| commit | author | age | ||
| e2d605 | 1 | --- |
| S | 2 | - name: Step 00xxxxx post software |
| 3 | hosts: support | |
| 4 | gather_facts: False | |
| 5 | become: yes | |
| 6 | vars_files: | |
| 7 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 8 | tasks: | |
| 9 | - name: Create user vols | |
| 10 | shell: "mkdir -p /srv/nfs/user-vols/vol{1..{{user_vols}}}" | |
| 11 | - name: chmod the user vols | |
| 12 | shell: "chmod -R 777 /srv/nfs/user-vols" | |
| 13 | ||
| 14 | - name: Step 00xxxxx post software | |
| 15 | hosts: bastions | |
| 16 | run_once: true | |
| 17 | gather_facts: False | |
| 18 | become: yes | |
| 19 | vars_files: | |
| 20 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 21 | tasks: | |
| 22 | - when: install_nfs|bool | |
| 23 | block: | |
| 24 | - name: get nfs Hostname | |
| 25 | set_fact: | |
| 26 | nfs_host: "{{ groups['support']|sort|first }}" | |
| 27 | ||
| 28 | - set_fact: | |
| 29 | pv_size: '10Gi' | |
| 30 | pv_list: "{{ ocp_pvs }}" | |
| 31 | persistentVolumeReclaimPolicy: Retain | |
| 32 | ||
| 33 | - name: Generate PV file | |
| 34 | template: | |
| 35 | src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/pvs.j2" | |
| 36 | dest: "/root/pvs-{{ env_type }}-{{ guid }}.yml" | |
| 37 | tags: [ gen_pv_file ] | |
| 38 | when: pv_list.0 is defined | |
| 39 | ||
| 40 | - set_fact: | |
| 41 | pv_size: "{{user_vols_size}}" | |
| 42 | persistentVolumeReclaimPolicy: Recycle | |
| 43 | ||
| 44 | notify: restart nfs services | |
| 45 | run_once: True | |
| 46 | ||
| 47 | - name: Generate user vol PV file | |
| 48 | template: | |
| 49 | src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/userpvs.j2" | |
| 50 | dest: "/root/userpvs-{{ env_type }}-{{ guid }}.yml" | |
| 51 | tags: | |
| 52 | - gen_user_vol_pv | |
| 53 | ||
| 54 | - shell: 'oc create -f /root/pvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/pvs-{{ env_type }}-{{ guid }}.yml' | |
| 55 | tags: | |
| 56 | - create_user_pv | |
| 57 | when: pv_list.0 is defined | |
| 58 | ||
| 59 | - shell: 'oc create -f /root/userpvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/userpvs-{{ env_type }}-{{ guid }}.yml' | |
| 60 | tags: | |
| 61 | - create_user_pv | |
| 62 | ||
| 63 | - name: For CNS change default storage class to glusterfs-storage (3.9.27, 3.9.30) | |
| 64 | hosts: masters | |
| 65 | run_once: true | |
| 66 | become: yes | |
| 67 | gather_facts: False | |
| 68 | vars_files: | |
| 69 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 70 | tags: | |
| 71 | - env-specific | |
| 72 | - env-specific_infra | |
| 73 | - storage-class | |
| 74 | tasks: | |
| 75 | - when: | |
| 76 | - osrelease is version_compare('3.9.27', '>=') | |
| 77 | - osrelease is version_compare('3.9.30', '<=') | |
| 78 | - install_glusterfs|bool | |
| 79 | block: | |
| 80 | - name: Set glusterfs-storage class to default | |
| 81 | command: > | |
| 82 | oc patch storageclass glusterfs-storage | |
| 83 | -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "true"}}}' | |
| 84 | register: changesc_r | |
| 85 | failed_when: | |
| 86 | - changesc_r.stdout.find('storageclass "glusterfs-storage" not patched') == -1 | |
| 87 | - changesc_r.rc != 0 | |
| 88 | changed_when: changesc_r.stdout.find('storageclass "glusterfs-storage" patched') != -1 | |
| 89 | - name: Remove default from glusterfs-storage-block class | |
| 90 | register: changesc_r | |
| 91 | changed_when: changesc_r.stdout.find('storageclass "glusterfs-storage-block" patched') != -1 | |
| 92 | failed_when: | |
| 93 | - changesc_r.stdout.find('storageclass "glusterfs-storage-block" not patched') == -1 | |
| 94 | - changesc_r.rc != 0 | |
| 95 | command: > | |
| 96 | oc patch storageclass glusterfs-storage-block | |
| 97 | -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}' | |
| 98 | ||
| 99 | - name: Configure Bastion for CF integration | |
| 100 | hosts: bastions | |
| 101 | become: yes | |
| 102 | gather_facts: False | |
| 103 | vars_files: | |
| 104 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/mgr_users.yml" | |
| 105 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 106 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 107 | tags: | |
