7 files changed, 79 insertions, 19 deletions

diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 125aab0ae..17afbb48c 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -156,6 +156,29 @@
     - master.etcd-ca.crt
     when: etcd_client_certs_missing is defined and etcd_client_certs_missing
 
+# Must be run before generating master certs which involved openshift_cli role and needs
+# to pull down the correct docker container:
+- name: Determine openshift_version to install on first master
+  hosts: oo_first_master
+  any_errors_fatal: true
+  tasks:
+  - debug: var=openshift.common
+  - debug: var=openshift_image_tag
+  - debug: var=openshift_release
+  - name: Determine version to configure if containerized and release specified
+    set_fact:
+      openshift_version: "{{ openshift_release }}"
+    when: openshift.common.is_containerized | bool and openshift_release is defined
+  - name: Determine version to configure if containerized and image tag specified
+    set_fact:
+      openshift_version: "{{ openshift_image_tag.split('v',1)[1] }}"
+    when: openshift.common.is_containerized | bool and openshift_image_tag is defined
+  - name: Determine version to configure if already installed
+    set_fact:
+      openshift_version: "{{ openshift.common.version }}"
+    when: openshift.common.is_containerized | bool and openshift.common.version is defined
+  - debug: var=openshift_version
+
 - name: Determine if master certificates need to be generated
   hosts: oo_first_master:oo_masters_to_config
   tasks:
@@ -337,8 +360,50 @@
     with_items: openshift_master_named_certificates
     when: named_certs_specified | bool
 
-- name: Configure master instances
-  hosts: oo_masters_to_config
+- name: Configure first master instances
+  hosts: oo_first_master
+  any_errors_fatal: true
+  serial: 1
+  vars:
+    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
+    openshift_master_ha: "{{ openshift.master.ha }}"
+    openshift_master_count: "{{ openshift.master.master_count }}"
+    openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}"
+    openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}"
+    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+    openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
+                                                    | union(groups['oo_masters_to_config'])
+                                                    | union(groups['oo_etcd_to_config'] | default([])))
+                                                | oo_collect('openshift.common.hostname') | default([]) | join (',')
+                                                }}"
+    openshift_version: "{{ g_openshift_version_requested }}"
+    when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
+            openshift_generate_no_proxy_hosts | default(True) | bool }}"
+  pre_tasks:
+  - name: Ensure certificate directory exists
+    file:
+      path: "{{ openshift.common.config_base }}/master"
+      state: directory
+    when: master_certs_missing | bool and 'oo_first_master' not in group_names
+  - name: Unarchive the tarball on the master
+    unarchive:
+      src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"
+      dest: "{{ master_cert_config_dir }}"
+    when: master_certs_missing | bool and 'oo_first_master' not in group_names
+  - debug: var=openshift_version
+  roles:
+  - openshift_master
+  - role: nickhammond.logrotate
+  - role: nuage_master
+    when: openshift.common.use_nuage | bool
+  post_tasks:
+  - name: Create group for deployment type
+    group_by: key=oo_masters_deployment_type_{{ openshift.common.deployment_type }}
+    changed_when: False
+
+# TODO: This is a copy paste of the oo_first_master, how do we reconcile the code but change openshift_version?
+- name: Configure remaining master instances
+  hosts: oo_masters_to_config[1:]
   any_errors_fatal: true
   serial: 1
   vars:
@@ -353,7 +418,8 @@
                                                     | union(groups['oo_etcd_to_config'] | default([])))
                                                 | oo_collect('openshift.common.hostname') | default([]) | join (',')
                                                 }}"
-    when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and 
+    openshift_version: "{{ g_openshift_version_requested }}"
+    when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   pre_tasks:
   - name: Ensure certificate directory exists
diff --git a/roles/openshift_cli/defaults/main.yml b/roles/openshift_cli/defaults/main.yml
index 7baa87ab8..ed97d539c 100644
--- a/roles/openshift_cli/defaults/main.yml
+++ b/roles/openshift_cli/defaults/main.yml
@@ -1,2 +1 @@
 ---
-openshift_version: "{{ openshift_image_tag | default(openshift.docker.openshift_image_tag | default('')) }}"
diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml
index a2be95eac..95711f95d 100644
--- a/roles/openshift_cli/tasks/main.yml
+++ b/roles/openshift_cli/tasks/main.yml
@@ -1,9 +1,6 @@
 ---
 - debug: var=openshift_version
-- debug: var=openshift_release
-- debug: var=openshift_image_tag
 - debug: var=openshift.common
-- debug: var=openshift.docker
 
