diff options
| author | Nick Bartos <flamingo@2thebatcave.com> | 2017-12-05 15:02:52 +1100 |
|---|---|---|
| committer | Nick Bartos <flamingo@2thebatcave.com> | 2018-01-08 07:44:35 +1100 |
| commit | 6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7 (patch) | |
| tree | 217ed334a99474d8307a65c75a4c864acbabf7d8 /roles | |
| parent | a5eee09d02120bb16d7f81d1b05982e1a69df4dc (diff) | |
| download | openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.tar.gz openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.tar.bz2 openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.tar.xz openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.zip | |
Contiv multi-master and other fixes
Contiv's etcd was not being deployed correctly when using more than
one master. To make it easier to manage, it has been moved into a
k8s container.
The api proxy was hardcoded to an old version (1.1.1), and in some
environments would run into a docker error. This has been moved into
a k8s container for easier management.
The firewall was too permissive on several ports. Many were open to
the world when they should have only been accessible inside the
cluster.
Many of the contiv role variables were not prefixed with 'contiv',
which may end up clobbering variables from another role. Now all the
contiv specific role variables start with 'contiv_'.
The api proxy's default self-signed certificate was bundled with the
role. This means someone with read-only MITM access and this key
could decrypt traffic. Granted a user defined certificate from a
trusted CA should be used in a production environment, it is still
better to generate one in each environment when one is not provided.
Diffstat (limited to 'roles')
50 files changed, 896 insertions, 565 deletions
diff --git a/roles/contiv/README.md b/roles/contiv/README.md index fa36039d9..ce414f9fb 100644 --- a/roles/contiv/README.md +++ b/roles/contiv/README.md @@ -19,8 +19,8 @@ Install Contiv components (netmaster, netplugin, contiv_etcd) on Master and Mini * ``openshift_use_contiv=True`` * ``openshift_use_openshift_sdn=False`` * ``os_sdn_network_plugin_name='cni'`` -* ``netmaster_interface=eth0`` -* ``netplugin_interface=eth1`` +* ``contiv_netmaster_interface=eth0`` +* ``contiv_netplugin_interface=eth1`` * ref. Openshift docs Contiv section for more details ## Example bare metal deployment of Openshift + Contiv diff --git a/roles/contiv/defaults/main.yml b/roles/contiv/defaults/main.yml index 0825af8a5..c029fee15 100644 --- a/roles/contiv/defaults/main.yml +++ b/roles/contiv/defaults/main.yml @@ -3,49 +3,57 @@ contiv_version: 1.1.1 # The version of cni binaries -cni_version: v0.4.0 +contiv_cni_version: v0.4.0 + +# If the node we are deploying to is to be a contiv master. +contiv_master: false contiv_default_subnet: "10.128.0.0/16" contiv_default_gw: "10.128.254.254" -# TCP port that Netmaster listens for network connections -netmaster_port: 9999 -# Default for contiv_role -contiv_role: netmaster +# Ports netmaster listens on +contiv_netmaster_port: 9999 +contiv_netmaster_port_proto: tcp +contiv_ofnet_master_port: 9001 +contiv_ofnet_master_port_proto: tcp +# Ports netplugin listens on +contiv_netplugin_port: 6640 +contiv_netplugin_port_proto: tcp +contiv_ofnet_vxlan_port: 9002 +contiv_ofnet_vxlan_port_proto: tcp +contiv_ovs_port: 9003 +contiv_ovs_port_proto: tcp -# TCP port that Netplugin listens for network connections -netplugin_port: 6640 -contiv_rpc_port1: 9001 -contiv_rpc_port2: 9002 -contiv_rpc_port3: 9003 +contiv_vxlan_port: 4789 +contiv_vxlan_port_proto: udp # Interface used by Netplugin for inter-host traffic when encap_mode is vlan. # The interface must support 802.1Q trunking. -netplugin_interface: "eno16780032" +contiv_netplugin_interface: "eno16780032" # IP address of the interface used for control communication within the cluster # It needs to be reachable from all nodes in the cluster. -netplugin_ctrl_ip: "{{ hostvars[inventory_hostname]['ansible_' + netplugin_interface].ipv4.address }}" +contiv_netplugin_ctrl_ip: "{{ hostvars[inventory_hostname]['ansible_' + contiv_netplugin_interface].ipv4.address }}" # IP used to terminate vxlan tunnels -netplugin_vtep_ip: "{{ hostvars[inventory_hostname]['ansible_' + netplugin_interface].ipv4.address }}" +contiv_netplugin_vtep_ip: "{{ hostvars[inventory_hostname]['ansible_' + contiv_netplugin_interface].ipv4.address }}" # Interface used to bind Netmaster service -netmaster_interface: "{{ netplugin_interface }}" +contiv_netmaster_interface: "{{ contiv_netplugin_interface }}" # Path to the contiv binaries -bin_dir: /usr/bin +contiv_bin_dir: /usr/bin # Path to the contivk8s cni binary -cni_bin_dir: /opt/cni/bin +contiv_cni_bin_dir: /opt/cni/bin # Path to cni archive download directory -cni_download_dir: /tmp +contiv_cni_download_dir: /tmp # URL for cni binaries -cni_bin_url_base: "https://github.com/containernetworking/cni/releases/download/" -cni_bin_url: "{{ cni_bin_url_base }}/{{ cni_version }}/cni-{{ cni_version }}.tbz2" +contiv_cni_bin_url_base: "https://github.com/containernetworking/cni/releases/download/" +contiv_cni_bin_url: "{{ contiv_cni_bin_url_base }}/{{ contiv_cni_version }}/cni-{{ contiv_cni_version }}.tbz2" # Contiv config directory @@ -60,11 +68,11 @@ contiv_download_url_base: "https://github.com/contiv/netplugin/releases/download contiv_download_url: "{{ contiv_download_url_base }}/{{ contiv_version }}/netplugin-{{ contiv_version }}.tar.bz2" # This is where kubelet looks for plugin files -kube_plugin_dir: /usr/libexec/kubernetes/kubelet-plugins/net/exec +contiv_kube_plugin_dir: /usr/libexec/kubernetes/kubelet-plugins/net/exec # Specifies routed mode vs bridged mode for networking (bridge | routing) # if you are using an external router for all routing, you should select bridge here -netplugin_fwd_mode: bridge +contiv_netplugin_fwd_mode: bridge # Contiv fabric mode aci|default contiv_fabric_mode: default @@ -76,7 +84,7 @@ contiv_vlan_range: "2900-3000" contiv_encap_mode: vlan # Backend used by Netplugin for instantiating container networks -netplugin_driver: ovs +contiv_netplugin_driver: ovs # Create a default Contiv network for use by pods contiv_default_network: true @@ -85,38 +93,79 @@ contiv_default_network: true contiv_default_network_tag: "" #SRFIXME (use the openshift variables) -https_proxy: "" -http_proxy: "" -no_proxy: "" +contiv_https_proxy: "" +contiv_http_proxy: "" +contiv_no_proxy: "" # The following are aci specific parameters when contiv_fabric_mode: aci is set. # Otherwise, you can ignore these. -apic_url: "" -apic_username: "" -apic_password: "" -apic_leaf_nodes: "" -apic_phys_dom: "" -apic_contracts_unrestricted_mode: no -apic_epg_bridge_domain: not_specified +contiv_apic_url: "" +contiv_apic_username: "" +contiv_apic_password: "" +contiv_apic_leaf_nodes: "" +contiv_apic_phys_dom: "" +contiv_apic_contracts_unrestricted_mode: no +contiv_apic_epg_bridge_domain: not_specified apic_configure_default_policy: false -apic_default_external_contract: "uni/tn-common/brc-default" -apic_default_app_profile: "contiv-infra-app-profile" -kube_cert_dir: "/data/src/github.com/openshift/origin/openshift.local.config/master" -master_name: "{{ groups['masters'][0] }}" -contiv_etcd_port: 22379 -etcd_url: "{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ contiv_etcd_port }}" -kube_ca_cert: "{{ kube_cert_dir }}/ca.crt" -kube_key: "{{ kube_cert_dir }}/admin.key" -kube_cert: "{{ kube_cert_dir }}/admin.crt" -kube_master_api_port: 8443 +contiv_apic_default_external_contract: "uni/tn-common/brc-default" +contiv_apic_default_app_profile: "contiv-infra-app-profile" +contiv_kube_cert_dir: "/data/src/github.com/openshift/origin/openshift.local.config/master" +contiv_kube_ca_cert: "{{ contiv_kube_cert_dir }}/ca.crt" +contiv_kube_key: "{{ contiv_kube_cert_dir }}/admin.key" +contiv_kube_cert: "{{ contiv_kube_cert_dir }}/admin.crt" +contiv_kube_master_api_port: 8443 +contiv_kube_master_api_port_proto: tcp # contivh1 default subnet and gateway -#contiv_h1_subnet_default: "132.1.1.0/24" -#contiv_h1_gw_default: "132.1.1.1" contiv_h1_subnet_default: "10.129.0.0/16" contiv_h1_gw_default: "10.129.0.1" # contiv default private subnet for ext access contiv_private_ext_subnet: "10.130.0.0/16" -openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}" +contiv_openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}" + +contiv_api_proxy_port: 10000 +contiv_api_proxy_port_proto: tcp +contiv_api_proxy_image_repo: contiv/auth_proxy + +contiv_etcd_system_user: contivetcd +contiv_etcd_system_uid: 823 +contiv_etcd_system_group: contivetcd +contiv_etcd_system_gid: 823 +contiv_etcd_port: 22379 +contiv_etcd_port_proto: tcp +contiv_etcd_peer_port: 22380 +contiv_etcd_peer_port_proto: tcp +contiv_etcd_url: "etcd://127.0.0.1:{{ contiv_etcd_port }}" +contiv_etcd_init_image_repo: ferest/etcd-initer +contiv_etcd_init_image_tag: latest +contiv_etcd_image_repo: quay.io/coreos/etcd +contiv_etcd_image_tag: v3.2.4 +contiv_etcd_conf_dir: /etc/contiv-etcd +contiv_etcd_data_dir: /var/lib/contiv-etcd +contiv_etcd_peers: |- + {% for host in groups.oo_masters_to_config -%} + {{ host }}=http://{{ hostvars[host]['ip'] | default(hostvars[host].ansible_default_ipv4['address']) }}:{{ contiv_etcd_peer_port }}{% if not loop.last %},{% endif %} + {%- endfor %} + +# List of port/protocol pairs to allow inbound access to on every host +# netplugin runs on, from all host IPs in the cluster. +contiv_netplugin_internal: [ "{{ contiv_ofnet_vxlan_port }}/{{ contiv_ofnet_vxlan_port_proto }}", + "{{ contiv_ovs_port }}/{{ contiv_ovs_port_proto }}", + "{{ contiv_vxlan_port }}/{{ contiv_vxlan_port_proto }}" ] +# Allow all forwarded traffic in and out of these interfaces. +contiv_netplugin_forward_interfaces: [ contivh0, contivh1 ] + +# List of port/protocol pairs to allow inbound access to on every host +# netmaster runs on, from all host IPs in the cluster. Note that every host +# that runs netmaster also runs netplugin, so the above netplugin rules will +# apply as well. +contiv_netmaster_internal: [ "{{ contiv_ofnet_master_port }}/{{ contiv_ofnet_master_port_proto }}", + "{{ contiv_netmaster_port }}/{{ contiv_netmaster_port_proto }}", + "{{ contiv_etcd_port }}/{{ contiv_etcd_port_proto }}", + "{{ contiv_etcd_peer_port }}/{{ contiv_etcd_peer_port_proto }}", + "{{ contiv_kube_master_api_port }}/{{ contiv_kube_master_api_port_proto }}" ] +# List of port/protocol pairs to allow inbound access to on every host +# netmaster runs on, from any host anywhere. +contiv_netmaster_external: [ "{{ contiv_api_proxy_port }}/{{ contiv_api_proxy_port_proto }}" ] diff --git a/roles/contiv/meta/main.yml b/roles/contiv/meta/main.yml index 67fb23db8..e8607cc90 100644 --- a/roles/contiv/meta/main.yml +++ b/roles/contiv/meta/main.yml @@ -15,17 +15,3 @@ galaxy_info: dependencies: - role: lib_utils - role: contiv_facts -- role: etcd - etcd_service: contiv-etcd - etcd_is_thirdparty: True - etcd_peer_port: 22380 - etcd_client_port: 22379 - etcd_conf_dir: /etc/contiv-etcd/ - etcd_data_dir: /var/lib/contiv-etcd/ - etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" - etcd_cert_config_dir: /etc/contiv-etcd/ - etcd_url_scheme: http - etcd_peer_url_scheme: http - when: contiv_role == "netmaster" -- role: contiv_auth_proxy - when: contiv_role == "netmaster" diff --git a/roles/contiv/tasks/aci.yml b/roles/contiv/tasks/aci.yml index 30d2eb339..8a56b3590 100644 --- a/roles/contiv/tasks/aci.yml +++ b/roles/contiv/tasks/aci.yml @@ -11,7 +11,7 @@ - name: ACI | Copy shell script used by aci-gw service template: src: aci_gw.j2 - dest: "{{ bin_dir }}/aci_gw.sh" + dest: "{{ contiv_bin_dir }}/aci_gw.sh" mode: u=rwx,g=rx,o=rx - name: ACI | Copy systemd units for aci-gw diff --git a/roles/contiv/tasks/api_proxy.yml b/roles/contiv/tasks/api_proxy.yml new file mode 100644 index 000000000..8b524dd6e --- /dev/null +++ b/roles/contiv/tasks/api_proxy.yml @@ -0,0 +1,120 @@ +--- +- name: API proxy | Create contiv-api-proxy openshift user + oc_serviceaccount: + state: present + name: contiv-api-proxy + namespace: kube-system + run_once: true + +- name: API proxy | Set contiv-api-proxy openshift user permissions + oc_adm_policy_user: + user: system:serviceaccount:kube-system:contiv-api-proxy + resource_kind: scc + resource_name: hostnetwork + state: present + run_once: true + +- name: API proxy | Create temp directory for doing work + command: mktemp -d /tmp/openshift-contiv-XXXXXX + register: mktemp + changed_when: False + # For things that pass temp files between steps, we want to make sure they + # run on the same node. + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Check for existing api proxy secret volume + oc_obj: + namespace: kube-system + kind: secret + state: list + selector: "name=contiv-api-proxy-secret" + register: existing_secret_volume + run_once: true + +- name: API proxy | Generate a self signed certificate for api proxy + command: openssl req -new -nodes -x509 -subj "/C=US/ST=/L=/O=/CN=localhost" -days 3650 -keyout "{{ mktemp.stdout }}/key.pem" -out "{{ mktemp.stdout }}/cert.pem" -extensions v3_ca + when: (contiv_api_proxy_cert is not defined or contiv_api_proxy_key is not defined) + and not existing_secret_volume.results.results[0]['items'] + register: created_self_signed_cert + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Read self signed certificate file + command: cat "{{ mktemp.stdout }}/cert.pem" + register: generated_cert + when: created_self_signed_cert.changed + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Read self signed key file + command: cat "{{ mktemp.stdout }}/key.pem" + register: generated_key + when: created_self_signed_cert.changed + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Create api-proxy-secrets.yml from template using generated cert + template: + src: api-proxy-secrets.yml.j2 + dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml" + vars: + key: "{{ generated_key.stdout }}" + cert: "{{ generated_cert.stdout }}" + when: created_self_signed_cert.changed + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Create api-proxy-secrets.yml from template using user defined cert + template: + src: api-proxy-secrets.yml.j2 + dest: "{{ mktemp.stdout }}/api-proxy-secrets.yml" + vars: + key: "{{ lookup('file', contiv_api_proxy_key) }}" + cert: "{{ lookup('file', contiv_api_proxy_cert) }}" + when: contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Create secret certificate volume + oc_obj: + state: present + namespace: "kube-system" + kind: secret + name: contiv-api-proxy-secret + files: + - "{{ mktemp.stdout }}/api-proxy-secrets.yml" + when: (contiv_api_proxy_cert is defined and contiv_api_proxy_key is defined) + or created_self_signed_cert.changed + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Create api-proxy-daemonset.yml from template + template: + src: api-proxy-daemonset.yml.j2 + dest: "{{ mktemp.stdout }}/api-proxy-daemonset.yml" + vars: + etcd_host: "etcd://{{ groups.oo_etcd_to_config.0 }}:{{ contiv_etcd_port }}" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +# Always "import" this file, k8s won't do anything if it matches exactly what +# is already in the cluster. +- name: API proxy | Add API proxy daemonset + oc_obj: + state: present + namespace: "kube-system" + kind: daemonset + name: contiv-api-proxy + files: + - "{{ mktemp.stdout }}/api-proxy-daemonset.yml" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: API proxy | Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true diff --git a/roles/contiv/tasks/default_network.yml b/roles/contiv/tasks/default_network.yml index 8a928ea54..e9763d34a 100644 --- a/roles/contiv/tasks/default_network.yml +++ b/roles/contiv/tasks/default_network.yml @@ -1,71 +1,71 @@ --- -- name: Contiv | Wait for netmaster - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" tenant ls' +- name: Default network | Wait for netmaster + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" tenant ls' register: tenant_result until: tenant_result.stdout.find("default") != -1 retries: 9 delay: 10 -- name: Contiv | Set globals - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --fabric-mode {{ contiv_fabric_mode }} --vlan-range {{ contiv_vlan_range }} --fwd-mode {{ netplugin_fwd_mode }} --private-subnet {{ contiv_private_ext_subnet }}' +- name: Default network | Set globals + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" global set --fabric-mode {{ contiv_fabric_mode }} --vlan-range {{ contiv_vlan_range }} --fwd-mode {{ contiv_netplugin_fwd_mode }} --private-subnet {{ contiv_private_ext_subnet }}' run_once: true -- name: Contiv | Set arp mode to flood if ACI - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --arp-mode flood' +- name: Default network | Set arp mode to flood if ACI + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" global set --arp-mode flood' when: contiv_fabric_mode == "aci" run_once: true -- name: Contiv | Check if default-net exists - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net ls' +- name: Default network | Check if default-net exists + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" net ls' register: net_result run_once: true -- name: Contiv | Create default-net - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway {{ contiv_default_gw }} default-net' +- name: Default network | Create default-net + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway {{ contiv_default_gw }} default-net' when: net_result.stdout.find("default-net") == -1 run_once: true -- name: Contiv | Create host access infra network for VxLan routing case - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_h1_subnet_default }} --gateway={{ contiv_h1_gw_default }} --nw-type="infra" contivh1' - when: (contiv_encap_mode == "vxlan") and (netplugin_fwd_mode == "routing") +- name: Default network | Create host access infra network for VxLan routing case + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" net create --subnet={{ contiv_h1_subnet_default }} --gateway={{ contiv_h1_gw_default }} --nw-type="infra" contivh1' + when: (contiv_encap_mode == "vxlan") and (contiv_netplugin_fwd_mode == "routing") run_once: true -#- name: Contiv | Create an allow-all policy for the default-group -# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy create ose-allow-all-policy' +#- name: Default network | Create an allow-all policy for the default-group +# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" policy create ose-allow-all-policy' # when: