Merge pull request openshift#6754 from spadgett/remove-old-console-co…

…nfig

Automatic merge from submit-queue.

Remove obsolete properties from console config map

Stop writing deprecated config to the console config map.

/hold

This can't be merged until openshift/origin-web-console-server#20 merges.
Follow on to openshift#6730

.tito/packages/openshift-ansible

@@ -1 +1,5 @@
+<<<<<<< HEAD
 3.9.0-0.22.0 ./
+=======
+3.9.0-0.16.0 ./
+>>>>>>> Automatic commit of package [openshift-ansible] release [3.9.0-0.16.0].

files/origin-components/console-config.yaml

@@ -6,13 +6,10 @@ clusterInfo:
   logoutPublicURL: ""
   masterPublicURL: https://127.0.0.1:8443
   metricsPublicURL: ""
-# TODO: The new extensions properties cannot be set until
-# origin-web-console-server has been updated with the API changes since
-# `extensions` in the old asset config was an array.
-#extensions:
-#  scriptURLs: []
-#  stylesheetURLs: []
-#  properties: null
+extensions:
+  scriptURLs: []
+  stylesheetURLs: []
+  properties: null
 features:
   inactivityTimeoutMinutes: 0
 servingInfo:
@@ -24,19 +21,3 @@ servingInfo:
   maxRequestsInFlight: 0
   namedCertificates: null
   requestTimeoutSeconds: 0
-
-# START deprecated properties
-# These properties have been renamed and will be removed from the install
-# in a future pull. Keep both the old and new properties for now so that
-# the install is not broken while the origin-web-console image is updated.
-extensionDevelopment: false
-extensionProperties: null
-extensionScripts: null
-extensionStylesheets: null
-extensions: null
-loggingPublicURL: ""
-logoutURL: ""
-masterPublicURL: https://127.0.0.1:8443
-metricsPublicURL: ""
-publicURL: https://127.0.0.1:8443/console/
-# END deprecated properties

openshift-ansible.spec

@@ -10,7 +10,11 @@
 
 Name:           openshift-ansible
 Version:        3.9.0
+<<<<<<< HEAD
 Release:        0.22.0%{?dist}
+=======
+Release:        0.16.0%{?dist}
+>>>>>>> Automatic commit of package [openshift-ansible] release [3.9.0-0.16.0].
 Summary:        Openshift and Atomic Enterprise Ansible
 License:        ASL 2.0
 URL:            https://github.com/openshift/openshift-ansible
@@ -202,6 +206,7 @@ Atomic OpenShift Utilities includes
 
 
 %changelog
+<<<<<<< HEAD
 * Fri Jan 19 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.22.0
 - Fix OpenStack readme (tomas@sedovic.cz)
 - Quick installer: deprecate upgrades (vrutkovs@redhat.com)
@@ -383,6 +388,8 @@ Atomic OpenShift Utilities includes
 - Fix yaml indentation (ichavero@redhat.com)
 - Add iptables rules for flannel (ichavero@redhat.com)
 
+=======
+>>>>>>> Automatic commit of package [openshift-ansible] release [3.9.0-0.16.0].
 * Wed Jan 03 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.16.0
 - Add gluster 3.9 templates (sdodson@redhat.com)
 - Add in-tree CI scripts (mgugino@redhat.com)

roles/openshift_logging/tasks/delete_logging.yaml

@@ -138,6 +138,6 @@
     tasks_from: update_console_config.yml
   vars:
     console_config_edits:
-      - key: loggingPublicURL
+      - key: clusterInfo#loggingPublicURL
         value: ""
   when: openshift_web_console_install | default(true) | bool

roles/openshift_logging/tasks/install_logging.yaml

@@ -326,9 +326,4 @@
     console_config_edits:
     - key: clusterInfo#loggingPublicURL
       value: "https://{{ openshift_logging_kibana_hostname }}"
-    # Continue to set the old deprecated property until the
-    # origin-web-console image is updated for the new name.
-    # This will be removed in a future pull.
-    - key: loggingPublicURL
-      value: "https://{{ openshift_logging_kibana_hostname }}"
   when: openshift_web_console_install | default(true) | bool

roles/openshift_metrics/tasks/install_metrics.yaml

@@ -79,11 +79,6 @@
     console_config_edits:
       - key: clusterInfo#metricsPublicURL
         value: "https://{{ openshift_metrics_hawkular_hostname}}/hawkular/metrics"
-      # Continue to set the old deprecated property until the
-      # origin-web-console image is updated for the new name.
-      # This will be removed in a future pull.
-      - key: metricsPublicURL
-        value: "https://{{ openshift_metrics_hawkular_hostname}}/hawkular/metrics"
   when: openshift_web_console_install | default(true) | bool
 
