From 7b316631a2b988318b47d3a50a7b66e3ff3fdbd2 Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Wed, 10 Jun 2015 10:31:39 -0400 Subject: Update for RC2 changes Remove openshift-deployer.kubeconfig from master template Sync config template Update enterprise image names Switch to node auto registration Add deployer to list of serviceAccountConfig.managedNames Move package installation before registering facts change default kubeconfig location Change system:openshift-client to system:openshift-master Rename node cert/key/kubeconfig per openshift/origin#3160 Update references to /var/lib/openshift/openshift.local.certificates --- README_OSE.md | 12 ++++---- README_origin.md | 6 ++-- inventory/byo/hosts | 2 +- playbooks/common/openshift-node/config.yml | 10 ++++--- roles/openshift_common/tasks/main.yml | 1 - roles/openshift_facts/library/openshift_facts.py | 8 +++-- roles/openshift_master/tasks/main.yml | 25 ++++++++-------- roles/openshift_master/templates/master.yaml.v1.j2 | 29 ++++++++++++++---- roles/openshift_node/tasks/main.yml | 28 ++++++++--------- roles/openshift_node/templates/node.yaml.v1.j2 | 6 ++-- roles/openshift_node_certificates/README.md | 34 +++++++++++++++++++++ roles/openshift_node_certificates/meta/main.yml | 16 ++++++++++ roles/openshift_node_certificates/tasks/main.yml | 35 ++++++++++++++++++++++ roles/openshift_node_certificates/vars/main.yml | 8 +++++ roles/openshift_register_nodes/README.md | 23 ++------------ roles/openshift_register_nodes/tasks/main.yml | 7 +++-- 16 files changed, 176 insertions(+), 74 deletions(-) create mode 100644 roles/openshift_node_certificates/README.md create mode 100644 roles/openshift_node_certificates/meta/main.yml create mode 100644 roles/openshift_node_certificates/tasks/main.yml create mode 100644 roles/openshift_node_certificates/vars/main.yml diff --git a/README_OSE.md b/README_OSE.md index dffabc714..5a691053c 100644 --- a/README_OSE.md +++ b/README_OSE.md @@ -19,7 +19,7 @@ * Either ssh key based auth for the root user or ssh key based auth for a user with sudo access (no password) * A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/ - + ```sh git clone https://github.com/openshift/openshift-ansible.git cd openshift-ansible @@ -80,7 +80,7 @@ ansible_ssh_user=root deployment_type=enterprise # Pre-release registry URL -oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version} +oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version} # Pre-release additional repo openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', @@ -120,16 +120,16 @@ inventory file use the -i option for ansible-playbook. On the master host: ```sh openshift ex router --create=true \ - --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig \ - --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}' + --credentials=/etc/openshift/master/openshift-router.kubeconfig \ + --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}' ``` #### Create the default docker-registry On the master host: ```sh openshift ex registry --create=true \ - --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \ - --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}' \ + --credentials=/etc/openshift/master/openshift-registry.kubeconfig \ + --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}' \ --mount-host=/var/lib/openshift/docker-registry ``` diff --git a/README_origin.md b/README_origin.md index 5b3fd2435..32287d65c 100644 --- a/README_origin.md +++ b/README_origin.md @@ -19,7 +19,7 @@ * Either ssh key based auth for the root user or ssh key based auth for a user with sudo access (no password) * A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/ - + ```sh git clone https://github.com/openshift/openshift-ansible.git cd openshift-ansible @@ -92,14 +92,14 @@ inventory file use the -i option for ansible-playbook. On the master host: ```sh openshift ex router --create=true \ - --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig + --credentials=/etc/openshift/master/openshift-router.kubeconfig ``` #### Create the default docker-registry On the master host: ```sh openshift ex registry --create=true \ - --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \ + --credentials=/etc/openshift/master/openshift-registry.kubeconfig \ --mount-host=/var/lib/openshift/docker-registry ``` diff --git a/inventory/byo/hosts b/inventory/byo/hosts index 4d4da5468..ab54ce2db 100644 --- a/inventory/byo/hosts +++ b/inventory/byo/hosts @@ -17,7 +17,7 @@ ansible_ssh_user=root deployment_type=enterprise # Pre-release registry URL -oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version} +oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version} # Pre-release additional repo openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/3.0/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}] diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 