commit | author | age
|
e2d605
|
1 |
--- |
S |
2 |
## TODO: What variables can we strip out of here to build complex variables? |
|
3 |
## i.e. what can we add into group_vars as opposed to config_vars? |
|
4 |
## Example: We don't really need "subdomain_base_short". If we want to use this, |
|
5 |
## should just toss in group_vars/all. |
|
6 |
### Also, we should probably just create a variable reference in the README.md |
|
7 |
### For now, just tagging comments in line with configuration file. |
|
8 |
|
|
9 |
### Vars that can be removed: |
|
10 |
# use_satellite: true |
|
11 |
# use_subscription_manager: false |
|
12 |
# use_own_repos: false |
|
13 |
|
|
14 |
###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT |
|
15 |
###### OR PASS as "-e" args to ansible-playbook command |
|
16 |
|
|
17 |
### Common Host settings |
|
18 |
repo_version: "3.9" |
|
19 |
repo_method: file # Other Options are: file, satellite and rhn |
|
20 |
|
|
21 |
#If using repo_method: satellite, you must set these values as well. |
|
22 |
# satellite_url: https://satellite.example.com |
|
23 |
# satellite_org: Sat_org_name |
|
24 |
# satellite_activationkey: "rhel7basic" |
|
25 |
|
|
26 |
# Do you want to run a full yum update |
|
27 |
update_packages: true |
|
28 |
|
|
29 |
## guid is the deployment unique identifier, it will be appended to all tags, |
|
30 |
## files and anything that identifies this environment from another "just like it" |
|
31 |
guid: defaultguid |
|
32 |
|
|
33 |
# This var is used to identify stack (cloudformation, azure resourcegroup, ...) |
|
34 |
project_tag: "{{ env_type }}-{{ guid }}" |
|
35 |
|
|
36 |
software_to_deploy: openshift |
|
37 |
deploy_openshift: true |
|
38 |
deploy_openshift_post: true |
|
39 |
deploy_env_post: true |
|
40 |
|
|
41 |
install_bastion: true |
|
42 |
install_common: true |
|
43 |
install_nfs: true |
|
44 |
install_glusterfs: false |
|
45 |
install_opentlc_integration: true |
|
46 |
install_zabbix: false |
|
47 |
install_prometheus: false |
|
48 |
install_ipa_client: false |
|
49 |
install_openwhisk: false |
|
50 |
install_metrics: true |
|
51 |
install_logging: true |
|
52 |
install_aws_broker: false |
|
53 |
install_nexus: true |
|
54 |
install_openshiftapb: false |
|
55 |
install_maistra: false |
|
56 |
install_lets_encrypt_certificates: false |
11275f
|
57 |
ocp-client-vm: true |
e2d605
|
58 |
# Set the next variable to false to run tests. This prevents hitting the |
S |
59 |
# rate limiter of Let's Encrypt when requesting lots of certificates |
|
60 |
# Set to true for "real" certificates |
|
61 |
lets_encrypt_production: true |
|
62 |
|
|
63 |
glusterfs_device_name: /dev/xvdc |
|
64 |
glusterfs_device_size: 1500 |
|
65 |
|
|
66 |
ocp_report: false |
|
67 |
remove_self_provisioners: false |
|
68 |
idm_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt |
|
69 |
zabbix_host: 23.246.247.58 |
|
70 |
|
|
71 |
# Options for container_runtime: docker, cri-o |
|
72 |
container_runtime: "docker" |
|
