commit | author | age
|
785be8
|
1 |
--- |
EMJ |
2 |
## TODO: What variables can we strip out of here to build complex variables? |
|
3 |
## i.e. what can we add into group_vars as opposed to config_vars? |
|
4 |
## Example: We don't really need "subdomain_base_short". If we want to use this, |
|
5 |
## should just toss in group_vars/all. |
|
6 |
### Also, we should probably just create a variable reference in the README.md |
|
7 |
### For now, just tagging comments in line with configuration file. |
|
8 |
|
|
9 |
### Vars that can be removed: |
|
10 |
# use_satellite: true |
58aa25
|
11 |
use_subscription_manager: false |
EMJ |
12 |
use_own_repos: true |
785be8
|
13 |
|
EMJ |
14 |
###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT |
|
15 |
###### OR PASS as "-e" args to ansible-playbook command |
|
16 |
|
|
17 |
### Common Host settings |
ecfb11
|
18 |
repo_version: "3.11" |
58aa25
|
19 |
repo_method: file # Other Options are: file, satellite and rhn |
785be8
|
20 |
|
EMJ |
21 |
#If using repo_method: satellite, you must set these values as well. |
|
22 |
# satellite_url: https://satellite.example.com |
|
23 |
# satellite_org: Sat_org_name |
|
24 |
# satellite_activationkey: "rhel7basic" |
|
25 |
|
|
26 |
# Do you want to run a full yum update |
573ee0
|
27 |
update_packages: false |
785be8
|
28 |
|
EMJ |
29 |
## guid is the deployment unique identifier, it will be appended to all tags, |
|
30 |
## files and anything that identifies this environment from another "just like it" |
|
31 |
guid: defaultguid |
|
32 |
|
|
33 |
# This var is used to identify stack (cloudformation, azure resourcegroup, ...) |
|
34 |
project_tag: "{{ env_type }}-{{ guid }}" |
|
35 |
|
|
36 |
software_to_deploy: openshift |
|
37 |
deploy_openshift: true |
|
38 |
deploy_openshift_post: true |
|
39 |
deploy_env_post: true |
|
40 |
|
|
41 |
install_bastion: false |
|
42 |
install_common: true |
|
43 |
install_nfs: true |
|
44 |
install_glusterfs: false |
|
45 |
install_opentlc_integration: true |
|
46 |
install_zabbix: false |
|
47 |
install_prometheus: false |
|
48 |
install_ipa_client: false |
|
49 |
install_lets_encrypt_certificates: false |
|
50 |
install_openwhisk: false |
ecfb11
|
51 |
install_metrics: false |
EMJ |
52 |
install_logging: false |
785be8
|
53 |
install_aws_broker: false |
EMJ |
54 |
|
|
55 |
glusterfs_device_name: /dev/xvdc |
|
56 |
glusterfs_device_size: 500 |
|
57 |
|
|
58 |
ocp_report: false |
|
59 |
remove_self_provisioners: false |
|
60 |
idm_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt |
|
61 |
zabbix_host: 23.246.247.58 |
|
62 |
|
|
63 |
# Options for container_runtime: docker, cri-o |
|
64 |
container_runtime: "docker" |
|
65 |
docker_version: "{{ '1.12.6' if repo_version | version_compare('3.9', '<') else '1.13.1' }}" |
|
66 |
docker_device: /dev/xvdb |
|
67 |
|
|
68 |
### If you want a Key Pair name created and injected into the hosts, |
|
69 |
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key` |
|
70 |
# you can use the key used to create the environment or use your own self generated key |
|
71 |
# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}}) |
|
72 |
|
|
73 |
use_own_key: true |
|
74 |
env_authorized_key: "{{guid}}key" |
|
75 |
ansible_ssh_private_key_file: ~/.ssh/{{key_name}}.pem |
|
76 |
set_env_authorized_key: true |
|
77 |
|
|
78 |
