Merge openshift/installer 4.1.0 rc.5

data/data/bootstrap/files/usr/local/bin/approve-csr.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+KUBECONFIG="${1}"
+
+echo "Approving all CSR requests until bootstrapping is complete..."
+while [ ! -f /opt/openshift/bootkube.done ]
+do
+    oc --config="$KUBECONFIG" get csr --no-headers | grep Pending | \
+        awk '{print $1}' | \
+        xargs --no-run-if-empty oc --config="$KUBECONFIG" adm certificate approve
+	sleep 20
+done

data/data/bootstrap/files/usr/local/bin/installer-gather.sh

@@ -4,7 +4,7 @@ ARTIFACTS="/tmp/artifacts"
 
 echo "Gathering bootstrap journals ..."
 mkdir -p "${ARTIFACTS}/bootstrap/journals"
-for service in bootkube openshift kubelet crio
+for service in bootkube openshift kubelet crio approve-csr
 do
     journalctl --boot --no-pager --output=short --unit="${service}" > "${ARTIFACTS}/bootstrap/journals/${service}.log"
 done
@@ -14,8 +14,8 @@ mkdir -p "${ARTIFACTS}/bootstrap/containers"
 sudo crictl ps --all --quiet | while read -r container
 do
     container_name="$(sudo crictl ps -a --id "${container}" -v | grep -oP "Name: \\K(.*)")"
-    sudo crictl logs "${container}" >& "${ARTIFACTS}/bootstrap/containers/${container_name}.log"
-    sudo crictl inspect "${container}" >& "${ARTIFACTS}/bootstrap/containers/${container_name}.inspect"
+    sudo crictl logs "${container}" >& "${ARTIFACTS}/bootstrap/containers/${container_name}-${container}.log"
+    sudo crictl inspect "${container}" >& "${ARTIFACTS}/bootstrap/containers/${container_name}-${container}.inspect"
 done
 mkdir -p "${ARTIFACTS}/bootstrap/pods"
 sudo podman ps --all --quiet | while read -r container
@@ -26,7 +26,9 @@ done
 
 echo "Gathering rendered assets..."
 mkdir -p "${ARTIFACTS}/rendered-assets"
-cp -r /var/opt/openshift/ "${ARTIFACTS}/rendered-assets"
+sudo cp -r /var/opt/openshift/ "${ARTIFACTS}/rendered-assets"
+sudo chown -R "${USER}":"${USER}" "${ARTIFACTS}/rendered-assets"
+sudo find "${ARTIFACTS}/rendered-assets" -type d -print0 | xargs -0 sudo chmod u+x
 # remove sensitive information
 # TODO leave tls.crt inside of secret yaml files
 find "${ARTIFACTS}/rendered-assets" -name "*secret*" -print0 | xargs -0 rm
@@ -107,10 +109,10 @@ mapfile -t MASTERS < "${ARTIFACTS}/resources/masters.list"
 for master in "${MASTERS[@]}"
 do
   echo "Collecting info from ${master}"
-  scp -o PreferredAuthentications=publickey -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null /usr/local/bin/installer-masters-gather.sh "core@${master}:"
+  scp -o PreferredAuthentications=publickey -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null -q /usr/local/bin/installer-masters-gather.sh "core@${master}:"
   mkdir -p "${ARTIFACTS}/control-plane/${master}"
   ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null "core@${master}" -C 'sudo ./installer-masters-gather.sh' </dev/null
-  ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null "core@${master}" -C 'sudo tar c -C /tmp/artifacts/ .' </dev/null | tar -x -C "${ARTIFACTS}/control-plane/${master}/"
+  scp -o PreferredAuthentications=publickey -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null -r -q "core@${master}:/tmp/artifacts/*" "${ARTIFACTS}/control-plane/${master}/"
 done
 tar cz -C /tmp/artifacts . > ~/log-bundle.tar.gz
 echo "Log bundle written to ~/log-bundle.tar.gz"

data/data/bootstrap/files/usr/local/bin/installer-masters-gather.sh

@@ -15,8 +15,8 @@ mkdir -p "${ARTIFACTS}/containers"
 for container in $(crictl ps --all --quiet)
 do
     container_name=$(crictl ps -a --id "${container}" -v | grep -oP "Name: \\K(.*)")
-    crictl logs "${container}" >& "${ARTIFACTS}/containers/${container_name}.log"
-    crictl inspect "${container}" >& "${ARTIFACTS}/containers/${container_name}.inspect"
+    crictl logs "${container}" >& "${ARTIFACTS}/containers/${container_name}-${container}.log"
+    crictl inspect "${container}" >& "${ARTIFACTS}/containers/${container_name}-${container}.inspect"
 done
 for container in $(podman ps --all --quiet)
 do

