c0aee3 1 ---
6363e8 2 ## TODO: What variables can we strip out of here to build complex variables?
S 3 ## i.e. what can we add into group_vars as opposed to config_vars?
4 ## Example: We don't really need "subdomain_base_short". If we want to keep using it,
5 ## we should just put it in group_vars/all.
6 ### Also, we should probably just create a variable reference in the README.md
7 ### For now, just tagging comments in line with configuration file.
8
c6075f 9 ### Vars that can be removed:
S 10 # use_satellite: true
11 # use_subscription_manager: false
12 # use_own_repos: false
13
6363e8 14 ###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYMENT
S 15 ###### OR PASS as "-e" args to ansible-playbook command
c6075f 16
S 17 ### Common Host settings
18 repo_method: file # Other Options are: file, satellite and rhn
0f4134 19 osrelease: 3.10.34
beeb39 20 repo_version: "{{ osrelease | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2')  }}"
GC 21
0f4134 22
WK 23 ### Authentication for the Red Hat Registry (registry.redhat.io); needs to be a user that can log into
24 ### the customer portal. Not required before 3.11.
25 ### Best to set these via the command line (-e) rather than storing credentials in this file.
26 redhat_registry_user: ""
27 redhat_registry_password: ""
f9cbd0 28
c6075f 29 # If using repo_method: satellite, you must set these values as well.
b1612f 30 # satellite_url: https://satellite.example.com
S 31 # satellite_org: Sat_org_name
32 # satellite_activationkey: "rhel7basic"
f9cbd0 33
WK 34 # Do you want to run a full yum update
35 update_packages: true
b1612f 36
c6075f 37 ## guid is the deployment unique identifier, it will be appended to all tags,
S 38 ## files and anything that identifies this environment from another "just like it"
39 guid: defaultguid
3cc138 40
GC 41 # This var is used to identify the stack (cloudformation, azure resourcegroup, ...)
42 project_tag: "{{ env_type }}-{{ guid }}"
6363e8 43
acbd9a 44 ## SB Don't set software_to_deploy from here; always use extra vars (-e), otherwise "none" will be used
S 45 #software_to_deploy: openshift
c6075f 46 deploy_openshift: true
S 47 deploy_openshift_post: true
48 deploy_env_post: true
f9cbd0 49
WK 50 install_bastion: true
51 install_common: true
52 install_nfs: true
8c678c 53 install_dynamic_nfs: false
f9cbd0 54 install_glusterfs: false
WK 55 install_opentlc_integration: true
6fc3fd 56 install_zabbix: false
060b1f 57 install_prometheus: false
78d110 58 install_ipa_client: false
e1ceae 59 install_openwhisk: false
c6075f 60 install_metrics: true
S 61 install_logging: true
f9cbd0 62 install_aws_broker: false
379649 63 install_nexus: true
5f069b 64 install_openshiftapb: false
24284e 65 install_maistra: false
WK 66 install_lets_encrypt_certificates: false
30def6 67 # Set lets_encrypt_production to false when running tests.
WK 68 # This avoids hitting the Let's Encrypt rate limiter
69 # when requesting lots of certificates.
24284e 70 # Set it to true for "real" certificates.
WK 71 lets_encrypt_production: true
6ce369 72
f9cbd0 73 glusterfs_device_name: /dev/xvdc
190a8d 74 glusterfs_device_size: 1500
72ec3e 75 glusterfs_image_tag: v3.10
f9cbd0 76
WK 77 ocp_report: false
78 remove_self_provisioners: false
79 idm_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
80 zabbix_host: 23.246.247.58
81
82 # Options for container_runtime: docker, cri-o
83 container_runtime: "docker"
924662 84 docker_version: "{{ '1.12.6' if repo_version is version_compare('3.9', '<')  else '1.13.1' }}"
c6075f 85 docker_device: /dev/xvdb
S 86
87 ### If you want a Key Pair name created and injected into the hosts,
88 # set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
89 # you can use the key used to create the environment or use your own self generated key
90 # if you set "use_own_key" to false, your PRIVATE key ({{key_name}}) will be copied to the bastion.
