
more tweaks

Jason DeTiberus 9 years ago
parent
commit
ac0f4cb56e

+ 1 - 1
filter_plugins/oo_filters.py

@@ -253,7 +253,7 @@ class FilterModule(object):
             server_ip = host_info['openshift']['common']['ip']
             server_port = host_info['openshift']['master']['api_port']
             server['address'] = "%s:%s" % (server_ip, server_port)
-            server['opts'] = 'check ssl verify none'
+            server['opts'] = 'check'
             servers.append(server)
         return servers
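Review bot: Dropping `ssl verify none` turns the backend health check into a bare TCP connect (the frontend/backend now run in tcp mode), so a master whose port accepts connections but whose TLS/API is failing will still be marked up; that is acceptable for passthrough, but it should be stated on the new line, e.g. `server['opts'] = 'check'  # tcp-mode passthrough: haproxy does not terminate TLS, so no ssl/verify options here`. The enclosing method and the `server_ip`/`server_port` lookups it builds on start outside the hunk.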
 

+ 9 - 35
playbooks/common/openshift-master/config.yml

@@ -170,6 +170,10 @@
     masters_needing_certs: "{{ hostvars
                                | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
                                | oo_filter_list(filter_attr='master_certs_missing') }}"
+    master_hostnames: "{{ hostvars
+                               | oo_select_keys(groups['oo_masters_to_config'])
+                               | oo_collect('openshift.common.all_hostnames')
+                               | oo_flatten | unique }}"
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
   roles:
   - openshift_master_certificates
@@ -209,24 +213,7 @@
       parsed_named_certificates: "{{ openshift_master_named_certificates | oo_parse_certificate_names(master_cert_config_dir, openshift.common.internal_hostnames) }}"
     when: openshift_master_named_certificates is defined
 
-- name: Fetch master server certificate for load balancer
-  hosts: oo_first_master
-  vars:
-    sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
-  tasks:
-  - file:
-      path: "{{ sync_tmpdir }}/haproxy_cert"
-      state: directory
-  - fetch:
-      src: /etc/origin/master/master.server.crt
-      dest: "{{ sync_tmpdir }}/haproxy_cert/server.crt"
-      flat: yes
-  - fetch:
-      src: /etc/origin/master/master.server.key
-      dest: "{{ sync_tmpdir }}/haproxy_cert/server.key"
-      flat: yes
-
-- name: Compute haproxy_backend_servers and combine certificate
+- name: Compute haproxy_backend_servers
   hosts: localhost
   connection: local
   sudo: false
@@ -234,11 +221,6 @@
   tasks:
   - set_fact:
       haproxy_backend_servers: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_haproxy_backend_masters }}"
-  - shell: cat server.crt server.key > server.pem
-    args:
-      chdir: "{{ g_master_mktemp.stdout }}/haproxy_cert"
-      creates: "{{ g_master_mktemp.stdout }}/haproxy_cert/server.pem"
-
 
 - name: Configure load balancers
   hosts: oo_lb_to_config
@@ -246,32 +228,24 @@
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
     haproxy_frontends:
     - name: atomic-openshift-api
+      mode: tcp
       options:
       - tcplog
       binds:
-      - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }} ssl crt /etc/haproxy/server.pem"
+      - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }}"
       default_backend: atomic-openshift-api
     haproxy_backends:
     - name: atomic-openshift-api
+      mode: tcp
+      option: tcplog
       balance: roundrobin
       servers: "{{ hostvars.localhost.haproxy_backend_servers }}"
-  pre_tasks:
-  - file:
-      path: /etc/haproxy
-      state: directory
-  - copy:
-      src: "{{ sync_tmpdir }}/haproxy_cert/server.pem"
-      dest: /etc/haproxy/server.pem
-      mode: 0600
-      owner: root
-      group: root
   roles:
   - role: haproxy
     when: groups.oo_masters_to_config | length > 1
 
 - name: Configure master instances
   hosts: oo_masters_to_config
-  serial: 1
   vars:
     named_certificates: "{{ hostvars[groups['oo_first_master'][0]]['parsed_named_certificates'] | default([])}}"
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
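Review bot: `sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"` in the "Configure load balancers" play is now dead once the `pre_tasks` copy of server.pem is gone; nothing in that play references it any more, so drop it or comment why it stays. The new `master_hostnames` fact gathers `openshift.common.all_hostnames` from every master and, per the openshift_master_ca change in this commit, feeds `create-master-certs --hostnames`, so the generated server certificate is valid for every master's names rather than one host's; a one-line comment on the `master_hostnames:` line saying this is deliberate for HA would spare the next reader the cross-file hunt. The backend entry uses a scalar `option: tcplog` while the frontend uses an `options:` list; whether the haproxy template reads a scalar `option` key is not visible here, so confirm it against haproxy.cfg.j2 before relying on tcplog for the backend.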

+ 7 - 0
roles/haproxy/defaults/main.yml

@@ -12,3 +12,10 @@ haproxy_backends:
   - name: web01
     address: 127.0.0.1:9000
     opts: check
+
+os_firewall_use_firewalld: False
+os_firewall_allow:
+- service: haproxy stats
+  port: "9000/tcp"
+- service: haproxy balance
+  port: "8443/tcp"
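Review bot: `port: "8443/tcp"` hardcodes the balanced port while the frontend in config.yml binds on `hostvars[groups.oo_first_master.0].openshift.master.api_port`, so a deployment with a non-default api_port ends up with haproxy listening on a port the firewall never opens; derive this rule from the same value (a role variable defaulting to 8443 that the play overrides from api_port) or at least comment the coupling. Opening `9000/tcp` also publishes the new `listen stats :9000` block from haproxy.cfg.j2, which has `stats enable` with no `stats auth` and no bind address, to every interface the firewall covers; if the stats page is only for local diagnosis, drop the `haproxy stats` rule and bind the listener to a loopback address in the template, otherwise gate it with `stats auth` backed by a vaulted credential. The `os_firewall_use_firewalld: False` default silently overrides whatever the inventory chose for the rest of the cluster; confirm that is intended for this role.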

+ 3 - 1
roles/haproxy/meta/main.yml

@@ -9,4 +9,6 @@ galaxy_info:
   - name: EL
     versions:
     - 7
-dependencies: []
+dependencies:
+- { role: os_firewall }
+- { role: openshift_repos }

+ 7 - 2
roles/haproxy/templates/haproxy.cfg.j2

@@ -27,12 +27,17 @@ defaults
     timeout http-request    10s
     timeout queue           1m
     timeout connect         10s
-    timeout client          1m
-    timeout server          1m
+    timeout client          300s
+    timeout server          300s
     timeout http-keep-alive 10s
     timeout check           10s
     maxconn                 3000
 
+listen stats :9000
+    mode http
+    stats enable
+    stats uri /
+
 {% for frontend in haproxy_frontends %}
 frontend  {{ frontend.name }}
 {% for bind in frontend.binds %}
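Review bot: `timeout client` and `timeout server` jump from 1m to 300s with nothing in the template explaining the choice; presumably this keeps long-lived API watch connections open now that the frontend proxies raw TCP, but that reasoning belongs next to the values, e.g. `{# long client/server timeouts: API watch streams are proxied in tcp mode and must not be cut idle #}`. Making the two values role variables would let deployments tune them without editing the template.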

+ 9 - 0
roles/openshift_master/files/atomic-openshift-master-api

@@ -0,0 +1,9 @@
+OPTIONS=
+CONFIG_FILE=/etc/origin/master/master-config.yaml
+
+# Proxy configuration
+# Origin uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT
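Review bot: The commented examples `#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT` invite operators to place proxy credentials in this sysconfig file, which the new unit loads via `EnvironmentFile=/etc/sysconfig/atomic-openshift-master-api`; the task that installs the file is not in this commit, so confirm it sets a root-owned, non-world-readable mode and add a line here such as `# This file may contain proxy credentials; keep it readable by root only.` The same applies to the new atomic-openshift-master-controllers sysconfig file, which repeats these examples verbatim.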

+ 21 - 0
roles/openshift_master/files/atomic-openshift-master-api.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Atomic OpenShift Master API
+Documentation=https://github.com/openshift/origin
+After=network.target
+After=etcd.service
+Before=atomic-openshift-node.service
+Requires=network.target
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/sysconfig/atomic-openshift-master-api
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/atomic-enterprise start master api --config=${CONFIG_FILE} $OPTIONS
+LimitNOFILE=131072
+LimitCORE=infinity
+WorkingDirectory=/var/lib/origin/
+SyslogIdentifier=atomic-openshift-master-api
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=atomic-openshift-node.service
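Review bot: This unit has no `Restart=` directive while the sibling atomic-openshift-master-controllers.service added in the same commit sets `Restart=on-failure`, so a crashed API process stays down until someone restarts it; either add `Restart=on-failure` under `[Service]` or comment why the API must not auto-restart. Separately, `LimitCORE=infinity` together with `Environment=GOTRACEBACK=crash` means a crash writes a full core image of the API process, and that image contains whatever key material and tokens the master held in memory; confirm the core dump destination on these hosts is restricted to root, or note that operational requirement in a comment above the two lines. The controllers unit carries the same core-dump combination.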

+ 9 - 0
roles/openshift_master/files/atomic-openshift-master-controllers

@@ -0,0 +1,9 @@
+OPTIONS=
+CONFIG_FILE=/etc/origin/master/master-config.yaml
+
+# Proxy configuration
+# Origin uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

+ 22 - 0
roles/openshift_master/files/atomic-openshift-master-controllers.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Atomic OpenShift Master Controllers
+Documentation=https://github.com/openshift/origin
+After=network.target
+After=atomic-openshift-master-api.service
+Before=atomic-openshift-node.service
+Requires=network.target
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/sysconfig/atomic-openshift-master-controllers
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/atomic-enterprise start master controllers --config=${CONFIG_FILE} $OPTIONS
+LimitNOFILE=131072
+LimitCORE=infinity
+WorkingDirectory=/var/lib/origin/
+SyslogIdentifier=atomic-openshift-master-controllers
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=atomic-openshift-node.service

+ 5 - 16
roles/openshift_master/tasks/main.yml

@@ -204,27 +204,16 @@
   when: not openshift_master_ha | bool
   register: start_result
 
-# workaround for start bug when configuring ha
-- name: Start master for ha workaround
-  service: name={{ openshift.common.service_type }}-master state=started
-  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
-
-- name: pause for 30 seconds to let master finish starting up for ha workaround
-  pause: seconds=30
-  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
-
-- name: Stop master for ha workaround
-  service: name={{ openshift.common.service_type }}-master state=stopped
-  when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
-# end workaround for start bug when configuring ha
-
-- fail:
-
 - name: Start and enable master api
   service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started
   when: openshift_master_ha | bool
   register: start_result
 
+# TODO: work to eliminate this workaround
+- name: pause a random interval to avoid startup errors for controller
+  pause: seconds={{ 60 | random(step=5) }}
+  when: openshift_master_ha | bool
+
 - name: Start and enable master controller
   service: name={{ openshift.common.service_type }}-master-controllers enabled=yes state=started
   when: openshift_master_ha | bool
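Review bot: The HA-only task "Start and enable master api" registers `start_result`, the same name the non-HA start task above it registers (`register: start_result` in the hunk's context); in Ansible a skipped task still assigns its registered variable (with `skipped: true`), so whichever task runs second overwrites the real result, and any later consumer of `start_result` (not visible here) would read the wrong record. Give the HA task its own name, e.g. `register: start_api_result`. The `# TODO: work to eliminate this workaround` comment on the random pause does not say which startup error it is masking; spell out the symptom so the workaround can be removed once the controller start race is fixed rather than kept out of caution.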

+ 1 - 1
roles/openshift_master_ca/tasks/main.yml

@@ -14,7 +14,7 @@
 - name: Create the master certificates if they do not already exist
   command: >
     {{ openshift.common.admin_binary }} create-master-certs
-      --hostnames={{ openshift.common.all_hostnames | join(',') }}
+      --hostnames={{ master_hostnames | join(',') }}
       --master={{ openshift.master.api_url }}
       --public-master={{ openshift.master.public_api_url }}
       --cert-dir={{ openshift_master_config_dir }} --overwrite=false
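Review bot: `master_hostnames` is a play-level var defined in playbooks/common/openshift-master/config.yml, not a role default, so this role now fails on an undefined variable whenever it is invoked from any other play; give it a fallback, `--hostnames={{ master_hostnames | default(openshift.common.all_hostnames) | join(',') }}`, or declare it in the role's defaults. The change also widens what the certificate asserts: it now carries the hostnames of every master in the group rather than the generating host's own, which presumably is what the TCP-passthrough load balancer needs, but a comment above the task stating that one server certificate is intentionally valid for all masters would make the trust decision explicit.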