# vim: set ft=ansible
---
# Implement your Workload deployment tasks here

# The operator runs in istio-operator and builds the control plane in
# istio-system (the ControlPlane CR later in this file targets that namespace).
- name: create istio-system and istio-operator projects
  k8s:
    state: present
    definition:
      apiVersion: project.openshift.io/v1
      kind: Project
      metadata:
        name: "{{ item }}"
  loop:
    - istio-system
    - istio-operator

# Legacy Installation CRD; the task name marks it for removal in a later release.
# apiextensions.k8s.io/v1beta1 is the pre-1.16 CRD API (removed in Kubernetes 1.22).
- name: installation crd (to be removed in subsequent release)
  k8s:
    state: present
    definition:
      apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      metadata:
        name: installations.istio.openshift.com
      spec:
        group: istio.openshift.com
        version: v1alpha1
        scope: Namespaced
        names:
          kind: Installation
          singular: installation
          plural: installations
        # Enables the /status subresource so status writes are separate from spec.
        subresources:
          status: {}

# CRD for the ControlPlane resource that the operator reconciles; the CR
# created later in this file uses istio.openshift.com/v1alpha3.
# apiextensions.k8s.io/v1beta1 is the pre-1.16 CRD API (removed in Kubernetes 1.22).
- name: istio controlplane crd
  k8s:
    state: present
    definition:
      apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      metadata:
        name: controlplanes.istio.openshift.com
      spec:
        group: istio.openshift.com
        version: v1alpha3
        scope: Namespaced
        names:
          kind: ControlPlane
          listKind: ControlPlaneList
          singular: controlplane
          plural: controlplanes
        # Enables the /status subresource so status writes are separate from spec.
        subresources:
          status: {}

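# Cluster-wide permissions for the operator's ServiceAccount (bound further
# down). Taken together this role is close to cluster-admin: wildcard verbs on
# secrets, serviceaccounts, RBAC objects, admission webhooks and
# SecurityContextConstraints. Any principal that can read the istio-operator SA
# token inherits all of it, so keep access to the istio-operator namespace
# tight and audit changes to this role.
#
# Changes from the previous revision: trailing whitespace after
# nonResourceURLs removed, and the kiali rules converted from flow style
# (apiGroups: [...]) to the block style used by the rest of the list. The
# grants themselves are unchanged.
- name: istio operator rbac
  k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: istio-operator
      rules:
        # Full access to secrets and serviceaccounts is what makes this role
        # high-value; it is needed because the operator materialises the
        # control plane's certificates and identities.
        - apiGroups:
            - ""
          resources:
            - pods
            - services
            - endpoints
            - persistentvolumeclaims
            - events
            - configmaps
            - secrets
            - serviceaccounts
            - namespaces
            - routes
          verbs:
            - '*'
        - apiGroups:
            - apps
          resources:
            - deployments
            - daemonsets
            - replicasets
            - statefulsets
          verbs:
            - '*'
        - apiGroups:
            - autoscaling
          resources:
            - horizontalpodautoscalers
          verbs:
            - '*'
        - apiGroups:
            - extensions
          resources:
            - daemonsets
            - deployments
          verbs:
            - '*'
        - apiGroups:
            - policy
          resources:
            - poddisruptionbudgets
          verbs:
            - '*'
        # Write access to webhook configurations means the operator can alter
        # any object at admission time (this is how sidecar injection works).
        - apiGroups:
            - admissionregistration.k8s.io
          resources:
            - mutatingwebhookconfigurations
            - validatingwebhookconfigurations
          verbs:
            - '*'
        - apiGroups:
            - certmanager.k8s.io
          resources:
            - clusterissuers
          verbs:
            - '*'
        # Write access to (cluster)roles and bindings: the operator can hand
        # out any permission it holds itself, which given this role is nearly
        # everything.
        - apiGroups:
            - rbac.authorization.k8s.io
          resources:
            - clusterrolebindings
            - clusterroles
            - roles
            - rolebindings
          verbs:
            - '*'
        - apiGroups:
            - authentication.istio.io
          resources:
            # for galley, *: get, list, watch
            # for mixer, *: create, get, list, watch
            # for pilot, *: *
            # for istio-authenticated, *: *
            - '*'
            - meshpolicies
          verbs:
            - '*'
        - apiGroups:
            - config.istio.io
          resources:
            # for galley, *: get, list, watch
            # for pilot, *: *
            # for istio-authenticated, *: *
            - '*'
            - attributemanifests
            - handlers
            - logentries
            - rules
            - metrics
            - kuberneteses
          verbs:
            - '*'
        - apiGroups:
            - networking.istio.io
          resources:
            # for galley, *: get, list, watch
            # for pilot, *: *
            # for istio-authenticated, *: *
            - '*'
            - gateways
            - destinationrules
            - virtualservices
            - envoyfilters
          verbs:
            - '*'
        - apiGroups:
            - monitoring.coreos.com
          resources:
            - servicemonitors
          verbs:
            - get
            - create
        - apiGroups:
            - istio.openshift.com
          resources:
            - '*'
            - istiocontrolplanes
            - installations
          verbs:
            - '*'
        - apiGroups:
            - apps.openshift.io
          resources:
            - deploymentconfigs
          verbs:
            - '*'
        # OAuthClients are cluster-scoped credentials for the OpenShift OAuth
        # server; wildcard access here is another escalation-relevant grant.
        - apiGroups:
            - oauth.openshift.io
          resources:
            - oauthclients
          verbs:
            - '*'
        - apiGroups:
            - project.openshift.io
          resources:
            - projects
            - projectrequests
          verbs:
            - '*'
        - apiGroups:
            - route.openshift.io
          resources:
            - routes
            - routes/custom-host
          verbs:
            - '*'
        # Writing SCCs allows privileged/host-level pod settings to be granted
        # to any workload on the cluster.
        - apiGroups:
            - security.openshift.io
          resources:
            - securitycontextconstraints
          verbs:
            - '*'
        # for galley (pilot and prometheus also watch nodes)
        - apiGroups:
            - ""
          resources:
            - nodes
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - extensions
          resources:
            - ingresses
          verbs:
            - get
            - list
            - watch
        # Scoped by resourceNames: only these two deployments' finalizers.
        - apiGroups:
            - extensions
            - apps
          resources:
            - deployments/finalizers
          resourceNames:
            - istio-galley
            - istio-sidecar-injector
          verbs:
            - update
        # for mixer
        - apiGroups:
            - apiextensions.k8s.io
          resources:
            - customresourcedefinitions
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - extensions
          resources:
            - replicasets
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - ""
          resources:
            - replicationcontrollers
          verbs:
            - get
            - list
            - watch
        # for pilot
        # for istio-authenticated, *: *
        # '*' already covers the explicit verbs that follow it; kept as
        # upstream ships the rule.
        - apiGroups:
            - rbac.istio.io
          resources:
            - '*'
          verbs:
            - '*'
            - get
            - list
            - watch
        - apiGroups:
            - apiextensions.k8s.io
          resources:
            - customresourcedefinitions
          verbs:
            - '*'
        - apiGroups:
            - extensions
          resources:
            - ingresses
            - ingresses/status
          verbs:
            - '*'
        # prometheus
        - apiGroups:
            - ""
          resources:
            - nodes/proxy
          verbs:
            - get
            - list
            - watch
        - nonResourceURLs:
            - "/metrics"
          verbs:
            - get
        # citadel
        - apiGroups:
            - authentication.k8s.io
          resources:
            - tokenreviews
          verbs:
            - create
        # kiali
        - apiGroups:
            - ""
          resources:
            - configmaps
            - endpoints
            - namespaces
            - nodes
            - pods
            - services
            - replicationcontrollers
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - extensions
            - apps
          resources:
            - deployments
            - statefulsets
            - replicasets
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - autoscaling
          resources:
            - horizontalpodautoscalers
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - batch
          resources:
            - cronjobs
            - jobs
          verbs:
            - '*'
        - apiGroups:
            - project.openshift.io
          resources:
            - projects
          verbs:
            - get
        - apiGroups:
            - route.openshift.io
          resources:
            - routes
          verbs:
            - get
        - apiGroups:
            - apps.openshift.io
          resources:
            - deploymentconfigs
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - config.istio.io
          resources:
            - apikeys
            - authorizations
            - checknothings
            - circonuses
            - deniers
            - fluentds
            - handlers
            - kubernetesenvs
            - kuberneteses
            - listcheckers
            - listentries
            - logentries
            - memquotas
            - metrics
            - opas
            - prometheuses
            - quotas
            - quotaspecbindings
            - quotaspecs
            - rbacs
            - reportnothings
            - rules
            - solarwindses
            - stackdrivers
            - statsds
            - stdios
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - watch
        - apiGroups:
            - networking.istio.io
          resources:
            - destinationrules
            - gateways
            - serviceentries
            - virtualservices
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - watch
        - apiGroups:
            - authentication.istio.io
          resources:
            - policies
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - watch
        - apiGroups:
            - monitoring.kiali.io
          resources:
            - monitoringdashboards
          verbs:
            - get
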
# Identity the operator Deployment runs as; it receives the istio-operator
# ClusterRole through the binding that follows.
- name: istio operator sa
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        namespace: istio-operator
        name: istio-operator

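# Grants the (near cluster-admin) istio-operator ClusterRole to the operator's
# ServiceAccount. Uses rbac.authorization.k8s.io/v1 to match the ClusterRole
# above; the previous v1beta1 is deprecated and was removed in Kubernetes 1.22,
# while v1 has been served since 1.8, so this is a no-op on any supported cluster.
- name: istio operator cluster role binding
  k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: istio-operator-account-istio-operator-cluster-role-binding
      subjects:
        - kind: ServiceAccount
          name: istio-operator
          namespace: istio-operator
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: istio-operator
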
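# Runs the operator in the istio-operator namespace under the SA bound above.
# Sequence indentation is now consistent throughout (the previous revision
# mixed flush and indented lists within this one definition).
- name: istio operator deployment
  k8s:
    state: present
    definition:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: istio-operator
        namespace: istio-operator
      spec:
        # Single replica; no leader-election flag is passed in the command
        # below, so do not scale this up without checking the operator supports it.
        replicas: 1
        selector:
          matchLabels:
            name: istio-operator
        template:
          metadata:
            labels:
              name: istio-operator
          spec:
            serviceAccountName: istio-operator
            volumes:
              # Memory-backed scratch space for the API discovery cache.
              - name: discovery-cache
                emptyDir:
                  medium: Memory
            containers:
              # No resources or securityContext are set on this container. The
              # image's requirements are not known from this file, so they are
              # left for the caller to add rather than guessed here.
              - name: istio-operator
                # Tag-pinned but re-pulled on every start; a digest reference
                # would pin the exact image content.
                image: openshift-istio-tech-preview/istio-operator:0.10.0
                imagePullPolicy: Always
                ports:
                  - containerPort: 60000
                    name: metrics
                command:
                  - istio-operator
                  - --discoveryCacheDir
                  - /home/istio-operator/.kube/cache/discovery
                  - "--istioPrefix=openshift-istio-tech-preview/"
                  - "--deploymentType=openshift"
                env:
                  # An empty WATCH_NAMESPACE is the operator-sdk convention for
                  # "watch all namespaces", which is why the role above is a
                  # ClusterRole rather than a namespaced Role.
                  - name: WATCH_NAMESPACE
                    value: ""
                  - name: POD_NAME
                    valueFrom:
                      fieldRef:
                        fieldPath: metadata.name
                  - name: OPERATOR_NAME
                    value: "istio-operator"
                volumeMounts:
                  - name: discovery-cache
                    mountPath: /home/istio-operator/.kube/cache/discovery
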
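# Asks the operator to build a control plane in istio-system. The values are
# demo-sized (autoscaling off everywhere, 100% trace sampling, small proxy
# limits) and are not production settings.
#
# The Kiali dashboard login was previously hard-coded as admin/admin in this
# file. Those remain the defaults so existing runs behave identically, but the
# values can now be supplied as Ansible variables (ideally from a vaulted vars
# file) instead of living in version control.
- name: istio controlplane cr
  k8s:
    state: present
    definition:
      apiVersion: istio.openshift.com/v1alpha3
      kind: ControlPlane
      metadata:
        name: basic-install
        namespace: istio-system
      spec:
        istio:
          global:
            proxy:
              resources:
                requests:
                  cpu: 100m
                  memory: 128Mi
                limits:
                  cpu: 500m
                  memory: 128Mi
            # Mixer policy checks stay enabled (the mixer.policy component
            # below is what serves them).
            disablePolicyChecks: false
          gateways:
            istio-egressgateway:
              autoscaleEnabled: false
            istio-ingressgateway:
              autoscaleEnabled: false
              # Presumably Maistra's automatic OpenShift Route creation for
              # Gateways; disabled here.
              ior_enabled: false
          mixer:
            policy:
              autoscaleEnabled: false
            telemetry:
              autoscaleEnabled: false
              resources:
                requests:
                  cpu: 100m
                  memory: 1G
                limits:
                  cpu: 500m
                  memory: 4G
          pilot:
            autoscaleEnabled: false
            # Percentage of requests traced; 100.0 traces everything, fine
            # for a demo but costly under real load.
            traceSampling: 100.0
          kiali:
            enabled: true
            dashboard:
              # Override via kiali_dashboard_user / kiali_dashboard_passphrase
              # (constructed variable names, new in this revision); the
              # defaults reproduce the previous behaviour.
              user: "{{ kiali_dashboard_user | default('admin') }}"
              passphrase: "{{ kiali_dashboard_passphrase | default('admin') }}"
          tracing:
            enabled: true
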
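# Polls the operator Deployment until at least one replica reports ready
# (first attempt plus 5 retries x 60 s, roughly 5 minutes).
# `command` replaces `shell`: the argument string needs no shell features, and
# the jsonpath quoting survives shlex splitting intact. `changed_when: false`
# marks the read-only query so it never shows up as a change in the play recap.
- name: wait up to 5 minutes for istio operator pod to be ready
  command: "oc get deployment -n istio-operator istio-operator -o jsonpath='{.status.readyReplicas}'"
  register: istio_deployment_status
  # readyReplicas is absent until a pod is ready, so stdout is "" and
  # `| int` yields 0 until then.
  until: "istio_deployment_status.stdout | int >= 1"
  retries: 5
  delay: 60
  changed_when: false
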
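# Polls until the elasticsearch StatefulSet exists in istio-system, presumably
# the store behind the tracing stack enabled in the ControlPlane CR above
# (first attempt plus 8 retries x 60 s, roughly 8 minutes). A non-zero rc is
# retried because of `until`; it only fails once retries are exhausted.
# `command` replaces `shell` (no shell features needed) and `changed_when:
# false` marks the read-only query.
- name: wait up to 8 minutes for the elasticsearch statefulset to exist
  command: oc get statefulset elasticsearch -n istio-system
  register: elasticsearch_set_status
  until: elasticsearch_set_status.rc == 0
  retries: 8
  delay: 60
  changed_when: false
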
# Leave this as the last task in the playbook.
# Emits the completion message unless the caller set silent=true.
- name: workload tasks complete
  when: not (silent | bool)
  debug:
    msg: "Workload Tasks completed successfully."
