
Merge pull request #1247 from openshift/master

Merge master into prod
Matt Woodson 9 years ago
parent
commit
9410cdff93
31 changed files with 210 additions and 260 deletions
  1. 0 45
      git/parent.rb
  2. 13 8
      git/yaml_validate.py
  3. 0 72
      git/yaml_validation.rb
  4. 3 0
      inventory/byo/hosts.aep.example
  5. 3 0
      inventory/byo/hosts.origin.example
  6. 3 0
      inventory/byo/hosts.ose.example
  7. 27 3
      playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
  8. 2 0
      playbooks/common/openshift-master/config.yml
  9. 0 1
      playbooks/gce/openshift-cluster/config.yml
  10. 0 2
      playbooks/gce/openshift-cluster/join_node.yml
  11. 0 3
      playbooks/gce/openshift-cluster/vars.yml
  12. 3 1
      roles/haproxy/defaults/main.yml
  13. 64 51
      roles/openshift_facts/library/openshift_facts.py
  14. 3 3
      roles/openshift_master/defaults/main.yml
  15. 62 61
      roles/openshift_master/tasks/main.yml
  16. 2 2
      roles/openshift_master/templates/atomic-openshift-master-api.j2
  17. 1 0
      roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.j2
  18. 1 1
      roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2
  19. 1 0
      roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.j2
  20. 0 0
      roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
  21. 0 0
      roles/openshift_master/templates/docker/master.docker.service.j2
  22. 1 1
      roles/openshift_master/templates/master.yaml.v1.j2
  23. 9 0
      roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2
  24. 0 0
      roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.service.j2
  25. 2 2
      roles/openshift_master/templates/atomic-openshift-master-controllers.j2
  26. 0 0
      roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2
  27. 5 0
      roles/openshift_master/vars/main.yml
  28. 1 2
      roles/openshift_master_cluster/tasks/configure.yml
  29. 1 0
      roles/os_firewall/defaults/main.yml
  30. 2 2
      roles/os_firewall/tasks/main.yml
  31. 1 0
      roles/oso_host_monitoring/templates/oso-rhel7-host-monitoring.service.j2

+ 0 - 45
git/parent.rb

@@ -1,45 +0,0 @@
-#!/usr/bin/env ruby
-#
-#
-#
-
-if __FILE__ == $0
-  # If we aren't on master we don't need to parent check
-  branch = 'prod'
-  exit(0) if ARGV[0] !~ /#{branch}/
-  commit_id = ARGV[1]
-  %x[/usr/bin/git checkout #{branch}]
-  %x[/usr/bin/git merge #{commit_id}]
-
-  count = 0
-  #lines = %x[/usr/bin/git rev-list --left-right stg...master].split("\n")
-  lines = %x[/usr/bin/git rev-list --left-right remotes/origin/stg...#{branch}].split("\n")
-  lines.each do |commit|
-    # next if they are in stage
-    next if commit =~ /^</
-    # remove the first char '>'
-    commit = commit[1..-1]
-    # check if any remote branches contain $commit
-    results = %x[/usr/bin/git branch -q -r --contains #{commit} 2>/dev/null ]
-    # if this comes back empty, nothing contains it, we can skip it as
-    # we have probably created the merge commit here locally
-    next if results.empty?
-
-    # The results generally contain origin/pr/246/merge and origin/pr/246/head
-    # this is the pull request which would contain the commit in question.
-    #
-    # If the results do not contain origin/stg then stage does not contain
-    # the commit in question.  Therefore we need to alert!
-    unless results =~ /origin\/stg/
-      puts "\nFAILED: (These commits are not in stage.)\n"
-      puts "\t#{commit}"
-      count += 1
-    end
-  end
-
-  # Exit with count of commits in #{branch} but not stg
-  exit(count)
-end
-
-__END__
-

+ 13 - 8
git/yaml_validate.py

@@ -8,7 +8,6 @@ python yaml validator for a git commit
 import shutil
 import sys
 import os
-import glob
 import tempfile
 import subprocess
 import yaml
@@ -17,8 +16,8 @@ def get_changes(oldrev, newrev, tempdir):
     '''Get a list of git changes from oldrev to newrev'''
     proc = subprocess.Popen(['/usr/bin/git', 'diff', '--name-only', oldrev,
                              newrev, '--diff-filter=ACM'], stdout=subprocess.PIPE)
-    proc.wait()
-    files = proc.stdout.read().strip().split('\n')
+    stdout, _ = proc.communicate()
+    files = stdout.split('\n')
 
     # No file changes
     if not files:
@@ -26,9 +25,14 @@ def get_changes(oldrev, newrev, tempdir):
 
     cmd = '/usr/bin/git archive %s %s | /bin/tar x -C %s' % (newrev, " ".join(files), tempdir)
     proc = subprocess.Popen(cmd, shell=True)
-    proc.wait()
+    _, _ = proc.communicate()
 
-    return [fmod for fmod in glob.glob('%s/**/*' % tempdir) if not os.path.isdir(fmod)]
+    rfiles = []
+    for dirpath, _, fnames in os.walk(tempdir):
+        for fname in fnames:
+            rfiles.append(os.path.join(dirpath, fname))
+
+    return rfiles
 
 def main():
     '''
@@ -43,15 +47,15 @@ def main():
 
             print "+++++++ Received: %s" % file_mod
 
-            if not file_mod.endswith('.yml') or not file_mod.endswith('.yaml'):
+            if not file_mod.endswith('.yml') and not file_mod.endswith('.yaml'):
                 continue
 
             try:
-                yaml.load(file_mod)
+                yaml.load(open(file_mod))
                 results.append(True)
 
             except yaml.scanner.ScannerError as yerr:
-                print yerr.message
+                print yerr
                 results.append(False)
     finally:
         shutil.rmtree(tmpdir)
@@ -61,3 +65,4 @@ def main():
 
 if __name__ == "__main__":
     main()
+
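Review bot: Dropping `.strip()` at the new `files = stdout.split('\n')` line means git's trailing newline leaves a final empty element, so the `if not files` guard below never fires and an empty filename is spliced into the `git archive` shell command that follows. Restore it with `files = stdout.strip().split('\n')` (or simply `stdout.split()`). The new `yaml.load(open(file_mod))` in main() also never closes the file handle and runs PyYAML's full loader on content taken straight from the pushed commit; `with open(file_mod) as fh: yaml.safe_load(fh)` is the conservative form for a hook that validates arbitrary pushes. The bodies of get_changes and main extend outside these hunks.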

+ 0 - 72
git/yaml_validation.rb

@@ -1,72 +0,0 @@
-#!/usr/bin/env ruby
-#
-#
-#
-require 'yaml'
-require 'tmpdir'
-
-class YamlValidate
-  def self.yaml_file?(filename)
-    return filename.end_with?('.yaml') || filename.end_with?('.yml')
-  end
-
-  def self.short_yaml_ext?(filename)
-    return filename.end_with?(".yml")
-  end
-
-  def self.valid_yaml?(filename)
-    YAML::load_file(filename)
-
-    return true
-  end
-end
-
-class GitCommit
-  attr_accessor :oldrev, :newrev, :refname, :tmp
-  def initialize(oldrev, newrev, refname)
-    @oldrev = oldrev
-    @newrev = newrev
-    @refname = refname
-    @tmp = Dir.mktmpdir(@newrev)
-  end
-
-  def get_file_changes()
-    files = %x[/usr/bin/git diff --name-only #{@oldrev} #{@newrev} --diff-filter=ACM].split("\n")
-
-    # if files is empty we will get a full checkout.  This happens on
-    # a git rm file.  If there are no changes then we need to skip the archive
-    return [] if files.empty?
-
-    # We only want to take the files that changed.  Archive will do that when passed
-    # the filenames.  It will export these to a tmp dir
-    system("/usr/bin/git archive #{@newrev} #{files.join(" ")} | tar x -C #{@tmp}")
-    return Dir.glob("#{@tmp}/**/*").delete_if { |file| File.directory?(file) }
-  end
-end
-
-if __FILE__ == $0
-  while data = STDIN.gets
-    oldrev, newrev, refname = data.split
-    gc = GitCommit.new(oldrev, newrev, refname)
-
-    results = []
-    gc.get_file_changes().each do |file|
-      begin
-        puts "++++++ Received:  #{file}"
-
-        #raise "Yaml file extensions must be .yaml not .yml" if YamlValidate.short_yaml_ext? file
-
-        # skip readme, other files, etc
-        next unless YamlValidate.yaml_file?(file)
-
-        results << YamlValidate.valid_yaml?(file)
-      rescue Exception => ex
-        puts "\n#{ex.message}\n\n"
-        results << false
-      end
-    end
-
-    #puts "RESULTS\n#{results.inspect}\n"
-    exit 1 if results.include?(false)
-  end
-end

+ 3 - 0
inventory/byo/hosts.aep.example

@@ -117,6 +117,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # default project node selector
 #osm_default_node_selector='region=primary'
 
+# Override the default pod eviction timeout
+#openshift_master_pod_eviction_timeout=5m
+
 # default storage plugin dependencies to install, by default the ceph and
 # glusterfs plugin dependencies will be installed, if available.
 #osn_storage_plugin_deps=['ceph','glusterfs']

+ 3 - 0
inventory/byo/hosts.origin.example

@@ -122,6 +122,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # default project node selector
 #osm_default_node_selector='region=primary'
 
+# Override the default pod eviction timeout
+#openshift_master_pod_eviction_timeout=5m
+
 # default storage plugin dependencies to install, by default the ceph and
 # glusterfs plugin dependencies will be installed, if available.
 #osn_storage_plugin_deps=['ceph','glusterfs']

+ 3 - 0
inventory/byo/hosts.ose.example

@@ -117,6 +117,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # default project node selector
 #osm_default_node_selector='region=primary'
 
+# Override the default pod eviction timeout
+#openshift_master_pod_eviction_timeout=5m
+
 # default storage plugin dependencies to install, by default the ceph and
 # glusterfs plugin dependencies will be installed, if available.
 #osn_storage_plugin_deps=['ceph','glusterfs']

+ 27 - 3
playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml

@@ -248,7 +248,31 @@
       config_base: "{{ hostvars[inventory_hostname].openshift.common.config_base }}"
 
   - set_fact:
-      master_certs_missing: True
+      openshift_master_certs_no_etcd:
+      - admin.crt
+      - master.kubelet-client.crt
+      - "{{ 'master.proxy-client.crt' if openshift.common.version_greater_than_3_1_or_1_1 else omit }}"
+      - master.server.crt
+      - openshift-master.crt
+      - openshift-registry.crt
+      - openshift-router.crt
+      - etcd.server.crt
+      openshift_master_certs_etcd:
+      - master.etcd-client.crt
+
+  - set_fact:
+      openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd)) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else openshift_master_certs_no_etcd }}"
+
+  - name: Check status of master certificates
+    stat:
+      path: "{{ openshift.common.config_base }}/master/{{ item }}"
+    with_items: openshift_master_certs
+    register: g_master_cert_stat_result
+
+  - set_fact:
+      master_certs_missing: "{{ False in (g_master_cert_stat_result.results
+                                | oo_collect(attribute='stat.exists')
+                                | list ) }}"
       master_cert_subdir: master-{{ openshift.common.hostname }}
       master_cert_config_dir: "{{ openshift.common.config_base }}/master"
 
@@ -262,8 +286,8 @@
                           | oo_flatten | unique }}"
     master_generated_certs_dir: "{{ openshift.common.config_base }}/generated-configs"
     masters_needing_certs: "{{ hostvars
-                               | oo_select_keys(groups.oo_masters_to_config)
-                               | difference([groups.oo_first_master.0]) }}"
+                               | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
+                               | oo_filter_list(filter_attr='master_certs_missing') }}"
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
     openshift_deployment_type: "{{ deployment_type }}"
   roles:
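Review bot: `with_items: openshift_master_certs` in the first hunk's stat task passes a bare variable name, which works on older Ansible but is deprecated in later releases; `with_items: "{{ openshift_master_certs }}"` is the portable form. The `omit` inside the `openshift_master_certs_no_etcd` list likely does not drop the entry: omission is only honoured for module arguments, so on pre-3.1 hosts the placeholder string would be stat'd as a filename and report a missing certificate, flipping `master_certs_missing` to true. Building the list with a conditional append (or filtering the placeholder out before the stat task) avoids that — worth confirming against the Ansible version this playbook targets.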

+ 2 - 0
playbooks/common/openshift-master/config.yml

@@ -43,6 +43,7 @@
           api_port: "{{ openshift_master_api_port | default(None) }}"
           api_url: "{{ openshift_master_api_url | default(None) }}"
           api_use_ssl: "{{ openshift_master_api_use_ssl | default(None) }}"
+          controllers_port: "{{ openshift_master_controllers_port | default(None) }}"
           public_api_url: "{{ openshift_master_public_api_url | default(None) }}"
           cluster_hostname: "{{ openshift_master_cluster_hostname | default(None) }}"
           cluster_public_hostname: "{{ openshift_master_cluster_public_hostname | default(None) }}"
@@ -218,6 +219,7 @@
   hosts: oo_lb_to_config
   vars:
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
+    haproxy_frontend_port: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }}"
     haproxy_frontends:
     - name: atomic-openshift-api
       mode: tcp

+ 0 - 1
playbooks/gce/openshift-cluster/config.yml

@@ -13,4 +13,3 @@
     openshift_debug_level: "{{ debug_level }}"
     openshift_deployment_type: "{{ deployment_type }}"
     openshift_hostname: "{{ gce_private_ip }}"
-    openshift_use_openshift_sdn: "{{ do_we_use_openshift_sdn }}"

+ 0 - 2
playbooks/gce/openshift-cluster/join_node.yml

@@ -48,6 +48,4 @@
     openshift_debug_level: 4
     openshift_deployment_type: "{{ deployment_type }}"
     openshift_hostname: "{{ ansible_default_ipv4.address }}"
-    openshift_use_openshift_sdn: true
     openshift_node_labels: "{{ lookup('oo_option', 'openshift_node_labels') }} "
-    os_sdn_network_plugin_name: "redhat/openshift-ovs-subnet"

+ 0 - 3
playbooks/gce/openshift-cluster/vars.yml

@@ -1,8 +1,5 @@
 ---
-do_we_use_openshift_sdn: true
-sdn_network_plugin: redhat/openshift-ovs-subnet
 debug_level: 2
-# os_sdn_network_plugin_name can be ovssubnet or multitenant, see https://docs.openshift.org/latest/architecture/additional_concepts/sdn.html#ovssubnet-plugin-operation
 
 deployment_rhel7_ent_base:
   image: rhel-7

+ 3 - 1
roles/haproxy/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
+haproxy_frontend_port: 80
+
 haproxy_frontends:
 - name: main
   binds:
@@ -18,4 +20,4 @@ os_firewall_allow:
 - service: haproxy stats
   port: "9000/tcp"
 - service: haproxy balance
-  port: "8443/tcp"
+  port: "{{ haproxy_frontend_port }}/tcp"
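Review bot: The new `haproxy_frontend_port: 80` default changes what the role's own firewall rule opens from `8443/tcp` to `80/tcp`, while the default `haproxy_frontends` binds just above (outside this hunk) are not shown to use the variable; if they still bind 8443 the role's defaults are now internally inconsistent. Either default `haproxy_frontend_port` to `8443` or make the default frontend bind reference `{{ haproxy_frontend_port }}` as well. A one-line comment on the variable, e.g. `# Port the default frontend binds on; also opened in os_firewall_allow below`, would document the coupling.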

+ 64 - 51
roles/openshift_facts/library/openshift_facts.py

@@ -188,9 +188,6 @@ def normalize_gce_facts(metadata, facts):
     _, _, zone = metadata['instance']['zone'].rpartition('/')
     facts['zone'] = zone
 
-    # Default to no sdn for GCE deployments
-    facts['use_openshift_sdn'] = False
-
     # GCE currently only supports a single interface
     facts['network']['ip'] = facts['network']['interfaces'][0]['ips'][0]
     pub_ip = facts['network']['interfaces'][0]['public_ips'][0]
@@ -461,52 +458,68 @@ def set_url_facts_if_unset(facts):
                   were not already present
     """
     if 'master' in facts:
-        api_use_ssl = facts['master']['api_use_ssl']
-        api_port = facts['master']['api_port']
-        console_use_ssl = facts['master']['console_use_ssl']
-        console_port = facts['master']['console_port']
-        console_path = facts['master']['console_path']
-        etcd_use_ssl = facts['master']['etcd_use_ssl']
-        etcd_hosts = facts['master']['etcd_hosts']
-        etcd_port = facts['master']['etcd_port']
         hostname = facts['common']['hostname']
-        public_hostname = facts['common']['public_hostname']
         cluster_hostname = facts['master'].get('cluster_hostname')
         cluster_public_hostname = facts['master'].get('cluster_public_hostname')
+        public_hostname = facts['common']['public_hostname']
+        api_hostname = cluster_hostname if cluster_hostname else hostname
+        api_public_hostname = cluster_public_hostname if cluster_public_hostname else public_hostname
+        console_path = facts['master']['console_path']
+        etcd_hosts = facts['master']['etcd_hosts']
+
+        use_ssl = dict(
+            api=facts['master']['api_use_ssl'],
+            public_api=facts['master']['api_use_ssl'],
+            loopback_api=facts['master']['api_use_ssl'],
+            console=facts['master']['console_use_ssl'],
+            public_console=facts['master']['console_use_ssl'],
+            etcd=facts['master']['etcd_use_ssl']
+        )
+
+        ports = dict(
+            api=facts['master']['api_port'],
+            public_api=facts['master']['api_port'],
+            loopback_api=facts['master']['api_port'],
+            console=facts['master']['console_port'],
+            public_console=facts['master']['console_port'],
+            etcd=facts['master']['etcd_port'],
+        )
+
+        etcd_urls = []
+        if etcd_hosts != '':
+            facts['master']['etcd_port'] = ports['etcd']
+            facts['master']['embedded_etcd'] = False
+            for host in etcd_hosts:
+                etcd_urls.append(format_url(use_ssl['etcd'], host,
+                                            ports['etcd']))
+        else:
+            etcd_urls = [format_url(use_ssl['etcd'], hostname,
+                                    ports['etcd'])]
+
+        facts['master'].setdefault('etcd_urls', etcd_urls)
+
+        prefix_hosts = [('api', api_hostname),
+                        ('public_api', api_public_hostname),
+                        ('loopback_api', hostname)]
+
+        for prefix, host in prefix_hosts:
+            facts['master'].setdefault(prefix + '_url', format_url(use_ssl[prefix],
+                                                                   host,
+                                                                   ports[prefix]))
+
+
+        r_lhn = "{0}:{1}".format(api_hostname, ports['api']).replace('.', '-')
+        facts['master'].setdefault('loopback_cluster_name', r_lhn)
+        facts['master'].setdefault('loopback_context_name', "default/{0}/system:openshift-master".format(r_lhn))
+        facts['master'].setdefault('loopback_user', "system:openshift-master/{0}".format(r_lhn))
+
+        prefix_hosts = [('console', api_hostname), ('public_console', api_public_hostname)]
+        for prefix, host in prefix_hosts:
+            facts['master'].setdefault(prefix + '_url', format_url(use_ssl[prefix],
+                                                                   host,
+                                                                   ports[prefix],
+                                                                   console_path))
 
-        if 'etcd_urls' not in facts['master']:
-            etcd_urls = []
-            if etcd_hosts != '':
-                facts['master']['etcd_port'] = etcd_port
-                facts['master']['embedded_etcd'] = False
-                for host in etcd_hosts:
-                    etcd_urls.append(format_url(etcd_use_ssl, host,
-                                                etcd_port))
-            else:
-                etcd_urls = [format_url(etcd_use_ssl, hostname,
-                                        etcd_port)]
-            facts['master']['etcd_urls'] = etcd_urls
-        if 'api_url' not in facts['master']:
-            api_hostname = cluster_hostname if cluster_hostname else hostname
-            facts['master']['api_url'] = format_url(api_use_ssl, api_hostname,
-                                                    api_port)
-        if 'public_api_url' not in facts['master']:
-            api_public_hostname = cluster_public_hostname if cluster_public_hostname else public_hostname
-            facts['master']['public_api_url'] = format_url(api_use_ssl,
-                                                           api_public_hostname,
-                                                           api_port)
-        if 'console_url' not in facts['master']:
-            console_hostname = cluster_hostname if cluster_hostname else hostname
-            facts['master']['console_url'] = format_url(console_use_ssl,
-                                                        console_hostname,
-                                                        console_port,
-                                                        console_path)
-        if 'public_console_url' not in facts['master']:
-            console_public_hostname = cluster_public_hostname if cluster_public_hostname else public_hostname
-            facts['master']['public_console_url'] = format_url(console_use_ssl,
-                                                               console_public_hostname,
-                                                               console_port,
-                                                               console_path)
     return facts
 
 def set_aggregate_facts(facts):
@@ -884,10 +897,6 @@ def apply_provider_facts(facts, provider_facts):
     if not provider_facts:
         return facts
 
-    use_openshift_sdn = provider_facts.get('use_openshift_sdn')
-    if isinstance(use_openshift_sdn, bool):
-        facts['common']['use_openshift_sdn'] = use_openshift_sdn
-
     common_vars = [('hostname', 'ip'), ('public_hostname', 'public_ip')]
     for h_var, ip_var in common_vars:
         ip_value = provider_facts['network'].get(ip_var)
@@ -1038,6 +1047,10 @@ def set_container_facts_if_unset(facts):
         if 'ovs_image' not in facts['node']:
             facts['node']['ovs_image'] = ovs_image
 
+    if facts['common']['is_containerized']:
+        facts['common']['admin_binary'] = '/usr/local/bin/oadm'
+        facts['common']['client_binary'] = '/usr/local/bin/oc'
+
     return facts
 
 
@@ -1078,7 +1091,7 @@ class OpenShiftFacts(object):
         Raises:
             OpenShiftFactsUnsupportedRoleError:
     """
-    known_roles = ['common', 'master', 'node', 'master_sdn', 'node_sdn', 'etcd', 'nfs']
+    known_roles = ['common', 'master', 'node', 'etcd', 'nfs']
 
     def __init__(self, role, filename, local_facts, additive_facts_to_overwrite=False):
         self.changed = False
@@ -1156,7 +1169,7 @@ class OpenShiftFacts(object):
         defaults['common'] = common
 
         if 'master' in roles:
-            master = dict(api_use_ssl=True, api_port='8443',
+            master = dict(api_use_ssl=True, api_port='8443', controllers_port='8444',
                           console_use_ssl=True, console_path='/console',
                           console_port='8443', etcd_use_ssl=True, etcd_hosts='',
                           etcd_port='4001', portal_net='172.30.0.0/16',
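Review bot: In the `set_container_facts_if_unset` hunk the new block assigns `admin_binary` and `client_binary` unconditionally whenever `is_containerized` is true, which contradicts the function's "if unset" contract and will clobber any caller-supplied override; `facts['common'].setdefault('admin_binary', '/usr/local/bin/oadm')` (and likewise for `client_binary`) keeps the existing semantics. In the `set_url_facts_if_unset` hunk, `facts['master']['etcd_port'] = ports['etcd']` writes back the very value `ports['etcd']` was read from, so it is a no-op and can be removed, and the double blank line before `r_lhn` violates PEP 8 inside a function body. Both functions' bodies extend beyond the hunks shown.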

+ 3 - 3
roles/openshift_master/defaults/main.yml

@@ -6,7 +6,9 @@ os_firewall_allow:
 - service: etcd embedded
   port: 4001/tcp
 - service: api server https
-  port: 8443/tcp
+  port: "{{ openshift.master.api_port }}/tcp"
+- service: api controllers https
+  port: "{{ openshift.master.controllers_port }}/tcp"
 - service: dns tcp
   port: 53/tcp
 - service: dns udp
@@ -24,7 +26,5 @@ os_firewall_allow:
 os_firewall_deny:
 - service: api server http
   port: 8080/tcp
-- service: former web console port
-  port: 8444/tcp
 - service: former etcd peer port
   port: 7001/tcp

+ 62 - 61
roles/openshift_master/tasks/main.yml

@@ -51,6 +51,7 @@
       embedded_dns: "{{ openshift_master_embedded_dns | default(None) }}"
       dns_port: "{{ openshift_master_dns_port | default(None) }}"
       bind_addr: "{{ openshift_master_bind_addr | default(None) }}"
+      pod_eviction_timeout: "{{ openshift_master_pod_eviction_timeout | default(None) }}"
       portal_net: "{{ openshift_master_portal_net | default(None) }}"
       session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}"
       session_name: "{{ openshift_master_session_name | default(None) }}"
@@ -94,12 +95,12 @@
 - name: Install Master docker service file
   template:
     dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service"
-    src: master.docker.service.j2
+    src: docker/master.docker.service.j2
   register: install_result
   when: openshift.common.is_containerized | bool and not openshift_master_ha | bool
-  
+
 - name: Create openshift.common.data_dir
-  file: 
+  file:
     path: "{{ openshift.common.data_dir }}"
     state: directory
     mode: 0755
@@ -174,31 +175,42 @@
   when: openshift.common.is_containerized | bool
 
 # workaround for missing systemd unit files for controllers/api
-- name: Create the api service file
-  template:
-    src: atomic-openshift-master-api{{ ha_suffix }}.service.j2
-    dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-api.service"
-  when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
-- name: Create the controllers service file
+- name: Create the systemd unit files
   template:
-    src: atomic-openshift-master-controllers{{ ha_suffix }}.service.j2
-    dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-controllers.service"
+    src: "{{ ha_svc_template_path }}/atomic-openshift-master-{{ item }}.service.j2"
+    dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-{{ item }}.service"
   when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
-- name: Create the api env file
+  with_items:
+  - api
+  - controllers
+  register: create_unit_files
+
+- command: systemctl daemon-reload
+  when: create_unit_files | changed
+# end workaround for missing systemd unit files
+
+- name: Create the master api service env file
   template:
-    src: atomic-openshift-master-api.j2
+    src: "{{ ha_svc_template_path }}/atomic-openshift-master-api.j2"
     dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api
-    force: no
   when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
-- name: Create the controllers env file
+  notify:
+  - restart master api
+
+- name: Create the master controllers service env file
   template:
-    src: atomic-openshift-master-controllers.j2
+    src: "{{ ha_svc_template_path }}/atomic-openshift-master-controllers.j2"
     dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
-    force: no
-  when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
-- command: systemctl daemon-reload
   when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
-# end workaround for missing systemd unit files
+  notify:
+  - restart master controllers
+
+- name: Create the master service env file
+  template:
+    src: "atomic-openshift-master.j2"
+    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master
+  notify:
+  - restart master
 
 - name: Create session secrets file
   template:
@@ -223,47 +235,36 @@
   - restart master api
   - restart master controllers
 
-- name: Configure master settings
-  lineinfile:
-    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master
-    regexp: "{{ item.regex }}"
-    line: "{{ item.line }}"
-    create: yes
-  with_items:
-    - regex: '^OPTIONS='
-      line: "OPTIONS=--loglevel={{ openshift.master.debug_level }}"
-    - regex: '^CONFIG_FILE='
-      line: "CONFIG_FILE={{ openshift_master_config_file }}"
-  notify:
-  - restart master
-
-- name: Configure master api settings
-  lineinfile:
-    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api
-    regexp: "{{ item.regex }}"
-    line: "{{ item.line }}"
-  with_items:
-    - regex: '^OPTIONS='
-      line: "OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen=https://0.0.0.0:8443 --master=https://{{ openshift.common.ip }}:8443"
-    - regex: '^CONFIG_FILE='
-      line: "CONFIG_FILE={{ openshift_master_config_file }}"
-  when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
-  notify:
-  - restart master api
-
-- name: Configure master controller settings
-  lineinfile:
-    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
-    regexp: "{{ item.regex }}"
-    line: "{{ item.line }}"
-  with_items:
-    - regex: '^OPTIONS='
-      line: "OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen=https://0.0.0.0:8444"
-    - regex: '^CONFIG_FILE='
-      line: "CONFIG_FILE={{ openshift_master_config_file }}"
-  when: openshift_master_ha | bool and openshift_master_cluster_method == "native"
-  notify:
-  - restart master controllers
+- name: Test local loopback context
+  command: >
+    {{ openshift.common.client_binary }} config view
+    --config={{ openshift_master_loopback_config }}
+  changed_when: false
+  register: loopback_config
+
+- command: >
+    {{ openshift.common.client_binary }} config set-cluster
+    --certificate-authority={{ openshift_master_config_dir }}/ca.crt
+    --embed-certs=true --server={{ openshift.master.loopback_api_url }}
+    {{ openshift.master.loopback_cluster_name }}
+    --config={{ openshift_master_loopback_config }}
+  when: loopback_context_string not in loopback_config.stdout
+  register: set_loopback_cluster
+
+- command: >
+    {{ openshift.common.client_binary }} config set-context
+    --cluster={{ openshift.master.loopback_cluster_name }}
+    --namespace=default --user={{ openshift.master.loopback_user }}
+    {{ openshift.master.loopback_context_name }}
+    --config={{ openshift_master_loopback_config }}
+  when: set_loopback_cluster | changed
+  register: set_loopback_context
+
+- command: >
+    {{ openshift.common.client_binary }} config use-context {{ openshift.master.loopback_context_name }}
+    --config={{ openshift_master_loopback_config }}
+  when: set_loopback_context | changed
+  register: set_current_context
 
 - name: Start and enable master
   service: name={{ openshift.common.service_type }}-master enabled=yes state=started
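Review bot: The loopback-context check `loopback_context_string not in loopback_config.stdout` keys on the literal `current-context: <name>` line of `oc config view`, so any change in that output's formatting silently skips `set-cluster` and leaves the kubeconfig unconfigured; comparing the output of `config current-context --config={{ openshift_master_loopback_config }}` against `openshift.master.loopback_context_name` is a more robust test. The four new `command` tasks, including `systemctl daemon-reload`, carry no `name:`, which makes play output hard to follow — e.g. `- name: Reload systemd units after unit file changes`. Removing `force: no` from the api/controllers env-file templates means they are now re-templated on every run; that looks intentional since the lineinfile edits were dropped, but a comment above those tasks saying so would help. The task list continues outside this hunk.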

+ 2 - 2
roles/openshift_master/templates/atomic-openshift-master-api.j2

@@ -1,5 +1,5 @@
-OPTIONS=
-CONFIG_FILE={{ openshift_master_config_dir }}/master-config.yaml
+OPTIONS=--loglevel={{ openshift.master.debug_level }}
+CONFIG_FILE={{ openshift_master_config_file }}
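Review bot: After this change the top-level `atomic-openshift-master-api.j2` appears to be unreferenced: the tasks hunk now renders `{{ ha_svc_template_path }}/atomic-openshift-master-api.j2` from the `native-cluster`/`docker-cluster` subdirectories, and the new native-cluster copy carries the full `--listen`/`--master` OPTIONS while this one only sets `--loglevel`. The same applies to the top-level `atomic-openshift-master-controllers.j2` edited later in this commit. If nothing else renders these two, deleting them avoids two drifting copies; if a non-HA path not shown here still uses them, a header comment naming that consumer would stop the next reader from removing them.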
 
 # Proxy configuration
 # Origin uses standard HTTP_PROXY environment variables. Be sure to set

+ 1 - 0
roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.j2

@@ -0,0 +1 @@
+../native-cluster/atomic-openshift-master-api.j2

+ 1 - 1
roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2

@@ -23,4 +23,4 @@ Restart=always
 
 [Install]
 WantedBy=multi-user.target
-WantedBy={{ openshift.common.service_type }}-node.service
+WantedBy={{ openshift.common.service_type }}-node.service

+ 1 - 0
roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.j2

@@ -0,0 +1 @@
+../native-cluster/atomic-openshift-master-controllers.j2

roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2 → roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2


roles/openshift_master/templates/master.docker.service.j2 → roles/openshift_master/templates/docker/master.docker.service.j2


+ 1 - 1
roles/openshift_master/templates/master.yaml.v1.j2

@@ -91,7 +91,7 @@ kubernetesMasterConfig:
   controllerArguments: {{ openshift.master.controller_args | default(None) | to_padded_yaml( level=2 ) }}
   masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }}
   masterIP: {{ openshift.common.ip }}
-  podEvictionTimeout: ""
+  podEvictionTimeout: {{ openshift.master.pod_eviction_timeout | default("") }}
   proxyClientInfo:
     certFile: master.proxy-client.crt
     keyFile: master.proxy-client.key
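Review bot: `podEvictionTimeout: {{ openshift.master.pod_eviction_timeout | default("") }}` renders as an empty scalar when the fact is unset, which YAML reads as null rather than the previous `""`; if the consumer distinguishes the two, the default case has changed behaviour. Quoting the value, `podEvictionTimeout: "{{ openshift.master.pod_eviction_timeout | default('') }}"`, preserves the old empty-string rendering and also keeps values such as `5m` as strings.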

+ 9 - 0
roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2

@@ -0,0 +1,9 @@
+OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.api_port }} --master={{ openshift.master.loopback_api_url }}
+CONFIG_FILE={{ openshift_master_config_file }}
+
+# Proxy configuration
+# Origin uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

roles/openshift_master/templates/atomic-openshift-master-api.service.j2 → roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.service.j2


+ 2 - 2
roles/openshift_master/templates/atomic-openshift-master-controllers.j2

@@ -1,5 +1,5 @@
-OPTIONS=
-CONFIG_FILE={{ openshift_master_config_dir }}/master-config.yaml
+OPTIONS=--loglevel={{ openshift.master.debug_level }} --listen={{ 'https' if openshift.master.api_use_ssl else 'http' }}://{{ openshift.master.bind_addr }}:{{ openshift.master.controllers_port }}
+CONFIG_FILE={{ openshift_master_config_file }}
 
 # Proxy configuration
 # Origin uses standard HTTP_PROXY environment variables. Be sure to set

roles/openshift_master/templates/atomic-openshift-master-controllers.service.j2 → roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.service.j2


+ 5 - 0
roles/openshift_master/vars/main.yml

@@ -1,11 +1,16 @@
 ---
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
 openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml"
+openshift_master_loopback_config: "{{ openshift_master_config_dir }}/openshift-master.kubeconfig"
+loopback_context_string: "current-context: {{ openshift.master.loopback_context_name }}"
 openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json"
 openshift_master_session_secrets_file: "{{ openshift_master_config_dir }}/session-secrets.yaml"
 openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json"
 openshift_version: "{{ openshift_pkg_version | default('') }}"
 
+ha_svc_template_path: "{{ 'docker-cluster' if openshift.common.is_containerized | bool else 'native-cluster' }}"
+ha_svc_svc_dir: "{{ '/etc/systemd/system' if openshift.common.is_containerized | bool else '/usr/lib/systemd/system' }}"
+
 openshift_master_valid_grant_methods:
 - auto
 - prompt

+ 1 - 2
roles/openshift_master_cluster/tasks/configure.yml

@@ -34,11 +34,10 @@
 - name: Disable stonith
   command: pcs property set stonith-enabled=false
 
-# TODO: handle case where api port is not 8443
 - name: Wait for the clustered master service to be available
   wait_for:
     host: "{{ openshift_master_cluster_vip }}"
-    port: 8443
+    port: "{{ openshift.master.api_port }}"
     state: started
     timeout: 180
     delay: 90

+ 1 - 0
roles/os_firewall/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
+os_firewall_enabled: True
 os_firewall_use_firewalld: True

+ 2 - 2
roles/os_firewall/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - include: firewall/firewalld.yml
-  when: os_firewall_use_firewalld
+  when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
 
 - include: firewall/iptables.yml
-  when: not os_firewall_use_firewalld
+  when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool

+ 1 - 0
roles/oso_host_monitoring/templates/oso-rhel7-host-monitoring.service.j2

@@ -47,6 +47,7 @@ ExecStart=/usr/bin/docker run --name {{ osohm_host_monitoring }}
            -e ZAGG_SSL_VERIFY={{ osohm_zagg_verify_ssl }}                                    \
            -e OSO_CLUSTER_GROUP={{ cluster_group }}                                          \
            -e OSO_CLUSTER_ID={{ oo_clusterid }}                                              \
+           -e OSO_ENVIRONMENT={{ oo_environment }}                                           \
            -e OSO_HOST_TYPE={{ hostvars[inventory_hostname]['ec2_tag_host-type'] }}          \
            -e OSO_SUB_HOST_TYPE={{ hostvars[inventory_hostname]['ec2_tag_sub-host-type'] }}  \
            -v /etc/localtime:/etc/localtime                                                  \