
Various HA changes for pacemaker and native methods.

Andrew Butcher 9 lat temu
rodzic
commit
ca9f4f08fb

+ 1 - 1
filter_plugins/oo_filters.py

@@ -422,6 +422,6 @@ class FilterModule(object):
             "oo_split": self.oo_split,
             "oo_filter_list": self.oo_filter_list,
             "oo_parse_heat_stack_outputs": self.oo_parse_heat_stack_outputs,
-            "oo_parse_certificate_names": self.oo_parse_certificate_names
+            "oo_parse_certificate_names": self.oo_parse_certificate_names,
             "oo_haproxy_backend_masters": self.oo_haproxy_backend_masters
         }

+ 37 - 16
inventory/byo/hosts.example

@@ -21,6 +21,9 @@ ansible_ssh_user=root
 # deployment type valid values are origin, online and enterprise
 deployment_type=atomic-enterprise
 
+# Enable cluster metrics
+#use_cluster_metrics=true
+
 # Pre-release registry URL
 #oreg_url=example.com/openshift3/ose-${component}:${version}
 
@@ -55,27 +58,27 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Set cockpit plugins
 #osm_cockpit_plugins=['cockpit-kubernetes']
 
-# master cluster ha variables using pacemaker or RHEL HA
-#openshift_master_cluster_password=openshift_cluster
-#openshift_master_cluster_vip=192.168.133.25
-#openshift_master_cluster_public_vip=192.168.133.25
+# Native high availbility cluster method with optional load balancer.
+# If no lb group is defined installer assumes that a load balancer has
+# been preconfigured. For installation the value of
+# openshift_master_cluster_hostname must resolve to the load balancer
+# or to one or all of the masters defined in the inventory if no load
+# balancer is present.
+#openshift_master_cluster_method=native
 #openshift_master_cluster_hostname=openshift-ansible.test.example.com
 #openshift_master_cluster_public_hostname=openshift-ansible.test.example.com
 
-# master cluster ha variables when using a different HA solution
-# For installation the value of openshift_master_cluster_hostname must resolve
-# to the first master defined in the inventory.
-# The HA solution must be manually configured after installation and must ensure
-# that the master is running on a single master host.
+# Pacemaker high availability cluster method.
+# Pacemaker HA environment must be able to self provision the
+# configured VIP. For installation openshift_master_cluster_hostname
+# must resolve to the configured VIP.
+#openshift_master_cluster_method=pacemaker
+#openshift_master_cluster_password=openshift_cluster
+#openshift_master_cluster_vip=192.168.133.25
+#openshift_master_cluster_public_vip=192.168.133.25
 #openshift_master_cluster_hostname=openshift-ansible.test.example.com
 #openshift_master_cluster_public_hostname=openshift-ansible.test.example.com
-#openshift_master_cluster_defer_ha=True
 
-# Native clustering with haproxy as an optional load balancer
-#openshift_master_cluster_hostname=openshift-ansible.test.example.com
-#openshift_master_cluster_public_hostname=openshift-ansible.test.example.com
-#openshift_master_cluster_vip=192.168.133.25
-#openshift_master_cluster_public_vip=192.168.133.25
 # Override the default controller lease ttl
 #osm_controller_lease_ttl=30
 
@@ -110,6 +113,22 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Detected names may be overridden by specifying the "names" key
 #openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"]}]
 
+# Session options
+#openshift_master_session_name=ssn
+#openshift_master_session_max_seconds=3600
+
+# An authentication and encryption secret will be generated if secrets
+# are not provided. If provided, openshift_master_session_auth_secrets
+# and openshift_master_encryption_secrets must be equal length.
+#
+# Signing secrets, used to authenticate sessions using
+# HMAC. Recommended to use secrets with 32 or 64 bytes.
+#openshift_master_session_auth_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+#
+# Encrypting secrets, used to encrypt sessions. Must be 16, 24, or 32
+# characters long, to select AES-128, AES-192, or AES-256.
+#openshift_master_session_encryption_secrets=['DONT+USE+THIS+SECRET+b4NV+pmZNSO']
+
 # host group for masters
 [masters]
 ose3-master[1:3]-ansible.test.example.com
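Review bot: The comment added above the session secret examples names `openshift_master_encryption_secrets`, but the variable the example sets and the playbook checks is `openshift_master_session_encryption_secrets`. The same wrong name appears in the second `fail` message added in playbooks/common/openshift-master/config.yml. An operator who copies the name from the comment or from the error text will set a variable that none of the visible tasks read. I would change the comment to `# and openshift_master_session_encryption_secrets must be equal length.` and correct the message the same way.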
@@ -120,7 +139,9 @@ ose3-etcd[1:3]-ansible.test.example.com
 [lb]
 ose3-lb-ansible.test.example.com
 
-# host group for nodes
+# NOTE: Currently we require that masters be part of the SDN which requires that they also be nodes
+# However, in order to ensure that your masters are not burdened with running pods you should
+# make them unschedulable by adding openshift_scheduleable=False any node that's also a master.
 [nodes]
 ose3-master[1:3]-ansible.test.example.com
 ose3-node[1:2]-ansible.test.example.com openshift_node_labels="{'region': 'primary', 'zone': 'default'}"

+ 1 - 9
playbooks/common/openshift-cluster/config.yml

@@ -1,14 +1,6 @@
 ---
 - include: evaluate_groups.yml
 
-  - name: Evaluate oo_lb_to_config
-    add_host:
-      name: "{{ item }}"
-      groups: oo_lb_to_config
-      ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
-      ansible_sudo: "{{ g_sudo | default(omit) }}"
-    with_items: groups[g_lb_group] | default(groups[g_masters_group]) | default([])
-
 - include: ../openshift-etcd/config.yml
 
 - include: ../openshift-master/config.yml
@@ -16,4 +8,4 @@
 - include: ../openshift-node/config.yml
   vars:
     osn_cluster_dns_domain: "{{ hostvars[groups.oo_first_master.0].openshift.dns.domain }}"
-    osn_cluster_dns_ip: "{{ hostvars[groups.oo_first_master.0].openshift.dns.ip }}"
+    osn_cluster_dns_ip: "{{ hostvars[groups.oo_first_master.0].cluster_dns_ip }}"

+ 8 - 0
playbooks/common/openshift-cluster/evaluate_groups.yml

@@ -62,3 +62,11 @@
       ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
       ansible_sudo: "{{ g_sudo | default(omit) }}"
     when: g_masters_group in groups and (groups[g_masters_group] | length) > 0
+
+  - name: Evaluate oo_lb_to_config
+    add_host:
+      name: "{{ item }}"
+      groups: oo_lb_to_config
+      ansible_ssh_user: "{{ g_ssh_user | default(omit) }}"
+      ansible_sudo: "{{ g_sudo | default(omit) }}"
+    with_items: groups[g_lb_group] | default([])

+ 49 - 5
playbooks/common/openshift-master/config.yml

@@ -46,7 +46,6 @@
           public_api_url: "{{ openshift_master_public_api_url | default(None) }}"
           cluster_hostname: "{{ openshift_master_cluster_hostname | default(None) }}"
           cluster_public_hostname: "{{ openshift_master_cluster_public_hostname | default(None) }}"
-          cluster_defer_ha: "{{ openshift_master_cluster_defer_ha | default(None) }}"
           console_path: "{{ openshift_master_console_path | default(None) }}"
           console_port: "{{ openshift_master_console_port | default(None) }}"
           console_url: "{{ openshift_master_console_url | default(None) }}"
@@ -244,6 +243,35 @@
   - role: haproxy
     when: groups.oo_masters_to_config | length > 1
 
+- name: Generate master session keys
+  hosts: oo_first_master
+  tasks:
+  - fail:
+      msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set"
+    when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined)
+  - fail:
+      msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length"
+    when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
+  - name: Generate session authentication key
+    command: /usr/bin/openssl rand -base64 24
+    register: session_auth_output
+    with_sequence: count=1
+    when: openshift_master_session_auth_secrets is undefined
+  - name: Generate session encryption key
+    command: /usr/bin/openssl rand -base64 24
+    register: session_encryption_output
+    with_sequence: count=1
+    when: openshift_master_session_encryption_secrets is undefined
+  - set_fact:
+      session_auth_secret: "{{ openshift_master_session_auth_secrets
+                                | default(session_auth_output.results
+                                | map(attribute='stdout')
+                                | list) }}"
+      session_encryption_secret: "{{ openshift_master_session_encryption_secrets
+                                      | default(session_encryption_output.results
+                                      | map(attribute='stdout')
+                                      | list) }}"
+
 - name: Configure master instances
   hosts: oo_masters_to_config
   serial: 1
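Review bot: The two `openssl rand` tasks and the `set_fact` that follows carry the generated session authentication and encryption keys in their task results, so the keys appear in verbose output and in any callback or log plugin that records results. Adding `no_log: true` to those three tasks keeps the key material out of run logs. The same applies when the operator supplies the secrets, since `set_fact` echoes `session_auth_secret` and `session_encryption_secret` either way. Separately, the length check compares only the number of list entries; nothing visible here verifies that each encryption secret is 16, 24 or 32 characters, as the inventory example requires.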
@@ -252,6 +280,8 @@
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
     openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
     openshift_master_count: "{{ groups.oo_masters_to_config | length }}"
+    openshift_master_session_auth_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_auth_secret'] }}"
+    openshift_master_session_encryption_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_encryption_secret'] }}"
   pre_tasks:
   - name: Ensure certificate directory exists
     file:
@@ -276,15 +306,29 @@
 - name: Additional master configuration
   hosts: oo_first_master
   vars:
-  #openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
-  #  omc_cluster_hosts: "{{ groups.oo_masters_to_config | join(' ')}}"
+    openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+    omc_cluster_hosts: "{{ groups.oo_masters_to_config | join(' ')}}"
   roles:
-#  - role: openshift_master_cluster
-#    when: openshift_master_ha | bool
+  - role: openshift_master_cluster
+    when: openshift_master_ha | bool and openshift.master.cluster_method == "pacemaker"
   - openshift_examples
   - role: openshift_cluster_metrics
     when: openshift.common.use_cluster_metrics | bool
 
+- name: Determine cluster dns ip
+  hosts: oo_first_master
+  tasks:
+  - name: Get master service ip
+    command: "{{ openshift.common.client_binary }} get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\}"
+    register: master_service_ip_output
+    when: openshift.common.version_greater_than_3_1_or_1_1 | bool
+  - set_fact:
+      cluster_dns_ip: "{{ hostvars[groups.oo_first_master.0].openshift.dns.ip }}"
+    when: not openshift.common.version_greater_than_3_1_or_1_1 | bool
+  - set_fact:
+      cluster_dns_ip: "{{ master_service_ip_output.stdout }}"
+    when: openshift.common.version_greater_than_3_1_or_1_1 | bool
+
 - name: Enable cockpit
   hosts: oo_first_master
   vars:

+ 1 - 1
playbooks/gce/openshift-cluster/join_node.yml

@@ -46,4 +46,4 @@
     openshift_node_labels: "{{ lookup('oo_option', 'openshift_node_labels') }} "
     os_sdn_network_plugin_name: "redhat/openshift-ovs-subnet"
     osn_cluster_dns_domain: "{{ hostvars[groups.oo_first_master.0].openshift.dns.domain }}"
-    osn_cluster_dns_ip: "{{ hostvars[groups.oo_first_master.0].openshift.dns.ip }}"
+    osn_cluster_dns_ip: "{{ hostvars[groups.oo_first_master.0].cluster_dns_ip }}"
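Review bot: `cluster_dns_ip` is not a gathered fact; it exists only after the new `Determine cluster dns ip` play in playbooks/common/openshift-master/config.yml has run `set_fact` on the first master. Whether join_node.yml runs that play beforehand is not visible in this hunk; if it does not, this lookup is undefined when a node is joined on its own. A fallback such as `{{ hostvars[groups.oo_first_master.0].cluster_dns_ip | default(hostvars[groups.oo_first_master.0].openshift.dns.ip) }}` would keep the previous behaviour in that case, or this playbook could include the play explicitly.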

+ 0 - 2
roles/openshift_common/vars/main.yml

@@ -5,5 +5,3 @@
 # chains with the public zone (or the zone associated with the correct
 # interfaces)
 os_firewall_use_firewalld: False
-
-openshift_data_dir: /var/lib/origin

+ 24 - 15
roles/openshift_facts/library/openshift_facts.py

@@ -540,7 +540,7 @@ def set_deployment_facts_if_unset(facts):
         if 'service_type' not in facts['common']:
             service_type = 'atomic-openshift'
             if deployment_type == 'origin':
-                service_type = 'openshift'
+                service_type = 'origin'
             elif deployment_type in ['enterprise', 'online']:
                 service_type = 'openshift'
             facts['common']['service_type'] = service_type
@@ -548,23 +548,10 @@ def set_deployment_facts_if_unset(facts):
             config_base = '/etc/origin'
             if deployment_type in ['enterprise', 'online']:
                 config_base = '/etc/openshift'
-            elif deployment_type == 'origin':
-                config_base = '/etc/openshift'
             facts['common']['config_base'] = config_base
         if 'data_dir' not in facts['common']:
             data_dir = '/var/lib/origin'
-            if deployment_type in ['enterprise', 'online']:
-                data_dir = '/var/lib/openshift'
             facts['common']['data_dir'] = data_dir
-        facts['common']['version'] = version = get_openshift_version()
-        if version is not None:
-            if deployment_type == 'origin':
-                version_gt_3_1_or_1_1 = LooseVersion(version) > LooseVersion('1.0.6')
-            else:
-                version_gt_3_1_or_1_1 = LooseVersion(version) > LooseVersion('3.0.2.900')
-        else:
-            version_gt_3_1_or_1_1 = True
-        facts['common']['version_greater_than_3_1_or_1_1'] = version_gt_3_1_or_1_1
 
     for role in ('master', 'node'):
         if role in facts:
@@ -598,6 +585,27 @@ def set_deployment_facts_if_unset(facts):
 
     return facts
 
+def set_version_facts_if_unset(facts):
+    """ Set version facts. This currently includes common.version and
+        common.version_greater_than_3_1_or_1_1.
+
+        Args:
+            facts (dict): existing facts
+        Returns:
+            dict: the facts dict updated with version facts.
+    """
+    if 'common' in facts:
+        deployment_type = facts['common']['deployment_type']
+        facts['common']['version'] = version = get_openshift_version()
+        if version is not None:
+            if deployment_type == 'origin':
+                version_gt_3_1_or_1_1 = LooseVersion(version) > LooseVersion('1.0.6')
+            else:
+                version_gt_3_1_or_1_1 = LooseVersion(version) > LooseVersion('3.0.2.900')
+        else:
+            version_gt_3_1_or_1_1 = True
+        facts['common']['version_greater_than_3_1_or_1_1'] = version_gt_3_1_or_1_1
+    return facts
 
 def set_sdn_facts_if_unset(facts):
     """ Set sdn facts if not already present in facts dict
@@ -897,6 +905,7 @@ class OpenShiftFacts(object):
         facts = set_identity_providers_if_unset(facts)
         facts = set_sdn_facts_if_unset(facts)
         facts = set_deployment_facts_if_unset(facts)
+        facts = set_version_facts_if_unset(facts)
         facts = set_aggregate_facts(facts)
         return dict(openshift=facts)
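Review bot: `set_version_facts_if_unset`, wired in here and defined in the preceding hunk, overwrites `facts['common']['version']` and `version_greater_than_3_1_or_1_1` on every call. The sibling helpers in this file guard with checks like `if 'service_type' not in facts['common']`, so the `_if_unset` suffix promises something this function does not do. The behaviour matches the code that was moved, so I would keep it and either rename the function to `set_version_facts` or add a docstring sentence saying that it always recomputes both values from `get_openshift_version()`. It is also worth documenting that a `None` version is treated as newer than 3.1/1.1, because the new native-HA version check in the master role depends on that default.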
 
@@ -936,7 +945,7 @@ class OpenShiftFacts(object):
                           session_name='ssn', session_secrets_file='',
                           access_token_max_seconds=86400,
                           auth_token_max_seconds=500,
-                          oauth_grant_method='auto', cluster_defer_ha=False)
+                          oauth_grant_method='auto')
             defaults['master'] = master
 
         if 'node' in roles:

+ 2 - 2
roles/openshift_master/handlers/main.yml

@@ -5,10 +5,10 @@
 
 - name: restart master api
   service: name={{ openshift.common.service_type }}-master-api state=restarted
-  when: openshift_master_ha | bool
+  when: (openshift_master_ha | bool) and (not master_api_service_status_changed | default(false)) and openshift.master.cluster_method == 'native'
 
 # TODO: need to fix up ignore_errors here
 - name: restart master controllers
   service: name={{ openshift.common.service_type }}-master-controllers state=restarted
-  when: openshift_master_ha | bool
+  when: (openshift_master_ha | bool) and (not master_controllers_service_status_changed | default(false)) and openshift.master.cluster_method == 'native'
   ignore_errors: yes

+ 49 - 26
roles/openshift_master/tasks/main.yml

@@ -8,17 +8,23 @@
     - openshift_master_oauth_grant_method in openshift_master_valid_grant_methods
   when: openshift_master_oauth_grant_method is defined
 
-#- fail:
-#    msg: "openshift_master_cluster_password must be set for multi-master installations"
-#  when: openshift_master_ha | bool and not openshift.master.cluster_defer_ha | bool and openshift_master_cluster_password is not defined
+- fail:
+    msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations"
+  when: openshift_master_ha | bool and ((openshift_master_cluster_method is not defined) or (openshift_master_cluster_method is defined and openshift_master_cluster_method not in ["native", "pacemaker"]))
+- fail:
+    msg: "'native' high availability is not supported for the requested OpenShift version"
+  when: openshift_master_ha | bool and openshift_master_cluster_method == "native" and not openshift.common.version_greater_than_3_1_or_1_1 | bool
+- fail:
+    msg: "openshift_master_cluster_password must be set for multi-master installations"
+  when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and (openshift_master_cluster_password is not defined or not openshift_master_cluster_password)
 
 - name: Set master facts
   openshift_facts:
     role: master
     local_facts:
+      cluster_method: "{{ openshift_master_cluster_method | default(None) }}"
       cluster_hostname: "{{ openshift_master_cluster_hostname | default(None) }}"
       cluster_public_hostname: "{{ openshift_master_cluster_public_hostname | default(None) }}"
-      cluster_defer_ha: "{{ openshift_master_cluster_defer_ha | default(None) }}"
       debug_level: "{{ openshift_master_debug_level | default(openshift.common.debug_level) }}"
       api_port: "{{ openshift_master_api_port | default(None) }}"
       api_url: "{{ openshift_master_api_url | default(None) }}"
@@ -41,6 +47,8 @@
       portal_net: "{{ openshift_master_portal_net | default(None) }}"
       session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}"
       session_name: "{{ openshift_master_session_name | default(None) }}"
+      session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(None) }}"
+      session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(None) }}"
       session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}"
       access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}"
       auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}"
@@ -67,7 +75,7 @@
       controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}"
 
 - name: Install Master package
-  yum: pkg={{ openshift.common.service_type }}-master state=present
+  yum: pkg={{ openshift.common.service_type }}-master{{ openshift_version  }} state=present
   register: install_result
 
 # TODO: These values need to be configurable
@@ -79,7 +87,7 @@
       domain: cluster.local
   when: openshift.master.embedded_dns
 
-- name: Create config parent directory if it doesn't exist
+- name: Create config parent directory if it does not exist
   file:
     path: "{{ openshift_master_config_dir }}"
     state: directory
@@ -128,28 +136,37 @@
 
 # workaround for missing systemd unit files for controllers/api
 - name: Create the api service file
-  copy:
-    src: atomic-openshift-master-api.service
-    dest: /usr/lib/systemd/system/atomic-openshift-master-api.service
+  template:
+    src: atomic-openshift-master-api.service.j2
+    dest: /usr/lib/systemd/system/{{ openshift.common.service_type }}-master-api.service
     force: no
 - name: Create the controllers service file
-  copy:
-    src: atomic-openshift-master-controllers.service
-    dest: /usr/lib/systemd/system/atomic-openshift-master-controllers.service
+  template:
+    src: atomic-openshift-master-controllers.service.j2
+    dest: /usr/lib/systemd/system/{{ openshift.common.service_type }}-master-controllers.service
     force: no
 - name: Create the api env file
-  copy:
-    src: atomic-openshift-master-api
-    dest: /etc/sysconfig/atomic-openshift-master-api
+  template:
+    src: atomic-openshift-master-api.j2
+    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api
     force: no
 - name: Create the controllers env file
-  copy:
-    src: atomic-openshift-master-controllers
-    dest: /etc/sysconfig/atomic-openshift-master-controllers
+  template:
+    src: atomic-openshift-master-controllers.j2
+    dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
     force: no
 - command: systemctl daemon-reload
 # end workaround for missing systemd unit files
 
+- name: Create session secrets file
+  template:
+    dest: "{{ openshift.master.session_secrets_file }}"
+    src: sessionSecretsFile.yaml.v1.j2
+    force: no
+  notify:
+  - restart master
+  - restart master api
+
 # TODO: add the validate parameter when there is a validation command to run
 - name: Create master config
   template:
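Review bot: The new `Create session secrets file` task writes the session HMAC and AES keys to `{{ openshift.master.session_secrets_file }}` without setting owner or permissions, so the file mode is whatever the default umask produces. I would add `mode: 0600` to the `template` arguments, plus an explicit `owner` and `group` for whichever account the master runs as (not visible here). With `force: no` the file is never rewritten once it exists, so changing the secrets in the inventory later has no effect; if that is intended, a comment on the task should say so.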
@@ -166,6 +183,7 @@
     dest: /etc/sysconfig/{{ openshift.common.service_type }}-master
     regexp: "{{ item.regex }}"
     line: "{{ item.line }}"
+    create: yes
   with_items:
     - regex: '^OPTIONS='
       line: "OPTIONS=--loglevel={{ openshift.master.debug_level }}"
@@ -205,34 +223,39 @@
   when: not openshift_master_ha | bool
   register: start_result
 
+- set_fact:
+    master_service_status_changed = start_result | changed
+  when: not openshift_master_ha | bool
+
 - name: Start and enable master api
   service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started
-  when: openshift_master_ha | bool
+  when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
   register: start_result
 
-- name: pause to prevent service restart from interfering with bootstrapping
-  pause: seconds=30
-  when: openshift_master_ha | bool
+- set_fact:
+    master_api_service_status_changed = start_result | changed
+  when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
 
 # TODO: fix the ugly workaround of setting ignore_errors
 #       the controllers service tries to start even if it is already started
 - name: Start and enable master controller
   service: name={{ openshift.common.service_type }}-master-controllers enabled=yes state=started
-  when: openshift_master_ha | bool
+  when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
   register: start_result
   ignore_errors: yes
 
 - set_fact:
-    master_service_status_changed = start_result | changed
+    master_controllers_service_status_changed = start_result | changed
+  when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
 
 - name: Install cluster packages
   yum: pkg=pcs state=present
-  when: openshift_master_ha | bool and not openshift.master.cluster_defer_ha | bool
+  when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
   register: install_result
 
 - name: Start and enable cluster service
   service: name=pcsd enabled=yes state=started
-  when: openshift_master_ha | bool and not openshift.master.cluster_defer_ha | bool
+  when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
 
 - name: Set the cluster user password
   shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster
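Review bot: The three `set_fact` tasks in this hunk are written as `master_api_service_status_changed = start_result | changed`, a free-form string with spaces around `=` and no `{{ }}`, rather than a mapping. As written the fact is probably never set to the task's changed status. The handlers changed in roles/openshift_master/handlers/main.yml read these names through `default(false)`, so an unset fact silently leaves their `not ... | default(false)` guard always true and the restart is never suppressed. I would write each as a mapping, e.g. `master_api_service_status_changed: "{{ start_result | changed }}"`, and the same for `master_service_status_changed` and `master_controllers_service_status_changed`.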

+ 1 - 1
roles/openshift_master/files/atomic-openshift-master-api

@@ -1,5 +1,5 @@
 OPTIONS=
-CONFIG_FILE=/etc/origin/master/master-config.yaml
+CONFIG_FILE={{ openshift_master_config_dir }}/master-config.yaml
 
 # Proxy configuration
 # Origin uses standard HTTP_PROXY environment variables. Be sure to set

+ 4 - 4
roles/openshift_master/files/atomic-openshift-master-api.service

@@ -3,19 +3,19 @@ Description=Atomic OpenShift Master API
 Documentation=https://github.com/openshift/origin
 After=network.target
 After=etcd.service
-Before=atomic-openshift-node.service
+Before={{ openshift.common.service_type }}-node.service
 Requires=network.target
 
 [Service]
 Type=notify
-EnvironmentFile=/etc/sysconfig/atomic-openshift-master-api
+EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-api
 Environment=GOTRACEBACK=crash
 ExecStart=/usr/bin/openshift start master api --config=${CONFIG_FILE} $OPTIONS
 LimitNOFILE=131072
 LimitCORE=infinity
-WorkingDirectory=/var/lib/origin/
+WorkingDirectory={{ openshift.common.data_dir }}
 SyslogIdentifier=atomic-openshift-master-api
 
 [Install]
 WantedBy=multi-user.target
-WantedBy=atomic-openshift-node.service
+WantedBy={{ openshift.common.service_type }}-node.service
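Review bot: `SyslogIdentifier=atomic-openshift-master-api` is left hard-coded in this unit, while the matching line in the controllers unit becomes `SyslogIdentifier={{ openshift.common.service_type }}-master-controllers` in the same commit. On an `origin` or `openshift` service type the API logs would then be tagged with a name that does not match the unit, which makes journal filtering by identifier inconsistent between the two services. I would change it to `SyslogIdentifier={{ openshift.common.service_type }}-master-api`.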

+ 1 - 1
roles/openshift_master/files/atomic-openshift-master-controllers

@@ -1,5 +1,5 @@
 OPTIONS=
-CONFIG_FILE=/etc/origin/master/master-config.yaml
+CONFIG_FILE={{ openshift_master_config_dir }}/master-config.yaml
 
 # Proxy configuration
 # Origin uses standard HTTP_PROXY environment variables. Be sure to set

+ 6 - 6
roles/openshift_master/files/atomic-openshift-master-controllers.service

@@ -2,21 +2,21 @@
 Description=Atomic OpenShift Master Controllers
 Documentation=https://github.com/openshift/origin
 After=network.target
-After=atomic-openshift-master-api.service
-Before=atomic-openshift-node.service
+After={{ openshift.common.service_type }}-master-api.service
+Before={{ openshift.common.service_type }}-node.service
 Requires=network.target
 
 [Service]
 Type=notify
-EnvironmentFile=/etc/sysconfig/atomic-openshift-master-controllers
+EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
 Environment=GOTRACEBACK=crash
 ExecStart=/usr/bin/openshift start master controllers --config=${CONFIG_FILE} $OPTIONS
 LimitNOFILE=131072
 LimitCORE=infinity
-WorkingDirectory=/var/lib/origin/
-SyslogIdentifier=atomic-openshift-master-controllers
+WorkingDirectory={{ openshift.common.data_dir }}
+SyslogIdentifier={{ openshift.common.service_type }}-master-controllers
 Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target
-WantedBy=atomic-openshift-node.service
+WantedBy={{ openshift.common.service_type }}-node.service

+ 7 - 0
roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: SessionSecrets
+secrets:
+{% for secret in openshift_master_session_auth_secrets %}
+- authentication: "{{ openshift_master_session_auth_secrets[loop.index0] }}"
+  encryption: "{{ openshift_master_session_encryption_secrets[loop.index0] }}"
+{% endfor %}
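Review bot: Both values are interpolated inside hand-written double quotes, so an operator-supplied secret containing `"` or `\` yields invalid YAML or a different key than the one configured. Emitting the value through a serialising filter and dropping the literal quotes avoids that, e.g. `- authentication: {{ openshift_master_session_auth_secrets[loop.index0] | to_json }}`, with the same change on the `encryption` line. The loop variable `secret` is unused. Indexing `openshift_master_session_encryption_secrets[loop.index0]` relies entirely on the equal-length check in playbooks/common/openshift-master/config.yml, so a short comment here pointing at that precondition would help.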

+ 1 - 0
roles/openshift_master/vars/main.yml

@@ -2,6 +2,7 @@
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
 openshift_master_config_file: "{{ openshift_master_config_dir }}/master-config.yaml"
 openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.json"
+openshift_master_session_secrets_file: "{{ openshift_master_config_dir }}/session-secrets.yaml"
 openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json"
 openshift_version: "{{ openshift_pkg_version | default('') }}"
 

+ 0 - 8
roles/openshift_master_cluster/tasks/configure_deferred.yml

@@ -1,8 +0,0 @@
----
-- debug: msg="Deferring config"
-
-- name: Start and enable the master
-  service:
-    name: "{{ openshift.common.service_type }}-master"
-    state: started
-    enabled: yes

+ 1 - 4
roles/openshift_master_cluster/tasks/main.yml

@@ -4,10 +4,7 @@
   register: pcs_status
   changed_when: false
   failed_when: false
-  when: not openshift.master.cluster_defer_ha | bool
+  when: openshift.master.cluster_method == "pacemaker"
 
 - include: configure.yml
   when: "pcs_status | failed and 'Error: cluster is not currently running on this node' in pcs_status.stderr"
-
-- include: configure_deferred.yml
-  when: openshift.master.cluster_defer_ha | bool

+ 1 - 0
roles/openshift_node/meta/main.yml

@@ -13,3 +13,4 @@ galaxy_info:
   - cloud
 dependencies:
 - { role: openshift_common }
+- { role: docker }

+ 1 - 0
roles/openshift_node/tasks/main.yml

@@ -68,6 +68,7 @@
     dest: /etc/sysconfig/{{ openshift.common.service_type }}-node
     regexp: "{{ item.regex }}"
     line: "{{ item.line }}"
+    create: yes
   with_items:
     - regex: '^OPTIONS='
       line: "OPTIONS=--loglevel={{ openshift.node.debug_level }}"

+ 1 - 1
roles/openshift_repos/tasks/main.yaml

@@ -8,7 +8,7 @@
 #       proper repos correctly.
 
 - assert:
-    that: openshift_deployment_type in known_openshift_deployment_types
+    that: openshift.common.deployment_type in known_openshift_deployment_types
 
 - name: Ensure libselinux-python is installed
   yum: