Revert "First run at stg OSBS for layered build system"

This reverts commit 9cd22bd47e.

playbooks/groups/osbs.yml

@@ -43,16 +43,3 @@
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"
-
-- name: apply common osbs configuration
-  hosts: osbs-stg
-  roles:
-  - osbs_common
-
-- name: set up openshift build hosts
-  hosts: osbs-stg
-  roles:
-  - osbs_install_openshift_copr
-
-  # change behind_auth_proxy to true when using kerberos proxy
-  - { role: osbs_builder, behind_auth_proxy: false }

roles/osbs_builder/defaults/main.yml

@@ -1,38 +0,0 @@
----
-# OSBS expects the build image to be named buildroot
-buildroot_tag: buildroot
-
-# create build image from source or pull it from a registry?
-# see options below
-buildroot_from_source: true
-
-## for build_buildroot_from_source=false
-buildroot_pull:
-  registry: registry.hub.docker.com
-  registry_insecure: false
-  image: mmilata/buildroot:latest
-
-## for build_buildroot_from_source=true
-buildroot_build:
-  # buildroot base image source
-  base_registry: registry.hub.docker.com
-  base_registry_insecure: false
-  base_image: library/fedora:latest
-  # allow retagging the base image to match FROM in Dockerfile
-  base_image_retag: fedora:latest
-  # buildroot dockerfile source
-  git_url: https://github.com/mmilata/osbs-buildroot-osv3.git
-  git_branch: master
-  git_subdir: ""
-  git_local_path: "{{ ansible_env.HOME }}/osbs-buildroot-docker"
-
-## docker needs to know which registries are insecure
-insecure_registries: []
-
-# is authenticating proxy in front of us? if true, do not expose openshift port
-# and require users to be authenticated
-# set to false for debugging
-behind_auth_proxy: true
-
-# set to false if you don't use firewalld or do not want the playbook to modify it
-manage_firewall: true

roles/osbs_builder/files/sysconfig-openshift-master

@@ -1,9 +0,0 @@
-OPTIONS="--loglevel=3"
-CONFIG_FILE=/etc/openshift/master/master-config.yaml
-
-# Proxy configuration
-# OpenShift uses standard HTTP_PROXY environment variables. Be sure to set
-# NO_PROXY for your master
-#NO_PROXY=master.example.com
-#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
-#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

roles/osbs_builder/files/sysconfig-openshift-node

@@ -1,22 +0,0 @@
-OPTIONS="--loglevel=3"
-# /etc/openshift/node/ should contain the entire contents of
-# /var/lib/openshift.local.certificates/node-${node-fqdn} generated by
-# running 'openshift admin create-node-config' on your master
-#
-# If if your node is running on a separate host you can rsync the contents
-# rsync -a root@openshift-master:/var/lib/openshift/openshift.local.certificates/node-`hostname`/ /etc/openshift/node
-CONFIG_FILE=/etc/openshift/node/node-config.yaml
-
-# The $DOCKER_NETWORK_OPTIONS variable is used by sdn plugins to set
-# $DOCKER_NETWORK_OPTIONS variable in the /etc/sysconfig/docker-network
-# Most plugins include their own defaults within the scripts
-# TODO: More elegant solution like this
-# https://github.com/coreos/flannel/blob/master/dist/mk-docker-opts.sh
-# DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'
-
-# Proxy configuration
-# OpenShift uses standard HTTP_PROXY environment variables. Be sure to set
-# NO_PROXY for your master
-#NO_PROXY=master.example.com
-#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
-#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

roles/osbs_builder/tasks/buildroot_from_source.yml

@@ -1,19 +0,0 @@
----
-- name: pull buildroot base image
-  command: docker pull {{ buildroot_build.base_registry }}/{{ buildroot_build.base_image }}
-
-- name: tag buildroot base image
-  command: docker tag -f {{ buildroot_build.base_registry }}/{{ buildroot_build.base_image }} {{ buildroot_build.base_image_retag }}
-  when: buildroot_base_image_retag is defined
-
-- name: pull build image git repository
-  git:
-    repo: "{{ buildroot_build.git_url }}"
-    dest: "{{ buildroot_build.git_local_path }}"
-    version: "{{ buildroot_build.git_branch }}"
-    accept_hostkey: yes
-  register: buildroot_git_repo
-
-- name: build buildroot
-  command: docker build --no-cache=true --tag={{ buildroot_tag }} {{ buildroot_build.git_local_path }}/{{ buildroot_build.git_subdir }}
-  when: buildroot_git_repo.changed

roles/osbs_builder/tasks/main.yml

@@ -1,139 +0,0 @@
----
-- name: install packages required by osbs
-  yum: name={{ item }} state=installed
-  with_items:
-  - bind-utils
-  - iptables-services
-  - bridge-utils
-  - dock
-  - docker
-  - docker-registry
-
-### docker service ###
-
-- name: ensure docker is running
-  service: name=docker state=started enabled=yes
-
-- name: configure docker
-  template: src=sysconfig-docker.j2 dest=/etc/sysconfig/docker
-  register: docker_sysconfig
-
-- name: restart docker after changing configuration
-  service: name=docker state=restarted
-  when: docker_sysconfig.changed
-
-### openshift service ###
-
-# Permanent rules aren't applied immediately. Starting with ansible 1.9,
-# these two rules can be merged into one with permanent=true immediate=true.
-- name: open openshift port in the firewall
-  firewalld: port={{ openshift_port }}/tcp state=enabled permanent={{ item }}
-  with_items:
-  - true
-  - false
-  when: not behind_auth_proxy and manage_firewall
-
-- name: close openshift port in the firewall
-  firewalld: port={{ openshift_port }}/tcp state=disabled permanent={{ item }}
-  with_items:
-  - true
-  - false
-  when: behind_auth_proxy and manage_firewall
-
-- name: modifications in /etc/sysconfig/openshift
-  copy: src=sysconfig-openshift-{{ item }} dest=/etc/sysconfig/openshift-{{ item }}
-  with_items:
-  - master
-  - node
-
-- name: generate basic openshift configuration and certificates
-  command: openshift start --write-config=/etc/openshift
-  args:
-    chdir: "{{ openshift_home }}"
-    creates: /etc/openshift/node-{{ ansible_fqdn }}/node-config.yaml
-
-- name: link /etc/openshift/node to actual node directory
-  file: path=/etc/openshift/node src=/etc/openshift/node-{{ ansible_fqdn }} force=yes state=link
-
-- name: configure openshift master
-  template: src=master.yaml.j2 dest=/etc/openshift/master/master-config.yaml
-  register: openshift_master_config
-
-- name: configure openshift node
-  template: src=node.yaml.j2 dest=/etc/openshift/node/node-config.yaml
-  register: openshift_node_config
-
-- name: generate cert for authenticating proxy - self-signed certificate
-  command: >
-    openssl req -new -nodes -x509
-    -subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}"
-    -days 3650
-    -keyout {{ proxy_auth_key_file }}
-    -out {{ proxy_auth_cert_file }}
-    -extensions v3_ca
-  args:
-    creates: "{{ proxy_auth_cert_file }}"
-  when: behind_auth_proxy and proxy_auth_generate_selfsigned
-  register: auth_proxy_cert
-
-- name: generate cert for authenticating proxy - convert privkey to rsa
-  command: openssl rsa -in {{ proxy_auth_key_file }} -out {{ proxy_auth_key_file }}
-  when: auth_proxy_cert.changed
-
-- name: restart openshift master after changing configuration
-  service: name=openshift-master state=restarted
-  when: openshift_master_config.changed
-
-- name: restart openshift node after changing configuration
-  service: name=openshift-node state=restarted
-  when: openshift_node_config.changed
-
-- name: ensure openshift is running
-  service: name=openshift-{{ item }} state=started enabled=yes
-  with_items:
-  - master
-  - node
-
-- name: wait for openshift to start accepting connections
-  wait_for: port={{ openshift_port }} timeout=30
-
-# Set up authorization policy. If we are behind proxy then assign authenticated
-# users the "edit" role which can start builds and watch build logs.
-# If we are not (=debug), add both authenticated and unauthenticated users to
-# the role.
-- name: openshift auth - clear
-  command: osadm policy remove-role-from-group edit system:authenticated system:unauthenticated
-  environment: osc_environment
-  register: command_result
-  failed_when: command_result.rc != 0 and "unable to locate RoleBinding" not in command_result.stderr
-
-- name: openshift auth - make everyone cluster admin
-  command: osadm policy add-role-to-group edit system:unauthenticated system:authenticated
-  environment: osc_environment
-  when: not behind_auth_proxy
-
-- name: openshift auth - authenticated users are cluster admins
-  command: osadm policy add-role-to-group edit system:authenticated
-  environment: osc_environment
-  when: behind_auth_proxy
-
-# Useful when using "osc" to inspect openshift state.
-- name: add OPENSHIFTCONFIG to .bashrc
-  lineinfile:
-    dest: "{{ ansible_env.HOME }}/.bashrc"
-    regexp: "export OPENSHIFTCONFIG="
-    line: "export OPENSHIFTCONFIG={{ kubeconfig_path }}"
-
-### buildroot image ###
-
-- name: pull buildroot image
-  command: docker pull {{ buildroot_pull.registry }}/{{ buildroot_pull.image }}
-  register: pull_buildroot
-  when: not buildroot_from_source
-
-- name: tag buildroot image
-  command: docker tag -f {{ buildroot_pull.registry }}/{{ buildroot_pull.image }} {{ buildroot_tag }}
-  when: pull_buildroot.changed
-
-- include: buildroot_from_source.yml
-  when: buildroot_from_source

roles/osbs_builder/templates/master.yaml.j2

@@ -1,127 +0,0 @@
-apiLevels:
-- v1beta3
-- v1beta1
-- v1
-apiVersion: v1
-assetConfig:
-  logoutURL: ""
-  masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
-  publicURL: https://{{ ansible_default_ipv4.address }}:8443/console/
-  servingInfo:
-    bindAddress: 0.0.0.0:8443
-    certFile: master.server.crt
-    clientCA: ""
-    keyFile: master.server.key
-corsAllowedOrigins:
-- 127.0.0.1
-- {{ ansible_default_ipv4.address }}:8443
-- localhost
-dnsConfig:
-  bindAddress: 0.0.0.0:53
-etcdClientInfo:
-  ca: ca.crt
-  certFile: master.etcd-client.crt
-  keyFile: master.etcd-client.key
-  urls:
-  - https://{{ ansible_default_ipv4.address }}:4001
-etcdConfig:
-  address: {{ ansible_default_ipv4.address }}:4001
-  peerAddress: {{ ansible_default_ipv4.address }}:7001
-  peerServingInfo:
-    bindAddress: 0.0.0.0:7001
-    certFile: etcd.server.crt
-    clientCA: ca.crt
-    keyFile: etcd.server.key
-  servingInfo:
-    bindAddress: 0.0.0.0:4001
-    certFile: etcd.server.crt
-    clientCA: ca.crt
-    keyFile: etcd.server.key
-  storageDirectory: /var/lib/openshift/openshift.local.etcd
-etcdStorageConfig:
-  kubernetesStoragePrefix: kubernetes.io
-  kubernetesStorageVersion: v1beta3
-  openShiftStoragePrefix: openshift.io
-  openShiftStorageVersion: v1beta3
-imageConfig:
-  format: openshift/origin-${component}:${version}
-  latest: false
-kind: MasterConfig
-kubeletClientInfo:
-  ca: ca.crt
-  certFile: master.kubelet-client.crt
-  keyFile: master.kubelet-client.key
-  port: 10250
-kubernetesMasterConfig:
-  apiLevels:
-  - v1beta1
-  - v1beta2
-  - v1beta3
-  - v1
-  masterCount: 1
-  masterIP: {{ ansible_default_ipv4.address }}
-  podEvictionTimeout: 5m
-  schedulerConfigFile: ""
-  servicesSubnet: 172.30.0.0/16
-  staticNodeNames:
-  - {{ ansible_fqdn }}
-masterClients:
-  deployerKubeConfig: openshift-deployer.kubeconfig
-  externalKubernetesKubeConfig: ""
-  openshiftLoopbackKubeConfig: openshift-client.kubeconfig
-masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
-networkConfig:
-  clusterNetworkCIDR: 10.1.0.0/16
-  hostSubnetLength: 8
-  networkPluginName: ""
-oauthConfig:
-  assetPublicURL: https://{{ ansible_default_ipv4.address }}:8443/console/
-  grantConfig:
-    method: auto
-  identityProviders:
-{% if behind_auth_proxy %}
-  - name: my_request_header_provider
-    challenge: false
-    login: false
-    provider:
-      apiVersion: v1
-      kind: RequestHeaderIdentityProvider
-      clientCA: {{ proxy_auth_ca_file | default('/etc/openshift/master/ca.crt') }}
-      headers:
-      - X-Remote-User
-{% else %}
-  - challenge: true
-    login: true
-    name: anypassword
-    provider:
-      apiVersion: v1
-      kind: AllowAllPasswordIdentityProvider
-{% endif %}
-  masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
-  masterURL: https://{{ ansible_default_ipv4.address }}:8443
-  sessionConfig:
-    sessionMaxAgeSeconds: 300
-    sessionName: ssn
-    sessionSecretsFile: ""
-  tokenConfig:
-    accessTokenMaxAgeSeconds: 86400
-    authorizeTokenMaxAgeSeconds: 300
-policyConfig:
-  bootstrapPolicyFile: policy.json
-  openshiftSharedResourcesNamespace: openshift
-projectConfig:
-  defaultNodeSelector: ""
-  projectRequestMessage: ""
-  projectRequestTemplate: ""
-serviceAccountConfig:
-  managedNames:
-  - default
-  - builder
-  privateKeyFile: serviceaccounts.private.key
-  publicKeyFiles:
-  - serviceaccounts.public.key
-servingInfo:
-  bindAddress: 0.0.0.0:8443
-  certFile: master.server.crt
-  clientCA: ca.crt
-  keyFile: master.server.key

roles/osbs_builder/templates/node.yaml.j2

@@ -1,20 +0,0 @@
-allowDisabledDocker: true
-apiVersion: v1
-dnsDomain: cluster.local
-dnsIP: {{ ansible_default_ipv4.address }}
-dockerConfig:
-  execHandlerName: native
-imageConfig:
-  format: openshift/origin-${component}:${version}
-  latest: false
-kind: NodeConfig
-masterKubeConfig: node.kubeconfig
-networkPluginName: ""
-nodeName: {{ ansible_fqdn }}
-podManifestConfig: null
-servingInfo:
-  bindAddress: 0.0.0.0:10250
-  certFile: server.crt
-  clientCA: node-client-ca.crt
-  keyFile: server.key
-volumeDirectory: /var/lib/openshift/openshift.local.volumes

roles/osbs_builder/templates/sysconfig-docker.j2

@@ -1,32 +0,0 @@
-# Modify these options if you want to change the way the docker daemon runs
-OPTIONS='--selinux-enabled'
-
-DOCKER_CERT_PATH=/etc/docker
-
-# If you want to add your own registry to be used for docker search and docker pull use the
-# ADD_REGISTRY option to list a set of comma separated registries.
-# Note the last registry added will be the first regisry searched.
-ADD_REGISTRY='--add-registry registry.access.redhat.com'
-
-# If you want to block registries from being used, use the
-# BLOCK_REGISTRY option  to list a set of comma separated registries, and uncommenting
-# it. For example adding docker.io will stop users  from downloading images from docker.io
-# BLOCK_REGISTRY='--block-registry public'
-
-# If you have a registry secured with https but do not have proper certs destributed, you can
-# tell docker to not look for full authorization by adding the registry to the
-# INSECURE_REGISTRY line and uncommentin it.
-INSECURE_REGISTRY='{% if buildroot_build.base_registry_insecure %}--insecure-registry {{ buildroot_build.base_registry }}{% elif buildroot_pull.registry_insecure %}--insecure--registry {{ buildroot_pull.registry }}{% endif %}{% for r in insecure_registries %} --insecure-registry {{ r }}{% endfor %}'
-
-# On an SELinux system, if you remove the --selinux-enabled option, you
-# also need to turn on the docker_transition_unconfined boolean.
-# setsebool -P docker_transition_unconfined 1
-
-# Location used for temporary files, such as those created by
-# docker load and build operations. Default is /var/lib/docker/tmp
-# Can be overriden by setting the following environment variable.
-# DOCKER_TMPDIR=/var/tmp
-
-# Controls the /etc/cron.daily/docker-logrotate cron job status.
-# To disable, uncomment the line below.
-# LOGROTATE=false

