating context patch file with whitelisting for logging """
+
+import difflib
+import re
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = '''
+---
+module: logging_patch
+
+short_description: This will create a context patch file while giving ability
+ to whitelist some lines (excluding them from comparison)
+
+description:
+ - "To create configmap patches for logging"
+
+author:
+ - Eric Wolinetz ewolinet@redhat.com
+'''
+
+
+EXAMPLES = '''
+- logging_patch:
+ original_file: "{{ tempdir }}/current.yml"
+ new_file: "{{ configmap_new_file }}"
+ whitelist: "{{ configmap_protected_lines | default([]) }}"
+
+'''
+
+
+def account_for_whitelist(file_contents, white_list=None):
+ """ This method will remove lines that contain whitelist values from the content
+ of the file so that we aren't build a patch based on that line
+
+ Usage:
+
+ for file_contents:
+
+ index:
+ number_of_shards: {{ es_number_of_shards | default ('1') }}
+ number_of_replicas: {{ es_number_of_replicas | default ('0') }}
+ unassigned.node_left.delayed_timeout: 2m
+ translog:
+ flush_threshold_size: 256mb
+ flush_threshold_period: 5m
+
+
+ and white_list:
+
+ ['number_of_shards', 'number_of_replicas']
+
+
+ We would end up with:
+
+ index:
+ unassigned.node_left.delayed_timeout: 2m
+ translog:
+ flush_threshold_size: 256mb
+ flush_threshold_period: 5m
+
+ """
+
+ for line in white_list:
+ file_contents = re.sub(r".*%s:.*\n" % line, "", file_contents)
+
+ return file_contents
+
+
+def run_module():
+ """ The body of the module, we check if the variable name specified as the value
+ for the key is defined. If it is then we use that value as for the original key """
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ original_file=dict(type='str', required=True),
+ new_file=dict(type='str', required=True),
+ whitelist=dict(required=False, type='list', default=[])
+ ),
+ supports_check_mode=True
+ )
+
+ original_fh = open(module.params['original_file'], "r")
+ original_contents = original_fh.read()
+ original_fh.close()
+
+ original_contents = account_for_whitelist(original_contents, module.params['whitelist'])
+
+ new_fh = open(module.params['new_file'], "r")
+ new_contents = new_fh.read()
+ new_fh.close()
+
+ new_contents = account_for_whitelist(new_contents, module.params['whitelist'])
+
+ uni_diff = difflib.unified_diff(new_contents.splitlines(),
+ original_contents.splitlines(),
+ lineterm='')
+
+ return module.exit_json(changed=False, # noqa: F405
+ raw_patch="\n".join(uni_diff))
+
+
+def main():
+ """ main """
+ run_module()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/openshift_logging/library/openshift_logging_facts.py b/roles/openshift_logging/library/openshift_logging_facts.py
index 98d0d1c4f..302a9b4c9 100644
--- a/roles/openshift_logging/library/openshift_logging_facts.py
+++ b/roles/openshift_logging/library/openshift_logging_facts.py
@@ -204,6 +204,14 @@ class OpenshiftLoggingFacts(OCBaseCommand):
if comp is not None:
self.add_facts_for(comp, "services", name, dict())
+ # pylint: disable=too-many-arguments
+ def facts_from_configmap(self, comp, kind, name, config_key, yaml_file=None):
+ '''Extracts facts in logging namespace from configmap'''
+ if yaml_file is not None:
+ config_facts = yaml.load(yaml_file)
+ self.facts[comp][kind][name][config_key] = config_facts
+ self.facts[comp][kind][name]["raw"] = yaml_file
+
def facts_for_configmaps(self, namespace):
''' Gathers facts for configmaps in logging namespace '''
self.default_keys_for("configmaps")
@@ -214,7 +222,10 @@ class OpenshiftLoggingFacts(OCBaseCommand):
name = item["metadata"]["name"]
comp = self.comp(name)
if comp is not None:
- self.add_facts_for(comp, "configmaps", name, item["data"])
+ self.add_facts_for(comp, "configmaps", name, dict(item["data"]))
+ if comp in ["elasticsearch", "elasticsearch_ops"]:
+ for config_key in item["data"]:
+ self.facts_from_configmap(comp, "configmaps", name, config_key, item["data"][config_key])
def facts_for_oauthclients(self, namespace):
''' Gathers facts for oauthclients used with logging '''
diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml
index 51d6d0efd..fbc3e3fd1 100644
--- a/roles/openshift_logging/tasks/delete_logging.yaml
+++ b/roles/openshift_logging/tasks/delete_logging.yaml
@@ -126,7 +126,18 @@
- __logging_ops_projects.stderr | length == 0
## EventRouter
-- include_role:
+- import_role:
name: openshift_logging_eventrouter
when:
not openshift_logging_install_eventrouter | default(false) | bool
+
+# Update asset config in openshift-web-console namespace
+- name: Remove Kibana route information from web console asset config
+ include_role:
+ name: openshift_web_console
+ tasks_from: update_asset_config.yml
+ vars:
+ asset_config_edits:
+ - key: loggingPublicURL
+ value: ""
+ when: openshift_web_console_install | default(true) | bool
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 11f59652c..185f47f50 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -4,6 +4,9 @@
oc_bin: "{{openshift_client_binary}}"
openshift_logging_namespace: "{{openshift_logging_namespace}}"
+## This is include vs import because we need access to group/inventory variables
+- include_tasks: set_defaults_from_current.yml
+
- name: Set logging project
oc_project:
state: present
@@ -72,7 +75,7 @@
elasticsearch_storage_type: "{{ openshift_logging_elasticsearch_storage_type | default('pvc' if ( openshift_logging_es_pvc_dynamic | bool or openshift_hosted_logging_storage_kind | default('') == 'nfs' or openshift_logging_es_pvc_size | length > 0) else 'emptydir') }}"
# We don't allow scaling down of ES nodes currently
-- include_role:
+- import_role:
name: openshift_logging_elasticsearch
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -100,7 +103,7 @@
- openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count > 0
# Create any new DC that may be required
-- include_role:
+- import_role:
name: openshift_logging_elasticsearch
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -134,7 +137,7 @@
when:
- openshift_logging_use_ops | bool
-- include_role:
+- import_role:
name: openshift_logging_elasticsearch
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -177,7 +180,7 @@
- openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() | count > 0
# Create any new DC that may be required
-- include_role:
+- import_role:
name: openshift_logging_elasticsearch
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -210,7 +213,7 @@
## Kibana
-- include_role:
+- import_role:
name: openshift_logging_kibana
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -223,7 +226,7 @@
openshift_logging_kibana_image_pull_secret: "{{ openshift_logging_image_pull_secret }}"
-- include_role:
+- import_role:
name: openshift_logging_kibana
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -253,7 +256,7 @@
- include_tasks: annotate_ops_projects.yaml
## Curator
-- include_role:
+- import_role:
name: openshift_logging_curator
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -263,7 +266,7 @@
openshift_logging_curator_master_url: "{{ openshift_logging_master_url }}"
openshift_logging_curator_image_pull_secret: "{{ openshift_logging_image_pull_secret }}"
-- include_role:
+- import_role:
name: openshift_logging_curator
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -281,7 +284,7 @@
- openshift_logging_use_ops | bool
## Mux
-- include_role:
+- import_role:
name: openshift_logging_mux
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -294,7 +297,7 @@
## Fluentd
-- include_role:
+- import_role:
name: openshift_logging_fluentd
vars:
generated_certs_dir: "{{openshift.common.config_base}}/logging"
@@ -305,10 +308,22 @@
## EventRouter
-- include_role:
+- import_role:
name: openshift_logging_eventrouter
when:
openshift_logging_install_eventrouter | default(false) | bool
+# TODO: Remove when asset config is removed from master-config.yaml
- include_tasks: update_master_config.yaml
+
+# Update asset config in openshift-web-console namespace
+- name: Add Kibana route information to web console asset config
+ include_role:
+ name: openshift_web_console
+ tasks_from: update_asset_config.yml
+ vars:
+ asset_config_edits:
+ - key: loggingPublicURL
+ value: "https://{{ openshift_logging_kibana_hostname }}"
+ when: openshift_web_console_install | default(true) | bool
diff --git a/roles/openshift_logging/tasks/patch_configmap_file.yaml b/roles/openshift_logging/tasks/patch_configmap_file.yaml
new file mode 100644
index 000000000..30087fe6a
--- /dev/null
+++ b/roles/openshift_logging/tasks/patch_configmap_file.yaml
@@ -0,0 +1,35 @@
+---
+## The purpose of this task file is to get a patch that is based on the diff
+## between configmap_current_file and configmap_new_file. The module
+## logging_patch takes the paths of two files to compare and also a list of
+## variables whose line we exclude from the diffs.
