| commit | author | age | ||
| 1874b6 | 1 | --- |
| GC | 2 | - name: Step 00xxxxx post software |
| 3 | hosts: bastions | |
| 4 | become: no | |
| 5 | gather_facts: False | |
| 6 | environment: | |
| 7 | KUBECONFIG: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig | |
| 8 | tasks: | |
| 9 | - debug: | |
| 10 | msg: "Post-Software Steps starting" | |
| 11 | ||
| 12 | - name: Configure Bastion for CF integration | |
| 13 | hosts: bastions | |
| 14 | become: yes | |
| 15 | gather_facts: False | |
| 16 | tags: | |
| 17 | - env-specific | |
| 18 | - cf_integration | |
| 19 | - opentlc_integration | |
| 20 | tasks: | |
| 21 | - when: install_opentlc_integration|bool | |
| 22 | block: | |
| 23 | - name: Include mgr_users vars | |
| 24 | include_vars: | |
| 25 | file: mgr_users.yml | |
| 26 | ||
| 27 | - name: Configure Bastion | |
| 28 | include_role: | |
| 29 | name: opentlc-integration | |
| 30 | vars: | |
| 31 | no_log: yes | |
| 32 | ||
| 33 | - name: Configure opentlc-mgr, root and {{ remote_user }} when OpenShift installed | |
| 34 | when: | |
| 35 | - install_ocp4 | d(False) | bool | |
| 36 | block: | |
| 470b13 | 37 | - name: Create .kube for opentlc-mgr user |
| GC | 38 | file: |
| 39 | path: /home/opentlc-mgr/.kube | |
| 40 | state: directory | |
| 41 | owner: opentlc-mgr | |
| 42 | group: opentlc-mgr | |
| 1874b6 | 43 | |
| 470b13 | 44 | - name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~opentlc-mgr |
| GC | 45 | copy: |
| 46 | src: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig | |
| 47 | dest: /home/opentlc-mgr/.kube/config | |
| 48 | remote_src: yes | |
| 49 | owner: opentlc-mgr | |
| 50 | group: opentlc-mgr | |
| 51 | mode: 0600 | |
| 1874b6 | 52 | |
| ca7329 | 53 | - name: Set up Student User |
| WK | 54 | when: install_student_user | bool |
| 470b13 | 55 | block: |
| ca7329 | 56 | - name: Create .kube for {{ student_name }} user |
| 470b13 | 57 | file: |
| ca7329 | 58 | path: /home/{{ student_name }}/.kube |
| 470b13 | 59 | state: directory |
| ca7329 | 60 | owner: "{{ student_name }}" |
| 1874b6 | 61 | |
| ca7329 | 62 | - name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~{{ student_name }} |
| 470b13 | 63 | copy: |
| GC | 64 | src: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig |
| ca7329 | 65 | dest: /home/{{ student_name }}/.kube/config |
| 470b13 | 66 | remote_src: yes |
| ca7329 | 67 | owner: "{{ student_name }}" |
| 470b13 | 68 | mode: 0600 |
| GC | 69 | |
| 3bf114 | 70 | - name: Setup mount bind for cluster directory |
| GC | 71 | become: yes |
| 72 | mount: | |
| 73 | path: /home/{{ student_name }}/{{ cluster_name }} | |
| 74 | src: /home/{{ remote_user }}/{{ cluster_name }} | |
| 75 | fstype: none | |
| 76 | opts: defaults,bind,ro | |
| 77 | state: mounted | |
| 78 | ||
| 470b13 | 79 | - name: Create OpenShift Bash completion file |
| GC | 80 | shell: oc completion bash >/etc/bash_completion.d/openshift |
| 81 | ||
| 82 | - name: Configure bashrc to include KUBECONFIG | |
| 83 | shell: "echo export KUBECONFIG=/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig >> /home/{{ remote_user }}/.bashrc" | |
