diff options
218 files changed, 6927 insertions, 3097 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 9dcd067e5..2a6d4e915 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.7.0-0.143.0 ./
+3.7.0-0.156.0 ./
diff --git a/images/installer/README_CONTAINER_IMAGE.md b/images/installer/README_CONTAINER_IMAGE.md
index bc1ebb4a8..bfe3661c0 100644
--- a/images/installer/README_CONTAINER_IMAGE.md
+++ b/images/installer/README_CONTAINER_IMAGE.md
@@ -45,4 +45,6 @@ These options may be set via the ``atomic`` ``--set`` flag. For defaults see ``r
 * ANSIBLE_CONFIG - Full path for the ansible configuration file to use inside the container
-* INVENTORY_FILE - Full path for the inventory to use from the host
\ No newline at end of file
+* INVENTORY_FILE - Full path for the inventory to use from the host
+
+* INVENTORY_DIR - Full path for the inventory directory to use (e.g. for use with a hybrid dynamic/static inventory)
diff --git a/images/installer/root/usr/local/bin/run b/images/installer/root/usr/local/bin/run
index 70aa0bac3..cd38a6ff0 100755
--- a/images/installer/root/usr/local/bin/run
+++ b/images/installer/root/usr/local/bin/run
@@ -19,6 +19,9 @@ if [[ -v INVENTORY_FILE ]]; then
   # Make a copy so that ALLOW_ANSIBLE_CONNECTION_LOCAL below
   # does not attempt to modify the original
   cp -a ${INVENTORY_FILE} ${INVENTORY}
+elif [[ -v INVENTORY_DIR ]]; then
+  INVENTORY="$(mktemp -d)"
+  cp -R ${INVENTORY_DIR}/* ${INVENTORY}
 elif [[ -v INVENTORY_URL ]]; then
   curl -o ${INVENTORY} ${INVENTORY_URL}
 elif [[ -v DYNAMIC_SCRIPT_URL ]]; then
@@ -29,7 +32,7 @@ elif [[ -v GENERATE_INVENTORY ]]; then
   /usr/local/bin/generate ${INVENTORY}
 else
   echo
-  echo "One of INVENTORY_FILE, INVENTORY_URL, GENERATE_INVENTORY, or DYNAMIC_SCRIPT_URL must be provided."
+  echo "One of INVENTORY_FILE, INVENTORY_DIR, INVENTORY_URL, GENERATE_INVENTORY, or DYNAMIC_SCRIPT_URL must be provided."
   exec /usr/local/bin/usage
 fi
 INVENTORY_ARG="-i ${INVENTORY}"
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.example
index 30987fa38..0b6050891 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.example
@@ -27,7 +27,8 @@ ansible_ssh_user=root
 debug_level=2
 # Specify the deployment type. Valid values are origin and openshift-enterprise.
-openshift_deployment_type=openshift-enterprise
+openshift_deployment_type=origin
+#openshift_deployment_type=openshift-enterprise
 # Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we
 # rely on the version running on the first master. Works best for containerized installs where we can usually
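Review bot: The new INVENTORY_DIR branch expands `${INVENTORY_DIR}/*` and `${INVENTORY}` unquoted, so a directory path containing whitespace or glob characters is word-split and re-globbed before `cp` sees it, and the bare `*` silently skips dot-files placed next to the inventory (a `.vault` or `.ansible` file, for example), which the INVENTORY_FILE branch just above sidesteps by copying one named path. Using `-R` alone also presumably loses the ownership and timestamps that the existing branch keeps with `cp -a`. I would write the copy as `cp -a "${INVENTORY_DIR}/." "${INVENTORY}"`, which quotes both paths and copies the whole directory contents including dot-files. The enclosing `if`/`elif` chain begins before this hunk and continues past it.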
@@ -58,6 +59,8 @@ openshift_release=v3.7
 #openshift_use_etcd_system_container=False
 #
 # In either case, system_images_registry must be specified to be able to find the system images
+#system_images_registry="docker.io"
+# when openshift_deployment_type=='openshift-enterprise'
 #system_images_registry="registry.access.redhat.com"
 # Manage openshift example imagestreams and templates during install and upgrade
@@ -124,15 +127,15 @@ openshift_release=v3.7
 # Default value: "--log-driver=journald"
 #openshift_docker_options="-l warn --ipv6=false"
+# Specify exact version of Docker to configure or upgrade to.
+# Downgrades are not supported and will error out. Be careful when upgrading docker from < 1.10 to > 1.10.
+# docker_version="1.12.1"
+
 # Specify whether to run Docker daemon with SELinux enabled in containers. Default is True.
 # Uncomment below to disable; for example if your kernel does not support the
 # Docker overlay/overlay2 storage drivers with SELinux enabled.
 #openshift_docker_selinux_enabled=False
-# Specify exact version of Docker to configure or upgrade to.
-# Downgrades are not supported and will error out. Be careful when upgrading docker from < 1.10 to > 1.10.
-# docker_version="1.12.1"
-
 # Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone.
 # docker_upgrade=False
@@ -179,7 +182,7 @@ openshift_release=v3.7
 #oreg_auth_credentials_replace: True
 # OpenShift repository configuration
-#openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://example.com/puddle/build/AtomicOpenShift/3.1/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}]
+#openshift_additional_repos=[{'id': 'openshift-origin-copr', 'name': 'OpenShift Origin COPR', 'baseurl': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/epel-7-$basearch/', 'enabled': 1, 'gpgcheck': 1, 'gpgkey': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/pubkey.gpg'}]
 #openshift_repos_enable_testing=false
 # htpasswd auth
@@ -237,9 +240,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # CloudForms Management Engine (ManageIQ) App Install
 #
 # Enables installation of MIQ server. Recommended for dedicated
-# clusters only. See roles/openshift_cfme/README.md for instructions
+# clusters only. See roles/openshift_management/README.md for instructions
 # and requirements.
-#openshift_cfme_install_app=False
+#openshift_management_install_management=False
 # Cloud Provider Configuration
 #
@@ -346,7 +349,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # default storage plugin dependencies to install, by default the ceph and
 # glusterfs plugin dependencies will be installed, if available.
-#osn_storage_plugin_deps=['ceph','glusterfs']
+#osn_storage_plugin_deps=['ceph','glusterfs','iscsi']
 # OpenShift Router Options
 #
@@ -461,7 +464,6 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_hosted_registry_storage_volume_size=10Gi
 #
 # AWS S3
-#
 # S3 bucket must already exist.
 #openshift_hosted_registry_storage_kind=object
 #openshift_hosted_registry_storage_provider=s3
@@ -549,8 +551,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # `/hawkular/metrics` path will break installation of metrics.
 #openshift_metrics_hawkular_hostname=hawkular-metrics.example.com
 # Configure the prefix and version for the component images
-#openshift_metrics_image_prefix=registry.example.com:8888/openshift3/
-#openshift_metrics_image_version=3.7.0
+#openshift_metrics_image_prefix=docker.io/openshift/origin-
+#openshift_metrics_image_version=v3.7
+# when openshift_deployment_type=='openshift-enterprise'
+#openshift_metrics_image_prefix=registry.access.redhat.com/openshift3/
+#openshift_metrics_image_version=v3.7
 #
 # StorageClass
 # openshift_storageclass_name=gp2
@@ -604,7 +609,10 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # this value must be 1
 #openshift_logging_es_cluster_size=1
 # Configure the prefix and version for the component images
-#openshift_logging_image_prefix=registry.example.com:8888/openshift3/
+#openshift_logging_image_prefix=docker.io/openshift/origin-
+#openshift_logging_image_version=v3.7.0
+# when openshift_deployment_type=='openshift-enterprise'
+#openshift_logging_image_prefix=registry.access.redhat.com/openshift3/
 #openshift_logging_image_version=3.7.0
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
@@ -662,8 +670,10 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_master_api_port=8443
 #openshift_master_console_port=8443
-# set RPM version for debugging purposes
-#openshift_pkg_version=-3.1.0.0
+# set exact RPM version (include - prefix)
+#openshift_pkg_version=-3.6.0
+# you may also specify version and release, ie:
+#openshift_pkg_version=-3.7.0-0.126.0.git.0.9351aae.el7
 # Configure custom ca certificate
 #openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'}
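Review bot: The logging hunk leaves the enterprise version as the unchanged context line `#openshift_logging_image_version=3.7.0` while the origin line added directly above it reads `v3.7.0`, and the metrics hunk earlier in this same file rewrites both the origin and enterprise versions to `v3.7`; three spellings of one release in two adjacent sections invite a reader to copy the wrong tag. If the enterprise logging images use the same tag scheme as the metrics ones, the context line should become `#openshift_logging_image_version=v3.7` and the origin line should match it; if the logging tags genuinely differ, say so in the `# when openshift_deployment_type=='openshift-enterprise'` comment. This is a documentation-only change to the example inventory.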
@@ -675,6 +685,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure custom named certificates (SNI certificates)
 #
+# https://docs.openshift.org/latest/install_config/certificate_customization.html
 # https://docs.openshift.com/enterprise/latest/install_config/certificate_customization.html
 #
 # NOTE: openshift_master_named_certificates is cached on masters and is an
@@ -739,6 +750,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # openshift_use_dnsmasq is deprecated.  This must be true, or installs will fail
 # in versions >= 3.6
 #openshift_use_dnsmasq=False
+
 # Define an additional dnsmasq.conf file to deploy to /etc/dnsmasq.d/openshift-ansible.conf
 # This is useful for POC environments where DNS may not actually be available yet or to set
 # options like 'strict-order' to alter dnsmasq configuration.
@@ -821,7 +833,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_master_controllers_env_vars={"ENABLE_HTTP2": "true"}
 #openshift_node_env_vars={"ENABLE_HTTP2": "true"}
-# Enable API service auditing, available as of 3.2
+# Enable API service auditing
 #openshift_master_audit_config={"enabled": true}
 #
 # In case you want more advanced setup for the auditlog you can
@@ -830,6 +842,10 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # exist
 #openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/openpaas-oscp-audit/openpaas-oscp-audit.log", "maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5}
+# Enable origin repos that point at Centos PAAS SIG, defaults to true, only used
+# by deployment_type=origin
+#openshift_enable_origin_repo=false
+
 # Validity of the auto-generated OpenShift certificates in days.
 # See also openshift_hosted_registry_cert_expire_days above.
 #
@@ -878,9 +894,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # You may wish to disable these or make them non fatal
 #
 # openshift_upgrade_pre_storage_migration_enabled=true
-# openshift_upgrade_pre_storage_migration_fatal==true
+# openshift_upgrade_pre_storage_migration_fatal=true
 # openshift_upgrade_post_storage_migration_enabled=true
-# openshift_upgrade_post_storage_migration_fatal==false
+# openshift_upgrade_post_storage_migration_fatal=false
 # host group for masters
 [masters]
@@ -900,3 +916,61 @@ ose3-lb-ansible.test.example.com containerized=false
 [nodes]
 ose3-master[1:3]-ansible.test.example.com
 ose3-node[1:2]-ansible.test.example.com openshift_node_labels="{'region': 'primary', 'zone': 'default'}"
+
+# CloudForms/ManageIQ (CFME/MIQ) Configuration
+
+# See the readme for full descriptions and getting started
+# instructions: ../../roles/openshift_management/README.md or go directly to
+# their definitions: ../../roles/openshift_management/defaults/main.yml
+# ../../roles/openshift_management/vars/main.yml
+#
+# Namespace for the CFME project
+#openshift_management_project: openshift-management
+
+# Namespace/project description
+#openshift_management_project_description: CloudForms Management Engine
+
+# Choose 'miq-template' for a podified database install
+# Choose 'miq-template-ext-db' for an external database install
+#
+# If you are using the miq-template-ext-db template then you must add
+# the required database parameters to the
+# openshift_management_template_parameters variable.
+#openshift_management_app_template: miq-template
+
+# Allowed options: nfs, nfs_external, preconfigured, cloudprovider.
+#openshift_management_storage_class: nfs
+
+# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a
+# netapp appliance, then you must set the hostname here. Leave the
+# value as 'false' if you are not using external NFS.
+#openshift_management_storage_nfs_external_hostname: false
+
+# [OPTIONAL] - If you are using external NFS then you must set the base
+# path to the exports location here.
+#
+# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports
+# that will back the application PV and optionally the database
+# pv. Export path definitions, relative to
+# {{ openshift_management_storage_nfs_base_dir }}
+#
+# LOCAL NFS NOTE:
+#
+# You may may also change this value if you want to change the default
+# path used for local NFS exports.
+#openshift_management_storage_nfs_base_dir: /exports
+
+# LOCAL NFS NOTE:
+#
+# You may override the automatically selected LOCAL NFS server by
+# setting this variable. Useful for testing specific task files.
+#openshift_management_storage_nfs_local_hostname: false
+
+# A hash of parameters you want to override or set in the
+# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in
+# your inventory file as a simple hash. Acceptable values are defined
+# under the .parameters list in files/miq-template{-ext-db}.yaml
+# Example:
+#
+# openshift_management_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}
+#openshift_management_template_parameters: {}
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
deleted file mode 100644
index c8c60bb60..000000000
--- a/inventory/byo/hosts.origin.example
+++ /dev/null
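Review bot: Every commented-out setting added in this hunk uses a `key: value` delimiter (`#openshift_management_project: openshift-management`, `#openshift_management_storage_class: nfs`, `#openshift_management_template_parameters: {}`) while the rest of this INI inventory, and the hunk's own worked example `openshift_management_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}`, use `key=value`; a user who uncomments a line as written gets something the INI inventory parser is unlikely to treat as a variable assignment. The block is also appended below the `[nodes]` host list rather than under `[OSEv3:vars]`, where the file keeps every other cluster variable, so even in `=` form the lines would presumably be read as entries of the `nodes` group; the `[OSEv3:vars]` header lies outside this hunk. I would rewrite each setting in the `=` form, e.g. `#openshift_management_project=openshift-management`, and move the whole block up into `[OSEv3:vars]`. Minor: the added comment `You may may also change this value` has a doubled word.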
@@ -1,899 +0,0 @@ -# This is an example of a bring your own (byo) host inventory - -# Create an OSEv3 group that contains the masters and nodes groups -[OSEv3:children] -masters -nodes -etcd -lb -nfs - -# Set variables common for all OSEv3 hosts -[OSEv3:vars] -# Enable unsupported configurations, things that will yield a partially -# functioning cluster but would not be supported for production use -#openshift_enable_unsupported_configurations=false - -# SSH user, this user should allow ssh based auth without requiring a -# password. If using ssh key based auth, then the key should be managed by an -# ssh agent. -ansible_ssh_user=root - -# If ansible_ssh_user is not root, ansible_become must be set to true and the -# user must be configured for passwordless sudo -#ansible_become=yes - -# Debug level for all OpenShift components (Defaults to 2) -debug_level=2 - -# Specify the deployment type. Valid values are origin and openshift-enterprise. -openshift_deployment_type=origin - -# Specify the generic release of OpenShift to install. This is used mainly just during installation, after which we -# rely on the version running on the first master. Works best for containerized installs where we can usually -# use this to lookup the latest exact version of the container images, which is the tag actually used to configure -# the cluster. For RPM installations we just verify the version detected in your configured repos matches this -# release. -openshift_release=v3.7 - -# Specify an exact container image tag to install or configure. -# WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed. -# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. -#openshift_image_tag=v3.7.0 - -# Specify an exact rpm version to install or configure. 
-# WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed. -# This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up. -#openshift_pkg_version=-3.7.0 - -# This enables all the system containers except for docker: -#openshift_use_system_containers=False -# -# But you can choose separately each component that must be a -# system container: -# -#openshift_use_openvswitch_system_container=False -#openshift_use_node_system_container=False -#openshift_use_master_system_container=False -#openshift_use_etcd_system_container=False -# -# In either case, system_images_registry must be specified to be able to find the system images -#system_images_registry="docker.io" - -# Install the openshift examples -#openshift_install_examples=true - -# Configure logoutURL in the master config for console customization -# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#changing-the-logout-url -#openshift_master_logout_url=http://example.com - -# Configure extensionScripts in the master config for console customization -# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#loading-custom-scripts-and-stylesheets -#openshift_master_extension_scripts=['/path/to/script1.js','/path/to/script2.js'] - -# Configure extensionStylesheets in the master config for console customization -# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#loading-custom-scripts-and-stylesheets -#openshift_master_extension_stylesheets=['/path/to/stylesheet1.css','/path/to/stylesheet2.css'] - -# Configure extensions in the master config for console customization -# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files -#openshift_master_extensions=[{'name': 'images', 'sourceDirectory': '/path/to/my_images'}] - -# Configure extensions 
in the master config for console customization -# See: https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files -#openshift_master_oauth_template=/path/to/login-template.html - -# Configure imagePolicyConfig in the master config -# See: https://godoc.org/github.com/openshift/origin/pkg/cmd/server/api#ImagePolicyConfig -#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true} - -# Configure master API rate limits for external clients -#openshift_master_external_ratelimit_qps=200 -#openshift_master_external_ratelimit_burst=400 -# Configure master API rate limits for loopback clients -#openshift_master_loopback_ratelimit_qps=300 -#openshift_master_loopback_ratelimit_burst=600 - -# Docker Configuration -# Add additional, insecure, and blocked registries to global docker configuration -# For enterprise deployment types we ensure that registry.access.redhat.com is -# included if you do not include it -#openshift_docker_additional_registries=registry.example.com -#openshift_docker_insecure_registries=registry.example.com -#openshift_docker_blocked_registries=registry.hacker.com -# Disable pushing to dockerhub -#openshift_docker_disable_push_dockerhub=True -# Use Docker inside a System Container. Note that this is a tech preview and should -# not be used to upgrade! -# The following options for docker are ignored: -# - docker_version -# - docker_upgrade -# The following options must not be used -# - openshift_docker_options -#openshift_docker_use_system_container=False -# Instead of using docker, replacec it with cri-o -# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override -# just as container-engine does. -#openshift_use_crio=False -# Force the registry to use for the docker/crio system container. By default the registry -# will be built off of the deployment type and ansible_distribution. 
Only -# use this option if you are sure you know what you are doing! -#openshift_docker_systemcontainer_image_override="registry.example.com/container-engine:latest" -#openshift_crio_systemcontainer_image_override="registry.example.com/cri-o:latest" -# Items added, as is, to end of /etc/sysconfig/docker OPTIONS -# Default value: "--log-driver=journald" -#openshift_docker_options="-l warn --ipv6=false" - -# Specify exact version of Docker to configure or upgrade to. -# Downgrades are not supported and will error out. Be careful when upgrading docker from < 1.10 to > 1.10. -# docker_version="1.12.1" - -# Specify whether to run Docker daemon with SELinux enabled in containers. Default is True. -# Uncomment below to disable; for example if your kernel does not support the -# Docker overlay/overlay2 storage drivers with SELinux enabled. -#openshift_docker_selinux_enabled=False - -# Skip upgrading Docker during an OpenShift upgrade, leaves the current Docker version alone. -# docker_upgrade=False - -# Specify exact version of etcd to configure or upgrade to. -# etcd_version="3.1.0" -# Enable etcd debug logging, defaults to false -# etcd_debug=true -# Set etcd log levels by package -# etcd_log_package_levels="etcdserver=WARNING,security=DEBUG" - -# Upgrade Hooks -# -# Hooks are available to run custom tasks at various points during a cluster -# upgrade. Each hook should point to a file with Ansible tasks defined. Suggest using -# absolute paths, if not the path will be treated as relative to the file where the -# hook is actually used. -# -# Tasks to run before each master is upgraded. -# openshift_master_upgrade_pre_hook=/usr/share/custom/pre_master.yml -# -# Tasks to run to upgrade the master. These tasks run after the main openshift-ansible -# upgrade steps, but before we restart system/services. -# openshift_master_upgrade_hook=/usr/share/custom/master.yml -# -# Tasks to run after each master is upgraded and system/services have been restarted. 
-# openshift_master_upgrade_post_hook=/usr/share/custom/post_master.yml - - -# Alternate image format string, useful if you've got your own registry mirror -# Configure this setting just on node or master -#oreg_url_master=example.com/openshift3/ose-${component}:${version} -#oreg_url_node=example.com/openshift3/ose-${component}:${version} -# For setting the configuration globally -#oreg_url=example.com/openshift3/ose-${component}:${version} -# If oreg_url points to a registry other than registry.access.redhat.com we can -# modify image streams to point at that registry by setting the following to true -#openshift_examples_modify_imagestreams=true - -# OpenShift repository configuration -#openshift_additional_repos=[{'id': 'openshift-origin-copr', 'name': 'OpenShift Origin COPR', 'baseurl': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/epel-7-$basearch/', 'enabled': 1, 'gpgcheck': 1, 'gpgkey': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/pubkey.gpg'}] -#openshift_repos_enable_testing=false - -# htpasswd auth -openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] -# Defining htpasswd users -#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'} -# or -#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file> - -# Allow all auth -#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}] - -# LDAP auth -#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': 'my-ldap-ca.crt', 'insecure': 'false', 'url': 
'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}] -# -# Configure LDAP CA certificate -# Specify either the ASCII contents of the certificate or the path to -# the local file that will be copied to the remote host. CA -# certificate contents will be copied to master systems and saved -# within /etc/origin/master/ with a filename matching the "ca" key set -# within the LDAPPasswordIdentityProvider. -# -#openshift_master_ldap_ca=<ca text> -# or -#openshift_master_ldap_ca_file=<path to local ca file to use> - -# OpenID auth -#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}] -# -# Configure OpenID CA certificate -# Specify either the ASCII contents of the certificate or the path to -# the local file that will be copied to the remote host. CA -# certificate contents will be copied to master systems and saved -# within /etc/origin/master/ with a filename matching the "ca" key set -# within the OpenIDIdentityProvider. 
-# -#openshift_master_openid_ca=<ca text> -# or -#openshift_master_openid_ca_file=<path to local ca file to use> - -# Request header auth -#openshift_master_identity_providers=[{"name": "my_request_header_provider", "challenge": "true", "login": "true", "kind": "RequestHeaderIdentityProvider", "challengeURL": "https://www.example.com/challenging-proxy/oauth/authorize?${query}", "loginURL": "https://www.example.com/login-proxy/oauth/authorize?${query}", "clientCA": "my-request-header-ca.crt", "clientCommonNames": ["my-auth-proxy"], "headers": ["X-Remote-User", "SSO-User"], "emailHeaders": ["X-Remote-User-Email"], "nameHeaders": ["X-Remote-User-Display-Name"], "preferredUsernameHeaders": ["X-Remote-User-Login"]}] -# -# Configure request header CA certificate -# Specify either the ASCII contents of the certificate or the path to -# the local file that will be copied to the remote host. CA -# certificate contents will be copied to master systems and saved -# within /etc/origin/master/ with a filename matching the "clientCA" -# key set within the RequestHeaderIdentityProvider. -# -#openshift_master_request_header_ca=<ca text> -# or -#openshift_master_request_header_ca_file=<path to local ca file to use> - -# CloudForms Management Engine (ManageIQ) App Install -# -# Enables installation of MIQ server. Recommended for dedicated -# clusters only. See roles/openshift_cfme/README.md for instructions -# and requirements. -#openshift_cfme_install_app=False - -# Cloud Provider Configuration -# -# Note: You may make use of environment variables rather than store -# sensitive configuration within the ansible inventory. -# For example: -#openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}" -#openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}" -# -# AWS -#openshift_cloudprovider_kind=aws -# Note: IAM profiles may be used instead of storing API credentials on disk. 
-#openshift_cloudprovider_aws_access_key=aws_access_key_id -#openshift_cloudprovider_aws_secret_key=aws_secret_access_key -# -# Openstack -#openshift_cloudprovider_kind=openstack -#openshift_cloudprovider_openstack_auth_url=http://openstack.example.com:35357/v2.0/ -#openshift_cloudprovider_openstack_username=username -#openshift_cloudprovider_openstack_password=password -#openshift_cloudprovider_openstack_domain_id=domain_id -#openshift_cloudprovider_openstack_domain_name=domain_name -#openshift_cloudprovider_openstack_tenant_id=tenant_id -#openshift_cloudprovider_openstack_tenant_name=tenant_name -#openshift_cloudprovider_openstack_region=region -#openshift_cloudprovider_openstack_lb_subnet_id=subnet_id -# -# GCE -#openshift_cloudprovider_kind=gce - -# Project Configuration -#osm_project_request_message='' -#osm_project_request_template='' -#osm_mcs_allocator_range='s0:/2' -#osm_mcs_labels_per_project=5 -#osm_uid_allocator_range='1000000000-1999999999/10000' - -# Configure additional projects -#openshift_additional_projects={'my-project': {'default_node_selector': 'label=value'}} - -# Enable cockpit -#osm_use_cockpit=true -# -# Set cockpit plugins -#osm_cockpit_plugins=['cockpit-kubernetes'] - -# Native high availability cluster method with optional load balancer. -# If no lb group is defined, the installer assumes that a load balancer has -# been preconfigured. For installation the value of -# openshift_master_cluster_hostname must resolve to the load balancer -# or to one or all of the masters defined in the inventory if no load -# balancer is present. -#openshift_master_cluster_method=native -#openshift_master_cluster_hostname=openshift-ansible.test.example.com -#openshift_master_cluster_public_hostname=openshift-ansible.test.example.com - -# Pacemaker high availability cluster method. -# Pacemaker HA environment must be able to self provision the -# configured VIP. For installation openshift_master_cluster_hostname -# must resolve to the configured VIP. 
-#openshift_master_cluster_method=pacemaker -#openshift_master_cluster_password=openshift_cluster -#openshift_master_cluster_vip=192.168.133.25 -#openshift_master_cluster_public_vip=192.168.133.25 -#openshift_master_cluster_hostname=openshift-ansible.test.example.com -#openshift_master_cluster_public_hostname=openshift-ansible.test.example.com - -# Override the default controller lease ttl -#osm_controller_lease_ttl=30 - -# Configure controller arguments -#osm_controller_args={'resource-quota-sync-period': ['10s']} - -# Configure api server arguments -#osm_api_server_args={'max-requests-inflight': ['400']} - -# default subdomain to use for exposed routes -#openshift_master_default_subdomain=apps.test.example.com - -# additional cors origins -#osm_custom_cors_origins=['foo.example.com', 'bar.example.com'] - -# default project node selector -#osm_default_node_selector='region=primary' - -# Override the default pod eviction timeout -#openshift_master_pod_eviction_timeout=5m - -# Override the default oauth tokenConfig settings: -# openshift_master_access_token_max_seconds=86400 -# openshift_master_auth_token_max_seconds=500 - -# Override master servingInfo.maxRequestsInFlight -#openshift_master_max_requests_inflight=500 - -# Override master and node servingInfo.minTLSVersion and .cipherSuites -# valid TLS versions are VersionTLS10, VersionTLS11, VersionTLS12 -# example cipher suites override, valid cipher suites are https://golang.org/pkg/crypto/tls/#pkg-constants -#openshift_master_min_tls_version=VersionTLS12 -#openshift_master_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] -# -#openshift_node_min_tls_version=VersionTLS12 -#openshift_node_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] - -# default storage plugin dependencies to install, by default the ceph and -# glusterfs plugin dependencies will be installed, if available. 
-#osn_storage_plugin_deps=['ceph','glusterfs','iscsi']
-
-# OpenShift Router Options
-#
-# An OpenShift router will be created during install if there are
-# nodes present with labels matching the default router selector,
-# "region=infra". Set openshift_node_labels per node as needed in
-# order to label nodes.
-#
-# Example:
-# [nodes]
-# node.example.com openshift_node_labels="{'region': 'infra'}"
-#
-# Router selector (optional)
-# Router will only be created if nodes matching this label are present.
-# Default value: 'region=infra'
-#openshift_hosted_router_selector='region=infra'
-#
-# Router replicas (optional)
-# Unless specified, openshift-ansible will calculate the replica count
-# based on the number of nodes matching the openshift router selector.
-#openshift_hosted_router_replicas=2
-#
-# Router force subdomain (optional)
-# A router path format to force on all routes used by this router
-# (will ignore the route host value)
-#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
-#
-# Router certificate (optional)
-# Provide local certificate paths which will be configured as the
-# router's default certificate.
-#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
-#
-# Manage the OpenShift Router
-#openshift_hosted_manage_router=true
-#
-# Router sharding support has been added and can be achieved by supplying the correct
-# data to the inventory.  The variable to house the data is openshift_hosted_routers
-# and is in the form of a list.  If no data is passed then a default router will be
-# created.  There are multiple combinations of router sharding.  The one described
-# below supports routers on separate nodes.
-#
-#openshift_hosted_routers=[{'name': 'router1', 'certificate': {'certfile': '/path/to/certificate/abc.crt', 'keyfile': '/path/to/certificate/abc.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router1', 'ports': ['80:80', '443:443']}, {'name': 'router2', 'certificate': {'certfile': '/path/to/certificate/xyz.crt', 'keyfile': '/path/to/certificate/xyz.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [{'action': 'append', 'key': 'spec.template.spec.containers[0].env', 'value': {'name': 'ROUTE_LABELS', 'value': 'route=external'}}], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router2', 'ports': ['80:80', '443:443']}]
-
-# OpenShift Registry Console Options
-# Override the console image prefix for enterprise deployments, not used in origin
-# default is "registry.access.redhat.com/openshift3/" and the image appended is "registry-console"
-#openshift_cockpit_deployer_prefix=registry.example.com/myrepo/
-# Override image version, defaults to latest for origin, matches the product version for enterprise
-#openshift_cockpit_deployer_version=1.4.1
-
-# Openshift Registry Options
-#
-# An OpenShift registry will be created during install if there are
-# nodes present with labels matching the default registry selector,
-# "region=infra". Set openshift_node_labels per node as needed in
-# order to label nodes.
-#
-# Example:
-# [nodes]
-# node.example.com openshift_node_labels="{'region': 'infra'}"
-#
-# Registry selector (optional)
-# Registry will only be created if nodes matching this label are present.
-# Default value: 'region=infra'
-#openshift_hosted_registry_selector='region=infra'
-#
-# Registry replicas (optional)
-# Unless specified, openshift-ansible will calculate the replica count
-# based on the number of nodes matching the openshift registry selector.
-#openshift_hosted_registry_replicas=2
-#
-# Validity of the auto-generated certificate in days (optional)
-#openshift_hosted_registry_cert_expire_days=730
-#
-# Manage the OpenShift Registry
-#openshift_hosted_manage_registry=true
-
-# Registry Storage Options
-#
-# NFS Host Group
-# An NFS volume will be created with path "nfs_directory/volume_name"
-# on the host within the [nfs] host group.  For example, the volume
-# path using these options would be "/exports/registry"
-#openshift_hosted_registry_storage_kind=nfs
-#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
-# nfs_directory must conform to DNS-1123 subdomain must consist of lower case
-# alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
-#openshift_hosted_registry_storage_nfs_directory=/exports
-#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
-#openshift_hosted_registry_storage_volume_name=registry
-#openshift_hosted_registry_storage_volume_size=10Gi
-#
-# External NFS Host
-# NFS volume must already exist with path "nfs_directory/_volume_name" on
-# the storage_host. For example, the remote volume path using these
-# options would be "nfs.example.com:/exports/registry"
-#openshift_hosted_registry_storage_kind=nfs
-#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
-#openshift_hosted_registry_storage_host=nfs.example.com
-# nfs_directory must conform to DNS-1123 subdomain must consist of lower case
-# alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
-#openshift_hosted_registry_storage_nfs_directory=/exports
-#openshift_hosted_registry_storage_volume_name=registry
-#openshift_hosted_registry_storage_volume_size=10Gi
-#
-# Openstack
-# Volume must already exist.
-#openshift_hosted_registry_storage_kind=openstack
-#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
-#openshift_hosted_registry_storage_openstack_filesystem=ext4
-#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
-#openshift_hosted_registry_storage_volume_size=10Gi
-#
-# AWS S3
-# S3 bucket must already exist.
-#openshift_hosted_registry_storage_kind=object
-#openshift_hosted_registry_storage_provider=s3
-#openshift_hosted_registry_storage_s3_encrypt=false
-#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
-#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
-#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
-#openshift_hosted_registry_storage_s3_bucket=bucket_name
-#openshift_hosted_registry_storage_s3_region=bucket_region
-#openshift_hosted_registry_storage_s3_chunksize=26214400
-#openshift_hosted_registry_storage_s3_rootdirectory=/registry
-#openshift_hosted_registry_pullthrough=true
-#openshift_hosted_registry_acceptschema2=true
-#openshift_hosted_registry_enforcequota=true
-#
-# Any S3 service (Minio, ExoScale, ...): Basically the same as above
-# but with regionendpoint configured
-# S3 bucket must already exist.
-#openshift_hosted_registry_storage_kind=object
-#openshift_hosted_registry_storage_provider=s3
-#openshift_hosted_registry_storage_s3_accesskey=access_key_id
-#openshift_hosted_registry_storage_s3_secretkey=secret_access_key
-#openshift_hosted_registry_storage_s3_regionendpoint=https://myendpoint.example.com/
-#openshift_hosted_registry_storage_s3_bucket=bucket_name
-#openshift_hosted_registry_storage_s3_region=bucket_region
-#openshift_hosted_registry_storage_s3_chunksize=26214400
-#openshift_hosted_registry_storage_s3_rootdirectory=/registry
-#openshift_hosted_registry_pullthrough=true
-#openshift_hosted_registry_acceptschema2=true
-#openshift_hosted_registry_enforcequota=true
-#
-# Additional CloudFront Options. When using CloudFront all three
-# of the followingg variables must be defined.
-#openshift_hosted_registry_storage_s3_cloudfront_baseurl=https://myendpoint.cloudfront.net/
-#openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile=/full/path/to/secret.pem
-#openshift_hosted_registry_storage_s3_cloudfront_keypairid=yourpairid
-
-# Metrics deployment
-# See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html
-#
-# By default metrics are not automatically deployed, set this to enable them
-#openshift_metrics_install_metrics=true
-#
-# Storage Options
-# If openshift_metrics_storage_kind is unset then metrics will be stored
-# in an EmptyDir volume and will be deleted when the cassandra pod terminates.
-# Storage options A & B currently support only one cassandra pod which is
-# generally enough for up to 1000 pods. Additional volumes can be created
-# manually after the fact and metrics scaled per the docs.
-#
-# Option A - NFS Host Group
-# An NFS volume will be created with path "nfs_directory/volume_name"
-# on the host within the [nfs] host group.  For example, the volume
-# path using these options would be "/exports/metrics"
-#openshift_metrics_storage_kind=nfs
-#openshift_metrics_storage_access_modes=['ReadWriteOnce']
-#openshift_metrics_storage_nfs_directory=/exports
-#openshift_metrics_storage_nfs_options='*(rw,root_squash)'
-#openshift_metrics_storage_volume_name=metrics
-#openshift_metrics_storage_volume_size=10Gi
-#openshift_metrics_storage_labels={'storage': 'metrics'}
-#
-# Option B - External NFS Host
-# NFS volume must already exist with path "nfs_directory/_volume_name" on
-# the storage_host. For example, the remote volume path using these
-# options would be "nfs.example.com:/exports/metrics"
-#openshift_metrics_storage_kind=nfs
-#openshift_metrics_storage_access_modes=['ReadWriteOnce']
-#openshift_metrics_storage_host=nfs.example.com
-#openshift_metrics_storage_nfs_directory=/exports
-#openshift_metrics_storage_volume_name=metrics
-#openshift_metrics_storage_volume_size=10Gi
-#openshift_metrics_storage_labels={'storage': 'metrics'}
-#
-# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
-# your cloud platform use this.
-#openshift_metrics_storage_kind=dynamic
-#
-# Other Metrics Options -- Common items you may wish to reconfigure, for the complete
-# list of options please see roles/openshift_metrics/README.md
-#
-# Override metricsPublicURL in the master config for cluster metrics
-# Defaults to https://hawkular-metrics.{{openshift_master_default_subdomain}}/hawkular/metrics
-# Currently, you may only alter the hostname portion of the url, alterting the
-# `/hawkular/metrics` path will break installation of metrics.
-#openshift_metrics_hawkular_hostname=hawkular-metrics.example.com
-# Configure the prefix and version for the component images
-#openshift_metrics_image_prefix=docker.io/openshift/origin-
-#openshift_metrics_image_version=v3.7.0
-#
-# StorageClass
-# openshift_storageclass_name=gp2
-# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': 'false'}
-#
-
-# Logging deployment
-#
-# Currently logging deployment is disabled by default, enable it by setting this
-#openshift_logging_install_logging=true
-#
-# Logging storage config
-# Option A - NFS Host Group
-# An NFS volume will be created with path "nfs_directory/volume_name"
-# on the host within the [nfs] host group.  For example, the volume
-# path using these options would be "/exports/logging"
-#openshift_logging_storage_kind=nfs
-#openshift_logging_storage_access_modes=['ReadWriteOnce']
-#openshift_logging_storage_nfs_directory=/exports
-#openshift_logging_storage_nfs_options='*(rw,root_squash)'
-#openshift_logging_storage_volume_name=logging
-#openshift_logging_storage_volume_size=10Gi
-#openshift_logging_storage_labels={'storage': 'logging'}
-#
-# Option B - External NFS Host
-# NFS volume must already exist with path "nfs_directory/_volume_name" on
-# the storage_host. For example, the remote volume path using these
-# options would be "nfs.example.com:/exports/logging"
-#openshift_logging_storage_kind=nfs
-#openshift_logging_storage_access_modes=['ReadWriteOnce']
-#openshift_logging_storage_host=nfs.example.com
-#openshift_logging_storage_nfs_directory=/exports
-#openshift_logging_storage_volume_name=logging
-#openshift_logging_storage_volume_size=10Gi
-#openshift_logging_storage_labels={'storage': 'logging'}
-#
-# Option C - Dynamic -- If openshift supports dynamic volume provisioning for
-# your cloud platform use this.
-#openshift_logging_storage_kind=dynamic
-#
-# Option D - none -- Logging will use emptydir volumes which are destroyed when
-# pods are deleted
-#
-# Other Logging Options -- Common items you may wish to reconfigure, for the complete
-# list of options please see roles/openshift_logging/README.md
-#
-# Configure loggingPublicURL in the master config for aggregate logging, defaults
-# to kibana.{{ openshift_master_default_subdomain }}
-#openshift_logging_kibana_hostname=logging.apps.example.com
-# Configure the number of elastic search nodes, unless you're using dynamic provisioning
-# this value must be 1
-#openshift_logging_es_cluster_size=1
-# Configure the prefix and version for the component images
-#openshift_logging_image_prefix=docker.io/openshift/origin-
-#openshift_logging_image_version=v3.7.0
-
-# Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
-# os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
-
-# Disable the OpenShift SDN plugin
-# openshift_use_openshift_sdn=False
-
-# Configure SDN cluster network and kubernetes service CIDR blocks. These
-# network blocks should be private and should not conflict with network blocks
-# in your infrastructure that pods may require access to. Can not be changed
-# after deployment.
-#
-# WARNING : Do not pick subnets that overlap with the default Docker bridge subnet of
-# 172.17.0.0/16.  Your installation will fail and/or your configuration change will
-# cause the Pod SDN or Cluster SDN to fail.
-#
-# WORKAROUND : If you must use an overlapping subnet, you can configure a non conflicting
-# docker0 CIDR range by adding '--bip=192.168.2.1/24' to DOCKER_NETWORK_OPTIONS
-# environment variable located in /etc/sysconfig/docker-network.
-# When upgrading or scaling up the following must match whats in your master config!
-#  Inventory: master yaml field
-#  osm_cluster_network_cidr: clusterNetworkCIDR
-#  openshift_portal_net: serviceNetworkCIDR
-# When installing osm_cluster_network_cidr and openshift_portal_net must be set.
-# Sane examples are provided below.
-#osm_cluster_network_cidr=10.128.0.0/14
-#openshift_portal_net=172.30.0.0/16
-
-# ExternalIPNetworkCIDRs controls what values are acceptable for the
-# service external IP field. If empty, no externalIP may be set. It
-# may contain a list of CIDRs which are checked for access. If a CIDR
-# is prefixed with !, IPs in that CIDR will be rejected. Rejections
-# will be applied first, then the IP checked against one of the
-# allowed CIDRs. You should ensure this range does not overlap with
-# your nodes, pods, or service CIDRs for security reasons.
-#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
-
-# IngressIPNetworkCIDR controls the range to assign ingress IPs from for
-# services of type LoadBalancer on bare metal. If empty, ingress IPs will not
-# be assigned. It may contain a single CIDR that will be allocated from. For
-# security reasons, you should ensure that this range does not overlap with
-# the CIDRs reserved for external IPs, nodes, pods, or services.
-#openshift_master_ingress_ip_network_cidr=172.46.0.0/16
-
-# Configure number of bits to allocate to each host's subnet e.g. 9
-# would mean a /23 network on the host.
-# When upgrading or scaling up the following must match whats in your master config!
-#  Inventory: master yaml field
-#  osm_host_subnet_length:  hostSubnetLength
-# When installing osm_host_subnet_length must be set. A sane example is provided below.
-#osm_host_subnet_length=9
-
-# Configure master API and console ports.
-#openshift_master_api_port=8443
-#openshift_master_console_port=8443
-
-# set RPM version for debugging purposes
-#openshift_pkg_version=-1.1
-
-# Configure custom ca certificate
-#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'}
-#
-# NOTE: CA certificate will not be replaced with existing clusters.
-# This option may only be specified when creating a new cluster or
-# when redeploying cluster certificates with the redeploy-certificates
-# playbook.
-
-# Configure custom named certificates (SNI certificates)
-#
-# https://docs.openshift.org/latest/install_config/certificate_customization.html
-#
-# NOTE: openshift_master_named_certificates is cached on masters and is an
-# additive fact, meaning that each run with a different set of certificates
-# will add the newly provided certificates to the cached set of certificates.
-#
-# An optional CA may be specified for each named certificate. CAs will
-# be added to the OpenShift CA bundle which allows for the named
-# certificate to be served for internal cluster communication.
-#
-# If you would like openshift_master_named_certificates to be overwritten with
-# the provided value, specify openshift_master_overwrite_named_certificates.
-#openshift_master_overwrite_named_certificates=true
-#
-# Provide local certificate paths which will be deployed to masters
-#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "cafile": "/path/to/custom-ca1.crt"}]
-#
-# Detected names may be overridden by specifying the "names" key
-#openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}]
-
-# Session options
-#openshift_master_session_name=ssn
-#openshift_master_session_max_seconds=3600
-
-# An authentication and encryption secret will be generated if secrets
-# are not provided. If provided, openshift_master_session_auth_secrets
-# and openshift_master_encryption_secrets must be equal length.
-#
-# Signing secrets, used to authenticate sessions using
-# HMAC. Recommended to use secrets with 32 or 64 bytes.
-#openshift_master_session_auth_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
-#
-# Encrypting secrets, used to encrypt sessions. Must be 16, 24, or 32
-# characters long, to select AES-128, AES-192, or AES-256.
-#openshift_master_session_encryption_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
-
-# configure how often node iptables rules are refreshed
-#openshift_node_iptables_sync_period=5s
-
-# Configure nodeIP in the node config
-# This is needed in cases where node traffic is desired to go over an
-# interface other than the default network interface.
-#openshift_set_node_ip=True
-
-# Configure dnsIP in the node config
-#openshift_dns_ip=172.30.0.1
-
-# Configure node kubelet arguments. pods-per-core is valid in OpenShift Origin 1.3 or OpenShift Container Platform 3.3 and later.
-#openshift_node_kubelet_args={'pods-per-core': ['10'], 'max-pods': ['250'], 'image-gc-high-threshold': ['85'], 'image-gc-low-threshold': ['80']}
-
-# Configure logrotate scripts
-# See: https://github.com/nickhammond/ansible-logrotate
-#logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}]
-
-# openshift-ansible will wait indefinitely for your input when it detects that the
-# value of openshift_hostname resolves to an IP address not bound to any local
-# interfaces. This mis-configuration is problematic for any pod leveraging host
-# networking and liveness or readiness probes.
-# Setting this variable to true will override that check.
-#openshift_override_hostname_check=true
-
-# openshift_use_dnsmasq is deprecated.  This must be true, or installs will fail
-# in versions >= 3.6
-#openshift_use_dnsmasq=False
-
-# Define an additional dnsmasq.conf file to deploy to /etc/dnsmasq.d/openshift-ansible.conf
-# This is useful for POC environments where DNS may not actually be available yet or to set
-# options like 'strict-order' to alter dnsmasq configuration.
-#openshift_node_dnsmasq_additional_config_file=/home/bob/ose-dnsmasq.conf
-
-# Global Proxy Configuration
-# These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment
-# variables for docker and master services.
-#
-# Hosts in the openshift_no_proxy list will NOT use any globally
-# configured HTTP(S)_PROXYs. openshift_no_proxy accepts domains
-# (.example.com), and hosts (example.com), and IP addresses.
-#openshift_http_proxy=http://USER:PASSWORD@IPADDR:PORT
-#openshift_https_proxy=https://USER:PASSWORD@IPADDR:PORT
-#openshift_no_proxy='.hosts.example.com,some-host.com'
-#
-# Most environments don't require a proxy between openshift masters, nodes, and
-# etcd hosts. So automatically add those hostnames to the openshift_no_proxy list.
-# If all of your hosts share a common domain you may wish to disable this and
-# specify that domain above instead.
-#
-# For example, having hosts with FQDNs: m1.ex.com, n1.ex.com, and
-# n2.ex.com, one would simply add '.ex.com' to the openshift_no_proxy
-# variable (above) and set this value to False
-#openshift_generate_no_proxy_hosts=True
-#
-# These options configure the BuildDefaults admission controller which injects
-# configuration into Builds. Proxy related values will default to the global proxy
-# config values. You only need to set these if they differ from the global proxy settings.
-# See BuildDefaults documentation at
-# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html
-#openshift_builddefaults_http_proxy=http://USER:PASSWORD@HOST:PORT
-#openshift_builddefaults_https_proxy=https://USER:PASSWORD@HOST:PORT
-#openshift_builddefaults_no_proxy=mycorp.com
-#openshift_builddefaults_git_http_proxy=http://USER:PASSWORD@HOST:PORT
-#openshift_builddefaults_git_https_proxy=https://USER:PASSWORD@HOST:PORT
-#openshift_builddefaults_git_no_proxy=mycorp.com
-#openshift_builddefaults_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}]
-#openshift_builddefaults_nodeselectors={'nodelabel1':'nodelabelvalue1'}
-#openshift_builddefaults_annotations={'annotationkey1':'annotationvalue1'}
-#openshift_builddefaults_resources_requests_cpu=100m
-#openshift_builddefaults_resources_requests_memory=256Mi
-#openshift_builddefaults_resources_limits_cpu=1000m
-#openshift_builddefaults_resources_limits_memory=512Mi
-
-# Or you may optionally define your own build defaults configuration serialized as json
-#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","gitNoProxy":"ose3-master.example.com","kind":"BuildDefaultsConfig"}}}'
-
-# These options configure the BuildOverrides admission controller which injects
-# configuration into Builds.
-# See BuildOverrides documentation at
-# https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html
-#openshift_buildoverrides_force_pull=true
-#openshift_buildoverrides_image_labels=[{'name':'imagelabelname1','value':'imagelabelvalue1'}]
-#openshift_buildoverrides_nodeselectors={'nodelabel1':'nodelabelvalue1'}
-#openshift_buildoverrides_annotations={'annotationkey1':'annotationvalue1'}
-
-# Or you may optionally define your own build overrides configuration serialized as json
-#openshift_buildoverrides_json='{"BuildOverrides":{"configuration":{"apiVersion":"v1","kind":"BuildDefaultsConfig","forcePull":"true"}}}'
-
-# Enable template service broker by specifying one of more namespaces whose
-# templates will be served by the broker
-#openshift_template_service_broker_namespaces=['openshift']
-
-# masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default
-#openshift_master_dynamic_provisioning_enabled=False
-
-# Admission plugin config
-#openshift_master_admission_plugin_config={"ProjectRequestLimit":{"configuration":{"apiVersion":"v1","kind":"ProjectRequestLimitConfig","limits":[{"selector":{"admin":"true"}},{"maxProjects":"1"}]}},"PodNodeConstraints":{"configuration":{"apiVersion":"v1","kind":"PodNodeConstraintsConfig"}}}
-
-# Configure usage of openshift_clock role.
-#openshift_clock_enabled=true
-
-# OpenShift Per-Service Environment Variables
-# Environment variables are added to /etc/sysconfig files for
-# each OpenShift service: node, master (api and controllers).
-# API and controllers environment variables are merged in single
-# master environments.
-#openshift_master_api_env_vars={"ENABLE_HTTP2": "true"}
-#openshift_master_controllers_env_vars={"ENABLE_HTTP2": "true"}
-#openshift_node_env_vars={"ENABLE_HTTP2": "true"}
-
-# Enable API service auditing, available as of 1.3
-#openshift_master_audit_config={"enabled": true}
-#
-# In case you want more advanced setup for the auditlog you can
-# use this line.
-# The directory in "auditFilePath" will be created if it's not
-# exist
-#openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/openpaas-oscp-audit/openpaas-oscp-audit.log", "maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5}
-
-# Enable origin repos that point at Centos PAAS SIG, defaults to true, only used
-# by deployment_type=origin
-#openshift_enable_origin_repo=false
-
-# Validity of the auto-generated OpenShift certificates in days.
-# See also openshift_hosted_registry_cert_expire_days above.
-#
-#openshift_ca_cert_expire_days=1825
-#openshift_node_cert_expire_days=730
-#openshift_master_cert_expire_days=730
-
-# Validity of the auto-generated external etcd certificates in days.
-# Controls validity for etcd CA, peer, server and client certificates.
-#
-#etcd_ca_default_days=1825
-#
-# ServiceAccountConfig:LimitSecretRefences rejects pods that reference secrets their service accounts do not reference
-# openshift_master_saconfig_limitsecretreferences=false
-
-# Upgrade Control
-#
-# By default nodes are upgraded in a serial manner one at a time and all failures
-# are fatal, one set of variables for normal nodes, one set of variables for
-# nodes that are part of control plane as the number of hosts may be different
-# in those two groups.
-#openshift_upgrade_nodes_serial=1
-#openshift_upgrade_nodes_max_fail_percentage=0
-#openshift_upgrade_control_plane_nodes_serial=1
-#openshift_upgrade_control_plane_nodes_max_fail_percentage=0
-#
-# You can specify the number of nodes to upgrade at once. We do not currently
-# attempt to verify that you have capacity to drain this many nodes at once
-# so please be careful when specifying these values. You should also verify that
-# the expected number of nodes are all schedulable and ready before starting an
-# upgrade. If it's not possible to drain the requested nodes the upgrade will
-# stall indefinitely until the drain is successful.
-#
-# If you're upgrading more than one node at a time you can specify the maximum
-# percentage of failure within the batch before the upgrade is aborted. Any
-# nodes that do fail are ignored for the rest of the playbook run and you should
-# take care to investigate the failure and return the node to service so that
-# your cluster.
-#
-# The percentage must exceed the value, this would fail on two failures
-# openshift_upgrade_nodes_serial=4 openshift_upgrade_nodes_max_fail_percentage=49
-# where as this would not
-# openshift_upgrade_nodes_serial=4 openshift_upgrade_nodes_max_fail_percentage=50
-#
-# Multiple data migrations take place and if they fail they will fail the upgrade
-# You may wish to disable these or make them non fatal
-#
-# openshift_upgrade_pre_storage_migration_enabled=true
-# openshift_upgrade_pre_storage_migration_fatal==true
-# openshift_upgrade_post_storage_migration_enabled=true
-# openshift_upgrade_post_storage_migration_fatal==false
-
-# host group for masters
-[masters]
-ose3-master[1:3]-ansible.test.example.com
-
-[etcd]
-ose3-etcd[1:3]-ansible.test.example.com
-
-# NOTE: Containerized load balancer hosts are not yet supported, if using a global
-# containerized=true host variable we must set to false.
-[lb]
-ose3-lb-ansible.test.example.com containerized=false
-
-# NOTE: Currently we require that masters be part of the SDN which requires that they also be nodes
-# However, in order to ensure that your masters are not burdened with running pods you should
-# make them unschedulable by adding openshift_schedulable=False any node that's also a master.
-[nodes]
-ose3-master[1:3]-ansible.test.example.com
-ose3-node[1:2]-ansible.test.example.com openshift_node_labels="{'region': 'primary', 'zone': 'default'}"
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index c3a477bf6..097c7faf7 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
 Name:           openshift-ansible
 Version:        3.7.0
-Release:        0.143.0%{?dist}
+Release:        0.156.0%{?dist}
 Summary:        Openshift and Atomic Enterprise Ansible
 License:        ASL 2.0
 URL:            https://github.com/openshift/openshift-ansible
@@ -276,6 +276,125 @@ Atomic OpenShift Utilities includes  %changelog +* Mon Oct 16 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.156.0 +- set initial etcd cluster properly during system container scale up +  (jchaloup@redhat.com) + +* Sun Oct 15 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.155.0 +-  + +* Sat Oct 14 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.154.0 +-  + +* Fri Oct 13 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.153.0 +- default groups.oo_new_etcd_to_config to an empty list (jchaloup@redhat.com) + +* Fri Oct 13 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.152.0 +-  + +* Fri Oct 13 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.151.0 +- updated dynamic provision section for openshift metrics to support storage +  class name (elvirkuric@gmail.com) + +* Fri Oct 13 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.150.0 +- Ensure upgrade playbook exits on health check failures (rteague@redhat.com) +- Ensure docker is installed for containerized load balancers +  (mgugino@redhat.com) +- Fix containerized node service unit placement order (mgugino@redhat.com) +- Provisioning Documentation Updates (mgugino@redhat.com) + +* Thu Oct 12 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.149.0 +- Fix broken debug_level (mgugino@redhat.com) +- Ensure host was reached for proper conditional validation +  (rteague@redhat.com) +- Ensure docker service status actually changes (mgugino@redhat.com) +- Display warnings at the end of the control plane upgrade (sdodson@redhat.com) +- Force reconciliation of role for 3.6 (simo@redhat.com) +- Remove etcd health check (sdodson@redhat.com) +- migrate embedded etcd to external etcd (jchaloup@redhat.com) + +* Wed Oct 11 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.148.0 +- Bug 1490647 - logging-fluentd deployed with openshift_logging_use_mux=false +  fails to start due to missing (nhosoi@redhat.com) +- Fix typo in inventory example 
(rteague@redhat.com) +- Separate tuned daemon setup into a role. (jmencak@redhat.com) +- crio, docker: expect openshift_release to have 'v' (gscrivan@redhat.com) +- rebase on master (maxamillion@fedoraproject.org) +- Add fedora compatibility (maxamillion@fedoraproject.org) +- Allow checkpoint status to work across all groups (rteague@redhat.com) +- Add valid search when search does not exist on resolv.conf +  (nakayamakenjiro@gmail.com) + +* Tue Oct 10 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.147.0 +- Add PartOf to docker systemd service unit. (mgugino@redhat.com) +- crio: use systemd manager (gscrivan@redhat.com) +- Ensure servingInfo.clientCA is set as ca.crt rather than ca-bundle.crt. +  (abutcher@redhat.com) +- crio, docker: use openshift_release when openshift_image_tag is not used +  (gscrivan@redhat.com) +- crio: fix typo (gscrivan@redhat.com) +- Update registry_config.j2 (jialiu@redhat.com) +- Update registry_config.j2 (jialiu@redhat.com) + +* Mon Oct 09 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.146.0 +- docker_image_availability: credentials to skopeo (mgugino@redhat.com) +- Rename openshift_cfme role to openshift_management (tbielawa@redhat.com) + +* Mon Oct 09 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.145.0 +- add missing restart node handler to flannel (jchaloup@redhat.com) +- Switch to configmap leader election on 3.7 upgrade (mkhan@redhat.com) +- crio.conf.j2: sync from upstream (gscrivan@redhat.com) +- cri-o: use overlay instead of overlay2 (gscrivan@redhat.com) +- Ensure docker is restarted when iptables is restarted (mgugino@redhat.com) +- Stop including origin and ose hosts example file (sdodson@redhat.com) +- node: make node service PartOf=openvswitch.service when openshift-sdn is used +  (dcbw@redhat.com) + +* Fri Oct 06 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.144.0 +- fix typo for default in etcd (mgugino@redhat.com) +- Bumping version of service catalog image for 3.7 
(ewolinet@redhat.com) +- remove duplicate [OSEv3:children] group (jfchevrette@gmail.com) +- Fix lint error (tbielawa@redhat.com) +- Update hosts.ose.example (ephillipe@gmail.com) +- Remove the no-longer-used App/DB pv size override variables from inventories +  (tbielawa@redhat.com) +- openshift_checks: lb and nfs do not need docker (lmeyer@redhat.com) +- openshift_checks: use oo group names everywhere (lmeyer@redhat.com) +- Add notes about SA token. Improve NFS validation. (tbielawa@redhat.com) +- Hooks for installing CFME during full openshift installation +  (tbielawa@redhat.com) +- Documentation (tbielawa@redhat.com) +- Import upstream templates. Do the work. Validate parameters. +  (tbielawa@redhat.com) +- CFME 4.6 work begins. CFME 4.5 references added to the release-3.6 branch +  (tbielawa@redhat.com) +- Update hosts.origin.example (ephillipe@gmail.com) +- Add logging es prometheus endpoint (jcantril@redhat.com) +- bug 1497401. Default logging and metrics images to 3.7 (jcantril@redhat.com) +- Ensure docker service started prior to credentials (mgugino@redhat.com) +- Adding support for an inventory directory/hybrid inventory +  (esauer@redhat.com) +- Remove unused tasks file in openshift_named_certificates (rteague@redhat.com) +- Move node cert playbook into node config path (rteague@redhat.com) +- Move master cert playbooks into master config path (rteague@redhat.com) +- Move etcd cert playbooks into etcd config path (rteague@redhat.com) +- Fix hosted selector variable migration (mgugino@redhat.com) +- Bug 1496271 - Perserve SCC for ES local persistent storage +  (jcantril@redhat.com) +- Limit hosts that run openshift_version role (mgugino@redhat.com) +- Update ansible-service-broker config to track latest broker +  (fabian@fabianism.us) +- fix master-facts for provisioning (mgugino@redhat.com) +- Make provisioning steps more reusable (mgugino@redhat.com) +- logging: honor openshift_logging_es_cpu_limit (jwozniak@redhat.com) +- Addressing tox issues 
(ewolinet@redhat.com) +- bug 1482661. Preserve ES dc nodeSelector and supplementalGroups +  (jcantril@redhat.com) +- Checking if any openshift_*_storage_kind variables are set to dynamic without +  enabling dynamic provisioning (ewolinet@redhat.com) +- Removing setting pvc size and dynamic to remove looped var setting +  (ewolinet@redhat.com) +  * Wed Oct 04 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.143.0  - Limit base-package install during master upgrades (mgugino@redhat.com)  - Fix provisiong scale group and elb logic (mgugino@redhat.com) diff --git a/playbooks/aws/BUILD_AMI.md b/playbooks/aws/BUILD_AMI.md new file mode 100644 index 000000000..468264a9a --- /dev/null +++ b/playbooks/aws/BUILD_AMI.md @@ -0,0 +1,21 @@ +# Build AMI + +When seeking to deploy a working openshift cluster using these plays, a few +items must be in place. + +These are: + +1. Create an instance, using a specified ssh key. +2. Run openshift-ansible setup roles to ensure packages and services are correctly configured. +3. Create the AMI. +4. If encryption is desired +  - A KMS key is created with the name of $clusterid +  - An encrypted AMI will be produced with $clusterid KMS key +5. Terminate the instance used to configure the AMI. + +More AMI specific options can be found in ['openshift_aws/defaults/main.yml'](../../roles/openshift_aws/defaults/main.yml).  When creating an encrypted AMI please specify use_encryption: +``` +# openshift_aws_ami_encrypt: True  # defaults to false +``` + +**Note**:  This will ensure to take the recently created AMI and encrypt it to be used later.  If encryption is not desired then set the value to false (defaults to false). The AMI id will be fetched and used according to its most recent creation date. diff --git a/playbooks/aws/PREREQUISITES.md b/playbooks/aws/PREREQUISITES.md new file mode 100644 index 000000000..4f428dcc3 --- /dev/null +++ b/playbooks/aws/PREREQUISITES.md 
@@ -0,0 +1,40 @@
+# Prerequisites
+
+When seeking to deploy a working openshift cluster using these plays, a few
+items must be in place.
+
+These are:
+
+1) vpc
+2) security group to build the AMI in.
+3) ssh keys to log into instances
+
+These items can be provisioned ahead of time, or you can utilize the plays here
+to create these items.
+
+If you wish to provision these items yourself, or you already have these items
+provisioned and wish to utilize existing components, please refer to
+provisioning_vars.yml.example.
+
+If you wish to have these items created for you, continue with this document.
+
+# Running prerequisites.yml
+
+Warning:  Running these plays will provision items in your AWS account (if not
+present), and you may incur billing charges.  These plays are not suitable
+for the free-tier.
+
+## Step 1:
+Ensure you have specified all the necessary provisioning variables.  See
+provisioning_vars.example.yml and README.md for more information.
+
+## Step 2:
+```
+$ ansible-playbook -i inventory.yml prerequisites.yml -e @provisioning_vars.yml
+```
+
+This will create a VPC, security group, and ssh_key.  These plays are idempotent,
+and multiple runs should result in no additional provisioning of these components.
+
+You can also verify that you will successfully utilize existing components with
+these plays.
diff --git a/playbooks/aws/README.md b/playbooks/aws/README.md
index 816cb35b4..fbab61189 100644
--- a/playbooks/aws/README.md
+++ b/playbooks/aws/README.md
@@ -8,6 +8,13 @@ With recent desire for provisioning from customers and developers alike, the AWS   deploy highly scalable Openshift clusters utilizing AWS auto scale groups and   custom AMIs. +To speed in the provisioning of medium and large clusters, openshift-node +instances are created using a pre-built AMI.  A list of pre-built AMIs will +be available soon. + +If the deployer wishes to build their own AMI for provisioning, instructions +to do so are provided here. +  ### Where do I start?  Before any provisioning may occur, AWS account credentials must be present in the environment.  This can be done in two ways: @@ -31,8 +38,13 @@ Before any provisioning may occur, AWS account credentials must be present in th  ### Let's Provision! -The newly added playbooks are the following: -- build_ami.yml - Builds a custom AMI.  This currently requires the user to supply a valid AMI with access to repositories that contain openshift repositories. +Warning:  Running these plays will provision items in your AWS account (if not +present), and you may incur billing charges.  These plays are not suitable +for the free-tier. + +#### High-level overview +- prerequisites.yml - Provision VPC, Security Groups, SSH keys, if needed.  See PREREQUISITES.md for more information. +- build_ami.yml - Builds a custom AMI.  See BUILD_AMI.md for more information.  - provision.yml - Create a vpc, elbs, security groups, launch config, asg's, etc.  - install.yml - Calls the openshift-ansible installer on the newly created instances  - provision_nodes.yml - Creates the infra and compute node scale groups 
@@ -41,82 +53,38 @@ The newly added playbooks are the following:  The current expected work flow should be to provide an AMI with access to Openshift repositories.  There should be a repository specified in the `openshift_additional_repos` parameter of the inventory file. The next expectation is a minimal set of values in the `provisioning_vars.yml` file to configure the desired settings for cluster instances.  These settings are AWS specific and should be tailored to the consumer's AWS custom account settings. +Values specified in provisioning_vars.yml may instead be specified in your inventory group_vars +under the appropriate groups.  Most variables can exist in the 'all' group. +  ```yaml  --- -# when creating an AMI set this to True -# when installing a cluster set this to False -openshift_node_bootstrap: True - -# specify a clusterid -# openshift_aws_clusterid: default - -# specify a region -# openshift_aws_region: us-east-1 - -# must specify a base_ami when building an AMI -# openshift_aws_base_ami: # base image for AMI to build from -# specify when using a custom AMI -# openshift_aws_ami: - -# when creating an encrypted AMI please specify use_encryption -# openshift_aws_ami_encrypt: False - -# custom certificates are required for the ELB -# openshift_aws_iam_cert_path: '/path/to/cert/wildcard.<clusterid>.<domain>.com.crt' -# openshift_aws_iam_cert_key_path: '/path/to/key/wildcard.<clusterid>.<domain>.com.key' -# openshift_aws_iam_cert_chain_path: '/path/to/ca_cert_file/ca.crt' - -# This is required for any ec2 instances -# openshift_aws_ssh_key_name: myuser_key - -# This will ensure these users are created -#openshift_aws_users: -#- key_name: myuser_key -#  username: myuser -#  pub_key: | -#         ssh-rsa AAAA +# Minimum mandatory provisioning variables.  See provisioning_vars.yml.example. +# for more information. 
+openshift_deployment_type: # 'origin' or 'openshift-enterprise' +openshift_release: # example: v3.7 +openshift_pkg_version: # example: -3.7.0 +openshift_aws_ssh_key_name: # example: myuser_key +openshift_aws_base_ami: # example: ami-12345678 +openshift_aws_iam_cert_path: # example: '/path/to/wildcard.<clusterid>.example.com.crt' +openshift_aws_iam_key_path: # example: '/path/to/wildcard.<clusterid>.example.com.key'  ```  If customization is required for the instances, scale groups, or any other configurable option please see the ['openshift_aws/defaults/main.yml'](../../roles/openshift_aws/defaults/main.yml) for variables and overrides. These overrides can be placed in the `provisioning_vars.yml`, `inventory`, or `group_vars`. -In order to create the bootstrap-able AMI we need to create an openshift-ansible inventory file.  This file enables us to create the AMI using the openshift-ansible node roles. The exception here is that there will be no hosts specified by the inventory file.  Here is an example: - -```ini -[OSEv3:children] -masters -nodes -etcd - -[OSEv3:vars] -################################################################################ -# Ensure these variables are set for bootstrap -################################################################################ -# openshift_deployment_type is required for installation -openshift_deployment_type=origin +In order to create the bootstrap-able AMI we need to create a basic openshift-ansible inventory.  This enables us to create the AMI using the openshift-ansible node roles.  This inventory should not include any hosts, but certain variables should be defined in the appropriate groups, just as deploying a cluster +using the normal openshift-ansible method.  See provisioning-inventory.example.ini for an example. -# required when building an AMI.  
This will -# be dependent on the version provided by the yum repository -openshift_pkg_version=-3.6.0 - -openshift_master_bootstrap_enabled=True - -openshift_hosted_router_wait=False -openshift_hosted_registry_wait=False - -# Repository for installation -openshift_additional_repos=[{'name': 'openshift-repo', 'id': 'openshift-repo',  'baseurl': 'https://mirror.openshift.com/enterprise/enterprise-3.6/latest/x86_64/os/', 'enabled': 'yes', 'gpgcheck': 0, 'sslverify': 'no', 'sslclientcert': '/var/lib/yum/client-cert.pem', 'sslclientkey': '/var/lib/yum/client-key.pem', 'gpgkey': 'https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted'}] - -################################################################################ -# cluster specific settings maybe be placed here +There are more examples of cluster inventory settings [`here`](../../inventory/byo/). -[masters] +#### Step 0 (optional) -[etcd] +You may provision a VPC, Security Group, and SSH keypair to build the AMI. -[nodes] +``` +$ ansible-playbook -i inventory.yml prerequisites.yml -e @provisioning_vars.yml  ``` -There are more examples of cluster inventory settings [`here`](../../inventory/byo/). +See PREREQUISITES.md for more information.  #### Step 1 
@@ -126,24 +94,6 @@ Once the `inventory` and the `provisioning_vars.yml` file has been updated with  $ ansible-playbook -i inventory.yml build_ami.yml -e @provisioning_vars.yml  ``` -1. This script will build a VPC. Default name will be clusterid if not specified. -2. Create an ssh key required for the instance. -3. Create a security group. -4. Create an instance using the key from step 2 or a specified key. -5. Run openshift-ansible setup roles to ensure packages and services are correctly configured. -6. Create the AMI. -7. If encryption is desired -  - A KMS key is created with the name of $clusterid -  - An encrypted AMI will be produced with $clusterid KMS key -8. Terminate the instance used to configure the AMI. - -More AMI specific options can be found in ['openshift_aws/defaults/main.yml'](../../roles/openshift_aws/defaults/main.yml).  When creating an encrypted AMI please specify use_encryption: -``` -# openshift_aws_ami_encrypt: True  # defaults to false -``` - -**Note**:  This will ensure to take the recently created AMI and encrypt it to be used later.  If encryption is not desired then set the value to false (defaults to false). The AMI id will be fetched and used according to its most recent creation date. -  #### Step 2  Now that we have created an AMI for our Openshift installation, there are two ways to use the AMI. 
@@ -167,16 +117,14 @@ $ ansible-playbook provision.yml -e @provisioning_vars.yml  ```  This playbook runs through the following steps: -1. Ensures a VPC is created. -2. Ensures a SSH key exists. -3. Creates an s3 bucket for the registry named $clusterid-docker-registry -4. Create master security groups. -5. Create a master launch config. -6. Create the master auto scaling groups. -7. If certificates are desired for ELB, they will be uploaded. -8. Create internal and external master ELBs. -9. Add newly created masters to the correct groups. -10. Set a couple of important facts for the masters. +1. Creates an s3 bucket for the registry named $clusterid-docker-registry +2. Create master security groups. +3. Create a master launch config. +4. Create the master auto scaling groups. +5. If certificates are desired for ELB, they will be uploaded. +6. Create internal and external master ELBs. +7. Add newly created masters to the correct groups. +8. Set a couple of important facts for the masters.  At this point we have successfully created the infrastructure including the master nodes. @@ -195,13 +143,13 @@ Once this playbook completes, the cluster masters should be installed and config  #### Step 5 -Now that we have a cluster deployed it will be more interesting to create some node types.  This can be done easily with the following playbook: +Now that we have the cluster masters deployed, we need to deploy our infrastructure and compute nodes:  ```  $ ansible-playbook provision_nodes.yml -e @provisioning_vars.yml  ``` -Once this playbook completes, it should create the compute and infra node scale groups.  These nodes will attempt to register themselves to the cluster.  These requests must be approved by an administrator. +Once this playbook completes, it should create the compute and infra node scale groups.  These nodes will attempt to register themselves to the cluster.  These requests must be approved by an administrator in Step 6.  #### Step 6 
diff --git a/playbooks/aws/openshift-cluster/build_ami.yml b/playbooks/aws/openshift-cluster/build_ami.yml
index 1e54f0467..559a37cbe 100644
--- a/playbooks/aws/openshift-cluster/build_ami.yml
+++ b/playbooks/aws/openshift-cluster/build_ami.yml
@@ -17,35 +17,9 @@
     - name: openshift_aws_region
       msg: "openshift_aws_region={{ openshift_aws_region | default('us-east-1') }}"
-  - name: create an instance and prepare for ami
-    include_role:
-      name: openshift_aws
-      tasks_from: build_ami.yml
-    vars:
-      openshift_aws_node_group_type: compute
-
-  - name: fetch newly created instances
-    ec2_remote_facts:
-      region: "{{ openshift_aws_region | default('us-east-1') }}"
-      filters:
-        "tag:Name": "{{ openshift_aws_base_ami_name | default('ami_base') }}"
-        instance-state-name: running
-    register: instancesout
-    retries: 20
-    delay: 3
-    until: instancesout.instances|length > 0
-
-  - name: wait for ssh to become available
-    wait_for:
-      port: 22
-      host: "{{ instancesout.instances[0].public_ip_address }}"
-      timeout: 300
-      search_regex: OpenSSH
-
-  - name: add host to nodes
-    add_host:
-      groups: nodes
-      name: "{{ instancesout.instances[0].public_dns_name }}"
+- include: provision_instance.yml
+  vars:
+    openshift_aws_node_group_type: compute
 - hosts: nodes
   gather_facts: False
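Review bot: `- include: provision_instance.yml` replaces the `ec2_remote_facts` / `wait_for` / `add_host` sequence that populated the `nodes` group targeted by the `- hosts: nodes` play that follows, so the included play (and the role task file it calls, which is not on this page) must perform the same SSH-readiness wait and `add_host` or that play has no targets; this is worth confirming before merge. The removed `wait_for` on port 22 with `search_regex: OpenSSH` was also the only readiness gate before node configuration starts. A comment above the include such as `# provision_instance.yml must add the new instance to the 'nodes' group used by the next play` would make the dependency explicit to anyone editing either file.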
@@ -54,34 +28,10 @@
     set_fact:
       ansible_ssh_user: "{{ openshift_aws_build_ami_ssh_user | default('root') }}"
-- name: normalize groups
-  include: ../../byo/openshift-cluster/initialize_groups.yml
-
-- name: run the std_include
-  include: ../../common/openshift-cluster/evaluate_groups.yml
-
-- name: run the std_include
-  include: ../../common/openshift-cluster/initialize_facts.yml
-
-- name: run the std_include
-  include: ../../common/openshift-cluster/initialize_openshift_repos.yml
+# This is the part that installs all of the software and configs for the instance
+# to become a node.
+- include: ../../common/openshift-node/image_prep.yml
-- name: run node config setup
-  include: ../../common/openshift-node/setup.yml
-
-- name: run node config
-  include: ../../common/openshift-node/configure_nodes.yml
-
-- name: Re-enable excluders
-  include: ../../common/openshift-node/enable_excluders.yml
-
-- hosts: localhost
-  connection: local
-  become: no
-  tasks:
-  - name: seal the ami
-    include_role:
-      name: openshift_aws
-      tasks_from: seal_ami.yml
-    vars:
-      openshift_aws_ami_name: "openshift-gi-{{ lookup('pipe', 'date +%Y%m%d%H%M')}}"
+- include: seal_ami.yml
+  vars:
+    openshift_aws_ami_name: "openshift-gi-{{ lookup('pipe', 'date +%Y%m%d%H%M')}}"
diff --git a/playbooks/aws/openshift-cluster/install.yml b/playbooks/aws/openshift-cluster/install.yml
index 86d58a68e..4d0bf9531 100644
--- a/playbooks/aws/openshift-cluster/install.yml
+++ b/playbooks/aws/openshift-cluster/install.yml
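Review bot: The comment `# This is the part that installs all of the software and configs for the instance` would be more useful if it named what `image_prep.yml` now stands in for, since this hunk removes seven named includes (initialize_groups, evaluate_groups, initialize_facts, initialize_openshift_repos, node setup, configure_nodes, enable_excluders) and a reader of build_ami.yml can no longer see that sequence; e.g. `# image_prep.yml replaces the former group/fact/repo initialisation and node setup/configure/excluder includes`. `openshift_aws_ami_name: "openshift-gi-{{ lookup('pipe', 'date +%Y%m%d%H%M')}}"` forks a shell on the controller for a timestamp; if the supported Ansible version has the `strftime` filter (2.4 and later), `"openshift-gi-{{ '%Y%m%d%H%M' | strftime }}"` gives the same value without the subprocess. That expression is carried over from the removed play, so this is a style point rather than a regression.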
@@ -1,68 +1,19 @@
 ---
-- name: Setup the vpc and the master node group
+- name: Setup the master node group
   hosts: localhost
   tasks:
-  - name: Alert user to variables needed - clusterid
-    debug:
-      msg: "openshift_aws_clusterid={{ openshift_aws_clusterid | default('default') }}"
-
-  - name: Alert user to variables needed - region
-    debug:
-      msg: "openshift_aws_region={{ openshift_aws_region | default('us-east-1') }}"
-
-  - name: fetch newly created instances
-    ec2_remote_facts:
-      region: "{{ openshift_aws_region | default('us-east-1') }}"
-      filters:
-        "tag:clusterid": "{{ openshift_aws_clusterid | default('default') }}"
-        "tag:host-type": master
-        instance-state-name: running
-    register: instancesout
-    retries: 20
-    delay: 3
-    until: instancesout.instances|length > 0
-
-  - name: add new master to masters group
-    add_host:
-      groups: "masters,etcd,nodes"
-      name: "{{ item.public_ip_address }}"
-      hostname: "{{ openshift_aws_clusterid | default('default') }}-master-{{ item.id[:-5] }}"
-    with_items: "{{ instancesout.instances }}"
-
-  - name: wait for ssh to become available
-    wait_for:
-      port: 22
-      host: "{{ item.public_ip_address }}"
-      timeout: 300
-      search_regex: OpenSSH
-    with_items: "{{ instancesout.instances }}"
+  - include_role:
+      name: openshift_aws
+      tasks_from: setup_master_group.yml
 - name: set the master facts for hostname to elb
   hosts: masters
   gather_facts: no
   remote_user: root
   tasks:
-  - name: fetch elbs
-    ec2_elb_facts:
-      region: "{{ openshift_aws_region | default('us-east-1') }}"
-      names:
-      - "{{ item }}"
-    with_items:
-    - "{{ openshift_aws_clusterid | default('default') }}-master-external"
-    - "{{ openshift_aws_clusterid | default('default') }}-master-internal"
-    delegate_to: localhost
-    register: elbs
-
-  - debug: var=elbs
-
-  - name: set fact
-    set_fact:
-      
openshift_master_cluster_hostname: "{{ elbs.results[1].elbs[0].dns_name }}"
-      osm_custom_cors_origins:
-      - "{{ elbs.results[1].elbs[0].dns_name }}"
-      - "console.{{ openshift_aws_clusterid | default('default') }}.openshift.com"
-      - "api.{{ openshift_aws_clusterid | default('default') }}.openshift.com"
-    with_items: "{{ groups['masters'] }}"
+  - include_role:
+      name: openshift_aws
+      tasks_from: master_facts.yml
 - name: normalize groups
   include: ../../byo/openshift-cluster/initialize_groups.yml
diff --git a/playbooks/aws/openshift-cluster/prerequisites.yml b/playbooks/aws/openshift-cluster/prerequisites.yml
new file mode 100644
index 000000000..df77fe3bc
--- /dev/null
+++ b/playbooks/aws/openshift-cluster/prerequisites.yml
@@ -0,0 +1,8 @@
+---
+- include: provision_vpc.yml
+
+- include: provision_ssh_keypair.yml
+
+- include: provision_sec_group.yml
+  vars:
+    openshift_aws_node_group_type: compute
diff --git a/playbooks/aws/openshift-cluster/provision.yml b/playbooks/aws/openshift-cluster/provision.yml
index 8f018abd0..4b5bd22ea 100644
--- a/playbooks/aws/openshift-cluster/provision.yml
+++ b/playbooks/aws/openshift-cluster/provision.yml
@@ -1,5 +1,5 @@
 ---
-- name: Setup the vpc and the master node group
+- name: Setup the elb and the master node group
   hosts: localhost
   tasks:
diff --git a/playbooks/aws/openshift-cluster/provision_instance.yml b/playbooks/aws/openshift-cluster/provision_instance.yml
new file mode 100644
index 000000000..6e843453c
--- /dev/null
+++ b/playbooks/aws/openshift-cluster/provision_instance.yml
@@ -0,0 +1,12 @@
+---
+# If running this play directly, be sure the variable
+# 'openshift_aws_node_group_type' is set correctly for your usage.
+# See build_ami.yml for an example.
+- hosts: localhost
+  connection: local
+  gather_facts: no
+  tasks:
+  - name: create an instance and prepare for ami
+    include_role:
+      name: openshift_aws
+      tasks_from: provision_instance.yml
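Review bot: The new `tasks_from: master_facts.yml` include replaces a task that set both `openshift_master_cluster_hostname` and `osm_custom_cors_origins` (the internal ELB DNS name plus `console.<clusterid>.openshift.com` and `api.<clusterid>.openshift.com`); the role task file is not on this page, so it should be confirmed that the CORS origin list is still populated, because a silent drop there changes which browser origins the master API accepts. Likewise the first play previously waited for SSH and registered the masters into `masters,etcd,nodes` via `add_host`, and `setup_master_group.yml` is presumably expected to do the same so that the `hosts: masters` play still has targets. A comment on each include naming the facts/groups it is responsible for, e.g. `# sets openshift_master_cluster_hostname and osm_custom_cors_origins from the master ELBs`, would keep that contract visible in the playbook.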
diff --git a/playbooks/aws/openshift-cluster/provision_sec_group.yml b/playbooks/aws/openshift-cluster/provision_sec_group.yml
new file mode 100644
index 000000000..039357adb
--- /dev/null
+++ b/playbooks/aws/openshift-cluster/provision_sec_group.yml
@@ -0,0 +1,13 @@
+---
+# If running this play directly, be sure the variable
+# 'openshift_aws_node_group_type' is set correctly for your usage.
+# See build_ami.yml for an example.
+- hosts: localhost
+  connection: local
+  gather_facts: no
+  tasks:
+  - name: create an instance and prepare for ami
+    include_role:
+      name: openshift_aws
+      tasks_from: security_group.yml
+    when: openshift_aws_create_security_groups | default(True) | bool
diff --git a/playbooks/aws/openshift-cluster/provision_ssh_keypair.yml b/playbooks/aws/openshift-cluster/provision_ssh_keypair.yml
new file mode 100644
index 000000000..3ec683958
--- /dev/null
+++ b/playbooks/aws/openshift-cluster/provision_ssh_keypair.yml
@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+  connection: local
+  gather_facts: no
+  tasks:
+  - name: create an instance and prepare for ami
+    include_role:
+      name: openshift_aws
+      tasks_from: ssh_keys.yml
+    vars:
+      openshift_aws_node_group_type: compute
+    when: openshift_aws_users | default([]) | length  > 0
diff --git a/playbooks/aws/openshift-cluster/provision_vpc.yml b/playbooks/aws/openshift-cluster/provision_vpc.yml
new file mode 100644
index 000000000..0a23a6d32
--- /dev/null
+++ b/playbooks/aws/openshift-cluster/provision_vpc.yml
@@ -0,0 +1,10 @@
+---
+- hosts: localhost
+  connection: local
+  gather_facts: no
+  tasks:
+  - name: create a vpc
+    include_role:
+      name: openshift_aws
+      tasks_from: vpc.yml
+    when: openshift_aws_create_vpc | default(True) | bool
diff --git a/playbooks/aws/openshift-cluster/provisioning_vars.example.yml b/playbooks/aws/openshift-cluster/provisioning_vars.example.yml
deleted file mode 100644
index 28eb9c993..000000000
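Review bot: The task name `create an instance and prepare for ami` in provision_sec_group.yml and again in provision_ssh_keypair.yml is copied from provision_instance.yml and describes neither task; `- name: create the security groups` and `- name: create the ssh key pairs` would match what `security_group.yml` and `ssh_keys.yml` are invoked for, and play output is the only place an operator sees which AWS resources a run touched. In provision_ssh_keypair.yml the `vars: openshift_aws_node_group_type: compute` has no visible relation to key-pair creation (prerequisites.yml sets it only for the security-group include), so either a comment should say why `ssh_keys.yml` needs it or it should be dropped; `length  > 0` there also carries a doubled space. The header comment about setting `openshift_aws_node_group_type` could be given to provision_vpc.yml's sibling files consistently, since provision_sec_group.yml has it and the others do not.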
--- a/playbooks/aws/openshift-cluster/provisioning_vars.example.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-# when creating an AMI set this option to True
-# when installing the cluster, set this to False
-openshift_node_bootstrap: True
-
-# specify a clusterid
-#openshift_aws_clusterid: default
-
-# must specify a base_ami when building an AMI
-#openshift_aws_base_ami:
-
-# when creating an encrypted AMI please specify use_encryption
-#openshift_aws_ami_encrypt: False
-
-# custom certificates are required for the ELB
-#openshift_aws_iam_cert_path: '/path/to/wildcard.<clusterid>.example.com.crt'
-#openshift_aws_iam_key_path: '/path/to/wildcard.<clusterid>.example.com.key'
-#openshift_aws_iam_cert_chain_path: '/path/to/cert.ca.crt'
-
-# This is required for any ec2 instances
-#openshift_aws_ssh_key_name: myuser_key
-
-# This will ensure these users are created
-#openshift_aws_users:
-#- key_name: myuser_key
-#  username: myuser
-#  pub_key: |
-#         ssh-rsa AAAA
diff --git a/playbooks/aws/openshift-cluster/seal_ami.yml b/playbooks/aws/openshift-cluster/seal_ami.yml
new file mode 100644
index 000000000..8239a64fb
--- /dev/null
+++ b/playbooks/aws/openshift-cluster/seal_ami.yml
@@ -0,0 +1,12 @@
+---
+# If running this play directly, be sure the variable
+# 'openshift_aws_ami_name' is set correctly for your usage.
+# See build_ami.yml for an example.
+- hosts: localhost
+  connection: local
+  become: no
+  tasks:
+  - name: seal the ami
+    include_role:
+      name: openshift_aws
+      tasks_from: seal_ami.yml
diff --git a/playbooks/aws/provisioning-inventory.example.ini b/playbooks/aws/provisioning-inventory.example.ini
new file mode 100644
index 000000000..238a7eb2f
--- /dev/null
+++ b/playbooks/aws/provisioning-inventory.example.ini
@@ -0,0 +1,25 @@
+[OSEv3:children]
+masters
+nodes
+etcd
+
+[OSEv3:vars]
+################################################################################
+# Ensure these variables are set for bootstrap
+################################################################################
+# openshift_deployment_type is required for installation
+openshift_deployment_type=origin
+
+openshift_master_bootstrap_enabled=True
+
+openshift_hosted_router_wait=False
+openshift_hosted_registry_wait=False
+
+################################################################################
+# cluster specific settings maybe be placed here
+
+[masters]
+
+[etcd]
+
+[nodes]
diff --git a/playbooks/aws/provisioning_vars.yml.example b/playbooks/aws/provisioning_vars.yml.example
new file mode 100644
index 000000000..aa91363ae
--- /dev/null
+++ b/playbooks/aws/provisioning_vars.yml.example
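Review bot: The comment `# cluster specific settings maybe be placed here` should read `# cluster specific settings may be placed here`. The README hunk in this commit still states that the inventory "should" specify a repository through `openshift_additional_repos`, and the README sample inventory it deletes carried that key, but this example inventory does not, so either a commented placeholder such as `# openshift_additional_repos=[...]  (repository with the OpenShift packages, if not already configured on the base AMI)` belongs here or the README wording should be adjusted. The two trailing comment-rule lines (`####...` followed by `# cluster specific settings ...`) read as an unfinished banner; closing the banner with a second rule line, as the first banner does, would keep the file's own style consistent.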
@@ -0,0 +1,120 @@
+---
+# Variables that are commented in this file are optional; uncommented variables
+# are mandatory.
+
+# Default values for each variable are provided, as applicable.
+# Example values for mandatory variables are provided as a comment at the end
+# of the line.
+
+# ------------------------ #
+# Common/Cluster Variables #
+# ------------------------ #
+# Variables in this section affect all areas of the cluster
+
+# Deployment type must be specified.
+openshift_deployment_type: # 'origin' or 'openshift-enterprise'
+
+# openshift_release must be specified.  Use whatever version of openshift
+# that is supported by openshift-ansible that you wish.
+openshift_release: # v3.7
+
+# This will be dependent on the version provided by the yum repository
+openshift_pkg_version: # -3.7.0
+
+# specify a clusterid
+# This value is also used as the default value for many other components.
+#openshift_aws_clusterid: default
+
+# AWS region
+# This value will instruct the plays where all items should be created.
+# Multi-region deployments are not supported using these plays at this time.
+#openshift_aws_region: us-east-1
+
+#openshift_aws_create_launch_config: true
+#openshift_aws_create_scale_group: true
+
+# --- #
+# VPC #
+# --- #
+
+# openshift_aws_create_vpc defaults to true.  If you don't wish to provision
+# a vpc, set this to false.
+#openshift_aws_create_vpc: true
+
+# Name of the vpc.  Needs to be set if using a pre-existing vpc.
+#openshift_aws_vpc_name: "{{ openshift_aws_clusterid }}"
+
+# Name of the subnet in the vpc to use.  Needs to be set if using a pre-existing
+# vpc + subnet.
+#openshift_aws_subnet_name:
+
+# -------------- #
+# Security Group #
+# -------------- #
+
+# openshift_aws_create_security_groups defaults to true.  If you wish to use
+# an existing security group, set this to false.
+#openshift_aws_create_security_groups: true
+
+# openshift_aws_build_ami_group is the name of the security group to build the
+# ami in.  
This defaults to the value of openshift_aws_clusterid.
+#openshift_aws_build_ami_group: "{{ openshift_aws_clusterid }}"
+
+# openshift_aws_launch_config_security_groups specifies the security groups to
+# apply to the launch config.  The launch config security groups will be what
+# the cluster actually is deployed in.
+#openshift_aws_launch_config_security_groups: see roles/openshift_aws/defaults.yml
+
+# openshift_aws_node_security_groups are created when
+# openshift_aws_create_security_groups is set to true.
+#openshift_aws_node_security_groups: see roles/openshift_aws/defaults.yml
+
+# -------- #
+# ssh keys #
+# -------- #
+
+# Specify the key pair name here to connect to the provisioned instances.  This
+# can be an existing key, or it can be one of the keys specified in
+# openshift_aws_users
+openshift_aws_ssh_key_name: # myuser_key
+
+# This will ensure these user and public keys are created.
+#openshift_aws_users:
+#- key_name: myuser_key
+#  username: myuser
+#  pub_key: |
+#         ssh-rsa AAAA
+
+# When building the AMI, specify the user to ssh to the instance as.
+# openshift_aws_build_ami_ssh_user: root
+
+# --------- #
+# AMI Build #
+# --------- #
+# Variables in this section apply to building a node AMI for use in your
+# openshift cluster.
+
+# must specify a base_ami when building an AMI
+openshift_aws_base_ami: # ami-12345678
+
+# when creating an encrypted AMI please specify use_encryption
+#openshift_aws_ami_encrypt: False
+
+# -- #
+# S3 #
+# -- #
+
+# Create an s3 bucket.
+#openshift_aws_create_s3: True
+
+# --- #
+# ELB #
+# --- #
+
+# openshift_aws_elb_name will be the base-name of the ELBs.
+#openshift_aws_elb_name: "{{ openshift_aws_clusterid }}"
+
+# custom certificates are required for the ELB
+openshift_aws_iam_cert_path: # '/path/to/wildcard.<clusterid>.example.com.crt'
+openshift_aws_iam_key_path: # '/path/to/wildcard.<clusterid>.example.com.key'
+#openshift_aws_iam_cert_chain_path: '/path/to/cert.ca.crt'
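Review bot: The uncommented mandatory keys (`openshift_deployment_type: # ...`, `openshift_release:`, `openshift_pkg_version:`, `openshift_aws_ssh_key_name:`, `openshift_aws_base_ami:`, `openshift_aws_iam_cert_path:`, `openshift_aws_iam_key_path:`) parse as null, and because the documented invocation is `-e @provisioning_vars.yml`, an unedited copy passes them as extra vars, which take precedence over the inventory group_vars that the README in this commit says may hold the same values. A header line such as `# Every uncommented key below must be given a value: a blank key passed with -e overrides any group_vars setting with null` would make that failure mode visible, or the mandatory keys could be shipped commented out with the README's "mandatory" list doing the enforcement. `see roles/openshift_aws/defaults.yml` appears twice here while the README and BUILD_AMI.md in this commit point at `roles/openshift_aws/defaults/main.yml`; the references should agree. PREREQUISITES.md in this commit still refers to `provisioning_vars.example.yml`, the name of the file this commit deletes, rather than this one. Since `openshift_aws_ami_encrypt` defaults to `False`, its comment could point to the KMS description in BUILD_AMI.md so that operators with an encryption-at-rest requirement notice the switch.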
diff --git a/playbooks/byo/openshift-etcd/embedded2external.yml b/playbooks/byo/openshift-etcd/embedded2external.yml
new file mode 100644
index 000000000..6690a7624
--- /dev/null
+++ b/playbooks/byo/openshift-etcd/embedded2external.yml
@@ -0,0 +1,6 @@
+---
+- include: ../openshift-cluster/initialize_groups.yml
+
+- include: ../../common/openshift-cluster/std_include.yml
+
+- include: ../../common/openshift-etcd/embedded2external.yml
diff --git a/playbooks/byo/openshift-cfme/config.yml b/playbooks/byo/openshift-management/config.yml
index 0e8e7a94d..33a555cc1 100644
--- a/playbooks/byo/openshift-cfme/config.yml
+++ b/playbooks/byo/openshift-management/config.yml
@@ -5,4 +5,4 @@
 - include: ../../common/openshift-cluster/evaluate_groups.yml
-- include: ../../common/openshift-cfme/config.yml
+- include: ../../common/openshift-management/config.yml
diff --git a/playbooks/byo/openshift-cfme/uninstall.yml b/playbooks/byo/openshift-management/uninstall.yml
index c8ed16859..ebd6fb261 100644
--- a/playbooks/byo/openshift-cfme/uninstall.yml
+++ b/playbooks/byo/openshift-management/uninstall.yml
@@ -3,4 +3,4 @@
 #   tags:
 #     - always
-- include: ../../common/openshift-cfme/uninstall.yml
+- include: ../../common/openshift-management/uninstall.yml
diff --git a/playbooks/common/openshift-cfme/config.yml b/playbooks/common/openshift-cfme/config.yml
deleted file mode 100644
index 533a35d9e..000000000
--- a/playbooks/common/openshift-cfme/config.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# TODO: Make this work. The 'name' variable below is undefined
-# presently because it's part of the cfme role. This play can't run
-# until that's re-worked.
-#
-# - name: Pre-Pull manageiq-pods docker images
-#   hosts: nodes
-#   tasks:
-#   - name: Ensure the latest manageiq-pods docker image is pulling
-#     docker_image:
-#       name: "{{ openshift_cfme_container_image }}"
-#     # Fire-and-forget method, never timeout
-#     async: 99999999999
-#     # F-a-f, never check on this. True 'background' task.
-#     poll: 0
-
-- name: Configure Masters for CFME Bulk Image Imports
-  hosts: oo_masters_to_config
-  serial: 1
-  tasks:
-  - name: Run master cfme tuning playbook
-    include_role:
-      name: openshift_cfme
-      tasks_from: tune_masters
-
-- name: Setup CFME
-  hosts: oo_first_master
-  vars:
-    r_openshift_cfme_miq_template_content: "{{ lookup('file', 'roles/openshift_cfme/files/miq-template.yaml') | from_yaml}}"
-  pre_tasks:
-  - name: Create a temporary place to evaluate the PV templates
-    command: mktemp -d /tmp/openshift-ansible-XXXXXXX
-    register: r_openshift_cfme_mktemp
-    changed_when: false
-  - name: Ensure the server template was read from disk
-    debug:
-      msg="{{ r_openshift_cfme_miq_template_content | from_yaml }}"
-
-  tasks:
-  - name: Run the CFME Setup Role
-    include_role:
-      name: openshift_cfme
-    vars:
-      template_dir: "{{ hostvars[groups.masters.0].r_openshift_cfme_mktemp.stdout }}"
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 96a43230d..dbe09dce2 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -8,7 +8,10 @@    vars:    - r_openshift_health_checker_playbook_context: install    post_tasks: -  - action: openshift_health_check + +  - name: Verify Requirements - EL +    when: ansible_distribution != "Fedora" +    action: openshift_health_check      args:        checks:        - disk_availability @@ -17,6 +20,12 @@        - package_version        - docker_image_availability        - docker_storage +  - name: Verify Requirements - Fedora +    when: ansible_distribution == "Fedora" +    action: openshift_health_check +    args: +      checks: +      - docker_image_availability  - include: ../openshift-etcd/config.yml @@ -46,6 +55,9 @@  - include: service_catalog.yml    when: openshift_enable_service_catalog | default(false) | bool +- include: openshift_management.yml +  when: openshift_management_install_management | default(false) | bool +  - name: Print deprecated variable warning message if necessary    hosts: oo_first_master    gather_facts: no diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml index 6100c36e1..e6400ea61 100644 --- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml +++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml @@ -19,8 +19,8 @@  # NOTE: We set this even on etcd hosts as they may also later run as masters,  # and we don't want to install wrong version of docker and have to downgrade  # later. -- name: Set openshift_version for all hosts -  hosts: oo_all_hosts:!oo_first_master +- name: Set openshift_version for etcd, node, and master hosts +  hosts: oo_etcd_to_config:oo_nodes_to_config:oo_masters_to_config:!oo_first_master    vars:      openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}"    pre_tasks: diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index 32e5e708a..c1536eb36 100644 
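Review bot: The Fedora health-check task added after `- docker_storage` lists only `docker_image_availability`, so Fedora hosts skip `disk_availability` and `docker_storage` (and whatever checks sit in the elided lines 11–16) although those checks are not distribution-specific; only package-related checks plausibly need to differ. Unless the reduced set is deliberate, add `- disk_availability` and `- docker_storage` to the Fedora `checks` list, or put a comment above `Verify Requirements - Fedora` stating why they are omitted, e.g. `# Fedora: only image availability is verified; package checks assume EL repositories`. Note that the EL task's `when: ansible_distribution != "Fedora"` matches every non-Fedora distribution, not just EL, so the name is slightly misleading.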
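Review bot: Narrowing `Set openshift_version` to `oo_etcd_to_config:oo_nodes_to_config:oo_masters_to_config` means load-balancer and NFS hosts no longer get `openshift_version` set; the new load-balancer play later in this commit applies `openshift_docker` on those hosts with only `openshift_image_tag` copied from the first master, so if that role also reads `openshift_version` it will be undefined there. If the exclusion is intentional, extend the NOTE above the play, e.g. `# lb and nfs hosts are intentionally excluded; they only need openshift_image_tag`, so the next reader does not widen the host pattern back.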
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -1,7 +1,6 @@  ---  - name: Hosted Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Hosted install 'In Progress' @@ -26,8 +25,7 @@    when: openshift_hosted_prometheus_deploy | default(False) | bool  - name: Hosted Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Hosted install 'Complete' diff --git a/playbooks/common/openshift-cluster/openshift_logging.yml b/playbooks/common/openshift-cluster/openshift_logging.yml index 69f50fbcd..529a4c939 100644 --- a/playbooks/common/openshift-cluster/openshift_logging.yml +++ b/playbooks/common/openshift-cluster/openshift_logging.yml @@ -1,7 +1,6 @@  ---  - name: Logging Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Logging install 'In Progress' @@ -24,8 +23,7 @@          tasks_from: update_master_config  - name: Logging Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Logging install 'Complete' diff --git a/playbooks/common/openshift-cluster/openshift_management.yml b/playbooks/common/openshift-cluster/openshift_management.yml new file mode 100644 index 000000000..6e582920b --- /dev/null +++ b/playbooks/common/openshift-cluster/openshift_management.yml 
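Review bot: With `hosts: oo_all_hosts` the `Set Hosted install 'In Progress'` task now runs once per inventory host instead of once; because `aggregate: false` simply rewrites the same value, the result is unchanged but the per-host execution is noise in the output and the intent is not obvious. Adding `run_once: true` to the `set_stats` tasks keeps single-execution semantics while still targeting the real hosts. The same pattern is introduced in the logging, metrics, service catalog, std_include, etcd, glusterfs, load balancer, master, NFS and node checkpoint hunks of this commit.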
@@ -0,0 +1,25 @@
+---
+- name: Management Install Checkpoint Start
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
+  - name: Set Management install 'In Progress'
+    set_stats:
+      data:
+        installer_phase_Management: "In Progress"
+      aggregate: false
+
+- name: Management
+  include: ../openshift-management/config.yml
+
+- name: Management Install Checkpoint End
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
+  - name: Set Management install 'Complete'
+    set_stats:
+      data:
+        installer_phase_Management: "Complete"
+      aggregate: false
diff --git a/playbooks/common/openshift-cluster/openshift_metrics.yml b/playbooks/common/openshift-cluster/openshift_metrics.yml
index e369dcd86..9c0bd489b 100644
--- a/playbooks/common/openshift-cluster/openshift_metrics.yml
+++ b/playbooks/common/openshift-cluster/openshift_metrics.yml
@@ -1,7 +1,6 @@
 ---
 - name: Metrics Install Checkpoint Start
-  hosts: localhost
-  connection: local
+  hosts: oo_all_hosts
   gather_facts: false
   tasks:
   - name: Set Metrics install 'In Progress'
@@ -25,8 +24,7 @@
       tasks_from: update_master_config.yaml
 
 - name: Metrics Install Checkpoint End
-  hosts: localhost
-  connection: local
+  hosts: oo_all_hosts
   gather_facts: false
   tasks:
   - name: Set Metrics install 'Complete'
diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
index e4193a00e..2068ed199 100644
--- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
+++ b/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
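Review bot: The two checkpoint plays in the new openshift_management.yml still use `hosts: localhost` / `connection: local`, while every other checkpoint play touched by this commit is converted to `hosts: oo_all_hosts`; the new file is out of step with the convention the same commit establishes. Replace the `hosts: localhost` and `connection: local` pair in both `Management Install Checkpoint Start` and `Management Install Checkpoint End` with `hosts: oo_all_hosts`. If the localhost form is intentional here, a one-line comment above the first play saying why would stop it being "fixed" later.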
@@ -44,8 +44,8 @@    - modify_yaml:        dest: "{{ openshift.common.config_base }}/master/master-config.yaml"        yaml_key: servingInfo.clientCA -      yaml_value: ca-bundle.crt -    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca-bundle.crt' +      yaml_value: ca.crt +    when: (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt'    - modify_yaml:        dest: "{{ openshift.common.config_base }}/master/master-config.yaml"        yaml_key: etcdClientInfo.ca diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml index 95a8f601c..bd964b2ce 100644 --- a/playbooks/common/openshift-cluster/service_catalog.yml +++ b/playbooks/common/openshift-cluster/service_catalog.yml @@ -1,7 +1,6 @@  ---  - name: Service Catalog Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Service Catalog install 'In Progress' @@ -20,8 +19,7 @@      first_master: "{{ groups.oo_first_master[0] }}"  - name: Service Catalog Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Service Catalog install 'Complete' diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml index 090ad6445..45b34c8bd 100644 --- a/playbooks/common/openshift-cluster/std_include.yml +++ b/playbooks/common/openshift-cluster/std_include.yml @@ -1,7 +1,6 @@  ---  - name: Initialization Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    roles:    - installer_checkpoint @@ -37,8 +36,7 @@    - always  - name: Initialization Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set install initialization 'Complete' 
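Review bot: Switching `servingInfo.clientCA` from `ca-bundle.crt` to `ca.crt` changes which client certificates the API server trusts for authentication, and nothing in the hunk records why. Presumably ca-bundle.crt carries both the retiring and the new CA while ca.crt carries only the current one; if so, client certificates chained to a CA present only in the bundle stop being accepted the moment this task runs, which is a sharp edge in the middle of a CA redeploy. A comment above the `modify_yaml` stating the intended trust set would make the change reviewable, e.g. `# clientCA must name the single current CA; pointing it at the bundle would keep accepting client certs from the CA being retired`. The task's `when` guard and the etcdClientInfo.ca task below it are outside the visible part of the play.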
diff --git a/playbooks/common/openshift-cluster/upgrades/files/shared_resource_viewer_role.yaml b/playbooks/common/openshift-cluster/upgrades/files/shared_resource_viewer_role.yaml new file mode 100644 index 000000000..9c9c260fb --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/files/shared_resource_viewer_role.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: v1 +kind: Role +metadata: +  name: shared-resource-viewer +  namespace: openshift +rules: +- apiGroups: +  - "" +  - template.openshift.io +  attributeRestrictions: null +  resources: +  - templates +  verbs: +  - get +  - list +  - watch +- apiGroups: +  - "" +  - image.openshift.io +  attributeRestrictions: null +  resources: +  - imagestreamimages +  - imagestreams +  - imagestreamtags +  verbs: +  - get +  - list +  - watch +- apiGroups: +  - "" +  - image.openshift.io +  attributeRestrictions: null +  resources: +  - imagestreams/layers +  verbs: +  - get diff --git a/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml index 72de63070..fc1cbf32a 100644 --- a/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/initialize_nodes_to_upgrade.yml @@ -30,6 +30,7 @@          ansible_become: "{{ g_sudo | default(omit) }}"        with_items: " {{ groups['oo_nodes_to_config'] }}"        when: +      - hostvars[item].openshift is defined        - hostvars[item].openshift.common.hostname in nodes_to_upgrade.results.results[0]['items'] | map(attribute='metadata.name') | list        changed_when: false diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml index 07e521a89..122066955 100644 --- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml 
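Review bot: The new shared_resource_viewer_role.yaml has no comment saying where its definition comes from or when it is applied, so it reads like a current, hand-maintained role rather than a fixed snapshot. Elsewhere in this commit upgrade_control_plane.yml applies it only for 3.6-but-not-3.7 clusters whose in-cluster role is not marked `openshift.io/reconcile-protect`; a header such as `# shared-resource-viewer as shipped in 3.6; applied by upgrades/upgrade_control_plane.yml only when the existing role is not reconcile-protected — do not edit to track newer releases` would keep that contract visible next to the rules.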
@@ -103,9 +103,16 @@      openshift_hosted_templates_import_command: replace  # Check for warnings to be printed at the end of the upgrade: -- name: Check for warnings +- name: Clean up and display warnings    hosts: oo_masters_to_config -  tasks: +  tags: +  - always +  gather_facts: no +  roles: +  - role: openshift_excluder +    r_openshift_excluder_action: enable +    r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" +  post_tasks:    # Check if any masters are using pluginOrderOverride and warn if so, only for 1.3/3.3 and beyond:    - name: grep pluginOrderOverride      command: grep pluginOrderOverride {{ openshift.common.config_base }}/master/master-config.yaml @@ -121,12 +128,8 @@      - not grep_plugin_order_override | skipped      - grep_plugin_order_override.rc == 0 -- name: Re-enable excluder if it was previously enabled -  hosts: oo_masters_to_config -  tags: -  - always -  gather_facts: no -  roles: -  - role: openshift_excluder -    r_openshift_excluder_action: enable -    r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" +  - name: Warn if shared-resource-viewer could not be updated +    debug: +      msg: "WARNING the shared-resource-viewer role could not be upgraded to 3.6 spec because it's marked protected, please see https://bugzilla.redhat.com/show_bug.cgi?id=1493213" +    when: +    - __shared_resource_viewer_protected | default(false) diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_health_checks.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_health_checks.yml index ad6325ca0..2a8de50a2 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_health_checks.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_health_checks.yml 
@@ -1,12 +1,14 @@  --- -- name: Verify Host Requirements +- name: OpenShift Health Checks    hosts: oo_all_hosts +  any_errors_fatal: true    roles:    - openshift_health_checker    vars:    - r_openshift_health_checker_playbook_context: upgrade    post_tasks: -  - action: openshift_health_check +  - name: Run health checks (upgrade) +    action: openshift_health_check      args:        checks:        - disk_availability diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index da47491c1..c37a5f9ab 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -31,7 +31,6 @@        role: master        local_facts:          embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" -        debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level | default(2)) }}"  - name: Upgrade and backup etcd    include: ./etcd/main.yml @@ -193,6 +192,7 @@      # Another spot where we assume docker is running and do not want to accidentally trigger an unsafe      # restart.      skip_docker_role: True +    __master_shared_resource_viewer_file: "shared_resource_viewer_role.yaml"    tasks:    - name: Reconcile Cluster Roles      command: 
> @@ -231,6 +231,44 @@
     - reconcile_jenkins_role_binding_result.rc == 0
     when: (not openshift.common.version_gte_3_7 | bool) and (openshift.common.version_gte_3_4_or_1_4 | bool)
 
+  - when: (openshift.common.version_gte_3_6 | bool) and (not openshift.common.version_gte_3_7 | bool)
+    block:
+    - name: Retrieve shared-resource-viewer
+      oc_obj:
+        state: list
+        kind: role
+        name: "shared-resource-viewer"
+        namespace: "openshift"
+      register: objout
+
+    - name: Determine if shared-resource-viewer is protected
+      set_fact:
+        __shared_resource_viewer_protected: true
+      when:
+      - "'results' in objout"
+      - "'results' in objout['results']"
+      - "'annotations' in objout['results']['results'][0]['metadata']"
+      - "'openshift.io/reconcile-protect' in objout['results']['results'][0]['metadata']['annotations']"
+      - "objout['results']['results'][0]['metadata']['annotations']['openshift.io/reconcile-protect'] == 'true'"
+
+    - copy:
+        src: "{{ item }}"
+        dest: "/tmp/{{ item }}"
+      with_items:
+      - "{{ __master_shared_resource_viewer_file }}"
+      when: __shared_resource_viewer_protected is not defined
+
+    - name: Fixup shared-resource-viewer role
+      oc_obj:
+        state: present
+        kind: role
+        name: "shared-resource-viewer"
+        namespace: "openshift"
+        files:
+        - "/tmp/{{ __master_shared_resource_viewer_file }}"
+        delete_after: true
+      when: __shared_resource_viewer_protected is not defined
+
   - name: Reconcile Security Context Constraints
     command: >
       {{ openshift.common.client_binary }} adm policy --config={{ openshift.common.config_base }}/master/admin.kubeconfig reconcile-sccs --confirm --additive-only=true -o name
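Review bot: The `copy` task writes the role manifest to the fixed, predictable path `/tmp/{{ __master_shared_resource_viewer_file }}` on the master and the following `oc_obj` applies whatever is at that path as a Role in the `openshift` namespace; a fixed name in a world-writable directory can be pre-created or swapped by any local user between the two tasks, so the content applied with admin credentials is not guaranteed to be the file shipped with the playbook. Other playbooks in this commit already use `command: mktemp -d /tmp/openshift-ansible-XXXXXXX` with `register:`; doing the same here and using `dest: "{{ l_srv_tmpdir.stdout }}/{{ item }}"` and `files: - "{{ l_srv_tmpdir.stdout }}/{{ __master_shared_resource_viewer_file }}"` (name constructed) removes the race while `delete_after: true` still cleans up. The `Determine if ... is protected` conditions index `objout['results']['results'][0]` without checking the list is non-empty, so an absent role raises instead of being treated as unprotected. The enclosing task list continues past the hunk.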
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml index ed89dbe8d..df59a8782 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/master_config_upgrade.yml @@ -14,3 +14,8 @@      dest: "{{ openshift.common.config_base}}/master/master-config.yaml"      yaml_key: 'kubernetesMasterConfig.admissionConfig'      yaml_value: + +- modify_yaml: +    dest: "{{ openshift.common.config_base}}/master/master-config.yaml" +    yaml_key: 'controllerConfig.election.lockName' +    yaml_value: 'openshift-master-controllers' diff --git a/playbooks/common/openshift-etcd/certificates.yml b/playbooks/common/openshift-etcd/certificates.yml index 31a0f50d8..eb6b94f33 100644 --- a/playbooks/common/openshift-etcd/certificates.yml +++ b/playbooks/common/openshift-etcd/certificates.yml 
@@ -1,29 +1,4 @@  --- -- name: Create etcd server certificates for etcd hosts -  hosts: oo_etcd_to_config -  any_errors_fatal: true -  roles: -    - role: openshift_etcd_facts -  post_tasks: -    - include_role: -        name: etcd -        tasks_from: server_certificates -      vars: -        etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" -        etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" -        etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" -        r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" +- include: server_certificates.yml -- name: Create etcd client certificates for master hosts -  hosts: oo_masters_to_config -  any_errors_fatal: true -  roles: -    - role: openshift_etcd_facts -    - role: openshift_etcd_client_certificates -      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" -      etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" -      etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" -      etcd_cert_prefix: "master.etcd-" -      openshift_ca_host: "{{ groups.oo_first_master.0 }}" -      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" -      when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config +- include: master_etcd_certificates.yml diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml index 82539dac8..48d46bbb0 100644 --- a/playbooks/common/openshift-etcd/config.yml +++ b/playbooks/common/openshift-etcd/config.yml @@ -1,7 +1,6 @@  ---  - name: etcd Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set etcd install 'In Progress' @@ -27,8 +26,7 @@    - role: nickhammond.logrotate  - name: etcd Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set etcd install 'Complete' 
diff --git a/playbooks/common/openshift-etcd/embedded2external.yml b/playbooks/common/openshift-etcd/embedded2external.yml new file mode 100644 index 000000000..9264f3c32 --- /dev/null +++ b/playbooks/common/openshift-etcd/embedded2external.yml 
@@ -0,0 +1,172 @@ +--- +- name: Pre-migrate checks +  hosts: localhost +  tasks: +  # Check there is only one etcd host +  - assert: +      that: groups.oo_etcd_to_config | default([]) | length == 1 +      msg: "[etcd] group must contain only one host" +  # Check there is only one master +  - assert: +      that: groups.oo_masters_to_config | default([]) | length == 1 +      msg: "[master] group must contain only one host" + +# 1. stop a master +- name: Prepare masters for etcd data migration +  hosts: oo_first_master +  roles: +  - role: openshift_facts +  tasks: +  - name: Check the master API is ready +    include_role: +      name: openshift_master +      tasks_from: check_master_api_is_ready +  - set_fact: +      master_service: "{{ openshift.common.service_type + '-master' }}" +      embedded_etcd_backup_suffix: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}" +  - debug: +      msg: "master service name: {{ master_service }}" +  - name: Stop master +    service: +      name: "{{ master_service }}" +      state: stopped +  # 2. backup embedded etcd +  # Can't use with_items with include_role: https://github.com/ansible/ansible/issues/21285 +  - include_role: +      name: etcd +      tasks_from: backup +    vars: +      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" +      r_etcd_common_backup_tag: pre-migrate +      r_etcd_common_embedded_etcd: "{{ true }}" +      r_etcd_common_backup_sufix_name: "{{ embedded_etcd_backup_suffix }}" + +  - include_role: +      name: etcd +      tasks_from: backup.archive +    vars: +      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" +      r_etcd_common_backup_tag: pre-migrate +      r_etcd_common_embedded_etcd: "{{ true }}" +      r_etcd_common_backup_sufix_name: "{{ embedded_etcd_backup_suffix }}" + +# 3. 
deploy certificates (for etcd and master) +- include: ca.yml + +- include: server_certificates.yml + +- name: Backup etcd client certificates for master host +  hosts: oo_first_master +  tasks: +  - include_role: +      name: etcd +      tasks_from: backup_master_etcd_certificates + +- name: Redeploy master etcd certificates +  include: master_etcd_certificates.yml +  vars: +    etcd_certificates_redeploy: "{{ true }}" + +# 4. deploy external etcd +- include: ../openshift-etcd/config.yml + +# 5. stop external etcd +- name: Cleanse etcd +  hosts: oo_etcd_to_config[0] +  gather_facts: no +  pre_tasks: +  - include_role: +      name: etcd +      tasks_from: disable_etcd +    vars: +      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" +  - include_role: +      name: etcd +      tasks_from: clean_data +    vars: +      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" + +# 6. copy the embedded etcd backup to the external host +# TODO(jchaloup): if the etcd and first master are on the same host, just copy the directory +- name: Copy embedded etcd backup to the external host +  hosts: localhost +  tasks: +  - name: Create local temp directory for syncing etcd backup +    local_action: command mktemp -d /tmp/etcd_backup-XXXXXXX +    register: g_etcd_client_mktemp +    changed_when: False +    become: no + +  - include_role: +      name: etcd +      tasks_from: backup.fetch +    vars: +      r_etcd_common_etcd_runtime: "{{ hostvars[groups.oo_first_master.0].openshift.common.etcd_runtime }}" +      etcd_backup_sync_directory: "{{ g_etcd_client_mktemp.stdout }}" +      r_etcd_common_backup_tag: pre-migrate +      r_etcd_common_embedded_etcd: "{{ true }}" +      r_etcd_common_backup_sufix_name: "{{ hostvars[groups.oo_first_master.0].embedded_etcd_backup_suffix }}" +    delegate_to: "{{ groups.oo_first_master[0] }}" + +  - include_role: +      name: etcd +      tasks_from: backup.copy +    vars: +      r_etcd_common_etcd_runtime: "{{ 
hostvars[groups.oo_etcd_to_config.0].openshift.common.etcd_runtime }}" +      etcd_backup_sync_directory: "{{ g_etcd_client_mktemp.stdout }}" +      r_etcd_common_backup_tag: pre-migrate +      r_etcd_common_backup_sufix_name: "{{ hostvars[groups.oo_first_master.0].embedded_etcd_backup_suffix }}" +    delegate_to: "{{ groups.oo_etcd_to_config[0] }}" + +  - debug: +      msg: "etcd_backup_dest_directory: {{ g_etcd_client_mktemp.stdout }}" + +  - name: Delete temporary directory +    local_action: file path="{{ g_etcd_client_mktemp.stdout }}" state=absent +    changed_when: False +    become: no + +# 7. force new cluster from the backup +- name: Force new etcd cluster +  hosts: oo_etcd_to_config[0] +  tasks: +  - include_role: +      name: etcd +      tasks_from: backup.unarchive +    vars: +      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" +      r_etcd_common_backup_tag: pre-migrate +      r_etcd_common_backup_sufix_name: "{{ hostvars[groups.oo_first_master.0].embedded_etcd_backup_suffix }}" + +  - include_role: +      name: etcd +      tasks_from: backup.force_new_cluster +    vars: +      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" +      r_etcd_common_backup_tag: pre-migrate +      r_etcd_common_backup_sufix_name: "{{ hostvars[groups.oo_first_master.0].embedded_etcd_backup_suffix }}" +      etcd_peer: "{{ openshift.common.ip }}" +      etcd_url_scheme: "https" +      etcd_peer_url_scheme: "https" + +# 8. re-configure master to use the external etcd +- name: Configure master to use external etcd +  hosts: oo_first_master +  tasks: +  - include_role: +      name: openshift_master +      tasks_from: configure_external_etcd +    vars: +      etcd_peer_url_scheme: "https" +      etcd_ip: "{{ openshift.common.ip }}" +      etcd_peer_port: 2379 + +  # 9. 
start the master +  - name: Start master +    service: +      name: "{{ master_service }}" +      state: started +    register: service_status +    until: service_status.state is defined and service_status.state == "started" +    retries: 5 +    delay: 10 diff --git a/playbooks/common/openshift-etcd/master_etcd_certificates.yml b/playbooks/common/openshift-etcd/master_etcd_certificates.yml new file mode 100644 index 000000000..0a25aac57 --- /dev/null +++ b/playbooks/common/openshift-etcd/master_etcd_certificates.yml @@ -0,0 +1,14 @@ +--- +- name: Create etcd client certificates for master hosts +  hosts: oo_masters_to_config +  any_errors_fatal: true +  roles: +    - role: openshift_etcd_facts +    - role: openshift_etcd_client_certificates +      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" +      etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" +      etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" +      etcd_cert_prefix: "master.etcd-" +      openshift_ca_host: "{{ groups.oo_first_master.0 }}" +      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" +      when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config diff --git a/playbooks/common/openshift-etcd/scaleup.yml b/playbooks/common/openshift-etcd/scaleup.yml index b5ba2bbba..20061366c 100644 --- a/playbooks/common/openshift-etcd/scaleup.yml +++ b/playbooks/common/openshift-etcd/scaleup.yml 
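Review bot: In `Configure master to use external etcd`, `etcd_ip: "{{ openshift.common.ip }}"` is rendered on `oo_first_master`, so it resolves to the master's own address; unless the external etcd host is always the master itself (the step-6 TODO implies it need not be), the master is pointed at itself rather than at `hostvars[groups.oo_etcd_to_config.0].openshift.common.ip`. Step 5 runs `clean_data` on the external etcd host with no assertion that it holds no data, so a mis-filled `[etcd]` group wipes a live cluster — an explicit opt-in variable checked in `Pre-migrate checks` next to the existing `assert`s would guard that. The embedded-etcd backup (which includes the cluster's Secret objects) is fetched into the controller-side `g_etcd_client_mktemp` directory that is removed only on the success path; wrapping the fetch/copy tasks in a `block` with an `always` clause that deletes it ensures cleanup when a later task fails. Likewise `Stop master` has no compensating restart on failure, so any abort between steps 1 and 9 leaves the master down, which is worth stating in the header comment.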
@@ -46,7 +46,7 @@      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"      etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"      etcd_initial_cluster_state: "existing" -    initial_etcd_cluster: "{{ etcd_add_check.stdout_lines[3] | regex_replace('ETCD_INITIAL_CLUSTER=','') | regex_replace('\"','') }}" +    etcd_initial_cluster: "{{ etcd_add_check.stdout_lines[3] | regex_replace('ETCD_INITIAL_CLUSTER=','') | regex_replace('\"','') }}"      etcd_ca_setup: False      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"    - role: nickhammond.logrotate @@ -71,7 +71,7 @@      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"      openshift_ca_host: "{{ groups.oo_first_master.0 }}"      openshift_master_etcd_hosts: "{{ hostvars -                                     | oo_select_keys(groups['oo_etcd_to_config'] | union(groups['oo_new_etcd_to_config'])) +                                     | oo_select_keys(groups['oo_etcd_to_config'] | union(groups['oo_new_etcd_to_config'] | default([]) ))                                       | oo_collect('openshift.common.hostname')                                       | default(none, true) }}"      openshift_master_etcd_port: "{{ (etcd_client_port | default('2379')) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else none }}" diff --git a/playbooks/common/openshift-etcd/server_certificates.yml b/playbooks/common/openshift-etcd/server_certificates.yml new file mode 100644 index 000000000..10e06747b --- /dev/null +++ b/playbooks/common/openshift-etcd/server_certificates.yml 
@@ -0,0 +1,15 @@ +--- +- name: Create etcd server certificates for etcd hosts +  hosts: oo_etcd_to_config +  any_errors_fatal: true +  roles: +    - role: openshift_etcd_facts +  post_tasks: +    - include_role: +        name: etcd +        tasks_from: server_certificates +      vars: +        etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" +        etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" +        etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" +        r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" diff --git a/playbooks/common/openshift-glusterfs/config.yml b/playbooks/common/openshift-glusterfs/config.yml index 516618de2..80cda9e21 100644 --- a/playbooks/common/openshift-glusterfs/config.yml +++ b/playbooks/common/openshift-glusterfs/config.yml @@ -1,7 +1,6 @@  ---  - name: GlusterFS Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set GlusterFS install 'In Progress' @@ -37,8 +36,7 @@      when: groups.oo_glusterfs_to_config | default([]) | count > 0  - name: GlusterFS Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set GlusterFS install 'Complete' diff --git a/playbooks/common/openshift-loadbalancer/config.yml b/playbooks/common/openshift-loadbalancer/config.yml index ecbb092bc..2a703cb61 100644 --- a/playbooks/common/openshift-loadbalancer/config.yml +++ b/playbooks/common/openshift-loadbalancer/config.yml @@ -1,7 +1,6 @@  ---  - name: Load Balancer Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set load balancer install 'In Progress' 
@@ -10,6 +9,15 @@
         installer_phase_loadbalancer: "In Progress"
       aggregate: false
 
+- name: Configure firewall and docker for load balancers
+  hosts: oo_lb_to_config:!oo_masters_to_config:!oo_nodes_to_config
+  vars:
+    openshift_image_tag: "{{ hostvars[groups.oo_first_master.0].openshift_image_tag }}"
+  roles:
+  - role: os_firewall
+  - role: openshift_docker
+    when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool
+
 - name: Configure load balancers
   hosts: oo_lb_to_config
   vars:
@@ -25,12 +33,11 @@
                                           + openshift_loadbalancer_additional_backends | default([]) }}"
     openshift_image_tag: "{{ hostvars[groups.oo_first_master.0].openshift_image_tag }}"
   roles:
-  - role: os_firewall
   - role: openshift_loadbalancer
+  - role: tuned
 
 - name: Load Balancer Install Checkpoint End
-  hosts: localhost
-  connection: local
+  hosts: oo_all_hosts
   gather_facts: false
   tasks:
   - name: Set load balancer install 'Complete'
diff --git a/playbooks/common/openshift-management/config.yml b/playbooks/common/openshift-management/config.yml
new file mode 100644
index 000000000..0aaafe440
--- /dev/null
+++ b/playbooks/common/openshift-management/config.yml
@@ -0,0 +1,15 @@
+---
+- name: Setup CFME
+  hosts: oo_first_master
+  pre_tasks:
+  - name: Create a temporary place to evaluate the PV templates
+    command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+    register: r_openshift_management_mktemp
+    changed_when: false
+
+  tasks:
+  - name: Run the CFME Setup Role
+    include_role:
+      name: openshift_management
+    vars:
+      template_dir: "{{ hostvars[groups.masters.0].r_openshift_management_mktemp.stdout }}"
diff --git a/playbooks/common/openshift-cfme/filter_plugins b/playbooks/common/openshift-management/filter_plugins
index 99a95e4ca..99a95e4ca 120000
--- a/playbooks/common/openshift-cfme/filter_plugins
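Review bot: In the new openshift-management/config.yml, `template_dir` is read from `hostvars[groups.masters.0].r_openshift_management_mktemp.stdout` although the play runs on `oo_first_master` and registered that variable there; if the inventory's `masters` group is ordered differently from `oo_first_master` or is not defined (the rest of this commit only references `oo_*` groups), the lookup is undefined or returns another host's path. Because `include_role` runs on the same host, `template_dir: "{{ r_openshift_management_mktemp.stdout }}"` is enough. The `mktemp` directory is also never removed; a `post_tasks` entry with `file: path="{{ r_openshift_management_mktemp.stdout }}" state=absent` would avoid leaving rendered templates on the master.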
+++ b/playbooks/common/openshift-management/filter_plugins diff --git a/playbooks/common/openshift-cfme/library b/playbooks/common/openshift-management/library index ba40d2f56..ba40d2f56 120000 --- a/playbooks/common/openshift-cfme/library +++ b/playbooks/common/openshift-management/library diff --git a/playbooks/common/openshift-cfme/roles b/playbooks/common/openshift-management/roles index 20c4c58cf..20c4c58cf 120000 --- a/playbooks/common/openshift-cfme/roles +++ b/playbooks/common/openshift-management/roles diff --git a/playbooks/common/openshift-cfme/uninstall.yml b/playbooks/common/openshift-management/uninstall.yml index 78b8e7668..698d93405 100644 --- a/playbooks/common/openshift-cfme/uninstall.yml +++ b/playbooks/common/openshift-management/uninstall.yml @@ -4,5 +4,5 @@    tasks:    - name: Run the CFME Uninstall Role Tasks      include_role: -      name: openshift_cfme +      name: openshift_management        tasks_from: uninstall diff --git a/playbooks/common/openshift-master/additional_config.yml b/playbooks/common/openshift-master/additional_config.yml index ee76e2ed7..1b3eb268a 100644 --- a/playbooks/common/openshift-master/additional_config.yml +++ b/playbooks/common/openshift-master/additional_config.yml @@ -1,7 +1,6 @@  ---  - name: Master Additional Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Master Additional install 'In Progress' @@ -37,8 +36,7 @@      when: openshift_use_flannel | default(false) | bool  - name: Master Additional Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Master Additional install 'Complete' diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index bc1fee982..6e57f282e 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
@@ -1,7 +1,6 @@  ---  - name: Master Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Master install 'In Progress' @@ -198,6 +197,7 @@      openshift_master_default_registry_value: "{{ hostvars[groups.oo_first_master.0].l_default_registry_value }}"      openshift_master_default_registry_value_api: "{{ hostvars[groups.oo_first_master.0].l_default_registry_value_api }}"      openshift_master_default_registry_value_controllers: "{{ hostvars[groups.oo_first_master.0].l_default_registry_value_controllers }}" +  - role: tuned    - role: nuage_ca      when: openshift_use_nuage | default(false) | bool    - role: nuage_common @@ -226,8 +226,7 @@      r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"  - name: Master Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Master install 'Complete' diff --git a/playbooks/common/openshift-nfs/config.yml b/playbooks/common/openshift-nfs/config.yml index 66303d6f7..ce672daf5 100644 --- a/playbooks/common/openshift-nfs/config.yml +++ b/playbooks/common/openshift-nfs/config.yml @@ -1,7 +1,6 @@  ---  - name: NFS Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set NFS install 'In Progress' @@ -17,8 +16,7 @@    - role: openshift_storage_nfs  - name: NFS Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set NFS install 'Complete' diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 700aab48c..4f8f98aef 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml 
@@ -1,7 +1,6 @@  ---  - name: Node Install Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Node install 'In Progress' @@ -25,8 +24,7 @@  - include: enable_excluders.yml  - name: Node Install Checkpoint End -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    tasks:    - name: Set Node install 'Complete' diff --git a/playbooks/common/openshift-node/configure_nodes.yml b/playbooks/common/openshift-node/configure_nodes.yml index c96e4921c..17259422d 100644 --- a/playbooks/common/openshift-node/configure_nodes.yml +++ b/playbooks/common/openshift-node/configure_nodes.yml @@ -13,4 +13,5 @@    roles:    - role: os_firewall    - role: openshift_node +  - role: tuned    - role: nickhammond.logrotate diff --git a/playbooks/common/openshift-node/image_prep.yml b/playbooks/common/openshift-node/image_prep.yml new file mode 100644 index 000000000..fc06621ee --- /dev/null +++ b/playbooks/common/openshift-node/image_prep.yml @@ -0,0 +1,21 @@ +--- +- name: normalize groups +  include: ../../byo/openshift-cluster/initialize_groups.yml + +- name: run the std_include +  include: ../openshift-cluster/evaluate_groups.yml + +- name: run the std_include +  include: ../openshift-cluster/initialize_facts.yml + +- name: run the std_include +  include: ../openshift-cluster/initialize_openshift_repos.yml + +- name: run node config setup +  include: setup.yml + +- name: run node config +  include: configure_nodes.yml + +- name: Re-enable excluders +  include: enable_excluders.yml diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 591367467..866ed0452 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml 
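Review bot: Three consecutive includes in the new image_prep.yml carry the identical task name `run the std_include`, which makes play output ambiguous when one of them fails; name each by what it includes, e.g. `- name: evaluate groups`, `- name: initialize facts`, `- name: initialize openshift repos`. The sequence appears to replicate what std_include.yml does elsewhere in the repository, so a one-line header comment explaining why this playbook re-lists those includes instead of including std_include.yml directly would help the next reader.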
@@ -4,6 +4,7 @@    systemd:      name: "{{ openshift.docker.service_name }}"      state: restarted +    daemon_reload: yes    register: r_docker_restart_docker_result    until: not r_docker_restart_docker_result | failed    retries: 3 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index dae17c3ce..f73f90686 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -10,14 +10,6 @@      l_use_crio: "{{ openshift_use_crio | default(False) }}"      l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}" -- when: -    - openshift_deployment_type == 'openshift-enterprise' -  assert: -    that: -      - "openshift_image_tag is defined" -    msg: > -      openshift_image_tag is a required inventory variable when installing openshift-enterprise -  - name: Use Package Docker if Requested    include: package_docker.yml    when: diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index eab5c3bb1..888ae40e7 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -48,7 +48,9 @@      template:        dest: "{{ docker_systemd_dir }}/custom.conf"        src: custom.conf.j2 -  when: not os_firewall_use_firewalld | default(False) | bool +    notify: +    - restart docker +  when: not (os_firewall_use_firewalld | default(False)) | bool  - name: Add enterprise registry, if necessary    set_fact: @@ -137,6 +139,13 @@    notify:    - restart docker +# The following task is needed as the systemd module may report a change in +# state even though docker is already running. +- name: Detect if docker is already started +  command: "systemctl show docker -p ActiveState" +  changed_when: False +  register: r_docker_already_running_result +  - name: Start the Docker service    systemd:      name: docker 
@@ -149,7 +158,7 @@    delay: 30  - set_fact: -    docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}" +    docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"  - name: Check for credentials file for registry auth    stat: diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 386369d26..fdc6cd24a 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -14,6 +14,22 @@      l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"    when: l2_docker_additional_registries +- set_fact: +    l_openshift_image_tag: "{{ openshift_image_tag | string }}" +  when: openshift_image_tag is defined + +- set_fact: +    l_openshift_image_tag: "latest" +  when: +    - openshift_image_tag is not defined +    - openshift_release == "latest" + +- set_fact: +    l_openshift_image_tag: "{{ openshift_release | string }}" +  when: +    - openshift_image_tag is not defined +    - openshift_release != "latest" +  - name: Ensure container-selinux is installed    package:      name: container-selinux @@ -106,10 +122,9 @@      - name: Set CRI-O image tag        set_fact: -        l_crio_image_tag: "{{ openshift_image_tag }}" +        l_crio_image_tag: "{{ l_openshift_image_tag }}"        when:          - openshift_deployment_type == 'openshift-enterprise' -        - openshift_image_tag is defined      - name: Use RHEL based image when distribution is Red Hat        set_fact: @@ -147,7 +162,7 @@      image: "{{ l_crio_image }}"      state: latest -- name: Remove CRI-o default configuration files +- name: Remove CRI-O default configuration files    file:      path: "{{ item }}"      state: absent 
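Review bot: The new l_openshift_image_tag fallback in systemcontainer_crio.yml resolves to the mutable `latest` tag whenever openshift_image_tag is unset and openshift_release is "latest", so the CRI-O system container installed later in this file (`image: "{{ l_crio_image }}"` with `state: latest`) is no longer pinned to a known version. Combined with the assert on openshift_image_tag that this commit removes from roles/docker/tasks/main.yml, an openshift-enterprise install that forgets the variable now silently tracks whatever the registry currently publishes as latest, which makes the node runtime non-reproducible and hard to audit. I would keep the assert for openshift-enterprise, or at least warn, e.g. `- debug: msg: "openshift_image_tag is not set; the CRI-O system container will track the mutable 'latest' tag"` guarded by `when: l_openshift_image_tag == "latest"`. The same three set_fact tasks are duplicated verbatim in systemcontainer_docker.yml; a shared include would keep the two copies from drifting.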
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index 5b1605b58..15c6a55db 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -1,5 +1,21 @@  --- +- set_fact: +    l_openshift_image_tag: "{{ openshift_image_tag | string }}" +  when: openshift_image_tag is defined + +- set_fact: +    l_openshift_image_tag: "latest" +  when: +    - openshift_image_tag is not defined +    - openshift_release == "latest" + +- set_fact: +    l_openshift_image_tag: "{{ openshift_release | string }}" +  when: +    - openshift_image_tag is not defined +    - openshift_release != "latest" +  # If docker_options are provided we should fail. We should not install docker and ignore  # the users configuration. NOTE: docker_options == inventory:openshift_docker_options  - name: Fail quickly if openshift_docker_options are set @@ -94,10 +110,9 @@      - name: Set container engine image tag        set_fact: -        l_docker_image_tag: "{{ openshift_image_tag }}" +        l_docker_image_tag: "{{ l_openshift_image_tag }}"        when:          - openshift_deployment_type == 'openshift-enterprise' -        - openshift_image_tag is defined      - name: Use Red Hat Registry for image when distribution is Red Hat        set_fact: diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 index b4ee84fd0..b715c2ffa 100644 --- a/roles/docker/templates/crio.conf.j2 +++ b/roles/docker/templates/crio.conf.j2 @@ -13,12 +13,12 @@ runroot = "/var/run/containers/storage"  # storage_driver select which storage driver is used to manage storage  # of images and containers. -storage_driver = "overlay2" +storage_driver = "overlay"  # storage_option is used to pass an option to the storage driver.  storage_option = [  {% if ansible_distribution in ['RedHat', 'CentOS'] %} -	"overlay2.override_kernel_check=1" +	"overlay.override_kernel_check=1"  {% endif %}  ] 
@@ -35,6 +35,10 @@ stream_address = ""  # stream_port is the port on which the stream server will listen  stream_port = "10010" +# file_locking is whether file-based locking will be used instead of +# in-memory locking +file_locking = true +  # The "crio.runtime" table contains settings pertaining to the OCI  # runtime used and options for how to set up and manage the OCI runtime.  [crio.runtime] @@ -67,6 +71,9 @@ runtime_untrusted_workload = ""  # container runtime for all containers.  default_workload_trust = "trusted" +# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE +no_pivot = false +  # conmon is the path to conmon binary, used for managing the runtime.  conmon = "/usr/libexec/crio/conmon" @@ -93,6 +100,16 @@ apparmor_profile = "crio-default"  # for the runtime.  cgroup_manager = "systemd" +# hooks_dir_path is the oci hooks directory for automatically executed hooks +hooks_dir_path = "/usr/share/containers/oci/hooks.d" + +# pids_limit is the number of processes allowed in a container +pids_limit = 1024 + +# log_size_max is the max limit for the container log size in bytes. +# Negative values indicate that no limit is imposed. +log_size_max = -1 +  # The "crio.image" table contains settings pertaining to the  # management of OCI images.  [crio.image] @@ -115,6 +132,10 @@ pause_command = "/pause"  # unspecified so that the default system-wide policy will be used.  signature_policy = "" +# image_volumes controls how image volumes are handled. +# The valid values are mkdir and ignore. +image_volumes = "mkdir" +  # insecure_registries is used to skip TLS verification when pulling images.  insecure_registries = [  {{ l_insecure_crio_registries|default("") }} @@ -125,6 +146,7 @@ insecure_registries = [  registries = [  {{ l_additional_crio_registries|default("") }}  ] +  # The "crio.network" table contains settings pertaining to the  # management of CNI plugins.  [crio.network] 
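Review bot: `log_size_max = -1` in the new [crio.runtime] settings disables any cap on per-container log size, so one chatty or malicious workload can fill the filesystem that holds CRI-O's container logs and take down every other pod on the node. `pids_limit = 1024` in the same hunk shows the template already bounds per-container resources; I would give log_size_max a finite, tunable default such as `log_size_max = {{ openshift_crio_log_size_max | default(52428800) }}` and state the unit (bytes) in the comment. `hooks_dir_path` also deserves a one-line comment that only root-owned, non-world-writable hook definitions belong there, since CRI-O executes them automatically for every container it starts. Whether the CRI-O build actually shipped with this role enforces log_size_max is worth confirming against its release notes.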
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2 index 9b47cb6ab..713412473 100644 --- a/roles/docker/templates/custom.conf.j2 +++ b/roles/docker/templates/custom.conf.j2 @@ -3,3 +3,9 @@  [Unit]  Wants=iptables.service  After=iptables.service + +# The following line is a work-around to ensure docker is restarted whenever +# iptables is restarted.  This ensures the proper iptables rules will be in +# place for docker. +# Note:  This will also cause docker to be stopped if iptables is stopped. +PartOf=iptables.service diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index 18164050a..78f231416 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -70,7 +70,8 @@ etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_  etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"  etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}" -etcd_peer: 127.0.0.1 +# required role variable +#etcd_peer: 127.0.0.1  etcdctlv2: "etcdctl --cert-file {{ etcd_peer_cert_file }} --key-file {{ etcd_peer_key_file }} --ca-file {{ etcd_peer_ca_file }} -C https://{{ etcd_peer }}:{{ etcd_client_port }}"  etcd_service: "{{ 'etcd_container' if r_etcd_common_etcd_runtime == 'docker' else 'etcd' }}" @@ -78,7 +79,7 @@ etcd_service: "{{ 'etcd_container' if r_etcd_common_etcd_runtime == 'docker' els  etcd_service_file: "/etc/systemd/system/{{ etcd_service }}.service"  r_etcd_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" -r_etcd_use_firewalld: "{{ os_firewall_use_firewalld | default(Falsel) }}" +r_etcd_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"  etcd_systemd_dir: "/etc/systemd/system/{{ etcd_service }}.service.d"  r_etcd_os_firewall_deny: [] diff --git a/roles/etcd/tasks/auxiliary/clean_data.yml b/roles/etcd/tasks/auxiliary/clean_data.yml index 95a0e7c0a..1ed2db5bc 100644 
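Review bot: `PartOf=iptables.service` in the docker drop-in propagates restarts as well as stops, so a routine `systemctl restart iptables` on a node now restarts docker and, with it, every container on that host; the accompanying comment only warns about the stop case. That is an availability hazard an operator should see spelled out, and the os_firewall role's own iptables handling is outside this hunk, so I cannot tell how often it restarts the service. I would extend the comment to `# Note: PartOf propagates both stop and restart, so restarting iptables restarts docker and all containers on this node.` and confirm this behaviour is intended before merging.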
--- a/roles/etcd/tasks/auxiliary/clean_data.yml +++ b/roles/etcd/tasks/auxiliary/clean_data.yml @@ -1,5 +1,5 @@  ---  - name: Remove member data    file: -    path: /var/lib/etcd/member +    path: "{{ etcd_data_dir }}/member"      state: absent diff --git a/roles/etcd/tasks/auxiliary/disable_etcd.yml b/roles/etcd/tasks/auxiliary/disable_etcd.yml new file mode 100644 index 000000000..7c6d0409d --- /dev/null +++ b/roles/etcd/tasks/auxiliary/disable_etcd.yml @@ -0,0 +1,5 @@ +--- +- name: Disable etcd members +  service: +    name: "{{ etcd_service }}" +    state: stopped diff --git a/roles/etcd/tasks/auxiliary/force_new_cluster.yml b/roles/etcd/tasks/auxiliary/force_new_cluster.yml new file mode 100644 index 000000000..ae8a36130 --- /dev/null +++ b/roles/etcd/tasks/auxiliary/force_new_cluster.yml @@ -0,0 +1,31 @@ +--- +- name: Set ETCD_FORCE_NEW_CLUSTER=true on first etcd host +  lineinfile: +    line: "ETCD_FORCE_NEW_CLUSTER=true" +    dest: /etc/etcd/etcd.conf +    backup: true + +- name: Start etcd +  systemd: +    name: "{{ etcd_service }}" +    state: started + +- name: Wait for cluster to become healthy after bringing up first member +  command: > +    etcdctl --cert-file {{ etcd_peer_cert_file }} --key-file {{ etcd_peer_key_file }} --ca-file {{ etcd_peer_ca_file }} --endpoint https://{{ etcd_peer }}:{{ etcd_client_port }} cluster-health +  register: l_etcd_migrate_health +  until: l_etcd_migrate_health.rc == 0 +  retries: 3 +  delay: 30 + +- name: Unset ETCD_FORCE_NEW_CLUSTER=true on first etcd host +  lineinfile: +    line: "ETCD_FORCE_NEW_CLUSTER=true" +    dest: /etc/etcd/etcd.conf +    state: absent +    backup: true + +- name: Restart first etcd host +  systemd: +    name: "{{ etcd_service }}" +    state: restarted diff --git a/roles/etcd/tasks/backup.archive.yml b/roles/etcd/tasks/backup.archive.yml new file mode 100644 index 000000000..6daa6dc51 --- /dev/null +++ b/roles/etcd/tasks/backup.archive.yml 
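Review bot: force_new_cluster.yml has no cleanup path: if `Wait for cluster to become healthy` exhausts its 3 retries the play aborts with `ETCD_FORCE_NEW_CLUSTER=true` still in /etc/etcd/etcd.conf, and every later start of the service will again force a single-member cluster and discard the peer list. Because the flag is that destructive, its removal should run in an `always` section regardless of how the health check ends, as sketched below. Two smaller points: the `lineinfile` tasks match on the literal `line` only, so a pre-existing `ETCD_FORCE_NEW_CLUSTER=false` would be left beside the new line (a `regexp: '^ETCD_FORCE_NEW_CLUSTER='` fixes that), and `backup: true` leaves timestamped copies of etcd.conf behind on every run.
```yaml
# … unchanged: Set ETCD_FORCE_NEW_CLUSTER=true on first etcd host …

- block:
  - name: Start etcd
    systemd:
      name: "{{ etcd_service }}"
      state: started

  # … unchanged: Wait for cluster to become healthy after bringing up first member …

  always:
  # Runs even when the health check fails so the flag is never left behind.
  - name: Unset ETCD_FORCE_NEW_CLUSTER=true on first etcd host
    lineinfile:
      regexp: '^ETCD_FORCE_NEW_CLUSTER='
      dest: /etc/etcd/etcd.conf
      state: absent
      backup: true

  - name: Restart first etcd host
    systemd:
      name: "{{ etcd_service }}"
      state: restarted
```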
@@ -0,0 +1,3 @@ +--- +- include: backup/vars.yml +- include: backup/archive.yml diff --git a/roles/etcd/tasks/backup.copy.yml b/roles/etcd/tasks/backup.copy.yml new file mode 100644 index 000000000..cc540cbca --- /dev/null +++ b/roles/etcd/tasks/backup.copy.yml @@ -0,0 +1,3 @@ +--- +- include: backup/vars.yml +- include: backup/copy.yml diff --git a/roles/etcd/tasks/backup.fetch.yml b/roles/etcd/tasks/backup.fetch.yml new file mode 100644 index 000000000..26ec15043 --- /dev/null +++ b/roles/etcd/tasks/backup.fetch.yml @@ -0,0 +1,3 @@ +--- +- include: backup/vars.yml +- include: backup/fetch.yml diff --git a/roles/etcd/tasks/backup.force_new_cluster.yml b/roles/etcd/tasks/backup.force_new_cluster.yml new file mode 100644 index 000000000..24bd0540d --- /dev/null +++ b/roles/etcd/tasks/backup.force_new_cluster.yml @@ -0,0 +1,12 @@ +--- +- include: backup/vars.yml + +- name: Move content of etcd backup under the etcd data directory +  command: > +    mv "{{ l_etcd_backup_dir }}/member" "{{ l_etcd_data_dir }}" + +- name: Set etcd group for the etcd data directory +  command: > +    chown -R etcd:etcd "{{ l_etcd_data_dir }}" + +- include: auxiliary/force_new_cluster.yml diff --git a/roles/etcd/tasks/backup.unarchive.yml b/roles/etcd/tasks/backup.unarchive.yml new file mode 100644 index 000000000..77a637360 --- /dev/null +++ b/roles/etcd/tasks/backup.unarchive.yml @@ -0,0 +1,3 @@ +--- +- include: backup/vars.yml +- include: backup/unarchive.yml diff --git a/roles/etcd/tasks/backup/archive.yml b/roles/etcd/tasks/backup/archive.yml new file mode 100644 index 000000000..f6aa68a6e --- /dev/null +++ b/roles/etcd/tasks/backup/archive.yml @@ -0,0 +1,5 @@ +--- +- name: Archive backup +  archive: +    path: "{{ l_etcd_backup_dir }}" +    dest: "{{ l_etcd_backup_dir }}.tgz" diff --git a/roles/etcd/tasks/backup/backup.yml b/roles/etcd/tasks/backup/backup.yml index 42d27c081..ec1a1989c 100644 --- a/roles/etcd/tasks/backup/backup.yml +++ b/roles/etcd/tasks/backup/backup.yml 
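Review bot: The `archive` task in backup/archive.yml writes `{{ l_etcd_backup_dir }}.tgz` without a `mode`, so the tarball's permissions fall to whatever umask the connection user has; an etcd backup is a copy of the whole key space, which in an OpenShift cluster presumably includes every Secret object, and must not be readable by other local users. I would add `mode: '0600'` to the task, plus `owner: etcd` and `group: etcd` if the data directory is etcd-owned, as the `chown -R etcd:etcd` in backup.force_new_cluster.yml suggests. The backup directory itself is created elsewhere in the role and deserves the same check.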
@@ -1,21 +1,5 @@  --- -# set the etcd backup directory name here in case the tag or sufix consists of dynamic value that changes over time -# e.g. openshift-backup-{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }} value will change every second so if the date changes -# right after setting l_etcd_incontainer_backup_dir and before l_etcd_backup_dir facts, the backup directory name is different -- set_fact: -    l_backup_dir_name: "openshift-backup-{{ r_etcd_common_backup_tag }}{{ r_etcd_common_backup_sufix_name }}" - -- set_fact: -    l_etcd_data_dir: "{{ etcd_data_dir }}{{ '/etcd.etcd' if r_etcd_common_etcd_runtime == 'runc' else '' }}" - -- set_fact: -    l_etcd_incontainer_data_dir: "{{ etcd_data_dir }}" - -- set_fact: -    l_etcd_incontainer_backup_dir: "{{ l_etcd_incontainer_data_dir }}/{{ l_backup_dir_name }}" - -- set_fact: -    l_etcd_backup_dir: "{{ l_etcd_data_dir }}/{{ l_backup_dir_name }}" +- include: vars.yml  # TODO: replace shell module with command and update later checks  - name: Check available disk space for etcd backup diff --git a/roles/etcd/tasks/backup/copy.yml b/roles/etcd/tasks/backup/copy.yml new file mode 100644 index 000000000..16604bae8 --- /dev/null +++ b/roles/etcd/tasks/backup/copy.yml @@ -0,0 +1,5 @@ +--- +- name: Copy etcd backup +  copy: +    src: "{{ etcd_backup_sync_directory }}/{{ l_backup_dir_name }}.tgz" +    dest: "{{ l_etcd_data_dir }}" diff --git a/roles/etcd/tasks/backup/fetch.yml b/roles/etcd/tasks/backup/fetch.yml new file mode 100644 index 000000000..610ce1960 --- /dev/null +++ b/roles/etcd/tasks/backup/fetch.yml @@ -0,0 +1,8 @@ +--- +- name: Fetch etcd backup +  fetch: +    src: "{{ l_etcd_backup_dir }}.tgz" +    dest: "{{ etcd_backup_sync_directory }}/" +    flat: yes +    fail_on_missing: yes +    validate_checksum: yes diff --git a/roles/etcd/tasks/backup/unarchive.yml b/roles/etcd/tasks/backup/unarchive.yml new file mode 100644 index 000000000..6c75d00a7 --- /dev/null +++ b/roles/etcd/tasks/backup/unarchive.yml 
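Review bot: `fetch` with `flat: yes` in backup/fetch.yml drops the etcd backup tarball into `{{ etcd_backup_sync_directory }}/` on the Ansible controller with whatever permissions the controller's umask grants, and nothing in this hunk ensures the directory exists or is private. Since the tarball holds the full etcd key space, a preceding `file: path: "{{ etcd_backup_sync_directory }}" state: directory mode: '0700'` task delegated to localhost, or a documented requirement that callers pre-create the directory with restrictive permissions, would avoid leaving cluster state readable to other users of a shared controller. `validate_checksum: yes` and `fail_on_missing: yes` are the right choices here.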
@@ -0,0 +1,14 @@ +--- +- shell: ls /var/lib/etcd +  register: output + +- debug: +    msg: "output: {{ output }}" + +- name: Unarchive backup +  # can't use unarchive https://github.com/ansible/ansible/issues/30821 +  # unarchive: +  #   src: "{{ l_etcd_backup_dir }}.tgz" +  #   dest: "{{ l_etcd_backup_dir }}" +  command: > +    tar -xf "{{ l_etcd_backup_dir }}.tgz" -C "{{ l_etcd_data_dir }}" diff --git a/roles/etcd/tasks/backup/vars.yml b/roles/etcd/tasks/backup/vars.yml new file mode 100644 index 000000000..3c009f557 --- /dev/null +++ b/roles/etcd/tasks/backup/vars.yml @@ -0,0 +1,18 @@ +--- +# set the etcd backup directory name here in case the tag or sufix consists of dynamic value that changes over time +# e.g. openshift-backup-{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }} value will change every second so if the date changes +# right after setting l_etcd_incontainer_backup_dir and before l_etcd_backup_dir facts, the backup directory name is different +- set_fact: +    l_backup_dir_name: "openshift-backup-{{ r_etcd_common_backup_tag }}{{ r_etcd_common_backup_sufix_name }}" + +- set_fact: +    l_etcd_data_dir: "{{ etcd_data_dir }}{{ '/etcd.etcd' if r_etcd_common_etcd_runtime == 'runc' else '' }}" + +- set_fact: +    l_etcd_incontainer_data_dir: "{{ etcd_data_dir }}" + +- set_fact: +    l_etcd_incontainer_backup_dir: "{{ l_etcd_incontainer_data_dir }}/{{ l_backup_dir_name }}" + +- set_fact: +    l_etcd_backup_dir: "{{ l_etcd_data_dir }}/{{ l_backup_dir_name }}" diff --git a/roles/etcd/tasks/backup_master_etcd_certificates.yml b/roles/etcd/tasks/backup_master_etcd_certificates.yml new file mode 100644 index 000000000..129e1831c --- /dev/null +++ b/roles/etcd/tasks/backup_master_etcd_certificates.yml @@ -0,0 +1,2 @@ +--- +- include: certificates/backup_master_etcd_certificates.yml 
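Review bot: The first two tasks in backup/unarchive.yml (`shell: ls /var/lib/etcd` followed by a `debug` of its output) look like leftover debugging: they have no functional effect, the `shell` task reports changed on every run, and the path is hard-coded to /var/lib/etcd even though this same commit changes clean_data.yml to `{{ etcd_data_dir }}/member` precisely so that non-default data directories work. I would drop both tasks, or if the listing is wanted, use `command: ls "{{ l_etcd_data_dir }}"` with `changed_when: false`. The `tar -xf` task trusts the archive's member paths, which is acceptable because the archive is produced by this role, and a one-line comment saying so would make that assumption explicit alongside the existing note about the unarchive module.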
diff --git a/roles/etcd/tasks/certificates/backup_master_etcd_certificates.yml b/roles/etcd/tasks/certificates/backup_master_etcd_certificates.yml new file mode 100644 index 000000000..e65b3e5a2 --- /dev/null +++ b/roles/etcd/tasks/certificates/backup_master_etcd_certificates.yml @@ -0,0 +1,7 @@ +--- +- name: Backup master etcd certificates +  shell: > +    tar -czvf /etc/origin/master/master-etcd-certificate-backup-{{ ansible_date_time.epoch }}.tgz +    /etc/origin/master/master.etcd-* +  args: +    warn: no diff --git a/roles/etcd/tasks/check_cluster_health.yml b/roles/etcd/tasks/check_cluster_health.yml new file mode 100644 index 000000000..75c110972 --- /dev/null +++ b/roles/etcd/tasks/check_cluster_health.yml @@ -0,0 +1,2 @@ +--- +- include: migration/check_cluster_health.yml diff --git a/roles/etcd/tasks/disable_etcd.yml b/roles/etcd/tasks/disable_etcd.yml new file mode 100644 index 000000000..9202e6e48 --- /dev/null +++ b/roles/etcd/tasks/disable_etcd.yml @@ -0,0 +1,2 @@ +--- +- include: auxiliary/disable_etcd.yml diff --git a/roles/etcd/tasks/fetch_backup.yml b/roles/etcd/tasks/fetch_backup.yml new file mode 100644 index 000000000..513eed17a --- /dev/null +++ b/roles/etcd/tasks/fetch_backup.yml @@ -0,0 +1,8 @@ +--- +- include: backup/vars.yml + +- include: backup/archive.yml + +- include: backup/sync_backup.yml + +- include: backup/ diff --git a/roles/etcd/tasks/system_container.yml b/roles/etcd/tasks/system_container.yml index e735bf50a..024479fb4 100644 --- a/roles/etcd/tasks/system_container.yml +++ b/roles/etcd/tasks/system_container.yml @@ -17,6 +17,7 @@        {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }},        {%- endif -%}        {% endfor -%} +  when: etcd_initial_cluster is undefined  - name: Check etcd system container package    command: > diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2 index 8462bb4c8..3027a9447 100644 
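Review bot: The `tar -czvf` in certificates/backup_master_etcd_certificates.yml bundles `/etc/origin/master/master.etcd-*`, which presumably includes the master's etcd client private key, into a new file created under the default umask, so key material may end up readable by other users on the master. I would create the archive with a restrictive umask, `umask 077 && tar -czf ...`, or follow it with a `file:` task setting `mode: '0600'` on the backup path. `-v` only adds noise to the Ansible output, and the reason for `warn: no` (silencing the unarchive-module hint) is worth a short comment.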
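Review bot: fetch_backup.yml ends with `- include: backup/`, a directory rather than a task file, which will fail as soon as the role is used with `tasks_from: fetch_backup`; the intended target is most likely `backup/fetch.yml`, added in this same commit. The file also includes `backup/sync_backup.yml`, which does not appear anywhere in the visible diff, so either it already exists or this is a second broken reference and should be checked. The fix for the first problem is the one line `- include: backup/fetch.yml`.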
--- a/roles/etcd/templates/etcd.conf.j2 +++ b/roles/etcd/templates/etcd.conf.j2 @@ -29,8 +29,8 @@ ETCD_INITIAL_CLUSTER={{ etcd_hostname}}={{ etcd_initial_advertise_peer_urls }}  ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}  ETCD_INITIAL_CLUSTER_TOKEN=thirdparty-etcd-cluster-1  {% else %} -{% if initial_etcd_cluster is defined and initial_etcd_cluster %} -ETCD_INITIAL_CLUSTER={{ initial_etcd_cluster }} +{% if etcd_initial_cluster is defined and etcd_initial_cluster %} +ETCD_INITIAL_CLUSTER={{ etcd_initial_cluster }}  {% else %}  ETCD_INITIAL_CLUSTER={{ initial_cluster() }}  {% endif %} diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml index 02f5a5f64..889069485 100644 --- a/roles/flannel/handlers/main.yml +++ b/roles/flannel/handlers/main.yml @@ -12,3 +12,12 @@    until: not l_docker_restart_docker_in_flannel_result | failed    retries: 3    delay: 30 + +- name: restart node +  systemd: +    name: "{{ openshift.common.service_type }}-node" +    state: restarted +  register: l_restart_node_result +  until: not l_restart_node_result | failed +  retries: 3 +  delay: 30 diff --git a/roles/installer_checkpoint/README.md b/roles/installer_checkpoint/README.md index 321acca21..83e00e504 100644 --- a/roles/installer_checkpoint/README.md +++ b/roles/installer_checkpoint/README.md @@ -92,8 +92,7 @@ phase/component and then a final play for setting `installer_hase_initialize` to  # common/openshift-cluster/std_include.yml  ---  - name: Initialization Checkpoint Start -  hosts: localhost -  connection: local +  hosts: oo_all_hosts    gather_facts: false    roles:    - installer_checkpoint diff --git a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py index 033240e62..ac369b882 100644 --- a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py +++ b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py 
@@ -81,6 +81,7 @@ class CallbackModule(CallbackBase):              'installer_phase_metrics',              'installer_phase_logging',              'installer_phase_servicecatalog', +            'installer_phase_management',          ]          # Define the attributes of the installer phases @@ -133,6 +134,10 @@ class CallbackModule(CallbackBase):                  'title': 'Service Catalog Install',                  'playbook': 'playbooks/byo/openshift-cluster/service-catalog.yml'              }, +            'installer_phase_management': { +                'title': 'Management Install', +                'playbook': 'playbooks/common/openshift-cluster/openshift_management.yml' +            },          }          # Find the longest phase title diff --git a/roles/openshift_aws/README.md b/roles/openshift_aws/README.md index 696efbea5..4aca5c7a8 100644 --- a/roles/openshift_aws/README.md +++ b/roles/openshift_aws/README.md @@ -1,7 +1,29 @@  openshift_aws  ================================== -Provision AWS infrastructure helpers. +Provision AWS infrastructure and instances. + +This role contains many task-areas to provision resources and perform actions +against an AWS account for the purposes of dynamically building an openshift +cluster. + +This role is primarily intended to be used with "include_role" and "tasks_from". + +include_role can be called from the tasks section in a play.  See example +playbook below for reference. + +These task-areas are: + +* provision a vpc: vpc.yml +* provision elastic load balancers: elb.yml +* upload IAM ssl certificates to use with load balancers: iam_cert.yml +* provision an S3 bucket: s3.yml +* provision an instance to build an AMI: provision_instance.yml +* provision a security group in AWS: security_group.yml +* provision ssh keys and users in AWS: ssh_keys.yml +* provision an AMI in AWS: seal_ami.yml +* provision scale groups: scale_group.yml +* provision launch configs: launch_config.yml  Requirements  ------------ 
@@ -9,57 +31,9 @@ Requirements  * Ansible 2.3  * Boto -Role Variables --------------- - -From this role: - -| Name                                              | Default value -|---------------------------------------------------|----------------------- -| openshift_aws_clusterid                           | default -| openshift_aws_elb_scheme                          | internet-facing -| openshift_aws_launch_config_bootstrap_token       | '' -| openshift_aws_node_group_config                   | {'master': {'ami': '{{ openshift_aws_ami }}', 'health_check': {'type': 'EC2', 'period': 60}, 'volumes': '{{ openshift_aws_node_group_config_master_volumes }}', 'tags': {'host-type': 'master', 'sub-host-type': 'default'}, 'min_size': 3, 'instance_type': 'm4.xlarge', 'desired_size': 3, 'wait_for_instances': True, 'max_size': 3}, 'tags': '{{ openshift_aws_node_group_config_tags }}', 'compute': {'ami': '{{ openshift_aws_ami }}', 'health_check': {'type': 'EC2', 'period': 60}, 'volumes': '{{ openshift_aws_node_group_config_node_volumes }}', 'tags': {'host-type': 'node', 'sub-host-type': 'compute'}, 'min_size': 3, 'instance_type': 'm4.xlarge', 'desired_size': 3, 'max_size': 100}, 'infra': {'ami': '{{ openshift_aws_ami }}', 'health_check': {'type': 'EC2', 'period': 60}, 'volumes': '{{ openshift_aws_node_group_config_node_volumes }}', 'tags': {'host-type': 'node', 'sub-host-type': 'infra'}, 'min_size': 2, 'instance_type': 'm4.xlarge', 'desired_size': 2, 'max_size': 20}} -| openshift_aws_ami_copy_wait                       | False -| openshift_aws_users                               | [] -| openshift_aws_launch_config_name                  | {{ openshift_aws_clusterid }}-{{ openshift_aws_node_group_type }} -| openshift_aws_create_vpc                          | False -| openshift_aws_node_group_type                     | master -| openshift_aws_elb_cert_arn                        | '' -| openshift_aws_kubernetes_cluster_status           | owned -| openshift_aws_s3_mode                 
            | create -| openshift_aws_vpc                                 | {'subnets': {'us-east-1': [{'cidr': '172.31.48.0/20', 'az': 'us-east-1c'}, {'cidr': '172.31.32.0/20', 'az': 'us-east-1e'}, {'cidr': '172.31.16.0/20', 'az': 'us-east-1a'}]}, 'cidr': '172.31.0.0/16', 'name': '{{ openshift_aws_vpc_name }}'} -| openshift_aws_create_ssh_keys                     | False -| openshift_aws_iam_kms_alias                       | alias/{{ openshift_aws_clusterid }}_kms -| openshift_aws_use_custom_ami                      | False -| openshift_aws_ami_copy_src_region                 | {{ openshift_aws_region }} -| openshift_aws_s3_bucket_name                      | {{ openshift_aws_clusterid }} -| openshift_aws_elb_health_check                    | {'response_timeout': 5, 'ping_port': 443, 'ping_protocol': 'tcp', 'interval': 30, 'healthy_threshold': 2, 'unhealthy_threshold': 2} -| openshift_aws_node_security_groups                | {'default': {'rules': [{'to_port': 22, 'from_port': 22, 'cidr_ip': '0.0.0.0/0', 'proto': 'tcp'}, {'to_port': 'all', 'from_port': 'all', 'proto': 'all', 'group_name': '{{ openshift_aws_clusterid }}'}], 'name': '{{ openshift_aws_clusterid }}', 'desc': '{{ openshift_aws_clusterid }} default'}, 'master': {'rules': [{'to_port': 80, 'from_port': 80, 'cidr_ip': '0.0.0.0/0', 'proto': 'tcp'}, {'to_port': 443, 'from_port': 443, 'cidr_ip': '0.0.0.0/0', 'proto': 'tcp'}], 'name': '{{ openshift_aws_clusterid }}_master', 'desc': '{{ openshift_aws_clusterid }} master instances'}, 'compute': {'name': '{{ openshift_aws_clusterid }}_compute', 'desc': '{{ openshift_aws_clusterid }} compute node instances'}, 'etcd': {'name': '{{ openshift_aws_clusterid }}_etcd', 'desc': '{{ openshift_aws_clusterid }} etcd instances'}, 'infra': {'rules': [{'to_port': 80, 'from_port': 80, 'cidr_ip': '0.0.0.0/0', 'proto': 'tcp'}, {'to_port': 443, 'from_port': 443, 'cidr_ip': '0.0.0.0/0', 'proto': 'tcp'}, {'to_port': 32000, 'from_port': 30000, 'cidr_ip': '0.0.0.0/0', 'proto': 'tcp'}], 
'name': '{{ openshift_aws_clusterid }}_infra', 'desc': '{{ openshift_aws_clusterid }} infra node instances'}} -| openshift_aws_elb_security_groups                 | ['{{ openshift_aws_clusterid }}', '{{ openshift_aws_clusterid }}_{{ openshift_aws_node_group_type }}'] -| openshift_aws_vpc_tags                            | {'Name': '{{ openshift_aws_vpc_name }}'} -| openshift_aws_create_security_groups              | False -| openshift_aws_create_iam_cert                     | False -| openshift_aws_create_scale_group                  | True -| openshift_aws_ami_encrypt                         | False -| openshift_aws_node_group_config_node_volumes      | [{'volume_size': 100, 'delete_on_termination': True, 'device_type': 'gp2', 'device_name': '/dev/sdb'}] -| openshift_aws_elb_instance_filter                 | {'tag:host-type': '{{ openshift_aws_node_group_type }}', 'tag:clusterid': '{{ openshift_aws_clusterid }}', 'instance-state-name': 'running'} -| openshift_aws_region                              | us-east-1 -| openshift_aws_elb_name                            | {{ openshift_aws_clusterid }}-{{ openshift_aws_node_group_type }} -| openshift_aws_elb_idle_timout                     | 400 -| openshift_aws_subnet_name                     | us-east-1c -| openshift_aws_node_group_config_tags              | {{ openshift_aws_clusterid | openshift_aws_build_instance_tags(openshift_aws_kubernetes_cluster_status) }} -| openshift_aws_create_launch_config                | True -| openshift_aws_ami_tags                            | {'bootstrap': 'true', 'clusterid': '{{ openshift_aws_clusterid }}', 'openshift-created': 'true'} -| openshift_aws_ami_name                            | openshift-gi -| openshift_aws_node_group_config_master_volumes    | [{'volume_size': 100, 'delete_on_termination': False, 'device_type': 'gp2', 'device_name': '/dev/sdb'}] -| openshift_aws_vpc_name                            | {{ openshift_aws_clusterid }} -| openshift_aws_elb_listeners                
       | {'master': {'internal': [{'instance_port': 80, 'instance_protocol': 'tcp', 'load_balancer_port': 80, 'protocol': 'tcp'}, {'instance_port': 443, 'instance_protocol': 'tcp', 'load_balancer_port': 443, 'protocol': 'tcp'}], 'external': [{'instance_port': 443, 'instance_protocol': 'ssl', 'load_balancer_port': 80, 'protocol': 'tcp'}, {'instance_port': 443, 'instance_protocol': 'ssl', 'load_balancer_port': 443, 'ssl_certificate_id': '{{ openshift_aws_elb_cert_arn }}', 'protocol': 'ssl'}]}} -| - - -Dependencies ------------- +Appropriate AWS credentials and permissions are required. + +  Example Playbook @@ -72,7 +46,6 @@ Example Playbook    vars:      openshift_aws_clusterid: test      openshift_aws_region: us-east-1 -    openshift_aws_create_vpc: true  ```  License diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml index 94c0f4472..ea09857b0 100644 --- a/roles/openshift_aws/defaults/main.yml +++ b/roles/openshift_aws/defaults/main.yml @@ -1,5 +1,4 @@  --- -openshift_aws_create_vpc: True  openshift_aws_create_s3: True  openshift_aws_create_iam_cert: True  openshift_aws_create_security_groups: True diff --git a/roles/openshift_aws/tasks/master_facts.yml b/roles/openshift_aws/tasks/master_facts.yml new file mode 100644 index 000000000..737cfc7a6 --- /dev/null +++ b/roles/openshift_aws/tasks/master_facts.yml 
@@ -0,0 +1,22 @@
+---
+- name: fetch elbs
+  ec2_elb_facts:
+    region: "{{ openshift_aws_region }}"
+    names:
+    - "{{ item }}"
+  with_items:
+  - "{{ openshift_aws_elb_name }}-external"
+  - "{{ openshift_aws_elb_name }}-internal"
+  delegate_to: localhost
+  register: elbs
+
+- debug: var=elbs
+
+- name: set fact
+  set_fact:
+    openshift_master_cluster_hostname: "{{ elbs.results[1].elbs[0].dns_name }}"
+    osm_custom_cors_origins:
+    - "{{ elbs.results[1].elbs[0].dns_name }}"
+    - "console.{{ openshift_aws_clusterid | default('default') }}.openshift.com"
+    - "api.{{ openshift_aws_clusterid | default('default') }}.openshift.com"
+  with_items: "{{ groups['masters'] }}"
diff --git a/roles/openshift_aws/tasks/provision.yml b/roles/openshift_aws/tasks/provision.yml
index a2920b744..a8518d43a 100644
--- a/roles/openshift_aws/tasks/provision.yml
+++ b/roles/openshift_aws/tasks/provision.yml
@@ -1,16 +1,8 @@
 ---
-- when: openshift_aws_create_vpc | bool
-  name: create default vpc
-  include: vpc.yml
-
 - when: openshift_aws_create_iam_cert | bool
   name: create the iam_cert for elb certificate
   include: iam_cert.yml
-- when: openshift_aws_users | length > 0
-  name: create aws ssh keypair
-  include: ssh_keys.yml
-
 - when: openshift_aws_create_s3 | bool
   name: create s3 bucket for registry
   include: s3.yml
diff --git a/roles/openshift_aws/tasks/build_ami.yml b/roles/openshift_aws/tasks/provision_instance.yml
index 48555e5da..1384bae59 100644
--- a/roles/openshift_aws/tasks/build_ami.yml
+++ b/roles/openshift_aws/tasks/provision_instance.yml
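Review bot: The `osm_custom_cors_origins` list in the `set fact` task hard-codes `console.<clusterid>.openshift.com` and `api.<clusterid>.openshift.com`, so a cluster whose console and API are served from any other domain gets CORS origins that never match its real hostnames while whitelisting two names the operator may not control; the domain part should come from a role variable with a documented default instead of a literal. The `elbs.results[1].elbs[0].dns_name` lookup depends on the `with_items` order of the `fetch elbs` task and fails with an undefined-attribute error rather than a readable message when the internal ELB does not exist; an `assert` that `elbs.results[1].elbs | length > 0` before the `set_fact` would fail early and clearly. The `with_items: "{{ groups['masters'] }}"` on `set_fact` repeats the same assignment once per master without using `item`, and the `debug: var=elbs` dump of all ELB facts looks like leftover debugging that should be removed or gated on verbosity.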
@@ -1,16 +1,4 @@
 ---
-- when: openshift_aws_create_vpc | bool
-  name: create a vpc
-  include: vpc.yml
-
-- when: openshift_aws_users | length  > 0
-  name: create aws ssh keypair
-  include: ssh_keys.yml
-
-- when: openshift_aws_create_security_groups | bool
-  name: Create compute security_groups
-  include: security_group.yml
-
 - name: query vpc
   ec2_vpc_net_facts:
     region: "{{ openshift_aws_region }}"
@@ -33,7 +21,7 @@
     key_name: "{{ openshift_aws_ssh_key_name }}"
     group: "{{ openshift_aws_build_ami_group }}"
     instance_type: m4.xlarge
-    vpc_subnet_id: "{{ subnetout.subnets[0].id }}"
+    vpc_subnet_id: "{{ openshift_aws_subnet_id | default(subnetout.subnets[0].id) }}"
     image: "{{ openshift_aws_base_ami }}"
     volumes:
     - device_name: /dev/sdb
@@ -46,3 +34,30 @@
       Name: "{{ openshift_aws_base_ami_name }}"
     instance_tags:
       Name: "{{ openshift_aws_base_ami_name }}"
+
+- name: fetch newly created instances
+  ec2_remote_facts:
+    region: "{{ openshift_aws_region }}"
+    filters:
+      "tag:Name": "{{ openshift_aws_base_ami_name }}"
+      instance-state-name: running
+  register: instancesout
+  retries: 20
+  delay: 3
+  until: instancesout.instances|length > 0
+
+- name: wait for ssh to become available
+  wait_for:
+    port: 22
+    host: "{{ instancesout.instances[0].public_ip_address }}"
+    timeout: 300
+    search_regex: OpenSSH
+
+- name: Pause 10 seconds to ensure ssh actually accepts logins
+  pause:
+    seconds: 20
+
+- name: add host to nodes
+  add_host:
+    groups: nodes
+    name: "{{ instancesout.instances[0].public_dns_name }}"
diff --git a/roles/openshift_aws/tasks/setup_master_group.yml b/roles/openshift_aws/tasks/setup_master_group.yml
new file mode 100644
index 000000000..166f3b938
--- /dev/null
+++ b/roles/openshift_aws/tasks/setup_master_group.yml
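Review bot: The `fetch newly created instances` task selects by `tag:Name` and running state only, so a stale instance from an earlier AMI build, or any other running instance in the region that carries that Name tag, can come back as `instances[0]` and is then added to `nodes` and provisioned as if it were the one just launched; filtering on the launched instance's id (if the preceding `ec2` task registers its result, which is not visible here) or at least asserting `instancesout.instances | length == 1` would close that gap. The `wait_for` task reads `public_ip_address`, so it fails with an undefined value when `openshift_aws_subnet_id` points at a private subnet; a comment above the task such as `# assumes the build subnet assigns public IPs; SSH is reached over the public address` would make that assumption explicit. The task named `Pause 10 seconds to ensure ssh actually accepts logins` pauses for `seconds: 20`; make the name and the value agree.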
@@ -0,0 +1,35 @@
+---
+- name: Alert user to variables needed - clusterid
+  debug:
+    msg: "openshift_aws_clusterid={{ openshift_aws_clusterid }}"
+
+- name: Alert user to variables needed - region
+  debug:
+    msg: "openshift_aws_region={{ openshift_aws_region }}"
+
+- name: fetch newly created instances
+  ec2_remote_facts:
+    region: "{{ openshift_aws_region }}"
+    filters:
+      "tag:clusterid": "{{ openshift_aws_clusterid }}"
+      "tag:host-type": master
+      instance-state-name: running
+  register: instancesout
+  retries: 20
+  delay: 3
+  until: instancesout.instances|length > 0
+
+- name: add new master to masters group
+  add_host:
+    groups: "masters,etcd,nodes"
+    name: "{{ item.public_dns_name }}"
+    hostname: "{{ openshift_aws_clusterid }}-master-{{ item.id[:-5] }}"
+  with_items: "{{ instancesout.instances }}"
+
+- name: wait for ssh to become available
+  wait_for:
+    port: 22
+    host: "{{ item.public_dns_name }}"
+    timeout: 300
+    search_regex: OpenSSH
+  with_items: "{{ instancesout.instances }}"
diff --git a/roles/openshift_cfme/README.md b/roles/openshift_cfme/README.md
deleted file mode 100644
index 8283afed6..000000000
--- a/roles/openshift_cfme/README.md
+++ /dev/null
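Review bot: The `fetch newly created instances` task stops retrying as soon as a single running master matches (`until: instancesout.instances|length > 0`), so while the scale group is still launching, the `masters`/`etcd`/`nodes` groups can be populated with only a subset of the intended masters and the remaining ones are silently left out of the install; the task should wait for and assert the expected master count rather than "at least one". The `hostname` value `item.id[:-5]` drops the last five characters of the instance id, which reads as if a short unique suffix (`item.id[-5:]`) was intended; whichever it is, a comment above the `add_host` task stating the intended hostname shape would prevent the next reader from "fixing" it. Both tasks reach the masters via `public_dns_name`, which assumes every master has a public address and SSH open to the controller; that assumption is worth stating in a comment since the `ec2_remote_facts` filter does not check it.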
@@ -1,404 +0,0 @@ -# OpenShift-Ansible - CFME Role - -# PROOF OF CONCEPT - Alpha Version - -This role is based on the work in the upstream -[manageiq/manageiq-pods](https://github.com/ManageIQ/manageiq-pods) -project. For additional literature on configuration specific to -ManageIQ (optional post-installation tasks), visit the project's -[upstream documentation page](http://manageiq.org/docs/get-started/basic-configuration). - -Please submit a -[new issue](https://github.com/openshift/openshift-ansible/issues/new) -if you run into bugs with this role or wish to request enhancements. - -# Important Notes - -This is an early *proof of concept* role to install the Cloud Forms -Management Engine (ManageIQ) on OpenShift Container Platform (OCP). - -* This role is still in **ALPHA STATUS** -* Many options are hard-coded still (ex: NFS setup) -* Not many configurable options yet -* **Should** be ran on a dedicated cluster -* **Will not run** on undersized infra -* The terms *CFME* and *MIQ* / *ManageIQ* are interchangeable - -## Requirements - -**NOTE:** These requirements are copied from the upstream -[manageiq/manageiq-pods](https://github.com/ManageIQ/manageiq-pods) -project. - -### Prerequisites: - -* -  [OpenShift Origin 1.5](https://docs.openshift.com/container-platform/3.5/welcome/index.html) -  or -  [higher](https://docs.openshift.com/container-platform/latest/welcome/index.html) -  provisioned -* NFS or other compatible volume provider -* A cluster-admin user (created by role if required) - -### Cluster Sizing - -In order to avoid random deployment failures due to resource -starvation, we recommend a minimum cluster size for a **test** -environment. - -| Type           | Size    | CPUs     | Memory   | -|----------------|---------|----------|----------| -| Masters        | `1+`    | `8`      | `12GB`   | -| Nodes          | `2+`    | `4`      | `8GB`    | -| PV Storage     | `25GB`  | `N/A`    | `N/A`    | - - - - -**CFME has hard-requirements for memory. 
CFME will NOT install if your -  infrastructure does not meet or exceed the requirements given -  above. Do not run this playbook if you do not have the required -  memory, you will just waste your time.** - - -### Other sizing considerations - -* Recommendations assume MIQ will be the **only application running** -  on this cluster. -* Alternatively, you can provision an infrastructure node to run -  registry/metrics/router/logging pods. -* Each MIQ application pod will consume at least `3GB` of RAM on initial -  deployment (blank deployment without providers). -* RAM consumption will ramp up higher depending on appliance use, once -  providers are added expect higher resource consumption. - - -### Assumptions - -1) You meet/exceed the [cluster sizing](#cluster-sizing) requirements -1) Your NFS server is on your master host -1) Your PV backing NFS storage volume is mounted on `/exports/` - -Required directories that NFS will export to back the PVs: - -* `/exports/miq-pv0[123]` - -If the required directories are not present at install-time, they will -be created using the recommended permissions per the -[upstream documentation](https://github.com/ManageIQ/manageiq-pods#make-persistent-volumes-to-host-the-miq-database-and-application-data): - -* UID/GID: `root`/`root` -* Mode: `0775` - -**IMPORTANT:** If you are using a separate volume (`/dev/vdX`) for NFS -  storage, **ensure** it is mounted on `/exports/` **before** running -  this role. - - - -## Role Variables - -Core variables in this role: - -| Name                          | Default value | Description   | -|-------------------------------|---------------|---------------| -| `openshift_cfme_install_app`  | `False`       | `True`: Install everything and create a new CFME app, `False`: Just install all of the templates and scaffolding | - - -Variables you may override have defaults defined in -[defaults/main.yml](defaults/main.yml). - - -# Important Notes - -This is a **tech preview** status role presently. 
Use it with the same -caution you would give any other pre-release software. - -**Most importantly** follow this one rule: don't re-run the entrypoint -playbook multiple times in a row without cleaning up after previous -runs if some of the CFME steps have ran. This is a known -flake. Cleanup instructions are provided at the bottom of this README. - - -# Usage - -This section describes the basic usage of this role. All parameters -will use their [default values](defaults/main.yml). - -## Pre-flight Checks - -**IMPORTANT:** As documented above in [the prerequisites](#prerequisites), -  you **must already** have your OCP cluster up and running. - -**Optional:** The ManageIQ pod is fairly large (about 1.7 GB) so to -save some spin-up time post-deployment, you can begin pre-pulling the -docker image to each of your nodes now: - -``` -root@node0x # docker pull docker.io/manageiq/manageiq-pods:app-latest-fine -``` - -## Getting Started - -1) The *entry point playbook* to install CFME is located in -[the BYO playbooks](../../playbooks/byo/openshift-cfme/config.yml) -directory - -2) Update your existing `hosts` inventory file and ensure the -parameter `openshift_cfme_install_app` is set to `True` under the -`[OSEv3:vars]` block. - -2) Using your existing `hosts` inventory file, run `ansible-playbook` -with the entry point playbook: - -``` -$ ansible-playbook -v -i <INVENTORY_FILE> playbooks/byo/openshift-cfme/config.yml -``` - -## Next Steps - -Once complete, the playbook will let you know: - - -``` -TASK [openshift_cfme : Status update] ********************************************************* -ok: [ho.st.na.me] => { -    "msg": "CFME has been deployed. Note that there will be a delay before it is fully initialized.\n" -} -``` - -This will take several minutes (*possibly 10 or more*, depending on -your network connection). However, you can get some insight into the -deployment process during initialization. 
- -### oc describe pod manageiq-0 - -*Some useful information about the output you will see if you run the -`oc describe pod manageiq-0` command* - -**Readiness probe**s - These will take a while to become -`Healthy`. The initial health probes won't even happen for at least 8 -minutes depending on how long it takes you to pull down the large -images. ManageIQ is a large application so it may take a considerable -amount of time for it to deploy and be marked as `Healthy`. - -If you go to the node you know the application is running on (check -for `Successfully assigned manageiq-0 to <HOST|IP>` in the `describe` -output) you can run a `docker pull` command to monitor the progress of -the image pull: - -``` -[root@cfme-node ~]# docker pull docker.io/manageiq/manageiq-pods:app-latest-fine -Trying to pull repository docker.io/manageiq/manageiq-pods ... -sha256:6c055ca9d3c65cd694d6c0e28986b5239ba56bbdf0488cccdaa283d545258f8a: Pulling from docker.io/manageiq/manageiq-pods -Digest: sha256:6c055ca9d3c65cd694d6c0e28986b5239ba56bbdf0488cccdaa283d545258f8a -Status: Image is up to date for docker.io/manageiq/manageiq-pods:app-latest-fine -``` - -The example above demonstrates the case where the image has been -successfully pulled already. - -If the image isn't completely pulled already then you will see -multiple progress bars detailing each image layer download status. - - -### rsh - -*Useful inspection/progress monitoring techniques with the `oc rsh` -command.* - - -On your master node, switch to the `cfme` project (or whatever you -named it if you overrode the `openshift_cfme_project` variable) and -check on the pod states: - -``` -[root@cfme-master01 ~]# oc project cfme -Now using project "cfme" on server "https://10.10.0.100:8443". 
- -[root@cfme-master01 ~]# oc get pod -NAME                 READY     STATUS    RESTARTS   AGE -manageiq-0           0/1       Running   0          14m -memcached-1-3lk7g    1/1       Running   0          14m -postgresql-1-12slb   1/1       Running   0          14m -``` - -Note how the `manageiq-0` pod says `0/1` under the **READY** -column. After some time (depending on your network connection) you'll -be able to `rsh` into the pod to find out more of what's happening in -real time. First, the easy-mode command, run this once `rsh` is -available and then watch until it says `Started Initialize Appliance -Database`: - -``` -[root@cfme-master01 ~]# oc rsh manageiq-0 journalctl -f -u appliance-initialize.service -``` - -For the full explanation of what this means, and more interactive -inspection techniques, keep reading on. - -To obtain a shell on our `manageiq` pod we use this command: - -``` -[root@cfme-master01 ~]# oc rsh manageiq-0 bash -l -``` - -The `rsh` command opens a shell in your pod for you. In this case it's -the pod called `manageiq-0`. `systemd` is managing the services in -this pod so we can use the `list-units` command to see what is running -currently: `# systemctl list-units | grep appliance`. - -If you see the `appliance-initialize` service running, this indicates -that basic setup is still in progress. 
We can monitor the process with -the `journalctl` command like so: - - -``` -[root@manageiq-0 vmdb]# journalctl -f -u appliance-initialize.service -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Checking deployment status == -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: No pre-existing EVM configuration found on region PV -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Checking for existing data on server PV == -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Starting New Deployment == -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Applying memcached config == -Jun 14 14:55:53 manageiq-0 appliance-initialize.sh[58]: == Initializing Appliance == -Jun 14 14:55:57 manageiq-0 appliance-initialize.sh[58]: create encryption key -Jun 14 14:55:57 manageiq-0 appliance-initialize.sh[58]: configuring external database -Jun 14 14:55:57 manageiq-0 appliance-initialize.sh[58]: Checking for connections to the database... -Jun 14 14:56:09 manageiq-0 appliance-initialize.sh[58]: Create region starting -Jun 14 14:58:15 manageiq-0 appliance-initialize.sh[58]: Create region complete -Jun 14 14:58:15 manageiq-0 appliance-initialize.sh[58]: == Initializing PV data == -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: == Initializing PV data backup == -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: sending incremental file list -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: created directory /persistent/server-deploy/backup/backup_2017_06_14_145816 -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: 
region-data/var/www/miq/vmdb/REGION -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/certs/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/certs/v2_key -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/config/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/config/database.yml -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/miq/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/miq/vmdb/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/miq/vmdb/GUID -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: sent 1330 bytes  received 136 bytes  2932.00 bytes/sec -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: total size is 770  speedup is 0.53 -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: == Restoring PV data symlinks == -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/REGION symlink is already in place, skipping -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/config/database.yml symlink is already in place, skipping -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/certs/v2_key symlink is already in place, skipping -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/log symlink is already in place, skipping -Jun 14 14:58:28 manageiq-0 systemctl[304]: Removed symlink /etc/systemd/system/multi-user.target.wants/appliance-initialize.service. -Jun 14 14:58:29 manageiq-0 systemd[1]: Started Initialize Appliance Database. -``` - -Most of what we see here (above) is the initial database seeding -process. 
This process isn't very quick, so be patient. - -At the bottom of the log there is a special line from the `systemctl` -service, `Removed symlink -/etc/systemd/system/multi-user.target.wants/appliance-initialize.service`. The -`appliance-initialize` service is no longer marked as enabled. This -indicates that the base application initialization is complete now. - -We're not done yet though, there are other ancillary services which -run in this pod to support the application. *Still in the rsh shell*, -Use the `ps` command to monitor for the `httpd` processes -starting. You will see output similar to the following when that stage -has completed: - -``` -[root@manageiq-0 vmdb]# ps aux | grep http -root       1941  0.0  0.1 249820  7640 ?        Ss   15:02   0:00 /usr/sbin/httpd -DFOREGROUND -apache     1942  0.0  0.0 250752  6012 ?        S    15:02   0:00 /usr/sbin/httpd -DFOREGROUND -apache     1943  0.0  0.0 250472  5952 ?        S    15:02   0:00 /usr/sbin/httpd -DFOREGROUND -apache     1944  0.0  0.0 250472  5916 ?        S    15:02   0:00 /usr/sbin/httpd -DFOREGROUND -apache     1945  0.0  0.0 250360  5764 ?        S    15:02   0:00 /usr/sbin/httpd -DFOREGROUND -``` - -Furthermore, you can find other related processes by just looking for -ones with `MIQ` in their name: - -``` -[root@manageiq-0 vmdb]# ps aux | grep miq -root        333 27.7  4.2 555884 315916 ?       Sl   14:58   3:59 MIQ Server -root       1976  0.6  4.0 507224 303740 ?       SNl  15:02   0:03 MIQ: MiqGenericWorker id: 1, queue: generic -root       1984  0.6  4.0 507224 304312 ?       SNl  15:02   0:03 MIQ: MiqGenericWorker id: 2, queue: generic -root       1992  0.9  4.0 508252 304888 ?       SNl  15:02   0:05 MIQ: MiqPriorityWorker id: 3, queue: generic -root       2000  0.7  4.0 510308 304696 ?       SNl  15:02   0:04 MIQ: MiqPriorityWorker id: 4, queue: generic -root       2008  1.2  4.0 514000 303612 ?       
SNl  15:02   0:07 MIQ: MiqScheduleWorker id: 5 -root       2026  0.2  4.0 517504 303644 ?       SNl  15:02   0:01 MIQ: MiqEventHandler id: 6, queue: ems -root       2036  0.2  4.0 518532 303768 ?       SNl  15:02   0:01 MIQ: MiqReportingWorker id: 7, queue: reporting -root       2044  0.2  4.0 519560 303812 ?       SNl  15:02   0:01 MIQ: MiqReportingWorker id: 8, queue: reporting -root       2059  0.2  4.0 528372 303956 ?       SNl  15:02   0:01 puma 3.3.0 (tcp://127.0.0.1:5000) [MIQ: Web Server Worker] -root       2067  0.9  4.0 529664 305716 ?       SNl  15:02   0:05 puma 3.3.0 (tcp://127.0.0.1:3000) [MIQ: Web Server Worker] -root       2075  0.2  4.0 529408 304056 ?       SNl  15:02   0:01 puma 3.3.0 (tcp://127.0.0.1:4000) [MIQ: Web Server Worker] -root       2329  0.0  0.0  10640   972 ?        S+   15:13   0:00 grep --color=auto -i miq -``` - -Finally, *still in the rsh shell*, to test if the application is -running correctly, we can request the application homepage. If the -page is available the page title will be `ManageIQ: Login`: - -``` -[root@manageiq-0 vmdb]# curl -s -k https://localhost | grep -A2 '<title>' -<title> -ManageIQ: Login -</title> -``` - -**Note:** The `-s` flag makes `curl` operations silent and the `-k` -flag to ignore errors about untrusted certificates. - - - -# Additional Upstream Resources - -Below are some useful resources from the upstream project -documentation. You may find these of value. - -* [Verify Setup Was Successful](https://github.com/ManageIQ/manageiq-pods#verifying-the-setup-was-successful) -* [POD Access And Routes](https://github.com/ManageIQ/manageiq-pods#pod-access-and-routes) -* [Troubleshooting](https://github.com/ManageIQ/manageiq-pods#troubleshooting) - - -# Manual Cleanup - -At this time uninstallation/cleanup is still a manual process. You -will have to follow a few steps to fully remove CFME from your -cluster. 
- -Delete the project: - -* `oc delete project cfme` - -Delete the PVs: - -* `oc delete pv miq-pv01` -* `oc delete pv miq-pv02` -* `oc delete pv miq-pv03` - -Clean out the old PV data: - -* `cd /exports/` -* `find miq* -type f -delete` -* `find miq* -type d -delete` - -Remove the NFS exports: - -* `rm /etc/exports.d/openshift_cfme.exports` -* `exportfs -ar` - -Delete the user: - -* `oc delete user cfme` - -**NOTE:** The `oc delete project cfme` command will return quickly -however it will continue to operate in the background. Continue -running `oc get project` after you've completed the other steps to -monitor the pods and final project termination progress. diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml deleted file mode 100644 index b82c2e602..000000000 --- a/roles/openshift_cfme/defaults/main.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -# Namespace for the CFME project (Note: changed post-3.6 to use -# reserved 'openshift-' namespace prefix) -openshift_cfme_project: openshift-cfme -# Namespace/project description -openshift_cfme_project_description: ManageIQ - CloudForms Management Engine -# Basic user assigned the `admin` role for the project -openshift_cfme_user: cfme -# Project system account for enabling privileged pods -openshift_cfme_service_account: "system:serviceaccount:{{ openshift_cfme_project }}:default" -# All the required exports -openshift_cfme_pv_exports: -  - miq-pv01 -  - miq-pv02 -  - miq-pv03 -# PV template files and their created object names -openshift_cfme_pv_data: -  - pv_name: miq-pv01 -    pv_template: miq-pv-db.yaml -    pv_label: CFME DB PV -  - pv_name: miq-pv02 -    pv_template: miq-pv-region.yaml -    pv_label: CFME Region PV -  - pv_name: miq-pv03 -    pv_template: miq-pv-server.yaml -    pv_label: CFME Server PV - -# Tuning parameter to use more than 5 images at once from an ImageStream -openshift_cfme_maxImagesBulkImportedPerRepository: 100 -# TODO: Refactor '_install_app' variable. This is just for testing but -# maybe in the future it should control the entire yes/no for CFME. -# -# Whether or not the manageiq app should be initialized ('oc new-app -# --template=manageiq). If False everything UP TO 'new-app' is ran. 
-openshift_cfme_install_app: False -# Docker image to pull -openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -openshift_cfme_postgresql_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -openshift_cfme_memcached_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-memcached' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'app-latest-fine' }}" -openshift_cfme_memcached_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'memcached-latest-fine' }}" -openshift_cfme_postgresql_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'postgresql-latest-fine' }}" diff --git a/roles/openshift_cfme/files/miq-template.yaml b/roles/openshift_cfme/files/miq-template.yaml deleted file mode 100644 index 8f0d2af38..000000000 --- a/roles/openshift_cfme/files/miq-template.yaml +++ /dev/null 
@@ -1,566 +0,0 @@ ---- -path: /tmp/miq-template-out -data: -  apiVersion: v1 -  kind: Template -  labels: -    template: manageiq -  metadata: -    name: manageiq -    annotations: -      description: "ManageIQ appliance with persistent storage" -      tags: "instant-app,manageiq,miq" -      iconClass: "icon-rails" -  objects: -  - apiVersion: v1 -    kind: Secret -    metadata: -      name: "${NAME}-secrets" -    stringData: -      pg-password: "${DATABASE_PASSWORD}" -  - apiVersion: v1 -    kind: Service -    metadata: -      annotations: -        description: "Exposes and load balances ManageIQ pods" -        service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' -      name: ${NAME} -    spec: -      clusterIP: None -      ports: -      - name: http -        port: 80 -        protocol: TCP -        targetPort: 80 -      - name: https -        port: 443 -        protocol: TCP -        targetPort: 443 -      selector: -        name: ${NAME} -  - apiVersion: v1 -    kind: Route -    metadata: -      name: ${NAME} -    spec: -      host: ${APPLICATION_DOMAIN} -      port: -        targetPort: https -      tls: -        termination: passthrough -      to: -        kind: Service -        name: ${NAME} -  - apiVersion: v1 -    kind: ImageStream -    metadata: -      name: miq-app -      annotations: -        description: "Keeps track of the ManageIQ image changes" -    spec: -      dockerImageRepository: "${APPLICATION_IMG_NAME}" -  - apiVersion: v1 -    kind: ImageStream -    metadata: -      name: miq-postgresql -      annotations: -        description: "Keeps track of the PostgreSQL image changes" -    spec: -      dockerImageRepository: "${POSTGRESQL_IMG_NAME}" -  - apiVersion: v1 -    kind: ImageStream -    metadata: -      name: miq-memcached -      annotations: -        description: "Keeps track of the Memcached image changes" -    
spec: -      dockerImageRepository: "${MEMCACHED_IMG_NAME}" -  - apiVersion: v1 -    kind: PersistentVolumeClaim -    metadata: -      name: "${NAME}-${DATABASE_SERVICE_NAME}" -    spec: -      accessModes: -        - ReadWriteOnce -      resources: -        requests: -          storage: ${DATABASE_VOLUME_CAPACITY} -  - apiVersion: v1 -    kind: PersistentVolumeClaim -    metadata: -      name: "${NAME}-region" -    spec: -      accessModes: -        - ReadWriteOnce -      resources: -        requests: -          storage: ${APPLICATION_REGION_VOLUME_CAPACITY} -  - apiVersion: apps/v1beta1 -    kind: "StatefulSet" -    metadata: -      name: ${NAME} -      annotations: -        description: "Defines how to deploy the ManageIQ appliance" -    spec: -      serviceName: "${NAME}" -      replicas: "${APPLICATION_REPLICA_COUNT}" -      template: -        metadata: -          labels: -            name: ${NAME} -          name: ${NAME} -        spec: -          containers: -          - name: manageiq -            image: "${APPLICATION_IMG_NAME}:${APPLICATION_IMG_TAG}" -            livenessProbe: -              tcpSocket: -                port: 443 -              initialDelaySeconds: 480 -              timeoutSeconds: 3 -            readinessProbe: -              httpGet: -                path: / -                port: 443 -                scheme: HTTPS -              initialDelaySeconds: 200 -              timeoutSeconds: 3 -            ports: -            - containerPort: 80 -              protocol: TCP -            - containerPort: 443 -              protocol: TCP -            securityContext: -              privileged: true -            volumeMounts: -                - -                  name: "${NAME}-server" -                  mountPath: "/persistent" -                - -                  name: "${NAME}-region" -                  mountPath: "/persistent-region" -            env: -              - -                name: "APPLICATION_INIT_DELAY" -                value: 
"${APPLICATION_INIT_DELAY}" -              - -                name: "DATABASE_SERVICE_NAME" -                value: "${DATABASE_SERVICE_NAME}" -              - -                name: "DATABASE_REGION" -                value: "${DATABASE_REGION}" -              - -                name: "MEMCACHED_SERVICE_NAME" -                value: "${MEMCACHED_SERVICE_NAME}" -              - -                name: "POSTGRESQL_USER" -                value: "${DATABASE_USER}" -              - -                name: "POSTGRESQL_PASSWORD" -                valueFrom: -                  secretKeyRef: -                    name: "${NAME}-secrets" -                    key: "pg-password" -              - -                name: "POSTGRESQL_DATABASE" -                value: "${DATABASE_NAME}" -              - -                name: "POSTGRESQL_MAX_CONNECTIONS" -                value: "${POSTGRESQL_MAX_CONNECTIONS}" -              - -                name: "POSTGRESQL_SHARED_BUFFERS" -                value: "${POSTGRESQL_SHARED_BUFFERS}" -            resources: -              requests: -                memory: "${APPLICATION_MEM_REQ}" -                cpu: "${APPLICATION_CPU_REQ}" -              limits: -                memory: "${APPLICATION_MEM_LIMIT}" -            lifecycle: -              preStop: -                exec: -                  command: -                    - /opt/manageiq/container-scripts/sync-pv-data -          volumes: -           - -             name: "${NAME}-region" -             persistentVolumeClaim: -               claimName: ${NAME}-region -      volumeClaimTemplates: -        - metadata: -            name: "${NAME}-server" -            annotations: -              # Uncomment this if using dynamic volume provisioning. 
-              # https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html -              # volume.alpha.kubernetes.io/storage-class: anything -          spec: -            accessModes: [ ReadWriteOnce ] -            resources: -              requests: -                storage: "${APPLICATION_VOLUME_CAPACITY}" -  - apiVersion: v1 -    kind: "Service" -    metadata: -      name: "${MEMCACHED_SERVICE_NAME}" -      annotations: -        description: "Exposes the memcached server" -    spec: -      ports: -        - -          name: "memcached" -          port: 11211 -          targetPort: 11211 -      selector: -        name: "${MEMCACHED_SERVICE_NAME}" -  - apiVersion: v1 -    kind: "DeploymentConfig" -    metadata: -      name: "${MEMCACHED_SERVICE_NAME}" -      annotations: -        description: "Defines how to deploy memcached" -    spec: -      strategy: -        type: "Recreate" -      triggers: -        - -          type: "ImageChange" -          imageChangeParams: -            automatic: true -            containerNames: -              - "memcached" -            from: -              kind: "ImageStreamTag" -              name: "miq-memcached:${MEMCACHED_IMG_TAG}" -        - -          type: "ConfigChange" -      replicas: 1 -      selector: -        name: "${MEMCACHED_SERVICE_NAME}" -      template: -        metadata: -          name: "${MEMCACHED_SERVICE_NAME}" -          labels: -            name: "${MEMCACHED_SERVICE_NAME}" -        spec: -          volumes: [] -          containers: -            - -              name: "memcached" -              image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" -              ports: -                - -                  containerPort: 11211 -              readinessProbe: -                timeoutSeconds: 1 -                initialDelaySeconds: 5 -                tcpSocket: -                  port: 11211 -              livenessProbe: -                timeoutSeconds: 1 -             
   initialDelaySeconds: 30 -                tcpSocket: -                  port: 11211 -              volumeMounts: [] -              env: -                - -                  name: "MEMCACHED_MAX_MEMORY" -                  value: "${MEMCACHED_MAX_MEMORY}" -                - -                  name: "MEMCACHED_MAX_CONNECTIONS" -                  value: "${MEMCACHED_MAX_CONNECTIONS}" -                - -                  name: "MEMCACHED_SLAB_PAGE_SIZE" -                  value: "${MEMCACHED_SLAB_PAGE_SIZE}" -              resources: -                requests: -                  memory: "${MEMCACHED_MEM_REQ}" -                  cpu: "${MEMCACHED_CPU_REQ}" -                limits: -                  memory: "${MEMCACHED_MEM_LIMIT}" -  - apiVersion: v1 -    kind: "Service" -    metadata: -      name: "${DATABASE_SERVICE_NAME}" -      annotations: -        description: "Exposes the database server" -    spec: -      ports: -        - -          name: "postgresql" -          port: 5432 -          targetPort: 5432 -      selector: -        name: "${DATABASE_SERVICE_NAME}" -  - apiVersion: v1 -    kind: "DeploymentConfig" -    metadata: -      name: "${DATABASE_SERVICE_NAME}" -      annotations: -        description: "Defines how to deploy the database" -    spec: -      strategy: -        type: "Recreate" -      triggers: -        - -          type: "ImageChange" -          imageChangeParams: -            automatic: true -            containerNames: -              - "postgresql" -            from: -              kind: "ImageStreamTag" -              name: "miq-postgresql:${POSTGRESQL_IMG_TAG}" -        - -          type: "ConfigChange" -      replicas: 1 -      selector: -        name: "${DATABASE_SERVICE_NAME}" -      template: -        metadata: -          name: "${DATABASE_SERVICE_NAME}" -          labels: -            name: "${DATABASE_SERVICE_NAME}" -        spec: -          volumes: -            - -              name: "miq-pgdb-volume" -              
persistentVolumeClaim: -                claimName: "${NAME}-${DATABASE_SERVICE_NAME}" -          containers: -            - -              name: "postgresql" -              image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}" -              ports: -                - -                  containerPort: 5432 -              readinessProbe: -                timeoutSeconds: 1 -                initialDelaySeconds: 15 -                exec: -                  command: -                    - "/bin/sh" -                    - "-i" -                    - "-c" -                    - "psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'" -              livenessProbe: -                timeoutSeconds: 1 -                initialDelaySeconds: 60 -                tcpSocket: -                  port: 5432 -              volumeMounts: -                - -                  name: "miq-pgdb-volume" -                  mountPath: "/var/lib/pgsql/data" -              env: -                - -                  name: "POSTGRESQL_USER" -                  value: "${DATABASE_USER}" -                - -                  name: "POSTGRESQL_PASSWORD" -                  valueFrom: -                    secretKeyRef: -                      name: "${NAME}-secrets" -                      key: "pg-password" -                - -                  name: "POSTGRESQL_DATABASE" -                  value: "${DATABASE_NAME}" -                - -                  name: "POSTGRESQL_MAX_CONNECTIONS" -                  value: "${POSTGRESQL_MAX_CONNECTIONS}" -                - -                  name: "POSTGRESQL_SHARED_BUFFERS" -                  value: "${POSTGRESQL_SHARED_BUFFERS}" -              resources: -                requests: -                  memory: "${POSTGRESQL_MEM_REQ}" -                  cpu: "${POSTGRESQL_CPU_REQ}" -                limits: -                  memory: "${POSTGRESQL_MEM_LIMIT}" - -  parameters: -    - -      name: "NAME" -      displayName: Name -      
required: true -      description: "The name assigned to all of the frontend objects defined in this template." -      value: manageiq -    - -      name: "DATABASE_SERVICE_NAME" -      displayName: "PostgreSQL Service Name" -      required: true -      description: "The name of the OpenShift Service exposed for the PostgreSQL container." -      value: "postgresql" -    - -      name: "DATABASE_USER" -      displayName: "PostgreSQL User" -      required: true -      description: "PostgreSQL user that will access the database." -      value: "root" -    - -      name: "DATABASE_PASSWORD" -      displayName: "PostgreSQL Password" -      required: true -      description: "Password for the PostgreSQL user." -      from: "[a-zA-Z0-9]{8}" -      generate: expression -    - -      name: "DATABASE_NAME" -      required: true -      displayName: "PostgreSQL Database Name" -      description: "Name of the PostgreSQL database accessed." -      value: "vmdb_production" -    - -      name: "DATABASE_REGION" -      required: true -      displayName: "Application Database Region" -      description: "Database region that will be used for application." -      value: "0" -    - -      name: "MEMCACHED_SERVICE_NAME" -      required: true -      displayName: "Memcached Service Name" -      description: "The name of the OpenShift Service exposed for the Memcached container." -      value: "memcached" -    - -      name: "MEMCACHED_MAX_MEMORY" -      displayName: "Memcached Max Memory" -      description: "Memcached maximum memory for memcached object storage in MB." -      value: "64" -    - -      name: "MEMCACHED_MAX_CONNECTIONS" -      displayName: "Memcached Max Connections" -      description: "Memcached maximum number of connections allowed." -      value: "1024" -    - -      name: "MEMCACHED_SLAB_PAGE_SIZE" -      displayName: "Memcached Slab Page Size" -      description: "Memcached size of each slab page." 
-      value: "1m" -    - -      name: "POSTGRESQL_MAX_CONNECTIONS" -      displayName: "PostgreSQL Max Connections" -      description: "PostgreSQL maximum number of database connections allowed." -      value: "100" -    - -      name: "POSTGRESQL_SHARED_BUFFERS" -      displayName: "PostgreSQL Shared Buffer Amount" -      description: "Amount of memory dedicated for PostgreSQL shared memory buffers." -      value: "256MB" -    - -      name: "APPLICATION_CPU_REQ" -      displayName: "Application Min CPU Requested" -      required: true -      description: "Minimum amount of CPU time the Application container will need (expressed in millicores)." -      value: "1000m" -    - -      name: "POSTGRESQL_CPU_REQ" -      displayName: "PostgreSQL Min CPU Requested" -      required: true -      description: "Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores)." -      value: "500m" -    - -      name: "MEMCACHED_CPU_REQ" -      displayName: "Memcached Min CPU Requested" -      required: true -      description: "Minimum amount of CPU time the Memcached container will need (expressed in millicores)." -      value: "200m" -    - -      name: "APPLICATION_MEM_REQ" -      displayName: "Application Min RAM Requested" -      required: true -      description: "Minimum amount of memory the Application container will need." -      value: "6144Mi" -    - -      name: "POSTGRESQL_MEM_REQ" -      displayName: "PostgreSQL Min RAM Requested" -      required: true -      description: "Minimum amount of memory the PostgreSQL container will need." -      value: "1024Mi" -    - -      name: "MEMCACHED_MEM_REQ" -      displayName: "Memcached Min RAM Requested" -      required: true -      description: "Minimum amount of memory the Memcached container will need." 
-      value: "64Mi" -    - -      name: "APPLICATION_MEM_LIMIT" -      displayName: "Application Max RAM Limit" -      required: true -      description: "Maximum amount of memory the Application container can consume." -      value: "16384Mi" -    - -      name: "POSTGRESQL_MEM_LIMIT" -      displayName: "PostgreSQL Max RAM Limit" -      required: true -      description: "Maximum amount of memory the PostgreSQL container can consume." -      value: "8192Mi" -    - -      name: "MEMCACHED_MEM_LIMIT" -      displayName: "Memcached Max RAM Limit" -      required: true -      description: "Maximum amount of memory the Memcached container can consume." -      value: "256Mi" -    - -      name: "POSTGRESQL_IMG_NAME" -      displayName: "PostgreSQL Image Name" -      description: "This is the PostgreSQL image name requested to deploy." -      value: "docker.io/manageiq/manageiq-pods" -    - -      name: "POSTGRESQL_IMG_TAG" -      displayName: "PostgreSQL Image Tag" -      description: "This is the PostgreSQL image tag/version requested to deploy." -      value: "postgresql-latest-fine" -    - -      name: "MEMCACHED_IMG_NAME" -      displayName: "Memcached Image Name" -      description: "This is the Memcached image name requested to deploy." -      value: "docker.io/manageiq/manageiq-pods" -    - -      name: "MEMCACHED_IMG_TAG" -      displayName: "Memcached Image Tag" -      description: "This is the Memcached image tag/version requested to deploy." -      value: "memcached-latest-fine" -    - -      name: "APPLICATION_IMG_NAME" -      displayName: "Application Image Name" -      description: "This is the Application image name requested to deploy." -      value: "docker.io/manageiq/manageiq-pods" -    - -      name: "APPLICATION_IMG_TAG" -      displayName: "Application Image Tag" -      description: "This is the Application image tag/version requested to deploy." 
-      value: "app-latest-fine" -    - -      name: "APPLICATION_DOMAIN" -      displayName: "Application Hostname" -      description: "The exposed hostname that will route to the application service, if left blank a value will be defaulted." -      value: "" -    - -      name: "APPLICATION_REPLICA_COUNT" -      displayName: "Application Replica Count" -      description: "This is the number of Application replicas requested to deploy." -      value: "1" -    - -      name: "APPLICATION_INIT_DELAY" -      displayName: "Application Init Delay" -      required: true -      description: "Delay in seconds before we attempt to initialize the application." -      value: "15" -    - -      name: "APPLICATION_VOLUME_CAPACITY" -      displayName: "Application Volume Capacity" -      required: true -      description: "Volume space available for application data." -      value: "5Gi" -    - -      name: "APPLICATION_REGION_VOLUME_CAPACITY" -      displayName: "Application Region Volume Capacity" -      required: true -      description: "Volume space available for region application data." -      value: "5Gi" -    - -      name: "DATABASE_VOLUME_CAPACITY" -      displayName: "Database Volume Capacity" -      required: true -      description: "Volume space available for database." -      value: "15Gi" diff --git a/roles/openshift_cfme/files/openshift_cfme.exports b/roles/openshift_cfme/files/openshift_cfme.exports deleted file mode 100644 index 5457d41fc..000000000 --- a/roles/openshift_cfme/files/openshift_cfme.exports +++ /dev/null @@ -1,3 +0,0 @@ -/exports/miq-pv01 *(rw,no_root_squash,no_wdelay) -/exports/miq-pv02 *(rw,no_root_squash,no_wdelay) -/exports/miq-pv03 *(rw,no_root_squash,no_wdelay) diff --git a/roles/openshift_cfme/handlers/main.yml b/roles/openshift_cfme/handlers/main.yml deleted file mode 100644 index 7e90b09a4..000000000 --- a/roles/openshift_cfme/handlers/main.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -###################################################################### -# NOTE: These are duplicated from roles/openshift_master/handlers/main.yml -# -# TODO: Use the consolidated 'openshift_handlers' role once it's ready -# See: https://github.com/openshift/openshift-ansible/pull/4041#discussion_r118770782 -###################################################################### - -- name: restart master api -  systemd: name={{ openshift.common.service_type }}-master-api state=restarted -  when: (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' -  notify: Verify API Server - -- name: restart master controllers -  systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted -  when: (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' - -- name: Verify API Server -  # Using curl here since the uri module requires python-httplib2 and -  # wait_for port doesn't provide health information. -  command: > -    curl --silent --tlsv1.2 -    {% if openshift.common.version_gte_3_2_or_1_2 | bool %} -    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt -    {% else %} -    --cacert {{ openshift.common.config_base }}/master/ca.crt -    {% endif %} -    {{ openshift.master.api_url }}/healthz/ready -  args: -    # Disables the following warning: -    # Consider using get_url or uri module rather than running curl -    warn: no -  register: api_available_output -  until: api_available_output.stdout == 'ok' -  retries: 120 -  delay: 1 -  changed_when: false diff --git a/roles/openshift_cfme/img/CFMEBasicDeployment.png b/roles/openshift_cfme/img/CFMEBasicDeployment.pngBinary files differ deleted file mode 100644 index a89c1e325..000000000 --- a/roles/openshift_cfme/img/CFMEBasicDeployment.png +++ /dev/null 
diff --git a/roles/openshift_cfme/tasks/create_pvs.yml b/roles/openshift_cfme/tasks/create_pvs.yml deleted file mode 100644 index 7fa7d3997..000000000 --- a/roles/openshift_cfme/tasks/create_pvs.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -# Check for existance and then conditionally: -# - evaluate templates -# - PVs -# -# These tasks idempotently create required CFME PV objects. Do not -# call this file directly. This file is intended to be ran as an -# include that has a 'with_items' attached to it. Hence the use below -# of variables like "{{ item.pv_label }}" - -- name: "Check if the {{ item.pv_label }} template has been created already" -  oc_obj: -    namespace: "{{ openshift_cfme_project }}" -    state: list -    kind: pv -    name: "{{ item.pv_name }}" -  register: miq_pv_check - -# Skip all of this if the PV already exists -- block: -    - name: "Ensure the {{ item.pv_label }} template is evaluated" -      template: -        src: "{{ item.pv_template }}.j2" -        dest: "{{ template_dir }}/{{ item.pv_template }}" - -    - name: "Ensure {{ item.pv_label }} is created" -      oc_obj: -        namespace: "{{ openshift_cfme_project }}" -        kind: pv -        name: "{{ item.pv_name }}" -        state: present -        delete_after: True -        files: -          - "{{ template_dir }}/{{ item.pv_template }}" -  when: -    - not miq_pv_check.results.results.0 diff --git a/roles/openshift_cfme/tasks/main.yml b/roles/openshift_cfme/tasks/main.yml deleted file mode 100644 index 74ae16d91..000000000 --- a/roles/openshift_cfme/tasks/main.yml +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -###################################################################### -# Users, projects, and privileges - -- name: Ensure the CFME user exists -  oc_user: -    state: present -    username: "{{ openshift_cfme_user }}" - -- name: Ensure the CFME namespace exists with CFME user as admin -  oc_project: -    state: present -    name: "{{ openshift_cfme_project }}" -    display_name: "{{ openshift_cfme_project_description }}" -    admin: "{{ openshift_cfme_user }}" - -- name: Ensure the CFME namespace service account is privileged -  oc_adm_policy_user: -    namespace: "{{ openshift_cfme_project }}" -    user: "{{ openshift_cfme_service_account }}" -    resource_kind: scc -    resource_name: privileged -    state: present - -###################################################################### -# NFS -# In the case that we are not running on a cloud provider, volumes must be statically provisioned - -- include: nfs.yml -  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) - -###################################################################### -# CFME App Template -# -# Note, this is different from the create_pvs.yml tasks in that the -# application template does not require any jinja2 evaluation. -# -# TODO: Handle the case where the server template is updated in -# openshift-ansible and the change needs to be landed on the managed -# cluster. 
- -- name: Check if the CFME Server template has been created already -  oc_obj: -    namespace: "{{ openshift_cfme_project }}" -    state: list -    kind: template -    name: manageiq -  register: miq_server_check - -- name: Copy over CFME Server template -  copy: -    src: miq-template.yaml -    dest: "{{ template_dir }}/miq-template.yaml" - -- name: Ensure the server template was read from disk -  debug: -    var=r_openshift_cfme_miq_template_content - -- name: Ensure CFME Server Template exists -  oc_obj: -    namespace: "{{ openshift_cfme_project }}" -    kind: template -    name: "manageiq" -    state: present -    content: "{{ r_openshift_cfme_miq_template_content }}" - -###################################################################### -# Let's do this - -- name: Ensure the CFME Server is created -  oc_process: -    namespace: "{{ openshift_cfme_project }}" -    template_name: manageiq -    create: True -    params: -      APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}" -      POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}" -      MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}" -      APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}" -      POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}" -      MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}" -  register: cfme_new_app_process -  run_once: True -  when: -    # User said to install CFME in their inventory -    - openshift_cfme_install_app | bool -    # # The server app doesn't exist already -    # - not miq_server_check.results.results.0 - -- debug: -    var: cfme_new_app_process - -###################################################################### -# Various cleanup steps - -# TODO: Not sure what to do about this right now. Might be able to -# just delete it?  This currently warns about "Unable to find -# '<TEMP_DIR>' in expected paths." 
-- name: Ensure the temporary PV/App templates are erased -  file: -    path: "{{ item }}" -    state: absent -  with_fileglob: -    - "{{ template_dir }}/*.yaml" - -- name: Ensure the temporary PV/app template directory is erased -  file: -    path: "{{ template_dir }}" -    state: absent - -###################################################################### - -- name: Status update -  debug: -    msg: > -      CFME has been deployed. Note that there will be a delay before -      it is fully initialized. diff --git a/roles/openshift_cfme/tasks/nfs.yml b/roles/openshift_cfme/tasks/nfs.yml deleted file mode 100644 index ca04628a8..000000000 --- a/roles/openshift_cfme/tasks/nfs.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -# Tasks to statically provision NFS volumes -# Include if not using dynamic volume provisioning - -- name: Set openshift_cfme_nfs_server fact -  when: openshift_cfme_nfs_server is not defined -  set_fact: -    # Hostname/IP of the NFS server. Currently defaults to first master -    openshift_cfme_nfs_server: "{{ oo_nfs_to_config.0 }}" - -- name: Ensure the /exports/ directory exists -  file: -    path: /exports/ -    state: directory -    mode: 0755 -    owner: root -    group: root - -- name: Ensure the miq-pv0X export directories exist -  file: -    path: "/exports/{{ item }}" -    state: directory -    mode: 0775 -    owner: root -    group: root -  with_items: "{{ openshift_cfme_pv_exports }}" - -- name: Ensure the NFS exports for CFME PVs exist -  copy: -    src: openshift_cfme.exports -    dest: /etc/exports.d/openshift_cfme.exports -  register: nfs_exports_updated - -- name: Ensure the NFS export table is refreshed if exports were added -  command: exportfs -ar -  when: -    - nfs_exports_updated.changed - - -###################################################################### -# Create the required CFME PVs. Check out these online docs if you -# need a refresher on includes looping with items: -# * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0 -# * http://stackoverflow.com/a/35128533 -# -# TODO: Handle the case where a PV template is updated in -# openshift-ansible and the change needs to be landed on the managed -# cluster. - -- include: create_pvs.yml -  with_items: "{{ openshift_cfme_pv_data }}" diff --git a/roles/openshift_cfme/tasks/tune_masters.yml b/roles/openshift_cfme/tasks/tune_masters.yml deleted file mode 100644 index 02b0f10bf..000000000 --- a/roles/openshift_cfme/tasks/tune_masters.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -- name: Ensure bulk image import limit is tuned -  yedit: -    src: /etc/origin/master/master-config.yaml -    key: 'imagePolicyConfig.maxImagesBulkImportedPerRepository' -    value: "{{ openshift_cfme_maxImagesBulkImportedPerRepository | int() }}" -    state: present -    backup: True -  notify: -    - restart master - -- meta: flush_handlers diff --git a/roles/openshift_cfme/tasks/uninstall.yml b/roles/openshift_cfme/tasks/uninstall.yml deleted file mode 100644 index 406b59364..000000000 --- a/roles/openshift_cfme/tasks/uninstall.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -- include_role: -    name: lib_openshift - -- name: Uninstall CFME - ManageIQ -  debug: -    msg: Uninstalling Cloudforms Management Engine - ManageIQ - -- name: Ensure the CFME project is removed -  oc_project: -    state: absent -    name: "{{ openshift_cfme_project }}" - -- name: Ensure the CFME template is removed -  oc_obj: -    namespace: "{{ openshift_cfme_project }}" -    state: absent -    kind: template -    name: manageiq - -- name: Ensure the CFME PVs are removed -  oc_obj: -    state: absent -    all_namespaces: True -    kind: pv -    name: "{{ item }}" -  with_items: "{{ openshift_cfme_pv_exports }}" -  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) - -- name: Ensure the CFME user is removed -  oc_user: -    state: absent -    username: "{{ openshift_cfme_user }}" - -- name: Ensure the CFME NFS Exports are removed -  file: -    path: /etc/exports.d/openshift_cfme.exports -    state: absent -  register: nfs_exports_removed -  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) - -- name: Ensure the NFS export table is refreshed if exports were removed -  command: exportfs -ar -  when: -    - nfs_exports_removed.changed -    - not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) diff --git a/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 deleted file mode 100644 index 280f3e97a..000000000 --- a/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: -  name: miq-pv01 -spec: -  capacity: -    storage: 15Gi -  accessModes: -    - ReadWriteOnce -  nfs:  -    path: {{ openshift_cfme_nfs_directory }}/miq-pv01 -    server: {{ openshift_cfme_nfs_server }} -  persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 deleted file mode 100644 index fe80dffa5..000000000 --- a/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: -  name: miq-pv02 -spec: -  capacity: -    storage: 5Gi -  accessModes: -    - ReadWriteOnce -  nfs:  -    path: {{ openshift_cfme_nfs_directory }}/miq-pv02 -    server: {{ openshift_cfme_nfs_server }} -  persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 deleted file mode 100644 index f84b67ea9..000000000 --- a/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: -  name: miq-pv03 -spec: -  capacity: -    storage: 5Gi -  accessModes: -    - ReadWriteOnce -  nfs:  -    path: {{ openshift_cfme_nfs_directory }}/miq-pv03 -    server: {{ openshift_cfme_nfs_server }} -  persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_excluder/tasks/install.yml b/roles/openshift_excluder/tasks/install.yml index 3a866cedf..7a5bebf6f 100644 --- a/roles/openshift_excluder/tasks/install.yml +++ b/roles/openshift_excluder/tasks/install.yml 
@@ -6,19 +6,46 @@
   block:
-  - name: Install docker excluder
+  - name: Install docker excluder - yum
     package:
       name: "{{ r_openshift_excluder_service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) +  '*' }}"
       state: "{{ r_openshift_excluder_docker_package_state }}"
     when:
     - r_openshift_excluder_enable_docker_excluder | bool
+    - ansible_pkg_mgr == "yum"
-  - name: Install openshift excluder
+
+  # For DNF we do not need the "*" and if we add it, it causes an error because
+  # it's not a valid pkg_spec
+  #
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1199432
+  - name: Install docker excluder - dnf
+    package:
+      name: "{{ r_openshift_excluder_service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+      state: "{{ r_openshift_excluder_docker_package_state }}"
+    when:
+    - r_openshift_excluder_enable_docker_excluder | bool
+    - ansible_pkg_mgr == "dnf"
+
+  - name: Install openshift excluder - yum
     package:
       name: "{{ r_openshift_excluder_service_type }}-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}"
       state: "{{ r_openshift_excluder_package_state }}"
     when:
     - r_openshift_excluder_enable_openshift_excluder | bool
+    - ansible_pkg_mgr == "yum"
+
+  # For DNF we do not need the "*" and if we add it, it causes an error because
+  # it's not a valid pkg_spec
+  #
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1199432
+  - name: Install openshift excluder - dnf
+    package:
+      name: "{{ r_openshift_excluder_service_type }}-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+      state: "{{ r_openshift_excluder_package_state }}"
+    when:
+    - r_openshift_excluder_enable_openshift_excluder | bool
+    - ansible_pkg_mgr == "dnf"
   - set_fact:
       r_openshift_excluder_install_ran: True
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 215ff4b72..ba1d8f29d 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1907,7 +1907,6 @@ class OpenShiftFacts(object):
                                   portal_net='172.30.0.0/16',
                                   client_binary='oc', admin_binary='oadm',
                                   dns_domain='cluster.local',
-                                  debug_level=2,
                                   config_base='/etc/origin')
         if 'master' in roles:
diff --git a/roles/openshift_health_checker/openshift_checks/disk_availability.py b/roles/openshift_health_checker/openshift_checks/disk_availability.py
index cdf56e959..7956559c6 100644
--- a/roles/openshift_health_checker/openshift_checks/disk_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/disk_availability.py
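Review bot: The yum and dnf variants of each excluder task differ only in whether `'*'` is appended to the package spec, so the hunk now carries four near-identical tasks and two copies of the same bugzilla comment. One task per excluder with the suffix chosen by the package manager keeps the intent in a single place, e.g. `name: "{{ r_openshift_excluder_service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}{{ '*' if ansible_pkg_mgr == 'yum' else '' }}"`, and the comment then needs to exist only once. With the added `ansible_pkg_mgr` conditions no excluder is installed on a host whose package manager is neither yum nor dnf, yet `r_openshift_excluder_install_ran` is still set to True below; whether that silent skip is intended is not visible from the hunk. The enclosing `block:` is the first line of the hunk and any condition applied to the block as a whole lies outside it.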
@@ -15,31 +15,31 @@ class DiskAvailability(OpenShiftCheck):
     # https://docs.openshift.org/latest/install_config/install/prerequisites.html#system-requirements
     recommended_disk_space_bytes = {
         '/var': {
-            'masters': 40 * 10**9,
-            'nodes': 15 * 10**9,
-            'etcd': 20 * 10**9,
+            'oo_masters_to_config': 40 * 10**9,
+            'oo_nodes_to_config': 15 * 10**9,
+            'oo_etcd_to_config': 20 * 10**9,
         },
         # Used to copy client binaries into,
         # see roles/openshift_cli/library/openshift_container_binary_sync.py.
         '/usr/local/bin': {
-            'masters': 1 * 10**9,
-            'nodes': 1 * 10**9,
-            'etcd': 1 * 10**9,
+            'oo_masters_to_config': 1 * 10**9,
+            'oo_nodes_to_config': 1 * 10**9,
+            'oo_etcd_to_config': 1 * 10**9,
         },
         # Used as temporary storage in several cases.
         tempfile.gettempdir(): {
-            'masters': 1 * 10**9,
-            'nodes': 1 * 10**9,
-            'etcd': 1 * 10**9,
+            'oo_masters_to_config': 1 * 10**9,
+            'oo_nodes_to_config': 1 * 10**9,
+            'oo_etcd_to_config': 1 * 10**9,
         },
     }
     # recommended disk space for each location under an upgrade context
     recommended_disk_upgrade_bytes = {
         '/var': {
-            'masters': 10 * 10**9,
-            'nodes': 5 * 10 ** 9,
-            'etcd': 5 * 10 ** 9,
+            'oo_masters_to_config': 10 * 10**9,
+            'oo_nodes_to_config': 5 * 10 ** 9,
+            'oo_etcd_to_config': 5 * 10 ** 9,
         },
     }
@@ -61,9 +61,9 @@ class DiskAvailability(OpenShiftCheck):
             number = float(user_config)
             user_config = {
                 '/var': {
-                    'masters': number,
-                    'nodes': number,
-                    'etcd': number,
+                    'oo_masters_to_config': number,
+                    'oo_nodes_to_config': number,
+                    'oo_etcd_to_config': number,
                 },
             }
         except TypeError:
diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
index fa07c1dde..7c8ac78fe 100644
--- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
@@ -1,5 +1,6 @@
 """Check that required Docker images are available."""
+from pipes import quote
 from ansible.module_utils import six
 from openshift_checks import OpenShiftCheck
 from openshift_checks.mixins import DockerHostMixin
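Review bot: `from pipes import quote` is the Python 2 name of the shell-quoting helper; on Python 3 it is `shlex.quote`, and the `pipes` module is deprecated there and removed in 3.13, so this import will eventually break the check on newer interpreters. The file already imports `six` from `ansible.module_utils` for dual-version support, so the portable spelling is one line: `from ansible.module_utils.six.moves import shlex_quote as quote`. A guarded `try: from shlex import quote` / `except ImportError: from pipes import quote` would work as well if avoiding the six dependency for this name is preferred.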
@@ -33,10 +34,39 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):      # we use python-docker-py to check local docker for images, and skopeo      # to look for images available remotely without waiting to pull them.      dependencies = ["python-docker-py", "skopeo"] -    skopeo_img_check_command = "timeout 10 skopeo inspect --tls-verify=false docker://{registry}/{image}" +    # command for checking if remote registries have an image, without docker pull +    skopeo_command = "timeout 10 skopeo inspect --tls-verify={tls} {creds} docker://{registry}/{image}" +    skopeo_example_command = "skopeo inspect [--tls-verify=false] [--creds=<user>:<pass>] docker://<registry>/<image>"      def __init__(self, *args, **kwargs):          super(DockerImageAvailability, self).__init__(*args, **kwargs) + +        self.registries = dict( +            # set of registries that need to be checked insecurely (note: not accounting for CIDR entries) +            insecure=set(self.ensure_list("openshift_docker_insecure_registries")), +            # set of registries that should never be queried even if given in the image +            blocked=set(self.ensure_list("openshift_docker_blocked_registries")), +        ) + +        # ordered list of registries (according to inventory vars) that docker will try for unscoped images +        regs = self.ensure_list("openshift_docker_additional_registries") +        # currently one of these registries is added whether the user wants it or not. 
+        deployment_type = self.get_var("openshift_deployment_type") +        if deployment_type == "origin" and "docker.io" not in regs: +            regs.append("docker.io") +        elif deployment_type == 'openshift-enterprise' and "registry.access.redhat.com" not in regs: +            regs.append("registry.access.redhat.com") +        self.registries["configured"] = regs + +        # for the oreg_url registry there may be credentials specified +        components = self.get_var("oreg_url", default="").split('/') +        self.registries["oreg"] = "" if len(components) < 3 else components[0] +        self.skopeo_command_creds = "" +        oreg_auth_user = self.get_var('oreg_auth_user', default='') +        oreg_auth_password = self.get_var('oreg_auth_password', default='') +        if oreg_auth_user != '' and oreg_auth_password != '': +            self.skopeo_command_creds = "--creds={}:{}".format(quote(oreg_auth_user), quote(oreg_auth_password)) +          # record whether we could reach a registry or not (and remember results)          self.reachable_registries = {} 
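Review bot: `self.skopeo_command_creds` embeds the oreg password in the command string that `is_available_skopeo_image` (later in this diff) hands to the `command` module as `_raw_params`, so the secret ends up on the skopeo process command line, visible to any local user via `ps` on the checked host, and in Ansible's verbose output and callback logs of module arguments; `quote()` prevents argument splitting but not this disclosure, and the only masking done is in the failure message via `skopeo_example_command`. If `execute_module` can pass `no_log`, the skopeo invocation should carry it, and if the deployed skopeo supports `--authfile`, writing the credentials to a mode-0600 temporary file and passing its path would keep them off the command line entirely. At minimum a comment above the assignment should state the exposure, e.g. `# NOTE: creds are passed on the skopeo command line; visible in process lists and verbose ansible logs`. `__init__` may continue past the end of this hunk.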
@@ -62,26 +92,25 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):          if not missing_images:              return {} -        registries = self.known_docker_registries() -        if not registries: -            return {"failed": True, "msg": "Unable to retrieve any docker registries."} - -        available_images = self.available_images(missing_images, registries) +        available_images = self.available_images(missing_images)          unavailable_images = set(missing_images) - set(available_images)          if unavailable_images: -            registries = [ -                reg if self.reachable_registries.get(reg, True) else reg + " (unreachable)" -                for reg in registries -            ] +            unreachable = [reg for reg, reachable in self.reachable_registries.items() if not reachable] +            unreachable_msg = "Failed connecting to: {}\n".format(", ".join(unreachable)) +            blocked_msg = "Blocked registries: {}\n".format(", ".join(self.registries["blocked"]))              msg = ( -                "One or more required Docker images are not available:\n    {}\n" -                "Configured registries: {}\n" -                "Checked by: {}" +                "One or more required container images are not available:\n    {missing}\n" +                "Checked with: {cmd}\n" +                "Default registries searched: {registries}\n" +                "{blocked}" +                "{unreachable}"              ).format( -                ",\n    ".join(sorted(unavailable_images)), -                ", ".join(registries), -                self.skopeo_img_check_command +                missing=",\n    ".join(sorted(unavailable_images)), +                cmd=self.skopeo_example_command, +                registries=", ".join(self.registries["configured"]), +                blocked=blocked_msg if self.registries["blocked"] else "", +                unreachable=unreachable_msg if unreachable else "",              )    
          return dict(failed=True, msg=msg) @@ -114,7 +143,7 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):          # template for images that run on top of OpenShift          image_url = "{}/{}-{}:{}".format(image_info["namespace"], image_info["name"], "${component}", "${version}")          image_url = self.get_var("oreg_url", default="") or image_url -        if 'nodes' in host_groups: +        if 'oo_nodes_to_config' in host_groups:              for suffix in NODE_IMAGE_SUFFIXES:                  required.add(image_url.replace("${component}", suffix).replace("${version}", image_tag))              # The registry-console is for some reason not prefixed with ose- like the other components. 
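Review bot: The failure text in `run` now has nondeterministic ordering, because `blocked_msg` joins the `blocked` set directly and `unreachable` is built from `self.reachable_registries.items()`; two runs with the same inputs can print the registries in different orders, which makes the message awkward to compare in logs and in tests. `unreachable = sorted(reg for reg, reachable in self.reachable_registries.items() if not reachable)` and `", ".join(sorted(self.registries["blocked"]))` fix both. Separately, the removed "Unable to retrieve any docker registries." early return means an empty `self.registries["configured"]` now yields `Default registries searched: ` with nothing after it while every unscoped image is reported missing; a short guard or an explicit "none" in that line would keep the cause visible to the operator.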
@@ -125,24 +154,23 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):          # images for containerized components          if self.get_var("openshift", "common", "is_containerized"):              components = set() -            if 'nodes' in host_groups: +            if 'oo_nodes_to_config' in host_groups:                  components.update(["node", "openvswitch"]) -            if 'masters' in host_groups:  # name is "origin" or "ose" +            if 'oo_masters_to_config' in host_groups:  # name is "origin" or "ose"                  components.add(image_info["name"])              for component in components:                  required.add("{}/{}:{}".format(image_info["namespace"], component, image_tag)) -            if 'etcd' in host_groups:  # special case, note it is the same for origin/enterprise +            if 'oo_etcd_to_config' in host_groups:  # special case, note it is the same for origin/enterprise                  required.add("registry.access.redhat.com/rhel7/etcd")  # and no image tag          return required      def local_images(self, images):          """Filter a list of images and return those available locally.""" -        registries = self.known_docker_registries()          found_images = []          for image in images:              # docker could have the image name as-is or prefixed with any registry -            imglist = [image] + [reg + "/" + image for reg in registries] +            imglist = [image] + [reg + "/" + image for reg in self.registries["configured"]]              if self.is_image_local(imglist):                  found_images.append(image)          return found_images 
@@ -152,37 +180,27 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):          result = self.execute_module("docker_image_facts", {"name": image})          return bool(result.get("images")) and not result.get("failed") -    def known_docker_registries(self): -        """Build a list of docker registries available according to inventory vars.""" -        regs = self.get_var("openshift_docker_additional_registries", default=[]) +    def ensure_list(self, registry_param): +        """Return the task var as a list."""          # https://bugzilla.redhat.com/show_bug.cgi?id=1497274 -        # if the result was a string type, place it into a list. We must do this +        # If the result was a string type, place it into a list. We must do this          # as using list() on a string will split the string into its characters. -        if isinstance(regs, six.string_types): -            regs = [regs] -        else: -            # Otherwise cast to a list as was done previously -            regs = list(regs) +        # Otherwise cast to a list as was done previously. +        registry = self.get_var(registry_param, default=[]) +        if not isinstance(registry, six.string_types): +            return list(registry) +        return self.normalize(registry) -        deployment_type = self.get_var("openshift_deployment_type") -        if deployment_type == "origin" and "docker.io" not in regs: -            regs.append("docker.io") -        elif deployment_type == 'openshift-enterprise' and "registry.access.redhat.com" not in regs: -            regs.append("registry.access.redhat.com") - -        return regs - -    def available_images(self, images, default_registries): +    def available_images(self, images):          """Search remotely for images. 
Returns: list of images found."""          return [              image for image in images -            if self.is_available_skopeo_image(image, default_registries) +            if self.is_available_skopeo_image(image)          ] -    def is_available_skopeo_image(self, image, default_registries): +    def is_available_skopeo_image(self, image):          """Use Skopeo to determine if required image exists in known registry(s).""" -        registries = default_registries - +        registries = self.registries["configured"]          # If image already includes a registry, only use that.          # NOTE: This logic would incorrectly identify images that do not use a namespace, e.g.          # registry.access.redhat.com/rhel7 as if the registry were a namespace. 
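Review bot: The comment kept above `registry = self.get_var(registry_param, default=[])` in `ensure_list` still says a string "is placed into a list", but the new code no longer wraps it in `[...]`; it hands the string to `self.normalize(registry)`, which is defined outside this hunk, so the comment describes the removed behavior and the docstring "Return the task var as a list." only holds if `normalize` returns a list. Suggested wording: `# A string must not go through list() (that splits it into characters); normalize() handles the string form.` The method is also called for credentials-related and insecure/blocked registry vars now, so naming the parameter `var_name` rather than `registry_param` would match the generic docstring. `is_available_skopeo_image` continues past the end of this hunk.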
@@ -193,13 +211,18 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):              registries = [registry]          for registry in registries: +            if registry in self.registries["blocked"]: +                continue  # blocked will never be consulted              if registry not in self.reachable_registries:                  self.reachable_registries[registry] = self.connect_to_registry(registry)              if not self.reachable_registries[registry]: -                continue +                continue  # do not keep trying unreachable registries + +            args = dict(registry=registry, image=image) +            args["tls"] = "false" if registry in self.registries["insecure"] else "true" +            args["creds"] = self.skopeo_command_creds if registry == self.registries["oreg"] else "" -            args = {"_raw_params": self.skopeo_img_check_command.format(registry=registry, image=image)} -            result = self.execute_module_with_retries("command", args) +            result = self.execute_module_with_retries("command", {"_raw_params": self.skopeo_command.format(**args)})              if result.get("rc", 0) == 0 and not result.get("failed"):                  return True              if result.get("rc") == 124:  # RC 124 == timed out; mark unreachable diff --git a/roles/openshift_health_checker/openshift_checks/etcd_traffic.py b/roles/openshift_health_checker/openshift_checks/etcd_traffic.py index b4c8957e9..8b20ccb49 100644 --- a/roles/openshift_health_checker/openshift_checks/etcd_traffic.py +++ b/roles/openshift_health_checker/openshift_checks/etcd_traffic.py 
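Review bot: `registry` and `image` are interpolated into the `_raw_params` string for the `command` module unquoted, while `creds` built in `__init__` is passed through `quote()`; since `_raw_params` is split into arguments before execution, a registry or image value containing whitespace or shell metacharacters would change the argument list rather than being rejected. The values come from inventory variables (`openshift_docker_additional_registries`, `oreg_url`), so this is operator-controlled input rather than untrusted data, but quoting consistently costs one line: `args = dict(registry=quote(registry), image=quote(image))`. A comment above `args["tls"]` noting that an `insecure` match also sends the `--creds` value without certificate verification would help whoever reviews the resulting inventory. `is_available_skopeo_image` starts before this hunk.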
@@ -12,7 +12,7 @@ class EtcdTraffic(OpenShiftCheck):      def is_active(self):          """Skip hosts that do not have etcd in their group names."""          group_names = self.get_var("group_names", default=[]) -        valid_group_names = "etcd" in group_names +        valid_group_names = "oo_etcd_to_config" in group_names          version = self.get_major_minor_version(self.get_var("openshift_image_tag"))          valid_version = version in ((3, 4), (3, 5)) diff --git a/roles/openshift_health_checker/openshift_checks/etcd_volume.py b/roles/openshift_health_checker/openshift_checks/etcd_volume.py index 79955cb2f..3d75da6f9 100644 --- a/roles/openshift_health_checker/openshift_checks/etcd_volume.py +++ b/roles/openshift_health_checker/openshift_checks/etcd_volume.py @@ -15,7 +15,11 @@ class EtcdVolume(OpenShiftCheck):      etcd_mount_path = "/var/lib/etcd"      def is_active(self): -        etcd_hosts = self.get_var("groups", "etcd", default=[]) or self.get_var("groups", "masters", default=[]) or [] +        etcd_hosts = ( +            self.get_var("groups", "oo_etcd_to_config", default=[]) or +            self.get_var("groups", "oo_masters_to_config", default=[]) or +            [] +        )          is_etcd_host = self.get_var("ansible_host") in etcd_hosts          return super(EtcdVolume, self).is_active() and is_etcd_host diff --git a/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py b/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py index d783e6760..e93cc9028 100644 --- a/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py +++ b/roles/openshift_health_checker/openshift_checks/logging/fluentd_config.py 
@@ -46,7 +46,7 @@ class FluentdConfig(LoggingCheck):          # if check is running on a master, retrieve all running pods          # and check any pod's container for the env var "USE_JOURNAL"          group_names = self.get_var("group_names") -        if "masters" in group_names: +        if "oo_masters_to_config" in group_names:              use_journald = self.check_fluentd_env_var()          docker_info = self.execute_module("docker_info", {}) diff --git a/roles/openshift_health_checker/openshift_checks/memory_availability.py b/roles/openshift_health_checker/openshift_checks/memory_availability.py index 765ba072d..e7a8ec976 100644 --- a/roles/openshift_health_checker/openshift_checks/memory_availability.py +++ b/roles/openshift_health_checker/openshift_checks/memory_availability.py @@ -14,9 +14,9 @@ class MemoryAvailability(OpenShiftCheck):      # Values taken from the official installation documentation:      # https://docs.openshift.org/latest/install_config/install/prerequisites.html#system-requirements      recommended_memory_bytes = { -        "masters": 16 * GIB, -        "nodes": 8 * GIB, -        "etcd": 8 * GIB, +        "oo_masters_to_config": 16 * GIB, +        "oo_nodes_to_config": 8 * GIB, +        "oo_etcd_to_config": 8 * GIB,      }      # https://access.redhat.com/solutions/3006511 physical RAM is partly reserved from memtotal      memtotal_adjustment = 1 * GIB diff --git a/roles/openshift_health_checker/openshift_checks/mixins.py b/roles/openshift_health_checker/openshift_checks/mixins.py index b90ebf6dd..cfbdea303 100644 --- a/roles/openshift_health_checker/openshift_checks/mixins.py +++ b/roles/openshift_health_checker/openshift_checks/mixins.py 
@@ -21,9 +21,11 @@ class DockerHostMixin(object):      def is_active(self):          """Only run on hosts that depend on Docker.""" -        is_containerized = self.get_var("openshift", "common", "is_containerized") -        is_node = "nodes" in self.get_var("group_names", default=[]) -        return super(DockerHostMixin, self).is_active() and (is_containerized or is_node) +        group_names = set(self.get_var("group_names", default=[])) +        needs_docker = set(["oo_nodes_to_config"]) +        if self.get_var("openshift.common.is_containerized"): +            needs_docker.update(["oo_masters_to_config", "oo_etcd_to_config"]) +        return super(DockerHostMixin, self).is_active() and bool(group_names.intersection(needs_docker))      def ensure_dependencies(self):          """ diff --git a/roles/openshift_health_checker/openshift_checks/ovs_version.py b/roles/openshift_health_checker/openshift_checks/ovs_version.py index 363c12def..416805c4d 100644 --- a/roles/openshift_health_checker/openshift_checks/ovs_version.py +++ b/roles/openshift_health_checker/openshift_checks/ovs_version.py @@ -24,7 +24,7 @@ class OvsVersion(NotContainerizedMixin, OpenShiftCheck):      def is_active(self):          """Skip hosts that do not have package requirements."""          group_names = self.get_var("group_names", default=[]) -        master_or_node = 'masters' in group_names or 'nodes' in group_names +        master_or_node = 'oo_masters_to_config' in group_names or 'oo_nodes_to_config' in group_names          return super(OvsVersion, self).is_active() and master_or_node      def run(self): diff --git a/roles/openshift_health_checker/openshift_checks/package_availability.py b/roles/openshift_health_checker/openshift_checks/package_availability.py index 21355c2f0..090e438ff 100644 --- a/roles/openshift_health_checker/openshift_checks/package_availability.py +++ b/roles/openshift_health_checker/openshift_checks/package_availability.py 
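Review bot: `self.get_var("openshift.common.is_containerized")` in `DockerHostMixin.is_active` passes a single dotted key, whereas every other call in this diff, including the `required_images` hunk and the removed line directly above it, spells the path as separate arguments `self.get_var("openshift", "common", "is_containerized")`. Unless `get_var` splits on dots (its definition is not visible here), this lookup will miss and containerized masters and etcd hosts are never treated as needing Docker, which the docker_storage_test case `(True, ["oo_etcd_to_config"], True)` later in this diff would expose. Using the separate-argument form keeps the mixin consistent with the rest of the checks either way.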
@@ -20,9 +20,9 @@ class PackageAvailability(NotContainerizedMixin, OpenShiftCheck):          packages = set() -        if "masters" in group_names: +        if "oo_masters_to_config" in group_names:              packages.update(self.master_packages(rpm_prefix)) -        if "nodes" in group_names: +        if "oo_nodes_to_config" in group_names:              packages.update(self.node_packages(rpm_prefix))          args = {"packages": sorted(set(packages))} diff --git a/roles/openshift_health_checker/openshift_checks/package_version.py b/roles/openshift_health_checker/openshift_checks/package_version.py index d4aec3ed8..2f09b22fc 100644 --- a/roles/openshift_health_checker/openshift_checks/package_version.py +++ b/roles/openshift_health_checker/openshift_checks/package_version.py @@ -36,7 +36,7 @@ class PackageVersion(NotContainerizedMixin, OpenShiftCheck):      def is_active(self):          """Skip hosts that do not have package requirements."""          group_names = self.get_var("group_names", default=[]) -        master_or_node = 'masters' in group_names or 'nodes' in group_names +        master_or_node = 'oo_masters_to_config' in group_names or 'oo_nodes_to_config' in group_names          return super(PackageVersion, self).is_active() and master_or_node      def run(self): diff --git a/roles/openshift_health_checker/test/action_plugin_test.py b/roles/openshift_health_checker/test/action_plugin_test.py index f14887303..40ad27d5d 100644 --- a/roles/openshift_health_checker/test/action_plugin_test.py +++ b/roles/openshift_health_checker/test/action_plugin_test.py @@ -94,6 +94,7 @@ def skipped(result):      {},  ])  def test_action_plugin_missing_openshift_facts(plugin, task_vars, monkeypatch): +    monkeypatch.setattr(plugin, 'load_known_checks', lambda *_: {})      monkeypatch.setattr('openshift_health_check.resolve_checks', lambda *args: ['fake_check'])      result = plugin.run(tmp=None, task_vars=task_vars) 
diff --git a/roles/openshift_health_checker/test/disk_availability_test.py b/roles/openshift_health_checker/test/disk_availability_test.py index 9ae679b79..29a325a17 100644 --- a/roles/openshift_health_checker/test/disk_availability_test.py +++ b/roles/openshift_health_checker/test/disk_availability_test.py @@ -4,11 +4,11 @@ from openshift_checks.disk_availability import DiskAvailability, OpenShiftCheckE  @pytest.mark.parametrize('group_names,is_active', [ -    (['masters'], True), -    (['nodes'], True), -    (['etcd'], True), -    (['masters', 'nodes'], True), -    (['masters', 'etcd'], True), +    (['oo_masters_to_config'], True), +    (['oo_nodes_to_config'], True), +    (['oo_etcd_to_config'], True), +    (['oo_masters_to_config', 'oo_nodes_to_config'], True), +    (['oo_masters_to_config', 'oo_etcd_to_config'], True),      ([], False),      (['lb'], False),      (['nfs'], False), @@ -39,7 +39,7 @@ def test_is_active(group_names, is_active):  ])  def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):      task_vars = dict( -        group_names=['masters'], +        group_names=['oo_masters_to_config'],          ansible_mounts=ansible_mounts,      ) @@ -52,7 +52,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):  @pytest.mark.parametrize('group_names,configured_min,ansible_mounts', [      ( -        ['masters'], +        ['oo_masters_to_config'],          0,          [{              'mount': '/', @@ -60,7 +60,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):          }],      ),      ( -        ['nodes'], +        ['oo_nodes_to_config'],          0,          [{              'mount': '/', @@ -68,7 +68,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):          }],      ),      ( -        ['etcd'], +        ['oo_etcd_to_config'],          0,          [{              'mount': '/', 
@@ -76,7 +76,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):          }],      ),      ( -        ['etcd'], +        ['oo_etcd_to_config'],          1,  # configure lower threshold          [{              'mount': '/', @@ -84,7 +84,7 @@ def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):          }],      ),      ( -        ['etcd'], +        ['oo_etcd_to_config'],          0,          [{              # not enough space on / ... @@ -112,7 +112,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib  @pytest.mark.parametrize('name,group_names,configured_min,ansible_mounts,expect_chunks', [      (          'test with no space available', -        ['masters'], +        ['oo_masters_to_config'],          0,          [{              'mount': '/', @@ -122,7 +122,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib      ),      (          'test with a higher configured required value', -        ['masters'], +        ['oo_masters_to_config'],          100,  # set a higher threshold          [{              'mount': '/', @@ -132,7 +132,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib      ),      (          'test with 1GB available, but "0" GB space requirement', -        ['nodes'], +        ['oo_nodes_to_config'],          0,          [{              'mount': '/', @@ -142,7 +142,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib      ),      (          'test with no space available, but "0" GB space requirement', -        ['etcd'], +        ['oo_etcd_to_config'],          0,          [{              'mount': '/', 
@@ -152,7 +152,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib      ),      (          'test with enough space for a node, but not for a master', -        ['nodes', 'masters'], +        ['oo_nodes_to_config', 'oo_masters_to_config'],          0,          [{              'mount': '/', @@ -162,7 +162,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib      ),      (          'test failure with enough space on "/", but not enough on "/var"', -        ['etcd'], +        ['oo_etcd_to_config'],          0,          [{              # enough space on / ... @@ -194,7 +194,7 @@ def test_fails_with_insufficient_disk_space(name, group_names, configured_min, a  @pytest.mark.parametrize('name,group_names,context,ansible_mounts,failed,extra_words', [      (          'test without enough space for master under "upgrade" context', -        ['nodes', 'masters'], +        ['oo_nodes_to_config', 'oo_masters_to_config'],          "upgrade",          [{              'mount': '/', @@ -206,7 +206,7 @@ def test_fails_with_insufficient_disk_space(name, group_names, configured_min, a      ),      (          'test with enough space for master under "upgrade" context', -        ['nodes', 'masters'], +        ['oo_nodes_to_config', 'oo_masters_to_config'],          "upgrade",          [{              'mount': '/', @@ -218,7 +218,7 @@ def test_fails_with_insufficient_disk_space(name, group_names, configured_min, a      ),      (          'test with not enough space for master, and non-upgrade context', -        ['nodes', 'masters'], +        ['oo_nodes_to_config', 'oo_masters_to_config'],          "health",          [{              'mount': '/', diff --git a/roles/openshift_health_checker/test/docker_image_availability_test.py b/roles/openshift_health_checker/test/docker_image_availability_test.py index c523ffd5c..dec99e5db 100644 --- a/roles/openshift_health_checker/test/docker_image_availability_test.py 
+++ b/roles/openshift_health_checker/test/docker_image_availability_test.py @@ -16,19 +16,19 @@ def task_vars():          ),          openshift_deployment_type='origin',          openshift_image_tag='', -        group_names=['nodes', 'masters'], +        group_names=['oo_nodes_to_config', 'oo_masters_to_config'],      )  @pytest.mark.parametrize('deployment_type, is_containerized, group_names, expect_active', [ -    ("origin", True, [], True), -    ("openshift-enterprise", True, [], True),      ("invalid", True, [], False),      ("", True, [], False),      ("origin", False, [], False),      ("openshift-enterprise", False, [], False), -    ("origin", False, ["nodes", "masters"], True), -    ("openshift-enterprise", False, ["etcd"], False), +    ("origin", False, ["oo_nodes_to_config", "oo_masters_to_config"], True), +    ("openshift-enterprise", False, ["oo_etcd_to_config"], False), +    ("origin", True, ["nfs"], False), +    ("openshift-enterprise", True, ["lb"], False),  ])  def test_is_active(task_vars, deployment_type, is_containerized, group_names, expect_active):      task_vars['openshift_deployment_type'] = deployment_type 
@@ -98,40 +98,7 @@ def test_all_images_unavailable(task_vars):      actual = check.run()      assert actual['failed'] -    assert "required Docker images are not available" in actual['msg'] - - -def test_no_known_registries(): -    def execute_module(module_name=None, *_): -        if module_name == "command": -            return { -                'failed': True, -            } - -        return { -            'changed': False, -        } - -    def mock_known_docker_registries(): -        return [] - -    dia = DockerImageAvailability(execute_module, task_vars=dict( -        openshift=dict( -            common=dict( -                service_type='origin', -                is_containerized=False, -                is_atomic=False, -            ) -        ), -        openshift_docker_additional_registries=["docker.io"], -        openshift_deployment_type="openshift-enterprise", -        openshift_image_tag='latest', -        group_names=['nodes', 'masters'], -    )) -    dia.known_docker_registries = mock_known_docker_registries -    actual = dia.run() -    assert actual['failed'] -    assert "Unable to retrieve any docker registries." in actual['msg'] +    assert "required container images are not available" in actual['msg']  @pytest.mark.parametrize("message,extra_words", [ @@ -172,13 +139,13 @@ def test_skopeo_update_failure(task_vars, message, extra_words):              "spam/eggs:v1", ["test.reg"],              True, True,              False, -            {"test.reg": False}, +            {"test.reg": False, "docker.io": False},          ),          (              "spam/eggs:v1", ["test.reg"],              False, True,              False, -            {"test.reg": True}, +            {"test.reg": True, "docker.io": True},          ),          (              "eggs.reg/spam/eggs:v1", ["test.reg"], 
@@ -195,17 +162,19 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo          elif module_name == "command":              return dict(msg="msg", failed=skopeo_failed) -    check = DockerImageAvailability(execute_module, task_vars()) +    tv = task_vars() +    tv.update({"openshift_docker_additional_registries": registries}) +    check = DockerImageAvailability(execute_module, tv)      check._module_retry_interval = 0 -    available = check.is_available_skopeo_image(image, registries) +    available = check.is_available_skopeo_image(image)      assert available == expect_success      assert expect_registries_reached == check.reachable_registries  @pytest.mark.parametrize("deployment_type, is_containerized, groups, oreg_url, expected", [      (  # standard set of stuff required on nodes -        "origin", False, ['nodes'], None, +        "origin", False, ['oo_nodes_to_config'], "",          set([              'openshift/origin-pod:vtest',              'openshift/origin-deployer:vtest', @@ -215,7 +184,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo          ])      ),      (  # set a different URL for images -        "origin", False, ['nodes'], 'foo.io/openshift/origin-${component}:${version}', +        "origin", False, ['oo_nodes_to_config'], 'foo.io/openshift/origin-${component}:${version}',          set([              'foo.io/openshift/origin-pod:vtest',              'foo.io/openshift/origin-deployer:vtest', @@ -225,7 +194,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo          ])      ),      ( -        "origin", True, ['nodes', 'masters', 'etcd'], None, +        "origin", True, ['oo_nodes_to_config', 'oo_masters_to_config', 'oo_etcd_to_config'], "",          set([              # images running on top of openshift              'openshift/origin-pod:vtest', 
@@ -241,7 +210,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo          ])      ),      (  # enterprise images -        "openshift-enterprise", True, ['nodes'], 'foo.io/openshift3/ose-${component}:f13ac45', +        "openshift-enterprise", True, ['oo_nodes_to_config'], 'foo.io/openshift3/ose-${component}:f13ac45',          set([              'foo.io/openshift3/ose-pod:f13ac45',              'foo.io/openshift3/ose-deployer:f13ac45', @@ -255,7 +224,7 @@ def test_registry_availability(image, registries, connection_test_failed, skopeo          ])      ),      ( -        "openshift-enterprise", True, ['etcd', 'lb'], 'foo.io/openshift3/ose-${component}:f13ac45', +        "openshift-enterprise", True, ['oo_etcd_to_config', 'lb'], 'foo.io/openshift3/ose-${component}:f13ac45',          set([              'registry.access.redhat.com/rhel7/etcd',              # lb does not yet come in a containerized version @@ -288,7 +257,7 @@ def test_containerized_etcd():              ),          ),          openshift_deployment_type="origin", -        group_names=['etcd'], +        group_names=['oo_etcd_to_config'],      )      expected = set(['registry.access.redhat.com/rhel7/etcd'])      assert expected == DockerImageAvailability(task_vars=task_vars).required_images() diff --git a/roles/openshift_health_checker/test/docker_storage_test.py b/roles/openshift_health_checker/test/docker_storage_test.py index e0dccc062..8fa68c378 100644 --- a/roles/openshift_health_checker/test/docker_storage_test.py +++ b/roles/openshift_health_checker/test/docker_storage_test.py 
@@ -5,9 +5,9 @@ from openshift_checks.docker_storage import DockerStorage  @pytest.mark.parametrize('is_containerized, group_names, is_active', [ -    (False, ["masters", "etcd"], False), -    (False, ["masters", "nodes"], True), -    (True, ["etcd"], True), +    (False, ["oo_masters_to_config", "oo_etcd_to_config"], False), +    (False, ["oo_masters_to_config", "oo_nodes_to_config"], True), +    (True, ["oo_etcd_to_config"], True),  ])  def test_is_active(is_containerized, group_names, is_active):      task_vars = dict( diff --git a/roles/openshift_health_checker/test/etcd_traffic_test.py b/roles/openshift_health_checker/test/etcd_traffic_test.py index fae3e578d..dd6f4ad81 100644 --- a/roles/openshift_health_checker/test/etcd_traffic_test.py +++ b/roles/openshift_health_checker/test/etcd_traffic_test.py @@ -4,14 +4,14 @@ from openshift_checks.etcd_traffic import EtcdTraffic  @pytest.mark.parametrize('group_names,version,is_active', [ -    (['masters'], "3.5", False), -    (['masters'], "3.6", False), -    (['nodes'], "3.4", False), -    (['etcd'], "3.4", True), -    (['etcd'], "1.5", True), -    (['etcd'], "3.1", False), -    (['masters', 'nodes'], "3.5", False), -    (['masters', 'etcd'], "3.5", True), +    (['oo_masters_to_config'], "3.5", False), +    (['oo_masters_to_config'], "3.6", False), +    (['oo_nodes_to_config'], "3.4", False), +    (['oo_etcd_to_config'], "3.4", True), +    (['oo_etcd_to_config'], "1.5", True), +    (['oo_etcd_to_config'], "3.1", False), +    (['oo_masters_to_config', 'oo_nodes_to_config'], "3.5", False), +    (['oo_masters_to_config', 'oo_etcd_to_config'], "3.5", True),      ([], "3.4", False),  ])  def test_is_active(group_names, version, is_active): 
@@ -23,9 +23,9 @@ def test_is_active(group_names, version, is_active):  @pytest.mark.parametrize('group_names,matched,failed,extra_words', [ -    (["masters"], True, True, ["Higher than normal", "traffic"]), -    (["masters", "etcd"], False, False, []), -    (["etcd"], False, False, []), +    (["oo_masters_to_config"], True, True, ["Higher than normal", "traffic"]), +    (["oo_masters_to_config", "oo_etcd_to_config"], False, False, []), +    (["oo_etcd_to_config"], False, False, []),  ])  def test_log_matches_high_traffic_msg(group_names, matched, failed, extra_words):      def execute_module(module_name, *_): diff --git a/roles/openshift_health_checker/test/fluentd_config_test.py b/roles/openshift_health_checker/test/fluentd_config_test.py index 10db253bc..b5b4858d6 100644 --- a/roles/openshift_health_checker/test/fluentd_config_test.py +++ b/roles/openshift_health_checker/test/fluentd_config_test.py @@ -82,7 +82,7 @@ def test_check_logging_config_non_master(name, use_journald, logging_driver, ext          return {}      task_vars = dict( -        group_names=["nodes", "etcd"], +        group_names=["oo_nodes_to_config", "oo_etcd_to_config"],          openshift_logging_fluentd_use_journal=use_journald,          openshift=dict(              common=dict(config_base=""), @@ -128,7 +128,7 @@ def test_check_logging_config_non_master_failed(name, use_journald, logging_driv          return {}      task_vars = dict( -        group_names=["nodes", "etcd"], +        group_names=["oo_nodes_to_config", "oo_etcd_to_config"],          openshift_logging_fluentd_use_journal=use_journald,          openshift=dict(              common=dict(config_base=""), @@ -192,7 +192,7 @@ def test_check_logging_config_master(name, pods, logging_driver, extra_words):          return {}      task_vars = dict( -        group_names=["masters"], +        group_names=["oo_masters_to_config"],          openshift=dict(              common=dict(config_base=""),          ), 
@@ -274,7 +274,7 @@ def test_check_logging_config_master_failed(name, pods, logging_driver, words):          return {}      task_vars = dict( -        group_names=["masters"], +        group_names=["oo_masters_to_config"],          openshift=dict(              common=dict(config_base=""),          ), @@ -331,7 +331,7 @@ def test_check_logging_config_master_fails_on_unscheduled_deployment(name, pods,          return {}      task_vars = dict( -        group_names=["masters"], +        group_names=["oo_masters_to_config"],          openshift=dict(              common=dict(config_base=""),          ), diff --git a/roles/openshift_health_checker/test/memory_availability_test.py b/roles/openshift_health_checker/test/memory_availability_test.py index aee2f0416..5ec83dd79 100644 --- a/roles/openshift_health_checker/test/memory_availability_test.py +++ b/roles/openshift_health_checker/test/memory_availability_test.py @@ -4,11 +4,11 @@ from openshift_checks.memory_availability import MemoryAvailability  @pytest.mark.parametrize('group_names,is_active', [ -    (['masters'], True), -    (['nodes'], True), -    (['etcd'], True), -    (['masters', 'nodes'], True), -    (['masters', 'etcd'], True), +    (['oo_masters_to_config'], True), +    (['oo_nodes_to_config'], True), +    (['oo_etcd_to_config'], True), +    (['oo_masters_to_config', 'oo_nodes_to_config'], True), +    (['oo_masters_to_config', 'oo_etcd_to_config'], True),      ([], False),      (['lb'], False),      (['nfs'], False), 
@@ -22,32 +22,32 @@ def test_is_active(group_names, is_active):  @pytest.mark.parametrize('group_names,configured_min,ansible_memtotal_mb', [      ( -        ['masters'], +        ['oo_masters_to_config'],          0,          17200,      ),      ( -        ['nodes'], +        ['oo_nodes_to_config'],          0,          8200,      ),      ( -        ['nodes'], +        ['oo_nodes_to_config'],          1,  # configure lower threshold          2000,  # too low for recommended but not for configured      ),      ( -        ['nodes'], +        ['oo_nodes_to_config'],          2,  # configure threshold where adjustment pushes it over          1900,      ),      ( -        ['etcd'], +        ['oo_etcd_to_config'],          0,          8200,      ),      ( -        ['masters', 'nodes'], +        ['oo_masters_to_config', 'oo_nodes_to_config'],          0,          17000,      ), 
@@ -66,43 +66,43 @@ def test_succeeds_with_recommended_memory(group_names, configured_min, ansible_m  @pytest.mark.parametrize('group_names,configured_min,ansible_memtotal_mb,extra_words', [      ( -        ['masters'], +        ['oo_masters_to_config'],          0,          0,          ['0.0 GiB'],      ),      ( -        ['nodes'], +        ['oo_nodes_to_config'],          0,          100,          ['0.1 GiB'],      ),      ( -        ['nodes'], +        ['oo_nodes_to_config'],          24,  # configure higher threshold          20 * 1024,  # enough to meet recommended but not configured          ['20.0 GiB'],      ),      ( -        ['nodes'], +        ['oo_nodes_to_config'],          24,  # configure higher threshold          22 * 1024,  # not enough for adjustment to push over threshold          ['22.0 GiB'],      ),      ( -        ['etcd'], +        ['oo_etcd_to_config'],          0,          6 * 1024,          ['6.0 GiB'],      ),      ( -        ['etcd', 'masters'], +        ['oo_etcd_to_config', 'oo_masters_to_config'],          0,          9 * 1024,  # enough memory for etcd, not enough for a master          ['9.0 GiB'],      ),      ( -        ['nodes', 'masters'], +        ['oo_nodes_to_config', 'oo_masters_to_config'],          0,          # enough memory for a node, not enough for a master          11 * 1024, diff --git a/roles/openshift_health_checker/test/ovs_version_test.py b/roles/openshift_health_checker/test/ovs_version_test.py index 602f32989..5a82a43bf 100644 --- a/roles/openshift_health_checker/test/ovs_version_test.py +++ b/roles/openshift_health_checker/test/ovs_version_test.py 
@@ -67,14 +67,14 @@ def test_ovs_package_version(openshift_release, expected_ovs_version):  @pytest.mark.parametrize('group_names,is_containerized,is_active', [ -    (['masters'], False, True), +    (['oo_masters_to_config'], False, True),      # ensure check is skipped on containerized installs -    (['masters'], True, False), -    (['nodes'], False, True), -    (['masters', 'nodes'], False, True), -    (['masters', 'etcd'], False, True), +    (['oo_masters_to_config'], True, False), +    (['oo_nodes_to_config'], False, True), +    (['oo_masters_to_config', 'oo_nodes_to_config'], False, True), +    (['oo_masters_to_config', 'oo_etcd_to_config'], False, True),      ([], False, False), -    (['etcd'], False, False), +    (['oo_etcd_to_config'], False, False),      (['lb'], False, False),      (['nfs'], False, False),  ]) diff --git a/roles/openshift_health_checker/test/package_availability_test.py b/roles/openshift_health_checker/test/package_availability_test.py index b34e8fbfc..9815acb38 100644 --- a/roles/openshift_health_checker/test/package_availability_test.py +++ b/roles/openshift_health_checker/test/package_availability_test.py @@ -26,7 +26,7 @@ def test_is_active(pkg_mgr, is_containerized, is_active):      (          dict(              openshift=dict(common=dict(service_type='origin')), -            group_names=['masters'], +            group_names=['oo_masters_to_config'],          ),          set(['origin-master']),          set(['origin-node']), @@ -34,7 +34,7 @@ def test_is_active(pkg_mgr, is_containerized, is_active):      (          dict(              openshift=dict(common=dict(service_type='atomic-openshift')), -            group_names=['nodes'], +            group_names=['oo_nodes_to_config'],          ),          set(['atomic-openshift-node']),          set(['atomic-openshift-master']), 
@@ -42,7 +42,7 @@ def test_is_active(pkg_mgr, is_containerized, is_active):      (          dict(              openshift=dict(common=dict(service_type='atomic-openshift')), -            group_names=['masters', 'nodes'], +            group_names=['oo_masters_to_config', 'oo_nodes_to_config'],          ),          set(['atomic-openshift-master', 'atomic-openshift-node']),          set(), diff --git a/roles/openshift_health_checker/test/package_version_test.py b/roles/openshift_health_checker/test/package_version_test.py index 8564cd4db..3cf4ce033 100644 --- a/roles/openshift_health_checker/test/package_version_test.py +++ b/roles/openshift_health_checker/test/package_version_test.py @@ -97,14 +97,14 @@ def test_docker_package_version(deployment_type, openshift_release, expected_doc  @pytest.mark.parametrize('group_names,is_containerized,is_active', [ -    (['masters'], False, True), +    (['oo_masters_to_config'], False, True),      # ensure check is skipped on containerized installs -    (['masters'], True, False), -    (['nodes'], False, True), -    (['masters', 'nodes'], False, True), -    (['masters', 'etcd'], False, True), +    (['oo_masters_to_config'], True, False), +    (['oo_nodes_to_config'], False, True), +    (['oo_masters_to_config', 'oo_nodes_to_config'], False, True), +    (['oo_masters_to_config', 'oo_etcd_to_config'], False, True),      ([], False, False), -    (['etcd'], False, False), +    (['oo_etcd_to_config'], False, False),      (['lb'], False, False),      (['nfs'], False, False),  ]) diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2 index eae8b328e..222b63b8a 100644 --- a/roles/openshift_hosted/templates/registry_config.j2 +++ b/roles/openshift_hosted/templates/registry_config.j2 
@@ -53,7 +53,7 @@ storage:  {%   if openshift_hosted_registry_storage_swift_domain is defined %}      domain: {{ openshift_hosted_registry_storage_swift_domain }}  {%   endif -%} -{%   if openshift_hosted_registry_storage_swift_domainid %} +{%   if openshift_hosted_registry_storage_swift_domainid is defined %}      domainid: {{ openshift_hosted_registry_storage_swift_domainid }}  {%   endif -%}  {% elif openshift_hosted_registry_storage_provider | default('') == 'gcs' %} @@ -63,7 +63,7 @@ storage:      keyfile: /etc/registry/gcs.json  {%   endif -%}  {%   if openshift_hosted_registry_storage_gcs_rootdirectory is defined %} -    rootdirectory: {{ openshift_hosted_registry_storage_gcs_rootdirectory }} +    rootdirectory: {{ openshift_hosted_registry_storage_gcs_rootdirectory | default('/registry') }}  {%   endif -%}  {% endif -%}  auth: diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index 0f1f659c6..6e7e2557f 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -94,7 +94,7 @@ openshift_logging_es_pvc_dynamic: "{{ openshift_logging_elasticsearch_pvc_dynami  openshift_logging_es_pvc_size: "{{ openshift_logging_elasticsearch_pvc_size | default('') }}"  openshift_logging_es_pvc_prefix: "{{ openshift_logging_elasticsearch_pvc_prefix | default('logging-es') }}"  openshift_logging_es_recover_after_time: 5m -openshift_logging_es_storage_group: "{{ openshift_logging_elasticsearch_storage_group | default('65534') }}" +openshift_logging_es_storage_group: "65534"  openshift_logging_es_nodeselector: {}  # openshift_logging_es_config is a hash to be merged into the defaults for the elasticsearch.yaml  openshift_logging_es_config: {} 
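Review bot: Replacing `openshift_logging_es_storage_group: "{{ openshift_logging_elasticsearch_storage_group | default('65534') }}"` with the literal `"65534"` silently discards an inventory that still sets `openshift_logging_elasticsearch_storage_group`, since that name now belongs to the elasticsearch role (and takes a list there), so such a cluster quietly reverts to gid 65534 on the next run instead of failing. If the old inventory name is being retired, add a comment above the new line naming the replacement variable, e.g. `# Set openshift_logging_es_storage_group (scalar) in inventory; openshift_logging_elasticsearch_storage_group is now role-internal`, and consider a `debug`/`fail` task that warns when the old name is defined. The same applies to the `_ops` line changed in the following hunk.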
@@ -133,7 +133,7 @@ openshift_logging_es_ops_pvc_dynamic: "{{ openshift_logging_elasticsearch_ops_pv  openshift_logging_es_ops_pvc_size: "{{ openshift_logging_elasticsearch_ops_pvc_size | default('') }}"  openshift_logging_es_ops_pvc_prefix: "{{ openshift_logging_elasticsearch_ops_pvc_prefix | default('logging-es-ops') }}"  openshift_logging_es_ops_recover_after_time: 5m -openshift_logging_es_ops_storage_group: "{{ openshift_logging_elasticsearch_storage_group | default('65534') }}" +openshift_logging_es_ops_storage_group: "65534"  openshift_logging_es_ops_nodeselector: {}  # for exposing es-ops to external (outside of the cluster) clients diff --git a/roles/openshift_logging/filter_plugins/openshift_logging.py b/roles/openshift_logging/filter_plugins/openshift_logging.py index eac086e81..330e7e59a 100644 --- a/roles/openshift_logging/filter_plugins/openshift_logging.py +++ b/roles/openshift_logging/filter_plugins/openshift_logging.py @@ -45,6 +45,21 @@ def map_from_pairs(source, delim="="):      return dict(item.split(delim) for item in source.split(",")) +def serviceaccount_name(qualified_sa): +    ''' Returns the simple name from a fully qualified name ''' +    return qualified_sa.split(":")[-1] + + +def serviceaccount_namespace(qualified_sa, default=None): +    ''' Returns the namespace from a fully qualified name ''' +    seg = qualified_sa.split(":") +    if len(seg) > 1: +        return seg[-2] +    if default: +        return default +    return seg[-1] + +  # pylint: disable=too-few-public-methods  class FilterModule(object):      ''' OpenShift Logging Filters ''' 
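Review bot: `serviceaccount_namespace` returns the service-account *name* as its namespace when given an unqualified name and no default (`return seg[-1]`), and `if default:` also drops an explicitly passed empty-string default, so a caller that omits the default gets a wrong but plausible-looking namespace rather than an error. Returning the default unconditionally is simpler and honest: replace the tail with `if len(seg) > 1: return seg[-2]` followed by `return default`. The docstrings should also state the expected input form (`system:serviceaccount:<ns>:<name>` or a bare name) since the `[-2]`/`[-1]` indexing only works for that shape.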
@@ -56,5 +71,7 @@ class FilterModule(object):              'random_word': random_word,              'entry_from_named_pair': entry_from_named_pair,              'map_from_pairs': map_from_pairs, -            'es_storage': es_storage +            'es_storage': es_storage, +            'serviceaccount_name': serviceaccount_name, +            'serviceaccount_namespace': serviceaccount_namespace          } diff --git a/roles/openshift_logging/library/openshift_logging_facts.py b/roles/openshift_logging/library/openshift_logging_facts.py index 35accfb78..f10df8da5 100644 --- a/roles/openshift_logging/library/openshift_logging_facts.py +++ b/roles/openshift_logging/library/openshift_logging_facts.py 
@@ -171,22 +171,25 @@ class OpenshiftLoggingFacts(OCBaseCommand):              if comp is not None:                  spec = dc_item["spec"]["template"]["spec"]                  facts = dict( +                    name=name,                      selector=dc_item["spec"]["selector"],                      replicas=dc_item["spec"]["replicas"],                      serviceAccount=spec["serviceAccount"],                      containers=dict(),                      volumes=dict()                  ) +                if "nodeSelector" in spec: +                    facts["nodeSelector"] = spec["nodeSelector"] +                if "supplementalGroups" in spec["securityContext"]: +                    facts["storageGroups"] = spec["securityContext"]["supplementalGroups"] +                facts["spec"] = spec                  if "volumes" in spec:                      for vol in spec["volumes"]:                          clone = copy.deepcopy(vol)                          clone.pop("name", None)                          facts["volumes"][vol["name"]] = clone                  for container in spec["containers"]: -                    facts["containers"][container["name"]] = dict( -                        image=container["image"], -                        resources=container["resources"], -                    ) +                    facts["containers"][container["name"]] = container                  self.add_facts_for(comp, "deploymentconfigs", name, facts)      def facts_for_services(self, namespace): diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml index 3040d15ca..ffed956a4 100644 --- a/roles/openshift_logging/tasks/delete_logging.yaml +++ b/roles/openshift_logging/tasks/delete_logging.yaml @@ -92,6 +92,7 @@    with_items:      - rolebinding-reader      - daemonset-admin +    - prometheus-metrics-viewer  # delete our configmaps  - name: delete configmaps 
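Review bot: `if "supplementalGroups" in spec["securityContext"]` raises `KeyError` for any ES DeploymentConfig whose pod spec has no `securityContext` at all (the `nodeSelector` check just above guards with `in spec`, this one does not), which would abort fact gathering for the whole logging install. Use `if "supplementalGroups" in spec.get("securityContext", {}):`. Separately, `facts["spec"] = spec` and `facts["containers"][...] = container` now copy the full container definitions (including `env` values) into Ansible facts, where they end up in verbose output and any fact cache; none of the ES env values visible in this diff are secrets, but if that ever changes the old image/resources whitelist was the safer shape, so note the trade-off in a comment.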
diff --git a/roles/openshift_logging/tasks/generate_certs.yaml b/roles/openshift_logging/tasks/generate_certs.yaml index 9c8f0986a..f526fd734 100644 --- a/roles/openshift_logging/tasks/generate_certs.yaml +++ b/roles/openshift_logging/tasks/generate_certs.yaml @@ -139,10 +139,10 @@  # TODO: make idempotent  - name: Generate proxy session -  set_fact: session_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(200)}} +  set_fact: session_secret={{ 200 | oo_random_word}}    check_mode: no  # TODO: make idempotent  - name: Generate oauth client secret -  set_fact: oauth_secret={{'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'|random_word(64)}} +  set_fact: oauth_secret={{ 64 | oo_random_word}}    check_mode: no diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index a3e653cb8..21fd79c28 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml 
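Review bot: Neither `set_fact` task is marked `no_log`, so `session_secret` and `oauth_secret` are printed by a `-v` run and persisted wherever the play's facts are cached; add `no_log: true` to both tasks. The change also drops the explicit 62-character alphabet that `random_word` was given, so the character set and entropy of both secrets now depend entirely on `oo_random_word`'s defaults, which are not part of this diff; confirm that filter draws from a CSPRNG (`SystemRandom`/`os.urandom`) and a comparable alphabet, since these values become the proxy session secret and the OAuth client secret.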
@@ -69,15 +69,18 @@    vars:      generated_certs_dir: "{{openshift.common.config_base}}/logging"      openshift_logging_elasticsearch_namespace: "{{ openshift_logging_namespace }}" -    openshift_logging_elasticsearch_deployment_name: "{{ item.0 }}" +    openshift_logging_elasticsearch_deployment_name: "{{ item.0.name }}"      openshift_logging_elasticsearch_pvc_name: "{{ openshift_logging_es_pvc_prefix ~ '-' ~ item.2 if item.1 is none else item.1 }}"      openshift_logging_elasticsearch_replica_count: "{{ openshift_logging_es_cluster_size | int }}"      openshift_logging_elasticsearch_storage_type: "{{ elasticsearch_storage_type }}"      openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_pv_selector }}" +    openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_nodeselector if item.0.nodeSelector | default(None) is none else item.0.nodeSelector }}" +    openshift_logging_elasticsearch_storage_group: "{{ [openshift_logging_es_storage_group] if item.0.storageGroups | default([]) | length == 0 else item.0.storageGroups }}" +    _es_containers: "{{item.0.containers}}"    with_together: -  - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs }}" +  - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() }}"    - "{{ openshift_logging_facts.elasticsearch.pvcs }}"    - "{{ es_indices }}"    when: @@ -119,7 +122,7 @@    vars:      generated_certs_dir: "{{openshift.common.config_base}}/logging"      openshift_logging_elasticsearch_namespace: "{{ openshift_logging_namespace }}" -    openshift_logging_elasticsearch_deployment_name: "{{ item.0 }}" +    openshift_logging_elasticsearch_deployment_name: "{{ item.0.name }}"      openshift_logging_elasticsearch_pvc_name: "{{ openshift_logging_es_ops_pvc_prefix ~ '-' ~ item.2 if item.1 is none else item.1 }}"      openshift_logging_elasticsearch_ops_deployment: true      openshift_logging_elasticsearch_replica_count: "{{ openshift_logging_es_ops_cluster_size | int }}" 
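Review bot: The new `openshift_logging_elasticsearch_nodeselector` and `openshift_logging_elasticsearch_storage_group` expressions prefer whatever is already on the live DC (`item.0.nodeSelector`, `item.0.storageGroups`) over the inventory values `openshift_logging_es_nodeselector`/`openshift_logging_es_storage_group`, so editing those inventory settings has no effect on an already-deployed cluster. Presumably this is intended to preserve manual edits, but nothing says so; add a comment above the `vars:` block such as `# Values found on an existing ES DC win over inventory so manual edits survive re-runs; delete the DC to re-apply inventory settings`, and repeat it in defaults/main.yml next to the two variables.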
@@ -130,16 +133,18 @@      openshift_logging_elasticsearch_pvc_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}"      openshift_logging_elasticsearch_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}"      openshift_logging_elasticsearch_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}" -    openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_ops_nodeselector }}" +    openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_ops_nodeselector if item.0.nodeSelector | default(None) is none else item.0.nodeSelector }}" +    openshift_logging_elasticsearch_storage_group: "{{ [openshift_logging_es_ops_storage_group] if item.0.storageGroups | default([]) | length == 0 else item.0.storageGroups }}"      openshift_logging_es_key: "{{ openshift_logging_es_ops_key }}"      openshift_logging_es_cert: "{{ openshift_logging_es_ops_cert }}"      openshift_logging_es_ca_ext: "{{ openshift_logging_es_ops_ca_ext }}"      openshift_logging_es_hostname: "{{ openshift_logging_es_ops_hostname }}"      openshift_logging_es_edge_term_policy: "{{ openshift_logging_es_ops_edge_term_policy | default('') }}"      openshift_logging_es_allow_external: "{{ openshift_logging_es_ops_allow_external }}" +    _es_containers: "{{item.0.containers}}"    with_together: -  - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs }}" +  - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.values() }}"    - "{{ openshift_logging_facts.elasticsearch_ops.pvcs }}"    - "{{ es_ops_indices }}"    when: diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml index 75bd479be..554aa5bb2 100644 --- a/roles/openshift_logging_elasticsearch/defaults/main.yml +++ b/roles/openshift_logging_elasticsearch/defaults/main.yml 
@@ -6,7 +6,7 @@ openshift_logging_elasticsearch_image_pull_secret: "{{ openshift_hosted_logging_  openshift_logging_elasticsearch_namespace: logging  openshift_logging_elasticsearch_nodeselector: "{{ openshift_logging_es_nodeselector | default('') }}" -openshift_logging_elasticsearch_cpu_limit: 1000m +openshift_logging_elasticsearch_cpu_limit: "{{ openshift_logging_es_cpu_limit | default('1000m') }}"  openshift_logging_elasticsearch_memory_limit: "{{ openshift_logging_es_memory_limit | default('1Gi') }}"  openshift_logging_elasticsearch_recover_after_time: "{{ openshift_logging_es_recover_after_time | default('5m') }}" @@ -33,13 +33,19 @@ openshift_logging_elasticsearch_pvc_size: ""  openshift_logging_elasticsearch_pvc_dynamic: false  openshift_logging_elasticsearch_pvc_pv_selector: {}  openshift_logging_elasticsearch_pvc_access_modes: ['ReadWriteOnce'] -openshift_logging_elasticsearch_storage_group: '65534' +openshift_logging_elasticsearch_storage_group: ['65534']  openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}"  # config the es plugin to write kibana index based on the index mode  openshift_logging_elasticsearch_kibana_index_mode: 'unique' +openshift_logging_elasticsearch_proxy_image_prefix: "openshift/oauth-proxy" +openshift_logging_elasticsearch_proxy_image_version: "v1.0.0" +openshift_logging_elasticsearch_proxy_cpu_limit: "100m" +openshift_logging_elasticsearch_proxy_memory_limit: "64Mi" +openshift_logging_elasticsearch_prometheus_sa: "system:serviceaccount:{{openshift_prometheus_namespace | default('prometheus')}}:prometheus" +  # this is used to determine if this is an operations deployment or a non-ops deployment  # simply used for naming purposes  openshift_logging_elasticsearch_ops_deployment: false diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index 1e800b1d6..df2c17aa0 100644 
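Review bot: `openshift_logging_elasticsearch_proxy_image_prefix: "openshift/oauth-proxy"` is an unqualified reference, so the proxy sidecar is pulled from Docker Hub by default, unlike the ES image which is built from `{{image}}` (its prefix variable is outside this hunk); on a disconnected or enterprise install that either fails or fetches an unreviewed image from a public registry. Derive it from the same registry/prefix variable the other logging images use with an explicit override, e.g. `openshift_logging_elasticsearch_proxy_image_prefix: "{{ openshift_logging_image_prefix | default('openshift/') }}oauth-proxy"` if that is the variable in use, and document the override in the role README. Pinning `v1.0.0` by tag alone is also weak given es.j2 in this change sets `imagePullPolicy: Always`.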
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml @@ -37,6 +37,7 @@  # we want to make sure we have all the necessary components here  # service account +  - name: Create ES service account    oc_serviceaccount:      state: present @@ -77,6 +78,38 @@      resource_name: rolebinding-reader      user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch" +- oc_adm_policy_user: +    state: present +    namespace: "{{ openshift_logging_elasticsearch_namespace }}" +    resource_kind: cluster-role +    resource_name: system:auth-delegator +    user: "system:serviceaccount:{{ openshift_logging_elasticsearch_namespace}}:aggregated-logging-elasticsearch" + +# logging-metrics-reader role +- template: +    src: logging-metrics-role.j2 +    dest: "{{mktemp.stdout}}/templates/logging-metrics-role.yml" +  vars: +    namespace: "{{ openshift_logging_elasticsearch_namespace }}" +    role_namespace: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_namespace(openshift_logging_elasticsearch_namespace) }}" +    role_user: "{{ openshift_logging_elasticsearch_prometheus_sa | serviceaccount_name }}" + +- name: Create logging-metrics-reader-role +  command: > +    {{ openshift.common.client_binary }} +    --config={{ openshift.common.config_base }}/master/admin.kubeconfig +    -n "{{ openshift_logging_elasticsearch_namespace }}" +    create -f "{{mktemp.stdout}}/templates/logging-metrics-role.yml" +  register: prometheus_out +  check_mode: no +  ignore_errors: yes + +- fail: +    msg: "There was an error creating the logging-metrics-role and binding: {{prometheus_out}}" +  when: +  - "prometheus_out.stderr | length > 0" +  - "'already exists' not in prometheus_out.stderr" +  # View role and binding  - name: Generate logging-elasticsearch-view-role    template: 
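Review bot: `oc create -f` plus tolerating `'already exists'` means the `prometheus-metrics-viewer` Role/RoleBinding is only ever created, never updated, so a later change to `openshift_logging_elasticsearch_prometheus_sa` leaves the old subject bound and the new one unauthorised, with no error. Use `oc_obj` with `state: present` (or `oc apply -f`) so the binding converges, and make the failure gate use the exit status rather than stderr length, e.g. `when: prometheus_out.rc != 0 and 'already exists' not in prometheus_out.stderr`, since a failed command with empty stderr currently passes. The new `system:auth-delegator` grant is cluster-scoped; a one-line comment saying why it is needed (presumably the sidecar's `-openshift-delegate-urls` SubjectAccessReview/TokenReview calls) would help the next reviewer of this SA's privileges.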
@@ -206,6 +239,32 @@      - port: 9200        targetPort: "restapi" +- name: Set logging-{{ es_component}}-prometheus service +  oc_service: +    state: present +    name: "logging-{{es_component}}-prometheus" +    namespace: "{{ openshift_logging_elasticsearch_namespace }}" +    labels: +      logging-infra: 'support' +    ports: +    - name: proxy +      port: 443 +      targetPort: 4443 +    selector: +      component: "{{ es_component }}-prometheus" +      provider: openshift + +- oc_edit: +    kind: service +    name: "logging-{{es_component}}-prometheus" +    namespace: "{{ openshift_logging_elasticsearch_namespace }}" +    separator: '#' +    content: +      metadata#annotations#service.alpha.openshift.io/serving-cert-secret-name: "prometheus-tls" +      metadata#annotations#prometheus.io/scrape: "true" +      metadata#annotations#prometheus.io/scheme: "https" +      metadata#annotations#prometheus.io/path: "_prometheus/metrics" +  - name: Check to see if PVC already exists    oc_obj:      state: list @@ -260,7 +319,7 @@        delete_after: true  - set_fact: -    es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 'abcdefghijklmnopqrstuvwxyz0123456789' | random_word(8) }}" +    es_deploy_name: "logging-{{ es_component }}-{{ openshift_logging_elasticsearch_deployment_type }}-{{ 8 | oo_random_word('abcdefghijklmnopqrstuvwxyz0123456789') }}"    when: openshift_logging_elasticsearch_deployment_name == ""  - set_fact: 
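Review bot: The `logging-{{es_component}}-prometheus` service selects `component: "{{ es_component }}-prometheus"`, but the proxy is a sidecar in the ES pod itself (es.j2 in this change), whose discovery label is `component={{component}}` per the `POD_LABEL` env; a pod carries one value for that key, so unless the pod template (outside this diff) does something unusual the service has no endpoints and nothing is ever scraped — confirm, or select `component: "{{ es_component }}"`. Separately, the serving-cert annotation hard-codes `prometheus-tls` as the secret name while the service name varies by component, and install_logging.yaml deploys both es and es-ops into the same `openshift_logging_namespace`; two services claiming one secret means the certificate is issued for only one service DNS name. Use `logging-{{ es_component }}-prometheus-tls` here and in the es.j2 `proxy-tls` volume.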
@@ -281,6 +340,8 @@      es_cpu_limit: "{{ openshift_logging_elasticsearch_cpu_limit }}"      es_memory_limit: "{{ openshift_logging_elasticsearch_memory_limit }}"      es_node_selector: "{{ openshift_logging_elasticsearch_nodeselector | default({}) }}" +    es_storage_groups: "{{ openshift_logging_elasticsearch_storage_group | default([]) }}" +    es_container_security_context: "{{ _es_containers.elasticsearch.securityContext if _es_containers is defined and 'elasticsearch' in _es_containers and 'securityContext' in _es_containers.elasticsearch else None }}"      deploy_type: "{{ openshift_logging_elasticsearch_deployment_type }}"      es_replicas: 1 diff --git a/roles/openshift_logging_elasticsearch/templates/es.j2 b/roles/openshift_logging_elasticsearch/templates/es.j2 index 3c8f390c4..1ed886627 100644 --- a/roles/openshift_logging_elasticsearch/templates/es.j2 +++ b/roles/openshift_logging_elasticsearch/templates/es.j2 @@ -29,7 +29,9 @@ spec:        serviceAccountName: aggregated-logging-elasticsearch        securityContext:          supplementalGroups: -        - {{openshift_logging_elasticsearch_storage_group}} +{% for group in es_storage_groups %} +        - {{group}} +{% endfor %}  {% if es_node_selector is iterable and es_node_selector | length > 0 %}        nodeSelector:  {% for key, value in es_node_selector.iteritems() %} 
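Review bot: `{% for group in es_storage_groups %}` assumes a list, but `openshift_logging_elasticsearch_storage_group` was a scalar (`'65534'`) until this change and any inventory or caller still passing a string makes the loop iterate characters, rendering supplementalGroups `6,5,5,3,4`; an unquoted integer would fail to iterate at all. Normalise once in the `set_fact`: `es_storage_groups: "{{ [openshift_logging_elasticsearch_storage_group] if openshift_logging_elasticsearch_storage_group is string or openshift_logging_elasticsearch_storage_group is number else openshift_logging_elasticsearch_storage_group | default([]) }}"`. The `set_fact` hunk's task starts before this hunk, so the surrounding keys are not visible here.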
@@ -37,6 +39,40 @@ spec:  {% endfor %}  {% endif %}        containers: +        - name: proxy +          image: {{openshift_logging_elasticsearch_proxy_image_prefix}}:{{openshift_logging_elasticsearch_proxy_image_version}} +          imagePullPolicy: Always +          args: +           - --upstream-ca=/etc/elasticsearch/secret/admin-ca +           - --https-address=:4443 +           - -provider=openshift +           - -client-id={{openshift_logging_elasticsearch_prometheus_sa}} +           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token +           - -cookie-secret={{ 16 | oo_random_word | b64encode }} +           - -upstream=https://localhost:9200 +           - '-openshift-sar={"namespace": "{{ openshift_logging_elasticsearch_namespace}}", "verb": "view", "resource": "prometheus", "group": "metrics.openshift.io"}' +           - '-openshift-delegate-urls={"/": {"resource": "prometheus", "verb": "view", "group": "metrics.openshift.io", "namespace": "{{ openshift_logging_elasticsearch_namespace}}"}}' +           - --tls-cert=/etc/tls/private/tls.crt +           - --tls-key=/etc/tls/private/tls.key +           - -pass-access-token +           - -pass-user-headers +          ports: +          - containerPort: 4443 +            name: proxy +            protocol: TCP +          volumeMounts: +          - mountPath: /etc/tls/private +            name: proxy-tls +            readOnly: true +          - mountPath: /etc/elasticsearch/secret +            name: elasticsearch +            readOnly: true +          resources: +            limits: +              cpu: "{{openshift_logging_elasticsearch_proxy_cpu_limit }}" +              memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}" +            requests: +              memory: "{{openshift_logging_elasticsearch_proxy_memory_limit }}"          -            name: "elasticsearch"            image: {{image}} 
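Review bot: `-cookie-secret={{ 16 | oo_random_word | b64encode }}` places the oauth-proxy cookie secret in the DeploymentConfig as a plain command-line argument, so anyone with `get` on dc/pods in the namespace (and `ps` inside the pod) can read it, and because it is re-rolled on every template render each Ansible run yields a new DC revision, invalidating sessions and triggering a rollout. Store it in a Secret next to `prometheus-tls` and pass it via an env var with `secretKeyRef` (or `-cookie-secret-file=` if this proxy version supports it); that also makes the template idempotent. `imagePullPolicy: Always` on the `v1.0.0` tag lets the proxy image change underneath a running deployment; pin by digest or use `IfNotPresent`.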
@@ -49,6 +85,9 @@ spec:  {% endif %}              requests:                memory: "{{es_memory_limit}}" +{% if es_container_security_context %} +          securityContext: {{ es_container_security_context | to_yaml }}  +{% endif %}            ports:              -                containerPort: 9200 @@ -94,7 +133,7 @@ spec:                value: "30"              -                name: "POD_LABEL" -              value: "component={{component}}"  +              value: "component={{component}}"              -                name: "IS_MASTER"                value: "{% if deploy_type in ['data-master', 'master'] %}true{% else %}false{% endif %}" @@ -102,6 +141,9 @@ spec:              -                name: "HAS_DATA"                value: "{% if deploy_type in ['data-master', 'data-client'] %}true{% else %}false{% endif %}" +            - +              name: "PROMETHEUS_USER" +              value: "{{openshift_logging_elasticsearch_prometheus_sa}}"            volumeMounts:              - name: elasticsearch @@ -120,6 +162,9 @@ spec:              timeoutSeconds: 30              periodSeconds: 5        volumes: +        - name: proxy-tls +          secret: +            secretName: prometheus-tls          - name: elasticsearch            secret:              secretName: logging-elasticsearch diff --git a/roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2 b/roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2 new file mode 100644 index 000000000..d9800e5a5 --- /dev/null +++ b/roles/openshift_logging_elasticsearch/templates/logging-metrics-role.j2 
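Review bot: `securityContext: {{ es_container_security_context | to_yaml }}` only yields valid YAML while the carried-over securityContext is a flat mapping of scalars (PyYAML's default flow style then emits `{privileged: true}` inline, as I read it); a nested one such as `capabilities:` or `seLinuxOptions:` is emitted block-style on fresh lines at column 0 and breaks the rendered template. `to_json` is always a single-line flow mapping that YAML accepts: `securityContext: {{ es_container_security_context | to_json }}`. The new line also carries trailing whitespace after `}}`, which this same change removes elsewhere in the file.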
@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: List
+items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    name: prometheus-metrics-viewer
+    namespace: {{ namespace }}
+  rules:
+  - apiGroups:
+    - metrics.openshift.io
+    resources:
+    - prometheus
+    verbs:
+    - view
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    name: prometheus-metrics-viewer
+    namespace: {{ namespace }}
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: prometheus-metrics-viewer
+  subjects:
+  - kind: ServiceAccount
+    namespace: {{ role_namespace }}
+    name: {{ role_user }}
diff --git a/roles/openshift_logging_fluentd/templates/fluentd.j2 b/roles/openshift_logging_fluentd/templates/fluentd.j2
index b5f27b60d..f286b0656 100644
--- a/roles/openshift_logging_fluentd/templates/fluentd.j2
+++ b/roles/openshift_logging_fluentd/templates/fluentd.j2
@@ -66,7 +66,9 @@ spec:
           readOnly: true
         - name: filebufferstorage
           mountPath: /var/lib/fluentd
-{% if openshift_logging_mux_client_mode is defined %}
+{% if openshift_logging_mux_client_mode is defined and
+     ((openshift_logging_mux_allow_external is defined and openshift_logging_mux_allow_external | bool) or
+      (openshift_logging_use_mux is defined and openshift_logging_use_mux | bool)) %}
         - name: muxcerts
           mountPath: /etc/fluent/muxkeys
           readOnly: true
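Review bot: The `rbac.authorization.kubernetes.io/autoupdate: "true"` annotation on the `prometheus-metrics-viewer` Role is, as far as I know, only honoured by the API server's reconciliation of its own bootstrap roles, so on an installer-owned namespaced Role it is inert and implies a reconciliation that never happens; drop it, or add a comment saying why it is kept. A short header comment stating what the role grants (`view` on `prometheus` in `metrics.openshift.io`, matched by the sidecar's `-openshift-sar`) and who the subject is expected to be would also save the next reader a trip through tasks/main.yaml.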
@@ -114,7 +116,9 @@ spec:
               resource: limits.memory
         - name: "FILE_BUFFER_LIMIT"
           value: "{{ openshift_logging_fluentd_file_buffer_limit | default('1Gi') }}"
-{% if openshift_logging_mux_client_mode is defined %}
+{% if openshift_logging_mux_client_mode is defined and
+     ((openshift_logging_mux_allow_external is defined and openshift_logging_mux_allow_external | bool) or
+      (openshift_logging_use_mux is defined and openshift_logging_use_mux | bool)) %}
         - name: "MUX_CLIENT_MODE"
           value: "{{ openshift_logging_mux_client_mode }}"
 {% endif %}
@@ -196,7 +200,9 @@ spec:
       - name: dockerdaemoncfg
         hostPath:
           path: /etc/docker
-{% if openshift_logging_mux_client_mode is defined %}
+{% if openshift_logging_mux_client_mode is defined and
+     ((openshift_logging_mux_allow_external is defined and openshift_logging_mux_allow_external | bool) or
+      (openshift_logging_use_mux is defined and openshift_logging_use_mux | bool)) %}
       - name: muxcerts
         secret:
           secretName: logging-mux
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index 7789d2232..088d0b171 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -1,8 +1,4 @@
 ---
-- fail:
-    msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
-  when: not openshift.common.version_gte_3_1_or_1_1 | bool
-
 - name: Add Management Infrastructure project
   oc_project:
     name: management-infra
@@ -61,4 +57,3 @@
     resource_kind: "{{ item.resource_kind }}"
     user: "{{ item.user }}"
   with_items: "{{manage_iq_openshift_3_2_tasks}}"
-  when: openshift.common.version_gte_3_2_or_1_2 | bool
diff --git a/roles/openshift_management/README.md b/roles/openshift_management/README.md
new file mode 100644
index 000000000..3a71d9211
--- /dev/null
+++ b/roles/openshift_management/README.md
@@ -0,0 +1,475 @@ +# CloudForms Availability + +As noted in [Limitations - Product Choice](#product-choice), +[CloudForms](https://www.redhat.com/en/technologies/management/cloudforms) +(CFME) 4.6 is not yet released. Until such time, this role is limited +to installing [ManageIQ](http://manageiq.org) (MIQ), the open source +project that CFME is based on. + +After CFME 4.6 is available to customers this role will enable +(optional) logic which will install CFME or MIQ based on your +deployment type (`openshift_deployment_type`): + +* `openshift-enterprise` → CloudForms +* `origin` → ManageIQ + + +# Table of Contents + +   * [Introduction](#introduction) +      * [Important Notes](#important-notes) +   * [Requirements](#requirements) +   * [Role Variables](#role-variables) +   * [Getting Started](#getting-started) +      * [All Defaults](#all-defaults) +      * [External NFS Storage](#external-nfs-storage) +      * [Override PV sizes](#override-pv-sizes) +      * [Override Memory Requirements](#override-memory-requirements) +      * [External PostgreSQL Database](#external-postgresql-database) +   * [Limitations](#limitations) +      * [Product Choice](#product-choice) +   * [Configuration](#configuration) +      * [Database](#database) +         * [Podified](#podified) +         * [External](#external) +      * [Storage Classes](#storage-classes) +         * [NFS (Default)](#nfs-default) +         * [NFS External](#nfs-external) +         * [Cloud Provider](#cloud-provider) +         * [Preconfigured (Expert Configuration Only)](#preconfigured-expert-configuration-only) +   * [Customization](#customization) +   * [Uninstall](#uninstall) +   * [Additional Information](#additional-information) + +# Introduction + +This role will allow a user to install CFME 4.6 or MIQ on an OCP +3.7 cluster. The role provides customization options for overriding +default deployment parameters. 
This role allows the user to deploy +different installation flavors: + +* **Fully Podified** - In this way all application services are ran as +  pods in the container platform. +* **External Database** - In this way the application utilizes an +  externally hosted database server. All other services are ran in the +  container platform. + +This role includes the following storage class options: + +* NFS - **Default** - local, on cluster +* NFS External - NFS somewhere else, like a storage appliance +* Cloud Provider - Use automatic storage provisioning from your cloud +  provider (*gce* or *aws*) +* Preconfigured - **expert only**, assumes you created everything ahead +  of time + +You may skip ahead to the [Getting Started](#getting-started) section +now for examples of how to set up your Ansible inventory for various +deployment configurations. However, you are **strongly urged** to +first read through the [Configuration](#configuration) and +[Customization](#customization) sections as well as the following +[Important Notes](#important-notes). + +## Important Notes + +Not all parameters are present in **both** template versions (podified +db and external db). For example, while the podified database template +has a `POSTGRESQL_MEM_REQ` parameter, no such parameter is present in +the external db template, as there is no need for this information due +to there being no databases that require pods. + +*Be extra careful* if you are overriding template +parameters. Including parameters not defined in a template **will +cause errors**. + +**Container Provider Integration** - If you want add your container +platform (OCP/Origin) as a *Container Provider* in CFME/MIQ then you +must ensure that the infrastructure management hooks are installed. + +* During your OCP/Origin install, ensure that you have the +  `openshift_use_manageiq` parameter set to `true` in your inventory +  at install time. This will create a `management-infra` project and a +  service account user. 
+* After CFME/MIQ is installed, obtain the `management-admin` service +  account token and copy it somewhere safe. + +```bash +$ oc serviceaccounts get-token -n management-infra management-admin +eyJhuGdiOiJSUzI1NiIsInR5dCI6IkpXVCJ9.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.B6sZLGD9O4vBu9MHwiG-C_4iEwjBXb7Af8BPw-LNlujDmHhOnQ-Oo4QxQKyj9edynfmDy2yutUyJ2Mm9HfDGWg4C9xhWImHoq6Nl7T5_9djkeGKkK7Ejvg4fA-IkrzEsZeQuluBvXnE6wvP0LCjUo_dx4pPyZJyp46teV9NqKQeDzeysjlMCyqp6AK6-Lj8ILG8YA6d_97HlzL_EgFBLAu0lBSn-uC_9J0gLysqBtK6TI0nExfhv9Bm1_5bdHEbKHPW7xIlYlI9AgmyTyhsQ6SoQWtL2khBjkG9TlPBq9wYJj9bzqgVZlqEfICZxgtXO7sYyuoje4y8lo0YQ0kZmig +``` + +* In the CFME/MIQ web interface, navigate to `Compute` → +  `Containers` → `Providers` and select `⚙ Configuration` → `⊕ +  Add a new Containers Provider` + +*See the [upstream documentation](http://manageiq.org/docs/reference/latest/doc-Managing_Providers/miq/index.html#containers-providers) for additional information.* + + + +# Requirements + +The **default** requirements are listed in the table below. These can +be overridden through customization parameters (See +[Customization](#customization), below). + +**Note** that the application performance will suffer, or possibly +even fail to deploy, if these requirements are not satisfied. 
+ + +| Item                | Requirement   | Description                                  | Customization Parameter       | +|---------------------|---------------|----------------------------------------------|-------------------------------| +| Application Memory  | `≥ 4.0 Gi`    | Minimum required memory for the application  | `APPLICATION_MEM_REQ`         | +| Application Storage | `≥ 5.0 Gi`    | Minimum PV size required for the application | `APPLICATION_VOLUME_CAPACITY` | +| PostgreSQL Memory   | `≥ 6.0 Gi`    | Minimum required memory for the database     | `POSTGRESQL_MEM_REQ`          | +| PostgreSQL Storage  | `≥ 15.0 Gi`   | Minimum PV size required for the database    | `DATABASE_VOLUME_CAPACITY`    | +| Cluster Hosts       | `≥ 3`         | Number of hosts in your cluster              |                               | + +The implications of this table are summarized below: + +* You need several cluster nodes +* Your cluster nodes must have lots of memory available +* You will need several GiB's of storage available, either locally or +  on your cloud provider +* PV sizes can be changed by providing override values to template +  parameters (see also: [Customization](#customization)) + +# Role Variables + +The following is a table of the publicly exposed variables that may be +used in your Ansible inventory to control the behavior of this +installer. + + +| Variable                                       | Required | Default                        | Description                         | +|------------------------------------------------|:--------:|:------------------------------:|-------------------------------------| +| `openshift_management_project`                       | **No**   | `openshift-management`               | Namespace for the installation.     | +| `openshift_management_project_description`           | **No**   | *CloudForms Management Engine* | Namespace/project description.      
| +| `openshift_management_install_management`                  | **No**   | `false`                        | Boolean, set to `true` to install the application | +| **PRODUCT CHOICE**  | | | | | +| `openshift_management_app_template`                  | **No**   | `miq-template`                 | The project flavor to install. Choices: <ul><li>`miq-template`: ManageIQ using a podified database</li> <li> `miq-template-ext-db`: ManageIQ using an external database</li> <li>`cfme-template`: CloudForms using a podified database<sup>[1]</sup></li> <li> `cfme-template-ext-db`: CloudForms using an external database.<sup>[1]</sup></li></ul> | +| **STORAGE CLASSES** | | | | | +| `openshift_management_storage_class`                 | **No**   | `nfs`                          | Storage type to use, choices: <ul><li>`nfs` - Best used for proof-of-concept installs. Will setup NFS on a cluster host (defaults to your first master in the inventory file) to back the required PVCs. The application requires a PVC and the database (which may be hosted externally) may require a second. PVC minimum required sizes are 5GiB for the MIQ application, and 15GiB for the PostgreSQL database (20GiB minimum available space on a volume/partition if used specifically for NFS purposes)</li> <li>`nfs_external` - You are using an external NFS server, such as a netapp appliance. See the [Configuration - Storage Classes](#storage-classes) section below for required information.</li> <li>`preconfigured` - This CFME role will do NOTHING to modify storage settings. This option assumes expert knowledge and that you have done everything required ahead of time.</li> <li>`cloudprovider` - You are using an OCP cloudprovider integration for your storage class. For this to work you must have already configured the required inventory parameters for your cloud provider. Ensure `openshift_cloudprovider_kind` is defined (aws or gce) and that the applicable cloudprovider parameters are provided. 
| +| `openshift_management_storage_nfs_external_hostname` | **No**   | `false`                        | If you are using an *external NFS server*, such as a netapp appliance, then you must set the hostname here. Leave the value as `false` if you are not using external NFS. <br /> *Additionally*: **External NFS REQUIRES** that you create the NFS exports that will back the application PV and optionally the database PV. +| `openshift_management_storage_nfs_base_dir`          | **No**   | `/exports/`                    | If you are using **External NFS** then you may set the base path to the exports location here. <br />**Local NFS Note**: You *may* also change this value if you want to change the default path used for local NFS exports. | +| `openshift_management_storage_nfs_local_hostname`    | **No**   | `false`                        | If you do not have an `[nfs]` group in your inventory, or want to simply manually define the local NFS host in your cluster, set this parameter to the hostname of the preferred NFS server. The server must be a part of your OCP/Origin cluster. | +| **CUSTOMIZATION OPTIONS** | | | | | +| `openshift_management_template_parameters`           | **No**   | `{}`                           | A dictionary of any parameters you want to override in the application/pv templates. + +* <sup>[1]</sup> The `cfme-template`s will be available and +  automatically detected once CFME 4.6 is released + + +# Getting Started + +Below are some inventory snippets that can help you get started right +away. + +If you want to install CFME/MIQ at the same time you install your +OCP/Origin cluster, ensure that `openshift_management_install_management` is set +to `true` in your inventory. Call the standard +`playbooks/byo/config.yml` playbook to begin the cluster and CFME/MIQ +installation. 
+ +If you are installing CFME/MIQ on an *already provisioned cluster* +then you can call the CFME/MIQ playbook directly: + +``` +$ ansible-playbook -v -i <YOUR_INVENTORY> playbooks/byo/openshift-management/config.yml +``` + +*Note: Use `miq-template` in the following examples for ManageIQ installs* + +## All Defaults + +This example is the simplest. All of the default values and choices +are used. This will result in a fully podified CFME installation. All +application components, as well as the PostgreSQL database will be +created as pods in the container platform. + +```ini +[OSEv3:vars] +openshift_management_app_template=cfme-template +``` + +## External NFS Storage + +This is as the previous example, except that instead of using local +NFS services in the cluster it will use an external NFS server (such +as a storage appliance). Note the two new parameters: + +* `openshift_management_storage_class` - set to `nfs_external` +* `openshift_management_storage_nfs_external_hostname` - set to the hostname +  of the NFS server + +```ini +[OSEv3:vars] +openshift_management_app_template=cfme-template +openshift_management_storage_class=nfs_external +openshift_management_storage_nfs_external_hostname=nfs.example.com +``` + +If the external NFS host exports directories under a different parent +directory, such as `/exports/hosted/prod` then we would add an +additional parameter, `openshift_management_storage_nfs_base_dir`: + +```ini +# ... +openshift_management_storage_nfs_base_dir=/exports/hosted/prod +``` + +## Override PV sizes + +This example will override the PV sizes. Note that we set the PV sizes +in the template parameters, `openshift_management_template_parameters`. This +ensures that the application/db will be able to make claims on created +PVs without clobbering each other. 
+ +```ini +[OSEv3:vars] +openshift_management_app_template=cfme-template +openshift_management_template_parameters={'APPLICATION_VOLUME_CAPACITY': '10Gi', 'DATABASE_VOLUME_CAPACITY': '25Gi'} +``` + +## Override Memory Requirements + +In a test or proof-of-concept installation you may need to reduce the +application/database memory requirements to fit within your +capacity. Note that reducing memory limits can result in reduced +performance or a complete failure to initialize the application. + +```ini +[OSEv3:vars] +openshift_management_app_template=cfme-template +openshift_management_template_parameters={'APPLICATION_MEM_REQ': '3000Mi', 'POSTGRESQL_MEM_REQ': '1Gi', 'ANSIBLE_MEM_REQ': '512Mi'} +``` + +Here we have instructed the installer to process the application +template with the parameter `APPLICATION_MEM_REQ` set to `3000Mi`, +`POSTGRESQL_MEM_REQ` set to `1Gi`, and `ANSIBLE_MEM_REQ` set to +`512Mi`. + +These parameters can be combined with the PV size override parameters +displayed in the previous example. + +## External PostgreSQL Database + +To use an external database you must change the +`openshift_management_app_template` parameter value to `miq-template-ext-db` +or `cfme-template-ext-db`. + +Additionally, database connection information **must** be supplied in +the `openshift_management_template_parameters` customization parameter. See +[Customization - Database - External](#external) for more +information. + +```ini +[OSEv3:vars] +openshift_management_app_template=cfme-template-ext-db +openshift_management_template_parameters={'DATABASE_USER': 'root', 'DATABASE_PASSWORD': 'r1ck&M0r7y', 'DATABASE_IP': '10.10.10.10', 'DATABASE_PORT': '5432', 'DATABASE_NAME': 'cfme'} +``` + +# Limitations + +This release is the first OpenShift CFME release in the OCP 3.7 +series. It is not complete yet. + +## Product Choice + +Due to staggered release dates, **CFME support is not +integrated**. Presently this role will only deploy a ManageIQ +installation. 
This role will be updated once CFME 4.6 is released and +this limitation note will be removed. + +# Configuration + +Before you can deploy CFME you must decide *how* you want to deploy +it. There are two major decisions to make: + +1. Do you want an external, or a podified database? +1. Which storage class will back your PVs? + +## Database + +### Podified + +Any `POSTGRES_*` or `DATABASE_*` template parameters in +[miq-template.yaml](files/templates/manageiq/miq-template.yaml) or +[cfme-template.yaml](files/templates/cloudforms/cfme-template.yaml) +may be customized through the `openshift_management_template_parameters` +hash. + +### External + +Any `POSTGRES_*` or `DATABASE_*` template parameters in +[miq-template-ext-db.yaml](files/templates/manageiq/miq-template-ext-db.yaml) +or +[cfme-template-ext-db.yaml](files/templates/cloudforms/cfme-template-ext-db.yaml) +may be customized through the `openshift_management_template_parameters` +hash. + +External PostgreSQL databases require you to provide database +connection parameters. You must set the required connection keys in +the `openshift_management_template_parameters` parameter in your +inventory. The following keys are required: + +* `DATABASE_USER` +* `DATABASE_PASSWORD` +* `DATABASE_IP` +* `DATABASE_PORT` - *note: Most PostgreSQL servers run on port `5432`* +* `DATABASE_NAME` + +Your inventory would contain a line similar to this: + +```ini +[OSEv3:vars] +openshift_management_app_template=cfme-template-ext-db +openshift_management_template_parameters={'DATABASE_USER': 'root', 'DATABASE_PASSWORD': 'r1ck&M0r7y', 'DATABASE_IP': '10.10.10.10', 'DATABASE_PORT': '5432', 'DATABASE_NAME': 'cfme'} +``` + +**Note** the new value for the `openshift_management_app_template` +parameter, `cfme-template-ext-db` (ManageIQ installations would use +`miq-template-ext-db` instead). 
+ +At run time you may run into errors similar to this: + +``` +TASK [openshift_management : Ensure the CFME App is created] *********************************** +task path: /home/tbielawa/rhat/os/openshift-ansible/roles/openshift_management/tasks/main.yml:74 +Tuesday 03 October 2017  15:30:44 -0400 (0:00:00.056)       0:00:12.278 ******* +{"cmd": "/usr/bin/oc create -f /tmp/postgresql-ZPEWQS -n openshift-management", "kind": "Endpoints", "results": {}, "returncode": 1, "stderr": "Error from server (BadRequest): error when creating \"/tmp/postgresql-ZPEWQS\": Endpoints in version \"v1\" cannot be handled as a Endpoints: [pos 218]: json: decNum: got first char 'f'\n", "stdout": ""} +``` + +Or like this: + +``` +TASK [openshift_management : Ensure the CFME App is created] *********************************** +task path: /home/tbielawa/rhat/os/openshift-ansible/roles/openshift_management/tasks/main.yml:74 +Tuesday 03 October 2017  16:05:36 -0400 (0:00:00.052)       0:00:18.948 ******* +fatal: [m01.example.com]: FAILED! => {"changed": true, "failed": true, "msg": +{"cmd": "/usr/bin/oc create -f /tmp/postgresql-igS5sx -n openshift-management", "kind": "Endpoints", "results": {}, "returncode": 1, "stderr": "The Endpoints \"postgresql\" is invalid: subsets[0].addresses[0].ip: Invalid value: \"doo\": must be a valid IP address, (e.g. 10.9.8.7)\n", "stdout": ""}, +``` + +While intimidating at first, there are useful bits of information in +here. Examine the error output closely and we can tell exactly what is +wrong. + +In the first example we see `Endpoints in version \"v1\" cannot be +handled as a Endpoints: [pos 218]: json: decNum: got first char +...`. This is because in my example I used the value `foo` for the +parameter `DATABASE_PORT`. + +In the second example we see `The Endpoints \"postgresql\" is invalid: +subsets[0].addresses[0].ip: Invalid value: \"doo\": must be a valid IP +address ...`. 
This is because in my example I used the value `doo` in +the `DATABASE_IP` field. + +Luckily for us when the templates are processed behind the scenes they +are also running type checking validation. So, don't worry, just look +closely at the errors and ensure you are providing the correct values +for each parameter. + +## Storage Classes + +OpenShift CFME supports several storage class options. + +### NFS (Default) + +The NFS storage class is best suited for proof-of-concept and +test/demo deployments. It is also the **default** storage class for +deployments. No additional configuration is required for this +choice. + +Customization is provided through the following role variables: + +* `openshift_management_storage_nfs_base_dir` +* `openshift_management_storage_nfs_local_hostname` + +### NFS External + +External NFS leans on pre-configured NFS servers to provide exports +for the required PVs. For external NFS you must have: + +* For CFME: a `cfme-app` and optionally a `cfme-db` (for podified database) exports +* For ManageIQ: an `miq-app` and optionally an `miq-db` (for podified database) exports + +Configuration is provided through the following role variables: + +* `openshift_management_storage_nfs_external_hostname` +* `openshift_management_storage_nfs_base_dir` + +The `openshift_management_storage_nfs_external_hostname` parameter must be +set to the hostname or IP of your external NFS server. + +If `/exports` is not the parent directory to your exports then you +must set the base directory via the +`openshift_management_storage_nfs_base_dir` parameter. + +For example, if your server export is `/exports/hosted/prod/cfme-app` +then you must set +`openshift_management_storage_nfs_base_dir=/exports/hosted/prod`. + +### Cloud Provider + +CFME can also use a cloud provider storage to back required PVs. 
For +this functionality to work you must have also configured the +`openshift_cloudprovider_kind` variable and all associated parameters +specific to your chosen cloud provider. + +Using this storage class, when the application is created the required +PVs will automatically be provisioned using the configured cloud +provider storage integration. + +There are no additional variables to configure the behavior of this +storage class. + +### Preconfigured (Expert Configuration Only) + +The *preconfigured* storage class implies that you know exactly what +you're doing and that all storage requirements have been taken care +ahead of time. Typically this means that you've already created the +correctly sized PVs. + +There are no additional variables to configure the behavior of this +storage class. + +# Customization + +Application and database parameters may be customized by means of the +`openshift_management_template_parameters` inventory parameter. + +**For example**, if you wanted to reduce the memory requirement of the +PostgreSQL pod then you could configure the parameter like this: + +`openshift_management_template_parameters={'POSTGRESQL_MEM_REQ': '1Gi'}` + +When the CFME template is processed `1Gi` will be used for the value +of the `POSTGRESQL_MEM_REQ` template parameter. + +Any parameter in the `parameters` section of the +[miq-template.yaml](files/templates/manageiq/miq-template.yaml) or +[miq-template-ext-db.yaml](files/templates/manageiq/miq-template-ext-db.yaml) +may be overridden through the `openshift_management_template_parameters` +hash. This applies to **CloudForms** installations as well: +[cfme-template.yaml](files/templates/cloudforms/cfme-template.yaml), +[cfme-template-ext-db.yaml](files/templates/cloudforms/cfme-template-ext-db.yaml). 
+ + +# Uninstall + +This role includes a playbook to uninstall and erase the CFME/MIQ +installation: + +* `playbooks/byo/openshift-management/uninstall.yml` + +# Additional Information + +The upstream project, +[@manageiq/manageiq-pods](https://github.com/ManageIQ/manageiq-pods), +contains a wealth of additional information useful for managing and +operating your CFME installation. Topics include: + +* [Verifying Successful Installation](https://github.com/ManageIQ/manageiq-pods#verifying-the-setup-was-successful) +* [Disabling Image Change Triggers](https://github.com/ManageIQ/manageiq-pods#disable-image-change-triggers) +* [Scaling CFME](https://github.com/ManageIQ/manageiq-pods#scale-miq) +* [Backing up and Restoring the DB](https://github.com/ManageIQ/manageiq-pods#backup-and-restore-of-the-miq-database) +* [Troubleshooting](https://github.com/ManageIQ/manageiq-pods#troubleshooting) diff --git a/roles/openshift_management/defaults/main.yml b/roles/openshift_management/defaults/main.yml new file mode 100644 index 000000000..ebb56313f --- /dev/null +++ b/roles/openshift_management/defaults/main.yml 
@@ -0,0 +1,90 @@
+---
+# Namespace for the CFME project
+openshift_management_project: openshift-management
+# Namespace/project description
+openshift_management_project_description: CloudForms Management Engine
+
+######################################################################
+# BASE TEMPLATE AND DATABASE OPTIONS
+######################################################################
+# Which flavor of CFME would you like? You may install CFME using a
+# podified PostgreSQL server, or you may choose to use an existing
+# PostgreSQL server.
+#
+# Choose 'miq-template' for a podified database install
+# Choose 'miq-template-ext-db' for an external database install
+openshift_management_app_template: miq-template
+# If you are using the miq-template-ext-db template then you must add
+# the required database parameters to the
+# openshift_management_template_parameters variable.
+
+######################################################################
+# STORAGE OPTIONS
+######################################################################
+# DEFAULT - 'nfs'
+# Allowed options: nfs, nfs_external, preconfigured, cloudprovider.
+openshift_management_storage_class: nfs
+# * nfs - Best used for proof-of-concept installs. Will setup NFS on a
+#   cluster host (defaults to your first master in the inventory file)
+#   to back the required PVCs. The application requires a PVC and the
+#   database (which may be hosted externally) may require a
+#   second. PVC minimum required sizes are: 5GiB for the MIQ
+#   application, and 15GiB for the PostgreSQL database (20GiB minimum
+#   available space on an volume/partition if used specifically for
+#   NFS purposes)
+#
+# * nfs_external - You are using an external NFS server, such as a
+#   netapp appliance. See the STORAGE - NFS OPTIONS section below for
+#   required information.
+#
+# * preconfigured - This CFME role will do NOTHING to modify storage
+#   settings. This option assumes expert knowledge and that you have
+#   done everything required ahead of time.
+#
+# * cloudprovider - You are using an OCP cloudprovider integration for
+#   your storage class. For this to work you must have already
+#   configured the required inventory parameters for your cloud
+#   provider
+#
+#   Ensure 'openshift_cloudprovider_kind' is defined (aws or gce) and
+#   that the applicable cloudprovider parameters are provided.
+
+#---------------------------------------------------------------------
+# STORAGE - NFS OPTIONS
+#---------------------------------------------------------------------
+# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a
+# netapp appliance, then you must set the hostname here. Leave the
+# value as 'false' if you are not using external NFS.
+openshift_management_storage_nfs_external_hostname: false
+# [OPTIONAL] - If you are using external NFS then you must set the base
+# path to the exports location here.
+#
+# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports
+# that will back the application PV and optionally the database
+# pv. Export path definitions, relative to
+# {{ openshift_management_storage_nfs_base_dir }}
+#
+# LOCAL NFS NOTE:
+#
+# You may may also change this value if you want to change the default
+# path used for local NFS exports.
+openshift_management_storage_nfs_base_dir: /exports
+#
+# LOCAL NFS NOTE:
+#
+# You may override the automatically selected LOCAL NFS server by
+# setting this variable. Useful for testing specific task files.
+openshift_management_storage_nfs_local_hostname: false
+
+######################################################################
+# SCAFFOLDING - These are parameters we pre-seed that a user may or
+# may not set later
+######################################################################
+# A hash of parameters you want to override or set in the
+# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in
+# your inventory file as a simple hash. Acceptable values are defined
+# under the .parameters list in files/miq-template{-ext-db}.yaml
+# Example:
+#
+# openshift_management_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}
+openshift_management_template_parameters: {}
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
new file mode 100644
index 000000000..c3bc1d20c
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cloudforms-backup
+spec:
+  template:
+    metadata:
+      name: cloudforms-backup
+    spec:
+      containers:
+      - name: postgresql
+        image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+        command:
+        - "/opt/rh/cfme-container-scripts/backup_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: cloudforms-secrets
+              key: database-url
+        volumeMounts:
+        - name: cfme-backup-vol
+          mountPath: "/backups"
+      volumes:
+      - name: cfme-backup-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-backup
+      restartPolicy: Never
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-backup-pvc.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-backup-pvc.yaml
new file mode 100644
index 000000000..92598ce82
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: cloudforms-backup
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 15Gi
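Review bot: The comment block above `openshift_management_template_parameters` should say that for the `miq-template-ext-db` flavor this hash carries `DATABASE_PASSWORD` (the README in this commit shows it inline under `[OSEv3:vars]`), so the credential sits in plaintext in the inventory and is echoed in verbose Ansible output; a line such as `# NOTE: for the ext-db templates this hash includes DATABASE_PASSWORD; keep it in an ansible-vault encrypted vars file rather than the plain inventory` would steer users right. Separately, the `openshift_management_storage_nfs_external_hostname` comment says "Leave the value as 'false'" while the default is the YAML boolean `false`, so the variable is sometimes a bool and sometimes a hostname string; documenting that the role tests it for truthiness (if that is what the tasks, which are outside this page, do) would avoid surprises in `when:` clauses. The doubled word in `You may may also change this value` is worth fixing in passing.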
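Review bot: `image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest` names an internal build registry and a floating `:latest` tag, so the backup Job cannot pull on a customer cluster and, where it can, runs whatever that tag resolves to on the day; the restore Job on the `cfme-restore-job.yaml` hunk below uses the same reference. Pin it to the published registry path and a release tag or digest (a labelled placeholder such as `registry.example.com/cloudforms46/cfme-openshift-postgresql:<RELEASE-TAG>` until the real one exists) so the job that reads the database URL out of the `cloudforms-secrets` secret is reproducible and the image it runs can be verified. A header comment stating that the Job expects the `cloudforms-backup` claim from `cfme-backup-pvc.yaml` to be bound first would also make the pair self-describing.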
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-pv-backup-example.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-pv-backup-example.yaml
new file mode 100644
index 000000000..4fe349897
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-pv-backup-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: cfme-pv03
+spec:
+  capacity:
+    storage: 15Gi
+  accessModes:
+  - ReadWriteOnce
+  nfs:
+    path: "/exports/cfme-pv03"
+    server: "<your-nfs-host-here>"
+  persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-pv-db-example.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-pv-db-example.yaml
new file mode 100644
index 000000000..0cdd821b5
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-pv-db-example.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-db-pv
+metadata:
+  name: cloudforms-db-pv
+  annotations:
+    description: PV Template for CFME PostgreSQL DB
+    tags: PVS, CFME
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: cfme-db
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/cfme-db"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for DB
+  required: true
+  description: The size of the CFME DB PV given in Gi
+  value: 15Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server
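Review bot: `cfme-pv-backup-example.yaml` is a bare PersistentVolume with a hard-coded `name: cfme-pv03`, `path: "/exports/cfme-pv03"` and a literal `server: "<your-nfs-host-here>"`, whereas the db and server examples in this commit are Templates parameterized by `PV_SIZE`, `BASE_PATH` and `NFS_HOST`; an operator copying this one has to hand-edit three places, and the `pv03` name gives no hint that it is meant to back the `cloudforms-backup` claim. Converting it to the same Template shape, with `name: cfme-backup` and `path: "${BASE_PATH}/cfme-backup"`, would keep the three examples consistent and let the README's `openshift_management_storage_nfs_base_dir` guidance apply to it too. `persistentVolumeReclaimPolicy: Retain` is the right choice for a volume holding database dumps.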
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-pv-server-example.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-pv-server-example.yaml
new file mode 100644
index 000000000..527090ae8
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-pv-server-example.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-app-pv
+metadata:
+  name: cloudforms-app-pv
+  annotations:
+    description: PV Template for CFME Server
+    tags: PVS, CFME
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: cfme-app
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/cfme-app"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for App
+  required: true
+  description: The size of the CFME APP PV given in Gi
+  value: 5Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
new file mode 100644
index 000000000..8b23f8a33
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cloudforms-restore
+spec:
+  template:
+    metadata:
+      name: cloudforms-restore
+    spec:
+      containers:
+      - name: postgresql
+        image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+        command:
+        - "/opt/rh/cfme-container-scripts/restore_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: cloudforms-secrets
+              key: database-url
+        - name: BACKUP_VERSION
+          value: latest
+        volumeMounts:
+        - name: cfme-backup-vol
+          mountPath: "/backups"
+        - name: cfme-prod-vol
+          mountPath: "/restore"
+      volumes:
+      - name: cfme-backup-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-backup
+      - name: cfme-prod-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-postgresql
+      restartPolicy: Never
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-scc-sysadmin.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-scc-sysadmin.yaml
new file mode 100644
index 000000000..d2ece9298
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-scc-sysadmin.yaml
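Review bot: The restore Job's `image:` is hard-coded to an internal build host (`brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/...:latest`), so the image that gets to write into the production PVC mounted at `/restore` is neither pinned nor reachable from a normal customer cluster; the templates in this same commit at least parameterize their image names and tags. Since this Job runs `restore_db` against the live `cloudforms-postgresql` claim, I would pin it to an explicit version tag or digest and expose it the same way (`image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"` with a parameters block), rather than floating on `latest`. It is also worth setting `backoffLimit: 1` on the Job spec so a failed restore is not re-run several times against the same data volume; with `restartPolicy: Never` alone the Job controller will presumably still create new pods on failure, so confirm the intended retry behaviour.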
@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+  creationTimestamp:
+  name: cfme-sysadmin
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
new file mode 100644
index 000000000..4a04f3372
--- /dev/null
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
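Review bot: This SCC hands out `CAP_SYS_ADMIN` unconditionally (`defaultAddCapabilities: - SYS_ADMIN`, not merely `allowedCapabilities`) together with `runAsUser: RunAsAny`, and with `priority: 10` it will be chosen ahead of `restricted`/`anyuid` for every pod created by anything in `groups: - system:cluster-admins`, whether or not that pod needs systemd. SYS_ADMIN is close to root-equivalent inside a container (mount, namespace and many other privileged syscalls), so the blast radius here is a lot wider than the description's "all features of anyuid" suggests. Leave `groups:` empty and bind the SCC to the one service account that actually runs systemd, e.g. `users: - system:serviceaccount:<project>:cfme-anyuid`, and note in the `kubernetes.io/description` that the capability is granted by default rather than on request. Keeping `seLinuxContext: MustRunAs` and the `requiredDropCapabilities` list is good and should stay.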
@@ -0,0 +1,763 @@ +apiVersion: v1 +kind: Template +labels: +  template: cloudforms-ext-db +metadata: +  name: cloudforms-ext-db +  annotations: +    description: CloudForms appliance with persistent storage using a external DB host +    tags: instant-app,cloudforms,cfme +    iconClass: icon-rails +objects: +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: cfme-orchestrator +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: cfme-anyuid +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: cfme-privileged +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: cfme-httpd +- apiVersion: v1 +  kind: Secret +  metadata: +    name: "${NAME}-secrets" +  stringData: +    pg-password: "${DATABASE_PASSWORD}" +    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 +    v2-key: "${V2_KEY}" +- apiVersion: v1 +  kind: Secret +  metadata: +    name: "${ANSIBLE_SERVICE_NAME}-secrets" +  stringData: +    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" +    secret-key: "${ANSIBLE_SECRET_KEY}" +    admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Exposes and load balances CloudForms pods +      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' +    name: "${NAME}" +  spec: +    clusterIP: None +    ports: +    - name: http +      port: 80 +      protocol: TCP +      targetPort: 80 +    selector: +      name: "${NAME}" +- apiVersion: v1 +  kind: Route +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +  spec: +    host: "${APPLICATION_DOMAIN}" +    port: +      targetPort: http +    tls: +      termination: edge +      insecureEdgeTerminationPolicy: Redirect +    to: +      kind: Service +      name: "${HTTPD_SERVICE_NAME}" +- 
apiVersion: apps/v1beta1 +  kind: StatefulSet +  metadata: +    name: "${NAME}" +    annotations: +      description: Defines how to deploy the CloudForms appliance +  spec: +    serviceName: "${NAME}" +    replicas: "${APPLICATION_REPLICA_COUNT}" +    template: +      metadata: +        labels: +          name: "${NAME}" +        name: "${NAME}" +      spec: +        containers: +        - name: cloudforms +          image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" +          livenessProbe: +            tcpSocket: +              port: 80 +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          readinessProbe: +            httpGet: +              path: "/" +              port: 80 +              scheme: HTTP +            initialDelaySeconds: 200 +            timeoutSeconds: 3 +          ports: +          - containerPort: 80 +            protocol: TCP +          volumeMounts: +          - name: "${NAME}-server" +            mountPath: "/persistent" +          env: +          - name: MY_POD_NAMESPACE +            valueFrom: +              fieldRef: +                fieldPath: metadata.namespace +          - name: APPLICATION_INIT_DELAY +            value: "${APPLICATION_INIT_DELAY}" +          - name: DATABASE_REGION +            value: "${DATABASE_REGION}" +          - name: DATABASE_URL +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: database-url +          - name: V2_KEY +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: v2-key +          - name: ANSIBLE_ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          resources: +            requests: +              memory: "${APPLICATION_MEM_REQ}" +              cpu: "${APPLICATION_CPU_REQ}" +            limits: +              
memory: "${APPLICATION_MEM_LIMIT}" +          lifecycle: +            preStop: +              exec: +                command: +                - "/opt/rh/cfme-container-scripts/sync-pv-data" +        serviceAccount: cfme-orchestrator +        serviceAccountName: cfme-orchestrator +        terminationGracePeriodSeconds: 90 +    volumeClaimTemplates: +    - metadata: +        name: "${NAME}-server" +        annotations: +      spec: +        accessModes: +        - ReadWriteOnce +        resources: +          requests: +            storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Headless service for CloudForms backend pods +    name: "${NAME}-backend" +  spec: +    clusterIP: None +    selector: +      name: "${NAME}-backend" +- apiVersion: apps/v1beta1 +  kind: StatefulSet +  metadata: +    name: "${NAME}-backend" +    annotations: +      description: Defines how to deploy the CloudForms appliance +  spec: +    serviceName: "${NAME}-backend" +    replicas: 0 +    template: +      metadata: +        labels: +          name: "${NAME}-backend" +        name: "${NAME}-backend" +      spec: +        containers: +        - name: cloudforms +          image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" +          livenessProbe: +            exec: +              command: +              - pidof +              - MIQ Server +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          volumeMounts: +          - name: "${NAME}-server" +            mountPath: "/persistent" +          env: +          - name: APPLICATION_INIT_DELAY +            value: "${APPLICATION_INIT_DELAY}" +          - name: DATABASE_URL +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: database-url +          - name: MIQ_SERVER_DEFAULT_ROLES +            value: 
database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate +          - name: FRONTEND_SERVICE_NAME +            value: "${NAME}" +          - name: V2_KEY +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: v2-key +          - name: ANSIBLE_ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          resources: +            requests: +              memory: "${APPLICATION_MEM_REQ}" +              cpu: "${APPLICATION_CPU_REQ}" +            limits: +              memory: "${APPLICATION_MEM_LIMIT}" +          lifecycle: +            preStop: +              exec: +                command: +                - "/opt/rh/cfme-container-scripts/sync-pv-data" +        serviceAccount: cfme-orchestrator +        serviceAccountName: cfme-orchestrator +        terminationGracePeriodSeconds: 90 +    volumeClaimTemplates: +    - metadata: +        name: "${NAME}-server" +        annotations: +      spec: +        accessModes: +        - ReadWriteOnce +        resources: +          requests: +            storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${MEMCACHED_SERVICE_NAME}" +    annotations: +      description: Exposes the memcached server +  spec: +    ports: +    - name: memcached +      port: 11211 +      targetPort: 11211 +    selector: +      name: "${MEMCACHED_SERVICE_NAME}" +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${MEMCACHED_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy memcached +  spec: +    strategy: +      type: Recreate +    triggers: +    - type: ConfigChange +    replicas: 1 +    selector: +      name: "${MEMCACHED_SERVICE_NAME}" +    template: +      metadata: +        name: "${MEMCACHED_SERVICE_NAME}" +        labels: +          name: 
"${MEMCACHED_SERVICE_NAME}" +      spec: +        volumes: [] +        containers: +        - name: memcached +          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" +          ports: +          - containerPort: 11211 +          readinessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 5 +            tcpSocket: +              port: 11211 +          livenessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 30 +            tcpSocket: +              port: 11211 +          volumeMounts: [] +          env: +          - name: MEMCACHED_MAX_MEMORY +            value: "${MEMCACHED_MAX_MEMORY}" +          - name: MEMCACHED_MAX_CONNECTIONS +            value: "${MEMCACHED_MAX_CONNECTIONS}" +          - name: MEMCACHED_SLAB_PAGE_SIZE +            value: "${MEMCACHED_SLAB_PAGE_SIZE}" +          resources: +            requests: +              memory: "${MEMCACHED_MEM_REQ}" +              cpu: "${MEMCACHED_CPU_REQ}" +            limits: +              memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${DATABASE_SERVICE_NAME}" +    annotations: +      description: Remote database service +  spec: +    ports: +    - name: postgresql +      port: 5432 +      targetPort: "${{DATABASE_PORT}}" +    selector: {} +- apiVersion: v1 +  kind: Endpoints +  metadata: +    name: "${DATABASE_SERVICE_NAME}" +  subsets: +  - addresses: +    - ip: "${DATABASE_IP}" +    ports: +    - port: "${{DATABASE_PORT}}" +      name: postgresql +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Exposes and load balances Ansible pods +      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' +    name: "${ANSIBLE_SERVICE_NAME}" +  spec: +    ports: +    - name: http +      port: 80 +      protocol: TCP +      targetPort: 80 +    - name: https +      port: 443 +      protocol: TCP +      targetPort: 443 +    selector: +   
   name: "${ANSIBLE_SERVICE_NAME}" +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${ANSIBLE_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy the Ansible appliance +  spec: +    strategy: +      type: Recreate +    serviceName: "${ANSIBLE_SERVICE_NAME}" +    replicas: 0 +    template: +      metadata: +        labels: +          name: "${ANSIBLE_SERVICE_NAME}" +        name: "${ANSIBLE_SERVICE_NAME}" +      spec: +        containers: +        - name: ansible +          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" +          livenessProbe: +            tcpSocket: +              port: 443 +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          readinessProbe: +            httpGet: +              path: "/" +              port: 443 +              scheme: HTTPS +            initialDelaySeconds: 200 +            timeoutSeconds: 3 +          ports: +          - containerPort: 80 +            protocol: TCP +          - containerPort: 443 +            protocol: TCP +          securityContext: +            privileged: true +          env: +          - name: ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          - name: RABBITMQ_USER_NAME +            value: "${ANSIBLE_RABBITMQ_USER_NAME}" +          - name: RABBITMQ_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: rabbit-password +          - name: ANSIBLE_SECRET_KEY +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: secret-key +          - name: DATABASE_SERVICE_NAME +            value: "${DATABASE_SERVICE_NAME}" +          - name: POSTGRESQL_USER +            value: "${DATABASE_USER}" +          - name: POSTGRESQL_PASSWORD +            valueFrom: +              
secretKeyRef: +                name: "${NAME}-secrets" +                key: pg-password +          - name: POSTGRESQL_DATABASE +            value: "${ANSIBLE_DATABASE_NAME}" +          resources: +            requests: +              memory: "${ANSIBLE_MEM_REQ}" +              cpu: "${ANSIBLE_CPU_REQ}" +            limits: +              memory: "${ANSIBLE_MEM_LIMIT}" +        serviceAccount: cfme-privileged +        serviceAccountName: cfme-privileged +- apiVersion: v1 +  kind: ConfigMap +  metadata: +    name: "${HTTPD_SERVICE_NAME}-configs" +  data: +    application.conf: | +      # Timeout: The number of seconds before receives and sends time out. +      Timeout 120 + +      RewriteEngine On +      Options SymLinksIfOwnerMatch + +      <VirtualHost *:80> +        KeepAlive on +        ProxyPreserveHost on +        ProxyPass        /ws/ ws://${NAME}/ws/ +        ProxyPassReverse /ws/ ws://${NAME}/ws/ +        ProxyPass        / http://${NAME}/ +        ProxyPassReverse / http://${NAME}/ +      </VirtualHost> +- apiVersion: v1 +  kind: ConfigMap +  metadata: +    name: "${HTTPD_SERVICE_NAME}-auth-configs" +  data: +    auth-type: internal +    auth-configuration.conf: | +      # External Authentication Configuration File +      # +      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +    annotations: +      description: Exposes the httpd server +      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' +  spec: +    ports: +    - name: http +      port: 80 +      targetPort: 80 +    selector: +      name: httpd +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy httpd +  spec: +    strategy: +      type: Recreate +      recreateParams: +        
timeoutSeconds: 1200 +    triggers: +    - type: ConfigChange +    replicas: 1 +    selector: +      name: "${HTTPD_SERVICE_NAME}" +    template: +      metadata: +        name: "${HTTPD_SERVICE_NAME}" +        labels: +          name: "${HTTPD_SERVICE_NAME}" +      spec: +        volumes: +        - name: httpd-config +          configMap: +            name: "${HTTPD_SERVICE_NAME}-configs" +        - name: httpd-auth-config +          configMap: +            name: "${HTTPD_SERVICE_NAME}-auth-configs" +        containers: +        - name: httpd +          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" +          ports: +          - containerPort: 80 +          livenessProbe: +            exec: +              command: +              - pidof +              - httpd +            initialDelaySeconds: 15 +            timeoutSeconds: 3 +          readinessProbe: +            tcpSocket: +              port: 80 +            initialDelaySeconds: 10 +            timeoutSeconds: 3 +          volumeMounts: +          - name: httpd-config +            mountPath: "${HTTPD_CONFIG_DIR}" +          - name: httpd-auth-config +            mountPath: "${HTTPD_AUTH_CONFIG_DIR}" +          resources: +            requests: +              memory: "${HTTPD_MEM_REQ}" +              cpu: "${HTTPD_CPU_REQ}" +            limits: +              memory: "${HTTPD_MEM_LIMIT}" +          env: +          - name: HTTPD_AUTH_TYPE +            valueFrom: +              configMapKeyRef: +                name: "${HTTPD_SERVICE_NAME}-auth-configs" +                key: auth-type +          lifecycle: +            postStart: +              exec: +                command: +                - "/usr/bin/save-container-environment" +        serviceAccount: cfme-httpd +        serviceAccountName: cfme-httpd +parameters: +- name: NAME +  displayName: Name +  required: true +  description: The name assigned to all of the frontend objects defined in this template. 
+  value: cloudforms +- name: V2_KEY +  displayName: CloudForms Encryption Key +  required: true +  description: Encryption Key for CloudForms Passwords +  from: "[a-zA-Z0-9]{43}" +  generate: expression +- name: DATABASE_SERVICE_NAME +  displayName: PostgreSQL Service Name +  required: true +  description: The name of the OpenShift Service exposed for the PostgreSQL container. +  value: postgresql +- name: DATABASE_USER +  displayName: PostgreSQL User +  required: true +  description: PostgreSQL user that will access the database. +  value: root +- name: DATABASE_PASSWORD +  displayName: PostgreSQL Password +  required: true +  description: Password for the PostgreSQL user. +  from: "[a-zA-Z0-9]{8}" +  generate: expression +- name: DATABASE_IP +  displayName: PostgreSQL Server IP +  required: true +  description: PostgreSQL external server IP used to configure service. +  value: '' +- name: DATABASE_PORT +  displayName: PostgreSQL Server Port +  required: true +  description: PostgreSQL external server port used to configure service. +  value: '5432' +- name: DATABASE_NAME +  required: true +  displayName: PostgreSQL Database Name +  description: Name of the PostgreSQL database accessed. +  value: vmdb_production +- name: DATABASE_REGION +  required: true +  displayName: Application Database Region +  description: Database region that will be used for application. +  value: '0' +- name: ANSIBLE_DATABASE_NAME +  displayName: Ansible PostgreSQL database name +  required: true +  description: The database to be used by the Ansible continer +  value: awx +- name: MEMCACHED_SERVICE_NAME +  required: true +  displayName: Memcached Service Name +  description: The name of the OpenShift Service exposed for the Memcached container. +  value: memcached +- name: MEMCACHED_MAX_MEMORY +  displayName: Memcached Max Memory +  description: Memcached maximum memory for memcached object storage in MB. 
+  value: '64' +- name: MEMCACHED_MAX_CONNECTIONS +  displayName: Memcached Max Connections +  description: Memcached maximum number of connections allowed. +  value: '1024' +- name: MEMCACHED_SLAB_PAGE_SIZE +  displayName: Memcached Slab Page Size +  description: Memcached size of each slab page. +  value: 1m +- name: ANSIBLE_SERVICE_NAME +  displayName: Ansible Service Name +  description: The name of the OpenShift Service exposed for the Ansible container. +  value: ansible +- name: ANSIBLE_ADMIN_PASSWORD +  displayName: Ansible admin User password +  required: true +  description: The password for the Ansible container admin user +  from: "[a-zA-Z0-9]{32}" +  generate: expression +- name: ANSIBLE_SECRET_KEY +  displayName: Ansible Secret Key +  required: true +  description: Encryption key for the Ansible container +  from: "[a-f0-9]{32}" +  generate: expression +- name: ANSIBLE_RABBITMQ_USER_NAME +  displayName: RabbitMQ Username +  required: true +  description: Username for the Ansible RabbitMQ Server +  value: ansible +- name: ANSIBLE_RABBITMQ_PASSWORD +  displayName: RabbitMQ Server Password +  required: true +  description: Password for the Ansible RabbitMQ Server +  from: "[a-zA-Z0-9]{32}" +  generate: expression +- name: APPLICATION_CPU_REQ +  displayName: Application Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Application container will need (expressed in millicores). +  value: 1000m +- name: MEMCACHED_CPU_REQ +  displayName: Memcached Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). +  value: 200m +- name: ANSIBLE_CPU_REQ +  displayName: Ansible Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). 
+  value: 1000m +- name: APPLICATION_MEM_REQ +  displayName: Application Min RAM Requested +  required: true +  description: Minimum amount of memory the Application container will need. +  value: 6144Mi +- name: MEMCACHED_MEM_REQ +  displayName: Memcached Min RAM Requested +  required: true +  description: Minimum amount of memory the Memcached container will need. +  value: 64Mi +- name: ANSIBLE_MEM_REQ +  displayName: Ansible Min RAM Requested +  required: true +  description: Minimum amount of memory the Ansible container will need. +  value: 2048Mi +- name: APPLICATION_MEM_LIMIT +  displayName: Application Max RAM Limit +  required: true +  description: Maximum amount of memory the Application container can consume. +  value: 16384Mi +- name: MEMCACHED_MEM_LIMIT +  displayName: Memcached Max RAM Limit +  required: true +  description: Maximum amount of memory the Memcached container can consume. +  value: 256Mi +- name: ANSIBLE_MEM_LIMIT +  displayName: Ansible Max RAM Limit +  required: true +  description: Maximum amount of memory the Ansible container can consume. +  value: 8096Mi +- name: MEMCACHED_IMG_NAME +  displayName: Memcached Image Name +  description: This is the Memcached image name requested to deploy. +  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached +- name: MEMCACHED_IMG_TAG +  displayName: Memcached Image Tag +  description: This is the Memcached image tag/version requested to deploy. +  value: latest +- name: FRONTEND_APPLICATION_IMG_NAME +  displayName: Frontend Application Image Name +  description: This is the Frontend Application image name requested to deploy. +  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui +- name: BACKEND_APPLICATION_IMG_NAME +  displayName: Backend Application Image Name +  description: This is the Backend Application image name requested to deploy. 
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app +- name: FRONTEND_APPLICATION_IMG_TAG +  displayName: Front end Application Image Tag +  description: This is the CloudForms Frontend Application image tag/version requested to deploy. +  value: latest +- name: BACKEND_APPLICATION_IMG_TAG +  displayName: Back end Application Image Tag +  description: This is the CloudForms Backend Application image tag/version requested to deploy. +  value: latest +- name: ANSIBLE_IMG_NAME +  displayName: Ansible Image Name +  description: This is the Ansible image name requested to deploy. +  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible +- name: ANSIBLE_IMG_TAG +  displayName: Ansible Image Tag +  description: This is the Ansible image tag/version requested to deploy. +  value: latest +- name: APPLICATION_DOMAIN +  displayName: Application Hostname +  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. +  value: '' +- name: APPLICATION_REPLICA_COUNT +  displayName: Application Replica Count +  description: This is the number of Application replicas requested to deploy. +  value: '1' +- name: APPLICATION_INIT_DELAY +  displayName: Application Init Delay +  required: true +  description: Delay in seconds before we attempt to initialize the application. +  value: '15' +- name: APPLICATION_VOLUME_CAPACITY +  displayName: Application Volume Capacity +  required: true +  description: Volume space available for application data. +  value: 5Gi +- name: HTTPD_SERVICE_NAME +  required: true +  displayName: Apache httpd Service Name +  description: The name of the OpenShift Service exposed for the httpd container. +  value: httpd +- name: HTTPD_IMG_NAME +  displayName: Apache httpd Image Name +  description: This is the httpd image name requested to deploy. 
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd +- name: HTTPD_IMG_TAG +  displayName: Apache httpd Image Tag +  description: This is the httpd image tag/version requested to deploy. +  value: latest +- name: HTTPD_CONFIG_DIR +  displayName: Apache httpd Configuration Directory +  description: Directory used to store the Apache configuration files. +  value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR +  displayName: External Authentication Configuration Directory +  description: Directory used to store the external authentication configuration files. +  value: "/etc/httpd/auth-conf.d" +- name: HTTPD_CPU_REQ +  displayName: Apache httpd Min CPU Requested +  required: true +  description: Minimum amount of CPU time the httpd container will need (expressed in millicores). +  value: 500m +- name: HTTPD_MEM_REQ +  displayName: Apache httpd Min RAM Requested +  required: true +  description: Minimum amount of memory the httpd container will need. +  value: 512Mi +- name: HTTPD_MEM_LIMIT +  displayName: Apache httpd Max RAM Limit +  required: true +  description: Maximum amount of memory the httpd container can consume. +  value: 8192Mi diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml new file mode 100644 index 000000000..d7c9f5af7 --- /dev/null +++ b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml 
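Review bot: `DATABASE_PASSWORD` is generated from `[a-zA-Z0-9]{8}`, which is far weaker than the 32-character `from:` expressions used for `ANSIBLE_ADMIN_PASSWORD` and `ANSIBLE_RABBITMQ_PASSWORD` in the same parameters block, and that value is the credential for the external PostgreSQL host (embedded in `database-url`, handed to the Ansible container as `POSTGRESQL_PASSWORD`, and paired with the default `DATABASE_USER: root`). Bring it in line with the others: `from: "[a-zA-Z0-9]{32}"`. Separately, the Ansible DeploymentConfig sets `securityContext: privileged: true` under the `cfme-privileged` service account, and every `*_IMG_NAME` defaults to an internal build host with a `latest` tag; the privileged requirement deserves a comment explaining why it is needed, and the defaults should point at a customer-reachable registry with a pinned tag. The 763-line template hunk is shown in full here, so these line references are all inside it.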
@@ -0,0 +1,940 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms
+metadata:
+  name: cloudforms
+  annotations:
+    description: CloudForms appliance with persistent storage
+    tags: instant-app,cloudforms,cfme
+    iconClass: icon-rails
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-orchestrator
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-anyuid
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-privileged
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-httpd
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${NAME}-secrets"
+  stringData:
+    pg-password: "${DATABASE_PASSWORD}"
+    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+    v2-key: "${V2_KEY}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}-secrets"
+  stringData:
+    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+    secret-key: "${ANSIBLE_SECRET_KEY}"
+    admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}-configs"
+  data:
+    01_miq_overrides.conf: |
+      #------------------------------------------------------------------------------
+      # CONNECTIONS AND AUTHENTICATION
+      #------------------------------------------------------------------------------
+
+      tcp_keepalives_count = 9
+      tcp_keepalives_idle = 3
+      tcp_keepalives_interval = 75
+
+      #------------------------------------------------------------------------------
+      # RESOURCE USAGE (except WAL)
+      #------------------------------------------------------------------------------
+
+      shared_preload_libraries = 'pglogical,repmgr_funcs'
+      max_worker_processes = 10
+
+      #------------------------------------------------------------------------------
+      # WRITE AHEAD LOG
+      #------------------------------------------------------------------------------
+
+      wal_level = 'logical'
+      wal_log_hints = on
+      wal_buffers = 16MB
+      checkpoint_completion_target = 0.9
+
+      #------------------------------------------------------------------------------
+      # REPLICATION
+      #------------------------------------------------------------------------------
+
+      max_wal_senders = 10
+      wal_sender_timeout = 0
+      max_replication_slots = 10
+      hot_standby = on
+
+      #------------------------------------------------------------------------------
+      # ERROR REPORTING AND LOGGING
+      #------------------------------------------------------------------------------
+
+      log_filename = 'postgresql.log'
+      log_rotation_age = 0
+      log_min_duration_statement = 5000
+      log_connections = on
+      log_disconnections = on
+      log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+      log_lock_waits = on
+
+      #------------------------------------------------------------------------------
+      # AUTOVACUUM PARAMETERS
+      #------------------------------------------------------------------------------
+
+      log_autovacuum_min_duration = 0
+      autovacuum_naptime = 5min
+      autovacuum_vacuum_threshold = 500
+      autovacuum_analyze_threshold = 500
+      autovacuum_vacuum_scale_factor = 0.05
+
+      #------------------------------------------------------------------------------
+      # LOCK MANAGEMENT
+      #------------------------------------------------------------------------------
+
+      deadlock_timeout = 5s
+
+      #------------------------------------------------------------------------------
+      # VERSION/PLATFORM COMPATIBILITY
+      #------------------------------------------------------------------------------
+
+      escape_string_warning = off
+      standard_conforming_strings = off
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-configs"
+  data:
+    application.conf: |
+      # Timeout: The number of seconds before receives and sends time out.
+      Timeout 120
+
+      RewriteEngine On
+      Options SymLinksIfOwnerMatch
+
+      <VirtualHost *:80>
+        KeepAlive on
+        ProxyPreserveHost on
+        ProxyPass        /ws/ ws://${NAME}/ws/
+        ProxyPassReverse /ws/ ws://${NAME}/ws/
+        ProxyPass        / http://${NAME}/
+        ProxyPassReverse / http://${NAME}/
+      </VirtualHost>
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-auth-configs"
+  data:
+    auth-type: internal
+    auth-configuration.conf: |
+      # External Authentication Configuration File
+      #
+      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances CloudForms pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${NAME}"
+  spec:
+    clusterIP: None
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    selector:
+      name: "${NAME}"
+- apiVersion: v1
+  kind: Route
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+  spec:
+    host: "${APPLICATION_DOMAIN}"
+    port:
+      targetPort: http
+    tls:
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
+    to:
+      kind: Service
+      name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: v1
+  kind: PersistentVolumeClaim
+  metadata:
+    name: "${NAME}-${DATABASE_SERVICE_NAME}"
+  spec:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: "${DATABASE_VOLUME_CAPACITY}"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}"
+    replicas: "${APPLICATION_REPLICA_COUNT}"
+    template:
+      metadata:
+        labels:
+          name: "${NAME}"
+        name: "${NAME}"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_REGION
+            value: "${DATABASE_REGION}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Headless service for CloudForms backend pods
+    name: "${NAME}-backend"
+  spec:
+    clusterIP: None
+    selector:
+      name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}-backend"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}-backend"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${NAME}-backend"
+        name: "${NAME}-backend"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - MIQ Server
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MIQ_SERVER_DEFAULT_ROLES
+            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+          - name: FRONTEND_SERVICE_NAME
+            value: "${NAME}"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Exposes the memcached server
+  spec:
+    ports:
+    - name: memcached
+      port: 11211
+      targetPort: 11211
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy memcached
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${MEMCACHED_SERVICE_NAME}"
+        labels:
+          name: "${MEMCACHED_SERVICE_NAME}"
+      spec:
+        volumes: []
+        containers:
+        - name: memcached
+          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+          ports:
+          - containerPort: 11211
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 5
+            tcpSocket:
+              port: 11211
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 30
+            tcpSocket:
+              port: 11211
+          volumeMounts: []
+          env:
+          - name: MEMCACHED_MAX_MEMORY
+            value: "${MEMCACHED_MAX_MEMORY}"
+          - name: MEMCACHED_MAX_CONNECTIONS
+            value: "${MEMCACHED_MAX_CONNECTIONS}"
+          - name: MEMCACHED_SLAB_PAGE_SIZE
+            value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+          resources:
+            requests:
+              memory: "${MEMCACHED_MEM_REQ}"
+              cpu: "${MEMCACHED_CPU_REQ}"
+            limits:
+              memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Exposes the database server
+  spec:
+    ports:
+    - name: postgresql
+      port: 5432
+      targetPort: 5432
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the database
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${DATABASE_SERVICE_NAME}"
+        labels:
+          name: "${DATABASE_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: cfme-pgdb-volume
+          persistentVolumeClaim:
+            claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+        - name: cfme-pg-configs
+          configMap:
+            name: "${DATABASE_SERVICE_NAME}-configs"
+        containers:
+        - name: postgresql
+          image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+          ports:
+          - containerPort: 5432
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 15
+            exec:
+              command:
+              - "/bin/sh"
+              - "-i"
+              - "-c"
+              - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 60
+            tcpSocket:
+              port: 5432
+          volumeMounts:
+          - name: cfme-pgdb-volume
+            mountPath: "/var/lib/pgsql/data"
+          - name: cfme-pg-configs
+            mountPath: "${POSTGRESQL_CONFIG_DIR}"
+          env:
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${DATABASE_NAME}"
+          - name: POSTGRESQL_MAX_CONNECTIONS
+            value: "${POSTGRESQL_MAX_CONNECTIONS}"
+          - name: POSTGRESQL_SHARED_BUFFERS
+            value: "${POSTGRESQL_SHARED_BUFFERS}"
+          - name: POSTGRESQL_CONFIG_DIR
+            value: "${POSTGRESQL_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${POSTGRESQL_MEM_REQ}"
+              cpu: "${POSTGRESQL_CPU_REQ}"
+            limits:
+              memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances Ansible pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${ANSIBLE_SERVICE_NAME}"
+  spec:
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the Ansible appliance
+  spec:
+    strategy:
+      type: Recreate
+    serviceName: "${ANSIBLE_SERVICE_NAME}"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${ANSIBLE_SERVICE_NAME}"
+        name: "${ANSIBLE_SERVICE_NAME}"
+      spec:
+        containers:
+        - name: ansible
+          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          securityContext:
+            privileged: true
+          env:
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          - name: RABBITMQ_USER_NAME
+            value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+          - name: RABBITMQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: rabbit-password
+          - name: ANSIBLE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: secret-key
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${ANSIBLE_DATABASE_NAME}"
+          resources:
+            requests:
+              memory: "${ANSIBLE_MEM_REQ}"
+              cpu: "${ANSIBLE_CPU_REQ}"
+            limits:
+              memory: "${ANSIBLE_MEM_LIMIT}"
+        serviceAccount: cfme-privileged
+        serviceAccountName: cfme-privileged
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Exposes the httpd server
+      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+  spec:
+    ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    selector:
+      name: httpd
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy httpd
+  spec:
+    strategy:
+      type: Recreate
+      recreateParams:
+        timeoutSeconds: 1200
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${HTTPD_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${HTTPD_SERVICE_NAME}"
+        labels:
+          name: "${HTTPD_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: httpd-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-configs"
+        - name: httpd-auth-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-auth-configs"
+        containers:
+        - name: httpd
+          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+          ports:
+          - containerPort: 80
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - httpd
+            initialDelaySeconds: 15
+            timeoutSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 10
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: httpd-config
+            mountPath: "${HTTPD_CONFIG_DIR}"
+          - name: httpd-auth-config
+            mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${HTTPD_MEM_REQ}"
+              cpu: "${HTTPD_CPU_REQ}"
+            limits:
+              memory: "${HTTPD_MEM_LIMIT}"
+          env:
+          - name: HTTPD_AUTH_TYPE
+            valueFrom:
+              configMapKeyRef:
+                name: "${HTTPD_SERVICE_NAME}-auth-configs"
+                key: auth-type
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - "/usr/bin/save-container-environment"
+        serviceAccount: cfme-httpd
+        serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+  displayName: Name
+  required: true
+  description: The name assigned to all of the frontend objects defined in this template.
+  value: cloudforms
+- name: V2_KEY
+  displayName: CloudForms Encryption Key
+  required: true
+  description: Encryption Key for CloudForms Passwords
+  from: "[a-zA-Z0-9]{43}"
+  generate: expression
+- name: DATABASE_SERVICE_NAME
+  displayName: PostgreSQL Service Name
+  required: true
+  description: The name of the OpenShift Service exposed for the PostgreSQL container.
+  value: postgresql
+- name: DATABASE_USER
+  displayName: PostgreSQL User
+  required: true
+  description: PostgreSQL user that will access the database.
+  value: root
+- name: DATABASE_PASSWORD
+  displayName: PostgreSQL Password
+  required: true
+  description: Password for the PostgreSQL user.
+  from: "[a-zA-Z0-9]{8}"
+  generate: expression
+- name: DATABASE_NAME
+  required: true
+  displayName: PostgreSQL Database Name
+  description: Name of the PostgreSQL database accessed.
+  value: vmdb_production
+- name: DATABASE_REGION
+  required: true
+  displayName: Application Database Region
+  description: Database region that will be used for application.
+  value: '0'
+- name: ANSIBLE_DATABASE_NAME
+  displayName: Ansible PostgreSQL database name
+  required: true
+  description: The database to be used by the Ansible continer
+  value: awx
+- name: MEMCACHED_SERVICE_NAME
+  required: true
+  displayName: Memcached Service Name
+  description: The name of the OpenShift Service exposed for the Memcached container.
+  value: memcached
+- name: MEMCACHED_MAX_MEMORY
+  displayName: Memcached Max Memory
+  description: Memcached maximum memory for memcached object storage in MB.
+  value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+  displayName: Memcached Max Connections
+  description: Memcached maximum number of connections allowed.
+  value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+  displayName: Memcached Slab Page Size
+  description: Memcached size of each slab page.
+  value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+  displayName: PostgreSQL Configuration Overrides
+  description: Directory used to store PostgreSQL configuration overrides.
+  value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+  displayName: PostgreSQL Max Connections
+  description: PostgreSQL maximum number of database connections allowed.
+  value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+  displayName: PostgreSQL Shared Buffer Amount
+  description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+  value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+  displayName: Ansible Service Name
+  description: The name of the OpenShift Service exposed for the Ansible container.
+  value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+  displayName: Ansible admin User password
+  required: true
+  description: The password for the Ansible container admin user
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: ANSIBLE_SECRET_KEY
+  displayName: Ansible Secret Key
+  required: true
+  description: Encryption key for the Ansible container
+  from: "[a-f0-9]{32}"
+  generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+  displayName: RabbitMQ Username
+  required: true
+  description: Username for the Ansible RabbitMQ Server
+  value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+  displayName: RabbitMQ Server Password
+  required: true
+  description: Password for the Ansible RabbitMQ Server
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: APPLICATION_CPU_REQ
+  displayName: Application Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+  value: 1000m
+- name: POSTGRESQL_CPU_REQ
+  displayName: PostgreSQL Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+  value: 500m
+- name: MEMCACHED_CPU_REQ
+  displayName: Memcached Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+  value: 200m
+- name: ANSIBLE_CPU_REQ
+  displayName: Ansible Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+  value: 1000m
+- name: APPLICATION_MEM_REQ
+  displayName: Application Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Application container will need.
+  value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+  displayName: PostgreSQL Min RAM Requested
+  required: true
+  description: Minimum amount of memory the PostgreSQL container will need.
+  value: 4Gi
+- name: MEMCACHED_MEM_REQ
+  displayName: Memcached Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Memcached container will need.
+  value: 64Mi
+- name: ANSIBLE_MEM_REQ
+  displayName: Ansible Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Ansible container will need.
+  value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+  displayName: Application Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Application container can consume.
+  value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+  displayName: PostgreSQL Max RAM Limit
+  required: true
+  description: Maximum amount of memory the PostgreSQL container can consume.
+  value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+  displayName: Memcached Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Memcached container can consume.
+  value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+  displayName: Ansible Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Ansible container can consume.
+  value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+  displayName: PostgreSQL Image Name
+  description: This is the PostgreSQL image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql
+- name: POSTGRESQL_IMG_TAG
+  displayName: PostgreSQL Image Tag
+  description: This is the PostgreSQL image tag/version requested to deploy.
+  value: latest
+- name: MEMCACHED_IMG_NAME
+  displayName: Memcached Image Name
+  description: This is the Memcached image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+  displayName: Memcached Image Tag
+  description: This is the Memcached image tag/version requested to deploy.
+  value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+  displayName: Frontend Application Image Name
+  description: This is the Frontend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+  displayName: Backend Application Image Name
+  description: This is the Backend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+  displayName: Front end Application Image Tag
+  description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+  value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+  displayName: Back end Application Image Tag
+  description: This is the CloudForms Backend Application image tag/version requested to deploy.
+  value: latest
+- name: ANSIBLE_IMG_NAME
+  displayName: Ansible Image Name
+  description: This is the Ansible image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+  displayName: Ansible Image Tag
+  description: This is the Ansible image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_DOMAIN
+  displayName: Application Hostname
+  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+  value: ''
+- name: APPLICATION_REPLICA_COUNT
+  displayName: Application Replica Count
+  description: This is the number of Application replicas requested to deploy.
+  value: '1'
+- name: APPLICATION_INIT_DELAY
+  displayName: Application Init Delay
+  required: true
+  description: Delay in seconds before we attempt to initialize the application.
+  value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+  displayName: Application Volume Capacity
+  required: true
+  description: Volume space available for application data.
+  value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+  displayName: Database Volume Capacity
+  required: true
+  description: Volume space available for database.
+  value: 15Gi
+- name: HTTPD_SERVICE_NAME
+  required: true
+  displayName: Apache httpd Service Name
+  description: The name of the OpenShift Service exposed for the httpd container.
+  value: httpd
+- name: HTTPD_IMG_NAME
+  displayName: Apache httpd Image Name
+  description: This is the httpd image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+  displayName: Apache httpd Image Tag
+  description: This is the httpd image tag/version requested to deploy.
+  value: latest
+- name: HTTPD_CONFIG_DIR
+  displayName: Apache Configuration Directory
+  description: Directory used to store the Apache configuration files.
+  value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+  displayName: External Authentication Configuration Directory
+  description: Directory used to store the external authentication configuration files.
+  value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+  displayName: Apache httpd Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+  value: 500m
+- name: HTTPD_MEM_REQ
+  displayName: Apache httpd Min RAM Requested
+  required: true
+  description: Minimum amount of memory the httpd container will need.
+  value: 512Mi
+- name: HTTPD_MEM_LIMIT
+  displayName: Apache httpd Max RAM Limit
+  required: true
+  description: Maximum amount of memory the httpd container can consume.
+  value: 8192Mi
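Review bot: The `${HTTPD_SERVICE_NAME}` Service near the end of the hunk selects pods with the literal `name: httpd`, while the httpd DeploymentConfig right after it labels its pods `name: "${HTTPD_SERVICE_NAME}"`; with any non-default HTTPD_SERVICE_NAME the Route fronts a Service with no endpoints, so the selector should read `name: "${HTTPD_SERVICE_NAME}"`. DATABASE_PASSWORD is generated from `[a-zA-Z0-9]{8}` for the `root` PostgreSQL role, whereas the Ansible admin and RabbitMQ passwords in the same parameter list use `{32}`; `from: "[a-zA-Z0-9]{32}"` would match them and remove the weakest generated credential in the template. The frontend StatefulSet sets `replicas: "${APPLICATION_REPLICA_COUNT}"`, which substitutes a quoted string into an integer field; if the targeted OpenShift release does not coerce it, the `${{APPLICATION_REPLICA_COUNT}}` form is the one intended for non-string fields, so this is worth confirming before merge. The Ansible DeploymentConfig also runs its container with `privileged: true` under the `cfme-privileged` service account; a one-line comment above `securityContext` stating why the embedded-ansible image needs that would help whoever reviews the SCC grant that accompanies it.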
diff --git a/roles/openshift_management/files/templates/manageiq/miq-backup-job.yaml b/roles/openshift_management/files/templates/manageiq/miq-backup-job.yaml
new file mode 100644
index 000000000..044cb73a5
--- /dev/null
+++ b/roles/openshift_management/files/templates/manageiq/miq-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: manageiq-backup
+spec:
+  template:
+    metadata:
+      name: manageiq-backup
+    spec:
+      containers:
+      - name: postgresql
+        image: docker.io/manageiq/postgresql:latest
+        command:
+        - "/opt/manageiq/container-scripts/backup_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: manageiq-secrets
+              key: database-url
+        volumeMounts:
+        - name: miq-backup-vol
+          mountPath: "/backups"
+      volumes:
+      - name: miq-backup-vol
+        persistentVolumeClaim:
+          claimName: manageiq-backup
+      restartPolicy: Never
diff --git a/roles/openshift_management/files/templates/manageiq/miq-backup-pvc.yaml b/roles/openshift_management/files/templates/manageiq/miq-backup-pvc.yaml
new file mode 100644
index 000000000..25696ef23
--- /dev/null
+++ b/roles/openshift_management/files/templates/manageiq/miq-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: manageiq-backup
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 15Gi
diff --git a/roles/openshift_management/files/templates/manageiq/miq-pv-backup-example.yaml b/roles/openshift_management/files/templates/manageiq/miq-pv-backup-example.yaml
new file mode 100644
index 000000000..a5cf54d4e
--- /dev/null
+++ b/roles/openshift_management/files/templates/manageiq/miq-pv-backup-example.yaml
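Review bot: The backup Job pulls `docker.io/manageiq/postgresql:latest`, so the tooling that produces the database dump can change underneath the role between runs; pinning to a specific tag (or a digest) keeps the backup reproducible and reviewable. The Job also sets `restartPolicy: Never` without a `spec.backoffLimit`, so a failing `backup_db` run is presumably retried up to the controller's default before the Job is marked failed; stating the intended limit explicitly, e.g. `backoffLimit: 2` under `spec`, makes that behaviour visible. Because the container reads `database-url` from `manageiq-secrets` and writes a full dump to the `manageiq-backup` claim, that PVC holds the same data the secret protects; a short comment in the file noting that the backup volume needs the same access controls as the database volume would be useful to operators.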
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: miq-pv03
+spec:
+  capacity:
+    storage: 15Gi
+  accessModes:
+  - ReadWriteOnce
+  nfs:
+    path: "/exports/miq-pv03"
+    server: "<your-nfs-host-here>"
+  persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_management/files/templates/manageiq/miq-pv-db-example.yaml b/roles/openshift_management/files/templates/manageiq/miq-pv-db-example.yaml
new file mode 100644
index 000000000..a803bebe2
--- /dev/null
+++ b/roles/openshift_management/files/templates/manageiq/miq-pv-db-example.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq-db-pv
+metadata:
+  name: manageiq-db-pv
+  annotations:
+    description: PV Template for MIQ PostgreSQL DB
+    tags: PVS, MIQ
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: miq-db
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/miq-db"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for DB
+  required: true
+  description: The size of the MIQ DB PV given in Gi
+  value: 15Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_management/files/templates/manageiq/miq-pv-server-example.yaml b/roles/openshift_management/files/templates/manageiq/miq-pv-server-example.yaml
new file mode 100644
index 000000000..1288544d1
--- /dev/null
+++ b/roles/openshift_management/files/templates/manageiq/miq-pv-server-example.yaml
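Review bot: miq-pv-backup-example.yaml is a bare PersistentVolume with the literal placeholder `server: "<your-nfs-host-here>"` and a fixed `miq-pv03` name, whereas the db and server examples on this line and at L227 are Templates that take `NFS_HOST` as a required parameter; applying the backup example as-is creates a PV that points at the placeholder string rather than failing early. Restructuring it as a Template with the same `PV_SIZE`/`BASE_PATH`/`NFS_HOST` parameters would make `oc process` reject a missing host and keep the three examples consistent. A short header comment on the two Template examples stating that the NFS export must already exist and be writable by the pod's uid would also help, since nothing in the files says how `${BASE_PATH}/miq-db` is expected to be provisioned.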
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq-app-pv
+metadata:
+  name: manageiq-app-pv
+  annotations:
+    description: PV Template for MIQ Server
+    tags: PVS, MIQ
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: miq-app
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/miq-app"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for App
+  required: true
+  description: The size of the MIQ APP PV given in Gi
+  value: 5Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_management/files/templates/manageiq/miq-restore-job.yaml b/roles/openshift_management/files/templates/manageiq/miq-restore-job.yaml
new file mode 100644
index 000000000..eea284dd4
--- /dev/null
+++ b/roles/openshift_management/files/templates/manageiq/miq-restore-job.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: manageiq-restore
+spec:
+  template:
+    metadata:
+      name: manageiq-restore
+    spec:
+      containers:
+      - name: postgresql
+        image: docker.io/manageiq/postgresql:latest
+        command:
+        - "/opt/manageiq/container-scripts/restore_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: manageiq-secrets
+              key: database-url
+        - name: BACKUP_VERSION
+          value: latest
+        volumeMounts:
+        - name: miq-backup-vol
+          mountPath: "/backups"
+        - name: miq-prod-vol
+          mountPath: "/restore"
+      volumes:
+      - name: miq-backup-vol
+        persistentVolumeClaim:
+          claimName: manageiq-backup
+      - name: miq-prod-vol
+        persistentVolumeClaim:
+          claimName: manageiq-postgresql
+      restartPolicy: Never
diff --git a/roles/openshift_management/files/templates/manageiq/miq-template-ext-db.yaml b/roles/openshift_management/files/templates/manageiq/miq-template-ext-db.yaml
new file mode 100644
index 000000000..82cd5d49e
--- /dev/null
+++ b/roles/openshift_management/files/templates/manageiq/miq-template-ext-db.yaml
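Review bot: The restore job mounts the production database claim `manageiq-postgresql` at `/restore` and writes to it via `restore_db`, but nothing in the file states the precondition that the database pod must not be using that claim at the same time; a comment above the `miq-prod-vol` volume such as `# Scale the PostgreSQL deployment to 0 before creating this job; it writes directly into the live database claim` would prevent a destructive mistake (presumably the script assumes an idle data directory — confirm against the container script). `BACKUP_VERSION: latest` is also undocumented: a one-line comment saying which naming under `/backups` it selects, and that an explicit timestamped version is the safer choice, would help the operator. The `:latest` image tag and hardcoded `manageiq-secrets` name raised for the backup job at L225 apply here too.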
@@ -0,0 +1,771 @@ +apiVersion: v1 +kind: Template +labels: +  template: manageiq-ext-db +metadata: +  name: manageiq-ext-db +  annotations: +    description: ManageIQ appliance with persistent storage using a external DB host +    tags: instant-app,manageiq,miq +    iconClass: icon-rails +objects: +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-orchestrator +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-anyuid +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-privileged +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-httpd +- apiVersion: v1 +  kind: Secret +  metadata: +    name: "${NAME}-secrets" +  stringData: +    pg-password: "${DATABASE_PASSWORD}" +    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 +    v2-key: "${V2_KEY}" +- apiVersion: v1 +  kind: Secret +  metadata: +    name: "${ANSIBLE_SERVICE_NAME}-secrets" +  stringData: +    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" +    secret-key: "${ANSIBLE_SECRET_KEY}" +    admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Exposes and load balances ManageIQ pods +      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' +    name: "${NAME}" +  spec: +    clusterIP: None +    ports: +    - name: http +      port: 80 +      protocol: TCP +      targetPort: 80 +    selector: +      name: "${NAME}" +- apiVersion: v1 +  kind: Route +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +  spec: +    host: "${APPLICATION_DOMAIN}" +    port: +      targetPort: http +    tls: +      termination: edge +      insecureEdgeTerminationPolicy: Redirect +    to: +      kind: Service +      name: "${HTTPD_SERVICE_NAME}" +- apiVersion: 
apps/v1beta1 +  kind: StatefulSet +  metadata: +    name: "${NAME}" +    annotations: +      description: Defines how to deploy the ManageIQ appliance +  spec: +    serviceName: "${NAME}" +    replicas: "${APPLICATION_REPLICA_COUNT}" +    template: +      metadata: +        labels: +          name: "${NAME}" +        name: "${NAME}" +      spec: +        containers: +        - name: manageiq +          image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" +          livenessProbe: +            tcpSocket: +              port: 80 +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          readinessProbe: +            httpGet: +              path: "/" +              port: 80 +              scheme: HTTP +            initialDelaySeconds: 200 +            timeoutSeconds: 3 +          ports: +          - containerPort: 80 +            protocol: TCP +          volumeMounts: +          - name: "${NAME}-server" +            mountPath: "/persistent" +          env: +          - name: MY_POD_NAMESPACE +            valueFrom: +              fieldRef: +                fieldPath: metadata.namespace +          - name: APPLICATION_INIT_DELAY +            value: "${APPLICATION_INIT_DELAY}" +          - name: DATABASE_SERVICE_NAME +            value: "${DATABASE_SERVICE_NAME}" +          - name: DATABASE_REGION +            value: "${DATABASE_REGION}" +          - name: DATABASE_URL +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: database-url +          - name: MEMCACHED_SERVER +            value: "${MEMCACHED_SERVICE_NAME}:11211" +          - name: MEMCACHED_SERVICE_NAME +            value: "${MEMCACHED_SERVICE_NAME}" +          - name: V2_KEY +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: v2-key +          - name: ANSIBLE_SERVICE_NAME +            value: "${ANSIBLE_SERVICE_NAME}" +          - name: 
ANSIBLE_ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          resources: +            requests: +              memory: "${APPLICATION_MEM_REQ}" +              cpu: "${APPLICATION_CPU_REQ}" +            limits: +              memory: "${APPLICATION_MEM_LIMIT}" +          lifecycle: +            preStop: +              exec: +                command: +                - "/opt/manageiq/container-scripts/sync-pv-data" +        serviceAccount: miq-orchestrator +        serviceAccountName: miq-orchestrator +        terminationGracePeriodSeconds: 90 +    volumeClaimTemplates: +    - metadata: +        name: "${NAME}-server" +        annotations: +      spec: +        accessModes: +        - ReadWriteOnce +        resources: +          requests: +            storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Headless service for ManageIQ backend pods +    name: "${NAME}-backend" +  spec: +    clusterIP: None +    selector: +      name: "${NAME}-backend" +- apiVersion: apps/v1beta1 +  kind: StatefulSet +  metadata: +    name: "${NAME}-backend" +    annotations: +      description: Defines how to deploy the ManageIQ appliance +  spec: +    serviceName: "${NAME}-backend" +    replicas: 0 +    template: +      metadata: +        labels: +          name: "${NAME}-backend" +        name: "${NAME}-backend" +      spec: +        containers: +        - name: manageiq +          image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" +          livenessProbe: +            exec: +              command: +              - pidof +              - MIQ Server +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          volumeMounts: +          - name: "${NAME}-server" +            mountPath: "/persistent" +          env: +          - name: APPLICATION_INIT_DELAY +          
  value: "${APPLICATION_INIT_DELAY}" +          - name: DATABASE_URL +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: database-url +          - name: MIQ_SERVER_DEFAULT_ROLES +            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate +          - name: FRONTEND_SERVICE_NAME +            value: "${NAME}" +          - name: MEMCACHED_SERVER +            value: "${MEMCACHED_SERVICE_NAME}:11211" +          - name: V2_KEY +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: v2-key +          - name: ANSIBLE_SERVICE_NAME +            value: "${ANSIBLE_SERVICE_NAME}" +          - name: ANSIBLE_ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          resources: +            requests: +              memory: "${APPLICATION_MEM_REQ}" +              cpu: "${APPLICATION_CPU_REQ}" +            limits: +              memory: "${APPLICATION_MEM_LIMIT}" +          lifecycle: +            preStop: +              exec: +                command: +                - "/opt/manageiq/container-scripts/sync-pv-data" +        serviceAccount: miq-orchestrator +        serviceAccountName: miq-orchestrator +        terminationGracePeriodSeconds: 90 +    volumeClaimTemplates: +    - metadata: +        name: "${NAME}-server" +        annotations: +      spec: +        accessModes: +        - ReadWriteOnce +        resources: +          requests: +            storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${MEMCACHED_SERVICE_NAME}" +    annotations: +      description: Exposes the memcached server +  spec: +    ports: +    - name: memcached +      port: 11211 +      targetPort: 11211 +    selector: +      name: "${MEMCACHED_SERVICE_NAME}" +- 
apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${MEMCACHED_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy memcached +  spec: +    strategy: +      type: Recreate +    triggers: +    - type: ConfigChange +    replicas: 1 +    selector: +      name: "${MEMCACHED_SERVICE_NAME}" +    template: +      metadata: +        name: "${MEMCACHED_SERVICE_NAME}" +        labels: +          name: "${MEMCACHED_SERVICE_NAME}" +      spec: +        volumes: [] +        containers: +        - name: memcached +          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" +          ports: +          - containerPort: 11211 +          readinessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 5 +            tcpSocket: +              port: 11211 +          livenessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 30 +            tcpSocket: +              port: 11211 +          volumeMounts: [] +          env: +          - name: MEMCACHED_MAX_MEMORY +            value: "${MEMCACHED_MAX_MEMORY}" +          - name: MEMCACHED_MAX_CONNECTIONS +            value: "${MEMCACHED_MAX_CONNECTIONS}" +          - name: MEMCACHED_SLAB_PAGE_SIZE +            value: "${MEMCACHED_SLAB_PAGE_SIZE}" +          resources: +            requests: +              memory: "${MEMCACHED_MEM_REQ}" +              cpu: "${MEMCACHED_CPU_REQ}" +            limits: +              memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${DATABASE_SERVICE_NAME}" +    annotations: +      description: Remote database service +  spec: +    ports: +    - name: postgresql +      port: 5432 +      targetPort: "${{DATABASE_PORT}}" +    selector: {} +- apiVersion: v1 +  kind: Endpoints +  metadata: +    name: "${DATABASE_SERVICE_NAME}" +  subsets: +  - addresses: +    - ip: "${DATABASE_IP}" +    ports: +    - port: "${{DATABASE_PORT}}" +      name: postgresql +- apiVersion: v1 +  kind: Service +  
metadata: +    annotations: +      description: Exposes and load balances Ansible pods +      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' +    name: "${ANSIBLE_SERVICE_NAME}" +  spec: +    ports: +    - name: http +      port: 80 +      protocol: TCP +      targetPort: 80 +    - name: https +      port: 443 +      protocol: TCP +      targetPort: 443 +    selector: +      name: "${ANSIBLE_SERVICE_NAME}" +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${ANSIBLE_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy the Ansible appliance +  spec: +    strategy: +      type: Recreate +    serviceName: "${ANSIBLE_SERVICE_NAME}" +    replicas: 0 +    template: +      metadata: +        labels: +          name: "${ANSIBLE_SERVICE_NAME}" +        name: "${ANSIBLE_SERVICE_NAME}" +      spec: +        containers: +        - name: ansible +          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" +          livenessProbe: +            tcpSocket: +              port: 443 +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          readinessProbe: +            httpGet: +              path: "/" +              port: 443 +              scheme: HTTPS +            initialDelaySeconds: 200 +            timeoutSeconds: 3 +          ports: +          - containerPort: 80 +            protocol: TCP +          - containerPort: 443 +            protocol: TCP +          securityContext: +            privileged: true +          env: +          - name: ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          - name: RABBITMQ_USER_NAME +            value: "${ANSIBLE_RABBITMQ_USER_NAME}" +          - name: RABBITMQ_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: 
rabbit-password +          - name: ANSIBLE_SECRET_KEY +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: secret-key +          - name: DATABASE_SERVICE_NAME +            value: "${DATABASE_SERVICE_NAME}" +          - name: POSTGRESQL_USER +            value: "${DATABASE_USER}" +          - name: POSTGRESQL_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: pg-password +          - name: POSTGRESQL_DATABASE +            value: "${ANSIBLE_DATABASE_NAME}" +          resources: +            requests: +              memory: "${ANSIBLE_MEM_REQ}" +              cpu: "${ANSIBLE_CPU_REQ}" +            limits: +              memory: "${ANSIBLE_MEM_LIMIT}" +        serviceAccount: miq-privileged +        serviceAccountName: miq-privileged +- apiVersion: v1 +  kind: ConfigMap +  metadata: +    name: "${HTTPD_SERVICE_NAME}-configs" +  data: +    application.conf: | +      # Timeout: The number of seconds before receives and sends time out. 
+      Timeout 120 + +      RewriteEngine On +      Options SymLinksIfOwnerMatch + +      <VirtualHost *:80> +        KeepAlive on +        ProxyPreserveHost on +        ProxyPass        /ws/ ws://${NAME}/ws/ +        ProxyPassReverse /ws/ ws://${NAME}/ws/ +        ProxyPass        / http://${NAME}/ +        ProxyPassReverse / http://${NAME}/ +      </VirtualHost> +- apiVersion: v1 +  kind: ConfigMap +  metadata: +    name: "${HTTPD_SERVICE_NAME}-auth-configs" +  data: +    auth-type: internal +    auth-configuration.conf: | +      # External Authentication Configuration File +      # +      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +    annotations: +      description: Exposes the httpd server +      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' +  spec: +    ports: +    - name: http +      port: 80 +      targetPort: 80 +    selector: +      name: httpd +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy httpd +  spec: +    strategy: +      type: Recreate +      recreateParams: +        timeoutSeconds: 1200 +    triggers: +    - type: ConfigChange +    replicas: 1 +    selector: +      name: "${HTTPD_SERVICE_NAME}" +    template: +      metadata: +        name: "${HTTPD_SERVICE_NAME}" +        labels: +          name: "${HTTPD_SERVICE_NAME}" +      spec: +        volumes: +        - name: httpd-config +          configMap: +            name: "${HTTPD_SERVICE_NAME}-configs" +        - name: httpd-auth-config +          configMap: +            name: "${HTTPD_SERVICE_NAME}-auth-configs" +        containers: +        - name: httpd +          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" +          ports: +          - containerPort: 80 +          
livenessProbe: +            exec: +              command: +              - pidof +              - httpd +            initialDelaySeconds: 15 +            timeoutSeconds: 3 +          readinessProbe: +            tcpSocket: +              port: 80 +            initialDelaySeconds: 10 +            timeoutSeconds: 3 +          volumeMounts: +          - name: httpd-config +            mountPath: "${HTTPD_CONFIG_DIR}" +          - name: httpd-auth-config +            mountPath: "${HTTPD_AUTH_CONFIG_DIR}" +          resources: +            requests: +              memory: "${HTTPD_MEM_REQ}" +              cpu: "${HTTPD_CPU_REQ}" +            limits: +              memory: "${HTTPD_MEM_LIMIT}" +          env: +          - name: HTTPD_AUTH_TYPE +            valueFrom: +              configMapKeyRef: +                name: "${HTTPD_SERVICE_NAME}-auth-configs" +                key: auth-type +          lifecycle: +            postStart: +              exec: +                command: +                - "/usr/bin/save-container-environment" +        serviceAccount: miq-anyuid +        serviceAccountName: miq-anyuid +parameters: +- name: NAME +  displayName: Name +  required: true +  description: The name assigned to all of the frontend objects defined in this template. +  value: manageiq +- name: V2_KEY +  displayName: ManageIQ Encryption Key +  required: true +  description: Encryption Key for ManageIQ Passwords +  from: "[a-zA-Z0-9]{43}" +  generate: expression +- name: DATABASE_SERVICE_NAME +  displayName: PostgreSQL Service Name +  required: true +  description: The name of the OpenShift Service exposed for the PostgreSQL container. +  value: postgresql +- name: DATABASE_USER +  displayName: PostgreSQL User +  required: true +  description: PostgreSQL user that will access the database. +  value: root +- name: DATABASE_PASSWORD +  displayName: PostgreSQL Password +  required: true +  description: Password for the PostgreSQL user. 
+  from: "[a-zA-Z0-9]{8}" +  generate: expression +- name: DATABASE_IP +  displayName: PostgreSQL Server IP +  required: true +  description: PostgreSQL external server IP used to configure service. +  value: '' +- name: DATABASE_PORT +  displayName: PostgreSQL Server Port +  required: true +  description: PostgreSQL external server port used to configure service. +  value: '5432' +- name: DATABASE_NAME +  required: true +  displayName: PostgreSQL Database Name +  description: Name of the PostgreSQL database accessed. +  value: vmdb_production +- name: DATABASE_REGION +  required: true +  displayName: Application Database Region +  description: Database region that will be used for application. +  value: '0' +- name: ANSIBLE_DATABASE_NAME +  displayName: Ansible PostgreSQL database name +  required: true +  description: The database to be used by the Ansible continer +  value: awx +- name: MEMCACHED_SERVICE_NAME +  required: true +  displayName: Memcached Service Name +  description: The name of the OpenShift Service exposed for the Memcached container. +  value: memcached +- name: MEMCACHED_MAX_MEMORY +  displayName: Memcached Max Memory +  description: Memcached maximum memory for memcached object storage in MB. +  value: '64' +- name: MEMCACHED_MAX_CONNECTIONS +  displayName: Memcached Max Connections +  description: Memcached maximum number of connections allowed. +  value: '1024' +- name: MEMCACHED_SLAB_PAGE_SIZE +  displayName: Memcached Slab Page Size +  description: Memcached size of each slab page. +  value: 1m +- name: ANSIBLE_SERVICE_NAME +  displayName: Ansible Service Name +  description: The name of the OpenShift Service exposed for the Ansible container. 
+  value: ansible +- name: ANSIBLE_ADMIN_PASSWORD +  displayName: Ansible admin User password +  required: true +  description: The password for the Ansible container admin user +  from: "[a-zA-Z0-9]{32}" +  generate: expression +- name: ANSIBLE_SECRET_KEY +  displayName: Ansible Secret Key +  required: true +  description: Encryption key for the Ansible container +  from: "[a-f0-9]{32}" +  generate: expression +- name: ANSIBLE_RABBITMQ_USER_NAME +  displayName: RabbitMQ Username +  required: true +  description: Username for the Ansible RabbitMQ Server +  value: ansible +- name: ANSIBLE_RABBITMQ_PASSWORD +  displayName: RabbitMQ Server Password +  required: true +  description: Password for the Ansible RabbitMQ Server +  from: "[a-zA-Z0-9]{32}" +  generate: expression +- name: APPLICATION_CPU_REQ +  displayName: Application Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Application container will need (expressed in millicores). +  value: 1000m +- name: MEMCACHED_CPU_REQ +  displayName: Memcached Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). +  value: 200m +- name: ANSIBLE_CPU_REQ +  displayName: Ansible Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). +  value: 1000m +- name: APPLICATION_MEM_REQ +  displayName: Application Min RAM Requested +  required: true +  description: Minimum amount of memory the Application container will need. +  value: 6144Mi +- name: MEMCACHED_MEM_REQ +  displayName: Memcached Min RAM Requested +  required: true +  description: Minimum amount of memory the Memcached container will need. +  value: 64Mi +- name: ANSIBLE_MEM_REQ +  displayName: Ansible Min RAM Requested +  required: true +  description: Minimum amount of memory the Ansible container will need. 
+  value: 2048Mi +- name: APPLICATION_MEM_LIMIT +  displayName: Application Max RAM Limit +  required: true +  description: Maximum amount of memory the Application container can consume. +  value: 16384Mi +- name: MEMCACHED_MEM_LIMIT +  displayName: Memcached Max RAM Limit +  required: true +  description: Maximum amount of memory the Memcached container can consume. +  value: 256Mi +- name: ANSIBLE_MEM_LIMIT +  displayName: Ansible Max RAM Limit +  required: true +  description: Maximum amount of memory the Ansible container can consume. +  value: 8096Mi +- name: MEMCACHED_IMG_NAME +  displayName: Memcached Image Name +  description: This is the Memcached image name requested to deploy. +  value: docker.io/manageiq/memcached +- name: MEMCACHED_IMG_TAG +  displayName: Memcached Image Tag +  description: This is the Memcached image tag/version requested to deploy. +  value: latest +- name: APPLICATION_IMG_NAME +  displayName: Application Image Name +  description: This is the Application image name requested to deploy. +  value: docker.io/manageiq/manageiq-pods +- name: FRONTEND_APPLICATION_IMG_TAG +  displayName: Front end Application Image Tag +  description: This is the ManageIQ Frontend Application image tag/version requested to deploy. +  value: frontend-latest +- name: BACKEND_APPLICATION_IMG_TAG +  displayName: Back end Application Image Tag +  description: This is the ManageIQ Backend Application image tag/version requested to deploy. +  value: backend-latest +- name: ANSIBLE_IMG_NAME +  displayName: Ansible Image Name +  description: This is the Ansible image name requested to deploy. +  value: docker.io/manageiq/embedded-ansible +- name: ANSIBLE_IMG_TAG +  displayName: Ansible Image Tag +  description: This is the Ansible image tag/version requested to deploy. 
+  value: latest +- name: APPLICATION_DOMAIN +  displayName: Application Hostname +  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. +  value: '' +- name: APPLICATION_REPLICA_COUNT +  displayName: Application Replica Count +  description: This is the number of Application replicas requested to deploy. +  value: '1' +- name: APPLICATION_INIT_DELAY +  displayName: Application Init Delay +  required: true +  description: Delay in seconds before we attempt to initialize the application. +  value: '15' +- name: APPLICATION_VOLUME_CAPACITY +  displayName: Application Volume Capacity +  required: true +  description: Volume space available for application data. +  value: 5Gi +- name: HTTPD_SERVICE_NAME +  required: true +  displayName: Apache httpd Service Name +  description: The name of the OpenShift Service exposed for the httpd container. +  value: httpd +- name: HTTPD_IMG_NAME +  displayName: Apache httpd Image Name +  description: This is the httpd image name requested to deploy. +  value: docker.io/manageiq/httpd +- name: HTTPD_IMG_TAG +  displayName: Apache httpd Image Tag +  description: This is the httpd image tag/version requested to deploy. +  value: latest +- name: HTTPD_CONFIG_DIR +  displayName: Apache httpd Configuration Directory +  description: Directory used to store the Apache configuration files. +  value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR +  displayName: External Authentication Configuration Directory +  description: Directory used to store the external authentication configuration files. +  value: "/etc/httpd/auth-conf.d" +- name: HTTPD_CPU_REQ +  displayName: Apache httpd Min CPU Requested +  required: true +  description: Minimum amount of CPU time the httpd container will need (expressed in millicores). 
+  value: 500m +- name: HTTPD_MEM_REQ +  displayName: Apache httpd Min RAM Requested +  required: true +  description: Minimum amount of memory the httpd container will need. +  value: 512Mi +- name: HTTPD_MEM_LIMIT +  displayName: Apache httpd Max RAM Limit +  required: true +  description: Maximum amount of memory the httpd container can consume. +  value: 8192Mi diff --git a/roles/openshift_management/files/templates/manageiq/miq-template.yaml b/roles/openshift_management/files/templates/manageiq/miq-template.yaml new file mode 100644 index 000000000..3f5a12205 --- /dev/null +++ b/roles/openshift_management/files/templates/manageiq/miq-template.yaml 
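Review bot: `DATABASE_PASSWORD` keeps `from: "[a-zA-Z0-9]{8}"` / `generate: expression` (L237–L238) in a template whose purpose is connecting to an external PostgreSQL host, so when the operator omits the parameter `oc process` silently mints a random credential that cannot match the external server and the failure only surfaces when the appliance tries to connect; dropping the `from` and `generate` lines and keeping `required: true` makes a missing password a processing-time error instead, and the same question applies to `DATABASE_USER` defaulting to `root`. In the httpd Service (L236) the selector is the literal `name: httpd` while the DeploymentConfig labels its pods `name: "${HTTPD_SERVICE_NAME}"`, so any non-default `HTTPD_SERVICE_NAME` leaves the Route pointing at a Service with no endpoints; use `name: "${HTTPD_SERVICE_NAME}"` as the other Services in this template do. The Ansible container runs with `privileged: true` under `miq-privileged` (L234) with no annotation explaining why host-level privilege is required; a `description` line on that DeploymentConfig naming the reason would let reviewers judge whether a narrower capability set suffices. Minor: `ANSIBLE_MEM_LIMIT` is `8096Mi` where `8192Mi` looks intended, and `continer` in the ANSIBLE_DATABASE_NAME description is a typo.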
@@ -0,0 +1,948 @@ +apiVersion: v1 +kind: Template +labels: +  template: manageiq +metadata: +  name: manageiq +  annotations: +    description: ManageIQ appliance with persistent storage +    tags: instant-app,manageiq,miq +    iconClass: icon-rails +objects: +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-orchestrator +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-anyuid +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-privileged +- apiVersion: v1 +  kind: ServiceAccount +  metadata: +    name: miq-httpd +- apiVersion: v1 +  kind: Secret +  metadata: +    name: "${NAME}-secrets" +  stringData: +    pg-password: "${DATABASE_PASSWORD}" +    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 +    v2-key: "${V2_KEY}" +- apiVersion: v1 +  kind: Secret +  metadata: +    name: "${ANSIBLE_SERVICE_NAME}-secrets" +  stringData: +    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" +    secret-key: "${ANSIBLE_SECRET_KEY}" +    admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 +  kind: ConfigMap +  metadata: +    name: "${DATABASE_SERVICE_NAME}-configs" +  data: +    01_miq_overrides.conf: | +      #------------------------------------------------------------------------------ +      # CONNECTIONS AND AUTHENTICATION +      #------------------------------------------------------------------------------ + +      tcp_keepalives_count = 9 +      tcp_keepalives_idle = 3 +      tcp_keepalives_interval = 75 + +      #------------------------------------------------------------------------------ +      # RESOURCE USAGE (except WAL) +      #------------------------------------------------------------------------------ + +      shared_preload_libraries = 'pglogical,repmgr_funcs' +      max_worker_processes = 10 + +      #------------------------------------------------------------------------------ +      # WRITE AHEAD 
LOG +      #------------------------------------------------------------------------------ + +      wal_level = 'logical' +      wal_log_hints = on +      wal_buffers = 16MB +      checkpoint_completion_target = 0.9 + +      #------------------------------------------------------------------------------ +      # REPLICATION +      #------------------------------------------------------------------------------ + +      max_wal_senders = 10 +      wal_sender_timeout = 0 +      max_replication_slots = 10 +      hot_standby = on + +      #------------------------------------------------------------------------------ +      # ERROR REPORTING AND LOGGING +      #------------------------------------------------------------------------------ + +      log_filename = 'postgresql.log' +      log_rotation_age = 0 +      log_min_duration_statement = 5000 +      log_connections = on +      log_disconnections = on +      log_line_prefix = '%t:%r:%c:%u@%d:[%p]:' +      log_lock_waits = on + +      #------------------------------------------------------------------------------ +      # AUTOVACUUM PARAMETERS +      #------------------------------------------------------------------------------ + +      log_autovacuum_min_duration = 0 +      autovacuum_naptime = 5min +      autovacuum_vacuum_threshold = 500 +      autovacuum_analyze_threshold = 500 +      autovacuum_vacuum_scale_factor = 0.05 + +      #------------------------------------------------------------------------------ +      # LOCK MANAGEMENT +      #------------------------------------------------------------------------------ + +      deadlock_timeout = 5s + +      #------------------------------------------------------------------------------ +      # VERSION/PLATFORM COMPATIBILITY +      #------------------------------------------------------------------------------ + +      escape_string_warning = off +      standard_conforming_strings = off +- apiVersion: v1 +  kind: ConfigMap +  metadata: +    name: 
"${HTTPD_SERVICE_NAME}-configs" +  data: +    application.conf: | +      # Timeout: The number of seconds before receives and sends time out. +      Timeout 120 + +      RewriteEngine On +      Options SymLinksIfOwnerMatch + +      <VirtualHost *:80> +        KeepAlive on +        ProxyPreserveHost on +        ProxyPass        /ws/ ws://${NAME}/ws/ +        ProxyPassReverse /ws/ ws://${NAME}/ws/ +        ProxyPass        / http://${NAME}/ +        ProxyPassReverse / http://${NAME}/ +      </VirtualHost> +- apiVersion: v1 +  kind: ConfigMap +  metadata: +    name: "${HTTPD_SERVICE_NAME}-auth-configs" +  data: +    auth-type: internal +    auth-configuration.conf: | +      # External Authentication Configuration File +      # +      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Exposes and load balances ManageIQ pods +      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' +    name: "${NAME}" +  spec: +    clusterIP: None +    ports: +    - name: http +      port: 80 +      protocol: TCP +      targetPort: 80 +    selector: +      name: "${NAME}" +- apiVersion: v1 +  kind: Route +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +  spec: +    host: "${APPLICATION_DOMAIN}" +    port: +      targetPort: http +    tls: +      termination: edge +      insecureEdgeTerminationPolicy: Redirect +    to: +      kind: Service +      name: "${HTTPD_SERVICE_NAME}" +- apiVersion: v1 +  kind: PersistentVolumeClaim +  metadata: +    name: "${NAME}-${DATABASE_SERVICE_NAME}" +  spec: +    accessModes: +    - ReadWriteOnce +    resources: +      requests: +        storage: "${DATABASE_VOLUME_CAPACITY}" +- apiVersion: apps/v1beta1 +  kind: StatefulSet +  metadata: +    name: "${NAME}" +  
  annotations: +      description: Defines how to deploy the ManageIQ appliance +  spec: +    serviceName: "${NAME}" +    replicas: "${APPLICATION_REPLICA_COUNT}" +    template: +      metadata: +        labels: +          name: "${NAME}" +        name: "${NAME}" +      spec: +        containers: +        - name: manageiq +          image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" +          livenessProbe: +            tcpSocket: +              port: 80 +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          readinessProbe: +            httpGet: +              path: "/" +              port: 80 +              scheme: HTTP +            initialDelaySeconds: 200 +            timeoutSeconds: 3 +          ports: +          - containerPort: 80 +            protocol: TCP +          volumeMounts: +          - name: "${NAME}-server" +            mountPath: "/persistent" +          env: +          - name: MY_POD_NAMESPACE +            valueFrom: +              fieldRef: +                fieldPath: metadata.namespace +          - name: APPLICATION_INIT_DELAY +            value: "${APPLICATION_INIT_DELAY}" +          - name: DATABASE_SERVICE_NAME +            value: "${DATABASE_SERVICE_NAME}" +          - name: DATABASE_REGION +            value: "${DATABASE_REGION}" +          - name: DATABASE_URL +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: database-url +          - name: MEMCACHED_SERVER +            value: "${MEMCACHED_SERVICE_NAME}:11211" +          - name: MEMCACHED_SERVICE_NAME +            value: "${MEMCACHED_SERVICE_NAME}" +          - name: V2_KEY +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: v2-key +          - name: ANSIBLE_SERVICE_NAME +            value: "${ANSIBLE_SERVICE_NAME}" +          - name: ANSIBLE_ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +             
   name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          resources: +            requests: +              memory: "${APPLICATION_MEM_REQ}" +              cpu: "${APPLICATION_CPU_REQ}" +            limits: +              memory: "${APPLICATION_MEM_LIMIT}" +          lifecycle: +            preStop: +              exec: +                command: +                - "/opt/manageiq/container-scripts/sync-pv-data" +        serviceAccount: miq-orchestrator +        serviceAccountName: miq-orchestrator +        terminationGracePeriodSeconds: 90 +    volumeClaimTemplates: +    - metadata: +        name: "${NAME}-server" +        annotations: +      spec: +        accessModes: +        - ReadWriteOnce +        resources: +          requests: +            storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Headless service for ManageIQ backend pods +    name: "${NAME}-backend" +  spec: +    clusterIP: None +    selector: +      name: "${NAME}-backend" +- apiVersion: apps/v1beta1 +  kind: StatefulSet +  metadata: +    name: "${NAME}-backend" +    annotations: +      description: Defines how to deploy the ManageIQ appliance +  spec: +    serviceName: "${NAME}-backend" +    replicas: 0 +    template: +      metadata: +        labels: +          name: "${NAME}-backend" +        name: "${NAME}-backend" +      spec: +        containers: +        - name: manageiq +          image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" +          livenessProbe: +            exec: +              command: +              - pidof +              - MIQ Server +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          volumeMounts: +          - name: "${NAME}-server" +            mountPath: "/persistent" +          env: +          - name: APPLICATION_INIT_DELAY +            value: "${APPLICATION_INIT_DELAY}" +          - name: DATABASE_URL +            
valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: database-url +          - name: MIQ_SERVER_DEFAULT_ROLES +            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate +          - name: FRONTEND_SERVICE_NAME +            value: "${NAME}" +          - name: MEMCACHED_SERVER +            value: "${MEMCACHED_SERVICE_NAME}:11211" +          - name: V2_KEY +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: v2-key +          - name: ANSIBLE_SERVICE_NAME +            value: "${ANSIBLE_SERVICE_NAME}" +          - name: ANSIBLE_ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          resources: +            requests: +              memory: "${APPLICATION_MEM_REQ}" +              cpu: "${APPLICATION_CPU_REQ}" +            limits: +              memory: "${APPLICATION_MEM_LIMIT}" +          lifecycle: +            preStop: +              exec: +                command: +                - "/opt/manageiq/container-scripts/sync-pv-data" +        serviceAccount: miq-orchestrator +        serviceAccountName: miq-orchestrator +        terminationGracePeriodSeconds: 90 +    volumeClaimTemplates: +    - metadata: +        name: "${NAME}-server" +        annotations: +      spec: +        accessModes: +        - ReadWriteOnce +        resources: +          requests: +            storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${MEMCACHED_SERVICE_NAME}" +    annotations: +      description: Exposes the memcached server +  spec: +    ports: +    - name: memcached +      port: 11211 +      targetPort: 11211 +    selector: +      name: "${MEMCACHED_SERVICE_NAME}" +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: 
"${MEMCACHED_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy memcached +  spec: +    strategy: +      type: Recreate +    triggers: +    - type: ConfigChange +    replicas: 1 +    selector: +      name: "${MEMCACHED_SERVICE_NAME}" +    template: +      metadata: +        name: "${MEMCACHED_SERVICE_NAME}" +        labels: +          name: "${MEMCACHED_SERVICE_NAME}" +      spec: +        volumes: [] +        containers: +        - name: memcached +          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" +          ports: +          - containerPort: 11211 +          readinessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 5 +            tcpSocket: +              port: 11211 +          livenessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 30 +            tcpSocket: +              port: 11211 +          volumeMounts: [] +          env: +          - name: MEMCACHED_MAX_MEMORY +            value: "${MEMCACHED_MAX_MEMORY}" +          - name: MEMCACHED_MAX_CONNECTIONS +            value: "${MEMCACHED_MAX_CONNECTIONS}" +          - name: MEMCACHED_SLAB_PAGE_SIZE +            value: "${MEMCACHED_SLAB_PAGE_SIZE}" +          resources: +            requests: +              memory: "${MEMCACHED_MEM_REQ}" +              cpu: "${MEMCACHED_CPU_REQ}" +            limits: +              memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${DATABASE_SERVICE_NAME}" +    annotations: +      description: Exposes the database server +  spec: +    ports: +    - name: postgresql +      port: 5432 +      targetPort: 5432 +    selector: +      name: "${DATABASE_SERVICE_NAME}" +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${DATABASE_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy the database +  spec: +    strategy: +      type: Recreate +    triggers: +    - type: ConfigChange +    replicas: 1 +    selector: +      name: 
"${DATABASE_SERVICE_NAME}" +    template: +      metadata: +        name: "${DATABASE_SERVICE_NAME}" +        labels: +          name: "${DATABASE_SERVICE_NAME}" +      spec: +        volumes: +        - name: miq-pgdb-volume +          persistentVolumeClaim: +            claimName: "${NAME}-${DATABASE_SERVICE_NAME}" +        - name: miq-pg-configs +          configMap: +            name: "${DATABASE_SERVICE_NAME}-configs" +        containers: +        - name: postgresql +          image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}" +          ports: +          - containerPort: 5432 +          readinessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 15 +            exec: +              command: +              - "/bin/sh" +              - "-i" +              - "-c" +              - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1' +          livenessProbe: +            timeoutSeconds: 1 +            initialDelaySeconds: 60 +            tcpSocket: +              port: 5432 +          volumeMounts: +          - name: miq-pgdb-volume +            mountPath: "/var/lib/pgsql/data" +          - name: miq-pg-configs +            mountPath: "${POSTGRESQL_CONFIG_DIR}" +          env: +          - name: POSTGRESQL_USER +            value: "${DATABASE_USER}" +          - name: POSTGRESQL_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: pg-password +          - name: POSTGRESQL_DATABASE +            value: "${DATABASE_NAME}" +          - name: POSTGRESQL_MAX_CONNECTIONS +            value: "${POSTGRESQL_MAX_CONNECTIONS}" +          - name: POSTGRESQL_SHARED_BUFFERS +            value: "${POSTGRESQL_SHARED_BUFFERS}" +          - name: POSTGRESQL_CONFIG_DIR +            value: "${POSTGRESQL_CONFIG_DIR}" +          resources: +            requests: +              memory: "${POSTGRESQL_MEM_REQ}" +              cpu: "${POSTGRESQL_CPU_REQ}" +          
  limits: +              memory: "${POSTGRESQL_MEM_LIMIT}" +- apiVersion: v1 +  kind: Service +  metadata: +    annotations: +      description: Exposes and load balances Ansible pods +      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' +    name: "${ANSIBLE_SERVICE_NAME}" +  spec: +    ports: +    - name: http +      port: 80 +      protocol: TCP +      targetPort: 80 +    - name: https +      port: 443 +      protocol: TCP +      targetPort: 443 +    selector: +      name: "${ANSIBLE_SERVICE_NAME}" +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${ANSIBLE_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy the Ansible appliance +  spec: +    strategy: +      type: Recreate +    serviceName: "${ANSIBLE_SERVICE_NAME}" +    replicas: 0 +    template: +      metadata: +        labels: +          name: "${ANSIBLE_SERVICE_NAME}" +        name: "${ANSIBLE_SERVICE_NAME}" +      spec: +        containers: +        - name: ansible +          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" +          livenessProbe: +            tcpSocket: +              port: 443 +            initialDelaySeconds: 480 +            timeoutSeconds: 3 +          readinessProbe: +            httpGet: +              path: "/" +              port: 443 +              scheme: HTTPS +            initialDelaySeconds: 200 +            timeoutSeconds: 3 +          ports: +          - containerPort: 80 +            protocol: TCP +          - containerPort: 443 +            protocol: TCP +          securityContext: +            privileged: true +          env: +          - name: ADMIN_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: admin-password +          - name: RABBITMQ_USER_NAME +            value: "${ANSIBLE_RABBITMQ_USER_NAME}" +          - name: RABBITMQ_PASSWORD +            valueFrom: +          
    secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: rabbit-password +          - name: ANSIBLE_SECRET_KEY +            valueFrom: +              secretKeyRef: +                name: "${ANSIBLE_SERVICE_NAME}-secrets" +                key: secret-key +          - name: DATABASE_SERVICE_NAME +            value: "${DATABASE_SERVICE_NAME}" +          - name: POSTGRESQL_USER +            value: "${DATABASE_USER}" +          - name: POSTGRESQL_PASSWORD +            valueFrom: +              secretKeyRef: +                name: "${NAME}-secrets" +                key: pg-password +          - name: POSTGRESQL_DATABASE +            value: "${ANSIBLE_DATABASE_NAME}" +          resources: +            requests: +              memory: "${ANSIBLE_MEM_REQ}" +              cpu: "${ANSIBLE_CPU_REQ}" +            limits: +              memory: "${ANSIBLE_MEM_LIMIT}" +        serviceAccount: miq-privileged +        serviceAccountName: miq-privileged +- apiVersion: v1 +  kind: Service +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +    annotations: +      description: Exposes the httpd server +      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' +  spec: +    ports: +    - name: http +      port: 80 +      targetPort: 80 +    selector: +      name: httpd +- apiVersion: v1 +  kind: DeploymentConfig +  metadata: +    name: "${HTTPD_SERVICE_NAME}" +    annotations: +      description: Defines how to deploy httpd +  spec: +    strategy: +      type: Recreate +      recreateParams: +        timeoutSeconds: 1200 +    triggers: +    - type: ConfigChange +    replicas: 1 +    selector: +      name: "${HTTPD_SERVICE_NAME}" +    template: +      metadata: +        name: "${HTTPD_SERVICE_NAME}" +        labels: +          name: "${HTTPD_SERVICE_NAME}" +      spec: +        volumes: +        - name: httpd-config +          configMap: +            name: "${HTTPD_SERVICE_NAME}-configs" +        - name: 
httpd-auth-config +          configMap: +            name: "${HTTPD_SERVICE_NAME}-auth-configs" +        containers: +        - name: httpd +          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" +          ports: +          - containerPort: 80 +          livenessProbe: +            exec: +              command: +              - pidof +              - httpd +            initialDelaySeconds: 15 +            timeoutSeconds: 3 +          readinessProbe: +            tcpSocket: +              port: 80 +            initialDelaySeconds: 10 +            timeoutSeconds: 3 +          volumeMounts: +          - name: httpd-config +            mountPath: "${HTTPD_CONFIG_DIR}" +          - name: httpd-auth-config +            mountPath: "${HTTPD_AUTH_CONFIG_DIR}" +          resources: +            requests: +              memory: "${HTTPD_MEM_REQ}" +              cpu: "${HTTPD_CPU_REQ}" +            limits: +              memory: "${HTTPD_MEM_LIMIT}" +          env: +          - name: HTTPD_AUTH_TYPE +            valueFrom: +              configMapKeyRef: +                name: "${HTTPD_SERVICE_NAME}-auth-configs" +                key: auth-type +          lifecycle: +            postStart: +              exec: +                command: +                - "/usr/bin/save-container-environment" +        serviceAccount: miq-anyuid +        serviceAccountName: miq-anyuid +parameters: +- name: NAME +  displayName: Name +  required: true +  description: The name assigned to all of the frontend objects defined in this template. +  value: manageiq +- name: V2_KEY +  displayName: ManageIQ Encryption Key +  required: true +  description: Encryption Key for ManageIQ Passwords +  from: "[a-zA-Z0-9]{43}" +  generate: expression +- name: DATABASE_SERVICE_NAME +  displayName: PostgreSQL Service Name +  required: true +  description: The name of the OpenShift Service exposed for the PostgreSQL container. 
+  value: postgresql +- name: DATABASE_USER +  displayName: PostgreSQL User +  required: true +  description: PostgreSQL user that will access the database. +  value: root +- name: DATABASE_PASSWORD +  displayName: PostgreSQL Password +  required: true +  description: Password for the PostgreSQL user. +  from: "[a-zA-Z0-9]{8}" +  generate: expression +- name: DATABASE_NAME +  required: true +  displayName: PostgreSQL Database Name +  description: Name of the PostgreSQL database accessed. +  value: vmdb_production +- name: DATABASE_REGION +  required: true +  displayName: Application Database Region +  description: Database region that will be used for application. +  value: '0' +- name: ANSIBLE_DATABASE_NAME +  displayName: Ansible PostgreSQL database name +  required: true +  description: The database to be used by the Ansible continer +  value: awx +- name: MEMCACHED_SERVICE_NAME +  required: true +  displayName: Memcached Service Name +  description: The name of the OpenShift Service exposed for the Memcached container. +  value: memcached +- name: MEMCACHED_MAX_MEMORY +  displayName: Memcached Max Memory +  description: Memcached maximum memory for memcached object storage in MB. +  value: '64' +- name: MEMCACHED_MAX_CONNECTIONS +  displayName: Memcached Max Connections +  description: Memcached maximum number of connections allowed. +  value: '1024' +- name: MEMCACHED_SLAB_PAGE_SIZE +  displayName: Memcached Slab Page Size +  description: Memcached size of each slab page. +  value: 1m +- name: POSTGRESQL_CONFIG_DIR +  displayName: PostgreSQL Configuration Overrides +  description: Directory used to store PostgreSQL configuration overrides. +  value: "/var/lib/pgsql/conf.d" +- name: POSTGRESQL_MAX_CONNECTIONS +  displayName: PostgreSQL Max Connections +  description: PostgreSQL maximum number of database connections allowed. 
+  value: '1000' +- name: POSTGRESQL_SHARED_BUFFERS +  displayName: PostgreSQL Shared Buffer Amount +  description: Amount of memory dedicated for PostgreSQL shared memory buffers. +  value: 1GB +- name: ANSIBLE_SERVICE_NAME +  displayName: Ansible Service Name +  description: The name of the OpenShift Service exposed for the Ansible container. +  value: ansible +- name: ANSIBLE_ADMIN_PASSWORD +  displayName: Ansible admin User password +  required: true +  description: The password for the Ansible container admin user +  from: "[a-zA-Z0-9]{32}" +  generate: expression +- name: ANSIBLE_SECRET_KEY +  displayName: Ansible Secret Key +  required: true +  description: Encryption key for the Ansible container +  from: "[a-f0-9]{32}" +  generate: expression +- name: ANSIBLE_RABBITMQ_USER_NAME +  displayName: RabbitMQ Username +  required: true +  description: Username for the Ansible RabbitMQ Server +  value: ansible +- name: ANSIBLE_RABBITMQ_PASSWORD +  displayName: RabbitMQ Server Password +  required: true +  description: Password for the Ansible RabbitMQ Server +  from: "[a-zA-Z0-9]{32}" +  generate: expression +- name: APPLICATION_CPU_REQ +  displayName: Application Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Application container will need (expressed in millicores). +  value: 1000m +- name: POSTGRESQL_CPU_REQ +  displayName: PostgreSQL Min CPU Requested +  required: true +  description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores). +  value: 500m +- name: MEMCACHED_CPU_REQ +  displayName: Memcached Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). +  value: 200m +- name: ANSIBLE_CPU_REQ +  displayName: Ansible Min CPU Requested +  required: true +  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). 
+  value: 1000m +- name: APPLICATION_MEM_REQ +  displayName: Application Min RAM Requested +  required: true +  description: Minimum amount of memory the Application container will need. +  value: 6144Mi +- name: POSTGRESQL_MEM_REQ +  displayName: PostgreSQL Min RAM Requested +  required: true +  description: Minimum amount of memory the PostgreSQL container will need. +  value: 4Gi +- name: MEMCACHED_MEM_REQ +  displayName: Memcached Min RAM Requested +  required: true +  description: Minimum amount of memory the Memcached container will need. +  value: 64Mi +- name: ANSIBLE_MEM_REQ +  displayName: Ansible Min RAM Requested +  required: true +  description: Minimum amount of memory the Ansible container will need. +  value: 2048Mi +- name: APPLICATION_MEM_LIMIT +  displayName: Application Max RAM Limit +  required: true +  description: Maximum amount of memory the Application container can consume. +  value: 16384Mi +- name: POSTGRESQL_MEM_LIMIT +  displayName: PostgreSQL Max RAM Limit +  required: true +  description: Maximum amount of memory the PostgreSQL container can consume. +  value: 8Gi +- name: MEMCACHED_MEM_LIMIT +  displayName: Memcached Max RAM Limit +  required: true +  description: Maximum amount of memory the Memcached container can consume. +  value: 256Mi +- name: ANSIBLE_MEM_LIMIT +  displayName: Ansible Max RAM Limit +  required: true +  description: Maximum amount of memory the Ansible container can consume. +  value: 8096Mi +- name: POSTGRESQL_IMG_NAME +  displayName: PostgreSQL Image Name +  description: This is the PostgreSQL image name requested to deploy. +  value: docker.io/manageiq/postgresql +- name: POSTGRESQL_IMG_TAG +  displayName: PostgreSQL Image Tag +  description: This is the PostgreSQL image tag/version requested to deploy. +  value: latest +- name: MEMCACHED_IMG_NAME +  displayName: Memcached Image Name +  description: This is the Memcached image name requested to deploy. 
+  value: docker.io/manageiq/memcached +- name: MEMCACHED_IMG_TAG +  displayName: Memcached Image Tag +  description: This is the Memcached image tag/version requested to deploy. +  value: latest +- name: APPLICATION_IMG_NAME +  displayName: Application Image Name +  description: This is the Application image name requested to deploy. +  value: docker.io/manageiq/manageiq-pods +- name: FRONTEND_APPLICATION_IMG_TAG +  displayName: Front end Application Image Tag +  description: This is the ManageIQ Frontend Application image tag/version requested to deploy. +  value: frontend-latest +- name: BACKEND_APPLICATION_IMG_TAG +  displayName: Back end Application Image Tag +  description: This is the ManageIQ Backend Application image tag/version requested to deploy. +  value: backend-latest +- name: ANSIBLE_IMG_NAME +  displayName: Ansible Image Name +  description: This is the Ansible image name requested to deploy. +  value: docker.io/manageiq/embedded-ansible +- name: ANSIBLE_IMG_TAG +  displayName: Ansible Image Tag +  description: This is the Ansible image tag/version requested to deploy. +  value: latest +- name: APPLICATION_DOMAIN +  displayName: Application Hostname +  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. +  value: '' +- name: APPLICATION_REPLICA_COUNT +  displayName: Application Replica Count +  description: This is the number of Application replicas requested to deploy. +  value: '1' +- name: APPLICATION_INIT_DELAY +  displayName: Application Init Delay +  required: true +  description: Delay in seconds before we attempt to initialize the application. +  value: '15' +- name: APPLICATION_VOLUME_CAPACITY +  displayName: Application Volume Capacity +  required: true +  description: Volume space available for application data. +  value: 5Gi +- name: DATABASE_VOLUME_CAPACITY +  displayName: Database Volume Capacity +  required: true +  description: Volume space available for database. 
+  value: 15Gi +- name: HTTPD_SERVICE_NAME +  required: true +  displayName: Apache httpd Service Name +  description: The name of the OpenShift Service exposed for the httpd container. +  value: httpd +- name: HTTPD_IMG_NAME +  displayName: Apache httpd Image Name +  description: This is the httpd image name requested to deploy. +  value: docker.io/manageiq/httpd +- name: HTTPD_IMG_TAG +  displayName: Apache httpd Image Tag +  description: This is the httpd image tag/version requested to deploy. +  value: latest +- name: HTTPD_CONFIG_DIR +  displayName: Apache Configuration Directory +  description: Directory used to store the Apache configuration files. +  value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR +  displayName: External Authentication Configuration Directory +  description: Directory used to store the external authentication configuration files. +  value: "/etc/httpd/auth-conf.d" +- name: HTTPD_CPU_REQ +  displayName: Apache httpd Min CPU Requested +  required: true +  description: Minimum amount of CPU time the httpd container will need (expressed in millicores). +  value: 500m +- name: HTTPD_MEM_REQ +  displayName: Apache httpd Min RAM Requested +  required: true +  description: Minimum amount of memory the httpd container will need. +  value: 512Mi +- name: HTTPD_MEM_LIMIT +  displayName: Apache httpd Max RAM Limit +  required: true +  description: Maximum amount of memory the httpd container can consume. +  value: 8192Mi diff --git a/roles/openshift_management/handlers/main.yml b/roles/openshift_management/handlers/main.yml new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/roles/openshift_management/handlers/main.yml diff --git a/roles/openshift_cfme/meta/main.yml b/roles/openshift_management/meta/main.yml index 162d817f0..07ad51126 100644 --- a/roles/openshift_cfme/meta/main.yml +++ b/roles/openshift_management/meta/main.yml 
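Review bot: The `${HTTPD_SERVICE_NAME}` Service selects pods with the hard-coded label `name: httpd`, while the httpd DeploymentConfig labels its pods `name: "${HTTPD_SERVICE_NAME}"`, so anyone overriding that parameter from its default gets a Service with no endpoints; the selector should read `name: "${HTTPD_SERVICE_NAME}"` as every other Service in the file does. Separately, DATABASE_PASSWORD is generated from `[a-zA-Z0-9]{8}` whereas the Ansible admin password, secret key and RabbitMQ password all use 32 characters, and the same 8-character value is also embedded verbatim in the `database-url` secret consumed by three containers; generating it with `from: "[a-zA-Z0-9]{32}"` keeps the alphabet URL-safe while bringing it in line with the other generated credentials. ANSIBLE_MEM_LIMIT's `8096Mi` looks like a transposition of the `8192Mi` used for HTTPD_MEM_LIMIT, though the intended figure may differ.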
@@ -16,4 +16,3 @@ galaxy_info:
 dependencies:
 - role: lib_openshift
 - role: lib_utils
-- role: openshift_master_facts
diff --git a/roles/openshift_management/tasks/accounts.yml b/roles/openshift_management/tasks/accounts.yml
new file mode 100644
index 000000000..e45ea8d43
--- /dev/null
+++ b/roles/openshift_management/tasks/accounts.yml
@@ -0,0 +1,28 @@
+---
+# This role task file is responsible for user/system account creation,
+# and ensuring correct access is provided as required.
+- name: Ensure the CFME system accounts exist
+  oc_serviceaccount:
+    namespace: "{{ openshift_management_project }}"
+    state: present
+    name: "{{ openshift_management_flavor_short }}{{ item.name }}"
+  with_items:
+    - "{{ __openshift_system_account_sccs }}"
+
+- name: Ensure the CFME system accounts have all the required SCCs
+  oc_adm_policy_user:
+    namespace: "{{ openshift_management_project }}"
+    user: "system:serviceaccount:{{ openshift_management_project }}:{{ openshift_management_flavor_short }}{{ item.name }}"
+    resource_kind: scc
+    resource_name: "{{ item.resource_name }}"
+  with_items:
+    - "{{ __openshift_system_account_sccs }}"
+
+- name: Ensure the CFME system accounts have the required roles
+  oc_adm_policy_user:
+    namespace: "{{ openshift_management_project }}"
+    user: "system:serviceaccount:{{ openshift_management_project }}:{{ openshift_management_flavor_short }}{{ item.name }}"
+    resource_kind: role
+    resource_name: "{{ item.resource_name }}"
+  with_items:
+    - "{{ __openshift_management_system_account_roles }}"
diff --git a/roles/openshift_management/tasks/main.yml b/roles/openshift_management/tasks/main.yml
new file mode 100644
index 000000000..86c4d0010
--- /dev/null
+++ b/roles/openshift_management/tasks/main.yml
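Review bot: The two loop variables in accounts.yml follow different naming schemes — `__openshift_system_account_sccs` in the first two tasks versus `__openshift_management_system_account_roles` in the third — which reads like the SCC list missed the cfme-to-management rename; if the role's vars (defined outside this hunk) really spell it that way, renaming it to `__openshift_management_system_account_sccs` would keep the role's private-variable prefix consistent. Because these tasks are what bind SCCs to the service accounts (presumably including the anyuid and privileged accounts the templates reference), the header comment should say where the lists live and what each entry carries, e.g. `# Each item in the *_system_account_* lists names a service account (item.name) and the SCC or role it is granted (item.resource_name); review those lists before widening them.` The task names still say "CFME" while the account names are built from `openshift_management_flavor_short`, so the flavor-specific wording could be dropped.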
@@ -0,0 +1,79 @@
+---
+######################################################################)
+# Users, projects, and privileges
+
+- name: Run pre-install CFME validation checks
+  include: validate.yml
+
+- name: "Ensure the CFME '{{ openshift_management_project }}' namespace exists"
+  oc_project:
+    state: present
+    name: "{{ openshift_management_project }}"
+    display_name: "{{ openshift_management_project_description }}"
+
+- name: Create and Authorize CFME Accounts
+  include: accounts.yml
+
+######################################################################
+# STORAGE - Initialize basic storage class
+#---------------------------------------------------------------------
+# * nfs - set up NFS shares on the first master for a proof of concept
+- name: Create required NFS exports for CFME app storage
+  include: storage/nfs.yml
+  when: openshift_management_storage_class == 'nfs'
+
+#---------------------------------------------------------------------
+# * external - NFS again, but pointing to a pre-configured NFS server
+- name: Note Storage Type -  External NFS
+  debug:
+    msg: "Setting up external NFS storage, openshift_management_storage_class is {{ openshift_management_storage_class }}"
+  when: openshift_management_storage_class == 'nfs_external'
+
+#---------------------------------------------------------------------
+# * cloudprovider - use an existing cloudprovider based storage
+- name: Note Storage Type - Cloud Provider
+  debug:
+    msg: Validating cloud provider storage type, openshift_management_storage_class is 'cloudprovider'
+  when: openshift_management_storage_class == 'cloudprovider'
+
+#---------------------------------------------------------------------
+# * preconfigured - don't do anything, assume it's all there ready to go
+- name: Note Storage Type - Preconfigured
+  debug:
+    msg: Skipping storage configuration, openshift_management_storage_class is 'preconfigured'
+  when: openshift_management_storage_class == 'preconfigured'
+
+######################################################################
+# APPLICATION TEMPLATE
+- name: Install the CFME app and PV templates
+  include: template.yml
+
+######################################################################
+# APP & DB Storage
+
+# For local/external NFS backed installations
+- name: "Create the required App and DB PVs using {{ openshift_management_storage_class }}"
+  include: storage/create_nfs_pvs.yml
+  when:
+    - openshift_management_storage_class in ['nfs', 'nfs_external']
+
+######################################################################
+# CREATE APP
+- name: Note the correct ext-db template name
+  set_fact:
+    openshift_management_template_name: "{{ openshift_management_flavor }}-ext-db"
+  when:
+    - openshift_management_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']
+
+- name: Note the correct podified db template name
+  set_fact:
+    openshift_management_template_name: "{{ openshift_management_flavor }}"
+  when:
+    - openshift_management_app_template in ['miq-template', 'cfme-template']
+
+- name: Ensure the CFME App is created
+  oc_process:
+    namespace: "{{ openshift_management_project }}"
+    template_name: "{{ openshift_management_template_name }}"
+    create: True
+    params: "{{ openshift_management_template_parameters }}"
diff --git a/roles/openshift_management/tasks/storage/create_nfs_pvs.yml b/roles/openshift_management/tasks/storage/create_nfs_pvs.yml
new file mode 100644
index 000000000..31c845725
--- /dev/null
+++ b/roles/openshift_management/tasks/storage/create_nfs_pvs.yml
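Review bot: The `oc_process` task at the end of the hunk passes `openshift_management_template_parameters` straight through as `params`, and validate.yml in this same commit requires that dict to carry `DATABASE_PASSWORD` for the ext-db templates, so the task result (and any verbose run) echoes the database password into the Ansible output and log. Add `no_log: true` to the task, directly after `params: "{{ openshift_management_template_parameters }}"`, so the parameter set is not printed. Separately, the banner comment near the top of the file ends with a stray `)`.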
@@ -0,0 +1,69 @@
+---
+# Create the required PVs for the App and the DB
+- name: Note the App PV Size from Template Parameters
+  set_fact:
+    openshift_management_app_pv_size: "{{ openshift_management_template_parameters.APPLICATION_VOLUME_CAPACITY }}"
+  when:
+    - openshift_management_template_parameters.APPLICATION_VOLUME_CAPACITY is defined
+
+- name: Note the App PV Size from defaults
+  set_fact:
+    openshift_management_app_pv_size: "{{ __openshift_management_app_pv_size }}"
+  when:
+    - openshift_management_template_parameters.APPLICATION_VOLUME_CAPACITY is not defined
+
+- when: openshift_management_app_template in ['miq-template', 'cfme-template']
+  block:
+    - name: Note the DB PV Size from Template Parameters
+      set_fact:
+        openshift_management_db_pv_size: "{{ openshift_management_template_parameters.DATABASE_VOLUME_CAPACITY }}"
+      when:
+        - openshift_management_template_parameters.DATABASE_VOLUME_CAPACITY is defined
+
+    - name: Note the DB PV Size from defaults
+      set_fact:
+        openshift_management_db_pv_size: "{{ __openshift_management_db_pv_size }}"
+      when:
+        - openshift_management_template_parameters.DATABASE_VOLUME_CAPACITY is not defined
+
+- name: Check if the CFME App PV has been created
+  oc_obj:
+    namespace: "{{ openshift_management_project }}"
+    state: list
+    kind: pv
+    name: "{{ openshift_management_flavor_short }}-app"
+  register: miq_app_pv_check
+
+- name: Check if the CFME DB PV has been created
+  oc_obj:
+    namespace: "{{ openshift_management_project }}"
+    state: list
+    kind: pv
+    name: "{{ openshift_management_flavor_short }}-db"
+  register: miq_db_pv_check
+  when:
+    - openshift_management_app_template in ['miq-template', 'cfme-template']
+
+- name: Ensure the CFME App PV is created
+  oc_process:
+    namespace: "{{ openshift_management_project }}"
+    template_name: "{{ openshift_management_flavor }}-app-pv"
+    create: True
+    params:
+      PV_SIZE: "{{ openshift_management_app_pv_size }}"
+      BASE_PATH: "{{ openshift_management_storage_nfs_base_dir }}"
+      NFS_HOST: "{{ openshift_management_nfs_server }}"
+  when: miq_app_pv_check.results.results == [{}]
+
+- name: Ensure the CFME DB PV is created
+  oc_process:
+    namespace: "{{ openshift_management_project }}"
+    template_name: "{{ openshift_management_flavor }}-db-pv"
+    create: True
+    params:
+      PV_SIZE: "{{ openshift_management_db_pv_size }}"
+      BASE_PATH: "{{ openshift_management_storage_nfs_base_dir }}"
+      NFS_HOST: "{{ openshift_management_nfs_server }}"
+  when:
+    - openshift_management_app_template in ['miq-template', 'cfme-template']
+    - miq_db_pv_check.results.results == [{}]
diff --git a/roles/openshift_management/tasks/storage/nfs.yml b/roles/openshift_management/tasks/storage/nfs.yml
new file mode 100644
index 000000000..696808328
--- /dev/null
+++ b/roles/openshift_management/tasks/storage/nfs.yml
@@ -0,0 +1,67 @@
+---
+# Tasks to statically provision NFS volumes
+# Include if not using dynamic volume provisioning
+
+- name: Ensure we save the local NFS server if one is provided
+  set_fact:
+    openshift_management_nfs_server: "{{ openshift_management_storage_nfs_local_hostname }}"
+  when:
+    - openshift_management_storage_nfs_local_hostname is defined
+    - openshift_management_storage_nfs_local_hostname != False
+    - openshift_management_storage_class == "nfs"
+
+- name: Ensure we save the local NFS server
+  set_fact:
+    openshift_management_nfs_server: "{{ groups['oo_nfs_to_config'].0 }}"
+  when:
+    - openshift_management_nfs_server is not defined
+    - openshift_management_storage_class == "nfs"
+
+- name: Ensure we save the external NFS server
+  set_fact:
+    openshift_management_nfs_server: "{{ openshift_management_storage_nfs_external_hostname }}"
+  when:
+    - openshift_management_storage_class == "nfs_external"
+
+- name: Failed NFS server detection
+  assert:
+    that:
+      - openshift_management_nfs_server is defined
+    msg: |
+      "Unable to detect an NFS server. The 'nfs_external'
+      openshift_management_storage_class option requires that you set
+      openshift_management_storage_nfs_external_hostname. NFS hosts detected
+      for local nfs services: {{ groups['oo_nfs_to_config'] | join(', ') }}"
+
+- name: Setting up NFS storage
+  block:
+    - name: Include the NFS Setup role tasks
+      include_role:
+        role: openshift_nfs
+        tasks_from: setup
+      vars:
+        l_nfs_base_dir: "{{ openshift_management_storage_nfs_base_dir }}"
+
+    - name: Create the App export
+      include_role:
+        role: openshift_nfs
+        tasks_from: create_export
+      vars:
+        l_nfs_base_dir: "{{ openshift_management_storage_nfs_base_dir }}"
+        l_nfs_export_config: "{{ openshift_management_flavor_short }}"
+        l_nfs_export_name: "{{ openshift_management_flavor_short }}-app"
+        l_nfs_options: "*(rw,no_root_squash,no_wdelay)"
+
+    - name: Create the DB export
+      include_role:
+        role: openshift_nfs
+        tasks_from: create_export
+      vars:
+        l_nfs_base_dir: "{{ openshift_management_storage_nfs_base_dir }}"
+        l_nfs_export_config: "{{ openshift_management_flavor_short }}"
+        l_nfs_export_name: "{{ openshift_management_flavor_short }}-db"
+        l_nfs_options: "*(rw,no_root_squash,no_wdelay)"
+      when:
+        - openshift_management_app_template in ['miq-template', 'cfme-template']
+
+  delegate_to: "{{ openshift_management_nfs_server }}"
diff --git a/roles/openshift_management/tasks/storage/storage.yml b/roles/openshift_management/tasks/storage/storage.yml
new file mode 100644
index 000000000..d8bf7aa3e
--- /dev/null
+++ b/roles/openshift_management/tasks/storage/storage.yml
@@ -0,0 +1,3 @@
+---
+- include: nfs.yml
+  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
diff --git a/roles/openshift_management/tasks/template.yml b/roles/openshift_management/tasks/template.yml
new file mode 100644
index 000000000..299158ac4
--- /dev/null
+++ b/roles/openshift_management/tasks/template.yml
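Review bot: Both `create_export` calls hand the role `l_nfs_options: "*(rw,no_root_squash,no_wdelay)"`, which exports the app and PostgreSQL directories read-write to every host that can reach the NFS server with root squashing disabled, so any client on that network can read and modify the database files as root. Making the client spec a role variable that defaults to `*` and is documented as "restrict to the node subnet outside of a proof of concept" would keep the PoC flow working while letting operators limit exposure; at minimum a comment above the two `l_nfs_options` lines should state that the export is world-accessible by design. The message in the `Failed NFS server detection` assert only talks about `nfs_external`, yet the assert can also trip for the `nfs` class when no server was saved; mention both paths in the message.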
@@ -0,0 +1,128 @@
+---
+# Tasks for ensuring the correct CFME templates are landed on the remote system
+
+######################################################################
+# CFME App Template
+#
+# Note, this is different from the create_nfs_pvs.yml tasks in that
+# the application template does not require any jinja2 evaluation.
+#
+# TODO: Handle the case where the server or PV templates are updated
+# in openshift-ansible and the change needs to be landed on the
+# managed cluster.
+
+######################################################################
+# STANDARD PODIFIED DATABASE TEMPLATE
+- when: openshift_management_app_template in ['miq-template', 'cfme-template']
+  block:
+  - name: Check if the CFME Server template has been created already
+    oc_obj:
+      namespace: "{{ openshift_management_project }}"
+      state: list
+      kind: template
+      name: "{{ openshift_management_flavor }}"
+    register: miq_server_check
+
+  - when: miq_server_check.results.results == [{}]
+    block:
+    - name: Copy over CFME Server template
+      copy:
+        src: "templates/{{ openshift_management_flavor }}/{{ openshift_management_flavor_short }}-template.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME Server Template is created
+      oc_obj:
+        namespace: "{{ openshift_management_project }}"
+        name: "{{ openshift_management_flavor }}"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_management_flavor_short }}-template.yaml"
+
+######################################################################
+# EXTERNAL DATABASE TEMPLATE
+- when: openshift_management_app_template in ['miq-template-ext-db', 'cfme-template']
+  block:
+  - name: Check if the CFME Ext-DB Server template has been created already
+    oc_obj:
+      namespace: "{{ openshift_management_project }}"
+      state: list
+      kind: template
+      name: "{{ openshift_management_flavor }}-ext-db"
+    register: miq_ext_db_server_check
+
+  - when: miq_ext_db_server_check.results.results == [{}]
+    block:
+    - name: Copy over CFME Ext-DB Server template
+      copy:
+        src: "templates/{{ openshift_management_flavor }}/{{openshift_management_flavor_short}}-template-ext-db.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME Ext-DB Server Template is created
+      oc_obj:
+        namespace: "{{ openshift_management_project }}"
+        name: "{{ openshift_management_flavor }}-ext-db"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_management_flavor_short }}-template-ext-db.yaml"
+
+# End app template creation.
+######################################################################
+
+######################################################################
+# Begin conditional PV template creations
+
+# Required for the application server
+- name: Check if the CFME App PV template has been created already
+  oc_obj:
+    namespace: "{{ openshift_management_project }}"
+    state: list
+    kind: template
+    name: "{{ openshift_management_flavor }}-app-pv"
+  register: miq_app_pv_check
+
+- when: miq_app_pv_check.results.results == [{}]
+  block:
+  - name: Copy over CFME App PV template
+    copy:
+      src: "templates/{{ openshift_management_flavor }}/{{ openshift_management_flavor_short }}-pv-server-example.yaml"
+      dest: "{{ template_dir }}/"
+
+  - name: Ensure CFME App PV Template is created
+    oc_obj:
+      namespace: "{{ openshift_management_project }}"
+      name: "{{ openshift_management_flavor }}-app-pv"
+      state: present
+      kind: template
+      files:
+      - "{{ template_dir }}/{{ openshift_management_flavor_short }}-pv-server-example.yaml"
+
+#---------------------------------------------------------------------
+
+# Required for database if the installation is fully podified
+- when: openshift_management_app_template in ['miq-template', 'cfme-template']
+  block:
+  - name: Check if the CFME DB PV template has been created already
+    oc_obj:
+      namespace: "{{ openshift_management_project }}"
+      state: list
+      kind: template
+      name: "{{ openshift_management_flavor }}-db-pv"
+    register: miq_db_pv_check
+
+  - when: miq_db_pv_check.results.results == [{}]
+    block:
+    - name: Copy over CFME DB PV template
+      copy:
+        src: "templates/{{ openshift_management_flavor }}/{{ openshift_management_flavor_short }}-pv-db-example.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME DB PV Template is created
+      oc_obj:
+        namespace: "{{ openshift_management_project }}"
+        name: "{{ openshift_management_flavor }}-db-pv"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_management_flavor_short }}-pv-db-example.yaml"
diff --git a/roles/openshift_management/tasks/uninstall.yml b/roles/openshift_management/tasks/uninstall.yml
new file mode 100644
index 000000000..09fbc609f
--- /dev/null
+++ b/roles/openshift_management/tasks/uninstall.yml
@@ -0,0 +1,23 @@
+---
+- name: Start removing all the objects
+  command: "oc delete -n {{ openshift_management_project }} {{ item }} --all"
+  with_items:
+    - rc
+    - dc
+    - po
+    - svc
+    - pv
+    - pvc
+    - statefulsets
+    - routes
+
+- name: Remove the project
+  command: "oc delete -n {{ openshift_management_project }} project {{ openshift_management_project }}"
+
+- name: Verify project has been destroyed
+  command: "oc get project {{ openshift_management_project }}"
+  ignore_errors: True
+  register: project_terminated
+  until: project_terminated.stderr.find("NotFound") != -1
+  delay: 5
+  retries: 30
diff --git a/roles/openshift_management/tasks/validate.yml b/roles/openshift_management/tasks/validate.yml
new file mode 100644
index 000000000..8b20bdc5e
--- /dev/null
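Review bot: The EXTERNAL DATABASE TEMPLATE block is gated on `openshift_management_app_template in ['miq-template-ext-db', 'cfme-template']`, which looks like a typo for `'cfme-template-ext-db'`: tasks/main.yml and validate.yml in this same commit use `['miq-template-ext-db', 'cfme-template-ext-db']` for the ext-db case. As written, a `cfme-template-ext-db` deployment never gets its server template landed, while a `cfme-template` deployment copies both the podified and the ext-db template. Change the condition to `- when: openshift_management_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']`.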
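Review bot: `oc delete -n {{ openshift_management_project }} pv --all` is not scoped to the project: PersistentVolumes are cluster-scoped, so the `-n` flag is ignored and this line removes every PV in the cluster, not only the ones created for CFME. Delete them by name instead, e.g. `oc delete pv {{ openshift_management_flavor_short }}-app {{ openshift_management_flavor_short }}-db`, matching the names create_nfs_pvs.yml creates, and drop `pv` from the `with_items` list. A short comment above the task noting that the remaining kinds are namespaced and therefore safe under `--all` would help the next person who extends the list.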
+++ b/roles/openshift_management/tasks/validate.yml 
@@ -0,0 +1,90 @@
+---
+# Validate configuration parameters passed to the openshift_management role
+
+######################################################################
+# CORE PARAMETERS
+- name: Ensure openshift_management_app_template is valid
+  assert:
+    that:
+      - openshift_management_app_template in __openshift_management_app_templates
+
+    msg: |
+      "openshift_management_app_template must be one of {{
+      __openshift_management_app_templates | join(', ') }}"
+
+- name: Ensure openshift_management_storage_class is a valid type
+  assert:
+    that:
+      - openshift_management_storage_class in __openshift_management_storage_classes
+    msg: |
+      "openshift_management_storage_class must be one of {{
+      __openshift_management_storage_classes | join(', ') }}"
+
+######################################################################
+# STORAGE PARAMS - NFS
+- name: Ensure external NFS storage has a valid NFS server hostname defined
+  assert:
+    that:
+      - openshift_management_storage_nfs_external_hostname | default(False)
+    msg: |
+      The selected storage class 'nfs_external' requires a valid
+      hostname for the openshift_management_storage_nfs_hostname parameter
+  when:
+    - openshift_management_storage_class == 'nfs_external'
+
+- name: Ensure local NFS storage has a valid NFS server to use
+  fail:
+    msg: |
+      No NFS hosts detected or defined but storage class is set to
+      'nfs'. Add hosts to your [nfs] group or define one manually with
+      the 'openshift_management_storage_nfs_local_hostname' parameter
+  when:
+    - openshift_management_storage_class == 'nfs'
+    # You haven't created any NFS groups
+    - (groups.nfs is defined and groups.nfs | length == 0) or (groups.nfs is not defined)
+    # You did not manually specify a host to use
+    - (openshift_management_storage_nfs_local_hostname is not defined) or (openshift_management_storage_nfs_local_hostname == false)
+
+######################################################################
+# STORAGE PARAMS  -CLOUD PROVIDER
+- name: Validate Cloud Provider storage class
+  assert:
+    that:
+      - openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'
+    msg: |
+      openshift_management_storage_class is 'cloudprovider' but you have an
+      invalid kind defined, '{{ openshift_cloudprovider_kind }}'. See
+      'openshift_cloudprovider_kind' in the example inventories for
+      the required parameters for your selected cloud
+      provider. Working providers: 'aws' and 'gce'.
+  when:
+    - openshift_management_storage_class == 'cloudprovider'
+    - openshift_cloudprovider_kind is defined
+
+- name: Validate 'cloudprovider' Storage Class has required parameters defined
+  assert:
+    that:
+      - openshift_cloudprovider_kind is defined
+    msg: |
+      openshift_management_storage_class is 'cloudprovider' but you do not
+      have 'openshift_cloudprovider_kind' defined, this is
+      required. Search the example inventories for
+      'openshift_cloudprovider_kind'. The required parameters for your
+      selected cloud provider must be defined in your inventory as
+      well. Working providers: 'aws' and 'gce'.
+  when:
+    - openshift_management_storage_class == 'cloudprovider'
+
+######################################################################
+# DATABASE CONNECTION VALIDATION
+- name: Validate all required database parameters were provided for ext-db template
+  assert:
+    that:
+      - item in openshift_management_template_parameters
+    msg: |
+      "You are using external database services but a required
+      database parameter {{ item }} was not found in
+      'openshift_management_template_parameters'"
+  with_items: "{{ __openshift_management_required_db_conn_params }}"
+  when:
+    - openshift_management_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']
diff --git a/roles/openshift_management/vars/main.yml b/roles/openshift_management/vars/main.yml
new file mode 100644
index 000000000..da3ad0af7
--- /dev/null
+++ b/roles/openshift_management/vars/main.yml
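Review bot: The `nfs_external` assertion checks `openshift_management_storage_nfs_external_hostname`, but its message tells the user to set `openshift_management_storage_nfs_hostname`, a name nothing else in this commit reads (nfs.yml also consumes `_external_hostname`), so a user following the message sets the wrong variable and hits the same assert again. Change the message line to `hostname for the openshift_management_storage_nfs_external_hostname parameter`. The `fail` task for the `nfs` class inspects `groups.nfs`, while nfs.yml picks the server from `groups['oo_nfs_to_config']`; if those two groups can differ, the validation and the consumer are checking different things, which is worth a comment or an aligned group name.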
@@ -0,0 +1,76 @@
+---
+# Misc enumerated values
+#---------------------------------------------------------------------
+# Allowed choices for the storage class parameter
+__openshift_management_storage_classes:
+  - nfs
+  - nfs_external
+  - preconfigured
+  - cloudprovider
+
+#---------------------------------------------------------------------
+# DEFAULT PV SIZES
+# How large to make the MIQ application PV
+__openshift_management_app_pv_size: 5Gi
+# How large to make the MIQ PostgreSQL PV
+__openshift_management_db_pv_size: 15Gi
+
+# Name of the application templates with object/parameter definitions
+__openshift_management_app_templates:
+  - miq-template-ext-db
+  - miq-template
+  - cfme-template-ext-db
+  - cfme-template
+
+# PostgreSQL database connection parameters
+__openshift_management_db_parameters:
+  - DATABASE_USER
+  - DATABASE_PASSWORD
+  - DATABASE_IP
+  - DATABASE_PORT
+  - DATABASE_NAME
+
+# # Commented out until we can support both CFME and MIQ
+# # openshift_management_flavor: "{{ 'cloudforms' if openshift_deployment_type == 'openshift-enterprise' else 'manageiq' }}"
+#openshift_management_flavor: cloudforms
+openshift_management_flavor: manageiq
+# TODO: Make this conditional as well based on the prior variable
+# # openshift_management_flavor_short: "{{ 'cfme' if openshift_deployment_type == 'openshift-enterprise' else 'miq' }}"
+# openshift_management_flavor_short: cfme
+openshift_management_flavor_short: miq
+
+######################################################################
+# ACCOUNTING
+######################################################################
+# Service Account SSCs
+__openshift_system_account_sccs:
+  - name: -anyuid
+    resource_name: anyuid
+  - name: -orchestrator
+    resource_name: anyuid
+  - name: -privileged
+    resource_name: privileged
+  - name: -httpd
+    resource_name: anyuid
+
+# Service Account Roles
+__openshift_management_system_account_roles:
+  - name: -orchestrator
+    resource_name: view
+  - name: -orchestrator
+    resource_name: edit
+
+######################################################################
+# DEFAULTS
+######################################################################
+# User only has to provide parameters they need to override, we will
+# do a hash update method with the provided user parameters to create
+# the final connection structure.
+#
+# TODO: Update user provided configs with this if they are missing fields
+__openshift_management_required_db_conn_params:
+  - DATABASE_USER
+  - DATABASE_PASSWORD
+  - DATABASE_IP
+  - DATABASE_PORT
+  - DATABASE_NAME
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 73e935d3f..7e62a8c6d 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,4 +1,9 @@
 ---
+# openshift_master_defaults_in_use is a workaround to detect if we are consuming
+# the plays from the role or outside of the role.
+openshift_master_defaults_in_use: True
+openshift_master_debug_level: "{{ debug_level | default(2) }}"
+
 r_openshift_master_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
 r_openshift_master_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
@@ -26,6 +31,9 @@ oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
 oreg_auth_credentials_replace: False
 l_bind_docker_reg_auth: False
+containerized_svc_dir: "/usr/lib/systemd/system"
+ha_svc_template_path: "native-cluster"
+
 # NOTE
 # r_openshift_master_*_default may be defined external to this role.
 # openshift_use_*, if defined, may affect other roles or play behavior.
diff --git a/roles/openshift_master/tasks/check_master_api_is_ready.yml b/roles/openshift_master/tasks/check_master_api_is_ready.yml
new file mode 100644
index 000000000..7e8a7a596
--- /dev/null
+++ b/roles/openshift_master/tasks/check_master_api_is_ready.yml
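Review bot: In roles/openshift_management/vars/main.yml, `__openshift_management_required_db_conn_params` repeats the five entries of `__openshift_management_db_parameters` defined earlier in the same hunk, and only the former is consumed by validate.yml; keep one list, or define the second as `__openshift_management_required_db_conn_params: "{{ __openshift_management_db_parameters }}"`, so the two cannot drift apart. The `__openshift_system_account_sccs` list binds the `privileged` SCC to the `-privileged` service account and `anyuid` to three others without saying which pods need them; a one-line comment per entry naming the workload that requires the SCC would let a later reviewer audit whether the grant is still the minimum needed. The header `# Service Account SSCs` should read `SCCs`.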
@@ -0,0 +1,14 @@
+---
+- name: Wait for API to become available
+  # Using curl here since the uri module requires python-httplib2 and
+  # wait_for port doesn't provide health information.
+  command: >
+    curl --silent --tlsv1.2
+    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
+    {{ openshift.master.api_url }}/healthz/ready
+  register: l_api_available_output
+  until: l_api_available_output.stdout == 'ok'
+  retries: 120
+  delay: 1
+  run_once: true
+  changed_when: false
diff --git a/roles/openshift_master/tasks/configure_external_etcd.yml b/roles/openshift_master/tasks/configure_external_etcd.yml
new file mode 100644
index 000000000..b0590ac84
--- /dev/null
+++ b/roles/openshift_master/tasks/configure_external_etcd.yml
@@ -0,0 +1,17 @@
+---
+- name: Remove etcdConfig section
+  yedit:
+    src: /etc/origin/master/master-config.yaml
+    key: "etcdConfig"
+    state: absent
+- name: Set etcdClientInfo.ca to master.etcd-ca.crt
+  yedit:
+    src: /etc/origin/master/master-config.yaml
+    key: etcdClientInfo.ca
+    value: master.etcd-ca.crt
+- name: Set etcdClientInfo.urls to the external etcd
+  yedit:
+    src: /etc/origin/master/master-config.yaml
+    key: etcdClientInfo.urls
+    value:
+      - "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_port }}"
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 82b4b420c..824a5886e 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -311,23 +311,7 @@
 # A separate wait is required here for native HA since notifies will
 # be resolved after all tasks in the role.
-- name: Wait for API to become available
-  # Using curl here since the uri module requires python-httplib2 and
-  # wait_for port doesn't provide health information.
-  command: >
-    curl --silent --tlsv1.2
-    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
-    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-    {% else %}
-    --cacert {{ openshift.common.config_base }}/master/ca.crt
-    {% endif %}
-    {{ openshift.master.api_url }}/healthz/ready
-  register: l_api_available_output
-  until: l_api_available_output.stdout == 'ok'
-  retries: 120
-  delay: 1
-  run_once: true
-  changed_when: false
+- include: check_master_api_is_ready.yml
   when:
   - openshift.master.cluster_method == 'native'
   - master_api_service_status_changed | bool
diff --git a/roles/openshift_master/tasks/registry_auth.yml b/roles/openshift_master/tasks/registry_auth.yml
index 2644f235e..63d483760 100644
--- a/roles/openshift_master/tasks/registry_auth.yml
+++ b/roles/openshift_master/tasks/registry_auth.yml
@@ -1,14 +1,4 @@
 ---
-# We need to setup some variables as this play might be called directly
-# from outside of the role.
-- set_fact:
-    oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
-  when: oreg_auth_credentials_path is not defined
-
-- set_fact:
-    oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
-  when: oreg_host is not defined
-
 - name: Check for credentials file for registry auth
   stat:
     path: "{{ oreg_auth_credentials_path }}"
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 8de62c59a..fcc66044b 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -1,31 +1,9 @@
 ---
-# This file is included both in the openshift_master role and in the upgrade
-# playbooks.  For that reason the ha_svc variables are use set_fact instead of
-# the vars directory on the role.
+# systemd_units.yml is included both in the openshift_master role and in the upgrade
+# playbooks.
-# This play may be consumed outside the role, we need to ensure that
-# openshift_master_config_dir is set.
-- name: Set openshift_master_config_dir if unset
-  set_fact:
-    openshift_master_config_dir: '/etc/origin/master'
-  when: openshift_master_config_dir is not defined
-
-# This play may be consumed outside the role, we need to ensure that
-# r_openshift_master_data_dir is set.
-- name: Set r_openshift_master_data_dir if unset
-  set_fact:
-    r_openshift_master_data_dir: "{{ openshift_data_dir | default('/var/lib/origin') }}"
-  when: r_openshift_master_data_dir is not defined
-
-- include: registry_auth.yml
-
-- name: Remove the legacy master service if it exists
-  include: clean_systemd_units.yml
-
-- name: Init HA Service Info
-  set_fact:
-    containerized_svc_dir: "/usr/lib/systemd/system"
-    ha_svc_template_path: "native-cluster"
+- include: upgrade_facts.yml
+  when: openshift_master_defaults_in_use is not defined
 - name: Set HA Service Info for containerized installs
   set_fact:
@@ -34,6 +12,11 @@
   when:
   - openshift.common.is_containerized | bool
+- include: registry_auth.yml
+
+- name: Remove the legacy master service if it exists
+  include: clean_systemd_units.yml
+
 # This is the image used for both HA and non-HA clusters:
 - name: Pre-pull master image
   command: >
diff --git a/roles/openshift_master/tasks/upgrade_facts.yml b/roles/openshift_master/tasks/upgrade_facts.yml
new file mode 100644
index 000000000..f6ad438aa
--- /dev/null
+++ b/roles/openshift_master/tasks/upgrade_facts.yml
@@ -0,0 +1,33 @@
+---
+# This file exists because we call systemd_units.yml from outside of the role
+# during upgrades.  When we remove this pattern, we can probably
+# eliminate most of these set_fact items.
+
+- name: Set openshift_master_config_dir if unset
+  set_fact:
+    openshift_master_config_dir: '/etc/origin/master'
+  when: openshift_master_config_dir is not defined
+
+- name: Set r_openshift_master_data_dir if unset
+  set_fact:
+    r_openshift_master_data_dir: "{{ openshift_data_dir | default('/var/lib/origin') }}"
+  when: r_openshift_master_data_dir is not defined
+
+- set_fact:
+    oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
+  when: oreg_auth_credentials_path is not defined
+
+- set_fact:
+    oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
+  when: oreg_host is not defined
+
+- name: Set openshift_master_debug_level
+  set_fact:
+    openshift_master_debug_level: "{{ debug_level | default(2) }}"
+  when:
+  - openshift_master_debug_level is not defined
+
+- name: Init HA Service Info
+  set_fact:
+    containerized_svc_dir: "{{ containerized_svc_dir | default('/usr/lib/systemd/system') }}"
+    ha_svc_template_path: "{{ ha_svc_template_path | default('native-cluster') }}"
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index b931f1414..7ec26ceb7 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,4 +1,4 @@
-OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
+OPTIONS=--loglevel={{ openshift_master_debug_level }}
 CONFIG_FILE={{ openshift_master_config_file }}
 {# Preserve existing OPENSHIFT_DEFAULT_REGISTRY settings in scale up runs #}
 {% if openshift_master_is_scaleup_host %}
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index d045b402b..9b3fbcf49 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -251,11 +251,7 @@ servingInfo:
   bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.api_port }}
   bindNetwork: tcp4
   certFile: master.server.crt
-{% if openshift.common.version_gte_3_2_or_1_2 | bool %}
-  clientCA: ca-bundle.crt
-{% else %}
   clientCA: ca.crt
-{% endif %}
   keyFile: master.server.key
   maxRequestsInFlight: {{ openshift.master.max_requests_inflight }}
   requestTimeoutSeconds: 3600
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2
index 63eb3ea1b..cc21b37af 100644
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2
@@ -1,4 +1,4 @@
-OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.api_port }} --master={{ openshift.master.loopback_api_url }}
+OPTIONS=--loglevel={{ openshift_master_debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.api_port }} --master={{ openshift.master.loopback_api_url }}
 CONFIG_FILE={{ openshift_master_config_file }}
 {# Preserve existing OPENSHIFT_DEFAULT_REGISTRY settings in scale up runs #}
 {% if openshift_master_is_scaleup_host %}
diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2
index 0adfd05b6..493fc510e 100644
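Review bot: The removed conditional in master.yaml.v1.j2 used `clientCA: ca-bundle.crt` for 3.2+/1.2+ and `ca.crt` only for older releases, but the surviving line is `clientCA: ca.crt`, so this hunk changes the client CA for every currently supported version rather than just dropping the legacy branch; check_master_api_is_ready.yml in the same commit keeps `ca-bundle.crt` when it drops its equivalent conditional. If `ca-bundle.crt` contains CAs that `ca.crt` does not, client certificates issued under those CAs stop authenticating to the API after this template is re-rendered. Unless the switch is intended, keep `  clientCA: ca-bundle.crt` as the surviving line.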
--- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2
+++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2
@@ -1,4 +1,4 @@
-OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.controllers_port }}
+OPTIONS=--loglevel={{ openshift_master_debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.controllers_port }}
 CONFIG_FILE={{ openshift_master_config_file }}
 {# Preserve existing OPENSHIFT_DEFAULT_REGISTRY settings in scale up runs #}
 {% if openshift_master_is_scaleup_host %}
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index a95570d38..501be148e 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -34,7 +34,6 @@
       cluster_method: "{{ openshift_master_cluster_method | default('native') }}"
       cluster_hostname: "{{ openshift_master_cluster_hostname | default(None) }}"
       cluster_public_hostname: "{{ openshift_master_cluster_public_hostname | default(None) }}"
-      debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level) }}"
       api_port: "{{ openshift_master_api_port | default(None) }}"
       api_url: "{{ openshift_master_api_url | default(None) }}"
       api_use_ssl: "{{ openshift_master_api_use_ssl | default(None) }}"
diff --git a/roles/openshift_metrics/tasks/install_cassandra.yaml b/roles/openshift_metrics/tasks/install_cassandra.yaml
index 7928a0346..48584bd64 100644
--- a/roles/openshift_metrics/tasks/install_cassandra.yaml
+++ b/roles/openshift_metrics/tasks/install_cassandra.yaml
@@ -54,6 +54,7 @@
     access_modes: "{{ openshift_metrics_cassandra_pvc_access | list }}"
     size: "{{ openshift_metrics_cassandra_pvc_size }}"
     pv_selector: "{{ openshift_metrics_cassandra_pv_selector }}"
+    storage_class_name: "{{ openshift_metrics_cassanda_pvc_storage_class_name | default('', true) }}"
   with_sequence: count={{ openshift_metrics_cassandra_replicas }}
   when: openshift_metrics_cassandra_storage_type == 'dynamic'
   changed_when: false
diff --git a/roles/openshift_nfs/README.md b/roles/openshift_nfs/README.md
new file mode 100644
index 000000000..36ea36385
--- /dev/null
+++ b/roles/openshift_nfs/README.md
@@ -0,0 +1,17 @@
+OpenShift NFS
+=============
+
+Sets up basic NFS services on a cluster host.
+
+See [tasks/create_export.yml](tasks/create_export.yml) for
+instructions on using the export creation tasks file.
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)
diff --git a/roles/openshift_nfs/defaults/main.yml b/roles/openshift_nfs/defaults/main.yml
new file mode 100644
index 000000000..ee94c7c57
--- /dev/null
+++ b/roles/openshift_nfs/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+r_openshift_nfs_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_openshift_nfs_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
+
+r_openshift_nfs_os_firewall_deny: []
+r_openshift_nfs_firewall_allow:
+- service: nfs
+  port: "2049/tcp"
diff --git a/roles/openshift_nfs/meta/main.yml b/roles/openshift_nfs/meta/main.yml
new file mode 100644
index 000000000..d7b5910f2
--- /dev/null
+++ b/roles/openshift_nfs/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Tim Bielawa
+  description: OpenShift Basic NFS Configuration
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- role: lib_utils
+- role: lib_os_firewall
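Review bot: The new `storage_class_name` reads `openshift_metrics_cassanda_pvc_storage_class_name`, which is missing the `r` that every other variable in this hunk carries (`openshift_metrics_cassandra_*`); unless the misspelled name is the one documented for users, a value set as `openshift_metrics_cassandra_pvc_storage_class_name` is silently ignored, the `default('', true)` always wins, and the PVC lands on the cluster's default storage class. Suggest `storage_class_name: "{{ openshift_metrics_cassandra_pvc_storage_class_name | default('', true) }}"`. The enclosing task starts before the hunk.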
diff --git a/roles/openshift_nfs/tasks/create_export.yml b/roles/openshift_nfs/tasks/create_export.yml
new file mode 100644
index 000000000..39323904f
--- /dev/null
+++ b/roles/openshift_nfs/tasks/create_export.yml
@@ -0,0 +1,34 @@
+---
+# Makes a new NFS export
+#
+# Include signature
+#
+# include_role:
+#   role: openshift_nfs
+#   tasks_from: create_export
+# vars:
+#   l_nfs_base_dir: Base dir to exports
+#   l_nfs_export_config: Name to prefix the .exports file with
+#   l_nfs_export_name: Name of sub-directory of the export
+#   l_nfs_options: Mount Options
+
+- name: Ensure CFME App NFS export directory exists
+  file:
+    path: "{{ l_nfs_base_dir }}/{{ l_nfs_export_name }}"
+    state: directory
+    mode: 0777
+    owner: nfsnobody
+    group: nfsnobody
+
+- name: "Create {{ l_nfs_export_name }} NFS export"
+  lineinfile:
+    path: "/etc/exports.d/{{ l_nfs_export_config }}.exports"
+    create: true
+    state: present
+    line: "{{ l_nfs_base_dir }}/{{ l_nfs_export_name }} {{ l_nfs_options }}"
+  register: created_export
+
+- name: Re-export NFS filesystems
+  command: exportfs -ar
+  when:
+    - created_export | changed
diff --git a/roles/openshift_nfs/tasks/firewall.yml b/roles/openshift_nfs/tasks/firewall.yml
new file mode 100644
index 000000000..0898b2b5c
--- /dev/null
+++ b/roles/openshift_nfs/tasks/firewall.yml
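Review bot: The export directory is created with `mode: 0777`, which makes it world-writable on the NFS host itself regardless of what `l_nfs_options` restricts on the wire; with `owner`/`group` already `nfsnobody`, `0770` (or `0755`) is sufficient whenever the export squashes client access to that identity, and a caller that needs unsquashed client uids can pass a mode of its own. Keeping the current value as the default preserves the interface: `mode: "{{ l_nfs_export_mode | default('0777') }}"`, with `l_nfs_export_mode` added to the include-signature comment at the top of the file. Separately, the task name `Ensure CFME App NFS export directory exists` is specific to one caller of a generic role; `"Ensure {{ l_nfs_export_name }} NFS export directory exists"` matches the naming of the task that follows.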
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_nfs_firewall_enabled | bool and not r_openshift_nfs_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_os_firewall_deny }}"
+
+- when: r_openshift_nfs_firewall_enabled | bool and r_openshift_nfs_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_os_firewall_deny }}"
diff --git a/roles/openshift_nfs/tasks/setup.yml b/roles/openshift_nfs/tasks/setup.yml
new file mode 100644
index 000000000..3070de495
--- /dev/null
+++ b/roles/openshift_nfs/tasks/setup.yml
@@ -0,0 +1,29 @@
+---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
+- name: Install nfs-utils
+  package: name=nfs-utils state=present
+
+- name: Configure NFS
+  lineinfile:
+    dest: /etc/sysconfig/nfs
+    regexp: '^RPCNFSDARGS=.*$'
+    line: 'RPCNFSDARGS="-N 2 -N 3"'
+  register: nfs_config
+
+- name: Restart nfs-config
+  systemd: name=nfs-config state=restarted
+  when: nfs_config | changed
+
+- name: Ensure exports directory exists
+  file:
+    path: "{{ l_nfs_base_dir }}"
+    state: directory
+
+- name: Enable and start NFS services
+  systemd:
+    name: nfs-server
+    state: started
+    enabled: yes
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 1214c08e5..298d1013f 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+openshift_node_debug_level: "{{ debug_level | default(2) }}"
+
 r_openshift_node_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
 r_openshift_node_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
diff --git a/roles/openshift_node/tasks/bootstrap.yml b/roles/openshift_node/tasks/bootstrap.yml
index b83b2c452..6bd2df362 100644
--- a/roles/openshift_node/tasks/bootstrap.yml
+++ b/roles/openshift_node/tasks/bootstrap.yml
@@ -29,7 +29,7 @@
     line: "{% raw %}ExecStart=/usr/bin/openshift start node --bootstrap --kubeconfig=${KUBECONFIG} $OPTIONS{% endraw %}"
     regexp: "^ExecStart=.*"
-- name: "systemctl enable {{ openshift_service_type }}-node"
+- name: "disable {{ openshift_service_type }}-node and {{ openshift_service_type }}-master services"
   systemd:
     name: "{{ item }}"
     enabled: no
diff --git a/roles/openshift_node/tasks/config.yml b/roles/openshift_node/tasks/config.yml
index e3898b520..e5fcaf9af 100644
--- a/roles/openshift_node/tasks/config.yml
+++ b/roles/openshift_node/tasks/config.yml
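Review bot: `RPCNFSDARGS="-N 2 -N 3"` disables NFSv2 and NFSv3 so only NFSv4 is served, and that is what makes the single `2049/tcp` allow rule in defaults/main.yml sufficient (v3 would additionally need rpcbind, mountd and the lock/status daemons reachable); the coupling is stated nowhere, so a comment above the `Configure NFS` task, e.g. `# Serve NFSv4 only: re-enabling v2/v3 also requires opening the rpcbind/mountd ports the firewall rule does not cover`, would stop the two drifting apart. On style, `package: name=nfs-utils state=present` and `systemd: name=nfs-config state=restarted` use key=value shorthand while the other tasks in the file use YAML mappings; the mapping form throughout would be consistent. `l_nfs_base_dir` is required by this file but only documented in create_export.yml; a one-line header comment naming it here would help callers of `setup`.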
@@ -111,9 +111,5 @@
     msg: Node failed to start please inspect the logs and try again
   when: node_start_result | failed
-- name: Setup tuned
-  include: tuned.yml
-  static: yes
-
 - set_fact:
     node_service_status_changed: "{{ node_start_result | changed }}"
diff --git a/roles/openshift_node/tasks/config/configure-node-settings.yml b/roles/openshift_node/tasks/config/configure-node-settings.yml
index 1186062eb..527580481 100644
--- a/roles/openshift_node/tasks/config/configure-node-settings.yml
+++ b/roles/openshift_node/tasks/config/configure-node-settings.yml
@@ -7,7 +7,7 @@
     create: true
   with_items:
   - regex: '^OPTIONS='
-    line: "OPTIONS=--loglevel={{ openshift.node.debug_level | default(2) }}"
+    line: "OPTIONS=--loglevel={{ openshift_node_debug_level }}"
   - regex: '^CONFIG_FILE='
     line: "CONFIG_FILE={{ openshift.common.config_base }}/node/node-config.yaml"
   - regex: '^IMAGE_VERSION='
diff --git a/roles/openshift_node/tasks/config/install-node-docker-service-file.yml b/roles/openshift_node/tasks/config/install-node-docker-service-file.yml
deleted file mode 100644
index f92ff79b5..000000000
--- a/roles/openshift_node/tasks/config/install-node-docker-service-file.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Install Node docker service file
-  template:
-    dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service"
-    src: openshift.docker.node.service
-  notify:
-  - reload systemd units
-  - restart node
diff --git a/roles/openshift_node/tasks/install.yml b/roles/openshift_node/tasks/install.yml
index 265bf2c46..1539d6e3b 100644
--- a/roles/openshift_node/tasks/install.yml
+++ b/roles/openshift_node/tasks/install.yml
@@ -27,5 +27,3 @@
       docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }}
     register: pull_result
     changed_when: "'Downloaded newer image' in pull_result.stdout"
-
-  - include: config/install-node-docker-service-file.yml
diff --git a/roles/openshift_node/tasks/systemd_units.yml b/roles/openshift_node/tasks/systemd_units.yml
index 6b4490f61..9c182ade6 100644
--- a/roles/openshift_node/tasks/systemd_units.yml
+++ b/roles/openshift_node/tasks/systemd_units.yml
@@ -1,11 +1,9 @@
 ---
-# This file is included both in the openshift_master role and in the upgrade
-# playbooks.
 - name: Install Node service file
   template:
     dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service"
-    src: "node.service.j2"
-  when: not openshift.common.is_containerized | bool
+    src: "{{ openshift.common.is_containerized | bool | ternary('openshift.docker.node.service', 'node.service.j2') }}"
+  when: not openshift.common.is_node_system_container | bool
   notify:
   - reload systemd units
   - restart node
diff --git a/roles/openshift_node/templates/openshift.docker.node.service b/roles/openshift_node/templates/openshift.docker.node.service
index 310d8b29d..561aa01f4 100644
--- a/roles/openshift_node/templates/openshift.docker.node.service
+++ b/roles/openshift_node/templates/openshift.docker.node.service
@@ -6,6 +6,7 @@ PartOf={{ openshift.docker.service_name }}.service
 Requires={{ openshift.docker.service_name }}.service
 {% if openshift_node_use_openshift_sdn %}
 Wants=openvswitch.service
+PartOf=openvswitch.service
 After=ovsdb-server.service
 After=ovs-vswitchd.service
 {% endif %}
diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
index df02bcf0e..230f0a28c 100755
--- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
+++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
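Review bot: The new `src:` ternary together with the `when:` encodes three install modes in two dense lines (RPM → `node.service.j2`, docker-containerized → `openshift.docker.node.service`, system container → task skipped), and dropping the header comment leaves the file with no prose about it. A comment above the task would keep the intent readable, e.g. `# RPM installs get node.service.j2, docker-containerized installs get the docker unit; system-container nodes are skipped here`. The removed comment also claimed the file is shared with the upgrade playbooks; if that is still true, a replacement sentence saying so would be worth keeping.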
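Review bot: `PartOf=openvswitch.service` makes a stop or restart of openvswitch propagate to the node unit (PartOf propagates stop/restart only, not start), so an in-place OVS restart now also restarts the node on top of the existing `Wants=`/`After=` ordering; that is an operational behaviour change and the unit does not say why it is wanted. A one-line comment inside the SDN block would record it, e.g. `# PartOf: a restart of openvswitch restarts the node service as well`, with the reason filled in. The identical line is added to roles/openshift_node_upgrade/templates/openshift.docker.node.service; the two templates should stay in step.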
@@ -112,10 +112,10 @@ EOF
       fi
       sed -e '/^nameserver.*$/d' /etc/resolv.conf >> ${NEW_RESOLV_CONF}
       echo "nameserver "${def_route_ip}"" >> ${NEW_RESOLV_CONF}
-      if ! grep -q 'search.*cluster.local' ${NEW_RESOLV_CONF}; then
-        sed -i '/^search/ s/$/ cluster.local/' ${NEW_RESOLV_CONF}
-      elif ! grep -qw search ${NEW_RESOLV_CONF}; then
+      if ! grep -qw search ${NEW_RESOLV_CONF}; then
         echo 'search cluster.local' >> ${NEW_RESOLV_CONF}
+      elif ! grep -q 'search.*cluster.local' ${NEW_RESOLV_CONF}; then
+        sed -i '/^search/ s/$/ cluster.local/' ${NEW_RESOLV_CONF}
       fi
       cp -Z ${NEW_RESOLV_CONF} /etc/resolv.conf
     fi
diff --git a/roles/openshift_node_facts/tasks/main.yml b/roles/openshift_node_facts/tasks/main.yml
index 0d5fa664c..b45130400 100644
--- a/roles/openshift_node_facts/tasks/main.yml
+++ b/roles/openshift_node_facts/tasks/main.yml
@@ -11,7 +11,6 @@
   - role: node
     local_facts:
       annotations: "{{ openshift_node_annotations | default(none) }}"
-      debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
       iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}"
       kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}"
       labels: "{{ openshift_node_labels | default(None) }}"
diff --git a/roles/openshift_node_upgrade/README.md b/roles/openshift_node_upgrade/README.md
index c7c0ff34a..73b98ad90 100644
--- a/roles/openshift_node_upgrade/README.md
+++ b/roles/openshift_node_upgrade/README.md
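Review bot: `grep -qw search` matches the word `search` anywhere in the file, but the `sed` on the `elif` branch only edits lines that begin with `search`; the non-nameserver lines copied in from the existing resolv.conf two lines above include any comments, so if the word occurs only in a comment the first branch is skipped, the sed edits nothing, and `cluster.local` is never added — the same shape of bug this reorder fixes. Anchoring both tests to the line start (and escaping the dot, so `clusterXlocal` cannot satisfy it) closes the gap: `if ! grep -q '^search' ${NEW_RESOLV_CONF}; then` and `elif ! grep -q '^search.*cluster\.local' ${NEW_RESOLV_CONF}; then`. The enclosing `if` block and function start and end outside the hunk.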
@@ -49,7 +49,6 @@ From openshift.node:
 | Name                               |  Default Value      |                     |
 |------------------------------------|---------------------|---------------------|
-| openshift.node.debug_level         |---------------------|---------------------|
 | openshift.node.node_image          |---------------------|---------------------|
 | openshift.node.ovs_image           |---------------------|---------------------|
diff --git a/roles/openshift_node_upgrade/defaults/main.yml b/roles/openshift_node_upgrade/defaults/main.yml
index 6507b015d..10b4c6977 100644
--- a/roles/openshift_node_upgrade/defaults/main.yml
+++ b/roles/openshift_node_upgrade/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+openshift_node_debug_level: "{{ debug_level | default(2) }}"
+
 openshift_use_openshift_sdn: True
 os_sdn_network_plugin_name: "redhat/openshift-ovs-subnet"
diff --git a/roles/openshift_node_upgrade/tasks/config/configure-node-settings.yml b/roles/openshift_node_upgrade/tasks/config/configure-node-settings.yml
index 1186062eb..527580481 100644
--- a/roles/openshift_node_upgrade/tasks/config/configure-node-settings.yml
+++ b/roles/openshift_node_upgrade/tasks/config/configure-node-settings.yml
@@ -7,7 +7,7 @@
     create: true
   with_items:
   - regex: '^OPTIONS='
-    line: "OPTIONS=--loglevel={{ openshift.node.debug_level | default(2) }}"
+    line: "OPTIONS=--loglevel={{ openshift_node_debug_level }}"
   - regex: '^CONFIG_FILE='
     line: "CONFIG_FILE={{ openshift.common.config_base }}/node/node-config.yaml"
   - regex: '^IMAGE_VERSION='
diff --git a/roles/openshift_node_upgrade/tasks/systemd_units.yml b/roles/openshift_node_upgrade/tasks/systemd_units.yml
index afff2f8ba..226f5290c 100644
--- a/roles/openshift_node_upgrade/tasks/systemd_units.yml
+++ b/roles/openshift_node_upgrade/tasks/systemd_units.yml
@@ -6,7 +6,7 @@
 # - openshift.node.ovs_image
 # - openshift_use_openshift_sdn
 # - openshift.common.service_type
-# - openshift.node.debug_level
+# - openshift_node_debug_level
 # - openshift.common.config_base
 # - openshift.common.http_proxy
 # - openshift.common.portal_net
diff --git a/roles/openshift_node_upgrade/templates/openshift.docker.node.service b/roles/openshift_node_upgrade/templates/openshift.docker.node.service
index 864e4b5d6..07d1ebc3c 100644
--- a/roles/openshift_node_upgrade/templates/openshift.docker.node.service
+++ b/roles/openshift_node_upgrade/templates/openshift.docker.node.service
@@ -6,6 +6,7 @@ PartOf={{ openshift.docker.service_name }}.service
 Requires={{ openshift.docker.service_name }}.service
 {% if openshift_use_openshift_sdn %}
 Wants=openvswitch.service
+PartOf=openvswitch.service
 After=ovsdb-server.service
 After=ovs-vswitchd.service
 {% endif %}
diff --git a/roles/openshift_service_catalog/vars/openshift-enterprise.yml b/roles/openshift_service_catalog/vars/openshift-enterprise.yml
index 4df60e9a8..cab9cc7d8 100644
--- a/roles/openshift_service_catalog/vars/openshift-enterprise.yml
+++ b/roles/openshift_service_catalog/vars/openshift-enterprise.yml
@@ -1,3 +1,3 @@
 ---
 __openshift_service_catalog_image_prefix: "registry.access.redhat.com/openshift3/ose-"
-__openshift_service_catalog_image_version: "v3.6"
+__openshift_service_catalog_image_version: "v3.7"
diff --git a/roles/tuned/defaults/main.yml b/roles/tuned/defaults/main.yml
new file mode 100644
index 000000000..418a4b521
--- /dev/null
+++ b/roles/tuned/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+tuned_etc_directory: '/etc/tuned'
+tuned_templates_source: '../templates'
diff --git a/roles/tuned/meta/main.yml b/roles/tuned/meta/main.yml
new file mode 100644
index 000000000..833d94c13
--- /dev/null
+++ b/roles/tuned/meta/main.yml
@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: Jiri Mencak
+  description: Restart the tuned daemon if present and make it use the recommended profile
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.3
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
diff --git a/roles/openshift_node/tasks/tuned.yml b/roles/tuned/tasks/main.yml
index 425bf6a26..e95d274d5 100644
--- a/roles/openshift_node/tasks/tuned.yml
+++ b/roles/tuned/tasks/main.yml
@@ -12,8 +12,6 @@
   - name: Set tuned OpenShift variables
     set_fact:
       openshift_tuned_guest_profile: "{{ 'atomic-guest' if openshift.common.is_atomic else 'virtual-guest' }}"
-      tuned_etc_directory: '/etc/tuned'
-      tuned_templates_source: '../templates/tuned'
   - name: Ensure directory structure exists
     file:
diff --git a/roles/openshift_node/templates/tuned/openshift-control-plane/tuned.conf b/roles/tuned/templates/openshift-control-plane/tuned.conf
index f22f21065..f22f21065 100644
--- a/roles/openshift_node/templates/tuned/openshift-control-plane/tuned.conf
+++ b/roles/tuned/templates/openshift-control-plane/tuned.conf
diff --git a/roles/openshift_node/templates/tuned/openshift-node/tuned.conf b/roles/tuned/templates/openshift-node/tuned.conf
index 78c7d19c9..78c7d19c9 100644
--- a/roles/openshift_node/templates/tuned/openshift-node/tuned.conf
+++ b/roles/tuned/templates/openshift-node/tuned.conf
diff --git a/roles/openshift_node/templates/tuned/openshift/tuned.conf b/roles/tuned/templates/openshift/tuned.conf
index 68ac5dadb..68ac5dadb 100644
--- a/roles/openshift_node/templates/tuned/openshift/tuned.conf
+++ b/roles/tuned/templates/openshift/tuned.conf
diff --git a/roles/openshift_node/templates/tuned/recommend.conf b/roles/tuned/templates/recommend.conf
index 5fa765798..086e5673d 100644
--- a/roles/openshift_node/templates/tuned/recommend.conf
+++ b/roles/tuned/templates/recommend.conf
@@ -1,8 +1,11 @@
-[openshift-node]
-/etc/origin/node/node-config.yaml=.*region=primary
-
 [openshift-control-plane,master]
 /etc/origin/master/master-config.yaml=.*
 [openshift-control-plane,node]
 /etc/origin/node/node-config.yaml=.*region=infra
+
+[openshift-control-plane,lb]
+/etc/haproxy/haproxy.cfg=.*
+
+[openshift-node]
+/etc/origin/node/node-config.yaml=.*
|
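Review bot: The new ordering is load-bearing and nothing in the file says so: as I read the tuned documentation, `tuned-adm recommend` walks recommend.conf top to bottom and takes the first section whose rule matches, so the generic `[openshift-node]` rule with `/etc/origin/node/node-config.yaml=.*` must stay after the `region=infra` rule or infra nodes would be recommended the plain node profile. A leading comment would protect that invariant for the next editor, e.g. `# First matching rule wins: keep the catch-all openshift-node rule last`; recommend.conf is parsed as an INI-style file, so a `#` comment line should be safe. Whether the move from `region=primary` to `.*` for the node rule is meant to cover every remaining node label is not stated either and could be covered by the same comment.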
