Various hosted component improvements

* [openshift_projects] Add openshift_projects role
* [openshift_hosted] hosted deployments use openshift_hosted_infra_selector if openshift_hosted_<component>_selector is not defined
* [openshift_hosted] move openshift_projects, openshift_serviceaccounts and openshift_metrics to dependencies of openshift_hosted
* [router] improve router deployment
  - add router option to force subdomain
  - add CA to router certificate options
* [registry] move registry config into openshift_hosted role
  - additional registry fixes/tweaks
  - add s3 storage support for registry
* [serviceaccount] fix up serviceaccount creation

filter_plugins/oo_filters.py

@@ -340,85 +340,6 @@ class FilterModule(object):
         return [x for x in data if filter_attr in x and x[filter_attr]]
 
     @staticmethod
-    def oo_oc_nodes_matching_selector(nodes, selector):
-        """ Filters a list of nodes by selector.
-
-            Examples:
-                nodes = [{"kind": "Node", "metadata": {"name": "node1.example.com",
-                          "labels": {"kubernetes.io/hostname": "node1.example.com",
-                          "color": "green"}}},
-                         {"kind": "Node", "metadata": {"name": "node2.example.com",
-                          "labels": {"kubernetes.io/hostname": "node2.example.com",
-                          "color": "red"}}}]
-                selector = 'color=green'
-                returns = ['node1.example.com']
-
-                nodes = [{"kind": "Node", "metadata": {"name": "node1.example.com",
-                          "labels": {"kubernetes.io/hostname": "node1.example.com",
-                          "color": "green"}}},
-                         {"kind": "Node", "metadata": {"name": "node2.example.com",
-                          "labels": {"kubernetes.io/hostname": "node2.example.com",
-                          "color": "red"}}}]
-                selector = 'color=green,color=red'
-                returns = ['node1.example.com','node2.example.com']
-
-            Args:
-                nodes (list[dict]): list of node definitions
-                selector (str): "label=value" node selector to filter `nodes` by
-            Returns:
-                list[str]: nodes filtered by selector
-        """
-        if not isinstance(nodes, list):
-            raise errors.AnsibleFilterError("failed expects nodes to be a list, got {0}".format(type(nodes)))
-        if not isinstance(selector, basestring):
-            raise errors.AnsibleFilterError("failed expects selector to be a string")
-        if not re.match('.*=.*', selector):
-            raise errors.AnsibleFilterError("failed selector does not match \"label=value\" format")
-        node_lists = []
-        for node_selector in ''.join(selector.split()).split(','):
-            label = node_selector.split('=')[0]
-            value = node_selector.split('=')[1]
-            node_lists.append(FilterModule.oo_oc_nodes_with_label(nodes, label, value))
-        nodes = set(node_lists[0])
-        for node_list in node_lists[1:]:
-            nodes.intersection_update(node_list)
-        return list(nodes)
-
-    @staticmethod
-    def oo_oc_nodes_with_label(nodes, label, value):
-        """ Filters a list of nodes by label, value.
-
-            Examples:
-                nodes = [{"kind": "Node", "metadata": {"name": "node1.example.com",
-                          "labels": {"kubernetes.io/hostname": "node1.example.com",
-                          "color": "green"}}},
-                         {"kind": "Node", "metadata": {"name": "node2.example.com",
-                          "labels": {"kubernetes.io/hostname": "node2.example.com",
-                          "color": "red"}}}]
-                label = 'color'
-                value = 'green'
-                returns = ['node1.example.com']
-            Args:
-                nodes (list[dict]): list of node definitions
-                label (str): label to filter `nodes` by
-                value (str): value of `label` to filter `nodes` by
-            Returns:
-                list[str]: nodes filtered by selector
-        """
-        if not isinstance(nodes, list):
-            raise errors.AnsibleFilterError("failed expects nodes to be a list")
-        if not isinstance(label, basestring):
-            raise errors.AnsibleFilterError("failed expects label to be a string")
-        if not isinstance(value, basestring):
-            raise errors.AnsibleFilterError("failed expects value to be a string")
-        matching_nodes = []
-        for node in nodes:
-            if label in node['metadata']['labels']:
-                if node['metadata']['labels'][label] == value:
-                    matching_nodes.append(node['metadata']['name'])
-        return matching_nodes
-
-    @staticmethod
     def oo_nodes_with_label(nodes, label, value=None):
         """ Filters a list of nodes by label and value (if provided)
 
@@ -707,7 +628,8 @@ class FilterModule(object):
             if regex.match(key):
                 facts[key] = hostvars[key]
 
-        migrations = {'openshift_router_selector': 'openshift_hosted_router_selector'}
+        migrations = {'openshift_router_selector': 'openshift_hosted_router_selector',
+                      'openshift_registry_selector': 'openshift_hosted_registry_selector'}
         for old_fact, new_fact in migrations.iteritems():
             if old_fact in facts and new_fact not in facts:
                 facts[new_fact] = facts[old_fact]
@@ -771,7 +693,7 @@ class FilterModule(object):
                                         fsType=filesystem,
                                         volumeID=volume_id)))
                             persistent_volumes.append(persistent_volume)
-                        else:
+                        elif kind != 'object':
                             msg = "|failed invalid storage kind '{0}' for component '{1}'".format(
                                 kind,
                                 component)
@@ -922,7 +844,5 @@ class FilterModule(object):
             "oo_get_hosts_from_hostvars": self.oo_get_hosts_from_hostvars,
             "oo_image_tag_to_rpm_version": self.oo_image_tag_to_rpm_version,
             "oo_merge_dicts": self.oo_merge_dicts,
-            "oo_oc_nodes_matching_selector": self.oo_oc_nodes_matching_selector,
-            "oo_oc_nodes_with_label": self.oo_oc_nodes_with_label,
             "oo_merge_hostvars": self.oo_merge_hostvars,
         }

inventory/byo/hosts.aep.example

@@ -140,6 +140,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #osm_mcs_labels_per_project=5
 #osm_uid_allocator_range='1000000000-1999999999/10000'
 