data/data/bootstrap/systemd/units/approve-csr.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Approve CSRs during bootstrap phase
+Wants=bootkube.service
+After=bootkube.service
+
+[Service]
+ExecStart=/usr/local/bin/approve-csr.sh /opt/openshift/auth/kubeconfig
+
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

images/openstack/Dockerfile.ci

@@ -7,7 +7,8 @@ RUN hack/build.sh
 
 FROM registry.svc.ci.openshift.org/origin/4.1:base
 COPY --from=builder /go/src/github.com/openshift/installer/bin/openshift-install /bin/openshift-install
-COPY --from=builder images/openstack/rdo-stein.repo /etc/yum.repos.d/rdo-stein.repo
+COPY --from=builder /go/src/github.com/openshift/installer/images/openstack/rdo-stein.repo /etc/yum.repos.d/rdo-stein.repo
+COPY --from=builder /go/src/github.com/openshift/installer/images/openstack/rdo-stein.gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
 COPY --from=registry.svc.ci.openshift.org/openshift/origin-v4.0:cli /usr/bin/oc /bin/oc
 
 RUN yum install --setopt=tsflags=nodocs -y \

images/openstack/rdo-stein.gpg

@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFVWcCcBCACfm3eQ0526/I0/p7HpR0NjK7K307XHhnbcbZv1sDUjQABDaqh0
+N4gnZcovf+3fj6pcdOmeOpGI0cKE7Fh68RbEIqyjB7l7+j1grjewR0oCFFZ38KGm
+j+DWQrj1IJW7JU5fH/G0Cu66ix+dJPcuTB3PJTqXN3ce+4TuG09D+epgwfbHlqaT
+pH2qHCu2uiGj/AaRSM/ZZzcInMaeleHSB+NChvaQ0W/m+kK5d/20d7sfkaTfI/pY
+SrodCfVTYxfKAd0TLW03kimHs5/Rdz+iZWecVKv6aFxzaywbrOjmOsy2q0kEWIwX
+MTZrq6cBRRuWyiXsI2zT2YHQ4UK44IxINiaJABEBAAG0WkNlbnRPUyBDbG91ZCBT
+SUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVyZXN0R3JvdXAv
+Q2xvdWQpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUCVVZwJwIbAwcL
+CQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPm5/ud2RCnmATUH/3HDtWxpFkmy
+FiA3VGkMt5dp3bgCRSd84X6Orfx1LARowpI4LomCGglGBGXVJePBacwcclorbLaz
+uWrW/wU0efz0aDB5c4NPg/yXfNvujvlda8ADJwZXVBQphzvaIKwl4PqBsEnxC10I
+93T/0iyphAhfMRJ5R8AbEHMj7uF+TWTX/JoyQagllMqWTwoP4DFRutPdOmmjwvSV
+kWItH7hq6z9+M4dhlqeoOvPbL5oCxX7TVmLck02Q5gI4syULOa7sqntzUQKFkhWp
+9U0+5KrBQBKezrurrrkq/WZR3WNE1KQfNQ77f7S2JcXJdOaKgJ7xe7Y2flPq98Aq
+wKXK7l1c3dc=
+=W6yF
+-----END PGP PUBLIC KEY BLOCK-----

images/openstack/rdo-stein.repo

@@ -2,5 +2,6 @@
 name=OpenStack Stein Repository
 baseurl=http://mirror.centos.org/centos/7/cloud/$basearch/openstack-stein/
 #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=cloud-openstack-stein
-gpgcheck=0
+gpgcheck=1
 enabled=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud

pkg/asset/ignition/bootstrap/bootstrap.go

@@ -250,6 +250,7 @@ func (a *Bootstrap) addSystemdUnits(uri string, templateData *bootstrapTemplateD
 		"keepalived.service":              {},
 		"coredns.service":                 {},
 		"systemd-journal-gatewayd.socket": {},
+		"approve-csr.service":             {},
 	}
 
 	directory, err := data.Assets.Open(uri)