# Is this running from Red Hat Ansible Tower |
|
79 |
tower_run: false |
|
80 |
|
|
81 |
admin_user: opentlc-mgr |
|
82 |
admin_project: "ocp-workshop" |
|
83 |
|
|
84 |
### Azure |
|
85 |
|
|
86 |
# Create a dedicated resourceGroup for this deployment |
|
87 |
az_destroy_method: resource_group |
|
88 |
az_resource_group: "{{ project_tag }}" |
|
89 |
|
|
90 |
# you can operate differently: if you share on resourceGroup for all you deployments, |
|
91 |
# you can specify a different resourceGroup and method: |
|
92 |
#az_destroy_method: deployment |
|
93 |
#az_resource_group: my-shared-resource-group |
|
94 |
#az_storage_account_type: Premium_LRS |
|
95 |
|
|
96 |
### AWS EC2 Environment settings |
|
97 |
|
|
98 |
### Route 53 Zone ID (AWS) |
|
99 |
# This is the Route53 HostedZoneId where you will create your Public DNS entries |
|
100 |
# This only needs to be defined if your CF template uses route53 |
|
101 |
HostedZoneId: Z1TQFSYFZUAO0D |
|
102 |
# The region to be used, if not specified by -e in the command line |
|
103 |
aws_region: us-east-1 |
|
104 |
# The key that is used to |
|
105 |
key_name: "default_key_name" |
|
106 |
|
|
107 |
## Networking (AWS) |
|
108 |
subdomain_base_short: "{{ guid }}" |
|
109 |
subdomain_base_suffix: ".openshift.opentlc.com" |
|
110 |
subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}" |
|
111 |
|
|
112 |
## Environment Sizing |
|
113 |
|
573ee0
|
114 |
master_instance_type: "p2.xlarge" |
785be8
|
115 |
master_instance_count: 1 |
573ee0
|
116 |
bastion_instance_type: "p2.xlarge" |
785be8
|
117 |
infranode_instance_count: 0 |
EMJ |
118 |
|
|
119 |
###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYEMNT |
|
120 |
|
|
121 |
## This might get removed |
|
122 |
env_specific_images: |
|
123 |
# - "registry.access.redhat.com/jboss-eap-7/eap70-openshift:latest" |
|
124 |
# - "registry.access.redhat.com/openshift3/jenkins-2-rhel7:latest" |
|
125 |
# - "registry.access.redhat.com/openshift3/jenkins-slave-maven-rhel7:latest" |
|
126 |
|
|
127 |
#### Vars for the OpenShift Ansible hosts file |
|
128 |
master_api_port: 8443 |
|
129 |
ovs_plugin: "subnet" # This can also be set to: "multitenant" or "networkpolicy" |
|
130 |
multi_tenant_setting: "os_sdn_network_plugin_name='redhat/openshift-ovs-{{ovs_plugin}}'" |
573ee0
|
131 |
master_lb_dns: "bastion.{{subdomain_base}}" |
785be8
|
132 |
|
EMJ |
133 |
lets_encrypt_openshift_master_named_certificates: |
|
134 |
- certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer" |
|
135 |
keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key" |
|
136 |
cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer" |
|
137 |
|
|
138 |
lets_encrypt_openshift_hosted_router_certificate: |
|
139 |
certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer" |
|
140 |
keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key" |
|
141 |
cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer" |
|
142 |
|
|
143 |
project_request_message: 'To provision Projects you must request access in https://labs.opentlc.com or https://rhpds.redhat.com' |
|
144 |
|
|
145 |
cloudapps_suffix: 'apps.{{subdomain_base}}' |
|
146 |
## TODO: This should be registered as a variable. Awk for os verions (OCP). |
|
147 |
## yum info openshift... |
ecfb11
|
148 |
osrelease: "3.11.16" |
EMJ |
149 |
installer_release: "3.11.16" |
785be8
|
150 |