+# Configure additional projects
+#openshift_additional_projects={'my-project': {'default_node_selector': 'label=value'}}
+
 # Enable cockpit
 #osm_use_cockpit=true
 #
@@ -220,10 +223,15 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # based on the number of nodes matching the openshift router selector.
 #openshift_hosted_router_replicas=2
 #
+# Router force subdomain (optional)
+# A router path format to force on all routes used by this router
+# (will ignore the route host value)
+#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
+#
 # Router certificate (optional)
 # Provide local certificate paths which will be configured as the
 # router's default certificate.
-#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key"}
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
 
 # Openshift Registry Options
 #
@@ -239,7 +247,54 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Registry selector (optional)
 # Registry will only be created if nodes matching this label are present.
 # Default value: 'region=infra'
-#openshift_registry_selector='region=infra'
+#openshift_hosted_registry_selector='region=infra'
+#
+# Registry replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift registry selector.
+#openshift_hosted_registry_replicas=2
+
+# Registry Storage Options
+#
+# NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group.  For example, the volume
+# path using these options would be "/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_host=nfs.example.com
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# Openstack
+# Volume must already exist.
+#openshift_hosted_registry_storage_kind=openstack
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_openstack_filesystem=ext4
+#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# AWS S3
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
@@ -310,57 +365,6 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure dnsIP in the node config
 #openshift_dns_ip=172.30.0.1
 
-# Persistent Storage Options
-#
-## Registry Storage Options
-##
-## Storage Kind
-## Specifies which storage kind will be used for the registry.
-## "nfs" and "openstack" are supported kinds at this time.
-##openshift_hosted_registry_storage_kind=nfs
-##
-## Persistent Volume Access Mode
-## When using the 'openstack' storage kind, this has to be 'ReadWriteOnce'
-##openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
-##
-## Registry Volume Name
-## Specify the storage volume name. This directory will be created
-## within openshift_hosted_registry_storage_nfs_directory if
-## specifying an [nfs] group. Ex. /exports/registry
-## This variable must be supplied if using a pre-existing nfs server.
-##openshift_hosted_registry_storage_volume_name=registry
-##
-## NFS Specific Options
-##
-## Storage Host
-## This variable can be used to identify a pre-existing storage host
-## if a storage host group corresponding to the storage kind (such as
-## [nfs]) is not specified,
-##openshift_hosted_registry_storage_host=nfs.example.com
-##
-## NFS Export Options
-##openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
-##
-## NFS Export Directory
-## Specify the root exports directory. This directory will be created
-## if specifying an [nfs] host group.
-## This variable must be supplied if using a pre-existing nfs server.
-##openshift_hosted_registry_storage_nfs_directory=/exports
-##
-## Openstack Specific Options
-##
-## Openstack Volume ID
-## Specify the identifier of the volume to use for the registry.
-## At this time, the volume has to be created manually by the administrator.
-##openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
-##
-## Openstack Volume Size
-##openshift_hosted_registry_storage_volume_size=10Gi
-##
-## Openstack Volume Filesystem
-## Specify the filesystem that will be used when formatting the volume
-##openshift_hosted_registry_storage_openstack_filesystem=ext4
-
 # Configure node kubelet arguments
 #openshift_node_kubelet_args={'max-pods': ['110'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']}
 

inventory/byo/hosts.origin.example

@@ -146,6 +146,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #osm_mcs_labels_per_project=5
 #osm_uid_allocator_range='1000000000-1999999999/10000'
 
+# Configure additional projects
+#openshift_additional_projects={'my-project': {'default_node_selector': 'label=value'}}
+
 # Enable cockpit
 #osm_use_cockpit=true
 #
@@ -226,10 +229,15 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # based on the number of nodes matching the openshift router selector.
 #openshift_hosted_router_replicas=2
 #
+# Router force subdomain (optional)
+# A router path format to force on all routes used by this router
+# (will ignore the route host value)
+#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
+#
 # Router certificate (optional)
 # Provide local certificate paths which will be configured as the
 # router's default certificate.
-#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key"}
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
 
 # Openshift Registry Options
 #
@@ -245,7 +253,54 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Registry selector (optional)
 # Registry will only be created if nodes matching this label are present.
 # Default value: 'region=infra'
-#openshift_registry_selector='region=infra'
+#openshift_hosted_registry_selector='region=infra'
+#
+# Registry replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift registry selector.
+#openshift_hosted_registry_replicas=2
+
+# Registry Storage Options
+#
+# NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group.  For example, the volume
+# path using these options would be "/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_host=nfs.example.com
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# Openstack
+# Volume must already exist.
+#openshift_hosted_registry_storage_kind=openstack
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_openstack_filesystem=ext4
+#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# AWS S3
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
@@ -316,57 +371,6 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure dnsIP in the node config
 #openshift_dns_ip=172.30.0.1
 
-# Persistent Storage Options
-#
-## Registry Storage Options
-##
-## Storage Kind
-## Specifies which storage kind will be used for the registry.
-## "nfs" and "openstack" are supported kinds at this time.
-##openshift_hosted_registry_storage_kind=nfs
-##
-## Persistent Volume Access Mode
-## When using the 'openstack' storage kind, this has to be 'ReadWriteOnce'
-##openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
-##
-## Registry Volume Name
-## Specify the storage volume name. This directory will be created
-## within openshift_hosted_registry_storage_nfs_directory if
-## specifying an [nfs] group. Ex. /exports/registry
-## This variable must be supplied if using a pre-existing nfs server.
-##openshift_hosted_registry_storage_volume_name=registry
-##
-## NFS Specific Options
-##
-## Storage Host
-## This variable can be used to identify a pre-existing storage host
-## if a storage host group corresponding to the storage kind (such as
-## [nfs]) is not specified,
-##openshift_hosted_registry_storage_host=nfs.example.com
-##
-## NFS Export Options
-##openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
-##
-## NFS Export Directory
-## Specify the root exports directory. This directory will be created
-## if specifying an [nfs] host group.
-## This variable must be supplied if using a pre-existing nfs server.
-##openshift_hosted_registry_storage_nfs_directory=/exports
-##
-## Openstack Specific Options
-##
-## Openstack Volume ID
-## Specify the identifier of the volume to use for the registry.
-## At this time, the volume has to be created manually by the administrator.
-##openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
-##
-## Openstack Volume Size
-##openshift_hosted_registry_storage_volume_size=10Gi
-##
-## Openstack Volume Filesystem
-## Specify the filesystem that will be used when formatting the volume
-##openshift_hosted_registry_storage_openstack_filesystem=ext4
-
 # Configure node kubelet arguments
 #openshift_node_kubelet_args={'max-pods': ['110'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']}
 

inventory/byo/hosts.ose.example

@@ -140,6 +140,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #osm_mcs_labels_per_project=5
 #osm_uid_allocator_range='1000000000-1999999999/10000'
 
