additional ha related updates

playbooks/byo/openshift-cluster/config.yml

@@ -4,6 +4,7 @@
     g_etcd_group: "{{ 'etcd' }}"
     g_masters_group: "{{ 'masters' }}"
     g_nodes_group: "{{ 'nodes' }}"
+    g_lb_group: "{{ 'lb' }}"
     openshift_cluster_id: "{{ cluster_id | default('default') }}"
     openshift_debug_level: 2
     openshift_deployment_type: "{{ deployment_type }}"

playbooks/common/openshift-cluster/config.yml

@@ -1,6 +1,14 @@
 ---
 - include: evaluate_groups.yml
 
+  - name: Evaluate oo_lb_to_config
+    add_host:
+      name: "{{ item }}"
+      groups: oo_lb_to_config
+      ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
+      ansible_sudo: "{{ g_sudo | default(omit) }}"
+    with_items: groups[g_lb_group] | default(groups[g_masters_group]) | default([])
+
 - include: ../openshift-etcd/config.yml
 
 - include: ../openshift-master/config.yml

playbooks/common/openshift-master/config.yml

@@ -209,7 +209,24 @@
       parsed_named_certificates: "{{ openshift_master_named_certificates | oo_parse_certificate_names(master_cert_config_dir, openshift.common.internal_hostnames) }}"
     when: openshift_master_named_certificates is defined
 
-- name: Compute haproxy_backend_servers
+- name: Fetch master server certificate for load balancer
+  hosts: oo_first_master
+  vars:
+    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
+  tasks:
+  - file:
+      path: "{{ sync_tmpdir }}/haproxy_cert"
+      state: directory
+  - fetch:
+      src: /etc/origin/master/master.server.crt
+      dest: "{{ sync_tmpdir }}/haproxy_cert/server.crt"
+      flat: yes
+  - fetch:
+      src: /etc/origin/master/master.server.key
+      dest: "{{ sync_tmpdir }}/haproxy_cert/server.key"
+      flat: yes
+
+- name: Compute haproxy_backend_servers and combine certificate
   hosts: localhost
   connection: local
   sudo: false
@@ -217,24 +234,44 @@
   tasks:
   - set_fact:
       haproxy_backend_servers: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_haproxy_backend_masters }}"
+  - shell: cat server.crt server.key > server.pem
+    args:
+      chdir: "{{ g_master_mktemp.stdout }}/haproxy_cert"
+      creates: "{{ g_master_mktemp.stdout }}/haproxy_cert/server.pem"
+
 
 - name: Configure load balancers
-  hosts: oo_first_master
+  hosts: oo_lb_to_config
   vars:
+    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
     haproxy_frontends:
-    - name: atomic-openshift
-      bind: "*:80"
-      default_backend: atomic-openshift
+    - name: atomic-openshift-api
+      options:
+      - tcplog
+      binds:
+      - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }} ssl crt /etc/haproxy/server.pem"
+      default_backend: atomic-openshift-api
     haproxy_backends:
-    - name: atomic-openshift
+    - name: atomic-openshift-api
       balance: roundrobin
       servers: "{{ hostvars.localhost.haproxy_backend_servers }}"
+  pre_tasks:
+  - file:
+      path: /etc/haproxy
+      state: directory
+  - copy:
+      src: "{{ sync_tmpdir }}/haproxy_cert/server.pem"
+      dest: /etc/haproxy/server.pem
+      mode: 0600
+      owner: root
+      group: root
   roles:
   - role: haproxy
     when: groups.oo_masters_to_config | length > 1
 
 - name: Configure master instances
   hosts: oo_masters_to_config
+  serial: 1
   vars:
     named_certificates: "{{ hostvars[groups['oo_first_master'][0]]['parsed_named_certificates'] | default([])}}"
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"

roles/haproxy/defaults/main.yml

@@ -1,7 +1,8 @@
 ---
 haproxy_frontends:
 - name: main
-  bind: "*:80"
+  binds:
+  - "*:80"
   default_backend: default
 
 haproxy_backends:

roles/haproxy/templates/haproxy.cfg.j2

@@ -35,13 +35,36 @@ defaults
 
 {% for frontend in haproxy_frontends %}
 frontend  {{ frontend.name }}
-    bind {{ frontend.bind }}
+{% for bind in frontend.binds %}
+    bind {{ bind }}
+{% endfor %}
     default_backend {{ frontend.default_backend }}
+{% if 'mode' in frontend %}
+    mode {{ frontend.mode }}
+{% endif %}
+{% if 'options' in frontend %}
+{% for option in frontend.options %}
+    option {{ option }}
+{% endfor %}
+{% endif %}
+{% if 'redirects' in frontend %}
+{% for redirect in frontend.redirects %}
+    redirect {{ redirect }}
+{% endfor %}
+{% endif %}
 {% endfor %}
 