+## We then patch the new configmap file so that we can build a configmap
+## using that file later. We then use oc apply to idempotenly modify any
+## existing configmap.
+
+## The following variables are expected to be provided when including this task:
+# __configmap_output -- This is provided to us from patch_configmap_files.yaml
+# it is a dict of the configmap where configmap_current_file exists
+# configmap_current_file -- The name of the data file in the __configmap_output
+# configmap_new_file -- The path to the file that we intend to oc apply later
+# we apply our generated patch to this file.
+# configmap_protected_lines -- The list of variables to exclude from the diff
+
+- copy:
+ content: "{{ __configmap_output.results.results[0]['data'][configmap_current_file] }}"
+ dest: "{{ tempdir }}/current.yml"
+
+- logging_patch:
+ original_file: "{{ tempdir }}/current.yml"
+ new_file: "{{ configmap_new_file }}"
+ whitelist: "{{ configmap_protected_lines | default([]) }}"
+ register: patch_output
+
+- copy:
+ content: "{{ patch_output.raw_patch }}\n"
+ dest: "{{ tempdir }}/patch.patch"
+ when: patch_output.raw_patch | length > 0
+
+- command: >
+ patch --force --quiet -u "{{ configmap_new_file }}" "{{ tempdir }}/patch.patch"
+ when: patch_output.raw_patch | length > 0
diff --git a/roles/openshift_logging/tasks/patch_configmap_files.yaml b/roles/openshift_logging/tasks/patch_configmap_files.yaml
new file mode 100644
index 000000000..74a9cc287
--- /dev/null
+++ b/roles/openshift_logging/tasks/patch_configmap_files.yaml
@@ -0,0 +1,31 @@
+---
+## The purpose of this task file is to take in a list of configmap files provided
+## in the variable configmap_file_names, which correspond to the data sections
+## within a configmap. We iterate over each of these files and create a patch
+## from the diff between current_file and new_file to try to maintain any custom
+## changes that a user may have made to a currently deployed configmap while
+## trying to idempotently update with any role provided files.
+
+## The following variables are expected to be provided when including this task:
+# configmap_name -- This is the name of the configmap that the files exist in
+# configmap_namespace -- The namespace that the configmap lives in
+# configmap_file_names -- This is expected to be passed in as a dict
+# current_file -- The name of the data entry within the configmap
+# new_file -- The file path to the file we are comparing to current_file
+# protected_lines -- List of variables whose line will be excluded when creating a diff
+
+- oc_configmap:
+ name: "{{ configmap_name }}"
+ state: list
+ namespace: "{{ configmap_namespace }}"
+ register: __configmap_output
+
+- when: __configmap_output.results.stderr is undefined
+ include_tasks: patch_configmap_file.yaml
+ vars:
+ configmap_current_file: "{{ configmap_files.current_file }}"
+ configmap_new_file: "{{ configmap_files.new_file }}"
+ configmap_protected_lines: "{{ configmap_files.protected_lines | default([]) }}"
+ with_items: "{{ configmap_file_names }}"
+ loop_control:
+ loop_var: configmap_files
diff --git a/roles/openshift_logging/tasks/set_defaults_from_current.yml b/roles/openshift_logging/tasks/set_defaults_from_current.yml
new file mode 100644
index 000000000..dde362abe
--- /dev/null
+++ b/roles/openshift_logging/tasks/set_defaults_from_current.yml
@@ -0,0 +1,34 @@
+---
+
+## We are pulling default values from configmaps if they exist already
+## Using conditional_set_fact allows us to set the value of a variable based on
+## the value of another one, if it is already defined. Else we don't set the
+## left hand side (it stays undefined as well).
+
+## conditional_set_fact allows us to specify a fact source, so first we try to
+## set variables in the logging-elasticsearch & logging-elasticsearch-ops configmaps
+## afterwards we set the value of the variable based on the value in the inventory
+## but fall back to using the value from a configmap as a default. If neither is set
+## then the variable remains undefined and the role default will be used.
+
+- conditional_set_fact:
+ facts: "{{ openshift_logging_facts['elasticsearch']['configmaps']['logging-elasticsearch']['elasticsearch.yml'] | flatten_dict }}"
+ vars:
+ __openshift_logging_es_number_of_shards: index.number_of_shards
+ __openshift_logging_es_number_of_replicas: index.number_of_replicas
+ when: openshift_logging_facts['elasticsearch']['configmaps']['logging-elasticsearch'] is defined
+
+- conditional_set_fact:
+ facts: "{{ openshift_logging_facts['elasticsearch_ops']['configmaps']['logging-elasticsearch-ops']['elasticsearch.yml'] | flatten_dict }}"
+ vars:
+ __openshift_logging_es_ops_number_of_shards: index.number_of_shards
+ __openshift_logging_es_ops_number_of_replicas: index.number_of_replicas
+ when: openshift_logging_facts['elasticsearch_ops']['configmaps']['logging-elasticsearch-ops'] is defined
+
+- conditional_set_fact:
+ facts: "{{ hostvars[inventory_hostname] }}"
+ vars:
+ openshift_logging_es_number_of_shards: openshift_logging_es_number_of_shards | __openshift_logging_es_number_of_shards
+ openshift_logging_es_number_of_replicas: openshift_logging_es_number_of_replicas | __openshift_logging_es_number_of_replicas
+ openshift_logging_es_ops_number_of_shards: openshift_logging_es_ops_number_of_shards | __openshift_logging_es_ops_number_of_shards
+ openshift_logging_es_ops_number_of_replicas: openshift_logging_es_ops_number_of_replicas | __openshift_logging_es_ops_number_of_replicas
diff --git a/roles/openshift_logging/tasks/update_master_config.yaml b/roles/openshift_logging/tasks/update_master_config.yaml
index b96b8e29d..c0f42ba97 100644
--- a/roles/openshift_logging/tasks/update_master_config.yaml
+++ b/roles/openshift_logging/tasks/update_master_config.yaml
@@ -1,4 +1,5 @@
---
+# TODO: Remove when asset config is removed from master-config.yaml
- name: Adding Kibana route information to loggingPublicURL
modify_yaml:
dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
diff --git a/roles/openshift_logging_curator/tasks/main.yaml b/roles/openshift_logging_curator/tasks/main.yaml
index 524e239b7..cc68998f5 100644
--- a/roles/openshift_logging_curator/tasks/main.yaml
+++ b/roles/openshift_logging_curator/tasks/main.yaml
@@ -54,14 +54,17 @@
- copy:
src: curator.yml
dest: "{{ tempdir }}/curator.yml"
- when: curator_config_contents is undefined
changed_when: no
-- copy:
- content: "{{ curator_config_contents }}"
- dest: "{{ tempdir }}/curator.yml"
- when: curator_config_contents is defined
- changed_when: no
+- import_role:
+ name: openshift_logging
+ tasks_from: patch_configmap_files.yaml
+ vars:
+ configmap_name: "logging-curator"
+ configmap_namespace: "logging"
+ configmap_file_names:
+ - current_file: "config.yaml"
+ new_file: "{{ tempdir }}/curator.yml"
- name: Set Curator configmap
oc_configmap:
diff --git a/roles/openshift_logging_curator/vars/main.yml b/roles/openshift_logging_curator/vars/main.yml
index 95bf462d1..5bee58725 100644
--- a/roles/openshift_logging_curator/vars/main.yml
+++ b/roles/openshift_logging_curator/vars/main.yml
@@ -1,3 +1,3 @@
---
-__latest_curator_version: "3_6"
-__allowed_curator_versions: ["3_5", "3_6", "3_7"]
+__latest_curator_version: "3_8"
+__allowed_curator_versions: ["3_5", "3_6", "3_7", "3_8"]
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index 6ddeb122e..9bd37f33c 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -168,33 +168,31 @@
when: es_logging_contents is undefined
changed_when: no
-- set_fact:
- __es_num_of_shards: "{{ _es_configmap | default({}) | walk('index.number_of_shards', '1') }}"
- __es_num_of_replicas: "{{ _es_configmap | default({}) | walk('index.number_of_replicas', '0') }}"
-
- template:
src: elasticsearch.yml.j2
dest: "{{ tempdir }}/elasticsearch.yml"
vars:
allow_cluster_reader: "{{ openshift_logging_elasticsearch_ops_allow_cluster_reader | lower | default('false') }}"
- es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(None) or __es_num_of_shards }}"
- es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(None) or __es_num_of_replicas }}"
+ es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(1) }}"
+ es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas| default(0) }}"
es_kibana_index_mode: "{{ openshift_logging_elasticsearch_kibana_index_mode | default('unique') }}"
when: es_config_contents is undefined
changed_when: no
-- copy:
- content: "{{ es_logging_contents }}"
- dest: "{{ tempdir }}/elasticsearch-logging.yml"
- when: es_logging_contents is defined