+# Configure additional projects
+#openshift_additional_projects={'my-project': {'default_node_selector': 'label=value'}}
+
 # Enable cockpit
 #osm_use_cockpit=true
 #
@@ -220,10 +223,15 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # based on the number of nodes matching the openshift router selector.
 #openshift_hosted_router_replicas=2
 #
+# Router force subdomain (optional)
+# A router path format to force on all routes used by this router
+# (will ignore the route host value)
+#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
+#
 # Router certificate (optional)
 # Provide local certificate paths which will be configured as the
 # router's default certificate.
-#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key"}
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
 
 # Openshift Registry Options
 #
@@ -239,7 +247,54 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Registry selector (optional)
 # Registry will only be created if nodes matching this label are present.
 # Default value: 'region=infra'
-#openshift_registry_selector='region=infra'
+#openshift_hosted_registry_selector='region=infra'
+#
+# Registry replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift registry selector.
+#openshift_hosted_registry_replicas=2
+
+# Registry Storage Options
+#
+# NFS Host Group
+# An NFS volume will be created with path "nfs_directory/volume_name"
+# on the host within the [nfs] host group.  For example, the volume
+# path using these options would be "/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# External NFS Host
+# NFS volume must already exist with path "nfs_directory/_volume_name" on
+# the storage_host. For example, the remote volume path using these
+# options would be "nfs.example.com:/exports/registry"
+#openshift_hosted_registry_storage_kind=nfs
+#openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
+#openshift_hosted_registry_storage_host=nfs.example.com
+#openshift_hosted_registry_storage_nfs_directory=/exports
+#openshift_hosted_registry_storage_volume_name=registry
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# Openstack
+# Volume must already exist.
+#openshift_hosted_registry_storage_kind=openstack
+#openshift_hosted_registry_storage_access_modes=['ReadWriteOnce']
+#openshift_hosted_registry_storage_openstack_filesystem=ext4
+#openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
+#openshift_hosted_registry_storage_volume_size=10Gi
+#
+# AWS S3
+# S3 bucket must already exist.
+#openshift_hosted_registry_storage_kind=object
+#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
+#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
+#openshift_hosted_registry_storage_s3_bucket=bucket_name
+#openshift_hosted_registry_storage_s3_region=bucket_region
+#openshift_hosted_registry_storage_s3_chunksize=26214400
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
@@ -310,57 +365,6 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure dnsIP in the node config
 #openshift_dns_ip=172.30.0.1
 
-# Persistent Storage Options
-#
-## Registry Storage Options
-##
-## Storage Kind
-## Specifies which storage kind will be used for the registry.
-## "nfs" and "openstack" are supported kinds at this time.
-##openshift_hosted_registry_storage_kind=nfs
-##
-## Persistent Volume Access Mode
-## When using the 'openstack' storage kind, this has to be 'ReadWriteOnce'
-##openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
-##
-## Registry Volume Name
-## Specify the storage volume name. This directory will be created
-## within openshift_hosted_registry_storage_nfs_directory if
-## specifying an [nfs] group. Ex. /exports/registry
-## This variable must be supplied if using a pre-existing nfs server.
-##openshift_hosted_registry_storage_volume_name=registry
-##
-## NFS Specific Options
-##
-## Storage Host
-## This variable can be used to identify a pre-existing storage host
-## if a storage host group corresponding to the storage kind (such as
-## [nfs]) is not specified,
-##openshift_hosted_registry_storage_host=nfs.example.com
-##
-## NFS Export Options
-##openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
-##
-## NFS Export Directory
-## Specify the root exports directory. This directory will be created
-## if specifying an [nfs] host group.
-## This variable must be supplied if using a pre-existing nfs server.
-##openshift_hosted_registry_storage_nfs_directory=/exports
-##
-## Openstack Specific Options
-##
-## Openstack Volume ID
-## Specify the identifier of the volume to use for the registry.
-## At this time, the volume has to be created manually by the administrator.
-##openshift_hosted_registry_storage_openstack_volumeID=3a650b4f-c8c5-4e0a-8ca5-eaee11f16c57
-##
-## Openstack Volume Size
-##openshift_hosted_registry_storage_volume_size=10Gi
-##
-## Openstack Volume Filesystem
-## Specify the filesystem that will be used when formatting the volume
-##openshift_hosted_registry_storage_openstack_filesystem=ext4
-
 # Configure node kubelet arguments
 #openshift_node_kubelet_args={'max-pods': ['110'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']}
 

playbooks/aws/openshift-cluster/config.yml

@@ -23,9 +23,8 @@
     openshift_debug_level: "{{ debug_level }}"
     openshift_deployment_type: "{{ deployment_type }}"
     openshift_public_hostname: "{{ ec2_ip_address }}"
-    openshift_registry_selector: 'type=infra'
+    openshift_hosted_registry_selector: 'type=infra'
     openshift_hosted_router_selector: 'type=infra'
-    openshift_infra_nodes: "{{ g_infra_hosts }}"
     openshift_node_labels:
       region: "{{ deployment_vars[deployment_type].region }}"
       type: "{{ hostvars[inventory_hostname]['ec2_tag_sub-host-type'] if inventory_hostname in groups['tag_host-type_node'] else hostvars[inventory_hostname]['ec2_tag_host-type'] }}"

playbooks/common/openshift-cluster/openshift_hosted.yml

@@ -1,30 +1,18 @@
-- name: Create persistent volumes and create hosted services
+- name: Create persistent volumes
   hosts: oo_first_master
   vars:
-    attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
-    deploy_infra: "{{ openshift.master.infra_nodes | default([]) | length > 0 }}"
     persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}"
     persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}"
   roles:
   - role: openshift_persistent_volumes
     when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0
-  - role: openshift_serviceaccounts
-    openshift_serviceaccounts_names:
-    - router
-    - registry
-    openshift_serviceaccounts_namespace: default
-    openshift_serviceaccounts_sccs:
-    - privileged
-  - role: openshift_registry
-    registry_volume_claim: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
-    when: deploy_infra | bool and attach_registry_volume | bool
-  - role: openshift_metrics
-    when: openshift.hosted.metrics.deploy | bool
 
