# vim: set ft=ansible
---
# Implement your Workload deployment tasks here

# The two namespaces everything else in this file lands in: the operator
# ServiceAccount/Deployment go to istio-operator, the ControlPlane CR to
# istio-system. Both are created as OpenShift Projects, idempotently.
- name: create istio-system and istio-operator projects
  k8s:
    state: present
    definition:
      kind: Project
      apiVersion: project.openshift.io/v1
      metadata:
        name: "{{ item }}"
  loop:
    - istio-system
    - istio-operator

# Registers the Installation CRD (istio.openshift.com/v1alpha1). The task
# name marks it as transitional; it is still needed here because the operator
# ClusterRole below grants access to "installations".
# NOTE(review): apiextensions.k8s.io/v1beta1 is the legacy CRD API; the v1
# API requires a structural schema, which this definition does not carry, so
# confirm the target cluster still serves v1beta1 before upgrading it.
- name: installation crd (to be removed in subsequent release)
  k8s:
    state: present
    definition:
      apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      metadata:
        name: installations.istio.openshift.com
      spec:
        group: istio.openshift.com
        names:
          kind: Installation
          plural: installations
          singular: installation
        scope: Namespaced
        subresources:
          # empty mapping enables the /status subresource with no extra config
          status: {}
        version: v1alpha1

# Registers the ControlPlane CRD. The "istio controlplane cr" task at the end
# of this file creates an instance of it using the same
# istio.openshift.com/v1alpha3 version declared here.
# NOTE(review): the plural registered here is "controlplanes"; the operator
# ClusterRole below lists "istiocontrolplanes" for this API group, which does
# not match this CRD (the '*' entry in that rule covers it regardless).
# NOTE(review): v1beta1 CRD API, see the previous task.
- name: istio controlplane crd
  k8s:
    state: present
    definition:
      apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      metadata:
        name: controlplanes.istio.openshift.com
      spec:
        group: istio.openshift.com
        names:
          kind: ControlPlane
          listKind: ControlPlaneList
          plural: controlplanes
          singular: controlplane
        scope: Namespaced
        subresources:
          # empty mapping enables the /status subresource with no extra config
          status: {}
        version: v1alpha3

56 |
- name: istio operator rbac |
|
57 |
k8s: |
|
58 |
state: present |
|
59 |
definition: |
|
60 |
apiVersion: rbac.authorization.k8s.io/v1 |
|
61 |
kind: ClusterRole |
|
62 |
metadata: |
|
63 |
name: istio-operator |
|
64 |
rules: |
|
65 |
- apiGroups: |
|
66 |
- "" |
|
67 |
resources: |
|
68 |
- pods |
|
69 |
- services |
|
70 |
- endpoints |
|
71 |
- persistentvolumeclaims |
|
72 |
- events |
|
73 |
- configmaps |
|
74 |
- secrets |
|
75 |
- serviceaccounts |
|
76 |
- namespaces |
|
77 |
- routes |
|
78 |
verbs: |