roles/osbs_builder/vars/main.yml

@@ -1,7 +0,0 @@
----
-openshift_home: /var/lib/openshift
-kubeconfig_path: /etc/openshift/master/admin.kubeconfig
-openshift_port: 8443
-
-osc_environment:
-  OPENSHIFTCONFIG: "{{ kubeconfig_path }}"

roles/osbs_common/defaults/main.yml

@@ -1,6 +0,0 @@
----
-# set hostname of the machine
-#hostname: example.org
-
-# set to false if you don't use firewalld or do not want the playbook to modify it
-manage_firewall: true

roles/osbs_common/tasks/main.yml

@@ -1,34 +0,0 @@
----
-- name: set hostname
-  hostname: name={{ hostname }}
-  when: hostname is defined
-
-- name: install basic packages
-  yum: name={{ item }} state=installed
-  with_items:
-  - vim
-  - tmux
-  - wget
-  - git
-  - net-tools
-  - yum-utils
-  - tree
-
-- name: enable rhel7 repos
-  command: yum-config-manager --enable {{ item }}
-  with_items:
-  - rhel-7-server-optional-rpms
-  - rhel-7-server-extras-rpms
-  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
-
-- name: enable epel7
-  yum: name={{ epel7_url }} state=installed
-  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7'
-
-- name: install firewalld
-  yum: name=firewalld state=installed
-  when: manage_firewall
-
-- name: enable firewalld
-  service: name=firewalld state=started enabled=yes
-  when: manage_firewall

roles/osbs_common/vars/main.yml

@@ -1,2 +0,0 @@
----
-epel7_url: http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

roles/osbs_install_openshift_copr/defaults/main.yml

@@ -1,2 +0,0 @@
----
-openshift_version: 0.5.4

roles/osbs_install_openshift_copr/tasks/main.yml

@@ -1,9 +0,0 @@
----
-- name: copy repository file
-  template: src=mmilata-openshift.repo.j2 dest=/etc/yum.repos.d/mmilata-openshift.repo
-
-- name: install openshift
-  yum: name={{ item }} state=installed
-  with_items:
-  - openshift-master
-  - openshift-node

roles/osbs_install_openshift_copr/templates/mmilata-openshift.repo.j2

@@ -1,8 +0,0 @@
-[mmilata-openshift]
-name=Copr repo for openshift owned by mmilata
-baseurl=https://copr-be.cloud.fedoraproject.org/results/mmilata/openshift/{{ (ansible_distribution == "Fedora") | ternary("fedora", "epel") }}-{{ ansible_distribution_major_version }}-$basearch/
-skip_if_unavailable=True
-gpgcheck=1
-gpgkey=https://copr-be.cloud.fedoraproject.org/results/mmilata/openshift/pubkey.gpg
-enabled=1
-

roles/osbs_install_openshift_source/defaults/main.yml

@@ -1,5 +0,0 @@
----
-rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild"
-openshift_commit: 17a2e840914a9e2b0c2161e9f39efc22a043dec9
-openshift_archive: openshift-{{ openshift_commit }}.tar.gz
-openshift_version: 0.5.2

roles/osbs_install_openshift_source/tasks/main.yml

@@ -1,42 +0,0 @@
----
-- name: install build packages
-  yum: name={{ item }} state=installed
-  with_items:
-  - rpm-build
-  - yum-utils
-  - rpmdevtools
-
-- name: delete rpmbuild directories
-  file: path={{ rpmbuild_dir }}/{{ item }}/ state=absent
-  with_items:
-  - RPMS
-  - SRPMS
-  - BUILD
-  - BUILDROOT
-
-- name: create rpmbuild directories
-  file: path={{ rpmbuild_dir }}/{{ item }}/ state=directory recurse=yes
-  with_items:
-  - SPECS
-  - SOURCES
-
-- name: upload SPEC
-  template: src=openshift.spec.j2 dest={{ rpmbuild_dir }}/SPECS/openshift.spec
-
-- name: install build dependencies
-  command: yum-builddep -y {{ rpmbuild_dir }}/SPECS/openshift.spec
-
-- name: download openshift tarball
-  get_url:
-    url: https://github.com/openshift/origin/archive/{{ openshift_commit }}/{{ openshift_archive }}
-    dest: "{{ rpmbuild_dir }}/SOURCES/{{ openshift_archive }}"
-
-- name: run build
-  command: rpmbuild -bb --clean {{ rpmbuild_dir }}/SPECS/openshift.spec
-
-- name: find the RPMs
-  command: find {{ rpmbuild_dir }}/RPMS/ -type f
-  register: find_rpms
-
-- name: install the RPMs
-  shell: yum -y localinstall {{ rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm

roles/osbs_install_openshift_source/templates/openshift.spec.j2

@@ -1,295 +0,0 @@
-#debuginfo not supported with Go
-%global debug_package %{nil}
-%global gopath      %{_datadir}/gocode
-%global import_path github.com/openshift/origin
-%global kube_plugin_path /usr/libexec/kubernetes/kubelet-plugins/net/exec/redhat~openshift-ovs-subnet
-%global sdn_import_path github.com/openshift/openshift-sdn
-
-# %commit and %ldflags are intended to be set by tito custom builders provided
-# in the rel-eng directory. The values in this spec file will not be kept up to date.
-%{!?commit:
-%global commit {{ openshift_commit }}
-}
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
-# OpenShift specific ldflags from hack/common.sh os::build:ldflags
-%{!?ldflags:
-%global ldflags -X github.com/openshift/origin/pkg/version.majorFromGit 0 -X github.com/openshift/origin/pkg/version.minorFromGit 0+ -X github.com/openshift/origin/pkg/version.versionFromGit v{{ openshift_version }} -X github.com/openshift/origin/pkg/version.commitFromGit {{ openshift_commit | truncate(7, True, '') }} -X github.com/GoogleCloudPlatform/kubernetes/pkg/version.gitCommit 6241a21 -X github.com/GoogleCloudPlatform/kubernetes/pkg/version.gitVersion v0.11.0-330-g6241a21
-}
-
-Name:           openshift
-# Version is not kept up to date and is intended to be set by tito custom
-# builders provided in the rel-eng directory of this project
-Version:        {{ openshift_version }}
-Release:        0%{?dist}
-Summary:        Open Source Platform as a Service by Red Hat
-License:        ASL 2.0
-URL:            https://%{import_path}
-ExclusiveArch:  x86_64
-Source0:        https://%{import_path}/archive/%{commit}/%{name}-%{commit}.tar.gz
-
-BuildRequires:  systemd
-BuildRequires:  golang >= 1.2-7
-#XXX upstream has golang >= 1.4 but it's not in rhel7 (yet)
-
-
-%description
-%{summary}
-
-%package master
-Summary:        OpenShift Master
-Requires:       %{name} = %{version}-%{release}
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
-
-%description master
-%{summary}
-
-%package node
-Summary:        OpenShift Node
-Requires:       %{name} = %{version}-%{release}
-Requires:       docker-io >= 1.6.0
-Requires:       tuned-profiles-openshift-node
-Requires:       util-linux
-Requires:       socat
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
-
-%description node
-%{summary}
-
-%package -n tuned-profiles-openshift-node
-Summary:        Tuned profiles for OpenShift Node hosts
-Requires:       tuned >= 2.3
-Requires:       %{name} = %{version}-%{release}
-
-%description -n tuned-profiles-openshift-node
-%{summary}
-
-%package clients
-Summary:      Openshift Client binaries for Linux, Mac OSX, and Windows
-BuildRequires: golang-pkg-darwin-amd64
-BuildRequires: golang-pkg-windows-386
-
-%description clients
-%{summary}
-
-%package dockerregistry
-Summary:        Docker Registry v2 for OpenShift
-Requires:       %{name} = %{version}-%{release}
-
-%description dockerregistry
-%{summary}
-
-%package pod
-Summary:        OpenShift Pod
-Requires:       openshift = %{version}-%{release}
-
-%description pod
-%{summary}
-
-%prep
-%setup -qn origin-%{commit}
-
-%build
-
-# Don't judge me for this ... it's so bad.
-mkdir _build
-
-# Horrid hack because golang loves to just bundle everything
-pushd _build
-    mkdir -p src/github.com/openshift
-    ln -s $(dirs +1 -l) src/%{import_path}
-popd
-
-
-# Gaming the GOPATH to include the third party bundled libs at build
-# time. This is bad and I feel bad.
-mkdir _thirdpartyhacks
-pushd _thirdpartyhacks
-    ln -s \
-        $(dirs +1 -l)/Godeps/_workspace/src/ \
-            src
-popd
-export GOPATH=$(pwd)/_build:$(pwd)/_thirdpartyhacks:%{buildroot}%{gopath}:%{gopath}
-# Build all linux components we care about
-for cmd in openshift dockerregistry
-do
-        go install -ldflags "%{ldflags}" %{import_path}/cmd/${cmd}
-done
-
-# Build only 'openshift' for other platforms
-GOOS=windows GOARCH=386 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift
-GOOS=darwin GOARCH=amd64 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift
-
-#Build our pod
-pushd images/pod/
-    go build -ldflags "%{ldflags}" pod.go
-popd
-
-%install
-
-install -d %{buildroot}%{_bindir}
-install -d %{buildroot}%{_datadir}/%{name}/{linux,macosx,windows}
-
-# Install linux components
-for bin in openshift dockerregistry
-do
-  echo "+++ INSTALLING ${bin}"
-  install -p -m 755 _build/bin/${bin} %{buildroot}%{_bindir}/${bin}
-done
-# Install 'openshift' as client executable for windows and mac
-install -p -m 755 _build/bin/openshift %{buildroot}%{_datadir}/%{name}/linux/osc
-install -p -m 755 _build/bin/darwin_amd64/openshift %{buildroot}%{_datadir}/%{name}/macosx/osc
-install -p -m 755 _build/bin/windows_386/openshift.exe %{buildroot}%{_datadir}/%{name}/windows/osc.exe
-#Install openshift pod
-install -p -m 755 images/pod/pod %{buildroot}%{_bindir}/
-
-install -d -m 0755 %{buildroot}/etc/%{name}/{master,node}
-install -d -m 0755 %{buildroot}%{_unitdir}
-install -m 0644 -t %{buildroot}%{_unitdir} rel-eng/openshift-master.service