| 108 | - env-specific | |
| 109 | - cf_integration | |
| 110 | - opentlc_integration | |
| 111 | tasks: | |
| 112 | - name: Configure Bastion | |
| 240bb5 | 113 | include_role: |
| e2d605 | 114 | name: "{{ ANSIBLE_REPO_PATH }}/roles/opentlc-integration" |
| S | 115 | vars: |
| 116 | no_log: yes | |
| 117 | when: install_opentlc_integration|bool | |
| 118 | - name: Copy /root/.kube to ~opentlc-mgr/ | |
| 119 | command: "cp -rf /root/.kube /home/opentlc-mgr/" | |
| 120 | when: install_opentlc_integration|bool | |
| 121 | ||
| 122 | - name: set permission for .kube | |
| 123 | when: install_opentlc_integration|bool | |
| 124 | file: | |
| 125 | path: /home/opentlc-mgr/.kube | |
| 126 | owner: opentlc-mgr | |
| 127 | group: opentlc-mgr | |
| 128 | recurse: yes | |
| 129 | ||
| 130 | - name: env-specific infrastructure | |
| 131 | hosts: masters | |
| 132 | run_once: true | |
| 133 | become: yes | |
| 134 | gather_facts: False | |
| 135 | vars_files: | |
| 136 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 137 | tags: | |
| 138 | - env-specific | |
| 139 | - env-specific_infra | |
| 140 | tasks: | |
| 141 | - name: Command to enable the wildcard routes in the OCP cluster for 3scale | |
| 142 | shell: "oc set env dc/router ROUTER_ALLOW_WILDCARD_ROUTES=true -n default" | |
| 143 | ||
| 144 | - name: Give administrative user cluster-admin privileges | |
| 145 | command: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}" | |
| 146 | ||
| 147 | - name: Check for admin_project project | |
| 148 | command: "oc get project {{admin_project}}" | |
| 149 | register: result | |
| 150 | changed_when: false | |
| 151 | ignore_errors: true | |
| 152 | ||
| 153 | - name: Create admin_project project (for OCP before 3.10) | |
| 154 | command: "oc adm new-project {{admin_project}} --admin {{admin_user}} --node-selector='env=infra'" | |
| 155 | when: | |
| 156 | - result | failed | |
| 157 | - osrelease is version_compare("3.10", "<") | |
| 158 | ||
| 159 | - name: Create admin_project project (for OCP 3.10+) | |
| 160 | command: "oc adm new-project {{admin_project}} --admin {{admin_user}} --node-selector='node-role.kubernetes.io/infra=true'" | |
| 161 | when: | |
| 162 | - result | failed | |
| 163 | - osrelease is version_compare("3.10", ">=") | |
| 164 | ||
| 165 | - name: Make admin_project project network global | |
| 166 | command: "oc adm pod-network make-projects-global {{admin_project}}" | |
| 167 | when: ovs_plugin == "multitenant" | |
| 168 | ||
| 169 | - name: Set admin_project SCC for anyuid | |
| 170 | command: "oc adm policy add-scc-to-group anyuid system:serviceaccounts:{{admin_project}}" | |
| 171 | ||
| 172 | - name: Add capabilities within anyuid which is not really ideal | |
| 173 | command: "oc patch scc/anyuid --patch '{\"requiredDropCapabilities\":[\"MKNOD\",\"SYS_CHROOT\"]}'" | |
| 174 | ignore_errors: true | |
| 175 | ||
| 176 | - name: Set Node Selector to empty for project openshift-template-service-broker | |
| 177 | shell: oc annotate namespace openshift-template-service-broker openshift.io/node-selector="" --overwrite | |
| 178 | ignore_errors: true | |
| 179 | when: | |
| 180 | - osrelease is version_compare('3.7', '>=') | |
| 181 | - osrelease is version_compare('3.10', '<') | |
| 182 | ||
| 183 | - name: Remove all users from self-provisioners group | |
| 184 | hosts: masters | |
| 185 | run_once: true | |
| 186 | become: yes | |
| 187 | gather_facts: False | |
| 188 | vars_files: | |
| 189 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 190 | tags: [ env-specific, remove_self_provisioners ] | |
| 191 | tasks: | |
| 192 | - when: remove_self_provisioners|bool | |
| 193 | block: | |
| 194 | - name: Set clusterRoleBinding auto-update to false | |
| 195 | command: oc annotate -n default --overwrite clusterrolebinding.rbac self-provisioners rbac.authorization.kubernetes.io/autoupdate=false | |
| 196 | ||
| 197 | - name: Remove system:authenticated from self-provisioner role | |
| 198 | command: "oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth" | |