openshift_master_overwrite_named_certificates: true |
EMJ |
151 |
timeout: 60 |
|
152 |
|
|
153 |
########## OCP identity providers |
|
154 |
# Options for install_idm: allow_all, htpasswd, ldap, ... see the available below |
573ee0
|
155 |
install_idms: allow_all |
785be8
|
156 |
install_idm: allow_all |
EMJ |
157 |
|
|
158 |
# This var is empty by default. |
|
159 |
# Every idm in the list 'install_idms' will be added, using the 'available_identity_providers' map |
|
160 |
# you can: |
|
161 |
# - directly override the 'identity_providers' list |
|
162 |
# or |
|
163 |
# - add an option to 'available_identity_providers' and then |
|
164 |
# reference it in 'install_idm' or the 'install_idms' list |
|
165 |
identity_providers: [] |
|
166 |
|
|
167 |
openshift_master_ldap_ca_file: 'openshift_master_ldap_ca_file=/root/ca.crt' |
|
168 |
|
|
169 |
available_identity_providers: |
|
170 |
ldap: |
|
171 |
name: OpenTLC IPA |
|
172 |
challenge: true |
|
173 |
login: true |
|
174 |
kind: LDAPPasswordIdentityProvider |
|
175 |
attributes: |
|
176 |
id: ['dn'] |
|
177 |
email: ['mail'] |
|
178 |
name: ['cn'] |
|
179 |
preferredUsername: ['uid'] |
|
180 |
bindDN: uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com |
|
181 |
bindPassword: "{{bindPassword|d('NOT_DEFINED')}}" |
|
182 |
ca: ipa-ca.crt |
|
183 |
insecure: false |
|
184 |
url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid |
|
185 |
|
|
186 |
ssodev: |
|
187 |
name: ssodev-iad00 |
|
188 |
challenge: false |
|
189 |
login: true |
|
190 |
kind: OpenIDIdentityProvider |
|
191 |
clientID: "{{ opentlc_ssodev_client_id|d('NOT_DEFINED') }}" |
|
192 |
clientSecret: "{{ opentlc_ssodev_client_secret|d('NOT_DEFINED') }}" |
|
193 |
ca: lets-encrypt-x3-cross-signed.pem.txt |
|
194 |
urls: |
|
195 |
authorize: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/auth |
|
196 |
token: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/token |
|
197 |
userInfo: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/userinfo |
|
198 |
claims: |
|
199 |
id: |
|
200 |
- sub |
|
201 |
preferredUsername: |
|
202 |
- preferred_username |
|
203 |
name: |
|
204 |
- name |
|
205 |
email: |
|
206 |
- email |
|
207 |
|
|
208 |
allow_all: |
|
209 |
name: allow_all |
573ee0
|
210 |
login: "true" |
EMJ |
211 |
challenge: "true" |
785be8
|
212 |
kind: AllowAllPasswordIdentityProvider |
EMJ |
213 |
|
|
214 |
htpasswd: |
|
215 |
name: htpasswd_auth |
|
216 |
login: true |
|
217 |
challenge: true |
|
218 |
kind: HTPasswdPasswordIdentityProvider |
|
219 |
filename: /etc/origin/master/htpasswd |
|
220 |
|
|
221 |
###### You can, but you usually wouldn't need to. |
|
222 |
ansible_ssh_user: ec2-user |
|
223 |
remote_user: ec2-user |
|
224 |
|
|
225 |
common_packages: |
|
226 |
- python |
|
227 |
- unzip |
|
228 |
- bash-completion |
|
229 |
- tmux |
|
230 |
- bind-utils |
|
231 |
- wget |
|
232 |
- ansible |
|
233 |
- git |
|
234 |
- vim-enhanced |
|
235 |
- at |
|
236 |
- sysstat |
|
237 |
- strace |
|
238 |
- net-tools |
|
239 |
- iptables-services |
|
240 |
- bridge-utils |
|
241 |
- kexec-tools |
|
242 |
- sos |
|
243 |
- psacct |
|
244 |
- iotop |
|
245 |
|
|
246 |
rhel_repos: |
|
247 |
- rhel-7-server-rpms |
|
248 |
- rhel-7-server-extras-rpms |
|
249 |
- rhel-7-fast-datapath-rpms |
573ee0
|
250 |
- rhel-7-server-ose-{{repo_version}}-rpms |
785be8