-install -m 0644 -t %{buildroot}%{_unitdir} rel-eng/openshift-node.service
-
-mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
-install -m 0644 rel-eng/openshift-master.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/openshift-master
-install -m 0644 rel-eng/openshift-node.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/openshift-node
-
-mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
-
-ln -s %{_bindir}/openshift %{buildroot}%{_bindir}/osc
-ln -s %{_bindir}/openshift %{buildroot}%{_bindir}/osadm
-
-install -d -m 0755 %{buildroot}%{_prefix}/lib/tuned/openshift-node-{guest,host}
-install -m 0644 tuned/openshift-node-guest/tuned.conf %{buildroot}%{_prefix}/lib/tuned/openshift-node-guest/
-install -m 0644 tuned/openshift-node-host/tuned.conf %{buildroot}%{_prefix}/lib/tuned/openshift-node-host/
-install -d -m 0755 %{buildroot}%{_mandir}/man7
-install -m 0644 tuned/man/tuned-profiles-openshift-node.7 %{buildroot}%{_mandir}/man7/tuned-profiles-openshift-node.7
-
-# Install sdn scripts for node subpackage
-install -d -m 0755 %{buildroot}%{kube_plugin_path}
-pushd _thirdpartyhacks/src/%{sdn_import_path}/ovssubnet/bin
-   install -p -m 755 openshift-ovs-subnet %{buildroot}%{kube_plugin_path}/openshift-ovs-subnet
-   install -p -m 755 openshift-sdn-kube-subnet-setup.sh %{buildroot}%{_bindir}/
-   install -p -m 755 openshift-sdn-simple-setup-node.sh %{buildroot}%{_bindir}/
-popd
-
-%files
-%defattr(-,root,root,-)
-%doc README.md LICENSE
-%{_bindir}/openshift
-%{_bindir}/osc
-%{_bindir}/osadm
-%{_sharedstatedir}/%{name}
-
-%files master
-%defattr(-,root,root,-)
-%{_unitdir}/openshift-master.service
-%config(noreplace) %{_sysconfdir}/sysconfig/openshift-master
-%config(noreplace) /etc/%{name}/master
-
-%post master
-%systemd_post %{basename:openshift-master.service}
-
-%preun master
-%systemd_preun %{basename:openshift-master.service}
-
-%postun master
-%systemd_postun
-
-
-%files node
-%defattr(-,root,root,-)
-%{_unitdir}/openshift-node.service
-%config(noreplace) %{_sysconfdir}/sysconfig/openshift-node
-%config(noreplace) /etc/%{name}/node
-%{_bindir}/openshift-sdn-simple-setup-node.sh
-%{_bindir}/openshift-sdn-kube-subnet-setup.sh
-%{kube_plugin_path}/openshift-ovs-subnet
-
-%post node
-%systemd_post %{basename:openshift-node.service}
-
-%preun node
-%systemd_preun %{basename:openshift-node.service}
-
-%postun node
-%systemd_postun
-
-%files -n tuned-profiles-openshift-node
-%defattr(-,root,root,-)
-%{_prefix}/lib/tuned/openshift-node-host
-%{_prefix}/lib/tuned/openshift-node-guest
-%{_mandir}/man7/tuned-profiles-openshift-node.7*
-
-%post -n tuned-profiles-openshift-node
-recommended=`/usr/sbin/tuned-adm recommend`
-if [[ "${recommended}" =~ guest ]] ; then
-  /usr/sbin/tuned-adm profile openshift-node-guest > /dev/null 2>&1
-else
-  /usr/sbin/tuned-adm profile openshift-node-host > /dev/null 2>&1
-fi
-
-%preun -n tuned-profiles-openshift-node
-# reset the tuned profile to the recommended profile
-# $1 = 0 when we're being removed > 0 during upgrades
-if [ "$1" = 0 ]; then
-  recommended=`/usr/sbin/tuned-adm recommend`
-  /usr/sbin/tuned-adm profile $recommended > /dev/null 2>&1
-fi
-
-%files clients
-%{_datadir}/%{name}/linux/osc
-%{_datadir}/%{name}/macosx/osc
-%{_datadir}/%{name}/windows/osc.exe
-
-%files dockerregistry
-%defattr(-,root,root,-)
-%{_bindir}/dockerregistry
-
-%files pod
-%defattr(-,root,root,-)
-%{_bindir}/pod
-
-%changelog
-* Mon Jan 26 2015 Scott Dodson <sdodson@redhat.com> 0.2-3
-- Update to 21fb40637c4e3507cca1fcab6c4d56b06950a149
-- Split packaging of openshift-master and openshift-node
-
-* Mon Jan 19 2015 Scott Dodson <sdodson@redhat.com> 0.2-2
-- new package built with tito
-
-* Fri Jan 09 2015 Adam Miller <admiller@redhat.com> - 0.2-2
-- Add symlink for osc command line tooling (merged in from jhonce@redhat.com)
-
-* Wed Jan 07 2015 Adam Miller <admiller@redhat.com> - 0.2-1
-- Update to latest upstream release
-- Restructured some of the golang deps  build setup for restructuring done
-  upstream
-
-* Thu Oct 23 2014 Adam Miller <admiller@redhat.com> - 0-0.0.9.git562842e
-- Add new patches from jhonce for systemd units
-
-* Mon Oct 20 2014 Adam Miller <admiller@redhat.com> - 0-0.0.8.git562842e
-- Update to latest master snapshot
-
-* Wed Oct 15 2014 Adam Miller <admiller@redhat.com> - 0-0.0.7.git7872f0f
-- Update to latest master snapshot
-
-* Fri Oct 03 2014 Adam Miller <admiller@redhat.com> - 0-0.0.6.gite4d4ecf
-- Update to latest Alpha nightly build tag 20141003
-
-* Wed Oct 01 2014 Adam Miller <admiller@redhat.com> - 0-0.0.5.git6d9f1a9
-- Switch to consistent naming, patch by jhonce
-
-* Tue Sep 30 2014 Adam Miller <admiller@redhat.com> - 0-0.0.4.git6d9f1a9
-- Add systemd and sysconfig entries from jhonce
-
-* Tue Sep 23 2014 Adam Miller <admiller@redhat.com> - 0-0.0.3.git6d9f1a9
-- Update to latest upstream.
-
-* Mon Sep 15 2014 Adam Miller <admiller@redhat.com> - 0-0.0.2.git2647df5
-- Update to latest upstream.
-
-* Thu Aug 14 2014 Adam Miller <admiller@redhat.com> - 0-0.0.1.gitc3839b8
-- First package