- changed_when: no
-
-- copy:
- content: "{{ es_config_contents }}"
- dest: "{{ tempdir }}/elasticsearch.yml"
- when: es_config_contents is defined
- changed_when: no
+# create diff between current configmap files and our current files
+- import_role:
+ name: openshift_logging
+ tasks_from: patch_configmap_files.yaml
+ vars:
+ configmap_name: "logging-elasticsearch"
+ configmap_namespace: "logging"
+ configmap_file_names:
+ - current_file: "elasticsearch.yml"
+ new_file: "{{ tempdir }}/elasticsearch.yml"
+ protected_lines: ["number_of_shards", "number_of_replicas"]
+ - current_file: "logging.yml"
+ new_file: "{{ tempdir }}/elasticsearch-logging.yml"
- name: Set ES configmap
oc_configmap:
diff --git a/roles/openshift_logging_elasticsearch/vars/main.yml b/roles/openshift_logging_elasticsearch/vars/main.yml
index c8e995146..0e56a6eac 100644
--- a/roles/openshift_logging_elasticsearch/vars/main.yml
+++ b/roles/openshift_logging_elasticsearch/vars/main.yml
@@ -1,6 +1,6 @@
---
-__latest_es_version: "3_6"
-__allowed_es_versions: ["3_5", "3_6", "3_7"]
+__latest_es_version: "3_8"
+__allowed_es_versions: ["3_5", "3_6", "3_7", "3_8"]
__allowed_es_types: ["data-master", "data-client", "master", "client"]
__es_log_appenders: ['file', 'console']
__kibana_index_modes: ["unique", "shared_ops"]
diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml
index 08d7561ac..529859983 100644
--- a/roles/openshift_logging_fluentd/tasks/main.yaml
+++ b/roles/openshift_logging_fluentd/tasks/main.yaml
@@ -108,38 +108,28 @@
dest: "{{ tempdir }}/fluent.conf"
vars:
deploy_type: "{{ openshift_logging_fluentd_deployment_type }}"
- when: fluentd_config_contents is undefined
- changed_when: no
- copy:
src: fluentd-throttle-config.yaml
dest: "{{ tempdir }}/fluentd-throttle-config.yaml"
- when: fluentd_throttle_contents is undefined
- changed_when: no
- copy:
src: secure-forward.conf
dest: "{{ tempdir }}/secure-forward.conf"
- when: fluentd_secureforward_contents is undefined
- changed_when: no
-
-- copy:
- content: "{{ fluentd_config_contents }}"
- dest: "{{ tempdir }}/fluent.conf"
- when: fluentd_config_contents is defined
- changed_when: no
-- copy:
- content: "{{ fluentd_throttle_contents }}"
- dest: "{{ tempdir }}/fluentd-throttle-config.yaml"
- when: fluentd_throttle_contents is defined
- changed_when: no
-
-- copy:
- content: "{{ fluentd_secureforward_contents }}"
- dest: "{{ tempdir }}/secure-forward.conf"
- when: fluentd_secureforward_contents is defined
- changed_when: no
+- import_role:
+ name: openshift_logging
+ tasks_from: patch_configmap_files.yaml
+ vars:
+ configmap_name: "logging-fluentd"
+ configmap_namespace: "logging"
+ configmap_file_names:
+ - current_file: "fluent.conf"
+ new_file: "{{ tempdir }}/fluent.conf"
+ - current_file: "throttle-config.yaml"
+ new_file: "{{ tempdir }}/fluentd-throttle-config.yaml"
+ - current_file: "secure-forward.conf"
+ new_file: "{{ tempdir }}/secure-forward.conf"
- name: Set Fluentd configmap
oc_configmap:
diff --git a/roles/openshift_logging_fluentd/vars/main.yml b/roles/openshift_logging_fluentd/vars/main.yml
index 92a426952..762e3d4d0 100644
--- a/roles/openshift_logging_fluentd/vars/main.yml
+++ b/roles/openshift_logging_fluentd/vars/main.yml
@@ -1,5 +1,5 @@
---
-__latest_fluentd_version: "3_6"
-__allowed_fluentd_versions: ["3_5", "3_6", "3_7"]
+__latest_fluentd_version: "3_8"
+__allowed_fluentd_versions: ["3_5", "3_6", "3_7", "3_8"]
__allowed_fluentd_types: ["hosted", "secure-aggregator", "secure-host"]
__allowed_mux_client_modes: ["minimal", "maximal"]
diff --git a/roles/openshift_logging_kibana/vars/main.yml b/roles/openshift_logging_kibana/vars/main.yml
index 241877a02..a2c54d8e4 100644
--- a/roles/openshift_logging_kibana/vars/main.yml
+++ b/roles/openshift_logging_kibana/vars/main.yml
@@ -1,3 +1,3 @@
---
-__latest_kibana_version: "3_6"
-__allowed_kibana_versions: ["3_5", "3_6", "3_7"]
+__latest_kibana_version: "3_8"
+__allowed_kibana_versions: ["3_5", "3_6", "3_7", "3_8"]
diff --git a/roles/openshift_logging_mux/tasks/main.yaml b/roles/openshift_logging_mux/tasks/main.yaml
index 59a6301d7..34bdb891c 100644
--- a/roles/openshift_logging_mux/tasks/main.yaml
+++ b/roles/openshift_logging_mux/tasks/main.yaml
@@ -88,26 +88,24 @@
- copy:
src: fluent.conf
dest: "{{mktemp.stdout}}/fluent-mux.conf"
- when: fluentd_mux_config_contents is undefined
changed_when: no
- copy:
src: secure-forward.conf
dest: "{{mktemp.stdout}}/secure-forward-mux.conf"
- when: fluentd_mux_securefoward_contents is undefined
changed_when: no
-- copy:
- content: "{{fluentd_mux_config_contents}}"
- dest: "{{mktemp.stdout}}/fluent-mux.conf"
- when: fluentd_mux_config_contents is defined
- changed_when: no
-
-- copy:
- content: "{{fluentd_mux_secureforward_contents}}"
- dest: "{{mktemp.stdout}}/secure-forward-mux.conf"
- when: fluentd_mux_secureforward_contents is defined
- changed_when: no
+- import_role:
+ name: openshift_logging
+ tasks_from: patch_configmap_files.yaml
+ vars:
+ configmap_name: "logging-mux"
+ configmap_namespace: "{{ openshift_logging_mux_namespace }}"
+ configmap_file_names:
+ - current_file: "fluent.conf"
+ new_file: "{{ tempdir }}/fluent-mux.conf"
+ - current_file: "secure-forward.conf"
+ new_file: "{{ tempdir }}/secure-forward-mux.conf"
- name: Set Mux configmap
oc_configmap:
diff --git a/roles/openshift_logging_mux/vars/main.yml b/roles/openshift_logging_mux/vars/main.yml
index e7b57f4b5..1da053b4a 100644
--- a/roles/openshift_logging_mux/vars/main.yml
+++ b/roles/openshift_logging_mux/vars/main.yml
@@ -1,3 +1,3 @@
---
-__latest_mux_version: "3_6"
-__allowed_mux_versions: ["3_5", "3_6", "3_7"]
+__latest_mux_version: "3_8"
+__allowed_mux_versions: ["3_5", "3_6", "3_7", "3_8"]
diff --git a/roles/openshift_management/tasks/add_container_provider.yml b/roles/openshift_management/tasks/add_container_provider.yml
index ca381b105..357e6a710 100644
--- a/roles/openshift_management/tasks/add_container_provider.yml
+++ b/roles/openshift_management/tasks/add_container_provider.yml
@@ -1,6 +1,6 @@
---
- name: Ensure OpenShift facts module is available
- include_role:
+ import_role:
role: openshift_facts
- name: Ensure OpenShift facts are loaded
diff --git a/roles/openshift_management/tasks/main.yml b/roles/openshift_management/tasks/main.yml
index f212dba7c..c4b204b98 100644
--- a/roles/openshift_management/tasks/main.yml
+++ b/roles/openshift_management/tasks/main.yml
@@ -8,7 +8,7 @@
# This creates a service account allowing Container Provider
# integration (managing OCP/Origin via MIQ/Management)
- name: Enable Container Provider Integration
- include_role:
+ import_role:
role: openshift_manageiq
- name: "Ensure the Management '{{ openshift_management_project }}' namespace exists"
diff --git a/roles/openshift_management/tasks/storage/nfs.yml b/roles/openshift_management/tasks/storage/nfs.yml
index 94e11137c..9e3a4d43a 100644
--- a/roles/openshift_management/tasks/storage/nfs.yml
+++ b/roles/openshift_management/tasks/storage/nfs.yml
@@ -5,14 +5,14 @@
- name: Setting up NFS storage
block:
- name: Include the NFS Setup role tasks
- include_role:
+ import_role:
role: openshift_nfs
tasks_from: setup
vars:
l_nfs_base_dir: "{{ openshift_management_storage_nfs_base_dir }}"
- name: Create the App export
- include_role:
+ import_role:
role: openshift_nfs
tasks_from: create_export
vars:
@@ -22,7 +22,7 @@
l_nfs_options: "*(rw,no_root_squash,no_wdelay)"
- name: Create the DB export
- include_role:
+ import_role:
role: openshift_nfs
tasks_from: create_export
vars:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 5d292ffd0..7d96a467e 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -53,12 +53,12 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur
oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
oreg_auth_credentials_replace: False
l_bind_docker_reg_auth: False
-openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"
+openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False) | bool) or (openshift_use_crio_only | default(False)) }}"
containerized_svc_dir: "/usr/lib/systemd/system"
ha_svc_template_path: "native-cluster"
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
openshift_master_loopback_config: "{{ openshift_master_config_dir }}/openshift-master.kubeconfig"
loopback_context_string: "current-context: {{ openshift.master.loopback_context_name }}"
@@ -82,6 +82,15 @@ openshift_master_valid_grant_methods:
openshift_master_is_scaleup_host: False
+# openshift_master_oauth_template is deprecated. Should be added to deprecations
+# and removed.
