--- - name: setup firewall include: firewall.yml static: yes - name: Retrieve list of openshift nodes matching router selector oc_obj: state: list kind: node namespace: "{{ openshift.hosted.router.namespace | default('default') }}" selector: "{{ openshift.hosted.router.selector | default(omit) }}" register: router_nodes when: openshift.hosted.router.replicas | default(none) is none - name: set_fact replicas set_fact: replicas: "{{ openshift.hosted.router.replicas|default(None) | get_router_replicas(router_nodes) }}" openshift_hosted_router_selector: "{{ openshift.hosted.router.selector | default(None) }}" openshift_hosted_router_image: "{{ openshift.hosted.router.registryurl }}" # This is for when we desire a cluster signed cert # The certificate is generated and placed in master_config_dir/ - block: - name: generate a default wildcard router certificate oc_adm_ca_server_cert: signer_cert: "{{ openshift_master_config_dir }}/ca.crt" signer_key: "{{ openshift_master_config_dir }}/ca.key" signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" hostnames: - "{{ openshift_master_default_subdomain | default('router.default.svc.cluster.local') }}" - "*.{{ openshift_master_default_subdomain | default('router.default.svc.cluster.local') }}" cert: "{{ ('/etc/origin/master/' ~ (item.certificate.certfile | basename)) if 'certfile' in item.certificate else ((openshift_master_config_dir) ~ '/openshift-router.crt') }}" key: "{{ ('/etc/origin/master/' ~ (item.certificate.keyfile | basename)) if 'keyfile' in item.certificate else ((openshift_master_config_dir) ~ '/openshift-router.key') }}" with_items: "{{ openshift_hosted_routers }}" - name: set the openshift_hosted_router_certificate set_fact: openshift_hosted_router_certificate: certfile: "{{ openshift_master_config_dir ~ '/openshift-router.crt' }}" keyfile: "{{ openshift_master_config_dir ~ '/openshift-router.key' }}" cafile: "{{ openshift_master_config_dir ~ '/ca.crt' }}" # End Block when: ( openshift_hosted_router_create_certificate | bool ) and openshift_hosted_router_certificate == {} - name: Get the certificate contents for router copy: backup: True dest: "/etc/origin/master/{{ item | basename }}" src: "{{ item }}" with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificate') | oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}" when: not openshift_hosted_router_create_certificate | bool - name: Create the router service account(s) oc_serviceaccount: name: "{{ item.serviceaccount }}" namespace: "{{ item.namespace }}" state: present with_items: "{{ openshift_hosted_routers }}" - name: Grant the router service account(s) access to the appropriate scc oc_adm_policy_user: user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}" namespace: "{{ item.namespace }}" resource_kind: scc resource_name: hostnetwork with_items: "{{ openshift_hosted_routers }}" - name: Set additional permissions for router service account oc_adm_policy_user: user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}" namespace: "{{ item.namespace }}" resource_kind: cluster-role resource_name: cluster-reader when: item.namespace == 'default' with_items: "{{ openshift_hosted_routers }}" - name: Create OpenShift router oc_adm_router: name: "{{ item.name }}" replicas: "{{ item.replicas }}" namespace: "{{ item.namespace | default('default') }}" # This option is not yet implemented # force_subdomain: "{{ openshift.hosted.router.force_subdomain | default(none) }}" service_account: "{{ item.serviceaccount | default('router') }}" selector: "{{ item.selector | default(none) }}" images: "{{ item.images | default(omit) }}" cert_file: "{{ ('/etc/origin/master/' ~ (item.certificate.certfile | basename)) if 'certfile' in item.certificate else omit }}" key_file: "{{ ('/etc/origin/master/' ~ (item.certificate.keyfile | basename)) if 'keyfile' in item.certificate else omit }}" cacert_file: "{{ ('/etc/origin/master/' ~ (item.certificate.cafile | basename)) if 'cafile' in item.certificate else omit }}" edits: "{{ openshift_hosted_router_edits | union(item.edits) }}" ports: "{{ item.ports }}" stats_port: "{{ item.stats_port }}" with_items: "{{ openshift_hosted_routers }}" - when: openshift_hosted_router_wait block: - name: Ensure OpenShift router correctly rolls out (best-effort today) command: | {{ openshift.common.client_binary }} rollout status deploymentconfig {{ item.name }} \ --namespace {{ item.namespace | default('default') }} \ --config {{ openshift.common.config_base }}/master/admin.kubeconfig async: 600 poll: 15 with_items: "{{ openshift_hosted_routers }}" failed_when: false - name: Determine the latest version of the OpenShift router deployment command: | {{ openshift.common.client_binary }} get deploymentconfig {{ item.name }} \ --namespace {{ item.namespace }} \ --config {{ openshift.common.config_base }}/master/admin.kubeconfig \ -o jsonpath='{ .status.latestVersion }' register: openshift_hosted_routers_latest_version with_items: "{{ openshift_hosted_routers }}" - name: Poll for OpenShift router deployment success command: | {{ openshift.common.client_binary }} get replicationcontroller {{ item.0.name }}-{{ item.1.stdout }} \ --namespace {{ item.0.namespace }} \ --config {{ openshift.common.config_base }}/master/admin.kubeconfig \ -o jsonpath='{ .metadata.annotations.openshift\.io/deployment\.phase }' register: openshift_hosted_router_rc_phase until: "'Running' not in openshift_hosted_router_rc_phase.stdout" delay: 15 retries: 40 failed_when: "'Failed' in openshift_hosted_router_rc_phase.stdout" with_together: - "{{ openshift_hosted_routers }}" - "{{ openshift_hosted_routers_latest_version.results }}"