
Update for RC2 changes

Remove openshift-deployer.kubeconfig from master template
Sync config template
Update enterprise image names
Switch to node auto registration
Add deployer to list of serviceAccountConfig.managedNames
Move package installation before registering facts
change default kubeconfig location
Change system:openshift-client to system:openshift-master
Rename node cert/key/kubeconfig per openshift/origin#3160
Update references to /var/lib/openshift/openshift.local.certificates
Scott Dodson vor 9 Jahren
7b316631a2

+ 6 - 6
README_OSE.md

@@ -19,7 +19,7 @@
 * Either ssh key based auth for the root user or ssh key based auth for a user
   with sudo access (no password)
 * A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/
-  
+
   ```sh
   git clone https://github.com/openshift/openshift-ansible.git
   cd openshift-ansible
@@ -80,7 +80,7 @@ ansible_ssh_user=root
 deployment_type=enterprise
 
 # Pre-release registry URL
-oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}
+oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}
 
 # Pre-release additional repo
 openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel',
@@ -120,16 +120,16 @@ inventory file use the -i option for ansible-playbook.
 On the master host:
 ```sh
 openshift ex router --create=true \
-  --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig \
-  --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}'
+  --credentials=/etc/openshift/master/openshift-router.kubeconfig \
+  --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}'
 ```
 
 #### Create the default docker-registry
 On the master host:
 ```sh
 openshift ex registry --create=true \
-  --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \
-  --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}' \
+  --credentials=/etc/openshift/master/openshift-registry.kubeconfig \
+  --images='docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}' \
   --mount-host=/var/lib/openshift/docker-registry
 ```
 

+ 3 - 3
README_origin.md

@@ -19,7 +19,7 @@
 * Either ssh key based auth for the root user or ssh key based auth for a user
   with sudo access (no password)
 * A checkout of openshift-ansible from https://github.com/openshift/openshift-ansible/
-  
+
   ```sh
   git clone https://github.com/openshift/openshift-ansible.git
   cd openshift-ansible
@@ -92,14 +92,14 @@ inventory file use the -i option for ansible-playbook.
 On the master host:
 ```sh
 openshift ex router --create=true \
-  --credentials=/var/lib/openshift/openshift.local.certificates/openshift-router/.kubeconfig
+  --credentials=/etc/openshift/master/openshift-router.kubeconfig
 ```
 
 #### Create the default docker-registry
 On the master host:
 ```sh
 openshift ex registry --create=true \
-  --credentials=/var/lib/openshift/openshift.local.certificates/openshift-registry/.kubeconfig \
+  --credentials=/etc/openshift/master/openshift-registry.kubeconfig \
   --mount-host=/var/lib/openshift/docker-registry
 ```
 

+ 1 - 1
inventory/byo/hosts

@@ -17,7 +17,7 @@ ansible_ssh_user=root
 deployment_type=enterprise
 
 # Pre-release registry URL
-oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3_beta/ose-${component}:${version}
+oreg_url=docker-buildvm-rhose.usersys.redhat.com:5000/openshift3/ose-${component}:${version}
 
 # Pre-release additional repo
 openshift_additional_repos=[{'id': 'ose-devel', 'name': 'ose-devel', 'baseurl': 'http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/3.0/latest/RH7-RHOSE-3.0/$basearch/os', 'enabled': 1, 'gpgcheck': 0}]

+ 6 - 4
playbooks/common/openshift-node/config.yml

@@ -27,10 +27,12 @@
     stat:
       path: "{{ item }}"
     with_items:
-    - "/etc/openshift/node/node.key"
-    - "/etc/openshift/node/node.kubeconfig"
+    - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.crt"
+    - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.key"
+    - "/etc/openshift/node/system:node:{{ openshift.common.hostname }}.kubeconfig"
     - "/etc/openshift/node/ca.crt"
     - "/etc/openshift/node/server.key"
+    - "/etc/openshift/node/server.crt"
     register: stat_result
   - set_fact:
       certs_missing: "{{ stat_result.results | map(attribute='stat.exists')
@@ -50,7 +52,7 @@
     register: mktemp
     changed_when: False
 
-- name: Register nodes
+- name: Create node certificates
   hosts: oo_first_master
   vars:
     nodes_needing_certs: "{{ hostvars
@@ -60,7 +62,7 @@
                          | oo_select_keys(groups['oo_nodes_to_config']) }}"
     sync_tmpdir: "{{ hostvars.localhost.mktemp.stdout }}"
   roles:
-  - openshift_register_nodes
+  - openshift_node_certificates
   post_tasks:
   - name: Create a tarball of the node config directories
     command: >
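Review bot: The `certs_missing` check at the top of the hunk only tests that the renamed files exist, so a node that already carries a `server.crt`, or a `system:node:<hostname>.kubeconfig` that was issued when the host had a different name, is never re-issued even though the hostname is now part of the certificate identity. Consider extending the condition with a content check, e.g. verifying the subject with `openssl x509 -noout -subject -in /etc/openshift/node/system:node:{{ openshift.common.hostname }}.crt` and comparing it to the expected `CN=system:node:<hostname>`, or at least honouring a force-regenerate variable. Note that the `set_fact` consuming `stat_result` continues past the hunk, so the complete condition is not visible here.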

+ 0 - 1
roles/openshift_common/tasks/main.yml

@@ -15,4 +15,3 @@
 
 - name: Set hostname
   hostname: name={{ openshift.common.hostname }}
-

+ 5 - 3
roles/openshift_facts/library/openshift_facts.py

@@ -298,10 +298,10 @@ def set_registry_url_if_unset(facts):
             if 'registry_url' not in facts[role]:
                 registry_url = "openshift/origin-${component}:${version}"
                 if deployment_type == 'enterprise':
-                    registry_url = "openshift3_beta/ose-${component}:${version}"
+                    registry_url = "openshift3/ose-${component}:${version}"
                 elif deployment_type == 'online':
                     registry_url = ("docker-registry.ops.rhcloud.com/"
-                                    "openshift3_beta/ose-${component}:${version}")
+                                    "openshift3/ose-${component}:${version}")
                 facts[role]['registry_url'] = registry_url
 
     return facts
@@ -450,7 +450,9 @@ def get_current_config(facts):
 
         # TODO: parse the /etc/sysconfig/openshift-{master,node} config to
         # determine the location of files.
-
+        # TODO: I suspect this isn't working right now, but it doesn't prevent
+        # anything from working properly as far as I can tell, perhaps because
+        # we override the kubeconfig path everywhere we use it?
         # Query kubeconfig settings
         kubeconfig_dir = '/var/lib/openshift/openshift.local.certificates'
         if role == 'node':
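Review bot: `kubeconfig_dir` on the line after the new comment still points at `/var/lib/openshift/openshift.local.certificates`, the very path this commit migrates away from everywhere else (`/etc/openshift/master`, `/etc/openshift/node`), so `get_current_config` will keep probing for kubeconfigs that no longer exist. Rather than recording a "suspect this isn't working" TODO, point the default at the new location, e.g. `kubeconfig_dir = '/etc/openshift/master'` with the node branch switching to `/etc/openshift/node`, or make the missing-file case explicit so it cannot silently return an empty configuration. The remainder of `get_current_config`, including the node branch that begins on the last line, lies outside the hunk.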

+ 13 - 12
roles/openshift_master/tasks/main.yml

@@ -8,6 +8,15 @@
     - openshift_master_oauth_grant_method in openshift_master_valid_grant_methods
   when: openshift_master_oauth_grant_method is defined
 
+- name: Install OpenShift Master package
+  yum: pkg=openshift-master state=present
+  register: install_result
+
+# TODO: Is this necessary or was this a workaround for an old bug in packaging?
+- name: Reload systemd units
+  command: systemctl daemon-reload
+  when: install_result | changed
+
 - name: Set master OpenShift facts
   openshift_facts:
     role: master
@@ -51,14 +60,6 @@
       domain: cluster.local
   when: openshift.master.embedded_dns
 
-- name: Install OpenShift Master package
-  yum: pkg=openshift-master state=present
-  register: install_result
-
-- name: Reload systemd units
-  command: systemctl daemon-reload
-  when: install_result | changed
-
 - name: Create config parent directory if it doesn't exist
   file:
     path: "{{ openshift_master_config_dir }}"
@@ -130,7 +131,7 @@
 
 - name: Create the OpenShift client config dir(s)
   file:
-    path: "~{{ item }}/.config/openshift"
+    path: "~{{ item }}/.kube"
     state: directory
     mode: 0700
     owner: "{{ item }}"
@@ -142,16 +143,16 @@
 # TODO: Update this file if the contents of the source file are not present in
 # the dest file, will need to make sure to ignore things that could be added
 - name: Copy the OpenShift admin client config(s)
-  command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.config/openshift/.config
+  command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config
   args:
-    creates: ~{{ item }}/.config/openshift/.config
+    creates: ~{{ item }}/.kube/config
   with_items:
   - root
   - "{{ ansible_ssh_user }}"
 
 - name: Update the permissions on the OpenShift admin client config(s)
   file:
-    path: "~{{ item }}/.config/openshift/.config"
+    path: "~{{ item }}/.kube/config"
     state: file
     mode: 0700
     owner: "{{ item }}"
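Review bot: The admin kubeconfig copied to `~<user>/.kube/config` is a cluster-admin credential, but the copy written by earlier runs at `~<user>/.config/openshift/.config` is not removed, so upgraded masters keep a second, unmanaged admin credential at the old path for both `root` and `{{ ansible_ssh_user }}`. Add a task that iterates over the same users with `- file: path="~{{ item }}/.config/openshift/.config" state=absent` (and `state=absent` on the now-unused `.config/openshift` directory). The `mode: 0700` on the final `file` task sets an execute bit on a regular file; `mode: "0600"` is what a kubeconfig needs, and quoting it avoids the YAML octal trap. The `cp … creates:` pair also means an already-present `~/.kube/config` is never refreshed, which the TODO above the copy task already acknowledges.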

+ 24 - 5
roles/openshift_master/templates/master.yaml.v1.j2

@@ -1,3 +1,6 @@
+apiLevels:
+- v1beta3
+- v1
 apiVersion: v1
 assetConfig:
   logoutURL: ""
@@ -8,6 +11,8 @@ assetConfig:
     certFile: master.server.crt
     clientCA: ""
     keyFile: master.server.key
+    maxRequestsInFlight: 0
+    requestTimeoutSeconds: 0
 corsAllowedOrigins:
 {# TODO: add support for user specified corsAllowedOrigins #}
 {% for origin in ['127.0.0.1', 'localhost', openshift.common.hostname, openshift.common.ip, openshift.common.public_hostname, openshift.common.public_ip] %}
@@ -43,9 +48,9 @@ etcdConfig:
 {% endif %}
 etcdStorageConfig:
   kubernetesStoragePrefix: kubernetes.io
-  kubernetesStorageVersion: v1beta3
-  kubernetesStoragePrefix: kubernetes.io
-  openShiftStorageVersion: v1beta3
+  kubernetesStorageVersion: v1
+  openShiftStoragePrefix: openshift.io
+  openShiftStorageVersion: v1
 imageConfig:
   format: {{ openshift.master.registry_url }}
   latest: false
@@ -58,18 +63,24 @@ kubeletClientInfo:
   port: 10250
 {% if openshift.master.embedded_kube %}
 kubernetesMasterConfig:
+  apiLevels:
+  - v1beta3
+  - v1
+  apiServerArguments: null
+  controllerArguments: null
 {# TODO: support overriding masterCount #}
   masterCount: 1
   masterIP: ""
+  podEvictionTimeout: ""
   schedulerConfigFile: {{ openshift_master_scheduler_conf }}
+  servicesNodePortRange: ""
   servicesSubnet: {{ openshift.master.portal_net }}
   staticNodeNames: {{ openshift_node_ips | default([], true) }}
 {% endif %}
 masterClients:
 {# TODO: allow user to set externalKubernetesKubeConfig #}
-  deployerKubeConfig: openshift-deployer.kubeconfig
   externalKubernetesKubeConfig: ""
-  openshiftLoopbackKubeConfig: openshift-client.kubeconfig
+  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
 masterPublicURL: {{ openshift.master.public_api_url }}
 networkConfig:
   clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
@@ -78,16 +89,22 @@ networkConfig:
 {% include 'v1_partials/oauthConfig.j2' %}
 policyConfig:
   bootstrapPolicyFile: {{ openshift_master_policy }}
+  openshiftInfrastructureNamespace: openshift-infra
   openshiftSharedResourcesNamespace: openshift
 {# TODO: Allow users to override projectConfig items #}
 projectConfig:
   defaultNodeSelector: ""
   projectRequestMessage: ""
   projectRequestTemplate: ""
+  securityAllocator:
+    mcsAllocatorRange: s0:/2
+    mcsLabelsPerProject: 5
+    uidAllocatorRange: 1000000000-1999999999/10000
 serviceAccountConfig:
   managedNames:
   - default
   - builder
+  - deployer
   privateKeyFile: serviceaccounts.private.key
   publicKeyFiles:
   - serviceaccounts.public.key
@@ -96,3 +113,5 @@ servingInfo:
   certFile: master.server.crt
   clientCA: ca.crt
   keyFile: master.server.key
+  maxRequestsInFlight: 0
+  requestTimeoutSeconds: 0
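Review bot: `maxRequestsInFlight: 0` and `requestTimeoutSeconds: 0` are hard-coded into both `servingInfo` and `assetConfig.servingInfo`; if, as with kube-apiserver's `--max-requests-inflight`, zero means "no limit", the public API endpoint ships with no concurrency cap and, unlike `portal_net` or `public_api_url`, there is no fact or inventory variable to tune it. Consider `maxRequestsInFlight: {{ openshift.master.max_requests_inflight | default(0) }}` so the current behaviour is kept but an operator can set a cap, or at minimum a Jinja comment such as `{# 0 = no limit on in-flight requests; tune for production #}` recording what the value means in this release. Since the same pair appears in both blocks, a single fact would also keep them from drifting apart.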

+ 14 - 14
roles/openshift_node/tasks/main.yml

@@ -1,6 +1,20 @@
 ---
 # TODO: allow for overriding default ports where possible
 
+- name: Install OpenShift Node package
+  yum: pkg=openshift-node state=present
+  register: node_install_result
+
+- name: Install openshift-sdn-ovs
+  yum: pkg=openshift-sdn-ovs state=present
+  register: sdn_install_result
+  when: openshift.common.use_openshift_sdn
+
+- name: Reload systemd units
+  command: systemctl daemon-reload
+  when: (node_install_result | changed or (openshift.common.use_openshift_sdn
+          and sdn_install_result | changed))
+
 - name: Set node OpenShift facts
   openshift_facts:
     role: "{{ item.role }}"
@@ -22,20 +36,6 @@
       debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
       portal_net: "{{ openshift_master_portal_net | default(None) }}"
 
-- name: Install OpenShift Node package
-  yum: pkg=openshift-node state=present
-  register: node_install_result
-
-- name: Install openshift-sdn-ovs
-  yum: pkg=openshift-sdn-ovs state=present
-  register: sdn_install_result
-  when: openshift.common.use_openshift_sdn
-
-- name: Reload systemd units
-  command: systemctl daemon-reload
-  when: (node_install_result | changed or (openshift.common.use_openshift_sdn
-          and sdn_install_result | changed))
-
 # TODO: add the validate parameter when there is a validation command to run
 - name: Create the Node config
   template:

+ 4 - 2
roles/openshift_node/templates/node.yaml.v1.j2

@@ -2,14 +2,16 @@ allowDisabledDocker: false
 apiVersion: v1
 dnsDomain: {{ hostvars[openshift_first_master].openshift.dns.domain }}
 dnsIP: {{ hostvars[openshift_first_master].openshift.dns.ip }}
+dockerConfig:
+  execHandlerName: ""
 imageConfig:
   format: {{ openshift.node.registry_url }}
   latest: false
 kind: NodeConfig
-masterKubeConfig: node.kubeconfig
+masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig
 networkPluginName: {{ openshift.common.sdn_network_plugin_name }}
 nodeName: {{ openshift.common.hostname }}
-podManifestConfig: null
+podManifestConfig:
 servingInfo:
   bindAddress: 0.0.0.0:10250
   certFile: server.crt
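Review bot: `podManifestConfig:` with no value at the bottom of the hunk parses as null, which is exactly what the removed `podManifestConfig: null` said, so the edit is a no-op that replaces an explicit value with a bare key yamllint flags under `empty-values`; keep `podManifestConfig: null`, matching `apiServerArguments: null` in the master template. The `masterKubeConfig` value now contains two colons plus a templated hostname; a plain scalar is fine as long as the rendered hostname has no spaces or `#`, but quoting it, `masterKubeConfig: "system:node:{{ openshift.common.hostname }}.kubeconfig"`, removes that dependence.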

+ 34 - 0
roles/openshift_node_certificates/README.md

@@ -0,0 +1,34 @@
+OpenShift Node Certificates
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)

+ 16 - 0
roles/openshift_node_certificates/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Jason DeTiberus
+  description:
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.8
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- { role: openshift_facts }

+ 35 - 0
roles/openshift_node_certificates/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Create openshift_generated_configs_dir if it doesn't exist
+  file:
+    path: "{{ openshift_generated_configs_dir }}"
+    state: directory
+
+- name: Generate the node client config
+  command: >
+    {{ openshift.common.admin_binary }} create-api-client-config
+      --certificate-authority={{ openshift_master_ca_cert }}
+      --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
+      --groups=system:nodes
+      --master={{ openshift.master.api_url }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
+      --user=system:node:{{ item.openshift.common.hostname }}
+  args:
+    chdir: "{{ openshift_generated_configs_dir }}"
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+  with_items: nodes_needing_certs
+
+- name: Generate the node server certificate
+  delegate_to: "{{ openshift_first_master }}"
+  command: >
+    {{ openshift.common.admin_binary }} create-server-cert
+      --cert=server.crt --key=server.key --overwrite=true
+      --hostnames={{ [item.openshift.common.hostname, item.openshift.common.public_hostname]|unique|join(",") }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
+  args:
+    chdir: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
+  with_items: nodes_needing_certs
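Review bot: The generated-configs directory created at the top of the file receives every node's client key and `server.key`, yet the `file` task sets no `mode`, so the directory takes the master's default umask (typically 0755) and the key files' permissions are whatever `openshift admin` chooses. Add `mode: "0700"` and `owner: root` to that task, and consider the same for the per-node `node-<hostname>` directories before the tarball is built from them. The `--overwrite=true` on the server-cert command is dead: the `creates:` guard skips the task whenever `server.crt` exists, so a node whose `public_hostname` changes keeps a certificate without the new SAN. The `delegate_to` on the server-cert task is also inconsistent with the client-config task above it, which runs un-delegated in the same play.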

+ 8 - 0
roles/openshift_node_certificates/vars/main.yml

@@ -0,0 +1,8 @@
+---
+openshift_node_config_dir: /etc/openshift/node
+openshift_master_config_dir: /etc/openshift/master
+openshift_generated_configs_dir: /etc/openshift/generated-configs
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_kube_api_version: v1beta3
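Review bot: `openshift_kube_api_version: v1beta3` contradicts the rest of this commit, which moves storage and API levels to `v1` in the master template, and nothing in this role's tasks references it — it looks like a leftover copied from openshift_register_nodes. Drop it, and consider moving the remaining paths into `defaults/main.yml`: placing `openshift_master_ca_key` and friends in `vars/` gives them a precedence that inventory and `-e` cannot override, so an operator keeping the signing key anywhere other than `/etc/openshift/master/ca.key` has no supported way to say so.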

+ 2 - 21
roles/openshift_register_nodes/README.md

@@ -1,27 +1,8 @@
 OpenShift Register Nodes
 ========================
 
-TODO
-
-Requirements
-------------
-
-TODO
-
-Role Variables
---------------
-
-TODO
-
-Dependencies
-------------
-
-TODO
-
-Example Playbook
-----------------
-
-TODO
+DEPRECATED!!!
+Nodes should now auto register themselves. Use openshift_node_certificates role instead.
 
 License
 -------

+ 5 - 2
roles/openshift_register_nodes/tasks/main.yml

@@ -14,7 +14,7 @@
       --signer-cert={{ openshift_master_ca_cert }}
       --signer-key={{ openshift_master_ca_key }}
       --signer-serial={{ openshift_master_ca_serial }}
-      --user=system:node-{{ item.openshift.common.hostname }}
+      --user=system:node:{{ item.openshift.common.hostname }}
   args:
     chdir: "{{ openshift_generated_configs_dir }}"
     creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
@@ -37,7 +37,7 @@
 - name: Register unregistered nodes
   kubernetes_register_node:
     kubectl_cmd: "{{ [openshift.common.client_binary] }}"
-    default_client_config: '~/.config/openshift/.config'
+    default_client_config: '~/.kube/config'
     name: "{{ item.openshift.common.hostname }}"
     api_version: "{{ openshift_kube_api_version }}"
     cpu: "{{ item.openshift.node.resources_cpu | default(None) }}"
@@ -46,5 +46,8 @@
     host_ip: "{{ item.openshift.common.ip }}"
     labels: "{{ item.openshift.node.labels | default({}) }}"
     annotations: "{{ item.openshift.node.annotations | default({}) }}"
+    client_context: default/ose3-master-example-com:8443/system:openshift-master
+    client_user: system:openshift-master/ose3-master-example-com:8443
+    client_cluster: ose3-master-example-com:8443
   with_items: openshift_nodes
   register: register_result
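Review bot: The new `client_context`, `client_user` and `client_cluster` values hard-code `ose3-master-example-com:8443`, which appears to match only a master whose hostname is literally `ose3-master.example.com`; on any other deployment the registration task selects a non-existent context and fails. Derive them from facts, e.g. `client_cluster: "{{ openshift.common.hostname | replace('.', '-') }}:8443"` with the context and user built the same way, or drop the three keys and rely on the kubeconfig's `current-context`. The `kubernetes_register_node` task begins in the preceding hunk, and the role's README now marks it deprecated, so if the role is kept only for reference the example-specific values should at least be commented as such.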