| 199 | ignore_errors: true | |
| 200 | ||
| 201 | - name: create our own OPENTLC-PROJECT-PROVISIONERS | |
| 202 | command: "oc adm groups new OPENTLC-PROJECT-PROVISIONERS" | |
| 203 | ignore_errors: true | |
| 204 | ||
| 205 | - name: allow OPENTLC-PROJECT-PROVISIONERS members to provision their own projects | |
| 206 | command: "oc adm policy add-cluster-role-to-group self-provisioner OPENTLC-PROJECT-PROVISIONERS" | |
| 207 | ||
| 208 | - name: Project Request Template | |
| 209 | hosts: masters | |
| 210 | gather_facts: False | |
| 211 | become: yes | |
| 212 | vars_files: | |
| 213 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 214 | tags: | |
| 215 | - env-specific | |
| 216 | - project_request | |
| 217 | tasks: | |
| 218 | - name: Copy project request template to master | |
| 219 | copy: | |
| 220 | src: ./files/project-template.yml | |
| 221 | dest: /root/project-template.yml | |
| 222 | ||
| 223 | - name: Check for project request template | |
| 224 | command: "oc get template project-request -n default" | |
| 225 | register: request_template | |
| 226 | ignore_errors: true | |
| 227 | ||
| 228 | - name: Create project request template in default project | |
| 229 | shell: "oc create -f /root/project-template.yml -n default || oc replace -f /root/project-template.yml -n default" | |
| 230 | when: request_template | failed | |
| 231 | ||
| 232 | - name: Update master config file to use project request template | |
| 233 | lineinfile: | |
| 234 | regexp: " projectRequestTemplate" | |
| 235 | dest: "/etc/origin/master/master-config.yaml" | |
| 236 | line: ' projectRequestTemplate: "default/project-request"' | |
| 237 | state: present | |
| 238 | register: master_config | |
| 239 | ||
| 240 | - name: Add Project request message | |
| 241 | replace: | |
| 242 | dest: '/etc/origin/master/master-config.yaml' | |
| 243 | regexp: 'projectRequestMessage.*' | |
| 244 | replace: "projectRequestMessage: '{{project_request_message}}'" | |
| 245 | backup: yes | |
| 246 | ||
| 247 | - name: Restart master service (Pre 3.7) | |
| 248 | service: | |
| 249 | name: atomic-openshift-master | |
| 250 | state: restarted | |
| 251 | when: | |
| 252 | - master_config.changed | |
| 253 | - osrelease is version_compare('3.7', '<') | |
| 254 | ||
| 255 | - name: Restart master API service (3.7 - 3.9) | |
| 256 | service: | |
| 257 | name: atomic-openshift-master-api | |
| 258 | state: restarted | |
| 259 | when: | |
| 260 | - master_config.changed | |
| 261 | - osrelease is version_compare('3.7', '>=') | |
| 262 | - osrelease is version_compare('3.10', '<') | |
| 263 | ||
| 264 | - name: Restart master API Pods (3.10+) | |
| 265 | command: /usr/local/bin/master-restart api | |
| 266 | when: | |
| 267 | - master_config.changed | |
| 268 | - osrelease is version_compare('3.10', '>=') | |
| 269 | ||
| 270 | - name: node admin configs | |
| 271 | hosts: nodes | |
| 272 | gather_facts: False | |
| 273 | become: yes | |
| 274 | vars_files: | |
| 275 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 276 | tags: | |
| 277 | - env-specific | |
| 278 | - env_specific_images | |
| 279 | tasks: | |
| 280 | - name: 'Pull Env Specific Images' | |
| 281 | command: "docker pull {{ item }}" | |
| 282 | with_items: '{{ env_specific_images }}' | |
| 283 | when: env_specific_images.0 is defined | |
| 284 | ||
| 285 | - name: Import jenkins images for OCP 3.7 and newer | |
| 286 | hosts: masters | |
| 287 | run_once: true | |
| 288 | become: yes | |
| 289 | gather_facts: False | |
| 290 | vars_files: | |
| 291 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 292 | tags: | |
| 293 | - env-specific | |
| 294 | - env_specific_images | |
| 295 | tasks: | |
| 296 | - when: osrelease is version_compare('3.7', '>=') | |
| 297 | block: | |
| 298 | - name: Remove default Jenkins ImageStream | |
| 299 | command: oc delete is jenkins -n openshift | |
| 300 | ignore_errors: true | |
| 301 | ||
| 302 | - name: Import jenkins from Red Hat Registry | |
| 303 | command: oc tag --source=docker registry.access.redhat.com/openshift3/jenkins-2-rhel7:v{{ repo_version }} openshift/jenkins:v{{ repo_version }} -n openshift | |