| 1874b6 | 84 | |
| GC | 85 | - name: Set up Authentication |
| 86 | hosts: bastions | |
| 87 | become: False | |
| 88 | gather_facts: False | |
| 89 | run_once: true | |
| 90 | tags: | |
| 91 | - env-specific | |
| 92 | - setup-authentication | |
| 93 | tasks: | |
| 94 | - when: | |
| 95 | - install_ocp4 | d(False) | bool | |
| 96 | - install_idm is defined | |
| 97 | environment: | |
| 98 | KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig" | |
| 99 | block: | |
| 100 | - name: Set up htpasswd | |
| 101 | when: | |
| 102 | - install_idm == "htpasswd" | |
| 103 | block: | |
| 104 | - name: Generate htpasswd hash for user_password | |
| 105 | shell: >- | |
| 106 | htpasswd -nb "userN" "{{ user_password }}"|cut -d: -f2 | |
| 107 | register: htpasswd_line | |
| 108 | when: | |
| 109 | - user_password is defined | |
| 110 | - user_password_hash is not defined | |
| 111 | ||
| 112 | - name: Set fact user_password_hash | |
| 113 | set_fact: | |
| 114 | user_password_hash: "{{ htpasswd_line.stdout }}" | |
| 115 | when: | |
| 116 | - user_password is defined | |
| 117 | - user_password_hash is not defined | |
| 118 | - htpasswd_line is succeeded | |
| 119 | ||
| 120 | - name: Generate htpasswd hash for admin user | |
| 121 | shell: >- | |
| 122 | htpasswd -nb "admin" "{{ admin_password }}"|cut -d: -f2 | |
| 123 | register: htpasswd_line | |
| 124 | when: | |
| 125 | - admin_password_hash is not defined | |
| 126 | - admin_password is defined | |
| 127 | ||
| 128 | - name: Set fact admin_password_hash | |
| 129 | set_fact: | |
| 130 | admin_password_hash: "{{ htpasswd_line.stdout }}" | |
| 131 | when: | |
| 132 | - admin_password is defined | |
| 133 | - admin_password_hash is not defined | |
| 134 | - htpasswd_line is succeeded | |
| 135 | - name: Set fact user_count | |
| 136 | set_fact: | |
| 137 | user_count: 200 | |
| 138 | when: | |
| 139 | - user_count is not defined | |
| 140 | ||
| 141 | - name: Generate htpasswd file | |
| 142 | template: | |
| 143 | src: "./files/htpasswd.j2" | |
| 144 | dest: "/home/{{ ansible_user }}/users.htpasswd" | |
| 145 | owner: "{{ ansible_user }}" | |
| 146 | mode: 0664 | |
| 147 | - name: Upload OAuth Configuration File | |
| 148 | copy: | |
| 149 | src: "./files/oauth-htpasswd.yaml" | |
| 150 | dest: "/home/{{ ansible_user }}/oauth-htpasswd.yaml" | |
| 151 | owner: "{{ ansible_user }}" | |
| 152 | mode: 0664 | |
| 153 | - name: Create htpasswd Secret | |
| 154 | command: oc create secret generic htpasswd-secret -n openshift-config --from-file=htpasswd=$HOME/users.htpasswd | |
| 155 | ignore_errors: true | |
| 156 | - name: Update OAuth Configuration | |
| 157 | shell: "oc apply -f /home/{{ ansible_user }}/oauth-htpasswd.yaml" | |
| 158 | ||
| 159 | - name: Set up OpenTLC LDAP | |
| 160 | when: | |
| 161 | - install_idm == "ldap" | |
| 162 | block: | |
| 163 | - name: Check for LDAP Bind Password | |
| 164 | fail: | |
| 165 | msg: LDAP Authentication is configured but LDAP BindPassword (bindPassword) is not defined. | |
| 166 | when: bindPassword is not defined | |
