Templatize configs and 0.5.2 changes

- Templatize node config - Templatize master config - Integrated sdn changes - Updates for openshift_facts - Added support for node, master and sdn related changes - registry_url - added identity provider facts - Removed openshift_sdn_* roles - Install httpd-tools if configuring htpasswd auth - Remove references to external_id - Setting external_id interferes with nodes associating with the generated node object when pre-registering nodes. - osc/oc and osadm/oadm binary detection in openshift_facts Misc Changes: - make non-errata puddle default for byo example - comment out master in list of nodes in inventory/byo/hosts - remove non-error errors from fluentd_* roles - Use admin kubeconfig instead of openshift-client
author: Jason DeTiberus <jdetiber@redhat.com> 2015-05-22 13:13:17 -0400
committer: Jason DeTiberus <jdetiber@redhat.com> 2015-06-10 11:43:47 -0400
commit: 94a77cb1d81b6e4e316ae679890df4994816532f (patch)
tree: 3a77b836f726f2d972931ae777421888f67aa1ed /roles/openshift_master
parent: b57392ddd54bbff225ba83dd5a5bf40ea99344a4 (diff)
download: openshift-94a77cb1d81b6e4e316ae679890df4994816532f.tar.gz
openshift-94a77cb1d81b6e4e316ae679890df4994816532f.tar.bz2
openshift-94a77cb1d81b6e4e316ae679890df4994816532f.tar.xz
openshift-94a77cb1d81b6e4e316ae679890df4994816532f.zip
5 files changed, 271 insertions, 37 deletions
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index f243825b2..b718ab6d1 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -1,10 +1,16 @@
 ---
-# TODO: actually have api_port, api_use_ssl, console_port, console_use_ssl,
-# etcd_use_ssl actually change the master config.
+# TODO: add validation for openshift_master_identity_providers
+# TODO: add ability to configure certificates given either a local file to
+#       point to or certificate contents, set in default cert locations.
+
+- assert:
+    that:
+    - openshift_master_oauth_grant_method in openshift_master_valid_grant_methods
+  when: openshift_master_oauth_grant_method is defined
 
 - name: Set master OpenShift facts
   openshift_facts:
-    role: 'master'
+    role: master
     local_facts:
       debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level) }}"
       api_port: "{{ openshift_master_api_port | default(None) }}"
@@ -18,15 +24,32 @@
       public_console_url: "{{ openshift_master_public_console_url | default(None) }}"
       etcd_port: "{{ openshift_master_etcd_port | default(None) }}"
       etcd_use_ssl: "{{ openshift_master_etcd_use_ssl | default(None) }}"
+      etcd_urls: "{{ openshift_master_etcd_urls | default(None) }}"
+      embedded_etcd: "{{ openshift_master_embedded_etcd | default(None) }}"
+      embedded_kube: "{{ openshift_master_embedded_kube | default(None) }}"
+      embedded_dns: "{{ openshift_master_embedded_dns | default(None) }}"
+      dns_port: "{{ openshift_master_dns_port | default(None) }}"
+      bind_addr: "{{ openshift_master_bind_addr | default(None) }}"
       portal_net: "{{ openshift_master_portal_net | default(None) }}"
+      session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}"
+      session_name: "{{ openshift_master_session_name | default(None) }}"
+      session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}"
+      access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}"
+      auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}"
+      identity_providers: "{{ openshift_master_identity_providers | default(None) }}"
+      registry_url: "{{ oreg_url | default(None) }}"
+      oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}"
+      sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}"
+      sdn_host_subnet_length: "{{ osm_host_subnet_length | default(None) }}"
 
 # TODO: These values need to be configurable
 - name: Set dns OpenShift facts
   openshift_facts:
-    role: 'dns'
+    role: dns
     local_facts:
       ip: "{{ openshift.common.ip }}"
-      domain: local
+      domain: cluster.local
+  when: openshift.master.embedded_dns
 
 - name: Install OpenShift Master package
   yum: pkg=openshift-master state=installed
@@ -41,34 +64,53 @@
     path: "{{ openshift_master_config_dir }}"
     state: directory
 
-# TODO: should probably use a template lookup for this
-# TODO: should allow for setting --etcd, --kubernetes options
-# TODO: recreate config if values change
-- name: Use enterprise default for oreg_url if not set
-  set_fact:
-    oreg_url: "openshift3_beta/ose-${component}:${version}"
-  when: openshift.common.deployment_type == 'enterprise' and oreg_url is not defined
-
-- name: Use online default for oreg_url if not set
-  set_fact:
-    oreg_url: "docker-registry.ops.rhcloud.com/openshift3_beta/ose-${component}:${version}"
-  when: openshift.common.deployment_type == 'online' and oreg_url is not defined
+- name: Create the master certificates if they do not already exist
+  command: >
+    {{ openshift.common.admin_binary }} create-master-certs
+      --hostnames={{ openshift.common.hostname }},{{ openshift.common.public_hostname }}
+      --master={{ openshift.master.api_url }}
+      --public-master={{ openshift.master.public_api_url }}
+      --cert-dir={{ openshift_master_config_dir }} --overwrite=false
+  args:
+    creates: "{{ openshift_master_config_dir }}/master.server.key"
 