 - command: >

roles/openshift_metrics/tasks/uninstall_metrics.yaml

@@ -26,6 +26,6 @@
     tasks_from: update_console_config.yml
   vars:
     console_config_edits:
-      - key: metricsPublicURL
+      - key: clusterInfo#metricsPublicURL
         value: ""
   when: openshift_web_console_install | default(true) | bool

roles/openshift_prometheus/defaults/main.yaml

@@ -7,6 +7,7 @@ openshift_prometheus_namespace: openshift-metrics
 # defaults hosts for routes
 openshift_prometheus_hostname: prometheus-{{openshift_prometheus_namespace}}.{{openshift_master_default_subdomain}}
 openshift_prometheus_alerts_hostname: alerts-{{openshift_prometheus_namespace}}.{{openshift_master_default_subdomain}}
+openshift_prometheus_alertmanager_hostname: alertmanager-{{openshift_prometheus_namespace}}.{{openshift_master_default_subdomain}}
 
 openshift_prometheus_node_selector: {"region":"infra"}
 

roles/openshift_prometheus/tasks/install_prometheus.yaml

@@ -9,7 +9,7 @@
     description: Prometheus
 
 # secrets
-- name: Set alert and prometheus secrets
+- name: Set alert, alertmanager and prometheus secrets
   oc_secret:
     state: present
     name: "{{ item }}-proxy"
@@ -20,6 +20,7 @@
   with_items:
     - prometheus
     - alerts
+    - alertmanager
 
 # serviceaccount
 - name: create prometheus serviceaccount
@@ -43,6 +44,7 @@
     serviceaccount prometheus
     serviceaccounts.openshift.io/oauth-redirectreference.prom='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus"}}'
     serviceaccounts.openshift.io/oauth-redirectreference.alerts='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"alerts"}}'
+    serviceaccounts.openshift.io/oauth-redirectreference.alertmanager='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"alertmanager"}}'
 
 
 # create clusterrolebinding for prometheus serviceaccount
@@ -54,9 +56,8 @@
     resource_name: cluster-reader
     user: "system:serviceaccount:{{ openshift_prometheus_namespace }}:prometheus"
 
-# create prometheus and alerts services
-# TODO join into 1 task with loop
-- name: Create prometheus service
+# create prometheus and alerts, alertmanager services
+- name: Create prometheus services
   oc_service:
     state: present
     name: "{{ item.name }}"
@@ -69,28 +70,12 @@
       #    annotations:
       #      service.alpha.openshift.io/serving-cert-secret-name: "{{item.name}}-tls"
     ports:
-      - port: 443
-        targetPort: 8443
+      - port: "{{ item.port }}"
+        targetPort: "{{ item.targetPort }}"
   with_items:
-    - name: prometheus
-
-- name: Create alerts service
-  oc_service:
-    state: present
-    name: "{{ item.name }}"
-    namespace: "{{ openshift_prometheus_namespace }}"
-    selector:
-      app: prometheus
-    labels:
-      name: "{{ item.name }}"
-      #    TODO add annotations when supported
-      #    annotations:
-      #      service.alpha.openshift.io/serving-cert-secret-name: "{{item.name}}-tls"
-    ports:
-      - port: 443
-        targetPort: 9443
-  with_items:
-    - name: alerts
+    - { name: 'prometheus', targetPort: '8443', port: '443' }
+    - { name: 'alerts', targetPort: '9443', port: '443' }
+    - { name: 'alertmanager', targetPort: '10443', port: '443' }
 
 
 # Annotate services with secret name
@@ -108,6 +93,11 @@
     {{ openshift_client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
     service alerts 'service.alpha.openshift.io/serving-cert-secret-name=prometheus-alerts-tls'
 
+- name: annotate alertmanager service
+  command: >
+    {{ openshift_client_binary }} annotate --overwrite -n {{ openshift_prometheus_namespace }}
+    service alerts 'service.alpha.openshift.io/serving-cert-secret-name=alertmanager-tls'
+
 # create prometheus and alerts routes
 - name: create prometheus and alerts routes
   oc_route:
@@ -118,10 +108,9 @@
     service_name: "{{ item.name }}"
     tls_termination: reencrypt
   with_items:
-    - name: prometheus
-      host: "{{ openshift_prometheus_hostname }}"
-    - name: alerts
-      host: "{{ openshift_prometheus_alerts_hostname }}"
+    - { name: prometheus, host: "{{ openshift_prometheus_hostname }}" }
+    - { name: alerts, host: "{{ openshift_prometheus_alerts_hostname }}" }
+    - { name: alertmanager, host: "{{ openshift_prometheus_alertmanager_hostname }}" }
 
 # Storage
 - name: create prometheus pvc

roles/openshift_prometheus/templates/alertmanager.yml.j2

@@ -4,17 +4,15 @@ global:
 route:
   # default route if none match
   receiver: alert-buffer-wh
-
   # The labels by which incoming alerts are grouped together. For example,
   # multiple alerts coming in for cluster=A and alertname=LatencyHigh would
   # be batched into a single group.
   # TODO:
   group_by: []
-
   # All the above attributes are inherited by all child routes and can
   # overwritten on each.
-
 receivers:
 - name: alert-buffer-wh
   webhook_configs:
   - url: http://localhost:9099/topics/alerts
+

roles/openshift_prometheus/templates/prometheus.j2

@@ -67,9 +67,9 @@ spec:
         - -skip-auth-regex=^/metrics
         volumeMounts:
         - mountPath: /etc/tls/private
-          name: prometheus-tls
+          name: prometheus-tls-secret
         - mountPath: /etc/proxy/secrets
-          name: prometheus-secrets
+          name: prometheus-proxy-secret
         - mountPath: /prometheus
           name: prometheus-data
 
