diff options
Diffstat (limited to 'roles')
71 files changed, 1401 insertions, 123 deletions
diff --git a/roles/docker/tasks/udev_workaround.yml b/roles/docker/tasks/udev_workaround.yml index 3c236f698..aa7af0cb3 100644 --- a/roles/docker/tasks/udev_workaround.yml +++ b/roles/docker/tasks/udev_workaround.yml @@ -14,7 +14,7 @@ copy: content: | [Service] - #Need blank ExecStart to "clear" pre-exising one + #Need blank ExecStart to "clear" pre-existing one ExecStart= {{ udevw_udev_start_cmd.stdout }} --event-timeout=300 dest: "{{ udevw_udevd_dir }}/override.conf" diff --git a/roles/etcd_common/library/delegated_serial_command.py b/roles/etcd_common/library/delegated_serial_command.py index 3969edfdd..84d4f97c2 100755 --- a/roles/etcd_common/library/delegated_serial_command.py +++ b/roles/etcd_common/library/delegated_serial_command.py @@ -270,6 +270,5 @@ def main(): # import module snippets from ansible.module_utils.basic import * -from ansible.module_utils.splitter import * main() diff --git a/roles/kube_nfs_volumes/library/partitionpool.py b/roles/kube_nfs_volumes/library/partitionpool.py index 1ac8eed4d..9bd3228c1 100644 --- a/roles/kube_nfs_volumes/library/partitionpool.py +++ b/roles/kube_nfs_volumes/library/partitionpool.py @@ -60,7 +60,7 @@ options: - Example 3: size=200G:1,100G:2 says that the ratio of space occupied by 200 GiB partitions and 100GiB partition is 1:2. Therefore, on 1 TiB disk, 1/3 (300 GiB) should be occupied by 200 GiB partitions. Only one fits there, - so only one is created (we always round nr. of partitions *down*). Teh rest + so only one is created (we always round nr. of partitions *down*). The rest (800 GiB) is split into eight 100 GiB partitions, even though it's more than 2/3 of total space - free space is always allocated as much as possible. - size=200G:1,100G:2 = 1x 200 GiB and 8x 100 GiB partitions (on 1 TiB disk). diff --git a/roles/kube_nfs_volumes/tasks/main.yml b/roles/kube_nfs_volumes/tasks/main.yml index 5432a5e2f..5eff30f6f 100644 --- a/roles/kube_nfs_volumes/tasks/main.yml +++ b/roles/kube_nfs_volumes/tasks/main.yml @@ -12,11 +12,11 @@ - name: create filesystem filesystem: fstype=ext4 dev=/dev/{{ item.name }} - with_items: partition_pool + with_items: "{{ partition_pool }}" - name: mount mount: name={{mount_dir}}/{{ item.name }} src=/dev/{{ item.name }} state=mounted fstype=ext4 passno=2 - with_items: partition_pool + with_items: "{{ partition_pool }}" - include: nfs.yml @@ -28,4 +28,4 @@ body_format: json status_code: 201 HEADER_Authorization: "Bearer {{ kubernetes_token }}" - with_items: partition_pool + with_items: "{{ partition_pool }}" diff --git a/roles/kube_nfs_volumes/tasks/nfs.yml b/roles/kube_nfs_volumes/tasks/nfs.yml index 9a68ceb8d..474ec69e5 100644 --- a/roles/kube_nfs_volumes/tasks/nfs.yml +++ b/roles/kube_nfs_volumes/tasks/nfs.yml @@ -13,5 +13,5 @@ lineinfile: dest=/etc/exports regexp="^{{ mount_dir }}/{{ item.name }} " line="{{ mount_dir }}/{{ item.name }} {{nfs_export_options}}" - with_items: partition_pool + with_items: "{{ partition_pool }}" notify: restart nfs diff --git a/roles/nickhammond.logrotate/tasks/main.yml b/roles/nickhammond.logrotate/tasks/main.yml index e2c51a903..1979c851f 100644 --- a/roles/nickhammond.logrotate/tasks/main.yml +++ b/roles/nickhammond.logrotate/tasks/main.yml @@ -7,5 +7,5 @@ template: src: logrotate.d.j2 dest: /etc/logrotate.d/{{ item.name }} - with_items: logrotate_scripts + with_items: "{{ logrotate_scripts | default([]) }}" when: logrotate_scripts is defined diff --git a/roles/nuage_common/defaults/main.yaml b/roles/nuage_common/defaults/main.yaml index 9b777213e..16dac8720 100644 --- a/roles/nuage_common/defaults/main.yaml +++ b/roles/nuage_common/defaults/main.yaml @@ -10,4 +10,4 @@ nuage_master_mon_dir: /usr/share/nuage-openshift-monitor nuage_node_plugin_dir: /usr/share/vsp-openshift nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}" - +nuage_mon_cert_validity_period: "{{ nuage_cert_validity_period | default('3650') }}" diff --git a/roles/nuage_master/tasks/certificates.yml b/roles/nuage_master/tasks/certificates.yml index 32b024487..0a2f375cd 100644 --- a/roles/nuage_master/tasks/certificates.yml +++ b/roles/nuage_master/tasks/certificates.yml @@ -15,7 +15,7 @@ - name: Generate the crt file command: > - openssl x509 -req -in "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}" -out "{{ nuage_ca_master_rest_server_crt }}" + openssl x509 -req -in "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}" -out "{{ nuage_ca_master_rest_server_crt }}" -days "{{ nuage_mon_cert_validity_period }}" delegate_to: "{{ nuage_ca_master }}" - name: Remove the req file diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml index 5b4af5824..2b3ae0454 100644 --- a/roles/nuage_master/tasks/serviceaccount.yml +++ b/roles/nuage_master/tasks/serviceaccount.yml @@ -16,7 +16,7 @@ shell: > echo {{ nuage_service_account_config | to_json | quote }} | {{ openshift.common.client_binary }} create - -n default + -n default --config={{nuage_tmp_conf}} -f - register: osnuage_create_service_account @@ -25,7 +25,7 @@ - name: Configure role/user permissions command: > - {{ openshift.common.admin_binary }} {{item}} + {{ openshift.common.client_binary }} adm {{item}} --config={{nuage_tmp_conf}} with_items: "{{nuage_tasks}}" register: osnuage_perm_task @@ -34,7 +34,7 @@ - name: Generate the node client config command: > - {{ openshift.common.admin_binary }} create-api-client-config + {{ openshift.common.client_binary }} adm create-api-client-config --certificate-authority={{ openshift_master_ca_cert }} --client-dir={{ cert_output_dir }} --master={{ openshift.master.api_url }} diff --git a/roles/nuage_master/templates/nuage-openshift-monitor.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2 index 63117adc0..de2a97e37 100644 --- a/roles/nuage_master/templates/nuage-openshift-monitor.j2 +++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2 @@ -23,7 +23,7 @@ enterpriseAdminUser: {{ nuage_master_adminusername }} enterpriseAdminPassword: {{ nuage_master_adminuserpasswd }} # Location where logs should be saved log_dir: {{ nuage_mon_rest_server_logdir }} -# Monitor rest server paramters +# Monitor rest server parameters # Logging level for the nuage openshift monitor # allowed options are: 0 => INFO, 1 => WARNING, 2 => ERROR, 3 => FATAL logLevel: {{ nuage_mon_log_level }} diff --git a/roles/nuage_node/tasks/certificates.yml b/roles/nuage_node/tasks/certificates.yml index 0fe6f7bac..7fcd4274d 100644 --- a/roles/nuage_node/tasks/certificates.yml +++ b/roles/nuage_node/tasks/certificates.yml @@ -15,7 +15,7 @@ - name: Generate the crt file command: > - openssl x509 -req -in "{{ nuage_plugin_rest_client_crt_dir }}/restClient.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}" -out "{{ nuage_ca_master_plugin_crt }}" -extensions clientauth -extfile "{{ nuage_ca_dir }}"/openssl.cnf + openssl x509 -req -in "{{ nuage_plugin_rest_client_crt_dir }}/restClient.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}" -out "{{ nuage_ca_master_plugin_crt }}" -extensions clientauth -extfile "{{ nuage_ca_dir }}"/openssl.cnf -days {{ nuage_mon_cert_validity_period }} delegate_to: "{{ nuage_ca_master }}" - name: Remove the req file diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index bb89b65a6..b6d403067 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -80,7 +80,7 @@ - name: Create the master certificates if they do not already exist command: > - {{ openshift.common.admin_binary }} create-master-certs + {{ openshift.common.client_binary }} adm create-master-certs {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md new file mode 100644 index 000000000..d44438332 --- /dev/null +++ b/roles/openshift_certificate_expiry/README.md @@ -0,0 +1,250 @@ +OpenShift Certificate Expiration Checker +======================================== + +OpenShift certificate expiration checking. Be warned of certificates +expiring within a configurable window of days, and notified of +certificates which have already expired. Certificates examined +include: + +* Master/Node Service Certificates +* Router/Registry Service Certificates from etcd secrets +* Master/Node/Router/Registry/Admin `kubeconfig`s +* Etcd certificates + +This role pairs well with the redeploy certificates playbook: + +* [Redeploying Certificates Documentation](https://docs.openshift.com/container-platform/latest/install_config/redeploying_certificates.html) + +Just like the redeploying certificates playbook, this role is intended +to be used with an inventory that is representative of the +cluster. For best results run `ansible-playbook` with the `-v` option. + + + +Role Variables +-------------- + +Core variables in this role: + +| Name | Default value | Description | +|-------------------------------------------------------|--------------------------------|-----------------------------------------------------------------------| +| `openshift_certificate_expiry_config_base` | `/etc/origin` | Base openshift config directory | +| `openshift_certificate_expiry_warning_days` | `30` | Flag certificates which will expire in this many days from now | +| `openshift_certificate_expiry_show_all` | `no` | Include healthy (non-expired and non-warning) certificates in results | + +Optional report/result saving variables in this role: + +| Name | Default value | Description | +|-------------------------------------------------------|--------------------------------|-----------------------------------------------------------------------| +| `openshift_certificate_expiry_generate_html_report` | `no` | Generate an HTML report of the expiry check results | +| `openshift_certificate_expiry_html_report_path` | `/tmp/cert-expiry-report.html` | The full path to save the HTML report as | +| `openshift_certificate_expiry_save_json_results` | `no` | Save expiry check results as a json file | +| `openshift_certificate_expiry_json_results_path` | `/tmp/cert-expiry-report.json` | The full path to save the json report as | + + +Example Playbook +---------------- + +Default behavior: + +```yaml +--- +- name: Check cert expirys + hosts: nodes:masters:etcd + become: yes + gather_facts: no + roles: + - role: openshift_certificate_expiry +``` + +Generate HTML and JSON artifacts in their default paths: + +```yaml +--- +- name: Check cert expirys + hosts: nodes:masters:etcd + become: yes + gather_facts: no + vars: + openshift_certificate_expiry_generate_html_report: yes + openshift_certificate_expiry_save_json_results: yes + roles: + - role: openshift_certificate_expiry +``` + +Change the expiration warning window to 1500 days (good for testing +the module out): + +```yaml +--- +- name: Check cert expirys + hosts: nodes:masters:etcd + become: yes + gather_facts: no + vars: + openshift_certificate_expiry_warning_days: 1500 + roles: + - role: openshift_certificate_expiry +``` + +Change the expiration warning window to 1500 days (good for testing +the module out) and save the results as a JSON file: + +```yaml +--- +- name: Check cert expirys + hosts: nodes:masters:etcd + become: yes + gather_facts: no + vars: + openshift_certificate_expiry_warning_days: 1500 + openshift_certificate_expiry_save_json_results: yes + roles: + - role: openshift_certificate_expiry +``` + + +JSON Output +----------- + +There are two top-level keys in the saved JSON results, `data` and +`summary`. + +The `data` key is a hash where the keys are the names of each host +examined and the values are the check results for each respective +host. + +The `summary` key is a hash that summarizes the number of certificates +expiring within the configured warning window and the number of +already expired certificates. + +The example below is abbreviated to save space: + +```json +{ + "data": { + "192.168.124.148": { + "etcd": [ + { + "cert_cn": "CN:etcd-signer@1474563722", + "days_remaining": 350, + "expiry": "2017-09-22 17:02:25", + "health": "warning", + "path": "/etc/etcd/ca.crt" + }, + ], + "kubeconfigs": [ + { + "cert_cn": "O:system:nodes, CN:system:node:m01.example.com", + "days_remaining": 715, + "expiry": "2018-09-22 17:08:57", + "health": "warning", + "path": "/etc/origin/node/system:node:m01.example.com.kubeconfig" + }, + { + "cert_cn": "O:system:cluster-admins, CN:system:admin", + "days_remaining": 715, + "expiry": "2018-09-22 17:04:40", + "health": "warning", + "path": "/etc/origin/master/admin.kubeconfig" + } + ], + "meta": { + "checked_at_time": "2016-10-07 15:26:47.608192", + "show_all": "True", + "warn_before_date": "2020-11-15 15:26:47.608192", + "warning_days": 1500 + }, + "ocp_certs": [ + { + "cert_cn": "CN:172.30.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:m01.example.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, DNS:192.168.124.148, IP Address:172.30.0.1, IP Address:192.168.124.148", + "days_remaining": 715, + "expiry": "2018-09-22 17:04:39", + "health": "warning", + "path": "/etc/origin/master/master.server.crt" + }, + { + "cert_cn": "CN:openshift-signer@1474563878", + "days_remaining": 1810, + "expiry": "2021-09-21 17:04:38", + "health": "ok", + "path": "/etc/origin/node/ca.crt" + } + ], + "registry": [ + { + "cert_cn": "CN:172.30.101.81, DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.101.81, IP Address:172.30.101.81", + "days_remaining": 728, + "expiry": "2018-10-05 18:54:29", + "health": "warning", + "path": "/api/v1/namespaces/default/secrets/registry-certificates" + } + ], + "router": [ + { + "cert_cn": "CN:router.default.svc, DNS:router.default.svc, DNS:router.default.svc.cluster.local", + "days_remaining": 715, + "expiry": "2018-09-22 17:48:23", + "health": "warning", + "path": "/api/v1/namespaces/default/secrets/router-certs" + } + ] + } + }, + "summary": { + "warning": 6, + "expired": 0 + } +} +``` + +The `summary` from the json data can be easily checked for +warnings/expirations using a variety of command-line tools. + +For exampe, using `grep` we can look for the word `summary` and print +out the 2 lines **after** the match (`-A2`): + +``` +$ grep -A2 summary /tmp/cert-expiry-report.json + "summary": { + "warning": 16, + "expired": 0 +``` + +If available, the [jq](https://stedolan.github.io/jq/) tool can also +be used to pick out specific values. Example 1 and 2 below show how to +select just one value, either `warning` or `expired`. Example 3 shows +how to select both values at once: + +``` +$ jq '.summary.warning' /tmp/cert-expiry-report.json +16 +$ jq '.summary.expired' /tmp/cert-expiry-report.json +0 +$ jq '.summary.warning,.summary.expired' /tmp/cert-expiry-report.json +16 +0 +``` + + +Requirements +------------ + +* None + + +Dependencies +------------ + +* None + + +License +------- + +Apache License, Version 2.0 + +Author Information +------------------ + +Tim Bielawa (tbielawa@redhat.com) diff --git a/roles/openshift_certificate_expiry/defaults/main.yml b/roles/openshift_certificate_expiry/defaults/main.yml new file mode 100644 index 000000000..6d7b19298 --- /dev/null +++ b/roles/openshift_certificate_expiry/defaults/main.yml @@ -0,0 +1,8 @@ +--- +openshift_certificate_expiry_config_base: "/etc/origin" +openshift_certificate_expiry_warning_days: 30 +openshift_certificate_expiry_show_all: no +openshift_certificate_expiry_generate_html_report: no +openshift_certificate_expiry_html_report_path: "/tmp/cert-expiry-report.html" +openshift_certificate_expiry_save_json_results: no +openshift_certificate_expiry_json_results_path: "/tmp/cert-expiry-report.json" diff --git a/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py new file mode 100644 index 000000000..2e2430ee6 --- /dev/null +++ b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py @@ -0,0 +1,88 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# vim: expandtab:tabstop=4:shiftwidth=4 +""" +Custom filters for use in openshift-ansible +""" + +from ansible import errors +from collections import Mapping +from distutils.util import strtobool +from distutils.version import LooseVersion +from operator import itemgetter +import OpenSSL.crypto +import os +import pdb +import pkg_resources +import re +import json +import yaml +from ansible.parsing.yaml.dumper import AnsibleDumper +from urlparse import urlparse + +try: + # ansible-2.2 + # ansible.utils.unicode.to_unicode is deprecated in ansible-2.2, + # ansible.module_utils._text.to_text should be used instead. + from ansible.module_utils._text import to_text +except ImportError: + # ansible-2.1 + from ansible.utils.unicode import to_unicode as to_text + +# Disabling too-many-public-methods, since filter methods are necessarily +# public +# pylint: disable=too-many-public-methods +class FilterModule(object): + """ Custom ansible filters """ + + @staticmethod + def oo_cert_expiry_results_to_json(hostvars, play_hosts): + """Takes results (`hostvars`) from the openshift_cert_expiry role +check and serializes them into proper machine-readable JSON +output. This filter parameter **MUST** be the playbook `hostvars` +variable. The `play_hosts` parameter is so we know what to loop over +when we're extrating the values. + +Returns: + +Results are collected into two top-level keys under the `json_results` +dict: + +* `json_results.data` [dict] - Each individual host check result, keys are hostnames +* `json_results.summary` [dict] - Summary of number of `warning` and `expired` +certificates + +Example playbook usage: + + - name: Generate expiration results JSON + become: no + run_once: yes + delegate_to: localhost + when: "{{ openshift_certificate_expiry_save_json_results|bool }}" + copy: + content: "{{ hostvars|oo_cert_expiry_results_to_json() }}" + dest: "{{ openshift_certificate_expiry_json_results_path }}" + + """ + json_result = { + 'data': {}, + 'summary': {}, + } + + for host in play_hosts: + json_result['data'][host] = hostvars[host]['check_results']['check_results'] + + total_warnings = sum([hostvars[h]['check_results']['summary']['warning'] for h in play_hosts]) + total_expired = sum([hostvars[h]['check_results']['summary']['expired'] for h in play_hosts]) + + json_result['summary']['warning'] = total_warnings + json_result['summary']['expired'] = total_expired + + return json_result + + + def filters(self): + """ returns a mapping of filters to methods """ + return { + "oo_cert_expiry_results_to_json": self.oo_cert_expiry_results_to_json, + } diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py new file mode 100644 index 000000000..2cdb87dc1 --- /dev/null +++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py @@ -0,0 +1,637 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# pylint: disable=line-too-long,invalid-name + +"""For details on this module see DOCUMENTATION (below)""" + +# router/registry cert grabbing +import subprocess +# etcd config file +import ConfigParser +# Expiration parsing +import datetime +# File path stuff +import os +# Config file parsing +import yaml +# Certificate loading +import OpenSSL.crypto + +DOCUMENTATION = ''' +--- +module: openshift_cert_expiry +short_description: Check OpenShift Container Platform (OCP) and Kube certificate expirations on a cluster +description: + - The M(openshift_cert_expiry) module has two basic functions: to flag certificates which will expire in a set window of time from now, and to notify you about certificates which have already expired. + - When the module finishes, a summary of the examination is returned. Each certificate in the summary has a C(health) key with a value of one of the following: + - C(ok) - not expired, and outside of the expiration C(warning_days) window. + - C(warning) - not expired, but will expire between now and the C(warning_days) window. + - C(expired) - an expired certificate. + - Certificate flagging follow this logic: + - If the expiration date is before now then the certificate is classified as C(expired). + - The certificates time to live (expiration date - now) is calculated, if that time window is less than C(warning_days) the certificate is classified as C(warning). + - All other conditions are classified as C(ok). + - The following keys are ALSO present in the certificate summary: + - C(cert_cn) - The common name of the certificate (additional CNs present in SAN extensions are omitted) + - C(days_remaining) - The number of days until the certificate expires. + - C(expiry) - The date the certificate expires on. + - C(path) - The full path to the certificate on the examined host. +version_added: "1.0" +options: + config_base: + description: + - Base path to OCP system settings. + required: false + default: /etc/origin + warning_days: + description: + - Flag certificates which will expire in C(warning_days) days from now. + required: false + default: 30 + show_all: + description: + - Enable this option to show analysis