-# TODO: Need to get a flag added for volumes path, i think it'll get put in
-- name: Create master config
+- name: Create the policy file if it does not already exist
   command: >
-    /usr/bin/openshift start master
-    --write-config={{ openshift_master_config_dir }}
-    --portal-net={{ openshift.master.portal_net }}
-    --etcd-dir={{ openshift_data_dir }}/openshift.local.etcd
-    --master={{ openshift.master.api_url }}
-    --public-master={{ openshift.master.public_api_url }}
-    --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://0.0.0.0:{{ openshift.master.api_port }}
-    {{ ('--images=' ~ oreg_url) if (oreg_url | default('', true) != '') else '' }}
-    {{ ('--nodes=' ~ openshift_node_ips | join(',')) if (openshift_node_ips | default('', true) != '') else '' }}
+    {{ openshift.common.admin_binary }} create-bootstrap-policy-file
+      --filename={{ openshift_master_policy }}
   args:
-    chdir: "{{ openshift_master_config_dir }}"
-    creates: "{{ openshift_master_config_file }}"
+    creates: "{{ openshift_master_policy }}"
+  notify:
+  - restart openshift-master
+
+- name: Create the scheduler config
+  template:
+    dest: "{{ openshift_master_scheduler_conf }}"
+    src: scheduler.json.j2
+  notify:
+  - restart openshift-master
+
+- name: Install httpd-tools if needed
+  yum: pkg=httpd-tools state=installed
+  when: item.kind == 'HTPasswdPasswordIdentityProvider'
+  with_items: openshift.master.identity_providers
+
+- name: Create the htpasswd file if needed
+  copy:
+    dest: "{{ item.filename }}"
+    content: ""
+    mode: 0600
+    force: no
+  when: item.kind == 'HTPasswdPasswordIdentityProvider'
+  with_items: openshift.master.identity_providers
+
+# TODO: add the validate parameter when there is a validation command to run
+- name: Create master config
+  template:
+    dest: "{{ openshift_master_config_file }}"
+    src: master.yaml.v1.j2
+  notify:
+  - restart openshift-master
 
 - name: Configure OpenShift settings
   lineinfile:
@@ -79,7 +121,7 @@
     - regex: '^OPTIONS='
       line: "OPTIONS=--loglevel={{ openshift.master.debug_level }}"
     - regex: '^CONFIG_FILE='
-      line: "CONFIG_FILE={{ openshift_master_config_file}}"
+      line: "CONFIG_FILE={{ openshift_master_config_file }}"
   notify:
   - restart openshift-master
 
@@ -99,15 +141,15 @@
 
 # TODO: Update this file if the contents of the source file are not present in
 # the dest file, will need to make sure to ignore things that could be added
-- name: Create the OpenShift client config(s)
-  command: cp {{ openshift_master_config_dir }}/openshift-client.kubeconfig ~{{ item }}/.config/openshift/.config
+- name: Copy the OpenShift admin client config(s)
+  command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.config/openshift/.config
   args:
     creates: ~{{ item }}/.config/openshift/.config
   with_items:
   - root
   - "{{ ansible_ssh_user }}"
 