91
92 use_own_key: true
6363e8 93 env_authorized_key: "{{guid}}key"
c6075f 94 ansible_ssh_private_key_file: ~/.ssh/{{key_name}}.pem
6363e8 95 set_env_authorized_key: true
c6075f 96
S 97 # Is this running from Red Hat Ansible Tower
98 tower_run: false
99
100 admin_user: opentlc-mgr
101 admin_project: "ocp-workshop"
3cc138 102
8b8801 103 # UI Customizations
JM 104 enable_workshops_catalog: false
105
4cac96 106 # Red Hat Registry Location
WK 107 redhat_registry: "{{ 'registry.access.redhat.com' if repo_version is version_compare('3.11', '<')  else 'registry.redhat.io' }}"
108
acbd9a 109 ### Azure
3cc138 110
GC 111 # Create a dedicated resourceGroup for this deployment
112 az_destroy_method: resource_group
113 az_resource_group: "{{ project_tag }}"
114
115 # You can operate differently: if you share one resourceGroup for all your deployments,
116 # you can specify a different resourceGroup and destroy method:
117 #az_destroy_method: deployment
118 #az_resource_group: my-shared-resource-group
78ff23 119 #az_storage_account_type: Premium_LRS
c6075f 120
S 121 ### AWS EC2 Environment settings
122
123 ### Route 53 Zone ID (AWS)
124 # This is the Route53 HostedZoneId where you will create your Public DNS entries
125 # This only needs to be defined if your CF template uses route53
126 HostedZoneId: Z1TQFSYFZUAO0D
127 # The region to be used, if not specified by -e in the command line
128 aws_region: us-east-1
129 # The key pair name used to connect to the hosts (see ansible_ssh_private_key_file above)
130 key_name: "default_key_name"
131
6363e8 132 ## Networking (AWS)
S 133 subdomain_base_short: "{{ guid }}"
134 subdomain_base_suffix: ".openshift.opentlc.com"
135 subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}"
136
137 ## Environment Sizing
138
139 bastion_instance_type: "t2.large"
752d49 140 master_instance_type: "m4.4xlarge"
6363e8 141 etcd_instance_type: "{{master_instance_type}}"
752d49 142 infranode_instance_type: "m4.4xlarge"
WK 143 node_instance_type: "m4.4xlarge"
4cac96 144 support_instance_type: "m4.4xlarge"
WK 145 nfs_instance_type: "{{ support_instance_type }}"
6363e8 146
c6075f 147 node_instance_count: 5
6363e8 148 infranode_instance_count: 1
S 149 master_instance_count: 1
740f49 150 support_instance_count: "{{ 3 if install_glusterfs|bool else 1 }}"
25a97a 151 # scaleup
GC 152 new_node_instance_count: 0
6363e8 153
S 154 ###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYMENT
0f4134 155 timeout: 60
c6075f 156
S 157 ## This might get removed
158 env_specific_images:
4cac96 159 #  - "{{ redhat_registry }}/openshift3/jenkins-2-rhel7:v{{ repo_version }}"
WK 160 #  - "{{ redhat_registry }}/openshift3/ose-recycler:v{{ repo_version }}"
c6075f 161
S 162 #### Vars for the OpenShift Ansible hosts file
163 master_api_port: 443
3d92a1 164 ovs_plugin: "subnet" # This can also be set to: "multitenant" or "networkpolicy"
c6075f 165 multi_tenant_setting: "os_sdn_network_plugin_name='redhat/openshift-ovs-{{ovs_plugin}}'"
S 166 master_lb_dns: "master.{{subdomain_base}}"
0f4134 167 master_lb_private_dns: "master1.{{ guid }}.internal"
WK 168
169 openshift_master_overwrite_named_certificates: true
c6075f 170
6eaf0f 171 lets_encrypt_openshift_master_named_certificates:
GC 172   - certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer"
173     keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key"
174     cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer"
175
176 lets_encrypt_openshift_hosted_router_certificate:
177   certfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer"
178   keyfile: "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key"
179   cafile: "/root/.acme.sh/{{ master_lb_dns }}/ca.cer"
180
c6075f 181 project_request_message: 'To provision Projects you must request access in https://labs.opentlc.com or https://rhpds.redhat.com'
S 182
183 cloudapps_suffix: 'apps.{{subdomain_base}}'
184
4b23ce 185 ########## OCP identity providers
GC 186 # Options for install_idm: allow_all, htpasswd, ldap, ...  see the available_identity_providers map below
acbd9a 187 install_idm: htpasswd
4b23ce 188
GC 189 # if you want to install several identity providers, just pick from the
190 # available_identity_providers list:
191 install_idms:
192   - "{{ install_idm }}"
193
194 # This var is empty by default.