73 |
docker_version: "{{ '1.12.6' if repo_version | version_compare('3.9', '<') else '1.13.1' }}" |
|
74 |
docker_device: /dev/xvdb |
|
75 |
|
|
76 |
### If you want a Key Pair name created and injected into the hosts, |
|
77 |
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key` |
|
78 |
# you can use the key used to create the environment or use your own self generated key |
|
79 |
# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}}) |
|
80 |
|
|
81 |
use_own_key: true |
|
82 |
env_authorized_key: "{{guid}}key" |
|
83 |
ansible_ssh_private_key_file: ~/.ssh/{{key_name}}.pem |
|
84 |
set_env_authorized_key: true |
|
85 |
|
|
86 |
# Is this running from Red Hat Ansible Tower |
|
87 |
tower_run: false |
|
88 |
|
|
89 |
admin_user: opentlc-mgr |
|
90 |
admin_project: "ocp-workshop" |
|
91 |
|
|
92 |
# UI Customizations |
|
93 |
enable_workshops_catalog: false |
|
94 |
|
11275f
|
95 |
### Azure |
e2d605
|
96 |
|
S |
97 |
# Create a dedicated resourceGroup for this deployment |
|
98 |
az_destroy_method: resource_group |
|
99 |
az_resource_group: "{{ project_tag }}" |
|
100 |
|
|
101 |
# you can operate differently: if you share on resourceGroup for all you deployments, |
|
102 |
# you can specify a different resourceGroup and method: |
|
103 |
#az_destroy_method: deployment |
|
104 |
#az_resource_group: my-shared-resource-group |
|
105 |
#az_storage_account_type: Premium_LRS |
|
106 |
|
|
107 |
### AWS EC2 Environment settings |
|
108 |
|
|
109 |
### Route 53 Zone ID (AWS) |
|
110 |
# This is the Route53 HostedZoneId where you will create your Public DNS entries |
|
111 |
# This only needs to be defined if your CF template uses route53 |
|
112 |
HostedZoneId: Z1TQFSYFZUAO0D |
|
113 |
# The region to be used, if not specified by -e in the command line |
|
114 |
aws_region: us-east-1 |
|
115 |
# The key that is used to |
|
116 |
key_name: "default_key_name" |
|
117 |
|
|
118 |
## Networking (AWS) |
|
119 |
subdomain_base_short: "{{ guid }}" |
|
120 |
subdomain_base_suffix: ".openshift.opentlc.com" |
|
121 |
subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}" |
|
122 |
|
|
123 |
## Environment Sizing |
|
124 |
|
|
125 |
bastion_instance_type: "t2.large" |
|
126 |
master_instance_type: "m4.4xlarge" |
|
127 |
etcd_instance_type: "{{master_instance_type}}" |
|
128 |
infranode_instance_type: "m4.4xlarge" |
|
129 |
node_instance_type: "m4.4xlarge" |
|
130 |
support_instance_type: "c4.xlarge" |
|
131 |
|
|
132 |
node_instance_count: 5 |
|
133 |
infranode_instance_count: 1 |
|
134 |
master_instance_count: 1 |
|
135 |
support_instance_count: "{{ 3 if install_glusterfs|bool else 1 }}" |
|
136 |
# scaleup |
|
137 |
new_node_instance_count: 0 |
|
138 |
|
|
139 |
###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYEMNT |
|
140 |
|
|
141 |
## This might get removed |
|
142 |
env_specific_images: |
|
143 |
# - "registry.access.redhat.com/jboss-eap-7/eap70-openshift:latest" |
|
144 |
# - "registry.access.redhat.com/openshift3/jenkins-2-rhel7:latest" |
|
