---
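# Pull in the router firewall task list (firewall.yml). `static` makes the
# include resolve at parse time rather than at runtime.
- name: setup firewall
  include: firewall.yml
  static: true  # canonical boolean; `yes` is the YAML 1.1-only spelling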

# Only needed when no replica count was configured (see `when:`): the node
# listing filtered by the router selector feeds get_router_replicas in the
# next task, which sizes the router from it.
- name: Retrieve list of openshift nodes matching router selector
  oc_obj:
    state: list
    kind: node
    namespace: "{{ openshift.hosted.router.namespace | default('default') }}"
    # `omit` drops the selector argument entirely when none is configured
    selector: "{{ openshift.hosted.router.selector | default(omit) }}"
  register: router_nodes
  when: openshift.hosted.router.replicas | default(none) is none

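# Derive the replica count and record the selector/image as plain facts.
# get_router_replicas is a project-supplied filter; it receives router_nodes,
# which holds the previous task's result (a skipped-task result when replicas
# was configured explicitly — what the filter does with that is not visible here).
- name: set_fact replicas
  set_fact:
    # `none` spelled lowercase throughout, matching the `when:` on the task
    # above (Jinja accepts both spellings; behaviour is unchanged).
    replicas: "{{ openshift.hosted.router.replicas | default(none) | get_router_replicas(router_nodes) }}"
    openshift_hosted_router_selector: "{{ openshift.hosted.router.selector | default(none) }}"
    openshift_hosted_router_image: "{{ openshift.hosted.router.registryurl }}"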

# This is for when we desire a cluster signed cert
# The certificate is generated and placed in master_config_dir/
# The whole block is gated by the `when:` at its end: it runs only when
# certificate creation is enabled AND no certificate was supplied.
- block:
  # Sign a wildcard cert (<subdomain> and *.<subdomain>) with the master CA's
  # key. Runs once per router entry; every entry gets the same hostnames.
  - name: generate a default wildcard router certificate
    oc_adm_ca_server_cert:
      signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
      signer_key: "{{ openshift_master_config_dir }}/ca.key"
      signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
      hostnames:
      - "{{ openshift_master_default_subdomain | default('router.default.svc.cluster.local') }}"
      - "*.{{ openshift_master_default_subdomain | default('router.default.svc.cluster.local') }}"
      # Output paths: the item's own certfile/keyfile basename under
      # /etc/origin/master/ when given, else openshift-router.{crt,key}
      # in the master config dir.
      cert: "{{ ('/etc/origin/master/' ~ (item.certificate.certfile | basename)) if 'certfile' in item.certificate else ((openshift_master_config_dir) ~ '/openshift-router.crt') }}"
      key: "{{ ('/etc/origin/master/' ~ (item.certificate.keyfile | basename)) if 'keyfile' in item.certificate else ((openshift_master_config_dir) ~ '/openshift-router.key') }}"
    with_items: "{{ openshift_hosted_routers }}"

  # NOTE(review): this always records openshift-router.crt/key, even for an
  # item whose certfile/keyfile made the task above write elsewhere — confirm
  # the two paths cannot diverge. The fact's consumer is not in this file;
  # the router task below reads item.certificate, not this variable.
  - name: set the openshift_hosted_router_certificate
    set_fact:
      openshift_hosted_router_certificate:
        certfile: "{{ openshift_master_config_dir ~ '/openshift-router.crt' }}"
        keyfile: "{{ openshift_master_config_dir ~ '/openshift-router.key' }}"
        cafile: "{{ openshift_master_config_dir ~ '/ca.crt' }}"

  # End Block
  when: ( openshift_hosted_router_create_certificate | bool ) and openshift_hosted_router_certificate == {}

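# Stage user-supplied router TLS material (keyfile/certfile/cafile of every
# router entry) on the master as /etc/origin/master/<basename>, which is the
# path the "Create OpenShift router" task below hands to `oc adm router`.
# Complement of the generation block above: runs only when the cluster-signed
# default certificate is NOT being created.
- name: Get the certificate contents for router
  copy:
    backup: true  # canonical boolean (was `True`); keeps a timestamped copy of any file it overwrites
    dest: "/etc/origin/master/{{ item | basename }}"
    src: "{{ item }}"
  # NOTE(review): no `mode:`/`owner:` is set, so the copied private key takes
  # the target's default file mode, and `backup: true` leaves superseded keys
  # beside it as backup files — confirm the directory's permissions make
  # that acceptable.
  with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificate') |
                  oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}"
  when: not openshift_hosted_router_create_certificate | bool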

# One service account per router entry, created in that router's namespace.
- name: Create the router service account(s)
  oc_serviceaccount:
    state: present
    namespace: '{{ item.namespace }}'
    name: '{{ item.serviceaccount }}'
  with_items: '{{ openshift_hosted_routers }}'

# Let each router's service account use the hostnetwork SCC, scoped to the
# router's own namespace. This is the privilege grant of the setup: the SCC
# permits host networking, which the restricted SCC does not.
- name: Grant the router service account(s) access to the appropriate scc
  oc_adm_policy_user:
    resource_kind: scc
    resource_name: hostnetwork
    namespace: '{{ item.namespace }}'
    user: 'system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}'
  with_items: '{{ openshift_hosted_routers }}'

# Only the router living in the `default` namespace is additionally bound to
# the cluster-reader cluster role (cluster-wide read access); routers in any
# other namespace are skipped by the `when:`.
- name: Set additional permissions for router service account
  oc_adm_policy_user:
    resource_kind: cluster-role
    resource_name: cluster-reader
    namespace: '{{ item.namespace }}'
    user: 'system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}'
  with_items: '{{ openshift_hosted_routers }}'
  when: item.namespace == 'default'

# Create (or update) each router with `oc adm router`. Certificate arguments
# point at the /etc/origin/master/<basename> copies staged above and are
# omitted entirely for an item that has no certfile/keyfile/cafile.
- name: Create OpenShift router
  oc_adm_router:
    name: "{{ item.name }}"
    # NOTE(review): uses the per-item value, not the `replicas` fact computed
    # by "set_fact replicas" above — presumably openshift_hosted_routers is
    # built from that fact elsewhere; confirm.
    replicas: "{{ item.replicas }}"
    namespace: "{{ item.namespace | default('default') }}"
    # This option is not yet implemented
    # force_subdomain: "{{ openshift.hosted.router.force_subdomain | default(none) }}"
    service_account: "{{ item.serviceaccount | default('router') }}"
    # NOTE(review): `default(none)` here vs `default(omit)` on images — a
    # missing selector is passed as a null value rather than left out;
    # confirm the module treats the two alike.
    selector: "{{ item.selector | default(none) }}"
    images: "{{ item.images | default(omit) }}"
    cert_file: "{{ ('/etc/origin/master/' ~ (item.certificate.certfile | basename)) if 'certfile' in item.certificate else omit }}"
    key_file: "{{ ('/etc/origin/master/' ~ (item.certificate.keyfile | basename)) if 'keyfile' in item.certificate else omit }}"
    cacert_file: "{{ ('/etc/origin/master/' ~ (item.certificate.cafile | basename)) if 'cafile' in item.certificate else omit }}"
    # Role-wide edits merged with this router's own list (set union, so
    # duplicates collapse).
    edits: "{{ openshift_hosted_router_edits | union(item.edits)  }}"
    ports: "{{ item.ports }}"
    stats_port: "{{ item.stats_port }}"
  with_items: "{{ openshift_hosted_routers }}"

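# Wait for each router DeploymentConfig to roll out. The whole block is
# skipped when openshift_hosted_router_wait is false.
# `--namespace` now falls back to 'default' in all three commands; previously
# only the rollout-status call did, while the other two would fail on an
# item without a namespace key.
- when: openshift_hosted_router_wait
  block:
  # Advisory pass only: rollout status is run with a 600 s async budget,
  # polled every 15 s, and never fails the play (failed_when: false).
  # The two tasks below perform the real check.
  - name: Ensure OpenShift router correctly rolls out (best-effort today)
    command: |
      {{ openshift.common.client_binary }} rollout status deploymentconfig {{ item.name }} \
                        --namespace {{ item.namespace | default('default') }} \
                        --config {{ openshift.common.config_base }}/master/admin.kubeconfig
    async: 600
    poll: 15
    with_items: "{{ openshift_hosted_routers }}"
    failed_when: false

  # Read status.latestVersion so the RC of the current rollout can be named
  # <dc-name>-<latestVersion> in the next task.
  - name: Determine the latest version of the OpenShift router deployment
    command: |
      {{ openshift.common.client_binary }} get deploymentconfig {{ item.name }} \
             --namespace {{ item.namespace | default('default') }} \
             --config {{ openshift.common.config_base }}/master/admin.kubeconfig \
             -o jsonpath='{ .status.latestVersion }'
    register: openshift_hosted_routers_latest_version
    with_items: "{{ openshift_hosted_routers }}"

  # Poll the RC's deployment.phase annotation until it is no longer "Running"
  # (at most 40 retries, 15 s apart); "Failed" in the output fails the task.
  # NOTE(review): an empty phase (RC not yet present, jsonpath miss) also
  # satisfies `until` without tripping `failed_when` — confirm that is the
  # intended outcome rather than a failure.
  - name: Poll for OpenShift router deployment success
    command: |
      {{ openshift.common.client_binary }} get replicationcontroller {{ item.0.name }}-{{ item.1.stdout }} \
             --namespace {{ item.0.namespace | default('default') }} \
             --config {{ openshift.common.config_base }}/master/admin.kubeconfig \
             -o jsonpath='{ .metadata.annotations.openshift\.io/deployment\.phase }'
    register: openshift_hosted_router_rc_phase
    until: "'Running' not in openshift_hosted_router_rc_phase.stdout"
    delay: 15
    retries: 40
    failed_when: "'Failed' in openshift_hosted_router_rc_phase.stdout"
    # Pairs each router entry with its own latestVersion result, in order.
    with_together:
    - "{{ openshift_hosted_routers }}"
    - "{{ openshift_hosted_routers_latest_version.results }}"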