Diffstat (limited to 'roles/openshift_master')
21 files changed, 443 insertions, 155 deletions
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index f861a8e4d..3fb94fff8 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -12,7 +12,7 @@ r_openshift_master_clean_install: false r_openshift_master_etcd3_storage: false r_openshift_master_os_firewall_enable: true r_openshift_master_os_firewall_deny: [] -r_openshift_master_os_firewall_allow: +default_r_openshift_master_os_firewall_allow: - service: api server https port: "{{ openshift.master.api_port }}/tcp" - service: api controllers https @@ -24,12 +24,14 @@ r_openshift_master_os_firewall_allow: - service: etcd embedded port: 4001/tcp cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" +r_openshift_master_os_firewall_allow: "{{ default_r_openshift_master_os_firewall_allow | union(openshift_master_open_ports | default([])) }}" # oreg_url is defined by user input oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}" oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker" oreg_auth_credentials_replace: False l_bind_docker_reg_auth: False +openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}" containerized_svc_dir: "/usr/lib/systemd/system" ha_svc_template_path: "native-cluster" 
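Review bot: `r_openshift_master_os_firewall_allow` now unions `openshift_master_open_ports` into the allow list, but nothing says what shape an entry must have, and lib_os_firewall presumably expects the same `service`/`port` keys as the default entries above it. Add a comment above the new line, e.g. `# openshift_master_open_ports: optional list of {service: <label>, port: "<n>/tcp|udp", cond: <expr>} entries merged into the allow list`, so a bare port number is not handed in by mistake. `union` dedupes on whole-dict equality, so an entry with the same port but a different `service` label is kept twice — presumably harmless for a firewall rule, but worth stating.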
@@ -46,6 +48,9 @@ r_openshift_master_use_nuage: "{{ r_openshift_master_use_nuage_default }}" r_openshift_master_use_contiv_default: "{{ openshift_use_contiv | default(False) }}" r_openshift_master_use_contiv: "{{ r_openshift_master_use_contiv_default }}" +r_openshift_master_use_kuryr_default: "{{ openshift_use_kuryr | default(False) }}" +r_openshift_master_use_kuryr: "{{ r_openshift_master_use_kuryr_default }}" + r_openshift_master_data_dir_default: "{{ openshift_data_dir | default('/var/lib/origin') }}" r_openshift_master_data_dir: "{{ r_openshift_master_data_dir_default }}" @@ -54,3 +59,14 @@ r_openshift_master_sdn_network_plugin_name: "{{ r_openshift_master_sdn_network_p openshift_master_image_config_latest_default: "{{ openshift_image_config_latest | default(False) }}" openshift_master_image_config_latest: "{{ openshift_master_image_config_latest_default }}" + +openshift_master_config_dir_default: "{{ openshift.common.config_base ~ '/master' if openshift is defined and 'common' in openshift else '/etc/origin/master' }}" +openshift_master_config_dir: "{{ openshift_master_config_dir_default }}" + +openshift_master_bootstrap_enabled: False + +openshift_master_csr_sa: node-bootstrapper +openshift_master_csr_namespace: openshift-infra + +openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml" +openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json" diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index d5094c2c9..359536202 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml 
@@ -9,10 +9,13 @@ notify: - Verify API Server +# We retry the controllers because the API may not be 100% initialized yet. - name: restart master controllers - systemd: - name: "{{ openshift.common.service_type }}-master-controllers" - state: restarted + command: "systemctl restart {{ openshift.common.service_type }}-master-controllers" + retries: 3 + delay: 5 + register: result + until: result.rc == 0 when: - not (master_controllers_service_status_changed | default(false) | bool) - openshift.master.cluster_method == 'native' @@ -22,11 +25,7 @@ # wait_for port doesn't provide health information. command: > curl --silent --tlsv1.2 - {% if openshift.common.version_gte_3_2_or_1_2 | bool %} --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt - {% else %} - --cacert {{ openshift.common.config_base }}/master/ca.crt - {% endif %} {{ openshift.master.api_url }}/healthz/ready args: # Disables the following warning: diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index a657668a9..a1cda2ad4 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -13,4 +13,5 @@ galaxy_info: - cloud dependencies: - role: lib_openshift +- role: lib_utils - role: lib_os_firewall diff --git a/roles/openshift_master/tasks/bootstrap.yml b/roles/openshift_master/tasks/bootstrap.yml index 0013f5289..ce55e7d0c 100644 --- a/roles/openshift_master/tasks/bootstrap.yml +++ b/roles/openshift_master/tasks/bootstrap.yml 
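Review bot: `until: result.rc == 0` in the rewritten `restart master controllers` handler only proves that `systemctl restart` returned successfully, not that the controllers reached the API the comment says may still be initialising; unless the unit is Type=notify (not visible here) the loop passes on the first attempt regardless. Either add a readiness check after the restart or reword the comment to say the retries cover a transiently failing restart request. `Verify API Server` now unconditionally trusts `{{ openshift.common.config_base }}/master/ca-bundle.crt`, so on upgraded hosts it depends on the ca.crt→ca-bundle.crt migration in tasks/upgrade.yml having run first; keeping `--cacert` (rather than dropping verification) is the right call.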
@@ -1,26 +1,13 @@ --- - -- name: ensure the node-bootstrap service account exists - oc_serviceaccount: - name: node-bootstrapper - namespace: openshift-infra - state: present - run_once: true - -- name: grant node-bootstrapper the correct permissions to bootstrap - oc_adm_policy_user: - namespace: openshift-infra - user: system:serviceaccount:openshift-infra:node-bootstrapper - resource_kind: cluster-role - resource_name: system:node-bootstrapper - state: present - run_once: true - # TODO: create a module for this command. # oc_serviceaccounts_kubeconfig - name: create service account kubeconfig with csr rights - command: "oc serviceaccounts create-kubeconfig node-bootstrapper -n openshift-infra" + command: > + oc serviceaccounts create-kubeconfig {{ openshift_master_csr_sa }} -n {{ openshift_master_csr_namespace }} register: kubeconfig_out + until: kubeconfig_out.rc == 0 + retries: 24 + delay: 5 - name: put service account kubeconfig into a file on disk for bootstrap copy: diff --git a/roles/openshift_master/tasks/bootstrap_settings.yml b/roles/openshift_master/tasks/bootstrap_settings.yml new file mode 100644 index 000000000..cbd7f587b --- /dev/null +++ b/roles/openshift_master/tasks/bootstrap_settings.yml @@ -0,0 +1,14 @@ +--- +- name: modify controller args + yedit: + src: /etc/origin/master/master-config.yaml + edits: + - key: kubernetesMasterConfig.controllerArguments.cluster-signing-cert-file + value: + - /etc/origin/master/ca.crt + - key: kubernetesMasterConfig.controllerArguments.cluster-signing-key-file + value: + - /etc/origin/master/ca.key + notify: + - restart master controllers + when: openshift_master_bootstrap_enabled | default(False) diff --git a/roles/openshift_master/tasks/clean_systemd_units.yml b/roles/openshift_master/tasks/clean_systemd_units.yml deleted file mode 100644 index e641f84d4..000000000 --- a/roles/openshift_master/tasks/clean_systemd_units.yml +++ /dev/null 
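Review bot: `register: kubeconfig_out` captures the full kubeconfig that `oc serviceaccounts create-kubeconfig` prints, and that kubeconfig embeds the service account's bearer token; without `no_log: true` the token is written to verbose output, callback plugins and any configured log_path. Add `no_log: true` to this task and to the `copy` task that follows (its body is outside the hunk), which presumably writes `kubeconfig_out.stdout` to disk. The 24 × 5 s retry loop now waits for a service account this file no longer creates; where `openshift_master_csr_sa` and its cluster-role binding are created now is not visible in the diff, and a comment pointing at that location would help the next reader.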
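Review bot: bootstrap_settings.yml hard-codes `/etc/origin/master/master-config.yaml`, `/etc/origin/master/ca.crt` and `/etc/origin/master/ca.key`, while this same commit adds `openshift_master_config_dir` and `openshift_master_config_file` to defaults/main.yml; a host with a non-default `openshift.common.config_base` gets its signing args pointed at files that may not exist. Use `src: "{{ openshift_master_config_file }}"`, `- "{{ openshift_master_config_dir }}/ca.crt"` and `- "{{ openshift_master_config_dir }}/ca.key"`. The trailing `when: openshift_master_bootstrap_enabled | default(False)` duplicates the guard on the include in tasks/main.yml, so one of the two can go.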
@@ -1,9 +0,0 @@
----
-
-- name: Disable master service
- systemd:
- name: "{{ openshift.common.service_type }}-master"
- state: stopped
- enabled: no
- masked: yes
- ignore_errors: true
diff --git a/roles/openshift_master/tasks/journald.yml b/roles/openshift_master/tasks/journald.yml
new file mode 100644
index 000000000..a16cbe78e
--- /dev/null
+++ b/roles/openshift_master/tasks/journald.yml
@@ -0,0 +1,29 @@
+---
+- name: Checking for journald.conf
+ stat: path=/etc/systemd/journald.conf
+ register: journald_conf_file
+
+- name: Create journald persistence directories
+ file:
+ path: /var/log/journal
+ state: directory
+
+- name: Update journald setup
+ replace:
+ dest: /etc/systemd/journald.conf
+ regexp: '^(\#| )?{{ item.var }}=\s*.*?$'
+ replace: ' {{ item.var }}={{ item.val }}'
+ backup: yes
+ with_items: "{{ journald_vars_to_replace | default([]) }}"
+ when: journald_conf_file.stat.exists
+ register: journald_update
+
+# I need to restart journald immediatelly, otherwise it gets into way during
+# further steps in ansible
+- name: Restart journald
+ command: "systemctl restart systemd-journald"
+ retries: 3
+ delay: 5
+ register: result
+ until: result.rc == 0
+ when: journald_update | changed
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 824a5886e..b6d3539b1 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
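Review bot: `Create journald persistence directories` creates `/var/log/journal` with whatever mode the umask yields and no explicit group, whereas persistent journald storage is normally set up with `systemd-tmpfiles --create --prefix /var/log/journal` so the directory receives the systemd-journal group ACLs; without them, non-root members of that group presumably cannot read the persisted logs — worth confirming on a target host. Consider a follow-up `command: systemd-tmpfiles --create --prefix /var/log/journal` guarded by the `file` task's registered `changed` result, or at least explicit `owner`/`group`/`mode`. On style, `stat: path=/etc/systemd/journald.conf` is key=value shorthand where the rest of the file uses block YAML, and `backup: yes` should be `backup: true`.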
@@ -18,12 +18,6 @@ - openshift.master.ha | bool - (openshift.master.cluster_method is not defined) or (openshift.master.cluster_method is defined and openshift.master.cluster_method not in ["native", "pacemaker"]) - fail: - msg: "'native' high availability is not supported for the requested OpenShift version" - when: - - openshift.master.ha | bool - - openshift.master.cluster_method == "native" - - not openshift.common.version_gte_3_1_or_1_1 | bool -- fail: msg: "openshift_master_cluster_password must be set for multi-master installations" when: - openshift.master.ha | bool @@ -177,31 +171,12 @@ local_facts: no_proxy_etcd_host_ips: "{{ openshift_no_proxy_etcd_host_ips }}" +- name: Update journald config + include: journald.yml + - name: Install the systemd units include: systemd_units.yml -- name: Checking for journald.conf - stat: path=/etc/systemd/journald.conf - register: journald_conf_file - -- name: Update journald setup - replace: - dest: /etc/systemd/journald.conf - regexp: '^(\#| )?{{ item.var }}=\s*.*?$' - replace: ' {{ item.var }}={{ item.val }}' - backup: yes - with_items: "{{ journald_vars_to_replace | default([]) }}" - when: journald_conf_file.stat.exists - register: journald_update - -# I need to restart journald immediatelly, otherwise it gets into way during -# further steps in ansible -- name: Restart journald - systemd: - name: systemd-journald - state: restarted - when: journald_update | changed - - name: Install Master system container include: system_container.yml when: 
@@ -237,23 +212,10 @@ - restart master api - restart master controllers -- name: modify controller args - yedit: - src: /etc/origin/master/master-config.yaml - edits: - - key: kubernetesMasterConfig.controllerArguments.cluster-signing-cert-file - value: - - /etc/origin/master/ca.crt - - key: kubernetesMasterConfig.controllerArguments.cluster-signing-key-file - value: - - /etc/origin/master/ca.key - notify: - - restart master controllers +- include: bootstrap_settings.yml when: openshift_master_bootstrap_enabled | default(False) - include: set_loopback_context.yml - when: - - openshift.common.version_gte_3_2_or_1_2 - name: Start and enable master api on first master systemd: @@ -316,14 +278,13 @@ - openshift.master.cluster_method == 'native' - master_api_service_status_changed | bool -- name: Start and enable master controller on first master +- name: Start and enable master controller service systemd: name: "{{ openshift.common.service_type }}-master-controllers" enabled: yes state: started when: - openshift.master.cluster_method == 'native' - - inventory_hostname == openshift_master_hosts[0] register: l_start_result until: not l_start_result | failed retries: 1 
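Review bot: `- include: bootstrap_settings.yml` is the only task in this stretch without a `name:`, and its `when:` repeats the guard that bootstrap_settings.yml already carries on its single task. Give it a name, e.g. `- name: Configure controller signing args for bootstrap`, and keep the condition in one place. `Start and enable master controller service` now runs on every master at once instead of first-master-then-rest (the removed pause and second start task are in the next hunk); that is fine as long as controller leader election is configured, which the template now writes unconditionally, but a one-line comment saying the stagger was dropped deliberately would keep someone from reintroducing it.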
@@ -334,31 +295,8 @@ when: - l_start_result | failed -- name: Wait for master controller service to start on first master - pause: - seconds: 15 - when: - - openshift.master.cluster_method == 'native' - -- name: Start and enable master controller on all masters - systemd: - name: "{{ openshift.common.service_type }}-master-controllers" - enabled: yes - state: started - when: - - openshift.master.cluster_method == 'native' - - inventory_hostname != openshift_master_hosts[0] - register: l_start_result - until: not l_start_result | failed - retries: 1 - delay: 60 - -- name: Dump logs from master-controllers if it failed - command: journalctl --no-pager -n 100 -u {{ openshift.common.service_type }}-master-controllers - when: - - l_start_result | failed - -- set_fact: +- name: Set fact master_controllers_service_status_changed + set_fact: master_controllers_service_status_changed: "{{ l_start_result | changed }}" when: - openshift.master.cluster_method == 'native' diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml index 63d483760..c95f562d0 100644 --- a/roles/openshift_master/tasks/registry_auth.yml +++ b/roles/openshift_master/tasks/registry_auth.yml 
@@ -8,9 +8,32 @@ - name: Create credentials for registry auth command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" when: + - not (openshift_docker_alternative_creds | default(False)) - oreg_auth_user is defined - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool register: master_oreg_auth_credentials_create + retries: 3 + delay: 5 + until: master_oreg_auth_credentials_create.rc == 0 + notify: + - restart master api + - restart master controllers + +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts. This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for registry auth (alternative) + docker_creds: + path: "{{ oreg_auth_credentials_path }}" + registry: "{{ oreg_host }}" + username: "{{ oreg_auth_user }}" + password: "{{ oreg_auth_password }}" + when: + - openshift_docker_alternative_creds | default(False) | bool + - oreg_auth_user is defined + - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + register: master_oreg_auth_credentials_create notify: - restart master api - restart master controllers diff --git a/roles/openshift_master/tasks/restart.yml b/roles/openshift_master/tasks/restart.yml new file mode 100644 index 000000000..4f8b758fd --- /dev/null +++ b/roles/openshift_master/tasks/restart.yml 
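Review bot: neither registry-auth task sets `no_log: true`, and both carry `oreg_auth_password`: the `command` form places it in the argv that Ansible echoes in the registered result, and the new `docker_creds` task passes it as a module argument that appears in `-v` output and callback logs. Add `no_log: true` to both tasks. The alternative task also conditions on `docker_cli_auth_credentials_stat.stat.exists`, which is not registered anywhere in this file as shown; if it is only produced elsewhere, the `when` raises an undefined-variable error on masters, so a `stat` task registering it here would make the file self-contained. Both tasks register `master_oreg_auth_credentials_create`, so whichever runs second (skipped) overwrites the first's result; any downstream consumer of that variable needs to allow for that.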
@@ -0,0 +1,22 @@ +--- +- name: Restart master API + service: + name: "{{ openshift.common.service_type }}-master-api" + state: restarted + when: openshift_master_ha | bool +- name: Wait for master API to come back online + wait_for: + host: "{{ openshift.common.hostname }}" + state: started + delay: 10 + port: "{{ openshift.master.api_port }}" + timeout: 600 + when: openshift_master_ha | bool +- name: Restart master controllers + service: + name: "{{ openshift.common.service_type }}-master-controllers" + state: restarted + # Ignore errrors since it is possible that type != simple for + # pre-3.1.1 installations. + ignore_errors: true + when: openshift_master_ha | bool diff --git a/roles/openshift_master/tasks/system_container.yml b/roles/openshift_master/tasks/system_container.yml index 91332acfb..843352532 100644 --- a/roles/openshift_master/tasks/system_container.yml +++ b/roles/openshift_master/tasks/system_container.yml @@ -1,4 +1,9 @@ --- +- name: Ensure proxies are in the atomic.conf + include_role: + name: openshift_atomic + tasks_from: proxy + - name: Pre-pull master system container image command: > atomic pull --storage=ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.master.master_system_image }}:{{ openshift_image_tag }} diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml index fcc66044b..b0fa72f19 100644 --- a/roles/openshift_master/tasks/systemd_units.yml +++ b/roles/openshift_master/tasks/systemd_units.yml @@ -2,9 +2,6 @@ # systemd_units.yml is included both in the openshift_master role and in the upgrade # playbooks. -- include: upgrade_facts.yml - when: openshift_master_defaults_in_use is not defined - - name: Set HA Service Info for containerized installs set_fact: containerized_svc_dir: "/etc/systemd/system" 
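Review bot: `ignore_errors: true` on `Restart master controllers` in restart.yml is justified with "pre-3.1.1 installations", but this commit removes the `version_gte_3_1_or_1_1`/`version_gte_3_2_or_1_2` branches everywhere else, so the justification is gone and a genuinely failed controller restart is now silently swallowed. Drop `ignore_errors: true` (or narrow it with `failed_when`) and update the comment. `Wait for master API to come back online` only checks that the TCP port accepts connections, while the handler in handlers/main.yml probes `/healthz/ready` over TLS with the cluster CA; reusing that check here would avoid declaring the API back before it can serve. `service:` is used here where the rest of the role uses `systemd:`, and `openshift_master_ha` is not among the defaults this commit touches — presumably supplied by the caller, which a comment should say.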
@@ -14,8 +11,22 @@ - include: registry_auth.yml +- name: Disable the legacy master service if it exists + systemd: + name: "{{ openshift.common.service_type }}-master" + state: stopped + enabled: no + masked: yes + ignore_errors: true + - name: Remove the legacy master service if it exists - include: clean_systemd_units.yml + file: + path: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service" + state: absent + ignore_errors: true + when: + - openshift.master.cluster_method == "native" + - not openshift.common.is_master_system_container | bool # This is the image used for both HA and non-HA clusters: - name: Pre-pull master image @@ -44,6 +55,17 @@ - l_create_ha_unit_files | changed # end workaround for missing systemd unit files +- name: enable master services + systemd: + name: "{{ openshift.common.service_type }}-master-{{ item }}" + enabled: yes + with_items: + - api + - controllers + when: + - openshift.master.cluster_method == "native" + - not openshift.common.is_master_system_container | bool + - name: Preserve Master API Proxy Config options command: grep PROXY /etc/sysconfig/{{ openshift.common.service_type }}-master-api register: l_master_api_proxy diff --git a/roles/openshift_master/tasks/upgrade.yml b/roles/openshift_master/tasks/upgrade.yml new file mode 100644 index 000000000..92371921d --- /dev/null +++ b/roles/openshift_master/tasks/upgrade.yml 
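Review bot: `Disable the legacy master service if it exists` hides every failure behind `ignore_errors: true` and runs unconditionally, while `Remove the legacy master service` directly below is guarded by `cluster_method == "native"` and `not is_master_system_container`; a systemd error other than "unit not found" (a dbus or permission problem, say) is silently dropped, and the disable runs even on hosts where the remove task skips. Stat the unit at `{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service` first and put the same `when:` on both tasks rather than ignoring errors. `enabled: no` / `masked: yes` here and `enabled: yes` in the new `enable master services` task should be `false`/`true` per yamllint's truthy rule.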
@@ -0,0 +1,45 @@
+---
+- include: upgrade/rpm_upgrade.yml
+ when: not openshift.common.is_containerized | bool
+
+- include: upgrade/upgrade_scheduler.yml
+
+# master_config_hook is passed in from upgrade play.
+- include: "upgrade/{{ master_config_hook }}"
+ when: master_config_hook is defined
+
+- include: journald.yml
+
+- include: systemd_units.yml
+
+- name: Check for ca-bundle.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ register: ca_bundle_stat
+ failed_when: false
+
+- name: Check for ca.crt
+ stat:
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ register: ca_crt_stat
+ failed_when: false
+
+- name: Migrate ca.crt to ca-bundle.crt
+ command: mv ca.crt ca-bundle.crt
+ args:
+ chdir: "{{ openshift.common.config_base }}/master"
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+- name: Link ca.crt to ca-bundle.crt
+ file:
+ src: "{{ openshift.common.config_base }}/master/ca-bundle.crt"
+ path: "{{ openshift.common.config_base }}/master/ca.crt"
+ state: link
+ when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists
+
+- name: Update oreg value
+ yedit:
+ src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ key: 'imageConfig.format'
+ value: "{{ oreg_url | default(oreg_url_master) }}"
+ when: oreg_url is defined or oreg_url_master is defined
diff --git a/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
new file mode 100644
index 000000000..f914a9978
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml
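Review bot: `when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists` on both the `Migrate` and `Link` tasks dereferences `stat.isreg`, but the `stat` module returns only `stat.exists: false` for a missing path, so on a host without `ca.crt` the condition errors on an undefined attribute instead of evaluating false. Use `when: ca_crt_stat.stat.isreg | default(false) and not ca_bundle_stat.stat.exists` on both tasks. `failed_when: false` on the two stat tasks is unnecessary (stat does not fail for absent files) and hides real errors such as a permission problem, which then resurface as the same undefined `stat` key. The Link task deliberately relies on the stat taken before the `mv`; a comment such as `# stat facts predate the mv above, so isreg here means ca.crt was just moved` would keep someone from "fixing" it.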
@@ -0,0 +1,20 @@
+---
+# When we update package "a-${version}" and a requires b >= ${version} if we
+# don't specify the version of b yum will choose the latest version of b
+# available and the whole set of dependencies end up at the latest version.
+# Since the package module, unlike the yum module, doesn't flatten a list
+# of packages into one transaction we need to do that explicitly. The ansible
+# core team tells us not to rely on yum module transaction flattening anyway.
+
+# TODO: If the sdn package isn't already installed this will install it, we
+# should fix that
+- name: Upgrade master packages
+ package: name={{ master_pkgs | join(',') }} state=present
+ vars:
+ master_pkgs:
+ - "{{ openshift.common.service_type }}{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-master{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version }}"
+ - "{{ openshift.common.service_type }}-clients{{ openshift_pkg_version }}"
+ - "tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version }}"
diff --git a/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml
new file mode 100644
index 000000000..8558bf3e9
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade/upgrade_scheduler.yml
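Review bot: `package: name={{ master_pkgs | join(',') }} state=present` uses the key=value shorthand that the rest of this role avoids; write it as block YAML: `package:` / `name: "{{ master_pkgs | join(',') }}"` / `state: present`. `openshift_pkg_version` has no default in this role's defaults/main.yml, so every entry in `master_pkgs` errors with an undefined variable when the caller does not set it — presumably the upgrade play always does, but a comment stating that contract next to the existing one about transaction flattening would document it.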
@@ -0,0 +1,173 @@ +--- +# Upgrade predicates +- vars: + prev_predicates: "{{ lookup('openshift_master_facts_default_predicates', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type) }}" + prev_predicates_no_region: "{{ lookup('openshift_master_facts_default_predicates', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type, regions_enabled=False) }}" + default_predicates_no_region: "{{ lookup('openshift_master_facts_default_predicates', regions_enabled=False) }}" + # older_predicates are the set of predicates that have previously been + # hard-coded into openshift_facts + older_predicates: + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - name: MaxEBSVolumeCount + - name: MaxGCEPDVolumeCount + - name: Region + argument: + serviceAffinity: + labels: + - region + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - name: Region + argument: + serviceAffinity: + labels: + - region + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: Region + argument: + serviceAffinity: + labels: + - region + # older_predicates_no_region are the set of predicates that have previously + # been hard-coded into openshift_facts, with the Region predicate removed + older_predicates_no_region: + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - name: MaxEBSVolumeCount + - name: MaxGCEPDVolumeCount + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + - name: NoVolumeZoneConflict + - - name: MatchNodeSelector + - name: PodFitsResources + - name: PodFitsPorts + - name: NoDiskConflict + block: + + # Handle case where openshift_master_predicates is defined + - block: + - 
debug: + msg: "WARNING: openshift_master_scheduler_predicates is set to defaults from an earlier release of OpenShift current defaults are: {{ openshift_master_scheduler_default_predicates }}" + when: openshift_master_scheduler_predicates in older_predicates + older_predicates_no_region + [prev_predicates] + [prev_predicates_no_region] + + - debug: + msg: "WARNING: openshift_master_scheduler_predicates does not match current defaults of: {{ openshift_master_scheduler_default_predicates }}" + when: openshift_master_scheduler_predicates != openshift_master_scheduler_default_predicates + when: openshift_master_scheduler_predicates | default(none) is not none + + # Handle cases where openshift_master_predicates is not defined + - block: + - debug: + msg: "WARNING: existing scheduler config does not match previous known defaults automated upgrade of scheduler config is disabled.\nexisting scheduler predicates: {{ openshift_master_scheduler_current_predicates }}\ncurrent scheduler default predicates are: {{ openshift_master_scheduler_default_predicates }}" + when: + - openshift_master_scheduler_current_predicates != openshift_master_scheduler_default_predicates + - openshift_master_scheduler_current_predicates not in older_predicates + [prev_predicates] + + - set_fact: + openshift_upgrade_scheduler_predicates: "{{ openshift_master_scheduler_default_predicates }}" + when: + - openshift_master_scheduler_current_predicates != openshift_master_scheduler_default_predicates + - openshift_master_scheduler_current_predicates in older_predicates + [prev_predicates] + + - set_fact: + openshift_upgrade_scheduler_predicates: "{{ default_predicates_no_region }}" + when: + - openshift_master_scheduler_current_predicates != default_predicates_no_region + - openshift_master_scheduler_current_predicates in older_predicates_no_region + [prev_predicates_no_region] + + when: openshift_master_scheduler_predicates | default(none) is none + + +# Upgrade priorities +- vars: + prev_priorities: 
"{{ lookup('openshift_master_facts_default_priorities', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type) }}" + prev_priorities_no_zone: "{{ lookup('openshift_master_facts_default_priorities', short_version=openshift_upgrade_min, deployment_type=openshift_deployment_type, zones_enabled=False) }}" + default_priorities_no_zone: "{{ lookup('openshift_master_facts_default_priorities', zones_enabled=False) }}" + # older_priorities are the set of priorities that have previously been + # hard-coded into openshift_facts + older_priorities: + - - name: LeastRequestedPriority + weight: 1 + - name: SelectorSpreadPriority + weight: 1 + - name: Zone + weight: 2 + argument: + serviceAntiAffinity: + label: zone + # older_priorities_no_region are the set of priorities that have previously + # been hard-coded into openshift_facts, with the Zone priority removed + older_priorities_no_zone: + - - name: LeastRequestedPriority + weight: 1 + - name: SelectorSpreadPriority + weight: 1 + block: + + # Handle case where openshift_master_priorities is defined + - block: + - debug: + msg: "WARNING: openshift_master_scheduler_priorities is set to defaults from an earlier release of OpenShift current defaults are: {{ openshift_master_scheduler_default_priorities }}" + when: openshift_master_scheduler_priorities in older_priorities + older_priorities_no_zone + [prev_priorities] + [prev_priorities_no_zone] + + - debug: + msg: "WARNING: openshift_master_scheduler_priorities does not match current defaults of: {{ openshift_master_scheduler_default_priorities }}" + when: openshift_master_scheduler_priorities != openshift_master_scheduler_default_priorities + when: openshift_master_scheduler_priorities | default(none) is not none + + # Handle cases where openshift_master_priorities is not defined + - block: + - debug: + msg: "WARNING: existing scheduler config does not match previous known defaults automated upgrade of scheduler config is disabled.\nexisting scheduler 
priorities: {{ openshift_master_scheduler_current_priorities }}\ncurrent scheduler default priorities are: {{ openshift_master_scheduler_default_priorities }}" + when: + - openshift_master_scheduler_current_priorities != openshift_master_scheduler_default_priorities + - openshift_master_scheduler_current_priorities not in older_priorities + [prev_priorities] + + - set_fact: + openshift_upgrade_scheduler_priorities: "{{ openshift_master_scheduler_default_priorities }}" + when: + - openshift_master_scheduler_current_priorities != openshift_master_scheduler_default_priorities + - openshift_master_scheduler_current_priorities in older_priorities + [prev_priorities] + + - set_fact: + openshift_upgrade_scheduler_priorities: "{{ default_priorities_no_zone }}" + when: + - openshift_master_scheduler_current_priorities != default_priorities_no_zone + - openshift_master_scheduler_current_priorities in older_priorities_no_zone + [prev_priorities_no_zone] + + when: openshift_master_scheduler_priorities | default(none) is none + + +# Update scheduler +- vars: + scheduler_config: + kind: Policy + apiVersion: v1 + predicates: "{{ openshift_upgrade_scheduler_predicates + | default(openshift_master_scheduler_current_predicates) }}" + priorities: "{{ openshift_upgrade_scheduler_priorities + | default(openshift_master_scheduler_current_priorities) }}" + block: + - name: Update scheduler config + copy: + content: "{{ scheduler_config | to_nice_json }}" + dest: "{{ openshift_master_scheduler_conf }}" + backup: true + when: > + openshift_upgrade_scheduler_predicates is defined or + openshift_upgrade_scheduler_priorities is defined diff --git a/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml new file mode 100644 index 000000000..db0c8f886 --- /dev/null +++ b/roles/openshift_master/tasks/upgrade/v3_6/master_config_upgrade.yml 
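Review bot: the warning `existing scheduler config does not match previous known defaults automated upgrade of scheduler config is disabled` fires whenever the current predicates are not in `older_predicates + [prev_predicates]`, yet the third `set_fact` in the same block still rewrites them when they are in `older_predicates_no_region + [prev_predicates_no_region]`, so a no-region legacy config gets both the "disabled" warning and an automated upgrade. Add `- openshift_master_scheduler_current_predicates not in older_predicates_no_region + [prev_predicates_no_region]` to that debug's `when:`; the priorities block has the same gap and needs `- openshift_master_scheduler_current_priorities not in older_priorities_no_zone + [prev_priorities_no_zone]`. The comment above `older_priorities_no_zone` names the key `older_priorities_no_region` and should be corrected to match.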
@@ -0,0 +1,15 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.certFile'
+ yaml_value: service-signer.crt
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile'
+ yaml_value: service-signer.key
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: servingInfo.clientCA
+ yaml_value: ca.crt
diff --git a/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml
new file mode 100644
index 000000000..1d4d1919c
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade/v3_7/master_config_upgrade.yml
@@ -0,0 +1,20 @@
+---
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.election.lockName'
+ yaml_value: 'openshift-master-controllers'
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.certFile'
+ yaml_value: service-signer.crt
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base}}/master/master-config.yaml"
+ yaml_key: 'controllerConfig.serviceServingCert.signer.keyFile'
+ yaml_value: service-signer.key
+
+- modify_yaml:
+ dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ yaml_key: servingInfo.clientCA
+ yaml_value: ca.crt
diff --git a/roles/openshift_master/tasks/upgrade_facts.yml b/roles/openshift_master/tasks/upgrade_facts.yml
index f6ad438aa..2252c003a 100644
--- a/roles/openshift_master/tasks/upgrade_facts.yml
+++ b/roles/openshift_master/tasks/upgrade_facts.yml
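Review bot: both upgrade hooks build the config path by hand as `{{ openshift.common.config_base}}/master/master-config.yaml` (most `dest:` lines also lack the space before `}}`), while this commit introduces `openshift_master_config_file` in defaults/main.yml for exactly that path; provided the hooks are reached through this role's tasks/upgrade.yml the default is in scope, so use `dest: "{{ openshift_master_config_file }}"` throughout, in the v3_6 hook as well as the v3_7 one. v3_7/master_config_upgrade.yml repeats the three v3_6 edits verbatim and only adds `controllerConfig.election.lockName`; including the v3_6 file from the v3_7 one would keep them from drifting. A one-line header comment in each hook stating which release it migrates a config to would help, since the directory name is the only hint.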
@@ -21,6 +21,10 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}" when: oreg_host is not defined +- set_fact: + oreg_auth_credentials_replace: False + when: oreg_auth_credentials_replace is not defined + - name: Set openshift_master_debug_level set_fact: openshift_master_debug_level: "{{ debug_level | default(2) }}" diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2 index 7ec26ceb7..3f7a528a9 100644 --- a/roles/openshift_master/templates/atomic-openshift-master.j2 +++ b/roles/openshift_master/templates/atomic-openshift-master.j2 @@ -21,7 +21,7 @@ AWS_SECRET_ACCESS_KEY={{ openshift_cloudprovider_aws_secret_key }} {% endif %} {% if 'api_env_vars' in openshift.master or 'controllers_env_vars' in openshift.master -%} -{% for key, value in openshift.master.api_env_vars.items() | default([]) | union(openshift.master.controllers_env_vars.items() | default([])) -%} +{% for key, value in (openshift.master.api_env_vars | default({})).items() | union((openshift.master.controllers_env_vars | default({})).items()) -%} {{ key }}={{ value }} {% endfor -%} {% endif -%} diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 7159ccc7f..629fe3286 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -3,9 +3,6 @@ admissionConfig: pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }} {% endif %} apiLevels: -{% if not openshift.common.version_gte_3_1_or_1_1 | bool %} -- v1beta3 -{% endif %} - v1 apiVersion: v1 assetConfig: 
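Review bot: the rewritten `for` in atomic-openshift-master.j2 unions the `(key, value)` pairs of `api_env_vars` and `controllers_env_vars`, so a variable set in both with different values is emitted twice and the effective value depends on which line the environment file consumer reads last — presumably the later one, but `union` ordering is not something to rely on. Merge the dicts instead: `{% for key, value in ((openshift.master.api_env_vars | default({})) | combine(openshift.master.controllers_env_vars | default({}))).items() -%}`, which makes the controllers' value win deterministically (swap the operands if the API's should). The `default({})` fix itself is right — the old `.items() | default([])` presumably never applied because `.items()` on an undefined attribute already raised.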
@@ -44,10 +41,9 @@ assetConfig: - {{ cipher_suite }} {% endfor %} {% endif %} -{% if openshift.master.audit_config | default(none) is not none and openshift.common.version_gte_3_2_or_1_2 | bool %} +{% if openshift.master.audit_config | default(none) is not none %} auditConfig:{{ openshift.master.audit_config | to_padded_yaml(level=1) }} {% endif %} -{% if openshift.common.version_gte_3_3_or_1_3 | bool %} controllerConfig: election: lockName: openshift-master-controllers @@ -55,14 +51,14 @@ controllerConfig: signer: certFile: service-signer.crt keyFile: service-signer.key -{% endif %} controllers: '*' corsAllowedOrigins: + # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname {% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %} - - {{ origin }} + - (?i)//{{ origin | regex_escape() }}(:|\z) {% endfor %} {% for custom_origin in openshift.master.custom_cors_origins | default("") %} - - {{ custom_origin }} + - (?i)//{{ custom_origin | regex_escape() }}(:|\z) {% endfor %} {% if 'disabled_features' in openshift.master %} disabledFeatures: {{ openshift.master.disabled_features | to_json }} @@ -73,11 +69,7 @@ dnsConfig: bindNetwork: tcp4 {% endif %} etcdClientInfo: -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} ca: {{ "ca-bundle.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }} -{% else %} - ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }} -{% endif %} certFile: master.etcd-client.crt keyFile: master.etcd-client.key urls: 
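Review bot: the new comment above `corsAllowedOrigins` says the pattern is anchored with `\A`, but the emitted entries `(?i)//{{ origin | regex_escape() }}(:|\z)` contain no start anchor — only `//` in front and `(:|\z)` behind. Either the comment is wrong or the anchor was dropped; the leading `//` still blocks suffix matches such as `evilexample.com`, but the comment should describe what is actually generated, e.g. `# match //<host> followed by a port separator or end of string (\z), case-insensitively ((?i)); hostname is regex-escaped`. The same change on the `custom_cors_origins` line means a user-supplied entry is now regex-escaped rather than used as a pattern, which silently changes meaning for anyone who had put a regex in their custom origins list — worth calling out in the commit message or release notes.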
@@ -91,20 +83,12 @@ etcdConfig: peerServingInfo: bindAddress: {{ openshift.master.bind_addr }}:7001 certFile: etcd.server.crt -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} clientCA: ca-bundle.crt -{% else %} - clientCA: ca.crt -{% endif %} keyFile: etcd.server.key servingInfo: bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.etcd_port }} certFile: etcd.server.crt -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} clientCA: ca-bundle.crt -{% else %} - clientCA: ca.crt -{% endif %} keyFile: etcd.server.key storageDirectory: {{ r_openshift_master_data_dir }}/openshift.local.etcd {% endif %} @@ -122,21 +106,12 @@ imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level kind: MasterConfig kubeletClientInfo: {# TODO: allow user specified kubelet port #} -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} ca: ca-bundle.crt -{% else %} - ca: ca.crt -{% endif %} certFile: master.kubelet-client.crt keyFile: master.kubelet-client.key port: 10250 {% if openshift.master.embedded_kube | bool %} kubernetesMasterConfig: -{% if not openshift.common.version_gte_3_1_or_1_1 | bool %} - apiLevels: - - v1beta3 - - v1 -{% endif %} apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }} {% if r_openshift_master_etcd3_storage or ( r_openshift_master_clean_install and openshift.common.version_gte_3_6 ) %} storage-backend: 
@@ -159,27 +134,28 @@ kubernetesMasterConfig: {% endif %} masterClients: {# TODO: allow user to set externalKubernetesKubeConfig #} -{% if openshift.common.version_gte_3_3_or_1_3 | bool %} externalKubernetesClientConnectionOverrides: acceptContentTypes: application/vnd.kubernetes.protobuf,application/json contentType: application/vnd.kubernetes.protobuf burst: {{ openshift_master_external_ratelimit_burst | default(400) }} qps: {{ openshift_master_external_ratelimit_qps | default(200) }} -{% endif %} externalKubernetesKubeConfig: "" -{% if openshift.common.version_gte_3_3_or_1_3 | bool %} openshiftLoopbackClientConnectionOverrides: acceptContentTypes: application/vnd.kubernetes.protobuf,application/json contentType: application/vnd.kubernetes.protobuf burst: {{ openshift_master_loopback_ratelimit_burst | default(600) }} qps: {{ openshift_master_loopback_ratelimit_qps | default(300) }} -{% endif %} openshiftLoopbackKubeConfig: openshift-master.kubeconfig masterPublicURL: {{ openshift.master.public_api_url }} networkConfig: clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }} hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }} -{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_sdn_network_plugin_name == 'cni' %} +{% if openshift.common.version_gte_3_7 | bool %} + clusterNetworks: + - cidr: {{ openshift.master.sdn_cluster_network_cidr }} + hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }} +{% endif %} +{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_use_kuryr or r_openshift_master_sdn_network_plugin_name == 'cni' %} networkPluginName: {{ r_openshift_master_sdn_network_plugin_name_default }} {% endif %} # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet 
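Review bot: The new `clusterNetworks` guard tests `openshift.common.version_gte_3_7 | bool`, while the existing `storage-backend` guard earlier in this template tests `openshift.common.version_gte_3_6` bare; pick one form for version flags so a reader does not wonder whether the `| bool` is load-bearing. The `clusterNetworks` entry also repeats the same `sdn_cluster_network_cidr` / `sdn_host_subnet_length` values already emitted as `clusterNetworkCIDR` / `hostSubnetLength` two lines above; a short comment such as `{# ≥3.7 reads clusterNetworks; the legacy keys above are kept for older masters #}` would stop someone later removing one of the two as a duplicate. The five-way `or` chain in the `networkPluginName` guard, now extended with `r_openshift_master_use_kuryr`, is becoming hard to read and would benefit from a one-line comment stating that `networkPluginName` is emitted whenever any supported plugin is enabled.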
@@ -202,11 +178,7 @@ oauthConfig: {% for line in translated_identity_providers.splitlines() %} {{ line }} {% endfor %} -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} masterCA: ca-bundle.crt -{% else %} - masterCA: ca.crt -{% endif %} masterPublicURL: {{ openshift.master.public_api_url }} masterURL: {{ openshift.master.api_url }} sessionConfig: @@ -239,11 +211,7 @@ serviceAccountConfig: - default - builder - deployer -{% if openshift.common.version_gte_3_2_or_1_2 | bool %} masterCA: ca-bundle.crt -{% else %} - masterCA: ca.crt -{% endif %} privateKeyFile: serviceaccounts.private.key publicKeyFiles: - serviceaccounts.public.key diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 index e284413f7..fae021845 100644 --- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 +++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2 @@ -7,11 +7,7 @@ Wants={{ openshift.common.service_type }}-master-api.service Requires=network-online.target [Service] -{% if openshift.common.version_gte_3_1_1_or_1_1_1 | bool %} Type=notify -{% else %} -Type=simple -{% endif %} EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers Environment=GOTRACEBACK=crash ExecStart=/usr/bin/openshift start master controllers --config=${CONFIG_FILE} $OPTIONS |