
Install OpenShift admin console

Samuel Padgett 7 years ago
parent
commit
a4279261af

+ 7 - 0
playbooks/common/openshift-cluster/upgrades/post_control_plane.yml

@@ -9,6 +9,13 @@
     when:
     - openshift_web_console_install | default(true) | bool
 
+- name: Install admin console
+  hosts: oo_first_master
+  roles:
+  - role: openshift_console
+    when:
+    - openshift_console_install | default(true) | bool
+
 # upgrade registry and router pods; we defer waiting for these pods
 # until after the next play to hopefully save some time polling.
 - import_playbook: ../../../openshift-hosted/private/upgrade.yml

+ 3 - 0
playbooks/common/private/components.yml

@@ -25,6 +25,9 @@
 - import_playbook: ../../openshift-web-console/private/config.yml
   when: openshift_web_console_install | default(true) | bool
 
+- import_playbook: ../../openshift-console/private/config.yml
+  when: openshift_console_install | default(true) | bool
+
 - import_playbook: ../../openshift-metrics/private/config.yml
   when: openshift_metrics_install_metrics | default(false) | bool
 

+ 14 - 0
playbooks/openshift-console/OWNERS

@@ -0,0 +1,14 @@
+# approval == this is a good idea /approve
+approvers:
+  - spadgett
+  - michaelgugino
+  - mtnbikenc
+  - sdodson
+  - vrutkovs
+# review == this code is good /lgtm
+reviewers:
+  - spadgett
+  - michaelgugino
+  - mtnbikenc
+  - sdodson
+  - vrutkovs

+ 8 - 0
playbooks/openshift-console/config.yml

@@ -0,0 +1,8 @@
+---
+- import_playbook: ../init/main.yml
+  vars:
+    l_init_fact_hosts: "oo_masters_to_config"
+    l_openshift_version_set_hosts: "oo_masters_to_config:!oo_first_master"
+    l_sanity_check_hosts: "{{ groups['oo_masters_to_config'] }}"
+
+- import_playbook: private/config.yml

+ 34 - 0
playbooks/openshift-console/private/config.yml

@@ -0,0 +1,34 @@
+---
+- name: Console Install Checkpoint Start
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Set Console install 'In Progress'
+    run_once: true
+    set_stats:
+      data:
+        installer_phase_console:
+          title: "Console Install"
+          playbook: "playbooks/openshift-console/config.yml"
+          status: "In Progress"
+          start: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
+
+- name: Console
+  hosts: oo_first_master
+  vars:
+    first_master: "{{ groups.oo_first_master[0] }}"
+  tasks:
+  - import_role:
+      name: openshift_console
+
+- name: Console Install Checkpoint End
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Set Console install 'Complete'
+    run_once: true
+    set_stats:
+      data:
+        installer_phase_console:
+          status: "Complete"
+          end: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
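Review bot: `first_master` is defined in the `Console` play's `vars` but nothing in this commit reads it — the role's tasks added here (install.yml, start.yml, remove.yml) use `openshift.common.config_base` and `mktemp.stdout` rather than a `first_master` variable — so it is dead unless a later change needs it; drop it or add a comment saying what it is reserved for. The `start` and `end` timestamps come from `lookup('pipe', 'date +%Y%m%d%H%M%SZ')`, which runs on the Ansible controller, so they record controller time, not the master's; a one-line comment above each `set_stats` would make that intent explicit.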

+ 1 - 0
playbooks/openshift-console/private/roles

@@ -0,0 +1 @@
+../../../roles/

+ 10 - 0
roles/openshift_console/OWNERS

@@ -0,0 +1,10 @@
+# approval == this is a good idea /approve
+approvers:
+  - spadgett
+  - jwforres
+  - sdodson
+# review == this code is good /lgtm
+reviewers:
+  - spadgett
+  - jwforres
+  - sdodson

+ 25 - 0
roles/openshift_console/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+openshift_console_nodeselector: {"node-role.kubernetes.io/master":"true"}
+
+__console_template_file: "console-template.yaml"
+__console_config_file: "console-config.yaml"
+
+openshift_console_image_name: "{{ l_osm_registry_url | regex_replace('${component}' | regex_escape, 'console') }}"
+
+# Default the replica count to the number of masters.
+openshift_console_replica_count: "{{ groups.oo_masters_to_config | length }}"
+
+openshift_console_hostname: "console.{{openshift_master_default_subdomain}}"
+
+openshift_console_auth_ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+# The logo to use in the masthead.
+l_openshift_logo_image_names_dict:
+  origin: 'origin'
+  openshift-enterprise: 'ocp'
+openshift_console_logo_image_name: "{{ l_openshift_logo_image_names_dict[openshift_deployment_type] }}"
+
+l_openshift_documentation_url_dict:
+  origin: 'https://docs.openshift.org/3.11/'
+  openshift-enterprise: 'https://docs.openshift.com/container-platform/3.11/'
+openshift_console_documentation_base_url: "{{ l_openshift_documentation_url_dict[openshift_deployment_type] }}"
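Review bot: `l_openshift_documentation_url_dict` hard-codes the `3.11` release segment in both URLs, so every release branch must edit this file by hand; a comment above it stating that the version is intentionally pinned (or deriving it from a release variable already in this role's scope, if one exists) would prevent silent drift. `openshift_console_logo_image_name` and `openshift_console_documentation_base_url` index their dicts by `openshift_deployment_type` with no default, so an unexpected deployment type fails with an undefined-key error surfacing from a defaults file; the `# do any asserts here` placeholder in tasks/main.yml is the natural place for an `assert` that `openshift_deployment_type in l_openshift_logo_image_names_dict`.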

+ 13 - 0
roles/openshift_console/files/console-config.yaml

@@ -0,0 +1,13 @@
+apiVersion: console.openshift.io/v1beta1
+kind: ConsoleConfig
+servingInfo:
+  bindAddress: https://0.0.0.0:8443
+  certFile: /var/serving-cert/tls.crt
+  keyFile: /var/serving-cert/tls.key
+clusterInfo:
+  consoleBaseAddress: ''
+auth:
+  clientID: openshift-console
+  clientSecretFile: /var/oauth-config/clientSecret
+customization:
+  logoImageName: os-origin
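Review bot: `consoleBaseAddress: ''` is a placeholder that tasks/install.yml fills in via `yedit` only when no existing config map is found, and `logoImageName: os-origin` is likewise replaced by the `origin`/`ocp` value from defaults; nothing in the file says so, so a reader may take these as working defaults. Add a header comment such as `# Base config; clusterInfo/auth/customization fields are populated by tasks/install.yml (yedit) on first install and preserved from the existing console-config ConfigMap afterwards.` so the two code paths are visible from the file itself.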

+ 209 - 0
roles/openshift_console/files/console-template.yaml

@@ -0,0 +1,209 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: openshift-console
+  annotations:
+    openshift.io/display-name: OpenShift Console
+    description: The server for the OpenShift console.
+    iconClass: icon-openshift
+    tags: openshift,infra
+    openshift.io/support-url: https://access.redhat.com
+    openshift.io/provider-display-name: Red Hat, Inc.
+parameters:
+- name: IMAGE
+  value: openshift/origin-console:latest
+  required: true
+- name: NAMESPACE
+  # This namespace cannot be changed. Only `openshift-console` is supported.
+  value: openshift-console
+  required: true
+- name: CONSOLE_HOSTNAME
+  value: console.router.default.svc.cluster.local
+  required: true
+- name: NODE_SELECTOR
+  value: "{}"
+  required: true
+- name: REPLICA_COUNT
+  value: "1"
+  required: true
+- name: SERVER_CONFIG
+  required: true
+- name: OAUTH_SECRET
+  generate: expression
+  from: "[a-zA-Z0-9]{32}"
+objects:
+
+# to create the web console server
+- apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: console
+    namespace: ${NAMESPACE}
+    labels:
+      app: openshift-console
+      component: ui
+  spec:
+    selector:
+      matchLabels:
+        app: openshift-console
+        component: ui
+    strategy:
+      type: RollingUpdate
+    progressDeadlineSeconds: 600
+    template:
+      metadata:
+        labels:
+          app: openshift-console
+          component: ui
+        name: console
+      spec:
+        selector:
+          matchLabels:
+            app: openshift-console
+            component: ui
+        affinity:
+          podAntiAffinity:
+            preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app: openshift-console
+                topologyKey: kubernetes.io/hostname
+        containers:
+        - command:
+          - /opt/bridge/bin/bridge
+          - "--public-dir=/opt/bridge/static"
+          - "--config=/var/console-config/console-config.yaml"
+          image: ${IMAGE}
+          imagePullPolicy: IfNotPresent
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8443
+              scheme: HTTPS
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 30
+          name: console
+          ports:
+          - containerPort: 8443
+            protocol: TCP
+          resources:
+            limits:
+              cpu: 100m
+              memory: 100Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          terminationMessagePath: /dev/termination-log
+          volumeMounts:
+          - mountPath: /var/serving-cert
+            name: serving-cert
+            readOnly: true
+          - mountPath: /var/oauth-config
+            name: oauth-config
+            readOnly: true
+          - mountPath: /var/console-config
+            name: console-config
+        dnsPolicy: ClusterFirst
+        replicas: "${{REPLICA_COUNT}}"
+        restartPolicy: Always
+        terminationGracePeriodSeconds: 30
+        volumes:
+        - name: serving-cert
+          secret:
+            defaultMode: 0440
+            secretName: console-serving-cert
+        - name: oauth-config
+          secret:
+            defaultMode: 0440
+            secretName: console-oauth-config
+        - name: console-config
+          configMap:
+            defaultMode: 0440
+            name: console-config
+        nodeSelector: "${{NODE_SELECTOR}}"
+
+# to create the config for the console
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    namespace: ${NAMESPACE}
+    name: console-config
+    labels:
+      app: openshift-console
+  data:
+    console-config.yaml: ${SERVER_CONFIG}
+
+# to store the OAauth client ID and secret
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: ${NAMESPACE}
+    name: console-oauth-config
+    labels:
+      app: openshift-console
+  stringData:
+    clientID: ${OAUTH_CLIENT_ID}
+    clientSecret: ${OAUTH_SECRET}
+
+# to be able to assign powers to the process
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${NAMESPACE}
+    name: console
+    labels:
+      app: openshift-console
+
+# to be able to expose cluster console inside the cluster
+- apiVersion: v1
+  kind: Service
+  metadata:
+    namespace: ${NAMESPACE}
+    name: console
+    labels:
+      app: openshift-console
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: console-serving-cert
+  spec:
+    selector:
+      app: openshift-console
+      component: ui
+    ports:
+    - name: https
+      port: 443
+      targetPort: 8443
+
+# to be able to expose cluster console outside the cluster
+- apiVersion: v1
+  kind: Route
+  metadata:
+    namespace: ${NAMESPACE}
+    name: console
+    labels:
+      app: openshift-console
+  spec:
+    host: ${CONSOLE_HOSTNAME}
+    to:
+      kind: Service
+      name: console
+    port:
+      targetPort: https
+    tls:
+      insecureEdgeTerminationPolicy: Redirect
+      termination: reencrypt
+
+# to let users log in
+- apiVersion: oauth.openshift.io/v1
+  kind: OAuthClient
+  metadata:
+    name: openshift-console
+  grantMethod: auto
+  secret: ${OAUTH_SECRET}
+  redirectURIs:
+  - https://${CONSOLE_HOSTNAME}/
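Review bot: The Deployment's pod spec never sets `serviceAccountName`, so the `console` ServiceAccount created near the end of the hunk ("to be able to assign powers to the process") is unused and the pod runs as the namespace's `default` account; add `serviceAccountName: console` to the pod spec so any RBAC later bound to that account actually applies to the process. The Secret references `${OAUTH_CLIENT_ID}` but no `OAUTH_CLIENT_ID` parameter is declared in `parameters:`, so `oc process` will most likely leave the literal string in `clientID`; declare it with value `openshift-console` (matching `auth.clientID` in console-config.yaml) or drop the key. `spec.template.spec.selector` is not a PodSpec field and is presumably ignored by the API server — the Deployment-level `selector.matchLabels` already covers it. The `console-config` mount lacks the `readOnly: true` the two secret mounts carry.

```yaml
parameters:
# … unchanged: IMAGE, NAMESPACE, CONSOLE_HOSTNAME, NODE_SELECTOR, REPLICA_COUNT, SERVER_CONFIG, OAUTH_SECRET …
- name: OAUTH_CLIENT_ID
  value: openshift-console
  required: true
# … unchanged: Deployment metadata, selector, strategy, template metadata …
      spec:
        serviceAccountName: console
        # (the stray spec.template.spec.selector block is dropped here)
        # … unchanged: affinity, container command/image/probes/ports/resources …
          - mountPath: /var/console-config
            name: console-config
            readOnly: true
        # … unchanged: dnsPolicy, replicas, restartPolicy, volumes, nodeSelector …
# … unchanged: ConfigMap, Secret, ServiceAccount, Service, Route, OAuthClient …
```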

+ 19 - 0
roles/openshift_console/meta/main.yaml

@@ -0,0 +1,19 @@
+---
+galaxy_info:
+  author: OpenShift Development <dev@lists.openshift.redhat.com>
+  description: Deploy OpenShift console
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.4
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  - name: Fedora
+    versions:
+    - all
+  categories:
+  - openshift
+dependencies:
+- role: lib_openshift
+- role: openshift_facts

+ 89 - 0
roles/openshift_console/tasks/install.yml

@@ -0,0 +1,89 @@
+---
+- name: Ensure openshift-console project exists
+  oc_project:
+    name: openshift-console
+    state: present
+    node_selector:
+    - ""
+
+- name: Make temp directory for console templates
+  command: mktemp -d /tmp/console-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
+
+- name: Copy admin client config
+  command: >
+    cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+  changed_when: false
+
+- name: Copy console templates to temp directory
+  copy:
+    src: "{{ item }}"
+    dest: "{{ mktemp.stdout }}/{{ item }}"
+  with_items:
+  - "{{ __console_template_file }}"
+  - "{{ __console_config_file }}"
+
+# Check if an existing console-config config map exists. If so, use those
+# contents so we don't overwrite changes.
+- name: Read the existing console config map
+  oc_configmap:
+    namespace: openshift-console
+    name: console-config
+    state: list
+  register: console_config_map
+
+- set_fact:
+    existing_config_map_data: "{{ console_config_map.results.results[0].data | default({}) }}"
+
+- name: Copy the existing web console config to temp directory
+  copy:
+    content: "{{ existing_config_map_data['console-config.yaml'] }}"
+    dest: "{{ mktemp.stdout }}/{{ __console_config_file }}"
+  when: existing_config_map_data['console-config.yaml'] is defined
+
+# Generate a new config when a config map is not defined.
+- name: Set web console config properties from inventory variables
+  yedit:
+    src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
+    edits:
+    - key: clusterInfo#consoleBaseAddress
+      value: "https://{{ openshift_console_hostname }}"
+    - key: clusterInfo#consoleBasePath
+      value: "{{ openshift_console_base_path | default('') }}"
+    - key: clusterInfo#masterPublicURL
+      value: "{{ openshift.master.public_api_url }}"
+    - key: auth#oauthEndpointCAFile
+      value: "{{ openshift_console_auth_ca_file }}"
+    - key: auth#logoutRedirect
+      value: "{{ openshift.master.logout_url | default('') }}"
+    - key: customization#logoImageName
+      value: "{{ openshift_console_logo_image_name }}"
+    - key: customization#documentationBaseURL
+      value: "{{ openshift_console_documentation_base_url }}"
+    separator: '#'
+    state: present
+  when: existing_config_map_data['console-config.yaml'] is not defined
+
+- slurp:
+    src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
+  register: updated_console_config
+
+- name: Apply the console template file
+  shell: >
+    {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_template_file }}"
+    --param IMAGE="{{ openshift_console_image_name }}"
+    --param NODE_SELECTOR={{ openshift_console_nodeselector | to_json | quote }}
+    --param SERVER_CONFIG="{{ updated_console_config['content'] | b64decode }}"
+    --param REPLICA_COUNT="{{ openshift_console_replica_count }}"
+    --param CONSOLE_HOSTNAME="{{ openshift_console_hostname }}"
+    --config={{ mktemp.stdout }}/admin.kubeconfig
+    | {{ openshift_client_binary }} apply --config={{ mktemp.stdout }}/admin.kubeconfig -f -
+
+- name: Remove temp directory
+  file:
+    state: absent
+    name: "{{ mktemp.stdout }}"
+  changed_when: False
+
+- include_tasks: start.yml
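Review bot: In `Apply the console template file`, `SERVER_CONFIG` is passed as `--param SERVER_CONFIG="{{ ... | b64decode }}"`, a plain double-quoted shell argument, whereas `NODE_SELECTOR` goes through `| quote`; the value is multi-line YAML read back from a ConfigMap and can legitimately contain `"`, `$` or backticks, which the shell would then interpret, so use `--param SERVER_CONFIG={{ updated_console_config['content'] | b64decode | quote }}` and give `IMAGE`, `REPLICA_COUNT` and `CONSOLE_HOSTNAME` the same treatment. Because the task is a `shell` pipeline, its rc is that of the final `oc apply`, so an `oc process` failure is only reported indirectly; prefixing the command with `set -o pipefail;` (with `args: executable: /bin/bash`) makes it explicit. The copied `admin.kubeconfig` is removed only by `Remove temp directory`, which never runs if an earlier task fails, leaving a cluster-admin credential under `/tmp`; wrapping the tasks from `Copy admin client config` onward in a `block` with the removal in `always` closes that gap. `changed_when: False` and `changed_when: false` are both used in this file; yamllint's truthy rule prefers the lowercase form.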

+ 8 - 0
roles/openshift_console/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+# do any asserts here
+
+- include_tasks: install.yml
+  when: openshift_console_install | default(true) | bool
+
+- include_tasks: remove.yml
+  when: not openshift_console_install | default(true) | bool

+ 7 - 0
roles/openshift_console/tasks/remove.yml

@@ -0,0 +1,7 @@
+---
+- name: Remove openshift-console project
+  oc_project:
+    name: openshift-console
+    state: absent
+
+# TODO: Remove OAuthClient
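Review bot: `Remove openshift-console project` deletes the namespace, but the `openshift-console` OAuthClient created by the template is cluster-scoped and outlives it, as the `TODO` acknowledges; until that is done an uninstall leaves a registered OAuth client with its generated secret and redirect URI behind. A task after the project removal that deletes the OAuthClient — for example via lib_openshift's `oc_obj` with `state: absent` — would complete the cleanup; if it is deliberately deferred, the `TODO` should say why so the stale client is not mistaken for an oversight.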

+ 46 - 0
roles/openshift_console/tasks/start.yml

@@ -0,0 +1,46 @@
+---
+- name: Waiting for console rollout to complete
+  # `oc rollout status` will block until either the rollout succeeds or `spec.progressDeadlineSeconds` elapse.
+  # A zero return code indicates the rollout succeeded.
+  # https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#complete-deployment
+  command: >
+    {{ openshift_client_binary }} rollout status deployment/console --config={{ openshift.common.config_base }}/master/admin.kubeconfig -n openshift-console
+  changed_when: false
+  # Ignore errors so we can log troubleshooting info on failures.
+  ignore_errors: yes
+  register: console_rollout_status
+
+# Log the result of `oc status`, `oc get pods`, `oc get events`, and `oc logs deployment/console` for troubleshooting failures.
+- when: console_rollout_status.rc != 0
+  block:
+  - name: Check status in the openshift-console namespace
+    command: >
+      {{ openshift_client_binary }} status --config={{ openshift.common.config_base }}/master/admin.kubeconfig -n openshift-console
+    register: endpoint_status
+    ignore_errors: true
+  - debug:
+      msg: "{{ endpoint_status.stdout_lines }}"
+  - name: Get pods in the openshift-console namespace
+    command: >
+      {{ openshift_client_binary }} get pods --config={{ openshift.common.config_base }}/master/admin.kubeconfig -n openshift-console -o wide
+    register: endpoint_pods
+    ignore_errors: true
+  - debug:
+      msg: "{{ endpoint_pods.stdout_lines }}"
+  - name: Get events in the openshift-console namespace
+    command: >
+      {{ openshift_client_binary }} get events --config={{ openshift.common.config_base }}/master/admin.kubeconfig --sort-by='.metadata.creationTimestamp' -n openshift-console
+    register: endpoint_events
+    ignore_errors: true
+  - debug:
+      msg: "{{ endpoint_events.stdout_lines }}"
+  - name: Get console pod logs
+    command: >
+      {{ openshift_client_binary }} logs deployment/console --tail=50 --config={{ openshift.common.config_base }}/master/admin.kubeconfig -n openshift-console
+    register: endpoint_log
+    ignore_errors: true
+  - debug:
+      msg: "{{ endpoint_log.stdout_lines }}"
+  - name: Report console errors
+    fail:
+      msg: Console install failed.
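Review bot: `ignore_errors: yes` on the rollout-status task and `ignore_errors: true` in the diagnostic block are two spellings of the same boolean; use `true` throughout (yamllint's truthy rule flags `yes`). The `when: console_rollout_status.rc != 0` guard presumes the registered result has an `rc`; if the task fails before the command runs (for example because `openshift_client_binary` is undefined), `ignore_errors` may still let the play continue with no `rc` present, so `when: console_rollout_status.rc | default(1) != 0` keeps the diagnostics and the final `fail` on that path as well.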

+ 1 - 0
roles/openshift_console/vars/main.yml

@@ -0,0 +1 @@
+---