|
79 |
- '*' |
|
80 |
- apiGroups: |
|
81 |
- apps |
|
82 |
resources: |
|
83 |
- deployments |
|
84 |
- daemonsets |
|
85 |
- replicasets |
|
86 |
- statefulsets |
|
87 |
verbs: |
|
88 |
- '*' |
|
89 |
- apiGroups: |
|
90 |
- autoscaling |
|
91 |
resources: |
|
92 |
- horizontalpodautoscalers |
|
93 |
verbs: |
|
94 |
- '*' |
|
95 |
- apiGroups: |
|
96 |
- extensions |
|
97 |
resources: |
|
98 |
- daemonsets |
|
99 |
- deployments |
|
100 |
verbs: |
|
101 |
- '*' |
|
102 |
- apiGroups: |
|
103 |
- policy |
|
104 |
resources: |
|
105 |
- poddisruptionbudgets |
|
106 |
verbs: |
|
107 |
- '*' |
|
108 |
- apiGroups: |
|
109 |
- admissionregistration.k8s.io |
|
110 |
resources: |
|
111 |
- mutatingwebhookconfigurations |
|
112 |
- validatingwebhookconfigurations |
|
113 |
verbs: |
|
114 |
- '*' |
|
115 |
- apiGroups: |
|
116 |
- certmanager.k8s.io |
|
117 |
resources: |
|
118 |
- clusterissuers |
|
119 |
verbs: |
|
120 |
- '*' |
|
121 |
- apiGroups: |
|
122 |
- rbac.authorization.k8s.io |
|
123 |
resources: |
|
124 |
- clusterrolebindings |
|
125 |
- clusterroles |
|
126 |
- roles |
|
127 |
- rolebindings |
|
128 |
verbs: |
|
129 |
- '*' |
|
130 |
- apiGroups: |
|
131 |
- authentication.istio.io |
|
132 |
resources: |
|
133 |
# for galley, *: get, list, watch |
|
134 |
# for mixer, *: create, get, list, watch |
|
135 |
# for pilot, *: * |
|
136 |
# for istio-authenticated, *: * |
|
137 |
- '*' |
|
138 |
- meshpolicies |
|
139 |
verbs: |
|
140 |
- '*' |
|
141 |
- apiGroups: |
|
142 |
- config.istio.io |
|
143 |
resources: |
|
144 |
# for galley, *: get, list, watch |
|
145 |
# for pilot, *: * |
|
146 |
# for istio-authenticated, *: * |
|
147 |
- '*' |
|
148 |
- attributemanifests |
|
149 |
- handlers |
|
150 |
- logentries |
|
151 |
- rules |
|
152 |
- metrics |
|
153 |
- kuberneteses |
|
154 |
verbs: |
|
155 |
- '*' |
|
156 |
- apiGroups: |
|
157 |
- networking.istio.io |
|
158 |
resources: |
|
159 |
# for galley, *: get, list, watch |
|
160 |
# for pilot, *: * |
|
161 |
# for istio-authenticated, *: * |
|
162 |
- '*' |
|
163 |
- gateways |
|
164 |
- destinationrules |
|
165 |
- virtualservices |
|
166 |
- envoyfilters |
|
167 |
verbs: |
|
168 |
- '*' |
|
169 |
- apiGroups: |
|
170 |
- monitoring.coreos.com |
|
171 |
resources: |
|
172 |
- servicemonitors |
|
173 |
verbs: |
|
174 |
- get |
|
175 |
- create |
|
176 |
- apiGroups: |
|
177 |
- istio.openshift.com |
|
178 |
resources: |
|
179 |
- '*' |
|
180 |
- istiocontrolplanes |
|
181 |
- installations |
|
182 |
verbs: |
|
183 |
- '*' |
|
184 |
- apiGroups: |
|
185 |
- apps.openshift.io |
|
186 |
resources: |
|
187 |
- deploymentconfigs |
|
188 |
verbs: |
|
189 |
- '*' |
|
190 |
- apiGroups: |
|
191 |
- oauth.openshift.io |
|
192 |
resources: |
|
193 |
- oauthclients |
|
194 |
verbs: |
|
195 |
- '*' |
|
196 |
- apiGroups: |
|
197 |
- project.openshift.io |
|
198 |
resources: |
|
199 |
- projects |
|
200 |
- projectrequests |
|
201 |
verbs: |
|
202 |
- '*' |
|
203 |
- apiGroups: |
|
204 |
- route.openshift.io |
|
205 |
resources: |
|
206 |
- routes |
|
207 |
- routes/custom-host |
|
208 |
