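---
## TODO: What variables can we strip out of here to build complex variables?
## i.e. what can we add into group_vars as opposed to config_vars?
## Example: We don't really need "subdomain_base_short". If we want to use this,
## should just toss in group_vars/all.
### Also, we should probably just create a variable reference in the README.md
### For now, just tagging comments in line with configuration file.

### Vars that can be removed:
# use_satellite: true
# use_subscription_manager: false
# use_own_repos: false

###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYMENT
###### OR PASS as "-e" args to ansible-playbook command

### Common Host settings
# Quoted on purpose: an unquoted 3.9 would be read as a float
repo_version: "3.9"
repo_method: file  # Other Options are: file, satellite and rhn

# If using repo_method: satellite, you must set these values as well.
# satellite_url: https://satellite.example.com
# satellite_org: Sat_org_name
# satellite_activationkey: "rhel7basic"

# Do you want to run a full yum update
update_packages: true

## guid is the deployment unique identifier, it will be appended to all tags,
## files and anything that identifies this environment from another "just like it"
guid: defaultguid

# This var is used to identify stack (cloudformation, azure resourcegroup, ...)
# env_type is not set in this file; it is expected from the caller.
project_tag: "{{ env_type }}-{{ guid }}"

software_to_deploy: openshift
deploy_openshift: true
deploy_openshift_post: true
deploy_env_post: true

install_bastion: true
install_common: true
install_nfs: true
install_glusterfs: false
install_opentlc_integration: true
install_zabbix: false
install_prometheus: false
install_ipa_client: false
install_openwhisk: false
install_metrics: true
install_logging: true
install_aws_broker: false
install_nexus: true
install_openshiftapb: false
install_maistra: false
install_lets_encrypt_certificates: false
# NOTE: this key is hyphenated unlike every other install flag here; it is kept
# verbatim because consumers look it up by this exact name.
ocp-client-vm: true
# Set the next variable to false to run tests. This prevents hitting the
# rate limiter of Let's Encrypt when requesting lots of certificates
# Set to true for "real" certificates
lets_encrypt_production: true

glusterfs_device_name: /dev/xvdc
glusterfs_device_size: 1500

ocp_report: false
remove_self_provisioners: false
# NOTE(review): this CA certificate is fetched over plain http, so nothing
# authenticates it in transit; prefer an https URL or verify a known checksum
# of the downloaded file.
idm_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
# Quoted so the address is always handled as a string
zabbix_host: "23.246.247.58"

# Options for container_runtime: docker, cri-o
container_runtime: "docker"
# Picks the docker build matching the OCP release in repo_version
docker_version: "{{ '1.12.6' if repo_version | version_compare('3.9', '<')  else '1.13.1' }}"
docker_device: /dev/xvdb

### If you want a Key Pair name created and injected into the hosts,
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
# you can use the key used to create the environment or use your own self generated key
# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}})
# Keeping use_own_key true means the key that created the environment never
# leaves the control host; only set it to false when you accept that copy.

use_own_key: true
env_authorized_key: "{{guid}}key"
ansible_ssh_private_key_file: ~/.ssh/{{key_name}}.pem
set_env_authorized_key: true

# Is this running from Red Hat Ansible Tower
tower_run: false

admin_user: opentlc-mgr
admin_project: "ocp-workshop"

# UI Customizations
enable_workshops_catalog: false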
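### Azure

# Create a dedicated resourceGroup for this deployment
az_destroy_method: resource_group
az_resource_group: "{{ project_tag }}"

# you can operate differently: if you share one resourceGroup for all your deployments,
# you can specify a different resourceGroup and method:
# az_destroy_method: deployment
# az_resource_group: my-shared-resource-group
# az_storage_account_type: Premium_LRS

### AWS EC2 Environment settings

### Route 53 Zone ID (AWS)
# This is the Route53 HostedZoneId where you will create your Public DNS entries
# This only needs to be defined if your CF template uses route53
# The default below is one specific hosted zone; override it (e.g. -e HostedZoneId=...)
# for any account that does not own that zone.
HostedZoneId: Z1TQFSYFZUAO0D
# The region to be used, if not specified by -e in the command line
aws_region: us-east-1
# The key pair that is used to create the environment (see the use_own_key notes above);
# override it per deployment
key_name: "default_key_name"

## Networking (AWS)
subdomain_base_short: "{{ guid }}"
subdomain_base_suffix: ".openshift.opentlc.com"
subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}"

## Environment Sizing

bastion_instance_type: "t2.large"
master_instance_type: "m4.4xlarge"
etcd_instance_type: "{{master_instance_type}}"
infranode_instance_type: "m4.4xlarge"
node_instance_type: "m4.4xlarge"
support_instance_type: "c4.xlarge"

node_instance_count: 5
infranode_instance_count: 1
master_instance_count: 1
# Three support nodes are needed to form a GlusterFS cluster, otherwise one
support_instance_count: "{{ 3 if install_glusterfs|bool else 1 }}"
# scaleup
new_node_instance_count: 0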
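###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYMENT

## This might get removed
# Explicit empty list: with every entry commented out, a bare
# "env_specific_images:" would parse as null rather than as an empty list,
# which anything looping over this variable would reject.
env_specific_images: []
#   - "registry.access.redhat.com/jboss-eap-7/eap70-openshift:latest"
#   - "registry.access.redhat.com/openshift3/jenkins-2-rhel7:latest"
#   - "registry.access.redhat.com/openshift3/jenkins-slave-maven-rhel7:latest"

#### Vars for the OpenShift Ansible hosts file
master_api_port: 443
ovs_plugin: "subnet"  # This can also be set to: "multitenant" or "networkpolicy"
multi_tenant_setting: "os_sdn_network_plugin_name='redhat/openshift-ovs-{{ovs_plugin}}'"
master_lb_dns: "master.{{subdomain_base}}"

# Certificate paths as written by acme.sh for master_lb_dns
lets_encrypt_openshift_master_named_certificates:
  - certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer"
    keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key"
    cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer"

# The router reuses the master certificate files
lets_encrypt_openshift_hosted_router_certificate:
  certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer"
  keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key"
  cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer"

project_request_message: 'To provision Projects you must request access in https://labs.opentlc.com or https://rhpds.redhat.com'

cloudapps_suffix: 'apps.{{subdomain_base}}'
## TODO: This should be registered as a variable. Awk for os versions (OCP).
## yum info openshift...
osrelease: 3.9.30
openshift_master_overwrite_named_certificates: true
timeout: 60

########## OCP identity providers
# Options for install_idm: allow_all, htpasswd, ldap, ...  see the available below
install_idm: ldap

# if you want to install several identity providers, just pick from the
# available_identity_providers list:
install_idms:
  - "{{ install_idm }}"

# This var is empty by default.
# Every idm in the list 'install_idms' will be added, using the 'available_identity_providers' map
# you can:
#   - directly override the 'identity_providers' list
# or
#   - add an option to 'available_identity_providers' and then
#     reference it in 'install_idm' or the 'install_idms' list
identity_providers: []

openshift_master_ldap_ca_file: 'openshift_master_ldap_ca_file=/root/ca.crt'

# The 'true'/'false' values below are deliberately strings: they are copied
# into the identity provider configuration as-is.
available_identity_providers:
  ldap:
    name: 'OpenTLC IPA'
    challenge: 'true'
    login: 'true'
    kind: 'LDAPPasswordIdentityProvider'
    attributes:
      id: ['dn']
      email: ['mail']
      name: ['cn']
      preferredUsername: ['uid']
    bindDN: 'uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com'
    # The bind password is supplied externally (e.g. -e or a vault file); the
    # NOT_DEFINED fallback only defers a missing secret to LDAP bind time.
    bindPassword: "{{bindPassword|d('NOT_DEFINED')}}"
    ca: ipa-ca.crt
    insecure: 'false'
    url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid

  ssodev:
    name: ssodev-iad00
    challenge: 'false'
    login: 'true'
    kind: OpenIDIdentityProvider
    # Client credentials are supplied externally; NOT_DEFINED is a placeholder, not a working value
    clientID: "{{ opentlc_ssodev_client_id|d('NOT_DEFINED') }}"
    clientSecret: "{{ opentlc_ssodev_client_secret|d('NOT_DEFINED') }}"
    ca: lets-encrypt-x3-cross-signed.pem.txt
    urls:
      authorize: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/auth
      token: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/token
      userInfo: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/userinfo
    claims:
      id:
        - sub
      preferredUsername:
        - preferred_username
      name:
        - name
      email:
        - email

  allow_all:
    name: allow_all
    login: 'true'
    challenge: 'true'
    kind: AllowAllPasswordIdentityProvider

  htpasswd:
    name: htpasswd_auth
    login: 'true'
    challenge: 'true'
    kind: HTPasswdPasswordIdentityProvider
    filename: /etc/origin/master/htpasswd

admission_plugin_config:
  MutatingAdmissionWebhook:
    configuration:
      apiVersion: v1
      disable: false
      kind: DefaultAdmissionConfig
  ValidatingAdmissionWebhook:
    configuration:
      apiVersion: v1
      disable: false
      kind: DefaultAdmissionConfig
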
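###### You can, but you usually wouldn't need to.
ansible_ssh_user: ec2-user
remote_user: ec2-user

common_packages:
  - python
  - unzip
  - bash-completion
  - tmux
  - bind-utils
  - wget
  - nano
  - ansible
  - git
  - vim-enhanced
  - at
  - sysstat
  - strace
  - net-tools
  - iptables-services
  - bridge-utils
  - kexec-tools
  - sos
  - psacct
  - iotop

# The OSE repo name tracks repo_version
rhel_repos:
  - rhel-7-server-rpms
  - rhel-7-server-extras-rpms
  - rhel-7-server-ose-{{repo_version}}-rpms
  - rhel-7-fast-datapath-rpms

# use_subscription_manager: false
# use_own_repos: true
#
# rhn_pool_id_string: OpenShift Container Platform

## NFS Server settings
nfs_vg: nfsvg
nfs_pvs: /dev/xvdd
nfs_export_path: /srv/nfs
nfs_size: 200

nfs_shares:
  - user-vols

# Explicit empty list: with every entry commented out, a bare "ocp_pvs:"
# would parse as null rather than as an empty list, which anything looping
# over this variable would reject.
ocp_pvs: []
#   - es-storage
#   - nexus
#   - nexus2
#   - nexus3

user_vols: 200
user_vols_size: 10Gi
user_count: 200

# Image tags follow repo_version where the upstream image is versioned
cache_images:
  - "registry.access.redhat.com/jboss-eap-7/eap70-openshift:latest"
  - "registry.access.redhat.com/openshift3/jenkins-2-rhel7:v{{ repo_version }}"
  - "registry.access.redhat.com/openshift3/jenkins-slave-maven-rhel7:v{{ repo_version }}"
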
### CLOUDFORMATIONS vars

create_internal_dns_entries: true
# Zone names: the trailing dot is the FQDN form, the "chomped" variant drops it
zone_internal_dns: '{{guid}}.internal.'
chomped_zone_internal_dns: '{{guid}}.internal'
zone_public_dns: '{{subdomain_base}}.'
cloudapps_record: '*.apps'
cloudapps_dns: '{{cloudapps_record}}.{{subdomain_base}}.'

# Public host records, FQDN form
master_public_dns: 'master.{{subdomain_base}}.'
bastion_public_dns: 'bastion.{{subdomain_base}}.'
certtest_public_dns: 'certtest.{{subdomain_base}}.'
bastion_public_dns_chomped: 'bastion.{{subdomain_base}}'
vpcid_cidr_block: '192.168.0.0/16'
vpcid_name_tag: '{{subdomain_base}}'

# Availability zones derived from aws_region
az_1_name: '{{ aws_region }}a'
az_2_name: '{{ aws_region }}b'

# Private subnet 1 is placed in az_2 and private subnet 2 in az_1 (as originally configured)
subnet_private_1_cidr_block: '192.168.2.0/24'
subnet_private_1_az: '{{ az_2_name }}'
subnet_private_1_name_tag: '{{subdomain_base}}-private'

subnet_private_2_cidr_block: '192.168.1.0/24'
subnet_private_2_az: '{{ az_1_name }}'
subnet_private_2_name_tag: '{{subdomain_base}}-private'

subnet_public_1_cidr_block: '192.168.10.0/24'
subnet_public_1_az: '{{ az_1_name }}'
subnet_public_1_name_tag: '{{subdomain_base}}-public'

subnet_public_2_cidr_block: '192.168.20.0/24'
subnet_public_2_az: '{{ az_2_name }}'
subnet_public_2_name_tag: '{{subdomain_base}}-public'

dopt_domain_name: '{{ aws_region }}.compute.internal'

rtb_public_name_tag: '{{subdomain_base}}-public'
rtb_private_name_tag: '{{subdomain_base}}-private'

# The trailing space inside the quotes is part of the value
cf_template_description: '{{ env_type }}-{{ guid }} template '

# Root filesystem sizes (GB) per instance role
rootfs_size_node: 50
rootfs_size_infranode: 150
rootfs_size_master: 50
rootfs_size_bastion: 20
rootfs_size_support: 20
rootfs_size_clientvm: 20

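# One entry per instance role; count/flavor/rootfs_size reference the sizing
# vars above, and the "AnsibleGroup" tag decides which inventory group each host joins.
instances:
  - name: "bastion"
    count: 1
    unique: true
    public_dns: true
    dns_loadbalancer: true
    flavor:
      ec2: "{{bastion_instance_type}}"
      azure: "{{bastion_instance_type}}"
    tags:
      - key: "AnsibleGroup"
        value: "bastions"
      - key: "ostype"
        value: "linux"
    rootfs_size: "{{ rootfs_size_bastion }}"

  - name: "master"
    count: "{{master_instance_count}}"
    public_dns: true
    dns_loadbalancer: true
    flavor:
      ec2: "{{master_instance_type}}"
      azure: "{{master_instance_type}}"
    tags:
      - key: "AnsibleGroup"
        value: "masters"
      - key: "ostype"
        value: "linux"
    rootfs_size: "{{ rootfs_size_master }}"
    volumes:
      - device_name: "{{docker_device}}"
        # Role-specific size, then the generic docker_size, then a fixed fallback
        volume_size: "{{master_docker_size|default(docker_size)|default('20')}}"
        volume_type: gp2
        purpose: docker
        lun: 0

  - name: "node"
    count: "{{node_instance_count}}"
    public_dns: false
    dns_loadbalancer: false
    flavor:
      ec2: "{{node_instance_type}}"
      azure: "{{node_instance_type}}"
    tags:
      - key: "AnsibleGroup"
        value: "nodes"
      - key: "ostype"
        value: "linux"
    rootfs_size: "{{ rootfs_size_node }}"
    volumes:
      - device_name: "{{docker_device}}"
        volume_size: "{{node_docker_size|d(docker_size)|d('100')}}"
        volume_type: gp2
        purpose: docker
        lun: 0

  - name: "infranode"
    count: "{{infranode_instance_count}}"
    public_dns: true
    dns_loadbalancer: true
    flavor:
      ec2: "{{infranode_instance_type}}"
      azure: "{{infranode_instance_type}}"
    tags:
      - key: "AnsibleGroup"
        value: "infranodes"
      - key: "ostype"
        value: "linux"
    rootfs_size: "{{ rootfs_size_infranode }}"
    volumes:
      - device_name: "{{docker_device}}"
        volume_size: "{{infranode_docker_size|d(docker_size)|d('50')}}"
        volume_type: gp2
        purpose: docker
        lun: 0

  # NOTE(review): this entry differs from the others: it has only an ec2 flavor,
  # no dns_loadbalancer key, and its docker volume carries no purpose/lun.
  # num_users and clientvm_instance_type are not defined anywhere in this file,
  # so they must be supplied by the caller (e.g. -e) or templating fails.
  - name: "clientvm"
    count: "{{num_users}}"
    public_dns: true
    flavor:
      ec2: "{{clientvm_instance_type}}"
    tags:
      - key: "AnsibleGroup"
        value: "clientvms"
      - key: "ostype"
        value: "linux"
    rootfs_size: "{{ rootfs_size_clientvm }}"
    volumes:
      - device_name: "{{docker_device}}"
        volume_size: 100
        volume_type: gp2

  - name: "support"
    count: "{{support_instance_count}}"
    public_dns: false
    dns_loadbalancer: false
    flavor:
      ec2: "{{support_instance_type}}"
      azure: "{{support_instance_type}}"
    tags:
      - key: "AnsibleGroup"
        # Support hosts also join the glusterfs and nodes groups when GlusterFS is installed
        value: "{{ 'support,glusterfs,nodes' if install_glusterfs|bool else 'support' }}"
      - key: "ostype"
        value: "linux"
    rootfs_size: "{{ rootfs_size_support }}"
    volumes:
      - device_name: "{{docker_device}}"
        volume_size: "{{support_docker_size|d(docker_size)|d('50')}}"
        volume_type: gp2
        purpose: docker
        lun: 0
      - device_name: "{{glusterfs_device_name}}"
        volume_size: "{{glusterfs_device_size}}"
        volume_type: gp2
        purpose: glusterfs
        lun: 1
      - device_name: "{{nfs_pvs}}"
        volume_size: "{{nfs_size}}"
        volume_type: gp2
        purpose: nfs
        lun: 2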