-- name: Update the permissions on the OpenShift client config(s)
+- name: Update the permissions on the OpenShift admin client config(s)
   file:
     path: "~{{ item }}/.config/openshift/.config"
     state: file
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
new file mode 100644
index 000000000..1c2d37b63
--- /dev/null
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -0,0 +1,98 @@
+apiVersion: v1
+assetConfig:
+  logoutURL: ""
+  masterPublicURL: {{ openshift.master.public_api_url }}
+  publicURL: {{ openshift.master.public_console_url }}/
+  servingInfo:
+    bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.console_port }}
+    certFile: master.server.crt
+    clientCA: ""
+    keyFile: master.server.key
+corsAllowedOrigins:
+{# TODO: add support for user specified corsAllowedOrigins #}
+{% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %}
+  - {{ origin }}
+{% endfor %}
+{% if openshift.master.embedded_dns %}
+dnsConfig:
+  bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.dns_port }}
+{% endif %}
+etcdClientInfo:
+  ca: ca.crt
+  certFile: master.etcd-client.crt
+  keyFile: master.etcd-client.key
+  urls:
+{% for etcd_url in openshift.master.etcd_urls %}
+    - {{ etcd_url }}
+{% endfor %}
+{% if openshift.master.embedded_etcd %}
+etcdConfig:
+  address: {{ openshift.common.hostname }}:{{ openshift.master.etcd_port }}
+  peerAddress: {{ openshift.common.hostname }}:7001
+  peerServingInfo:
+    bindAddress: {{ openshift.master.bind_addr }}:7001
+    certFile: etcd.server.crt
+    clientCA: ca.crt
+    keyFile: etcd.server.key
+  servingInfo:
+    bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.etcd_port }}
+    certFile: etcd.server.crt
+    clientCA: ca.crt
+    keyFile: etcd.server.key
+  storageDirectory: {{ openshift_data_dir }}/openshift.local.etcd
+{% endif %}
+etcdStorageConfig:
+  kubernetesStoragePrefix: kubernetes.io
+  kubernetesStorageVersion: v1beta3
+  kubernetesStoragePrefix: kubernetes.io
+  openShiftStorageVersion: v1beta3
+imageConfig:
+  format: {{ openshift.master.registry_url }}
+  latest: false
+kind: MasterConfig
+kubeletClientInfo:
+{# TODO: allow user specified kubelet port #}
+  ca: ca.crt
+  certFile: master.kubelet-client.crt
+  keyFile: master.kubelet-client.key
+  port: 10250
+{% if openshift.master.embedded_kube %}
+kubernetesMasterConfig:
+{# TODO: support overriding masterCount #}
+  masterCount: 1
+  masterIP: ""
+  schedulerConfigFile: {{ openshift_master_scheduler_conf }}
+  servicesSubnet: {{ openshift.master.portal_net }}
+  staticNodeNames: {{ openshift_node_ips | default([], true) }}
+{% endif %}
+masterClients:
+{# TODO: allow user to set externalKubernetesKubeConfig #}
+  deployerKubeConfig: openshift-deployer.kubeconfig
+  externalKubernetesKubeConfig: ""
+  openshiftLoopbackKubeConfig: openshift-client.kubeconfig
+masterPublicURL: {{ openshift.master.public_api_url }}
+networkConfig:
+  clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
+  hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }}
+  networkPluginName: {{ openshift.common.sdn_network_plugin_name }}
+{% include 'v1_partials/oauthConfig.j2' %}
+policyConfig:
+  bootstrapPolicyFile: {{ openshift_master_policy }}
+  openshiftSharedResourcesNamespace: openshift
+{# TODO: Allow users to override projectConfig items #}
+projectConfig:
+  defaultNodeSelector: ""
+  projectRequestMessage: ""
+  projectRequestTemplate: ""
+serviceAccountConfig:
+  managedNames:
+  - default
+  - builder
+  privateKeyFile: serviceaccounts.private.key
+  publicKeyFiles:
+  - serviceaccounts.public.key
+servingInfo:
+  bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.api_port }}
+  certFile: master.server.crt
+  clientCA: ca.crt
+  keyFile: master.server.key
diff --git a/roles/openshift_master/templates/scheduler.json.j2 b/roles/openshift_master/templates/scheduler.json.j2
new file mode 100644
index 000000000..833e7f3e1
--- /dev/null
+++ b/roles/openshift_master/templates/scheduler.json.j2
@@ -0,0 +1,12 @@
+{
+  "predicates": [
+    {"name": "PodFitsResources"},
+    {"name": "PodFitsPorts"},
+    {"name": "NoDiskConflict"},
+    {"name": "Region", "argument": {"serviceAffinity" : {"labels" : ["region"]}}}
+  ],"priorities": [
+    {"name": "LeastRequestedPriority", "weight": 1},
+    {"name": "ServiceSpreadingPriority", "weight": 1},
+    {"name": "Zone", "weight" : 2, "argument": {"serviceAntiAffinity" : {"label": "zone"}}}
+  ]
+}
diff --git a/roles/openshift_master/templates/v1_partials/oauthConfig.j2 b/roles/openshift_master/templates/v1_partials/oauthConfig.j2
new file mode 100644