verbs: |
|
209 |
- '*' |
|
210 |
- apiGroups: |
|
211 |
- security.openshift.io |
|
212 |
resources: |
|
213 |
- securitycontextconstraints |
|
214 |
verbs: |
|
215 |
- '*' |
|
216 |
# for galley (pilot and prometheus also watch nodes) |
|
217 |
- apiGroups: |
|
218 |
- "" |
|
219 |
resources: |
|
220 |
- nodes |
|
221 |
verbs: |
|
222 |
- get |
|
223 |
- list |
|
224 |
- watch |
|
225 |
- apiGroups: |
|
226 |
- extensions |
|
227 |
resources: |
|
228 |
- ingresses |
|
229 |
verbs: |
|
230 |
- get |
|
231 |
- list |
|
232 |
- watch |
|
233 |
- apiGroups: |
|
234 |
- extensions |
|
235 |
- apps |
|
236 |
resources: |
|
237 |
- deployments/finalizers |
|
238 |
resourceNames: |
|
239 |
- istio-galley |
|
240 |
- istio-sidecar-injector |
|
241 |
verbs: |
|
242 |
- update |
|
243 |
# for mixer |
|
244 |
- apiGroups: |
|
245 |
- apiextensions.k8s.io |
|
246 |
resources: |
|
247 |
- customresourcedefinitions |
|
248 |
verbs: |
|
249 |
- get |
|
250 |
- list |
|
251 |
- watch |
|
252 |
- apiGroups: |
|
253 |
- extensions |
|
254 |
resources: |
|
255 |
- replicasets |
|
256 |
verbs: |
|
257 |
- get |
|
258 |
- list |
|
259 |
- watch |
|
260 |
- apiGroups: |
|
261 |
- "" |
|
262 |
resources: |
|
263 |
- replicationcontrollers |
|
264 |
verbs: |
|
265 |
- get |
|
266 |
- list |
|
267 |
- watch |
|
268 |
# for pilot |
|
269 |
# for istio-authenticated, *: * |
|
270 |
- apiGroups: |
|
271 |
- rbac.istio.io |
|
272 |
resources: |
|
273 |
- '*' |
|
274 |
verbs: |
|
275 |
- '*' |
|
276 |
- get |
|
277 |
- list |
|
278 |
- watch |
|
279 |
- apiGroups: |
|
280 |
- apiextensions.k8s.io |
|
281 |
resources: |
|
282 |
- customresourcedefinitions |
|
283 |
verbs: |
|
284 |
- '*' |
|
285 |
- apiGroups: |
|
286 |
- extensions |
|
287 |
resources: |
|
288 |
- ingresses |
|
289 |
- ingresses/status |
|
290 |
verbs: |
|
291 |
- '*' |
|
292 |
# prometheus |
|
293 |
- apiGroups: |
|
294 |
- "" |
|
295 |
resources: |
|
296 |
- nodes/proxy |
|
297 |
verbs: |
|
298 |
- get |
|
299 |
- list |
|
300 |
- watch |
|
301 |
- nonResourceURLs: |
|
302 |
- "/metrics" |
|
303 |
verbs: |
|
304 |
- get |
|
305 |
# citadel |
|
306 |
- apiGroups: |
|
307 |
- authentication.k8s.io |
|
308 |
resources: |
|
309 |
- tokenreviews |
|
310 |
verbs: |
|
311 |
- create |
|
312 |
# kiali |
|
313 |
- apiGroups: [""] |
|
314 |
resources: |
|
315 |
- configmaps |
|
316 |
- endpoints |
|
317 |
- namespaces |
|
318 |
- nodes |
|
319 |
- pods |
|
320 |
- services |
|
321 |
- replicationcontrollers |
|
322 |
verbs: |
|
323 |
- get |
|
324 |
- list |
|
325 |
- watch |
|
326 |
- apiGroups: ["extensions", "apps"] |
|
327 |
resources: |
|
328 |
- deployments |
|
329 |
- statefulsets |
|
330 |
- replicasets |
|
331 |
verbs: |
|
332 |
- get |
|
333 |
- list |
|
334 |
- watch |
|
335 |
- apiGroups: ["autoscaling"] |
|
336 |
resources: |
|
337 |
- horizontalpodautoscalers |
|
338 |
verbs: |
|
339 |
- get |
|
340 |
- list |
|
341 |
- watch |
|
342 |
- apiGroups: ["batch"] |
|
343 |
resources: |
|
344 |
- cronjobs |
|
345 |
- jobs |
|
346 |
verbs: |
|
347 |
- '*' |
|
348 |
- apiGroups: ["project.openshift.io"] |