| 304 | ignore_errors: true | |
| 305 | ||
| 306 | - name: Tag Jenkins jenkins:latest | |
| 307 | command: oc tag openshift/jenkins:v{{ repo_version }} openshift/jenkins:latest -n openshift | |
| 308 | register: octag_result | |
| 309 | retries: 5 | |
| 310 | delay: 2 | |
| 311 | until: octag_result is succeeded | |
| 312 | ignore_errors: true | |
| 313 | ||
| 314 | - name: Tag Jenkins jenkins:2 | |
| 315 | command: oc tag openshift/jenkins:v{{ repo_version }} openshift/jenkins:2 -n openshift | |
| 316 | register: octag_result | |
| 317 | retries: 5 | |
| 318 | delay: 2 | |
| 319 | until: octag_result is succeeded | |
| 320 | ignore_errors: true | |
| 321 | ||
| 322 | - name: Fix NFS PV Recycling for OCP 3.7 and newer | |
| 323 | gather_facts: False | |
| 324 | become: yes | |
| 325 | hosts: | |
| 326 | - nodes | |
| 327 | - infranodes | |
| 328 | - masters | |
| 329 | vars_files: | |
| 330 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 331 | tags: | |
| 332 | - env-specific | |
| 333 | - install_nfs | |
| 334 | tasks: | |
| 335 | - name: Fix NFS PV Recycling | |
| 336 | when: | |
| 337 | - install_nfs|d(True)|bool | |
| 338 | block: | |
| 339 | - name: Pull ose-recycler Image | |
| 340 | command: docker pull registry.access.redhat.com/openshift3/ose-recycler:latest | |
| 341 | register: pull_result | |
| 342 | retries: 5 | |
| 343 | delay: 10 | |
| 344 | until: pull_result is succeeded | |
| 345 | when: | |
| 346 | - osrelease is version_compare('3.7', '>=') | |
| 347 | ||
| 348 | - name: Tag ose-recycler Image (for OCP 3.7 - 3.9) | |
| 349 | command: > | |
| 350 | docker tag registry.access.redhat.com/openshift3/ose-recycler:latest | |
| 351 | registry.access.redhat.com/openshift3/ose-recycler:v{{ osrelease }} | |
| 352 | when: | |
| 353 | - osrelease is version_compare('3.7', '>=') | |
| 354 | - osrelease is version_compare('3.10', '<') | |
| 355 | ||
| 356 | - name: Tag ose-recycler Image (for OCP 3.10+) | |
| 357 | command: > | |
| 358 | docker tag registry.access.redhat.com/openshift3/ose-recycler:latest | |
| 359 | registry.access.redhat.com/openshift3/ose-recycler:v1.10.0 | |
| 360 | when: | |
| 361 | - osrelease is version_compare('3.10', '>=') | |
| 362 | ||
| 363 | - name: Fix CRI-O Garbage Collection DaemonSet for OCP 3.9 (up to 3.9.25) | |
| 364 | gather_facts: False | |
| 365 | become: yes | |
| 366 | hosts: masters | |
| 367 | run_once: true | |
| 368 | vars_files: | |
| 369 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 370 | tasks: | |
| 371 | - name: Fix cri-o garbage collection | |
| 372 | when: | |
| 373 | - osrelease is version_compare('3.9.0', '>=') | |
| 374 | - osrelease is version_compare('3.9.25', '<=') | |
| 375 | - container_runtime == "cri-o" | |
| 376 | block: | |
| 377 | - name: Patch dockergc DaemonSet | |
| 378 | shell: "oc patch daemonset dockergc --patch='\"spec\": { \"template\": { \"spec\": { \"containers\": [ { \"command\": [ \"/usr/bin/oc\" ], \"name\": \"dockergc\" } ] } } }' -n default" | |
| 379 | ignore_errors: true | |
| 380 | - name: Redeploy dockergc DaemonSet pods | |
| 381 | shell: "oc delete pod $(oc get pods -n default|grep dockergc|awk -c '{print $1}') -n default" | |
| 382 | ||
| 383 | # Install OpenWhisk | |
| 384 | - name: Install OpenWhisk | |
| 385 | hosts: masters | |
| 386 | run_once: true | |
| 387 | gather_facts: False | |
| 388 | become: yes | |
| 389 | vars_files: | |
| 390 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 391 | tags: | |
| 392 | - env-specific | |
| 393 | - install_openwhisk | |
| 394 | tasks: | |
| 240bb5 | 395 | - include_role: |
| e2d605 | 396 | name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-openwhisk" |
| S | 397 | when: |
| 398 | - install_openwhisk|d(False)|bool | |
| 399 | ||
| 400 | # Set up Prometheus/Node Exporter/Alertmanager/Grafana | |
| 401 | # on the OpenShift Cluster | |
| 402 | - name: Install Prometheus and Grafana (Pre 3.10) | |
| 403 | gather_facts: False | |
| 404 | become: yes | |
| 405 | hosts: | |
| 406 | - nodes | |
| 407 | - infranodes | |
| 408 | - masters | |
| 409 | - bastions | |