index 000000000..f6fd88c65
--- /dev/null
+++ b/roles/openshift_master/templates/v1_partials/oauthConfig.j2
@@ -0,0 +1,78 @@
+{% macro identity_provider_config(identity_provider) %}
+      apiVersion: v1
+      kind: {{ identity_provider.kind }}
+{% if identity_provider.kind == 'HTPasswdPasswordIdentityProvider' %}
+      file: {{ identity_provider.filename }}
+{% elif identity_provider.kind == 'BasicAuthPasswordIdentityProvider' %}
+      url: {{ identity_provider.url }}
+{% for key in ('ca', 'certFile', 'keyFile') %}
+{% if key in identity_provider %}
+      {{ key }}: {{ identity_provider[key] }}"
+{% endif %}
+{% endfor %}
+{% elif identity_provider.kind == 'RequestHeaderIdentityProvider' %}
+      headers: {{ identity_provider.headers }}
+{% if 'clientCA' in identity_provider %}
+      clientCA: {{ identity_provider.clientCA }}
+{% endif %}
+{% elif identity_provider.kind == 'GitHubIdentityProvider' %}
+      clientID: {{ identity_provider.clientID }}
+      clientSecret: {{ identity_provider.clientSecret }}
+{% elif identity_provider.kind == 'GoogleIdentityProvider' %}
+      clientID: {{ identity_provider.clientID }}
+      clientSecret: {{ identity_provider.clientSecret }}
+{% if 'hostedDomain' in identity_provider %}
+      hostedDomain: {{ identity_provider.hostedDomain }}
+{% endif %}
+{% elif identity_provider.kind == 'OpenIDIdentityProvider' %}
+      clientID: {{ identity_provider.clientID }}
+      clientSecret: {{ identity_provider.clientSecret }}
+      claims:
+        id: identity_provider.claims.id
+{% for claim_key in ('preferredUsername', 'name', 'email') %}
+{% if claim_key in identity_provider.claims %}
+        {{ claim_key }}: {{ identity_provider.claims[claim_key] }}
+{% endif %}
+{% endfor %}
+      urls:
+        authorize: {{ identity_provider.urls.authorize }}
+        token: {{ identity_provider.urls.token }}
+{% if 'userInfo' in identity_provider.urls %}
+        userInfo: {{ identity_provider.userInfo }}
+{% endif %}
+{% if 'extraScopes' in identity_provider %}
+      extraScopes:
+{% for scope in identity_provider.extraScopes %}
+      - {{ scope }}
+{% endfor %}
+{% endif %}
+{% if 'extraAuthorizeParameters' in identity_provider %}
+      extraAuthorizeParameters:
+{% for param_key, param_value in identity_provider.extraAuthorizeParameters.iteritems() %}
+        {{ param_key }}: {{ param_value }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endmacro %}
+oauthConfig:
+  assetPublicURL: {{ openshift.master.public_console_url }}/
+  grantConfig:
+    method: {{ openshift.master.oauth_grant_method }}
+  identityProviders:
+{% for identity_provider in openshift.master.identity_providers %}
+  - name: {{ identity_provider.name }}
+    challenge: {{ identity_provider.challenge }}
+    login: {{ identity_provider.login }}
+    provider:
+{{ identity_provider_config(identity_provider) }}
+{%- endfor %}
+  masterPublicURL: {{ openshift.master.public_api_url }}
+  masterURL: {{ openshift.master.api_url }}
+  sessionConfig:
+    sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }}
+    sessionName: {{ openshift.master.session_name }}
+    sessionSecretsFile: {{ openshift.master.session_secrets_file }}
+  tokenConfig:
+    accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }}
+    authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }}
+{# Comment to preserve newline after authorizeTokenMaxAgeSeconds #}
diff --git a/roles/openshift_master/vars/main.yml b/roles/openshift_master/vars/main.yml
index 0739e2b44..f6f69966a 100644
--- a/roles/openshift_master/vars/main.yml
+++ b/roles/openshift_master/vars/main.yml
@@ -1,6 +1,10 @@
 ---
-openshift_data_dir: /var/lib/openshift
 openshift_master_config_dir: /etc/openshift/master
 openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml"
-openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
-openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json"
+openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json"
+
+openshift_master_valid_grant_methods:
+- auto
+- prompt
+- deny
author	Jason DeTiberus <jdetiber@redhat.com>	2015-05-22 13:13:17 -0400
committer	Jason DeTiberus <jdetiber@redhat.com>	2015-06-10 11:43:47 -0400
commit	94a77cb1d81b6e4e316ae679890df4994816532f (patch)
tree	3a77b836f726f2d972931ae777421888f67aa1ed /roles/openshift_master
parent	b57392ddd54bbff225ba83dd5a5bf40ea99344a4 (diff)
download	openshift-94a77cb1d81b6e4e316ae679890df4994816532f.tar.gz openshift-94a77cb1d81b6e4e316ae679890df4994816532f.tar.bz2 openshift-94a77cb1d81b6e4e316ae679890df4994816532f.tar.xz openshift-94a77cb1d81b6e4e316ae679890df4994816532f.zip