contiv_fabric_mode == "aci" # run_once: true -- name: Contiv | Set up aci external contract to consume default external contract - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -c -a {{ apic_default_external_contract }} oseExtToConsume' +- name: Default network | Set up aci external contract to consume default external contract + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" external-contracts create -c -a {{ contiv_apic_default_external_contract }} oseExtToConsume' when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true) run_once: true -- name: Contiv | Set up aci external contract to provide default external contract - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -p -a {{ apic_default_external_contract }} oseExtToProvide' +- name: Default network | Set up aci external contract to provide default external contract + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" external-contracts create -p -a {{ contiv_apic_default_external_contract }} oseExtToProvide' when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true) run_once: true -- name: Contiv | Create aci default-group - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create default-net default-group' +- name: Default network | Create aci default-group + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" group create default-net default-group' when: contiv_fabric_mode == "aci" run_once: true -- name: Contiv | Add external contracts to the default-group - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create -e oseExtToConsume -e oseExtToProvide default-net default-group' +- name: Default network | Add external contracts to the default-group + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" group create -e oseExtToConsume -e oseExtToProvide default-net default-group' when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true) run_once: true -#- name: Contiv | Add policy rule 1 for allow-all policy -# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d in --action allow ose-allow-all-policy 1' +#- name: Default network | Add policy rule 1 for allow-all policy +# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" policy rule-add -d in --action allow ose-allow-all-policy 1' # when: contiv_fabric_mode == "aci" # run_once: true -#- name: Contiv | Add policy rule 2 for allow-all policy -# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d out --action allow ose-allow-all-policy 2' +#- name: Default network | Add policy rule 2 for allow-all policy +# command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" policy rule-add -d out --action allow ose-allow-all-policy 2' # when: contiv_fabric_mode == "aci" # run_once: true -- name: Contiv | Create default aci app profile - command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" app-profile create -g default-group {{ apic_default_app_profile }}' +- name: Default network | Create default aci app profile + command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ contiv_netmaster_port }}" app-profile create -g default-group {{ contiv_apic_default_app_profile }}' when: contiv_fabric_mode == "aci" run_once: true diff --git a/roles/contiv/tasks/download_bins.yml b/roles/contiv/tasks/download_bins.yml index 831fd360a..47d74da9c 100644 --- a/roles/contiv/tasks/download_bins.yml +++ b/roles/contiv/tasks/download_bins.yml @@ -4,7 +4,7 @@ path: "{{ contiv_current_release_directory }}" state: directory -- name: Install bzip2 +- name: Download Bins | Install bzip2 yum: name: bzip2 state: installed @@ -18,9 +18,9 @@ mode: 0755 validate_certs: False environment: - http_proxy: "{{ http_proxy|default('') }}" - https_proxy: "{{ https_proxy|default('') }}" - no_proxy: "{{ no_proxy|default('') }}" + http_proxy: "{{ contiv_http_proxy|default('') }}" + https_proxy: "{{ contiv_https_proxy|default('') }}" + no_proxy: "{{ contiv_no_proxy|default('') }}" - name: Download Bins | Extract Contiv tar file unarchive: @@ -30,19 +30,19 @@ - name: Download Bins | Download cni tar file get_url: - url: "{{ cni_bin_url }}" - dest: "{{ cni_download_dir }}" + url: "{{ contiv_cni_bin_url }}" + dest: "{{ contiv_cni_download_dir }}" mode: 0755 validate_certs: False environment: - http_proxy: "{{ http_proxy|default('') }}" - https_proxy: "{{ https_proxy|default('') }}" - no_proxy: "{{ no_proxy|default('') }}" + http_proxy: "{{ contiv_http_proxy|default('') }}" + https_proxy: "{{ contiv_https_proxy|default('') }}" + no_proxy: "{{ contiv_no_proxy|default('') }}" register: download_file - name: Download Bins | Extract cni tar file unarchive: src: "{{ download_file.dest }}" - dest: "{{ cni_download_dir }}" + dest: "{{ contiv_cni_download_dir }}" copy: no when: download_file.changed diff --git a/roles/contiv/tasks/etcd.yml b/roles/contiv/tasks/etcd.yml new file mode 100644 index 000000000..b08ead982 --- /dev/null +++ b/roles/contiv/tasks/etcd.yml @@ -0,0 +1,114 @@ +--- +# To run contiv-etcd in a container as non-root, we need to match the uid/gid +# with the filesystem permissions on the host. +- name: Contiv etcd | Create local unix group + group: + name: "{{ contiv_etcd_system_group }}" + gid: "{{ contiv_etcd_system_gid }}" + system: yes + +- name: Contiv etcd | Create local unix user + user: + name: "{{ contiv_etcd_system_user }}" + createhome: no + uid: "{{ contiv_etcd_system_uid }}" + group: "{{ contiv_etcd_system_group }}" + home: "{{ contiv_etcd_data_dir }}" + shell: /bin/false + system: yes + +- name: Contiv etcd | Create directories + file: + path: "{{ item }}" + state: directory + mode: g-rwx,o-rwx + owner: "{{ contiv_etcd_system_user }}" + group: "{{ contiv_etcd_system_group }}" + setype: svirt_sandbox_file_t + seuser: system_u + serole: object_r + selevel: s0 + recurse: yes + with_items: + - "{{ contiv_etcd_data_dir }}" + - "{{ contiv_etcd_conf_dir }}" + +- name: Contiv etcd | Create contiv-etcd openshift user + oc_serviceaccount: + state: present + name: contiv-etcd + namespace: kube-system + run_once: true + +- name: Contiv etcd | Create temp directory for doing work + command: mktemp -d /tmp/openshift-contiv-XXXXXX + register: mktemp + changed_when: False + # For things that pass temp files between steps, we want to make sure they + # run on the same node. + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: Contiv etcd | Create etcd-scc.yml from template + template: + src: etcd-scc.yml.j2 + dest: "{{ mktemp.stdout }}/etcd-scc.yml" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: Contiv etcd | Create etcd.yml from template + template: + src: etcd-daemonset.yml.j2 + dest: "{{ mktemp.stdout }}/etcd-daemonset.yml" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: Contiv etcd | Create etcd-proxy.yml from template + template: + src: etcd-proxy-daemonset.yml.j2 + dest: "{{ mktemp.stdout }}/etcd-proxy-daemonset.yml" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: Contiv etcd | Add etcd scc + oc_obj: + state: present + namespace: "kube-system" + kind: SecurityContextConstraints + name: contiv-etcd + files: + - "{{ mktemp.stdout }}/etcd-scc.yml" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +# Always "import" this file, k8s won't do anything if it matches exactly what +# is already in the cluster. +- name: Contiv etcd | Add etcd daemonset + oc_obj: + state: present + namespace: "kube-system" + kind: daemonset + name: contiv-etcd + files: + - "{{ mktemp.stdout }}/etcd-daemonset.yml" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: Contiv etcd | Add etcd-proxy daemonset + oc_obj: + state: present + namespace: "kube-system" + kind: daemonset + name: contiv-etcd-proxy + files: + - "{{ mktemp.stdout }}/etcd-proxy-daemonset.yml" + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true + +- name: Contiv etcd | Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False + delegate_to: "{{ groups.oo_masters_to_config.0 }}" + run_once: true diff --git a/roles/contiv/tasks/main.yml b/roles/contiv/tasks/main.yml index cb9196a71..4d530ae90 100644 --- a/roles/contiv/tasks/main.yml +++ b/roles/contiv/tasks/main.yml @@ -1,14 +1,15 @@ --- -- name: Ensure bin_dir exists +- include_tasks: old_version_cleanup.yml + +- name: Ensure contiv_bin_dir exists file: - path: "{{ bin_dir }}" + path: "{{ contiv_bin_dir }}" recurse: yes state: directory - include_tasks: download_bins.yml - include_tasks: netmaster.yml - when: contiv_role == "netmaster" + when: contiv_master - include_tasks: netplugin.yml - when: contiv_role == "netplugin" diff --git a/roles/contiv/tasks/netmaster.yml b/roles/contiv/tasks/netmaster.yml index 6f15af8c2..83203bc2e 100644 --- a/roles/contiv/tasks/netmaster.yml +++ b/roles/contiv/tasks/netmaster.yml @@ -1,34 +1,16 @@ --- - include_tasks: netmaster_firewalld.yml - when: has_firewalld + when: contiv_has_firewalld - include_tasks: netmaster_iptables.yml - when: not has_firewalld and has_iptables + when: not contiv_has_firewalld and contiv_has_iptables -- name: Netmaster | Check is /etc/hosts file exists - stat: - path: /etc/hosts - register: hosts - -- name: Netmaster | Create hosts file if it is not present - file: - path: /etc/hosts - state: touch - when: not hosts.stat.exists - -- name: Netmaster | Build hosts file - lineinfile: - dest: /etc/hosts - regexp: .