| 410 | vars_files: | |
| 411 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 412 | tags: | |
| 413 | - install_prometheus | |
| 414 | tasks: | |
| 240bb5 | 415 | - include_role: |
| e2d605 | 416 | name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-prometheus-pre310" |
| S | 417 | when: |
| 418 | - install_prometheus|d(False)|bool | |
| 419 | - osrelease is version_compare("3.10", "<") | |
| 420 | ||
| 421 | # Deploy Grafana Manually until the install playbooks can | |
| 422 | # (3.10 and onwards) | |
| 423 | - name: Pre-pull Grafana Image (3.10+) | |
| 424 | gather_facts: False | |
| 425 | become: yes | |
| 426 | hosts: | |
| 427 | - infranodes | |
| 428 | vars_files: | |
| 429 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 430 | tags: | |
| 431 | - install_prometheus | |
| 432 | tasks: | |
| 433 | - name: Ensure Grafana Image is on Infranodes | |
| 434 | shell: "docker pull docker.io/mrsiano/grafana-ocp:latest" | |
| 435 | when: | |
| 436 | - install_prometheus|d(False)|bool | |
| 437 | - osrelease is version_compare("3.10", ">=") | |
| 438 | ||
| 439 | - name: Install Grafana (3.10+) | |
| 440 | gather_facts: False | |
| 441 | become: yes | |
| 442 | hosts: | |
| 443 | - bastions | |
| 444 | run_once: true | |
| 445 | vars_files: | |
| 446 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 447 | tags: | |
| 448 | - install_prometheus | |
| 449 | tasks: | |
| 450 | - when: | |
| 451 | - install_prometheus|bool | |
| 452 | - osrelease is version_compare("3.10", ">=") | |
| 453 | block: | |
| 454 | - name: Check if Grafana is already there | |
| 455 | command: "oc get project openshift-grafana" | |
| 456 | register: grafana_exists | |
| 457 | changed_when: False | |
| 458 | ignore_errors: true | |
| 459 | - name: Run Grafana Installation Playbook | |
| 460 | shell: "ansible-playbook -i /etc/ansible/hosts /usr/share/ansible/openshift-ansible/playbooks/openshift-grafana/config.yml" | |
| 461 | when: grafana_exists is failed | |
| 462 | - name: Add admin permissions to admin_user for Grafana project | |
| 463 | shell: "oc policy add-role-to-user admin {{admin_user}} -n openshift-grafana" | |
| 464 | when: grafana_exists is failed | |
| 465 | ||
| 466 | # Update Firewall Rules for Node Exporter to work (3.10 and onwards). | |
| 467 | - name: Node Exporter and Grafana Configuration (3.10+) | |
| 468 | gather_facts: False | |
| 469 | become: yes | |
| 470 | hosts: | |
| 471 | - nodes | |
| 472 | - infranodes | |
| 473 | - masters | |
| 474 | vars_files: | |
| 475 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 476 | tags: | |
| 477 | - install_prometheus | |
| 478 | tasks: | |
| 479 | - when: | |
| 480 | - install_prometheus|d(False)|bool | |
| 481 | - osrelease is version_compare("3.10", ">=") | |
| 5570da | 482 | - osrelease is version_compare("3.10.34", "<") |
| e2d605 | 483 | block: |
| S | 484 | # Node Exporters on all Nodes liston on port 9100. |
| 485 | # Open Firewall Port 9100 for future sessions by adding | |
| 486 | # the rule to the iptables file. | |
| 487 | - name: Open Firewall port 9100 for future sessions | |
| 488 | lineinfile: | |
| 489 | dest: /etc/sysconfig/iptables | |
| 490 | insertafter: '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' | |
| 491 | line: '-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 9100 -j ACCEPT' | |
| 492 | state: present | |
| 493 | # Open Firewall Port 9100 for current session by adding | |
| 494 | # the rule to the current iptables configuration. We won't | |
| 495 | # need to restart the iptables service - which will ensure | |
| 496 | # all OpenShift rules stay in place. | |
| 497 | - name: Open Firewall Port 9100 for current session | |
| 498 | iptables: | |
| 499 | action: insert | |
| 500 | protocol: tcp | |
| 501 | destination_port: 9100 | |
| 502 | state: present | |
| 503 | chain: OS_FIREWALL_ALLOW | |
| 504 | jump: ACCEPT | |
| 505 | ||
| 506 | - name: Customize Service Catalog UI for workshops | |
| 507 | hosts: masters | |
| 508 | run_once: true | |
| 509 | gather_facts: False | |
| 510 | become: yes | |
| 511 | vars_files: | |