+openshift_master_oauth_template: False
+openshift_master_oauth_templates_default:
+ login: "{{ openshift_master_oauth_template }}"
+openshift_master_oauth_templates: "{{ openshift_master_oauth_template | ternary(openshift_master_oauth_templates_default, False) }}"
+# Here we combine openshift_master_oath_template into 'login' key of openshift_master_oath_templates, if not present.
+l_openshift_master_oauth_templates: "{{ openshift_master_oauth_templates | default(openshift_master_oauth_templates_default) }}"
+
# These defaults assume forcing journald persistence, fsync to disk once
# a second, rate-limiting to 10,000 logs a second, no forwarding to
# syslog or wall, using 8GB of disk space maximum, using 10MB journal
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index c224ad714..14023ea73 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -152,8 +152,8 @@ oauthConfig:
{% if 'oauth_always_show_provider_selection' in openshift.master %}
alwaysShowProviderSelection: {{ openshift.master.oauth_always_show_provider_selection }}
{% endif %}
-{% if 'oauth_templates' in openshift.master %}
- templates:{{ openshift.master.oauth_templates | lib_utils_to_padded_yaml(level=2) }}
+{% if l_openshift_master_oauth_templates %}
+ templates:{{ l_openshift_master_oauth_templates | lib_utils_to_padded_yaml(level=2) }}
{% endif %}
assetPublicURL: {{ openshift.master.public_console_url }}/
grantConfig:
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index ad9a21c96..85d0ac25c 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -74,8 +74,6 @@
master_count: "{{ openshift_master_count | default(None) }}"
admission_plugin_config: "{{openshift_master_admission_plugin_config }}"
kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config
- oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2
- oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}"
oauth_always_show_provider_selection: "{{ openshift_master_oauth_always_show_provider_selection | default(None) }}"
image_policy_config: "{{ openshift_master_image_policy_config | default(None) }}"
dynamic_provisioning_enabled: "{{ openshift_master_dynamic_provisioning_enabled | default(None) }}"
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 106909941..0866fe0d2 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -67,8 +67,20 @@
with_items: "{{ hawkular_agent_object_defs.results }}"
when: openshift_metrics_install_hawkular_agent | bool
+# TODO: Remove when asset config is removed from master-config.yaml
- include_tasks: update_master_config.yaml
+# Update asset config in openshift-web-console namespace
+- name: Add metrics route information to web console asset config
+ include_role:
+ name: openshift_web_console
+ tasks_from: update_asset_config.yml
+ vars:
+ asset_config_edits:
+ - key: metricsPublicURL
+ value: "https://{{ openshift_metrics_hawkular_hostname}}/hawkular/metrics"
+ when: openshift_web_console_install | default(true) | bool
+
- command: >
{{openshift_client_binary}}
--config={{mktemp.stdout}}/admin.kubeconfig
diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
index 0ab0eec4b..610c7b4e5 100644
--- a/roles/openshift_metrics/tasks/uninstall_metrics.yaml
+++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
@@ -18,3 +18,14 @@
clusterrolebinding/heapster-cluster-reader
clusterrolebinding/hawkular-metrics
changed_when: delete_metrics.stdout != 'No resources found'
+
+# Update asset config in openshift-web-console namespace
+- name: Remove metrics route information from web console asset config
+ include_role:
+ name: openshift_web_console
+ tasks_from: update_asset_config.yml
+ vars:
+ asset_config_edits:
+ - key: metricsPublicURL
+ value: ""
+ when: openshift_web_console_install | default(true) | bool
diff --git a/roles/openshift_metrics/tasks/update_master_config.yaml b/roles/openshift_metrics/tasks/update_master_config.yaml
index 5059d8d94..6567fcb4f 100644
--- a/roles/openshift_metrics/tasks/update_master_config.yaml
+++ b/roles/openshift_metrics/tasks/update_master_config.yaml
@@ -1,4 +1,5 @@
---
+# TODO: Remove when asset config is removed from master-config.yaml
- name: Adding metrics route information to metricsPublicURL
modify_yaml:
dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
diff --git a/roles/openshift_nfs/tasks/create_export.yml b/roles/openshift_nfs/tasks/create_export.yml
index 5fcdbf76e..331685289 100644
--- a/roles/openshift_nfs/tasks/create_export.yml
+++ b/roles/openshift_nfs/tasks/create_export.yml
@@ -3,7 +3,7 @@
#
# Include signature
#
-# include_role:
+# import_role:
# role: openshift_nfs
# tasks_from: create_export
# vars:
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index a90aad532..27fe2f5c0 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -34,19 +34,19 @@ openshift_node_kubelet_args_dict:
cloud-provider:
- aws
cloud-config:
- - "{{ openshift_config_base ~ '/aws.conf' }}"
+ - "{{ openshift_config_base ~ '/cloudprovider/aws.conf' }}"
node-labels: "{{ l_node_kubelet_node_labels }}"
openstack:
cloud-provider:
- openstack
cloud-config:
- - "{{ openshift_config_base ~ '/openstack.conf' }}"
+ - "{{ openshift_config_base ~ '/cloudprovider/openstack.conf' }}"
node-labels: "{{ l_node_kubelet_node_labels }}"
gce:
cloud-provider:
- gce
cloud-config:
- - "{{ openshift_config_base ~ '/gce.conf' }}"
+ - "{{ openshift_config_base ~ '/cloudprovider/gce.conf' }}"
node-labels: "{{ l_node_kubelet_node_labels }}"
undefined:
node-labels: "{{ l_node_kubelet_node_labels }}"
@@ -169,9 +169,9 @@ oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker"
oreg_auth_credentials_replace: False
l_bind_docker_reg_auth: False
openshift_use_crio: False
-openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"
+openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False) | bool) or (openshift_use_crio_only | default(False)) }}"
