summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDevan Goodwin <dgoodwin@redhat.com>2016-03-23 16:16:47 -0300
committerDevan Goodwin <dgoodwin@redhat.com>2016-04-01 13:26:24 -0300
commit89db887bd536156421fbc701c5d1b46656070347 (patch)
treee327d53004131bda6a2f766cd8c784bea58ea8bd
parentc8f5f05df668eaa6502b17fed9dc8099e7fab258 (diff)
downloadopenshift-89db887bd536156421fbc701c5d1b46656070347.tar.gz
openshift-89db887bd536156421fbc701c5d1b46656070347.tar.bz2
openshift-89db887bd536156421fbc701c5d1b46656070347.tar.xz
openshift-89db887bd536156421fbc701c5d1b46656070347.zip
Add support for templating master admissionConfig.
Adds four new inventory variables for setting sections in "admissionConfig" and "kubernetesMasterConfig.admissionConfig". openshift_master_admission_plugin_order allows configuring the list of origin admission controller plugins to enable and what order to run them in. This must be a JSON formatted list of strings: openshift_master_admission_plugin_order=["RunOnceDuration", "NamespaceLifecycle", "OriginPodNodeEnvironment", "ClusterResourceOverride", "LimitRanger", "ServiceAccount", "SecurityContextConstraint", "ResourceQuota", "SCCExecRestrictions"] openshift_master_kube_admission_plugin_order is identical but for the kubernetes admission controller plugins which appear beneath kubernetesMasterConfig. openshift_master_admission_plugin_config allows setting free-form configuration stanzas that match up with enabled admission controller plugins. This must be a JSON formatted hash: openshift_master_admission_plugin_config={"RunOnceDuration":{"configuration":{"apiVersion":"v1","kind":"RunOnceDurationConfig","activeDeadlineSecondsOverride":3600}},"ClusterResourceOverride":{"configuration":{"apiVersion":"v1","kind":"ClusterResourceOverrideConfig","limitCPUToMemoryPercent":200,"cpuRequestToLimitPercent":6,"memoryRequestToLimitPercent":60}}} openshift_master_kube_admission_plugin_config is the equivalent for kubernetes admission controller plugins. Contains a change to merge_facts to fix issues with modifying inventory variables that contain JSON dicts. If you modified a previously set variable, the result would be a merge of old and new, which is completely wrong in this case. Addded new overwrite_facts to shortcut to just taking the new values. This differs from the pre-existing concept of "protected" in that we're not protecting an old value, we're trashing it and taking the new.
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py11
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j214
-rw-r--r--roles/openshift_master_facts/tasks/main.yml4
3 files changed, 28 insertions, 1 deletions
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 0d31d4ddf..9054e0bd4 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1118,12 +1118,21 @@ def merge_facts(orig, new, additive_facts_to_overwrite, protected_facts_to_overw
"""
additive_facts = ['named_certificates']
protected_facts = ['ha', 'master_count']
+
+ # Facts we do not ever want to merge. These originate in inventory variables
+ # and typically contain JSON dicts. We don't ever want to trigger a merge
+ # here, just completely overwrite with the new if they are present there.
+ overwrite_facts = ['admission_plugin_config',
+ 'kube_admission_plugin_config']
+
facts = dict()
for key, value in orig.iteritems():
# Key exists in both old and new facts.
if key in new:
+ if key in overwrite_facts:
+ facts[key] = copy.deepcopy(new[key])
# Continue to recurse if old and new fact is a dictionary.
- if isinstance(value, dict) and isinstance(new[key], dict):
+ elif isinstance(value, dict) and isinstance(new[key], dict):
# Collect the subset of additive facts to overwrite if
# key matches. These will be passed to the subsequent
# merge_facts call.
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 813a58d60..618ad8744 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -1,3 +1,10 @@
+admissionConfig:
+{% if 'admission_plugin_order' in openshift.master %}
+ pluginOrderOverride:{{ openshift.master.admission_plugin_order | to_padded_yaml(level=2) }}
+{% endif %}
+{% if 'admission_plugin_config' in openshift.master %}
+ pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }}
+{% endif %}
apiLevels:
{% if not openshift.common.version_gte_3_1_or_1_1 | bool %}
- v1beta3
@@ -96,6 +103,13 @@ kubernetesMasterConfig:
- v1beta3
- v1
{% endif %}
+ admissionConfig:
+{% if 'kube_admission_plugin_order' in openshift.master %}
+ pluginOrderOverride:{{ openshift.master.kube_admission_plugin_order | to_padded_yaml(level=3) }}
+{% endif %}
+{% if 'kube_admission_plugin_config' in openshift.master %}
+ pluginConfig:{{ openshift.master.kube_admission_plugin_config | to_padded_yaml(level=3) }}
+{% endif %}
apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }}
controllerArguments: {{ openshift.master.controller_args | default(None) | to_padded_yaml( level=2 ) }}
masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }}
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index 2a3e38af4..c54f11c1a 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -65,3 +65,7 @@
master_image: "{{ osm_image | default(None) }}"
scheduler_predicates: "{{ openshift_master_scheduler_predicates | default(None) }}"
scheduler_priorities: "{{ openshift_master_scheduler_priorities | default(None) }}"
+ admission_plugin_order: "{{openshift_master_admission_plugin_order | default(None) }}"
+ admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}"
+ kube_admission_plugin_order: "{{openshift_master_kube_admission_plugin_order | default(None) }}"
+ kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}"