| 512 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 513 | tasks: | |
| 514 | - name: Customize Service Catalog UI for workshops | |
| 240bb5 | 515 | include_role: |
| e2d605 | 516 | name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-enable-custom-catalog" |
| S | 517 | when: enable_workshops_catalog|d(False)|bool |
| 518 | tags: | |
| 519 | - env-specific | |
| 520 | - custom_ui | |
| 521 | ||
| 522 | - name: Install Nexus | |
| 523 | hosts: masters | |
| 524 | run_once: true | |
| 525 | gather_facts: False | |
| 526 | become: yes | |
| 527 | vars_files: | |
| 528 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 529 | tasks: | |
| 240bb5 | 530 | - include_role: |
| e2d605 | 531 | name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus" |
| S | 532 | vars: |
| 533 | desired_project: "{{admin_project}}" | |
| 534 | nexus_version: "3" | |
| 535 | when: install_nexus|d(False)|bool | |
| 536 | tags: | |
| 537 | - env-specific | |
| 538 | - install_nexus | |
| 539 | ||
| 540 | - name: Install AWS Broker | |
| 541 | hosts: masters | |
| 542 | run_once: true | |
| 543 | gather_facts: False | |
| 544 | become: yes | |
| 545 | vars_files: | |
| 546 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 547 | tags: | |
| 548 | - env-specific | |
| 549 | - install_aws_broker | |
| 550 | tasks: | |
| 240bb5 | 551 | - include_role: |
| e2d605 | 552 | name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-aws-service-broker" |
| S | 553 | when: install_aws_broker|d(False)|bool |
| 554 | ||
| 555 | - name: Update Ansible (Automation) Broker to show images from DockerHub | |
| 556 | hosts: masters | |
| 557 | run_once: true | |
| 558 | gather_facts: False | |
| 559 | become: yes | |
| 560 | vars_files: | |
| 561 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 562 | tags: | |
| 563 | - env-specific | |
| 564 | - install_openshiftapb | |
| 565 | tasks: | |
| 566 | - name: Update ASB | |
| 240bb5 | 567 | include_role: |
| e2d605 | 568 | name: "{{ ANSIBLE_REPO_PATH }}/roles/openshift-ansible-broker" |
| S | 569 | when: install_openshiftapb|d(False)|bool |
| 570 | ||
| 571 | - name: Install Maistra (Istio) | |
| 572 | hosts: masters | |
| 573 | run_once: true | |
| 574 | gather_facts: False | |
| 575 | become: yes | |
| 576 | vars_files: | |
| 577 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 578 | tags: | |
| 579 | - env-specific | |
| 580 | - install_maistra | |
| 581 | tasks: | |
| 582 | - name: Install Maistra | |
| 240bb5 | 583 | include_role: |
| e2d605 | 584 | name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-maistra" |
| S | 585 | vars: |
| 586 | openshift_master_public: "{{ master_lb_dns }}" | |
| 587 | when: install_maistra|d(False)|bool | |
| 588 | ||
| 589 | # WK Added for RHTE | |
| f95237 | 590 | # Install Infrastructure workloads first |
| WK | 591 | - name: Install ocp-infra workloads |
| 592 | hosts: masters | |
| 593 | gather_facts: false | |
| 594 | run_once: true | |
| 595 | become: yes | |
| 596 | vars_files: | |
| 597 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 598 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 599 | tasks: | |
| 600 | - name: Install ocp-infra workloads | |
| 601 | when: | |
| 602 | - infra_workloads|d("")|length > 0 | |
| 603 | block: | |
| 604 | - name: Check if admin_user is set | |
| 605 | fail: | |
| 606 | msg: admin_user must be set for ocp-infra workloads | |
| 607 | when: | |
| 608 | - not admin_user is defined or admin_user|length == 0 | |
| 609 | - name: Install ocp-infra-workloads | |
| 610 | when: | |
| 611 | - infra_workloads|d("")|length >0 | |
| 612 | block: | |
| 613 | - name: Deploy ocp-infra workloads | |
| 614 | include_role: | |
| 5c4f36 | 615 | name: "{{ ANSIBLE_REPO_PATH }}/roles/{{ workload_loop_var }}" |
| f95237 | 616 | vars: |
| WK | 617 | admin_user: "{{ admin_user }}" |
| 5c4f36 | 618 | ocp_username: "{{ admin_user }}" |
| f95237 | 619 | ACTION: "provision" |
| WK | 620 | loop: "{{ infra_workloads.split(',')|list }}" |
| 621 | loop_control: | |
| 622 | loop_var: workload_loop_var | |
| 623 | ||
| 624 | # Install User Workloads second | |
