authorNick Bartos <flamingo@2thebatcave.com>2017-12-05 15:02:52 +1100
committerNick Bartos <flamingo@2thebatcave.com>2018-01-08 07:44:35 +1100
commit6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7 (patch)
tree217ed334a99474d8307a65c75a4c864acbabf7d8 /roles/contiv_facts
parenta5eee09d02120bb16d7f81d1b05982e1a69df4dc (diff)
Contiv multi-master and other fixes
Contiv's etcd was not being deployed correctly when using more than one master. To make it easier to manage, it has been moved into a k8s container. The api proxy was hardcoded to an old version (1.1.1), and in some environments would run into a docker error. This has been moved into a k8s container for easier management. The firewall was too permissive on several ports. Many were open to the world when they should have only been accessible inside the cluster. Many of the contiv role variables were not prefixed with 'contiv', which may end up clobbering variables from another role. Now all the contiv-specific role variables start with 'contiv_'. The api proxy's default self-signed certificate was bundled with the role. This means that anyone with read-only MITM access and this key could decrypt traffic. Granted, a user-defined certificate from a trusted CA should be used in a production environment; it is still better to generate one in each environment when one is not provided.
Diffstat (limited to 'roles/contiv_facts')
-rw-r--r--roles/contiv_facts/defaults/main.yaml9
-rw-r--r--roles/contiv_facts/tasks/fedora-install.yml12
-rw-r--r--roles/contiv_facts/tasks/main.yml48
-rw-r--r--roles/contiv_facts/tasks/rpm.yml8
4 files changed, 30 insertions, 47 deletions
diff --git a/roles/contiv_facts/defaults/main.yaml b/roles/contiv_facts/defaults/main.yaml
index 7b8150954..c1622c56a 100644
--- a/roles/contiv_facts/defaults/main.yaml
+++ b/roles/contiv_facts/defaults/main.yaml
@@ -1,13 +1,10 @@
---
# The directory where binaries are stored on Ansible
# managed systems.
-bin_dir: /usr/bin
+contiv_bin_dir: /usr/bin
# The directory used by Ansible to temporarily store
# files on Ansible managed systems.
-ansible_temp_dir: /tmp/.ansible/files
+contiv_ansible_temp_dir: /tmp/.ansible/files
-source_type: packageManager
-
-# Whether or not to also install and enable the Contiv auth_proxy
-contiv_enable_auth_proxy: false
+contiv_source_type: packageManager
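Review bot: `contiv_source_type: packageManager` is the only default left in this file without a comment, while the two renamed keys above each keep theirs; a line such as `# Installation source for Contiv.` above it would keep the file consistent. The default for `contiv_enable_auth_proxy` is dropped here with no replacement in this role; presumably it now lives in the contiv role's defaults, which this diffstat (limited to roles/contiv_facts) does not show, but if it does not, any remaining `when: contiv_enable_auth_proxy` would fail as undefined.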
diff --git a/roles/contiv_facts/tasks/fedora-install.yml b/roles/contiv_facts/tasks/fedora-install.yml
index 932ff091a..b8239a636 100644
--- a/roles/contiv_facts/tasks/fedora-install.yml
+++ b/roles/contiv_facts/tasks/fedora-install.yml
@@ -11,9 +11,9 @@
retries: 5
delay: 10
environment:
- https_proxy: "{{ https_proxy }}"
- http_proxy: "{{ http_proxy }}"
- no_proxy: "{{ no_proxy }}"
+ https_proxy: "{{ contiv_https_proxy }}"
+ http_proxy: "{{ contiv_http_proxy }}"
+ no_proxy: "{{ contiv_no_proxy }}"
- name: Install libselinux-python
command: dnf install {{ item }} -y
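Review bot: `contiv_https_proxy`, `contiv_http_proxy` and `contiv_no_proxy` are not declared in this role's defaults (defaults/main.yaml after this change holds only contiv_bin_dir, contiv_ansible_temp_dir and contiv_source_type), so unless the contiv role or the inventory defines them, rendering `"{{ contiv_https_proxy }}"` fails as undefined on every Fedora host; the same applies to the second hunk of this file. If running without a proxy is a supported configuration, `https_proxy: "{{ contiv_https_proxy | default('') }}"` (and likewise for the other two keys) makes that explicit. The task these `environment` lines belong to starts before the hunk.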
@@ -21,6 +21,6 @@
- python-dnf
- libselinux-python
environment:
- https_proxy: "{{ https_proxy }}"
- http_proxy: "{{ http_proxy }}"
- no_proxy: "{{ no_proxy }}"
+ https_proxy: "{{ contiv_https_proxy }}"
+ http_proxy: "{{ contiv_http_proxy }}"
+ no_proxy: "{{ contiv_no_proxy }}"
diff --git a/roles/contiv_facts/tasks/main.yml b/roles/contiv_facts/tasks/main.yml
index ced04759d..11f1e1369 100644
--- a/roles/contiv_facts/tasks/main.yml
+++ b/roles/contiv_facts/tasks/main.yml
@@ -4,42 +4,28 @@
register: distro
check_mode: no
-- name: Init the is_coreos fact
+- name: Init the contiv_is_coreos fact
set_fact:
- is_coreos: false
+ contiv_is_coreos: false
-- name: Set the is_coreos fact
+- name: Set the contiv_is_coreos fact
set_fact:
- is_coreos: true
+ contiv_is_coreos: true
when: "'CoreOS' in distro.stdout"
-- name: Set docker config file directory
- set_fact:
- docker_config_dir: "/etc/sysconfig"
-
-- name: Override docker config file directory for Debian
- set_fact:
- docker_config_dir: "/etc/default"
- when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
-
-- name: Create config file directory
- file:
- path: "{{ docker_config_dir }}"
- state: directory
-
- name: Set the bin directory path for CoreOS
set_fact:
- bin_dir: "/opt/bin"
- when: is_coreos
+ contiv_bin_dir: "/opt/bin"
+ when: contiv_is_coreos
- name: Create the directory used to store binaries
file:
- path: "{{ bin_dir }}"
+ path: "{{ contiv_bin_dir }}"
state: directory
- name: Create Ansible temp directory
file:
- path: "{{ ansible_temp_dir }}"
+ path: "{{ contiv_ansible_temp_dir }}"
state: directory
- name: Determine if has rpm
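Review bot: The `Create Ansible temp directory` task creates `{{ contiv_ansible_temp_dir }}`, which defaults to a predictable path under world-writable /tmp per defaults/main.yaml, with neither `owner` nor `mode`, so a directory or symlink that another local user placed there first is accepted as-is and later used to stage files (the sticky bit on /tmp prevents deletion, not pre-creation). At minimum add `owner: root`, `group: root` and `mode: "0700"` to that `file` task; better, default the variable to a root-owned location outside /tmp. The `Create the directory used to store binaries` task has the same shape, though its default of /usr/bin makes this matter less there. The `register: distro` at the top of the hunk belongs to a task that starts before it.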
@@ -48,26 +34,26 @@
changed_when: false
check_mode: no
-- name: Init the has_rpm fact
+- name: Init the contiv_has_rpm fact
set_fact:
- has_rpm: false
+ contiv_has_rpm: false
-- name: Set the has_rpm fact
+- name: Set the contiv_has_rpm fact
set_fact:
- has_rpm: true
+ contiv_has_rpm: true
when: s.stat.exists
-- name: Init the has_firewalld fact
+- name: Init the contiv_has_firewalld fact
set_fact:
- has_firewalld: false
+ contiv_has_firewalld: false
-- name: Init the has_iptables fact
+- name: Init the contiv_has_iptables fact
set_fact:
- has_iptables: false
+ contiv_has_iptables: false
# collect information about what packages are installed
- include_tasks: rpm.yml
- when: has_rpm
+ when: contiv_has_rpm
- include_tasks: fedora-install.yml
when: not openshift_is_atomic and ansible_distribution == "Fedora"
diff --git a/roles/contiv_facts/tasks/rpm.yml b/roles/contiv_facts/tasks/rpm.yml
index d12436f96..dc6c5d3b7 100644
--- a/roles/contiv_facts/tasks/rpm.yml
+++ b/roles/contiv_facts/tasks/rpm.yml
@@ -13,9 +13,9 @@
failed_when: false
check_mode: no
-- name: Set the has_firewalld fact
+- name: Set the contiv_has_firewalld fact
set_fact:
- has_firewalld: true
+ contiv_has_firewalld: true
when: s.rc == 0 and ss.rc == 0
- name: Determine if iptables-services installed
@@ -25,7 +25,7 @@
failed_when: false
check_mode: no
-- name: Set the has_iptables fact
+- name: Set the contiv_has_iptables fact
set_fact:
- has_iptables: true
+ contiv_has_iptables: true
when: s.rc == 0