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
# NOTE
# r_openshift_node_*_default may be defined external to this role.
diff --git a/roles/openshift_node/templates/openshift.docker.node.dep.service b/roles/openshift_node/templates/openshift.docker.node.dep.service
index 8b43beb07..873744f34 100644
--- a/roles/openshift_node/templates/openshift.docker.node.dep.service
+++ b/roles/openshift_node/templates/openshift.docker.node.dep.service
@@ -6,6 +6,12 @@ Before={{ openshift_service_type }}-node.service
{% if openshift_use_crio %}Wants=cri-o.service{% endif %}
[Service]
-ExecStart=/bin/bash -c "if [[ -f /usr/bin/docker-current ]]; then echo \"DOCKER_ADDTL_BIND_MOUNTS=--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro --volume=/etc/containers/registries:/etc/containers/registries:ro\" > /etc/sysconfig/{{ openshift_service_type }}-node-dep; else echo \"#DOCKER_ADDTL_BIND_MOUNTS=\" > /etc/sysconfig/{{ openshift_service_type }}-node-dep; fi"
+ExecStart=/bin/bash -c 'if [[ -f /usr/bin/docker-current ]]; \
+ then echo DOCKER_ADDTL_BIND_MOUNTS=\"--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro \
+ --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro \
+ --volume=/etc/containers/registries:/etc/containers/registries:ro \
+ {% if l_bind_docker_reg_auth %} --volume={{ oreg_auth_credentials_path }}:/root/.docker:ro{% endif %}\" > \
+ /etc/sysconfig/{{ openshift_service_type }}-node-dep; \
+ else echo "#DOCKER_ADDTL_BIND_MOUNTS=" > /etc/sysconfig/{{ openshift_service_type }}-node-dep; fi'
ExecStop=
SyslogIdentifier={{ openshift_service_type }}-node-dep
diff --git a/roles/openshift_node_certificates/defaults/main.yml b/roles/openshift_node_certificates/defaults/main.yml
index b42b75be9..da1570528 100644
--- a/roles/openshift_node_certificates/defaults/main.yml
+++ b/roles/openshift_node_certificates/defaults/main.yml
@@ -2,4 +2,4 @@
openshift_node_cert_expire_days: 730
openshift_ca_host: ''
-openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}"
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index e95e38fdf..5f73f3bdc 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -94,13 +94,6 @@
delegate_to: "{{ openshift_ca_host }}"
run_once: true
-- name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- register: node_cert_mktemp
- changed_when: False
- when: node_certs_missing | bool
- become: no
-
- name: Create a tarball of the node config directories
command: >
tar -czvf {{ openshift_node_generated_config_dir }}.tgz
@@ -117,8 +110,7 @@
- name: Retrieve the node config tarballs from the master
fetch:
src: "{{ openshift_node_generated_config_dir }}.tgz"
- dest: "{{ node_cert_mktemp.stdout }}/"
- flat: yes
+ dest: "/tmp"
fail_on_missing: yes
validate_checksum: yes
when: node_certs_missing | bool
@@ -132,15 +124,14 @@
- name: Unarchive the tarball on the node
unarchive:
- src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
+ src: "/tmp/{{ inventory_hostname }}/{{ openshift_node_generated_config_dir }}.tgz"
dest: "{{ openshift_node_cert_dir }}"
when: node_certs_missing | bool
- name: Delete local temp directory
- local_action: file path="{{ node_cert_mktemp.stdout }}" state=absent
+ local_action: file path="/tmp/{{ inventory_hostname }}" state=absent
changed_when: False
when: node_certs_missing | bool
- become: no
- name: Copy OpenShift CA to system CA trust
copy:
diff --git a/roles/openshift_openstack/defaults/main.yml b/roles/openshift_openstack/defaults/main.yml
index 65a647b8f..77be1f2b1 100644
--- a/roles/openshift_openstack/defaults/main.yml
+++ b/roles/openshift_openstack/defaults/main.yml
@@ -8,6 +8,7 @@ openshift_openstack_num_etcd: 0
openshift_openstack_num_masters: 1
openshift_openstack_num_nodes: 1
openshift_openstack_num_infra: 1
+openshift_openstack_num_cns: 0
openshift_openstack_dns_nameservers: []
openshift_openstack_nodes_to_remove: []
@@ -57,6 +58,7 @@ openshift_openstack_stack_name: "{{ openshift_openstack_clusterid }}.{{ openshif
openshift_openstack_subnet_prefix: "192.168.99"
openshift_openstack_master_hostname: master
openshift_openstack_infra_hostname: infra-node
+openshift_openstack_cns_hostname: cns
openshift_openstack_node_hostname: app-node
openshift_openstack_lb_hostname: lb
openshift_openstack_etcd_hostname: etcd
@@ -66,8 +68,10 @@ openshift_openstack_etcd_flavor: "{{ openshift_openstack_default_flavor }}"
openshift_openstack_master_flavor: "{{ openshift_openstack_default_flavor }}"
openshift_openstack_node_flavor: "{{ openshift_openstack_default_flavor }}"
openshift_openstack_infra_flavor: "{{ openshift_openstack_default_flavor }}"
+openshift_openstack_cns_flavor: "{{ openshift_openstack_default_flavor }}"
openshift_openstack_master_image: "{{ openshift_openstack_default_image_name }}"
openshift_openstack_infra_image: "{{ openshift_openstack_default_image_name }}"
+openshift_openstack_cns_image: "{{ openshift_openstack_default_image_name }}"
openshift_openstack_node_image: "{{ openshift_openstack_default_image_name }}"
openshift_openstack_lb_image: "{{ openshift_openstack_default_image_name }}"
openshift_openstack_etcd_image: "{{ openshift_openstack_default_image_name }}"
@@ -84,6 +88,7 @@ openshift_openstack_infra_server_group_policies: []
openshift_openstack_docker_volume_size: 15
openshift_openstack_master_volume_size: "{{ openshift_openstack_docker_volume_size }}"
openshift_openstack_infra_volume_size: "{{ openshift_openstack_docker_volume_size }}"
+openshift_openstack_cns_volume_size: "{{ openshift_openstack_docker_volume_size }}"
openshift_openstack_node_volume_size: "{{ openshift_openstack_docker_volume_size }}"
openshift_openstack_etcd_volume_size: 2
openshift_openstack_lb_volume_size: 5
diff --git a/roles/openshift_openstack/tasks/check-prerequisites.yml b/roles/openshift_openstack/tasks/check-prerequisites.yml
index 30996cc47..1e487d434 100644
--- a/roles/openshift_openstack/tasks/check-prerequisites.yml
+++ b/roles/openshift_openstack/tasks/check-prerequisites.yml
@@ -91,6 +91,7 @@
with_items:
- "{{ openshift_openstack_master_image }}"
- "{{ openshift_openstack_infra_image }}"
+ - "{{ openshift_openstack_cns_image }}"
- "{{ openshift_openstack_node_image }}"
- "{{ openshift_openstack_lb_image }}"
- "{{ openshift_openstack_etcd_image }}"
@@ -100,6 +101,7 @@
with_items:
- "{{ openshift_openstack_master_flavor }}"
- "{{ openshift_openstack_infra_flavor }}"
+ - "{{ openshift_openstack_cns_flavor }}"
- "{{ openshift_openstack_node_flavor }}"
- "{{ openshift_openstack_lb_flavor }}"
- "{{ openshift_openstack_etcd_flavor }}"
diff --git a/roles/openshift_openstack/templates/heat_stack.yaml.j2 b/roles/openshift_openstack/templates/heat_stack.yaml.j2
index 8d13eb81e..1be5d3a62 100644
--- a/roles/openshift_openstack/templates/heat_stack.yaml.j2
+++ b/roles/openshift_openstack/templates/heat_stack.yaml.j2
@@ -419,6 +419,46 @@ resources:
port_range_min: 443
port_range_max: 443
+ cns-secgrp:
+ type: OS::Neutron::SecurityGroup
+ properties:
+ name:
+ str_replace:
+ template: openshift-ansible-cluster_id-cns-secgrp
+ params:
+ cluster_id: {{ openshift_openstack_stack_name }}
+ description:
+ str_replace:
+ template: Security group for cluster_id OpenShift cns cluster nodes
+ params:
+ cluster_id: {{ openshift_openstack_stack_name }}
+ rules:
+ # glusterfs_sshd
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 2222
+ port_range_max: 2222
+ # heketi dialing backends
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 10250
+ port_range_max: 10250
+ # glusterfs_management
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 24007
+ port_range_max: 24007
+ # glusterfs_rdma
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 24008
+ port_range_max: 24008
+ # glusterfs_bricks
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 49152
+ port_range_max: 49251
+
{% if openshift_openstack_num_masters|int > 1 %}
lb-secgrp:
type: OS::Neutron::SecurityGroup
@@ -764,3 +804,58 @@ resources:
depends_on:
- interface
{% endif %}
+
+ cns:
+ type: OS::Heat::ResourceGroup
+ properties:
+ count: {{ openshift_openstack_num_cns }}
+ resource_def:
+ type: server.yaml
+ properties:
+ name:
+ str_replace:
+ template: sub_type_k8s_type-%index%.cluster_id
+ params:
+ cluster_id: {{ openshift_openstack_stack_name }}
+ sub_type_k8s_type: {{ openshift_openstack_cns_hostname }}
+ cluster_env: {{ openshift_openstack_public_dns_domain }}
+ cluster_id: {{ openshift_openstack_stack_name }}
+ group:
+ str_replace:
+ template: k8s_type.cluster_id
+ params:
+ k8s_type: cns
+ cluster_id: {{ openshift_openstack_stack_name }}
+ type: cns
+ image: {{ openshift_openstack_cns_image }}
+ flavor: {{ openshift_openstack_cns_flavor }}
+ key_name: {{ openshift_openstack_keypair_name }}
+{% if openshift_openstack_provider_network_name %}
+ net: {{ openshift_openstack_provider_network_name }}
+ net_name: {{ openshift_openstack_provider_network_name }}
+{% else %}
+ net: { get_resource: net }
+ subnet: { get_resource: subnet }
+ net_name:
+ str_replace:
+ template: openshift-ansible-cluster_id-net
+ params:
+ cluster_id: {{ openshift_openstack_stack_name }}
