daemonset config role.

roles/openshift_daemonset_config/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+openshift_daemonset_config_namespace: openshift-node
+openshift_daemonset_config_daemonset_name: ops-node-config
+openshift_daemonset_config_configmap_name: "{{ openshift_daemonset_config_daemonset_name }}"
+openshift_daemonset_config_node_selector:
+  config: config
+openshift_daemonset_config_sa_name: ops
+openshift_daemonset_config_configmap_files: {}
+openshift_daemonset_config_configmap_literals: {}
+openshift_daemonset_config_monitoring: False
+openshift_daemonset_config_interval: 300
+openshift_daemonset_config_script: config.sh
+openshift_daemonset_config_secret_name: operations-config-secret
+openshift_daemonset_config_secrets: {}
+openshift_daemonset_config_runasuser: 0
+openshift_daemonset_config_privileged: True
+openshift_daemonset_config_resources:
+  cpu: 10m
+  memory: 10Mi

roles/openshift_daemonset_config/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+- lib_openshift

roles/openshift_daemonset_config/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+- name: add a sa
+  oc_serviceaccount:
+    name: "{{ openshift_daemonset_config_sa_name }}"
+    namespace: "{{ openshift_daemonset_config_namespace }}"
+
+- name: add sa to privileged scc
+  oc_adm_policy_user:
+    namespace: "{{ openshift_daemonset_config_namespace }}"
+    resource_kind: scc
+    resource_name: privileged
+    state: present
+    user: "system:serviceaccount:{{ openshift_daemonset_config_namespace }}:{{ openshift_daemonset_config_sa_name }}"
+
+- name: copy template to disk
+  template:
+    dest: "/tmp/{{ item.name }}"
+    src: "{{ item.name }}.j2"
+  with_items:
+  - name: daemonset.yml
+
+- name: copy files to disk
+  copy:
+    src: "{{ item.key }}"
+    dest: "{{ item.value }}"
+  with_dict: "{{ openshift_daemonset_config_configmap_files }}"
+
+- name: create the namespace
+  oc_project:
+    state: present
+    name: "{{ openshift_daemonset_config_namespace }}"
+
+- name: lay down secrets
+  oc_secret:
+    state: present
+    name: "{{ openshift_daemonset_config_secret_name }}"
+    namespace: "{{ openshift_daemonset_config_namespace }}"
+    delete_after: true
+    contents: "{{ openshift_daemonset_config_secrets }}"
+  when:
+  - openshift_daemonset_config_secrets != {}
+
+- name: create the configmap
+  oc_configmap:
+    state: present
+    name: "{{ openshift_daemonset_config_configmap_name }}"
+    namespace: "{{ openshift_daemonset_config_namespace }}"
+    from_literal: "{{ openshift_daemonset_config_configmap_literals }}"
+    from_file: "{{ openshift_daemonset_config_configmap_files }}"
+
+- name: deploy daemonset
+  oc_obj:
+    state: present
+    namespace: "{{ openshift_daemonset_config_namespace }}"  # openshift-node??
+    name: "{{ openshift_daemonset_config_daemonset_name }}"
+    kind: daemonset
+    files:
+    - /tmp/daemonset.yml

roles/openshift_daemonset_config/templates/daemonset.yml.j2

@@ -0,0 +1,142 @@
+---
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: {{ openshift_daemonset_config_daemonset_name }}
+  annotations:
+    kubernetes.io/description: |
+      This daemon set manages the operational configuration for a cluster and ensures all nodes have
+      a concrete set of config in place. It could also use a local ansible run against the /host directory.
+spec:
+  selector:
+    matchLabels:
+      app: {{ openshift_daemonset_config_daemonset_name }}
+      confighosts: ops
+      ops.openshift.io/role: operations
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: {{ openshift_daemonset_config_daemonset_name }}
+        confighosts: ops
+        ops.openshift.io/role: operations
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+{% if openshift_daemonset_config_node_selector is defined and openshift_daemonset_config_node_selector != {} %}
+      nodeSelector: {{ openshift_daemonset_config_node_selector | to_json }}
+{% endif %}
+      serviceAccountName: {{ openshift_daemonset_config_sa_name }}
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      containers:
+      - name: config
+        image: centos:7
+        env:
+        - name: RESYNC_INTERVAL
+          value: "{{ openshift_daemonset_config_interval }}"
+        command:
+        - /bin/bash
+        - -c
+        - |
+          #!/bin/sh
+          set -o errexit
+
+          while true; do
+
+            # execute user defined script
+            sh /opt/config/{{ openshift_daemonset_config_script }}
+
+            # sleep for ${RESYNC_INTERVAL} minutes, then loop. if we fail Kubelet will restart us again
+            echo "Success, sleeping for ${RESYNC_INTERVAL}s"
+            exec sleep ${RESYNC_INTERVAL}
+
+          # Return to perform the config
+          done
+        securityContext:
+          # Must be root to modify host system
+          runAsUser: {{ openshift_daemonset_config_runasuser }}
+          # Permission could be reduced by selecting an appropriate SELinux policy that allows
+          # us to update the named directories
+          privileged: {{ openshift_daemonset_config_privileged }}
+        volumeMounts:
+        # Directory which contains the host volume.
+        - mountPath: /host
+          name: host
+        # Our node configuration
+        - mountPath: /opt/config
+          name: config
+{% if openshift_daemonset_config_secrets != {} %}
+        # Our delivered secrets
+        - mountPath: /opt/secrets
+          name: secrets
+{% endif %}
+        resources:
+          requests:
+            cpu: {{ openshift_daemonset_config_resources.cpu }}
+            memory: {{ openshift_daemonset_config_resources.memory }}
+{% if openshift_daemonset_config_monitoring %}
+      - name: monitoring
+        image: openshifttools/oso-centos7-host-monitoring:latest
+        securityContext:
+          # Must be root to read content
+          runAsUser: 0
+          privileged: true
+
+        volumeMounts:
+        - mountPath: /host
+          name: host
+          readOnly: true
+        - mountPath: /etc/localtime
+          subPath: etc/localtime
+          name: host
+          readOnly: true
+        - mountPath: /sys
+          subPath: sys
+          name: host
+          readOnly: true
+        - mountPath: /var/run/docker.sock
+          subPath: var/run/docker.sock
+          name: host
+          readOnly: true
+        - mountPath: /var/run/openvswitch
+          subPath: var/run/openvswitch
+          name: host
+          readOnly: true
+        - mountPath: /etc/origin
+          subPath: etc/origin
+          name: host
+          readOnly: true
+        - mountPath: /usr/bin/oc
+          subPath: usr/bin/oc
+          name: host
+          readOnly: true
+          name: host
+          readOnly: true
+        - mountPath: /host/var/cache/yum
+          subPath: var/cache/yum
+          name: host
+        - mountPath: /container_setup/monitoring-config.yml
+          subPath: monitoring-config.yaml
+          name: config
+        - mountPath: /opt/config
+          name: config
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
+{% endif %}
+      volumes:
+      - name: config
+        configMap:
+          name: {{ openshift_daemonset_config_configmap_name }}
+{% if openshift_daemonset_config_secrets != {} %}
+      - name: secrets
+        secret:
+          secretName: {{ openshift_daemonset_config_secret_name }}
+{% endif %}
+      - name: host
+        hostPath:
+          path: /