145 |
# - "registry.access.redhat.com/openshift3/jenkins-slave-maven-rhel7:latest" |
|
146 |
|
|
147 |
#### Vars for the OpenShift Ansible hosts file |
|
148 |
master_api_port: 443 |
|
149 |
ovs_plugin: "subnet" # This can also be set to: "multitenant" or "networkpolicy" |
|
150 |
multi_tenant_setting: "os_sdn_network_plugin_name='redhat/openshift-ovs-{{ovs_plugin}}'" |
|
151 |
master_lb_dns: "master.{{subdomain_base}}" |
|
152 |
|
|
153 |
lets_encrypt_openshift_master_named_certificates: |
|
154 |
- certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer" |
|
155 |
keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key" |
|
156 |
cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer" |
|
157 |
|
|
158 |
lets_encrypt_openshift_hosted_router_certificate: |
|
159 |
certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer" |
|
160 |
keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key" |
|
161 |
cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer" |
|
162 |
|
|
163 |
project_request_message: 'To provision Projects you must request access in https://labs.opentlc.com or https://rhpds.redhat.com' |
|
164 |
|
|
165 |
cloudapps_suffix: 'apps.{{subdomain_base}}' |
|
166 |
## TODO: This should be registered as a variable. Awk for os verions (OCP). |
|
167 |
## yum info openshift... |
|
168 |
osrelease: 3.9.30 |
|
169 |
openshift_master_overwrite_named_certificates: true |
|
170 |
timeout: 60 |
|
171 |
|
|
172 |
########## OCP identity providers |
|
173 |
# Options for install_idm: allow_all, htpasswd, ldap, ... see the available below |
|
174 |
install_idm: ldap |
|
175 |
|
|
176 |
# if you want to install several identity providers, just pick from the |
|
177 |
# available_identity_providers list: |
|
178 |
install_idms: |
|
179 |
- "{{ install_idm }}" |
|
180 |
|
|
181 |
# This var is empty by default. |
|
182 |
# Every idm in the list 'install_idms' will be added, using the 'available_identity_providers' map |
|
183 |
# you can: |
|
184 |
# - directly override the 'identity_providers' list |
|
185 |
# or |
|
186 |
# - add an option to 'available_identity_providers' and then |
|
187 |
# reference it in 'install_idm' or the 'install_idms' list |
|
188 |
identity_providers: [] |
|
189 |
|
|
190 |
openshift_master_ldap_ca_file: 'openshift_master_ldap_ca_file=/root/ca.crt' |
|
191 |
|
|
192 |
available_identity_providers: |
|
193 |
ldap: |
|
194 |
name: 'OpenTLC IPA' |
|
195 |
challenge: 'true' |
|
196 |
login: 'true' |
|
197 |
kind: 'LDAPPasswordIdentityProvider' |
|
198 |
attributes: |
|
199 |
id: ['dn'] |
|
200 |
email: ['mail'] |
|
201 |
name: ['cn'] |
|
202 |
preferredUsername: ['uid'] |
|
203 |
bindDN: 'uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com' |
|
204 |
bindPassword: "{{bindPassword|d('NOT_DEFINED')}}" |
|
205 |
ca: ipa-ca.crt |
|
206 |
insecure: 'false' |
|
207 |
url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid |
|
208 |
|
|
209 |
ssodev: |
|
210 |
name: ssodev-iad00 |
