From 4ac07696f3db92d1361290c3a0d7b7637d3d1994 Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Mon, 11 Apr 2016 15:45:26 -0400
Subject: Add support for creating secure router.

* Move openshift_router to openshift_hosted role which will eventually
  contain registry, metrics and logging.
* Adds option for specifying an openshift_hosted_router_certificate
  cert and key pair.
* Removes dependency on node label variables and retrieves the node
  list from the API so that this role can be applied to any cluster with
  existing nodes. I've added an openshift_hosted playbook that occurs
  after node install to account for this.
* Infrastructure nodes are selected using
  openshift_hosted_router_selector which is based on deployment type
  by default; openshift-enterprise -> "region=infra" and online ->
  "type=infra".
---
 roles/openshift_hosted/README.md         | 55 +++++++++++++++++++++++++++
 roles/openshift_hosted/handlers/main.yml |  0
 roles/openshift_hosted/meta/main.yml     | 16 ++++++++
 roles/openshift_hosted/tasks/main.yml    |  3 ++
 roles/openshift_hosted/tasks/router.yml  | 64 ++++++++++++++++++++++++++++++++
 roles/openshift_hosted/vars/main.yml     |  2 +
 6 files changed, 140 insertions(+)
 create mode 100644 roles/openshift_hosted/README.md
 create mode 100644 roles/openshift_hosted/handlers/main.yml
 create mode 100644 roles/openshift_hosted/meta/main.yml
 create mode 100644 roles/openshift_hosted/tasks/main.yml
 create mode 100644 roles/openshift_hosted/tasks/router.yml
 create mode 100644 roles/openshift_hosted/vars/main.yml


diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md
new file mode 100644
index 000000000..633ec0937
--- /dev/null
+++ b/roles/openshift_hosted/README.md
@@ -0,0 +1,55 @@
+OpenShift Hosted
+================
+
+OpenShift Hosted Resources
+
+* OpenShift Router
+
+Requirements
+------------
+
+This role requires a running OpenShift cluster with nodes labeled to
+match the openshift_hosted_router_selector (default: region=infra).
+
+Role Variables
+--------------
+
+From this role:
+
+| Name                                | Default value                            | Description                                                                                                          |
+|-------------------------------------|------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
+| openshift_hosted_router_certificate | None                                     | Dictionary containing "certfile" and "keyfile" keys with values containing paths to local certificate files.         |
+| openshift_hosted_router_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift router on.                                                                           |
+| openshift_hosted_router_replicas    | Number of nodes matching selector        | The number of replicas to configure.                                                                                 |
+| openshift_hosted_router_selector    | region=infra                             | Node selector used when creating router. The OpenShift router will only be deployed to nodes matching this selector. |
+
+Dependencies
+------------
+
+* openshift_common
+* openshift_hosted_facts
+
+Example Playbook
+----------------
+
+```
+- name: Create hosted resources
+  hosts: oo_first_master
+  roles:
+  - role: openshift_hosted
+    openshift_hosted_router_certificate:
+      certfile: /path/to/my-router.crt
+      keyfile: /path/to/my-router.key
+    openshift_hosted_router_registryurl: 'registry.access.redhat.com/openshift3/ose-haproxy-router:v3.0.2.0'
+    openshift_hosted_router_selector: 'type=infra'
+```
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Red Hat openshift@redhat.com
diff --git a/roles/openshift_hosted/handlers/main.yml b/roles/openshift_hosted/handlers/main.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
new file mode 100644
index 000000000..75dfc24c3
--- /dev/null
+++ b/roles/openshift_hosted/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: OpenShift Embedded Router
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- openshift_common
+- openshift_hosted_facts
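Review bot: `min_ansible_version: 1.9` is an unquoted YAML float; it is harmless at 1.9 but the same spelling turns a future `2.10` into `2.1`, so quote it as `min_ansible_version: '1.9'`. The `description` still reads "OpenShift Embedded Router" although the role is now `openshift_hosted` and, per the commit message, is meant to grow registry, metrics and logging; `description: OpenShift Hosted Resources` would match the README.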
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
new file mode 100644
index 000000000..d42a4e365
--- /dev/null
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+
+- include: router.yml
diff --git a/roles/openshift_hosted/tasks/router.yml b/roles/openshift_hosted/tasks/router.yml
new file mode 100644
index 000000000..6a36f74b2
--- /dev/null
+++ b/roles/openshift_hosted/tasks/router.yml
@@ -0,0 +1,64 @@
+---
+- fail:
+    msg: "Both 'certfile' and 'keyfile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
+  when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate)
+
+- name: Read router certificate and key
+  slurp:
+    src: "{{ item }}"
+  register: openshift_router_certificate_output
+  with_items:
+  - "{{ openshift_hosted_router_certificate.certfile }}"
+  - "{{ openshift_hosted_router_certificate.keyfile }}"
+  delegate_to: localhost
+  when: openshift_hosted_router_certificate is defined
+
+- name: Persist certificate contents
+  openshift_facts:
+    role: hosted
+    openshift_env:
+      openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
+  when: openshift_hosted_router_certificate is defined
+
+- name: Create PEM certificate
+  copy:
+    content: "{{ openshift.hosted.router.certificate.contents }}"
+    dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
+    mode: 0600
+  when: openshift.hosted.router.certificate | default(None) != None
+
+- name: Retrieve list of openshift nodes
+  command: >
+    {{ openshift.common.client_binary }} --api-version='v1' -o json
+    get nodes -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+  register: openshift_hosted_router_nodes_json
+  when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Collect nodes matching router selector
+  set_fact:
+    openshift_hosted_router_nodes: >
+      {{ (openshift_hosted_router_nodes_json.stdout|from_json)['items']
+         | oo_oc_nodes_matching_selector(openshift.hosted.router.selector) }}
+  when: openshift.hosted.router.replicas | default(None) == None
+
+- name: Create OpenShift router
+  command: >
+    {{ openshift.common.admin_binary }} router --create
+    {% if openshift.hosted.router.replicas | default(None) != None -%}
+    --replicas={{ openshift.hosted.router.replicas }}
+    {% else -%}
+    --replicas={{ openshift_hosted_router_nodes | length }}
+    {% endif %}
+    {% if openshift.hosted.router.certificate | default(None) != None -%}
+    --default-cert={{ openshift_master_config_dir }}/openshift-router.pem
+    {% endif -%}
+    --namespace=default
+    --service-account=router
+    --selector='{{ openshift.hosted.router.selector }}'
+    --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig
+    {% if openshift.hosted.router.registryurl | default(None)!= None -%}
+    --images='{{ openshift.hosted.router.registryurl }}'
+    {% endif -%}
+  register: openshift_hosted_router_results
+  changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
+  when: openshift.hosted.router.replicas | default(None) != None or (openshift_hosted_router_nodes is defined and openshift_hosted_router_nodes | length > 0)
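Review bot: The router private key travels through three task results with no `no_log`: "Read router certificate and key" registers its base64 content, "Persist certificate contents" passes the decoded key as a module argument, and "Create PEM certificate" passes it as `content`, so any of them will echo the key in verbose or failed-task output; add `no_log: true` to each of those three tasks. The `openshift_facts` call presumably persists the decoded key on the master as a fact as well — if so, the key then lives in that facts store in addition to `openshift-router.pem`, which is worth confirming and avoiding by keeping only the file paths in facts and rendering the PEM from the slurp result directly. The concatenation in "Persist certificate contents" also assumes each file ends with a newline; a certfile without one fuses `-----END CERTIFICATE-----` onto the key header and the resulting PEM will not parse, so append a newline per item (or join the decoded items with `'\n'`). Finally, `mode: 0600` is an unquoted octal literal that YAML reads as an integer; Ansible copes, but `mode: '0600'` is the unambiguous spelling.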
diff --git a/roles/openshift_hosted/vars/main.yml b/roles/openshift_hosted/vars/main.yml
new file mode 100644
index 000000000..9967e26f4
--- /dev/null
+++ b/roles/openshift_hosted/vars/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-- 
cgit v1.2.3