*netmaster$ - line: "{{ hostvars[item]['ansible_' + netmaster_interface].ipv4.address }} netmaster" - state: present - when: hostvars[item]['ansible_' + netmaster_interface].ipv4.address is defined - with_items: "{{ groups['masters'] }}" +- include_tasks: etcd.yml - name: Netmaster | Create netmaster symlinks file: src: "{{ contiv_current_release_directory }}/{{ item }}" - dest: "{{ bin_dir }}/{{ item }}" + dest: "{{ contiv_bin_dir }}/{{ item }}" state: link with_items: - netmaster @@ -75,3 +57,5 @@ - include_tasks: default_network.yml when: contiv_default_network == true + +- include_tasks: api_proxy.yml diff --git a/roles/contiv/tasks/netmaster_firewalld.yml b/roles/contiv/tasks/netmaster_firewalld.yml index 2975351ac..0d52f821d 100644 --- a/roles/contiv/tasks/netmaster_firewalld.yml +++ b/roles/contiv/tasks/netmaster_firewalld.yml @@ -1,16 +1,17 @@ --- -- name: Netmaster Firewalld | Open Netmaster port +- name: Netmaster Firewalld | Add internal rules firewalld: - port: "{{ netmaster_port }}/tcp" - permanent: false - state: enabled - # in case this is also a node where firewalld turned off - ignore_errors: yes + immediate: true + permanent: true + port: "{{ item[0] }}" + source: "{{ item[1] }}" + with_nested: + - "{{ contiv_netmaster_internal }}" + - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}" -- name: Netmaster Firewalld | Save Netmaster port +- name: Netmaster Firewalld | Add external rules firewalld: - port: "{{ netmaster_port }}/tcp" + immediate: true permanent: true - state: enabled - # in case this is also a node where firewalld turned off - ignore_errors: yes + port: "{{ item }}" + with_items: "{{ contiv_netmaster_external }}" diff --git a/roles/contiv/tasks/netmaster_iptables.yml b/roles/contiv/tasks/netmaster_iptables.yml index c98e7b6a5..3b68ea0c3 100644 --- a/roles/contiv/tasks/netmaster_iptables.yml +++ b/roles/contiv/tasks/netmaster_iptables.yml @@ -1,27 +1,32 @@ --- -- name: Netmaster IPtables | Get iptables rules - command: iptables -L --wait - register: iptablesrules - check_mode: no - -- name: Netmaster IPtables | Enable iptables at boot - service: - name: iptables - enabled: yes - state: started - -- name: Netmaster IPtables | Open Netmaster with iptables - command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv" - with_items: - - "{{ contiv_rpc_port1 }}" - - "{{ contiv_rpc_port2 }}" - - "{{ contiv_rpc_port3 }}" - when: iptablesrules.stdout.find("contiv") == -1 +- name: Netmaster IPtables | Add internal rules + iptables: + action: insert + chain: INPUT + # Parsed from the contiv_netmaster_internal list, this will be tcp or udp. + protocol: "{{ item[0].split('/')[1] }}" + match: "{{ item[0].split('/')[1] }}" + # Parsed from the contiv_netmaster_internal list, this will be a port number. + destination_port: "{{ item[0].split('/')[0] }}" + # This is an IP address from a node in the cluster. + source: "{{ item[1] }}" + jump: ACCEPT + comment: contiv + with_nested: + - "{{ contiv_netmaster_internal }}" + - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}" notify: Save iptables rules -- name: Netmaster IPtables | Open netmaster main port - command: /sbin/iptables -I INPUT 1 -p tcp -s {{ item }} --dport {{ netmaster_port }} -j ACCEPT -m comment --comment "contiv" - with_items: - - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + netmaster_interface].ipv4.address)|list }}" - when: iptablesrules.stdout.find("contiv") == -1 +- name: Netmaster IPtables | Add external rules + iptables: + action: insert + chain: INPUT + # Parsed from the contiv_netmaster_external list, this will be tcp or udp. + protocol: "{{ item.split('/')[1] }}" + match: "{{ item.split('/')[1] }}" + # Parsed from the contiv_netmaster_external list, this will be a port number. + destination_port: "{{ item.split('/')[0] }}" + jump: ACCEPT + comment: contiv + with_items: "{{ contiv_netmaster_external }}" notify: Save iptables rules diff --git a/roles/contiv/tasks/netplugin.yml b/roles/contiv/tasks/netplugin.yml index 540f6e4bc..60f432202 100644 --- a/roles/contiv/tasks/netplugin.yml +++ b/roles/contiv/tasks/netplugin.yml @@ -1,9 +1,9 @@ --- - include_tasks: netplugin_firewalld.yml - when: has_firewalld + when: contiv_has_firewalld - include_tasks: netplugin_iptables.yml - when: has_iptables + when: not contiv_has_firewalld and contiv_has_iptables - name: Netplugin | Ensure localhost entry correct in /etc/hosts lineinfile: @@ -20,41 +20,40 @@ state: absent - include_tasks: ovs.yml - when: netplugin_driver == "ovs" + when: contiv_netplugin_driver == "ovs" - name: Netplugin | Create Netplugin bin symlink file: src: "{{ contiv_current_release_directory }}/netplugin" - dest: "{{ bin_dir }}/netplugin" + dest: "{{ contiv_bin_dir }}/netplugin" state: link - -- name: Netplugin | Ensure cni_bin_dir exists +- name: Netplugin | Ensure contiv_cni_bin_dir exists file: - path: "{{ cni_bin_dir }}" + path: "{{ contiv_cni_bin_dir }}" recurse: yes state: directory - name: Netplugin | Create CNI bin symlink file: src: "{{ contiv_current_release_directory }}/contivk8s" - dest: "{{ cni_bin_dir }}/contivk8s" + dest: "{{ contiv_cni_bin_dir }}/contivk8s" state: link - name: Netplugin | Copy CNI loopback bin copy: - src: "{{ cni_download_dir }}/loopback" - dest: "{{ cni_bin_dir }}/loopback" + src: "{{ contiv_cni_download_dir }}/loopback" + dest: "{{ contiv_cni_bin_dir }}/loopback" remote_src: True mode: 0755 -- name: Netplugin | Ensure kube_plugin_dir and cni/net.d directories exist +- name: Netplugin | Ensure contiv_kube_plugin_dir and cni/net.d directories exist file: path: "{{ item }}" recurse: yes state: directory with_items: - - "{{ kube_plugin_dir }}" + - "{{ contiv_kube_plugin_dir }}" - "/etc/cni/net.d" - name: Netplugin | Ensure contiv_config_dir exists @@ -68,7 +67,7 @@ src: contiv_cni.conf dest: "{{ item }}" with_items: - - "{{ kube_plugin_dir }}/contiv_cni.conf" + - "{{ contiv_kube_plugin_dir }}/contiv_cni.conf" - "/etc/cni/net.d" # notify: restart kubelet @@ -85,11 +84,11 @@ mode: 0644 notify: restart netplugin -- name: Docker | Make sure proxy setting exists +- name: Netplugin | Make sure docker proxy setting exists lineinfile: dest: /etc/sysconfig/docker-network regexp: '^https_proxy.*' - line: 'https_proxy={{ https_proxy }}' + line: 'https_proxy={{ contiv_https_proxy }}' state: present register: docker_updated @@ -103,9 +102,9 @@ command: systemctl daemon-reload when: docker_updated is changed -- name: Docker | Restart docker +- name: Netplugin | Restart docker service: - name: "{{ openshift_docker_service_name }}" + name: "{{ contiv_openshift_docker_service_name }}" state: restarted when: docker_updated is changed register: l_docker_restart_docker_in_contiv_result diff --git a/roles/contiv/tasks/netplugin_firewalld.yml b/roles/contiv/tasks/netplugin_firewalld.yml index 3aeffae56..5ac531ec6 100644 --- a/roles/contiv/tasks/netplugin_firewalld.yml +++ b/roles/contiv/tasks/netplugin_firewalld.yml @@ -1,34 +1,17 @@ --- -- name: Netplugin Firewalld | Open Netplugin port +- name: Netplugin Firewalld | Add internal rules firewalld: - port: "{{ netplugin_port }}/tcp" - permanent: false - state: enabled - # in case this is also a node where firewalld turned off - ignore_errors: yes - -- name: Netplugin Firewalld | Save Netplugin port - firewalld: - port: "{{ netplugin_port }}/tcp" + immediate: true permanent: true - state: enabled - # in case this is also a node where firewalld turned off - ignore_errors: yes - -- name: Netplugin Firewalld | Open vxlan port - firewalld: - port: "8472/udp" - permanent: false - state: enabled - # in case this is also a node where firewalld turned off - ignore_errors: yes - when: contiv_encap_mode == "vxlan" + port: "{{ item[0] }}" + source: "{{ item[1] }}" + with_nested: + - "{{ contiv_netplugin_internal }}" + - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}" -- name: Netplugin Firewalld | Save firewalld vxlan port for flanneld +- name: Netplugin Firewalld | Add dns rule firewalld: - port: "8472/udp" + immediate: true permanent: true - state: enabled - # in case this is also a node where firewalld turned off - ignore_errors: yes - when: contiv_encap_mode == "vxlan" + port: "53/udp" + interface: contivh0 diff --git a/roles/contiv/tasks/netplugin_iptables.yml b/roles/contiv/tasks/netplugin_iptables.yml index 3ea34645d..9d376f4e5 100644 --- a/roles/contiv/tasks/netplugin_iptables.yml +++ b/roles/contiv/tasks/netplugin_iptables.yml @@ -1,58 +1,52 @@ --- -- name: Netplugin IPtables | Get iptables rules - command: iptables -L --wait - register: iptablesrules - check_mode: no +- name: Netplugin IPtables | Add internal rules + iptables: + action: insert + chain: INPUT + protocol: "{{ item[0].split('/')[1] }}" + match: "{{ item[0].split('/')[1] }}" + destination_port: "{{ item[0].split('/')[0] }}" + source: "{{ item[1] }}" + jump: ACCEPT + comment: contiv + with_nested: + - "{{ contiv_netplugin_internal }}" + - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}" + notify: Save iptables rules + +- name: Netplugin IPtables | Add [in] forward rules + iptables: + action: insert + chain: FORWARD + in_interface: "{{ item }}" + jump: ACCEPT + comment: contiv + with_items: "{{ contiv_netplugin_forward_interfaces }}" + notify: Save iptables