From 52ed80a943abb015d6e46f718d3a9560a0e2e355 Mon Sep 17 00:00:00 2001 From: Vladislav Walek <22072258+vwalek@users.noreply.github.com> Date: Sep 30 2020 22:14:01 +0000 Subject: Merge remote-tracking branch 'upstream/release-3.11' into vwalek-named-cert-play --- diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index 037c16e..313eb79 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.11.293-1 ./ +3.11.301-1 ./ diff --git a/openshift-ansible.spec b/openshift-ansible.spec index a3ffb2b..22e70fd 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -9,7 +9,7 @@ %global __requires_exclude ^/usr/bin/ansible-playbook$ Name: openshift-ansible -Version: 3.11.293 +Version: 3.11.301 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -190,6 +190,36 @@ BuildArch: noarch %{_datadir}/ansible/%{name}/test %changelog +* Wed Sep 30 2020 AOS Automation Release Team 3.11.301-1 +- BZ-1883036 - adding option to not redeploy service signer even when + openshift_redeploy_openshift_ca=true + (22072258+vwalek@users.noreply.github.com) + +* Tue Sep 29 2020 AOS Automation Release Team 3.11.300-1 +- roles/openshift_master_certificates: Update node.kubeconfig + (rteague@redhat.com) +- Bug 1848454: OpenShift logging upgrade from 3.11.161 to 3.11.219 fails + (syedriko@redhat.com) + +* Mon Sep 28 2020 AOS Automation Release Team 3.11.299-1 +- Detect an incomplete OpenShift CA redeployment (rteague@redhat.com) + +* Sun Sep 27 2020 AOS Automation Release Team 3.11.298-1 +- + +* Sat Sep 26 2020 AOS Automation Release Team 3.11.297-1 +- + +* Fri Sep 25 2020 AOS Automation Release Team 3.11.296-1 +- roles/openshift_master_certificates: Update bootstrap.kubeconfig + (rteague@redhat.com) + +* Thu Sep 24 2020 AOS Automation Release Team 3.11.295-1 +- + +* Wed Sep 23 2020 AOS Automation Release Team 3.11.294-1 +- + * Tue Sep 22 2020 AOS Automation Release Team 3.11.293-1 - 
diff --git a/playbooks/openshift-master/private/certificates-backup.yml b/playbooks/openshift-master/private/certificates-backup.yml index d624819..1b75dc9 100644 --- a/playbooks/openshift-master/private/certificates-backup.yml +++ b/playbooks/openshift-master/private/certificates-backup.yml @@ -71,4 +71,4 @@ with_items: - service-signer.crt - service-signer.key - when: openshift_redeploy_openshift_ca | default(false) | bool + when: (openshift_redeploy_openshift_ca | default(false) | bool) and (openshift_redeploy_service_signer | default(true) | bool) diff --git a/playbooks/openshift-master/private/check-client-ca.yml b/playbooks/openshift-master/private/check-client-ca.yml new file mode 100644 index 0000000..b1f3a10 --- /dev/null +++ b/playbooks/openshift-master/private/check-client-ca.yml @@ -0,0 +1,21 @@ +--- +- name: Detect incomplete OpenShift CA redeployment + hosts: oo_masters_to_config + tasks: + - name: Read master config + slurp: + src: "{{ openshift.common.config_base }}/master/master-config.yaml" + register: g_master_config_output + + # servingInfo.clientCA may be set as the client-ca-bundle.crt from + # CA redeployment and openshift_redeploy_openshift_ca must be set as true + # in the inventory to complete the redeployment + - name: Check servingInfo.clientCA = ca.crt in master config + fail: + msg: > + Detected an incomplete OpenShift CA redeployment. Please set + openshift_redeploy_openshift_ca=true in the inventory and re-run + redeploy-certifcates.yml + when: + - (g_master_config_output.content|b64decode|from_yaml).servingInfo.clientCA != 'ca.crt' + - openshift_redeploy_openshift_ca is undefined or openshift_redeploy_openshift_ca | bool == false diff --git a/playbooks/redeploy-certificates.yml b/playbooks/redeploy-certificates.yml index 8f8ab4b..7fbe0aa 100644 --- a/playbooks/redeploy-certificates.yml +++ b/playbooks/redeploy-certificates.yml 
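Review bot: The new `openshift_redeploy_service_signer` variable in the `when:` of the service-signer backup task is not documented where it is used, and its effect is security-relevant. With it set to false, the existing service-signer.crt and service-signer.key appear to be kept while the rest of the OpenShift CA is redeployed. I would add a comment above the condition such as `# openshift_redeploy_service_signer=false keeps the current service signer key pair; leave it at the default (true) when rotating because of a suspected key compromise`. The task's name and module are outside the hunk, so what it does with the two files is inferred from the item names and the changelog entry.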
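Review bot: The `fail` message in the new check-client-ca.yml names `redeploy-certifcates.yml`, but the playbook this commit wires the check into is `redeploy-certificates.yml`. An operator copying the name from the error will not find it, so the last line of `msg` should read `redeploy-certificates.yml`. The `Read master config` task also registers the whole of master-config.yaml; that file may hold identity-provider secrets, so consider `no_log: true` on the slurp task to keep the base64 content out of verbose output. The second `when` item could be written `not (openshift_redeploy_openshift_ca | default(false) | bool)` to match the form used in certificates-backup.yml.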
@@ -1,6 +1,8 @@ --- - import_playbook: init/main.yml +- import_playbook: openshift-master/private/check-client-ca.yml + - import_playbook: openshift-etcd/private/redeploy-certificates.yml - import_playbook: openshift-master/private/redeploy-certificates.yml diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index 0d557cb..f39c15b 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml @@ -65,7 +65,8 @@ with_sequence: count={{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count }} when: openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count > 0 -- set_fact: es_indices=[] +- set_fact: + es_indices: [] when: openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count == 0 - set_fact: openshift_logging_es_pvc_prefix="logging-es" 
@@ -82,6 +83,13 @@ - set_fact: default_elasticsearch_storage_type: "{{ 'pvc' if ( openshift_logging_es_pvc_dynamic | bool or openshift_logging_storage_kind | default('') == 'nfs' or openshift_logging_es_pvc_size | length > 0) else 'emptydir' }}" +# Pre-condition check for the following include_role, to make sure the lists in with_together are +# the same length and do not get padded with Nones +# +- fail: + msg: There must be the same number of ES DeploymentConfigs, ES PVCs and ES indices. Found ES DeploymentConfigs - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() }}", ES DC count - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count }}", ES PVCs - "{{ openshift_logging_facts.elasticsearch.pvcs }}", ES PVC length - "{{ openshift_logging_facts.elasticsearch.pvcs | length }}" and ES indices - "{{ es_indices }}", ES indices length - "{{ es_indices | length }}" + when: (openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count != openshift_logging_facts.elasticsearch.pvcs | length) or (openshift_logging_facts.elasticsearch.pvcs | length != es_indices | length) or (openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count != es_indices | length) + - include_role: name: openshift_logging_elasticsearch vars: @@ -145,7 +153,8 @@ - openshift_logging_use_ops | bool - openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() | count > 0 -- set_fact: es_ops_indices=[] +- set_fact: + es_ops_indices: [] when: openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() | count == 0 - set_fact: openshift_logging_es_ops_pvc_prefix="logging-es-ops" 
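Review bot: The added `fail` task has no `name`, so a failed run shows only a generic task header ahead of a very long message; add something like `- name: Verify ES DeploymentConfig, PVC and index counts match`. The third comparison in `when:` is implied by the first two and can be dropped. The `include_role` this guards starts inside the hunk but its loop is outside it, so please confirm that PVCs are always part of the `with_together` lists. If they are not (for example with emptydir storage), this check would abort installs that worked before.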
@@ -156,6 +165,15 @@ when: - openshift_logging_use_ops | bool +# Pre-condition check for the following include_role, to make sure the lists in with_together are +# the same length and do not get padded with Nones +# +- fail: + msg: There must be the same number of ES DeploymentConfigs, ES PVCs and ES Ops indices. Found ES DeploymentConfigs - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() }}", ES PVCs - "{{ openshift_logging_facts.elasticsearch.pvcs }}" and ES Ops indices - "{{ es_ops_indices }}" + when: + - (openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count != openshift_logging_facts.elasticsearch.pvcs | length) or (openshift_logging_facts.elasticsearch.pvcs | length != es_ops_indices | length) or (openshift_logging_facts.elasticsearch.deploymentconfigs.keys() | count != es_ops_indices | length) + - openshift_logging_use_ops | bool + - include_role: name: openshift_logging_elasticsearch vars: diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 8cac81f..2751957 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -253,3 +253,13 @@ state: link force: yes when: ca_crt_stat.stat.isreg and not ca_bundle_stat.stat.exists + +- name: Update the default bootstrap kubeconfig for masters + copy: + remote_src: true + src: "/etc/origin/master/admin.kubeconfig" + dest: "{{ item }}" + mode: 0600 + with_items: + - /etc/origin/node/bootstrap.kubeconfig + - /etc/origin/node/node.kubeconfig
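Review bot: The ops pre-condition check compares `openshift_logging_facts.elasticsearch.deploymentconfigs` and `openshift_logging_facts.elasticsearch.pvcs` against `es_ops_indices`, while the surrounding ops tasks read `openshift_logging_facts.elasticsearch_ops`. This looks like a copy of the non-ops check and would fail whenever the ops and non-ops clusters differ in size. If the following `include_role` iterates the ops facts (its loop is outside the hunk), the `when:` and the message should use `elasticsearch_ops.deploymentconfigs` and `elasticsearch_ops.pvcs`. Listing `- openshift_logging_use_ops | bool` first in `when:` would also skip the comparison early when ops is disabled, which avoids evaluating `es_ops_indices` on runs where it may not be set.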
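Review bot: `mode: 0600` in the new copy task is an unquoted YAML integer, so its meaning depends on the parser's octal handling; write `mode: "0600"`. Since the source is admin.kubeconfig, the task should also pin ownership with `owner: root` and `group: root` rather than rely on whichever user runs the play. The task has no `when:`, so every run overwrites both /etc/origin/node/bootstrap.kubeconfig and /etc/origin/node/node.kubeconfig with the cluster-admin credential. A comment above the task explaining why the masters' node kubeconfigs should carry that credential would let reviewers judge the wider exposure.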