roles/osbs_kerberos_proxy/defaults/main.yml

@@ -1,43 +0,0 @@
----
-# generate self-signed certificates? useful for debugging
-ssl_generate_selfsigned: false
-
-ssl_cert_file: /etc/pki/tls/certs/{{ ansible_fqdn }}.crt
-ssl_key_file: /etc/pki/tls/private/{{ ansible_fqdn }}.key
-ssl_client_certkey_file: /etc/httpd/krbproxy_certkey.crt
-ssl_client_ca_file: /etc/httpd/krbproxy_ca.crt
-
-proxy_port: 9443
-proxy_dest_url: https://127.0.0.1:8443/
-proxy_authname: Kerberos Authentication
-
-# used for mutually authenticating the proxy and the proxied machine
-# no authentication happens when unset
-#proxy_machine_ca_file: /var/lib/openshift/openshift.local.certificates/ca/cert.crt
-#proxy_machine_cert_file: /var/lib/openshift/openshift.local.certificates/openshift-client/cert.crt
-#proxy_machine_key_file: /var/lib/openshift/openshift.local.certificates/openshift-client/key.key
-
-# if no ticket is supplied, fall back to basic authentication by login+password
-# (through kerberos)
-proxy_enable_password_login: false
-
-proxy_secrets_owner: apache
-proxy_secrets_group: root
-proxy_secrets_perms: "0600"
-
-krb_keytab_file: /etc/httpd/HTTP-{{ ansible_fqdn }}.keytab
-
-kerberos_client_realm_name: EXAMPLE.COM
-kerberos_client_kdc_hostname: kerberos
-kerberos_client_admin_hostname: kerberos
-kerberos_client_dns_lookup_realm: false
-kerberos_client_dns_lookup_kdc: false
-kerberos_client_ticket_lifetime: 24h
-kerberos_client_renew_lifetime: 7d
-kerberos_client_forwardable: true
-
-# extra verbose httpd logs?
-proxy_debug: false
-
-# set to false if you don't use firewalld or do not want the playbook to modify it
-manage_firewall: true

roles/osbs_kerberos_proxy/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: restart httpd
-  service: name=httpd state=restarted

roles/osbs_kerberos_proxy/tasks/main.yml

@@ -1,89 +0,0 @@
----
-- name: ensure required packages are installed
-  yum: name={{ item }} state=present
-  with_items:
-  # kerberos
-  - krb5-workstation
-  # httpd
-  - httpd
-  - mod_ssl
-  - mod_auth_kerb
-  # selinux
-  - policycoreutils-python
-
-# Based on https://github.com/bennojoy/kerberos_client
-# BSD licensed
-- name: configure kerberos client
-  template: src=krb5.conf.j2 dest=/etc/krb5.conf
-
-- name: generate self-signed certificate
-  command: >
-    openssl req -new -nodes -x509
-    -subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}"
-    -days 3650
-    -keyout {{ ssl_key_file }}
-    -out {{ ssl_cert_file }}
-    -extensions v3_ca
-  args:
-    creates: "{{ ssl_cert_file }}"
-  when: ssl_generate_selfsigned
-  notify:
-  - restart httpd
-
-# TODO: The private key is world readable after it is generated but before this task finishes.
-# We should use umask/private directory to protect it.
-- name: set permissions on private key
-  file:
-    path: "{{ ssl_key_file }}"
-    state: file
-    owner: "{{ proxy_secrets_owner }}"
-    group: "{{ proxy_secrets_group }}"
-    mode: "{{ proxy_secrets_perms }}"
-
-- name: create proxy client cert+key file
-  shell: cat {{ proxy_machine_cert_file }} {{ proxy_machine_key_file}} > {{ ssl_client_certkey_file }}
-  when: proxy_machine_cert_file is defined
-  register: certkey_file
-  notify:
-  - restart httpd
-
-- name: set permissions on client cert+key
-  file:
-    path: "{{ ssl_client_certkey_file }}"
-    state: file
-    owner: "{{ proxy_secrets_owner }}"
-    group: "{{ proxy_secrets_group }}"
-    mode: "{{ proxy_secrets_perms }}"
-  when: certkey_file.changed
-
-- name: copy client CA file
-  command: cp {{ proxy_machine_ca_file }} {{ ssl_client_ca_file }}
-  when: proxy_machine_ca_file is defined
-
-- name: set permissions on kerberos keytab
-  file:
-    path: "{{ krb_keytab_file }}"
-    state: file
-    owner: "{{ proxy_secrets_owner }}"
-    group: "{{ proxy_secrets_group }}"
-    mode: "{{ proxy_secrets_perms }}"
-
-- name: configure httpd
-  template: src=httpd-krbproxy.conf.j2 dest=/etc/httpd/conf.d/krbproxy.conf
-  notify:
-  - restart httpd
-
-- name: allow proxy port in selinux
-  shell: semanage port -a -t http_port_t -p tcp {{ proxy_port }} || true
-
-# Permanent rules aren't applied immediately. Starting with ansible 1.9,
-# this ugliness can be replaced with permanent=true immediate=true.
-- name: open required ports in the firewall
-  firewalld: port={{ proxy_port }}/tcp state=enabled permanent={{ item }}
-  with_items:
-  - true
-  - false
-  when: manage_firewall
-
-- name: ensure httpd is running
-  service: name=httpd state=started enabled=yes