@@ -143,9 +143,9 @@ spec:
         - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
         volumeMounts:
         - mountPath: /etc/tls/private
-          name: alerts-tls
+          name: prometheus-alerts-tls-secret
         - mountPath: /etc/proxy/secrets
-          name: alerts-secrets
+          name: prometheus-alerts-proxy-secrets
 
       - name: alert-buffer
         args:
@@ -169,11 +169,39 @@ spec:
 {% endif %}
         volumeMounts:
         - mountPath: /alert-buffer
-          name: alert-buffer-data
+          name: alerts-data
         ports:
         - containerPort: 9099
           name: alert-buf
 
+      - name: alertmanager-proxy
+        image: "{{ l_openshift_prometheus_proxy_image_prefix }}oauth-proxy:{{ l_openshift_prometheus_proxy_image_version }}"
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 10443
+          name: web
+        args:
+        - -provider=openshift
+        - -https-address=:10443
+        - -http-address=
+        - -email-domain=*
+        - -upstream=http://localhost:9093
+        - -client-id=system:serviceaccount:${NAMESPACE}:prometheus
+        - -openshift-ca=/etc/pki/tls/cert.pem
+        - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        - '-openshift-sar={"resource": "namespaces", "verb": "get", "resourceName": "${NAMESPACE}", "namespace": "${NAMESPACE}"}'
+        - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get", "resourceName": "${NAMESPACE}", "namespace": "${NAMESPACE}"}}'
+        - -tls-cert=/etc/tls/private/tls.crt
+        - -tls-key=/etc/tls/private/tls.key
+        - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+        - -cookie-secret-file=/etc/proxy/secrets/session_secret
+        - -skip-auth-regex=^/metrics
+        volumeMounts:
+        - mountPath: /etc/tls/private
+          name: alertmanager-tls-secret
+        - mountPath: /etc/proxy/secrets
+          name: alertmanager-proxy-secret
+
       - name: alertmanager
         args:
         - -config.file=/etc/alertmanager/alertmanager.yml
@@ -205,14 +233,15 @@ spec:
 
       restartPolicy: Always
       volumes:
+
       - name: prometheus-config
         configMap:
           defaultMode: 420
           name: prometheus
-      - name: prometheus-secrets
+      - name: prometheus-proxy-secrets
         secret:
           secretName: prometheus-proxy
-      - name: prometheus-tls
+      - name: prometheus-tls-secret
         secret:
           secretName: prometheus-tls
       - name: prometheus-data
@@ -225,21 +254,27 @@ spec:
       - name: alertmanager-config
         configMap:
           defaultMode: 420
-          name: prometheus-alerts
-      - name: alerts-secrets
+          name: alertmanager
+      - name: alertmanager-tls-secret
+        secret:
+          secretName: alertmanager-tls  
+      - name: alertmanager-proxy-secret
+        secret:
+          secretName: alertmanager-proxy 
+      - name: alerts-proxy-secrets
         secret:
           secretName: alerts-proxy
-      - name: alerts-tls
+      - name: alerts-tls-secret
         secret:
-          secretName: prometheus-alerts-tls
+          secretName: alerts-tls
       - name: alertmanager-data
 {% if openshift_prometheus_alertmanager_storage_type == 'pvc' %}
         persistentVolumeClaim:
           claimName: {{ openshift_prometheus_alertmanager_pvc_name }}
 {% else %}
         emptydir: {}
 {% endif %}
-      - name: alert-buffer-data
+      - name: alerts-data
 {% if openshift_prometheus_alertbuffer_storage_type == 'pvc' %}
         persistentVolumeClaim:
           claimName: {{ openshift_prometheus_alertbuffer_pvc_name }}

roles/openshift_prometheus/templates/prometheus.rules.j2

@@ -2,3 +2,9 @@ groups:
 - name: example-rules
   interval: 30s # defaults to global interval
   rules:
+  - alert: Node Down
+    expr: up{job="kubernetes-nodes"} == 0
+    annotations:
+      miqTarget: "ContainerNode"
+      severity: "HIGH"
+      message: "{{$labels.instance}} is down"

roles/openshift_web_console/defaults/main.yml

@@ -1,3 +1,2 @@
 ---
-# TODO: This is temporary and will be updated to use taints and tolerations so that the console runs on the masters
-openshift_web_console_nodeselector: {"region":"infra"}
+openshift_web_console_nodeselector: "{{ openshift_hosted_infra_selector | default('region=infra') | map_from_pairs }}"