| 167 | - name: Get IPA CA Cert | |
| 168 | get_url: | |
| 169 | url: "{{ idm_ca_url }}" | |
| 170 | dest: "/home/{{ ansible_user }}/ipa-ca.crt" | |
| 171 | mode: 0660 | |
| 172 | - name: Create IPA CA Cert ConfigMap | |
| 173 | shell: "oc create configmap opentlc-ldap-ca-cert --from-file=ca.crt=/home/{{ ansible_user }}/ipa-ca.crt -n openshift-config" | |
| 174 | ignore_errors: true | |
| 175 | - name: Create LDAP Bind Password Secret | |
| 176 | shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ bindPassword }}\" -n openshift-config" | |
| 177 | ignore_errors: true | |
| bf4161 | 178 | - name: Upload OAuth Configuration File |
| 1874b6 | 179 | copy: |
| GC | 180 | src: "./files/oauth-opentlc-ldap.yaml" |
| 181 | dest: "/home/{{ ansible_user }}/oauth-opentlc-ldap.yaml" | |
| 182 | owner: "{{ ansible_user }}" | |
| 183 | mode: 0664 | |
| 184 | - name: Update OAuth Configuration | |
| 185 | shell: "oc apply -f /home/{{ ansible_user }}/oauth-opentlc-ldap.yaml" | |
| 31d612 | 186 | |
| 1874b6 | 187 | - name: Set up Admin User |
| 31d612 | 188 | when: admin_user is defined |
| 1874b6 | 189 | shell: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}" |
| 31d612 | 190 | # try for 5 minutes |
| GC | 191 | retries: 30 |
| 192 | delay: 10 | |
| 193 | register: r_setup_admin_user | |
| 194 | until: r_setup_admin_user is succeeded | |
| 195 | ||
| 1874b6 | 196 | - name: Remove kubeadmin User |
| GC | 197 | when: |
| 198 | - admin_user is defined | |
| 917847 | 199 | - install_idm != "none" |
| bf4161 | 200 | - auth_remove_kubeadmin |
| 1874b6 | 201 | command: oc delete secret kubeadmin -n kube-system |
| GC | 202 | ignore_errors: true |
| 203 | ||
| 204 | - name: PostSoftware flight-check | |
| 205 | hosts: bastions | |
| 206 | run_once: yes | |
| 207 | gather_facts: false | |
| 208 | become: false | |
| 209 | tags: | |
| 210 | - post_flight_check | |
| 211 | tasks: | |
| 212 | - when: | |
| 213 | - install_ocp4 | d(False) | bool | |
| 214 | environment: | |
| 215 | KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig" | |
| 216 | ignore_errors: yes | |
| 217 | block: | |
| d62cea | 218 | - name: Get API for command line |
| GC | 219 | command: oc whoami --show-server |
| 220 | register: showserver | |
| 221 | ||
| 5a1cdb | 222 | - when: webconsole is not defined |
| GC | 223 | block: |
| 224 | - name: Get console route | |
| 225 | command: oc get route -n openshift-console console -o json | |
| 226 | register: routeconsole | |
| 227 | retries: 10 | |
| 228 | delay: 30 | |
| 229 | until: routeconsole is succeeded | |
| 230 | ignore_errors: yes | |
| 231 | ||
| 232 | - name: Set webconsole address | |
| 233 | set_fact: | |
| 234 | webconsole: "http://{{ routeconsole.stdout | from_json | json_query('spec.host') }}" | |
| 235 | when: routeconsole is succeeded | |
| 236 | ||
| 1874b6 | 237 | - name: Check DNS webconsole |
| GC | 238 | command: nslookup "{{ webconsole | urlsplit('hostname') }}" |
| 239 | register: checkdnswebconsole | |
| 240 | changed_when: false | |
| 241 | retries: 15 | |