pkg/asset/tls/apiserver.go

@@ -293,6 +293,9 @@ func (a *KubeAPIServerServiceNetworkServerCertKey) Generate(dependencies asset.P
 			"kubernetes", "kubernetes.default",
 			"kubernetes.default.svc",
 			"kubernetes.default.svc.cluster.local",
+			"openshift", "openshift.default",
+			"openshift.default.svc",
+			"openshift.default.svc.cluster.local",
 		},
 		IPAddresses: []net.IP{net.ParseIP(serviceAddress)},
 	}

pkg/destroy/openstack/openstack_deprovision.go

@@ -329,51 +329,61 @@ func deleteRouters(opts *clientconfig.ClientOpts, filter Filter, logger logrus.F
 		os.Exit(1)
 	}
 	for _, router := range allRouters {
-		// Get non HA router interface ports
-		portListOpts := ports.ListOpts{
-			DeviceID:    router.ID,
-			DeviceOwner: "network:router_interface",
+		// If a user provisioned floating ip was used, it needs to be dissociated
+		// Any floating Ip's associated with routers that are going to be deleted will be dissociated
+		fipOpts := floatingips.ListOpts{
+			RouterID: router.ID,
 		}
-		allPagesPort, err := ports.List(conn, portListOpts).AllPages()
+
+		fipPages, err := floatingips.List(conn, fipOpts).AllPages()
 		if err != nil {
 			logger.Fatalf("%v", err)
 			os.Exit(1)
 		}
-		allPorts, err := ports.ExtractPorts(allPagesPort)
+
+		allFIPs, err := floatingips.ExtractFloatingIPs(fipPages)
 		if err != nil {
 			logger.Fatalf("%v", err)
 			os.Exit(1)
 		}
 
-		// Get HA router interface ports
-		HAportListOpts := ports.ListOpts{
-			DeviceID:    router.ID,
-			DeviceOwner: "network:ha_router_replicated_interface",
+		for _, fip := range allFIPs {
+			_, err := floatingips.Update(conn, fip.ID, floatingips.UpdateOpts{}).Extract()
+			if err != nil {
+				logger.Fatalf("%v", err)
+			}
+		}
+
+		// Get router interface ports
+		portListOpts := ports.ListOpts{
+			DeviceID: router.ID,
 		}
-		HAallPagesPort, err := ports.List(conn, HAportListOpts).AllPages()
+		allPagesPort, err := ports.List(conn, portListOpts).AllPages()
 		if err != nil {
 			logger.Fatalf("%v", err)
 			os.Exit(1)
 		}
-		HAPorts, err := ports.ExtractPorts(HAallPagesPort)
+		allPorts, err := ports.ExtractPorts(allPagesPort)
 		if err != nil {
 			logger.Fatalf("%v", err)
 			os.Exit(1)
 		}
 
-		// Catch all, since router may not be HA
-		allPorts = append(allPorts, HAPorts...)
-
+		// map to keep track of whethere interface for subnet was already removed
+		removedSubnets := make(map[string]bool)
 		for _, port := range allPorts {
 			for _, IP := range port.FixedIPs {
-				removeOpts := routers.RemoveInterfaceOpts{
-					SubnetID: IP.SubnetID,
-				}
-				logger.Debugf("Removing Subnet %v from Router %v\n", IP.SubnetID, router.ID)
-				_, err = routers.RemoveInterface(conn, router.ID, removeOpts).Extract()
-				if err != nil {
-					// This can fail when subnet is still in use
-					return false, nil
+				if !removedSubnets[IP.SubnetID] {
+					removeOpts := routers.RemoveInterfaceOpts{
+						SubnetID: IP.SubnetID,
+					}
+					logger.Debugf("Removing Subnet %v from Router %v\n", IP.SubnetID, router.ID)
+					_, err = routers.RemoveInterface(conn, router.ID, removeOpts).Extract()
+					if err != nil {
+						// This can fail when subnet is still in use
+						return false, nil
+					}
+					removedSubnets[IP.SubnetID] = true
 				}
 			}
 		}

upi/metal/README.md

@@ -16,7 +16,7 @@ Setup `default` AWS cli profile on the host that will run the example terraform
 
 ### Packet
 
-Setup a Project in Packet.net that will be used to deploy servers, for example using this [guide](packet-deploy-server)
+Setup a Project in Packet.net that will be used to deploy servers, for example using this [guide][packet-deploy-server]
 
 Setup API keys for your Project in Packet.net using this [guide][packet-api-keys]