195 # Every idm in the list 'install_idms' will be added, using the 'available_identity_providers' map
196 # you can:
197 #   - directly override the 'identity_providers' list
198 # or
199 #   - add an option to 'available_identity_providers' and then
200 #     reference it in 'install_idm' or the 'install_idms' list
201 identity_providers: []
202
203 openshift_master_ldap_ca_file: 'openshift_master_ldap_ca_file=/root/ca.crt'
204
205 available_identity_providers:
206   ldap:
904a6e 207     name: 'OpenTLC IPA'
051d60 208     challenge: 'true'
WK 209     login: 'true'
904a6e 210     kind: 'LDAPPasswordIdentityProvider'
4b23ce 211     attributes:
GC 212       id: ['dn']
213       email: ['mail']
214       name: ['cn']
215       preferredUsername: ['uid']
904a6e 216     bindDN: 'uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com'
4b23ce 217     bindPassword: "{{bindPassword|d('NOT_DEFINED')}}"
GC 218     ca: ipa-ca.crt
c683e3 219     insecure: 'false'
4b23ce 220     url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid
GC 221
222   ssodev:
223     name: ssodev-iad00
051d60 224     challenge: 'false'
WK 225     login: 'true'
4b23ce 226     kind: OpenIDIdentityProvider
GC 227     clientID: "{{ opentlc_ssodev_client_id|d('NOT_DEFINED') }}"
228     clientSecret: "{{ opentlc_ssodev_client_secret|d('NOT_DEFINED') }}"
229     ca: lets-encrypt-x3-cross-signed.pem.txt
230     urls:
231       authorize: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/auth
232       token: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/token
233       userInfo: https://ssodev-iad00.opentlc.com:8443/auth/realms/ipatest/protocol/openid-connect/userinfo
234     claims:
235       id:
236         - sub
237       preferredUsername:
238         - preferred_username
239       name:
240         - name
241       email:
242         - email
243
244   allow_all:
245     name: allow_all
051d60 246     login: 'true'
WK 247     challenge: 'true'
4b23ce 248     kind: AllowAllPasswordIdentityProvider
GC 249
250   htpasswd:
251     name: htpasswd_auth
051d60 252     login: 'true'
WK 253     challenge: 'true'
4b23ce 254     kind: HTPasswdPasswordIdentityProvider
GC 255     filename: /etc/origin/master/htpasswd
256
a80496 257 admission_plugin_config:
GC 258   MutatingAdmissionWebhook:
61890d 259     configuration:
GC 260       apiVersion: v1
f3cbc0 261       disable: false
61890d 262       kind: DefaultAdmissionConfig
GC 263   ValidatingAdmissionWebhook:
264     configuration:
265       apiVersion: v1
f3cbc0 266       disable: false
61890d 267       kind: DefaultAdmissionConfig
GC 268
6363e8 269 ###### Variables you can override, but usually wouldn't need to.