 - name: Create Hosted Resources
   hosts: oo_first_master
   pre_tasks:
   - set_fact:
       openshift_hosted_router_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
+      openshift_hosted_registry_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"
+    when: "'master' in hostvars[groups.oo_first_master.0].openshift and 'registry_url' in hostvars[groups.oo_first_master.0].openshift.master"
   roles:
   - role: openshift_hosted

playbooks/common/openshift-master/config.yml

@@ -186,11 +186,6 @@
                                 | list ) }}"
       master_cert_subdir: master-{{ openshift.common.hostname }}
       master_cert_config_dir: "{{ openshift.common.config_base }}/master"
-  - set_fact:
-      openshift_infra_nodes: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'])
-                                 | oo_nodes_with_label('region', 'infra')
-                                 | oo_collect('inventory_hostname') }}"
-    when: openshift_infra_nodes is not defined and groups.oo_nodes_to_config | default([]) | length > 0
 
 - name: Configure master certificates
   hosts: oo_first_master

playbooks/gce/openshift-cluster/config.yml

@@ -26,9 +26,8 @@
     openshift_debug_level: "{{ debug_level }}"
     openshift_deployment_type: "{{ deployment_type }}"
     openshift_hostname: "{{ gce_private_ip }}"
-    openshift_registry_selector: 'type=infra'
+    openshift_hosted_registry_selector: 'type=infra'
     openshift_hosted_router_selector: 'type=infra'
-    openshift_infra_nodes: "{{ g_infra_hosts }}"
     openshift_master_cluster_method: 'native'
     openshift_use_openshift_sdn: "{{ lookup('oo_option', 'use_openshift_sdn') }}"
     os_sdn_network_plugin_name: "{{ lookup('oo_option', 'sdn_network_plugin_name') }}"

playbooks/libvirt/openshift-cluster/config.yml

@@ -26,9 +26,8 @@
     openshift_cluster_id: "{{ cluster_id }}"
     openshift_debug_level: "{{ debug_level }}"
     openshift_deployment_type: "{{ deployment_type }}"
-    openshift_registry_selector: 'type=infra'
+    openshift_hosted_registry_selector: 'type=infra'
     openshift_hosted_router_selector: 'type=infra'
-    openshift_infra_nodes: "{{ g_infra_hosts }}"
     openshift_master_cluster_method: 'native'
     openshift_use_openshift_sdn: "{{ lookup('oo_option', 'use_openshift_sdn') }}"
     os_sdn_network_plugin_name: "{{ lookup('oo_option', 'sdn_network_plugin_name') }}"

playbooks/openstack/openshift-cluster/config.yml

@@ -23,9 +23,8 @@
     openshift_cluster_id: "{{ cluster_id }}"
     openshift_debug_level: "{{ debug_level }}"
     openshift_deployment_type: "{{ deployment_type }}"
-    openshift_registry_selector: 'type=infra'
+    openshift_hosted_registry_selector: 'type=infra'
     openshift_hosted_router_selector: 'type=infra'
-    openshift_infra_nodes: "{{ g_infra_hosts }}"
     openshift_master_cluster_method: 'native'
     openshift_use_openshift_sdn: "{{ lookup('oo_option', 'use_openshift_sdn') }}"
     os_sdn_network_plugin_name: "{{ lookup('oo_option', 'sdn_network_plugin_name') }}"

roles/openshift_facts/library/openshift_facts.py

@@ -114,6 +114,12 @@ def migrate_hosted_facts(facts):
             if 'router' not in facts['hosted']:
                 facts['hosted']['router'] = {}
             facts['hosted']['router']['selector'] = facts['master'].pop('router_selector')
+        if 'registry_selector' in facts['master']:
+            if 'hosted' not in facts:
+                facts['hosted'] = {}
+            if 'registry' not in facts['hosted']:
+                facts['hosted']['registry'] = {}
+            facts['hosted']['registry']['selector'] = facts['master'].pop('registry_selector')
     return facts
 
 def first_ip(network):
@@ -466,11 +472,11 @@ def set_selectors(facts):
         facts['hosted']['router'] = {}
     if 'selector' not in facts['hosted']['router'] or facts['hosted']['router']['selector'] in [None, 'None']:
         facts['hosted']['router']['selector'] = selector
+    if 'registry' not in facts['hosted']:
+        facts['hosted']['registry'] = {}
+    if 'selector' not in facts['hosted']['registry'] or facts['hosted']['registry']['selector'] in [None, 'None']:
+        facts['hosted']['registry']['selector'] = selector
 
-    if 'master' in facts:
-        if 'infra_nodes' in facts['master']:
-            if 'registry_selector' not in facts['master']:
-                facts['master']['registry_selector'] = selector
     return facts
 
 def set_metrics_facts_if_unset(facts):

roles/openshift_hosted/README.md

@@ -4,24 +4,27 @@ OpenShift Hosted
 OpenShift Hosted Resources
 
 * OpenShift Router
+* OpenShift Registry
 
 Requirements
 ------------
 
-This role requires a running OpenShift cluster with nodes labeled to
-match the openshift_hosted_router_selector (default: region=infra).
+This role requires a running OpenShift cluster.
 
