Add support for creating secure router.

* Move openshift_router to openshift_hosted role which will eventually
  contain registry, metrics and logging.
* Adds option for specifying an openshift_hosted_router_certificate
  cert and key pair.
* Removes dependency on node label variables and retrieves the node
  list from the API s.t. this role can be applied to any cluster with
  existing nodes. I've added an openshift_hosted playbook that occurs
  after node install to account for this.
* Infrastructure nodes are selected using
  openshift_hosted_router_selector which is based on deployment type
  by default; openshift-enterprise -> "region=infra" and online ->
  "type=infra".

filter_plugins/oo_filters.py

@@ -298,6 +298,69 @@ def oo_filter_list(data, filter_attr=None):
         # Gather up the values for the list of keys passed in
         return [x for x in data if x.has_key(filter_attr) and x[filter_attr]]
 
+    @staticmethod
+    def oo_oc_nodes_matching_selector(nodes, selector):
+        """ Filters a list of nodes by selector.
+
+            Examples:
+                nodes = [{"kind": "Node", "metadata": {"name": "node1.example.com",
+                          "labels": {"kubernetes.io/hostname": "node1.example.com",
+                          "color": "green"}}},
+                         {"kind": "Node", "metadata": {"name": "node2.example.com",
+                          "labels": {"kubernetes.io/hostname": "node2.example.com",
+                          "color": "red"}}}]
+                selector = 'color=green'
+                returns = ['node1.example.com']
+            Args:
+                nodes (list[dict]): list of node definitions
+                selector (str): "label=value" node selector to filter `nodes` by
+            Returns:
+                list[str]: nodes filtered by selector
+        """
+        if not isinstance(nodes, list):
+            raise errors.AnsibleFilterError("failed expects nodes to be a list, got {0}".format(type(nodes)))
+        if not isinstance(selector, basestring):
+            raise errors.AnsibleFilterError("failed expects selector to be a string")
+        if not re.match('.*=.*', selector):
+            raise errors.AnsibleFilterError("failed selector does not match \"label=value\" format")
+        label = selector.split('=')[0]
+        value = selector.split('=')[1]
+        return FilterModule.oo_oc_nodes_with_label(nodes, label, value)
+
+    @staticmethod
+    def oo_oc_nodes_with_label(nodes, label, value):
+        """ Filters a list of nodes by label, value.
+
+            Examples:
+                nodes = [{"kind": "Node", "metadata": {"name": "node1.example.com",
+                          "labels": {"kubernetes.io/hostname": "node1.example.com",
+                          "color": "green"}}},
+                         {"kind": "Node", "metadata": {"name": "node2.example.com",
+                          "labels": {"kubernetes.io/hostname": "node2.example.com",
+                          "color": "red"}}}]
+                label = 'color'
+                value = 'green'
+                returns = ['node1.example.com']
+            Args:
+                nodes (list[dict]): list of node definitions
+                label (str): label to filter `nodes` by
+                value (str): value of `label` to filter `nodes` by
+            Returns:
+                list[str]: nodes filtered by selector
+        """
+        if not isinstance(nodes, list):
+            raise errors.AnsibleFilterError("failed expects nodes to be a list")
+        if not isinstance(label, basestring):
+            raise errors.AnsibleFilterError("failed expects label to be a string")
+        if not isinstance(value, basestring):
+            raise errors.AnsibleFilterError("failed expects value to be a string")
+        matching_nodes = []
+        for node in nodes:
+            if label in node['metadata']['labels']:
+                if node['metadata']['labels'][label] == value:
+                    matching_nodes.append(node['metadata']['name'])
+        return matching_nodes
+
     @staticmethod
     def oo_nodes_with_label(nodes, label, value=None):
         """ Filters a list of nodes by label and value (if provided)
@@ -601,36 +664,38 @@ def oo_persistent_volumes(hostvars, groups, persistent_volumes=None):
 