of ALL certificates examined by this module. + - By default only certificates which have expired, or will expire within the C(warning_days) window will be reported. + required: false + default: false + +author: "Tim Bielawa (@tbielawa) <tbielawa@redhat.com>" +''' + +EXAMPLES = ''' +# Default invocation, only notify about expired certificates or certificates which will expire within 30 days from now +- openshift_cert_expiry: + +# Expand the warning window to show certificates expiring within a year from now +- openshift_cert_expiry: warning_days=365 + +# Show expired, soon to expire (now + 30 days), and all other certificates examined +- openshift_cert_expiry: show_all=true +''' + + +# We only need this for one thing, we don't care if it doesn't have +# that many public methods +# +# pylint: disable=too-few-public-methods +class FakeSecHead(object): + """etcd does not begin their config file with an opening [section] as +required by the Python ConfigParser module. We hack around it by +slipping one in ourselves prior to parsing. + +Source: Alex Martelli - http://stackoverflow.com/a/2819788/6490583 + """ + def __init__(self, fp): + self.fp = fp + self.sechead = '[ETCD]\n' + + def readline(self): + """Make this look like a file-type object""" + if self.sechead: + try: + return self.sechead + finally: + self.sechead = None + else: + return self.fp.readline() + + +###################################################################### +def filter_paths(path_list): + """`path_list` - A list of file paths to check. Only files which exist +will be returned + """ + return [p for p in path_list if os.path.exists(os.path.realpath(p))] + + +def load_and_handle_cert(cert_string, now, base64decode=False): + """Load a certificate, split off the good parts, and return some +useful data + +Params: + +- `cert_string` (string) - a certificate loaded into a string object +- `now` (datetime) - a datetime object of the time to calculate the certificate 'time_remaining' against +- `base64decode` (bool) - run .decode('base64') on the input? + +Returns: +A 3-tuple of the form: (certificate_common_name, certificate_expiry_date, certificate_time_remaining) + + """ + if base64decode: + _cert_string = cert_string.decode('base-64') + else: + _cert_string = cert_string + + cert_loaded = OpenSSL.crypto.load_certificate( + OpenSSL.crypto.FILETYPE_PEM, _cert_string) + + ###################################################################### + # Read all possible names from the cert + cert_subjects = [] + for name, value in cert_loaded.get_subject().get_components(): + cert_subjects.append('{}:{}'.format(name, value)) + + # To read SANs from a cert we must read the subjectAltName + # extension from the X509 Object. What makes this more difficult + # is that pyOpenSSL does not give extensions as a list, nor does + # it provide a count of all loaded extensions. + # + # Rather, extensions are REQUESTED by index. We must iterate over + # all extensions until we find the one called 'subjectAltName'. If + # we don't find that extension we'll eventually request an + # extension at an index where no extension exists (IndexError is + # raised). When that happens we know that the cert has no SANs so + # we break out of the loop. + i = 0 + checked_all_extensions = False + while not checked_all_extensions: + try: + # Read the extension at index 'i' + ext = cert_loaded.get_extension(i) + except IndexError: + # We tried to read an extension but it isn't there, that + # means we ran out of extensions to check. Abort + san = None + checked_all_extensions = True + else: + # We were able to load the extension at index 'i' + if ext.get_short_name() == 'subjectAltName': + san = ext + checked_all_extensions = True + else: + # Try reading the next extension + i += 1 + + if san is not None: + # The X509Extension object for subjectAltName prints as a + # string with the alt names separated by a comma and a + # space. Split the string by ', ' and then add our new names + # to the list of existing names + cert_subjects.extend(str(san).split(', ')) + + cert_subject = ', '.join(cert_subjects) + ###################################################################### + + # Grab the expiration date + cert_expiry = cert_loaded.get_notAfter() + cert_expiry_date = datetime.datetime.strptime( + cert_expiry, + # example get_notAfter() => 20180922170439Z + '%Y%m%d%H%M%SZ') + + time_remaining = cert_expiry_date - now + + return (cert_subject, cert_expiry_date, time_remaining) + + +def classify_cert(cert_meta, now, time_remaining, expire_window, cert_list): + """Given metadata about a certificate under examination, classify it + into one of three categories, 'ok', 'warning', and 'expired'. + +Params: + +- `cert_meta` dict - A dict with certificate metadata. Required fields + include: 'cert_cn', 'path', 'expiry', 'days_remaining', 'health'. +- `now` (datetime) - a datetime object of the time to calculate the certificate 'time_remaining' against +- `time_remaining` (datetime.timedelta) - a timedelta for how long until the cert expires +- `expire_window` (datetime.timedelta) - a timedelta for how long the warning window is +- `cert_list` list - A list to shove the classified cert into + +Return: +- `cert_list` - The updated list of classified certificates + """ + expiry_str = str(cert_meta['expiry']) + # Categorization + if cert_meta['expiry'] < now: + # This already expired, must NOTIFY + cert_meta['health'] = 'expired' + elif time_remaining < expire_window: + # WARN about this upcoming expirations + cert_meta['health'] = 'warning' + else: + # Not expired or about to expire + cert_meta['health'] = 'ok' + + cert_meta['expiry'] = expiry_str + cert_list.append(cert_meta) + return cert_list + + +def tabulate_summary(certificates, kubeconfigs, etcd_certs, router_certs, registry_certs): + """Calculate the summary text for when the module finishes +running. This includes counts of each classification and what have +you. + +Params: + +- `certificates` (list of dicts) - Processed `expire_check_result` + dicts with filled in `health` keys for system certificates. +- `kubeconfigs` - as above for kubeconfigs +- `etcd_certs` - as above for etcd certs + +Return: + +- `summary_results` (dict) - Counts of each cert type classification + and total items examined. + """ + items = certificates + kubeconfigs + etcd_certs + router_certs + registry_certs + + summary_results = { + 'system_certificates': len(certificates), + 'kubeconfig_certificates': len(kubeconfigs), + 'etcd_certificates': len(etcd_certs), + 'router_certs': len(router_certs), + 'registry_certs': len(registry_certs), + 'total': len(items), + 'ok': 0, + 'warning': 0, + 'expired': 0 + } + + summary_results['expired'] = len([c for c in items if c['health'] == 'expired']) + summary_results['warning'] = len([c for c in items if c['health'] == 'warning']) + summary_results['ok'] = len([c for c in items if c['health'] == 'ok']) + + return summary_results + + +###################################################################### +# This is our module MAIN function after all, so there's bound to be a +# lot of code bundled up into one block +# +# pylint: disable=too-many-locals,too-many-locals,too-many-statements,too-many-branches +def main(): + """This module examines certificates (in various forms) which compose +an OpenShift Container Platform cluster + """ + + module = AnsibleModule( + argument_spec=dict( + config_base=dict( + required=False, + default="/etc/origin", + type='str'), + warning_days=dict( + required=False, + default=30, + type='int'), + show_all=dict( + required=False, + default=False, + type='bool') + ), + supports_check_mode=True, + ) + + # Basic scaffolding for OpenShift specific certs + openshift_base_config_path = module.params['config_base'] + openshift_master_config_path = os.path.normpath( + os.path.join(openshift_base_config_path, "master/master-config.yaml") + ) + openshift_node_config_path = os.path.normpath( + os.path.join(openshift_base_config_path, "node/node-config.yaml") + ) + openshift_cert_check_paths = [ + openshift_master_config_path, + openshift_node_config_path, + ] + + # Paths for Kubeconfigs. Additional kubeconfigs are conditionally + # checked later in the code + master_kube_configs = ['admin', 'openshift-master', + 'openshift-node', 'openshift-router', + 'openshift-registry'] + + kubeconfig_paths = [] + for m_kube_config in master_kube_configs: + kubeconfig_paths.append( + os.path.normpath( + os.path.join(openshift_base_config_path, "master/%s.kubeconfig" % m_kube_config) + ) + ) + + # Validate some paths we have the ability to do ahead of time + openshift_cert_check_paths = filter_paths(openshift_cert_check_paths) + kubeconfig_paths = filter_paths(kubeconfig_paths) + + # etcd, where do you hide your certs? Used when parsing etcd.conf + etcd_cert_params = [ + "ETCD_CA_FILE", + "ETCD_CERT_FILE", + "ETCD_PEER_CA_FILE", + "ETCD_PEER_CERT_FILE", + ] + + # Expiry checking stuff + now = datetime.datetime.now() + # todo, catch exception for invalid input and return a fail_json + warning_days = int(module.params['warning_days']) + expire_window = datetime.timedelta(days=warning_days) + + # Module stuff + # + # The results of our cert checking to return from the task call + check_results = {} + check_results['meta'] = {} + check_results['meta']['warning_days'] = warning_days + check_results['meta']['checked_at_time'] = str(now) + check_results['meta']['warn_before_date'] = str(now + expire_window) + check_results['meta']['show_all'] = str(module.params['show_all']) + # All the analyzed certs accumulate here + ocp_certs = [] + + ###################################################################### + # Sure, why not? Let's enable check mode. + if module.check_mode: + check_results['ocp_certs'] = [] + module.exit_json( + check_results=check_results, + msg="Checked 0 total certificates. Expired/Warning/OK: 0/0/0. Warning window: %s days" % module.params['warning_days'], + rc=0, + changed=False + ) + + ###################################################################### + # Check for OpenShift Container Platform specific certs + ###################################################################### + for os_cert in filter_paths(openshift_cert_check_paths): + # Open up that config file and locate the cert and CA + with open(os_cert, 'r') as fp: + cert_meta = {} + cfg = yaml.load(fp) + # cert files are specified in parsed `fp` as relative to the path + # of the original config file. 