 {% for backend in haproxy_backends %}
 backend {{ backend.name }}
     balance {{ backend.balance }}
+{% if 'mode' in backend %}
+    mode {{ backend.mode }}
+{% endif %}
+{% if 'options' in backend %}
+{% for option in backend.options %}
+    option {{ option }}
+{% endfor %}
+{% endif %}
 {% for server in backend.servers %}
     server      {{ server.name }} {{ server.address }} {{ server.opts }}
 {% endfor %}

roles/openshift_master/handlers/main.yml

@@ -2,3 +2,11 @@
 - name: restart master
   service: name={{ openshift.common.service_type }}-master state=restarted
   when: (not openshift_master_ha | bool) and (not master_service_status_changed | default(false))
+
+- name: restart master api
+  service: name={{ openshift.common.service_type }}-master-api state=restarted
+  when: openshift_master_ha | bool
+
+- name: restart master controllers
+  service: name={{ openshift.common.service_type }}-master-controllers state=restarted
+  when: openshift_master_ha | bool

roles/openshift_master/tasks/main.yml

@@ -91,6 +91,8 @@
     creates: "{{ openshift_master_policy }}"
   notify:
   - restart master
+  - restart master api
+  - restart master controllers
 
 - name: Create the scheduler config
   template:
@@ -99,6 +101,8 @@
     backup: true
   notify:
   - restart master
+  - restart master api
+  - restart master controllers
 
 - name: Install httpd-tools if needed
   yum: pkg=httpd-tools state=present
@@ -121,6 +125,30 @@
   when: item.kind == 'HTPasswdPasswordIdentityProvider'
   with_items: openshift.master.identity_providers
 
+# workaround for missing systemd unit files for controllers/api
+- name: Create the api service file
+  copy:
+    src: atomic-openshift-master-api.service
+    dest: /usr/lib/systemd/system/atomic-openshift-master-api.service
+    force: no
+- name: Create the controllers service file
+  copy:
+    src: atomic-openshift-master-controllers.service
+    dest: /usr/lib/systemd/system/atomic-openshift-master-controllers.service
+    force: no
+- name: Create the api env file
+  copy:
+    src: atomic-openshift-master-api
+    dest: /etc/sysconfig/atomic-openshift-master-api
+    force: no
+- name: Create the controllers env file
+  copy:
+    src: atomic-openshift-master-controllers
+    dest: /etc/sysconfig/atomic-openshift-master-controllers
+    force: no
+- command: systemctl daemon-reload
+# end workaround for missing systemd unit files
+
 # TODO: add the validate parameter when there is a validation command to run
 - name: Create master config
   template:
@@ -129,6 +157,8 @@
     backup: true
   notify:
   - restart master
+  - restart master api
+  - restart master controllers
 
 - name: Configure master settings
   lineinfile:
@@ -143,9 +173,61 @@
   notify:
   - restart master
 
+- name: Configure master api settings
+  lineinfile:
+    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api
+    regexp: "{{ item.regex }}"
+    line: "{{ item.line }}"
+  with_items:
+    - regex: '^OPTIONS='
+      line: "OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen=https://0.0.0.0:8443 --master=https://{{ openshift.common.ip }}:8443"
+    - regex: '^CONFIG_FILE='
+      line: "CONFIG_FILE={{ openshift_master_config_file }}"
+  notify:
+  - restart master api
+
+- name: Configure master controller settings
+  lineinfile:
+    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
+    regexp: "{{ item.regex }}"
+    line: "{{ item.line }}"
+  with_items:
+    - regex: '^OPTIONS='
+      line: "OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen=https://0.0.0.0:8444"
+    - regex: '^CONFIG_FILE='
+      line: "CONFIG_FILE={{ openshift_master_config_file }}"
+  notify:
+  - restart master controllers
+
 - name: Start and enable master
   service: name={{ openshift.common.service_type }}-master enabled=yes state=started
-#  when: not openshift_master_ha | bool
+  when: not openshift_master_ha | bool
+  register: start_result
+
+# workaround for start bug when configuring ha
+- name: Start master for ha workaround
+  service: name={{ openshift.common.service_type }}-master state=started
+  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
+
+- name: pause for 30 seconds to let master finish starting up for ha workaround
+  pause: seconds=30
+  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
+
+- name: Stop master for ha workaround
+  service: name={{ openshift.common.service_type }}-master state=stopped
+  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
+# end workaround for start bug when configuring ha
+
+- fail:
+
+- name: Start and enable master api
+  service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started
+  when: openshift_master_ha | bool
+  register: start_result
+
+- name: Start and enable master controller
+  service: name={{ openshift.common.service_type }}-master-controllers enabled=yes state=started
+  when: openshift_master_ha | bool
   register: start_result
 
 - set_fact:

roles/openshift_master/templates/master.yaml.v1.j2

@@ -10,13 +10,16 @@ assetConfig:
   publicURL: {{ openshift.master.public_console_url }}/
   servingInfo:
     bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.console_port }}
+    bindNetwork: tcp4
     certFile: master.server.crt
     clientCA: ""
     keyFile: master.server.key
     maxRequestsInFlight: 0
     requestTimeoutSeconds: 0
+controllerLeaseTTL: 0
+controllers: '*'
 corsAllowedOrigins:
-{% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] | unique %}
+{% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %}
   - {{ origin }}
 {% endfor %}
 {% for custom_origin in openshift.master.custom_cors_origins | default("") %}
@@ -29,8 +32,10 @@ corsAllowedOrigins:
 disabledFeatures: {{ openshift.master.disabled_features | to_json }}
 {% endif %}
 {% if openshift.master.embedded_dns | bool %}
+disabledFeatures: null
 dnsConfig:
   bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.dns_port }}
+  bindNetwork: tcp4
 {% endif %}
 etcdClientInfo:
   ca: {{ "ca.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
@@ -81,13 +86,13 @@ kubernetesMasterConfig:
   apiServerArguments: {{ api_server_args if api_server_args is defined else 'null' }}
   controllerArguments: {{ controller_args if controller_args is defined else 'null' }}
   masterCount: {{ openshift.master.master_count }}
-  masterIP: ""
-  podEvictionTimeout: ""
+  masterIP: {{ openshift.common.ip }}
+  podEvictionTimeout: 5m
   proxyClientInfo:
     certFile: master.proxy-client.crt
     keyFile: master.proxy-client.key
   schedulerConfigFile: {{ openshift_master_scheduler_conf }}
-  servicesNodePortRange: ""
+  servicesNodePortRange: 30000-32767
   servicesSubnet: {{ openshift.master.portal_net }}
   staticNodeNames: {{ openshift_node_ips | default([], true) }}
 {% endif %}
@@ -105,6 +110,7 @@ networkConfig:
 # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
   serviceNetworkCIDR: {{ openshift.master.portal_net }}
 {% include 'v1_partials/oauthConfig.j2' %}
+pauseControllers: false
 policyConfig:
   bootstrapPolicyFile: {{ openshift_master_policy }}
   openshiftInfrastructureNamespace: openshift-infra
@@ -118,8 +124,9 @@ projectConfig:
     mcsLabelsPerProject: {{ openshift.master.mcs_labels_per_project }}
     uidAllocatorRange: "{{ openshift.master.uid_allocator_range  }}"
 routingConfig:
-  subdomain:  "{{ openshift.master.default_subdomain | default("") }}"
+  subdomain:  "{{ openshift.master.default_subdomain | default("router.default.svc.cluster.local") }}"
 serviceAccountConfig:
+  limitSecretReferences: false
   managedNames:
   - default
   - builder
@@ -130,6 +137,7 @@ serviceAccountConfig:
   - serviceaccounts.public.key
 servingInfo:
   bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.api_port }}
+  bindNetwork: tcp4
   certFile: master.server.crt
   clientCA: ca.crt
   keyFile: master.server.key