| 240bb5 | 625 | - name: Install ocp-workload workloads for multiple Users |
| WK | 626 | hosts: masters |
| 627 | gather_facts: false | |
| 628 | run_once: true | |
| 629 | become: yes | |
| 630 | vars_files: | |
| 631 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 632 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 633 | tasks: | |
| 634 | - name: Install ocp-workloads | |
| 635 | when: | |
| 636 | - num_users|d(0)|int > 0 | |
| 637 | - student_workloads|d("")|length > 0 | |
| 638 | block: | |
| 639 | - name: Check if authentication mechanism is set to htpasswd | |
| 640 | fail: | |
| 641 | msg: Authentication Mechanism must be htpasswd | |
| 642 | when: | |
| 643 | - install_idm|d("") != "htpasswd" | |
| 644 | - name: Check if remove_self_provisioners=true | |
| 645 | fail: | |
| 646 | msg: remove_self_provisioners must be set to true | |
| d345b4 | 647 | tags: |
| GC | 648 | - remove_self_provisioners |
| 240bb5 | 649 | when: |
| WK | 650 | - not remove_self_provisioners|d(False)|bool |
| e2d605 | 651 | |
| 240bb5 | 652 | - name: Generate list of User IDs |
| WK | 653 | set_fact: |
| 654 | users: "{{ lookup('sequence', 'start=1 end={{ num_users|int }}', wantlist=true) | map('int') | list }}" | |
| e2d605 | 655 | |
| 240bb5 | 656 | - name: Deploy ocp-workloads for each user ID |
| WK | 657 | include_role: |
| 658 | name: "{{ ANSIBLE_REPO_PATH }}/roles/{{ workload_loop_var[1] }}" | |
| 659 | vars: | |
| 660 | ocp_username: "user{{ workload_loop_var[0] }}" | |
| 661 | ACTION: "provision" | |
| 662 | loop: "{{ users | product(student_workloads.split(','))|list }}" | |
| 663 | loop_control: | |
| 664 | loop_var: workload_loop_var | |
| e2d605 | 665 | # WK Added for RHTE End |
| S | 666 | |
| 667 | - name: Zabbix for masters | |
| 668 | hosts: masters | |
| 669 | gather_facts: true | |
| 670 | become: yes | |
| 671 | vars_files: | |
| 672 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 673 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 674 | vars: | |
| 675 | zabbix_auto_registration_keyword: OCP Master | |
| 240bb5 | 676 | tasks: |
| WK | 677 | - when: install_zabbix|bool |
| 678 | block: | |
| 679 | - include_role: | |
| 680 | name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client" | |
| 681 | - include_role: | |
| 682 | name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-master" | |
| 683 | - include_role: | |
| 684 | name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node" | |
| e2d605 | 685 | tags: |
| S | 686 | - env-specific |
| 687 | - install_zabbix | |
| 688 | ||
| 689 | - name: Zabbix for nodes | |
| 690 | hosts: | |
| 691 | - nodes | |
| 692 | - infranodes | |
| 693 | gather_facts: true | |
| 694 | become: yes | |
| 695 | vars_files: | |
| 696 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 697 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 698 | vars: | |
| 699 | zabbix_auto_registration_keyword: OCP Node | |
| 700 | zabbix_token: "{{ hostvars[groups['masters'][0]].zabbix_token }}" | |
| 701 | hawkular_route: "{{ hostvars[groups['masters'][0]].hawkular_route }}" | |
| 240bb5 | 702 | tasks: |
| WK | 703 | - when: install_zabbix|bool |
| 704 | block: | |
| 705 | - include_role: | |
| 706 | name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client" | |
| 707 | - include_role: | |
| 708 | name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node" | |
| e2d605 | 709 | tags: |
| S | 710 | - env-specific |
| 711 | - install_zabbix | |
| 712 | ||
| 713 | - name: Zabbix for all other hosts (bastion, support, ...) | |
| 714 | hosts: | |
| 715 | - bastions | |
| 716 | - support | |
| 717 | gather_facts: true | |
| 718 | become: yes | |
| 719 | vars_files: | |
| 720 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 721 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 722 | vars: | |
| 723 | zabbix_auto_registration_keyword: OCP Host | |
| 240bb5 | 724 | tasks: |
| 2ea4ed | 725 | - when: install_zabbix|bool |
| 240bb5 | 726 | include_role: |
| WK | 727 | name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client" |
| e2d605 | 728 | tags: |
| S | 729 | - env-specific |