|
251 |
|
EMJ |
252 |
# rhn_pool_id_string: OpenShift Container Platform |
|
253 |
|
|
254 |
### NFS Server settings |
|
255 |
#nfs_vg: nfsvg |
|
256 |
#nfs_pvs: /dev/xvdd |
|
257 |
#nfs_export_path: /srv/nfs |
|
258 |
#nfs_size: 200 |
|
259 |
# |
|
260 |
#nfs_shares: |
|
261 |
# - user-vols |
|
262 |
|
|
263 |
ocp_pvs: |
|
264 |
# - es-storage |
|
265 |
# - nexus |
|
266 |
# - nexus2 |
|
267 |
# - nexus3 |
|
268 |
|
|
269 |
#user_vols: 200 |
|
270 |
#user_vols_size: 10Gi |
|
271 |
|
|
272 |
cache_images: |
795ea4
|
273 |
- "docker.io/caffe2ai/caffe2:latest" |
EMJ |
274 |
- "docker.io/mirrorgooglecontainers/cuda-vector-add:v0.1" |
785be8
|
275 |
|
EMJ |
276 |
### CLOUDFORMATIONS vars |
|
277 |
|
feca86
|
278 |
|
785be8
|
279 |
zone_internal_dns: "{{guid}}.internal." |
EMJ |
280 |
chomped_zone_internal_dns: "{{guid}}.internal" |
feca86
|
281 |
|
785be8
|
282 |
cloudapps_record: '*.apps' |
EMJ |
283 |
cloudapps_dns: '{{cloudapps_record}}.{{subdomain_base}}.' |
|
284 |
|
|
285 |
master_public_dns: "master.{{subdomain_base}}." |
|
286 |
bastion_public_dns: "bastion.{{subdomain_base}}." |
|
287 |
certtest_public_dns: "certtest.{{subdomain_base}}." |
|
288 |
bastion_public_dns_chomped: "bastion.{{subdomain_base}}" |
|
289 |
vpcid_cidr_block: "192.168.0.0/16" |
|
290 |
vpcid_name_tag: "{{subdomain_base}}" |
|
291 |
|
|
292 |
az_1_name: "{{ aws_region }}a" |
|
293 |
az_2_name: "{{ aws_region }}b" |
|
294 |
|
|
295 |
subnet_private_1_cidr_block: "192.168.2.0/24" |
|
296 |
subnet_private_1_az: "{{ az_2_name }}" |
|
297 |
subnet_private_1_name_tag: "{{subdomain_base}}-private" |
|
298 |
|
|
299 |
subnet_private_2_cidr_block: "192.168.1.0/24" |
|
300 |
subnet_private_2_az: "{{ az_1_name }}" |
|
301 |
subnet_private_2_name_tag: "{{subdomain_base}}-private" |
|
302 |
|
|
303 |
subnet_public_1_cidr_block: "192.168.10.0/24" |
|
304 |
subnet_public_1_az: "{{ az_1_name }}" |
|
305 |
subnet_public_1_name_tag: "{{subdomain_base}}-public" |
|
306 |
|
|
307 |
subnet_public_2_cidr_block: "192.168.20.0/24" |
|
308 |
subnet_public_2_az: "{{ az_2_name }}" |
|
309 |
subnet_public_2_name_tag: "{{subdomain_base}}-public" |
|
310 |
|
|
311 |
dopt_domain_name: "{{ aws_region }}.compute.internal" |
|
312 |
|
|
313 |
rtb_public_name_tag: "{{subdomain_base}}-public" |
|
314 |
rtb_private_name_tag: "{{subdomain_base}}-private" |
|
315 |
|
|
316 |
cf_template_description: "{{ env_type }}-{{ guid }} template " |
|
317 |
|
|
318 |
rootfs_size_node: 50 |
|
319 |
rootfs_size_infranode: 150 |
|
320 |
rootfs_size_master: 50 |
|
321 |
rootfs_size_bastion: 20 |
|
322 |
rootfs_size_support: 20 |
|
323 |
|
|
324 |
instances: |
|
325 |
- name: "bastion" |
|
326 |
count: 1 |
|
327 |
unique: true |
|
328 |
public_dns: true |
|
329 |
dns_loadbalancer: true |
|
330 |
flavor: |
|
331 |
ec2: "{{master_instance_type}}" |
|
332 |
azure: "{{master_instance_type}}" |
|
333 |
tags: |
|
334 |
- key: "AnsibleGroup" |
573ee0
|
335 |
value: "bastions" |
785be8
|
336 |
- key: "ostype" |
EMJ |
337 |
value: "linux" |
573ee0
|
338 |
rootfs_size: "{{ rootfs_size_bastion }}" |
785be8
|
339 |
rootfs_size: "{{ rootfs_size_master }}" |
EMJ |
340 |
volumes: |
|
341 |
- device_name: "{{docker_device}}" |
|
342 |
volume_size: "{{master_docker_size|default(docker_size)|default('20')}}" |
|
343 |
volume_type: gp2 |
|
344 |
purpose: docker |
|
345 |
lun: 0 |