|
349 |
resources: |
|
350 |
- projects |
|
351 |
verbs: |
|
352 |
- get |
|
353 |
- apiGroups: ["route.openshift.io"] |
|
354 |
resources: |
|
355 |
- routes |
|
356 |
verbs: |
|
357 |
- get |
|
358 |
- apiGroups: ["apps.openshift.io"] |
|
359 |
resources: |
|
360 |
- deploymentconfigs |
|
361 |
verbs: |
|
362 |
- get |
|
363 |
- list |
|
364 |
- watch |
|
365 |
- apiGroups: ["config.istio.io"] |
|
366 |
resources: |
|
367 |
- apikeys |
|
368 |
- authorizations |
|
369 |
- checknothings |
|
370 |
- circonuses |
|
371 |
- deniers |
|
372 |
- fluentds |
|
373 |
- handlers |
|
374 |
- kubernetesenvs |
|
375 |
- kuberneteses |
|
376 |
- listcheckers |
|
377 |
- listentries |
|
378 |
- logentries |
|
379 |
- memquotas |
|
380 |
- metrics |
|
381 |
- opas |
|
382 |
- prometheuses |
|
383 |
- quotas |
|
384 |
- quotaspecbindings |
|
385 |
- quotaspecs |
|
386 |
- rbacs |
|
387 |
- reportnothings |
|
388 |
- rules |
|
389 |
- solarwindses |
|
390 |
- stackdrivers |
|
391 |
- statsds |
|
392 |
- stdios |
|
393 |
verbs: |
|
394 |
- create |
|
395 |
- delete |
|
396 |
- get |
|
397 |
- list |
|
398 |
- patch |
|
399 |
- watch |
|
400 |
- apiGroups: ["networking.istio.io"] |
|
401 |
resources: |
|
402 |
- destinationrules |
|
403 |
- gateways |
|
404 |
- serviceentries |
|
405 |
- virtualservices |
|
406 |
verbs: |
|
407 |
- create |
|
408 |
- delete |
|
409 |
- get |
|
410 |
- list |
|
411 |
- patch |
|
412 |
- watch |
|
413 |
- apiGroups: ["authentication.istio.io"] |
|
414 |
resources: |
|
415 |
- policies |
|
416 |
verbs: |
|
417 |
- create |
|
418 |
- delete |
|
419 |
- get |
|
420 |
- list |
|
421 |
- patch |
|
422 |
- watch |
|
423 |
- apiGroups: ["monitoring.kiali.io"] |
|
424 |
resources: |
|
425 |
- monitoringdashboards |
|
426 |
verbs: |
|
427 |
- get |
|
428 |
|
|
429 |
- name: istio operator sa |
|
430 |
k8s: |
|
431 |
state: present |
|
432 |
definition: |
|
433 |
apiVersion: v1 |
|
434 |
kind: ServiceAccount |
|
435 |
metadata: |
|
436 |
name: istio-operator |
|
437 |
namespace: istio-operator |
|
438 |
|
|
439 |
- name: istio operator cluster role binding |
|
440 |
k8s: |
|
441 |
state: present |
|
442 |
definition: |
|
443 |
kind: ClusterRoleBinding |
|
444 |
apiVersion: rbac.authorization.k8s.io/v1beta1 |
|
445 |
metadata: |
|
446 |
name: istio-operator-account-istio-operator-cluster-role-binding |
|
447 |
subjects: |
|
448 |
- kind: ServiceAccount |
|
449 |
namespace: istio-operator |
|
450 |
name: istio-operator |
|
451 |
roleRef: |
|
452 |
kind: ClusterRole |
|
453 |
name: istio-operator |
|
454 |
apiGroup: rbac.authorization.k8s.io |
|
455 |
|
|
456 |
- name: istio operator deployment |
|
457 |
k8s: |
|
458 |
state: present |
|
459 |
definition: |
|
460 |
apiVersion: apps/v1 |
|
461 |
kind: Deployment |
|
462 |
metadata: |
|
463 |
name: istio-operator |
|
464 |
namespace: istio-operator |
|
465 |
spec: |
|
466 |
replicas: 1 |
|
467 |
selector: |
|
468 |
matchLabels: |
|
469 |
name: istio-operator |
|
470 |
template: |
|
471 |
metadata: |
|
472 |
labels: |
|
473 |
name: istio-operator |
|
474 |
spec: |
|
475 |