rules + +- name: Netplugin IPtables | Add [out] forward rules + iptables: + action: insert + chain: FORWARD + out_interface: "{{ item }}" + jump: ACCEPT + comment: contiv + with_items: "{{ contiv_netplugin_forward_interfaces }}" + notify: Save iptables rules + +- name: Netplugin IPtables | Add dns rule + iptables: + action: insert + chain: INPUT + protocol: udp + match: udp + destination_port: 53 + in_interface: contivh0 + jump: ACCEPT + comment: contiv + notify: Save iptables rules - name: Netplugin IPtables | Enable iptables at boot service: name: iptables enabled: yes - state: started - -- name: Netplugin IPtables | Open Netmaster with iptables - command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv" - with_items: - - "{{ netmaster_port }}" - - "{{ contiv_rpc_port1 }}" - - "{{ contiv_rpc_port2 }}" - - "{{ contiv_rpc_port3 }}" - - "{{ contiv_etcd_port }}" - - "{{ kube_master_api_port }}" - when: iptablesrules.stdout.find("contiv") == -1 - notify: Save iptables rules - -- name: Netplugin IPtables | Open vxlan port with iptables - command: /sbin/iptables -I INPUT 1 -p udp --dport 8472 -j ACCEPT -m comment --comment "netplugin vxlan 8472" - when: iptablesrules.stdout.find("netplugin vxlan 8472") == -1 - notify: Save iptables rules - -- name: Netplugin IPtables | Open vxlan port with iptables - command: /sbin/iptables -I INPUT 1 -p udp --dport 4789 -j ACCEPT -m comment --comment "netplugin vxlan 4789" - when: iptablesrules.stdout.find("netplugin vxlan 4789") == -1 - notify: Save iptables rules - -- name: Netplugin IPtables | Allow from contivh0 - command: /sbin/iptables -I FORWARD 1 -i contivh0 -j ACCEPT -m comment --comment "contivh0 FORWARD input" - when: iptablesrules.stdout.find("contivh0 FORWARD input") == -1 - notify: Save iptables rules - -- name: Netplugin IPtables | Allow to contivh0 - command: /sbin/iptables -I FORWARD 1 -o contivh0 -j ACCEPT -m comment --comment "contivh0 FORWARD output" - when: iptablesrules.stdout.find("contivh0 FORWARD output") == -1 - notify: Save iptables rules - -- name: Netplugin IPtables | Allow from contivh1 - command: /sbin/iptables -I FORWARD 1 -i contivh1 -j ACCEPT -m comment --comment "contivh1 FORWARD input" - when: iptablesrules.stdout.find("contivh1 FORWARD input") == -1 - notify: Save iptables rules - -- name: Netplugin IPtables | Allow to contivh1 - command: /sbin/iptables -I FORWARD 1 -o contivh1 -j ACCEPT -m comment --comment "contivh1 FORWARD output" - when: iptablesrules.stdout.find("contivh1 FORWARD output") == -1 - notify: Save iptables rules - -- name: Netplugin IPtables | Allow dns - command: /sbin/iptables -I INPUT 1 -p udp --dport 53 -j ACCEPT -m comment --comment "contiv dns" - when: iptablesrules.stdout.find("contiv dns") == -1 - notify: Save iptables rules diff --git a/roles/contiv/tasks/old_version_cleanup.yml b/roles/contiv/tasks/old_version_cleanup.yml new file mode 100644 index 000000000..8b3d88096 --- /dev/null +++ b/roles/contiv/tasks/old_version_cleanup.yml @@ -0,0 +1,43 @@ +--- +- name: Old version cleanup | Check if old auth proxy service exists + stat: + path: /etc/systemd/system/auth-proxy.service + register: auth_proxy_stat + +- name: Old version cleanup | Stop old auth proxy + service: + name: auth-proxy + enabled: no + state: stopped + when: auth_proxy_stat.stat.exists + +# Note(NB): The new containerized contiv-etcd service uses the same data +# directory on the host, so etcd data is not lost. +- name: Old version cleanup | Check if old contiv-etcd service exists + stat: + path: /etc/systemd/system/contiv-etcd.service + register: contiv_etcd_stat + +- name: Old version cleanup | Stop old contiv-etcd + service: + name: contiv-etcd + enabled: no + state: stopped + when: contiv_etcd_stat.stat.exists + +- name: Old version cleanup | Delete old files + file: + state: absent + path: "{{ item }}" + with_items: + - /etc/systemd/system/auth-proxy.service + - /var/contiv/certs + - /usr/bin/auth_proxy.sh + - /etc/systemd/system/contiv-etcd.service + - /etc/systemd/system/contiv-etcd.service.d + +- include_tasks: old_version_cleanup_iptables.yml + when: not contiv_has_firewalld and contiv_has_iptables + +- include_tasks: old_version_cleanup_firewalld.yml + when: contiv_has_firewalld diff --git a/roles/contiv/tasks/old_version_cleanup_firewalld.yml b/roles/contiv/tasks/old_version_cleanup_firewalld.yml new file mode 100644 index 000000000..675a6358a --- /dev/null +++ b/roles/contiv/tasks/old_version_cleanup_firewalld.yml @@ -0,0 +1,11 @@ +--- +- name: Old version cleanup | Delete old firewalld rules + firewalld: + state: absent + immediate: true + permanent: true + port: "{{ item }}" + with_items: + - "9999/tcp" + - "6640/tcp" + - "8472/udp" diff --git a/roles/contiv/tasks/old_version_cleanup_iptables.yml b/roles/contiv/tasks/old_version_cleanup_iptables.yml new file mode 100644 index 000000000..513357606 --- /dev/null +++ b/roles/contiv/tasks/old_version_cleanup_iptables.yml @@ -0,0 +1,44 @@ +--- +- name: Old version cleanup | Delete old forward [in] iptables rules + iptables: + state: absent + chain: FORWARD + in_interface: "{{ item }}" + jump: ACCEPT + comment: "{{ item }} FORWARD input" + with_items: + - contivh0 + - contivh1 + notify: Save iptables rules + +- name: Old version cleanup | Delete old forward [out] iptables rules + iptables: + state: absent + chain: FORWARD + out_interface: "{{ item }}" + jump: ACCEPT + comment: "{{ item }} FORWARD output" + with_items: + - contivh0 + - contivh1 + notify: Save iptables rules + +- name: Old version cleanup | Delete old input iptables rules + iptables: + state: absent + chain: INPUT + protocol: "{{ item.split('/')[1] }}" + match: "{{ item.split('/')[1] }}" + destination_port: "{{ item.split('/')[0] }}" + comment: "{{ item.split('/')[2] }}" + jump: ACCEPT + with_items: + - "53/udp/contiv dns" + - "4789/udp/netplugin vxlan 4789" + - "8472/udp/netplugin vxlan 8472" + - "9003/tcp/contiv" + - "9002/tcp/contiv" + - "9001/tcp/contiv" + - "9999/tcp/contiv" + - "10000/tcp/Contiv auth proxy service (10000)" + notify: Save iptables rules diff --git a/roles/contiv/tasks/ovs.yml b/roles/contiv/tasks/ovs.yml index 5c92e90e9..21ba6ead4 100644 --- a/roles/contiv/tasks/ovs.yml +++ b/roles/contiv/tasks/ovs.yml @@ -1,6 +1,6 @@ --- - include_tasks: packageManagerInstall.yml - when: source_type == "packageManager" + when: contiv_source_type == "packageManager" tags: - binary-update diff --git a/roles/contiv/tasks/packageManagerInstall.yml b/roles/contiv/tasks/packageManagerInstall.yml index 3367844a8..8c8e7a7bd 100644 --- a/roles/contiv/tasks/packageManagerInstall.yml +++ b/roles/contiv/tasks/packageManagerInstall.yml @@ -4,10 +4,9 @@ did_install: false - include_tasks: pkgMgrInstallers/centos-install.yml - when: (ansible_os_family == "RedHat") and - not openshift_is_atomic + when: ansible_os_family == "RedHat" and not openshift_is_atomic | bool - name: Package Manager | Set fact saying we did CentOS package install set_fact: did_install: true - when: (ansible_os_family == "RedHat") + when: ansible_os_family == "RedHat" diff --git a/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml index 53c5b4099..2c82973d6 100644 --- a/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml +++ b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml @@ -12,9 +12,9 @@ dest: /tmp/rdo-release-ocata-2.noarch.rpm validate_certs: False environment: - http_proxy: "{{ http_proxy|default('') }}" - https_proxy: "{{ https_proxy|default('') }}" - no_proxy: "{{ no_proxy|default('') }}" + http_proxy: "{{ contiv_http_proxy|default('') }}" + https_proxy: "{{ contiv_https_proxy|default('') }}" + no_proxy: "{{ contiv_no_proxy|default('') }}" tags: - ovs_install @@ -30,9 +30,9 @@ pkg=openvswitch state=present environment: - http_proxy: "{{ http_proxy|default('') }}" - https_proxy: "{{ https_proxy|default('') }}" - no_proxy: "{{ no_proxy|default('') }}" + http_proxy: "{{ contiv_http_proxy|default('') }}" + https_proxy: "{{ contiv_https_proxy|default('') }}" + no_proxy: "{{ contiv_no_proxy|default('') }}" tags: - ovs_install register: result diff --git a/roles/contiv/templates/aci-gw.service b/roles/contiv/templates/aci-gw.service index 9b3f12567..e2813c99d 100644 --- a/roles/contiv/templates/aci-gw.service +++ b/roles/contiv/templates/aci-gw.service @@ -1,10 +1,10 @@ [Unit] Description=Contiv ACI gw -After=auditd.service systemd-user-sessions.service time-sync.target {{ openshift_docker_service_name }}.service +After=auditd.service systemd-user-sessions.service time-sync.target {{ contiv_openshift_docker_service_name }}.service [Service] -ExecStart={{ bin_dir }}/aci_gw.sh start -ExecStop={{ bin_dir }}/aci_gw.sh stop +ExecStart={{ contiv_bin_dir }}/aci_gw.sh start +ExecStop={{ contiv_bin_dir }}/aci_gw.sh stop KillMode=control-group Restart=always RestartSec=10 diff --git a/roles/contiv/templates/aci_gw.j2 b/roles/contiv/templates/aci_gw.j2 index ab4ad46a6..5ff349945 100644 --- a/roles/contiv/templates/aci_gw.j2 +++ b/roles/contiv/templates/aci_gw.j2 @@ -11,13 +11,13 @@ start) set -e docker run --net=host \ - -e "APIC_URL={{ apic_url }}" \ - -e "APIC_USERNAME={{ apic_username }}" \ - -e "APIC_PASSWORD={{ apic_password }}" \ - -e "APIC_LEAF_NODE={{ apic_leaf_nodes }}" \ - -e "APIC_PHYS_DOMAIN={{ apic_phys_dom }}" \ - -e "APIC_EPG_BRIDGE_DOMAIN={{ apic_epg_bridge_domain }}" \ - -e "APIC_CONTRACTS_UNRESTRICTED_MODE={{ apic_contracts_unrestricted_mode }}" \ + -e "APIC_URL={{ contiv_apic_url }}" \ + -e "APIC_USERNAME={{ contiv_apic_username }}" \ + -e "APIC_PASSWORD={{ contiv_apic_password }}" \ + -e "APIC_LEAF_NODE={{ contiv_apic_leaf_nodes }}" \ + -e "APIC_PHYS_DOMAIN={{ contiv_apic_phys_dom }}" \ + -e "APIC_EPG_BRIDGE_DOMAIN={{ contiv_apic_epg_bridge_domain }}" \ + -e "APIC_CONTRACTS_UNRESTRICTED_MODE={{ contiv_apic_contracts_unrestricted_mode }}" \ --name=contiv-aci-gw \ contiv/aci-gw ;; diff --git a/roles/contiv/templates/api-proxy-daemonset.yml.j2 b/roles/contiv/templates/api-proxy-daemonset.yml.j2 new file mode 100644 index 000000000..4d4388706 --- /dev/null +++ b/roles/contiv/templates/api-proxy-daemonset.yml.j2 @@ -0,0 +1,56 @@ +--- +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: contiv-api-proxy + namespace: kube-system +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + name: contiv-api-proxy + template: + metadata: + namespace: kube-system + labels: + name: contiv-api-proxy + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: contiv-api-proxy + hostNetwork: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: +{% for node in groups.oo_masters_to_config %} + - "{{ node }}" +{% endfor %} + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: contiv-api-proxy + image: "{{ contiv_api_proxy_image_repo }}:{{ contiv_version }}" + args: + - "--listen-address=0.0.0.0:{{ contiv_api_proxy_port }}" + - --tls-key-file=/var/contiv/api_proxy_key.pem + - --tls-certificate=/var/contiv/api_proxy_cert.pem + - "--data-store-address={{ etcd_host }}" + - "--netmaster-address=127.0.0.1:{{ contiv_netmaster_port }}" + ports: + - containerPort: "{{ contiv_api_proxy_port }}" + hostPort: "{{ contiv_api_proxy_port }}" + volumeMounts: + - name: secret-volume + mountPath: /var/contiv + readOnly: true + volumes: + - name: secret-volume + secret: + secretName: contiv-api-proxy-secret diff --git a/roles/contiv/templates/api-proxy-secrets.yml.j2 b/roles/contiv/templates/api-proxy-secrets.yml.j2 new file mode 100644 index 000000000..cd800c97d --- /dev/null +++ b/roles/contiv/templates/api-proxy-secrets.yml.j2 @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: contiv-api-proxy-secret + namespace: kube-system + labels: + name: contiv-api-proxy-secret +# Use data+b64encode, because stringData doesn't preserve newlines. +data: + api_proxy_key.pem: "{{ key | b64encode }}" + api_proxy_cert.pem: "{{ cert | b64encode }}" diff --git a/roles/contiv/templates/contiv.cfg.j2 b/roles/contiv/templates/contiv.cfg.j2 index f0e99c556..1dce9fcc2 100644 --- a/roles/contiv/templates/contiv.cfg.j2 +++ b/roles/contiv/templates/contiv.cfg.j2 @@ -1,5 +1,5 @@ { - "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ kube_master_api_port }}", + "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + contiv_netmaster_interface].ipv4.address }}:{{ contiv_kube_master_api_port }}", "K8S_CA": "{{ openshift.common.config_base }}/node/ca.crt", "K8S_KEY": "{{ openshift.common.config_base }}/node/system:node:{{ openshift.common.hostname }}.key", "K8S_CERT": "{{ openshift.common.config_base }}/node/system:node:{{ openshift.common.hostname }}.crt", diff --git a/roles/contiv/templates/contiv.cfg.master.j2 b/roles/contiv/templates/contiv.cfg.master.j2 index fac8e3c4c..ca29b8001 100644 --- a/roles/contiv/templates/contiv.cfg.master.j2 +++ b/roles/contiv/templates/contiv.cfg.master.j2 @@ -1,5 +1,5 @@ { - "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ kube_master_api_port }}", + "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + contiv_netmaster_interface].ipv4.address }}:{{ contiv_kube_master_api_port }}", "K8S_CA": "{{ openshift.common.config_base }}/master/ca.crt", "K8S_KEY": "{{ openshift.common.config_base }}/master/system:node:{{ openshift.common.hostname }}.key", "K8S_CERT": "{{ openshift.common.config_base }}/master/system:node:{{ openshift.common.hostname }}.crt", diff --git a/roles/contiv/templates/etcd-daemonset.yml.j2 b/roles/contiv/templates/etcd-daemonset.yml.j2 new file mode 100644 index 000000000..76937e670 --- /dev/null +++ b/roles/contiv/templates/etcd-daemonset.yml.j2 @@ -0,0 +1,83 @@ +--- +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: contiv-etcd + namespace: kube-system +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + name: contiv-etcd + template: + metadata: + namespace: kube-system + labels: + name: contiv-etcd + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: contiv-etcd + hostNetwork: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: +{% for node in groups.oo_masters_to_config %} + - "{{ node }}" +{% endfor %} + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + initContainers: + - name: contiv-etcd-init + image: "{{ contiv_etcd_init_image_repo }}:{{ contiv_etcd_init_image_tag }}" + env: + - name: ETCD_INIT_ARGSFILE + value: "{{ contiv_etcd_conf_dir }}/contiv-etcd-args" + - name: ETCD_INIT_LISTEN_PORT + value: "{{ contiv_etcd_port }}" + - name: ETCD_INIT_PEER_PORT + value: "{{ contiv_etcd_peer_port }}" + - name: ETCD_INIT_CLUSTER + value: "{{ contiv_etcd_peers }}" + - name: ETCD_INIT_DATA_DIR + value: "{{ contiv_etcd_data_dir }}" + volumeMounts: + - name: contiv-etcd-conf-dir + mountPath: "{{ contiv_etcd_conf_dir }}" + securityContext: + runAsUser: "{{ contiv_etcd_system_uid }}" + fsGroup: "{{ contiv_etcd_system_gid }}" + containers: + - name: contiv-etcd + image: "{{ contiv_etcd_image_repo }}:{{ contiv_etcd_image_tag }}" + command: + - sh + - -c + - 'exec etcd $(cat "$ETCD_INIT_ARGSFILE")' + env: + - name: ETCD_INIT_ARGSFILE + value: "{{ contiv_etcd_conf_dir }}/contiv-etcd-args" + volumeMounts: + - name: contiv-etcd-conf-dir + mountPath: "{{ contiv_etcd_conf_dir }}" + - name: contiv-etcd-data-dir + mountPath: "{{ contiv_etcd_data_dir }}" + securityContext: + runAsUser: "{{ contiv_etcd_system_uid }}" + fsGroup: "{{ contiv_etcd_system_gid }}" + volumes: + - name: contiv-etcd-data-dir + hostPath: + type: DirectoryOrCreate + path: "{{ contiv_etcd_data_dir }}" + - name: contiv-etcd-conf-dir + hostPath: + type: DirectoryOrCreate + path: "{{ contiv_etcd_conf_dir }}" diff --git a/roles/contiv/templates/etcd-proxy-daemonset.yml.j2 b/roles/contiv/templates/etcd-proxy-daemonset.yml.j2 new file mode 100644 index 000000000..4ec6cfd76 --- /dev/null +++ b/roles/contiv/templates/etcd-proxy-daemonset.yml.j2 @@ -0,0 +1,55 @@ +--- +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: contiv-etcd-proxy + namespace: kube-system +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + name: contiv-etcd-proxy + template: + metadata: + namespace: kube-system + labels: + name: contiv-etcd-proxy + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: contiv-etcd + hostNetwork: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: NotIn + values: +{% for node in groups.oo_masters_to_config %} + - "{{ node }}" +{% endfor %} + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: contiv-etcd-proxy + image: "{{ contiv_etcd_image_repo }}:{{ contiv_etcd_image_tag }}" + command: + - etcd + - "--proxy=on" + - "--listen-client-urls=http://127.0.0.1:{{ contiv_etcd_port }}" + - "--advertise-client-urls=http://127.0.0.1:{{ contiv_etcd_port }}" + - "--initial-cluster={{ contiv_etcd_peers }}" + - "--data-dir={{ contiv_etcd_data_dir }}" + volumeMounts: + - name: contiv-etcd-data-dir + mountPath: "{{ contiv_etcd_data_dir }}" + securityContext: + runAsUser: "{{ contiv_etcd_system_uid }}" + fsGroup: "{{ contiv_etcd_system_gid }}" + volumes: + - name: contiv-etcd-data-dir + emptyDir: {} diff --git a/roles/contiv/templates/etcd-scc.yml.j2 b/roles/contiv/templates/etcd-scc.yml.j2 new file mode 100644 index 000000000..6c4bb1d1e --- /dev/null +++ b/roles/contiv/templates/etcd-scc.yml.j2 @@ -0,0 +1,42 @@ +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: true +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +allowedCapabilities: [] +allowedFlexVolumes: [] +apiVersion: v1 +defaultAddCapabilities: [] +fsGroup: + ranges: + - max: "{{ contiv_etcd_system_gid }}" + min: "{{ contiv_etcd_system_gid }}" + type: MustRunAs +groups: [] +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: 'For contiv-etcd only.' + creationTimestamp: null + name: contiv-etcd +priority: null +readOnlyRootFilesystem: true +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAs + uid: "{{ contiv_etcd_system_uid }}" +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: +- system:serviceaccount:kube-system:contiv-etcd +volumes: +- emptyDir +- hostPath +- secret diff --git a/roles/contiv/templates/netmaster.env.j2 b/roles/contiv/templates/netmaster.env.j2 index 5b5c84a2e..9a38f32ea 100644 --- a/roles/contiv/templates/netmaster.env.j2 +++ b/roles/contiv/templates/netmaster.env.j2 @@ -1,2 +1 @@ -NETMASTER_ARGS='--cluster-store etcd://{{ etcd_url }} --cluster-mode=kubernetes' - +NETMASTER_ARGS='--cluster-store {{ contiv_etcd_url }} --cluster-mode=kubernetes' diff --git a/roles/contiv/templates/netmaster.service b/roles/contiv/templates/netmaster.service index ce7d0c75e..b7289bc38 100644 --- a/roles/contiv/templates/netmaster.service +++ b/roles/contiv/templates/netmaster.service @@ -4,7 +4,7 @@ After=auditd.service systemd-user-sessions.service contiv-etcd.service [Service] EnvironmentFile=/etc/default/netmaster -ExecStart={{ bin_dir }}/netmaster $NETMASTER_ARGS +ExecStart={{ contiv_bin_dir }}/netmaster $NETMASTER_ARGS KillMode=control-group Restart=always RestartSec=10 diff --git a/roles/contiv/templates/netplugin.j2 b/roles/contiv/templates/netplugin.j2 index a4928cc3d..9ce44e2dc 100644 --- a/roles/contiv/templates/netplugin.j2 +++ b/roles/contiv/templates/netplugin.j2 @@ -1,7 +1,6 @@ {% if contiv_encap_mode == "vlan" %} -NETPLUGIN_ARGS='-vlan-if {{ netplugin_interface }} -ctrl-ip {{ netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store etcd://{{ etcd_url }}' +NETPLUGIN_ARGS='-vlan-if {{ contiv_netplugin_interface }} -ctrl-ip {{ contiv_netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store {{ contiv_etcd_url }}' {% endif %} {% if contiv_encap_mode == "vxlan" %} -NETPLUGIN_ARGS='-vtep-ip {{ netplugin_ctrl_ip }} -ctrl-ip {{ netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store etcd://{{ etcd_url }}' +NETPLUGIN_ARGS='-vtep-ip {{ contiv_netplugin_ctrl_ip }} -ctrl-ip {{ contiv_netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store {{ contiv_etcd_url }}' {% endif %} - diff --git a/roles/contiv/templates/netplugin.service b/roles/contiv/templates/netplugin.service index 6358d89ec..2e1ca1bdf 100644 --- a/roles/contiv/templates/netplugin.service +++ b/roles/contiv/templates/netplugin.service @@ -4,7 +4,7 @@ After=auditd.service systemd-user-sessions.service contiv-etcd.service [Service] EnvironmentFile=/etc/default/netplugin -ExecStart={{ bin_dir }}/netplugin $NETPLUGIN_ARGS +ExecStart={{ contiv_bin_dir }}/netplugin $NETPLUGIN_ARGS KillMode=control-group Restart=always RestartSec=10 diff --git a/roles/contiv_auth_proxy/README.md b/roles/contiv_auth_proxy/README.md deleted file mode 100644 index 287b6c148..000000000 --- a/roles/contiv_auth_proxy/README.md +++ /dev/null @@ -1,29 +0,0 @@ -Role Name -========= - -Role to install Contiv API Proxy and UI - -Requirements ------------- - -Docker needs to be installed to run the auth proxy container. - -Role Variables --------------- - -auth_proxy_image specifies the image with version tag to be used to spin up the auth proxy container. -auth_proxy_cert, auth_proxy_key specify files to use for the proxy server certificates. -auth_proxy_port is the host port and auth_proxy_datastore the cluster data store address. - -Dependencies ------------- - -docker - -Example Playbook ----------------- - -- hosts: netplugin-node - become: true - roles: - - { role: auth_proxy, auth_proxy_port: 10000, auth_proxy_datastore: etcd://netmaster:22379 } diff --git a/roles/contiv_auth_proxy/defaults/main.yml b/roles/contiv_auth_proxy/defaults/main.yml deleted file mode 100644 index e1d904c6a..000000000 --- a/roles/contiv_auth_proxy/defaults/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -auth_proxy_image: "contiv/auth_proxy:1.1.1" -auth_proxy_port: 10000 -contiv_certs: "/var/contiv/certs" -cluster_store: "etcd://{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:22379" -auth_proxy_cert: "{{ contiv_certs }}/auth_proxy_cert.pem" -auth_proxy_key: "{{ contiv_certs }}/auth_proxy_key.pem" -auth_proxy_datastore: "{{ cluster_store }}" -auth_proxy_binaries: "/var/contiv_cache" -auth_proxy_local_install: False -auth_proxy_rule_comment: "Contiv auth proxy service" -service_vip: "{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}" diff --git a/roles/contiv_auth_proxy/files/auth-proxy.service b/roles/contiv_auth_proxy/files/auth-proxy.service deleted file mode 100644 index 7cd2edff1..000000000 --- a/roles/contiv_auth_proxy/files/auth-proxy.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Contiv Proxy and UI -After=auditd.service systemd-user-sessions.service time-sync.target docker.service - -[Service] -ExecStart=/usr/bin/auth_proxy.sh start -ExecStop=/usr/bin/auth_proxy.sh stop -KillMode=control-group -Restart=on-failure -RestartSec=10 - -[Install] -WantedBy=multi-user.target diff --git a/roles/contiv_auth_proxy/files/cert.pem b/roles/contiv_auth_proxy/files/cert.pem deleted file mode 100644 index 63df4603f..000000000 --- a/roles/contiv_auth_proxy/files/cert.pem +++ /dev/null @@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFuTCCA6GgAwIBAgIJAOFyylO2zW2EMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIU2FuIEpvc2UxDTALBgNVBAoM -BENQU0cxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxHTAbBgNVBAMMFGF1dGgtbG9j -YWwuY2lzY28uY29tMB4XDTE3MDcxMzE5NDYwMVoXDTI3MDcxMTE5NDYwMVowczEL -MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhTYW4gSm9zZTENMAsG -A1UECgwEQ1BTRzEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEdMBsGA1UEAwwUYXV0 -aC1sb2NhbC5jaXNjby5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQDKCg26dvsD1u3f1lCaLlVptyTyGyanaJ73mlHiUnAMcu0A/p3kzluTeQLZJxtl -MToM7rT/lun6fbhQC+7TQep9mufBzLhssyzRnT9rnGSeGwN66mO/rlYPZc5C1D7p -7QZh1uLznzgOA2zMkgnI+n6LB2TZWg+XLhZZIr5SVYE18lj0tnwq3R1uznVv9t06 -grUYK2K7x0Y3Pt2e6yV0e1w2FOGH+7v3mm0c8r1+7U+4EZ2SM3fdG7nyTL/187gl -yE8X4HOnAyYGbAnULJC02LR/DTQpv/RpLN/YJEpHZWApHZCKh+fbFdIhRRwEnT4L -DLy3GJVFDEsmFaC91wf24+HAeUl9/hRIbxo9x/7kXmrhMlK38x2oo3cPh0XZxHje -XmJUGG1OByAuIZaGFwS9lUuGTNvpN8P/v3HN/nORc0RE3fvoXIv4nuhaEfuo32q4 -dvO4aNjmxjz1JcUEx6DiMQe4ECaReYdvI+j9ZkUJj/e89iLsQ8gz5t3FTM+tmBi1 -hrRBAgWyRY5DKECVv2SNFiX55JQGA5vQDGw51qTTuhntfBhkHvhKL7V1FRZazx6N -wqFyynig/jplb1ZNdKZ9ZxngZr6qHIx4RcGaJ9HdVhik7NyUCiHjWeGagzun2Omq -FFXAD9Hmfctac5bGxx0FBi95kO8bd8b0GSIh2CWanETjawIDAQABo1AwTjAdBgNV -HQ4EFgQU5P1g5gFZot//iwEV98MwW2YXzEMwHwYDVR0jBBgwFoAU5P1g5gFZot// -iwEV98MwW2YXzEMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAbWgN -BkFzzG5sbG7vUb23Ggv/0TCCuMtuKBGOBR0EW5Ssw6Aml7j3AGiy/1+2sdrQMsx2 -nVpexyQW5XS/X+8JjH7H7ifvwl3bVJ8xiR/9ioIJovrQojxQO0cUB2Lljj3bPd/R -/tddAhPj0uN9N7UAejA12kXGa0Rrzb2U1rIpO9jnTbQYJiTOSzFiiGRMZWx3hfsW -SDTpPmsV2Mh+jcmuxvPITl0s+vtqsm7SYoUZHwJ80LvrPbmk/5hTZGRsI3W5jipB -PpOxvBnAWnQH3miMhty2TDaQ9JjYUwnxjFFZvNIYtp8+eH4nlbSldbgZoUeAe8It -X6SsP8gT/uQh3TPvzNIfYROA7qTwoOQ8ZW8ssai/EttHAztFxketgNEfjwUTz8EJ -yKeyAJ7qk3zD5k7p33ZNLWjmN0Awx3fCE9OQmNUyNX7PpYb4i+tHWu3h6Clw0RUf -0gb1I+iyB3PXmpiYtxdMxGSi9CQIyWHzC4bsTQZkrzzIHWFSwewhUWOQ2Wko0hrv -DnkS5k0cMPn5aNxw56H6OI+6hb+y/GGkTxNY9Gbxypx6lgZson0EY80EPZOJAORM -XggJtTjiMpzvKh18DZY/Phmdh0C2tt8KYFdG83qLEhya9WZujbLAm38vIziFHbdX -jOitXBSPyVrV3JvsCVksp+YC8Lnv3FsM494R4kA= ------END CERTIFICATE----- diff --git a/roles/contiv_auth_proxy/files/key.pem b/roles/contiv_auth_proxy/files/key.pem deleted file mode 100644 index 7224e569c..000000000 --- a/roles/contiv_auth_proxy/files/key.pem +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAygoNunb7A9bt39ZQmi5Vabck8hsmp2ie95pR4lJwDHLtAP6d -5M5bk3kC2ScbZTE6DO60/5bp+n24UAvu00HqfZrnwcy4bLMs0Z0/a5xknhsDeupj -v65WD2XOQtQ+6e0GYdbi8584DgNszJIJyPp+iwdk2VoPly4WWSK+UlWBNfJY9LZ8 -Kt0dbs51b/bdOoK1GCtiu8dGNz7dnusldHtcNhThh/u795ptHPK9fu1PuBGdkjN3 -3Ru58ky/9fO4JchPF+BzpwMmBmwJ1CyQtNi0fw00Kb/0aSzf2CRKR2VgKR2Qiofn -2xXSIUUcBJ0+Cwy8txiVRQxLJhWgvdcH9uPhwHlJff4USG8aPcf+5F5q4TJSt/Md -qKN3D4dF2cR43l5iVBhtTgcgLiGWhhcEvZVLhkzb6TfD/79xzf5zkXNERN376FyL -+J7oWhH7qN9quHbzuGjY5sY89SXFBMeg4jEHuBAmkXmHbyPo/WZFCY/3vPYi7EPI -M+bdxUzPrZgYtYa0QQIFskWOQyhAlb9kjRYl+eSUBgOb0AxsOdak07oZ7XwYZB74 -Si+1dRUWWs8ejcKhcsp4oP46ZW9WTXSmfWcZ4Ga+qhyMeEXBmifR3VYYpOzclAoh -41nhmoM7p9jpqhRVwA/R5n3LWnOWxscdBQYveZDvG3fG9BkiIdglmpxE42sCAwEA -AQKCAgANVU6EoLd+EGAQZo9ZLXebi2eXxqztXV0oT/nZasFUQP1dFHCNGgU3HURP -2mHXcsE2+0XcnDQCwOs59R+kt3PnKCLlSkJdghGSH8OAsYh+WqAHK5K7oqCxUXGk -PWeNfoPuTwUZOMe1PQqgEX8t0UIqoKlKIsRmoLb+2Okge94UFlNCiwx0s7TujBd5 -9Ruycc/LsYlJhSQgHzj29OO65S03sHcVx0onU/yhbW+OAdFB/3+bl2PwppTF5cTB -UX00mRyHIdvgCLgoslaPtwUxuh9nRxLLMozJqBl5pSN1xL3s2LOiQMfPUIhWg74O -m+XtSsDlgGzRardG4ySBgsBWzcEnGWi5/xyc/6dtERzR382+CLUfOEoucGJHk6kj -RdbVx5FCawpAzjs9Wo49Vr+WQceSiBfb2+ndNUTiD0wu7xLEVPcYC6CMk71qZv5H -0qGlLhtkHF0nSQytbwqwfMz2SGDfkwIHgQ0gTKMpEMWK79E24ewE1BnMiaKC1bgk -evB6WM1YZFMKS5L7fshJcbeMe9dhSF3s+Y0MYVv5MCL1VMZyIzAcj8mkPYZyBRUk -MC87GnaebeTvHNtimvqCuWDGVI1SOoc1xtopkxinTqtIYGuQacrSmfyf9D3Rg4+l -kB0ibtJV+HLP94q266aef/PdpXszs7zo0h6skpLItW/jAuSNuQKCAQEA/VdXpMi8 -nfOtXwOZlGA2+jShYyHyCl2TKgbpfDGl1yKNkbBrIu2/PEl1DpmzSeG1tdNCzN68 -4vEjpF/jBsdSJj4BDiRY6HEcURXpw4yTZ7oCnUCbzadLIo3wX/gFDEVZz+0nQQ29 -5x0XGuQnJXC2fe/CyrkfltKhFSYoTSjtMbma4Pm3Q3HP3wGOvoUKtKNDO5rF26Qh -YtqJgJSKBAms0wKiy9VVTa6DaXrtSnXTR+Ltud3xnWBrX1Z+idwxYt/Be5W2woHf -M5zPIqMUgry5ujtRxhLmleFXDAYbaIQR9AZXlSS3w+9Gcl5EDRkFXqlaoCfppwTR -wakj2lNjbAidPwKCAQEAzCjgko4/Yss/0dCs8ySKd2IaRF93OwC/E2SHVqe5bATh -rVmDn/KIH4J2fI4FiaIHELT1CU5vmganYbK2k7CoJztjJltM1B7rkpHiVSL+qMqn -yBZFg3LFq9eiBPZHyQEc+HMJUhFRexjdeqLH78HCoPz1QnKo2xRoGHhSQ/Rh6lXo -20tldL9HrSxPRmwxnyLgWGcWopv/92JNxu6FgnZcnsVjkpO2mriLD7+Ty5qfvkwc -RFDBYnq2JjBcvqngrzDIGDzC7hTA5BRuuQdNMZggJwO6nKdZDUrq5NIo9B07FLj1 -IRMVm7D1vJYzYI6HW7Wj4vNRXMY8jG1fwvNG0+xy1QKCAQEA7m14R9bAZWuDnGt3 -7APNWheUWAcHk6fTq/cLYV4cdWfIkvfVLO9STrvXliEjcoIhkPk94jAy1ucZo0a3 -FJccgm9ScOvWXRSvEMUt12ODC1ktwq+esqMi/GdXdgqnPZA7YYwRqJD1TAC90Qou -qXb12Xp/+mjWCQ08mvnpbgz5hxXmZJvAVZJUj84YeMgfdjg9O2iDlB5ZaX7BcCjb -58bvRzww2ONzQAPhG7Gch7pyWTKCh64RCgtHold2CesY87QglV4mvdKarSmEbFXN -JOnXZiUT5fW93AtS8DcDLo81klMxtGT1KksUIukC5MzKl/eNGjPWG+FWRAwaeQyI -ApHs4wKCAQAI10RSVGKeTprm5Rh4Nv7gCJmGmHO7VF7x4gqSUBURfmyfax7uEDyg -0K982VGYEjIoIQ3zZzgh/WPGMU0CvEWr3UB/6rg6/1PINxUMBsXsXUpCueQsuw2g -UWgsutWE+M1eXOzsZt+Waw88PkxWL5fUDOA6DmkNg6a2WI+Hbc/HrAy3Yl50Xcwm -zaJpNEo5z/LTITOzuvmsps8jbDTP33xHS9jyAf+IV7F97xfhW0LLpNQciTq2nwXA -RZvejdCzBXPEyOzQDooD1natAInxOds6lUjBe+W5U6M0YX1whMuILDJBSmhHI7Sg -hAiZh9KIwCbmrw6468S3eA0LjillB/o5AoIBAQCg93syT50nYF2UWWP/rEa7qf6h -+YpBPpJskIl3NDMJtie9OcdsoFpjblpFbsMqsSag9KhGl7wn4f8qXO0HERSb8oYd -1Zu6BgUCuRXuAKNI4f508IooNpXx9y7xxl4giFBnDPa6W3KWqZ2LMDt92htMd/Zm -qvoyYZhFhMSyKFzPDAFdsZijJgahqJRKhHeW9BsPqho5i7Ys+PhE8e/vUZs2zUeS -QEHWhVisDTNKOoJIdz7JXFgEXCPTLAxXIIhYSkIfQxHxsWjt0vs79tzUkV8NlpKt -d7s0iyHnD6kDvoxYOSI9YmSEnnFBFdgeiD+/VD+7enOdqb5MHsjuw+by09ft ------END RSA PRIVATE KEY----- diff --git a/roles/contiv_auth_proxy/handlers/main.yml b/roles/contiv_auth_proxy/handlers/main.yml deleted file mode 100644 index 9cb9bea49..000000000 --- a/roles/contiv_auth_proxy/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for auth_proxy diff --git a/roles/contiv_auth_proxy/tasks/cleanup.yml b/roles/contiv_auth_proxy/tasks/cleanup.yml deleted file mode 100644 index a29659cc9..000000000 --- a/roles/contiv_auth_proxy/tasks/cleanup.