 Role Variables
 --------------
 
 From this role:
 
-| Name                                | Default value                            | Description                                                                                                          |
-|-------------------------------------|------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
-| openshift_hosted_router_certificate | None                                     | Dictionary containing "certfile" and "keyfile" keys with values containing paths to local certificate files.         |
-| openshift_hosted_router_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift router on.                                                                           |
-| openshift_hosted_router_replicas    | Number of nodes matching selector        | The number of replicas to configure.                                                                                 |
-| openshift_hosted_router_selector    | region=infra                             | Node selector used when creating router. The OpenShift router will only be deployed to nodes matching this selector. |
+| Name                                  | Default value                            | Description                                                                                                              |
+|---------------------------------------|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
+| openshift_hosted_router_certificate   | None                                     | Dictionary containing "certfile", "keyfile" and "cafile" keys with values containing paths to local certificate files.   |
+| openshift_hosted_router_registryurl   | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift router on.                                                                               |
+| openshift_hosted_router_replicas      | Number of nodes matching selector        | The number of replicas to configure.                                                                                     |
+| openshift_hosted_router_selector      | region=infra                             | Node selector used when creating router. The OpenShift router will only be deployed to nodes matching this selector.     |
+| openshift_hosted_registry_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift registry on.                                                                             |
+| openshift_hosted_registry_replicas    | Number of nodes matching selector        | The number of replicas to configure.                                                                                     |
+| openshift_hosted_registry_selector    | region=infra                             | Node selector used when creating registry. The OpenShift registry will only be deployed to nodes matching this selector. |
 
