fix

playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml

@@ -189,8 +189,6 @@
   roles:
   - { role: openshift_cli }
   vars:
-    origin_reconcile_bindings: "{{ deployment_type == 'origin' and openshift_version | version_compare('1.0.6', '>') }}"
-    ent_reconcile_bindings: true
     openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
     # Another spot where we assume docker is running and do not want to accidentally trigger an unsafe
     # restart.
@@ -202,6 +200,7 @@
       {{ openshift.common.client_binary }} adm --config={{ openshift.common.config_base }}/master/admin.kubeconfig
       policy reconcile-cluster-roles --additive-only=true --confirm -o name
     register: reconcile_cluster_role_result
+    when: not openshift.common.version_gte_3_7 | bool
     changed_when:
     - reconcile_cluster_role_result.stdout != ''
     - reconcile_cluster_role_result.rc == 0
@@ -216,7 +215,7 @@
       --exclude-groups=system:unauthenticated
       --exclude-users=system:anonymous
       --additive-only=true --confirm -o name
-    when: origin_reconcile_bindings | bool or ent_reconcile_bindings | bool
+    when: not openshift.common.version_gte_3_7 | bool
     register: reconcile_bindings_result
     changed_when:
     - reconcile_bindings_result.stdout != ''
@@ -231,25 +230,45 @@
     changed_when:
     - reconcile_jenkins_role_binding_result.stdout != ''
     - reconcile_jenkins_role_binding_result.rc == 0
-    when: openshift.common.version_gte_3_4_or_1_4  | bool
+    when: (not openshift.common.version_gte_3_7 | bool) and (openshift.common.version_gte_3_4_or_1_4 | bool)
 
   - when: (openshift.common.version_gte_3_6 | bool) and (not openshift.common.version_gte_3_7 | bool)
     block:
+    - name: Retrieve shared-resource-viewer
+      oc_obj:
+        state: list
+        kind: role
+        name: "shared-resource-viewer"
+        namespace: "openshift"
+      register: objout
+
+    - name: Determine if shared-resource-viewer is protected
+      set_fact:
+        __shared_resource_viewer_protected: true
+      when: 
+        - "'results' in objout"
+        - "'results' in objout['results']"
+        - "'annotations' in objout['results']['results'][0]['metadata']"
+        - "'openshift.io/reconcile-protect' in objout['results']['results'][0]['metadata']['annotations']"
+        - "objout['results']['results'][0]['metadata']['annotations']['openshift.io/reconcile-protect'] == 'true'"
+
     - copy:
         src: "{{ item }}"
         dest: "/tmp/{{ item }}"
       with_items:
       - "{{ __master_shared_resource_viewer_file }}"
+      when: __shared_resource_viewer_protected is not defined
 
     - name: Fixup shared-resource-viewer role
       oc_obj:
         state: present
+        kind: role
         name: "shared-resource-viewer"
         namespace: "openshift"
-        kind: role
         files:
         - "/tmp/{{ __master_shared_resource_viewer_file }}"
         delete_after: true
+      when: __shared_resource_viewer_protected is not defined
 
   - name: Reconcile Security Context Constraints
     command: >
@@ -266,11 +285,11 @@
       migrate storage --include=* --confirm
     run_once: true
     register: l_pb_upgrade_control_plane_post_upgrade_storage
-    when: openshift_upgrade_post_storage_migration_enabled | default(true,true) | bool
+    when: openshift_upgrade_post_storage_migration_enabled | default(true) | bool
     failed_when:
-    - openshift_upgrade_post_storage_migration_enabled | default(true,true) | bool
+    - openshift_upgrade_post_storage_migration_enabled | default(true) | bool
     - l_pb_upgrade_control_plane_post_upgrade_storage.rc != 0
-    - openshift_upgrade_post_storage_migration_fatal | default(false,true) | bool
+    - openshift_upgrade_post_storage_migration_fatal | default(false) | bool
 
   - set_fact:
       reconcile_complete: True
@@ -300,7 +319,7 @@
   roles:
   - openshift_facts
   tasks:
-  - include: docker/upgrade.yml
+  - include: docker/tasks/upgrade.yml
     when: l_docker_upgrade is defined and l_docker_upgrade | bool and not openshift.common.is_atomic | bool
 
 - name: Drain and upgrade master nodes