+{% if openshift_use_flannel|default(False)|bool %}
+ attach_data_net: true
+ data_net: { get_resource: data_net }
+ data_subnet: { get_resource: data_subnet }
+{% endif %}
+{% endif %}
+ secgrp:
+{% if openshift_openstack_flat_secgrp|default(False)|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
+ - { get_resource: node-secgrp }
+{% endif %}
+ - { get_resource: cns-secgrp }
+ - { get_resource: common-secgrp }
+{% if not openshift_openstack_provider_network_name %}
+ floating_network: {{ openshift_openstack_external_network_name }}
+{% endif %}
+ volume_size: {{ openshift_openstack_cns_volume_size }}
diff --git a/roles/openshift_sanitize_inventory/meta/main.yml b/roles/openshift_sanitize_inventory/meta/main.yml
index 324ba06d8..cde3eccb6 100644
--- a/roles/openshift_sanitize_inventory/meta/main.yml
+++ b/roles/openshift_sanitize_inventory/meta/main.yml
@@ -14,3 +14,4 @@ galaxy_info:
- system
dependencies:
- role: lib_utils
+- role: lib_openshift
diff --git a/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-endpoints.yml.j2 b/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-endpoints.yml.j2
new file mode 100644
index 000000000..11c9195bb
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-endpoints.yml.j2
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: glusterfs-{{ glusterfs_name }}-endpoints
+subsets:
+- addresses:
+{% for node in glusterfs_nodes %}
+ - ip: {{ hostvars[node].glusterfs_ip | default(hostvars[node].openshift.common.ip) }}
+{% endfor %}
+ ports:
+ - port: 1
diff --git a/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-service.yml.j2 b/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-service.yml.j2
new file mode 100644
index 000000000..3f869d2b7
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-registry-service.yml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: glusterfs-{{ glusterfs_name }}-endpoints
+spec:
+ ports:
+ - port: 1
+status:
+ loadBalancer: {}
diff --git a/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-storageclass.yml.j2 b/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-storageclass.yml.j2
new file mode 100644
index 000000000..ca87807fe
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/templates/v3.9/glusterfs-storageclass.yml.j2
@@ -0,0 +1,17 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: glusterfs-{{ glusterfs_name }}
+{% if glusterfs_storageclass_default is defined and glusterfs_storageclass_default %}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{% endif %}
+provisioner: kubernetes.io/glusterfs
+parameters:
+ resturl: "http://{% if glusterfs_heketi_is_native %}{{ glusterfs_heketi_route }}{% else %}{{ glusterfs_heketi_url }}:{{ glusterfs_heketi_port }}{% endif %}"
+ restuser: "admin"
+{% if glusterfs_heketi_admin_key is defined %}
+ secretNamespace: "{{ glusterfs_namespace }}"
+ secretName: "heketi-{{ glusterfs_name }}-admin-secret"
+{%- endif -%}
diff --git a/roles/openshift_storage_glusterfs/templates/v3.9/heketi-endpoints.yml.j2 b/roles/openshift_storage_glusterfs/templates/v3.9/heketi-endpoints.yml.j2
new file mode 100644
index 000000000..99cbdf748
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/templates/v3.9/heketi-endpoints.yml.j2
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: heketi-db-{{ glusterfs_name }}-endpoints
+subsets:
+- addresses:
+{% for node in glusterfs_nodes %}
+ - ip: {{ hostvars[node].glusterfs_ip | default(hostvars[node].openshift.common.ip) }}
+{% endfor %}
+ ports:
+ - port: 1
diff --git a/roles/openshift_storage_glusterfs/templates/v3.9/heketi-service.yml.j2 b/roles/openshift_storage_glusterfs/templates/v3.9/heketi-service.yml.j2
new file mode 100644
index 000000000..dcb896441
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/templates/v3.9/heketi-service.yml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: heketi-db-{{ glusterfs_name }}-endpoints
+spec:
+ ports:
+ - port: 1
+status:
+ loadBalancer: {}
diff --git a/roles/openshift_storage_glusterfs/templates/v3.9/heketi.json.j2 b/roles/openshift_storage_glusterfs/templates/v3.9/heketi.json.j2
new file mode 100644
index 000000000..565e9be98
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/templates/v3.9/heketi.json.j2
@@ -0,0 +1,42 @@
+{
+ "_port_comment": "Heketi Server Port Number",
+ "port" : "8080",
+
+ "_use_auth": "Enable JWT authorization. Please enable for deployment",
+ "use_auth" : false,
+
+ "_jwt" : "Private keys for access",
+ "jwt" : {
+ "_admin" : "Admin has access to all APIs",
+ "admin" : {
+ "key" : "My Secret"
+ },
+ "_user" : "User only has access to /volumes endpoint",
+ "user" : {
+ "key" : "My Secret"
+ }
+ },
+
+ "_glusterfs_comment": "GlusterFS Configuration",
+ "glusterfs" : {
+
+ "_executor_comment": "Execute plugin. Possible choices: mock, kubernetes, ssh",
+ "executor" : "{{ glusterfs_heketi_executor }}",
+
+ "_db_comment": "Database file name",
+ "db" : "/var/lib/heketi/heketi.db",
+
+ "sshexec" : {
+ "keyfile" : "/etc/heketi/private_key",
+ "port" : "{{ glusterfs_heketi_ssh_port }}",
+ "user" : "{{ glusterfs_heketi_ssh_user }}",
+ "sudo" : {{ glusterfs_heketi_ssh_sudo | lower }}
+ },
+
+ "_auto_create_block_hosting_volume": "Creates Block Hosting volumes automatically if not found or exsisting volume exhausted",
+ "auto_create_block_hosting_volume": {{ glusterfs_block_host_vol_create | lower }},
+
+ "_block_hosting_volume_size": "New block hosting volume will be created in size mentioned, This is considered only if auto-create is enabled.",
+ "block_hosting_volume_size": {{ glusterfs_block_host_vol_size }}
+ }
+}
diff --git a/roles/openshift_storage_glusterfs/templates/v3.9/topology.json.j2 b/roles/openshift_storage_glusterfs/templates/v3.9/topology.json.j2
new file mode 100644
index 000000000..d6c28f6dd
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/templates/v3.9/topology.json.j2
@@ -0,0 +1,49 @@
+{
+ "clusters": [
+{%- set clusters = {} -%}
+{%- for node in glusterfs_nodes -%}
+ {%- set cluster = hostvars[node].glusterfs_cluster if 'glusterfs_cluster' in node else '1' -%}
+ {%- if cluster in clusters -%}
+ {%- set _dummy = clusters[cluster].append(node) -%}
+ {%- else -%}
+ {%- set _dummy = clusters.update({cluster: [ node, ]}) -%}
+ {%- endif -%}
+{%- endfor -%}
+{%- for cluster in clusters -%}
+ {
+ "nodes": [
+{%- for node in clusters[cluster] -%}
+ {
+ "node": {
+ "hostnames": {
+ "manage": [
+{%- if 'glusterfs_hostname' in hostvars[node] -%}
+ "{{ hostvars[node].glusterfs_hostname }}"
+{%- elif 'openshift' in hostvars[node] -%}
+ "{{ hostvars[node].openshift.node.nodename }}"
+{%- else -%}
+ "{{ node }}"
+{%- endif -%}
+ ],
+ "storage": [
+{%- if 'glusterfs_ip' in hostvars[node] -%}
+ "{{ hostvars[node].glusterfs_ip }}"
+{%- else -%}
+ "{{ hostvars[node].openshift.common.ip }}"
+{%- endif -%}
+ ]
+ },
+ "zone": {{ hostvars[node].glusterfs_zone | default(1) }}
+ },
+ "devices": [
+{%- for device in hostvars[node].glusterfs_devices -%}
+ "{{ device }}"{% if not loop.last %},{% endif %}
+{%- endfor -%}
+ ]
+ }{% if not loop.last %},{% endif %}
+{%- endfor -%}
+ ]
+ }{% if not loop.last %},{% endif %}
+{%- endfor -%}
+ ]
+}
diff --git a/roles/openshift_web_console/defaults/main.yml b/roles/openshift_web_console/defaults/main.yml
new file mode 100644
index 000000000..4f395398c
--- /dev/null
+++ b/roles/openshift_web_console/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# TODO: This is temporary and will be updated to use taints and tolerations so that the console runs on the masters
+openshift_web_console_nodeselector: {"region":"infra"}
diff --git a/roles/openshift_web_console/meta/main.yaml b/roles/openshift_web_console/meta/main.yaml
new file mode 100644
index 000000000..033c1e3a3
--- /dev/null
+++ b/roles/openshift_web_console/meta/main.yaml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ author: OpenShift Development <dev@lists.openshift.redhat.com>
+ description: Deploy OpenShift web console
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.4
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ - name: Fedora
+ versions:
+ - all
+ categories:
+ - openshift
+dependencies:
+- role: lib_openshift
+- role: openshift_facts
diff --git a/roles/openshift_web_console/tasks/install.yml b/roles/openshift_web_console/tasks/install.yml
new file mode 100644
index 000000000..8120c13e3
--- /dev/null
+++ b/roles/openshift_web_console/tasks/install.yml
@@ -0,0 +1,79 @@
+---
+# Fact setting
+- name: Set default image variables based on deployment type
+ include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+ - "default_images.yml"
+
+- name: Set openshift_web_console facts
+ set_fact:
+ openshift_web_console_prefix: "{{ openshift_web_console_prefix | default(__openshift_web_console_prefix) }}"
+ openshift_web_console_version: "{{ openshift_web_console_version | default(__openshift_web_console_version) }}"
+ openshift_web_console_image_name: "{{ openshift_web_console_image_name | default(__openshift_web_console_image_name) }}"
+ # Default the replica count to the number of masters.