S 270 ansible_ssh_user: ec2-user
271 remote_user: ec2-user
272
273 common_packages:
274   - python
275   - unzip
276   - bash-completion
277   - tmux
278   - bind-utils
279   - wget
16819c 280   - nano
6363e8 281   - ansible
S 282   - git
283   - vim-enhanced
c29152 284   - at
641971 285   - sysstat
GC 286   - strace
8be2ef 287   - net-tools
WK 288   - iptables-services
289   - bridge-utils
290   - kexec-tools
291   - sos
292   - psacct
cf6128 293   - iotop
2c52bd 294   - rsync
6363e8 295
S 296 rhel_repos:
297   - rhel-7-server-rpms
298   - rhel-7-server-extras-rpms
299   - rhel-7-server-ose-{{repo_version}}-rpms
300
b1612f 301 # use_subscription_manager: false
S 302 # use_own_repos: true
303 #
e384de 304 rhn_pool_id_string: OpenShift Container Platform
6363e8 305
S 306 ## NFS Server settings
307 nfs_vg: nfsvg
740f49 308 nfs_pvs: /dev/xvdd
6363e8 309 nfs_export_path: /srv/nfs
06ebeb 310 nfs_size: 200
6363e8 311
S 312 nfs_shares:
313   - user-vols
314
315 ocp_pvs:
983ad9 316 #   - nexus3
6363e8 317
S 318 user_vols: 200
983ad9 319 user_vols_size: 10Gi
abd9e5 320 user_count: 200
6363e8 321
4cac96 322 # The logic for cache_images is disabled in install_docker.yml, so this has no effect.
6363e8 323 cache_images:
4cac96 324   - "{{ redhat_registry }}/openshift3/jenkins-2-rhel7:v{{ repo_version }}"
WK 325   - "{{ redhat_registry }}/openshift3/ose-recycler:v{{ repo_version }}"
6363e8 326
S 327 ### CLOUDFORMATIONS vars
feca86 328
6363e8 329 zone_internal_dns: "{{guid}}.internal."
S 330 chomped_zone_internal_dns: "{{guid}}.internal"
feca86 331
ed0fa8 332 cloudapps_record: '*.apps'
GC 333 cloudapps_dns: '{{cloudapps_record}}.{{subdomain_base}}.'
6363e8 334
S 335 master_public_dns: "master.{{subdomain_base}}."
336 bastion_public_dns: "bastion.{{subdomain_base}}."
51e41b 337 certtest_public_dns: "certtest.{{subdomain_base}}."
8b25d6 338 bastion_public_dns_chomped: "bastion.{{subdomain_base}}"
6363e8 339 vpcid_cidr_block: "192.168.0.0/16"
S 340 vpcid_name_tag: "{{subdomain_base}}"
341
342 az_1_name: "{{ aws_region }}a"
343 az_2_name: "{{ aws_region }}b"
344
345 subnet_private_1_cidr_block: "192.168.2.0/24"
346 subnet_private_1_az: "{{ az_2_name }}"
347 subnet_private_1_name_tag: "{{subdomain_base}}-private"
348
349 subnet_private_2_cidr_block: "192.168.1.0/24"
350 subnet_private_2_az: "{{ az_1_name }}"
351 subnet_private_2_name_tag: "{{subdomain_base}}-private"
352
353 subnet_public_1_cidr_block: "192.168.10.0/24"
354 subnet_public_1_az: "{{ az_1_name }}"
355 subnet_public_1_name_tag: "{{subdomain_base}}-public"
356
357 subnet_public_2_cidr_block: "192.168.20.0/24"
358 subnet_public_2_az: "{{ az_2_name }}"
359 subnet_public_2_name_tag: "{{subdomain_base}}-public"
360
361 dopt_domain_name: "{{ aws_region }}.compute.internal"
362
363 rtb_public_name_tag: "{{subdomain_base}}-public"
364 rtb_private_name_tag: "{{subdomain_base}}-private"
365
366 cf_template_description: "{{ env_type }}-{{ guid }} template "
8fd65b 367
GC 368 rootfs_size_node: 50
2282a3 369 rootfs_size_infranode: 150
8fd65b 370 rootfs_size_master: 50
GC 371 rootfs_size_bastion: 20
372 rootfs_size_support: 20
4338f7 373
GC 374 instances:
375   - name: "bastion"
376     count: 1
377     unique: true
378     public_dns: true
379     dns_loadbalancer: true
380     flavor:
3cc138 381       ec2: "{{bastion_instance_type}}"
GC 382       azure: "{{bastion_instance_type}}"
4338f7 383     tags:
GC 384       - key: "AnsibleGroup"
385         value: "bastions"
386       - key: "ostype"