'master-config.yaml' with certFile + # = 'foo.crt' implies that 'foo.crt' is in the same + # directory. certFile = '../foo.crt' is in the parent directory. + cfg_path = os.path.dirname(fp.name) + cert_meta['certFile'] = os.path.join(cfg_path, cfg['servingInfo']['certFile']) + cert_meta['clientCA'] = os.path.join(cfg_path, cfg['servingInfo']['clientCA']) + + ###################################################################### + # Load the certificate and the CA, parse their expiration dates into + # datetime objects so we can manipulate them later + for _, v in cert_meta.iteritems(): + with open(v, 'r') as fp: + cert = fp.read() + cert_subject, cert_expiry_date, time_remaining = load_and_handle_cert(cert, now) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': fp.name, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, ocp_certs) + + ###################################################################### + # /Check for OpenShift Container Platform specific certs + ###################################################################### + + ###################################################################### + # Check service Kubeconfigs + ###################################################################### + kubeconfigs = [] + + # There may be additional kubeconfigs to check, but their naming + # is less predictable than the ones we've already assembled. + + try: + # Try to read the standard 'node-config.yaml' file to check if + # this host is a node. + with open(openshift_node_config_path, 'r') as fp: + cfg = yaml.load(fp) + + # OK, the config file exists, therefore this is a + # node. Nodes have their own kubeconfig files to + # communicate with the master API. Let's read the relative + # path to that file from the node config. + node_masterKubeConfig = cfg['masterKubeConfig'] + # As before, the path to the 'masterKubeConfig' file is + # relative to `fp` + cfg_path = os.path.dirname(fp.name) + node_kubeconfig = os.path.join(cfg_path, node_masterKubeConfig) + + with open(node_kubeconfig, 'r') as fp: + # Read in the nodes kubeconfig file and grab the good stuff + cfg = yaml.load(fp) + + c = cfg['users'][0]['user']['client-certificate-data'] + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(c, now, base64decode=True) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': fp.name, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, kubeconfigs) + except IOError: + # This is not a node + pass + + for kube in filter_paths(kubeconfig_paths): + with open(kube, 'r') as fp: + # TODO: Maybe consider catching exceptions here? + cfg = yaml.load(fp) + + # Per conversation, "the kubeconfigs you care about: + # admin, router, registry should all be single + # value". Following that advice we only grab the data for + # the user at index 0 in the 'users' list. There should + # not be more than one user. + c = cfg['users'][0]['user']['client-certificate-data'] + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(c, now, base64decode=True) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': fp.name, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, kubeconfigs) + + ###################################################################### + # /Check service Kubeconfigs + ###################################################################### + + ###################################################################### + # Check etcd certs + ###################################################################### + # Some values may be duplicated, make this a set for now so we + # unique them all + etcd_certs_to_check = set([]) + etcd_certs = [] + etcd_cert_params.append('dne') + try: + with open('/etc/etcd/etcd.conf', 'r') as fp: + etcd_config = ConfigParser.ConfigParser() + etcd_config.readfp(FakeSecHead(fp)) + + for param in etcd_cert_params: + try: + etcd_certs_to_check.add(etcd_config.get('ETCD', param)) + except ConfigParser.NoOptionError: + # That parameter does not exist, oh well... + pass + except IOError: + # No etcd to see here, move along + pass + + for etcd_cert in filter_paths(etcd_certs_to_check): + with open(etcd_cert, 'r') as fp: + c = fp.read() + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(c, now) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': fp.name, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs) + + ###################################################################### + # /Check etcd certs + ###################################################################### + + ###################################################################### + # Check router/registry certs + # + # These are saved as secrets in etcd. That means that we can not + # simply read a file to grab the data. Instead we're going to + # subprocess out to the 'oc get' command. On non-masters this + # command will fail, that is expected so we catch that exception. + ###################################################################### + router_certs = [] + registry_certs = [] + + ###################################################################### + # First the router certs + try: + router_secrets_raw = subprocess.Popen('oc get secret router-certs -o yaml'.split(), + stdout=subprocess.PIPE) + router_ds = yaml.load(router_secrets_raw.communicate()[0]) + router_c = router_ds['data']['tls.crt'] + router_path = router_ds['metadata']['selfLink'] + except TypeError: + # YAML couldn't load the result, this is not a master + pass + except OSError: + # The OC command doesn't exist here. Move along. + pass + else: + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(router_c, now, base64decode=True) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': router_path, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, router_certs) + + ###################################################################### + # Now for registry + try: + registry_secrets_raw = subprocess.Popen('oc get secret registry-certificates -o yaml'.split(), + stdout=subprocess.PIPE) + registry_ds = yaml.load(registry_secrets_raw.communicate()[0]) + registry_c = registry_ds['data']['registry.crt'] + registry_path = registry_ds['metadata']['selfLink'] + except TypeError: + # YAML couldn't load the result, this is not a master + pass + except OSError: + # The OC command doesn't exist here. Move along. + pass + else: + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(registry_c, now, base64decode=True) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': registry_path, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, registry_certs) + + ###################################################################### + # /Check router/registry certs + ###################################################################### + + res = tabulate_summary(ocp_certs, kubeconfigs, etcd_certs, router_certs, registry_certs) + + msg = "Checked {count} total certificates. Expired/Warning/OK: {exp}/{warn}/{ok}. Warning window: {window} days".format( + count=res['total'], + exp=res['expired'], + warn=res['warning'], + ok=res['ok'], + window=int(module.params['warning_days']), + ) + + # By default we only return detailed information about expired or + # warning certificates. If show_all is true then we will print all + # the certificates examined. + if not module.params['show_all']: + check_results['ocp_certs'] = [crt for crt in ocp_certs if crt['health'] in ['expired', 'warning']] + check_results['kubeconfigs'] = [crt for crt in kubeconfigs if crt['health'] in ['expired', 'warning']] + check_results['etcd'] = [crt for crt in etcd_certs if crt['health'] in ['expired', 'warning']] + check_results['registry'] = [crt for crt in registry_certs if crt['health'] in ['expired', 'warning']] + check_results['router'] = [crt for crt in router_certs if crt['health'] in ['expired', 'warning']] + else: + check_results['ocp_certs'] = ocp_certs + check_results['kubeconfigs'] = kubeconfigs + check_results['etcd'] = etcd_certs + check_results['registry'] = registry_certs + check_results['router'] = router_certs + + # Sort the final results to report in order of ascending safety + # time. That is to say, the certificates which will expire sooner + # will be at the front of the list and certificates which will + # expire later are at the end. Router and registry certs should be + # limited to just 1 result, so don't bother sorting those. + check_results['ocp_certs'] = sorted(check_results['ocp_certs'], cmp=lambda x, y: cmp(x['days_remaining'], y['days_remaining'])) + check_results['kubeconfigs'] = sorted(check_results['kubeconfigs'], cmp=lambda x, y: cmp(x['days_remaining'], y['days_remaining'])) + check_results['etcd'] = sorted(check_results['etcd'], cmp=lambda x, y: cmp(x['days_remaining'], y['days_remaining'])) + + # This module will never change anything, but we might want to + # change the return code parameter if there is some catastrophic + # error we noticed earlier + module.exit_json( + check_results=check_results, + summary=res, + msg=msg, + rc=0, + changed=False + ) + +###################################################################### +# It's just the way we do things in Ansible. So disable this warning +# +# pylint: disable=wrong-import-position,import-error +from ansible.module_utils.basic import AnsibleModule +if __name__ == '__main__': + main() diff --git a/roles/openshift_certificate_expiry/meta/main.yml b/roles/openshift_certificate_expiry/meta/main.yml new file mode 100644 index 000000000..c13b29ba5 --- /dev/null +++ b/roles/openshift_certificate_expiry/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Tim Bielawa + description: OpenShift Certificate Expiry Checker + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + version: 1.0 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: [] diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml new file mode 100644 index 000000000..139d5de6e --- /dev/null +++ b/roles/openshift_certificate_expiry/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: Check cert expirys on host + openshift_cert_expiry: + warning_days: "{{ openshift_certificate_expiry_warning_days|int }}" + config_base: "{{ openshift_certificate_expiry_config_base }}" + show_all: "{{ openshift_certificate_expiry_show_all|bool }}" + register: check_results + +- name: Generate expiration report HTML + become: no + run_once: yes + template: + src: cert-expiry-table.html.j2 + dest: "{{ openshift_certificate_expiry_html_report_path }}" + delegate_to: localhost + when: "{{ openshift_certificate_expiry_generate_html_report|bool }}" + +- name: Generate the result JSON string + run_once: yes + set_fact: json_result_string="{{ hostvars|oo_cert_expiry_results_to_json(play_hosts) }}" + when: "{{ openshift_certificate_expiry_save_json_results|bool }}" + +- name: Generate results JSON file + become: no + run_once: yes + template: + src: save_json_results.j2 + dest: "{{ openshift_certificate_expiry_json_results_path }}" + delegate_to: localhost + when: "{{ openshift_certificate_expiry_save_json_results|bool }}" diff --git a/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 new file mode 100644 index 000000000..b05110336 --- /dev/null +++ b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 @@ -0,0 +1,124 @@ +<!DOCTYPE html> +<html> + <head> + <meta charset="UTF-8" /> + <title>OCP Certificate Expiry Report</title> + {# For fancy icons and a pleasing font #} + <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" /> + <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,700" rel="stylesheet" /> + <style type="text/css"> + body { + font-family: 'Source Sans Pro', sans-serif; + margin-left: 50px; + margin-right: 50px; + margin-bottom: 20px; + padding-top: 70px; + } + table { + border-collapse: collapse; + margin-bottom: 20px; + } + table, th, td { + border: 1px solid black; + } + th, td { + padding: 5px; + } + .cert-kind { + margin-top: 5px; + margin-bottom: 5px; + } + footer { + font-size: small; + text-align: center; + } + tr.odd { + background-color: #f2f2f2; + } + </style> + </head> + <body> + <nav class="navbar navbar-default navbar-fixed-top"> + <div class="container-fluid"> + <div class="navbar-header"> + <a class="navbar-brand" href="#">OCP Certificate Expiry Report</a> + </div> + <div class="collapse navbar-collapse"> + <p class="navbar-text navbar-right"> + <a href="https://docs.openshift.com/container-platform/latest/install_config/redeploying_certificates.html" + target="_blank" + class="navbar-link"> + <i class="glyphicon glyphicon-book"></i> Redeploying Certificates + </a> + </p> + </div> + </div> + </nav> + + {# Each host has a header and table to itself #} + {% for host in play_hosts %} + <h1>{{ host }}</h1> + + <p> + {{ hostvars[host].check_results.msg }} + </p> + <ul> + <li><b>Expirations checked at:</b> {{ hostvars[host].check_results.check_results.meta.checked_at_time }}</li> + <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_before_date }}</li> + </ul> + + <table border="1" width="100%"> + {# These are hard-coded right now, but should be grabbed dynamically from the registered results #} + {%- for kind in ['ocp_certs', 'etcd', 'kubeconfigs', 'router', 'registry'] -%} + <tr> + <th colspan="6" style="text-align:center"><h2 class="cert-kind">{{ kind }}</h2></th> + </tr> + + <tr> + <th> </th> + <th style="width:33%">Certificate Common/Alt Name(s)</th> + <th>Health</th> + <th>Days Remaining</th> + <th>Expiration Date</th> + <th>Path</th> + </tr> + + {# A row for each certificate examined #} + {%- for v in hostvars[host].check_results.check_results[kind] -%} + + {# Let's add some flair and show status visually with fancy icons #} + {% if v.health == 'ok' %} + {% set health_icon = 'glyphicon glyphicon-ok' %} + {% elif v.health == 'warning' %} + {% set health_icon = 'glyphicon glyphicon-alert' %} + {% else %} + {% set health_icon = 'glyphicon glyphicon-remove' %} + {% endif %} + + <tr class="{{ loop.cycle('odd', 'even') }}"> + <td style="text-align:center"><i class="{{ health_icon }}"></i></td> + <td style="width:33%">{{ v.cert_cn }}</td> + <td>{{ v.health }}</td> + <td>{{ v.days_remaining }}</td> + <td>{{ v.expiry }}</td> + <td>{{ v.path }}</td> + </tr> + {% endfor %} + {# end row generation per cert of this type #} + {% endfor %} + {# end generation for each kind of cert block #} + </table> + <hr /> + {% endfor %} + {# end section generation for each host #} + + <footer> + <p> + Expiration report generated by <a href="https://github.com/openshift/openshift-ansible" target="_blank">openshift-ansible</a> + </p> + <p> + Status icons from bootstrap/glyphicon + </p> + </footer> + </body> +</html> diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2 new file mode 100644 index 000000000..c1173d9ea --- /dev/null +++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2 @@ -0,0 +1 @@ +{{ json_result_string | to_nice_json(indent=2)}} diff --git a/roles/openshift_cli/library/openshift_container_binary_sync.py b/roles/openshift_cli/library/openshift_container_binary_sync.py index fd290c6fc..9ff738d14 100644 --- a/roles/openshift_cli/library/openshift_container_binary_sync.py +++ b/roles/openshift_cli/library/openshift_container_binary_sync.py @@ -83,8 +83,13 @@ class BinarySyncer(object): def _sync_symlink(self, binary_name, link_to): """ Ensure the given binary name exists and links to the expected binary. """ + + # The symlink we are creating: link_path = os.path.join(self.bin_dir, binary_name) - link_dest = os.path.join(self.bin_dir, binary_name) + + # The expected file we should be linking to: + link_dest = os.path.join(self.bin_dir, link_to) + if not os.path.exists(link_path) or \ not os.path.islink(link_path) or \ os.path.realpath(link_path) != os.path.realpath(link_dest): diff --git a/roles/openshift_examples/tasks/main.yml b/roles/openshift_examples/tasks/main.yml index 82536e8af..551e21e72 100644 --- a/roles/openshift_examples/tasks/main.yml +++ b/roles/openshift_examples/tasks/main.yml @@ -106,22 +106,6 @@ failed_when: "'already exists' not in oex_import_quickstarts.stderr and oex_import_quickstarts.rc != 0" changed_when: false -- name: Import origin infrastructure-templates - command: > - {{ openshift.common.client_binary }} {{ openshift_examples_import_command }} -n openshift -f {{ infrastructure_origin_base }} - when: openshift_examples_load_centos | bool - register: oex_import_infrastructure - failed_when: "'already exists' not in oex_import_infrastructure.stderr and oex_import_infrastructure.rc != 0" - changed_when: false - -- name: Import enterprise infrastructure-templates - command: > - {{ openshift.common.client_binary }} {{ openshift_examples_import_command }} -n openshift -f {{ infrastructure_enterprise_base }} - when: openshift_examples_load_rhel | bool - register: oex_import_infrastructure - failed_when: "'already exists' not in oex_import_infrastructure.stderr and oex_import_infrastructure.rc != 0" - changed_when: false - - name: Remove old xPaas template files file: path: "{{ item }}" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index cb642e12e..61ce55b7f 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -59,7 +59,7 @@ def migrate_docker_facts(facts): facts['docker']['hosted_registry_network'] = facts['node'].pop('portal_net') # log_options was originally meant to be a comma separated string, but - # we now prefer an actual list, with backward compatability: + # we now prefer an actual list, with backward compatibility: if 'log_options' in facts['docker'] and \ isinstance(facts['docker']['log_options'], basestring): facts['docker']['log_options'] = facts['docker']['log_options'].split(",") @@ -1035,12 +1035,23 @@ def get_current_config(facts): return current_config def build_kubelet_args(facts): - """ Build node kubelet_args """ - cloud_cfg_path = os.path.join(facts['common']['config_base'], - 'cloudprovider') + """Build node kubelet_args + +In the node-config.yaml file, kubeletArgument sub-keys have their +values provided as a list. Hence the gratuitous use of ['foo'] below. + """ + cloud_cfg_path = os.path.join( + facts['common']['config_base'], + 'cloudprovider') + + # We only have to do this stuff on hosts that are nodes if 'node' in facts: + # Any changes to the kubeletArguments parameter are stored + # here first. kubelet_args = {} + if 'cloudprovider' in facts: + # EVERY cloud is special <3 if 'kind' in facts['cloudprovider']: if facts['cloudprovider']['kind'] == 'aws': kubelet_args['cloud-provider'] = ['aws'] @@ -1050,6 +1061,28 @@ def build_kubelet_args(facts): kubelet_args['cloud-config'] = [cloud_cfg_path + '/openstack.conf'] if facts['cloudprovider']['kind'] == 'gce': kubelet_args['cloud-provider'] = ['gce'] + + # Automatically add node-labels to the kubeletArguments + # parameter. See BZ1359848 for additional details. + # + # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1359848 + if 'labels' in facts['node'] and isinstance(facts['node']['labels'], dict): + # tl;dr: os_node_labels="{'foo': 'bar', 'a': 'b'}" turns + # into ['foo=bar', 'a=b'] + # + # On the openshift_node_labels inventory variable we loop + # over each key-value tuple (from .items()) and join the + # key to the value with an '=' character, this produces a + # list. + # + # map() seems to be returning an itertools.imap object + # instead of a list. We cast it to a list ourselves. + labels_str = list(map(lambda x: '='.join(x), facts['node']['labels'].items())) + if labels_str != '': + kubelet_args['node-labels'] = labels_str + + # If we've added items to the kubelet_args dict then we need + # to merge the new items back into the main facts object. if kubelet_args != {}: facts = merge_facts({'node': {'kubelet_args': kubelet_args}}, facts, [], []) return facts diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml index 4e525a2da..c29df1873 100644 --- a/roles/openshift_hosted/tasks/registry/registry.yml +++ b/roles/openshift_hosted/tasks/registry/registry.yml @@ -30,7 +30,7 @@ - name: Create OpenShift registry command: > - {{ openshift.common.admin_binary }} registry --create + {{ openshift.common.client_binary }} adm registry --create --config={{ openshift_hosted_kubeconfig }} {% if replicas > 1 -%} --replicas={{ replicas }} diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index 664edef41..d2f6ba5f6 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml @@ -33,7 +33,7 @@ - name: Create registry certificates if they do not exist command: > - {{ openshift.common.admin_binary }} ca create-server-cert + {{ openshift.common.client_binary }} adm ca create-server-cert --signer-cert=/etc/origin/master/ca.crt --signer-key=/etc/origin/master/ca.key --signer-serial=/etc/origin/master/ca.serial.txt diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml index 0cad19c34..b944fa522 100644 --- a/roles/openshift_hosted/tasks/router/router.yml +++ b/roles/openshift_hosted/tasks/router/router.yml @@ -48,7 +48,7 @@ - name: Create OpenShift router command: > - {{ openshift.common.admin_binary }} router --create + {{ openshift.common.client_binary }} adm router --create --config={{ openshift_hosted_kubeconfig }} {% if replicas > 1 -%} --replicas={{ replicas }} @@ -73,7 +73,7 @@ {% if openshift.hosted.router.name | default(none) is not none -%} {{ openshift.hosted.router.name }} {% endif -%} - + register: openshift_hosted_router_results changed_when: "'service exists' not in openshift_hosted_router_results.stdout" failed_when: "openshift_hosted_router_results.rc != 0 and 'service exists' not in openshift_hosted_router_results.stdout and 'deployment_config' not in openshift_hosted_router_results.stderr and 'service' not in openshift_hosted_router_results.stderr" diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2 index 75d8f7fa6..557fd03af 100644 --- a/roles/openshift_hosted/templates/registry_config.j2 +++ b/roles/openshift_hosted/templates/registry_config.j2 @@ -8,55 +8,55 @@ storage: enabled: true cache: blobdescriptor: inmemory -{% if openshift.hosted.registry.storage.provider == 's3' %} +{% if openshift_hosted_registry_storage_provider | default('') == 's3' %} s3: - accesskey: {{ openshift.hosted.registry.storage.s3.accesskey }} - secretkey: {{ openshift.hosted.registry.storage.s3.secretkey }} - region: {{ openshift.hosted.registry.storage.s3.region }} -{% if 'regionendpoint' in openshift.hosted.registry.storage.s3 %} - regionendpoint: {{ openshift.hosted.registry.storage.s3.regionendpoint }} + accesskey: {{ openshift_hosted_registry_storage_s3_accesskey }} + secretkey: {{ openshift_hosted_registry_storage_s3_secretkey }} + region: {{ openshift_hosted_registry_storage_s3_region }} +{% if openshift_hosted_registry_storage_s3_regionendpoint is defined %} + regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }} {% endif %} - bucket: {{ openshift.hosted.registry.storage.s3.bucket }} + bucket: {{ openshift_hosted_registry_storage_s3_bucket }} encrypt: false secure: true v4auth: true - rootdirectory: {{ openshift.hosted.registry.storage.s3.rootdirectory | default('/registry') }} - chunksize: "{{ openshift.hosted.registry.storage.s3.chunksize | default(26214400) }}" -{% elif openshift.hosted.registry.storage.provider == 'azure_blob' %} + rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }} + chunksize: "{{ openshift_hosted_registry_storage_s3_chunksize | default(26214400) }}" +{% elif openshift_hosted_registry_storage_provider | default('') == 'azure_blob' %} azure: - accountname: {{ openshift.hosted.registry.storage.azure_blob.accountname }} - accountkey: {{ openshift.hosted.registry.storage.azure_blob.accountkey }} - container: {{ openshift.hosted.registry.storage.azure_blob.container }} - realm: {{ openshift.hosted.registry.storage.azure_blob.realm }} -{% elif openshift.hosted.registry.storage.provider == 'swift' %} + accountname: {{ openshift_hosted_registry_storage_azure_blob_accountname }} + accountkey: {{ openshift_hosted_registry_storage_azure_blob_accountkey }} + container: {{ openshift_hosted_registry_storage_azure_blob_container }} + realm: {{ openshift_hosted_registry_storage_azure_blob_realm }} +{% elif openshift_hosted_registry_storage_provider | default('') == 'swift' %} swift: - authurl: {{ openshift.hosted.registry.storage.swift.authurl }} - username: {{ openshift.hosted.registry.storage.swift.username }} - password: {{ openshift.hosted.registry.storage.swift.password }} - container: {{ openshift.hosted.registry.storage.swift.container }} -{% if 'region' in openshift.hosted.registry.storage.swift %} - region: {{ openshift.hosted.registry.storage.swift.region }} + authurl: {{ openshift_hosted_registry_storage_swift_authurl }} + username: {{ openshift_hosted_registry_storage_swift_username }} + password: {{ openshift_hosted_registry_storage_swift_password }} + container: {{ openshift_hosted_registry_storage_swift_container }} +{% if openshift_hosted_registry_storage_swift_region is defined %} + region: {{ openshift_hosted_registry_storage_swift_region }} {% endif -%} -{% if 'tenant' in openshift.hosted.registry.storage.swift %} - tenant: {{ openshift.hosted.registry.storage.swift.tenant }} +{% if openshift_hosted_registry_storage_swift_tenant is defined %} + tenant: {{ openshift_hosted_registry_storage_swift_tenant }} {% endif -%} -{% if 'tenantid' in openshift.hosted.registry.storage.swift %} - tenantid: {{ openshift.hosted.registry.storage.swift.tenantid }} +{% if openshift_hosted_registry_storage_swift_tenantid is defined %} + tenantid: {{ openshift_hosted_registry_storage_swift_tenantid }} {% endif -%} -{% if 'domain' in openshift.hosted.registry.storage.swift %} - domain: {{ openshift.hosted.registry.storage.swift.domain }} +{% if openshift_hosted_registry_storage_swift_domain is defined %} + domain: {{ openshift_hosted_registry_storage_swift_domain }} {% endif -%} -{% if 'domainid' in openshift.hosted.registry.storage.swift %} - domainid: {{ openshift.hosted.registry.storage.swift.domainid }} +{% if openshift_hosted_registry_storage_swift_domainid %} + domainid: {{ openshift_hosted_registry_storage_swift_domainid }} {% endif -%} -{% elif openshift.hosted.registry.storage.provider == 'gcs' %} +{% elif openshift_hosted_registry_storage_provider | default('') == 'gcs' %} gcs: - bucket: {{ openshift.hosted.registry.storage.gcs.bucket }} -{% if 'keyfile' in openshift.hosted.registry.storage.gcs %} - keyfile: {{ openshift.hosted.registry.storage.gcs.keyfile }} + bucket: {{ openshift_hosted_registry_storage_gcs_bucket }} +{% if openshift_hosted_registry_storage_gcs_keyfile is defined %} + keyfile: {{ openshift_hosted_registry_storage_gcs_keyfile }} {% endif -%} -{% if 'rootdirectory' in openshift.hosted.registry.storage.gcs %} - rootdirectory: {{ openshift.hosted.registry.storage.gcs.rootdirectory }} +{% if openshift_hosted_registry_storage_gcs_rootdirectory is defined %} + rootdirectory: {{ openshift_hosted_registry_storage_gcs_rootdirectory }} {% endif -%} {% endif -%} auth: @@ -70,16 +70,16 @@ middleware: repository: - name: openshift options: - pullthrough: {{ openshift.hosted.registry.pullthrough | default(true) }} - acceptschema2: {{ openshift.hosted.registry.acceptschema2 | default(false) }} - enforcequota: {{ openshift.hosted.registry.enforcequota | default(false) }} -{% if openshift.hosted.registry.storage.provider == 's3' and 'cloudfront' in openshift.hosted.registry.storage.s3 %} + pullthrough: {{ openshift_hosted_registry_pullthrough | default(true) }} + acceptschema2: {{ openshift_hosted_registry_acceptschema2 | default(false) }} + enforcequota: {{ openshift_hosted_registry_enforcequota | default(false) }} +{% if openshift_hosted_registry_storage_provider | default('') == 's3' and openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined %} storage: - name: cloudfront options: - baseurl: {{ openshift.hosted.registry.storage.s3.cloudfront.baseurl }} - privatekey: {{ openshift.hosted.registry.storage.s3.cloudfront.privatekeyfile }} - keypairid: {{ openshift.hosted.registry.storage.s3.cloudfront.keypairid }} + baseurl: {{ openshift_hosted_registry_storage_s3_cloudfront_baseurl }} + privatekey: {{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }} + keypairid: {{ openshift_hosted_registry_storage_s3_cloudfront_keypairid }} {% elif openshift.common.version_gte_3_3_or_1_3 | bool %} storage: - name: openshift diff --git a/roles/openshift_hosted_logging/defaults/main.yml b/roles/openshift_hosted_logging/defaults/main.yml index e357899e5..a01f24df8 100644 --- a/roles/openshift_hosted_logging/defaults/main.yml +++ b/roles/openshift_hosted_logging/defaults/main.yml @@ -1,2 +1,2 @@ --- -examples_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/examples" +hosted_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/hosted" diff --git a/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml b/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml index 8331f0389..8754616d9 100644 --- a/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml +++ b/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml @@ -46,8 +46,8 @@ - name: "Remove deployer template" command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig delete template logging-deployer-template -n openshift" - register: delete_ouput - failed_when: delete_ouput.rc == 1 and 'exists' not in delete_ouput.stderr + register: delete_output + failed_when: delete_output.rc == 1 and 'exists' not in delete_output.stderr - name: Delete temp directory diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml index 65af1c08e..0162d1fb0 100644 --- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml +++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml @@ -17,7 +17,7 @@ cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig changed_when: False - - name: Check for logging project already exists + - name: "Check for logging project already exists" command: > {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get project logging -o jsonpath='{.metadata.name}' register: logging_project_result @@ -25,7 +25,7 @@ - name: "Create logging project" command: > - {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig new-project logging + {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig new-project logging when: logging_project_result.stdout == "" - name: "Changing projects" @@ -40,9 +40,13 @@ - name: "Create templates for logging accounts and the deployer" command: > - {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{ examples_base }}/infrastructure-templates/{{ 'enterprise' if openshift_deployment_type == 'openshift-enterprise' else 'origin' }}/logging-deployer.yaml - register: template_output - failed_when: "template_output.rc == 1 and 'exists' not in template_output.stderr" + {{ openshift.common.client_binary }} create + -f {{ hosted_base }}/logging-deployer.yaml + --config={{ mktemp.stdout }}/admin.kubeconfig + -n logging + register: logging_import_template + failed_when: "'already exists' not in logging_import_template.stderr and logging_import_template.rc != 0" + changed_when: "'created' in logging_import_template.stdout" - name: "Process the logging accounts