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: stop auth-proxy container - service: name=auth-proxy state=stopped - -- name: cleanup iptables for auth proxy - shell: iptables -D INPUT -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "{{ auth_proxy_rule_comment }} ({{ item }})" - become: true - with_items: - - "{{ auth_proxy_port }}" diff --git a/roles/contiv_auth_proxy/tasks/main.yml b/roles/contiv_auth_proxy/tasks/main.yml deleted file mode 100644 index 74e7bf794..000000000 --- a/roles/contiv_auth_proxy/tasks/main.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -# tasks file for auth_proxy -- name: setup iptables for auth proxy - shell: > - ( iptables -L INPUT | grep "{{ auth_proxy_rule_comment }} ({{ item }})" ) || \ - iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "{{ auth_proxy_rule_comment }} ({{ item }})" - become: true - with_items: - - "{{ auth_proxy_port }}" - -# Load the auth-proxy-image from local tar. Ignore any errors to handle the -# case where the image is not built in -- name: copy auth-proxy image - copy: src={{ auth_proxy_binaries }}/auth-proxy-image.tar dest=/tmp/auth-proxy-image.tar - when: auth_proxy_local_install == True - -- name: load auth-proxy image - shell: docker load -i /tmp/auth-proxy-image.tar - when: auth_proxy_local_install == True - -- name: create cert folder for proxy - file: path=/var/contiv/certs state=directory - -- name: copy shell script for starting auth-proxy - template: src=auth_proxy.j2 dest=/usr/bin/auth_proxy.sh mode=u=rwx,g=rx,o=rx - -- name: copy cert for starting auth-proxy - copy: src=cert.pem dest=/var/contiv/certs/auth_proxy_cert.pem mode=u=rw,g=r,o=r - -- name: copy key for starting auth-proxy - copy: src=key.pem dest=/var/contiv/certs/auth_proxy_key.pem mode=u=rw,g=r,o=r - -- name: copy systemd units for auth-proxy - copy: src=auth-proxy.service dest=/etc/systemd/system/auth-proxy.service - -- name: start auth-proxy container - systemd: name=auth-proxy daemon_reload=yes state=started enabled=yes diff --git a/roles/contiv_auth_proxy/templates/auth_proxy.j2 b/roles/contiv_auth_proxy/templates/auth_proxy.j2 deleted file mode 100644 index 0ab8c831b..000000000 --- a/roles/contiv_auth_proxy/templates/auth_proxy.j2 +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/bash - -usage="$0 start/stop" -if [ $# -ne 1 ]; then - echo USAGE: $usage - exit 1 -fi - -case $1 in -start) - set -e - - /usr/bin/docker run --rm \ - -p 10000:{{ auth_proxy_port }} \ - --net=host --name=auth-proxy \ - -e NO_NETMASTER_STARTUP_CHECK=1 \ - -v /var/contiv:/var/contiv:z \ - {{ auth_proxy_image }} \ - --tls-key-file={{ auth_proxy_key }} \ - --tls-certificate={{ auth_proxy_cert }} \ - --data-store-address={{ auth_proxy_datastore }} \ - --netmaster-address={{ service_vip }}:9999 \ - --listen-address=:10000 - ;; - -stop) - # don't stop on error - /usr/bin/docker stop auth-proxy - /usr/bin/docker rm -f -v auth-proxy - ;; - -*) - echo USAGE: $usage - exit 1 - ;; -esac diff --git a/roles/contiv_auth_proxy/tests/inventory b/roles/contiv_auth_proxy/tests/inventory deleted file mode 100644 index d18580b3c..000000000 --- a/roles/contiv_auth_proxy/tests/inventory +++ /dev/null @@ -1 +0,0 @@ -localhost
\ No newline at end of file diff --git a/roles/contiv_auth_proxy/tests/test.yml b/roles/contiv_auth_proxy/tests/test.yml deleted file mode 100644 index 2af3250cd..000000000 --- a/roles/contiv_auth_proxy/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - auth_proxy diff --git a/roles/contiv_auth_proxy/vars/main.yml b/roles/contiv_auth_proxy/vars/main.yml deleted file mode 100644 index 9032766c4..000000000 --- a/roles/contiv_auth_proxy/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for auth_proxy diff --git a/roles/contiv_facts/defaults/main.yaml b/roles/contiv_facts/defaults/main.yaml index 7b8150954..c1622c56a 100644 --- a/roles/contiv_facts/defaults/main.yaml +++ b/roles/contiv_facts/defaults/main.yaml @@ -1,13 +1,10 @@ --- # The directory where binaries are stored on Ansible # managed systems. -bin_dir: /usr/bin +contiv_bin_dir: /usr/bin # The directory used by Ansible to temporarily store # files on Ansible managed systems. -ansible_temp_dir: /tmp/.ansible/files +contiv_ansible_temp_dir: /tmp/.ansible/files -source_type: packageManager - -# Whether or not to also install and enable the Contiv auth_proxy -contiv_enable_auth_proxy: false +contiv_source_type: packageManager diff --git a/roles/contiv_facts/tasks/fedora-install.yml b/roles/contiv_facts/tasks/fedora-install.yml index 932ff091a..b8239a636 100644 --- a/roles/contiv_facts/tasks/fedora-install.yml +++ b/roles/contiv_facts/tasks/fedora-install.yml @@ -11,9 +11,9 @@ retries: 5 delay: 10 environment: - https_proxy: "{{ https_proxy }}" - http_proxy: "{{ http_proxy }}" - no_proxy: "{{ no_proxy }}" + https_proxy: "{{ contiv_https_proxy }}" + http_proxy: "{{ contiv_http_proxy }}" + no_proxy: "{{ contiv_no_proxy }}" - name: Install libselinux-python command: dnf install {{ item }} -y @@ -21,6 +21,6 @@ - python-dnf - libselinux-python environment: - https_proxy: "{{ https_proxy }}" - http_proxy: "{{ http_proxy }}" - no_proxy: "{{ no_proxy }}" + https_proxy: "{{ contiv_https_proxy }}" + http_proxy: "{{ contiv_http_proxy }}" + no_proxy: "{{ contiv_no_proxy }}" diff --git a/roles/contiv_facts/tasks/main.yml b/roles/contiv_facts/tasks/main.yml index ced04759d..11f1e1369 100644 --- a/roles/contiv_facts/tasks/main.yml +++ b/roles/contiv_facts/tasks/main.yml @@ -4,42 +4,28 @@ register: distro check_mode: no -- name: Init the is_coreos fact +- name: Init the contiv_is_coreos fact set_fact: - is_coreos: false + contiv_is_coreos: false -- name: Set the is_coreos fact +- name: Set the contiv_is_coreos fact set_fact: - is_coreos: true + contiv_is_coreos: true when: "'CoreOS' in distro.stdout" -- name: Set docker config file directory - set_fact: - docker_config_dir: "/etc/sysconfig" - -- name: Override docker config file directory for Debian - set_fact: - docker_config_dir: "/etc/default" - when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" - -- name: Create config file directory - file: - path: "{{ docker_config_dir }}" - state: directory - - name: Set the bin directory path for CoreOS set_fact: - bin_dir: "/opt/bin" - when: is_coreos + contiv_bin_dir: "/opt/bin" + when: contiv_is_coreos - name: Create the directory used to store binaries file: - path: "{{ bin_dir }}" + path: "{{ contiv_bin_dir }}" state: directory - name: Create Ansible temp directory file: - path: "{{ ansible_temp_dir }}" + path: "{{ contiv_ansible_temp_dir }}" state: directory - name: Determine if has rpm @@ -48,26 +34,26 @@ changed_when: false check_mode: no -- name: Init the has_rpm fact +- name: Init the contiv_has_rpm fact set_fact: - has_rpm: false + contiv_has_rpm: false -- name: Set the has_rpm fact +- name: Set the contiv_has_rpm fact set_fact: - has_rpm: true + contiv_has_rpm: true when: s.stat.exists -- name: Init the has_firewalld fact +- name: Init the contiv_has_firewalld fact set_fact: - has_firewalld: false + contiv_has_firewalld: false -- name: Init the has_iptables fact +- name: Init the contiv_has_iptables fact set_fact: - has_iptables: false + contiv_has_iptables: false # collect information about what packages are installed - include_tasks: rpm.yml - when: has_rpm + when: contiv_has_rpm - include_tasks: fedora-install.yml when: not openshift_is_atomic and ansible_distribution == "Fedora" diff --git a/roles/contiv_facts/tasks/rpm.yml b/roles/contiv_facts/tasks/rpm.yml index d12436f96..dc6c5d3b7 100644 --- a/roles/contiv_facts/tasks/rpm.yml +++ b/roles/contiv_facts/tasks/rpm.yml @@ -13,9 +13,9 @@ failed_when: false check_mode: no -- name: Set the has_firewalld fact +- name: Set the contiv_has_firewalld fact set_fact: - has_firewalld: true + contiv_has_firewalld: true when: s.rc == 0 and ss.rc == 0 - name: Determine if iptables-services installed @@ -25,7 +25,7 @@ failed_when: false check_mode: no -- name: Set the has_iptables fact +- name: Set the contiv_has_iptables fact set_fact: - has_iptables: true + contiv_has_iptables: true when: s.rc == 0 |