387         value: "linux"
388     rootfs_size: "{{ rootfs_size_bastion }}"
389
390   - name: "master"
391     count: "{{master_instance_count}}"
392     public_dns: true
393     dns_loadbalancer: true
394     flavor:
3cc138 395       ec2: "{{master_instance_type}}"
GC 396       azure: "{{master_instance_type}}"
4338f7 397     tags:
GC 398       - key: "AnsibleGroup"
399         value: "masters"
400       - key: "ostype"
401         value: "linux"
402     rootfs_size: "{{ rootfs_size_master }}"
403     volumes:
04219c 404       - name: docker_device
GC 405         device_name: "{{docker_device}}"
78ff23 406         volume_size: "{{master_docker_size|default(docker_size)|default('20')}}"
4338f7 407         volume_type: gp2
3cc138 408         purpose: docker
GC 409         lun: 0
4338f7 410
GC 411   - name: "node"
412     count: "{{node_instance_count}}"
413     public_dns: false
414     dns_loadbalancer: false
415     flavor:
3cc138 416       ec2: "{{node_instance_type}}"
GC 417       azure: "{{node_instance_type}}"
4338f7 418     tags:
GC 419       - key: "AnsibleGroup"
420         value: "nodes"
421       - key: "ostype"
422         value: "linux"
423     rootfs_size: "{{ rootfs_size_node }}"
424     volumes:
04219c 425       - name: docker_device
GC 426         device_name: "{{docker_device}}"
78ff23 427         volume_size: "{{node_docker_size|d(docker_size)|d('100')}}"
4338f7 428         volume_type: gp2
3cc138 429         purpose: docker
GC 430         lun: 0
4338f7 431
GC 432   - name: "infranode"
433     count: "{{infranode_instance_count}}"
434     public_dns: true
435     dns_loadbalancer: true
436     flavor:
3cc138 437       ec2: "{{infranode_instance_type}}"
GC 438       azure: "{{infranode_instance_type}}"
4338f7 439     tags:
GC 440       - key: "AnsibleGroup"
441         value: "infranodes"
442       - key: "ostype"
443         value: "linux"
444     rootfs_size: "{{ rootfs_size_infranode }}"
445     volumes:
04219c 446       - name: docker_device
GC 447         device_name: "{{docker_device}}"
78ff23 448         volume_size: "{{infranode_docker_size|d(docker_size)|d('50')}}"
4338f7 449         volume_type: gp2
3cc138 450         purpose: docker
GC 451         lun: 0
4338f7 452
GC 453   - name: "support"
454     count: "{{support_instance_count}}"
455     public_dns: false
456     dns_loadbalancer: false
457     flavor:
3cc138 458       ec2: "{{support_instance_type}}"
GC 459       azure: "{{support_instance_type}}"
4338f7 460     tags:
GC 461       - key: "AnsibleGroup"
740f49 462         value: "{{ 'support,glusterfs,nodes' if install_glusterfs|bool else 'support' }}"
4338f7 463       - key: "ostype"
GC 464         value: "linux"
465     rootfs_size: "{{ rootfs_size_support }}"
466     volumes:
04219c 467       - name: docker_device
GC 468         device_name: "{{docker_device}}"
78ff23 469         volume_size: "{{support_docker_size|d(docker_size)|d('50')}}"
740f49 470         volume_type: gp2
GC 471         purpose: docker
04219c 472       - name: glusterfs_device_name
GC 473         enable: "{{ install_glusterfs | bool }}"
474         device_name: "{{glusterfs_device_name}}"
740f49 475         volume_size: "{{glusterfs_device_size}}"
GC 476         volume_type: gp2
477         purpose: glusterfs
04219c 478       - name: nfs_device
GC 479         enable: "{{ install_nfs | bool }}"
480         device_name: "{{nfs_pvs}}"
3cc138 481         volume_size: "{{nfs_size}}"
GC 482         volume_type: gp2
483         purpose: nfs