| 242 | until: checkdnswebconsole is succeeded | |
| 243 | delay: 30 | |
| 244 | ||
| 245 | - name: Check DNS API | |
| 246 | command: nslookup "{{ showserver.stdout | trim | urlsplit('hostname') }}" | |
| 247 | register: checkdnsapi | |
| 248 | changed_when: false | |
| 249 | ||
| 250 | - name: Webconsole | |
| 251 | uri: | |
| 252 | url: "{{ webconsole }}" | |
| 253 | validate_certs: no | |
| 254 | register: testwebconsole | |
| 255 | retries: 5 | |
| 256 | until: testwebconsole is succeeded | |
| 257 | delay: 60 | |
| 258 | ||
| 259 | - name: Cluster-info | |
| 260 | command: oc cluster-info | |
| 261 | register: clusterinfor | |
| 262 | changed_when: false | |
| 263 | ||
| 264 | - name: Create project | |
| 265 | command: oc new-project postflightcheck | |
| 266 | register: newproject | |
| 267 | ||
| 268 | - name: New-app | |
| 269 | command: oc new-app cakephp-mysql-persistent -n postflightcheck | |
| 270 | register: newapp | |
| 271 | ||
| 272 | - name: Wait for mysql | |
| 273 | command: timeout 300 oc rollout status dc/mysql -w -n postflightcheck | |
| 274 | register: mysqlw | |
| 275 | changed_when: false | |
| 276 | ||
| 277 | - name: Wait for php | |
| 278 | command: timeout 300 oc rollout status dc/cakephp-mysql-persistent -w -n postflightcheck | |
| 279 | register: phpw | |
| 280 | changed_when: false | |
| 281 | retries: 2 | |
| 282 | delay: 60 | |
| 283 | until: phpw is succeeded | |
| 284 | ||
| 285 | - name: Get route | |
| 286 | command: >- | |
| 287 | oc get route | |
| 288 | -l template=cakephp-mysql-persistent | |
| 289 | --no-headers | |
| 290 | -o json | |
| 291 | -n postflightcheck | |
| 292 | register: getroute | |
| 293 | changed_when: false | |
| 294 | retries: 10 | |
| 295 | delay: 5 | |
| 296 | until: getroute is succeeded | |
| 297 | ||
| 298 | - name: Test that route is reachable | |
| 299 | uri: | |
| 300 | url: "http://{{ getroute.stdout|from_json|json_query('items[0].spec.host') }}" | |
| 301 | register: testroute | |
| 302 | retries: 15 | |
| 303 | delay: 5 | |
| 304 | until: testroute is succeeded | |
| 305 | ||
| 306 | - name: Delete project | |
| 307 | command: oc delete project postflightcheck | |
| 308 | ||
| 6a19bb | 309 | - name: Switch back to default project |
| GC | 310 | command: oc project default |
| 311 | ||
| 4663a0 | 312 | - agnosticd_user_info: |
| 1874b6 | 313 | msg: "{{ item }}" |
| GC | 314 | loop: |
| 4663a0 | 315 | - "" |
| JK | 316 | - "Post Flight Check" |
| 317 | - "DNS Web Console ............... {{ 'OK' if checkdnswebconsole.rc == 0 else 'FAIL' }}" | |
| 318 | - "DNS API ....................... {{ 'OK' if checkdnsapi.rc == 0 else 'FAIL' }}" | |
| 319 | - "Web console ................... {{ 'OK' if testwebconsole is succeeded else 'FAIL' }}" | |
| 320 | - "API ........................... {{ 'OK' if clusterinfor.rc == 0 else 'FAIL' }}" | |
| 321 | - "Create Project with PV ........ {{ 'OK' if newproject.rc == 0 else 'FAIL' }}" | |
| 322 | - "App deployed .................. {{ 'OK' if phpw.rc == 0 and mysqlw.rc == 0 else 'FAIL' }}" | |