| 730 | - install_zabbix | |
| 731 | ||
| 732 | # start supporting this only for OCP >= 3.9 | |
| 733 | - name: Run diagnostics from master | |
| 734 | hosts: masters | |
| 735 | become: yes | |
| 736 | gather_facts: False | |
| 737 | run_once: yes | |
| 738 | vars_files: | |
| 739 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 740 | tasks: | |
| 741 | - when: | |
| 742 | - osrelease is version_compare('3.9', '>=') | |
| 743 | - run_ocp_diagnostics|d(False)| bool | |
| 744 | block: | |
| 745 | # this command should return 0 (no error) | |
| 746 | - name: Run oc adm diagnostics | |
| 747 | shell: oc adm diagnostics > /tmp/diagnostics.log | |
| 748 | register: r_diag | |
| 749 | retries: 2 | |
| 750 | until: r_diag is succeeded | |
| 751 | ignore_errors: true | |
| 752 | ||
| 753 | - name: Ensure /tmp/openshift exist | |
| 754 | file: | |
| 755 | path: /tmp/openshift | |
| 756 | state: directory | |
| 757 | ||
| 758 | # oc adm diagnostics logs everything in /tmp/openshift | |
| 759 | - name: Create an archive of diagnostics output logs | |
| 760 | archive: | |
| 761 | path: | |
| 762 | - /tmp/openshift | |
| 763 | - /tmp/diagnostics.log | |
| 764 | dest: /tmp/diagnostics.tar.gz | |
| 765 | ||
| 766 | - name: Fetch the diagnostic archive and logs | |
| 767 | fetch: | |
| 768 | src: /tmp/diagnostics.tar.gz | |
| 769 | dest: "{{ANSIBLE_REPO_PATH}}/workdir/{{project_tag}}_diagnostics.tar.gz" | |
| 770 | flat: true | |
| 771 | ||
| 772 | - name: Report diagnostics failure | |
| 773 | fail: | |
| 774 | msg: "FAIL {{ project_tag }} Diagnostics" | |
| 775 | when: r_diag is failed | |
| 776 | ||
| 777 | - name: Configure IPA on bastion | |
| 778 | hosts: bastions | |
| 779 | become: yes | |
| 780 | gather_facts: False | |
| 781 | run_once: yes | |
| 782 | vars_files: | |
| 783 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 784 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 785 | tasks: | |
| 240bb5 | 786 | - include_role: |
| e2d605 | 787 | name: "{{ ANSIBLE_REPO_PATH }}/roles/bastion-opentlc-ipa" |
| S | 788 | when: install_ipa_client|bool |
| 789 | ||
| 790 | - name: PostSoftware flight-check | |
| 791 | hosts: localhost | |
| 792 | connection: local | |
| 793 | gather_facts: false | |
| 794 | become: false | |
| 795 | vars_files: | |
| 796 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 797 | tags: | |
| 798 | - post_flight_check | |
| 799 | tasks: | |
| 800 | - debug: | |
| 801 | msg: "Post-Software checks completed successfully" | |
| 802 | ||
| 803 | - name: Gather facts | |
| 804 | hosts: | |
| 805 | - all | |
| 806 | vars_files: | |
| 807 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 808 | gather_facts: true | |
| 809 | tags: | |
| 810 | - ocp_report | |
| 811 | ||
| 812 | - name: Generate reports | |
| 813 | hosts: localhost | |
| 814 | connection: local | |
| 815 | become: false | |
| 816 | ||
| 817 | vars_files: | |
| 818 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" | |
| 819 | - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" | |
| 820 | tags: | |
| 821 | - ocp_report | |
| 822 | vars: | |
| 823 | env_all_hosts: all | |
| 824 | tasks: | |
| 825 | - name: get repo version used to deploy | |
| 826 | command: git rev-parse HEAD | |
| 827 | args: | |
| 828 | chdir: "{{ ANSIBLE_REPO_PATH }}" | |
| 829 | register: ansible_agnostic_deployer_head | |
| 830 | ||
| 831 | - name: Gather ec2 facts | |
| 832 | ec2_remote_facts: | |
| 833 | aws_access_key: "{{ aws_access_key_id }}" | |
| 834 | aws_secret_key: "{{ aws_secret_access_key }}" | |
| 835 | region: "{{ aws_region_final|d(aws_region) }}" | |
| 836 | filters: | |
| 837 | instance-state-name: running | |
| 838 | "tag:Project": "{{project_tag}}" | |
| 839 | when: | |
| 840 | - ocp_report|bool | |
| 841 | - cloud_provider == 'ec2' | |
| 842 | - name: Generate report | |
| 843 | template: | |
| 844 | src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/ocp_report.adoc.j2" | |
| 845 | dest: "{{ ANSIBLE_REPO_PATH }}/workdir/ocp_report_{{ env_type }}-{{ guid }}.adoc" | |
| 846 | when: | |
| 847 | - ocp_report|bool | |
| 848 | - cloud_provider == 'ec2' | |
