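---
# Implement your Workload deployment tasks here

# Announce which OpenShift user this workload is being provisioned for.
- name: Setting up workload for user
  debug:
    msg: "Setting up workload for user ocp_username = {{ ocp_username }}"

# Deploy the IdM server itself. become_override is consumed by the
# idm-server role (presumably to run its tasks with privilege escalation
# regardless of the play-level setting — confirm in the role).
# Written as a real boolean: `yes` is only a boolean under YAML 1.1 rules.
- include_role:
    name: idm-server
  vars:
    become_override: true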
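# /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role
# (presumably read by the route53 DNS-challenge provider selected below).
- name: Create Let's Encrypt Certificates
  include_role:
    name: host-lets-encrypt-certs-certbot
  # `vars` is a plain mapping. Ansible merges a list of one-key mappings
  # into one dict anyway, but the mapping is the documented form.
  vars:
    _certbot_domain: "{{ idm_dns_name }}"
    _certbot_wildcard_domain: "{{cluster_name}}{{subdomain_base_suffix}}"
    _certbot_dns_provider: "route53"
    # Certbot working tree and the install location of the issued cert,
    # both owned by the unprivileged remote user.
    _certbot_remote_dir: "/home/{{ ansible_user }}/idm"
    _certbot_remote_dir_owner: "{{ ansible_user }}"
    _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates"
    _certbot_install_dir_owner: "{{ ansible_user }}"
    _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz"
    # Booleans written canonically; `True` relied on YAML 1.1 truthy parsing.
    _certbot_renew_automatically: true
    _certbot_use_cache: true
    # NOTE(review): force_issue alongside use_cache looks contradictory —
    # confirm which one the role honours; issuing on every run counts
    # against the Let's Encrypt rate limits.
    _certbot_force_issue: true
    _certbot_production: true
    _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM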
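# Install the Let's Encrypt chain into IPA's trust store so IPA accepts
# the certbot-issued certificate that is installed further down.
# NOTE(review): DST Root CA X3 / Let's Encrypt Authority X3 are the
# pre-2021 chain; confirm the bundled PEM files still match the chain
# certbot actually issues.
- name: Get Root CA
  copy:
    src: ./files/DSTRootCAX3.pem
    dest: /tmp/DSTRootCAX3.pem

- name: Get Intermediate CA
  copy:
    src: ./files/LEAuthX3.pem
    dest: /tmp/LEAuthX3.pem

# NOTE(review): the PEM files are staged in world-writable /tmp by the
# unprivileged user and then installed as root; staging them in a
# private directory would remove the window in which another local
# account could replace them.
# NOTE(review): /bin/sh does not stop at the first failing command, so
# only the exit status of `ipa-certupdate` decides the task result —
# consider `set -e` once re-runs are known to be idempotent.
# `echo '…'` breaks if idm_admin_password contains a single quote.
- name: Install CAs
  shell: |
    echo '{{ idm_admin_password }}' | kinit admin
    ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
    ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,,
    ipa-certupdate -v
  become: true
  # Both passwords are expanded into the command line; keep them out of
  # the Ansible output and log (this also hides stdout/stderr on failure).
  no_log: true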
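# Replace IPA's HTTP (-w) and directory server (-d) certificates with the
# certbot-issued key/fullchain and restart IPA so the services pick it up.
- name: Install IPA Certificate
  shell: |
    ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p '{{ idm_dm_password }}' --pin=''
    ipactl restart
  become: true
  # The Directory Manager password is on the command line; do not log it.
  no_log: true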
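# Certbot runs everything under renewal-hooks/deploy after a successful
# renewal; the script and playbook dropped here presumably re-install the
# renewed certificate into IPA (see ./files/deploy_certs.sh).
# NOTE(review): the hook is owned by ansible_user; if the renewal cron job
# runs certbot as root, confirm this directory is not writable by any
# less-privileged account.
- name: Install redeploy hook scripts
  template:
    src: ./files/deploy_certs.sh
    dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/deploy_certs.sh"
    # Quoted so the YAML parser does not turn the octal mode into a decimal int.
    mode: "0775"
    owner: "{{ ansible_user }}"

- name: Install redeploy hook ansible components
  copy:
    src: "./files/{{ item }}"
    dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/{{ item }}"
    mode: "0664"
    owner: "{{ ansible_user }}"
  loop:
    - deploy_certs.yml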
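# The ec2_* modules below run on this host and need the AWS SDKs;
# become so they are installed system-wide.
- name: Install AWS python prerequisites
  become: true
  pip:
    state: present
    name:
      - boto
      - botocore
      - boto3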
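# Find public IP of bastion
- name: Gather VPC facts
  ec2_vpc_net_facts:
    filters:
      "tag:Name": "{{ aws_vpc_name }}"
    region: "{{ aws_region_final | default(aws_region) }}"
  # Not referenced by the visible tasks.
  register: vpc

- name: Get instance facts
  ec2_instance_facts:
    filters:
      # FIXME - find a better way to discover the bastion name
      "tag:Name": "{{ instances[0].name }}"
    region: "{{ aws_region_final | default(aws_region) }}"
  register: instancesr
  # The registered result is a dict and never has length 0; the check
  # has to look at the instance list itself (default guards a module failure).
  failed_when: instancesr.instances | default([]) | length == 0

# Pick the live instance: a terminated one keeps its Name tag and would
# otherwise be matched too. If several are alive the last one wins.
- name: Get non-terminated instance
  set_fact:
    ec2instance: "{{ item }}"
  with_items:
    - "{{ instancesr.instances }}"
  when: item.state.name != 'terminated'
  failed_when: ec2instance is undefined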
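# Make external DNS of IdM available to OpenShift cluster
- name: Get cluster metadata
  slurp:
    # Relative to the remote user's working directory; presumably the
    # installer asset directory named after the cluster — confirm.
    path: "{{ cluster_name }}/metadata.json"
  register: metadata

- name: Get cluster infrastructure ID
  set_fact:
    # Plain key lookup instead of json_query, which needs the jmespath
    # library on the controller; a missing key now fails here instead of
    # producing a "None-vpc" name.
    cluster_vpc_name: "{{ (metadata.content | b64decode | from_json).infraID }}-vpc"

- name: Gather Cluster VPC facts
  ec2_vpc_net_facts:
    filters:
      "tag:Name": "{{ cluster_vpc_name }}"
    region: "{{ aws_region_final | default(aws_region) }}"
  register: cluster_vpc
  failed_when: cluster_vpc.vpcs | length == 0

# Point the IdM hostname at the bastion inside the cluster's private
# hosted zone so cluster nodes resolve it.
- name: Create Private DNS Entry for IdM in cluster private zone
  route53:
    state: present
    overwrite: true
    private_zone: true
    record: "{{ idm_dns_name }}"
    type: A
    ttl: 60
    value: "{{ ec2instance.public_ip_address }}"
    zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
    vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"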
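# Wire the cluster's OAuth server to the local IdM LDAP. Every oc call
# here uses the installer-generated kubeconfig via the environment.
- name: Configure Local Authentication
  when:
    - install_ocp4 | d(False) | bool
    - install_idm is defined
  environment:
    KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
  block:
    - name: Set up Local IdM LDAP
      when:
        - install_idm == "local-ldap"
      block:
        - name: Create admin user
          when: admin_user is defined
          ipa_user:
            name: "{{ admin_user }}"
            password: "{{ admin_password }}"
            state: present
            givenname: OpenShift
            sn: Administrator
            mail:
              - "{{ email }}"
            ipa_host: "{{ idm_dns_name }}"
            ipa_user: admin
            ipa_pass: "{{ idm_admin_password }}"
          # The module arguments carry two passwords; make sure they never
          # reach the task output.
          no_log: true

        - name: Upload OAuth Configuration File
          template:
            src: "./files/oauth-ldap.yaml"
            dest: "/home/{{ ansible_user }}/oauth-ldap.yaml"
            owner: "{{ ansible_user }}"
            # Quoted so the octal mode is not parsed as a decimal int.
            mode: "0664"

        - name: Update OAuth Configuration
          # No shell features are needed, so run the binary directly.
          command: "oc apply -f /home/{{ ansible_user }}/oauth-ldap.yaml"

        # Drop the bootstrap kubeadmin login only once an IdM-backed admin
        # exists, otherwise the cluster would lose its only login.
        # ignore_errors covers re-runs where the secret is already gone.
        - name: Remove kubeadmin User
          when:
            - admin_user is defined
            - auth_remove_kubeadmin
          command: oc delete secret kubeadmin -n kube-system
          ignore_errors: true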
# Leave this as the last task in the playbook.
# Final marker the surrounding tooling looks for; silenced when `silent` is set.
- name: workload tasks complete
  when: not silent | bool
  debug:
    msg: "Workload Tasks completed successfully."