         if persistent_volumes == None:
             persistent_volumes = []
-        for component in hostvars['openshift']['hosted']:
-            kind = hostvars['openshift']['hosted'][component]['storage']['kind']
-            create_pv = hostvars['openshift']['hosted'][component]['storage']['create_pv']
-            if kind != None and create_pv:
-                if kind == 'nfs':
-                    host = hostvars['openshift']['hosted'][component]['storage']['host']
-                    if host == None:
-                        if len(groups['oo_nfs_to_config']) > 0:
-                            host = groups['oo_nfs_to_config'][0]
+        if 'hosted' in hostvars['openshift']:
+            for component in hostvars['openshift']['hosted']:
+                if 'storage' in hostvars['openshift']['hosted'][component]:
+                    kind = hostvars['openshift']['hosted'][component]['storage']['kind']
+                    create_pv = hostvars['openshift']['hosted'][component]['storage']['create_pv']
+                    if kind != None and create_pv:
+                        if kind == 'nfs':
+                            host = hostvars['openshift']['hosted'][component]['storage']['host']
+                            if host == None:
+                                if len(groups['oo_nfs_to_config']) > 0:
+                                    host = groups['oo_nfs_to_config'][0]
+                                else:
+                                    raise errors.AnsibleFilterError("|failed no storage host detected")
+                            directory = hostvars['openshift']['hosted'][component]['storage']['nfs']['directory']
+                            volume = hostvars['openshift']['hosted'][component]['storage']['volume']['name']
+                            path = directory + '/' + volume
+                            size = hostvars['openshift']['hosted'][component]['storage']['volume']['size']
+                            access_modes = hostvars['openshift']['hosted'][component]['storage']['access_modes']
+                            persistent_volume = dict(
+                                name="{0}-volume".format(volume),
+                                capacity=size,
+                                access_modes=access_modes,
+                                storage=dict(
+                                    nfs=dict(
+                                        server=host,
+                                        path=path)))
+                            persistent_volumes.append(persistent_volume)
                         else:
-                            raise errors.AnsibleFilterError("|failed no storage host detected")
-                    directory = hostvars['openshift']['hosted'][component]['storage']['nfs']['directory']
-                    volume = hostvars['openshift']['hosted'][component]['storage']['volume']['name']
-                    path = directory + '/' + volume
-                    size = hostvars['openshift']['hosted'][component]['storage']['volume']['size']
-                    access_modes = hostvars['openshift']['hosted'][component]['storage']['access_modes']
-                    persistent_volume = dict(
-                        name="{0}-volume".format(volume),
-                        capacity=size,
-                        access_modes=access_modes,
-                        storage=dict(
-                            nfs=dict(
-                                server=host,
-                                path=path)))
-                    persistent_volumes.append(persistent_volume)
-                else:
-                    msg = "|failed invalid storage kind '{0}' for component '{1}'".format(
-                        kind,
-                        component)
-                    raise errors.AnsibleFilterError(msg)
+                            msg = "|failed invalid storage kind '{0}' for component '{1}'".format(
+                                kind,
+                                component)
+                            raise errors.AnsibleFilterError(msg)
         return persistent_volumes
 
     @staticmethod
@@ -645,18 +710,20 @@ def oo_persistent_volume_claims(hostvars, persistent_volume_claims=None):
 
         if persistent_volume_claims == None:
             persistent_volume_claims = []
-        for component in hostvars['openshift']['hosted']:
-            kind = hostvars['openshift']['hosted'][component]['storage']['kind']
-            create_pv = hostvars['openshift']['hosted'][component]['storage']['create_pv']
-            if kind != None and create_pv:
-                volume = hostvars['openshift']['hosted'][component]['storage']['volume']['name']
-                size = hostvars['openshift']['hosted'][component]['storage']['volume']['size']
-                access_modes = hostvars['openshift']['hosted'][component]['storage']['access_modes']
-                persistent_volume_claim = dict(
-                    name="{0}-claim".format(volume),
-                    capacity=size,
-                    access_modes=access_modes)
-                persistent_volume_claims.append(persistent_volume_claim)
+        if 'hosted' in hostvars['openshift']:
+            for component in hostvars['openshift']['hosted']:
+                if 'storage' in hostvars['openshift']['hosted'][component]:
+                    kind = hostvars['openshift']['hosted'][component]['storage']['kind']
+                    create_pv = hostvars['openshift']['hosted'][component]['storage']['create_pv']
+                    if kind != None and create_pv:
+                        volume = hostvars['openshift']['hosted'][component]['storage']['volume']['name']
+                        size = hostvars['openshift']['hosted'][component]['storage']['volume']['size']
+                        access_modes = hostvars['openshift']['hosted'][component]['storage']['access_modes']
+                        persistent_volume_claim = dict(
+                            name="{0}-claim".format(volume),
+                            capacity=size,
+                            access_modes=access_modes)
+                        persistent_volume_claims.append(persistent_volume_claim)
         return persistent_volume_claims
 