9e642f3d3..2d2560db4 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -27,10 +27,12 @@ stat: path: "{{ item }}" with_items: - - "/etc/openshift/node/node.key" - - "/etc/openshift/node/node.kubeconfig" + - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.crt" + - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.key" + - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.kubeconfig" - "/etc/openshift/node/ca.crt" - "/etc/openshift/node/server.key" + - "/etc/openshift/node/server.crt" register: stat_result - set_fact: certs_missing: "{{ stat_result.results | map(attribute='stat.exists') @@ -50,7 +52,7 @@ register: mktemp changed_when: False -- name: Register nodes +- name: Create node certificates hosts: oo_first_master vars: nodes_needing_certs: "{{ hostvars @@ -60,7 +62,7 @@ | oo_select_keys(groups['oo_nodes_to_config']) }}" sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}" roles: - - openshift_register_nodes + - openshift_node_certificates post_tasks: - name: Create a tarball of the node config directories command: > diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml index f76dd84ed..a7c565067 100644 --- a/roles/openshift_common/tasks/main.yml +++ b/roles/openshift_common/tasks/main.yml @@ -15,4 +15,3 @@ - name: Set hostname hostname: name={{ openshift.common.hostname }} - diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 7bc7c3260..1b789ca89 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -298,10 +298,10 @@ def set_registry_url_if_unset(facts): if 'registry_url' not in facts[role]: registry_url = "openshift/origin-${component}:${version}" if deployment_type == 'enterprise': - registry_url = "openshift3_beta/ose-${component}:${version}" + registry_url = "openshift3/ose-${component}:${version}" elif deployment_type == 'online': registry_url = ("docker-registry.ops.rhcloud.com/" - "openshift3_beta/ose-${component}:${version}") + "openshift3/ose-${component}:${version}") facts[role]['registry_url'] = registry_url return facts @@ -450,7 +450,9 @@ def get_current_config(facts): # TODO: parse the /etc/sysconfig/openshift-{master,node} config to # determine the location of files. - + # TODO: I suspect this isn't working right now, but it doesn't prevent + # anything from working properly as far as I can tell, perhaps because + # we override the kubeconfig path everywhere we use it? # Query kubeconfig settings kubeconfig_dir = '/var/lib/openshift/openshift.local.certificates' if role == 'node': diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 23f8b4649..da0a663ec 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -8,6 +8,15 @@ - openshift_master_oauth_grant_method in openshift_master_valid_grant_methods when: openshift_master_oauth_grant_method is defined +- name: Install OpenShift Master package + yum: pkg=openshift-master state=present + register: install_result + +# TODO: Is this necessary or was this a workaround for an old bug in packaging? +- name: Reload systemd units + command: systemctl daemon-reload + when: install_result | changed + - name: Set master OpenShift facts openshift_facts: role: master @@ -51,14 +60,6 @@ domain: cluster.local when: openshift.master.embedded_dns -- name: Install OpenShift Master package - yum: pkg=openshift-master state=present - register: install_result - -- name: Reload systemd units - command: systemctl daemon-reload - when: install_result | changed - - name: Create config parent directory if it doesn't exist file: path: "{{ openshift_master_config_dir }}" @@ -130,7 +131,7 @@ - name: Create the OpenShift client config dir(s) file: - path: "~{{ item }}/.config/openshift" + path: "~{{ item }}/.kube" state: directory mode: 0700 owner: "{{ item }}" @@ -142,16 +143,16 @@ # TODO: Update this file if the contents of the source file are not present in # the dest file, will need to make sure to ignore things that could be added - name: Copy the OpenShift admin client config(s) - command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.config/openshift/.config + command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config args: - creates: ~{{ item }}/.config/openshift/.config + creates: ~{{ item }}/.kube/config with_items: - root - "{{ ansible_ssh_user }}" - name: Update the permissions on the OpenShift admin client config(s) file: - path: "~{{ item }}/.config/openshift/.config" + path: "~{{ item }}/.kube/config" state: file mode: 0700 owner: "{{ item }}" diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 1c2d37b63..9df07e925 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -1,3 +1,6 @@ +apiLevels: +- v1beta3 +- v1 apiVersion: v1 assetConfig: logoutURL: "" @@ -8,6 +11,8 @@ assetConfig: certFile: master.server.crt clientCA: "" keyFile: master.server.key + maxRequestsInFlight: 0 + requestTimeoutSeconds: 0 corsAllowedOrigins: {# TODO: add support for user specified corsAllowedOrigins #} {% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %} @@ -43,9 +48,9 @@ etcdConfig: {% endif %} etcdStorageConfig: kubernetesStoragePrefix: kubernetes.io - kubernetesStorageVersion: v1beta3 - kubernetesStoragePrefix: kubernetes.io - openShiftStorageVersion: v1beta3 + kubernetesStorageVersion: v1 + openShiftStoragePrefix: openshift.io + openShiftStorageVersion: v1 imageConfig: format: {{ openshift.master.registry_url }} latest: false @@ -58,18 +63,24 @@ kubeletClientInfo: port: 10250 {% if openshift.master.embedded_kube %} kubernetesMasterConfig: + apiLevels: + - v1beta3 + - v1 + apiServerArguments: null + controllerArguments: null {# TODO: support overriding masterCount #} masterCount: 1 masterIP: "" + podEvictionTimeout: "" schedulerConfigFile: {{ openshift_master_scheduler_conf }} + servicesNodePortRange: "" servicesSubnet: {{ openshift.master.portal_net }} staticNodeNames: {{ openshift_node_ips | default([], true) }} {% endif %} masterClients: {# TODO: allow user to set externalKubernetesKubeConfig #} - deployerKubeConfig: openshift-deployer.kubeconfig externalKubernetesKubeConfig: "" - openshiftLoopbackKubeConfig: openshift-client.kubeconfig + openshiftLoopbackKubeConfig: openshift-master.kubeconfig masterPublicURL: {{ openshift.master.public_api_url }} networkConfig: clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }} @@ -78,16 +89,22 @@ networkConfig: {% include 'v1_partials/oauthConfig.j2' %} policyConfig: bootstrapPolicyFile: {{ openshift_master_policy }} + openshiftInfrastructureNamespace: openshift-infra openshiftSharedResourcesNamespace: openshift {# TODO: Allow users to override projectConfig items #} projectConfig: defaultNodeSelector: "" projectRequestMessage: "" projectRequestTemplate: "" + securityAllocator: + mcsAllocatorRange: s0:/2 + mcsLabelsPerProject: 5 + uidAllocatorRange: 1000000000-1999999999/10000 serviceAccountConfig: managedNames: - default - builder + - deployer privateKeyFile: serviceaccounts.private.key publicKeyFiles: - serviceaccounts.public.key @@ -96,3 +113,5 @@ servingInfo: certFile: master.server.crt clientCA: ca.crt keyFile: master.server.key + maxRequestsInFlight: 0 + requestTimeoutSeconds: 0 diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 15d18f510..770b55351 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -1,6 +1,20 @@ --- # TODO: allow for overriding default ports where possible +- name: Install OpenShift Node package + yum: pkg=openshift-node state=present + register: node_install_result + +- name: Install openshift-sdn-ovs + yum: pkg=openshift-sdn-ovs state=present + register: sdn_install_result + when: openshift.common.use_openshift_sdn + +- name: Reload systemd units + command: systemctl daemon-reload + when: (node_install_result | changed or (openshift.common.use_openshift_sdn + and sdn_install_result | changed)) + - name: Set node OpenShift facts openshift_facts: role: "{{ item.role }}" @@ -22,20 +36,6 @@ debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" portal_net: "{{ openshift_master_portal_net | default(None) }}" -- name: Install OpenShift Node package - yum: pkg=openshift-node state=present - register: node_install_result - -- name: Install openshift-sdn-ovs - yum: pkg=openshift-sdn-ovs state=present - register: sdn_install_result - when: openshift.common.use_openshift_sdn - -- name: Reload systemd units - command: systemctl daemon-reload - when: (node_install_result | changed or (openshift.common.use_openshift_sdn - and sdn_install_result | changed)) - # TODO: add the validate parameter when there is a validation command to run - name: Create the Node config template: diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index cab75cd49..f313f6a4b 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -2,14 +2,16 @@ allowDisabledDocker: false apiVersion: v1 dnsDomain: {{ hostvars[openshift_first_master].openshift.dns.domain }} dnsIP: {{ hostvars[openshift_first_master].openshift.dns.ip }} +dockerConfig: + execHandlerName: "" imageConfig: format: {{ openshift.node.registry_url }} latest: false kind: NodeConfig -masterKubeConfig: node.kubeconfig +masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig networkPluginName: {{ openshift.common.sdn_network_plugin_name }} nodeName: {{ openshift.common.hostname }} -podManifestConfig: null +podManifestConfig: servingInfo: bindAddress: 0.0.0.0:10250 certFile: server.crt diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md new file mode 100644 index 000000000..c6304e4b0 --- /dev/null +++ b/roles/openshift_node_certificates/README.md @@ -0,0 +1,34 @@ +OpenShift Node Certificates +======================== + +TODO + +Requirements +------------ + +TODO + +Role Variables +-------------- + +TODO + +Dependencies +------------ + +TODO + +Example Playbook +---------------- + +TODO + +License +------- + +Apache License Version 2.0 + +Author Information +------------------ + +Jason DeTiberus (jdetiber@redhat.com) diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml new file mode 100644 index 000000000..f3236e850 --- /dev/null +++ b/roles/openshift_node_certificates/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.8 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- { role: openshift_facts } diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml new file mode 100644 index 000000000..1b68bc673 --- /dev/null +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -0,0 +1,35 @@ +--- +- name: Create openshift_generated_configs_dir if it doesn't exist + file: + path: "{{ openshift_generated_configs_dir }}" + state: directory + +- name: Generate the node client config + command: > + {{ openshift.common.admin_binary }} create-api-client-config + --certificate-authority={{ openshift_master_ca_cert }} + --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }} + --groups=system:nodes + --master={{ openshift.master.api_url }} + --signer-cert={{ openshift_master_ca_cert }} + --signer-key={{ openshift_master_ca_key }} + --signer-serial={{ openshift_master_ca_serial }} + --user=system:node:{{ item.openshift.common.hostname }} + args: + chdir: "{{ openshift_generated_configs_dir }}" + creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" + with_items: nodes_needing_certs + +- name: Generate the node server certificate + delegate_to: "{{ openshift_first_master }}" + command: > + {{ openshift.common.admin_binary }} create-server-cert + --cert=server.crt --key=server.key --overwrite=true + --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname]|unique|join(",") }} + --signer-cert={{ openshift_master_ca_cert }} + --signer-key={{ openshift_master_ca_key }} + --signer-serial={{ openshift_master_ca_serial }} + args: + chdir: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" + creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt" + with_items: nodes_needing_certs diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml new file mode 100644 index 000000000..3801b8427 --- /dev/null +++ b/roles/openshift_node_certificates/vars/main.yml @@ -0,0 +1,8 @@ +--- +openshift_node_config_dir: /etc/openshift/node +openshift_master_config_dir: /etc/openshift/master +openshift_generated_configs_dir: /etc/openshift/generated-configs +openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" +openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" +openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" +openshift_kube_api_version: v1beta3 diff --git a/roles/openshift_register_nodes/README.md b/roles/openshift_register_nodes/README.md index b96faa044..b1d2000f1 100644 --- a/roles/openshift_register_nodes/README.md +++ b/roles/openshift_register_nodes/README.md @@ -1,27 +1,8 @@ OpenShift Register Nodes ======================== -TODO - -Requirements ------------- - -TODO - -Role Variables --------------- - -TODO - -Dependencies ------------- - -TODO - -Example Playbook ----------------- - -TODO +DEPRECATED!!! +Nodes should now auto register themselves. Use openshift_node_certificates role instead. License ------- diff --git a/roles/openshift_register_nodes/tasks/main.yml b/roles/openshift_register_nodes/tasks/main.yml index 11097a7cf..502dffc26 100644 --- a/roles/openshift_register_nodes/tasks/main.yml +++ b/roles/openshift_register_nodes/tasks/main.yml @@ -14,7 +14,7 @@ --signer-cert={{ openshift_master_ca_cert }} --signer-key={{ openshift_master_ca_key }} --signer-serial={{ openshift_master_ca_serial }} - --user=system:node-{{ item.openshift.common.hostname }} + --user=system:node:{{ item.openshift.common.hostname }} args: chdir: "{{ openshift_generated_configs_dir }}" creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}" @@ -37,7 +37,7 @@ - name: Register unregistered nodes kubernetes_register_node: kubectl_cmd: "{{ [openshift.common.client_binary] }}" - default_client_config: '~/.config/openshift/.config' + default_client_config: '~/.kube/config' name: "{{ item.openshift.common.hostname }}" api_version: "{{ openshift_kube_api_version }}" cpu: "{{ item.openshift.node.resources_cpu | default(None) }}" @@ -46,5 +46,8 @@ host_ip: "{{ item.openshift.common.ip }}" labels: "{{ item.openshift.node.labels | default({}) }}" annotations: "{{ item.openshift.node.annotations | default({}) }}" + client_context: default/ose3-master-example-com:8443/system:openshift-master + client_user: system:openshift-master/ose3-master-example-com:8443 + client_cluster: ose3-master-example-com:8443 with_items: openshift_nodes register: register_result -- cgit v1.2.1