+ openshift_web_console_replica_count: "{{ openshift_web_console_replica_count | default(groups.oo_masters_to_config | length) }}"
+
+- name: Ensure openshift-web-console project exists
+ oc_project:
+ name: openshift-web-console
+ state: present
+
+- name: Make temp directory for asset config files
+ command: mktemp -d /tmp/console-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+ become: no
+
+- name: Copy asset config template to temp directory
+ copy:
+ src: "{{ __console_files_location }}/{{ item }}"
+ dest: "{{ mktemp.stdout }}/{{ item }}"
+ with_items:
+ - "{{ __console_template_file }}"
+ - "{{ __console_config_file }}"
+
+- name: Update asset config properties
+ yedit:
+ src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
+ edits:
+ - key: logoutURL
+ value: "{{ openshift.master.logout_url | default('') }}"
+ - key: publicURL
+ # Must have a trailing slash
+ value: "{{ openshift.master.public_console_url }}/"
+ - key: masterPublicURL
+ value: "{{ openshift.master.public_api_url }}"
+
+- slurp:
+ src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
+ register: config
+
+- name: Apply template file
+ shell: >
+ {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_template_file }}"
+ --param API_SERVER_CONFIG="{{ config['content'] | b64decode }}"
+ --param IMAGE="{{ openshift_web_console_prefix }}{{ openshift_web_console_image_name }}:{{ openshift_web_console_version }}"
+ --param NODE_SELECTOR={{ openshift_web_console_nodeselector | to_json | quote }}
+ --param REPLICA_COUNT="{{ openshift_web_console_replica_count }}"
+ | {{ openshift_client_binary }} apply -f -
+
+- name: Verify that the web console is running
+ command: >
+ curl -k https://webconsole.openshift-web-console.svc/healthz
+ args:
+ # Disables the following warning:
+ # Consider using get_url or uri module rather than running curl
+ warn: no
+ register: console_health
+ until: console_health.stdout == 'ok'
+ retries: 120
+ delay: 1
+ changed_when: false
+
+- name: Remove temp directory
+ file:
+ state: absent
+ name: "{{ mktemp.stdout }}"
+ changed_when: False
+ become: no
diff --git a/roles/openshift_web_console/tasks/main.yml b/roles/openshift_web_console/tasks/main.yml
new file mode 100644
index 000000000..937bebf25
--- /dev/null
+++ b/roles/openshift_web_console/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# do any asserts here
+
+- include_tasks: install.yml
+ when: openshift_web_console_install | default(true) | bool
+
+- include_tasks: remove.yml
+ when: not openshift_web_console_install | default(true) | bool
diff --git a/roles/openshift_web_console/tasks/remove.yml b/roles/openshift_web_console/tasks/remove.yml
new file mode 100644
index 000000000..f0712a993
--- /dev/null
+++ b/roles/openshift_web_console/tasks/remove.yml
@@ -0,0 +1,5 @@
+---
+- name: Remove openshift-web-console project
+ oc_project:
+ name: openshift-web-console
+ state: absent
diff --git a/roles/openshift_web_console/tasks/update_asset_config.yml b/roles/openshift_web_console/tasks/update_asset_config.yml
new file mode 100644
index 000000000..36e37e35d
--- /dev/null
+++ b/roles/openshift_web_console/tasks/update_asset_config.yml
@@ -0,0 +1,70 @@
+---
+# This task updates asset config values in the webconsole-config config map in
+# the openshift-web-console namespace. The values to set are pased in the
+# variable `asset_config_edits`, which is an array of objects with `key` and
+# `value` properties in the same format as `yedit` module `edits`. Only
+# properties passed are updated.
+#
+# Note that this triggers a redeployment on the console and a brief downtime
+# since it uses a `Recreate` strategy.
+#
+# Example usage:
+#
+# - include_role:
+# name: openshift_web_console
+# tasks_from: update_asset_config.yml
+# vars:
+# asset_config_edits:
+# - key: loggingPublicURL
+# value: "https://{{ openshift_logging_kibana_hostname }}"
+# when: openshift_web_console_install | default(true) | bool
+
+- name: Read web console config map
+ oc_configmap:
+ namespace: openshift-web-console
+ name: webconsole-config
+ state: list
+ register: webconsole_config
+
+- name: Make temp directory
+ command: mktemp -d /tmp/console-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+ become: no
+
+- name: Copy asset config to temp file
+ copy:
+ content: "{{webconsole_config.results.results[0].data['webconsole-config.yaml']}}"
+ dest: "{{ mktemp.stdout }}/webconsole-config.yaml"
+
+- name: Change asset config properties
+ yedit:
+ src: "{{ mktemp.stdout }}/webconsole-config.yaml"
+ edits: "{{asset_config_edits}}"
+
+- name: Update web console config map
+ oc_configmap:
+ namespace: openshift-web-console
+ name: webconsole-config
+ state: present
+ from_file:
+ webconsole-config.yaml: "{{ mktemp.stdout }}/webconsole-config.yaml"
+
+- name: Remove temp directory
+ file:
+ state: absent
+ name: "{{ mktemp.stdout }}"
+ changed_when: False
+ become: no
+
+# There's currently no command to trigger a rollout for a k8s deployment
+# without changing the pod spec. Add an annotation to force a rollout after
+# the config map has been edited.
+- name: Rollout updated web console deployment
+ oc_edit:
+ kind: deployments
+ name: webconsole
+ namespace: openshift-web-console
+ separator: '#'
+ content:
+ spec#template#metadata#annotations#installer-triggered-rollout: "{{ ansible_date_time.iso8601_micro }}"
diff --git a/roles/openshift_web_console/vars/default_images.yml b/roles/openshift_web_console/vars/default_images.yml
new file mode 100644
index 000000000..7adb8a0d0
--- /dev/null
+++ b/roles/openshift_web_console/vars/default_images.yml
@@ -0,0 +1,4 @@
+---
+__openshift_web_console_prefix: "docker.io/openshift/"
+__openshift_web_console_version: "latest"
+__openshift_web_console_image_name: "origin-web-console"
diff --git a/roles/openshift_web_console/vars/main.yml b/roles/openshift_web_console/vars/main.yml
new file mode 100644
index 000000000..80bc56a17
--- /dev/null
+++ b/roles/openshift_web_console/vars/main.yml
@@ -0,0 +1,5 @@
+---
+__console_files_location: "../../../files/origin-components/"
+
+__console_template_file: "console-template.yaml"
+__console_config_file: "console-config.yaml"
diff --git a/roles/openshift_web_console/vars/openshift-enterprise.yml b/roles/openshift_web_console/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..721ac1d27
--- /dev/null
+++ b/roles/openshift_web_console/vars/openshift-enterprise.yml
@@ -0,0 +1,4 @@
+---
+__openshift_web_console_prefix: "registry.access.redhat.com/openshift3/"
+__openshift_web_console_version: "v3.9"
+__openshift_web_console_image_name: "ose-web-console"
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index be0b8291a..5ee11f7bd 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -32,7 +32,7 @@ Use iptables:
---
- hosts: servers
task:
- - include_role:
+ - import_role:
name: os_firewall
vars:
os_firewall_use_firewalld: false
@@ -44,7 +44,7 @@ Use firewalld:
- hosts: servers
vars:
tasks:
- - include_role:
+ - import_role:
name: os_firewall
vars:
os_firewall_use_firewalld: true
diff --git a/test/ci/README.md b/test/ci/README.md
new file mode 100644
index 000000000..fe80d7c04
--- /dev/null
+++ b/test/ci/README.md
@@ -0,0 +1,14 @@
+This directory contains scripts and other files that are executed by our
+CI integration tests.
