path: root/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
blob: 86cde2844ca555e67beba58c9606adf5d3502873 (plain)
---
####################################################################################
# Post upgrade - Upgrade web console, default router, default registry, and examples
####################################################################################
# Play: apply the openshift_web_console role from the first master.
# The role runs only when console installation is enabled (treated as true
# when the variable is unset) and the upgrade target is version 3.9 or later.
- name: Upgrade web console
  hosts: oo_first_master
  roles:
  - role: openshift_web_console
    when: >-
      (openshift_web_console_install | default(true) | bool)
      and (openshift_upgrade_target is version_compare('3.9', '>='))

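# Play: on the first master, point the router, docker-registry and
# registry-console deployment configs at the upgraded images, refresh the
# examples and hosted templates, and finally inspect the registry certificate
# for the service DNS name.
- name: Upgrade default router and default registry
  hosts: oo_first_master
  vars:
    # Each image reference is built from openshift.master.registry_url by
    # substituting the component and version placeholders it contains.
    registry_image: "{{  openshift.master.registry_url | replace( '${component}', 'docker-registry' )  |
                         replace ( '${version}', openshift_image_tag ) }}"
    router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) |
                      replace ( '${version}', openshift_image_tag ) }}"
    # The console image swaps the whole "(origin|ose)-<component>" segment for
    # "registry-console" and is tagged with "v" plus the short version.
    registry_console_image: "{{ openshift.master.registry_url | regex_replace ( '(origin|ose)-\\${component}', 'registry-console') |
                                replace ( '${version}', 'v' ~ openshift.common.short_version ) }}"

  pre_tasks:
  - name: Load lib_openshift modules
    import_role:
      name: lib_openshift

  # List pods matching the 'router' selector across every namespace.
  - name: Collect all routers
    oc_obj:
      state: list
      kind: pods
      all_namespaces: true
      selector: 'router'
    register: all_routers

  # Keep only the haproxy-router pods and reduce each one to its metadata,
  # which the image update below reads for the dc name and namespace.
  - name: Select haproxy router pods from the query result
    set_fact:
      haproxy_routers: "{{ all_routers.results.results[0]['items'] |
                           lib_utils_oo_pods_match_component(openshift_deployment_type, 'haproxy-router') |
                           lib_utils_oo_select_keys_from_list(['metadata']) }}"
    when:
    - all_routers.results.returncode == 0

  # Native YAML arguments make this a real empty list; the previous
  # key=value form (haproxy_routers=[]) passed the value as the string "[]".
  - name: Fall back to an empty router list when the query failed
    set_fact:
      haproxy_routers: []
    when:
    - all_routers.results.returncode != 0

  - name: Update router image to current version
    oc_edit:
      kind: dc
      name: "{{ item['labels']['deploymentconfig'] }}"
      namespace: "{{ item['namespace'] }}"
      content:
        spec.template.spec.containers[0].image: "{{ router_image }}"
    with_items: "{{ haproxy_routers }}"
    when:
    - all_routers.results.returncode == 0

  # NOTE(review): no namespace is passed to this lookup while the edit below
  # targets namespace 'default' - confirm the module's default matches.
  - name: Check for default registry
    oc_obj:
      state: list
      kind: dc
      name: docker-registry
    register: _default_registry

  # Skipped when the lookup above returned an empty first result.
  - name: Update registry image to current version
    oc_edit:
      kind: dc
      name: docker-registry
      namespace: default
      content:
        spec.template.spec.containers[0].image: "{{ registry_image }}"
    when:
    - _default_registry.results.results[0] != {}

  # registry-console is only looked up for non-origin deployment types.
  - name: Check for registry-console
    oc_obj:
      state: list
      kind: dc
      name: registry-console
    register: _registry_console
    when:
    - openshift.common.deployment_type != 'origin'

  # The deployment-type condition is listed first so the registered result is
  # only dereferenced when the lookup above actually ran.
  - name: Update registry-console image to current version
    oc_edit:
      kind: dc
      name: registry-console
      namespace: default
      content:
        spec.template.spec.containers[0].image: "{{ registry_console_image }}"
    when:
    - openshift.common.deployment_type != 'origin'
    - _registry_console.results.results[0] != {}

  roles:
  - openshift_manageiq
  - role: openshift_project_request_template
    when: openshift_project_request_template_manage
  # Create the new templates shipped in 3.2, existing templates are left
  # unmodified. This prevents the subsequent role definition for
  # openshift_examples from failing when trying to replace templates that do
  # not already exist. We could have potentially done a replace --force to
  # create and update in one step.
  - role: openshift_examples
    when: openshift_install_examples | default(true) | bool
  - openshift_hosted_templates
  # Update the existing templates
  - role: openshift_examples
    when: openshift_install_examples | default(true) | bool
    registry_url: "{{ openshift.master.registry_url }}"
    openshift_examples_import_command: replace
  - role: openshift_hosted_templates
    registry_url: "{{ openshift.master.registry_url }}"
    openshift_hosted_templates_import_command: replace

  post_tasks:
  # Do not perform these tasks when the registry is insecure. The default
  # registry is insecure in openshift_hosted/defaults/main.yml.
  # The "| bool" cast matters: without it a string value such as "false" is
  # truthy in Jinja, so the certificate check would be skipped even though the
  # operator declared the registry secure. It also matches the other
  # conditionals in this playbook.
  - when: not (openshift_docker_hosted_registry_insecure | default(True) | bool)
    block:
    # we need to migrate customers to the new pattern of pushing to the registry via dns
    # Step 1: verify the certificates have the docker registry service name
    # The task's rc is the exit status of the final grep (no pipefail is set),
    # so rc 1 covers both "name not in the SAN list" and "certificate could not
    # be fetched or parsed". The command only reads the SAN of the certificate
    # the registry presents; nothing in it enforces chain verification.
    - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate
      shell: >
        echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000  | openssl x509 -text |  grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
      register: cert_output
      changed_when: false
      failed_when:
      - cert_output.rc not in [0, 1]

    # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
    # NOTE(review): rc == 0 means the service name is already present in the
    # certificate; confirm that redeploying in that case (rather than when the
    # name is missing) is the intended polarity.
    - name: set a fact to include the registry certs playbook if needed
      set_fact:
        openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0  }}"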

# Redeploy the registry certificates only when the first master recorded
# openshift_hosted_rollout_certs_and_registry as true. An unset fact falls
# back to False (the case for insecure registries), so the import is skipped.
- import_playbook: ../../../openshift-hosted/private/redeploy-registry-certificates.yml
  when: (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool

# Check for warnings to be printed at the end of the upgrade:
# Play: runs on every master being configured and carries the 'always' tag.
# It applies the excluder role with its action set to enable, then prints
# end-of-upgrade warnings.
- name: Clean up and display warnings
  hosts: oo_masters_to_config
  gather_facts: false
  tags: [always]
  roles:
  - role: openshift_excluder
    r_openshift_excluder_action: enable
  post_tasks:
  # Probe master-config.yaml for pluginOrderOverride. The task never reports a
  # change or a failure, so a missing file or a non-match only shows up as a
  # non-zero rc. (The original comment scopes this to 1.3/3.3 and beyond; no
  # version condition is visible on the task itself.)
  - name: grep pluginOrderOverride
    command: grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml
    changed_when: false
    failed_when: false
    register: grep_plugin_order_override

  # Printed only when the probe actually ran and found a match.
  - name: Warn if pluginOrderOverride is in use in master-config.yaml
    when:
    - grep_plugin_order_override is not skipped
    - grep_plugin_order_override.rc == 0
    debug:
      msg: "WARNING pluginOrderOverride is being deprecated in master-config.yaml, please see https://docs.openshift.com/enterprise/latest/architecture/additional_concepts/admission_controllers.html for more information."

  # __shared_resource_viewer_protected is not set anywhere in this file;
  # it is treated as false when undefined.
  # NOTE(review): unlike other conditionals here this one has no "| bool"
  # cast - confirm the variable is always a real boolean where it is set.
  - name: Warn if shared-resource-viewer could not be updated
    when:
    - __shared_resource_viewer_protected | default(false)
    debug:
      msg: "WARNING the shared-resource-viewer role could not be upgraded to 3.6 spec because it's marked protected, please see https://bugzilla.redhat.com/show_bug.cgi?id=1493213"