 - name: Install clients
   action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-clients state=present"
@@ -11,7 +8,7 @@
 
 - name: Pull CLI Image
   command: >
-    docker pull {{ openshift.common.cli_image }}:{{ openshift_version }}
+    docker pull {{ openshift.common.cli_image }}:v{{ openshift_version }}
   when: openshift.common.is_containerized | bool
 
 - name: Create /usr/local/bin/openshift cli wrapper
diff --git a/roles/openshift_cli/templates/openshift.j2 b/roles/openshift_cli/templates/openshift.j2
index 437e08aab..501796b0b 100644
--- a/roles/openshift_cli/templates/openshift.j2
+++ b/roles/openshift_cli/templates/openshift.j2
@@ -5,14 +5,14 @@ fi
 cmd=`basename $0`
 user=`id -u`
 group=`id -g`
-image_tag={{ openshift_version }}
+image_tag=v{{ openshift_version }}
 
 >&2 echo """
 ================================================================================
 ATTENTION: You are running ${cmd} via a wrapper around 'docker run {{ openshift.common.cli_image }}:${image_tag}'.
 This wrapper is intended only to be used to bootstrap an environment. Please
 install client tools on another host once you have granted cluster-admin
-privileges to a user. 
+privileges to a user.
 {% if openshift.common.deployment_type in ['openshift-enterprise','atomic-enterprise'] %}
 See https://docs.openshift.com/enterprise/latest/cli_reference/get_started_cli.html
 {% else %}
diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml
index cff1c6bb4..79efb193b 100644
--- a/roles/openshift_docker/tasks/main.yml
+++ b/roles/openshift_docker/tasks/main.yml
@@ -17,6 +17,8 @@
   register: cli_image_version
   when: is_containerized | bool and openshift_image_tag is not defined and (upgrading | bool or not has_image_tag_fact | bool)
 
+- debug: var=cli_image_version
+
 # Use the pre-existing image tag from system facts if present, and we're not upgrading.
 # Ignores explicit openshift_image_tag if it's in the inventory, as this isn't an upgrade.
 - set_fact:
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index b13343776..6127948bf 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1133,15 +1133,9 @@ def get_openshift_version(facts):
     if os.path.isfile('/usr/bin/openshift'):
         _, output, _ = module.run_command(['/usr/bin/openshift', 'version'])
         version = parse_openshift_version(output)
-
-    # openshift_facts runs before openshift_docker_facts.  However, it will be
-    # called again and set properly throughout the playbook run.  This could be
-    # refactored to simply set the openshift.common.version in the
-    # openshift_docker_facts role but it would take reworking some assumptions
-    # on how get_openshift_version is called.
-    if 'is_containerized' in facts['common'] and safe_get_bool(facts['common']['is_containerized']):
-        if 'docker' in facts and 'openshift_version' in facts['docker']:
-            version = facts['docker']['openshift_version']
+    elif os.path.isfile('/usr/local/bin/openshift'):
+        _, output, _ = module.run_command(['/usr/local/bin/openshift', 'version'])
+        version = parse_openshift_version(output)
 
     return version
 
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 56ce0e396..0cbb49758 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -1,6 +1,8 @@
 ---
 # TODO: add ability to configure certificates given either a local file to
 #       point to or certificate contents, set in default cert locations.
+- debug: var=openshift_version
+- fail:
 
 # Authentication Variable Validation
 # TODO: validate the different identity provider kinds as well