 Dependencies
 ------------
@@ -40,6 +43,7 @@ Example Playbook
     openshift_hosted_router_certificate:
       certfile: /path/to/my-router.crt
       keyfile: /path/to/my-router.key
+      cafile: /path/to/my-router-ca.crt
     openshift_hosted_router_registryurl: 'registry.access.redhat.com/openshift3/ose-haproxy-router:v3.0.2.0'
     openshift_hosted_router_selector: 'type=infra'
 ```

roles/openshift_hosted/meta/main.yml

@@ -12,5 +12,26 @@ galaxy_info:
   categories:
   - cloud
 dependencies:
-- openshift_common
-- openshift_hosted_facts
+- role: openshift_cli
+- role: openshift_hosted_facts
+- role: openshift_projects
+  # TODO: Move standard project definitions to openshift_hosted/vars/main.yml
+  # Vars are not accessible in meta/main.yml in ansible-1.9.x
+  openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
+- role: openshift_serviceaccounts
+  openshift_serviceaccounts_names:
+  - router
+  openshift_serviceaccounts_namespace: default
+  openshift_serviceaccounts_sccs:
+  - hostnetwork
+  when: openshift.common.version_gte_3_2_or_1_2
+- role: openshift_serviceaccounts
+  openshift_serviceaccounts_names:
+  - router
+  - registry
+  openshift_serviceaccounts_namespace: default
+  openshift_serviceaccounts_sccs:
+  - privileged
+  when: not openshift.common.version_gte_3_2_or_1_2
+- role: openshift_metrics
+  when: openshift.hosted.metrics.deploy | bool

roles/openshift_hosted/tasks/main.yml

@@ -1,3 +1,22 @@
 ---
+- name: Create temp directory for kubeconfig
+  command: mktemp -d /tmp/openshift-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
 
-- include: router.yml
+- set_fact:
+    openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+
+- name: Copy the admin client config(s)
+  command: >
+    cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+  changed_when: False
+
+- include: router/router.yml
+- include: registry/registry.yml
+
+- name: Delete temp directory
+  file:
+    name: "{{ mktemp.stdout }}"
+    state: absent
+  changed_when: False

roles/openshift_hosted/tasks/registry/registry.yml

@@ -0,0 +1,40 @@
+---
+- name: Retrieve list of openshift nodes matching registry selector
+  command: >
+    {{ openshift.common.client_binary }} --api-version='v1' -o json
+    get nodes -n default --config={{ openshift_hosted_kubeconfig }}
+    --selector={{ openshift.hosted.registry.selector | default('') }}
+  register: openshift_hosted_registry_nodes_json
+  changed_when: false
+  when: openshift.hosted.registry.replicas | default(none) is none
+
+- set_fact:
+    replicas: "{{ openshift.hosted.registry.replicas | default((openshift_hosted_registry_nodes_json.stdout | from_json)['items'] | length) }}"
+
+- name: Create OpenShift registry
+  command: >
+    {{ openshift.common.admin_binary }} registry --create
+    --config={{ openshift_hosted_kubeconfig }}
+    {% if replicas > 1 -%}
+    --replicas={{ replicas }}
+    {% endif -%}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    --service-account=registry
+    {% if openshift.hosted.registry.selector | default(none) is not none -%}
+    --selector='{{ openshift.hosted.registry.selector }}'
+    {% endif -%}
+    {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%}
+    --credentials={{ openshift_master_config_dir }}/openshift-registry.kubeconfig
+    {% endif -%}
+    {% if openshift.hosted.registry.registryurl | default(none) is not none -%}
+    --images='{{ openshift.hosted.registry.registryurl }}'
+    {% endif -%}
+  register: openshift_hosted_registry_results
+  changed_when: "'service exists' not in openshift_hosted_registry_results.stdout"
+  failed_when: "openshift_hosted_registry_results.rc != 0 and 'service exists' not in openshift_hosted_registry_results.stdout and 'deployment_config' not in openshift_hosted_registry_results.stderr and 'service' not in openshift_hosted_registry_results.stderr"
+
+- include: storage/object_storage.yml
+  when: openshift.hosted.registry.storage.kind | default(none) == 'object'
+
+- include: storage/persistent_volume.yml
+  when: openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack']

roles/openshift_hosted/tasks/registry/storage/object_storage.yml

@@ -0,0 +1,114 @@
+- fail:
+    msg: >
+      Object Storage Provider: {{ openshift.hosted.registry.storage.provider }}
+      is not currently supported
+  when: openshift.hosted.registry.storage.provider not in ['azure_blob', 's3', 'swift']
+
+- fail:
+    msg: >
+      Support for provider: "{{ openshift.hosted.registry.storage.provider }}"
+      not implemented yet
+  when: openshift.hosted.registry.storage.provider in ['azure_blob', 'swift']
+
+- include: s3.yml
+  when: openshift.hosted.registry.storage.provider == 's3'
+
+- name: Test if docker registry config secret exists
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    get secrets {{ registry_config_secret_name }} -o json
+  register: secrets
+  changed_when: false
+  failed_when: false
+
+- set_fact:
+    registry_config: "{{ lookup('template', '../templates/registry_config.j2') | b64encode }}"
+
+- set_fact:
+    registry_config_secret: "{{ lookup('template', '../templates/registry_config_secret.j2') | from_yaml }}"
+
+- set_fact:
+    same_storage_provider: "{{ (secrets.stdout|from_json)['metadata']['annotations']['provider'] | default(none) == openshift.hosted.registry.storage.provider }}"
+  when: secrets.rc == 0
+
+- name: Update registry config secret
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    patch secret/{{ registry_config_secret_name }}
+    -p '{"data": {"config.yml": "{{ registry_config }}"}}'
+  register: update_config_secret
+  when: secrets.rc == 0 and (secrets.stdout|from_json)['data']['config.yml'] != registry_config and same_storage_provider | bool
+
+- name: Create registry config secret
+  shell: >
+    echo '{{ registry_config_secret |to_json }}' |
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    create -f -
+  when: secrets.rc == 1
+
+- name: Determine if service account contains secrets
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    get serviceaccounts registry
+    -o jsonpath='{.secrets[?(@.name=="{{ registry_config_secret_name }}")].name}'
+  register: serviceaccount
+  changed_when: false
+
+- name: Add secrets to registry service account
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    secrets add serviceaccount/registry secrets/{{ registry_config_secret_name }}
+  when: serviceaccount.stdout == ''
+
+- name: Determine if deployment config contains secrets
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    set volumes dc/docker-registry --list
+  register: volume
+  changed_when: false
+
+- name: Add secrets to registry deployment config
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    set volumes dc/docker-registry --add --name=docker-config -m /etc/registry
+    --type=secret --secret-name={{ registry_config_secret_name }}
+  when: registry_config_secret_name not in volume.stdout
+
+- name: Determine if registry environment variable needs to be created
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    set env --list dc/docker-registry
+  register: oc_env
+  changed_when: false
+
+- name: Add registry environment variable
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    set env dc/docker-registry REGISTRY_CONFIGURATION_PATH=/etc/registry/config.yml
+  when: "'REGISTRY_CONFIGURATION_PATH' not in oc_env.stdout"
+
+- name: Redeploy registry
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ openshift_hosted_kubeconfig }}
+    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
+    deploy dc/docker-registry --latest
+  when: secrets.rc == 0 and update_config_secret.rc == 0 and same_storage_provider | bool

roles/openshift_registry/tasks/main.yml

@@ -1,15 +1,9 @@
 ---
-- name: Deploy OpenShift Registry
-  command: >
-    {{ openshift.common.admin_binary }} registry
-    --create --replicas={{ openshift.master.infra_nodes | length }}
-    --service-account=registry {{ oreg_selector }}
-    --credentials={{ openshift_master_config_dir }}/openshift-registry.kubeconfig {{ oreg_images }}
-  register: oreg_results