|
211 |
challenge: 'false' |
|
212 |
login: 'true' |
|
213 |
kind: OpenIDIdentityProvider |
|
214 |
clientID: "{{ opentlc_ssodev_client_id|d('NOT_DEFINED') }}" |
|
215 |
clientSecret: "{{ opentlc_ssodev_client_secret|d('NOT_DEFINED') }}" |
|
216 |
ca: lets-encrypt-x3-cross-signed.pem.txt |
|
217 |
urls: |
|
218 |
authorize: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/auth |
|
219 |
token: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/token |
|
220 |
userInfo: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/userinfo |
|
221 |
claims: |
|
222 |
id: |
|
223 |
- sub |
|
224 |
preferredUsername: |
|
225 |
- preferred_username |
|
226 |
name: |
|
227 |
- name |
|
228 |
email: |
|
229 |
- email |
|
230 |
|
|
231 |
allow_all: |
|
232 |
name: allow_all |
|
233 |
login: 'true' |
|
234 |
challenge: 'true' |
|
235 |
kind: AllowAllPasswordIdentityProvider |
|
236 |
|
|
237 |
htpasswd: |
|
238 |
name: htpasswd_auth |
|
239 |
login: 'true' |
|
240 |
challenge: 'true' |
|
241 |
kind: HTPasswdPasswordIdentityProvider |
|
242 |
filename: /etc/origin/master/htpasswd |
|
243 |
|
|
244 |
admission_plugin_config: |
|
245 |
MutatingAdmissionWebhook: |
|
246 |
configuration: |
|
247 |
apiVersion: v1 |
|
248 |
disable: false |
|
249 |
kind: DefaultAdmissionConfig |
|
250 |
ValidatingAdmissionWebhook: |
|
251 |
configuration: |
|
252 |
apiVersion: v1 |
|
253 |
disable: false |
|
254 |
kind: DefaultAdmissionConfig |
|
255 |
|
|
256 |
|
|
257 |
###### You can, but you usually wouldn't need to. |
|
258 |
ansible_ssh_user: ec2-user |
|
259 |
remote_user: ec2-user |
|
260 |
|
|
261 |
common_packages: |
|
262 |
- python |
|
263 |
- unzip |
|
264 |
- bash-completion |
|
265 |
- tmux |
|
266 |
- bind-utils |
|
267 |
- wget |
|
268 |
- nano |
|
269 |
- ansible |
|
270 |
- git |
|
271 |
- vim-enhanced |
|
272 |
- at |
|
273 |
- sysstat |
|
274 |
- strace |
|
275 |
- net-tools |
|
276 |
- iptables-services |
|
277 |
- bridge-utils |
|
278 |
- kexec-tools |
|
279 |
- sos |
|
280 |
- psacct |
|
281 |
- iotop |
|
282 |
|
|
283 |
rhel_repos: |
|
284 |
- rhel-7-server-rpms |
|
285 |
- rhel-7-server-extras-rpms |
|
286 |
- rhel-7-server-ose-{{repo_version}}-rpms |
|
287 |
- rhel-7-fast-datapath-rpms |
|
288 |
|
|
289 |
# use_subscription_manager: false |
|
290 |
# use_own_repos: true |
|
291 |
# |
|
292 |
# rhn_pool_id_string: OpenShift Container Platform |
|
293 |
|
|
294 |
## NFS Server settings |
|
295 |
nfs_vg: nfsvg |
|
296 |
nfs_pvs: /dev/xvdd |
|
297 |
nfs_export_path: /srv/nfs |
|
298 |
nfs_size: 200 |
|
299 |
|
|
300 |
nfs_shares: |
|
301 |
- user-vols |
|
302 |
|
|
303 |
ocp_pvs: |
|
304 |
# - es-storage |
|
305 |
# - nexus |
|
306 |
# - nexus2 |
|
307 |
# - nexus3 |
|
308 |
|
|
309 |
user_vols: 200 |
|
310 |
user_vols_size: 10Gi |
|
311 |
user_count: 200 |
|
312 |
|
|
313 |
cache_images: |
|
314 |
- "registry.access.redhat.com/jboss-eap-7/eap70-openshift:latest" |
|
315 |
- "registry.access.redhat.com/openshift3/jenkins-2-rhel7:v{{ repo_version }}" |
