-rwxr-xr-x[-rw-r--r--] | inventory/aws/ec2.py | 10 | ||||
-rw-r--r-- | roles/openshift_common/tasks/main.yml | 8 | ||||
-rw-r--r-- | roles/openshift_common/vars/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_master/defaults/main.yml | 13 | ||||
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 41 | ||||
-rw-r--r-- | roles/openshift_node/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/openshift_node/library/openshift_register_node.py | 126 | ||||
-rw-r--r-- | roles/openshift_node/tasks/main.yml | 20 | ||||
-rw-r--r-- | roles/openshift_sdn_node/tasks/main.yml | 8 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/firewalld.yml | 45 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/iptables.yml | 35 |
11 files changed, 205 insertions, 106 deletions
diff --git a/inventory/aws/ec2.py b/inventory/aws/ec2.py index f4e029553..1a863d8a8 100644..100755 --- a/inventory/aws/ec2.py +++ b/inventory/aws/ec2.py @@ -215,8 +215,14 @@ class Ec2Inventory(object): # Destination addresses self.destination_variable = config.get('ec2', 'destination_variable') self.vpc_destination_variable = config.get('ec2', 'vpc_destination_variable') - self.destination_format = config.get('ec2', 'destination_format') - self.destination_format_tags = config.get('ec2', 'destination_format_tags', '').split(',') + + if config.has_option('ec2', 'destination_format') and \ + config.has_option('ec2', 'destination_format_tags'): + self.destination_format = config.get('ec2', 'destination_format') + self.destination_format_tags = config.get('ec2', 'destination_format_tags').split(',') + else: + self.destination_format = None + self.destination_format_tags = None # Route53 self.route53_enabled = config.getboolean('ec2', 'route53') diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml index 723bdd9fa..728bba4e4 100644 --- a/roles/openshift_common/tasks/main.yml +++ b/roles/openshift_common/tasks/main.yml @@ -7,14 +7,6 @@ - name: Configure local facts file file: path=/etc/ansible/facts.d/ state=directory mode=0750 -- name: Add KUBECONFIG to .bash_profile for user root - lineinfile: - dest: /root/.bash_profile - regexp: "KUBECONFIG=" - line: "export KUBECONFIG=/var/lib/openshift/openshift.local.certificates/admin/.kubeconfig" - state: present - insertafter: EOF - - name: Set common OpenShift facts include: set_facts.yml facts: diff --git a/roles/openshift_common/vars/main.yml b/roles/openshift_common/vars/main.yml index 0855c0cc5..623aed9bf 100644 --- a/roles/openshift_common/vars/main.yml +++ b/roles/openshift_common/vars/main.yml 
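Review bot: When only one of `destination_format` / `destination_format_tags` is present in the ini file, the new `has_option` branch silently sets both attributes to `None`, so a half-configured destination format is ignored with no diagnostic, whereas the old `config.get` calls raised `NoOptionError`. Consider rejecting the mismatch explicitly before the `else`, e.g. `elif config.has_option('ec2', 'destination_format') or config.has_option('ec2', 'destination_format_tags'): raise ValueError("destination_format and destination_format_tags must be set together")`. A one-line comment above the `if`, such as `# both options are optional, but only meaningful as a pair`, would also make the intent visible to the next reader. The enclosing method's signature and the consumer of these attributes are outside the hunk.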
@@ -3,4 +3,4 @@ openshift_master_credentials_dir: /var/lib/openshift/openshift.local.certificate # TODO: Upstream kubernetes only supports iptables currently, if this changes, # then these variable should be moved to defaults -openshift_use_firewalld: False +os_firewall_use_firewalld: False diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 3c941089c..0159afbb5 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -1,3 +1,16 @@ --- openshift_master_manage_service_externally: false openshift_master_debug_level: "{{ openshift_debug_level | default(0) }}" +openshift_node_ips: [] +os_firewall_allow: +- service: etcd embedded + port: 4001/tcp +- service: etcd peer + port: 7001/tcp +- service: OpenShift api https + port: 8443/tcp +- service: OpenShift web console https + port: 8444/tcp +os_firewall_deny: +- service: OpenShift api http + port: 8080/tcp diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 2f8f8b950..7a7f02be9 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
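Review bot: `os_firewall_allow` and `os_firewall_deny` are declared here as role defaults under the generic name the os_firewall role consumes, and `roles/openshift_node/defaults/main.yml` in this commit declares its own `os_firewall_allow` with the kubelet port. On a host that has both roles applied, only one role's default can be in effect for the variable when the firewall tasks run (which one depends on role ordering and precedence, so this is inferred rather than certain), meaning either the master ports or 10250/tcp could be left closed while the play still reports success. Namespacing the defaults (e.g. `openshift_master_firewall_allow`) and passing them to the dependency as role parameters, or documenting that a combined master/node host must set `os_firewall_allow` explicitly, would avoid the silent override. Note also that `os_firewall_deny` only removes an allow rule for 8080/tcp in both backends; it installs no reject, so the effect depends on the backend's default policy.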
@@ -2,27 +2,13 @@ - name: Install OpenShift Master package yum: pkg=openshift-master state=installed -- name: Configure firewall for OpenShift Master - include: "{{ role_path | dirname }}/openshift_common/tasks/firewall.yml" - allow: - - service: etcd embedded - port: 4001/tcp - - service: etcd peer - port: 7001/tcp - - service: OpenShift api https - port: 8443/tcp - - service: OpenShift web console https - port: 8444/tcp - deny: - - service: OpenShift api http - port: 8080/tcp - - name: Configure OpenShift settings lineinfile: dest: /etc/sysconfig/openshift-master regexp: '^OPTIONS=' - line: "OPTIONS=\"--public-master={{ openshift_hostname }} --nodes={{ openshift_node_ips - | join(',') }} --loglevel={{ openshift_master_debug_level }}\"" + line: "OPTIONS=\"--public-master={{ openshift_hostname }} {% if + openshift_node_ips %} --nodes={{ openshift_node_ips + | join(',') }} {% endif %} --loglevel={{ openshift_master_debug_level }}\"" notify: - restart openshift-master 
@@ -51,7 +37,28 @@ - name: Start and enable openshift-master service: name=openshift-master enabled=yes state=started when: not openshift_master_manage_service_externally + register: result + +#TODO: remove this when origin PR #1204 has landed in OSE +- name: need to pause here, otherwise we attempt to copy certificates generated by the master before they are generated + pause: seconds=30 + when: result | changed - name: Disable openshift-master if openshift-master is managed externally service: name=openshift-master enabled=false when: openshift_master_manage_service_externally + +# TODO: create an os_vars role that has generic env related config and move +# the root kubeconfig setting there, cannot use dependencies to force ordering +# with openshift_node and openshift_master because the way conditional +# dependencies work with current ansible would also exclude the +# openshift_common dependency. +- name: Create .kube directory + file: + path: /root/.kube + state: directory + mode: 0700 +- name: Configure root user kubeconfig + command: cp /var/lib/openshift/openshift.local.certificates/admin/.kubeconfig /root/.kube/.kubeconfig + args: + creates: /root/.kube/.kubeconfig diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index ae05a4479..6dc73a96e 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -1,3 +1,6 @@ --- openshift_node_manage_service_externally: false openshift_node_debug_level: "{{ openshift_debug_level | default(0) }}" +os_firewall_allow: +- service: OpenShift kubelet + port: 10250/tcp diff --git a/roles/openshift_node/library/openshift_register_node.py b/roles/openshift_node/library/openshift_register_node.py index 981b818c8..4b306db9f 100644 --- a/roles/openshift_node/library/openshift_register_node.py +++ b/roles/openshift_node/library/openshift_register_node.py 
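Review bot: The `Configure root user kubeconfig` task copies the admin credential with a bare `cp`, so the new `/root/.kube/.kubeconfig` takes its mode from root's umask rather than an explicit restrictive mode; the 0700 directory limits exposure, but the file itself should be 0600 too, e.g. `command: install -m 0600 /var/lib/openshift/openshift.local.certificates/admin/.kubeconfig /root/.kube/.kubeconfig` (keeping `creates:`), or a following `file: path=/root/.kube/.kubeconfig mode=0600` task. The same two tasks are duplicated in `roles/openshift_node/tasks/main.yml` in this commit and need the same treatment. Because of `creates:`, a regenerated admin certificate is never re-copied, which deserves a comment on the task. The 30-second `pause` guarded by `result | changed` is a timing guess; `wait_for: path=/var/lib/openshift/openshift.local.certificates/admin/.kubeconfig` would block on the actual artifact instead, though it only proves existence, not that the file is completely written.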
@@ -62,35 +62,81 @@ EXAMPLES = ''' ''' def main(): - default_config='/var/lib/openshift/openshift.local.certificates/admin/.kubeconfig' - module = AnsibleModule( - argument_spec = dict( - name = dict(required = True), - hostIP = dict(), - apiVersion = dict(), - cpu = dict(), - memory = dict(), - resources = dict(), - client_config = dict(default = default_config) + argument_spec = dict( + name = dict(required = True), + hostIP = dict(), + apiVersion = dict(), + cpu = dict(), + memory = dict(), + resources = dict(), + client_config = dict(), + client_cluster = dict(default = 'master'), + client_context = dict(default = 'master'), + client_user = dict(default = 'admin') ), + mutually_exclusive = [ + ['resources', 'cpu'], + ['resources', 'memory'] + ], supports_check_mode=True ) - if module.params['resources'] and (module.params['cpu'] or module.params['memory']): - module.fail_json(msg="Error: argument resources cannot be specified with the following arguments: cpu, memory") + user_has_client_config = os.path.exists(os.path.expanduser('~/.kube/.kubeconfig')) + if not (user_has_client_config or module.params['client_config']): + module.fail_json(msg="Could not locate client configuration, " + "client_config must be specified if " + "~/.kube/.kubeconfig is not present") + + client_opts = [] + if module.params['client_config']: + client_opts.append("--kubeconfig=%s" % module.params['client_config']) - client_env = os.environ.copy() - client_env['KUBECONFIG'] = module.params['client_config'] + try: + output = check_output(["/usr/bin/openshift", "ex", "config", "view", + "-o", "json"] + client_opts, + stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as e: + module.fail_json(msg="Failed to get client configuration", + command=e.cmd, returncode=e.returncode, output=e.output) + + config = json.loads(output) + if not (bool(config['clusters']) or bool(config['contexts']) or + bool(config['current-context']) or bool(config['users'])): + 
module.fail_json(msg="Client config missing required values", + output=output) + + client_context = module.params['client_context'] + if client_context: + if client_context not in config['contexts']: + module.fail_json(msg="Context %s not found in client config" % + client_context) + if not config['current-context'] or config['current-context'] != client_context: + client_opts.append("--context=%s" % client_context) + + client_user = module.params['client_user'] + if client_user: + if client_user not in config['users']: + module.fail_json(msg="User %s not found in client config" % + client_user) + if client_user != config['contexts'][client_context]['user']: + client_opts.append("--user=%s" % client_user) + + client_cluster = module.params['client_cluster'] + if client_cluster: + if client_cluster not in config['clusters']: + module.fail_json(msg="Cluster %s not found in client config" % + client_cluster) + if client_cluster != config['contexts'][client_context]['cluster']: + client_opts.append("--cluster=%s" % client_cluster) node_def = dict( - metadata = dict( - name = module.params['name'] - ), - kind = 'Node', - resources = dict( - capacity = dict() - ) + id = module.params['name'], + kind = 'Node', + apiVersion = 'v1beta1', + resources = dict( + capacity = dict() + ) ) for key, value in module.params.iteritems(): 
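Review bot: The sanity check after `json.loads(output)` uses `or`, so `Client config missing required values` only fires when `clusters`, `contexts`, `current-context` and `users` are all empty; a config missing just `users` passes and then fails later in the `client_user` branch with a less specific message. Since `current-context` is handled separately below, the intent reads as `if not (config['clusters'] and config['contexts'] and config['users']):`. In the `client_user` and `client_cluster` branches, `config['contexts'][client_context]` is indexed unconditionally, which raises `KeyError` instead of calling `fail_json` when `client_context` is passed as an empty string (the `if client_context:` guard skips the membership check in that case); requiring a non-empty context or repeating the `not in config['contexts']` check keeps the failure mode consistent. The `~/.kube/.kubeconfig` existence test and the `openshift ex config view` call without `--kubeconfig` both assume the tool's default config search uses that path — presumably true, but worth a comment. `main()` continues past the end of this hunk.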
@@ -110,41 +156,49 @@ def main(): for line in mem: entries = line.split() if str(entries.pop(0)) == 'MemTotal:': - mem_free_kb = int(entries.pop(0)) - mem_capacity = int(mem_free_kb * 1024 * .80) + mem_total_kb = int(entries.pop(0)) + mem_capacity = int(mem_total_kb * 1024 * .75) node_def['resources']['capacity']['memory'] = mem_capacity break try: - output = check_output("osc get nodes", shell=True, env=client_env, + output = check_output(["/usr/bin/osc", "get", "nodes"] + client_opts, stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: module.fail_json(msg="Failed to get node list", command=e.cmd, returncode=e.returncode, output=e.output) - if module.check_mode: - if re.search(module.params['name'], output, re.MULTILINE): - module.exit_json(changed=False, node_def=node_def) - else: - module.exit_json(changed=True, node_def=node_def) + if re.search(module.params['name'], output, re.MULTILINE): + module.exit_json(changed=False, node_def=node_def) + elif module.check_mode: + module.exit_json(changed=True, node_def=node_def) + + config_def = dict( + metadata = dict( + name = "add-node-%s" % module.params['name'] + ), + kind = 'Config', + apiVersion = 'v1beta1', + items = [node_def] + ) - p = Popen("osc create node -f -", shell=True, stdin=subprocess.PIPE, - stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True, - env=client_env) - (out, err) = p.communicate(module.jsonify(node_def)) + p = Popen(["/usr/bin/osc"] + client_opts + ["create", "node"] + ["-f", "-"], + stdin=subprocess.PIPE, stdout=subprocess.PIPE, + stderr=subprocess.PIPE, close_fds=True) + (out, err) = p.communicate(module.jsonify(config_def)) ret = p.returncode if ret != 0: if re.search("minion \"%s\" already exists" % module.params['name'], err): module.exit_json(changed=False, - msg="node definition already exists", node_def=node_def) + msg="node definition already exists", config_def=config_def) else: module.fail_json(msg="Node creation failed.", ret=ret, out=out, - err=err, 
node_def=node_def) + err=err, config_def=config_def) module.exit_json(changed=True, out=out, err=err, ret=ret, - node_def=node_def) + node_def=config_def) # import module snippets from ansible.module_utils.basic import * diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index de010bd0c..df2722a94 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -17,11 +17,6 @@ - local_action: file name={{ mktemp.stdout }} state=absent -- name: Configure firewall for OpenShift Node - include: "{{ role_path | dirname }}/openshift_common/tasks/firewall.yml" - allow: - - { service: OpenShift kubelet, port: 10250/tcp } - - name: Configure OpenShift Node settings lineinfile: dest: /etc/sysconfig/openshift-node @@ -62,6 +57,21 @@ service: name=openshift-node enabled=false when: openshift_node_manage_service_externally +# TODO: create an os_vars role that has generic env related config and move +# the root kubeconfig setting there, cannot use dependencies to force ordering +# with openshift_node and openshift_master because the way conditional +# dependencies work with current ansible would also exclude the +# openshift_common dependency. +- name: Create .kube directory + file: + path: /root/.kube + state: directory + mode: 0700 +- name: Configure root user kubeconfig + command: cp /var/lib/openshift/openshift.local.certificates/admin/.kubeconfig /root/.kube/.kubeconfig + args: + creates: /root/.kube/.kubeconfig + # TODO: expose openshift_register_node options to allow for overriding the # defaults. - name: Register node (if not already registered) diff --git a/roles/openshift_sdn_node/tasks/main.yml b/roles/openshift_sdn_node/tasks/main.yml index 71bba2f92..ff05a6972 100644 --- a/roles/openshift_sdn_node/tasks/main.yml +++ b/roles/openshift_sdn_node/tasks/main.yml 
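Review bot: `re.search(module.params['name'], output, re.MULTILINE)` treats the node name as a regular expression and as a substring of the `osc get nodes` output, so a name containing `.` matches more broadly than intended and `node1` is found when only `node10` is registered, after which the module exits with `changed=False` and never creates the node. Escaping and bounding the name, `re.search(r'\b%s\b' % re.escape(module.params['name']), output, re.MULTILINE)`, and applying the same `re.escape` in the `minion \"%s\" already exists` check, would make the existence test reflect the actual name. The final `exit_json` still reports `node_def=config_def` while the other exit paths in this hunk were changed to `config_def=config_def`; this looks like a leftover and will confuse callers reading the result. The `.75` factor replaces `.80` without explanation; a comment such as `# advertise 75% of MemTotal as node memory capacity` would record the rationale.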
@@ -14,7 +14,7 @@ backrefs: yes with_items: - regex: '^(OPTIONS=)' - line: '\1"-v={{ openshift_sdn_node_debug_level }} -hostname={{ openshift_bind_ip if openshift_hostname_workaround else ansible_fqdn }}"' + line: '\1"-v={{ openshift_sdn_node_debug_level }} -hostname={{ openshift_hostname }}"' - regex: '^(MASTER_URL=)' line: '\1"http://{{ openshift_master_ips | first }}:4001"' - regex: '^(MINION_IP=)' @@ -25,12 +25,12 @@ line: '\1"--insecure-registry=0.0.0.0/0 -b=lbr0 --mtu=1450 --selinux-enabled"' notify: restart openshift-sdn-node -- name: Set openshift-sdn-master facts +- name: Set openshift-sdn-node facts include: "{{ role_path | dirname }}/openshift_common/tasks/set_facts.yml" facts: - - section: sdn-master + - section: sdn-node option: debug_level - value: "{{ openshift_sdn_master_debug_level }}" + value: "{{ openshift_sdn_node_debug_level }}" # fixme: Once the openshift_cluster playbook is published state should be started # Always bounce service to pick up new credentials diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml index f6d5fe2eb..469cfab6f 100644 --- a/roles/os_firewall/tasks/firewall/firewalld.yml +++ b/roles/os_firewall/tasks/firewall/firewalld.yml @@ -4,6 +4,22 @@ name: firewalld state: present +- name: Check if iptables-services is installed + command: rpm -q iptables-services + register: pkg_check + failed_when: pkg_check.rc > 1 + changed_when: no + +- name: Ensure iptables services are not enabled + service: + name: "{{ item }}" + state: stopped + enabled: no + with_items: + - iptables + - ip6tables + when: pkg_check.rc == 0 + - name: Start and enable firewalld service service: name: firewalld 
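Review bot: `Ensure iptables services are not enabled` stops iptables/ip6tables before `Start and enable firewalld service` runs, so on a host converting from iptables-services there is a window with no packet filtering until firewalld is up and has applied its zones (the iptables init script flushes rules on stop, as far as I recall — worth confirming for this platform). `roles/os_firewall/tasks/firewall/iptables.yml` in this commit has the mirror-image ordering, stopping firewalld before the iptables services are started. Starting the replacement backend first and stopping the other afterwards (or relying on firewalld.service's `Conflicts=`, which should also be confirmed) would narrow the window; at minimum a comment on the task noting the gap would help. The `rpm -q` probe with `failed_when: pkg_check.rc > 1` is reasonable; a comment such as `# rc 1 means not installed, anything higher is an rpm error` would explain the threshold.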
@@ -15,23 +31,14 @@ pause: seconds=10 when: result | changed -- name: Ensure iptables services are not enabled - service: - name: "{{ item }}" - state: stopped - enabled: no - with_items: - - iptables - - ip6tables - - name: Mask iptables services command: systemctl mask "{{ item }}" register: result - failed_when: result.rc != 0 - changed_when: False + changed_when: "'iptables' in result.stdout" with_items: - iptables - ip6tables + when: pkg_check.rc == 0 # TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for # enabling rules and making them permanent with the immediate flag @@ -40,29 +47,29 @@ port: "{{ item.port }}" permanent: false state: enabled - with_items: allow - when: allow is defined + with_items: os_firewall_allow + when: os_firewall_allow is defined - name: Persist firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: enabled - with_items: allow - when: allow is defined + with_items: os_firewall_allow + when: os_firewall_allow is defined - name: Remove firewalld allow rules firewalld: port: "{{ item.port }}" permanent: false state: disabled - with_items: deny - when: deny is defined + with_items: os_firewall_deny + when: os_firewall_deny is defined - name: Persist removal of firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: disabled - with_items: deny - when: deny is defined + with_items: os_firewall_deny + when: os_firewall_deny is defined diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 4f051c2bd..87e77c083 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml 
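Review bot: `changed_when: "'iptables' in result.stdout"` on `Mask iptables services` depends on where `systemctl mask` prints its symlink message; on some systemd releases that message goes to stderr, and when the unit is already masked nothing is printed at all, so the task may report unchanged after actually creating the symlink or behave inconsistently across hosts. Checking both streams, `changed_when: "'iptables' in result.stdout or 'iptables' in result.stderr"`, or comparing `systemctl is-enabled` output before and after, would be more robust. The same pattern is used for `Mask firewalld service` in `roles/os_firewall/tasks/firewall/iptables.yml` in this commit. Dropping `failed_when: result.rc != 0` is fine because the `command` module already fails on a non-zero return code; a short comment saying so would keep someone from re-adding it.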
@@ -7,9 +7,22 @@ - iptables - iptables-services +- name: Check if firewalld is installed + command: rpm -q firewalld + register: pkg_check + failed_when: pkg_check.rc > 1 + changed_when: no + +- name: Ensure firewalld service is not enabled + service: + name: firewalld + state: stopped + enabled: no + when: pkg_check.rc == 0 + - name: Start and enable iptables services service: - name: "{{ os_firewall_svc }}" + name: "{{ item }}" state: started enabled: yes with_items: @@ -21,18 +34,12 @@ pause: seconds=10 when: result | changed -- name: Ensure firewalld service is not enabled - service: - name: firewalld - state: stopped - enabled: no - +# TODO: submit PR upstream to add mask/unmask to service module - name: Mask firewalld service command: systemctl mask firewalld register: result - failed_when: result.rc != 0 - changed_when: False - ignore_errors: yes + changed_when: "'firewalld' in result.stdout" + when: pkg_check.rc == 0 - name: Add iptables allow rules os_firewall_manage_iptables: @@ -40,8 +47,8 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: allow - when: allow is defined + with_items: os_firewall_allow + when: os_firewall_allow is defined - name: Remove iptables rules os_firewall_manage_iptables: @@ -49,5 +56,5 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: deny - when: deny is defined + with_items: os_firewall_deny + when: os_firewall_deny is defined |