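---
# Post-software steps for the cluster: user setup on the bastion, cluster
# authentication, a flight check, workload deployment and a bootstrap
# credential renewal fix. Each play guards itself on its own install_*
# flags so partial deployments skip what does not apply.
- name: Step 00xxxxx post software
  hosts: bastions
  become: false
  gather_facts: false
  environment:
    # Absolute path here; later plays use a path relative to the login directory.
    KUBECONFIG: "/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig"
  tasks:
    - debug:
        msg: "Post-Software Steps starting"
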
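- name: Configure Bastion for CF integration
  hosts: bastions
  become: true
  gather_facts: false
  tags:
    - env-specific
    - cf_integration
    - opentlc_integration
  tasks:
    - when: install_opentlc_integration | bool
      block:
        - name: Include mgr_users vars
          include_vars:
            file: mgr_users.yml

        - name: Configure Bastion
          include_role:
            name: opentlc-integration
          vars:
            # Passed as a role variable, not as the task keyword; presumably
            # the role reads it -- verify in opentlc-integration.
            no_log: true

        # NOTE(review): the nesting below was reconstructed from a flattened
        # listing. The opentlc-mgr account comes from the role above, so these
        # tasks are kept inside the integration block; confirm against the
        # original file.
        - name: Configure opentlc-mgr, root and {{ remote_user }} when OpenShift installed
          when:
            - install_ocp4 | d(False) | bool
          block:
            - name: Create .kube for opentlc-mgr user
              file:
                path: /home/opentlc-mgr/.kube
                state: directory
                owner: opentlc-mgr
                group: opentlc-mgr
                mode: "0700"

            # opentlc-mgr receives the installer kubeconfig, i.e. the same
            # cluster privileges as {{ remote_user }}.
            - name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~opentlc-mgr
              copy:
                src: "/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig"
                dest: /home/opentlc-mgr/.kube/config
                remote_src: true
                owner: opentlc-mgr
                group: opentlc-mgr
                mode: "0600"

            - name: Set up Student User
              when: install_student_user | bool
              block:
                - name: Create .kube for {{ student_name }} user
                  file:
                    path: "/home/{{ student_name }}/.kube"
                    state: directory
                    owner: "{{ student_name }}"
                    mode: "0700"

                # The student gets the same kubeconfig as {{ remote_user }}.
                - name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~{{ student_name }}
                  copy:
                    src: "/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig"
                    dest: "/home/{{ student_name }}/.kube/config"
                    remote_src: true
                    owner: "{{ student_name }}"
                    mode: "0600"

                - name: Setup mount bind for cluster directory
                  # Read-only bind mount of the whole cluster directory (which
                  # includes auth/ with the kubeconfig) into the student's home.
                  # become is already set at play level; kept for clarity.
                  become: true
                  mount:
                    path: "/home/{{ student_name }}/{{ cluster_name }}"
                    src: "/home/{{ remote_user }}/{{ cluster_name }}"
                    fstype: none
                    opts: defaults,bind,ro
                    state: mounted

            - name: Create OpenShift Bash completion file
              shell: oc completion bash >/etc/bash_completion.d/openshift

            - name: Configure bashrc to include KUBECONFIG
              # Idempotent replacement for `echo ... >> .bashrc`, which appended
              # a duplicate export line on every run.
              lineinfile:
                path: "/home/{{ remote_user }}/.bashrc"
                regexp: '^export KUBECONFIG='
                line: "export KUBECONFIG=/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig"
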
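- name: Set up Authentication
  hosts: bastions
  become: false
  gather_facts: false
  run_once: true
  tags:
    - env-specific
    - setup-authentication
  tasks:
    - when:
        - install_ocp4 | d(False) | bool
        - install_idm is defined
      environment:
        # Relative path: relies on the SSH login directory being the home
        # directory that holds the cluster directory.
        KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
      block:
        - name: Set up htpasswd
          when:
            - install_idm == "htpasswd"
          block:
            - name: Generate htpasswd hash for user_password
              # argv form: the password is one argument and is never parsed by
              # a shell. no_log keeps it and the hash out of the play output.
              # The hash algorithm is htpasswd's default, as before.
              # NOTE(review): -nb still places the password on the process
              # command line; `-ni` with `args: stdin:` would avoid that.
              command:
                argv:
                  - htpasswd
                  - "-nb"
                  - userN
                  - "{{ user_password }}"
              register: htpasswd_line
              no_log: true
              when:
                - user_password is defined
                - user_password_hash is not defined

            - name: Set fact user_password_hash
              # htpasswd -n prints "userN:<hash>"; keep what follows the first
              # colon (what `cut -d: -f2` did before).
              set_fact:
                user_password_hash: "{{ htpasswd_line.stdout | regex_replace('^[^:]*:', '') }}"
              no_log: true
              when:
                - user_password is defined
                - user_password_hash is not defined
                - htpasswd_line is succeeded

            - name: Generate htpasswd hash for admin user
              command:
                argv:
                  - htpasswd
                  - "-nb"
                  - admin
                  - "{{ admin_password }}"
              register: htpasswd_line
              no_log: true
              when:
                - admin_password_hash is not defined
                - admin_password is defined

            - name: Set fact admin_password_hash
              set_fact:
                admin_password_hash: "{{ htpasswd_line.stdout | regex_replace('^[^:]*:', '') }}"
              no_log: true
              when:
                - admin_password is defined
                - admin_password_hash is not defined
                - htpasswd_line is succeeded

            - name: Set fact user_count
              set_fact:
                user_count: 200
              when:
                - user_count is not defined

            - name: Generate htpasswd file
              # Contains password hashes: owner-only access (was 0664).
              template:
                src: "./files/htpasswd.j2"
                dest: "/home/{{ ansible_user }}/users.htpasswd"
                owner: "{{ ansible_user }}"
                mode: "0600"

            - name: Upload OAuth Configuration File
              copy:
                src: "./files/oauth-htpasswd.yaml"
                dest: "/home/{{ ansible_user }}/oauth-htpasswd.yaml"
                owner: "{{ ansible_user }}"
                mode: "0664"

            - name: Create htpasswd Secret
              # Uses the exact path the template wrote to instead of relying on
              # $HOME expansion. Only "already exists" is tolerated; any other
              # error must fail the play, otherwise the OAuth config applied
              # below points at a secret that is not there. Note that an
              # existing secret is not updated by `oc create`.
              command: >-
                oc create secret generic htpasswd-secret
                -n openshift-config
                --from-file=htpasswd=/home/{{ ansible_user }}/users.htpasswd
              register: r_htpasswd_secret
              failed_when:
                - r_htpasswd_secret.rc != 0
                - "'AlreadyExists' not in r_htpasswd_secret.stderr"

            - name: Update OAuth Configuration
              command: "oc apply -f /home/{{ ansible_user }}/oauth-htpasswd.yaml"

        - name: Set up OpenTLC LDAP
          when:
            - install_idm == "ldap"
          block:
            - name: Check for LDAP Bind Password
              fail:
                msg: LDAP Authentication is configured but LDAP BindPassword (bindPassword) is not defined.
              when: bindPassword is not defined

            - name: Get IPA CA Cert
              # NOTE(review): the CA that the cluster will trust for LDAP is
              # fetched from idm_ca_url; it should be an https URL so the
              # default certificate validation of get_url applies.
              get_url:
                url: "{{ idm_ca_url }}"
                dest: "/home/{{ ansible_user }}/ipa-ca.crt"
                mode: "0660"

            - name: Create IPA CA Cert ConfigMap
              command: >-
                oc create configmap opentlc-ldap-ca-cert
                --from-file=ca.crt=/home/{{ ansible_user }}/ipa-ca.crt
                -n openshift-config
              register: r_ldap_ca_cm
              failed_when:
                - r_ldap_ca_cm.rc != 0
                - "'AlreadyExists' not in r_ldap_ca_cm.stderr"

            - name: Create LDAP Bind Password Secret
              # argv form: the bind password is a single argument and is not
              # shell-parsed (in the former shell form a `"`, `$` or backtick
              # in the password was interpreted by the shell). no_log keeps
              # the password out of the play output.
              command:
                argv:
                  - oc
                  - create
                  - secret
                  - generic
                  - opentlc-ldap-secret
                  - "--from-literal=bindPassword={{ bindPassword }}"
                  - "-n"
                  - openshift-config
              register: r_ldap_secret
              no_log: true
              failed_when:
                - r_ldap_secret.rc != 0
                - "'AlreadyExists' not in r_ldap_secret.stderr"

            - name: Upload OAuth Configuration File
              copy:
                src: "./files/oauth-opentlc-ldap.yaml"
                dest: "/home/{{ ansible_user }}/oauth-opentlc-ldap.yaml"
                owner: "{{ ansible_user }}"
                mode: "0664"

            - name: Update OAuth Configuration
              command: "oc apply -f /home/{{ ansible_user }}/oauth-opentlc-ldap.yaml"

        - name: Set up Admin User
          when: admin_user is defined
          command: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}"
          # try for 5 minutes
          retries: 30
          delay: 10
          register: r_setup_admin_user
          until: r_setup_admin_user is succeeded

        - name: Remove kubeadmin User
          when:
            - admin_user is defined
            - install_idm != "none"
            - auth_remove_kubeadmin | bool
          command: oc delete secret kubeadmin -n kube-system
          register: r_remove_kubeadmin
          # A re-run finds the secret already gone; that is not an error.
          failed_when:
            - r_remove_kubeadmin.rc != 0
            - "'NotFound' not in r_remove_kubeadmin.stderr"
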
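- name: PostSoftware flight-check
  hosts: bastions
  run_once: true
  gather_facts: false
  become: false
  tags:
    - post_flight_check
  tasks:
    - when:
        - install_ocp4 | d(False) | bool
      environment:
        # Relative path; relies on the login directory holding the cluster directory.
        KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
      # Every check is allowed to fail; the summary and the final smoke-test
      # task below decide whether the play fails.
      ignore_errors: true
      block:
        - name: Get API for command line
          command: oc whoami --show-server
          register: showserver

        - when: webconsole is not defined
          block:
            - name: Get console route
              command: oc get route -n openshift-console console -o json
              register: routeconsole
              retries: 10
              delay: 30
              until: routeconsole is succeeded
              ignore_errors: true

            - name: Set webconsole address
              set_fact:
                webconsole: "http://{{ routeconsole.stdout | from_json | json_query('spec.host') }}"
              when: routeconsole is succeeded

        - name: Check DNS webconsole
          command: nslookup "{{ webconsole | urlsplit('hostname') }}"
          register: checkdnswebconsole
          changed_when: false
          retries: 15
          until: checkdnswebconsole is succeeded
          delay: 30

        - name: Check DNS API
          command: nslookup "{{ showserver.stdout | trim | urlsplit('hostname') }}"
          register: checkdnsapi
          changed_when: false

        - name: Webconsole
          # Reachability probe only, not a trust check: certificate validation
          # is off (the console cert is presumably not publicly trusted here).
          uri:
            url: "{{ webconsole }}"
            validate_certs: false
          register: testwebconsole
          retries: 5
          until: testwebconsole is succeeded
          delay: 60

        - name: Cluster-info
          command: oc cluster-info
          register: clusterinfor
          changed_when: false

        - name: Create project
          command: oc new-project postflightcheck
          register: newproject

        - name: New-app
          command: oc new-app cakephp-mysql-persistent -n postflightcheck
          register: newapp

        - name: Wait for mysql
          command: timeout 300 oc rollout status dc/mysql -w -n postflightcheck
          register: mysqlw
          changed_when: false

        - name: Wait for php
          command: timeout 300 oc rollout status dc/cakephp-mysql-persistent -w -n postflightcheck
          register: phpw
          changed_when: false
          retries: 2
          delay: 60
          until: phpw is succeeded

        - name: Get route
          command: >-
            oc get route
            -l template=cakephp-mysql-persistent
            --no-headers
            -o json
            -n postflightcheck
          register: getroute
          changed_when: false
          retries: 10
          delay: 5
          until: getroute is succeeded

        - name: Test that route is reachable
          uri:
            url: "http://{{ getroute.stdout|from_json|json_query('items[0].spec.host') }}"
          register: testroute
          retries: 15
          delay: 5
          until: testroute is succeeded

        - name: Delete project
          command: oc delete project postflightcheck

        - name: Switch back to default project
          command: oc project default

        # rc is read with a default of 1 so that a task which failed before
        # producing a return code (e.g. an undefined webconsole) reports FAIL
        # instead of breaking the summary itself.
        - agnosticd_user_info:
            msg: "{{ item }}"
          loop:
            - ""
            - "Post Flight Check"
            - "DNS Web Console ............... {{ 'OK' if checkdnswebconsole.rc | d(1) == 0 else 'FAIL' }}"
            - "DNS API ....................... {{ 'OK' if checkdnsapi.rc | d(1) == 0 else 'FAIL' }}"
            - "Web console ................... {{ 'OK' if testwebconsole is succeeded else 'FAIL' }}"
            - "API ........................... {{ 'OK' if clusterinfor.rc | d(1) == 0 else 'FAIL' }}"
            - "Create Project with PV ........ {{ 'OK' if newproject.rc | d(1) == 0 else 'FAIL' }}"
            - "App deployed .................. {{ 'OK' if phpw.rc | d(1) == 0 and mysqlw.rc | d(1) == 0 else 'FAIL' }}"
            - "Route ......................... {{ 'OK' if testroute is succeeded else 'FAIL' }}"

        - when:
            - smoke_tests | bool
            - >-
              checkdnswebconsole.rc | d(1) != 0
              or checkdnsapi.rc | d(1) != 0
              or testwebconsole is failed
              or clusterinfor.rc | d(1) != 0
              or newproject.rc | d(1) != 0
              or phpw.rc | d(1) != 0
              or mysqlw.rc | d(1) != 0
              or testroute is failed
          fail:
            msg: "FAIL Smoke tests"
          # Overrides the block-level ignore_errors: this one must stop the run.
          ignore_errors: false
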
# Hands off to the workload playbook after authentication and the flight
# check; it runs with whatever variables this playbook was invoked with.
- name: Deploy Default, Infra and Student Workloads
  import_playbook: ocp_workloads.yml

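- name: Enable Cluster Shutdown and Resume
  hosts: bastions
  run_once: true
  gather_facts: false
  become: false
  tasks:
    - when:
        - install_ocp4 | d(False) | bool
        - ocp4_enable_cluster_shutdown | d(True) | bool
      environment:
        # Relative path; relies on the login directory holding the cluster directory.
        KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
      # Best-effort: none of these tasks may fail the deployment.
      ignore_errors: true
      block:
        - name: Create Daemon Set to renew Bootstrap Credentials
          k8s:
            state: present
            merge_type:
              - strategic-merge
              - merge
            definition: "{{ lookup('file', './files/kubelet-bootstrap-cred-manager-ds.yaml' ) | from_yaml }}"

        - name: Delete initial Bootstrap Secrets to force regeneration
          k8s:
            state: absent
            api_version: v1
            kind: Secret
            name: "{{ item }}"
            namespace: openshift-kube-controller-manager-operator
          loop:
            - "csr-signer-signer"
            - "csr-signer"

        # The next tasks are to fix the bug fixed in https://github.com/openshift/cluster-kube-controller-manager-operator/pull/305
        # Also the operator dealing with prometheus adapters doesn't watch the certificates.
        # Need to force it to reconcile
        - name: Wait 15 seconds before next command
          pause:
            seconds: 15

        - name: Create private temporary file for the config map
          # The previous fixed path under /tmp could be pre-created by any
          # local user, and its content is applied back into kube-system.
          # tempfile creates a fresh, owner-only file at an unpredictable path.
          tempfile:
            state: file
            suffix: extension-apiserver-authentication.yaml
          register: r_cm_tmp

        - name: Get Config Map Definition
          shell: "oc get configmap extension-apiserver-authentication -n kube-system -o yaml >{{ r_cm_tmp.path }}"

        - name: Add an empty line to config map file
          # A no-op content change so the operators watching the config map reconcile.
          lineinfile:
            path: "{{ r_cm_tmp.path }}"
            firstmatch: true
            insertafter: '-----END CERTIFICATE-----'
            line: ''

        - name: Update Config Map with new file
          k8s:
            state: present
            src: "{{ r_cm_tmp.path }}"

        - name: Remove temporary config map file
          file:
            path: "{{ r_cm_tmp.path }}"
            state: absent
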
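- name: Tell CloudForms we are done
  hosts: bastions
  run_once: true
  gather_facts: false
  become: false
  tasks:
    # Final marker message; despite the play name, the only visible action
    # here is this debug output.
    - debug:
        msg: "Post-Software checks completed successfully"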