roles/osbs_kerberos_proxy/templates/httpd-krbproxy.conf.j2

@@ -1,68 +0,0 @@
-ServerName {{ ansible_fqdn }}
-ProxyRequests Off
-Listen {{ proxy_port }}
-
-{% if proxy_debug %}
-## debugging
-## in prod we should decrease verbosity
-# DumpIOInput On
-# DumpIOOutput On
-LogLevel Debug
-# LogLevel dumpio:trace7
-{% endif %}
-
-<VirtualHost *:{{ proxy_port }}>
-    DocumentRoot /var/www/html
-
-    SSLEngine on
-    SSLCertificateFile {{ ssl_cert_file }}
-    SSLCertificateKeyFile {{ ssl_key_file }}
-
-    SSLProxyEngine On
-{% if proxy_machine_ca_file is defined %}
-    SSLProxyCACertificateFile {{ ssl_client_ca_file }}
-{% endif %}
-{% if proxy_machine_cert_file is defined %}
-    SSLProxyMachineCertificateFile {{ ssl_client_certkey_file }}
-{% endif %}
-
-    SetEnv proxy-sendchunked 1
-    ProxyRequests Off
-    <Location "/">
-        ProxyPass {{ proxy_dest_url }} connectiontimeout=30 timeout=300
-        ProxyPassReverse {{ proxy_dest_url }}
-    </Location>
-
-    # don't auth /oauth/token/request and /oauth/token/display
-    <ProxyMatch /oauth/token/.*>
-        Require all granted
-    </ProxyMatch>
-
-    # /oauth/authorize and /oauth/approve should be protected by Apache.
-    <ProxyMatch /oauth/a.*>
-        <If "-R '{{ ansible_default_ipv4.address }}' || -R '{{ docker_network }}'">
-            Require all granted
-            RequestHeader set X-Remote-User {{ ansible_hostname }}
-        </If>
-        <Else>
-            AuthType Kerberos
-            AuthName "{{ proxy_authname }}"
-            KrbMethodNegotiate on
-            KrbMethodK5Passwd {{ 'on' if proxy_enable_password_login else 'off' }}
-            KrbServiceName Any
-            KrbAuthRealms {{ kerberos_client_realm_name }}
-            Krb5Keytab {{ krb_keytab_file }}
-            Require valid-user
-            RequestHeader set X-Remote-User %{REMOTE_USER}s
-        </Else>
-        RequestHeader unset Authorization
-        RequestHeader unset WWW-Authenticate
-    </ProxyMatch>
-
-    # All other requests should use Bearer tokens.  These can only be verified by
-    # OpenShift so we need to let these requests pass through.
-    <ProxyMatch ^/oauth/>
-        SetEnvIfNoCase Authorization Bearer passthrough
-        Require env passthrough
-    </ProxyMatch>
-</VirtualHost>

roles/osbs_kerberos_proxy/templates/krb5.conf.j2

@@ -1,23 +0,0 @@
-[logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
-[libdefaults]
- default_realm = {{ kerberos_client_realm_name|upper() }}
- dns_lookup_realm = {{ kerberos_client_dns_lookup_realm }}
- dns_lookup_kdc = {{ kerberos_client_dns_lookup_kdc }}
- ticket_lifetime = {{ kerberos_client_ticket_lifetime }}
- renew_lifetime = {{ kerberos_client_renew_lifetime }}
- forwardable = {{ kerberos_client_forwardable }}
-
-[realms]
- {{ kerberos_client_realm_name|upper() }} = {
-  kdc = {{ kerberos_client_kdc_hostname }}.{{ kerberos_client_realm_name|lower() }}
-  admin_server = {{ kerberos_client_admin_hostname }}.{{ kerberos_client_realm_name|lower() }}
- }
-
-[domain_realm]
- .{{ kerberos_client_realm_name|lower() }} = {{ kerberos_client_realm_name|upper() }}
-  {{ kerberos_client_realm_name|lower() }} = {{ kerberos_client_realm_name|upper() }}
-

roles/osbs_kerberos_proxy/vars/main.yml

@@ -1,2 +0,0 @@
----
-docker_network: 172.17.42.1/16