RedHatTraining/agnosticd.git

Set of fixes to make the provisioning of DO999 and DO280 courses compatible...

Razique Mahroua

2020-03-18 b85c91a8192593f6b62f93e11c971868964343a9

commit \| author \| age
bf4161	1	---
JR	2	# Implement your Workload deployment tasks here
	3
	4	- name: Setting up workload for user
	5	debug:
	6	msg: "Setting up workload for user ocp_username = {{ ocp_username }}"
	7
	8	- include_role:
	9	name: idm-server
	10	vars:
	11	become_override: yes
	12
0d0d0e	13	# /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role
JR	14	- name: Create Let's Encrypt Certificates
	15	include_role:
	16	name: host-lets-encrypt-certs-certbot
	17	vars:
	18	- _certbot_domain: "{{ idm_dns_name }}"
	19	- _certbot_wildcard_domain: "{{cluster_name}}{{subdomain_base_suffix}}"
	20	- _certbot_dns_provider: "route53"
	21	- _certbot_remote_dir: "/home/{{ ansible_user }}/idm"
	22	- _certbot_remote_dir_owner: "{{ ansible_user }}"
	23	- _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates"
	24	- _certbot_install_dir_owner: "{{ ansible_user }}"
	25	- _certbot_cache_archive_file: "{{ output_dir\|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz"
	26	- _certbot_renew_automatically: True
	27	- _certbot_use_cache: True
b85c91	28	- _certbot_force_issue: True
0d0d0e	29	- _certbot_production: True
JR	30	- _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM
	31
	32	- name: Get Root CA
	33	copy:
	34	src: ./files/DSTRootCAX3.pem
	35	dest: /tmp/DSTRootCAX3.pem
	36
	37	- name: Get Intermediate CA
	38	copy:
	39	src: ./files/LEAuthX3.pem
	40	dest: /tmp/LEAuthX3.pem
	41
	42	- name: Install CAs
	43	shell: \|
30a6b5	44	echo '{{ idm_admin_password }}' \| kinit admin
JR	45	ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
	46	ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,,
0d0d0e	47	ipa-certupdate -v
JR	48	become: True
	49
	50	- name: Install IPA Certificate
	51	shell: \|
30a6b5	52	ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p '{{ idm_dm_password }}' --pin=''
0d0d0e	53	ipactl restart
JR	54	become: True
	55
	56	- name: Install redeploy hook scripts
	57	template:
	58	src: ./files/deploy_certs.sh
30a6b5	59	dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/deploy_certs.sh"
0d0d0e	60	mode: 0775
JR	61	owner: "{{ ansible_user }}"
	62	- name: Install redeploy hook ansible components
	63	copy:
	64	src: "./files/{{ item }}"
30a6b5	65	dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/{{ item }}"
0d0d0e	66	mode: 0664
JR	67	owner: "{{ ansible_user }}"
	68	loop:
	69	- deploy_certs.yml
	70
30a6b5	71	- name: Install AWS python prerequisites
JR	72	become: True
	73	pip:
	74	state: present
	75	name:
	76	- boto
	77	- botocore
	78	- boto3
	79
bf4161	80	# Find public IP of bastion
JR	81	- name: Gather VPC facts
	82	ec2_vpc_net_facts:
	83	filters:
	84	tag:Name: "{{ aws_vpc_name }}"
	85	region: "{{ aws_region_final \| default(aws_region) }}"
	86	register: vpc
	87
	88	- name: Get instance facts
	89	ec2_instance_facts:
	90	filters:
	91	# FIXME - find a better way to discover the bastion name
	92	"tag:Name": "{{ instances[0].name }}"
	93	region: "{{ aws_region_final \| default(aws_region) }}"
	94	register: instancesr
	95	failed_when: instancesr\|length == 0
	96
	97	- name: Get non-terminated instance
	98	set_fact:
	99	ec2instance: "{{ item }}"
	100	with_items:
	101	- "{{ instancesr.instances }}"
	102	when: not item.state.name == 'terminated'
	103	failed_when: ec2instance is undefined
	104
	105	# Make external DNS of IdM available to OpenShift cluster
	106	- name: Get cluster metadata
	107	slurp:
	108	path: "{{ cluster_name }}/metadata.json"
	109	register: metadata
	110
	111	- name: Get cluster infrastructure ID
	112	set_fact:
	113	cluster_vpc_name: "{{ metadata.content \| b64decode \| from_json \| json_query('infraID')}}-vpc"
	114
	115	- name: Gather Cluster VPC facts
	116	ec2_vpc_net_facts:
	117	filters:
	118	tag:Name: "{{ cluster_vpc_name }}"
	119	region: "{{ aws_region_final \| default(aws_region) }}"
	120	register: cluster_vpc
	121	failed_when: cluster_vpc.vpcs \| length == 0
	122
	123	- name: Create Private DNS Entry for IdM in cluster private zone
	124	route53:
	125	state: present
	126	overwrite: yes
	127	private_zone: yes
	128	record: "{{ idm_dns_name }}"
	129	type: A
	130	ttl: 60
	131	value: "{{ ec2instance.public_ip_address }}"
	132	zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
	133	vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
	134
	135	- name: Configure Local Authentication
	136	when:
	137	- install_ocp4 \| d(False) \| bool
	138	- install_idm is defined
	139	environment:
	140	KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
	141	block:
	142	- name: Set up Local IdM LDAP
	143	when:
	144	- install_idm == "local-ldap"
	145	block:
	146	- name: Create admin user
	147	when: admin_user is defined
	148	ipa_user:
	149	name: "{{ admin_user }}"
	150	password: "{{ admin_password }}"
	151	state: present
	152	givenname: OpenShift
	153	sn: Administrator
	154	mail:
	155	- "{{ email }}"
	156	ipa_host: "{{ idm_dns_name }}"
	157	ipa_user: admin
	158	ipa_pass: "{{ idm_admin_password }}"
	159	- name: Upload OAuth Configuration File
	160	template:
	161	src: "./files/oauth-ldap.yaml"
	162	dest: "/home/{{ ansible_user }}/oauth-ldap.yaml"
	163	owner: "{{ ansible_user }}"
	164	mode: 0664
	165	- name: Update OAuth Configuration
	166	shell: "oc apply -f /home/{{ ansible_user }}/oauth-ldap.yaml"
	167	- name: Remove kubeadmin User
	168	when:
	169	- admin_user is defined
	170	- auth_remove_kubeadmin
	171	command: oc delete secret kubeadmin -n kube-system
	172	ignore_errors: true
	173
	174	# Leave this as the last task in the playbook.
	175	- name: workload tasks complete
	176	debug:
	177	msg: "Workload Tasks completed successfully."
	178	when: not silent\|bool