+
+CI should call a script. The only arguments that each script should accept
+are:
+
+1) Path to openshift-ansible/playbooks
+2) Inventory path.
+3) Extra vars path.
+
+Ideally, inventory path and extra vars should live somewhere in this
+subdirectory instead of the CI's source.
+
+Extravars should typically be unnecessary.
diff --git a/test/ci/extra_vars/default.yml b/test/ci/extra_vars/default.yml
new file mode 100644
index 000000000..5b9a04cdd
--- /dev/null
+++ b/test/ci/extra_vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Using extra_vars is typically not ideal. Please don't use extra_vars
+# unless there is no other way to accomplish a task.
+openshift_this_var_is_not_used: True
diff --git a/test/ci/install.sh b/test/ci/install.sh
new file mode 100755
index 000000000..7172a6765
--- /dev/null
+++ b/test/ci/install.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -x
+
+# Argument 1: path to openshift-ansible/playbooks
+# Argument 2: inventory path
+# Argument 3: Extra vars path
+
+echo "Running prerequisites"
+
+ansible-playbook -vv \
+ --inventory $2 \
+ --e @$3 \
+ $1/prerequisites.yml
+
+echo "Running network_manager setup"
+
+playbook_base='/usr/share/ansible/openshift-ansible/playbooks/'
+if [[ -s "$1/openshift-node/network_manager.yml" ]]; then
+ playbook="$1/openshift-node/network_manager.yml"
+else
+ playbook="$1/byo/openshift-node/network_manager.yml"
+fi
+ansible-playbook -vv \
+ --inventory $1 \
+ --e @$2 \
+ ${playbook}
+
+echo "Running openshift-ansible deploy_cluster"
+
+ansible-playbook -vv \
+ --inventory $2 \
+ --e @$3 \
+ $1/deploy_cluster.yml
diff --git a/test/ci/inventory/group_vars/OSEv3/checks.yml b/test/ci/inventory/group_vars/OSEv3/checks.yml
new file mode 100644
index 000000000..26f825b07
--- /dev/null
+++ b/test/ci/inventory/group_vars/OSEv3/checks.yml
@@ -0,0 +1,4 @@
+---
+openshift_check_min_host_disk_gb: 10
+openshift_check_min_host_memory_gb: 8
+openshift_disable_check: package_update,package_availability
diff --git a/test/ci/inventory/group_vars/OSEv3/general.yml b/test/ci/inventory/group_vars/OSEv3/general.yml
new file mode 100644
index 000000000..d2fd3f74c
--- /dev/null
+++ b/test/ci/inventory/group_vars/OSEv3/general.yml
@@ -0,0 +1,23 @@
+---
+debug_level: 5
+osm_default_node_selector: "region=infra"
+osm_controller_args:
+ enable-hostpath-provisioner:
+ - "true"
+openshift_hosted_router_selector: "region=infra"
+openshift_hosted_router_create_certificate: true
+openshift_hosted_registry_selector: "region=infra"
+openshift_master_audit_config:
+ enabled: true
+openshift_master_identity_providers:
+ - name: "allow_all"
+ login: "true"
+ challenge: "true"
+ kind: "AllowAllPasswordIdentityProvider"
+openshift_template_service_broker_namespaces:
+ - "openshift"
+ansible_ssh_user: "ec2-user"
+enable_excluders: "false"
+osm_cluster_network_cidr: "10.128.0.0/14"
+openshift_portal_net: "172.30.0.0/16"
+osm_host_subnet_length: 9
diff --git a/test/ci/inventory/group_vars/OSEv3/logging.yml b/test/ci/inventory/group_vars/OSEv3/logging.yml
new file mode 100644
index 000000000..a55f110ad
--- /dev/null
+++ b/test/ci/inventory/group_vars/OSEv3/logging.yml
@@ -0,0 +1,37 @@
+---
+openshift_logging_use_mux: false
+openshift_logging_use_ops: true
+openshift_logging_es_log_appenders:
+ - "console"
+openshift_logging_fluentd_journal_read_from_head: false
+openshift_logging_fluentd_audit_container_engine: true
+
+openshift_logging_curator_cpu_request: "100m"
+openshift_logging_curator_memory_limit: "32Mi"
+openshift_logging_curator_ops_cpu_request: "100m"
+openshift_logging_curator_ops_memory_limit: "32Mi"
+openshift_logging_elasticsearch_proxy_cpu_request: "100m"
+openshift_logging_elasticsearch_proxy_memory_limit: "32Mi"
+openshift_logging_es_cpu_request: "400m"
+openshift_logging_es_memory_limit: "4Gi"
+openshift_logging_es_ops_cpu_request: "400m"
+openshift_logging_es_ops_memory_limit: "4Gi"
+openshift_logging_eventrouter_cpu_request: "100m"
+openshift_logging_eventrouter_memory_limit: "64Mi"
+openshift_logging_fluentd_cpu_request: "100m"
+openshift_logging_fluentd_memory_limit: "256Mi"
+openshift_logging_kibana_cpu_request: "100m"
+openshift_logging_kibana_memory_limit: "128Mi"
+openshift_logging_kibana_ops_cpu_request: "100m"
+openshift_logging_kibana_ops_memory_limit: "128Mi"
+openshift_logging_kibana_ops_proxy_cpu_request: "100m"
+openshift_logging_kibana_ops_proxy_memory_limit: "64Mi"
+openshift_logging_kibana_proxy_cpu_request: "100m"
+openshift_logging_kibana_proxy_memory_limit: "64Mi"
+openshift_logging_mux_cpu_request: "400m"
+openshift_logging_mux_memory_limit: "256Mi"
+
+# TODO: remove this once we have oauth-proxy images built that are in step
+# with the logging images (version and prefix)
+openshift_logging_elasticsearch_proxy_image_prefix: "docker.io/openshift/"
+openshift_logging_elasticsearch_proxy_image_version: "v1.0.0"
diff --git a/test/ci/inventory/group_vars/all.yml b/test/ci/inventory/group_vars/all.yml
new file mode 100644
index 000000000..7848584d8
--- /dev/null
+++ b/test/ci/inventory/group_vars/all.yml
@@ -0,0 +1,13 @@
+---
+openshift_deployment_type: origin
+etcd_data_dir: "${ETCD_DATA_DIR}"
+openshift_node_port_range: '30000-32000'
+osm_controller_args:
+ enable-hostpath-provisioner:
+ - "true"
+
+# These env vars are created by the CI. This allows us
+# to test specific versions of openshift.
+openshift_pkg_version: "{{ lookup('env', 'ORIGIN_PKG_VERSION') }}"
+openshift_release: "{{ lookup('env', 'ORIGIN_RELEASE') }}"
+oreg_url: "openshift/origin-${component}:{{ lookup('env', 'ORIGIN_COMMIT') }}"
diff --git a/test/ci/inventory/host_vars/localhost.yml b/test/ci/inventory/host_vars/localhost.yml
new file mode 100644
index 000000000..2f308ab60
--- /dev/null
+++ b/test/ci/inventory/host_vars/localhost.yml
@@ -0,0 +1,8 @@
+---
+openshift_node_labels:
+ region: infra
+ zone: default
+openshift_schedulable: True
+ansible_become: True
+ansible_become_user: root
+ansible_connection: local
diff --git a/test/ci/inventory/local.txt b/test/ci/inventory/local.txt
new file mode 100644
index 000000000..90d5924a8
--- /dev/null
+++ b/test/ci/inventory/local.txt
@@ -0,0 +1,23 @@
+[OSEv3]
+
+[OSEv3:children]
+masters
+nodes
+etcd
+lb
+nfs
+
+[lb]
+# Empty, but present to pass integration tests.
+
+[nfs]
+# Empty, but present to pass integration tests.
+
+[masters]
+localhost
+
+[nodes]
+localhost
+
+[etcd]
+localhost