serviceAccountName: istio-operator |
|
476 |
volumes: |
|
477 |
- name: discovery-cache |
|
478 |
emptyDir: |
|
479 |
medium: Memory |
|
480 |
containers: |
|
481 |
- name: istio-operator |
|
482 |
image: openshift-istio-tech-preview/istio-operator:0.10.0 |
|
483 |
ports: |
|
484 |
- containerPort: 60000 |
|
485 |
name: metrics |
|
486 |
command: |
|
487 |
- istio-operator |
|
488 |
- --discoveryCacheDir |
|
489 |
- /home/istio-operator/.kube/cache/discovery |
|
490 |
- "--istioPrefix=openshift-istio-tech-preview/" |
|
491 |
- "--deploymentType=openshift" |
|
492 |
imagePullPolicy: Always |
|
493 |
env: |
|
494 |
- name: WATCH_NAMESPACE |
|
495 |
value: "" |
|
496 |
- name: POD_NAME |
|
497 |
valueFrom: |
|
498 |
fieldRef: |
|
499 |
fieldPath: metadata.name |
|
500 |
- name: OPERATOR_NAME |
|
501 |
value: "istio-operator" |
|
502 |
volumeMounts: |
|
503 |
- name: discovery-cache |
|
504 |
mountPath: /home/istio-operator/.kube/cache/discovery |
|
505 |
|
|
506 |
- name: istio controlplane cr |
|
507 |
k8s: |
|
508 |
state: present |
|
509 |
definition: |
|
510 |
apiVersion: istio.openshift.com/v1alpha3 |
|
511 |
kind: ControlPlane |
|
512 |
metadata: |
|
513 |
name: basic-install |
|
514 |
namespace: istio-system |
|
515 |
spec: |
|
516 |
istio: |
|
517 |
global: |
|
518 |
proxy: |
|
519 |
resources: |
|
520 |
requests: |
|
521 |
cpu: 100m |
|
522 |
memory: 128Mi |
|
523 |
limits: |
|
524 |
cpu: 500m |
|
525 |
memory: 128Mi |
c3acbf
|
526 |
disablePolicyChecks: false |
240c1f
|
527 |
gateways: |
EMJ |
528 |
istio-egressgateway: |
|
529 |
autoscaleEnabled: false |
|
530 |
istio-ingressgateway: |
|
531 |
autoscaleEnabled: false |
|
532 |
ior_enabled: false |
|
533 |
mixer: |
|
534 |
policy: |
|
535 |
autoscaleEnabled: false |
|
536 |
telemetry: |
|
537 |
autoscaleEnabled: false |
|
538 |
resources: |
|
539 |
requests: |
|
540 |
cpu: 100m |
|
541 |
memory: 1G |
|
542 |
limits: |
|
543 |
cpu: 500m |
|
544 |
memory: 4G |
|
545 |
pilot: |
|
546 |
autoscaleEnabled: false |
|
547 |
traceSampling: 100.0 |
|
548 |
kiali: |
c3acbf
|
549 |
enabled: true |
EMJ |
550 |
dashboard: |
240c1f
|
551 |
user: admin |
EMJ |
552 |
passphrase: admin |
c3acbf
|
553 |
tracing: |
EMJ |
554 |
enabled: true |
240c1f
|
555 |
|
EMJ |
556 |
- name: wait up to 5 minutes for istio operator pod to be ready |
|
557 |
shell: "oc get deployment -n istio-operator istio-operator -o jsonpath='{.status.readyReplicas}'" |
|
558 |
register: istio_deployment_status |
|
559 |
until: "istio_deployment_status.stdout | int >= 1" |
|
560 |
retries: 5 |
|
561 |
delay: 60 |
|
562 |
|
|
563 |
- name: wait up to 8 minutes for the elasticsearch statefulset to exist |
|
564 |
shell: "oc get statefulset elasticsearch -n istio-system" |
|
565 |
register: elasticsearch_set_status |
|
566 |
until: elasticsearch_set_status.rc == 0 |
|
567 |
retries: 8 |
89dc0d
|
568 |
delay: 60 |
EMJ |
569 |
|
|
570 |
# Leave this as the last task in the playbook. |
|
571 |
- name: workload tasks complete |
|
572 |
debug: |
|
573 |
msg: "Workload Tasks completed successfully." |
|
574 |
when: not silent|bool |
|
575 |
|