| 323 | - "Route ......................... {{ 'OK' if testroute is succeeded else 'FAIL' }}" | |
| 1874b6 | 324 | |
| GC | 325 | - when: |
| 326 | - smoke_tests | bool | |
| 327 | - >- | |
| 328 | checkdnswebconsole.rc != 0 | |
| 329 | or checkdnsapi.rc != 0 | |
| 330 | or testwebconsole is failed | |
| 331 | or clusterinfor.rc != 0 | |
| 332 | or newproject.rc != 0 | |
| 333 | or phpw.rc != 0 | |
| 334 | or mysqlw.rc != 0 | |
| 335 | or testroute is failed | |
| 336 | fail: | |
| 337 | msg: "FAIL Smoke tests" | |
| 338 | ignore_errors: no | |
| 339 | ||
| 3bf619 | 340 | - name: Deploy Default, Infra and Student Workloads |
| WK | 341 | import_playbook: ocp_workloads.yml |
| 342 | ||
| 0b7d25 | 343 | - name: Enable Cluster Shutdown and Resume |
| WK | 344 | hosts: bastions |
| 345 | run_once: yes | |
| 346 | gather_facts: false | |
| 347 | become: false | |
| 348 | tasks: | |
| 349 | - when: | |
| 350 | - install_ocp4 | d(False) | bool | |
| 8c3473 | 351 | - ocp4_enable_cluster_shutdown | d(True) | bool |
| 0b7d25 | 352 | environment: |
| WK | 353 | KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig" |
| 354 | ignore_errors: yes | |
| 355 | block: | |
| 356 | - name: Create Daemon Set to renew Bootstrap Credentials | |
| 357 | k8s: | |
| 358 | state: present | |
| 359 | merge_type: | |
| 360 | - strategic-merge | |
| 361 | - merge | |
| a870c0 | 362 | definition: "{{ lookup('file', './files/kubelet-bootstrap-cred-manager-ds.yaml' ) | from_yaml }}" |
| 0b7d25 | 363 | - name: Delete initial Bootstrap Secrets to force regeneration |
| WK | 364 | k8s: |
| 365 | state: absent | |
| 366 | api_version: v1 | |
| 367 | kind: Secret | |
| 368 | name: "{{ item }}" | |
| 369 | namespace: openshift-kube-controller-manager-operator | |
| 370 | loop: | |
| 371 | - "csr-signer-signer" | |
| 372 | - "csr-signer" | |
| ec2b27 | 373 | # The next tasks are to fix the bug fixed in https://github.com/openshift/cluster-kube-controller-manager-operator/pull/305 |
| WK | 374 | # Also the operator dealing with prometheus adapters doesn't watch the certificates. |
| 375 | # Need to force it to reconcile | |
| 8b21f1 | 376 | - name: Wait 15 seconds before next command |
| WK | 377 | pause: |
| 378 | seconds: 15 | |
| ec2b27 | 379 | - name: Get Config Map Definition |
| WK | 380 | shell: oc get configmap extension-apiserver-authentication -n kube-system -o yaml >/tmp/extension-apiserver-authentication.yaml |
| 381 | - name: Add an empty line to config map file | |
| 382 | lineinfile: | |
| 383 | path: /tmp/extension-apiserver-authentication.yaml | |
| 384 | firstmatch: true | |
| 385 | insertafter: '-----END CERTIFICATE-----' | |
| 386 | line: '' | |
| 387 | - name: Update Config Map with new file | |
| 388 | k8s: | |
| 389 | state: present | |
| 390 | src: /tmp/extension-apiserver-authentication.yaml | |
| 43b8b8 | 391 | - name: Tell CloudForms we are done |
| ca6a6b | 392 | hosts: bastions |
| WK | 393 | run_once: yes |
| 394 | gather_facts: false | |
| 395 | become: false | |
| 396 | tasks: | |
| 397 | - debug: | |
| 470b13 | 398 | msg: "Post-Software checks completed successfully" |
