path: root/roles/openshift_master/tasks/main.yml
blob: b1412c3d995ec672149f5927f7bc567b0ea6f1ea (plain)
---
# TODO: add ability to configure certificates given either a local file to
#       point to or certificate contents, set in default cert locations.

# Authentication Variable Validation
# TODO: validate the different identity provider kinds as well
# Abort the play early when a grant method was supplied that is not one of
# the values listed in openshift_master_valid_grant_methods.
- fail:
    msg: >
      Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }}
  when:
    - openshift_master_oauth_grant_method is defined
    - openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods

# HA Variable Validation
# These checks only apply to multi-master (openshift.master.ha) installs; each
# condition list is ANDed, so the cluster_method comparisons below are never
# evaluated on single-master hosts.
- fail:
    msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations"
  when:
    - openshift.master.ha | bool
    - openshift.master.cluster_method is not defined or openshift.master.cluster_method not in ['native', 'pacemaker']

- fail:
    msg: "'native' high availability is not supported for the requested OpenShift version"
  when:
    - openshift.master.ha | bool
    - openshift.master.cluster_method == 'native'
    - not openshift.common.version_gte_3_1_or_1_1 | bool

# Pacemaker needs a password for the hacluster user (set further down in
# this file); an unset or empty value is rejected here.
- fail:
    msg: 'openshift_master_cluster_password must be set for multi-master installations'
  when:
    - openshift.master.ha | bool
    - openshift.master.cluster_method == 'pacemaker'
    - openshift_master_cluster_password is not defined or not openshift_master_cluster_password

- fail:
    msg: 'Pacemaker based HA is not supported at this time when used with containerized installs'
  when:
    - openshift.master.ha | bool
    - openshift.master.cluster_method == 'pacemaker'
    - openshift.common.is_containerized | bool

# Firewall rules live in firewall.yml; the include is resolved statically at
# parse time.
- name: Open up firewall ports
  include: firewall.yml
  static: true

# RPM install of the master package; the version suffix (with its leading
# dash) is derived from openshift_pkg_version and is empty when that variable
# is unset. Containerized hosts get the master from an image instead.
- name: Install Master package
  package:
    state: present
    name: "{{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
  when: not openshift.common.is_containerized | bool

# Containerized installs need the data directory created on the host; it is
# root-owned and world-readable (0755), not writable by other users.
- name: Create openshift.common.data_dir
  file:
    path: '{{ openshift.common.data_dir }}'
    state: directory
    owner: root
    group: root
    mode: '0755'
  when: openshift.common.is_containerized | bool

- name: Reload systemd units
  # NOTE(review): nothing earlier in this file registers install_result (the
  # only `register: install_result` is on the pacemaker package task near the
  # end of the file), so unless an earlier role or include defines it, this
  # condition raises an undefined-variable error on containerized hosts —
  # confirm where the variable is expected to come from.
  command: systemctl daemon-reload
  when:
    - openshift.common.is_containerized | bool
    - install_result | changed

# Facts such as the installed version can only be determined once the package
# is present, so they are re-collected here.
- name: Re-gather package dependent master facts
  openshift_facts:

# Default permissions apply here; the config files written below set their
# own (0600) modes.
- name: Create config parent directory if it does not exist
  file:
    state: directory
    path: '{{ openshift_master_config_dir }}'

# Bootstrap policy is generated once; `creates` makes this a no-op (and
# therefore not a handler trigger) when the file is already present.
- name: Create the policy file if it does not already exist
  command: >
    {{ openshift.common.client_binary }} adm
    create-bootstrap-policy-file --filename={{ openshift_master_policy }}
  args:
    creates: '{{ openshift_master_policy }}'
  notify:
    - restart master api
    - restart master controllers

# The scheduler configuration is rendered from the scheduler_config variable
# as JSON; the previous file is kept as a backup when the content changes.
- name: Create the scheduler config
  copy:
    dest: '{{ openshift_master_scheduler_conf }}'
    content: '{{ scheduler_config | to_nice_json }}'
    backup: true
  notify:
    - restart master api
    - restart master controllers

# htpasswd(1) ships in httpd-tools; only needed when an HTPasswd identity
# provider is configured, and never on Atomic hosts (no package manager).
- name: Install httpd-tools if needed
  package:
    name: httpd-tools
    state: present
  with_items: '{{ openshift.master.identity_providers }}'
  when:
    - item.kind == 'HTPasswdPasswordIdentityProvider'
    - not openshift.common.is_atomic | bool

# Each HTPasswd provider names its own file; make sure the parent directory
# of that file exists before anything is written to it.
- name: Ensure htpasswd directory exists
  file:
    state: directory
    path: '{{ item.filename | dirname }}'
  with_items: '{{ openshift.master.identity_providers }}'
  when: item.kind == 'HTPasswdPasswordIdentityProvider'

# When the role manages the htpasswd contents (openshift.master.manage_htpasswd)
# the file is rendered from htpasswd.j2, keeping a backup of the old version.
- name: Create the htpasswd file if needed
  template:
    src: htpasswd.j2
    dest: '{{ item.filename }}'
    backup: true
  with_items: '{{ openshift.master.identity_providers }}'
  when:
    - item.kind == 'HTPasswdPasswordIdentityProvider'
    - openshift.master.manage_htpasswd | bool

# Guarantees the file exists with owner-only permissions (0600) without
# overwriting one that is already there (force: false), e.g. a file that is
# maintained outside this role.
- name: Ensure htpasswd file exists
  copy:
    dest: '{{ item.filename }}'
    content: ''
    force: false
    mode: '0600'
  with_items: '{{ openshift.master.identity_providers }}'
  when: item.kind == 'HTPasswdPasswordIdentityProvider'

# Writes openshift.master.ldap_ca for each LDAP provider. The destination is
# item.ca when it already contains a path separator; otherwise the file is
# placed under openshift_master_config_dir, named item.ca or, when the
# provider has no `ca` key, ldap_ca.crt.
- name: Create the ldap ca file if needed
  copy:
    content: '{{ openshift.master.ldap_ca }}'
    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('ldap_ca.crt') }}"
    backup: true
    mode: '0600'
  with_items: '{{ openshift.master.identity_providers }}'
  when:
    - openshift.master.ldap_ca is defined
    - item.kind == 'LDAPPasswordIdentityProvider'

# Same path logic as the LDAP CA file, but unlike that task this one is
# skipped when the provider has no (or an empty) `ca` key.
- name: Create the openid ca file if needed
  copy:
    content: '{{ openshift.master.openid_ca }}'
    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('openid_ca.crt') }}"
    backup: true
    mode: '0600'
  with_items: '{{ openshift.master.identity_providers }}'
  when:
    - openshift.master.openid_ca is defined
    - item.kind == 'OpenIDIdentityProvider'
    - item.ca | default('') != ''

# Request-header providers use the `clientCA` key rather than `ca`; the
# destination is derived from it the same way as for the LDAP/OpenID CAs,
# and the task is skipped when clientCA is missing or empty.
- name: Create the request header ca file if needed
  copy:
    content: '{{ openshift.master.request_header_ca }}'
    dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else openshift_master_config_dir ~ '/' ~ item.clientCA | default('request_header_ca.crt') }}"
    backup: true
    mode: '0600'
  with_items: '{{ openshift.master.identity_providers }}'
  when:
    - openshift.master.request_header_ca is defined
    - item.kind == 'RequestHeaderIdentityProvider'
    - item.clientCA | default('') != ''

# This is an ugly hack to verify settings are in a file without modifying them with lineinfile.
# The template file will stomp any other settings made.
# openshift_push_via_dns ends up true either when dnsmasq is in use on a 3.6+
# cluster, or when the sysconfig file already carries the
# OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000 setting.
- block:
    # awk prints the matching line (if any); an absent file or no match is not
    # an error here, it simply leaves stdout empty.
    - name: check whether our docker-registry setting exists in the env file
      command: >-
        awk '/^OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000/'
        /etc/sysconfig/{{ openshift.common.service_type }}-master
      register: already_set
      failed_when: false
      changed_when: false

    # NOTE(review): `match` is used here as a filter; newer Ansible releases
    # expect the `is match` test form — confirm against the Ansible version
    # this role targets.
    - set_fact:
        openshift_push_via_dns: >-
          {{ (openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6)
          or (already_set.stdout is defined and already_set.stdout | match('OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000')) }}

# Records the etcd host IPs as a common-role local fact so they can be added
# to the no_proxy configuration.
- name: Set fact of all etcd host IPs
  openshift_facts:
    local_facts:
      no_proxy_etcd_host_ips: '{{ openshift_no_proxy_etcd_host_ips }}'
    role: common

# Old single-service unit files are cleaned up before the api/controllers
# units are laid down.
- name: Remove the legacy master service if it exists
  include: clean_systemd_units.yml

- name: Install the systemd units
  include: systemd_units.yml

# Only for containerized hosts that run the master as a system container.
- name: Install Master system container
  include: system_container.yml
  when:
    - openshift.common.is_containerized | bool
    - openshift.common.is_master_system_container | bool

# Session auth/encryption secrets are written root-only (0600) and only when
# both secret sets are defined; the API server is restarted to pick them up.
- name: Create session secrets file
  template:
    src: sessionSecretsFile.yaml.v1.j2
    dest: '{{ openshift.master.session_secrets_file }}'
    owner: root
    group: root
    mode: '0600'
  when:
    - openshift.master.session_auth_secrets is defined
    - openshift.master.session_encryption_secrets is defined
  notify:
    - restart master api

# Identity provider definitions are translated to the v1 config schema for
# the deployed version/type before the master config is rendered.
- set_fact:
    translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1', openshift.common.version, openshift.common.deployment_type) }}"

# TODO: add the validate parameter when there is a validation command to run
# The master config contains credentials/secrets and is written root-only.
- name: Create master config
  template:
    src: master.yaml.v1.j2
    dest: '{{ openshift_master_config_file }}'
    owner: root
    group: root
    mode: '0600'
    backup: true
  notify:
    - restart master api
    - restart master controllers

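# set_loopback_context.yml is only included from 3.2 / 1.2 onwards. The fact
# is cast with `| bool`, as every other version_gte_* check in this file does,
# so a string-valued fact is not silently treated as truthy.
- include: set_loopback_context.yml
  when: openshift.common.version_gte_3_2_or_1_2 | bool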

# Native HA: the API is brought up on the first master alone before the
# others, so the controller election below has something to talk to.
- name: Start and enable master api on first master
  systemd:
    name: '{{ openshift.common.service_type }}-master-api'
    state: started
    enabled: true
  register: start_result
  # One retry after a 60 s delay before the failure is reported.
  until: not start_result | failed
  retries: 1
  delay: 60
  when:
    - openshift.master.cluster_method == 'native'
    - inventory_hostname == openshift_master_hosts[0]

- name: Dump logs from master-api if it failed
  command: 'journalctl --no-pager -n 100 -u {{ openshift.common.service_type }}-master-api'
  when: start_result | failed

- set_fact:
    master_api_service_status_changed: '{{ start_result | changed }}'
  when:
    - openshift.master.cluster_method == 'native'
    - inventory_hostname == openshift_master_hosts[0]

# Gives the first master's API a head start before the remaining masters
# are started.
- pause:
    seconds: 15
  when:
    - openshift.master.ha | bool
    - openshift.master.cluster_method == 'native'

# Same as the first-master start above, for every other native-HA master.
- name: Start and enable master api all masters
  systemd:
    name: '{{ openshift.common.service_type }}-master-api'
    state: started
    enabled: true
  register: start_result
  until: not start_result | failed
  retries: 1
  delay: 60
  when:
    - openshift.master.cluster_method == 'native'
    - inventory_hostname != openshift_master_hosts[0]

- name: Dump logs from master-api if it failed
  command: 'journalctl --no-pager -n 100 -u {{ openshift.common.service_type }}-master-api'
  when: start_result | failed

- set_fact:
    master_api_service_status_changed: '{{ start_result | changed }}'
  when:
    - openshift.master.cluster_method == 'native'
    - inventory_hostname != openshift_master_hosts[0]

# A separate wait is required here for native HA since notifies will
# be resolved after all tasks in the role.
- name: Wait for API to become available
  # Using curl here since the uri module requires python-httplib2 and
  # wait_for port doesn't provide health information.
  # TLS 1.2 is forced and the server certificate is checked against the
  # master CA (ca-bundle.crt from 3.2 / 1.2 on, ca.crt before), so an 'ok'
  # answer also confirms the endpoint presents a certificate we trust.
  command: >
    curl --silent --tlsv1.2
    --cacert {{ openshift.common.config_base }}/master/{{ 'ca-bundle.crt' if openshift.common.version_gte_3_2_or_1_2 | bool else 'ca.crt' }}
    {{ openshift.master.api_url }}/healthz/ready
  when:
    - openshift.master.cluster_method == 'native'
    - master_api_service_status_changed | bool
  run_once: true
  changed_when: false
  register: api_available_output
  # Polls once a second for up to two minutes.
  until: api_available_output.stdout == 'ok'
  retries: 120
  delay: 1

# Controllers follow the same first-master-then-the-rest ordering as the API.
- name: Start and enable master controller on first master
  systemd:
    name: '{{ openshift.common.service_type }}-master-controllers'
    state: started
    enabled: true
  register: start_result
  until: not start_result | failed
  retries: 1
  delay: 60
  when:
    - openshift.master.cluster_method == 'native'
    - inventory_hostname == openshift_master_hosts[0]

- name: Dump logs from master-controllers if it failed
  command: 'journalctl --no-pager -n 100 -u {{ openshift.common.service_type }}-master-controllers'
  when: start_result | failed

- name: Wait for master controller service to start on first master
  pause:
    seconds: 15
  when: openshift.master.cluster_method == 'native'

- name: Start and enable master controller on all masters
  systemd:
    name: '{{ openshift.common.service_type }}-master-controllers'
    state: started
    enabled: true
  register: start_result
  until: not start_result | failed
  retries: 1
  delay: 60
  when:
    - openshift.master.cluster_method == 'native'
    - inventory_hostname != openshift_master_hosts[0]

- name: Dump logs from master-controllers if it failed
  command: 'journalctl --no-pager -n 100 -u {{ openshift.common.service_type }}-master-controllers'
  when: start_result | failed

# Unlike the API fact above, this one is set on every native-HA master from
# whichever start task ran last on the host.
- set_fact:
    master_controllers_service_status_changed: '{{ start_result | changed }}'
  when: openshift.master.cluster_method == 'native'

# Pacemaker HA only (and never on containerized hosts, which the validation
# at the top of this file already rejects). install_result is consulted
# later to decide whether the hacluster password needs to be set.
- name: Install cluster packages
  package:
    name: pcs
    state: present
  register: install_result
  when:
    - openshift.master.cluster_method == 'pacemaker'
    - not openshift.common.is_containerized | bool

- name: Start and enable cluster service
  systemd:
    name: pcsd
    state: started
    enabled: true
  when:
    - openshift.master.cluster_method == 'pacemaker'
    - not openshift.common.is_containerized | bool

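# Runs only on the pcs install that actually changed something, so a later
# change of openshift_master_cluster_password is not applied to hosts where
# pcs was already present.
- name: Set the cluster user password
  # no_log keeps the password out of Ansible's output and log files. It is
  # still passed to the shell as part of the command string, so it can be
  # briefly visible to local users in the process table — NOTE(review):
  # the command module's stdin argument would avoid that where the Ansible
  # version in use supports it.
  shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster
  when: install_result | changed
  no_log: true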