shixiong
/
okd


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174
							---
###############################################################################
# The restart playbook should be run after this playbook completes.
###############################################################################

###############################################################################
# Upgrade Masters
###############################################################################
- name: Upgrade master
  hosts: oo_masters_to_config
  handlers:
  - include: ../../../../roles/openshift_master/handlers/main.yml
    static: yes
  roles:
  - openshift_facts
  tasks:
  - include: rpm_upgrade.yml component=master
    when: not openshift.common.is_containerized | bool

  - include: "{{ master_config_hook }}"
    when: master_config_hook is defined

  - include_vars: ../../../../roles/openshift_master/vars/main.yml

  - name: Update systemd units
    include: ../../../../roles/openshift_master/tasks/systemd_units.yml

#  - name: Upgrade master configuration
#    openshift_upgrade_config:
#      from_version: '3.1'
#       to_version: '3.2'
#      role: master
#      config_base: "{{ hostvars[inventory_hostname].openshift.common.config_base }}"

- name: Set master update status to complete
  hosts: oo_masters_to_config
  tasks:
  - set_fact:
      master_update_complete: True

##############################################################################
# Gate on master update complete
##############################################################################
- name: Gate on master update
  hosts: localhost
  connection: local
  become: no
  tasks:
  - set_fact:
      master_update_completed: "{{ hostvars
                                 | oo_select_keys(groups.oo_masters_to_config)
                                 | oo_collect('inventory_hostname', {'master_update_complete': true}) }}"
  - set_fact:
      master_update_failed: "{{ groups.oo_masters_to_config | difference(master_update_completed) }}"
  - fail:
      msg: "Upgrade cannot continue. The following masters did not finish updating: {{ master_update_failed | join(',') }}"
    when: master_update_failed | length > 0

###############################################################################
# Upgrade Nodes
###############################################################################

# Here we handle all tasks that might require a node evac. (upgrading docker, and the node service)
- name: Perform upgrades that may require node evacuation
  hosts: oo_masters_to_config:oo_etcd_to_config:oo_nodes_to_config
  serial: 1
  any_errors_fatal: true
  roles:
  - openshift_facts
  handlers:
  - include: ../../../../roles/openshift_node/handlers/main.yml
    static: yes
  tasks:
  # TODO: To better handle re-trying failed upgrades, it would be nice to check if the node
  # or docker actually needs an upgrade before proceeding. Perhaps best to save this until
  # we merge upgrade functionality into the base roles and a normal config.yml playbook run.
  - name: Mark unschedulable if host is a node
    command: >
      {{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=false
    delegate_to: "{{ groups.oo_first_master.0 }}"
    when: inventory_hostname in groups.oo_nodes_to_config

  - name: Evacuate Node for Kubelet upgrade
    command: >
      {{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --evacuate --force
    delegate_to: "{{ groups.oo_first_master.0 }}"
    when: inventory_hostname in groups.oo_nodes_to_config

  # Only check if docker upgrade is required if docker_upgrade is not
  # already set to False.
  - include: docker/upgrade_check.yml
    when: docker_upgrade is not defined or docker_upgrade | bool and not openshift.common.is_atomic | bool

  - include: docker/upgrade.yml
    when: l_docker_upgrade is defined and l_docker_upgrade | bool and not openshift.common.is_atomic | bool
  - include: "{{ node_config_hook }}"
    when: node_config_hook is defined

  - include: rpm_upgrade.yml
    vars:
       component: "node"
       openshift_version: "{{ openshift_pkg_version | default('') }}"
    when: inventory_hostname in groups.oo_nodes_to_config and not openshift.common.is_containerized | bool

  - include: containerized_node_upgrade.yml
    when: inventory_hostname in groups.oo_nodes_to_config and openshift.common.is_containerized | bool

  - name: Set node schedulability
    command: >
      {{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=true
    delegate_to: "{{ groups.oo_first_master.0 }}"
    when: inventory_hostname in groups.oo_nodes_to_config and openshift.node.schedulable | bool


###############################################################################
# Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
###############################################################################

- name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
  hosts: oo_masters_to_config
  roles:
  - { role: openshift_cli }
  vars:
    origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
    ent_reconcile_bindings: true
    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
  tasks:
  - name: Verifying the correct commandline tools are available
    shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
    when: openshift.common.is_containerized | bool and verify_upgrade_version is defined

  - name: Reconcile Cluster Roles
    command: >
      {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
      policy reconcile-cluster-roles --additive-only=true --confirm
    run_once: true

  - name: Reconcile Cluster Role Bindings
    command: >
      {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
      policy reconcile-cluster-role-bindings
      --exclude-groups=system:authenticated
      --exclude-groups=system:authenticated:oauth
      --exclude-groups=system:unauthenticated
      --exclude-users=system:anonymous
      --additive-only=true --confirm
    when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
    run_once: true

  - name: Reconcile Security Context Constraints
    command: >
      {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
    run_once: true

  - set_fact:
      reconcile_complete: True

##############################################################################
# Gate on reconcile
##############################################################################
- name: Gate on reconcile
  hosts: localhost
  connection: local
  become: no
  tasks:
  - set_fact:
      reconcile_completed: "{{ hostvars
                                 | oo_select_keys(groups.oo_masters_to_config)
                                 | oo_collect('inventory_hostname', {'reconcile_complete': true}) }}"
  - set_fact:
      reconcile_failed: "{{ groups.oo_masters_to_config | difference(reconcile_completed) }}"
  - fail:
      msg: "Upgrade cannot continue. The following masters did not finish reconciling: {{ reconcile_failed | join(',') }}"
    when: reconcile_failed | length > 0