
Merge pull request #1326 from detiber/bz1303939

Fix infra_node deployment
Brenton Leanhardt 9 years ago
parent
commit
5678a61006

+ 21 - 30
playbooks/common/openshift-master/config.yml

@@ -174,10 +174,10 @@
       master_cert_subdir: master-{{ openshift.common.hostname }}
       master_cert_config_dir: "{{ openshift.common.config_base }}/master"
   - set_fact:
-      openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['nodes'])
+      openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'])
                                  | oo_nodes_with_label('region', 'infra')
                                  | oo_collect('inventory_hostname') }}"
-    when: openshift_infra_nodes is not defined
+    when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0
 
 - name: Configure master certificates
   hosts: oo_first_master
@@ -364,6 +364,8 @@
 - name: Additional master configuration
   hosts: oo_first_master
   vars:
+    cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}"
+    etcd_urls: "{{ openshift.master.etcd_urls }}"
     openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
     omc_cluster_hosts: "{{ groups.oo_masters_to_config | join(' ')}}"
   roles:
@@ -375,30 +377,16 @@
     when: openshift.common.use_cluster_metrics | bool
   - role: openshift_manageiq
     when: openshift.common.use_manageiq | bool
-
-- name: Enable cockpit
-  hosts: oo_first_master
-  vars:
-    cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}"
-  roles:
   - role: cockpit
     when: not openshift.common.is_atomic and ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and
       (osm_use_cockpit | bool or osm_use_cockpit is undefined )
-
-- name: Configure flannel
-  hosts: oo_first_master
-  vars:
-    etcd_urls: "{{ openshift.master.etcd_urls }}"
-  roles:
   - role: flannel_register
     when: openshift.common.use_flannel | bool
+  - role: pods
+    when: openshift.common.deployment_type == 'online'
+  - role: os_env_extras
+    when: openshift.common.deployment_type == 'online'
 
-# Additional instance config for online deployments
-- name: Additional instance config
-  hosts: oo_masters_deployment_type_online
-  roles:
-  - pods
-  - os_env_extras
 
 - name: Delete temporary directory on localhost
   hosts: localhost
@@ -409,22 +397,25 @@
   - file: name={{ g_master_mktemp.stdout }} state=absent
     changed_when: False
 
-- name: Configure service accounts
-  hosts: oo_first_master
-  vars:
-    accounts: ["router", "registry"]
-  roles:
-  - openshift_serviceaccounts
-
-- name: Create persistent volumes and services
+- name: Create persistent volumes and create hosted services
   hosts: oo_first_master
   vars:
+    attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
+    deploy_infra: "{{ openshift.master.infra_nodes | default([]) | length > 0 }}"
     persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}"
     persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}"
   roles:
   - role: openshift_persistent_volumes
     when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0
+  - role: openshift_serviceaccounts
+    openshift_serviceaccounts_names:
+    - router
+    - registry
+    openshift_serviceaccounts_namespace: default
+    openshift_serviceaccounts_sccs:
+    - privileged
   - role: openshift_router
-    when: openshift.master.infra_nodes is defined
+    when: deploy_infra | bool
   - role: openshift_registry
-    when: openshift.master.infra_nodes is defined and openshift.hosted.registry.storage.kind != None
+    when: deploy_infra | bool and attach_registry_volume | bool
+
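Review bot: The `openshift_serviceaccounts` role entry in the "Create persistent volumes and create hosted services" play has no `when`, so the `router` and `registry` service accounts in `default` are added to the `privileged` SCC on every run. That includes runs where `deploy_infra` is false and neither `openshift_router` nor `openshift_registry` is applied. A privileged SCC grant on accounts that nothing uses is standing privilege that any pod running under those accounts could later pick up. Consider gating the role like its consumers with `when: deploy_infra | bool`. A comment above it, such as `# privileged SCC is only required by the router and registry pods deployed below`, would help if that is the reason; the hunk does not state why privileged is needed.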

+ 1 - 0
playbooks/common/openshift-node/config.yml

@@ -176,6 +176,7 @@
 - name: Evaluate node groups
   hosts: localhost
   become: no
+  connection: local
   tasks:
   - name: Evaluate oo_containerized_master_nodes
     add_host:

+ 15 - 0
roles/fluentd_master/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: Fluentd Master
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - monitoring
+  dependencies:
+  - openshift_facts
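Review bot: `dependencies:` is indented under `galaxy_info`, but Ansible reads role dependencies from a top-level `dependencies` key in meta/main.yml, so as written `openshift_facts` would not be pulled in for this role. The same indentation appears in the additions to roles/openshift_registry/meta/main.yml and roles/openshift_router/meta/main.yml, while roles/openshift_serviceaccounts/meta/main.yml in this commit correctly places the key at column 0. Move it out of `galaxy_info` in all three files, i.e. `dependencies:` at column 0 followed by `- { role: openshift_facts }`. Otherwise the roles only work when some earlier role happens to have gathered the facts.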

+ 0 - 6
roles/openshift_registry/README.md

@@ -17,12 +17,6 @@ From this role:
 |--------------------|-------------------------------------------------------|---------------------|
 |                    |                                                       |                     |
 
-From openshift_common:
-
-| Name                  | Default value |                                      |
-|-----------------------|---------------|--------------------------------------|
-| openshift_debug_level | 2             | Global openshift debug log verbosity |
-
 
 Dependencies
 ------------

+ 3 - 1
roles/openshift_registry/meta/main.yml

@@ -4,10 +4,12 @@ galaxy_info:
   description: OpenShift Embedded Docker Registry
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.7
+  min_ansible_version: 1.9
   platforms:
   - name: EL
     versions:
     - 7
   categories:
   - cloud
+  dependencies:
+  - openshift_facts

+ 0 - 5
roles/openshift_router/README.md

@@ -16,11 +16,6 @@ From this role:
 |--------------------|-------------------------------------------------------|---------------------|
 |                    |                                                       |                     |
 
-From openshift_common:
-| Name                  | Default value |                                      |
-|-----------------------|---------------|--------------------------------------|
-| openshift_debug_level | 2             | Global openshift debug log verbosity |
-
 Dependencies
 ------------
 

+ 3 - 1
roles/openshift_router/meta/main.yml

@@ -4,10 +4,12 @@ galaxy_info:
   description: OpenShift Embedded Router
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.7
+  min_ansible_version: 1.9
   platforms:
   - name: EL
     versions:
     - 7
   categories:
   - cloud
+  dependencies:
+  - openshift_facts

+ 15 - 0
roles/openshift_serviceaccounts/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift Operations
+  description: OpenShift Service Accounts
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- { role: openshift_facts }

+ 28 - 31
roles/openshift_serviceaccounts/tasks/main.yml

@@ -1,36 +1,33 @@
-- name: tmp dir for openshift
-  file:
-    path: /tmp/openshift
-    state: directory
-    owner: root
-    mode: 700
-
-- name: Create service account configs
-  template:
-    src: serviceaccount.j2
-    dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-
-- name: Create {{ item }} service account
+- name: test if service accounts exists
   command: >
-    {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-  register: _sa_result
-  failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
-  changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+      {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
+  with_items: openshift_serviceaccounts_names
+  failed_when: false
+  changed_when: false
+  register: account_test
 
-- name: Get current security context constraints
+- name: create the service account
   shell: >
-    {{ openshift.common.client_binary }} get scc privileged -o yaml
-    --output-version=v1 > /tmp/openshift/scc.yaml
-  changed_when: false
+       echo {{ lookup('template', '../templates/serviceaccount.j2')
+               | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }}  create -f -
+  when: item.1.rc != 0
+  with_together:
+  - openshift_serviceaccounts_names
+  - account_test.results
 
-- name: Add security context constraint for {{ item }}
-  lineinfile:
-    dest: /tmp/openshift/scc.yaml
-    line: "- system:serviceaccount:default:{{ item }}"
-    insertafter: "^users:$"
-  with_items: accounts
+- name: test if scc needs to be updated
+  command: >
+      {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
+  changed_when: false
+  failed_when: false
+  register: scc_test
+  with_items: openshift_serviceaccounts_sccs
 
-- name: Apply new scc rules for service accounts
-  command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- name: Grant the user access to the privileged scc
+  command: >
+      {{ openshift.common.admin_binary }} policy add-scc-to-user
+      privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
+  when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+  with_nested:
+  - openshift_serviceaccounts_names
+  - scc_test.results
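Review bot: The grant task iterates over every entry of `openshift_serviceaccounts_sccs` through `scc_test.results`, but the command hard-codes `privileged`. If a caller passes a less powerful SCC, the account is still added to `privileged` whenever it is missing from that other SCC's user list. Use the looped value instead, `{{ openshift.common.admin_binary }} policy add-scc-to-user {{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}`, and rename the task to match. Separately, `failed_when: false` on both lookups combined with `when: item.1.rc == 0` means a failed `get scc` (bad credentials, API unreachable) silently skips the grant. The `create -f -` call also omits `-n {{ openshift_serviceaccounts_namespace }}` although the existence test uses it, so the account may be created in a different namespace than the one checked.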

+ 1 - 1
roles/openshift_serviceaccounts/templates/serviceaccount.j2

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ item }}
+  name: {{ item.0 }}