---
## TODO: decide which of these settings belong in group_vars (shared across
## configs) rather than in this per-config file.
## Example: "subdomain_base_short" is not really needed here; if it is kept
## it should live in group_vars/all.
### A variable reference should eventually be written in the README.md;
### until then every variable is described inline in this file.

### Vars that can be removed:
# use_satellite: true
use_subscription_manager: false
use_own_repos: true

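###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYMENT
###### OR PASS as "-e" args to ansible-playbook command

### Common Host settings
repo_version: "3.11"
repo_method: file  # Other options are: file, satellite and rhn

# If using repo_method: satellite, you must set these values as well.
# satellite_url: https://satellite.example.com
# satellite_org: Sat_org_name
# satellite_activationkey: "rhel7basic"

# Do you want to run a full yum update
update_packages: false
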
## guid uniquely identifies this deployment; it is appended to every tag,
## file name and anything else that distinguishes this environment from
## another one "just like it".
guid: defaultguid

# Used to identify the stack (CloudFormation, Azure resource group, ...)
project_tag: "{{ env_type }}-{{ guid }}"

software_to_deploy: openshift
deploy_openshift: true
deploy_openshift_post: true
deploy_env_post: true

# Toggles for the optional components of this environment
install_bastion: false
install_common: true
install_nfs: true
install_glusterfs: false
install_opentlc_integration: true
install_zabbix: false
install_prometheus: false
install_ipa_client: false
install_lets_encrypt_certificates: false
install_openwhisk: false
install_metrics: false
install_logging: false
install_aws_broker: false

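glusterfs_device_name: /dev/xvdc
glusterfs_device_size: 500

ocp_report: false
remove_self_provisioners: false
# NOTE(review): the IPA CA certificate is fetched over plain HTTP, so the
# download itself is not authenticated. If the role that consumes this URL
# installs the file as a trust anchor, verify its fingerprint out of band
# or fetch it over an authenticated channel — confirm against that role.
idm_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
zabbix_host: 23.246.247.58
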
# Options for container_runtime: docker, cri-o
container_runtime: "docker"
# Docker version follows repo_version: 1.12.6 for OCP releases older than
# 3.9, 1.13.1 otherwise.
docker_version: "{{ '1.12.6' if repo_version | version_compare('3.9', '<')  else '1.13.1' }}"
docker_device: /dev/xvdb

### Key pair handling
# To have a key pair created and injected into the hosts, set
# `set_env_authorized_key` to true and put its name in `env_authorized_key`.
# You can reuse the key that created the environment ({{key_name}}) or
# supply your own self-generated key. If `use_own_key` is set to false,
# your PRIVATE key ({{key_name}}) is copied to the bastion.

use_own_key: true
env_authorized_key: "{{guid}}key"
ansible_ssh_private_key_file: "~/.ssh/{{key_name}}.pem"
set_env_authorized_key: true

# Set to true when the playbook is run from Red Hat Ansible Tower
tower_run: false

admin_user: opentlc-mgr
admin_project: "ocp-workshop"

### Azure

# By default a dedicated resourceGroup is created for this deployment
az_destroy_method: resource_group
az_resource_group: "{{ project_tag }}"

# Alternatively, if one resourceGroup is shared by all of your deployments,
# point at it and switch the destroy method:
# az_destroy_method: deployment
# az_resource_group: my-shared-resource-group
# az_storage_account_type: Premium_LRS

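### AWS EC2 Environment settings

### Route 53 Zone ID (AWS)
# The Route53 HostedZoneId in which the public DNS entries are created.
# Only needed when the CloudFormation template uses route53.
HostedZoneId: Z1TQFSYFZUAO0D
# Region used when none is given with -e on the command line
aws_region: us-east-1
# Name of the EC2 key pair whose private key is referenced by
# ansible_ssh_private_key_file (see the key pair section above); pass the
# real name with -e rather than editing this default.
key_name: "default_key_name"

## Networking (AWS)
subdomain_base_short: "{{ guid }}"
subdomain_base_suffix: ".openshift.opentlc.com"
subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}"
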
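## Environment Sizing

master_instance_type: "p2.xlarge"
master_instance_count: 1
# NOTE(review): the bastion entry in `instances` below takes its flavor from
# master_instance_type, not from bastion_instance_type — confirm which is
# intended (both currently resolve to the same value).
bastion_instance_type: "p2.xlarge"
infranode_instance_count: 0

###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYMENT
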
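## This might get removed.
# Written as an explicit empty list: a bare `env_specific_images:` parses
# as null, not as an empty list.
env_specific_images: []
#   - "registry.access.redhat.com/jboss-eap-7/eap70-openshift:latest"
#   - "registry.access.redhat.com/openshift3/jenkins-2-rhel7:latest"
#   - "registry.access.redhat.com/openshift3/jenkins-slave-maven-rhel7:latest"
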
#### Vars for the OpenShift Ansible hosts file
master_api_port: 8443
# Can also be set to "multitenant" or "networkpolicy"
ovs_plugin: "subnet"
multi_tenant_setting: "os_sdn_network_plugin_name='redhat/openshift-ovs-{{ovs_plugin}}'"
master_lb_dns: "bastion.{{subdomain_base}}"

# Certificate paths as laid out by acme.sh (/root/.acme.sh/<domain>/),
# keyed on master_lb_dns
lets_encrypt_openshift_master_named_certificates:
  - certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer"
    keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key"
    cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer"

lets_encrypt_openshift_hosted_router_certificate:
  certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer"
  keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key"
  cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer"

project_request_message: "To provision Projects you must request access in https://labs.opentlc.com or https://rhpds.redhat.com"

cloudapps_suffix: "apps.{{subdomain_base}}"
## TODO: osrelease should be registered as a variable rather than hard-coded,
## e.g. parsed out of `yum info openshift...`.
osrelease: "3.11.16"
installer_release: "3.11.16"
openshift_master_overwrite_named_certificates: true
timeout: 60

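########## OCP identity providers
# Options for install_idm: allow_all, htpasswd, ldap, ... — see
# available_identity_providers below.
# NOTE(review): the comments below describe install_idms as a list, but it
# is set to a single scalar here; confirm how the consuming role iterates it.
install_idms: allow_all
install_idm: allow_all

# Empty by default.
# Every idm named in 'install_idms' is added from the
# 'available_identity_providers' map. You can either:
#   - override the 'identity_providers' list directly, or
#   - add an entry to 'available_identity_providers' and reference it from
#     'install_idm' or the 'install_idms' list
identity_providers: []

openshift_master_ldap_ca_file: 'openshift_master_ldap_ca_file=/root/ca.crt'
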
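available_identity_providers:
  # LDAP against the OpenTLC IPA directory. The bind credential is expected
  # from outside this file (-e, vault, ...); the d('NOT_DEFINED') default is
  # presumably there so templating does not fail when ldap is not selected.
  ldap:
    name: OpenTLC IPA
    challenge: true
    login: true
    kind: LDAPPasswordIdentityProvider
    attributes:
      id: ['dn']
      email: ['mail']
      name: ['cn']
      preferredUsername: ['uid']
    bindDN: uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com
    # NOTE(review): when bindPassword is not supplied the provider is still
    # rendered with the placeholder and only fails at bind time; applying the
    # `mandatory` filter when ldap is selected would fail earlier and louder.
    bindPassword: "{{bindPassword|d('NOT_DEFINED')}}"
    ca: ipa-ca.crt
    # Keep false so the ldaps connection is verified against `ca`.
    insecure: false
    url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid

  # OpenID Connect provider at ssodev-iad00. Client id and secret follow the
  # same placeholder pattern as bindPassword above: supply them from outside
  # this file, never commit real values here.
  ssodev:
    name: ssodev-iad00
    challenge: false
    login: true
    kind: OpenIDIdentityProvider
    clientID: "{{ opentlc_ssodev_client_id|d('NOT_DEFINED') }}"
    clientSecret: "{{ opentlc_ssodev_client_secret|d('NOT_DEFINED') }}"
    ca: lets-encrypt-x3-cross-signed.pem.txt
    urls:
      authorize: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/auth
      token: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/token
      userInfo: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/userinfo
    claims:
      id:
        - sub
      preferredUsername:
        - preferred_username
      name:
        - name
      email:
        - email

  # Accepts any non-empty username/password pair: suitable for throwaway lab
  # environments only, never for one reachable by untrusted users.
  allow_all:
    name: allow_all
    # NOTE(review): quoted strings here while the other providers use bare
    # booleans — confirm the consuming template expects strings before
    # aligning them.
    login: "true"
    challenge: "true"
    kind: AllowAllPasswordIdentityProvider

  htpasswd:
    name: htpasswd_auth
    login: true
    challenge: true
    kind: HTPasswdPasswordIdentityProvider
    filename: /etc/origin/master/htpasswd
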
###### You can, but you usually wouldn't need to.
ansible_ssh_user: ec2-user
remote_user: ec2-user

# Package list consumed by the common role (presumably installed on every
# host — confirm against the role)
common_packages:
  - python
  - unzip
  - bash-completion
  - tmux
  - bind-utils
  - wget
  - ansible
  - git
  - vim-enhanced
  - at
  - sysstat
  - strace
  - net-tools
  - iptables-services
  - bridge-utils
  - kexec-tools
  - sos
  - psacct
  - iotop

# Repositories enabled on the hosts; the OSE channel follows repo_version
rhel_repos:
  - rhel-7-server-rpms
  - rhel-7-server-extras-rpms
  - rhel-7-fast-datapath-rpms
  - "rhel-7-server-ose-{{repo_version}}-rpms"

# rhn_pool_id_string: OpenShift Container Platform

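### NFS Server settings
# nfs_vg: nfsvg
# nfs_pvs: /dev/xvdd
# nfs_export_path: /srv/nfs
# nfs_size: 200
#
# nfs_shares:
#   - user-vols

# Written as an explicit empty list: a bare `ocp_pvs:` parses as null, not
# as an empty list.
ocp_pvs: []
#   - es-storage
#   - nexus
#   - nexus2
#   - nexus3

# user_vols: 200
# user_vols_size: 10Gi
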
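# Images presumably pre-pulled onto the hosts.
# NOTE(review): both images come from Docker Hub and are referenced by
# mutable tags (:latest, :v0.1), so the content pulled can change between
# runs; pin by digest (image@sha256:...) if reproducibility or supply-chain
# integrity matters for this environment.
cache_images:
  - "docker.io/caffe2ai/caffe2:latest"
  - "docker.io/mirrorgooglecontainers/cuda-vector-add:v0.1"
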
### CLOUDFORMATIONS vars

# Internal zone, with and without the trailing dot
zone_internal_dns: "{{guid}}.internal."
chomped_zone_internal_dns: "{{guid}}.internal"

cloudapps_record: "*.apps"
cloudapps_dns: "{{cloudapps_record}}.{{subdomain_base}}."

master_public_dns: "master.{{subdomain_base}}."
bastion_public_dns: "bastion.{{subdomain_base}}."
certtest_public_dns: "certtest.{{subdomain_base}}."
bastion_public_dns_chomped: "bastion.{{subdomain_base}}"
vpcid_cidr_block: "192.168.0.0/16"
vpcid_name_tag: "{{subdomain_base}}"

az_1_name: "{{ aws_region }}a"
az_2_name: "{{ aws_region }}b"

# NOTE(review): private subnet 1 sits in az_2 and private subnet 2 in az_1,
# the reverse of the public subnets — looks deliberate, but confirm.
subnet_private_1_cidr_block: "192.168.2.0/24"
subnet_private_1_az: "{{ az_2_name }}"
subnet_private_1_name_tag: "{{subdomain_base}}-private"

subnet_private_2_cidr_block: "192.168.1.0/24"
subnet_private_2_az: "{{ az_1_name }}"
subnet_private_2_name_tag: "{{subdomain_base}}-private"

subnet_public_1_cidr_block: "192.168.10.0/24"
subnet_public_1_az: "{{ az_1_name }}"
subnet_public_1_name_tag: "{{subdomain_base}}-public"

subnet_public_2_cidr_block: "192.168.20.0/24"
subnet_public_2_az: "{{ az_2_name }}"
subnet_public_2_name_tag: "{{subdomain_base}}-public"

dopt_domain_name: "{{ aws_region }}.compute.internal"

rtb_public_name_tag: "{{subdomain_base}}-public"
rtb_private_name_tag: "{{subdomain_base}}-private"

# The trailing space inside the quotes is part of the value.
cf_template_description: "{{ env_type }}-{{ guid }} template "

# Root filesystem size per instance role (units presumably GB — confirm
# against the template that consumes them)
rootfs_size_node: 50
rootfs_size_infranode: 150
rootfs_size_master: 50
rootfs_size_bastion: 20
rootfs_size_support: 20

324 instances:
325   - name: "bastion"
326     count: 1
327     unique: true
328     public_dns: true
329     dns_loadbalancer: true
330     flavor:
331       ec2: "{{master_instance_type}}"
332       azure: "{{master_instance_type}}"
333     tags:
334       - key: "AnsibleGroup"
573ee0 335         value: "bastions"
785be8 336       - key: "ostype"
EMJ 337         value: "linux"
573ee0 338     rootfs_size: "{{ rootfs_size_bastion }}"
785be8 339     rootfs_size: "{{ rootfs_size_master }}"
EMJ 340     volumes:
341       - device_name: "{{docker_device}}"
342         volume_size: "{{master_docker_size|default(docker_size)|default('20')}}"
343         volume_type: gp2
344         purpose: docker
345         lun: 0