|
316 |
- "registry.access.redhat.com/openshift3/jenkins-slave-maven-rhel7:v{{ repo_version }}" |
|
317 |
|
|
318 |
### CLOUDFORMATIONS vars |
|
319 |
|
|
320 |
create_internal_dns_entries: true |
|
321 |
zone_internal_dns: "{{guid}}.internal." |
|
322 |
chomped_zone_internal_dns: "{{guid}}.internal" |
|
323 |
zone_public_dns: "{{subdomain_base}}." |
|
324 |
cloudapps_record: '*.apps' |
|
325 |
cloudapps_dns: '{{cloudapps_record}}.{{subdomain_base}}.' |
|
326 |
|
|
327 |
master_public_dns: "master.{{subdomain_base}}." |
|
328 |
bastion_public_dns: "bastion.{{subdomain_base}}." |
|
329 |
certtest_public_dns: "certtest.{{subdomain_base}}." |
|
330 |
bastion_public_dns_chomped: "bastion.{{subdomain_base}}" |
|
331 |
vpcid_cidr_block: "192.168.0.0/16" |
|
332 |
vpcid_name_tag: "{{subdomain_base}}" |
|
333 |
|
|
334 |
az_1_name: "{{ aws_region }}a" |
|
335 |
az_2_name: "{{ aws_region }}b" |
|
336 |
|
|
337 |
subnet_private_1_cidr_block: "192.168.2.0/24" |
|
338 |
subnet_private_1_az: "{{ az_2_name }}" |
|
339 |
subnet_private_1_name_tag: "{{subdomain_base}}-private" |
|
340 |
|
|
341 |
subnet_private_2_cidr_block: "192.168.1.0/24" |
|
342 |
subnet_private_2_az: "{{ az_1_name }}" |
|
343 |
subnet_private_2_name_tag: "{{subdomain_base}}-private" |
|
344 |
|
|
345 |
subnet_public_1_cidr_block: "192.168.10.0/24" |
|
346 |
subnet_public_1_az: "{{ az_1_name }}" |
|
347 |
subnet_public_1_name_tag: "{{subdomain_base}}-public" |
|
348 |
|
|
349 |
subnet_public_2_cidr_block: "192.168.20.0/24" |
|
350 |
subnet_public_2_az: "{{ az_2_name }}" |
|
351 |
subnet_public_2_name_tag: "{{subdomain_base}}-public" |
|
352 |
|
|
353 |
dopt_domain_name: "{{ aws_region }}.compute.internal" |
|
354 |
|
|
355 |
rtb_public_name_tag: "{{subdomain_base}}-public" |
|
356 |
rtb_private_name_tag: "{{subdomain_base}}-private" |
|
357 |
|
|
358 |
cf_template_description: "{{ env_type }}-{{ guid }} template " |
|
359 |
|
|
360 |
rootfs_size_node: 50 |
|
361 |
rootfs_size_infranode: 150 |
|
362 |
rootfs_size_master: 50 |
|
363 |
rootfs_size_bastion: 20 |
|
364 |
rootfs_size_support: 20 |
11275f
|
365 |
rootfs_size_clientvm: 20 |
e2d605
|
366 |
|
S |
367 |
instances: |
|
368 |
- name: "bastion" |
|
369 |
count: 1 |
|
370 |
unique: true |
|
371 |
public_dns: true |
|
372 |
dns_loadbalancer: true |
|
373 |
flavor: |
|
374 |
ec2: "{{bastion_instance_type}}" |
|
375 |
azure: "{{bastion_instance_type}}" |
|
376 |
tags: |
|
377 |
- key: "AnsibleGroup" |
|
378 |
value: "bastions" |
|
379 |
- key: "ostype" |
|
380 |
value: "linux" |
|
381 |
rootfs_size: "{{ rootfs_size_bastion }}" |
|
382 |
|
|
383 |
- name: "master" |
|
384 |
count: "{{master_instance_count}}" |
|
385 |
public_dns: true |
|
386 |
dns_loadbalancer: true |
|
387 |
flavor: |
|
388 |
ec2: "{{master_instance_type}}" |
|
389 |
azure: "{{master_instance_type}}" |
|
390 |
tags: |
|
391 |
- key: "AnsibleGroup" |
|
392 |
value: "masters" |
|
393 |
- key: "ostype" |
|
394 |
value: "linux" |
|
395 |
rootfs_size: "{{ rootfs_size_master }}" |