     @staticmethod
@@ -768,5 +835,7 @@ def filters(self):
             "oo_pods_match_component": self.oo_pods_match_component,
             "oo_get_hosts_from_hostvars": self.oo_get_hosts_from_hostvars,
             "oo_image_tag_to_rpm_version": self.oo_image_tag_to_rpm_version,
-            "oo_merge_dicts": self.oo_merge_dicts
+            "oo_merge_dicts": self.oo_merge_dicts,
+            "oo_oc_nodes_matching_selector": self.oo_oc_nodes_matching_selector,
+            "oo_oc_nodes_with_label": self.oo_oc_nodes_with_label
         }

inventory/byo/hosts.aep.example

@@ -173,9 +173,47 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # glusterfs plugin dependencies will be installed, if available.
 #osn_storage_plugin_deps=['ceph','glusterfs','iscsi']
 
-# default selectors for router and registry services
-# openshift_router_selector='region=infra'
-# openshift_registry_selector='region=infra'
+# OpenShift Router Options
+#
+# An OpenShift router will be created during install if there are
+# nodes present with labels matching the default router selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Router selector (optional)
+# Router will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_hosted_router_selector='region=infra'
+#
+# Router replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift router selector.
+#openshift_hosted_router_replicas=2
+#
+# Router certificate (optional)
+# Provide local certificate paths which will be configured as the
+# router's default certificate.
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key"}
+
+# Openshift Registry Options
+#
+# An OpenShift registry will be created during install if there are
+# nodes present with labels matching the default registry selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Registry selector (optional)
+# Registry will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_registry_selector='region=infra'
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'

inventory/byo/hosts.origin.example

@@ -178,9 +178,47 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # glusterfs plugin dependencies will be installed, if available.
 #osn_storage_plugin_deps=['ceph','glusterfs','iscsi']
 
-# default selectors for router and registry services
-# openshift_router_selector='region=infra'
-# openshift_registry_selector='region=infra'
+# OpenShift Router Options
+#
+# An OpenShift router will be created during install if there are
+# nodes present with labels matching the default router selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Router selector (optional)
+# Router will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_hosted_router_selector='region=infra'
+#
+# Router replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift router selector.
+#openshift_hosted_router_replicas=2
+#
+# Router certificate (optional)
+# Provide local certificate paths which will be configured as the
+# router's default certificate.
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key"}
+
+# Openshift Registry Options
+#
+# An OpenShift registry will be created during install if there are
+# nodes present with labels matching the default registry selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Registry selector (optional)
+# Registry will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_registry_selector='region=infra'
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'

inventory/byo/hosts.ose.example

@@ -174,9 +174,47 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # glusterfs plugin dependencies will be installed, if available.
 #osn_storage_plugin_deps=['ceph','glusterfs']
 
-# default selectors for router and registry services
-# openshift_router_selector='region=infra'
-# openshift_registry_selector='region=infra'
+# OpenShift Router Options
+#
+# An OpenShift router will be created during install if there are
+# nodes present with labels matching the default router selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Router selector (optional)
+# Router will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_hosted_router_selector='region=infra'
+#
+# Router replicas (optional)
+# Unless specified, openshift-ansible will calculate the replica count
+# based on the number of nodes matching the openshift router selector.
+#openshift_hosted_router_replicas=2
+#
+# Router certificate (optional)
+# Provide local certificate paths which will be configured as the
+# router's default certificate.
+#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key"}
+
+# Openshift Registry Options
+#
+# An OpenShift registry will be created during install if there are
+# nodes present with labels matching the default registry selector,
+# "region=infra". Set openshift_node_labels per node as needed in
+# order to label nodes.
+#
+# Example:
+# [nodes]
+# node.example.com openshift_node_labels="{'region': 'infra'}"
+#
+# Registry selector (optional)
+# Registry will only be created if nodes matching this label are present.
+# Default value: 'region=infra'
+#openshift_registry_selector='region=infra'
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'

playbooks/common/openshift-cluster/additional_config.yml

@@ -49,8 +49,6 @@
     openshift_serviceaccounts_namespace: default
     openshift_serviceaccounts_sccs:
     - privileged
-  - role: openshift_router
-    when: deploy_infra | bool
   - role: openshift_registry
     registry_volume_claim: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
     when: deploy_infra | bool and attach_registry_volume | bool

playbooks/common/openshift-cluster/config.yml

@@ -34,3 +34,5 @@
 - include: additional_config.yml
 
 - include: ../openshift-node/config.yml
+
+- include: openshift_hosted.yml

playbooks/common/openshift-cluster/openshift_hosted.yml

@@ -0,0 +1,5 @@
+- name: Create Hosted Resources
+  hosts: oo_first_master
+  roles:
+  - role: openshift_hosted
+    openshift_hosted_router_registryurl: "{{ hostvars[groups.oo_first_master.0].openshift.master.registry_url }}"