| author | Andrew Butcher <abutcher@redhat.com> | 2016-04-11 15:45:26 -0400 | 
|---|---|---|
| committer | Andrew Butcher <abutcher@redhat.com> | 2016-04-11 15:45:26 -0400 | 
| commit | 4ac07696f3db92d1361290c3a0d7b7637d3d1994 (patch) | |
| tree | 58ec00b29f982a9cd78b80bcf4aed1763a91bec3 /roles | |
| parent | 1bc6b51585c23670fdc08a1df6a89d35cd0b8149 (diff) | |
Add support for creating secure router.
* Move openshift_router to openshift_hosted role which will eventually
  contain registry, metrics and logging.
* Adds option for specifying an openshift_hosted_router_certificate
  cert and key pair.
* Removes dependency on node label variables and retrieves the node
  list from the API so that this role can be applied to any cluster with
  existing nodes. I've added an openshift_hosted playbook that runs
  after node install to account for this.
* Infrastructure nodes are selected using
  openshift_hosted_router_selector which is based on deployment type
  by default; openshift-enterprise -> "region=infra" and online ->
  "type=infra".
Diffstat (limited to 'roles')
| -rwxr-xr-x | roles/openshift_facts/library/openshift_facts.py | 70 | ||||
| -rw-r--r-- | roles/openshift_hosted/README.md | 55 | ||||
| -rw-r--r-- | roles/openshift_hosted/handlers/main.yml (renamed from roles/openshift_router/handlers/main.yml) | 0 | ||||
| -rw-r--r-- | roles/openshift_hosted/meta/main.yml (renamed from roles/openshift_router/meta/main.yml) | 5 | ||||
| -rw-r--r-- | roles/openshift_hosted/tasks/main.yml | 3 | ||||
| -rw-r--r-- | roles/openshift_hosted/tasks/router.yml | 64 | ||||
| -rw-r--r-- | roles/openshift_hosted/vars/main.yml | 2 | ||||
| -rw-r--r-- | roles/openshift_router/README.md | 35 | ||||
| -rw-r--r-- | roles/openshift_router/tasks/main.yml | 10 | ||||
| -rw-r--r-- | roles/openshift_router/vars/main.yml | 4 | 
10 files changed, 170 insertions, 78 deletions
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 32e608e86..92d650550 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -63,7 +63,16 @@ def migrate_local_facts(facts):
     migrated_facts = copy.deepcopy(facts)
     return migrate_docker_facts(migrated_facts)
-
+def migrate_hosted_facts(facts):
+    """ Apply migrations for master facts """
+    if 'master' in facts:
+        if 'router_selector' in facts['master']:
+            if 'hosted' not in facts:
+                facts['hosted'] = {}
+            if 'router' not in facts['hosted']:
+                facts['hosted']['router'] = {}
+            facts['hosted']['router']['selector'] = facts['master'].pop('router_selector')
+    return facts
 def first_ip(network):
     """ Return the first IPv4 address in network
@@ -394,7 +403,7 @@ def set_node_schedulability(facts):
                 facts['node']['schedulable'] = True
     return facts
-def set_master_selectors(facts):
+def set_selectors(facts):
     """ Set selectors facts if not already present in facts dict
         Args:
             facts (dict): existing facts
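Review bot: `migrate_hosted_facts` is added but, within this hunk, `migrate_local_facts` still ends with `return migrate_docker_facts(migrated_facts)` and never calls it, so unless it is wired in somewhere outside the visible lines an existing `master.router_selector` fact is never moved to `hosted.router.selector` and `set_selectors` will fall back to the deployment-type default instead. Consider `return migrate_hosted_facts(migrate_docker_facts(migrated_facts))` in `migrate_local_facts`. The docstring also reads `""" Apply migrations for master facts """` for a function whose only effect is to move a master fact under `hosted`; `""" Move master.router_selector to hosted.router.selector """` describes it. The two nested `not in` guards can be collapsed to `facts.setdefault('hosted', {}).setdefault('router', {})`.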
@@ -403,16 +412,21 @@ def set_master_selectors(facts):
             facts if they were not already present
     """
+    deployment_type = facts['common']['deployment_type']
+    if deployment_type == 'online':
+        selector = "type=infra"
+    else:
+        selector = "region=infra"
+
+    if 'hosted' not in facts:
+        facts['hosted'] = {}
+    if 'router' not in facts['hosted']:
+        facts['hosted']['router'] = {}
+    if 'selector' not in facts['hosted']['router'] or facts['hosted']['router']['selector'] in [None, 'None']:
+        facts['hosted']['router']['selector'] = selector
+
     if 'master' in facts:
         if 'infra_nodes' in facts['master']:
-            deployment_type = facts['common']['deployment_type']
-            if deployment_type == 'online':
-                selector = "type=infra"
-            else:
-                selector = "region=infra"
-
-            if 'router_selector' not in facts['master']:
-                facts['master']['router_selector'] = selector
             if 'registry_selector' not in facts['master']:
                 facts['master']['registry_selector'] = selector
     return facts
@@ -1479,7 +1493,7 @@ class OpenShiftFacts(object):
         facts = set_flannel_facts_if_unset(facts)
         facts = set_nuage_facts_if_unset(facts)
         facts = set_node_schedulability(facts)
-        facts = set_master_selectors(facts)
+        facts = set_selectors(facts)
         facts = set_metrics_facts_if_unset(facts)
         facts = set_identity_providers_if_unset(facts)
         facts = set_sdn_facts_if_unset(facts, self.system_facts)
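Review bot: `set_selectors` now reads `facts['common']['deployment_type']` unconditionally at the top of the function, where the removed code only did so under `'infra_nodes' in facts['master']`; if `common` is not guaranteed to be populated by the time `set_selectors` runs in `OpenShiftFacts`, this raises KeyError for every host rather than leaving the selector unset. `deployment_type = facts.get('common', {}).get('deployment_type')` keeps the earlier tolerance while still defaulting to `region=infra` for anything other than `online`. The `in [None, 'None']` test suggests the selector can arrive as the literal string 'None' from inventory; a comment such as `# a selector set to None in inventory arrives as the string 'None'` would stop the next reader from removing it as a typo. The function's signature is in the preceding hunk.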
@@ -1573,23 +1587,25 @@ class OpenShiftFacts(object):
         if 'cloudprovider' in roles:
             defaults['cloudprovider'] = dict(kind=None)
-        defaults['hosted'] = dict(
-            registry=dict(
-                storage=dict(
-                    kind=None,
-                    volume=dict(
-                        name='registry',
-                        size='5Gi'
-                    ),
-                    nfs=dict(
-                        directory='/exports',
-                        options='*(rw,root_squash)'),
-                    host=None,
-                    access_modes=['ReadWriteMany'],
-                    create_pv=True
-                )
+        if 'hosted' in roles or self.role == 'hosted':
+            defaults['hosted'] = dict(
+                registry=dict(
+                    storage=dict(
+                        kind=None,
+                        volume=dict(
+                            name='registry',
+                            size='5Gi'
+                        ),
+                        nfs=dict(
+                            directory='/exports',
+                            options='*(rw,root_squash)'),
+                        host=None,
+                        access_modes=['ReadWriteMany'],
+                        create_pv=True
+                    )
+                ),
+                router=dict()
             )
-        )
         return defaults
diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md
new file mode 100644
index 000000000..633ec0937
--- /dev/null
+++ b/roles/openshift_hosted/README.md
@@ -0,0 +1,55 @@ +OpenShift Hosted +================ + +OpenShift Hosted Resources + +* OpenShift Router + +Requirements +------------ + +This role requires a running OpenShift cluster with nodes labeled to +match the openshift_hosted_router_selector (default: region=infra). + +Role Variables +-------------- + +From this role: + +| Name                                | Default value                            | Description                                                                                                          | +|-------------------------------------|------------------------------------------|----------------------------------------------------------------------------------------------------------------------| +| openshift_hosted_router_certificate | None                                     | Dictionary containing "certfile" and "keyfile" keys with values containing paths to local certificate files.         | +| openshift_hosted_router_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift router on.                                                                           | +| openshift_hosted_router_replicas    | Number of nodes matching selector        | The number of replicas to configure.                                                                                 | +| openshift_hosted_router_selector    | region=infra                             | Node selector used when creating router. The OpenShift router will only be deployed to nodes matching this selector. 
|
+
+Dependencies
+------------
+
+* openshift_common
+* openshift_hosted_facts
+
+Example Playbook
+----------------
+
+```
+- name: Create hosted resources
+  hosts: oo_first_master
+  roles:
+  - role: openshift_hosted
+    openshift_hosted_router_certificate:
+      certfile: /path/to/my-router.crt
+      keyfile: /path/to/my-router.key
+    openshift_hosted_router_registryurl: 'registry.access.redhat.com/openshift3/ose-haproxy-router:v3.0.2.0'
+    openshift_hosted_router_selector: 'type=infra'
+```
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Red Hat openshift@redhat.com
diff --git a/roles/openshift_router/handlers/main.yml b/roles/openshift_hosted/handlers/main.yml
index e69de29bb..e69de29bb 100644
--- a/roles/openshift_router/handlers/main.yml
+++ b/roles/openshift_hosted/handlers/main.yml
diff --git a/roles/openshift_router/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index c2b0777b5..75dfc24c3 100644
--- a/roles/openshift_router/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -11,5 +11,6 @@ galaxy_info:
     - 7
   categories:
   - cloud
-  dependencies:
-  - openshift_facts
+dependencies:
+- openshift_common
+- openshift_hosted_facts
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
new file mode 100644
index 000000000..d42a4e365
--- /dev/null
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+
+- include: router.yml
diff --git a/roles/openshift_hosted/tasks/router.yml b/roles/openshift_hosted/tasks/router.yml
new file mode 100644
index 000000000..6a36f74b2
--- /dev/null
+++ b/roles/openshift_hosted/tasks/router.yml
@@ -0,0 +1,64 @@
+---
+- fail:
+    msg: "Both 'certfile' and 'keyfile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
+  when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate)
+
+- name: Read router certificate and key
+  slurp:
+    src: "{{ item }}"
+  register: openshift_router_certificate_output
+  with_items:
+  - "{{ openshift_hosted_router_certificate.certfile }}"
+  - "{{ openshift_hosted_router_certificate.keyfile }}"
+  delegate_to: localhost
+  when: openshift_hosted_router_certificate is defined
+
+- name: Persist certificate contents
+  openshift_facts:
+    role: hosted
+    openshift_env:
+      openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
+  when: openshift_hosted_router_certificate is defined
+
+- name: Create PEM certificate
+  copy:
+    content: "{{ openshift.hosted.router.certificate.contents }}"
+    dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
+    mode: 0600
+  when: openshift.hosted.router.certificate | default(None) != None
+
+- name: Retrieve list of openshift nodes
+  command: >
+    {{ openshift.common.client_binary }} --api-version='v1' -o json
+    get nodes -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+  register: openshift_hosted_router_nodes_json
+  when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Collect nodes matching router selector
+  set_fact:
+    openshift_hosted_router_nodes: >
+      {{ (openshift_hosted_router_nodes_json.stdout|from_json)['items']
+         | oo_oc_nodes_matching_selector(openshift.hosted.router.selector) }}
+  when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Create OpenShift router
+  command: >
+    {{ openshift.common.admin_binary }} router --create
+    {% if openshift.hosted.router.replicas | default(None) != None -%}
+    --replicas={{ openshift.hosted.router.replicas }}
+    {% else -%}
+    --replicas={{ openshift_hosted_router_nodes | length }}
+    {% endif %}
+    {% if openshift.hosted.router.certificate | default(None) != None -%}
+    --default-cert={{ openshift_master_config_dir }}/openshift-router.pem
+    {% endif -%}
+    --namespace=default
+    --service-account=router
+    --selector='{{ openshift.hosted.router.selector }}'
+    --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig
+    {% if openshift.hosted.router.registryurl | default(None)!= None -%}
+    --images='{{ openshift.hosted.router.registryurl }}'
+    {% endif -%}
+  register: openshift_hosted_router_results
+  changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
+  when: openshift.hosted.router.replicas | default(None) != None or (openshift_hosted_router_nodes is defined and openshift_hosted_router_nodes | length > 0)
diff --git a/roles/openshift_hosted/vars/main.yml b/roles/openshift_hosted/vars/main.yml
new file mode 100644
index 000000000..9967e26f4
--- /dev/null
+++ b/roles/openshift_hosted/vars/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
diff --git a/roles/openshift_router/README.md b/roles/openshift_router/README.md
deleted file mode 100644
index d490e1038..000000000
--- a/roles/openshift_router/README.md
+++ /dev/null
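Review bot: The router private key read by `Read router certificate and key` and re-emitted by `Persist certificate contents` is not protected with `no_log`, so the decoded key shows up in the registered slurp result and in the `openshift_facts` module return value, i.e. in any verbose or logged run; both tasks should carry `no_log: true`. If `openshift_facts` also writes `openshift_env` values to a local facts file on the master, as the module name suggests, the key is then stored there with that file's default permissions rather than the `mode: 0600` the later `copy` task applies to the PEM — worth confirming before merging. Separately, the Jinja loop in `openshift_hosted_router_certificate_contents` concatenates the two decoded files with nothing between them and `-%}` trimming, so a certificate file lacking a trailing newline leaves `-----END CERTIFICATE-----` and the key's `-----BEGIN` on one line and the router will reject the PEM; joining explicitly, e.g. `{{ openshift_router_certificate_output.results | map(attribute='content') | map('b64decode') | join('\n') }}`, avoids that. The `fail` guard only checks that both keys are present, not that the referenced files exist, so a typo in a path surfaces later as a slurp error rather than up front.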
@@ -1,35 +0,0 @@ -OpenShift Container Router -========================== - -OpenShift Router service installation - -Requirements ------------- - -Running OpenShift cluster - -Role Variables --------------- - -From this role: -| Name               | Default value                                         |                     | -|--------------------|-------------------------------------------------------|---------------------| -|                    |                                                       |                     | - -Dependencies ------------- - -Example Playbook ----------------- - -TODO - -License -------- - -Apache License, Version 2.0 - -Author Information ------------------- - -Red Hat openshift@redhat.com diff --git a/roles/openshift_router/tasks/main.yml b/roles/openshift_router/tasks/main.yml deleted file mode 100644 index 40365d04d..000000000 --- a/roles/openshift_router/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Deploy OpenShift Router -  command: > -    {{ openshift.common.admin_binary }} router -    --create --replicas={{ openshift.master.infra_nodes | length }} -    --namespace=default -    --service-account=router {{ ortr_selector }} -    --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig {{ ortr_images }} -  register: ortr_results -  changed_when: "'service exists' not in ortr_results.stdout" diff --git a/roles/openshift_router/vars/main.yml b/roles/openshift_router/vars/main.yml deleted file mode 100644 index bcac12068..000000000 --- a/roles/openshift_router/vars/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -openshift_master_config_dir: "{{ openshift.common.config_base }}/master" -ortr_images: "--images='{{ openshift.master.registry_url }}'" -ortr_selector: "--selector='{{ openshift.master.router_selector }}'" | 