|
396 |
volumes: |
|
397 |
- device_name: "{{docker_device}}" |
|
398 |
volume_size: "{{master_docker_size|default(docker_size)|default('20')}}" |
|
399 |
volume_type: gp2 |
|
400 |
purpose: docker |
|
401 |
lun: 0 |
|
402 |
|
|
403 |
- name: "node" |
|
404 |
count: "{{node_instance_count}}" |
|
405 |
public_dns: false |
|
406 |
dns_loadbalancer: false |
|
407 |
flavor: |
|
408 |
ec2: "{{node_instance_type}}" |
|
409 |
azure: "{{node_instance_type}}" |
|
410 |
tags: |
|
411 |
- key: "AnsibleGroup" |
|
412 |
value: "nodes" |
|
413 |
- key: "ostype" |
|
414 |
value: "linux" |
|
415 |
rootfs_size: "{{ rootfs_size_node }}" |
|
416 |
volumes: |
|
417 |
- device_name: "{{docker_device}}" |
|
418 |
volume_size: "{{node_docker_size|d(docker_size)|d('100')}}" |
|
419 |
volume_type: gp2 |
|
420 |
purpose: docker |
|
421 |
lun: 0 |
|
422 |
|
|
423 |
- name: "infranode" |
|
424 |
count: "{{infranode_instance_count}}" |
|
425 |
public_dns: true |
|
426 |
dns_loadbalancer: true |
|
427 |
flavor: |
|
428 |
ec2: "{{infranode_instance_type}}" |
|
429 |
azure: "{{infranode_instance_type}}" |
|
430 |
tags: |
|
431 |
- key: "AnsibleGroup" |
|
432 |
value: "infranodes" |
|
433 |
- key: "ostype" |
|
434 |
value: "linux" |
|
435 |
rootfs_size: "{{ rootfs_size_infranode }}" |
|
436 |
volumes: |
|
437 |
- device_name: "{{docker_device}}" |
|
438 |
volume_size: "{{infranode_docker_size|d(docker_size)|d('50')}}" |
|
439 |
volume_type: gp2 |
|
440 |
purpose: docker |
|
441 |
lun: 0 |
11275f
|
442 |
- name: "clientvm" |
S |
443 |
count: "{{num_users}}" |
|
444 |
public_dns: true |
|
445 |
flavor: |
|
446 |
"ec2": "{{clientvm_instance_type}}" |
|
447 |
tags: |
|
448 |
- key: "AnsibleGroup" |
|
449 |
value: "clientvms" |
|
450 |
- key: "ostype" |
|
451 |
value: "linux" |
|
452 |
rootfs_size: "{{ rootfs_size_clientvm }}" |
|
453 |
volumes: |
|
454 |
- device_name: "{{docker_device}}" |
|
455 |
volume_size: 100 |
|
456 |
volume_type: gp2 |
e2d605
|
457 |
|
S |
458 |
- name: "support" |
|
459 |
count: "{{support_instance_count}}" |
|
460 |
public_dns: false |
|
461 |
dns_loadbalancer: false |
|
462 |
flavor: |
|
463 |
ec2: "{{support_instance_type}}" |
|
464 |
azure: "{{support_instance_type}}" |
|
465 |
tags: |
|
466 |
- key: "AnsibleGroup" |
|
467 |
value: "{{ 'support,glusterfs,nodes' if install_glusterfs|bool else 'support' }}" |
|
468 |
- key: "ostype" |
|
469 |
value: "linux" |
|
470 |
rootfs_size: "{{ rootfs_size_support }}" |
|
471 |
volumes: |
|
472 |
- device_name: "{{docker_device}}" |
|
473 |
volume_size: "{{support_docker_size|d(docker_size)|d('50')}}" |
|
474 |
volume_type: gp2 |
|
475 |
purpose: docker |
|
476 |
lun: 0 |
|
477 |
- device_name: "{{glusterfs_device_name}}" |
|
478 |
volume_size: "{{glusterfs_device_size}}" |
|
479 |
volume_type: gp2 |
|
480 |
purpose: glusterfs |
|
481 |
lun: 1 |
|
482 |
- device_name: "{{nfs_pvs}}" |
|
483 |
volume_size: "{{nfs_size}}" |
|
484 |
volume_type: gp2 |
|
485 |
purpose: nfs |
|
486 |
lun: 2 |