template" shell: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig process logging-deployer-account-template | {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f -" @@ -51,19 +55,19 @@ - name: "Set permissions for logging-deployer service account" command: > - {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer + {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer register: permiss_output failed_when: "permiss_output.rc == 1 and 'exists' not in permiss_output.stderr" - name: "Set permissions for fluentd" command: > - {{ openshift.common.admin_binary}} policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd + {{ openshift.common.client_binary }} adm policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd register: fluentd_output failed_when: "fluentd_output.rc == 1 and 'exists' not in fluentd_output.stderr" - name: "Set additional permissions for fluentd" command: > - {{ openshift.common.admin_binary}} policy add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd + {{ openshift.common.client_binary }} adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd register: fluentd2_output failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr" diff --git a/roles/openshift_hosted_templates/defaults/main.yml b/roles/openshift_hosted_templates/defaults/main.yml new file mode 100644 index 000000000..f4fd15089 --- /dev/null +++ b/roles/openshift_hosted_templates/defaults/main.yml @@ -0,0 +1,10 @@ +--- +hosted_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/hosted" +hosted_deployment_type: "{{ 'origin' if openshift_deployment_type == 'origin' else 'enterprise' }}" + +content_version: "{{ openshift.common.examples_content_version }}" + +registry_url: "" +registry_host: "{{ registry_url.split('/')[0] if '.' in registry_url.split('/')[0] else '' }}" + +openshift_hosted_templates_import_command: 'create' diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/enterprise/logging-deployer.yaml index b3b60bf9b..b3b60bf9b 100644 --- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.0/enterprise/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/enterprise/metrics-deployer.yaml index ddd9f2f75..ddd9f2f75 100644 --- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.0/enterprise/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/origin/logging-deployer.yaml index 4c798e148..4c798e148 100644 --- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.0/origin/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/origin/metrics-deployer.yaml index 3e9bcde5b..3e9bcde5b 100644 --- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.0/origin/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/enterprise/logging-deployer.yaml index 9c8f1071a..9c8f1071a 100644 --- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.1/enterprise/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/enterprise/metrics-deployer.yaml index 99f2df4fa..99f2df4fa 100644 --- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.1/enterprise/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/origin/logging-deployer.yaml index 9257b1f28..9257b1f28 100644 --- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.1/origin/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/origin/metrics-deployer.yaml index 30d79acee..30d79acee 100644 --- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.1/origin/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/enterprise/logging-deployer.yaml index b6975eead..b6975eead 100644 --- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.2/enterprise/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/enterprise/metrics-deployer.yaml index 032f94a18..032f94a18 100644 --- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.2/enterprise/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/origin/logging-deployer.yaml index 8b28f872f..8b28f872f 100644 --- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.2/origin/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/origin/metrics-deployer.yaml index ab62ae76f..ab62ae76f 100644 --- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.2/origin/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/enterprise/logging-deployer.yaml index a8d4b1cbb..13cef2d66 100644 --- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.3/enterprise/logging-deployer.yaml @@ -200,13 +200,13 @@ items: name: MODE value: "install" - - description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set prefix "registry.access.redhat.com/openshift3/"' + description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.1", set prefix "registry.access.redhat.com/openshift3/"' name: IMAGE_PREFIX value: "registry.access.redhat.com/openshift3/" - - description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set version "3.3.0"' + description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.1", set version "3.3.1"' name: IMAGE_VERSION - value: "3.3.0" + value: "3.3.1" - description: "(Deprecated) Specify the name of an existing pull secret to be used for pulling component images from an authenticated registry." name: IMAGE_PULL_SECRET diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/enterprise/metrics-deployer.yaml index afd47ec7c..5e21e3a7a 100644 --- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.3/enterprise/metrics-deployer.yaml @@ -101,7 +101,7 @@ parameters: - description: 'Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:latest", set version "latest"' name: IMAGE_VERSION - value: "3.3.0" + value: "3.3.1" - description: "Internal URL for the master, for authentication retrieval" name: MASTER_URL diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.3/enterprise/registry-console.yaml index 11478263c..11478263c 100644 --- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/registry-console.yaml +++ b/roles/openshift_hosted_templates/files/v1.3/enterprise/registry-console.yaml diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/origin/logging-deployer.yaml index 8b28f872f..8b28f872f 100644 --- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.3/origin/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/origin/metrics-deployer.yaml index 5f2290419..5f2290419 100644 --- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.3/origin/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.3/origin/registry-console.yaml index 80cc4233b..80cc4233b 100644 --- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/registry-console.yaml +++ b/roles/openshift_hosted_templates/files/v1.3/origin/registry-console.yaml diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml index a8d4b1cbb..9cff9daca 100644 --- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml @@ -200,13 +200,13 @@ items: name: MODE value: "install" - - description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set prefix "registry.access.redhat.com/openshift3/"' + description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.4.0", set prefix "registry.access.redhat.com/openshift3/"' name: IMAGE_PREFIX value: "registry.access.redhat.com/openshift3/" - - description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set version "3.3.0"' + description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.4.0", set version "3.4.0"' name: IMAGE_VERSION - value: "3.3.0" + value: "3.4.0" - description: "(Deprecated) Specify the name of an existing pull secret to be used for pulling component images from an authenticated registry." name: IMAGE_PULL_SECRET diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml index afd47ec7c..1b46d6ac7 100644 --- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml @@ -101,7 +101,7 @@ parameters: - description: 'Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:latest", set version "latest"' name: IMAGE_VERSION - value: "3.3.0" + value: "3.4.0" - description: "Internal URL for the master, for authentication retrieval" name: MASTER_URL diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/registry-console.yaml index 11478263c..11478263c 100644 --- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/registry-console.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/registry-console.yaml diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/origin/logging-deployer.yaml index 8b28f872f..8b28f872f 100644 --- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/origin/logging-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml index 5f2290419..5f2290419 100644 --- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.4/origin/registry-console.yaml index 80cc4233b..80cc4233b 100644 --- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/registry-console.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/origin/registry-console.yaml diff --git a/roles/openshift_hosted_templates/meta/main.yml b/roles/openshift_hosted_templates/meta/main.yml new file mode 100644 index 000000000..9c12865bf --- /dev/null +++ b/roles/openshift_hosted_templates/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: Andrew Butcher + description: OpenShift Hosted Templates + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: openshift_common diff --git a/roles/openshift_hosted_templates/tasks/main.yml b/roles/openshift_hosted_templates/tasks/main.yml new file mode 100644 index 000000000..7d176bce3 --- /dev/null +++ b/roles/openshift_hosted_templates/tasks/main.yml @@ -0,0 +1,65 @@ +--- +- name: Create local temp dir for OpenShift hosted templates copy + local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX + become: False + register: copy_hosted_templates_mktemp + run_once: True + +- name: Create tar of OpenShift examples + local_action: command tar -C "{{ role_path }}/files/{{ content_version }}/{{ hosted_deployment_type }}" -cvf "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar" . + args: + # Disables the following warning: + # Consider using unarchive module rather than running tar + warn: no + become: False + register: copy_hosted_templates_tar + +- name: Create remote OpenShift hosted templates directory + file: + dest: "{{ hosted_base }}" + state: directory + mode: 0755 + +- name: Unarchive the OpenShift hosted templates on the remote + unarchive: + src: "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar" + dest: "{{ hosted_base }}/" + +- name: Cleanup the OpenShift hosted templates temp dir + become: False + local_action: file dest="{{ copy_hosted_templates_mktemp.stdout }}" state=absent + +- name: Modify registry paths if registry_url is not registry.access.redhat.com + shell: > + find {{ hosted_base }} -type f | xargs -n 1 sed -i 's|registry.access.redhat.com|{{ registry_host | quote }}|g' + when: registry_host != '' and openshift_hosted_modify_imagestreams | default(openshift_examples_modify_imagestreams | default(False)) | bool + +- name: Create temp directory for kubeconfig + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: mktemp + changed_when: False + +- name: Record kubeconfig tmp dir + set_fact: + openshift_hosted_templates_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + +- name: Copy the admin client config(s) + command: > + cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_templates_kubeconfig }} + changed_when: False + +- name: Create or update hosted templates + command: > + {{ openshift.common.client_binary }} {{ openshift_hosted_templates_import_command }} + -f {{ hosted_base }} + --config={{ openshift_hosted_templates_kubeconfig }} + -n openshift + register: oht_import_templates + failed_when: "'already exists' not in oht_import_templates.stderr and oht_import_templates.rc != 0" + changed_when: "'created' in oht_import_templates.stdout" + +- name: Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index d1cc5b274..28e4e46e9 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml @@ -26,7 +26,7 @@ - name: Set node schedulability command: > - {{ openshift.common.admin_binary }} manage-node {{ hostvars[item].openshift.node.nodename }} --schedulable={{ 'true' if hostvars[item].openshift.node.schedulable | bool else 'false' }} + {{ openshift.common.client_binary }} adm manage-node {{ hostvars[item].openshift.node.nodename }} --schedulable={{ 'true' if hostvars[item].openshift.node.schedulable | bool else 'false' }} --config={{ openshift_manage_node_kubeconfig }} -n default with_items: "{{ openshift_nodes }}" diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index 5d7a3c038..bdaf64b3f 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -8,9 +8,9 @@ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}} changed_when: false -- name: Add Managment Infrastructure project +- name: Add Management Infrastructure project command: > - {{ openshift.common.admin_binary }} new-project + {{ openshift.common.client_binary }} adm new-project management-infra --description="Management Infrastructure" --config={{manage_iq_tmp_conf}} @@ -52,7 +52,7 @@ - name: Configure role/user permissions command: > - {{ openshift.common.admin_binary }} {{item}} + {{ openshift.common.client_binary }} adm {{item}} --config={{manage_iq_tmp_conf}} with_items: "{{manage_iq_tasks}}" register: osmiq_perm_task @@ -61,7 +61,7 @@ - name: Configure 3_2 role/user permissions command: > - {{ openshift.common.admin_binary }} {{item}} + {{ openshift.common.client_binary }} adm {{item}} --config={{manage_iq_tmp_conf}} with_items: "{{manage_iq_openshift_3_2_tasks}}" register: osmiq_perm_3_2_task diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 1a59717c7..1d6758c4a 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -57,7 +57,7 @@ - name: Create the policy file if it does not already exist command: > - {{ openshift.common.admin_binary }} create-bootstrap-policy-file + {{ openshift.common.client_binary }} adm create-bootstrap-policy-file --filename={{ openshift_master_policy }} args: creates: "{{ openshift_master_policy }}" diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index ffde59358..e9b7de330 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -52,7 +52,7 @@ - name: Create the master certificates if they do not already exist command: > - {{ openshift.common.admin_binary }} create-master-certs + {{ openshift.common.client_binary }} adm create-master-certs {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} diff --git a/roles/openshift_metrics/defaults/main.yml b/roles/openshift_metrics/defaults/main.yml new file mode 100644 index 000000000..a01f24df8 --- /dev/null +++ b/roles/openshift_metrics/defaults/main.yml @@ -0,0 +1,2 @@ +--- +hosted_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/hosted" diff --git a/roles/openshift_metrics/tasks/install.yml b/roles/openshift_metrics/tasks/install.yml index 9c4eb22d7..4976c7153 100644 --- a/roles/openshift_metrics/tasks/install.yml +++ b/roles/openshift_metrics/tasks/install.yml @@ -30,7 +30,7 @@ - name: Add edit permission to the openshift-infra project to metrics-deployer SA command: > - {{ openshift.common.admin_binary }} + {{ openshift.common.client_binary }} adm --config={{ openshift_metrics_kubeconfig }} --namespace openshift-infra policy add-role-to-user edit @@ -48,7 +48,7 @@ - name: Add cluster-reader permission to the openshift-infra project to heapster SA command: > - {{ openshift.common.admin_binary }} + {{ openshift.common.client_binary }} adm --config={{ openshift_metrics_kubeconfig }} --namespace openshift-infra policy add-cluster-role-to-user cluster-reader @@ -70,7 +70,7 @@ - name: Build metrics deployer command set_fact: deployer_cmd: "{{ openshift.common.client_binary }} process -f \ - {{ metrics_template_dir }}/metrics-deployer.yaml -v \ + {{ hosted_base }}/metrics-deployer.yaml -v \ HAWKULAR_METRICS_HOSTNAME={{ metrics_hostname }},USE_PERSISTENT_STORAGE={{metrics_persistence | string | lower }},DYNAMICALLY_PROVISION_STORAGE={{metrics_dynamic_vol | string | lower }},METRIC_DURATION={{ openshift.hosted.metrics.duration }},METRIC_RESOLUTION={{ openshift.hosted.metrics.resolution }}{{ image_prefix }}{{ image_version }},MODE={{ deployment_mode }} \ | {{ openshift.common.client_binary }} --namespace openshift-infra \ --config={{ openshift_metrics_kubeconfig }} \ diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 64c90db50..8b3145785 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -9,6 +9,10 @@ role: "{{ item.role }}" local_facts: "{{ item.local_facts }}" with_items: + # Reset node labels to an empty dictionary. + - role: node + local_facts: + labels: {} - role: node local_facts: annotations: "{{ openshift_node_annotations | default(none) }}" @@ -76,7 +80,7 @@ # TODO: add the validate parameter when there is a validation command to run - name: Create the Node config template: - dest: "{{ openshift_node_config_file }}" + dest: "{{ openshift.common.config_base }}/node/node-config.yaml" src: node.yaml.v1.j2 backup: true owner: root diff --git a/roles/openshift_node/tasks/systemd_units.yml b/roles/openshift_node/tasks/systemd_units.yml index 40d1dd50b..27c9b48f0 100644 --- a/roles/openshift_node/tasks/systemd_units.yml +++ b/roles/openshift_node/tasks/systemd_units.yml @@ -42,7 +42,7 @@ - regex: '^OPTIONS=' line: "OPTIONS=--loglevel={{ openshift.node.debug_level | default(2) }}" - regex: '^CONFIG_FILE=' - line: "CONFIG_FILE={{ openshift_node_config_file }}" + line: "CONFIG_FILE={{ openshift.common.config_base }}/node/node-config.yaml" - regex: '^IMAGE_VERSION=' line: "IMAGE_VERSION={{ openshift_image_tag }}" notify: diff --git a/roles/openshift_node/vars/main.yml b/roles/openshift_node/vars/main.yml deleted file mode 100644 index 77a9694de..000000000 --- a/roles/openshift_node/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -openshift_node_config_dir: "{{ openshift.common.config_base }}/node" -openshift_node_config_file: "{{ openshift_node_config_dir }}/node-config.yaml" diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 80ab4bb1d..69bcd3668 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -44,7 +44,7 @@ - name: Generate the node client config command: > - {{ openshift.common.admin_binary }} create-api-client-config + {{ openshift.common.client_binary }} adm create-api-client-config {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} @@ -63,7 +63,7 @@ - name: Generate the node server certificate command: > - {{ openshift.common.admin_binary }} ca create-server-cert + {{ openshift.common.client_binary }} adm ca create-server-cert --cert={{ openshift_node_generated_config_dir }}/server.crt --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key --overwrite=true diff --git a/roles/openshift_node_dnsmasq/tasks/main.yml b/roles/openshift_node_dnsmasq/tasks/main.yml index bd9a0ffb6..396c27295 100644 --- a/roles/openshift_node_dnsmasq/tasks/main.yml +++ b/roles/openshift_node_dnsmasq/tasks/main.yml @@ -29,6 +29,12 @@ when: openshift_node_dnsmasq_additional_config_file is defined notify: restart dnsmasq +- name: Enable dnsmasq + service: + name: dnsmasq + enabled: yes + state: started + # Dynamic NetworkManager based dispatcher - include: ./network-manager.yml when: network_manager_active | bool diff --git a/roles/openshift_projects/tasks/main.yml b/roles/openshift_projects/tasks/main.yml index 62a357cf7..30d58afd3 100644 --- a/roles/openshift_projects/tasks/main.yml +++ b/roles/openshift_projects/tasks/main.yml @@ -20,7 +20,7 @@ - name: Create projects command: > - {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig + {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig new-project {{ item.item.key }} {% if item.item.value.default_node_selector | default(none) != none %} {{ '--node-selector=' ~ item.item.value.default_node_selector }} diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index e90384d37..1ff9e6dcb 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml @@ -26,7 +26,7 @@ - name: Grant the user access to the appropriate scc command: > - {{ openshift.common.admin_binary }} policy add-scc-to-user + {{ openshift.common.client_binary }} adm policy add-scc-to-user {{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }} when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users | default([]) }}" with_nested: diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py index 190016c14..bd638b69b 100755 --- a/roles/os_firewall/library/os_firewall_manage_iptables.py +++ b/roles/os_firewall/library/os_firewall_manage_iptables.py @@ -50,8 +50,8 @@ class IpTablesCreateJumpRuleError(IpTablesError): self.chain = chain -# TODO: impliment rollbacks for any events that where successful and an -# exception was thrown later. for example, when the chain is created +# TODO: implement rollbacks for any events that were successful and an +# exception was thrown later. For example, when the chain is created # successfully, but the add/remove rule fails. class IpTablesManager(object): # pylint: disable=too-many-instance-attributes def __init__(self, module): |