-  changed_when: "'service exists' not in oreg_results.stdout"
+- set_fact:
+    registry_volume_claim: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
 
 - name: Determine if volume is already attached to dc/docker-registry
-  command: "{{ openshift.common.client_binary }} get -o template dc/docker-registry --template=\\{\\{.spec.template.spec.volumes\\}\\}"
+  command: "{{ openshift.common.client_binary }} get -o template dc/docker-registry --template=\\{\\{.spec.template.spec.volumes\\}\\} --output-version=v1"
   changed_when: false
   register: registry_volumes_output
 

roles/openshift_hosted/tasks/registry/storage/s3.yml

@@ -0,0 +1,12 @@
+---
+- fail:
+    msg: >
+      openshift_hosted_registry_storage_s3_accesskey and
+      openshift_hosted_registry_storage_s3_secretkey are required
+  when: openshift.hosted.registry.storage.s3.accesskey | default(none) is none or openshift.hosted.registry.storage.s3.secretkey | default(none) is none
+
+- fail:
+    msg: >
+      openshift_hosted_registry_storage_s3_bucket and
+      openshift_hosted_registry_storage_s3_region are required
+  when: openshift.hosted.registry.storage.s3.bucket | default(none) is none or openshift.hosted.registry.storage.s3.region | default(none) is none

roles/openshift_hosted/tasks/router.yml

@@ -1,65 +0,0 @@
----
-- fail:
-    msg: "Both 'certfile' and 'keyfile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
-  when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate)
-
-- name: Read router certificate and key
-  slurp:
-    src: "{{ item }}"
-  register: openshift_router_certificate_output
-  with_items:
-  - "{{ openshift_hosted_router_certificate.certfile }}"
-  - "{{ openshift_hosted_router_certificate.keyfile }}"
-  delegate_to: localhost
-  when: openshift_hosted_router_certificate is defined
-
-- name: Persist certificate contents
-  openshift_facts:
-    role: hosted
-    openshift_env:
-      openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
-  when: openshift_hosted_router_certificate is defined
-
-- name: Create PEM certificate
-  copy:
-    content: "{{ openshift.hosted.router.certificate.contents }}"
-    dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
-    mode: 0600
-  when: openshift.hosted.router.certificate | default(None) != None
-
-- name: Retrieve list of openshift nodes
-  command: >
-    {{ openshift.common.client_binary }} --api-version='v1' -o json
-    get nodes -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig
-  register: openshift_hosted_router_nodes_json
-  changed_when: false
-  when: openshift.hosted.router.replicas | default(None) == None
-
-- name: Collect nodes matching router selector
-  set_fact:
-    openshift_hosted_router_nodes: >
-      {{ (openshift_hosted_router_nodes_json.stdout|from_json)['items']
-         | oo_oc_nodes_matching_selector(openshift.hosted.router.selector) }}
-  when: openshift.hosted.router.replicas | default(None) == None
-
-- name: Create OpenShift router
-  command: >
-    {{ openshift.common.admin_binary }} router --create
-    {% if openshift.hosted.router.replicas | default(None) != None -%}
-    --replicas={{ openshift.hosted.router.replicas }}
-    {% else -%}
-    --replicas={{ openshift_hosted_router_nodes | length }}
-    {% endif %}
-    {% if openshift.hosted.router.certificate | default(None) != None -%}
-    --default-cert={{ openshift_master_config_dir }}/openshift-router.pem
-    {% endif -%}
-    --namespace=default
-    --service-account=router
-    --selector='{{ openshift.hosted.router.selector }}'
-    --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig
-    {% if openshift.hosted.router.registryurl | default(None)!= None -%}
-    --images='{{ openshift.hosted.router.registryurl }}'
-    {% endif -%}
-  register: openshift_hosted_router_results
-  changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
-  when: openshift.hosted.router.replicas | default(None) != None or (openshift_hosted_router_nodes is defined and openshift_hosted_router_nodes | length > 0)

roles/openshift_hosted/tasks/router/router.yml

@@ -0,0 +1,70 @@
+---
+- fail:
+    msg: "'certfile', 'keyfile' and 'cafile' keys must be specified when supplying the openshift_hosted_router_certificate variable."
+  when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate or 'cafile' not in openshift_hosted_router_certificate) 
+
+- name: Read router certificate and key
+  become: no
+  local_action:
+    module: slurp
+    src: "{{ item }}"
+  register: openshift_router_certificate_output
+  with_items:
+  - "{{ openshift_hosted_router_certificate.certfile }}"
+  - "{{ openshift_hosted_router_certificate.keyfile }}"
+  - "{{ openshift_hosted_router_certificate.cafile }}"
+  when: openshift_hosted_router_certificate is defined
+
+- name: Persist certificate contents
+  openshift_facts:
+    role: hosted
+    openshift_env:
+      openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
+  when: openshift_hosted_router_certificate is defined
+
+- name: Create PEM certificate
+  copy:
+    content: "{{ openshift.hosted.router.certificate.contents }}"
+    dest: "{{ openshift_master_config_dir }}/openshift-router.pem"
+    mode: 0600
+  when: openshift.hosted.router.certificate | default(none) is not none
+
+- name: Retrieve list of openshift nodes matching router selector
+  command: >
+    {{ openshift.common.client_binary }} --api-version='v1' -o json
+    get nodes -n default --config={{ openshift_hosted_kubeconfig }}
+    --selector={{ openshift.hosted.router.selector | default('') }}
+  register: openshift_hosted_router_nodes_json
+  changed_when: false
+  when: openshift.hosted.router.replicas | default(none) is none
+
+- set_fact:
+    replicas: "{{ openshift.hosted.router.replicas | default((openshift_hosted_router_nodes_json.stdout | from_json)['items'] | length) }}"
+
+- name: Create OpenShift router
+  command: >
+    {{ openshift.common.admin_binary }} router --create
+    --config={{ openshift_hosted_kubeconfig }}
+    {% if replicas > 1 -%}
+    --replicas={{ replicas }}
+    {% endif -%}
+    {% if openshift.hosted.router.certificate | default(none) is not none -%}
+    --default-cert={{ openshift_master_config_dir }}/openshift-router.pem
+    {% endif -%}
+    --namespace={{ openshift.hosted.router.namespace | default('default') }}
+    {% if openshift.hosted.router.force_subdomain | default(none) is not none %}
+    --force-subdomain={{ openshift.hosted.router.force_subdomain }}
+    {% endif %}
+    --service-account=router
+    {% if openshift.hosted.router.selector | default(none) is not none -%}
+    --selector='{{ openshift.hosted.router.selector }}'
+    {% endif -%}
+    {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%}
+    --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig
+    {% endif -%}
+    {% if openshift.hosted.router.registryurl | default(none) is not none -%}
+    --images='{{ openshift.hosted.router.registryurl }}'
+    {% endif -%}
+  register: openshift_hosted_router_results
+  changed_when: "'service exists' not in openshift_hosted_router_results.stdout"
+  failed_when: "openshift_hosted_router_results.rc != 0 and 'service exists' not in openshift_hosted_router_results.stdout and 'deployment_config' not in openshift_hosted_router_results.stderr and 'service' not in openshift_hosted_router_results.stderr"

roles/openshift_hosted/templates/registry_config.j2

@@ -0,0 +1,70 @@
+version: 0.1
+log:
+  level: debug
+http:
+  addr: :5000
+storage:
+  cache:
+    blobdescriptor: inmemory
+{% if openshift.hosted.registry.storage.provider == 's3' %}
+  s3:
+    accesskey: {{ openshift.hosted.registry.storage.s3.accesskey }}
+    secretkey: {{ openshift.hosted.registry.storage.s3.secretkey }}
+    region: {{ openshift.hosted.registry.storage.s3.region }}
+    bucket: {{ openshift.hosted.registry.storage.s3.bucket }}
+    encrypt: false
+    secure: true
+    v4auth: true
+    rootdirectory: /registry
+    chunksize: "{{ openshift.hosted.registry.storage.s3.chunksize | default(26214400) }}"
+{% elif openshift.hosted.registry.storage.provider == 'azure_blob' %}
+  azure:
+    accountname: {{ openshift.hosted.registry.storage.azure_blob.accountname }}
+    accountkey: {{ openshift.hosted.registry.storage.azure_blob.accountkey }}
+    container: {{ openshift.hosted.registry.storage.azure_blob.container }}
+    realm: {{ openshift.hosted.registry.storage.azure_blob.realm }}
+{% elif openshift.hosted.registry.storage.provider == 'swift' %}
+  swift:
+    authurl: {{ openshift.hosted.registry.storage.swift.authurl }}
+    username: {{ openshift.hosted.registry.storage.swift.username }}
+    password: {{ openshift.hosted.registry.storage.swift.password }}
+    container: {{ openshift.hosted.registry.storage.swift.container }}
+{%   if 'region' in openshift.hosted.registry.storage.swift %}
+    region: {{ openshift.hosted.registry.storage.swift.region }}
+{%   endif -%}
+{%   if 'tenant' in openshift.hosted.registry.storage.swift %}
+    tenant: {{ openshift.hosted.registry.storage.swift.tenant }}
+{%   endif -%}
+{%   if 'tenantid' in openshift.hosted.registry.storage.swift %}
+    tenantid: {{ openshift.hosted.registry.storage.swift.tenantid }}
+{%   endif -%}
+{%   if 'domain' in openshift.hosted.registry.storage.swift %}
+    domain: {{ openshift.hosted.registry.storage.swift.domain }}
+{%   endif -%}
+{%   if 'domainid' in openshift.hosted.registry.storage.swift %}
+    domainid: {{ openshift.hosted.registry.storage.swift.domainid }}
+{%   endif -%}
+{% elif openshift.hosted.registry.storage.provider == 'gcs' %}
+  gcs:
+    bucket: {{ openshift.hosted.registry.storage.gcs.bucket }}
+{%   if 'keyfile' in openshift.hosted.registry.storage.gcs %}
+    keyfile: {{ openshift.hosted.registry.storage.gcs.keyfile }}
+{%   endif -%}
+{%   if 'rootdirectory' in openshift.hosted.registry.storage.gcs %}
+    rootdirectory: {{ openshift.hosted.registry.storage.gcs.rootdirectory }}
+{%   endif -%}
+{% endif -%}
+auth:
+  openshift:
+    realm: openshift
+middleware:
+  repository:
+  - name: openshift
+{% if openshift.hosted.registry.storage.provider == 's3' and 'cloudfront' in openshift.hosted.registry.storage.s3 %}
+  storage:
+  - name: cloudfront
+    options:
+      baseurl: {{ openshift.hosted.registry.storage.s3.cloudfront.baseurl }}
+      privatekey: {{ openshift.hosted.registry.storage.s3.cloudfront.privatekeyfile }}
+      keypairid: {{ openshift.hosted.registry.storage.s3.cloudfront.keypairid }}
+{% endif -%}

roles/openshift_hosted/templates/registry_config_secret.j2

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: registry-config
+  annotations:
+    provider: {{ openshift.hosted.registry.storage.provider }}
+data:
+  config.yml: {{ registry_config }}

roles/openshift_hosted/vars/main.yml

@@ -1,2 +1,3 @@
 ---
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+registry_config_secret_name: registry-config

roles/openshift_hosted_facts/tasks/main.yml

@@ -1,7 +1,16 @@
 ---
+- set_fact:
+    openshift_hosted_router_selector: "{{ openshift_hosted_infra_selector }}"
+  when: openshift_hosted_router_selector is not defined and openshift_hosted_infra_selector is defined
+- set_fact:
+    openshift_hosted_registry_selector: "{{ openshift_hosted_infra_selector }}"
+  when: openshift_hosted_registry_selector is not defined and openshift_hosted_infra_selector is defined
+
 - name: Set hosted facts
   openshift_facts:
     role: hosted
     openshift_env: "{{ hostvars
                        | oo_merge_hostvars(vars, inventory_hostname)
                        | oo_openshift_env }}"
+    openshift_env_structures:
+    - 'openshift.hosted.router.*'

roles/openshift_master_facts/tasks/main.yml

@@ -61,7 +61,6 @@
       registry_selector: "{{ openshift_registry_selector | default(None) }}"
       api_server_args: "{{ osm_api_server_args | default(None) }}"
       controller_args: "{{ osm_controller_args | default(None) }}"
-      infra_nodes: "{{ openshift_infra_nodes | default(None) }}"
       disabled_features: "{{ osm_disabled_features | default(None) }}"
       master_count: "{{ openshift_master_count | default(None) }}"
       controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}"

roles/openshift_registry/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 galaxy_info:
-  author: OpenShift Red Hat
-  description: OpenShift Embedded Docker Registry
+  author: Jason DeTiberus
+  description: OpenShift Projects
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
   min_ansible_version: 1.9
@@ -12,4 +12,4 @@ galaxy_info:
   categories:
   - cloud
 dependencies:
-- role: openshift_hosted_facts
+- { role: openshift_facts }

roles/openshift_projects/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+- name: Create temp directory for kubeconfig
+  command: mktemp -d /tmp/openshift-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
+
+- name: Copy the admin client config(s)
+  command: >
+    cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+  changed_when: False
+
+- name: Determine if projects exist
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    get projects {{ item.key }} -o json
+  with_dict: "{{ openshift_projects }}"
+  failed_when: false
+  changed_when: false
+  register: project_test
+
+- name: Create projects
+  command: >
+    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    new-project {{ item.item.key }}
+    {% if item.item.value.default_node_selector | default(none) != none %}
+    {{ '--node-selector=' ~ item.item.value.default_node_selector }}
+    {% endif %}
+  when: item.rc == 1
+  with_items:
+  - "{{ project_test.results }}"
+
+- name: Update project default node selector if necessary
+  command: >
+    {{ openshift.common.client_binary }}
+    --config={{ mktemp.stdout }}/admin.kubeconfig patch namespace {{ item.item.key }}
+    -p '{"metadata": {"annotations": {"openshift.io/node-selector": "{{ item.item.value.default_node_selector }}"}}}'
+  when: "{{ item.rc == 0 and item.item.value.default_node_selector | default(none) != none
+            and item.item.value.default_node_selector | default(none) != (item.stdout | from_json).metadata.annotations['openshift.io/node-selector'] | default(none) }}"
+  with_items:
+  - "{{ project_test.results }}"
+  register: annotate_project
+
+- name: Delete temp directory
+  file:
+    name: "{{ mktemp.stdout }}"
+    state: absent
+  changed_when: False

roles/openshift_projects/vars/main.yml

@@ -0,0 +1,2 @@
+---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"

roles/openshift_registry/README.md

@@ -1,37 +0,0 @@
-OpenShift Container Docker Registry
-===================================
-
-OpenShift Docker Registry  service installation
-
-Requirements
-------------
-
-Running OpenShift cluster
-
-Role Variables
---------------
-
-From this role:
-
-| Name               | Default value                                         |                     |
-|--------------------|-------------------------------------------------------|---------------------|
-|                    |                                                       |                     |
-
-
-Dependencies
-------------
-
-Example Playbook
-----------------
-
-TODO
-
-License
--------
-
-Apache License, Version 2.0
-
-Author Information
-------------------
-
-Red Hat openshift@redhat.com

roles/openshift_registry/vars/main.yml

@@ -1,4 +0,0 @@
----
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-oreg_images: "--images='{{ openshift.master.registry_url }}'"
-oreg_selector: "--selector='{{ openshift.master.registry_selector }}'"

roles/openshift_serviceaccounts/tasks/main.yml

@@ -24,11 +24,11 @@
   register: scc_test
   with_items: "{{ openshift_serviceaccounts_sccs }}"
 
-- name: Grant the user access to the privileged scc
+- name: Grant the user access to the appropriate scc
   command: >
       {{ openshift.common.admin_binary }} policy add-scc-to-user
-      privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
-  when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+      {{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
+  when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users | default([]) }}"
   with_nested:
   - "{{ openshift_serviceaccounts_names }}"
   - "{{ scc_test.results }}"