Support setting imagePolicyConfig JSON in inventory.

For flexibility this is another pure JSON field to translate directly to
yaml in the master config.

Also updated to more safely handle JSON inventory variables as this
uncovered a bug with booleans where you end up with a string containing
json in your yaml.

inventory/byo/hosts.aep.example

@@ -58,6 +58,10 @@ deployment_type=atomic-enterprise
 # See: https://docs.openshift.com/enterprise/latest/install_config/aggregate_logging.html
 #openshift_master_logging_public_url=https://kibana.example.com
 
+# Configure imagePolicyConfig in the master config
+# See: https://godoc.org/github.com/openshift/origin/pkg/cmd/server/api#ImagePolicyConfig
+#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true}
+
 # Docker Configuration
 # Add additional, insecure, and blocked registries to global docker configuration
 # For enterprise deployment types we ensure that registry.access.redhat.com is

inventory/byo/hosts.origin.example

@@ -59,6 +59,10 @@ deployment_type=origin
 # See: https://docs.openshift.org/latest/install_config/aggregate_logging.html
 #openshift_master_logging_public_url=https://kibana.example.com
 
+# Configure imagePolicyConfig in the master config
+# See: https://godoc.org/github.com/openshift/origin/pkg/cmd/server/api#ImagePolicyConfig
+#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true}
+
 # Docker Configuration
 # Add additional, insecure, and blocked registries to global docker configuration
 # For enterprise deployment types we ensure that registry.access.redhat.com is

inventory/byo/hosts.ose.example

@@ -57,6 +57,10 @@ deployment_type=openshift-enterprise
 # Configure loggingPublicURL in the master config for aggregate logging
 # See: https://docs.openshift.com/enterprise/latest/install_config/aggregate_logging.html
 #openshift_master_logging_public_url=https://kibana.example.com
+#
+# Configure imagePolicyConfig in the master config
+# See: https://godoc.org/github.com/openshift/origin/pkg/cmd/server/api#ImagePolicyConfig
+#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true}
 
 # Docker Configuration
 # Add additional, insecure, and blocked registries to global docker configuration

roles/openshift_facts/library/openshift_facts.py

@@ -1142,17 +1142,23 @@ def merge_facts(orig, new, additive_facts_to_overwrite, protected_facts_to_overw
     protected_facts = ['ha', 'master_count']
 
     # Facts we do not ever want to merge. These originate in inventory variables
-    # and typically contain JSON dicts. We don't ever want to trigger a merge
+    # and contain JSON dicts. We don't ever want to trigger a merge
     # here, just completely overwrite with the new if they are present there.
-    overwrite_facts = ['admission_plugin_config',
-                       'kube_admission_plugin_config']
+    inventory_json_facts = ['admission_plugin_config',
+                            'kube_admission_plugin_config',
+                            'image_policy_config']
 
     facts = dict()
     for key, value in orig.iteritems():
         # Key exists in both old and new facts.
         if key in new:
-            if key in overwrite_facts:
-                facts[key] = copy.deepcopy(new[key])
+            if key in inventory_json_facts:
+                # Watchout for JSON facts that sometimes load as strings.
+                # (can happen if the JSON contains a boolean)
+                if isinstance(new[key], str):
+                    facts[key] = yaml.safe_load(new[key])
+                else:
+                    facts[key] = copy.deepcopy(new[key])
             # Continue to recurse if old and new fact is a dictionary.
             elif isinstance(value, dict) and isinstance(new[key], dict):
                 # Collect the subset of additive facts to overwrite if

roles/openshift_master/templates/master.yaml.v1.j2

@@ -89,6 +89,9 @@ etcdStorageConfig:
 imageConfig:
   format: {{ openshift.master.registry_url }}
   latest: false
+{% if 'image_policy_config' in openshift.master %}
+imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level=1) }}
+{% endif %}
 kind: MasterConfig
 kubeletClientInfo:
 {# TODO: allow user specified kubelet port #}

roles/openshift_master_facts/tasks/main.yml

@@ -72,3 +72,4 @@
       oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2
       oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}"
       oauth_always_show_provider_selection: "{{ openshift_master_oauth_always_show_provider_selection | default(None) }}"
+      image_policy_config: "{{ openshift_master_image_policy_config | default(None) }}"